Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/administration/service-mgmt.chapter.md12
-rw-r--r--nixos/doc/manual/configuration/kubernetes.chapter.md2
-rw-r--r--nixos/doc/manual/configuration/linux-kernel.chapter.md83
-rw-r--r--nixos/doc/manual/configuration/profiles.chapter.md2
-rw-r--r--nixos/doc/manual/configuration/user-mgmt.chapter.md2
-rw-r--r--nixos/doc/manual/configuration/wayland.chapter.md2
-rw-r--r--nixos/doc/manual/configuration/x-windows.chapter.md16
-rw-r--r--nixos/doc/manual/configuration/xfce.chapter.md6
-rw-r--r--nixos/doc/manual/development/option-declarations.section.md2
-rw-r--r--nixos/doc/manual/development/option-types.section.md12
-rw-r--r--nixos/doc/manual/development/replace-modules.section.md6
-rw-r--r--nixos/doc/manual/development/settings-options.section.md6
-rw-r--r--nixos/doc/manual/development/writing-documentation.chapter.md2
-rw-r--r--nixos/doc/manual/development/writing-modules.chapter.md2
-rw-r--r--nixos/doc/manual/development/writing-nixos-tests.section.md17
-rw-r--r--nixos/doc/manual/from_md/administration/cleaning-store.chapter.xml2
-rw-r--r--nixos/doc/manual/from_md/administration/container-networking.section.xml4
-rw-r--r--nixos/doc/manual/from_md/administration/control-groups.chapter.xml4
-rw-r--r--nixos/doc/manual/from_md/administration/declarative-containers.section.xml4
-rw-r--r--nixos/doc/manual/from_md/administration/service-mgmt.chapter.xml14
-rw-r--r--nixos/doc/manual/from_md/configuration/abstractions.section.xml8
-rw-r--r--nixos/doc/manual/from_md/configuration/ad-hoc-network-config.section.xml2
-rw-r--r--nixos/doc/manual/from_md/configuration/adding-custom-packages.section.xml10
-rw-r--r--nixos/doc/manual/from_md/configuration/config-file.section.xml22
-rw-r--r--nixos/doc/manual/from_md/configuration/customizing-packages.section.xml6
-rw-r--r--nixos/doc/manual/from_md/configuration/declarative-packages.section.xml2
-rw-r--r--nixos/doc/manual/from_md/configuration/file-systems.chapter.xml2
-rw-r--r--nixos/doc/manual/from_md/configuration/firewall.section.xml6
-rw-r--r--nixos/doc/manual/from_md/configuration/gpu-accel.chapter.xml10
-rw-r--r--nixos/doc/manual/from_md/configuration/ipv4-config.section.xml6
-rw-r--r--nixos/doc/manual/from_md/configuration/ipv6-config.section.xml8
-rw-r--r--nixos/doc/manual/from_md/configuration/kubernetes.chapter.xml12
-rw-r--r--nixos/doc/manual/from_md/configuration/linux-kernel.chapter.xml121
-rw-r--r--nixos/doc/manual/from_md/configuration/luks-file-systems.section.xml8
-rw-r--r--nixos/doc/manual/from_md/configuration/modularity.section.xml12
-rw-r--r--nixos/doc/manual/from_md/configuration/network-manager.section.xml6
-rw-r--r--nixos/doc/manual/from_md/configuration/profiles.chapter.xml4
-rw-r--r--nixos/doc/manual/from_md/configuration/renaming-interfaces.section.xml4
-rw-r--r--nixos/doc/manual/from_md/configuration/ssh.section.xml4
-rw-r--r--nixos/doc/manual/from_md/configuration/sshfs-file-systems.section.xml6
-rw-r--r--nixos/doc/manual/from_md/configuration/subversion.chapter.xml6
-rw-r--r--nixos/doc/manual/from_md/configuration/user-mgmt.chapter.xml8
-rw-r--r--nixos/doc/manual/from_md/configuration/wayland.chapter.xml11
-rw-r--r--nixos/doc/manual/from_md/configuration/wireless.section.xml6
-rw-r--r--nixos/doc/manual/from_md/configuration/x-windows.chapter.xml64
-rw-r--r--nixos/doc/manual/from_md/configuration/xfce.chapter.xml15
-rw-r--r--nixos/doc/manual/from_md/development/activation-script.section.xml2
-rw-r--r--nixos/doc/manual/from_md/development/assertions.section.xml4
-rw-r--r--nixos/doc/manual/from_md/development/bootspec.chapter.xml2
-rw-r--r--nixos/doc/manual/from_md/development/freeform-modules.section.xml6
-rw-r--r--nixos/doc/manual/from_md/development/importing-modules.section.xml8
-rw-r--r--nixos/doc/manual/from_md/development/meta-attributes.section.xml2
-rw-r--r--nixos/doc/manual/from_md/development/option-declarations.section.xml18
-rw-r--r--nixos/doc/manual/from_md/development/option-def.section.xml16
-rw-r--r--nixos/doc/manual/from_md/development/option-types.section.xml34
-rw-r--r--nixos/doc/manual/from_md/development/replace-modules.section.xml12
-rw-r--r--nixos/doc/manual/from_md/development/settings-options.section.xml11
-rw-r--r--nixos/doc/manual/from_md/development/writing-documentation.chapter.xml2
-rw-r--r--nixos/doc/manual/from_md/development/writing-modules.chapter.xml10
-rw-r--r--nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml73
-rw-r--r--nixos/doc/manual/from_md/installation/building-nixos.chapter.xml2
-rw-r--r--nixos/doc/manual/from_md/installation/changing-config.chapter.xml8
-rw-r--r--nixos/doc/manual/from_md/installation/installing-behind-a-proxy.section.xml2
-rw-r--r--nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml46
-rw-r--r--nixos/doc/manual/from_md/installation/installing-kexec.section.xml4
-rw-r--r--nixos/doc/manual/from_md/installation/installing-usb.section.xml12
-rw-r--r--nixos/doc/manual/from_md/installation/installing-virtualbox-guest.section.xml14
-rw-r--r--nixos/doc/manual/from_md/installation/installing.chapter.xml8
-rw-r--r--nixos/doc/manual/from_md/installation/upgrading.chapter.xml4
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-1404.section.xml10
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-1412.section.xml2
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-1509.section.xml40
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-1603.section.xml30
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-1609.section.xml8
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-1703.section.xml18
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-1709.section.xml36
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-1803.section.xml22
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-1809.section.xml18
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-1903.section.xml26
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-1909.section.xml48
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2003.section.xml80
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2009.section.xml96
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2105.section.xml61
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2111.section.xml8
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2205.section.xml12
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2211.section.xml4
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2305.section.xml62
-rw-r--r--nixos/doc/manual/installation/changing-config.chapter.md4
-rw-r--r--nixos/doc/manual/installation/installing-from-other-distro.section.md42
-rw-r--r--nixos/doc/manual/installation/installing-kexec.section.md2
-rw-r--r--nixos/doc/manual/installation/installing-usb.section.md6
-rw-r--r--nixos/doc/manual/installation/installing-virtualbox-guest.section.md6
-rw-r--r--nixos/doc/manual/installation/installing.chapter.md8
-rwxr-xr-xnixos/doc/manual/md-to-db.sh2
-rw-r--r--nixos/doc/manual/release-notes/rl-1509.section.md12
-rw-r--r--nixos/doc/manual/release-notes/rl-1603.section.md16
-rw-r--r--nixos/doc/manual/release-notes/rl-1609.section.md6
-rw-r--r--nixos/doc/manual/release-notes/rl-1703.section.md10
-rw-r--r--nixos/doc/manual/release-notes/rl-1709.section.md16
-rw-r--r--nixos/doc/manual/release-notes/rl-1803.section.md10
-rw-r--r--nixos/doc/manual/release-notes/rl-1809.section.md10
-rw-r--r--nixos/doc/manual/release-notes/rl-1903.section.md18
-rw-r--r--nixos/doc/manual/release-notes/rl-1909.section.md30
-rw-r--r--nixos/doc/manual/release-notes/rl-2003.section.md58
-rw-r--r--nixos/doc/manual/release-notes/rl-2009.section.md42
-rw-r--r--nixos/doc/manual/release-notes/rl-2105.section.md34
-rw-r--r--nixos/doc/manual/release-notes/rl-2111.section.md2
-rw-r--r--nixos/doc/manual/release-notes/rl-2305.section.md14
-rwxr-xr-xnixos/lib/test-driver/test_driver/__init__.py6
-rw-r--r--nixos/lib/test-driver/test_driver/driver.py8
-rw-r--r--nixos/lib/test-driver/test_driver/logger.py8
-rw-r--r--nixos/lib/test-driver/test_driver/machine.py119
-rw-r--r--nixos/lib/testing/legacy.nix3
-rw-r--r--nixos/lib/testing/nodes.nix10
-rw-r--r--nixos/modules/config/shells-environment.nix4
-rw-r--r--nixos/modules/config/system-environment.nix5
-rw-r--r--nixos/modules/config/users-groups.nix15
-rw-r--r--nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix15
-rw-r--r--nixos/modules/installer/cd-dvd/installation-cd-minimal.nix3
-rw-r--r--nixos/modules/installer/cd-dvd/iso-image.nix10
-rw-r--r--nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix15
-rw-r--r--nixos/modules/misc/version.nix14
-rw-r--r--nixos/modules/module-list.nix6
-rw-r--r--nixos/modules/profiles/macos-builder.nix25
-rw-r--r--nixos/modules/programs/nix-index.nix62
-rw-r--r--nixos/modules/services/backup/borgbackup.nix5
-rw-r--r--nixos/modules/services/hardware/supergfxd.nix5
-rw-r--r--nixos/modules/services/logging/ulogd.nix48
-rw-r--r--nixos/modules/services/mail/exim.nix5
-rw-r--r--nixos/modules/services/matrix/synapse.nix6
-rw-r--r--nixos/modules/services/misc/nix-daemon.nix2
-rw-r--r--nixos/modules/services/misc/paperless.nix26
-rw-r--r--nixos/modules/services/monitoring/grafana.nix10
-rw-r--r--nixos/modules/services/monitoring/uptime-kuma.nix2
-rw-r--r--nixos/modules/services/networking/cloudflared.nix12
-rw-r--r--nixos/modules/services/networking/openconnect.nix3
-rw-r--r--nixos/modules/services/networking/powerdns.nix22
-rw-r--r--nixos/modules/services/networking/tinc.nix169
-rw-r--r--nixos/modules/services/networking/webhook.nix214
-rw-r--r--nixos/modules/services/printing/cups-pdf.nix185
-rw-r--r--nixos/modules/services/system/cachix-agent/default.nix3
-rw-r--r--nixos/modules/services/web-apps/akkoma.md332
-rw-r--r--nixos/modules/services/web-apps/akkoma.nix1086
-rw-r--r--nixos/modules/services/web-apps/akkoma.xml396
-rw-r--r--nixos/modules/services/web-apps/discourse.nix2
-rw-r--r--nixos/modules/services/web-apps/hedgedoc.nix26
-rw-r--r--nixos/modules/services/web-servers/garage-doc.xml139
-rw-r--r--nixos/modules/services/web-servers/garage.nix13
-rw-r--r--nixos/modules/services/web-servers/nginx/default.nix64
-rw-r--r--nixos/modules/system/boot/binfmt.nix16
-rw-r--r--nixos/modules/system/boot/initrd-openvpn.nix5
-rwxr-xr-x[-rw-r--r--]nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py15
-rw-r--r--nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix6
-rw-r--r--nixos/modules/system/boot/systemd/initrd.nix11
-rw-r--r--nixos/modules/tasks/filesystems/envfs.nix51
-rw-r--r--nixos/modules/tasks/filesystems/zfs.nix25
-rw-r--r--nixos/modules/testing/minimal-kernel.nix28
-rw-r--r--nixos/modules/testing/test-instrumentation.nix8
-rw-r--r--nixos/release.nix20
-rw-r--r--nixos/tests/akkoma.nix121
-rw-r--r--nixos/tests/all-tests.nix9
-rw-r--r--nixos/tests/cups-pdf.nix40
-rw-r--r--nixos/tests/envfs.nix42
-rw-r--r--nixos/tests/garage/basic.nix98
-rw-r--r--nixos/tests/garage/default.nix53
-rw-r--r--nixos/tests/garage/with-3node-replication.nix (renamed from nixos/tests/garage.nix)58
-rw-r--r--nixos/tests/gnome-flashback.nix51
-rw-r--r--nixos/tests/initrd-network-openvpn/default.nix1
-rw-r--r--nixos/tests/initrd-network-openvpn/initrd.ovpn3
-rw-r--r--nixos/tests/trafficserver.nix1
-rw-r--r--nixos/tests/ulogd.nix84
-rw-r--r--nixos/tests/webhook.nix65
-rw-r--r--nixos/tests/zfs.nix174
173 files changed, 4626 insertions, 1260 deletions
diff --git a/nixos/doc/manual/administration/service-mgmt.chapter.md b/nixos/doc/manual/administration/service-mgmt.chapter.md
index bb0f9b62e9138..674c737416805 100644
--- a/nixos/doc/manual/administration/service-mgmt.chapter.md
+++ b/nixos/doc/manual/administration/service-mgmt.chapter.md
@@ -75,7 +75,7 @@ necessary).
 
 Packages in Nixpkgs sometimes provide systemd units with them, usually
 in e.g `#pkg-out#/lib/systemd/`. Putting such a package in
-`environment.systemPackages` doesn\'t make the service available to
+`environment.systemPackages` doesn't make the service available to
 users or the system.
 
 In order to enable a systemd *system* service with provided upstream
@@ -87,9 +87,9 @@ systemd.packages = [ pkgs.packagekit ];
 
 Usually NixOS modules written by the community do the above, plus take
 care of other details. If a module was written for a service you are
-interested in, you\'d probably need only to use
+interested in, you'd probably need only to use
 `services.#name#.enable = true;`. These services are defined in
-Nixpkgs\' [ `nixos/modules/` directory
+Nixpkgs' [ `nixos/modules/` directory
 ](https://github.com/NixOS/nixpkgs/tree/master/nixos/modules). In case
 the service is simple enough, the above method should work, and start
 the service on boot.
@@ -98,8 +98,8 @@ the service on boot.
 differently. Given a package that has a systemd unit file at
 `#pkg-out#/lib/systemd/user/`, using [](#opt-systemd.packages) will
 make you able to start the service via `systemctl --user start`, but it
-won\'t start automatically on login. However, You can imperatively
-enable it by adding the package\'s attribute to
+won't start automatically on login. However, You can imperatively
+enable it by adding the package's attribute to
 [](#opt-systemd.packages) and then do this (e.g):
 
 ```ShellSession
@@ -113,7 +113,7 @@ If you are interested in a timer file, use `timers.target.wants` instead
 of `default.target.wants` in the 1st and 2nd command.
 
 Using `systemctl --user enable syncthing.service` instead of the above,
-will work, but it\'ll use the absolute path of `syncthing.service` for
+will work, but it'll use the absolute path of `syncthing.service` for
 the symlink, and this path is in `/nix/store/.../lib/systemd/user/`.
 Hence [garbage collection](#sec-nix-gc) will remove that file and you
 will wind up with a broken symlink in your systemd configuration, which
diff --git a/nixos/doc/manual/configuration/kubernetes.chapter.md b/nixos/doc/manual/configuration/kubernetes.chapter.md
index 5d7b083289d9c..f39726090e431 100644
--- a/nixos/doc/manual/configuration/kubernetes.chapter.md
+++ b/nixos/doc/manual/configuration/kubernetes.chapter.md
@@ -17,7 +17,7 @@ services.kubernetes = {
 };
 ```
 
-Another way is to assign cluster roles (\"master\" and/or \"node\") to
+Another way is to assign cluster roles ("master" and/or "node") to
 the host. This enables apiserver, controllerManager, scheduler,
 addonManager, kube-proxy and etcd:
 
diff --git a/nixos/doc/manual/configuration/linux-kernel.chapter.md b/nixos/doc/manual/configuration/linux-kernel.chapter.md
index 7b84416a86465..f5bce99dd1bbe 100644
--- a/nixos/doc/manual/configuration/linux-kernel.chapter.md
+++ b/nixos/doc/manual/configuration/linux-kernel.chapter.md
@@ -82,61 +82,68 @@ boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 120;
 sets the kernel's TCP keepalive time to 120 seconds. To see the
 available parameters, run `sysctl -a`.
 
-## Customize your kernel {#sec-linux-config-customizing}
+## Building a custom kernel {#sec-linux-config-customizing}
 
-The first step before compiling the kernel is to generate an appropriate
-`.config` configuration. Either you pass your own config via the
-`configfile` setting of `linuxKernel.manualConfig`:
+You can customize the default kernel configuration by overriding the arguments for your kernel package:
 
 ```nix
-custom-kernel = let base_kernel = linuxKernel.kernels.linux_4_9;
-  in super.linuxKernel.manualConfig {
-    inherit (super) stdenv hostPlatform;
-    inherit (base_kernel) src;
-    version = "${base_kernel.version}-custom";
-
-    configfile = /home/me/my_kernel_config;
-    allowImportFromDerivation = true;
-};
+pkgs.linux_latest.override {
+  ignoreConfigErrors = true;
+  autoModules = false;
+  kernelPreferBuiltin = true;
+  extraStructuredConfig = with lib.kernel; {
+    DEBUG_KERNEL = yes;
+    FRAME_POINTER = yes;
+    KGDB = yes;
+    KGDB_SERIAL_CONSOLE = yes;
+    DEBUG_INFO = yes;
+  };
+}
 ```
 
-You can edit the config with this snippet (by default `make
-   menuconfig` won\'t work out of the box on nixos):
+See `pkgs/os-specific/linux/kernel/generic.nix` for details on how these arguments
+affect the generated configuration. You can also build a custom version of Linux by calling
+`pkgs.buildLinux` directly, which requires the `src` and `version` arguments to be specified.
 
-```ShellSession
-nix-shell -E 'with import <nixpkgs> {}; kernelToOverride.overrideAttrs (o: {nativeBuildInputs=o.nativeBuildInputs ++ [ pkg-config ncurses ];})'
+To use your custom kernel package in your NixOS configuration, set
+
+```nix
+boot.kernelPackages = pkgs.linuxPackagesFor yourCustomKernel;
 ```
 
-or you can let nixpkgs generate the configuration. Nixpkgs generates it
-via answering the interactive kernel utility `make config`. The answers
-depend on parameters passed to
-`pkgs/os-specific/linux/kernel/generic.nix` (which you can influence by
-overriding `extraConfig, autoModules,
-   modDirVersion, preferBuiltin, extraConfig`).
+Note that this method will use the common configuration defined in `pkgs/os-specific/linux/kernel/common-config.nix`,
+which is suitable for a NixOS system.
+
+If you already have a generated configuration file, you can build a kernel that uses it with `pkgs.linuxManualConfig`:
 
 ```nix
-mptcp93.override ({
-  name="mptcp-local";
+let
+  baseKernel = pkgs.linux_latest;
+in pkgs.linuxManualConfig {
+  inherit (baseKernel) src modDirVersion;
+  version = "${baseKernel.version}-custom";
+  configfile = ./my_kernel_config;
+  allowImportFromDerivation = true;
+}
+```
 
-  ignoreConfigErrors = true;
-  autoModules = false;
-  kernelPreferBuiltin = true;
+::: {.note}
+The build will fail if `modDirVersion` does not match the source's `kernel.release` file,
+so `modDirVersion` should remain tied to `src`.
+:::
 
-  enableParallelBuilding = true;
+To edit the `.config` file for Linux X.Y, proceed as follows:
 
-  extraConfig = ''
-    DEBUG_KERNEL y
-    FRAME_POINTER y
-    KGDB y
-    KGDB_SERIAL_CONSOLE y
-    DEBUG_INFO y
-  '';
-});
+```ShellSession
+$ nix-shell '<nixpkgs>' -A linuxKernel.kernels.linux_X_Y.configEnv
+$ unpackPhase
+$ cd linux-*
+$ make nconfig
 ```
 
 ## Developing kernel modules {#sec-linux-config-developing-modules}
 
-When developing kernel modules it\'s often convenient to run
+When developing kernel modules it's often convenient to run
 edit-compile-run loop as quickly as possible. See below snippet as an
 example of developing `mellanox` drivers.
 
diff --git a/nixos/doc/manual/configuration/profiles.chapter.md b/nixos/doc/manual/configuration/profiles.chapter.md
index b4ae1b7d3faaa..2c3dea27c1818 100644
--- a/nixos/doc/manual/configuration/profiles.chapter.md
+++ b/nixos/doc/manual/configuration/profiles.chapter.md
@@ -2,7 +2,7 @@
 
 In some cases, it may be desirable to take advantage of commonly-used,
 predefined configurations provided by nixpkgs, but different from those
-that come as default. This is a role fulfilled by NixOS\'s Profiles,
+that come as default. This is a role fulfilled by NixOS's Profiles,
 which come as files living in `<nixpkgs/nixos/modules/profiles>`. That
 is to say, expected usage is to add them to the imports list of your
 `/etc/configuration.nix` as such:
diff --git a/nixos/doc/manual/configuration/user-mgmt.chapter.md b/nixos/doc/manual/configuration/user-mgmt.chapter.md
index 5c3aca3ef9e95..b35b38f6e964a 100644
--- a/nixos/doc/manual/configuration/user-mgmt.chapter.md
+++ b/nixos/doc/manual/configuration/user-mgmt.chapter.md
@@ -30,7 +30,7 @@ to your NixOS configuration. For instance, if you remove a user from
 [](#opt-users.users) and run nixos-rebuild, the user
 account will cease to exist. Also, imperative commands for managing users and
 groups, such as useradd, are no longer available. Passwords may still be
-assigned by setting the user\'s
+assigned by setting the user's
 [hashedPassword](#opt-users.users._name_.hashedPassword) option. A
 hashed password can be generated using `mkpasswd`.
 
diff --git a/nixos/doc/manual/configuration/wayland.chapter.md b/nixos/doc/manual/configuration/wayland.chapter.md
index a3a46aa3da6f2..0f195bd665673 100644
--- a/nixos/doc/manual/configuration/wayland.chapter.md
+++ b/nixos/doc/manual/configuration/wayland.chapter.md
@@ -4,7 +4,7 @@ While X11 (see [](#sec-x11)) is still the primary display technology
 on NixOS, Wayland support is steadily improving. Where X11 separates the
 X Server and the window manager, on Wayland those are combined: a
 Wayland Compositor is like an X11 window manager, but also embeds the
-Wayland \'Server\' functionality. This means it is sufficient to install
+Wayland 'Server' functionality. This means it is sufficient to install
 a Wayland Compositor such as sway without separately enabling a Wayland
 server:
 
diff --git a/nixos/doc/manual/configuration/x-windows.chapter.md b/nixos/doc/manual/configuration/x-windows.chapter.md
index 27d117238807b..f92403ed1c4c4 100644
--- a/nixos/doc/manual/configuration/x-windows.chapter.md
+++ b/nixos/doc/manual/configuration/x-windows.chapter.md
@@ -81,7 +81,7 @@ second password to login can be redundant.
 
 To enable auto-login, you need to define your default window manager and
 desktop environment. If you wanted no desktop environment and i3 as your
-your window manager, you\'d define:
+your window manager, you'd define:
 
 ```nix
 services.xserver.displayManager.defaultSession = "none+i3";
@@ -110,7 +110,7 @@ maintained but may perform worse in some cases (like in old chipsets).
 
 The second driver, `intel`, is specific to Intel GPUs, but not
 recommended by most distributions: it lacks several modern features (for
-example, it doesn\'t support Glamor) and the package hasn\'t been
+example, it doesn't support Glamor) and the package hasn't been
 officially updated since 2015.
 
 The results vary depending on the hardware, so you may have to try both
@@ -162,7 +162,7 @@ with other kernel modules.
 
 AMD provides a proprietary driver for its graphics cards that is not
 enabled by default because it's not Free Software, is often broken in
-nixpkgs and as of this writing doesn\'t offer more features or
+nixpkgs and as of this writing doesn't offer more features or
 performance. If you still want to use it anyway, you need to explicitly
 set:
 
@@ -215,7 +215,7 @@ US layout, with an additional layer to type some greek symbols by
 pressing the right-alt key.
 
 Create a file called `us-greek` with the following content (under a
-directory called `symbols`; it\'s an XKB peculiarity that will help with
+directory called `symbols`; it's an XKB peculiarity that will help with
 testing):
 
 ```nix
@@ -249,7 +249,7 @@ The name (after `extraLayouts.`) should match the one given to the
 
 Applying this customization requires rebuilding several packages, and a
 broken XKB file can lead to the X session crashing at login. Therefore,
-you\'re strongly advised to **test your layout before applying it**:
+you're strongly advised to **test your layout before applying it**:
 
 ```ShellSession
 $ nix-shell -p xorg.xkbcomp
@@ -313,8 +313,8 @@ prefer to keep the layout definitions inside the NixOS configuration.
 
 Unfortunately, the Xorg server does not (currently) support setting a
 keymap directly but relies instead on XKB rules to select the matching
-components (keycodes, types, \...) of a layout. This means that
-components other than symbols won\'t be loaded by default. As a
+components (keycodes, types, ...) of a layout. This means that
+components other than symbols won't be loaded by default. As a
 workaround, you can set the keymap using `setxkbmap` at the start of the
 session with:
 
@@ -323,7 +323,7 @@ services.xserver.displayManager.sessionCommands = "setxkbmap -keycodes media";
 ```
 
 If you are manually starting the X server, you should set the argument
-`-xkbdir /etc/X11/xkb`, otherwise X won\'t find your layout files. For
+`-xkbdir /etc/X11/xkb`, otherwise X won't find your layout files. For
 example with `xinit` run
 
 ```ShellSession
diff --git a/nixos/doc/manual/configuration/xfce.chapter.md b/nixos/doc/manual/configuration/xfce.chapter.md
index ee60d465e3b30..c331e63cfe54c 100644
--- a/nixos/doc/manual/configuration/xfce.chapter.md
+++ b/nixos/doc/manual/configuration/xfce.chapter.md
@@ -31,8 +31,8 @@ enabled. To enable Thunar without enabling Xfce, use the configuration
 option [](#opt-programs.thunar.enable) instead of simply adding
 `pkgs.xfce.thunar` to [](#opt-environment.systemPackages).
 
-If you\'d like to add extra plugins to Thunar, add them to
-[](#opt-programs.thunar.plugins). You shouldn\'t just add them to
+If you'd like to add extra plugins to Thunar, add them to
+[](#opt-programs.thunar.plugins). You shouldn't just add them to
 [](#opt-environment.systemPackages).
 
 ## Troubleshooting {#sec-xfce-troubleshooting .unnumbered}
@@ -46,7 +46,7 @@ Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with db
 ```
 
 This is caused by some needed GNOME services not running. This is all
-fixed by enabling \"Launch GNOME services on startup\" in the Advanced
+fixed by enabling "Launch GNOME services on startup" in the Advanced
 tab of the Session and Startup settings panel. Alternatively, you can
 run this command to do the same thing.
 
diff --git a/nixos/doc/manual/development/option-declarations.section.md b/nixos/doc/manual/development/option-declarations.section.md
index 88617ab1920a9..f89aae5730682 100644
--- a/nixos/doc/manual/development/option-declarations.section.md
+++ b/nixos/doc/manual/development/option-declarations.section.md
@@ -149,7 +149,7 @@ multiple modules, or as an alternative to related `enable` options.
 
 As an example, we will take the case of display managers. There is a
 central display manager module for generic display manager options and a
-module file per display manager backend (sddm, gdm \...).
+module file per display manager backend (sddm, gdm ...).
 
 There are two approaches we could take with this module structure:
 
diff --git a/nixos/doc/manual/development/option-types.section.md b/nixos/doc/manual/development/option-types.section.md
index e398d6c30cceb..0e9c4a4d16be4 100644
--- a/nixos/doc/manual/development/option-types.section.md
+++ b/nixos/doc/manual/development/option-types.section.md
@@ -92,11 +92,11 @@ merging is handled.
 :   A free-form attribute set.
 
     ::: {.warning}
-    This type will be deprecated in the future because it doesn\'t
+    This type will be deprecated in the future because it doesn't
     recurse into attribute sets, silently drops earlier attribute
-    definitions, and doesn\'t discharge `lib.mkDefault`, `lib.mkIf`
+    definitions, and doesn't discharge `lib.mkDefault`, `lib.mkIf`
     and co. For allowing arbitrary attribute sets, prefer
-    `types.attrsOf types.anything` instead which doesn\'t have these
+    `types.attrsOf types.anything` instead which doesn't have these
     problems.
     :::
 
@@ -222,7 +222,7 @@ Submodules are detailed in [Submodule](#section-option-types-submodule).
     -   *`specialArgs`* An attribute set of extra arguments to be passed
         to the module functions. The option `_module.args` should be
         used instead for most arguments since it allows overriding.
-        *`specialArgs`* should only be used for arguments that can\'t go
+        *`specialArgs`* should only be used for arguments that can't go
         through the module fixed-point, because of infinite recursion or
         other problems. An example is overriding the `lib` argument,
         because `lib` itself is used to define `_module.args`, which
@@ -236,7 +236,7 @@ Submodules are detailed in [Submodule](#section-option-types-submodule).
         In such a case it would allow the option to be set with
         `the-submodule.config = "value"` instead of requiring
         `the-submodule.config.config = "value"`. This is because
-        only when modules *don\'t* set the `config` or `options`
+        only when modules *don't* set the `config` or `options`
         keys, all keys are interpreted as option definitions in the
         `config` section. Enabling this option implicitly puts all
         attributes in the `config` section.
@@ -324,7 +324,7 @@ Composed types are types that take a type as parameter. `listOf
 :   Type *`t1`* or type *`t2`*, e.g. `with types; either int str`.
     Multiple definitions cannot be merged.
 
-`types.oneOf` \[ *`t1 t2`* \... \]
+`types.oneOf` \[ *`t1 t2`* ... \]
 
 :   Type *`t1`* or type *`t2`* and so forth, e.g.
     `with types; oneOf [ int str bool ]`. Multiple definitions cannot be
diff --git a/nixos/doc/manual/development/replace-modules.section.md b/nixos/doc/manual/development/replace-modules.section.md
index 0700a82004c1e..0c0d6a7ac2f19 100644
--- a/nixos/doc/manual/development/replace-modules.section.md
+++ b/nixos/doc/manual/development/replace-modules.section.md
@@ -2,7 +2,7 @@
 
 Modules that are imported can also be disabled. The option declarations,
 config implementation and the imports of a disabled module will be
-ignored, allowing another to take it\'s place. This can be used to
+ignored, allowing another to take its place. This can be used to
 import a set of modules from another channel while keeping the rest of
 the system on a stable release.
 
@@ -14,7 +14,7 @@ relative to the modules path (eg. \<nixpkgs/nixos/modules> for nixos).
 This example will replace the existing postgresql module with the
 version defined in the nixos-unstable channel while keeping the rest of
 the modules and packages from the original nixos channel. This only
-overrides the module definition, this won\'t use postgresql from
+overrides the module definition, this won't use postgresql from
 nixos-unstable unless explicitly configured to do so.
 
 ```nix
@@ -35,7 +35,7 @@ nixos-unstable unless explicitly configured to do so.
 
 This example shows how to define a custom module as a replacement for an
 existing module. Importing this module will disable the original module
-without having to know it\'s implementation details.
+without having to know its implementation details.
 
 ```nix
 { config, lib, pkgs, ... }:
diff --git a/nixos/doc/manual/development/settings-options.section.md b/nixos/doc/manual/development/settings-options.section.md
index d569e23adbdcb..334149d021cb4 100644
--- a/nixos/doc/manual/development/settings-options.section.md
+++ b/nixos/doc/manual/development/settings-options.section.md
@@ -9,10 +9,10 @@ can be declared. File formats can be separated into two categories:
     `{ foo = { bar = 10; }; }`. Other examples are INI, YAML and TOML.
     The following section explains the convention for these settings.
 
--   Non-nix-representable ones: These can\'t be trivially mapped to a
+-   Non-nix-representable ones: These can't be trivially mapped to a
     subset of Nix syntax. Most generic programming languages are in this
     group, e.g. bash, since the statement `if true; then echo hi; fi`
-    doesn\'t have a trivial representation in Nix.
+    doesn't have a trivial representation in Nix.
 
     Currently there are no fixed conventions for these, but it is common
     to have a `configFile` option for setting the configuration file
@@ -24,7 +24,7 @@ can be declared. File formats can be separated into two categories:
     an `extraConfig` option of type `lines` to allow arbitrary text
     after the autogenerated part of the file.
 
-## Nix-representable Formats (JSON, YAML, TOML, INI, \...) {#sec-settings-nix-representable}
+## Nix-representable Formats (JSON, YAML, TOML, INI, ...) {#sec-settings-nix-representable}
 
 By convention, formats like this are handled with a generic `settings`
 option, representing the full program configuration as a Nix value. The
diff --git a/nixos/doc/manual/development/writing-documentation.chapter.md b/nixos/doc/manual/development/writing-documentation.chapter.md
index 7c29f600d7012..4986c9f0a81b6 100644
--- a/nixos/doc/manual/development/writing-documentation.chapter.md
+++ b/nixos/doc/manual/development/writing-documentation.chapter.md
@@ -19,7 +19,7 @@ $ nix-shell
 nix-shell$ make
 ```
 
-Once you are done making modifications to the manual, it\'s important to
+Once you are done making modifications to the manual, it's important to
 build it before committing. You can do that as follows:
 
 ```ShellSession
diff --git a/nixos/doc/manual/development/writing-modules.chapter.md b/nixos/doc/manual/development/writing-modules.chapter.md
index 0c41cbd3cb757..fa24679b7fc83 100644
--- a/nixos/doc/manual/development/writing-modules.chapter.md
+++ b/nixos/doc/manual/development/writing-modules.chapter.md
@@ -71,7 +71,7 @@ The meaning of each part is as follows.
 -   This `imports` list enumerates the paths to other NixOS modules that
     should be included in the evaluation of the system configuration. A
     default set of modules is defined in the file `modules/module-list.nix`.
-    These don\'t need to be added in the import list.
+    These don't need to be added in the import list.
 
 -   The attribute `options` is a nested set of *option declarations*
     (described below).
diff --git a/nixos/doc/manual/development/writing-nixos-tests.section.md b/nixos/doc/manual/development/writing-nixos-tests.section.md
index f3edea3e70477..5bcdf6e58eb17 100644
--- a/nixos/doc/manual/development/writing-nixos-tests.section.md
+++ b/nixos/doc/manual/development/writing-nixos-tests.section.md
@@ -165,7 +165,7 @@ The following methods are available on machine objects:
 `get_screen_text_variants`
 
 :   Return a list of different interpretations of what is currently
-    visible on the machine\'s screen using optical character
+    visible on the machine's screen using optical character
     recognition. The number and order of the interpretations is not
     specified and is subject to change, but if no exception is raised at
     least one will be returned.
@@ -177,7 +177,7 @@ The following methods are available on machine objects:
 `get_screen_text`
 
 :   Return a textual representation of what is currently visible on the
-    machine\'s screen using optical character recognition.
+    machine's screen using optical character recognition.
 
     ::: {.note}
     This requires [`enableOCR`](#test-opt-enableOCR) to be set to `true`.
@@ -273,12 +273,13 @@ The following methods are available on machine objects:
 
 `wait_for_open_port`
 
-:   Wait until a process is listening on the given TCP port (on
-    `localhost`, at least).
+:   Wait until a process is listening on the given TCP port and IP address
+    (default `localhost`).
 
 `wait_for_closed_port`
 
-:   Wait until nobody is listening on the given TCP port.
+:   Wait until nobody is listening on the given TCP port and IP address
+    (default `localhost`).
 
 `wait_for_x`
 
@@ -350,8 +351,8 @@ machine.wait_for_unit("xautolock.service", "x-session-user")
 This applies to `systemctl`, `get_unit_info`, `wait_for_unit`,
 `start_job` and `stop_job`.
 
-For faster dev cycles it\'s also possible to disable the code-linters
-(this shouldn\'t be committed though):
+For faster dev cycles it's also possible to disable the code-linters
+(this shouldn't be committed though):
 
 ```nix
 {
@@ -370,7 +371,7 @@ For faster dev cycles it\'s also possible to disable the code-linters
 
 This will produce a Nix warning at evaluation time. To fully disable the
 linter, wrap the test script in comment directives to disable the Black
-linter directly (again, don\'t commit this within the Nixpkgs
+linter directly (again, don't commit this within the Nixpkgs
 repository):
 
 ```nix
diff --git a/nixos/doc/manual/from_md/administration/cleaning-store.chapter.xml b/nixos/doc/manual/from_md/administration/cleaning-store.chapter.xml
index 4243d2bf53f9b..35dfaf30f4575 100644
--- a/nixos/doc/manual/from_md/administration/cleaning-store.chapter.xml
+++ b/nixos/doc/manual/from_md/administration/cleaning-store.chapter.xml
@@ -23,7 +23,7 @@ $ nix-collect-garbage
     this unit automatically at certain points in time, for instance,
     every night at 03:15:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 nix.gc.automatic = true;
 nix.gc.dates = &quot;03:15&quot;;
 </programlisting>
diff --git a/nixos/doc/manual/from_md/administration/container-networking.section.xml b/nixos/doc/manual/from_md/administration/container-networking.section.xml
index 788a2b7b0acbd..a64053cdfa5e0 100644
--- a/nixos/doc/manual/from_md/administration/container-networking.section.xml
+++ b/nixos/doc/manual/from_md/administration/container-networking.section.xml
@@ -31,7 +31,7 @@ $ ping -c1 10.233.4.2
     address. This can be accomplished using the following configuration
     on the host:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.nat.enable = true;
 networking.nat.internalInterfaces = [&quot;ve-+&quot;];
 networking.nat.externalInterface = &quot;eth0&quot;;
@@ -45,7 +45,7 @@ networking.nat.externalInterface = &quot;eth0&quot;;
     If you are using Network Manager, you need to explicitly prevent it
     from managing container interfaces:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.networkmanager.unmanaged = [ &quot;interface-name:ve-*&quot; ];
 </programlisting>
   <para>
diff --git a/nixos/doc/manual/from_md/administration/control-groups.chapter.xml b/nixos/doc/manual/from_md/administration/control-groups.chapter.xml
index 8dab2c9d44b49..f78c05878031e 100644
--- a/nixos/doc/manual/from_md/administration/control-groups.chapter.xml
+++ b/nixos/doc/manual/from_md/administration/control-groups.chapter.xml
@@ -42,7 +42,7 @@ $ systemd-cgls
     process would get 1/1001 of the cgroup’s CPU time.) You can limit a
     service’s CPU share in <literal>configuration.nix</literal>:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 systemd.services.httpd.serviceConfig.CPUShares = 512;
 </programlisting>
   <para>
@@ -57,7 +57,7 @@ systemd.services.httpd.serviceConfig.CPUShares = 512;
     <literal>configuration.nix</literal>; for instance, to limit
     <literal>httpd.service</literal> to 512 MiB of RAM (excluding swap):
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 systemd.services.httpd.serviceConfig.MemoryLimit = &quot;512M&quot;;
 </programlisting>
   <para>
diff --git a/nixos/doc/manual/from_md/administration/declarative-containers.section.xml b/nixos/doc/manual/from_md/administration/declarative-containers.section.xml
index 4831c9c74e848..efc3432ba1a14 100644
--- a/nixos/doc/manual/from_md/administration/declarative-containers.section.xml
+++ b/nixos/doc/manual/from_md/administration/declarative-containers.section.xml
@@ -6,7 +6,7 @@
     following specifies that there shall be a container named
     <literal>database</literal> running PostgreSQL:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 containers.database =
   { config =
       { config, pkgs, ... }:
@@ -29,7 +29,7 @@ containers.database =
     However, they cannot change the network configuration. You can give
     a container its own network as follows:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 containers.database = {
   privateNetwork = true;
   hostAddress = &quot;192.168.100.10&quot;;
diff --git a/nixos/doc/manual/from_md/administration/service-mgmt.chapter.xml b/nixos/doc/manual/from_md/administration/service-mgmt.chapter.xml
index 8b01b8f896a4a..3b7bd6cd30cf5 100644
--- a/nixos/doc/manual/from_md/administration/service-mgmt.chapter.xml
+++ b/nixos/doc/manual/from_md/administration/service-mgmt.chapter.xml
@@ -85,21 +85,21 @@ Jan 07 15:55:57 hagbard systemd[1]: Started PostgreSQL Server.
       Packages in Nixpkgs sometimes provide systemd units with them,
       usually in e.g <literal>#pkg-out#/lib/systemd/</literal>. Putting
       such a package in <literal>environment.systemPackages</literal>
-      doesn't make the service available to users or the system.
+      doesn’t make the service available to users or the system.
     </para>
     <para>
       In order to enable a systemd <emphasis>system</emphasis> service
       with provided upstream package, use (e.g):
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 systemd.packages = [ pkgs.packagekit ];
 </programlisting>
     <para>
       Usually NixOS modules written by the community do the above, plus
       take care of other details. If a module was written for a service
-      you are interested in, you'd probably need only to use
+      you are interested in, you’d probably need only to use
       <literal>services.#name#.enable = true;</literal>. These services
-      are defined in Nixpkgs'
+      are defined in Nixpkgs’
       <link xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/modules">
       <literal>nixos/modules/</literal> directory </link>. In case the
       service is simple enough, the above method should work, and start
@@ -111,8 +111,8 @@ systemd.packages = [ pkgs.packagekit ];
       unit file at <literal>#pkg-out#/lib/systemd/user/</literal>, using
       <xref linkend="opt-systemd.packages" /> will make you able to
       start the service via <literal>systemctl --user start</literal>,
-      but it won't start automatically on login. However, You can
-      imperatively enable it by adding the package's attribute to
+      but it won’t start automatically on login. However, You can
+      imperatively enable it by adding the package’s attribute to
       <xref linkend="opt-systemd.packages" /> and then do this (e.g):
     </para>
     <programlisting>
@@ -129,7 +129,7 @@ $ systemctl --user enable syncthing.service
     </para>
     <para>
       Using <literal>systemctl --user enable syncthing.service</literal>
-      instead of the above, will work, but it'll use the absolute path
+      instead of the above, will work, but it’ll use the absolute path
       of <literal>syncthing.service</literal> for the symlink, and this
       path is in <literal>/nix/store/.../lib/systemd/user/</literal>.
       Hence <link linkend="sec-nix-gc">garbage collection</link> will
diff --git a/nixos/doc/manual/from_md/configuration/abstractions.section.xml b/nixos/doc/manual/from_md/configuration/abstractions.section.xml
index c71e23e34adfd..469e85979e0f6 100644
--- a/nixos/doc/manual/from_md/configuration/abstractions.section.xml
+++ b/nixos/doc/manual/from_md/configuration/abstractions.section.xml
@@ -4,7 +4,7 @@
     If you find yourself repeating yourself over and over, it’s time to
     abstract. Take, for instance, this Apache HTTP Server configuration:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 {
   services.httpd.virtualHosts =
     { &quot;blog.example.org&quot; = {
@@ -29,7 +29,7 @@
     the only difference is the document root directories. To prevent
     this duplication, we can use a <literal>let</literal>:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 let
   commonConfig =
     { adminAddr = &quot;alice@example.org&quot;;
@@ -55,7 +55,7 @@ in
     You can write a <literal>let</literal> wherever an expression is
     allowed. Thus, you also could have written:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 {
   services.httpd.virtualHosts =
     let commonConfig = ...; in
@@ -74,7 +74,7 @@ in
     of different virtual hosts, all with identical configuration except
     for the document root. This can be done as follows:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 {
   services.httpd.virtualHosts =
     let
diff --git a/nixos/doc/manual/from_md/configuration/ad-hoc-network-config.section.xml b/nixos/doc/manual/from_md/configuration/ad-hoc-network-config.section.xml
index 035ee3122e157..516022dc16d24 100644
--- a/nixos/doc/manual/from_md/configuration/ad-hoc-network-config.section.xml
+++ b/nixos/doc/manual/from_md/configuration/ad-hoc-network-config.section.xml
@@ -7,7 +7,7 @@
     network configuration not covered by the existing NixOS modules. For
     instance, to statically configure an IPv6 address:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.localCommands =
   ''
     ip -6 addr add 2001:610:685:1::1/64 dev eth0
diff --git a/nixos/doc/manual/from_md/configuration/adding-custom-packages.section.xml b/nixos/doc/manual/from_md/configuration/adding-custom-packages.section.xml
index 07f541666cbe1..b1a1a8df32477 100644
--- a/nixos/doc/manual/from_md/configuration/adding-custom-packages.section.xml
+++ b/nixos/doc/manual/from_md/configuration/adding-custom-packages.section.xml
@@ -28,7 +28,7 @@ $ cd nixpkgs
       manual. Finally, you add it to
       <xref linkend="opt-environment.systemPackages" />, e.g.
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 environment.systemPackages = [ pkgs.my-package ];
 </programlisting>
     <para>
@@ -45,7 +45,7 @@ environment.systemPackages = [ pkgs.my-package ];
       Hello</link> package directly in
       <literal>configuration.nix</literal>:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 environment.systemPackages =
   let
     my-hello = with pkgs; stdenv.mkDerivation rec {
@@ -62,13 +62,13 @@ environment.systemPackages =
       Of course, you can also move the definition of
       <literal>my-hello</literal> into a separate Nix expression, e.g.
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 environment.systemPackages = [ (import ./my-hello.nix) ];
 </programlisting>
     <para>
       where <literal>my-hello.nix</literal> contains:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 with import &lt;nixpkgs&gt; {}; # bring all of Nixpkgs into scope
 
 stdenv.mkDerivation rec {
@@ -98,7 +98,7 @@ Hello, world!
       need to install <literal>appimage-run</literal>: add to
       <literal>/etc/nixos/configuration.nix</literal>
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 environment.systemPackages = [ pkgs.appimage-run ];
 </programlisting>
     <para>
diff --git a/nixos/doc/manual/from_md/configuration/config-file.section.xml b/nixos/doc/manual/from_md/configuration/config-file.section.xml
index 9792116eb08d5..f6c8f70cffc54 100644
--- a/nixos/doc/manual/from_md/configuration/config-file.section.xml
+++ b/nixos/doc/manual/from_md/configuration/config-file.section.xml
@@ -3,7 +3,7 @@
   <para>
     The NixOS configuration file generally looks like this:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, pkgs, ... }:
 
 { option definitions
@@ -21,7 +21,7 @@
     the name of an option and <literal>value</literal> is its value. For
     example,
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, pkgs, ... }:
 
 { services.httpd.enable = true;
@@ -44,7 +44,7 @@
     <literal>true</literal>. This means that the example above can also
     be written as:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, pkgs, ... }:
 
 { services = {
@@ -96,7 +96,7 @@ The option value `services.httpd.enable' in `/etc/nixos/configuration.nix' is no
         <para>
           Strings are enclosed in double quotes, e.g.
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 networking.hostName = &quot;dexter&quot;;
 </programlisting>
         <para>
@@ -107,7 +107,7 @@ networking.hostName = &quot;dexter&quot;;
           Multi-line strings can be enclosed in <emphasis>double single
           quotes</emphasis>, e.g.
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 networking.extraHosts =
   ''
     127.0.0.2 other-localhost
@@ -135,7 +135,7 @@ networking.extraHosts =
           These can be <literal>true</literal> or
           <literal>false</literal>, e.g.
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 networking.firewall.enable = true;
 networking.firewall.allowPing = false;
 </programlisting>
@@ -149,7 +149,7 @@ networking.firewall.allowPing = false;
         <para>
           For example,
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 boot.kernel.sysctl.&quot;net.ipv4.tcp_keepalive_time&quot; = 60;
 </programlisting>
         <para>
@@ -171,7 +171,7 @@ boot.kernel.sysctl.&quot;net.ipv4.tcp_keepalive_time&quot; = 60;
           Sets were introduced above. They are name/value pairs enclosed
           in braces, as in the option definition
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 fileSystems.&quot;/boot&quot; =
   { device = &quot;/dev/sda1&quot;;
     fsType = &quot;ext4&quot;;
@@ -189,13 +189,13 @@ fileSystems.&quot;/boot&quot; =
           The important thing to note about lists is that list elements
           are separated by whitespace, like this:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 boot.kernelModules = [ &quot;fuse&quot; &quot;kvm-intel&quot; &quot;coretemp&quot; ];
 </programlisting>
         <para>
           List elements can be any other type, e.g. sets:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 swapDevices = [ { device = &quot;/dev/disk/by-label/swap&quot;; } ];
 </programlisting>
       </listitem>
@@ -211,7 +211,7 @@ swapDevices = [ { device = &quot;/dev/disk/by-label/swap&quot;; } ];
           through the function argument <literal>pkgs</literal>. Typical
           uses:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 environment.systemPackages =
   [ pkgs.thunderbird
     pkgs.emacs
diff --git a/nixos/doc/manual/from_md/configuration/customizing-packages.section.xml b/nixos/doc/manual/from_md/configuration/customizing-packages.section.xml
index f78b5dc5460c5..8026c4102b486 100644
--- a/nixos/doc/manual/from_md/configuration/customizing-packages.section.xml
+++ b/nixos/doc/manual/from_md/configuration/customizing-packages.section.xml
@@ -22,7 +22,7 @@
     a dependency on GTK 2. If you want to build it against GTK 3, you
     can specify that as follows:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 environment.systemPackages = [ (pkgs.emacs.override { gtk = pkgs.gtk3; }) ];
 </programlisting>
   <para>
@@ -46,7 +46,7 @@ environment.systemPackages = [ (pkgs.emacs.override { gtk = pkgs.gtk3; }) ];
     the package, such as the source code. For instance, if you want to
     override the source code of Emacs, you can say:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 environment.systemPackages = [
   (pkgs.emacs.overrideAttrs (oldAttrs: {
     name = &quot;emacs-25.0-pre&quot;;
@@ -72,7 +72,7 @@ environment.systemPackages = [
     everything depend on your customised instance, you can apply a
     <emphasis>global</emphasis> override as follows:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 nixpkgs.config.packageOverrides = pkgs:
   { emacs = pkgs.emacs.override { gtk = pkgs.gtk3; };
   };
diff --git a/nixos/doc/manual/from_md/configuration/declarative-packages.section.xml b/nixos/doc/manual/from_md/configuration/declarative-packages.section.xml
index da31f18d9233e..bee310c2e34bf 100644
--- a/nixos/doc/manual/from_md/configuration/declarative-packages.section.xml
+++ b/nixos/doc/manual/from_md/configuration/declarative-packages.section.xml
@@ -7,7 +7,7 @@
     adding the following line to <literal>configuration.nix</literal>
     enables the Mozilla Thunderbird email application:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 environment.systemPackages = [ pkgs.thunderbird ];
 </programlisting>
   <para>
diff --git a/nixos/doc/manual/from_md/configuration/file-systems.chapter.xml b/nixos/doc/manual/from_md/configuration/file-systems.chapter.xml
index 71441d8b4a5b3..e5285c7975556 100644
--- a/nixos/doc/manual/from_md/configuration/file-systems.chapter.xml
+++ b/nixos/doc/manual/from_md/configuration/file-systems.chapter.xml
@@ -7,7 +7,7 @@
     <literal>/dev/disk/by-label/data</literal> onto the mount point
     <literal>/data</literal>:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 fileSystems.&quot;/data&quot; =
   { device = &quot;/dev/disk/by-label/data&quot;;
     fsType = &quot;ext4&quot;;
diff --git a/nixos/doc/manual/from_md/configuration/firewall.section.xml b/nixos/doc/manual/from_md/configuration/firewall.section.xml
index 24c19bb1c66d7..6e1ffab72c540 100644
--- a/nixos/doc/manual/from_md/configuration/firewall.section.xml
+++ b/nixos/doc/manual/from_md/configuration/firewall.section.xml
@@ -6,14 +6,14 @@
     both IPv4 and IPv6 traffic. It is enabled by default. It can be
     disabled as follows:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.firewall.enable = false;
 </programlisting>
   <para>
     If the firewall is enabled, you can open specific TCP ports to the
     outside world:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 </programlisting>
   <para>
@@ -26,7 +26,7 @@ networking.firewall.allowedTCPPorts = [ 80 443 ];
   <para>
     To open ranges of TCP ports:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.firewall.allowedTCPPortRanges = [
   { from = 4000; to = 4007; }
   { from = 8000; to = 8010; }
diff --git a/nixos/doc/manual/from_md/configuration/gpu-accel.chapter.xml b/nixos/doc/manual/from_md/configuration/gpu-accel.chapter.xml
index 90d2c17e12efb..c95d3dc865256 100644
--- a/nixos/doc/manual/from_md/configuration/gpu-accel.chapter.xml
+++ b/nixos/doc/manual/from_md/configuration/gpu-accel.chapter.xml
@@ -62,7 +62,7 @@ Platform Vendor      Advanced Micro Devices, Inc.
         <xref linkend="opt-hardware.opengl.extraPackages" /> enables
         OpenCL support:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 hardware.opengl.extraPackages = [
   rocm-opencl-icd
 ];
@@ -85,7 +85,7 @@ hardware.opengl.extraPackages = [
         enable OpenCL support. For example, for Gen8 and later GPUs, the
         following configuration can be used:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 hardware.opengl.extraPackages = [
   intel-compute-runtime
 ];
@@ -162,7 +162,7 @@ GPU1:
         makes amdvlk the default driver and hides radv and lavapipe from
         the device list. A specific driver can be forced as follows:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 hardware.opengl.extraPackages = [
   pkgs.amdvlk
 ];
@@ -206,7 +206,7 @@ $ nix-shell -p libva-utils --run vainfo
         Modern Intel GPUs use the iHD driver, which can be installed
         with:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 hardware.opengl.extraPackages = [
   intel-media-driver
 ];
@@ -215,7 +215,7 @@ hardware.opengl.extraPackages = [
         Older Intel GPUs use the i965 driver, which can be installed
         with:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 hardware.opengl.extraPackages = [
   vaapiIntel
 ];
diff --git a/nixos/doc/manual/from_md/configuration/ipv4-config.section.xml b/nixos/doc/manual/from_md/configuration/ipv4-config.section.xml
index 047ba2165f070..49ec6f5952ecf 100644
--- a/nixos/doc/manual/from_md/configuration/ipv4-config.section.xml
+++ b/nixos/doc/manual/from_md/configuration/ipv4-config.section.xml
@@ -6,7 +6,7 @@
     interfaces. However, you can configure an interface manually as
     follows:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.interfaces.eth0.ipv4.addresses = [ {
   address = &quot;192.168.1.2&quot;;
   prefixLength = 24;
@@ -16,7 +16,7 @@ networking.interfaces.eth0.ipv4.addresses = [ {
     Typically you’ll also want to set a default gateway and set of name
     servers:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.defaultGateway = &quot;192.168.1.1&quot;;
 networking.nameservers = [ &quot;8.8.8.8&quot; ];
 </programlisting>
@@ -32,7 +32,7 @@ networking.nameservers = [ &quot;8.8.8.8&quot; ];
     The host name is set using
     <xref linkend="opt-networking.hostName" />:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.hostName = &quot;cartman&quot;;
 </programlisting>
   <para>
diff --git a/nixos/doc/manual/from_md/configuration/ipv6-config.section.xml b/nixos/doc/manual/from_md/configuration/ipv6-config.section.xml
index 137c3d772a86d..2adb106226245 100644
--- a/nixos/doc/manual/from_md/configuration/ipv6-config.section.xml
+++ b/nixos/doc/manual/from_md/configuration/ipv6-config.section.xml
@@ -10,21 +10,21 @@
     <xref linkend="opt-networking.interfaces._name_.tempAddress" />. You
     can disable IPv6 support globally by setting:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.enableIPv6 = false;
 </programlisting>
   <para>
     You can disable IPv6 on a single interface using a normal sysctl (in
     this example, we use interface <literal>eth0</literal>):
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 boot.kernel.sysctl.&quot;net.ipv6.conf.eth0.disable_ipv6&quot; = true;
 </programlisting>
   <para>
     As with IPv4 networking interfaces are automatically configured via
     DHCPv6. You can configure an interface manually:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.interfaces.eth0.ipv6.addresses = [ {
   address = &quot;fe00:aa:bb:cc::2&quot;;
   prefixLength = 64;
@@ -34,7 +34,7 @@ networking.interfaces.eth0.ipv6.addresses = [ {
     For configuring a gateway, optionally with explicitly specified
     interface:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.defaultGateway6 = {
   address = &quot;fe00::1&quot;;
   interface = &quot;enp0s3&quot;;
diff --git a/nixos/doc/manual/from_md/configuration/kubernetes.chapter.xml b/nixos/doc/manual/from_md/configuration/kubernetes.chapter.xml
index 1de19f64bdad1..da9ba323f18cf 100644
--- a/nixos/doc/manual/from_md/configuration/kubernetes.chapter.xml
+++ b/nixos/doc/manual/from_md/configuration/kubernetes.chapter.xml
@@ -10,7 +10,7 @@
     way is to enable and configure cluster components appropriately by
     hand:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 services.kubernetes = {
   apiserver.enable = true;
   controllerManager.enable = true;
@@ -21,24 +21,24 @@ services.kubernetes = {
 };
 </programlisting>
   <para>
-    Another way is to assign cluster roles (&quot;master&quot; and/or
-    &quot;node&quot;) to the host. This enables apiserver,
+    Another way is to assign cluster roles (<quote>master</quote> and/or
+    <quote>node</quote>) to the host. This enables apiserver,
     controllerManager, scheduler, addonManager, kube-proxy and etcd:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 services.kubernetes.roles = [ &quot;master&quot; ];
 </programlisting>
   <para>
     While this will enable the kubelet and kube-proxy only:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 services.kubernetes.roles = [ &quot;node&quot; ];
 </programlisting>
   <para>
     Assigning both the master and node roles is usable if you want a
     single node Kubernetes cluster for dev or testing purposes:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 services.kubernetes.roles = [ &quot;master&quot; &quot;node&quot; ];
 </programlisting>
   <para>
diff --git a/nixos/doc/manual/from_md/configuration/linux-kernel.chapter.xml b/nixos/doc/manual/from_md/configuration/linux-kernel.chapter.xml
index dd570e1d66c27..f889306d51c02 100644
--- a/nixos/doc/manual/from_md/configuration/linux-kernel.chapter.xml
+++ b/nixos/doc/manual/from_md/configuration/linux-kernel.chapter.xml
@@ -5,7 +5,7 @@
     option <literal>boot.kernelPackages</literal>. For instance, this
     selects the Linux 3.10 kernel:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 boot.kernelPackages = pkgs.linuxKernel.packages.linux_3_10;
 </programlisting>
   <para>
@@ -48,7 +48,7 @@ zcat /proc/config.gz
     <xref linkend="sec-customising-packages" />). For instance, to
     enable support for the kernel debugger KGDB:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 nixpkgs.config.packageOverrides = pkgs: pkgs.lib.recursiveUpdate pkgs {
   linuxKernel.kernels.linux_5_10 = pkgs.linuxKernel.kernels.linux_5_10.override {
     extraConfig = ''
@@ -69,7 +69,7 @@ nixpkgs.config.packageOverrides = pkgs: pkgs.lib.recursiveUpdate pkgs {
     automatically by <literal>udev</literal>. You can force a module to
     be loaded via <xref linkend="opt-boot.kernelModules" />, e.g.
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 boot.kernelModules = [ &quot;fuse&quot; &quot;kvm-intel&quot; &quot;coretemp&quot; ];
 </programlisting>
   <para>
@@ -77,7 +77,7 @@ boot.kernelModules = [ &quot;fuse&quot; &quot;kvm-intel&quot; &quot;coretemp&quo
     root file system), you can use
     <xref linkend="opt-boot.initrd.kernelModules" />:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 boot.initrd.kernelModules = [ &quot;cifs&quot; ];
 </programlisting>
   <para>
@@ -88,7 +88,7 @@ boot.initrd.kernelModules = [ &quot;cifs&quot; ];
     Kernel runtime parameters can be set through
     <xref linkend="opt-boot.kernel.sysctl" />, e.g.
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 boot.kernel.sysctl.&quot;net.ipv4.tcp_keepalive_time&quot; = 120;
 </programlisting>
   <para>
@@ -96,65 +96,82 @@ boot.kernel.sysctl.&quot;net.ipv4.tcp_keepalive_time&quot; = 120;
     available parameters, run <literal>sysctl -a</literal>.
   </para>
   <section xml:id="sec-linux-config-customizing">
-    <title>Customize your kernel</title>
+    <title>Building a custom kernel</title>
     <para>
-      The first step before compiling the kernel is to generate an
-      appropriate <literal>.config</literal> configuration. Either you
-      pass your own config via the <literal>configfile</literal> setting
-      of <literal>linuxKernel.manualConfig</literal>:
+      You can customize the default kernel configuration by overriding
+      the arguments for your kernel package:
     </para>
-    <programlisting language="bash">
-custom-kernel = let base_kernel = linuxKernel.kernels.linux_4_9;
-  in super.linuxKernel.manualConfig {
-    inherit (super) stdenv hostPlatform;
-    inherit (base_kernel) src;
-    version = &quot;${base_kernel.version}-custom&quot;;
-
-    configfile = /home/me/my_kernel_config;
-    allowImportFromDerivation = true;
-};
+    <programlisting language="nix">
+pkgs.linux_latest.override {
+  ignoreConfigErrors = true;
+  autoModules = false;
+  kernelPreferBuiltin = true;
+  extraStructuredConfig = with lib.kernel; {
+    DEBUG_KERNEL = yes;
+    FRAME_POINTER = yes;
+    KGDB = yes;
+    KGDB_SERIAL_CONSOLE = yes;
+    DEBUG_INFO = yes;
+  };
+}
 </programlisting>
     <para>
-      You can edit the config with this snippet (by default
-      <literal>make menuconfig</literal> won't work out of the box on
-      nixos):
+      See <literal>pkgs/os-specific/linux/kernel/generic.nix</literal>
+      for details on how these arguments affect the generated
+      configuration. You can also build a custom version of Linux by
+      calling <literal>pkgs.buildLinux</literal> directly, which
+      requires the <literal>src</literal> and <literal>version</literal>
+      arguments to be specified.
     </para>
-    <programlisting>
-nix-shell -E 'with import &lt;nixpkgs&gt; {}; kernelToOverride.overrideAttrs (o: {nativeBuildInputs=o.nativeBuildInputs ++ [ pkg-config ncurses ];})'
+    <para>
+      To use your custom kernel package in your NixOS configuration, set
+    </para>
+    <programlisting language="nix">
+boot.kernelPackages = pkgs.linuxPackagesFor yourCustomKernel;
 </programlisting>
     <para>
-      or you can let nixpkgs generate the configuration. Nixpkgs
-      generates it via answering the interactive kernel utility
-      <literal>make config</literal>. The answers depend on parameters
-      passed to
-      <literal>pkgs/os-specific/linux/kernel/generic.nix</literal>
-      (which you can influence by overriding
-      <literal>extraConfig, autoModules, modDirVersion, preferBuiltin, extraConfig</literal>).
+      Note that this method will use the common configuration defined in
+      <literal>pkgs/os-specific/linux/kernel/common-config.nix</literal>,
+      which is suitable for a NixOS system.
     </para>
-    <programlisting language="bash">
-mptcp93.override ({
-  name=&quot;mptcp-local&quot;;
-
-  ignoreConfigErrors = true;
-  autoModules = false;
-  kernelPreferBuiltin = true;
-
-  enableParallelBuilding = true;
-
-  extraConfig = ''
-    DEBUG_KERNEL y
-    FRAME_POINTER y
-    KGDB y
-    KGDB_SERIAL_CONSOLE y
-    DEBUG_INFO y
-  '';
-});
+    <para>
+      If you already have a generated configuration file, you can build
+      a kernel that uses it with
+      <literal>pkgs.linuxManualConfig</literal>:
+    </para>
+    <programlisting language="nix">
+let
+  baseKernel = pkgs.linux_latest;
+in pkgs.linuxManualConfig {
+  inherit (baseKernel) src modDirVersion;
+  version = &quot;${baseKernel.version}-custom&quot;;
+  configfile = ./my_kernel_config;
+  allowImportFromDerivation = true;
+}
+</programlisting>
+    <note>
+      <para>
+        The build will fail if <literal>modDirVersion</literal> does not
+        match the source’s <literal>kernel.release</literal> file, so
+        <literal>modDirVersion</literal> should remain tied to
+        <literal>src</literal>.
+      </para>
+    </note>
+    <para>
+      To edit the <literal>.config</literal> file for Linux X.Y, proceed
+      as follows:
+    </para>
+    <programlisting>
+$ nix-shell '&lt;nixpkgs&gt;' -A linuxKernel.kernels.linux_X_Y.configEnv
+$ unpackPhase
+$ cd linux-*
+$ make nconfig
 </programlisting>
   </section>
   <section xml:id="sec-linux-config-developing-modules">
     <title>Developing kernel modules</title>
     <para>
-      When developing kernel modules it's often convenient to run
+      When developing kernel modules it’s often convenient to run
       edit-compile-run loop as quickly as possible. See below snippet as
       an example of developing <literal>mellanox</literal> drivers.
     </para>
@@ -181,7 +198,7 @@ $ make -C $dev/lib/modules/*/build M=$(pwd)/drivers/net/ethernet/mellanox module
       available kernel version <emphasis>that is supported by
       ZFS</emphasis> like this:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 {
   boot.kernelPackages = pkgs.zfs.latestCompatibleLinuxPackages;
 }
diff --git a/nixos/doc/manual/from_md/configuration/luks-file-systems.section.xml b/nixos/doc/manual/from_md/configuration/luks-file-systems.section.xml
index 42b766eba98b4..144a5acecae30 100644
--- a/nixos/doc/manual/from_md/configuration/luks-file-systems.section.xml
+++ b/nixos/doc/manual/from_md/configuration/luks-file-systems.section.xml
@@ -30,7 +30,7 @@ Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***
     at boot time as <literal>/</literal>, add the following to
     <literal>configuration.nix</literal>:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 boot.initrd.luks.devices.crypted.device = &quot;/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d&quot;;
 fileSystems.&quot;/&quot;.device = &quot;/dev/mapper/crypted&quot;;
 </programlisting>
@@ -39,7 +39,7 @@ fileSystems.&quot;/&quot;.device = &quot;/dev/mapper/crypted&quot;;
     located on an encrypted partition, it is necessary to add the
     following grub option:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 boot.loader.grub.enableCryptodisk = true;
 </programlisting>
   <section xml:id="sec-luks-file-systems-fido2">
@@ -67,7 +67,7 @@ Added to key to device /dev/sda2, slot: 2
       compatible key, add the following to
       <literal>configuration.nix</literal>:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 boot.initrd.luks.fido2Support = true;
 boot.initrd.luks.devices.&quot;/dev/sda2&quot;.fido2.credential = &quot;f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7&quot;;
 </programlisting>
@@ -77,7 +77,7 @@ boot.initrd.luks.devices.&quot;/dev/sda2&quot;.fido2.credential = &quot;f1d00200
       protected, such as
       <link xlink:href="https://trezor.io/">Trezor</link>.
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 boot.initrd.luks.devices.&quot;/dev/sda2&quot;.fido2.passwordLess = true;
 </programlisting>
   </section>
diff --git a/nixos/doc/manual/from_md/configuration/modularity.section.xml b/nixos/doc/manual/from_md/configuration/modularity.section.xml
index a7688090fcc59..987b2fc43c013 100644
--- a/nixos/doc/manual/from_md/configuration/modularity.section.xml
+++ b/nixos/doc/manual/from_md/configuration/modularity.section.xml
@@ -14,7 +14,7 @@
     other modules by including them from
     <literal>configuration.nix</literal>, e.g.:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, pkgs, ... }:
 
 { imports = [ ./vpn.nix ./kde.nix ];
@@ -28,7 +28,7 @@
     <literal>vpn.nix</literal> and <literal>kde.nix</literal>. The
     latter might look like this:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, pkgs, ... }:
 
 { services.xserver.enable = true;
@@ -50,7 +50,7 @@
     you want it to appear first, you can use
     <literal>mkBefore</literal>:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 boot.kernelModules = mkBefore [ &quot;kvm-intel&quot; ];
 </programlisting>
   <para>
@@ -70,7 +70,7 @@ The unique option `services.httpd.adminAddr' is defined multiple times, in `/etc
     When that happens, it’s possible to force one definition take
     precedence over the others:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 services.httpd.adminAddr = pkgs.lib.mkForce &quot;bob@example.org&quot;;
 </programlisting>
   <para>
@@ -93,7 +93,7 @@ services.httpd.adminAddr = pkgs.lib.mkForce &quot;bob@example.org&quot;;
     <xref linkend="opt-services.xserver.enable" /> is set to
     <literal>true</literal> somewhere else:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, pkgs, ... }:
 
 { environment.systemPackages =
@@ -137,7 +137,7 @@ nix-repl&gt; map (x: x.hostName) config.services.httpd.virtualHosts
     below would have the same effect as importing a file which sets
     those options.
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, pkgs, ... }:
 
 let netConfig = hostName: {
diff --git a/nixos/doc/manual/from_md/configuration/network-manager.section.xml b/nixos/doc/manual/from_md/configuration/network-manager.section.xml
index 8f0d6d680ae07..c49618b4b9427 100644
--- a/nixos/doc/manual/from_md/configuration/network-manager.section.xml
+++ b/nixos/doc/manual/from_md/configuration/network-manager.section.xml
@@ -4,7 +4,7 @@
     To facilitate network configuration, some desktop environments use
     NetworkManager. You can enable NetworkManager by setting:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.networkmanager.enable = true;
 </programlisting>
   <para>
@@ -15,7 +15,7 @@ networking.networkmanager.enable = true;
     All users that should have permission to change network settings
     must belong to the <literal>networkmanager</literal> group:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 users.users.alice.extraGroups = [ &quot;networkmanager&quot; ];
 </programlisting>
   <para>
@@ -36,7 +36,7 @@ users.users.alice.extraGroups = [ &quot;networkmanager&quot; ];
       used together if desired. To do this you need to instruct
       NetworkManager to ignore those interfaces like:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 networking.networkmanager.unmanaged = [
    &quot;*&quot; &quot;except:type:wwan&quot; &quot;except:type:gsm&quot;
 ];
diff --git a/nixos/doc/manual/from_md/configuration/profiles.chapter.xml b/nixos/doc/manual/from_md/configuration/profiles.chapter.xml
index 6f5fc130c6a07..f3aacfc0a2451 100644
--- a/nixos/doc/manual/from_md/configuration/profiles.chapter.xml
+++ b/nixos/doc/manual/from_md/configuration/profiles.chapter.xml
@@ -4,12 +4,12 @@
     In some cases, it may be desirable to take advantage of
     commonly-used, predefined configurations provided by nixpkgs, but
     different from those that come as default. This is a role fulfilled
-    by NixOS's Profiles, which come as files living in
+    by NixOS’s Profiles, which come as files living in
     <literal>&lt;nixpkgs/nixos/modules/profiles&gt;</literal>. That is
     to say, expected usage is to add them to the imports list of your
     <literal>/etc/configuration.nix</literal> as such:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 imports = [
   &lt;nixpkgs/nixos/modules/profiles/profile-name.nix&gt;
 ];
diff --git a/nixos/doc/manual/from_md/configuration/renaming-interfaces.section.xml b/nixos/doc/manual/from_md/configuration/renaming-interfaces.section.xml
index 88c9e624c82ff..fca99edcbaea3 100644
--- a/nixos/doc/manual/from_md/configuration/renaming-interfaces.section.xml
+++ b/nixos/doc/manual/from_md/configuration/renaming-interfaces.section.xml
@@ -30,7 +30,7 @@
       the interface with MAC address
       <literal>52:54:00:12:01:01</literal> using a netword link unit:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 systemd.network.links.&quot;10-wan&quot; = {
   matchConfig.PermanentMACAddress = &quot;52:54:00:12:01:01&quot;;
   linkConfig.Name = &quot;wan&quot;;
@@ -43,7 +43,7 @@ systemd.network.links.&quot;10-wan&quot; = {
     <para>
       Alternatively, we can use a plain old udev rule:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.udev.initrdRules = ''
   SUBSYSTEM==&quot;net&quot;, ACTION==&quot;add&quot;, DRIVERS==&quot;?*&quot;, \
   ATTR{address}==&quot;52:54:00:12:01:01&quot;, KERNEL==&quot;eth*&quot;, NAME=&quot;wan&quot;
diff --git a/nixos/doc/manual/from_md/configuration/ssh.section.xml b/nixos/doc/manual/from_md/configuration/ssh.section.xml
index 037418d8ea4dd..a330457f51d63 100644
--- a/nixos/doc/manual/from_md/configuration/ssh.section.xml
+++ b/nixos/doc/manual/from_md/configuration/ssh.section.xml
@@ -3,7 +3,7 @@
   <para>
     Secure shell (SSH) access to your machine can be enabled by setting:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 services.openssh.enable = true;
 </programlisting>
   <para>
@@ -16,7 +16,7 @@ services.openssh.enable = true;
     You can declaratively specify authorised RSA/DSA public keys for a
     user as follows:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 users.users.alice.openssh.authorizedKeys.keys =
   [ &quot;ssh-dss AAAAB3NzaC1kc3MAAACBAPIkGWVEt4...&quot; ];
 </programlisting>
diff --git a/nixos/doc/manual/from_md/configuration/sshfs-file-systems.section.xml b/nixos/doc/manual/from_md/configuration/sshfs-file-systems.section.xml
index 5d74712f35dc3..26984dd411a11 100644
--- a/nixos/doc/manual/from_md/configuration/sshfs-file-systems.section.xml
+++ b/nixos/doc/manual/from_md/configuration/sshfs-file-systems.section.xml
@@ -54,7 +54,7 @@ SHA256:yjxl3UbTn31fLWeyLYTAKYJPRmzknjQZoyG8gSNEoIE my-user@workstation
       <link linkend="opt-fileSystems">fileSystems</link> option. Here’s
       a typical setup:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 {
   system.fsPackages = [ pkgs.sshfs ];
 
@@ -80,7 +80,7 @@ SHA256:yjxl3UbTn31fLWeyLYTAKYJPRmzknjQZoyG8gSNEoIE my-user@workstation
       well, for example you can change the default SSH port or specify a
       jump proxy:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 {
   options =
     [ &quot;ProxyJump=bastion@example.com&quot;
@@ -92,7 +92,7 @@ SHA256:yjxl3UbTn31fLWeyLYTAKYJPRmzknjQZoyG8gSNEoIE my-user@workstation
       It’s also possible to change the <literal>ssh</literal> command
       used by SSHFS to connect to the server. For example:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 {
   options =
     [ (builtins.replaceStrings [&quot; &quot;] [&quot;\\040&quot;]
diff --git a/nixos/doc/manual/from_md/configuration/subversion.chapter.xml b/nixos/doc/manual/from_md/configuration/subversion.chapter.xml
index 794c2c34e3994..4390fc54ab534 100644
--- a/nixos/doc/manual/from_md/configuration/subversion.chapter.xml
+++ b/nixos/doc/manual/from_md/configuration/subversion.chapter.xml
@@ -25,7 +25,7 @@
       Apache HTTP, setting
       <xref linkend="opt-services.httpd.adminAddr" /> appropriately:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.httpd.enable = true;
 services.httpd.adminAddr = ...;
 networking.firewall.allowedTCPPorts = [ 80 443 ];
@@ -40,7 +40,7 @@ networking.firewall.allowedTCPPorts = [ 80 443 ];
       <literal>.authz</literal> file describing access permission, and
       <literal>AuthUserFile</literal> to the password file.
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.httpd.extraModules = [
     # note that order is *super* important here
     { name = &quot;dav_svn&quot;; path = &quot;${pkgs.apacheHttpdPackages.subversion}/modules/mod_dav_svn.so&quot;; }
@@ -106,7 +106,7 @@ $ htpasswd -s PASSWORD_FILE USER_NAME
       <literal>ACCESS_FILE</literal> will look something like the
       following:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 [/]
 * = r
 
diff --git a/nixos/doc/manual/from_md/configuration/user-mgmt.chapter.xml b/nixos/doc/manual/from_md/configuration/user-mgmt.chapter.xml
index a2d7d2a9f1154..d61b248d5eef6 100644
--- a/nixos/doc/manual/from_md/configuration/user-mgmt.chapter.xml
+++ b/nixos/doc/manual/from_md/configuration/user-mgmt.chapter.xml
@@ -7,7 +7,7 @@
     states that a user account named <literal>alice</literal> shall
     exist:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 users.users.alice = {
   isNormalUser = true;
   home = &quot;/home/alice&quot;;
@@ -36,7 +36,7 @@ users.users.alice = {
     <xref linkend="opt-users.users" /> and run nixos-rebuild, the user
     account will cease to exist. Also, imperative commands for managing
     users and groups, such as useradd, are no longer available.
-    Passwords may still be assigned by setting the user's
+    Passwords may still be assigned by setting the user’s
     <link linkend="opt-users.users._name_.hashedPassword">hashedPassword</link>
     option. A hashed password can be generated using
     <literal>mkpasswd</literal>.
@@ -45,7 +45,7 @@ users.users.alice = {
     A user ID (uid) is assigned automatically. You can also specify a
     uid manually by adding
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 uid = 1000;
 </programlisting>
   <para>
@@ -55,7 +55,7 @@ uid = 1000;
     Groups can be specified similarly. The following states that a group
     named <literal>students</literal> shall exist:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 users.groups.students.gid = 1000;
 </programlisting>
   <para>
diff --git a/nixos/doc/manual/from_md/configuration/wayland.chapter.xml b/nixos/doc/manual/from_md/configuration/wayland.chapter.xml
index 1e90d4f31177c..07892c875bb25 100644
--- a/nixos/doc/manual/from_md/configuration/wayland.chapter.xml
+++ b/nixos/doc/manual/from_md/configuration/wayland.chapter.xml
@@ -5,11 +5,12 @@
     display technology on NixOS, Wayland support is steadily improving.
     Where X11 separates the X Server and the window manager, on Wayland
     those are combined: a Wayland Compositor is like an X11 window
-    manager, but also embeds the Wayland 'Server' functionality. This
-    means it is sufficient to install a Wayland Compositor such as sway
-    without separately enabling a Wayland server:
+    manager, but also embeds the Wayland <quote>Server</quote>
+    functionality. This means it is sufficient to install a Wayland
+    Compositor such as sway without separately enabling a Wayland
+    server:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 programs.sway.enable = true;
 </programlisting>
   <para>
@@ -21,7 +22,7 @@ programs.sway.enable = true;
     be able to share your screen, you might want to activate this
     option:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 xdg.portal.wlr.enable = true;
 </programlisting>
   <para>
diff --git a/nixos/doc/manual/from_md/configuration/wireless.section.xml b/nixos/doc/manual/from_md/configuration/wireless.section.xml
index d39ec4fac493e..79feab47203a5 100644
--- a/nixos/doc/manual/from_md/configuration/wireless.section.xml
+++ b/nixos/doc/manual/from_md/configuration/wireless.section.xml
@@ -9,13 +9,13 @@
   <para>
     NixOS will start wpa_supplicant for you if you enable this setting:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.wireless.enable = true;
 </programlisting>
   <para>
     NixOS lets you specify networks for wpa_supplicant declaratively:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.wireless.networks = {
   echelon = {                # SSID with no spaces or special characters
     psk = &quot;abcdefgh&quot;;
@@ -49,7 +49,7 @@ network={
         psk=dca6d6ed41f4ab5a984c9f55f6f66d4efdc720ebf66959810f4329bb391c5435
 }
 </programlisting>
-  <programlisting language="bash">
+  <programlisting language="nix">
 networking.wireless.networks = {
   echelon = {
     pskRaw = &quot;dca6d6ed41f4ab5a984c9f55f6f66d4efdc720ebf66959810f4329bb391c5435&quot;;
diff --git a/nixos/doc/manual/from_md/configuration/x-windows.chapter.xml b/nixos/doc/manual/from_md/configuration/x-windows.chapter.xml
index c17e98983b27d..c5a8b9bae84d2 100644
--- a/nixos/doc/manual/from_md/configuration/x-windows.chapter.xml
+++ b/nixos/doc/manual/from_md/configuration/x-windows.chapter.xml
@@ -4,7 +4,7 @@
     The X Window System (X11) provides the basis of NixOS’ graphical
     user interface. It can be enabled as follows:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 services.xserver.enable = true;
 </programlisting>
   <para>
@@ -13,7 +13,7 @@ services.xserver.enable = true;
     and <literal>intel</literal>). You can also specify a driver
     manually, e.g.
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 services.xserver.videoDrivers = [ &quot;r128&quot; ];
 </programlisting>
   <para>
@@ -25,7 +25,7 @@ services.xserver.videoDrivers = [ &quot;r128&quot; ];
     <literal>xterm</literal> window. Thus you should pick one or more of
     the following lines:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 services.xserver.desktopManager.plasma5.enable = true;
 services.xserver.desktopManager.xfce.enable = true;
 services.xserver.desktopManager.gnome.enable = true;
@@ -42,14 +42,14 @@ services.xserver.windowManager.herbstluftwm.enable = true;
     LightDM. You can select an alternative one by picking one of the
     following lines:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 services.xserver.displayManager.sddm.enable = true;
 services.xserver.displayManager.gdm.enable = true;
 </programlisting>
   <para>
     You can set the keyboard layout (and optionally the layout variant):
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 services.xserver.layout = &quot;de&quot;;
 services.xserver.xkbVariant = &quot;neo&quot;;
 </programlisting>
@@ -57,7 +57,7 @@ services.xserver.xkbVariant = &quot;neo&quot;;
     The X server is started automatically at boot time. If you don’t
     want this to happen, you can set:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 services.xserver.autorun = false;
 </programlisting>
   <para>
@@ -70,7 +70,7 @@ services.xserver.autorun = false;
     On 64-bit systems, if you want OpenGL for 32-bit programs such as in
     Wine, you should also set the following:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 hardware.opengl.driSupport32Bit = true;
 </programlisting>
   <section xml:id="sec-x11-auto-login">
@@ -88,16 +88,16 @@ hardware.opengl.driSupport32Bit = true;
     <para>
       To enable auto-login, you need to define your default window
       manager and desktop environment. If you wanted no desktop
-      environment and i3 as your your window manager, you'd define:
+      environment and i3 as your your window manager, you’d define:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.xserver.displayManager.defaultSession = &quot;none+i3&quot;;
 </programlisting>
     <para>
       Every display manager in NixOS supports auto-login, here is an
       example using lightdm for a user <literal>alice</literal>:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.xserver.displayManager.lightdm.enable = true;
 services.xserver.displayManager.autoLogin.enable = true;
 services.xserver.displayManager.autoLogin.user = &quot;alice&quot;;
@@ -122,8 +122,8 @@ services.xserver.displayManager.autoLogin.user = &quot;alice&quot;;
     <para>
       The second driver, <literal>intel</literal>, is specific to Intel
       GPUs, but not recommended by most distributions: it lacks several
-      modern features (for example, it doesn't support Glamor) and the
-      package hasn't been officially updated since 2015.
+      modern features (for example, it doesn’t support Glamor) and the
+      package hasn’t been officially updated since 2015.
     </para>
     <para>
       The results vary depending on the hardware, so you may have to try
@@ -131,14 +131,14 @@ services.xserver.displayManager.autoLogin.user = &quot;alice&quot;;
       <xref linkend="opt-services.xserver.videoDrivers" /> to set one.
       The recommended configuration for modern systems is:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.xserver.videoDrivers = [ &quot;modesetting&quot; ];
 </programlisting>
     <para>
       If you experience screen tearing no matter what, this
       configuration was reported to resolve the issue:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.xserver.videoDrivers = [ &quot;intel&quot; ];
 services.xserver.deviceSection = ''
   Option &quot;DRI&quot; &quot;2&quot;
@@ -159,14 +159,14 @@ services.xserver.deviceSection = ''
       enabled by default because it’s not free software. You can enable
       it as follows:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.xserver.videoDrivers = [ &quot;nvidia&quot; ];
 </programlisting>
     <para>
       Or if you have an older card, you may have to use one of the
       legacy drivers:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.xserver.videoDrivers = [ &quot;nvidiaLegacy390&quot; ];
 services.xserver.videoDrivers = [ &quot;nvidiaLegacy340&quot; ];
 services.xserver.videoDrivers = [ &quot;nvidiaLegacy304&quot; ];
@@ -181,11 +181,11 @@ services.xserver.videoDrivers = [ &quot;nvidiaLegacy304&quot; ];
     <para>
       AMD provides a proprietary driver for its graphics cards that is
       not enabled by default because it’s not Free Software, is often
-      broken in nixpkgs and as of this writing doesn't offer more
+      broken in nixpkgs and as of this writing doesn’t offer more
       features or performance. If you still want to use it anyway, you
       need to explicitly set:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.xserver.videoDrivers = [ &quot;amdgpu-pro&quot; ];
 </programlisting>
     <para>
@@ -199,14 +199,14 @@ services.xserver.videoDrivers = [ &quot;amdgpu-pro&quot; ];
       Support for Synaptics touchpads (found in many laptops such as the
       Dell Latitude series) can be enabled as follows:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.xserver.libinput.enable = true;
 </programlisting>
     <para>
       The driver has many options (see <xref linkend="ch-options" />).
       For instance, the following disables tap-to-click behavior:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.xserver.libinput.touchpad.tapping = false;
 </programlisting>
     <para>
@@ -222,7 +222,7 @@ services.xserver.libinput.touchpad.tapping = false;
       applications look similar to GTK ones, you can use the following
       configuration:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 qt5.enable = true;
 qt5.platformTheme = &quot;gtk2&quot;;
 qt5.style = &quot;gtk2&quot;;
@@ -244,10 +244,10 @@ qt5.style = &quot;gtk2&quot;;
     <para>
       Create a file called <literal>us-greek</literal> with the
       following content (under a directory called
-      <literal>symbols</literal>; it's an XKB peculiarity that will help
+      <literal>symbols</literal>; it’s an XKB peculiarity that will help
       with testing):
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 xkb_symbols &quot;us-greek&quot;
 {
   include &quot;us(basic)&quot;            // includes the base US keys
@@ -263,7 +263,7 @@ xkb_symbols &quot;us-greek&quot;
     <para>
       A minimal layout specification must include the following:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.xserver.extraLayouts.us-greek = {
   description = &quot;US layout with alt-gr greek&quot;;
   languages   = [ &quot;eng&quot; ];
@@ -279,7 +279,7 @@ services.xserver.extraLayouts.us-greek = {
     <para>
       Applying this customization requires rebuilding several packages,
       and a broken XKB file can lead to the X session crashing at login.
-      Therefore, you're strongly advised to <emphasis role="strong">test
+      Therefore, you’re strongly advised to <emphasis role="strong">test
       your layout before applying it</emphasis>:
     </para>
     <programlisting>
@@ -312,7 +312,7 @@ $ echo &quot;$(nix-build --no-out-link '&lt;nixpkgs&gt;' -A xorg.xkeyboardconfig
       interest, then create a <literal>media-key</literal> file to hold
       the keycodes definitions
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 xkb_keycodes &quot;media&quot;
 {
  &lt;volUp&gt;   = 123;
@@ -322,7 +322,7 @@ xkb_keycodes &quot;media&quot;
     <para>
       Now use the newly define keycodes in <literal>media-sym</literal>:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 xkb_symbols &quot;media&quot;
 {
  key.type = &quot;ONE_LEVEL&quot;;
@@ -333,7 +333,7 @@ xkb_symbols &quot;media&quot;
     <para>
       As before, to install the layout do
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.xserver.extraLayouts.media = {
   description  = &quot;Multimedia keys remapping&quot;;
   languages    = [ &quot;eng&quot; ];
@@ -352,18 +352,18 @@ services.xserver.extraLayouts.media = {
     <para>
       Unfortunately, the Xorg server does not (currently) support
       setting a keymap directly but relies instead on XKB rules to
-      select the matching components (keycodes, types, ...) of a layout.
-      This means that components other than symbols won't be loaded by
+      select the matching components (keycodes, types, …) of a layout.
+      This means that components other than symbols won’t be loaded by
       default. As a workaround, you can set the keymap using
       <literal>setxkbmap</literal> at the start of the session with:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.xserver.displayManager.sessionCommands = &quot;setxkbmap -keycodes media&quot;;
 </programlisting>
     <para>
       If you are manually starting the X server, you should set the
       argument <literal>-xkbdir /etc/X11/xkb</literal>, otherwise X
-      won't find your layout files. For example with
+      won’t find your layout files. For example with
       <literal>xinit</literal> run
     </para>
     <programlisting>
diff --git a/nixos/doc/manual/from_md/configuration/xfce.chapter.xml b/nixos/doc/manual/from_md/configuration/xfce.chapter.xml
index 42e70d1d81d30..7ec69b5e9b8ff 100644
--- a/nixos/doc/manual/from_md/configuration/xfce.chapter.xml
+++ b/nixos/doc/manual/from_md/configuration/xfce.chapter.xml
@@ -3,7 +3,7 @@
   <para>
     To enable the Xfce Desktop Environment, set
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 services.xserver.desktopManager.xfce.enable = true;
 services.xserver.displayManager.defaultSession = &quot;xfce&quot;;
 </programlisting>
@@ -11,7 +11,7 @@ services.xserver.displayManager.defaultSession = &quot;xfce&quot;;
     Optionally, <emphasis>picom</emphasis> can be enabled for nice
     graphical effects, some example settings:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 services.picom = {
   enable = true;
   fade = true;
@@ -36,8 +36,8 @@ services.picom = {
       <xref linkend="opt-environment.systemPackages" />.
     </para>
     <para>
-      If you'd like to add extra plugins to Thunar, add them to
-      <xref linkend="opt-programs.thunar.plugins" />. You shouldn't just
+      If you’d like to add extra plugins to Thunar, add them to
+      <xref linkend="opt-programs.thunar.plugins" />. You shouldn’t just
       add them to <xref linkend="opt-environment.systemPackages" />.
     </para>
   </section>
@@ -54,9 +54,10 @@ Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with db
 </programlisting>
     <para>
       This is caused by some needed GNOME services not running. This is
-      all fixed by enabling &quot;Launch GNOME services on startup&quot;
-      in the Advanced tab of the Session and Startup settings panel.
-      Alternatively, you can run this command to do the same thing.
+      all fixed by enabling <quote>Launch GNOME services on
+      startup</quote> in the Advanced tab of the Session and Startup
+      settings panel. Alternatively, you can run this command to do the
+      same thing.
     </para>
     <programlisting>
 $ xfconf-query -c xfce4-session -p /compat/LaunchGNOME -s true
diff --git a/nixos/doc/manual/from_md/development/activation-script.section.xml b/nixos/doc/manual/from_md/development/activation-script.section.xml
index 8672ab8afe541..429b45c93defc 100644
--- a/nixos/doc/manual/from_md/development/activation-script.section.xml
+++ b/nixos/doc/manual/from_md/development/activation-script.section.xml
@@ -22,7 +22,7 @@
     these dependencies into account and order the snippets accordingly.
     As a simple example:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 system.activationScripts.my-activation-script = {
   deps = [ &quot;etc&quot; ];
   # supportsDryActivation = true;
diff --git a/nixos/doc/manual/from_md/development/assertions.section.xml b/nixos/doc/manual/from_md/development/assertions.section.xml
index 0844d484d60f6..13f04d5d1883e 100644
--- a/nixos/doc/manual/from_md/development/assertions.section.xml
+++ b/nixos/doc/manual/from_md/development/assertions.section.xml
@@ -18,7 +18,7 @@
     <para>
       This is an example of using <literal>warnings</literal>.
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 { config, lib, ... }:
 {
   config = lib.mkIf config.services.foo.enable {
@@ -42,7 +42,7 @@
       assertion is useful to prevent such a broken system from being
       built.
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 { config, lib, ... }:
 {
   config = lib.mkIf config.services.syslogd.enable {
diff --git a/nixos/doc/manual/from_md/development/bootspec.chapter.xml b/nixos/doc/manual/from_md/development/bootspec.chapter.xml
index acf8ca76bf5cf..9ecbe1d1beede 100644
--- a/nixos/doc/manual/from_md/development/bootspec.chapter.xml
+++ b/nixos/doc/manual/from_md/development/bootspec.chapter.xml
@@ -43,7 +43,7 @@
       <literal>/etc/os-release</literal> in order to bake it into a
       unified kernel image:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 { config, lib, ... }: {
   boot.bootspec.extensions = {
     &quot;org.secureboot.osRelease&quot; = config.environment.etc.&quot;os-release&quot;.source;
diff --git a/nixos/doc/manual/from_md/development/freeform-modules.section.xml b/nixos/doc/manual/from_md/development/freeform-modules.section.xml
index 86a9cf3140d88..c51bc76ff966e 100644
--- a/nixos/doc/manual/from_md/development/freeform-modules.section.xml
+++ b/nixos/doc/manual/from_md/development/freeform-modules.section.xml
@@ -30,7 +30,7 @@
     type-checked <literal>settings</literal> attribute</link> for a more
     complete example.
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { lib, config, ... }: {
 
   options.settings = lib.mkOption {
@@ -52,7 +52,7 @@
   <para>
     And the following shows what such a module then allows
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 {
   # Not a declared option, but the freeform type allows this
   settings.logLevel = &quot;debug&quot;;
@@ -72,7 +72,7 @@
       Freeform attributes cannot depend on other attributes of the same
       set without infinite recursion:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 {
   # This throws infinite recursion encountered
   settings.logLevel = lib.mkIf (config.settings.port == 80) &quot;debug&quot;;
diff --git a/nixos/doc/manual/from_md/development/importing-modules.section.xml b/nixos/doc/manual/from_md/development/importing-modules.section.xml
index cb04dde67c831..96e5e1bb16b88 100644
--- a/nixos/doc/manual/from_md/development/importing-modules.section.xml
+++ b/nixos/doc/manual/from_md/development/importing-modules.section.xml
@@ -4,7 +4,7 @@
     Sometimes NixOS modules need to be used in configuration but exist
     outside of Nixpkgs. These modules can be imported:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, lib, pkgs, ... }:
 
 {
@@ -23,18 +23,18 @@
     Nixpkgs NixOS modules. Like any NixOS module, this module can import
     additional modules:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 # ./module-list/default.nix
 [
   ./example-module1
   ./example-module2
 ]
 </programlisting>
-  <programlisting language="bash">
+  <programlisting language="nix">
 # ./extra-module/default.nix
 { imports = import ./module-list.nix; }
 </programlisting>
-  <programlisting language="bash">
+  <programlisting language="nix">
 # NIXOS_EXTRA_MODULE_PATH=/absolute/path/to/extra-module
 { config, lib, pkgs, ... }:
 
diff --git a/nixos/doc/manual/from_md/development/meta-attributes.section.xml b/nixos/doc/manual/from_md/development/meta-attributes.section.xml
index 1eb6e0f303682..9cc58afa1fdda 100644
--- a/nixos/doc/manual/from_md/development/meta-attributes.section.xml
+++ b/nixos/doc/manual/from_md/development/meta-attributes.section.xml
@@ -15,7 +15,7 @@
     Each of the meta-attributes must be defined at most once per module
     file.
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, lib, pkgs, ... }:
 {
   options = {
diff --git a/nixos/doc/manual/from_md/development/option-declarations.section.xml b/nixos/doc/manual/from_md/development/option-declarations.section.xml
index 0932a51a18cdb..2e6a12d530953 100644
--- a/nixos/doc/manual/from_md/development/option-declarations.section.xml
+++ b/nixos/doc/manual/from_md/development/option-declarations.section.xml
@@ -6,7 +6,7 @@
     hasn’t been declared in any module. An option declaration generally
     looks like this:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 options = {
   name = mkOption {
     type = type specification;
@@ -127,7 +127,7 @@ options = {
         For example:
       </para>
       <anchor xml:id="ex-options-declarations-util-mkEnableOption-magic" />
-      <programlisting language="bash">
+      <programlisting language="nix">
 lib.mkEnableOption &quot;magic&quot;
 # is like
 lib.mkOption {
@@ -142,7 +142,7 @@ lib.mkOption {
         <para>
           Usage:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 mkPackageOption pkgs &quot;name&quot; { default = [ &quot;path&quot; &quot;in&quot; &quot;pkgs&quot; ]; example = &quot;literal example&quot;; }
 </programlisting>
         <para>
@@ -177,7 +177,7 @@ mkPackageOption pkgs &quot;name&quot; { default = [ &quot;path&quot; &quot;in&qu
           Examples:
         </para>
         <anchor xml:id="ex-options-declarations-util-mkPackageOption-hello" />
-        <programlisting language="bash">
+        <programlisting language="nix">
 lib.mkPackageOption pkgs &quot;hello&quot; { }
 # is like
 lib.mkOption {
@@ -188,7 +188,7 @@ lib.mkOption {
 }
 </programlisting>
         <anchor xml:id="ex-options-declarations-util-mkPackageOption-ghc" />
-        <programlisting language="bash">
+        <programlisting language="nix">
 lib.mkPackageOption pkgs &quot;GHC&quot; {
   default = [ &quot;ghc&quot; ];
   example = &quot;pkgs.haskell.packages.ghc92.ghc.withPackages (hkgs: [ hkgs.primes ])&quot;;
@@ -222,7 +222,7 @@ lib.mkOption {
             As an example, we will take the case of display managers.
             There is a central display manager module for generic
             display manager options and a module file per display
-            manager backend (sddm, gdm ...).
+            manager backend (sddm, gdm …).
           </para>
           <para>
             There are two approaches we could take with this module
@@ -287,7 +287,7 @@ lib.mkOption {
             <emphasis role="strong">Example: Extensible type placeholder
             in the service module</emphasis>
           </para>
-          <programlisting language="bash">
+          <programlisting language="nix">
 services.xserver.displayManager.enable = mkOption {
   description = &quot;Display manager to use&quot;;
   type = with types; nullOr (enum [ ]);
@@ -299,7 +299,7 @@ services.xserver.displayManager.enable = mkOption {
             <literal>services.xserver.displayManager.enable</literal> in
             the <literal>gdm</literal> module</emphasis>
           </para>
-          <programlisting language="bash">
+          <programlisting language="nix">
 services.xserver.displayManager.enable = mkOption {
   type = with types; nullOr (enum [ &quot;gdm&quot; ]);
 };
@@ -310,7 +310,7 @@ services.xserver.displayManager.enable = mkOption {
             <literal>services.xserver.displayManager.enable</literal> in
             the <literal>sddm</literal> module</emphasis>
           </para>
-          <programlisting language="bash">
+          <programlisting language="nix">
 services.xserver.displayManager.enable = mkOption {
   type = with types; nullOr (enum [ &quot;sddm&quot; ]);
 };
diff --git a/nixos/doc/manual/from_md/development/option-def.section.xml b/nixos/doc/manual/from_md/development/option-def.section.xml
index 3c1a979e70f33..87b290ec39c66 100644
--- a/nixos/doc/manual/from_md/development/option-def.section.xml
+++ b/nixos/doc/manual/from_md/development/option-def.section.xml
@@ -4,7 +4,7 @@
     Option definitions are generally straight-forward bindings of values
     to option names, like
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 config = {
   services.httpd.enable = true;
 };
@@ -21,7 +21,7 @@ config = {
       another option, you may need to use <literal>mkIf</literal>.
       Consider, for instance:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 config = if config.services.httpd.enable then {
   environment.systemPackages = [ ... ];
   ...
@@ -34,7 +34,7 @@ config = if config.services.httpd.enable then {
       value being constructed here. After all, you could also write the
       clearly circular and contradictory:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 config = if config.services.httpd.enable then {
   services.httpd.enable = false;
 } else {
@@ -44,7 +44,7 @@ config = if config.services.httpd.enable then {
     <para>
       The solution is to write:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 config = mkIf config.services.httpd.enable {
   environment.systemPackages = [ ... ];
   ...
@@ -55,7 +55,7 @@ config = mkIf config.services.httpd.enable {
       of the conditional to be <quote>pushed down</quote> into the
       individual definitions, as if you had written:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 config = {
   environment.systemPackages = if config.services.httpd.enable then [ ... ] else [];
   ...
@@ -72,7 +72,7 @@ config = {
       option defaults have priority 1500. You can specify an explicit
       priority by using <literal>mkOverride</literal>, e.g.
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 services.openssh.enable = mkOverride 10 false;
 </programlisting>
     <para>
@@ -94,7 +94,7 @@ services.openssh.enable = mkOverride 10 false;
       <literal>mkOrder 500</literal> and
       <literal>mkOrder 1500</literal>, respectively. As an example,
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 hardware.firmware = mkBefore [ myFirmware ];
 </programlisting>
     <para>
@@ -117,7 +117,7 @@ hardware.firmware = mkBefore [ myFirmware ];
       to be merged together as if they were declared in separate
       modules. This can be done using <literal>mkMerge</literal>:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 config = mkMerge
   [ # Unconditional stuff.
     { environment.systemPackages = [ ... ];
diff --git a/nixos/doc/manual/from_md/development/option-types.section.xml b/nixos/doc/manual/from_md/development/option-types.section.xml
index c0f40cb342329..363399b086610 100644
--- a/nixos/doc/manual/from_md/development/option-types.section.xml
+++ b/nixos/doc/manual/from_md/development/option-types.section.xml
@@ -81,14 +81,14 @@
           <para>
             Two definitions of this type like
           </para>
-          <programlisting language="bash">
+          <programlisting language="nix">
 {
   str = lib.mkDefault &quot;foo&quot;;
   pkg.hello = pkgs.hello;
   fun.fun = x: x + 1;
 }
 </programlisting>
-          <programlisting language="bash">
+          <programlisting language="nix">
 {
   str = lib.mkIf true &quot;bar&quot;;
   pkg.gcc = pkgs.gcc;
@@ -98,7 +98,7 @@
           <para>
             will get merged to
           </para>
-          <programlisting language="bash">
+          <programlisting language="nix">
 {
   str = &quot;bar&quot;;
   pkg.gcc = pkgs.gcc;
@@ -152,13 +152,13 @@
           <warning>
             <para>
               This type will be deprecated in the future because it
-              doesn't recurse into attribute sets, silently drops
-              earlier attribute definitions, and doesn't discharge
+              doesn’t recurse into attribute sets, silently drops
+              earlier attribute definitions, and doesn’t discharge
               <literal>lib.mkDefault</literal>,
               <literal>lib.mkIf</literal> and co. For allowing arbitrary
               attribute sets, prefer
               <literal>types.attrsOf types.anything</literal> instead
-              which doesn't have these problems.
+              which doesn’t have these problems.
             </para>
           </warning>
         </listitem>
@@ -453,7 +453,7 @@
                 <literal>_module.args</literal> should be used instead
                 for most arguments since it allows overriding.
                 <emphasis><literal>specialArgs</literal></emphasis>
-                should only be used for arguments that can't go through
+                should only be used for arguments that can’t go through
                 the module fixed-point, because of infinite recursion or
                 other problems. An example is overriding the
                 <literal>lib</literal> argument, because
@@ -477,7 +477,7 @@
                 instead of requiring
                 <literal>the-submodule.config.config = &quot;value&quot;</literal>.
                 This is because only when modules
-                <emphasis>don't</emphasis> set the
+                <emphasis>don’t</emphasis> set the
                 <literal>config</literal> or <literal>options</literal>
                 keys, all keys are interpreted as option definitions in
                 the <literal>config</literal> section. Enabling this
@@ -668,7 +668,7 @@
       <varlistentry>
         <term>
           <literal>types.oneOf</literal> [
-          <emphasis><literal>t1 t2</literal></emphasis> ... ]
+          <emphasis><literal>t1 t2</literal></emphasis> … ]
         </term>
         <listitem>
           <para>
@@ -732,7 +732,7 @@
       <emphasis role="strong">Example: Directly defined
       submodule</emphasis>
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 options.mod = mkOption {
   description = &quot;submodule example&quot;;
   type = with types; submodule {
@@ -752,7 +752,7 @@ options.mod = mkOption {
       <emphasis role="strong">Example: Submodule defined as a
       reference</emphasis>
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 let
   modOptions = {
     options = {
@@ -787,7 +787,7 @@ options.mod = mkOption {
       <emphasis role="strong">Example: Declaration of a list of
       submodules</emphasis>
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 options.mod = mkOption {
   description = &quot;submodule example&quot;;
   type = with types; listOf (submodule {
@@ -807,7 +807,7 @@ options.mod = mkOption {
       <emphasis role="strong">Example: Definition of a list of
       submodules</emphasis>
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 config.mod = [
   { foo = 1; bar = &quot;one&quot;; }
   { foo = 2; bar = &quot;two&quot;; }
@@ -827,7 +827,7 @@ config.mod = [
       <emphasis role="strong">Example: Declaration of attribute sets of
       submodules</emphasis>
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 options.mod = mkOption {
   description = &quot;submodule example&quot;;
   type = with types; attrsOf (submodule {
@@ -847,7 +847,7 @@ options.mod = mkOption {
       <emphasis role="strong">Example: Definition of attribute sets of
       submodules</emphasis>
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 config.mod.one = { foo = 1; bar = &quot;one&quot;; };
 config.mod.two = { foo = 2; bar = &quot;two&quot;; };
 </programlisting>
@@ -878,7 +878,7 @@ config.mod.two = { foo = 2; bar = &quot;two&quot;; };
             <emphasis role="strong">Example: Adding a type
             check</emphasis>
           </para>
-          <programlisting language="bash">
+          <programlisting language="nix">
 byte = mkOption {
   description = &quot;An integer between 0 and 255.&quot;;
   type = types.addCheck types.int (x: x &gt;= 0 &amp;&amp; x &lt;= 255);
@@ -889,7 +889,7 @@ byte = mkOption {
             <emphasis role="strong">Example: Overriding a type
             check</emphasis>
           </para>
-          <programlisting language="bash">
+          <programlisting language="nix">
 nixThings = mkOption {
   description = &quot;words that start with 'nix'&quot;;
   type = types.str // {
diff --git a/nixos/doc/manual/from_md/development/replace-modules.section.xml b/nixos/doc/manual/from_md/development/replace-modules.section.xml
index cf8a39ba844fa..d8aaf59df366f 100644
--- a/nixos/doc/manual/from_md/development/replace-modules.section.xml
+++ b/nixos/doc/manual/from_md/development/replace-modules.section.xml
@@ -3,8 +3,8 @@
   <para>
     Modules that are imported can also be disabled. The option
     declarations, config implementation and the imports of a disabled
-    module will be ignored, allowing another to take it's place. This
-    can be used to import a set of modules from another channel while
+    module will be ignored, allowing another to take its place. This can
+    be used to import a set of modules from another channel while
     keeping the rest of the system on a stable release.
   </para>
   <para>
@@ -19,10 +19,10 @@
     This example will replace the existing postgresql module with the
     version defined in the nixos-unstable channel while keeping the rest
     of the modules and packages from the original nixos channel. This
-    only overrides the module definition, this won't use postgresql from
+    only overrides the module definition, this won’t use postgresql from
     nixos-unstable unless explicitly configured to do so.
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, lib, pkgs, ... }:
 
 {
@@ -40,9 +40,9 @@
   <para>
     This example shows how to define a custom module as a replacement
     for an existing module. Importing this module will disable the
-    original module without having to know it's implementation details.
+    original module without having to know its implementation details.
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, lib, pkgs, ... }:
 
 with lib;
diff --git a/nixos/doc/manual/from_md/development/settings-options.section.xml b/nixos/doc/manual/from_md/development/settings-options.section.xml
index d26dd96243dbe..898cd3b2b6e97 100644
--- a/nixos/doc/manual/from_md/development/settings-options.section.xml
+++ b/nixos/doc/manual/from_md/development/settings-options.section.xml
@@ -19,10 +19,10 @@
     </listitem>
     <listitem>
       <para>
-        Non-nix-representable ones: These can't be trivially mapped to a
+        Non-nix-representable ones: These can’t be trivially mapped to a
         subset of Nix syntax. Most generic programming languages are in
         this group, e.g. bash, since the statement
-        <literal>if true; then echo hi; fi</literal> doesn't have a
+        <literal>if true; then echo hi; fi</literal> doesn’t have a
         trivial representation in Nix.
       </para>
       <para>
@@ -42,8 +42,7 @@
     </listitem>
   </itemizedlist>
   <section xml:id="sec-settings-nix-representable">
-    <title>Nix-representable Formats (JSON, YAML, TOML, INI,
-    ...)</title>
+    <title>Nix-representable Formats (JSON, YAML, TOML, INI, …)</title>
     <para>
       By convention, formats like this are handled with a generic
       <literal>settings</literal> option, representing the full program
@@ -318,7 +317,7 @@
       used, along with some other related best practices. See the
       comments for explanations.
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 { options, config, lib, pkgs, ... }:
 let
   cfg = config.services.foo;
@@ -391,7 +390,7 @@ in {
         <emphasis role="strong">Example: Declaring a type-checked
         <literal>settings</literal> attribute</emphasis>
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 settings = lib.mkOption {
   type = lib.types.submodule {
 
diff --git a/nixos/doc/manual/from_md/development/writing-documentation.chapter.xml b/nixos/doc/manual/from_md/development/writing-documentation.chapter.xml
index 079c800605762..0d8a33df2069a 100644
--- a/nixos/doc/manual/from_md/development/writing-documentation.chapter.xml
+++ b/nixos/doc/manual/from_md/development/writing-documentation.chapter.xml
@@ -23,7 +23,7 @@ $ nix-shell
 nix-shell$ make
 </programlisting>
     <para>
-      Once you are done making modifications to the manual, it's
+      Once you are done making modifications to the manual, it’s
       important to build it before committing. You can do that as
       follows:
     </para>
diff --git a/nixos/doc/manual/from_md/development/writing-modules.chapter.xml b/nixos/doc/manual/from_md/development/writing-modules.chapter.xml
index 367731eda0900..35e94845c97e7 100644
--- a/nixos/doc/manual/from_md/development/writing-modules.chapter.xml
+++ b/nixos/doc/manual/from_md/development/writing-modules.chapter.xml
@@ -32,7 +32,7 @@
     In <xref linkend="sec-configuration-syntax" />, we saw the following
     structure of NixOS modules:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, pkgs, ... }:
 
 { option definitions
@@ -50,7 +50,7 @@
     <emphasis role="strong">Example: Structure of NixOS
     Modules</emphasis>
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, pkgs, ... }:
 
 {
@@ -90,7 +90,7 @@
         This <literal>imports</literal> list enumerates the paths to
         other NixOS modules that should be included in the evaluation of
         the system configuration. A default set of modules is defined in
-        the file <literal>modules/module-list.nix</literal>. These don't
+        the file <literal>modules/module-list.nix</literal>. These don’t
         need to be added in the import list.
       </para>
     </listitem>
@@ -146,7 +146,7 @@
     <emphasis role="strong">Example: NixOS Module for the
     <quote>locate</quote> Service</emphasis>
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, lib, pkgs, ... }:
 
 with lib;
@@ -208,7 +208,7 @@ in {
     <emphasis role="strong">Example: Escaping in Exec
     directives</emphasis>
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, lib, pkgs, utils, ... }:
 
 with lib;
diff --git a/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml b/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml
index 99bd37808c206..308f7c6fb0f6d 100644
--- a/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml
+++ b/nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml
@@ -3,7 +3,7 @@
   <para>
     A NixOS test is a module that has the following structure:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 {
 
   # One or more machines:
@@ -58,14 +58,14 @@
         Tests that are part of NixOS are added to
         <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/all-tests.nix"><literal>nixos/tests/all-tests.nix</literal></link>.
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
   hostname = runTest ./hostname.nix;
 </programlisting>
       <para>
         Overrides can be added by defining an anonymous module in
         <literal>all-tests.nix</literal>.
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
   hostname = runTest {
     imports = [ ./hostname.nix ];
     defaults.networking.firewall.enable = false;
@@ -87,7 +87,7 @@ nix-build -A nixosTests.hostname
         Outside the <literal>nixpkgs</literal> repository, you can
         instantiate the test by first importing the NixOS library,
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 let nixos-lib = import (nixpkgs + &quot;/nixos/lib&quot;) { };
 in
 
@@ -255,7 +255,7 @@ start_all()
         <listitem>
           <para>
             Return a list of different interpretations of what is
-            currently visible on the machine's screen using optical
+            currently visible on the machine’s screen using optical
             character recognition. The number and order of the
             interpretations is not specified and is subject to change,
             but if no exception is raised at least one will be returned.
@@ -276,7 +276,7 @@ start_all()
         <listitem>
           <para>
             Return a textual representation of what is currently visible
-            on the machine's screen using optical character recognition.
+            on the machine’s screen using optical character recognition.
           </para>
           <note>
             <para>
@@ -483,8 +483,8 @@ start_all()
         </term>
         <listitem>
           <para>
-            Wait until a process is listening on the given TCP port (on
-            <literal>localhost</literal>, at least).
+            Wait until a process is listening on the given TCP port and
+            IP address (default <literal>localhost</literal>).
           </para>
         </listitem>
       </varlistentry>
@@ -494,7 +494,8 @@ start_all()
         </term>
         <listitem>
           <para>
-            Wait until nobody is listening on the given TCP port.
+            Wait until nobody is listening on the given TCP port and IP
+            address (default <literal>localhost</literal>).
           </para>
         </listitem>
       </varlistentry>
@@ -630,10 +631,10 @@ machine.wait_for_unit(&quot;xautolock.service&quot;, &quot;x-session-user&quot;)
       <literal>stop_job</literal>.
     </para>
     <para>
-      For faster dev cycles it's also possible to disable the
-      code-linters (this shouldn't be committed though):
+      For faster dev cycles it’s also possible to disable the
+      code-linters (this shouldn’t be committed though):
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 {
   skipLint = true;
   nodes.machine =
@@ -650,10 +651,10 @@ machine.wait_for_unit(&quot;xautolock.service&quot;, &quot;x-session-user&quot;)
     <para>
       This will produce a Nix warning at evaluation time. To fully
       disable the linter, wrap the test script in comment directives to
-      disable the Black linter directly (again, don't commit this within
+      disable the Black linter directly (again, don’t commit this within
       the Nixpkgs repository):
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
   testScript =
     ''
       # fmt: off
@@ -665,7 +666,7 @@ machine.wait_for_unit(&quot;xautolock.service&quot;, &quot;x-session-user&quot;)
       Similarly, the type checking of test scripts can be disabled in
       the following way:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 {
   skipTypeCheck = true;
   nodes.machine =
@@ -700,25 +701,37 @@ with foo_running:
       <literal>polling_condition</literal> takes the following
       (optional) arguments:
     </para>
-    <para>
-      <literal>seconds_interval</literal>
-    </para>
-    <para>
-      : specifies how often the condition should be polled:
-    </para>
+    <variablelist>
+      <varlistentry>
+        <term>
+          <literal>seconds_interval</literal>
+        </term>
+        <listitem>
+          <para>
+            specifies how often the condition should be polled:
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
     <programlisting language="python">
 @polling_condition(seconds_interval=10)
 def foo_running():
     machine.succeed(&quot;pgrep -x foo&quot;)
 </programlisting>
-    <para>
-      <literal>description</literal>
-    </para>
-    <para>
-      : is used in the log when the condition is checked. If this is not
-      provided, the description is pulled from the docstring of the
-      function. These two are therefore equivalent:
-    </para>
+    <variablelist>
+      <varlistentry>
+        <term>
+          <literal>description</literal>
+        </term>
+        <listitem>
+          <para>
+            is used in the log when the condition is checked. If this is
+            not provided, the description is pulled from the docstring
+            of the function. These two are therefore equivalent:
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
     <programlisting language="python">
 @polling_condition
 def foo_running():
@@ -739,7 +752,7 @@ def foo_running():
       <literal>extraPythonPackages</literal>. For example, you could add
       <literal>numpy</literal> like this:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 {
   extraPythonPackages = p: [ p.numpy ];
 
diff --git a/nixos/doc/manual/from_md/installation/building-nixos.chapter.xml b/nixos/doc/manual/from_md/installation/building-nixos.chapter.xml
index 080f1535e410f..0e46c1d48ca65 100644
--- a/nixos/doc/manual/from_md/installation/building-nixos.chapter.xml
+++ b/nixos/doc/manual/from_md/installation/building-nixos.chapter.xml
@@ -62,7 +62,7 @@ $ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd
       can create the following file at
       <literal>modules/installer/cd-dvd/installation-cd-graphical-gnome-macbook.nix</literal>:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 { config, ... }:
 
 {
diff --git a/nixos/doc/manual/from_md/installation/changing-config.chapter.xml b/nixos/doc/manual/from_md/installation/changing-config.chapter.xml
index 86f0b15b41c58..727c61c45d273 100644
--- a/nixos/doc/manual/from_md/installation/changing-config.chapter.xml
+++ b/nixos/doc/manual/from_md/installation/changing-config.chapter.xml
@@ -16,7 +16,7 @@
   </para>
   <warning>
     <para>
-      This command doesn't start/stop
+      This command doesn’t start/stop
       <link linkend="opt-systemd.user.services">user services</link>
       automatically. <literal>nixos-rebuild</literal> only runs a
       <literal>daemon-reload</literal> for each user with running user
@@ -64,8 +64,8 @@
   <para>
     which causes the new configuration (and previous ones created using
     <literal>-p test</literal>) to show up in the GRUB submenu
-    <quote>NixOS - Profile 'test'</quote>. This can be useful to
-    separate test configurations from <quote>stable</quote>
+    <quote>NixOS - Profile <quote>test</quote></quote>. This can be
+    useful to separate test configurations from <quote>stable</quote>
     configurations.
   </para>
   <para>
@@ -94,7 +94,7 @@ $ ./result/bin/run-*-vm
     unless you have set <literal>mutableUsers = false</literal>. Another
     way is to temporarily add the following to your configuration:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 users.users.your-user.initialHashedPassword = &quot;test&quot;;
 </programlisting>
   <para>
diff --git a/nixos/doc/manual/from_md/installation/installing-behind-a-proxy.section.xml b/nixos/doc/manual/from_md/installation/installing-behind-a-proxy.section.xml
index a551807cd47c7..00b4e87667183 100644
--- a/nixos/doc/manual/from_md/installation/installing-behind-a-proxy.section.xml
+++ b/nixos/doc/manual/from_md/installation/installing-behind-a-proxy.section.xml
@@ -11,7 +11,7 @@
         <literal>/mnt/etc/nixos/configuration.nix</literal> to keep the
         internet accessible after reboot.
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 networking.proxy.default = &quot;http://user:password@proxy:port/&quot;;
 networking.proxy.noProxy = &quot;127.0.0.1,localhost,internal.domain&quot;;
 </programlisting>
diff --git a/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml b/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml
index f29200952ac55..5f18d528d32d0 100644
--- a/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml
+++ b/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml
@@ -53,7 +53,7 @@ $ . $HOME/.nix-profile/etc/profile.d/nix.sh # …or open a fresh shell
         Switch to the NixOS channel:
       </para>
       <para>
-        If you've just installed Nix on a non-NixOS distribution, you
+        If you’ve just installed Nix on a non-NixOS distribution, you
         will be on the <literal>nixpkgs</literal> channel by default.
       </para>
       <programlisting>
@@ -78,11 +78,11 @@ $ nix-channel --add https://nixos.org/channels/nixos-version nixpkgs
         Install the NixOS installation tools:
       </para>
       <para>
-        You'll need <literal>nixos-generate-config</literal> and
+        You’ll need <literal>nixos-generate-config</literal> and
         <literal>nixos-install</literal>, but this also makes some man
         pages and <literal>nixos-enter</literal> available, just in case
         you want to chroot into your NixOS partition. NixOS installs
-        these by default, but you don't have NixOS yet..
+        these by default, but you don’t have NixOS yet..
       </para>
       <programlisting>
 $ nix-env -f '&lt;nixpkgs&gt;' -iA nixos-install-tools
@@ -105,7 +105,7 @@ $ nix-env -f '&lt;nixpkgs&gt;' -iA nixos-install-tools
         mounting steps of <xref linkend="sec-installation" />
       </para>
       <para>
-        If you're about to install NixOS in place using
+        If you’re about to install NixOS in place using
         <literal>NIXOS_LUSTRATE</literal> there is nothing to do for
         this step.
       </para>
@@ -118,18 +118,18 @@ $ nix-env -f '&lt;nixpkgs&gt;' -iA nixos-install-tools
 $ sudo `which nixos-generate-config` --root /mnt
 </programlisting>
       <para>
-        You'll probably want to edit the configuration files. Refer to
+        You’ll probably want to edit the configuration files. Refer to
         the <literal>nixos-generate-config</literal> step in
         <xref linkend="sec-installation" /> for more information.
       </para>
       <para>
         Consider setting up the NixOS bootloader to give you the ability
         to boot on your existing Linux partition. For instance, if
-        you're using GRUB and your existing distribution is running
+        you’re using GRUB and your existing distribution is running
         Ubuntu, you may want to add something like this to your
         <literal>configuration.nix</literal>:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 boot.loader.grub.extraEntries = ''
   menuentry &quot;Ubuntu&quot; {
     search --set=ubuntu --fs-uuid 3cc3e652-0c1f-4800-8451-033754f68e6e
@@ -215,21 +215,21 @@ $ sudo `which nixos-generate-config`
 </programlisting>
       <para>
         Note that this will place the generated configuration files in
-        <literal>/etc/nixos</literal>. You'll probably want to edit the
+        <literal>/etc/nixos</literal>. You’ll probably want to edit the
         configuration files. Refer to the
         <literal>nixos-generate-config</literal> step in
         <xref linkend="sec-installation" /> for more information.
       </para>
       <para>
-        You'll likely want to set a root password for your first boot
-        using the configuration files because you won't have a chance to
+        You’ll likely want to set a root password for your first boot
+        using the configuration files because you won’t have a chance to
         enter a password until after you reboot. You can initialize the
         root password to an empty one with this line: (and of course
-        don't forget to set one once you've rebooted or to lock the
+        don’t forget to set one once you’ve rebooted or to lock the
         account with <literal>sudo passwd -l root</literal> if you use
         <literal>sudo</literal>)
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 users.users.root.initialHashedPassword = &quot;&quot;;
 </programlisting>
     </listitem>
@@ -262,7 +262,7 @@ $ sudo chown -R 0:0 /nix
       </para>
       <para>
         <literal>/etc/NIXOS_LUSTRATE</literal> tells the NixOS bootup
-        scripts to move <emphasis>everything</emphasis> that's in the
+        scripts to move <emphasis>everything</emphasis> that’s in the
         root partition to <literal>/old-root</literal>. This will move
         your existing distribution out of the way in the very early
         stages of the NixOS bootup. There are exceptions (we do need to
@@ -290,12 +290,12 @@ $ sudo chown -R 0:0 /nix
       <note>
         <para>
           Support for <literal>NIXOS_LUSTRATE</literal> was added in
-          NixOS 16.09. The act of &quot;lustrating&quot; refers to the
-          wiping of the existing distribution. Creating
+          NixOS 16.09. The act of <quote>lustrating</quote> refers to
+          the wiping of the existing distribution. Creating
           <literal>/etc/NIXOS_LUSTRATE</literal> can also be used on
           NixOS to remove all mutable files from your root partition
-          (anything that's not in <literal>/nix</literal> or
-          <literal>/boot</literal> gets &quot;lustrated&quot; on the
+          (anything that’s not in <literal>/nix</literal> or
+          <literal>/boot</literal> gets <quote>lustrated</quote> on the
           next boot.
         </para>
         <para>
@@ -307,14 +307,14 @@ $ sudo chown -R 0:0 /nix
         </para>
       </note>
       <para>
-        Let's create the files:
+        Let’s create the files:
       </para>
       <programlisting>
 $ sudo touch /etc/NIXOS
 $ sudo touch /etc/NIXOS_LUSTRATE
 </programlisting>
       <para>
-        Let's also make sure the NixOS configuration files are kept once
+        Let’s also make sure the NixOS configuration files are kept once
         we reboot on NixOS:
       </para>
       <programlisting>
@@ -331,7 +331,7 @@ $ echo etc/nixos | sudo tee -a /etc/NIXOS_LUSTRATE
       <warning>
         <para>
           Once you complete this step, your current distribution will no
-          longer be bootable! If you didn't get all the NixOS
+          longer be bootable! If you didn’t get all the NixOS
           configuration right, especially those settings pertaining to
           boot loading and root partition, NixOS may not be bootable
           either. Have a USB rescue device ready in case this happens.
@@ -349,7 +349,7 @@ sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot
     <listitem>
       <para>
         If for some reason you want to revert to the old distribution,
-        you'll need to boot on a USB rescue disk and do something along
+        you’ll need to boot on a USB rescue disk and do something along
         these lines:
       </para>
       <programlisting>
@@ -367,7 +367,7 @@ sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot
         loader.
       </para>
       <para>
-        And of course, if you're happy with NixOS and no longer need the
+        And of course, if you’re happy with NixOS and no longer need the
         old distribution:
       </para>
       <programlisting>
@@ -376,7 +376,7 @@ sudo rm -rf /old-root
     </listitem>
     <listitem>
       <para>
-        It's also worth noting that this whole process can be automated.
+        It’s also worth noting that this whole process can be automated.
         This is especially useful for Cloud VMs, where provider do not
         provide NixOS. For instance,
         <link xlink:href="https://github.com/elitak/nixos-infect">nixos-infect</link>
diff --git a/nixos/doc/manual/from_md/installation/installing-kexec.section.xml b/nixos/doc/manual/from_md/installation/installing-kexec.section.xml
index 46ea0d59b6c30..40a697c74096e 100644
--- a/nixos/doc/manual/from_md/installation/installing-kexec.section.xml
+++ b/nixos/doc/manual/from_md/installation/installing-kexec.section.xml
@@ -54,7 +54,7 @@ nix-build -A kexec.x86_64-linux '&lt;nixpkgs/nixos/release.nix&gt;'
     running Linux Distribution.
   </para>
   <para>
-    Note it’s symlinks pointing elsewhere, so <literal>cd</literal> in,
+    Note its symlinks pointing elsewhere, so <literal>cd</literal> in,
     and use <literal>scp * root@$destination</literal> to copy it over,
     rather than rsync.
   </para>
@@ -69,7 +69,7 @@ nix-build -A kexec.x86_64-linux '&lt;nixpkgs/nixos/release.nix&gt;'
     instead of the default installer image, you can build your own
     <literal>configuration.nix</literal>:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { modulesPath, ... }: {
   imports = [
     (modulesPath + &quot;/installer/netboot/netboot-minimal.nix&quot;)
diff --git a/nixos/doc/manual/from_md/installation/installing-usb.section.xml b/nixos/doc/manual/from_md/installation/installing-usb.section.xml
index 9d12ac45aac21..cb0fd95bc7c5f 100644
--- a/nixos/doc/manual/from_md/installation/installing-usb.section.xml
+++ b/nixos/doc/manual/from_md/installation/installing-usb.section.xml
@@ -110,15 +110,15 @@ diskutil unmountDisk diskX
 sudo dd if=&lt;path-to-image&gt; of=/dev/rdiskX bs=4m
 </programlisting>
     <para>
-      After <literal>dd</literal> completes, a GUI dialog &quot;The disk
-      you inserted was not readable by this computer&quot; will pop up,
-      which can be ignored.
+      After <literal>dd</literal> completes, a GUI dialog <quote>The
+      disk you inserted was not readable by this computer</quote> will
+      pop up, which can be ignored.
     </para>
     <note>
       <para>
-        Using the 'raw' <literal>rdiskX</literal> device instead of
-        <literal>diskX</literal> with dd completes in minutes instead of
-        hours.
+        Using the <quote>raw</quote> <literal>rdiskX</literal> device
+        instead of <literal>diskX</literal> with dd completes in minutes
+        instead of hours.
       </para>
     </note>
     <orderedlist numeration="arabic" spacing="compact">
diff --git a/nixos/doc/manual/from_md/installation/installing-virtualbox-guest.section.xml b/nixos/doc/manual/from_md/installation/installing-virtualbox-guest.section.xml
index 8b82a617e7f52..e435081852993 100644
--- a/nixos/doc/manual/from_md/installation/installing-virtualbox-guest.section.xml
+++ b/nixos/doc/manual/from_md/installation/installing-virtualbox-guest.section.xml
@@ -11,8 +11,8 @@
   <orderedlist numeration="arabic">
     <listitem>
       <para>
-        Add a New Machine in VirtualBox with OS Type &quot;Linux / Other
-        Linux&quot;
+        Add a New Machine in VirtualBox with OS Type <quote>Linux /
+        Other Linux</quote>
       </para>
     </listitem>
     <listitem>
@@ -38,7 +38,7 @@
     <listitem>
       <para>
         Click on Settings / System / Acceleration and enable
-        &quot;VT-x/AMD-V&quot; acceleration
+        <quote>VT-x/AMD-V</quote> acceleration
       </para>
     </listitem>
     <listitem>
@@ -58,25 +58,25 @@
     There are a few modifications you should make in configuration.nix.
     Enable booting:
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 boot.loader.grub.device = &quot;/dev/sda&quot;;
 </programlisting>
   <para>
     Also remove the fsck that runs at startup. It will always fail to
     run, stopping your boot until you press <literal>*</literal>.
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 boot.initrd.checkJournalingFS = false;
 </programlisting>
   <para>
     Shared folders can be given a name and a path in the host system in
     the VirtualBox settings (Machine / Settings / Shared Folders, then
-    click on the &quot;Add&quot; icon). Add the following to the
+    click on the <quote>Add</quote> icon). Add the following to the
     <literal>/etc/nixos/configuration.nix</literal> to auto-mount them.
     If you do not add <literal>&quot;nofail&quot;</literal>, the system
     will not boot properly.
   </para>
-  <programlisting language="bash">
+  <programlisting language="nix">
 { config, pkgs, ...} :
 {
   fileSystems.&quot;/virtualboxshare&quot; = {
diff --git a/nixos/doc/manual/from_md/installation/installing.chapter.xml b/nixos/doc/manual/from_md/installation/installing.chapter.xml
index c8d1e26b5e77d..5654eb424fc3b 100644
--- a/nixos/doc/manual/from_md/installation/installing.chapter.xml
+++ b/nixos/doc/manual/from_md/installation/installing.chapter.xml
@@ -345,12 +345,12 @@ OK
           <!-- legacy anchor -->
         </para>
         <para>
-          Here's an example partition scheme for UEFI, using
+          Here’s an example partition scheme for UEFI, using
           <literal>/dev/sda</literal> as the device.
         </para>
         <note>
           <para>
-            You can safely ignore <literal>parted</literal>'s
+            You can safely ignore <literal>parted</literal>’s
             informational message about needing to update /etc/fstab.
           </para>
         </note>
@@ -415,12 +415,12 @@ OK
           <!-- legacy anchor -->
         </para>
         <para>
-          Here's an example partition scheme for Legacy Boot, using
+          Here’s an example partition scheme for Legacy Boot, using
           <literal>/dev/sda</literal> as the device.
         </para>
         <note>
           <para>
-            You can safely ignore <literal>parted</literal>'s
+            You can safely ignore <literal>parted</literal>’s
             informational message about needing to update /etc/fstab.
           </para>
         </note>
diff --git a/nixos/doc/manual/from_md/installation/upgrading.chapter.xml b/nixos/doc/manual/from_md/installation/upgrading.chapter.xml
index f6aedc800aca5..9f4cfaf36b628 100644
--- a/nixos/doc/manual/from_md/installation/upgrading.chapter.xml
+++ b/nixos/doc/manual/from_md/installation/upgrading.chapter.xml
@@ -128,7 +128,7 @@ nixos https://nixos.org/channels/nixos-unstable
       You can keep a NixOS system up-to-date automatically by adding the
       following to <literal>configuration.nix</literal>:
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 system.autoUpgrade.enable = true;
 system.autoUpgrade.allowReboot = true;
 </programlisting>
@@ -145,7 +145,7 @@ system.autoUpgrade.allowReboot = true;
       contains a different kernel, initrd or kernel modules. You can
       also specify a channel explicitly, e.g.
     </para>
-    <programlisting language="bash">
+    <programlisting language="nix">
 system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.11;
 </programlisting>
   </section>
diff --git a/nixos/doc/manual/from_md/release-notes/rl-1404.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1404.section.xml
index 8771623b468a4..5686545c1afb9 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-1404.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-1404.section.xml
@@ -79,7 +79,7 @@
         the NixOS configuration. For instance, if a package
         <literal>foo</literal> provides systemd units, you can say:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 {
   systemd.packages = [ pkgs.foo ];
 }
@@ -88,7 +88,7 @@
         to enable those units. You can then set or override unit options
         in the usual way, e.g.
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 {
   systemd.services.foo.wantedBy = [ &quot;multi-user.target&quot; ];
   systemd.services.foo.serviceConfig.MemoryLimit = &quot;512M&quot;;
@@ -105,7 +105,7 @@
         NixOS configuration requires unfree packages from Nixpkgs, you
         need to enable support for them explicitly by setting:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 {
   nixpkgs.config.allowUnfree = true;
 }
@@ -123,7 +123,7 @@
         The Adobe Flash player is no longer enabled by default in the
         Firefox and Chromium wrappers. To enable it, you must set:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 {
   nixpkgs.config.allowUnfree = true;
   nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox
@@ -136,7 +136,7 @@
         The firewall is now enabled by default. If you don’t want this,
         you need to disable it explicitly:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 {
   networking.firewall.enable = false;
 }
diff --git a/nixos/doc/manual/from_md/release-notes/rl-1412.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1412.section.xml
index 3b6af73359d69..ccaa4f6bd0812 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-1412.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-1412.section.xml
@@ -370,7 +370,7 @@
         documentation</link> for details. If you wish to continue to use
         httpd 2.2, add the following line to your NixOS configuration:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 {
   services.httpd.package = pkgs.apacheHttpd_2_2;
 }
diff --git a/nixos/doc/manual/from_md/release-notes/rl-1509.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1509.section.xml
index 68d2ab389e8f6..96b51a0510666 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-1509.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-1509.section.xml
@@ -9,12 +9,12 @@
       <para>
         The <link xlink:href="http://haskell.org/">Haskell</link>
         packages infrastructure has been re-designed from the ground up
-        (&quot;Haskell NG&quot;). NixOS now distributes the latest
+        (<quote>Haskell NG</quote>). NixOS now distributes the latest
         version of every single package registered on
         <link xlink:href="http://hackage.haskell.org/">Hackage</link> --
         well in excess of 8,000 Haskell packages. Detailed instructions
         on how to use that infrastructure can be found in the
-        <link xlink:href="https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's
+        <link xlink:href="https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User’s
         Guide to the Haskell Infrastructure</link>. Users migrating from
         an earlier release may find helpful information below, in the
         list of backwards-incompatible changes. Furthermore, we
@@ -23,8 +23,8 @@
         Haskell</link> release since version 0.0 as well as the most
         recent <link xlink:href="http://www.stackage.org/">Stackage
         Nightly</link> snapshot. The announcement
-        <link xlink:href="https://nixos.org/nix-dev/2015-September/018138.html">&quot;Full
-        Stackage Support in Nixpkgs&quot;</link> gives additional
+        <link xlink:href="https://nixos.org/nix-dev/2015-September/018138.html"><quote>Full
+        Stackage Support in Nixpkgs</quote></link> gives additional
         details.
       </para>
     </listitem>
@@ -42,7 +42,7 @@
       </para>
     </listitem>
   </itemizedlist>
-  <programlisting language="bash">
+  <programlisting language="nix">
 {
   system.autoUpgrade.enable = true;
 }
@@ -432,7 +432,7 @@
       </para>
     </listitem>
   </itemizedlist>
-  <programlisting language="bash">
+  <programlisting language="nix">
 {
   system.stateVersion = &quot;14.12&quot;;
 }
@@ -464,7 +464,7 @@
     </listitem>
     <listitem>
       <para>
-        Steam now doesn't need root rights to work. Instead of using
+        Steam now doesn’t need root rights to work. Instead of using
         <literal>*-steam-chrootenv</literal>, you should now just run
         <literal>steam</literal>. <literal>steamChrootEnv</literal>
         package was renamed to <literal>steam</literal>, and old
@@ -523,7 +523,7 @@
       </para>
     </listitem>
   </itemizedlist>
-  <programlisting language="bash">
+  <programlisting language="nix">
 {
   fileSystems.&quot;/shiny&quot; = {
     device = &quot;myshinysharedfolder&quot;;
@@ -534,15 +534,15 @@
   <itemizedlist spacing="compact">
     <listitem>
       <para>
-        &quot;<literal>nix-env -qa</literal>&quot; no longer discovers
-        Haskell packages by name. The only packages visible in the
-        global scope are <literal>ghc</literal>,
+        <quote><literal>nix-env -qa</literal></quote> no longer
+        discovers Haskell packages by name. The only packages visible in
+        the global scope are <literal>ghc</literal>,
         <literal>cabal-install</literal>, and <literal>stack</literal>,
         but all other packages are hidden. The reason for this
         inconvenience is the sheer size of the Haskell package set.
         Name-based lookups are expensive, and most
         <literal>nix-env -qa</literal> operations would become much
-        slower if we'd add the entire Hackage database into the top
+        slower if we’d add the entire Hackage database into the top
         level attribute set. Instead, the list of Haskell packages can
         be displayed by running:
       </para>
@@ -566,13 +566,13 @@ nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA haskellPackages.pandoc
       <para>
         Previous versions of NixOS came with a feature called
         <literal>ghc-wrapper</literal>, a small script that allowed GHC
-        to transparently pick up on libraries installed in the user's
+        to transparently pick up on libraries installed in the user’s
         profile. This feature has been deprecated;
         <literal>ghc-wrapper</literal> was removed from the
         distribution. The proper way to register Haskell libraries with
         the compiler now is the
         <literal>haskellPackages.ghcWithPackages</literal> function. The
-        <link xlink:href="https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's
+        <link xlink:href="https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User’s
         Guide to the Haskell Infrastructure</link> provides more
         information about this subject.
       </para>
@@ -593,7 +593,7 @@ nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA haskellPackages.pandoc
         have a function attribute called <literal>extension</literal>
         that users could override in their
         <literal>~/.nixpkgs/config.nix</literal> files to configure
-        additional attributes, etc. That function still exists, but it's
+        additional attributes, etc. That function still exists, but it’s
         now called <literal>overrides</literal>.
       </para>
     </listitem>
@@ -662,7 +662,7 @@ infinite recursion encountered
         <literal>lib</literal>, after adding it as argument of the
         module. The following module
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 { config, pkgs, ... }:
 
 with pkgs.lib;
@@ -677,7 +677,7 @@ with pkgs.lib;
       <para>
         should be modified to look like:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 { config, pkgs, lib, ... }:
 
 with lib;
@@ -695,7 +695,7 @@ with lib;
         replaced by <literal>(import &lt;nixpkgs&gt; {})</literal>. The
         following module
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 { config, pkgs, ... }:
 
 let
@@ -712,7 +712,7 @@ in
       <para>
         should be modified to look like:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 { config, pkgs, ... }:
 
 let
@@ -748,7 +748,7 @@ in
         <literal>/etc/ssh/moduli</literal> file with respect to the
         <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html">vulnerabilities
         discovered in the Diffie-Hellman key exchange</link> can now
-        replace OpenSSH's default version with one they generated
+        replace OpenSSH’s default version with one they generated
         themselves using the new
         <literal>services.openssh.moduliFile</literal> option.
       </para>
diff --git a/nixos/doc/manual/from_md/release-notes/rl-1603.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1603.section.xml
index afbd2fd2c7976..25b356e0aa6ad 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-1603.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-1603.section.xml
@@ -378,7 +378,7 @@
         You will need to add an import statement to your NixOS
         configuration in order to use it, e.g.
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 {
   imports = [ &lt;nixpkgs/nixos/modules/services/misc/gitit.nix&gt; ];
 }
@@ -395,7 +395,7 @@
         to be built in. All modules now reside in
         <literal>nginxModules</literal> set. Example configuration:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 nginx.override {
   modules = [ nginxModules.rtmp nginxModules.dav nginxModules.moreheaders ];
 }
@@ -403,7 +403,7 @@ nginx.override {
     </listitem>
     <listitem>
       <para>
-        <literal>s3sync</literal> is removed, as it hasn't been
+        <literal>s3sync</literal> is removed, as it hasn’t been
         developed by upstream for 4 years and only runs with ruby 1.8.
         For an actively-developer alternative look at
         <literal>tarsnap</literal> and others.
@@ -411,7 +411,7 @@ nginx.override {
     </listitem>
     <listitem>
       <para>
-        <literal>ruby_1_8</literal> has been removed as it's not
+        <literal>ruby_1_8</literal> has been removed as it’s not
         supported from upstream anymore and probably contains security
         issues.
       </para>
@@ -439,7 +439,7 @@ nginx.override {
     <listitem>
       <para>
         The <literal>Ctrl+Alt+Backspace</literal> key combination no
-        longer kills the X server by default. There's a new option
+        longer kills the X server by default. There’s a new option
         <literal>services.xserver.enableCtrlAltBackspace</literal>
         allowing to enable the combination again.
       </para>
@@ -457,7 +457,7 @@ nginx.override {
         <literal>/var/lib/postfix</literal>. Old configurations are
         migrated automatically. <literal>service.postfix</literal>
         module has also received many improvements, such as correct
-        directories' access rights, new <literal>aliasFiles</literal>
+        directories’ access rights, new <literal>aliasFiles</literal>
         and <literal>mapFiles</literal> options and more.
       </para>
     </listitem>
@@ -468,7 +468,7 @@ nginx.override {
         continue to work, but print a warning, until the 16.09 release.
         An example of the new style:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 {
   fileSystems.&quot;/example&quot; = {
     device = &quot;/dev/sdc&quot;;
@@ -497,7 +497,7 @@ nginx.override {
       <para>
         There are also Gutenprint improvements; in particular, a new
         option <literal>services.printing.gutenprint</literal> is added
-        to enable automatic updating of Gutenprint PPMs; it's greatly
+        to enable automatic updating of Gutenprint PPMs; it’s greatly
         recommended to enable it instead of adding
         <literal>gutenprint</literal> to the <literal>drivers</literal>
         list.
@@ -524,7 +524,7 @@ nginx.override {
         used input method name, <literal>&quot;ibus&quot;</literal> for
         ibus. An example of the new style:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 {
   i18n.inputMethod.enabled = &quot;ibus&quot;;
   i18n.inputMethod.ibus.engines = with pkgs.ibus-engines; [ anthy mozc ];
@@ -533,7 +533,7 @@ nginx.override {
       <para>
         That is equivalent to the old version:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 {
   programs.ibus.enable = true;
   programs.ibus.plugins = with pkgs; [ ibus-anthy mozc ];
@@ -545,7 +545,7 @@ nginx.override {
         <literal>services.udev.extraRules</literal> option now writes
         rules to <literal>99-local.rules</literal> instead of
         <literal>10-local.rules</literal>. This makes all the user rules
-        apply after others, so their results wouldn't be overridden by
+        apply after others, so their results wouldn’t be overridden by
         anything else.
       </para>
     </listitem>
@@ -587,7 +587,7 @@ $TTL 1800
         point to exact folder where syncthing is writing to. Example
         configuration should look something like:
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 {
   services.syncthing = {
       enable = true;
@@ -632,8 +632,8 @@ error: path ‘/nix/store/*-broadcom-sta-*’ does not exist and cannot be creat
         The <literal>services.xserver.startGnuPGAgent</literal> option
         has been removed. GnuPG 2.1.x changed the way the gpg-agent
         works, and that new approach no longer requires (or even
-        supports) the &quot;start everything as a child of the
-        agent&quot; scheme we've implemented in NixOS for older
+        supports) the <quote>start everything as a child of the
+        agent</quote> scheme we’ve implemented in NixOS for older
         versions. To configure the gpg-agent for your X session, add the
         following code to <literal>~/.bashrc</literal> or some file
         that’s sourced when your shell is started:
@@ -670,7 +670,7 @@ export GPG_TTY
 </programlisting>
       <para>
         The <literal>gpg-agent(1)</literal> man page has more details
-        about this subject, i.e. in the &quot;EXAMPLES&quot; section.
+        about this subject, i.e. in the <quote>EXAMPLES</quote> section.
       </para>
     </listitem>
   </itemizedlist>
diff --git a/nixos/doc/manual/from_md/release-notes/rl-1609.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1609.section.xml
index 0fba40a0e78d0..c2adbc88f5caa 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-1609.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-1609.section.xml
@@ -78,7 +78,7 @@
         LTS Haskell package set. That support has been dropped. The
         previously provided <literal>haskell.packages.lts-x_y</literal>
         package sets still exist in name to aviod breaking user code,
-        but these package sets don't actually contain the versions
+        but these package sets don’t actually contain the versions
         mandated by the corresponding LTS release. Instead, our package
         set it loosely based on the latest available LTS release, i.e.
         LTS 7.x at the time of this writing. New releases of NixOS and
@@ -119,7 +119,7 @@
     </listitem>
     <listitem>
       <para>
-        Gitlab's maintainance script <literal>gitlab-runner</literal>
+        Gitlab’s maintainance script <literal>gitlab-runner</literal>
         was removed and split up into the more clearer
         <literal>gitlab-run</literal> and <literal>gitlab-rake</literal>
         scripts, because <literal>gitlab-runner</literal> is a component
@@ -164,7 +164,7 @@
       <para>
         <literal>goPackages</literal> was replaced with separated Go
         applications in appropriate <literal>nixpkgs</literal>
-        categories. Each Go package uses its own dependency set. There's
+        categories. Each Go package uses its own dependency set. There’s
         also a new <literal>go2nix</literal> tool introduced to generate
         a Go package definition from its Go source automatically.
       </para>
@@ -192,7 +192,7 @@
         interface has been streamlined. Desktop users should be able to
         simply set
       </para>
-      <programlisting language="bash">
+      <programlisting language="nix">
 {
   security.grsecurity.enable = true;
 }
diff --git a/nixos/doc/manual/from_md/release-notes/rl-1703.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1703.section.xml
index 1119ec53dfc9a..8667063f37e08 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-1703.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-1703.section.xml
@@ -22,7 +22,7 @@
       </listitem>
       <listitem>
         <para>
-          The default desktop environment now is KDE's Plasma 5. KDE 4
+          The default desktop environment now is KDE’s Plasma 5. KDE 4
           has been removed
         </para>
       </listitem>
@@ -560,7 +560,7 @@
           Parsoid service now uses YAML configuration format.
           <literal>service.parsoid.interwikis</literal> is now called
           <literal>service.parsoid.wikis</literal> and is a list of
-          either API URLs or attribute sets as specified in parsoid's
+          either API URLs or attribute sets as specified in parsoid’s
           documentation.
         </para>
       </listitem>
@@ -581,7 +581,7 @@
           <literal>service.nylon</literal> is now declared using named
           instances. As an example:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.nylon = {
     enable = true;
@@ -594,7 +594,7 @@
         <para>
           should be replaced with:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.nylon.myvpn = {
     enable = true;
@@ -615,7 +615,7 @@
           <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
           overlays</link>. For example, the following code:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 let
   pkgs = import &lt;nixpkgs&gt; {};
 in
@@ -624,7 +624,7 @@ in
         <para>
           should be replaced by:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 let
   pkgs = import &lt;nixpkgs&gt; {};
 in
@@ -647,7 +647,7 @@ in
       <listitem>
         <para>
           <literal>local_recipient_maps</literal> is not set to empty
-          value by Postfix service. It's an insecure default as stated
+          value by Postfix service. It’s an insecure default as stated
           by Postfix documentation. Those who want to retain this
           setting need to set it via
           <literal>services.postfix.extraConfig</literal>.
@@ -669,7 +669,7 @@ in
       <listitem>
         <para>
           The socket handling of the <literal>services.rmilter</literal>
-          module has been fixed and refactored. As rmilter doesn't
+          module has been fixed and refactored. As rmilter doesn’t
           support binding to more than one socket, the options
           <literal>bindUnixSockets</literal> and
           <literal>bindInetSockets</literal> have been replaced by
@@ -729,7 +729,7 @@ in
           improves visual consistency and makes Java follow system font
           style, improving the situation on HighDPI displays. This has a
           cost of increased closure size; for server and other headless
-          workloads it's recommended to use
+          workloads it’s recommended to use
           <literal>jre_headless</literal>.
         </para>
       </listitem>
diff --git a/nixos/doc/manual/from_md/release-notes/rl-1709.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1709.section.xml
index fc5d11f07c8db..849ec868c783b 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-1709.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-1709.section.xml
@@ -26,10 +26,10 @@
           The module option
           <literal>services.xserver.xrandrHeads</literal> now causes the
           first head specified in this list to be set as the primary
-          head. Apart from that, it's now possible to also set
+          head. Apart from that, it’s now possible to also set
           additional options by using an attribute set, for example:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 { services.xserver.xrandrHeads = [
     &quot;HDMI-0&quot;
     {
@@ -543,7 +543,7 @@
           </listitem>
           <listitem>
             <para>
-              Radicale's default package has changed from 1.x to 2.x.
+              Radicale’s default package has changed from 1.x to 2.x.
               Instructions to migrate can be found
               <link xlink:href="http://radicale.org/1to2/"> here
               </link>. It is also possible to use the newer version by
@@ -582,7 +582,7 @@
       </listitem>
       <listitem>
         <para>
-          <literal>flexget</literal>'s state database cannot be upgraded
+          <literal>flexget</literal>’s state database cannot be upgraded
           to its new internal format, requiring removal of any existing
           <literal>db-config.sqlite</literal> which will be
           automatically recreated.
@@ -590,9 +590,9 @@
       </listitem>
       <listitem>
         <para>
-          The <literal>ipfs</literal> service now doesn't ignore the
-          <literal>dataDir</literal> option anymore. If you've ever set
-          this option to anything other than the default you'll have to
+          The <literal>ipfs</literal> service now doesn’t ignore the
+          <literal>dataDir</literal> option anymore. If you’ve ever set
+          this option to anything other than the default you’ll have to
           either unset it (so the default gets used) or migrate the old
           data manually with
         </para>
@@ -651,16 +651,16 @@ rmdir /var/lib/ipfs/.ipfs
       </listitem>
       <listitem>
         <para>
-          <literal>cc-wrapper</literal>'s setup-hook now exports a
+          <literal>cc-wrapper</literal><quote>s setup-hook now exports a
           number of environment variables corresponding to binutils
           binaries, (e.g. <literal>LD</literal>,
           <literal>STRIP</literal>, <literal>RANLIB</literal>, etc).
-          This is done to prevent packages' build systems guessing,
-          which is harder to predict, especially when cross-compiling.
-          However, some packages have broken due to this—their build
-          systems either not supporting, or claiming to support without
-          adequate testing, taking such environment variables as
-          parameters.
+          This is done to prevent packages</quote> build systems
+          guessing, which is harder to predict, especially when
+          cross-compiling. However, some packages have broken due to
+          this—their build systems either not supporting, or claiming to
+          support without adequate testing, taking such environment
+          variables as parameters.
         </para>
       </listitem>
       <listitem>
@@ -688,10 +688,10 @@ rmdir /var/lib/ipfs/.ipfs
       </listitem>
       <listitem>
         <para>
-          grsecurity/PaX support has been dropped, following upstream's
+          grsecurity/PaX support has been dropped, following upstream’s
           decision to cease free support. See
           <link xlink:href="https://grsecurity.net/passing_the_baton.php">
-          upstream's announcement</link> for more information. No
+          upstream’s announcement</link> for more information. No
           complete replacement for grsecurity/PaX is available
           presently.
         </para>
@@ -794,7 +794,7 @@ FLUSH PRIVILEGES;
         <para>
           Modules can now be disabled by using
           <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-replace-modules">
-          disabledModules</link>, allowing another to take it's place.
+          disabledModules</link>, allowing another to take it’s place.
           This can be used to import a set of modules from another
           channel while keeping the rest of the system on a stable
           release.
@@ -808,7 +808,7 @@ FLUSH PRIVILEGES;
           provided by fontconfig-penultimate, replacing
           fontconfig-ultimate; the new defaults are less invasive and
           provide rendering that is more consistent with other systems
-          and hopefully with each font designer's intent. Some
+          and hopefully with each font designer’s intent. Some
           system-wide configuration has been removed from the Fontconfig
           NixOS module where user Fontconfig settings are available.
         </para>
diff --git a/nixos/doc/manual/from_md/release-notes/rl-1803.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1803.section.xml
index 910cad467e9d8..f197c52906b01 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-1803.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-1803.section.xml
@@ -16,9 +16,9 @@
       <listitem>
         <para>
           Platform support: x86_64-linux and x86_64-darwin since release
-          time (the latter isn't NixOS, really). Binaries for
+          time (the latter isn’t NixOS, really). Binaries for
           aarch64-linux are available, but no channel exists yet, as
-          it's waiting for some test fixes, etc.
+          it’s waiting for some test fixes, etc.
         </para>
       </listitem>
       <listitem>
@@ -495,11 +495,11 @@
         <para>
           The propagation logic has been changed. The new logic, along
           with new types of dependencies that go with, is thoroughly
-          documented in the &quot;Specifying dependencies&quot; section
-          of the &quot;Standard Environment&quot; chapter of the nixpkgs
-          manual. The old logic isn't but is easy to describe:
-          dependencies were propagated as the same type of dependency no
-          matter what. In practice, that means that many
+          documented in the <quote>Specifying dependencies</quote>
+          section of the <quote>Standard Environment</quote> chapter of
+          the nixpkgs manual. The old logic isn’t but is easy to
+          describe: dependencies were propagated as the same type of
+          dependency no matter what. In practice, that means that many
           <literal>propagatedNativeBuildInputs</literal> should instead
           be <literal>propagatedBuildInputs</literal>. Thankfully, that
           was and is the least used type of dependency. Also, it means
@@ -541,7 +541,7 @@
           Previously, if other options in the Postfix module like
           <literal>services.postfix.useSrs</literal> were set and the
           user set config options that were also set by such options,
-          the resulting config wouldn't include all options that were
+          the resulting config wouldn’t include all options that were
           needed. They are now merged correctly. If config options need
           to be overridden, <literal>lib.mkForce</literal> or
           <literal>lib.mkOverride</literal> can be used.
@@ -626,7 +626,7 @@
               if <literal>config.networking.domain</literal> is set,
               <literal>matomo.${config.networking.hostName}</literal> if
               it is not set. If you change your
-              <literal>serverName</literal>, remember you'll need to
+              <literal>serverName</literal>, remember you’ll need to
               update the <literal>trustedHosts[]</literal> array in
               <literal>/var/lib/matomo/config/config.ini.php</literal>
               as well.
@@ -793,7 +793,7 @@
         <para>
           <literal>services.btrfs.autoScrub</literal> has been added, to
           periodically check btrfs filesystems for data corruption. If
-          there's a correct copy available, it will automatically repair
+          there’s a correct copy available, it will automatically repair
           corrupted blocks.
         </para>
       </listitem>
@@ -830,7 +830,7 @@
         <para>
           In order to have the previous default configuration add
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.xserver.displayManager.lightdm.greeters.gtk.indicators = [
     &quot;~host&quot; &quot;~spacer&quot;
diff --git a/nixos/doc/manual/from_md/release-notes/rl-1809.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1809.section.xml
index aa4637a99b606..4bbfa7be398eb 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-1809.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-1809.section.xml
@@ -54,7 +54,7 @@
         <para>
           For example
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   programs.firejail = {
     enable = true;
@@ -523,8 +523,8 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
       <listitem>
         <para>
           The <literal>netcat</literal> package is now taken directly
-          from OpenBSD's <literal>libressl</literal>, instead of relying
-          on Debian's fork. The new version should be very close to the
+          from OpenBSD’s <literal>libressl</literal>, instead of relying
+          on Debian’s fork. The new version should be very close to the
           old version, but there are some minor differences.
           Importantly, flags like -b, -q, -C, and -Z are no longer
           accepted by the nc command.
@@ -533,7 +533,7 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
       <listitem>
         <para>
           The <literal>services.docker-registry.extraConfig</literal>
-          object doesn't contain environment variables anymore. Instead
+          object doesn’t contain environment variables anymore. Instead
           it needs to provide an object structure that can be mapped
           onto the YAML configuration defined in
           <link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the
@@ -543,7 +543,7 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
       <listitem>
         <para>
           <literal>gnucash</literal> has changed from version 2.4 to
-          3.x. If you've been using <literal>gnucash</literal> (version
+          3.x. If you’ve been using <literal>gnucash</literal> (version
           2.4) instead of <literal>gnucash26</literal> (version 2.6) you
           must open your Gnucash data file(s) with
           <literal>gnucash26</literal> and then save them to upgrade the
@@ -695,7 +695,7 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
           A NixOS system can now be constructed more easily based on a
           preexisting invocation of Nixpkgs. For example:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   inherit (pkgs.nixos {
     boot.loader.grub.enable = false;
@@ -791,7 +791,7 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
           <para>
             An example usage of this would be:
           </para>
-          <programlisting language="bash">
+          <programlisting language="nix">
 { config, ... }:
 
 {
@@ -874,7 +874,7 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
           The <literal>programs.screen</literal> module provides allows
           to configure <literal>/etc/screenrc</literal>, however the
           module behaved fairly counterintuitive as the config exists,
-          but the package wasn't available. Since 18.09
+          but the package wasn’t available. Since 18.09
           <literal>pkgs.screen</literal> will be added to
           <literal>environment.systemPackages</literal>.
         </para>
@@ -920,7 +920,7 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
         <para>
           NixOS option descriptions are now automatically broken up into
           individual paragraphs if the text contains two consecutive
-          newlines, so it's no longer necessary to use
+          newlines, so it’s no longer necessary to use
           <literal>&lt;/para&gt;&lt;para&gt;</literal> to start a new
           paragraph.
         </para>
diff --git a/nixos/doc/manual/from_md/release-notes/rl-1903.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1903.section.xml
index 31c5c1fc7f498..ed26f2ba45d05 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-1903.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-1903.section.xml
@@ -29,9 +29,9 @@
           <para>
             By default,
             <literal>services.xserver.desktopManager.pantheon</literal>
-            enables LightDM as a display manager, as pantheon's screen
+            enables LightDM as a display manager, as pantheon’s screen
             locking implementation relies on it. Because of that it is
-            recommended to leave LightDM enabled. If you'd like to
+            recommended to leave LightDM enabled. If you’d like to
             disable it anyway, set
             <literal>services.xserver.displayManager.lightdm.enable</literal>
             to <literal>false</literal> and enable your preferred
@@ -39,8 +39,8 @@
           </para>
         </note>
         <para>
-          Also note that Pantheon's LightDM greeter is not enabled by
-          default, because it has numerous issues in NixOS and isn't
+          Also note that Pantheon’s LightDM greeter is not enabled by
+          default, because it has numerous issues in NixOS and isn’t
           optimal for use here yet.
         </para>
       </listitem>
@@ -200,7 +200,7 @@
       <listitem>
         <para>
           The <literal>ntp</literal> module now has sane default
-          restrictions. If you're relying on the previous defaults,
+          restrictions. If you’re relying on the previous defaults,
           which permitted all queries and commands from all
           firewall-permitted sources, you can set
           <literal>services.ntp.restrictDefault</literal> and
@@ -342,7 +342,7 @@
           preserved when also setting interface specific rules such as
           <literal>networking.firewall.interfaces.en0.allow*</literal>.
           These rules continue to use the pseudo device
-          &quot;default&quot;
+          <quote>default</quote>
           (<literal>networking.firewall.interfaces.default.*</literal>),
           and assigning to this pseudo device will override the
           (<literal>networking.firewall.allow*</literal>) options.
@@ -360,9 +360,9 @@
           presence of <literal>services.sssd.enable = true</literal>
           because nscd caching would interfere with
           <literal>sssd</literal> in unpredictable ways as well. Because
-          we're using nscd not for caching, but for convincing glibc to
+          we’re using nscd not for caching, but for convincing glibc to
           find NSS modules in the nix store instead of an absolute path,
-          we have decided to disable caching globally now, as it's
+          we have decided to disable caching globally now, as it’s
           usually not the behaviour the user wants and can lead to
           surprising behaviour. Furthermore, negative caching of host
           lookups is also disabled now by default. This should fix the
@@ -374,7 +374,7 @@
           setting the <literal>services.nscd.config</literal> option
           with the desired caching parameters.
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.nscd.config =
   ''
@@ -453,7 +453,7 @@
           with its control field set to <literal>sufficient</literal>
           instead of <literal>required</literal>, so that password
           managed only by later PAM password modules are being executed.
-          Previously, for example, changing an LDAP account's password
+          Previously, for example, changing an LDAP account’s password
           through PAM was not possible: the whole password module
           verification was exited prematurely by
           <literal>pam_unix</literal>, preventing
@@ -497,11 +497,11 @@
           <link xlink:href="https://matrix.org/blog/2019/02/05/synapse-0-99-0/">the
           last version to accept self-signed certificates</link>. As
           such, it is now recommended to use a proper certificate
-          verified by a root CA (for example Let's Encrypt). The new
+          verified by a root CA (for example Let’s Encrypt). The new
           <link linkend="module-services-matrix">manual chapter on
           Matrix</link> contains a working example of using nginx as a
           reverse proxy in front of <literal>matrix-synapse</literal>,
-          using Let's Encrypt certificates.
+          using Let’s Encrypt certificates.
         </para>
       </listitem>
       <listitem>
@@ -682,7 +682,7 @@
           <link xlink:href="options.html#opt-services.ndppd.enable">all
           config options</link> provided by the current upstream version
           as service options. Additionally the <literal>ndppd</literal>
-          package doesn't contain the systemd unit configuration from
+          package doesn’t contain the systemd unit configuration from
           upstream anymore, the unit is completely configured by the
           NixOS module now.
         </para>
diff --git a/nixos/doc/manual/from_md/release-notes/rl-1909.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1909.section.xml
index f9b99961d2771..3bf83e1eccbd0 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-1909.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-1909.section.xml
@@ -82,13 +82,13 @@
       </listitem>
       <listitem>
         <para>
-          We've updated to Xfce 4.14, which brings a new module
+          We’ve updated to Xfce 4.14, which brings a new module
           <literal>services.xserver.desktopManager.xfce4-14</literal>.
-          If you'd like to upgrade, please switch from the
+          If you’d like to upgrade, please switch from the
           <literal>services.xserver.desktopManager.xfce</literal> module
-          as it will be deprecated in a future release. They're
-          incompatibilities with the current Xfce module; it doesn't
-          support <literal>thunarPlugins</literal> and it isn't
+          as it will be deprecated in a future release. They’re
+          incompatibilities with the current Xfce module; it doesn’t
+          support <literal>thunarPlugins</literal> and it isn’t
           recommended to use
           <literal>services.xserver.desktopManager.xfce</literal> and
           <literal>services.xserver.desktopManager.xfce4-14</literal>
@@ -125,7 +125,7 @@
         </itemizedlist>
         <para>
           With these options we hope to give users finer grained control
-          over their systems. Prior to this change you'd either have to
+          over their systems. Prior to this change you’d either have to
           manually disable options or use
           <literal>environment.gnome3.excludePackages</literal> which
           only excluded the optional applications.
@@ -138,7 +138,7 @@
       <listitem>
         <para>
           Orthogonal to the previous changes to the GNOME 3 desktop
-          manager module, we've updated all default services and
+          manager module, we’ve updated all default services and
           applications to match as close as possible to a default
           reference GNOME 3 experience.
         </para>
@@ -295,7 +295,7 @@
               <literal>services.xserver.desktopManager.mate</literal>
               Note Mate uses
               <literal>programs.system-config-printer</literal> as it
-              doesn't use it as a service, but its graphical interface
+              doesn’t use it as a service, but its graphical interface
               directly.
             </para>
           </listitem>
@@ -347,7 +347,7 @@
           <literal>services.prometheus.alertmanager.user</literal> and
           <literal>services.prometheus.alertmanager.group</literal> have
           been removed because the alertmanager service is now using
-          systemd's
+          systemd’s
           <link xlink:href="http://0pointer.net/blog/dynamic-users-with-systemd.html">
           DynamicUser mechanism</link> which obviates these options.
         </para>
@@ -366,7 +366,7 @@
           The <literal>services.nzbget.configFile</literal> and
           <literal>services.nzbget.openFirewall</literal> options were
           removed as they are managed internally by the nzbget. The
-          <literal>services.nzbget.dataDir</literal> option hadn't
+          <literal>services.nzbget.dataDir</literal> option hadn’t
           actually been used by the module for some time and so was
           removed as cleanup.
         </para>
@@ -475,7 +475,7 @@
           Make sure you set the <literal>_netdev</literal> option for
           each of the file systems referring to block devices provided
           by the autoLuks module. Not doing this might render the system
-          in a state where it doesn't boot anymore.
+          in a state where it doesn’t boot anymore.
         </para>
         <para>
           If you are actively using the <literal>autoLuks</literal>
@@ -667,7 +667,7 @@
           instead of depending on the catch-all
           <literal>acme-certificates.target</literal>. This target unit
           was also removed from the codebase. This will mean nginx will
-          no longer depend on certificates it isn't explicitly managing
+          no longer depend on certificates it isn’t explicitly managing
           and fixes a bug with certificate renewal ordering racing with
           nginx restarting which could lead to nginx getting in a broken
           state as described at
@@ -687,8 +687,8 @@
           <literal>services.xserver.desktopManager.xterm</literal> is
           now disabled by default if <literal>stateVersion</literal> is
           19.09 or higher. Previously the xterm desktopManager was
-          enabled when xserver was enabled, but it isn't useful for all
-          people so it didn't make sense to have any desktopManager
+          enabled when xserver was enabled, but it isn’t useful for all
+          people so it didn’t make sense to have any desktopManager
           enabled default.
         </para>
       </listitem>
@@ -696,7 +696,7 @@
         <para>
           The WeeChat plugin
           <literal>pkgs.weechatScripts.weechat-xmpp</literal> has been
-          removed as it doesn't receive any updates from upstream and
+          removed as it doesn’t receive any updates from upstream and
           depends on outdated Python2-based modules.
         </para>
       </listitem>
@@ -744,11 +744,11 @@
           <literal>services.gitlab.secrets.dbFile</literal>,
           <literal>services.gitlab.secrets.otpFile</literal> and
           <literal>services.gitlab.secrets.jwsFile</literal>). This was
-          done so that secrets aren't stored in the world-readable nix
-          store, but means that for each option you'll have to create a
-          file with the same exact string, add &quot;File&quot; to the
-          end of the option name, and change the definition to a string
-          pointing to the corresponding file; e.g.
+          done so that secrets aren’t stored in the world-readable nix
+          store, but means that for each option you’ll have to create a
+          file with the same exact string, add <quote>File</quote> to
+          the end of the option name, and change the definition to a
+          string pointing to the corresponding file; e.g.
           <literal>services.gitlab.databasePassword = &quot;supersecurepassword&quot;</literal>
           becomes
           <literal>services.gitlab.databasePasswordFile = &quot;/path/to/secret_file&quot;</literal>
@@ -791,7 +791,7 @@
       <listitem>
         <para>
           The <literal>nodejs-11_x</literal> package has been removed as
-          it's EOLed by upstream.
+          it’s EOLed by upstream.
         </para>
       </listitem>
       <listitem>
@@ -961,7 +961,7 @@
           from the upstream default <literal>speex-float-1</literal> to
           <literal>speex-float-5</literal>. Be aware that low-powered
           ARM-based and MIPS-based boards will struggle with this so
-          you'll need to set
+          you’ll need to set
           <literal>hardware.pulseaudio.daemon.config.resample-method</literal>
           back to <literal>speex-float-1</literal>.
         </para>
@@ -1004,7 +1004,7 @@
       </listitem>
       <listitem>
         <para>
-          It's now possible to change configuration in
+          It’s now possible to change configuration in
           <link xlink:href="options.html#opt-services.nextcloud.enable">services.nextcloud</link>
           after the initial deploy since all config parameters are
           persisted in an additional config file generated by the
@@ -1178,7 +1178,7 @@
           <link xlink:href="https://ceph.com/releases/v14-2-0-nautilus-released/">release
           notes</link> for details. The mgr dashboard as well as osds
           backed by loop-devices is no longer explicitly supported by
-          the package and module. Note: There's been some issues with
+          the package and module. Note: There’s been some issues with
           python-cherrypy, which is used by the dashboard and prometheus
           mgr modules (and possibly others), hence
           0000-dont-check-cherrypy-version.patch.
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2003.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2003.section.xml
index 53e6e1329a942..35fbb7447c70d 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2003.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2003.section.xml
@@ -73,7 +73,7 @@
       <listitem>
         <para>
           The graphical installer image starts the graphical session
-          automatically. Before you'd be greeted by a tty and asked to
+          automatically. Before you’d be greeted by a tty and asked to
           enter <literal>systemctl start display-manager</literal>. It
           is now possible to disable the display-manager from running by
           selecting the <literal>Disable display-manager</literal> quirk
@@ -93,7 +93,7 @@
           <link xlink:href="options.html#opt-services.xserver.desktopManager.pantheon.enable">services.xserver.desktopManager.pantheon.enable</link>,
           we now default to also use
           <link xlink:href="https://blog.elementary.io/say-hello-to-the-new-greeter/">
-          Pantheon's newly designed greeter </link>. Contrary to NixOS's
+          Pantheon’s newly designed greeter </link>. Contrary to NixOS’s
           usual update policy, Pantheon will receive updates during the
           cycle of NixOS 20.03 when backwards compatible.
         </para>
@@ -133,7 +133,7 @@
           option to improve support for upstream session files. If you
           used something like:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.xserver.desktopManager.default = &quot;xfce&quot;;
   services.xserver.windowManager.default = &quot;icewm&quot;;
@@ -142,7 +142,7 @@
         <para>
           you should change it to:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.xserver.displayManager.defaultSession = &quot;xfce+icewm&quot;;
 }
@@ -196,7 +196,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details.
       </listitem>
       <listitem>
         <para>
-          UPower's configuration is now managed by NixOS and can be
+          UPower’s configuration is now managed by NixOS and can be
           customized via <literal>services.upower</literal>.
         </para>
       </listitem>
@@ -505,7 +505,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details.
           <link xlink:href="https://github.com/NixOS/nixpkgs/pull/71106">#71106</link>.
         </para>
         <para>
-          We already don't support the global
+          We already don’t support the global
           <link xlink:href="options.html#opt-networking.useDHCP">networking.useDHCP</link>,
           <link xlink:href="options.html#opt-networking.defaultGateway">networking.defaultGateway</link>
           and
@@ -522,7 +522,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details.
           The stdenv now runs all bash with <literal>set -u</literal>,
           to catch the use of undefined variables. Before, it itself
           used <literal>set -u</literal> but was careful to unset it so
-          other packages' code ran as before. Now, all bash code is held
+          other packages’ code ran as before. Now, all bash code is held
           to the same high standard, and the rather complex stateful
           manipulation of the options can be discarded.
         </para>
@@ -558,7 +558,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details.
           <literal>xfceUnstable</literal> all now point to the latest
           Xfce 4.14 packages. And in the future NixOS releases will be
           the latest released version of Xfce available at the time of
-          the release's development (if viable).
+          the release’s development (if viable).
         </para>
       </listitem>
       <listitem>
@@ -662,7 +662,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details.
       <listitem>
         <para>
           The <literal>dump1090</literal> derivation has been changed to
-          use FlightAware's dump1090 as its upstream. However, this
+          use FlightAware’s dump1090 as its upstream. However, this
           version does not have an internal webserver anymore. The
           assets in the <literal>share/dump1090</literal> directory of
           the derivation can be used in conjunction with an external
@@ -821,7 +821,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details.
           is a <literal>loaOf</literal> option that is commonly used as
           follows:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   users.users =
     [ { name = &quot;me&quot;;
@@ -836,7 +836,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details.
           value of <literal>name</literal> as the name of the attribute
           set:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   users.users.me =
     { description = &quot;My personal user.&quot;;
@@ -890,7 +890,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details.
           <listitem>
             <para>
               The<literal>services.buildkite-agent.openssh.publicKeyPath</literal>
-              option has been removed, as it's not necessary to deploy
+              option has been removed, as it’s not necessary to deploy
               public keys to clone private repositories.
             </para>
           </listitem>
@@ -932,7 +932,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details.
           The <literal>services.xserver.displayManager.auto</literal>
           module has been removed. It was only intended for use in
           internal NixOS tests, and gave the false impression of it
-          being a special display manager when it's actually LightDM.
+          being a special display manager when it’s actually LightDM.
           Please use the
           <literal>services.xserver.displayManager.lightdm.autoLogin</literal>
           options instead, or any other display manager in NixOS as they
@@ -940,7 +940,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details.
           because it permitted root auto-login you can override the
           lightdm-autologin pam module like:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   security.pam.services.lightdm-autologin.text = lib.mkForce ''
       auth     requisite pam_nologin.so
@@ -962,13 +962,13 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details.
 auth required pam_succeed_if.so quiet
 </programlisting>
         <para>
-          line, where default it's:
+          line, where default it’s:
         </para>
         <programlisting>
  auth required pam_succeed_if.so uid &gt;= 1000 quiet
 </programlisting>
         <para>
-          not permitting users with uid's below 1000 (like root). All
+          not permitting users with uid’s below 1000 (like root). All
           other display managers in NixOS are configured like this.
         </para>
       </listitem>
@@ -1004,7 +1004,7 @@ auth required pam_succeed_if.so quiet
               Additionally, some Postfix configuration must now be set
               manually instead of automatically by the Mailman module:
             </para>
-            <programlisting language="bash">
+            <programlisting language="nix">
 {
   services.postfix.relayDomains = [ &quot;hash:/var/lib/mailman/data/postfix_domains&quot; ];
   services.postfix.config.transport_maps = [ &quot;hash:/var/lib/mailman/data/postfix_lmtp&quot; ];
@@ -1051,14 +1051,14 @@ auth required pam_succeed_if.so quiet
       <listitem>
         <para>
           The <literal>*psu</literal> versions of oraclejdk8 have been
-          removed as they aren't provided by upstream anymore.
+          removed as they aren’t provided by upstream anymore.
         </para>
       </listitem>
       <listitem>
         <para>
           The <literal>services.dnscrypt-proxy</literal> module has been
           removed as it used the deprecated version of dnscrypt-proxy.
-          We've added
+          We’ve added
           <link xlink:href="options.html#opt-services.dnscrypt-proxy2.enable">services.dnscrypt-proxy2.enable</link>
           to use the supported version. This module supports
           configuration via the Nix attribute set
@@ -1066,7 +1066,7 @@ auth required pam_succeed_if.so quiet
           or by passing a TOML configuration file via
           <link xlink:href="options.html#opt-services.dnscrypt-proxy2.configFile">services.dnscrypt-proxy2.configFile</link>.
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   # Example configuration:
   services.dnscrypt-proxy2.enable = true;
@@ -1093,7 +1093,7 @@ auth required pam_succeed_if.so quiet
       </listitem>
       <listitem>
         <para>
-          sqldeveloper_18 has been removed as it's not maintained
+          sqldeveloper_18 has been removed as it’s not maintained
           anymore, sqldeveloper has been updated to version
           <literal>19.4</literal>. Please note that this means that this
           means that the oraclejdk is now required. For further
@@ -1110,7 +1110,7 @@ auth required pam_succeed_if.so quiet
           the different lists of dependencies mashed together as one big
           list, and then partitioning into Haskell and non-Hakell
           dependencies, they work from the original many different
-          dependency parameters and don't need to algorithmically
+          dependency parameters and don’t need to algorithmically
           partition anything.
         </para>
         <para>
@@ -1123,7 +1123,7 @@ auth required pam_succeed_if.so quiet
       </listitem>
       <listitem>
         <para>
-          The gcc-snapshot-package has been removed. It's marked as
+          The gcc-snapshot-package has been removed. It’s marked as
           broken for &gt;2 years and used to point to a fairly old
           snapshot from the gcc7-branch.
         </para>
@@ -1158,7 +1158,7 @@ auth required pam_succeed_if.so quiet
       <listitem>
         <para>
           nextcloud has been updated to <literal>v18.0.2</literal>. This
-          means that users from NixOS 19.09 can't upgrade directly since
+          means that users from NixOS 19.09 can’t upgrade directly since
           you can only move one version forward and 19.09 uses
           <literal>v16.0.8</literal>.
         </para>
@@ -1181,7 +1181,7 @@ auth required pam_succeed_if.so quiet
               Existing setups will be detected using
               <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>:
               by default, nextcloud17 will be used, but will raise a
-              warning which notes that after that deploy it's
+              warning which notes that after that deploy it’s
               recommended to update to the latest stable version
               (nextcloud18) by declaring the newly introduced setting
               <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link>.
@@ -1194,7 +1194,7 @@ auth required pam_succeed_if.so quiet
               get an evaluation error by default. This is done to ensure
               that our
               <link xlink:href="options.html#opt-services.nextcloud.package">package</link>-option
-              doesn't select an older version by accident. It's
+              doesn’t select an older version by accident. It’s
               recommended to use pkgs.nextcloud18 or to set
               <link xlink:href="options.html#opt-services.nextcloud.package">package</link>
               to pkgs.nextcloud explicitly.
@@ -1203,7 +1203,7 @@ auth required pam_succeed_if.so quiet
         </itemizedlist>
         <warning>
           <para>
-            Please note that if you're coming from
+            Please note that if you’re coming from
             <literal>19.03</literal> or older, you have to manually
             upgrade to <literal>19.09</literal> first to upgrade your
             server to Nextcloud v16.
@@ -1215,7 +1215,7 @@ auth required pam_succeed_if.so quiet
           Hydra has gained a massive performance improvement due to
           <link xlink:href="https://github.com/NixOS/hydra/pull/710">some
           database schema changes</link> by adding several IDs and
-          better indexing. However, it's necessary to upgrade Hydra in
+          better indexing. However, it’s necessary to upgrade Hydra in
           multiple steps:
         </para>
         <itemizedlist>
@@ -1229,7 +1229,7 @@ auth required pam_succeed_if.so quiet
               when upgrading. Otherwise, the package can be deployed
               using the following config:
             </para>
-            <programlisting language="bash">
+            <programlisting language="nix">
 { pkgs, ... }: {
   services.hydra.package = pkgs.hydra-migration;
 }
@@ -1266,12 +1266,12 @@ $ hydra-backfill-ids
             <link xlink:href="options.html#opt-system.stateVersion">stateVersion</link>
             is set to <literal>20.03</literal> or greater,
             hydra-unstable will be used automatically! This will break
-            your setup if you didn't run the migration.
+            your setup if you didn’t run the migration.
           </para>
         </warning>
         <para>
           Please note that Hydra is currently not available with
-          nixStable as this doesn't compile anymore.
+          nixStable as this doesn’t compile anymore.
         </para>
         <warning>
           <para>
@@ -1281,7 +1281,7 @@ $ hydra-backfill-ids
             assertion error will be thrown. To circumvent this, you need
             to set
             <link xlink:href="options.html#opt-services.hydra.package">services.hydra.package</link>
-            to pkgs.hydra explicitly and make sure you know what you're
+            to pkgs.hydra explicitly and make sure you know what you’re
             doing!
           </para>
         </warning>
@@ -1319,7 +1319,7 @@ $ hydra-backfill-ids
         <para>
           To continue to use the old approach, you can configure:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};'';
   systemd.services.nginx.serviceConfig.User = lib.mkForce &quot;root&quot;;
@@ -1413,14 +1413,14 @@ $ hydra-backfill-ids
         <itemizedlist>
           <listitem>
             <para>
-              If you use <literal>sqlite3</literal> you don't need to do
+              If you use <literal>sqlite3</literal> you don’t need to do
               anything.
             </para>
           </listitem>
           <listitem>
             <para>
               If you use <literal>postgresql</literal> on a different
-              server, you don't need to change anything as well since
+              server, you don’t need to change anything as well since
               this module was never designed to configure remote
               databases.
             </para>
@@ -1432,7 +1432,7 @@ $ hydra-backfill-ids
               older, you simply need to enable postgresql-support
               explicitly:
             </para>
-            <programlisting language="bash">
+            <programlisting language="nix">
 { ... }: {
   services.matrix-synapse = {
     enable = true;
@@ -1460,7 +1460,7 @@ $ hydra-backfill-ids
           <literal>nixos-unstable</literal> <emphasis>after</emphasis>
           the <literal>19.09</literal>-release, your database is
           misconfigured due to a regression in NixOS. For now,
-          matrix-synapse will startup with a warning, but it's
+          matrix-synapse will startup with a warning, but it’s
           recommended to reconfigure the database to set the values
           <literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal>
           to
@@ -1473,7 +1473,7 @@ $ hydra-backfill-ids
           <link xlink:href="options.html#opt-systemd.network.links">systemd.network.links</link>
           option is now respected even when
           <link xlink:href="options.html#opt-systemd.network.enable">systemd-networkd</link>
-          is disabled. This mirrors the behaviour of systemd - It's udev
+          is disabled. This mirrors the behaviour of systemd - It’s udev
           that parses <literal>.link</literal> files, not
           <literal>systemd-networkd</literal>.
         </para>
@@ -1486,8 +1486,8 @@ $ hydra-backfill-ids
           <para>
             Please note that mongodb has been relicensed under their own
             <link xlink:href="https://www.mongodb.com/licensing/server-side-public-license/faq"><literal> sspl</literal></link>-license.
-            Since it's not entirely free and not OSI-approved, it's
-            listed as non-free. This means that Hydra doesn't provide
+            Since it’s not entirely free and not OSI-approved, it’s
+            listed as non-free. This means that Hydra doesn’t provide
             prebuilt mongodb-packages and needs to be built locally.
           </para>
         </warning>
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2009.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2009.section.xml
index edebd92b327a6..a1b007e711d73 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2009.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2009.section.xml
@@ -722,7 +722,7 @@
           See
           <link xlink:href="https://mariadb.com/kb/en/authentication-from-mariadb-104/">Authentication
           from MariaDB 10.4</link>. unix_socket auth plugin does not use
-          a password, and uses the connecting user's UID instead. When a
+          a password, and uses the connecting user’s UID instead. When a
           new MariaDB data directory is initialized, two MariaDB users
           are created and can be used with new unix_socket auth plugin,
           as well as traditional mysql_native_password plugin:
@@ -730,7 +730,7 @@
           traditional mysql_native_password plugin method, one must run
           the following:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
 services.mysql.initialScript = pkgs.writeText &quot;mariadb-init.sql&quot; ''
   ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD(&quot;verysecret&quot;);
@@ -755,7 +755,7 @@ services.mysql.initialScript = pkgs.writeText &quot;mariadb-init.sql&quot; ''
           allow MySQL to read from /home and /tmp directories when using
           <literal>LOAD DATA INFILE</literal>
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce &quot;read-only&quot;;
 }
@@ -766,7 +766,7 @@ services.mysql.initialScript = pkgs.writeText &quot;mariadb-init.sql&quot; ''
           <literal>SELECT * INTO OUTFILE</literal>, assuming the mysql
           user has write access to <literal>/var/data</literal>
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   systemd.services.mysql.serviceConfig.ReadWritePaths = [ &quot;/var/data&quot; ];
 }
@@ -864,7 +864,7 @@ WHERE table_schema = &quot;zabbix&quot; AND COLLATION_NAME = &quot;utf8_general_
         <para>
           <literal>buildGoModule</literal> now internally creates a
           vendor directory in the source tree for downloaded modules
-          instead of using go's
+          instead of using go’s
           <link xlink:href="https://golang.org/cmd/go/#hdr-Module_proxy_protocol">module
           proxy protocol</link>. This storage format is simpler and
           therefore less likely to break with future versions of go. As
@@ -885,7 +885,7 @@ WHERE table_schema = &quot;zabbix&quot; AND COLLATION_NAME = &quot;utf8_general_
           <literal>phantomJsSupport = true</literal> to the package
           instantiation:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec {
     phantomJsSupport = true;
@@ -941,24 +941,24 @@ WHERE table_schema = &quot;zabbix&quot; AND COLLATION_NAME = &quot;utf8_general_
         <para>
           If you used the
           <literal>boot.initrd.network.ssh.host*Key</literal> options,
-          you'll get an error explaining how to convert your host keys
+          you’ll get an error explaining how to convert your host keys
           and migrate to the new
           <literal>boot.initrd.network.ssh.hostKeys</literal> option.
-          Otherwise, if you don't have any host keys set, you'll need to
+          Otherwise, if you don’t have any host keys set, you’ll need to
           generate some; see the <literal>hostKeys</literal> option
           documentation for instructions.
         </para>
       </listitem>
       <listitem>
         <para>
-          Since this release there's an easy way to customize your PHP
+          Since this release there’s an easy way to customize your PHP
           install to get a much smaller base PHP with only wanted
           extensions enabled. See the following snippet installing a
           smaller PHP with the extensions <literal>imagick</literal>,
           <literal>opcache</literal>, <literal>pdo</literal> and
           <literal>pdo_mysql</literal> loaded:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   environment.systemPackages = [
     (pkgs.php.withExtensions
@@ -973,7 +973,7 @@ WHERE table_schema = &quot;zabbix&quot; AND COLLATION_NAME = &quot;utf8_general_
 }
 </programlisting>
         <para>
-          The default <literal>php</literal> attribute hasn't lost any
+          The default <literal>php</literal> attribute hasn’t lost any
           extensions. The <literal>opcache</literal> extension has been
           added. All upstream PHP extensions are available under
           php.extensions.&lt;name?&gt;.
@@ -997,7 +997,7 @@ WHERE table_schema = &quot;zabbix&quot; AND COLLATION_NAME = &quot;utf8_general_
           The remaining configuration flags can now be set directly on
           the <literal>php</literal> attribute. For example, instead of
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   php.override {
     config.php.embed = true;
@@ -1008,7 +1008,7 @@ WHERE table_schema = &quot;zabbix&quot; AND COLLATION_NAME = &quot;utf8_general_
         <para>
           you should now write
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   php.override {
     embedSupport = true;
@@ -1062,7 +1062,7 @@ WHERE table_schema = &quot;zabbix&quot; AND COLLATION_NAME = &quot;utf8_general_
           writing to other folders, use
           <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal>
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   systemd.services.nginx.serviceConfig.ReadWritePaths = [ &quot;/var/www&quot; ];
 }
@@ -1076,7 +1076,7 @@ WHERE table_schema = &quot;zabbix&quot; AND COLLATION_NAME = &quot;utf8_general_
           docs</link> for details). If you require serving files from
           home directories, you may choose to set e.g.
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   systemd.services.nginx.serviceConfig.ProtectHome = &quot;read-only&quot;;
 }
@@ -1093,7 +1093,7 @@ WHERE table_schema = &quot;zabbix&quot; AND COLLATION_NAME = &quot;utf8_general_
         <para>
           Replace a <literal>nesting.clone</literal> entry with:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   specialisation.example-sub-configuration = {
     configuration = {
@@ -1104,7 +1104,7 @@ WHERE table_schema = &quot;zabbix&quot; AND COLLATION_NAME = &quot;utf8_general_
         <para>
           Replace a <literal>nesting.children</literal> entry with:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   specialisation.example-sub-configuration = {
     inheritParentConfig = false;
@@ -1162,7 +1162,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
         <para>
           The <literal>systemd-networkd</literal> option
           <literal>systemd.network.networks.&lt;name&gt;.dhcp.CriticalConnection</literal>
-          has been removed following upstream systemd's deprecation of
+          has been removed following upstream systemd’s deprecation of
           the same. It is recommended to use
           <literal>systemd.network.networks.&lt;name&gt;.networkConfig.KeepConfiguration</literal>
           instead. See systemd.network 5 for details.
@@ -1174,7 +1174,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
           <literal>systemd.network.networks._name_.dhcpConfig</literal>
           has been renamed to
           <link xlink:href="options.html#opt-systemd.network.networks._name_.dhcpV4Config">systemd.network.networks.<emphasis>name</emphasis>.dhcpV4Config</link>
-          following upstream systemd's documentation change. See
+          following upstream systemd’s documentation change. See
           systemd.network 5 for details.
         </para>
       </listitem>
@@ -1283,7 +1283,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
           The
           <link xlink:href="https://github.com/okTurtles/dnschain">DNSChain</link>
           package and NixOS module have been removed from Nixpkgs as the
-          software is unmaintained and can't be built. For more
+          software is unmaintained and can’t be built. For more
           information see issue
           <link xlink:href="https://github.com/NixOS/nixpkgs/issues/89205">#89205</link>.
         </para>
@@ -1350,7 +1350,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
       </listitem>
       <listitem>
         <para>
-          Radicale's default package has changed from 2.x to 3.x. An
+          Radicale’s default package has changed from 2.x to 3.x. An
           upgrade checklist can be found
           <link xlink:href="https://github.com/Kozea/Radicale/blob/3.0.x/NEWS.md#upgrade-checklist">here</link>.
           You can use the newer version in the NixOS service by setting
@@ -1385,7 +1385,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
           multi-instance config with an existing bitcoind data directory
           and user, you have to adjust the original config, e.g.:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.bitcoind = {
     enable = true;
@@ -1397,7 +1397,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
         <para>
           To something similar:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.bitcoind.mainnet = {
     enable = true;
@@ -1447,7 +1447,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
           the original SSL settings, you have to adjust the original
           config, e.g.:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.dokuwiki = {
     enable = true;
@@ -1458,7 +1458,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
         <para>
           To something similar:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.dokuwiki.&quot;mywiki&quot; = {
     enable = true;
@@ -1472,8 +1472,8 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
 </programlisting>
         <para>
           The base package has also been upgraded to the 2020-07-29
-          &quot;Hogfather&quot; release. Plugins might be incompatible
-          or require upgrading.
+          <quote>Hogfather</quote> release. Plugins might be
+          incompatible or require upgrading.
         </para>
       </listitem>
       <listitem>
@@ -1492,7 +1492,7 @@ $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
           option is (<literal>/var/db/postgresql</literal>) and then
           explicitly set this value to maintain compatibility:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.postgresql.dataDir = &quot;/var/db/postgresql&quot;;
 }
@@ -1587,7 +1587,7 @@ CREATE ROLE postgres LOGIN SUPERUSER;
       <listitem>
         <para>
           The <literal>security.rngd</literal> service is now disabled
-          by default. This choice was made because there's krngd in the
+          by default. This choice was made because there’s krngd in the
           linux kernel space making it (for most usecases) functionally
           redundent.
         </para>
@@ -1609,13 +1609,13 @@ CREATE ROLE postgres LOGIN SUPERUSER;
           will be EOL (end of life) within the lifetime of 20.09</link>.
         </para>
         <para>
-          It's necessary to upgrade to nextcloud19:
+          It’s necessary to upgrade to nextcloud19:
         </para>
         <itemizedlist>
           <listitem>
             <para>
               From nextcloud17, you have to upgrade to nextcloud18 first
-              as Nextcloud doesn't allow going multiple major revisions
+              as Nextcloud doesn’t allow going multiple major revisions
               forward in a single upgrade. This is possible by setting
               <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link>
               to nextcloud18.
@@ -1623,7 +1623,7 @@ CREATE ROLE postgres LOGIN SUPERUSER;
           </listitem>
           <listitem>
             <para>
-              From nextcloud18, it's possible to directly upgrade to
+              From nextcloud18, it’s possible to directly upgrade to
               nextcloud19 by setting
               <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link>
               to nextcloud19.
@@ -1685,7 +1685,7 @@ CREATE ROLE postgres LOGIN SUPERUSER;
       <listitem>
         <para>
           The notmuch package moves its emacs-related binaries and emacs
-          lisp files to a separate output. They're not part of the
+          lisp files to a separate output. They’re not part of the
           default <literal>out</literal> output anymore - if you relied
           on the <literal>notmuch-emacs-mua</literal> binary or the
           emacs lisp files, access them via the
@@ -1736,11 +1736,11 @@ CREATE ROLE postgres LOGIN SUPERUSER;
       </listitem>
       <listitem>
         <para>
-          The cc- and binutils-wrapper's &quot;infix salt&quot; and
+          The cc- and binutils-wrapper’s <quote>infix salt</quote> and
           <literal>_BUILD_</literal> and <literal>_TARGET_</literal>
-          user infixes have been replaced with with a &quot;suffix
-          salt&quot; and suffixes and <literal>_FOR_BUILD</literal> and
-          <literal>_FOR_TARGET</literal>. This matches the autotools
+          user infixes have been replaced with with a <quote>suffix
+          salt</quote> and suffixes and <literal>_FOR_BUILD</literal>
+          and <literal>_FOR_TARGET</literal>. This matches the autotools
           convention for env vars which standard for these things,
           making interfacing with other tools easier.
         </para>
@@ -1774,8 +1774,8 @@ CREATE ROLE postgres LOGIN SUPERUSER;
           <literal>network-link-*</literal> units, which have been
           removed. Bringing the interface up has been moved to the
           beginning of the <literal>network-addresses-*</literal> unit.
-          Note this doesn't require <literal>systemd-networkd</literal>
-          - it's udev that parses <literal>.link</literal> files. Extra
+          Note this doesn’t require <literal>systemd-networkd</literal>
+          - it’s udev that parses <literal>.link</literal> files. Extra
           care needs to be taken in the presence of
           <link xlink:href="https://wiki.debian.org/NetworkInterfaceNames#THE_.22PERSISTENT_NAMES.22_SCHEME">legacy
           udev rules</link> to rename interfaces, as MAC Address and MTU
@@ -1825,7 +1825,7 @@ CREATE ROLE postgres LOGIN SUPERUSER;
           you must include those directories into the
           <literal>BindPaths</literal> of the service:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   systemd.services.transmission.serviceConfig.BindPaths = [ &quot;/path/to/alternative/download-dir&quot; ];
 }
@@ -1835,7 +1835,7 @@ CREATE ROLE postgres LOGIN SUPERUSER;
           <literal>transmission-daemon</literal> is now only available
           on the local network interface by default. Use:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.transmission.settings.rpc-bind-address = &quot;0.0.0.0&quot;;
 }
@@ -1850,7 +1850,7 @@ CREATE ROLE postgres LOGIN SUPERUSER;
           With this release <literal>systemd-networkd</literal> (when
           enabled through
           <link xlink:href="options.html#opt-networking.useNetworkd">networking.useNetworkd</link>)
-          has it's netlink socket created through a
+          has it’s netlink socket created through a
           <literal>systemd.socket</literal> unit. This gives us control
           over socket buffer sizes and other parameters. For larger
           setups where networkd has to create a lot of (virtual) devices
@@ -1873,7 +1873,7 @@ CREATE ROLE postgres LOGIN SUPERUSER;
         </para>
         <para>
           Since the actual memory requirements depend on hardware,
-          timing, exact configurations etc. it isn't currently possible
+          timing, exact configurations etc. it isn’t currently possible
           to infer a good default from within the NixOS module system.
           Administrators are advised to monitor the logs of
           <literal>systemd-networkd</literal> for
@@ -1882,7 +1882,7 @@ CREATE ROLE postgres LOGIN SUPERUSER;
         </para>
         <para>
           Note: Increasing the <literal>ReceiveBufferSize=</literal>
-          doesn't allocate any memory. It just increases the upper bound
+          doesn’t allocate any memory. It just increases the upper bound
           on the kernel side. The memory allocation depends on the
           amount of messages that are queued on the kernel side of the
           netlink socket.
@@ -1900,7 +1900,7 @@ CREATE ROLE postgres LOGIN SUPERUSER;
         <para>
           This means that a configuration like this
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.dovecot2.mailboxes = [
     { name = &quot;Junk&quot;;
@@ -1912,7 +1912,7 @@ CREATE ROLE postgres LOGIN SUPERUSER;
         <para>
           should now look like this:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.dovecot2.mailboxes = {
     Junk.auto = &quot;create&quot;;
@@ -1934,8 +1934,8 @@ CREATE ROLE postgres LOGIN SUPERUSER;
         </para>
         <para>
           If you have an existing installation, please make sure that
-          you're on nextcloud18 before upgrading to nextcloud19 since
-          Nextcloud doesn't support upgrades across multiple major
+          you’re on nextcloud18 before upgrading to nextcloud19 since
+          Nextcloud doesn’t support upgrades across multiple major
           versions.
         </para>
       </listitem>
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml
index 3477f29f42816..868c1709879d2 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml
@@ -235,9 +235,9 @@
         <para>
           The <literal>networking.wireless.iwd</literal> module now
           installs the upstream-provided 80-iwd.link file, which sets
-          the NamePolicy= for all wlan devices to &quot;keep
-          kernel&quot;, to avoid race conditions between iwd and
-          networkd. If you don't want this, you can set
+          the NamePolicy= for all wlan devices to <quote>keep
+          kernel</quote>, to avoid race conditions between iwd and
+          networkd. If you don’t want this, you can set
           <literal>systemd.network.links.&quot;80-iwd&quot; = lib.mkForce {}</literal>.
         </para>
       </listitem>
@@ -245,7 +245,7 @@
         <para>
           <literal>rubyMinimal</literal> was removed due to being unused
           and unusable. The default ruby interpreter includes JIT
-          support, which makes it reference it's compiler. Since JIT
+          support, which makes it reference it’s compiler. Since JIT
           support is probably needed by some Gems, it was decided to
           enable this feature with all cc references by default, and
           allow to build a Ruby derivation without references to cc, by
@@ -330,7 +330,7 @@
           <literal>mediatomb</literal> package. If you want to keep the
           old behavior, you must declare it with:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.mediatomb.package = pkgs.mediatomb;
 }
@@ -341,7 +341,7 @@
           service declaration to add the firewall rules itself before,
           you should now declare it with:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.mediatomb.openFirewall = true;
 }
@@ -368,7 +368,7 @@
           <link xlink:href="options.html#opt-services.uwsgi.capabilities">services.uwsgi.capabilities</link>.
           The previous behaviour can be restored by setting:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.uwsgi.user = &quot;root&quot;;
   services.uwsgi.group = &quot;root&quot;;
@@ -427,7 +427,7 @@
         <para>
           <link xlink:href="options.html#opt-networking.wireguard.interfaces">networking.wireguard.interfaces.&lt;name&gt;.generatePrivateKeyFile</link>,
           which is off by default, had a <literal>chmod</literal> race
-          condition fixed. As an aside, the parent directory's
+          condition fixed. As an aside, the parent directory’s
           permissions were widened, and the key files were made
           owner-writable. This only affects newly created keys. However,
           if the exact permissions are important for your setup, read
@@ -527,7 +527,7 @@ $ slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
             this directory are guarded to only run if the files they
             want to manipulate do not already exist, and so will not
             re-apply their changes if the IMDS response changes.
-            Examples: <literal>root</literal>'s SSH key is only added if
+            Examples: <literal>root</literal>’s SSH key is only added if
             <literal>/root/.ssh/authorized_keys</literal> does not
             exist, and SSH host keys are only set from user data if they
             do not exist in <literal>/etc/ssh</literal>.
@@ -550,9 +550,9 @@ $ slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
           configures Privoxy, and the
           <literal>services.tor.client.privoxy.enable</literal> option
           has been removed. To enable Privoxy, and to configure it to
-          use Tor's faster port, use the following configuration:
+          use Tor’s faster port, use the following configuration:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   opt-services.privoxy.enable = true;
   opt-services.privoxy.enableTor = true;
@@ -628,7 +628,7 @@ $ slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
           exporter no longer accepts a fixed command-line parameter to
           specify the URL of the endpoint serving JSON. It now expects
           this URL to be passed as an URL parameter, when scraping the
-          exporter's <literal>/probe</literal> endpoint. In the
+          exporter’s <literal>/probe</literal> endpoint. In the
           prometheus scrape configuration the scrape target might look
           like this:
         </para>
@@ -689,7 +689,7 @@ http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/e
           <literal>mpich</literal> instead of the default
           <literal>openmpi</literal> can now be achived like this:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 self: super:
 {
   mpi = super.mpich;
@@ -790,7 +790,7 @@ self: super:
           for any device that the kernel recognises as an hardware RNG,
           as it will automatically run the krngd task to periodically
           collect random data from the device and mix it into the
-          kernel's RNG.
+          kernel’s RNG.
         </para>
         <para>
           The default SMTP port for GitLab has been changed to
@@ -850,7 +850,7 @@ self: super:
           kodiPackages.inputstream-adaptive and kodiPackages.vfs-sftp
           addons:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   environment.systemPackages = [
     pkgs.kodi
@@ -867,7 +867,7 @@ self: super:
           and as a result the above configuration should now be written
           as:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   environment.systemPackages = [
     (pkgs.kodi.withPackages (p: with p; [
@@ -893,7 +893,7 @@ self: super:
           <literal>services.minio.dataDir</literal> changed type to a
           list of paths, required for specifiyng multiple data
           directories for using with erasure coding. Currently, the
-          service doesn't enforce nor checks the correct number of paths
+          service doesn’t enforce nor checks the correct number of paths
           to correspond to minio requirements.
         </para>
       </listitem>
@@ -910,7 +910,7 @@ self: super:
           <literal>dvorak-programmer</literal> in
           <literal>console.keyMap</literal> now instead of
           <literal>dvp</literal>. In
-          <literal>services.xserver.xkbVariant</literal> it's still
+          <literal>services.xserver.xkbVariant</literal> it’s still
           <literal>dvp</literal>.
         </para>
       </listitem>
@@ -954,7 +954,7 @@ self: super:
           supported.
         </para>
         <para>
-          Furthermore, Radicale's systemd unit was hardened which might
+          Furthermore, Radicale’s systemd unit was hardened which might
           break some deployments. In particular, a non-default
           <literal>filesystem_folder</literal> has to be added to
           <literal>systemd.services.radicale.serviceConfig.ReadWritePaths</literal>
@@ -991,7 +991,7 @@ self: super:
       <listitem>
         <para>
           <link xlink:href="https://www.gnuradio.org/">GNURadio</link>
-          has a <literal>pkgs</literal> attribute set, and there's a
+          has a <literal>pkgs</literal> attribute set, and there’s a
           <literal>gnuradio.callPackage</literal> function that extends
           <literal>pkgs</literal> with a
           <literal>mkDerivation</literal>, and a
@@ -1027,7 +1027,7 @@ self: super:
       <listitem>
         <para>
           <link xlink:href="https://kodi.tv/">Kodi</link> has been
-          updated to version 19.1 &quot;Matrix&quot;. See the
+          updated to version 19.1 <quote>Matrix</quote>. See the
           <link xlink:href="https://kodi.tv/article/kodi-19-0-matrix-release">announcement</link>
           for further details.
         </para>
@@ -1098,9 +1098,9 @@ self: super:
       <listitem>
         <para>
           The default-version of <literal>nextcloud</literal> is
-          nextcloud21. Please note that it's <emphasis>not</emphasis>
+          nextcloud21. Please note that it’s <emphasis>not</emphasis>
           possible to upgrade <literal>nextcloud</literal> across
-          multiple major versions! This means that it's e.g. not
+          multiple major versions! This means that it’s e.g. not
           possible to upgrade from nextcloud18 to nextcloud20 in a
           single deploy and most <literal>20.09</literal> users will
           have to upgrade to nextcloud20 first.
@@ -1122,7 +1122,7 @@ self: super:
       </listitem>
       <listitem>
         <para>
-          NixOS now emits a deprecation warning if systemd's
+          NixOS now emits a deprecation warning if systemd’s
           <literal>StartLimitInterval</literal> setting is used in a
           <literal>serviceConfig</literal> section instead of in a
           <literal>unitConfig</literal>; that setting is deprecated and
@@ -1158,7 +1158,7 @@ self: super:
           users to declare autoscan media directories from their nixos
           configuration:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.mediatomb.mediaDirectories = [
     { path = &quot;/var/lib/mediatomb/pictures&quot;; recursive = false; hidden-files = false; }
@@ -1255,8 +1255,8 @@ self: super:
       <listitem>
         <para>
           The <literal>services.dnscrypt-proxy2</literal> module now
-          takes the upstream's example configuration and updates it with
-          the user's settings. An option has been added to restore the
+          takes the upstream’s example configuration and updates it with
+          the user’s settings. An option has been added to restore the
           old behaviour if you prefer to declare the configuration from
           scratch.
         </para>
@@ -1298,7 +1298,8 @@ self: super:
         <para>
           The zookeeper package does not provide
           <literal>zooInspector.sh</literal> anymore, as that
-          &quot;contrib&quot; has been dropped from upstream releases.
+          <quote>contrib</quote> has been dropped from upstream
+          releases.
         </para>
       </listitem>
       <listitem>
@@ -1317,7 +1318,7 @@ self: super:
           now always ensures home directory permissions to be
           <literal>0700</literal>. Permissions had previously been
           ignored for already existing home directories, possibly
-          leaving them readable by others. The option's description was
+          leaving them readable by others. The option’s description was
           incorrect regarding ownership management and has been
           simplified greatly.
         </para>
@@ -1518,7 +1519,7 @@ self: super:
           been dropped. Users that still want it should add the
           following to their system configuration:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.gvfs.package = pkgs.gvfs.override { samba = null; };
 }
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
index 9b6e755fd470d..48a717916535e 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -642,7 +642,7 @@
             </para>
           </listitem>
         </itemizedlist>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.paperless-ng.extraConfig = {
     # Provide languages as ISO 639-2 codes
@@ -723,7 +723,7 @@ Superuser created successfully.
       </listitem>
       <listitem>
         <para>
-          The <literal>erigon</literal> ethereum node has moved it’s
+          The <literal>erigon</literal> ethereum node has moved its
           database location in <literal>2021-08-03</literal>, users
           upgrading must manually move their chaindata (see
           <link xlink:href="https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03">release
@@ -737,7 +737,7 @@ Superuser created successfully.
           insecure. Out-of-tree modules are likely to require
           adaptation: instead of
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   users.users.foo = {
     isSystemUser = true;
@@ -747,7 +747,7 @@ Superuser created successfully.
         <para>
           also create a group for your user:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   users.users.foo = {
     isSystemUser = true;
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index c43757a9a057e..457bb46137f5f 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -714,7 +714,7 @@
           <literal>programs.msmtp.*</literal> can be used instead for an
           equivalent setup. For example:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   # Original ssmtp configuration:
   services.ssmtp = {
@@ -847,7 +847,7 @@
           <literal>config.nixpkgs.config.allowUnfree</literal> are
           enabled. If you still want these fonts, use:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   fonts.fonts = [
     pkgs.xorg.fontbhlucidatypewriter100dpi
@@ -942,7 +942,7 @@
         <para>
           Before:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.matrix-synapse = {
     enable = true;
@@ -977,7 +977,7 @@
         <para>
           After:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
 {
   services.matrix-synapse = {
     enable = true;
@@ -1143,7 +1143,7 @@
         <para>
           Before:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
   services.keycloak = {
     enable = true;
     httpPort = &quot;8080&quot;;
@@ -1157,7 +1157,7 @@
         <para>
           After:
         </para>
-        <programlisting language="bash">
+        <programlisting language="nix">
   services.keycloak = {
     enable = true;
     settings = {
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
index f7168d5ea17ea..2d7226caa5b56 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@@ -1082,7 +1082,7 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
               removed. This option was an association of environment
               variables for Grafana. If you had an expression like
             </para>
-            <programlisting language="bash">
+            <programlisting language="nix">
 {
   services.grafana.extraOptions.SECURITY_ADMIN_USER = &quot;foobar&quot;;
 }
@@ -1096,7 +1096,7 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
               For the migration, it is recommended to turn it into the
               INI format, i.e. to declare
             </para>
-            <programlisting language="bash">
+            <programlisting language="nix">
 {
   services.grafana.settings.security.admin_user = &quot;foobar&quot;;
 }
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
index c05caa122b149..ea3be31a20606 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@@ -25,6 +25,13 @@
     <itemizedlist>
       <listitem>
         <para>
+          <link xlink:href="https://akkoma.social">Akkoma</link>, an
+          ActivityPub microblogging server. Available as
+          <link xlink:href="options.html#opt-services.akkoma.enable">services.akkoma</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           <link xlink:href="https://github.com/akinomyoga/ble.sh">blesh</link>,
           a line editor written in pure bash. Available as
           <link linkend="opt-programs.bash.blesh.enable">programs.bash.blesh</link>.
@@ -32,6 +39,22 @@
       </listitem>
       <listitem>
         <para>
+          <link xlink:href="https://github.com/adnanh/webhook">webhook</link>,
+          a lightweight webhook server. Available as
+          <link linkend="opt-services.webhook.enable">services.webhook</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/alexivkin/CUPS-PDF-to-PDF">cups-pdf-to-pdf</link>,
+          a pdf-generating cups backend based on
+          <link xlink:href="https://www.cups-pdf.de/">cups-pdf</link>.
+          Available as
+          <link linkend="opt-services.printing.cups-pdf.enable">services.printing.cups-pdf</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           <link xlink:href="https://github.com/junegunn/fzf">fzf</link>,
           a command line fuzzyfinder. Available as
           <link linkend="opt-programs.fzf.fuzzyCompletion">programs.fzf</link>.
@@ -60,6 +83,14 @@
           <link xlink:href="options.html#opt-services.v2raya.enable">services.v2raya</link>.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://www.netfilter.org/projects/ulogd/index.html">ulogd</link>,
+          a userspace logging daemon for netfilter/iptables related
+          logging. Available as
+          <link xlink:href="options.html#opt-services.ulogd.enable">services.ulogd</link>.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-23.05-incompatibilities">
@@ -341,6 +372,14 @@
       </listitem>
       <listitem>
         <para>
+          <literal>services.grafana</literal> listens only on localhost
+          by default again. This was changed to upstreams default of
+          <literal>0.0.0.0</literal> by accident in the freeform setting
+          conversion.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           A new <literal>virtualisation.rosetta</literal> module was
           added to allow running <literal>x86_64</literal> binaries
           through
@@ -369,6 +408,29 @@
       </listitem>
       <listitem>
         <para>
+          A new option <literal>recommendedBrotliSettings</literal> has
+          been added to <literal>services.nginx</literal>. Learn more
+          about compression in Brotli format
+          <link xlink:href="https://github.com/google/ngx_brotli/blob/master/README.md">here</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://garagehq.deuxfleurs.fr/">Garage</link>
+          version is based on
+          <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>,
+          existing installations will keep using version 0.7. New
+          installations will use version 0.8. In order to upgrade a
+          Garage cluster, please follow
+          <link xlink:href="https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/">upstream
+          instructions</link> and force
+          <link xlink:href="options.html#opt-services.garage.package">services.garage.package</link>
+          or upgrade accordingly
+          <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           Resilio sync secret keys can now be provided using a secrets
           file at runtime, preventing these secrets from ending up in
           the Nix store.
diff --git a/nixos/doc/manual/installation/changing-config.chapter.md b/nixos/doc/manual/installation/changing-config.chapter.md
index 8a404f085d7cf..11b49ccb1f671 100644
--- a/nixos/doc/manual/installation/changing-config.chapter.md
+++ b/nixos/doc/manual/installation/changing-config.chapter.md
@@ -13,7 +13,7 @@ booting, and try to realise the configuration in the running system
 (e.g., by restarting system services).
 
 ::: {.warning}
-This command doesn\'t start/stop [user services](#opt-systemd.user.services)
+This command doesn't start/stop [user services](#opt-systemd.user.services)
 automatically. `nixos-rebuild` only runs a `daemon-reload` for each user with running
 user services.
 :::
@@ -51,7 +51,7 @@ GRUB 2 boot screen by giving it a different *profile name*, e.g.
 ```
 
 which causes the new configuration (and previous ones created using
-`-p test`) to show up in the GRUB submenu "NixOS - Profile \'test\'".
+`-p test`) to show up in the GRUB submenu "NixOS - Profile 'test'".
 This can be useful to separate test configurations from "stable"
 configurations.
 
diff --git a/nixos/doc/manual/installation/installing-from-other-distro.section.md b/nixos/doc/manual/installation/installing-from-other-distro.section.md
index 36ef29d446398..921592fe53573 100644
--- a/nixos/doc/manual/installation/installing-from-other-distro.section.md
+++ b/nixos/doc/manual/installation/installing-from-other-distro.section.md
@@ -30,7 +30,7 @@ The first steps to all these are the same:
 
 1.  Switch to the NixOS channel:
 
-    If you\'ve just installed Nix on a non-NixOS distribution, you will
+    If you've just installed Nix on a non-NixOS distribution, you will
     be on the `nixpkgs` channel by default.
 
     ```ShellSession
@@ -49,10 +49,10 @@ The first steps to all these are the same:
 
 1.  Install the NixOS installation tools:
 
-    You\'ll need `nixos-generate-config` and `nixos-install`, but this
+    You'll need `nixos-generate-config` and `nixos-install`, but this
     also makes some man pages and `nixos-enter` available, just in case
     you want to chroot into your NixOS partition. NixOS installs these
-    by default, but you don\'t have NixOS yet..
+    by default, but you don't have NixOS yet..
 
     ```ShellSession
     $ nix-env -f '<nixpkgs>' -iA nixos-install-tools
@@ -70,7 +70,7 @@ The first steps to all these are the same:
     refer to the partitioning, file-system creation, and mounting steps
     of [](#sec-installation)
 
-    If you\'re about to install NixOS in place using `NIXOS_LUSTRATE`
+    If you're about to install NixOS in place using `NIXOS_LUSTRATE`
     there is nothing to do for this step.
 
 1.  Generate your NixOS configuration:
@@ -79,12 +79,12 @@ The first steps to all these are the same:
     $ sudo `which nixos-generate-config` --root /mnt
     ```
 
-    You\'ll probably want to edit the configuration files. Refer to the
+    You'll probably want to edit the configuration files. Refer to the
     `nixos-generate-config` step in [](#sec-installation) for more
     information.
 
     Consider setting up the NixOS bootloader to give you the ability to
-    boot on your existing Linux partition. For instance, if you\'re
+    boot on your existing Linux partition. For instance, if you're
     using GRUB and your existing distribution is running Ubuntu, you may
     want to add something like this to your `configuration.nix`:
 
@@ -152,15 +152,15 @@ The first steps to all these are the same:
     ```
 
     Note that this will place the generated configuration files in
-    `/etc/nixos`. You\'ll probably want to edit the configuration files.
+    `/etc/nixos`. You'll probably want to edit the configuration files.
     Refer to the `nixos-generate-config` step in
     [](#sec-installation) for more information.
 
-    You\'ll likely want to set a root password for your first boot using
-    the configuration files because you won\'t have a chance to enter a
+    You'll likely want to set a root password for your first boot using
+    the configuration files because you won't have a chance to enter a
     password until after you reboot. You can initialize the root password
-    to an empty one with this line: (and of course don\'t forget to set
-    one once you\'ve rebooted or to lock the account with
+    to an empty one with this line: (and of course don't forget to set
+    one once you've rebooted or to lock the account with
     `sudo passwd -l root` if you use `sudo`)
 
     ```nix
@@ -186,7 +186,7 @@ The first steps to all these are the same:
     bootup scripts require its presence).
 
     `/etc/NIXOS_LUSTRATE` tells the NixOS bootup scripts to move
-    *everything* that\'s in the root partition to `/old-root`. This will
+    *everything* that's in the root partition to `/old-root`. This will
     move your existing distribution out of the way in the very early
     stages of the NixOS bootup. There are exceptions (we do need to keep
     NixOS there after all), so the NixOS lustrate process will not
@@ -201,10 +201,10 @@ The first steps to all these are the same:
 
     ::: {.note}
     Support for `NIXOS_LUSTRATE` was added in NixOS 16.09. The act of
-    \"lustrating\" refers to the wiping of the existing distribution.
+    "lustrating" refers to the wiping of the existing distribution.
     Creating `/etc/NIXOS_LUSTRATE` can also be used on NixOS to remove
-    all mutable files from your root partition (anything that\'s not in
-    `/nix` or `/boot` gets \"lustrated\" on the next boot.
+    all mutable files from your root partition (anything that's not in
+    `/nix` or `/boot` gets "lustrated" on the next boot.
 
     lustrate /ˈlʌstreɪt/ verb.
 
@@ -212,14 +212,14 @@ The first steps to all these are the same:
     ritual action.
     :::
 
-    Let\'s create the files:
+    Let's create the files:
 
     ```ShellSession
     $ sudo touch /etc/NIXOS
     $ sudo touch /etc/NIXOS_LUSTRATE
     ```
 
-    Let\'s also make sure the NixOS configuration files are kept once we
+    Let's also make sure the NixOS configuration files are kept once we
     reboot on NixOS:
 
     ```ShellSession
@@ -233,7 +233,7 @@ The first steps to all these are the same:
 
     ::: {.warning}
     Once you complete this step, your current distribution will no
-    longer be bootable! If you didn\'t get all the NixOS configuration
+    longer be bootable! If you didn't get all the NixOS configuration
     right, especially those settings pertaining to boot loading and root
     partition, NixOS may not be bootable either. Have a USB rescue
     device ready in case this happens.
@@ -247,7 +247,7 @@ The first steps to all these are the same:
     Cross your fingers, reboot, hopefully you should get a NixOS prompt!
 
 1.  If for some reason you want to revert to the old distribution,
-    you\'ll need to boot on a USB rescue disk and do something along
+    you'll need to boot on a USB rescue disk and do something along
     these lines:
 
     ```ShellSession
@@ -264,14 +264,14 @@ The first steps to all these are the same:
     This may work as is or you might also need to reinstall the boot
     loader.
 
-    And of course, if you\'re happy with NixOS and no longer need the
+    And of course, if you're happy with NixOS and no longer need the
     old distribution:
 
     ```ShellSession
     sudo rm -rf /old-root
     ```
 
-1.  It\'s also worth noting that this whole process can be automated.
+1.  It's also worth noting that this whole process can be automated.
     This is especially useful for Cloud VMs, where provider do not
     provide NixOS. For instance,
     [nixos-infect](https://github.com/elitak/nixos-infect) uses the
diff --git a/nixos/doc/manual/installation/installing-kexec.section.md b/nixos/doc/manual/installation/installing-kexec.section.md
index 286cbbda6a69e..61d8e8e5999b9 100644
--- a/nixos/doc/manual/installation/installing-kexec.section.md
+++ b/nixos/doc/manual/installation/installing-kexec.section.md
@@ -30,7 +30,7 @@ This will create a `result` directory containing the following:
 These three files are meant to be copied over to the other already running
 Linux Distribution.
 
-Note it's symlinks pointing elsewhere, so `cd` in, and use
+Note its symlinks pointing elsewhere, so `cd` in, and use
 `scp * root@$destination` to copy it over, rather than rsync.
 
 Once you finished copying, execute `kexec-boot` *on the destination*, and after
diff --git a/nixos/doc/manual/installation/installing-usb.section.md b/nixos/doc/manual/installation/installing-usb.section.md
index da32935a7a108..adfe22ea2f00e 100644
--- a/nixos/doc/manual/installation/installing-usb.section.md
+++ b/nixos/doc/manual/installation/installing-usb.section.md
@@ -56,12 +56,12 @@ select the image, select the USB flash drive and click "Write".
   sudo dd if=<path-to-image> of=/dev/rdiskX bs=4m
   ```
 
-  After `dd` completes, a GUI dialog \"The disk
-  you inserted was not readable by this computer\" will pop up, which can
+  After `dd` completes, a GUI dialog "The disk
+  you inserted was not readable by this computer" will pop up, which can
   be ignored.
 
   ::: {.note}
-  Using the \'raw\' `rdiskX` device instead of `diskX` with dd completes in
+  Using the 'raw' `rdiskX` device instead of `diskX` with dd completes in
   minutes instead of hours.
   :::
 
diff --git a/nixos/doc/manual/installation/installing-virtualbox-guest.section.md b/nixos/doc/manual/installation/installing-virtualbox-guest.section.md
index c3bbfe12152ed..004838e586be6 100644
--- a/nixos/doc/manual/installation/installing-virtualbox-guest.section.md
+++ b/nixos/doc/manual/installation/installing-virtualbox-guest.section.md
@@ -6,7 +6,7 @@ use a pre-made VirtualBox appliance, it is available at [the downloads
 page](https://nixos.org/nixos/download.html). If you want to set up a
 VirtualBox guest manually, follow these instructions:
 
-1.  Add a New Machine in VirtualBox with OS Type \"Linux / Other Linux\"
+1.  Add a New Machine in VirtualBox with OS Type "Linux / Other Linux"
 
 1.  Base Memory Size: 768 MB or higher.
 
@@ -16,7 +16,7 @@ VirtualBox guest manually, follow these instructions:
 
 1.  Click on Settings / System / Processor and enable PAE/NX
 
-1.  Click on Settings / System / Acceleration and enable \"VT-x/AMD-V\"
+1.  Click on Settings / System / Acceleration and enable "VT-x/AMD-V"
     acceleration
 
 1.  Click on Settings / Display / Screen and select VMSVGA as Graphics
@@ -41,7 +41,7 @@ boot.initrd.checkJournalingFS = false;
 
 Shared folders can be given a name and a path in the host system in the
 VirtualBox settings (Machine / Settings / Shared Folders, then click on
-the \"Add\" icon). Add the following to the
+the "Add" icon). Add the following to the
 `/etc/nixos/configuration.nix` to auto-mount them. If you do not add
 `"nofail"`, the system will not boot properly.
 
diff --git a/nixos/doc/manual/installation/installing.chapter.md b/nixos/doc/manual/installation/installing.chapter.md
index 04bc7b1f20725..ac7cf5a7bfc59 100644
--- a/nixos/doc/manual/installation/installing.chapter.md
+++ b/nixos/doc/manual/installation/installing.chapter.md
@@ -230,11 +230,11 @@ The recommended partition scheme differs depending if the computer uses
 #### UEFI (GPT) {#sec-installation-manual-partitioning-UEFI}
 []{#sec-installation-partitioning-UEFI} <!-- legacy anchor -->
 
-Here\'s an example partition scheme for UEFI, using `/dev/sda` as the
+Here's an example partition scheme for UEFI, using `/dev/sda` as the
 device.
 
 ::: {.note}
-You can safely ignore `parted`\'s informational message about needing to
+You can safely ignore `parted`'s informational message about needing to
 update /etc/fstab.
 :::
 
@@ -279,11 +279,11 @@ Once complete, you can follow with
 #### Legacy Boot (MBR) {#sec-installation-manual-partitioning-MBR}
 []{#sec-installation-partitioning-MBR} <!-- legacy anchor -->
 
-Here\'s an example partition scheme for Legacy Boot, using `/dev/sda` as
+Here's an example partition scheme for Legacy Boot, using `/dev/sda` as
 the device.
 
 ::: {.note}
-You can safely ignore `parted`\'s informational message about needing to
+You can safely ignore `parted`'s informational message about needing to
 update /etc/fstab.
 :::
 
diff --git a/nixos/doc/manual/md-to-db.sh b/nixos/doc/manual/md-to-db.sh
index beb0ff9f70828..6eca9f3b2c3d8 100755
--- a/nixos/doc/manual/md-to-db.sh
+++ b/nixos/doc/manual/md-to-db.sh
@@ -1,5 +1,5 @@
 #! /usr/bin/env nix-shell
-#! nix-shell -I nixpkgs=https://github.com/NixOS/nixpkgs/tarball/21.11 -i bash -p pandoc
+#! nix-shell -I nixpkgs=https://github.com/NixOS/nixpkgs/tarball/22.11 -i bash -p pandoc
 
 # This script is temporarily needed while we transition the manual to
 # CommonMark. It converts the .md files in the regular manual folder
diff --git a/nixos/doc/manual/release-notes/rl-1509.section.md b/nixos/doc/manual/release-notes/rl-1509.section.md
index 55804ddb988ae..1422ae4c299cd 100644
--- a/nixos/doc/manual/release-notes/rl-1509.section.md
+++ b/nixos/doc/manual/release-notes/rl-1509.section.md
@@ -2,7 +2,7 @@
 
 In addition to numerous new and upgraded packages, this release has the following highlights:
 
-- The [Haskell](http://haskell.org/) packages infrastructure has been re-designed from the ground up (\"Haskell NG\"). NixOS now distributes the latest version of every single package registered on [Hackage](http://hackage.haskell.org/) \-- well in excess of 8,000 Haskell packages. Detailed instructions on how to use that infrastructure can be found in the [User\'s Guide to the Haskell Infrastructure](https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure). Users migrating from an earlier release may find helpful information below, in the list of backwards-incompatible changes. Furthermore, we distribute 51(!) additional Haskell package sets that provide every single [LTS Haskell](http://www.stackage.org/) release since version 0.0 as well as the most recent [Stackage Nightly](http://www.stackage.org/) snapshot. The announcement [\"Full Stackage Support in Nixpkgs\"](https://nixos.org/nix-dev/2015-September/018138.html) gives additional details.
+- The [Haskell](http://haskell.org/) packages infrastructure has been re-designed from the ground up ("Haskell NG"). NixOS now distributes the latest version of every single package registered on [Hackage](http://hackage.haskell.org/) \-- well in excess of 8,000 Haskell packages. Detailed instructions on how to use that infrastructure can be found in the [User's Guide to the Haskell Infrastructure](https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure). Users migrating from an earlier release may find helpful information below, in the list of backwards-incompatible changes. Furthermore, we distribute 51(!) additional Haskell package sets that provide every single [LTS Haskell](http://www.stackage.org/) release since version 0.0 as well as the most recent [Stackage Nightly](http://www.stackage.org/) snapshot. The announcement ["Full Stackage Support in Nixpkgs"](https://nixos.org/nix-dev/2015-September/018138.html) gives additional details.
 
 - Nix has been updated to version 1.10, which among other improvements enables cryptographic signatures on binary caches for improved security.
 
@@ -178,7 +178,7 @@ The new option `system.stateVersion` ensures that certain configuration changes
 
 - Nix now requires binary caches to be cryptographically signed. If you have unsigned binary caches that you want to continue to use, you should set `nix.requireSignedBinaryCaches = false`.
 
-- Steam now doesn\'t need root rights to work. Instead of using `*-steam-chrootenv`, you should now just run `steam`. `steamChrootEnv` package was renamed to `steam`, and old `steam` package \-- to `steamOriginal`.
+- Steam now doesn't need root rights to work. Instead of using `*-steam-chrootenv`, you should now just run `steam`. `steamChrootEnv` package was renamed to `steam`, and old `steam` package \-- to `steamOriginal`.
 
 - CMPlayer has been renamed to bomi upstream. Package `cmplayer` was accordingly renamed to `bomi`
 
@@ -203,7 +203,7 @@ The new option `system.stateVersion` ensures that certain configuration changes
 }
 ```
 
-- \"`nix-env -qa`\" no longer discovers Haskell packages by name. The only packages visible in the global scope are `ghc`, `cabal-install`, and `stack`, but all other packages are hidden. The reason for this inconvenience is the sheer size of the Haskell package set. Name-based lookups are expensive, and most `nix-env -qa` operations would become much slower if we\'d add the entire Hackage database into the top level attribute set. Instead, the list of Haskell packages can be displayed by running:
+- "`nix-env -qa`" no longer discovers Haskell packages by name. The only packages visible in the global scope are `ghc`, `cabal-install`, and `stack`, but all other packages are hidden. The reason for this inconvenience is the sheer size of the Haskell package set. Name-based lookups are expensive, and most `nix-env -qa` operations would become much slower if we'd add the entire Hackage database into the top level attribute set. Instead, the list of Haskell packages can be displayed by running:
 
 ```ShellSession
 nix-env -f "<nixpkgs>" -qaP -A haskellPackages
@@ -217,11 +217,11 @@ nix-env -f "<nixpkgs>" -iA haskellPackages.pandoc
 
 Installing Haskell _libraries_ this way, however, is no longer supported. See the next item for more details.
 
-- Previous versions of NixOS came with a feature called `ghc-wrapper`, a small script that allowed GHC to transparently pick up on libraries installed in the user\'s profile. This feature has been deprecated; `ghc-wrapper` was removed from the distribution. The proper way to register Haskell libraries with the compiler now is the `haskellPackages.ghcWithPackages` function. The [User\'s Guide to the Haskell Infrastructure](https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure) provides more information about this subject.
+- Previous versions of NixOS came with a feature called `ghc-wrapper`, a small script that allowed GHC to transparently pick up on libraries installed in the user's profile. This feature has been deprecated; `ghc-wrapper` was removed from the distribution. The proper way to register Haskell libraries with the compiler now is the `haskellPackages.ghcWithPackages` function. The [User's Guide to the Haskell Infrastructure](https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure) provides more information about this subject.
 
 - All Haskell builds that have been generated with version 1.x of the `cabal2nix` utility are now invalid and need to be re-generated with a current version of `cabal2nix` to function. The most recent version of this tool can be installed by running `nix-env -i cabal2nix`.
 
-- The `haskellPackages` set in Nixpkgs used to have a function attribute called `extension` that users could override in their `~/.nixpkgs/config.nix` files to configure additional attributes, etc. That function still exists, but it\'s now called `overrides`.
+- The `haskellPackages` set in Nixpkgs used to have a function attribute called `extension` that users could override in their `~/.nixpkgs/config.nix` files to configure additional attributes, etc. That function still exists, but it's now called `overrides`.
 
 - The OpenBLAS library has been updated to version `0.2.14`. Support for the `x86_64-darwin` platform was added. Dynamic architecture detection was enabled; OpenBLAS now selects microarchitecture-optimized routines at runtime, so optimal performance is achieved without the need to rebuild OpenBLAS locally. OpenBLAS has replaced ATLAS in most packages which use an optimized BLAS or LAPACK implementation.
 
@@ -312,7 +312,7 @@ Other notable improvements:
 
 - The nixos and nixpkgs channels were unified, so one _can_ use `nix-env -iA nixos.bash` instead of `nix-env -iA nixos.pkgs.bash`. See [the commit](https://github.com/NixOS/nixpkgs/commit/2cd7c1f198) for details.
 
-- Users running an SSH server who worry about the quality of their `/etc/ssh/moduli` file with respect to the [vulnerabilities discovered in the Diffie-Hellman key exchange](https://stribika.github.io/2015/01/04/secure-secure-shell.html) can now replace OpenSSH\'s default version with one they generated themselves using the new `services.openssh.moduliFile` option.
+- Users running an SSH server who worry about the quality of their `/etc/ssh/moduli` file with respect to the [vulnerabilities discovered in the Diffie-Hellman key exchange](https://stribika.github.io/2015/01/04/secure-secure-shell.html) can now replace OpenSSH's default version with one they generated themselves using the new `services.openssh.moduliFile` option.
 
 - A newly packaged TeX Live 2015 is provided in `pkgs.texlive`, split into 6500 nix packages. For basic user documentation see [the source](https://github.com/NixOS/nixpkgs/blob/release-15.09/pkgs/tools/typesetting/tex/texlive/default.nix#L1). Beware of [an issue](https://github.com/NixOS/nixpkgs/issues/9757) when installing a too large package set. The plan is to deprecate and maybe delete the original TeX packages until the next release.
 
diff --git a/nixos/doc/manual/release-notes/rl-1603.section.md b/nixos/doc/manual/release-notes/rl-1603.section.md
index e4da7fd3094db..532a16f937b05 100644
--- a/nixos/doc/manual/release-notes/rl-1603.section.md
+++ b/nixos/doc/manual/release-notes/rl-1603.section.md
@@ -152,19 +152,19 @@ When upgrading from a previous release, please be aware of the following incompa
   }
   ```
 
-- `s3sync` is removed, as it hasn\'t been developed by upstream for 4 years and only runs with ruby 1.8. For an actively-developer alternative look at `tarsnap` and others.
+- `s3sync` is removed, as it hasn't been developed by upstream for 4 years and only runs with ruby 1.8. For an actively-developer alternative look at `tarsnap` and others.
 
-- `ruby_1_8` has been removed as it\'s not supported from upstream anymore and probably contains security issues.
+- `ruby_1_8` has been removed as it's not supported from upstream anymore and probably contains security issues.
 
 - `tidy-html5` package is removed. Upstream only provided `(lib)tidy5` during development, and now they went back to `(lib)tidy` to work as a drop-in replacement of the original package that has been unmaintained for years. You can (still) use the `html-tidy` package, which got updated to a stable release from this new upstream.
 
 - `extraDeviceOptions` argument is removed from `bumblebee` package. Instead there are now two separate arguments: `extraNvidiaDeviceOptions` and `extraNouveauDeviceOptions` for setting extra X11 options for nvidia and nouveau drivers, respectively.
 
-- The `Ctrl+Alt+Backspace` key combination no longer kills the X server by default. There\'s a new option `services.xserver.enableCtrlAltBackspace` allowing to enable the combination again.
+- The `Ctrl+Alt+Backspace` key combination no longer kills the X server by default. There's a new option `services.xserver.enableCtrlAltBackspace` allowing to enable the combination again.
 
 - `emacsPackagesNg` now contains all packages from the ELPA, MELPA, and MELPA Stable repositories.
 
-- Data directory for Postfix MTA server is moved from `/var/postfix` to `/var/lib/postfix`. Old configurations are migrated automatically. `service.postfix` module has also received many improvements, such as correct directories\' access rights, new `aliasFiles` and `mapFiles` options and more.
+- Data directory for Postfix MTA server is moved from `/var/postfix` to `/var/lib/postfix`. Old configurations are migrated automatically. `service.postfix` module has also received many improvements, such as correct directories' access rights, new `aliasFiles` and `mapFiles` options and more.
 
 - Filesystem options should now be configured as a list of strings, not a comma-separated string. The old style will continue to work, but print a warning, until the 16.09 release. An example of the new style:
 
@@ -180,7 +180,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - CUPS, installed by `services.printing` module, now has its data directory in `/var/lib/cups`. Old configurations from `/etc/cups` are moved there automatically, but there might be problems. Also configuration options `services.printing.cupsdConf` and `services.printing.cupsdFilesConf` were removed because they had been allowing one to override configuration variables required for CUPS to work at all on NixOS. For most use cases, `services.printing.extraConf` and new option `services.printing.extraFilesConf` should be enough; if you encounter a situation when they are not, please file a bug.
 
-  There are also Gutenprint improvements; in particular, a new option `services.printing.gutenprint` is added to enable automatic updating of Gutenprint PPMs; it\'s greatly recommended to enable it instead of adding `gutenprint` to the `drivers` list.
+  There are also Gutenprint improvements; in particular, a new option `services.printing.gutenprint` is added to enable automatic updating of Gutenprint PPMs; it's greatly recommended to enable it instead of adding `gutenprint` to the `drivers` list.
 
 - `services.xserver.vaapiDrivers` has been removed. Use `hardware.opengl.extraPackages{,32}` instead. You can also specify VDPAU drivers there.
 
@@ -202,7 +202,7 @@ When upgrading from a previous release, please be aware of the following incompa
   }
   ```
 
-- `services.udev.extraRules` option now writes rules to `99-local.rules` instead of `10-local.rules`. This makes all the user rules apply after others, so their results wouldn\'t be overridden by anything else.
+- `services.udev.extraRules` option now writes rules to `99-local.rules` instead of `10-local.rules`. This makes all the user rules apply after others, so their results wouldn't be overridden by anything else.
 
 - Large parts of the `services.gitlab` module has been been rewritten. There are new configuration options available. The `stateDir` option was renamned to `statePath` and the `satellitesDir` option was removed. Please review the currently available options.
 
@@ -246,7 +246,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
   you should either re-run `nixos-generate-config` or manually replace `"${config.boot.kernelPackages.broadcom_sta}"` by `config.boot.kernelPackages.broadcom_sta` in your `/etc/nixos/hardware-configuration.nix`. More discussion is on [ the github issue](https://github.com/NixOS/nixpkgs/pull/12595).
 
-- The `services.xserver.startGnuPGAgent` option has been removed. GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no longer requires (or even supports) the \"start everything as a child of the agent\" scheme we\'ve implemented in NixOS for older versions. To configure the gpg-agent for your X session, add the following code to `~/.bashrc` or some file that's sourced when your shell is started:
+- The `services.xserver.startGnuPGAgent` option has been removed. GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no longer requires (or even supports) the "start everything as a child of the agent" scheme we've implemented in NixOS for older versions. To configure the gpg-agent for your X session, add the following code to `~/.bashrc` or some file that's sourced when your shell is started:
 
   ```shell
   GPG_TTY=$(tty)
@@ -273,7 +273,7 @@ When upgrading from a previous release, please be aware of the following incompa
       gpg --import ~/.gnupg/secring.gpg
   ```
 
-  The `gpg-agent(1)` man page has more details about this subject, i.e. in the \"EXAMPLES\" section.
+  The `gpg-agent(1)` man page has more details about this subject, i.e. in the "EXAMPLES" section.
 
 Other notable improvements:
 
diff --git a/nixos/doc/manual/release-notes/rl-1609.section.md b/nixos/doc/manual/release-notes/rl-1609.section.md
index 075f0cf52cd1a..e9c650cf40724 100644
--- a/nixos/doc/manual/release-notes/rl-1609.section.md
+++ b/nixos/doc/manual/release-notes/rl-1609.section.md
@@ -20,7 +20,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - A large number of packages have been converted to use the multiple outputs feature of Nix to greatly reduce the amount of required disk space, as mentioned above. This may require changes to any custom packages to make them build again; see the relevant chapter in the Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions related to multiple-output packages [were changed](https://github.com/NixOS/nixpkgs/pull/14766) late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)
 
-- Previous versions of Nixpkgs had support for all versions of the LTS Haskell package set. That support has been dropped. The previously provided `haskell.packages.lts-x_y` package sets still exist in name to aviod breaking user code, but these package sets don\'t actually contain the versions mandated by the corresponding LTS release. Instead, our package set it loosely based on the latest available LTS release, i.e. LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will drop those old names entirely. [The motivation for this change](https://nixos.org/nix-dev/2016-June/020585.html) has been discussed at length on the `nix-dev` mailing list and in [Github issue \#14897](https://github.com/NixOS/nixpkgs/issues/14897). Development strategies for Haskell hackers who want to rely on Nix and NixOS have been described in [another nix-dev article](https://nixos.org/nix-dev/2016-June/020642.html).
+- Previous versions of Nixpkgs had support for all versions of the LTS Haskell package set. That support has been dropped. The previously provided `haskell.packages.lts-x_y` package sets still exist in name to aviod breaking user code, but these package sets don't actually contain the versions mandated by the corresponding LTS release. Instead, our package set it loosely based on the latest available LTS release, i.e. LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will drop those old names entirely. [The motivation for this change](https://nixos.org/nix-dev/2016-June/020585.html) has been discussed at length on the `nix-dev` mailing list and in [Github issue \#14897](https://github.com/NixOS/nixpkgs/issues/14897). Development strategies for Haskell hackers who want to rely on Nix and NixOS have been described in [another nix-dev article](https://nixos.org/nix-dev/2016-June/020642.html).
 
 - Shell aliases for systemd sub-commands [were dropped](https://github.com/NixOS/nixpkgs/pull/15598): `start`, `stop`, `restart`, `status`.
 
@@ -28,7 +28,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - `/var/empty` is now immutable. Activation script runs `chattr +i` to forbid any modifications inside the folder. See [ the pull request](https://github.com/NixOS/nixpkgs/pull/18365) for what bugs this caused.
 
-- Gitlab\'s maintainance script `gitlab-runner` was removed and split up into the more clearer `gitlab-run` and `gitlab-rake` scripts, because `gitlab-runner` is a component of Gitlab CI.
+- Gitlab's maintainance script `gitlab-runner` was removed and split up into the more clearer `gitlab-run` and `gitlab-rake` scripts, because `gitlab-runner` is a component of Gitlab CI.
 
 - `services.xserver.libinput.accelProfile` default changed from `flat` to `adaptive`, as per [ official documentation](https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79).
 
@@ -38,7 +38,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - `pkgs.linuxPackages.virtualbox` now contains only the kernel modules instead of the VirtualBox user space binaries. If you want to reference the user space binaries, you have to use the new `pkgs.virtualbox` instead.
 
-- `goPackages` was replaced with separated Go applications in appropriate `nixpkgs` categories. Each Go package uses its own dependency set. There\'s also a new `go2nix` tool introduced to generate a Go package definition from its Go source automatically.
+- `goPackages` was replaced with separated Go applications in appropriate `nixpkgs` categories. Each Go package uses its own dependency set. There's also a new `go2nix` tool introduced to generate a Go package definition from its Go source automatically.
 
 - `services.mongodb.extraConfig` configuration format was changed to YAML.
 
diff --git a/nixos/doc/manual/release-notes/rl-1703.section.md b/nixos/doc/manual/release-notes/rl-1703.section.md
index 7f424f2a6ce32..b82c41e28ca34 100644
--- a/nixos/doc/manual/release-notes/rl-1703.section.md
+++ b/nixos/doc/manual/release-notes/rl-1703.section.md
@@ -8,7 +8,7 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - This release is based on Glibc 2.25, GCC 5.4.0 and systemd 232. The default Linux kernel is 4.9 and Nix is at 1.11.8.
 
-- The default desktop environment now is KDE\'s Plasma 5. KDE 4 has been removed
+- The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed
 
 - The setuid wrapper functionality now supports setting capabilities.
 
@@ -208,7 +208,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - Two lone top-level dict dbs moved into `dictdDBs`. This affects: `dictdWordnet` which is now at `dictdDBs.wordnet` and `dictdWiktionary` which is now at `dictdDBs.wiktionary`
 
-- Parsoid service now uses YAML configuration format. `service.parsoid.interwikis` is now called `service.parsoid.wikis` and is a list of either API URLs or attribute sets as specified in parsoid\'s documentation.
+- Parsoid service now uses YAML configuration format. `service.parsoid.interwikis` is now called `service.parsoid.wikis` and is a list of either API URLs or attribute sets as specified in parsoid's documentation.
 
 - `Ntpd` was replaced by `systemd-timesyncd` as the default service to synchronize system time with a remote NTP server. The old behavior can be restored by setting `services.ntp.enable` to `true`. Upstream time servers for all NTP implementations are now configured using `networking.timeServers`.
 
@@ -260,11 +260,11 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - Autoloading connection tracking helpers is now disabled by default. This default was also changed in the Linux kernel and is considered insecure if not configured properly in your firewall. If you need connection tracking helpers (i.e. for active FTP) please enable `networking.firewall.autoLoadConntrackHelpers` and tune `networking.firewall.connectionTrackingModules` to suit your needs.
 
-- `local_recipient_maps` is not set to empty value by Postfix service. It\'s an insecure default as stated by Postfix documentation. Those who want to retain this setting need to set it via `services.postfix.extraConfig`.
+- `local_recipient_maps` is not set to empty value by Postfix service. It's an insecure default as stated by Postfix documentation. Those who want to retain this setting need to set it via `services.postfix.extraConfig`.
 
 - Iputils no longer provide ping6 and traceroute6. The functionality of these tools has been integrated into ping and traceroute respectively. To enforce an address family the new flags `-4` and `-6` have been added. One notable incompatibility is that specifying an interface (for link-local IPv6 for instance) is no longer done with the `-I` flag, but by encoding the interface into the address (`ping fe80::1%eth0`).
 
-- The socket handling of the `services.rmilter` module has been fixed and refactored. As rmilter doesn\'t support binding to more than one socket, the options `bindUnixSockets` and `bindInetSockets` have been replaced by `services.rmilter.bindSocket.*`. The default is still a unix socket in `/run/rmilter/rmilter.sock`. Refer to the options documentation for more information.
+- The socket handling of the `services.rmilter` module has been fixed and refactored. As rmilter doesn't support binding to more than one socket, the options `bindUnixSockets` and `bindInetSockets` have been replaced by `services.rmilter.bindSocket.*`. The default is still a unix socket in `/run/rmilter/rmilter.sock`. Refer to the options documentation for more information.
 
 - The `fetch*` functions no longer support md5, please use sha256 instead.
 
@@ -278,7 +278,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - Module type system have a new extensible option types feature that allow to extend certain types, such as enum, through multiple option declarations of the same option across multiple modules.
 
-- `jre` now defaults to GTK UI by default. This improves visual consistency and makes Java follow system font style, improving the situation on HighDPI displays. This has a cost of increased closure size; for server and other headless workloads it\'s recommended to use `jre_headless`.
+- `jre` now defaults to GTK UI by default. This improves visual consistency and makes Java follow system font style, improving the situation on HighDPI displays. This has a cost of increased closure size; for server and other headless workloads it's recommended to use `jre_headless`.
 
 - Python 2.6 interpreter and package set have been removed.
 
diff --git a/nixos/doc/manual/release-notes/rl-1709.section.md b/nixos/doc/manual/release-notes/rl-1709.section.md
index 970a0c2b7dd19..9f49549901bef 100644
--- a/nixos/doc/manual/release-notes/rl-1709.section.md
+++ b/nixos/doc/manual/release-notes/rl-1709.section.md
@@ -8,7 +8,7 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The user handling now keeps track of deallocated UIDs/GIDs. When a user or group is revived, this allows it to be allocated the UID/GID it had before. A consequence is that UIDs and GIDs are no longer reused.
 
-- The module option `services.xserver.xrandrHeads` now causes the first head specified in this list to be set as the primary head. Apart from that, it\'s now possible to also set additional options by using an attribute set, for example:
+- The module option `services.xserver.xrandrHeads` now causes the first head specified in this list to be set as the primary head. Apart from that, it's now possible to also set additional options by using an attribute set, for example:
 
   ```nix
   { services.xserver.xrandrHeads = [
@@ -208,7 +208,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
   - The `mysql` default `dataDir` has changed from `/var/mysql` to `/var/lib/mysql`.
 
-  - Radicale\'s default package has changed from 1.x to 2.x. Instructions to migrate can be found [ here ](http://radicale.org/1to2/). It is also possible to use the newer version by setting the `package` to `radicale2`, which is done automatically when `stateVersion` is 17.09 or higher. The `extraArgs` option has been added to allow passing the data migration arguments specified in the instructions; see the `radicale.nix` NixOS test for an example migration.
+  - Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found [ here ](http://radicale.org/1to2/). It is also possible to use the newer version by setting the `package` to `radicale2`, which is done automatically when `stateVersion` is 17.09 or higher. The `extraArgs` option has been added to allow passing the data migration arguments specified in the instructions; see the `radicale.nix` NixOS test for an example migration.
 
 - The `aiccu` package was removed. This is due to SixXS [ sunsetting](https://www.sixxs.net/main/) its IPv6 tunnel.
 
@@ -216,9 +216,9 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - Top-level `idea` package collection was renamed. All JetBrains IDEs are now at `jetbrains`.
 
-- `flexget`\'s state database cannot be upgraded to its new internal format, requiring removal of any existing `db-config.sqlite` which will be automatically recreated.
+- `flexget`'s state database cannot be upgraded to its new internal format, requiring removal of any existing `db-config.sqlite` which will be automatically recreated.
 
-- The `ipfs` service now doesn\'t ignore the `dataDir` option anymore. If you\'ve ever set this option to anything other than the default you\'ll have to either unset it (so the default gets used) or migrate the old data manually with
+- The `ipfs` service now doesn't ignore the `dataDir` option anymore. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually with
 
   ```ShellSession
   dataDir=<valueOfDataDir>
@@ -236,7 +236,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - `wvdial` package and module were removed. This is due to the project being dead and not building with openssl 1.1.
 
-- `cc-wrapper`\'s setup-hook now exports a number of environment variables corresponding to binutils binaries, (e.g. `LD`, `STRIP`, `RANLIB`, etc). This is done to prevent packages\' build systems guessing, which is harder to predict, especially when cross-compiling. However, some packages have broken due to this---their build systems either not supporting, or claiming to support without adequate testing, taking such environment variables as parameters.
+- `cc-wrapper`'s setup-hook now exports a number of environment variables corresponding to binutils binaries, (e.g. `LD`, `STRIP`, `RANLIB`, etc). This is done to prevent packages' build systems guessing, which is harder to predict, especially when cross-compiling. However, some packages have broken due to this---their build systems either not supporting, or claiming to support without adequate testing, taking such environment variables as parameters.
 
 - `services.firefox.syncserver` now runs by default as a non-root user. To accommodate this change, the default sqlite database location has also been changed. Migration should work automatically. Refer to the description of the options for more details.
 
@@ -244,7 +244,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - Touchpad support should now be enabled through `libinput` as `synaptics` is now deprecated. See the option `services.xserver.libinput.enable`.
 
-- grsecurity/PaX support has been dropped, following upstream\'s decision to cease free support. See [ upstream\'s announcement](https://grsecurity.net/passing_the_baton.php) for more information. No complete replacement for grsecurity/PaX is available presently.
+- grsecurity/PaX support has been dropped, following upstream's decision to cease free support. See [ upstream's announcement](https://grsecurity.net/passing_the_baton.php) for more information. No complete replacement for grsecurity/PaX is available presently.
 
 - `services.mysql` now has declarative configuration of databases and users with the `ensureDatabases` and `ensureUsers` options.
 
@@ -283,9 +283,9 @@ When upgrading from a previous release, please be aware of the following incompa
 
 ## Other Notable Changes {#sec-release-17.09-notable-changes}
 
-- Modules can now be disabled by using [ disabledModules](https://nixos.org/nixpkgs/manual/#sec-replace-modules), allowing another to take it\'s place. This can be used to import a set of modules from another channel while keeping the rest of the system on a stable release.
+- Modules can now be disabled by using [ disabledModules](https://nixos.org/nixpkgs/manual/#sec-replace-modules), allowing another to take it's place. This can be used to import a set of modules from another channel while keeping the rest of the system on a stable release.
 
-- Updated to FreeType 2.7.1, including a new TrueType engine. The new engine replaces the Infinality engine which was the default in NixOS. The default font rendering settings are now provided by fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults are less invasive and provide rendering that is more consistent with other systems and hopefully with each font designer\'s intent. Some system-wide configuration has been removed from the Fontconfig NixOS module where user Fontconfig settings are available.
+- Updated to FreeType 2.7.1, including a new TrueType engine. The new engine replaces the Infinality engine which was the default in NixOS. The default font rendering settings are now provided by fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults are less invasive and provide rendering that is more consistent with other systems and hopefully with each font designer's intent. Some system-wide configuration has been removed from the Fontconfig NixOS module where user Fontconfig settings are available.
 
 - ZFS/SPL have been updated to 0.7.0, `zfsUnstable, splUnstable` have therefore been removed.
 
diff --git a/nixos/doc/manual/release-notes/rl-1803.section.md b/nixos/doc/manual/release-notes/rl-1803.section.md
index c5146015d4499..681894eb13ece 100644
--- a/nixos/doc/manual/release-notes/rl-1803.section.md
+++ b/nixos/doc/manual/release-notes/rl-1803.section.md
@@ -6,7 +6,7 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - End of support is planned for end of October 2018, handing over to 18.09.
 
-- Platform support: x86_64-linux and x86_64-darwin since release time (the latter isn\'t NixOS, really). Binaries for aarch64-linux are available, but no channel exists yet, as it\'s waiting for some test fixes, etc.
+- Platform support: x86_64-linux and x86_64-darwin since release time (the latter isn't NixOS, really). Binaries for aarch64-linux are available, but no channel exists yet, as it's waiting for some test fixes, etc.
 
 - Nix now defaults to 2.0; see its [release notes](https://nixos.org/nix/manual/#ssec-relnotes-2.0).
 
@@ -176,7 +176,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - `cc-wrapper` has been split in two; there is now also a `bintools-wrapper`. The most commonly used files in `nix-support` are now split between the two wrappers. Some commonly used ones, like `nix-support/dynamic-linker`, are duplicated for backwards compatability, even though they rightly belong only in `bintools-wrapper`. Other more obscure ones are just moved.
 
-- The propagation logic has been changed. The new logic, along with new types of dependencies that go with, is thoroughly documented in the \"Specifying dependencies\" section of the \"Standard Environment\" chapter of the nixpkgs manual. The old logic isn\'t but is easy to describe: dependencies were propagated as the same type of dependency no matter what. In practice, that means that many `propagatedNativeBuildInputs` should instead be `propagatedBuildInputs`. Thankfully, that was and is the least used type of dependency. Also, it means that some `propagatedBuildInputs` should instead be `depsTargetTargetPropagated`. Other types dependencies should be unaffected.
+- The propagation logic has been changed. The new logic, along with new types of dependencies that go with, is thoroughly documented in the "Specifying dependencies" section of the "Standard Environment" chapter of the nixpkgs manual. The old logic isn't but is easy to describe: dependencies were propagated as the same type of dependency no matter what. In practice, that means that many `propagatedNativeBuildInputs` should instead be `propagatedBuildInputs`. Thankfully, that was and is the least used type of dependency. Also, it means that some `propagatedBuildInputs` should instead be `depsTargetTargetPropagated`. Other types dependencies should be unaffected.
 
 - `lib.addPassthru drv passthru` is removed. Use `lib.extendDerivation true passthru drv` instead.
 
@@ -184,7 +184,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The `hardware.amdHybridGraphics.disable` option was removed for lack of a maintainer. If you still need this module, you may wish to include a copy of it from an older version of nixos in your imports.
 
-- The merging of config options for `services.postfix.config` was buggy. Previously, if other options in the Postfix module like `services.postfix.useSrs` were set and the user set config options that were also set by such options, the resulting config wouldn\'t include all options that were needed. They are now merged correctly. If config options need to be overridden, `lib.mkForce` or `lib.mkOverride` can be used.
+- The merging of config options for `services.postfix.config` was buggy. Previously, if other options in the Postfix module like `services.postfix.useSrs` were set and the user set config options that were also set by such options, the resulting config wouldn't include all options that were needed. They are now merged correctly. If config options need to be overridden, `lib.mkForce` or `lib.mkOverride` can be used.
 
 - The following changes apply if the `stateVersion` is changed to 18.03 or higher. For `stateVersion = "17.09"` or lower the old behavior is preserved.
 
@@ -204,7 +204,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
   - The data directory `/var/lib/piwik` was renamed to `/var/lib/matomo`. All files will be moved automatically on first startup, but you might need to adjust your backup scripts.
 
-  - The default `serverName` for the nginx configuration changed from `piwik.${config.networking.hostName}` to `matomo.${config.networking.hostName}.${config.networking.domain}` if `config.networking.domain` is set, `matomo.${config.networking.hostName}` if it is not set. If you change your `serverName`, remember you\'ll need to update the `trustedHosts[]` array in `/var/lib/matomo/config/config.ini.php` as well.
+  - The default `serverName` for the nginx configuration changed from `piwik.${config.networking.hostName}` to `matomo.${config.networking.hostName}.${config.networking.domain}` if `config.networking.domain` is set, `matomo.${config.networking.hostName}` if it is not set. If you change your `serverName`, remember you'll need to update the `trustedHosts[]` array in `/var/lib/matomo/config/config.ini.php` as well.
 
   - The `piwik` user was renamed to `matomo`. The service will adjust ownership automatically for files in the data directory. If you use unix socket authentication, remember to give the new `matomo` user access to the database and to change the `username` to `matomo` in the `[database]` section of `/var/lib/matomo/config/config.ini.php`.
 
@@ -250,7 +250,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The option `services.logstash.listenAddress` is now `127.0.0.1` by default. Previously the default behaviour was to listen on all interfaces.
 
-- `services.btrfs.autoScrub` has been added, to periodically check btrfs filesystems for data corruption. If there\'s a correct copy available, it will automatically repair corrupted blocks.
+- `services.btrfs.autoScrub` has been added, to periodically check btrfs filesystems for data corruption. If there's a correct copy available, it will automatically repair corrupted blocks.
 
 - `displayManager.lightdm.greeters.gtk.clock-format.` has been added, the clock format string (as expected by strftime, e.g. `%H:%M`) to use with the lightdm gtk greeter panel.
 
diff --git a/nixos/doc/manual/release-notes/rl-1809.section.md b/nixos/doc/manual/release-notes/rl-1809.section.md
index 3443db37c97e1..71afc71d5a89a 100644
--- a/nixos/doc/manual/release-notes/rl-1809.section.md
+++ b/nixos/doc/manual/release-notes/rl-1809.section.md
@@ -204,11 +204,11 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The `clementine` package points now to the free derivation. `clementineFree` is removed now and `clementineUnfree` points to the package which is bundled with the unfree `libspotify` package.
 
-- The `netcat` package is now taken directly from OpenBSD\'s `libressl`, instead of relying on Debian\'s fork. The new version should be very close to the old version, but there are some minor differences. Importantly, flags like -b, -q, -C, and -Z are no longer accepted by the nc command.
+- The `netcat` package is now taken directly from OpenBSD's `libressl`, instead of relying on Debian's fork. The new version should be very close to the old version, but there are some minor differences. Importantly, flags like -b, -q, -C, and -Z are no longer accepted by the nc command.
 
-- The `services.docker-registry.extraConfig` object doesn\'t contain environment variables anymore. Instead it needs to provide an object structure that can be mapped onto the YAML configuration defined in [the `docker/distribution` docs](https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md).
+- The `services.docker-registry.extraConfig` object doesn't contain environment variables anymore. Instead it needs to provide an object structure that can be mapped onto the YAML configuration defined in [the `docker/distribution` docs](https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md).
 
-- `gnucash` has changed from version 2.4 to 3.x. If you\'ve been using `gnucash` (version 2.4) instead of `gnucash26` (version 2.6) you must open your Gnucash data file(s) with `gnucash26` and then save them to upgrade the file format. Then you may use your data file(s) with Gnucash 3.x. See the upgrade [documentation](https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade). Gnucash 2.4 is still available under the attribute `gnucash24`.
+- `gnucash` has changed from version 2.4 to 3.x. If you've been using `gnucash` (version 2.4) instead of `gnucash26` (version 2.6) you must open your Gnucash data file(s) with `gnucash26` and then save them to upgrade the file format. Then you may use your data file(s) with Gnucash 3.x. See the upgrade [documentation](https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade). Gnucash 2.4 is still available under the attribute `gnucash24`.
 
 - `services.munge` now runs as user (and group) `munge` instead of root. Make sure the key file is accessible to the daemon.
 
@@ -315,7 +315,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The Kubernetes Dashboard now has only minimal RBAC permissions by default. If dashboard cluster-admin rights are desired, set `services.kubernetes.addons.dashboard.rbac.clusterAdmin` to true. On existing clusters, in order for the revocation of privileges to take effect, the current ClusterRoleBinding for kubernetes-dashboard must be manually removed: `kubectl delete clusterrolebinding kubernetes-dashboard`
 
-- The `programs.screen` module provides allows to configure `/etc/screenrc`, however the module behaved fairly counterintuitive as the config exists, but the package wasn\'t available. Since 18.09 `pkgs.screen` will be added to `environment.systemPackages`.
+- The `programs.screen` module provides allows to configure `/etc/screenrc`, however the module behaved fairly counterintuitive as the config exists, but the package wasn't available. Since 18.09 `pkgs.screen` will be added to `environment.systemPackages`.
 
 - The module `services.networking.hostapd` now uses WPA2 by default.
 
@@ -327,6 +327,6 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The default display manager is now LightDM. To use SLiM set `services.xserver.displayManager.slim.enable` to `true`.
 
-- NixOS option descriptions are now automatically broken up into individual paragraphs if the text contains two consecutive newlines, so it\'s no longer necessary to use `</para><para>` to start a new paragraph.
+- NixOS option descriptions are now automatically broken up into individual paragraphs if the text contains two consecutive newlines, so it's no longer necessary to use `</para><para>` to start a new paragraph.
 
 - Top-level `buildPlatform`, `hostPlatform`, and `targetPlatform` in Nixpkgs are deprecated. Please use their equivalents in `stdenv` instead: `stdenv.buildPlatform`, `stdenv.hostPlatform`, and `stdenv.targetPlatform`.
diff --git a/nixos/doc/manual/release-notes/rl-1903.section.md b/nixos/doc/manual/release-notes/rl-1903.section.md
index e560b9f304485..b43518c471fd2 100644
--- a/nixos/doc/manual/release-notes/rl-1903.section.md
+++ b/nixos/doc/manual/release-notes/rl-1903.section.md
@@ -11,11 +11,11 @@ In addition to numerous new and upgraded packages, this release has the followin
 - Added the Pantheon desktop environment. It can be enabled through `services.xserver.desktopManager.pantheon.enable`.
 
   ::: {.note}
-  By default, `services.xserver.desktopManager.pantheon` enables LightDM as a display manager, as pantheon\'s screen locking implementation relies on it.
-  Because of that it is recommended to leave LightDM enabled. If you\'d like to disable it anyway, set `services.xserver.displayManager.lightdm.enable` to `false` and enable your preferred display manager.
+  By default, `services.xserver.desktopManager.pantheon` enables LightDM as a display manager, as pantheon's screen locking implementation relies on it.
+  Because of that it is recommended to leave LightDM enabled. If you'd like to disable it anyway, set `services.xserver.displayManager.lightdm.enable` to `false` and enable your preferred display manager.
   :::
 
-  Also note that Pantheon\'s LightDM greeter is not enabled by default, because it has numerous issues in NixOS and isn\'t optimal for use here yet.
+  Also note that Pantheon's LightDM greeter is not enabled by default, because it has numerous issues in NixOS and isn't optimal for use here yet.
 
 - A major refactoring of the Kubernetes module has been completed. Refactorings primarily focus on decoupling components and enhancing security. Two-way TLS and RBAC has been enabled by default for all components, which slightly changes the way the module is configured. See: [](#sec-kubernetes) for details.
 
@@ -57,7 +57,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The Syncthing state and configuration data has been moved from `services.syncthing.dataDir` to the newly defined `services.syncthing.configDir`, which default to `/var/lib/syncthing/.config/syncthing`. This change makes possible to share synced directories using ACLs without Syncthing resetting the permission on every start.
 
-- The `ntp` module now has sane default restrictions. If you\'re relying on the previous defaults, which permitted all queries and commands from all firewall-permitted sources, you can set `services.ntp.restrictDefault` and `services.ntp.restrictSource` to `[]`.
+- The `ntp` module now has sane default restrictions. If you're relying on the previous defaults, which permitted all queries and commands from all firewall-permitted sources, you can set `services.ntp.restrictDefault` and `services.ntp.restrictSource` to `[]`.
 
 - Package `rabbitmq_server` is renamed to `rabbitmq-server`.
 
@@ -89,9 +89,9 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The option `services.xserver.displayManager.job.logToFile` which was previously set to `true` when using the display managers `lightdm`, `sddm` or `xpra` has been reset to the default value (`false`).
 
-- Network interface indiscriminate NixOS firewall options (`networking.firewall.allow*`) are now preserved when also setting interface specific rules such as `networking.firewall.interfaces.en0.allow*`. These rules continue to use the pseudo device \"default\" (`networking.firewall.interfaces.default.*`), and assigning to this pseudo device will override the (`networking.firewall.allow*`) options.
+- Network interface indiscriminate NixOS firewall options (`networking.firewall.allow*`) are now preserved when also setting interface specific rules such as `networking.firewall.interfaces.en0.allow*`. These rules continue to use the pseudo device "default" (`networking.firewall.interfaces.default.*`), and assigning to this pseudo device will override the (`networking.firewall.allow*`) options.
 
-- The `nscd` service now disables all caching of `passwd` and `group` databases by default. This was interferring with the correct functioning of the `libnss_systemd.so` module which is used by `systemd` to manage uids and usernames in the presence of `DynamicUser=` in systemd services. This was already the default behaviour in presence of `services.sssd.enable = true` because nscd caching would interfere with `sssd` in unpredictable ways as well. Because we\'re using nscd not for caching, but for convincing glibc to find NSS modules in the nix store instead of an absolute path, we have decided to disable caching globally now, as it\'s usually not the behaviour the user wants and can lead to surprising behaviour. Furthermore, negative caching of host lookups is also disabled now by default. This should fix the issue of dns lookups failing in the presence of an unreliable network.
+- The `nscd` service now disables all caching of `passwd` and `group` databases by default. This was interferring with the correct functioning of the `libnss_systemd.so` module which is used by `systemd` to manage uids and usernames in the presence of `DynamicUser=` in systemd services. This was already the default behaviour in presence of `services.sssd.enable = true` because nscd caching would interfere with `sssd` in unpredictable ways as well. Because we're using nscd not for caching, but for convincing glibc to find NSS modules in the nix store instead of an absolute path, we have decided to disable caching globally now, as it's usually not the behaviour the user wants and can lead to surprising behaviour. Furthermore, negative caching of host lookups is also disabled now by default. This should fix the issue of dns lookups failing in the presence of an unreliable network.
 
   If the old behaviour is desired, this can be restored by setting the `services.nscd.config` option with the desired caching parameters.
 
@@ -137,7 +137,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The `pam_unix` account module is now loaded with its control field set to `required` instead of `sufficient`, so that later PAM account modules that might do more extensive checks are being executed. Previously, the whole account module verification was exited prematurely in case a nss module provided the account name to `pam_unix`. The LDAP and SSSD NixOS modules already add their NSS modules when enabled. In case your setup breaks due to some later PAM account module previosuly shadowed, or failing NSS lookups, please file a bug. You can get back the old behaviour by manually setting `security.pam.services.<name?>.text`.
 
-- The `pam_unix` password module is now loaded with its control field set to `sufficient` instead of `required`, so that password managed only by later PAM password modules are being executed. Previously, for example, changing an LDAP account\'s password through PAM was not possible: the whole password module verification was exited prematurely by `pam_unix`, preventing `pam_ldap` to manage the password as it should.
+- The `pam_unix` password module is now loaded with its control field set to `sufficient` instead of `required`, so that password managed only by later PAM password modules are being executed. Previously, for example, changing an LDAP account's password through PAM was not possible: the whole password module verification was exited prematurely by `pam_unix`, preventing `pam_ldap` to manage the password as it should.
 
 - `fish` has been upgraded to 3.0. It comes with a number of improvements and backwards incompatible changes. See the `fish` [release notes](https://github.com/fish-shell/fish-shell/releases/tag/3.0.0) for more information.
 
@@ -145,7 +145,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - NixOS module system type `types.optionSet` and `lib.mkOption` argument `options` are deprecated. Use `types.submodule` instead. ([\#54637](https://github.com/NixOS/nixpkgs/pull/54637))
 
-- `matrix-synapse` has been updated to version 0.99. It will [no longer generate a self-signed certificate on first launch](https://github.com/matrix-org/synapse/pull/4509) and will be [the last version to accept self-signed certificates](https://matrix.org/blog/2019/02/05/synapse-0-99-0/). As such, it is now recommended to use a proper certificate verified by a root CA (for example Let\'s Encrypt). The new [manual chapter on Matrix](#module-services-matrix) contains a working example of using nginx as a reverse proxy in front of `matrix-synapse`, using Let\'s Encrypt certificates.
+- `matrix-synapse` has been updated to version 0.99. It will [no longer generate a self-signed certificate on first launch](https://github.com/matrix-org/synapse/pull/4509) and will be [the last version to accept self-signed certificates](https://matrix.org/blog/2019/02/05/synapse-0-99-0/). As such, it is now recommended to use a proper certificate verified by a root CA (for example Let's Encrypt). The new [manual chapter on Matrix](#module-services-matrix) contains a working example of using nginx as a reverse proxy in front of `matrix-synapse`, using Let's Encrypt certificates.
 
 - `mailutils` now works by default when `sendmail` is not in a setuid wrapper. As a consequence, the `sendmailPath` argument, having lost its main use, has been removed.
 
@@ -191,7 +191,7 @@ When upgrading from a previous release, please be aware of the following incompa
   With this change application specific volumes are relative to the master volume which can be adjusted independently, whereas before they were absolute; meaning that in effect, it scaled the device-volume with the volume of the loudest application.
   :::
 
-- The [`ndppd`](https://github.com/DanielAdolfsson/ndppd) module now supports [all config options](options.html#opt-services.ndppd.enable) provided by the current upstream version as service options. Additionally the `ndppd` package doesn\'t contain the systemd unit configuration from upstream anymore, the unit is completely configured by the NixOS module now.
+- The [`ndppd`](https://github.com/DanielAdolfsson/ndppd) module now supports [all config options](options.html#opt-services.ndppd.enable) provided by the current upstream version as service options. Additionally the `ndppd` package doesn't contain the systemd unit configuration from upstream anymore, the unit is completely configured by the NixOS module now.
 
 - New installs of NixOS will default to the Redmine 4.x series unless otherwise specified in `services.redmine.package` while existing installs of NixOS will default to the Redmine 3.x series.
 
diff --git a/nixos/doc/manual/release-notes/rl-1909.section.md b/nixos/doc/manual/release-notes/rl-1909.section.md
index 0f09f9b927345..428352388193f 100644
--- a/nixos/doc/manual/release-notes/rl-1909.section.md
+++ b/nixos/doc/manual/release-notes/rl-1909.section.md
@@ -34,7 +34,7 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The installer now uses a less privileged `nixos` user whereas before we logged in as root. To gain root privileges use `sudo -i` without a password.
 
-- We\'ve updated to Xfce 4.14, which brings a new module `services.xserver.desktopManager.xfce4-14`. If you\'d like to upgrade, please switch from the `services.xserver.desktopManager.xfce` module as it will be deprecated in a future release. They\'re incompatibilities with the current Xfce module; it doesn\'t support `thunarPlugins` and it isn\'t recommended to use `services.xserver.desktopManager.xfce` and `services.xserver.desktopManager.xfce4-14` simultaneously or to downgrade from Xfce 4.14 after upgrading.
+- We've updated to Xfce 4.14, which brings a new module `services.xserver.desktopManager.xfce4-14`. If you'd like to upgrade, please switch from the `services.xserver.desktopManager.xfce` module as it will be deprecated in a future release. They're incompatibilities with the current Xfce module; it doesn't support `thunarPlugins` and it isn't recommended to use `services.xserver.desktopManager.xfce` and `services.xserver.desktopManager.xfce4-14` simultaneously or to downgrade from Xfce 4.14 after upgrading.
 
 - The GNOME 3 desktop manager module sports an interface to enable/disable core services, applications, and optional GNOME packages like games.
 
@@ -46,9 +46,9 @@ In addition to numerous new and upgraded packages, this release has the followin
 
   - `services.gnome3.games.enable`
 
-  With these options we hope to give users finer grained control over their systems. Prior to this change you\'d either have to manually disable options or use `environment.gnome3.excludePackages` which only excluded the optional applications. `environment.gnome3.excludePackages` is now unguarded, it can exclude any package installed with `environment.systemPackages` in the GNOME 3 module.
+  With these options we hope to give users finer grained control over their systems. Prior to this change you'd either have to manually disable options or use `environment.gnome3.excludePackages` which only excluded the optional applications. `environment.gnome3.excludePackages` is now unguarded, it can exclude any package installed with `environment.systemPackages` in the GNOME 3 module.
 
-- Orthogonal to the previous changes to the GNOME 3 desktop manager module, we\'ve updated all default services and applications to match as close as possible to a default reference GNOME 3 experience.
+- Orthogonal to the previous changes to the GNOME 3 desktop manager module, we've updated all default services and applications to match as close as possible to a default reference GNOME 3 experience.
 
   **The following changes were enacted in `services.gnome3.core-utilities.enable`**
 
@@ -104,7 +104,7 @@ The following new services were added since the last release:
 
   - `services.xserver.desktopManager.pantheon`
 
-  - `services.xserver.desktopManager.mate` Note Mate uses `programs.system-config-printer` as it doesn\'t use it as a service, but its graphical interface directly.
+  - `services.xserver.desktopManager.mate` Note Mate uses `programs.system-config-printer` as it doesn't use it as a service, but its graphical interface directly.
 
 - [services.blueman.enable](options.html#opt-services.blueman.enable) has been added. If you previously had blueman installed via `environment.systemPackages` please migrate to using the NixOS module, as this would result in an insufficiently configured blueman.
 
@@ -118,11 +118,11 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - PostgreSQL 9.4 is scheduled EOL during the 19.09 life cycle and has been removed.
 
-- The options `services.prometheus.alertmanager.user` and `services.prometheus.alertmanager.group` have been removed because the alertmanager service is now using systemd\'s [ DynamicUser mechanism](http://0pointer.net/blog/dynamic-users-with-systemd.html) which obviates these options.
+- The options `services.prometheus.alertmanager.user` and `services.prometheus.alertmanager.group` have been removed because the alertmanager service is now using systemd's [ DynamicUser mechanism](http://0pointer.net/blog/dynamic-users-with-systemd.html) which obviates these options.
 
 - The NetworkManager systemd unit was renamed back from network-manager.service to NetworkManager.service for better compatibility with other applications expecting this name. The same applies to ModemManager where modem-manager.service is now called ModemManager.service again.
 
-- The `services.nzbget.configFile` and `services.nzbget.openFirewall` options were removed as they are managed internally by the nzbget. The `services.nzbget.dataDir` option hadn\'t actually been used by the module for some time and so was removed as cleanup.
+- The `services.nzbget.configFile` and `services.nzbget.openFirewall` options were removed as they are managed internally by the nzbget. The `services.nzbget.dataDir` option hadn't actually been used by the module for some time and so was removed as cleanup.
 
 - The `services.mysql.pidDir` option was removed, as it was only used by the wordpress apache-httpd service to wait for mysql to have started up. This can be accomplished by either describing a dependency on mysql.service (preferred) or waiting for the (hardcoded) `/run/mysqld/mysql.sock` file to appear.
 
@@ -148,7 +148,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
   A new knob named `nixops.enableDeprecatedAutoLuks` has been introduced to disable the eval failure and to acknowledge the notice was received and read. If you plan on using the feature please note that it might break with subsequent updates.
 
-  Make sure you set the `_netdev` option for each of the file systems referring to block devices provided by the autoLuks module. Not doing this might render the system in a state where it doesn\'t boot anymore.
+  Make sure you set the `_netdev` option for each of the file systems referring to block devices provided by the autoLuks module. Not doing this might render the system in a state where it doesn't boot anymore.
 
   If you are actively using the `autoLuks` module please let us know in [issue \#62211](https://github.com/NixOS/nixpkgs/issues/62211).
 
@@ -196,13 +196,13 @@ When upgrading from a previous release, please be aware of the following incompa
 
   Furthermore, the acme module will not automatically add a dependency on `lighttpd.service` anymore. If you are using certficates provided by letsencrypt for lighttpd, then you should depend on the certificate service `acme-${cert}.service>` manually.
 
-  For nginx, the dependencies are still automatically managed when `services.nginx.virtualhosts.<name>.enableACME` is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs, instead of depending on the catch-all `acme-certificates.target`. This target unit was also removed from the codebase. This will mean nginx will no longer depend on certificates it isn\'t explicitly managing and fixes a bug with certificate renewal ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at [NixOS/nixpkgs\#60180](https://github.com/NixOS/nixpkgs/issues/60180).
+  For nginx, the dependencies are still automatically managed when `services.nginx.virtualhosts.<name>.enableACME` is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs, instead of depending on the catch-all `acme-certificates.target`. This target unit was also removed from the codebase. This will mean nginx will no longer depend on certificates it isn't explicitly managing and fixes a bug with certificate renewal ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at [NixOS/nixpkgs\#60180](https://github.com/NixOS/nixpkgs/issues/60180).
 
 - The old deprecated `emacs` package sets have been dropped. What used to be called `emacsPackagesNg` is now simply called `emacsPackages`.
 
-- `services.xserver.desktopManager.xterm` is now disabled by default if `stateVersion` is 19.09 or higher. Previously the xterm desktopManager was enabled when xserver was enabled, but it isn\'t useful for all people so it didn\'t make sense to have any desktopManager enabled default.
+- `services.xserver.desktopManager.xterm` is now disabled by default if `stateVersion` is 19.09 or higher. Previously the xterm desktopManager was enabled when xserver was enabled, but it isn't useful for all people so it didn't make sense to have any desktopManager enabled default.
 
-- The WeeChat plugin `pkgs.weechatScripts.weechat-xmpp` has been removed as it doesn\'t receive any updates from upstream and depends on outdated Python2-based modules.
+- The WeeChat plugin `pkgs.weechatScripts.weechat-xmpp` has been removed as it doesn't receive any updates from upstream and depends on outdated Python2-based modules.
 
 - Old unsupported versions (`logstash5`, `kibana5`, `filebeat5`, `heartbeat5`, `metricbeat5`, `packetbeat5`) of the ELK-stack and Elastic beats have been removed.
 
@@ -210,7 +210,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - Citrix Receiver (`citrix_receiver`) has been dropped in favor of Citrix Workspace (`citrix_workspace`).
 
-- The `services.gitlab` module has had its literal secret options (`services.gitlab.smtp.password`, `services.gitlab.databasePassword`, `services.gitlab.initialRootPassword`, `services.gitlab.secrets.secret`, `services.gitlab.secrets.db`, `services.gitlab.secrets.otp` and `services.gitlab.secrets.jws`) replaced by file-based versions (`services.gitlab.smtp.passwordFile`, `services.gitlab.databasePasswordFile`, `services.gitlab.initialRootPasswordFile`, `services.gitlab.secrets.secretFile`, `services.gitlab.secrets.dbFile`, `services.gitlab.secrets.otpFile` and `services.gitlab.secrets.jwsFile`). This was done so that secrets aren\'t stored in the world-readable nix store, but means that for each option you\'ll have to create a file with the same exact string, add \"File\" to the end of the option name, and change the definition to a string pointing to the corresponding file; e.g. `services.gitlab.databasePassword = "supersecurepassword"` becomes `services.gitlab.databasePasswordFile = "/path/to/secret_file"` where the file `secret_file` contains the string `supersecurepassword`.
+- The `services.gitlab` module has had its literal secret options (`services.gitlab.smtp.password`, `services.gitlab.databasePassword`, `services.gitlab.initialRootPassword`, `services.gitlab.secrets.secret`, `services.gitlab.secrets.db`, `services.gitlab.secrets.otp` and `services.gitlab.secrets.jws`) replaced by file-based versions (`services.gitlab.smtp.passwordFile`, `services.gitlab.databasePasswordFile`, `services.gitlab.initialRootPasswordFile`, `services.gitlab.secrets.secretFile`, `services.gitlab.secrets.dbFile`, `services.gitlab.secrets.otpFile` and `services.gitlab.secrets.jwsFile`). This was done so that secrets aren't stored in the world-readable nix store, but means that for each option you'll have to create a file with the same exact string, add "File" to the end of the option name, and change the definition to a string pointing to the corresponding file; e.g. `services.gitlab.databasePassword = "supersecurepassword"` becomes `services.gitlab.databasePasswordFile = "/path/to/secret_file"` where the file `secret_file` contains the string `supersecurepassword`.
 
   The state path (`services.gitlab.statePath`) now has the following restriction: no parent directory can be owned by any other user than `root` or the user specified in `services.gitlab.user`; i.e. if `services.gitlab.statePath` is set to `/var/lib/gitlab/state`, `gitlab` and all parent directories must be owned by either `root` or the user specified in `services.gitlab.user`.
 
@@ -218,7 +218,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The Twitter client `corebird` has been dropped as [it is discontinued and does not work against the new Twitter API](https://www.patreon.com/posts/corebirds-future-18921328). Please use the fork `cawbird` instead which has been adapted to the API changes and is still maintained.
 
-- The `nodejs-11_x` package has been removed as it\'s EOLed by upstream.
+- The `nodejs-11_x` package has been removed as it's EOLed by upstream.
 
 - Because of the systemd upgrade, systemd-timesyncd will no longer work if `system.stateVersion` is not set correctly. When upgrading from NixOS 19.03, please make sure that `system.stateVersion` is set to `"19.03"`, or lower if the installation dates back to an earlier version of NixOS.
 
@@ -252,7 +252,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The `consul` package was upgraded past version `1.5`, so its deprecated legacy UI is no longer available.
 
-- The default resample-method for PulseAudio has been changed from the upstream default `speex-float-1` to `speex-float-5`. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this so you\'ll need to set `hardware.pulseaudio.daemon.config.resample-method` back to `speex-float-1`.
+- The default resample-method for PulseAudio has been changed from the upstream default `speex-float-1` to `speex-float-5`. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this so you'll need to set `hardware.pulseaudio.daemon.config.resample-method` back to `speex-float-1`.
 
 - The `phabricator` package and associated `httpd.extraSubservice`, as well as the `phd` service have been removed from nixpkgs due to lack of maintainer.
 
@@ -264,7 +264,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The `tomcat-connector` `httpd.extraSubservice` has been removed from nixpkgs.
 
-- It\'s now possible to change configuration in [services.nextcloud](options.html#opt-services.nextcloud.enable) after the initial deploy since all config parameters are persisted in an additional config file generated by the module. Previously core configuration like database parameters were set using their imperative installer after creating `/var/lib/nextcloud`.
+- It's now possible to change configuration in [services.nextcloud](options.html#opt-services.nextcloud.enable) after the initial deploy since all config parameters are persisted in an additional config file generated by the module. Previously core configuration like database parameters were set using their imperative installer after creating `/var/lib/nextcloud`.
 
 - There exists now `lib.forEach`, which is like `map`, but with arguments flipped. When mapping function body spans many lines (or has nested `map`s), it is often hard to follow which list is modified.
 
@@ -308,6 +308,6 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The `altcoins` categorization of packages has been removed. You now access these packages at the top level, ie. `nix-shell -p dogecoin` instead of `nix-shell -p altcoins.dogecoin`, etc.
 
-- Ceph has been upgraded to v14.2.1. See the [release notes](https://ceph.com/releases/v14-2-0-nautilus-released/) for details. The mgr dashboard as well as osds backed by loop-devices is no longer explicitly supported by the package and module. Note: There\'s been some issues with python-cherrypy, which is used by the dashboard and prometheus mgr modules (and possibly others), hence 0000-dont-check-cherrypy-version.patch.
+- Ceph has been upgraded to v14.2.1. See the [release notes](https://ceph.com/releases/v14-2-0-nautilus-released/) for details. The mgr dashboard as well as osds backed by loop-devices is no longer explicitly supported by the package and module. Note: There's been some issues with python-cherrypy, which is used by the dashboard and prometheus mgr modules (and possibly others), hence 0000-dont-check-cherrypy-version.patch.
 
 - `pkgs.weechat` is now compiled against `pkgs.python3`. Weechat also recommends [to use Python3 in their docs.](https://weechat.org/scripts/python3/)
diff --git a/nixos/doc/manual/release-notes/rl-2003.section.md b/nixos/doc/manual/release-notes/rl-2003.section.md
index b92c7f6634c77..76cee8858e80a 100644
--- a/nixos/doc/manual/release-notes/rl-2003.section.md
+++ b/nixos/doc/manual/release-notes/rl-2003.section.md
@@ -34,11 +34,11 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - Postgresql for NixOS service now defaults to v11.
 
-- The graphical installer image starts the graphical session automatically. Before you\'d be greeted by a tty and asked to enter `systemctl start display-manager`. It is now possible to disable the display-manager from running by selecting the `Disable display-manager` quirk in the boot menu.
+- The graphical installer image starts the graphical session automatically. Before you'd be greeted by a tty and asked to enter `systemctl start display-manager`. It is now possible to disable the display-manager from running by selecting the `Disable display-manager` quirk in the boot menu.
 
 - GNOME 3 has been upgraded to 3.34. Please take a look at their [Release Notes](https://help.gnome.org/misc/release-notes/3.34) for details.
 
-- If you enable the Pantheon Desktop Manager via [services.xserver.desktopManager.pantheon.enable](options.html#opt-services.xserver.desktopManager.pantheon.enable), we now default to also use [ Pantheon\'s newly designed greeter ](https://blog.elementary.io/say-hello-to-the-new-greeter/). Contrary to NixOS\'s usual update policy, Pantheon will receive updates during the cycle of NixOS 20.03 when backwards compatible.
+- If you enable the Pantheon Desktop Manager via [services.xserver.desktopManager.pantheon.enable](options.html#opt-services.xserver.desktopManager.pantheon.enable), we now default to also use [ Pantheon's newly designed greeter ](https://blog.elementary.io/say-hello-to-the-new-greeter/). Contrary to NixOS's usual update policy, Pantheon will receive updates during the cycle of NixOS 20.03 when backwards compatible.
 
 - By default zfs pools will now be trimmed on a weekly basis. Trimming is only done on supported devices (i.e. NVME or SSDs) and should improve throughput and lifetime of these devices. It is controlled by the `services.zfs.trim.enable` varname. The zfs scrub service (`services.zfs.autoScrub.enable`) and the zfs autosnapshot service (`services.zfs.autoSnapshot.enable`) are now only enabled if zfs is set in `config.boot.initrd.supportedFilesystems` or `config.boot.supportedFilesystems`. These lists will automatically contain zfs as soon as any zfs mountpoint is configured in `fileSystems`.
 
@@ -77,7 +77,7 @@ The following new services were added since the last release:
 
 - The kubernetes kube-proxy now supports a new hostname configuration `services.kubernetes.proxy.hostname` which has to be set if the hostname of the node should be non default.
 
-- UPower\'s configuration is now managed by NixOS and can be customized via `services.upower`.
+- UPower's configuration is now managed by NixOS and can be customized via `services.upower`.
 
 - To use Geary you should enable [programs.geary.enable](options.html#opt-programs.geary.enable) instead of just adding it to [environment.systemPackages](options.html#opt-environment.systemPackages). It was created so Geary could function properly outside of GNOME.
 
@@ -187,9 +187,9 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The `99-main.network` file was removed. Matching all network interfaces caused many breakages, see [\#18962](https://github.com/NixOS/nixpkgs/pull/18962) and [\#71106](https://github.com/NixOS/nixpkgs/pull/71106).
 
-  We already don\'t support the global [networking.useDHCP](options.html#opt-networking.useDHCP), [networking.defaultGateway](options.html#opt-networking.defaultGateway) and [networking.defaultGateway6](options.html#opt-networking.defaultGateway6) options if [networking.useNetworkd](options.html#opt-networking.useNetworkd) is enabled, but direct users to configure the per-device [networking.interfaces.\<name\>....](options.html#opt-networking.interfaces) options.
+  We already don't support the global [networking.useDHCP](options.html#opt-networking.useDHCP), [networking.defaultGateway](options.html#opt-networking.defaultGateway) and [networking.defaultGateway6](options.html#opt-networking.defaultGateway6) options if [networking.useNetworkd](options.html#opt-networking.useNetworkd) is enabled, but direct users to configure the per-device [networking.interfaces.\<name\>....](options.html#opt-networking.interfaces) options.
 
-- The stdenv now runs all bash with `set -u`, to catch the use of undefined variables. Before, it itself used `set -u` but was careful to unset it so other packages\' code ran as before. Now, all bash code is held to the same high standard, and the rather complex stateful manipulation of the options can be discarded.
+- The stdenv now runs all bash with `set -u`, to catch the use of undefined variables. Before, it itself used `set -u` but was careful to unset it so other packages' code ran as before. Now, all bash code is held to the same high standard, and the rather complex stateful manipulation of the options can be discarded.
 
 - The SLIM Display Manager has been removed, as it has been unmaintained since 2013. Consider migrating to a different display manager such as LightDM (current default in NixOS), SDDM, GDM, or using the startx module which uses Xinitrc.
 
@@ -197,7 +197,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The BEAM package set has been deleted. You will only find there the different interpreters. You should now use the different build tools coming with the languages with sandbox mode disabled.
 
-- There is now only one Xfce package-set and module. This means that attributes `xfce4-14` and `xfceUnstable` all now point to the latest Xfce 4.14 packages. And in the future NixOS releases will be the latest released version of Xfce available at the time of the release\'s development (if viable).
+- There is now only one Xfce package-set and module. This means that attributes `xfce4-14` and `xfceUnstable` all now point to the latest Xfce 4.14 packages. And in the future NixOS releases will be the latest released version of Xfce available at the time of the release's development (if viable).
 
 - The [phpfpm](options.html#opt-services.phpfpm.pools) module now sets `PrivateTmp=true` in its systemd units for better process isolation. If you rely on `/tmp` being shared with other services, explicitly override this by setting `serviceConfig.PrivateTmp` to `false` for each phpfpm unit.
 
@@ -221,7 +221,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The packages `openobex` and `obexftp` are no longer installed when enabling Bluetooth via `hardware.bluetooth.enable`.
 
-- The `dump1090` derivation has been changed to use FlightAware\'s dump1090 as its upstream. However, this version does not have an internal webserver anymore. The assets in the `share/dump1090` directory of the derivation can be used in conjunction with an external webserver to replace this functionality.
+- The `dump1090` derivation has been changed to use FlightAware's dump1090 as its upstream. However, this version does not have an internal webserver anymore. The assets in the `share/dump1090` directory of the derivation can be used in conjunction with an external webserver to replace this functionality.
 
 - The fourStore and fourStoreEndpoint modules have been removed.
 
@@ -291,7 +291,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
   - `services.buildkite-agent.meta-data` has been renamed to [services.buildkite-agents.\<name\>.tags](options.html#opt-services.buildkite-agents), to match upstreams naming for 3.x. Its type has also changed - it now accepts an attrset of strings.
 
-  - The`services.buildkite-agent.openssh.publicKeyPath` option has been removed, as it\'s not necessary to deploy public keys to clone private repositories.
+  - The`services.buildkite-agent.openssh.publicKeyPath` option has been removed, as it's not necessary to deploy public keys to clone private repositories.
 
   - `services.buildkite-agent.openssh.privateKeyPath` has been renamed to [buildkite-agents.\<name\>.privateSshKeyPath](options.html#opt-services.buildkite-agents), as the whole `openssh` now only contained that single option.
 
@@ -301,7 +301,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The `gcc5` and `gfortran5` packages have been removed.
 
-- The `services.xserver.displayManager.auto` module has been removed. It was only intended for use in internal NixOS tests, and gave the false impression of it being a special display manager when it\'s actually LightDM. Please use the `services.xserver.displayManager.lightdm.autoLogin` options instead, or any other display manager in NixOS as they all support auto-login. If you used this module specifically because it permitted root auto-login you can override the lightdm-autologin pam module like:
+- The `services.xserver.displayManager.auto` module has been removed. It was only intended for use in internal NixOS tests, and gave the false impression of it being a special display manager when it's actually LightDM. Please use the `services.xserver.displayManager.lightdm.autoLogin` options instead, or any other display manager in NixOS as they all support auto-login. If you used this module specifically because it permitted root auto-login you can override the lightdm-autologin pam module like:
 
   ```nix
   {
@@ -325,13 +325,13 @@ When upgrading from a previous release, please be aware of the following incompa
   auth required pam_succeed_if.so quiet
   ```
 
-  line, where default it\'s:
+  line, where default it's:
 
   ```
    auth required pam_succeed_if.so uid >= 1000 quiet
   ```
 
-  not permitting users with uid\'s below 1000 (like root). All other display managers in NixOS are configured like this.
+  not permitting users with uid's below 1000 (like root). All other display managers in NixOS are configured like this.
 
 - There have been lots of improvements to the Mailman module. As a result,
 
@@ -357,9 +357,9 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - Rspamd was updated to version 2.2. Read [ the upstream migration notes](https://rspamd.com/doc/migration.html#migration-to-rspamd-20) carefully. Please be especially aware that some modules were removed and the default Bayes backend is now Redis.
 
-- The `*psu` versions of oraclejdk8 have been removed as they aren\'t provided by upstream anymore.
+- The `*psu` versions of oraclejdk8 have been removed as they aren't provided by upstream anymore.
 
-- The `services.dnscrypt-proxy` module has been removed as it used the deprecated version of dnscrypt-proxy. We\'ve added [services.dnscrypt-proxy2.enable](options.html#opt-services.dnscrypt-proxy2.enable) to use the supported version. This module supports configuration via the Nix attribute set [services.dnscrypt-proxy2.settings](options.html#opt-services.dnscrypt-proxy2.settings), or by passing a TOML configuration file via [services.dnscrypt-proxy2.configFile](options.html#opt-services.dnscrypt-proxy2.configFile).
+- The `services.dnscrypt-proxy` module has been removed as it used the deprecated version of dnscrypt-proxy. We've added [services.dnscrypt-proxy2.enable](options.html#opt-services.dnscrypt-proxy2.enable) to use the supported version. This module supports configuration via the Nix attribute set [services.dnscrypt-proxy2.settings](options.html#opt-services.dnscrypt-proxy2.settings), or by passing a TOML configuration file via [services.dnscrypt-proxy2.configFile](options.html#opt-services.dnscrypt-proxy2.configFile).
 
   ```nix
   {
@@ -382,13 +382,13 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - `qesteidutil` has been deprecated in favor of `qdigidoc`.
 
-- sqldeveloper_18 has been removed as it\'s not maintained anymore, sqldeveloper has been updated to version `19.4`. Please note that this means that this means that the oraclejdk is now required. For further information please read the [release notes](https://www.oracle.com/technetwork/developer-tools/sql-developer/downloads/sqldev-relnotes-194-5908846.html).
+- sqldeveloper_18 has been removed as it's not maintained anymore, sqldeveloper has been updated to version `19.4`. Please note that this means that this means that the oraclejdk is now required. For further information please read the [release notes](https://www.oracle.com/technetwork/developer-tools/sql-developer/downloads/sqldev-relnotes-194-5908846.html).
 
-- Haskell `env` and `shellFor` dev shell environments now organize dependencies the same way as regular builds. In particular, rather than receiving all the different lists of dependencies mashed together as one big list, and then partitioning into Haskell and non-Hakell dependencies, they work from the original many different dependency parameters and don\'t need to algorithmically partition anything.
+- Haskell `env` and `shellFor` dev shell environments now organize dependencies the same way as regular builds. In particular, rather than receiving all the different lists of dependencies mashed together as one big list, and then partitioning into Haskell and non-Hakell dependencies, they work from the original many different dependency parameters and don't need to algorithmically partition anything.
 
   This means that if you incorrectly categorize a dependency, e.g. non-Haskell library dependency as a `buildDepends` or run-time Haskell dependency as a `setupDepends`, whereas things would have worked before they may not work now.
 
-- The gcc-snapshot-package has been removed. It\'s marked as broken for \>2 years and used to point to a fairly old snapshot from the gcc7-branch.
+- The gcc-snapshot-package has been removed. It's marked as broken for \>2 years and used to point to a fairly old snapshot from the gcc7-branch.
 
 - The nixos-build-vms8 -script now uses the python test-driver.
 
@@ -398,21 +398,21 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - Stand-alone usage of `Upower` now requires `services.upower.enable` instead of just installing into [environment.systemPackages](options.html#opt-environment.systemPackages).
 
-- nextcloud has been updated to `v18.0.2`. This means that users from NixOS 19.09 can\'t upgrade directly since you can only move one version forward and 19.09 uses `v16.0.8`.
+- nextcloud has been updated to `v18.0.2`. This means that users from NixOS 19.09 can't upgrade directly since you can only move one version forward and 19.09 uses `v16.0.8`.
 
   To provide a safe upgrade-path and to circumvent similar issues in the future, the following measures were taken:
 
   - The pkgs.nextcloud-attribute has been removed and replaced with versioned attributes (currently pkgs.nextcloud17 and pkgs.nextcloud18). With this change major-releases can be backported without breaking stuff and to make upgrade-paths easier.
 
-  - Existing setups will be detected using [system.stateVersion](options.html#opt-system.stateVersion): by default, nextcloud17 will be used, but will raise a warning which notes that after that deploy it\'s recommended to update to the latest stable version (nextcloud18) by declaring the newly introduced setting [services.nextcloud.package](options.html#opt-services.nextcloud.package).
+  - Existing setups will be detected using [system.stateVersion](options.html#opt-system.stateVersion): by default, nextcloud17 will be used, but will raise a warning which notes that after that deploy it's recommended to update to the latest stable version (nextcloud18) by declaring the newly introduced setting [services.nextcloud.package](options.html#opt-services.nextcloud.package).
 
-  - Users with an overlay (e.g. to use nextcloud at version `v18` on `19.09`) will get an evaluation error by default. This is done to ensure that our [package](options.html#opt-services.nextcloud.package)-option doesn\'t select an older version by accident. It\'s recommended to use pkgs.nextcloud18 or to set [package](options.html#opt-services.nextcloud.package) to pkgs.nextcloud explicitly.
+  - Users with an overlay (e.g. to use nextcloud at version `v18` on `19.09`) will get an evaluation error by default. This is done to ensure that our [package](options.html#opt-services.nextcloud.package)-option doesn't select an older version by accident. It's recommended to use pkgs.nextcloud18 or to set [package](options.html#opt-services.nextcloud.package) to pkgs.nextcloud explicitly.
 
   ::: {.warning}
-  Please note that if you\'re coming from `19.03` or older, you have to manually upgrade to `19.09` first to upgrade your server to Nextcloud v16.
+  Please note that if you're coming from `19.03` or older, you have to manually upgrade to `19.09` first to upgrade your server to Nextcloud v16.
   :::
 
-- Hydra has gained a massive performance improvement due to [some database schema changes](https://github.com/NixOS/hydra/pull/710) by adding several IDs and better indexing. However, it\'s necessary to upgrade Hydra in multiple steps:
+- Hydra has gained a massive performance improvement due to [some database schema changes](https://github.com/NixOS/hydra/pull/710) by adding several IDs and better indexing. However, it's necessary to upgrade Hydra in multiple steps:
 
   - At first, an older version of Hydra needs to be deployed which adds those (nullable) columns. When having set [stateVersion ](options.html#opt-system.stateVersion) to a value older than `20.03`, this package will be selected by default from the module when upgrading. Otherwise, the package can be deployed using the following config:
 
@@ -434,13 +434,13 @@ When upgrading from a previous release, please be aware of the following incompa
 - Deploy a newer version of Hydra to activate the DB optimizations. This can be done by using hydra-unstable. This package already includes [flake-support](https://github.com/nixos/rfcs/pull/49) and is therefore compiled against pkgs.nixFlakes.
 
   ::: {.warning}
-  If your [stateVersion](options.html#opt-system.stateVersion) is set to `20.03` or greater, hydra-unstable will be used automatically! This will break your setup if you didn\'t run the migration.
+  If your [stateVersion](options.html#opt-system.stateVersion) is set to `20.03` or greater, hydra-unstable will be used automatically! This will break your setup if you didn't run the migration.
   :::
 
-  Please note that Hydra is currently not available with nixStable as this doesn\'t compile anymore.
+  Please note that Hydra is currently not available with nixStable as this doesn't compile anymore.
 
   ::: {.warning}
-  pkgs.hydra has been removed to ensure a graceful database-migration using the dedicated package-attributes. If you still have pkgs.hydra defined in e.g. an overlay, an assertion error will be thrown. To circumvent this, you need to set [services.hydra.package](options.html#opt-services.hydra.package) to pkgs.hydra explicitly and make sure you know what you\'re doing!
+  pkgs.hydra has been removed to ensure a graceful database-migration using the dedicated package-attributes. If you still have pkgs.hydra defined in e.g. an overlay, an assertion error will be thrown. To circumvent this, you need to set [services.hydra.package](options.html#opt-services.hydra.package) to pkgs.hydra explicitly and make sure you know what you're doing!
   :::
 
 - The TokuDB storage engine will be disabled in mariadb 10.5. It is recommended to switch to RocksDB. See also [TokuDB](https://mariadb.com/kb/en/tokudb/).
@@ -478,9 +478,9 @@ When upgrading from a previous release, please be aware of the following incompa
 
   Depending on your setup, you need to incorporate one of the following changes in your setup to upgrade to 20.03:
 
-  - If you use `sqlite3` you don\'t need to do anything.
+  - If you use `sqlite3` you don't need to do anything.
 
-  - If you use `postgresql` on a different server, you don\'t need to change anything as well since this module was never designed to configure remote databases.
+  - If you use `postgresql` on a different server, you don't need to change anything as well since this module was never designed to configure remote databases.
 
   - If you use `postgresql` and configured your synapse initially on `19.09` or older, you simply need to enable postgresql-support explicitly:
 
@@ -496,12 +496,12 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - If you deploy a fresh matrix-synapse, you need to configure the database yourself (e.g. by using the [services.postgresql.initialScript](options.html#opt-services.postgresql.initialScript) option). An example for this can be found in the [documentation of the Matrix module](#module-services-matrix).
 
-- If you initially deployed your matrix-synapse on `nixos-unstable` _after_ the `19.09`-release, your database is misconfigured due to a regression in NixOS. For now, matrix-synapse will startup with a warning, but it\'s recommended to reconfigure the database to set the values `LC_COLLATE` and `LC_CTYPE` to [`'C'`](https://www.postgresql.org/docs/12/locale.html).
+- If you initially deployed your matrix-synapse on `nixos-unstable` _after_ the `19.09`-release, your database is misconfigured due to a regression in NixOS. For now, matrix-synapse will startup with a warning, but it's recommended to reconfigure the database to set the values `LC_COLLATE` and `LC_CTYPE` to [`'C'`](https://www.postgresql.org/docs/12/locale.html).
 
-- The [systemd.network.links](options.html#opt-systemd.network.links) option is now respected even when [systemd-networkd](options.html#opt-systemd.network.enable) is disabled. This mirrors the behaviour of systemd - It\'s udev that parses `.link` files, not `systemd-networkd`.
+- The [systemd.network.links](options.html#opt-systemd.network.links) option is now respected even when [systemd-networkd](options.html#opt-systemd.network.enable) is disabled. This mirrors the behaviour of systemd - It's udev that parses `.link` files, not `systemd-networkd`.
 
 - mongodb has been updated to version `3.4.24`.
 
   ::: {.warning}
-  Please note that mongodb has been relicensed under their own [` sspl`](https://www.mongodb.com/licensing/server-side-public-license/faq)-license. Since it\'s not entirely free and not OSI-approved, it\'s listed as non-free. This means that Hydra doesn\'t provide prebuilt mongodb-packages and needs to be built locally.
+  Please note that mongodb has been relicensed under their own [` sspl`](https://www.mongodb.com/licensing/server-side-public-license/faq)-license. Since it's not entirely free and not OSI-approved, it's listed as non-free. This means that Hydra doesn't provide prebuilt mongodb-packages and needs to be built locally.
   :::
diff --git a/nixos/doc/manual/release-notes/rl-2009.section.md b/nixos/doc/manual/release-notes/rl-2009.section.md
index 79be2a56a54eb..6995ef1d406cf 100644
--- a/nixos/doc/manual/release-notes/rl-2009.section.md
+++ b/nixos/doc/manual/release-notes/rl-2009.section.md
@@ -218,7 +218,7 @@ In addition to 1119 new, 118 updated, and 476 removed options; 61 new modules we
 
 When upgrading from a previous release, please be aware of the following incompatible changes:
 
-- MariaDB has been updated to 10.4, MariaDB Galera to 26.4. Before you upgrade, it would be best to take a backup of your database. For MariaDB Galera Cluster, see [Upgrading from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster](https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104-with-galera-cluster/) instead. Before doing the upgrade read [Incompatible Changes Between 10.3 and 10.4](https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104/#incompatible-changes-between-103-and-104). After the upgrade you will need to run `mysql_upgrade`. MariaDB 10.4 introduces a number of changes to the authentication process, intended to make things easier and more intuitive. See [Authentication from MariaDB 10.4](https://mariadb.com/kb/en/authentication-from-mariadb-104/). unix_socket auth plugin does not use a password, and uses the connecting user\'s UID instead. When a new MariaDB data directory is initialized, two MariaDB users are created and can be used with new unix_socket auth plugin, as well as traditional mysql_native_password plugin: root\@localhost and mysql\@localhost. To actually use the traditional mysql_native_password plugin method, one must run the following:
+- MariaDB has been updated to 10.4, MariaDB Galera to 26.4. Before you upgrade, it would be best to take a backup of your database. For MariaDB Galera Cluster, see [Upgrading from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster](https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104-with-galera-cluster/) instead. Before doing the upgrade read [Incompatible Changes Between 10.3 and 10.4](https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104/#incompatible-changes-between-103-and-104). After the upgrade you will need to run `mysql_upgrade`. MariaDB 10.4 introduces a number of changes to the authentication process, intended to make things easier and more intuitive. See [Authentication from MariaDB 10.4](https://mariadb.com/kb/en/authentication-from-mariadb-104/). unix_socket auth plugin does not use a password, and uses the connecting user's UID instead. When a new MariaDB data directory is initialized, two MariaDB users are created and can be used with new unix_socket auth plugin, as well as traditional mysql_native_password plugin: root\@localhost and mysql\@localhost. To actually use the traditional mysql_native_password plugin method, one must run the following:
 
   ```nix
   {
@@ -284,7 +284,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The [matrix-synapse](options.html#opt-services.matrix-synapse.enable) module no longer includes optional dependencies by default, they have to be added through the [plugins](options.html#opt-services.matrix-synapse.plugins) option.
 
-- `buildGoModule` now internally creates a vendor directory in the source tree for downloaded modules instead of using go\'s [module proxy protocol](https://golang.org/cmd/go/#hdr-Module_proxy_protocol). This storage format is simpler and therefore less likely to break with future versions of go. As a result `buildGoModule` switched from `modSha256` to the `vendorSha256` attribute to pin fetched version data.
+- `buildGoModule` now internally creates a vendor directory in the source tree for downloaded modules instead of using go's [module proxy protocol](https://golang.org/cmd/go/#hdr-Module_proxy_protocol). This storage format is simpler and therefore less likely to break with future versions of go. As a result `buildGoModule` switched from `modSha256` to the `vendorSha256` attribute to pin fetched version data.
 
 - Grafana is now built without support for phantomjs by default. Phantomjs support has been [deprecated in Grafana](https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-4/) and the phantomjs project is [currently unmaintained](https://github.com/ariya/phantomjs/issues/15344#issue-302015362). It can still be enabled by providing `phantomJsSupport = true` to the package instantiation:
 
@@ -306,9 +306,9 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The initrd SSH support now uses OpenSSH rather than Dropbear to allow the use of Ed25519 keys and other OpenSSH-specific functionality. Host keys must now be in the OpenSSH format, and at least one pre-generated key must be specified.
 
-  If you used the `boot.initrd.network.ssh.host*Key` options, you\'ll get an error explaining how to convert your host keys and migrate to the new `boot.initrd.network.ssh.hostKeys` option. Otherwise, if you don\'t have any host keys set, you\'ll need to generate some; see the `hostKeys` option documentation for instructions.
+  If you used the `boot.initrd.network.ssh.host*Key` options, you'll get an error explaining how to convert your host keys and migrate to the new `boot.initrd.network.ssh.hostKeys` option. Otherwise, if you don't have any host keys set, you'll need to generate some; see the `hostKeys` option documentation for instructions.
 
-- Since this release there\'s an easy way to customize your PHP install to get a much smaller base PHP with only wanted extensions enabled. See the following snippet installing a smaller PHP with the extensions `imagick`, `opcache`, `pdo` and `pdo_mysql` loaded:
+- Since this release there's an easy way to customize your PHP install to get a much smaller base PHP with only wanted extensions enabled. See the following snippet installing a smaller PHP with the extensions `imagick`, `opcache`, `pdo` and `pdo_mysql` loaded:
 
   ```nix
   {
@@ -325,7 +325,7 @@ When upgrading from a previous release, please be aware of the following incompa
   }
   ```
 
-  The default `php` attribute hasn\'t lost any extensions. The `opcache` extension has been added. All upstream PHP extensions are available under php.extensions.\<name?\>.
+  The default `php` attribute hasn't lost any extensions. The `opcache` extension has been added. All upstream PHP extensions are available under php.extensions.\<name?\>.
 
   All PHP `config` flags have been removed for the following reasons:
 
@@ -418,9 +418,9 @@ When upgrading from a previous release, please be aware of the following incompa
 
   The default value for [services.httpd.mpm](options.html#opt-services.httpd.mpm) has been changed from `prefork` to `event`. Along with this change the default value for [services.httpd.virtualHosts.\<name\>.http2](options.html#opt-services.httpd.virtualHosts) has been set to `true`.
 
-- The `systemd-networkd` option `systemd.network.networks.<name>.dhcp.CriticalConnection` has been removed following upstream systemd\'s deprecation of the same. It is recommended to use `systemd.network.networks.<name>.networkConfig.KeepConfiguration` instead. See systemd.network 5 for details.
+- The `systemd-networkd` option `systemd.network.networks.<name>.dhcp.CriticalConnection` has been removed following upstream systemd's deprecation of the same. It is recommended to use `systemd.network.networks.<name>.networkConfig.KeepConfiguration` instead. See systemd.network 5 for details.
 
-- The `systemd-networkd` option `systemd.network.networks._name_.dhcpConfig` has been renamed to [systemd.network.networks._name_.dhcpV4Config](options.html#opt-systemd.network.networks._name_.dhcpV4Config) following upstream systemd\'s documentation change. See systemd.network 5 for details.
+- The `systemd-networkd` option `systemd.network.networks._name_.dhcpConfig` has been renamed to [systemd.network.networks._name_.dhcpV4Config](options.html#opt-systemd.network.networks._name_.dhcpV4Config) following upstream systemd's documentation change. See systemd.network 5 for details.
 
 - In the `picom` module, several options that accepted floating point numbers encoded as strings (for example [services.picom.activeOpacity](options.html#opt-services.picom.activeOpacity)) have been changed to the (relatively) new native `float` type. To migrate your configuration simply remove the quotes around the numbers.
 
@@ -440,7 +440,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The GRUB specific option `boot.loader.grub.extraInitrd` has been replaced with the generic option `boot.initrd.secrets`. This option creates a secondary initrd from the specified files, rather than using a manually created initrd file. Due to an existing bug with `boot.loader.grub.extraInitrd`, it is not possible to directly boot an older generation that used that option. It is still possible to rollback to that generation if the required initrd file has not been deleted.
 
-- The [DNSChain](https://github.com/okTurtles/dnschain) package and NixOS module have been removed from Nixpkgs as the software is unmaintained and can\'t be built. For more information see issue [\#89205](https://github.com/NixOS/nixpkgs/issues/89205).
+- The [DNSChain](https://github.com/okTurtles/dnschain) package and NixOS module have been removed from Nixpkgs as the software is unmaintained and can't be built. For more information see issue [\#89205](https://github.com/NixOS/nixpkgs/issues/89205).
 
 - In the `resilio` module, [services.resilio.httpListenAddr](options.html#opt-services.resilio.httpListenAddr) has been changed to listen to `[::1]` instead of `0.0.0.0`.
 
@@ -456,7 +456,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
   - Update servers first, then clients.
 
-- Radicale\'s default package has changed from 2.x to 3.x. An upgrade checklist can be found [here](https://github.com/Kozea/Radicale/blob/3.0.x/NEWS.md#upgrade-checklist). You can use the newer version in the NixOS service by setting the `package` to `radicale3`, which is done automatically if `stateVersion` is 20.09 or higher.
+- Radicale's default package has changed from 2.x to 3.x. An upgrade checklist can be found [here](https://github.com/Kozea/Radicale/blob/3.0.x/NEWS.md#upgrade-checklist). You can use the newer version in the NixOS service by setting the `package` to `radicale3`, which is done automatically if `stateVersion` is 20.09 or higher.
 
 - `udpt` experienced a complete rewrite from C++ to rust. The configuration format changed from ini to toml. The new configuration documentation can be found at [the official website](https://naim94a.github.io/udpt/config.html) and example configuration is packaged in `${udpt}/share/udpt/udpt.toml`.
 
@@ -522,7 +522,7 @@ When upgrading from a previous release, please be aware of the following incompa
   }
   ```
 
-  The base package has also been upgraded to the 2020-07-29 \"Hogfather\" release. Plugins might be incompatible or require upgrading.
+  The base package has also been upgraded to the 2020-07-29 "Hogfather" release. Plugins might be incompatible or require upgrading.
 
 - The [services.postgresql.dataDir](options.html#opt-services.postgresql.dataDir) option is now set to `"/var/lib/postgresql/${cfg.package.psqlSchema}"` regardless of your [system.stateVersion](options.html#opt-system.stateVersion). Users with an existing postgresql install that have a [system.stateVersion](options.html#opt-system.stateVersion) of `17.03` or below should double check what the value of their [services.postgresql.dataDir](options.html#opt-services.postgresql.dataDir) option is (`/var/db/postgresql`) and then explicitly set this value to maintain compatibility:
 
@@ -552,17 +552,17 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The [jellyfin](options.html#opt-services.jellyfin.enable) module will use and stay on the Jellyfin version `10.5.5` if `stateVersion` is lower than `20.09`. This is because significant changes were made to the database schema, and it is highly recommended to backup your instance before upgrading. After making your backup, you can upgrade to the latest version either by setting your `stateVersion` to `20.09` or higher, or set the `services.jellyfin.package` to `pkgs.jellyfin`. If you do not wish to upgrade Jellyfin, but want to change your `stateVersion`, you can set the value of `services.jellyfin.package` to `pkgs.jellyfin_10_5`.
 
-- The `security.rngd` service is now disabled by default. This choice was made because there\'s krngd in the linux kernel space making it (for most usecases) functionally redundent.
+- The `security.rngd` service is now disabled by default. This choice was made because there's krngd in the linux kernel space making it (for most usecases) functionally redundent.
 
 - The `hardware.nvidia.optimus_prime.enable` service has been renamed to `hardware.nvidia.prime.sync.enable` and has many new enhancements. Related nvidia prime settings may have also changed.
 
 - The package nextcloud17 has been removed and nextcloud18 was marked as insecure since both of them will [ will be EOL (end of life) within the lifetime of 20.09](https://docs.nextcloud.com/server/19/admin_manual/release_schedule.html).
 
-  It\'s necessary to upgrade to nextcloud19:
+  It's necessary to upgrade to nextcloud19:
 
-  - From nextcloud17, you have to upgrade to nextcloud18 first as Nextcloud doesn\'t allow going multiple major revisions forward in a single upgrade. This is possible by setting [services.nextcloud.package](options.html#opt-services.nextcloud.package) to nextcloud18.
+  - From nextcloud17, you have to upgrade to nextcloud18 first as Nextcloud doesn't allow going multiple major revisions forward in a single upgrade. This is possible by setting [services.nextcloud.package](options.html#opt-services.nextcloud.package) to nextcloud18.
 
-  - From nextcloud18, it\'s possible to directly upgrade to nextcloud19 by setting [services.nextcloud.package](options.html#opt-services.nextcloud.package) to nextcloud19.
+  - From nextcloud18, it's possible to directly upgrade to nextcloud19 by setting [services.nextcloud.package](options.html#opt-services.nextcloud.package) to nextcloud19.
 
 - The GNOME desktop manager no longer default installs gnome3.epiphany. It was chosen to do this as it has a usability breaking issue (see issue [\#98819](https://github.com/NixOS/nixpkgs/issues/98819)) that makes it unsuitable to be a default app.
 
@@ -578,7 +578,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - `services.journald.rateLimitBurst` was updated from `1000` to `10000` to follow the new upstream systemd default.
 
-- The notmuch package moves its emacs-related binaries and emacs lisp files to a separate output. They\'re not part of the default `out` output anymore - if you relied on the `notmuch-emacs-mua` binary or the emacs lisp files, access them via the `notmuch.emacs` output.
+- The notmuch package moves its emacs-related binaries and emacs lisp files to a separate output. They're not part of the default `out` output anymore - if you relied on the `notmuch-emacs-mua` binary or the emacs lisp files, access them via the `notmuch.emacs` output.
 
 - Device tree overlay support was improved in [\#79370](https://github.com/NixOS/nixpkgs/pull/79370) and now uses [hardware.deviceTree.kernelPackage](options.html#opt-hardware.deviceTree.kernelPackage) instead of `hardware.deviceTree.base`. [hardware.deviceTree.overlays](options.html#opt-hardware.deviceTree.overlays) configuration was extended to support `.dts` files with symbols. Device trees can now be filtered by setting [hardware.deviceTree.filter](options.html#opt-hardware.deviceTree.filter) option.
 
@@ -590,7 +590,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
   Please note that Rust packages utilizing a custom build/install procedure (e.g. by using a `Makefile`) or test suites that rely on the structure of the `target/` directory may break due to those assumptions. For further information, please read the Rust section in the Nixpkgs manual.
 
-- The cc- and binutils-wrapper\'s \"infix salt\" and `_BUILD_` and `_TARGET_` user infixes have been replaced with with a \"suffix salt\" and suffixes and `_FOR_BUILD` and `_FOR_TARGET`. This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier.
+- The cc- and binutils-wrapper's "infix salt" and `_BUILD_` and `_TARGET_` user infixes have been replaced with with a "suffix salt" and suffixes and `_FOR_BUILD` and `_FOR_TARGET`. This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier.
 
 - Additional Git documentation (HTML and text files) is now available via the `git-doc` package.
 
@@ -598,7 +598,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The installer now enables sshd by default. This improves installation on headless machines especially ARM single-board-computer. To login through ssh, either a password or an ssh key must be set for the root user or the nixos user.
 
-- The scripted networking system now uses `.link` files in `/etc/systemd/network` to configure mac address and link MTU, instead of the sometimes buggy `network-link-*` units, which have been removed. Bringing the interface up has been moved to the beginning of the `network-addresses-*` unit. Note this doesn\'t require `systemd-networkd` - it\'s udev that parses `.link` files. Extra care needs to be taken in the presence of [legacy udev rules](https://wiki.debian.org/NetworkInterfaceNames#THE_.22PERSISTENT_NAMES.22_SCHEME) to rename interfaces, as MAC Address and MTU defined in these options can only match on the original link name. In such cases, you most likely want to create a `10-*.link` file through [systemd.network.links](options.html#opt-systemd.network.links) and set both name and MAC Address / MTU there.
+- The scripted networking system now uses `.link` files in `/etc/systemd/network` to configure mac address and link MTU, instead of the sometimes buggy `network-link-*` units, which have been removed. Bringing the interface up has been moved to the beginning of the `network-addresses-*` unit. Note this doesn't require `systemd-networkd` - it's udev that parses `.link` files. Extra care needs to be taken in the presence of [legacy udev rules](https://wiki.debian.org/NetworkInterfaceNames#THE_.22PERSISTENT_NAMES.22_SCHEME) to rename interfaces, as MAC Address and MTU defined in these options can only match on the original link name. In such cases, you most likely want to create a `10-*.link` file through [systemd.network.links](options.html#opt-systemd.network.links) and set both name and MAC Address / MTU there.
 
 - Grafana received a major update to version 7.x. A plugin is now needed for image rendering support, and plugins must now be signed by default. More information can be found [in the Grafana documentation](https://grafana.com/docs/grafana/latest/installation/upgrading/#upgrading-to-v7-0).
 
@@ -624,15 +624,15 @@ When upgrading from a previous release, please be aware of the following incompa
 
   to get the previous behavior of listening on all network interfaces.
 
-- With this release `systemd-networkd` (when enabled through [networking.useNetworkd](options.html#opt-networking.useNetworkd)) has it\'s netlink socket created through a `systemd.socket` unit. This gives us control over socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual) devices the default buffer size (currently 128MB) is not enough.
+- With this release `systemd-networkd` (when enabled through [networking.useNetworkd](options.html#opt-networking.useNetworkd)) has it's netlink socket created through a `systemd.socket` unit. This gives us control over socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual) devices the default buffer size (currently 128MB) is not enough.
 
   On a machine with \>100 virtual interfaces (e.g., wireguard tunnels, VLANs, ...), that all have to be brought up during system startup, the receive buffer size will spike for a brief period. Eventually some of the message will be dropped since there is not enough (permitted) buffer space available.
 
   By having `systemd-networkd` start with a netlink socket created by `systemd` we can configure the `ReceiveBufferSize=` parameter in the socket options (i.e. `systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize`) without recompiling `systemd-networkd`.
 
-  Since the actual memory requirements depend on hardware, timing, exact configurations etc. it isn\'t currently possible to infer a good default from within the NixOS module system. Administrators are advised to monitor the logs of `systemd-networkd` for `rtnl: kernel receive buffer overrun` spam and increase the memory limit as they see fit.
+  Since the actual memory requirements depend on hardware, timing, exact configurations etc. it isn't currently possible to infer a good default from within the NixOS module system. Administrators are advised to monitor the logs of `systemd-networkd` for `rtnl: kernel receive buffer overrun` spam and increase the memory limit as they see fit.
 
-  Note: Increasing the `ReceiveBufferSize=` doesn\'t allocate any memory. It just increases the upper bound on the kernel side. The memory allocation depends on the amount of messages that are queued on the kernel side of the netlink socket.
+  Note: Increasing the `ReceiveBufferSize=` doesn't allocate any memory. It just increases the upper bound on the kernel side. The memory allocation depends on the amount of messages that are queued on the kernel side of the netlink socket.
 
 - Specifying [mailboxes](options.html#opt-services.dovecot2.mailboxes) in the dovecot2 module as a list is deprecated and will break eval in 21.05. Instead, an attribute-set should be specified where the `name` should be the key of the attribute.
 
@@ -662,7 +662,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - nextcloud has been updated to [v19](https://nextcloud.com/blog/nextcloud-hub-brings-productivity-to-home-office/).
 
-  If you have an existing installation, please make sure that you\'re on nextcloud18 before upgrading to nextcloud19 since Nextcloud doesn\'t support upgrades across multiple major versions.
+  If you have an existing installation, please make sure that you're on nextcloud18 before upgrading to nextcloud19 since Nextcloud doesn't support upgrades across multiple major versions.
 
 - The `nixos-run-vms` script now deletes the previous run machines states on test startup. You can use the `--keep-vm-state` flag to match the previous behaviour and keep the same VM state between different test runs.
 
diff --git a/nixos/doc/manual/release-notes/rl-2105.section.md b/nixos/doc/manual/release-notes/rl-2105.section.md
index 77c4a9cd7a0ac..6244d79e7e781 100644
--- a/nixos/doc/manual/release-notes/rl-2105.section.md
+++ b/nixos/doc/manual/release-notes/rl-2105.section.md
@@ -68,9 +68,9 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - If the `services.dbus` module is enabled, then the user D-Bus session is now always socket activated. The associated options `services.dbus.socketActivated` and `services.xserver.startDbusSession` have therefore been removed and you will receive a warning if they are present in your configuration. This change makes the user D-Bus session available also for non-graphical logins.
 
-- The `networking.wireless.iwd` module now installs the upstream-provided 80-iwd.link file, which sets the NamePolicy= for all wlan devices to \"keep kernel\", to avoid race conditions between iwd and networkd. If you don\'t want this, you can set `systemd.network.links."80-iwd" = lib.mkForce {}`.
+- The `networking.wireless.iwd` module now installs the upstream-provided 80-iwd.link file, which sets the NamePolicy= for all wlan devices to "keep kernel", to avoid race conditions between iwd and networkd. If you don't want this, you can set `systemd.network.links."80-iwd" = lib.mkForce {}`.
 
-- `rubyMinimal` was removed due to being unused and unusable. The default ruby interpreter includes JIT support, which makes it reference it\'s compiler. Since JIT support is probably needed by some Gems, it was decided to enable this feature with all cc references by default, and allow to build a Ruby derivation without references to cc, by setting `jitSupport = false;` in an overlay. See [\#90151](https://github.com/NixOS/nixpkgs/pull/90151) for more info.
+- `rubyMinimal` was removed due to being unused and unusable. The default ruby interpreter includes JIT support, which makes it reference it's compiler. Since JIT support is probably needed by some Gems, it was decided to enable this feature with all cc references by default, and allow to build a Ruby derivation without references to cc, by setting `jitSupport = false;` in an overlay. See [\#90151](https://github.com/NixOS/nixpkgs/pull/90151) for more info.
 
 - Setting `services.openssh.authorizedKeysFiles` now also affects which keys `security.pam.enableSSHAgentAuth` will use. WARNING: If you are using these options in combination do make sure that any key paths you use are present in `services.openssh.authorizedKeysFiles`!
 
@@ -130,7 +130,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - `vim` and `neovim` switched to Python 3, dropping all Python 2 support.
 
-- [networking.wireguard.interfaces.\<name\>.generatePrivateKeyFile](options.html#opt-networking.wireguard.interfaces), which is off by default, had a `chmod` race condition fixed. As an aside, the parent directory\'s permissions were widened, and the key files were made owner-writable. This only affects newly created keys. However, if the exact permissions are important for your setup, read [\#121294](https://github.com/NixOS/nixpkgs/pull/121294).
+- [networking.wireguard.interfaces.\<name\>.generatePrivateKeyFile](options.html#opt-networking.wireguard.interfaces), which is off by default, had a `chmod` race condition fixed. As an aside, the parent directory's permissions were widened, and the key files were made owner-writable. This only affects newly created keys. However, if the exact permissions are important for your setup, read [\#121294](https://github.com/NixOS/nixpkgs/pull/121294).
 
 - [boot.zfs.forceImportAll](options.html#opt-boot.zfs.forceImportAll) previously did nothing, but has been fixed. However its default has been changed to `false` to preserve the existing default behaviour. If you have this explicitly set to `true`, please note that your non-root pools will now be forcibly imported.
 
@@ -157,12 +157,12 @@ When upgrading from a previous release, please be aware of the following incompa
 - Amazon EC2 and OpenStack Compute (nova) images now re-fetch instance meta data and user data from the instance metadata service (IMDS) on each boot. For example: stopping an EC2 instance, changing its user data, and restarting the instance will now cause it to fetch and apply the new user data.
 
   ::: {.warning}
-  Specifically, `/etc/ec2-metadata` is re-populated on each boot. Some NixOS scripts that read from this directory are guarded to only run if the files they want to manipulate do not already exist, and so will not re-apply their changes if the IMDS response changes. Examples: `root`\'s SSH key is only added if `/root/.ssh/authorized_keys` does not exist, and SSH host keys are only set from user data if they do not exist in `/etc/ssh`.
+  Specifically, `/etc/ec2-metadata` is re-populated on each boot. Some NixOS scripts that read from this directory are guarded to only run if the files they want to manipulate do not already exist, and so will not re-apply their changes if the IMDS response changes. Examples: `root`'s SSH key is only added if `/root/.ssh/authorized_keys` does not exist, and SSH host keys are only set from user data if they do not exist in `/etc/ssh`.
   :::
 
 - The `rspamd` services is now sandboxed. It is run as a dynamic user instead of root, so secrets and other files may have to be moved or their permissions may have to be fixed. The sockets are now located in `/run/rspamd` instead of `/run`.
 
-- Enabling the Tor client no longer silently also enables and configures Privoxy, and the `services.tor.client.privoxy.enable` option has been removed. To enable Privoxy, and to configure it to use Tor\'s faster port, use the following configuration:
+- Enabling the Tor client no longer silently also enables and configures Privoxy, and the `services.tor.client.privoxy.enable` option has been removed. To enable Privoxy, and to configure it to use Tor's faster port, use the following configuration:
 
   ```nix
   {
@@ -181,7 +181,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - The fish-foreign-env package has been replaced with fishPlugins.foreign-env, in which the fish functions have been relocated to the `vendor_functions.d` directory to be loaded automatically.
 
-- The prometheus json exporter is now managed by the prometheus community. Together with additional features some backwards incompatibilities were introduced. Most importantly the exporter no longer accepts a fixed command-line parameter to specify the URL of the endpoint serving JSON. It now expects this URL to be passed as an URL parameter, when scraping the exporter\'s `/probe` endpoint. In the prometheus scrape configuration the scrape target might look like this:
+- The prometheus json exporter is now managed by the prometheus community. Together with additional features some backwards incompatibilities were introduced. Most importantly the exporter no longer accepts a fixed command-line parameter to specify the URL of the endpoint serving JSON. It now expects this URL to be passed as an URL parameter, when scraping the exporter's `/probe` endpoint. In the prometheus scrape configuration the scrape target might look like this:
 
   ```
   http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/endpoint
@@ -230,7 +230,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
   Additionally, packages flashplayer and hal-flash were removed along with the `services.flashpolicyd` module.
 
-- The `security.rngd` module has been removed. It was disabled by default in 20.09 as it was functionally redundant with krngd in the linux kernel. It is not necessary for any device that the kernel recognises as an hardware RNG, as it will automatically run the krngd task to periodically collect random data from the device and mix it into the kernel\'s RNG.
+- The `security.rngd` module has been removed. It was disabled by default in 20.09 as it was functionally redundant with krngd in the linux kernel. It is not necessary for any device that the kernel recognises as an hardware RNG, as it will automatically run the krngd task to periodically collect random data from the device and mix it into the kernel's RNG.
 
   The default SMTP port for GitLab has been changed to `25` from its previous default of `465`. If you depended on this default, you should now set the [services.gitlab.smtp.port](options.html#opt-services.gitlab.smtp.port) option.
 
@@ -272,11 +272,11 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - `environment.defaultPackages` now includes the nano package. If pkgs.nano is not added to the list, make sure another editor is installed and the `EDITOR` environment variable is set to it. Environment variables can be set using `environment.variables`.
 
-- `services.minio.dataDir` changed type to a list of paths, required for specifiyng multiple data directories for using with erasure coding. Currently, the service doesn\'t enforce nor checks the correct number of paths to correspond to minio requirements.
+- `services.minio.dataDir` changed type to a list of paths, required for specifiyng multiple data directories for using with erasure coding. Currently, the service doesn't enforce nor checks the correct number of paths to correspond to minio requirements.
 
 - All CUDA toolkit versions prior to CUDA 10 have been removed.
 
-- The kbdKeymaps package was removed since dvp and neo are now included in kbd. If you want to use the Programmer Dvorak Keyboard Layout, you have to use `dvorak-programmer` in `console.keyMap` now instead of `dvp`. In `services.xserver.xkbVariant` it\'s still `dvp`.
+- The kbdKeymaps package was removed since dvp and neo are now included in kbd. If you want to use the Programmer Dvorak Keyboard Layout, you have to use `dvorak-programmer` in `console.keyMap` now instead of `dvp`. In `services.xserver.xkbVariant` it's still `dvp`.
 
 - The babeld service is now being run as an unprivileged user. To achieve that the module configures `skip-kernel-setup true` and takes care of setting forwarding and rp_filter sysctls by itself as well as for each interface in `services.babeld.interfaces`.
 
@@ -286,7 +286,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - Instead of determining `services.radicale.package` automatically based on `system.stateVersion`, the latest version is always used because old versions are not officially supported.
 
-  Furthermore, Radicale\'s systemd unit was hardened which might break some deployments. In particular, a non-default `filesystem_folder` has to be added to `systemd.services.radicale.serviceConfig.ReadWritePaths` if the deprecated `services.radicale.config` is used.
+  Furthermore, Radicale's systemd unit was hardened which might break some deployments. In particular, a non-default `filesystem_folder` has to be added to `systemd.services.radicale.serviceConfig.ReadWritePaths` if the deprecated `services.radicale.config` is used.
 
 - In the `security.acme` module, use of `--reuse-key` parameter for Lego has been removed. It was introduced for HKPK, but this security feature is now deprecated. It is a better security practice to rotate key pairs instead of always keeping the same. If you need to keep this parameter, you can add it back using `extraLegoRenewFlags` as an option for the appropriate certificate.
 
@@ -294,13 +294,13 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - `stdenv.lib` has been deprecated and will break eval in 21.11. Please use `pkgs.lib` instead. See [\#108938](https://github.com/NixOS/nixpkgs/issues/108938) for details.
 
-- [GNURadio](https://www.gnuradio.org/) has a `pkgs` attribute set, and there\'s a `gnuradio.callPackage` function that extends `pkgs` with a `mkDerivation`, and a `mkDerivationWith`, like Qt5. Now all `gnuradio.pkgs` are defined with `gnuradio.callPackage` and some packages that depend on gnuradio are defined with this as well.
+- [GNURadio](https://www.gnuradio.org/) has a `pkgs` attribute set, and there's a `gnuradio.callPackage` function that extends `pkgs` with a `mkDerivation`, and a `mkDerivationWith`, like Qt5. Now all `gnuradio.pkgs` are defined with `gnuradio.callPackage` and some packages that depend on gnuradio are defined with this as well.
 
 - [Privoxy](https://www.privoxy.org/) has been updated to version 3.0.32 (See [announcement](https://lists.privoxy.org/pipermail/privoxy-announce/2021-February/000007.html)). Compared to the previous release, Privoxy has gained support for HTTPS inspection (still experimental), Brotli decompression, several new filters and lots of bug fixes, including security ones. In addition, the package is now built with compression and external filters support, which were previously disabled.
 
   Regarding the NixOS module, new options for HTTPS inspection have been added and `services.privoxy.extraConfig` has been replaced by the new [services.privoxy.settings](options.html#opt-services.privoxy.settings) (See [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) for the motivation).
 
-- [Kodi](https://kodi.tv/) has been updated to version 19.1 \"Matrix\". See the [announcement](https://kodi.tv/article/kodi-19-0-matrix-release) for further details.
+- [Kodi](https://kodi.tv/) has been updated to version 19.1 "Matrix". See the [announcement](https://kodi.tv/article/kodi-19-0-matrix-release) for further details.
 
 - The `services.packagekit.backend` option has been removed as it only supported a single setting which would always be the default. Instead new [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) compliant [services.packagekit.settings](options.html#opt-services.packagekit.settings) and [services.packagekit.vendorSettings](options.html#opt-services.packagekit.vendorSettings) options have been introduced.
 
@@ -316,13 +316,13 @@ When upgrading from a previous release, please be aware of the following incompa
 
   If this option is disabled, default MTA config becomes not set and you should set the options in `services.mailman.settings.mta` according to the desired configuration as described in [Mailman documentation](https://mailman.readthedocs.io/en/latest/src/mailman/docs/mta.html).
 
-- The default-version of `nextcloud` is nextcloud21. Please note that it\'s _not_ possible to upgrade `nextcloud` across multiple major versions! This means that it\'s e.g. not possible to upgrade from nextcloud18 to nextcloud20 in a single deploy and most `20.09` users will have to upgrade to nextcloud20 first.
+- The default-version of `nextcloud` is nextcloud21. Please note that it's _not_ possible to upgrade `nextcloud` across multiple major versions! This means that it's e.g. not possible to upgrade from nextcloud18 to nextcloud20 in a single deploy and most `20.09` users will have to upgrade to nextcloud20 first.
 
   The package can be manually upgraded by setting [services.nextcloud.package](options.html#opt-services.nextcloud.package) to nextcloud21.
 
 - The setting [services.redis.bind](options.html#opt-services.redis.bind) defaults to `127.0.0.1` now, making Redis listen on the loopback interface only, and not all public network interfaces.
 
-- NixOS now emits a deprecation warning if systemd\'s `StartLimitInterval` setting is used in a `serviceConfig` section instead of in a `unitConfig`; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See [\#45785](https://github.com/NixOS/nixpkgs/issues/45785) for details.
+- NixOS now emits a deprecation warning if systemd's `StartLimitInterval` setting is used in a `serviceConfig` section instead of in a `unitConfig`; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See [\#45785](https://github.com/NixOS/nixpkgs/issues/45785) for details.
 
   All services should use [systemd.services._name_.startLimitIntervalSec](options.html#opt-systemd.services._name_.startLimitIntervalSec) or `StartLimitIntervalSec` in [systemd.services._name_.unitConfig](options.html#opt-systemd.services._name_.unitConfig) instead.
 
@@ -357,7 +357,7 @@ When upgrading from a previous release, please be aware of the following incompa
 
   `services.unbound.forwardAddresses` and `services.unbound.allowedAccess` have also been changed to use the new settings interface. You can follow the instructions when executing `nixos-rebuild` to upgrade your configuration to use the new interface.
 
-- The `services.dnscrypt-proxy2` module now takes the upstream\'s example configuration and updates it with the user\'s settings. An option has been added to restore the old behaviour if you prefer to declare the configuration from scratch.
+- The `services.dnscrypt-proxy2` module now takes the upstream's example configuration and updates it with the user's settings. An option has been added to restore the old behaviour if you prefer to declare the configuration from scratch.
 
 - NixOS now defaults to the unified cgroup hierarchy (cgroupsv2). See the [Fedora Article for 31](https://www.redhat.com/sysadmin/fedora-31-control-group-v2) for details on why this is desirable, and how it impacts containers.
 
@@ -367,11 +367,11 @@ When upgrading from a previous release, please be aware of the following incompa
 
 - GNOME users may wish to delete their `~/.config/pulse` due to the changes to stream routing logic. See [PulseAudio bug 832](https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/issues/832) for more information.
 
-- The zookeeper package does not provide `zooInspector.sh` anymore, as that \"contrib\" has been dropped from upstream releases.
+- The zookeeper package does not provide `zooInspector.sh` anymore, as that "contrib" has been dropped from upstream releases.
 
 - In the ACME module, the data used to build the hash for the account directory has changed to accommodate new features to reduce account rate limit issues. This will trigger new account creation on the first rebuild following this update. No issues are expected to arise from this, thanks to the new account creation handling.
 
-- [users.users._name_.createHome](options.html#opt-users.users._name_.createHome) now always ensures home directory permissions to be `0700`. Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others. The option\'s description was incorrect regarding ownership management and has been simplified greatly.
+- [users.users._name_.createHome](options.html#opt-users.users._name_.createHome) now always ensures home directory permissions to be `0700`. Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others. The option's description was incorrect regarding ownership management and has been simplified greatly.
 
 - When defining a new user, one of [users.users._name_.isNormalUser](options.html#opt-users.users._name_.isNormalUser) and [users.users._name_.isSystemUser](options.html#opt-users.users._name_.isSystemUser) is now required. This is to prevent accidentally giving a UID above 1000 to system users, which could have unexpected consequences, like running user activation scripts for system users. Note that users defined with an explicit UID below 500 are exempted from this check, as [users.users._name_.isSystemUser](options.html#opt-users.users._name_.isSystemUser) has no effect for those.
 
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index fc4b44957c36c..7272e9231582c 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -235,7 +235,7 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The `erigon` ethereum node has moved to a new database format in `2021-05-04`, and requires a full resync
 
-- The `erigon` ethereum node has moved it's database location in `2021-08-03`, users upgrading must manually move their chaindata (see [release notes](https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03)).
+- The `erigon` ethereum node has moved its database location in `2021-08-03`, users upgrading must manually move their chaindata (see [release notes](https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03)).
 
 - [users.users.&lt;name&gt;.group](options.html#opt-users.users._name_.group) no longer defaults to `nogroup`, which was insecure. Out-of-tree modules are likely to require adaptation: instead of
   ```nix
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 2d05d092f5b6b..bc3462914e5e1 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -14,8 +14,14 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
+- [Akkoma](https://akkoma.social), an ActivityPub microblogging server. Available as [services.akkoma](options.html#opt-services.akkoma.enable).
+
 - [blesh](https://github.com/akinomyoga/ble.sh), a line editor written in pure bash. Available as [programs.bash.blesh](#opt-programs.bash.blesh.enable).
 
+- [webhook](https://github.com/adnanh/webhook), a lightweight webhook server. Available as [services.webhook](#opt-services.webhook.enable).
+
+- [cups-pdf-to-pdf](https://github.com/alexivkin/CUPS-PDF-to-PDF), a pdf-generating cups backend based on [cups-pdf](https://www.cups-pdf.de/). Available as [services.printing.cups-pdf](#opt-services.printing.cups-pdf.enable).
+
 - [fzf](https://github.com/junegunn/fzf), a command line fuzzyfinder. Available as [programs.fzf](#opt-programs.fzf.fuzzyCompletion).
 
 - [atuin](https://github.com/ellie/atuin), a sync server for shell history. Available as [services.atuin](#opt-services.atuin.enable).
@@ -24,6 +30,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [v2rayA](https://v2raya.org), a Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel. Available as [services.v2raya](options.html#opt-services.v2raya.enable).
 
+- [ulogd](https://www.netfilter.org/projects/ulogd/index.html), a userspace logging daemon for netfilter/iptables related logging. Available as [services.ulogd](options.html#opt-services.ulogd.enable).
+
 ## Backward Incompatibilities {#sec-release-23.05-incompatibilities}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -95,12 +103,18 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - `nixos/lib/make-disk-image.nix` can now mutate EFI variables, run user-provided EFI firmware or variable templates. This is now extensively documented in the NixOS manual.
 
+- `services.grafana` listens only on localhost by default again. This was changed to upstreams default of `0.0.0.0` by accident in the freeform setting conversion.
+
 - A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm).
 
 - The new option `users.motdFile` allows configuring a Message Of The Day that can be updated dynamically.
 
 - Enabling global redirect in `services.nginx.virtualHosts` now allows one to add exceptions with the `locations` option.
 
+- A new option `recommendedBrotliSettings` has been added to `services.nginx`. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md).
+
+- [Garage](https://garagehq.deuxfleurs.fr/) version is based on [system.stateVersion](options.html#opt-system.stateVersion), existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow [upstream instructions](https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/) and force [services.garage.package](options.html#opt-services.garage.package) or upgrade accordingly [system.stateVersion](options.html#opt-system.stateVersion).
+
 - Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.
 
 - The `firewall` and `nat` module now has a nftables based implementation. Enable `networking.nftables` to use it.
diff --git a/nixos/lib/test-driver/test_driver/__init__.py b/nixos/lib/test-driver/test_driver/__init__.py
index 61d91c9ed6545..db7e0ed33a892 100755
--- a/nixos/lib/test-driver/test_driver/__init__.py
+++ b/nixos/lib/test-driver/test_driver/__init__.py
@@ -41,11 +41,9 @@ def writeable_dir(arg: str) -> Path:
     """
     path = Path(arg)
     if not path.is_dir():
-        raise argparse.ArgumentTypeError("{0} is not a directory".format(path))
+        raise argparse.ArgumentTypeError(f"{path} is not a directory")
     if not os.access(path, os.W_OK):
-        raise argparse.ArgumentTypeError(
-            "{0} is not a writeable directory".format(path)
-        )
+        raise argparse.ArgumentTypeError(f"{path} is not a writeable directory")
     return path
 
 
diff --git a/nixos/lib/test-driver/test_driver/driver.py b/nixos/lib/test-driver/test_driver/driver.py
index 6542a2e2f6938..de6abbb4679e2 100644
--- a/nixos/lib/test-driver/test_driver/driver.py
+++ b/nixos/lib/test-driver/test_driver/driver.py
@@ -19,15 +19,11 @@ def get_tmp_dir() -> Path:
     tmp_dir.mkdir(mode=0o700, exist_ok=True)
     if not tmp_dir.is_dir():
         raise NotADirectoryError(
-            "The directory defined by TMPDIR, TEMP, TMP or CWD: {0} is not a directory".format(
-                tmp_dir
-            )
+            f"The directory defined by TMPDIR, TEMP, TMP or CWD: {tmp_dir} is not a directory"
         )
     if not os.access(tmp_dir, os.W_OK):
         raise PermissionError(
-            "The directory defined by TMPDIR, TEMP, TMP, or CWD: {0} is not writeable".format(
-                tmp_dir
-            )
+            f"The directory defined by TMPDIR, TEMP, TMP, or CWD: {tmp_dir} is not writeable"
         )
     return tmp_dir
 
diff --git a/nixos/lib/test-driver/test_driver/logger.py b/nixos/lib/test-driver/test_driver/logger.py
index 59ed295472315..e6182ff7c761d 100644
--- a/nixos/lib/test-driver/test_driver/logger.py
+++ b/nixos/lib/test-driver/test_driver/logger.py
@@ -36,7 +36,7 @@ class Logger:
 
     def maybe_prefix(self, message: str, attributes: Dict[str, str]) -> str:
         if "machine" in attributes:
-            return "{}: {}".format(attributes["machine"], message)
+            return f"{attributes['machine']}: {message}"
         return message
 
     def log_line(self, message: str, attributes: Dict[str, str]) -> None:
@@ -62,9 +62,7 @@ class Logger:
     def log_serial(self, message: str, machine: str) -> None:
         self.enqueue({"msg": message, "machine": machine, "type": "serial"})
         if self._print_serial_logs:
-            self._eprint(
-                Style.DIM + "{} # {}".format(machine, message) + Style.RESET_ALL
-            )
+            self._eprint(Style.DIM + f"{machine} # {message}" + Style.RESET_ALL)
 
     def enqueue(self, item: Dict[str, str]) -> None:
         self.queue.put(item)
@@ -97,7 +95,7 @@ class Logger:
         yield
         self.drain_log_queue()
         toc = time.time()
-        self.log("(finished: {}, in {:.2f} seconds)".format(message, toc - tic))
+        self.log(f"(finished: {message}, in {toc - tic:.2f} seconds)")
 
         self.xml.endElement("nest")
 
diff --git a/nixos/lib/test-driver/test_driver/machine.py b/nixos/lib/test-driver/test_driver/machine.py
index ffbc7c18e42b6..6af964a0f588e 100644
--- a/nixos/lib/test-driver/test_driver/machine.py
+++ b/nixos/lib/test-driver/test_driver/machine.py
@@ -101,14 +101,14 @@ def _perform_ocr_on_screenshot(
 
     tess_args = f"-c debug_file=/dev/null --psm 11"
 
-    cmd = f"convert {magick_args} {screenshot_path} tiff:{screenshot_path}.tiff"
+    cmd = f"convert {magick_args} '{screenshot_path}' 'tiff:{screenshot_path}.tiff'"
     ret = subprocess.run(cmd, shell=True, capture_output=True)
     if ret.returncode != 0:
         raise Exception(f"TIFF conversion failed with exit code {ret.returncode}")
 
     model_results = []
     for model_id in model_ids:
-        cmd = f"tesseract {screenshot_path}.tiff - {tess_args} --oem {model_id}"
+        cmd = f"tesseract '{screenshot_path}.tiff' - {tess_args} --oem '{model_id}'"
         ret = subprocess.run(cmd, shell=True, capture_output=True)
         if ret.returncode != 0:
             raise Exception(f"OCR failed with exit code {ret.returncode}")
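Review bot: Hand-wrapping `{screenshot_path}` in single quotes on the `convert` and `tesseract` lines copes with spaces but is still not safe for a path containing a `'`, because both commands keep running through `shell=True`. Prefer `shlex.quote` (imported at the top of the module), e.g. `cmd = f"convert {magick_args} {shlex.quote(str(screenshot_path))} {shlex.quote(f'tiff:{screenshot_path}.tiff')}"` and the same on the tesseract line, or better pass an argv list to `subprocess.run` without `shell=True`. The same manual quoting appears on the `pnmtopng` line in the screenshot hunk further down in this file. `_perform_ocr_on_screenshot` begins before this hunk, so the values of `magick_args` and `screenshot_path` are not visible here.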
@@ -420,8 +420,8 @@ class Machine:
 
     def send_monitor_command(self, command: str) -> str:
         self.run_callbacks()
-        with self.nested("sending monitor command: {}".format(command)):
-            message = ("{}\n".format(command)).encode()
+        with self.nested(f"sending monitor command: {command}"):
+            message = f"{command}\n".encode()
             assert self.monitor is not None
             self.monitor.send(message)
             return self.wait_for_monitor_prompt()
@@ -438,7 +438,7 @@ class Machine:
             info = self.get_unit_info(unit, user)
             state = info["ActiveState"]
             if state == "failed":
-                raise Exception('unit "{}" reached state "{}"'.format(unit, state))
+                raise Exception(f'unit "{unit}" reached state "{state}"')
 
             if state == "inactive":
                 status, jobs = self.systemctl("list-jobs --full 2>&1", user)
@@ -446,27 +446,24 @@ class Machine:
                     info = self.get_unit_info(unit, user)
                     if info["ActiveState"] == state:
                         raise Exception(
-                            (
-                                'unit "{}" is inactive and there ' "are no pending jobs"
-                            ).format(unit)
+                            f'unit "{unit}" is inactive and there are no pending jobs'
                         )
 
             return state == "active"
 
         with self.nested(
-            "waiting for unit {}{}".format(
-                unit, f" with user {user}" if user is not None else ""
-            )
+            f"waiting for unit {unit}"
+            + (f" with user {user}" if user is not None else "")
         ):
             retry(check_active, timeout)
 
     def get_unit_info(self, unit: str, user: Optional[str] = None) -> Dict[str, str]:
-        status, lines = self.systemctl('--no-pager show "{}"'.format(unit), user)
+        status, lines = self.systemctl(f'--no-pager show "{unit}"', user)
         if status != 0:
             raise Exception(
-                'retrieving systemctl info for unit "{}" {} failed with exit code {}'.format(
-                    unit, "" if user is None else 'under user "{}"'.format(user), status
-                )
+                f'retrieving systemctl info for unit "{unit}"'
+                + ("" if user is None else f' under user "{user}"')
+                + f" failed with exit code {status}"
             )
 
         line_pattern = re.compile(r"^([^=]+)=(.*)$")
@@ -486,24 +483,22 @@ class Machine:
         if user is not None:
             q = q.replace("'", "\\'")
             return self.execute(
-                (
-                    "su -l {} --shell /bin/sh -c "
-                    "$'XDG_RUNTIME_DIR=/run/user/`id -u` "
-                    "systemctl --user {}'"
-                ).format(user, q)
+                f"su -l {user} --shell /bin/sh -c "
+                "$'XDG_RUNTIME_DIR=/run/user/`id -u` "
+                f"systemctl --user {q}'"
             )
-        return self.execute("systemctl {}".format(q))
+        return self.execute(f"systemctl {q}")
 
     def require_unit_state(self, unit: str, require_state: str = "active") -> None:
         with self.nested(
-            "checking if unit ‘{}’ has reached state '{}'".format(unit, require_state)
+            f"checking if unit '{unit}' has reached state '{require_state}'"
         ):
             info = self.get_unit_info(unit)
             state = info["ActiveState"]
             if state != require_state:
                 raise Exception(
-                    "Expected unit ‘{}’ to to be in state ".format(unit)
-                    + "'{}' but it is in state ‘{}’".format(require_state, state)
+                    f"Expected unit '{unit}' to to be in state "
+                    f"'{require_state}' but it is in state '{state}'"
                 )
 
     def _next_newline_closed_block_from_shell(self) -> str:
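Review bot: The rewritten error message in `require_unit_state` still carries the duplicated word in `f"Expected unit '{unit}' to to be in state "`; since the line is being rewritten anyway it should read `f"Expected unit '{unit}' to be in state "`. Replacing the curly ‘ ’ quotes with plain `'` in both messages is otherwise a welcome change, as it makes the log lines easier to grep. The `systemctl` method at the top of this hunk starts outside it, so the escaping done to `q` before it is interpolated cannot be reviewed from here.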
@@ -593,13 +588,11 @@ class Machine:
         """Execute each command and check that it succeeds."""
         output = ""
         for command in commands:
-            with self.nested("must succeed: {}".format(command)):
+            with self.nested(f"must succeed: {command}"):
                 (status, out) = self.execute(command, timeout=timeout)
                 if status != 0:
-                    self.log("output: {}".format(out))
-                    raise Exception(
-                        "command `{}` failed (exit code {})".format(command, status)
-                    )
+                    self.log(f"output: {out}")
+                    raise Exception(f"command `{command}` failed (exit code {status})")
                 output += out
         return output
 
@@ -607,12 +600,10 @@ class Machine:
         """Execute each command and check that it fails."""
         output = ""
         for command in commands:
-            with self.nested("must fail: {}".format(command)):
+            with self.nested(f"must fail: {command}"):
                 (status, out) = self.execute(command, timeout=timeout)
                 if status == 0:
-                    raise Exception(
-                        "command `{}` unexpectedly succeeded".format(command)
-                    )
+                    raise Exception(f"command `{command}` unexpectedly succeeded")
                 output += out
         return output
 
@@ -627,7 +618,7 @@ class Machine:
             status, output = self.execute(command, timeout=timeout)
             return status == 0
 
-        with self.nested("waiting for success: {}".format(command)):
+        with self.nested(f"waiting for success: {command}"):
             retry(check_success, timeout)
             return output
 
@@ -642,7 +633,7 @@ class Machine:
             status, output = self.execute(command, timeout=timeout)
             return status != 0
 
-        with self.nested("waiting for failure: {}".format(command)):
+        with self.nested(f"waiting for failure: {command}"):
             retry(check_failure)
             return output
 
@@ -661,8 +652,8 @@ class Machine:
 
     def get_tty_text(self, tty: str) -> str:
         status, output = self.execute(
-            "fold -w$(stty -F /dev/tty{0} size | "
-            "awk '{{print $2}}') /dev/vcs{0}".format(tty)
+            f"fold -w$(stty -F /dev/tty{tty} size | "
+            f"awk '{{print $2}}') /dev/vcs{tty}"
         )
         return output
 
@@ -681,11 +672,11 @@ class Machine:
                 )
             return len(matcher.findall(text)) > 0
 
-        with self.nested("waiting for {} to appear on tty {}".format(regexp, tty)):
+        with self.nested(f"waiting for {regexp} to appear on tty {tty}"):
             retry(tty_matches)
 
     def send_chars(self, chars: str, delay: Optional[float] = 0.01) -> None:
-        with self.nested("sending keys ‘{}‘".format(chars)):
+        with self.nested(f"sending keys '{chars}'"):
             for char in chars:
                 self.send_key(char, delay)
 
@@ -693,33 +684,33 @@ class Machine:
         """Waits until the file exists in machine's file system."""
 
         def check_file(_: Any) -> bool:
-            status, _ = self.execute("test -e {}".format(filename))
+            status, _ = self.execute(f"test -e (unknown)")
             return status == 0
 
-        with self.nested("waiting for file ‘{}‘".format(filename)):
+        with self.nested(f"waiting for file '(unknown)'"):
             retry(check_file)
 
-    def wait_for_open_port(self, port: int) -> None:
+    def wait_for_open_port(self, port: int, addr: str = "localhost") -> None:
         def port_is_open(_: Any) -> bool:
-            status, _ = self.execute("nc -z localhost {}".format(port))
+            status, _ = self.execute(f"nc -z {addr} {port}")
             return status == 0
 
-        with self.nested("waiting for TCP port {}".format(port)):
+        with self.nested(f"waiting for TCP port {port} on {addr}"):
             retry(port_is_open)
 
-    def wait_for_closed_port(self, port: int) -> None:
+    def wait_for_closed_port(self, port: int, addr: str = "localhost") -> None:
         def port_is_closed(_: Any) -> bool:
-            status, _ = self.execute("nc -z localhost {}".format(port))
+            status, _ = self.execute(f"nc -z {addr} {port}")
             return status != 0
 
-        with self.nested("waiting for TCP port {} to be closed".format(port)):
+        with self.nested(f"waiting for TCP port {port} on {addr} to be closed"):
             retry(port_is_closed)
 
     def start_job(self, jobname: str, user: Optional[str] = None) -> Tuple[int, str]:
-        return self.systemctl("start {}".format(jobname), user)
+        return self.systemctl(f"start {jobname}", user)
 
     def stop_job(self, jobname: str, user: Optional[str] = None) -> Tuple[int, str]:
-        return self.systemctl("stop {}".format(jobname), user)
+        return self.systemctl(f"stop {jobname}", user)
 
     def wait_for_job(self, jobname: str) -> None:
         self.wait_for_unit(jobname)
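Review bot: The new line `status, _ = self.execute(f"test -e (unknown)")` in `wait_for_file` no longer references the `filename` parameter, so as shown the check tests a literal path and the same literal appears in the `nested()` message two lines below and throughout the screenshot hunk (`f"(unknown).png"`, `f"(unknown).ppm"`, `f"making screenshot (unknown)"`, the `pnmtopng` redirect). This looks like a rendering placeholder standing in for `{filename}`; if so, confirm the committed source reads `f"test -e {filename}"` and `f"waiting for file '{filename}'"`, otherwise these f-strings are a regression against the removed `.format(filename)` calls. Separately, the new `addr` argument of `wait_for_open_port` and `wait_for_closed_port` is interpolated verbatim into `nc -z {addr} {port}`; a one-line docstring saying the address is passed to the guest shell unquoted would make that contract explicit. `wait_for_file`'s signature is above this hunk.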
@@ -739,21 +730,21 @@ class Machine:
             toc = time.time()
 
             self.log("connected to guest root shell")
-            self.log("(connecting took {:.2f} seconds)".format(toc - tic))
+            self.log(f"(connecting took {toc - tic:.2f} seconds)")
             self.connected = True
 
     def screenshot(self, filename: str) -> None:
         word_pattern = re.compile(r"^\w+$")
         if word_pattern.match(filename):
-            filename = os.path.join(self.out_dir, "{}.png".format(filename))
-        tmp = "{}.ppm".format(filename)
+            filename = os.path.join(self.out_dir, f"(unknown).png")
+        tmp = f"(unknown).ppm"
 
         with self.nested(
-            "making screenshot {}".format(filename),
+            f"making screenshot (unknown)",
             {"image": os.path.basename(filename)},
         ):
-            self.send_monitor_command("screendump {}".format(tmp))
-            ret = subprocess.run("pnmtopng {} > {}".format(tmp, filename), shell=True)
+            self.send_monitor_command(f"screendump {tmp}")
+            ret = subprocess.run(f"pnmtopng '{tmp}' > '(unknown)'", shell=True)
             os.unlink(tmp)
             if ret.returncode != 0:
                 raise Exception("Cannot convert screenshot")
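Review bot: The pnmtopng conversion still runs through `shell=True`, so the single quotes now placed around `tmp` and the output path only cope with whitespace, not with a `'` in a caller-supplied filename that does not match `^\w+$`. Invoking the converter without a shell removes the quoting question altogether: `with open(filename, "wb") as out:` followed by `ret = subprocess.run(["pnmtopng", tmp], stdout=out)`. The `(unknown)` tokens in this hunk look like a rendering artifact standing in for `{filename}`; the suggestion assumes the real code interpolates the filename at those positions.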
@@ -815,7 +806,7 @@ class Machine:
 
     def dump_tty_contents(self, tty: str) -> None:
         """Debugging: Dump the contents of the TTY<n>"""
-        self.execute("fold -w 80 /dev/vcs{} | systemd-cat".format(tty))
+        self.execute(f"fold -w 80 /dev/vcs{tty} | systemd-cat")
 
     def _get_screen_text_variants(self, model_ids: Iterable[int]) -> List[str]:
         with tempfile.TemporaryDirectory() as tmpdir:
@@ -837,15 +828,15 @@ class Machine:
                     return True
 
             if last:
-                self.log("Last OCR attempt failed. Text was: {}".format(variants))
+                self.log(f"Last OCR attempt failed. Text was: {variants}")
 
             return False
 
-        with self.nested("waiting for {} to appear on screen".format(regex)):
+        with self.nested(f"waiting for {regex} to appear on screen"):
             retry(screen_matches)
 
     def wait_for_console_text(self, regex: str) -> None:
-        with self.nested("waiting for {} to appear on console".format(regex)):
+        with self.nested(f"waiting for {regex} to appear on console"):
             # Buffer the console output, this is needed
             # to match multiline regexes.
             console = io.StringIO()
@@ -862,7 +853,7 @@ class Machine:
 
     def send_key(self, key: str, delay: Optional[float] = 0.01) -> None:
         key = CHAR_TO_KEY.get(key, key)
-        self.send_monitor_command("sendkey {}".format(key))
+        self.send_monitor_command(f"sendkey {key}")
         if delay is not None:
             time.sleep(delay)
 
@@ -921,7 +912,7 @@ class Machine:
         self.pid = self.process.pid
         self.booted = True
 
-        self.log("QEMU running (pid {})".format(self.pid))
+        self.log(f"QEMU running (pid {self.pid})")
 
     def cleanup_statedir(self) -> None:
         shutil.rmtree(self.state_dir)
@@ -975,7 +966,7 @@ class Machine:
             names = self.get_window_names()
             if last_try:
                 self.log(
-                    "Last chance to match {} on the window list,".format(regexp)
+                    f"Last chance to match {regexp} on the window list,"
                     + " which currently contains: "
                     + ", ".join(names)
                 )
@@ -992,9 +983,7 @@ class Machine:
         """Forward a TCP port on the host to a TCP port on the guest.
         Useful during interactive testing.
         """
-        self.send_monitor_command(
-            "hostfwd_add tcp::{}-:{}".format(host_port, guest_port)
-        )
+        self.send_monitor_command(f"hostfwd_add tcp::{host_port}-:{guest_port}")
 
     def block(self) -> None:
         """Make the machine unreachable by shutting down eth1 (the multicast
diff --git a/nixos/lib/testing/legacy.nix b/nixos/lib/testing/legacy.nix
index 868b8b65b17d5..b310575566015 100644
--- a/nixos/lib/testing/legacy.nix
+++ b/nixos/lib/testing/legacy.nix
@@ -3,9 +3,10 @@ let
   inherit (lib) mkIf mkOption types;
 in
 {
-  # This needs options.warnings, which we don't have (yet?).
+  # This needs options.warnings and options.assertions, which we don't have (yet?).
   # imports = [
   #   (lib.mkRenamedOptionModule [ "machine" ] [ "nodes" "machine" ])
+  #   (lib.mkRemovedOptionModule [ "minimal" ] "The minimal kernel module was removed as it was broken and not used any more in nixpkgs.")
   # ];
 
   options = {
diff --git a/nixos/lib/testing/nodes.nix b/nixos/lib/testing/nodes.nix
index 8e620c96b3bb1..c538ab468c526 100644
--- a/nixos/lib/testing/nodes.nix
+++ b/nixos/lib/testing/nodes.nix
@@ -23,7 +23,7 @@ let
               nixpkgs.config.allowAliases = false;
             })
           testModuleArgs.config.extraBaseModules
-        ] ++ optional config.minimal ../../modules/testing/minimal-kernel.nix;
+        ];
     };
 
 
@@ -78,14 +78,6 @@ in
       '';
     };
 
-    minimal = mkOption {
-      type = types.bool;
-      default = false;
-      description = mdDoc ''
-        Enable to configure all [{option}`nodes`](#test-opt-nodes) to run with a minimal kernel.
-      '';
-    };
-
     nodesCompat = mkOption {
       internal = true;
       description = mdDoc ''
diff --git a/nixos/modules/config/shells-environment.nix b/nixos/modules/config/shells-environment.nix
index 50bb9b17783bb..bc6583442edf2 100644
--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@@ -42,8 +42,8 @@ in
         strings.  The latter is concatenated, interspersed with colon
         characters.
       '';
-      type = with types; attrsOf (either str (listOf str));
-      apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else v);
+      type = with types; attrsOf (oneOf [ (listOf str) str path ]);
+      apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else "${v}");
     };
 
     environment.profiles = mkOption {
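Review bot: Accepting `path` values and coercing them with `"${v}"` means a path assigned here is copied into the Nix store, which is world-readable, so the option must never point at a file holding secrets. The option description starts outside the hunk; it should carry a sentence such as `Path values are copied into the Nix store and become world-readable; do not use them for secrets.` The same coercion is picked up by `environment.sessionVariables` through the `inherit (options.environment.variables) type apply` change in system-environment.nix, so the caveat applies there too.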
diff --git a/nixos/modules/config/system-environment.nix b/nixos/modules/config/system-environment.nix
index 5b226d5079b0f..399304185223f 100644
--- a/nixos/modules/config/system-environment.nix
+++ b/nixos/modules/config/system-environment.nix
@@ -1,6 +1,6 @@
 # This module defines a system-wide environment that will be
 # initialised by pam_env (that is, not only in shells).
-{ config, lib, pkgs, ... }:
+{ config, lib, options, pkgs, ... }:
 
 with lib;
 
@@ -32,8 +32,7 @@ in
         therefore not possible to use PAM style variables such as
         `@{HOME}`.
       '';
-      type = with types; attrsOf (either str (listOf str));
-      apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else v);
+      inherit (options.environment.variables) type apply;
     };
 
     environment.profileRelativeSessionVariables = mkOption {
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 61d70ccc19b2a..19319b9309cd1 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -101,16 +101,13 @@ let
         type = types.bool;
         default = false;
         description = lib.mdDoc ''
-          Indicates whether this is an account for a “real” user. This
-          automatically sets {option}`group` to
-          `users`, {option}`createHome` to
-          `true`, {option}`home` to
-          {file}`/home/«username»`,
+          Indicates whether this is an account for a “real” user.
+          This automatically sets {option}`group` to `users`,
+          {option}`createHome` to `true`,
+          {option}`home` to {file}`/home/«username»`,
           {option}`useDefaultShell` to `true`,
-          and {option}`isSystemUser` to
-          `false`.
-          Exactly one of `isNormalUser` and
-          `isSystemUser` must be true.
+          and {option}`isSystemUser` to `false`.
+          Exactly one of `isNormalUser` and `isSystemUser` must be true.
         '';
       };
 
diff --git a/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix b/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix
new file mode 100644
index 0000000000000..9d09cdbe0206d
--- /dev/null
+++ b/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix
@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+
+{
+  imports = [ ./installation-cd-minimal-new-kernel.nix ];
+
+  # Makes `availableOn` fail for zfs, see <nixos/modules/profiles/base.nix>.
+  # This is a workaround since we cannot remove the `"zfs"` string from `supportedFilesystems`.
+  # The proper fix would be to make `supportedFilesystems` an attrset with true/false which we
+  # could then `lib.mkForce false`
+  nixpkgs.overlays = [(final: super: {
+    zfs = super.zfs.overrideAttrs(_: {
+      meta.platforms = [];
+    });
+  })];
+}
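Review bot: The zfs-disabling overlay is duplicated verbatim between this file and sd-image-aarch64-new-kernel-no-zfs-installer.nix, including the four-line explanation of the workaround. A small shared module (for example a `no-zfs.nix` placed next to the installer profiles, name to be chosen) imported by both would keep the workaround and its rationale in one place, so that the proper fix the comment describes only has to be applied once. Marking the comment with `# TODO:` would also make that follow-up easier to find.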
diff --git a/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix b/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix
index abf0a5186b6aa..7a3bd74cb70a7 100644
--- a/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix
@@ -9,6 +9,9 @@
     ./installation-cd-base.nix
   ];
 
+  # Causes a lot of uncached builds for a negligible decrease in size.
+  environment.noXlibs = lib.mkOverride 500 false;
+
   documentation.man.enable = lib.mkOverride 500 true;
 
   fonts.fontconfig.enable = lib.mkForce false;
diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix
index 81aca86173899..659df7851b08d 100644
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@@ -77,6 +77,14 @@ let
     else
       config.boot.loader.timeout * 10;
 
+  # Timeout in grub is in seconds.
+  # null means max timeout (infinity)
+  # 0 means disable timeout
+  grubEfiTimeout = if config.boot.loader.timeout == null then
+      -1
+    else
+      config.boot.loader.timeout;
+
   # The configuration file for syslinux.
 
   # Notes on syslinux configuration and UNetbootin compatibility:
@@ -284,7 +292,7 @@ let
     if serial; then set with_serial=yes ;fi
     export with_serial
     clear
-    set timeout=10
+    set timeout=${toString grubEfiTimeout}
 
     # This message will only be viewable when "gfxterm" is not used.
     echo ""
diff --git a/nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix b/nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix
new file mode 100644
index 0000000000000..0e50559602945
--- /dev/null
+++ b/nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix
@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+
+{
+  imports = [ ./sd-image-aarch64-new-kernel-installer.nix ];
+
+  # Makes `availableOn` fail for zfs, see <nixos/modules/profiles/base.nix>.
+  # This is a workaround since we cannot remove the `"zfs"` string from `supportedFilesystems`.
+  # The proper fix would be to make `supportedFilesystems` an attrset with true/false which we
+  # could then `lib.mkForce false`
+  nixpkgs.overlays = [(final: super: {
+    zfs = super.zfs.overrideAttrs(_: {
+      meta.platforms = [];
+    });
+  })];
+}
diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix
index b3cdaf5568d4f..1067b21a22b07 100644
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -89,6 +89,12 @@ in
 
     stateVersion = mkOption {
       type = types.str;
+      # TODO Remove this and drop the default of the option so people are forced to set it.
+      # Doing this also means fixing the comment in nixos/modules/testing/test-instrumentation.nix
+      apply = v:
+        lib.warnIf (options.system.stateVersion.highestPrio == (lib.mkOptionDefault { }).priority)
+          "system.stateVersion is not set, defaulting to ${v}. Read why this matters on https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion."
+          v;
       default = cfg.release;
       defaultText = literalExpression "config.${opt.release}";
       description = lib.mdDoc ''
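Review bot: The rationale removed by the second hunk of this file — warning via `warnings` rather than in the option's default because the manual evaluates defaults — is not carried over, so a reader of the new `apply` has no explanation of why this placement does not trigger during manual builds. A comment above `apply`, e.g. `# Warn from apply rather than from default: the manual evaluates option defaults but not apply, so only real configurations trigger it.`, would preserve that knowledge; the reason is my inference and should be confirmed. It is also worth confirming that `options` is among this module's function arguments, since `apply` now references `options.system.stateVersion` directly.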
@@ -149,14 +155,6 @@ in
       "os-release".text = attrsToText osReleaseContents;
     };
 
-    # We have to use `warnings` because when warning in the default of the option
-    # the warning would also be shown when building the manual since the manual
-    # has to evaluate the default.
-    #
-    # TODO Remove this and drop the default of the option so people are forced to set it.
-    # Doing this also means fixing the comment in nixos/modules/testing/test-instrumentation.nix
-    warnings = lib.optional (options.system.stateVersion.highestPrio == (lib.mkOptionDefault { }).priority)
-      "system.stateVersion is not set, defaulting to ${config.system.stateVersion}. Read why this matters on https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion.";
   };
 
   # uses version info nixpkgs, which requires a full nixpkgs path
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 7903cd23a750e..41b953dc34733 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -201,6 +201,7 @@
   ./programs/nbd.nix
   ./programs/neovim.nix
   ./programs/nethoscope.nix
+  ./programs/nix-index.nix
   ./programs/nix-ld.nix
   ./programs/nm-applet.nix
   ./programs/nncp.nix
@@ -519,6 +520,7 @@
   ./services/logging/syslog-ng.nix
   ./services/logging/syslogd.nix
   ./services/logging/vector.nix
+  ./services/logging/ulogd.nix
   ./services/mail/clamsmtp.nix
   ./services/mail/davmail.nix
   ./services/mail/dkimproxy-out.nix
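Review bot: `./services/logging/ulogd.nix` is inserted after `vector.nix`, breaking the alphabetical order this list otherwise keeps; it belongs before `./services/logging/vector.nix`. The same applies to two later hunks of this file: `./services/networking/webhook.nix` is placed after `wg-netmanager.nix` but sorts before it, and `./services/printing/cups-pdf.nix` is placed after `ipp-usb.nix` but sorts before `cupsd.nix`.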
@@ -1011,6 +1013,7 @@
   ./services/networking/wasabibackend.nix
   ./services/networking/websockify.nix
   ./services/networking/wg-netmanager.nix
+  ./services/networking/webhook.nix
   ./services/networking/wg-quick.nix
   ./services/networking/wireguard.nix
   ./services/networking/wpa_supplicant.nix
@@ -1027,6 +1030,7 @@
   ./services/networking/znc/default.nix
   ./services/printing/cupsd.nix
   ./services/printing/ipp-usb.nix
+  ./services/printing/cups-pdf.nix
   ./services/scheduling/atd.nix
   ./services/scheduling/cron.nix
   ./services/scheduling/fcron.nix
@@ -1101,6 +1105,7 @@
   ./services/video/rtsp-simple-server.nix
   ./services/video/unifi-video.nix
   ./services/wayland/cage.nix
+  ./services/web-apps/akkoma.nix
   ./services/web-apps/alps.nix
   ./services/web-apps/atlassian/confluence.nix
   ./services/web-apps/atlassian/crowd.nix
@@ -1308,6 +1313,7 @@
   ./tasks/filesystems/btrfs.nix
   ./tasks/filesystems/cifs.nix
   ./tasks/filesystems/ecryptfs.nix
+  ./tasks/filesystems/envfs.nix
   ./tasks/filesystems/exfat.nix
   ./tasks/filesystems/ext.nix
   ./tasks/filesystems/f2fs.nix
diff --git a/nixos/modules/profiles/macos-builder.nix b/nixos/modules/profiles/macos-builder.nix
index 0cbac3bd61fed..a981814730a17 100644
--- a/nixos/modules/profiles/macos-builder.nix
+++ b/nixos/modules/profiles/macos-builder.nix
@@ -11,6 +11,17 @@ in
 
 { imports = [
     ../virtualisation/qemu-vm.nix
+
+    # Avoid a dependency on stateVersion
+    {
+      disabledModules = [
+        ../virtualisation/nixos-containers.nix
+        ../services/x11/desktop-managers/xterm.nix
+      ];
+      config = {
+      };
+      options.boot.isContainer = lib.mkOption { default = false; internal = true; };
+    }
   ];
 
   # The builder is not intended to be used interactively
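Review bot: The inline module added to `imports` carries an empty `config = { };` that contributes nothing and can be dropped, leaving the `disabledModules` list and the `options.boot.isContainer` declaration that the comment is actually about. A sentence on why `boot.isContainer` has to be re-declared once nixos-containers.nix is disabled would help the next reader, e.g. `# boot.isContainer is normally declared by nixos-containers.nix; keep a definition for the modules that read it.` — that other modules read it is my assumption and should be checked.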
@@ -93,7 +104,19 @@ in
         };
       });
 
-  system.stateVersion = "22.05";
+  system = {
+    # To prevent gratuitous rebuilds on each change to Nixpkgs
+    nixos.revision = null;
+
+    stateVersion = lib.mkDefault (throw ''
+      The macOS linux builder should not need a stateVersion to be set, but a module
+      has accessed stateVersion nonetheless.
+      Please inspect the trace of the following command to figure out which module
+      has a dependency on stateVersion.
+
+        nix-instantiate --attr darwin.builder --show-trace
+    '');
+  };
 
   users.users."${user}"= {
     isNormalUser = true;
diff --git a/nixos/modules/programs/nix-index.nix b/nixos/modules/programs/nix-index.nix
new file mode 100644
index 0000000000000..a494b9d8c2c9b
--- /dev/null
+++ b/nixos/modules/programs/nix-index.nix
@@ -0,0 +1,62 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.programs.nix-index;
+in {
+  options.programs.nix-index = with lib; {
+    enable = mkEnableOption (lib.mdDoc "nix-index, a file database for nixpkgs");
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.nix-index;
+      defaultText = literalExpression "pkgs.nix-index";
+      description = lib.mdDoc "Package providing the `nix-index` tool.";
+    };
+
+    enableBashIntegration = mkEnableOption (lib.mdDoc "Bash integration") // {
+      default = true;
+    };
+
+    enableZshIntegration = mkEnableOption (lib.mdDoc "Zsh integration") // {
+      default = true;
+    };
+
+    enableFishIntegration = mkEnableOption (lib.mdDoc "Fish integration") // {
+      default = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = let
+      checkOpt = name: {
+        assertion = cfg.${name} -> !config.programs.command-not-found.enable;
+        message = ''
+          The 'programs.command-not-found.enable' option is mutually exclusive
+          with the 'programs.nix-index.${name}' option.
+        '';
+      };
+    in [ (checkOpt "enableBashIntegration") (checkOpt "enableZshIntegration") ];
+
+    environment.systemPackages = [ cfg.package ];
+
+    programs.bash.interactiveShellInit = lib.mkIf cfg.enableBashIntegration ''
+      source ${cfg.package}/etc/profile.d/command-not-found.sh
+    '';
+
+    programs.zsh.interactiveShellInit = lib.mkIf cfg.enableZshIntegration ''
+      source ${cfg.package}/etc/profile.d/command-not-found.sh
+    '';
+
+    # See https://github.com/bennofs/nix-index/issues/126
+    programs.fish.interactiveShellInit = let
+      wrapper = pkgs.writeScript "command-not-found" ''
+        #!${pkgs.bash}/bin/bash
+        source ${cfg.package}/etc/profile.d/command-not-found.sh
+        command_not_found_handle "$@"
+      '';
+    in lib.mkIf cfg.enableFishIntegration ''
+      function __fish_command_not_found_handler --on-event fish_command_not_found
+          ${wrapper} $argv
+      end
+    '';
+  };
+}
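Review bot: The mutual-exclusion assertions cover `enableBashIntegration` and `enableZshIntegration` but not `enableFishIntegration`, although all three default to `true`; if `programs.command-not-found` also installs a fish handler, enabling both would silently register two handlers instead of failing evaluation. Adding `(checkOpt "enableFishIntegration")` to the assertion list keeps the three integrations consistent, provided that collision is real; if fish is deliberately exempt, a short comment saying why would avoid the question coming up again.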
diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix
index ae8e1dd8463bf..c5fc09dcea028 100644
--- a/nixos/modules/services/backup/borgbackup.nix
+++ b/nixos/modules/services/backup/borgbackup.nix
@@ -150,8 +150,9 @@ let
         # Ensure that the home directory already exists
         # We can't assert createHome == true because that's not the case for root
         cd "${config.users.users.${cfg.user}.home}"
-        ${install} -d .config/borg
-        ${install} -d .cache/borg
+        # Create each directory separately to prevent root owned parent dirs
+        ${install} -d .config .config/borg
+        ${install} -d .cache .cache/borg
       '' + optionalString (isLocalPath cfg.repo && !cfg.removableDevice) ''
         ${install} -d ${escapeShellArg cfg.repo}
       ''));
diff --git a/nixos/modules/services/hardware/supergfxd.nix b/nixos/modules/services/hardware/supergfxd.nix
index cb604db91dc36..df339e4ba011f 100644
--- a/nixos/modules/services/hardware/supergfxd.nix
+++ b/nixos/modules/services/hardware/supergfxd.nix
@@ -23,7 +23,10 @@ in
   config = lib.mkIf cfg.enable {
     environment.systemPackages = [ pkgs.supergfxctl ];
 
-    environment.etc."supergfxd.conf" = lib.mkIf (cfg.settings != null) { source = json.generate "supergfxd.conf" cfg.settings; };
+    environment.etc."supergfxd.conf" = lib.mkIf (cfg.settings != null) {
+      source = json.generate "supergfxd.conf" cfg.settings;
+      mode = "0644";
+    };
 
     services.dbus.enable = true;
 
diff --git a/nixos/modules/services/logging/ulogd.nix b/nixos/modules/services/logging/ulogd.nix
new file mode 100644
index 0000000000000..065032b531c6d
--- /dev/null
+++ b/nixos/modules/services/logging/ulogd.nix
@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.ulogd;
+  settingsFormat = pkgs.formats.ini { };
+  settingsFile = settingsFormat.generate "ulogd.conf" cfg.settings;
+in {
+  options = {
+    services.ulogd = {
+      enable = mkEnableOption (lib.mdDoc "ulogd");
+
+      settings = mkOption {
+        example = {
+          global.stack = "stack=log1:NFLOG,base1:BASE,pcap1:PCAP";
+          log1.group = 2;
+          pcap1 = {
+            file = "/var/log/ulogd.pcap";
+            sync = 1;
+          };
+        };
+        type = settingsFormat.type;
+        default = { };
+        description = lib.mdDoc "Configuration for ulogd. See {file}`/share/doc/ulogd/` in `pkgs.ulogd.doc`.";
+      };
+
+      logLevel = mkOption {
+        type = types.enum [ 1 3 5 7 8 ];
+        default = 5;
+        description = lib.mdDoc "Log level (1 = debug, 3 = info, 5 = notice, 7 = error, 8 = fatal)";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.ulogd = {
+      description = "Ulogd Daemon";
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-pre.target" ];
+      before = [ "network-pre.target" ];
+
+      serviceConfig = {
+        ExecStart = "${pkgs.ulogd}/bin/ulogd -c ${settingsFile} --verbose --loglevel ${toString cfg.logLevel}";
+        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      };
+    };
+  };
+}
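Review bot: The `settings` example `global.stack = "stack=log1:NFLOG,base1:BASE,pcap1:PCAP"` appears to render as `stack=stack=log1:...` once the INI generator prefixes the key, so either the value should drop the leading `stack=` or the example should be checked against what ulogd actually accepts. Separately, the unit runs without `User` and without any sandboxing directives; ulogd presumably needs root or CAP_NET_ADMIN for its netlink sockets, but `ProtectSystem = "strict"`, `ProtectHome = true` and `PrivateTmp = true` together with a `ReadWritePaths` entry for the log/pcap destination would limit what a compromised daemon can write. A one-line comment on why the service must run as root would make that choice explicit.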
diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix
index cd0da4fc50987..a9504acee3511 100644
--- a/nixos/modules/services/mail/exim.nix
+++ b/nixos/modules/services/mail/exim.nix
@@ -116,8 +116,9 @@ in
       wantedBy = [ "multi-user.target" ];
       restartTriggers = [ config.environment.etc."exim.conf".source ];
       serviceConfig = {
-        ExecStart   = "${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}";
-        ExecReload  = "${coreutils}/bin/kill -HUP $MAINPID";
+        ExecStart   = "+${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}";
+        ExecReload  = "+${coreutils}/bin/kill -HUP $MAINPID";
+        User        = cfg.user;
       };
       preStart = ''
         if ! test -d ${cfg.spoolDir}; then
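Review bot: Setting `User = cfg.user` while prefixing `ExecStart`/`ExecReload` with `+` means the daemon still starts as root, but `preStart` (emitted as `ExecStartPre` without the prefix) now runs as `cfg.user`; the spool-directory setup that begins on the last line of this hunk and continues below it may no longer be able to create or chown `${cfg.spoolDir}`. If exim only needs root at startup and drops privileges itself, the `User=` setting may be unnecessary; if `preStart` must stay root, it should be prefixed too or moved to `systemd.tmpfiles.rules`. A comment such as `# exim must start as root (it drops privileges itself); User= only affects the helper steps` would make the combination intentional — that reason is my guess and should be confirmed.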
diff --git a/nixos/modules/services/matrix/synapse.nix b/nixos/modules/services/matrix/synapse.nix
index b9b581acb34a5..3087d879b9d2b 100644
--- a/nixos/modules/services/matrix/synapse.nix
+++ b/nixos/modules/services/matrix/synapse.nix
@@ -507,6 +507,12 @@ in {
                 sqlite3 = null;
                 psycopg2 = "matrix-synapse";
               }.${cfg.settings.database.name};
+              defaultText = lib.literalExpression ''
+                {
+                  sqlite3 = null;
+                  psycopg2 = "matrix-synapse";
+                }.''${cfg.settings.database.name};
+              '';
               description = lib.mdDoc ''
                 Username to connect with psycopg2, set to null
                 when using sqlite3.
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index b13706f641cf0..10db7cdfb33cc 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -819,7 +819,7 @@ in
           optionals (pkgs.hostPlatform ? gcc.arch) (
             # a builder can run code for `gcc.arch` and inferior architectures
             [ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++
-            map (x: "gccarch-${x}") systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch}
+            map (x: "gccarch-${x}") (systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch} or [])
           )
         );
       }
diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix
index 6a98d5cb686d3..33a8394dff2d2 100644
--- a/nixos/modules/services/misc/paperless.nix
+++ b/nixos/modules/services/misc/paperless.nix
@@ -211,19 +211,15 @@ in
     ];
 
     systemd.services.paperless-scheduler = {
-      description = "Paperless scheduler";
+      description = "Paperless Celery Beat";
       serviceConfig = defaultServiceConfig // {
         User = cfg.user;
-        ExecStart = "${pkg}/bin/paperless-ngx qcluster";
+        ExecStart = "${pkg}/bin/celery --app paperless beat --loglevel INFO";
         Restart = "on-failure";
-        # The `mbind` syscall is needed for running the classifier.
-        SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "mbind" ];
-        # Needs to talk to mail server for automated import rules
-        PrivateNetwork = false;
       };
       environment = env;
       wantedBy = [ "multi-user.target" ];
-      wants = [ "paperless-consumer.service" "paperless-web.service" ];
+      wants = [ "paperless-consumer.service" "paperless-web.service" "paperless-task-queue.service" ];
 
       preStart = ''
         ln -sf ${manage} ${cfg.dataDir}/paperless-manage
@@ -250,6 +246,20 @@ in
       after = [ "redis-paperless.service" ];
     };
 
+    systemd.services.paperless-task-queue = {
+      description = "Paperless Celery Workers";
+      serviceConfig = defaultServiceConfig // {
+        User = cfg.user;
+        ExecStart = "${pkg}/bin/celery --app paperless worker --loglevel INFO";
+        Restart = "on-failure";
+        # The `mbind` syscall is needed for running the classifier.
+        SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "mbind" ];
+        # Needs to talk to mail server for automated import rules
+        PrivateNetwork = false;
+      };
+      environment = env;
+    };
+
     # Reading the user-provided password file requires root access
     systemd.services.paperless-copy-password = mkIf (cfg.passwordFile != null) {
       requiredBy = [ "paperless-scheduler.service" ];
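Review bot: The new `paperless-task-queue` unit has no `after`/`requires` on `redis-paperless.service`, unlike the unit ending just above the hunk, and no `wantedBy`; it is only pulled in through the scheduler's `wants` in the first hunk, so it can start before the broker is up and is not restarted when the scheduler is restarted on its own. Adding `after = [ "redis-paperless.service" ];` and, if the broker is mandatory, `requires = [ "redis-paperless.service" ];` mirrors the sibling units; this assumes the celery worker talks to that Redis instance, which the hunk does not show.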
@@ -301,7 +311,7 @@ in
       };
       # Allow the web interface to access the private /tmp directory of the server.
       # This is required to support uploading files via the web interface.
-      unitConfig.JoinsNamespaceOf = "paperless-scheduler.service";
+      unitConfig.JoinsNamespaceOf = "paperless-task-queue.service";
       # Bind to `paperless-scheduler` so that the web server never runs
       # during migrations
       bindsTo = [ "paperless-scheduler.service" ];
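Review bot: The web unit now joins the namespace of `paperless-task-queue.service`, but its `bindsTo` on the last line of the hunk and its ordering still reference only the scheduler, so nothing visible guarantees the task-queue unit is running when the web server starts and the shared private /tmp exists. If the namespace join is what makes uploads work, `"paperless-task-queue.service"` should also appear in `after` and `bindsTo`, and the comment below `JoinsNamespaceOf` should say which unit provides which guarantee. The unit definition starts outside the hunk.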
diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix
index 9a9a0ab755325..9cce4c71d964a 100644
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -364,9 +364,15 @@ in {
             };
 
             http_addr = mkOption {
-              description = lib.mdDoc "Listening address.";
-              default = "";
               type = types.str;
+              default = "127.0.0.1";
+              description = lib.mdDoc ''
+                Listening address.
+
+                ::: {.note}
+                This setting intentionally varies from upstream's default to be a bit more secure by default.
+                :::
+              '';
             };
 
             http_port = mkOption {
diff --git a/nixos/modules/services/monitoring/uptime-kuma.nix b/nixos/modules/services/monitoring/uptime-kuma.nix
index b6dc993e6a050..8e6c825b35eac 100644
--- a/nixos/modules/services/monitoring/uptime-kuma.nix
+++ b/nixos/modules/services/monitoring/uptime-kuma.nix
@@ -28,7 +28,7 @@ in
         };
         description = lib.mdDoc ''
           Additional configuration for Uptime Kuma, see
-          <https://github.com/louislam/uptime-kuma/wiki/Environment-Variables">
+          <https://github.com/louislam/uptime-kuma/wiki/Environment-Variables>
           for supported values.
         '';
       };
diff --git a/nixos/modules/services/networking/cloudflared.nix b/nixos/modules/services/networking/cloudflared.nix
index c8fc9fafee6dc..3ee43072ba861 100644
--- a/nixos/modules/services/networking/cloudflared.nix
+++ b/nixos/modules/services/networking/cloudflared.nix
@@ -168,8 +168,7 @@ in
           inherit originRequest;
 
           credentialsFile = mkOption {
-            type = with types; nullOr str;
-            default = null;
+            type = types.str;
             description = lib.mdDoc ''
               Credential file.
 
@@ -190,8 +189,7 @@ in
           };
 
           default = mkOption {
-            type = with types; nullOr str;
-            default = null;
+            type = types.str;
             description = lib.mdDoc ''
               Catch-all service if no ingress matches.
 
@@ -262,12 +260,12 @@ in
     systemd.targets =
       mapAttrs'
         (name: tunnel:
-          nameValuePair "cloudflared-tunnel-${name}" ({
-            description = lib.mdDoc "Cloudflare tunnel '${name}' target";
+          nameValuePair "cloudflared-tunnel-${name}" {
+            description = "Cloudflare tunnel '${name}' target";
             requires = [ "cloudflared-tunnel-${name}.service" ];
             after = [ "cloudflared-tunnel-${name}.service" ];
             unitConfig.StopWhenUnneeded = true;
-          })
+          }
         )
         config.services.cloudflared.tunnels;
 
diff --git a/nixos/modules/services/networking/openconnect.nix b/nixos/modules/services/networking/openconnect.nix
index 469f0a3bc3bb6..4676b1733af68 100644
--- a/nixos/modules/services/networking/openconnect.nix
+++ b/nixos/modules/services/networking/openconnect.nix
@@ -32,6 +32,7 @@ let
         description = lib.mdDoc "Username to authenticate with.";
         example = "example-user";
         type = types.nullOr types.str;
+        default = null;
       };
 
       # Note: It does not make sense to provide a way to declaratively
@@ -108,7 +109,7 @@ let
       ExecStart = "${openconnect}/bin/openconnect --config=${
           generateConfig name icfg
         } ${icfg.gateway}";
-      StandardInput = "file:${icfg.passwordFile}";
+      StandardInput = lib.mkIf (icfg.passwordFile != null) "file:${icfg.passwordFile}";
 
       ProtectHome = true;
     };
diff --git a/nixos/modules/services/networking/powerdns.nix b/nixos/modules/services/networking/powerdns.nix
index 6aa5928d63707..850a128cf1a46 100644
--- a/nixos/modules/services/networking/powerdns.nix
+++ b/nixos/modules/services/networking/powerdns.nix
@@ -5,6 +5,7 @@ with lib;
 let
   cfg = config.services.powerdns;
   configDir = pkgs.writeTextDir "pdns.conf" "${cfg.extraConfig}";
+  finalConfigDir = if cfg.secretFile == null then configDir else "/run/pdns";
 in {
   options = {
     services.powerdns = {
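Review bot: `finalConfigDir` points at `/run/pdns` when a secret file is used, but nothing in this diff creates that directory; the `ExecStartPre` script in the third hunk redirects the rendered config into it and will fail unless the upstream unit already sets a runtime directory. Declaring it in `serviceConfig`, e.g. `RuntimeDirectory = "pdns";` with `RuntimeDirectoryMode = "0700";`, would both guarantee the directory and keep the file containing interpolated secrets unreadable to other users (the script's `umask 077` covers the file but not the directory). Whether the upstream unit provides this is not visible here and should be checked.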
@@ -19,6 +20,19 @@ in {
           for details on supported values.
         '';
       };
+
+      secretFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        example = "/run/keys/powerdns.env";
+        description = lib.mdDoc ''
+          Environment variables from this file will be interpolated into the
+          final config file using envsubst with this syntax: `$ENVIRONMENT`
+          or `''${VARIABLE}`.
+          The file should contain lines formatted as `SECRET_VAR=SECRET_VALUE`.
+          This is useful to avoid putting secrets into the nix store.
+        '';
+      };
     };
   };
 
@@ -31,7 +45,13 @@ in {
       after = [ "network.target" "mysql.service" "postgresql.service" "openldap.service" ];
 
       serviceConfig = {
-        ExecStart = [ "" "${pkgs.pdns}/bin/pdns_server --config-dir=${configDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ];
+        EnvironmentFile = lib.optional (cfg.secretFile != null) cfg.secretFile;
+        ExecStartPre = lib.optional (cfg.secretFile != null)
+          (pkgs.writeShellScript "pdns-pre-start" ''
+            umask 077
+            ${pkgs.envsubst}/bin/envsubst -i "${configDir}/pdns.conf" > ${finalConfigDir}/pdns.conf
+          '');
+        ExecStart = [ "" "${pkgs.pdns}/bin/pdns_server --config-dir=${finalConfigDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ];
       };
     };
 
diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix
index 09b23a60a4afc..7db83e6a584ba 100644
--- a/nixos/modules/services/networking/tinc.nix
+++ b/nixos/modules/services/networking/tinc.nix
@@ -349,91 +349,94 @@ in
 
   ###### implementation
 
-  config = mkIf (cfg.networks != { }) {
-
-    environment.etc = foldr (a: b: a // b) { }
-      (flip mapAttrsToList cfg.networks (network: data:
-        flip mapAttrs' data.hosts (host: text: nameValuePair
-          ("tinc/${network}/hosts/${host}")
-          ({ mode = "0644"; user = "tinc.${network}"; inherit text; })
-        ) // {
-          "tinc/${network}/tinc.conf" = {
-            mode = "0444";
-            text = ''
-              ${toTincConf ({ Interface = "tinc.${network}"; } // data.settings)}
-              ${data.extraConfig}
-            '';
+  config = mkIf (cfg.networks != { }) (
+    let
+      etcConfig = foldr (a: b: a // b) { }
+        (flip mapAttrsToList cfg.networks (network: data:
+          flip mapAttrs' data.hosts (host: text: nameValuePair
+            ("tinc/${network}/hosts/${host}")
+            ({ mode = "0644"; user = "tinc.${network}"; inherit text; })
+          ) // {
+            "tinc/${network}/tinc.conf" = {
+              mode = "0444";
+              text = ''
+                ${toTincConf ({ Interface = "tinc.${network}"; } // data.settings)}
+                ${data.extraConfig}
+              '';
+            };
+          }
+        ));
+    in {
+      environment.etc = etcConfig;
+
+      systemd.services = flip mapAttrs' cfg.networks (network: data: nameValuePair
+        ("tinc.${network}")
+        (let version = getVersion data.package; in {
+          description = "Tinc Daemon - ${network}";
+          wantedBy = [ "multi-user.target" ];
+          path = [ data.package ];
+          reloadTriggers = mkIf (versionAtLeast version "1.1pre") [ (builtins.toJSON etcConfig) ];
+          restartTriggers = mkIf (versionOlder version "1.1pre") [ (builtins.toJSON etcConfig) ];
+          serviceConfig = {
+            Type = "simple";
+            Restart = "always";
+            RestartSec = "3";
+            ExecReload = mkIf (versionAtLeast version "1.1pre") "${data.package}/bin/tinc -n ${network} reload";
+            ExecStart = "${data.package}/bin/tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}";
           };
-        }
-      ));
-
-    systemd.services = flip mapAttrs' cfg.networks (network: data: nameValuePair
-      ("tinc.${network}")
-      ({
-        description = "Tinc Daemon - ${network}";
-        wantedBy = [ "multi-user.target" ];
-        path = [ data.package ];
-        restartTriggers = [ config.environment.etc."tinc/${network}/tinc.conf".source ];
-        serviceConfig = {
-          Type = "simple";
-          Restart = "always";
-          RestartSec = "3";
-          ExecReload = mkIf (versionAtLeast (getVersion data.package) "1.1pre") "${data.package}/bin/tinc -n ${network} reload";
-          ExecStart = "${data.package}/bin/tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}";
+          preStart = ''
+            mkdir -p /etc/tinc/${network}/hosts
+            chown tinc.${network} /etc/tinc/${network}/hosts
+            mkdir -p /etc/tinc/${network}/invitations
+            chown tinc.${network} /etc/tinc/${network}/invitations
+
+            # Determine how we should generate our keys
+            if type tinc >/dev/null 2>&1; then
+              # Tinc 1.1+ uses the tinc helper application for key generation
+            ${if data.ed25519PrivateKeyFile != null then "  # ed25519 Keyfile managed by nix" else ''
+              # Prefer ED25519 keys (only in 1.1+)
+              [ -f "/etc/tinc/${network}/ed25519_key.priv" ] || tinc -n ${network} generate-ed25519-keys
+            ''}
+            ${if data.rsaPrivateKeyFile != null then "  # RSA Keyfile managed by nix" else ''
+              [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tinc -n ${network} generate-rsa-keys 4096
+            ''}
+              # In case there isn't anything to do
+              true
+            else
+              # Tinc 1.0 uses the tincd application
+              [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tincd -n ${network} -K 4096
+            fi
+          '';
+        })
+      );
+
+      environment.systemPackages = let
+        cli-wrappers = pkgs.stdenv.mkDerivation {
+          name = "tinc-cli-wrappers";
+          nativeBuildInputs = [ pkgs.makeWrapper ];
+          buildCommand = ''
+            mkdir -p $out/bin
+            ${concatStringsSep "\n" (mapAttrsToList (network: data:
+              optionalString (versionAtLeast data.package.version "1.1pre") ''
+                makeWrapper ${data.package}/bin/tinc "$out/bin/tinc.${network}" \
+                  --add-flags "--pidfile=/run/tinc.${network}.pid" \
+                  --add-flags "--config=/etc/tinc/${network}"
+              '') cfg.networks)}
+          '';
         };
-        preStart = ''
-          mkdir -p /etc/tinc/${network}/hosts
-          chown tinc.${network} /etc/tinc/${network}/hosts
-          mkdir -p /etc/tinc/${network}/invitations
-          chown tinc.${network} /etc/tinc/${network}/invitations
-
-          # Determine how we should generate our keys
-          if type tinc >/dev/null 2>&1; then
-            # Tinc 1.1+ uses the tinc helper application for key generation
-          ${if data.ed25519PrivateKeyFile != null then "  # ed25519 Keyfile managed by nix" else ''
-            # Prefer ED25519 keys (only in 1.1+)
-            [ -f "/etc/tinc/${network}/ed25519_key.priv" ] || tinc -n ${network} generate-ed25519-keys
-          ''}
-          ${if data.rsaPrivateKeyFile != null then "  # RSA Keyfile managed by nix" else ''
-            [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tinc -n ${network} generate-rsa-keys 4096
-          ''}
-            # In case there isn't anything to do
-            true
-          else
-            # Tinc 1.0 uses the tincd application
-            [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tincd -n ${network} -K 4096
-          fi
-        '';
-      })
-    );
-
-    environment.systemPackages = let
-      cli-wrappers = pkgs.stdenv.mkDerivation {
-        name = "tinc-cli-wrappers";
-        nativeBuildInputs = [ pkgs.makeWrapper ];
-        buildCommand = ''
-          mkdir -p $out/bin
-          ${concatStringsSep "\n" (mapAttrsToList (network: data:
-            optionalString (versionAtLeast data.package.version "1.1pre") ''
-              makeWrapper ${data.package}/bin/tinc "$out/bin/tinc.${network}" \
-                --add-flags "--pidfile=/run/tinc.${network}.pid" \
-                --add-flags "--config=/etc/tinc/${network}"
-            '') cfg.networks)}
-        '';
-      };
-    in [ cli-wrappers ];
-
-    users.users = flip mapAttrs' cfg.networks (network: _:
-      nameValuePair ("tinc.${network}") ({
-        description = "Tinc daemon user for ${network}";
-        isSystemUser = true;
-        group = "tinc.${network}";
-      })
-    );
-    users.groups = flip mapAttrs' cfg.networks (network: _:
-      nameValuePair "tinc.${network}" {}
-    );
-  };
+      in [ cli-wrappers ];
+
+      users.users = flip mapAttrs' cfg.networks (network: _:
+        nameValuePair ("tinc.${network}") ({
+          description = "Tinc daemon user for ${network}";
+          isSystemUser = true;
+          group = "tinc.${network}";
+        })
+      );
+      users.groups = flip mapAttrs' cfg.networks (network: _:
+        nameValuePair "tinc.${network}" {}
+      );
+    });
 
   meta.maintainers = with maintainers; [ minijackson mic92 ];
 }
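Review bot: The new `reloadTriggers` / `restartTriggers` on `tinc.${network}` serialise the whole merged `etcConfig`, so editing one network's `tinc.conf` or a single host file now reloads or restarts every tinc network on the host, whereas the removed line tracked only that network's own `tinc.conf`. Restricting the trigger to the network's own entries keeps the new host-file coverage without the cross-network restarts: `reloadTriggers = mkIf (versionAtLeast version "1.1pre") [ (builtins.toJSON (filterAttrs (n: _: hasPrefix "tinc/${network}/" n) etcConfig)) ];` and likewise for `restartTriggers`. Because the trigger text is embedded in the unit file in the Nix store, it should stay limited to what `environment.etc` already publishes, which the filtered form does.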
diff --git a/nixos/modules/services/networking/webhook.nix b/nixos/modules/services/networking/webhook.nix
new file mode 100644
index 0000000000000..b020db6961c32
--- /dev/null
+++ b/nixos/modules/services/networking/webhook.nix
@@ -0,0 +1,214 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.webhook;
+  defaultUser = "webhook";
+
+  hookFormat = pkgs.formats.json {};
+
+  hookType = types.submodule ({ name, ... }: {
+    freeformType = hookFormat.type;
+    options = {
+      id = mkOption {
+        type = types.str;
+        default = name;
+        description = mdDoc ''
+          The ID of your hook. This value is used to create the HTTP endpoint (`protocol://yourserver:port/prefix/''${id}`).
+        '';
+      };
+      execute-command = mkOption {
+        type = types.str;
+        description = mdDoc "The command that should be executed when the hook is triggered.";
+      };
+    };
+  });
+
+  hookFiles = mapAttrsToList (name: hook: hookFormat.generate "webhook-${name}.json" [ hook ]) cfg.hooks
+           ++ mapAttrsToList (name: hook: pkgs.writeText "webhook-${name}.json.tmpl" "[${hook}]") cfg.hooksTemplated;
+
+in {
+  options = {
+    services.webhook = {
+      enable = mkEnableOption (mdDoc ''
+        [Webhook](https://github.com/adnanh/webhook), a server written in Go that allows you to create HTTP endpoints (hooks),
+        which execute configured commands for any person or service that knows the URL
+      '');
+
+      package = mkPackageOption pkgs "webhook" {};
+      user = mkOption {
+        type = types.str;
+        default = defaultUser;
+        description = mdDoc ''
+          Webhook will be run under this user.
+
+          If set, you must create this user yourself!
+        '';
+      };
+      group = mkOption {
+        type = types.str;
+        default = defaultUser;
+        description = mdDoc ''
+          Webhook will be run under this group.
+
+          If set, you must create this group yourself!
+        '';
+      };
+      ip = mkOption {
+        type = types.str;
+        default = "0.0.0.0";
+        description = mdDoc ''
+          The IP webhook should serve hooks on.
+
+          The default means it can be reached on any interface if `openFirewall = true`.
+        '';
+      };
+      port = mkOption {
+        type = types.port;
+        default = 9000;
+        description = mdDoc "The port webhook should be reachable from.";
+      };
+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          Open the configured port in the firewall for external ingress traffic.
+          Preferably the Webhook server is instead put behind a reverse proxy.
+        '';
+      };
+      enableTemplates = mkOption {
+        type = types.bool;
+        default = cfg.hooksTemplated != {};
+        defaultText = literalExpression "hooksTemplated != {}";
+        description = mdDoc ''
+          Enable the generated hooks file to be parsed as a Go template.
+          See [the documentation](https://github.com/adnanh/webhook/blob/master/docs/Templates.md) for more information.
+        '';
+      };
+      urlPrefix = mkOption {
+        type = types.str;
+        default = "hooks";
+        description = mdDoc ''
+          The URL path prefix to use for served hooks (`protocol://yourserver:port/''${prefix}/hook-id`).
+        '';
+      };
+      hooks = mkOption {
+        type = types.attrsOf hookType;
+        default = {};
+        example = {
+          echo = {
+            execute-command = "echo";
+            response-message = "Webhook is reachable!";
+          };
+          redeploy-webhook = {
+            execute-command = "/var/scripts/redeploy.sh";
+            command-working-directory = "/var/webhook";
+          };
+        };
+        description = mdDoc ''
+          The actual configuration of which hooks will be served.
+
+          Read more on the [project homepage] and on the [hook definition] page.
+          At least one hook needs to be configured.
+
+          [hook definition]: https://github.com/adnanh/webhook/blob/master/docs/Hook-Definition.md
+          [project homepage]: https://github.com/adnanh/webhook#configuration
+        '';
+      };
+      hooksTemplated = mkOption {
+        type = types.attrsOf types.str;
+        default = {};
+        example = {
+          echo-template = ''
+            {
+              "id": "echo-template",
+              "execute-command": "echo",
+              "response-message": "{{ getenv "MESSAGE" }}"
+            }
+          '';
+        };
+        description = mdDoc ''
+          Same as {option}`hooks`, but these hooks are specified as literal strings instead of Nix values,
+          and hence can include [template syntax](https://github.com/adnanh/webhook/blob/master/docs/Templates.md)
+          which might not be representable as JSON.
+
+          Template syntax requires the {option}`enableTemplates` option to be set to `true`, which is
+          done by default if this option is set.
+        '';
+      };
+      verbose = mkOption {
+        type = types.bool;
+        default = true;
+        description = mdDoc "Whether to show verbose output.";
+      };
+      extraArgs = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        example = [ "-secure" ];
+        description = mdDoc ''
+          These are arguments passed to the webhook command in the systemd service.
+          You can find the available arguments and options in the [documentation][parameters].
+
+          [parameters]: https://github.com/adnanh/webhook/blob/master/docs/Webhook-Parameters.md
+        '';
+      };
+      environment = mkOption {
+        type = types.attrsOf types.str;
+        default = {};
+        description = mdDoc "Extra environment variables passed to webhook.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = let
+      overlappingHooks = builtins.intersectAttrs cfg.hooks cfg.hooksTemplated;
+    in [
+      {
+        assertion = hookFiles != [];
+        message = "At least one hook needs to be configured for webhook to run.";
+      }
+      {
+        assertion = overlappingHooks == {};
+        message = "`services.webhook.hooks` and `services.webhook.hooksTemplated` have overlapping attribute(s): ${concatStringsSep ", " (builtins.attrNames overlappingHooks)}";
+      }
+    ];
+
+    users.users = mkIf (cfg.user == defaultUser) {
+      ${defaultUser} =
+        {
+          isSystemUser = true;
+          group = cfg.group;
+          description = "Webhook daemon user";
+        };
+    };
+
+    users.groups = mkIf (cfg.user == defaultUser && cfg.group == defaultUser) {
+      ${defaultUser} = {};
+    };
+
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
+
+    systemd.services.webhook = {
+      description = "Webhook service";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      environment = config.networking.proxy.envVars // cfg.environment;
+      script = let
+        args = [ "-ip" cfg.ip "-port" (toString cfg.port) "-urlprefix" cfg.urlPrefix ]
+            ++ concatMap (hook: [ "-hooks" hook ]) hookFiles
+            ++ optional cfg.enableTemplates "-template"
+            ++ optional cfg.verbose "-verbose"
+            ++ cfg.extraArgs;
+      in ''
+        ${cfg.package}/bin/webhook ${escapeShellArgs args}
+      '';
+      serviceConfig = {
+        Restart = "on-failure";
+        User = cfg.user;
+        Group = cfg.group;
+      };
+    };
+  };
+}
diff --git a/nixos/modules/services/printing/cups-pdf.nix b/nixos/modules/services/printing/cups-pdf.nix
new file mode 100644
index 0000000000000..07f24367132f5
--- /dev/null
+++ b/nixos/modules/services/printing/cups-pdf.nix
@@ -0,0 +1,185 @@
+{ config, lib, pkgs, ... }:
+
+let
+
+  # cups calls its backends as user `lp` (which is good!),
+  # but cups-pdf wants to be called as `root`, so it can change ownership of files.
+  # We add a suid wrapper and a wrapper script to trick cups into calling the suid wrapper.
+  # Note that a symlink to the suid wrapper alone wouldn't suffice, cups would complain
+  # > File "/nix/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-cups-progs/lib/cups/backend/cups-pdf" has insecure permissions (0104554/uid=0/gid=20)
+
+  # wrapper script that redirects calls to the suid wrapper
+  cups-pdf-wrapper = pkgs.writeTextFile {
+    name = "${pkgs.cups-pdf-to-pdf.name}-wrapper.sh";
+    executable = true;
+    destination = "/lib/cups/backend/cups-pdf";
+    checkPhase = ''
+      ${pkgs.stdenv.shellDryRun} "$target"
+      ${lib.getExe pkgs.shellcheck} "$target"
+    '';
+    text = ''
+      #! ${pkgs.runtimeShell}
+      exec "${config.security.wrapperDir}/cups-pdf" "$@"
+    '';
+  };
+
+  # wrapped cups-pdf package that uses the suid wrapper
+  cups-pdf-wrapped = pkgs.buildEnv {
+    name = "${pkgs.cups-pdf-to-pdf.name}-wrapped";
+    # using the wrapper as first path ensures it is used
+    paths = [ cups-pdf-wrapper pkgs.cups-pdf-to-pdf ];
+    ignoreCollisions = true;
+  };
+
+  instanceSettings = name: {
+    freeformType = with lib.types; nullOr (oneOf [ int str path package ]);
+    # override defaults:
+    # inject instance name into paths,
+    # also avoid conflicts between user names and special dirs
+    options.Out = lib.mkOption {
+      type = with lib.types; nullOr singleLineStr;
+      default = "/var/spool/cups-pdf-${name}/users/\${USER}";
+      defaultText = "/var/spool/cups-pdf-{instance-name}/users/\${USER}";
+      example = "\${HOME}/cups-pdf";
+      description = lib.mdDoc ''
+        output directory;
+        `''${HOME}` will be expanded to the user's home directory,
+        `''${USER}` will be expanded to the user name.
+      '';
+    };
+    options.AnonDirName = lib.mkOption {
+      type = with lib.types; nullOr singleLineStr;
+      default = "/var/spool/cups-pdf-${name}/anonymous";
+      defaultText = "/var/spool/cups-pdf-{instance-name}/anonymous";
+      example = "/var/lib/cups-pdf";
+      description = lib.mdDoc "path for anonymously created PDF files";
+    };
+    options.Spool = lib.mkOption {
+      type = with lib.types; nullOr singleLineStr;
+      default = "/var/spool/cups-pdf-${name}/spool";
+      defaultText = "/var/spool/cups-pdf-{instance-name}/spool";
+      example = "/var/lib/cups-pdf";
+      description = lib.mdDoc "spool directory";
+    };
+    options.Anonuser = lib.mkOption {
+      type = lib.types.singleLineStr;
+      default = "root";
+      description = lib.mdDoc ''
+        User for anonymous PDF creation.
+        An empty string disables this feature.
+      '';
+    };
+    options.GhostScript = lib.mkOption {
+      type = with lib.types; nullOr path;
+      default = lib.getExe pkgs.ghostscript;
+      defaultText = lib.literalExpression "lib.getExe pkgs.ghostscript";
+      example = lib.literalExpression ''''${pkgs.ghostscript}/bin/ps2pdf'';
+      description = lib.mdDoc "location of GhostScript binary";
+    };
+  };
+
+  instanceConfig = { name, config, ... }: {
+    options = {
+      enable = (lib.mkEnableOption (lib.mdDoc "this cups-pdf instance")) // { default = true; };
+      installPrinter = (lib.mkEnableOption (lib.mdDoc ''
+        a CUPS printer queue for this instance.
+        The queue will be named after the instance and will use the {file}`CUPS-PDF_opt.ppd` ppd file.
+        If this is disabled, you need to add the queue yourself to use the instance
+      '')) // { default = true; };
+      confFileText = lib.mkOption {
+        type = lib.types.lines;
+        description = lib.mdDoc ''
+          This will contain the contents of {file}`cups-pdf.conf` for this instance, derived from {option}`settings`.
+          You can use this option to append text to the file.
+        '';
+      };
+      settings = lib.mkOption {
+        type = lib.types.submodule (instanceSettings name);
+        default = {};
+        example = {
+          Out = "\${HOME}/cups-pdf";
+          UserUMask = "0033";
+        };
+        description = lib.mdDoc ''
+          Settings for a cups-pdf instance, see the descriptions in the template config file in the cups-pdf package.
+          The key value pairs declared here will be translated into proper key value pairs for {file}`cups-pdf.conf`.
+          Setting a value to `null` disables the option and removes it from the file.
+        '';
+      };
+    };
+    config.confFileText = lib.pipe config.settings [
+      (lib.filterAttrs (key: value: value != null))
+      (lib.mapAttrs (key: builtins.toString))
+      (lib.mapAttrsToList (key: value: "${key} ${value}\n"))
+      lib.concatStrings
+    ];
+  };
+
+  cupsPdfCfg = config.services.printing.cups-pdf;
+
+  copyConfigFileCmds = lib.pipe cupsPdfCfg.instances [
+    (lib.filterAttrs (name: lib.getAttr "enable"))
+    (lib.mapAttrs (name: lib.getAttr "confFileText"))
+    (lib.mapAttrs (name: pkgs.writeText "cups-pdf-${name}.conf"))
+    (lib.mapAttrsToList (name: confFile: "ln --symbolic --no-target-directory ${confFile} /var/lib/cups/cups-pdf-${name}.conf\n"))
+    lib.concatStrings
+  ];
+
+  printerSettings = lib.pipe cupsPdfCfg.instances [
+    (lib.filterAttrs (name: lib.getAttr "enable"))
+    (lib.filterAttrs (name: lib.getAttr "installPrinter"))
+    (lib.mapAttrsToList (name: instance: (lib.mapAttrs (key: lib.mkDefault) {
+      inherit name;
+      model = "CUPS-PDF_opt.ppd";
+      deviceUri = "cups-pdf:/${name}";
+      description = "virtual printer for cups-pdf instance ${name}";
+      location = instance.settings.Out;
+    })))
+  ];
+
+in
+
+{
+
+  options.services.printing.cups-pdf = {
+    enable = lib.mkEnableOption (lib.mdDoc ''
+      the cups-pdf virtual pdf printer backend.
+      By default, this will install a single printer `pdf`.
+      but this can be changed/extended with {option}`services.printing.cups-pdf.instances`
+    '');
+    instances = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule instanceConfig);
+      default.pdf = {};
+      example.pdf.settings = {
+        Out = "\${HOME}/cups-pdf";
+        UserUMask = "0033";
+      };
+      description = lib.mdDoc ''
+        Permits to raise one or more cups-pdf instances.
+        Each instance is named by an attribute name, and the attribute's values control the instance' configuration.
+      '';
+    };
+  };
+
+  config = lib.mkIf cupsPdfCfg.enable {
+    services.printing.enable = true;
+    services.printing.drivers = [ cups-pdf-wrapped ];
+    hardware.printers.ensurePrinters = printerSettings;
+    # the cups module will install the default config file,
+    # but we don't need it and it would confuse cups-pdf
+    systemd.services.cups.preStart = lib.mkAfter ''
+      rm -f /var/lib/cups/cups-pdf.conf
+      ${copyConfigFileCmds}
+    '';
+    security.wrappers.cups-pdf = {
+      group = "lp";
+      owner = "root";
+      permissions = "+r,ug+x";
+      setuid = true;
+      source = "${pkgs.cups-pdf-to-pdf}/lib/cups/backend/cups-pdf";
+    };
+  };
+
+  meta.maintainers = [ lib.maintainers.yarny ];
+
+}
diff --git a/nixos/modules/services/system/cachix-agent/default.nix b/nixos/modules/services/system/cachix-agent/default.nix
index aa3b2153422ca..11769d4e3095f 100644
--- a/nixos/modules/services/system/cachix-agent/default.nix
+++ b/nixos/modules/services/system/cachix-agent/default.nix
@@ -67,7 +67,8 @@ in {
       serviceConfig = {
         # we don't want to kill children processes as those are deployments
         KillMode = "process";
-        Restart = "on-failure";
+        Restart = "always";
+        RestartSec = 5;
         EnvironmentFile = cfg.credentialsFile;
         ExecStart = ''
           ${cfg.package}/bin/cachix ${lib.optionalString cfg.verbose "--verbose"} ${lib.optionalString (cfg.host != null) "--host ${cfg.host}"} \
diff --git a/nixos/modules/services/web-apps/akkoma.md b/nixos/modules/services/web-apps/akkoma.md
new file mode 100644
index 0000000000000..fc849be0c8726
--- /dev/null
+++ b/nixos/modules/services/web-apps/akkoma.md
@@ -0,0 +1,332 @@
+# Akkoma {#module-services-akkoma}
+
+[Akkoma](https://akkoma.dev/) is a lightweight ActivityPub microblogging server forked from Pleroma.
+
+## Service configuration {#modules-services-akkoma-service-configuration}
+
+The Elixir configuration file required by Akkoma is generated automatically from
+[{option}`services.akkoma.config`](options.html#opt-services.akkoma.config). Secrets must be
+included from external files outside of the Nix store by setting the configuration option to
+an attribute set containing the attribute {option}`_secret` – a string pointing to the file
+containing the actual value of the option.
+
+For the mandatory configuration settings these secrets will be generated automatically if the
+referenced file does not exist during startup, unless disabled through
+[{option}`services.akkoma.initSecrets`](options.html#opt-services.akkoma.initSecrets).
+
+The following configuration binds Akkoma to the Unix socket `/run/akkoma/socket`, expecting to
+be run behind a HTTP proxy on `fediverse.example.com`.
+
+
+```nix
+services.akkoma.enable = true;
+services.akkoma.config = {
+  ":pleroma" = {
+    ":instance" = {
+      name = "My Akkoma instance";
+      description = "More detailed description";
+      email = "admin@example.com";
+      registration_open = false;
+    };
+
+    "Pleroma.Web.Endpoint" = {
+      url.host = "fediverse.example.com";
+    };
+  };
+};
+```
+
+Please refer to the [configuration cheat sheet](https://docs.akkoma.dev/stable/configuration/cheatsheet/)
+for additional configuration options.
+
+## User management {#modules-services-akkoma-user-management}
+
+After the Akkoma service is running, the administration utility can be used to
+[manage users](https://docs.akkoma.dev/stable/administration/CLI_tasks/user/). In particular an
+administrative user can be created with
+
+```ShellSession
+$ pleroma_ctl user new <nickname> <email> --admin --moderator --password <password>
+```
+
+## Proxy configuration {#modules-services-akkoma-proxy-configuration}
+
+Although it is possible to expose Akkoma directly, it is common practice to operate it behind an
+HTTP reverse proxy such as nginx.
+
+```nix
+services.akkoma.nginx = {
+  enableACME = true;
+  forceSSL = true;
+};
+
+services.nginx = {
+  enable = true;
+
+  clientMaxBodySize = "16m";
+  recommendedTlsSettings = true;
+  recommendedOptimisation = true;
+  recommendedGzipSettings = true;
+};
+```
+
+Please refer to [](#module-security-acme) for details on how to provision an SSL/TLS certificate.
+
+### Media proxy {#modules-services-akkoma-media-proxy}
+
+Without the media proxy function, Akkoma does not store any remote media like pictures or video
+locally, and clients have to fetch them directly from the source server.
+
+```nix
+# Enable nginx slice module distributed with Tengine
+services.nginx.package = pkgs.tengine;
+
+# Enable media proxy
+services.akkoma.config.":pleroma".":media_proxy" = {
+  enabled = true;
+  proxy_opts.redirect_on_failure = true;
+};
+
+# Adjust the persistent cache size as needed:
+#  Assuming an average object size of 128 KiB, around 1 MiB
+#  of memory is required for the key zone per GiB of cache.
+# Ensure that the cache directory exists and is writable by nginx.
+services.nginx.commonHttpConfig = ''
+  proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache
+    levels= keys_zone=akkoma_media_cache:16m max_size=16g
+    inactive=1y use_temp_path=off;
+'';
+
+services.akkoma.nginx = {
+  locations."/proxy" = {
+    proxyPass = "http://unix:/run/akkoma/socket";
+
+    extraConfig = ''
+      proxy_cache akkoma_media_cache;
+
+      # Cache objects in slices of 1 MiB
+      slice 1m;
+      proxy_cache_key $host$uri$is_args$args$slice_range;
+      proxy_set_header Range $slice_range;
+
+      # Decouple proxy and upstream responses
+      proxy_buffering on;
+      proxy_cache_lock on;
+      proxy_ignore_client_abort on;
+
+      # Default cache times for various responses
+      proxy_cache_valid 200 1y;
+      proxy_cache_valid 206 301 304 1h;
+
+      # Allow serving of stale items
+      proxy_cache_use_stale error timeout invalid_header updating;
+    '';
+  };
+};
+```
+
+#### Prefetch remote media {#modules-services-akkoma-prefetch-remote-media}
+
+The following example enables the `MediaProxyWarmingPolicy` MRF policy which automatically
+fetches all media associated with a post through the media proxy, as soon as the post is
+received by the instance.
+
+```nix
+services.akkoma.config.":pleroma".":mrf".policies =
+  map (pkgs.formats.elixirConf { }).lib.mkRaw [
+    "Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy"
+];
+```
+
+#### Media previews {#modules-services-akkoma-media-previews}
+
+Akkoma can generate previews for media.
+
+```nix
+services.akkoma.config.":pleroma".":media_preview_proxy" = {
+  enabled = true;
+  thumbnail_max_width = 1920;
+  thumbnail_max_height = 1080;
+};
+```
+
+## Frontend management {#modules-services-akkoma-frontend-management}
+
+Akkoma will be deployed with the `pleroma-fe` and `admin-fe` frontends by default. These can be
+modified by setting
+[{option}`services.akkoma.frontends`](options.html#opt-services.akkoma.frontends).
+
+The following example overrides the primary frontend’s default configuration using a custom
+derivation.
+
+```nix
+services.akkoma.frontends.primary.package = pkgs.runCommand "pleroma-fe" {
+  config = builtins.toJSON {
+    expertLevel = 1;
+    collapseMessageWithSubject = false;
+    stopGifs = false;
+    replyVisibility = "following";
+    webPushHideIfCW = true;
+    hideScopeNotice = true;
+    renderMisskeyMarkdown = false;
+    hideSiteFavicon = true;
+    postContentType = "text/markdown";
+    showNavShortcuts = false;
+  };
+  nativeBuildInputs = with pkgs; [ jq xorg.lndir ];
+  passAsFile = [ "config" ];
+} ''
+  mkdir $out
+  lndir ${pkgs.akkoma-frontends.pleroma-fe} $out
+
+  rm $out/static/config.json
+  jq -s add ${pkgs.akkoma-frontends.pleroma-fe}/static/config.json ${config} \
+    >$out/static/config.json
+'';
+```
+
+## Federation policies {#modules-services-akkoma-federation-policies}
+
+Akkoma comes with a number of modules to police federation with other ActivityPub instances.
+The most valuable for typical users is the
+[`:mrf_simple`](https://docs.akkoma.dev/stable/configuration/cheatsheet/#mrf_simple) module
+which allows limiting federation based on instance hostnames.
+
+This configuration snippet provides an example on how these can be used. Choosing an adequate
+federation policy is not trivial and entails finding a balance between connectivity to the rest
+of the fediverse and providing a pleasant experience to the users of an instance.
+
+
+```nix
+services.akkoma.config.":pleroma" = with (pkgs.formats.elixirConf { }).lib; {
+  ":mrf".policies = map mkRaw [
+    "Pleroma.Web.ActivityPub.MRF.SimplePolicy"
+  ];
+
+  ":mrf_simple" = {
+    # Tag all media as sensitive
+    media_nsfw = mkMap {
+      "nsfw.weird.kinky" = "Untagged NSFW content";
+    };
+
+    # Reject all activities except deletes
+    reject = mkMap {
+      "kiwifarms.cc" = "Persistent harassment of users, no moderation";
+    };
+
+    # Force posts to be visible by followers only
+    followers_only = mkMap {
+      "beta.birdsite.live" = "Avoid polluting timelines with Twitter posts";
+    };
+  };
+};
+```
+
+## Upload filters {#modules-services-akkoma-upload-filters}
+
+This example strips GPS and location metadata from uploads, deduplicates them and anonymises the
+the file name.
+
+```nix
+services.akkoma.config.":pleroma"."Pleroma.Upload".filters =
+  map (pkgs.formats.elixirConf { }).lib.mkRaw [
+    "Pleroma.Upload.Filter.Exiftool"
+    "Pleroma.Upload.Filter.Dedupe"
+    "Pleroma.Upload.Filter.AnonymizeFilename"
+  ];
+```
+
+## Migration from Pleroma {#modules-services-akkoma-migration-pleroma}
+
+Pleroma instances can be migrated to Akkoma either by copying the database and upload data or by
+pointing Akkoma to the existing data. The necessary database migrations are run automatically
+during startup of the service.
+
+The configuration has to be copy‐edited manually.
+
+Depending on the size of the database, the initial migration may take a long time and exceed the
+startup timeout of the system manager. To work around this issue one may adjust the startup timeout
+{option}`systemd.services.akkoma.serviceConfig.TimeoutStartSec` or simply run the migrations
+manually:
+
+```ShellSession
+pleroma_ctl migrate
+```
+
+### Copying data {#modules-services-akkoma-migration-pleroma-copy}
+
+Copying the Pleroma data instead of re‐using it in place may permit easier reversion to Pleroma,
+but allows the two data sets to diverge.
+
+First disable Pleroma and then copy its database and upload data:
+
+```ShellSession
+# Create a copy of the database
+nix-shell -p postgresql --run 'createdb -T pleroma akkoma'
+
+# Copy upload data
+mkdir /var/lib/akkoma
+cp -R --reflink=auto /var/lib/pleroma/uploads /var/lib/akkoma/
+```
+
+After the data has been copied, enable the Akkoma service and verify that the migration has been
+successful. If no longer required, the original data may then be deleted:
+
+```ShellSession
+# Delete original database
+nix-shell -p postgresql --run 'dropdb pleroma'
+
+# Delete original Pleroma state
+rm -r /var/lib/pleroma
+```
+
+### Re‐using data {#modules-services-akkoma-migration-pleroma-reuse}
+
+To re‐use the Pleroma data in place, disable Pleroma and enable Akkoma, pointing it to the
+Pleroma database and upload directory.
+
+```nix
+# Adjust these settings according to the database name and upload directory path used by Pleroma
+services.akkoma.config.":pleroma"."Pleroma.Repo".database = "pleroma";
+services.akkoma.config.":pleroma".":instance".upload_dir = "/var/lib/pleroma/uploads";
+```
+
+Please keep in mind that after the Akkoma service has been started, any migrations applied by
+Akkoma have to be rolled back before the database can be used again with Pleroma. This can be
+achieved through `pleroma_ctl ecto.rollback`. Refer to the
+[Ecto SQL documentation](https://hexdocs.pm/ecto_sql/Mix.Tasks.Ecto.Rollback.html) for
+details.
+
+## Advanced deployment options {#modules-services-akkoma-advanced-deployment}
+
+### Confinement {#modules-services-akkoma-confinement}
+
+The Akkoma systemd service may be confined to a chroot with
+
+```nix
+services.systemd.akkoma.confinement.enable = true;
+```
+
+Confinement of services is not generally supported in NixOS and therefore disabled by default.
+Depending on the Akkoma configuration, the default confinement settings may be insufficient and
+lead to subtle errors at run time, requiring adjustment:
+
+Use
+[{option}`services.systemd.akkoma.confinement.packages`](options.html#opt-systemd.services._name_.confinement.packages)
+to make packages available in the chroot.
+
+{option}`services.systemd.akkoma.serviceConfig.BindPaths` and
+{option}`services.systemd.akkoma.serviceConfig.BindReadOnlyPaths` permit access to outside paths
+through bind mounts. Refer to
+[{manpage}`systemd.exec(5)`](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#BindPaths=)
+for details.
+
+### Distributed deployment {#modules-services-akkoma-distributed-deployment}
+
+Being an Elixir application, Akkoma can be deployed in a distributed fashion.
+
+This requires setting
+[{option}`services.akkoma.dist.address`](options.html#opt-services.akkoma.dist.address) and
+[{option}`services.akkoma.dist.cookie`](options.html#opt-services.akkoma.dist.cookie). The
+specifics depend strongly on the deployment environment. For more information please check the
+relevant [Erlang documentation](https://www.erlang.org/doc/reference_manual/distributed.html).
diff --git a/nixos/modules/services/web-apps/akkoma.nix b/nixos/modules/services/web-apps/akkoma.nix
new file mode 100644
index 0000000000000..47ba53e42221a
--- /dev/null
+++ b/nixos/modules/services/web-apps/akkoma.nix
@@ -0,0 +1,1086 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.akkoma;
+  ex = cfg.config;
+  db = ex.":pleroma"."Pleroma.Repo";
+  web = ex.":pleroma"."Pleroma.Web.Endpoint";
+
+  isConfined = config.systemd.services.akkoma.confinement.enable;
+  hasSmtp = (attrByPath [ ":pleroma" "Pleroma.Emails.Mailer" "adapter" "value" ] null ex) == "Swoosh.Adapters.SMTP";
+
+  isAbsolutePath = v: isString v && substring 0 1 v == "/";
+  isSecret = v: isAttrs v && v ? _secret && isAbsolutePath v._secret;
+
+  absolutePath = with types; mkOptionType {
+    name = "absolutePath";
+    description = "absolute path";
+    descriptionClass = "noun";
+    check = isAbsolutePath;
+    inherit (str) merge;
+  };
+
+  secret = mkOptionType {
+    name = "secret";
+    description = "secret value";
+    descriptionClass = "noun";
+    check = isSecret;
+    nestedTypes = {
+      _secret = absolutePath;
+    };
+  };
+
+  ipAddress = with types; mkOptionType {
+    name = "ipAddress";
+    description = "IPv4 or IPv6 address";
+    descriptionClass = "conjunction";
+    check = x: str.check x && builtins.match "[.0-9:A-Fa-f]+" x != null;
+    inherit (str) merge;
+  };
+
+  elixirValue = let
+    elixirValue' = with types;
+      nullOr (oneOf [ bool int float str (attrsOf elixirValue') (listOf elixirValue') ]) // {
+        description = "Elixir value";
+      };
+  in elixirValue';
+
+  frontend = {
+    options = {
+      package = mkOption {
+        type = types.package;
+        description = mdDoc "Akkoma frontend package.";
+        example = literalExpression "pkgs.akkoma-frontends.pleroma-fe";
+      };
+
+      name = mkOption {
+        type = types.nonEmptyStr;
+        description = mdDoc "Akkoma frontend name.";
+        example = "pleroma-fe";
+      };
+
+      ref = mkOption {
+        type = types.nonEmptyStr;
+        description = mdDoc "Akkoma frontend reference.";
+        example = "stable";
+      };
+    };
+  };
+
+  sha256 = builtins.hashString "sha256";
+
+  replaceSec = let
+    replaceSec' = { }@args: v:
+      if isAttrs v
+        then if v ? _secret
+          then if isAbsolutePath v._secret
+            then sha256 v._secret
+            else abort "Invalid secret path (_secret = ${v._secret})"
+          else mapAttrs (_: val: replaceSec' args val) v
+        else if isList v
+          then map (replaceSec' args) v
+          else v;
+    in replaceSec' { };
+
+  # Erlang/Elixir uses a somewhat special format for IP addresses
+  erlAddr = addr: fileContents
+    (pkgs.runCommand addr {
+      nativeBuildInputs = with pkgs; [ elixir ];
+      code = ''
+        case :inet.parse_address('${addr}') do
+          {:ok, addr} -> IO.inspect addr
+          {:error, _} -> System.halt(65)
+        end
+      '';
+      passAsFile = [ "code" ];
+    } ''elixir "$codePath" >"$out"'');
+
+  format = pkgs.formats.elixirConf { };
+  configFile = format.generate "config.exs"
+    (replaceSec
+      (attrsets.updateManyAttrsByPath [{
+        path = [ ":pleroma" "Pleroma.Web.Endpoint" "http" "ip" ];
+        update = addr:
+          if isAbsolutePath addr
+            then format.lib.mkTuple
+              [ (format.lib.mkAtom ":local") addr ]
+            else format.lib.mkRaw (erlAddr addr);
+      }] cfg.config));
+
+  writeShell = { name, text, runtimeInputs ? [ ] }:
+    pkgs.writeShellApplication { inherit name text runtimeInputs; } + "/bin/${name}";
+
+  genScript = writeShell {
+    name = "akkoma-gen-cookie";
+    runtimeInputs = with pkgs; [ coreutils util-linux ];
+    text = ''
+      install -m 0400 \
+        -o ${escapeShellArg cfg.user } \
+        -g ${escapeShellArg cfg.group} \
+        <(hexdump -n 16 -e '"%02x"' /dev/urandom) \
+        "$RUNTIME_DIRECTORY/cookie"
+    '';
+  };
+
+  copyScript = writeShell {
+    name = "akkoma-copy-cookie";
+    runtimeInputs = with pkgs; [ coreutils ];
+    text = ''
+      install -m 0400 \
+        -o ${escapeShellArg cfg.user} \
+        -g ${escapeShellArg cfg.group} \
+        ${escapeShellArg cfg.dist.cookie._secret} \
+        "$RUNTIME_DIRECTORY/cookie"
+    '';
+  };
+
+  secretPaths = catAttrs "_secret" (collect isSecret cfg.config);
+
+  vapidKeygen = pkgs.writeText "vapidKeygen.exs" ''
+    [public_path, private_path] = System.argv()
+    {public_key, private_key} = :crypto.generate_key :ecdh, :prime256v1
+    File.write! public_path, Base.url_encode64(public_key, padding: false)
+    File.write! private_path, Base.url_encode64(private_key, padding: false)
+  '';
+
+  initSecretsScript = writeShell {
+    name = "akkoma-init-secrets";
+    runtimeInputs = with pkgs; [ coreutils elixir ];
+    text = let
+      key-base = web.secret_key_base;
+      jwt-signer = ex.":joken".":default_signer";
+      signing-salt = web.signing_salt;
+      liveview-salt = web.live_view.signing_salt;
+      vapid-private = ex.":web_push_encryption".":vapid_details".private_key;
+      vapid-public = ex.":web_push_encryption".":vapid_details".public_key;
+    in ''
+      secret() {
+        # Generate default secret if non‐existent
+        test -e "$2" || install -D -m 0600 <(tr -dc 'A-Za-z-._~' </dev/urandom | head -c "$1") "$2"
+        if [ "$(stat --dereference --format='%s' "$2")" -lt "$1" ]; then
+          echo "Secret '$2' is smaller than minimum size of $1 bytes." >&2
+          exit 65
+        fi
+      }
+
+      secret 64 ${escapeShellArg key-base._secret}
+      secret 64 ${escapeShellArg jwt-signer._secret}
+      secret 8 ${escapeShellArg signing-salt._secret}
+      secret 8 ${escapeShellArg liveview-salt._secret}
+
+      ${optionalString (isSecret vapid-public) ''
+        { test -e ${escapeShellArg vapid-private._secret} && \
+          test -e ${escapeShellArg vapid-public._secret}; } || \
+            elixir ${escapeShellArgs [ vapidKeygen vapid-public._secret vapid-private._secret ]}
+      ''}
+    '';
+  };
+
+  configScript = writeShell {
+    name = "akkoma-config";
+    runtimeInputs = with pkgs; [ coreutils replace-secret ];
+    text = ''
+      cd "$RUNTIME_DIRECTORY"
+      tmp="$(mktemp config.exs.XXXXXXXXXX)"
+      trap 'rm -f "$tmp"' EXIT TERM
+
+      cat ${escapeShellArg configFile} >"$tmp"
+      ${concatMapStrings (file: ''
+        replace-secret ${escapeShellArgs [ (sha256 file) file ]} "$tmp"
+      '') secretPaths}
+
+      chown ${escapeShellArg cfg.user}:${escapeShellArg cfg.group} "$tmp"
+      chmod 0400 "$tmp"
+      mv -f "$tmp" config.exs
+    '';
+  };
+
+  pgpass = let
+    esc = escape [ ":" ''\'' ];
+  in if (cfg.initDb.password != null)
+    then pkgs.writeText "pgpass.conf" ''
+      *:*:*${esc cfg.initDb.username}:${esc (sha256 cfg.initDb.password._secret)}
+    ''
+    else null;
+
+  escapeSqlId = x: ''"${replaceStrings [ ''"'' ] [ ''""'' ] x}"'';
+  escapeSqlStr = x: "'${replaceStrings [ "'" ] [ "''" ] x}'";
+
+  setupSql = pkgs.writeText "setup.psql" ''
+    \set ON_ERROR_STOP on
+
+    ALTER ROLE ${escapeSqlId db.username}
+      LOGIN PASSWORD ${if db ? password
+        then "${escapeSqlStr (sha256 db.password._secret)}"
+        else "NULL"};
+
+    ALTER DATABASE ${escapeSqlId db.database}
+      OWNER TO ${escapeSqlId db.username};
+
+    \connect ${escapeSqlId db.database}
+    CREATE EXTENSION IF NOT EXISTS citext;
+    CREATE EXTENSION IF NOT EXISTS pg_trgm;
+    CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+  '';
+
+  dbHost = if db ? socket_dir then db.socket_dir
+    else if db ? socket then db.socket
+      else if db ? hostname then db.hostname
+        else null;
+
+  initDbScript = writeShell {
+    name = "akkoma-initdb";
+    runtimeInputs = with pkgs; [ coreutils replace-secret config.services.postgresql.package ];
+    text = ''
+      pgpass="$(mktemp -t pgpass-XXXXXXXXXX.conf)"
+      setupSql="$(mktemp -t setup-XXXXXXXXXX.psql)"
+      trap 'rm -f "$pgpass $setupSql"' EXIT TERM
+
+      ${optionalString (dbHost != null) ''
+        export PGHOST=${escapeShellArg dbHost}
+      ''}
+      export PGUSER=${escapeShellArg cfg.initDb.username}
+      ${optionalString (pgpass != null) ''
+        cat ${escapeShellArg pgpass} >"$pgpass"
+        replace-secret ${escapeShellArgs [
+          (sha256 cfg.initDb.password._secret) cfg.initDb.password._secret ]} "$pgpass"
+        export PGPASSFILE="$pgpass"
+      ''}
+
+      cat ${escapeShellArg setupSql} >"$setupSql"
+      ${optionalString (db ? password) ''
+        replace-secret ${escapeShellArgs [
+         (sha256 db.password._secret) db.password._secret ]} "$setupSql"
+      ''}
+
+      # Create role if non‐existent
+      psql -tAc "SELECT 1 FROM pg_roles
+        WHERE rolname = "${escapeShellArg (escapeSqlStr db.username)} | grep -F -q 1 || \
+        psql -tAc "CREATE ROLE "${escapeShellArg (escapeSqlId db.username)}
+
+      # Create database if non‐existent
+      psql -tAc "SELECT 1 FROM pg_database
+        WHERE datname = "${escapeShellArg (escapeSqlStr db.database)} | grep -F -q 1 || \
+        psql -tAc "CREATE DATABASE "${escapeShellArg (escapeSqlId db.database)}"
+          OWNER "${escapeShellArg (escapeSqlId db.username)}"
+          TEMPLATE template0
+          ENCODING 'utf8'
+          LOCALE 'C'"
+
+      psql -f "$setupSql"
+    '';
+  };
+
+  envWrapper = let
+    script = writeShell {
+      name = "akkoma-env";
+      text = ''
+        cd "${cfg.package}"
+
+        RUNTIME_DIRECTORY="''${RUNTIME_DIRECTORY:-/run/akkoma}"
+        AKKOMA_CONFIG_PATH="$RUNTIME_DIRECTORY/config.exs" \
+        ERL_EPMD_ADDRESS="${cfg.dist.address}" \
+        ERL_EPMD_PORT="${toString cfg.dist.epmdPort}" \
+        ERL_FLAGS="${concatStringsSep " " [
+          "-kernel inet_dist_use_interface '${erlAddr cfg.dist.address}'"
+          "-kernel inet_dist_listen_min ${toString cfg.dist.portMin}"
+          "-kernel inet_dist_listen_max ${toString cfg.dist.portMax}"
+        ]}" \
+        RELEASE_COOKIE="$(<"$RUNTIME_DIRECTORY/cookie")" \
+        RELEASE_NAME="akkoma" \
+          exec "${cfg.package}/bin/$(basename "$0")" "$@"
+      '';
+    };
+  in pkgs.runCommandLocal "akkoma-env" { } ''
+    mkdir -p "$out/bin"
+
+    ln -r -s ${escapeShellArg script} "$out/bin/pleroma"
+    ln -r -s ${escapeShellArg script} "$out/bin/pleroma_ctl"
+  '';
+
+  userWrapper = pkgs.writeShellApplication {
+    name = "pleroma_ctl";
+    text = ''
+      if [ "''${1-}" == "update" ]; then
+        echo "OTP releases are not supported on NixOS." >&2
+        exit 64
+      fi
+
+      exec sudo -u ${escapeShellArg cfg.user} \
+        "${envWrapper}/bin/pleroma_ctl" "$@"
+    '';
+  };
+
+  socketScript = if isAbsolutePath web.http.ip
+    then writeShell {
+      name = "akkoma-socket";
+      runtimeInputs = with pkgs; [ coreutils inotify-tools ];
+      text = ''
+        coproc {
+          inotifywait -q -m -e create ${escapeShellArg (dirOf web.http.ip)}
+        }
+
+        trap 'kill "$COPROC_PID"' EXIT TERM
+
+        until test -S ${escapeShellArg web.http.ip}
+          do read -r -u "''${COPROC[0]}"
+        done
+
+        chmod 0666 ${escapeShellArg web.http.ip}
+      '';
+    }
+    else null;
+
+  staticDir = ex.":pleroma".":instance".static_dir;
+  uploadDir = ex.":pleroma".":instance".upload_dir;
+
+  staticFiles = pkgs.runCommandLocal "akkoma-static" { } ''
+    ${concatStringsSep "\n" (mapAttrsToList (key: val: ''
+      mkdir -p $out/frontends/${escapeShellArg val.name}/
+      ln -s ${escapeShellArg val.package} $out/frontends/${escapeShellArg val.name}/${escapeShellArg val.ref}
+    '') cfg.frontends)}
+
+    ${optionalString (cfg.extraStatic != null)
+      (concatStringsSep "\n" (mapAttrsToList (key: val: ''
+        mkdir -p "$out/$(dirname ${escapeShellArg key})"
+        ln -s ${escapeShellArg val} $out/${escapeShellArg key}
+      '') cfg.extraStatic))}
+  '';
+in {
+  options = {
+    services.akkoma = {
+      enable = mkEnableOption (mdDoc "Akkoma");
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.akkoma;
+        defaultText = literalExpression "pkgs.akkoma";
+        description = mdDoc "Akkoma package to use.";
+      };
+
+      user = mkOption {
+        type = types.nonEmptyStr;
+        default = "akkoma";
+        description = mdDoc "User account under which Akkoma runs.";
+      };
+
+      group = mkOption {
+        type = types.nonEmptyStr;
+        default = "akkoma";
+        description = mdDoc "Group account under which Akkoma runs.";
+      };
+
+      initDb = {
+        enable = mkOption {
+          type = types.bool;
+          default = true;
+          description = mdDoc ''
+            Whether to automatically initialise the database on startup. This will create a
+            database role and database if they do not already exist, and (re)set the role password
+            and the ownership of the database.
+
+            This setting can be used safely even if the database already exists and contains data.
+
+            The database settings are configured through
+            [{option}`config.services.akkoma.config.":pleroma"."Pleroma.Repo"`](#opt-services.akkoma.config.__pleroma_._Pleroma.Repo_).
+
+            If disabled, the database has to be set up manually:
+
+            ```SQL
+            CREATE ROLE akkoma LOGIN;
+
+            CREATE DATABASE akkoma
+              OWNER akkoma
+              TEMPLATE template0
+              ENCODING 'utf8'
+              LOCALE 'C';
+
+            \connect akkoma
+            CREATE EXTENSION IF NOT EXISTS citext;
+            CREATE EXTENSION IF NOT EXISTS pg_trgm;
+            CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+            ```
+          '';
+        };
+
+        username = mkOption {
+          type = types.nonEmptyStr;
+          default = config.services.postgresql.superUser;
+          defaultText = literalExpression "config.services.postgresql.superUser";
+          description = mdDoc ''
+            Name of the database user to initialise the database with.
+
+            This user is required to have the `CREATEROLE` and `CREATEDB` capabilities.
+          '';
+        };
+
+        password = mkOption {
+          type = types.nullOr secret;
+          default = null;
+          description = mdDoc ''
+            Password of the database user to initialise the database with.
+
+            If set to `null`, no password will be used.
+
+            The attribute `_secret` should point to a file containing the secret.
+          '';
+        };
+      };
+
+      initSecrets = mkOption {
+        type = types.bool;
+        default = true;
+        description = mdDoc ''
+          Whether to initialise non‐existent secrets with random values.
+
+          If enabled, appropriate secrets for the following options will be created automatically
+          if the files referenced in the `_secrets` attribute do not exist during startup.
+
+          - {option}`config.":pleroma"."Pleroma.Web.Endpoint".secret_key_base`
+          - {option}`config.":pleroma"."Pleroma.Web.Endpoint".signing_salt`
+          - {option}`config.":pleroma"."Pleroma.Web.Endpoint".live_view.signing_salt`
+          - {option}`config.":web_push_encryption".":vapid_details".private_key`
+          - {option}`config.":web_push_encryption".":vapid_details".public_key`
+          - {option}`config.":joken".":default_signer"`
+        '';
+      };
+
+      installWrapper = mkOption {
+        type = types.bool;
+        default = true;
+        description = mdDoc ''
+          Whether to install a wrapper around `pleroma_ctl` to simplify administration of the
+          Akkoma instance.
+        '';
+      };
+
+      extraPackages = mkOption {
+        type = with types; listOf package;
+        default = with pkgs; [ exiftool ffmpeg_5-headless graphicsmagick-imagemagick-compat ];
+        defaultText = literalExpression "with pkgs; [ exiftool graphicsmagick-imagemagick-compat ffmpeg_5-headless ]";
+        example = literalExpression "with pkgs; [ exiftool imagemagick ffmpeg_5-full ]";
+        description = mdDoc ''
+          List of extra packages to include in the executable search path of the service unit.
+          These are needed by various configurable components such as:
+
+          - ExifTool for the `Pleroma.Upload.Filter.Exiftool` upload filter,
+          - ImageMagick for still image previews in the media proxy as well as for the
+            `Pleroma.Upload.Filters.Mogrify` upload filter, and
+          - ffmpeg for video previews in the media proxy.
+        '';
+      };
+
+      frontends = mkOption {
+        description = mdDoc "Akkoma frontends.";
+        type = with types; attrsOf (submodule frontend);
+        default = {
+          primary = {
+            package = pkgs.akkoma-frontends.pleroma-fe;
+            name = "pleroma-fe";
+            ref = "stable";
+          };
+          admin = {
+            package = pkgs.akkoma-frontends.admin-fe;
+            name = "admin-fe";
+            ref = "stable";
+          };
+        };
+        defaultText = literalExpression ''
+          {
+            primary = {
+              package = pkgs.akkoma-frontends.pleroma-fe;
+              name = "pleroma-fe";
+              ref = "stable";
+            };
+            admin = {
+              package = pkgs.akkoma-frontends.admin-fe;
+              name = "admin-fe";
+              ref = "stable";
+            };
+          }
+        '';
+      };
+
+      extraStatic = mkOption {
+        type = with types; nullOr (attrsOf package);
+        description = mdDoc ''
+          Attribute set of extra packages to add to the static files directory.
+
+          Do not add frontends here. These should be configured through
+          [{option}`services.akkoma.frontends`](#opt-services.akkoma.frontends).
+        '';
+        default = null;
+        example = literalExpression ''
+          {
+            "emoji/blobs.gg" = pkgs.akkoma-emoji.blobs_gg;
+            "static/terms-of-service.html" = pkgs.writeText "terms-of-service.html" '''
+              …
+            ''';
+            "favicon.png" = let
+              rev = "697a8211b0f427a921e7935a35d14bb3e32d0a2c";
+            in pkgs.stdenvNoCC.mkDerivation {
+              name = "favicon.png";
+
+              src = pkgs.fetchurl {
+                url = "https://raw.githubusercontent.com/TilCreator/NixOwO/''${rev}/NixOwO_plain.svg";
+                hash = "sha256-tWhHMfJ3Od58N9H5yOKPMfM56hYWSOnr/TGCBi8bo9E=";
+              };
+
+              nativeBuildInputs = with pkgs; [ librsvg ];
+
+              dontUnpack = true;
+              installPhase = '''
+                rsvg-convert -o $out -w 96 -h 96 $src
+              ''';
+            };
+          }
+        '';
+      };
+
+      dist = {
+        address = mkOption {
+          type = ipAddress;
+          default = "127.0.0.1";
+          description = mdDoc ''
+            Listen address for Erlang distribution protocol and Port Mapper Daemon (epmd).
+          '';
+        };
+
+        epmdPort = mkOption {
+          type = types.port;
+          default = 4369;
+          description = mdDoc "TCP port to bind Erlang Port Mapper Daemon to.";
+        };
+
+        portMin = mkOption {
+          type = types.port;
+          default = 49152;
+          description = mdDoc "Lower bound for Erlang distribution protocol TCP port.";
+        };
+
+        portMax = mkOption {
+          type = types.port;
+          default = 65535;
+          description = mdDoc "Upper bound for Erlang distribution protocol TCP port.";
+        };
+
+        cookie = mkOption {
+          type = types.nullOr secret;
+          default = null;
+          example = { _secret = "/var/lib/secrets/akkoma/releaseCookie"; };
+          description = mdDoc ''
+            Erlang release cookie.
+
+            If set to `null`, a temporary random cookie will be generated.
+          '';
+        };
+      };
+
+      config = mkOption {
+        description = mdDoc ''
+          Configuration for Akkoma. The attributes are serialised to Elixir DSL.
+
+          Refer to <https://docs.akkoma.dev/stable/configuration/cheatsheet/> for
+          configuration options.
+
+          Settings containing secret data should be set to an attribute set containing the
+          attribute `_secret` - a string pointing to a file containing the value the option
+          should be set to.
+        '';
+        type = types.submodule {
+          freeformType = format.type;
+          options = {
+            ":pleroma" = {
+              ":instance" = {
+                name = mkOption {
+                  type = types.nonEmptyStr;
+                  description = mdDoc "Instance name.";
+                };
+
+                email = mkOption {
+                  type = types.nonEmptyStr;
+                  description = mdDoc "Instance administrator email.";
+                };
+
+                description = mkOption {
+                  type = types.nonEmptyStr;
+                  description = mdDoc "Instance description.";
+                };
+
+                static_dir = mkOption {
+                  type = types.path;
+                  default = toString staticFiles;
+                  defaultText = literalMD ''
+                    Derivation gathering the following paths into a directory:
+
+                    - [{option}`services.akkoma.frontends`](#opt-services.akkoma.frontends)
+                    - [{option}`services.akkoma.extraStatic`](#opt-services.akkoma.extraStatic)
+                  '';
+                  description = mdDoc ''
+                    Directory of static files.
+
+                    This directory can be built using a derivation, or it can be managed as mutable
+                    state by setting the option to an absolute path.
+                  '';
+                };
+
+                upload_dir = mkOption {
+                  type = absolutePath;
+                  default = "/var/lib/akkoma/uploads";
+                  description = mdDoc ''
+                    Directory where Akkoma will put uploaded files.
+                  '';
+                };
+              };
+
+              "Pleroma.Repo" = mkOption {
+                type = elixirValue;
+                default = {
+                  adapter = format.lib.mkRaw "Ecto.Adapters.Postgres";
+                  socket_dir = "/run/postgresql";
+                  username = cfg.user;
+                  database = "akkoma";
+                };
+                defaultText = literalExpression ''
+                  {
+                    adapter = (pkgs.formats.elixirConf { }).lib.mkRaw "Ecto.Adapters.Postgres";
+                    socket_dir = "/run/postgresql";
+                    username = config.services.akkoma.user;
+                    database = "akkoma";
+                  }
+                '';
+                description = mdDoc ''
+                  Database configuration.
+
+                  Refer to
+                  <https://hexdocs.pm/ecto_sql/Ecto.Adapters.Postgres.html#module-connection-options>
+                  for options.
+                '';
+              };
+
+              "Pleroma.Web.Endpoint" = {
+                url = {
+                  host = mkOption {
+                    type = types.nonEmptyStr;
+                    default = config.networking.fqdn;
+                    defaultText = literalExpression "config.networking.fqdn";
+                    description = mdDoc "Domain name of the instance.";
+                  };
+
+                  scheme = mkOption {
+                    type = types.nonEmptyStr;
+                    default = "https";
+                    description = mdDoc "URL scheme.";
+                  };
+
+                  port = mkOption {
+                    type = types.port;
+                    default = 443;
+                    description = mdDoc "External port number.";
+                  };
+                };
+
+                http = {
+                  ip = mkOption {
+                    type = types.either absolutePath ipAddress;
+                    default = "/run/akkoma/socket";
+                    example = "::1";
+                    description = mdDoc ''
+                      Listener IP address or Unix socket path.
+
+                      The value is automatically converted to Elixir’s internal address
+                      representation during serialisation.
+                    '';
+                  };
+
+                  port = mkOption {
+                    type = types.port;
+                    default = if isAbsolutePath web.http.ip then 0 else 4000;
+                    defaultText = literalExpression ''
+                      if isAbsolutePath config.services.akkoma.config.:pleroma"."Pleroma.Web.Endpoint".http.ip
+                        then 0
+                        else 4000;
+                    '';
+                    description = mdDoc ''
+                      Listener port number.
+
+                      Must be 0 if using a Unix socket.
+                    '';
+                  };
+                };
+
+                secret_key_base = mkOption {
+                  type = secret;
+                  default = { _secret = "/var/lib/secrets/akkoma/key-base"; };
+                  description = mdDoc ''
+                    Secret key used as a base to generate further secrets for encrypting and
+                    signing data.
+
+                    The attribute `_secret` should point to a file containing the secret.
+
+                    This key can generated can be generated as follows:
+
+                    ```ShellSession
+                    $ tr -dc 'A-Za-z-._~' </dev/urandom | head -c 64
+                    ```
+                  '';
+                };
+
+                live_view = {
+                  signing_salt = mkOption {
+                    type = secret;
+                    default = { _secret = "/var/lib/secrets/akkoma/liveview-salt"; };
+                    description = mdDoc ''
+                      LiveView signing salt.
+
+                      The attribute `_secret` should point to a file containing the secret.
+
+                      This salt can be generated as follows:
+
+                      ```ShellSession
+                      $ tr -dc 'A-Za-z0-9-._~' </dev/urandom | head -c 8
+                      ```
+                    '';
+                  };
+                };
+
+                signing_salt = mkOption {
+                  type = secret;
+                  default = { _secret = "/var/lib/secrets/akkoma/signing-salt"; };
+                  description = mdDoc ''
+                    Signing salt.
+
+                    The attribute `_secret` should point to a file containing the secret.
+
+                    This salt can be generated as follows:
+
+                    ```ShellSession
+                    $ tr -dc 'A-Za-z0-9-._~' </dev/urandom | head -c 8
+                    ```
+                  '';
+                };
+              };
+
+              ":frontends" = mkOption {
+                type = elixirValue;
+                default = mapAttrs
+                  (key: val: format.lib.mkMap { name = val.name; ref = val.ref; })
+                  cfg.frontends;
+                defaultText = literalExpression ''
+                  lib.mapAttrs (key: val:
+                    (pkgs.formats.elixirConf { }).lib.mkMap { name = val.name; ref = val.ref; })
+                    config.services.akkoma.frontends;
+                '';
+                description = mdDoc ''
+                  Frontend configuration.
+
+                  Users should rely on the default value and prefer to configure frontends through
+                  [{option}`config.services.akkoma.frontends`](#opt-services.akkoma.frontends).
+                '';
+              };
+            };
+
+            ":web_push_encryption" = mkOption {
+              default = { };
+              description = mdDoc ''
+                Web Push Notifications configuration.
+
+                The necessary key pair can be generated as follows:
+
+                ```ShellSession
+                $ nix-shell -p nodejs --run 'npx web-push generate-vapid-keys'
+                ```
+              '';
+              type = types.submodule {
+                freeformType = elixirValue;
+                options = {
+                  ":vapid_details" = {
+                    subject = mkOption {
+                      type = types.nonEmptyStr;
+                      default = "mailto:${ex.":pleroma".":instance".email}";
+                      defaultText = literalExpression ''
+                        "mailto:''${config.services.akkoma.config.":pleroma".":instance".email}"
+                      '';
+                      description = mdDoc "mailto URI for administrative contact.";
+                    };
+
+                    public_key = mkOption {
+                      type = with types; either nonEmptyStr secret;
+                      default = { _secret = "/var/lib/secrets/akkoma/vapid-public"; };
+                      description = mdDoc "base64-encoded public ECDH key.";
+                    };
+
+                    private_key = mkOption {
+                      type = secret;
+                      default = { _secret = "/var/lib/secrets/akkoma/vapid-private"; };
+                      description = mdDoc ''
+                        base64-encoded private ECDH key.
+
+                        The attribute `_secret` should point to a file containing the secret.
+                      '';
+                    };
+                  };
+                };
+              };
+            };
+
+            ":joken" = {
+              ":default_signer" = mkOption {
+                type = secret;
+                default = { _secret = "/var/lib/secrets/akkoma/jwt-signer"; };
+                description = mdDoc ''
+                  JWT signing secret.
+
+                  The attribute `_secret` should point to a file containing the secret.
+
+                  This secret can be generated as follows:
+
+                  ```ShellSession
+                  $ tr -dc 'A-Za-z0-9-._~' </dev/urandom | head -c 64
+                  ```
+                '';
+              };
+            };
+
+            ":logger" = {
+              ":backends" = mkOption {
+                type = types.listOf elixirValue;
+                visible = false;
+                default = with format.lib; [
+                  (mkTuple [ (mkRaw "ExSyslogger") (mkAtom ":ex_syslogger") ])
+                ];
+              };
+
+              ":ex_syslogger" = {
+                ident = mkOption {
+                  type = types.str;
+                  visible = false;
+                  default = "akkoma";
+                };
+
+                level = mkOption {
+                  type = types.nonEmptyStr;
+                  apply = format.lib.mkAtom;
+                  default = ":info";
+                  example = ":warning";
+                  description = mdDoc ''
+                    Log level.
+
+                    Refer to
+                    <https://hexdocs.pm/logger/Logger.html#module-levels>
+                    for options.
+                  '';
+                };
+              };
+            };
+
+            ":tzdata" = {
+              ":data_dir" = mkOption {
+                type = elixirValue;
+                internal = true;
+                default = format.lib.mkRaw ''
+                  Path.join(System.fetch_env!("CACHE_DIRECTORY"), "tzdata")
+                '';
+              };
+            };
+          };
+        };
+      };
+
+      nginx = mkOption {
+        type = with types; nullOr (submodule
+          (import ../web-servers/nginx/vhost-options.nix { inherit config lib; }));
+        default = null;
+        description = mdDoc ''
+          Extra configuration for the nginx virtual host of Akkoma.
+
+          If set to `null`, no virtual host will be added to the nginx configuration.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    warnings = optionals (!config.security.sudo.enable) [''
+      The pleroma_ctl wrapper enabled by the installWrapper option relies on
+      sudo, which appears to have been disabled through security.sudo.enable.
+    ''];
+
+    users = {
+      users."${cfg.user}" = {
+        description = "Akkoma user";
+        group = cfg.group;
+        isSystemUser = true;
+      };
+      groups."${cfg.group}" = { };
+    };
+
+    # Confinement of the main service unit requires separation of the
+    # configuration generation into a separate unit to permit access to secrets
+    # residing outside of the chroot.
+    systemd.services.akkoma-config = {
+      description = "Akkoma social network configuration";
+      reloadTriggers = [ configFile ] ++ secretPaths;
+
+      unitConfig.PropagatesReloadTo = [ "akkoma.service" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        UMask = "0077";
+
+        RuntimeDirectory = "akkoma";
+
+        ExecStart = mkMerge [
+          (mkIf (cfg.dist.cookie == null) [ genScript ])
+          (mkIf (cfg.dist.cookie != null) [ copyScript ])
+          (mkIf cfg.initSecrets [ initSecretsScript ])
+          [ configScript ]
+        ];
+
+        ExecReload = mkMerge [
+          (mkIf cfg.initSecrets [ initSecretsScript ])
+          [ configScript ]
+        ];
+      };
+    };
+
+    systemd.services.akkoma-initdb = mkIf cfg.initDb.enable {
+      description = "Akkoma social network database setup";
+      requires = [ "akkoma-config.service" ];
+      requiredBy = [ "akkoma.service" ];
+      after = [ "akkoma-config.service" "postgresql.service" ];
+      before = [ "akkoma.service" ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        User = mkIf (db ? socket_dir || db ? socket)
+          cfg.initDb.username;
+        RemainAfterExit = true;
+        UMask = "0077";
+        ExecStart = initDbScript;
+        PrivateTmp = true;
+      };
+    };
+
+    systemd.services.akkoma = let
+      runtimeInputs = with pkgs; [ coreutils gawk gnused ] ++ cfg.extraPackages;
+    in {
+      description = "Akkoma social network";
+      documentation = [ "https://docs.akkoma.dev/stable/" ];
+
+      # This service depends on network-online.target and is sequenced after
+      # it because it requires access to the Internet to function properly.
+      bindsTo = [ "akkoma-config.service" ];
+      wants = [ "network-online.service" ];
+      wantedBy = [ "multi-user.target" ];
+      after = [
+        "akkoma-config.target"
+        "network.target"
+        "network-online.target"
+        "postgresql.service"
+      ];
+
+      confinement.packages = mkIf isConfined runtimeInputs;
+      path = runtimeInputs;
+
+      serviceConfig = {
+        Type = "exec";
+        User = cfg.user;
+        Group = cfg.group;
+        UMask = "0077";
+
+        # The run‐time directory is preserved as it is managed by the akkoma-config.service unit.
+        RuntimeDirectory = "akkoma";
+        RuntimeDirectoryPreserve = true;
+
+        CacheDirectory = "akkoma";
+
+        BindPaths = [ "${uploadDir}:${uploadDir}:norbind" ];
+        BindReadOnlyPaths = mkMerge [
+          (mkIf (!isStorePath staticDir) [ "${staticDir}:${staticDir}:norbind" ])
+          (mkIf isConfined (mkMerge [
+            [ "/etc/hosts" "/etc/resolv.conf" ]
+            (mkIf (isStorePath staticDir) (map (dir: "${dir}:${dir}:norbind")
+              (splitString "\n" (readFile ((pkgs.closureInfo { rootPaths = staticDir; }) + "/store-paths")))))
+            (mkIf (db ? socket_dir) [ "${db.socket_dir}:${db.socket_dir}:norbind" ])
+            (mkIf (db ? socket) [ "${db.socket}:${db.socket}:norbind" ])
+          ]))
+        ];
+
+        ExecStartPre = "${envWrapper}/bin/pleroma_ctl migrate";
+        ExecStart = "${envWrapper}/bin/pleroma start";
+        ExecStartPost = socketScript;
+        ExecStop = "${envWrapper}/bin/pleroma stop";
+        ExecStopPost = mkIf (isAbsolutePath web.http.ip)
+          "${pkgs.coreutils}/bin/rm -f '${web.http.ip}'";
+
+        ProtectProc = "noaccess";
+        ProcSubset = "pid";
+        ProtectSystem = mkIf (!isConfined) "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateIPC = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+
+        CapabilityBoundingSet = mkIf
+          (any (port: port > 0 && port < 1024)
+            [ web.http.port cfg.dist.epmdPort cfg.dist.portMin ])
+          [ "CAP_NET_BIND_SERVICE" ];
+
+        NoNewPrivileges = true;
+        SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ];
+        SystemCallArchitectures = "native";
+
+        DeviceAllow = null;
+        DevicePolicy = "closed";
+
+        # SMTP adapter uses dynamic port 0 binding, which is incompatible with bind address filtering
+        SocketBindAllow = mkIf (!hasSmtp) (mkMerge [
+          [ "tcp:${toString cfg.dist.epmdPort}" "tcp:${toString cfg.dist.portMin}-${toString cfg.dist.portMax}" ]
+          (mkIf (web.http.port != 0) [ "tcp:${toString web.http.port}" ])
+        ]);
+        SocketBindDeny = mkIf (!hasSmtp) "any";
+      };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d ${uploadDir}  0700 ${cfg.user} ${cfg.group} - -"
+      "Z ${uploadDir} ~0700 ${cfg.user} ${cfg.group} - -"
+    ];
+
+    environment.systemPackages = mkIf (cfg.installWrapper) [ userWrapper ];
+
+    services.nginx.virtualHosts = mkIf (cfg.nginx != null) {
+      ${web.url.host} = mkMerge [ cfg.nginx {
+        locations."/" = {
+          proxyPass =
+            if isAbsolutePath web.http.ip
+              then "http://unix:${web.http.ip}"
+              else if hasInfix ":" web.http.ip
+                then "http://[${web.http.ip}]:${toString web.http.port}"
+                else "http://${web.http.ip}:${toString web.http.port}";
+
+          proxyWebsockets = true;
+          recommendedProxySettings = true;
+        };
+      }];
+    };
+  };
+
+  meta.maintainers = with maintainers; [ mvs ];
+  meta.doc = ./akkoma.xml;
+}
diff --git a/nixos/modules/services/web-apps/akkoma.xml b/nixos/modules/services/web-apps/akkoma.xml
new file mode 100644
index 0000000000000..76e6b806f30fe
--- /dev/null
+++ b/nixos/modules/services/web-apps/akkoma.xml
@@ -0,0 +1,396 @@
+<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="module-services-akkoma">
+  <title>Akkoma</title>
+  <para>
+    <link xlink:href="https://akkoma.dev/">Akkoma</link> is a
+    lightweight ActivityPub microblogging server forked from Pleroma.
+  </para>
+  <section xml:id="modules-services-akkoma-service-configuration">
+    <title>Service configuration</title>
+    <para>
+      The Elixir configuration file required by Akkoma is generated
+      automatically from
+      <link xlink:href="options.html#opt-services.akkoma.config"><option>services.akkoma.config</option></link>.
+      Secrets must be included from external files outside of the Nix
+      store by setting the configuration option to an attribute set
+      containing the attribute <option>_secret</option> – a string
+      pointing to the file containing the actual value of the option.
+    </para>
+    <para>
+      For the mandatory configuration settings these secrets will be
+      generated automatically if the referenced file does not exist
+      during startup, unless disabled through
+      <link xlink:href="options.html#opt-services.akkoma.initSecrets"><option>services.akkoma.initSecrets</option></link>.
+    </para>
+    <para>
+      The following configuration binds Akkoma to the Unix socket
+      <literal>/run/akkoma/socket</literal>, expecting to be run behind
+      a HTTP proxy on <literal>fediverse.example.com</literal>.
+    </para>
+    <programlisting language="nix">
+services.akkoma.enable = true;
+services.akkoma.config = {
+  &quot;:pleroma&quot; = {
+    &quot;:instance&quot; = {
+      name = &quot;My Akkoma instance&quot;;
+      description = &quot;More detailed description&quot;;
+      email = &quot;admin@example.com&quot;;
+      registration_open = false;
+    };
+
+    &quot;Pleroma.Web.Endpoint&quot; = {
+      url.host = &quot;fediverse.example.com&quot;;
+    };
+  };
+};
+</programlisting>
+    <para>
+      Please refer to the
+      <link xlink:href="https://docs.akkoma.dev/stable/configuration/cheatsheet/">configuration
+      cheat sheet</link> for additional configuration options.
+    </para>
+  </section>
+  <section xml:id="modules-services-akkoma-user-management">
+    <title>User management</title>
+    <para>
+      After the Akkoma service is running, the administration utility
+      can be used to
+      <link xlink:href="https://docs.akkoma.dev/stable/administration/CLI_tasks/user/">manage
+      users</link>. In particular an administrative user can be created
+      with
+    </para>
+    <programlisting>
+$ pleroma_ctl user new &lt;nickname&gt; &lt;email&gt; --admin --moderator --password &lt;password&gt;
+</programlisting>
+  </section>
+  <section xml:id="modules-services-akkoma-proxy-configuration">
+    <title>Proxy configuration</title>
+    <para>
+      Although it is possible to expose Akkoma directly, it is common
+      practice to operate it behind an HTTP reverse proxy such as nginx.
+    </para>
+    <programlisting language="nix">
+services.akkoma.nginx = {
+  enableACME = true;
+  forceSSL = true;
+};
+
+services.nginx = {
+  enable = true;
+
+  clientMaxBodySize = &quot;16m&quot;;
+  recommendedTlsSettings = true;
+  recommendedOptimisation = true;
+  recommendedGzipSettings = true;
+};
+</programlisting>
+    <para>
+      Please refer to <xref linkend="module-security-acme" /> for
+      details on how to provision an SSL/TLS certificate.
+    </para>
+    <section xml:id="modules-services-akkoma-media-proxy">
+      <title>Media proxy</title>
+      <para>
+        Without the media proxy function, Akkoma does not store any
+        remote media like pictures or video locally, and clients have to
+        fetch them directly from the source server.
+      </para>
+      <programlisting language="nix">
+# Enable nginx slice module distributed with Tengine
+services.nginx.package = pkgs.tengine;
+
+# Enable media proxy
+services.akkoma.config.&quot;:pleroma&quot;.&quot;:media_proxy&quot; = {
+  enabled = true;
+  proxy_opts.redirect_on_failure = true;
+};
+
+# Adjust the persistent cache size as needed:
+#  Assuming an average object size of 128 KiB, around 1 MiB
+#  of memory is required for the key zone per GiB of cache.
+# Ensure that the cache directory exists and is writable by nginx.
+services.nginx.commonHttpConfig = ''
+  proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache
+    levels= keys_zone=akkoma_media_cache:16m max_size=16g
+    inactive=1y use_temp_path=off;
+'';
+
+services.akkoma.nginx = {
+  locations.&quot;/proxy&quot; = {
+    proxyPass = &quot;http://unix:/run/akkoma/socket&quot;;
+
+    extraConfig = ''
+      proxy_cache akkoma_media_cache;
+
+      # Cache objects in slices of 1 MiB
+      slice 1m;
+      proxy_cache_key $host$uri$is_args$args$slice_range;
+      proxy_set_header Range $slice_range;
+
+      # Decouple proxy and upstream responses
+      proxy_buffering on;
+      proxy_cache_lock on;
+      proxy_ignore_client_abort on;
+
+      # Default cache times for various responses
+      proxy_cache_valid 200 1y;
+      proxy_cache_valid 206 301 304 1h;
+
+      # Allow serving of stale items
+      proxy_cache_use_stale error timeout invalid_header updating;
+    '';
+  };
+};
+</programlisting>
+      <section xml:id="modules-services-akkoma-prefetch-remote-media">
+        <title>Prefetch remote media</title>
+        <para>
+          The following example enables the
+          <literal>MediaProxyWarmingPolicy</literal> MRF policy which
+          automatically fetches all media associated with a post through
+          the media proxy, as soon as the post is received by the
+          instance.
+        </para>
+        <programlisting language="nix">
+services.akkoma.config.&quot;:pleroma&quot;.&quot;:mrf&quot;.policies =
+  map (pkgs.formats.elixirConf { }).lib.mkRaw [
+    &quot;Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy&quot;
+];
+</programlisting>
+      </section>
+      <section xml:id="modules-services-akkoma-media-previews">
+        <title>Media previews</title>
+        <para>
+          Akkoma can generate previews for media.
+        </para>
+        <programlisting language="nix">
+services.akkoma.config.&quot;:pleroma&quot;.&quot;:media_preview_proxy&quot; = {
+  enabled = true;
+  thumbnail_max_width = 1920;
+  thumbnail_max_height = 1080;
+};
+</programlisting>
+      </section>
+    </section>
+  </section>
+  <section xml:id="modules-services-akkoma-frontend-management">
+    <title>Frontend management</title>
+    <para>
+      Akkoma will be deployed with the <literal>pleroma-fe</literal> and
+      <literal>admin-fe</literal> frontends by default. These can be
+      modified by setting
+      <link xlink:href="options.html#opt-services.akkoma.frontends"><option>services.akkoma.frontends</option></link>.
+    </para>
+    <para>
+      The following example overrides the primary frontend’s default
+      configuration using a custom derivation.
+    </para>
+    <programlisting language="nix">
+services.akkoma.frontends.primary.package = pkgs.runCommand &quot;pleroma-fe&quot; {
+  config = builtins.toJSON {
+    expertLevel = 1;
+    collapseMessageWithSubject = false;
+    stopGifs = false;
+    replyVisibility = &quot;following&quot;;
+    webPushHideIfCW = true;
+    hideScopeNotice = true;
+    renderMisskeyMarkdown = false;
+    hideSiteFavicon = true;
+    postContentType = &quot;text/markdown&quot;;
+    showNavShortcuts = false;
+  };
+  nativeBuildInputs = with pkgs; [ jq xorg.lndir ];
+  passAsFile = [ &quot;config&quot; ];
+} ''
+  mkdir $out
+  lndir ${pkgs.akkoma-frontends.pleroma-fe} $out
+
+  rm $out/static/config.json
+  jq -s add ${pkgs.akkoma-frontends.pleroma-fe}/static/config.json ${config} \
+    &gt;$out/static/config.json
+'';
+</programlisting>
+  </section>
+  <section xml:id="modules-services-akkoma-federation-policies">
+    <title>Federation policies</title>
+    <para>
+      Akkoma comes with a number of modules to police federation with
+      other ActivityPub instances. The most valuable for typical users
+      is the
+      <link xlink:href="https://docs.akkoma.dev/stable/configuration/cheatsheet/#mrf_simple"><literal>:mrf_simple</literal></link>
+      module which allows limiting federation based on instance
+      hostnames.
+    </para>
+    <para>
+      This configuration snippet provides an example on how these can be
+      used. Choosing an adequate federation policy is not trivial and
+      entails finding a balance between connectivity to the rest of the
+      fediverse and providing a pleasant experience to the users of an
+      instance.
+    </para>
+    <programlisting language="nix">
+services.akkoma.config.&quot;:pleroma&quot; = with (pkgs.formats.elixirConf { }).lib; {
+  &quot;:mrf&quot;.policies = map mkRaw [
+    &quot;Pleroma.Web.ActivityPub.MRF.SimplePolicy&quot;
+  ];
+
+  &quot;:mrf_simple&quot; = {
+    # Tag all media as sensitive
+    media_nsfw = mkMap {
+      &quot;nsfw.weird.kinky&quot; = &quot;Untagged NSFW content&quot;;
+    };
+
+    # Reject all activities except deletes
+    reject = mkMap {
+      &quot;kiwifarms.cc&quot; = &quot;Persistent harassment of users, no moderation&quot;;
+    };
+
+    # Force posts to be visible by followers only
+    followers_only = mkMap {
+      &quot;beta.birdsite.live&quot; = &quot;Avoid polluting timelines with Twitter posts&quot;;
+    };
+  };
+};
+</programlisting>
+  </section>
+  <section xml:id="modules-services-akkoma-upload-filters">
+    <title>Upload filters</title>
+    <para>
+      This example strips GPS and location metadata from uploads,
+      deduplicates them and anonymises the the file name.
+    </para>
+    <programlisting language="nix">
+services.akkoma.config.&quot;:pleroma&quot;.&quot;Pleroma.Upload&quot;.filters =
+  map (pkgs.formats.elixirConf { }).lib.mkRaw [
+    &quot;Pleroma.Upload.Filter.Exiftool&quot;
+    &quot;Pleroma.Upload.Filter.Dedupe&quot;
+    &quot;Pleroma.Upload.Filter.AnonymizeFilename&quot;
+  ];
+</programlisting>
+  </section>
+  <section xml:id="modules-services-akkoma-migration-pleroma">
+    <title>Migration from Pleroma</title>
+    <para>
+      Pleroma instances can be migrated to Akkoma either by copying the
+      database and upload data or by pointing Akkoma to the existing
+      data. The necessary database migrations are run automatically
+      during startup of the service.
+    </para>
+    <para>
+      The configuration has to be copy‐edited manually.
+    </para>
+    <para>
+      Depending on the size of the database, the initial migration may
+      take a long time and exceed the startup timeout of the system
+      manager. To work around this issue one may adjust the startup
+      timeout
+      <option>systemd.services.akkoma.serviceConfig.TimeoutStartSec</option>
+      or simply run the migrations manually:
+    </para>
+    <programlisting>
+pleroma_ctl migrate
+</programlisting>
+    <section xml:id="modules-services-akkoma-migration-pleroma-copy">
+      <title>Copying data</title>
+      <para>
+        Copying the Pleroma data instead of re‐using it in place may
+        permit easier reversion to Pleroma, but allows the two data sets
+        to diverge.
+      </para>
+      <para>
+        First disable Pleroma and then copy its database and upload
+        data:
+      </para>
+      <programlisting>
+# Create a copy of the database
+nix-shell -p postgresql --run 'createdb -T pleroma akkoma'
+
+# Copy upload data
+mkdir /var/lib/akkoma
+cp -R --reflink=auto /var/lib/pleroma/uploads /var/lib/akkoma/
+</programlisting>
+      <para>
+        After the data has been copied, enable the Akkoma service and
+        verify that the migration has been successful. If no longer
+        required, the original data may then be deleted:
+      </para>
+      <programlisting>
+# Delete original database
+nix-shell -p postgresql --run 'dropdb pleroma'
+
+# Delete original Pleroma state
+rm -r /var/lib/pleroma
+</programlisting>
+    </section>
+    <section xml:id="modules-services-akkoma-migration-pleroma-reuse">
+      <title>Re‐using data</title>
+      <para>
+        To re‐use the Pleroma data in place, disable Pleroma and enable
+        Akkoma, pointing it to the Pleroma database and upload
+        directory.
+      </para>
+      <programlisting language="nix">
+# Adjust these settings according to the database name and upload directory path used by Pleroma
+services.akkoma.config.&quot;:pleroma&quot;.&quot;Pleroma.Repo&quot;.database = &quot;pleroma&quot;;
+services.akkoma.config.&quot;:pleroma&quot;.&quot;:instance&quot;.upload_dir = &quot;/var/lib/pleroma/uploads&quot;;
+</programlisting>
+      <para>
+        Please keep in mind that after the Akkoma service has been
+        started, any migrations applied by Akkoma have to be rolled back
+        before the database can be used again with Pleroma. This can be
+        achieved through <literal>pleroma_ctl ecto.rollback</literal>.
+        Refer to the
+        <link xlink:href="https://hexdocs.pm/ecto_sql/Mix.Tasks.Ecto.Rollback.html">Ecto
+        SQL documentation</link> for details.
+      </para>
+    </section>
+  </section>
+  <section xml:id="modules-services-akkoma-advanced-deployment">
+    <title>Advanced deployment options</title>
+    <section xml:id="modules-services-akkoma-confinement">
+      <title>Confinement</title>
+      <para>
+        The Akkoma systemd service may be confined to a chroot with
+      </para>
+      <programlisting language="nix">
+services.systemd.akkoma.confinement.enable = true;
+</programlisting>
+      <para>
+        Confinement of services is not generally supported in NixOS and
+        therefore disabled by default. Depending on the Akkoma
+        configuration, the default confinement settings may be
+        insufficient and lead to subtle errors at run time, requiring
+        adjustment:
+      </para>
+      <para>
+        Use
+        <link xlink:href="options.html#opt-systemd.services._name_.confinement.packages"><option>services.systemd.akkoma.confinement.packages</option></link>
+        to make packages available in the chroot.
+      </para>
+      <para>
+        <option>services.systemd.akkoma.serviceConfig.BindPaths</option>
+        and
+        <option>services.systemd.akkoma.serviceConfig.BindReadOnlyPaths</option>
+        permit access to outside paths through bind mounts. Refer to
+        <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#BindPaths="><link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html"><citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry></link></link>
+        for details.
+      </para>
+    </section>
+    <section xml:id="modules-services-akkoma-distributed-deployment">
+      <title>Distributed deployment</title>
+      <para>
+        Being an Elixir application, Akkoma can be deployed in a
+        distributed fashion.
+      </para>
+      <para>
+        This requires setting
+        <link xlink:href="options.html#opt-services.akkoma.dist.address"><option>services.akkoma.dist.address</option></link>
+        and
+        <link xlink:href="options.html#opt-services.akkoma.dist.cookie"><option>services.akkoma.dist.cookie</option></link>.
+        The specifics depend strongly on the deployment environment. For
+        more information please check the relevant
+        <link xlink:href="https://www.erlang.org/doc/reference_manual/distributed.html">Erlang
+        documentation</link>.
+      </para>
+    </section>
+  </section>
+</chapter>
diff --git a/nixos/modules/services/web-apps/discourse.nix b/nixos/modules/services/web-apps/discourse.nix
index 1ab0e679a54ba..b8104ade4676d 100644
--- a/nixos/modules/services/web-apps/discourse.nix
+++ b/nixos/modules/services/web-apps/discourse.nix
@@ -820,10 +820,10 @@ in
 
     services.nginx = lib.mkIf cfg.nginx.enable {
       enable = true;
-      additionalModules = [ pkgs.nginxModules.brotli ];
 
       recommendedTlsSettings = true;
       recommendedOptimisation = true;
+      recommendedBrotliSettings = true;
       recommendedGzipSettings = true;
       recommendedProxySettings = true;
 
diff --git a/nixos/modules/services/web-apps/hedgedoc.nix b/nixos/modules/services/web-apps/hedgedoc.nix
index a623e45691dfe..90ca3002c5924 100644
--- a/nixos/modules/services/web-apps/hedgedoc.nix
+++ b/nixos/modules/services/web-apps/hedgedoc.nix
@@ -291,7 +291,8 @@ in
       };
       defaultNotePath = mkOption {
         type = types.nullOr types.str;
-        default = "./public/default.md";
+        default = "${cfg.package}/public/default.md";
+        defaultText = literalExpression "\"\${cfg.package}/public/default.md\"";
         description = lib.mdDoc ''
           Path to the default Note file.
           (Non-canonical paths are relative to HedgeDoc's base directory)
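Review bot: The description retained on the line `(Non-canonical paths are relative to HedgeDoc's base directory)` no longer describes the default, because the new `default = "${cfg.package}/public/default.md";` is an absolute, read-only Nix store path rather than a path under the working directory; the same mismatch appears in the docsPath, indexPath, hackmdPath, errorPath, prettyPath and slidePath hunks below. Consider appending to each description a sentence such as `By default the file shipped with {option}`services.hedgedoc.package` is used; set this only to point at a customised copy.` Presumably deployments that edited the relative file under the working directory will now pick up the packaged copy instead, which is worth stating in the option text since it is a behaviour change. The `defaultNotePath` option continues past the end of this hunk.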
@@ -299,7 +300,8 @@ in
       };
       docsPath = mkOption {
         type = types.nullOr types.str;
-        default = "./public/docs";
+        default = "${cfg.package}/public/docs";
+        defaultText = literalExpression "\"\${cfg.package}/public/docs\"";
         description = lib.mdDoc ''
           Path to the docs directory.
           (Non-canonical paths are relative to HedgeDoc's base directory)
@@ -307,7 +309,8 @@ in
       };
       indexPath = mkOption {
         type = types.nullOr types.str;
-        default = "./public/views/index.ejs";
+        default = "${cfg.package}/public/views/index.ejs";
+        defaultText = literalExpression "\"\${cfg.package}/public/views/index.ejs\"";
         description = lib.mdDoc ''
           Path to the index template file.
           (Non-canonical paths are relative to HedgeDoc's base directory)
@@ -315,7 +318,8 @@ in
       };
       hackmdPath = mkOption {
         type = types.nullOr types.str;
-        default = "./public/views/hackmd.ejs";
+        default = "${cfg.package}/public/views/hackmd.ejs";
+        defaultText = literalExpression "\"\${cfg.package}/public/views/hackmd.ejs\"";
         description = lib.mdDoc ''
           Path to the hackmd template file.
           (Non-canonical paths are relative to HedgeDoc's base directory)
@@ -323,8 +327,8 @@ in
       };
       errorPath = mkOption {
         type = types.nullOr types.str;
-        default = null;
-        defaultText = literalExpression "./public/views/error.ejs";
+        default = "${cfg.package}/public/views/error.ejs";
+        defaultText = literalExpression "\"\${cfg.package}/public/views/error.ejs\"";
         description = lib.mdDoc ''
           Path to the error template file.
           (Non-canonical paths are relative to HedgeDoc's base directory)
@@ -332,8 +336,8 @@ in
       };
       prettyPath = mkOption {
         type = types.nullOr types.str;
-        default = null;
-        defaultText = literalExpression "./public/views/pretty.ejs";
+        default = "${cfg.package}/public/views/pretty.ejs";
+        defaultText = literalExpression "\"\${cfg.package}/public/views/pretty.ejs\"";
         description = lib.mdDoc ''
           Path to the pretty template file.
           (Non-canonical paths are relative to HedgeDoc's base directory)
@@ -341,8 +345,8 @@ in
       };
       slidePath = mkOption {
         type = types.nullOr types.str;
-        default = null;
-        defaultText = literalExpression "./public/views/slide.hbs";
+        default = "${cfg.package}/public/views/slide.hbs";
+        defaultText = literalExpression "\"\${cfg.package}/public/views/slide.hbs\"";
         description = lib.mdDoc ''
           Path to the slide template file.
           (Non-canonical paths are relative to HedgeDoc's base directory)
@@ -351,7 +355,7 @@ in
       uploadsPath = mkOption {
         type = types.str;
         default = "${cfg.workDir}/uploads";
-        defaultText = literalExpression "/var/lib/${name}/uploads";
+        defaultText = literalExpression "\"\${cfg.workDir}/uploads\"";
         description = lib.mdDoc ''
           Path under which uploaded files are saved.
         '';
diff --git a/nixos/modules/services/web-servers/garage-doc.xml b/nixos/modules/services/web-servers/garage-doc.xml
new file mode 100644
index 0000000000000..16f6fde94b5a8
--- /dev/null
+++ b/nixos/modules/services/web-servers/garage-doc.xml
@@ -0,0 +1,139 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="module-services-garage">
+ <title>Garage</title>
+ <para>
+  <link xlink:href="https://garagehq.deuxfleurs.fr/">Garage</link>
+  is an open-source, self-hostable S3 store, simpler than MinIO, for geodistributed stores.
+  The server setup can be automated using
+  <link linkend="opt-services.garage.enable">services.garage</link>. A
+   client configured to your local Garage instance is available in
+   the global environment as <literal>garage-manage</literal>.
+ </para>
+ <para>
+  The current default by NixOS is <package>garage_0_8</package> which is also the latest
+  major version available.
+ </para>
+ <section xml:id="module-services-garage-upgrade-scenarios">
+  <title>General considerations on upgrades</title>
+
+  <para>
+    Garage provides a cookbook documentation on how to upgrade:
+   <link xlink:href="https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/">https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/</link>
+  </para>
+
+ <warning>
+   <para>Garage has two types of upgrades: patch-level upgrades and minor/major version upgrades.</para>
+
+   <para>In all cases, you should read the changelog and ideally test the upgrade on a staging cluster.</para>
+
+   <para>Checking the health of your cluster can be achieved using <literal>garage-manage repair</literal>.</para>
+  </warning>
+
+
+ <warning>
+   <para>Until 1.0 is released, patch-level upgrades are considered as minor version upgrades.
+   Minor version upgrades are considered as major version upgrades.
+    i.e. 0.6 to 0.7 is a major version upgrade.</para>
+ </warning>
+
+ <itemizedlist>
+  <listitem>
+   <formalpara>
+    <title>Straightforward upgrades (patch-level upgrades)</title>
+    <para>
+     Upgrades must be performed one by one, i.e. for each node, stop it, upgrade it : change <link linkend="opt-system.stateVersion">stateVersion</link> or <link linkend="opt-services.garage.package">services.garage.package</link>, restart it if it was not already by switching.
+    </para>
+   </formalpara>
+  </listitem>
+
+  <listitem>
+   <formalpara>
+    <title>Multiple version upgrades</title>
+    <para>
+     Garage do not provide any guarantee on moving more than one major-version forward.
+     E.g., if you're on <literal>0.7</literal>, you cannot upgrade to <literal>0.9</literal>.
+     You need to upgrade to <literal>0.8</literal> first.
+
+     As long as <link linkend="opt-system.stateVersion">stateVersion</link> is declared properly,
+     this is enforced automatically. The module will issue a warning to remind the user to upgrade to latest
+     Garage <emphasis>after</emphasis> that deploy.
+   </para>
+  </formalpara>
+ </listitem>
+</itemizedlist>
+</section>
+
+<section xml:id="module-services-garage-advanced-upgrades">
+ <title>Advanced upgrades (minor/major version upgrades)</title>
+ <para>Here are some baseline instructions to handle advanced upgrades in Garage, when in doubt, please refer to upstream instructions.</para>
+
+ <itemizedlist>
+   <listitem><para>Disable API and web access to Garage.</para></listitem>
+   <listitem><para>Perform <literal>garage-manage repair --all-nodes --yes tables</literal> and <literal>garage-manage repair --all-nodes --yes blocks</literal>.</para></listitem>
+   <listitem><para>Verify the resulting logs and check that data is synced properly between all nodes.
+    If you have time, do additional checks (<literal>scrub</literal>, <literal>block_refs</literal>, etc.).</para></listitem>
+   <listitem><para>Check if queues are empty by <literal>garage-manage stats</literal> or through monitoring tools.</para></listitem>
+   <listitem><para>Run <literal>systemctl stop garage</literal> to stop the actual Garage version.</para></listitem>
+   <listitem><para>Backup the metadata folder of ALL your nodes, e.g. for a metadata directory (the default one) in <literal>/var/lib/garage/meta</literal>,
+    you can run <literal>pushd /var/lib/garage; tar -acf meta-v0.7.tar.zst meta/; popd</literal>.</para></listitem>
+   <listitem><para>Run the offline migration: <literal>nix-shell -p garage_0_8 --run "garage offline-repair --yes"</literal>, this can take some time depending on how many objects are stored in your cluster.</para></listitem>
+   <listitem><para>Bump Garage version in your NixOS configuration, either by changing <link linkend="opt-system.stateVersion">stateVersion</link> or bumping <link linkend="opt-services.garage.package">services.garage.package</link>, this should restart Garage automatically.</para></listitem>
+   <listitem><para>Perform <literal>garage-manage repair --all-nodes --yes tables</literal> and <literal>garage-manage repair --all-nodes --yes blocks</literal>.</para></listitem>
+   <listitem><para>Wait for a full table sync to run.</para></listitem>
+ </itemizedlist>
+
+ <para>
+   Your upgraded cluster should be in a working state, re-enable API and web access.
+ </para>
+</section>
+
+<section xml:id="module-services-garage-maintainer-info">
+  <title>Maintainer information</title>
+
+  <para>
+   As stated in the previous paragraph, we must provide a clean upgrade-path for Garage
+   since it cannot move more than one major version forward on a single upgrade. This chapter
+   adds some notes how Garage updates should be rolled out in the future.
+
+   This is inspired from how Nextcloud does it.
+  </para>
+
+  <para>
+   While patch-level updates are no problem and can be done directly in the
+   package-expression (and should be backported to supported stable branches after that),
+   major-releases should be added in a new attribute (e.g. Garage <literal>v0.8.0</literal>
+   should be available in <literal>nixpkgs</literal> as <literal>pkgs.garage_0_8_0</literal>).
+   To provide simple upgrade paths it's generally useful to backport those as well to stable
+   branches. As long as the package-default isn't altered, this won't break existing setups.
+   After that, the versioning-warning in the <literal>garage</literal>-module should be
+   updated to make sure that the
+   <link linkend="opt-services.garage.package">package</link>-option selects the latest version
+   on fresh setups.
+  </para>
+
+  <para>
+   If major-releases will be abandoned by upstream, we should check first if those are needed
+   in NixOS for a safe upgrade-path before removing those. In that case we shold keep those
+   packages, but mark them as insecure in an expression like this (in
+   <literal>&lt;nixpkgs/pkgs/tools/filesystem/garage/default.nix&gt;</literal>):
+<programlisting>/* ... */
+{
+  garage_0_7_3 = generic {
+    version = "0.7.3";
+    sha256 = "0000000000000000000000000000000000000000000000000000";
+    eol = true;
+  };
+}</programlisting>
+  </para>
+
+  <para>
+   Ideally we should make sure that it's possible to jump two NixOS versions forward:
+   i.e. the warnings and the logic in the module should guard a user to upgrade from a
+   Garage on e.g. 22.11 to a Garage on 23.11.
+  </para>
+ </section>
+
+</chapter>
diff --git a/nixos/modules/services/web-servers/garage.nix b/nixos/modules/services/web-servers/garage.nix
index 76ab273483eb4..d66bcd7315082 100644
--- a/nixos/modules/services/web-servers/garage.nix
+++ b/nixos/modules/services/web-servers/garage.nix
@@ -8,7 +8,10 @@ let
   configFile = toml.generate "garage.toml" cfg.settings;
 in
 {
-  meta.maintainers = [ maintainers.raitobezarius ];
+  meta = {
+    doc = ./garage-doc.xml;
+    maintainers = with pkgs.lib.maintainers; [ raitobezarius ];
+  };
 
   options.services.garage = {
     enable = mkEnableOption (lib.mdDoc "Garage Object Storage (S3 compatible)");
@@ -56,10 +59,12 @@ in
     };
 
     package = mkOption {
-      default = pkgs.garage;
-      defaultText = literalExpression "pkgs.garage";
+      # TODO: when 23.05 is released and if Garage 0.9 is the default, put a stateVersion check.
+      default = if versionAtLeast stateVersion "23.05" then pkgs.garage_0_8_0
+                else pkgs.garage_0_7;
+      defaultText = literalExpression "pkgs.garage_0_7";
       type = types.package;
-      description = lib.mdDoc "Garage package to use.";
+      description = lib.mdDoc "Garage package to use, if you are upgrading from a major version, please read NixOS and Garage release notes for upgrade instructions.";
     };
   };
 
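Review bot: `defaultText` still reads `pkgs.garage_0_7` while the `default` expression two lines above now selects `pkgs.garage_0_8_0` whenever `stateVersion` is at least 23.05, so the rendered manual will misstate the default for freshly installed systems; change it to `defaultText = literalExpression ''if versionAtLeast config.system.stateVersion "23.05" then pkgs.garage_0_8_0 else pkgs.garage_0_7'';` (or an equivalent prose `literalMD`). The `# TODO` comment above the default asks for a stateVersion check that the very next line already performs, so it is stale and should be dropped or reworded to name the version that should become the default after 23.05. Where `stateVersion` is bound is outside the hunk (presumably the module's `let`); confirm it is defined, because a missing binding only surfaces when the option's default is actually evaluated.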
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 8377e8a76d529..95e600ea79a5a 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -29,6 +29,43 @@ let
   ) cfg.virtualHosts;
   enableIPv6 = config.networking.enableIPv6;
 
+  # Mime.types values are taken from brotli sample configuration - https://github.com/google/ngx_brotli
+  # and Nginx Server Configs - https://github.com/h5bp/server-configs-nginx
+  compressMimeTypes = [
+    "application/atom+xml"
+    "application/geo+json"
+    "application/json"
+    "application/ld+json"
+    "application/manifest+json"
+    "application/rdf+xml"
+    "application/vnd.ms-fontobject"
+    "application/wasm"
+    "application/x-rss+xml"
+    "application/x-web-app-manifest+json"
+    "application/xhtml+xml"
+    "application/xliff+xml"
+    "application/xml"
+    "font/collection"
+    "font/otf"
+    "font/ttf"
+    "image/bmp"
+    "image/svg+xml"
+    "image/vnd.microsoft.icon"
+    "text/cache-manifest"
+    "text/calendar"
+    "text/css"
+    "text/csv"
+    "text/html"
+    "text/javascript"
+    "text/markdown"
+    "text/plain"
+    "text/vcard"
+    "text/vnd.rim.location.xloc"
+    "text/vtt"
+    "text/x-component"
+    "text/xml"
+  ];
+
   defaultFastcgiParams = {
     SCRIPT_FILENAME   = "$document_root$fastcgi_script_name";
     QUERY_STRING      = "$query_string";
@@ -140,6 +177,16 @@ let
         ssl_stapling_verify on;
       ''}
 
+      ${optionalString (cfg.recommendedBrotliSettings) ''
+        brotli on;
+        brotli_static on;
+        brotli_comp_level 5;
+        brotli_window 512k;
+        brotli_min_length 256;
+        brotli_types ${lib.concatStringsSep " " compressMimeTypes};
+        brotli_buffers 32 8k;
+      ''}
+
       ${optionalString (cfg.recommendedGzipSettings) ''
         gzip on;
         gzip_proxied any;
@@ -456,6 +503,16 @@ in
         '';
       };
 
+      recommendedBrotliSettings = mkOption {
+        default = false;
+        type = types.bool;
+        description = lib.mdDoc ''
+          Enable recommended brotli settings. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md).
+
+          This adds `pkgs.nginxModules.brotli` to `services.nginx.additionalModules`.
+        '';
+      };
+
       recommendedGzipSettings = mkOption {
         default = false;
         type = types.bool;
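Review bot: The new option's description is silent on the trade-off of dynamic compression: the recommended block enables `brotli on` for `text/html` and the JSON types in `compressMimeTypes`, and over TLS that carries the same compression side-channel (BREACH) caveat as dynamic gzip, so operators of applications that echo user input into responses alongside secrets should know that `brotli_static` alone is the conservative choice. Suggest adding a sentence such as `Like dynamic gzip, dynamic brotli compression of HTML/JSON over TLS can expose response contents through a compression side channel; for sensitive applications consider serving only pre-compressed files with brotli_static.` The second paragraph, which documents the coupling to `additionalModules`, is accurate as written.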
@@ -537,11 +594,10 @@ in
       additionalModules = mkOption {
         default = [];
         type = types.listOf (types.attrsOf types.anything);
-        example = literalExpression "[ pkgs.nginxModules.brotli ]";
+        example = literalExpression "[ pkgs.nginxModules.echo ]";
         description = lib.mdDoc ''
           Additional [third-party nginx modules](https://www.nginx.com/resources/wiki/modules/)
-          to install. Packaged modules are available in
-          `pkgs.nginxModules`.
+          to install. Packaged modules are available in `pkgs.nginxModules`.
         '';
       };
 
@@ -999,6 +1055,8 @@ in
       groups = config.users.groups;
     }) dependentCertNames;
 
+    services.nginx.additionalModules = optional cfg.recommendedBrotliSettings pkgs.nginxModules.brotli;
+
     systemd.services.nginx = {
       description = "Nginx Web Server";
       wantedBy = [ "multi-user.target" ];
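Review bot: The added `services.nginx.additionalModules = optional cfg.recommendedBrotliSettings pkgs.nginxModules.brotli;` concatenates with whatever the user already set, so a configuration that already lists the brotli module (which this file's old `example` encouraged) and then enables `recommendedBrotliSettings` carries the module twice; whether the nginx derivation tolerates a duplicated module is not visible in this hunk. Deduplicating where the list is consumed (e.g. `lib.unique`, outside this hunk) or adding an assertion that the module is not already present would make the option safe to enable on existing setups. Only the duplicate case is unaddressed; the option description already states the coupling.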
diff --git a/nixos/modules/system/boot/binfmt.nix b/nixos/modules/system/boot/binfmt.nix
index 87e66f73be0ec..7f817e5d350da 100644
--- a/nixos/modules/system/boot/binfmt.nix
+++ b/nixos/modules/system/boot/binfmt.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
-  inherit (lib) mkOption types optionalString stringAfter;
+  inherit (lib) mkOption mkDefault types optionalString stringAfter;
 
   cfg = config.boot.binfmt;
 
@@ -281,7 +281,7 @@ in {
   config = {
     boot.binfmt.registrations = builtins.listToAttrs (map (system: {
       name = system;
-      value = let
+      value = { config, ... }: let
         interpreter = getEmulator system;
         qemuArch = getQemuArch system;
 
@@ -292,13 +292,13 @@ in {
         in
           if preserveArgvZero then "${wrapper}/bin/${wrapperName}"
           else interpreter;
-      in {
-        inherit preserveArgvZero;
+      in ({
+        preserveArgvZero = mkDefault preserveArgvZero;
 
-        interpreter = interpreterReg;
-        wrapInterpreterInShell = !preserveArgvZero;
-        interpreterSandboxPath = dirOf (dirOf interpreterReg);
-      } // (magics.${system} or (throw "Cannot create binfmt registration for system ${system}"));
+        interpreter = mkDefault interpreterReg;
+        wrapInterpreterInShell = mkDefault (!config.preserveArgvZero);
+        interpreterSandboxPath = mkDefault (dirOf (dirOf config.interpreter));
+      } // (magics.${system} or (throw "Cannot create binfmt registration for system ${system}")));
     }) cfg.emulatedSystems);
     nix.settings = lib.mkIf (cfg.emulatedSystems != []) {
       extra-platforms = cfg.emulatedSystems ++ lib.optional pkgs.stdenv.hostPlatform.isx86_64 "i686-linux";
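Review bot: The attributes merged in from `magics.${system}` are not wrapped in `mkDefault`, unlike the four registration fields above them, so a user who sets e.g. the magic or mask for an emulated system in their own `boot.binfmt.registrations` entry still gets a priority conflict; if the point of turning the value into a `{ config, ... }:` submodule function was to make these registrations overridable, wrap that set too, e.g. `(mapAttrs (_: mkDefault) (magics.${system} or (throw "...")))`. A short comment would also help future readers, e.g. `# Defined as a submodule function so wrapInterpreterInShell and interpreterSandboxPath follow user overrides of preserveArgvZero/interpreter; mkDefault keeps every field overridable.` The surrounding `map` over `cfg.emulatedSystems` begins in the previous hunk.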
diff --git a/nixos/modules/system/boot/initrd-openvpn.nix b/nixos/modules/system/boot/initrd-openvpn.nix
index b41e7524320e2..cbc61d55d6bb3 100644
--- a/nixos/modules/system/boot/initrd-openvpn.nix
+++ b/nixos/modules/system/boot/initrd-openvpn.nix
@@ -68,11 +68,8 @@ in
       $out/bin/openvpn --show-gateway
     '';
 
-    # Add `iproute /bin/ip` to the config, to ensure that openvpn
-    # is able to set the routes
     boot.initrd.network.postCommands = ''
-      (cat /etc/initrd.ovpn; echo -e '\niproute /bin/ip') | \
-        openvpn /dev/stdin &
+      openvpn /etc/initrd.ovpn &
     '';
   };
 
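Review bot: The removed comment was the only explanation of why the initrd OpenVPN config was patched at runtime, and the new one-liner `openvpn /etc/initrd.ovpn &` has none, so a later reader cannot tell whether dropping the `iproute /bin/ip` directive was safe or accidental. Keep a one-line comment stating the actual reason, e.g. `# No iproute directive needed: <reason, e.g. the packaged openvpn sets routes without an external ip binary>` — the reason itself is not visible in this hunk (the `--show-gateway` check above hints at a capability test, but confirm with the author).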
diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
index 68da20615917b..ad7e2184d2a73 100644..100755
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
@@ -16,6 +16,7 @@ import datetime
 import glob
 import os.path
 from typing import NamedTuple, List, Optional
+from packaging import version
 
 class SystemIdentifier(NamedTuple):
     profile: Optional[str]
@@ -258,12 +259,18 @@ def main() -> None:
         if available_match is None:
             raise Exception("could not determine systemd-boot version")
 
-        installed_version = installed_match.group(1)
-        available_version = available_match.group(1)
+        installed_version = version.parse(installed_match.group(1))
+        available_version = version.parse(available_match.group(1))
 
+        # systemd 252 has a regression that leaves some machines unbootable, so we skip that update.
+        # The fix is in 252.2
+        # See https://github.com/systemd/systemd/issues/25363 and https://github.com/NixOS/nixpkgs/pull/201558#issuecomment-1348603263
         if installed_version < available_version:
-            print("updating systemd-boot from %s to %s" % (installed_version, available_version))
-            subprocess.check_call(["@systemd@/bin/bootctl", "--esp-path=@efiSysMountPoint@", "update"])
+            if version.parse('252') <= available_version < version.parse('252.2'):
+                print("skipping systemd-boot update to %s because of known regression" % available_version)
+            else:
+                print("updating systemd-boot from %s to %s" % (installed_version, available_version))
+                subprocess.check_call(["@systemd@/bin/bootctl", "--esp-path=@efiSysMountPoint@", "update"])
 
     mkdir_p("@efiSysMountPoint@/efi/nixos")
     mkdir_p("@efiSysMountPoint@/loader/entries")
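Review bot: `version.parse()` on the two new assignment lines raises `packaging.version.InvalidVersion` for any string that is not valid PEP 440, and with packaging 22+ there is no `LegacyVersion` fallback, so a bootctl version string with a pre-release or distribution suffix (exact format not visible here) would abort the whole builder before `mkdir_p` and the entry generation below run, leaving the ESP unpopulated instead of merely skipping the update. Catching that exception and treating it as "do not update" keeps the failure bounded to the bootctl update step, which is what the previous string comparison effectively did. `main()` begins outside this hunk and the regexes feeding `group(1)` are not visible, so confirm against real `bootctl status` output which strings can occur.
```python
        try:
            installed_version = version.parse(installed_match.group(1))
            available_version = version.parse(available_match.group(1))
        except version.InvalidVersion as e:
            print("skipping systemd-boot update: cannot parse version (%s)" % e)
        else:
            # … unchanged: 252 regression skip and bootctl update, nested one level deeper …
            if installed_version < available_version:
```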
diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
index 8cb7c7b8e47bb..103d6e583c310 100644
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
@@ -7,12 +7,14 @@ let
 
   efi = config.boot.loader.efi;
 
+  python3 = pkgs.python3.withPackages (ps: [ ps.packaging ]);
+
   systemdBootBuilder = pkgs.substituteAll {
     src = ./systemd-boot-builder.py;
 
     isExecutable = true;
 
-    inherit (pkgs) python3;
+    inherit python3;
 
     systemd = config.systemd.package;
 
@@ -48,7 +50,7 @@ let
   };
 
   checkedSystemdBootBuilder = pkgs.runCommand "systemd-boot" {
-    nativeBuildInputs = [ pkgs.mypy ];
+    nativeBuildInputs = [ pkgs.mypy python3 ];
   } ''
     install -m755 ${systemdBootBuilder} $out
     mypy \
diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix
index 31702499b0f14..196f44ccd783c 100644
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
@@ -148,6 +148,16 @@ in {
       visible = false;
     };
 
+    extraConfig = mkOption {
+      default = "";
+      type = types.lines;
+      example = "DefaultLimitCORE=infinity";
+      description = lib.mdDoc ''
+        Extra config options for systemd. See systemd-system.conf(5) man page
+        for available options.
+      '';
+    };
+
     contents = mkOption {
       description = lib.mdDoc "Set of files that have to be linked into the initrd";
       example = literalExpression ''
@@ -352,6 +362,7 @@ in {
         "/etc/systemd/system.conf".text = ''
           [Manager]
           DefaultEnvironment=PATH=/bin:/sbin ${optionalString (isBool cfg.emergencyAccess && cfg.emergencyAccess) "SYSTEMD_SULOGIN_FORCE=1"}
+          ${cfg.extraConfig}
         '';
 
         "/lib/modules".source = "${modulesClosure}/lib/modules";
diff --git a/nixos/modules/tasks/filesystems/envfs.nix b/nixos/modules/tasks/filesystems/envfs.nix
new file mode 100644
index 0000000000000..ef8f655c532a9
--- /dev/null
+++ b/nixos/modules/tasks/filesystems/envfs.nix
@@ -0,0 +1,51 @@
+{ pkgs, config, lib, ... }:
+
+let
+  cfg = config.services.envfs;
+  mounts = {
+    "/usr/bin" = {
+      device = "none";
+      fsType = "envfs";
+      options = [
+        "fallback-path=${pkgs.runCommand "fallback-path" {} ''
+          mkdir -p $out
+          ln -s ${pkgs.coreutils}/bin/env $out/env
+          ln -s ${config.system.build.binsh}/bin/sh $out/sh
+        ''}"
+      ];
+    };
+    "/bin" = {
+      device = "/usr/bin";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+  };
+in {
+  options = {
+    services.envfs = {
+      enable = lib.mkEnableOption (lib.mdDoc "Envfs filesystem") // {
+        description = lib.mdDoc ''
+          Fuse filesystem that returns symlinks to executables based on the PATH
+          of the requesting process. This is useful to execute shebangs on NixOS
+          that assume hard coded locations in locations like /bin or /usr/bin
+          etc.
+        '';
+      };
+      package = lib.mkOption {
+        type = lib.types.package;
+        description = lib.mdDoc "Which package to use for the envfs.";
+        default = pkgs.envfs;
+        defaultText = lib.mdDoc "pkgs.envfs";
+      };
+    };
+  };
+  config = lib.mkIf (cfg.enable) {
+    environment.systemPackages = [ cfg.package ];
+    # we also want these mounts in virtual machines.
+    fileSystems = if config.virtualisation ? qemu then lib.mkVMOverride mounts else mounts;
+
+    # We no longer need those when using envfs
+    system.activationScripts.usrbinenv = lib.mkForce "";
+    system.activationScripts.binsh = lib.mkForce "";
+  };
+}
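Review bot: The two `fallback-path` symlinks (`env`, `sh`) and the two forced-empty activation scripts at the bottom are the same mechanism seen from both ends, but nothing in the file says so; a reader who sees `binsh` and `usrbinenv` disabled will not know what now provides `/bin/sh` and `/usr/bin/env`. Suggest a comment above `mounts`, e.g. `# fallback-path supplies env and sh for processes whose PATH does not resolve them, so the usrbinenv/binsh activation symlinks disabled below are no longer needed`, and rewording the existing `# We no longer need those when using envfs` to point at `fallback-path`. Whether the `/bin` bind mount of `/usr/bin` is guaranteed to be ordered after the envfs mount is not visible here; if NixOS does not order it by path prefix, `options = [ "bind" "x-systemd.requires-mounts-for=/usr/bin" ]` would make it explicit.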
diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix
index 0f14f2b501c22..6c77596475170 100644
--- a/nixos/modules/tasks/filesystems/zfs.nix
+++ b/nixos/modules/tasks/filesystems/zfs.nix
@@ -97,10 +97,15 @@ let
     in
       map (x: "${mountPoint x}.mount") (getPoolFilesystems pool);
 
-  getKeyLocations = pool:
-    if isBool cfgZfs.requestEncryptionCredentials
-    then "${cfgZfs.package}/sbin/zfs list -rHo name,keylocation,keystatus ${pool}"
-    else "${cfgZfs.package}/sbin/zfs list -Ho name,keylocation,keystatus ${toString (filter (x: datasetToPool x == pool) cfgZfs.requestEncryptionCredentials)}";
+  getKeyLocations = pool: if isBool cfgZfs.requestEncryptionCredentials then {
+    hasKeys = cfgZfs.requestEncryptionCredentials;
+    command = "${cfgZfs.package}/sbin/zfs list -rHo name,keylocation,keystatus ${pool}";
+  } else let
+    keys = filter (x: datasetToPool x == pool) cfgZfs.requestEncryptionCredentials;
+  in {
+    hasKeys = keys != [];
+    command = "${cfgZfs.package}/sbin/zfs list -Ho name,keylocation,keystatus ${toString keys}";
+  };
 
   createImportService = { pool, systemd, force, prefix ? "" }:
     nameValuePair "zfs-import-${pool}" {
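Review bot: In the new `else` branch the dataset names are spliced into the shell command with `${toString keys}`, whereas the `zfs load-key` call in the last hunk of this file quotes its dataset with `escapeShellArg`; using `${escapeShellArgs keys}` here keeps the two code paths consistent and removes any dependence on dataset names being shell-safe (the file appears to use `with lib;` since `escapeShellArg` is unqualified, but confirm `escapeShellArgs` is in scope). The filter `filter (x: datasetToPool x == pool) cfgZfs.requestEncryptionCredentials` is now written twice — here as `keys` and again verbatim in the last hunk — so a small `credentialsForPool = pool: ...` helper next to `getKeyLocations` would give both call sites one definition.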
@@ -124,7 +129,9 @@ let
         RemainAfterExit = true;
       };
       environment.ZFS_FORCE = optionalString force "-f";
-      script = (importLib {
+      script = let
+        keyLocations = getKeyLocations pool;
+      in (importLib {
         # See comments at importLib definition.
         zpoolCmd = "${cfgZfs.package}/sbin/zpool";
         awkCmd = "${pkgs.gawk}/bin/awk";
@@ -139,10 +146,8 @@ let
         done
         poolImported "${pool}" || poolImport "${pool}"  # Try one last time, e.g. to import a degraded pool.
         if poolImported "${pool}"; then
-          ${optionalString (if isBool cfgZfs.requestEncryptionCredentials
-                            then cfgZfs.requestEncryptionCredentials
-                            else cfgZfs.requestEncryptionCredentials != []) ''
-            ${getKeyLocations pool} | while IFS=$'\t' read ds kl ks; do
+          ${optionalString keyLocations.hasKeys ''
+            ${keyLocations.command} | while IFS=$'\t' read ds kl ks; do
               {
               if [[ "$ks" != unavailable ]]; then
                 continue
@@ -565,7 +570,7 @@ in
               ''
               else concatMapStrings (fs: ''
                 zfs load-key -- ${escapeShellArg fs}
-              '') cfgZfs.requestEncryptionCredentials}
+              '') (filter (x: datasetToPool x == pool) cfgZfs.requestEncryptionCredentials)}
         '') rootPools));
 
         # Systemd in stage 1
diff --git a/nixos/modules/testing/minimal-kernel.nix b/nixos/modules/testing/minimal-kernel.nix
deleted file mode 100644
index 7c2b9c05cf9a0..0000000000000
--- a/nixos/modules/testing/minimal-kernel.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  configfile = builtins.storePath (builtins.toFile "config" (lib.concatStringsSep "\n"
-    (map (builtins.getAttr "configLine") config.system.requiredKernelConfig))
-  );
-
-  origKernel = pkgs.buildLinux {
-    inherit (pkgs.linux) src version stdenv;
-    inherit configfile;
-    allowImportFromDerivation = true;
-    kernelPatches = [ pkgs.kernelPatches.cifs_timeout_2_6_38 ];
-  };
-
-  kernel = origKernel // (derivation (origKernel.drvAttrs // {
-    configurePhase = ''
-      runHook preConfigure
-      mkdir ../build
-      make $makeFlags "''${makeFlagsArray[@]}" mrproper
-      make $makeFlags "''${makeFlagsArray[@]}" KCONFIG_ALLCONFIG=${configfile} allnoconfig
-      runHook postConfigure
-    '';
-  }));
-
-   kernelPackages = pkgs.linuxPackagesFor kernel;
-in {
-  boot.kernelPackages = kernelPackages;
-}
diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix
index 4ab2578eb81e6..028099c64643c 100644
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@@ -96,6 +96,12 @@ in
         MaxLevelConsole=debug
       '';
 
+    boot.initrd.systemd.contents."/etc/systemd/journald.conf".text = ''
+      [Journal]
+      ForwardToConsole=yes
+      MaxLevelConsole=debug
+    '';
+
     systemd.extraConfig = ''
       # Don't clobber the console with duplicate systemd messages.
       ShowStatus=no
@@ -107,6 +113,8 @@ in
       DefaultTimeoutStartSec=300
     '';
 
+    boot.initrd.systemd.extraConfig = config.systemd.extraConfig;
+
     boot.consoleLogLevel = 7;
 
     # Prevent tests from accessing the Internet.
diff --git a/nixos/release.nix b/nixos/release.nix
index 919aa86a2d639..946379bcd6611 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -181,14 +181,22 @@ in rec {
     inherit system;
   });
 
-  # A variant with a more recent (but possibly less stable) kernel
-  # that might support more hardware.
+  # A variant with a more recent (but possibly less stable) kernel that might support more hardware.
+  # This variant keeps zfs support enabled, hoping it will build and work.
   iso_minimal_new_kernel = forMatchingSystems [ "x86_64-linux" "aarch64-linux" ] (system: makeIso {
     module = ./modules/installer/cd-dvd/installation-cd-minimal-new-kernel.nix;
     type = "minimal-new-kernel";
     inherit system;
   });
 
+  # A variant with a more recent (but possibly less stable) kernel that might support more hardware.
+  # ZFS support disabled since it is unlikely to support the latest kernel.
+  iso_minimal_new_kernel_no_zfs = forMatchingSystems [ "x86_64-linux" "aarch64-linux" ] (system: makeIso {
+    module = ./modules/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix;
+    type = "minimal-new-kernel-no-zfs";
+    inherit system;
+  });
+
   sd_image = forMatchingSystems [ "armv6l-linux" "armv7l-linux" "aarch64-linux" ] (system: makeSdImage {
     module = {
         armv6l-linux = ./modules/installer/sd-card/sd-image-raspberrypi-installer.nix;
@@ -206,6 +214,14 @@ in rec {
     inherit system;
   });
 
+  sd_image_new_kernel_no_zfs = forMatchingSystems [ "aarch64-linux" ] (system: makeSdImage {
+    module = {
+        aarch64-linux = ./modules/installer/sd-card/sd-image-aarch64-new-kernel-no-zfs-installer.nix;
+      }.${system};
+    type = "minimal-new-kernel-no-zfs";
+    inherit system;
+  });
+
   # A bootable VirtualBox virtual appliance as an OVA file (i.e. packaged OVF).
   ova = forMatchingSystems [ "x86_64-linux" ] (system:
 
diff --git a/nixos/tests/akkoma.nix b/nixos/tests/akkoma.nix
new file mode 100644
index 0000000000000..7115c0beed34d
--- /dev/null
+++ b/nixos/tests/akkoma.nix
@@ -0,0 +1,121 @@
+/*
+  End-to-end test for Akkoma.
+
+  Based in part on nixos/tests/pleroma.
+
+  TODO: Test federation.
+*/
+import ./make-test-python.nix ({ pkgs, package ? pkgs.akkoma, confined ? false, ... }:
+let
+  userPassword = "4LKOrGo8SgbPm1a6NclVU5Wb";
+
+  provisionUser = pkgs.writers.writeBashBin "provisionUser" ''
+    set -eu -o errtrace -o pipefail
+
+    pleroma_ctl user new jamy jamy@nixos.test --password '${userPassword}' --moderator --admin -y
+  '';
+
+  tlsCert = pkgs.runCommand "selfSignedCerts" {
+    nativeBuildInputs = with pkgs; [ openssl ];
+  } ''
+    mkdir -p $out
+    openssl req -x509 \
+      -subj '/CN=akkoma.nixos.test/' -days 49710 \
+      -addext 'subjectAltName = DNS:akkoma.nixos.test' \
+      -keyout "$out/key.pem" -newkey ed25519 \
+      -out "$out/cert.pem" -noenc
+  '';
+
+  sendToot = pkgs.writers.writeBashBin "sendToot" ''
+    set -eu -o errtrace -o pipefail
+
+    export REQUESTS_CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"
+
+    echo '${userPassword}' | ${pkgs.toot}/bin/toot login_cli -i "akkoma.nixos.test" -e "jamy@nixos.test"
+    echo "y" | ${pkgs.toot}/bin/toot post "hello world Jamy here"
+    echo "y" | ${pkgs.toot}/bin/toot timeline | grep -F -q "hello world Jamy here"
+
+    # Test file upload
+    echo "y" | ${pkgs.toot}/bin/toot upload <(dd if=/dev/zero bs=1024 count=1024 status=none) \
+      | grep -F -q "https://akkoma.nixos.test/media"
+  '';
+
+  checkFe = pkgs.writers.writeBashBin "checkFe" ''
+    set -eu -o errtrace -o pipefail
+
+    paths=( / /static/{config,styles}.json /pleroma/admin/ )
+
+    for path in "''${paths[@]}"; do
+      diff \
+        <(${pkgs.curl}/bin/curl -f -S -s -o /dev/null -w '%{response_code}' "https://akkoma.nixos.test$path") \
+        <(echo -n 200)
+    done
+  '';
+
+  hosts = nodes: ''
+    ${nodes.akkoma.networking.primaryIPAddress} akkoma.nixos.test
+    ${nodes.client.networking.primaryIPAddress} client.nixos.test
+  '';
+in
+{
+  name = "akkoma";
+  nodes = {
+    client = { nodes, pkgs, config, ... }: {
+      security.pki.certificateFiles = [ "${tlsCert}/cert.pem" ];
+      networking.extraHosts = hosts nodes;
+    };
+
+    akkoma = { nodes, pkgs, config, ... }: {
+      networking.extraHosts = hosts nodes;
+      networking.firewall.allowedTCPPorts = [ 443 ];
+      environment.systemPackages = with pkgs; [ provisionUser ];
+      systemd.services.akkoma.confinement.enable = confined;
+
+      services.akkoma = {
+        enable = true;
+        package = package;
+        config = {
+          ":pleroma" = {
+            ":instance" = {
+              name = "NixOS test Akkoma server";
+              description = "NixOS test Akkoma server";
+              email = "akkoma@nixos.test";
+              notify_email = "akkoma@nixos.test";
+              registration_open = true;
+            };
+
+            ":media_proxy" = {
+              enabled = false;
+            };
+
+            "Pleroma.Web.Endpoint" = {
+              url.host = "akkoma.nixos.test";
+            };
+          };
+        };
+
+        nginx = {
+          addSSL = true;
+          sslCertificate = "${tlsCert}/cert.pem";
+          sslCertificateKey = "${tlsCert}/key.pem";
+        };
+      };
+
+      services.nginx.enable = true;
+      services.postgresql.enable = true;
+    };
+  };
+
+  testScript = { nodes, ... }: ''
+    start_all()
+    akkoma.wait_for_unit('akkoma-initdb.service')
+    akkoma.systemctl('restart akkoma-initdb.service')  # test repeated initialisation
+    akkoma.wait_for_unit('akkoma.service')
+    akkoma.wait_for_file('/run/akkoma/socket');
+    akkoma.succeed('${provisionUser}/bin/provisionUser')
+    akkoma.wait_for_unit('nginx.service')
+    client.succeed('${sendToot}/bin/sendToot')
+    client.succeed('${checkFe}/bin/checkFe')
+  '';
+})
+
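Review bot: `akkoma.wait_for_file('/run/akkoma/socket');` in `testScript` ends with a stray semicolon, which is legal Python but inconsistent with the other lines; drop it. The file also ends with an extra empty line after `})` (the last added line), which most editors and `nixpkgs-fmt` would strip. The fixed `userPassword` and the 49710-day self-signed certificate are clearly test fixtures, but a one-line comment above `userPassword` saying `# test-only credential, never reused outside this VM test` would prevent a copy-paste into a real deployment.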
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index e577001a3baf9..75f01d888b218 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -73,6 +73,8 @@ in {
   agate = runTest ./web-servers/agate.nix;
   agda = handleTest ./agda.nix {};
   airsonic = handleTest ./airsonic.nix {};
+  akkoma = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./akkoma.nix {};
+  akkoma-confined = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./akkoma.nix { confined = true; };
   allTerminfo = handleTest ./all-terminfo.nix {};
   alps = handleTest ./alps.nix {};
   amazon-init-shell = handleTest ./amazon-init-shell.nix {};
@@ -153,6 +155,7 @@ in {
   coturn = handleTest ./coturn.nix {};
   couchdb = handleTest ./couchdb.nix {};
   cri-o = handleTestOn ["aarch64-linux" "x86_64-linux"] ./cri-o.nix {};
+  cups-pdf = handleTest ./cups-pdf.nix {};
   custom-ca = handleTest ./custom-ca.nix {};
   croc = handleTest ./croc.nix {};
   deluge = handleTest ./deluge.nix {};
@@ -192,6 +195,7 @@ in {
   engelsystem = handleTest ./engelsystem.nix {};
   enlightenment = handleTest ./enlightenment.nix {};
   env = handleTest ./env.nix {};
+  envfs = handleTest ./envfs.nix {};
   envoy = handleTest ./envoy.nix {};
   ergo = handleTest ./ergo.nix {};
   ergochat = handleTest ./ergochat.nix {};
@@ -225,7 +229,7 @@ in {
   fsck = handleTest ./fsck.nix {};
   ft2-clone = handleTest ./ft2-clone.nix {};
   mimir = handleTest ./mimir.nix {};
-  garage = handleTest ./garage.nix {};
+  garage = handleTest ./garage {};
   gerrit = handleTest ./gerrit.nix {};
   geth = handleTest ./geth.nix {};
   ghostunnel = handleTest ./ghostunnel.nix {};
@@ -236,6 +240,7 @@ in {
   gitolite-fcgiwrap = handleTest ./gitolite-fcgiwrap.nix {};
   glusterfs = handleTest ./glusterfs.nix {};
   gnome = handleTest ./gnome.nix {};
+  gnome-flashback = handleTest ./gnome-flashback.nix {};
   gnome-xorg = handleTest ./gnome-xorg.nix {};
   go-neb = handleTest ./go-neb.nix {};
   gobgpd = handleTest ./gobgpd.nix {};
@@ -679,6 +684,7 @@ in {
   tuxguitar = handleTest ./tuxguitar.nix {};
   ucarp = handleTest ./ucarp.nix {};
   udisks2 = handleTest ./udisks2.nix {};
+  ulogd = handleTest ./ulogd.nix {};
   unbound = handleTest ./unbound.nix {};
   unifi = handleTest ./unifi.nix {};
   unit-php = handleTest ./web-servers/unit-php.nix {};
@@ -705,6 +711,7 @@ in {
   vsftpd = handleTest ./vsftpd.nix {};
   warzone2100 = handleTest ./warzone2100.nix {};
   wasabibackend = handleTest ./wasabibackend.nix {};
+  webhook = runTest ./webhook.nix;
   wiki-js = handleTest ./wiki-js.nix {};
   wine = handleTest ./wine.nix {};
   wireguard = handleTest ./wireguard {};
diff --git a/nixos/tests/cups-pdf.nix b/nixos/tests/cups-pdf.nix
new file mode 100644
index 0000000000000..70d14f29e2e5d
--- /dev/null
+++ b/nixos/tests/cups-pdf.nix
@@ -0,0 +1,40 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
+  name = "cups-pdf";
+
+  nodes.machine = { pkgs, ... }: {
+    imports = [ ./common/user-account.nix ];
+    environment.systemPackages = [ pkgs.poppler_utils ];
+    fonts.fonts = [ pkgs.dejavu_fonts ];  # yields more OCR-able pdf
+    services.printing.cups-pdf.enable = true;
+    services.printing.cups-pdf.instances = {
+      opt = {};
+      noopt.installPrinter = false;
+    };
+    hardware.printers.ensurePrinters = [{
+      name = "noopt";
+      model = "CUPS-PDF_noopt.ppd";
+      deviceUri = "cups-pdf:/noopt";
+    }];
+  };
+
+  # we cannot check the files with pdftotext, due to
+  # https://github.com/alexivkin/CUPS-PDF-to-PDF/issues/7
+  # we need `imagemagickBig` as it has ghostscript support
+
+  testScript = ''
+    from subprocess import run
+    machine.wait_for_unit("cups.service")
+    for name in ("opt", "noopt"):
+        text = f"test text {name}".upper()
+        machine.wait_until_succeeds(f"lpstat -v {name}")
+        machine.succeed(f"su - alice -c 'echo -e \"\n  {text}\" | lp -d {name}'")
+        # wait until the pdf files are completely produced and readable by alice
+        machine.wait_until_succeeds(f"su - alice -c 'pdfinfo /var/spool/cups-pdf-{name}/users/alice/*.pdf'")
+        machine.succeed(f"cp /var/spool/cups-pdf-{name}/users/alice/*.pdf /tmp/{name}.pdf")
+        machine.copy_from_vm(f"/tmp/{name}.pdf", "")
+        run(f"${pkgs.imagemagickBig}/bin/convert -density 300 $out/{name}.pdf $out/{name}.jpeg", shell=True, check=True)
+        assert text.encode() in run(f"${lib.getExe pkgs.tesseract} $out/{name}.jpeg stdout", shell=True, check=True, capture_output=True).stdout
+  '';
+
+  meta.maintainers = [ lib.maintainers.yarny ];
+})
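Review bot: The two `run(..., shell=True, ...)` calls in `testScript` go through a shell only to expand `$out`; `name` comes from a fixed tuple so there is no injection here, but the list form is the idiomatic and lint-clean way to write it: `out = os.environ["out"]` (with `import os` next to the existing `from subprocess import run`) and then `run(["${pkgs.imagemagickBig}/bin/convert", "-density", "300", f"{out}/{name}.pdf", f"{out}/{name}.jpeg"], check=True)`, and likewise for the `tesseract` call. The comment block above `testScript` explains the `imagemagickBig` choice well; moving the `# we cannot check the files with pdftotext` remark next to the `convert` call would put it where a reader looks for it.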
diff --git a/nixos/tests/envfs.nix b/nixos/tests/envfs.nix
new file mode 100644
index 0000000000000..3f9cd1edb595a
--- /dev/null
+++ b/nixos/tests/envfs.nix
@@ -0,0 +1,42 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }:
+let
+  pythonShebang = pkgs.writeScript "python-shebang" ''
+    #!/usr/bin/python
+    print("OK")
+  '';
+
+  bashShebang = pkgs.writeScript "bash-shebang" ''
+    #!/usr/bin/bash
+    echo "OK"
+  '';
+in
+{
+  name = "envfs";
+  nodes.machine.services.envfs.enable = true;
+
+  testScript = ''
+    start_all()
+    machine.wait_until_succeeds("mountpoint -q /usr/bin/")
+    machine.succeed(
+        "PATH=${pkgs.coreutils}/bin /usr/bin/cp --version",
+        # check fallback paths
+        "PATH= /usr/bin/sh --version",
+        "PATH= /usr/bin/env --version",
+        "PATH= test -e /usr/bin/sh",
+        "PATH= test -e /usr/bin/env",
+        # no stat
+        "! test -e /usr/bin/cp",
+        # also picks up PATH that was set after execve
+        "! /usr/bin/hello",
+        "PATH=${pkgs.hello}/bin /usr/bin/hello",
+    )
+
+    out = machine.succeed("PATH=${pkgs.python3}/bin ${pythonShebang}")
+    print(out)
+    assert out == "OK\n"
+
+    out = machine.succeed("PATH=${pkgs.bash}/bin ${bashShebang}")
+    print(out)
+    assert out == "OK\n"
+  '';
+})
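Review bot: The comment `# no stat` above `"! test -e /usr/bin/cp"` does not say what behaviour is being asserted, and the assertion is the one a future reader is most likely to "fix" by mistake. Spell it out — presumably that envfs deliberately answers existence probes for anything outside the fallback set with ENOENT, so `test -e` does not see PATH-dependent entries — e.g. `# entries outside the fallback set are not stat-able: existence probes must not depend on PATH`; confirm the exact semantics against the envfs documentation before wording it as fact.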
diff --git a/nixos/tests/garage/basic.nix b/nixos/tests/garage/basic.nix
new file mode 100644
index 0000000000000..b6df1e72af983
--- /dev/null
+++ b/nixos/tests/garage/basic.nix
@@ -0,0 +1,98 @@
+args@{ mkNode, ... }:
+(import ../make-test-python.nix ({ pkgs, ...} : {
+  name = "garage-basic";
+  meta = {
+    maintainers = with pkgs.lib.maintainers; [ raitobezarius ];
+  };
+
+  nodes = {
+    single_node = mkNode { replicationMode = "none"; };
+  };
+
+  testScript = ''
+    from typing import List
+    from dataclasses import dataclass
+    import re
+
+    start_all()
+
+    cur_version_regex = re.compile('Current cluster layout version: (?P<ver>\d*)')
+    key_creation_regex = re.compile('Key name: (?P<key_name>.*)\nKey ID: (?P<key_id>.*)\nSecret key: (?P<secret_key>.*)')
+
+    @dataclass
+    class S3Key:
+       key_name: str
+       key_id: str
+       secret_key: str
+
+    @dataclass
+    class GarageNode:
+       node_id: str
+       host: str
+
+    def get_node_fqn(machine: Machine) -> GarageNode:
+      node_id, host = machine.succeed("garage node id").split('@')
+      return GarageNode(node_id=node_id, host=host)
+
+    def get_node_id(machine: Machine) -> str:
+      return get_node_fqn(machine).node_id
+
+    def get_layout_version(machine: Machine) -> int:
+      version_data = machine.succeed("garage layout show")
+      m = cur_version_regex.search(version_data)
+      if m and m.group('ver') is not None:
+        return int(m.group('ver')) + 1
+      else:
+        raise ValueError('Cannot find current layout version')
+
+    def apply_garage_layout(machine: Machine, layouts: List[str]):
+       for layout in layouts:
+          machine.succeed(f"garage layout assign {layout}")
+       version = get_layout_version(machine)
+       machine.succeed(f"garage layout apply --version {version}")
+
+    def create_api_key(machine: Machine, key_name: str) -> S3Key:
+       output = machine.succeed(f"garage key new --name {key_name}")
+       m = key_creation_regex.match(output)
+       if not m or not m.group('key_id') or not m.group('secret_key'):
+          raise ValueError('Cannot parse API key data')
+       return S3Key(key_name=key_name, key_id=m.group('key_id'), secret_key=m.group('secret_key'))
+
+    def get_api_key(machine: Machine, key_pattern: str) -> S3Key:
+       output = machine.succeed(f"garage key info {key_pattern}")
+       m = key_creation_regex.match(output)
+       if not m or not m.group('key_name') or not m.group('key_id') or not m.group('secret_key'):
+           raise ValueError('Cannot parse API key data')
+       return S3Key(key_name=m.group('key_name'), key_id=m.group('key_id'), secret_key=m.group('secret_key'))
+
+    def test_bucket_writes(node):
+      node.succeed("garage bucket create test-bucket")
+      s3_key = create_api_key(node, "test-api-key")
+      node.succeed("garage bucket allow --read --write test-bucket --key test-api-key")
+      other_s3_key = get_api_key(node, 'test-api-key')
+      assert other_s3_key.secret_key == other_s3_key.secret_key
+      node.succeed(
+        f"mc alias set test-garage http://[::1]:3900 {s3_key.key_id} {s3_key.secret_key} --api S3v4"
+      )
+      node.succeed("echo test | mc pipe test-garage/test-bucket/test.txt")
+      assert node.succeed("mc cat test-garage/test-bucket/test.txt").strip() == "test"
+
+    def test_bucket_over_http(node, bucket='test-bucket', url=None):
+      if url is None:
+         url = f"{bucket}.web.garage"
+
+      node.succeed(f'garage bucket website --allow {bucket}')
+      node.succeed(f'echo hello world | mc pipe test-garage/{bucket}/index.html')
+      assert (node.succeed(f"curl -H 'Host: {url}' http://localhost:3902")).strip() == 'hello world'
+
+    with subtest("Garage works as a single-node S3 storage"):
+      single_node.wait_for_unit("garage.service")
+      single_node.wait_for_open_port(3900)
+      # Now Garage is initialized.
+      single_node_id = get_node_id(single_node)
+      apply_garage_layout(single_node, [f'-z qemutest -c 1 "{single_node_id}"'])
+      # Now Garage is operational.
+      test_bucket_writes(single_node)
+      test_bucket_over_http(single_node)
+  '';
+})) args
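Review bot: `assert other_s3_key.secret_key == other_s3_key.secret_key` in `test_bucket_writes` compares a value with itself and therefore always passes; the intended check is `assert s3_key.secret_key == other_s3_key.secret_key`, which verifies that `garage key info` returns the secret that `garage key new` created. The two `re.compile('...\d*')` / `'...\n...'` patterns are not raw strings, so `\d` is an invalid escape (a SyntaxWarning from Python 3.12) — write them as `re.compile(r'Current cluster layout version: (?P<ver>\d*)')` and the same for `key_creation_regex`. `get_layout_version` returns the current version plus one, so either rename it `get_next_layout_version` or add a docstring saying it returns the version to pass to `garage layout apply`.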
diff --git a/nixos/tests/garage/default.nix b/nixos/tests/garage/default.nix
new file mode 100644
index 0000000000000..4c38ea1bc898e
--- /dev/null
+++ b/nixos/tests/garage/default.nix
@@ -0,0 +1,53 @@
+{ system ? builtins.currentSystem
+, config ? { }
+, pkgs ? import ../../.. { inherit system config; }
+}:
+with pkgs.lib;
+
+let
+    mkNode = package: { replicationMode, publicV6Address ? "::1" }: { pkgs, ... }: {
+      networking.interfaces.eth1.ipv6.addresses = [{
+        address = publicV6Address;
+        prefixLength = 64;
+      }];
+
+      networking.firewall.allowedTCPPorts = [ 3901 3902 ];
+
+      services.garage = {
+        enable = true;
+        inherit package;
+        settings = {
+          replication_mode = replicationMode;
+
+          rpc_bind_addr = "[::]:3901";
+          rpc_public_addr = "[${publicV6Address}]:3901";
+          rpc_secret = "5c1915fa04d0b6739675c61bf5907eb0fe3d9c69850c83820f51b4d25d13868c";
+
+          s3_api = {
+            s3_region = "garage";
+            api_bind_addr = "[::]:3900";
+            root_domain = ".s3.garage";
+          };
+
+          s3_web = {
+            bind_addr = "[::]:3902";
+            root_domain = ".web.garage";
+            index = "index.html";
+          };
+        };
+      };
+      environment.systemPackages = [ pkgs.minio-client ];
+
+      # Garage requires at least 1GiB of free disk space to run.
+      virtualisation.diskSize = 2 * 1024;
+    };
+in
+  foldl
+  (matrix: ver: matrix // {
+    "basic${toString ver}" = import ./basic.nix { inherit system pkgs; mkNode = mkNode pkgs."garage_${ver}"; };
+    "with-3node-replication${toString ver}" = import ./with-3node-replication.nix { inherit system pkgs; mkNode = mkNode pkgs."garage_${ver}"; };
+  })
+  {}
+  [
+    "0_8_0"
+  ]
diff --git a/nixos/tests/garage.nix b/nixos/tests/garage/with-3node-replication.nix
index dc1f83e7f8f3c..d372ad1aa000f 100644
--- a/nixos/tests/garage.nix
+++ b/nixos/tests/garage/with-3node-replication.nix
@@ -1,50 +1,12 @@
-import ./make-test-python.nix ({ pkgs, ...} :
-let
-    mkNode = { replicationMode, publicV6Address ? "::1" }: { pkgs, ... }: {
-      networking.interfaces.eth1.ipv6.addresses = [{
-        address = publicV6Address;
-        prefixLength = 64;
-      }];
-
-      networking.firewall.allowedTCPPorts = [ 3901 3902 ];
-
-      services.garage = {
-        enable = true;
-        settings = {
-          replication_mode = replicationMode;
-
-          rpc_bind_addr = "[::]:3901";
-          rpc_public_addr = "[${publicV6Address}]:3901";
-          rpc_secret = "5c1915fa04d0b6739675c61bf5907eb0fe3d9c69850c83820f51b4d25d13868c";
-
-          s3_api = {
-            s3_region = "garage";
-            api_bind_addr = "[::]:3900";
-            root_domain = ".s3.garage";
-          };
-
-          s3_web = {
-            bind_addr = "[::]:3902";
-            root_domain = ".web.garage";
-            index = "index.html";
-          };
-        };
-      };
-      environment.systemPackages = [ pkgs.minio-client ];
-
-      # Garage requires at least 1GiB of free disk space to run.
-      virtualisation.diskSize = 2 * 1024;
-    };
-
-
-in {
-  name = "garage";
+args@{ mkNode, ... }:
+(import ../make-test-python.nix ({ pkgs, ...} :
+{
+  name = "garage-3node-replication";
   meta = {
     maintainers = with pkgs.lib.maintainers; [ raitobezarius ];
   };
 
   nodes = {
-    single_node = mkNode { replicationMode = "none"; };
     node1 = mkNode { replicationMode = 3; publicV6Address = "fc00:1::1"; };
     node2 = mkNode { replicationMode = 3; publicV6Address = "fc00:1::2"; };
     node3 = mkNode { replicationMode = 3; publicV6Address = "fc00:1::3"; };
@@ -126,16 +88,6 @@ in {
       node.succeed(f'echo hello world | mc pipe test-garage/{bucket}/index.html')
       assert (node.succeed(f"curl -H 'Host: {url}' http://localhost:3902")).strip() == 'hello world'
 
-    with subtest("Garage works as a single-node S3 storage"):
-      single_node.wait_for_unit("garage.service")
-      single_node.wait_for_open_port(3900)
-      # Now Garage is initialized.
-      single_node_id = get_node_id(single_node)
-      apply_garage_layout(single_node, [f'-z qemutest -c 1 "{single_node_id}"'])
-      # Now Garage is operational.
-      test_bucket_writes(single_node)
-      test_bucket_over_http(single_node)
-
     with subtest("Garage works as a multi-node S3 storage"):
       nodes = ('node1', 'node2', 'node3', 'node4')
       rev_machines = {m.name: m for m in machines}
@@ -166,4 +118,4 @@ in {
       for node in nodes:
          test_bucket_over_http(get_machine(node))
   '';
-})
+})) args
diff --git a/nixos/tests/gnome-flashback.nix b/nixos/tests/gnome-flashback.nix
new file mode 100644
index 0000000000000..c97264e6928a0
--- /dev/null
+++ b/nixos/tests/gnome-flashback.nix
@@ -0,0 +1,51 @@
+import ./make-test-python.nix ({ pkgs, lib, ...} : {
+  name = "gnome-flashback";
+  meta = with lib; {
+    maintainers = teams.gnome.members ++ [ maintainers.chpatrick ];
+  };
+
+  nodes.machine = { nodes, ... }: let
+    user = nodes.machine.config.users.users.alice;
+  in
+
+    { imports = [ ./common/user-account.nix ];
+
+      services.xserver.enable = true;
+
+      services.xserver.displayManager = {
+        gdm.enable = true;
+        gdm.debug = true;
+        autoLogin = {
+          enable = true;
+          user = user.name;
+        };
+      };
+
+      services.xserver.desktopManager.gnome.enable = true;
+      services.xserver.desktopManager.gnome.debug = true;
+      services.xserver.desktopManager.gnome.flashback.enableMetacity = true;
+      services.xserver.displayManager.defaultSession = "gnome-flashback-metacity";
+    };
+
+  testScript = { nodes, ... }: let
+    user = nodes.machine.config.users.users.alice;
+    uid = toString user.uid;
+    xauthority = "/run/user/${uid}/gdm/Xauthority";
+  in ''
+      with subtest("Login to GNOME Flashback with GDM"):
+          machine.wait_for_x()
+          # Wait for alice to be logged in"
+          machine.wait_for_unit("default.target", "${user.name}")
+          machine.wait_for_file("${xauthority}")
+          machine.succeed("xauth merge ${xauthority}")
+          # Check that logging in has given the user ownership of devices
+          assert "alice" in machine.succeed("getfacl -p /dev/snd/timer")
+
+      with subtest("Wait for Metacity"):
+          machine.wait_until_succeeds(
+              "pgrep metacity"
+          )
+          machine.sleep(20)
+          machine.screenshot("screen")
+    '';
+})
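Review bot: The device-ownership check `assert "alice" in machine.succeed("getfacl -p /dev/snd/timer")` hardcodes the user name while the rest of the script derives it from `nodes.machine.config.users.users.alice` as `${user.name}`; write it as `assert "${user.name}" in machine.succeed(...)` so the assertion follows the same source of truth as `wait_for_unit("default.target", "${user.name}")`. The comment above that call has a stray closing quote (`# Wait for alice to be logged in"`). The fixed `machine.sleep(20)` before `machine.screenshot("screen")` is a timing guess that only affects the screenshot, not an assertion; if the test driver's window-readiness helpers apply to Metacity here, one of those would be less arbitrary, though I cannot confirm that from this hunk.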
diff --git a/nixos/tests/initrd-network-openvpn/default.nix b/nixos/tests/initrd-network-openvpn/default.nix
index bb4c41e6d7095..dbb34c28eea74 100644
--- a/nixos/tests/initrd-network-openvpn/default.nix
+++ b/nixos/tests/initrd-network-openvpn/default.nix
@@ -91,6 +91,7 @@ import ../make-test-python.nix ({ lib, ...}:
             config = ''
               dev tun0
               ifconfig 10.8.0.1 10.8.0.2
+              cipher AES-256-CBC
               ${secretblock}
             '';
           };
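Review bot: The added `cipher AES-256-CBC` is a bare config line with no explanation, and the enclosing `config` string starts before this hunk; a why-comment would help the next maintainer, e.g. `# static-key mode does no cipher negotiation, so the cipher must be pinned explicitly`. I am inferring the motivation from the change itself (newer OpenVPN no longer assuming BF-CBC), so confirm it against the release that prompted this. As a caveat for anyone reading this as an example, a pre-shared static key with a CBC cipher gives no forward secrecy and authenticates peers only by possession of that key, which is acceptable for an initrd test fixture but should not be mirrored in a production profile; the same line is added to `initrd.ovpn`, so keep the two sides in sync if it changes again.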
diff --git a/nixos/tests/initrd-network-openvpn/initrd.ovpn b/nixos/tests/initrd-network-openvpn/initrd.ovpn
index 5926a48af00f4..3ada4130e8682 100644
--- a/nixos/tests/initrd-network-openvpn/initrd.ovpn
+++ b/nixos/tests/initrd-network-openvpn/initrd.ovpn
@@ -3,6 +3,7 @@ dev tun
 ifconfig 10.8.0.2 10.8.0.1
 # Only force VLAN 2 through the VPN
 route 192.168.2.0 255.255.255.0 10.8.0.1
+cipher AES-256-CBC
 secret [inline]
 <secret>
 #
@@ -26,4 +27,4 @@ be5a69522a8e60ccb217f8521681b45d
 e7811584363597599cce2040a68ac00e
 f2125540e0f7f4adc37cb3f0d922eeb7
 -----END OpenVPN Static key V1-----
-</secret>
\ No newline at end of file
+</secret>
diff --git a/nixos/tests/trafficserver.nix b/nixos/tests/trafficserver.nix
index 983ded4f172e2..e4557c6c50e54 100644
--- a/nixos/tests/trafficserver.nix
+++ b/nixos/tests/trafficserver.nix
@@ -172,6 +172,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
         assert re.fullmatch(expected, out) is not None, "no matching logs"
 
         out = json.loads(ats.succeed(f"traffic_logstats -jf {access_log_path}"))
+        assert isinstance(out, dict)
         assert out["total"]["error.total"]["req"] == "0", "unexpected log stat"
   '';
 })
diff --git a/nixos/tests/ulogd.nix b/nixos/tests/ulogd.nix
new file mode 100644
index 0000000000000..ce52d855ffc28
--- /dev/null
+++ b/nixos/tests/ulogd.nix
@@ -0,0 +1,84 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }: {
+  name = "ulogd";
+
+  meta = with lib; {
+    maintainers = with maintainers; [ p-h ];
+  };
+
+  nodes.machine = { ... }: {
+    networking.firewall.enable = false;
+    networking.nftables.enable = true;
+    networking.nftables.ruleset = ''
+      table inet filter {
+        chain input {
+          type filter hook input priority 0;
+          log group 2 accept
+        }
+
+        chain output {
+          type filter hook output priority 0; policy accept;
+          log group 2 accept
+        }
+
+        chain forward {
+          type filter hook forward priority 0; policy drop;
+          log group 2 accept
+        }
+
+      }
+    '';
+    services.ulogd = {
+      enable = true;
+      settings = {
+        global = {
+          logfile = "/var/log/ulogd.log";
+          stack = "log1:NFLOG,base1:BASE,pcap1:PCAP";
+        };
+
+        log1.group = 2;
+
+        pcap1 = {
+          file = "/var/log/ulogd.pcap";
+          sync = 1;
+        };
+      };
+    };
+
+    environment.systemPackages = with pkgs; [
+      tcpdump
+    ];
+  };
+
+  testScript = ''
+    start_all()
+    machine.wait_for_unit("ulogd.service")
+    machine.wait_for_unit("network-online.target")
+
+    with subtest("Ulogd is running"):
+        machine.succeed("pgrep ulogd >&2")
+
+    # All packets show up twice in the logs
+    with subtest("Logs are collected"):
+        machine.succeed("ping -f 127.0.0.1 -c 5 >&2")
+        machine.succeed("sleep 2")
+        machine.wait_until_succeeds("du /var/log/ulogd.pcap >&2")
+        _, echo_request_packets = machine.execute("tcpdump -r /var/log/ulogd.pcap icmp[0] == 8 and host 127.0.0.1")
+        expected, actual = 5*2, len(echo_request_packets.splitlines())
+        assert expected == actual, f"Expected {expected} packets, got: {actual}"
+        _, echo_reply_packets = machine.execute("tcpdump -r /var/log/ulogd.pcap icmp[0] == 0 and host 127.0.0.1")
+        expected, actual = 5*2, len(echo_reply_packets.splitlines())
+        assert expected == actual, f"Expected {expected} packets, got: {actual}"
+
+    with subtest("Reloading service reopens log file"):
+        machine.succeed("mv /var/log/ulogd.pcap /var/log/old_ulogd.pcap")
+        machine.succeed("systemctl reload ulogd.service")
+        machine.succeed("ping -f 127.0.0.1 -c 5 >&2")
+        machine.succeed("sleep 2")
+        _, echo_request_packets = machine.execute("tcpdump -r /var/log/ulogd.pcap icmp[0] == 8 and host 127.0.0.1")
+        expected, actual = 5*2, len(echo_request_packets.splitlines())
+        assert expected == actual, f"Expected {expected} packets, got: {actual}"
+        _, echo_reply_packets = machine.execute("tcpdump -r /var/log/ulogd.pcap icmp[0] == 0 and host 127.0.0.1")
+        expected, actual = 5*2, len(echo_reply_packets.splitlines())
+        assert expected == actual, f"Expected {expected} packets, got: {actual}"
+  '';
+})
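Review bot: Every `machine.execute("tcpdump -r /var/log/ulogd.pcap ...")` call throws away the exit status (`_, echo_request_packets = ...`), so a tcpdump failure (unreadable pcap, filter syntax error) surfaces only as a misleading "Expected 10 packets, got: 0" instead of the real error; capture and check it, e.g. `status, echo_request_packets = machine.execute(...)` followed by `assert status == 0, echo_request_packets`. In the nftables ruleset the `input` chain declares no `policy` while `output` and `forward` do; with `networking.firewall.enable = false` the host's inbound policy is whatever nftables defaults to, so adding `policy accept;` makes the intent explicit and consistent with the other two chains. The fixed `sleep 2` before reading the pcap is a timing guess; wrapping the count in `wait_until_succeeds` would avoid a race with the `sync = 1` flush, though I cannot tell from here whether it is flaky in practice.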
diff --git a/nixos/tests/webhook.nix b/nixos/tests/webhook.nix
new file mode 100644
index 0000000000000..ed70514086405
--- /dev/null
+++ b/nixos/tests/webhook.nix
@@ -0,0 +1,65 @@
+{ pkgs, ... }:
+let
+  forwardedPort = 19000;
+  internalPort = 9000;
+in
+{
+  name = "webhook";
+
+  nodes = {
+    webhookMachine = { pkgs, ... }: {
+      virtualisation.forwardPorts = [{
+        host.port = forwardedPort;
+        guest.port = internalPort;
+      }];
+      services.webhook = {
+        enable = true;
+        port = internalPort;
+        openFirewall = true;
+        hooks = {
+          echo = {
+            execute-command = "echo";
+            response-message = "Webhook is reachable!";
+          };
+        };
+        hooksTemplated = {
+          echoTemplate = ''
+            {
+              "id": "echo-template",
+              "execute-command": "echo",
+              "response-message": "{{ getenv "WEBHOOK_MESSAGE" }}"
+            }
+          '';
+        };
+        environment.WEBHOOK_MESSAGE = "Templates are working!";
+      };
+    };
+  };
+
+  extraPythonPackages = p: [
+    p.requests
+    p.types-requests
+  ];
+
+  testScript = { nodes, ... }: ''
+    import requests
+    webhookMachine.wait_for_unit("webhook")
+    webhookMachine.wait_for_open_port(${toString internalPort})
+
+    with subtest("Check that webhooks can be called externally"):
+      response = requests.get("http://localhost:${toString forwardedPort}/hooks/echo")
+      print(f"Response code: {response.status_code}")
+      print("Response: %r" % response.content)
+
+      assert response.status_code == 200
+      assert response.content == b"Webhook is reachable!"
+
+    with subtest("Check that templated webhooks can be called externally"):
+      response = requests.get("http://localhost:${toString forwardedPort}/hooks/echo-template")
+      print(f"Response code: {response.status_code}")
+      print("Response: %r" % response.content)
+
+      assert response.status_code == 200
+      assert response.content == b"Templates are working!"
+  '';
+}
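Review bot: Both `requests.get("http://localhost:${toString forwardedPort}/hooks/...")` calls have no `timeout=`; `requests` has no default timeout, so if the forwarded port accepts the connection but the hook never answers, the test hangs until the outer driver limit instead of failing with a clear error — pass `timeout=30` (or similar) on each call. The two hooks are defined without any `trigger-rule` and `openFirewall = true` opens port 9000 on the guest, so anything that can reach the node can fire them; that is fine for an `echo` hook in a throwaway VM, but a one-line comment saying the unauthenticated hook is intentional for this test would stop the file being copied as a configuration template. The `testScript = { nodes, ... }:` binding takes `nodes` but never uses it, so the argument list can be simplified.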
diff --git a/nixos/tests/zfs.nix b/nixos/tests/zfs.nix
index 29df691cecbed..3e55369daa06a 100644
--- a/nixos/tests/zfs.nix
+++ b/nixos/tests/zfs.nix
@@ -17,103 +17,151 @@ let
     makeTest {
       name = "zfs-" + name;
       meta = with pkgs.lib.maintainers; {
-        maintainers = [ adisbladis ];
+        maintainers = [ adisbladis elvishjerricco ];
       };
 
       nodes.machine = { pkgs, lib, ... }:
         let
           usersharePath = "/var/lib/samba/usershares";
         in {
-        virtualisation.emptyDiskImages = [ 4096 ];
+        virtualisation = {
+          emptyDiskImages = [ 4096 4096 ];
+          useBootLoader = true;
+          useEFIBoot = true;
+        };
+        boot.loader.systemd-boot.enable = true;
+        boot.loader.timeout = 0;
+        boot.loader.efi.canTouchEfiVariables = true;
         networking.hostId = "deadbeef";
         boot.kernelPackages = kernelPackage;
         boot.supportedFilesystems = [ "zfs" ];
         boot.zfs.enableUnstable = enableUnstable;
 
-        services.samba = {
-          enable = true;
-          extraConfig = ''
-            registry shares = yes
-            usershare path = ${usersharePath}
-            usershare allow guests = yes
-            usershare max shares = 100
-            usershare owner only = no
-          '';
+        environment.systemPackages = [ pkgs.parted ];
+
+        # /dev/disk/by-id doesn't get populated in the NixOS test framework
+        boot.zfs.devNodes = "/dev/disk/by-uuid";
+
+        specialisation.samba.configuration = {
+          services.samba = {
+            enable = true;
+            extraConfig = ''
+              registry shares = yes
+              usershare path = ${usersharePath}
+              usershare allow guests = yes
+              usershare max shares = 100
+              usershare owner only = no
+            '';
+          };
+          systemd.services.samba-smbd.serviceConfig.ExecStartPre =
+            "${pkgs.coreutils}/bin/mkdir -m +t -p ${usersharePath}";
+          virtualisation.fileSystems = {
+            "/tmp/mnt" = {
+              device = "rpool/root";
+              fsType = "zfs";
+            };
+          };
         };
-        systemd.services.samba-smbd.serviceConfig.ExecStartPre =
-          "${pkgs.coreutils}/bin/mkdir -m +t -p ${usersharePath}";
 
-        environment.systemPackages = [ pkgs.parted ];
+        specialisation.encryption.configuration = {
+          boot.zfs.requestEncryptionCredentials = [ "automatic" ];
+          virtualisation.fileSystems."/automatic" = {
+            device = "automatic";
+            fsType = "zfs";
+          };
+          virtualisation.fileSystems."/manual" = {
+            device = "manual";
+            fsType = "zfs";
+          };
+          virtualisation.fileSystems."/manual/encrypted" = {
+            device = "manual/encrypted";
+            fsType = "zfs";
+            options = [ "noauto" ];
+          };
+        };
 
-        # Setup regular fileSystems machinery to ensure forceImportAll can be
-        # tested via the regular service units.
-        virtualisation.fileSystems = {
-          "/forcepool" = {
+        specialisation.forcepool.configuration = {
+          systemd.services.zfs-import-forcepool.wantedBy = lib.mkVMOverride [ "forcepool.mount" ];
+          systemd.targets.zfs.wantedBy = lib.mkVMOverride [];
+          boot.zfs.forceImportAll = true;
+          virtualisation.fileSystems."/forcepool" = {
             device = "forcepool";
             fsType = "zfs";
             options = [ "noauto" ];
           };
         };
-
-        # forcepool doesn't exist at first boot, and we need to manually test
-        # the import after tweaking the hostId.
-        systemd.services.zfs-import-forcepool.wantedBy = lib.mkVMOverride [];
-        systemd.targets.zfs.wantedBy = lib.mkVMOverride [];
-        boot.zfs.forceImportAll = true;
-        # /dev/disk/by-id doesn't get populated in the NixOS test framework
-        boot.zfs.devNodes = "/dev/disk/by-uuid";
       };
 
       testScript = ''
+        machine.wait_for_unit("multi-user.target")
         machine.succeed(
-            "modprobe zfs",
             "zpool status",
-            "ls /dev",
-            "mkdir /tmp/mnt",
-            "udevadm settle",
-            "parted --script /dev/vdb mklabel msdos",
-            "parted --script /dev/vdb -- mkpart primary 1024M -1s",
-            "udevadm settle",
-            "zpool create rpool /dev/vdb1",
-            "zfs create -o mountpoint=legacy rpool/root",
-            # shared datasets cannot have legacy mountpoint
-            "zfs create rpool/shared_smb",
-            "mount -t zfs rpool/root /tmp/mnt",
-            "udevadm settle",
-            # wait for samba services
-            "systemctl is-system-running --wait",
-            "zfs set sharesmb=on rpool/shared_smb",
-            "zfs share rpool/shared_smb",
-            "smbclient -gNL localhost | grep rpool_shared_smb",
-            "umount /tmp/mnt",
-            "zpool destroy rpool",
-            "udevadm settle",
+            "parted --script /dev/vdc mklabel msdos",
+            "parted --script /dev/vdc -- mkpart primary 1024M -1s",
+            "parted --script /dev/vdd mklabel msdos",
+            "parted --script /dev/vdd -- mkpart primary 1024M -1s",
         )
 
-        machine.succeed(
-            'echo password | zpool create -o altroot="/tmp/mnt" '
-            + "-O encryption=aes-256-gcm -O keyformat=passphrase rpool /dev/vdb1",
-            "zfs create -o mountpoint=legacy rpool/root",
-            "mount -t zfs rpool/root /tmp/mnt",
-            "udevadm settle",
-            "umount /tmp/mnt",
-            "zpool destroy rpool",
-            "udevadm settle",
-        )
+        with subtest("sharesmb works"):
+            machine.succeed(
+                "zpool create rpool /dev/vdc1",
+                "zfs create -o mountpoint=legacy rpool/root",
+                # shared datasets cannot have legacy mountpoint
+                "zfs create rpool/shared_smb",
+                "bootctl set-default nixos-generation-1-specialisation-samba.conf",
+                "sync",
+            )
+            machine.crash()
+            machine.wait_for_unit("multi-user.target")
+            machine.succeed(
+                "zfs set sharesmb=on rpool/shared_smb",
+                "zfs share rpool/shared_smb",
+                "smbclient -gNL localhost | grep rpool_shared_smb",
+                "umount /tmp/mnt",
+                "zpool destroy rpool",
+            )
+
+        with subtest("encryption works"):
+            machine.succeed(
+                'echo password | zpool create -O mountpoint=legacy '
+                + "-O encryption=aes-256-gcm -O keyformat=passphrase automatic /dev/vdc1",
+                "zpool create -O mountpoint=legacy manual /dev/vdd1",
+                "echo otherpass | zfs create "
+                + "-o encryption=aes-256-gcm -o keyformat=passphrase manual/encrypted",
+                "bootctl set-default nixos-generation-1-specialisation-encryption.conf",
+                "sync",
+                "zpool export automatic",
+                "zpool export manual",
+            )
+            machine.crash()
+            machine.start()
+            machine.wait_for_console_text("Starting password query on")
+            machine.send_console("password\n")
+            machine.wait_for_unit("multi-user.target")
+            machine.succeed(
+                "zfs get keystatus manual/encrypted | grep unavailable",
+                "echo otherpass | zfs load-key manual/encrypted",
+                "systemctl start manual-encrypted.mount",
+                "umount /automatic /manual/encrypted /manual",
+                "zpool destroy automatic",
+                "zpool destroy manual",
+            )
 
         with subtest("boot.zfs.forceImportAll works"):
             machine.succeed(
                 "rm /etc/hostid",
                 "zgenhostid deadcafe",
-                "zpool create forcepool /dev/vdb1 -O mountpoint=legacy",
+                "zpool create forcepool /dev/vdc1 -O mountpoint=legacy",
+                "bootctl set-default nixos-generation-1-specialisation-forcepool.conf",
+                "rm /etc/hostid",
+                "sync",
             )
-            machine.shutdown()
-            machine.start()
-            machine.succeed("udevadm settle")
+            machine.crash()
+            machine.wait_for_unit("multi-user.target")
             machine.fail("zpool import forcepool")
             machine.succeed(
-                "systemctl start zfs-import-forcepool.service",
-                "mount -t zfs forcepool /tmp/mnt",
+                "systemctl start forcepool.mount",
+                "mount | grep forcepool",
             )
       '' + extraTest;