aland/nixpkgs-odroid-hc4
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

uboot: (firmwareOdroidC2/C4) don't invoke patch tool, use patches = [] instead

Browse source 
https://github.com/NixOS/nixpkgs/blob/master/pkgs/stdenv/generic/setup.sh#L948
this can do it nicely.

Signed-off-by: Anton Arapov <anton@deadbeef.mx>
This commit is contained in:
Anton Arapov 2021-04-03 12:58:10 +02:00 committed by Alan Daniels
commit 56de2bcd43
30691 changed files with 3076956 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

25
nixos/modules/config/appstream.nix Normal file
View file

@ -0,0 +1,25 @@
{ config, lib, ... }:
with lib;
{
options = {
appstream.enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether to install files to support the
<link xlink:href="https://www.freedesktop.org/software/appstream/docs/index.html">AppStream metadata specification</link>.
'';
};
};
config = mkIf config.appstream.enable {
environment.pathsToLink = [
# per component metadata
"/share/metainfo"
# legacy path for above
"/share/appdata"
];
};
}

217
nixos/modules/config/console.nix Normal file
View file

@ -0,0 +1,217 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.console;
makeColor = i: concatMapStringsSep "," (x: "0x" + substring (2*i) 2 x);
isUnicode = hasSuffix "UTF-8" (toUpper config.i18n.defaultLocale);
optimizedKeymap = pkgs.runCommand "keymap" {
nativeBuildInputs = [ pkgs.buildPackages.kbd ];
LOADKEYS_KEYMAP_PATH = "${consoleEnv pkgs.kbd}/share/keymaps/**";
preferLocalBuild = true;
} ''
loadkeys -b ${optionalString isUnicode "-u"} "${cfg.keyMap}" > $out
'';
# Sadly, systemd-vconsole-setup doesn't support binary keymaps.
vconsoleConf = pkgs.writeText "vconsole.conf" ''
KEYMAP=${cfg.keyMap}
FONT=${cfg.font}
'';
consoleEnv = kbd: pkgs.buildEnv {
name = "console-env";
paths = [ kbd ] ++ cfg.packages;
pathsToLink = [
"/share/consolefonts"
"/share/consoletrans"
"/share/keymaps"
"/share/unimaps"
];
};
setVconsole = !config.boot.isContainer;
in
{
###### interface
options.console = {
font = mkOption {
type = with types; either str path;
default = "Lat2-Terminus16";
example = "LatArCyrHeb-16";
description = ''
The font used for the virtual consoles. Leave empty to use
whatever the <command>setfont</command> program considers the
default font.
Can be either a font name or a path to a PSF font file.
'';
};
keyMap = mkOption {
type = with types; either str path;
default = "us";
example = "fr";
description = ''
The keyboard mapping table for the virtual consoles.
'';
};
colors = mkOption {
type = types.listOf types.str;
default = [];
example = [
"002b36" "dc322f" "859900" "b58900"
"268bd2" "d33682" "2aa198" "eee8d5"
"002b36" "cb4b16" "586e75" "657b83"
"839496" "6c71c4" "93a1a1" "fdf6e3"
];
description = ''
The 16 colors palette used by the virtual consoles.
Leave empty to use the default colors.
Colors must be in hexadecimal format and listed in
order from color 0 to color 15.
'';
};
packages = mkOption {
type = types.listOf types.package;
default = [ ];
description = ''
List of additional packages that provide console fonts, keymaps and
other resources for virtual consoles use.
'';
};
useXkbConfig = mkOption {
type = types.bool;
default = false;
description = ''
If set, configure the virtual console keymap from the xserver
keyboard settings.
'';
};
earlySetup = mkOption {
default = false;
type = types.bool;
description = ''
Enable setting virtual console options as early as possible (in initrd).
'';
};
};
###### implementation
config = mkMerge [
{ console.keyMap = with config.services.xserver;
mkIf cfg.useXkbConfig
(pkgs.runCommand "xkb-console-keymap" { preferLocalBuild = true; } ''
'${pkgs.buildPackages.ckbcomp}/bin/ckbcomp' \
${optionalString (config.environment.sessionVariables ? XKB_CONFIG_ROOT)
"-I${config.environment.sessionVariables.XKB_CONFIG_ROOT}"
} \
-model '${xkbModel}' -layout '${layout}' \
-option '${xkbOptions}' -variant '${xkbVariant}' > "$out"
'');
}
(mkIf (!setVconsole) {
systemd.services.systemd-vconsole-setup.enable = false;
})
(mkIf setVconsole (mkMerge [
{ environment.systemPackages = [ pkgs.kbd ];
# Let systemd-vconsole-setup.service do the work of setting up the
# virtual consoles.
environment.etc."vconsole.conf".source = vconsoleConf;
# Provide kbd with additional packages.
environment.etc.kbd.source = "${consoleEnv pkgs.kbd}/share";
boot.initrd.preLVMCommands = mkIf (!config.boot.initrd.systemd.enable) (mkBefore ''
kbd_mode ${if isUnicode then "-u" else "-a"} -C /dev/console
printf "\033%%${if isUnicode then "G" else "@"}" >> /dev/console
loadkmap < ${optimizedKeymap}
${optionalString cfg.earlySetup ''
setfont -C /dev/console $extraUtils/share/consolefonts/font.psf
''}
'');
boot.initrd.systemd.contents = {
"/etc/vconsole.conf".source = vconsoleConf;
# Add everything if we want full console setup...
"/etc/kbd" = lib.mkIf cfg.earlySetup { source = "${consoleEnv config.boot.initrd.systemd.package.kbd}/share"; };
# ...but only the keymaps if we don't
"/etc/kbd/keymaps" = lib.mkIf (!cfg.earlySetup) { source = "${consoleEnv config.boot.initrd.systemd.package.kbd}/share/keymaps"; };
};
boot.initrd.systemd.storePaths = [
"${config.boot.initrd.systemd.package}/lib/systemd/systemd-vconsole-setup"
"${config.boot.initrd.systemd.package.kbd}/bin/setfont"
"${config.boot.initrd.systemd.package.kbd}/bin/loadkeys"
"${config.boot.initrd.systemd.package.kbd.gzip}/bin/gzip" # keyboard layouts are compressed
];
systemd.services.reload-systemd-vconsole-setup =
{ description = "Reset console on configuration changes";
wantedBy = [ "multi-user.target" ];
restartTriggers = [ vconsoleConf (consoleEnv pkgs.kbd) ];
reloadIfChanged = true;
serviceConfig =
{ RemainAfterExit = true;
ExecStart = "${pkgs.coreutils}/bin/true";
ExecReload = "/run/current-system/systemd/bin/systemctl restart systemd-vconsole-setup";
};
};
}
(mkIf (cfg.colors != []) {
boot.kernelParams = [
"vt.default_red=${makeColor 0 cfg.colors}"
"vt.default_grn=${makeColor 1 cfg.colors}"
"vt.default_blu=${makeColor 2 cfg.colors}"
];
})
(mkIf (cfg.earlySetup && !config.boot.initrd.systemd.enable) {
boot.initrd.extraUtilsCommands = ''
mkdir -p $out/share/consolefonts
${if substring 0 1 cfg.font == "/" then ''
font="${cfg.font}"
'' else ''
font="$(echo ${consoleEnv pkgs.kbd}/share/consolefonts/${cfg.font}.*)"
''}
if [[ $font == *.gz ]]; then
gzip -cd $font > $out/share/consolefonts/font.psf
else
cp -L $font $out/share/consolefonts/font.psf
fi
'';
})
]))
];
imports = [
(mkRenamedOptionModule [ "i18n" "consoleFont" ] [ "console" "font" ])
(mkRenamedOptionModule [ "i18n" "consoleKeyMap" ] [ "console" "keyMap" ])
(mkRenamedOptionModule [ "i18n" "consoleColors" ] [ "console" "colors" ])
(mkRenamedOptionModule [ "i18n" "consolePackages" ] [ "console" "packages" ])
(mkRenamedOptionModule [ "i18n" "consoleUseXkbConfig" ] [ "console" "useXkbConfig" ])
(mkRenamedOptionModule [ "boot" "earlyVconsoleSetup" ] [ "console" "earlySetup" ])
(mkRenamedOptionModule [ "boot" "extraTTYs" ] [ "console" "extraTTYs" ])
(mkRemovedOptionModule [ "console" "extraTTYs" ] ''
Since NixOS switched to systemd (circa 2012), TTYs have been spawned on
demand, so there is no need to configure them manually.
'')
];
}

45
nixos/modules/config/debug-info.nix Normal file
View file

@ -0,0 +1,45 @@
{ config, lib, ... }:
with lib;
{
options = {
environment.enableDebugInfo = mkOption {
type = types.bool;
default = false;
description = ''
Some NixOS packages provide debug symbols. However, these are
not included in the system closure by default to save disk
space. Enabling this option causes the debug symbols to appear
in <filename>/run/current-system/sw/lib/debug/.build-id</filename>,
where tools such as <command>gdb</command> can find them.
If you need debug symbols for a package that doesn't
provide them by default, you can enable them as follows:
<programlisting>
nixpkgs.config.packageOverrides = pkgs: {
hello = pkgs.hello.overrideAttrs (oldAttrs: {
separateDebugInfo = true;
});
};
</programlisting>
'';
};
};
config = mkIf config.environment.enableDebugInfo {
# FIXME: currently disabled because /lib is already in
# environment.pathsToLink, and we can't have both.
#environment.pathsToLink = [ "/lib/debug/.build-id" ];
environment.extraOutputsToInstall = [ "debug" ];
environment.variables.NIX_DEBUG_INFO_DIRS = [ "/run/current-system/sw/lib/debug" ];
};
}

475
nixos/modules/config/fonts/fontconfig.nix Normal file
View file

@ -0,0 +1,475 @@
/*
Configuration files are linked to /etc/fonts/conf.d/
This module generates a package containing configuration files and link it in /etc/fonts.
Fontconfig reads files in folder name / file name order, so the number prepended to the configuration file name decide the order of parsing.
Low number means high priority.
*/
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.fonts.fontconfig;
fcBool = x: "<bool>" + (boolToString x) + "</bool>";
pkg = pkgs.fontconfig;
# configuration file to read fontconfig cache
# priority 0
cacheConf = makeCacheConf {};
# generate the font cache setting file
# When cross-compiling, we cant generate the cache, so we skip the
# <cachedir> part. fontconfig still works but is a little slower in
# looking things up.
makeCacheConf = { }:
let
makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
cache = makeCache pkgs.fontconfig;
cache32 = makeCache pkgs.pkgsi686Linux.fontconfig;
in
pkgs.writeText "fc-00-nixos-cache.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'urn:fontconfig:fonts.dtd'>
<fontconfig>
<!-- Font directories -->
${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
${optionalString (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) ''
<!-- Pre-generated font caches -->
<cachedir>${cache}</cachedir>
${optionalString (pkgs.stdenv.isx86_64 && cfg.cache32Bit) ''
<cachedir>${cache32}</cachedir>
''}
''}
</fontconfig>
'';
# rendering settings configuration file
# priority 10
renderConf = pkgs.writeText "fc-10-nixos-rendering.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'urn:fontconfig:fonts.dtd'>
<fontconfig>
<!-- Default rendering settings -->
<match target="pattern">
<edit mode="append" name="hinting">
${fcBool cfg.hinting.enable}
</edit>
<edit mode="append" name="autohint">
${fcBool cfg.hinting.autohint}
</edit>
<edit mode="append" name="hintstyle">
<const>hintslight</const>
</edit>
<edit mode="append" name="antialias">
${fcBool cfg.antialias}
</edit>
<edit mode="append" name="rgba">
<const>${cfg.subpixel.rgba}</const>
</edit>
<edit mode="append" name="lcdfilter">
<const>lcd${cfg.subpixel.lcdfilter}</const>
</edit>
</match>
</fontconfig>
'';
# local configuration file
localConf = pkgs.writeText "fc-local.conf" cfg.localConf;
# default fonts configuration file
# priority 52
defaultFontsConf =
let genDefault = fonts: name:
optionalString (fonts != []) ''
<alias binding="same">
<family>${name}</family>
<prefer>
${concatStringsSep ""
(map (font: ''
<family>${font}</family>
'') fonts)}
</prefer>
</alias>
'';
in
pkgs.writeText "fc-52-nixos-default-fonts.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'urn:fontconfig:fonts.dtd'>
<fontconfig>
<!-- Default fonts -->
${genDefault cfg.defaultFonts.sansSerif "sans-serif"}
${genDefault cfg.defaultFonts.serif "serif"}
${genDefault cfg.defaultFonts.monospace "monospace"}
${genDefault cfg.defaultFonts.emoji "emoji"}
</fontconfig>
'';
# bitmap font options
# priority 53
rejectBitmaps = pkgs.writeText "fc-53-no-bitmaps.conf" ''
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "urn:fontconfig:fonts.dtd">
<fontconfig>
${optionalString (!cfg.allowBitmaps) ''
<!-- Reject bitmap fonts -->
<selectfont>
<rejectfont>
<pattern>
<patelt name="scalable"><bool>false</bool></patelt>
</pattern>
</rejectfont>
</selectfont>
''}
<!-- Use embedded bitmaps in fonts like Calibri? -->
<match target="font">
<edit name="embeddedbitmap" mode="assign">
${fcBool cfg.useEmbeddedBitmaps}
</edit>
</match>
</fontconfig>
'';
# reject Type 1 fonts
# priority 53
rejectType1 = pkgs.writeText "fc-53-nixos-reject-type1.conf" ''
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "urn:fontconfig:fonts.dtd">
<fontconfig>
<!-- Reject Type 1 fonts -->
<selectfont>
<rejectfont>
<pattern>
<patelt name="fontformat"><string>Type 1</string></patelt>
</pattern>
</rejectfont>
</selectfont>
</fontconfig>
'';
# fontconfig configuration package
confPkg = pkgs.runCommand "fontconfig-conf" {
preferLocalBuild = true;
} ''
dst=$out/etc/fonts/conf.d
mkdir -p $dst
# fonts.conf
ln -s ${pkg.out}/etc/fonts/fonts.conf \
$dst/../fonts.conf
# TODO: remove this legacy symlink once people stop using packages built before #95358 was merged
mkdir -p $out/etc/fonts/2.11
ln -s /etc/fonts/fonts.conf \
$out/etc/fonts/2.11/fonts.conf
# fontconfig default config files
ln -s ${pkg.out}/etc/fonts/conf.d/*.conf \
$dst/
# 00-nixos-cache.conf
ln -s ${cacheConf} $dst/00-nixos-cache.conf
# 10-nixos-rendering.conf
ln -s ${renderConf} $dst/10-nixos-rendering.conf
# 50-user.conf
${optionalString (!cfg.includeUserConf) ''
rm $dst/50-user.conf
''}
# local.conf (indirect priority 51)
${optionalString (cfg.localConf != "") ''
ln -s ${localConf} $dst/../local.conf
''}
# 52-nixos-default-fonts.conf
ln -s ${defaultFontsConf} $dst/52-nixos-default-fonts.conf
# 53-no-bitmaps.conf
ln -s ${rejectBitmaps} $dst/53-no-bitmaps.conf
${optionalString (!cfg.allowType1) ''
# 53-nixos-reject-type1.conf
ln -s ${rejectType1} $dst/53-nixos-reject-type1.conf
''}
'';
# Package with configuration files
# this merge all the packages in the fonts.fontconfig.confPackages list
fontconfigEtc = pkgs.buildEnv {
name = "fontconfig-etc";
paths = cfg.confPackages;
ignoreCollisions = true;
};
in
{
imports = [
(mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowBitmaps" ] [ "fonts" "fontconfig" "allowBitmaps" ])
(mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowType1" ] [ "fonts" "fontconfig" "allowType1" ])
(mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "useEmbeddedBitmaps" ] [ "fonts" "fontconfig" "useEmbeddedBitmaps" ])
(mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "fonts" "fontconfig" "forceAutohint" ])
(mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ])
(mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "")
(mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "")
(mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "")
(mkRemovedOptionModule [ "fonts" "fontconfig" "dpi" ] "Use display server-specific options")
] ++ lib.forEach [ "enable" "substitutions" "preset" ]
(opt: lib.mkRemovedOptionModule [ "fonts" "fontconfig" "ultimate" "${opt}" ] ''
The fonts.fontconfig.ultimate module and configuration is obsolete.
The repository has since been archived and activity has ceased.
https://github.com/bohoomil/fontconfig-ultimate/issues/171.
No action should be needed for font configuration, as the fonts.fontconfig
module is already used by default.
'');
options = {
fonts = {
fontconfig = {
enable = mkOption {
type = types.bool;
default = true;
description = ''
If enabled, a Fontconfig configuration file will be built
pointing to a set of default fonts. If you don't care about
running X11 applications or any other program that uses
Fontconfig, you can turn this option off and prevent a
dependency on all those fonts.
'';
};
confPackages = mkOption {
internal = true;
type = with types; listOf path;
default = [ ];
description = ''
Fontconfig configuration packages.
'';
};
antialias = mkOption {
type = types.bool;
default = true;
description = ''
Enable font antialiasing. At high resolution (> 200 DPI),
antialiasing has no visible effect; users of such displays may want
to disable this option.
'';
};
localConf = mkOption {
type = types.lines;
default = "";
description = ''
System-wide customization file contents, has higher priority than
<literal>defaultFonts</literal> settings.
'';
};
defaultFonts = {
monospace = mkOption {
type = types.listOf types.str;
default = ["DejaVu Sans Mono"];
description = ''
System-wide default monospace font(s). Multiple fonts may be
listed in case multiple languages must be supported.
'';
};
sansSerif = mkOption {
type = types.listOf types.str;
default = ["DejaVu Sans"];
description = ''
System-wide default sans serif font(s). Multiple fonts may be
listed in case multiple languages must be supported.
'';
};
serif = mkOption {
type = types.listOf types.str;
default = ["DejaVu Serif"];
description = ''
System-wide default serif font(s). Multiple fonts may be listed
in case multiple languages must be supported.
'';
};
emoji = mkOption {
type = types.listOf types.str;
default = ["Noto Color Emoji"];
description = ''
System-wide default emoji font(s). Multiple fonts may be listed
in case a font does not support all emoji.
Note that fontconfig matches color emoji fonts preferentially,
so if you want to use a black and white font while having
a color font installed (eg. Noto Color Emoji installed alongside
Noto Emoji), fontconfig will still choose the color font even
when it is later in the list.
'';
};
};
hinting = {
enable = mkOption {
type = types.bool;
default = true;
description = ''
Enable font hinting. Hinting aligns glyphs to pixel boundaries to
improve rendering sharpness at low resolution. At high resolution
(> 200 dpi) hinting will do nothing (at best); users of such
displays may want to disable this option.
'';
};
autohint = mkOption {
type = types.bool;
default = false;
description = ''
Enable the autohinter in place of the default interpreter.
The results are usually lower quality than correctly-hinted
fonts, but better than unhinted fonts.
'';
};
};
includeUserConf = mkOption {
type = types.bool;
default = true;
description = ''
Include the user configuration from
<filename>~/.config/fontconfig/fonts.conf</filename> or
<filename>~/.config/fontconfig/conf.d</filename>.
'';
};
subpixel = {
rgba = mkOption {
default = "rgb";
type = types.enum ["rgb" "bgr" "vrgb" "vbgr" "none"];
description = ''
Subpixel order. The overwhelming majority of displays are
<literal>rgb</literal> in their normal orientation. Select
<literal>vrgb</literal> for mounting such a display 90 degrees
clockwise from its normal orientation or <literal>vbgr</literal>
for mounting 90 degrees counter-clockwise. Select
<literal>bgr</literal> in the unlikely event of mounting 180
degrees from the normal orientation. Reverse these directions in
the improbable event that the display's native subpixel order is
<literal>bgr</literal>.
'';
};
lcdfilter = mkOption {
default = "default";
type = types.enum ["none" "default" "light" "legacy"];
description = ''
FreeType LCD filter. At high resolution (> 200 DPI), LCD filtering
has no visible effect; users of such displays may want to select
<literal>none</literal>.
'';
};
};
cache32Bit = mkOption {
default = false;
type = types.bool;
description = ''
Generate system fonts cache for 32-bit applications.
'';
};
allowBitmaps = mkOption {
type = types.bool;
default = true;
description = ''
Allow bitmap fonts. Set to <literal>false</literal> to ban all
bitmap fonts.
'';
};
allowType1 = mkOption {
type = types.bool;
default = false;
description = ''
Allow Type-1 fonts. Default is <literal>false</literal> because of
poor rendering.
'';
};
useEmbeddedBitmaps = mkOption {
type = types.bool;
default = false;
description = "Use embedded bitmaps in fonts like Calibri.";
};
};
};
};
config = mkMerge [
(mkIf cfg.enable {
environment.systemPackages = [ pkgs.fontconfig ];
environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/";
security.apparmor.includes."abstractions/fonts" = ''
# fonts.conf
r ${pkg.out}/etc/fonts/fonts.conf,
# fontconfig default config files
r ${pkg.out}/etc/fonts/conf.d/*.conf,
# 00-nixos-cache.conf
r ${cacheConf},
# 10-nixos-rendering.conf
r ${renderConf},
# 50-user.conf
${optionalString cfg.includeUserConf ''
r ${pkg.out}/etc/fonts/conf.d.bak/50-user.conf,
''}
# local.conf (indirect priority 51)
${optionalString (cfg.localConf != "") ''
r ${localConf},
''}
# 52-nixos-default-fonts.conf
r ${defaultFontsConf},
# 53-no-bitmaps.conf
r ${rejectBitmaps},
${optionalString (!cfg.allowType1) ''
# 53-nixos-reject-type1.conf
r ${rejectType1},
''}
'';
})
(mkIf cfg.enable {
fonts.fontconfig.confPackages = [ confPkg ];
})
];
}

67
nixos/modules/config/fonts/fontdir.nix Normal file
View file

@ -0,0 +1,67 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.fonts.fontDir;
x11Fonts = pkgs.runCommand "X11-fonts" { preferLocalBuild = true; } ''
mkdir -p "$out/share/X11/fonts"
font_regexp='.*\.\(ttf\|ttc\|otf\|pcf\|pfa\|pfb\|bdf\)\(\.gz\)?'
find ${toString config.fonts.fonts} -regex "$font_regexp" \
-exec ln -sf -t "$out/share/X11/fonts" '{}' \;
cd "$out/share/X11/fonts"
${optionalString cfg.decompressFonts ''
${pkgs.gzip}/bin/gunzip -f *.gz
''}
${pkgs.xorg.mkfontscale}/bin/mkfontscale
${pkgs.xorg.mkfontdir}/bin/mkfontdir
cat $(find ${pkgs.xorg.fontalias}/ -name fonts.alias) >fonts.alias
'';
in
{
options = {
fonts.fontDir = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to create a directory with links to all fonts in
<filename>/run/current-system/sw/share/X11/fonts</filename>.
'';
};
decompressFonts = mkOption {
type = types.bool;
default = config.programs.xwayland.enable;
defaultText = literalExpression "config.programs.xwayland.enable";
description = ''
Whether to decompress fonts in
<filename>/run/current-system/sw/share/X11/fonts</filename>.
'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ x11Fonts ];
environment.pathsToLink = [ "/share/X11/fonts" ];
services.xserver.filesSection = ''
FontPath "${x11Fonts}/share/X11/fonts"
'';
};
imports = [
(mkRenamedOptionModule [ "fonts" "enableFontDir" ] [ "fonts" "fontDir" "enable" ])
];
}

81
nixos/modules/config/fonts/fonts.nix Normal file
View file

@ -0,0 +1,81 @@
{ config, lib, pkgs, ... }:
with lib;
let
# A scalable variant of the X11 "core" cursor
#
# If not running a fancy desktop environment, the cursor is likely set to
# the default `cursor.pcf` bitmap font. This is 17px wide, so it's very
# small and almost invisible on 4K displays.
fontcursormisc_hidpi = pkgs.xorg.fontxfree86type1.overrideAttrs (old:
let
# The scaling constant is 230/96: the scalable `left_ptr` glyph at
# about 23 points is rendered as 17px, on a 96dpi display.
# Note: the XLFD font size is in decipoints.
size = 2.39583 * config.services.xserver.dpi;
sizeString = builtins.head (builtins.split "\\." (toString size));
in
{
postInstall = ''
alias='cursor -xfree86-cursor-medium-r-normal--0-${sizeString}-0-0-p-0-adobe-fontspecific'
echo "$alias" > $out/lib/X11/fonts/Type1/fonts.alias
'';
});
hasHidpi =
config.hardware.video.hidpi.enable &&
config.services.xserver.dpi != null;
defaultFonts =
[ pkgs.dejavu_fonts
pkgs.freefont_ttf
pkgs.gyre-fonts # TrueType substitutes for standard PostScript fonts
pkgs.liberation_ttf
pkgs.unifont
pkgs.noto-fonts-emoji
];
defaultXFonts =
[ (if hasHidpi then fontcursormisc_hidpi else pkgs.xorg.fontcursormisc)
pkgs.xorg.fontmiscmisc
];
in
{
imports = [
(mkRemovedOptionModule [ "fonts" "enableCoreFonts" ] "Use fonts.fonts = [ pkgs.corefonts ]; instead.")
];
options = {
fonts = {
# TODO: find another name for it.
fonts = mkOption {
type = types.listOf types.path;
default = [];
example = literalExpression "[ pkgs.dejavu_fonts ]";
description = "List of primary font paths.";
};
enableDefaultFonts = mkOption {
type = types.bool;
default = false;
description = ''
Enable a basic set of fonts providing several font styles
and families and reasonable coverage of Unicode.
'';
};
};
};
config = mkMerge [
{ fonts.fonts = mkIf config.fonts.enableDefaultFonts defaultFonts; }
{ fonts.fonts = mkIf config.services.xserver.enable defaultXFonts; }
];
}

33
nixos/modules/config/fonts/ghostscript.nix Normal file
View file

@ -0,0 +1,33 @@
{ config, lib, pkgs, ... }:
with lib;
{
options = {
fonts = {
enableGhostscriptFonts = mkOption {
type = types.bool;
default = false;
description = ''
Whether to add the fonts provided by Ghostscript (such as
various URW fonts and the Base-14 Postscript fonts) to the
list of system fonts, making them available to X11
applications.
'';
};
};
};
config = mkIf config.fonts.enableGhostscriptFonts {
fonts.fonts = [ "${pkgs.ghostscript}/share/ghostscript/fonts" ];
};
}

44
nixos/modules/config/gnu.nix Normal file
View file

@ -0,0 +1,44 @@
{ config, lib, pkgs, ... }:
{
options = {
gnu = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
When enabled, GNU software is chosen by default whenever a there is
a choice between GNU and non-GNU software (e.g., GNU lsh
vs. OpenSSH).
'';
};
};
config = lib.mkIf config.gnu {
environment.systemPackages = with pkgs;
# TODO: Adjust `requiredPackages' from `system-path.nix'.
# TODO: Add Inetutils once it has the new `ifconfig'.
[ parted
#fdisk # XXX: GNU fdisk currently fails to build and it's redundant
# with the `parted' command.
nano zile
texinfo # for the stand-alone Info reader
]
++ lib.optional (!stdenv.isAarch32) grub2;
# GNU GRUB, where available.
boot.loader.grub.enable = !pkgs.stdenv.isAarch32;
boot.loader.grub.version = 2;
# GNU lsh.
services.openssh.enable = false;
services.lshd.enable = true;
programs.ssh.startAgent = false;
services.xserver.startGnuPGAgent = true;
# TODO: GNU dico.
# TODO: GNU Inetutils' inetd.
# TODO: GNU Pies.
};
}

87
nixos/modules/config/gtk/gtk-icon-cache.nix Normal file
View file

@ -0,0 +1,87 @@
{ config, lib, pkgs, ... }:
with lib;
{
options = {
gtk.iconCache.enable = mkOption {
type = types.bool;
default = config.services.xserver.enable;
defaultText = literalExpression "config.services.xserver.enable";
description = ''
Whether to build icon theme caches for GTK applications.
'';
};
};
config = mkIf config.gtk.iconCache.enable {
# (Re)build icon theme caches
# ---------------------------
# Each icon theme has its own cache. The difficult is that many
# packages may contribute with icons to the same theme by installing
# some icons.
#
# For instance, on my current NixOS system, the following packages
# (among many others) have icons installed into the hicolor icon
# theme: hicolor-icon-theme, psensor, wpa_gui, caja, etc.
#
# As another example, the mate icon theme has icons installed by the
# packages mate-icon-theme, mate-settings-daemon, and libmateweather.
#
# The HighContrast icon theme also has icons from different packages,
# like gnome-theme-extras and meld.
# When the cache is built all of its icons has to be known. How to
# implement this?
#
# I think that most themes have all icons installed by only one
# package. On my system there are 71 themes installed. Only 3 of them
# have icons installed from more than one package.
#
# If the main package of the theme provides a cache, presumably most
# of its icons will be available to applications without running this
# module. But additional icons offered by other packages will not be
# available. Therefore I think that it is good that the main theme
# package installs a cache (although it does not completely fixes the
# situation for packages installed with nix-env).
#
# The module solution presented here keeps the cache when there is
# only one package contributing with icons to the theme. Otherwise it
# rebuilds the cache taking into account the icons provided all
# packages.
environment.extraSetup = ''
# For each icon theme directory ...
find $out/share/icons -mindepth 1 -maxdepth 1 -print0 | while read -d $'\0' themedir
do
# In order to build the cache, the theme dir should be
# writable. When the theme dir is a symbolic link to somewhere
# in the nix store it is not writable and it means that only
# one package is contributing to the theme. If it already has
# a cache, no rebuild is needed. Otherwise a cache has to be
# built, and to be able to do that we first remove the
# symbolic link and make a directory, and then make symbolic
# links from the original directory into the new one.
if [ ! -w "$themedir" -a -L "$themedir" -a ! -r "$themedir"/icon-theme.cache ]; then
name=$(basename "$themedir")
path=$(readlink -f "$themedir")
rm "$themedir"
mkdir -p "$themedir"
ln -s "$path"/* "$themedir"/
fi
# (Re)build the cache if the theme dir is writable, replacing any
# existing cache for the theme
if [ -w "$themedir" ]; then
rm -f "$themedir"/icon-theme.cache
${pkgs.buildPackages.gtk3.out}/bin/gtk-update-icon-cache --ignore-theme-index "$themedir"
fi
done
'';
};
}

97
nixos/modules/config/i18n.nix Normal file
View file

@ -0,0 +1,97 @@
{ config, lib, pkgs, ... }:
with lib;
{
###### interface
options = {
i18n = {
glibcLocales = mkOption {
type = types.path;
default = pkgs.buildPackages.glibcLocales.override {
allLocales = any (x: x == "all") config.i18n.supportedLocales;
locales = config.i18n.supportedLocales;
};
defaultText = literalExpression ''
pkgs.buildPackages.glibcLocales.override {
allLocales = any (x: x == "all") config.i18n.supportedLocales;
locales = config.i18n.supportedLocales;
}
'';
example = literalExpression "pkgs.glibcLocales";
description = ''
Customized pkg.glibcLocales package.
Changing this option can disable handling of i18n.defaultLocale
and supportedLocale.
'';
};
defaultLocale = mkOption {
type = types.str;
default = "en_US.UTF-8";
example = "nl_NL.UTF-8";
description = ''
The default locale. It determines the language for program
messages, the format for dates and times, sort order, and so on.
It also determines the character set, such as UTF-8.
'';
};
extraLocaleSettings = mkOption {
type = types.attrsOf types.str;
default = {};
example = { LC_MESSAGES = "en_US.UTF-8"; LC_TIME = "de_DE.UTF-8"; };
description = ''
A set of additional system-wide locale settings other than
<literal>LANG</literal> which can be configured with
<option>i18n.defaultLocale</option>.
'';
};
supportedLocales = mkOption {
type = types.listOf types.str;
default = ["all"];
example = ["en_US.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "nl_NL/ISO-8859-1"];
description = ''
List of locales that the system should support. The value
<literal>"all"</literal> means that all locales supported by
Glibc will be installed. A full list of supported locales
can be found at <link
xlink:href="https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED"/>.
'';
};
};
};
###### implementation
config = {
environment.systemPackages =
# We increase the priority a little, so that plain glibc in systemPackages can't win.
optional (config.i18n.supportedLocales != []) (lib.setPrio (-1) config.i18n.glibcLocales);
environment.sessionVariables =
{ LANG = config.i18n.defaultLocale;
LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
} // config.i18n.extraLocaleSettings;
systemd.globalEnvironment = mkIf (config.i18n.supportedLocales != []) {
LOCALE_ARCHIVE = "${config.i18n.glibcLocales}/lib/locale/locale-archive";
};
# /etc/locale.conf is used by systemd.
environment.etc."locale.conf".source = pkgs.writeText "locale.conf"
''
LANG=${config.i18n.defaultLocale}
${concatStringsSep "\n" (mapAttrsToList (n: v: "${n}=${v}") config.i18n.extraLocaleSettings)}
'';
};
}

32
nixos/modules/config/iproute2.nix Normal file
View file

@ -0,0 +1,32 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.networking.iproute2;
in
{
options.networking.iproute2 = {
enable = mkEnableOption "copy IP route configuration files";
rttablesExtraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Verbatim lines to add to /etc/iproute2/rt_tables
'';
};
};
config = mkIf cfg.enable {
environment.etc."iproute2/bpf_pinning" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/bpf_pinning"; };
environment.etc."iproute2/ematch_map" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/ematch_map"; };
environment.etc."iproute2/group" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/group"; };
environment.etc."iproute2/nl_protos" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/nl_protos"; };
environment.etc."iproute2/rt_dsfield" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/rt_dsfield"; };
environment.etc."iproute2/rt_protos" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/rt_protos"; };
environment.etc."iproute2/rt_realms" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/rt_realms"; };
environment.etc."iproute2/rt_scopes" = { mode = "0644"; text = fileContents "${pkgs.iproute2}/etc/iproute2/rt_scopes"; };
environment.etc."iproute2/rt_tables" = { mode = "0644"; text = (fileContents "${pkgs.iproute2}/etc/iproute2/rt_tables")
+ (optionalString (cfg.rttablesExtraConfig != "") "\n\n${cfg.rttablesExtraConfig}"); };
};
}

369
nixos/modules/config/krb5/default.nix Normal file
View file

@ -0,0 +1,369 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.krb5;
# This is to provide support for old configuration options (as much as is
# reasonable). This can be removed after 18.03 was released.
defaultConfig = {
libdefaults = optionalAttrs (cfg.defaultRealm != null)
{ default_realm = cfg.defaultRealm; };
realms = optionalAttrs (lib.all (value: value != null) [
cfg.defaultRealm cfg.kdc cfg.kerberosAdminServer
]) {
${cfg.defaultRealm} = {
kdc = cfg.kdc;
admin_server = cfg.kerberosAdminServer;
};
};
domain_realm = optionalAttrs (lib.all (value: value != null) [
cfg.domainRealm cfg.defaultRealm
]) {
".${cfg.domainRealm}" = cfg.defaultRealm;
${cfg.domainRealm} = cfg.defaultRealm;
};
};
mergedConfig = (recursiveUpdate defaultConfig {
inherit (config.krb5)
kerberos libdefaults realms domain_realm capaths appdefaults plugins
extraConfig config;
});
filterEmbeddedMetadata = value: if isAttrs value then
(filterAttrs
(attrName: attrValue: attrName != "_module" && attrValue != null)
value)
else value;
indent = " ";
mkRelation = name: value:
if (isList value) then
concatMapStringsSep "\n" (mkRelation name) value
else "${name} = ${mkVal value}";
mkVal = value:
if (value == true) then "true"
else if (value == false) then "false"
else if (isInt value) then (toString value)
else if (isAttrs value) then
let configLines = concatLists
(map (splitString "\n")
(mapAttrsToList mkRelation value));
in
(concatStringsSep "\n${indent}"
([ "{" ] ++ configLines))
+ "\n}"
else value;
mkMappedAttrsOrString = value: concatMapStringsSep "\n"
(line: if builtins.stringLength line > 0
then "${indent}${line}"
else line)
(splitString "\n"
(if isAttrs value then
concatStringsSep "\n"
(mapAttrsToList mkRelation value)
else value));
in {
###### interface
options = {
krb5 = {
enable = mkEnableOption "building krb5.conf, configuration file for Kerberos V";
kerberos = mkOption {
type = types.package;
default = pkgs.krb5Full;
defaultText = literalExpression "pkgs.krb5Full";
example = literalExpression "pkgs.heimdal";
description = ''
The Kerberos implementation that will be present in
<literal>environment.systemPackages</literal> after enabling this
service.
'';
};
libdefaults = mkOption {
type = with types; either attrs lines;
default = {};
apply = attrs: filterEmbeddedMetadata attrs;
example = literalExpression ''
{
default_realm = "ATHENA.MIT.EDU";
};
'';
description = ''
Settings used by the Kerberos V5 library.
'';
};
realms = mkOption {
type = with types; either attrs lines;
default = {};
example = literalExpression ''
{
"ATHENA.MIT.EDU" = {
admin_server = "athena.mit.edu";
kdc = [
"athena01.mit.edu"
"athena02.mit.edu"
];
};
};
'';
apply = attrs: filterEmbeddedMetadata attrs;
description = "Realm-specific contact information and settings.";
};
domain_realm = mkOption {
type = with types; either attrs lines;
default = {};
example = literalExpression ''
{
"example.com" = "EXAMPLE.COM";
".example.com" = "EXAMPLE.COM";
};
'';
apply = attrs: filterEmbeddedMetadata attrs;
description = ''
Map of server hostnames to Kerberos realms.
'';
};
capaths = mkOption {
type = with types; either attrs lines;
default = {};
example = literalExpression ''
{
"ATHENA.MIT.EDU" = {
"EXAMPLE.COM" = ".";
};
"EXAMPLE.COM" = {
"ATHENA.MIT.EDU" = ".";
};
};
'';
apply = attrs: filterEmbeddedMetadata attrs;
description = ''
Authentication paths for non-hierarchical cross-realm authentication.
'';
};
appdefaults = mkOption {
type = with types; either attrs lines;
default = {};
example = literalExpression ''
{
pam = {
debug = false;
ticket_lifetime = 36000;
renew_lifetime = 36000;
max_timeout = 30;
timeout_shift = 2;
initial_timeout = 1;
};
};
'';
apply = attrs: filterEmbeddedMetadata attrs;
description = ''
Settings used by some Kerberos V5 applications.
'';
};
plugins = mkOption {
type = with types; either attrs lines;
default = {};
example = literalExpression ''
{
ccselect = {
disable = "k5identity";
};
};
'';
apply = attrs: filterEmbeddedMetadata attrs;
description = ''
Controls plugin module registration.
'';
};
extraConfig = mkOption {
type = with types; nullOr lines;
default = null;
example = ''
[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
'';
description = ''
These lines go to the end of <literal>krb5.conf</literal> verbatim.
<literal>krb5.conf</literal> may include any of the relations that are
valid for <literal>kdc.conf</literal> (see <literal>man
kdc.conf</literal>), but it is not a recommended practice.
'';
};
config = mkOption {
type = with types; nullOr lines;
default = null;
example = ''
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
admin_server = kerberos.example.com
kdc = kerberos.example.com
default_principal_flags = +preauth
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
'';
description = ''
Verbatim <literal>krb5.conf</literal> configuration. Note that this
is mutually exclusive with configuration via
<literal>libdefaults</literal>, <literal>realms</literal>,
<literal>domain_realm</literal>, <literal>capaths</literal>,
<literal>appdefaults</literal>, <literal>plugins</literal> and
<literal>extraConfig</literal> configuration options. Consult
<literal>man krb5.conf</literal> for documentation.
'';
};
defaultRealm = mkOption {
type = with types; nullOr str;
default = null;
example = "ATHENA.MIT.EDU";
description = ''
DEPRECATED, please use
<literal>krb5.libdefaults.default_realm</literal>.
'';
};
domainRealm = mkOption {
type = with types; nullOr str;
default = null;
example = "athena.mit.edu";
description = ''
DEPRECATED, please create a map of server hostnames to Kerberos realms
in <literal>krb5.domain_realm</literal>.
'';
};
kdc = mkOption {
type = with types; nullOr str;
default = null;
example = "kerberos.mit.edu";
description = ''
DEPRECATED, please pass a <literal>kdc</literal> attribute to a realm
in <literal>krb5.realms</literal>.
'';
};
kerberosAdminServer = mkOption {
type = with types; nullOr str;
default = null;
example = "kerberos.mit.edu";
description = ''
DEPRECATED, please pass an <literal>admin_server</literal> attribute
to a realm in <literal>krb5.realms</literal>.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.kerberos ];
environment.etc."krb5.conf".text = if isString cfg.config
then cfg.config
else (''
[libdefaults]
${mkMappedAttrsOrString mergedConfig.libdefaults}
[realms]
${mkMappedAttrsOrString mergedConfig.realms}
[domain_realm]
${mkMappedAttrsOrString mergedConfig.domain_realm}
[capaths]
${mkMappedAttrsOrString mergedConfig.capaths}
[appdefaults]
${mkMappedAttrsOrString mergedConfig.appdefaults}
[plugins]
${mkMappedAttrsOrString mergedConfig.plugins}
'' + optionalString (mergedConfig.extraConfig != null)
("\n" + mergedConfig.extraConfig));
warnings = flatten [
(optional (cfg.defaultRealm != null) ''
The option krb5.defaultRealm is deprecated, please use
krb5.libdefaults.default_realm.
'')
(optional (cfg.domainRealm != null) ''
The option krb5.domainRealm is deprecated, please use krb5.domain_realm.
'')
(optional (cfg.kdc != null) ''
The option krb5.kdc is deprecated, please pass a kdc attribute to a
realm in krb5.realms.
'')
(optional (cfg.kerberosAdminServer != null) ''
The option krb5.kerberosAdminServer is deprecated, please pass an
admin_server attribute to a realm in krb5.realms.
'')
];
assertions = [
{ assertion = !((builtins.any (value: value != null) [
cfg.defaultRealm cfg.domainRealm cfg.kdc cfg.kerberosAdminServer
]) && ((builtins.any (value: value != {}) [
cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths
cfg.appdefaults cfg.plugins
]) || (builtins.any (value: value != null) [
cfg.config cfg.extraConfig
])));
message = ''
Configuration of krb5.conf by deprecated options is mutually exclusive
with configuration by section. Please migrate your config using the
attributes suggested in the warnings.
'';
}
{ assertion = !(cfg.config != null
&& ((builtins.any (value: value != {}) [
cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths
cfg.appdefaults cfg.plugins
]) || (builtins.any (value: value != null) [
cfg.extraConfig cfg.defaultRealm cfg.domainRealm cfg.kdc
cfg.kerberosAdminServer
])));
message = ''
Configuration of krb5.conf using krb.config is mutually exclusive with
configuration by section. If you want to mix the two, you can pass
lines to any configuration section or lines to krb5.extraConfig.
'';
}
];
};
}

303
nixos/modules/config/ldap.nix Normal file
View file

@ -0,0 +1,303 @@
{ config, lib, pkgs, ... }:
with pkgs;
with lib;
let
cfg = config.users.ldap;
# Careful: OpenLDAP seems to be very picky about the indentation of
# this file. Directives HAVE to start in the first column!
ldapConfig = {
target = "ldap.conf";
source = writeText "ldap.conf" ''
uri ${config.users.ldap.server}
base ${config.users.ldap.base}
timelimit ${toString config.users.ldap.timeLimit}
bind_timelimit ${toString config.users.ldap.bind.timeLimit}
bind_policy ${config.users.ldap.bind.policy}
${optionalString config.users.ldap.useTLS ''
ssl start_tls
''}
${optionalString (config.users.ldap.bind.distinguishedName != "") ''
binddn ${config.users.ldap.bind.distinguishedName}
''}
${optionalString (cfg.extraConfig != "") cfg.extraConfig }
'';
};
nslcdConfig = writeText "nslcd.conf" ''
uri ${cfg.server}
base ${cfg.base}
timelimit ${toString cfg.timeLimit}
bind_timelimit ${toString cfg.bind.timeLimit}
${optionalString (cfg.bind.distinguishedName != "")
"binddn ${cfg.bind.distinguishedName}" }
${optionalString (cfg.daemon.rootpwmoddn != "")
"rootpwmoddn ${cfg.daemon.rootpwmoddn}" }
${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig }
'';
# nslcd normally reads configuration from /etc/nslcd.conf.
# this file might contain secrets. We append those at runtime,
# so redirect its location to something more temporary.
nslcdWrapped = runCommand "nslcd-wrapped" { nativeBuildInputs = [ makeWrapper ]; } ''
mkdir -p $out/bin
makeWrapper ${nss_pam_ldapd}/sbin/nslcd $out/bin/nslcd \
--set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so" \
--set NIX_REDIRECTS "/etc/nslcd.conf=/run/nslcd/nslcd.conf"
'';
in
{
###### interface
options = {
users.ldap = {
enable = mkEnableOption "authentication against an LDAP server";
loginPam = mkOption {
type = types.bool;
default = true;
description = "Whether to include authentication against LDAP in login PAM.";
};
nsswitch = mkOption {
type = types.bool;
default = true;
description = "Whether to include lookup against LDAP in NSS.";
};
server = mkOption {
type = types.str;
example = "ldap://ldap.example.org/";
description = "The URL of the LDAP server.";
};
base = mkOption {
type = types.str;
example = "dc=example,dc=org";
description = "The distinguished name of the search base.";
};
useTLS = mkOption {
type = types.bool;
default = false;
description = ''
If enabled, use TLS (encryption) over an LDAP (port 389)
connection. The alternative is to specify an LDAPS server (port
636) in <option>users.ldap.server</option> or to forego
security.
'';
};
timeLimit = mkOption {
default = 0;
type = types.int;
description = ''
Specifies the time limit (in seconds) to use when performing
searches. A value of zero (0), which is the default, is to
wait indefinitely for searches to be completed.
'';
};
daemon = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to let the nslcd daemon (nss-pam-ldapd) handle the
LDAP lookups for NSS and PAM. This can improve performance,
and if you need to bind to the LDAP server with a password,
it increases security, since only the nslcd user needs to
have access to the bindpw file, not everyone that uses NSS
and/or PAM. If this option is enabled, a local nscd user is
created automatically, and the nslcd service is started
automatically when the network get up.
'';
};
extraConfig = mkOption {
default = "";
type = types.lines;
description = ''
Extra configuration options that will be added verbatim at
the end of the nslcd configuration file (<literal>nslcd.conf(5)</literal>).
'' ;
} ;
rootpwmoddn = mkOption {
default = "";
example = "cn=admin,dc=example,dc=com";
type = types.str;
description = ''
The distinguished name to use to bind to the LDAP server
when the root user tries to modify a user's password.
'';
};
rootpwmodpwFile = mkOption {
default = "";
example = "/run/keys/nslcd.rootpwmodpw";
type = types.str;
description = ''
The path to a file containing the credentials with which to bind to
the LDAP server if the root user tries to change a user's password.
'';
};
};
bind = {
distinguishedName = mkOption {
default = "";
example = "cn=admin,dc=example,dc=com";
type = types.str;
description = ''
The distinguished name to bind to the LDAP server with. If this
is not specified, an anonymous bind will be done.
'';
};
passwordFile = mkOption {
default = "/etc/ldap/bind.password";
type = types.str;
description = ''
The path to a file containing the credentials to use when binding
to the LDAP server (if not binding anonymously).
'';
};
timeLimit = mkOption {
default = 30;
type = types.int;
description = ''
Specifies the time limit (in seconds) to use when connecting
to the directory server. This is distinct from the time limit
specified in <option>users.ldap.timeLimit</option> and affects
the initial server connection only.
'';
};
policy = mkOption {
default = "hard_open";
type = types.enum [ "hard_open" "hard_init" "soft" ];
description = ''
Specifies the policy to use for reconnecting to an unavailable
LDAP server. The default is <literal>hard_open</literal>, which
reconnects if opening the connection to the directory server
failed. By contrast, <literal>hard_init</literal> reconnects if
initializing the connection failed. Initializing may not
actually contact the directory server, and it is possible that
a malformed configuration file will trigger reconnection. If
<literal>soft</literal> is specified, then
<package>nss_ldap</package> will return immediately on server
failure. All hard reconnect policies block with exponential
backoff before retrying.
'';
};
};
extraConfig = mkOption {
default = "";
type = types.lines;
description = ''
Extra configuration options that will be added verbatim at
the end of the ldap configuration file (<literal>ldap.conf(5)</literal>).
If <option>users.ldap.daemon</option> is enabled, this
configuration will not be used. In that case, use
<option>users.ldap.daemon.extraConfig</option> instead.
'' ;
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.etc = optionalAttrs (!cfg.daemon.enable) {
"ldap.conf" = ldapConfig;
};
system.activationScripts = mkIf (!cfg.daemon.enable) {
ldap = stringAfter [ "etc" "groups" "users" ] ''
if test -f "${cfg.bind.passwordFile}" ; then
umask 0077
conf="$(mktemp)"
printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" |
cat ${ldapConfig.source} - >"$conf"
mv -fT "$conf" /etc/ldap.conf
fi
'';
};
system.nssModules = mkIf cfg.nsswitch (singleton (
if cfg.daemon.enable then nss_pam_ldapd else nss_ldap
));
system.nssDatabases.group = optional cfg.nsswitch "ldap";
system.nssDatabases.passwd = optional cfg.nsswitch "ldap";
system.nssDatabases.shadow = optional cfg.nsswitch "ldap";
users = mkIf cfg.daemon.enable {
groups.nslcd = {
gid = config.ids.gids.nslcd;
};
users.nslcd = {
uid = config.ids.uids.nslcd;
description = "nslcd user.";
group = "nslcd";
};
};
systemd.services = mkIf cfg.daemon.enable {
nslcd = {
wantedBy = [ "multi-user.target" ];
preStart = ''
umask 0077
conf="$(mktemp)"
{
cat ${nslcdConfig}
test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' ||
printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')"
test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' ||
printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')"
} >"$conf"
mv -fT "$conf" /run/nslcd/nslcd.conf
'';
restartTriggers = [
nslcdConfig
cfg.bind.passwordFile
cfg.daemon.rootpwmodpwFile
];
serviceConfig = {
ExecStart = "${nslcdWrapped}/bin/nslcd";
Type = "forking";
Restart = "always";
User = "nslcd";
Group = "nslcd";
RuntimeDirectory = [ "nslcd" ];
PIDFile = "/run/nslcd/nslcd.pid";
AmbientCapabilities = "CAP_SYS_RESOURCE";
};
};
};
};
imports =
[ (mkRenamedOptionModule [ "users" "ldap" "bind" "password"] [ "users" "ldap" "bind" "passwordFile"])
];
}

94
nixos/modules/config/locale.nix Normal file
View file

@ -0,0 +1,94 @@
{ config, lib, pkgs, ... }:
with lib;
let
tzdir = "${pkgs.tzdata}/share/zoneinfo";
nospace = str: filter (c: c == " ") (stringToCharacters str) == [];
timezone = types.nullOr (types.addCheck types.str nospace)
// { description = "null or string without spaces"; };
lcfg = config.location;
in
{
options = {
time = {
timeZone = mkOption {
default = null;
type = timezone;
example = "America/New_York";
description = ''
The time zone used when displaying times and dates. See <link
xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"/>
for a comprehensive list of possible values for this setting.
If null, the timezone will default to UTC and can be set imperatively
using timedatectl.
'';
};
hardwareClockInLocalTime = mkOption {
default = false;
type = types.bool;
description = "If set, keep the hardware clock in local time instead of UTC.";
};
};
location = {
latitude = mkOption {
type = types.float;
description = ''
Your current latitude, between
<literal>-90.0</literal> and <literal>90.0</literal>. Must be provided
along with longitude.
'';
};
longitude = mkOption {
type = types.float;
description = ''
Your current longitude, between
between <literal>-180.0</literal> and <literal>180.0</literal>. Must be
provided along with latitude.
'';
};
provider = mkOption {
type = types.enum [ "manual" "geoclue2" ];
default = "manual";
description = ''
The location provider to use for determining your location. If set to
<literal>manual</literal> you must also provide latitude/longitude.
'';
};
};
};
config = {
environment.sessionVariables.TZDIR = "/etc/zoneinfo";
services.geoclue2.enable = mkIf (lcfg.provider == "geoclue2") true;
# This way services are restarted when tzdata changes.
systemd.globalEnvironment.TZDIR = tzdir;
systemd.services.systemd-timedated.environment = lib.optionalAttrs (config.time.timeZone != null) { NIXOS_STATIC_TIMEZONE = "1"; };
environment.etc = {
zoneinfo.source = tzdir;
} // lib.optionalAttrs (config.time.timeZone != null) {
localtime.source = "/etc/zoneinfo/${config.time.timeZone}";
localtime.mode = "direct-symlink";
};
};
}

117
nixos/modules/config/malloc.nix Normal file
View file

@ -0,0 +1,117 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.environment.memoryAllocator;
# The set of alternative malloc(3) providers.
providers = {
graphene-hardened = {
libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc.so";
description = ''
An allocator designed to mitigate memory corruption attacks, such as
those caused by use-after-free bugs.
'';
};
jemalloc = {
libPath = "${pkgs.jemalloc}/lib/libjemalloc.so";
description = ''
A general purpose allocator that emphasizes fragmentation avoidance
and scalable concurrency support.
'';
};
scudo = let
platformMap = {
aarch64-linux = "aarch64";
x86_64-linux = "x86_64";
};
systemPlatform = platformMap.${pkgs.stdenv.hostPlatform.system} or (throw "scudo not supported on ${pkgs.stdenv.hostPlatform.system}");
in {
libPath = "${pkgs.llvmPackages_latest.compiler-rt}/lib/linux/libclang_rt.scudo-${systemPlatform}.so";
description = ''
A user-mode allocator based on LLVM Sanitizers CombinedAllocator,
which aims at providing additional mitigations against heap based
vulnerabilities, while maintaining good performance.
'';
};
mimalloc = {
libPath = "${pkgs.mimalloc}/lib/libmimalloc.so";
description = ''
A compact and fast general purpose allocator, which may
optionally be built with mitigations against various heap
vulnerabilities.
'';
};
};
providerConf = providers.${cfg.provider};
# An output that contains only the shared library, to avoid
# needlessly bloating the system closure
mallocLib = pkgs.runCommand "malloc-provider-${cfg.provider}"
rec {
preferLocalBuild = true;
allowSubstitutes = false;
origLibPath = providerConf.libPath;
libName = baseNameOf origLibPath;
}
''
mkdir -p $out/lib
cp -L $origLibPath $out/lib/$libName
'';
# The full path to the selected provider shlib.
providerLibPath = "${mallocLib}/lib/${mallocLib.libName}";
in
{
meta = {
maintainers = [ maintainers.joachifm ];
};
options = {
environment.memoryAllocator.provider = mkOption {
type = types.enum ([ "libc" ] ++ attrNames providers);
default = "libc";
description = ''
The system-wide memory allocator.
Briefly, the system-wide memory allocator providers are:
<itemizedlist>
<listitem><para><literal>libc</literal>: the standard allocator provided by libc</para></listitem>
${toString (mapAttrsToList
(name: value: "<listitem><para><literal>${name}</literal>: ${value.description}</para></listitem>")
providers)}
</itemizedlist>
<warning>
<para>
Selecting an alternative allocator (i.e., anything other than
<literal>libc</literal>) may result in instability, data loss,
and/or service failure.
</para>
</warning>
'';
};
};
config = mkIf (cfg.provider != "libc") {
environment.etc."ld-nix.so.preload".text = ''
${providerLibPath}
'';
security.apparmor.includes = {
"abstractions/base" = ''
r /etc/ld-nix.so.preload,
r ${config.environment.etc."ld-nix.so.preload".source},
include "${pkgs.apparmorRulesFromClosure {
name = "mallocLib";
baseRules = ["mr $path/lib/**.so*"];
} [ mallocLib ] }"
'';
};
};
}

237
nixos/modules/config/networking.nix Normal file
View file

@ -0,0 +1,237 @@
# /etc files related to networking, such as /etc/services.
{ config, lib, options, pkgs, ... }:
with lib;
let
cfg = config.networking;
opt = options.networking;
localhostMultiple = any (elem "localhost") (attrValues (removeAttrs cfg.hosts [ "127.0.0.1" "::1" ]));
in
{
imports = [
(mkRemovedOptionModule [ "networking" "hostConf" ] "Use environment.etc.\"host.conf\" instead.")
];
options = {
networking.hosts = lib.mkOption {
type = types.attrsOf (types.listOf types.str);
example = literalExpression ''
{
"127.0.0.1" = [ "foo.bar.baz" ];
"192.168.0.2" = [ "fileserver.local" "nameserver.local" ];
};
'';
description = ''
Locally defined maps of hostnames to IP addresses.
'';
};
networking.hostFiles = lib.mkOption {
type = types.listOf types.path;
defaultText = literalDocBook "Hosts from <option>networking.hosts</option> and <option>networking.extraHosts</option>";
example = literalExpression ''[ "''${pkgs.my-blocklist-package}/share/my-blocklist/hosts" ]'';
description = ''
Files that should be concatenated together to form <filename>/etc/hosts</filename>.
'';
};
networking.extraHosts = lib.mkOption {
type = types.lines;
default = "";
example = "192.168.0.1 lanlocalhost";
description = ''
Additional verbatim entries to be appended to <filename>/etc/hosts</filename>.
For adding hosts from derivation results, use <option>networking.hostFiles</option> instead.
'';
};
networking.timeServers = mkOption {
default = [
"0.nixos.pool.ntp.org"
"1.nixos.pool.ntp.org"
"2.nixos.pool.ntp.org"
"3.nixos.pool.ntp.org"
];
type = types.listOf types.str;
description = ''
The set of NTP servers from which to synchronise.
'';
};
networking.proxy = {
default = lib.mkOption {
type = types.nullOr types.str;
default = null;
description = ''
This option specifies the default value for httpProxy, httpsProxy, ftpProxy and rsyncProxy.
'';
example = "http://127.0.0.1:3128";
};
httpProxy = lib.mkOption {
type = types.nullOr types.str;
default = cfg.proxy.default;
defaultText = literalExpression "config.${opt.proxy.default}";
description = ''
This option specifies the http_proxy environment variable.
'';
example = "http://127.0.0.1:3128";
};
httpsProxy = lib.mkOption {
type = types.nullOr types.str;
default = cfg.proxy.default;
defaultText = literalExpression "config.${opt.proxy.default}";
description = ''
This option specifies the https_proxy environment variable.
'';
example = "http://127.0.0.1:3128";
};
ftpProxy = lib.mkOption {
type = types.nullOr types.str;
default = cfg.proxy.default;
defaultText = literalExpression "config.${opt.proxy.default}";
description = ''
This option specifies the ftp_proxy environment variable.
'';
example = "http://127.0.0.1:3128";
};
rsyncProxy = lib.mkOption {
type = types.nullOr types.str;
default = cfg.proxy.default;
defaultText = literalExpression "config.${opt.proxy.default}";
description = ''
This option specifies the rsync_proxy environment variable.
'';
example = "http://127.0.0.1:3128";
};
allProxy = lib.mkOption {
type = types.nullOr types.str;
default = cfg.proxy.default;
defaultText = literalExpression "config.${opt.proxy.default}";
description = ''
This option specifies the all_proxy environment variable.
'';
example = "http://127.0.0.1:3128";
};
noProxy = lib.mkOption {
type = types.nullOr types.str;
default = null;
description = ''
This option specifies the no_proxy environment variable.
If a default proxy is used and noProxy is null,
then noProxy will be set to 127.0.0.1,localhost.
'';
example = "127.0.0.1,localhost,.localdomain";
};
envVars = lib.mkOption {
type = types.attrs;
internal = true;
default = {};
description = ''
Environment variables used for the network proxy.
'';
};
};
};
config = {
assertions = [{
assertion = !localhostMultiple;
message = ''
`networking.hosts` maps "localhost" to something other than "127.0.0.1"
or "::1". This will break some applications. Please use
`networking.extraHosts` if you really want to add such a mapping.
'';
}];
# These entries are required for "hostname -f" and to resolve both the
# hostname and FQDN correctly:
networking.hosts = let
hostnames = # Note: The FQDN (canonical hostname) has to come first:
optional (cfg.hostName != "" && cfg.domain != null) "${cfg.hostName}.${cfg.domain}"
++ optional (cfg.hostName != "") cfg.hostName; # Then the hostname (without the domain)
in {
"127.0.0.2" = hostnames;
} // optionalAttrs cfg.enableIPv6 {
"::1" = hostnames;
};
networking.hostFiles = let
# Note: localhostHosts has to appear first in /etc/hosts so that 127.0.0.1
# resolves back to "localhost" (as some applications assume) instead of
# the FQDN! By default "networking.hosts" also contains entries for the
# FQDN so that e.g. "hostname -f" works correctly.
localhostHosts = pkgs.writeText "localhost-hosts" ''
127.0.0.1 localhost
${optionalString cfg.enableIPv6 "::1 localhost"}
'';
stringHosts =
let
oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip} + "\n";
allToString = set: concatMapStrings (oneToString set) (attrNames set);
in pkgs.writeText "string-hosts" (allToString (filterAttrs (_: v: v != []) cfg.hosts));
extraHosts = pkgs.writeText "extra-hosts" cfg.extraHosts;
in mkBefore [ localhostHosts stringHosts extraHosts ];
environment.etc =
{ # /etc/services: TCP/UDP port assignments.
services.source = pkgs.iana-etc + "/etc/services";
# /etc/protocols: IP protocol numbers.
protocols.source = pkgs.iana-etc + "/etc/protocols";
# /etc/hosts: Hostname-to-IP mappings.
hosts.source = pkgs.concatText "hosts" cfg.hostFiles;
# /etc/netgroup: Network-wide groups.
netgroup.text = mkDefault "";
# /etc/host.conf: resolver configuration file
"host.conf".text = ''
multi on
'';
} // optionalAttrs (pkgs.stdenv.hostPlatform.libc == "glibc") {
# /etc/rpc: RPC program numbers.
rpc.source = pkgs.stdenv.cc.libc.out + "/etc/rpc";
};
networking.proxy.envVars =
optionalAttrs (cfg.proxy.default != null) {
# other options already fallback to proxy.default
no_proxy = "127.0.0.1,localhost";
} // optionalAttrs (cfg.proxy.httpProxy != null) {
http_proxy = cfg.proxy.httpProxy;
} // optionalAttrs (cfg.proxy.httpsProxy != null) {
https_proxy = cfg.proxy.httpsProxy;
} // optionalAttrs (cfg.proxy.rsyncProxy != null) {
rsync_proxy = cfg.proxy.rsyncProxy;
} // optionalAttrs (cfg.proxy.ftpProxy != null) {
ftp_proxy = cfg.proxy.ftpProxy;
} // optionalAttrs (cfg.proxy.allProxy != null) {
all_proxy = cfg.proxy.allProxy;
} // optionalAttrs (cfg.proxy.noProxy != null) {
no_proxy = cfg.proxy.noProxy;
};
# Install the proxy environment variables
environment.sessionVariables = cfg.proxy.envVars;
};
}

44
nixos/modules/config/no-x-libs.nix Normal file
View file

@ -0,0 +1,44 @@
# This module gets rid of all dependencies on X11 client libraries
# (including fontconfig).
{ config, lib, ... }:
with lib;
{
options = {
environment.noXlibs = mkOption {
type = types.bool;
default = false;
description = ''
Switch off the options in the default configuration that
require X11 libraries. This includes client-side font
configuration and SSH forwarding of X11 authentication
in. Thus, you probably do not want to enable this option if
you want to run X11 programs on this machine via SSH.
'';
};
};
config = mkIf config.environment.noXlibs {
programs.ssh.setXAuthLocation = false;
security.pam.services.su.forwardXAuth = lib.mkForce false;
fonts.fontconfig.enable = false;
nixpkgs.overlays = singleton (const (super: {
cairo = super.cairo.override { x11Support = false; };
dbus = super.dbus.override { x11Support = false; };
beam = super.beam_nox;
networkmanager-fortisslvpn = super.networkmanager-fortisslvpn.override { withGnome = false; };
networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; };
networkmanager-l2tp = super.networkmanager-l2tp.override { withGnome = false; };
networkmanager-openconnect = super.networkmanager-openconnect.override { withGnome = false; };
networkmanager-openvpn = super.networkmanager-openvpn.override { withGnome = false; };
networkmanager-sstp = super.networkmanager-vpnc.override { withGnome = false; };
networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; };
gobject-introspection = super.gobject-introspection.override { x11Support = false; };
qemu = super.qemu.override { gtkSupport = false; spiceSupport = false; sdlSupport = false; };
}));
};
}

136
nixos/modules/config/nsswitch.nix Normal file
View file

@ -0,0 +1,136 @@
# Configuration for the Name Service Switch (/etc/nsswitch.conf).
{ config, lib, pkgs, ... }:
with lib;
{
options = {
# NSS modules. Hacky!
# Only works with nscd!
system.nssModules = mkOption {
type = types.listOf types.path;
internal = true;
default = [];
description = ''
Search path for NSS (Name Service Switch) modules. This allows
several DNS resolution methods to be specified via
<filename>/etc/nsswitch.conf</filename>.
'';
apply = list:
{
inherit list;
path = makeLibraryPath list;
};
};
system.nssDatabases = {
passwd = mkOption {
type = types.listOf types.str;
description = ''
List of passwd entries to configure in <filename>/etc/nsswitch.conf</filename>.
Note that "files" is always prepended while "systemd" is appended if nscd is enabled.
This option only takes effect if nscd is enabled.
'';
default = [];
};
group = mkOption {
type = types.listOf types.str;
description = ''
List of group entries to configure in <filename>/etc/nsswitch.conf</filename>.
Note that "files" is always prepended while "systemd" is appended if nscd is enabled.
This option only takes effect if nscd is enabled.
'';
default = [];
};
shadow = mkOption {
type = types.listOf types.str;
description = ''
List of shadow entries to configure in <filename>/etc/nsswitch.conf</filename>.
Note that "files" is always prepended.
This option only takes effect if nscd is enabled.
'';
default = [];
};
hosts = mkOption {
type = types.listOf types.str;
description = ''
List of hosts entries to configure in <filename>/etc/nsswitch.conf</filename>.
Note that "files" is always prepended, and "dns" and "myhostname" are always appended.
This option only takes effect if nscd is enabled.
'';
default = [];
};
services = mkOption {
type = types.listOf types.str;
description = ''
List of services entries to configure in <filename>/etc/nsswitch.conf</filename>.
Note that "files" is always prepended.
This option only takes effect if nscd is enabled.
'';
default = [];
};
};
};
imports = [
(mkRenamedOptionModule [ "system" "nssHosts" ] [ "system" "nssDatabases" "hosts" ])
];
config = {
assertions = [
{
assertion = config.system.nssModules.path != "" -> config.services.nscd.enable;
message = ''
Loading NSS modules from system.nssModules (${config.system.nssModules.path}),
requires services.nscd.enable being set to true.
If disabling nscd is really necessary, it is possible to disable loading NSS modules
by setting `system.nssModules = lib.mkForce [];` in your configuration.nix.
'';
}
];
# Name Service Switch configuration file. Required by the C
# library.
environment.etc."nsswitch.conf".text = ''
passwd: ${concatStringsSep " " config.system.nssDatabases.passwd}
group: ${concatStringsSep " " config.system.nssDatabases.group}
shadow: ${concatStringsSep " " config.system.nssDatabases.shadow}
hosts: ${concatStringsSep " " config.system.nssDatabases.hosts}
networks: files
ethers: files
services: ${concatStringsSep " " config.system.nssDatabases.services}
protocols: files
rpc: files
'';
system.nssDatabases = {
passwd = mkBefore [ "files" ];
group = mkBefore [ "files" ];
shadow = mkBefore [ "files" ];
hosts = mkMerge [
(mkOrder 998 [ "files" ])
(mkOrder 1499 [ "dns" ])
];
services = mkBefore [ "files" ];
};
};
}

106
nixos/modules/config/power-management.nix Normal file
View file

@ -0,0 +1,106 @@
{ config, lib, ... }:
with lib;
let
cfg = config.powerManagement;
in
{
###### interface
options = {
powerManagement = {
enable = mkOption {
type = types.bool;
default = true;
description =
''
Whether to enable power management. This includes support
for suspend-to-RAM and powersave features on laptops.
'';
};
resumeCommands = mkOption {
type = types.lines;
default = "";
description = "Commands executed after the system resumes from suspend-to-RAM.";
};
powerUpCommands = mkOption {
type = types.lines;
default = "";
example = literalExpression ''
"''${pkgs.hdparm}/sbin/hdparm -B 255 /dev/sda"
'';
description =
''
Commands executed when the machine powers up. That is,
they're executed both when the system first boots and when
it resumes from suspend or hibernation.
'';
};
powerDownCommands = mkOption {
type = types.lines;
default = "";
example = literalExpression ''
"''${pkgs.hdparm}/sbin/hdparm -B 255 /dev/sda"
'';
description =
''
Commands executed when the machine powers down. That is,
they're executed both when the system shuts down and when
it goes to suspend or hibernation.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
systemd.targets.post-resume = {
description = "Post-Resume Actions";
requires = [ "post-resume.service" ];
after = [ "post-resume.service" ];
wantedBy = [ "sleep.target" ];
unitConfig.StopWhenUnneeded = true;
};
# Service executed before suspending/hibernating.
systemd.services.pre-sleep =
{ description = "Pre-Sleep Actions";
wantedBy = [ "sleep.target" ];
before = [ "sleep.target" ];
script =
''
${cfg.powerDownCommands}
'';
serviceConfig.Type = "oneshot";
};
systemd.services.post-resume =
{ description = "Post-Resume Actions";
after = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ];
script =
''
/run/current-system/systemd/bin/systemctl try-restart post-resume.target
${cfg.resumeCommands}
${cfg.powerUpCommands}
'';
serviceConfig.Type = "oneshot";
};
};
}

331
nixos/modules/config/pulseaudio.nix Normal file
View file

@ -0,0 +1,331 @@
{ config, lib, pkgs, ... }:
with pkgs;
with lib;
let
cfg = config.hardware.pulseaudio;
alsaCfg = config.sound;
systemWide = cfg.enable && cfg.systemWide;
nonSystemWide = cfg.enable && !cfg.systemWide;
hasZeroconf = let z = cfg.zeroconf; in z.publish.enable || z.discovery.enable;
overriddenPackage = cfg.package.override
(optionalAttrs hasZeroconf { zeroconfSupport = true; });
binary = "${getBin overriddenPackage}/bin/pulseaudio";
binaryNoDaemon = "${binary} --daemonize=no";
# Forces 32bit pulseaudio and alsa-plugins to be built/supported for apps
# using 32bit alsa on 64bit linux.
enable32BitAlsaPlugins = cfg.support32Bit && stdenv.isx86_64 && (pkgs.pkgsi686Linux.alsa-lib != null && pkgs.pkgsi686Linux.libpulseaudio != null);
myConfigFile =
let
addModuleIf = cond: mod: optionalString cond "load-module ${mod}";
allAnon = optional cfg.tcp.anonymousClients.allowAll "auth-anonymous=1";
ipAnon = let a = cfg.tcp.anonymousClients.allowedIpRanges;
in optional (a != []) ''auth-ip-acl=${concatStringsSep ";" a}'';
in writeTextFile {
name = "default.pa";
text = ''
.include ${cfg.configFile}
${addModuleIf cfg.zeroconf.publish.enable "module-zeroconf-publish"}
${addModuleIf cfg.zeroconf.discovery.enable "module-zeroconf-discover"}
${addModuleIf cfg.tcp.enable (concatStringsSep " "
([ "module-native-protocol-tcp" ] ++ allAnon ++ ipAnon))}
${addModuleIf config.services.jack.jackd.enable "module-jack-sink"}
${addModuleIf config.services.jack.jackd.enable "module-jack-source"}
${cfg.extraConfig}
'';
};
ids = config.ids;
uid = ids.uids.pulseaudio;
gid = ids.gids.pulseaudio;
stateDir = "/run/pulse";
# Create pulse/client.conf even if PulseAudio is disabled so
# that we can disable the autospawn feature in programs that
# are built with PulseAudio support (like KDE).
clientConf = writeText "client.conf" ''
autospawn=no
${cfg.extraClientConf}
'';
# Write an /etc/asound.conf that causes all ALSA applications to
# be re-routed to the PulseAudio server through ALSA's Pulse
# plugin.
alsaConf = writeText "asound.conf" (''
pcm_type.pulse {
libs.native = ${pkgs.alsa-plugins}/lib/alsa-lib/libasound_module_pcm_pulse.so ;
${lib.optionalString enable32BitAlsaPlugins
"libs.32Bit = ${pkgs.pkgsi686Linux.alsa-plugins}/lib/alsa-lib/libasound_module_pcm_pulse.so ;"}
}
pcm.!default {
type pulse
hint.description "Default Audio Device (via PulseAudio)"
}
ctl_type.pulse {
libs.native = ${pkgs.alsa-plugins}/lib/alsa-lib/libasound_module_ctl_pulse.so ;
${lib.optionalString enable32BitAlsaPlugins
"libs.32Bit = ${pkgs.pkgsi686Linux.alsa-plugins}/lib/alsa-lib/libasound_module_ctl_pulse.so ;"}
}
ctl.!default {
type pulse
}
${alsaCfg.extraConfig}
'');
in {
options = {
hardware.pulseaudio = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable the PulseAudio sound server.
'';
};
systemWide = mkOption {
type = types.bool;
default = false;
description = ''
If false, a PulseAudio server is launched automatically for
each user that tries to use the sound system. The server runs
with user privileges. If true, one system-wide PulseAudio
server is launched on boot, running as the user "pulse", and
only users in the "audio" group will have access to the server.
Please read the PulseAudio documentation for more details.
Don't enable this option unless you know what you are doing.
'';
};
support32Bit = mkOption {
type = types.bool;
default = false;
description = ''
Whether to include the 32-bit pulseaudio libraries in the system or not.
This is only useful on 64-bit systems and currently limited to x86_64-linux.
'';
};
configFile = mkOption {
type = types.nullOr types.path;
description = ''
The path to the default configuration options the PulseAudio server
should use. By default, the "default.pa" configuration
from the PulseAudio distribution is used.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Literal string to append to <literal>configFile</literal>
and the config file generated by the pulseaudio module.
'';
};
extraClientConf = mkOption {
type = types.lines;
default = "";
description = ''
Extra configuration appended to pulse/client.conf file.
'';
};
package = mkOption {
type = types.package;
default = if config.services.jack.jackd.enable
then pkgs.pulseaudioFull
else pkgs.pulseaudio;
defaultText = literalExpression "pkgs.pulseaudio";
example = literalExpression "pkgs.pulseaudioFull";
description = ''
The PulseAudio derivation to use. This can be used to enable
features (such as JACK support, Bluetooth) via the
<literal>pulseaudioFull</literal> package.
'';
};
extraModules = mkOption {
type = types.listOf types.package;
default = [];
example = literalExpression "[ pkgs.pulseaudio-modules-bt ]";
description = ''
Extra pulseaudio modules to use. This is intended for out-of-tree
pulseaudio modules like extra bluetooth codecs.
Extra modules take precedence over built-in pulseaudio modules.
'';
};
daemon = {
logLevel = mkOption {
type = types.str;
default = "notice";
description = ''
The log level that the system-wide pulseaudio daemon should use,
if activated.
'';
};
config = mkOption {
type = types.attrsOf types.unspecified;
default = {};
description = "Config of the pulse daemon. See <literal>man pulse-daemon.conf</literal>.";
example = literalExpression ''{ realtime-scheduling = "yes"; }'';
};
};
zeroconf = {
discovery.enable =
mkEnableOption "discovery of pulseaudio sinks in the local network";
publish.enable =
mkEnableOption "publishing the pulseaudio sink in the local network";
};
# TODO: enable by default?
tcp = {
enable = mkEnableOption "tcp streaming support";
anonymousClients = {
allowAll = mkEnableOption "all anonymous clients to stream to the server";
allowedIpRanges = mkOption {
type = types.listOf types.str;
default = [];
example = literalExpression ''[ "127.0.0.1" "192.168.1.0/24" ]'';
description = ''
A list of IP subnets that are allowed to stream to the server.
'';
};
};
};
};
};
config = mkMerge [
{
environment.etc = {
"pulse/client.conf".source = clientConf;
};
hardware.pulseaudio.configFile = mkDefault "${getBin overriddenPackage}/etc/pulse/default.pa";
}
(mkIf cfg.enable {
environment.systemPackages = [ overriddenPackage ];
sound.enable = true;
environment.etc = {
"asound.conf".source = alsaConf;
"pulse/daemon.conf".source = writeText "daemon.conf"
(lib.generators.toKeyValue {} cfg.daemon.config);
"openal/alsoft.conf".source = writeText "alsoft.conf" "drivers=pulse";
"libao.conf".source = writeText "libao.conf" "default_driver=pulse";
};
# Disable flat volumes to enable relative ones
hardware.pulseaudio.daemon.config.flat-volumes = mkDefault "no";
# Upstream defaults to speex-float-1 which results in audible artifacts
hardware.pulseaudio.daemon.config.resample-method = mkDefault "speex-float-5";
# Allow PulseAudio to get realtime priority using rtkit.
security.rtkit.enable = true;
systemd.packages = [ overriddenPackage ];
# PulseAudio is packaged with udev rules to handle various audio device quirks
services.udev.packages = [ overriddenPackage ];
})
(mkIf (cfg.extraModules != []) {
hardware.pulseaudio.daemon.config.dl-search-path = let
overriddenModules = builtins.map
(drv: drv.override { pulseaudio = overriddenPackage; })
cfg.extraModules;
modulePaths = builtins.map
(drv: "${drv}/${overriddenPackage.pulseDir}/modules")
# User-provided extra modules take precedence
(overriddenModules ++ [ overriddenPackage ]);
in lib.concatStringsSep ":" modulePaths;
})
(mkIf hasZeroconf {
services.avahi.enable = true;
})
(mkIf cfg.zeroconf.publish.enable {
services.avahi.publish.enable = true;
services.avahi.publish.userServices = true;
})
(mkIf nonSystemWide {
environment.etc = {
"pulse/default.pa".source = myConfigFile;
};
systemd.user = {
services.pulseaudio = {
restartIfChanged = true;
serviceConfig = {
RestartSec = "500ms";
PassEnvironment = "DISPLAY";
};
} // optionalAttrs config.services.jack.jackd.enable {
environment.JACK_PROMISCUOUS_SERVER = "jackaudio";
};
sockets.pulseaudio = {
wantedBy = [ "sockets.target" ];
};
};
})
(mkIf systemWide {
users.users.pulse = {
# For some reason, PulseAudio wants UID == GID.
uid = assert uid == gid; uid;
group = "pulse";
extraGroups = [ "audio" ];
description = "PulseAudio system service user";
home = stateDir;
createHome = true;
isSystemUser = true;
};
users.groups.pulse.gid = gid;
systemd.services.pulseaudio = {
description = "PulseAudio System-Wide Server";
wantedBy = [ "sound.target" ];
before = [ "sound.target" ];
environment.PULSE_RUNTIME_PATH = stateDir;
serviceConfig = {
Type = "notify";
ExecStart = "${binaryNoDaemon} --log-level=${cfg.daemon.logLevel} --system -n --file=${myConfigFile}";
Restart = "on-failure";
RestartSec = "500ms";
};
};
environment.variables.PULSE_COOKIE = "${stateDir}/.config/pulse/cookie";
})
];
}

104
nixos/modules/config/qt5.nix Normal file
View file

@ -0,0 +1,104 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.qt5;
isQGnome = cfg.platformTheme == "gnome" && builtins.elem cfg.style ["adwaita" "adwaita-dark"];
isQtStyle = cfg.platformTheme == "gtk2" && !(builtins.elem cfg.style ["adwaita" "adwaita-dark"]);
packages = if isQGnome then [ pkgs.qgnomeplatform pkgs.adwaita-qt ]
else if isQtStyle then [ pkgs.libsForQt5.qtstyleplugins ]
else throw "`qt5.platformTheme` ${cfg.platformTheme} and `qt5.style` ${cfg.style} are not compatible.";
in
{
options = {
qt5 = {
enable = mkEnableOption "Qt5 theming configuration";
platformTheme = mkOption {
type = types.enum [
"gtk2"
"gnome"
];
example = "gnome";
relatedPackages = [
"qgnomeplatform"
["libsForQt5" "qtstyleplugins"]
];
description = ''
Selects the platform theme to use for Qt5 applications.</para>
<para>The options are
<variablelist>
<varlistentry>
<term><literal>gtk</literal></term>
<listitem><para>Use GTK theme with
<link xlink:href="https://github.com/qt/qtstyleplugins">qtstyleplugins</link>
</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>gnome</literal></term>
<listitem><para>Use GNOME theme with
<link xlink:href="https://github.com/FedoraQt/QGnomePlatform">qgnomeplatform</link>
</para></listitem>
</varlistentry>
</variablelist>
'';
};
style = mkOption {
type = types.enum [
"adwaita"
"adwaita-dark"
"cleanlooks"
"gtk2"
"motif"
"plastique"
];
example = "adwaita";
relatedPackages = [
"adwaita-qt"
["libsForQt5" "qtstyleplugins"]
];
description = ''
Selects the style to use for Qt5 applications.</para>
<para>The options are
<variablelist>
<varlistentry>
<term><literal>adwaita</literal></term>
<term><literal>adwaita-dark</literal></term>
<listitem><para>Use Adwaita Qt style with
<link xlink:href="https://github.com/FedoraQt/adwaita-qt">adwaita</link>
</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>cleanlooks</literal></term>
<term><literal>gtk2</literal></term>
<term><literal>motif</literal></term>
<term><literal>plastique</literal></term>
<listitem><para>Use styles from
<link xlink:href="https://github.com/qt/qtstyleplugins">qtstyleplugins</link>
</para></listitem>
</varlistentry>
</variablelist>
'';
};
};
};
config = mkIf cfg.enable {
environment.variables.QT_QPA_PLATFORMTHEME = cfg.platformTheme;
environment.variables.QT_STYLE_OVERRIDE = cfg.style;
environment.systemPackages = packages;
};
}

145
nixos/modules/config/resolvconf.nix Normal file
View file

@ -0,0 +1,145 @@
# /etc files related to networking, such as /etc/services.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.networking.resolvconf;
resolvconfOptions = cfg.extraOptions
++ optional cfg.dnsSingleRequest "single-request"
++ optional cfg.dnsExtensionMechanism "edns0";
configText =
''
# This is the default, but we must set it here to prevent
# a collision with an apparently unrelated environment
# variable with the same name exported by dhcpcd.
interface_order='lo lo[0-9]*'
'' + optionalString config.services.nscd.enable ''
# Invalidate the nscd cache whenever resolv.conf is
# regenerated.
libc_restart='/run/current-system/systemd/bin/systemctl try-restart --no-block nscd.service 2> /dev/null'
'' + optionalString (length resolvconfOptions > 0) ''
# Options as described in resolv.conf(5)
resolv_conf_options='${concatStringsSep " " resolvconfOptions}'
'' + optionalString cfg.useLocalResolver ''
# This hosts runs a full-blown DNS resolver.
name_servers='127.0.0.1'
'' + cfg.extraConfig;
in
{
imports = [
(mkRenamedOptionModule [ "networking" "dnsSingleRequest" ] [ "networking" "resolvconf" "dnsSingleRequest" ])
(mkRenamedOptionModule [ "networking" "dnsExtensionMechanism" ] [ "networking" "resolvconf" "dnsExtensionMechanism" ])
(mkRenamedOptionModule [ "networking" "extraResolvconfConf" ] [ "networking" "resolvconf" "extraConfig" ])
(mkRenamedOptionModule [ "networking" "resolvconfOptions" ] [ "networking" "resolvconf" "extraOptions" ])
(mkRemovedOptionModule [ "networking" "resolvconf" "useHostResolvConf" ] "This option was never used for anything anyways")
];
options = {
networking.resolvconf = {
enable = mkOption {
type = types.bool;
default = !(config.environment.etc ? "resolv.conf");
defaultText = literalExpression ''!(config.environment.etc ? "resolv.conf")'';
description = ''
DNS configuration is managed by resolvconf.
'';
};
dnsSingleRequest = lib.mkOption {
type = types.bool;
default = false;
description = ''
Recent versions of glibc will issue both ipv4 (A) and ipv6 (AAAA)
address queries at the same time, from the same port. Sometimes upstream
routers will systemically drop the ipv4 queries. The symptom of this problem is
that 'getent hosts example.com' only returns ipv6 (or perhaps only ipv4) addresses. The
workaround for this is to specify the option 'single-request' in
/etc/resolv.conf. This option enables that.
'';
};
dnsExtensionMechanism = mkOption {
type = types.bool;
default = true;
description = ''
Enable the <code>edns0</code> option in <filename>resolv.conf</filename>. With
that option set, <code>glibc</code> supports use of the extension mechanisms for
DNS (EDNS) specified in RFC 2671. The most popular user of that feature is DNSSEC,
which does not work without it.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
example = "libc=NO";
description = ''
Extra configuration to append to <filename>resolvconf.conf</filename>.
'';
};
extraOptions = mkOption {
type = types.listOf types.str;
default = [];
example = [ "ndots:1" "rotate" ];
description = ''
Set the options in <filename>/etc/resolv.conf</filename>.
'';
};
useLocalResolver = mkOption {
type = types.bool;
default = false;
description = ''
Use local DNS server for resolving.
'';
};
};
};
config = mkMerge [
{
environment.etc."resolvconf.conf".text =
if !cfg.enable then
# Force-stop any attempts to use resolvconf
''
echo "resolvconf is disabled on this system but was used anyway:" >&2
echo "$0 $*" >&2
exit 1
''
else configText;
}
(mkIf cfg.enable {
environment.systemPackages = [ pkgs.openresolv ];
systemd.services.resolvconf = {
description = "resolvconf update";
before = [ "network-pre.target" ];
wants = [ "network-pre.target" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."resolvconf.conf".source ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.openresolv}/bin/resolvconf -u";
RemainAfterExit = true;
};
};
})
];
}

224
nixos/modules/config/shells-environment.nix Normal file
View file

@ -0,0 +1,224 @@
# This module defines a global environment configuration and
# a common configuration for all shells.
{ config, lib, utils, pkgs, ... }:
with lib;
let
cfg = config.environment;
exportedEnvVars =
let
absoluteVariables =
mapAttrs (n: toList) cfg.variables;
suffixedVariables =
flip mapAttrs cfg.profileRelativeEnvVars (envVar: listSuffixes:
concatMap (profile: map (suffix: "${profile}${suffix}") listSuffixes) cfg.profiles
);
allVariables =
zipAttrsWith (n: concatLists) [ absoluteVariables suffixedVariables ];
exportVariables =
mapAttrsToList (n: v: ''export ${n}="${concatStringsSep ":" v}"'') allVariables;
in
concatStringsSep "\n" exportVariables;
in
{
options = {
environment.variables = mkOption {
default = {};
example = { EDITOR = "nvim"; VISUAL = "nvim"; };
description = ''
A set of environment variables used in the global environment.
These variables will be set on shell initialisation (e.g. in /etc/profile).
The value of each variable can be either a string or a list of
strings. The latter is concatenated, interspersed with colon
characters.
'';
type = with types; attrsOf (either str (listOf str));
apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else v);
};
environment.profiles = mkOption {
default = [];
description = ''
A list of profiles used to setup the global environment.
'';
type = types.listOf types.str;
};
environment.profileRelativeEnvVars = mkOption {
type = types.attrsOf (types.listOf types.str);
example = { PATH = [ "/bin" ]; MANPATH = [ "/man" "/share/man" ]; };
description = ''
Attribute set of environment variable. Each attribute maps to a list
of relative paths. Each relative path is appended to the each profile
of <option>environment.profiles</option> to form the content of the
corresponding environment variable.
'';
};
# !!! isn't there a better way?
environment.extraInit = mkOption {
default = "";
description = ''
Shell script code called during global environment initialisation
after all variables and profileVariables have been set.
This code is assumed to be shell-independent, which means you should
stick to pure sh without sh word split.
'';
type = types.lines;
};
environment.shellInit = mkOption {
default = "";
description = ''
Shell script code called during shell initialisation.
This code is assumed to be shell-independent, which means you should
stick to pure sh without sh word split.
'';
type = types.lines;
};
environment.loginShellInit = mkOption {
default = "";
description = ''
Shell script code called during login shell initialisation.
This code is assumed to be shell-independent, which means you should
stick to pure sh without sh word split.
'';
type = types.lines;
};
environment.interactiveShellInit = mkOption {
default = "";
description = ''
Shell script code called during interactive shell initialisation.
This code is assumed to be shell-independent, which means you should
stick to pure sh without sh word split.
'';
type = types.lines;
};
environment.shellAliases = mkOption {
example = { l = null; ll = "ls -l"; };
description = ''
An attribute set that maps aliases (the top level attribute names in
this option) to command strings or directly to build outputs. The
aliases are added to all users' shells.
Aliases mapped to <code>null</code> are ignored.
'';
type = with types; attrsOf (nullOr (either str path));
};
environment.homeBinInPath = mkOption {
description = ''
Include ~/bin/ in $PATH.
'';
default = false;
type = types.bool;
};
environment.localBinInPath = mkOption {
description = ''
Add ~/.local/bin/ to $PATH
'';
default = false;
type = types.bool;
};
environment.binsh = mkOption {
default = "${config.system.build.binsh}/bin/sh";
defaultText = literalExpression ''"''${config.system.build.binsh}/bin/sh"'';
example = literalExpression ''"''${pkgs.dash}/bin/dash"'';
type = types.path;
visible = false;
description = ''
The shell executable that is linked system-wide to
<literal>/bin/sh</literal>. Please note that NixOS assumes all
over the place that shell to be Bash, so override the default
setting only if you know exactly what you're doing.
'';
};
environment.shells = mkOption {
default = [];
example = literalExpression "[ pkgs.bashInteractive pkgs.zsh ]";
description = ''
A list of permissible login shells for user accounts.
No need to mention <literal>/bin/sh</literal>
here, it is placed into this list implicitly.
'';
type = types.listOf (types.either types.shellPackage types.path);
};
};
config = {
system.build.binsh = pkgs.bashInteractive;
# Set session variables in the shell as well. This is usually
# unnecessary, but it allows changes to session variables to take
# effect without restarting the session (e.g. by opening a new
# terminal instead of logging out of X11).
environment.variables = config.environment.sessionVariables;
environment.profileRelativeEnvVars = config.environment.profileRelativeSessionVariables;
environment.shellAliases = mapAttrs (name: mkDefault) {
ls = "ls --color=tty";
ll = "ls -l";
l = "ls -alh";
};
environment.etc.shells.text =
''
${concatStringsSep "\n" (map utils.toShellPath cfg.shells)}
/bin/sh
'';
# For resetting environment with `. /etc/set-environment` when needed
# and discoverability (see motivation of #30418).
environment.etc.set-environment.source = config.system.build.setEnvironment;
system.build.setEnvironment = pkgs.writeText "set-environment"
''
# DO NOT EDIT -- this file has been generated automatically.
# Prevent this file from being sourced by child shells.
export __NIXOS_SET_ENVIRONMENT_DONE=1
${exportedEnvVars}
${cfg.extraInit}
${optionalString cfg.homeBinInPath ''
# ~/bin if it exists overrides other bin directories.
export PATH="$HOME/bin:$PATH"
''}
${optionalString cfg.localBinInPath ''
export PATH="$HOME/.local/bin:$PATH"
''}
'';
system.activationScripts.binsh = stringAfter [ "stdio" ]
''
# Create the required /bin/sh symlink; otherwise lots of things
# (notably the system() function) won't work.
mkdir -m 0755 -p /bin
ln -sfn "${cfg.binsh}" /bin/.sh.tmp
mv /bin/.sh.tmp /bin/sh # atomically replace /bin/sh
'';
};
}

249
nixos/modules/config/swap.nix Normal file
View file

@ -0,0 +1,249 @@
{ config, lib, pkgs, utils, ... }:
with utils;
with lib;
let
randomEncryptionCoerce = enable: { inherit enable; };
randomEncryptionOpts = { ... }: {
options = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Encrypt swap device with a random key. This way you won't have a persistent swap device.
WARNING: Don't try to hibernate when you have at least one swap partition with
this option enabled! We have no way to set the partition into which hibernation image
is saved, so if your image ends up on an encrypted one you would lose it!
WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device
when using randomEncryption as the UUIDs and labels will get erased on every boot when
the partition is encrypted. Best to use /dev/disk/by-partuuid/
'';
};
cipher = mkOption {
default = "aes-xts-plain64";
example = "serpent-xts-plain64";
type = types.str;
description = ''
Use specified cipher for randomEncryption.
Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.
'';
};
source = mkOption {
default = "/dev/urandom";
example = "/dev/random";
type = types.str;
description = ''
Define the source of randomness to obtain a random key for encryption.
'';
};
allowDiscards = mkOption {
default = false;
type = types.bool;
description = ''
Whether to allow TRIM requests to the underlying device. This option
has security implications; please read the LUKS documentation before
activating it.
'';
};
};
};
swapCfg = {config, options, ...}: {
options = {
device = mkOption {
example = "/dev/sda3";
type = types.str;
description = "Path of the device or swap file.";
};
label = mkOption {
example = "swap";
type = types.str;
description = ''
Label of the device. Can be used instead of <varname>device</varname>.
'';
};
size = mkOption {
default = null;
example = 2048;
type = types.nullOr types.int;
description = ''
If this option is set, device is interpreted as the
path of a swapfile that will be created automatically
with the indicated size (in megabytes).
'';
};
priority = mkOption {
default = null;
example = 2048;
type = types.nullOr types.int;
description = ''
Specify the priority of the swap device. Priority is a value between 0 and 32767.
Higher numbers indicate higher priority.
null lets the kernel choose a priority, which will show up as a negative value.
'';
};
randomEncryption = mkOption {
default = false;
example = {
enable = true;
cipher = "serpent-xts-plain64";
source = "/dev/random";
};
type = types.coercedTo types.bool randomEncryptionCoerce (types.submodule randomEncryptionOpts);
description = ''
Encrypt swap device with a random key. This way you won't have a persistent swap device.
HINT: run "cryptsetup benchmark" to test cipher performance on your machine.
WARNING: Don't try to hibernate when you have at least one swap partition with
this option enabled! We have no way to set the partition into which hibernation image
is saved, so if your image ends up on an encrypted one you would lose it!
WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device
when using randomEncryption as the UUIDs and labels will get erased on every boot when
the partition is encrypted. Best to use /dev/disk/by-partuuid/
'';
};
discardPolicy = mkOption {
default = null;
example = "once";
type = types.nullOr (types.enum ["once" "pages" "both" ]);
description = ''
Specify the discard policy for the swap device. If "once", then the
whole swap space is discarded at swapon invocation. If "pages",
asynchronous discard on freed pages is performed, before returning to
the available pages pool. With "both", both policies are activated.
See swapon(8) for more information.
'';
};
options = mkOption {
default = [ "defaults" ];
example = [ "nofail" ];
type = types.listOf types.nonEmptyStr;
description = ''
Options used to mount the swap.
'';
};
deviceName = mkOption {
type = types.str;
internal = true;
};
realDevice = mkOption {
type = types.path;
internal = true;
};
};
config = rec {
device = mkIf options.label.isDefined
"/dev/disk/by-label/${config.label}";
deviceName = lib.replaceChars ["\\"] [""] (escapeSystemdPath config.device);
realDevice = if config.randomEncryption.enable then "/dev/mapper/${deviceName}" else config.device;
};
};
in
{
###### interface
options = {
swapDevices = mkOption {
default = [];
example = [
{ device = "/dev/hda7"; }
{ device = "/var/swapfile"; }
{ label = "bigswap"; }
];
description = ''
The swap devices and swap files. These must have been
initialised using <command>mkswap</command>. Each element
should be an attribute set specifying either the path of the
swap device or file (<literal>device</literal>) or the label
of the swap device (<literal>label</literal>, see
<command>mkswap -L</command>). Using a label is
recommended.
'';
type = types.listOf (types.submodule swapCfg);
};
};
config = mkIf ((length config.swapDevices) != 0) {
system.requiredKernelConfig = with config.lib.kernelConfig; [
(isYes "SWAP")
];
# Create missing swapfiles.
systemd.services =
let
createSwapDevice = sw:
assert sw.device != "";
assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-uuid" sw.device);
assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-label" sw.device);
let realDevice' = escapeSystemdPath sw.realDevice;
in nameValuePair "mkswap-${sw.deviceName}"
{ description = "Initialisation of swap device ${sw.device}";
wantedBy = [ "${realDevice'}.swap" ];
before = [ "${realDevice'}.swap" ];
path = [ pkgs.util-linux ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup;
script =
''
${optionalString (sw.size != null) ''
currentSize=$(( $(stat -c "%s" "${sw.device}" 2>/dev/null || echo 0) / 1024 / 1024 ))
if [ "${toString sw.size}" != "$currentSize" ]; then
dd if=/dev/zero of="${sw.device}" bs=1M count=${toString sw.size}
chmod 0600 ${sw.device}
${optionalString (!sw.randomEncryption.enable) "mkswap ${sw.realDevice}"}
fi
''}
${optionalString sw.randomEncryption.enable ''
cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} \
${optionalString sw.randomEncryption.allowDiscards "--allow-discards"} ${sw.device} ${sw.deviceName}
mkswap ${sw.realDevice}
''}
'';
unitConfig.RequiresMountsFor = [ "${dirOf sw.device}" ];
unitConfig.DefaultDependencies = false; # needed to prevent a cycle
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = sw.randomEncryption.enable;
serviceConfig.ExecStop = optionalString sw.randomEncryption.enable "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}";
restartIfChanged = false;
};
in listToAttrs (map createSwapDevice (filter (sw: sw.size != null || sw.randomEncryption.enable) config.swapDevices));
};
}

63
nixos/modules/config/sysctl.nix Normal file
View file

@ -0,0 +1,63 @@
{ config, lib, ... }:
with lib;
let
sysctlOption = mkOptionType {
name = "sysctl option value";
check = val:
let
checkType = x: isBool x || isString x || isInt x || x == null;
in
checkType val || (val._type or "" == "override" && checkType val.content);
merge = loc: defs: mergeOneOption loc (filterOverrides defs);
};
in
{
options = {
boot.kernel.sysctl = mkOption {
default = {};
example = literalExpression ''
{ "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }
'';
type = types.attrsOf sysctlOption;
description = ''
Runtime parameters of the Linux kernel, as set by
<citerefentry><refentrytitle>sysctl</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>. Note that sysctl
parameters names must be enclosed in quotes
(e.g. <literal>"vm.swappiness"</literal> instead of
<literal>vm.swappiness</literal>). The value of each
parameter may be a string, integer, boolean, or null
(signifying the option will not appear at all).
'';
};
};
config = {
environment.etc."sysctl.d/60-nixos.conf".text =
concatStrings (mapAttrsToList (n: v:
optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
) config.boot.kernel.sysctl);
systemd.services.systemd-sysctl =
{ wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
};
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged
# users as these make it easier to exploit kernel vulnerabilities.
boot.kernel.sysctl."kernel.kptr_restrict" = mkDefault 1;
# Disable YAMA by default to allow easy debugging.
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;
};
}

104
nixos/modules/config/system-environment.nix Normal file
View file

@ -0,0 +1,104 @@
# This module defines a system-wide environment that will be
# initialised by pam_env (that is, not only in shells).
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.environment;
in
{
options = {
environment.sessionVariables = mkOption {
default = {};
description = ''
A set of environment variables used in the global environment.
These variables will be set by PAM early in the login process.
The value of each session variable can be either a string or a
list of strings. The latter is concatenated, interspersed with
colon characters.
Note, due to limitations in the PAM format values may not
contain the <literal>"</literal> character.
Also, these variables are merged into
<xref linkend="opt-environment.variables"/> and it is
therefore not possible to use PAM style variables such as
<code>@{HOME}</code>.
'';
type = with types; attrsOf (either str (listOf str));
apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else v);
};
environment.profileRelativeSessionVariables = mkOption {
type = types.attrsOf (types.listOf types.str);
example = { PATH = [ "/bin" ]; MANPATH = [ "/man" "/share/man" ]; };
description = ''
Attribute set of environment variable used in the global
environment. These variables will be set by PAM early in the
login process.
Variable substitution is available as described in
<citerefentry>
<refentrytitle>pam_env.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>.
Each attribute maps to a list of relative paths. Each relative
path is appended to the each profile of
<option>environment.profiles</option> to form the content of
the corresponding environment variable.
Also, these variables are merged into
<xref linkend="opt-environment.profileRelativeEnvVars"/> and it is
therefore not possible to use PAM style variables such as
<code>@{HOME}</code>.
'';
};
};
config = {
environment.etc."pam/environment".text = let
suffixedVariables =
flip mapAttrs cfg.profileRelativeSessionVariables (envVar: suffixes:
flip concatMap cfg.profiles (profile:
map (suffix: "${profile}${suffix}") suffixes
)
);
# We're trying to use the same syntax for PAM variables and env variables.
# That means we need to map the env variables that people might use to their
# equivalent PAM variable.
replaceEnvVars = replaceStrings ["$HOME" "$USER"] ["@{HOME}" "@{PAM_USER}"];
pamVariable = n: v:
''${n} DEFAULT="${concatStringsSep ":" (map replaceEnvVars (toList v))}"'';
pamVariables =
concatStringsSep "\n"
(mapAttrsToList pamVariable
(zipAttrsWith (n: concatLists)
[
# Make sure security wrappers are prioritized without polluting
# shell environments with an extra entry. Sessions which depend on
# pam for its environment will otherwise have eg. broken sudo. In
# particular Gnome Shell sometimes fails to source a proper
# environment from a shell.
{ PATH = [ config.security.wrapperDir ]; }
(mapAttrs (n: toList) cfg.sessionVariables)
suffixedVariables
]));
in ''
${pamVariables}
'';
};
}

189
nixos/modules/config/system-path.nix Normal file
View file

@ -0,0 +1,189 @@
# This module defines the packages that appear in
# /run/current-system/sw.
{ config, lib, pkgs, ... }:
with lib;
let
requiredPackages = map (pkg: setPrio ((pkg.meta.priority or 5) + 3) pkg)
[ pkgs.acl
pkgs.attr
pkgs.bashInteractive # bash with ncurses support
pkgs.bzip2
pkgs.coreutils-full
pkgs.cpio
pkgs.curl
pkgs.diffutils
pkgs.findutils
pkgs.gawk
pkgs.stdenv.cc.libc
pkgs.getent
pkgs.getconf
pkgs.gnugrep
pkgs.gnupatch
pkgs.gnused
pkgs.gnutar
pkgs.gzip
pkgs.xz
pkgs.less
pkgs.libcap
pkgs.ncurses
pkgs.netcat
config.programs.ssh.package
pkgs.mkpasswd
pkgs.procps
pkgs.su
pkgs.time
pkgs.util-linux
pkgs.which
pkgs.zstd
];
defaultPackageNames =
[ "nano"
"perl"
"rsync"
"strace"
];
defaultPackages =
map
(n: let pkg = pkgs.${n}; in setPrio ((pkg.meta.priority or 5) + 3) pkg)
defaultPackageNames;
defaultPackagesText = "[ ${concatMapStringsSep " " (n: "pkgs.${n}") defaultPackageNames } ]";
in
{
options = {
environment = {
systemPackages = mkOption {
type = types.listOf types.package;
default = [];
example = literalExpression "[ pkgs.firefox pkgs.thunderbird ]";
description = ''
The set of packages that appear in
/run/current-system/sw. These packages are
automatically available to all users, and are
automatically updated every time you rebuild the system
configuration. (The latter is the main difference with
installing them in the default profile,
<filename>/nix/var/nix/profiles/default</filename>.
'';
};
defaultPackages = mkOption {
type = types.listOf types.package;
default = defaultPackages;
defaultText = literalDocBook ''
these packages, with their <literal>meta.priority</literal> numerically increased
(thus lowering their installation priority):
<programlisting>${defaultPackagesText}</programlisting>
'';
example = [];
description = ''
Set of default packages that aren't strictly necessary
for a running system, entries can be removed for a more
minimal NixOS installation.
Note: If <package>pkgs.nano</package> is removed from this list,
make sure another editor is installed and the
<literal>EDITOR</literal> environment variable is set to it.
Environment variables can be set using
<option>environment.variables</option>.
Like with systemPackages, packages are installed to
<filename>/run/current-system/sw</filename>. They are
automatically available to all users, and are
automatically updated every time you rebuild the system
configuration.
'';
};
pathsToLink = mkOption {
type = types.listOf types.str;
# Note: We need `/lib' to be among `pathsToLink' for NSS modules
# to work.
default = [];
example = ["/"];
description = "List of directories to be symlinked in <filename>/run/current-system/sw</filename>.";
};
extraOutputsToInstall = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "doc" "info" "devdoc" ];
description = "List of additional package outputs to be symlinked into <filename>/run/current-system/sw</filename>.";
};
extraSetup = mkOption {
type = types.lines;
default = "";
description = "Shell fragments to be run after the system environment has been created. This should only be used for things that need to modify the internals of the environment, e.g. generating MIME caches. The environment being built can be accessed at $out.";
};
};
system = {
path = mkOption {
internal = true;
description = ''
The packages you want in the boot environment.
'';
};
};
};
config = {
environment.systemPackages = requiredPackages ++ config.environment.defaultPackages;
environment.pathsToLink =
[ "/bin"
"/etc/xdg"
"/etc/gtk-2.0"
"/etc/gtk-3.0"
"/lib" # FIXME: remove and update debug-info.nix
"/sbin"
"/share/emacs"
"/share/hunspell"
"/share/nano"
"/share/org"
"/share/themes"
"/share/vim-plugins"
"/share/vulkan"
"/share/kservices5"
"/share/kservicetypes5"
"/share/kxmlgui5"
"/share/systemd"
"/share/thumbnailers"
];
system.path = pkgs.buildEnv {
name = "system-path";
paths = config.environment.systemPackages;
inherit (config.environment) pathsToLink extraOutputsToInstall;
ignoreCollisions = true;
# !!! Hacky, should modularise.
# outputs TODO: note that the tools will often not be linked by default
postBuild =
''
# Remove wrapped binaries, they shouldn't be accessible via PATH.
find $out/bin -maxdepth 1 -name ".*-wrapped" -type l -delete
if [ -x $out/bin/glib-compile-schemas -a -w $out/share/glib-2.0/schemas ]; then
$out/bin/glib-compile-schemas $out/share/glib-2.0/schemas
fi
${config.environment.extraSetup}
'';
};
};
}

57
nixos/modules/config/terminfo.nix Normal file
View file

@ -0,0 +1,57 @@
# This module manages the terminfo database
# and its integration in the system.
{ config, lib, pkgs, ... }:
with lib;
{
options.environment.enableAllTerminfo = with lib; mkOption {
default = false;
type = types.bool;
description = ''
Whether to install all terminfo outputs
'';
};
config = {
# can be generated with: filter (drv: (builtins.tryEval (drv ? terminfo)).value) (attrValues pkgs)
environment.systemPackages = mkIf config.environment.enableAllTerminfo (map (x: x.terminfo) (with pkgs; [
alacritty
foot
kitty
mtm
rxvt-unicode-unwrapped
rxvt-unicode-unwrapped-emoji
termite
wezterm
]));
environment.pathsToLink = [
"/share/terminfo"
];
environment.etc.terminfo = {
source = "${config.system.path}/share/terminfo";
};
environment.profileRelativeSessionVariables = {
TERMINFO_DIRS = [ "/share/terminfo" ];
};
environment.extraInit = ''
# reset TERM with new TERMINFO available (if any)
export TERM=$TERM
'';
security.sudo.extraConfig = ''
# Keep terminfo database for root and %wheel.
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
Defaults:root,%wheel env_keep+=TERMINFO
'';
};
}

38
nixos/modules/config/unix-odbc-drivers.nix Normal file
View file

@ -0,0 +1,38 @@
{ config, lib, ... }:
with lib;
# unixODBC drivers (this solution is not perfect.. Because the user has to
# ask the admin to add a driver.. but it's simple and works
let
iniDescription = pkg: ''
[${pkg.fancyName}]
Description = ${pkg.meta.description}
Driver = ${pkg}/${pkg.driver}
'';
in {
###### interface
options = {
environment.unixODBCDrivers = mkOption {
type = types.listOf types.package;
default = [];
example = literalExpression "with pkgs.unixODBCDrivers; [ sqlite psql ]";
description = ''
Specifies Unix ODBC drivers to be registered in
<filename>/etc/odbcinst.ini</filename>. You may also want to
add <literal>pkgs.unixODBC</literal> to the system path to get
a command line client to connect to ODBC databases.
'';
};
};
###### implementation
config = mkIf (config.environment.unixODBCDrivers != []) {
environment.etc."odbcinst.ini".text = concatMapStringsSep "\n" iniDescription config.environment.unixODBCDrivers;
};
}

365
nixos/modules/config/update-users-groups.pl Normal file
View file

@ -0,0 +1,365 @@
use strict;
use warnings;
use File::Path qw(make_path);
use File::Slurp;
use Getopt::Long;
use JSON;
# Keep track of deleted uids and gids.
my $uidMapFile = "/var/lib/nixos/uid-map";
my $uidMap = -e $uidMapFile ? decode_json(read_file($uidMapFile)) : {};
my $gidMapFile = "/var/lib/nixos/gid-map";
my $gidMap = -e $gidMapFile ? decode_json(read_file($gidMapFile)) : {};
my $is_dry = ($ENV{'NIXOS_ACTION'} // "") eq "dry-activate";
GetOptions("dry-activate" => \$is_dry);
make_path("/var/lib/nixos", { mode => 0755 }) unless $is_dry;
sub updateFile {
my ($path, $contents, $perms) = @_;
return if $is_dry;
write_file($path, { atomic => 1, binmode => ':utf8', perms => $perms // 0644 }, $contents) or die;
}
sub nscdInvalidate {
system("nscd", "--invalidate", $_[0]) unless $is_dry;
}
sub hashPassword {
my ($password) = @_;
my $salt = "";
my @chars = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
$salt .= $chars[rand 64] for (1..8);
return crypt($password, '$6$' . $salt . '$');
}
sub dry_print {
if ($is_dry) {
print STDERR ("$_[1] $_[2]\n")
} else {
print STDERR ("$_[0] $_[2]\n")
}
}
# Functions for allocating free GIDs/UIDs. FIXME: respect ID ranges in
# /etc/login.defs.
sub allocId {
my ($used, $prevUsed, $idMin, $idMax, $up, $getid) = @_;
my $id = $up ? $idMin : $idMax;
while ($id >= $idMin && $id <= $idMax) {
if (!$used->{$id} && !$prevUsed->{$id} && !defined &$getid($id)) {
$used->{$id} = 1;
return $id;
}
$used->{$id} = 1;
if ($up) { $id++; } else { $id--; }
}
die "$0: out of free UIDs or GIDs\n";
}
my (%gidsUsed, %uidsUsed, %gidsPrevUsed, %uidsPrevUsed);
sub allocGid {
my ($name) = @_;
my $prevGid = $gidMap->{$name};
if (defined $prevGid && !defined $gidsUsed{$prevGid}) {
dry_print("reviving", "would revive", "group '$name' with GID $prevGid");
$gidsUsed{$prevGid} = 1;
return $prevGid;
}
return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 999, 0, sub { my ($gid) = @_; getgrgid($gid) });
}
sub allocUid {
my ($name, $isSystemUser) = @_;
my ($min, $max, $up) = $isSystemUser ? (400, 999, 0) : (1000, 29999, 1);
my $prevUid = $uidMap->{$name};
if (defined $prevUid && $prevUid >= $min && $prevUid <= $max && !defined $uidsUsed{$prevUid}) {
dry_print("reviving", "would revive", "user '$name' with UID $prevUid");
$uidsUsed{$prevUid} = 1;
return $prevUid;
}
return allocId(\%uidsUsed, \%uidsPrevUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
}
# Read the declared users/groups
my $spec = decode_json(read_file($ARGV[0]));
# Don't allocate UIDs/GIDs that are manually assigned.
foreach my $g (@{$spec->{groups}}) {
$gidsUsed{$g->{gid}} = 1 if defined $g->{gid};
}
foreach my $u (@{$spec->{users}}) {
$uidsUsed{$u->{uid}} = 1 if defined $u->{uid};
}
# Likewise for previously used but deleted UIDs/GIDs.
$uidsPrevUsed{$_} = 1 foreach values %{$uidMap};
$gidsPrevUsed{$_} = 1 foreach values %{$gidMap};
# Read the current /etc/group.
sub parseGroup {
chomp;
my @f = split(':', $_, -4);
my $gid = $f[2] eq "" ? undef : int($f[2]);
$gidsUsed{$gid} = 1 if defined $gid;
return ($f[0], { name => $f[0], password => $f[1], gid => $gid, members => $f[3] });
}
my %groupsCur = -f "/etc/group" ? map { parseGroup } read_file("/etc/group", { binmode => ":utf8" }) : ();
# Read the current /etc/passwd.
sub parseUser {
chomp;
my @f = split(':', $_, -7);
my $uid = $f[2] eq "" ? undef : int($f[2]);
$uidsUsed{$uid} = 1 if defined $uid;
return ($f[0], { name => $f[0], fakePassword => $f[1], uid => $uid,
gid => $f[3], description => $f[4], home => $f[5], shell => $f[6] });
}
my %usersCur = -f "/etc/passwd" ? map { parseUser } read_file("/etc/passwd", { binmode => ":utf8" }) : ();
# Read the groups that were created declaratively (i.e. not by groups)
# in the past. These must be removed if they are no longer in the
# current spec.
my $declGroupsFile = "/var/lib/nixos/declarative-groups";
my %declGroups;
$declGroups{$_} = 1 foreach split / /, -e $declGroupsFile ? read_file($declGroupsFile, { binmode => ":utf8" }) : "";
# Idem for the users.
my $declUsersFile = "/var/lib/nixos/declarative-users";
my %declUsers;
$declUsers{$_} = 1 foreach split / /, -e $declUsersFile ? read_file($declUsersFile, { binmode => ":utf8" }) : "";
# Generate a new /etc/group containing the declared groups.
my %groupsOut;
foreach my $g (@{$spec->{groups}}) {
my $name = $g->{name};
my $existing = $groupsCur{$name};
my %members = map { ($_, 1) } @{$g->{members}};
if (defined $existing) {
$g->{gid} = $existing->{gid} if !defined $g->{gid};
if ($g->{gid} != $existing->{gid}) {
dry_print("warning: not applying", "warning: would not apply", "GID change of group $name ($existing->{gid} -> $g->{gid})");
$g->{gid} = $existing->{gid};
}
$g->{password} = $existing->{password}; # do we want this?
if ($spec->{mutableUsers}) {
# Merge in non-declarative group members.
foreach my $uname (split /,/, $existing->{members} // "") {
$members{$uname} = 1 if !defined $declUsers{$uname};
}
}
} else {
$g->{gid} = allocGid($name) if !defined $g->{gid};
$g->{password} = "x";
}
$g->{members} = join ",", sort(keys(%members));
$groupsOut{$name} = $g;
$gidMap->{$name} = $g->{gid};
}
# Update the persistent list of declarative groups.
updateFile($declGroupsFile, join(" ", sort(keys %groupsOut)));
# Merge in the existing /etc/group.
foreach my $name (keys %groupsCur) {
my $g = $groupsCur{$name};
next if defined $groupsOut{$name};
if (!$spec->{mutableUsers} || defined $declGroups{$name}) {
dry_print("removing group", "would remove group", "$name");
} else {
$groupsOut{$name} = $g;
}
}
# Rewrite /etc/group. FIXME: acquire lock.
my @lines = map { join(":", $_->{name}, $_->{password}, $_->{gid}, $_->{members}) . "\n" }
(sort { $a->{gid} <=> $b->{gid} } values(%groupsOut));
updateFile($gidMapFile, to_json($gidMap));
updateFile("/etc/group", \@lines);
nscdInvalidate("group");
# Generate a new /etc/passwd containing the declared users.
my %usersOut;
foreach my $u (@{$spec->{users}}) {
my $name = $u->{name};
# Resolve the gid of the user.
if ($u->{group} =~ /^[0-9]$/) {
$u->{gid} = $u->{group};
} elsif (defined $groupsOut{$u->{group}}) {
$u->{gid} = $groupsOut{$u->{group}}->{gid} // die;
} else {
warn "warning: user $name has unknown group $u->{group}\n";
$u->{gid} = 65534;
}
my $existing = $usersCur{$name};
if (defined $existing) {
$u->{uid} = $existing->{uid} if !defined $u->{uid};
if ($u->{uid} != $existing->{uid}) {
dry_print("warning: not applying", "warning: would not apply", "UID change of user $name ($existing->{uid} -> $u->{uid})");
$u->{uid} = $existing->{uid};
}
} else {
$u->{uid} = allocUid($name, $u->{isSystemUser}) if !defined $u->{uid};
if (defined $u->{initialPassword}) {
$u->{hashedPassword} = hashPassword($u->{initialPassword});
} elsif (defined $u->{initialHashedPassword}) {
$u->{hashedPassword} = $u->{initialHashedPassword};
}
}
# Ensure home directory incl. ownership and permissions.
if ($u->{createHome} and !$is_dry) {
make_path($u->{home}, { mode => oct($u->{homeMode}) }) if ! -e $u->{home};
chown $u->{uid}, $u->{gid}, $u->{home};
chmod oct($u->{homeMode}), $u->{home};
}
if (defined $u->{passwordFile}) {
if (-e $u->{passwordFile}) {
$u->{hashedPassword} = read_file($u->{passwordFile});
chomp $u->{hashedPassword};
} else {
warn "warning: password file $u->{passwordFile} does not exist\n";
}
} elsif (defined $u->{password}) {
$u->{hashedPassword} = hashPassword($u->{password});
}
if (!defined $u->{shell}) {
if (defined $existing) {
$u->{shell} = $existing->{shell};
} else {
warn "warning: no declarative or previous shell for $name, setting shell to nologin\n";
$u->{shell} = "/run/current-system/sw/bin/nologin";
}
}
$u->{fakePassword} = $existing->{fakePassword} // "x";
$usersOut{$name} = $u;
$uidMap->{$name} = $u->{uid};
}
# Update the persistent list of declarative users.
updateFile($declUsersFile, join(" ", sort(keys %usersOut)));
# Merge in the existing /etc/passwd.
foreach my $name (keys %usersCur) {
my $u = $usersCur{$name};
next if defined $usersOut{$name};
if (!$spec->{mutableUsers} || defined $declUsers{$name}) {
dry_print("removing user", "would remove user", "$name");
} else {
$usersOut{$name} = $u;
}
}
# Rewrite /etc/passwd. FIXME: acquire lock.
@lines = map { join(":", $_->{name}, $_->{fakePassword}, $_->{uid}, $_->{gid}, $_->{description}, $_->{home}, $_->{shell}) . "\n" }
(sort { $a->{uid} <=> $b->{uid} } (values %usersOut));
updateFile($uidMapFile, to_json($uidMap));
updateFile("/etc/passwd", \@lines);
nscdInvalidate("passwd");
# Rewrite /etc/shadow to add new accounts or remove dead ones.
my @shadowNew;
my %shadowSeen;
foreach my $line (-f "/etc/shadow" ? read_file("/etc/shadow", { binmode => ":utf8" }) : ()) {
chomp $line;
my ($name, $hashedPassword, @rest) = split(':', $line, -9);
my $u = $usersOut{$name};;
next if !defined $u;
$hashedPassword = "!" if !$spec->{mutableUsers};
$hashedPassword = $u->{hashedPassword} if defined $u->{hashedPassword} && !$spec->{mutableUsers}; # FIXME
chomp $hashedPassword;
push @shadowNew, join(":", $name, $hashedPassword, @rest) . "\n";
$shadowSeen{$name} = 1;
}
foreach my $u (values %usersOut) {
next if defined $shadowSeen{$u->{name}};
my $hashedPassword = "!";
$hashedPassword = $u->{hashedPassword} if defined $u->{hashedPassword};
# FIXME: set correct value for sp_lstchg.
push @shadowNew, join(":", $u->{name}, $hashedPassword, "1::::::") . "\n";
}
updateFile("/etc/shadow", \@shadowNew, 0640);
{
my $uid = getpwnam "root";
my $gid = getgrnam "shadow";
my $path = "/etc/shadow";
(chown($uid, $gid, $path) || die "Failed to change ownership of $path: $!") unless $is_dry;
}
# Rewrite /etc/subuid & /etc/subgid to include default container mappings
my $subUidMapFile = "/var/lib/nixos/auto-subuid-map";
my $subUidMap = -e $subUidMapFile ? decode_json(read_file($subUidMapFile)) : {};
my (%subUidsUsed, %subUidsPrevUsed);
$subUidsPrevUsed{$_} = 1 foreach values %{$subUidMap};
sub allocSubUid {
my ($name, @rest) = @_;
# TODO: No upper bounds?
my ($min, $max, $up) = (100000, 100000 * 100, 1);
my $prevId = $subUidMap->{$name};
if (defined $prevId && !defined $subUidsUsed{$prevId}) {
$subUidsUsed{$prevId} = 1;
return $prevId;
}
my $id = allocId(\%subUidsUsed, \%subUidsPrevUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
my $offset = $id - 100000;
my $count = $offset * 65536;
my $subordinate = 100000 + $count;
return $subordinate;
}
my @subGids;
my @subUids;
foreach my $u (values %usersOut) {
my $name = $u->{name};
foreach my $range (@{$u->{subUidRanges}}) {
my $value = join(":", ($name, $range->{startUid}, $range->{count}));
push @subUids, $value;
}
foreach my $range (@{$u->{subGidRanges}}) {
my $value = join(":", ($name, $range->{startGid}, $range->{count}));
push @subGids, $value;
}
if($u->{autoSubUidGidRange}) {
my $subordinate = allocSubUid($name);
$subUidMap->{$name} = $subordinate;
my $value = join(":", ($name, $subordinate, 65536));
push @subUids, $value;
push @subGids, $value;
}
}
updateFile("/etc/subuid", join("\n", @subUids) . "\n");
updateFile("/etc/subgid", join("\n", @subGids) . "\n");
updateFile($subUidMapFile, encode_json($subUidMap) . "\n");

722
nixos/modules/config/users-groups.nix Normal file
View file

@ -0,0 +1,722 @@
{ config, lib, utils, pkgs, ... }:
with lib;
let
ids = config.ids;
cfg = config.users;
isPasswdCompatible = str: !(hasInfix ":" str || hasInfix "\n" str);
passwdEntry = type: lib.types.addCheck type isPasswdCompatible // {
name = "passwdEntry ${type.name}";
description = "${type.description}, not containing newlines or colons";
};
# Check whether a password hash will allow login.
allowsLogin = hash:
hash == "" # login without password
|| !(lib.elem hash
[ null # password login disabled
"!" # password login disabled
"!!" # a variant of "!"
"*" # password unset
]);
passwordDescription = ''
The options <option>hashedPassword</option>,
<option>password</option> and <option>passwordFile</option>
controls what password is set for the user.
<option>hashedPassword</option> overrides both
<option>password</option> and <option>passwordFile</option>.
<option>password</option> overrides <option>passwordFile</option>.
If none of these three options are set, no password is assigned to
the user, and the user will not be able to do password logins.
If the option <option>users.mutableUsers</option> is true, the
password defined in one of the three options will only be set when
the user is created for the first time. After that, you are free to
change the password with the ordinary user management commands. If
<option>users.mutableUsers</option> is false, you cannot change
user passwords, they will always be set according to the password
options.
'';
hashedPasswordDescription = ''
To generate a hashed password run <literal>mkpasswd -m sha-512</literal>.
If set to an empty string (<literal>""</literal>), this user will
be able to log in without being asked for a password (but not via remote
services such as SSH, or indirectly via <command>su</command> or
<command>sudo</command>). This should only be used for e.g. bootable
live systems. Note: this is different from setting an empty password,
which can be achieved using <option>users.users.&lt;name?&gt;.password</option>.
If set to <literal>null</literal> (default) this user will not
be able to log in using a password (i.e. via <command>login</command>
command).
'';
userOpts = { name, config, ... }: {
options = {
name = mkOption {
type = passwdEntry types.str;
apply = x: assert (builtins.stringLength x < 32 || abort "Username '${x}' is longer than 31 characters which is not allowed!"); x;
description = ''
The name of the user account. If undefined, the name of the
attribute set will be used.
'';
};
description = mkOption {
type = passwdEntry types.str;
default = "";
example = "Alice Q. User";
description = ''
A short description of the user account, typically the
user's full name. This is actually the GECOS or comment
field in <filename>/etc/passwd</filename>.
'';
};
uid = mkOption {
type = with types; nullOr int;
default = null;
description = ''
The account UID. If the UID is null, a free UID is picked on
activation.
'';
};
isSystemUser = mkOption {
type = types.bool;
default = false;
description = ''
Indicates if the user is a system user or not. This option
only has an effect if <option>uid</option> is
<option>null</option>, in which case it determines whether
the user's UID is allocated in the range for system users
(below 500) or in the range for normal users (starting at
1000).
Exactly one of <literal>isNormalUser</literal> and
<literal>isSystemUser</literal> must be true.
'';
};
isNormalUser = mkOption {
type = types.bool;
default = false;
description = ''
Indicates whether this is an account for a real user. This
automatically sets <option>group</option> to
<literal>users</literal>, <option>createHome</option> to
<literal>true</literal>, <option>home</option> to
<filename>/home/<replaceable>username</replaceable></filename>,
<option>useDefaultShell</option> to <literal>true</literal>,
and <option>isSystemUser</option> to
<literal>false</literal>.
Exactly one of <literal>isNormalUser</literal> and
<literal>isSystemUser</literal> must be true.
'';
};
group = mkOption {
type = types.str;
apply = x: assert (builtins.stringLength x < 32 || abort "Group name '${x}' is longer than 31 characters which is not allowed!"); x;
default = "";
description = "The user's primary group.";
};
extraGroups = mkOption {
type = types.listOf types.str;
default = [];
description = "The user's auxiliary groups.";
};
home = mkOption {
type = passwdEntry types.path;
default = "/var/empty";
description = "The user's home directory.";
};
homeMode = mkOption {
type = types.strMatching "[0-7]{1,5}";
default = "700";
description = "The user's home directory mode in numeric format. See chmod(1). The mode is only applied if <option>users.users.&lt;name&gt;.createHome</option> is true.";
};
cryptHomeLuks = mkOption {
type = with types; nullOr str;
default = null;
description = ''
Path to encrypted luks device that contains
the user's home directory.
'';
};
pamMount = mkOption {
type = with types; attrsOf str;
default = {};
description = ''
Attributes for user's entry in
<filename>pam_mount.conf.xml</filename>.
Useful attributes might include <code>path</code>,
<code>options</code>, <code>fstype</code>, and <code>server</code>.
See <link
xlink:href="http://pam-mount.sourceforge.net/pam_mount.conf.5.html" />
for more information.
'';
};
shell = mkOption {
type = types.nullOr (types.either types.shellPackage (passwdEntry types.path));
default = pkgs.shadow;
defaultText = literalExpression "pkgs.shadow";
example = literalExpression "pkgs.bashInteractive";
description = ''
The path to the user's shell. Can use shell derivations,
like <literal>pkgs.bashInteractive</literal>. Dont
forget to enable your shell in
<literal>programs</literal> if necessary,
like <code>programs.zsh.enable = true;</code>.
'';
};
subUidRanges = mkOption {
type = with types; listOf (submodule subordinateUidRange);
default = [];
example = [
{ startUid = 1000; count = 1; }
{ startUid = 100001; count = 65534; }
];
description = ''
Subordinate user ids that user is allowed to use.
They are set into <filename>/etc/subuid</filename> and are used
by <literal>newuidmap</literal> for user namespaces.
'';
};
subGidRanges = mkOption {
type = with types; listOf (submodule subordinateGidRange);
default = [];
example = [
{ startGid = 100; count = 1; }
{ startGid = 1001; count = 999; }
];
description = ''
Subordinate group ids that user is allowed to use.
They are set into <filename>/etc/subgid</filename> and are used
by <literal>newgidmap</literal> for user namespaces.
'';
};
autoSubUidGidRange = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Automatically allocate subordinate user and group ids for this user.
Allocated range is currently always of size 65536.
'';
};
createHome = mkOption {
type = types.bool;
default = false;
description = ''
Whether to create the home directory and ensure ownership as well as
permissions to match the user.
'';
};
useDefaultShell = mkOption {
type = types.bool;
default = false;
description = ''
If true, the user's shell will be set to
<option>users.defaultUserShell</option>.
'';
};
hashedPassword = mkOption {
type = with types; nullOr (passwdEntry str);
default = null;
description = ''
Specifies the hashed password for the user.
${passwordDescription}
${hashedPasswordDescription}
'';
};
password = mkOption {
type = with types; nullOr str;
default = null;
description = ''
Specifies the (clear text) password for the user.
Warning: do not set confidential information here
because it is world-readable in the Nix store. This option
should only be used for public accounts.
${passwordDescription}
'';
};
passwordFile = mkOption {
type = with types; nullOr str;
default = null;
description = ''
The full path to a file that contains the user's password. The password
file is read on each system activation. The file should contain
exactly one line, which should be the password in an encrypted form
that is suitable for the <literal>chpasswd -e</literal> command.
${passwordDescription}
'';
};
initialHashedPassword = mkOption {
type = with types; nullOr (passwdEntry str);
default = null;
description = ''
Specifies the initial hashed password for the user, i.e. the
hashed password assigned if the user does not already
exist. If <option>users.mutableUsers</option> is true, the
password can be changed subsequently using the
<command>passwd</command> command. Otherwise, it's
equivalent to setting the <option>hashedPassword</option> option.
${hashedPasswordDescription}
'';
};
initialPassword = mkOption {
type = with types; nullOr str;
default = null;
description = ''
Specifies the initial password for the user, i.e. the
password assigned if the user does not already exist. If
<option>users.mutableUsers</option> is true, the password
can be changed subsequently using the
<command>passwd</command> command. Otherwise, it's
equivalent to setting the <option>password</option>
option. The same caveat applies: the password specified here
is world-readable in the Nix store, so it should only be
used for guest accounts or passwords that will be changed
promptly.
'';
};
packages = mkOption {
type = types.listOf types.package;
default = [];
example = literalExpression "[ pkgs.firefox pkgs.thunderbird ]";
description = ''
The set of packages that should be made available to the user.
This is in contrast to <option>environment.systemPackages</option>,
which adds packages to all users.
'';
};
};
config = mkMerge
[ { name = mkDefault name;
shell = mkIf config.useDefaultShell (mkDefault cfg.defaultUserShell);
}
(mkIf config.isNormalUser {
group = mkDefault "users";
createHome = mkDefault true;
home = mkDefault "/home/${config.name}";
homeMode = mkDefault "700";
useDefaultShell = mkDefault true;
isSystemUser = mkDefault false;
})
# If !mutableUsers, setting initialPassword is equivalent to
# setting password (and similarly for hashed passwords).
(mkIf (!cfg.mutableUsers && config.initialPassword != null) {
password = mkDefault config.initialPassword;
})
(mkIf (!cfg.mutableUsers && config.initialHashedPassword != null) {
hashedPassword = mkDefault config.initialHashedPassword;
})
(mkIf (config.isNormalUser && config.subUidRanges == [] && config.subGidRanges == []) {
autoSubUidGidRange = mkDefault true;
})
];
};
groupOpts = { name, config, ... }: {
options = {
name = mkOption {
type = passwdEntry types.str;
description = ''
The name of the group. If undefined, the name of the attribute set
will be used.
'';
};
gid = mkOption {
type = with types; nullOr int;
default = null;
description = ''
The group GID. If the GID is null, a free GID is picked on
activation.
'';
};
members = mkOption {
type = with types; listOf (passwdEntry str);
default = [];
description = ''
The user names of the group members, added to the
<literal>/etc/group</literal> file.
'';
};
};
config = {
name = mkDefault name;
members = mapAttrsToList (n: u: u.name) (
filterAttrs (n: u: elem config.name u.extraGroups) cfg.users
);
};
};
subordinateUidRange = {
options = {
startUid = mkOption {
type = types.int;
description = ''
Start of the range of subordinate user ids that user is
allowed to use.
'';
};
count = mkOption {
type = types.int;
default = 1;
description = "Count of subordinate user ids";
};
};
};
subordinateGidRange = {
options = {
startGid = mkOption {
type = types.int;
description = ''
Start of the range of subordinate group ids that user is
allowed to use.
'';
};
count = mkOption {
type = types.int;
default = 1;
description = "Count of subordinate group ids";
};
};
};
idsAreUnique = set: idAttr: !(foldr (name: args@{ dup, acc }:
let
id = builtins.toString (builtins.getAttr idAttr (builtins.getAttr name set));
exists = builtins.hasAttr id acc;
newAcc = acc // (builtins.listToAttrs [ { name = id; value = true; } ]);
in if dup then args else if exists
then builtins.trace "Duplicate ${idAttr} ${id}" { dup = true; acc = null; }
else { dup = false; acc = newAcc; }
) { dup = false; acc = {}; } (builtins.attrNames set)).dup;
uidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) cfg.users) "uid";
gidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) cfg.groups) "gid";
spec = pkgs.writeText "users-groups.json" (builtins.toJSON {
inherit (cfg) mutableUsers;
users = mapAttrsToList (_: u:
{ inherit (u)
name uid group description home homeMode createHome isSystemUser
password passwordFile hashedPassword
autoSubUidGidRange subUidRanges subGidRanges
initialPassword initialHashedPassword;
shell = utils.toShellPath u.shell;
}) cfg.users;
groups = attrValues cfg.groups;
});
systemShells =
let
shells = mapAttrsToList (_: u: u.shell) cfg.users;
in
filter types.shellPackage.check shells;
in {
imports = [
(mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ])
(mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ])
(mkRenamedOptionModule ["security" "initialRootPassword"] ["users" "users" "root" "initialHashedPassword"])
];
###### interface
options = {
users.mutableUsers = mkOption {
type = types.bool;
default = true;
description = ''
If set to <literal>true</literal>, you are free to add new users and groups to the system
with the ordinary <literal>useradd</literal> and
<literal>groupadd</literal> commands. On system activation, the
existing contents of the <literal>/etc/passwd</literal> and
<literal>/etc/group</literal> files will be merged with the
contents generated from the <literal>users.users</literal> and
<literal>users.groups</literal> options.
The initial password for a user will be set
according to <literal>users.users</literal>, but existing passwords
will not be changed.
<warning><para>
If set to <literal>false</literal>, the contents of the user and
group files will simply be replaced on system activation. This also
holds for the user passwords; all changed
passwords will be reset according to the
<literal>users.users</literal> configuration on activation.
</para></warning>
'';
};
users.enforceIdUniqueness = mkOption {
type = types.bool;
default = true;
description = ''
Whether to require that no two users/groups share the same uid/gid.
'';
};
users.users = mkOption {
default = {};
type = with types; attrsOf (submodule userOpts);
example = {
alice = {
uid = 1234;
description = "Alice Q. User";
home = "/home/alice";
createHome = true;
group = "users";
extraGroups = ["wheel"];
shell = "/bin/sh";
};
};
description = ''
Additional user accounts to be created automatically by the system.
This can also be used to set options for root.
'';
};
users.groups = mkOption {
default = {};
example =
{ students.gid = 1001;
hackers = { };
};
type = with types; attrsOf (submodule groupOpts);
description = ''
Additional groups to be created automatically by the system.
'';
};
users.allowNoPasswordLogin = mkOption {
type = types.bool;
default = false;
description = ''
Disable checking that at least the <literal>root</literal> user or a user in the <literal>wheel</literal> group can log in using
a password or an SSH key.
WARNING: enabling this can lock you out of your system. Enable this only if you know what are you doing.
'';
};
};
###### implementation
config = {
users.users = {
root = {
uid = ids.uids.root;
description = "System administrator";
home = "/root";
shell = mkDefault cfg.defaultUserShell;
group = "root";
initialHashedPassword = mkDefault "!";
};
nobody = {
uid = ids.uids.nobody;
isSystemUser = true;
description = "Unprivileged account (don't use!)";
group = "nogroup";
};
};
users.groups = {
root.gid = ids.gids.root;
wheel.gid = ids.gids.wheel;
disk.gid = ids.gids.disk;
kmem.gid = ids.gids.kmem;
tty.gid = ids.gids.tty;
floppy.gid = ids.gids.floppy;
uucp.gid = ids.gids.uucp;
lp.gid = ids.gids.lp;
cdrom.gid = ids.gids.cdrom;
tape.gid = ids.gids.tape;
audio.gid = ids.gids.audio;
video.gid = ids.gids.video;
dialout.gid = ids.gids.dialout;
nogroup.gid = ids.gids.nogroup;
users.gid = ids.gids.users;
nixbld.gid = ids.gids.nixbld;
utmp.gid = ids.gids.utmp;
adm.gid = ids.gids.adm;
input.gid = ids.gids.input;
kvm.gid = ids.gids.kvm;
render.gid = ids.gids.render;
sgx.gid = ids.gids.sgx;
shadow.gid = ids.gids.shadow;
};
system.activationScripts.users = {
supportsDryActivation = true;
text = ''
install -m 0700 -d /root
install -m 0755 -d /home
${pkgs.perl.withPackages (p: [ p.FileSlurp p.JSON ])}/bin/perl \
-w ${./update-users-groups.pl} ${spec}
'';
};
# for backwards compatibility
system.activationScripts.groups = stringAfter [ "users" ] "";
# Install all the user shells
environment.systemPackages = systemShells;
environment.etc = (mapAttrs' (_: { packages, name, ... }: {
name = "profiles/per-user/${name}";
value.source = pkgs.buildEnv {
name = "user-environment";
paths = packages;
inherit (config.environment) pathsToLink extraOutputsToInstall;
inherit (config.system.path) ignoreCollisions postBuild;
};
}) (filterAttrs (_: u: u.packages != []) cfg.users));
environment.profiles = [
"$HOME/.nix-profile"
"/etc/profiles/per-user/$USER"
];
assertions = [
{ assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique);
message = "UIDs and GIDs must be unique!";
}
{ # If mutableUsers is false, to prevent users creating a
# configuration that locks them out of the system, ensure that
# there is at least one "privileged" account that has a
# password or an SSH authorized key. Privileged accounts are
# root and users in the wheel group.
# The check does not apply when users.disableLoginPossibilityAssertion
# The check does not apply when users.mutableUsers
assertion = !cfg.mutableUsers -> !cfg.allowNoPasswordLogin ->
any id (mapAttrsToList (name: cfg:
(name == "root"
|| cfg.group == "wheel"
|| elem "wheel" cfg.extraGroups)
&&
(allowsLogin cfg.hashedPassword
|| cfg.password != null
|| cfg.passwordFile != null
|| cfg.openssh.authorizedKeys.keys != []
|| cfg.openssh.authorizedKeys.keyFiles != [])
) cfg.users ++ [
config.security.googleOsLogin.enable
]);
message = ''
Neither the root account nor any wheel user has a password or SSH authorized key.
You must set one to prevent being locked out of your system.
If you really want to be locked out of your system, set users.allowNoPasswordLogin = true;
However you are most probably better off by setting users.mutableUsers = true; and
manually running passwd root to set the root password.
'';
}
] ++ flatten (flip mapAttrsToList cfg.users (name: user:
[
{
assertion = (user.hashedPassword != null)
-> (builtins.match ".*:.*" user.hashedPassword == null);
message = ''
The password hash of user "${user.name}" contains a ":" character.
This is invalid and would break the login system because the fields
of /etc/shadow (file where hashes are stored) are colon-separated.
Please check the value of option `users.users."${user.name}".hashedPassword`.'';
}
{
assertion = let
xor = a: b: a && !b || b && !a;
isEffectivelySystemUser = user.isSystemUser || (user.uid != null && user.uid < 500);
in xor isEffectivelySystemUser user.isNormalUser;
message = ''
Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set.
'';
}
{
assertion = user.group != "";
message = ''
users.users.${user.name}.group is unset. This used to default to
nogroup, but this is unsafe. For example you can create a group
for this user with:
users.users.${user.name}.group = "${user.name}";
users.groups.${user.name} = {};
'';
}
]
));
warnings =
builtins.filter (x: x != null) (
flip mapAttrsToList cfg.users (_: user:
# This regex matches a subset of the Modular Crypto Format (MCF)[1]
# informal standard. Since this depends largely on the OS or the
# specific implementation of crypt(3) we only support the (sane)
# schemes implemented by glibc and BSDs. In particular the original
# DES hash is excluded since, having no structure, it would validate
# common mistakes like typing the plaintext password.
#
# [1]: https://en.wikipedia.org/wiki/Crypt_(C)
let
sep = "\\$";
base64 = "[a-zA-Z0-9./]+";
id = "[a-z0-9-]+";
value = "[a-zA-Z0-9/+.-]+";
options = "${id}(=${value})?(,${id}=${value})*";
scheme = "${id}(${sep}${options})?";
content = "${base64}${sep}${base64}";
mcf = "^${sep}${scheme}${sep}${content}$";
in
if (allowsLogin user.hashedPassword
&& user.hashedPassword != "" # login without password
&& builtins.match mcf user.hashedPassword == null)
then ''
The password hash of user "${user.name}" may be invalid. You must set a
valid hash or the user will be locked out of their account. Please
check the value of option `users.users."${user.name}".hashedPassword`.''
else null
));
};
}

56
nixos/modules/config/vte.nix Normal file
View file

@ -0,0 +1,56 @@
# VTE
{ config, pkgs, lib, ... }:
with lib;
let
vteInitSnippet = ''
# Show current working directory in VTE terminals window title.
# Supports both bash and zsh, requires interactive shell.
. ${pkgs.vte}/etc/profile.d/vte.sh
'';
in
{
meta = {
maintainers = teams.gnome.members;
};
options = {
programs.bash.vteIntegration = mkOption {
default = false;
type = types.bool;
description = ''
Whether to enable Bash integration for VTE terminals.
This allows it to preserve the current directory of the shell
across terminals.
'';
};
programs.zsh.vteIntegration = mkOption {
default = false;
type = types.bool;
description = ''
Whether to enable Zsh integration for VTE terminals.
This allows it to preserve the current directory of the shell
across terminals.
'';
};
};
config = mkMerge [
(mkIf config.programs.bash.vteIntegration {
programs.bash.interactiveShellInit = mkBefore vteInitSnippet;
})
(mkIf config.programs.zsh.vteIntegration {
programs.zsh.interactiveShellInit = vteInitSnippet;
})
];
}

26
nixos/modules/config/xdg/autostart.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, lib, ... }:
with lib;
{
meta = {
maintainers = teams.freedesktop.members;
};
options = {
xdg.autostart.enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether to install files to support the
<link xlink:href="https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html">XDG Autostart specification</link>.
'';
};
};
config = mkIf config.xdg.autostart.enable {
environment.pathsToLink = [
"/etc/xdg/autostart"
];
};
}

42
nixos/modules/config/xdg/icons.nix Normal file
View file

@ -0,0 +1,42 @@
{ config, lib, ... }:
with lib;
{
meta = {
maintainers = teams.freedesktop.members;
};
options = {
xdg.icons.enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether to install files to support the
<link xlink:href="https://specifications.freedesktop.org/icon-theme-spec/icon-theme-spec-latest.html">XDG Icon Theme specification</link>.
'';
};
};
config = mkIf config.xdg.icons.enable {
environment.pathsToLink = [
"/share/icons"
"/share/pixmaps"
];
# libXcursor looks for cursors in XCURSOR_PATH
# it mostly follows the spec for icons
# See: https://www.x.org/releases/current/doc/man/man3/Xcursor.3.xhtml Themes
# These are preferred so they come first in the list
environment.sessionVariables.XCURSOR_PATH = [
"$HOME/.icons"
"$HOME/.local/share/icons"
];
environment.profileRelativeSessionVariables.XCURSOR_PATH = [
"/share/icons"
"/share/pixmaps"
];
};
}

29
nixos/modules/config/xdg/menus.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, lib, ... }:
with lib;
{
meta = {
maintainers = teams.freedesktop.members;
};
options = {
xdg.menus.enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether to install files to support the
<link xlink:href="https://specifications.freedesktop.org/menu-spec/menu-spec-latest.html">XDG Desktop Menu specification</link>.
'';
};
};
config = mkIf config.xdg.menus.enable {
environment.pathsToLink = [
"/share/applications"
"/share/desktop-directories"
"/etc/xdg/menus"
"/etc/xdg/menus/applications-merged"
];
};
}

102
nixos/modules/config/xdg/mime.nix Normal file
View file

@ -0,0 +1,102 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.xdg.mime;
associationOptions = with types; attrsOf (
coercedTo (either (listOf str) str) (x: concatStringsSep ";" (toList x)) str
);
in
{
meta = {
maintainers = teams.freedesktop.members ++ (with maintainers; [ figsoda ]);
};
options = {
xdg.mime.enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether to install files to support the
<link xlink:href="https://specifications.freedesktop.org/shared-mime-info-spec/shared-mime-info-spec-latest.html">XDG Shared MIME-info specification</link> and the
<link xlink:href="https://specifications.freedesktop.org/mime-apps-spec/mime-apps-spec-latest.html">XDG MIME Applications specification</link>.
'';
};
xdg.mime.addedAssociations = mkOption {
type = associationOptions;
default = {};
example = {
"application/pdf" = "firefox.desktop";
"text/xml" = [ "nvim.desktop" "codium.desktop" ];
};
description = ''
Adds associations between mimetypes and applications. See the
<link xlink:href="https://specifications.freedesktop.org/mime-apps-spec/mime-apps-spec-latest.html#associations">
specifications</link> for more information.
'';
};
xdg.mime.defaultApplications = mkOption {
type = associationOptions;
default = {};
example = {
"application/pdf" = "firefox.desktop";
"image/png" = [ "sxiv.desktop" "gimp.desktop" ];
};
description = ''
Sets the default applications for given mimetypes. See the
<link xlink:href="https://specifications.freedesktop.org/mime-apps-spec/mime-apps-spec-latest.html#default">
specifications</link> for more information.
'';
};
xdg.mime.removedAssociations = mkOption {
type = associationOptions;
default = {};
example = {
"audio/mp3" = [ "mpv.desktop" "umpv.desktop" ];
"inode/directory" = "codium.desktop";
};
description = ''
Removes associations between mimetypes and applications. See the
<link xlink:href="https://specifications.freedesktop.org/mime-apps-spec/mime-apps-spec-latest.html#associations">
specifications</link> for more information.
'';
};
};
config = mkIf cfg.enable {
environment.etc."xdg/mimeapps.list" = mkIf (
cfg.addedAssociations != {}
|| cfg.defaultApplications != {}
|| cfg.removedAssociations != {}
) {
text = generators.toINI { } {
"Added Associations" = cfg.addedAssociations;
"Default Applications" = cfg.defaultApplications;
"Removed Associations" = cfg.removedAssociations;
};
};
environment.pathsToLink = [ "/share/mime" ];
environment.systemPackages = [
# this package also installs some useful data, as well as its utilities
pkgs.shared-mime-info
];
environment.extraSetup = ''
if [ -w $out/share/mime ] && [ -d $out/share/mime/packages ]; then
XDG_DATA_DIRS=$out/share PKGSYSTEM_ENABLE_FSYNC=0 ${pkgs.buildPackages.shared-mime-info}/bin/update-mime-database -V $out/share/mime > /dev/null
fi
if [ -w $out/share/applications ]; then
${pkgs.buildPackages.desktop-file-utils}/bin/update-desktop-database $out/share/applications
fi
'';
};
}

81
nixos/modules/config/xdg/portal.nix Normal file
View file

@ -0,0 +1,81 @@
{ config, pkgs, lib, ... }:
with lib;
{
imports = [
(mkRenamedOptionModule [ "services" "flatpak" "extraPortals" ] [ "xdg" "portal" "extraPortals" ])
];
meta = {
maintainers = teams.freedesktop.members;
};
options.xdg.portal = {
enable =
mkEnableOption "<link xlink:href='https://github.com/flatpak/xdg-desktop-portal'>xdg desktop integration</link>" // {
default = false;
};
extraPortals = mkOption {
type = types.listOf types.package;
default = [ ];
description = ''
List of additional portals to add to path. Portals allow interaction
with system, like choosing files or taking screenshots. At minimum,
a desktop portal implementation should be listed. GNOME and KDE already
adds <package>xdg-desktop-portal-gtk</package>; and
<package>xdg-desktop-portal-kde</package> respectively. On other desktop
environments you probably want to add them yourself.
'';
};
gtkUsePortal = mkOption {
type = types.bool;
default = false;
description = ''
Sets environment variable <literal>GTK_USE_PORTAL</literal> to <literal>1</literal>.
This is needed for packages ran outside Flatpak to respect and use XDG Desktop Portals.
For example, you'd need to set this for non-flatpak Firefox to use native filechoosers.
Defaults to <literal>false</literal> to respect its opt-in nature.
'';
};
};
config =
let
cfg = config.xdg.portal;
packages = [ pkgs.xdg-desktop-portal ] ++ cfg.extraPortals;
joinedPortals = pkgs.buildEnv {
name = "xdg-portals";
paths = packages;
pathsToLink = [ "/share/xdg-desktop-portal/portals" "/share/applications" ];
};
in
mkIf cfg.enable {
assertions = [
{
assertion = cfg.extraPortals != [ ];
message = "Setting xdg.portal.enable to true requires a portal implementation in xdg.portal.extraPortals such as xdg-desktop-portal-gtk or xdg-desktop-portal-kde.";
}
];
services.dbus.packages = packages;
systemd.packages = packages;
environment = {
# fixes screen sharing on plasmawayland on non-chromium apps by linking
# share/applications/*.desktop files
# see https://github.com/NixOS/nixpkgs/issues/145174
systemPackages = [ joinedPortals ];
pathsToLink = [ "/share/applications" ];
sessionVariables = {
GTK_USE_PORTAL = mkIf cfg.gtkUsePortal "1";
XDG_DESKTOP_PORTAL_DIR = "${joinedPortals}/share/xdg-desktop-portal/portals";
};
};
};
}

67
nixos/modules/config/xdg/portals/wlr.nix Normal file
View file

@ -0,0 +1,67 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.xdg.portal.wlr;
package = pkgs.xdg-desktop-portal-wlr;
settingsFormat = pkgs.formats.ini { };
configFile = settingsFormat.generate "xdg-desktop-portal-wlr.ini" cfg.settings;
in
{
meta = {
maintainers = with maintainers; [ minijackson ];
};
options.xdg.portal.wlr = {
enable = mkEnableOption ''
desktop portal for wlroots-based desktops
This will add the <package>xdg-desktop-portal-wlr</package> package into
the <option>xdg.portal.extraPortals</option> option, and provide the
configuration file
'';
settings = mkOption {
description = ''
Configuration for <package>xdg-desktop-portal-wlr</package>.
See <literal>xdg-desktop-portal-wlr(5)</literal> for supported
values.
'';
type = types.submodule {
freeformType = settingsFormat.type;
};
default = { };
# Example taken from the manpage
example = literalExpression ''
{
screencast = {
output_name = "HDMI-A-1";
max_fps = 30;
exec_before = "disable_notifications.sh";
exec_after = "enable_notifications.sh";
chooser_type = "simple";
chooser_cmd = "''${pkgs.slurp}/bin/slurp -f %o -or";
};
}
'';
};
};
config = mkIf cfg.enable {
xdg.portal = {
enable = true;
extraPortals = [ package ];
};
systemd.user.services.xdg-desktop-portal-wlr.serviceConfig.ExecStart = [
# Empty ExecStart value to override the field
""
"${package}/libexec/xdg-desktop-portal-wlr --config=${configFile}"
];
};
}

30
nixos/modules/config/xdg/sounds.nix Normal file
View file

@ -0,0 +1,30 @@
{ config, lib, pkgs, ... }:
with lib;
{
meta = {
maintainers = teams.freedesktop.members;
};
options = {
xdg.sounds.enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether to install files to support the
<link xlink:href="https://www.freedesktop.org/wiki/Specifications/sound-theme-spec/">XDG Sound Theme specification</link>.
'';
};
};
config = mkIf config.xdg.sounds.enable {
environment.systemPackages = [
pkgs.sound-theme-freedesktop
];
environment.pathsToLink = [
"/share/sounds"
];
};
}

203
nixos/modules/config/zram.nix Normal file
View file

@ -0,0 +1,203 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.zramSwap;
# don't set swapDevices as mkDefault, so we can detect user had read our warning
# (see below) and made an action (or not)
devicesCount = if cfg.swapDevices != null then cfg.swapDevices else cfg.numDevices;
devices = map (nr: "zram${toString nr}") (range 0 (devicesCount - 1));
modprobe = "${pkgs.kmod}/bin/modprobe";
warnings =
assert cfg.swapDevices != null -> cfg.numDevices >= cfg.swapDevices;
flatten [
(optional (cfg.numDevices > 1 && cfg.swapDevices == null) ''
Using several small zram devices as swap is no better than using one large.
Set either zramSwap.numDevices = 1 or explicitly set zramSwap.swapDevices.
Previously multiple zram devices were used to enable multithreaded
compression. Linux supports multithreaded compression for 1 device
since 3.15. See https://lkml.org/lkml/2014/2/28/404 for details.
'')
];
in
{
###### interface
options = {
zramSwap = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enable in-memory compressed devices and swap space provided by the zram
kernel module.
See <link xlink:href="https://www.kernel.org/doc/Documentation/blockdev/zram.txt">
https://www.kernel.org/doc/Documentation/blockdev/zram.txt
</link>.
'';
};
numDevices = mkOption {
default = 1;
type = types.int;
description = ''
Number of zram devices to create. See also
<literal>zramSwap.swapDevices</literal>
'';
};
swapDevices = mkOption {
default = null;
example = 1;
type = with types; nullOr int;
description = ''
Number of zram devices to be used as swap. Must be
<literal>&lt;= zramSwap.numDevices</literal>.
Default is same as <literal>zramSwap.numDevices</literal>, recommended is 1.
'';
};
memoryPercent = mkOption {
default = 50;
type = types.int;
description = ''
Maximum amount of memory that can be used by the zram swap devices
(as a percentage of your total memory). Defaults to 1/2 of your total
RAM. Run <literal>zramctl</literal> to check how good memory is
compressed.
'';
};
memoryMax = mkOption {
default = null;
type = with types; nullOr int;
description = ''
Maximum total amount of memory (in bytes) that can be used by the zram
swap devices.
'';
};
priority = mkOption {
default = 5;
type = types.int;
description = ''
Priority of the zram swap devices. It should be a number higher than
the priority of your disk-based swap devices (so that the system will
fill the zram swap devices before falling back to disk swap).
'';
};
algorithm = mkOption {
default = "zstd";
example = "lz4";
type = with types; either (enum [ "lzo" "lz4" "zstd" ]) str;
description = ''
Compression algorithm. <literal>lzo</literal> has good compression,
but is slow. <literal>lz4</literal> has bad compression, but is fast.
<literal>zstd</literal> is both good compression and fast, but requires newer kernel.
You can check what other algorithms are supported by your zram device with
<programlisting>cat /sys/class/block/zram*/comp_algorithm</programlisting>
'';
};
};
};
config = mkIf cfg.enable {
inherit warnings;
system.requiredKernelConfig = with config.lib.kernelConfig; [
(isModule "ZRAM")
];
# Disabling this for the moment, as it would create and mkswap devices twice,
# once in stage 2 boot, and again when the zram-reloader service starts.
# boot.kernelModules = [ "zram" ];
boot.extraModprobeConfig = ''
options zram num_devices=${toString cfg.numDevices}
'';
services.udev.extraRules = ''
KERNEL=="zram[0-9]*", ENV{SYSTEMD_WANTS}="zram-init-%k.service", TAG+="systemd"
'';
systemd.services =
let
createZramInitService = dev:
nameValuePair "zram-init-${dev}" {
description = "Init swap on zram-based device ${dev}";
after = [ "dev-${dev}.device" "zram-reloader.service" ];
requires = [ "dev-${dev}.device" "zram-reloader.service" ];
before = [ "dev-${dev}.swap" ];
requiredBy = [ "dev-${dev}.swap" ];
unitConfig.DefaultDependencies = false; # needed to prevent a cycle
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "${pkgs.runtimeShell} -c 'echo 1 > /sys/class/block/${dev}/reset'";
};
script = ''
set -euo pipefail
# Calculate memory to use for zram
mem=$(${pkgs.gawk}/bin/awk '/MemTotal: / {
value=int($2*${toString cfg.memoryPercent}/100.0/${toString devicesCount}*1024);
${lib.optionalString (cfg.memoryMax != null) ''
memory_max=int(${toString cfg.memoryMax}/${toString devicesCount});
if (value > memory_max) { value = memory_max }
''}
print value
}' /proc/meminfo)
${pkgs.util-linux}/sbin/zramctl --size $mem --algorithm ${cfg.algorithm} /dev/${dev}
${pkgs.util-linux}/sbin/mkswap /dev/${dev}
'';
restartIfChanged = false;
};
in listToAttrs ((map createZramInitService devices) ++ [(nameValuePair "zram-reloader"
{
description = "Reload zram kernel module when number of devices changes";
wants = [ "systemd-udevd.service" ];
after = [ "systemd-udevd.service" ];
unitConfig.DefaultDependencies = false; # needed to prevent a cycle
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStartPre = "${modprobe} -r zram";
ExecStart = "${modprobe} zram";
ExecStop = "${modprobe} -r zram";
};
restartTriggers = [
cfg.numDevices
cfg.algorithm
cfg.memoryPercent
];
restartIfChanged = true;
})]);
swapDevices =
let
useZramSwap = dev:
{
device = "/dev/${dev}";
priority = cfg.priority;
};
in map useZramSwap devices;
};
}

25
nixos/modules/hardware/acpilight.nix Normal file
View file

@ -0,0 +1,25 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.acpilight;
in
{
options = {
hardware.acpilight = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enable acpilight.
This will allow brightness control via xbacklight from users in the video group
'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ acpilight ];
services.udev.packages = with pkgs; [ acpilight ];
};
}

96
nixos/modules/hardware/all-firmware.nix Normal file
View file

@ -0,0 +1,96 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware;
in {
imports = [
(mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableIntel3945ABGFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableIntel2100BGFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableRalinkFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableRTL8192cFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
];
###### interface
options = {
hardware.enableAllFirmware = mkOption {
default = false;
type = types.bool;
description = ''
Turn on this option if you want to enable all the firmware.
'';
};
hardware.enableRedistributableFirmware = mkOption {
default = config.hardware.enableAllFirmware;
defaultText = lib.literalExpression "config.hardware.enableAllFirmware";
type = types.bool;
description = ''
Turn on this option if you want to enable all the firmware with a license allowing redistribution.
'';
};
hardware.wirelessRegulatoryDatabase = mkOption {
default = false;
type = types.bool;
description = ''
Load the wireless regulatory database at boot.
'';
};
};
###### implementation
config = mkMerge [
(mkIf (cfg.enableAllFirmware || cfg.enableRedistributableFirmware) {
hardware.firmware = with pkgs; [
linux-firmware
intel2200BGFirmware
rtl8192su-firmware
rt5677-firmware
rtl8723bs-firmware
rtl8761b-firmware
rtw88-firmware
zd1211fw
alsa-firmware
sof-firmware
libreelec-dvb-firmware
] ++ optional (pkgs.stdenv.hostPlatform.isAarch32 || pkgs.stdenv.hostPlatform.isAarch64) raspberrypiWirelessFirmware
++ optionals (versionOlder config.boot.kernelPackages.kernel.version "4.13") [
rtl8723bs-firmware
] ++ optionals (versionOlder config.boot.kernelPackages.kernel.version "5.16") [
rtw89-firmware
];
hardware.wirelessRegulatoryDatabase = true;
})
(mkIf cfg.enableAllFirmware {
assertions = [{
assertion = !cfg.enableAllFirmware || config.nixpkgs.config.allowUnfree;
message = ''
the list of hardware.enableAllFirmware contains non-redistributable licensed firmware files.
This requires nixpkgs.config.allowUnfree to be true.
An alternative is to use the hardware.enableRedistributableFirmware option.
'';
}];
hardware.firmware = with pkgs; [
broadcom-bt-firmware
b43Firmware_5_1_138
b43Firmware_6_30_163_46
xow_dongle-firmware
] ++ optionals pkgs.stdenv.hostPlatform.isx86 [
facetimehd-calibration
facetimehd-firmware
];
})
(mkIf cfg.wirelessRegulatoryDatabase {
hardware.firmware = [ pkgs.wireless-regdb ];
})
];
}

28
nixos/modules/hardware/bladeRF.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.bladeRF;
in
{
options.hardware.bladeRF = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enables udev rules for BladeRF devices. By default grants access
to users in the "bladerf" group. You may want to install the
libbladeRF package.
'';
};
};
config = mkIf cfg.enable {
services.udev.packages = [ pkgs.libbladeRF ];
users.groups.bladerf = {};
};
}

22
nixos/modules/hardware/brillo.nix Normal file
View file

@ -0,0 +1,22 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.brillo;
in
{
options = {
hardware.brillo = {
enable = mkEnableOption ''
Enable brillo in userspace.
This will allow brightness control from users in the video group.
'';
};
};
config = mkIf cfg.enable {
services.udev.packages = [ pkgs.brillo ];
environment.systemPackages = [ pkgs.brillo ];
};
}

53
nixos/modules/hardware/ckb-next.nix Normal file
View file

@ -0,0 +1,53 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.ckb-next;
in
{
imports = [
(mkRenamedOptionModule [ "hardware" "ckb" "enable" ] [ "hardware" "ckb-next" "enable" ])
(mkRenamedOptionModule [ "hardware" "ckb" "package" ] [ "hardware" "ckb-next" "package" ])
];
options.hardware.ckb-next = {
enable = mkEnableOption "the Corsair keyboard/mouse driver";
gid = mkOption {
type = types.nullOr types.int;
default = null;
example = 100;
description = ''
Limit access to the ckb daemon to a particular group.
'';
};
package = mkOption {
type = types.package;
default = pkgs.ckb-next;
defaultText = literalExpression "pkgs.ckb-next";
description = ''
The package implementing the Corsair keyboard/mouse driver.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
systemd.services.ckb-next = {
description = "Corsair Keyboards and Mice Daemon";
wantedBy = ["multi-user.target"];
serviceConfig = {
ExecStart = "${cfg.package}/bin/ckb-next-daemon ${optionalString (cfg.gid != null) "--gid=${builtins.toString cfg.gid}"}";
Restart = "on-failure";
};
};
};
meta = {
maintainers = with lib.maintainers; [ kierdavis ];
};
}

62
nixos/modules/hardware/corectrl.nix Normal file
View file

@ -0,0 +1,62 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.programs.corectrl;
in
{
options.programs.corectrl = {
enable = mkEnableOption ''
A tool to overclock amd graphics cards and processors.
Add your user to the corectrl group to run corectrl without needing to enter your password
'';
gpuOverclock = {
enable = mkEnableOption ''
true
'';
ppfeaturemask = mkOption {
type = types.str;
default = "0xfffd7fff";
example = "0xffffffff";
description = ''
Sets the `amdgpu.ppfeaturemask` kernel option.
In particular, it is used here to set the overdrive bit.
Default is `0xfffd7fff` as it is less likely to cause flicker issues.
Setting it to `0xffffffff` enables all features.
'';
};
};
};
config = mkIf cfg.enable (lib.mkMerge [
{
environment.systemPackages = [ pkgs.corectrl ];
services.dbus.packages = [ pkgs.corectrl ];
users.groups.corectrl = { };
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if ((action.id == "org.corectrl.helper.init" ||
action.id == "org.corectrl.helperkiller.init") &&
subject.local == true &&
subject.active == true &&
subject.isInGroup("corectrl")) {
return polkit.Result.YES;
}
});
'';
}
(lib.mkIf cfg.gpuOverclock.enable {
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/gpu/drm/amd/include/amd_shared.h#n169
# The overdrive bit
boot.kernelParams = [ "amdgpu.ppfeaturemask=${cfg.gpuOverclock.ppfeaturemask}" ];
})
]);
meta.maintainers = with lib.maintainers; [ artturin ];
}

29
nixos/modules/hardware/cpu/amd-microcode.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, lib, pkgs, ... }:
with lib;
{
###### interface
options = {
hardware.cpu.amd.updateMicrocode = mkOption {
default = false;
type = types.bool;
description = ''
Update the CPU microcode for AMD processors.
'';
};
};
###### implementation
config = mkIf config.hardware.cpu.amd.updateMicrocode {
# Microcode updates must be the first item prepended in the initrd
boot.initrd.prepend = mkOrder 1 [ "${pkgs.microcodeAmd}/amd-ucode.img" ];
};
}

29
nixos/modules/hardware/cpu/intel-microcode.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, lib, pkgs, ... }:
with lib;
{
###### interface
options = {
hardware.cpu.intel.updateMicrocode = mkOption {
default = false;
type = types.bool;
description = ''
Update the CPU microcode for Intel processors.
'';
};
};
###### implementation
config = mkIf config.hardware.cpu.intel.updateMicrocode {
# Microcode updates must be the first item prepended in the initrd
boot.initrd.prepend = mkOrder 1 [ "${pkgs.microcodeIntel}/intel-ucode.img" ];
};
}

69
nixos/modules/hardware/cpu/intel-sgx.nix Normal file
View file

@ -0,0 +1,69 @@
{ config, lib, ... }:
with lib;
let
cfg = config.hardware.cpu.intel.sgx;
defaultPrvGroup = "sgx_prv";
in
{
options.hardware.cpu.intel.sgx.enableDcapCompat = mkOption {
description = ''
Whether to enable backward compatibility for SGX software build for the
out-of-tree Intel SGX DCAP driver.
Creates symbolic links for the SGX devices <literal>/dev/sgx_enclave</literal>
and <literal>/dev/sgx_provision</literal> to make them available as
<literal>/dev/sgx/enclave</literal> and <literal>/dev/sgx/provision</literal>,
respectively.
'';
type = types.bool;
default = true;
};
options.hardware.cpu.intel.sgx.provision = {
enable = mkEnableOption "access to the Intel SGX provisioning device";
user = mkOption {
description = "Owner to assign to the SGX provisioning device.";
type = types.str;
default = "root";
};
group = mkOption {
description = "Group to assign to the SGX provisioning device.";
type = types.str;
default = defaultPrvGroup;
};
mode = mkOption {
description = "Mode to set for the SGX provisioning device.";
type = types.str;
default = "0660";
};
};
config = mkMerge [
(mkIf cfg.provision.enable {
assertions = [
{
assertion = hasAttr cfg.provision.user config.users.users;
message = "Given user does not exist";
}
{
assertion = (cfg.provision.group == defaultPrvGroup) || (hasAttr cfg.provision.group config.users.groups);
message = "Given group does not exist";
}
];
users.groups = optionalAttrs (cfg.provision.group == defaultPrvGroup) {
"${cfg.provision.group}" = { };
};
services.udev.extraRules = with cfg.provision; ''
SUBSYSTEM=="misc", KERNEL=="sgx_provision", OWNER="${user}", GROUP="${group}", MODE="${mode}"
'';
})
(mkIf cfg.enableDcapCompat {
services.udev.extraRules = ''
SUBSYSTEM=="misc", KERNEL=="sgx_enclave", SYMLINK+="sgx/enclave"
SUBSYSTEM=="misc", KERNEL=="sgx_provision", SYMLINK+="sgx/provision"
'';
})
];
}

205
nixos/modules/hardware/device-tree.nix Normal file
View file

@ -0,0 +1,205 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.deviceTree;
overlayType = types.submodule {
options = {
name = mkOption {
type = types.str;
description = ''
Name of this overlay
'';
};
dtsFile = mkOption {
type = types.nullOr types.path;
description = ''
Path to .dts overlay file, overlay is applied to
each .dtb file matching "compatible" of the overlay.
'';
default = null;
example = literalExpression "./dts/overlays.dts";
};
dtsText = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Literal DTS contents, overlay is applied to
each .dtb file matching "compatible" of the overlay.
'';
example = ''
/dts-v1/;
/plugin/;
/ {
compatible = "raspberrypi";
fragment@0 {
target-path = "/soc";
__overlay__ {
pps {
compatible = "pps-gpio";
status = "okay";
};
};
};
};
'';
};
dtboFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to .dtbo compiled overlay file.
'';
};
};
};
# this requires kernel package
dtbsWithSymbols = pkgs.stdenv.mkDerivation {
name = "dtbs-with-symbols";
inherit (cfg.kernelPackage) src nativeBuildInputs depsBuildBuild;
patches = map (patch: patch.patch) cfg.kernelPackage.kernelPatches;
buildPhase = ''
patchShebangs scripts/*
substituteInPlace scripts/Makefile.lib \
--replace 'DTC_FLAGS += $(DTC_FLAGS_$(basetarget))' 'DTC_FLAGS += $(DTC_FLAGS_$(basetarget)) -@'
make ${pkgs.stdenv.hostPlatform.linux-kernel.baseConfig} ARCH="${pkgs.stdenv.hostPlatform.linuxArch}"
make dtbs ARCH="${pkgs.stdenv.hostPlatform.linuxArch}"
'';
installPhase = ''
make dtbs_install INSTALL_DTBS_PATH=$out/dtbs ARCH="${pkgs.stdenv.hostPlatform.linuxArch}"
'';
};
filterDTBs = src: if isNull cfg.filter
then "${src}/dtbs"
else
pkgs.runCommand "dtbs-filtered" {} ''
mkdir -p $out
cd ${src}/dtbs
find . -type f -name '${cfg.filter}' -print0 \
| xargs -0 cp -v --no-preserve=mode --target-directory $out --parents
'';
# Compile single Device Tree overlay source
# file (.dts) into its compiled variant (.dtbo)
compileDTS = name: f: pkgs.callPackage({ dtc }: pkgs.stdenv.mkDerivation {
name = "${name}-dtbo";
nativeBuildInputs = [ dtc ];
buildCommand = ''
dtc -I dts ${f} -O dtb -@ -o $out
'';
}) {};
# Fill in `dtboFile` for each overlay if not set already.
# Existence of one of these is guarded by assertion below
withDTBOs = xs: flip map xs (o: o // { dtboFile =
if isNull o.dtboFile then
if !isNull o.dtsFile then compileDTS o.name o.dtsFile
else compileDTS o.name (pkgs.writeText "dts" o.dtsText)
else o.dtboFile; } );
in
{
imports = [
(mkRemovedOptionModule [ "hardware" "deviceTree" "base" ] "Use hardware.deviceTree.kernelPackage instead")
];
options = {
hardware.deviceTree = {
enable = mkOption {
default = pkgs.stdenv.hostPlatform.linux-kernel.DTB or false;
type = types.bool;
description = ''
Build device tree files. These are used to describe the
non-discoverable hardware of a system.
'';
};
kernelPackage = mkOption {
default = config.boot.kernelPackages.kernel;
defaultText = literalExpression "config.boot.kernelPackages.kernel";
example = literalExpression "pkgs.linux_latest";
type = types.path;
description = ''
Kernel package containing the base device-tree (.dtb) to boot. Uses
device trees bundled with the Linux kernel by default.
'';
};
name = mkOption {
default = null;
example = "some-dtb.dtb";
type = types.nullOr types.str;
description = ''
The name of an explicit dtb to be loaded, relative to the dtb base.
Useful in extlinux scenarios if the bootloader doesn't pick the
right .dtb file from FDTDIR.
'';
};
filter = mkOption {
type = types.nullOr types.str;
default = null;
example = "*rpi*.dtb";
description = ''
Only include .dtb files matching glob expression.
'';
};
overlays = mkOption {
default = [];
example = literalExpression ''
[
{ name = "pps"; dtsFile = ./dts/pps.dts; }
{ name = "spi";
dtsText = "...";
}
{ name = "precompiled"; dtboFile = ./dtbos/example.dtbo; }
]
'';
type = types.listOf (types.coercedTo types.path (path: {
name = baseNameOf path;
dtboFile = path;
}) overlayType);
description = ''
List of overlays to apply to base device-tree (.dtb) files.
'';
};
package = mkOption {
default = null;
type = types.nullOr types.path;
internal = true;
description = ''
A path containing the result of applying `overlays` to `kernelPackage`.
'';
};
};
};
config = mkIf (cfg.enable) {
assertions = let
invalidOverlay = o: isNull o.dtsFile && isNull o.dtsText && isNull o.dtboFile;
in lib.singleton {
assertion = lib.all (o: !invalidOverlay o) cfg.overlays;
message = ''
deviceTree overlay needs one of dtsFile, dtsText or dtboFile set.
Offending overlay(s):
${toString (map (o: o.name) (builtins.filter invalidOverlay cfg.overlays))}
'';
};
hardware.deviceTree.package = if (cfg.overlays != [])
then pkgs.deviceTree.applyOverlays (filterDTBs dtbsWithSymbols) (withDTBOs cfg.overlays)
else (filterDTBs cfg.kernelPackage);
};
}

30
nixos/modules/hardware/digitalbitbox.nix Normal file
View file

@ -0,0 +1,30 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.digitalbitbox;
in
{
options.hardware.digitalbitbox = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enables udev rules for Digital Bitbox devices.
'';
};
package = mkOption {
type = types.package;
default = pkgs.digitalbitbox;
defaultText = literalExpression "pkgs.digitalbitbox";
description = "The Digital Bitbox package to use. This can be used to install a package with udev rules that differ from the defaults.";
};
};
config = mkIf cfg.enable {
services.udev.packages = [ cfg.package ];
};
}

12
nixos/modules/hardware/flirc.nix Normal file
View file

@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
let
cfg = config.hardware.flirc;
in
{
options.hardware.flirc.enable = lib.mkEnableOption "software to configure a Flirc USB device";
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.flirc ];
services.udev.packages = [ pkgs.flirc ];
};
}

18
nixos/modules/hardware/gkraken.nix Normal file
View file

@ -0,0 +1,18 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.gkraken;
in
{
options.hardware.gkraken = {
enable = mkEnableOption "gkraken's udev rules for NZXT AIO liquid coolers";
};
config = mkIf cfg.enable {
services.udev.packages = with pkgs; [
gkraken
];
};
}

37
nixos/modules/hardware/gpgsmartcards.nix Normal file
View file

@ -0,0 +1,37 @@
{ config, lib, pkgs, ... }:
with lib;
let
# gnupg's manual describes how to setup ccid udev rules:
# https://www.gnupg.org/howtos/card-howto/en/ch02s03.html
# gnupg folks advised me (https://dev.gnupg.org/T5409) to look at debian's rules:
# https://salsa.debian.org/debian/gnupg2/-/blob/debian/main/debian/scdaemon.udev
# the latest rev of the entire debian gnupg2 repo as of 2021-04-28
# the scdaemon.udev file was last commited on 2021-01-05 (7817a03):
scdaemonUdevRev = "01898735a015541e3ffb43c7245ac1e612f40836";
scdaemonRules = pkgs.fetchurl {
url = "https://salsa.debian.org/debian/gnupg2/-/raw/${scdaemonUdevRev}/debian/scdaemon.udev";
sha256 = "08v0vp6950bz7galvc92zdss89y9vcwbinmbfcdldy8x72w6rqr3";
};
# per debian's udev deb hook (https://man7.org/linux/man-pages/man1/dh_installudev.1.html)
destination = "60-scdaemon.rules";
scdaemonUdevRulesPkg = pkgs.runCommand "scdaemon-udev-rules" {} ''
loc="$out/lib/udev/rules.d/"
mkdir -p "''${loc}"
cp "${scdaemonRules}" "''${loc}/${destination}"
'';
cfg = config.hardware.gpgSmartcards;
in {
options.hardware.gpgSmartcards = {
enable = mkEnableOption "udev rules for gnupg smart cards";
};
config = mkIf cfg.enable {
services.udev.packages = [ scdaemonUdevRulesPkg ];
};
}

23
nixos/modules/hardware/hackrf.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, lib, pkgs, ... }:
let
cfg = config.hardware.hackrf;
in
{
options.hardware.hackrf = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enables hackrf udev rules and ensures 'plugdev' group exists.
This is a prerequisite to using HackRF devices without being root, since HackRF USB descriptors will be owned by plugdev through udev.
'';
};
};
config = lib.mkIf cfg.enable {
services.udev.packages = [ pkgs.hackrf ];
users.groups.plugdev = { };
};
}

43
nixos/modules/hardware/i2c.nix Normal file
View file

@ -0,0 +1,43 @@
{ config, lib, ... }:
with lib;
let
cfg = config.hardware.i2c;
in
{
options.hardware.i2c = {
enable = mkEnableOption ''
i2c devices support. By default access is granted to users in the "i2c"
group (will be created if non-existent) and any user with a seat, meaning
logged on the computer locally.
'';
group = mkOption {
type = types.str;
default = "i2c";
description = ''
Grant access to i2c devices (/dev/i2c-*) to users in this group.
'';
};
};
config = mkIf cfg.enable {
boot.kernelModules = [ "i2c-dev" ];
users.groups = mkIf (cfg.group == "i2c") {
i2c = { };
};
services.udev.extraRules = ''
# allow group ${cfg.group} and users with a seat use of i2c devices
ACTION=="add", KERNEL=="i2c-[0-9]*", TAG+="uaccess", GROUP="${cfg.group}", MODE="660"
'';
};
meta.maintainers = [ maintainers.rnhmjoj ];
}

16
nixos/modules/hardware/keyboard/teck.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.keyboard.teck;
in
{
options.hardware.keyboard.teck = {
enable = mkEnableOption "non-root access to the firmware of TECK keyboards";
};
config = mkIf cfg.enable {
services.udev.packages = [ pkgs.teck-udev-rules ];
};
}

21
nixos/modules/hardware/keyboard/uhk.nix Normal file
View file

@ -0,0 +1,21 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.keyboard.uhk;
in
{
options.hardware.keyboard.uhk = {
enable = mkEnableOption ''
non-root access to the firmware of UHK keyboards.
You need it when you want to flash a new firmware on the keyboard.
Access to the keyboard is granted to users in the "input" group.
You may want to install the uhk-agent package.
'';
};
config = mkIf cfg.enable {
services.udev.packages = [ pkgs.uhk-udev-rules ];
};
}

24
nixos/modules/hardware/keyboard/zsa.nix Normal file
View file

@ -0,0 +1,24 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkOption mkIf types;
cfg = config.hardware.keyboard.zsa;
in
{
options.hardware.keyboard.zsa = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enables udev rules for keyboards from ZSA like the ErgoDox EZ, Planck EZ and Moonlander Mark I.
You need it when you want to flash a new configuration on the keyboard
or use their live training in the browser.
You may want to install the wally-cli package.
'';
};
};
config = mkIf cfg.enable {
services.udev.packages = [ pkgs.zsa-udev-rules ];
};
}

38
nixos/modules/hardware/ksm.nix Normal file
View file

@ -0,0 +1,38 @@
{ config, lib, ... }:
with lib;
let
cfg = config.hardware.ksm;
in {
imports = [
(mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ])
];
options.hardware.ksm = {
enable = mkEnableOption "Kernel Same-Page Merging";
sleep = mkOption {
type = types.nullOr types.int;
default = null;
description = ''
How many milliseconds ksmd should sleep between scans.
Setting it to <literal>null</literal> uses the kernel's default time.
'';
};
};
config = mkIf cfg.enable {
systemd.services.enable-ksm = {
description = "Enable Kernel Same-Page Merging";
wantedBy = [ "multi-user.target" ];
script =
''
echo 1 > /sys/kernel/mm/ksm/run
'' + optionalString (cfg.sleep != null)
''
echo ${toString cfg.sleep} > /sys/kernel/mm/ksm/sleep_millisecs
'';
};
};
}

14
nixos/modules/hardware/ledger.nix Normal file
View file

@ -0,0 +1,14 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.ledger;
in {
options.hardware.ledger.enable = mkEnableOption "udev rules for Ledger devices";
config = mkIf cfg.enable {
services.udev.packages = [ pkgs.ledger-udev-rules ];
};
}

96
nixos/modules/hardware/logitech.nix Normal file
View file

@ -0,0 +1,96 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.logitech;
vendor = "046d";
daemon = "g15daemon";
in
{
imports = [
(mkRenamedOptionModule [ "hardware" "logitech" "enable" ] [ "hardware" "logitech" "wireless" "enable" ])
(mkRenamedOptionModule [ "hardware" "logitech" "enableGraphical" ] [ "hardware" "logitech" "wireless" "enableGraphical" ])
];
options.hardware.logitech = {
lcd = {
enable = mkEnableOption "Logitech LCD Devices";
startWhenNeeded = mkOption {
type = types.bool;
default = true;
description = ''
Only run the service when an actual supported device is plugged.
'';
};
devices = mkOption {
type = types.listOf types.str;
default = [ "0a07" "c222" "c225" "c227" "c251" ];
description = ''
List of USB device ids supported by g15daemon.
</para>
<para>
You most likely do not need to change this.
'';
};
};
wireless = {
enable = mkEnableOption "Logitech Wireless Devices";
enableGraphical = mkOption {
type = types.bool;
default = false;
description = "Enable graphical support applications.";
};
};
};
config = lib.mkIf (cfg.wireless.enable || cfg.lcd.enable) {
environment.systemPackages = []
++ lib.optional cfg.wireless.enable pkgs.ltunify
++ lib.optional cfg.wireless.enableGraphical pkgs.solaar;
services.udev = {
# ltunifi and solaar both provide udev rules but the most up-to-date have been split
# out into a dedicated derivation
packages = []
++ lib.optional cfg.wireless.enable pkgs.logitech-udev-rules
++ lib.optional cfg.lcd.enable pkgs.g15daemon;
extraRules = ''
# nixos: hardware.logitech.lcd
'' + lib.concatMapStringsSep "\n" (
dev:
''ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="${vendor}", ATTRS{idProduct}=="${dev}", TAG+="systemd", ENV{SYSTEMD_WANTS}+="${daemon}.service"''
) cfg.lcd.devices;
};
systemd.services."${daemon}" = lib.mkIf cfg.lcd.enable {
description = "Logitech LCD Support Daemon";
documentation = [ "man:g15daemon(1)" ];
wantedBy = lib.mkIf (! cfg.lcd.startWhenNeeded) "multi-user.target";
serviceConfig = {
Type = "forking";
ExecStart = "${pkgs.g15daemon}/bin/g15daemon";
# we patch it to write to /run/g15daemon/g15daemon.pid instead of
# /run/g15daemon.pid so systemd will do the cleanup for us.
PIDFile = "/run/${daemon}/g15daemon.pid";
PrivateTmp = true;
PrivateNetwork = true;
ProtectHome = "tmpfs";
ProtectSystem = "full"; # strict doesn't work
RuntimeDirectory = daemon;
Restart = "on-failure";
};
};
};
}

35
nixos/modules/hardware/mcelog.nix Normal file
View file

@ -0,0 +1,35 @@
{ config, lib, pkgs, ... }:
with lib;
{
meta.maintainers = with maintainers; [ grahamc ];
options = {
hardware.mcelog = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable the Machine Check Exception logger.
'';
};
};
};
config = mkIf config.hardware.mcelog.enable {
systemd = {
packages = [ pkgs.mcelog ];
services.mcelog = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ProtectHome = true;
PrivateNetwork = true;
PrivateTmp = true;
};
};
};
};
}

31
nixos/modules/hardware/network/ath-user-regd.nix Normal file
View file

@ -0,0 +1,31 @@
{ config, lib, pkgs, ... }:
with lib;
let
kernelVersion = config.boot.kernelPackages.kernel.version;
linuxKernelMinVersion = "5.8";
kernelPatch = pkgs.kernelPatches.ath_regd_optional // {
extraConfig = ''
ATH_USER_REGD y
'';
};
in
{
options.networking.wireless.athUserRegulatoryDomain = mkOption {
default = false;
type = types.bool;
description = ''
If enabled, sets the ATH_USER_REGD kernel config switch to true to
disable the enforcement of EEPROM regulatory restrictions for ath
drivers. Requires at least Linux ${linuxKernelMinVersion}.
'';
};
config = mkIf config.networking.wireless.athUserRegulatoryDomain {
assertions = singleton {
assertion = lessThan 0 (builtins.compareVersions kernelVersion linuxKernelMinVersion);
message = "ATH_USER_REGD patch for kernels older than ${linuxKernelMinVersion} not ported yet!";
};
boot.kernelPatches = [ kernelPatch ];
};
}

30
nixos/modules/hardware/network/b43.nix Normal file
View file

@ -0,0 +1,30 @@
{ config, lib, pkgs, ... }:
with lib;
let kernelVersion = config.boot.kernelPackages.kernel.version; in
{
###### interface
options = {
networking.enableB43Firmware = mkOption {
default = false;
type = types.bool;
description = ''
Turn on this option if you want firmware for the NICs supported by the b43 module.
'';
};
};
###### implementation
config = mkIf config.networking.enableB43Firmware {
hardware.firmware = [ pkgs.b43Firmware_5_1_138 ];
};
}

3
nixos/modules/hardware/network/broadcom-43xx.nix Normal file
View file

@ -0,0 +1,3 @@
{
hardware.enableRedistributableFirmware = true;
}

30
nixos/modules/hardware/network/intel-2200bg.nix Normal file
View file

@ -0,0 +1,30 @@
{ config, pkgs, lib, ... }:
{
###### interface
options = {
networking.enableIntel2200BGFirmware = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Turn on this option if you want firmware for the Intel
PRO/Wireless 2200BG to be loaded automatically. This is
required if you want to use this device.
'';
};
};
###### implementation
config = lib.mkIf config.networking.enableIntel2200BGFirmware {
hardware.firmware = [ pkgs.intel2200BGFirmware ];
};
}

9
nixos/modules/hardware/network/smc-2632w/default.nix Normal file
View file

@ -0,0 +1,9 @@
{lib, ...}:
{
hardware = {
pcmcia = {
firmware = [ (lib.cleanSource ./firmware) ];
};
};
}

8
nixos/modules/hardware/network/smc-2632w/firmware/cis/SMC2632W-v1.02.cis Normal file
View file

@ -0,0 +1,8 @@
vers_1 5.0, "SMC", "SMC2632W", "Version 01.02", ""
manfid 0x0156, 0x0002
funcid network_adapter
cftable_entry 0x01 [default]
Vcc Vmin 3000mV Vmax 3300mV Iavg 300mA Ipeak 300mA
Idown 10mA
io 0x0000-0x003f [lines=6] [16bit]
irq mask 0xffff [level] [pulse]

5
nixos/modules/hardware/network/zydas-zd1211.nix Normal file
View file

@ -0,0 +1,5 @@
{pkgs, ...}:
{
hardware.firmware = [ pkgs.zd1211fw ];
}

29
nixos/modules/hardware/new-lg4ff.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, lib, config, ... }:
with lib;
let
cfg = config.hardware.new-lg4ff;
kernelPackages = config.boot.kernelPackages;
in {
options.hardware.new-lg4ff = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enables improved Linux module drivers for Logitech driving wheels.
This will replace the existing in-kernel hid-logitech modules.
Works most notably on the Logitech G25, G27, G29 and Driving Force (GT).
'';
};
};
config = lib.mkIf cfg.enable {
boot = {
extraModulePackages = [ kernelPackages.new-lg4ff ];
kernelModules = [ "hid-logitech-new" ];
};
};
meta.maintainers = with lib.maintainers; [ matthiasbenaets ];
}

27
nixos/modules/hardware/nitrokey.nix Normal file
View file

@ -0,0 +1,27 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.nitrokey;
in
{
options.hardware.nitrokey = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enables udev rules for Nitrokey devices. By default grants access
to users in the "nitrokey" group. You may want to install the
nitrokey-app package, depending on your device and needs.
'';
};
};
config = mkIf cfg.enable {
services.udev.packages = [ pkgs.nitrokey-udev-rules ];
};
}

33
nixos/modules/hardware/onlykey/default.nix Normal file
View file

@ -0,0 +1,33 @@
{ config, lib, ... }:
with lib;
{
####### interface
options = {
hardware.onlykey = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable OnlyKey device (https://crp.to/p/) support.
'';
};
};
};
## As per OnlyKey's documentation piece (hhttps://docs.google.com/document/d/1Go_Rs218fKUx-j_JKhddbSVTqY6P0vQO831t2MKCJC8),
## it is important to add udev rule for OnlyKey for it to work on Linux
####### implementation
config = mkIf config.hardware.onlykey.enable {
services.udev.extraRules = builtins.readFile ./onlykey.udev;
};
}

18
nixos/modules/hardware/onlykey/onlykey.udev Normal file
View file

@ -0,0 +1,18 @@
# UDEV Rules for OnlyKey, https://docs.crp.to/linux.html
ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="60fc", ENV{ID_MM_DEVICE_IGNORE}="1"
ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="60fc", ENV{MTP_NO_PROBE}="1"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="60fc", MODE:="0666"
KERNEL=="ttyACM*", ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="60fc", MODE:="0666"
# The udev rules were updated upstream without an explanation as you can
# see in [this comment][commit]. Assuming that hey have changed the
# idVendor/idProduct, I've kept the old values.
# TODO: Contact them upstream.
#
# [commit]: https://github.com/trustcrypto/trustcrypto.github.io/commit/0bcf928adaea559e75efa02ebd1040f0a15f611d
#
ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", GROUP="plugdev"
KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", GROUP="plugdev"

157
nixos/modules/hardware/opengl.nix Normal file
View file

@ -0,0 +1,157 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.opengl;
kernelPackages = config.boot.kernelPackages;
videoDrivers = config.services.xserver.videoDrivers;
package = pkgs.buildEnv {
name = "opengl-drivers";
paths = [ cfg.package ] ++ cfg.extraPackages;
};
package32 = pkgs.buildEnv {
name = "opengl-drivers-32bit";
paths = [ cfg.package32 ] ++ cfg.extraPackages32;
};
in
{
imports = [
(mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ])
(mkRemovedOptionModule [ "hardware" "opengl" "s3tcSupport" ] ''
S3TC support is now always enabled in Mesa.
'')
];
options = {
hardware.opengl = {
enable = mkOption {
description = ''
Whether to enable OpenGL drivers. This is needed to enable
OpenGL support in X11 systems, as well as for Wayland compositors
like sway and Weston. It is enabled by default
by the corresponding modules, so you do not usually have to
set it yourself, only if there is no module for your wayland
compositor of choice. See services.xserver.enable and
programs.sway.enable.
'';
type = types.bool;
default = false;
};
driSupport = mkOption {
type = types.bool;
default = true;
description = ''
Whether to enable accelerated OpenGL rendering through the
Direct Rendering Interface (DRI).
'';
};
driSupport32Bit = mkOption {
type = types.bool;
default = false;
description = ''
On 64-bit systems, whether to support Direct Rendering for
32-bit applications (such as Wine). This is currently only
supported for the <literal>nvidia</literal> as well as
<literal>Mesa</literal>.
'';
};
package = mkOption {
type = types.package;
internal = true;
description = ''
The package that provides the OpenGL implementation.
'';
};
package32 = mkOption {
type = types.package;
internal = true;
description = ''
The package that provides the 32-bit OpenGL implementation on
64-bit systems. Used when <option>driSupport32Bit</option> is
set.
'';
};
extraPackages = mkOption {
type = types.listOf types.package;
default = [];
example = literalExpression "with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ]";
description = ''
Additional packages to add to OpenGL drivers. This can be used
to add OpenCL drivers, VA-API/VDPAU drivers etc.
'';
};
extraPackages32 = mkOption {
type = types.listOf types.package;
default = [];
example = literalExpression "with pkgs.pkgsi686Linux; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]";
description = ''
Additional packages to add to 32-bit OpenGL drivers on
64-bit systems. Used when <option>driSupport32Bit</option> is
set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc.
'';
};
setLdLibraryPath = mkOption {
type = types.bool;
internal = true;
default = false;
description = ''
Whether the <literal>LD_LIBRARY_PATH</literal> environment variable
should be set to the locations of driver libraries. Drivers which
rely on overriding libraries should set this to true. Drivers which
support <literal>libglvnd</literal> and other dispatch libraries
instead of overriding libraries should not set this.
'';
};
};
};
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.driSupport32Bit -> pkgs.stdenv.isx86_64;
message = "Option driSupport32Bit only makes sense on a 64-bit system.";
}
{ assertion = cfg.driSupport32Bit -> (config.boot.kernelPackages.kernel.features.ia32Emulation or false);
message = "Option driSupport32Bit requires a kernel that supports 32bit emulation";
}
];
systemd.tmpfiles.rules = [
"L+ /run/opengl-driver - - - - ${package}"
(
if pkgs.stdenv.isi686 then
"L+ /run/opengl-driver-32 - - - - opengl-driver"
else if cfg.driSupport32Bit then
"L+ /run/opengl-driver-32 - - - - ${package32}"
else
"r /run/opengl-driver-32"
)
];
environment.sessionVariables.LD_LIBRARY_PATH = mkIf cfg.setLdLibraryPath
([ "/run/opengl-driver/lib" ] ++ optional cfg.driSupport32Bit "/run/opengl-driver-32/lib");
hardware.opengl.package = mkDefault pkgs.mesa.drivers;
hardware.opengl.package32 = mkDefault pkgs.pkgsi686Linux.mesa.drivers;
boot.extraModulePackages = optional (elem "virtualbox" videoDrivers) kernelPackages.virtualboxGuestAdditions;
};
}

146
nixos/modules/hardware/openrazer.nix Normal file
View file

@ -0,0 +1,146 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.hardware.openrazer;
kernelPackages = config.boot.kernelPackages;
toPyBoolStr = b: if b then "True" else "False";
daemonExe = "${pkgs.openrazer-daemon}/bin/openrazer-daemon --config ${daemonConfFile}";
daemonConfFile = pkgs.writeTextFile {
name = "razer.conf";
text = ''
[General]
verbose_logging = ${toPyBoolStr cfg.verboseLogging}
[Startup]
sync_effects_enabled = ${toPyBoolStr cfg.syncEffectsEnabled}
devices_off_on_screensaver = ${toPyBoolStr cfg.devicesOffOnScreensaver}
mouse_battery_notifier = ${toPyBoolStr cfg.mouseBatteryNotifier}
[Statistics]
key_statistics = ${toPyBoolStr cfg.keyStatistics}
'';
};
dbusServiceFile = pkgs.writeTextFile rec {
name = "org.razer.service";
destination = "/share/dbus-1/services/${name}";
text = ''
[D-BUS Service]
Name=org.razer
Exec=${daemonExe}
SystemdService=openrazer-daemon.service
'';
};
drivers = [
"razerkbd"
"razermouse"
"razerfirefly"
"razerkraken"
"razermug"
"razercore"
];
in
{
options = {
hardware.openrazer = {
enable = mkEnableOption ''
OpenRazer drivers and userspace daemon.
'';
verboseLogging = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable verbose logging. Logs debug messages.
'';
};
syncEffectsEnabled = mkOption {
type = types.bool;
default = true;
description = ''
Set the sync effects flag to true so any assignment of
effects will work across devices.
'';
};
devicesOffOnScreensaver = mkOption {
type = types.bool;
default = true;
description = ''
Turn off the devices when the systems screensaver kicks in.
'';
};
mouseBatteryNotifier = mkOption {
type = types.bool;
default = true;
description = ''
Mouse battery notifier.
'';
};
keyStatistics = mkOption {
type = types.bool;
default = false;
description = ''
Collects number of keypresses per hour per key used to
generate a heatmap.
'';
};
users = mkOption {
type = with types; listOf str;
default = [];
description = ''
Usernames to be added to the "openrazer" group, so that they
can start and interact with the OpenRazer userspace daemon.
'';
};
};
};
config = mkIf cfg.enable {
boot.extraModulePackages = [ kernelPackages.openrazer ];
boot.kernelModules = drivers;
# Makes the man pages available so you can succesfully run
# > systemctl --user help openrazer-daemon
environment.systemPackages = [ pkgs.python3Packages.openrazer-daemon.man ];
services.udev.packages = [ kernelPackages.openrazer ];
services.dbus.packages = [ dbusServiceFile ];
# A user must be a member of the openrazer group in order to start
# the openrazer-daemon. Therefore we make sure that the group
# exists.
users.groups.openrazer = {
members = cfg.users;
};
systemd.user.services.openrazer-daemon = {
description = "Daemon to manage razer devices in userspace";
unitConfig.Documentation = "man:openrazer-daemon(8)";
# Requires a graphical session so the daemon knows when the screensaver
# starts. See the 'devicesOffOnScreensaver' option.
wantedBy = [ "graphical-session.target" ];
partOf = [ "graphical-session.target" ];
serviceConfig = {
Type = "dbus";
BusName = "org.razer";
ExecStart = "${daemonExe} --foreground";
Restart = "always";
};
};
};
meta = {
maintainers = with lib.maintainers; [ roelvandijk ];
};
}

69
nixos/modules/hardware/opentabletdriver.nix Normal file
View file

@ -0,0 +1,69 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.opentabletdriver;
in
{
meta.maintainers = with lib.maintainers; [ thiagokokada ];
options = {
hardware.opentabletdriver = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enable OpenTabletDriver udev rules, user service and blacklist kernel
modules known to conflict with OpenTabletDriver.
'';
};
blacklistedKernelModules = mkOption {
type = types.listOf types.str;
default = [ "hid-uclogic" "wacom" ];
description = ''
Blacklist of kernel modules known to conflict with OpenTabletDriver.
'';
};
package = mkOption {
type = types.package;
default = pkgs.opentabletdriver;
defaultText = literalExpression "pkgs.opentabletdriver";
description = ''
OpenTabletDriver derivation to use.
'';
};
daemon = {
enable = mkOption {
default = true;
type = types.bool;
description = ''
Whether to start OpenTabletDriver daemon as a systemd user service.
'';
};
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
services.udev.packages = [ cfg.package ];
boot.blacklistedKernelModules = cfg.blacklistedKernelModules;
systemd.user.services.opentabletdriver = with pkgs; mkIf cfg.daemon.enable {
description = "Open source, cross-platform, user-mode tablet driver";
wantedBy = [ "graphical-session.target" ];
partOf = [ "graphical-session.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${cfg.package}/bin/otd-daemon -c ${cfg.package}/lib/OpenTabletDriver/Configurations";
Restart = "on-failure";
};
};
};
}

60
nixos/modules/hardware/pcmcia.nix Normal file
View file

@ -0,0 +1,60 @@
{ config, lib, pkgs, ... }:
with lib;
let
pcmciaUtils = pkgs.pcmciaUtils.passthru.function {
inherit (config.hardware.pcmcia) firmware config;
};
in
{
###### interface
options = {
hardware.pcmcia = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable this option to support PCMCIA card.
'';
};
firmware = mkOption {
type = types.listOf types.path;
default = [];
description = ''
List of firmware used to handle specific PCMCIA card.
'';
};
config = mkOption {
default = null;
type = types.nullOr types.path;
description = ''
Path to the configuration file which maps the memory, IRQs
and ports used by the PCMCIA hardware.
'';
};
};
};
###### implementation
config = mkIf config.hardware.pcmcia.enable {
boot.kernelModules = [ "pcmcia" ];
services.udev.packages = [ pcmciaUtils ];
environment.systemPackages = [ pcmciaUtils ];
};
}

130
nixos/modules/hardware/printers.nix Normal file
View file

@ -0,0 +1,130 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.printers;
ppdOptionsString = options: optionalString (options != {})
(concatStringsSep " "
(mapAttrsToList (name: value: "-o '${name}'='${value}'") options)
);
ensurePrinter = p: ''
${pkgs.cups}/bin/lpadmin -p '${p.name}' -E \
${optionalString (p.location != null) "-L '${p.location}'"} \
${optionalString (p.description != null) "-D '${p.description}'"} \
-v '${p.deviceUri}' \
-m '${p.model}' \
${ppdOptionsString p.ppdOptions}
'';
ensureDefaultPrinter = name: ''
${pkgs.cups}/bin/lpadmin -d '${name}'
'';
# "graph but not # or /" can't be implemented as regex alone due to missing lookahead support
noInvalidChars = str: all (c: c != "#" && c != "/") (stringToCharacters str);
printerName = (types.addCheck (types.strMatching "[[:graph:]]+") noInvalidChars)
// { description = "printable string without spaces, # and /"; };
in {
options = {
hardware.printers = {
ensureDefaultPrinter = mkOption {
type = types.nullOr printerName;
default = null;
description = ''
Ensures the named printer is the default CUPS printer / printer queue.
'';
};
ensurePrinters = mkOption {
description = ''
Will regularly ensure that the given CUPS printers are configured as declared here.
If a printer's options are manually changed afterwards, they will be overwritten eventually.
This option will never delete any printer, even if removed from this list.
You can check existing printers with <command>lpstat -s</command>
and remove printers with <command>lpadmin -x &lt;printer-name&gt;</command>.
Printers not listed here can still be manually configured.
'';
default = [];
type = types.listOf (types.submodule {
options = {
name = mkOption {
type = printerName;
example = "BrotherHL_Workroom";
description = ''
Name of the printer / printer queue.
May contain any printable characters except "/", "#", and space.
'';
};
location = mkOption {
type = types.nullOr types.str;
default = null;
example = "Workroom";
description = ''
Optional human-readable location.
'';
};
description = mkOption {
type = types.nullOr types.str;
default = null;
example = "Brother HL-5140";
description = ''
Optional human-readable description.
'';
};
deviceUri = mkOption {
type = types.str;
example = literalExpression ''
"ipp://printserver.local/printers/BrotherHL_Workroom"
"usb://HP/DESKJET%20940C?serial=CN16E6C364BH"
'';
description = ''
How to reach the printer.
<command>lpinfo -v</command> shows a list of supported device URIs and schemes.
'';
};
model = mkOption {
type = types.str;
example = literalExpression ''
"gutenprint.''${lib.versions.majorMinor (lib.getVersion pkgs.gutenprint)}://brother-hl-5140/expert"
'';
description = ''
Location of the ppd driver file for the printer.
<command>lpinfo -m</command> shows a list of supported models.
'';
};
ppdOptions = mkOption {
type = types.attrsOf types.str;
example = {
PageSize = "A4";
Duplex = "DuplexNoTumble";
};
default = {};
description = ''
Sets PPD options for the printer.
<command>lpoptions [-p printername] -l</command> shows suported PPD options for the given printer.
'';
};
};
});
};
};
};
config = mkIf (cfg.ensurePrinters != [] && config.services.printing.enable) {
systemd.services.ensure-printers = let
cupsUnit = if config.services.printing.startWhenNeeded then "cups.socket" else "cups.service";
in {
description = "Ensure NixOS-configured CUPS printers";
wantedBy = [ "multi-user.target" ];
requires = [ cupsUnit ];
after = [ cupsUnit ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = concatMapStringsSep "\n" ensurePrinter cfg.ensurePrinters
+ optionalString (cfg.ensureDefaultPrinter != null) (ensureDefaultPrinter cfg.ensureDefaultPrinter);
};
};
}

64
nixos/modules/hardware/raid/hpsa.nix Normal file
View file

@ -0,0 +1,64 @@
{ config, lib, pkgs, ... }:
with lib;
let
hpssacli = pkgs.stdenv.mkDerivation rec {
pname = "hpssacli";
version = "2.40-13.0";
src = pkgs.fetchurl {
urls = [
"https://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/${pname}-${version}_amd64.deb"
"http://apt.netangels.net/pool/main/h/hpssacli/${pname}-${version}_amd64.deb"
];
sha256 = "11w7fwk93lmfw0yya4jpjwdmgjimqxx6412sqa166g1pz4jil4sw";
};
nativeBuildInputs = [ pkgs.dpkg ];
unpackPhase = "dpkg -x $src ./";
installPhase = ''
mkdir -p $out/bin $out/share/doc $out/share/man
mv opt/hp/hpssacli/bld/{hpssascripting,hprmstr,hpssacli} $out/bin/
mv opt/hp/hpssacli/bld/*.{license,txt} $out/share/doc/
mv usr/man $out/share/
for file in $out/bin/*; do
chmod +w $file
patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
--set-rpath ${lib.makeLibraryPath [ pkgs.stdenv.cc.cc ]} \
$file
done
'';
dontStrip = true;
meta = with lib; {
description = "HP Smart Array CLI";
homepage = "https://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/";
license = licenses.unfreeRedistributable;
platforms = [ "x86_64-linux" ];
maintainers = with maintainers; [ volth ];
};
};
in {
###### interface
options = {
hardware.raid.HPSmartArray = {
enable = mkEnableOption "HP Smart Array kernel modules and CLI utility";
};
};
###### implementation
config = mkIf config.hardware.raid.HPSmartArray.enable {
boot.initrd.kernelModules = [ "sg" ]; /* hpssacli wants it */
boot.initrd.availableKernelModules = [ "hpsa" ];
environment.systemPackages = [ hpssacli ];
};
}

23
nixos/modules/hardware/rtl-sdr.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, lib, pkgs, ... }:
let
cfg = config.hardware.rtl-sdr;
in {
options.hardware.rtl-sdr = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enables rtl-sdr udev rules, ensures 'plugdev' group exists, and blacklists DVB kernel modules.
This is a prerequisite to using devices supported by rtl-sdr without being root, since rtl-sdr USB descriptors will be owned by plugdev through udev.
'';
};
};
config = lib.mkIf cfg.enable {
boot.blacklistedKernelModules = [ "dvb_usb_rtl28xxu" "e4000" "rtl2832" ];
services.udev.packages = [ pkgs.rtl-sdr ];
users.groups.plugdev = {};
};
}

25
nixos/modules/hardware/saleae-logic.nix Normal file
View file

@ -0,0 +1,25 @@
{ config, lib, pkgs, ... }:
let
cfg = config.hardware.saleae-logic;
in
{
options.hardware.saleae-logic = {
enable = lib.mkEnableOption "udev rules for Saleae Logic devices";
package = lib.mkOption {
type = lib.types.package;
default = pkgs.saleae-logic-2;
defaultText = lib.literalExpression "pkgs.saleae-logic-2";
description = ''
Saleae Logic package to use.
'';
};
};
config = lib.mkIf cfg.enable {
services.udev.packages = [ cfg.package ];
};
meta.maintainers = with lib.maintainers; [ chivay ];
}

100
nixos/modules/hardware/sata.nix Normal file
View file

@ -0,0 +1,100 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkEnableOption mkIf mkOption types;
cfg = config.hardware.sata.timeout;
buildRule = d:
lib.concatStringsSep ", " [
''ACTION=="add"''
''SUBSYSTEM=="block"''
''ENV{ID_${lib.toUpper d.idBy}}=="${d.name}"''
''TAG+="systemd"''
''ENV{SYSTEMD_WANTS}="${unitName d}"''
];
devicePath = device:
"/dev/disk/by-${device.idBy}/${device.name}";
unitName = device:
"sata-timeout-${lib.strings.sanitizeDerivationName device.name}";
startScript =
pkgs.writeShellScript "sata-timeout.sh" ''
set -eEuo pipefail
device="$1"
${pkgs.smartmontools}/bin/smartctl \
-l scterc,${toString cfg.deciSeconds},${toString cfg.deciSeconds} \
--quietmode errorsonly \
"$device"
'';
in
{
meta.maintainers = with lib.maintainers; [ peterhoeg ];
options.hardware.sata.timeout = {
enable = mkEnableOption "SATA drive timeouts";
deciSeconds = mkOption {
example = 70;
type = types.int;
description = ''
Set SCT Error Recovery Control timeout in deciseconds for use in RAID configurations.
Values are as follows:
0 = disable SCT ERT
70 = default in consumer drives (7 seconds)
Maximum is disk dependant but probably 60 seconds.
'';
};
drives = mkOption {
description = "List of drives for which to configure the timeout.";
type = types.listOf
(types.submodule {
options = {
name = mkOption {
description = "Drive name without the full path.";
type = types.str;
};
idBy = mkOption {
description = "The method to identify the drive.";
type = types.enum [ "path" "wwn" ];
default = "path";
};
};
});
};
};
config = mkIf cfg.enable {
services.udev.extraRules = lib.concatMapStringsSep "\n" buildRule cfg.drives;
systemd.services = lib.listToAttrs (map
(e:
lib.nameValuePair (unitName e) {
description = "SATA timeout for ${e.name}";
wantedBy = [ "sata-timeout.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${startScript} '${devicePath e}'";
PrivateTmp = true;
PrivateNetwork = true;
ProtectHome = "tmpfs";
ProtectSystem = "strict";
};
}
)
cfg.drives);
systemd.targets.sata-timeout = {
description = "SATA timeout";
wantedBy = [ "multi-user.target" ];
};
};
}

81
nixos/modules/hardware/sensor/hddtemp.nix Normal file
View file

@ -0,0 +1,81 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf mkOption types;
cfg = config.hardware.sensor.hddtemp;
wrapper = pkgs.writeShellScript "hddtemp-wrapper" ''
set -eEuo pipefail
file=/var/lib/hddtemp/hddtemp.db
drives=(${toString (map (e: ''$(realpath ${lib.escapeShellArg e}) '') cfg.drives)})
cp ${pkgs.hddtemp}/share/hddtemp/hddtemp.db $file
${lib.concatMapStringsSep "\n" (e: "echo ${lib.escapeShellArg e} >> $file") cfg.dbEntries}
exec ${pkgs.hddtemp}/bin/hddtemp ${lib.escapeShellArgs cfg.extraArgs} \
--daemon \
--unit=${cfg.unit} \
--file=$file \
''${drives[@]}
'';
in
{
meta.maintainers = with lib.maintainers; [ peterhoeg ];
###### interface
options = {
hardware.sensor.hddtemp = {
enable = mkOption {
description = ''
Enable this option to support HDD/SSD temperature sensors.
'';
type = types.bool;
default = false;
};
drives = mkOption {
description = "List of drives to monitor. If you pass /dev/disk/by-path/* entries the symlinks will be resolved as hddtemp doesn't like names with colons.";
type = types.listOf types.str;
};
unit = mkOption {
description = "Celcius or Fahrenheit";
type = types.enum [ "C" "F" ];
default = "C";
};
dbEntries = mkOption {
description = "Additional DB entries";
type = types.listOf types.str;
default = [ ];
};
extraArgs = mkOption {
description = "Additional arguments passed to the daemon.";
type = types.listOf types.str;
default = [ ];
};
};
};
###### implementation
config = mkIf cfg.enable {
systemd.services.hddtemp = {
description = "HDD/SSD temperature";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "forking";
ExecStart = wrapper;
StateDirectory = "hddtemp";
PrivateTmp = true;
ProtectHome = "tmpfs";
ProtectSystem = "strict";
};
};
};
}

35
nixos/modules/hardware/sensor/iio.nix Normal file
View file

@ -0,0 +1,35 @@
{ config, lib, pkgs, ... }:
with lib;
{
###### interface
options = {
hardware.sensor.iio = {
enable = mkOption {
description = ''
Enable this option to support IIO sensors with iio-sensor-proxy.
IIO sensors are used for orientation and ambient light
sensors on some mobile devices.
'';
type = types.bool;
default = false;
};
};
};
###### implementation
config = mkIf config.hardware.sensor.iio.enable {
boot.initrd.availableKernelModules = [ "hid-sensor-hub" ];
environment.systemPackages = with pkgs; [ iio-sensor-proxy ];
services.dbus.packages = with pkgs; [ iio-sensor-proxy ];
services.udev.packages = with pkgs; [ iio-sensor-proxy ];
systemd.packages = with pkgs; [ iio-sensor-proxy ];
};
}

32
nixos/modules/hardware/steam-hardware.nix Normal file
View file

@ -0,0 +1,32 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.steam-hardware;
in
{
options.hardware.steam-hardware = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable udev rules for Steam hardware such as the Steam Controller, other supported controllers and the HTC Vive";
};
};
config = mkIf cfg.enable {
services.udev.packages = [
pkgs.steamPackages.steam
];
# The uinput module needs to be loaded in order to trigger the udev rules
# defined in the steam package for setting permissions on /dev/uinput.
#
# If the udev rules are not triggered, some controllers won't work with
# steam.
boot.kernelModules = [ "uinput" ];
};
}

89
nixos/modules/hardware/system-76.nix Normal file
View file

@ -0,0 +1,89 @@
{ config, lib, options, pkgs, ... }:
let
inherit (lib) literalExpression mkOption mkEnableOption types mkIf mkMerge optional versionOlder;
cfg = config.hardware.system76;
opt = options.hardware.system76;
kpkgs = config.boot.kernelPackages;
modules = [ "system76" "system76-io" ] ++ (optional (versionOlder kpkgs.kernel.version "5.5") "system76-acpi");
modulePackages = map (m: kpkgs.${m}) modules;
moduleConfig = mkIf cfg.kernel-modules.enable {
boot.extraModulePackages = modulePackages;
boot.kernelModules = modules;
services.udev.packages = modulePackages;
};
firmware-pkg = pkgs.system76-firmware;
firmwareConfig = mkIf cfg.firmware-daemon.enable {
# Make system76-firmware-cli usable by root from the command line.
environment.systemPackages = [ firmware-pkg ];
services.dbus.packages = [ firmware-pkg ];
systemd.services.system76-firmware-daemon = {
description = "The System76 Firmware Daemon";
serviceConfig = {
ExecStart = "${firmware-pkg}/bin/system76-firmware-daemon";
Restart = "on-failure";
};
wantedBy = [ "multi-user.target" ];
};
};
power-pkg = config.boot.kernelPackages.system76-power;
powerConfig = mkIf cfg.power-daemon.enable {
# Make system76-power usable by root from the command line.
environment.systemPackages = [ power-pkg ];
services.dbus.packages = [ power-pkg ];
systemd.services.system76-power = {
description = "System76 Power Daemon";
serviceConfig = {
ExecStart = "${power-pkg}/bin/system76-power daemon";
Restart = "on-failure";
Type = "dbus";
BusName = "com.system76.PowerDaemon";
};
wantedBy = [ "multi-user.target" ];
};
};
in {
options = {
hardware.system76 = {
enableAll = mkEnableOption "all recommended configuration for system76 systems";
firmware-daemon.enable = mkOption {
default = cfg.enableAll;
defaultText = literalExpression "config.${opt.enableAll}";
example = true;
description = "Whether to enable the system76 firmware daemon";
type = types.bool;
};
kernel-modules.enable = mkOption {
default = cfg.enableAll;
defaultText = literalExpression "config.${opt.enableAll}";
example = true;
description = "Whether to make the system76 out-of-tree kernel modules available";
type = types.bool;
};
power-daemon.enable = mkOption {
default = cfg.enableAll;
defaultText = literalExpression "config.${opt.enableAll}";
example = true;
description = "Whether to enable the system76 power daemon";
type = types.bool;
};
};
};
config = mkMerge [ moduleConfig firmwareConfig powerConfig ];
}

35
nixos/modules/hardware/tuxedo-keyboard.nix Normal file
View file

@ -0,0 +1,35 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.tuxedo-keyboard;
tuxedo-keyboard = config.boot.kernelPackages.tuxedo-keyboard;
in
{
options.hardware.tuxedo-keyboard = {
enable = mkEnableOption ''
Enables the tuxedo-keyboard driver.
To configure the driver, pass the options to the <option>boot.kernelParams</option> configuration.
There are several parameters you can change. It's best to check at the source code description which options are supported.
You can find all the supported parameters at: <link xlink:href="https://github.com/tuxedocomputers/tuxedo-keyboard#kernelparam" />
In order to use the <literal>custom</literal> lighting with the maximumg brightness and a color of <literal>0xff0a0a</literal> one would put pass <option>boot.kernelParams</option> like this:
<programlisting>
boot.kernelParams = [
"tuxedo_keyboard.mode=0"
"tuxedo_keyboard.brightness=255"
"tuxedo_keyboard.color_left=0xff0a0a"
];
</programlisting>
'';
};
config = mkIf cfg.enable
{
boot.kernelModules = ["tuxedo_keyboard"];
boot.extraModulePackages = [ tuxedo-keyboard ];
};
}

29
nixos/modules/hardware/ubertooth.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.ubertooth;
ubertoothPkg = pkgs.ubertooth.override {
udevGroup = cfg.group;
};
in {
options.hardware.ubertooth = {
enable = mkEnableOption "Enable the Ubertooth software and its udev rules.";
group = mkOption {
type = types.str;
default = "ubertooth";
example = "wheel";
description = "Group for Ubertooth's udev rules.";
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ ubertoothPkg ];
services.udev.packages = [ ubertoothPkg ];
users.groups.${cfg.group} = {};
};
}

19
nixos/modules/hardware/uinput.nix Normal file
View file

@ -0,0 +1,19 @@
{ config, pkgs, lib, ... }:
let
cfg = config.hardware.uinput;
in {
options.hardware.uinput = {
enable = lib.mkEnableOption "uinput support";
};
config = lib.mkIf cfg.enable {
boot.kernelModules = [ "uinput" ];
users.groups.uinput = {};
services.udev.extraRules = ''
SUBSYSTEM=="misc", KERNEL=="uinput", MODE="0660", GROUP="uinput", OPTIONS+="static_node=uinput"
'';
};
}

39
nixos/modules/hardware/usb-wwan.nix Normal file
View file

@ -0,0 +1,39 @@
{ config, lib, pkgs, ... }:
with lib;
{
###### interface
options = {
hardware.usbWwan = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable this option to support USB WWAN adapters.
'';
};
};
};
###### implementation
config = mkIf config.hardware.usbWwan.enable {
# Attaches device specific handlers.
services.udev.packages = with pkgs; [ usb-modeswitch-data ];
# Triggered by udev, usb-modeswitch creates systemd services via a
# template unit in the usb-modeswitch package.
systemd.packages = with pkgs; [ usb-modeswitch ];
# The systemd service requires the usb-modeswitch-data. The
# usb-modeswitch package intends to discover this via the
# filesystem at /usr/share/usb_modeswitch, and merge it with user
# configuration in /etc/usb_modeswitch.d. Configuring the correct
# path in the package is difficult, as it would cause a cyclic
# dependency.
environment.etc."usb_modeswitch.d".source = "${pkgs.usb-modeswitch-data}/share/usb_modeswitch";
};
}

71
nixos/modules/hardware/video/amdgpu-pro.nix Normal file
View file

@ -0,0 +1,71 @@
# This module provides the proprietary AMDGPU-PRO drivers.
{ config, lib, pkgs, ... }:
with lib;
let
drivers = config.services.xserver.videoDrivers;
enabled = elem "amdgpu-pro" drivers;
package = config.boot.kernelPackages.amdgpu-pro;
package32 = pkgs.pkgsi686Linux.linuxPackages.amdgpu-pro.override { kernel = null; };
opengl = config.hardware.opengl;
in
{
config = mkIf enabled {
nixpkgs.config.xorg.abiCompat = "1.20";
services.xserver.drivers = singleton
{ name = "amdgpu"; modules = [ package ]; display = true; };
hardware.opengl.package = package;
hardware.opengl.package32 = package32;
hardware.opengl.setLdLibraryPath = true;
boot.extraModulePackages = [ package.kmod ];
boot.kernelPackages = pkgs.linuxKernel.packagesFor
(pkgs.linuxKernel.kernels.linux_5_10.override {
structuredExtraConfig = {
DEVICE_PRIVATE = kernel.yes;
KALLSYMS_ALL = kernel.yes;
};
});
hardware.firmware = [ package.fw ];
system.activationScripts.setup-amdgpu-pro = ''
ln -sfn ${package}/opt/amdgpu{,-pro} /run
'';
system.requiredKernelConfig = with config.lib.kernelConfig; [
(isYes "DEVICE_PRIVATE")
(isYes "KALLSYMS_ALL")
];
boot.initrd.extraUdevRulesCommands = mkIf (!config.boot.initrd.systemd.enable) ''
cp -v ${package}/etc/udev/rules.d/*.rules $out/
'';
boot.initrd.services.udev.packages = [ package ];
environment.systemPackages =
[ package.vulkan ] ++
# this isn't really DRI, but we'll reuse this option for now
optional config.hardware.opengl.driSupport32Bit package32.vulkan;
environment.etc = {
"modprobe.d/blacklist-radeon.conf".source = package + "/etc/modprobe.d/blacklist-radeon.conf";
amd.source = package + "/etc/amd";
};
};
}

93
nixos/modules/hardware/video/bumblebee.nix Normal file
View file

@ -0,0 +1,93 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.bumblebee;
kernel = config.boot.kernelPackages;
useNvidia = cfg.driver == "nvidia";
bumblebee = pkgs.bumblebee.override {
inherit useNvidia;
useDisplayDevice = cfg.connectDisplay;
};
useBbswitch = cfg.pmMethod == "bbswitch" || cfg.pmMethod == "auto" && useNvidia;
primus = pkgs.primus.override {
inherit useNvidia;
};
in
{
options = {
hardware.bumblebee = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enable the bumblebee daemon to manage Optimus hybrid video cards.
This should power off secondary GPU until its use is requested
by running an application with optirun.
'';
};
group = mkOption {
default = "wheel";
example = "video";
type = types.str;
description = "Group for bumblebee socket";
};
connectDisplay = mkOption {
default = false;
type = types.bool;
description = ''
Set to true if you intend to connect your discrete card to a
monitor. This option will set up your Nvidia card for EDID
discovery and to turn on the monitor signal.
Only nvidia driver is supported so far.
'';
};
driver = mkOption {
default = "nvidia";
type = types.enum [ "nvidia" "nouveau" ];
description = ''
Set driver used by bumblebeed. Supported are nouveau and nvidia.
'';
};
pmMethod = mkOption {
default = "auto";
type = types.enum [ "auto" "bbswitch" "switcheroo" "none" ];
description = ''
Set preferred power management method for unused card.
'';
};
};
};
config = mkIf cfg.enable {
boot.blacklistedKernelModules = [ "nvidia-drm" "nvidia" "nouveau" ];
boot.kernelModules = optional useBbswitch "bbswitch";
boot.extraModulePackages = optional useBbswitch kernel.bbswitch ++ optional useNvidia kernel.nvidia_x11.bin;
environment.systemPackages = [ bumblebee primus ];
systemd.services.bumblebeed = {
description = "Bumblebee Hybrid Graphics Switcher";
wantedBy = [ "multi-user.target" ];
before = [ "display-manager.service" ];
serviceConfig = {
ExecStart = "${bumblebee}/bin/bumblebeed --use-syslog -g ${cfg.group} --driver ${cfg.driver} --pm-method ${cfg.pmMethod}";
};
};
};
}

56
nixos/modules/hardware/video/capture/mwprocapture.nix Normal file
View file

@ -0,0 +1,56 @@
{ config, lib, ... }:
with lib;
let
cfg = config.hardware.mwProCapture;
kernelPackages = config.boot.kernelPackages;
in
{
options.hardware.mwProCapture.enable = mkEnableOption "Magewell Pro Capture family kernel module";
config = mkIf cfg.enable {
boot.kernelModules = [ "ProCapture" ];
environment.systemPackages = [ kernelPackages.mwprocapture ];
boot.extraModulePackages = [ kernelPackages.mwprocapture ];
boot.extraModprobeConfig = ''
# Set the png picture to be displayed when no input signal is detected.
options ProCapture nosignal_file=${kernelPackages.mwprocapture}/res/NoSignal.png
# Set the png picture to be displayed when an unsupported input signal is detected.
options ProCapture unsupported_file=${kernelPackages.mwprocapture}/res/Unsupported.png
# Set the png picture to be displayed when an loking input signal is detected.
options ProCapture locking_file=${kernelPackages.mwprocapture}/res/Locking.png
# Message signaled interrupts switch
#options ProCapture disable_msi=0
# Set the debug level
#options ProCapture debug_level=0
# Force init switch eeprom
#options ProCapture init_switch_eeprom=0
# Min frame interval for VIDIOC_ENUM_FRAMEINTERVALS (default: 166666(100ns))
#options ProCapture enum_frameinterval_min=166666
# VIDIOC_ENUM_FRAMESIZES type (1: DISCRETE; 2: STEPWISE; otherwise: CONTINUOUS )
#options ProCapture enum_framesizes_type=0
# Parameters for internal usage
#options ProCapture internal_params=""
'';
};
}

76
nixos/modules/hardware/video/displaylink.nix Normal file
View file

@ -0,0 +1,76 @@
{ config, lib, pkgs, ... }:
with lib;
let
enabled = elem "displaylink" config.services.xserver.videoDrivers;
evdi = config.boot.kernelPackages.evdi;
displaylink = pkgs.displaylink.override {
inherit evdi;
};
in
{
config = mkIf enabled {
boot.extraModulePackages = [ evdi ];
boot.kernelModules = [ "evdi" ];
environment.etc."X11/xorg.conf.d/40-displaylink.conf".text = ''
Section "OutputClass"
Identifier "DisplayLink"
MatchDriver "evdi"
Driver "modesetting"
Option "AccelMethod" "none"
EndSection
'';
# make the device available
services.xserver.displayManager.sessionCommands = ''
${lib.getBin pkgs.xorg.xrandr}/bin/xrandr --setprovideroutputsource 1 0
'';
# Those are taken from displaylink-installer.sh and from Arch Linux AUR package.
services.udev.packages = [ displaylink ];
powerManagement.powerDownCommands = ''
#flush any bytes in pipe
while read -n 1 -t 1 SUSPEND_RESULT < /tmp/PmMessagesPort_out; do : ; done;
#suspend DisplayLinkManager
echo "S" > /tmp/PmMessagesPort_in
#wait until suspend of DisplayLinkManager finish
if [ -f /tmp/PmMessagesPort_out ]; then
#wait until suspend of DisplayLinkManager finish
read -n 1 -t 10 SUSPEND_RESULT < /tmp/PmMessagesPort_out
fi
'';
powerManagement.resumeCommands = ''
#resume DisplayLinkManager
echo "R" > /tmp/PmMessagesPort_in
'';
systemd.services.dlm = {
description = "DisplayLink Manager Service";
after = [ "display-manager.service" ];
conflicts = [ "getty@tty7.service" ];
serviceConfig = {
ExecStart = "${displaylink}/bin/DisplayLinkManager";
Restart = "always";
RestartSec = 5;
LogsDirectory = "displaylink";
};
};
};
}

16
nixos/modules/hardware/video/hidpi.nix Normal file
View file

@ -0,0 +1,16 @@
{ lib, pkgs, config, ...}:
with lib;
{
options.hardware.video.hidpi.enable = mkEnableOption "Font/DPI configuration optimized for HiDPI displays";
config = mkIf config.hardware.video.hidpi.enable {
console.font = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-v32n.psf.gz";
# Needed when typing in passwords for full disk encryption
console.earlySetup = mkDefault true;
boot.loader.systemd-boot.consoleMode = mkDefault "1";
# TODO Find reasonable defaults X11 & wayland
};
}

416
nixos/modules/hardware/video/nvidia.nix Normal file
View file

@ -0,0 +1,416 @@
# This module provides the proprietary NVIDIA X11 / OpenGL drivers.
{ config, lib, pkgs, ... }:
with lib;
let
nvidia_x11 = let
drivers = config.services.xserver.videoDrivers;
isDeprecated = str: (hasPrefix "nvidia" str) && (str != "nvidia");
hasDeprecated = drivers: any isDeprecated drivers;
in if (hasDeprecated drivers) then
throw ''
Selecting an nvidia driver has been modified for NixOS 19.03. The version is now set using `hardware.nvidia.package`.
''
else if (elem "nvidia" drivers) then cfg.package else null;
enabled = nvidia_x11 != null;
cfg = config.hardware.nvidia;
pCfg = cfg.prime;
syncCfg = pCfg.sync;
offloadCfg = pCfg.offload;
primeEnabled = syncCfg.enable || offloadCfg.enable;
nvidiaPersistencedEnabled = cfg.nvidiaPersistenced;
nvidiaSettings = cfg.nvidiaSettings;
busIDType = types.strMatching "([[:print:]]+\:[0-9]{1,3}\:[0-9]{1,2}\:[0-9])?";
in
{
imports =
[
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "enable" ] [ "hardware" "nvidia" "prime" "sync" "enable" ])
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "allowExternalGpu" ] [ "hardware" "nvidia" "prime" "sync" "allowExternalGpu" ])
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "nvidiaBusId" ] [ "hardware" "nvidia" "prime" "nvidiaBusId" ])
(mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "intelBusId" ] [ "hardware" "nvidia" "prime" "intelBusId" ])
];
options = {
hardware.nvidia.powerManagement.enable = mkOption {
type = types.bool;
default = false;
description = ''
Experimental power management through systemd. For more information, see
the NVIDIA docs, on Chapter 21. Configuring Power Management Support.
'';
};
hardware.nvidia.powerManagement.finegrained = mkOption {
type = types.bool;
default = false;
description = ''
Experimental power management of PRIME offload. For more information, see
the NVIDIA docs, chapter 22. PCI-Express runtime power management.
'';
};
hardware.nvidia.modesetting.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable kernel modesetting when using the NVIDIA proprietary driver.
Enabling this fixes screen tearing when using Optimus via PRIME (see
<option>hardware.nvidia.prime.sync.enable</option>. This is not enabled
by default because it is not officially supported by NVIDIA and would not
work with SLI.
'';
};
hardware.nvidia.prime.nvidiaBusId = mkOption {
type = busIDType;
default = "";
example = "PCI:1:0:0";
description = ''
Bus ID of the NVIDIA GPU. You can find it using lspci; for example if lspci
shows the NVIDIA GPU at "01:00.0", set this option to "PCI:1:0:0".
'';
};
hardware.nvidia.prime.intelBusId = mkOption {
type = busIDType;
default = "";
example = "PCI:0:2:0";
description = ''
Bus ID of the Intel GPU. You can find it using lspci; for example if lspci
shows the Intel GPU at "00:02.0", set this option to "PCI:0:2:0".
'';
};
hardware.nvidia.prime.amdgpuBusId = mkOption {
type = busIDType;
default = "";
example = "PCI:4:0:0";
description = ''
Bus ID of the AMD APU. You can find it using lspci; for example if lspci
shows the AMD APU at "04:00.0", set this option to "PCI:4:0:0".
'';
};
hardware.nvidia.prime.sync.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable NVIDIA Optimus support using the NVIDIA proprietary driver via PRIME.
If enabled, the NVIDIA GPU will be always on and used for all rendering,
while enabling output to displays attached only to the integrated Intel GPU
without a multiplexer.
Note that this option only has any effect if the "nvidia" driver is specified
in <option>services.xserver.videoDrivers</option>, and it should preferably
be the only driver there.
If this is enabled, then the bus IDs of the NVIDIA and Intel GPUs have to be
specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
<option>hardware.nvidia.prime.intelBusId</option>).
If you enable this, you may want to also enable kernel modesetting for the
NVIDIA driver (<option>hardware.nvidia.modesetting.enable</option>) in order
to prevent tearing.
Note that this configuration will only be successful when a display manager
for which the <option>services.xserver.displayManager.setupCommands</option>
option is supported is used.
'';
};
hardware.nvidia.prime.sync.allowExternalGpu = mkOption {
type = types.bool;
default = false;
description = ''
Configure X to allow external NVIDIA GPUs when using optimus.
'';
};
hardware.nvidia.prime.offload.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable render offload support using the NVIDIA proprietary driver via PRIME.
If this is enabled, then the bus IDs of the NVIDIA and Intel GPUs have to be
specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
<option>hardware.nvidia.prime.intelBusId</option>).
'';
};
hardware.nvidia.nvidiaSettings = mkOption {
default = true;
type = types.bool;
description = ''
Whether to add nvidia-settings, NVIDIA's GUI configuration tool, to
systemPackages.
'';
};
hardware.nvidia.nvidiaPersistenced = mkOption {
default = false;
type = types.bool;
description = ''
Update for NVIDA GPU headless mode, i.e. nvidia-persistenced. It ensures all
GPUs stay awake even during headless mode.
'';
};
hardware.nvidia.forceFullCompositionPipeline = lib.mkOption {
default = false;
type = types.bool;
description = ''
Whether to force-enable the full composition pipeline.
This sometimes fixes screen tearing issues.
This has been reported to reduce the performance of some OpenGL applications and may produce issues in WebGL.
It also drastically increases the time the driver needs to clock down after load.
'';
};
hardware.nvidia.package = lib.mkOption {
type = types.package;
default = config.boot.kernelPackages.nvidiaPackages.stable;
defaultText = literalExpression "config.boot.kernelPackages.nvidiaPackages.stable";
description = ''
The NVIDIA X11 derivation to use.
'';
example = literalExpression "config.boot.kernelPackages.nvidiaPackages.legacy_340";
};
};
config = let
igpuDriver = if pCfg.intelBusId != "" then "modesetting" else "amdgpu";
igpuBusId = if pCfg.intelBusId != "" then pCfg.intelBusId else pCfg.amdgpuBusId;
in mkIf enabled {
assertions = [
{
assertion = primeEnabled -> pCfg.intelBusId == "" || pCfg.amdgpuBusId == "";
message = ''
You cannot configure both an Intel iGPU and an AMD APU. Pick the one corresponding to your processor.
'';
}
{
assertion = primeEnabled -> pCfg.nvidiaBusId != "" && (pCfg.intelBusId != "" || pCfg.amdgpuBusId != "");
message = ''
When NVIDIA PRIME is enabled, the GPU bus IDs must configured.
'';
}
{
assertion = offloadCfg.enable -> versionAtLeast nvidia_x11.version "435.21";
message = "NVIDIA PRIME render offload is currently only supported on versions >= 435.21.";
}
{
assertion = !(syncCfg.enable && offloadCfg.enable);
message = "Only one NVIDIA PRIME solution may be used at a time.";
}
{
assertion = !(syncCfg.enable && cfg.powerManagement.finegrained);
message = "Sync precludes powering down the NVIDIA GPU.";
}
{
assertion = cfg.powerManagement.finegrained -> offloadCfg.enable;
message = "Fine-grained power management requires offload to be enabled.";
}
{
assertion = cfg.powerManagement.enable -> (
builtins.pathExists (cfg.package.out + "/bin/nvidia-sleep.sh") &&
builtins.pathExists (cfg.package.out + "/lib/systemd/system-sleep/nvidia")
);
message = "Required files for driver based power management don't exist.";
}
];
# If Optimus/PRIME is enabled, we:
# - Specify the configured NVIDIA GPU bus ID in the Device section for the
# "nvidia" driver.
# - Add the AllowEmptyInitialConfiguration option to the Screen section for the
# "nvidia" driver, in order to allow the X server to start without any outputs.
# - Add a separate Device section for the Intel GPU, using the "modesetting"
# driver and with the configured BusID.
# - OR add a separate Device section for the AMD APU, using the "amdgpu"
# driver and with the configures BusID.
# - Reference that Device section from the ServerLayout section as an inactive
# device.
# - Configure the display manager to run specific `xrandr` commands which will
# configure/enable displays connected to the Intel iGPU / AMD APU.
services.xserver.useGlamor = mkDefault offloadCfg.enable;
services.xserver.drivers = let
in optional primeEnabled {
name = igpuDriver;
display = offloadCfg.enable;
modules = optional (igpuDriver == "amdgpu") [ pkgs.xorg.xf86videoamdgpu ];
deviceSection = ''
BusID "${igpuBusId}"
${optionalString (syncCfg.enable && igpuDriver != "amdgpu") ''Option "AccelMethod" "none"''}
'';
} ++ singleton {
name = "nvidia";
modules = [ nvidia_x11.bin ];
display = !offloadCfg.enable;
deviceSection = optionalString primeEnabled
''
BusID "${pCfg.nvidiaBusId}"
${optionalString syncCfg.allowExternalGpu "Option \"AllowExternalGpus\""}
'';
screenSection =
''
Option "RandRRotation" "on"
'' + optionalString syncCfg.enable ''
Option "AllowEmptyInitialConfiguration"
'' + optionalString cfg.forceFullCompositionPipeline ''
Option "metamodes" "nvidia-auto-select +0+0 {ForceFullCompositionPipeline=On}"
Option "AllowIndirectGLXProtocol" "off"
Option "TripleBuffer" "on"
''
;
};
services.xserver.serverLayoutSection = optionalString syncCfg.enable ''
Inactive "Device-${igpuDriver}[0]"
'' + optionalString offloadCfg.enable ''
Option "AllowNVIDIAGPUScreens"
'';
services.xserver.displayManager.setupCommands = let
sinkGpuProviderName = if igpuDriver == "amdgpu" then
# find the name of the provider if amdgpu
"`${pkgs.xorg.xrandr}/bin/xrandr --listproviders | ${pkgs.gnugrep}/bin/grep -i AMD | ${pkgs.gnused}/bin/sed -n 's/^.*name://p'`"
else
igpuDriver;
in optionalString syncCfg.enable ''
# Added by nvidia configuration module for Optimus/PRIME.
${pkgs.xorg.xrandr}/bin/xrandr --setprovideroutputsource "${sinkGpuProviderName}" NVIDIA-0
${pkgs.xorg.xrandr}/bin/xrandr --auto
'';
environment.etc."nvidia/nvidia-application-profiles-rc" = mkIf nvidia_x11.useProfiles {
source = "${nvidia_x11.bin}/share/nvidia/nvidia-application-profiles-rc";
};
# 'nvidia_x11' installs it's files to /run/opengl-driver/...
environment.etc."egl/egl_external_platform.d".source =
"/run/opengl-driver/share/egl/egl_external_platform.d/";
hardware.opengl.extraPackages = [
nvidia_x11.out
pkgs.nvidia-vaapi-driver
];
hardware.opengl.extraPackages32 = [
nvidia_x11.lib32
pkgs.pkgsi686Linux.nvidia-vaapi-driver
];
environment.systemPackages = [ nvidia_x11.bin ]
++ optionals cfg.nvidiaSettings [ nvidia_x11.settings ]
++ optionals nvidiaPersistencedEnabled [ nvidia_x11.persistenced ];
systemd.packages = optional cfg.powerManagement.enable nvidia_x11.out;
systemd.services = let
baseNvidiaService = state: {
description = "NVIDIA system ${state} actions";
path = with pkgs; [ kbd ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${nvidia_x11.out}/bin/nvidia-sleep.sh '${state}'";
};
};
nvidiaService = sleepState: (baseNvidiaService sleepState) // {
before = [ "systemd-${sleepState}.service" ];
requiredBy = [ "systemd-${sleepState}.service" ];
};
services = (builtins.listToAttrs (map (t: nameValuePair "nvidia-${t}" (nvidiaService t)) ["hibernate" "suspend"]))
// {
nvidia-resume = (baseNvidiaService "resume") // {
after = [ "systemd-suspend.service" "systemd-hibernate.service" ];
requiredBy = [ "systemd-suspend.service" "systemd-hibernate.service" ];
};
};
in optionalAttrs cfg.powerManagement.enable services
// optionalAttrs nvidiaPersistencedEnabled {
"nvidia-persistenced" = mkIf nvidiaPersistencedEnabled {
description = "NVIDIA Persistence Daemon";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "forking";
Restart = "always";
PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid";
ExecStart = "${nvidia_x11.persistenced}/bin/nvidia-persistenced --verbose";
ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced";
};
};
};
systemd.tmpfiles.rules = optional config.virtualisation.docker.enableNvidia
"L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin"
++ optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia)
"L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced";
boot.extraModulePackages = [ nvidia_x11.bin ];
# nvidia-uvm is required by CUDA applications.
boot.kernelModules = [ "nvidia-uvm" ] ++
optionals config.services.xserver.enable [ "nvidia" "nvidia_modeset" "nvidia_drm" ];
# If requested enable modesetting via kernel parameter.
boot.kernelParams = optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1"
++ optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1";
services.udev.extraRules =
''
# Create /dev/nvidia-uvm when the nvidia-uvm module is loaded.
KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c 195 255'"
KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c 195 254'"
KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", PROGRAM="${pkgs.gnugrep}/bin/grep 'Device Minor:' /proc/driver/nvidia/gpus/%b/information", \
RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%c{3} c 195 %c{3}"
KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'"
KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 1'"
'' + optionalString cfg.powerManagement.finegrained (
optionalString (versionOlder config.boot.kernelPackages.kernel.version "5.5") ''
# Remove NVIDIA USB xHCI Host Controller devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{remove}="1"
# Remove NVIDIA USB Type-C UCSI devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", ATTR{remove}="1"
# Remove NVIDIA Audio devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{remove}="1"
'' + ''
# Enable runtime PM for NVIDIA VGA/3D controller devices on driver bind
ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="auto"
ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="auto"
# Disable runtime PM for NVIDIA VGA/3D controller devices on driver unbind
ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="on"
ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="on"
'');
boot.extraModprobeConfig = mkIf cfg.powerManagement.finegrained ''
options nvidia "NVreg_DynamicPowerManagement=0x02"
'';
boot.blacklistedKernelModules = [ "nouveau" "nvidiafb" ];
services.acpid.enable = true;
};
}

3
nixos/modules/hardware/video/radeon.nix Normal file
View file

@ -0,0 +1,3 @@
{
hardware.enableRedistributableFirmware = true;
}

18
nixos/modules/hardware/video/switcheroo-control.nix Normal file
View file

@ -0,0 +1,18 @@
{ config, pkgs, lib, ... }:
with lib;
let
pkg = [ pkgs.switcheroo-control ];
cfg = config.services.switcherooControl;
in {
options.services.switcherooControl = {
enable = mkEnableOption "switcheroo-control, a D-Bus service to check the availability of dual-GPU";
};
config = mkIf cfg.enable {
services.dbus.packages = pkg;
environment.systemPackages = pkg;
systemd.packages = pkg;
systemd.targets.multi-user.wants = [ "switcheroo-control.service" ];
};
}

64
nixos/modules/hardware/video/uvcvideo/default.nix Normal file
View file

@ -0,0 +1,64 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.uvcvideo;
uvcdynctrl-udev-rules = packages: pkgs.callPackage ./uvcdynctrl-udev-rules.nix {
drivers = packages;
udevDebug = false;
};
in
{
options = {
services.uvcvideo.dynctrl = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable <command>uvcvideo</command> dynamic controls.
Note that enabling this brings the <command>uvcdynctrl</command> tool
into your environment and register all dynamic controls from
specified <command>packages</command> to the <command>uvcvideo</command> driver.
'';
};
packages = mkOption {
type = types.listOf types.path;
example = literalExpression "[ pkgs.tiscamera ]";
description = ''
List of packages containing <command>uvcvideo</command> dynamic controls
rules. All files found in
<filename><replaceable>pkg</replaceable>/share/uvcdynctrl/data</filename>
will be included.
Note that these will serve as input to the <command>libwebcam</command>
package which through its own <command>udev</command> rule will register
the dynamic controls from specified packages to the <command>uvcvideo</command>
driver.
'';
apply = map getBin;
};
};
};
config = mkIf cfg.dynctrl.enable {
services.udev.packages = [
(uvcdynctrl-udev-rules cfg.dynctrl.packages)
];
environment.systemPackages = [
pkgs.libwebcam
];
};
}

Some files were not shown because too many files have changed in this diff Show more