Merge commit '18aa59b0f26fc707e7313f8467e67159e61600c2' from master i…

…nto staging There was one conflict in the NixOS manual; I checked that it still built after resolving it.
NixOS · Apr 1, 2019 · 4ccb740 · 4ccb740
2 parents 7551417 + 18aa59b
commit 4ccb740
Show file tree

Hide file tree

Showing 319 changed files with 5,658 additions and 2,611 deletions.
diff --git a/doc/Makefile b/doc/Makefile
@@ -78,15 +78,14 @@ manual-full.xml: ${MD_TARGETS} .version functions/library/locations.xml function
 	nix-instantiate --eval \
 		-E '(import ../lib).version' > .version
 
-function_locations := $(shell nix-build --no-out-link ./lib-function-locations.nix)
-
 functions/library/locations.xml:
-	ln -s $(function_locations) ./functions/library/locations.xml
+	nix-build ./lib-function-locations.nix \
+		--out-link $@
 
-functions/library/generated:
+functions/library/generated: functions/library/locations.xml
 	nix-build ./lib-function-docs.nix \
-		--arg locationsXml $(function_locations)\
-		--out-link ./functions/library/generated
+		--arg locationsXml $< \
+		--out-link $@
 
 %.section.xml: %.section.md
 	pandoc $^ -w docbook+smart \

diff --git a/doc/cross-compilation.xml b/doc/cross-compilation.xml
diff --git a/doc/reviewing-contributions.xml b/doc/reviewing-contributions.xml
@@ -189,7 +189,8 @@ $ git rebase --onto nixos-unstable BASEBRANCH FETCH_HEAD <co
      </listitem>
      <listitem>
       <para>
-       The <link xlink:href="https://github.com/Mic92/nix-review">nix-review</link>
+       The
+       <link xlink:href="https://github.com/Mic92/nix-review">nix-review</link>
        tool can be used to review a pull request content in a single command.
        <varname>PRNUMBER</varname> should be replaced by the number at the end
        of the pull request title. You can also provide the full github pull

diff --git a/doc/stdenv.xml b/doc/stdenv.xml
@@ -222,9 +222,10 @@ genericBuild
    </footnote>
    But even if one is not cross compiling, the platforms imply whether or not
    the dependency is needed at run-time or build-time, a concept that makes
-   perfect sense outside of cross compilation. For now, the run-time/build-time
-   distinction is just a hint for mental clarity, but in the future it perhaps
-   could be enforced.
+   perfect sense outside of cross compilation. By default, the
+   run-time/build-time distinction is just a hint for mental clarity, but with
+   <varname>strictDeps</varname> set it is mostly enforced even in the native
+   case.
   </para>
 
   <para>
@@ -348,7 +349,10 @@ let f(h, h + 1, i) = i + h
   <para>
    Overall, the unifying theme here is that propagation shouldn't be
    introducing transitive dependencies involving platforms the depending
-   package is unaware of. The offset bounds checking and definition of
+   package is unaware of. [One can imagine the dependending package asking for
+   dependencies with the platforms it knows about; other platforms it doesn't
+   know how to ask for. The platform description in that scenario is a kind of
+   unforagable capability.] The offset bounds checking and definition of
    <function>mapOffset</function> together ensure that this is the case.
    Discovering a new offset is discovering a new platform, and since those
    platforms weren't in the derivation "spec" of the needing package, they
@@ -2633,21 +2637,20 @@ addEnvHooks "$hostOffset" myBashFunction
        happens. It prevents nix from cleaning up the build environment
        immediately and allows the user to attach to a build environment using
        the <command>cntr</command> command. Upon build error it will print
-       instructions on how to use <command>cntr</command>, which can be used
-       to enter the environment for debugging. Installing cntr and
-       running the command will provide shell access to the build sandbox of
-       failed build. At <filename>/var/lib/cntr</filename> the sandboxed
-       filesystem is mounted. All commands and files of the system are still
-       accessible within the shell. To execute commands from the sandbox use
-       the cntr exec subcommand. Note that <command>cntr</command> also needs
-       to be executed on the machine that is doing the build, which might not
-       be the case when remote builders are enabled. <command>cntr</command> is
-       only supported on Linux-based platforms. To use it first add
-       <literal>cntr</literal> to your
-       <literal>environment.systemPackages</literal> on NixOS or alternatively
-       to the root user on non-NixOS systems. Then in the package that is
-       supposed to be inspected, add <literal>breakpointHook</literal> to
-       <literal>nativeBuildInputs</literal>.
+       instructions on how to use <command>cntr</command>, which can be used to
+       enter the environment for debugging. Installing cntr and running the
+       command will provide shell access to the build sandbox of failed build.
+       At <filename>/var/lib/cntr</filename> the sandboxed filesystem is
+       mounted. All commands and files of the system are still accessible
+       within the shell. To execute commands from the sandbox use the cntr exec
+       subcommand. Note that <command>cntr</command> also needs to be executed
+       on the machine that is doing the build, which might not be the case when
+       remote builders are enabled. <command>cntr</command> is only supported
+       on Linux-based platforms. To use it first add <literal>cntr</literal> to
+       your <literal>environment.systemPackages</literal> on NixOS or
+       alternatively to the root user on non-NixOS systems. Then in the package
+       that is supposed to be inspected, add <literal>breakpointHook</literal>
+       to <literal>nativeBuildInputs</literal>.
 <programlisting>
          nativeBuildInputs = [ breakpointHook ];
        </programlisting>

diff --git a/doc/submitting-changes.xml b/doc/submitting-changes.xml
@@ -354,23 +354,22 @@ Additional information.
    <title>Tested compilation of all pkgs that depend on this change using <command>nix-review</command></title>
 
    <para>
-    If you are updating a package's version, you can use nix-review to make sure all
-    packages that depend on the updated package still compile correctly.
-    The <command>nix-review</command> utility can look for and build all dependencies
-    either based on uncommited changes with the <literal>wip</literal> option or
-    specifying a github pull request number.
+    If you are updating a package's version, you can use nix-review to make
+    sure all packages that depend on the updated package still compile
+    correctly. The <command>nix-review</command> utility can look for and build
+    all dependencies either based on uncommited changes with the
+    <literal>wip</literal> option or specifying a github pull request number.
    </para>
 
    <para>
-     review changes from pull request number 12345:
-     <screen>nix-shell -p nix-review --run "nix-review pr 12345"</screen>
+    review changes from pull request number 12345:
+<screen>nix-shell -p nix-review --run "nix-review pr 12345"</screen>
    </para>
 
    <para>
-     review uncommitted changes:
-     <screen>nix-shell -p nix-review --run "nix-review wip"</screen>
+    review uncommitted changes:
+<screen>nix-shell -p nix-review --run "nix-review wip"</screen>
    </para>
-
   </section>
 
   <section xml:id="submitting-changes-tested-execution">

diff --git a/nixos/doc/manual/configuration/declarative-packages.xml b/nixos/doc/manual/configuration/declarative-packages.xml
@@ -27,8 +27,13 @@ nixos.firefox   firefox-23.0   Mozilla Firefox - the browser, reloaded
 <replaceable>...</replaceable>
 </screen>
   The first column in the output is the <emphasis>attribute name</emphasis>,
-  such as <literal>nixos.thunderbird</literal>. (The <literal>nixos</literal>
-  prefix allows distinguishing between different channels that you might have.)
+  such as <literal>nixos.thunderbird</literal>.
+ </para>
+ <para>
+  Note: the <literal>nixos</literal> prefix tells us that we want to get the
+  package from the <literal>nixos</literal> channel and works only in CLI tools.
+
+  In declarative configuration use <literal>pkgs</literal> prefix (variable).
  </para>
 
  <para>

diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml
@@ -55,6 +55,23 @@
   </para>
 
   <itemizedlist>
+   <listitem>
+    <para>
+     Buildbot no longer supports Python 2, as support was dropped upstream in
+     version 2.0.0. Configurations may need to be modified to make them
+     compatible with Python 3.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     PostgreSQL now uses
+     <filename class="directory">/run/postgresql</filename> as its socket
+     directory instead of <filename class="directory">/tmp</filename>. So
+     if you run an application like eg. Nextcloud, where you need to use
+     the Unix socket path as the database host name, you need to change it
+     accordingly.
+    </para>
+   </listitem>
    <listitem>
     <para>
       The NetworkManager systemd unit was renamed back from network-manager.service to

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -880,6 +880,7 @@
   ./virtualisation/container-config.nix
   ./virtualisation/containers.nix
   ./virtualisation/docker.nix
+  ./virtualisation/docker-containers.nix
   ./virtualisation/ecs-agent.nix
   ./virtualisation/libvirtd.nix
   ./virtualisation/lxc.nix

diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix
@@ -76,7 +76,7 @@ in
       };
 
       failmode = mkOption {
-        type = types.enum [ "safe" "enum" ];
+        type = types.enum [ "safe" "secure" ];
         default = "safe";
         description = ''
           On service or configuration errors that prevent Duo

diff --git a/nixos/modules/services/continuous-integration/buildbot/master.nix b/nixos/modules/services/continuous-integration/buildbot/master.nix
@@ -199,10 +199,10 @@ in {
 
       package = mkOption {
         type = types.package;
-        default = pkgs.pythonPackages.buildbot-full;
-        defaultText = "pkgs.pythonPackages.buildbot-full";
+        default = pkgs.python3Packages.buildbot-full;
+        defaultText = "pkgs.python3Packages.buildbot-full";
         description = "Package to use for buildbot.";
-        example = literalExample "pkgs.python3Packages.buildbot-full";
+        example = literalExample "pkgs.python3Packages.buildbot";
       };
 
       packages = mkOption {

diff --git a/nixos/modules/services/continuous-integration/buildbot/worker.nix b/nixos/modules/services/continuous-integration/buildbot/worker.nix
@@ -118,10 +118,10 @@ in {
 
       package = mkOption {
         type = types.package;
-        default = pkgs.pythonPackages.buildbot-worker;
-        defaultText = "pkgs.pythonPackages.buildbot-worker";
+        default = pkgs.python3Packages.buildbot-worker;
+        defaultText = "pkgs.python3Packages.buildbot-worker";
         description = "Package to use for buildbot worker.";
-        example = literalExample "pkgs.python3Packages.buildbot-worker";
+        example = literalExample "pkgs.python2Packages.buildbot-worker";
       };
 
       packages = mkOption {

diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
@@ -238,6 +238,7 @@ in
             User = "postgres";
             Group = "postgres";
             PermissionsStartOnly = true;
+            RuntimeDirectory = "postgresql";
             Type = if lib.versionAtLeast cfg.package.version "9.6"
                    then "notify"
                    else "simple";

diff --git a/nixos/modules/services/desktops/gsignond.nix b/nixos/modules/services/desktops/gsignond.nix
@@ -9,6 +9,8 @@ let
 in
 {
 
+  meta.maintainers = pkgs.pantheon.maintainers;
+
   ###### interface
 
   options = {

diff --git a/nixos/modules/services/desktops/pantheon/contractor.nix b/nixos/modules/services/desktops/pantheon/contractor.nix
@@ -6,6 +6,8 @@ with lib;
 
 {
 
+  meta.maintainers = pkgs.pantheon.maintainers;
+
   ###### interface
 
   options = {

diff --git a/nixos/modules/services/desktops/pantheon/files.nix b/nixos/modules/services/desktops/pantheon/files.nix
@@ -6,6 +6,8 @@ with lib;
 
 {
 
+  meta.maintainers = pkgs.pantheon.maintainers;
+
   ###### interface
 
   options = {

diff --git a/nixos/modules/services/misc/docker-registry.nix b/nixos/modules/services/misc/docker-registry.nix
@@ -14,9 +14,10 @@ let
     log.fields.service = "registry";
     storage = {
       cache.blobdescriptor = blobCache;
-      filesystem.rootdirectory = cfg.storagePath;
       delete.enabled = cfg.enableDelete;
-    };
+    } // (if cfg.storagePath != null
+          then { filesystem.rootdirectory = cfg.storagePath; }
+          else {});
     http = {
       addr = "${cfg.listenAddress}:${builtins.toString cfg.port}";
       headers.X-Content-Type-Options = ["nosniff"];
@@ -61,9 +62,12 @@ in {
     };
 
     storagePath = mkOption {
-      type = types.path;
+      type = types.nullOr types.path;
       default = "/var/lib/docker-registry";
-      description = "Docker registry storage path.";
+      description = ''
+        Docker registry storage path for the filesystem storage backend. Set to
+        null to configure another backend via extraConfig.
+      '';
     };
 
     enableDelete = mkOption {
@@ -140,9 +144,12 @@ in {
       startAt = optional cfg.enableGarbageCollect cfg.garbageCollectDates;
     };
 
-    users.users.docker-registry = {
-      createHome = true;
-      home = cfg.storagePath;
-    };
+    users.users.docker-registry =
+      if cfg.storagePath != null
+      then {
+        createHome = true;
+        home = cfg.storagePath;
+      }
+      else {};
   };
 }
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
@@ -160,6 +160,8 @@ let
      '';
   };
 
+  extraGitlabRb = pkgs.writeText "extra-gitlab.rb" cfg.extraGitlabRb;
+
   smtpSettings = pkgs.writeText "gitlab-smtp-settings.rb" ''
     if Rails.env.production?
       Rails.application.config.action_mailer.delivery_method = :smtp
@@ -266,6 +268,26 @@ in {
         description = "Extra configuration in config/database.yml.";
       };
 
+      extraGitlabRb = mkOption {
+        type = types.str;
+        default = "";
+        example = ''
+          if Rails.env.production?
+            Rails.application.config.action_mailer.delivery_method = :sendmail
+            ActionMailer::Base.delivery_method = :sendmail
+            ActionMailer::Base.sendmail_settings = {
+              location: "/run/wrappers/bin/sendmail",
+              arguments: "-i -t"
+            }
+          end
+        '';
+        description = ''
+          Extra configuration to be placed in config/extra-gitlab.rb. This can
+          be used to add configuration not otherwise exposed through this module's
+          options.
+        '';
+      };
+
       host = mkOption {
         type = types.str;
         default = config.networking.hostName;
@@ -586,6 +608,7 @@ in {
         [ -L /run/gitlab/uploads ] || ln -sf ${cfg.statePath}/uploads /run/gitlab/uploads
         cp ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION
         cp -rf ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config
+        ln -sf ${extraGitlabRb} ${cfg.statePath}/config/initializers/extra-gitlab.rb
         ${optionalString cfg.smtp.enable ''
           ln -sf ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb
         ''}

diff --git a/nixos/modules/services/misc/plex.nix b/nixos/modules/services/misc/plex.nix
@@ -146,7 +146,7 @@ in
         PLEX_MEDIA_SERVER_MAX_PLUGIN_PROCS="6";
         PLEX_MEDIA_SERVER_TMPDIR="/tmp";
         PLEX_MEDIA_SERVER_USE_SYSLOG="true";
-        LD_LIBRARY_PATH="/run/opengl-driver/lib:${cfg.package}/usr/lib/plexmediaserver";
+        LD_LIBRARY_PATH="/run/opengl-driver/lib:${cfg.package}/usr/lib/plexmediaserver/lib";
         LC_ALL="en_US.UTF-8";
         LANG="en_US.UTF-8";
       };

diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
@@ -261,10 +261,14 @@ let
     fi
   '';
 
+  canonicalizePortList =
+    ports: lib.unique (builtins.sort builtins.lessThan ports);
+
   commonOptions = {
     allowedTCPPorts = mkOption {
-      type = types.listOf types.int;
+      type = types.listOf types.port;
       default = [ ];
+      apply = canonicalizePortList;
       example = [ 22 80 ];
       description =
         '' 
@@ -274,7 +278,7 @@ let
     };
 
     allowedTCPPortRanges = mkOption {
-      type = types.listOf (types.attrsOf types.int);
+      type = types.listOf (types.attrsOf types.port);
       default = [ ];
       example = [ { from = 8999; to = 9003; } ];
       description =
@@ -285,8 +289,9 @@ let
     };
 
     allowedUDPPorts = mkOption {
-      type = types.listOf types.int;
+      type = types.listOf types.port;
       default = [ ];
+      apply = canonicalizePortList;
       example = [ 53 ];
       description =
         ''
@@ -295,7 +300,7 @@ let
     };
 
     allowedUDPPortRanges = mkOption {
-      type = types.listOf (types.attrsOf types.int);
+      type = types.listOf (types.attrsOf types.port);
       default = [ ];
       example = [ { from = 60000; to = 61000; } ];
       description =

diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix
@@ -172,7 +172,7 @@ in {
           Database host.
 
           Note: for using Unix authentication with PostgreSQL, this should be
-          set to <literal>/tmp</literal>.
+          set to <literal>/run/postgresql</literal>.
         '';
       };
       dbport = mkOption {