diff --git a/nixos/modules/installer/sd-card/sd-image.nix b/nixos/modules/installer/sd-card/sd-image.nix index 0e717a2b6a7a6..db1530c104fa0 100644 --- a/nixos/modules/installer/sd-card/sd-image.nix +++ b/nixos/modules/installer/sd-card/sd-image.nix 
@@ -10,53 +10,49 @@ # # The derivation for the SD image will be placed in # config.system.build.sdImage - { config, lib, pkgs, ... }: - -with lib; - let rootfsImage = pkgs.callPackage ../../../lib/make-ext4-fs.nix ({ inherit (config.sdImage) storePaths; compressImage = config.sdImage.compressImage; populateImageCommands = config.sdImage.populateRootCommands; volumeLabel = "NIXOS_SD"; - } // optionalAttrs (config.sdImage.rootPartitionUUID != null) { + } // lib.optionalAttrs (config.sdImage.rootPartitionUUID != null) { uuid = config.sdImage.rootPartitionUUID; }); in { imports = [ - (mkRemovedOptionModule [ "sdImage" "bootPartitionID" ] "The FAT partition for SD image now only holds the Raspberry Pi firmware files. Use firmwarePartitionID to configure that partition's ID.") - (mkRemovedOptionModule [ "sdImage" "bootSize" ] "The boot files for SD image have been moved to the main ext4 partition. The FAT partition now only holds the Raspberry Pi firmware files. Changing its size may not be required.") + (lib.mkRemovedOptionModule [ "sdImage" "bootPartitionID" ] "The FAT lib.partition for SD image now only holds the Raspberry Pi firmware files. Use firmwarePartitionID to configure that lib.partition's ID.") + (lib.mkRemovedOptionModule [ "sdImage" "bootSize" ] "The boot files for SD image have been moved to the main ext4 lib.partition. The FAT lib.partition now only holds the Raspberry Pi firmware files. Changing its size may not be required.") ../../profiles/all-hardware.nix ]; options.sdImage = { - imageName = mkOption { + imageName = lib.mkOption { default = "${config.sdImage.imageBaseName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.img"; description = '' Name of the generated image file. ''; }; - imageBaseName = mkOption { + imageBaseName = lib.mkOption { default = "nixos-sd-image"; description = '' Prefix of the name of the generated image file. 
''; }; - storePaths = mkOption { - type = with types; listOf package; - example = literalExpression "[ pkgs.stdenv ]"; + storePaths = lib.mkOption { + type = with lib.types; listOf package; + example = lib.literalExpression "[ pkgs.stdenv ]"; description = '' Derivations to be included in the Nix store in the generated SD image. ''; }; - firmwarePartitionOffset = mkOption { - type = types.int; + firmwarePartitionOffset = lib.mkOption { + type = lib.types.int; default = 8; description = '' Gap in front of the /boot/firmware partition, in mebibytes (1024×1024 @@ -71,8 +67,8 @@ in ''; }; - firmwarePartitionID = mkOption { - type = types.str; + firmwarePartitionID = lib.mkOption { + type = lib.types.str; default = "0x2178694e"; description = '' Volume ID for the /boot/firmware partition on the SD card. This value @@ -80,16 +76,16 @@ in ''; }; - firmwarePartitionName = mkOption { - type = types.str; + firmwarePartitionName = lib.mkOption { + type = lib.types.str; default = "FIRMWARE"; description = '' Name of the filesystem which holds the boot firmware. ''; }; - rootPartitionUUID = mkOption { - type = types.nullOr types.str; + rootPartitionUUID = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; example = "14e19a7b-0ae0-484d-9d54-43bd6fdc20c7"; description = '' @@ -97,8 +93,8 @@ in ''; }; - firmwareSize = mkOption { - type = types.int; + firmwareSize = lib.mkOption { + type = lib.types.int; # As of 2019-08-18 the Raspberry pi firmware + u-boot takes ~18MiB default = 30; description = '' @@ -106,8 +102,8 @@ in ''; }; - populateFirmwareCommands = mkOption { - example = literalExpression "'' cp \${pkgs.myBootLoader}/u-boot.bin firmware/ ''"; + populateFirmwareCommands = lib.mkOption { + example = lib.literalExpression "'' cp \${pkgs.myBootLoader}/u-boot.bin firmware/ ''"; description = '' Shell commands to populate the ./firmware directory. All files in that directory are copied to the 
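Review bot: The two `lib.mkRemovedOptionModule` messages in the `imports` list now read `The FAT lib.partition for SD image …` and `… moved to the main ext4 lib.partition. The FAT lib.partition …`: the search-and-replace that prefixed the `partition` function also rewrote the word `partition` inside string literals. These messages are exactly what a user sees when their configuration still sets `sdImage.bootPartitionID` or `sdImage.bootSize`, so restore `partition` and `partition's` inside both quoted strings, e.g. `"The FAT partition for SD image now only holds the Raspberry Pi firmware files. Use firmwarePartitionID to configure that partition's ID."`. The same mechanical corruption of prose appears in the clone-config.nix, ca.nix and doas.nix hunks of this commit; scanning the added lines for `lib.` inside quotes and comments would catch them all.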
@@ -115,8 +111,8 @@ in ''; }; - populateRootCommands = mkOption { - example = literalExpression "''\${config.boot.loader.generic-extlinux-compatible.populateCmd} -c \${config.system.build.toplevel} -d ./files/boot''"; + populateRootCommands = lib.mkOption { + example = lib.literalExpression "''\${config.boot.loader.generic-extlinux-compatible.populateCmd} -c \${config.system.build.toplevel} -d ./files/boot''"; description = '' Shell commands to populate the ./files directory. All files in that directory are copied to the @@ -125,8 +121,8 @@ in ''; }; - postBuildCommands = mkOption { - example = literalExpression "'' dd if=\${pkgs.myBootLoader}/SPL of=$img bs=1024 seek=1 conv=notrunc ''"; + postBuildCommands = lib.mkOption { + example = lib.literalExpression "'' dd if=\${pkgs.myBootLoader}/SPL of=$img bs=1024 seek=1 conv=notrunc ''"; default = ""; description = '' Shell commands to run after the image is built. @@ -134,8 +130,8 @@ in ''; }; - compressImage = mkOption { - type = types.bool; + compressImage = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether the SD image should be compressed using @@ -143,16 +139,16 @@ in ''; }; - expandOnBoot = mkOption { - type = types.bool; + expandOnBoot = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to configure the sd image to expand it's partition on boot. ''; }; - nixPathRegistrationFile = mkOption { - type = types.str; + nixPathRegistrationFile = lib.mkOption { + type = lib.types.str; default = "/nix-path-registration"; description = '' Location of the file containing the input for nix-store --load-db once the machine has booted. diff --git a/nixos/modules/profiles/clone-config.nix b/nixos/modules/profiles/clone-config.nix index 3f669ba7d2e16..a9c7409773d09 100644 --- a/nixos/modules/profiles/clone-config.nix +++ b/nixos/modules/profiles/clone-config.nix 
@@ -1,7 +1,4 @@ { config, lib, pkgs, modules, ... }: - -with lib; - let # Location of the repository on the harddrive @@ -10,19 +7,19 @@ let # Check if the path is from the NixOS repository isNixOSFile = path: let s = toString path; in - removePrefix nixosPath s != s; + lib.removePrefix nixosPath s != s; # Copy modules given as extra configuration files. Unfortunately, we # cannot serialized attribute set given in the list of modules (that's why # you should use files). moduleFiles = # FIXME: use typeOf (Nix 1.6.1). - filter (x: !isAttrs x && !lib.isFunction x) modules; + lib.filter (x: !lib.isAttrs x && !lib.isFunction x) modules; # Partition module files because between NixOS and non-NixOS files. NixOS # files may change if the repository is updated. - partitionedModuleFiles = - let p = partition isNixOSFile moduleFiles; in + lib.partitionedModuleFiles = + let p = lib.partition isNixOSFile moduleFiles; in { nixos = p.right; others = p.wrong; }; # Path transformed to be valid on the installation device. Thus the @@ -30,9 +27,9 @@ let relocatedModuleFiles = let relocateNixOS = path: - ""; + ""; in - { nixos = map relocateNixOS partitionedModuleFiles.nixos; + { nixos = map relocateNixOS lib.partitionedModuleFiles.nixos; others = []; # TODO: copy the modules to the install-device repository. }; @@ -59,7 +56,7 @@ in options = { - installer.cloneConfig = mkOption { + installer.cloneConfig = lib.mkOption { default = true; description = '' Try to clone the installation-device configuration by re-using it's @@ -67,7 +64,7 @@ in ''; }; - installer.cloneConfigIncludes = mkOption { + installer.cloneConfigIncludes = lib.mkOption { default = []; example = [ "./nixos/modules/hardware/network/rt73.nix" ]; description = '' @@ -75,7 +72,7 @@ in ''; }; - installer.cloneConfigExtra = mkOption { + installer.cloneConfigExtra = lib.mkOption { default = ""; description = '' Extra text to include in the cloned configuration.nix included in this 
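Review bot: `lib.partitionedModuleFiles =` in the `let` block (hunk `@@ -10,19 +7,19 @@`) renames the local binding `partitionedModuleFiles`; a dotted name in a Nix `let` declares a local attrset called `lib`, which shadows the module's `lib` argument for the whole `let` body, so `lib.removePrefix`, `lib.filter` and `lib.partition` a few lines above resolve against that one-attribute set and evaluation of this profile fails. Only the function call needed the prefix: `let p = lib.partition isNixOSFile moduleFiles; in`. Restore `partitionedModuleFiles =` here and `nixos = map relocateNixOS partitionedModuleFiles.nixos;` in the `@@ -30,9 +27,9 @@` hunk.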
@@ -94,7 +91,7 @@ in # Provide a mount point for nixos-install. mkdir -p /mnt - ${optionalString config.installer.cloneConfig '' + ${lib.optionalString config.installer.cloneConfig '' # Provide a configuration for the CD/DVD itself, to allow users # to run nixos-rebuild to change the configuration of the # running system on the CD/DVD. diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index b85a2ac7e69d2..9ebedf5af09d9 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix 
@@ -5,38 +5,34 @@ # stability. If you experience any stability issues when using the # profile, try disabling it. If you report an issue and use this # profile, always mention that you do. - { config, lib, pkgs, ... }: - -with lib; - { meta = { - maintainers = [ maintainers.joachifm maintainers.emily ]; + maintainers = [ lib.maintainers.joachifm lib.maintainers.emily ]; }; - boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened; + boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened; - nix.settings.allowed-users = mkDefault [ "@users" ]; + nix.settings.allowed-users = lib.mkDefault [ "@users" ]; - environment.memoryAllocator.provider = mkDefault "scudo"; - environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1"; + environment.memoryAllocator.provider = lib.mkDefault "scudo"; + environment.variables.SCUDO_OPTIONS = lib.mkDefault "ZeroContents=1"; - security.lockKernelModules = mkDefault true; + security.lockKernelModules = lib.mkDefault true; - security.protectKernelImage = mkDefault true; + security.protectKernelImage = lib.mkDefault true; - security.allowSimultaneousMultithreading = mkDefault false; + security.allowSimultaneousMultithreading = lib.mkDefault false; - security.forcePageTableIsolation = mkDefault true; + security.forcePageTableIsolation = lib.mkDefault true; # This is required by podman to run containers in rootless mode. - security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable; + security.unprivilegedUsernsClone = lib.mkDefault config.virtualisation.containers.enable; - security.virtualisation.flushL1DataCache = mkDefault "always"; + security.virtualisation.flushL1DataCache = lib.mkDefault "always"; - security.apparmor.enable = mkDefault true; - security.apparmor.killUnconfinedConfinables = mkDefault true; + security.apparmor.enable = lib.mkDefault true; + security.apparmor.killUnconfinedConfinables = lib.mkDefault true; boot.kernelParams = [ # Don't merge slabs 
@@ -83,35 +79,35 @@ with lib; ]; # Hide kptrs even for processes with CAP_SYSLOG - boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2; + boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2; # Disable bpf() JIT (to eliminate spray attacks) - boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false; + boot.kernel.sysctl."net.core.bpf_jit_enable" = lib.mkDefault false; # Disable ftrace debugging - boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false; + boot.kernel.sysctl."kernel.ftrace_enabled" = lib.mkDefault false; # Enable strict reverse path filtering (that is, do not attempt to route # packets that "obviously" do not belong to the iface's network; dropped # packets are logged as martians). - boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true; - boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1"; - boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true; - boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1"; + boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = lib.mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = lib.mkDefault "1"; + boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = lib.mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = lib.mkDefault "1"; # Ignore broadcast ICMP (mitigate SMURF) - boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true; + boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = lib.mkDefault true; # Ignore incoming ICMP redirects (note: default is needed to ensure that the # setting is applied to interfaces added after the sysctls are set) - boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false; - boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false; - boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false; - boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false; - 
boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false; - boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = lib.mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = lib.mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = lib.mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = lib.mkDefault false; + boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = lib.mkDefault false; + boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = lib.mkDefault false; # Ignore outgoing ICMP redirects (this is ipv4 only) - boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false; - boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = lib.mkDefault false; + boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = lib.mkDefault false; } diff --git a/nixos/modules/profiles/minimal.nix b/nixos/modules/profiles/minimal.nix index 4ca2b8cc207f9..df424dddf704a 100644 --- a/nixos/modules/profiles/minimal.nix +++ b/nixos/modules/profiles/minimal.nix 
@@ -2,39 +2,38 @@ # contain any graphical stuff. { config, lib, ... }: - -with lib; - { - documentation.enable = mkDefault false; + environment.noXlibs = lib.mkDefault true; + + documentation.enable = lib.mkDefault false; - documentation.doc.enable = mkDefault false; + documentation.doc.enable = lib.mkDefault false; - documentation.info.enable = mkDefault false; + documentation.info.enable = lib.mkDefault false; - documentation.man.enable = mkDefault false; + documentation.man.enable = lib.mkDefault false; - documentation.nixos.enable = mkDefault false; + documentation.nixos.enable = lib.mkDefault false; # Perl is a default package. - environment.defaultPackages = mkDefault [ ]; + environment.defaultPackages = lib.mkDefault [ ]; - environment.stub-ld.enable = mkDefault false; + environment.stub-ld.enable = lib.mkDefault false; # The lessopen package pulls in Perl. - programs.less.lessopen = mkDefault null; + programs.less.lessopen = lib.mkDefault null; # This pulls in nixos-containers which depends on Perl. - boot.enableContainers = mkDefault false; + boot.enableContainers = lib.mkDefault false; - programs.command-not-found.enable = mkDefault false; + programs.command-not-found.enable = lib.mkDefault false; - services.logrotate.enable = mkDefault false; + services.logrotate.enable = lib.mkDefault false; - services.udisks2.enable = mkDefault false; + services.udisks2.enable = lib.mkDefault false; - xdg.autostart.enable = mkDefault false; - xdg.icons.enable = mkDefault false; - xdg.mime.enable = mkDefault false; - xdg.sounds.enable = mkDefault false; + xdg.autostart.enable = lib.mkDefault false; + xdg.icons.enable = lib.mkDefault false; + xdg.mime.enable = lib.mkDefault false; + xdg.sounds.enable = lib.mkDefault false; } diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix index 76c1010f41990..d51b3befa4ba3 100644 --- a/nixos/modules/security/ca.nix +++ b/nixos/modules/security/ca.nix 
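Review bot: `environment.noXlibs = lib.mkDefault true;` is a new setting that nothing in a `with lib;` removal calls for, and it changes behaviour for every consumer of the minimal profile (as far as I can tell it flips package overrides rather than a module default, so hosts using this profile would rebuild instead of fetching from the binary cache). If this line came back through a rebase, drop it; if it is intentional, it belongs in its own commit with a rationale. The rest of the hunk is the mechanical `lib.` prefixing and reads fine.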
@@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.security.pki; @@ -19,13 +16,12 @@ in { options = { - security.pki.installCACerts = mkEnableOption "installing CA certificates to the system" // { + security.pki.installCACerts = lib.mkEnableOption "installing CA certificates to the system" // { default = true; internal = true; }; - security.pki.useCompatibleBundle = mkEnableOption '' - usage of a compatibility bundle. + security.pki.useCompatibleBundle = lib.mkEnableOption ''usage of a compatibility bundle. Such a bundle consists exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`, which is an OpenSSL specific PEM format. @@ -36,23 +32,23 @@ in certificates themselves. This can have security consequences depending on your usecases ''; - security.pki.certificateFiles = mkOption { - type = types.listOf types.path; + security.pki.certificateFiles = lib.mkOption { + type = lib.types.listOf lib.types.path; default = []; - example = literalExpression ''[ "''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]''; + example = lib.literalExpression ''[ "''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]''; description = '' A list of files containing trusted root certificates in PEM format. These are concatenated to form {file}`/etc/ssl/certs/ca-certificates.crt`, which is - used by many programs that use OpenSSL, such as + used by mlib.any programs that use OpenSSL, such as {command}`curl` and {command}`git`. ''; }; - security.pki.certificates = mkOption { - type = types.listOf types.str; + security.pki.certificates = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; - example = literalExpression '' + example = lib.literalExpression '' [ ''' NixOS.org ========= @@ -69,8 +65,8 @@ in ''; }; - security.pki.caCertificateBlacklist = mkOption { - type = types.listOf types.str; + security.pki.caCertificateBlacklist = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; example = [ "WoSign" "WoSign China" 
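Review bot: The `security.pki.certificateFiles` description now says `used by mlib.any programs that use OpenSSL` (hunk `@@ -36,23 +32,23 @@`): the `any` → `lib.any` rewrite matched inside the word `many`; restore `used by many programs that use OpenSSL, such as`. In the `@@ -19,13 +16,12 @@` hunk, `lib.mkEnableOption ''usage of a compatibility bundle.` joins the first line of the indented string onto the `''` line, an edit unrelated to removing `with lib`; because that first line now starts at column 0, Nix's common-indentation stripping for the remaining lines appears to change, and the rendered option description with it, so keep the string as it was. The remaining hunks of this file are plain `lib.` prefixing.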
@@ -87,7 +83,7 @@ in }; - config = mkIf cfg.installCACerts { + config = lib.mkIf cfg.installCACerts { # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. environment.etc."ssl/certs/ca-certificates.crt".source = caBundle; diff --git a/nixos/modules/security/chromium-suid-sandbox.nix b/nixos/modules/security/chromium-suid-sandbox.nix index bb99c053f7185..146696b05de9a 100644 --- a/nixos/modules/security/chromium-suid-sandbox.nix +++ b/nixos/modules/security/chromium-suid-sandbox.nix @@ -1,18 +1,15 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.security.chromiumSuidSandbox; sandbox = pkgs.chromium.sandbox; in { imports = [ - (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ]) + (lib.mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ]) ]; - options.security.chromiumSuidSandbox.enable = mkOption { - type = types.bool; + options.security.chromiumSuidSandbox.enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to install the Chromium SUID sandbox which is an executable that @@ -26,7 +23,7 @@ in ''; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ sandbox ]; security.wrappers.${sandbox.passthru.sandboxExecutableName} = { setuid = true; diff --git a/nixos/modules/security/doas.nix b/nixos/modules/security/doas.nix index 457a48a987aab..aea4daff20d10 100644 --- a/nixos/modules/security/doas.nix +++ b/nixos/modules/security/doas.nix @@ -1,6 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; let cfg = config.security.doas; 
@@ -10,36 +8,36 @@ let mkGrpString = group: ":${toString group}"; - mkOpts = rule: concatStringsSep " " [ - (optionalString rule.noPass "nopass") - (optionalString rule.noLog "nolog") - (optionalString rule.persist "persist") - (optionalString rule.keepEnv "keepenv") - "setenv { SSH_AUTH_SOCK TERMINFO TERMINFO_DIRS ${concatStringsSep " " rule.setEnv} }" + mkOpts = rule: lib.concatStringsSep " " [ + (lib.optionalString rule.noPass "nopass") + (lib.optionalString rule.noLog "nolog") + (lib.optionalString rule.persist "persist") + (lib.optionalString rule.keepEnv "keepenv") + "setenv { SSH_AUTH_SOCK TERMINFO TERMINFO_DIRS ${lib.concatStringsSep " " rule.setEnv} }" ]; mkArgs = rule: if (rule.args == null) then "" - else if (length rule.args == 0) then "args" - else "args ${concatStringsSep " " rule.args}"; + else if (lib.length rule.args == 0) then "args" + else "args ${lib.concatStringsSep " " rule.args}"; mkRule = rule: let opts = mkOpts rule; - as = optionalString (rule.runAs != null) "as ${rule.runAs}"; + as = lib.optionalString (rule.runAs != null) "as ${rule.runAs}"; - cmd = optionalString (rule.cmd != null) "cmd ${rule.cmd}"; + cmd = lib.optionalString (rule.cmd != null) "cmd ${rule.cmd}"; args = mkArgs rule; in - optionals (length cfg.extraRules > 0) [ + lib.optionals (lib.length cfg.extraRules > 0) [ ( - optionalString (length rule.users > 0) + lib.optionalString (lib.length rule.users > 0) (map (usr: "permit ${opts} ${mkUsrString usr} ${as} ${cmd} ${args}") rule.users) ) ( - optionalString (length rule.groups > 0) + lib.optionalString (lib.length rule.groups > 0) (map (grp: "permit ${opts} ${mkGrpString grp} ${as} ${cmd} ${args}") rule.groups) ) ]; @@ -50,8 +48,8 @@ in options.security.doas = { - enable = mkOption { - type = with types; bool; + enable = lib.mkOption { + type = with lib.types; bool; default = false; description = '' Whether to enable the {command}`doas` command, which allows 
@@ -59,8 +57,8 @@ in ''; }; - wheelNeedsPassword = mkOption { - type = with types; bool; + wheelNeedsPassword = lib.mkOption { + type = with lib.types; bool; default = true; description = '' Whether users of the `wheel` group must provide a password to 
@@ -68,35 +66,35 @@ in ''; }; - extraRules = mkOption { + extraRules = lib.mkOption { default = []; description = '' Define specific rules to be set in the {file}`/etc/doas.conf` file. More specific rules should come after more general ones in order to yield the expected behavior. - You can use `mkBefore` and/or `mkAfter` to ensure + You can use `lib.mkBefore` and/or `mkAfter` to ensure this is the case when configuration options are merged. Be aware that this option cannot be used to override the behaviour allowing passwordless operation for root. ''; - example = literalExpression '' + example = lib.literalExpression '' [ - # Allow execution of any command by any user in group doas, requiring - # a password and keeping any previously-defined environment variables. + # Allow execution of lib.any command by lib.any user in group doas, requiring + # a password and keeping lib.any previously-defined environment variables. { groups = [ "doas" ]; noPass = false; keepEnv = true; } # Allow execution of "/home/root/secret.sh" by user `backup` OR user - # `database` OR any member of the group with GID `1006`, without a + # `database` OR lib.any member of the group with GID `1006`, without a # password. { users = [ "backup" "database" ]; groups = [ 1006 ]; cmd = "/home/root/secret.sh"; noPass = true; } - # Allow any member of group `bar` to run `/home/baz/cmd1.sh` as user + # Allow lib.any member of group `bar` to run `/home/baz/cmd1.sh` as user # `foo` with argument `hello-doas`. { groups = [ "bar" ]; runAs = "foo"; cmd = "/home/baz/cmd1.sh"; args = [ "hello-doas" ]; } - # Allow any member of group `bar` to run `/home/baz/cmd2.sh` as user + # Allow lib.any member of group `bar` to run `/home/baz/cmd2.sh` as user # `foo` with no arguments. { groups = [ "bar" ]; runAs = "foo"; cmd = "/home/baz/cmd2.sh"; args = [ ]; } 
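Review bot: The `extraRules` description and example text in this hunk were rewritten by the `any` → `lib.any` replacement: `Allow execution of lib.any command by lib.any user`, `keeping lib.any previously-defined`, `OR lib.any member`, and the two `Allow lib.any member of group` lines all need `any` restored. The same pass turned the `mkBefore` mention in the description into `lib.mkBefore` while leaving `mkAfter` alone; prefix both or neither. The `args` description in the `@@ -209,12 +207,12 @@` hunk (`must be run without lib.any arguments`) carries the same corruption.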
@@ -108,12 +106,12 @@ in setEnv = [ "-SSH_AUTH_SOCK" "ALPHA=1" "BETA" ]; } ] ''; - type = with types; listOf ( + type = with lib.types; listOf ( submodule { options = { - noPass = mkOption { - type = with types; bool; + noPass = lib.mkOption { + type = with lib.types; bool; default = false; description = '' If `true`, the user is not required to enter a @@ -121,8 +119,8 @@ in ''; }; - noLog = mkOption { - type = with types; bool; + noLog = lib.mkOption { + type = with lib.types; bool; default = false; description = '' If `true`, successful executions will not be logged @@ -131,8 +129,8 @@ in ''; }; - persist = mkOption { - type = with types; bool; + persist = lib.mkOption { + type = with lib.types; bool; default = false; description = '' If `true`, do not ask for a password again for some @@ -140,8 +138,8 @@ in ''; }; - keepEnv = mkOption { - type = with types; bool; + keepEnv = lib.mkOption { + type = with lib.types; bool; default = false; description = '' If `true`, environment variables other than those @@ -151,8 +149,8 @@ in ''; }; - setEnv = mkOption { - type = with types; listOf str; + setEnv = lib.mkOption { + type = with lib.types; listOf str; default = []; description = '' Keep or set the specified variables. Variables may also be @@ -170,20 +168,20 @@ in ''; }; - users = mkOption { - type = with types; listOf (either str int); + users = lib.mkOption { + type = with lib.types; listOf (either str int); default = []; description = "The usernames / UIDs this rule should apply for."; }; - groups = mkOption { - type = with types; listOf (either str int); + groups = lib.mkOption { + type = with lib.types; listOf (either str int); default = []; description = "The groups / GIDs this rule should apply for."; }; - runAs = mkOption { - type = with types; nullOr str; + runAs = lib.mkOption { + type = with lib.types; nullOr str; default = null; description = '' Which user or group the specified command is allowed to run as. 
@@ -196,8 +194,8 @@ in ''; }; - cmd = mkOption { - type = with types; nullOr str; + cmd = lib.mkOption { + type = with lib.types; nullOr str; default = null; description = '' The command the user is allowed to run. When set to @@ -209,12 +207,12 @@ in ''; }; - args = mkOption { - type = with types; nullOr (listOf str); + args = lib.mkOption { + type = with lib.types; nullOr (listOf str); default = null; description = '' Arguments that must be provided to the command. When set to - `[]`, the command must be run without any arguments. + `[]`, the command must be run without lib.any arguments. ''; }; }; @@ -222,8 +220,8 @@ in ); }; - extraConfig = mkOption { - type = with types; lines; + extraConfig = lib.mkOption { + type = with lib.types; lines; default = ""; description = '' Extra configuration text appended to {file}`doas.conf`. Be aware that @@ -236,9 +234,9 @@ in ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { - security.doas.extraRules = mkOrder 600 [ + security.doas.extraRules = lib.mkOrder 600 [ { groups = [ "wheel" ]; noPass = !cfg.wheelNeedsPassword; @@ -271,12 +269,12 @@ in # `environment.etc."doas.conf"`. # extraRules - ${concatStringsSep "\n" (lists.flatten (map mkRule cfg.extraRules))} + ${lib.concatStringsSep "\n" (lib.lists.lib.flatten (map mkRule cfg.extraRules))} # extraConfig ${cfg.extraConfig} - # "root" is allowed to do anything. + # "root" is allowed to do lib.anything. permit nopass keepenv root ''; preferLocalBuild = true; @@ -288,5 +286,5 @@ in }; - meta.maintainers = with maintainers; [ cole-h ]; + meta.maintainers = with lib.maintainers; [ cole-h ]; } diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index e755b5f0ee534..7543179b7fbeb 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.security.duosec; 
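Review bot: `${lib.concatStringsSep "\n" (lib.lists.lib.flatten (map mkRule cfg.extraRules))}` in the `@@ -271,12 +269,12 @@` hunk does not evaluate: `lib.lists` has no attribute `lib`, so the original `lists.flatten` should have become `lib.lists.flatten` (or simply `lib.flatten`). Because this interpolation builds the `/etc/doas.conf` text inside `config = lib.mkIf cfg.enable`, the module fails for anyone with `security.doas.enable = true`, whether or not they set `extraRules` themselves. The comment emitted into that same file two lines later now reads `# "root" is allowed to do lib.anything.`; restore `anything` so the generated config does not carry the typo. The fix is `${lib.concatStringsSep "\n" (lib.lists.flatten (map mkRule cfg.extraRules))}`.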
@@ -11,7 +8,7 @@ let
 [duo]
 ikey=${cfg.integrationKey}
 host=${cfg.host}
- ${optionalString (cfg.groups != "") ("groups="+cfg.groups)}
+ ${lib.optionalString (cfg.groups != "") ("groups="+cfg.groups)}
 failmode=${cfg.failmode}
 pushinfo=${boolToStr cfg.pushinfo}
 autopush=${boolToStr cfg.autopush}
@@ -26,32 +23,32 @@ let in { imports = [ - (mkRenamedOptionModule [ "security" "duosec" "group" ] [ "security" "duosec" "groups" ]) - (mkRenamedOptionModule [ "security" "duosec" "ikey" ] [ "security" "duosec" "integrationKey" ]) - (mkRemovedOptionModule [ "security" "duosec" "skey" ] "The insecure security.duosec.skey option has been replaced by a new security.duosec.secretKeyFile option. Use this new option to store a secure copy of your key instead.") + (lib.mkRenamedOptionModule [ "security" "duosec" "group" ] [ "security" "duosec" "groups" ]) + (lib.mkRenamedOptionModule [ "security" "duosec" "ikey" ] [ "security" "duosec" "integrationKey" ]) + (lib.mkRemovedOptionModule [ "security" "duosec" "skey" ] "The insecure security.duosec.skey option has been replaced by a new security.duosec.secretKeyFile option. Use this new option to store a secure copy of your key instead.") ]; options = { security.duosec = { - ssh.enable = mkOption { - type = types.bool; + ssh.enable = lib.mkOption { + type = lib.types.bool; default = false; description = "If enabled, protect SSH logins with Duo Security."; }; - pam.enable = mkOption { - type = types.bool; + pam.enable = lib.mkOption { + type = lib.types.bool; default = false; description = "If enabled, protect logins with Duo Security using PAM support."; }; - integrationKey = mkOption { - type = types.str; + integrationKey = lib.mkOption { + type = lib.types.str; description = "Integration key."; }; - secretKeyFile = mkOption { - type = types.nullOr types.path; + secretKeyFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; default = null; description = '' A file containing your secret key. The security of your Duo application is tied to the security of your secret key. 
@@ -59,13 +56,13 @@ in example = "/run/keys/duo-skey"; }; - host = mkOption { - type = types.str; + host = lib.mkOption { + type = lib.types.str; description = "Duo API hostname."; }; - groups = mkOption { - type = types.str; + groups = lib.mkOption { + type = lib.types.str; default = ""; example = "users,!wheel,!*admin guests"; description = '' @@ -76,8 +73,8 @@ in ''; }; - failmode = mkOption { - type = types.enum [ "safe" "secure" ]; + failmode = lib.mkOption { + type = lib.types.enum [ "safe" "secure" ]; default = "safe"; description = '' On service or configuration errors that prevent Duo @@ -86,8 +83,8 @@ in ''; }; - pushinfo = mkOption { - type = types.bool; + pushinfo = lib.mkOption { + type = lib.types.bool; default = false; description = '' Include information such as the command to be executed in @@ -95,8 +92,8 @@ in ''; }; - autopush = mkOption { - type = types.bool; + autopush = lib.mkOption { + type = lib.types.bool; default = false; description = '' If `true`, Duo Unix will automatically send @@ -109,8 +106,8 @@ in ''; }; - motd = mkOption { - type = types.bool; + motd = lib.mkOption { + type = lib.types.bool; default = false; description = '' Print the contents of `/etc/motd` to screen @@ -118,8 +115,8 @@ in ''; }; - prompts = mkOption { - type = types.enum [ 1 2 3 ]; + prompts = lib.mkOption { + type = lib.types.enum [ 1 2 3 ]; default = 3; description = '' If a user fails to authenticate with a second factor, Duo @@ -139,8 +136,8 @@ in ''; }; - acceptEnvFactor = mkOption { - type = types.bool; + acceptEnvFactor = lib.mkOption { + type = lib.types.bool; default = false; description = '' Look for factor selection or passcode in the @@ -154,8 +151,8 @@ in ''; }; - fallbackLocalIP = mkOption { - type = types.bool; + fallbackLocalIP = lib.mkOption { + type = lib.types.bool; default = false; description = '' Duo Unix reports the IP address of the authorizing user, for 
@@ -170,8 +167,8 @@ in ''; }; - allowTcpForwarding = mkOption { - type = types.bool; + allowTcpForwarding = lib.mkOption { + type = lib.types.bool; default = false; description = '' By default, when SSH forwarding, enabling Duo Security will @@ -183,7 +180,7 @@ in }; }; - config = mkIf (cfg.ssh.enable || cfg.pam.enable) { + config = lib.mkIf (cfg.ssh.enable || cfg.pam.enable) { environment.systemPackages = [ pkgs.duo-unix ]; security.wrappers.login_duo = @@ -240,12 +237,12 @@ in /* If PAM *and* SSH are enabled, then don't do anything special. If PAM isn't used, set the default SSH-only options. */ - services.openssh.extraConfig = mkIf (cfg.ssh.enable || cfg.pam.enable) ( + services.openssh.extraConfig = lib.mkIf (cfg.ssh.enable || cfg.pam.enable) ( if cfg.pam.enable then "UseDNS no" else '' # Duo Security configuration ForceCommand ${config.security.wrapperDir}/login_duo PermitTunnel no - ${optionalString (!cfg.allowTcpForwarding) '' + ${lib.optionalString (!cfg.allowTcpForwarding) '' AllowTcpForwarding no ''} ''); diff --git a/nixos/modules/security/google_oslogin.nix b/nixos/modules/security/google_oslogin.nix index 227e3b5bc4b9d..42dd3b22a0059 100644 --- a/nixos/modules/security/google_oslogin.nix +++ b/nixos/modules/security/google_oslogin.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.security.googleOsLogin; @@ -13,8 +10,8 @@ in options = { - security.googleOsLogin.enable = mkOption { - type = types.bool; + security.googleOsLogin.enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to enable Google OS Login. @@ -32,7 +29,7 @@ in }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.pam.services.sshd = { makeHomeDir = true; googleOsLoginAccountVerification = true; diff --git a/nixos/modules/security/lock-kernel-modules.nix b/nixos/modules/security/lock-kernel-modules.nix index 3a1ad4d8b3747..fac7ab87cb98f 100644 --- a/nixos/modules/security/lock-kernel-modules.nix 
+++ b/nixos/modules/security/lock-kernel-modules.nix @@ -1,15 +1,12 @@ { config, lib, ... }: - -with lib; - { meta = { - maintainers = [ maintainers.joachifm ]; + maintainers = [ lib.maintainers.joachifm ]; }; options = { - security.lockKernelModules = mkOption { - type = types.bool; + security.lockKernelModules = lib.mkOption { + type = lib.types.bool; default = false; description = '' Disable kernel module loading once the system is fully initialised. @@ -20,9 +17,9 @@ with lib; }; }; - config = mkIf config.security.lockKernelModules { - boot.kernelModules = concatMap (x: - optionals (x.device != null) ( + config = lib.mkIf config.security.lockKernelModules { + boot.kernelModules = lib.concatMap (x: + lib.optionals (x.device != null) ( if x.fsType == "vfat" then [ "vfat" "nls-cp437" "nls-iso8859-1" ] else [ x.fsType ]) diff --git a/nixos/modules/security/pam_mount.nix b/nixos/modules/security/pam_mount.nix index bc0c5c5fbfbc3..2915118eb7b48 100644 --- a/nixos/modules/security/pam_mount.nix +++ b/nixos/modules/security/pam_mount.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.security.pam.mount; @@ -13,23 +10,23 @@ let ${pkgs.lsof}/bin/lsof | ${pkgs.gnugrep}/bin/grep $MNTPT | ${pkgs.gawk}/bin/awk '{print $2}' | ${pkgs.findutils}/bin/xargs ${pkgs.util-linux}/bin/kill -$SIGNAL ''; - anyPamMount = any (attrByPath ["pamMount"] false) (attrValues config.security.pam.services); + anyPamMount = lib.any (lib.attrByPath ["pamMount"] false) (lib.attrValues config.security.pam.services); in { options = { security.pam.mount = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Enable PAM mount system to mount filesystems on user login. ''; }; - extraVolumes = mkOption { - type = types.listOf types.str; + extraVolumes = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = '' List of volume definitions for pam_mount. 
@@ -37,20 +34,20 @@ in ''; }; - additionalSearchPaths = mkOption { - type = types.listOf types.package; + additionalSearchPaths = lib.mkOption { + type = lib.types.listOf lib.types.package; default = []; - example = literalExpression "[ pkgs.bindfs ]"; + example = lib.literalExpression "[ pkgs.bindfs ]"; description = '' Additional programs to include in the search path of pam_mount. Useful for example if you want to use some FUSE filesystems like bindfs. ''; }; - cryptMountOptions = mkOption { - type = types.listOf types.str; + cryptMountOptions = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; - example = literalExpression '' + example = lib.literalExpression '' [ "allow_discard" ] ''; description = '' @@ -59,10 +56,10 @@ in ''; }; - fuseMountOptions = mkOption { - type = types.listOf types.str; + fuseMountOptions = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; - example = literalExpression '' + example = lib.literalExpression '' [ "nodev" "nosuid" "force-user=%(USER)" "gid=%(USERGID)" "perms=0700" "chmod-deny" "chown-deny" "chgrp-deny" ] ''; description = '' @@ -71,8 +68,8 @@ in ''; }; - debugLevel = mkOption { - type = types.int; + debugLevel = lib.mkOption { + type = lib.types.int; default = 0; example = 1; description = '' @@ -82,8 +79,8 @@ in ''; }; - logoutWait = mkOption { - type = types.int; + logoutWait = lib.mkOption { + type = lib.types.int; default = 0; description = '' Amount of microseconds to wait until killing remaining processes after 
@@ -92,40 +89,40 @@ in ''; }; - logoutHup = mkOption { - type = types.bool; + logoutHup = lib.mkOption { + type = lib.types.bool; default = false; description = '' Kill remaining processes after logout by sending a SIGHUP. ''; }; - logoutTerm = mkOption { - type = types.bool; + logoutTerm = lib.mkOption { + type = lib.types.bool; default = false; description = '' Kill remaining processes after logout by sending a SIGTERM. ''; }; - logoutKill = mkOption { - type = types.bool; + logoutKill = lib.mkOption { + type = lib.types.bool; default = false; description = '' Kill remaining processes after logout by sending a SIGKILL. ''; }; - createMountPoints = mkOption { - type = types.bool; + createMountPoints = lib.mkOption { + type = lib.types.bool; default = true; description = '' Create mountpoints for volumes if they do not exist. ''; }; - removeCreatedMountPoints = mkOption { - type = types.bool; + removeCreatedMountPoints = lib.mkOption { + type = lib.types.bool; default = true; description = '' Remove mountpoints created by pam_mount after logout. This @@ -137,13 +134,13 @@ in }; - config = mkIf (cfg.enable || anyPamMount) { + config = lib.mkIf (cfg.enable || anyPamMount) { environment.systemPackages = [ pkgs.pam_mount ]; environment.etc."security/pam_mount.conf.xml" = { source = let - extraUserVolumes = filterAttrs (n: u: u.cryptHomeLuks != null || u.pamMount != {}) config.users.users; + extraUserVolumes = lib.filterAttrs (n: u: u.cryptHomeLuks != null || u.pamMount != {}) config.users.users; mkAttr = k: v: ''${k}="${v}"''; userVolumeEntry = user: let attrs = { @@ -152,7 +149,7 @@ in mountpoint = user.home; } // user.pamMount; in - "\n"; + "\n"; in pkgs.writeText "pam_mount.conf.xml" '' 
@@ -163,20 +160,20 @@ in - ${makeBinPath ([ pkgs.util-linux ] ++ cfg.additionalSearchPaths)} + ${lib.makeBinPath ([ pkgs.util-linux ] ++ cfg.additionalSearchPaths)} - ${pkgs.fuse}/bin/mount.fuse %(VOLUME) %(MNTPT) -o ,${concatStringsSep "," (cfg.fuseMountOptions ++ [ "%(OPTIONS)" ])}' + ${pkgs.fuse}/bin/mount.fuse %(VOLUME) %(MNTPT) -o ,${lib.concatStringsSep "," (cfg.fuseMountOptions ++ [ "%(OPTIONS)" ])}' ${pkgs.fuse}/bin/fusermount -u %(MNTPT) - ${pkgs.pam_mount}/bin/mount.crypt -o ,${concatStringsSep "," (cfg.cryptMountOptions ++ [ "%(OPTIONS)" ])} %(VOLUME) %(MNTPT) + ${pkgs.pam_mount}/bin/mount.crypt -o ,${lib.concatStringsSep "," (cfg.cryptMountOptions ++ [ "%(OPTIONS)" ])} %(VOLUME) %(MNTPT) ${pkgs.pam_mount}/bin/umount.crypt %(MNTPT) ${pkgs.pam_mount}/bin/pmvarrun -u %(USER) -o %(OPERATION) - ${optionalString oflRequired "${fake_ofl}/bin/fake_ofl %(SIGNAL) %(MNTPT)"} - ${concatStrings (map userVolumeEntry (attrValues extraUserVolumes))} - ${concatStringsSep "\n" cfg.extraVolumes} + ${lib.optionalString oflRequired "${fake_ofl}/bin/fake_ofl %(SIGNAL) %(MNTPT)"} + ${lib.concatStrings (map userVolumeEntry (lib.attrValues extraUserVolumes))} + ${lib.concatStringsSep "\n" cfg.extraVolumes} ''; }; diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index 2959efd050919..31c4af5b6193e 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix 
@@ -1,21 +1,18 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.security.sudo; - toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; - toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; + toUserString = user: if (lib.isInt user) then "#${toString user}" else "${user}"; + toGroupString = group: if (lib.isInt group) then "%#${toString group}" else "%${group}"; toCommandOptionsString = options: - "${concatStringsSep ":" options}${optionalString (length options != 0) ":"} "; + "${lib.concatStringsSep ":" options}${lib.optionalString (lib.length options != 0) ":"} "; toCommandsString = commands: - concatStringsSep ", " ( + lib.concatStringsSep ", " ( map (command: - if (isString command) then + if (lib.isString command) then command else "${toCommandOptionsString command.options}${command.command}" @@ -30,8 +27,8 @@ in options.security.sudo = { - defaultOptions = mkOption { - type = with types; listOf str; + defaultOptions = lib.mkOption { + type = with lib.types; listOf str; default = [ "SETENV" ]; description = '' Options used for the default rules, granting `root` and the @@ -39,8 +36,8 @@ in ''; }; - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable the {command}`sudo` command, which @@ -48,10 +45,10 @@ in ''; }; - package = mkPackageOption pkgs "sudo" { }; + package = lib.mkPackageOption pkgs "sudo" { }; - wheelNeedsPassword = mkOption { - type = types.bool; + wheelNeedsPassword = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether users of the `wheel` group must @@ -59,8 +56,8 @@ in ''; }; - execWheelOnly = mkOption { - type = types.bool; + execWheelOnly = lib.mkOption { + type = lib.types.bool; default = false; description = '' Only allow members of the `wheel` group to execute sudo by 
@@ -70,8 +67,8 @@ in ''; }; - configFile = mkOption { - type = types.lines; + configFile = lib.mkOption { + type = lib.types.lines; # Note: if syntax errors are detected in this file, the NixOS # configuration will fail to build. description = '' @@ -80,7 +77,7 @@ in ''; }; - extraRules = mkOption { + extraRules = lib.mkOption { description = '' Define specific rules to be in the {file}`sudoers` file. More specific rules should come after more general ones in order to @@ -88,7 +85,7 @@ in this is the case when configuration options are merged. ''; default = []; - example = literalExpression '' + example = lib.literalExpression '' [ # Allow execution of any command by all users in group sudo, # requiring a password. @@ -107,34 +104,34 @@ in { command = '''/home/baz/cmd2.sh ""'''; options = [ "SETENV" ]; } ]; } ] ''; - type = with types; listOf (submodule { + type = with lib.types; listOf (submodule { options = { - users = mkOption { - type = with types; listOf (either str int); + users = lib.mkOption { + type = with lib.types; listOf (either str int); description = '' The usernames / UIDs this rule should apply for. ''; default = []; }; - groups = mkOption { - type = with types; listOf (either str int); + groups = lib.mkOption { + type = with lib.types; listOf (either str int); description = '' The groups / GIDs this rule should apply for. ''; default = []; }; - host = mkOption { - type = types.str; + host = lib.mkOption { + type = lib.types.str; default = "ALL"; description = '' For what host this rule should apply. ''; }; - runAs = mkOption { - type = with types; str; + runAs = lib.mkOption { + type = with lib.types; str; default = "ALL:ALL"; description = '' Under which user/group the specified command is allowed to run. 
@@ -145,15 +142,15 @@ in ''; }; - commands = mkOption { + commands = lib.mkOption { description = '' The commands for which the rule should apply. ''; - type = with types; listOf (either str (submodule { + type = with lib.types; listOf (either str (submodule { options = { - command = mkOption { - type = with types; str; + command = lib.mkOption { + type = with lib.types; str; description = '' A command being either just a path to a binary to allow any arguments, the full command with arguments pre-set or with `""` used as the argument, @@ -161,8 +158,8 @@ in ''; }; - options = mkOption { - type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" "MAIL" "NOMAIL" "FOLLOW" "NOFLLOW" "INTERCEPT" "NOINTERCEPT"]); + options = lib.mkOption { + type = with lib.types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" "MAIL" "NOMAIL" "FOLLOW" "NOFLLOW" "INTERCEPT" "NOINTERCEPT"]); description = '' Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/docs/man/1.9.15/sudoers.man/#Tag_Spec). ''; @@ -176,8 +173,8 @@ in }); }; - extraConfig = mkOption { - type = types.lines; + extraConfig = lib.mkOption { + type = lib.types.lines; default = ""; description = '' Extra configuration text appended to {file}`sudoers`. @@ -188,7 +185,7 @@ in ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { assertions = [ { assertion = cfg.package.pname != "sudo-rs"; message = '' 
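Review bot: In sudo.nix the rewritten tag enum for `options` (hunk -161/+158) still lists `"NOFLLOW"`, which is not a sudoers tag; the real spelling is `NOFOLLOW`. As written, the correctly spelled tag is rejected by the option type, while the misspelled one passes type checking and ends up in the generated sudoers, where it is presumably caught by the syntax check that the comment above `configFile` says fails the build — either way `NOFOLLOW`, the tag that keeps sudoedit from following symlinks, cannot be expressed through `extraRules`. The typo is pre-existing, but since this line is being touched anyway it is the moment to change `"NOFLLOW"` to `"NOFOLLOW"` (keeping the old spelling alongside it if existing configurations must not break).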
@@ -205,35 +202,35 @@ in options = opts ++ cfg.defaultOptions; } ]; } ]; - in mkMerge [ + in lib.mkMerge [ # This is ordered before users' `mkBefore` rules, # so as not to introduce unexpected changes. - (mkOrder 400 (defaultRule { users = [ "root" ]; })) + (lib.mkOrder 400 (defaultRule { users = [ "root" ]; })) # This is ordered to show before (most) other rules, but # late-enough for a user to `mkBefore` it. - (mkOrder 600 (defaultRule { + (lib.mkOrder 600 (defaultRule { groups = [ "wheel" ]; - opts = (optional (!cfg.wheelNeedsPassword) "NOPASSWD"); + opts = (lib.optional (!cfg.wheelNeedsPassword) "NOPASSWD"); })) ]; - security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [ + security.sudo.configFile = lib.concatStringsSep "\n" (lib.filter (s: s != "") [ '' # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’ # or ‘security.sudo.extraRules’ instead. '' - (pipe cfg.extraRules [ - (filter (rule: length rule.commands != 0)) + (lib.pipe cfg.extraRules [ + (lib.filter (rule: lib.length rule.commands != 0)) (map (rule: [ (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users) (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups) ])) - flatten - (concatStringsSep "\n") + lib.flatten + (lib.concatStringsSep "\n") ]) "\n" - (optionalString (cfg.extraConfig != "") '' + (lib.optionalString (cfg.extraConfig != "") '' # extraConfig ${cfg.extraConfig} '') diff --git a/nixos/modules/services/cluster/corosync/default.nix b/nixos/modules/services/cluster/corosync/default.nix index cf3448620a5d7..d79ee832ff739 100644 --- a/nixos/modules/services/cluster/corosync/default.nix +++ b/nixos/modules/services/cluster/corosync/default.nix 
@@ -1,42 +1,40 @@ { config, lib, pkgs, ... }: - -with lib; let cfg = config.services.corosync; in { # interface options.services.corosync = { - enable = mkEnableOption "corosync"; + enable = lib.mkEnableOption "corosync"; - package = mkPackageOption pkgs "corosync" { }; + package = lib.mkPackageOption pkgs "corosync" { }; - clusterName = mkOption { - type = types.str; + clusterName = lib.mkOption { + type = lib.types.str; default = "nixcluster"; description = "Name of the corosync cluster."; }; - extraOptions = mkOption { - type = with types; listOf str; + extraOptions = lib.mkOption { + type = with lib.types; listOf str; default = []; description = "Additional options with which to start corosync."; }; - nodelist = mkOption { + nodelist = lib.mkOption { description = "Corosync nodelist: all cluster members."; default = []; - type = with types; listOf (submodule { + type = with lib.types; listOf (submodule { options = { - nodeid = mkOption { + nodeid = lib.mkOption { type = int; description = "Node ID number"; }; - name = mkOption { + name = lib.mkOption { type = str; description = "Node name"; }; - ring_addrs = mkOption { + ring_addrs = lib.mkOption { type = listOf str; description = "List of addresses, one for each ring."; }; @@ -46,7 +44,7 @@ in }; # implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; environment.etc."corosync/corosync.conf".text = '' @@ -58,11 +56,11 @@ in } nodelist { - ${concatMapStrings ({ nodeid, name, ring_addrs }: '' + ${lib.concatMapStrings ({ nodeid, name, ring_addrs }: '' node { nodeid: ${toString nodeid} name: ${name} - ${concatStrings (imap0 (i: addr: '' + ${lib.concatStrings (lib.imap0 (i: addr: '' ring${toString i}_addr: ${addr} '') ring_addrs)} } 
@@ -73,7 +71,7 @@ in # only corosync_votequorum is supported provider: corosync_votequorum wait_for_all: 0 - ${optionalString (builtins.length cfg.nodelist < 3) '' + ${lib.optionalString (builtins.length cfg.nodelist < 3) '' two_node: 1 ''} } diff --git a/nixos/modules/services/cluster/hadoop/default.nix b/nixos/modules/services/cluster/hadoop/default.nix index 4b255a97f5614..b4f89366d5bd3 100644 --- a/nixos/modules/services/cluster/hadoop/default.nix +++ b/nixos/modules/services/cluster/hadoop/default.nix @@ -3,15 +3,14 @@ let cfg = config.services.hadoop; opt = options.services.hadoop; in -with lib; { imports = [ ./yarn.nix ./hdfs.nix ./hbase.nix ]; options.services.hadoop = { - coreSite = mkOption { + coreSite = lib.mkOption { default = {}; - type = types.attrsOf types.anything; - example = literalExpression '' + type = lib.types.attrsOf lib.types.anything; + example = lib.literalExpression '' { "fs.defaultFS" = "hdfs://localhost"; } @@ -21,31 +20,31 @@ with lib; ''; }; - coreSiteInternal = mkOption { + coreSiteInternal = lib.mkOption { default = {}; - type = types.attrsOf types.anything; + type = lib.types.attrsOf lib.types.anything; internal = true; description = '' Internal option to add configs to core-site.xml based on module options ''; }; - hdfsSiteDefault = mkOption { + hdfsSiteDefault = lib.mkOption { default = { "dfs.namenode.rpc-bind-host" = "0.0.0.0"; "dfs.namenode.http-address" = "0.0.0.0:9870"; "dfs.namenode.servicerpc-bind-host" = "0.0.0.0"; "dfs.namenode.http-bind-host" = "0.0.0.0"; }; - type = types.attrsOf types.anything; + type = lib.types.attrsOf lib.types.anything; description = '' Default options for hdfs-site.xml ''; }; - hdfsSite = mkOption { + hdfsSite = lib.mkOption { default = {}; - type = types.attrsOf types.anything; - example = literalExpression '' + type = lib.types.attrsOf lib.types.anything; + example = lib.literalExpression '' { "dfs.nameservices" = "namenode1"; } 
@@ -55,23 +54,23 @@ with lib; ''; }; - hdfsSiteInternal = mkOption { + hdfsSiteInternal = lib.mkOption { default = {}; - type = types.attrsOf types.anything; + type = lib.types.attrsOf lib.types.anything; internal = true; description = '' Internal option to add configs to hdfs-site.xml based on module options ''; }; - mapredSiteDefault = mkOption { + mapredSiteDefault = lib.mkOption { default = { "mapreduce.framework.name" = "yarn"; "yarn.app.mapreduce.am.env" = "HADOOP_MAPRED_HOME=${cfg.package}"; "mapreduce.map.env" = "HADOOP_MAPRED_HOME=${cfg.package}"; "mapreduce.reduce.env" = "HADOOP_MAPRED_HOME=${cfg.package}"; }; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' { "mapreduce.framework.name" = "yarn"; "yarn.app.mapreduce.am.env" = "HADOOP_MAPRED_HOME=''${config.${opt.package}}"; @@ -79,15 +78,15 @@ with lib; "mapreduce.reduce.env" = "HADOOP_MAPRED_HOME=''${config.${opt.package}}"; } ''; - type = types.attrsOf types.anything; + type = lib.types.attrsOf lib.types.anything; description = '' Default options for mapred-site.xml ''; }; - mapredSite = mkOption { + mapredSite = lib.mkOption { default = {}; - type = types.attrsOf types.anything; - example = literalExpression '' + type = lib.types.attrsOf lib.types.anything; + example = lib.literalExpression '' { "mapreduce.map.java.opts" = "-Xmx900m -XX:+UseParallelGC"; } @@ -98,7 +97,7 @@ with lib; ''; }; - yarnSiteDefault = mkOption { + yarnSiteDefault = lib.mkOption { default = { "yarn.nodemanager.admin-env" = "PATH=$PATH"; "yarn.nodemanager.aux-services" = "mapreduce_shuffle"; 
@@ -112,15 +111,15 @@ with lib; "yarn.resourcemanager.bind-host" = "0.0.0.0"; "yarn.resourcemanager.scheduler.class" = "org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler"; }; - type = types.attrsOf types.anything; + type = lib.types.attrsOf lib.types.anything; description = '' Default options for yarn-site.xml ''; }; - yarnSite = mkOption { + yarnSite = lib.mkOption { default = {}; - type = types.attrsOf types.anything; - example = literalExpression '' + type = lib.types.attrsOf lib.types.anything; + example = lib.literalExpression '' { "yarn.resourcemanager.hostname" = "''${config.networking.hostName}"; } @@ -130,19 +129,19 @@ with lib; ''; }; - yarnSiteInternal = mkOption { + yarnSiteInternal = lib.mkOption { default = {}; - type = types.attrsOf types.anything; + type = lib.types.attrsOf lib.types.anything; internal = true; description = '' Internal option to add configs to yarn-site.xml based on module options ''; }; - httpfsSite = mkOption { + httpfsSite = lib.mkOption { default = { }; - type = types.attrsOf types.anything; - example = literalExpression '' + type = lib.types.attrsOf lib.types.anything; + example = lib.literalExpression '' { "hadoop.http.max.threads" = 500; } @@ -153,19 +152,19 @@ with lib; ''; }; - log4jProperties = mkOption { + log4jProperties = lib.mkOption { default = "${cfg.package}/etc/hadoop/log4j.properties"; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' "''${config.${opt.package}}/etc/hadoop/log4j.properties" ''; - type = types.path; - example = literalExpression '' + type = lib.types.path; + example = lib.literalExpression '' "''${pkgs.hadoop}/etc/hadoop/log4j.properties"; ''; description = "log4j.properties file added to HADOOP_CONF_DIR"; }; - containerExecutorCfg = mkOption { + containerExecutorCfg = lib.mkOption { default = { # must be the same as yarn.nodemanager.linux-container-executor.group in yarnSite "yarn.nodemanager.linux-container-executor.group"="hadoop"; 
@@ -173,8 +172,8 @@ with lib; "feature.terminal.enabled"=1; "feature.mount-cgroup.enabled" = 1; }; - type = types.attrsOf types.anything; - example = literalExpression '' + type = lib.types.attrsOf lib.types.anything; + example = lib.literalExpression '' options.services.hadoop.containerExecutorCfg.default // { "feature.terminal.enabled" = 0; } @@ -185,10 +184,10 @@ with lib; ''; }; - extraConfDirs = mkOption { + extraConfDirs = lib.mkOption { default = []; - type = types.listOf types.path; - example = literalExpression '' + type = lib.types.listOf lib.types.path; + example = lib.literalExpression '' [ ./extraHDFSConfs ./extraYARNConfs @@ -197,13 +196,13 @@ with lib; description = "Directories containing additional config files to be added to HADOOP_CONF_DIR"; }; - gatewayRole.enable = mkEnableOption "gateway role for deploying hadoop configs"; + gatewayRole.enable = lib.mkEnableOption "gateway role for deploying hadoop configs"; - package = mkPackageOption pkgs "hadoop" { }; + package = lib.mkPackageOption pkgs "hadoop" { }; }; - config = mkIf cfg.gatewayRole.enable { + config = lib.mkIf cfg.gatewayRole.enable { users.groups.hadoop = { gid = config.ids.gids.hadoop; }; diff --git a/nixos/modules/services/cluster/hadoop/hbase.nix b/nixos/modules/services/cluster/hadoop/hbase.nix index 8eb8d83fd84cc..b77186d4f8bdd 100644 --- a/nixos/modules/services/cluster/hadoop/hbase.nix +++ b/nixos/modules/services/cluster/hadoop/hbase.nix 
@@ -1,37 +1,35 @@ { config, lib, pkgs, ...}: - -with lib; let cfg = config.services.hadoop; hadoopConf = "${import ./conf.nix { inherit cfg pkgs lib; }}/"; - mkIfNotNull = x: mkIf (x != null) x; + mkIfNotNull = x: lib.mkIf (x != null) x; # generic hbase role options hbaseRoleOption = name: extraOpts: { - enable = mkEnableOption "HBase ${name}"; + enable = lib.mkEnableOption "HBase ${name}"; - openFirewall = mkOption { - type = types.bool; + openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = "Open firewall ports for HBase ${name}."; }; - restartIfChanged = mkOption { - type = types.bool; + restartIfChanged = lib.mkOption { + type = lib.types.bool; default = false; description = "Restart ${name} con config change."; }; - extraFlags = mkOption { - type = with types; listOf str; + extraFlags = lib.mkOption { + type = with lib.types; listOf str; default = []; - example = literalExpression ''[ "--backup" ]''; + example = lib.literalExpression ''[ "--backup" ]''; description = "Extra flags for the ${name} service."; }; - environment = mkOption { - type = with types; attrsOf str; + environment = lib.mkOption { + type = with lib.types; attrsOf str; default = {}; - example = literalExpression '' + example = lib.literalExpression '' { HBASE_MASTER_OPTS = "-Dcom.sun.management.jmxremote.ssl=true"; } 
@@ -40,19 +38,19 @@ let }; } // extraOpts; # generic hbase role configs - hbaseRoleConfig = name: ports: (mkIf cfg.hbase."${name}".enable { + hbaseRoleConfig = name: ports: (lib.mkIf cfg.hbase."${name}".enable { services.hadoop.gatewayRole = { enable = true; - enableHbaseCli = mkDefault true; + enableHbaseCli = lib.mkDefault true; }; - systemd.services."hbase-${toLower name}" = { + systemd.services."hbase-${lib.toLower name}" = { description = "HBase ${name}"; wantedBy = [ "multi-user.target" ]; - path = with cfg; [ hbase.package ] ++ optional + path = with cfg; [ hbase.package ] ++ lib.optional (with cfg.hbase.master; enable && initHDFS) package; - preStart = mkIf (with cfg.hbase.master; enable && initHDFS) - (concatStringsSep "\n" ( + preStart = lib.mkIf (with cfg.hbase.master; enable && initHDFS) + (lib.concatStringsSep "\n" ( map (x: "HADOOP_USER_NAME=hdfs hdfs --config /etc/hadoop-conf ${x}")[ "dfsadmin -safemode wait" "dfs -mkdir -p ${cfg.hbase.rootdir}" @@ -61,19 +59,19 @@ let )); inherit (cfg.hbase."${name}") environment; - script = concatStringsSep " " ( + script = lib.concatStringsSep " " ( [ "hbase --config /etc/hadoop-conf/" - "${toLower name} start" + "${lib.toLower name} start" ] ++ cfg.hbase."${name}".extraFlags - ++ map (x: "--${toLower x} ${toString cfg.hbase.${name}.${x}}") - (filter (x: hasAttr x cfg.hbase.${name}) ["port" "infoPort"]) + ++ map (x: "--${lib.toLower x} ${toString cfg.hbase.${name}.${x}}") + (lib.filter (x: lib.hasAttr x cfg.hbase.${name}) ["port" "infoPort"]) ); serviceConfig = { User = "hbase"; - SyslogIdentifier = "hbase-${toLower name}"; + SyslogIdentifier = "hbase-${lib.toLower name}"; Restart = "always"; }; }; 
@@ -81,10 +79,10 @@ let services.hadoop.hbaseSiteInternal."hbase.rootdir" = cfg.hbase.rootdir; networking = { - firewall.allowedTCPPorts = mkIf cfg.hbase."${name}".openFirewall ports; - hosts = mkIf (with cfg.hbase.regionServer; enable && overrideHosts) { - "127.0.0.2" = mkForce [ ]; - "::1" = mkForce [ ]; + firewall.allowedTCPPorts = lib.mkIf cfg.hbase."${name}".openFirewall ports; + hosts = lib.mkIf (with cfg.hbase.regionServer; enable && overrideHosts) { + "127.0.0.2" = lib.mkForce [ ]; + "::1" = lib.mkForce [ ]; }; }; @@ -93,9 +91,9 @@ in { options.services.hadoop = { - gatewayRole.enableHbaseCli = mkEnableOption "HBase CLI tools"; + gatewayRole.enableHbaseCli = lib.mkEnableOption "HBase CLI tools"; - hbaseSiteDefault = mkOption { + hbaseSiteDefault = lib.mkOption { default = { "hbase.regionserver.ipc.address" = "0.0.0.0"; "hbase.master.ipc.address" = "0.0.0.0"; @@ -104,15 +102,15 @@ in "hbase.cluster.distributed" = "true"; }; - type = types.attrsOf types.anything; + type = with lib.types; attrsOf anything; description = '' Default options for hbase-site.xml ''; }; - hbaseSite = mkOption { + hbaseSite = lib.mkOption { default = {}; - type = with types; attrsOf anything; - example = literalExpression '' + type = with lib.types; attrsOf anything; + example = lib.literalExpression '' { "hbase.hregion.max.filesize" = 20*1024*1024*1024; "hbase.table.normalization.enabled" = "true"; @@ -123,9 +121,9 @@ in ''; }; - hbaseSiteInternal = mkOption { + hbaseSiteInternal = lib.mkOption { default = {}; - type = with types; attrsOf anything; + type = with lib.types; attrsOf anything; internal = true; description = '' Internal option to add configs to hbase-site.xml based on module options 
@@ -134,9 +132,9 @@ in hbase = { - package = mkPackageOption pkgs "hbase" { }; + package = lib.mkPackageOption pkgs "hbase" { }; - rootdir = mkOption { + rootdir = lib.mkOption { description = '' This option will set "hbase.rootdir" in hbase-site.xml and determine the directory shared by region servers and into which HBase persists. @@ -146,36 +144,36 @@ in Filesystems other than HDFS (like S3, QFS, Swift) are also supported. ''; - type = types.str; + type = lib.types.str; example = "hdfs://nameservice1/hbase"; default = "/hbase"; }; - zookeeperQuorum = mkOption { + zookeeperQuorum = lib.mkOption { description = '' This option will set "hbase.zookeeper.quorum" in hbase-site.xml. Comma separated list of servers in the ZooKeeper ensemble. ''; - type = with types; nullOr commas; + type = with lib.types; nullOr commas; example = "zk1.internal,zk2.internal,zk3.internal"; default = null; }; } // (let ports = port: infoPort: { - port = mkOption { - type = types.int; + port = lib.mkOption { + type = lib.types.int; default = port; description = "RPC port"; }; - infoPort = mkOption { - type = types.int; + infoPort = lib.mkOption { + type = lib.types.int; default = infoPort; description = "web UI port"; }; }; - in mapAttrs hbaseRoleOption { - master.initHDFS = mkEnableOption "initialization of the hbase directory on HDFS"; - regionServer.overrideHosts = mkOption { - type = types.bool; + in lib.mapAttrs hbaseRoleOption { + master.initHDFS = lib.mkEnableOption "initialization of the hbase directory on HDFS"; + regionServer.overrideHosts = lib.mkOption { + type = lib.types.bool; default = true; description = '' Remove /etc/hosts entries for "127.0.0.2" and "::1" defined in nixos/modules/config/networking.nix 
@@ -188,14 +186,14 @@ in }); }; - config = mkMerge ([ + config = lib.mkMerge ([ - (mkIf cfg.gatewayRole.enable { + (lib.mkIf cfg.gatewayRole.enable { - environment.systemPackages = mkIf cfg.gatewayRole.enableHbaseCli [ cfg.hbase.package ]; + environment.systemPackages = lib.mkIf cfg.gatewayRole.enableHbaseCli [ cfg.hbase.package ]; services.hadoop.hbaseSiteInternal = with cfg.hbase; { - "hbase.zookeeper.quorum" = mkIfNotNull zookeeperQuorum; + "hbase.zookeeper.quorum" = lib.mkIfNotNull zookeeperQuorum; }; users.users.hbase = { @@ -204,7 +202,7 @@ in isSystemUser = true; }; }) - ] ++ (mapAttrsToList hbaseRoleConfig { + ] ++ (lib.mapAttrsToList hbaseRoleConfig { master = [ 16000 16010 ]; regionServer = [ 16020 16030 ]; thrift = with cfg.hbase.thrift; [ port infoPort ]; diff --git a/nixos/modules/services/cluster/hadoop/hdfs.nix b/nixos/modules/services/cluster/hadoop/hdfs.nix index 1f61acf4012dd..5ca12f4b4c8b8 100644 --- a/nixos/modules/services/cluster/hadoop/hdfs.nix +++ b/nixos/modules/services/cluster/hadoop/hdfs.nix @@ -1,5 +1,4 @@ { config, lib, pkgs, ... }: -with lib; let cfg = config.services.hadoop; @@ -8,9 +7,9 @@ let # Generator for HDFS service options hadoopServiceOption = { serviceName, firewallOption ? true, extraOpts ? null }: { - enable = mkEnableOption serviceName; - restartIfChanged = mkOption { - type = types.bool; + enable = lib.mkEnableOption serviceName; + restartIfChanged = lib.mkOption { + type = lib.types.bool; description = '' Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. @@ -19,8 +18,8 @@ let ''; default = false; }; - extraFlags = mkOption{ - type = with types; listOf str; + extraFlags = lib.mkOption{ + type = with lib.types; listOf str; default = []; description = "Extra command line flags to pass to ${serviceName}"; example = [ 
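Review bot: In hbase.nix, `"hbase.zookeeper.quorum" = lib.mkIfNotNull zookeeperQuorum;` references a function nixpkgs `lib` does not provide: `mkIfNotNull` is this file's own let-binding (`mkIfNotNull = x: lib.mkIf (x != null) x;`), so evaluating the module with `gatewayRole.enable` set now aborts with a missing-attribute error instead of emitting the quorum entry in hbase-site.xml. The line should read `"hbase.zookeeper.quorum" = mkIfNotNull zookeeperQuorum;`. Since the `lib.` prefix was applied mechanically across this series, it is worth grepping the other files for let-bound helpers that received the same treatment.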
@@ -28,23 +27,23 @@ let "-Dcom.sun.management.jmxremote.port=8010" ]; }; - extraEnv = mkOption{ - type = with types; attrsOf str; + extraEnv = lib.mkOption{ + type = with lib.types; attrsOf str; default = {}; description = "Extra environment variables for ${serviceName}"; }; - } // (optionalAttrs firewallOption { - openFirewall = mkOption { - type = types.bool; + } // (lib.optionalAttrs firewallOption { + openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = "Open firewall ports for ${serviceName}."; }; - }) // (optionalAttrs (extraOpts != null) extraOpts); + }) // (lib.optionalAttrs (extraOpts != null) extraOpts); # Generator for HDFS service configs hadoopServiceConfig = { name - , serviceOptions ? cfg.hdfs."${toLower name}" + , serviceOptions ? cfg.hdfs."${lib.toLower name}" , description ? "Hadoop HDFS ${name}" , User ? "hdfs" , allowedTCPPorts ? [ ] @@ -53,23 +52,23 @@ let , extraConfig ? { } }: ( - mkIf serviceOptions.enable ( mkMerge [{ - systemd.services."hdfs-${toLower name}" = { + lib.mkIf serviceOptions.enable ( lib.mkMerge [{ + systemd.services."hdfs-${lib.toLower name}" = { inherit description preStart; environment = environment // serviceOptions.extraEnv; wantedBy = [ "multi-user.target" ]; inherit (serviceOptions) restartIfChanged; serviceConfig = { inherit User; - SyslogIdentifier = "hdfs-${toLower name}"; - ExecStart = "${cfg.package}/bin/hdfs --config ${hadoopConf} ${toLower name} ${escapeShellArgs serviceOptions.extraFlags}"; + SyslogIdentifier = "hdfs-${lib.toLower name}"; + ExecStart = "${cfg.package}/bin/hdfs --config ${hadoopConf} ${lib.toLower name} ${lib.escapeShellArgs serviceOptions.extraFlags}"; Restart = "always"; }; }; services.hadoop.gatewayRole.enable = true; - networking.firewall.allowedTCPPorts = mkIf + networking.firewall.allowedTCPPorts = lib.mkIf ((builtins.hasAttr "openFirewall" serviceOptions) && serviceOptions.openFirewall) allowedTCPPorts; } extraConfig]) 
@@ -80,8 +79,8 @@ in options.services.hadoop.hdfs = { namenode = hadoopServiceOption { serviceName = "HDFS NameNode"; } // { - formatOnInit = mkOption { - type = types.bool; + formatOnInit = lib.mkOption { + type = lib.types.bool; default = false; description = '' Format HDFS namenode on first start. This is useful for quickly spinning up @@ -94,18 +93,18 @@ in }; datanode = hadoopServiceOption { serviceName = "HDFS DataNode"; } // { - dataDirs = mkOption { + dataDirs = lib.mkOption { default = null; description = "Tier and path definitions for datanode storage."; - type = with types; nullOr (listOf (submodule { + type = with lib.types; nullOr (listOf (submodule { options = { - type = mkOption { + type = lib.mkOption { type = enum [ "SSD" "DISK" "ARCHIVE" "RAM_DISK" ]; description = '' Storage types ([SSD]/[DISK]/[ARCHIVE]/[RAM_DISK]) for HDFS storage policies. ''; }; - path = mkOption { + path = lib.mkOption { type = path; example = [ "/var/lib/hadoop/hdfs/dn" ]; description = "Determines where on the local filesystem a data node should store its blocks."; @@ -123,8 +122,8 @@ in }; httpfs = hadoopServiceOption { serviceName = "HDFS JournalNode"; } // { - tempPath = mkOption { - type = types.path; + tempPath = lib.mkOption { + type = lib.types.path; default = "/tmp/hadoop/httpfs"; description = "HTTPFS_TEMP path used by HTTPFS"; }; @@ -132,7 +131,7 @@ in }; - config = mkMerge [ + config = lib.mkMerge [ (hadoopServiceConfig { name = "NameNode"; allowedTCPPorts = [ @@ -141,7 +140,7 @@ in 8022 # namenode.servicerpc-address 8019 # dfs.ha.zkfc.port ]; - preStart = (mkIf cfg.hdfs.namenode.formatOnInit + preStart = (lib.mkIf cfg.hdfs.namenode.formatOnInit "${cfg.package}/bin/hdfs --config ${hadoopConf} namenode -format -nonInteractive || true" ); }) 
@@ -149,7 +148,7 @@ in (hadoopServiceConfig { name = "DataNode"; # port numbers for datanode changed between hadoop 2 and 3 - allowedTCPPorts = if versionAtLeast cfg.package.version "3" then [ + allowedTCPPorts = if lib.versionAtLeast cfg.package.version "3" then [ 9864 # datanode.http.address 9866 # datanode.address 9867 # datanode.ipc.address @@ -158,8 +157,8 @@ in 50010 # datanode.address 50020 # datanode.ipc.address ]; - extraConfig.services.hadoop.hdfsSiteInternal."dfs.datanode.data.dir" = mkIf (cfg.hdfs.datanode.dataDirs!= null) - (concatMapStringsSep "," (x: "["+x.type+"]file://"+x.path) cfg.hdfs.datanode.dataDirs); + extraConfig.services.hadoop.hdfsSiteInternal."dfs.datanode.data.dir" = lib.mkIf (cfg.hdfs.datanode.dataDirs!= null) + (lib.concatMapStringsSep "," (x: "["+x.type+"]file://"+x.path) cfg.hdfs.datanode.dataDirs); }) (hadoopServiceConfig { @@ -185,14 +184,14 @@ in ]; }) - (mkIf cfg.gatewayRole.enable { + (lib.mkIf cfg.gatewayRole.enable { users.users.hdfs = { description = "Hadoop HDFS user"; group = "hadoop"; uid = config.ids.uids.hdfs; }; }) - (mkIf cfg.hdfs.httpfs.enable { + (lib.mkIf cfg.hdfs.httpfs.enable { users.users.httpfs = { description = "Hadoop HTTPFS user"; group = "hadoop"; diff --git a/nixos/modules/services/cluster/hadoop/yarn.nix b/nixos/modules/services/cluster/hadoop/yarn.nix index 0a7b4b7e67b03..8aa6d17843632 100644 --- a/nixos/modules/services/cluster/hadoop/yarn.nix +++ b/nixos/modules/services/cluster/hadoop/yarn.nix @@ -1,10 +1,9 @@ { config, lib, pkgs, ...}: -with lib; let cfg = config.services.hadoop; hadoopConf = "${import ./conf.nix { inherit cfg pkgs lib; }}/"; - restartIfChanged = mkOption { - type = types.bool; + restartIfChanged = lib.mkOption { + type = lib.types.bool; description = '' Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. 
@@ -13,8 +12,8 @@ let ''; default = false; }; - extraFlags = mkOption{ - type = with types; listOf str; + extraFlags = lib.mkOption{ + type = with lib.types; listOf str; default = []; description = "Extra command line flags to pass to the service"; example = [ @@ -22,8 +21,8 @@ let "-Dcom.sun.management.jmxremote.port=8010" ]; }; - extraEnv = mkOption{ - type = with types; attrsOf str; + extraEnv = lib.mkOption{ + type = with lib.types; attrsOf str; default = {}; description = "Extra environment variables"; }; @@ -31,11 +30,11 @@ in { options.services.hadoop.yarn = { resourcemanager = { - enable = mkEnableOption "Hadoop YARN ResourceManager"; + enable = lib.mkEnableOption "Hadoop YARN ResourceManager"; inherit restartIfChanged extraFlags extraEnv; - openFirewall = mkOption { - type = types.bool; + openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Open firewall ports for resourcemanager 
@@ -43,56 +42,56 @@ in }; }; nodemanager = { - enable = mkEnableOption "Hadoop YARN NodeManager"; + enable = lib.mkEnableOption "Hadoop YARN NodeManager"; inherit restartIfChanged extraFlags extraEnv; resource = { - cpuVCores = mkOption { + cpuVCores = lib.mkOption { description = "Number of vcores that can be allocated for containers."; - type = with types; nullOr ints.positive; + type = with lib.types; nullOr ints.positive; default = null; }; - maximumAllocationVCores = mkOption { + maximumAllocationVCores = lib.mkOption { description = "The maximum virtual CPU cores any container can be allocated."; - type = with types; nullOr ints.positive; + type = with lib.types; nullOr ints.positive; default = null; }; - memoryMB = mkOption { + memoryMB = lib.mkOption { description = "Amount of physical memory, in MB, that can be allocated for containers."; - type = with types; nullOr ints.positive; + type = with lib.types; nullOr ints.positive; default = null; }; - maximumAllocationMB = mkOption { + maximumAllocationMB = lib.mkOption { description = "The maximum physical memory any container can be allocated."; - type = with types; nullOr ints.positive; + type = with lib.types; nullOr ints.positive; default = null; }; }; - useCGroups = mkOption { - type = types.bool; + useCGroups = lib.mkOption { + type = lib.types.bool; default = true; description = '' Use cgroups to enforce resource limits on containers ''; }; - localDir = mkOption { + localDir = lib.mkOption { description = "List of directories to store localized files in."; - type = with types; nullOr (listOf path); + type = with lib.types; nullOr (listOf path); example = [ "/var/lib/hadoop/yarn/nm" ]; default = null; }; - addBinBash = mkOption { - type = types.bool; + addBinBash = lib.mkOption { + type = lib.types.bool; default = true; description = '' Add /bin/bash. This is needed by the linux container executor's launch script. 
''; }; - openFirewall = mkOption { - type = types.bool; + openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Open firewall ports for nodemanager. @@ -102,8 +101,8 @@ in }; }; - config = mkMerge [ - (mkIf cfg.gatewayRole.enable { + config = lib.mkMerge [ + (lib.mkIf cfg.gatewayRole.enable { users.users.yarn = { description = "Hadoop YARN user"; group = "hadoop"; @@ -111,7 +110,7 @@ in }; }) - (mkIf cfg.yarn.resourcemanager.enable { + (lib.mkIf cfg.yarn.resourcemanager.enable { systemd.services.yarn-resourcemanager = { description = "Hadoop YARN ResourceManager"; wantedBy = [ "multi-user.target" ]; @@ -122,14 +121,14 @@ in User = "yarn"; SyslogIdentifier = "yarn-resourcemanager"; ExecStart = "${cfg.package}/bin/yarn --config ${hadoopConf} " + - " resourcemanager ${escapeShellArgs cfg.yarn.resourcemanager.extraFlags}"; + " resourcemanager ${lib.escapeShellArgs cfg.yarn.resourcemanager.extraFlags}"; Restart = "always"; }; }; services.hadoop.gatewayRole.enable = true; - networking.firewall.allowedTCPPorts = (mkIf cfg.yarn.resourcemanager.openFirewall [ + networking.firewall.allowedTCPPorts = (lib.mkIf cfg.yarn.resourcemanager.openFirewall [ 8088 # resourcemanager.webapp.address 8030 # resourcemanager.scheduler.address 8031 # resourcemanager.resource-tracker.address @@ -138,11 +137,11 @@ in ]); }) - (mkIf cfg.yarn.nodemanager.enable { + (lib.mkIf cfg.yarn.nodemanager.enable { # Needed because yarn hardcodes /bin/bash in container start scripts # These scripts can't be patched, they are generated at runtime systemd.tmpfiles.rules = [ - (mkIf cfg.yarn.nodemanager.addBinBash "L /bin/bash - - - - /run/current-system/sw/bin/bash") + (lib.mkIf cfg.yarn.nodemanager.addBinBash "L /bin/bash - - - - /run/current-system/sw/bin/bash") ]; systemd.services.yarn-nodemanager = { 
@@ -171,20 +170,20 @@ in SyslogIdentifier = "yarn-nodemanager"; PermissionsStartOnly = true; ExecStart = "${cfg.package}/bin/yarn --config ${hadoopConf} " + - " nodemanager ${escapeShellArgs cfg.yarn.nodemanager.extraFlags}"; + " nodemanager ${lib.escapeShellArgs cfg.yarn.nodemanager.extraFlags}"; Restart = "always"; }; }; services.hadoop.gatewayRole.enable = true; - services.hadoop.yarnSiteInternal = with cfg.yarn.nodemanager; mkMerge [ ({ - "yarn.nodemanager.local-dirs" = mkIf (localDir!= null) (concatStringsSep "," localDir); + services.hadoop.yarnSiteInternal = with cfg.yarn.nodemanager; lib.mkMerge [ ({ + "yarn.nodemanager.local-dirs" = lib.mkIf (localDir!= null) (lib.concatStringsSep "," localDir); "yarn.scheduler.maximum-allocation-vcores" = resource.maximumAllocationVCores; "yarn.scheduler.maximum-allocation-mb" = resource.maximumAllocationMB; "yarn.nodemanager.resource.cpu-vcores" = resource.cpuVCores; "yarn.nodemanager.resource.memory-mb" = resource.memoryMB; - }) (mkIf useCGroups { + }) (lib.mkIf useCGroups { "yarn.nodemanager.linux-container-executor.cgroups.hierarchy" = "/hadoop-yarn"; "yarn.nodemanager.linux-container-executor.resources-handler.class" = "org.apache.hadoop.yarn.server.nodemanager.util.CgroupsLCEResourcesHandler"; "yarn.nodemanager.linux-container-executor.cgroups.mount" = "true"; @@ -192,7 +191,7 @@ in })]; networking.firewall.allowedTCPPortRanges = [ - (mkIf (cfg.yarn.nodemanager.openFirewall) {from = 1024; to = 65535;}) + (lib.mkIf (cfg.yarn.nodemanager.openFirewall) {from = 1024; to = 65535;}) ]; }) diff --git a/nixos/modules/services/cluster/kubernetes/addon-manager.nix b/nixos/modules/services/cluster/kubernetes/addon-manager.nix index 522cb0dd16dae..af4346d3c3ce9 100644 --- a/nixos/modules/services/cluster/kubernetes/addon-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/addon-manager.nix 
@@ -1,17 +1,14 @@ { config, lib, pkgs, ... }: - -with lib; - let top = config.services.kubernetes; cfg = top.addonManager; - isRBACEnabled = elem "RBAC" top.apiserver.authorizationMode; + isRBACEnabled = lib.elem "RBAC" top.apiserver.authorizationMode; addons = pkgs.runCommand "kubernetes-addons" { } '' mkdir -p $out # since we are mounting the addons to the addon manager, they need to be copied - ${concatMapStringsSep ";" (a: "cp -v ${a}/* $out/") (mapAttrsToList (name: addon: + ${lib.concatMapStringsSep ";" (a: "cp -v ${a}/* $out/") (lib.mapAttrsToList (name: addon: pkgs.writeTextDir "${name}.json" (builtins.toJSON addon) ) (cfg.addons))} ''; @@ -20,14 +17,14 @@ in ###### interface options.services.kubernetes.addonManager = with lib.types; { - bootstrapAddons = mkOption { + bootstrapAddons = lib.mkOption { description = '' Bootstrap addons are like regular addons, but they are applied with cluster-admin rights. They are applied at addon-manager startup only. ''; default = { }; type = attrsOf attrs; - example = literalExpression '' + example = lib.literalExpression '' { "my-service" = { "apiVersion" = "v1"; @@ -42,11 +39,11 @@ in ''; }; - addons = mkOption { + addons = lib.mkOption { description = "Kubernetes addons (any kind of Kubernetes resource can be an addon)."; default = { }; type = attrsOf (either attrs (listOf attrs)); - example = literalExpression '' + example = lib.literalExpression '' { "my-service" = { "apiVersion" = "v1"; @@ -62,11 +59,11 @@ in ''; }; - enable = mkEnableOption "Kubernetes addon manager"; + enable = lib.mkEnableOption "Kubernetes addon manager"; }; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.etc."kubernetes/addons".source = "${addons}/"; systemd.services.kube-addon-manager = { 
@@ -89,7 +86,7 @@ in }; }; - services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled + services.kubernetes.addonManager.bootstrapAddons = lib.mkIf isRBACEnabled (let name = "system:kube-addon-manager"; namespace = "kube-system"; diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix index 81e359e0e642a..d89d517e86955 100644 --- a/nixos/modules/services/cluster/kubernetes/apiserver.nix +++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix 
@@ -1,36 +1,33 @@ { config, lib, options, pkgs, ... }: - -with lib; - let top = config.services.kubernetes; otop = options.services.kubernetes; cfg = top.apiserver; - isRBACEnabled = elem "RBAC" cfg.authorizationMode; + isRBACEnabled = lib.elem "RBAC" cfg.authorizationMode; - apiserverServiceIP = (concatStringsSep "." ( - take 3 (splitString "." cfg.serviceClusterIpRange + apiserverServiceIP = (lib.concatStringsSep "." ( + lib.take 3 (lib.splitString "." cfg.serviceClusterIpRange )) + ".1"); in { imports = [ - (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"]) - (mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "insecureBindAddress" ] "") - (mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "insecurePort" ] "") - (mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "") - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "servers" ] [ "services" "kubernetes" "apiserver" "etcd" "servers" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "keyFile" ] [ "services" "kubernetes" "apiserver" "etcd" "keyFile" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "certFile" ] [ "services" "kubernetes" "apiserver" "etcd" "certFile" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "caFile" ] [ "services" "kubernetes" "apiserver" "etcd" "caFile" ]) + (lib.mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ]) + (lib.mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"]) + (lib.mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "insecureBindAddress" ] "") + (lib.mkRemovedOptionModule [ "services" "kubernetes" 
"apiserver" "insecurePort" ] "") + (lib.mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "") + (lib.mkRenamedOptionModule [ "services" "kubernetes" "etcd" "servers" ] [ "services" "kubernetes" "apiserver" "etcd" "servers" ]) + (lib.mkRenamedOptionModule [ "services" "kubernetes" "etcd" "keyFile" ] [ "services" "kubernetes" "apiserver" "etcd" "keyFile" ]) + (lib.mkRenamedOptionModule [ "services" "kubernetes" "etcd" "certFile" ] [ "services" "kubernetes" "apiserver" "etcd" "certFile" ]) + (lib.mkRenamedOptionModule [ "services" "kubernetes" "etcd" "caFile" ] [ "services" "kubernetes" "apiserver" "etcd" "caFile" ]) ]; ###### interface options.services.kubernetes.apiserver = with lib.types; { - advertiseAddress = mkOption { + advertiseAddress = lib.mkOption { description = '' Kubernetes apiserver IP address on which to advertise the apiserver to members of the cluster. This address must be reachable by the rest @@ -40,13 +37,13 @@ in type = nullOr str; }; - allowPrivileged = mkOption { + allowPrivileged = lib.mkOption { description = "Whether to allow privileged containers on Kubernetes."; default = false; type = bool; }; - authorizationMode = mkOption { + authorizationMode = lib.mkOption { description = '' Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/Webhook/RBAC/Node). See @@ -55,7 +52,7 @@ in type = listOf (enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "Webhook" "RBAC" "Node"]); }; - authorizationPolicy = mkOption { + authorizationPolicy = lib.mkOption { description = '' Kubernetes apiserver authorization policy file. See @@ -64,7 +61,7 @@ in type = listOf attrs; }; - basicAuthFile = mkOption { + basicAuthFile = lib.mkOption { description = '' Kubernetes apiserver basic authentication file. See 
@@ -73,7 +70,7 @@ in type = nullOr path; }; - bindAddress = mkOption { + bindAddress = lib.mkOption { description = '' The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest @@ -83,14 +80,14 @@ in type = str; }; - clientCaFile = mkOption { + clientCaFile = lib.mkOption { description = "Kubernetes apiserver CA file for client auth."; default = top.caFile; - defaultText = literalExpression "config.${otop.caFile}"; + defaultText = lib.literalExpression "config.${otop.caFile}"; type = nullOr path; }; - disableAdmissionPlugins = mkOption { + disableAdmissionPlugins = lib.mkOption { description = '' Kubernetes admission control plugins to disable. See @@ -99,9 +96,9 @@ in type = listOf str; }; - enable = mkEnableOption "Kubernetes apiserver"; + enable = lib.mkEnableOption "Kubernetes apiserver"; - enableAdmissionPlugins = mkOption { + enableAdmissionPlugins = lib.mkOption { description = '' Kubernetes admission control plugins to enable. See 
@@ -120,89 +117,89 @@ in }; etcd = { - servers = mkOption { + servers = lib.mkOption { description = "List of etcd servers."; default = ["http://127.0.0.1:2379"]; - type = types.listOf types.str; + type = lib.types.listOf lib.types.str; }; - keyFile = mkOption { + keyFile = lib.mkOption { description = "Etcd key file."; default = null; - type = types.nullOr types.path; + type = lib.types.nullOr lib.types.path; }; - certFile = mkOption { + certFile = lib.mkOption { description = "Etcd cert file."; default = null; - type = types.nullOr types.path; + type = lib.types.nullOr lib.types.path; }; - caFile = mkOption { + caFile = lib.mkOption { description = "Etcd ca file."; default = top.caFile; - defaultText = literalExpression "config.${otop.caFile}"; - type = types.nullOr types.path; + defaultText = lib.literalExpression "config.${otop.caFile}"; + type = lib.types.nullOr lib.types.path; }; }; - extraOpts = mkOption { + extraOpts = lib.mkOption { description = "Kubernetes apiserver extra command line options."; default = ""; type = separatedString " "; }; - extraSANs = mkOption { + extraSANs = lib.mkOption { description = "Extra x509 Subject Alternative Names to be added to the kubernetes apiserver tls cert."; default = []; type = listOf str; }; - featureGates = mkOption { + featureGates = lib.mkOption { description = "Attribute set of feature gates."; default = top.featureGates; - defaultText = literalExpression "config.${otop.featureGates}"; + defaultText = lib.literalExpression "config.${otop.featureGates}"; type = attrsOf bool; }; - kubeletClientCaFile = mkOption { + kubeletClientCaFile = lib.mkOption { description = "Path to a cert file for connecting to kubelet."; default = top.caFile; - defaultText = literalExpression "config.${otop.caFile}"; + defaultText = lib.literalExpression "config.${otop.caFile}"; type = nullOr path; }; - kubeletClientCertFile = mkOption { + kubeletClientCertFile = lib.mkOption { description = "Client certificate to use for connections to 
kubelet."; default = null; type = nullOr path; }; - kubeletClientKeyFile = mkOption { + kubeletClientKeyFile = lib.mkOption { description = "Key to use for connections to kubelet."; default = null; type = nullOr path; }; - preferredAddressTypes = mkOption { + preferredAddressTypes = lib.mkOption { description = "List of the preferred NodeAddressTypes to use for kubelet connections."; type = nullOr str; default = null; }; - proxyClientCertFile = mkOption { + proxyClientCertFile = lib.mkOption { description = "Client certificate to use for connections to proxy."; default = null; type = nullOr path; }; - proxyClientKeyFile = mkOption { + proxyClientKeyFile = lib.mkOption { description = "Key to use for connections to proxy."; default = null; type = nullOr path; }; - runtimeConfig = mkOption { + runtimeConfig = lib.mkOption { description = '' Api runtime configuration. See @@ -212,7 +209,7 @@ in type = str; }; - storageBackend = mkOption { + storageBackend = lib.mkOption { description = '' Kubernetes apiserver storage backend. ''; @@ -220,13 +217,13 @@ in type = enum ["etcd2" "etcd3"]; }; - securePort = mkOption { + securePort = lib.mkOption { description = "Kubernetes apiserver secure port."; default = 6443; type = int; }; - apiAudiences = mkOption { + apiAudiences = lib.mkOption { description = '' Kubernetes apiserver ServiceAccount issuer. ''; @@ -234,7 +231,7 @@ in type = str; }; - serviceAccountIssuer = mkOption { + serviceAccountIssuer = lib.mkOption { description = '' Kubernetes apiserver ServiceAccount issuer. ''; @@ -242,7 +239,7 @@ in type = str; }; - serviceAccountSigningKeyFile = mkOption { + serviceAccountSigningKeyFile = lib.mkOption { description = '' Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this 
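Review bot: The `etcd` sub-options at the top of this hunk spell their types as `lib.types.listOf lib.types.str` and `lib.types.nullOr lib.types.path`, although the whole `options.services.kubernetes.apiserver` set is already under `with lib.types;` (its header is in the first hunk of this file) and every sibling option in the same hunk writes `nullOr path` / `listOf str`. The prefix was carried over mechanically from the old `types.` spelling; dropping it, e.g. `type = listOf str;` and `type = nullOr path;`, keeps the option block uniform. This is a style point only, the evaluated types are identical.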
@@ -251,7 +248,7 @@ in type = path; }; - serviceAccountKeyFile = mkOption { + serviceAccountKeyFile = lib.mkOption { description = '' File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify ServiceAccount tokens. The specified file can contain @@ -262,7 +259,7 @@ in type = path; }; - serviceClusterIpRange = mkOption { + serviceClusterIpRange = lib.mkOption { description = '' A CIDR notation IP range from which to assign service cluster IPs. This must not overlap with any IP ranges assigned to nodes for pods. @@ -271,19 +268,19 @@ in type = str; }; - tlsCertFile = mkOption { + tlsCertFile = lib.mkOption { description = "Kubernetes apiserver certificate file."; default = null; type = nullOr path; }; - tlsKeyFile = mkOption { + tlsKeyFile = lib.mkOption { description = "Kubernetes apiserver private key file."; default = null; type = nullOr path; }; - tokenAuthFile = mkOption { + tokenAuthFile = lib.mkOption { description = '' Kubernetes apiserver token authentication file. See @@ -292,7 +289,7 @@ in type = nullOr path; }; - verbosity = mkOption { + verbosity = lib.mkOption { description = '' Optional glog verbosity level for logging statements. See @@ -301,7 +298,7 @@ in type = nullOr int; }; - webhookConfig = mkOption { + webhookConfig = lib.mkOption { description = '' Kubernetes apiserver Webhook config file. It uses the kubeconfig file format. See @@ -314,9 +311,9 @@ in ###### implementation - config = mkMerge [ + config = lib.mkMerge [ - (mkIf cfg.enable { + (lib.mkIf cfg.enable { systemd.services.kube-apiserver = { description = "Kubernetes APIServer Service"; wantedBy = [ "kubernetes.target" ]; 
@@ -324,48 +321,48 @@ in serviceConfig = { Slice = "kubernetes.slice"; ExecStart = ''${top.package}/bin/kube-apiserver \ - --allow-privileged=${boolToString cfg.allowPrivileged} \ - --authorization-mode=${concatStringsSep "," cfg.authorizationMode} \ - ${optionalString (elem "ABAC" cfg.authorizationMode) + --allow-privileged=${lib.boolToString cfg.allowPrivileged} \ + --authorization-mode=${lib.concatStringsSep "," cfg.authorizationMode} \ + ${lib.optionalString (lib.elem "ABAC" cfg.authorizationMode) "--authorization-policy-file=${ pkgs.writeText "kube-auth-policy.jsonl" - (concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.authorizationPolicy) + (lib.concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.authorizationPolicy) }" } \ - ${optionalString (elem "Webhook" cfg.authorizationMode) + ${lib.optionalString (lib.elem "Webhook" cfg.authorizationMode) "--authorization-webhook-config-file=${cfg.webhookConfig}" } \ --bind-address=${cfg.bindAddress} \ - ${optionalString (cfg.advertiseAddress != null) + ${lib.optionalString (cfg.advertiseAddress != null) "--advertise-address=${cfg.advertiseAddress}"} \ - ${optionalString (cfg.clientCaFile != null) + ${lib.optionalString (cfg.clientCaFile != null) "--client-ca-file=${cfg.clientCaFile}"} \ - --disable-admission-plugins=${concatStringsSep "," cfg.disableAdmissionPlugins} \ - --enable-admission-plugins=${concatStringsSep "," cfg.enableAdmissionPlugins} \ - --etcd-servers=${concatStringsSep "," cfg.etcd.servers} \ - ${optionalString (cfg.etcd.caFile != null) + --disable-admission-plugins=${lib.concatStringsSep "," cfg.disableAdmissionPlugins} \ + --enable-admission-plugins=${lib.concatStringsSep "," cfg.enableAdmissionPlugins} \ + --etcd-servers=${lib.concatStringsSep "," cfg.etcd.servers} \ + ${lib.optionalString (cfg.etcd.caFile != null) "--etcd-cafile=${cfg.etcd.caFile}"} \ - ${optionalString (cfg.etcd.certFile != null) + ${lib.optionalString (cfg.etcd.certFile != null) "--etcd-certfile=${cfg.etcd.certFile}"} \ - 
${optionalString (cfg.etcd.keyFile != null) + ${lib.optionalString (cfg.etcd.keyFile != null) "--etcd-keyfile=${cfg.etcd.keyFile}"} \ - ${optionalString (cfg.featureGates != {}) - "--feature-gates=${(concatStringsSep "," (builtins.attrValues (mapAttrs (n: v: "${n}=${trivial.boolToString v}") cfg.featureGates)))}"} \ - ${optionalString (cfg.basicAuthFile != null) + ${lib.optionalString (cfg.featureGates != {}) + "--feature-gates=${(lib.concatStringsSep "," (builtins.attrValues (lib.mapAttrs (n: v: "${n}=${lib.trivial.boolToString v}") cfg.featureGates)))}"} \ + ${lib.optionalString (cfg.basicAuthFile != null) "--basic-auth-file=${cfg.basicAuthFile}"} \ - ${optionalString (cfg.kubeletClientCaFile != null) + ${lib.optionalString (cfg.kubeletClientCaFile != null) "--kubelet-certificate-authority=${cfg.kubeletClientCaFile}"} \ - ${optionalString (cfg.kubeletClientCertFile != null) + ${lib.optionalString (cfg.kubeletClientCertFile != null) "--kubelet-client-certificate=${cfg.kubeletClientCertFile}"} \ - ${optionalString (cfg.kubeletClientKeyFile != null) + ${lib.optionalString (cfg.kubeletClientKeyFile != null) "--kubelet-client-key=${cfg.kubeletClientKeyFile}"} \ - ${optionalString (cfg.preferredAddressTypes != null) + ${lib.optionalString (cfg.preferredAddressTypes != null) "--kubelet-preferred-address-types=${cfg.preferredAddressTypes}"} \ - ${optionalString (cfg.proxyClientCertFile != null) + ${lib.optionalString (cfg.proxyClientCertFile != null) "--proxy-client-cert-file=${cfg.proxyClientCertFile}"} \ - ${optionalString (cfg.proxyClientKeyFile != null) + ${lib.optionalString (cfg.proxyClientKeyFile != null) "--proxy-client-key-file=${cfg.proxyClientKeyFile}"} \ - ${optionalString (cfg.runtimeConfig != "") + ${lib.optionalString (cfg.runtimeConfig != "") "--runtime-config=${cfg.runtimeConfig}"} \ --secure-port=${toString cfg.securePort} \ --api-audiences=${toString cfg.apiAudiences} \ 
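Review bot: The rewritten `ExecStart` string mixes `lib.boolToString cfg.allowPrivileged` near its top with `lib.trivial.boolToString v` in the `--feature-gates` expression; both names resolve to the same function, so now that the prefix is explicit a single spelling, `lib.boolToString`, would read more consistently. The enclosing `systemd.services.kube-apiserver` definition starts in this hunk and continues beyond it.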
@@ -374,13 +371,13 @@ in
 --service-account-key-file=${cfg.serviceAccountKeyFile} \
 --service-cluster-ip-range=${cfg.serviceClusterIpRange} \
 --storage-backend=${cfg.storageBackend} \
- ${optionalString (cfg.tlsCertFile != null)
+ ${lib.optionalString (cfg.tlsCertFile != null)
 "--tls-cert-file=${cfg.tlsCertFile}"} \
- ${optionalString (cfg.tlsKeyFile != null)
+ ${lib.optionalString (cfg.tlsKeyFile != null)
 "--tls-private-key-file=${cfg.tlsKeyFile}"} \
- ${optionalString (cfg.tokenAuthFile != null)
+ ${lib.optionalString (cfg.tokenAuthFile != null)
 "--token-auth-file=${cfg.tokenAuthFile}"} \
- ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
+ ${lib.optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
 ${cfg.extraOpts}
 '';
 WorkingDirectory = top.dataDir;
@@ -397,17 +394,17 @@ in }; services.etcd = { - clientCertAuth = mkDefault true; - peerClientCertAuth = mkDefault true; - listenClientUrls = mkDefault ["https://0.0.0.0:2379"]; - listenPeerUrls = mkDefault ["https://0.0.0.0:2380"]; - advertiseClientUrls = mkDefault ["https://${top.masterAddress}:2379"]; - initialCluster = mkDefault ["${top.masterAddress}=https://${top.masterAddress}:2380"]; - name = mkDefault top.masterAddress; - initialAdvertisePeerUrls = mkDefault ["https://${top.masterAddress}:2380"]; + clientCertAuth = lib.mkDefault true; + peerClientCertAuth = lib.mkDefault true; + listenClientUrls = lib.mkDefault ["https://0.0.0.0:2379"]; + listenPeerUrls = lib.mkDefault ["https://0.0.0.0:2380"]; + advertiseClientUrls = lib.mkDefault ["https://${top.masterAddress}:2379"]; + initialCluster = lib.mkDefault ["${top.masterAddress}=https://${top.masterAddress}:2380"]; + name = lib.mkDefault top.masterAddress; + initialAdvertisePeerUrls = lib.mkDefault ["https://${top.masterAddress}:2380"]; }; - services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled { + services.kubernetes.addonManager.bootstrapAddons = lib.mkIf isRBACEnabled { apiserver-kubelet-api-admin-crb = { apiVersion = "rbac.authorization.k8s.io/v1"; diff --git a/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixos/modules/services/cluster/kubernetes/controller-manager.nix index b427de22bf896..044ae8e42153a 100644 --- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix @@ -1,7 +1,4 @@ { config, lib, options, pkgs, ... }: - -with lib; - let top = config.services.kubernetes; otop = options.services.kubernetes; 
@@ -9,72 +6,72 @@ let in { imports = [ - (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "address" ] ["services" "kubernetes" "controllerManager" "bindAddress"]) - (mkRemovedOptionModule [ "services" "kubernetes" "controllerManager" "insecurePort" ] "") + (lib.mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "address" ] ["services" "kubernetes" "controllerManager" "bindAddress"]) + (lib.mkRemovedOptionModule [ "services" "kubernetes" "controllerManager" "insecurePort" ] "") ]; ###### interface options.services.kubernetes.controllerManager = with lib.types; { - allocateNodeCIDRs = mkOption { + allocateNodeCIDRs = lib.mkOption { description = "Whether to automatically allocate CIDR ranges for cluster nodes."; default = true; type = bool; }; - bindAddress = mkOption { + bindAddress = lib.mkOption { description = "Kubernetes controller manager listening address."; default = "127.0.0.1"; type = str; }; - clusterCidr = mkOption { + clusterCidr = lib.mkOption { description = "Kubernetes CIDR Range for Pods in cluster."; default = top.clusterCidr; - defaultText = literalExpression "config.${otop.clusterCidr}"; + defaultText = lib.literalExpression "config.${otop.clusterCidr}"; type = str; }; - enable = mkEnableOption "Kubernetes controller manager"; + enable = lib.mkEnableOption "Kubernetes controller manager"; - extraOpts = mkOption { + extraOpts = lib.mkOption { description = "Kubernetes controller manager extra command line options."; default = ""; type = separatedString " "; }; - featureGates = mkOption { + featureGates = lib.mkOption { description = "Attribute set of feature gates."; default = top.featureGates; - defaultText = literalExpression "config.${otop.featureGates}"; + defaultText = lib.literalExpression "config.${otop.featureGates}"; type = attrsOf bool; }; kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes controller manager"; - leaderElect = mkOption { + leaderElect = lib.mkOption { description = "Whether to start 
leader election before executing main loop."; type = bool; default = true; }; - rootCaFile = mkOption { + rootCaFile = lib.mkOption { description = '' Kubernetes controller manager certificate authority file included in service account's token secret. ''; default = top.caFile; - defaultText = literalExpression "config.${otop.caFile}"; + defaultText = lib.literalExpression "config.${otop.caFile}"; type = nullOr path; }; - securePort = mkOption { + securePort = lib.mkOption { description = "Kubernetes controller manager secure listening port."; default = 10252; type = int; }; - serviceAccountKeyFile = mkOption { + serviceAccountKeyFile = lib.mkOption { description = '' Kubernetes controller manager PEM-encoded private RSA key file used to sign service account tokens @@ -83,19 +80,19 @@ in type = nullOr path; }; - tlsCertFile = mkOption { + tlsCertFile = lib.mkOption { description = "Kubernetes controller-manager certificate file."; default = null; type = nullOr path; }; - tlsKeyFile = mkOption { + tlsKeyFile = lib.mkOption { description = "Kubernetes controller-manager private key file."; default = null; type = nullOr path; }; - verbosity = mkOption { + verbosity = lib.mkOption { description = '' Optional glog verbosity level for logging statements. See @@ -107,7 +104,7 @@ in }; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.services.kube-controller-manager = { description = "Kubernetes Controller Manager Service"; wantedBy = [ "kubernetes.target" ]; 
@@ -117,26 +114,26 @@ in Restart = "on-failure"; Slice = "kubernetes.slice"; ExecStart = ''${top.package}/bin/kube-controller-manager \ - --allocate-node-cidrs=${boolToString cfg.allocateNodeCIDRs} \ + --allocate-node-cidrs=${lib.boolToString cfg.allocateNodeCIDRs} \ --bind-address=${cfg.bindAddress} \ - ${optionalString (cfg.clusterCidr!=null) + ${lib.optionalString (cfg.clusterCidr!=null) "--cluster-cidr=${cfg.clusterCidr}"} \ - ${optionalString (cfg.featureGates != {}) - "--feature-gates=${concatStringsSep "," (builtins.attrValues (mapAttrs (n: v: "${n}=${trivial.boolToString v}") cfg.featureGates))}"} \ + ${lib.optionalString (cfg.featureGates != {}) + "--feature-gates=${lib.concatStringsSep "," (builtins.attrValues (lib.mapAttrs (n: v: "${n}=${lib.trivial.boolToString v}") cfg.featureGates))}"} \ --kubeconfig=${top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \ - --leader-elect=${boolToString cfg.leaderElect} \ - ${optionalString (cfg.rootCaFile!=null) + --leader-elect=${lib.boolToString cfg.leaderElect} \ + ${lib.optionalString (cfg.rootCaFile!=null) "--root-ca-file=${cfg.rootCaFile}"} \ --secure-port=${toString cfg.securePort} \ - ${optionalString (cfg.serviceAccountKeyFile!=null) + ${lib.optionalString (cfg.serviceAccountKeyFile!=null) "--service-account-private-key-file=${cfg.serviceAccountKeyFile}"} \ - ${optionalString (cfg.tlsCertFile!=null) + ${lib.optionalString (cfg.tlsCertFile!=null) "--tls-cert-file=${cfg.tlsCertFile}"} \ - ${optionalString (cfg.tlsKeyFile!=null) + ${lib.optionalString (cfg.tlsKeyFile!=null) "--tls-private-key-file=${cfg.tlsKeyFile}"} \ - ${optionalString (elem "RBAC" top.apiserver.authorizationMode) + ${lib.optionalString (lib.elem "RBAC" top.apiserver.authorizationMode) "--use-service-account-credentials"} \ - ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ + ${lib.optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ ${cfg.extraOpts} ''; WorkingDirectory = 
top.dataDir; @@ -162,7 +159,7 @@ in }; }; - services.kubernetes.controllerManager.kubeconfig.server = mkDefault top.apiserverAddress; + services.kubernetes.controllerManager.kubeconfig.server = lib.mkDefault top.apiserverAddress; }; meta.buildDocsInSandbox = false; diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index 208b2a864f024..32e7e0d3f70a5 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -1,7 +1,4 @@ { config, lib, options, pkgs, ... }: - -with lib; - let cfg = config.services.kubernetes; opt = options.services.kubernetes; 
@@ -76,41 +73,41 @@ let secret = name: "${cfg.secretsPath}/${name}.pem"; mkKubeConfigOptions = prefix: { - server = mkOption { + server = lib.mkOption { description = "${prefix} kube-apiserver server address."; - type = types.str; + type = lib.types.str; }; - caFile = mkOption { + caFile = lib.mkOption { description = "${prefix} certificate authority file used to connect to kube-apiserver."; - type = types.nullOr types.path; + type = lib.types.nullOr lib.types.path; default = cfg.caFile; - defaultText = literalExpression "config.${opt.caFile}"; + defaultText = lib.literalExpression "config.${opt.caFile}"; }; - certFile = mkOption { + certFile = lib.mkOption { description = "${prefix} client certificate file used to connect to kube-apiserver."; - type = types.nullOr types.path; + type = lib.types.nullOr lib.types.path; default = null; }; - keyFile = mkOption { + keyFile = lib.mkOption { description = "${prefix} client key file used to connect to kube-apiserver."; - type = types.nullOr types.path; + type = lib.types.nullOr lib.types.path; default = null; }; }; in { imports = [ - (mkRemovedOptionModule [ "services" "kubernetes" "addons" "dashboard" ] "Removed due to it being an outdated version") - (mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "") + (lib.mkRemovedOptionModule [ "services" "kubernetes" "addons" "dashboard" ] "Removed due to it being an outdated version") + (lib.mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "") ]; ###### interface options.services.kubernetes = { - roles = mkOption { + roles = lib.mkOption { description = '' Kubernetes role that this machine should take. 
@@ -119,79 +116,79 @@ in { Node role will enable flannel, docker, kubelet and proxy services. ''; default = []; - type = types.listOf (types.enum ["master" "node"]); + type = lib.types.listOf (lib.types.enum ["master" "node"]); }; - package = mkPackageOption pkgs "kubernetes" { }; + package = lib.mkPackageOption pkgs "kubernetes" { }; kubeconfig = mkKubeConfigOptions "Default kubeconfig"; - apiserverAddress = mkOption { + apiserverAddress = lib.mkOption { description = '' Clusterwide accessible address for the kubernetes apiserver, including protocol and optional port. ''; example = "https://kubernetes-apiserver.example.com:6443"; - type = types.str; + type = lib.types.str; }; - caFile = mkOption { + caFile = lib.mkOption { description = "Default kubernetes certificate authority"; - type = types.nullOr types.path; + type = lib.types.nullOr lib.types.path; default = null; }; - dataDir = mkOption { + dataDir = lib.mkOption { description = "Kubernetes root directory for managing kubelet files."; default = "/var/lib/kubernetes"; - type = types.path; + type = lib.types.path; }; - easyCerts = mkOption { + easyCerts = lib.mkOption { description = "Automatically setup x509 certificates and keys for the entire cluster."; default = false; - type = types.bool; + type = lib.types.bool; }; - featureGates = mkOption { + featureGates = lib.mkOption { description = "List set of feature gates."; default = {}; - type = types.attrsOf types.bool; + type = lib.types.attrsOf lib.types.bool; }; - masterAddress = mkOption { + masterAddress = lib.mkOption { description = "Clusterwide available network address or hostname for the kubernetes master server."; example = "master.example.com"; - type = types.str; + type = lib.types.str; }; - path = mkOption { + path = lib.mkOption { description = "Packages added to the services' PATH environment variable. 
Both the bin and sbin subdirectories of each package are added."; - type = types.listOf types.package; + type = lib.types.listOf lib.types.package; default = []; }; - clusterCidr = mkOption { + clusterCidr = lib.mkOption { description = "Kubernetes controller manager and proxy CIDR Range for Pods in cluster."; default = "10.1.0.0/16"; - type = types.nullOr types.str; + type = lib.types.nullOr lib.types.str; }; - lib = mkOption { + lib = lib.mkOption { description = "Common functions for the kubernetes modules."; default = { inherit mkCert; inherit mkKubeConfig; inherit mkKubeConfigOptions; }; - type = types.attrs; + type = lib.types.attrs; }; - secretsPath = mkOption { + secretsPath = lib.mkOption { description = "Default location for kubernetes secrets. Not a store location."; - type = types.path; + type = lib.types.path; default = cfg.dataDir + "/secrets"; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' config.${opt.dataDir} + "/secrets" ''; }; 
@@ -199,23 +196,23 @@ in { ###### implementation - config = mkMerge [ + config = lib.mkMerge [ - (mkIf cfg.easyCerts { - services.kubernetes.pki.enable = mkDefault true; + (lib.mkIf cfg.easyCerts { + services.kubernetes.pki.enable = lib.mkDefault true; services.kubernetes.caFile = caCert; }) - (mkIf (elem "master" cfg.roles) { - services.kubernetes.apiserver.enable = mkDefault true; - services.kubernetes.scheduler.enable = mkDefault true; - services.kubernetes.controllerManager.enable = mkDefault true; - services.kubernetes.addonManager.enable = mkDefault true; - services.kubernetes.proxy.enable = mkDefault true; - services.etcd.enable = true; # Cannot mkDefault because of flannel default options + (lib.mkIf (lib.elem "master" cfg.roles) { + services.kubernetes.apiserver.enable = lib.mkDefault true; + services.kubernetes.scheduler.enable = lib.mkDefault true; + services.kubernetes.controllerManager.enable = lib.mkDefault true; + services.kubernetes.addonManager.enable = lib.mkDefault true; + services.kubernetes.proxy.enable = lib.mkDefault true; + services.etcd.enable = true; # Cannot lib.mkDefault because of flannel default options services.kubernetes.kubelet = { - enable = mkDefault true; - taints = mkIf (!(elem "node" cfg.roles)) { + enable = lib.mkDefault true; + taints = lib.mkIf (!(lib.elem "node" cfg.roles)) { master = { key = "node-role.kubernetes.io/master"; value = "true"; 
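Review bot: The substitution reached into a comment in the master-role block: `services.etcd.enable = true; # Cannot lib.mkDefault because of flannel default options` now talks about `lib.mkDefault` as if it were the thing that cannot be used, whereas the original comment referred to the `mkDefault` priority. Keep the comment as `# Cannot mkDefault because of flannel default options`. Since this commit appears to be a mechanical rewrite, it is worth grepping the whole change for the same substitution landing inside comments and string literals, where it alters user-visible text rather than code.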
@@ -226,36 +223,36 @@ in { }) - (mkIf (all (el: el == "master") cfg.roles) { + (lib.mkIf (lib.all (el: el == "master") cfg.roles) { # if this node is only a master make it unschedulable by default - services.kubernetes.kubelet.unschedulable = mkDefault true; + services.kubernetes.kubelet.unschedulable = lib.mkDefault true; }) - (mkIf (elem "node" cfg.roles) { - services.kubernetes.kubelet.enable = mkDefault true; - services.kubernetes.proxy.enable = mkDefault true; + (lib.mkIf (lib.elem "node" cfg.roles) { + services.kubernetes.kubelet.enable = lib.mkDefault true; + services.kubernetes.proxy.enable = lib.mkDefault true; }) # Using "services.kubernetes.roles" will automatically enable easyCerts and flannel - (mkIf (cfg.roles != []) { - services.kubernetes.flannel.enable = mkDefault true; - services.flannel.etcd.endpoints = mkDefault etcdEndpoints; - services.kubernetes.easyCerts = mkDefault true; + (lib.mkIf (cfg.roles != []) { + services.kubernetes.flannel.enable = lib.mkDefault true; + services.flannel.etcd.endpoints = lib.mkDefault etcdEndpoints; + services.kubernetes.easyCerts = lib.mkDefault true; }) - (mkIf cfg.apiserver.enable { - services.kubernetes.pki.etcClusterAdminKubeconfig = mkDefault "kubernetes/cluster-admin.kubeconfig"; - services.kubernetes.apiserver.etcd.servers = mkDefault etcdEndpoints; + (lib.mkIf cfg.apiserver.enable { + services.kubernetes.pki.etcClusterAdminKubeconfig = lib.mkDefault "kubernetes/cluster-admin.kubeconfig"; + services.kubernetes.apiserver.etcd.servers = lib.mkDefault etcdEndpoints; }) - (mkIf cfg.kubelet.enable { + (lib.mkIf cfg.kubelet.enable { virtualisation.containerd = { - enable = mkDefault true; - settings = mapAttrsRecursive (name: mkDefault) defaultContainerdSettings; + enable = lib.mkDefault true; + settings = lib.mapAttrsRecursive (name: lib.mkDefault) defaultContainerdSettings; }; }) - (mkIf (cfg.apiserver.enable || cfg.controllerManager.enable) { + (lib.mkIf (cfg.apiserver.enable || cfg.controllerManager.enable) { 
services.kubernetes.pki.certs = { serviceAccount = mkCert { name = "service-account"; @@ -269,7 +266,7 @@ in { }; }) - (mkIf ( + (lib.mkIf ( cfg.apiserver.enable || cfg.scheduler.enable || cfg.controllerManager.enable || @@ -299,9 +296,9 @@ in { users.groups.kubernetes.gid = config.ids.gids.kubernetes; # dns addon is enabled by default - services.kubernetes.addons.dns.enable = mkDefault true; + services.kubernetes.addons.dns.enable = lib.mkDefault true; - services.kubernetes.apiserverAddress = mkDefault ("https://${if cfg.apiserver.advertiseAddress != null + services.kubernetes.apiserverAddress = lib.mkDefault ("https://${if cfg.apiserver.advertiseAddress != null then cfg.apiserver.advertiseAddress else "${cfg.masterAddress}:${toString cfg.apiserver.securePort}"}"); }) diff --git a/nixos/modules/services/cluster/kubernetes/scheduler.nix b/nixos/modules/services/cluster/kubernetes/scheduler.nix index 6fb90469c706b..05205a529f8d9 100644 --- a/nixos/modules/services/cluster/kubernetes/scheduler.nix +++ b/nixos/modules/services/cluster/kubernetes/scheduler.nix @@ -1,7 +1,4 @@ { config, lib, options, pkgs, ... }: - -with lib; - let top = config.services.kubernetes; otop = options.services.kubernetes; 
@@ -11,42 +8,42 @@ in ###### interface options.services.kubernetes.scheduler = with lib.types; { - address = mkOption { + address = lib.mkOption { description = "Kubernetes scheduler listening address."; default = "127.0.0.1"; type = str; }; - enable = mkEnableOption "Kubernetes scheduler"; + enable = lib.mkEnableOption "Kubernetes scheduler"; - extraOpts = mkOption { + extraOpts = lib.mkOption { description = "Kubernetes scheduler extra command line options."; default = ""; type = separatedString " "; }; - featureGates = mkOption { + featureGates = lib.mkOption { description = "Attribute set of feature gates."; default = top.featureGates; - defaultText = literalExpression "config.${otop.featureGates}"; + defaultText = lib.literalExpression "config.${otop.featureGates}"; type = attrsOf bool; }; kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes scheduler"; - leaderElect = mkOption { + leaderElect = lib.mkOption { description = "Whether to start leader election before executing main loop."; type = bool; default = true; }; - port = mkOption { + port = lib.mkOption { description = "Kubernetes scheduler listening port."; default = 10251; type = port; }; - verbosity = mkOption { + verbosity = lib.mkOption { description = '' Optional glog verbosity level for logging statements. See @@ -58,7 +55,7 @@ in }; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.services.kube-scheduler = { description = "Kubernetes Scheduler Service"; wantedBy = [ "kubernetes.target" ]; 
@@ -67,12 +64,12 @@ in Slice = "kubernetes.slice"; ExecStart = ''${top.package}/bin/kube-scheduler \ --bind-address=${cfg.address} \ - ${optionalString (cfg.featureGates != {}) - "--feature-gates=${concatStringsSep "," (builtins.attrValues (mapAttrs (n: v: "${n}=${trivial.boolToString v}") cfg.featureGates))}"} \ + ${lib.optionalString (cfg.featureGates != {}) + "--feature-gates=${lib.concatStringsSep "," (builtins.attrValues (lib.mapAttrs (n: v: "${n}=${lib.trivial.boolToString v}") cfg.featureGates))}"} \ --kubeconfig=${top.lib.mkKubeConfig "kube-scheduler" cfg.kubeconfig} \ - --leader-elect=${boolToString cfg.leaderElect} \ + --leader-elect=${lib.boolToString cfg.leaderElect} \ --secure-port=${toString cfg.port} \ - ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ + ${lib.optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ ${cfg.extraOpts} ''; WorkingDirectory = top.dataDir; @@ -94,7 +91,7 @@ in }; }; - services.kubernetes.scheduler.kubeconfig.server = mkDefault top.apiserverAddress; + services.kubernetes.scheduler.kubeconfig.server = lib.mkDefault top.apiserverAddress; }; meta.buildDocsInSandbox = false; diff --git a/nixos/modules/services/continuous-integration/buildbot/worker.nix b/nixos/modules/services/continuous-integration/buildbot/worker.nix index 1534ca6f57855..62b38d2829aa4 100644 --- a/nixos/modules/services/continuous-integration/buildbot/worker.nix +++ b/nixos/modules/services/continuous-integration/buildbot/worker.nix @@ -1,9 +1,5 @@ # NixOS module for Buildbot Worker. - { config, lib, options, pkgs, ... }: - -with lib; - let cfg = config.services.buildbot-worker; opt = options.services.buildbot-worker; 
@@ -47,106 +43,106 @@ in { options = { services.buildbot-worker = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = "Whether to enable the Buildbot Worker."; }; - user = mkOption { + user = lib.mkOption { default = "bbworker"; - type = types.str; + type = lib.types.str; description = "User the buildbot Worker should execute under."; }; - group = mkOption { + group = lib.mkOption { default = "bbworker"; - type = types.str; + type = lib.types.str; description = "Primary group of buildbot Worker user."; }; - extraGroups = mkOption { - type = types.listOf types.str; + extraGroups = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = "List of extra groups that the Buildbot Worker user should be a part of."; }; - home = mkOption { + home = lib.mkOption { default = "/home/bbworker"; - type = types.path; + type = lib.types.path; description = "Buildbot home directory."; }; - buildbotDir = mkOption { + buildbotDir = lib.mkOption { default = "${cfg.home}/worker"; - defaultText = literalExpression ''"''${config.${opt.home}}/worker"''; - type = types.path; + defaultText = lib.literalExpression ''"''${config.${opt.home}}/worker"''; + type = lib.types.path; description = "Specifies the Buildbot directory."; }; - workerUser = mkOption { + workerUser = lib.mkOption { default = "example-worker"; - type = types.str; + type = lib.types.str; description = "Specifies the Buildbot Worker user."; }; - workerPass = mkOption { + workerPass = lib.mkOption { default = "pass"; - type = types.str; + type = lib.types.str; description = "Specifies the Buildbot Worker password."; }; - workerPassFile = mkOption { - type = types.path; + workerPassFile = lib.mkOption { + type = lib.types.path; description = "File used to store the Buildbot Worker password"; }; - hostMessage = mkOption { + hostMessage = lib.mkOption { default = null; - type = types.nullOr types.str; + type = lib.types.nullOr 
lib.types.str; description = "Description of this worker"; }; - adminMessage = mkOption { + adminMessage = lib.mkOption { default = null; - type = types.nullOr types.str; + type = lib.types.nullOr lib.types.str; description = "Name of the administrator of this worker"; }; - masterUrl = mkOption { + masterUrl = lib.mkOption { default = "localhost:9989"; - type = types.str; + type = lib.types.str; description = "Specifies the Buildbot Worker connection string."; }; - keepalive = mkOption { + keepalive = lib.mkOption { default = 600; - type = types.int; + type = lib.types.int; description = '' This is a number that indicates how frequently keepalive messages should be sent from the worker to the buildmaster, expressed in seconds. ''; }; - package = mkPackageOption pkgs "buildbot-worker" { }; + package = lib.mkPackageOption pkgs "buildbot-worker" { }; - packages = mkOption { + packages = lib.mkOption { default = with pkgs; [ git ]; - defaultText = literalExpression "[ pkgs.git ]"; - type = types.listOf types.package; + defaultText = lib.literalExpression "[ pkgs.git ]"; + type = lib.types.listOf lib.types.package; description = "Packages to add to PATH for the buildbot process."; }; }; }; - config = mkIf cfg.enable { - services.buildbot-worker.workerPassFile = mkDefault (pkgs.writeText "buildbot-worker-password" cfg.workerPass); + config = lib.mkIf cfg.enable { + services.buildbot-worker.workerPassFile = lib.mkDefault (pkgs.writeText "buildbot-worker-password" cfg.workerPass); - users.groups = optionalAttrs (cfg.group == "bbworker") { + users.groups = lib.optionalAttrs (cfg.group == "bbworker") { bbworker = { }; }; - users.users = optionalAttrs (cfg.user == "bbworker") { + users.users = lib.optionalAttrs (cfg.user == "bbworker") { bbworker = { description = "Buildbot Worker User."; isNormalUser = true; 
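Review bot: The `workerPass` option defaults to `"pass"` and the new `services.buildbot-worker.workerPassFile = lib.mkDefault (pkgs.writeText "buildbot-worker-password" cfg.workerPass);` line writes whatever is set through `workerPass` into the Nix store, which is world-readable on the host; the option description says nothing about this. The commit keeps that shape, so this is a documentation point rather than a regression. Consider extending the description to `Specifies the Buildbot Worker password. The value is copied into the world-readable Nix store; use workerPassFile for a real secret.` The `config = lib.mkIf cfg.enable {` block this hunk opens continues past the end of the hunk.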
@@ -167,10 +163,10 @@ in { preStart = '' mkdir -vp "${cfg.buildbotDir}/info" - ${optionalString (cfg.hostMessage != null) '' + ${lib.optionalString (cfg.hostMessage != null) '' ln -sf "${pkgs.writeText "buildbot-worker-host" cfg.hostMessage}" "${cfg.buildbotDir}/info/host" ''} - ${optionalString (cfg.adminMessage != null) '' + ${lib.optionalString (cfg.adminMessage != null) '' ln -sf "${pkgs.writeText "buildbot-worker-admin" cfg.adminMessage}" "${cfg.buildbotDir}/info/admin" ''} ''; diff --git a/nixos/modules/services/continuous-integration/github-runner/options.nix b/nixos/modules/services/continuous-integration/github-runner/options.nix index 6ace6a1b187fc..db8bba499de70 100644 --- a/nixos/modules/services/continuous-integration/github-runner/options.nix +++ b/nixos/modules/services/continuous-integration/github-runner/options.nix @@ -2,10 +2,8 @@ , pkgs , ... }: - -with lib; { - options.services.github-runners = mkOption { + options.services.github-runners = lib.mkOption { description = '' Multiple GitHub Runners. ''; @@ -25,9 +23,9 @@ with lib; }; }; default = { }; - type = types.attrsOf (types.submodule ({ name, ... }: { + type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: { options = { - enable = mkOption { + enable = lib.mkOption { default = false; example = true; description = '' @@ -36,11 +34,11 @@ with lib; Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here: [About self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners). ''; - type = types.bool; + type = lib.types.bool; }; - url = mkOption { - type = types.str; + url = lib.mkOption { + type = lib.types.str; description = '' Repository to add the runner to. @@ -57,8 +55,8 @@ with lib; example = "https://github.com/nixos/nixpkgs"; }; - tokenFile = mkOption { - type = types.path; + tokenFile = lib.mkOption { + type = lib.types.path; description = '' The full path to a file which contains either 
@@ -100,8 +98,8 @@ with lib; example = "/run/secrets/github-runner/nixos.token"; }; - name = mkOption { - type = types.nullOr types.str; + name = lib.mkOption { + type = lib.types.nullOr lib.types.str; description = '' Name of the runner to configure. If null, defaults to the hostname. @@ -111,8 +109,8 @@ with lib; default = name; }; - runnerGroup = mkOption { - type = types.nullOr types.str; + runnerGroup = lib.mkOption { + type = lib.types.nullOr lib.types.str; description = '' Name of the runner group to add this runner to (defaults to the default runner group). @@ -121,19 +119,19 @@ with lib; default = null; }; - extraLabels = mkOption { - type = types.listOf types.str; + extraLabels = lib.mkOption { + type = lib.types.listOf lib.types.str; description = '' Extra labels in addition to the default (unless disabled through the `noDefaultLabels` option). Changing this option triggers a new runner registration. ''; - example = literalExpression ''[ "nixos" ]''; + example = lib.literalExpression ''[ "nixos" ]''; default = [ ]; }; - noDefaultLabels = mkOption { - type = types.bool; + noDefaultLabels = lib.mkOption { + type = lib.types.bool; description = '' Disables adding the default labels. Also see the `extraLabels` option. @@ -142,8 +140,8 @@ with lib; default = false; }; - replace = mkOption { - type = types.bool; + replace = lib.mkOption { + type = lib.types.bool; description = '' Replace any existing runner with the same name. @@ -152,16 +150,16 @@ with lib; default = false; }; - extraPackages = mkOption { - type = types.listOf types.package; + extraPackages = lib.mkOption { + type = lib.types.listOf lib.types.package; description = '' Extra packages to add to `PATH` of the service to make them available to workflows. ''; default = [ ]; }; - extraEnvironment = mkOption { - type = types.attrs; + extraEnvironment = lib.mkOption { + type = lib.types.attrs; description = '' Extra environment variables to set for the runner, as an attrset. ''; 
@@ -171,8 +169,8 @@ with lib; default = { }; }; - serviceOverrides = mkOption { - type = types.attrs; + serviceOverrides = lib.mkOption { + type = lib.types.attrs; description = '' Modify the systemd service. Can be used to, e.g., adjust the sandboxing options. See {manpage}`systemd.exec(5)` for more options. @@ -184,10 +182,10 @@ with lib; default = { }; }; - package = mkPackageOption pkgs "github-runner" { }; + package = lib.mkPackageOption pkgs "github-runner" { }; - ephemeral = mkOption { - type = types.bool; + ephemeral = lib.mkOption { + type = lib.types.bool; description = '' If enabled, causes the following behavior: @@ -206,8 +204,8 @@ with lib; default = false; }; - user = mkOption { - type = types.nullOr types.str; + user = lib.mkOption { + type = lib.types.nullOr lib.types.str; description = '' User under which to run the service. @@ -217,11 +215,11 @@ with lib; Also see the `group` option for an overview on the effects of the `user` and `group` settings. ''; default = null; - defaultText = literalExpression "username"; + defaultText = lib.literalExpression "username"; }; - group = mkOption { - type = types.nullOr types.str; + group = lib.mkOption { + type = lib.types.nullOr lib.types.str; description = '' Group under which to run the service. @@ -236,11 +234,11 @@ with lib; but run as root implicitly. If this is really what you want, set `user = "root"` explicitly. ''; default = null; - defaultText = literalExpression "groupname"; + defaultText = lib.literalExpression "groupname"; }; - workDir = mkOption { - type = with types; nullOr str; + workDir = lib.mkOption { + type = with lib.types; nullOr str; description = '' Working directory, available as `$GITHUB_WORKSPACE` during workflow runs and used as a default for [repository checkouts](https://github.com/actions/checkout). 
@@ -253,8 +251,8 @@ with lib; default = null; }; - nodeRuntimes = mkOption { - type = with types; nonEmptyListOf (enum [ "node20" ]); + nodeRuntimes = lib.mkOption { + type = with lib.types; nonEmptyListOf (enum [ "node20" ]); default = [ "node20" ]; description = '' List of Node.js runtimes the runner should support. diff --git a/nixos/modules/services/continuous-integration/github-runner/service.nix b/nixos/modules/services/continuous-integration/github-runner/service.nix index ab2ebb7a498dc..adeacd60c7f43 100644 --- a/nixos/modules/services/continuous-integration/github-runner/service.nix +++ b/nixos/modules/services/continuous-integration/github-runner/service.nix @@ -3,11 +3,9 @@ , pkgs , ... }: - -with lib; { - config.assertions = flatten ( - flip mapAttrsToList config.services.github-runners (name: cfg: map (mkIf cfg.enable) [ + config.assertions = lib.flatten ( + lib.flip lib.mapAttrsToList config.services.github-runners (name: cfg: map (lib.mkIf cfg.enable) [ { assertion = !cfg.noDefaultLabels || (cfg.extraLabels != [ ]); message = "`services.github-runners.${name}`: The `extraLabels` option is mandatory if `noDefaultLabels` is set"; @@ -19,9 +17,7 @@ with lib; ]) ); - config.systemd.services = - let enabledRunners = filterAttrs (_: cfg: cfg.enable) config.services.github-runners; - in (flip mapAttrs' enabledRunners (name: cfg: + config.systemd.services = (lib.flip lib.mapAttrs' config.services.github-runners (name: cfg: let svcName = "github-runner-${name}"; systemdDir = "github-runner/${name}"; 
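Review bot: The `@@ -19,9 +17,7 @@` hunk in service.nix drops the `enabledRunners = filterAttrs (_: cfg: cfg.enable)` intermediate and maps over all of `config.services.github-runners`, so a runner with `enable = false` still gets a `github-runner-<name>` systemd unit unless a `lib.mkIf cfg.enable` is applied to the unit body somewhere outside this hunk, which I cannot see here. That would be a behaviour change a `with lib;` removal should not carry, and the assertions hunk just above still wraps each assertion in `map (lib.mkIf cfg.enable)`, so the two no longer agree. If the filtering is meant to stay, keep it inline: `config.systemd.services = (lib.flip lib.mapAttrs' (lib.filterAttrs (_: cfg: cfg.enable) config.services.github-runners) (name: cfg:`. The `let` block this hunk opens continues outside the hunk.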
@@ -37,9 +33,9 @@ with lib; workDir = if cfg.workDir == null then runtimeDir else cfg.workDir; # Support old github-runner versions which don't have the `nodeRuntimes` arg yet. - package = cfg.package.override (old: optionalAttrs (hasAttr "nodeRuntimes" old) { inherit (cfg) nodeRuntimes; }); + package = cfg.package.override (old: lib.optionalAttrs (lib.hasAttr "nodeRuntimes" old) { inherit (cfg) nodeRuntimes; }); in - nameValuePair svcName { + lib.nameValuePair svcName { description = "GitHub Actions runner"; wantedBy = [ "multi-user.target" ]; @@ -61,7 +57,7 @@ with lib; config.nix.package ] ++ cfg.extraPackages; - serviceConfig = mkMerge [ + serviceConfig = lib.mkMerge [ { ExecStart = "${package}/bin/Runner.Listener run --startuptype service"; @@ -90,7 +86,7 @@ with lib; ${lines} ''; - runnerRegistrationConfig = getAttrs [ + runnerRegistrationConfig = lib.getAttrs [ "ephemeral" "extraLabels" "name" @@ -114,9 +110,9 @@ with lib; unconfigureRunner = writeScript "unconfigure" '' copy_tokens() { # Copy the configured token file to the state dir and allow the service user to read the file - install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}" + install --mode=666 ${lib.escapeShellArg cfg.tokenFile} "${newConfigTokenPath}" # Also copy current file to allow for a diff on the next start - install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}" + install --mode=600 ${lib.escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}" } clean_state() { find "$STATE_DIRECTORY/" -mindepth 1 -delete 
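Review bot: In the `@@ -114,9 +110,9 @@` hunk, `install --mode=666 ${lib.escapeShellArg cfg.tokenFile} "${newConfigTokenPath}"` copies the registration token or PAT with read and write permission for every user, while the comment only says the service user must be able to read it. Whether that is acceptable depends on the mode of `$STATE_DIRECTORY` itself, which is not visible in this hunk; if the directory is what protects the file, the comment should say so, e.g. `# Mode 666 is acceptable only because $STATE_DIRECTORY is not world-accessible; the service user must be able to read it`, otherwise a narrower mode (or handing ownership to the service user) is the safer default. The commit does not change this line's behaviour, and the `unconfigureRunner` script continues past the end of the hunk.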
@@ -130,7 +126,7 @@ with lib; || changed=1 # Also check the content of the token file [[ -f "${currentConfigTokenPath}" ]] \ - && ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \ + && ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${lib.escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \ || changed=1 # If the config has changed, remove old state and copy tokens if [[ "$changed" -eq 1 ]]; then @@ -140,7 +136,7 @@ with lib; clean_state fi } - if [[ "${optionalString cfg.ephemeral "1"}" ]]; then + if [[ "${lib.optionalString cfg.ephemeral "1"}" ]]; then # In ephemeral mode, we always want to start with a clean state clean_state elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then @@ -161,13 +157,13 @@ with lib; --unattended --disableupdate --work "$WORK_DIRECTORY" - --url ${escapeShellArg cfg.url} - --labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)} - ${optionalString (cfg.name != null ) "--name ${escapeShellArg cfg.name}"} - ${optionalString cfg.replace "--replace"} - ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} - ${optionalString cfg.ephemeral "--ephemeral"} - ${optionalString cfg.noDefaultLabels "--no-default-labels"} + --url ${lib.escapeShellArg cfg.url} + --labels ${lib.escapeShellArg (lib.concatStringsSep "," cfg.extraLabels)} + ${lib.optionalString (cfg.name != null ) "--name ${lib.escapeShellArg cfg.name}"} + ${lib.optionalString cfg.replace "--replace"} + ${lib.optionalString (cfg.runnerGroup != null) "--runnergroup ${lib.escapeShellArg cfg.runnerGroup}"} + ${lib.optionalString cfg.ephemeral "--ephemeral"} + ${lib.optionalString cfg.noDefaultLabels "--no-default-labels"} ) # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option, # if it is not a PAT, we assume it contains a registration token and use the --token option 
@@ -196,7 +192,7 @@ with lib; ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$WORK_DIRECTORY/" ''; in - map (x: "${x} ${escapeShellArgs [ stateDir workDir logsDir ]}") [ + map (x: "${x} ${lib.escapeShellArgs [ stateDir workDir logsDir ]}") [ "+${unconfigureRunner}" # runs as root configureRunner setupWorkDir 
@@ -230,30 +226,30 @@ with lib; # Hardening (may overlap with DynamicUser=) # The following options are only for optimizing: # systemd-analyze security github-runner - AmbientCapabilities = mkBefore [ "" ]; - CapabilityBoundingSet = mkBefore [ "" ]; + AmbientCapabilities = lib.mkBefore [ "" ]; + CapabilityBoundingSet = lib.mkBefore [ "" ]; # ProtectClock= adds DeviceAllow=char-rtc r - DeviceAllow = mkBefore [ "" ]; - NoNewPrivileges = mkDefault true; - PrivateDevices = mkDefault true; - PrivateMounts = mkDefault true; - PrivateTmp = mkDefault true; - PrivateUsers = mkDefault true; - ProtectClock = mkDefault true; - ProtectControlGroups = mkDefault true; - ProtectHome = mkDefault true; - ProtectHostname = mkDefault true; - ProtectKernelLogs = mkDefault true; - ProtectKernelModules = mkDefault true; - ProtectKernelTunables = mkDefault true; - ProtectSystem = mkDefault "strict"; - RemoveIPC = mkDefault true; - RestrictNamespaces = mkDefault true; - RestrictRealtime = mkDefault true; - RestrictSUIDSGID = mkDefault true; - UMask = mkDefault "0066"; - ProtectProc = mkDefault "invisible"; - SystemCallFilter = mkBefore [ + DeviceAllow = lib.mkBefore [ "" ]; + NoNewPrivileges = lib.mkDefault true; + PrivateDevices = lib.mkDefault true; + PrivateMounts = lib.mkDefault true; + PrivateTmp = lib.mkDefault true; + PrivateUsers = lib.mkDefault true; + ProtectClock = lib.mkDefault true; + ProtectControlGroups = lib.mkDefault true; + ProtectHome = lib.mkDefault true; + ProtectHostname = lib.mkDefault true; + ProtectKernelLogs = lib.mkDefault true; + ProtectKernelModules = lib.mkDefault true; + ProtectKernelTunables = lib.mkDefault true; + ProtectSystem = lib.mkDefault "strict"; + RemoveIPC = lib.mkDefault true; + RestrictNamespaces = lib.mkDefault true; + RestrictRealtime = lib.mkDefault true; + RestrictSUIDSGID = lib.mkDefault true; + UMask = lib.mkDefault "0066"; + ProtectProc = lib.mkDefault "invisible"; + SystemCallFilter = lib.mkBefore [ "~@clock" "~@cpu-emulation" "~@module" 
@@ -265,33 +261,33 @@ with lib; "~setdomainname" "~sethostname" ]; - RestrictAddressFamilies = mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; + RestrictAddressFamilies = lib.mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ]; # Needs network access - PrivateNetwork = mkDefault false; + PrivateNetwork = lib.mkDefault false; # Cannot be true due to Node - MemoryDenyWriteExecute = mkDefault false; + MemoryDenyWriteExecute = lib.mkDefault false; # The more restrictive "pid" option makes `nix` commands in CI emit # "GC Warning: Couldn't read /proc/stat" # You may want to set this to "pid" if not using `nix` commands - ProcSubset = mkDefault "all"; + ProcSubset = lib.mkDefault "all"; # Coverage programs for compiled code such as `cargo-tarpaulin` disable # ASLR (address space layout randomization) which requires the # `personality` syscall # You may want to set this to `true` if not using coverage tooling on # compiled code - LockPersonality = mkDefault false; + LockPersonality = lib.mkDefault false; - DynamicUser = mkDefault true; + DynamicUser = lib.mkDefault true; } - (mkIf (cfg.user != null) { + (lib.mkIf (cfg.user != null) { DynamicUser = false; User = cfg.user; }) - (mkIf (cfg.group != null) { + (lib.mkIf (cfg.group != null) { DynamicUser = false; Group = cfg.group; }) diff --git a/nixos/modules/services/continuous-integration/gocd-agent/default.nix b/nixos/modules/services/continuous-integration/gocd-agent/default.nix index 0e61b253f17ee..0846c466e22a4 100644 --- a/nixos/modules/services/continuous-integration/gocd-agent/default.nix +++ b/nixos/modules/services/continuous-integration/gocd-agent/default.nix 
@@ -1,34 +1,31 @@ { config, lib, options, pkgs, ... }: - -with lib; - let cfg = config.services.gocd-agent; opt = options.services.gocd-agent; in { options = { services.gocd-agent = { - enable = mkEnableOption "gocd-agent"; + enable = lib.mkEnableOption "gocd-agent"; - user = mkOption { + user = lib.mkOption { default = "gocd-agent"; - type = types.str; + type = lib.types.str; description = '' User the Go.CD agent should execute under. ''; }; - group = mkOption { + group = lib.mkOption { default = "gocd-agent"; - type = types.str; + type = lib.types.str; description = '' If the default user "gocd-agent" is configured then this is the primary group of that user. ''; }; - extraGroups = mkOption { - type = types.listOf types.str; + extraGroups = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ ]; example = [ "wheel" "docker" ]; description = '' @@ -36,18 +33,18 @@ in { ''; }; - packages = mkOption { + packages = lib.mkOption { default = [ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ]; - defaultText = literalExpression "[ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ]"; - type = types.listOf types.package; + defaultText = lib.literalExpression "[ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ]"; + type = lib.types.listOf lib.types.package; description = '' Packages to add to PATH for the Go.CD agent process. ''; }; - agentConfig = mkOption { + agentConfig = lib.mkOption { default = ""; - type = types.str; + type = lib.types.str; example = '' agent.auto.register.resources=ant,java agent.auto.register.environments=QA,Performance 
@@ -58,40 +55,40 @@ in { ''; }; - goServer = mkOption { + goServer = lib.mkOption { default = "https://127.0.0.1:8154/go"; - type = types.str; + type = lib.types.str; description = '' URL of the GoCD Server to attach the Go.CD Agent to. ''; }; - workDir = mkOption { + workDir = lib.mkOption { default = "/var/lib/go-agent"; - type = types.str; + type = lib.types.str; description = '' Specifies the working directory in which the Go.CD agent java archive resides. ''; }; - initialJavaHeapSize = mkOption { + initialJavaHeapSize = lib.mkOption { default = "128m"; - type = types.str; + type = lib.types.str; description = '' Specifies the initial java heap memory size for the Go.CD agent java process. ''; }; - maxJavaHeapMemory = mkOption { + maxJavaHeapMemory = lib.mkOption { default = "256m"; - type = types.str; + type = lib.types.str; description = '' Specifies the java maximum heap memory size for the Go.CD agent java process. ''; }; - startupOptions = mkOption { - type = types.listOf types.str; + startupOptions = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ "-Xms${cfg.initialJavaHeapSize}" "-Xmx${cfg.maxJavaHeapMemory}" @@ -99,7 +96,7 @@ in { "-Dcruise.console.publish.interval=10" "-Djava.security.egd=file:/dev/./urandom" ]; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' [ "-Xms''${config.${opt.initialJavaHeapSize}}" "-Xmx''${config.${opt.maxJavaHeapMemory}}" @@ -114,9 +111,9 @@ in { ''; }; - extraOptions = mkOption { + extraOptions = lib.mkOption { default = [ ]; - type = types.listOf types.str; + type = lib.types.listOf lib.types.str; example = [ "-X debug" "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006" 
@@ -133,9 +130,9 @@ in { ''; }; - environment = mkOption { + environment = lib.mkOption { default = { }; - type = with types; attrsOf str; + type = with lib.types; attrsOf str; description = '' Additional environment variables to be passed to the Go.CD agent process. As a base environment, Go.CD agent receives NIX_PATH from @@ -146,12 +143,12 @@ in { }; }; - config = mkIf cfg.enable { - users.groups = optionalAttrs (cfg.group == "gocd-agent") { + config = lib.mkIf cfg.enable { + users.groups = lib.optionalAttrs (cfg.group == "gocd-agent") { gocd-agent.gid = config.ids.gids.gocd-agent; }; - users.users = optionalAttrs (cfg.user == "gocd-agent") { + users.users = lib.optionalAttrs (cfg.user == "gocd-agent") { gocd-agent = { description = "gocd-agent user"; createHome = true; @@ -178,7 +175,7 @@ in { { NIX_REMOTE = "daemon"; AGENT_WORK_DIR = cfg.workDir; - AGENT_STARTUP_ARGS = ''${concatStringsSep " " cfg.startupOptions}''; + AGENT_STARTUP_ARGS = ''${lib.concatStringsSep " " cfg.startupOptions}''; LOG_DIR = cfg.workDir; LOG_FILE = "${cfg.workDir}/go-agent-start.log"; } // @@ -201,8 +198,8 @@ in { ln -s "${pkgs.writeText "autoregister.properties" cfg.agentConfig}" config/autoregister.properties ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt - ${pkgs.jre}/bin/java ${concatStringsSep " " cfg.startupOptions} \ - ${concatStringsSep " " cfg.extraOptions} \ + ${pkgs.jre}/bin/java ${lib.concatStringsSep " " cfg.startupOptions} \ + ${lib.concatStringsSep " " cfg.extraOptions} \ -jar ${pkgs.gocd-agent}/go-agent/agent-bootstrapper.jar \ -serverUrl ${cfg.goServer} ''; diff --git a/nixos/modules/services/continuous-integration/jenkins/slave.nix b/nixos/modules/services/continuous-integration/jenkins/slave.nix index d5a6b93a6cf8d..60782b9d255a8 100644 --- a/nixos/modules/services/continuous-integration/jenkins/slave.nix +++ b/nixos/modules/services/continuous-integration/jenkins/slave.nix 
@@ -1,5 +1,4 @@ { config, lib, pkgs, ... }: - let inherit (lib) mkIf mkOption types; cfg = config.services.jenkinsSlave; @@ -12,8 +11,8 @@ in { # enable ssh slaves. # * Optionally configure the node as a jenkins ad-hoc slave. This would imply configuration # properties for the master node. - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' If true the system will be configured to work as a jenkins slave. @@ -22,26 +21,26 @@ in { ''; }; - user = mkOption { + user = lib.mkOption { default = "jenkins"; - type = types.str; + type = lib.types.str; description = '' User the jenkins slave agent should execute under. ''; }; - group = mkOption { + group = lib.mkOption { default = "jenkins"; - type = types.str; + type = lib.types.str; description = '' If the default slave agent user "jenkins" is configured then this is the primary group of that user. ''; }; - home = mkOption { + home = lib.mkOption { default = "/var/lib/jenkins"; - type = types.path; + type = lib.types.path; description = '' The path to use as JENKINS_HOME. If the default user "jenkins" is configured then this is the home of the "jenkins" user. @@ -52,7 +51,7 @@ in { }; }; - config = mkIf (cfg.enable && !masterCfg.enable) { + config = lib.mkIf (cfg.enable && !masterCfg.enable) { users.groups = lib.optionalAttrs (cfg.group == "jenkins") { jenkins.gid = config.ids.gids.jenkins; }; diff --git a/nixos/modules/services/databases/aerospike.nix b/nixos/modules/services/databases/aerospike.nix index 676341084acb6..6608d105a339f 100644 --- a/nixos/modules/services/databases/aerospike.nix +++ b/nixos/modules/services/databases/aerospike.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.aerospike; 
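Review bot: In the `@@ -1,5 +1,4 @@` hunk of jenkins/slave.nix, the `inherit (lib) mkIf mkOption types;` binding in the `let` block is kept while every use site this commit touches now goes through `lib.mkOption`, `lib.types.*` and `lib.mkIf`, so as far as the visible hunks show the inherit is now dead. If no other use of the bare names remains in the file, drop the line `inherit (lib) mkIf mkOption types;` so the file follows the single convention the commit is introducing; leaving both forms in place invites the next edit to mix them again.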
@@ -39,18 +36,18 @@ in options = { services.aerospike = { - enable = mkEnableOption "Aerospike server"; + enable = lib.mkEnableOption "Aerospike server"; - package = mkPackageOption pkgs "aerospike" { }; + package = lib.mkPackageOption pkgs "aerospike" { }; - workDir = mkOption { - type = types.str; + workDir = lib.mkOption { + type = lib.types.str; default = "/var/lib/aerospike"; description = "Location where Aerospike stores its files"; }; - networkConfig = mkOption { - type = types.lines; + networkConfig = lib.mkOption { + type = lib.types.lines; default = '' service { address any @@ -78,8 +75,8 @@ in description = "network section of configuration file"; }; - extraConfig = mkOption { - type = types.lines; + extraConfig = lib.mkOption { + type = lib.types.lines; default = ""; example = '' namespace test { @@ -98,7 +95,7 @@ in ###### implementation - config = mkIf config.services.aerospike.enable { + config = lib.mkIf config.services.aerospike.enable { users.users.aerospike = { name = "aerospike"; @@ -109,8 +106,8 @@ in users.groups.aerospike.gid = config.ids.gids.aerospike; boot.kernel.sysctl = { - "net.core.rmem_max" = mkDefault 15728640; - "net.core.wmem_max" = mkDefault 5242880; + "net.core.rmem_max" = lib.mkDefault 15728640; + "net.core.wmem_max" = lib.mkDefault 5242880; }; systemd.services.aerospike = rec { diff --git a/nixos/modules/services/databases/clickhouse.nix b/nixos/modules/services/databases/clickhouse.nix index 37a1fe5d5b6ce..2b7dd663d0ed1 100644 --- a/nixos/modules/services/databases/clickhouse.nix +++ b/nixos/modules/services/databases/clickhouse.nix @@ -2,18 +2,16 @@ let cfg = config.services.clickhouse; in -with lib; { - ###### interface options = { services.clickhouse = { - enable = mkEnableOption "ClickHouse database server"; + enable = lib.mkEnableOption "ClickHouse database server"; - package = mkPackageOption pkgs "clickhouse" { }; + package = lib.mkPackageOption pkgs "clickhouse" { }; }; 
@@ -22,7 +20,7 @@ with lib; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { users.users.clickhouse = { name = "clickhouse"; @@ -71,7 +69,7 @@ with lib; environment.systemPackages = [ cfg.package ]; # startup requires a `/etc/localtime` which only if exists if `time.timeZone != null` - time.timeZone = mkDefault "UTC"; + time.timeZone = lib.mkDefault "UTC"; }; diff --git a/nixos/modules/services/databases/cockroachdb.nix b/nixos/modules/services/databases/cockroachdb.nix index 34e4e8760742f..9d466461c9a51 100644 --- a/nixos/modules/services/databases/cockroachdb.nix +++ b/nixos/modules/services/databases/cockroachdb.nix @@ -1,12 +1,9 @@ { config, lib, pkgs, utils, ... }: - -with lib; - let cfg = config.services.cockroachdb; crdb = cfg.package; - startupCommand = utils.escapeSystemdExecArgs + startupCommand = utils.lib.escapeSystemdExecArgs ([ # Basic startup "${crdb}/bin/cockroach" @@ -32,14 +29,14 @@ let ++ cfg.extraArgs); addressOption = descr: defaultPort: { - address = mkOption { - type = types.str; + address = lib.mkOption { + type = lib.types.str; default = "localhost"; description = "Address to bind to for ${descr}"; }; - port = mkOption { - type = types.port; + port = lib.mkOption { + type = lib.types.port; default = defaultPort; description = "Port to bind to for ${descr}"; }; @@ -49,14 +46,14 @@ in { options = { services.cockroachdb = { - enable = mkEnableOption "CockroachDB Server"; + enable = lib.mkEnableOption "CockroachDB Server"; listen = addressOption "intra-cluster communication" 26257; http = addressOption "http-based Admin UI" 8080; - locality = mkOption { - type = types.nullOr types.str; + locality = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; description = '' An ordered, comma-separated list of key-value pairs that describe the 
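Review bot: In the cockroachdb `@@ -1,12 +1,9 @@` hunk, `startupCommand = utils.lib.escapeSystemdExecArgs` changes the attribute path of the helper rather than just adding a prefix: the old line called `utils.escapeSystemdExecArgs`, and the inserted `lib.` looks like an artefact of the automated rewrite rather than an intended move. Please confirm that the `utils` module argument actually exposes a `lib` attribute holding this function; if it does not, module evaluation fails at build time on `startupCommand`, which feeds the unit's ExecStart outside this hunk. The line I would expect is `startupCommand = utils.escapeSystemdExecArgs`.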
@@ -77,44 +74,44 @@ in ''; }; - join = mkOption { - type = types.nullOr types.str; + join = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; description = "The addresses for connecting the node to a cluster."; }; - insecure = mkOption { - type = types.bool; + insecure = lib.mkOption { + type = lib.types.bool; default = false; description = "Run in insecure mode."; }; - certsDir = mkOption { - type = types.nullOr types.path; + certsDir = lib.mkOption { + type = lib.types.nullOr lib.types.path; default = null; description = "The path to the certificate directory."; }; - user = mkOption { - type = types.str; + user = lib.mkOption { + type = lib.types.str; default = "cockroachdb"; description = "User account under which CockroachDB runs"; }; - group = mkOption { - type = types.str; + group = lib.mkOption { + type = lib.types.str; default = "cockroachdb"; description = "User account under which CockroachDB runs"; }; - openPorts = mkOption { - type = types.bool; + openPorts = lib.mkOption { + type = lib.types.bool; default = false; description = "Open firewall ports for cluster communication by default"; }; - cache = mkOption { - type = types.str; + cache = lib.mkOption { + type = lib.types.str; default = "25%"; description = '' The total size for caches. @@ -129,8 +126,8 @@ in ''; }; - maxSqlMemory = mkOption { - type = types.str; + maxSqlMemory = lib.mkOption { + type = lib.types.str; default = "25%"; description = '' The maximum in-memory storage capacity available to store temporary @@ -145,7 +142,7 @@ in ''; }; - package = mkPackageOption pkgs "cockroachdb" { + package = lib.mkPackageOption pkgs "cockroachdb" { extraDescription = '' This would primarily be useful to enable Enterprise Edition features in your own custom CockroachDB build (Nixpkgs CockroachDB binaries 
@@ -153,8 +150,8 @@ in ''; }; - extraArgs = mkOption { - type = types.listOf types.str; + extraArgs = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; example = [ "--advertise-addr" "[fe80::f6f2:::]" ]; description = '' @@ -165,7 +162,7 @@ in }; }; - config = mkIf config.services.cockroachdb.enable { + config = lib.mkIf config.services.cockroachdb.enable { assertions = [ { assertion = !cfg.insecure -> cfg.certsDir != null; message = "CockroachDB must have a set of SSL certificates (.certsDir), or run in Insecure Mode (.insecure = true)"; @@ -174,7 +171,7 @@ in environment.systemPackages = [ crdb ]; - users.users = optionalAttrs (cfg.user == "cockroachdb") { + users.users = lib.optionalAttrs (cfg.user == "cockroachdb") { cockroachdb = { description = "CockroachDB Server User"; uid = config.ids.uids.cockroachdb; @@ -182,7 +179,7 @@ in }; }; - users.groups = optionalAttrs (cfg.group == "cockroachdb") { + users.groups = lib.optionalAttrs (cfg.group == "cockroachdb") { cockroachdb.gid = config.ids.gids.cockroachdb; }; diff --git a/nixos/modules/services/databases/memcached.nix b/nixos/modules/services/databases/memcached.nix index 7a3afc5efafcf..29da763e5751b 100644 --- a/nixos/modules/services/databases/memcached.nix +++ b/nixos/modules/services/databases/memcached.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.memcached; 
@@ -17,42 +14,42 @@ in options = { services.memcached = { - enable = mkEnableOption "Memcached"; + enable = lib.mkEnableOption "Memcached"; - user = mkOption { - type = types.str; + user = lib.mkOption { + type = lib.types.str; default = "memcached"; description = "The user to run Memcached as"; }; - listen = mkOption { - type = types.str; + listen = lib.mkOption { + type = lib.types.str; default = "127.0.0.1"; description = "The IP address to bind to."; }; - port = mkOption { - type = types.port; + port = lib.mkOption { + type = lib.types.port; default = 11211; description = "The port to bind to."; }; - enableUnixSocket = mkEnableOption "Unix Domain Socket at /run/memcached/memcached.sock instead of listening on an IP address and port. The `listen` and `port` options are ignored"; + enableUnixSocket = lib.mkEnableOption "Unix Domain Socket at /run/memcached/memcached.sock instead of listening on an IP address and port. The `listen` and `port` options are ignored"; - maxMemory = mkOption { - type = types.ints.unsigned; + maxMemory = lib.mkOption { + type = lib.types.ints.unsigned; default = 64; description = "The maximum amount of memory to use for storage, in megabytes."; }; - maxConnections = mkOption { - type = types.ints.unsigned; + maxConnections = lib.mkOption { + type = lib.types.ints.unsigned; default = 1024; description = "The maximum number of simultaneous connections."; }; - extraOptions = mkOption { - type = types.listOf types.str; + extraOptions = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = "A list of extra options that will be added as a suffix when running memcached."; }; 
@@ -62,14 +59,14 @@ in ###### implementation - config = mkIf config.services.memcached.enable { + config = lib.mkIf config.services.memcached.enable { - users.users = optionalAttrs (cfg.user == "memcached") { + users.users = lib.optionalAttrs (cfg.user == "memcached") { memcached.description = "Memcached server user"; memcached.isSystemUser = true; memcached.group = "memcached"; }; - users.groups = optionalAttrs (cfg.user == "memcached") { memcached = {}; }; + users.groups = lib.optionalAttrs (cfg.user == "memcached") { memcached = {}; }; environment.systemPackages = [ memcached ]; @@ -85,7 +82,7 @@ in networking = if cfg.enableUnixSocket then "-s /run/memcached/memcached.sock" else "-l ${cfg.listen} -p ${toString cfg.port}"; - in "${memcached}/bin/memcached ${networking} -m ${toString cfg.maxMemory} -c ${toString cfg.maxConnections} ${concatStringsSep " " cfg.extraOptions}"; + in "${memcached}/bin/memcached ${networking} -m ${toString cfg.maxMemory} -c ${toString cfg.maxConnections} ${lib.concatStringsSep " " cfg.extraOptions}"; User = cfg.user; @@ -110,7 +107,7 @@ in }; }; imports = [ - (mkRemovedOptionModule ["services" "memcached" "socket"] '' + (lib.mkRemovedOptionModule ["services" "memcached" "socket"] '' This option was replaced by a fixed unix socket path at /run/memcached/memcached.sock enabled using services.memcached.enableUnixSocket. '') ]; diff --git a/nixos/modules/services/databases/monetdb.nix b/nixos/modules/services/databases/monetdb.nix index ee24cf2b0fc20..42c9683fdb5e7 100644 --- a/nixos/modules/services/databases/monetdb.nix +++ b/nixos/modules/services/databases/monetdb.nix 
@@ -1,47 +1,44 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.monetdb; in { - meta.maintainers = with maintainers; [ StillerHarpo ]; + meta.maintainers = with lib.maintainers; [ StillerHarpo ]; ###### interface options = { services.monetdb = { - enable = mkEnableOption "the MonetDB database server"; + enable = lib.mkEnableOption "the MonetDB database server"; - package = mkPackageOption pkgs "monetdb" { }; + package = lib.mkPackageOption pkgs "monetdb" { }; - user = mkOption { - type = types.str; + user = lib.mkOption { + type = lib.types.str; default = "monetdb"; description = "User account under which MonetDB runs."; }; - group = mkOption { - type = types.str; + group = lib.mkOption { + type = lib.types.str; default = "monetdb"; description = "Group under which MonetDB runs."; }; - dataDir = mkOption { - type = types.path; + dataDir = lib.mkOption { + type = lib.types.path; default = "/var/lib/monetdb"; description = "Data directory for the dbfarm."; }; - port = mkOption { - type = types.ints.u16; + port = lib.mkOption { + type = lib.types.ints.u16; default = 50000; description = "Port to listen on."; }; - listenAddress = mkOption { - type = types.str; + listenAddress = lib.mkOption { + type = lib.types.str; default = "127.0.0.1"; example = "0.0.0.0"; description = "Address to listen on."; @@ -50,9 +47,9 @@ in { }; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { - users.users.monetdb = mkIf (cfg.user == "monetdb") { + users.users.monetdb = lib.mkIf (cfg.user == "monetdb") { uid = config.ids.uids.monetdb; group = cfg.group; description = "MonetDB user"; @@ -60,7 +57,7 @@ in { createHome = true; }; - users.groups.monetdb = mkIf (cfg.group == "monetdb") { + users.groups.monetdb = lib.mkIf (cfg.group == "monetdb") { gid = config.ids.gids.monetdb; members = [ cfg.user ]; }; 
diff --git a/nixos/modules/services/databases/mongodb.nix b/nixos/modules/services/databases/mongodb.nix index 8b8a664107f22..e3619ad3fe658 100644 --- a/nixos/modules/services/databases/mongodb.nix +++ b/nixos/modules/services/databases/mongodb.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.mongodb; @@ -11,11 +8,11 @@ let mongoCnf = cfg: pkgs.writeText "mongodb.conf" '' net.bindIp: ${cfg.bind_ip} - ${optionalString cfg.quiet "systemLog.quiet: true"} + ${lib.optionalString cfg.quiet "systemLog.quiet: true"} systemLog.destination: syslog storage.dbPath: ${cfg.dbpath} - ${optionalString cfg.enableAuth "security.authorization: enabled"} - ${optionalString (cfg.replSetName != "") "replication.replSetName: ${cfg.replSetName}"} + ${lib.optionalString cfg.enableAuth "security.authorization: enabled"} + ${lib.optionalString (cfg.replSetName != "") "replication.replSetName: ${cfg.replSetName}"} ${cfg.extraConfig} ''; 
@@ -29,54 +26,54 @@ in services.mongodb = { - enable = mkEnableOption "the MongoDB server"; + enable = lib.mkEnableOption "the MongoDB server"; - package = mkPackageOption pkgs "mongodb" { }; + package = lib.mkPackageOption pkgs "mongodb" { }; - user = mkOption { - type = types.str; + user = lib.mkOption { + type = lib.types.str; default = "mongodb"; description = "User account under which MongoDB runs"; }; - bind_ip = mkOption { - type = types.str; + bind_ip = lib.mkOption { + type = lib.types.str; default = "127.0.0.1"; description = "IP to bind to"; }; - quiet = mkOption { - type = types.bool; + quiet = lib.mkOption { + type = lib.types.bool; default = false; description = "quieter output"; }; - enableAuth = mkOption { - type = types.bool; + enableAuth = lib.mkOption { + type = lib.types.bool; default = false; description = "Enable client authentication. Creates a default superuser with username root!"; }; - initialRootPassword = mkOption { - type = types.nullOr types.str; + initialRootPassword = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; description = "Password for the root user if auth is enabled."; }; - dbpath = mkOption { - type = types.str; + dbpath = lib.mkOption { + type = lib.types.str; default = "/var/db/mongodb"; description = "Location where MongoDB stores its files"; }; - pidFile = mkOption { - type = types.str; + pidFile = lib.mkOption { + type = lib.types.str; default = "/run/mongodb.pid"; description = "Location of MongoDB pid file"; }; - replSetName = mkOption { - type = types.str; + replSetName = lib.mkOption { + type = lib.types.str; default = ""; description = '' If this instance is part of a replica set, set its name here. @@ -84,8 +81,8 @@ in ''; }; - extraConfig = mkOption { - type = types.lines; + extraConfig = lib.mkOption { + type = lib.types.lines; default = ""; example = '' storage.journal.enabled: false 
@@ -93,8 +90,8 @@ in description = "MongoDB extra configuration in YAML format"; }; - initialScript = mkOption { - type = types.nullOr types.path; + initialScript = lib.mkOption { + type = lib.types.nullOr lib.types.path; default = null; description = '' A file containing MongoDB statements to execute on first startup. @@ -107,20 +104,20 @@ in ###### implementation - config = mkIf config.services.mongodb.enable { + config = lib.mkIf config.services.mongodb.enable { assertions = [ { assertion = !cfg.enableAuth || cfg.initialRootPassword != null; message = "`enableAuth` requires `initialRootPassword` to be set."; } ]; - users.users.mongodb = mkIf (cfg.user == "mongodb") + users.users.mongodb = lib.mkIf (cfg.user == "mongodb") { name = "mongodb"; isSystemUser = true; group = "mongodb"; description = "MongoDB server user"; }; - users.groups.mongodb = mkIf (cfg.user == "mongodb") {}; + users.groups.mongodb = lib.mkIf (cfg.user == "mongodb") {}; environment.systemPackages = [ mongodb ]; @@ -177,8 +174,8 @@ in ''; postStart = '' if test -e "${cfg.dbpath}/.first_startup"; then - ${optionalString (cfg.initialScript != null) '' - ${mongodb}/bin/mongo ${optionalString (cfg.enableAuth) "-u root -p ${cfg.initialRootPassword}"} admin "${cfg.initialScript}" + ${lib.optionalString (cfg.initialScript != null) '' + ${mongodb}/bin/mongo ${lib.optionalString (cfg.enableAuth) "-u root -p ${cfg.initialRootPassword}"} admin "${cfg.initialScript}" ''} rm -f "${cfg.dbpath}/.first_startup" fi diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 43829b13c6c02..da1ee920bd18a 100644 --- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix 
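Review bot: In the `@@ -177,8 +174,8 @@` hunk, `${mongodb}/bin/mongo ${lib.optionalString (cfg.enableAuth) "-u root -p ${cfg.initialRootPassword}"} admin "${cfg.initialScript}"` interpolates the root password unquoted into a shell word, so a password containing whitespace or shell metacharacters is split or interpreted instead of passed through; writing it as `-p ${lib.escapeShellArg cfg.initialRootPassword}` fixes that. Independently, because `initialRootPassword` is declared as a plain string option earlier in the file, the password ends up in the world-readable Nix store and in the process argument list; that is pre-existing and the commit only re-prefixes the line, but the option description could at least state it. This hunk covers only the first-startup branch of postStart; the rest of the script is outside it.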
@@ -1,52 +1,49 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.redis; mkValueString = value: if value == true then "yes" else if value == false then "no" - else generators.mkValueStringDefault { } value; + else lib.generators.mkValueStringDefault { } value; - redisConfig = settings: pkgs.writeText "redis.conf" (generators.toKeyValue { + redisConfig = settings: pkgs.writeText "redis.conf" (lib.generators.toKeyValue { listsAsDuplicateKeys = true; - mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } " "; + mkKeyValue = lib.generators.mkKeyValueDefault { inherit mkValueString; } " "; } settings); - redisName = name: "redis" + optionalString (name != "") ("-"+name); - enabledServers = filterAttrs (name: conf: conf.enable) config.services.redis.servers; + redisName = name: "redis" + lib.optionalString (name != "") ("-"+name); + enabledServers = lib.filterAttrs (name: conf: conf.enable) config.services.redis.servers; in { imports = [ - (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.") - (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") - (mkRemovedOptionModule [ "services" "redis" "dbFilename" ] "The redis module now uses /var/lib/redis/dump.rdb as database dump location.") - (mkRemovedOptionModule [ "services" "redis" "appendOnlyFilename" ] "This option was never used.") - (mkRemovedOptionModule [ "services" "redis" "pidFile" ] "This option was removed.") - (mkRemovedOptionModule [ "services" "redis" "extraConfig" ] "Use services.redis.servers.*.settings instead.") - (mkRenamedOptionModule [ "services" "redis" "enable"] [ "services" "redis" "servers" "" "enable" ]) - (mkRenamedOptionModule [ "services" "redis" "port"] [ "services" "redis" "servers" "" "port" ]) - (mkRenamedOptionModule [ "services" "redis" "openFirewall"] [ "services" "redis" "servers" "" "openFirewall" ]) - (mkRenamedOptionModule [ 
"services" "redis" "bind"] [ "services" "redis" "servers" "" "bind" ]) - (mkRenamedOptionModule [ "services" "redis" "unixSocket"] [ "services" "redis" "servers" "" "unixSocket" ]) - (mkRenamedOptionModule [ "services" "redis" "unixSocketPerm"] [ "services" "redis" "servers" "" "unixSocketPerm" ]) - (mkRenamedOptionModule [ "services" "redis" "logLevel"] [ "services" "redis" "servers" "" "logLevel" ]) - (mkRenamedOptionModule [ "services" "redis" "logfile"] [ "services" "redis" "servers" "" "logfile" ]) - (mkRenamedOptionModule [ "services" "redis" "syslog"] [ "services" "redis" "servers" "" "syslog" ]) - (mkRenamedOptionModule [ "services" "redis" "databases"] [ "services" "redis" "servers" "" "databases" ]) - (mkRenamedOptionModule [ "services" "redis" "maxclients"] [ "services" "redis" "servers" "" "maxclients" ]) - (mkRenamedOptionModule [ "services" "redis" "save"] [ "services" "redis" "servers" "" "save" ]) - (mkRenamedOptionModule [ "services" "redis" "slaveOf"] [ "services" "redis" "servers" "" "slaveOf" ]) - (mkRenamedOptionModule [ "services" "redis" "masterAuth"] [ "services" "redis" "servers" "" "masterAuth" ]) - (mkRenamedOptionModule [ "services" "redis" "requirePass"] [ "services" "redis" "servers" "" "requirePass" ]) - (mkRenamedOptionModule [ "services" "redis" "requirePassFile"] [ "services" "redis" "servers" "" "requirePassFile" ]) - (mkRenamedOptionModule [ "services" "redis" "appendOnly"] [ "services" "redis" "servers" "" "appendOnly" ]) - (mkRenamedOptionModule [ "services" "redis" "appendFsync"] [ "services" "redis" "servers" "" "appendFsync" ]) - (mkRenamedOptionModule [ "services" "redis" "slowLogLogSlowerThan"] [ "services" "redis" "servers" "" "slowLogLogSlowerThan" ]) - (mkRenamedOptionModule [ "services" "redis" "slowLogMaxLen"] [ "services" "redis" "servers" "" "slowLogMaxLen" ]) - (mkRenamedOptionModule [ "services" "redis" "settings"] [ "services" "redis" "servers" "" "settings" ]) + (lib.mkRemovedOptionModule [ "services" "redis" 
"user" ] "The redis module now is hardcoded to the redis user.") + (lib.mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") + (lib.mkRemovedOptionModule [ "services" "redis" "dbFilename" ] "The redis module now uses /var/lib/redis/dump.rdb as database dump location.") + (lib.mkRemovedOptionModule [ "services" "redis" "appendOnlyFilename" ] "This option was never used.") + (lib.mkRemovedOptionModule [ "services" "redis" "pidFile" ] "This option was removed.") + (lib.mkRemovedOptionModule [ "services" "redis" "extraConfig" ] "Use services.redis.servers.*.settings instead.") + (lib.mkRenamedOptionModule [ "services" "redis" "enable"] [ "services" "redis" "servers" "" "enable" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "port"] [ "services" "redis" "servers" "" "port" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "openFirewall"] [ "services" "redis" "servers" "" "openFirewall" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "bind"] [ "services" "redis" "servers" "" "bind" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "unixSocket"] [ "services" "redis" "servers" "" "unixSocket" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "unixSocketPerm"] [ "services" "redis" "servers" "" "unixSocketPerm" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "logLevel"] [ "services" "redis" "servers" "" "logLevel" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "logfile"] [ "services" "redis" "servers" "" "logfile" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "syslog"] [ "services" "redis" "servers" "" "syslog" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "databases"] [ "services" "redis" "servers" "" "databases" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "maxclients"] [ "services" "redis" "servers" "" "maxclients" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "save"] [ "services" "redis" "servers" "" "save" ]) + (lib.mkRenamedOptionModule [ 
"services" "redis" "slaveOf"] [ "services" "redis" "servers" "" "slaveOf" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "masterAuth"] [ "services" "redis" "servers" "" "masterAuth" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "requirePass"] [ "services" "redis" "servers" "" "requirePass" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "requirePassFile"] [ "services" "redis" "servers" "" "requirePassFile" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "appendOnly"] [ "services" "redis" "servers" "" "appendOnly" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "appendFsync"] [ "services" "redis" "servers" "" "appendFsync" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "slowLogLogSlowerThan"] [ "services" "redis" "servers" "" "slowLogLogSlowerThan" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "slowLogMaxLen"] [ "services" "redis" "servers" "" "slowLogMaxLen" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "settings"] [ "services" "redis" "servers" "" "settings" ]) ]; ###### interface @@ -54,22 +51,22 @@ in { options = { services.redis = { - package = mkPackageOption pkgs "redis" { }; + package = lib.mkPackageOption pkgs "redis" { }; - vmOverCommit = mkEnableOption '' + vmOverCommit = lib.mkEnableOption '' set `vm.overcommit_memory` sysctl to 1 (Suggested for Background Saving: ) '' // { default = true; }; - servers = mkOption { - type = with types; attrsOf (submodule ({ config, name, ... }: { + servers = lib.mkOption { + type = with lib.types; attrsOf (submodule ({ config, name, ... }: { options = { - enable = mkEnableOption "Redis server"; + enable = lib.mkEnableOption "Redis server"; - user = mkOption { - type = types.str; + user = lib.mkOption { + type = lib.types.str; default = redisName name; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' if name == "" then "redis" else "redis-''${name}" ''; description = '' 
@@ -82,10 +79,10 @@ in { ''; }; - group = mkOption { + group = lib.mkOption { type = types.str; default = config.user; - defaultText = literalExpression "config.user"; + defaultText = lib.literalExpression "config.user"; description = '' Group account under which this instance of redis-server runs. @@ -96,33 +93,33 @@ in { ''; }; - port = mkOption { - type = types.port; + port = lib.mkOption { + type = lib.types.port; default = if name == "" then 6379 else 0; - defaultText = literalExpression ''if name == "" then 6379 else 0''; + defaultText = lib.literalExpression ''if name == "" then 6379 else 0''; description = '' The TCP port to accept connections. If port 0 is specified Redis will not listen on a TCP socket. ''; }; - openFirewall = mkOption { - type = types.bool; + openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to open ports in the firewall for the server. ''; }; - extraParams = mkOption { - type = with types; listOf str; + extraParams = lib.mkOption { + type = with lib.types; listOf str; default = []; description = "Extra parameters to append to redis-server invocation"; example = [ "--sentinel" ]; }; - bind = mkOption { - type = with types; nullOr str; + bind = lib.mkOption { + type = with lib.types; nullOr str; default = "127.0.0.1"; description = '' The IP interface to bind to. 
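Review bot: The `group` option in this hunk keeps `type = types.str;` on its unchanged line while every sibling option was rewritten to `lib.types.str`, so the conversion is incomplete here. Whether the bare `types` still resolves once `with lib;` is gone depends on the enclosing `with lib.types;` scope of the `servers` submodule, which is a fragile thing to rely on; `type = lib.types.str;` makes it explicit and consistent with the rest of the file. The `servers` submodule this option belongs to starts in an earlier hunk.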
@@ -131,74 +128,74 @@ in { example = "192.0.2.1"; }; - unixSocket = mkOption { - type = with types; nullOr path; + unixSocket = lib.mkOption { + type = with lib.types; nullOr path; default = "/run/${redisName name}/redis.sock"; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' if name == "" then "/run/redis/redis.sock" else "/run/redis-''${name}/redis.sock" ''; description = "The path to the socket to bind to."; }; - unixSocketPerm = mkOption { - type = types.int; + unixSocketPerm = lib.mkOption { + type = lib.types.int; default = 660; description = "Change permissions for the socket"; example = 600; }; - logLevel = mkOption { - type = types.str; + logLevel = lib.mkOption { + type = lib.types.str; default = "notice"; # debug, verbose, notice, warning example = "debug"; description = "Specify the server verbosity level, options: debug, verbose, notice, warning."; }; - logfile = mkOption { - type = types.str; + logfile = lib.mkOption { + type = lib.types.str; default = "/dev/null"; description = "Specify the log file name. 
Also 'stdout' can be used to force Redis to log on the standard output."; example = "/var/log/redis.log"; }; - syslog = mkOption { - type = types.bool; + syslog = lib.mkOption { + type = lib.types.bool; default = true; description = "Enable logging to the system logger."; }; - databases = mkOption { - type = types.int; + databases = lib.mkOption { + type = lib.types.int; default = 16; description = "Set the number of databases."; }; - maxclients = mkOption { - type = types.int; + maxclients = lib.mkOption { + type = lib.types.int; default = 10000; description = "Set the max number of connected clients at the same time."; }; - save = mkOption { - type = with types; listOf (listOf int); + save = lib.mkOption { + type = with lib.types; listOf (listOf int); default = [ [900 1] [300 10] [60 10000] ]; description = '' - The schedule in which data is persisted to disk, represented as a list of lists where the first element represent the amount of seconds and the second the number of changes. + The schedule in which data is persisted to disk, represented as a list of lib.lists where the first lib.element represent the amount of seconds and the second the number of changes. - If set to the empty list (`[]`) then RDB persistence will be disabled (useful if you are using AOF or don't want any persistence). + If set to the empty list (`[]`) then RDB persistence will be disabled (useful if you are using AOF or don't want lib.any persistence). ''; }; - slaveOf = mkOption { - type = with types; nullOr (submodule ({ ... }: { + slaveOf = lib.mkOption { + type = with lib.types; nullOr (submodule ({ ... }: { options = { - ip = mkOption { + ip = lib.mkOption { type = str; description = "IP of the Redis master"; example = "192.168.1.100"; }; - port = mkOption { + port = lib.mkOption { type = port; description = "port of the Redis master"; default = 6379; 
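Review bot: The `save` option's description was damaged by the mechanical `lib.` prefixing: the new lines read `a list of lib.lists where the first lib.element represent` and `don't want lib.any persistence`, turning ordinary English words inside a `''` string into what look like library identifiers in user-facing option documentation. These are prose, not references to `lib`, so the original wording should be restored: `represented as a list of lists where the first element represent the amount of seconds` and `or don't want any persistence`. Since the same replacement produced the rest of the commit, the other description strings are worth checking for `lib.` followed by a plain English word. The enclosing `servers` submodule starts in an earlier hunk.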
@@ -211,8 +208,8 @@ in { example = { ip = "192.168.1.100"; port = 6379; }; }; - masterAuth = mkOption { - type = with types; nullOr str; + masterAuth = lib.mkOption { + type = with lib.types; nullOr str; default = null; description = ''If the master is password protected (using the requirePass configuration) it is possible to tell the slave to authenticate before starting the replication synchronization @@ -220,8 +217,8 @@ in { (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)''; }; - requirePass = mkOption { - type = with types; nullOr str; + requirePass = lib.mkOption { + type = with lib.types; nullOr str; default = null; description = '' Password for database (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE). 
@@ -230,55 +227,55 @@ in { example = "letmein!"; }; - requirePassFile = mkOption { - type = with types; nullOr path; + requirePassFile = lib.mkOption { + type = with lib.types; nullOr path; default = null; description = "File with password for the database."; example = "/run/keys/redis-password"; }; - appendOnly = mkOption { - type = types.bool; + appendOnly = lib.mkOption { + type = lib.types.bool; default = false; description = "By default data is only periodically persisted to disk, enable this option to use an append-only file for improved persistence."; }; - appendFsync = mkOption { - type = types.str; + appendFsync = lib.mkOption { + type = lib.types.str; default = "everysec"; # no, always, everysec description = "How often to fsync the append-only log, options: no, always, everysec."; }; - slowLogLogSlowerThan = mkOption { - type = types.int; + slowLogLogSlowerThan = lib.mkOption { + type = lib.types.int; default = 10000; description = "Log queries whose execution take longer than X in milliseconds."; example = 1000; }; - slowLogMaxLen = mkOption { - type = types.int; + slowLogMaxLen = lib.mkOption { + type = lib.types.int; default = 128; description = "Maximum number of items to keep in slow log."; }; - settings = mkOption { + settings = lib.mkOption { # TODO: this should be converted to freeformType - type = with types; attrsOf (oneOf [ bool int str (listOf str) ]); + type = with lib.types; attrsOf (oneOf [ bool int str (listOf str) ]); default = {}; description = '' Redis configuration. Refer to for details on supported values. ''; - example = literalExpression '' + example = lib.literalExpression '' { loadmodule = [ "/path/to/my_module.so" "/path/to/other_module.so" ]; } ''; }; }; - config.settings = mkMerge [ + config.settings = lib.mkMerge [ { inherit (config) port logfile databases maxclients appendOnly; daemonize = false; 
@@ -297,13 +294,13 @@ in { slowlog-max-len = config.slowLogMaxLen; } (mkIf (config.bind != null) { inherit (config) bind; }) - (mkIf (config.unixSocket != null) { + (lib.mkIf (config.unixSocket != null) { unixsocket = config.unixSocket; unixsocketperm = toString config.unixSocketPerm; }) - (mkIf (config.slaveOf != null) { slaveof = "${config.slaveOf.ip} ${toString config.slaveOf.port}"; }) - (mkIf (config.masterAuth != null) { masterauth = config.masterAuth; }) - (mkIf (config.requirePass != null) { requirepass = config.requirePass; }) + (lib.mkIf (config.slaveOf != null) { slaveof = "${config.slaveOf.ip} ${toString config.slaveOf.port}"; }) + (lib.mkIf (config.masterAuth != null) { masterauth = config.masterAuth; }) + (lib.mkIf (config.requirePass != null) { requirepass = config.requirePass; }) ]; })); description = "Configuration of multiple `redis-server` instances."; @@ -316,9 +313,9 @@ in { ###### implementation - config = mkIf (enabledServers != {}) { + config = lib.mkIf (enabledServers != {}) { - assertions = attrValues (mapAttrs (name: conf: { + assertions = lib.attrValues (lib.mapAttrs (name: conf: { assertion = conf.requirePass != null -> conf.requirePassFile == null; message = '' You can only set one services.redis.servers.${name}.requirePass 
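Review bot: The context line `(mkIf (config.bind != null) { inherit (config) bind; })` at the top of this hunk still uses an unqualified `mkIf` while the three `mkIf` calls directly below it were changed to `lib.mkIf`. If `with lib;` has been dropped from this file as the rest of the commit suggests (the file header hunk is outside this chunk), that name is no longer bound through `lib`, and because the expression sits inside the `with lib.types;` of the `servers` option the parser cannot flag it statically — it would surface only when `config.settings` of an enabled server is evaluated. Change it to `(lib.mkIf (config.bind != null) { inherit (config) bind; })`. The `config.settings = lib.mkMerge [` list this belongs to starts in the previous hunk.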
@@ -326,32 +323,32 @@ in { ''; }) enabledServers); - boot.kernel.sysctl = mkIf cfg.vmOverCommit { + boot.kernel.sysctl = lib.mkIf cfg.vmOverCommit { "vm.overcommit_memory" = "1"; }; - networking.firewall.allowedTCPPorts = concatMap (conf: - optional conf.openFirewall conf.port - ) (attrValues enabledServers); + networking.firewall.allowedTCPPorts = lib.concatMap (conf: + lib.optional conf.openFirewall conf.port + ) (lib.attrValues enabledServers); environment.systemPackages = [ cfg.package ]; - users.users = mapAttrs' (name: conf: nameValuePair (redisName name) { + users.users = lib.mapAttrs' (name: conf: lib.nameValuePair (redisName name) { description = "System user for the redis-server instance ${name}"; isSystemUser = true; group = redisName name; }) enabledServers; - users.groups = mapAttrs' (name: conf: nameValuePair (redisName name) { + users.groups = lib.mapAttrs' (name: conf: lib.nameValuePair (redisName name) { }) enabledServers; - systemd.services = mapAttrs' (name: conf: nameValuePair (redisName name) { + systemd.services = lib.mapAttrs' (name: conf: lib.nameValuePair (redisName name) { description = "Redis Server - ${redisName name}"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { - ExecStart = "${cfg.package}/bin/${cfg.package.serverBin or "redis-server"} /var/lib/${redisName name}/redis.conf ${escapeShellArgs conf.extraParams}"; + ExecStart = "${cfg.package}/bin/${cfg.package.serverBin or "redis-server"} /var/lib/${redisName name}/redis.conf ${lib.escapeShellArgs conf.extraParams}"; ExecStartPre = "+"+pkgs.writeShellScript "${redisName name}-prep-conf" (let redisConfVar = "/var/lib/${redisName name}/redis.conf"; redisConfRun = "/run/${redisName name}/nixos.conf"; 
@@ -364,10 +361,10 @@ in { echo 'include "${redisConfRun}"' > "${redisConfVar}" fi echo 'include "${redisConfStore}"' > "${redisConfRun}" - ${optionalString (conf.requirePassFile != null) '' + ${lib.optionalString (conf.requirePassFile != null) '' { echo -n "requirepass " - cat ${escapeShellArg conf.requirePassFile} + cat ${lib.escapeShellArg conf.requirePassFile} } >> "${redisConfRun}" ''} ''); @@ -388,7 +385,7 @@ in { # Security NoNewPrivileges = true; # Process Properties - LimitNOFILE = mkDefault "${toString (conf.maxclients + 32)}"; + LimitNOFILE = lib.mkDefault "${toString (conf.maxclients + 32)}"; # Sandboxing ProtectSystem = "strict"; ProtectHome = true; diff --git a/nixos/modules/services/desktops/deepin/dde-daemon.nix b/nixos/modules/services/desktops/deepin/dde-daemon.nix index ed4cd15bc271d..2188276f4b224 100644 --- a/nixos/modules/services/desktops/deepin/dde-daemon.nix +++ b/nixos/modules/services/desktops/deepin/dde-daemon.nix @@ -1,11 +1,8 @@ { config, pkgs, lib, ... }: - -with lib; - { meta = { - maintainers = teams.deepin.members; + maintainers = lib.teams.deepin.members; }; ###### interface @@ -14,7 +11,7 @@ with lib; services.deepin.dde-daemon = { - enable = mkEnableOption "daemon for handling the deepin session settings"; + enable = lib.mkEnableOption "daemon for handling the deepin session settings"; }; @@ -23,7 +20,7 @@ with lib; ###### implementation - config = mkIf config.services.deepin.dde-daemon.enable { + config = lib.mkIf config.services.deepin.dde-daemon.enable { environment.systemPackages = [ pkgs.deepin.dde-daemon ]; diff --git a/nixos/modules/services/desktops/espanso.nix b/nixos/modules/services/desktops/espanso.nix index 4a9bff9267a43..eda5c53014851 100644 --- a/nixos/modules/services/desktops/espanso.nix +++ b/nixos/modules/services/desktops/espanso.nix 
@@ -1,21 +1,19 @@ { config, lib, pkgs, ... }: - -with lib; let cfg = config.services.espanso; in { meta = { maintainers = with lib.maintainers; [ n8henrie numkem ]; }; options = { services.espanso = { - enable = mkEnableOption "Espanso"; - wayland = mkEnableOption "use the Wayland compatible espanso package"; - package = mkPackageOption pkgs "espanso" { + enable = lib.mkEnableOption "Espanso"; + wayland = lib.mkEnableOption "use the Wayland compatible espanso package"; + package = lib.mkPackageOption pkgs "espanso" { example = "pkgs.espanso-wayland"; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.user.services.espanso = { description = "Espanso daemon"; serviceConfig = { diff --git a/nixos/modules/services/desktops/geoclue2.nix b/nixos/modules/services/desktops/geoclue2.nix index 2e5de34bb76f5..6c100c9e7b502 100644 --- a/nixos/modules/services/desktops/geoclue2.nix +++ b/nixos/modules/services/desktops/geoclue2.nix 
@@ -1,37 +1,33 @@ # GeoClue 2 daemon. - { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.geoclue2; defaultWhitelist = [ "gnome-shell" "io.elementary.desktop.agent-geoclue2" ]; - appConfigModule = types.submodule ({ name, ... }: { + appConfigModule = lib.types.submodule ({ name, ... }: { options = { - desktopID = mkOption { - type = types.str; + desktopID = lib.mkOption { + type = lib.types.str; description = "Desktop ID of the application."; }; - isAllowed = mkOption { - type = types.bool; + isAllowed = lib.mkOption { + type = lib.types.bool; description = '' Whether the application will be allowed access to location information. ''; }; - isSystem = mkOption { - type = types.bool; + isSystem = lib.mkOption { + type = lib.types.bool; description = '' Whether the application is a system component or not. ''; }; - users = mkOption { - type = types.listOf types.str; + users = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = '' List of UIDs of all users for which this application is allowed location @@ -40,7 +36,7 @@ let }; }; - config.desktopID = mkDefault name; + config.desktopID = lib.mkDefault name; }); appConfigToINICompatible = _: { desktopID, isAllowed, isSystem, users, ... }: { @@ -48,7 +44,7 @@ let value = { allowed = isAllowed; system = isSystem; - users = concatStringsSep ";" users; + users = lib.concatStringsSep ";" users; }; }; @@ -61,8 +57,8 @@ in services.geoclue2 = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to enable GeoClue 2 daemon, a DBus service @@ -70,8 +66,8 @@ in ''; }; - enableDemoAgent = mkOption { - type = types.bool; + enableDemoAgent = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to use the GeoClue demo agent. This should be 
@@ -80,48 +76,48 @@ in ''; }; - enableNmea = mkOption { - type = types.bool; + enableNmea = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to fetch location from NMEA sources on local network. ''; }; - enable3G = mkOption { - type = types.bool; + enable3G = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable 3G source. ''; }; - enableCDMA = mkOption { - type = types.bool; + enableCDMA = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable CDMA source. ''; }; - enableModemGPS = mkOption { - type = types.bool; + enableModemGPS = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable Modem-GPS source. ''; }; - enableWifi = mkOption { - type = types.bool; + enableWifi = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable WiFi source. ''; }; - geoProviderUrl = mkOption { - type = types.str; + geoProviderUrl = lib.mkOption { + type = lib.types.str; default = "https://location.services.mozilla.com/v1/geolocate?key=geoclue"; example = "https://www.googleapis.com/geolocation/v1/geolocate?key=YOUR_KEY"; description = '' 
@@ -129,35 +125,24 @@ in ''; }; - package = mkOption { - type = types.package; - default = pkgs.geoclue2; - defaultText = literalExpression "pkgs.geoclue2"; - apply = pkg: pkg.override { - # the demo agent isn't built by default, but we need it here - withDemoAgent = cfg.enableDemoAgent; - }; - description = "The geoclue2 package to use"; - }; - - submitData = mkOption { - type = types.bool; + submitData = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to submit data to a GeoLocation Service. ''; }; - submissionUrl = mkOption { - type = types.str; + submissionUrl = lib.mkOption { + type = lib.types.str; default = "https://location.services.mozilla.com/v1/submit?key=geoclue"; description = '' The url to submit data to a GeoLocation Service. ''; }; - submissionNick = mkOption { - type = types.str; + submissionNick = lib.mkOption { + type = lib.types.str; default = "geoclue"; description = '' A nickname to submit network data with. @@ -165,10 +150,10 @@ in ''; }; - appConfig = mkOption { - type = types.attrsOf appConfigModule; + appConfig = lib.mkOption { + type = lib.types.attrsOf appConfigModule; default = {}; - example = literalExpression '' + example = lib.literalExpression '' "com.github.app" = { isAllowed = true; isSystem = true; @@ -186,7 +171,7 @@ in ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; @@ -219,7 +204,7 @@ in # this needs to run as a user service, since it's associated with the # user who is making the requests - systemd.user.services = mkIf cfg.enableDemoAgent { + systemd.user.services = lib.mkIf cfg.enableDemoAgent { geoclue-agent = { description = "Geoclue agent"; # this should really be `partOf = [ "geoclue.service" ]`, but 
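Review bot: This hunk deletes the `services.geoclue2.package` option outright, yet `cfg.package` is still read on the unchanged `environment.systemPackages = [ cfg.package ];` line in the `@@ -186` hunk below, so a configuration with `services.geoclue2.enable = true` would fail to evaluate with an undefined-option error unless `package` is re-declared somewhere in the file outside these hunks. The deletion is also not part of the `with lib;` cleanup the rest of the commit performs, and it drops the `apply` override that builds the demo agent when `enableDemoAgent` is set. If the removal is unintended, restore the option with qualified names as below; if it is intended, the remaining `cfg.package` consumers have to be updated in the same commit. The `services.geoclue2` options set this belongs to starts in an earlier hunk.
```nix
      package = lib.mkOption {
        type = lib.types.package;
        default = pkgs.geoclue2;
        defaultText = lib.literalExpression "pkgs.geoclue2";
        apply = pkg: pkg.override {
          # the demo agent isn't built by default, but we need it here
          withDemoAgent = cfg.enableDemoAgent;
        };
        description = "The geoclue2 package to use";
      };

      # … unchanged: submitData, submissionUrl, submissionNick options …
```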
@@ -249,10 +234,10 @@ in }; environment.etc."geoclue/geoclue.conf".text = - generators.toINI {} ({ + lib.generators.toINI {} ({ agent = { - whitelist = concatStringsSep ";" - (optional cfg.enableDemoAgent "geoclue-demo-agent" ++ defaultWhitelist); + whitelist = lib.concatStringsSep ";" + (lib.optional cfg.enableDemoAgent "geoclue-demo-agent" ++ defaultWhitelist); }; network-nmea = { enable = cfg.enableNmea; @@ -269,14 +254,14 @@ in wifi = { enable = cfg.enableWifi; url = cfg.geoProviderUrl; - submit-data = boolToString cfg.submitData; + submit-data = lib.boolToString cfg.submitData; submission-url = cfg.submissionUrl; submission-nick = cfg.submissionNick; }; - } // mapAttrs' appConfigToINICompatible cfg.appConfig); + } // lib.mapAttrs' appConfigToINICompatible cfg.appConfig); }; meta = with lib; { - maintainers = with maintainers; [ ] ++ teams.pantheon.members; + maintainers = with lib.maintainers; [ ] ++ lib.teams.pantheon.members; }; } diff --git a/nixos/modules/services/desktops/malcontent.nix b/nixos/modules/services/desktops/malcontent.nix index 1fbeb17e6aeb4..fedd84549671d 100644 --- a/nixos/modules/services/desktops/malcontent.nix +++ b/nixos/modules/services/desktops/malcontent.nix @@ -1,9 +1,5 @@ # Malcontent daemon. - { config, lib, pkgs, ... }: - -with lib; - { ###### interface @@ -12,7 +8,7 @@ with lib; services.malcontent = { - enable = mkEnableOption "Malcontent, parental control support for applications"; + enable = lib.mkEnableOption "Malcontent, parental control support for applications"; }; @@ -21,7 +17,7 @@ with lib; ###### implementation - config = mkIf config.services.malcontent.enable { + config = lib.mkIf config.services.malcontent.enable { environment.systemPackages = with pkgs; [ malcontent diff --git a/nixos/modules/services/desktops/zeitgeist.nix b/nixos/modules/services/desktops/zeitgeist.nix index f170e90a2a417..3975f1c803c26 100644 --- a/nixos/modules/services/desktops/zeitgeist.nix +++ b/nixos/modules/services/desktops/zeitgeist.nix 
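Review bot: In the `@@ -269` hunk the context line `meta = with lib; {` is kept while the body now spells out `lib.maintainers` and `lib.teams`, so that `with lib;` is redundant after this commit and is exactly the construct the commit removes everywhere else. The same leftover appears in the zeitgeist hunk that follows (`meta = with lib; { maintainers = with lib.maintainers; [ ] ++ lib.teams.pantheon.members; };`). Changing both to `meta = {` keeps the two files consistent with the rest of the change.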
@@ -1,26 +1,22 @@ # Zeitgeist - { config, lib, pkgs, ... }: - -with lib; - { meta = with lib; { - maintainers = with maintainers; [ ] ++ teams.pantheon.members; + maintainers = with lib.maintainers; [ ] ++ lib.teams.pantheon.members; }; ###### interface options = { services.zeitgeist = { - enable = mkEnableOption "zeitgeist, a service which logs the users' activities and events"; + enable = lib.mkEnableOption "zeitgeist, a service which logs the users' activities and events"; }; }; ###### implementation - config = mkIf config.services.zeitgeist.enable { + config = lib.mkIf config.services.zeitgeist.enable { environment.systemPackages = [ pkgs.zeitgeist ]; diff --git a/nixos/modules/services/development/bloop.nix b/nixos/modules/services/development/bloop.nix index 5796b1148b9f8..b61f543f57138 100644 --- a/nixos/modules/services/development/bloop.nix +++ b/nixos/modules/services/development/bloop.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.bloop; @@ -9,8 +6,8 @@ let in { options.services.bloop = { - extraOptions = mkOption { - type = types.listOf types.str; + extraOptions = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ ]; example = [ "-J-Xmx2G" @@ -23,8 +20,8 @@ in { ''; }; - install = mkOption { - type = types.bool; + install = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to install a user service for the Bloop server. @@ -35,12 +32,12 @@ in { }; }; - config = mkIf (cfg.install) { + config = lib.mkIf (cfg.install) { systemd.user.services.bloop = { description = "Bloop Scala build server"; environment = { - PATH = mkForce "${makeBinPath [ config.programs.java.package ]}"; + PATH = lib.mkForce "${lib.makeBinPath [ config.programs.java.package ]}"; }; serviceConfig = { Type = "forking"; diff --git a/nixos/modules/services/development/gemstash.nix b/nixos/modules/services/development/gemstash.nix index 367930dadfb8d..459b0e54e52b9 100644 
--- a/nixos/modules/services/development/gemstash.nix
+++ b/nixos/modules/services/development/gemstash.nix
@@ -1,66 +1,64 @@ { lib, pkgs, config, ... }: -with lib; - let settingsFormat = pkgs.formats.yaml { }; # gemstash uses a yaml config where the keys are ruby symbols, # which means they start with ':'. This would be annoying to use # on the nix side, so we rewrite plain names instead. - prefixColon = s: listToAttrs (map + prefixColon = s: lib.listToAttrs (map (attrName: { name = ":${attrName}"; value = - if isAttrs s.${attrName} + if lib.isAttrs s.${attrName} then prefixColon s."${attrName}" else s."${attrName}"; }) - (attrNames s)); + (lib.attrNames s)); # parse the port number out of the tcp://ip:port bind setting string - parseBindPort = bind: strings.toInt (last (strings.splitString ":" bind)); + parseBindPort = bind: lib.toInt (lib.last (lib.splitString ":" bind)); cfg = config.services.gemstash; in { options.services.gemstash = { - enable = mkEnableOption "gemstash, a cache for rubygems.org and a private gem server"; + enable = lib.mkEnableOption "gemstash, a cache for rubygems.org and a private gem server"; - openFirewall = mkOption { - type = types.bool; + openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to open the firewall for the port in {option}`services.gemstash.bind`. ''; }; - settings = mkOption { + settings = lib.mkOption { default = {}; description = '' Configuration for Gemstash. The details can be found at in [gemstash documentation](https://github.com/rubygems/gemstash/blob/master/man/gemstash-configuration.5.md). Each key set here is automatically prefixed with ":" to match the gemstash expectations. ''; - type = types.submodule { + type = lib.types.submodule { freeformType = settingsFormat.type; options = { - base_path = mkOption { - type = types.path; + base_path = lib.mkOption { + type = lib.types.path; default = "/var/lib/gemstash"; description = "Path to store the gem files and the sqlite database. 
If left unchanged, the directory will be created."; }; - bind = mkOption { - type = types.str; + bind = lib.mkOption { + type = lib.types.str; default = "tcp://0.0.0.0:9292"; description = "Host and port combination for the server to listen on."; }; - db_adapter = mkOption { - type = types.nullOr (types.enum [ "sqlite3" "postgres" "mysql" "mysql2" ]); + db_adapter = lib.mkOption { + type = lib.types.nullOr (lib.types.enum [ "sqlite3" "postgres" "mysql" "mysql2" ]); default = null; description = "Which database type to use. For choices other than sqlite3, the dbUrl has to be specified as well."; }; - db_url = mkOption { - type = types.nullOr types.str; + db_url = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; description = "The database to connect to when using postgres, mysql, or mysql2."; }; @@ -70,7 +68,7 @@ in }; config = - mkIf cfg.enable { + lib.mkIf cfg.enable { users = { users.gemstash = { group = "gemstash"; @@ -79,12 +77,12 @@ in groups.gemstash = { }; }; - networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ (parseBindPort cfg.settings.bind) ]; + networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ (parseBindPort cfg.settings.bind) ]; systemd.services.gemstash = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - serviceConfig = mkMerge [ + serviceConfig = lib.mkMerge [ { ExecStart = "${pkgs.gemstash}/bin/gemstash start --no-daemonize --config-file ${settingsFormat.generate "gemstash.yaml" (prefixColon cfg.settings)}"; NoNewPrivileges = true; @@ -94,7 +92,7 @@ in RestrictSUIDSGID = true; LockPersonality = true; } - (mkIf (cfg.settings.base_path == "/var/lib/gemstash") { + (lib.mkIf (cfg.settings.base_path == "/var/lib/gemstash") { StateDirectory = "gemstash"; }) ]; diff --git a/nixos/modules/services/games/mchprs.nix b/nixos/modules/services/games/mchprs.nix index 50db7cf66bb50..169e4ba84f60e 100644 --- a/nixos/modules/services/games/mchprs.nix +++ b/nixos/modules/services/games/mchprs.nix 
@@ -1,14 +1,11 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.mchprs; settingsFormat = pkgs.formats.toml { }; whitelistFile = pkgs.writeText "whitelist.json" (builtins.toJSON - (mapAttrsToList (n: v: { name = n; uuid = v; }) cfg.whitelist.list)); + (lib.mapAttrsToList (n: v: { name = n; uuid = v; }) cfg.whitelist.list)); configToml = (removeAttrs cfg.settings [ "address" "port" ]) // @@ -22,18 +19,18 @@ in { options = { services.mchprs = { - enable = mkEnableOption "MCHPRS, a Minecraft server"; + enable = lib.mkEnableOption "MCHPRS, a Minecraft server"; - declarativeSettings = mkOption { - type = types.bool; + declarativeSettings = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to use a declarative configuration for MCHPRS. ''; }; - declarativeWhitelist = mkOption { - type = types.bool; + declarativeWhitelist = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to use a declarative whitelist. @@ -42,16 +39,16 @@ in ''; }; - dataDir = mkOption { - type = types.path; + dataDir = lib.mkOption { + type = lib.types.path; default = "/var/lib/mchprs"; description = '' Directory to store MCHPRS database and other state/data files. ''; }; - openFirewall = mkOption { - type = types.bool; + openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to open ports in the firewall for the server. @@ -60,8 +57,8 @@ in ''; }; - maxRuntime = mkOption { - type = types.str; + maxRuntime = lib.mkOption { + type = lib.types.str; default = "infinity"; example = "7d"; description = '' 
@@ -73,15 +70,15 @@ in ''; }; - package = mkPackageOption pkgs "mchprs" { }; + package = lib.mkPackageOption pkgs "mchprs" { }; - settings = mkOption { - type = types.submodule { + settings = lib.mkOption { + type = lib.types.submodule { freeformType = settingsFormat.type; options = { - port = mkOption { - type = types.port; + port = lib.mkOption { + type = lib.types.port; default = 25565; description = '' Port for the server. @@ -90,8 +87,8 @@ in ''; }; - address = mkOption { - type = types.str; + address = lib.mkOption { + type = lib.types.str; default = "0.0.0.0"; description = '' Address for the server. @@ -101,8 +98,8 @@ in ''; }; - motd = mkOption { - type = types.str; + motd = lib.mkOption { + type = lib.types.str; default = "Minecraft High Performance Redstone Server"; description = '' Message of the day. @@ -111,8 +108,8 @@ in ''; }; - chat_format = mkOption { - type = types.str; + chat_format = lib.mkOption { + type = lib.types.str; default = "<{username}> {message}"; description = '' How to format chat message interpolating `username` @@ -122,8 +119,8 @@ in ''; }; - max_players = mkOption { - type = types.ints.positive; + max_players = lib.mkOption { + type = lib.types.ints.positive; default = 99999; description = '' Maximum number of simultaneous players. @@ -132,8 +129,8 @@ in ''; }; - view_distance = mkOption { - type = types.ints.positive; + view_distance = lib.mkOption { + type = lib.types.ints.positive; default = 8; description = '' Maximal distance (in chunks) between players and loaded chunks. @@ -142,8 +139,8 @@ in ''; }; - bungeecord = mkOption { - type = types.bool; + bungeecord = lib.mkOption { + type = lib.types.bool; default = false; description = '' Enable compatibility with @@ -153,8 +150,8 @@ in ''; }; - schemati = mkOption { - type = types.bool; + schemati = lib.mkOption { + type = lib.types.bool; default = false; description = '' Mimic the verification and directory layout used by the 
@@ -165,8 +162,8 @@ in ''; }; - block_in_hitbox = mkOption { - type = types.bool; + block_in_hitbox = lib.mkOption { + type = lib.types.bool; default = true; description = '' Allow placing blocks inside of players @@ -176,8 +173,8 @@ in ''; }; - auto_redpiler = mkOption { - type = types.bool; + auto_redpiler = lib.mkOption { + type = lib.types.bool; default = true; description = '' Use redpiler automatically. @@ -196,8 +193,8 @@ in }; whitelist = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether or not the whitelist (in `whitelist.json`) shoud be enabled. @@ -205,17 +202,17 @@ in ''; }; - list = mkOption { + list = lib.mkOption { type = let - minecraftUUID = types.strMatching + minecraftUUID = lib.types.strMatching "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" // { description = "Minecraft UUID"; }; in - types.attrsOf minecraftUUID; + lib.types.attrsOf minecraftUUID; default = { }; - example = literalExpression '' + example = lib.literalExpression '' { username1 = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"; username2 = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"; @@ -235,7 +232,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { users.users.mchprs = { description = "MCHPRS service user"; home = cfg.dataDir; @@ -326,11 +323,11 @@ in ''); }; - networking.firewall = mkIf (cfg.declarativeSettings && cfg.openFirewall) { + networking.firewall = lib.mkIf (cfg.declarativeSettings && cfg.openFirewall) { allowedUDPPorts = [ cfg.settings.port ]; allowedTCPPorts = [ cfg.settings.port ]; }; }; - meta.maintainers = with maintainers; [ gdd ]; + meta.maintainers = with lib.maintainers; [ gdd ]; } diff --git a/nixos/modules/services/hardware/actkbd.nix b/nixos/modules/services/hardware/actkbd.nix index 335e9b2fdf5ae..1bd8c4090d3c5 100644 --- a/nixos/modules/services/hardware/actkbd.nix +++ b/nixos/modules/services/hardware/actkbd.nix 
@@ -1,15 +1,12 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.actkbd; configFile = pkgs.writeText "actkbd.conf" '' - ${concatMapStringsSep "\n" + ${lib.concatMapStringsSep "\n" ({ keys, events, attributes, command, ... }: - ''${concatMapStringsSep "+" toString keys}:${concatStringsSep "," events}:${concatStringsSep "," attributes}:${command}'' + ''${lib.concatMapStringsSep "+" toString keys}:${lib.concatStringsSep "," events}:${lib.concatStringsSep "," attributes}:${command}'' ) cfg.bindings} ${cfg.extraConfig} @@ -18,25 +15,25 @@ let bindingCfg = { ... }: { options = { - keys = mkOption { - type = types.listOf types.int; + keys = lib.mkOption { + type = lib.types.listOf lib.types.int; description = "List of keycodes to match."; }; - events = mkOption { - type = types.listOf (types.enum ["key" "rep" "rel"]); + events = lib.mkOption { + type = lib.types.listOf (lib.types.enum ["key" "rep" "rel"]); default = [ "key" ]; description = "List of events to match."; }; - attributes = mkOption { - type = types.listOf types.str; + attributes = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ "exec" ]; description = "List of attributes."; }; - command = mkOption { - type = types.str; + command = lib.mkOption { + type = lib.types.str; default = ""; description = "What to run."; }; @@ -54,8 +51,8 @@ in services.actkbd = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to enable the {command}`actkbd` key mapping daemon. @@ -71,8 +68,8 @@ in ''; }; - bindings = mkOption { - type = types.listOf (types.submodule bindingCfg); + bindings = lib.mkOption { + type = lib.types.listOf (lib.types.submodule bindingCfg); default = []; example = lib.literalExpression '' [ { keys = [ 113 ]; events = [ "key" ]; command = "''${pkgs.alsa-utils}/bin/amixer -q set Master toggle"; } 
@@ -87,8 +84,8 @@ in ''; }; - extraConfig = mkOption { - type = types.lines; + extraConfig = lib.mkOption { + type = lib.types.lines; default = ""; description = '' Literal contents to append to the end of actkbd configuration file.
@@ -102,7 +99,7 @@ in ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { services.udev.packages = lib.singleton (pkgs.writeTextFile { name = "actkbd-udev-rules";
diff --git a/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix b/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix
index 8f9998108406b..377216d1f4313 100644
--- a/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix
+++ b/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix
@@ -1,11 +1,8 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.hardware.sane.brscan4; - netDeviceList = attrValues cfg.netDevices; + netDeviceList = lib.attrValues cfg.netDevices; etcFiles = pkgs.callPackage ./brscan4_etc_files.nix { netDevices = netDeviceList; };
@@ -13,8 +10,8 @@ let options = { - name = mkOption { - type = types.str; + name = lib.mkOption { + type = lib.types.str; description = '' The friendly name you give to the network device. If undefined, the name of attribute will be used.
@@ -23,8 +20,8 @@ let example = "office1"; }; - model = mkOption { - type = types.str; + model = lib.mkOption { + type = lib.types.str; description = '' The model of the network device. '';
@@ -32,8 +29,8 @@ let example = "MFC-7860DW"; }; - ip = mkOption { - type = with types; nullOr str; + ip = lib.mkOption { + type = with lib.types; nullOr str; default = null; description = '' The ip address of the device. If undefined, you will have to
@@ -43,8 +40,8 @@ let example = "192.168.1.2"; }; - nodename = mkOption { - type = with types; nullOr str; + nodename = lib.mkOption { + type = with lib.types; nullOr str; default = null; description = '' The node name of the device. If undefined, you will have to
@@ -58,7 +55,7 @@ let config = - { name = mkDefault name; + { name = lib.mkDefault name; }; };
@@ -68,20 +65,20 @@ in options = { hardware.sane.brscan4.enable = - mkEnableOption "Brother's brscan4 scan backend" // { + lib.mkEnableOption "Brother's brscan4 scan backend" // { description = '' When enabled, will automatically register the "brscan4" sane backend and bring configuration files to their expected location. ''; }; - hardware.sane.brscan4.netDevices = mkOption { + hardware.sane.brscan4.netDevices = lib.mkOption { default = {}; example = { office1 = { model = "MFC-7860DW"; ip = "192.168.1.2"; }; office2 = { model = "MFC-7860DW"; nodename = "BRW0080927AFBCE"; }; }; - type = with types; attrsOf (submodule netDeviceOpts); + type = with lib.types; attrsOf (submodule netDeviceOpts); description = '' The list of network devices that will be registered against the brscan4 sane backend.
@@ -89,7 +86,7 @@ in }; }; - config = mkIf (config.hardware.sane.enable && cfg.enable) { + config = lib.mkIf (config.hardware.sane.enable && cfg.enable) { hardware.sane.extraBackends = [ pkgs.brscan4
@@ -99,7 +96,7 @@ in { source = "${etcFiles}/etc/opt/brother/scanner/brscan4"; }; assertions = [ - { assertion = all (x: !(null != x.ip && null != x.nodename)) netDeviceList; + { assertion = lib.all (x: !(null != x.ip && null != x.nodename)) netDeviceList; message = '' When describing a network device as part of the attribute list `hardware.sane.brscan4.netDevices`, only one of its `ip` or `nodename`
diff --git a/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix b/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix
index 5236970337d84..38330eb692156 100644
--- a/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix
+++ b/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix
@@ -1,11 +1,8 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.hardware.sane.brscan5; - netDeviceList = attrValues cfg.netDevices; + netDeviceList = lib.attrValues cfg.netDevices; etcFiles = pkgs.callPackage ./brscan5_etc_files.nix { netDevices = netDeviceList; };
@@ -13,8 +10,8 @@ let options = { - name = mkOption { - type = types.str; + name = lib.mkOption { + type = lib.types.str; description = '' The friendly name you give to the network device. If undefined, the name of attribute will be used.
@@ -23,8 +20,8 @@ let example = "office1"; }; - model = mkOption { - type = types.str; + model = lib.mkOption { + type = lib.types.str; description = '' The model of the network device. '';
@@ -32,8 +29,8 @@ let example = "ADS-1200"; }; - ip = mkOption { - type = with types; nullOr str; + ip = lib.mkOption { + type = with lib.types; nullOr str; default = null; description = '' The ip address of the device. If undefined, you will have to
@@ -43,8 +40,8 @@ let example = "192.168.1.2"; }; - nodename = mkOption { - type = with types; nullOr str; + nodename = lib.mkOption { + type = with lib.types; nullOr str; default = null; description = '' The node name of the device. If undefined, you will have to
@@ -58,7 +55,7 @@ let config = - { name = mkDefault name; + { name = lib.mkDefault name; }; };
@@ -68,15 +65,15 @@ in options = { hardware.sane.brscan5.enable = - mkEnableOption "the Brother brscan5 sane backend"; + lib.mkEnableOption "the Brother brscan5 sane backend"; - hardware.sane.brscan5.netDevices = mkOption { + hardware.sane.brscan5.netDevices = lib.mkOption { default = {}; example = { office1 = { model = "MFC-7860DW"; ip = "192.168.1.2"; }; office2 = { model = "MFC-7860DW"; nodename = "BRW0080927AFBCE"; }; }; - type = with types; attrsOf (submodule netDeviceOpts); + type = with lib.types; attrsOf (submodule netDeviceOpts); description = '' The list of network devices that will be registered against the brscan5 sane backend.
@@ -84,7 +81,7 @@ in }; }; - config = mkIf (config.hardware.sane.enable && cfg.enable) { + config = lib.mkIf (config.hardware.sane.enable && cfg.enable) { hardware.sane.extraBackends = [ pkgs.brscan5
@@ -97,7 +94,7 @@ in environment.etc."sane.d/dll.d/brother5.conf".source = "${pkgs.brscan5}/etc/sane.d/dll.d/brother5.conf"; assertions = [ - { assertion = all (x: !(null != x.ip && null != x.nodename)) netDeviceList; + { assertion = lib.all (x: !(null != x.ip && null != x.nodename)) netDeviceList; message = '' When describing a network device as part of the attribute list `hardware.sane.brscan5.netDevices`, only one of its `ip` or `nodename`
diff --git a/nixos/modules/services/hardware/sane_extra_backends/dsseries.nix b/nixos/modules/services/hardware/sane_extra_backends/dsseries.nix
index d71a17f5ea6b4..49de9d94b427d 100644
--- a/nixos/modules/services/hardware/sane_extra_backends/dsseries.nix
+++ b/nixos/modules/services/hardware/sane_extra_backends/dsseries.nix
@@ -1,12 +1,9 @@ { config, lib, pkgs, ... }: - -with lib; - { options = { hardware.sane.dsseries.enable = - mkEnableOption "Brother DSSeries scan backend" // { + lib.mkEnableOption "Brother DSSeries scan backend" // { description = '' When enabled, will automatically register the "dsseries" SANE backend.
@@ -16,7 +13,7 @@ with lib; }; }; - config = mkIf (config.hardware.sane.enable && config.hardware.sane.dsseries.enable) { + config = lib.mkIf (config.hardware.sane.enable && config.hardware.sane.dsseries.enable) { hardware.sane.extraBackends = [ pkgs.dsseries ]; services.udev.packages = [ pkgs.dsseries ];
diff --git a/nixos/modules/services/hardware/trezord.nix b/nixos/modules/services/hardware/trezord.nix
index 097acb03631fe..b7642e476936a 100644
--- a/nixos/modules/services/hardware/trezord.nix
+++ b/nixos/modules/services/hardware/trezord.nix
@@ -1,6 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; let cfg = config.services.trezord; in {
@@ -15,24 +13,24 @@ in { options = { services.trezord = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Enable Trezor bridge daemon, for use with Trezor hardware bitcoin wallets. ''; }; - emulator.enable = mkOption { - type = types.bool; + emulator.enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Enable Trezor emulator support. ''; }; - emulator.port = mkOption { - type = types.port; + emulator.port = lib.mkOption { + type = lib.types.port; default = 21324; description = '' Listening port for the Trezor emulator.
@@ -43,7 +41,7 @@ in { ### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { services.udev.packages = [ pkgs.trezor-udev-rules ]; systemd.services.trezord = {
@@ -53,7 +51,7 @@ in { path = []; serviceConfig = { Type = "simple"; - ExecStart = "${pkgs.trezord}/bin/trezord-go ${optionalString cfg.emulator.enable "-e ${builtins.toString cfg.emulator.port}"}"; + ExecStart = "${pkgs.trezord}/bin/trezord-go ${lib.optionalString cfg.emulator.enable "-e ${builtins.toString cfg.emulator.port}"}"; User = "trezord"; }; };
diff --git a/nixos/modules/services/hardware/usbrelayd.nix b/nixos/modules/services/hardware/usbrelayd.nix
index 31e56ab1d16c6..38047c4e44cab 100644
--- a/nixos/modules/services/hardware/usbrelayd.nix
+++ b/nixos/modules/services/hardware/usbrelayd.nix
@@ -1,13 +1,12 @@ { config, lib, pkgs, ... }: -with lib; let cfg = config.services.usbrelayd; in { - options.services.usbrelayd = with types; { - enable = mkEnableOption "USB Relay MQTT daemon"; + options.services.usbrelayd = with lib.types; { + enable = lib.mkEnableOption "USB Relay MQTT daemon"; - broker = mkOption { + broker = lib.mkOption { type = str; description = "Hostname or IP address of your MQTT Broker."; default = "127.0.0.1";
@@ -17,14 +16,14 @@ in ]; }; - clientName = mkOption { + clientName = lib.mkOption { type = str; description = "Name, your client connects as."; default = "MyUSBRelay"; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.etc."usbrelayd.conf".text = '' [MQTT]
diff --git a/nixos/modules/services/home-automation/ebusd.nix b/nixos/modules/services/home-automation/ebusd.nix
index 97d1e2796adab..0a83bed6ff011 100644
--- a/nixos/modules/services/home-automation/ebusd.nix
+++ b/nixos/modules/services/home-automation/ebusd.nix
@@ -1,20 +1,17 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.ebusd; in { - meta.maintainers = with maintainers; [ nathan-gs ]; + meta.maintainers = with lib.maintainers; [ nathan-gs ]; options.services.ebusd = { - enable = mkEnableOption "ebusd, a daemon for communication with eBUS heating systems"; + enable = lib.mkEnableOption "ebusd, a daemon for communication with eBUS heating systems"; - package = mkPackageOption pkgs "ebusd" { }; + package = lib.mkPackageOption pkgs "ebusd" { }; - device = mkOption { - type = types.str; + device = lib.mkOption { + type = lib.types.str; default = ""; example = "IP:PORT"; description = ''
@@ -29,32 +26,32 @@ in ''; }; - port = mkOption { + port = lib.mkOption { default = 8888; - type = types.port; + type = lib.types.port; description = '' The port on which to listen on ''; }; - readonly = mkOption { - type = types.bool; + readonly = lib.mkOption { + type = lib.types.bool; default = false; description = '' Only read from device, never write to it ''; }; - configpath = mkOption { - type = types.str; + configpath = lib.mkOption { + type = lib.types.str; default = "https://cfg.ebusd.eu/"; description = '' Directory to read CSV config files from. This can be a local folder or a URL. ''; }; - scanconfig = mkOption { - type = types.str; + scanconfig = lib.mkOption { + type = lib.types.str; default = "full"; description = '' Pick CSV config files matching initial scan ("none" or empty for no initial scan message, "full" for full scan, or a single hex address to scan, default is to send a broadcast ident message). 
@@ -67,61 +64,61 @@ in # "all" must come first so it can be overridden by more specific areas areas = [ "all" "main" "network" "bus" "update" "other" ]; levels = [ "none" "error" "notice" "info" "debug" ]; - in listToAttrs (map (area: nameValuePair area (mkOption { - type = types.enum levels; + in lib.listToAttrs (map (area: lib.nameValuePair area (lib.mkOption { + type = lib.types.enum levels; default = "notice"; example = "debug"; description = '' - Only write log for matching `AREA`s (${concatStringsSep "|" areas}) below or equal to `LEVEL` (${concatStringsSep "|" levels}) + Only write log for matching `AREA`s (${lib.concatStringsSep "|" areas}) below or equal to `LEVEL` (${lib.concatStringsSep "|" levels}) ''; })) areas); mqtt = { - enable = mkEnableOption "support for MQTT"; + enable = lib.mkEnableOption "support for MQTT"; - host = mkOption { - type = types.str; + host = lib.mkOption { + type = lib.types.str; default = "localhost"; description = '' Connect to MQTT broker on HOST. ''; }; - port = mkOption { + port = lib.mkOption { default = 1883; - type = types.port; + type = lib.types.port; description = '' The port on which to connect to MQTT ''; }; - home-assistant = mkOption { - type = types.bool; + home-assistant = lib.mkOption { + type = lib.types.bool; default = false; description = '' Adds the Home Assistant topics to MQTT, read more at [MQTT Integration](https://github.com/john30/ebusd/wiki/MQTT-integration) ''; }; - retain = mkEnableOption "set the retain flag on all topics instead of only selected global ones"; + retain = lib.mkEnableOption "set the retain flag on all topics instead of only selected global ones"; - user = mkOption { - type = types.str; + user = lib.mkOption { + type = lib.types.str; description = '' The MQTT user to use ''; }; - password = mkOption { - type = types.str; + password = lib.mkOption { + type = lib.types.str; description = '' The MQTT password. 
''; }; }; - extraArguments = mkOption { - type = types.listOf types.str; + extraArguments = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = '' Extra arguments to the ebus daemon
@@ -130,41 +127,41 @@ in }; config = let - usesDev = hasPrefix "/" cfg.device; - in mkIf cfg.enable { + usesDev = lib.hasPrefix "/" cfg.device; + in lib.mkIf cfg.enable { systemd.services.ebusd = { description = "EBUSd Service"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { ExecStart = let - args = cli.toGNUCommandLineShell { optionValueSeparator = "="; } (foldr (a: b: a // b) { } [ + args = lib.cli.toGNUCommandLineShell { optionValueSeparator = "="; } (lib.foldr (a: b: a // b) { } [ { inherit (cfg) device port configpath scanconfig readonly; foreground = true; updatecheck = "off"; - log = mapAttrsToList (name: value: "${name}:${value}") cfg.logs; + log = lib.mapAttrsToList (name: value: "${name}:${value}") cfg.logs; mqttretain = cfg.mqtt.retain; } - (optionalAttrs cfg.mqtt.enable { + (lib.optionalAttrs cfg.mqtt.enable { mqtthost = cfg.mqtt.host; mqttport = cfg.mqtt.port; mqttuser = cfg.mqtt.user; mqttpass = cfg.mqtt.password; }) - (optionalAttrs cfg.mqtt.home-assistant { + (lib.optionalAttrs cfg.mqtt.home-assistant { mqttint = "${cfg.package}/etc/ebusd/mqtt-hassio.cfg"; mqttjson = true; }) ]); - in "${cfg.package}/bin/ebusd ${args} ${escapeShellArgs cfg.extraArguments}"; + in "${cfg.package}/bin/ebusd ${args} ${lib.escapeShellArgs cfg.extraArguments}"; DynamicUser = true; Restart = "on-failure"; # Hardening CapabilityBoundingSet = ""; - DeviceAllow = optionals usesDev [ cfg.device ]; + DeviceAllow = lib.optionals usesDev [ cfg.device ]; DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = false;
diff --git a/nixos/modules/services/home-automation/evcc.nix b/nixos/modules/services/home-automation/evcc.nix
index a952437b1b56e..5e97b8c90d238 100644
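Review bot: In the `config` hunk (`@@ -130,41 +127,41 @@`), `mqttpass = cfg.mqtt.password` is folded into `args` by `lib.cli.toGNUCommandLineShell` and interpolated into `ExecStart`, so the MQTT password is written into the generated systemd unit in the Nix store, which is world-readable, and is presumably also visible in the daemon's command line while it runs. The commit only adds the `lib.` prefixes, so this is pre-existing, but the `password` option declared in the preceding hunk (`@@ -67,61 +64,61 @@`) gives no hint of it; its description could read: `The MQTT password. This value is embedded in the service's command line and therefore ends up in the world-readable Nix store.` If ebusd can read the password from a file, a file-based option handed over via systemd `LoadCredential` would avoid this, but that is a larger change than this refactor. The `config = let ... in lib.mkIf cfg.enable {` attribute set continues past the end of the hunk.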
--- a/nixos/modules/services/home-automation/evcc.nix
+++ b/nixos/modules/services/home-automation/evcc.nix
@@ -3,9 +3,6 @@ , config , ... }: - -with lib; - let cfg = config.services.evcc;
@@ -18,10 +15,10 @@ in { meta.maintainers = with lib.maintainers; [ hexa ]; - options.services.evcc = with types; { - enable = mkEnableOption "EVCC, the extensible EV Charge Controller with PV integration"; + options.services.evcc = with lib.types; { + enable = lib.mkEnableOption "EVCC, the extensible EV Charge Controller with PV integration"; - extraArgs = mkOption { + extraArgs = lib.mkOption { type = listOf str; default = []; description = ''
@@ -29,7 +26,7 @@ in ''; }; - settings = mkOption { + settings = lib.mkOption { type = format.type; description = '' evcc configuration as a Nix attribute set.
@@ -39,7 +36,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.services.evcc = { wants = [ "network-online.target" ]; after = [
@@ -54,7 +51,7 @@ in getent ]; serviceConfig = { - ExecStart = "${package}/bin/evcc --config ${configFile} ${escapeShellArgs cfg.extraArgs}"; + ExecStart = "${package}/bin/evcc --config ${configFile} ${lib.escapeShellArgs cfg.extraArgs}"; CapabilityBoundingSet = [ "" ]; DeviceAllow = [ "char-ttyUSB"