Merge remote-tracking branch 'origin/staging-next' into staging

NixOS · Dec 13, 2024 · 172123b · 172123b
2 parents e5481e2 + c1c8e96
commit 172123b
Show file tree

Hide file tree

Showing 98 changed files with 3,860 additions and 4,219 deletions.
diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
@@ -12348,6 +12348,12 @@
     github = "lachrymaLF";
     githubId = 13716477;
   };
+  lactose = {
+    name = "lactose";
+    email = "[email protected]";
+    github = "juuyokka";
+    githubId = 15185244;
+  };
   lafrenierejm = {
     email = "[email protected]";
     github = "lafrenierejm";
@@ -15573,10 +15579,11 @@
     name = "Nathan Yong";
   };
   natsukagami = {
-    email = "[email protected]";
+    name = "Natsu Kagami";
+    email = "[email protected]";
+    matrix = "@nki:m.nkagami.me";
     github = "natsukagami";
     githubId = 9061737;
-    name = "Natsu Kagami";
     keys = [ { fingerprint = "5581 26DC 886F E14D 501D  B0F2 D6AD 7B57 A992 460C"; } ];
   };
   natsukium = {

diff --git a/nixos/lib/make-ext4-fs.nix b/nixos/lib/make-ext4-fs.nix
@@ -102,7 +102,7 @@ pkgs.stdenv.mkDerivation {
 
     if [ ${builtins.toString compressImage} ]; then
       echo "Compressing image"
-      zstd -v --no-progress ./$img -o $out
+      zstd -T$NIX_BUILD_CORES -v --no-progress ./$img -o $out
     fi
   '';
 }
diff --git a/nixos/modules/installer/sd-card/sd-image-aarch64.nix b/nixos/modules/installer/sd-card/sd-image-aarch64.nix
@@ -24,6 +24,9 @@
         [pi3]
         kernel=u-boot-rpi3.bin
 
+        # Otherwise the serial output will be garbled.
+        core_freq=250
+
         [pi02]
         kernel=u-boot-rpi3.bin
 

diff --git a/nixos/modules/services/audio/navidrome.nix b/nixos/modules/services/audio/navidrome.nix
@@ -109,14 +109,20 @@ in
             BindPaths =
               optional (cfg.settings ? DataFolder) cfg.settings.DataFolder
               ++ optional (cfg.settings ? CacheFolder) cfg.settings.CacheFolder;
-            BindReadOnlyPaths = [
-              # navidrome uses online services to download additional album metadata / covers
-              "${
-                config.environment.etc."ssl/certs/ca-certificates.crt".source
-              }:/etc/ssl/certs/ca-certificates.crt"
-              builtins.storeDir
-              "/etc"
-            ] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
+            BindReadOnlyPaths =
+              [
+                # navidrome uses online services to download additional album metadata / covers
+                "${
+                  config.environment.etc."ssl/certs/ca-certificates.crt".source
+                }:/etc/ssl/certs/ca-certificates.crt"
+                builtins.storeDir
+                "/etc"
+              ]
+              ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder
+              ++ lib.optionals config.services.resolved.enable [
+                "/run/systemd/resolve/stub-resolv.conf"
+                "/run/systemd/resolve/resolv.conf"
+              ];
             CapabilityBoundingSet = "";
             RestrictAddressFamilies = [
               "AF_UNIX"

diff --git a/nixos/modules/services/databases/couchdb.nix b/nixos/modules/services/databases/couchdb.nix
@@ -1,36 +1,53 @@
-{ config, options, lib, pkgs, ... }:
+{
+  config,
+  options,
+  lib,
+  pkgs,
+  ...
+}:
 let
   cfg = config.services.couchdb;
   opt = options.services.couchdb;
-  configFile = pkgs.writeText "couchdb.ini" (
-    ''
-      [couchdb]
-      database_dir = ${cfg.databaseDir}
-      uri_file = ${cfg.uriFile}
-      view_index_dir = ${cfg.viewIndexDir}
-    '' + (lib.optionalString (cfg.adminPass != null) ''
-      [admins]
-      ${cfg.adminUser} = ${cfg.adminPass}
-    '' + ''
-      [chttpd]
-    '') +
-    ''
-      port = ${toString cfg.port}
-      bind_address = ${cfg.bindAddress}
-
-      [log]
-      file = ${cfg.logFile}
-    '');
-  executable = "${cfg.package}/bin/couchdb";
-
-in {
 
+  baseConfig = {
+    couchdb = {
+      database_dir = cfg.databaseDir;
+      uri_file = cfg.uriFile;
+      view_index_dir = cfg.viewIndexDir;
+    };
+    chttpd = {
+      port = cfg.port;
+      bind_address = cfg.bindAddress;
+    };
+    log = {
+      file = cfg.logFile;
+    };
+  };
+  adminConfig = lib.optionalAttrs (cfg.adminPass != null) {
+    admins = {
+      "${cfg.adminUser}" = cfg.adminPass;
+    };
+  };
+  appConfig = lib.recursiveUpdate (lib.recursiveUpdate baseConfig adminConfig) cfg.extraConfig;
+
+  optionsConfigFile = pkgs.writeText "couchdb.ini" (lib.generators.toINI { } appConfig);
+
+  # we are actually specifying 5 configuration files:
+  # 1. the preinstalled default.ini
+  # 2. the module configuration
+  # 3. the extraConfigFiles from the module options
+  # 4. the locally writable config file, which couchdb itself writes to
+  configFiles = [
+    "${cfg.package}/etc/default.ini"
+    optionsConfigFile
+  ] ++ cfg.extraConfigFiles ++ [ cfg.configFile ];
+  executable = "${cfg.package}/bin/couchdb";
+in
+{
   ###### interface
 
   options = {
-
     services.couchdb = {
-
       enable = lib.mkEnableOption "CouchDB Server";
 
       package = lib.mkPackageOption pkgs "couchdb3" { };
@@ -128,10 +145,15 @@ in {
       };
 
       extraConfig = lib.mkOption {
-        type = lib.types.lines;
-        default = "";
+        type = lib.types.attrs;
+        default = { };
+        description = "Extra configuration options for CouchDB";
+      };
+      extraConfigFiles = lib.mkOption {
+        type = lib.types.listOf lib.types.path;
+        default = [ ];
         description = ''
-          Extra configuration. Overrides any other configuration.
+          Extra configuration files. Overrides any other configuration. You can use this to setup the Admin user without putting the password in your nix store.
         '';
       };
 
@@ -146,24 +168,20 @@ in {
 
       configFile = lib.mkOption {
         type = lib.types.path;
+        default = "/var/lib/couchdb/local.ini";
         description = ''
           Configuration file for persisting runtime changes. File
           needs to be readable and writable from couchdb user/group.
         '';
       };
-
     };
-
   };
 
   ###### implementation
 
-  config = lib.mkIf config.services.couchdb.enable {
-
+  config = lib.mkIf cfg.enable {
     environment.systemPackages = [ cfg.package ];
 
-    services.couchdb.configFile = lib.mkDefault "/var/lib/couchdb/local.ini";
-
     systemd.tmpfiles.rules = [
       "d '${dirOf cfg.uriFile}' - ${cfg.user} ${cfg.group} - -"
       "f '${cfg.logFile}' - ${cfg.user} ${cfg.group} - -"
@@ -185,15 +203,10 @@ in {
       '';
 
       environment = {
-        # we are actually specifying 5 configuration files:
-        # 1. the preinstalled default.ini
-        # 2. the module configuration
-        # 3. the extraConfig from the module options
-        # 4. the locally writable config file, which couchdb itself writes to
-        ERL_FLAGS= ''-couch_ini ${cfg.package}/etc/default.ini ${configFile} ${pkgs.writeText "couchdb-extra.ini" cfg.extraConfig} ${cfg.configFile}'';
+        ERL_FLAGS = ''-couch_ini ${lib.concatStringsSep " " configFiles}'';
         # 5. the vm.args file
-        COUCHDB_ARGS_FILE=''${cfg.argsFile}'';
-        HOME =''${cfg.databaseDir}'';
+        COUCHDB_ARGS_FILE = ''${cfg.argsFile}'';
+        HOME = ''${cfg.databaseDir}'';
       };
 
       serviceConfig = {
@@ -210,6 +223,5 @@ in {
     };
 
     users.groups.couchdb.gid = config.ids.gids.couchdb;
-
   };
 }
diff --git a/nixos/modules/services/misc/anki-sync-server.nix b/nixos/modules/services/misc/anki-sync-server.nix
@@ -16,7 +16,7 @@ with lib; let
     cfg.users;
   usersWithIndexesFile = filter (x: x.user.passwordFile != null) usersWithIndexes;
   usersWithIndexesNoFile = filter (x: x.user.passwordFile == null && x.user.password != null) usersWithIndexes;
-  anki-sync-server-run = pkgs.writeShellScriptBin "anki-sync-server-run" ''
+  anki-sync-server-run = pkgs.writeShellScript "anki-sync-server-run" ''
     # When services.anki-sync-server.users.passwordFile is set,
     # each password file is passed as a systemd credential, which is mounted in
     # a file system exposed to the service. Here we read the passwords from
@@ -25,7 +25,10 @@ with lib; let
     ${
       concatMapStringsSep
       "\n"
-      (x: ''export SYNC_USER${toString x.i}=${escapeShellArg x.user.username}:"''$(cat "''${CREDENTIALS_DIRECTORY}/"${escapeShellArg x.user.username})"'')
+      (x: ''
+        read -r pass < "''${CREDENTIALS_DIRECTORY}/"${escapeShellArg x.user.username}
+        export SYNC_USER${toString x.i}=${escapeShellArg x.user.username}:"$pass"
+      '')
       usersWithIndexesFile
     }
     # For users where services.anki-sync-server.users.password isn't set,
@@ -36,7 +39,7 @@ with lib; let
       (x: ''export SYNC_USER${toString x.i}=${escapeShellArg x.user.username}:${escapeShellArg x.user.password}'')
       usersWithIndexesNoFile
     }
-    exec ${cfg.package}/bin/anki-sync-server
+    exec ${lib.getExe cfg.package}
   '';
 in {
   options.services.anki-sync-server = {
@@ -130,7 +133,7 @@ in {
         Type = "simple";
         DynamicUser = true;
         StateDirectory = name;
-        ExecStart = "${anki-sync-server-run}/bin/anki-sync-server-run";
+        ExecStart = anki-sync-server-run;
         Restart = "always";
         LoadCredential =
           map

diff --git a/pkgs/applications/networking/browsers/firefox-bin/update.nix b/pkgs/applications/networking/browsers/firefox-bin/update.nix
@@ -79,7 +79,8 @@ writeScript "update-${pname}" ''
                  tr " " ":"`; do
       # create an entry for every locale
       cat >> $tmpfile <<EOF
-      { url = "$url$version/`echo $line | cut -d":" -f3`";
+      {
+        url = "$url$version/`echo $line | cut -d":" -f3`";
         locale = "`echo $line | cut -d":" -f3 | sed "s/$arch\///" | sed "s/\/.*//"`";
         arch = "$arch";
         sha256 = "`echo $line | cut -d":" -f1`";
@@ -88,7 +89,7 @@ writeScript "update-${pname}" ''
     done
   done
   cat >> $tmpfile <<EOF
-      ];
+    ];
   }
   EOF