From 8d0fd739462685a1e9a1081c1c9778bd6b17e55c Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:21 +0100 Subject: [PATCH 01/44] nixos/security.pki: remove `with lib;` --- nixos/modules/security/ca.nix | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix index 76c1010f41990..9e5ad9fcf3a83 100644 --- a/nixos/modules/security/ca.nix +++ b/nixos/modules/security/ca.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.security.pki; @@ -19,12 +16,12 @@ in { options = { - security.pki.installCACerts = mkEnableOption "installing CA certificates to the system" // { + security.pki.installCACerts = lib.mkEnableOption "installing CA certificates to the system" // { default = true; internal = true; }; - security.pki.useCompatibleBundle = mkEnableOption '' + security.pki.useCompatibleBundle = lib.mkEnableOption '' usage of a compatibility bundle. Such a bundle consists exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`, @@ -36,10 +33,10 @@ in certificates themselves. This can have security consequences depending on your usecases ''; - security.pki.certificateFiles = mkOption { - type = types.listOf types.path; + security.pki.certificateFiles = lib.mkOption { + type = lib.types.listOf lib.types.path; default = []; - example = literalExpression ''[ "''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]''; + example = lib.literalExpression ''[ "''${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]''; description = '' A list of files containing trusted root certificates in PEM format. These are concatenated to form @@ -49,10 +46,10 @@ in ''; }; - security.pki.certificates = mkOption { - type = types.listOf types.str; + security.pki.certificates = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; - example = literalExpression '' + example = lib.literalExpression '' [ ''' NixOS.org ========= 
@@ -69,8 +66,8 @@ in ''; }; - security.pki.caCertificateBlacklist = mkOption { - type = types.listOf types.str; + security.pki.caCertificateBlacklist = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; example = [ "WoSign" "WoSign China" @@ -87,7 +84,7 @@ in }; - config = mkIf cfg.installCACerts { + config = lib.mkIf cfg.installCACerts { # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. environment.etc."ssl/certs/ca-certificates.crt".source = caBundle; From 011b094cddf33ac35867d88b9ddb4775f19e0ffd Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:21 +0100 Subject: [PATCH 02/44] nixos/security.chromiumSuidSandbox: remove `with lib;` --- nixos/modules/security/chromium-suid-sandbox.nix | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/nixos/modules/security/chromium-suid-sandbox.nix b/nixos/modules/security/chromium-suid-sandbox.nix index bb99c053f7185..146696b05de9a 100644 --- a/nixos/modules/security/chromium-suid-sandbox.nix +++ b/nixos/modules/security/chromium-suid-sandbox.nix @@ -1,18 +1,15 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.security.chromiumSuidSandbox; sandbox = pkgs.chromium.sandbox; in { imports = [ - (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ]) + (lib.mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ]) ]; - options.security.chromiumSuidSandbox.enable = mkOption { - type = types.bool; + options.security.chromiumSuidSandbox.enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to install the Chromium SUID sandbox which is an executable that @@ -26,7 +23,7 @@ in ''; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ sandbox ]; security.wrappers.${sandbox.passthru.sandboxExecutableName} = { setuid = true; 
From 6f58cc224f096c644c7f732912785c3487a18daf Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Sun, 8 Dec 2024 13:18:21 +0100
Subject: [PATCH 03/44] nixos/security.doas: remove `with lib;`

---
 nixos/modules/security/doas.nix | 74 ++++++++++++++++-----------------
 1 file changed, 36 insertions(+), 38 deletions(-)

diff --git a/nixos/modules/security/doas.nix b/nixos/modules/security/doas.nix
index 457a48a987aab..f73477e5c6642 100644
--- a/nixos/modules/security/doas.nix
+++ b/nixos/modules/security/doas.nix
@@ -1,6 +1,4 @@
 { config, lib, pkgs, ... }:
-
-with lib;
 
 let
   cfg = config.security.doas;
@@ -10,36 +8,36 @@ let mkGrpString = group: ":${toString group}"; - mkOpts = rule: concatStringsSep " " [ - (optionalString rule.noPass "nopass") - (optionalString rule.noLog "nolog") - (optionalString rule.persist "persist") - (optionalString rule.keepEnv "keepenv") - "setenv { SSH_AUTH_SOCK TERMINFO TERMINFO_DIRS ${concatStringsSep " " rule.setEnv} }" + mkOpts = rule: lib.concatStringsSep " " [ + (lib.optionalString rule.noPass "nopass") + (lib.optionalString rule.noLog "nolog") + (lib.optionalString rule.persist "persist") + (lib.optionalString rule.keepEnv "keepenv") + "setenv { SSH_AUTH_SOCK TERMINFO TERMINFO_DIRS ${lib.concatStringsSep " " rule.setEnv} }" ]; mkArgs = rule: if (rule.args == null) then "" - else if (length rule.args == 0) then "args" - else "args ${concatStringsSep " " rule.args}"; + else if (lib.length rule.args == 0) then "args" + else "args ${lib.concatStringsSep " " rule.args}"; mkRule = rule: let opts = mkOpts rule; - as = optionalString (rule.runAs != null) "as ${rule.runAs}"; + as = lib.optionalString (rule.runAs != null) "as ${rule.runAs}"; - cmd = optionalString (rule.cmd != null) "cmd ${rule.cmd}"; + cmd = lib.optionalString (rule.cmd != null) "cmd ${rule.cmd}"; args = mkArgs rule; in - optionals (length cfg.extraRules > 0) [ + lib.optionals (lib.length cfg.extraRules > 0) [ ( - optionalString (length rule.users > 0) + lib.optionalString (lib.length rule.users > 0) (map (usr: "permit ${opts} ${mkUsrString usr} ${as} ${cmd} ${args}") rule.users) ) ( - optionalString (length rule.groups > 0) + lib.optionalString (lib.length rule.groups > 0) (map (grp: "permit ${opts} ${mkGrpString grp} ${as} ${cmd} ${args}") rule.groups) ) ]; @@ -50,8 +48,8 @@ in options.security.doas = { - enable = mkOption { - type = with types; bool; + enable = lib.mkOption { + type = with lib.types; bool; default = false; description = '' Whether to enable the {command}`doas` command, which allows 
@@ -59,8 +57,8 @@ in ''; }; - wheelNeedsPassword = mkOption { - type = with types; bool; + wheelNeedsPassword = lib.mkOption { + type = with lib.types; bool; default = true; description = '' Whether users of the `wheel` group must provide a password to @@ -68,7 +66,7 @@ in ''; }; - extraRules = mkOption { + extraRules = lib.mkOption { default = []; description = '' Define specific rules to be set in the @@ -79,7 +77,7 @@ in this option cannot be used to override the behaviour allowing passwordless operation for root. ''; - example = literalExpression '' + example = lib.literalExpression '' [ # Allow execution of any command by any user in group doas, requiring # a password and keeping any previously-defined environment variables. @@ -108,11 +106,11 @@ in setEnv = [ "-SSH_AUTH_SOCK" "ALPHA=1" "BETA" ]; } ] ''; - type = with types; listOf ( + type = with lib.types; listOf ( submodule { options = { - noPass = mkOption { + noPass = lib.mkOption { type = with types; bool; default = false; description = '' @@ -121,7 +119,7 @@ in ''; }; - noLog = mkOption { + noLog = lib.mkOption { type = with types; bool; default = false; description = '' @@ -131,7 +129,7 @@ in ''; }; - persist = mkOption { + persist = lib.mkOption { type = with types; bool; default = false; description = '' @@ -140,7 +138,7 @@ in ''; }; - keepEnv = mkOption { + keepEnv = lib.mkOption { type = with types; bool; default = false; description = '' @@ -151,7 +149,7 @@ in ''; }; - setEnv = mkOption { + setEnv = lib.mkOption { type = with types; listOf str; default = []; description = '' 
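Review bot: In the @@ -108,11 +106,11 @@ hunk the submodule option keeps `type = with types; bool;` as an unchanged context line (and the following hunks keep the same form for noLog, persist, keepEnv, setEnv, users, groups, runAs, cmd and args), so with `with lib;` gone the bare `types` there appears to resolve only through the new outer `with lib.types;` scope, which presumably works because `lib.types` re-exports a `types` attribute — worth confirming on the lib side. That is easy to break if someone later narrows the outer `with`, and it is inconsistent with the rest of this commit, which spells out `lib.types` everywhere else. Changing each of those lines to `type = with lib.types; bool;` (and the matching form for the other options) would make the submodule independent of that quirk. The same leftover appears in sudo.nix's extraRules submodule in patch 08 (`with types;` for users, groups, runAs, command, options, and a bare `types.str` for host). The enclosing `extraRules = lib.mkOption { … }` block starts before this hunk and ends after it.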
@@ -170,19 +168,19 @@ in ''; }; - users = mkOption { + users = lib.mkOption { type = with types; listOf (either str int); default = []; description = "The usernames / UIDs this rule should apply for."; }; - groups = mkOption { + groups = lib.mkOption { type = with types; listOf (either str int); default = []; description = "The groups / GIDs this rule should apply for."; }; - runAs = mkOption { + runAs = lib.mkOption { type = with types; nullOr str; default = null; description = '' @@ -196,7 +194,7 @@ in ''; }; - cmd = mkOption { + cmd = lib.mkOption { type = with types; nullOr str; default = null; description = '' @@ -209,7 +207,7 @@ in ''; }; - args = mkOption { + args = lib.mkOption { type = with types; nullOr (listOf str); default = null; description = '' @@ -222,8 +220,8 @@ in ); }; - extraConfig = mkOption { - type = with types; lines; + extraConfig = lib.mkOption { + type = with lib.types; lines; default = ""; description = '' Extra configuration text appended to {file}`doas.conf`. Be aware that @@ -236,9 +234,9 @@ in ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { - security.doas.extraRules = mkOrder 600 [ + security.doas.extraRules = lib.mkOrder 600 [ { groups = [ "wheel" ]; noPass = !cfg.wheelNeedsPassword; @@ -271,7 +269,7 @@ in # `environment.etc."doas.conf"`. # extraRules - ${concatStringsSep "\n" (lists.flatten (map mkRule cfg.extraRules))} + ${lib.concatStringsSep "\n" (lib.lists.flatten (map mkRule cfg.extraRules))} # extraConfig ${cfg.extraConfig} @@ -288,5 +286,5 @@ in }; - meta.maintainers = with maintainers; [ cole-h ]; + meta.maintainers = with lib.maintainers; [ cole-h ]; } From 89f9d95e025e08cca16366dec71525e9615a6f14 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:21 +0100 Subject: [PATCH 04/44] nixos/security.duosec: remove `with lib;` --- nixos/modules/security/duosec.nix | 73 +++++++++++++++---------------- 1 file changed, 35 insertions(+), 38 deletions(-) 
diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index e755b5f0ee534..7543179b7fbeb 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.security.duosec; @@ -11,7 +8,7 @@ let [duo] ikey=${cfg.integrationKey} host=${cfg.host} - ${optionalString (cfg.groups != "") ("groups="+cfg.groups)} + ${lib.optionalString (cfg.groups != "") ("groups="+cfg.groups)} failmode=${cfg.failmode} pushinfo=${boolToStr cfg.pushinfo} autopush=${boolToStr cfg.autopush} 
@@ -26,32 +23,32 @@ let in { imports = [ - (mkRenamedOptionModule [ "security" "duosec" "group" ] [ "security" "duosec" "groups" ]) - (mkRenamedOptionModule [ "security" "duosec" "ikey" ] [ "security" "duosec" "integrationKey" ]) - (mkRemovedOptionModule [ "security" "duosec" "skey" ] "The insecure security.duosec.skey option has been replaced by a new security.duosec.secretKeyFile option. Use this new option to store a secure copy of your key instead.") + (lib.mkRenamedOptionModule [ "security" "duosec" "group" ] [ "security" "duosec" "groups" ]) + (lib.mkRenamedOptionModule [ "security" "duosec" "ikey" ] [ "security" "duosec" "integrationKey" ]) + (lib.mkRemovedOptionModule [ "security" "duosec" "skey" ] "The insecure security.duosec.skey option has been replaced by a new security.duosec.secretKeyFile option. Use this new option to store a secure copy of your key instead.") ]; options = { security.duosec = { - ssh.enable = mkOption { - type = types.bool; + ssh.enable = lib.mkOption { + type = lib.types.bool; default = false; description = "If enabled, protect SSH logins with Duo Security."; }; - pam.enable = mkOption { - type = types.bool; + pam.enable = lib.mkOption { + type = lib.types.bool; default = false; description = "If enabled, protect logins with Duo Security using PAM support."; }; - integrationKey = mkOption { - type = types.str; + integrationKey = lib.mkOption { + type = lib.types.str; description = "Integration key."; }; - secretKeyFile = mkOption { - type = types.nullOr types.path; + secretKeyFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; default = null; description = '' A file containing your secret key. The security of your Duo application is tied to the security of your secret key. 
@@ -59,13 +56,13 @@ in example = "/run/keys/duo-skey"; }; - host = mkOption { - type = types.str; + host = lib.mkOption { + type = lib.types.str; description = "Duo API hostname."; }; - groups = mkOption { - type = types.str; + groups = lib.mkOption { + type = lib.types.str; default = ""; example = "users,!wheel,!*admin guests"; description = '' @@ -76,8 +73,8 @@ in ''; }; - failmode = mkOption { - type = types.enum [ "safe" "secure" ]; + failmode = lib.mkOption { + type = lib.types.enum [ "safe" "secure" ]; default = "safe"; description = '' On service or configuration errors that prevent Duo @@ -86,8 +83,8 @@ in ''; }; - pushinfo = mkOption { - type = types.bool; + pushinfo = lib.mkOption { + type = lib.types.bool; default = false; description = '' Include information such as the command to be executed in @@ -95,8 +92,8 @@ in ''; }; - autopush = mkOption { - type = types.bool; + autopush = lib.mkOption { + type = lib.types.bool; default = false; description = '' If `true`, Duo Unix will automatically send @@ -109,8 +106,8 @@ in ''; }; - motd = mkOption { - type = types.bool; + motd = lib.mkOption { + type = lib.types.bool; default = false; description = '' Print the contents of `/etc/motd` to screen @@ -118,8 +115,8 @@ in ''; }; - prompts = mkOption { - type = types.enum [ 1 2 3 ]; + prompts = lib.mkOption { + type = lib.types.enum [ 1 2 3 ]; default = 3; description = '' If a user fails to authenticate with a second factor, Duo @@ -139,8 +136,8 @@ in ''; }; - acceptEnvFactor = mkOption { - type = types.bool; + acceptEnvFactor = lib.mkOption { + type = lib.types.bool; default = false; description = '' Look for factor selection or passcode in the @@ -154,8 +151,8 @@ in ''; }; - fallbackLocalIP = mkOption { - type = types.bool; + fallbackLocalIP = lib.mkOption { + type = lib.types.bool; default = false; description = '' Duo Unix reports the IP address of the authorizing user, for 
@@ -170,8 +167,8 @@ in ''; }; - allowTcpForwarding = mkOption { - type = types.bool; + allowTcpForwarding = lib.mkOption { + type = lib.types.bool; default = false; description = '' By default, when SSH forwarding, enabling Duo Security will @@ -183,7 +180,7 @@ in }; }; - config = mkIf (cfg.ssh.enable || cfg.pam.enable) { + config = lib.mkIf (cfg.ssh.enable || cfg.pam.enable) { environment.systemPackages = [ pkgs.duo-unix ]; security.wrappers.login_duo = @@ -240,12 +237,12 @@ in /* If PAM *and* SSH are enabled, then don't do anything special. If PAM isn't used, set the default SSH-only options. */ - services.openssh.extraConfig = mkIf (cfg.ssh.enable || cfg.pam.enable) ( + services.openssh.extraConfig = lib.mkIf (cfg.ssh.enable || cfg.pam.enable) ( if cfg.pam.enable then "UseDNS no" else '' # Duo Security configuration ForceCommand ${config.security.wrapperDir}/login_duo PermitTunnel no - ${optionalString (!cfg.allowTcpForwarding) '' + ${lib.optionalString (!cfg.allowTcpForwarding) '' AllowTcpForwarding no ''} ''); From 264f1b4941e47fc2c26932d65500c73d664952d9 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:22 +0100 Subject: [PATCH 05/44] nixos/security.googleOsLogin: remove `with lib;` --- nixos/modules/security/google_oslogin.nix | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/nixos/modules/security/google_oslogin.nix b/nixos/modules/security/google_oslogin.nix index 227e3b5bc4b9d..42dd3b22a0059 100644 --- a/nixos/modules/security/google_oslogin.nix +++ b/nixos/modules/security/google_oslogin.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.security.googleOsLogin; @@ -13,8 +10,8 @@ in options = { - security.googleOsLogin.enable = mkOption { - type = types.bool; + security.googleOsLogin.enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to enable Google OS Login. 
@@ -32,7 +29,7 @@ in }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.pam.services.sshd = { makeHomeDir = true; googleOsLoginAccountVerification = true; From 97b9c7bfcc221300ca25e514f5f2fb4586975257 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:22 +0100 Subject: [PATCH 06/44] nixos/security.lockKernelModules: remove `with lib;` --- nixos/modules/security/lock-kernel-modules.nix | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/nixos/modules/security/lock-kernel-modules.nix b/nixos/modules/security/lock-kernel-modules.nix index 3a1ad4d8b3747..fac7ab87cb98f 100644 --- a/nixos/modules/security/lock-kernel-modules.nix +++ b/nixos/modules/security/lock-kernel-modules.nix @@ -1,15 +1,12 @@ { config, lib, ... }: - -with lib; - { meta = { - maintainers = [ maintainers.joachifm ]; + maintainers = [ lib.maintainers.joachifm ]; }; options = { - security.lockKernelModules = mkOption { - type = types.bool; + security.lockKernelModules = lib.mkOption { + type = lib.types.bool; default = false; description = '' Disable kernel module loading once the system is fully initialised. @@ -20,9 +17,9 @@ with lib; }; }; - config = mkIf config.security.lockKernelModules { - boot.kernelModules = concatMap (x: - optionals (x.device != null) ( + config = lib.mkIf config.security.lockKernelModules { + boot.kernelModules = lib.concatMap (x: + lib.optionals (x.device != null) ( if x.fsType == "vfat" then [ "vfat" "nls-cp437" "nls-iso8859-1" ] else [ x.fsType ]) From 430f4e9c5e5662a5c540fe1f1d8373f76fa1c5ff Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:22 +0100 Subject: [PATCH 07/44] nixos/security.pam: remove `with lib;` --- nixos/modules/security/pam_mount.nix | 77 +++++++++++++--------------- 1 file changed, 37 insertions(+), 40 deletions(-) diff --git a/nixos/modules/security/pam_mount.nix b/nixos/modules/security/pam_mount.nix index bc0c5c5fbfbc3..2915118eb7b48 100644 
--- a/nixos/modules/security/pam_mount.nix +++ b/nixos/modules/security/pam_mount.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.security.pam.mount; @@ -13,23 +10,23 @@ let ${pkgs.lsof}/bin/lsof | ${pkgs.gnugrep}/bin/grep $MNTPT | ${pkgs.gawk}/bin/awk '{print $2}' | ${pkgs.findutils}/bin/xargs ${pkgs.util-linux}/bin/kill -$SIGNAL ''; - anyPamMount = any (attrByPath ["pamMount"] false) (attrValues config.security.pam.services); + anyPamMount = lib.any (lib.attrByPath ["pamMount"] false) (lib.attrValues config.security.pam.services); in { options = { security.pam.mount = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Enable PAM mount system to mount filesystems on user login. ''; }; - extraVolumes = mkOption { - type = types.listOf types.str; + extraVolumes = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = '' List of volume definitions for pam_mount. @@ -37,20 +34,20 @@ in ''; }; - additionalSearchPaths = mkOption { - type = types.listOf types.package; + additionalSearchPaths = lib.mkOption { + type = lib.types.listOf lib.types.package; default = []; - example = literalExpression "[ pkgs.bindfs ]"; + example = lib.literalExpression "[ pkgs.bindfs ]"; description = '' Additional programs to include in the search path of pam_mount. Useful for example if you want to use some FUSE filesystems like bindfs. ''; }; - cryptMountOptions = mkOption { - type = types.listOf types.str; + cryptMountOptions = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; - example = literalExpression '' + example = lib.literalExpression '' [ "allow_discard" ] ''; description = '' 
@@ -59,10 +56,10 @@ in ''; }; - fuseMountOptions = mkOption { - type = types.listOf types.str; + fuseMountOptions = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; - example = literalExpression '' + example = lib.literalExpression '' [ "nodev" "nosuid" "force-user=%(USER)" "gid=%(USERGID)" "perms=0700" "chmod-deny" "chown-deny" "chgrp-deny" ] ''; description = '' @@ -71,8 +68,8 @@ in ''; }; - debugLevel = mkOption { - type = types.int; + debugLevel = lib.mkOption { + type = lib.types.int; default = 0; example = 1; description = '' @@ -82,8 +79,8 @@ in ''; }; - logoutWait = mkOption { - type = types.int; + logoutWait = lib.mkOption { + type = lib.types.int; default = 0; description = '' Amount of microseconds to wait until killing remaining processes after @@ -92,40 +89,40 @@ in ''; }; - logoutHup = mkOption { - type = types.bool; + logoutHup = lib.mkOption { + type = lib.types.bool; default = false; description = '' Kill remaining processes after logout by sending a SIGHUP. ''; }; - logoutTerm = mkOption { - type = types.bool; + logoutTerm = lib.mkOption { + type = lib.types.bool; default = false; description = '' Kill remaining processes after logout by sending a SIGTERM. ''; }; - logoutKill = mkOption { - type = types.bool; + logoutKill = lib.mkOption { + type = lib.types.bool; default = false; description = '' Kill remaining processes after logout by sending a SIGKILL. ''; }; - createMountPoints = mkOption { - type = types.bool; + createMountPoints = lib.mkOption { + type = lib.types.bool; default = true; description = '' Create mountpoints for volumes if they do not exist. ''; }; - removeCreatedMountPoints = mkOption { - type = types.bool; + removeCreatedMountPoints = lib.mkOption { + type = lib.types.bool; default = true; description = '' Remove mountpoints created by pam_mount after logout. This 
@@ -137,13 +134,13 @@ in }; - config = mkIf (cfg.enable || anyPamMount) { + config = lib.mkIf (cfg.enable || anyPamMount) { environment.systemPackages = [ pkgs.pam_mount ]; environment.etc."security/pam_mount.conf.xml" = { source = let - extraUserVolumes = filterAttrs (n: u: u.cryptHomeLuks != null || u.pamMount != {}) config.users.users; + extraUserVolumes = lib.filterAttrs (n: u: u.cryptHomeLuks != null || u.pamMount != {}) config.users.users; mkAttr = k: v: ''${k}="${v}"''; userVolumeEntry = user: let attrs = { @@ -152,7 +149,7 @@ in mountpoint = user.home; } // user.pamMount; in - "\n"; + "\n"; in pkgs.writeText "pam_mount.conf.xml" '' @@ -163,20 +160,20 @@ in - ${makeBinPath ([ pkgs.util-linux ] ++ cfg.additionalSearchPaths)} + ${lib.makeBinPath ([ pkgs.util-linux ] ++ cfg.additionalSearchPaths)} - ${pkgs.fuse}/bin/mount.fuse %(VOLUME) %(MNTPT) -o ,${concatStringsSep "," (cfg.fuseMountOptions ++ [ "%(OPTIONS)" ])}' + ${pkgs.fuse}/bin/mount.fuse %(VOLUME) %(MNTPT) -o ,${lib.concatStringsSep "," (cfg.fuseMountOptions ++ [ "%(OPTIONS)" ])}' ${pkgs.fuse}/bin/fusermount -u %(MNTPT) - ${pkgs.pam_mount}/bin/mount.crypt -o ,${concatStringsSep "," (cfg.cryptMountOptions ++ [ "%(OPTIONS)" ])} %(VOLUME) %(MNTPT) + ${pkgs.pam_mount}/bin/mount.crypt -o ,${lib.concatStringsSep "," (cfg.cryptMountOptions ++ [ "%(OPTIONS)" ])} %(VOLUME) %(MNTPT) ${pkgs.pam_mount}/bin/umount.crypt %(MNTPT) ${pkgs.pam_mount}/bin/pmvarrun -u %(USER) -o %(OPERATION) - ${optionalString oflRequired "${fake_ofl}/bin/fake_ofl %(SIGNAL) %(MNTPT)"} - ${concatStrings (map userVolumeEntry (attrValues extraUserVolumes))} - ${concatStringsSep "\n" cfg.extraVolumes} + ${lib.optionalString oflRequired "${fake_ofl}/bin/fake_ofl %(SIGNAL) %(MNTPT)"} + ${lib.concatStrings (map userVolumeEntry (lib.attrValues extraUserVolumes))} + ${lib.concatStringsSep "\n" cfg.extraVolumes} ''; }; From 5c7e172a284b50c5aa513c5bc5c40810813c2742 Mon Sep 17 00:00:00 2001 
From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:22 +0100 Subject: [PATCH 08/44] nixos/security.sudo: remove `with lib;` --- nixos/modules/security/sudo.nix | 81 ++++++++++++++++----------------- 1 file changed, 39 insertions(+), 42 deletions(-) diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index 2959efd050919..57d1e42ca80c9 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -1,21 +1,18 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.security.sudo; - toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; - toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}"; + toUserString = user: if (lib.isInt user) then "#${toString user}" else "${user}"; + toGroupString = group: if (lib.isInt group) then "%#${toString group}" else "%${group}"; toCommandOptionsString = options: - "${concatStringsSep ":" options}${optionalString (length options != 0) ":"} "; + "${lib.concatStringsSep ":" options}${lib.optionalString (lib.length options != 0) ":"} "; toCommandsString = commands: - concatStringsSep ", " ( + lib.concatStringsSep ", " ( map (command: - if (isString command) then + if (lib.isString command) then command else "${toCommandOptionsString command.options}${command.command}" @@ -30,8 +27,8 @@ in options.security.sudo = { - defaultOptions = mkOption { - type = with types; listOf str; + defaultOptions = lib.mkOption { + type = with lib.types; listOf str; default = [ "SETENV" ]; description = '' Options used for the default rules, granting `root` and the @@ -39,8 +36,8 @@ in ''; }; - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable the {command}`sudo` command, which 
@@ -48,10 +45,10 @@ in ''; }; - package = mkPackageOption pkgs "sudo" { }; + package = lib.mkPackageOption pkgs "sudo" { }; - wheelNeedsPassword = mkOption { - type = types.bool; + wheelNeedsPassword = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether users of the `wheel` group must @@ -59,8 +56,8 @@ in ''; }; - execWheelOnly = mkOption { - type = types.bool; + execWheelOnly = lib.mkOption { + type = lib.types.bool; default = false; description = '' Only allow members of the `wheel` group to execute sudo by @@ -70,8 +67,8 @@ in ''; }; - configFile = mkOption { - type = types.lines; + configFile = lib.mkOption { + type = lib.types.lines; # Note: if syntax errors are detected in this file, the NixOS # configuration will fail to build. description = '' @@ -80,7 +77,7 @@ in ''; }; - extraRules = mkOption { + extraRules = lib.mkOption { description = '' Define specific rules to be in the {file}`sudoers` file. More specific rules should come after more general ones in order to @@ -88,7 +85,7 @@ in this is the case when configuration options are merged. ''; default = []; - example = literalExpression '' + example = lib.literalExpression '' [ # Allow execution of any command by all users in group sudo, # requiring a password. @@ -107,9 +104,9 @@ in { command = '''/home/baz/cmd2.sh ""'''; options = [ "SETENV" ]; } ]; } ] ''; - type = with types; listOf (submodule { + type = with lib.types; listOf (submodule { options = { - users = mkOption { + users = lib.mkOption { type = with types; listOf (either str int); description = '' The usernames / UIDs this rule should apply for. @@ -117,7 +114,7 @@ in default = []; }; - groups = mkOption { + groups = lib.mkOption { type = with types; listOf (either str int); description = '' The groups / GIDs this rule should apply for. @@ -125,7 +122,7 @@ in default = []; }; - host = mkOption { + host = lib.mkOption { type = types.str; default = "ALL"; description = '' 
@@ -133,7 +130,7 @@ in ''; }; - runAs = mkOption { + runAs = lib.mkOption { type = with types; str; default = "ALL:ALL"; description = '' @@ -145,14 +142,14 @@ in ''; }; - commands = mkOption { + commands = lib.mkOption { description = '' The commands for which the rule should apply. ''; type = with types; listOf (either str (submodule { options = { - command = mkOption { + command = lib.mkOption { type = with types; str; description = '' A command being either just a path to a binary to allow any arguments, @@ -161,7 +158,7 @@ in ''; }; - options = mkOption { + options = lib.mkOption { type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" "MAIL" "NOMAIL" "FOLLOW" "NOFLLOW" "INTERCEPT" "NOINTERCEPT"]); description = '' Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/docs/man/1.9.15/sudoers.man/#Tag_Spec). @@ -176,8 +173,8 @@ in }); }; - extraConfig = mkOption { - type = types.lines; + extraConfig = lib.mkOption { + type = lib.types.lines; default = ""; description = '' Extra configuration text appended to {file}`sudoers`. @@ -188,7 +185,7 @@ in ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { assertions = [ { assertion = cfg.package.pname != "sudo-rs"; message = '' 
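Review bot: The enum in the @@ -161,7 +158,7 @@ hunk lists `"NOFLLOW"`, which looks like a typo for the sudoers tag `NOFOLLOW`; as written a user cannot select the real tag, and a rule that uses the misspelt value would emit a sudoers line the sudoers parser presumably rejects. It is a context line this refactor does not touch, so it may belong in a follow-up, but it is visible here and cheap to fix. I would change the entry to `"NOFOLLOW"` and verify the full tag list against the sudoers manual already linked in the description. The enclosing `commands = lib.mkOption { … }` submodule starts before this hunk and ends after it.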
@@ -205,35 +202,35 @@ in options = opts ++ cfg.defaultOptions; } ]; } ]; - in mkMerge [ + in lib.mkMerge [ # This is ordered before users' `mkBefore` rules, # so as not to introduce unexpected changes. - (mkOrder 400 (defaultRule { users = [ "root" ]; })) + (lib.mkOrder 400 (defaultRule { users = [ "root" ]; })) # This is ordered to show before (most) other rules, but # late-enough for a user to `mkBefore` it. - (mkOrder 600 (defaultRule { + (lib.mkOrder 600 (defaultRule { groups = [ "wheel" ]; - opts = (optional (!cfg.wheelNeedsPassword) "NOPASSWD"); + opts = (lib.optional (!cfg.wheelNeedsPassword) "NOPASSWD"); })) ]; - security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [ + security.sudo.configFile = lib.concatStringsSep "\n" (lib.filter (s: s != "") [ '' # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’ # or ‘security.sudo.extraRules’ instead. '' - (pipe cfg.extraRules [ - (filter (rule: length rule.commands != 0)) + (lib.pipe cfg.extraRules [ + (lib.filter (rule: lib.length rule.commands != 0)) (map (rule: [ (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users) (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups) ])) - flatten - (concatStringsSep "\n") + lib.flatten + (lib.concatStringsSep "\n") ]) "\n" - (optionalString (cfg.extraConfig != "") '' + (lib.optionalString (cfg.extraConfig != "") '' # extraConfig ${cfg.extraConfig} '') From ddcd8d565e60aaa7357f4aa148e05b6b4eedc8f3 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:22 +0100 Subject: [PATCH 09/44] nixos/services.corosync: remove `with lib;` --- .../services/cluster/corosync/default.nix | 32 +++++++++---------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/nixos/modules/services/cluster/corosync/default.nix b/nixos/modules/services/cluster/corosync/default.nix index cf3448620a5d7..d79ee832ff739 100644 
--- a/nixos/modules/services/cluster/corosync/default.nix +++ b/nixos/modules/services/cluster/corosync/default.nix @@ -1,42 +1,40 @@ { config, lib, pkgs, ... }: - -with lib; let cfg = config.services.corosync; in { # interface options.services.corosync = { - enable = mkEnableOption "corosync"; + enable = lib.mkEnableOption "corosync"; - package = mkPackageOption pkgs "corosync" { }; + package = lib.mkPackageOption pkgs "corosync" { }; - clusterName = mkOption { - type = types.str; + clusterName = lib.mkOption { + type = lib.types.str; default = "nixcluster"; description = "Name of the corosync cluster."; }; - extraOptions = mkOption { - type = with types; listOf str; + extraOptions = lib.mkOption { + type = with lib.types; listOf str; default = []; description = "Additional options with which to start corosync."; }; - nodelist = mkOption { + nodelist = lib.mkOption { description = "Corosync nodelist: all cluster members."; default = []; - type = with types; listOf (submodule { + type = with lib.types; listOf (submodule { options = { - nodeid = mkOption { + nodeid = lib.mkOption { type = int; description = "Node ID number"; }; - name = mkOption { + name = lib.mkOption { type = str; description = "Node name"; }; - ring_addrs = mkOption { + ring_addrs = lib.mkOption { type = listOf str; description = "List of addresses, one for each ring."; }; @@ -46,7 +44,7 @@ in }; # implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; environment.etc."corosync/corosync.conf".text = '' @@ -58,11 +56,11 @@ in } nodelist { - ${concatMapStrings ({ nodeid, name, ring_addrs }: '' + ${lib.concatMapStrings ({ nodeid, name, ring_addrs }: '' node { nodeid: ${toString nodeid} name: ${name} - ${concatStrings (imap0 (i: addr: '' + ${lib.concatStrings (lib.imap0 (i: addr: '' ring${toString i}_addr: ${addr} '') ring_addrs)} } 
@@ -73,7 +71,7 @@ in # only corosync_votequorum is supported provider: corosync_votequorum wait_for_all: 0 - ${optionalString (builtins.length cfg.nodelist < 3) '' + ${lib.optionalString (builtins.length cfg.nodelist < 3) '' two_node: 1 ''} } From e5c3196d1724e2f20c0fa3bff6acc2ac72e67c1b Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:22 +0100 Subject: [PATCH 10/44] nixos/services.hadoop: remove `with lib;` --- .../services/cluster/hadoop/default.nix | 83 +++++++++---------- 1 file changed, 41 insertions(+), 42 deletions(-) diff --git a/nixos/modules/services/cluster/hadoop/default.nix b/nixos/modules/services/cluster/hadoop/default.nix index 4b255a97f5614..b4f89366d5bd3 100644 --- a/nixos/modules/services/cluster/hadoop/default.nix +++ b/nixos/modules/services/cluster/hadoop/default.nix @@ -3,15 +3,14 @@ let cfg = config.services.hadoop; opt = options.services.hadoop; in -with lib; { imports = [ ./yarn.nix ./hdfs.nix ./hbase.nix ]; options.services.hadoop = { - coreSite = mkOption { + coreSite = lib.mkOption { default = {}; - type = types.attrsOf types.anything; - example = literalExpression '' + type = lib.types.attrsOf lib.types.anything; + example = lib.literalExpression '' { "fs.defaultFS" = "hdfs://localhost"; } 
@@ -21,31 +20,31 @@ with lib; ''; }; - coreSiteInternal = mkOption { + coreSiteInternal = lib.mkOption { default = {}; - type = types.attrsOf types.anything; + type = lib.types.attrsOf lib.types.anything; internal = true; description = '' Internal option to add configs to core-site.xml based on module options ''; }; - hdfsSiteDefault = mkOption { + hdfsSiteDefault = lib.mkOption { default = { "dfs.namenode.rpc-bind-host" = "0.0.0.0"; "dfs.namenode.http-address" = "0.0.0.0:9870"; "dfs.namenode.servicerpc-bind-host" = "0.0.0.0"; "dfs.namenode.http-bind-host" = "0.0.0.0"; }; - type = types.attrsOf types.anything; + type = lib.types.attrsOf lib.types.anything; description = '' Default options for hdfs-site.xml ''; }; - hdfsSite = mkOption { + hdfsSite = lib.mkOption { default = {}; - type = types.attrsOf types.anything; - example = literalExpression '' + type = lib.types.attrsOf lib.types.anything; + example = lib.literalExpression '' { "dfs.nameservices" = "namenode1"; } @@ -55,23 +54,23 @@ with lib; ''; }; - hdfsSiteInternal = mkOption { + hdfsSiteInternal = lib.mkOption { default = {}; - type = types.attrsOf types.anything; + type = lib.types.attrsOf lib.types.anything; internal = true; description = '' Internal option to add configs to hdfs-site.xml based on module options ''; }; - mapredSiteDefault = mkOption { + mapredSiteDefault = lib.mkOption { default = { "mapreduce.framework.name" = "yarn"; "yarn.app.mapreduce.am.env" = "HADOOP_MAPRED_HOME=${cfg.package}"; "mapreduce.map.env" = "HADOOP_MAPRED_HOME=${cfg.package}"; "mapreduce.reduce.env" = "HADOOP_MAPRED_HOME=${cfg.package}"; }; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' { "mapreduce.framework.name" = "yarn"; "yarn.app.mapreduce.am.env" = "HADOOP_MAPRED_HOME=''${config.${opt.package}}"; 
@@ -79,15 +78,15 @@ with lib; "mapreduce.reduce.env" = "HADOOP_MAPRED_HOME=''${config.${opt.package}}"; } ''; - type = types.attrsOf types.anything; + type = lib.types.attrsOf lib.types.anything; description = '' Default options for mapred-site.xml ''; }; - mapredSite = mkOption { + mapredSite = lib.mkOption { default = {}; - type = types.attrsOf types.anything; - example = literalExpression '' + type = lib.types.attrsOf lib.types.anything; + example = lib.literalExpression '' { "mapreduce.map.java.opts" = "-Xmx900m -XX:+UseParallelGC"; } @@ -98,7 +97,7 @@ with lib; ''; }; - yarnSiteDefault = mkOption { + yarnSiteDefault = lib.mkOption { default = { "yarn.nodemanager.admin-env" = "PATH=$PATH"; "yarn.nodemanager.aux-services" = "mapreduce_shuffle"; @@ -112,15 +111,15 @@ with lib; "yarn.resourcemanager.bind-host" = "0.0.0.0"; "yarn.resourcemanager.scheduler.class" = "org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler"; }; - type = types.attrsOf types.anything; + type = lib.types.attrsOf lib.types.anything; description = '' Default options for yarn-site.xml ''; }; - yarnSite = mkOption { + yarnSite = lib.mkOption { default = {}; - type = types.attrsOf types.anything; - example = literalExpression '' + type = lib.types.attrsOf lib.types.anything; + example = lib.literalExpression '' { "yarn.resourcemanager.hostname" = "''${config.networking.hostName}"; } @@ -130,19 +129,19 @@ with lib; ''; }; - yarnSiteInternal = mkOption { + yarnSiteInternal = lib.mkOption { default = {}; - type = types.attrsOf types.anything; + type = lib.types.attrsOf lib.types.anything; internal = true; description = '' Internal option to add configs to yarn-site.xml based on module options ''; }; - httpfsSite = mkOption { + httpfsSite = lib.mkOption { default = { }; - type = types.attrsOf types.anything; - example = literalExpression '' + type = lib.types.attrsOf lib.types.anything; + example = lib.literalExpression '' { "hadoop.http.max.threads" = 500; } 
@@ -153,19 +152,19 @@ with lib; ''; }; - log4jProperties = mkOption { + log4jProperties = lib.mkOption { default = "${cfg.package}/etc/hadoop/log4j.properties"; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' "''${config.${opt.package}}/etc/hadoop/log4j.properties" ''; - type = types.path; - example = literalExpression '' + type = lib.types.path; + example = lib.literalExpression '' "''${pkgs.hadoop}/etc/hadoop/log4j.properties"; ''; description = "log4j.properties file added to HADOOP_CONF_DIR"; }; - containerExecutorCfg = mkOption { + containerExecutorCfg = lib.mkOption { default = { # must be the same as yarn.nodemanager.linux-container-executor.group in yarnSite "yarn.nodemanager.linux-container-executor.group"="hadoop"; @@ -173,8 +172,8 @@ with lib; "feature.terminal.enabled"=1; "feature.mount-cgroup.enabled" = 1; }; - type = types.attrsOf types.anything; - example = literalExpression '' + type = lib.types.attrsOf lib.types.anything; + example = lib.literalExpression '' options.services.hadoop.containerExecutorCfg.default // { "feature.terminal.enabled" = 0; } @@ -185,10 +184,10 @@ with lib; ''; }; - extraConfDirs = mkOption { + extraConfDirs = lib.mkOption { default = []; - type = types.listOf types.path; - example = literalExpression '' + type = lib.types.listOf lib.types.path; + example = lib.literalExpression '' [ ./extraHDFSConfs ./extraYARNConfs @@ -197,13 +196,13 @@ with lib; description = "Directories containing additional config files to be added to HADOOP_CONF_DIR"; }; - gatewayRole.enable = mkEnableOption "gateway role for deploying hadoop configs"; + gatewayRole.enable = lib.mkEnableOption "gateway role for deploying hadoop configs"; - package = mkPackageOption pkgs "hadoop" { }; + package = lib.mkPackageOption pkgs "hadoop" { }; }; - config = mkIf cfg.gatewayRole.enable { + config = lib.mkIf cfg.gatewayRole.enable { users.groups.hadoop = { gid = config.ids.gids.hadoop; }; 
From decec5eaa373bb754ee37285d93b5db045ec416e Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:22 +0100 Subject: [PATCH 11/44] nixos/services.hadoop.hbase*: remove `with lib;` --- .../modules/services/cluster/hadoop/hbase.nix | 104 +++++++++--------- 1 file changed, 51 insertions(+), 53 deletions(-) diff --git a/nixos/modules/services/cluster/hadoop/hbase.nix b/nixos/modules/services/cluster/hadoop/hbase.nix index 8eb8d83fd84cc..b6b45d57032f7 100644 --- a/nixos/modules/services/cluster/hadoop/hbase.nix +++ b/nixos/modules/services/cluster/hadoop/hbase.nix @@ -1,37 +1,35 @@ { config, lib, pkgs, ...}: - -with lib; let cfg = config.services.hadoop; hadoopConf = "${import ./conf.nix { inherit cfg pkgs lib; }}/"; - mkIfNotNull = x: mkIf (x != null) x; + mkIfNotNull = x: lib.mkIf (x != null) x; # generic hbase role options hbaseRoleOption = name: extraOpts: { - enable = mkEnableOption "HBase ${name}"; + enable = lib.mkEnableOption "HBase ${name}"; - openFirewall = mkOption { - type = types.bool; + openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = "Open firewall ports for HBase ${name}."; }; - restartIfChanged = mkOption { - type = types.bool; + restartIfChanged = lib.mkOption { + type = lib.types.bool; default = false; description = "Restart ${name} con config change."; }; - extraFlags = mkOption { - type = with types; listOf str; + extraFlags = lib.mkOption { + type = with lib.types; listOf str; default = []; - example = literalExpression ''[ "--backup" ]''; + example = lib.literalExpression ''[ "--backup" ]''; description = "Extra flags for the ${name} service."; }; - environment = mkOption { - type = with types; attrsOf str; + environment = lib.mkOption { + type = with lib.types; attrsOf str; default = {}; - example = literalExpression '' + example = lib.literalExpression '' { HBASE_MASTER_OPTS = "-Dcom.sun.management.jmxremote.ssl=true"; } 
@@ -40,19 +38,19 @@ let }; } // extraOpts; # generic hbase role configs - hbaseRoleConfig = name: ports: (mkIf cfg.hbase."${name}".enable { + hbaseRoleConfig = name: ports: (lib.mkIf cfg.hbase."${name}".enable { services.hadoop.gatewayRole = { enable = true; - enableHbaseCli = mkDefault true; + enableHbaseCli = lib.mkDefault true; }; - systemd.services."hbase-${toLower name}" = { + systemd.services."hbase-${lib.toLower name}" = { description = "HBase ${name}"; wantedBy = [ "multi-user.target" ]; path = with cfg; [ hbase.package ] ++ optional (with cfg.hbase.master; enable && initHDFS) package; - preStart = mkIf (with cfg.hbase.master; enable && initHDFS) - (concatStringsSep "\n" ( + preStart = lib.mkIf (with cfg.hbase.master; enable && initHDFS) + (lib.concatStringsSep "\n" ( map (x: "HADOOP_USER_NAME=hdfs hdfs --config /etc/hadoop-conf ${x}")[ "dfsadmin -safemode wait" "dfs -mkdir -p ${cfg.hbase.rootdir}" @@ -61,19 +59,19 @@ let )); inherit (cfg.hbase."${name}") environment; - script = concatStringsSep " " ( + script = lib.concatStringsSep " " ( [ "hbase --config /etc/hadoop-conf/" - "${toLower name} start" + "${lib.toLower name} start" ] ++ cfg.hbase."${name}".extraFlags - ++ map (x: "--${toLower x} ${toString cfg.hbase.${name}.${x}}") - (filter (x: hasAttr x cfg.hbase.${name}) ["port" "infoPort"]) + ++ map (x: "--${lib.toLower x} ${toString cfg.hbase.${name}.${x}}") + (lib.filter (x: lib.hasAttr x cfg.hbase.${name}) ["port" "infoPort"]) ); serviceConfig = { User = "hbase"; - SyslogIdentifier = "hbase-${toLower name}"; + SyslogIdentifier = "hbase-${lib.toLower name}"; Restart = "always"; }; }; 
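Review bot: The unchanged context line `path = with cfg; [ hbase.package ] ++ optional (with cfg.hbase.master; enable && initHDFS) package;` inside hbaseRoleConfig still refers to `optional` without a `lib.` prefix, and this commit removes the `with lib;` that used to supply it; `with cfg;` only brings `config.services.hadoop` into scope, which as far as the visible options show has no `optional` attribute, so enabling any HBase role should now fail with an undefined-variable error at evaluation time. Change it to `path = with cfg; [ hbase.package ] ++ lib.optional (with cfg.hbase.master; enable && initHDFS) package;`. Because the diff only shows touched lines, the rest of this file is worth grepping for other bare lib names on unchanged lines before merging. hbaseRoleConfig continues past the end of this hunk.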
@@ -81,10 +79,10 @@ let services.hadoop.hbaseSiteInternal."hbase.rootdir" = cfg.hbase.rootdir; networking = { - firewall.allowedTCPPorts = mkIf cfg.hbase."${name}".openFirewall ports; - hosts = mkIf (with cfg.hbase.regionServer; enable && overrideHosts) { - "127.0.0.2" = mkForce [ ]; - "::1" = mkForce [ ]; + firewall.allowedTCPPorts = lib.mkIf cfg.hbase."${name}".openFirewall ports; + hosts = lib.mkIf (with cfg.hbase.regionServer; enable && overrideHosts) { + "127.0.0.2" = lib.mkForce [ ]; + "::1" = lib.mkForce [ ]; }; }; @@ -93,9 +91,9 @@ in { options.services.hadoop = { - gatewayRole.enableHbaseCli = mkEnableOption "HBase CLI tools"; + gatewayRole.enableHbaseCli = lib.mkEnableOption "HBase CLI tools"; - hbaseSiteDefault = mkOption { + hbaseSiteDefault = lib.mkOption { default = { "hbase.regionserver.ipc.address" = "0.0.0.0"; "hbase.master.ipc.address" = "0.0.0.0"; @@ -104,15 +102,15 @@ in "hbase.cluster.distributed" = "true"; }; - type = types.attrsOf types.anything; + type = lib.types.attrsOf lib.types.anything; description = '' Default options for hbase-site.xml ''; }; - hbaseSite = mkOption { + hbaseSite = lib.mkOption { default = {}; - type = with types; attrsOf anything; - example = literalExpression '' + type = with lib.types; attrsOf anything; + example = lib.literalExpression '' { "hbase.hregion.max.filesize" = 20*1024*1024*1024; "hbase.table.normalization.enabled" = "true"; @@ -123,9 +121,9 @@ in ''; }; - hbaseSiteInternal = mkOption { + hbaseSiteInternal = lib.mkOption { default = {}; - type = with types; attrsOf anything; + type = with lib.types; attrsOf anything; internal = true; description = '' Internal option to add configs to hbase-site.xml based on module options 
@@ -134,9 +132,9 @@ in hbase = { - package = mkPackageOption pkgs "hbase" { }; + package = lib.mkPackageOption pkgs "hbase" { }; - rootdir = mkOption { + rootdir = lib.mkOption { description = '' This option will set "hbase.rootdir" in hbase-site.xml and determine the directory shared by region servers and into which HBase persists. @@ -146,36 +144,36 @@ in Filesystems other than HDFS (like S3, QFS, Swift) are also supported. ''; - type = types.str; + type = lib.types.str; example = "hdfs://nameservice1/hbase"; default = "/hbase"; }; - zookeeperQuorum = mkOption { + zookeeperQuorum = lib.mkOption { description = '' This option will set "hbase.zookeeper.quorum" in hbase-site.xml. Comma separated list of servers in the ZooKeeper ensemble. ''; - type = with types; nullOr commas; + type = with lib.types; nullOr commas; example = "zk1.internal,zk2.internal,zk3.internal"; default = null; }; } // (let ports = port: infoPort: { - port = mkOption { - type = types.int; + port = lib.mkOption { + type = lib.types.int; default = port; description = "RPC port"; }; - infoPort = mkOption { - type = types.int; + infoPort = lib.mkOption { + type = lib.types.int; default = infoPort; description = "web UI port"; }; }; - in mapAttrs hbaseRoleOption { - master.initHDFS = mkEnableOption "initialization of the hbase directory on HDFS"; - regionServer.overrideHosts = mkOption { - type = types.bool; + in lib.mapAttrs hbaseRoleOption { + master.initHDFS = lib.mkEnableOption "initialization of the hbase directory on HDFS"; + regionServer.overrideHosts = lib.mkOption { + type = lib.types.bool; default = true; description = '' Remove /etc/hosts entries for "127.0.0.2" and "::1" defined in nixos/modules/config/networking.nix 
@@ -188,11 +186,11 @@ in }); }; - config = mkMerge ([ + config = lib.mkMerge ([ - (mkIf cfg.gatewayRole.enable { + (lib.mkIf cfg.gatewayRole.enable { - environment.systemPackages = mkIf cfg.gatewayRole.enableHbaseCli [ cfg.hbase.package ]; + environment.systemPackages = lib.mkIf cfg.gatewayRole.enableHbaseCli [ cfg.hbase.package ]; services.hadoop.hbaseSiteInternal = with cfg.hbase; { "hbase.zookeeper.quorum" = mkIfNotNull zookeeperQuorum; @@ -204,7 +202,7 @@ in isSystemUser = true; }; }) - ] ++ (mapAttrsToList hbaseRoleConfig { + ] ++ (lib.mapAttrsToList hbaseRoleConfig { master = [ 16000 16010 ]; regionServer = [ 16020 16030 ]; thrift = with cfg.hbase.thrift; [ port infoPort ]; From e7e4c15a192a004692b1b386aacfd5d94c3055b4 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:22 +0100 Subject: [PATCH 12/44] nixos/services.hadoop.hdfs: remove `with lib;` --- .../modules/services/cluster/hadoop/hdfs.nix | 65 +++++++++---------- 1 file changed, 32 insertions(+), 33 deletions(-) diff --git a/nixos/modules/services/cluster/hadoop/hdfs.nix b/nixos/modules/services/cluster/hadoop/hdfs.nix index 1f61acf4012dd..5ca12f4b4c8b8 100644 --- a/nixos/modules/services/cluster/hadoop/hdfs.nix +++ b/nixos/modules/services/cluster/hadoop/hdfs.nix @@ -1,5 +1,4 @@ { config, lib, pkgs, ... }: -with lib; let cfg = config.services.hadoop; @@ -8,9 +7,9 @@ let # Generator for HDFS service options hadoopServiceOption = { serviceName, firewallOption ? true, extraOpts ? null }: { - enable = mkEnableOption serviceName; - restartIfChanged = mkOption { - type = types.bool; + enable = lib.mkEnableOption serviceName; + restartIfChanged = lib.mkOption { + type = lib.types.bool; description = '' Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. 
@@ -19,8 +18,8 @@ let ''; default = false; }; - extraFlags = mkOption{ - type = with types; listOf str; + extraFlags = lib.mkOption{ + type = with lib.types; listOf str; default = []; description = "Extra command line flags to pass to ${serviceName}"; example = [ @@ -28,23 +27,23 @@ let "-Dcom.sun.management.jmxremote.port=8010" ]; }; - extraEnv = mkOption{ - type = with types; attrsOf str; + extraEnv = lib.mkOption{ + type = with lib.types; attrsOf str; default = {}; description = "Extra environment variables for ${serviceName}"; }; - } // (optionalAttrs firewallOption { - openFirewall = mkOption { - type = types.bool; + } // (lib.optionalAttrs firewallOption { + openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = "Open firewall ports for ${serviceName}."; }; - }) // (optionalAttrs (extraOpts != null) extraOpts); + }) // (lib.optionalAttrs (extraOpts != null) extraOpts); # Generator for HDFS service configs hadoopServiceConfig = { name - , serviceOptions ? cfg.hdfs."${toLower name}" + , serviceOptions ? cfg.hdfs."${lib.toLower name}" , description ? "Hadoop HDFS ${name}" , User ? "hdfs" , allowedTCPPorts ? [ ] 
@@ -53,23 +52,23 @@ let , extraConfig ? { } }: ( - mkIf serviceOptions.enable ( mkMerge [{ - systemd.services."hdfs-${toLower name}" = { + lib.mkIf serviceOptions.enable ( lib.mkMerge [{ + systemd.services."hdfs-${lib.toLower name}" = { inherit description preStart; environment = environment // serviceOptions.extraEnv; wantedBy = [ "multi-user.target" ]; inherit (serviceOptions) restartIfChanged; serviceConfig = { inherit User; - SyslogIdentifier = "hdfs-${toLower name}"; - ExecStart = "${cfg.package}/bin/hdfs --config ${hadoopConf} ${toLower name} ${escapeShellArgs serviceOptions.extraFlags}"; + SyslogIdentifier = "hdfs-${lib.toLower name}"; + ExecStart = "${cfg.package}/bin/hdfs --config ${hadoopConf} ${lib.toLower name} ${lib.escapeShellArgs serviceOptions.extraFlags}"; Restart = "always"; }; }; services.hadoop.gatewayRole.enable = true; - networking.firewall.allowedTCPPorts = mkIf + networking.firewall.allowedTCPPorts = lib.mkIf ((builtins.hasAttr "openFirewall" serviceOptions) && serviceOptions.openFirewall) allowedTCPPorts; } extraConfig]) @@ -80,8 +79,8 @@ in options.services.hadoop.hdfs = { namenode = hadoopServiceOption { serviceName = "HDFS NameNode"; } // { - formatOnInit = mkOption { - type = types.bool; + formatOnInit = lib.mkOption { + type = lib.types.bool; default = false; description = '' Format HDFS namenode on first start. This is useful for quickly spinning up 
@@ -94,18 +93,18 @@ in }; datanode = hadoopServiceOption { serviceName = "HDFS DataNode"; } // { - dataDirs = mkOption { + dataDirs = lib.mkOption { default = null; description = "Tier and path definitions for datanode storage."; - type = with types; nullOr (listOf (submodule { + type = with lib.types; nullOr (listOf (submodule { options = { - type = mkOption { + type = lib.mkOption { type = enum [ "SSD" "DISK" "ARCHIVE" "RAM_DISK" ]; description = '' Storage types ([SSD]/[DISK]/[ARCHIVE]/[RAM_DISK]) for HDFS storage policies. ''; }; - path = mkOption { + path = lib.mkOption { type = path; example = [ "/var/lib/hadoop/hdfs/dn" ]; description = "Determines where on the local filesystem a data node should store its blocks."; @@ -123,8 +122,8 @@ in }; httpfs = hadoopServiceOption { serviceName = "HDFS JournalNode"; } // { - tempPath = mkOption { - type = types.path; + tempPath = lib.mkOption { + type = lib.types.path; default = "/tmp/hadoop/httpfs"; description = "HTTPFS_TEMP path used by HTTPFS"; }; @@ -132,7 +131,7 @@ in }; - config = mkMerge [ + config = lib.mkMerge [ (hadoopServiceConfig { name = "NameNode"; allowedTCPPorts = [ @@ -141,7 +140,7 @@ in 8022 # namenode.servicerpc-address 8019 # dfs.ha.zkfc.port ]; - preStart = (mkIf cfg.hdfs.namenode.formatOnInit + preStart = (lib.mkIf cfg.hdfs.namenode.formatOnInit "${cfg.package}/bin/hdfs --config ${hadoopConf} namenode -format -nonInteractive || true" ); }) @@ -149,7 +148,7 @@ in (hadoopServiceConfig { name = "DataNode"; # port numbers for datanode changed between hadoop 2 and 3 - allowedTCPPorts = if versionAtLeast cfg.package.version "3" then [ + allowedTCPPorts = if lib.versionAtLeast cfg.package.version "3" then [ 9864 # datanode.http.address 9866 # datanode.address 9867 # datanode.ipc.address 
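Review bot: In the `dataDirs` submodule, `path = lib.mkOption { type = path; example = [ "/var/lib/hadoop/hdfs/dn" ]; ... }` gives a list as the example for an option whose type is a single `path`, so the documented example would not type-check against its own option; this predates the commit but the `lib.mkOption` line is touched here. Either make it `example = "/var/lib/hadoop/hdfs/dn";` or move the list form up to `dataDirs` itself as `example = [ { type = "DISK"; path = "/var/lib/hadoop/hdfs/dn"; } ];`, which is the shape the `nullOr (listOf (submodule ...))` type actually accepts.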
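Review bot: `httpfs = hadoopServiceOption { serviceName = "HDFS JournalNode"; } // {` passes the JournalNode name for the HTTPFS service, and hadoopServiceOption (earlier in this diff) feeds `serviceName` into the generated `enable`, `extraFlags` and `extraEnv` descriptions, so the rendered httpfs option docs describe the wrong daemon. This is pre-existing, but the hunk touches this option and the fix is one token: `httpfs = hadoopServiceOption { serviceName = "HDFS HttpFS"; } // {`.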
@@ -158,8 +157,8 @@ in 50010 # datanode.address 50020 # datanode.ipc.address ]; - extraConfig.services.hadoop.hdfsSiteInternal."dfs.datanode.data.dir" = mkIf (cfg.hdfs.datanode.dataDirs!= null) - (concatMapStringsSep "," (x: "["+x.type+"]file://"+x.path) cfg.hdfs.datanode.dataDirs); + extraConfig.services.hadoop.hdfsSiteInternal."dfs.datanode.data.dir" = lib.mkIf (cfg.hdfs.datanode.dataDirs!= null) + (lib.concatMapStringsSep "," (x: "["+x.type+"]file://"+x.path) cfg.hdfs.datanode.dataDirs); }) (hadoopServiceConfig { @@ -185,14 +184,14 @@ in ]; }) - (mkIf cfg.gatewayRole.enable { + (lib.mkIf cfg.gatewayRole.enable { users.users.hdfs = { description = "Hadoop HDFS user"; group = "hadoop"; uid = config.ids.uids.hdfs; }; }) - (mkIf cfg.hdfs.httpfs.enable { + (lib.mkIf cfg.hdfs.httpfs.enable { users.users.httpfs = { description = "Hadoop HTTPFS user"; group = "hadoop"; From c1109e87b0539bba328f36117e5993f99c0fdb6f Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:23 +0100 Subject: [PATCH 13/44] nixos/services.hadoop.yarn: remove `with lib;` --- .../modules/services/cluster/hadoop/yarn.nix | 71 +++++++++---------- 1 file changed, 35 insertions(+), 36 deletions(-) diff --git a/nixos/modules/services/cluster/hadoop/yarn.nix b/nixos/modules/services/cluster/hadoop/yarn.nix index 0a7b4b7e67b03..77eb996360735 100644 --- a/nixos/modules/services/cluster/hadoop/yarn.nix +++ b/nixos/modules/services/cluster/hadoop/yarn.nix @@ -1,10 +1,9 @@ { config, lib, pkgs, ...}: -with lib; let cfg = config.services.hadoop; hadoopConf = "${import ./conf.nix { inherit cfg pkgs lib; }}/"; - restartIfChanged = mkOption { - type = types.bool; + restartIfChanged = lib.mkOption { + type = lib.types.bool; description = '' Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. 
@@ -13,8 +12,8 @@ let ''; default = false; }; - extraFlags = mkOption{ - type = with types; listOf str; + extraFlags = lib.mkOption{ + type = with lib.types; listOf str; default = []; description = "Extra command line flags to pass to the service"; example = [ @@ -22,8 +21,8 @@ let "-Dcom.sun.management.jmxremote.port=8010" ]; }; - extraEnv = mkOption{ - type = with types; attrsOf str; + extraEnv = lib.mkOption{ + type = with lib.types; attrsOf str; default = {}; description = "Extra environment variables"; }; @@ -31,11 +30,11 @@ in { options.services.hadoop.yarn = { resourcemanager = { - enable = mkEnableOption "Hadoop YARN ResourceManager"; + enable = lib.mkEnableOption "Hadoop YARN ResourceManager"; inherit restartIfChanged extraFlags extraEnv; - openFirewall = mkOption { - type = types.bool; + openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Open firewall ports for resourcemanager 
@@ -43,56 +42,56 @@ in }; }; nodemanager = { - enable = mkEnableOption "Hadoop YARN NodeManager"; + enable = lib.mkEnableOption "Hadoop YARN NodeManager"; inherit restartIfChanged extraFlags extraEnv; resource = { - cpuVCores = mkOption { + cpuVCores = lib.mkOption { description = "Number of vcores that can be allocated for containers."; - type = with types; nullOr ints.positive; + type = with lib.types; nullOr ints.positive; default = null; }; - maximumAllocationVCores = mkOption { + maximumAllocationVCores = lib.mkOption { description = "The maximum virtual CPU cores any container can be allocated."; - type = with types; nullOr ints.positive; + type = with lib.types; nullOr ints.positive; default = null; }; - memoryMB = mkOption { + memoryMB = lib.mkOption { description = "Amount of physical memory, in MB, that can be allocated for containers."; - type = with types; nullOr ints.positive; + type = with lib.types; nullOr ints.positive; default = null; }; - maximumAllocationMB = mkOption { + maximumAllocationMB = lib.mkOption { description = "The maximum physical memory any container can be allocated."; - type = with types; nullOr ints.positive; + type = with lib.types; nullOr ints.positive; default = null; }; }; - useCGroups = mkOption { - type = types.bool; + useCGroups = lib.mkOption { + type = lib.types.bool; default = true; description = '' Use cgroups to enforce resource limits on containers ''; }; - localDir = mkOption { + localDir = lib.mkOption { description = "List of directories to store localized files in."; - type = with types; nullOr (listOf path); + type = with lib.types; nullOr (listOf path); example = [ "/var/lib/hadoop/yarn/nm" ]; default = null; }; - addBinBash = mkOption { - type = types.bool; + addBinBash = lib.mkOption { + type = lib.types.bool; default = true; description = '' Add /bin/bash. This is needed by the linux container executor's launch script. 
''; }; - openFirewall = mkOption { - type = types.bool; + openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Open firewall ports for nodemanager. @@ -102,8 +101,8 @@ in }; }; - config = mkMerge [ - (mkIf cfg.gatewayRole.enable { + config = lib.mkMerge [ + (lib.mkIf cfg.gatewayRole.enable { users.users.yarn = { description = "Hadoop YARN user"; group = "hadoop"; @@ -111,7 +110,7 @@ in }; }) - (mkIf cfg.yarn.resourcemanager.enable { + (lib.mkIf cfg.yarn.resourcemanager.enable { systemd.services.yarn-resourcemanager = { description = "Hadoop YARN ResourceManager"; wantedBy = [ "multi-user.target" ]; @@ -122,14 +121,14 @@ in User = "yarn"; SyslogIdentifier = "yarn-resourcemanager"; ExecStart = "${cfg.package}/bin/yarn --config ${hadoopConf} " + - " resourcemanager ${escapeShellArgs cfg.yarn.resourcemanager.extraFlags}"; + " resourcemanager ${lib.escapeShellArgs cfg.yarn.resourcemanager.extraFlags}"; Restart = "always"; }; }; services.hadoop.gatewayRole.enable = true; - networking.firewall.allowedTCPPorts = (mkIf cfg.yarn.resourcemanager.openFirewall [ + networking.firewall.allowedTCPPorts = (lib.mkIf cfg.yarn.resourcemanager.openFirewall [ 8088 # resourcemanager.webapp.address 8030 # resourcemanager.scheduler.address 8031 # resourcemanager.resource-tracker.address @@ -138,11 +137,11 @@ in ]); }) - (mkIf cfg.yarn.nodemanager.enable { + (lib.mkIf cfg.yarn.nodemanager.enable { # Needed because yarn hardcodes /bin/bash in container start scripts # These scripts can't be patched, they are generated at runtime systemd.tmpfiles.rules = [ - (mkIf cfg.yarn.nodemanager.addBinBash "L /bin/bash - - - - /run/current-system/sw/bin/bash") + (lib.mkIf cfg.yarn.nodemanager.addBinBash "L /bin/bash - - - - /run/current-system/sw/bin/bash") ]; systemd.services.yarn-nodemanager = { 
@@ -171,7 +170,7 @@ in SyslogIdentifier = "yarn-nodemanager"; PermissionsStartOnly = true; ExecStart = "${cfg.package}/bin/yarn --config ${hadoopConf} " + - " nodemanager ${escapeShellArgs cfg.yarn.nodemanager.extraFlags}"; + " nodemanager ${lib.escapeShellArgs cfg.yarn.nodemanager.extraFlags}"; Restart = "always"; }; }; @@ -192,7 +191,7 @@ in })]; networking.firewall.allowedTCPPortRanges = [ - (mkIf (cfg.yarn.nodemanager.openFirewall) {from = 1024; to = 65535;}) + (lib.mkIf (cfg.yarn.nodemanager.openFirewall) {from = 1024; to = 65535;}) ]; }) From 42a84adc1c43fc3d1c31718ea35d826c2b8e0edb Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:23 +0100 Subject: [PATCH 14/44] nixos/services.kubernetes.addonManager: remove `with lib;` --- .../cluster/kubernetes/addon-manager.nix | 21 ++++++++----------- 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/nixos/modules/services/cluster/kubernetes/addon-manager.nix b/nixos/modules/services/cluster/kubernetes/addon-manager.nix index 522cb0dd16dae..af4346d3c3ce9 100644 --- a/nixos/modules/services/cluster/kubernetes/addon-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/addon-manager.nix @@ -1,17 +1,14 @@ { config, lib, pkgs, ... }: - -with lib; - let top = config.services.kubernetes; cfg = top.addonManager; - isRBACEnabled = elem "RBAC" top.apiserver.authorizationMode; + isRBACEnabled = lib.elem "RBAC" top.apiserver.authorizationMode; addons = pkgs.runCommand "kubernetes-addons" { } '' mkdir -p $out # since we are mounting the addons to the addon manager, they need to be copied - ${concatMapStringsSep ";" (a: "cp -v ${a}/* $out/") (mapAttrsToList (name: addon: + ${lib.concatMapStringsSep ";" (a: "cp -v ${a}/* $out/") (lib.mapAttrsToList (name: addon: pkgs.writeTextDir "${name}.json" (builtins.toJSON addon) ) (cfg.addons))} ''; 
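Review bot: `(lib.mkIf (cfg.yarn.nodemanager.openFirewall) {from = 1024; to = 65535;})` opens the entire unprivileged TCP range whenever `openFirewall` is set, with no comment explaining why a range rather than the fixed NodeManager ports is required; for a firewall rule this broad a why-comment is worth adding, e.g. `# NodeManager presumably allocates container ports dynamically — confirm the range against the yarn.nodemanager.* port settings before relying on it`. The `openFirewall` option's description higher in this file ("Open firewall ports for nodemanager.", cut off in this view) should also state explicitly that enabling it exposes 1024-65535 rather than a fixed port list, so operators can weigh it against the resourcemanager's enumerated ports.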
@@ -20,14 +17,14 @@ in ###### interface options.services.kubernetes.addonManager = with lib.types; { - bootstrapAddons = mkOption { + bootstrapAddons = lib.mkOption { description = '' Bootstrap addons are like regular addons, but they are applied with cluster-admin rights. They are applied at addon-manager startup only. ''; default = { }; type = attrsOf attrs; - example = literalExpression '' + example = lib.literalExpression '' { "my-service" = { "apiVersion" = "v1"; @@ -42,11 +39,11 @@ in ''; }; - addons = mkOption { + addons = lib.mkOption { description = "Kubernetes addons (any kind of Kubernetes resource can be an addon)."; default = { }; type = attrsOf (either attrs (listOf attrs)); - example = literalExpression '' + example = lib.literalExpression '' { "my-service" = { "apiVersion" = "v1"; @@ -62,11 +59,11 @@ in ''; }; - enable = mkEnableOption "Kubernetes addon manager"; + enable = lib.mkEnableOption "Kubernetes addon manager"; }; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.etc."kubernetes/addons".source = "${addons}/"; systemd.services.kube-addon-manager = { @@ -89,7 +86,7 @@ in }; }; - services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled + services.kubernetes.addonManager.bootstrapAddons = lib.mkIf isRBACEnabled (let name = "system:kube-addon-manager"; namespace = "kube-system"; From e75e6693b7904b42939bd06b9cf516eb824941bc Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:23 +0100 Subject: [PATCH 15/44] nixos/services.kubernetes.apiserver: remove `with lib;` --- .../services/cluster/kubernetes/apiserver.nix | 183 +++++++++--------- 1 file changed, 90 insertions(+), 93 deletions(-) diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix index 81e359e0e642a..e05bcb37e819f 100644 --- a/nixos/modules/services/cluster/kubernetes/apiserver.nix 
+++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix 
@@ -1,36 +1,33 @@ { config, lib, options, pkgs, ... }: - -with lib; - let top = config.services.kubernetes; otop = options.services.kubernetes; cfg = top.apiserver; - isRBACEnabled = elem "RBAC" cfg.authorizationMode; + isRBACEnabled = lib.elem "RBAC" cfg.authorizationMode; - apiserverServiceIP = (concatStringsSep "." ( - take 3 (splitString "." cfg.serviceClusterIpRange + apiserverServiceIP = (lib.concatStringsSep "." ( + lib.take 3 (lib.splitString "." cfg.serviceClusterIpRange )) + ".1"); in { imports = [ - (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"]) - (mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "insecureBindAddress" ] "") - (mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "insecurePort" ] "") - (mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "") - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "servers" ] [ "services" "kubernetes" "apiserver" "etcd" "servers" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "keyFile" ] [ "services" "kubernetes" "apiserver" "etcd" "keyFile" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "certFile" ] [ "services" "kubernetes" "apiserver" "etcd" "certFile" ]) - (mkRenamedOptionModule [ "services" "kubernetes" "etcd" "caFile" ] [ "services" "kubernetes" "apiserver" "etcd" "caFile" ]) + (lib.mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ]) + (lib.mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"]) + (lib.mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "insecureBindAddress" ] "") + (lib.mkRemovedOptionModule [ "services" "kubernetes" 
"apiserver" "insecurePort" ] "") + (lib.mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "") + (lib.mkRenamedOptionModule [ "services" "kubernetes" "etcd" "servers" ] [ "services" "kubernetes" "apiserver" "etcd" "servers" ]) + (lib.mkRenamedOptionModule [ "services" "kubernetes" "etcd" "keyFile" ] [ "services" "kubernetes" "apiserver" "etcd" "keyFile" ]) + (lib.mkRenamedOptionModule [ "services" "kubernetes" "etcd" "certFile" ] [ "services" "kubernetes" "apiserver" "etcd" "certFile" ]) + (lib.mkRenamedOptionModule [ "services" "kubernetes" "etcd" "caFile" ] [ "services" "kubernetes" "apiserver" "etcd" "caFile" ]) ]; ###### interface options.services.kubernetes.apiserver = with lib.types; { - advertiseAddress = mkOption { + advertiseAddress = lib.mkOption { description = '' Kubernetes apiserver IP address on which to advertise the apiserver to members of the cluster. This address must be reachable by the rest @@ -40,13 +37,13 @@ in type = nullOr str; }; - allowPrivileged = mkOption { + allowPrivileged = lib.mkOption { description = "Whether to allow privileged containers on Kubernetes."; default = false; type = bool; }; - authorizationMode = mkOption { + authorizationMode = lib.mkOption { description = '' Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/Webhook/RBAC/Node). See @@ -55,7 +52,7 @@ in type = listOf (enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "Webhook" "RBAC" "Node"]); }; - authorizationPolicy = mkOption { + authorizationPolicy = lib.mkOption { description = '' Kubernetes apiserver authorization policy file. See @@ -64,7 +61,7 @@ in type = listOf attrs; }; - basicAuthFile = mkOption { + basicAuthFile = lib.mkOption { description = '' Kubernetes apiserver basic authentication file. See 
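Review bot: `apiserverServiceIP` near the top of this hunk (`lib.take 3 (lib.splitString "." cfg.serviceClusterIpRange)` followed by `+ ".1"`) keeps the first three dotted fields of the CIDR and appends `.1`, which is the first host of the range only when the range starts on a `.0` boundary and is no smaller than a /24; a range such as a /25 that does not start at `.0` would yield an address outside it. The commit only adds the `lib.` prefix here, so this is pre-existing, but the assumption deserves a comment on that line, e.g. `# first host of the service range; assumes the range starts at .0 and is at least a /24 — confirm against how the apiserver picks the "kubernetes" service IP`. The `let` block and `imports` are complete inside the hunk; the `options.services.kubernetes.apiserver` set that opens at its end continues outside it.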
@@ -73,7 +70,7 @@ in type = nullOr path; }; - bindAddress = mkOption { + bindAddress = lib.mkOption { description = '' The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest @@ -83,14 +80,14 @@ in type = str; }; - clientCaFile = mkOption { + clientCaFile = lib.mkOption { description = "Kubernetes apiserver CA file for client auth."; default = top.caFile; - defaultText = literalExpression "config.${otop.caFile}"; + defaultText = lib.literalExpression "config.${otop.caFile}"; type = nullOr path; }; - disableAdmissionPlugins = mkOption { + disableAdmissionPlugins = lib.mkOption { description = '' Kubernetes admission control plugins to disable. See @@ -99,9 +96,9 @@ in type = listOf str; }; - enable = mkEnableOption "Kubernetes apiserver"; + enable = lib.mkEnableOption "Kubernetes apiserver"; - enableAdmissionPlugins = mkOption { + enableAdmissionPlugins = lib.mkOption { description = '' Kubernetes admission control plugins to enable. See 
@@ -120,89 +117,89 @@ in }; etcd = { - servers = mkOption { + servers = lib.mkOption { description = "List of etcd servers."; default = ["http://127.0.0.1:2379"]; type = types.listOf types.str; }; - keyFile = mkOption { + keyFile = lib.mkOption { description = "Etcd key file."; default = null; type = types.nullOr types.path; }; - certFile = mkOption { + certFile = lib.mkOption { description = "Etcd cert file."; default = null; type = types.nullOr types.path; }; - caFile = mkOption { + caFile = lib.mkOption { description = "Etcd ca file."; default = top.caFile; - defaultText = literalExpression "config.${otop.caFile}"; + defaultText = lib.literalExpression "config.${otop.caFile}"; type = types.nullOr types.path; }; }; - extraOpts = mkOption { + extraOpts = lib.mkOption { description = "Kubernetes apiserver extra command line options."; default = ""; type = separatedString " "; }; - extraSANs = mkOption { + extraSANs = lib.mkOption { description = "Extra x509 Subject Alternative Names to be added to the kubernetes apiserver tls cert."; default = []; type = listOf str; }; - featureGates = mkOption { + featureGates = lib.mkOption { description = "Attribute set of feature gates."; default = top.featureGates; - defaultText = literalExpression "config.${otop.featureGates}"; + defaultText = lib.literalExpression "config.${otop.featureGates}"; type = attrsOf bool; }; - kubeletClientCaFile = mkOption { + kubeletClientCaFile = lib.mkOption { description = "Path to a cert file for connecting to kubelet."; default = top.caFile; - defaultText = literalExpression "config.${otop.caFile}"; + defaultText = lib.literalExpression "config.${otop.caFile}"; type = nullOr path; }; - kubeletClientCertFile = mkOption { + kubeletClientCertFile = lib.mkOption { description = "Client certificate to use for connections to kubelet."; default = null; type = nullOr path; }; - kubeletClientKeyFile = mkOption { + kubeletClientKeyFile = lib.mkOption { description = "Key to use for connections to 
kubelet."; default = null; type = nullOr path; }; - preferredAddressTypes = mkOption { + preferredAddressTypes = lib.mkOption { description = "List of the preferred NodeAddressTypes to use for kubelet connections."; type = nullOr str; default = null; }; - proxyClientCertFile = mkOption { + proxyClientCertFile = lib.mkOption { description = "Client certificate to use for connections to proxy."; default = null; type = nullOr path; }; - proxyClientKeyFile = mkOption { + proxyClientKeyFile = lib.mkOption { description = "Key to use for connections to proxy."; default = null; type = nullOr path; }; - runtimeConfig = mkOption { + runtimeConfig = lib.mkOption { description = '' Api runtime configuration. See @@ -212,7 +209,7 @@ in type = str; }; - storageBackend = mkOption { + storageBackend = lib.mkOption { description = '' Kubernetes apiserver storage backend. ''; @@ -220,13 +217,13 @@ in type = enum ["etcd2" "etcd3"]; }; - securePort = mkOption { + securePort = lib.mkOption { description = "Kubernetes apiserver secure port."; default = 6443; type = int; }; - apiAudiences = mkOption { + apiAudiences = lib.mkOption { description = '' Kubernetes apiserver ServiceAccount issuer. ''; @@ -234,7 +231,7 @@ in type = str; }; - serviceAccountIssuer = mkOption { + serviceAccountIssuer = lib.mkOption { description = '' Kubernetes apiserver ServiceAccount issuer. ''; @@ -242,7 +239,7 @@ in type = str; }; - serviceAccountSigningKeyFile = mkOption { + serviceAccountSigningKeyFile = lib.mkOption { description = '' Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this @@ -251,7 +248,7 @@ in type = path; }; - serviceAccountKeyFile = mkOption { + serviceAccountKeyFile = lib.mkOption { description = '' File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify ServiceAccount tokens. The specified file can contain 
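Review bot: The four `etcd` sub-options at the top of this hunk keep `type = types.listOf types.str;` and `type = types.nullOr types.path;` while every sibling option in the same `with lib.types; { … }` set uses the bare `listOf str` / `nullOr path` names, and `types` itself is no longer brought into scope once `with lib;` is gone. Whether it still evaluates depends on `lib.types` happening to expose a `types` attribute, which is an implementation detail rather than an interface; `type = listOf str;` for `servers` and `type = nullOr path;` for `keyFile`, `certFile` and `caFile` would match the siblings and remove that dependency. The `options.services.kubernetes.apiserver` set this belongs to starts in an earlier hunk and ends after this one.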
@@ -262,7 +259,7 @@ in type = path; }; - serviceClusterIpRange = mkOption { + serviceClusterIpRange = lib.mkOption { description = '' A CIDR notation IP range from which to assign service cluster IPs. This must not overlap with any IP ranges assigned to nodes for pods. @@ -271,19 +268,19 @@ in type = str; }; - tlsCertFile = mkOption { + tlsCertFile = lib.mkOption { description = "Kubernetes apiserver certificate file."; default = null; type = nullOr path; }; - tlsKeyFile = mkOption { + tlsKeyFile = lib.mkOption { description = "Kubernetes apiserver private key file."; default = null; type = nullOr path; }; - tokenAuthFile = mkOption { + tokenAuthFile = lib.mkOption { description = '' Kubernetes apiserver token authentication file. See @@ -292,7 +289,7 @@ in type = nullOr path; }; - verbosity = mkOption { + verbosity = lib.mkOption { description = '' Optional glog verbosity level for logging statements. See @@ -301,7 +298,7 @@ in type = nullOr int; }; - webhookConfig = mkOption { + webhookConfig = lib.mkOption { description = '' Kubernetes apiserver Webhook config file. It uses the kubeconfig file format. See @@ -314,9 +311,9 @@ in ###### implementation - config = mkMerge [ + config = lib.mkMerge [ - (mkIf cfg.enable { + (lib.mkIf cfg.enable { systemd.services.kube-apiserver = { description = "Kubernetes APIServer Service"; wantedBy = [ "kubernetes.target" ]; 
@@ -324,48 +321,48 @@ in serviceConfig = { Slice = "kubernetes.slice"; ExecStart = ''${top.package}/bin/kube-apiserver \ - --allow-privileged=${boolToString cfg.allowPrivileged} \ - --authorization-mode=${concatStringsSep "," cfg.authorizationMode} \ - ${optionalString (elem "ABAC" cfg.authorizationMode) + --allow-privileged=${lib.boolToString cfg.allowPrivileged} \ + --authorization-mode=${lib.concatStringsSep "," cfg.authorizationMode} \ + ${lib.optionalString (lib.elem "ABAC" cfg.authorizationMode) "--authorization-policy-file=${ pkgs.writeText "kube-auth-policy.jsonl" - (concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.authorizationPolicy) + (lib.concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.authorizationPolicy) }" } \ - ${optionalString (elem "Webhook" cfg.authorizationMode) + ${lib.optionalString (lib.elem "Webhook" cfg.authorizationMode) "--authorization-webhook-config-file=${cfg.webhookConfig}" } \ --bind-address=${cfg.bindAddress} \ - ${optionalString (cfg.advertiseAddress != null) + ${lib.optionalString (cfg.advertiseAddress != null) "--advertise-address=${cfg.advertiseAddress}"} \ - ${optionalString (cfg.clientCaFile != null) + ${lib.optionalString (cfg.clientCaFile != null) "--client-ca-file=${cfg.clientCaFile}"} \ - --disable-admission-plugins=${concatStringsSep "," cfg.disableAdmissionPlugins} \ - --enable-admission-plugins=${concatStringsSep "," cfg.enableAdmissionPlugins} \ - --etcd-servers=${concatStringsSep "," cfg.etcd.servers} \ - ${optionalString (cfg.etcd.caFile != null) + --disable-admission-plugins=${lib.concatStringsSep "," cfg.disableAdmissionPlugins} \ + --enable-admission-plugins=${lib.concatStringsSep "," cfg.enableAdmissionPlugins} \ + --etcd-servers=${lib.concatStringsSep "," cfg.etcd.servers} \ + ${lib.optionalString (cfg.etcd.caFile != null) "--etcd-cafile=${cfg.etcd.caFile}"} \ - ${optionalString (cfg.etcd.certFile != null) + ${lib.optionalString (cfg.etcd.certFile != null) "--etcd-certfile=${cfg.etcd.certFile}"} \ - 
${optionalString (cfg.etcd.keyFile != null) + ${lib.optionalString (cfg.etcd.keyFile != null) "--etcd-keyfile=${cfg.etcd.keyFile}"} \ - ${optionalString (cfg.featureGates != {}) - "--feature-gates=${(concatStringsSep "," (builtins.attrValues (mapAttrs (n: v: "${n}=${trivial.boolToString v}") cfg.featureGates)))}"} \ - ${optionalString (cfg.basicAuthFile != null) + ${lib.optionalString (cfg.featureGates != {}) + "--feature-gates=${(lib.concatStringsSep "," (builtins.attrValues (lib.mapAttrs (n: v: "${n}=${lib.trivial.boolToString v}") cfg.featureGates)))}"} \ + ${lib.optionalString (cfg.basicAuthFile != null) "--basic-auth-file=${cfg.basicAuthFile}"} \ - ${optionalString (cfg.kubeletClientCaFile != null) + ${lib.optionalString (cfg.kubeletClientCaFile != null) "--kubelet-certificate-authority=${cfg.kubeletClientCaFile}"} \ - ${optionalString (cfg.kubeletClientCertFile != null) + ${lib.optionalString (cfg.kubeletClientCertFile != null) "--kubelet-client-certificate=${cfg.kubeletClientCertFile}"} \ - ${optionalString (cfg.kubeletClientKeyFile != null) + ${lib.optionalString (cfg.kubeletClientKeyFile != null) "--kubelet-client-key=${cfg.kubeletClientKeyFile}"} \ - ${optionalString (cfg.preferredAddressTypes != null) + ${lib.optionalString (cfg.preferredAddressTypes != null) "--kubelet-preferred-address-types=${cfg.preferredAddressTypes}"} \ - ${optionalString (cfg.proxyClientCertFile != null) + ${lib.optionalString (cfg.proxyClientCertFile != null) "--proxy-client-cert-file=${cfg.proxyClientCertFile}"} \ - ${optionalString (cfg.proxyClientKeyFile != null) + ${lib.optionalString (cfg.proxyClientKeyFile != null) "--proxy-client-key-file=${cfg.proxyClientKeyFile}"} \ - ${optionalString (cfg.runtimeConfig != "") + ${lib.optionalString (cfg.runtimeConfig != "") "--runtime-config=${cfg.runtimeConfig}"} \ --secure-port=${toString cfg.securePort} \ --api-audiences=${toString cfg.apiAudiences} \ 
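Review bot: The `--feature-gates` line in this hunk calls `lib.trivial.boolToString` while the `--allow-privileged` line a few lines above uses `lib.boolToString` for the same conversion; both names refer to the same function, so using `lib.boolToString` throughout the ExecStart string keeps it consistent. The same line also goes through `builtins.attrValues (lib.mapAttrs …)`, which `lib.mapAttrsToList` expresses directly: `"--feature-gates=${lib.concatStringsSep "," (lib.mapAttrsToList (n: v: "${n}=${lib.boolToString v}") cfg.featureGates)}"`. The identical construction appears in the controller-manager hunk `@@ -117,26 +114,26 @@` and the scheduler hunk `@@ -67,12 +64,12 @@` later on this page. The `ExecStart` string starts inside this hunk and continues into the next one.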
@@ -374,13 +371,13 @@ in
 --service-account-key-file=${cfg.serviceAccountKeyFile} \
 --service-cluster-ip-range=${cfg.serviceClusterIpRange} \
 --storage-backend=${cfg.storageBackend} \
- ${optionalString (cfg.tlsCertFile != null)
+ ${lib.optionalString (cfg.tlsCertFile != null)
 "--tls-cert-file=${cfg.tlsCertFile}"} \
- ${optionalString (cfg.tlsKeyFile != null)
+ ${lib.optionalString (cfg.tlsKeyFile != null)
 "--tls-private-key-file=${cfg.tlsKeyFile}"} \
- ${optionalString (cfg.tokenAuthFile != null)
+ ${lib.optionalString (cfg.tokenAuthFile != null)
 "--token-auth-file=${cfg.tokenAuthFile}"} \
- ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
+ ${lib.optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
 ${cfg.extraOpts}
 '';
 WorkingDirectory = top.dataDir;
@@ -397,17 +394,17 @@ in
 };
 services.etcd = {
- clientCertAuth = mkDefault true;
- peerClientCertAuth = mkDefault true;
- listenClientUrls = mkDefault ["https://0.0.0.0:2379"];
- listenPeerUrls = mkDefault ["https://0.0.0.0:2380"];
- advertiseClientUrls = mkDefault ["https://${top.masterAddress}:2379"];
- initialCluster = mkDefault ["${top.masterAddress}=https://${top.masterAddress}:2380"];
- name = mkDefault top.masterAddress;
- initialAdvertisePeerUrls = mkDefault ["https://${top.masterAddress}:2380"];
+ clientCertAuth = lib.mkDefault true;
+ peerClientCertAuth = lib.mkDefault true;
+ listenClientUrls = lib.mkDefault ["https://0.0.0.0:2379"];
+ listenPeerUrls = lib.mkDefault ["https://0.0.0.0:2380"];
+ advertiseClientUrls = lib.mkDefault ["https://${top.masterAddress}:2379"];
+ initialCluster = lib.mkDefault ["${top.masterAddress}=https://${top.masterAddress}:2380"];
+ name = lib.mkDefault top.masterAddress;
+ initialAdvertisePeerUrls = lib.mkDefault ["https://${top.masterAddress}:2380"];
 };
- services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled {
+ services.kubernetes.addonManager.bootstrapAddons = lib.mkIf isRBACEnabled {
 apiserver-kubelet-api-admin-crb = {
 apiVersion = "rbac.authorization.k8s.io/v1";
From 697d1c36603c8c0613858b9abff0b5ef1a880956 Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Sun, 8 Dec 2024 13:18:23 +0100
Subject: [PATCH 16/44] nixos/services.kubernetes.controllerManager: remove `with lib;`
---
 .../cluster/kubernetes/controller-manager.nix | 65 +++++++++----------
 1 file changed, 31 insertions(+), 34 deletions(-)
diff --git a/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixos/modules/services/cluster/kubernetes/controller-manager.nix
index b427de22bf896..044ae8e42153a 100644
--- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix
+++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix
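Review bot: The `services.etcd` defaults in this hunk listen on `https://0.0.0.0:2379` and `https://0.0.0.0:2380`, so the datastore behind the apiserver is reachable on every interface, and the `clientCertAuth` / `peerClientCertAuth = lib.mkDefault true` lines in the same block are what gates access to it; since all of these are `mkDefault`, overriding one of the auth lines alone silently widens exposure. The commit only prefixes the calls, but a one-line comment on the block would make the coupling explicit: `# etcd listens on all interfaces by default; client/peer certificate auth (also defaults) is the only access control, so override these together.` The `services.etcd` block is complete within the hunk; the `bootstrapAddons` set that follows it continues outside.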
@@ -1,7 +1,4 @@
 { config, lib, options, pkgs, ... }:
-
-with lib;
-
 let
 top = config.services.kubernetes;
 otop = options.services.kubernetes;
@@ -9,72 +6,72 @@ let in { imports = [ - (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "address" ] ["services" "kubernetes" "controllerManager" "bindAddress"]) - (mkRemovedOptionModule [ "services" "kubernetes" "controllerManager" "insecurePort" ] "") + (lib.mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "address" ] ["services" "kubernetes" "controllerManager" "bindAddress"]) + (lib.mkRemovedOptionModule [ "services" "kubernetes" "controllerManager" "insecurePort" ] "") ]; ###### interface options.services.kubernetes.controllerManager = with lib.types; { - allocateNodeCIDRs = mkOption { + allocateNodeCIDRs = lib.mkOption { description = "Whether to automatically allocate CIDR ranges for cluster nodes."; default = true; type = bool; }; - bindAddress = mkOption { + bindAddress = lib.mkOption { description = "Kubernetes controller manager listening address."; default = "127.0.0.1"; type = str; }; - clusterCidr = mkOption { + clusterCidr = lib.mkOption { description = "Kubernetes CIDR Range for Pods in cluster."; default = top.clusterCidr; - defaultText = literalExpression "config.${otop.clusterCidr}"; + defaultText = lib.literalExpression "config.${otop.clusterCidr}"; type = str; }; - enable = mkEnableOption "Kubernetes controller manager"; + enable = lib.mkEnableOption "Kubernetes controller manager"; - extraOpts = mkOption { + extraOpts = lib.mkOption { description = "Kubernetes controller manager extra command line options."; default = ""; type = separatedString " "; }; - featureGates = mkOption { + featureGates = lib.mkOption { description = "Attribute set of feature gates."; default = top.featureGates; - defaultText = literalExpression "config.${otop.featureGates}"; + defaultText = lib.literalExpression "config.${otop.featureGates}"; type = attrsOf bool; }; kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes controller manager"; - leaderElect = mkOption { + leaderElect = lib.mkOption { description = "Whether to start 
leader election before executing main loop."; type = bool; default = true; }; - rootCaFile = mkOption { + rootCaFile = lib.mkOption { description = '' Kubernetes controller manager certificate authority file included in service account's token secret. ''; default = top.caFile; - defaultText = literalExpression "config.${otop.caFile}"; + defaultText = lib.literalExpression "config.${otop.caFile}"; type = nullOr path; }; - securePort = mkOption { + securePort = lib.mkOption { description = "Kubernetes controller manager secure listening port."; default = 10252; type = int; }; - serviceAccountKeyFile = mkOption { + serviceAccountKeyFile = lib.mkOption { description = '' Kubernetes controller manager PEM-encoded private RSA key file used to sign service account tokens @@ -83,19 +80,19 @@ in type = nullOr path; }; - tlsCertFile = mkOption { + tlsCertFile = lib.mkOption { description = "Kubernetes controller-manager certificate file."; default = null; type = nullOr path; }; - tlsKeyFile = mkOption { + tlsKeyFile = lib.mkOption { description = "Kubernetes controller-manager private key file."; default = null; type = nullOr path; }; - verbosity = mkOption { + verbosity = lib.mkOption { description = '' Optional glog verbosity level for logging statements. See @@ -107,7 +104,7 @@ in }; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.services.kube-controller-manager = { description = "Kubernetes Controller Manager Service"; wantedBy = [ "kubernetes.target" ]; 
@@ -117,26 +114,26 @@ in Restart = "on-failure"; Slice = "kubernetes.slice"; ExecStart = ''${top.package}/bin/kube-controller-manager \ - --allocate-node-cidrs=${boolToString cfg.allocateNodeCIDRs} \ + --allocate-node-cidrs=${lib.boolToString cfg.allocateNodeCIDRs} \ --bind-address=${cfg.bindAddress} \ - ${optionalString (cfg.clusterCidr!=null) + ${lib.optionalString (cfg.clusterCidr!=null) "--cluster-cidr=${cfg.clusterCidr}"} \ - ${optionalString (cfg.featureGates != {}) - "--feature-gates=${concatStringsSep "," (builtins.attrValues (mapAttrs (n: v: "${n}=${trivial.boolToString v}") cfg.featureGates))}"} \ + ${lib.optionalString (cfg.featureGates != {}) + "--feature-gates=${lib.concatStringsSep "," (builtins.attrValues (lib.mapAttrs (n: v: "${n}=${lib.trivial.boolToString v}") cfg.featureGates))}"} \ --kubeconfig=${top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \ - --leader-elect=${boolToString cfg.leaderElect} \ - ${optionalString (cfg.rootCaFile!=null) + --leader-elect=${lib.boolToString cfg.leaderElect} \ + ${lib.optionalString (cfg.rootCaFile!=null) "--root-ca-file=${cfg.rootCaFile}"} \ --secure-port=${toString cfg.securePort} \ - ${optionalString (cfg.serviceAccountKeyFile!=null) + ${lib.optionalString (cfg.serviceAccountKeyFile!=null) "--service-account-private-key-file=${cfg.serviceAccountKeyFile}"} \ - ${optionalString (cfg.tlsCertFile!=null) + ${lib.optionalString (cfg.tlsCertFile!=null) "--tls-cert-file=${cfg.tlsCertFile}"} \ - ${optionalString (cfg.tlsKeyFile!=null) + ${lib.optionalString (cfg.tlsKeyFile!=null) "--tls-private-key-file=${cfg.tlsKeyFile}"} \ - ${optionalString (elem "RBAC" top.apiserver.authorizationMode) + ${lib.optionalString (lib.elem "RBAC" top.apiserver.authorizationMode) "--use-service-account-credentials"} \ - ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ + ${lib.optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ ${cfg.extraOpts} ''; WorkingDirectory = 
top.dataDir;
@@ -162,7 +159,7 @@ in
 };
 };
- services.kubernetes.controllerManager.kubeconfig.server = mkDefault top.apiserverAddress;
+ services.kubernetes.controllerManager.kubeconfig.server = lib.mkDefault top.apiserverAddress;
 };
 meta.buildDocsInSandbox = false;
From ac653187c5745caad46c874f9bae3f7241e3e46f Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Sun, 8 Dec 2024 13:18:23 +0100
Subject: [PATCH 17/44] nixos/services.kubernetes: remove `with lib;`
---
 .../services/cluster/kubernetes/default.nix | 133 +++++++++---------
 1 file changed, 65 insertions(+), 68 deletions(-)
diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix
index 208b2a864f024..dea16f2d319bb 100644
--- a/nixos/modules/services/cluster/kubernetes/default.nix
+++ b/nixos/modules/services/cluster/kubernetes/default.nix
@@ -1,7 +1,4 @@
 { config, lib, options, pkgs, ... }:
-
-with lib;
-
 let
 cfg = config.services.kubernetes;
 opt = options.services.kubernetes;
@@ -76,41 +73,41 @@ let secret = name: "${cfg.secretsPath}/${name}.pem"; mkKubeConfigOptions = prefix: { - server = mkOption { + server = lib.mkOption { description = "${prefix} kube-apiserver server address."; - type = types.str; + type = lib.types.str; }; - caFile = mkOption { + caFile = lib.mkOption { description = "${prefix} certificate authority file used to connect to kube-apiserver."; - type = types.nullOr types.path; + type = lib.types.nullOr lib.types.path; default = cfg.caFile; - defaultText = literalExpression "config.${opt.caFile}"; + defaultText = lib.literalExpression "config.${opt.caFile}"; }; - certFile = mkOption { + certFile = lib.mkOption { description = "${prefix} client certificate file used to connect to kube-apiserver."; - type = types.nullOr types.path; + type = lib.types.nullOr lib.types.path; default = null; }; - keyFile = mkOption { + keyFile = lib.mkOption { description = "${prefix} client key file used to connect to kube-apiserver."; - type = types.nullOr types.path; + type = lib.types.nullOr lib.types.path; default = null; }; }; in { imports = [ - (mkRemovedOptionModule [ "services" "kubernetes" "addons" "dashboard" ] "Removed due to it being an outdated version") - (mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "") + (lib.mkRemovedOptionModule [ "services" "kubernetes" "addons" "dashboard" ] "Removed due to it being an outdated version") + (lib.mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "") ]; ###### interface options.services.kubernetes = { - roles = mkOption { + roles = lib.mkOption { description = '' Kubernetes role that this machine should take. 
@@ -119,79 +116,79 @@ in { Node role will enable flannel, docker, kubelet and proxy services. ''; default = []; - type = types.listOf (types.enum ["master" "node"]); + type = lib.types.listOf (lib.types.enum ["master" "node"]); }; - package = mkPackageOption pkgs "kubernetes" { }; + package = lib.mkPackageOption pkgs "kubernetes" { }; kubeconfig = mkKubeConfigOptions "Default kubeconfig"; - apiserverAddress = mkOption { + apiserverAddress = lib.mkOption { description = '' Clusterwide accessible address for the kubernetes apiserver, including protocol and optional port. ''; example = "https://kubernetes-apiserver.example.com:6443"; - type = types.str; + type = lib.types.str; }; - caFile = mkOption { + caFile = lib.mkOption { description = "Default kubernetes certificate authority"; - type = types.nullOr types.path; + type = lib.types.nullOr lib.types.path; default = null; }; - dataDir = mkOption { + dataDir = lib.mkOption { description = "Kubernetes root directory for managing kubelet files."; default = "/var/lib/kubernetes"; - type = types.path; + type = lib.types.path; }; - easyCerts = mkOption { + easyCerts = lib.mkOption { description = "Automatically setup x509 certificates and keys for the entire cluster."; default = false; - type = types.bool; + type = lib.types.bool; }; - featureGates = mkOption { + featureGates = lib.mkOption { description = "List set of feature gates."; default = {}; - type = types.attrsOf types.bool; + type = lib.types.attrsOf lib.types.bool; }; - masterAddress = mkOption { + masterAddress = lib.mkOption { description = "Clusterwide available network address or hostname for the kubernetes master server."; example = "master.example.com"; - type = types.str; + type = lib.types.str; }; - path = mkOption { + path = lib.mkOption { description = "Packages added to the services' PATH environment variable. 
Both the bin and sbin subdirectories of each package are added."; - type = types.listOf types.package; + type = lib.types.listOf lib.types.package; default = []; }; - clusterCidr = mkOption { + clusterCidr = lib.mkOption { description = "Kubernetes controller manager and proxy CIDR Range for Pods in cluster."; default = "10.1.0.0/16"; - type = types.nullOr types.str; + type = lib.types.nullOr lib.types.str; }; - lib = mkOption { + lib = lib.mkOption { description = "Common functions for the kubernetes modules."; default = { inherit mkCert; inherit mkKubeConfig; inherit mkKubeConfigOptions; }; - type = types.attrs; + type = lib.types.attrs; }; - secretsPath = mkOption { + secretsPath = lib.mkOption { description = "Default location for kubernetes secrets. Not a store location."; - type = types.path; + type = lib.types.path; default = cfg.dataDir + "/secrets"; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' config.${opt.dataDir} + "/secrets" ''; }; 
@@ -199,23 +196,23 @@ in { ###### implementation - config = mkMerge [ + config = lib.mkMerge [ - (mkIf cfg.easyCerts { - services.kubernetes.pki.enable = mkDefault true; + (lib.mkIf cfg.easyCerts { + services.kubernetes.pki.enable = lib.mkDefault true; services.kubernetes.caFile = caCert; }) - (mkIf (elem "master" cfg.roles) { - services.kubernetes.apiserver.enable = mkDefault true; - services.kubernetes.scheduler.enable = mkDefault true; - services.kubernetes.controllerManager.enable = mkDefault true; - services.kubernetes.addonManager.enable = mkDefault true; - services.kubernetes.proxy.enable = mkDefault true; + (lib.mkIf (lib.elem "master" cfg.roles) { + services.kubernetes.apiserver.enable = lib.mkDefault true; + services.kubernetes.scheduler.enable = lib.mkDefault true; + services.kubernetes.controllerManager.enable = lib.mkDefault true; + services.kubernetes.addonManager.enable = lib.mkDefault true; + services.kubernetes.proxy.enable = lib.mkDefault true; services.etcd.enable = true; # Cannot mkDefault because of flannel default options services.kubernetes.kubelet = { - enable = mkDefault true; - taints = mkIf (!(elem "node" cfg.roles)) { + enable = lib.mkDefault true; + taints = lib.mkIf (!(lib.elem "node" cfg.roles)) { master = { key = "node-role.kubernetes.io/master"; value = "true"; 
@@ -226,36 +223,36 @@ in { }) - (mkIf (all (el: el == "master") cfg.roles) { + (lib.mkIf (lib.all (el: el == "master") cfg.roles) { # if this node is only a master make it unschedulable by default - services.kubernetes.kubelet.unschedulable = mkDefault true; + services.kubernetes.kubelet.unschedulable = lib.mkDefault true; }) - (mkIf (elem "node" cfg.roles) { - services.kubernetes.kubelet.enable = mkDefault true; - services.kubernetes.proxy.enable = mkDefault true; + (lib.mkIf (lib.elem "node" cfg.roles) { + services.kubernetes.kubelet.enable = lib.mkDefault true; + services.kubernetes.proxy.enable = lib.mkDefault true; }) # Using "services.kubernetes.roles" will automatically enable easyCerts and flannel - (mkIf (cfg.roles != []) { - services.kubernetes.flannel.enable = mkDefault true; - services.flannel.etcd.endpoints = mkDefault etcdEndpoints; - services.kubernetes.easyCerts = mkDefault true; + (lib.mkIf (cfg.roles != []) { + services.kubernetes.flannel.enable = lib.mkDefault true; + services.flannel.etcd.endpoints = lib.mkDefault etcdEndpoints; + services.kubernetes.easyCerts = lib.mkDefault true; }) - (mkIf cfg.apiserver.enable { - services.kubernetes.pki.etcClusterAdminKubeconfig = mkDefault "kubernetes/cluster-admin.kubeconfig"; - services.kubernetes.apiserver.etcd.servers = mkDefault etcdEndpoints; + (lib.mkIf cfg.apiserver.enable { + services.kubernetes.pki.etcClusterAdminKubeconfig = lib.mkDefault "kubernetes/cluster-admin.kubeconfig"; + services.kubernetes.apiserver.etcd.servers = lib.mkDefault etcdEndpoints; }) - (mkIf cfg.kubelet.enable { + (lib.mkIf cfg.kubelet.enable { virtualisation.containerd = { - enable = mkDefault true; - settings = mapAttrsRecursive (name: mkDefault) defaultContainerdSettings; + enable = lib.mkDefault true; + settings = lib.mapAttrsRecursive (name: lib.mkDefault) defaultContainerdSettings; }; }) - (mkIf (cfg.apiserver.enable || cfg.controllerManager.enable) { + (lib.mkIf (cfg.apiserver.enable || cfg.controllerManager.enable) { 
services.kubernetes.pki.certs = { serviceAccount = mkCert { name = "service-account"; @@ -269,7 +266,7 @@ in { }; }) - (mkIf ( + (lib.mkIf ( cfg.apiserver.enable || cfg.scheduler.enable || cfg.controllerManager.enable || @@ -299,9 +296,9 @@ in { users.groups.kubernetes.gid = config.ids.gids.kubernetes; # dns addon is enabled by default - services.kubernetes.addons.dns.enable = mkDefault true; + services.kubernetes.addons.dns.enable = lib.mkDefault true; - services.kubernetes.apiserverAddress = mkDefault ("https://${if cfg.apiserver.advertiseAddress != null + services.kubernetes.apiserverAddress = lib.mkDefault ("https://${if cfg.apiserver.advertiseAddress != null then cfg.apiserver.advertiseAddress else "${cfg.masterAddress}:${toString cfg.apiserver.securePort}"}"); }) From c41bc079d16bb4539181ea063361e57b9bbecaf6 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:23 +0100 Subject: [PATCH 18/44] nixos/services.kubernetes.scheduler: remove `with lib;` --- .../services/cluster/kubernetes/scheduler.nix | 31 +++++++++---------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/nixos/modules/services/cluster/kubernetes/scheduler.nix b/nixos/modules/services/cluster/kubernetes/scheduler.nix index 6fb90469c706b..05205a529f8d9 100644 --- a/nixos/modules/services/cluster/kubernetes/scheduler.nix +++ b/nixos/modules/services/cluster/kubernetes/scheduler.nix @@ -1,7 +1,4 @@ { config, lib, options, pkgs, ... }: - -with lib; - let top = config.services.kubernetes; otop = options.services.kubernetes; 
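Review bot: In the `virtualisation.containerd` block of the `@@ -226,36 +223,36 @@` hunk, `lib.mapAttrsRecursive (name: lib.mkDefault) defaultContainerdSettings` binds `name` without using it; `settings = lib.mapAttrsRecursive (_: lib.mkDefault) defaultContainerdSettings;` makes the intent — lower the priority of every leaf value — visible at a glance. Nothing else in that hunk changes beyond the `lib.` prefix. The `lib.mkMerge [ … ]` list it belongs to starts in the previous hunk and continues after this one.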
@@ -11,42 +8,42 @@ in ###### interface options.services.kubernetes.scheduler = with lib.types; { - address = mkOption { + address = lib.mkOption { description = "Kubernetes scheduler listening address."; default = "127.0.0.1"; type = str; }; - enable = mkEnableOption "Kubernetes scheduler"; + enable = lib.mkEnableOption "Kubernetes scheduler"; - extraOpts = mkOption { + extraOpts = lib.mkOption { description = "Kubernetes scheduler extra command line options."; default = ""; type = separatedString " "; }; - featureGates = mkOption { + featureGates = lib.mkOption { description = "Attribute set of feature gates."; default = top.featureGates; - defaultText = literalExpression "config.${otop.featureGates}"; + defaultText = lib.literalExpression "config.${otop.featureGates}"; type = attrsOf bool; }; kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes scheduler"; - leaderElect = mkOption { + leaderElect = lib.mkOption { description = "Whether to start leader election before executing main loop."; type = bool; default = true; }; - port = mkOption { + port = lib.mkOption { description = "Kubernetes scheduler listening port."; default = 10251; type = port; }; - verbosity = mkOption { + verbosity = lib.mkOption { description = '' Optional glog verbosity level for logging statements. See @@ -58,7 +55,7 @@ in }; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.services.kube-scheduler = { description = "Kubernetes Scheduler Service"; wantedBy = [ "kubernetes.target" ]; 
@@ -67,12 +64,12 @@ in Slice = "kubernetes.slice"; ExecStart = ''${top.package}/bin/kube-scheduler \ --bind-address=${cfg.address} \ - ${optionalString (cfg.featureGates != {}) - "--feature-gates=${concatStringsSep "," (builtins.attrValues (mapAttrs (n: v: "${n}=${trivial.boolToString v}") cfg.featureGates))}"} \ + ${lib.optionalString (cfg.featureGates != {}) + "--feature-gates=${lib.concatStringsSep "," (builtins.attrValues (lib.mapAttrs (n: v: "${n}=${lib.trivial.boolToString v}") cfg.featureGates))}"} \ --kubeconfig=${top.lib.mkKubeConfig "kube-scheduler" cfg.kubeconfig} \ - --leader-elect=${boolToString cfg.leaderElect} \ + --leader-elect=${lib.boolToString cfg.leaderElect} \ --secure-port=${toString cfg.port} \ - ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ + ${lib.optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ ${cfg.extraOpts} ''; WorkingDirectory = top.dataDir; @@ -94,7 +91,7 @@ in }; }; - services.kubernetes.scheduler.kubeconfig.server = mkDefault top.apiserverAddress; + services.kubernetes.scheduler.kubeconfig.server = lib.mkDefault top.apiserverAddress; }; meta.buildDocsInSandbox = false; From 5ee4c4b0a127c297a08d41ef409d93784fbd4709 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:23 +0100 Subject: [PATCH 19/44] nixos/services.buildbot-worker: remove `with lib;` --- .../buildbot/worker.nix | 78 +++++++++---------- 1 file changed, 37 insertions(+), 41 deletions(-) diff --git a/nixos/modules/services/continuous-integration/buildbot/worker.nix b/nixos/modules/services/continuous-integration/buildbot/worker.nix index 1534ca6f57855..62b38d2829aa4 100644 --- a/nixos/modules/services/continuous-integration/buildbot/worker.nix +++ b/nixos/modules/services/continuous-integration/buildbot/worker.nix 
@@ -1,9 +1,5 @@
 # NixOS module for Buildbot Worker.
-
 { config, lib, options, pkgs, ... }:
-
-with lib;
-
 let
 cfg = config.services.buildbot-worker;
 opt = options.services.buildbot-worker;
@@ -47,106 +43,106 @@ in { options = { services.buildbot-worker = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = "Whether to enable the Buildbot Worker."; }; - user = mkOption { + user = lib.mkOption { default = "bbworker"; - type = types.str; + type = lib.types.str; description = "User the buildbot Worker should execute under."; }; - group = mkOption { + group = lib.mkOption { default = "bbworker"; - type = types.str; + type = lib.types.str; description = "Primary group of buildbot Worker user."; }; - extraGroups = mkOption { - type = types.listOf types.str; + extraGroups = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = "List of extra groups that the Buildbot Worker user should be a part of."; }; - home = mkOption { + home = lib.mkOption { default = "/home/bbworker"; - type = types.path; + type = lib.types.path; description = "Buildbot home directory."; }; - buildbotDir = mkOption { + buildbotDir = lib.mkOption { default = "${cfg.home}/worker"; - defaultText = literalExpression ''"''${config.${opt.home}}/worker"''; - type = types.path; + defaultText = lib.literalExpression ''"''${config.${opt.home}}/worker"''; + type = lib.types.path; description = "Specifies the Buildbot directory."; }; - workerUser = mkOption { + workerUser = lib.mkOption { default = "example-worker"; - type = types.str; + type = lib.types.str; description = "Specifies the Buildbot Worker user."; }; - workerPass = mkOption { + workerPass = lib.mkOption { default = "pass"; - type = types.str; + type = lib.types.str; description = "Specifies the Buildbot Worker password."; }; - workerPassFile = mkOption { - type = types.path; + workerPassFile = lib.mkOption { + type = lib.types.path; description = "File used to store the Buildbot Worker password"; }; - hostMessage = mkOption { + hostMessage = lib.mkOption { default = null; - type = types.nullOr types.str; + type = lib.types.nullOr 
lib.types.str; description = "Description of this worker"; }; - adminMessage = mkOption { + adminMessage = lib.mkOption { default = null; - type = types.nullOr types.str; + type = lib.types.nullOr lib.types.str; description = "Name of the administrator of this worker"; }; - masterUrl = mkOption { + masterUrl = lib.mkOption { default = "localhost:9989"; - type = types.str; + type = lib.types.str; description = "Specifies the Buildbot Worker connection string."; }; - keepalive = mkOption { + keepalive = lib.mkOption { default = 600; - type = types.int; + type = lib.types.int; description = '' This is a number that indicates how frequently keepalive messages should be sent from the worker to the buildmaster, expressed in seconds. ''; }; - package = mkPackageOption pkgs "buildbot-worker" { }; + package = lib.mkPackageOption pkgs "buildbot-worker" { }; - packages = mkOption { + packages = lib.mkOption { default = with pkgs; [ git ]; - defaultText = literalExpression "[ pkgs.git ]"; - type = types.listOf types.package; + defaultText = lib.literalExpression "[ pkgs.git ]"; + type = lib.types.listOf lib.types.package; description = "Packages to add to PATH for the buildbot process."; }; }; }; - config = mkIf cfg.enable { - services.buildbot-worker.workerPassFile = mkDefault (pkgs.writeText "buildbot-worker-password" cfg.workerPass); + config = lib.mkIf cfg.enable { + services.buildbot-worker.workerPassFile = lib.mkDefault (pkgs.writeText "buildbot-worker-password" cfg.workerPass); - users.groups = optionalAttrs (cfg.group == "bbworker") { + users.groups = lib.optionalAttrs (cfg.group == "bbworker") { bbworker = { }; }; - users.users = optionalAttrs (cfg.user == "bbworker") { + users.users = lib.optionalAttrs (cfg.user == "bbworker") { bbworker = { description = "Buildbot Worker User."; isNormalUser = true; 
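Review bot: The new default `services.buildbot-worker.workerPassFile = lib.mkDefault (pkgs.writeText "buildbot-worker-password" cfg.workerPass);` writes the worker password into the Nix store, which is readable by every local user, and neither the `workerPass` nor the `workerPassFile` option description mentions this. Since the `workerPass = lib.mkOption {` line is touched by this hunk anyway, its description could carry the caveat, e.g. `description = "Specifies the Buildbot Worker password. Note: this value is copied into the world-readable Nix store; set workerPassFile to keep the secret out of the store.";`. The `config = lib.mkIf cfg.enable { … }` block that contains the default continues past the end of this hunk.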
@@ -167,10 +163,10 @@ in { preStart = '' mkdir -vp "${cfg.buildbotDir}/info" - ${optionalString (cfg.hostMessage != null) '' + ${lib.optionalString (cfg.hostMessage != null) '' ln -sf "${pkgs.writeText "buildbot-worker-host" cfg.hostMessage}" "${cfg.buildbotDir}/info/host" ''} - ${optionalString (cfg.adminMessage != null) '' + ${lib.optionalString (cfg.adminMessage != null) '' ln -sf "${pkgs.writeText "buildbot-worker-admin" cfg.adminMessage}" "${cfg.buildbotDir}/info/admin" ''} ''; From d575253885cd4c02dc7bba6d972dbfa4812cb263 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:23 +0100 Subject: [PATCH 20/44] nixos/services.github-runners: remove `with lib;` --- .../github-runner/options.nix | 78 +++++++------ .../github-runner/service.nix | 104 +++++++++--------- 2 files changed, 89 insertions(+), 93 deletions(-) diff --git a/nixos/modules/services/continuous-integration/github-runner/options.nix b/nixos/modules/services/continuous-integration/github-runner/options.nix index 6ace6a1b187fc..db8bba499de70 100644 --- a/nixos/modules/services/continuous-integration/github-runner/options.nix +++ b/nixos/modules/services/continuous-integration/github-runner/options.nix @@ -2,10 +2,8 @@ , pkgs , ... }: - -with lib; { - options.services.github-runners = mkOption { + options.services.github-runners = lib.mkOption { description = '' Multiple GitHub Runners. ''; @@ -25,9 +23,9 @@ with lib; }; }; default = { }; - type = types.attrsOf (types.submodule ({ name, ... }: { + type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: { options = { - enable = mkOption { + enable = lib.mkOption { default = false; example = true; description = '' 
@@ -36,11 +34,11 @@ with lib; Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here: [About self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners). ''; - type = types.bool; + type = lib.types.bool; }; - url = mkOption { - type = types.str; + url = lib.mkOption { + type = lib.types.str; description = '' Repository to add the runner to. @@ -57,8 +55,8 @@ with lib; example = "https://github.com/nixos/nixpkgs"; }; - tokenFile = mkOption { - type = types.path; + tokenFile = lib.mkOption { + type = lib.types.path; description = '' The full path to a file which contains either @@ -100,8 +98,8 @@ with lib; example = "/run/secrets/github-runner/nixos.token"; }; - name = mkOption { - type = types.nullOr types.str; + name = lib.mkOption { + type = lib.types.nullOr lib.types.str; description = '' Name of the runner to configure. If null, defaults to the hostname. @@ -111,8 +109,8 @@ with lib; default = name; }; - runnerGroup = mkOption { - type = types.nullOr types.str; + runnerGroup = lib.mkOption { + type = lib.types.nullOr lib.types.str; description = '' Name of the runner group to add this runner to (defaults to the default runner group). @@ -121,19 +119,19 @@ with lib; default = null; }; - extraLabels = mkOption { - type = types.listOf types.str; + extraLabels = lib.mkOption { + type = lib.types.listOf lib.types.str; description = '' Extra labels in addition to the default (unless disabled through the `noDefaultLabels` option). Changing this option triggers a new runner registration. ''; - example = literalExpression ''[ "nixos" ]''; + example = lib.literalExpression ''[ "nixos" ]''; default = [ ]; }; - noDefaultLabels = mkOption { - type = types.bool; + noDefaultLabels = lib.mkOption { + type = lib.types.bool; description = '' Disables adding the default labels. Also see the `extraLabels` option. 
@@ -142,8 +140,8 @@ with lib; default = false; }; - replace = mkOption { - type = types.bool; + replace = lib.mkOption { + type = lib.types.bool; description = '' Replace any existing runner with the same name. @@ -152,16 +150,16 @@ with lib; default = false; }; - extraPackages = mkOption { - type = types.listOf types.package; + extraPackages = lib.mkOption { + type = lib.types.listOf lib.types.package; description = '' Extra packages to add to `PATH` of the service to make them available to workflows. ''; default = [ ]; }; - extraEnvironment = mkOption { - type = types.attrs; + extraEnvironment = lib.mkOption { + type = lib.types.attrs; description = '' Extra environment variables to set for the runner, as an attrset. ''; @@ -171,8 +169,8 @@ with lib; default = { }; }; - serviceOverrides = mkOption { - type = types.attrs; + serviceOverrides = lib.mkOption { + type = lib.types.attrs; description = '' Modify the systemd service. Can be used to, e.g., adjust the sandboxing options. See {manpage}`systemd.exec(5)` for more options. @@ -184,10 +182,10 @@ with lib; default = { }; }; - package = mkPackageOption pkgs "github-runner" { }; + package = lib.mkPackageOption pkgs "github-runner" { }; - ephemeral = mkOption { - type = types.bool; + ephemeral = lib.mkOption { + type = lib.types.bool; description = '' If enabled, causes the following behavior: @@ -206,8 +204,8 @@ with lib; default = false; }; - user = mkOption { - type = types.nullOr types.str; + user = lib.mkOption { + type = lib.types.nullOr lib.types.str; description = '' User under which to run the service. 
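Review bot: `type = lib.types.attrs;` for `extraEnvironment` and again for `serviceOverrides` keeps a type whose merge is a shallow `//` of each definition, so two modules setting different keys under the same nested attribute (for example inside a `serviceConfig` override) silently lose one of them. `type = lib.types.attrsOf lib.types.anything;` preserves the free-form semantics while merging definitions recursively, and is what the option-types documentation recommends over `attrs`. This is pre-existing and the commit only prefixes it, so it could be a follow-up; the note applies to both hunks on this line.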
@@ -217,11 +215,11 @@ with lib; Also see the `group` option for an overview on the effects of the `user` and `group` settings. ''; default = null; - defaultText = literalExpression "username"; + defaultText = lib.literalExpression "username"; }; - group = mkOption { - type = types.nullOr types.str; + group = lib.mkOption { + type = lib.types.nullOr lib.types.str; description = '' Group under which to run the service. @@ -236,11 +234,11 @@ with lib; but run as root implicitly. If this is really what you want, set `user = "root"` explicitly. ''; default = null; - defaultText = literalExpression "groupname"; + defaultText = lib.literalExpression "groupname"; }; - workDir = mkOption { - type = with types; nullOr str; + workDir = lib.mkOption { + type = with lib.types; nullOr str; description = '' Working directory, available as `$GITHUB_WORKSPACE` during workflow runs and used as a default for [repository checkouts](https://github.com/actions/checkout). @@ -253,8 +251,8 @@ with lib; default = null; }; - nodeRuntimes = mkOption { - type = with types; nonEmptyListOf (enum [ "node20" ]); + nodeRuntimes = lib.mkOption { + type = with lib.types; nonEmptyListOf (enum [ "node20" ]); default = [ "node20" ]; description = '' List of Node.js runtimes the runner should support. diff --git a/nixos/modules/services/continuous-integration/github-runner/service.nix b/nixos/modules/services/continuous-integration/github-runner/service.nix index e3a926db8b25d..045ea41aa5f1a 100644 --- a/nixos/modules/services/continuous-integration/github-runner/service.nix +++ b/nixos/modules/services/continuous-integration/github-runner/service.nix 
@@ -3,11 +3,9 @@ , pkgs , ... }: - -with lib; { - config.assertions = flatten ( - flip mapAttrsToList config.services.github-runners (name: cfg: map (mkIf cfg.enable) [ + config.assertions = lib.flatten ( + lib.flip lib.mapAttrsToList config.services.github-runners (name: cfg: map (lib.mkIf cfg.enable) [ { assertion = !cfg.noDefaultLabels || (cfg.extraLabels != [ ]); message = "`services.github-runners.${name}`: The `extraLabels` option is mandatory if `noDefaultLabels` is set"; @@ -20,8 +18,8 @@ with lib; ); config.systemd.services = - let enabledRunners = filterAttrs (_: cfg: cfg.enable) config.services.github-runners; - in (flip mapAttrs' enabledRunners (name: cfg: + let enabledRunners = lib.filterAttrs (_: cfg: cfg.enable) config.services.github-runners; + in (lib.flip lib.mapAttrs' enabledRunners (name: cfg: let svcName = "github-runner-${name}"; systemdDir = "github-runner/${name}"; @@ -37,9 +35,9 @@ with lib; workDir = if cfg.workDir == null then runtimeDir else cfg.workDir; # Support old github-runner versions which don't have the `nodeRuntimes` arg yet. - package = cfg.package.override (old: optionalAttrs (hasAttr "nodeRuntimes" old) { inherit (cfg) nodeRuntimes; }); + package = cfg.package.override (old: lib.optionalAttrs (lib.hasAttr "nodeRuntimes" old) { inherit (cfg) nodeRuntimes; }); in - nameValuePair svcName { + lib.nameValuePair svcName { description = "GitHub Actions runner"; wantedBy = [ "multi-user.target" ]; @@ -61,7 +59,7 @@ with lib; config.nix.package ] ++ cfg.extraPackages; - serviceConfig = mkMerge [ + serviceConfig = lib.mkMerge [ { ExecStart = "${package}/bin/Runner.Listener run --startuptype service"; @@ -90,7 +88,7 @@ with lib; ${lines} ''; - runnerRegistrationConfig = getAttrs [ + runnerRegistrationConfig = lib.getAttrs [ "ephemeral" "extraLabels" "name" 
@@ -114,9 +112,9 @@ with lib; unconfigureRunner = writeScript "unconfigure" '' copy_tokens() { # Copy the configured token file to the state dir and allow the service user to read the file - install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}" + install --mode=666 ${lib.escapeShellArg cfg.tokenFile} "${newConfigTokenPath}" # Also copy current file to allow for a diff on the next start - install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}" + install --mode=600 ${lib.escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}" } clean_state() { find "$STATE_DIRECTORY/" -mindepth 1 -delete @@ -130,7 +128,7 @@ with lib; || changed=1 # Also check the content of the token file [[ -f "${currentConfigTokenPath}" ]] \ - && ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \ + && ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${lib.escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \ || changed=1 # If the config has changed, remove old state and copy tokens if [[ "$changed" -eq 1 ]]; then @@ -140,7 +138,7 @@ with lib; clean_state fi } - if [[ "${optionalString cfg.ephemeral "1"}" ]]; then + if [[ "${lib.optionalString cfg.ephemeral "1"}" ]]; then # In ephemeral mode, we always want to start with a clean state clean_state elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then 
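Review bot: `install --mode=666 ${lib.escapeShellArg cfg.tokenFile} "${newConfigTokenPath}"` in the first hunk makes the copied registration token readable and writable by any local user who can traverse the state directory, while the comment above it only asks that the service user can read it; `install --mode=644 ${lib.escapeShellArg cfg.tokenFile} "${newConfigTokenPath}"` satisfies that stated purpose, and deleting the file afterwards needs write permission on the directory, not on the file. The sibling copy to `${currentConfigTokenPath}` is already `--mode=600`, so if the service's dynamic user genuinely must rewrite the first copy, the comment should say so rather than leave the two modes unexplained. The `unconfigureRunner` script begins before this hunk and continues past it.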
@@ -161,13 +159,13 @@ with lib; --unattended --disableupdate --work "$WORK_DIRECTORY" - --url ${escapeShellArg cfg.url} - --labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)} - ${optionalString (cfg.name != null ) "--name ${escapeShellArg cfg.name}"} - ${optionalString cfg.replace "--replace"} - ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} - ${optionalString cfg.ephemeral "--ephemeral"} - ${optionalString cfg.noDefaultLabels "--no-default-labels"} + --url ${lib.escapeShellArg cfg.url} + --labels ${lib.escapeShellArg (lib.concatStringsSep "," cfg.extraLabels)} + ${lib.optionalString (cfg.name != null ) "--name ${lib.escapeShellArg cfg.name}"} + ${lib.optionalString cfg.replace "--replace"} + ${lib.optionalString (cfg.runnerGroup != null) "--runnergroup ${lib.escapeShellArg cfg.runnerGroup}"} + ${lib.optionalString cfg.ephemeral "--ephemeral"} + ${lib.optionalString cfg.noDefaultLabels "--no-default-labels"} ) # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option, # if it is not a PAT, we assume it contains a registration token and use the --token option @@ -196,7 +194,7 @@ with lib; ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$WORK_DIRECTORY/" ''; in - map (x: "${x} ${escapeShellArgs [ stateDir workDir logsDir ]}") [ + map (x: "${x} ${lib.escapeShellArgs [ stateDir workDir logsDir ]}") [ "+${unconfigureRunner}" # runs as root configureRunner setupWorkDir 
@@ -230,30 +228,30 @@ with lib; # Hardening (may overlap with DynamicUser=) # The following options are only for optimizing: # systemd-analyze security github-runner - AmbientCapabilities = mkBefore [ "" ]; - CapabilityBoundingSet = mkBefore [ "" ]; + AmbientCapabilities = lib.mkBefore [ "" ]; + CapabilityBoundingSet = lib.mkBefore [ "" ]; # ProtectClock= adds DeviceAllow=char-rtc r - DeviceAllow = mkBefore [ "" ]; - NoNewPrivileges = mkDefault true; - PrivateDevices = mkDefault true; - PrivateMounts = mkDefault true; - PrivateTmp = mkDefault true; - PrivateUsers = mkDefault true; - ProtectClock = mkDefault true; - ProtectControlGroups = mkDefault true; - ProtectHome = mkDefault true; - ProtectHostname = mkDefault true; - ProtectKernelLogs = mkDefault true; - ProtectKernelModules = mkDefault true; - ProtectKernelTunables = mkDefault true; - ProtectSystem = mkDefault "strict"; - RemoveIPC = mkDefault true; - RestrictNamespaces = mkDefault true; - RestrictRealtime = mkDefault true; - RestrictSUIDSGID = mkDefault true; - UMask = mkDefault "0066"; - ProtectProc = mkDefault "invisible"; - SystemCallFilter = mkBefore [ + DeviceAllow = lib.mkBefore [ "" ]; + NoNewPrivileges = lib.mkDefault true; + PrivateDevices = lib.mkDefault true; + PrivateMounts = lib.mkDefault true; + PrivateTmp = lib.mkDefault true; + PrivateUsers = lib.mkDefault true; + ProtectClock = lib.mkDefault true; + ProtectControlGroups = lib.mkDefault true; + ProtectHome = lib.mkDefault true; + ProtectHostname = lib.mkDefault true; + ProtectKernelLogs = lib.mkDefault true; + ProtectKernelModules = lib.mkDefault true; + ProtectKernelTunables = lib.mkDefault true; + ProtectSystem = lib.mkDefault "strict"; + RemoveIPC = lib.mkDefault true; + RestrictNamespaces = lib.mkDefault true; + RestrictRealtime = lib.mkDefault true; + RestrictSUIDSGID = lib.mkDefault true; + UMask = lib.mkDefault "0066"; + ProtectProc = lib.mkDefault "invisible"; + SystemCallFilter = lib.mkBefore [ "~@clock" "~@cpu-emulation" "~@module" 
@@ -265,33 +263,33 @@ with lib; "~setdomainname" "~sethostname" ]; - RestrictAddressFamilies = mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; + RestrictAddressFamilies = lib.mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ]; # Needs network access - PrivateNetwork = mkDefault false; + PrivateNetwork = lib.mkDefault false; # Cannot be true due to Node - MemoryDenyWriteExecute = mkDefault false; + MemoryDenyWriteExecute = lib.mkDefault false; # The more restrictive "pid" option makes `nix` commands in CI emit # "GC Warning: Couldn't read /proc/stat" # You may want to set this to "pid" if not using `nix` commands - ProcSubset = mkDefault "all"; + ProcSubset = lib.mkDefault "all"; # Coverage programs for compiled code such as `cargo-tarpaulin` disable # ASLR (address space layout randomization) which requires the # `personality` syscall # You may want to set this to `true` if not using coverage tooling on # compiled code - LockPersonality = mkDefault false; + LockPersonality = lib.mkDefault false; - DynamicUser = mkDefault true; + DynamicUser = lib.mkDefault true; } - (mkIf (cfg.user != null) { + (lib.mkIf (cfg.user != null) { DynamicUser = false; User = cfg.user; }) - (mkIf (cfg.group != null) { + (lib.mkIf (cfg.group != null) { DynamicUser = false; Group = cfg.group; }) From 67553951b1be6db3fc12e70ae2c9357680c4dc98 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:24 +0100 Subject: [PATCH 21/44] nixos/services.gocd-agent: remove `with lib;` --- .../gocd-agent/default.nix | 69 +++++++++---------- 1 file changed, 33 insertions(+), 36 deletions(-) diff --git a/nixos/modules/services/continuous-integration/gocd-agent/default.nix b/nixos/modules/services/continuous-integration/gocd-agent/default.nix index 0e61b253f17ee..0846c466e22a4 100644 --- a/nixos/modules/services/continuous-integration/gocd-agent/default.nix 
+++ b/nixos/modules/services/continuous-integration/gocd-agent/default.nix @@ -1,34 +1,31 @@ { config, lib, options, pkgs, ... }: - -with lib; - let cfg = config.services.gocd-agent; opt = options.services.gocd-agent; in { options = { services.gocd-agent = { - enable = mkEnableOption "gocd-agent"; + enable = lib.mkEnableOption "gocd-agent"; - user = mkOption { + user = lib.mkOption { default = "gocd-agent"; - type = types.str; + type = lib.types.str; description = '' User the Go.CD agent should execute under. ''; }; - group = mkOption { + group = lib.mkOption { default = "gocd-agent"; - type = types.str; + type = lib.types.str; description = '' If the default user "gocd-agent" is configured then this is the primary group of that user. ''; }; - extraGroups = mkOption { - type = types.listOf types.str; + extraGroups = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ ]; example = [ "wheel" "docker" ]; description = '' @@ -36,18 +33,18 @@ in { ''; }; - packages = mkOption { + packages = lib.mkOption { default = [ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ]; - defaultText = literalExpression "[ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ]"; - type = types.listOf types.package; + defaultText = lib.literalExpression "[ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ]"; + type = lib.types.listOf lib.types.package; description = '' Packages to add to PATH for the Go.CD agent process. ''; }; - agentConfig = mkOption { + agentConfig = lib.mkOption { default = ""; - type = types.str; + type = lib.types.str; example = '' agent.auto.register.resources=ant,java agent.auto.register.environments=QA,Performance 
@@ -58,40 +55,40 @@ in { ''; }; - goServer = mkOption { + goServer = lib.mkOption { default = "https://127.0.0.1:8154/go"; - type = types.str; + type = lib.types.str; description = '' URL of the GoCD Server to attach the Go.CD Agent to. ''; }; - workDir = mkOption { + workDir = lib.mkOption { default = "/var/lib/go-agent"; - type = types.str; + type = lib.types.str; description = '' Specifies the working directory in which the Go.CD agent java archive resides. ''; }; - initialJavaHeapSize = mkOption { + initialJavaHeapSize = lib.mkOption { default = "128m"; - type = types.str; + type = lib.types.str; description = '' Specifies the initial java heap memory size for the Go.CD agent java process. ''; }; - maxJavaHeapMemory = mkOption { + maxJavaHeapMemory = lib.mkOption { default = "256m"; - type = types.str; + type = lib.types.str; description = '' Specifies the java maximum heap memory size for the Go.CD agent java process. ''; }; - startupOptions = mkOption { - type = types.listOf types.str; + startupOptions = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ "-Xms${cfg.initialJavaHeapSize}" "-Xmx${cfg.maxJavaHeapMemory}" @@ -99,7 +96,7 @@ in { "-Dcruise.console.publish.interval=10" "-Djava.security.egd=file:/dev/./urandom" ]; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' [ "-Xms''${config.${opt.initialJavaHeapSize}}" "-Xmx''${config.${opt.maxJavaHeapMemory}}" @@ -114,9 +111,9 @@ in { ''; }; - extraOptions = mkOption { + extraOptions = lib.mkOption { default = [ ]; - type = types.listOf types.str; + type = lib.types.listOf lib.types.str; example = [ "-X debug" "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006" 
@@ -133,9 +130,9 @@ in { ''; }; - environment = mkOption { + environment = lib.mkOption { default = { }; - type = with types; attrsOf str; + type = with lib.types; attrsOf str; description = '' Additional environment variables to be passed to the Go.CD agent process. As a base environment, Go.CD agent receives NIX_PATH from @@ -146,12 +143,12 @@ in { }; }; - config = mkIf cfg.enable { - users.groups = optionalAttrs (cfg.group == "gocd-agent") { + config = lib.mkIf cfg.enable { + users.groups = lib.optionalAttrs (cfg.group == "gocd-agent") { gocd-agent.gid = config.ids.gids.gocd-agent; }; - users.users = optionalAttrs (cfg.user == "gocd-agent") { + users.users = lib.optionalAttrs (cfg.user == "gocd-agent") { gocd-agent = { description = "gocd-agent user"; createHome = true; @@ -178,7 +175,7 @@ in { { NIX_REMOTE = "daemon"; AGENT_WORK_DIR = cfg.workDir; - AGENT_STARTUP_ARGS = ''${concatStringsSep " " cfg.startupOptions}''; + AGENT_STARTUP_ARGS = ''${lib.concatStringsSep " " cfg.startupOptions}''; LOG_DIR = cfg.workDir; LOG_FILE = "${cfg.workDir}/go-agent-start.log"; } // @@ -201,8 +198,8 @@ in { ln -s "${pkgs.writeText "autoregister.properties" cfg.agentConfig}" config/autoregister.properties ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt - ${pkgs.jre}/bin/java ${concatStringsSep " " cfg.startupOptions} \ - ${concatStringsSep " " cfg.extraOptions} \ + ${pkgs.jre}/bin/java ${lib.concatStringsSep " " cfg.startupOptions} \ + ${lib.concatStringsSep " " cfg.extraOptions} \ -jar ${pkgs.gocd-agent}/go-agent/agent-bootstrapper.jar \ -serverUrl ${cfg.goServer} ''; From f6ebc4cfe0d5725a7629030ac7cef9b97a169231 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:24 +0100 Subject: [PATCH 22/44] nixos/services.aerospike: remove `with lib;` --- .../modules/services/databases/aerospike.nix | 25 ++++++++----------- 1 file changed, 11 insertions(+), 14 deletions(-) 
diff --git a/nixos/modules/services/databases/aerospike.nix b/nixos/modules/services/databases/aerospike.nix index 676341084acb6..6608d105a339f 100644 --- a/nixos/modules/services/databases/aerospike.nix +++ b/nixos/modules/services/databases/aerospike.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.aerospike; @@ -39,18 +36,18 @@ in options = { services.aerospike = { - enable = mkEnableOption "Aerospike server"; + enable = lib.mkEnableOption "Aerospike server"; - package = mkPackageOption pkgs "aerospike" { }; + package = lib.mkPackageOption pkgs "aerospike" { }; - workDir = mkOption { - type = types.str; + workDir = lib.mkOption { + type = lib.types.str; default = "/var/lib/aerospike"; description = "Location where Aerospike stores its files"; }; - networkConfig = mkOption { - type = types.lines; + networkConfig = lib.mkOption { + type = lib.types.lines; default = '' service { address any @@ -78,8 +75,8 @@ in description = "network section of configuration file"; }; - extraConfig = mkOption { - type = types.lines; + extraConfig = lib.mkOption { + type = lib.types.lines; default = ""; example = '' namespace test { @@ -98,7 +95,7 @@ in ###### implementation - config = mkIf config.services.aerospike.enable { + config = lib.mkIf config.services.aerospike.enable { users.users.aerospike = { name = "aerospike"; @@ -109,8 +106,8 @@ in users.groups.aerospike.gid = config.ids.gids.aerospike; boot.kernel.sysctl = { - "net.core.rmem_max" = mkDefault 15728640; - "net.core.wmem_max" = mkDefault 5242880; + "net.core.rmem_max" = lib.mkDefault 15728640; + "net.core.wmem_max" = lib.mkDefault 5242880; }; systemd.services.aerospike = rec { From fa6f1e3ce5d4808284ddf33ecddb3ccd8e1248db Mon Sep 17 00:00:00 2001 
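Review bot: `config = lib.mkIf config.services.aerospike.enable {` spells out the full option path although the file binds `cfg = config.services.aerospike;` in its `let`, so `config = lib.mkIf cfg.enable {` would read like the rest of this module and like the clickhouse patch in the same series. The same applies to `config = lib.mkIf config.services.cockroachdb.enable {` in the cockroachdb patch further down. Purely a style point; evaluation is identical either way.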
From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:24 +0100 Subject: [PATCH 23/44] nixos/services.clickhouse: remove `with lib;` --- nixos/modules/services/databases/clickhouse.nix | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/databases/clickhouse.nix b/nixos/modules/services/databases/clickhouse.nix index 37a1fe5d5b6ce..9025b9a869584 100644 --- a/nixos/modules/services/databases/clickhouse.nix +++ b/nixos/modules/services/databases/clickhouse.nix @@ -2,7 +2,6 @@ let cfg = config.services.clickhouse; in -with lib; { ###### interface @@ -11,9 +10,9 @@ with lib; services.clickhouse = { - enable = mkEnableOption "ClickHouse database server"; + enable = lib.mkEnableOption "ClickHouse database server"; - package = mkPackageOption pkgs "clickhouse" { }; + package = lib.mkPackageOption pkgs "clickhouse" { }; }; @@ -22,7 +21,7 @@ with lib; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { users.users.clickhouse = { name = "clickhouse"; @@ -71,7 +70,7 @@ with lib; environment.systemPackages = [ cfg.package ]; # startup requires a `/etc/localtime` which only if exists if `time.timeZone != null` - time.timeZone = mkDefault "UTC"; + time.timeZone = lib.mkDefault "UTC"; }; From 3aa36dd1814903220fbc9ed21101f62272441fbe Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:24 +0100 Subject: [PATCH 24/44] nixos/services.cockroachdb: remove `with lib;` --- .../services/databases/cockroachdb.nix | 61 +++++++++---------- 1 file changed, 29 insertions(+), 32 deletions(-) diff --git a/nixos/modules/services/databases/cockroachdb.nix b/nixos/modules/services/databases/cockroachdb.nix index 34e4e8760742f..e46a8dd600b3e 100644 --- a/nixos/modules/services/databases/cockroachdb.nix +++ b/nixos/modules/services/databases/cockroachdb.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, utils, ... }: - -with lib; - let cfg = config.services.cockroachdb; crdb = cfg.package; 
@@ -32,14 +29,14 @@ let ++ cfg.extraArgs); addressOption = descr: defaultPort: { - address = mkOption { - type = types.str; + address = lib.mkOption { + type = lib.types.str; default = "localhost"; description = "Address to bind to for ${descr}"; }; - port = mkOption { - type = types.port; + port = lib.mkOption { + type = lib.types.port; default = defaultPort; description = "Port to bind to for ${descr}"; }; @@ -49,14 +46,14 @@ in { options = { services.cockroachdb = { - enable = mkEnableOption "CockroachDB Server"; + enable = lib.mkEnableOption "CockroachDB Server"; listen = addressOption "intra-cluster communication" 26257; http = addressOption "http-based Admin UI" 8080; - locality = mkOption { - type = types.nullOr types.str; + locality = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; description = '' An ordered, comma-separated list of key-value pairs that describe the 
@@ -77,44 +74,44 @@ in ''; }; - join = mkOption { - type = types.nullOr types.str; + join = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; description = "The addresses for connecting the node to a cluster."; }; - insecure = mkOption { - type = types.bool; + insecure = lib.mkOption { + type = lib.types.bool; default = false; description = "Run in insecure mode."; }; - certsDir = mkOption { - type = types.nullOr types.path; + certsDir = lib.mkOption { + type = lib.types.nullOr lib.types.path; default = null; description = "The path to the certificate directory."; }; - user = mkOption { - type = types.str; + user = lib.mkOption { + type = lib.types.str; default = "cockroachdb"; description = "User account under which CockroachDB runs"; }; - group = mkOption { - type = types.str; + group = lib.mkOption { + type = lib.types.str; default = "cockroachdb"; description = "User account under which CockroachDB runs"; }; - openPorts = mkOption { - type = types.bool; + openPorts = lib.mkOption { + type = lib.types.bool; default = false; description = "Open firewall ports for cluster communication by default"; }; - cache = mkOption { - type = types.str; + cache = lib.mkOption { + type = lib.types.str; default = "25%"; description = '' The total size for caches. @@ -129,8 +126,8 @@ in ''; }; - maxSqlMemory = mkOption { - type = types.str; + maxSqlMemory = lib.mkOption { + type = lib.types.str; default = "25%"; description = '' The maximum in-memory storage capacity available to store temporary @@ -145,7 +142,7 @@ in ''; }; - package = mkPackageOption pkgs "cockroachdb" { + package = lib.mkPackageOption pkgs "cockroachdb" { extraDescription = '' This would primarily be useful to enable Enterprise Edition features in your own custom CockroachDB build (Nixpkgs CockroachDB binaries 
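Review bot: The description on the new `group = lib.mkOption { … }` still says `User account under which CockroachDB runs`, a copy of the text on the `user` option just above it. `description = "Group under which CockroachDB runs";` would describe the option correctly and matches the wording the monetdb module uses later in this series. The `services.cockroachdb` option set continues past the end of the hunk.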
@@ -153,8 +150,8 @@ in ''; }; - extraArgs = mkOption { - type = types.listOf types.str; + extraArgs = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; example = [ "--advertise-addr" "[fe80::f6f2:::]" ]; description = '' @@ -165,7 +162,7 @@ in }; }; - config = mkIf config.services.cockroachdb.enable { + config = lib.mkIf config.services.cockroachdb.enable { assertions = [ { assertion = !cfg.insecure -> cfg.certsDir != null; message = "CockroachDB must have a set of SSL certificates (.certsDir), or run in Insecure Mode (.insecure = true)"; @@ -174,7 +171,7 @@ in environment.systemPackages = [ crdb ]; - users.users = optionalAttrs (cfg.user == "cockroachdb") { + users.users = lib.optionalAttrs (cfg.user == "cockroachdb") { cockroachdb = { description = "CockroachDB Server User"; uid = config.ids.uids.cockroachdb; @@ -182,7 +179,7 @@ in }; }; - users.groups = optionalAttrs (cfg.group == "cockroachdb") { + users.groups = lib.optionalAttrs (cfg.group == "cockroachdb") { cockroachdb.gid = config.ids.gids.cockroachdb; }; From 261e4890fbfeb9f544fb9e7fcfa6b9bd8dd7d043 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:24 +0100 Subject: [PATCH 25/44] nixos/services.memcached: remove `with lib;` --- .../modules/services/databases/memcached.nix | 41 +++++++++---------- 1 file changed, 19 insertions(+), 22 deletions(-) diff --git a/nixos/modules/services/databases/memcached.nix b/nixos/modules/services/databases/memcached.nix index 7a3afc5efafcf..29da763e5751b 100644 --- a/nixos/modules/services/databases/memcached.nix +++ b/nixos/modules/services/databases/memcached.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.memcached; 
@@ -17,42 +14,42 @@ in options = { services.memcached = { - enable = mkEnableOption "Memcached"; + enable = lib.mkEnableOption "Memcached"; - user = mkOption { - type = types.str; + user = lib.mkOption { + type = lib.types.str; default = "memcached"; description = "The user to run Memcached as"; }; - listen = mkOption { - type = types.str; + listen = lib.mkOption { + type = lib.types.str; default = "127.0.0.1"; description = "The IP address to bind to."; }; - port = mkOption { - type = types.port; + port = lib.mkOption { + type = lib.types.port; default = 11211; description = "The port to bind to."; }; - enableUnixSocket = mkEnableOption "Unix Domain Socket at /run/memcached/memcached.sock instead of listening on an IP address and port. The `listen` and `port` options are ignored"; + enableUnixSocket = lib.mkEnableOption "Unix Domain Socket at /run/memcached/memcached.sock instead of listening on an IP address and port. The `listen` and `port` options are ignored"; - maxMemory = mkOption { - type = types.ints.unsigned; + maxMemory = lib.mkOption { + type = lib.types.ints.unsigned; default = 64; description = "The maximum amount of memory to use for storage, in megabytes."; }; - maxConnections = mkOption { - type = types.ints.unsigned; + maxConnections = lib.mkOption { + type = lib.types.ints.unsigned; default = 1024; description = "The maximum number of simultaneous connections."; }; - extraOptions = mkOption { - type = types.listOf types.str; + extraOptions = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = "A list of extra options that will be added as a suffix when running memcached."; }; 
@@ -62,14 +59,14 @@ in ###### implementation - config = mkIf config.services.memcached.enable { + config = lib.mkIf config.services.memcached.enable { - users.users = optionalAttrs (cfg.user == "memcached") { + users.users = lib.optionalAttrs (cfg.user == "memcached") { memcached.description = "Memcached server user"; memcached.isSystemUser = true; memcached.group = "memcached"; }; - users.groups = optionalAttrs (cfg.user == "memcached") { memcached = {}; }; + users.groups = lib.optionalAttrs (cfg.user == "memcached") { memcached = {}; }; environment.systemPackages = [ memcached ]; @@ -85,7 +82,7 @@ in networking = if cfg.enableUnixSocket then "-s /run/memcached/memcached.sock" else "-l ${cfg.listen} -p ${toString cfg.port}"; - in "${memcached}/bin/memcached ${networking} -m ${toString cfg.maxMemory} -c ${toString cfg.maxConnections} ${concatStringsSep " " cfg.extraOptions}"; + in "${memcached}/bin/memcached ${networking} -m ${toString cfg.maxMemory} -c ${toString cfg.maxConnections} ${lib.concatStringsSep " " cfg.extraOptions}"; User = cfg.user; @@ -110,7 +107,7 @@ in }; }; imports = [ - (mkRemovedOptionModule ["services" "memcached" "socket"] '' + (lib.mkRemovedOptionModule ["services" "memcached" "socket"] '' This option was replaced by a fixed unix socket path at /run/memcached/memcached.sock enabled using services.memcached.enableUnixSocket. '') ]; From 035c17d4080bcfd04019c73042f58739bab3f8c7 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:24 +0100 Subject: [PATCH 26/44] nixos/services.monetdb: remove `with lib;` --- nixos/modules/services/databases/monetdb.nix | 35 +++++++++----------- 1 file changed, 16 insertions(+), 19 deletions(-) diff --git a/nixos/modules/services/databases/monetdb.nix b/nixos/modules/services/databases/monetdb.nix index ee24cf2b0fc20..42c9683fdb5e7 100644 --- a/nixos/modules/services/databases/monetdb.nix +++ b/nixos/modules/services/databases/monetdb.nix 
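Review bot: The new ExecStart line still joins `cfg.extraOptions` with `lib.concatStringsSep " "`, so a list element that contains whitespace or a quote is re-split by systemd's argument parsing instead of arriving as one argument. `${lib.escapeShellArgs cfg.extraOptions}` keeps each element intact and is what the redis module in this same series does for `extraParams`. Whether any existing configuration relies on the current splitting is not visible here, so the change may deserve a release-note entry. The `let` that defines `networking` begins before the start of this hunk.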
@@ -1,47 +1,44 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.monetdb; in { - meta.maintainers = with maintainers; [ StillerHarpo ]; + meta.maintainers = with lib.maintainers; [ StillerHarpo ]; ###### interface options = { services.monetdb = { - enable = mkEnableOption "the MonetDB database server"; + enable = lib.mkEnableOption "the MonetDB database server"; - package = mkPackageOption pkgs "monetdb" { }; + package = lib.mkPackageOption pkgs "monetdb" { }; - user = mkOption { - type = types.str; + user = lib.mkOption { + type = lib.types.str; default = "monetdb"; description = "User account under which MonetDB runs."; }; - group = mkOption { - type = types.str; + group = lib.mkOption { + type = lib.types.str; default = "monetdb"; description = "Group under which MonetDB runs."; }; - dataDir = mkOption { - type = types.path; + dataDir = lib.mkOption { + type = lib.types.path; default = "/var/lib/monetdb"; description = "Data directory for the dbfarm."; }; - port = mkOption { - type = types.ints.u16; + port = lib.mkOption { + type = lib.types.ints.u16; default = 50000; description = "Port to listen on."; }; - listenAddress = mkOption { - type = types.str; + listenAddress = lib.mkOption { + type = lib.types.str; default = "127.0.0.1"; example = "0.0.0.0"; description = "Address to listen on."; @@ -50,9 +47,9 @@ in { }; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { - users.users.monetdb = mkIf (cfg.user == "monetdb") { + users.users.monetdb = lib.mkIf (cfg.user == "monetdb") { uid = config.ids.uids.monetdb; group = cfg.group; description = "MonetDB user"; @@ -60,7 +57,7 @@ in { createHome = true; }; - users.groups.monetdb = mkIf (cfg.group == "monetdb") { + users.groups.monetdb = lib.mkIf (cfg.group == "monetdb") { gid = config.ids.gids.monetdb; members = [ cfg.user ]; }; From 36828aceef0def6d449df5939f97756bd9d45671 Mon Sep 17 00:00:00 2001 
From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:24 +0100 Subject: [PATCH 27/44] nixos/services.mongodb: remove `with lib;` --- nixos/modules/services/databases/mongodb.nix | 63 ++++++++++---------- 1 file changed, 30 insertions(+), 33 deletions(-) diff --git a/nixos/modules/services/databases/mongodb.nix b/nixos/modules/services/databases/mongodb.nix index 8b8a664107f22..e3619ad3fe658 100644 --- a/nixos/modules/services/databases/mongodb.nix +++ b/nixos/modules/services/databases/mongodb.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.mongodb; @@ -11,11 +8,11 @@ let mongoCnf = cfg: pkgs.writeText "mongodb.conf" '' net.bindIp: ${cfg.bind_ip} - ${optionalString cfg.quiet "systemLog.quiet: true"} + ${lib.optionalString cfg.quiet "systemLog.quiet: true"} systemLog.destination: syslog storage.dbPath: ${cfg.dbpath} - ${optionalString cfg.enableAuth "security.authorization: enabled"} - ${optionalString (cfg.replSetName != "") "replication.replSetName: ${cfg.replSetName}"} + ${lib.optionalString cfg.enableAuth "security.authorization: enabled"} + ${lib.optionalString (cfg.replSetName != "") "replication.replSetName: ${cfg.replSetName}"} ${cfg.extraConfig} ''; 
@@ -29,54 +26,54 @@ in services.mongodb = { - enable = mkEnableOption "the MongoDB server"; + enable = lib.mkEnableOption "the MongoDB server"; - package = mkPackageOption pkgs "mongodb" { }; + package = lib.mkPackageOption pkgs "mongodb" { }; - user = mkOption { - type = types.str; + user = lib.mkOption { + type = lib.types.str; default = "mongodb"; description = "User account under which MongoDB runs"; }; - bind_ip = mkOption { - type = types.str; + bind_ip = lib.mkOption { + type = lib.types.str; default = "127.0.0.1"; description = "IP to bind to"; }; - quiet = mkOption { - type = types.bool; + quiet = lib.mkOption { + type = lib.types.bool; default = false; description = "quieter output"; }; - enableAuth = mkOption { - type = types.bool; + enableAuth = lib.mkOption { + type = lib.types.bool; default = false; description = "Enable client authentication. Creates a default superuser with username root!"; }; - initialRootPassword = mkOption { - type = types.nullOr types.str; + initialRootPassword = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; description = "Password for the root user if auth is enabled."; }; - dbpath = mkOption { - type = types.str; + dbpath = lib.mkOption { + type = lib.types.str; default = "/var/db/mongodb"; description = "Location where MongoDB stores its files"; }; - pidFile = mkOption { - type = types.str; + pidFile = lib.mkOption { + type = lib.types.str; default = "/run/mongodb.pid"; description = "Location of MongoDB pid file"; }; - replSetName = mkOption { - type = types.str; + replSetName = lib.mkOption { + type = lib.types.str; default = ""; description = '' If this instance is part of a replica set, set its name here. @@ -84,8 +81,8 @@ in ''; }; - extraConfig = mkOption { - type = types.lines; + extraConfig = lib.mkOption { + type = lib.types.lines; default = ""; example = '' storage.journal.enabled: false 
@@ -93,8 +90,8 @@ in description = "MongoDB extra configuration in YAML format"; }; - initialScript = mkOption { - type = types.nullOr types.path; + initialScript = lib.mkOption { + type = lib.types.nullOr lib.types.path; default = null; description = '' A file containing MongoDB statements to execute on first startup. @@ -107,20 +104,20 @@ in ###### implementation - config = mkIf config.services.mongodb.enable { + config = lib.mkIf config.services.mongodb.enable { assertions = [ { assertion = !cfg.enableAuth || cfg.initialRootPassword != null; message = "`enableAuth` requires `initialRootPassword` to be set."; } ]; - users.users.mongodb = mkIf (cfg.user == "mongodb") + users.users.mongodb = lib.mkIf (cfg.user == "mongodb") { name = "mongodb"; isSystemUser = true; group = "mongodb"; description = "MongoDB server user"; }; - users.groups.mongodb = mkIf (cfg.user == "mongodb") {}; + users.groups.mongodb = lib.mkIf (cfg.user == "mongodb") {}; environment.systemPackages = [ mongodb ]; @@ -177,8 +174,8 @@ in ''; postStart = '' if test -e "${cfg.dbpath}/.first_startup"; then - ${optionalString (cfg.initialScript != null) '' - ${mongodb}/bin/mongo ${optionalString (cfg.enableAuth) "-u root -p ${cfg.initialRootPassword}"} admin "${cfg.initialScript}" + ${lib.optionalString (cfg.initialScript != null) '' + ${mongodb}/bin/mongo ${lib.optionalString (cfg.enableAuth) "-u root -p ${cfg.initialRootPassword}"} admin "${cfg.initialScript}" ''} rm -f "${cfg.dbpath}/.first_startup" fi From db321b974ab79d2d50dc5f289816d0968cbcbead Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:25 +0100 Subject: [PATCH 28/44] nixos/services.redis: remove `with lib;` --- nixos/modules/services/databases/redis.nix | 163 ++++++++++----------- 1 file changed, 80 insertions(+), 83 deletions(-) diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix index 43829b13c6c02..49990dd736c7a 100644 
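Review bot: The new postStart line still interpolates `cfg.initialRootPassword` directly into `-p ${cfg.initialRootPassword}`, so the root password is written into a world-readable Nix store script and appears on the mongo client's command line; the commit only re-qualifies `optionalString` and leaves this as it was. An `initialRootPasswordFile` option read at service start (the redis module in this series takes that approach with `requirePassFile`) would keep the secret out of the store, and the `enableAuth` description, which already announces a default root user, could say where the password has to come from. The systemd service definition that contains this postStart script starts before the hunk.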
--- a/nixos/modules/services/databases/redis.nix +++ b/nixos/modules/services/databases/redis.nix 
@@ -1,52 +1,49 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.redis; mkValueString = value: if value == true then "yes" else if value == false then "no" - else generators.mkValueStringDefault { } value; + else lib.generators.mkValueStringDefault { } value; - redisConfig = settings: pkgs.writeText "redis.conf" (generators.toKeyValue { + redisConfig = settings: pkgs.writeText "redis.conf" (lib.generators.toKeyValue { listsAsDuplicateKeys = true; - mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } " "; + mkKeyValue = lib.generators.mkKeyValueDefault { inherit mkValueString; } " "; } settings); - redisName = name: "redis" + optionalString (name != "") ("-"+name); - enabledServers = filterAttrs (name: conf: conf.enable) config.services.redis.servers; + redisName = name: "redis" + lib.optionalString (name != "") ("-"+name); + enabledServers = lib.filterAttrs (name: conf: conf.enable) config.services.redis.servers; in { imports = [ - (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.") - (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") - (mkRemovedOptionModule [ "services" "redis" "dbFilename" ] "The redis module now uses /var/lib/redis/dump.rdb as database dump location.") - (mkRemovedOptionModule [ "services" "redis" "appendOnlyFilename" ] "This option was never used.") - (mkRemovedOptionModule [ "services" "redis" "pidFile" ] "This option was removed.") - (mkRemovedOptionModule [ "services" "redis" "extraConfig" ] "Use services.redis.servers.*.settings instead.") - (mkRenamedOptionModule [ "services" "redis" "enable"] [ "services" "redis" "servers" "" "enable" ]) - (mkRenamedOptionModule [ "services" "redis" "port"] [ "services" "redis" "servers" "" "port" ]) - (mkRenamedOptionModule [ "services" "redis" "openFirewall"] [ "services" "redis" "servers" "" "openFirewall" ]) - (mkRenamedOptionModule [ 
"services" "redis" "bind"] [ "services" "redis" "servers" "" "bind" ]) - (mkRenamedOptionModule [ "services" "redis" "unixSocket"] [ "services" "redis" "servers" "" "unixSocket" ]) - (mkRenamedOptionModule [ "services" "redis" "unixSocketPerm"] [ "services" "redis" "servers" "" "unixSocketPerm" ]) - (mkRenamedOptionModule [ "services" "redis" "logLevel"] [ "services" "redis" "servers" "" "logLevel" ]) - (mkRenamedOptionModule [ "services" "redis" "logfile"] [ "services" "redis" "servers" "" "logfile" ]) - (mkRenamedOptionModule [ "services" "redis" "syslog"] [ "services" "redis" "servers" "" "syslog" ]) - (mkRenamedOptionModule [ "services" "redis" "databases"] [ "services" "redis" "servers" "" "databases" ]) - (mkRenamedOptionModule [ "services" "redis" "maxclients"] [ "services" "redis" "servers" "" "maxclients" ]) - (mkRenamedOptionModule [ "services" "redis" "save"] [ "services" "redis" "servers" "" "save" ]) - (mkRenamedOptionModule [ "services" "redis" "slaveOf"] [ "services" "redis" "servers" "" "slaveOf" ]) - (mkRenamedOptionModule [ "services" "redis" "masterAuth"] [ "services" "redis" "servers" "" "masterAuth" ]) - (mkRenamedOptionModule [ "services" "redis" "requirePass"] [ "services" "redis" "servers" "" "requirePass" ]) - (mkRenamedOptionModule [ "services" "redis" "requirePassFile"] [ "services" "redis" "servers" "" "requirePassFile" ]) - (mkRenamedOptionModule [ "services" "redis" "appendOnly"] [ "services" "redis" "servers" "" "appendOnly" ]) - (mkRenamedOptionModule [ "services" "redis" "appendFsync"] [ "services" "redis" "servers" "" "appendFsync" ]) - (mkRenamedOptionModule [ "services" "redis" "slowLogLogSlowerThan"] [ "services" "redis" "servers" "" "slowLogLogSlowerThan" ]) - (mkRenamedOptionModule [ "services" "redis" "slowLogMaxLen"] [ "services" "redis" "servers" "" "slowLogMaxLen" ]) - (mkRenamedOptionModule [ "services" "redis" "settings"] [ "services" "redis" "servers" "" "settings" ]) + (lib.mkRemovedOptionModule [ "services" "redis" 
"user" ] "The redis module now is hardcoded to the redis user.") + (lib.mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.") + (lib.mkRemovedOptionModule [ "services" "redis" "dbFilename" ] "The redis module now uses /var/lib/redis/dump.rdb as database dump location.") + (lib.mkRemovedOptionModule [ "services" "redis" "appendOnlyFilename" ] "This option was never used.") + (lib.mkRemovedOptionModule [ "services" "redis" "pidFile" ] "This option was removed.") + (lib.mkRemovedOptionModule [ "services" "redis" "extraConfig" ] "Use services.redis.servers.*.settings instead.") + (lib.mkRenamedOptionModule [ "services" "redis" "enable"] [ "services" "redis" "servers" "" "enable" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "port"] [ "services" "redis" "servers" "" "port" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "openFirewall"] [ "services" "redis" "servers" "" "openFirewall" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "bind"] [ "services" "redis" "servers" "" "bind" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "unixSocket"] [ "services" "redis" "servers" "" "unixSocket" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "unixSocketPerm"] [ "services" "redis" "servers" "" "unixSocketPerm" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "logLevel"] [ "services" "redis" "servers" "" "logLevel" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "logfile"] [ "services" "redis" "servers" "" "logfile" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "syslog"] [ "services" "redis" "servers" "" "syslog" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "databases"] [ "services" "redis" "servers" "" "databases" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "maxclients"] [ "services" "redis" "servers" "" "maxclients" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "save"] [ "services" "redis" "servers" "" "save" ]) + (lib.mkRenamedOptionModule [ 
"services" "redis" "slaveOf"] [ "services" "redis" "servers" "" "slaveOf" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "masterAuth"] [ "services" "redis" "servers" "" "masterAuth" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "requirePass"] [ "services" "redis" "servers" "" "requirePass" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "requirePassFile"] [ "services" "redis" "servers" "" "requirePassFile" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "appendOnly"] [ "services" "redis" "servers" "" "appendOnly" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "appendFsync"] [ "services" "redis" "servers" "" "appendFsync" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "slowLogLogSlowerThan"] [ "services" "redis" "servers" "" "slowLogLogSlowerThan" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "slowLogMaxLen"] [ "services" "redis" "servers" "" "slowLogMaxLen" ]) + (lib.mkRenamedOptionModule [ "services" "redis" "settings"] [ "services" "redis" "servers" "" "settings" ]) ]; ###### interface @@ -54,22 +51,22 @@ in { options = { services.redis = { - package = mkPackageOption pkgs "redis" { }; + package = lib.mkPackageOption pkgs "redis" { }; - vmOverCommit = mkEnableOption '' + vmOverCommit = lib.mkEnableOption '' set `vm.overcommit_memory` sysctl to 1 (Suggested for Background Saving: ) '' // { default = true; }; - servers = mkOption { - type = with types; attrsOf (submodule ({ config, name, ... }: { + servers = lib.mkOption { + type = with lib.types; attrsOf (submodule ({ config, name, ... }: { options = { - enable = mkEnableOption "Redis server"; + enable = lib.mkEnableOption "Redis server"; - user = mkOption { + user = lib.mkOption { type = types.str; default = redisName name; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' if name == "" then "redis" else "redis-''${name}" ''; description = '' 
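Review bot: Inside the new `type = with lib.types; attrsOf (submodule …)` on the `servers` option, the nested `type = types.str;` on `user` (and the same form on `group`, `port`, `openFirewall`, `unixSocketPerm` and the other sub-options in the following hunks) no longer has `types` bound by `with lib;` and presumably resolves only because `lib.types` also exposes itself under the name `types`. Writing these as `lib.types.str` (or simply `str`, which the enclosing `with lib.types;` already provides) would not depend on that alias and would match how the rest of this series qualifies types. The submodule body continues past the end of this hunk.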
@@ -82,10 +79,10 @@ in { ''; }; - group = mkOption { + group = lib.mkOption { type = types.str; default = config.user; - defaultText = literalExpression "config.user"; + defaultText = lib.literalExpression "config.user"; description = '' Group account under which this instance of redis-server runs. @@ -96,17 +93,17 @@ in { ''; }; - port = mkOption { + port = lib.mkOption { type = types.port; default = if name == "" then 6379 else 0; - defaultText = literalExpression ''if name == "" then 6379 else 0''; + defaultText = lib.literalExpression ''if name == "" then 6379 else 0''; description = '' The TCP port to accept connections. If port 0 is specified Redis will not listen on a TCP socket. ''; }; - openFirewall = mkOption { + openFirewall = lib.mkOption { type = types.bool; default = false; description = '' @@ -114,14 +111,14 @@ in { ''; }; - extraParams = mkOption { + extraParams = lib.mkOption { type = with types; listOf str; default = []; description = "Extra parameters to append to redis-server invocation"; example = [ "--sentinel" ]; }; - bind = mkOption { + bind = lib.mkOption { type = with types; nullOr str; default = "127.0.0.1"; description = '' 
@@ -131,55 +128,55 @@ in { example = "192.0.2.1"; }; - unixSocket = mkOption { + unixSocket = lib.mkOption { type = with types; nullOr path; default = "/run/${redisName name}/redis.sock"; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' if name == "" then "/run/redis/redis.sock" else "/run/redis-''${name}/redis.sock" ''; description = "The path to the socket to bind to."; }; - unixSocketPerm = mkOption { + unixSocketPerm = lib.mkOption { type = types.int; default = 660; description = "Change permissions for the socket"; example = 600; }; - logLevel = mkOption { + logLevel = lib.mkOption { type = types.str; default = "notice"; # debug, verbose, notice, warning example = "debug"; description = "Specify the server verbosity level, options: debug, verbose, notice, warning."; }; - logfile = mkOption { + logfile = lib.mkOption { type = types.str; default = "/dev/null"; description = "Specify the log file name. Also 'stdout' can be used to force Redis to log on the standard output."; example = "/var/log/redis.log"; }; - syslog = mkOption { + syslog = lib.mkOption { type = types.bool; default = true; description = "Enable logging to the system logger."; }; - databases = mkOption { + databases = lib.mkOption { type = types.int; default = 16; description = "Set the number of databases."; }; - maxclients = mkOption { + maxclients = lib.mkOption { type = types.int; default = 10000; description = "Set the max number of connected clients at the same time."; }; - save = mkOption { + save = lib.mkOption { type = with types; listOf (listOf int); default = [ [900 1] [300 10] [60 10000] ]; description = '' 
@@ -189,16 +186,16 @@ in { ''; }; - slaveOf = mkOption { + slaveOf = lib.mkOption { type = with types; nullOr (submodule ({ ... }: { options = { - ip = mkOption { + ip = lib.mkOption { type = str; description = "IP of the Redis master"; example = "192.168.1.100"; }; - port = mkOption { + port = lib.mkOption { type = port; description = "port of the Redis master"; default = 6379; @@ -211,7 +208,7 @@ in { example = { ip = "192.168.1.100"; port = 6379; }; }; - masterAuth = mkOption { + masterAuth = lib.mkOption { type = with types; nullOr str; default = null; description = ''If the master is password protected (using the requirePass configuration) @@ -220,7 +217,7 @@ in { (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)''; }; - requirePass = mkOption { + requirePass = lib.mkOption { type = with types; nullOr str; default = null; description = '' 
@@ -230,39 +227,39 @@ in { example = "letmein!"; }; - requirePassFile = mkOption { + requirePassFile = lib.mkOption { type = with types; nullOr path; default = null; description = "File with password for the database."; example = "/run/keys/redis-password"; }; - appendOnly = mkOption { + appendOnly = lib.mkOption { type = types.bool; default = false; description = "By default data is only periodically persisted to disk, enable this option to use an append-only file for improved persistence."; }; - appendFsync = mkOption { + appendFsync = lib.mkOption { type = types.str; default = "everysec"; # no, always, everysec description = "How often to fsync the append-only log, options: no, always, everysec."; }; - slowLogLogSlowerThan = mkOption { + slowLogLogSlowerThan = lib.mkOption { type = types.int; default = 10000; description = "Log queries whose execution take longer than X in milliseconds."; example = 1000; }; - slowLogMaxLen = mkOption { + slowLogMaxLen = lib.mkOption { type = types.int; default = 128; description = "Maximum number of items to keep in slow log."; }; - settings = mkOption { + settings = lib.mkOption { # TODO: this should be converted to freeformType type = with types; attrsOf (oneOf [ bool int str (listOf str) ]); default = {}; @@ -271,7 +268,7 @@ in { for details on supported values. ''; - example = literalExpression '' + example = lib.literalExpression '' { loadmodule = [ "/path/to/my_module.so" "/path/to/other_module.so" ]; } @@ -316,9 +313,9 @@ in { ###### implementation - config = mkIf (enabledServers != {}) { + config = lib.mkIf (enabledServers != {}) { - assertions = attrValues (mapAttrs (name: conf: { + assertions = lib.attrValues (lib.mapAttrs (name: conf: { assertion = conf.requirePass != null -> conf.requirePassFile == null; message = '' You can only set one services.redis.servers.${name}.requirePass 
@@ -326,32 +323,32 @@ in { ''; }) enabledServers); - boot.kernel.sysctl = mkIf cfg.vmOverCommit { + boot.kernel.sysctl = lib.mkIf cfg.vmOverCommit { "vm.overcommit_memory" = "1"; }; - networking.firewall.allowedTCPPorts = concatMap (conf: - optional conf.openFirewall conf.port - ) (attrValues enabledServers); + networking.firewall.allowedTCPPorts = lib.concatMap (conf: + lib.optional conf.openFirewall conf.port + ) (lib.attrValues enabledServers); environment.systemPackages = [ cfg.package ]; - users.users = mapAttrs' (name: conf: nameValuePair (redisName name) { + users.users = lib.mapAttrs' (name: conf: lib.nameValuePair (redisName name) { description = "System user for the redis-server instance ${name}"; isSystemUser = true; group = redisName name; }) enabledServers; - users.groups = mapAttrs' (name: conf: nameValuePair (redisName name) { + users.groups = lib.mapAttrs' (name: conf: lib.nameValuePair (redisName name) { }) enabledServers; - systemd.services = mapAttrs' (name: conf: nameValuePair (redisName name) { + systemd.services = lib.mapAttrs' (name: conf: lib.nameValuePair (redisName name) { description = "Redis Server - ${redisName name}"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { - ExecStart = "${cfg.package}/bin/${cfg.package.serverBin or "redis-server"} /var/lib/${redisName name}/redis.conf ${escapeShellArgs conf.extraParams}"; + ExecStart = "${cfg.package}/bin/${cfg.package.serverBin or "redis-server"} /var/lib/${redisName name}/redis.conf ${lib.escapeShellArgs conf.extraParams}"; ExecStartPre = "+"+pkgs.writeShellScript "${redisName name}-prep-conf" (let redisConfVar = "/var/lib/${redisName name}/redis.conf"; redisConfRun = "/run/${redisName name}/nixos.conf"; 
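Review bot: The new `networking.firewall.allowedTCPPorts` expression still adds `conf.port` whenever `conf.openFirewall` is set, and for a named instance `port` defaults to 0, which the option's own description defines as "do not listen on a TCP socket" but which would still be handed to the firewall as port 0. Guarding with `lib.optional (conf.openFirewall && conf.port != 0) conf.port` keeps such instances out of the allowed list. The `config = lib.mkIf (enabledServers != {}) { … }` block starts before this hunk.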
@@ -364,10 +361,10 @@ in { echo 'include "${redisConfRun}"' > "${redisConfVar}" fi echo 'include "${redisConfStore}"' > "${redisConfRun}" - ${optionalString (conf.requirePassFile != null) '' + ${lib.optionalString (conf.requirePassFile != null) '' { echo -n "requirepass " - cat ${escapeShellArg conf.requirePassFile} + cat ${lib.escapeShellArg conf.requirePassFile} } >> "${redisConfRun}" ''} ''); @@ -388,7 +385,7 @@ in { # Security NoNewPrivileges = true; # Process Properties - LimitNOFILE = mkDefault "${toString (conf.maxclients + 32)}"; + LimitNOFILE = lib.mkDefault "${toString (conf.maxclients + 32)}"; # Sandboxing ProtectSystem = "strict"; ProtectHome = true; From 793ecf787783fc10a1ec89c2551691a7a62a482e Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:25 +0100 Subject: [PATCH 29/44] nixos/services.deepin.dde-daemon: remove `with lib;` --- nixos/modules/services/desktops/deepin/dde-daemon.nix | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/nixos/modules/services/desktops/deepin/dde-daemon.nix b/nixos/modules/services/desktops/deepin/dde-daemon.nix index ed4cd15bc271d..2188276f4b224 100644 --- a/nixos/modules/services/desktops/deepin/dde-daemon.nix +++ b/nixos/modules/services/desktops/deepin/dde-daemon.nix @@ -1,11 +1,8 @@ { config, pkgs, lib, ... }: - -with lib; - { meta = { - maintainers = teams.deepin.members; + maintainers = lib.teams.deepin.members; }; ###### interface @@ -14,7 +11,7 @@ with lib; services.deepin.dde-daemon = { - enable = mkEnableOption "daemon for handling the deepin session settings"; + enable = lib.mkEnableOption "daemon for handling the deepin session settings"; }; @@ -23,7 +20,7 @@ with lib; ###### implementation - config = mkIf config.services.deepin.dde-daemon.enable { + config = lib.mkIf config.services.deepin.dde-daemon.enable { environment.systemPackages = [ pkgs.deepin.dde-daemon ]; From eeda33831185a3a29e16959e5ab7e57aaa7f9892 Mon Sep 17 00:00:00 2001 
From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:25 +0100 Subject: [PATCH 30/44] nixos/services.espanso: remove `with lib;` --- nixos/modules/services/desktops/espanso.nix | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/desktops/espanso.nix b/nixos/modules/services/desktops/espanso.nix index a1f0b441e0d71..943c6fae86d9e 100644 --- a/nixos/modules/services/desktops/espanso.nix +++ b/nixos/modules/services/desktops/espanso.nix @@ -1,20 +1,18 @@ { config, lib, pkgs, ... }: - -with lib; let cfg = config.services.espanso; in { meta = { maintainers = with lib.maintainers; [ n8henrie numkem ]; }; options = { services.espanso = { - enable = mkEnableOption "Espanso"; - package = mkPackageOption pkgs "espanso" { + enable = lib.mkEnableOption "Espanso"; + package = lib.mkPackageOption pkgs "espanso" { example = "pkgs.espanso-wayland"; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.user.services.espanso = { description = "Espanso daemon"; serviceConfig = { From e693f4b95392c31ac83624a8609d07cc490c9bc4 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:25 +0100 Subject: [PATCH 31/44] nixos/services.geoclue2: remove `with lib;` --- nixos/modules/services/desktops/geoclue2.nix | 96 ++++++++++---------- 1 file changed, 46 insertions(+), 50 deletions(-) diff --git a/nixos/modules/services/desktops/geoclue2.nix b/nixos/modules/services/desktops/geoclue2.nix index 2e5de34bb76f5..6d040b71bd916 100644 --- a/nixos/modules/services/desktops/geoclue2.nix +++ b/nixos/modules/services/desktops/geoclue2.nix 
@@ -1,37 +1,33 @@ # GeoClue 2 daemon. - { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.geoclue2; defaultWhitelist = [ "gnome-shell" "io.elementary.desktop.agent-geoclue2" ]; - appConfigModule = types.submodule ({ name, ... }: { + appConfigModule = lib.types.submodule ({ name, ... }: { options = { - desktopID = mkOption { - type = types.str; + desktopID = lib.mkOption { + type = lib.types.str; description = "Desktop ID of the application."; }; - isAllowed = mkOption { - type = types.bool; + isAllowed = lib.mkOption { + type = lib.types.bool; description = '' Whether the application will be allowed access to location information. ''; }; - isSystem = mkOption { - type = types.bool; + isSystem = lib.mkOption { + type = lib.types.bool; description = '' Whether the application is a system component or not. ''; }; - users = mkOption { - type = types.listOf types.str; + users = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = '' List of UIDs of all users for which this application is allowed location @@ -40,7 +36,7 @@ let }; }; - config.desktopID = mkDefault name; + config.desktopID = lib.mkDefault name; }); appConfigToINICompatible = _: { desktopID, isAllowed, isSystem, users, ... }: { @@ -48,7 +44,7 @@ let value = { allowed = isAllowed; system = isSystem; - users = concatStringsSep ";" users; + users = lib.concatStringsSep ";" users; }; }; @@ -61,8 +57,8 @@ in services.geoclue2 = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to enable GeoClue 2 daemon, a DBus service @@ -70,8 +66,8 @@ in ''; }; - enableDemoAgent = mkOption { - type = types.bool; + enableDemoAgent = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to use the GeoClue demo agent. This should be 
@@ -80,48 +76,48 @@ in ''; }; - enableNmea = mkOption { - type = types.bool; + enableNmea = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to fetch location from NMEA sources on local network. ''; }; - enable3G = mkOption { - type = types.bool; + enable3G = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable 3G source. ''; }; - enableCDMA = mkOption { - type = types.bool; + enableCDMA = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable CDMA source. ''; }; - enableModemGPS = mkOption { - type = types.bool; + enableModemGPS = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable Modem-GPS source. ''; }; - enableWifi = mkOption { - type = types.bool; + enableWifi = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable WiFi source. ''; }; - geoProviderUrl = mkOption { - type = types.str; + geoProviderUrl = lib.mkOption { + type = lib.types.str; default = "https://location.services.mozilla.com/v1/geolocate?key=geoclue"; example = "https://www.googleapis.com/geolocation/v1/geolocate?key=YOUR_KEY"; description = '' @@ -129,10 +125,10 @@ in ''; }; - package = mkOption { - type = types.package; + package = lib.mkOption { + type = lib.types.package; default = pkgs.geoclue2; - defaultText = literalExpression "pkgs.geoclue2"; + defaultText = lib.literalExpression "pkgs.geoclue2"; apply = pkg: pkg.override { # the demo agent isn't built by default, but we need it here withDemoAgent = cfg.enableDemoAgent; 
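Review bot: The `geoProviderUrl` default in this hunk still points at `https://location.services.mozilla.com/v1/geolocate?key=geoclue`, and to my knowledge the Mozilla Location Service was retired in 2024, so the WiFi/cell source sends every scan to an endpoint that no longer answers; the `submissionUrl` default in the next hunk (`@@ -140,24`) has the same problem. The mechanical `lib.` prefixing is not the place to change the value, but the option description should say so until a new default is chosen, e.g. append to `geoProviderUrl`'s description: `Note: the default Mozilla Location Service endpoint has been retired; point this at a provider you trust, since nearby WiFi/cell identifiers are sent to it.` A warning when the option is left at the old default would be a reasonable follow-up.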
@@ -140,24 +136,24 @@ in description = "The geoclue2 package to use"; }; - submitData = mkOption { - type = types.bool; + submitData = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to submit data to a GeoLocation Service. ''; }; - submissionUrl = mkOption { - type = types.str; + submissionUrl = lib.mkOption { + type = lib.types.str; default = "https://location.services.mozilla.com/v1/submit?key=geoclue"; description = '' The url to submit data to a GeoLocation Service. ''; }; - submissionNick = mkOption { - type = types.str; + submissionNick = lib.mkOption { + type = lib.types.str; default = "geoclue"; description = '' A nickname to submit network data with. @@ -165,10 +161,10 @@ in ''; }; - appConfig = mkOption { - type = types.attrsOf appConfigModule; + appConfig = lib.mkOption { + type = lib.types.attrsOf appConfigModule; default = {}; - example = literalExpression '' + example = lib.literalExpression '' "com.github.app" = { isAllowed = true; isSystem = true; @@ -186,7 +182,7 @@ in ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; @@ -219,7 +215,7 @@ in # this needs to run as a user service, since it's associated with the # user who is making the requests - systemd.user.services = mkIf cfg.enableDemoAgent { + systemd.user.services = lib.mkIf cfg.enableDemoAgent { geoclue-agent = { description = "Geoclue agent"; # this should really be `partOf = [ "geoclue.service" ]`, but @@ -249,10 +245,10 @@ in }; environment.etc."geoclue/geoclue.conf".text = - generators.toINI {} ({ + lib.generators.toINI {} ({ agent = { - whitelist = concatStringsSep ";" - (optional cfg.enableDemoAgent "geoclue-demo-agent" ++ defaultWhitelist); + whitelist = lib.concatStringsSep ";" + (lib.optional cfg.enableDemoAgent "geoclue-demo-agent" ++ defaultWhitelist); }; network-nmea = { enable = cfg.enableNmea; 
@@ -269,11 +265,11 @@ in wifi = { enable = cfg.enableWifi; url = cfg.geoProviderUrl; - submit-data = boolToString cfg.submitData; + submit-data = lib.boolToString cfg.submitData; submission-url = cfg.submissionUrl; submission-nick = cfg.submissionNick; }; - } // mapAttrs' appConfigToINICompatible cfg.appConfig); + } // lib.mapAttrs' appConfigToINICompatible cfg.appConfig); }; meta = with lib; { From e323870fc81d76bcccaba1aa79dfa30cd1146da6 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:25 +0100 Subject: [PATCH 32/44] nixos/services.malcontent: remove `with lib;` --- nixos/modules/services/desktops/malcontent.nix | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/nixos/modules/services/desktops/malcontent.nix b/nixos/modules/services/desktops/malcontent.nix index 1fbeb17e6aeb4..fedd84549671d 100644 --- a/nixos/modules/services/desktops/malcontent.nix +++ b/nixos/modules/services/desktops/malcontent.nix @@ -1,9 +1,5 @@ # Malcontent daemon. - { config, lib, pkgs, ... }: - -with lib; - { ###### interface @@ -12,7 +8,7 @@ with lib; services.malcontent = { - enable = mkEnableOption "Malcontent, parental control support for applications"; + enable = lib.mkEnableOption "Malcontent, parental control support for applications"; }; @@ -21,7 +17,7 @@ with lib; ###### implementation - config = mkIf config.services.malcontent.enable { + config = lib.mkIf config.services.malcontent.enable { environment.systemPackages = with pkgs; [ malcontent From 19fb7137b065704e9aec21251636925d9c1ef77d Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:25 +0100 Subject: [PATCH 33/44] nixos/services.zeitgeist: remove `with lib;` --- nixos/modules/services/desktops/zeitgeist.nix | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/nixos/modules/services/desktops/zeitgeist.nix b/nixos/modules/services/desktops/zeitgeist.nix index f170e90a2a417..7ca2c6f3739a0 100644 
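Review bot: The trailing context line `meta = with lib; {` still brings all of `lib` into scope even though the commit's purpose is to remove `with lib;`; the rest of the series writes this as `with lib.maintainers;` (mchprs, ebusd). Assuming the block only sets maintainers (its body is outside the hunk), `meta.maintainers = with lib.maintainers; [ ... ];` would finish the job. The same leftover appears in zeitgeist's first hunk in the next patch (`meta = with lib; {`).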
--- a/nixos/modules/services/desktops/zeitgeist.nix +++ b/nixos/modules/services/desktops/zeitgeist.nix @@ -1,9 +1,5 @@ # Zeitgeist - { config, lib, pkgs, ... }: - -with lib; - { meta = with lib; { @@ -14,13 +10,13 @@ with lib; options = { services.zeitgeist = { - enable = mkEnableOption "zeitgeist, a service which logs the users' activities and events"; + enable = lib.mkEnableOption "zeitgeist, a service which logs the users' activities and events"; }; }; ###### implementation - config = mkIf config.services.zeitgeist.enable { + config = lib.mkIf config.services.zeitgeist.enable { environment.systemPackages = [ pkgs.zeitgeist ]; From 2a63acaac6b4fe73845aaf4011bfd0da03ada6b7 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:25 +0100 Subject: [PATCH 34/44] nixos/services.bloop: remove `with lib;` --- nixos/modules/services/development/bloop.nix | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/nixos/modules/services/development/bloop.nix b/nixos/modules/services/development/bloop.nix index 5796b1148b9f8..b61f543f57138 100644 --- a/nixos/modules/services/development/bloop.nix +++ b/nixos/modules/services/development/bloop.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.bloop; @@ -9,8 +6,8 @@ let in { options.services.bloop = { - extraOptions = mkOption { - type = types.listOf types.str; + extraOptions = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ ]; example = [ "-J-Xmx2G" @@ -23,8 +20,8 @@ in { ''; }; - install = mkOption { - type = types.bool; + install = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to install a user service for the Bloop server. 
@@ -35,12 +32,12 @@ in { }; }; - config = mkIf (cfg.install) { + config = lib.mkIf (cfg.install) { systemd.user.services.bloop = { description = "Bloop Scala build server"; environment = { - PATH = mkForce "${makeBinPath [ config.programs.java.package ]}"; + PATH = lib.mkForce "${lib.makeBinPath [ config.programs.java.package ]}"; }; serviceConfig = { Type = "forking"; From e8df83b3d2f007747f10cc1860c8541ef720a1c6 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:25 +0100 Subject: [PATCH 35/44] nixos/services.gemstash: remove `with lib;` --- .../modules/services/development/gemstash.nix | 44 +++++++++---------- 1 file changed, 21 insertions(+), 23 deletions(-) diff --git a/nixos/modules/services/development/gemstash.nix b/nixos/modules/services/development/gemstash.nix index 367930dadfb8d..6184180552aee 100644 --- a/nixos/modules/services/development/gemstash.nix +++ b/nixos/modules/services/development/gemstash.nix 
@@ -1,66 +1,64 @@ { lib, pkgs, config, ... }: -with lib; - let settingsFormat = pkgs.formats.yaml { }; # gemstash uses a yaml config where the keys are ruby symbols, # which means they start with ':'. This would be annoying to use # on the nix side, so we rewrite plain names instead. - prefixColon = s: listToAttrs (map + prefixColon = s: lib.listToAttrs (map (attrName: { name = ":${attrName}"; value = - if isAttrs s.${attrName} + if lib.isAttrs s.${attrName} then prefixColon s."${attrName}" else s."${attrName}"; }) - (attrNames s)); + (lib.attrNames s)); # parse the port number out of the tcp://ip:port bind setting string - parseBindPort = bind: strings.toInt (last (strings.splitString ":" bind)); + parseBindPort = bind: lib.strings.toInt (lib.last (lib.strings.splitString ":" bind)); cfg = config.services.gemstash; in { options.services.gemstash = { - enable = mkEnableOption "gemstash, a cache for rubygems.org and a private gem server"; + enable = lib.mkEnableOption "gemstash, a cache for rubygems.org and a private gem server"; - openFirewall = mkOption { - type = types.bool; + openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to open the firewall for the port in {option}`services.gemstash.bind`. ''; }; - settings = mkOption { + settings = lib.mkOption { default = {}; description = '' Configuration for Gemstash. The details can be found at in [gemstash documentation](https://github.com/rubygems/gemstash/blob/master/man/gemstash-configuration.5.md). Each key set here is automatically prefixed with ":" to match the gemstash expectations. ''; - type = types.submodule { + type = lib.types.submodule { freeformType = settingsFormat.type; options = { - base_path = mkOption { - type = types.path; + base_path = lib.mkOption { + type = lib.types.path; default = "/var/lib/gemstash"; description = "Path to store the gem files and the sqlite database. 
If left unchanged, the directory will be created."; }; - bind = mkOption { - type = types.str; + bind = lib.mkOption { + type = lib.types.str; default = "tcp://0.0.0.0:9292"; description = "Host and port combination for the server to listen on."; }; - db_adapter = mkOption { - type = types.nullOr (types.enum [ "sqlite3" "postgres" "mysql" "mysql2" ]); + db_adapter = lib.mkOption { + type = lib.types.nullOr (lib.types.enum [ "sqlite3" "postgres" "mysql" "mysql2" ]); default = null; description = "Which database type to use. For choices other than sqlite3, the dbUrl has to be specified as well."; }; - db_url = mkOption { - type = types.nullOr types.str; + db_url = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; description = "The database to connect to when using postgres, mysql, or mysql2."; }; @@ -70,7 +68,7 @@ in }; config = - mkIf cfg.enable { + lib.mkIf cfg.enable { users = { users.gemstash = { group = "gemstash"; @@ -79,12 +77,12 @@ in groups.gemstash = { }; }; - networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ (parseBindPort cfg.settings.bind) ]; + networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ (parseBindPort cfg.settings.bind) ]; systemd.services.gemstash = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - serviceConfig = mkMerge [ + serviceConfig = lib.mkMerge [ { ExecStart = "${pkgs.gemstash}/bin/gemstash start --no-daemonize --config-file ${settingsFormat.generate "gemstash.yaml" (prefixColon cfg.settings)}"; NoNewPrivileges = true; @@ -94,7 +92,7 @@ in RestrictSUIDSGID = true; LockPersonality = true; } - (mkIf (cfg.settings.base_path == "/var/lib/gemstash") { + (lib.mkIf (cfg.settings.base_path == "/var/lib/gemstash") { StateDirectory = "gemstash"; }) ]; From ae5e538219c31711113a1659e53b3210573a3365 Mon Sep 17 00:00:00 2001 
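Review bot: `db_url` in the first hunk (`@@ -1,66 +1,64 @@`) takes a database connection string, and the `ExecStart` in the later hunk passes `settingsFormat.generate "gemstash.yaml" (prefixColon cfg.settings)` on the command line, so any credentials placed in `db_url` (or any freeform settings key) end up in a world-readable path under the Nix store. Neither description mentions this; I would append to `db_url`'s description: `Credentials embedded here are written to the world-readable Nix store.` Separately, `parseBindPort` takes the text after the last `:` and calls `lib.strings.toInt` on it, which holds for the documented `tcp://host:port` form but would presumably fail at evaluation time for a bind string without a port when `openFirewall` is set; a comment stating that assumption next to `parseBindPort` would help.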
From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:26 +0100 Subject: [PATCH 36/44] nixos/services.mchprs: remove `with lib;` --- nixos/modules/services/games/mchprs.nix | 91 ++++++++++++------------- 1 file changed, 44 insertions(+), 47 deletions(-) diff --git a/nixos/modules/services/games/mchprs.nix b/nixos/modules/services/games/mchprs.nix index 50db7cf66bb50..169e4ba84f60e 100644 --- a/nixos/modules/services/games/mchprs.nix +++ b/nixos/modules/services/games/mchprs.nix @@ -1,14 +1,11 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.mchprs; settingsFormat = pkgs.formats.toml { }; whitelistFile = pkgs.writeText "whitelist.json" (builtins.toJSON - (mapAttrsToList (n: v: { name = n; uuid = v; }) cfg.whitelist.list)); + (lib.mapAttrsToList (n: v: { name = n; uuid = v; }) cfg.whitelist.list)); configToml = (removeAttrs cfg.settings [ "address" "port" ]) // @@ -22,18 +19,18 @@ in { options = { services.mchprs = { - enable = mkEnableOption "MCHPRS, a Minecraft server"; + enable = lib.mkEnableOption "MCHPRS, a Minecraft server"; - declarativeSettings = mkOption { - type = types.bool; + declarativeSettings = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to use a declarative configuration for MCHPRS. ''; }; - declarativeWhitelist = mkOption { - type = types.bool; + declarativeWhitelist = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to use a declarative whitelist. @@ -42,16 +39,16 @@ in ''; }; - dataDir = mkOption { - type = types.path; + dataDir = lib.mkOption { + type = lib.types.path; default = "/var/lib/mchprs"; description = '' Directory to store MCHPRS database and other state/data files. ''; }; - openFirewall = mkOption { - type = types.bool; + openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to open ports in the firewall for the server. 
@@ -60,8 +57,8 @@ in ''; }; - maxRuntime = mkOption { - type = types.str; + maxRuntime = lib.mkOption { + type = lib.types.str; default = "infinity"; example = "7d"; description = '' @@ -73,15 +70,15 @@ in ''; }; - package = mkPackageOption pkgs "mchprs" { }; + package = lib.mkPackageOption pkgs "mchprs" { }; - settings = mkOption { - type = types.submodule { + settings = lib.mkOption { + type = lib.types.submodule { freeformType = settingsFormat.type; options = { - port = mkOption { - type = types.port; + port = lib.mkOption { + type = lib.types.port; default = 25565; description = '' Port for the server. @@ -90,8 +87,8 @@ in ''; }; - address = mkOption { - type = types.str; + address = lib.mkOption { + type = lib.types.str; default = "0.0.0.0"; description = '' Address for the server. @@ -101,8 +98,8 @@ in ''; }; - motd = mkOption { - type = types.str; + motd = lib.mkOption { + type = lib.types.str; default = "Minecraft High Performance Redstone Server"; description = '' Message of the day. @@ -111,8 +108,8 @@ in ''; }; - chat_format = mkOption { - type = types.str; + chat_format = lib.mkOption { + type = lib.types.str; default = "<{username}> {message}"; description = '' How to format chat message interpolating `username` @@ -122,8 +119,8 @@ in ''; }; - max_players = mkOption { - type = types.ints.positive; + max_players = lib.mkOption { + type = lib.types.ints.positive; default = 99999; description = '' Maximum number of simultaneous players. @@ -132,8 +129,8 @@ in ''; }; - view_distance = mkOption { - type = types.ints.positive; + view_distance = lib.mkOption { + type = lib.types.ints.positive; default = 8; description = '' Maximal distance (in chunks) between players and loaded chunks. @@ -142,8 +139,8 @@ in ''; }; - bungeecord = mkOption { - type = types.bool; + bungeecord = lib.mkOption { + type = lib.types.bool; default = false; description = '' Enable compatibility with 
@@ -153,8 +150,8 @@ in ''; }; - schemati = mkOption { - type = types.bool; + schemati = lib.mkOption { + type = lib.types.bool; default = false; description = '' Mimic the verification and directory layout used by the @@ -165,8 +162,8 @@ in ''; }; - block_in_hitbox = mkOption { - type = types.bool; + block_in_hitbox = lib.mkOption { + type = lib.types.bool; default = true; description = '' Allow placing blocks inside of players @@ -176,8 +173,8 @@ in ''; }; - auto_redpiler = mkOption { - type = types.bool; + auto_redpiler = lib.mkOption { + type = lib.types.bool; default = true; description = '' Use redpiler automatically. @@ -196,8 +193,8 @@ in }; whitelist = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether or not the whitelist (in `whitelist.json`) shoud be enabled. @@ -205,17 +202,17 @@ in ''; }; - list = mkOption { + list = lib.mkOption { type = let - minecraftUUID = types.strMatching + minecraftUUID = lib.types.strMatching "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" // { description = "Minecraft UUID"; }; in - types.attrsOf minecraftUUID; + lib.types.attrsOf minecraftUUID; default = { }; - example = literalExpression '' + example = lib.literalExpression '' { username1 = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"; username2 = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"; @@ -235,7 +232,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { users.users.mchprs = { description = "MCHPRS service user"; home = cfg.dataDir; @@ -326,11 +323,11 @@ in ''); }; - networking.firewall = mkIf (cfg.declarativeSettings && cfg.openFirewall) { + networking.firewall = lib.mkIf (cfg.declarativeSettings && cfg.openFirewall) { allowedUDPPorts = [ cfg.settings.port ]; allowedTCPPorts = [ cfg.settings.port ]; }; }; - meta.maintainers = with maintainers; [ gdd ]; + meta.maintainers = with lib.maintainers; [ gdd ]; } 
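Review bot: The `whitelist.enable` description in the `@@ -196,8 +193,8 @@` hunk reads `shoud be enabled`; it is a context line here, so the typo could be fixed in a follow-up as `should be enabled`. Everything else in these hunks is the mechanical `lib.` prefixing and looks consistent.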
From e7095ad753dd5a78b498a9f1441ef55e0fb72ca1 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:26 +0100 Subject: [PATCH 37/44] nixos/services.actkbd: remove `with lib;` --- nixos/modules/services/hardware/actkbd.nix | 37 ++++++++++------------ 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/nixos/modules/services/hardware/actkbd.nix b/nixos/modules/services/hardware/actkbd.nix index 335e9b2fdf5ae..1bd8c4090d3c5 100644 --- a/nixos/modules/services/hardware/actkbd.nix +++ b/nixos/modules/services/hardware/actkbd.nix @@ -1,15 +1,12 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.actkbd; configFile = pkgs.writeText "actkbd.conf" '' - ${concatMapStringsSep "\n" + ${lib.concatMapStringsSep "\n" ({ keys, events, attributes, command, ... }: - ''${concatMapStringsSep "+" toString keys}:${concatStringsSep "," events}:${concatStringsSep "," attributes}:${command}'' + ''${lib.concatMapStringsSep "+" toString keys}:${lib.concatStringsSep "," events}:${lib.concatStringsSep "," attributes}:${command}'' ) cfg.bindings} ${cfg.extraConfig} @@ -18,25 +15,25 @@ let bindingCfg = { ... }: { options = { - keys = mkOption { - type = types.listOf types.int; + keys = lib.mkOption { + type = lib.types.listOf lib.types.int; description = "List of keycodes to match."; }; - events = mkOption { - type = types.listOf (types.enum ["key" "rep" "rel"]); + events = lib.mkOption { + type = lib.types.listOf (lib.types.enum ["key" "rep" "rel"]); default = [ "key" ]; description = "List of events to match."; }; - attributes = mkOption { - type = types.listOf types.str; + attributes = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ "exec" ]; description = "List of attributes."; }; - command = mkOption { - type = types.str; + command = lib.mkOption { + type = lib.types.str; default = ""; description = "What to run."; }; 
@@ -54,8 +51,8 @@ in services.actkbd = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to enable the {command}`actkbd` key mapping daemon. @@ -71,8 +68,8 @@ in ''; }; - bindings = mkOption { - type = types.listOf (types.submodule bindingCfg); + bindings = lib.mkOption { + type = lib.types.listOf (lib.types.submodule bindingCfg); default = []; example = lib.literalExpression '' [ { keys = [ 113 ]; events = [ "key" ]; command = "''${pkgs.alsa-utils}/bin/amixer -q set Master toggle"; } @@ -87,8 +84,8 @@ in ''; }; - extraConfig = mkOption { - type = types.lines; + extraConfig = lib.mkOption { + type = lib.types.lines; default = ""; description = '' Literal contents to append to the end of actkbd configuration file. @@ -102,7 +99,7 @@ in ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { services.udev.packages = lib.singleton (pkgs.writeTextFile { name = "actkbd-udev-rules"; From 5cbb902a798d8e576d92aaf0a81b99792eb714cb Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:26 +0100 Subject: [PATCH 38/44] nixos/hardware.sane.brscan4: remove `with lib;` --- .../hardware/sane_extra_backends/brscan4.nix | 33 +++++++++---------- 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix b/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix index 8f9998108406b..377216d1f4313 100644 --- a/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix +++ b/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix @@ -1,11 +1,8 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.hardware.sane.brscan4; - netDeviceList = attrValues cfg.netDevices; + netDeviceList = lib.attrValues cfg.netDevices; etcFiles = pkgs.callPackage ./brscan4_etc_files.nix { netDevices = netDeviceList; }; 
@@ -13,8 +10,8 @@ let options = { - name = mkOption { - type = types.str; + name = lib.mkOption { + type = lib.types.str; description = '' The friendly name you give to the network device. If undefined, the name of attribute will be used. @@ -23,8 +20,8 @@ let example = "office1"; }; - model = mkOption { - type = types.str; + model = lib.mkOption { + type = lib.types.str; description = '' The model of the network device. ''; @@ -32,8 +29,8 @@ let example = "MFC-7860DW"; }; - ip = mkOption { - type = with types; nullOr str; + ip = lib.mkOption { + type = with lib.types; nullOr str; default = null; description = '' The ip address of the device. If undefined, you will have to @@ -43,8 +40,8 @@ let example = "192.168.1.2"; }; - nodename = mkOption { - type = with types; nullOr str; + nodename = lib.mkOption { + type = with lib.types; nullOr str; default = null; description = '' The node name of the device. If undefined, you will have to @@ -58,7 +55,7 @@ let config = - { name = mkDefault name; + { name = lib.mkDefault name; }; }; @@ -68,20 +65,20 @@ in options = { hardware.sane.brscan4.enable = - mkEnableOption "Brother's brscan4 scan backend" // { + lib.mkEnableOption "Brother's brscan4 scan backend" // { description = '' When enabled, will automatically register the "brscan4" sane backend and bring configuration files to their expected location. ''; }; - hardware.sane.brscan4.netDevices = mkOption { + hardware.sane.brscan4.netDevices = lib.mkOption { default = {}; example = { office1 = { model = "MFC-7860DW"; ip = "192.168.1.2"; }; office2 = { model = "MFC-7860DW"; nodename = "BRW0080927AFBCE"; }; }; - type = with types; attrsOf (submodule netDeviceOpts); + type = with lib.types; attrsOf (submodule netDeviceOpts); description = '' The list of network devices that will be registered against the brscan4 sane backend. 
@@ -89,7 +86,7 @@ in }; }; - config = mkIf (config.hardware.sane.enable && cfg.enable) { + config = lib.mkIf (config.hardware.sane.enable && cfg.enable) { hardware.sane.extraBackends = [ pkgs.brscan4 @@ -99,7 +96,7 @@ in { source = "${etcFiles}/etc/opt/brother/scanner/brscan4"; }; assertions = [ - { assertion = all (x: !(null != x.ip && null != x.nodename)) netDeviceList; + { assertion = lib.all (x: !(null != x.ip && null != x.nodename)) netDeviceList; message = '' When describing a network device as part of the attribute list `hardware.sane.brscan4.netDevices`, only one of its `ip` or `nodename` From bbea258a9dc6ccf7e776f3523337796ae037631b Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:26 +0100 Subject: [PATCH 39/44] nixos/hardware.sane.brscan5: remove `with lib;` --- .../hardware/sane_extra_backends/brscan5.nix | 33 +++++++++---------- 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix b/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix index 5236970337d84..38330eb692156 100644 --- a/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix +++ b/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix @@ -1,11 +1,8 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.hardware.sane.brscan5; - netDeviceList = attrValues cfg.netDevices; + netDeviceList = lib.attrValues cfg.netDevices; etcFiles = pkgs.callPackage ./brscan5_etc_files.nix { netDevices = netDeviceList; }; @@ -13,8 +10,8 @@ let options = { - name = mkOption { - type = types.str; + name = lib.mkOption { + type = lib.types.str; description = '' The friendly name you give to the network device. If undefined, the name of attribute will be used. @@ -23,8 +20,8 @@ let example = "office1"; }; - model = mkOption { - type = types.str; + model = lib.mkOption { + type = lib.types.str; description = '' The model of the network device. ''; 
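Review bot: The assertion in the `@@ -99,7 +96,7 @@` hunk, `lib.all (x: !(null != x.ip && null != x.nodename)) netDeviceList`, rejects a device with both `ip` and `nodename` set but accepts one with neither, although both options default to `null`. If, as their descriptions suggest, one of the two is needed to reach the scanner, the check should be `lib.all (x: (x.ip != null) != (x.nodename != null)) netDeviceList` with the message adjusted to say exactly one must be given. The brscan5 module in the next patch carries the identical assertion and would need the same change.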
@@ -32,8 +29,8 @@ let example = "ADS-1200"; }; - ip = mkOption { - type = with types; nullOr str; + ip = lib.mkOption { + type = with lib.types; nullOr str; default = null; description = '' The ip address of the device. If undefined, you will have to @@ -43,8 +40,8 @@ let example = "192.168.1.2"; }; - nodename = mkOption { - type = with types; nullOr str; + nodename = lib.mkOption { + type = with lib.types; nullOr str; default = null; description = '' The node name of the device. If undefined, you will have to @@ -58,7 +55,7 @@ let config = - { name = mkDefault name; + { name = lib.mkDefault name; }; }; @@ -68,15 +65,15 @@ in options = { hardware.sane.brscan5.enable = - mkEnableOption "the Brother brscan5 sane backend"; + lib.mkEnableOption "the Brother brscan5 sane backend"; - hardware.sane.brscan5.netDevices = mkOption { + hardware.sane.brscan5.netDevices = lib.mkOption { default = {}; example = { office1 = { model = "MFC-7860DW"; ip = "192.168.1.2"; }; office2 = { model = "MFC-7860DW"; nodename = "BRW0080927AFBCE"; }; }; - type = with types; attrsOf (submodule netDeviceOpts); + type = with lib.types; attrsOf (submodule netDeviceOpts); description = '' The list of network devices that will be registered against the brscan5 sane backend. @@ -84,7 +81,7 @@ in }; }; - config = mkIf (config.hardware.sane.enable && cfg.enable) { + config = lib.mkIf (config.hardware.sane.enable && cfg.enable) { hardware.sane.extraBackends = [ pkgs.brscan5 @@ -97,7 +94,7 @@ in environment.etc."sane.d/dll.d/brother5.conf".source = "${pkgs.brscan5}/etc/sane.d/dll.d/brother5.conf"; assertions = [ - { assertion = all (x: !(null != x.ip && null != x.nodename)) netDeviceList; + { assertion = lib.all (x: !(null != x.ip && null != x.nodename)) netDeviceList; message = '' When describing a network device as part of the attribute list `hardware.sane.brscan5.netDevices`, only one of its `ip` or `nodename` From 21a586465750ebcde06855fa8621650cceac95a5 Mon Sep 17 00:00:00 2001 
From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:26 +0100 Subject: [PATCH 40/44] nixos/hardware.sane.dsseries: remove `with lib;` --- .../services/hardware/sane_extra_backends/dsseries.nix | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/hardware/sane_extra_backends/dsseries.nix b/nixos/modules/services/hardware/sane_extra_backends/dsseries.nix index d71a17f5ea6b4..49de9d94b427d 100644 --- a/nixos/modules/services/hardware/sane_extra_backends/dsseries.nix +++ b/nixos/modules/services/hardware/sane_extra_backends/dsseries.nix @@ -1,12 +1,9 @@ { config, lib, pkgs, ... }: - -with lib; - { options = { hardware.sane.dsseries.enable = - mkEnableOption "Brother DSSeries scan backend" // { + lib.mkEnableOption "Brother DSSeries scan backend" // { description = '' When enabled, will automatically register the "dsseries" SANE backend. @@ -16,7 +13,7 @@ with lib; }; }; - config = mkIf (config.hardware.sane.enable && config.hardware.sane.dsseries.enable) { + config = lib.mkIf (config.hardware.sane.enable && config.hardware.sane.dsseries.enable) { hardware.sane.extraBackends = [ pkgs.dsseries ]; services.udev.packages = [ pkgs.dsseries ]; From a5b237c027e1f052e342f1a9adc48714ead7a61c Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:26 +0100 Subject: [PATCH 41/44] nixos/services.trezord: remove `with lib;` --- nixos/modules/services/hardware/trezord.nix | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/nixos/modules/services/hardware/trezord.nix b/nixos/modules/services/hardware/trezord.nix index 097acb03631fe..b7642e476936a 100644 --- a/nixos/modules/services/hardware/trezord.nix +++ b/nixos/modules/services/hardware/trezord.nix @@ -1,6 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; let cfg = config.services.trezord; in { 
@@ -15,24 +13,24 @@ in { options = { services.trezord = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Enable Trezor bridge daemon, for use with Trezor hardware bitcoin wallets. ''; }; - emulator.enable = mkOption { - type = types.bool; + emulator.enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Enable Trezor emulator support. ''; }; - emulator.port = mkOption { - type = types.port; + emulator.port = lib.mkOption { + type = lib.types.port; default = 21324; description = '' Listening port for the Trezor emulator. @@ -43,7 +41,7 @@ in { ### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { services.udev.packages = [ pkgs.trezor-udev-rules ]; systemd.services.trezord = { @@ -53,7 +51,7 @@ in { path = []; serviceConfig = { Type = "simple"; - ExecStart = "${pkgs.trezord}/bin/trezord-go ${optionalString cfg.emulator.enable "-e ${builtins.toString cfg.emulator.port}"}"; + ExecStart = "${pkgs.trezord}/bin/trezord-go ${lib.optionalString cfg.emulator.enable "-e ${builtins.toString cfg.emulator.port}"}"; User = "trezord"; }; }; From 3344c302e25f7e7e7a493e2dfebec42373709079 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:26 +0100 Subject: [PATCH 42/44] nixos/services.usbrelayd: remove `with lib;` --- nixos/modules/services/hardware/usbrelayd.nix | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/nixos/modules/services/hardware/usbrelayd.nix b/nixos/modules/services/hardware/usbrelayd.nix index 31e56ab1d16c6..38047c4e44cab 100644 --- a/nixos/modules/services/hardware/usbrelayd.nix +++ b/nixos/modules/services/hardware/usbrelayd.nix 
@@ -1,13 +1,12 @@ { config, lib, pkgs, ... }: -with lib; let cfg = config.services.usbrelayd; in { - options.services.usbrelayd = with types; { - enable = mkEnableOption "USB Relay MQTT daemon"; + options.services.usbrelayd = with lib.types; { + enable = lib.mkEnableOption "USB Relay MQTT daemon"; - broker = mkOption { + broker = lib.mkOption { type = str; description = "Hostname or IP address of your MQTT Broker."; default = "127.0.0.1"; @@ -17,14 +16,14 @@ in ]; }; - clientName = mkOption { + clientName = lib.mkOption { type = str; description = "Name, your client connects as."; default = "MyUSBRelay"; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.etc."usbrelayd.conf".text = '' [MQTT] From 9709ae3d48abf5d8c47625539e551d195c929d17 Mon Sep 17 00:00:00 2001 From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:26 +0100 Subject: [PATCH 43/44] nixos/services.ebusd: remove `with lib;` --- .../services/home-automation/ebusd.nix | 79 +++++++++---------- 1 file changed, 38 insertions(+), 41 deletions(-) diff --git a/nixos/modules/services/home-automation/ebusd.nix b/nixos/modules/services/home-automation/ebusd.nix index 97d1e2796adab..0a83bed6ff011 100644 --- a/nixos/modules/services/home-automation/ebusd.nix +++ b/nixos/modules/services/home-automation/ebusd.nix @@ -1,20 +1,17 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.ebusd; in { - meta.maintainers = with maintainers; [ nathan-gs ]; + meta.maintainers = with lib.maintainers; [ nathan-gs ]; options.services.ebusd = { - enable = mkEnableOption "ebusd, a daemon for communication with eBUS heating systems"; + enable = lib.mkEnableOption "ebusd, a daemon for communication with eBUS heating systems"; - package = mkPackageOption pkgs "ebusd" { }; + package = lib.mkPackageOption pkgs "ebusd" { }; - device = mkOption { - type = types.str; + device = lib.mkOption { + type = lib.types.str; default = ""; example = "IP:PORT"; description = '' 
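Review bot: In the first usbrelayd hunk the options attrset still opens with `with lib.types;` so `type = str;` on `broker` and `clientName` keeps depending on scope injection, which is the pattern this series is removing; writing `type = lib.types.str;` on both would let the `with` go entirely. The same shape survives in the evcc hunk of PATCH 44/44 (`options.services.evcc = with lib.types; {` with `type = listOf str;`), so the same follow-up applies there. This is a style point only; the generated configuration is unchanged either way.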
@@ -29,32 +26,32 @@ in ''; }; - port = mkOption { + port = lib.mkOption { default = 8888; - type = types.port; + type = lib.types.port; description = '' The port on which to listen on ''; }; - readonly = mkOption { - type = types.bool; + readonly = lib.mkOption { + type = lib.types.bool; default = false; description = '' Only read from device, never write to it ''; }; - configpath = mkOption { - type = types.str; + configpath = lib.mkOption { + type = lib.types.str; default = "https://cfg.ebusd.eu/"; description = '' Directory to read CSV config files from. This can be a local folder or a URL. ''; }; - scanconfig = mkOption { - type = types.str; + scanconfig = lib.mkOption { + type = lib.types.str; default = "full"; description = '' Pick CSV config files matching initial scan ("none" or empty for no initial scan message, "full" for full scan, or a single hex address to scan, default is to send a broadcast ident message). 
@@ -67,61 +64,61 @@ in # "all" must come first so it can be overridden by more specific areas areas = [ "all" "main" "network" "bus" "update" "other" ]; levels = [ "none" "error" "notice" "info" "debug" ]; - in listToAttrs (map (area: nameValuePair area (mkOption { - type = types.enum levels; + in lib.listToAttrs (map (area: lib.nameValuePair area (lib.mkOption { + type = lib.types.enum levels; default = "notice"; example = "debug"; description = '' - Only write log for matching `AREA`s (${concatStringsSep "|" areas}) below or equal to `LEVEL` (${concatStringsSep "|" levels}) + Only write log for matching `AREA`s (${lib.concatStringsSep "|" areas}) below or equal to `LEVEL` (${lib.concatStringsSep "|" levels}) ''; })) areas); mqtt = { - enable = mkEnableOption "support for MQTT"; + enable = lib.mkEnableOption "support for MQTT"; - host = mkOption { - type = types.str; + host = lib.mkOption { + type = lib.types.str; default = "localhost"; description = '' Connect to MQTT broker on HOST. ''; }; - port = mkOption { + port = lib.mkOption { default = 1883; - type = types.port; + type = lib.types.port; description = '' The port on which to connect to MQTT ''; }; - home-assistant = mkOption { - type = types.bool; + home-assistant = lib.mkOption { + type = lib.types.bool; default = false; description = '' Adds the Home Assistant topics to MQTT, read more at [MQTT Integration](https://github.com/john30/ebusd/wiki/MQTT-integration) ''; }; - retain = mkEnableOption "set the retain flag on all topics instead of only selected global ones"; + retain = lib.mkEnableOption "set the retain flag on all topics instead of only selected global ones"; - user = mkOption { - type = types.str; + user = lib.mkOption { + type = lib.types.str; description = '' The MQTT user to use ''; }; - password = mkOption { - type = types.str; + password = lib.mkOption { + type = lib.types.str; description = '' The MQTT password. 
''; }; }; - extraArguments = mkOption { - type = types.listOf types.str; + extraArguments = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = '' Extra arguments to the ebus daemon @@ -130,41 +127,41 @@ in }; config = let - usesDev = hasPrefix "/" cfg.device; - in mkIf cfg.enable { + usesDev = lib.hasPrefix "/" cfg.device; + in lib.mkIf cfg.enable { systemd.services.ebusd = { description = "EBUSd Service"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { ExecStart = let - args = cli.toGNUCommandLineShell { optionValueSeparator = "="; } (foldr (a: b: a // b) { } [ + args = lib.cli.toGNUCommandLineShell { optionValueSeparator = "="; } (lib.foldr (a: b: a // b) { } [ { inherit (cfg) device port configpath scanconfig readonly; foreground = true; updatecheck = "off"; - log = mapAttrsToList (name: value: "${name}:${value}") cfg.logs; + log = lib.mapAttrsToList (name: value: "${name}:${value}") cfg.logs; mqttretain = cfg.mqtt.retain; } - (optionalAttrs cfg.mqtt.enable { + (lib.optionalAttrs cfg.mqtt.enable { mqtthost = cfg.mqtt.host; mqttport = cfg.mqtt.port; mqttuser = cfg.mqtt.user; mqttpass = cfg.mqtt.password; }) - (optionalAttrs cfg.mqtt.home-assistant { + (lib.optionalAttrs cfg.mqtt.home-assistant { mqttint = "${cfg.package}/etc/ebusd/mqtt-hassio.cfg"; mqttjson = true; }) ]); - in "${cfg.package}/bin/ebusd ${args} ${escapeShellArgs cfg.extraArguments}"; + in "${cfg.package}/bin/ebusd ${args} ${lib.escapeShellArgs cfg.extraArguments}"; DynamicUser = true; Restart = "on-failure"; # Hardening CapabilityBoundingSet = ""; - DeviceAllow = optionals usesDev [ cfg.device ]; + DeviceAllow = lib.optionals usesDev [ cfg.device ]; DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = false; From d013bf0d553b9e3452f1a8e676882986fd39001f Mon Sep 17 00:00:00 2001 
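Review bot: The MQTT password still travels on the command line: in the `ExecStart` binding of the `@@ -130,41 +127,41 @@` hunk, `mqttpass = cfg.mqtt.password` is folded into `args` by `lib.cli.toGNUCommandLineShell`, so the secret ends up in the generated unit file (and therefore in the Nix store) and in the daemon's argument list. The commit only re-qualifies the helpers, so this is pre-existing, but the `password` option it touches in the preceding `@@ -67,61 +64,61 @@` hunk is a plain `lib.types.str` with no file-based alternative. If ebusd can read the password from a file or the environment, a `mqtt.passwordFile` option delivered through systemd's `LoadCredential=` would keep it out of the store and the process list; at minimum the option description should carry a sentence such as `This value is written to the Nix store and is visible in the process arguments; prefer a file-based secret where possible.`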
From: Felix Buehler Date: Sun, 8 Dec 2024 13:18:26 +0100 Subject: [PATCH 44/44] nixos/services.evcc: remove `with lib;` --- nixos/modules/services/home-automation/evcc.nix | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/nixos/modules/services/home-automation/evcc.nix b/nixos/modules/services/home-automation/evcc.nix index a952437b1b56e..5e97b8c90d238 100644 --- a/nixos/modules/services/home-automation/evcc.nix +++ b/nixos/modules/services/home-automation/evcc.nix @@ -3,9 +3,6 @@ , config , ... }: - -with lib; - let cfg = config.services.evcc; @@ -18,10 +15,10 @@ in { meta.maintainers = with lib.maintainers; [ hexa ]; - options.services.evcc = with types; { - enable = mkEnableOption "EVCC, the extensible EV Charge Controller with PV integration"; + options.services.evcc = with lib.types; { + enable = lib.mkEnableOption "EVCC, the extensible EV Charge Controller with PV integration"; - extraArgs = mkOption { + extraArgs = lib.mkOption { type = listOf str; default = []; description = '' @@ -29,7 +26,7 @@ in ''; }; - settings = mkOption { + settings = lib.mkOption { type = format.type; description = '' evcc configuration as a Nix attribute set. @@ -39,7 +36,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.services.evcc = { wants = [ "network-online.target" ]; after = [ @@ -54,7 +51,7 @@ in getent ]; serviceConfig = { - ExecStart = "${package}/bin/evcc --config ${configFile} ${escapeShellArgs cfg.extraArgs}"; + ExecStart = "${package}/bin/evcc --config ${configFile} ${lib.escapeShellArgs cfg.extraArgs}"; CapabilityBoundingSet = [ "" ]; DeviceAllow = [ "char-ttyUSB"