push sheeet

This commit is contained in:
Dark Steveneq
2025-10-09 14:15:47 +02:00
commit 646b892680
49168 changed files with 5897842 additions and 0 deletions


@@ -0,0 +1,91 @@
# Maintainers
- Note: We could always use more contributors, testers, etc. E.g.:
- Dedicated maintainers for the NixOS stable channel
- PRs with cleanups, improvements, fixes, etc. (but please try to make reviews
as easy as possible)
- People who handle stale issues/PRs
- Other relevant packages:
- `google-chrome`: Updated via Chromium's `upstream-info.nix`.
- `ungoogled-chromium`: A patch set for Chromium, that has its own entry in Chromium's `upstream-info.nix`.
- `chromedriver`: Updated via Chromium's `upstream-info.nix` and not built
from source. Must match Chromium's major version.
- `electron-source`: Various versions of electron that are built from source using Chromium's
`-unwrapped` derivation, due to electron being based on Chromium.
# Upstream links
- Source code: https://source.chromium.org/chromium/chromium/src
- Bugs: https://bugs.chromium.org/p/chromium/issues/list
- Release updates: https://chromereleases.googleblog.com/
- Available as Atom or RSS feed (filter for
"Stable Channel Update for Desktop")
- Release API: https://developer.chrome.com/docs/versionhistory/guide/
- Release schedule: https://chromiumdash.appspot.com/schedule
# Updating Chromium
Simply run `./pkgs/applications/networking/browsers/chromium/update.py` to
update `upstream-info.nix`. After updates it is important to test at least
`nixosTests.chromium` (or basic manual testing) and `google-chrome` (which
reuses `upstream-info.nix`).
Note: The source tarball is often only available a few hours after the release
was announced. The CI/CD status can be tracked here:
- https://ci.chromium.org/p/infra/builders/cron/publish_tarball
- https://ci.chromium.org/p/infra/builders/cron/publish_tarball_dispatcher
To run all automated NixOS VM tests for Chromium, ungoogled-chromium,
and Google Chrome (not recommended, currently 6x tests!):
```
nix-build nixos/tests/chromium.nix
```
A single test can be selected, e.g. to test `ungoogled-chromium` (see
`channelMap` in `nixos/tests/chromium.nix` for all available options):
```
nix-build nixos/tests/chromium.nix -A ungoogled
```
(Note: Testing Google Chrome requires `export NIXPKGS_ALLOW_UNFREE=1`.)
For custom builds it's possible to "override" `channelMap`.
## Backports
All updates are considered security critical and should be ported to the stable
channel ASAP. When there is a new stable release the old one should receive
security updates for roughly one month. After that it is important to mark
Chromium as insecure (see 69e4ae56c4b for an example; it is important that the
tested job still succeeds and that all browsers that use `upstream-info.nix`
are marked as insecure).
## Major version updates
Unfortunately, Chromium regularly breaks on major updates and might need
various patches. Either due to issues with the Nix build sandbox (e.g. we cannot
fetch dependencies via the network and do not use standard FHS paths) or due to
missing upstream fixes that need to be backported.
Good sources for such patches and other hints:
- https://github.com/archlinux/svntogit-packages/tree/packages/chromium/trunk
- https://gitweb.gentoo.org/repo/gentoo.git/tree/www-client/chromium
- https://src.fedoraproject.org/rpms/chromium/tree/master
If the build fails immediately due to unknown compiler flags this usually means
that a new major release of LLVM is required.
## Beta and Dev channels
Those channels are only used to test and fix builds in advance. They may be
broken at times and must not delay stable channel updates.
# Testing
Useful tests:
- Version: chrome://version/
- GPU acceleration: chrome://gpu/
- Essential functionality: Browsing, extensions, video+audio, JS, ...
- WebGL: https://get.webgl.org/
- VA-API: https://wiki.archlinux.org/index.php/chromium#Hardware_video_acceleration
- Optional: Widevine CDM (proprietary), Benchmarks, Ozone, etc.


@@ -0,0 +1,122 @@
{
lib,
mkChromiumDerivation,
chromiumVersionAtLeast,
enableWideVine,
ungoogled,
}:
mkChromiumDerivation (base: rec {
name = "chromium-browser";
packageName = "chromium";
buildTargets = [
"chrome_sandbox"
"chrome"
];
outputs = [
"out"
"sandbox"
];
sandboxExecutableName = "__chromium-suid-sandbox";
installPhase = ''
mkdir -p "$libExecPath"
cp -v "$buildPath/"*.so "$buildPath/"*.pak "$buildPath/"*.bin "$libExecPath/"
cp -v "$buildPath/libvulkan.so.1" "$libExecPath/"
cp -v "$buildPath/vk_swiftshader_icd.json" "$libExecPath/"
cp -v "$buildPath/icudtl.dat" "$libExecPath/"
cp -vLR "$buildPath/locales" "$buildPath/resources" "$libExecPath/"
cp -v "$buildPath/chrome_crashpad_handler" "$libExecPath/"
cp -v "$buildPath/chrome" "$libExecPath/$packageName"
# Swiftshader
# See https://stackoverflow.com/a/4264351/263061 for the find invocation.
if [ -n "$(find "$buildPath/swiftshader/" -maxdepth 1 -name '*.so' -print -quit)" ]; then
echo "Swiftshader files found; installing"
mkdir -p "$libExecPath/swiftshader"
cp -v "$buildPath/swiftshader/"*.so "$libExecPath/swiftshader/"
else
echo "Swiftshader files not found"
fi
mkdir -p "$sandbox/bin"
cp -v "$buildPath/chrome_sandbox" "$sandbox/bin/${sandboxExecutableName}"
mkdir -vp "$out/share/man/man1"
cp -v "$buildPath/chrome.1" "$out/share/man/man1/$packageName.1"
for icon_file in chrome/app/theme/chromium/product_logo_*[0-9].png; do
num_and_suffix="''${icon_file##*logo_}"
icon_size="''${num_and_suffix%.*}"
expr "$icon_size" : "^[0-9][0-9]*$" || continue
logo_output_prefix="$out/share/icons/hicolor"
logo_output_path="$logo_output_prefix/''${icon_size}x''${icon_size}/apps"
mkdir -vp "$logo_output_path"
cp -v "$icon_file" "$logo_output_path/$packageName.png"
done
# Install Desktop Entry
install -D chrome/installer/linux/common/desktop.template \
$out/share/applications/chromium-browser.desktop
substituteInPlace $out/share/applications/chromium-browser.desktop \
--replace "@@MENUNAME@@" "Chromium" \
--replace "@@PACKAGE@@" "chromium" \
--replace "Exec=/usr/bin/@@USR_BIN_SYMLINK_NAME@@" "Exec=chromium"
# Append more mime types to the end
sed -i '/^MimeType=/ s,$,x-scheme-handler/webcal;x-scheme-handler/mailto;x-scheme-handler/about;x-scheme-handler/unknown,' \
$out/share/applications/chromium-browser.desktop
# See https://github.com/NixOS/nixpkgs/issues/12433
sed -i \
-e '/\[Desktop Entry\]/a\' \
-e 'StartupWMClass=chromium-browser' \
$out/share/applications/chromium-browser.desktop
'';
passthru = { inherit sandboxExecutableName; };
requiredSystemFeatures = [ "big-parallel" ];
meta = {
description =
"Open source web browser from Google"
+ lib.optionalString ungoogled ", with dependencies on Google web services removed";
longDescription = ''
Chromium is an open source web browser from Google that aims to build a
safer, faster, and more stable way for all Internet users to experience
the web. It has a minimalist user interface and provides the vast majority
of source code for Google Chrome (which has some additional features).
'';
homepage =
if ungoogled then
"https://github.com/ungoogled-software/ungoogled-chromium"
else
"https://www.chromium.org/";
# Maintainer pings for this derivation are highly unreliable.
# If you add yourself as maintainer here, please also add yourself as CODEOWNER.
maintainers =
with lib.maintainers;
if ungoogled then
[
networkexception
emilylange
]
else
[
networkexception
emilylange
];
license = if enableWideVine then lib.licenses.unfree else lib.licenses.bsd3;
platforms = lib.platforms.linux;
mainProgram = "chromium";
hydraPlatforms = [
"aarch64-linux"
"x86_64-linux"
];
timeout = 172800; # 48 hours (increased from the Hydra default of 10h)
};
})
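Review bot: The desktop-entry rewrite via `substituteInPlace $out/share/applications/chromium-browser.desktop` uses plain `--replace`, which does not fail when a marker is absent, so a change to upstream's `desktop.template` would ship a `.desktop` file with `@@MENUNAME@@`/`@@PACKAGE@@` left in or a stale `Exec=` line without breaking the build. Switching to the failing variant surfaces that drift at build time: `--replace-fail "@@MENUNAME@@" "Chromium" \`, `--replace-fail "@@PACKAGE@@" "chromium" \`, `--replace-fail "Exec=/usr/bin/@@USR_BIN_SYMLINK_NAME@@" "Exec=chromium"`. Separately, `maintainers` branches on `ungoogled` but both branches list the same two entries, so it can collapse to `maintainers = with lib.maintainers; [ networkexception emilylange ];`, and the `chromiumVersionAtLeast` argument declared in the function header is not referenced anywhere in this file section.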


@@ -0,0 +1,897 @@
{
stdenv,
lib,
fetchpatch,
zstd,
fetchFromGitiles,
fetchNpmDeps,
buildPackages,
pkgsBuildBuild,
# Channel data:
upstream-info,
# Helper functions:
chromiumVersionAtLeast,
versionRange,
# Native build inputs:
ninja,
bashInteractive,
pkg-config,
python3,
perl,
nodejs,
npmHooks,
which,
libuuid,
overrideCC,
# postPatch:
pkgsBuildHost,
# configurePhase:
gnChromium,
symlinkJoin,
# Build inputs:
libpng,
bzip2,
flac,
speex,
libopus,
libevent,
expat,
libjpeg,
snappy,
libcap,
minizip,
libwebp,
libusb1,
re2,
ffmpeg,
libxslt,
libxml2,
nasm,
nspr,
nss,
util-linux,
alsa-lib,
bison,
gperf,
libkrb5,
glib,
gtk3,
dbus-glib,
libXScrnSaver,
libXcursor,
libXtst,
libxshmfence,
libGLU,
libGL,
dri-pkgconfig-stub,
libgbm,
pciutils,
protobuf,
speechd-minimal,
libXdamage,
at-spi2-core,
pipewire,
libva,
libdrm,
wayland,
libxkbcommon, # Ozone
curl,
libffi,
libepoxy,
libevdev,
# postPatch:
glibc, # gconv + locale
# postFixup:
vulkan-loader,
# Package customization:
cupsSupport ? true,
cups ? null,
proprietaryCodecs ? true,
pulseSupport ? false,
libpulseaudio ? null,
ungoogled ? false,
ungoogled-chromium,
# Optional dependencies:
libgcrypt ? null, # cupsSupport
systemdSupport ? lib.meta.availableOn stdenv.hostPlatform systemd,
systemd,
}:
buildFun:
let
python3WithPackages = python3.pythonOnBuildForHost.withPackages (
ps: with ps; [
ply
jinja2
setuptools
]
);
# The additional attributes for creating derivations based on the chromium
# source tree.
extraAttrs = buildFun base;
githubPatch =
{
commit,
hash,
revert ? false,
excludes ? [ ],
}:
fetchpatch {
url = "https://github.com/chromium/chromium/commit/${commit}.patch";
inherit hash revert excludes;
};
mkGnFlags =
let
# Serialize Nix types into GN types according to this document:
# https://source.chromium.org/gn/gn/+/master:docs/language.md
mkGnString = value: "\"${lib.escape [ "\"" "$" "\\" ] value}\"";
sanitize =
value:
if value == true then
"true"
else if value == false then
"false"
else if lib.isList value then
"[${lib.concatMapStringsSep ", " sanitize value}]"
else if lib.isInt value then
toString value
else if lib.isString value then
mkGnString value
else
throw "Unsupported type for GN value `${value}'.";
toFlag = key: value: "${key}=${sanitize value}";
in
attrs: lib.concatStringsSep " " (lib.attrValues (lib.mapAttrs toFlag attrs));
# https://source.chromium.org/chromium/chromium/src/+/master:build/linux/unbundle/replace_gn_files.py
gnSystemLibraries = [
# TODO:
# "ffmpeg"
# "snappy"
"flac"
"libjpeg"
"libpng"
# Use the vendored libwebp for M124+ until we figure out how to solve:
# Running phase: configurePhase
# ERROR Unresolved dependencies.
# //third_party/libavif:libavif_enc(//build/toolchain/linux/unbundle:default)
# needs //third_party/libwebp:libwebp_sharpyuv(//build/toolchain/linux/unbundle:default)
# "libwebp"
"libxml"
"libxslt" # depends on libxml, always remove or re-add as a pair
# "opus"
];
# build paths and release info
packageName = extraAttrs.packageName or extraAttrs.name;
buildType = "Release";
buildPath = "out/${buildType}";
libExecPath = "$out/libexec/${packageName}";
ungoogler = ungoogled-chromium {
inherit (upstream-info.deps.ungoogled-patches) rev hash;
};
# There currently isn't a (much) more concise way to get a stdenv
# that uses lld as its linker without bootstrapping pkgsLLVM; see
# https://github.com/NixOS/nixpkgs/issues/142901
buildPlatformLlvmStdenv =
let
llvmPackages = pkgsBuildBuild.rustc.llvmPackages;
in
overrideCC llvmPackages.stdenv (
llvmPackages.stdenv.cc.override {
inherit (llvmPackages) bintools;
}
);
chromiumRosettaStone = {
cpu =
platform:
let
name = platform.parsed.cpu.name;
in
(
{
"x86_64" = "x64";
"i686" = "x86";
"arm" = "arm";
"aarch64" = "arm64";
}
.${platform.parsed.cpu.name} or (throw "no chromium Rosetta Stone entry for cpu: ${name}")
);
os =
platform:
if platform.isLinux then
"linux"
else
throw "no chromium Rosetta Stone entry for os: ${platform.config}";
};
isElectron = packageName == "electron";
rustcVersion = buildPackages.rustc.version;
chromiumDeps = lib.mapAttrs (
path: args:
fetchFromGitiles (
removeAttrs args [ "recompress" ]
// lib.optionalAttrs args.recompress or false {
name = "source.tar.zstd";
downloadToTemp = false;
passthru.unpack = true;
nativeBuildInputs = [ zstd ];
postFetch = ''
tar \
--use-compress-program="zstd -T$NIX_BUILD_CORES" \
--sort=name \
--mtime="1970-01-01" \
--owner=root --group=root \
--numeric-owner --mode=go=rX,u+rw,a-s \
--remove-files \
--directory="$out" \
-cf "$TMPDIR/source.zstd" .
mv "$TMPDIR/source.zstd" "$out"
'';
}
)
) upstream-info.DEPS;
unpackPhaseSnippet = lib.concatStrings (
lib.mapAttrsToList (
path: dep:
(
if dep.unpack or false then
''
mkdir -p ${path}
pushd ${path}
unpackFile ${dep}
popd
''
else
''
mkdir -p ${dirOf path}
cp -r ${dep}/. ${path}
''
)
+ ''
chmod u+w -R ${path}
''
) chromiumDeps
);
base = rec {
pname = "${lib.optionalString ungoogled "ungoogled-"}${packageName}-unwrapped";
inherit (upstream-info) version;
inherit packageName buildType buildPath;
unpackPhase = ''
runHook preUnpack
${unpackPhaseSnippet}
sourceRoot=src
runHook postUnpack
'';
npmRoot = "third_party/node";
npmDeps =
(fetchNpmDeps {
src = chromiumDeps."src";
sourceRoot = npmRoot;
hash = upstream-info.deps.npmHash;
}).overrideAttrs
(p: {
nativeBuildInputs = p.nativeBuildInputs or [ ] ++ [ zstd ];
});
nativeBuildInputs = [
ninja
gnChromium
bashInteractive # needed for compgen in buildPhase -> process_template
pkg-config
python3WithPackages
perl
which
buildPackages.rustc.llvmPackages.bintools
bison
gperf
]
++ lib.optionals (!isElectron) [
nodejs
npmHooks.npmConfigHook
];
depsBuildBuild = [
buildPlatformLlvmStdenv
buildPlatformLlvmStdenv.cc
pkg-config
libuuid
]
# When cross-compiling, chromium builds a huge proportion of its
# components for both the `buildPlatform` (which it calls
# `host`) as well as for the `hostPlatform` -- easily more than
# half of the dependencies are needed here. To avoid having to
# maintain a separate list of buildPlatform-dependencies, we
# simply throw in the kitchen sink.
# ** Because of overrides, we have to copy the list as it otherwise mess with splicing **
++ [
(buildPackages.libpng.override { apngSupport = false; }) # https://bugs.chromium.org/p/chromium/issues/detail?id=752403
(buildPackages.libopus.override { withCustomModes = true; })
bzip2
flac
speex
libevent
expat
libjpeg
snappy
libcap
minizip
libwebp
libusb1
re2
ffmpeg
libxslt
libxml2
nasm
nspr
nss
util-linux
alsa-lib
libkrb5
glib
gtk3
dbus-glib
libXScrnSaver
libXcursor
libXtst
libxshmfence
libGLU
libGL
libgbm
pciutils
protobuf
speechd-minimal
libXdamage
at-spi2-core
pipewire
libva
libdrm
wayland
libxkbcommon
curl
libepoxy
libffi
libevdev
]
++ lib.optional systemdSupport systemd
++ lib.optionals cupsSupport [
libgcrypt
cups
]
++ lib.optional pulseSupport libpulseaudio;
buildInputs = [
(libpng.override { apngSupport = false; }) # https://bugs.chromium.org/p/chromium/issues/detail?id=752403
(libopus.override { withCustomModes = true; })
bzip2
flac
speex
libevent
expat
libjpeg
snappy
libcap
minizip
libwebp
libusb1
re2
ffmpeg
libxslt
libxml2
nasm
nspr
nss
util-linux
alsa-lib
libkrb5
glib
gtk3
dbus-glib
libXScrnSaver
libXcursor
libXtst
libxshmfence
libGLU
libGL
dri-pkgconfig-stub
libgbm
pciutils
protobuf
speechd-minimal
libXdamage
at-spi2-core
pipewire
libva
libdrm
wayland
libxkbcommon
curl
libepoxy
libffi
libevdev
]
++ lib.optional systemdSupport systemd
++ lib.optionals cupsSupport [
libgcrypt
cups
]
++ lib.optional pulseSupport libpulseaudio;
patches = [
./patches/cross-compile.patch
# Optional patch to use SOURCE_DATE_EPOCH in compute_build_timestamp.py (should be upstreamed):
./patches/no-build-timestamps.patch
]
++ lib.optionals (packageName == "chromium") [
# This patch is limited to chromium and ungoogled-chromium because electron-source sets
# enable_widevine to false.
#
# The patch disables the automatic Widevine download (component) that happens at runtime
# completely (~/.config/chromium/WidevineCdm/). This would happen if chromium encounters DRM
# protected content or when manually opening chrome://components.
#
# It also prevents previously downloaded Widevine blobs in that location from being loaded and
# used at all, while still allowing the use of our -wv wrapper. This is because those old
# versions are out of out our control and may be vulnerable, given we literally disable their
# auto updater.
#
# bundle_widevine_cdm is available as gn flag, but we cannot use it, as it expects a bunch of
# files Widevine files at configure/compile phase that we don't have. Changing the value of the
# BUNDLE_WIDEVINE_CDM build flag does work in the way we want though.
# We also need enable_widevine_cdm_component to be false. Unfortunately it isn't exposed as gn
# flag (declare_args) so we simply hardcode it to false.
./patches/widevine-disable-auto-download-allow-bundle.patch
]
++ [
# Required to fix the build with a more recent wayland-protocols version
# (we currently package 1.26 in Nixpkgs while Chromium bundles 1.21):
# Source: https://bugs.chromium.org/p/angleproject/issues/detail?id=7582#c1
./patches/angle-wayland-include-protocol.patch
# Chromium reads initial_preferences from its own executable directory
# This patch modifies it to read /etc/chromium/initial_preferences
./patches/chromium-initial-prefs.patch
# https://github.com/chromium/chromium/commit/02b6456643700771597c00741937e22068b0f956
# https://github.com/chromium/chromium/commit/69736ffe943ff996d4a88d15eb30103a8c854e29
# Rebased variant of patch to build M126+ with LLVM 17.
# staging-next will bump LLVM to 18, so we will be able to drop this soon.
./patches/chromium-126-llvm-17.patch
]
++ lib.optionals (!chromiumVersionAtLeast "140") [
# Partial revert of https://github.com/chromium/chromium/commit/3687976b0c6d36cf4157419a24a39f6770098d61
# allowing us to use our rustc and our clang.
./patches/chromium-129-rust.patch
]
++ lib.optionals (versionRange "140" "141") [
# Rebased variant of the patch above due to
# https://chromium-review.googlesource.com/c/chromium/src/+/6665907
./patches/chromium-140-rust.patch
]
++ lib.optionals (chromiumVersionAtLeast "141") [
# Rebased variant of the patch above due to
# https://chromium-review.googlesource.com/c/chromium/src/+/6897026
./patches/chromium-141-rust.patch
]
++ lib.optionals stdenv.hostPlatform.isAarch64 [
# Reverts decommit pooled pages which causes random crashes of tabs on systems
# with page sizes different than 4k. It 'supports' runtime page sizes, but has
# a hardcode for aarch64 systems.
# https://issues.chromium.org/issues/378017037
(fetchpatch {
name = "reverted-v8-decommit-pooled-paged-by-default.patch";
# https://chromium-review.googlesource.com/c/v8/v8/+/5864909
url = "https://chromium.googlesource.com/v8/v8/+/1ab1a14ad97394d384d8dc6de51bb229625e66d6^!?format=TEXT";
decode = "base64 -d";
stripLen = 1;
extraPrefix = "v8/";
revert = true;
hash = "sha256-PuinMLhJ2W4KPXI5K0ujw85ENTB1wG7Hv785SZ55xnY=";
})
]
++ [
# Modify the nodejs version check added in https://chromium-review.googlesource.com/c/chromium/src/+/6334038
# to look for the minimal version, not the exact version (major.minor.patch). The linked CL makes a case for
# preventing compilations of chromium with versions below their intended version, not about running the very
# exact version or even running a newer version.
./patches/chromium-136-nodejs-assert-minimal-version-instead-of-exact-match.patch
]
++ lib.optionals (chromiumVersionAtLeast "138") [
(fetchpatch {
# Unbreak building with Rust 1.89+ which introduced
# a new mismatched_lifetime_syntaxes lint.
# https://issues.chromium.org/issues/424424323
name = "chromium-138-rust-1.86-mismatched_lifetime_syntaxes.patch";
# https://chromium-review.googlesource.com/c/chromium/src/+/6658267
url = "https://chromium.googlesource.com/chromium/src/+/94a87ff38c51fd1a71980a5051d3553978391608^!?format=TEXT";
decode = "base64 -d";
includes = [ "build/rust/cargo_crate.gni" ];
hash = "sha256-xf1Jq5v3InXkiVH0uT7+h1HPwZse5MDcHKuJNjSLR6k=";
})
]
++ lib.optionals (!chromiumVersionAtLeast "138") [
# Rebased variant of the patch above for
# electron 35 (M134) and 36 (M136)
./patches/chromium-134-rust-1.86-mismatched_lifetime_syntaxes.patch
]
++ lib.optionals (chromiumVersionAtLeast "141") [
(fetchpatch {
# Fix "invalid application of 'sizeof' to an incomplete type 'blink::CSSStyleSheet'"
# by reverting https://chromium-review.googlesource.com/c/chromium/src/+/6892157
name = "chromium-141-Revert-Remove-unnecessary-include-in-tree_scope.h.patch";
url = "https://chromium.googlesource.com/chromium/src/+/0fc0e71aa1ca0419fae6d14255025543980d2cba^!?format=TEXT";
decode = "base64 -d";
revert = true;
hash = "sha256-pnEus2NHpNWZ6ZSXLgdTn+it7oy1MPZPbD8SOAKLWbw=";
})
];
postPatch =
# TODO: reuse mkGnFlags for this
# TODO: reflow
lib.optionalString (!isElectron) ''
cp ${./files/gclient_args.gni} build/config/gclient_args.gni
chmod u+w build/config/gclient_args.gni
echo 'checkout_mutter = false' >> build/config/gclient_args.gni
echo 'checkout_glic_e2e_tests = false' >> build/config/gclient_args.gni
echo 'checkout_clusterfuzz_data = false' >> build/config/gclient_args.gni
''
+ lib.optionalString (!isElectron) ''
echo 'LASTCHANGE=${upstream-info.DEPS."src".rev}-refs/tags/${version}@{#0}' > build/util/LASTCHANGE
echo "$SOURCE_DATE_EPOCH" > build/util/LASTCHANGE.committime
cat << EOF > gpu/config/gpu_lists_version.h
/* Generated by lastchange.py, do not edit.*/
#ifndef GPU_CONFIG_GPU_LISTS_VERSION_H_
#define GPU_CONFIG_GPU_LISTS_VERSION_H_
#define GPU_LISTS_VERSION "${upstream-info.DEPS."src".rev}"
#endif // GPU_CONFIG_GPU_LISTS_VERSION_H_
EOF
cat << EOF > skia/ext/skia_commit_hash.h
/* Generated by lastchange.py, do not edit.*/
#ifndef SKIA_EXT_SKIA_COMMIT_HASH_H_
#define SKIA_EXT_SKIA_COMMIT_HASH_H_
#define SKIA_COMMIT_HASH "${upstream-info.DEPS."src/third_party/skia".rev}-"
#endif // SKIA_EXT_SKIA_COMMIT_HASH_H_
EOF
echo -n '${upstream-info.DEPS."src/third_party/dawn".rev}' > gpu/webgpu/DAWN_VERSION
mkdir -p third_party/jdk/current/bin
''
+ ''
# Workaround/fix for https://bugs.chromium.org/p/chromium/issues/detail?id=1313361:
substituteInPlace BUILD.gn \
--replace '"//infra/orchestrator:orchestrator_all",' ""
# Disable build flags that require LLVM 15:
substituteInPlace build/config/compiler/BUILD.gn \
--replace '"-Xclang",' "" \
--replace '"-no-opaque-pointers",' ""
# remove unused third-party
for lib in ${toString gnSystemLibraries}; do
if [ -d "third_party/$lib" ]; then
find "third_party/$lib" -type f \
\! -path "third_party/$lib/chromium/*" \
\! -path "third_party/$lib/google/*" \
\! -path "third_party/harfbuzz-ng/utils/hb_scoped.h" \
\! -regex '.*\.\(gn\|gni\|isolate\)' \
-delete
fi
done
if [[ -e native_client/SConstruct ]]; then
# Required for patchShebangs (unsupported interpreter directive, basename: invalid option -- '*', etc.):
substituteInPlace native_client/SConstruct --replace "#! -*- python -*-" ""
fi
if [ -e third_party/harfbuzz-ng/src/src/update-unicode-tables.make ]; then
substituteInPlace third_party/harfbuzz-ng/src/src/update-unicode-tables.make \
--replace "/usr/bin/env -S make -f" "/usr/bin/make -f"
fi
if [ -e third_party/webgpu-cts/src/tools/run_deno ]; then
chmod -x third_party/webgpu-cts/src/tools/run_deno
fi
if [ -e third_party/dawn/third_party/webgpu-cts/tools/run_deno ]; then
chmod -x third_party/dawn/third_party/webgpu-cts/tools/run_deno
fi
# We want to be able to specify where the sandbox is via CHROME_DEVEL_SANDBOX
substituteInPlace sandbox/linux/suid/client/setuid_sandbox_host.cc \
--replace \
'return sandbox_binary;' \
'return base::FilePath(GetDevelSandboxPath());'
substituteInPlace services/audio/audio_sandbox_hook_linux.cc \
--replace \
'/usr/share/alsa/' \
'${alsa-lib}/share/alsa/' \
--replace \
'/usr/lib/x86_64-linux-gnu/gconv/' \
'${glibc}/lib/gconv/' \
--replace \
'/usr/share/locale/' \
'${glibc}/share/locale/'
''
+ lib.optionalString systemdSupport ''
sed -i -e '/lib_loader.*Load/s!"\(libudev\.so\)!"${lib.getLib systemd}/lib/\1!' \
device/udev_linux/udev?_loader.cc
''
+ ''
# Allow to put extensions into the system-path.
sed -i -e 's,/usr,/run/current-system/sw,' chrome/common/chrome_paths.cc
# Add final newlines to scripts that do not end with one.
# This is a temporary workaround until https://github.com/NixOS/nixpkgs/pull/255463 (or similar) has been merged,
# as patchShebangs hard-crashes when it encounters files that contain only a shebang and do not end with a final
# newline.
find . -type f -perm -0100 -exec sed -i -e '$a\' {} +
patchShebangs .
''
+ lib.optionalString ungoogled ''
# Prune binaries (ungoogled only) *before* linking our own binaries:
${ungoogler}/utils/prune_binaries.py . ${ungoogler}/pruning.list || echo "some errors"
''
+ ''
# Link to our own Node.js and Java (required during the build):
mkdir -p third_party/node/linux/node-linux-x64/bin${lib.optionalString ungoogled " third_party/jdk/current/bin/"}
ln -sf "${pkgsBuildHost.nodejs}/bin/node" third_party/node/linux/node-linux-x64/bin/node
ln -s "${pkgsBuildHost.jdk17_headless}/bin/java" third_party/jdk/current/bin/
# Allow building against system libraries in official builds
sed -i 's/OFFICIAL_BUILD/GOOGLE_CHROME_BUILD/' tools/generate_shim_headers/generate_shim_headers.py
''
+
lib.optionalString (stdenv.hostPlatform == stdenv.buildPlatform && stdenv.hostPlatform.isAarch64)
''
substituteInPlace build/toolchain/linux/BUILD.gn \
--replace 'toolprefix = "aarch64-linux-gnu-"' 'toolprefix = ""'
''
+ lib.optionalString ungoogled ''
${ungoogler}/utils/patches.py . ${ungoogler}/patches
${ungoogler}/utils/domain_substitution.py apply -r ${ungoogler}/domain_regex.list -f ${ungoogler}/domain_substitution.list -c ./ungoogled-domsubcache.tar.gz .
'';
llvmCcAndBintools = symlinkJoin {
name = "llvmCcAndBintools";
paths = [
buildPackages.rustc.llvmPackages.llvm
buildPackages.rustc.llvmPackages.stdenv.cc
];
};
gnFlags = mkGnFlags (
{
# Main build and toolchain settings:
# Create an official and optimized release build (only official builds
# should be distributed to users, as non-official builds are intended for
# development and may not be configured appropriately for production,
# e.g. unsafe developer builds have developer-friendly features that may
# weaken or disable security measures like sandboxing or ASLR):
is_official_build = true;
disable_fieldtrial_testing_config = true;
# note: chromium calls buildPlatform "host" and calls hostPlatform "target"
host_cpu = chromiumRosettaStone.cpu stdenv.buildPlatform;
host_os = chromiumRosettaStone.os stdenv.buildPlatform;
target_cpu = chromiumRosettaStone.cpu stdenv.hostPlatform;
v8_target_cpu = chromiumRosettaStone.cpu stdenv.hostPlatform;
target_os = chromiumRosettaStone.os stdenv.hostPlatform;
# Build Chromium using the system toolchain (for Linux distributions):
#
# What you would expect to be called "target_toolchain" is
# actually called either "default_toolchain" or "custom_toolchain",
# depending on which part of the codebase you are in; see:
# https://github.com/chromium/chromium/blob/d36462cc9279464395aea5e65d0893d76444a296/build/config/BUILDCONFIG.gn#L17-L44
custom_toolchain = "//build/toolchain/linux/unbundle:default";
host_toolchain = "//build/toolchain/linux/unbundle:default";
# We only build those specific toolchains when we cross-compile, as native non-cross-compilations would otherwise
# end up building much more things than they need to (roughly double the build steps and time/compute):
}
// lib.optionalAttrs (stdenv.buildPlatform != stdenv.hostPlatform) {
host_toolchain = "//build/toolchain/linux/unbundle:host";
v8_snapshot_toolchain = "//build/toolchain/linux/unbundle:host";
}
// {
host_pkg_config = "${pkgsBuildBuild.pkg-config}/bin/pkg-config";
pkg_config = "${pkgsBuildHost.pkg-config}/bin/${stdenv.cc.targetPrefix}pkg-config";
# Don't build against a sysroot image downloaded from Cloud Storage:
use_sysroot = false;
# Because we use a different toolchain / compiler version:
treat_warnings_as_errors = false;
# We aren't compiling with Chrome's Clang (would enable Chrome-specific
# plugins for enforcing coding guidelines, etc.):
clang_use_chrome_plugins = false;
# Disable symbols (they would negatively affect the performance of the
# build since the symbols are large and dealing with them is slow):
symbol_level = 0;
blink_symbol_level = 0;
# Google API key, see: https://www.chromium.org/developers/how-tos/api-keys
# Note: The API key is for NixOS/nixpkgs use ONLY.
# For your own distribution, please get your own set of keys.
google_api_key = "AIzaSyDGi15Zwl11UNe6Y-5XW_upsfyw31qwZPI";
# Optional features:
use_gio = true;
use_cups = cupsSupport;
}
// lib.optionalAttrs (!chromiumVersionAtLeast "139") {
# Feature overrides:
# Native Client support was deprecated in 2020 and support will end in June 2021:
enable_nacl = false;
}
// lib.optionalAttrs (packageName == "chromium") {
# Enabling the Widevine here doesn't affect whether we can redistribute the chromium package.
# Widevine in this drv is a bit more complex than just that. See Widevine patch somewhere above.
enable_widevine = true;
}
// {
# Provides the enable-webrtc-pipewire-capturer flag to support Wayland screen capture:
rtc_use_pipewire = true;
# Disable PGO because the profile data requires a newer compiler version (LLVM 14 isn't sufficient):
chrome_pgo_phase = 0;
clang_base_path = "${llvmCcAndBintools}";
}
// lib.optionalAttrs (chromiumVersionAtLeast "141") {
# TODO: remove opt-out of https://chromium.googlesource.com/chromium/src/+/main/docs/modules.md
use_clang_modules = false;
}
// {
use_qt5 = false;
use_qt6 = false;
# LLVM < v21 does not support --warning-suppression-mappings yet:
clang_warning_suppression_file = "";
# To fix the build as we don't provide libffi_pic.a
# (ld.lld: error: unable to find library -l:libffi_pic.a):
use_system_libffi = true;
# Use nixpkgs Rust compiler instead of the one shipped by Chromium.
rust_sysroot_absolute = "${buildPackages.rustc}";
rust_bindgen_root = "${buildPackages.rust-bindgen}";
enable_rust = true;
# While we technically don't need the cache-invalidation rustc_version provides, rustc_version
# is still used in some scripts (e.g. build/rust/std/find_std_rlibs.py).
rustc_version = rustcVersion;
}
// lib.optionalAttrs (!(stdenv.buildPlatform.canExecute stdenv.hostPlatform)) {
# https://www.mail-archive.com/v8-users@googlegroups.com/msg14528.html
arm_control_flow_integrity = "none";
}
// lib.optionalAttrs proprietaryCodecs {
# enable support for the H.264 codec
proprietary_codecs = true;
enable_hangout_services_extension = true;
ffmpeg_branding = "Chrome";
}
// lib.optionalAttrs stdenv.hostPlatform.isAarch64 {
# Enable v4l2 video decoder for hardware acceleratation on aarch64:
use_vaapi = false;
use_v4l2_codec = true;
}
// lib.optionalAttrs pulseSupport {
use_pulseaudio = true;
link_pulseaudio = true;
}
// lib.optionalAttrs ungoogled (lib.importTOML ./ungoogled-flags.toml)
// (extraAttrs.gnFlags or { })
);
preConfigure = lib.optionalString (!isElectron) ''
(
cd third_party/node
grep patch update_npm_deps | sh
)
'';
configurePhase = ''
runHook preConfigure
# This is to ensure expansion of $out.
libExecPath="${libExecPath}"
${python3.pythonOnBuildForHost}/bin/python3 build/linux/unbundle/replace_gn_files.py --system-libraries ${toString gnSystemLibraries}
gn gen --args=${lib.escapeShellArg gnFlags} out/Release | tee gn-gen-outputs.txt
# Fail if `gn gen` contains a WARNING.
grep -o WARNING gn-gen-outputs.txt && echo "Found gn WARNING, exiting nix build" && exit 1
runHook postConfigure
'';
# Chromium expects nightly/bleeding edge rustc features to be available.
# Our rustc in nixpkgs follows stable, but since bootstrapping rustc requires
# nightly features too, we can (ab-)use RUSTC_BOOTSTRAP here as well to
# enable those features in our stable builds.
env.RUSTC_BOOTSTRAP = 1;
# Mute some warnings that are enabled by default. This is useful because
# our Clang is always older than Chromium's and the build logs have a size
# of approx. 25 MB without this option (and this saves e.g. 66 %).
env.NIX_CFLAGS_COMPILE = "-Wno-unknown-warning-option -Wno-unused-command-line-argument -Wno-shadow";
env.BUILD_CC = "$CC_FOR_BUILD";
env.BUILD_CXX = "$CXX_FOR_BUILD";
env.BUILD_AR = "$AR_FOR_BUILD";
env.BUILD_NM = "$NM_FOR_BUILD";
env.BUILD_READELF = "$READELF_FOR_BUILD";
buildPhase =
let
buildCommand = target: ''
TERM=dumb ninja -C "${buildPath}" -j$NIX_BUILD_CORES "${target}"
bash -s << EOL
(
source chrome/installer/linux/common/installer.include
PACKAGE=$packageName
MENUNAME="Chromium"
process_template chrome/app/resources/manpage.1.in "${buildPath}/chrome.1"
)
EOL
'';
targets = extraAttrs.buildTargets or [ ];
commands = map buildCommand targets;
in
''
runHook preBuild
${lib.concatStringsSep "\n" commands}
runHook postBuild
'';
postFixup = ''
# Make sure that libGLESv2 and libvulkan are found by dlopen in both chromium binary and ANGLE libGLESv2.so.
# libpci (from pciutils) is needed by dlopen in angle/src/gpu_info_util/SystemInfo_libpci.cpp
for chromiumBinary in "$libExecPath/$packageName" "$libExecPath/libGLESv2.so"; do
patchelf --set-rpath "${
lib.makeLibraryPath [
libGL
vulkan-loader
pciutils
]
}:$(patchelf --print-rpath "$chromiumBinary")" "$chromiumBinary"
done
# replace bundled vulkan-loader
rm "$libExecPath/libvulkan.so.1"
ln -s -t "$libExecPath" "${lib.getLib vulkan-loader}/lib/libvulkan.so.1"
'';
passthru = {
updateScript = ./update.mjs;
}
// lib.optionalAttrs (!isElectron) {
inherit chromiumDeps npmDeps;
};
};
in
# Remove some extraAttrs we supplied to the base attributes already.
stdenv.mkDerivation (
base
// removeAttrs extraAttrs [
"name"
"gnFlags"
"buildTargets"
]
// {
passthru = base.passthru // (extraAttrs.passthru or { });
}
)


@@ -0,0 +1,219 @@
{
newScope,
config,
stdenv,
makeWrapper,
buildPackages,
ed,
gnugrep,
coreutils,
xdg-utils,
glib,
gtk3,
gtk4,
adwaita-icon-theme,
gsettings-desktop-schemas,
gn,
fetchgit,
libva,
pipewire,
wayland,
runCommand,
lib,
libkrb5,
widevine-cdm,
electron-source, # for warnObsoleteVersionConditional
# package customization
# Note: enable* flags should not require full rebuilds (i.e. only affect the wrapper)
upstream-info ?
(lib.importJSON ./info.json).${if !ungoogled then "chromium" else "ungoogled-chromium"},
proprietaryCodecs ? true,
enableWideVine ? false,
ungoogled ? false, # Whether to build chromium or ungoogled-chromium
cupsSupport ? true,
pulseSupport ? config.pulseaudio or stdenv.hostPlatform.isLinux,
commandLineArgs ? "",
pkgsBuildBuild,
pkgs,
}:
let
stdenv = pkgs.rustc.llvmPackages.stdenv;
# Helper functions for changes that depend on specific versions:
warnObsoleteVersionConditional =
min-version: result:
let
min-supported-version = (lib.head (lib.attrValues electron-source)).unwrapped.info.chromium.version;
# Warning can be toggled by changing the value of enabled:
enabled = false;
in
lib.warnIf (enabled && lib.versionAtLeast min-supported-version min-version)
"chromium: min-supported-version ${min-supported-version} is newer than a conditional bounded at ${min-version}. You can safely delete it."
result;
chromiumVersionAtLeast =
min-version:
let
result = lib.versionAtLeast upstream-info.version min-version;
in
warnObsoleteVersionConditional min-version result;
versionRange =
min-version: upto-version:
let
inherit (upstream-info) version;
result = lib.versionAtLeast version min-version && lib.versionOlder version upto-version;
in
warnObsoleteVersionConditional upto-version result;
callPackage = newScope chromium;
chromium = rec {
inherit stdenv upstream-info;
mkChromiumDerivation = callPackage ./common.nix {
inherit chromiumVersionAtLeast versionRange;
inherit
proprietaryCodecs
cupsSupport
pulseSupport
ungoogled
;
gnChromium = buildPackages.gn.override upstream-info.deps.gn;
};
browser = callPackage ./browser.nix {
inherit chromiumVersionAtLeast enableWideVine ungoogled;
};
# ungoogled-chromium is, contrary to its name, not a build of
# chromium. It is a patched copy of chromium's *source code*.
# Therefore, it needs to come from buildPackages, because it
# contains python scripts which get /nix/store/.../bin/python3
# patched into their shebangs.
ungoogled-chromium = pkgsBuildBuild.callPackage ./ungoogled.nix { };
};
sandboxExecutableName = chromium.browser.passthru.sandboxExecutableName;
# We want users to be able to enableWideVine without rebuilding all of
# chromium, so we have a separate derivation here that copies chromium
# and adds the unfree WidevineCdm.
chromiumWV =
let
browser = chromium.browser;
in
if enableWideVine then
runCommand (browser.name + "-wv") { version = browser.version; } ''
mkdir -p $out
cp -a ${browser}/* $out/
chmod u+w $out/libexec/chromium
cp -a ${widevine-cdm}/share/google/chrome/WidevineCdm $out/libexec/chromium/
''
else
browser;
in
stdenv.mkDerivation {
pname = lib.optionalString ungoogled "ungoogled-" + "chromium";
inherit (chromium.browser) version;
nativeBuildInputs = [
makeWrapper
ed
];
buildInputs = [
# needed for GSETTINGS_SCHEMAS_PATH
gsettings-desktop-schemas
glib
gtk3
gtk4
# needed for XDG_ICON_DIRS
adwaita-icon-theme
# Needed for kerberos at runtime
libkrb5
];
outputs = [
"out"
"sandbox"
];
buildCommand =
let
browserBinary = "${chromiumWV}/libexec/chromium/chromium";
libPath = lib.makeLibraryPath [
libva
pipewire
wayland
gtk3
gtk4
libkrb5
];
in
''
mkdir -p "$out/bin"
makeWrapper "${browserBinary}" "$out/bin/chromium" \
--add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime=true}}" \
--add-flags ${lib.escapeShellArg commandLineArgs}
ed -v -s "$out/bin/chromium" << EOF
2i
if [ -x "/run/wrappers/bin/${sandboxExecutableName}" ]
then
export CHROME_DEVEL_SANDBOX="/run/wrappers/bin/${sandboxExecutableName}"
else
export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}"
fi
# Make generated desktop shortcuts have a valid executable name.
export CHROME_WRAPPER='chromium'
''
+ lib.optionalString (libPath != "") ''
# To avoid loading .so files from cwd, LD_LIBRARY_PATH here must not
# contain an empty section before or after a colon.
export LD_LIBRARY_PATH="\$LD_LIBRARY_PATH\''${LD_LIBRARY_PATH:+:}${libPath}"
''
+ ''
# libredirect causes chromium to deadlock on startup
export LD_PRELOAD="\$(echo -n "\$LD_PRELOAD" | ${coreutils}/bin/tr ':' '\n' | ${gnugrep}/bin/grep -v /lib/libredirect\\\\.so$ | ${coreutils}/bin/tr '\n' ':')"
export XDG_DATA_DIRS=$XDG_ICON_DIRS:$GSETTINGS_SCHEMAS_PATH\''${XDG_DATA_DIRS:+:}\$XDG_DATA_DIRS
''
+ lib.optionalString (!xdg-utils.meta.broken) ''
# Mainly for xdg-open but also other xdg-* tools (this is only a fallback; \$PATH is suffixed so that other implementations can be used):
export PATH="\$PATH\''${PATH:+:}${xdg-utils}/bin"
''
+ ''
.
w
EOF
ln -sv "${chromium.browser.sandbox}" "$sandbox"
ln -s "$out/bin/chromium" "$out/bin/chromium-browser"
mkdir -p "$out/share"
for f in '${chromium.browser}'/share/*; do # hello emacs */
ln -s -t "$out/share/" "$f"
done
'';
inherit (chromium.browser) packageName;
meta = chromium.browser.meta;
passthru = {
inherit (chromium) upstream-info browser;
mkDerivation = chromium.mkChromiumDerivation;
inherit sandboxExecutableName;
};
}
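Review bot: The `else` branch of the `ed` script, `export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}"`, points at a store path, which can never be setuid, so that fallback presumably only works on kernels where Chromium can use its user-namespace sandbox instead; where unprivileged user namespaces are disabled Chromium is expected to refuse to start rather than run unsandboxed. That is the desirable failure mode, but the wrapper does not say so, and the asymmetry with the `/run/wrappers/bin` path is easy to misread as a bug. A comment on the `else` line would make the intent explicit: `# $sandbox is a plain store path (not setuid): Chromium only accepts it where the user-namespace sandbox is available; /run/wrappers/bin holds the setuid helper installed by the NixOS module.`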


@@ -0,0 +1,122 @@
#! /usr/bin/env nix-shell
#! nix-shell -i python -p python3
"""
This is a heavily simplified variant of electron's update.py
for use in ./update.mjs and should not be called manually.
It resolves chromium's DEPS file recursively when called with
a working depot_tools checkout and a ref to fetch and prints
the result as JSON to stdout.
"""
import base64
import json
from typing import Optional
from urllib.request import urlopen
import sys
if len(sys.argv) != 3:
print("""This internal script has been called with the wrong amount of parameters.
This script is not supposed to be called manually.
Refer to ./update.mjs instead.""")
exit(1)
_, depot_tools_checkout, chromium_version = sys.argv
sys.path.append(depot_tools_checkout)
import gclient_eval
import gclient_utils
class Repo:
fetcher: str
args: dict
def __init__(self) -> None:
self.deps: dict = {}
self.hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
def get_deps(self, repo_vars: dict, path: str) -> None:
print(
"evaluating " + json.dumps(self, default=vars, sort_keys=True),
file=sys.stderr,
)
deps_file = self.get_file("DEPS")
evaluated = gclient_eval.Parse(deps_file, vars_override=repo_vars, filename="DEPS")
repo_vars = dict(evaluated.get("vars", {})) | repo_vars
prefix = f"{path}/" if evaluated.get("use_relative_paths", False) else ""
self.deps = {
prefix + dep_name: repo_from_dep(dep)
for dep_name, dep in evaluated.get("deps", {}).items()
if (
gclient_eval.EvaluateCondition(dep["condition"], repo_vars)
if "condition" in dep
else True
)
and repo_from_dep(dep) != None
}
for key in evaluated.get("recursedeps", []):
dep_path = prefix + key
if dep_path in self.deps and dep_path != "src/third_party/squirrel.mac":
self.deps[dep_path].get_deps(repo_vars, dep_path)
def flatten_repr(self) -> dict:
return {"fetcher": self.fetcher, "hash": self.hash, **self.args}
def flatten(self, path: str) -> dict:
out = {path: self.flatten_repr()}
for dep_path, dep in self.deps.items():
out |= dep.flatten(dep_path)
return out
def get_file(self, filepath: str) -> str:
raise NotImplementedError
class GitilesRepo(Repo):
def __init__(self, url: str, rev: str) -> None:
super().__init__()
self.fetcher = "fetchFromGitiles"
self.args = {
"url": url,
"rev": rev,
}
def get_file(self, filepath: str) -> str:
return base64.b64decode(
urlopen(
f"{self.args['url']}/+/{self.args['rev']}/{filepath}?format=TEXT"
).read()
).decode("utf-8")
def repo_from_dep(dep: dict) -> Optional[Repo]:
if "url" in dep:
url, rev = gclient_utils.SplitUrlRevision(dep["url"])
return GitilesRepo(url, rev)
else:
# Not a git dependency; skip
return None
chromium = GitilesRepo("https://chromium.googlesource.com/chromium/src.git", chromium_version)
chromium.get_deps(
{
**{
f"checkout_{platform}": platform == "linux" or platform == "x64" or platform == "arm64" or platform == "arm"
for platform in ["ios", "chromeos", "android", "mac", "win", "linux"]
},
**{
f"checkout_{arch}": True
for arch in ["x64", "arm64", "arm", "x86", "mips", "mips64", "ppc", "riscv64"]
},
},
"",
)
print(json.dumps(chromium.flatten("src")))
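Review bot: In `Repo.get_deps` the dict comprehension assigned to `self.deps` calls `repo_from_dep(dep)` twice per dependency (once in the filter, once for the value) and tests the result with `!= None`; since the file already relies on Python 3.9 (`dict | dict`), an assignment expression keeps one construction per dep and the idiomatic identity test: `if (repo := repo_from_dep(dep)) is not None and (gclient_eval.EvaluateCondition(dep["condition"], repo_vars) if "condition" in dep else True)` with the value becoming `prefix + dep_name: repo`. Separately, `urlopen(...)` in `GitilesRepo.get_file` has no timeout, so a stalled gitiles connection hangs the updater indefinitely; `urlopen(url, timeout=60)` is a cheap guard. The `exit(1)` at the argument check is the site-module builtin rather than `sys.exit(1)`, which the script already imports.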


@@ -0,0 +1,12 @@
build_with_chromium = true
checkout_android = false
checkout_android_prebuilts_build_tools = false
checkout_clang_coverage_tools = false
checkout_copybara = false
checkout_ios_webkit = false
checkout_nacl = false
checkout_openxr = false
checkout_src_internal = false
cros_boards = ""
cros_boards_with_qemu_images = ""
generate_location_tags = true


@@ -0,0 +1,54 @@
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p python3Packages.feedparser python3Packages.requests
# This script prints the Git commit message for stable channel updates.
# Usage: ./get-commit-message.py [version]
import re
import sys
import textwrap
from collections import OrderedDict
import feedparser
import requests
# Official rss/atom feed taken from <https://chromereleases.googleblog.com/>'s html source (<link type="application/atom+xml">)
feed = feedparser.parse('https://www.blogger.com/feeds/8982037438137564684/posts/default')
html_tags = re.compile(r'<[^>]+>')
target_version = sys.argv[1] if len(sys.argv) == 2 else None
for entry in feed.entries:
url = requests.get(entry.link).url.split('?')[0]
if entry.title.lower() != 'Stable Channel Update for Desktop'.lower():
if target_version and entry.title == '':
# Workaround for a special case (Chrome Releases bug?):
if not 'the-stable-channel-has-been-updated-to' in url:
continue
else:
continue
content = entry.content[0].value
content = html_tags.sub('', content) # Remove any HTML tags
if re.search(r'Linux', content) is None:
continue
#print(url) # For debugging purposes
version = re.search(r'\d+(\.\d+){3}', content).group(0)
if target_version:
if version != target_version:
continue
else:
print('chromium: TODO -> ' + version + '\n')
print(url)
if fixes := re.search(r'This update includes .+ security fix(es)?\.', content):
fixes = fixes.group(0)
if zero_days := re.search(r'Google is aware( of reports)? th(e|at) .+ in the wild\.', content):
fixes += " " + zero_days.group(0)
print('\n' + '\n'.join(textwrap.wrap(fixes, width=72)))
if cve_list := re.findall(r'CVE-[^: ]+', content):
cve_list = list(OrderedDict.fromkeys(cve_list)) # Remove duplicates but preserve the order
cve_string = ' '.join(cve_list)
print("\nCVEs:\n" + '\n'.join(textwrap.wrap(cve_string, width=72)))
sys.exit(0) # We only care about the most recent stable channel update
print("Error: No match.")
sys.exit(1)
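Review bot: `version = re.search(r'\d+(\.\d+){3}', content).group(0)` raises AttributeError when a post mentions Linux but contains no four-part version number, which aborts the whole scan instead of moving on to the next feed entry; the file already uses assignment expressions, so `if (match := re.search(r'\d+(\.\d+){3}', content)) is None: continue` followed by `version = match.group(0)` keeps the loop going. `requests.get(entry.link)` likewise has no `timeout=`, so one stalled redirect blocks the script indefinitely; `requests.get(entry.link, timeout=30)` avoids that. Since the CVE list printed here ends up in the commit message, a one-line comment noting that it is scraped from the blog post text and should be cross-checked against the release notes would be useful.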



@@ -0,0 +1,38 @@
diff -upr a/third_party/angle/BUILD.gn b/third_party/angle/BUILD.gn
--- a/third_party/angle/BUILD.gn 2022-08-17 19:38:11.000000000 +0000
+++ b/third_party/angle/BUILD.gn 2022-08-18 11:04:09.061751111 +0000
@@ -489,6 +489,12 @@ config("angle_vulkan_wayland_config") {
if (angle_enable_vulkan && angle_use_wayland &&
defined(vulkan_wayland_include_dirs)) {
include_dirs = vulkan_wayland_include_dirs
+ } else if (angle_enable_vulkan && angle_use_wayland) {
+ include_dirs = [
+ "$wayland_gn_dir/src/src",
+ "$wayland_gn_dir/include/src",
+ "$wayland_gn_dir/include/protocol",
+ ]
}
}
@@ -1073,6 +1079,7 @@ if (angle_use_wayland) {
include_dirs = [
"$wayland_dir/egl",
"$wayland_dir/src",
+ "$wayland_gn_dir/include/protocol",
]
}
diff -upr a/third_party/angle/src/third_party/volk/BUILD.gn b/third_party/angle/src/third_party/volk/BUILD.gn
--- a/third_party/angle/src/third_party/volk/BUILD.gn 2022-08-17 19:38:12.000000000 +0000
+++ b/third_party/angle/src/third_party/volk/BUILD.gn 2022-08-18 11:04:36.499828006 +0000
@@ -21,6 +21,9 @@ source_set("volk") {
configs += [ "$angle_root:angle_no_cfi_icall" ]
public_deps = [ "$angle_vulkan_headers_dir:vulkan_headers" ]
if (angle_use_wayland) {
- include_dirs = [ "$wayland_dir/src" ]
+ include_dirs = [
+ "$wayland_dir/src",
+ "$wayland_gn_dir/include/protocol",
+ ]
}
}


@@ -0,0 +1,29 @@
diff --git a/build/config/compiler/BUILD.gn b/build/config/compiler/BUILD.gn
index 6efe967eb0a1c..590a2c274ac13 100644
--- a/build/config/compiler/BUILD.gn
+++ b/build/config/compiler/BUILD.gn
@@ -568,24 +568,6 @@ config("compiler") {
}
}
- # TODO(crbug.com/40283598): This causes binary size growth and potentially
- # other problems.
- # TODO(crbug.com/40284925): This isn't supported by Cronet's mainline llvm version.
- if (default_toolchain != "//build/toolchain/cros:target" &&
- !llvm_android_mainline) {
- cflags += [
- "-mllvm",
- "-split-threshold-for-reg-with-hint=0",
- ]
- if (use_thin_lto && is_a_target_toolchain) {
- if (is_win) {
- ldflags += [ "-mllvm:-split-threshold-for-reg-with-hint=0" ]
- } else {
- ldflags += [ "-Wl,-mllvm,-split-threshold-for-reg-with-hint=0" ]
- }
- }
- }
-
# TODO(crbug.com/40192287): Investigate why/if this should be needed.
if (is_win) {
cflags += [ "/clang:-ffp-contract=off" ]


@@ -0,0 +1,21 @@
diff --git a/build/config/compiler/BUILD.gn b/build/config/compiler/BUILD.gn
index 45086d6838cac..81132ad8ecb31 100644
--- a/build/config/compiler/BUILD.gn
+++ b/build/config/compiler/BUILD.gn
@@ -1727,16 +1727,6 @@ config("runtime_library") {
configs += [ "//build/config/c++:runtime_library" ]
}
- # Rust and C++ both provide intrinsics for LLVM to call for math operations. We
- # want to use the C++ intrinsics, not the ones in the Rust compiler_builtins
- # library. The Rust symbols are marked as weak, so that they can be replaced by
- # the C++ symbols. This config ensures the C++ symbols exist and are strong in
- # order to cause that replacement to occur by explicitly linking in clang's
- # compiler-rt library.
- if (is_clang && !is_nacl && !is_cronet_build) {
- configs += [ "//build/config/clang:compiler_builtins" ]
- }
-
# TODO(crbug.com/40570904): Come up with a better name for is POSIX + Fuchsia
# configuration.
if (is_posix || is_fuchsia) {


@@ -0,0 +1,14 @@
diff --git a/build/rust/cargo_crate.gni b/build/rust/cargo_crate.gni
index 8266c44cbd1dfb8a53797dbe911ea74c32ce070e..ec7d751f2d068151dfeb71aa1f6510483bebd95c 100644
--- a/build/rust/cargo_crate.gni
+++ b/build/rust/cargo_crate.gni
@@ -285,6 +285,9 @@ template("cargo_crate") {
}
rustenv = _rustenv
+ # TODO(crbug.com/424424323): Clean up and enable.
+ rustflags += [ "-Amismatched_lifetime_syntaxes" ]
+
if (!defined(build_native_rust_unit_tests)) {
build_native_rust_unit_tests = _crate_type != "proc-macro"
}


@@ -0,0 +1,19 @@
diff --git a/third_party/node/check_version.js b/third_party/node/check_version.js
index 0a037ab449c3b8780e68506993e6281d44cef7dc..e7cba2e457543eb8767c9868d851e5e4f5c32f2a 100644
--- a/third_party/node/check_version.js
+++ b/third_party/node/check_version.js
@@ -29,11 +29,9 @@ async function main() {
const expectedVersion = extractExpectedVersion(contents);
const errorMessage =
- `Failed NodeJS version check: Expected version '${expectedVersion}', ` +
- `but found '${process.version}'. Did you run 'gclient sync'? If the ` +
- `problem persists try running 'gclient sync -f' instead, or deleting ` +
- `third_party/node/{linux,win,mac} folders and trying again.`;
+ `Failed NodeJS version check: Expected at least version '${expectedVersion}', ` +
+ `but found '${process.version}'.`;
- assert.equal(expectedVersion, process.version, errorMessage);
+ assert.ok(expectedVersion <= process.version, errorMessage);
}
main();
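Review bot: The new check `assert.ok(expectedVersion <= process.version, errorMessage);` compares version strings lexicographically, so for example 'v20.9.0' is considered greater than 'v20.11.0' and 'v9.x' greater than 'v10.x', which means the "at least" semantics the new message promises are not what is enforced. Splitting both strings into numeric components and comparing them element-wise gives the intended ordering regardless of digit count. The enclosing `main()` starts outside the hunk; the rewrite below only replaces the assertion and keeps the message as is.
```javascript
  const errorMessage =
  // … unchanged: message construction …
  // Compare numerically: a plain string comparison orders 'v20.9.0' after 'v20.11.0'.
  const parse = (v) => v.replace(/^v/, '').split('.').map(Number);
  const cmpVersions = (a, b) => {
    for (let i = 0; i < Math.max(a.length, b.length); i++) {
      const d = (a[i] || 0) - (b[i] || 0);
      if (d !== 0) return d;
    }
    return 0;
  };
  assert.ok(cmpVersions(parse(expectedVersion), parse(process.version)) <= 0, errorMessage);
```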


@@ -0,0 +1,21 @@
diff --git a/build/config/compiler/BUILD.gn b/build/config/compiler/BUILD.gn
index 77b02f76d2845fdf1a9429f704e59b8f7ab42993..e6ce3abe9872f415a9ef1cfc76f7267e7e44e1c9 100644
--- a/build/config/compiler/BUILD.gn
+++ b/build/config/compiler/BUILD.gn
@@ -1917,16 +1917,6 @@ config("runtime_library") {
configs += [ "//build/config/c++:runtime_library" ]
}
- # Rust and C++ both provide intrinsics for LLVM to call for math operations. We
- # want to use the C++ intrinsics, not the ones in the Rust compiler_builtins
- # library. The Rust symbols are marked as weak, so that they can be replaced by
- # the C++ symbols. This config ensures the C++ symbols exist and are strong in
- # order to cause that replacement to occur by explicitly linking in clang's
- # compiler-rt library.
- if (is_clang && !is_cronet_build) {
- configs += [ "//build/config/clang:compiler_builtins" ]
- }
-
# TODO(crbug.com/40570904): Come up with a better name for is POSIX + Fuchsia
# configuration.
if (is_posix || is_fuchsia) {


@@ -0,0 +1,21 @@
diff --git a/build/config/compiler/BUILD.gn b/build/config/compiler/BUILD.gn
index 516f7d85fc5718a26707d988389081cd86da49bd..f4b5284ad90591a57cb803353bbe57fd4e213159 100644
--- a/build/config/compiler/BUILD.gn
+++ b/build/config/compiler/BUILD.gn
@@ -1911,16 +1911,6 @@ config("runtime_library") {
configs += [ "//build/config/c++:runtime_library" ]
}
- # Rust and C++ both provide intrinsics for LLVM to call for math operations. We
- # want to use the C++ intrinsics, not the ones in the Rust compiler_builtins
- # library. The Rust symbols are marked as weak, so that they can be replaced by
- # the C++ symbols. This config ensures the C++ symbols exist and are strong in
- # order to cause that replacement to occur by explicitly linking in clang's
- # compiler-rt library.
- if (is_clang && !(is_a_target_toolchain && is_cronet_build)) {
- configs += [ "//build/config/clang:compiler_builtins" ]
- }
-
# TODO(crbug.com/40570904): Come up with a better name for is POSIX + Fuchsia
# configuration.
if (is_posix || is_fuchsia) {


@@ -0,0 +1,19 @@
diff --git a/chrome/browser/first_run/first_run_internal_linux.cc b/chrome/browser/first_run/first_run_internal_linux.cc
index 33fd579012..9a17b54b37 100644
--- a/chrome/browser/first_run/first_run_internal_linux.cc
+++ b/chrome/browser/first_run/first_run_internal_linux.cc
@@ -19,13 +19,7 @@ bool IsOrganicFirstRun() {
}
base::FilePath InitialPrefsPath() {
- // The standard location of the initial prefs is next to the chrome binary.
- base::FilePath dir_exe;
- if (!base::PathService::Get(base::DIR_EXE, &dir_exe)) {
- return base::FilePath();
- }
-
- return installer::InitialPreferences::Path(dir_exe);
+ return base::FilePath("/etc/chromium/initial_preferences");
}
} // namespace internal


@@ -0,0 +1,31 @@
diff --git a/build/toolchain/linux/unbundle/BUILD.gn b/build/toolchain/linux/unbundle/BUILD.gn
index a091491236bb1..d36fd4e652fbf 100644
--- a/build/toolchain/linux/unbundle/BUILD.gn
+++ b/build/toolchain/linux/unbundle/BUILD.gn
@@ -9,6 +9,7 @@ gcc_toolchain("default") {
cxx = getenv("CXX")
ar = getenv("AR")
nm = getenv("NM")
+ readelf = getenv("READELF")
ld = cxx
extra_cflags = getenv("CFLAGS")
@@ -27,6 +28,7 @@ gcc_toolchain("host") {
cxx = getenv("BUILD_CXX")
ar = getenv("BUILD_AR")
nm = getenv("BUILD_NM")
+ readelf = getenv("BUILD_READELF")
ld = cxx
extra_cflags = getenv("BUILD_CFLAGS")
@@ -35,7 +37,8 @@ gcc_toolchain("host") {
extra_ldflags = getenv("BUILD_LDFLAGS")
toolchain_args = {
- current_cpu = current_cpu
- current_os = current_os
+ current_cpu = host_cpu
+ current_os = host_os
+ v8_current_cpu = target_cpu
}
}


@@ -0,0 +1,17 @@
--- chromium-70.0.3538.67/build/compute_build_timestamp.py.orig 2018-11-02 16:00:34.368933077 +0200
+++ chromium-70.0.3538.67/build/compute_build_timestamp.py 2018-11-08 04:06:21.658105129 +0200
@@ -94,6 +94,14 @@
'build_type', help='The type of build', choices=('official', 'default'))
args = argument_parser.parse_args()
+ # I don't trust LASTCHANGE magic, and I definelly want something deterministic here
+ SOURCE_DATE_EPOCH = os.getenv("SOURCE_DATE_EPOCH", None)
+ if SOURCE_DATE_EPOCH is not None:
+ print(SOURCE_DATE_EPOCH)
+ return 0
+ else:
+ raise RuntimeError("SOURCE_DATE_EPOCH not set")
+
# The mtime of the revision in build/util/LASTCHANGE is stored in a file
# next to it. Read it, to get a deterministic time close to "now".
# That date is then modified as described at the top of the file so that
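Review bot: `print(SOURCE_DATE_EPOCH)` emits the environment value verbatim, whereas the surrounding script prints an integer timestamp, so a malformed `SOURCE_DATE_EPOCH` only surfaces later in whatever consumes the output; `print(int(SOURCE_DATE_EPOCH))` fails at the source with a clear traceback. The `else:` after an unconditional `return 0` is redundant, so the `raise RuntimeError(...)` can follow the `if` block directly. The enclosing function starts and ends outside the hunk.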


@@ -0,0 +1,28 @@
diff --git a/third_party/widevine/cdm/BUILD.gn b/third_party/widevine/cdm/BUILD.gn
index 525693b6c10ab..245491e137d39 100644
--- a/third_party/widevine/cdm/BUILD.gn
+++ b/third_party/widevine/cdm/BUILD.gn
@@ -22,7 +22,7 @@ buildflag_header("buildflags") {
flags = [
"ENABLE_WIDEVINE=$enable_widevine",
- "BUNDLE_WIDEVINE_CDM=$bundle_widevine_cdm",
+ "BUNDLE_WIDEVINE_CDM=true",
"ENABLE_WIDEVINE_CDM_COMPONENT=$enable_widevine_cdm_component",
"ENABLE_MEDIA_FOUNDATION_WIDEVINE_CDM=$enable_media_foundation_widevine_cdm",
]
diff --git a/third_party/widevine/cdm/widevine.gni b/third_party/widevine/cdm/widevine.gni
index 8b97b7a57419e..69fe548ec2845 100644
--- a/third_party/widevine/cdm/widevine.gni
+++ b/third_party/widevine/cdm/widevine.gni
@@ -42,9 +42,7 @@ enable_library_widevine_cdm =
# desktop platforms. Not enabled for lacros (as it is changing to use the
# ash updated version). The CDM can be bundled regardless whether it's a
# component. See below.
-enable_widevine_cdm_component =
- enable_library_widevine_cdm &&
- (is_win || is_mac || is_linux || is_chromeos_ash)
+enable_widevine_cdm_component = false
# Enable (Windows) Media Foundation Widevine CDM component.
declare_args() {
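Review bot: Forcing `enable_widevine_cdm_component = false` in widevine.gni presumably turns off Chromium's component-update path for the CDM, so after this patch the Widevine library is only refreshed when the `widevine-cdm` package that the wrapper copies in is bumped; nothing in the patch records that dependency. Text before the first `diff --git` header is ignored by patch tooling, so a one-line note at the top of the patch file would keep it visible: `# Component updates are disabled: the CDM is provided and updated solely via the nixpkgs widevine-cdm package.`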


@@ -0,0 +1,18 @@
build_with_tflite_lib=false
chrome_pgo_phase=0
clang_use_chrome_plugins=false
disable_fieldtrial_testing_config=true
enable_hangout_services_extension=false
enable_mdns=false
enable_remoting=false
enable_reporting=false
enable_service_discovery=false
enable_widevine=true
exclude_unwind_tables=true
google_api_key=""
google_default_client_id=""
google_default_client_secret=""
safe_browsing_mode=0
treat_warnings_as_errors=false
use_official_google_api_keys=false
use_unofficial_version_number=false


@@ -0,0 +1,45 @@
{
stdenv,
fetchFromGitHub,
python3Packages,
makeWrapper,
patch,
}:
{
rev,
hash,
}:
stdenv.mkDerivation {
pname = "ungoogled-chromium";
version = rev;
src = fetchFromGitHub {
owner = "ungoogled-software";
repo = "ungoogled-chromium";
inherit rev hash;
};
dontBuild = true;
buildInputs = [
python3Packages.python
patch
];
nativeBuildInputs = [
makeWrapper
];
patchPhase = ''
sed -i '/chromium-widevine/d' patches/series
'';
installPhase = ''
mkdir $out
cp -R * $out/
wrapProgram $out/utils/patches.py --add-flags "apply" --prefix PATH : "${patch}/bin"
'';
}
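Review bot: `patchPhase = ''…''` replaces the stdenv phase wholesale, so a `patches` attribute and the `prePatch`/`postPatch` hooks would be silently skipped; the nixpkgs convention for this kind of edit is `postPatch = ''sed -i '/chromium-widevine/d' patches/series'';`, which keeps the default phase (and `runHook`) intact. `buildInputs = [ python3Packages.python patch ]` under `dontBuild = true` reads oddly without context; if, as it appears, python is there so that `patchShebangs` resolves the `utils/*.py` scripts and `patch` is the runtime dependency of the wrapper, a comment saying so would prevent someone from "cleaning it up": `# python: shebang target for utils/*.py; patch: runtime dependency of the wrapped patches.py`.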


@@ -0,0 +1,279 @@
#! /usr/bin/env nix-shell
/*
#! nix-shell -i zx -p zx
*/
cd(__dirname)
const nixpkgs = (await $`git rev-parse --show-toplevel`).stdout.trim()
const $nixpkgs = $({
cwd: nixpkgs
})
const dummy_hash = 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
const lockfile_file = './info.json'
const lockfile_initial = fs.readJsonSync(lockfile_file)
function flush_to_file() {
fs.writeJsonSync(lockfile_file, lockfile, { spaces: 2 })
}
const flush_to_file_proxy = {
get(obj, prop) {
const value = obj[prop]
return typeof value == 'object' ? new Proxy(value, flush_to_file_proxy) : value
},
set(obj, prop, value) {
obj[prop] = value
flush_to_file()
return true
},
}
const lockfile = new Proxy(structuredClone(lockfile_initial), flush_to_file_proxy)
const ungoogled_rev = argv['ungoogled-chromium-rev']
for (const attr_path of Object.keys(lockfile)) {
const ungoogled = attr_path === 'ungoogled-chromium'
if (!argv[attr_path] && !(ungoogled && ungoogled_rev)) {
console.log(`[${attr_path}] Skipping ${attr_path}. Pass --${attr_path} as argument to update.`)
continue
}
const version_nixpkgs = !ungoogled ? lockfile[attr_path].version : lockfile[attr_path].deps['ungoogled-patches'].rev
const version_upstream = !ungoogled ? await get_latest_chromium_release('linux') :
ungoogled_rev ?? await get_latest_ungoogled_release()
console.log(`[${attr_path}] ${chalk.red(version_nixpkgs)} (nixpkgs)`)
console.log(`[${attr_path}] ${chalk.green(version_upstream)} (upstream)`)
if (ungoogled_rev || version_greater_than(version_upstream, version_nixpkgs)) {
console.log(`[${attr_path}] ${chalk.green(version_upstream)} from upstream is newer than our ${chalk.red(version_nixpkgs)}...`)
let ungoogled_patches = ungoogled ? await fetch_ungoogled(version_upstream) : undefined
// For ungoogled-chromium we need to remove the patch revision (e.g. 130.0.6723.116-1 -> 130.0.6723.116)
// by just using the chromium_version.txt content from the patches checkout (to also work with commit revs).
const version_chromium = ungoogled_patches?.chromium_version ?? version_upstream
const chromium_rev = await chromium_resolve_tag_to_rev(version_chromium)
lockfile[attr_path] = {
version: version_chromium,
chromedriver: !ungoogled ? await fetch_chromedriver_binaries(await get_latest_chromium_release('mac')) : undefined,
deps: {
depot_tools: {},
gn: await fetch_gn(chromium_rev, lockfile_initial[attr_path].deps.gn),
'ungoogled-patches': !ungoogled ? undefined : {
rev: ungoogled_patches.rev,
hash: ungoogled_patches.hash,
},
npmHash: dummy_hash,
},
DEPS: {},
}
const depot_tools = await fetch_depot_tools(chromium_rev, lockfile_initial[attr_path].deps.depot_tools)
lockfile[attr_path].deps.depot_tools = {
rev: depot_tools.rev,
hash: depot_tools.hash,
}
// DEPS update loop
lockfile[attr_path].DEPS = await resolve_DEPS(depot_tools.out, chromium_rev)
for (const [path, value] of Object.entries(lockfile[attr_path].DEPS)) {
delete value.fetcher
delete value.postFetch
if (value.url === 'https://chromium.googlesource.com/chromium/src.git') {
value.recompress = true
}
const cache_hit = (() => {
for (const attr_path in lockfile_initial) {
const cache = lockfile_initial[attr_path].DEPS[path]
const hits_cache =
cache !== undefined &&
value.url === cache.url &&
value.rev === cache.rev &&
value.recompress === cache.recompress &&
cache.hash !== undefined &&
cache.hash !== '' &&
cache.hash !== dummy_hash
if (hits_cache) {
cache.attr_path = attr_path
return cache;
}
}
})();
if (cache_hit) {
console.log(`[${chalk.green(path)}] Reusing hash from previous info.json for ${cache_hit.url}@${cache_hit.rev} from ${cache_hit.attr_path}`)
value.hash = cache_hit.hash
continue
}
console.log(`[${chalk.red(path)}] FOD prefetching ${value.url}@${value.rev}...`)
value.hash = await prefetch_FOD('-A', `${attr_path}.browser.passthru.chromiumDeps."${path}"`)
console.log(`[${chalk.green(path)}] FOD prefetching successful`)
}
lockfile[attr_path].deps.npmHash = await prefetch_FOD('-A', `${attr_path}.browser.passthru.npmDeps`)
console.log(chalk.green(`[${attr_path}] Done updating ${attr_path} from ${version_nixpkgs} to ${version_upstream}!`))
}
}
async function fetch_gn(chromium_rev, gn_previous) {
const DEPS_file = await get_gitiles_file('https://chromium.googlesource.com/chromium/src', chromium_rev, 'DEPS')
const { rev } = /^\s+'gn_version': 'git_revision:(?<rev>.+)',$/m.exec(DEPS_file).groups
const cache_hit = rev === gn_previous.rev;
if (cache_hit) {
return gn_previous
}
const commit_date = await get_gitiles_commit_date('https://gn.googlesource.com/gn', rev)
const version = `0-unstable-${commit_date}`
const expr = [`(import ./. {}).gn.override { version = "${version}"; rev = "${rev}"; hash = ""; }`]
const derivation = await $nixpkgs`nix-instantiate --expr ${expr}`
return {
version,
rev,
hash: await prefetch_FOD(derivation),
}
}
async function get_gitiles_commit_date(base_url, rev) {
const url = `${base_url}/+/${rev}?format=json`
const response = await (await fetch(url)).text()
const json = JSON.parse(response.replace(`)]}'\n`, ''))
const date = new Date(json.committer.time)
return date.toISOString().split("T")[0]
}
async function fetch_chromedriver_binaries(version) {
// https://developer.chrome.com/docs/chromedriver/downloads/version-selection
const prefetch = async (url) => {
const expr = [`(import ./. {}).fetchzip { url = "${url}"; hash = ""; }`]
const derivation = await $nixpkgs`nix-instantiate --expr ${expr}`
return await prefetch_FOD(derivation)
}
// if the URL ever changes, the URLs in the chromedriver derivations need updating as well!
const url = (platform) => `https://storage.googleapis.com/chrome-for-testing-public/${version}/${platform}/chromedriver-${platform}.zip`
return {
version,
hash_darwin: await prefetch(url('mac-x64')),
hash_darwin_aarch64: await prefetch(url('mac-arm64')),
}
}
async function chromium_resolve_tag_to_rev(tag) {
const url = `https://chromium.googlesource.com/chromium/src/+/refs/tags/${tag}?format=json`
const response = await (await fetch(url)).text()
const json = JSON.parse(response.replace(`)]}'\n`, ''))
return json.commit
}
async function resolve_DEPS(depot_tools_checkout, chromium_rev) {
const { stdout } = await $`./depot_tools.py ${depot_tools_checkout} ${chromium_rev}`
const deps = JSON.parse(stdout)
return Object.fromEntries(Object.entries(deps).map(([k, { url, rev, hash }]) => [k, { url, rev, hash }]))
}
async function get_latest_chromium_release(platform) {
const url = `https://versionhistory.googleapis.com/v1/chrome/platforms/${platform}/channels/stable/versions/all/releases?` + new URLSearchParams({
order_by: 'version desc',
filter: 'endtime=none,fraction>=0.5'
})
const response = await (await fetch(url)).json()
return response.releases[0].version
}
async function get_latest_ungoogled_release() {
const ungoogled_tags = await (await fetch('https://api.github.com/repos/ungoogled-software/ungoogled-chromium/tags')).json()
const chromium_releases = await (await fetch('https://versionhistory.googleapis.com/v1/chrome/platforms/linux/channels/stable/versions/all/releases')).json()
const chromium_release_map = chromium_releases.releases.map((x) => x.version)
return ungoogled_tags.find((x) => chromium_release_map.includes(x.name.split('-')[0])).name
}
async function fetch_ungoogled(rev) {
const expr = (hash) => [`(import ./. {}).fetchFromGitHub { owner = "ungoogled-software"; repo = "ungoogled-chromium"; rev = "${rev}"; hash = "${hash}"; }`]
const hash = await prefetch_FOD('--expr', expr(''))
const checkout = await $nixpkgs`nix-build --expr ${expr(hash)}`
const checkout_path = checkout.stdout.trim()
await fs.copy(path.join(checkout_path, 'flags.gn'), './ungoogled-flags.toml')
const chromium_version = (await fs.readFile(path.join(checkout_path, 'chromium_version.txt'))).toString().trim()
console.log(`[ungoogled-chromium] ${chalk.green(rev)} patch revision resolves to chromium version ${chalk.green(chromium_version)}`)
return {
rev,
hash,
chromium_version,
}
}
function version_greater_than(greater, than) {
return greater.localeCompare(than, undefined, { numeric: true, sensitivity: 'base' }) === 1
}
async function get_gitiles_file(repo, rev, path) {
const base64 = await (await fetch(`${repo}/+/${rev}/${path}?format=TEXT`)).text()
return Buffer.from(base64, 'base64').toString('utf-8')
}
async function fetch_depot_tools(chromium_rev, depot_tools_previous) {
const depot_tools_rev = await get_gitiles_file('https://chromium.googlesource.com/chromium/src', chromium_rev, 'third_party/depot_tools')
const hash = depot_tools_rev === depot_tools_previous.rev ? depot_tools_previous.hash : ''
return await prefetch_gitiles('https://chromium.googlesource.com/chromium/tools/depot_tools', depot_tools_rev, hash)
}
async function prefetch_gitiles(url, rev, hash = '') {
const expr = () => [`(import ./. {}).fetchFromGitiles { url = "${url}"; rev = "${rev}"; hash = "${hash}"; }`]
if (hash === '') {
hash = await prefetch_FOD('--expr', expr())
}
const { stdout } = await $nixpkgs`nix-build --expr ${expr()}`
return {
url,
rev,
hash,
out: stdout.trim(),
}
}
async function prefetch_FOD(...args) {
const { stderr } = await $nixpkgs`nix-build ${args}`.nothrow()
const hash = /\s+got:\s+(?<hash>.+)$/m.exec(stderr)?.groups?.hash
if (hash == undefined) {
throw new Error(chalk.red('Expected to find hash in nix-build stderr output:') + stderr)
}
return hash
}


@@ -0,0 +1,191 @@
{
lib,
stdenv,
fetchurl,
config,
wrapGAppsHook3,
autoPatchelfHook,
alsa-lib,
curl,
dbus-glib,
gtk3,
libXtst,
libva,
pciutils,
pipewire,
adwaita-icon-theme,
generated,
writeScript,
writeText,
xidel,
coreutils,
gnused,
gnugrep,
gnupg,
runtimeShell,
systemLocale ? config.i18n.defaultLocale or "en_US",
patchelfUnstable, # have to use patchelfUnstable to support --no-clobber-old-sections
applicationName ? "Firefox",
undmg,
}:
let
inherit (generated) version sources;
binaryName = "firefox";
mozillaPlatforms = {
i686-linux = "linux-i686";
x86_64-linux = "linux-x86_64";
aarch64-linux = "linux-aarch64";
# bundles are universal and can be re-used for both darwin architectures
aarch64-darwin = "mac";
x86_64-darwin = "mac";
};
arch = mozillaPlatforms.${stdenv.hostPlatform.system};
isPrefixOf = prefix: string: builtins.substring 0 (builtins.stringLength prefix) string == prefix;
sourceMatches = locale: source: (isPrefixOf source.locale locale) && source.arch == arch;
policies = {
DisableAppUpdate = true;
}
// config.firefox.policies or { };
policiesJson = writeText "firefox-policies.json" (builtins.toJSON { inherit policies; });
defaultSource = lib.findFirst (sourceMatches "en-US") { } sources;
mozLocale =
if systemLocale == "ca_ES@valencia" then
"ca-valencia"
else
lib.replaceStrings [ "_" ] [ "-" ] systemLocale;
source = lib.findFirst (sourceMatches mozLocale) defaultSource sources;
pname = "firefox-bin-unwrapped";
in
stdenv.mkDerivation {
inherit pname version;
src = fetchurl { inherit (source) url sha256; };
sourceRoot = lib.optional stdenv.hostPlatform.isDarwin ".";
nativeBuildInputs = [
wrapGAppsHook3
]
++ lib.optionals (!stdenv.hostPlatform.isDarwin) [
autoPatchelfHook
patchelfUnstable
]
++ lib.optionals stdenv.hostPlatform.isDarwin [
undmg
];
buildInputs = lib.optionals (!stdenv.hostPlatform.isDarwin) [
gtk3
adwaita-icon-theme
alsa-lib
dbus-glib
libXtst
];
runtimeDependencies = [
curl
pciutils
]
++ lib.optionals (!stdenv.hostPlatform.isDarwin) [
libva.out
];
appendRunpaths = lib.optionals (!stdenv.hostPlatform.isDarwin) [
"${pipewire}/lib"
];
# Firefox uses "relrhack" to manually process relocations from a fixed offset
patchelfFlags = [ "--no-clobber-old-sections" ];
# don't break code signing
dontFixup = stdenv.hostPlatform.isDarwin;
installPhase =
if stdenv.hostPlatform.isDarwin then
''
mkdir -p $out/Applications
mv Firefox*.app "$out/Applications/${applicationName}.app"
''
else
''
mkdir -p "$prefix/lib/firefox-bin-${version}"
cp -r * "$prefix/lib/firefox-bin-${version}"
mkdir -p "$out/bin"
ln -s "$prefix/lib/firefox-bin-${version}/firefox" "$out/bin/${binaryName}"
# See: https://github.com/mozilla/policy-templates/blob/master/README.md
mkdir -p "$out/lib/firefox-bin-${version}/distribution";
ln -s ${policiesJson} "$out/lib/firefox-bin-${version}/distribution/policies.json";
'';
passthru = {
inherit applicationName binaryName;
libName = "firefox-bin-${version}";
ffmpegSupport = true;
gssSupport = true;
gtk3 = gtk3;
# update with:
# $ nix-shell maintainers/scripts/update.nix --argstr package firefox-bin-unwrapped
updateScript = import ./update.nix {
inherit
pname
writeScript
xidel
coreutils
gnused
gnugrep
gnupg
curl
runtimeShell
;
baseUrl = "https://archive.mozilla.org/pub/firefox/releases/";
};
};
meta = {
changelog = "https://www.mozilla.org/en-US/firefox/${version}/releasenotes/";
description = "Mozilla Firefox, free web browser (binary package)";
homepage = "https://www.mozilla.org/firefox/";
license = {
shortName = "firefox";
fullName = "Firefox Terms of Use";
url = "https://www.mozilla.org/about/legal/terms/firefox/";
# "You Are Responsible for the Consequences of Your Use of Firefox"
# (despite the heading, not an indemnity clause) states the following:
#
# > You agree that you will not use Firefox to infringe anyones rights
# > or violate any applicable laws or regulations.
# >
# > You will not do anything that interferes with or disrupts Mozillas
# > services or products (or the servers and networks which are connected
# > to Mozillas services).
#
# This conflicts with FSF freedom 0: "The freedom to run the program as
# you wish, for any purpose". (Why should Mozilla be involved in
# instances where you break your local laws just because you happen to
# use Firefox whilst doing it?)
free = false;
redistributable = true; # since MPL-2.0 still applies
};
sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
platforms = builtins.attrNames mozillaPlatforms;
hydraPlatforms = [ ];
maintainers = with lib.maintainers; [
taku0
lovesegfault
];
mainProgram = binaryName;
};
}
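Review bot: In the `policies` binding, `config.firefox.policies` sits on the right-hand side of `//`, so a user-supplied `DisableAppUpdate = false` silently replaces the hard-coded `true`, and nothing states whether that precedence is intended. In-app updates cannot write to a read-only store path anyway, so the override is harmless but confusing, and a future maintainer may swap the operands "to be safe" and break legitimate user policies. Suggest a comment above the binding: `# user policies intentionally win over the built-in DisableAppUpdate; in-app updates cannot modify the store regardless`. The Linux `installPhase` also mixes `$prefix` and `$out` for the same directory; picking one would make the two `mkdir -p` lines read as the same target.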



@@ -0,0 +1,92 @@
{
pname,
writeScript,
xidel,
coreutils,
gnused,
gnugrep,
curl,
gnupg,
runtimeShell,
baseName ? "firefox",
basePath ? "pkgs/applications/networking/browsers/firefox-bin",
baseUrl,
versionSuffix ? "",
}:
writeScript "update-${pname}" ''
#!${runtimeShell}
PATH=${coreutils}/bin:${gnused}/bin:${gnugrep}/bin:${xidel}/bin:${curl}/bin:${gnupg}/bin
set -eux
pushd ${basePath}
HOME=`mktemp -d`
export GNUPGHOME=`mktemp -d`
curl https://keys.openpgp.org/vks/v1/by-fingerprint/09BEED63F3462A2DFFAB3B875ECB6497C1A20256 | gpg --import -
tmpfile=`mktemp`
url=${baseUrl}
# retriving latest released version
# - extracts all links from the $url
# - removes . and ..
# - this line remove everything not starting with a number
# - this line sorts everything with semver in mind
# - we remove lines that are mentioning funnelcake
# - this line removes beta version if we are looking for final release
# versions or removes release versions if we are looking for beta
# versions
# - this line pick up latest release
version=`xidel -s $url --extract "//a" | \
sed s"/.$//" | \
grep "^[0-9]" | \
sort --version-sort | \
grep -v "funnelcake" | \
grep -e "\([[:digit:]]\|[[:digit:]][[:digit:]]\)${versionSuffix}$" | grep -v "b" | \
tail -1`
curl --silent -o $HOME/shasums "$url$version/SHA256SUMS"
curl --silent -o $HOME/shasums.asc "$url$version/SHA256SUMS.asc"
gpgv --keyring=$GNUPGHOME/pubring.kbx $HOME/shasums.asc $HOME/shasums
# this is a list of sha256 and tarballs for both arches
# Upstream files contains python repr strings like b'somehash', hence the sed dance
shasums=`cat $HOME/shasums | sed -E s/"b'([a-f0-9]{64})'?(.*)"/'\1\2'/ | grep '\.\(tar\.[a-z0-9]\+\|dmg\)$' | grep -v mac-EME-free`
cat > $tmpfile <<EOF
{
version = "$version";
sources = [
EOF
for arch in linux-x86_64 linux-i686 linux-aarch64 mac; do
# retriving a list of all tarballs for each arch
# - only select tarballs for current arch
# - only select tarballs for current version
# - rename space with colon so that for loop doesnt
# - inteprets sha and path as 2 lines
IFS=$'\n'
for line in `echo "$shasums" | \
grep $arch | \
grep -i "${baseName}.$version"'\.\(tar\.[a-z0-9]\+\|dmg\)$' | \
sed "s/ /:/ ; s/ /:/"`; do
# create an entry for every locale
cat >> $tmpfile <<EOF
{
url = "$url$version/`echo $line | cut -d":" -f3 | sed "s/ /%20/"`";
locale = "`echo $line | cut -d":" -f3 | sed "s/$arch\///" | sed "s/\/.*//"`";
arch = "$arch";
sha256 = "`echo $line | cut -d":" -f1`";
}
EOF
done
done
cat >> $tmpfile <<EOF
];
}
EOF
mv $tmpfile release${if versionSuffix == "" then "" else "_${versionSuffix}"}_sources.nix
popd
''
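Review bot: The two `curl --silent -o $HOME/shasums ...` downloads lack `--fail --show-error`, so an HTTP error page is written into the sums file and the problem surfaces only as an opaque `gpgv` failure; the sibling `update.nix` in this commit already passes `--silent --show-error`. The key import `curl https://keys.openpgp.org/... | gpg --import -` likewise runs under `set -eux` without `pipefail`, so a failed key fetch is noticed only when `gpgv` later reports a missing public key. Suggest `set -euxo pipefail` and `curl --fail --silent --show-error -o $HOME/shasums "$url$version/SHA256SUMS"` (same for the `.asc` and the key fetch). The verification order itself is right: `gpgv` checks SHA256SUMS before any hash is copied into the generated sources file.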


@@ -0,0 +1,52 @@
{
runCommand,
fetchFromGitLab,
wrapFirefox,
firefox-unwrapped,
}:
let
pkg = fetchFromGitLab {
domain = "gitlab.postmarketos.org";
owner = "postmarketOS";
repo = "mobile-config-firefox";
rev = "4.6.0";
hash = "sha256-tISfxN/04spgtKStkkn+zlCtFU6GbtwuZubqpGN2olA=";
};
mobileConfigDir = runCommand "mobile-config-firefox" { } ''
mkdir -p $out/mobile-config-firefox/{common,userChrome,userContent}
cp ${pkg}/src/common/*.css $out/mobile-config-firefox/common/
cp ${pkg}/src/userChrome/*.css $out/mobile-config-firefox/userChrome/
cp ${pkg}/src/userContent/*.css $out/mobile-config-firefox/userContent/
(cd $out/mobile-config-firefox && find common -name "*.css" | sort) >> $out/mobile-config-firefox/userChrome.files
(cd $out/mobile-config-firefox && find common -name "*.css" | sort) >> $out/mobile-config-firefox/userContent.files
(cd $out/mobile-config-firefox && find userChrome -name "*.css" | sort) > $out/mobile-config-firefox/userChrome.files
(cd $out/mobile-config-firefox && find userContent -name "*.css" | sort) > $out/mobile-config-firefox/userContent.files
'';
mobileConfigAutoconfig = runCommand "mobile-config-autoconfig.js" { } ''
substitute ${pkg}/src/mobile-config-autoconfig.js $out \
--replace "/etc/mobile-config-firefox" "${mobileConfigDir}/mobile-config-firefox"
'';
mobileConfigPrefs = runCommand "mobile-config-prefs.js" { } ''
# Remove the autoconfig setup lines since we handle that through extraPrefsFiles
grep -v "general.config.filename" ${pkg}/src/mobile-config-prefs.js | \
grep -v "general.config.obscure_value" | \
grep -v "general.config.sandbox_enabled" > $out
'';
in
wrapFirefox firefox-unwrapped {
extraPrefsFiles = [
mobileConfigAutoconfig
mobileConfigPrefs
];
extraPoliciesFiles = [
"${pkg}/src/policies.json"
];
}
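Review bot: The two `>>` lines that append the `common/*.css` list to `userChrome.files` and `userContent.files` are immediately clobbered by the next two lines, which rewrite the same files with `>`; as written, the common stylesheets never appear in either list. If the intent is "common first, then the per-target files", the redirections should be swapped (`>` for the two `common` finds, `>>` for the `userChrome`/`userContent` finds); if the common list is meant to be dropped, the two dead lines should go — hard to tell which from here. Separately, `substitute ... --replace` succeeds silently when the pattern is absent; `--replace-fail` makes an upstream rename of the `/etc/mobile-config-firefox` path fail the build instead of shipping an autoconfig that points at a directory that does not exist.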


@@ -0,0 +1,40 @@
{
stdenv,
lib,
callPackage,
fetchurl,
nixosTests,
buildMozillaMach,
}:
buildMozillaMach rec {
pname = "firefox-beta";
binaryName = "firefox-beta";
version = "144.0b6";
applicationName = "Firefox Beta";
src = fetchurl {
url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
sha512 = "b0e8398513db7de1f16412bedba519b3d307022c0eadc1c114f3ad247ac368c027bd968f98a38c41076c1e6e06c96ec3821230d470f4f804e51ff09ede84a618";
};
meta = {
changelog = "https://www.mozilla.org/en-US/firefox/${lib.versions.majorMinor version}beta/releasenotes/";
description = "Web browser built from Firefox Beta Release source tree";
homepage = "http://www.mozilla.com/en-US/firefox/";
maintainers = with lib.maintainers; [ jopejoe1 ];
platforms = lib.platforms.unix;
broken = stdenv.buildPlatform.is32bit;
# since Firefox 60, build on 32-bit platforms fails with "out of memory".
# not in `badPlatforms` because cross-compilation on 64-bit machine might work.
maxSilent = 14400; # 4h, double the default of 7200s (c.f. #129212, #129115)
license = lib.licenses.mpl20;
mainProgram = binaryName;
};
tests = {
inherit (nixosTests) firefox-beta;
};
updateScript = callPackage ../update.nix {
attrPath = "firefox-beta-unwrapped";
versionSuffix = "b[0-9]*";
};
}
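Review bot: `homepage = "http://www.mozilla.com/en-US/firefox/"` is a plain-http URL on a redirecting domain, while the `changelog` line just above it already uses https on mozilla.org; the same value appears in the firefox-devedition, firefox-esr-140 and firefox release files of this commit. `https://www.mozilla.org/en-US/firefox/` is the canonical page and avoids an unencrypted hop for anyone following the link from `nix eval` or search output. Suggest `homepage = "https://www.mozilla.org/en-US/firefox/";` in all four files.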


@@ -0,0 +1,55 @@
{
stdenv,
lib,
callPackage,
fetchurl,
nixosTests,
buildMozillaMach,
}:
buildMozillaMach rec {
pname = "firefox-devedition";
binaryName = "firefox-devedition";
version = "144.0b6";
applicationName = "Firefox Developer Edition";
requireSigning = false;
branding = "browser/branding/aurora";
src = fetchurl {
url = "mirror://mozilla/devedition/releases/${version}/source/firefox-${version}.source.tar.xz";
sha512 = "08a42497eef413f097c4c8191ef2d0e4e7a6f39a63744d51352aaa4016ed8877da4eace81bfc85e97f8e4f17c7ea9225fe11c94e70d6e4c9f4ec69cd43aeecc4";
};
# buildMozillaMach sets MOZ_APP_REMOTINGNAME during configuration, but
# unfortunately if the branding file also defines MOZ_APP_REMOTINGNAME, the
# branding file takes precedence. ("aurora" is the only branding to do this,
# so far.) We remove it so that the name set in buildMozillaMach takes
# effect.
extraPostPatch = ''
sed -i '/^MOZ_APP_REMOTINGNAME=/d' browser/branding/aurora/configure.sh
'';
meta = {
changelog = "https://www.mozilla.org/en-US/firefox/${lib.versions.majorMinor version}beta/releasenotes/";
description = "Web browser built from Firefox Developer Edition source tree";
homepage = "http://www.mozilla.com/en-US/firefox/";
maintainers = with lib.maintainers; [
jopejoe1
rhendric
];
platforms = lib.platforms.unix;
broken = stdenv.buildPlatform.is32bit;
# since Firefox 60, build on 32-bit platforms fails with "out of memory".
# not in `badPlatforms` because cross-compilation on 64-bit machine might work.
maxSilent = 14400; # 4h, double the default of 7200s (c.f. #129212, #129115)
license = lib.licenses.mpl20;
mainProgram = binaryName;
};
tests = {
inherit (nixosTests) firefox-devedition;
};
updateScript = callPackage ../update.nix {
attrPath = "firefox-devedition-unwrapped";
versionSuffix = "b[0-9]*";
baseUrl = "https://archive.mozilla.org/pub/devedition/releases/";
};
}
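Review bot: `requireSigning = false;` is the one security-relevant switch in this file and carries no comment, while the neighbouring `extraPostPatch` is explained in detail. The flag is also consumed by wrapper.nix in this commit, which consults `browser.requireSigning` when deciding whether `nixExtensions` may be used, so it has consequences beyond the build itself. Suggest `# Developer Edition does not enforce add-on signatures (presumably matching upstream, where xpinstall.signatures.required can be turned off); wrapFirefox reads this when validating nixExtensions.` above the line.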


@@ -0,0 +1,40 @@
{
stdenv,
lib,
callPackage,
fetchurl,
nixosTests,
buildMozillaMach,
}:
buildMozillaMach rec {
pname = "firefox";
version = "140.3.1esr";
applicationName = "Firefox ESR";
src = fetchurl {
url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
sha512 = "a9302d99d7f07f4b250aa214635814964dd083204268e05fe877a3d8330b9c0caa6c29ed19da71bd88979b7cf39ed52f17698968b0da5b0d7430b6764b43b6cc";
};
meta = {
changelog = "https://www.mozilla.org/en-US/firefox/${lib.removeSuffix "esr" version}/releasenotes/";
description = "Web browser built from Firefox source tree";
homepage = "http://www.mozilla.com/en-US/firefox/";
maintainers = with lib.maintainers; [ hexa ];
platforms = lib.platforms.unix;
broken = stdenv.buildPlatform.is32bit;
# since Firefox 60, build on 32-bit platforms fails with "out of memory".
# not in `badPlatforms` because cross-compilation on 64-bit machine might work.
maxSilent = 14400; # 4h, double the default of 7200s (c.f. #129212, #129115)
license = lib.licenses.mpl20;
mainProgram = "firefox";
};
tests = {
inherit (nixosTests) firefox-esr-140;
};
updateScript = callPackage ../update.nix {
attrPath = "firefox-esr-140-unwrapped";
versionPrefix = "140";
versionSuffix = "esr";
};
}


@@ -0,0 +1,37 @@
{
stdenv,
lib,
callPackage,
fetchurl,
nixosTests,
buildMozillaMach,
}:
buildMozillaMach rec {
pname = "firefox";
version = "143.0.4";
src = fetchurl {
url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
sha512 = "2bcbde4e72ea41e9ccc98836901635350b5dc7b50c618e19ab6103a27adc0f017ca3fa7555378c8af6ee1f3a14d02935289fe2b0d35d840d610f5ac07a88e4b6";
};
meta = {
changelog = "https://www.mozilla.org/en-US/firefox/${version}/releasenotes/";
description = "Web browser built from Firefox source tree";
homepage = "http://www.mozilla.com/en-US/firefox/";
maintainers = with lib.maintainers; [ hexa ];
platforms = lib.platforms.unix;
broken = stdenv.buildPlatform.is32bit;
# since Firefox 60, build on 32-bit platforms fails with "out of memory".
# not in `badPlatforms` because cross-compilation on 64-bit machine might work.
maxSilent = 14400; # 4h, double the default of 7200s (c.f. #129212, #129115)
license = lib.licenses.mpl20;
mainProgram = "firefox";
};
tests = {
inherit (nixosTests) firefox;
};
updateScript = callPackage ../update.nix {
attrPath = "firefox-unwrapped";
};
}


@@ -0,0 +1,59 @@
{
writeScript,
lib,
xidel,
common-updater-scripts,
coreutils,
gnused,
gnugrep,
curl,
gnupg,
attrPath,
runtimeShell,
baseUrl ? "https://archive.mozilla.org/pub/firefox/releases/",
versionPrefix ? "",
versionSuffix ? "",
versionKey ? "version",
}:
writeScript "update-${attrPath}" ''
#!${runtimeShell}
PATH=${
lib.makeBinPath [
common-updater-scripts
coreutils
curl
gnugrep
gnupg
gnused
xidel
]
}
set -eux
HOME=`mktemp -d`
export GNUPGHOME=`mktemp -d`
curl https://keys.openpgp.org/vks/v1/by-fingerprint/09BEED63F3462A2DFFAB3B875ECB6497C1A20256 | gpg --import -
url=${baseUrl}
# retriving latest released version
# - extracts all links from the $url
# - extracts lines only with number and dots followed by a slash
# - removes trailing slash
# - sorts everything with semver in mind
# - picks up latest release
version=`xidel -s $url --extract "//a" | \
grep "^${versionPrefix}[0-9.]*${versionSuffix}/$" | \
sed s/[/]$// | \
sort --version-sort | \
tail -n 1`
curl --silent --show-error -o "$HOME"/shasums "$url$version/SHA512SUMS"
curl --silent --show-error -o "$HOME"/shasums.asc "$url$version/SHA512SUMS.asc"
gpgv --keyring="$GNUPGHOME"/pubring.kbx "$HOME"/shasums.asc "$HOME"/shasums
hash=$(grep '\.source\.tar\.xz$' "$HOME"/shasums | grep '^[^ ]*' -o)
update-source-version ${attrPath} "$version" "$hash" "" --version-key=${versionKey}
''
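Review bot: The key import `curl https://keys.openpgp.org/... | gpg --import -` runs under `set -eux` without `pipefail` and without `--fail`, so a failed fetch is not detected at the pipe; it is caught only when `gpgv` later fails with a missing public key, which reads like a bad signature rather than a network error. `set -euxo pipefail` together with `curl --fail --silent --show-error https://keys.openpgp.org/vks/v1/by-fingerprint/09BEED63F3462A2DFFAB3B875ECB6497C1A20256 | gpg --import -` makes the failure point obvious. The fingerprint is hard-coded with no comment on whose key it is (presumably the Mozilla Software Releases key); a line such as `# Mozilla Software Releases signing key; rotated periodically, update the fingerprint when gpgv starts rejecting SHA512SUMS.asc` would save the next maintainer a lookup — confirm the key identity before adding it.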


@@ -0,0 +1,572 @@
{
stdenv,
lib,
makeDesktopItem,
makeWrapper,
lndir,
config,
buildPackages,
jq,
xdg-utils,
writeText,
## various stuff that can be plugged in
ffmpeg,
xorg,
alsa-lib,
libpulseaudio,
libcanberra-gtk3,
libglvnd,
libnotify,
opensc,
adwaita-icon-theme,
pipewire,
udev,
libkrb5,
libva,
libgbm,
cups,
pciutils,
vulkan-loader,
sndio,
libjack2,
speechd-minimal,
}:
## configurability of the wrapper itself
browser:
let
isDarwin = stdenv.hostPlatform.isDarwin;
wrapper =
{
applicationName ? browser.binaryName or (lib.getName browser), # Note: this is actually *binary* name and is different from browser.applicationName, which is *app* name!
pname ? applicationName,
version ? lib.getVersion browser,
nameSuffix ? "",
icon ? applicationName,
wmClass ? applicationName,
nativeMessagingHosts ? [ ],
pkcs11Modules ? [ ],
useGlvnd ? (!isDarwin),
cfg ? config.${applicationName} or { },
## Following options are needed for extra prefs & policies
# For more information about anti tracking (german website)
# visit https://wiki.kairaven.de/open/app/firefox
extraPrefs ? "",
extraPrefsFiles ? [ ],
# For more information about policies visit
# https://mozilla.github.io/policy-templates/
extraPolicies ? { },
extraPoliciesFiles ? [ ],
libName ? browser.libName or applicationName, # Important for tor package or the like
nixExtensions ? null,
hasMozSystemDirPatch ? (lib.hasPrefix "firefox" pname && !lib.hasSuffix "-bin" pname),
}:
let
ffmpegSupport = browser.ffmpegSupport or false;
gssSupport = browser.gssSupport or false;
alsaSupport = browser.alsaSupport or false;
pipewireSupport = browser.pipewireSupport or false;
sndioSupport = browser.sndioSupport or false;
jackSupport = browser.jackSupport or false;
# PCSC-Lite daemon (services.pcscd) also must be enabled for firefox to access smartcards
smartcardSupport = cfg.smartcardSupport or false;
allNativeMessagingHosts = map lib.getBin nativeMessagingHosts;
libs =
lib.optionals stdenv.hostPlatform.isLinux (
[
udev
libva
libgbm
libnotify
xorg.libXScrnSaver
cups
pciutils
vulkan-loader
]
++ lib.optional (cfg.speechSynthesisSupport or true) speechd-minimal
)
++ lib.optional pipewireSupport pipewire
++ lib.optional ffmpegSupport ffmpeg
++ lib.optional gssSupport libkrb5
++ lib.optional useGlvnd libglvnd
++ lib.optionals (cfg.enableQuakeLive or false) (
with xorg;
[
stdenv.cc
libX11
libXxf86dga
libXxf86vm
libXext
libXt
alsa-lib
zlib
]
)
++ lib.optional (config.pulseaudio or (!isDarwin)) libpulseaudio
++ lib.optional alsaSupport alsa-lib
++ lib.optional sndioSupport sndio
++ lib.optional jackSupport libjack2
++ lib.optional smartcardSupport opensc
++ pkcs11Modules
++ lib.optionals (!isDarwin) gtk_modules;
gtk_modules = [ libcanberra-gtk3 ];
# Darwin does not rename bundled binaries
launcherName = "${applicationName}${lib.optionalString (!isDarwin) nameSuffix}";
#########################
# #
# EXTRA PREF CHANGES #
# #
#########################
policiesJson = writeText "policies.json" (builtins.toJSON enterprisePolicies);
usesNixExtensions = nixExtensions != null;
nameArray = map (a: a.name) (lib.optionals usesNixExtensions nixExtensions);
# Check that every extension has a unique .name attribute
# and an extid attribute
extensions =
if nameArray != (lib.unique nameArray) then
throw "Firefox addon name needs to be unique"
else if browser.requireSigning || !browser.allowAddonSideload then
throw "Nix addons are only supported with signature enforcement disabled and addon sideloading enabled (eg. LibreWolf)"
else
map (
a:
if !(builtins.hasAttr "extid" a) then
throw "nixExtensions has an invalid entry. Missing extid attribute. Please use fetchFirefoxAddon"
else
a
) (lib.optionals usesNixExtensions nixExtensions);
enterprisePolicies = {
policies = {
DisableAppUpdate = true;
}
// lib.optionalAttrs usesNixExtensions {
ExtensionSettings = {
"*" = {
blocked_install_message = "You can't have manual extension mixed with nix extensions";
installation_mode = "blocked";
};
}
// lib.foldr (
e: ret:
ret
// {
"${e.extid}" = {
installation_mode = "allowed";
};
}
) { } extensions;
Extensions = {
Install = lib.foldr (e: ret: ret ++ [ "${e.outPath}/${e.extid}.xpi" ]) [ ] extensions;
};
}
// lib.optionalAttrs smartcardSupport {
SecurityDevices = {
"OpenSC PKCS#11 Module" = "opensc-pkcs11.so";
};
}
// extraPolicies;
};
mozillaCfg = ''
// First line must be a comment
// Disables addon signature checking
// to be able to install addons that do not have an extid
// Security is maintained because only user whitelisted addons
// with a checksum can be installed
${lib.optionalString usesNixExtensions ''lockPref("xpinstall.signatures.required", false);''}
'';
#############################
# #
# END EXTRA PREF CHANGES #
# #
#############################
in
stdenv.mkDerivation (finalAttrs: {
__structuredAttrs = true;
inherit pname version;
desktopItem = makeDesktopItem (
{
name = launcherName;
exec = "${launcherName} --name ${wmClass} %U";
inherit icon;
desktopName = browser.applicationName;
startupNotify = true;
startupWMClass = wmClass;
terminal = false;
}
// (
if libName == "thunderbird" then
{
genericName = "Email Client";
comment = "Read and write e-mails or RSS feeds, or manage tasks on calendars.";
categories = [
"Network"
"Chat"
"Email"
"Feed"
"GTK"
"News"
];
keywords = [
"mail"
"email"
"e-mail"
"messages"
"rss"
"calendar"
"address book"
"addressbook"
"chat"
];
mimeTypes = [
"message/rfc822"
"x-scheme-handler/mailto"
"text/calendar"
"text/x-vcard"
];
actions = {
profile-manager-window = {
name = "Profile Manager";
exec = "${launcherName} --ProfileManager";
};
};
}
else
{
genericName = "Web Browser";
categories = [
"Network"
"WebBrowser"
];
mimeTypes = [
"text/html"
"text/xml"
"application/xhtml+xml"
"application/vnd.mozilla.xul+xml"
"x-scheme-handler/http"
"x-scheme-handler/https"
];
actions = {
new-window = {
name = "New Window";
exec = "${launcherName} --new-window %U";
};
new-private-window = {
name = "New Private Window";
exec = "${launcherName} --private-window %U";
};
profile-manager-window = {
name = "Profile Manager";
exec = "${launcherName} --ProfileManager";
};
};
}
)
);
nativeBuildInputs = [
makeWrapper
lndir
jq
];
buildInputs = lib.optionals (!isDarwin) [ browser.gtk3 ];
makeWrapperArgs = [
"--prefix"
"LD_LIBRARY_PATH"
":"
"${finalAttrs.libs}"
"--suffix"
"PATH"
":"
"${placeholder "out"}/bin"
"--set"
"MOZ_APP_LAUNCHER"
launcherName
"--set"
"MOZ_LEGACY_PROFILES"
"1"
"--set"
"MOZ_ALLOW_DOWNGRADE"
"1"
]
++ lib.optionals (!isDarwin) [
"--suffix"
"GTK_PATH"
":"
"${lib.concatStringsSep ":" finalAttrs.gtk_modules}"
"--suffix"
"XDG_DATA_DIRS"
":"
"${adwaita-icon-theme}/share"
"--set-default"
"MOZ_ENABLE_WAYLAND"
"1"
]
++ lib.optionals (!xdg-utils.meta.broken && !isDarwin) [
# make xdg-open overridable at runtime
"--suffix"
"PATH"
":"
"${lib.makeBinPath [ xdg-utils ]}"
]
++ lib.optionals hasMozSystemDirPatch [
"--set"
"MOZ_SYSTEM_DIR"
"${placeholder "out"}/lib/mozilla"
]
++ lib.optionals (!hasMozSystemDirPatch && allNativeMessagingHosts != [ ]) [
"--run"
''mkdir -p ''${MOZ_HOME:-~/.mozilla}/native-messaging-hosts''
]
++ lib.optionals (!hasMozSystemDirPatch) (
lib.concatMap (ext: [
"--run"
''ln -sfLt ''${MOZ_HOME:-~/.mozilla}/native-messaging-hosts ${ext}/lib/mozilla/native-messaging-hosts/*''
]) allNativeMessagingHosts
);
buildCommand =
let
appPath = "Applications/${browser.applicationName}.app";
executablePrefix = if isDarwin then "${appPath}/Contents/MacOS" else "bin";
executablePath = "${executablePrefix}/${applicationName}";
finalBinaryPath = "${executablePath}" + lib.optionalString (!isDarwin) "${nameSuffix}";
sourceBinary = "${browser}/${executablePath}";
libDir = if isDarwin then "${appPath}/Contents/Resources" else "lib/${libName}";
prefsDir = if isDarwin then "${libDir}/browser/defaults/preferences" else "${libDir}/defaults/pref";
in
''
if [ ! -x "${sourceBinary}" ]
then
echo "cannot find executable file \`${sourceBinary}'"
exit 1
fi
#########################
# #
# EXTRA PREF CHANGES #
# #
#########################
# Link the runtime. The executable itself has to be copied,
# because it will resolve paths relative to its true location.
# Any symbolic links have to be replicated as well.
cd "${browser}"
find . -type d -exec mkdir -p "$out"/{} \;
find . -type f \( -not -name "${applicationName}" \) -exec ln -sT "${browser}"/{} "$out"/{} \;
find . -type f \( -name "${applicationName}" -o -name "${applicationName}-bin" \) -print0 | while read -d $'\0' f; do
cp -P --no-preserve=mode,ownership --remove-destination "${browser}/$f" "$out/$f"
chmod a+rwx "$out/$f"
done
# fix links and absolute references
find . -type l -print0 | while read -d $'\0' l; do
target="$(readlink "$l")"
target=''${target/#"${browser}"/"$out"}
ln -sfT "$target" "$out/$l"
done
cd "$out"
''
+ lib.optionalString isDarwin ''
cd "${appPath}"
# The omni.ja files have to be copied and not symlinked, otherwise tabs crash.
# Maybe related to how omni.ja file is mmapped into memory. See:
# https://github.com/mozilla/gecko-dev/blob/b1662b447f306e6554647914090d4b73ac8e1664/modules/libjar/nsZipArchive.cpp#L204
#
# The *.dylib files are copied, otherwise some basic functionality, e.g. Crypto API, is broken.
for file in $(find . -name "omni.ja" -o -name "*.dylib"); do
rm "$file"
cp "${browser}/${appPath}/$file" "$file"
done
# Copy any embedded .app directories; plugin-container fails to start otherwise.
for dir in $(find . -type d -name '*.app'); do
rm -r "$dir"
cp -r "${browser}/${appPath}/$dir" "$dir"
done
cd ..
''
+ ''
# create the wrapper
executablePrefix="$out/${executablePrefix}"
executablePath="$out/${executablePath}"
oldWrapperArgs=()
if [[ -L $executablePath ]]; then
# Symbolic link: wrap the link's target.
oldExe="$(readlink -v --canonicalize-existing "$executablePath")"
rm "$executablePath"
elif wrapperCmd=$(${buildPackages.makeBinaryWrapper.extractCmd} "$executablePath"); [[ $wrapperCmd ]]; then
# If the executable is a binary wrapper, we need to update its target to
# point to $out, but we can't just edit the binary in-place because of length
# issues. So we extract the command used to create the wrapper and add the
# arguments to our wrapper.
parseMakeCWrapperCall() {
shift # makeCWrapper
oldExe=$1; shift
oldWrapperArgs=("$@")
}
eval "parseMakeCWrapperCall ''${wrapperCmd//"${browser}"/"$out"}"
rm "$executablePath"
else
if read -rn2 shebang < "$executablePath" && [[ $shebang == '#!' ]]; then
# Shell wrapper: patch in place to point to $out.
sed -i "s@${browser}@$out@g" "$executablePath"
fi
# Suffix the executable with -old, because -wrapped might already be used by the old wrapper.
oldExe="$executablePrefix/.${applicationName}"-old
mv "$executablePath" "$oldExe"
fi
''
+ lib.optionalString (!isDarwin) ''
appendToVar makeWrapperArgs --prefix XDG_DATA_DIRS : "$GSETTINGS_SCHEMAS_PATH"
''
+ ''
concatTo makeWrapperArgs oldWrapperArgs
makeWrapper "$oldExe" "$out/${finalBinaryPath}" "''${makeWrapperArgs[@]}"
#############################
# #
# END EXTRA PREF CHANGES #
# #
#############################
''
+ lib.optionalString (!isDarwin) ''
if [ -e "${browser}/share/icons" ]; then
mkdir -p "$out/share"
ln -s "${browser}/share/icons" "$out/share/icons"
else
for res in 16 32 48 64 128; do
mkdir -p "$out/share/icons/hicolor/''${res}x''${res}/apps"
icon=$( find "${browser}/lib/" -name "default''${res}.png" )
if [ -e "$icon" ]; then ln -s "$icon" \
"$out/share/icons/hicolor/''${res}x''${res}/apps/${icon}.png"
fi
done
fi
install -m 644 -D -t $out/share/applications $desktopItem/share/applications/*
''
+ lib.optionalString hasMozSystemDirPatch ''
mkdir -p $out/lib/mozilla/native-messaging-hosts
for ext in ${toString allNativeMessagingHosts}; do
ln -sLt $out/lib/mozilla/native-messaging-hosts $ext/lib/mozilla/native-messaging-hosts/*
done
''
+ ''
mkdir -p $out/lib/mozilla/pkcs11-modules
for ext in ${toString pkcs11Modules}; do
ln -sLt $out/lib/mozilla/pkcs11-modules $ext/lib/mozilla/pkcs11-modules/*
done
#########################
# #
# EXTRA PREF CHANGES #
# #
#########################
# user customization
libDir="$out/${libDir}"
# creating policies.json
mkdir -p "$libDir/distribution"
POL_PATH="$libDir/distribution/policies.json"
rm -f "$POL_PATH"
cat ${policiesJson} >> "$POL_PATH"
extraPoliciesFiles=(${toString extraPoliciesFiles})
for extraPoliciesFile in "''${extraPoliciesFiles[@]}"; do
jq -s '.[0] * .[1]' $extraPoliciesFile "$POL_PATH" > .tmp.json
mv .tmp.json "$POL_PATH"
done
# preparing for autoconfig
prefsDir="$out/${prefsDir}"
mkdir -p "$prefsDir"
echo 'pref("general.config.filename", "mozilla.cfg");' > "$prefsDir/autoconfig.js"
echo 'pref("general.config.obscure_value", 0);' >> "$prefsDir/autoconfig.js"
cat > "$libDir/mozilla.cfg" << EOF
${mozillaCfg}
EOF
extraPrefsFiles=(${toString extraPrefsFiles})
for extraPrefsFile in "''${extraPrefsFiles[@]}"; do
cat "$extraPrefsFile" >> "$libDir/mozilla.cfg"
done
cat >> "$libDir/mozilla.cfg" << EOF
${extraPrefs}
EOF
mkdir -p "$libDir/distribution/extensions"
#############################
# #
# END EXTRA PREF CHANGES #
# #
#############################
'';
preferLocalBuild = true;
libs = lib.makeLibraryPath libs + ":" + lib.makeSearchPathOutput "lib" "lib64" libs;
gtk_modules = map (x: x + x.gtkModule) gtk_modules;
passthru = {
unwrapped = browser;
};
disallowedRequisites = [ stdenv.cc ];
meta = browser.meta // {
inherit (browser.meta) description;
mainProgram = launcherName;
hydraPlatforms = [ ];
priority = (browser.meta.priority or lib.meta.defaultPriority) - 1; # prefer wrapper over the package
};
});
in
lib.makeOverridable wrapper
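Review bot: The `extensions` guard reads `browser.requireSigning` and `browser.allowAddonSideload` without the `or` defaults used for every other browser attribute in this file (`ffmpegSupport`, `gssSupport`, ...), so a browser that does not define them fails with an attribute-missing error instead of the explanatory throw; the defaults should also fail closed, i.e. assume signing is required and sideloading is off: `else if (browser.requireSigning or true) || !(browser.allowAddonSideload or false) then`. A second undocumented precedence: `extraPolicies` is merged last with `//` and therefore wins over the built-in policies, whereas `extraPoliciesFiles` go through `jq -s '.[0] * .[1]' $extraPoliciesFile "$POL_PATH"`, where the right operand (the existing policies.json) wins, so a file cannot override `DisableAppUpdate` or the `ExtensionSettings` block. A comment above the `jq` loop stating which behaviour is intended would help, and `"$extraPoliciesFile"` should be quoted like the array expansion around it.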


@@ -0,0 +1,57 @@
{
lib,
stdenv,
fetchFromGitHub,
wrapQtAppsHook,
qmake,
qtmultimedia,
}:
stdenv.mkDerivation rec {
pname = "kristall";
version = "0.3";
src = fetchFromGitHub {
owner = "MasterQ32";
repo = "kristall";
rev = "V${version}";
sha256 = "07nf7w6ilzs5g6isnvsmhh4qa1zsprgjyf0zy7rhpx4ikkj8c8zq";
};
postPatch = lib.optionalString stdenv.cc.isClang ''
sed -i '1i #include <errno.h>' src/browsertab.cpp
'';
nativeBuildInputs = [
wrapQtAppsHook
qmake
];
buildInputs = [ qtmultimedia ];
qmakeFlags = [ "src/kristall.pro" ];
installPhase =
if stdenv.hostPlatform.isDarwin then
''
mkdir -p $out/Applications
mv kristall.app $out/Applications
''
else
''
install -Dt $out/bin kristall
install -D Kristall.desktop $out/share/applications/net.random-projects.kristall.desktop
install -D src/icons/kristall.svg $out/share/icons/hicolor/scalable/apps/net.random-projects.kristall.svg
for size in 16 32 64 128; do
install -D src/icons/kristall-''${size}.png $out/share/icons/hicolor/''${size}x''${size}/apps/net.random-projects.kristall.png
done
'';
meta = with lib; {
description = "Graphical small-internet client, supports gemini, http, https, gopher, finger";
mainProgram = "kristall";
homepage = "https://random-projects.net/projects/kristall.gemini";
license = licenses.gpl3Only;
inherit (qtmultimedia.meta) platforms;
};
}
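Review bot: Both branches of `installPhase` skip the `runHook preInstall` / `runHook postInstall` pair, so `preInstall`/`postInstall` hooks passed in by overrides or setup hooks are silently dropped; add `runHook preInstall` as the first line and `runHook postInstall` as the last line of each branch. The same omission is in the hadoop-yarn-containerexecutor `installPhase` further down this commit. The fixed-output hash is still in the legacy `sha256 = "07nf..."` base32 form; nixpkgs now prefers the SRI `hash = "sha256-…"` spelling (the value has to be recomputed, so I am not quoting one here).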


@@ -0,0 +1,54 @@
{
stdenv,
lib,
callPackage,
buildMozillaMach,
nixosTests,
}:
let
librewolf-src = callPackage ./librewolf.nix { };
in
(buildMozillaMach {
pname = "librewolf";
applicationName = "LibreWolf";
binaryName = "librewolf";
version = librewolf-src.packageVersion;
src = librewolf-src.firefox;
requireSigning = false;
allowAddonSideload = true;
branding = "browser/branding/librewolf";
inherit (librewolf-src)
extraConfigureFlags
extraPatches
extraPostPatch
extraPassthru
;
meta = {
description = "Fork of Firefox, focused on privacy, security and freedom";
homepage = "https://librewolf.net/";
maintainers = with lib.maintainers; [
# Also update ci/OWNERS entry when changing maintainers
squalus
dwrege
fpletz
grimmauld
];
platforms = lib.platforms.unix;
broken = stdenv.buildPlatform.is32bit;
# since Firefox 60, build on 32-bit platforms fails with "out of memory".
# not in `badPlatforms` because cross-compilation on 64-bit machine might work.
maxSilent = 14400; # 4h, double the default of 7200s (c.f. #129212, #129115)
license = lib.licenses.mpl20;
mainProgram = "librewolf";
};
tests = { inherit (nixosTests) librewolf; };
updateScript = callPackage ./update.nix {
attrPath = "librewolf-unwrapped";
};
}).override
{
crashreporterSupport = false;
enableOfficialBranding = false;
}
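Review bot: `requireSigning = false;` and `allowAddonSideload = true;` relax two add-on integrity controls of the Mozilla build without a word of explanation next to them, which is exactly the kind of line a later reader will "fix" back. A short comment tying them to the `--with-unsigned-addon-scopes=app,system` configure flag that LibreWolf sets in `librewolf.nix` would make the intent explicit, e.g. `# LibreWolf ships unsigned add-ons in the app/system scopes (see extraConfigureFlags in librewolf.nix); keep these two in sync with that flag.`. The comment on the `maintainers` list already follows this pattern, so the style fits.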


@@ -0,0 +1,55 @@
{ callPackage }:
let
src = callPackage ./src.nix { };
in
rec {
inherit (src) packageVersion firefox source;
extraPatches = [ "${source}/patches/pref-pane/pref-pane-small.patch" ];
extraConfigureFlags = [
"--with-unsigned-addon-scopes=app,system"
"--disable-default-browser-agent"
];
extraPostPatch = ''
while read patch_name; do
echo "applying LibreWolf patch: $patch_name"
patch -p1 < ${source}/$patch_name
done <${source}/assets/patches.txt
cp -r ${source}/themes/browser .
cp ${source}/assets/search-config.json services/settings/dumps/main/search-config.json
sed -i '/MOZ_SERVICES_HEALTHREPORT/ s/True/False/' browser/moz.configure
cp ${source}/patches/pref-pane/category-librewolf.svg browser/themes/shared/preferences
cp ${source}/patches/pref-pane/librewolf.css browser/themes/shared/preferences
cp ${source}/patches/pref-pane/librewolf.inc.xhtml browser/components/preferences
cp ${source}/patches/pref-pane/librewolf.js browser/components/preferences
# override firefox version
for fn in browser/config/version.txt browser/config/version_display.txt; do
echo "${packageVersion}" > "$fn"
done
echo "patching appstrings.properties"
find . -path '*/appstrings.properties' -exec sed -i s/Firefox/LibreWolf/ {} \;
for fn in $(find "${source}/l10n/en-US/browser" -type f -name '*.inc.ftl'); do
target_fn=$(echo "$fn" | sed "s,${source}/l10n,browser/locales," | sed "s,\.inc\.ftl$,.ftl,")
cat "$fn" >> "$target_fn"
done
'';
extraPrefsFiles = [ "${source}/settings/librewolf.cfg" ];
extraPoliciesFiles = [ "${source}/settings/distribution/policies.json" ];
extraPassthru = {
librewolf = {
inherit src extraPatches;
};
inherit extraPrefsFiles extraPoliciesFiles;
};
}


@@ -0,0 +1,11 @@
{
"packageVersion": "143.0.4-1",
"source": {
"rev": "143.0.4-1",
"hash": "sha256-RyLz5se2AqXAmsa/MckiUgcBfRxZVVsrNg2L757qOuo="
},
"firefox": {
"version": "143.0.4",
"hash": "sha512-K8veTnLqQenMyYg2kBY1NQtdx7UMYY4Zq2EDonrcDwF8o/p1VTeMivbuHzoU0Ck1KJ/isNNdhA1hD1rAeojktg=="
}
}


@@ -0,0 +1,26 @@
{
lib,
fetchurl,
fetchFromGitea,
}:
let
src = lib.importJSON ./src.json;
in
{
inherit (src) packageVersion;
source = fetchFromGitea (
src.source
// {
domain = "codeberg.org";
owner = "librewolf";
repo = "source";
fetchSubmodules = true;
}
);
firefox = fetchurl (
src.firefox
// {
url = "mirror://mozilla/firefox/releases/${src.firefox.version}/source/firefox-${src.firefox.version}.source.tar.xz";
}
);
}


@@ -0,0 +1,81 @@
# how to use
# nix-update -u librewolf-unwrapped
{
writeScript,
lib,
coreutils,
gnused,
gnugrep,
curl,
gnupg,
jq,
nix-prefetch-git,
moreutils,
runtimeShell,
nix,
...
}:
writeScript "update-librewolf" ''
#!${runtimeShell}
PATH=${
lib.makeBinPath [
coreutils
curl
gnugrep
gnupg
gnused
jq
moreutils
nix-prefetch-git
nix
]
}
set -euo pipefail
latestTag=$(curl "https://codeberg.org/api/v1/repos/librewolf/source/tags?page=1&limit=1" | jq -r .[0].name)
echo "latestTag=$latestTag"
srcJson=pkgs/applications/networking/browsers/librewolf/src.json
localRev=$(jq -r .source.rev < $srcJson)
echo "localRev=$localRev"
if [ "$localRev" == "$latestTag" ]; then
exit 0
fi
prefetchOut=$(mktemp)
repoUrl=https://codeberg.org/librewolf/source.git
nix-prefetch-git $repoUrl --quiet --rev $latestTag --fetch-submodules > $prefetchOut
srcDir=$(jq -r .path < $prefetchOut)
srcHash=$(nix --extra-experimental-features nix-command hash convert --to sri --hash-algo sha256 $(jq -r .sha256 < $prefetchOut))
ffVersion=$(<$srcDir/version)
lwRelease=$(<$srcDir/release)
lwVersion="$ffVersion-$lwRelease"
echo "lwVersion=$lwVersion"
echo "ffVersion=$ffVersion"
if [ "$lwVersion" != "$latestTag" ]; then
echo "error: Tag name does not match the computed LibreWolf version"
exit 1
fi
HOME=$(mktemp -d)
export GNUPGHOME=$(mktemp -d)
gpg --receive-keys 14F26682D0916CDD81E37B6D61B7B526D98F0353
mozillaUrl=https://archive.mozilla.org/pub/firefox/releases/
curl --silent --show-error -o "$HOME"/shasums "$mozillaUrl$ffVersion/SHA512SUMS"
curl --silent --show-error -o "$HOME"/shasums.asc "$mozillaUrl$ffVersion/SHA512SUMS.asc"
gpgv --keyring="$GNUPGHOME"/pubring.kbx "$HOME"/shasums.asc "$HOME"/shasums
ffHash=$(nix --extra-experimental-features nix-command hash convert --to sri --hash-algo sha512 $(grep '\.source\.tar\.xz$' "$HOME"/shasums | grep '^[^ ]*' -o))
echo "ffHash=$ffHash"
jq ".source.rev = \"$latestTag\"" $srcJson | sponge $srcJson
jq ".source.hash = \"$srcHash\"" $srcJson | sponge $srcJson
jq ".firefox.version = \"$ffVersion\"" $srcJson | sponge $srcJson
jq ".firefox.hash = \"$ffHash\"" $srcJson | sponge $srcJson
jq ".packageVersion = \"$lwVersion\"" $srcJson | sponge $srcJson
''
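Review bot: None of the `curl` invocations in the update script pass `--fail`, so an HTTP error page is written to `"$HOME"/shasums` (or piped into `jq` for the tag lookup) with exit status 0 and only a downstream tool reports a confusing failure; `curl --fail --silent --show-error -o "$HOME"/shasums "$mozillaUrl$ffVersion/SHA512SUMS"` and the same flag on the `.asc` and tags-API calls give an immediate, explicit error under `set -euo pipefail`. The signature check itself looks sound: `gpgv` is pointed at a fresh `$GNUPGHOME` keyring that holds only the pinned key, so an unsigned or wrongly signed SHA512SUMS cannot produce `ffHash`. It would be worth a one-line comment on the `gpg --receive-keys` line stating whose key the fingerprint is and that the keyring is deliberately single-key, since nothing on the page says so.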


@@ -0,0 +1,122 @@
{
stdenv,
lib,
testers,
wrapGAppsHook3,
fetchzip,
sbcl,
pkg-config,
libfixposix,
gobject-introspection,
gsettings-desktop-schemas,
glib-networking,
gtk3,
glib,
gdk-pixbuf,
cairo,
pango,
webkitgtk_4_1,
openssl,
sqlite,
gstreamer,
gst-libav,
gst-plugins-base,
gst-plugins-good,
gst-plugins-bad,
gst-plugins-ugly,
xdg-utils,
xclip,
wl-clipboard,
nix-update-script,
nixosTests,
}:
stdenv.mkDerivation (finalAttrs: {
pname = "nyxt";
version = "3.12.0";
src = fetchzip {
url = "https://github.com/atlas-engineer/nyxt/releases/download/${finalAttrs.version}/nyxt-${finalAttrs.version}-source-with-submodules.tar.xz";
hash = "sha256-T5p3OaWp28rny81ggdE9iXffmuh6wt6XSuteTOT8FLI=";
stripRoot = false;
};
nativeBuildInputs = [ wrapGAppsHook3 ];
buildInputs = [
sbcl
# for groveller
pkg-config
libfixposix
# for gappsWrapper
gobject-introspection
gsettings-desktop-schemas
glib-networking
gtk3
gstreamer
gst-libav
gst-plugins-base
gst-plugins-good
gst-plugins-bad
gst-plugins-ugly
];
# for cffi
LD_LIBRARY_PATH = lib.makeLibraryPath [
glib
gobject-introspection
gdk-pixbuf
cairo
pango
gtk3
webkitgtk_4_1
openssl
sqlite
libfixposix
];
postConfigure = ''
export CL_SOURCE_REGISTRY="$(pwd)/_build//"
export ASDF_OUTPUT_TRANSLATIONS="$(pwd):$(pwd)"
export PREFIX="$out"
export NYXT_VERSION="$version"
'';
# don't refresh from git
makeFlags = [
"all"
"NYXT_SUBMODULES=false"
];
preFixup = ''
gappsWrapperArgs+=(--prefix LD_LIBRARY_PATH : "$LD_LIBRARY_PATH")
gappsWrapperArgs+=(--prefix PATH : "${
lib.makeBinPath [
xdg-utils
xclip
wl-clipboard
]
}")
'';
# prevent corrupting core in exe
dontStrip = true;
passthru = {
tests.version = testers.testVersion { package = finalAttrs.finalPackage; };
updateScript = nix-update-script { };
tests = { inherit (nixosTests) nyxt; };
};
meta = with lib; {
description = "Infinitely extensible web-browser (with Lisp development files using WebKitGTK platform port)";
mainProgram = "nyxt";
homepage = "https://nyxt.atlas.engineer";
license = licenses.bsd3;
maintainers = with maintainers; [
lewo
dariof4
];
platforms = platforms.all;
};
})
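Review bot: `passthru` defines `tests` twice, once as `tests.version = …` and once as `tests = { inherit (nixosTests) nyxt; }`; Nix appears to merge the two literal attribute sets, but the split reads like an accidental duplicate and is easy to break when one of them is edited. Collapse them into a single definition, `tests = { version = testers.testVersion { package = finalAttrs.finalPackage; }; inherit (nixosTests) nyxt; };`, and drop the other line.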


@@ -0,0 +1,236 @@
{
stdenv,
lib,
fetchzip,
alsa-lib,
autoPatchelfHook,
copyDesktopItems,
dbus-glib,
# ffmpeg 7 not supported yet, results in MP4 playback being unavailable
# https://repo.palemoon.org/MoonchildProductions/UXP/issues/2523
ffmpeg_6,
gtk2-x11,
withGTK3 ? true,
gtk3,
libglvnd,
libXt,
libpulseaudio,
makeDesktopItem,
wrapGAppsHook3,
writeScript,
testers,
}:
stdenv.mkDerivation (finalAttrs: {
pname = "palemoon-bin";
version = "33.9.0.1";
src = finalAttrs.passthru.sources."gtk${if withGTK3 then "3" else "2"}";
preferLocalBuild = true;
strictDeps = true;
nativeBuildInputs = [
autoPatchelfHook
copyDesktopItems
wrapGAppsHook3
];
buildInputs = [
alsa-lib
dbus-glib
gtk2-x11
libXt
(lib.getLib stdenv.cc.cc)
]
++ lib.optionals withGTK3 [
gtk3
];
desktopItems = [
(makeDesktopItem {
name = "palemoon-bin";
desktopName = "Pale Moon Web Browser";
comment = "Browse the World Wide Web";
keywords = [
"Internet"
"WWW"
"Browser"
"Web"
"Explorer"
];
exec = "palemoon %u";
terminal = false;
type = "Application";
icon = "palemoon";
categories = [
"Network"
"WebBrowser"
];
mimeTypes = [
"text/html"
"text/xml"
"application/xhtml+xml"
"application/xml"
"application/rss+xml"
"application/rdf+xml"
"image/gif"
"image/jpeg"
"image/png"
"x-scheme-handler/http"
"x-scheme-handler/https"
"x-scheme-handler/ftp"
"x-scheme-handler/chrome"
"video/webm"
"application/x-xpinstall"
];
startupNotify = true;
startupWMClass = "Pale moon";
extraConfig = {
X-MultipleArgs = "false";
};
actions = {
"NewTab" = {
name = "Open new tab";
exec = "palemoon -new-tab https://start.palemoon.org";
};
"NewWindow" = {
name = "Open new window";
exec = "palemoon -new-window";
};
"NewPrivateWindow" = {
name = "Open new private window";
exec = "palemoon -private-window";
};
"ProfileManager" = {
name = "Open the Profile Manager";
exec = "palemoon --ProfileManager";
};
};
})
];
dontConfigure = true;
dontBuild = true;
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,lib/palemoon}
cp -R * $out/lib/palemoon/
ln -s $out/{lib/palemoon,bin}/palemoon
for iconpath in chrome/icons/default/default{16,32,48} icons/mozicon128; do
n=''${iconpath//[^0-9]/}
size=$n"x"$n
mkdir -p $out/share/icons/hicolor/$size/apps
ln -s $out/lib/palemoon/browser/"$iconpath".png $out/share/icons/hicolor/$size/apps/palemoon.png
done
# Disable built-in updater
# https://forum.palemoon.org/viewtopic.php?f=5&t=25073&p=197771#p197747
# > Please do not take this as permission to change, remove, or alter any other preferences as that is forbidden
# > without express permission according to the Pale Moon Redistribution License.
# > We are allowing this one and **ONLY** one exception in order to properly facilitate [package manager] repacks.
install -Dm644 ${./zz-disableUpdater.js} $out/lib/palemoon/browser/defaults/preferences/zz-disableUpdates.js
runHook postInstall
'';
dontWrapGApps = true;
preFixup = ''
# Make optional dependencies available
gappsWrapperArgs+=(
--prefix LD_LIBRARY_PATH : "${
lib.makeLibraryPath [
ffmpeg_6
libglvnd
libpulseaudio
]
}"
)
wrapGApp $out/lib/palemoon/palemoon
'';
passthru = {
sources =
let
urlRegionVariants =
buildVariant:
map
(
region:
"https://rm-${region}.palemoon.org/release/palemoon-${finalAttrs.version}.linux-x86_64-${buildVariant}.tar.xz"
)
[
"eu"
"us"
];
in
{
gtk3 = fetchzip {
urls = urlRegionVariants "gtk3";
hash = "sha256-QhER20l8GP0wQ0pDVwBZbYb2FImbX0kiUS9RCcR7gvg=";
};
gtk2 = fetchzip {
urls = urlRegionVariants "gtk2";
hash = "sha256-13lq59H8xGNbZHalZo87xAaoQg61t2v+B/LXnPoEyoU=";
};
};
tests.version = testers.testVersion {
package = finalAttrs.finalPackage;
};
updateScript = writeScript "update-palemoon-bin" ''
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p common-updater-scripts curl libxml2
set -eu -o pipefail
# Only release note announcement == finalized release
version="$(
curl -s 'http://www.palemoon.org/releasenotes.shtml' |
xmllint --html --xpath 'html/body/table/tbody/tr/td/h3/text()' - 2>/dev/null | head -n1 |
sed 's/v\(\S*\).*/\1/'
)"
for variant in gtk3 gtk2; do
update-source-version palemoon-bin "$version" --ignore-same-version --source-key="sources.$variant"
done
'';
};
meta = with lib; {
homepage = "https://www.palemoon.org/";
description = "Open Source, Goanna-based web browser focusing on efficiency and customization";
longDescription = ''
Pale Moon is an Open Source, Goanna-based web browser focusing on
efficiency and customization.
Pale Moon offers you a browsing experience in a browser completely built
from its own, independently developed source that has been forked off from
Firefox/Mozilla code a number of years ago, with carefully selected
features and optimizations to improve the browser's stability and user
experience, while offering full customization and a growing collection of
extensions and themes to make the browser truly your own.
'';
changelog = "https://repo.palemoon.org/MoonchildProductions/Pale-Moon/releases/tag/${finalAttrs.version}_Release";
license = [
licenses.mpl20
{
fullName = "Pale Moon Redistribution License";
url = "https://www.palemoon.org/redist.shtml";
# TODO free, redistributable? Has strict limitations on what modifications may be done & shipped by packagers
}
];
maintainers = with maintainers; [ OPNA2608 ];
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
mainProgram = "palemoon";
platforms = [ "x86_64-linux" ];
hydraPlatforms = [ ];
};
})
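Review bot: The `updateScript` discovers the new version over plain HTTP (`curl -s 'http://www.palemoon.org/releasenotes.shtml'`), so anyone on the network path can inject the version string that then drives the `update-source-version` downloads; the release downloads themselves use `https://rm-${region}.palemoon.org`, so the fix is only to switch the release-notes fetch to `curl --fail --silent 'https://www.palemoon.org/releasenotes.shtml' |`. `--fail` also matters here because without it an error page is piped into `xmllint` and `sed` and can yield an empty `version`. Separately, the file added as `zz-disableUpdater.js` is installed under the name `zz-disableUpdates.js`; harmless, but renaming one side avoids a future search miss.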


@@ -0,0 +1,7 @@
/* https://forum.palemoon.org/viewtopic.php?f=5&t=25073&p=197771#p197747 */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
pref("app.update.enabled", false);


@@ -0,0 +1,81 @@
{
lib,
stdenv,
mkDerivationWith,
fetchFromGitHub,
python3Packages,
herbstluftwm,
}:
mkDerivationWith python3Packages.buildPythonApplication rec {
inherit stdenv;
pname = "webmacs";
version = "0.8";
format = "setuptools";
disabled = python3Packages.isPy27;
src = fetchFromGitHub {
owner = "parkouss";
repo = "webmacs";
rev = version;
fetchSubmodules = true;
sha256 = "1hzb9341hybgrqcy1w20hshm6xaiby4wbjpjkigf4zq389407368";
};
propagatedBuildInputs = with python3Packages; [
pyqtwebengine
setuptools
dateparser
jinja2
pygments
];
nativeCheckInputs = [
python3Packages.pytest
#python3Packages.pytest-xvfb
#python3Packages.pytest-qt
python3Packages.pytestCheckHook
herbstluftwm
# The following are listed in test-requirements.txt but appear not
# to be needed at present:
# python3Packages.pytest-mock
# python3Packages.flake8
];
# See https://github.com/parkouss/webmacs/blob/1a04fb7bd3f33d39cb4d71621b48c2458712ed39/setup.py#L32
# Don't know why they're using CC for g++.
preConfigure = ''
export CC=$CXX
'';
doCheck = false; # test dependencies not packaged up yet
dontWrapQtApps = true;
preFixup = ''
makeWrapperArgs+=("''${qtWrapperArgs[@]}")
'';
meta = with lib; {
description = "Keyboard-based web browser with Emacs/conkeror heritage";
mainProgram = "webmacs";
longDescription = ''
webmacs is yet another browser for keyboard-based web navigation.
It mainly targets emacs-like navigation, and started as a clone (in terms of
features) of conkeror.
Based on QtWebEngine and Python 3. Fully customizable in Python.
'';
homepage = "https://webmacs.readthedocs.io/en/latest/";
changelog = "https://github.com/parkouss/webmacs/blob/master/CHANGELOG.md";
license = licenses.gpl3;
maintainers = with maintainers; [ jacg ];
platforms = platforms.all;
};
}


@@ -0,0 +1,119 @@
{
lib,
stdenv,
makeWrapper,
makeDesktopItem,
fetchurl,
openjdk17-bootstrap,
jdk11,
jdk8,
}:
let
generic =
{
version,
hash,
platform ? "",
jdk,
...
}@attrs:
let
desktopItem = makeDesktopItem {
categories = [
"Network"
"Development"
"WebDevelopment"
"Java"
];
desktopName = "Charles";
exec = "charles %F";
genericName = "Web Debugging Proxy";
icon = "charles-proxy";
mimeTypes = [
"application/x-charles-savedsession"
"application/x-charles-savedsession+xml"
"application/x-charles-savedsession+json"
"application/har+json"
"application/vnd.tcpdump.pcap"
"application/x-charles-trace"
];
name = "Charles";
startupNotify = true;
};
in
stdenv.mkDerivation {
pname = "charles";
inherit version;
src = fetchurl {
url = "https://www.charlesproxy.com/assets/release/${version}/charles-proxy-${version}${platform}.tar.gz";
curlOptsList = [
"--user-agent"
"Mozilla/5.0"
]; # HTTP 104 otherwise
inherit hash;
};
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
runHook preInstall
makeWrapper ${jdk}/bin/java $out/bin/charles \
--add-flags "-Xmx1024M -Dcharles.config='~/.charles.config' ${lib.optionalString (lib.versionOlder version "5.0") "-jar $out/share/java/charles.jar"} ${lib.optionalString (lib.versionAtLeast version "5.0") "-XX:+UseZGC -Djava.library.path='$out/share/java' --add-opens java.base/sun.security.ssl=com.charlesproxy --add-opens java.desktop/java.awt.event=com.charlesproxy --add-opens java.base/java.io=com.charlesproxy --add-modules com.jthemedetector,com.formdev.flatlaf --module-path '$out/share/java' -m com.charlesproxy"}"
for fn in lib/*.jar; do
install -D -m644 $fn $out/share/java/$(basename $fn)
done
mkdir -p $out/share/applications
ln -s ${desktopItem}/share/applications/* $out/share/applications/
mkdir -p $out/share/icons
cp -r icon $out/share/icons/hicolor
runHook postInstall
'';
meta = {
description = "Web Debugging Proxy";
homepage = "https://www.charlesproxy.com/";
maintainers = with lib.maintainers; [
kalbasit
kashw2
];
sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
license = lib.licenses.unfree;
platforms = lib.platforms.unix;
};
};
in
{
charles5 = (
generic {
version = "5.0";
hash = "sha256-gvspRI3uF7bjE4UBuTGS5+n2h0nKudLtW3sqs2GZIyM=";
platform = "_x86_64";
jdk = openjdk17-bootstrap;
}
);
charles4 = (
generic {
version = "4.6.8";
hash = "sha256-AaS+zmQTWsGoLEhyGHA/UojmctE7IV0N9fnygNhEPls=";
platform = "_amd64";
jdk = jdk11;
}
);
charles3 = (
generic {
version = "3.12.3";
hash = "sha256-Wotxzf6kutYv1F6q71eJVojVJsATJ81war/w4K1A848=";
jdk = jdk8.jre;
mainProgram = "charles";
}
);
}
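Review bot: The `mainProgram = "charles";` passed to `generic` for `charles3` is silently swallowed by the `...` in the parameter set and never reaches `meta`, so none of the three variants actually declares a `mainProgram`. Since every variant installs the same `$out/bin/charles` wrapper, the simplest fix is to add `mainProgram = "charles";` inside the `meta` block of `generic` and drop the dead argument from `charles3`. The `# HTTP 104 otherwise` comment on `curlOptsList` is also unclear, as 104 is not an HTTP status code; stating what the server actually returns without the user-agent override would help the next updater.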


@@ -0,0 +1,99 @@
{
lib,
buildGoModule,
fetchFromGitHub,
}:
builtins.mapAttrs
(
pname:
{
doCheck ? true,
mainProgram ? pname,
subPackages,
}:
buildGoModule rec {
inherit pname;
version = "3.30.3";
src = fetchFromGitHub {
owner = "projectcalico";
repo = "calico";
rev = "v${version}";
hash = "sha256-Z2kYUak/zzO0IsKQyQ6sb3UD4QUZ9+9vGGVfl4qdPF8=";
};
vendorHash = "sha256-C9sge+xNTsW30PF2wJhRUNI1YEmXInD+xcboCtcC9kc=";
inherit doCheck subPackages;
ldflags = [
"-s"
"-w"
];
meta = {
homepage = "https://projectcalico.docs.tigera.io";
changelog = "https://github.com/projectcalico/calico/releases/tag/v${version}";
description = "Cloud native networking and network security";
license = lib.licenses.asl20;
maintainers = with lib.maintainers; [ urandom ];
platforms = lib.platforms.linux;
inherit mainProgram;
};
}
)
{
calico-apiserver = {
mainProgram = "apiserver";
subPackages = [
"apiserver/cmd/..."
];
};
calico-app-policy = {
# integration tests require network
doCheck = false;
mainProgram = "dikastes";
subPackages = [
"app-policy/cmd/..."
];
};
calico-cni-plugin = {
mainProgram = "calico";
subPackages = [
"cni-plugin/cmd/..."
];
};
calico-kube-controllers = {
# integration tests require network and docker
doCheck = false;
mainProgram = "kube-controllers";
subPackages = [
"kube-controllers/cmd/..."
];
};
calico-pod2daemon = {
mainProgram = "flexvol";
subPackages = [
"pod2daemon/csidriver"
"pod2daemon/flexvol"
"pod2daemon/nodeagent"
];
};
calico-typha = {
subPackages = [
"typha/cmd/..."
];
};
calicoctl = {
subPackages = [
"calicoctl/calicoctl"
];
};
confd-calico = {
mainProgram = "confd";
subPackages = [
"confd"
];
};
}


@@ -0,0 +1,43 @@
{
lib,
fetchFromGitHub,
buildGoModule,
}:
buildGoModule rec {
pname = "cni";
version = "1.3.0";
src = fetchFromGitHub {
owner = "containernetworking";
repo = "cni";
rev = "v${version}";
hash = "sha256-xeajsM8ZIlI6Otv9CQhPfYaVQwmJ5QcFEn1xt6e/ivQ=";
};
vendorHash = "sha256-uo3ZwFdD6aJ0WDGmt51l3hs9agUnv1cIQY/KMlNe5nI=";
subPackages = [
"./cnitool"
];
ldflags = [
"-s"
"-w"
];
meta = with lib; {
description = "Container Network Interface - networking for Linux containers";
mainProgram = "cnitool";
license = licenses.asl20;
homepage = "https://github.com/containernetworking/cni";
maintainers = with maintainers; [
offline
vdemeester
];
platforms = [
"x86_64-linux"
"aarch64-linux"
];
};
}


@@ -0,0 +1,58 @@
{
lib,
fetchFromGitHub,
buildGoModule,
nixosTests,
}:
buildGoModule rec {
pname = "cni-plugins";
version = "1.8.0";
src = fetchFromGitHub {
owner = "containernetworking";
repo = "plugins";
rev = "v${version}";
hash = "sha256-/I2fEVVQ89y8l95Ri0V5qxVj/SzXVqP0IT2vSdz8jC8=";
};
vendorHash = null;
doCheck = false;
ldflags = [
"-X github.com/containernetworking/plugins/pkg/utils/buildversion.BuildVersion=v${version}"
];
subPackages = [
"plugins/ipam/dhcp"
"plugins/ipam/host-local"
"plugins/ipam/static"
"plugins/main/bridge"
"plugins/main/dummy"
"plugins/main/host-device"
"plugins/main/ipvlan"
"plugins/main/loopback"
"plugins/main/macvlan"
"plugins/main/ptp"
"plugins/main/tap"
"plugins/main/vlan"
"plugins/meta/bandwidth"
"plugins/meta/firewall"
"plugins/meta/portmap"
"plugins/meta/sbr"
"plugins/meta/tuning"
"plugins/meta/vrf"
];
passthru.tests = { inherit (nixosTests) cri-o; };
meta = with lib; {
changelog = "https://github.com/containernetworking/plugins/releases/tag/${src.rev}";
description = "Some standard networking plugins, maintained by the CNI team";
homepage = "https://www.cni.dev/plugins/";
license = licenses.asl20;
platforms = platforms.linux;
teams = [ teams.podman ];
};
}


@@ -0,0 +1,35 @@
{
lib,
buildGoModule,
minikube,
}:
buildGoModule rec {
inherit (minikube)
version
src
nativeBuildInputs
buildInputs
vendorHash
doCheck
postPatch
;
pname = "docker-machine-hyperkit";
buildPhase = ''
make docker-machine-driver-hyperkit COMMIT=${src.rev}
'';
installPhase = ''
install out/docker-machine-driver-hyperkit -Dt $out/bin
'';
meta = with lib; {
homepage = "https://minikube.sigs.k8s.io/docs/drivers/hyperkit";
description = "HyperKit driver for docker-machine";
license = licenses.asl20;
maintainers = with maintainers; [ atkinschang ];
platforms = [ "x86_64-darwin" ];
};
}


@@ -0,0 +1,42 @@
{
lib,
buildGoModule,
minikube,
}:
buildGoModule rec {
inherit (minikube)
version
src
nativeBuildInputs
buildInputs
vendorHash
doCheck
;
pname = "docker-machine-kvm2";
postPatch = minikube.postPatch + ''
sed -i '/GOARCH=$*/d' Makefile
'';
buildPhase = ''
make docker-machine-driver-kvm2 COMMIT=${src.rev}
'';
installPhase = ''
install out/docker-machine-driver-kvm2 -Dt $out/bin
'';
meta = with lib; {
homepage = "https://minikube.sigs.k8s.io/docs/drivers/kvm2";
description = "KVM2 driver for docker-machine";
mainProgram = "docker-machine-driver-kvm2";
license = licenses.asl20;
maintainers = with maintainers; [
tadfisher
atkinschang
];
platforms = platforms.linux;
};
}


@@ -0,0 +1,47 @@
{
version,
stdenv,
fetchurl,
lib,
cmake,
openssl,
platformAttrs,
...
}:
stdenv.mkDerivation (finalAttrs: {
pname = "hadoop-yarn-containerexecutor";
inherit version;
src = fetchurl {
url = "mirror://apache/hadoop/common/hadoop-${finalAttrs.version}/hadoop-${finalAttrs.version}-src.tar.gz";
hash = platformAttrs.${stdenv.system}.srcHash;
};
sourceRoot =
"hadoop-${finalAttrs.version}-src/hadoop-yarn-project/hadoop-yarn/"
+ "hadoop-yarn-server/hadoop-yarn-server-nodemanager/src";
nativeBuildInputs = [ cmake ];
buildInputs = [ openssl ];
cmakeFlags = [ "-DHADOOP_CONF_DIR=/run/wrappers/yarn-nodemanager/etc/hadoop" ];
installPhase = ''
mkdir $out
mv target/var/empty/local/bin $out/
'';
meta = with lib; {
homepage = "https://hadoop.apache.org/";
description = "Framework for distributed processing of large data sets across clusters of computers";
license = licenses.asl20;
longDescription = ''
The Hadoop YARN Container Executor is a native component responsible for managing the lifecycle of containers
on individual nodes in a Hadoop YARN cluster. It launches, monitors, and terminates containers, ensuring that
resources like CPU and memory are allocated according to the policies defined in the ResourceManager.
'';
maintainers = with maintainers; [ illustris ];
platforms = filter (strings.hasSuffix "linux") (attrNames platformAttrs);
};
})


@@ -0,0 +1,224 @@
{
lib,
stdenv,
fetchurl,
makeWrapper,
autoPatchelfHook,
jdk8_headless,
jdk11_headless,
jdk21_headless,
bash,
coreutils,
which,
bzip2,
cyrus_sasl,
protobuf,
snappy,
zlib,
zstd,
openssl,
nixosTests,
sparkSupport ? true,
spark,
libtirpc,
callPackage,
}:
assert lib.elem stdenv.system [
"x86_64-linux"
"x86_64-darwin"
"aarch64-linux"
"aarch64-darwin"
];
let
common =
{
pname,
platformAttrs,
jdk,
tests,
}:
stdenv.mkDerivation (finalAttrs: {
inherit pname;
jdk = platformAttrs.${stdenv.system}.jdk or jdk;
version = platformAttrs.${stdenv.system}.version or (throw "Unsupported system: ${stdenv.system}");
src = fetchurl {
url =
"mirror://apache/hadoop/common/hadoop-${finalAttrs.version}/hadoop-${finalAttrs.version}"
+
lib.optionalString (lib.hasAttr "variant" platformAttrs.${stdenv.system})
"-${platformAttrs.${stdenv.system}.variant}"
+ lib.optionalString stdenv.hostPlatform.isAarch64 "-aarch64"
+ ".tar.gz";
inherit (platformAttrs.${stdenv.system} or (throw "Unsupported system: ${stdenv.system}"))
hash
;
};
doCheck = true;
# Build the container executor binary from source
# InstallPhase is not lazily evaluating containerExecutor for some reason
containerExecutor =
if stdenv.hostPlatform.isLinux then
(callPackage ./containerExecutor.nix {
inherit (finalAttrs) version;
inherit platformAttrs;
})
else
"";
nativeBuildInputs = [
makeWrapper
]
++ lib.optionals stdenv.hostPlatform.isLinux [ autoPatchelfHook ];
buildInputs = lib.optionals stdenv.hostPlatform.isLinux [
(lib.getLib stdenv.cc.cc)
openssl
protobuf
zlib
snappy
libtirpc
];
installPhase = ''
mkdir $out
mv * $out/
''
+ lib.optionalString stdenv.hostPlatform.isLinux ''
for n in $(find ${finalAttrs.containerExecutor}/bin -type f); do
ln -sf "$n" $out/bin
done
# these libraries are loaded at runtime by the JVM
ln -s ${lib.getLib cyrus_sasl}/lib/libsasl2.so $out/lib/native/libsasl2.so.2
ln -s ${lib.getLib openssl}/lib/libcrypto.so $out/lib/native/
ln -s ${lib.getLib zlib}/lib/libz.so.1 $out/lib/native/
ln -s ${lib.getLib zstd}/lib/libzstd.so.1 $out/lib/native/
ln -s ${lib.getLib bzip2}/lib/libbz2.so.1 $out/lib/native/
ln -s ${lib.getLib snappy}/lib/libsnappy.so.1 $out/lib/native/
# libjvm.so is in different paths for java 8 and 11
# libnativetask.so in hadooop 3 and libhdfs.so in hadoop 2 depend on it
find $out/lib/native/ -name 'libnativetask.so*' -o -name 'libhdfs.so*' | \
xargs -n1 patchelf --add-rpath $(dirname $(find ${finalAttrs.jdk.home} -name libjvm.so | head -n1))
# NixOS/nixpkgs#193370
# This workaround is needed to use protobuf 3.19
# hadoop 3.3+ depends on protobuf 3.18, 3.2 depends on 3.8
find $out/lib/native -name 'libhdfspp.so*' | \
xargs -r -n1 patchelf --replace-needed libprotobuf.so.${
if (lib.versionAtLeast finalAttrs.version "3.4.1") then
"32"
else if (lib.versionAtLeast finalAttrs.version "3.3") then
"18"
else
"8"
} libprotobuf.so
patchelf --replace-needed libcrypto.so.1.1 libcrypto.so \
$out/lib/native/{libhdfs{pp,}.so*,examples/{pipes-sort,wordcount-nopipe,wordcount-part,wordcount-simple}}
''
+ ''
for n in $(find $out/bin -type f ! -name "*.*"); do
wrapProgram "$n"\
--set-default JAVA_HOME ${finalAttrs.jdk.home}\
--set-default HADOOP_HOME $out/\
--run "test -d /etc/hadoop-conf && export HADOOP_CONF_DIR=\''${HADOOP_CONF_DIR-'/etc/hadoop-conf/'}"\
--set-default HADOOP_CONF_DIR $out/etc/hadoop/\
--prefix PATH : "${
lib.makeBinPath [
bash
coreutils
which
]
}"\
--prefix JAVA_LIBRARY_PATH : "${lib.makeLibraryPath finalAttrs.buildInputs}"
done
''
+ (lib.optionalString sparkSupport ''
# Add the spark shuffle service jar to YARN
cp ${spark.src}/yarn/spark-${spark.version}-yarn-shuffle.jar $out/share/hadoop/yarn/
'');
passthru = { inherit tests; };
meta =
with lib;
recursiveUpdate {
homepage = "https://hadoop.apache.org/";
description = "Framework for distributed processing of large data sets across clusters of computers";
license = licenses.asl20;
sourceProvenance = with sourceTypes; [ binaryBytecode ];
longDescription = ''
The Apache Hadoop software library is a framework that allows for
the distributed processing of large data sets across clusters of
computers using a simple programming model. It is designed to
scale up from single servers to thousands of machines, each
offering local computation and storage. Rather than rely on
hardware to deliver high-avaiability, the library itself is
designed to detect and handle failures at the application layer,
so delivering a highly-availabile service on top of a cluster of
computers, each of which may be prone to failures.
'';
maintainers = with maintainers; [ illustris ];
platforms = attrNames platformAttrs;
} (attrByPath [ stdenv.system "meta" ] { } platformAttrs);
});
in
{
# Different version of hadoop support different java runtime versions
# https://cwiki.apache.org/confluence/display/HADOOP/Hadoop+Java+Versions
hadoop_3_4 = common {
pname = "hadoop";
platformAttrs = rec {
x86_64-linux = {
version = "3.4.2";
hash = "sha256-YySoP+EeUXiQQ2/G2AvIKVBu0lLL4kZXUrkSIJAN+4M=";
srcHash = "sha256-AkZjpHk57S3pYiZambxgRHR7PD51HSI4H1HHW9ICah4=";
variant = "lean";
};
x86_64-darwin = x86_64-linux;
aarch64-linux = {
version = "3.4.0";
hash = "sha256-QWxzKtNyw/AzcHMv0v7kj91pw1HO7VAN9MHO84caFk8=";
srcHash = "sha256-viDF3LdRCZHqFycOYfN7nUQBPHiMCIjmu7jgIAaaK9E=";
jdk = jdk11_headless;
};
aarch64-darwin = aarch64-linux;
};
jdk = jdk21_headless;
# TODO: Package and add Intel Storage Acceleration Library
tests = nixosTests.hadoop;
};
hadoop_3_3 = common {
pname = "hadoop";
platformAttrs = rec {
x86_64-linux = {
version = "3.3.6";
hash = "sha256-9RlQWcDUECrap//xf3sqhd+Qa8tuGZSHFjGfmXhkGgQ=";
srcHash = "sha256-4OEsVhBNV9CJ+PN4FgCduUCVA9/el5yezSCZ6ko3+bU=";
};
x86_64-darwin = x86_64-linux;
aarch64-linux = x86_64-linux // {
hash = "sha256-5Lv2uA72BJEva5v2yncyPe5gKNCNOPNsoHffVt6KXQ0=";
};
aarch64-darwin = aarch64-linux;
};
jdk = jdk11_headless;
# TODO: Package and add Intel Storage Acceleration Library
tests = nixosTests.hadoop_3_3;
};
hadoop2 = common {
pname = "hadoop";
platformAttrs.x86_64-linux = {
version = "2.10.2";
hash = "sha256-xhA4zxqIRGNhIeBnJO9dLKf/gx/Bq+uIyyZwsIafEyo=";
srcHash = "sha256-ucxCyXiJo8aL6aNMhZgKEbn8sGKOoMPVREbMGSfSdAI=";
};
jdk = jdk8_headless;
tests = nixosTests.hadoop2;
};
}
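Review bot: `doCheck = true;` in `common` is set on a derivation that unpacks a binary tarball and defines no `checkPhase`; the stdenv default check phase does nothing when no Makefile is found, so as far as I can tell this line is a no-op and should either be removed or backed by a real check (for example running `$out/bin/hadoop version` after install). The `longDescription` also carries two typos, `high-avaiability` and `highly-availabile`, which should read `high-availability` and `highly-available`. The comment above `containerExecutor` ("InstallPhase is not lazily evaluating containerExecutor for some reason") describes a workaround without saying what breaks; a sentence naming the observed failure would keep someone from removing the `else ""` branch.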


@@ -0,0 +1,87 @@
{
lib,
stdenv,
buildGoModule,
fetchFromGitHub,
installShellFiles,
testers,
}:
buildGoModule (finalAttrs: {
pname = "kubernetes-helm";
version = "3.19.0";
src = fetchFromGitHub {
owner = "helm";
repo = "helm";
rev = "v${finalAttrs.version}";
sha256 = "sha256-ssOebBeIFVd6N0CDWfAU3HN0j4Rw7twncokzorHWJig=";
};
vendorHash = "sha256-G3PLT2jE+Oitct5F+o/hr8GDAKWcvp23dcpezuBge6k=";
subPackages = [ "cmd/helm" ];
ldflags = [
"-w"
"-s"
"-X helm.sh/helm/v3/internal/version.version=v${finalAttrs.version}"
"-X helm.sh/helm/v3/internal/version.gitCommit=${finalAttrs.src.rev}"
];
preBuild = ''
# set k8s version to client-go version, to match upstream
K8S_MODULES_VER="$(go list -f '{{.Version}}' -m k8s.io/client-go)"
K8S_MODULES_MAJOR_VER="$(($(cut -d. -f1 <<<"$K8S_MODULES_VER") + 1))"
K8S_MODULES_MINOR_VER="$(cut -d. -f2 <<<"$K8S_MODULES_VER")"
old_ldflags="''${ldflags}"
ldflags="''${ldflags} -X helm.sh/helm/v3/pkg/lint/rules.k8sVersionMajor=''${K8S_MODULES_MAJOR_VER}"
ldflags="''${ldflags} -X helm.sh/helm/v3/pkg/lint/rules.k8sVersionMinor=''${K8S_MODULES_MINOR_VER}"
ldflags="''${ldflags} -X helm.sh/helm/v3/pkg/chartutil.k8sVersionMajor=''${K8S_MODULES_MAJOR_VER}"
ldflags="''${ldflags} -X helm.sh/helm/v3/pkg/chartutil.k8sVersionMinor=''${K8S_MODULES_MINOR_VER}"
'';
__darwinAllowLocalNetworking = true;
preCheck = ''
# restore ldflags for tests
ldflags="''${old_ldflags}"
# skipping version tests because they require dot git directory
substituteInPlace cmd/helm/version_test.go \
--replace "TestVersion" "SkipVersion"
# skipping plugin tests
substituteInPlace cmd/helm/plugin_test.go \
--replace "TestPluginDynamicCompletion" "SkipPluginDynamicCompletion" \
--replace "TestLoadPlugins" "SkipLoadPlugins"
substituteInPlace cmd/helm/helm_test.go \
--replace "TestPluginExitCode" "SkipPluginExitCode"
'';
nativeBuildInputs = [ installShellFiles ];
postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
$out/bin/helm completion bash > helm.bash
$out/bin/helm completion zsh > helm.zsh
$out/bin/helm completion fish > helm.fish
installShellCompletion helm.{bash,zsh,fish}
'';
passthru.tests.version = testers.testVersion {
package = finalAttrs.finalPackage;
command = "helm version";
version = "v${finalAttrs.version}";
};
meta = with lib; {
homepage = "https://github.com/helm/helm";
description = "Package manager for kubernetes";
mainProgram = "helm";
license = licenses.asl20;
maintainers = with maintainers; [
rlupton20
edude03
saschagrunert
Frostman
Chili-Man
techknowlogick
];
};
})
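Review bot: The test-skipping substitutions in preCheck use the deprecated `--replace`, which silently does nothing if upstream renames `TestVersion`, `TestPluginDynamicCompletion`, `TestLoadPlugins` or `TestPluginExitCode`; `--replace-fail`, which helm-schema's postPatch in this same commit already uses, makes the build stop instead, e.g. `--replace-fail "TestVersion" "SkipVersion"`. Separately, `-X helm.sh/helm/v3/internal/version.gitCommit=${finalAttrs.src.rev}` bakes the tag string `v3.19.0` into a field meant for a commit hash, so `helm version` reports a tag where a hash is expected; if that is deliberate, a comment such as `# src.rev is the tag, not a commit; upstream only uses this for display` would save the next reader the question.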


@@ -0,0 +1,21 @@
{ callPackage }:
{
helm-cm-push = callPackage ./helm-cm-push.nix { };
helm-diff = callPackage ./helm-diff.nix { };
helm-dt = callPackage ./helm-dt.nix { };
helm-git = callPackage ./helm-git.nix { };
helm-mapkubeapis = callPackage ./helm-mapkubeapis.nix { };
helm-s3 = callPackage ./helm-s3.nix { };
helm-secrets = callPackage ./helm-secrets.nix { };
helm-schema = callPackage ./helm-schema.nix { };
helm-unittest = callPackage ./helm-unittest.nix { };
}


@@ -0,0 +1,48 @@
{
lib,
buildGoModule,
fetchFromGitHub,
}:
buildGoModule rec {
pname = "helm-cm-push";
version = "0.10.4";
src = fetchFromGitHub {
owner = "chartmuseum";
repo = "helm-push";
rev = "v${version}";
hash = "sha256-YnhI1/BDk9swr3YFm5ajGf4LLgPty7blA2tlsMH0erY=";
};
vendorHash = "sha256-7bUDKqkvBV1Upcrj4DQnVCP74QtKlSwF0Kl2sPFZpjc=";
subPackage = [ "cmd/helm-cm-push" ];
# Remove hooks.
postPatch = ''
sed -e '/^hooks:/,+2 d' -i plugin.yaml
'';
env.CGO_ENABLED = 0;
ldflags = [
"-s"
"-w"
];
postInstall = ''
install -Dm644 plugin.yaml $out/helm-cm-push/plugin.yaml
mv $out/bin $out/helm-cm-push
'';
# Tests require the ChartMuseum service.
doCheck = false;
meta = with lib; {
description = "Helm plugin to push chart package to ChartMuseum";
homepage = "https://github.com/chartmuseum/helm-push";
license = licenses.asl20;
maintainers = [ ];
};
}
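Review bot: `subPackage = [ "cmd/helm-cm-push" ];` is not an attribute buildGoModule reads; the hook expects `subPackages` (plural), as the helm and helm-s3 expressions in this commit spell it, so the singular form is silently ignored, every package in the module is built into `$out/bin`, and the whole directory is then moved into `$out/helm-cm-push` by postInstall. Renaming it to `subPackages = [ "cmd/helm-cm-push" ];` restricts the build to the plugin binary.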


@@ -0,0 +1,44 @@
{
buildGoModule,
fetchFromGitHub,
lib,
}:
buildGoModule rec {
pname = "helm-diff";
version = "3.13.0";
src = fetchFromGitHub {
owner = "databus23";
repo = "helm-diff";
rev = "v${version}";
hash = "sha256-U1lNCOYix+7aPNq4U0A7KU4Cr+AqQsTUrYTg/0Zg5cs=";
};
vendorHash = "sha256-nwL6n0pthW12ij9iqmS404r0m9xv0qh8RYiQhqvJC2U=";
ldflags = [
"-s"
"-w"
"-X github.com/databus23/helm-diff/v3/cmd.Version=${version}"
];
# NOTE: Remove the install and upgrade hooks.
postPatch = ''
sed -i '/^hooks:/,+2 d' plugin.yaml
'';
postInstall = ''
install -dm755 $out/${pname}
mv $out/bin $out/${pname}/
mv $out/${pname}/bin/{helm-,}diff
install -m644 -Dt $out/${pname} plugin.yaml
'';
meta = with lib; {
description = "Helm plugin that shows a diff";
homepage = "https://github.com/databus23/helm-diff";
license = licenses.asl20;
maintainers = with maintainers; [ yurrriq ];
};
}


@@ -0,0 +1,48 @@
{
buildGoModule,
fetchFromGitHub,
lib,
}:
buildGoModule rec {
pname = "helm-dt";
version = "0.4.9";
src = fetchFromGitHub {
owner = "vmware-labs";
repo = "distribution-tooling-for-helm";
rev = "refs/tags/v${version}";
hash = "sha256-3zEu4fnvjM1SvyOyj6NzQteyfEh5X7ro/G0gkzt7ghY=";
};
vendorHash = "sha256-CIVgNS74V75etC9WBzoxu6aoMHlUYxWd22h2NG1uNn0=";
ldflags = [
"-s"
"-w"
"-X 'main.BuildDate=1970-01-01 00:00:00 UTC'"
"-X 'main.Commit=v${version}'"
];
# NOTE: Remove the install and upgrade hooks.
postPatch = ''
sed -i '/^hooks:/,+2 d' plugin.yaml
'';
# require network/login
doCheck = false;
env.CGO_ENABLED = 1;
postInstall = ''
install -dm755 $out/helm-dt/bin
mv $out/bin/dt $out/helm-dt/bin/dt
rmdir $out/bin
install -m644 -Dt $out/helm-dt plugin.yaml
'';
meta = {
description = "Helm Distribution plugin is is a set of utilities and Helm Plugin for making offline work with Helm Charts easier";
homepage = "https://github.com/vmware-labs/distribution-tooling-for-helm";
maintainers = with lib.maintainers; [ ascii17 ];
license = lib.licenses.mit;
};
}
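Review bot: The description at `description = "Helm Distribution plugin is is a set of utilities ..."` has a doubled "is", and nixpkgs descriptions conventionally omit the leading project name, so `description = "Set of utilities and Helm plugin for making offline work with Helm charts easier";` would read better. `rev = "refs/tags/v${version}"` could use fetchFromGitHub's `tag` argument instead, as helm-schema does in this commit, which also documents that the pin is a tag rather than a branch.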


@@ -0,0 +1,55 @@
{
lib,
stdenv,
fetchFromGitHub,
coreutils,
findutils,
gitMinimal,
gnugrep,
gnused,
makeWrapper,
}:
stdenv.mkDerivation rec {
pname = "helm-git";
version = "1.4.1";
src = fetchFromGitHub {
owner = "aslafy-z";
repo = "helm-git";
rev = "v${version}";
sha256 = "sha256-gMx61fhAaiYHYd/so65DEBKANZZO826AFLU1FIE3hSs=";
};
nativeBuildInputs = [ makeWrapper ];
# NOTE: helm-git is comprised of shell scripts.
dontBuild = true;
installPhase = ''
install -dm755 $out/helm-git
install -m644 -Dt $out/helm-git plugin.yaml
cp helm-git helm-git-plugin.sh $out/helm-git/
patchShebangs $out/helm-git/helm-git{,-plugin.sh}
wrapProgram $out/helm-git/helm-git \
--prefix PATH : ${
lib.makeBinPath [
coreutils
findutils
gitMinimal
gnugrep
gnused
]
}
runHook postInstall
'';
meta = with lib; {
description = "Helm downloader plugin that provides GIT protocol support";
homepage = "https://github.com/aslafy-z/helm-git";
license = licenses.mit;
maintainers = with maintainers; [ flokli ];
};
}
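Review bot: installPhase ends with `runHook postInstall` but never runs `runHook preInstall`, so a preInstall hook added by an override or a setup hook is silently skipped; helm-secrets' installPhase in this commit has both. Add `runHook preInstall` as the first line of the phase.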


@@ -0,0 +1,38 @@
{
buildGoModule,
fetchFromGitHub,
lib,
}:
buildGoModule rec {
pname = "helm-mapkubeapis";
version = "0.6.1";
src = fetchFromGitHub {
owner = "helm";
repo = "helm-mapkubeapis";
rev = "v${version}";
hash = "sha256-RvyoqfhvoXESmc6M4B1XeUtal0zQt6LCKjByyBe6pUU=";
};
vendorHash = "sha256-ZnfNje0JuTCckW9SMc2TLb968nHiGK/bgOJnIllJJq4=";
# NOTE: Remove the install and upgrade hooks.
postPatch = ''
sed -i '/^hooks:/,+2 d' plugin.yaml
'';
postInstall = ''
install -dm755 $out/helm-mapkubeapis
mv $out/bin $out/helm-mapkubeapis/
install -m644 -Dt $out/helm-mapkubeapis/config/ config/Map.yaml
install -m644 -Dt $out/helm-mapkubeapis plugin.yaml
'';
meta = {
description = "Helm plugin which maps deprecated or removed Kubernetes APIs in a release to supported APIs";
homepage = "https://github.com/helm/helm-mapkubeapis";
license = with lib.licenses; [ asl20 ];
maintainers = with lib.maintainers; [ aos ];
};
}


@@ -0,0 +1,50 @@
{
buildGoModule,
fetchFromGitHub,
lib,
}:
buildGoModule rec {
pname = "helm-s3";
version = "0.17.0";
src = fetchFromGitHub {
owner = "hypnoglow";
repo = "helm-s3";
rev = "v${version}";
hash = "sha256-9n/Dzgr/wYGgJq47FdNGPPpOFzTRt4VaK8HA06F5FIE=";
};
vendorHash = "sha256-6YBIUUIvQ6ZDPF9Dz5tNXuHS+pa/yiNs4sKZbMudMxs=";
# NOTE: Remove the install and upgrade hooks.
postPatch = ''
sed -i '/^hooks:/,+2 d' plugin.yaml
'';
# NOTE: make test-unit, but skip awsutil, which needs internet access
checkPhase = ''
go test $(go list ./... | grep -vE '(awsutil|e2e)')
'';
ldflags = [
"-s"
"-w"
"-X main.version=${version}"
];
subPackages = [ "cmd/helm-s3" ];
postInstall = ''
install -dm755 $out/helm-s3
mv $out/bin $out/helm-s3/
install -m644 -Dt $out/helm-s3 plugin.yaml
'';
meta = with lib; {
description = "Helm plugin that allows to set up a chart repository using AWS S3";
homepage = "https://github.com/hypnoglow/helm-s3";
license = licenses.mit;
maintainers = with maintainers; [ yurrriq ];
};
}
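Review bot: The custom checkPhase replaces the Go hook's phase without calling `runHook preCheck` / `runHook postCheck`, so pre/postCheck additions from overrides or setup hooks are silently skipped; wrap the `go test` line with them. The NOTE above the phase mentions only awsutil, while the filter `grep -vE '(awsutil|e2e)'` also excludes e2e; a comment along the lines of `# skip awsutil (needs internet) and e2e (needs a live S3 endpoint)` would match the code, with the e2e reason confirmed against upstream.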


@@ -0,0 +1,66 @@
{
buildGoModule,
fetchFromGitHub,
lib,
versionCheckHook,
nix-update-script,
}:
buildGoModule (finalAttrs: {
pname = "helm-schema";
version = "2.3.0";
src = fetchFromGitHub {
owner = "losisin";
repo = "helm-values-schema-json";
tag = "v${finalAttrs.version}";
hash = "sha256-q5A+tCnuHTtUyejP4flID7XhsoBfWGge2jCgsL0uEOc=";
};
vendorHash = "sha256-xmj2i1WNI/9ItbxRk8mPIygjq83xuvNu6THyPqZsysY=";
ldflags = [
"-s"
"-w"
"-X 'main.Version=v${finalAttrs.version}'"
];
postPatch = ''
# Remove the install and upgrade hooks
sed -i '/^hooks:/,+2 d' plugin.yaml
substituteInPlace {plugin.yaml,plugin.complete} \
--replace-fail '$HELM_PLUGIN_DIR' '${placeholder "out"}/${finalAttrs.pname}/bin'
'';
postInstall = ''
install -D plugin.complete -t $out/helm-schema/
install -m644 plugin.yaml -t $out/helm-schema/
mv $out/bin/{helm-values-schema-json,schema}
mv $out/bin $out/helm-schema
'';
# Unit tests try to open web server on port 0
__darwinAllowLocalNetworking = true;
doInstallCheck = true;
nativeInstallCheckInputs = [ versionCheckHook ];
versionCheckProgram = "${placeholder "out"}/helm-schema/bin/schema";
versionCheckProgramArg = "--version";
passthru.updateScript = nix-update-script { };
meta = {
mainProgram = "schema";
description = "Helm plugin for generating values.schema.json from multiple values files";
longDescription = ''
Helm plugin for generating `values.schema.json` from single or
multiple values files. Schema can be enriched by reading
annotations from comments. Works only with Helm3 charts.
'';
homepage = "https://github.com/losisin/helm-values-schema-json";
changelog = "https://github.com/losisin/helm-values-schema-json/releases/tag/v${finalAttrs.version}";
maintainers = with lib.maintainers; [ applejag ];
license = lib.licenses.mit;
};
})


@@ -0,0 +1,67 @@
{
lib,
stdenv,
fetchFromGitHub,
makeWrapper,
coreutils,
findutils,
getopt,
gnugrep,
gnused,
sops,
}:
stdenv.mkDerivation rec {
pname = "helm-secrets";
version = "4.6.10";
src = fetchFromGitHub {
owner = "jkroepke";
repo = "helm-secrets";
rev = "v${version}";
hash = "sha256-hno6+kik+U9XA7Mr9OnuuVidfc/xoqWRjMbBMI6M3QA=";
};
nativeBuildInputs = [ makeWrapper ];
buildInputs = [
getopt
sops
];
# NOTE: helm-secrets is comprised of shell scripts.
dontBuild = true;
# NOTE: Fix version string
postPatch = ''
sed -i 's/^version:.*/version: "${version}"/' plugin.yaml
'';
installPhase = ''
runHook preInstall
install -dm755 $out/helm-secrets $out/helm-secrets/scripts
install -m644 -Dt $out/helm-secrets plugin.yaml
cp -r scripts/* $out/helm-secrets/scripts
wrapProgram $out/helm-secrets/scripts/run.sh \
--prefix PATH : ${
lib.makeBinPath [
coreutils
findutils
getopt
gnugrep
gnused
sops
]
}
runHook postInstall
'';
meta = with lib; {
description = "Helm plugin that helps manage secrets";
homepage = "https://github.com/jkroepke/helm-secrets";
license = licenses.asl20;
maintainers = with maintainers; [ yurrriq ];
platforms = platforms.unix;
};
}
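Review bot: `buildInputs = [ getopt sops ];` adds nothing for a package that is only shell scripts with `dontBuild = true`; the scripts reach those tools through the `wrapProgram --prefix PATH` list, which already names both, so the attribute can be dropped (helm-git, the analogous shell-script plugin in this commit, has none). Only `scripts/run.sh` is wrapped while `cp -r scripts/*` installs every script; if plugin.yaml invokes a different entry point, that script would not see the PATH additions, which is worth confirming against upstream's plugin.yaml.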


@@ -0,0 +1,38 @@
{
buildGoModule,
fetchFromGitHub,
lib,
}:
buildGoModule rec {
pname = "helm-unittest";
version = "0.7.2";
src = fetchFromGitHub {
owner = "helm-unittest";
repo = "helm-unittest";
rev = "v${version}";
hash = "sha256-RWucFZlyVYV5pHFGP7x5I+SILAJ9k12R7l5o7WKGS/c=";
};
vendorHash = "sha256-tTM9n/ahtAJoQt0fwf1jrSokWER+cOnpPX7NTNrhKc4=";
# NOTE: Remove the install and upgrade hooks.
postPatch = ''
sed -i '/^hooks:/,+2 d' plugin.yaml
'';
postInstall = ''
install -dm755 $out/helm-unittest
mv $out/bin/helm-unittest $out/helm-unittest/untt
rmdir $out/bin
install -m644 -Dt $out/helm-unittest plugin.yaml
'';
meta = with lib; {
description = "BDD styled unit test framework for Kubernetes Helm charts as a Helm plugin";
homepage = "https://github.com/helm-unittest/helm-unittest";
license = licenses.mit;
maintainers = with maintainers; [ yurrriq ];
};
}


@@ -0,0 +1,56 @@
{
symlinkJoin,
lib,
makeWrapper,
writeText,
}:
helm:
let
wrapper =
{
plugins ? [ ],
extraMakeWrapperArgs ? "",
}:
let
initialMakeWrapperArgs = [
];
pluginsDir = symlinkJoin {
name = "helm-plugins";
paths = plugins;
};
in
symlinkJoin {
name = "helm-${lib.getVersion helm}";
# Remove the symlinks created by symlinkJoin which we need to perform
# extra actions upon
postBuild = ''
wrapProgram "$out/bin/helm" \
"--set" "HELM_PLUGINS" "${pluginsDir}" ${extraMakeWrapperArgs}
'';
paths = [
helm
pluginsDir
];
preferLocalBuild = true;
nativeBuildInputs = [ makeWrapper ];
passthru = {
inherit pluginsDir;
unwrapped = helm;
};
meta = helm.meta // {
# To prevent builds on hydra
hydraPlatforms = [ ];
# prefer wrapper over the package
priority = (helm.meta.priority or lib.meta.defaultPriority) - 1;
};
};
in
lib.makeOverridable wrapper
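Review bot: `initialMakeWrapperArgs = [ ];` is bound but never referenced anywhere in the wrapper, so it is dead code and can be dropped. The comment above postBuild ("Remove the symlinks created by symlinkJoin which we need to perform extra actions upon") describes something the phase does not do: it only runs `wrapProgram` on `$out/bin/helm`; a comment such as `# Wrap the helm symlink created by symlinkJoin so HELM_PLUGINS points at the joined plugin directory` would match the code. `extraMakeWrapperArgs` is spliced unquoted into the shell line and so undergoes word-splitting, which looks intentional for passing several flags but deserves a note on the parameter, e.g. `# shell-split into individual makeWrapper flags`.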


@@ -0,0 +1,10 @@
{
traefik-crd = {
url = "https://k3s.io/k3s-charts/assets/traefik-crd/traefik-crd-27.0.201+up27.0.2.tgz";
sha256 = "0vwprcb60y15sc4lmi58gl1zr3yhsq43jlbsfm7gs20ci90frv16";
};
traefik = {
url = "https://k3s.io/k3s-charts/assets/traefik/traefik-27.0.201+up27.0.2.tgz";
sha256 = "12dp1r82qfzqfzs4sfxc54rnw8kv42a3w4gpk5v3qkhqm6fkrnn1";
};
}


@@ -0,0 +1,26 @@
{
"airgap-images-amd64-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.31.13%2Bk3s1/k3s-airgap-images-amd64.tar.gz",
"sha256": "22972425bc5554ce4d9958a3b7b5b3c1d4d80d9e6dd9494e9853fc659b944724"
},
"airgap-images-amd64-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.31.13%2Bk3s1/k3s-airgap-images-amd64.tar.zst",
"sha256": "2b89cf256067bb292cc24e0a93688c2e4704387910a37cda38ef83727121c780"
},
"airgap-images-arm-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.31.13%2Bk3s1/k3s-airgap-images-arm.tar.gz",
"sha256": "2437c19cfe19a8d62097430e8f51cab2ed740b42b18ee060bc7a18a7421f8ac9"
},
"airgap-images-arm-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.31.13%2Bk3s1/k3s-airgap-images-arm.tar.zst",
"sha256": "e7ba4d17e439863f71f303d871f6c700fdafc3b96fb69323cb59f2319ab844d4"
},
"airgap-images-arm64-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.31.13%2Bk3s1/k3s-airgap-images-arm64.tar.gz",
"sha256": "90abbf66bae88eec6016c2a5053523dcbcdf94d215775b4bd773d322b236fc84"
},
"airgap-images-arm64-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.31.13%2Bk3s1/k3s-airgap-images-arm64.tar.zst",
"sha256": "fd166a50cbe9be3e3a41d5e3292357168578622a5d1211642206b9afd6cf1ddc"
}
}


@@ -0,0 +1,15 @@
{
k3sVersion = "1.31.13+k3s1";
k3sCommit = "a4ca1794628ec6d699b5768ef9fc1b99e1694efc";
k3sRepoSha256 = "0zlvbkidan1jpdbcqqvpr46701rcnch4q7iczbpadbx7ixq7qmwj";
k3sVendorHash = "sha256-wR4GNGd9QK/6IVdoXmcPDQwj0dvA/ofwVBgWXDmHz1U=";
chartVersions = import ./chart-versions.nix;
imagesVersions = builtins.fromJSON (builtins.readFile ./images-versions.json);
k3sRootVersion = "0.15.0";
k3sRootSha256 = "008n8xx7x36y9y4r24hx39xagf1dxbp3pqq2j53s9zkaiqc62hd0";
k3sCNIVersion = "1.7.1-k3s1";
k3sCNISha256 = "0k1qfmsi5bqgwd5ap8ndimw09hsxn0cqf4m5ad5a4mgl6akw6dqz";
containerdVersion = "2.1.4-k3s1.32";
containerdSha256 = "05dcyv5kxic99ghi8wb1b544kmq0ccc06yiln2yfh49h11hngw50";
criCtlVersion = "1.31.0-k3s2";
}


@@ -0,0 +1,10 @@
{
traefik-crd = {
url = "https://k3s.io/k3s-charts/assets/traefik-crd/traefik-crd-34.2.1+up34.2.0.tgz";
sha256 = "0bnvkp1bxfsccgdnvpq3ni3p2h8jyvj0iclbqj0rsls8vv1jnp9z";
};
traefik = {
url = "https://k3s.io/k3s-charts/assets/traefik/traefik-34.2.1+up34.2.0.tgz";
sha256 = "16ljy2ncn2kc4kr3m93w2kfw4vjk8is3cp3i2lx4b7afbmi75zyw";
};
}


@@ -0,0 +1,26 @@
{
"airgap-images-amd64-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.32.9%2Bk3s1/k3s-airgap-images-amd64.tar.gz",
"sha256": "50ba2c60c4541a2f09436e7fd91b8b782b2055f91b60ee668d70b29b9f6f1783"
},
"airgap-images-amd64-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.32.9%2Bk3s1/k3s-airgap-images-amd64.tar.zst",
"sha256": "079ef47f09b80397402a818c748aeebd6ba41a405f04c81c80ef05fbffc11dee"
},
"airgap-images-arm-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.32.9%2Bk3s1/k3s-airgap-images-arm.tar.gz",
"sha256": "7718b0be16c4cd336ca79df2bb1a0688fe1d76fdb83c584adb47a44ce70a630e"
},
"airgap-images-arm-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.32.9%2Bk3s1/k3s-airgap-images-arm.tar.zst",
"sha256": "2dcb0dcbb9d50ceef87be1125b6d6ca7a7f7ac233c3715d67db0680153486ed6"
},
"airgap-images-arm64-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.32.9%2Bk3s1/k3s-airgap-images-arm64.tar.gz",
"sha256": "dfe042271ed97ef15a418cb219d31952914b4e78027d8dd871382e5e6bdbc7d1"
},
"airgap-images-arm64-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.32.9%2Bk3s1/k3s-airgap-images-arm64.tar.zst",
"sha256": "b92d129d8e182fd8079be5fa1442116e47cb8e298f9a3ced0e401b2d02929675"
}
}


@@ -0,0 +1,15 @@
{
k3sVersion = "1.32.9+k3s1";
k3sCommit = "062b953493abc18cbf3a85d76a71d70a9ea4b5cd";
k3sRepoSha256 = "0hsdkrdqb9dbi60k8fczxg23n72mp191qmpd0kqa0x1s6hq2pjw2";
k3sVendorHash = "sha256-ou169BNhsrY66iLVPufvOp1lYdiqR5e7mzNGDLOlW2I=";
chartVersions = import ./chart-versions.nix;
imagesVersions = builtins.fromJSON (builtins.readFile ./images-versions.json);
k3sRootVersion = "0.15.0";
k3sRootSha256 = "008n8xx7x36y9y4r24hx39xagf1dxbp3pqq2j53s9zkaiqc62hd0";
k3sCNIVersion = "1.7.1-k3s1";
k3sCNISha256 = "0k1qfmsi5bqgwd5ap8ndimw09hsxn0cqf4m5ad5a4mgl6akw6dqz";
containerdVersion = "2.1.4-k3s1.32";
containerdSha256 = "05dcyv5kxic99ghi8wb1b544kmq0ccc06yiln2yfh49h11hngw50";
criCtlVersion = "1.31.0-k3s2";
}


@@ -0,0 +1,10 @@
{
traefik-crd = {
url = "https://k3s.io/k3s-charts/assets/traefik-crd/traefik-crd-34.2.1+up34.2.0.tgz";
sha256 = "0bnvkp1bxfsccgdnvpq3ni3p2h8jyvj0iclbqj0rsls8vv1jnp9z";
};
traefik = {
url = "https://k3s.io/k3s-charts/assets/traefik/traefik-34.2.1+up34.2.0.tgz";
sha256 = "16ljy2ncn2kc4kr3m93w2kfw4vjk8is3cp3i2lx4b7afbmi75zyw";
};
}


@@ -0,0 +1,26 @@
{
"airgap-images-amd64-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.33.5%2Bk3s1/k3s-airgap-images-amd64.tar.gz",
"sha256": "580c09a6f8c088de023ff8ce256371e807edb45d60db9e53505db263e8987110"
},
"airgap-images-amd64-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.33.5%2Bk3s1/k3s-airgap-images-amd64.tar.zst",
"sha256": "c1d71ab864b6b7de087d0827a1810c5fd271134e317af8730ec9211eaf34b097"
},
"airgap-images-arm-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.33.5%2Bk3s1/k3s-airgap-images-arm.tar.gz",
"sha256": "940581b495178e35865db8bc7791052bfc3f62bc01fc960e7de27807b50473bd"
},
"airgap-images-arm-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.33.5%2Bk3s1/k3s-airgap-images-arm.tar.zst",
"sha256": "7a31e2d1d3bb220fe9073bf58051046745dfb871ca51230e56ec5789cb97d875"
},
"airgap-images-arm64-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.33.5%2Bk3s1/k3s-airgap-images-arm64.tar.gz",
"sha256": "2ea460f5c783cec0479e6cf8d82e11ed6b6fee6c8e7622243fadd5f8b7476beb"
},
"airgap-images-arm64-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.33.5%2Bk3s1/k3s-airgap-images-arm64.tar.zst",
"sha256": "b0408ae107ce0ddbd47b62242d8e2e97532b1cfeeef1a38cad0cc54dfd289edc"
}
}


@@ -0,0 +1,15 @@
{
k3sVersion = "1.33.5+k3s1";
k3sCommit = "fab4a5c3de46748494cf7ad5dccc89b213965b08";
k3sRepoSha256 = "0c0phxnx09gainay4cgbcc2j1ddci73a9i0q92zf32whkbp06112";
k3sVendorHash = "sha256-v+tfVL9sDyiDRB3/IDDfyDekFAdjdUtTTChu6l5Qvg0=";
chartVersions = import ./chart-versions.nix;
imagesVersions = builtins.fromJSON (builtins.readFile ./images-versions.json);
k3sRootVersion = "0.15.0";
k3sRootSha256 = "008n8xx7x36y9y4r24hx39xagf1dxbp3pqq2j53s9zkaiqc62hd0";
k3sCNIVersion = "1.7.1-k3s1";
k3sCNISha256 = "0k1qfmsi5bqgwd5ap8ndimw09hsxn0cqf4m5ad5a4mgl6akw6dqz";
containerdVersion = "2.1.4-k3s1";
containerdSha256 = "0fg9py52hac5bdmrabvkcpc1aawxl5xc0ij9zx964qkkc7fa19ca";
criCtlVersion = "1.33.0-k3s2";
}


@@ -0,0 +1,21 @@
# K3s
K3s is a simplified [Kubernetes](https://wiki.nixos.org/wiki/Kubernetes) version that bundles Kubernetes cluster components into a few small binaries optimized for Edge and IoT devices.
## Usage
* [Module Usage](docs/USAGE.md).
## Configuration Examples
* [Nvidia GPU Passthru](docs/examples/NVIDIA.md)
* [Storage Examples](docs/examples/STORAGE.md)
## Cluster Maintenance and Troubleshooting
* [Cluster Upkeep](docs/CLUSTER_UPKEEP.md).
## K3s Package Upkeep
* [Package Versioning Rationale](docs/VERSIONING.md)
* [Package Maintenance Documentation](docs/PKG_UPKEEP.md)


@@ -0,0 +1,482 @@
lib:
{
# git tag
k3sVersion,
# commit hash
k3sCommit,
k3sRepoSha256 ? lib.fakeHash,
k3sVendorHash ? lib.fakeHash,
# taken from ./scripts/version.sh VERSION_ROOT https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/version.sh#L47
k3sRootVersion,
k3sRootSha256 ? lib.fakeHash,
# Based on the traefik charts here: https://github.com/k3s-io/k3s/blob/d71ab6317e22dd34673faa307a412a37a16767f6/scripts/download#L29-L32
# see also https://github.com/k3s-io/k3s/blob/d71ab6317e22dd34673faa307a412a37a16767f6/manifests/traefik.yaml#L8
chartVersions,
# Air gap container images that are released as assets with every k3s release
imagesVersions,
# taken from ./scripts/version.sh VERSION_CNIPLUGINS https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/version.sh#L45
k3sCNIVersion,
k3sCNISha256 ? lib.fakeHash,
# taken from ./scripts/version.sh VERSION_CONTAINERD
containerdVersion,
containerdSha256 ? lib.fakeHash,
# run `grep github.com/kubernetes-sigs/cri-tools go.mod | head -n1 | awk '{print $4}'` in the k3s repo at the tag
criCtlVersion,
updateScript ? null,
}@attrs:
# builder.nix contains a "builder" expression that, given k3s version and hash
# variables, creates a package for that version.
# Due to variance in k3s's build process, this builder only works for k3s 1.26+
# currently.
# It is likely we will have to split out additional builders for additional
# versions in the future, or customize this one further.
{
bash,
bridge-utils,
btrfs-progs,
buildGoModule,
conntrack-tools,
coreutils,
ethtool,
fetchFromGitHub,
fetchgit,
fetchurl,
fetchzip,
findutils,
gnugrep,
gnused,
go,
iproute2,
ipset,
iptables,
nftables,
kmod,
lib,
libseccomp,
makeBinaryWrapper,
nixosTests,
overrideBundleAttrs ? { }, # An attrSet/function to override the `k3sBundle` derivation.
overrideCniPluginsAttrs ? { }, # An attrSet/function to override the `k3sCNIPlugins` derivation.
overrideContainerdAttrs ? { }, # An attrSet/function to override the `k3sContainerd` derivation.
pkg-config,
pkgsBuildBuild,
procps,
rsync,
runCommand,
runc,
socat,
sqlite,
stdenv,
su,
systemdMinimal,
util-linuxMinimal,
yq-go,
zstd,
versionCheckHook,
}:
# k3s is a kinda weird derivation. One of the main points of k3s is the
# simplicity of it being one binary that can perform several tasks.
# However, when you have a good package manager (like nix), that doesn't
# actually make much of a difference; you don't really care if it's one binary
# or 10 since with a good package manager, installing and running it is
# identical.
# Since upstream k3s packages itself as one large binary with several
# "personalities" (in the form of subcommands like 'k3s agent' and 'k3s
# kubectl'), it ends up being easiest to mostly mimic upstream packaging, with
# some exceptions.
# K3s also carries patches to some packages (such as containerd and cni
# plugins), so we intentionally use the k3s versions of those binaries for k3s,
# even if the upstream version of those binaries exist in nixpkgs already. In
# the end, that means we have a thick k3s binary that behaves like the upstream
# one for the most part.
# However, k3s also bundles several pieces of unpatched software, from the
# strongswan vpn software, to iptables, to socat, conntrack, busybox, etc.
# Those pieces of software we entirely ignore upstream's handling of, and just
# make sure they're in the path if desired.
let
baseMeta = {
description = "Lightweight Kubernetes distribution";
license = lib.licenses.asl20;
homepage = "https://k3s.io";
teams = [ lib.teams.k3s ];
platforms = lib.platforms.linux;
# resolves collisions with other installations of kubectl, crictl, ctr
# prefer non-k3s versions
priority = 5;
};
# https://github.com/k3s-io/k3s/blob/5fb370e53e0014dc96183b8ecb2c25a61e891e76/scripts/build#L19-L40
versionldflags = [
"-X github.com/k3s-io/k3s/pkg/version.Version=v${k3sVersion}"
"-X github.com/k3s-io/k3s/pkg/version.GitCommit=${lib.substring 0 8 k3sCommit}"
"-X github.com/k3s-io/k3s/pkg/version.UpstreamGolang=go${go.version}"
"-X k8s.io/client-go/pkg/version.gitVersion=v${k3sVersion}"
"-X k8s.io/client-go/pkg/version.gitCommit=${k3sCommit}"
"-X k8s.io/client-go/pkg/version.gitTreeState=clean"
"-X k8s.io/client-go/pkg/version.buildDate=1970-01-01T01:01:01Z"
"-X k8s.io/component-base/version.gitVersion=v${k3sVersion}"
"-X k8s.io/component-base/version.gitCommit=${k3sCommit}"
"-X k8s.io/component-base/version.gitTreeState=clean"
"-X k8s.io/component-base/version.buildDate=1970-01-01T01:01:01Z"
"-X github.com/kubernetes-sigs/cri-tools/pkg/version.Version=v${criCtlVersion}"
"-X github.com/containerd/containerd/version.Version=v${containerdVersion}"
"-X github.com/containerd/containerd/version.Package=github.com/k3s-io/containerd"
];
# bundled into the k3s binary
traefik = {
chart = fetchurl chartVersions.traefik;
name = baseNameOf chartVersions.traefik.url;
};
traefik-crd = {
chart = fetchurl chartVersions.traefik-crd;
name = baseNameOf chartVersions.traefik-crd.url;
};
# a shortcut that provides the images archive for the host platform. Currently only supports
# aarch64 (arm64) and x86_64 (amd64), throws on other architectures.
airgap-images =
{
x86_64-linux = fetchurl imagesVersions.airgap-images-amd64-tar-zst;
aarch64-linux = fetchurl imagesVersions.airgap-images-arm64-tar-zst;
}
.${stdenv.hostPlatform.system}
or (throw "k3s: no airgap images available for system ${stdenv.hostPlatform.system}, consider using an image archive with an explicit architecture.");
# so, k3s is a complicated thing to package
# This derivation attempts to avoid including any random binaries from the
# internet. k3s-root is _mostly_ binaries built to be bundled in k3s (which
# we don't care about doing, we can add those as build or runtime
# dependencies using a real package manager).
# In addition to those binaries, it's also configuration though (right now
# mostly strongswan configuration), and k3s does use those files.
# As such, we download it in order to grab 'etc' and bundle it into the final
# k3s binary.
k3sRoot = fetchzip {
# Note: marked as apache 2.0 license
url = "https://github.com/k3s-io/k3s-root/releases/download/v${k3sRootVersion}/k3s-root-amd64.tar";
sha256 = k3sRootSha256;
stripRoot = false;
};
k3sCNIPlugins =
(buildGoModule rec {
pname = "k3s-cni-plugins";
version = k3sCNIVersion;
vendorHash = null;
subPackages = [ "." ];
src = fetchFromGitHub {
owner = "rancher";
repo = "plugins";
rev = "v${version}";
sha256 = k3sCNISha256;
};
postInstall = ''
mv $out/bin/plugins $out/bin/cni
'';
meta = baseMeta // {
description = "CNI plugins, as patched by rancher for k3s";
};
}).overrideAttrs
overrideCniPluginsAttrs;
# Grab this separately from a build because it's used by both stages of the
# k3s build.
k3sRepo = fetchgit {
url = "https://github.com/k3s-io/k3s";
rev = "v${k3sVersion}";
sha256 = k3sRepoSha256;
};
# Modify the k3s installer script so that we can let it install only
# killall.sh
k3sKillallSh = runCommand "k3s-killall.sh" { } ''
# Copy the upstream k3s install script except for the last lines that
# actually run the install process
sed --quiet '/# --- run the install process --/q;p' ${k3sRepo}/install.sh > install.sh
# Let killall expect "containerd-shim" in the Nix store
substituteInPlace install.sh \
--replace-fail '/data/[^/]*/bin/containerd-shim' \
'/nix/store/.*k3s-containerd.*/bin/containerd-shim'
remove_matching_line() {
line_to_delete=$(grep -n "$1" install.sh | cut -d : -f 1 || true)
if [ -z $line_to_delete ]; then
echo "failed to find expression \"$1\" in k3s installer script (install.sh)"
exit 1
fi
sed -i "''${line_to_delete}d" install.sh
}
# Don't change mode and owner of killall
remove_matching_line "chmod.*KILLALL_K3S_SH"
remove_matching_line "chown.*KILLALL_K3S_SH"
# Execute only the "create_killall" function of the installer script
sed -i '$acreate_killall' install.sh
KILLALL_K3S_SH=$out bash install.sh
'';
# Stage 1 of the k3s build:
# Let's talk about how k3s is structured.
# One of the ideas of k3s is that there's the single "k3s" binary which can
# do everything you need, from running a k3s server, to being a worker node,
# to running kubectl.
# The way that actually works is that k3s is a single go binary that contains
# a bunch of bindata that it unpacks at runtime into directories (either the
# user's home directory or /var/lib/rancher if run as root).
# This bindata includes both binaries and configuration.
# In order to let nixpkgs do all its autostripping/patching/etc, we split this into two derivations.
# First, we build all the binaries that get packed into the thick k3s binary
# (and output them from one derivation so they'll all be suitably patched up).
# Then, we bundle those binaries into our thick k3s binary and use that as
# the final single output.
# This approach was chosen because it ensures the bundled binaries all are
# correctly built to run with nix (we can lean on the existing buildGoModule
# stuff), and we can again lean on that tooling for the final k3s binary too.
# Other alternatives would be to manually run the
# strip/patchelf/remove-references step ourselves in the installPhase of the
# derivation when we've built all the binaries, but haven't bundled them in
# with generated bindata yet.
k3sBundle =
(buildGoModule {
pname = "k3s-bin";
version = k3sVersion;
src = k3sRepo;
vendorHash = k3sVendorHash;
nativeBuildInputs = [ pkg-config ];
buildInputs = [
libseccomp
sqlite.dev
];
subPackages = [ "cmd/server" ];
ldflags = versionldflags;
tags = [
"ctrd"
"libsqlite3"
"linux"
];
# Set flags for sqlite dbstat
CGO_CFLAGS = "-DSQLITE_ENABLE_DBSTAT_VTAB=1 -DSQLITE_USE_ALLOCA=1";
# Copy manifests and static charts pre build so they get embedded during build
preBuild = ''
cp -av manifests/* ./pkg/deploy/embed/
mkdir -p ./pkg/static/embed/charts/
cp -v ${traefik.chart} ./pkg/static/embed/charts/${traefik.name}
cp -v ${traefik-crd.chart} ./pkg/static/embed/charts/${traefik-crd.name}
'';
# create the multicall symlinks for k3s
postInstall = ''
mv $out/bin/server $out/bin/k3s
pushd $out
# taken verbatim from https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/build#L105-L113
ln -s k3s ./bin/containerd
ln -s k3s ./bin/crictl
ln -s k3s ./bin/ctr
ln -s k3s ./bin/k3s-agent
ln -s k3s ./bin/k3s-certificate
ln -s k3s ./bin/k3s-completion
ln -s k3s ./bin/k3s-etcd-snapshot
ln -s k3s ./bin/k3s-secrets-encrypt
ln -s k3s ./bin/k3s-server
ln -s k3s ./bin/k3s-token
ln -s k3s ./bin/kubectl
popd
'';
meta = baseMeta // {
description = "Various binaries that get packaged into the final k3s binary";
};
}).overrideAttrs
overrideBundleAttrs;
# Only used for the shim since
# https://github.com/k3s-io/k3s/blob/v1.27.2%2Bk3s1/scripts/build#L153
k3sContainerd =
(buildGoModule {
pname = "k3s-containerd";
version = containerdVersion;
src = fetchFromGitHub {
owner = "k3s-io";
repo = "containerd";
rev = "v${containerdVersion}";
sha256 = containerdSha256;
};
vendorHash = null;
buildInputs = [ btrfs-progs ];
subPackages = [ "cmd/containerd-shim-runc-v2" ];
ldflags = versionldflags;
}).overrideAttrs
overrideContainerdAttrs;
in
buildGoModule (finalAttrs: {
pname = "k3s";
version = k3sVersion;
pos = builtins.unsafeGetAttrPos "k3sVersion" attrs;
tags = [
"libsqlite3"
"linux"
"ctrd"
];
src = k3sRepo;
vendorHash = k3sVendorHash;
postPatch = ''
# Nix prefers dynamically linked binaries over static binary.
substituteInPlace scripts/package-cli \
--replace-fail '"$LDFLAGS $STATIC" -o' \
'"$LDFLAGS" -o'
# Upstream codegen fails with trimpath set. Removes "trimpath" for 'go generate':
substituteInPlace scripts/package-cli \
--replace-fail '"''${GO}" generate' \
'GOFLAGS="" \
GOOS="${pkgsBuildBuild.go.GOOS}" \
GOARCH="${pkgsBuildBuild.go.GOARCH}" \
CC="${pkgsBuildBuild.stdenv.cc}/bin/cc" \
"''${GO}" generate'
'';
# Important utilities used by the kubelet, see
# https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494
# Note the list in that issue is stale and some aren't relevant for k3s.
k3sRuntimeDeps = [
kmod
socat
iptables
nftables
iproute2
ipset
bridge-utils
ethtool
util-linuxMinimal # kubelet wants 'nsenter' and 'mount' from util-linux: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-705994388
conntrack-tools
runc
bash
su
];
k3sKillallDeps = [
bash
systemdMinimal
procps
coreutils
gnugrep
findutils
gnused
];
buildInputs = finalAttrs.k3sRuntimeDeps;
nativeBuildInputs = [
makeBinaryWrapper
rsync
yq-go
zstd
];
# embedded in the final k3s cli
propagatedBuildInputs = [
k3sCNIPlugins
k3sContainerd
k3sBundle
];
# We override most of buildPhase due to peculiarities in k3s's build.
# Specifically, it has a 'go generate' which runs part of the package. See
# this comment:
# https://github.com/NixOS/nixpkgs/pull/158089#discussion_r799965694
# So, why do we use buildGoModule at all? For the `vendorHash` / `go mod download` stuff primarily.
buildPhase = ''
runHook preBuild
patchShebangs ./scripts/package-cli ./scripts/download ./scripts/build-upload
# copy needed 'go generate' inputs into place
mkdir -p ./bin/aux
rsync -a --no-perms ${k3sBundle}/bin/ ./bin/
ln -vsf ${k3sCNIPlugins}/bin/cni ./bin/cni
ln -vsf ${k3sContainerd}/bin/containerd-shim-runc-v2 ./bin
rsync -a --no-perms --chmod u=rwX ${k3sRoot}/etc/ ./etc/
export ARCH=$GOARCH
export DRONE_TAG="v${k3sVersion}"
export DRONE_COMMIT="${k3sCommit}"
# use ./scripts/package-cli to run 'go generate' + 'go build'
./scripts/package-cli
mkdir -p $out/bin
runHook postBuild
'';
# Otherwise it depends on 'getGoDirs', which is normally set in buildPhase
doCheck = false;
installPhase = ''
runHook preInstall
# wildcard to match the arm64 build too
install -m 0755 dist/artifacts/k3s* -D $out/bin/k3s
wrapProgram $out/bin/k3s \
--prefix PATH : ${lib.makeBinPath finalAttrs.k3sRuntimeDeps} \
--prefix PATH : "$out/bin"
ln -s $out/bin/k3s $out/bin/kubectl
ln -s $out/bin/k3s $out/bin/crictl
ln -s $out/bin/k3s $out/bin/ctr
install -m 0755 ${k3sKillallSh} -D $out/bin/k3s-killall.sh
wrapProgram $out/bin/k3s-killall.sh \
--prefix PATH : ${lib.makeBinPath (finalAttrs.k3sRuntimeDeps ++ finalAttrs.k3sKillallDeps)}
runHook postInstall
'';
doInstallCheck = true;
nativeInstallCheckInputs = [ versionCheckHook ];
versionCheckProgramArg = "--version";
passthru = {
inherit
airgap-images
k3sCNIPlugins
k3sContainerd
k3sRepo
k3sRoot
k3sBundle
updateScript
;
tests =
let
mkTests =
version:
let
k3s_version = "k3s_" + lib.replaceStrings [ "." ] [ "_" ] (lib.versions.majorMinor version);
in
lib.mapAttrs (name: value: nixosTests.k3s.${name}.${k3s_version}) nixosTests.k3s;
in
mkTests k3sVersion;
imagesList = throw "k3s.imagesList was removed";
airgapImages = throw "k3s.airgapImages was renamed to k3s.airgap-images";
airgapImagesAmd64 = throw "k3s.airgapImagesAmd64 was renamed to k3s.airgap-images-amd64-tar-zst";
airgapImagesArm64 = throw "k3s.airgapImagesArm64 was renamed to k3s.airgap-images-arm64-tar-zst";
airgapImagesArm = throw "k3s.airgapImagesArm was renamed to k3s.airgap-images-arm-tar-zst";
}
// (lib.mapAttrs (_: value: fetchurl value) imagesVersions);
meta = baseMeta;
})


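--- a/pkgs/applications/networking/cluster/k3s/default.nix
+++ b/pkgs/applications/networking/cluster/k3s/default.nix
@@ -0,0 +1,44 @@
+{ lib, callPackage, ... }@args:
+let
+k3s_builder = import ./builder.nix lib;
+common = opts: callPackage (k3s_builder opts);
+# extraArgs is the extra arguments passed in by the caller to propagate downward.
+# This is to allow all-packages.nix to do:
+#
+# let k3s_1_23 = (callPackage ./path/to/k3s {
+# commonK3sArg = ....
+# }).k3s_1_23;
+extraArgs = removeAttrs args [ "callPackage" ];
+in
+{
+k3s_1_31 = common (
+(import ./1_31/versions.nix)
+// {
+updateScript = [
+./update-script.sh
+"31"
+];
+}
+) extraArgs;
+k3s_1_32 = common (
+(import ./1_32/versions.nix)
+// {
+updateScript = [
+./update-script.sh
+"32"
+];
+}
+) extraArgs;
+k3s_1_33 = common (
+(import ./1_33/versions.nix)
+// {
+updateScript = [
+./update-script.sh
+"33"
+];
+}
+) extraArgs;
+}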
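Review bot: The three `k3s_1_3x` attributes are one expression repeated with the minor version spelled twice each time (in the `./1_3x/versions.nix` path and in the `"3x"` argument handed to `./update-script.sh`), so adding or dropping a version means editing two literals that must stay in agreement. A helper that takes the minor version once would keep the path and the update-script argument in sync; a sketch follows. The comment above `extraArgs` still uses `k3s_1_23` as its example even though this file no longer defines it, so `k3s_1_31` would read better there. This is a style point only; no behaviour change is intended.
```nix
  # … unchanged: k3s_builder, common, extraArgs …
  # mkK3s builds one versioned package from its minor version string: it selects
  # ./1_<minor>/versions.nix and passes <minor> to the update script.
  mkK3s =
    minor:
    common ((import (./. + "/1_${minor}/versions.nix")) // {
      updateScript = [ ./update-script.sh minor ];
    }) extraArgs;
in
{
  k3s_1_31 = mkK3s "31";
  k3s_1_32 = mkK3s "32";
  k3s_1_33 = mkK3s "33";
}
```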


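--- a/pkgs/applications/networking/cluster/k3s/<docs-dir>/<FILE: K3s Upkeep for Users>.md
+++ b/pkgs/applications/networking/cluster/k3s/<docs-dir>/<FILE: K3s Upkeep for Users>.md
@@ -0,0 +1,86 @@
+# K3s Upkeep for Users
+General documentation for the K3s user for cluster tasks and troubleshooting steps.
+## Upkeep
+### Changing K3s Token
+Changing the K3s token requires resetting cluster. To reset the cluster, you must do the following:
+#### Stopping K3s
+Disabling K3s NixOS module won't stop K3s related dependencies, such as containerd or networking. For stopping everything, either run "k3s-killall.sh" script (available on $PATH under `/run/current-system/sw/bin/k3s-killall.sh`) or reboot host.
+### Syncing K3s in multiple hosts
+Nix automatically syncs hosts to `configuration.nix`, for syncing configuration.nix's git repository and triggering `nixos-rebuild switch` in multiple hosts, it is commonly used `ansible`, which enables automation of cluster provisioning, upgrade and reset.
+### Cluster Reset
+As upstream "k3s-uninstall.sh" is yet to be packaged for NixOS, it's necessary to run manual steps for resetting cluster.
+Disable K3s instances in **all** hosts:
+In NixOS configuration, set:
+```
+services.k3s.enable = false;
+```
+Rebuild NixOS. This is going to remove K3s service files. But it won't delete K3s data.
+To delete K3s files:
+Dismount kubelet:
+```
+KUBELET_PATH=$(mount | grep kubelet | cut -d' ' -f3);
+${KUBELET_PATH:+umount $KUBELET_PATH}
+```
+Delete k3s data:
+```
+rm -rf /etc/rancher/{k3s,node};
+rm -rf /var/lib/{rancher/k3s,kubelet,longhorn,etcd,cni}
+```
+When using Etcd, Reset Etcd:
+Certify **all** K3s instances are stopped, because a single instance can re-seed etcd database with previous cryptographic key.
+Disable etcd database in NixOS configuration:
+```
+services.etcd.enable = false;
+```
+Rebuild NixOS.
+Delete etcd files:
+```
+rm -rf /var/lib/etcd/
+```
+Reboot hosts.
+In NixOS configuration:
+```
+Re-enable Etcd first. Rebuild NixOS. Certify service health. (systemctl status etcd)
+Re-enable K3s second. Rebuild NixOS. Certify service health. (systemctl status k3s)
+```
+Etcd & K3s cluster will be provisioned new.
+Tip: Use Ansible to automate reset routine, like this.
+## Troubleshooting
+### Raspberry Pi not working
+If the k3s.service/k3s server does not start and gives you the error FATA[0000] failed to find memory cgroup (v2) Here's the github issue: https://github.com/k3s-io/k3s/issues/2067 .
+To fix the problem, you can add these things to your configuration.nix.
+```
+boot.kernelParams = [
+"cgroup_enable=cpuset" "cgroup_memory=1" "cgroup_enable=memory"
+];
+```
+### FailedKillPod: failed to get network "cbr0" cached result
+> KillPodSandboxError: failed to get network "cbr0" cached result: decoding version from network config: unexpected end of JSON input
+Workaround: https://github.com/k3s-io/k3s/issues/6185#issuecomment-1581245331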


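--- a/pkgs/applications/networking/cluster/k3s/<docs-dir>/<FILE: Onboarding Maintainer>.md
+++ b/pkgs/applications/networking/cluster/k3s/<docs-dir>/<FILE: Onboarding Maintainer>.md
@@ -0,0 +1,45 @@
+# Onboarding Maintainer
+Anyone willing can become a maintainer, no pre-requisite knowledge is required. Willingness to learn is enough.
+A K3s maintainer, maintains K3s's:
+- [documentation](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/networking/cluster/k3s/README.md)
+- [issues](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+k3s)
+- [pull requests](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%226.topic%3A+k3s%22)
+- [NixOS tests](https://github.com/NixOS/nixpkgs/tree/master/nixos/tests/k3s)
+- [NixOS service module](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/cluster/k3s/default.nix)
+- [update script](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/networking/cluster/k3s/update-script.sh) (the process of updating)
+- updates (the act of updating) and [r-ryantm bot logs](https://r.ryantm.com/log/k3s/)
+- deprecations
+- CVEs
+- NixOS releases
+- dependencies (runc, containerd, ipset)
+Anything that is due, basically.
+As a maintainer, feel free to improve anything and everything at your discretion. Meaning, at your pace and according to your capabilities and interests.
+Only consensus is required to move forward any proposal. Consensus meaning the approval of others.
+If you cause a regression (we've all been there), you are responsible for fixing it, but in case you can't fix it (it happens), feel free to ask for help. That's fine, just let us know.
+To merge code, you need to be a committer, or use the merge-bot, but currently the merge-bot only works for packages located at `pkgs/by-name/`, which means, K3s still need to be migrated there before you can use merge-bot for merging. As a non-committer, once you have approved a PR you need to forward the request to a committer. For deciding which committer, give preference initially to K3s committers, but any committer can commit. A committer usually has a green approval in PRs.
+K3s's committers currently are: marcusramberg, Mic92.
+@euank is often silent but still active and has always handled anything dreadful, internal parts of K3s/Kubernetes or architecture things, he initially packaged K3s for nixpkgs, think of him as a last resort, when we fail to accomplish a fix, he comes to rescue us from ourselves.
+@mic92 stepped up when @superherointj stepped down a time ago, as Mic92 has a broad responsibility in nixpkgs (he is responsible for far too many things already, nixpkgs-reviews, sops-nix, release manager, bot-whatever), we avoid giving him chore work for `nixos-unstable`, only pick him as committer last. As Mic92 runs K3s in a `nixos-stable` setting, he might help in testing stable backports.
+On how to handle requests, it's the usual basics, such as, when reviewing PRs, issues, be welcoming, helpful, provide hints whenever possible, try to move things forward, assume good will, ignore [as don't react to] any negativity [since it spirals badly], delay and sort any (severe) disagreement in private. Even on disagrements, be thankful to people for their dedicated time, no matter what happens. In essence, on any unfortunate event, **always put people over code**.
+Dumbshit happens, we make mistakes, the CI, reviews, fellow maintainers are there to nudge us on a better direction, no need to over think interactions, if a problem happens, we'll handle it.
+We should optimize for maintainers satisfaction, because it is maintainers that make the service great. The best kind of win we have is when someone new steps up for being a maintainer. This multiplies our capabilities of doing meaningful work and increases our knowledge pool.
+Know that your participation matters most for us. And we thank you for stepping up. It's good to have you here!
+We welcome you and wish you the best in this new journey!
+K3s Maintainers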


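--- a/pkgs/applications/networking/cluster/k3s/<docs-dir>/<FILE: K3s Upkeep for Maintainers>.md
+++ b/pkgs/applications/networking/cluster/k3s/<docs-dir>/<FILE: K3s Upkeep for Maintainers>.md
@@ -0,0 +1,60 @@
+# K3s Upkeep for Maintainers
+General documentation for the K3s maintainer and reviewer use for consistency in maintenance processes.
+## NixOS Release Maintenance
+This process split into two sections and adheres to the versioning policy outlined in [VERSIONING.md](VERSIONING.md).
+### Pre-Release
+* Prior to the breaking change window of the next release being closed:
+* `nixos-unstable`: Ensure k3s points to latest versioned release
+* `nixos-unstable`: Ensure release notes are up to date
+* `nixos-unstable`: Remove k3s releases which will be end of life upstream prior to end-of-life for the next NixOS stable release are removed with proper deprecation notice (process listed below)
+### Post-Release
+* For major/minor releases of k3s:
+* `nixos-unstable`: Create a new versioned k3s package
+* `nixos-unstable`: Update k3s alias to point to new versioned k3s package
+* `nixos-unstable`: Add NixOS Release note denoting:
+* Removal of deprecated K3s packages
+* Migration information from the Kubernetes and K3s projects
+* `nixos-stable`: Backport the versioned package
+* For patch releases of existing packages:
+* `nixos-unstable`: Update package version (process listed below)
+* `nixos-stable`: Backport package update done to nixos-unstable
+## Patch Upgrade Process
+Patch upgrades can use the [update script](../update-script.sh) in the root of the package. To update k3s 1.30.x, for example, you can run the following from the root of the nixpkgs git repo:
+> ./pkgs/applications/networking/cluster/k3s/update-script.sh "30"
+To update another version, just replace the `"30"` with the appropriate minor revision.
+If the script should fail, the first goal would be to fix the script. If you are unable to fix the script, open an issue reporting the update script failure with the exact command used and the failure observed.
+RyanTM bot can automatically do patch upgrades. Update logs are available at versioned urls, e.g. for 1.30.x: https://r.ryantm.com/log/k3s_1_30
+## Package Removal Process
+Package removal policy and timelines follow our reasoning in the [versioning documentation](VERSIONING.md#patch-release-support-lifecycle). In order to remove a versioned k3s package, create a PR achieving the following:
+* Remove the versioned folder containing the chart and package version files (e.g. `./1_30/`)
+* Remove the package block from [default.nix](../default.nix) (e.g. `k3s_1_30 = ...`)
+* Remove the package reference from [pkgs/top-level/all-packages.nix](/pkgs/top-level/all-packages.nix)
+* Add a deprecation notice in [pkgs/top-level/aliases.nix](/pkgs/top-level/aliases.nix), such as `k3s_1_26 = throw "'k3s_1_26' has been removed from nixpkgs as it has reached end of life"; # Added 2024-05-20`.
+## Change Request Review Process
+Quick checklist for reviewers of the k3s package:
+* Is the version of the Go compiler pinned according to the go.mod file for the release?
+* Update script will not pin nor change the go version.
+* Do the K3s passthru.tests work for all architectures supported? (linux-x86_64, aarch64-linux)
+* For GitHub CI, [OfBorg](https://github.com/NixOS/ofborg) can be used to test all platforms.
+* For Local testing, the following can be run in nixpkgs root on the upgrade branch: `nix build .#k3s_1_29.passthru.tests.{etcd,single-node,multi-node}` (Replace "29" to the version tested)
+* Anything unusual in the nix build logs or test logs?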


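--- a/pkgs/applications/networking/cluster/k3s/<docs-dir>/<FILE: K3s Usage>.md
+++ b/pkgs/applications/networking/cluster/k3s/<docs-dir>/<FILE: K3s Usage>.md
@@ -0,0 +1,100 @@
+# K3s Usage
+## Single Node
+```
+{
+networking.firewall.allowedTCPPorts = [
+6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
+# 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
+# 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
+];
+networking.firewall.allowedUDPPorts = [
+# 8472 # k3s, flannel: required if using multi-node for inter-node networking
+];
+services.k3s.enable = true;
+services.k3s.role = "server";
+services.k3s.extraFlags = toString [
+# "--debug" # Optionally add additional args to k3s
+];
+}
+```
+Once the above changes are active, you can access your cluster through `sudo k3s kubectl` (e.g. `sudo k3s kubectl cluster-info`) or by using the generated kubeconfig file in `/etc/rancher/k3s/k3s.yaml`.
+Multi-node setup
+## Multi-Node
+it is simple to create a cluster of multiple nodes in a highly available setup (all nodes are in the control-plane and are a part of the etcd cluster).
+The first node is configured like this:
+```
+{
+services.k3s = {
+enable = true;
+role = "server";
+token = "<randomized common secret>";
+clusterInit = true;
+};
+}
+```
+Any other subsequent nodes can be added with a slightly different config:
+```
+{
+services.k3s = {
+enable = true;
+role = "server"; # Or "agent" for worker only nodes
+token = "<randomized common secret>";
+serverAddr = "https://<ip of first node>:6443";
+};
+}
+```
+For this to work you need to open the aforementioned API, etcd, and flannel ports in the firewall. Official documentation on what ports need to be opened for specific use cases can be found on [k3s' documentation site](https://docs.k3s.io/installation/requirements#inbound-rules-for-k3s-nodes). Note that it is [recommended](https://etcd.io/docs/v3.3/faq/#why-an-odd-number-of-cluster-members) to use an odd number of nodes in such a cluster.
+Tip: If you run into connectivity issues between nodes for specific applications (e.g. ingress controller), please verify the firewall settings you have enabled (example under [Single Node](#single-node)) against the documentation for that specific application. In the ingress controller example, you may want to open 443 or 80 depending on your use case.
+## Quirks
+### `prefer-bundled-bin`
+K3s has a config setting `prefer-bundled-bin` (and CLI flag `--prefer-bundled-bin`) that makes k3s use binaries from the `/var/lib/rancher/k3s/data/current/bin/aux/` directory, as unpacked by the k3s binary, before the system `$PATH`.
+This works with the official distribution of k3s but not with the package from nixpkgs, as it does not bundle the upstream binaries from [`k3s-root`](https://github.com/k3s-io/k3s-root) into the k3s binary.
+Thus the `prefer-bundled-bin` setting **cannot** be used to work around issues (like [this `mount` regression](https://github.com/util-linux/util-linux/issues/3474)) with binaries used/called by the kubelet.
+### Building from a different source
+Because the package is split into multiple derivations and the build process is generally more complex, it is not very obvious how to build k3s from a different source (fork or arbitrary commit).
+To build k3s from a different source, you must use `.override` together with `overrideBundleAttrs` (for the k3sBundle derivation) and another `.overrideAttrs` (for the final derivation):
+```nix
+{ fetchgit, k3s }:
+let
+k3sRepo = fetchgit {
+url = "https://github.com/k3s-io/k3s";
+rev = "99d91538b1327da933356c318dc8040335fbb66c";
+hash = "sha256-vVqZzVp0Tea27s8HDVq4SgqlbHBdZcFzNKmPFi0Yktk=";
+};
+vendorHash = "sha256-jrPVY+FVZV9wlbik/I35W8ChcLrHlYbLAwUYU16mJLM=";
+in
+(k3s.override {
+overrideBundleAttrs = {
+src = k3sRepo;
+inherit vendorHash;
+};
+}).overrideAttrs
+{
+src = k3sRepo;
+inherit vendorHash;
+}
+```
+- Additionally to `overrideBundleAttrs` there are also: `overrideCniPluginsAttrs` and `overrideContainerdAttrs`.
+- `k3s --version` still prints the commit SHA (`k3sCommit` passed into `builder.nix`) from the "base" package instead of the actually used `rev`.
+- Depending on the changes made in the fork / commit, the `k3s.override` (without the `overrideAttrs` of the final derivation) might already be enough.
+- If the commit is for a different version of k3s, make sure to use the correct "base" package, e.g., `k3s_1_31.override`. Otherwise the build fails with `Tagged version 'v1.33.1+k3s1' does not match expected version 'v1.31.9[+-]*'`
+- When adding an entirely new k3s version by calling `builder.nix`, keep in mind that the `k3sCommit` parameter is not used as the `k3sRepo` `rev` (it uses `v${k3sVersion}`). Therefore, you additionally must override the package, as shown above.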


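--- a/pkgs/applications/networking/cluster/k3s/<docs-dir>/VERSIONING.md
+++ b/pkgs/applications/networking/cluster/k3s/<docs-dir>/VERSIONING.md
@@ -0,0 +1,46 @@
+# Versioning
+K3s, Kubernetes, and other clustered software has the property of not being able to update atomically. Most software in nixpkgs, like for example bash, can be updated as part of a "nixos-rebuild switch" without having to worry about the old and the new bash interacting in some way.
+K3s/Kubernetes, on the other hand, is typically run across several NixOS machines, and each NixOS machine is updated independently. As such, different versions of the package and NixOS module must maintain compatibility with each other through temporary version skew during updates.
+The upstream Kubernetes project [documents this in their version-skew policy](https://kubernetes.io/releases/version-skew-policy/#supported-component-upgrade-order).
+Within nixpkgs, we strive to maintain a valid "upgrade path" that does not run
+afoul of the upstream version skew policy.
+## Patch Release Support Lifecycle
+K3s is built on top of K8s and typically provides a similar release cadence and support window (simply by cherry-picking over k8s patches). As such, we assume k3s's support lifecycle is identical to upstream K8s. The upstream K8s release and support lifecycle, including maintenance and end-of-life dates for current releases, is documented [on their support site](https://kubernetes.io/releases/patch-releases/#support-period). A more tabular view of the current support timeline can also be found on [endoflife.date](https://endoflife.date/kubernetes).
+In short, a new Kubernetes version is released roughly every 4 months and each release is supported for a little over 1 year.
+## Versioning in nixpkgs
+There are two package types that are maintained within nixpkgs when we are looking at the `nixos-unstable` branch. A standard `k3s` package and versioned releases such as `k3s_1_28`, `k3s_1_29`, and `k3s_1_30`.
+The standard `k3s` package will be updated as new versions of k3s are released upstream. Versioned releases, on the other hand, will follow the path release support lifecycle as detailed in the previous section and be removed from `nixos-unstable` when they are either end-of-life upstream or older than the current `k3s` package in `nixos-stable`.
+## Versioning in NixOS Releases
+Those same package types are also maintained on the release branches of NixOS, but have some special considerations within a release.
+NixOS releases (24.05, 24.11, etc) should avoid having deprecated software or major version upgrades during the support lifecycle of that release wherever possible. As such, each NixOS release should only ever have one version of `k3s` when it is released. An example for the NixOS 24.05 release would be that `k3s` package points to `k3s_1_30` for the full lifecycle of its release with no other versions present at release.
+However, this conflicts with our desire for users to be able to upgrade between stable NixOS releases without needing to make a large enough k3s version jump as to violate the skew policy listed previously. Given NixOS 24.05 has 1.30.x as its k3s version and the NixOS 24.11 release would have 1.32.x as its k3s version, we need to provide a way for users to upgrade k3s to 1.32.x before upgrading to the next NixOS stable release.
+To be able to achieve the goal above, the k3s maintainers would backport `k3s_1_31` and `k3s_1_32` from `nixos-unstable` to NixOS 24.05 as they release. This means that when NixOS 24.11 is released with only the `k3s` package pointing to `k3s_1_32`, users will have an upgrade path on 24.05 to first upgrade locally to `k3s_1_31` and then to `k3s_1_32` (e.g. pointing `services.k3s.package` from `k3s` to `k3s_1_31`, upgrading the cluster, and repeating the process through versions).
+Using the above as the example, a three NixOS release example would look like:
+* NixOS 23.11
+* k3s/k3s_1_27 (Release Version, patches backported)
+* k3s_1_28 (Backported)
+* k3s_1_29 (Backported)
+* k3s_1_30 (Backported)
+* NixOS 24.05
+* k3s/k3s_1_30 (Release Version, patches backported)
+* k3s_1_31 (Backported)
+* k3s_1_32 (Backported)
+* NixOS 24.11
+* k3s/k3s_1_32 (Release Version, patches backported)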


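--- a/pkgs/applications/networking/cluster/k3s/<docs-dir>/<FILE: Using an external Containerd>.md
+++ b/pkgs/applications/networking/cluster/k3s/<docs-dir>/<FILE: Using an external Containerd>.md
@@ -0,0 +1,40 @@
+# Using an external Containerd
+K3s ships with its own containerd binary, however, sometimes it's necessary to use an external
+containerd. This can be done in a few lines of configuration.
+## Configure Containerd
+```nix
+{
+virtualisation.containerd = {
+enable = true;
+settings.plugins."io.containerd.grpc.v1.cri".cni = {
+bin_dir = "/var/lib/rancher/k3s/data/current/bin";
+conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d";
+};
+# Optionally, configure containerd to use the k3s pause image
+settings.plugins."io.containerd.grpc.v1.cri" = {
+sandbox_image = "docker.io/rancher/mirrored-pause:3.6";
+};
+};
+}
+```
+## Configure k3s
+```nix
+{
+services.k3s = {
+enable = true;
+extraFlags = [ "--container-runtime-endpoint unix:///run/containerd/containerd.sock" ];
+};
+}
+```
+## Importing Container Images
+K3s provides the `services.k3s.images` option to import container images at startup. This option
+does **not** work with an external containerd, but you can import the images via
+`ctr -n=k8s.io image import /var/lib/rancher/k3s/agent/images/*`. Note that you need to set the
+`k8s.io` namespace to make the images available to the cluster.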


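--- a/pkgs/applications/networking/cluster/k3s/<docs-dir>/<FILE: Nvidia GPU Support>.md
+++ b/pkgs/applications/networking/cluster/k3s/<docs-dir>/<FILE: Nvidia GPU Support>.md
@@ -0,0 +1,256 @@
+# Nvidia GPU Support
+> Note: this article assumes `services.k3s.enable = true;` is already set
+## Enable the Nvidia driver
+```
+hardware.nvidia = {
+open = true;
+package = config.boot.kernelPackages.nvidiaPackages.stable; # change to match your kernel
+nvidiaSettings = true;
+};
+# Hack for getting the nvidia driver recognized
+services.xserver = {
+enable = false;
+videoDrivers = [ "nvidia" ];
+};
+nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+"nvidia-x11"
+"nvidia-settings"
+];
+```
+Also, enable the Nvidia container toolkit:
+```
+hardware.nvidia-container-toolkit.enable = true;
+hardware.nvidia-container-toolkit.mount-nvidia-executables = true;
+environment.systemPackages = with pkgs; [
+nvidia-container-toolkit
+];
+```
+Rebuild your NixOS configuration.
+### Verify that the GPU is accessible
+Use the following command to ensure the GPU is accessible:
+```
+nvidia-smi
+```
+If there is an error in the output, a reboot may be required for the driver to be assigned to the GPU.
+Additionally, `lspci -k` can be used to ensure the driver has been assigned to the GPU:
+```
+# lspci -k | grep -i nvidia
+01:00.0 VGA compatible controller: NVIDIA Corporation TU106 [GeForce RTX 2060 Rev. A] (rev a1)
+Kernel driver in use: nvidia
+Kernel modules: nvidiafb, nouveau, nvidia_drm, nvidia
+```
+## Configure k3s
+You now need to create a new file in `/var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl` with the following
+```
+{{ template "base" . }}
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia]
+privileged_without_host_devices = false
+runtime_engine = ""
+runtime_root = ""
+runtime_type = "io.containerd.runc.v2"
+```
+Now apply the following runtime class to k3s cluster:
+```yaml
+apiVersion: node.k8s.io/v1
+handler: nvidia
+kind: RuntimeClass
+metadata:
+labels:
+app.kubernetes.io/component: gpu-operator
+name: nvidia
+```
+Restart k3s:
+```
+systemctl restart k3s.service
+```
+Ensure that the Nvidia runtime is detected by k3s:
+```
+grep nvidia /var/lib/rancher/k3s/agent/etc/containerd/config.toml
+```
+Apply the DaemonSet in the [generic-cdi-plugin README](https://github.com/OlfillasOdikno/generic-cdi-plugin):
+```
+apiVersion: v1
+kind: Namespace
+metadata:
+name: generic-cdi-plugin
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+name: generic-cdi-plugin-daemonset
+namespace: generic-cdi-plugin
+spec:
+selector:
+matchLabels:
+name: generic-cdi-plugin
+template:
+metadata:
+labels:
+name: generic-cdi-plugin
+app.kubernetes.io/component: generic-cdi-plugin
+app.kubernetes.io/name: generic-cdi-plugin
+spec:
+containers:
+- image: ghcr.io/olfillasodikno/generic-cdi-plugin:main
+name: generic-cdi-plugin
+command:
+- /generic-cdi-plugin
+- /var/run/cdi/nvidia-container-toolkit.json
+imagePullPolicy: Always
+securityContext:
+privileged: true
+tty: true
+volumeMounts:
+- name: kubelet
+mountPath: /var/lib/kubelet
+- name: nvidia-container-toolkit
+mountPath: /var/run/cdi/nvidia-container-toolkit.json
+volumes:
+- name: kubelet
+hostPath:
+path: /var/lib/kubelet
+- name: nvidia-container-toolkit
+hostPath:
+path: /var/run/cdi/nvidia-container-toolkit.json
+affinity:
+nodeAffinity:
+requiredDuringSchedulingIgnoredDuringExecution:
+nodeSelectorTerms:
+- matchExpressions:
+- key: "nixos-nvidia-cdi"
+operator: In
+values:
+- "enabled"
+```
+Apply the following node label (replace `#CHANGEME` with your node name):
+```
+kind: Node
+apiVersion: v1
+metadata:
+name: #CHANGEME
+labels:
+nixos-nvidia-cdi: enabled
+```
+Now, GPU-enabled pods can be run with this configuration:
+```
+spec:
+runtimeClassName: nvidia
+containers:
+resources:
+requests:
+nvidia.com/gpu-all: "1"
+limits:
+nvidia.com/gpu-all: "1"
+```
+### Test pod
+This is a complete pod configuration for reference/testing:
+```
+---
+apiVersion: v1
+kind: Pod
+metadata:
+name: gpu-test
+namespace: default
+spec:
+runtimeClassName: nvidia # <- THIS FOR GPU
+containers:
+- name: gpu-test
+image: nvidia/cuda:12.6.3-base-ubuntu22.04
+command: [ "/bin/bash", "-c", "--" ]
+args: [ "while true; do sleep 30; done;" ]
+env:
+- name: NVIDIA_VISIBLE_DEVICES
+value: all
+- name: NVIDIA_DRIVER_CAPABILITIES
+value: all
+resources: # <- THIS FOR GPU
+requests:
+nvidia.com/gpu-all: "1"
+limits:
+nvidia.com/gpu-all: "1"
+```
+Once the pod is running, use the following command to test that the GPU was detected:
+```
+kubectl exec -n default -it pod/gpu-test -- nvidia-smi
+```
+If successful, the output will look like the following:
+```
+Thu Sep 25 04:17:42 2025
++-----------------------------------------------------------------------------------------+
+| NVIDIA-SMI 580.82.09 Driver Version: 580.82.09 CUDA Version: 13.0 |
++-----------------------------------------+------------------------+----------------------+
+| GPU Name Persistence-M | Bus-Id Disp.A | Volatile Uncorr. ECC |
+| Fan Temp Perf Pwr:Usage/Cap | Memory-Usage | GPU-Util Compute M. |
+| | | MIG M. |
+|=========================================+========================+======================|
+| 0 NVIDIA GeForce RTX 2060 Off | 00000000:01:00.0 On | N/A |
+| 0% 36C P8 10W / 190W | 104MiB / 6144MiB | 0% Default |
+| | | N/A |
++-----------------------------------------+------------------------+----------------------+
++-----------------------------------------------------------------------------------------+
+| Processes: |
+| GPU GI CI PID Type Process name GPU Memory |
+| ID ID Usage |
+|=========================================================================================|
+| No running processes found |
++-----------------------------------------------------------------------------------------+
+```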


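--- a/pkgs/applications/networking/cluster/k3s/<docs-dir>/<FILE: Storage Examples>.md
+++ b/pkgs/applications/networking/cluster/k3s/<docs-dir>/<FILE: Storage Examples>.md
@@ -0,0 +1,108 @@
+# Storage Examples
+The following are some NixOS specific considerations for specific storage mechanisms with kubernetes/k3s.
+## Longhorn
+NixOS configuration required for Longhorn:
+```
+environment.systemPackages = [ pkgs.nfs-utils ];
+services.openiscsi = {
+enable = true;
+name = "${config.networking.hostName}-initiatorhost";
+};
+```
+Longhorn container has trouble with NixOS path. Solution is to override PATH environment variable, such as:
+```
+PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin
+```
+**Kyverno Policy for Fixing Longhorn Container for NixOS**
+```
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: longhorn-nixos-path
+namespace: longhorn-system
+data:
+PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+name: longhorn-add-nixos-path
+annotations:
+policies.kyverno.io/title: Add Environment Variables from ConfigMap
+policies.kyverno.io/subject: Pod
+policies.kyverno.io/category: Other
+policies.kyverno.io/description: >-
+Longhorn invokes executables on the host system, and needs
+to be aware of the host systems PATH. This modifies all
+deployments such that the PATH is explicitly set to support
+NixOS based systems.
+spec:
+rules:
+- name: add-env-vars
+match:
+resources:
+kinds:
+- Pod
+namespaces:
+- longhorn-system
+mutate:
+patchStrategicMerge:
+spec:
+initContainers:
+- (name): "*"
+envFrom:
+- configMapRef:
+name: longhorn-nixos-path
+containers:
+- (name): "*"
+envFrom:
+- configMapRef:
+name: longhorn-nixos-path
+---
+```
+## NFS
+NixOS configuration required for NFS:
+```
+boot.supportedFilesystems = [ "nfs" ];
+services.rpcbind.enable = true;
+```
+## Rook/Ceph
+In order to support Rook/Ceph, the following NixOS kernelModule configuration is required:
+```
+boot.kernelModules = [ "rbd" ];
+```
+## ZFS ContainerD Support
+The [ZFS snapshotter](https://github.com/containerd/zfs) can be enabled for k3s' embedded ContainerD though it requires mounting a dataset to a specific path used by k3s: `/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.zfs`
+For example:
+```bash
+$ zfs create -o mountpoint=/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.zfs <zpool name>/containerd
+```
+You can now configure k3s to use zfs by passing the `--snapshotter` flag.
+```
+services.k3s = {
+...
+extraFlags = [
+"--snapshotter=zfs"
+];
+```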


@@ -0,0 +1,146 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl git gnugrep gnused go jq nurl yq-go
set -x -eu -o pipefail
MAJOR_VERSION=1
MINOR_VERSION="${1:?Must provide a minor version number, like '26', as the only argument}"
WORKDIR=$(mktemp -d)
trap "rm -rf ${WORKDIR}" EXIT
# GitHub caps requests to GitHub API without GITHUB_TOKEN
CURL="curl --silent --fail --location ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"}"
NIXPKGS_ROOT="$(git rev-parse --show-toplevel)"/
NIXPKGS_K3S_PATH=$(cd $(dirname ${BASH_SOURCE[0]}); pwd -P)/
OLD_VERSION="$(nix-instantiate --eval -E "with import $NIXPKGS_ROOT. {}; k3s_${MAJOR_VERSION}_${MINOR_VERSION}.version or (builtins.parseDrvName k3s_${MAJOR_VERSION}_${MINOR_VERSION}.name).version" | tr -d '"')"
LATEST_TAG_RAWFILE=${WORKDIR}/latest_tag.json
$CURL https://api.github.com/repos/k3s-io/k3s/releases > ${LATEST_TAG_RAWFILE}
LATEST_TAG_NAME=$(cat ${LATEST_TAG_RAWFILE} | \
jq -r 'map(select(.prerelease == false))' | \
jq 'map(.tag_name)' | \
grep -v -e rc -e engine | tail -n +2 | head -n -1 | sed 's|[", ]||g' | sort -rV | grep -E "^v${MAJOR_VERSION}\.${MINOR_VERSION}\." | head -n1)
K3S_VERSION=$(echo ${LATEST_TAG_NAME} | sed 's/^v//')
K3S_COMMIT=$($CURL https://api.github.com/repos/k3s-io/k3s/git/refs/tags \
| jq -r "map(select(.ref == \"refs/tags/${LATEST_TAG_NAME}\")) | .[0] | .object.sha")
PREFETCH_META=$(nix-prefetch-url --unpack --print-path https://github.com/k3s-io/k3s/archive/refs/tags/${LATEST_TAG_NAME}.tar.gz)
K3S_STORE_PATH=${PREFETCH_META#*$'\n'}
K3S_REPO_SHA256=${PREFETCH_META%$'\n'*}
cd "$K3S_STORE_PATH"
# Set the DRONE variables as they are expected to be set in version.sh
DRONE_TAG="$LATEST_TAG_NAME"
DRONE_COMMIT="$K3S_COMMIT"
NO_DAPPER="" # Source git_version.sh in scripts/version.sh#L8
source "${K3S_STORE_PATH}/scripts/version.sh"
K3S_ROOT_SHA256=$(nix-prefetch-url --quiet --unpack \
"https://github.com/k3s-io/k3s-root/releases/download/${VERSION_ROOT}/k3s-root-amd64.tar")
CNIPLUGINS_SHA256=$(nix-prefetch-url --quiet --unpack \
"https://github.com/rancher/plugins/archive/refs/tags/${VERSION_CNIPLUGINS}.tar.gz")
CONTAINERD_SHA256=$(nix-prefetch-url --quiet --unpack \
"https://github.com/k3s-io/containerd/archive/refs/tags/${VERSION_CONTAINERD}.tar.gz")
CHART_FILES=( $(yq eval --no-doc .spec.chart "${K3S_STORE_PATH}/manifests/traefik.yaml" | xargs -n1 basename) )
# These files are:
# 1. traefik-crd-20.3.1+up20.3.0.tgz
# 2. traefik-20.3.1+up20.3.0.tgz
# at the time of writing
if [[ "${#CHART_FILES[@]}" != "2" ]]; then
echo "New manifest charts added, the packaging scripts will need to be updated: ${CHART_FILES}"
exit 1
fi
cd "${NIXPKGS_K3S_PATH}/${MAJOR_VERSION}_${MINOR_VERSION}"
CHARTS_URL=https://k3s.io/k3s-charts/assets
TRAEFIK_CRD_CHART_SHA256=$(nix-hash --type sha256 --base32 --flat <(curl -o - "${CHARTS_URL}/traefik-crd/${CHART_FILES[0]}"))
TRAEFIK_CHART_SHA256=$(nix-hash --type sha256 --base32 --flat <(curl -o - "${CHARTS_URL}/traefik/${CHART_FILES[1]}"))
# Get metadata for both files
rm -f chart-versions.nix.update
cat > chart-versions.nix.update <<EOF
{
traefik-crd = {
url = "${CHARTS_URL}/traefik-crd/${CHART_FILES[0]}";
sha256 = "$TRAEFIK_CRD_CHART_SHA256";
};
traefik = {
url = "${CHARTS_URL}/traefik/${CHART_FILES[1]}";
sha256 = "$TRAEFIK_CHART_SHA256";
};
}
EOF
mv chart-versions.nix.update chart-versions.nix
# Concatenate all sha256sums, one entry per line
SHA256_HASHES="\
$($CURL "https://github.com/k3s-io/k3s/releases/download/v${K3S_VERSION}/sha256sum-amd64.txt")
$($CURL "https://github.com/k3s-io/k3s/releases/download/v${K3S_VERSION}/sha256sum-arm64.txt")
$($CURL "https://github.com/k3s-io/k3s/releases/download/v${K3S_VERSION}/sha256sum-arm.txt")"
# Get all airgap images files associated with this release
IMAGES_ARCHIVES=$($CURL "https://api.github.com/repos/k3s-io/k3s/releases/tags/v${K3S_VERSION}" | \
# Filter the assets for airgap images archives
jq -r '.assets[] | select(.name | test("^k3s-airgap-images-.*\\.tar\\.")) | "\(.name) \(.browser_download_url)"')
# Create a JSON object for each airgap images file and prefetch all download URLs in the process
# Combine all JSON objects and write the result to images-versions.json
while read -r name url; do
# Pick the right hash based on the name
sha256=$(grep "$name" <<< "$SHA256_HASHES" | cut -d ' ' -f 1)
# Remove the k3s prefix and replace all dots with hyphens
clean_name=$(sed -e "s/^k3s-//" -e "s/\./-/g" <<< "$name")
jq --null-input --arg name "$clean_name" \
--arg url "$url" \
--arg sha256 "$sha256" \
'{$name: {"url": $url, "sha256": $sha256}}'
done <<<"${IMAGES_ARCHIVES}" | jq --slurp 'reduce .[] as $item ({}; . * $item)' > images-versions.json
FAKE_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
cat >versions.nix <<EOF
{
k3sVersion = "${K3S_VERSION}";
k3sCommit = "${K3S_COMMIT}";
k3sRepoSha256 = "${K3S_REPO_SHA256}";
k3sVendorHash = "${FAKE_HASH}";
chartVersions = import ./chart-versions.nix;
imagesVersions = builtins.fromJSON (builtins.readFile ./images-versions.json);
k3sRootVersion = "${VERSION_ROOT:1}";
k3sRootSha256 = "${K3S_ROOT_SHA256}";
k3sCNIVersion = "${VERSION_CNIPLUGINS:1}";
k3sCNISha256 = "${CNIPLUGINS_SHA256}";
containerdVersion = "${VERSION_CONTAINERD:1}";
containerdSha256 = "${CONTAINERD_SHA256}";
criCtlVersion = "${VERSION_CRICTL:1}";
}
EOF
set +e
K3S_VENDOR_HASH=$(nurl -e "(import ${NIXPKGS_ROOT}. {}).k3s_${MAJOR_VERSION}_${MINOR_VERSION}.goModules")
set -e
if [ -n "${K3S_VENDOR_HASH:-}" ]; then
sed -i "s|${FAKE_HASH}|${K3S_VENDOR_HASH}|g" ./versions.nix
else
echo "Update failed. K3S_VENDOR_HASH is empty."
exit 1
fi
# Implement commit
# See https://nixos.org/manual/nixpkgs/stable/#var-passthru-updateScript-commit
cat <<EOF
[{
"attrPath": "k3s_${MAJOR_VERSION}_${MINOR_VERSION}",
"oldVersion": "$OLD_VERSION",
"newVersion": "$K3S_VERSION",
"files": ["$PWD/versions.nix","$PWD/chart-versions.nix","$PWD/images-versions.json"]
}]
EOF
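Review bot: The two chart tarballs hashed on the `nix-hash … <(curl -o - …)` lines are fetched with a bare `curl` instead of the `$CURL` wrapper defined at the top, so without `--fail` an HTTP error body (a 404 or 5xx page) would be hashed and written into `chart-versions.nix` as the chart's sha256, and the mistake would only surface later as a hash mismatch. Using the wrapper — `$CURL -o - "${CHARTS_URL}/traefik-crd/${CHART_FILES[0]}"` and likewise for the second chart — makes a fetch failure abort the script under `set -e`. Separately, `source "${K3S_STORE_PATH}/scripts/version.sh"` executes shell code from the freshly downloaded upstream tarball inside the updater's own shell; that is presumably accepted here, but a comment such as `# Runs upstream shell code from the prefetched tarball (trusted at update time only)` would make the trust boundary explicit. Note too that `set -x` traces the expanded `$CURL` command, including `-u :$GITHUB_TOKEN`, to stderr, so any CI log of this script will contain the token; consider `set +x` around those calls or passing the credential via `--netrc-file`.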


@@ -0,0 +1,92 @@
{
lib,
stdenv,
buildGoModule,
fetchFromGitHub,
installShellFiles,
}:
let
generic =
{
version,
sha256,
rev ? version,
...
}@attrs:
let
attrs' = removeAttrs attrs [
"version"
"sha256"
"rev"
];
in
buildGoModule {
pname = "kops";
inherit version;
src = fetchFromGitHub {
rev = rev;
owner = "kubernetes";
repo = "kops";
inherit sha256;
};
vendorHash = null;
nativeBuildInputs = [ installShellFiles ];
subPackages = [ "cmd/kops" ];
ldflags = [
"-s"
"-w"
"-X k8s.io/kops.Version=${version}"
"-X k8s.io/kops.GitVersion=${version}"
];
doCheck = false;
postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
installShellCompletion --cmd kops \
--bash <($GOPATH/bin/kops completion bash) \
--fish <($GOPATH/bin/kops completion fish) \
--zsh <($GOPATH/bin/kops completion zsh)
'';
meta = with lib; {
description = "Easiest way to get a production Kubernetes up and running";
mainProgram = "kops";
homepage = "https://github.com/kubernetes/kops";
changelog = "https://github.com/kubernetes/kops/tree/master/docs/releases";
license = licenses.asl20;
maintainers = with maintainers; [
offline
zimbatm
diegolelis
yurrriq
];
};
}
// attrs';
in
rec {
mkKops = generic;
kops_1_31 = mkKops rec {
version = "1.31.0";
sha256 = "sha256-q9megrNXXKJ/YqP/fjPHh8Oji4dPK5M3HLHa+ufwRAM=";
rev = "v${version}";
};
kops_1_32 = mkKops rec {
version = "1.32.1";
sha256 = "sha256-nQKeTDajtUffPBhPrPuaJ+1XWgLDUltwDQDZHkylys4=";
rev = "v${version}";
};
kops_1_33 = mkKops rec {
version = "1.33.0";
sha256 = "sha256-VnnKWcU83yqsKW54Q1tr99/Ln8ppMyB7GLl70rUFGDY=";
rev = "v${version}";
};
}
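Review bot: `rev = rev;` inside `src` would read more consistently as `inherit rev;`, matching the `inherit sha256;` right below it. `doCheck = false;` carries no justification; a one-line comment giving the actual reason (network access, long runtime, whatever applies) stops the next maintainer from re-enabling the tests blindly. Also, because `// attrs'` is applied after the derivation attrset, any attribute passed through `...` (for example `ldflags`) replaces the one defined in `generic` rather than merging with it, silently dropping the `-X k8s.io/kops.Version=…` injection; if that is intended, a short comment on `generic` saying `# extra attrs override, not extend, the defaults` would prevent surprises.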


@@ -0,0 +1,33 @@
{
lib,
stdenv,
rustPlatform,
fetchFromGitHub,
versionCheckHook,
}:
rustPlatform.buildRustPackage rec {
pname = "kubectl-view-allocations";
version = "1.0.0";
src = fetchFromGitHub {
owner = "davidB";
repo = "kubectl-view-allocations";
tag = version;
hash = "sha256-R4pxbIUY9QEsblbVv2/QbWZv7A/ZDQmUnOCYB34RkdE=";
};
cargoHash = "sha256-liExE40Ldel1G4RT3P1y5Da65RJSrc7HD+52SwW0oeg=";
doInstallCheck = true;
nativeInstallCheckInputs = [ versionCheckHook ];
versionCheckProgramArg = "--version";
meta = {
description = "kubectl plugin to list allocations (cpu, memory, gpu,... X utilization, requested, limit, allocatable,...)";
homepage = "https://github.com/davidB/kubectl-view-allocations";
license = lib.licenses.cc0;
maintainers = with lib.maintainers; [ mrene ];
platforms = lib.platforms.unix;
};
}


@@ -0,0 +1,42 @@
{
lib,
fetchFromGitHub,
buildGoModule,
fetchpatch,
}:
buildGoModule rec {
pname = "kubeval";
version = "0.16.1";
src = fetchFromGitHub {
owner = "instrumenta";
repo = "kubeval";
rev = "v${version}";
sha256 = "sha256-pwJOV7V78H2XaMiiJvKMcx0dEwNDrhgFHmCRLAwMirg=";
};
patches = [
# https://github.com/instrumenta/kubeval/pull/346
(fetchpatch {
name = "bump-golang.org/x/sys.patch";
url = "https://github.com/instrumenta/kubeval/commit/d64502b04d9e1b85fd3d5509049adb50f3e39954.patch";
sha256 = "sha256-S/lgwdykFLU2QZRW927fgCPxaIAMK3vSqmH08pXBQxM=";
})
];
vendorHash = "sha256-R/vVrLsVSA9SGra4ytoHlQkPaIgQaj/XdivcQp8xjSM=";
doCheck = false;
meta = with lib; {
description = "Validate your Kubernetes configuration files";
mainProgram = "kubeval";
homepage = "https://github.com/instrumenta/kubeval";
license = licenses.asl20;
maintainers = with maintainers; [
johanot
nicknovitski
];
};
}
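Review bot: `doCheck = false;` is unexplained here, and the carried `fetchpatch` from an upstream PR bumping `golang.org/x/sys` suggests the project is not cutting releases that keep pace with the Go toolchain; if kubeval 0.16.1 is indeed the last upstream release, a comment next to the patch (e.g. `# upstream has not released since 0.16.1; needed for current Go toolchains`) and a reason on `doCheck` would help whoever triages the next Go bump. Please confirm the upstream status before adding that wording.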


@@ -0,0 +1,16 @@
{ fetchFromGitHub }:
# To cache schema as a package so network calls are not
# necessary at runtime, allowing use in package builds you can use the following:
# KUBEVAL_SCHEMA_LOCATION="file:///${kubeval-schema}";
(fetchFromGitHub {
name = "kubeval-schema";
owner = "instrumenta";
repo = "kubernetes-json-schema";
rev = "6a498a60dc68c5f6a1cc248f94b5cd1e7241d699";
sha256 = "1y9m2ma3n4h7sf2lg788vjw6pkfyi0fa7gzc870faqv326n6x2jr";
})
// {
# the schema is huge (> 7GB), we don't get any benefit from building int on hydra
meta.hydraPlatforms = [ ];
}
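Review bot: The comment `building int on hydra` should read `building it on hydra`. The usage hint `KUBEVAL_SCHEMA_LOCATION="file:///${kubeval-schema}"` yields four slashes (`file:////nix/store/…`) because a store path already starts with `/`; if kubeval's URL parsing is strict this may not resolve, so `file://${kubeval-schema}` is presumably the intended form — worth verifying against kubeval before leaving it in the comment.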


@@ -0,0 +1,76 @@
{
lib,
stdenv,
fetchFromGitHub,
buildGoModule,
coredns,
installShellFiles,
isFull ? false,
enableGateway ? false,
pname ? "kuma",
components ? lib.optionals isFull [
"kumactl"
"kuma-cp"
"kuma-dp"
],
}:
buildGoModule rec {
inherit pname;
version = "2.12.0";
tags = lib.optionals enableGateway [ "gateway" ];
src = fetchFromGitHub {
owner = "kumahq";
repo = "kuma";
tag = version;
hash = "sha256-5syQFcYBY/xKipIsAJdjVrXYXt7NNjjCeXiDVNO9NTo=";
};
vendorHash = "sha256-KgZYKopW+FOdwBIGxa2RLiEbefZ/1vAhcsWtcYhgdFs=";
# no test files
doCheck = false;
nativeBuildInputs = [ installShellFiles ] ++ lib.optionals isFull [ coredns ];
preBuild = ''
export HOME=$TMPDIR
'';
subPackages = map (p: "app/" + p) components;
postInstall =
lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) (
lib.concatMapStringsSep "\n" (p: ''
installShellCompletion --cmd ${p} \
--bash <($out/bin/${p} completion bash) \
--fish <($out/bin/${p} completion fish) \
--zsh <($out/bin/${p} completion zsh)
'') components
)
+ lib.optionalString isFull ''
ln -sLf ${coredns}/bin/coredns $out/bin
'';
ldflags =
let
prefix = "github.com/kumahq/kuma/pkg/version";
in
[
"-s"
"-w"
"-X ${prefix}.version=${version}"
"-X ${prefix}.gitTag=${version}"
"-X ${prefix}.gitCommit=${version}"
"-X ${prefix}.buildDate=${version}"
];
meta = {
description = "Service mesh controller";
homepage = "https://kuma.io/";
changelog = "https://github.com/kumahq/kuma/blob/${version}/CHANGELOG.md";
license = lib.licenses.asl20;
maintainers = with lib.maintainers; [ zbioe ];
};
}
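Review bot: `gitCommit` and `buildDate` in `ldflags` are set to the version string, so the binaries will report the release number where a commit hash and a date are expected; that is presumably deliberate for reproducibility, but it deserves a comment on the list, e.g. `# gitCommit/buildDate deliberately carry the version: keeps the build reproducible, and the tag resolves to a commit upstream`. The `# no test files` comment on `doCheck = false` is a claim that should be re-checked on each bump, since tests added later would then be skipped silently. In `postInstall`, the `-L` in `ln -sLf` has no effect together with `-s` and can be dropped.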


@@ -0,0 +1,8 @@
{ callPackage }:
(callPackage ./generic.nix { }) {
channel = "stable";
version = "2.14.9";
sha256 = "135x5q0a8knckbjkag2xqcr76zy49i57zf2hlsa70iknynq33ys7";
vendorHash = "sha256-bGl8IZppwLDS6cRO4HmflwIOhH3rOhE/9slJATe+onI=";
}


@@ -0,0 +1,8 @@
{ callPackage }:
(callPackage ./generic.nix { }) {
channel = "edge";
version = "25.7.4";
sha256 = "19s32frf6ymfv88zvinakqh23yp7zlcj6dcyzlkkviayf4gk270x";
vendorHash = "sha256-6cUWeJA0nxUMd+mrrHccPu9slebwZGUR0yGxev3k4ls=";
}


@@ -0,0 +1,81 @@
{
lib,
stdenv,
fetchFromGitHub,
buildGoModule,
installShellFiles,
}:
{
channel,
version,
sha256,
vendorHash,
}:
buildGoModule rec {
pname = "linkerd-${channel}";
inherit version vendorHash;
src = fetchFromGitHub {
owner = "linkerd";
repo = "linkerd2";
rev = "${channel}-${version}";
inherit sha256;
};
subPackages = [ "cli" ];
preBuild = ''
env GOFLAGS="" go generate ./pkg/charts/static
env GOFLAGS="" go generate ./jaeger/static
env GOFLAGS="" go generate ./multicluster/static
env GOFLAGS="" go generate ./viz/static
# Necessary for building Musl
if [[ $NIX_HARDENING_ENABLE =~ "pie" ]]; then
export GOFLAGS="-buildmode=pie $GOFLAGS"
fi
'';
tags = [
"prod"
];
ldflags = [
"-s"
"-w"
"-X github.com/linkerd/linkerd2/pkg/version.Version=${src.rev}"
];
nativeBuildInputs = [ installShellFiles ];
postInstall = ''
mv $out/bin/cli $out/bin/linkerd
''
+ lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
installShellCompletion --cmd linkerd \
--bash <($out/bin/linkerd completion bash) \
--zsh <($out/bin/linkerd completion zsh) \
--fish <($out/bin/linkerd completion fish)
'';
doInstallCheck = true;
installCheckPhase = ''
$out/bin/linkerd version --client | grep ${src.rev} > /dev/null
'';
passthru.updateScript = (./. + "/update-${channel}.sh");
meta = with lib; {
description = "Simple Kubernetes service mesh that improves security, observability and reliability";
mainProgram = "linkerd";
downloadPage = "https://github.com/linkerd/linkerd2/";
homepage = "https://linkerd.io/";
license = licenses.asl20;
maintainers = with maintainers; [
bryanasdev000
Gonzih
];
};
}
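Review bot: The `installCheckPhase` greps for `${src.rev}` unquoted and unanchored, so a tag such as `stable-2.14.9` is also matched by `stable-2.14.90`, and the `.` in the version is a regex wildcard; `$out/bin/linkerd version --client | grep -Fqx -- "${src.rev}"` (or `-Fq` if the line carries a prefix) checks the exact string and replaces the `> /dev/null` redirect. Otherwise the `preBuild` PIE handling and the `go generate` steps look fine, though a comment on why `GOFLAGS=""` must be cleared for `go generate` would help readers.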


@@ -0,0 +1,33 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl gnugrep gnused jq
set -x -eu -o pipefail
cd $(dirname "$0")
VERSION=$(curl ${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""} \
--silent https://api.github.com/repos/linkerd/linkerd2/releases | \
jq 'map(.tag_name)' | grep -v -e '-rc' | grep edge | sed 's/["|,| ]//g' | sed 's/edge-//' | sort -V -r | head -n1)
SHA256=$(nix-prefetch-url --quiet --unpack https://github.com/linkerd/linkerd2/archive/refs/tags/edge-${VERSION}.tar.gz)
setKV () {
sed -i "s|$1 = \".*\"|$1 = \"${2:-}\"|" ./edge.nix
}
setKV version ${VERSION}
setKV sha256 ${SHA256}
setKV vendorHash "sha256-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=" # Necessary to force clean build.
cd ../../../../../
set +e
VENDOR_HASH=$(nix-build --no-out-link -A linkerd_edge 2>&1 >/dev/null | grep "got:" | cut -d':' -f2 | sed 's| ||g')
set -e
cd - > /dev/null
if [ -n "${VENDOR_HASH:-}" ]; then
setKV vendorHash ${VENDOR_HASH}
else
echo "Update failed. VENDOR_HASH is empty."
exit 1
fi
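Review bot: The `GITHUB_TOKEN` expansion on the `curl` line appears broken: outside double quotes, `${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""}` expands to a single word ` -u ":<token>"` (the escaped quotes survive as literal characters and the surrounding double quotes prevent word splitting), so curl treats it as an extra URL rather than as `-u` plus a credential, and with `set -eo pipefail` the script should abort whenever the token is exported — please verify by running it with `GITHUB_TOKEN` set. The form used by the k3s updater, `curl ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"} --silent --fail --location …`, passes the option correctly and `--fail` also stops an HTTP error page from being fed to `jq`. Independently, `set -x` prints the expanded command, token included, to stderr, so CI logs will contain the secret; supplying it via `--netrc-file` or a `--config` file keeps it out of the trace.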


@@ -0,0 +1,33 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl gnugrep gnused jq
set -x -eu -o pipefail
cd $(dirname "$0")
VERSION=$(curl ${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""} \
--silent https://api.github.com/repos/linkerd/linkerd2/releases | \
jq 'map(.tag_name)' | grep -v -e '-rc' | grep stable | sed 's/["|,| ]//g' | sed 's/stable-//' | sort -V -r | head -n1)
SHA256=$(nix-prefetch-url --quiet --unpack https://github.com/linkerd/linkerd2/archive/refs/tags/stable-${VERSION}.tar.gz)
setKV () {
sed -i "s|$1 = \".*\"|$1 = \"${2:-}\"|" ./default.nix
}
setKV version ${VERSION}
setKV sha256 ${SHA256}
setKV vendorHash "sha256-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=" # Necessary to force clean build.
cd ../../../../../
set +e
VENDOR_HASH=$(nix-build --no-out-link -A linkerd 2>&1 >/dev/null | grep "got:" | cut -d':' -f2 | sed 's| ||g')
set -e
cd - > /dev/null
if [ -n "${VENDOR_HASH:-}" ]; then
setKV vendorHash ${VENDOR_HASH}
else
echo "Update failed. VENDOR_HASH is empty."
exit 1
fi
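Review bot: The `GITHUB_TOKEN` handling on the `curl` line looks wrong: unquoted, `${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""}` produces one word ` -u ":<token>"` with literal quote characters, which curl interprets as an additional URL instead of `-u <cred>`, so under `set -eo pipefail` the script should fail as soon as the token is exported — worth confirming with `GITHUB_TOKEN` set. Writing it as `curl ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"} --silent --fail --location …` (the k3s updater's form) passes the credential correctly and makes an HTTP error abort rather than piping an error page into `jq`. Note also that `set -x` echoes the expanded command, token included, to stderr, so the secret ends up in any captured log; a `--netrc-file` or `--config` file avoids that.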


@@ -0,0 +1,164 @@
{
lib,
config,
python3,
emptyFile,
}:
let
inherit (lib) extends;
# doc: https://github.com/NixOS/nixpkgs/pull/158781/files#diff-854251fa1fe071654921224671c8ba63c95feb2f96b2b3a9969c81676780053a
encapsulate =
layerZero:
let
fixed = layerZero ({ extend = f: encapsulate (extends f layerZero); } // fixed);
in
fixed.public;
nixopsContextBase = this: {
python = python3.override {
self = this.python;
packageOverrides =
self: super:
{
nixops = self.callPackage ./unwrapped.nix { };
}
// (this.plugins self super);
};
plugins =
ps: _super:
with ps;
(
rec {
nixops-digitalocean = callPackage ./plugins/nixops-digitalocean.nix { };
nixops-encrypted-links = callPackage ./plugins/nixops-encrypted-links.nix { };
nixops-hercules-ci = callPackage ./plugins/nixops-hercules-ci.nix { };
nixops-vbox = callPackage ./plugins/nixops-vbox.nix { };
nixos-modules-contrib = callPackage ./plugins/nixos-modules-contrib.nix { };
# aliases for backwards compatibility
nixopsvbox = nixops-vbox;
}
// lib.optionalAttrs config.allowAliases rec {
nixops-aws = throw "nixops-aws was broken and was removed from nixpkgs";
nixops-gce = throw "nixops-gce was broken and was removed from nixpkgs";
nixops-libvirtd = throw "nixops-libvirtd was broken and was removed from nixpkgs";
nixops-hetzner = throw "nixops-hetzner was broken and was removed from nixpkgs";
nixops-hetznercloud = throw "nixops-hetznercloud was broken and was removed from nixpkgs";
nixops-virtd = nixops-libvirtd;
}
);
# We should not reapply the overlay, but it tends to work out. (It's been this way since poetry2nix was dropped.)
availablePlugins = this.plugins this.python.pkgs this.python.pkgs;
selectedPlugins = [ ];
# selector is a function mapping pythonPackages to a list of plugins
# e.g. nixops_unstable.withPlugins (ps: with ps; [ nixops-digitalocean ])
withPlugins =
selector:
this.extend (
this: _old: {
selectedPlugins = selector this.availablePlugins;
}
);
rawPackage = this.python.pkgs.toPythonApplication (
this.python.pkgs.nixops.overridePythonAttrs (old: {
propagatedBuildInputs = old.propagatedBuildInputs ++ this.selectedPlugins;
# Propagating dependencies leaks them through $PYTHONPATH which causes issues
# when used in nix-shell.
postFixup = ''
rm $out/nix-support/propagated-build-inputs
'';
})
);
# Extra package attributes that aren't derivation attributes, just like `mkDerivation`'s `passthru`.
extraPackageAttrs = {
inherit (this)
selectedPlugins
availablePlugins
withPlugins
python
;
tests =
this.rawPackage.tests
// {
nixos = this.rawPackage.tests.nixos.passthru.override {
nixopsPkg = this.rawPackage;
};
commutative_addAvailablePlugins_withPlugins =
assert
(this.public.addAvailablePlugins (self: super: { inherit emptyFile; })).withPlugins (ps: [
emptyFile
]) ==
# Note that this value proves that the package is not instantiated until the end, where it's valid again.
(this.public.withPlugins (ps: [ emptyFile ])).addAvailablePlugins (
self: super: { inherit emptyFile; }
);
emptyFile;
}
# Make sure we also test with a configuration that's been extended with a plugin.
// lib.optionalAttrs (this.selectedPlugins == [ ]) {
withAPlugin =
lib.recurseIntoAttrs
(this.withPlugins (ps: with ps; [ nixops-encrypted-links ])).tests;
};
overrideAttrs =
f:
this.extend (
this: oldThis: {
rawPackage = oldThis.rawPackage.overrideAttrs f;
}
);
/**
nixops.addAvailablePlugins: Overlay -> Package
Add available plugins to the package. You probably also want to enable
them with the `withPlugins` method.
*/
addAvailablePlugins =
newPlugins:
this.extend (
finalThis: oldThis: {
plugins = lib.composeExtensions oldThis.plugins newPlugins;
}
);
# For those who need or dare.
internals = this;
};
package =
lib.lazyDerivation {
outputs = [
"out"
"dist"
];
derivation = this.rawPackage;
}
// this.extraPackageAttrs;
public = this.package;
};
minimal = encapsulate nixopsContextBase;
in
{
nixops_unstable_minimal = minimal;
# Not recommended; too fragile.
nixops_unstable_full = minimal.withPlugins (ps: [
ps.nixops-digitalocean
ps.nixops-encrypted-links
ps.nixops-hercules-ci
ps.nixops-vbox
]);
}


@@ -0,0 +1,54 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
unstableGitUpdater,
poetry-core,
nixops,
python-digitalocean,
pythonOlder,
}:
buildPythonPackage {
pname = "nixops-digitalocean";
version = "0.1.0-unstable-2022-08-14";
pyproject = true;
disabled = pythonOlder "3.7";
src = fetchFromGitHub {
owner = "nix-community";
repo = "nixops-digitalocean";
rev = "e977b7f11e264a6a2bff2dcbc7b94c6a97b92fff";
hash = "sha256-aJtShvdqjAiCK5oZL0GR5cleDb4s1pJkO6UPKGd4Dgg=";
};
postPatch = ''
substituteInPlace pyproject.toml \
--replace poetry.masonry.api poetry.core.masonry.api \
--replace "poetry>=" "poetry-core>="
'';
nativeBuildInputs = [
poetry-core
];
buildInputs = [
nixops
];
propagatedBuildInputs = [
python-digitalocean
];
pythonImportsCheck = [ "nixops_digitalocean" ];
passthru.updateScript = unstableGitUpdater { };
meta = with lib; {
description = "NixOps Digitalocean plugin";
homepage = "https://github.com/nix-community/nixops-digitalocean";
license = licenses.lgpl3Only;
maintainers = [ ];
};
}
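Review bot: `substituteInPlace … --replace` does not fail when the pattern is absent, so if upstream renames its build backend the poetry→poetry-core rewrite in `postPatch` silently becomes a no-op and the build either breaks obscurely later or pulls the full `poetry` in as a build backend; `--replace-fail poetry.masonry.api poetry.core.masonry.api --replace-fail "poetry>=" "poetry-core>="` turns that into an immediate error, and matches the `--replace-fail` already used in the nixops `unwrapped.nix` in this commit. As far as I recall, current nixpkgs also warns on bare `--replace`, so this would surface in build logs anyway.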


@@ -0,0 +1,46 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
unstableGitUpdater,
poetry-core,
nixops,
}:
buildPythonPackage {
pname = "nixops-encrypted-links";
version = "0-unstable-2021-02-16";
pyproject = true;
src = fetchFromGitHub {
owner = "nix-community";
repo = "nixops-encrypted-links";
rev = "e2f196fce15fcfb00d18c055e1ac53aec33b8fb1";
hash = "sha256-1TTbARyCfrLxF6SVNkmIKNNcLS9FVW22d9w0VRrH1os=";
};
postPatch = ''
substituteInPlace pyproject.toml \
--replace poetry.masonry.api poetry.core.masonry.api \
--replace "poetry>=" "poetry-core>="
'';
nativeBuildInputs = [
poetry-core
];
buildInputs = [
nixops
];
pythonImportsCheck = [ "nixops_encrypted_links" ];
passthru.updateScript = unstableGitUpdater { };
meta = with lib; {
description = "EncryptedLinksTo from Nixops 1 module port";
homepage = "https://github.com/nix-community/nixops-encrypted-links";
license = licenses.mit;
maintainers = [ ];
};
}
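Review bot: The `postPatch` substitutions use `--replace`, which succeeds even when the pattern is not found, so an upstream change to the build backend would leave the poetry→poetry-core rewrite silently unapplied; `--replace-fail poetry.masonry.api poetry.core.masonry.api --replace-fail "poetry>=" "poetry-core>="` makes that an immediate, obvious failure and is consistent with the `--replace-fail` used in the nixops `unwrapped.nix` of this same commit.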


@@ -0,0 +1,40 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
unstableGitUpdater,
poetry-core,
nixops,
}:
buildPythonPackage {
pname = "nixops-hercules-ci";
version = "0-unstable-2021-10-06";
pyproject = true;
src = fetchFromGitHub {
owner = "hercules-ci";
repo = "nixops-hercules-ci";
rev = "e601d5baffd003fd5f22deeaea0cb96444b054dc";
hash = "sha256-4IZ+qzhERJIhLcIq9FvVml+xAFJ8R4QpUjFRw2DZl2U=";
};
nativeBuildInputs = [
poetry-core
];
buildInputs = [
nixops
];
pythonImportsCheck = [ "nixops_hercules_ci" ];
passthru.updateScript = unstableGitUpdater { };
meta = with lib; {
description = "Use Hercules CI as a NixOps backend";
homepage = "https://github.com/hercules-ci/nixops-hercules-ci";
license = licenses.asl20;
maintainers = with maintainers; [ roberth ];
};
}


@@ -0,0 +1,48 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
unstableGitUpdater,
poetry-core,
nixops,
}:
buildPythonPackage {
pname = "nixops-vbox";
version = "1.0.0-unstable-2023-08-10";
pyproject = true;
src = fetchFromGitHub {
owner = "nix-community";
repo = "nixops-vbox";
rev = "baa5f09c9ae9aaf639c95192460ab5dcbe83a883";
hash = "sha256-QrxherQO1t0VpYjJSEbntUWVD6GW4MtVHiKINpzHA1M=";
};
postPatch = ''
substituteInPlace pyproject.toml \
--replace poetry.masonry.api poetry.core.masonry.api \
--replace "poetry>=" "poetry-core>="
'';
nativeBuildInputs = [
poetry-core
];
buildInputs = [
nixops
];
pythonImportsCheck = [ "nixopsvbox" ];
passthru.updateScript = unstableGitUpdater {
tagPrefix = "v";
};
meta = with lib; {
description = "NixOps plugin for VirtualBox VMs";
homepage = "https://github.com/nix-community/nixops-vbox";
license = licenses.lgpl3Only;
maintainers = with maintainers; [ aminechikhaoui ];
};
}
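Review bot: The `postPatch` block relies on `--replace`, which stays silent when the pattern is missing, so the poetry→poetry-core rewrite could stop applying on the next upstream bump without anyone noticing; `--replace-fail poetry.masonry.api poetry.core.masonry.api --replace-fail "poetry>=" "poetry-core>="` fails the build instead, as the nixops `unwrapped.nix` in this commit already does. The `pythonImportsCheck` name `nixopsvbox` differs from the `pname` pattern the sibling plugins use (`nixops_<name>`); a one-line comment noting that the module really is named `nixopsvbox` would save a future reader from "fixing" it.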


@@ -0,0 +1,46 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
unstableGitUpdater,
poetry-core,
nixops,
}:
buildPythonPackage {
pname = "nixos-modules-contrib";
version = "0-unstable-2021-01-20";
pyproject = true;
src = fetchFromGitHub {
owner = "nix-community";
repo = "nixos-modules-contrib";
rev = "81a1c2ef424dcf596a97b2e46a58ca73a1dd1ff8";
hash = "sha256-/RSStpkAxWpUB5saQ8CmQZljFjJyUMOrR1+GiHJR2Tg=";
};
postPatch = ''
substituteInPlace pyproject.toml \
--replace poetry.masonry.api poetry.core.masonry.api \
--replace "poetry>=" "poetry-core>="
'';
nativeBuildInputs = [
poetry-core
];
buildInputs = [
nixops
];
pythonImportsCheck = [ "nixos_modules_contrib" ];
passthru.updateScript = unstableGitUpdater { };
meta = with lib; {
description = "Useful NixOS modules which may not belong in the Nixpkgs repository itself";
homepage = "https://github.com/nix-community/nixos-modules-contrib";
license = licenses.lgpl3;
maintainers = [ ];
};
}
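Review bot: `substituteInPlace … --replace` in `postPatch` does not error when its pattern is absent, so a future upstream change to the build backend would silently skip the poetry→poetry-core rewrite; `--replace-fail poetry.masonry.api poetry.core.masonry.api --replace-fail "poetry>=" "poetry-core>="` fails loudly and matches the `--replace-fail` style of the nixops `unwrapped.nix` in this commit. Also `license = licenses.lgpl3;` is the ambiguous alias where the sibling plugins pin `lgpl3Only`; worth confirming which one the upstream LICENSE actually states.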


@@ -0,0 +1,76 @@
{
lib,
buildPythonApplication,
fetchFromGitHub,
unstableGitUpdater,
poetry-core,
sphinx,
pluggy,
prettytable,
typeguard,
typing-extensions,
nixosTests,
}:
buildPythonApplication rec {
pname = "nixops";
version = "1.7-unstable-2024-02-28";
pyproject = true;
src = fetchFromGitHub {
owner = "NixOS";
repo = "nixops";
rev = "08feccb14074c5434f3e483d19a7f7d9bfcdb669";
hash = "sha256-yWeF5apQJdChjYVSOyH6LYjJYGa1RL68LRHrSgZ9l8U=";
};
postPatch = ''
substituteInPlace pyproject.toml --replace-fail \
'include = ["nix/*.nix", "nixops/py.typed" ]' \
'include = [ { path = "nix/*.nix", format = "wheel" }, { path = "nixops/py.typed", format = "wheel" } ]'
substituteInPlace nixops/args.py --replace-fail "@version@" "${version}-pre-${
lib.substring 0 7 src.rev or "dirty"
}"
'';
nativeBuildInputs = [
poetry-core
sphinx
];
propagatedBuildInputs = [
pluggy
prettytable
typeguard
typing-extensions
];
postInstall = ''
doc_cache=$(mktemp -d)
sphinx-build -b man -d $doc_cache doc/ $out/share/man/man1
html=$(mktemp -d)
sphinx-build -b html -d $doc_cache doc/ $out/share/nixops/doc
'';
pythonImportsCheck = [ "nixops" ];
passthru = {
tests.nixos = nixosTests.nixops.unstable;
updateScript = unstableGitUpdater {
tagPrefix = "v";
};
};
meta = with lib; {
description = "Tool for deploying to NixOS machines in a network or cloud";
homepage = "https://github.com/NixOS/nixops";
license = licenses.lgpl3Only;
maintainers = with lib.maintainers; [
aminechikhaoui
roberth
];
platforms = lib.platforms.unix;
mainProgram = "nixops";
};
}
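Review bot: `html=$(mktemp -d)` in `postInstall` is assigned but never used — the HTML build writes directly to `$out/share/nixops/doc` — so the line only creates a stray temp directory and should be dropped. The `@version@` substitution builds the string as `<version>-pre-<7-char rev>`; a short comment saying so would explain the `-pre-` suffix, and since `src` comes from `fetchFromGitHub` the `or "dirty"` fallback can never trigger (harmless, but a reader may wonder when it applies).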
