Unverified Commit 84540787 authored by Sandro Jäckel, committed by GitHub

nixseparatedebuginfod2: v0.1.0 -> 1.0.1, replace nixseparatedebuginfod (#452053)

parents 7c7c7045 7a185ce0
+2 −0
@@ -241,6 +241,8 @@

- The `yeahwm` package and `services.xserver.windowManager.yeahwm` module were removed due to the package being broken and unmaintained upstream.

- `services.nixseparatedebuginfod.enable = true;` has been replaced by `services.nixseparatedebuginfod2.enable = true`. If you only use the official binary cache `https://cache.nixos.org` then no further configuration should be needed. If you have other https substituters, you can add them to `services.nixseparatedebuginfod2.subsituters`. SSH substituters are not supported by nixseparatedebuginfod2. Consider running nixseparatedebuginfod2 on the substituter instead, and pointing to it with the new option `environment.debuginfodServers`.

- The `services.snapserver` module has been migrated to use the settings option and render a configuration file instead of passing every option over the command line.

- The `services.meilisearch` module now always defaults to the latest version of meilisearch, as the previous `meilisearch_1_11` package was removed. This is only an issue if you were using the old version.
+0 −1
@@ -600,7 +600,6 @@
  ./services/development/livebook.nix
  ./services/development/lorri.nix
  ./services/development/nixseparatedebuginfod2.nix
  ./services/development/nixseparatedebuginfod.nix
  ./services/development/rstudio-server/default.nix
  ./services/development/vsmartcard-vpcd.nix
  ./services/development/zammad.nix
+3 −0
@@ -228,6 +228,9 @@ in
      "services.morty has been removed from NixOS. As the morty package was unmaintained and removed and searxng, its main consumer, dropped support for it."
    )
    (mkRemovedOptionModule [ "services" "mwlib" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "nixseparatedebuginfod" ]
      "Use `services.nixseparatedebuginfod2.enable = true;` instead. If you only use the official binary cache, no additional configuration should be needed."
    )
    (mkRemovedOptionModule [ "services" "pantheon" "files" ] ''
      This module was removed, please add pkgs.pantheon.elementary-files to environment.systemPackages directly.
    '')
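--- a/services/development/nixseparatedebuginfod.nix
+++ /dev/null
@@ -1,106 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}:
-let
-  cfg = config.services.nixseparatedebuginfod;
-  url = "127.0.0.1:${toString cfg.port}";
-in
-{
-  options = {
-    services.nixseparatedebuginfod = {
-      enable = lib.mkEnableOption "separatedebuginfod, a debuginfod server providing source and debuginfo for nix packages";
-      port = lib.mkOption {
-        description = "port to listen";
-        default = 1949;
-        type = lib.types.port;
-      };
-      nixPackage = lib.mkOption {
-        type = lib.types.package;
-        default = pkgs.nix;
-        defaultText = lib.literalExpression "pkgs.nix";
-        description = ''
-          The version of nix that nixseparatedebuginfod should use as client for the nix daemon. It is strongly advised to use nix version >= 2.18, otherwise some debug info may go missing.
-        '';
-      };
-      allowOldNix = lib.mkOption {
-        type = lib.types.bool;
-        default = false;
-        description = ''
-          Do not fail evaluation when {option}`services.nixseparatedebuginfod.nixPackage` is older than nix 2.18.
-        '';
-      };
-    };
-  };
-  config = lib.mkIf cfg.enable {
-    assertions = [
-      {
-        assertion = cfg.allowOldNix || (lib.versionAtLeast cfg.nixPackage.version "2.18");
-        message = "nixseparatedebuginfod works better when `services.nixseparatedebuginfod.nixPackage` is set to nix >= 2.18 (instead of ${cfg.nixPackage.name}). Set `services.nixseparatedebuginfod.allowOldNix` to bypass.";
-      }
-    ];
-
-    systemd.services.nixseparatedebuginfod = {
-      wantedBy = [ "multi-user.target" ];
-      wants = [ "nix-daemon.service" ];
-      after = [ "nix-daemon.service" ];
-      path = [ cfg.nixPackage ];
-      serviceConfig = {
-        ExecStart = [ "${pkgs.nixseparatedebuginfod}/bin/nixseparatedebuginfod -l ${url}" ];
-        Restart = "on-failure";
-        CacheDirectory = "nixseparatedebuginfod";
-        # nix does not like DynamicUsers in allowed-users
-        User = "nixseparatedebuginfod";
-        Group = "nixseparatedebuginfod";
-
-        # hardening
-        # Filesystem stuff
-        ProtectSystem = "strict"; # Prevent writing to most of /
-        ProtectHome = true; # Prevent accessing /home and /root
-        PrivateTmp = true; # Give an own directory under /tmp
-        PrivateDevices = true; # Deny access to most of /dev
-        ProtectKernelTunables = true; # Protect some parts of /sys
-        ProtectControlGroups = true; # Remount cgroups read-only
-        RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files
-        PrivateMounts = true; # Give an own mount namespace
-        RemoveIPC = true;
-        UMask = "0077";
-
-        # Capabilities
-        CapabilityBoundingSet = ""; # Allow no capabilities at all
-        NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.
-
-        # Kernel stuff
-        ProtectKernelModules = true; # Prevent loading of kernel modules
-        SystemCallArchitectures = "native"; # Usually no need to disable this
-        ProtectKernelLogs = true; # Prevent access to kernel logs
-        ProtectClock = true; # Prevent setting the RTC
-
-        # Networking
-        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
-
-        # Misc
-        LockPersonality = true; # Prevent change of the personality
-        ProtectHostname = true; # Give an own UTS namespace
-        RestrictRealtime = true; # Prevent switching to RT scheduling
-        MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python
-        RestrictNamespaces = true;
-      };
-    };
-
-    users.users.nixseparatedebuginfod = {
-      isSystemUser = true;
-      group = "nixseparatedebuginfod";
-    };
-
-    users.groups.nixseparatedebuginfod = { };
-
-    nix.settings = lib.optionalAttrs (lib.versionAtLeast config.nix.package.version "2.4") {
-      extra-allowed-users = [ "nixseparatedebuginfod" ];
-    };
-
-    environment.debuginfodServers = [ "http://${url}" ];
-  };
-}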
+26 −15
@@ -10,20 +10,27 @@ let
  url = "127.0.0.1:${toString cfg.port}";
in
{
  imports = [
    (lib.mkRemovedOptionModule [ "services" "nixseparatedebuginfod2" "substituter" ] ''
      Instead of `services.nixseparatedebuginfod2.substituter = "foo"`, set `services.nixseparatedebuginfod2.substituters = [ "foo" ]` (possibly with mkForce to override the default value).
    '')
  ];
  options = {
    services.nixseparatedebuginfod2 = {
      enable = lib.mkEnableOption "nixseparatedebuginfod2, a debuginfod server providing source and debuginfo for nix packages";
      port = lib.mkOption {
        description = "port to listen";
        default = 1950;
        default = 1949;
        type = lib.types.port;
      };
      package = lib.mkPackageOption pkgs "nixseparatedebuginfod2" { };
      substituter = lib.mkOption {
        description = "nix substituter to fetch debuginfo from. Either http/https substituters, or `local:` to use debuginfo present in the local store.";
        default = "https://cache.nixos.org";
        example = "local:";
        type = lib.types.str;
      substituters = lib.mkOption {
        description = "nix substituter to fetch debuginfo from. Either http/https/file substituters, or `local:` to use debuginfo present in the local store.";
        default = [
          "local:"
          "https://cache.nixos.org"
        ];
        type = lib.types.listOf lib.types.str;
      };
      cacheExpirationDelay = lib.mkOption {
        description = "keep unused cache entries for this long. A number followed by a unit";
@@ -38,15 +45,19 @@ in
      path = [ config.nix.package ];
      serviceConfig = {
        ExecStart = [
          (utils.escapeSystemdExecArgs [
          (utils.escapeSystemdExecArgs (
            [
              (lib.getExe cfg.package)
              "--listen-address"
              url
            "--substituter"
            cfg.substituter
              "--expiration"
              cfg.cacheExpirationDelay
          ])
            ]
            ++ (lib.lists.concatMap (s: [
              "--substituter"
              s
            ]) cfg.substituters)
          ))
        ];
        Restart = "on-failure";
        CacheDirectory = "nixseparatedebuginfod2";
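Review bot: The default of `services.nixseparatedebuginfod2.port` moves from 1950 to 1949 in the first hunk (the `default = 1950;` / `default = 1949;` pair, which the hunk's line counts mark as removed/added), and that is a silent behaviour change for people already running nixseparatedebuginfod2: `url` is built from `cfg.port` in the `let` just above the hunk, so any client, firewall rule or `environment.debuginfodServers` entry that named the old port stops matching, and neither the option description nor this commit's release-note entry mentions it. Add one sentence about the new default to the release note. In the same hunk the `substituters` description is still phrased in the singular, `"nix substituter to fetch debuginfo from. …"`; since the option is now `listOf str` and list definitions merge, it should read `"nix substituters to fetch debuginfo from. …"` and say that values set elsewhere are appended to the default list unless `mkForce` is used, as the removed-option text already hints. The release-note hunk of this commit also spells the option `services.nixseparatedebuginfod2.subsituters`; it refers to the option defined here and should be `substituters`. The `serviceConfig` attribute set in the second hunk continues past the hunk's last line.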