Merge master into haskell-updates

## Specifying dependencies {#ssec-stdenv-dependencies}

Build systems often require more dependencies than just what `stdenv` provides. This section describes attributes accepted by `stdenv.mkDerivation` that can be used to make these dependencies available to the build system.

### Overview {#ssec-stdenv-dependencies-overview}

A full reference of the different kinds of dependencies is provided in [](#ssec-stdenv-dependencies-reference), but here is an overview of the most common ones.

It should cover most use cases.

Add dependencies to `nativeBuildInputs` if they are executed during the build:

- those which are needed on `$PATH` during the build, for example `cmake` and `pkg-config`

- [setup hooks](#ssec-setup-hooks), for example [`makeWrapper`](#fun-makeWrapper)

- interpreters needed by [`patchShebangs`](#patch-shebangs.sh) for build scripts (with the `--build` flag), which can be the case for e.g. `perl`

Add dependencies to `buildInputs` if they will end up copied or linked into the final output or otherwise used at runtime:

- libraries used by compilers, for example `zlib`,

- interpreters needed by [`patchShebangs`](#patch-shebangs.sh) for scripts which are installed, which can be the case for e.g. `perl`

::: {.note}

These criteria are independent.

For example, software using Wayland usually needs the `wayland` library at runtime, so `wayland` should be added to `buildInputs`.

But it also executes the `wayland-scanner` program as part of the build to generate code, so `wayland` should also be added to `nativeBuildInputs`.

:::

Dependencies needed only to run tests are similarly classified between native (executed during build) and non-native (executed at runtime):

- `nativeCheckInputs` for test tools needed on `$PATH` (such as `ctest`) and [setup hooks](#ssec-setup-hooks) (for example [`pytestCheckHook`](#python))

- `checkInputs` for libraries linked into test executables (for example the `qcheck` OCaml package)

These dependencies are only injected when [`doCheck`](#var-stdenv-doCheck) is set to `true`.

#### Example {#ssec-stdenv-dependencies-overview-example}

Consider for example this simplified derivation for `solo5`, a sandboxing tool:

```nix

stdenv.mkDerivation rec {

  pname = "solo5";

  version = "0.7.5";

  src = fetchurl {

    url = "https://github.com/Solo5/solo5/releases/download/v${version}/solo5-v${version}.tar.gz";

    sha256 = "sha256-viwrS9lnaU8sTGuzK/+L/PlMM/xRRtgVuK5pixVeDEw=";

  };

  nativeBuildInputs = [ makeWrapper pkg-config ];

  buildInputs = [ libseccomp ];

  postInstall = ''

    substituteInPlace $out/bin/solo5-virtio-mkimage \

      --replace "/usr/lib/syslinux" "${syslinux}/share/syslinux" \

      --replace "/usr/share/syslinux" "${syslinux}/share/syslinux" \

      --replace "cp " "cp --no-preserve=mode "

    wrapProgram $out/bin/solo5-virtio-mkimage \

      --prefix PATH : ${lib.makeBinPath [ dosfstools mtools parted syslinux ]}

  '';

  doCheck = true;

  nativeCheckInputs = [ util-linux qemu ];

  checkPhase = '' [elided] '';

}

```

- `makeWrapper` is a setup hook, i.e., a shell script sourced by the generic builder of `stdenv`.

  It is thus executed during the build and must be added to `nativeBuildInputs`.

- `pkg-config` is a build tool which the configure script of `solo5` expects to be on `$PATH` during the build:

  therefore, it must be added to `nativeBuildInputs`.

- `libseccomp` is a library linked into `$out/bin/solo5-elftool`.

  As it is used at runtime, it must be added to `buildInputs`.

- Tests need `qemu` and `getopt` (from `util-linux`) on `$PATH`, these must be added to `nativeCheckInputs`.

- Some dependencies are injected directly in the shell code of phases: `syslinux`, `dosfstools`, `mtools`, and `parted`.

In this specific case, they will end up in the output of the derivation (`$out` here).

As Nix marks dependencies whose absolute path is present in the output as runtime dependencies, adding them to `buildInputs` is not required.

For more complex cases, like libraries linked into an executable which is then executed as part of the build system, see [](#ssec-stdenv-dependencies-reference).

### Reference {#ssec-stdenv-dependencies-reference}

As described in the Nix manual, almost any `*.drv` store path in a derivation’s attribute set will induce a dependency on that derivation. `mkDerivation`, however, takes a few attributes intended to include all the dependencies of a package. This is done both for structure and consistency, but also so that certain other setup can take place. For example, certain dependencies need their bin directories added to the `PATH`. That is built-in, but other setup is done via a pluggable mechanism that works in conjunction with these dependency attributes. See [](#ssec-setup-hooks) for details.

Dependencies can be broken down along three axes: their host and target platforms relative to the new derivation’s, and whether they are propagated. The platform distinctions are motivated by cross compilation; see [](#chap-cross) for exactly what each platform means. [^footnote-stdenv-ignored-build-platform] But even if one is not cross compiling, the platforms imply whether or not the dependency is needed at run-time or build-time, a concept that makes perfect sense outside of cross compilation. By default, the run-time/build-time distinction is just a hint for mental clarity, but with `strictDeps` set it is mostly enforced even in the native case.

Overall, the unifying theme here is that propagation shouldn’t be introducing transitive dependencies involving platforms the depending package is unaware of. \[One can imagine the dependending package asking for dependencies with the platforms it knows about; other platforms it doesn’t know how to ask for. The platform description in that scenario is a kind of unforagable capability.\] The offset bounds checking and definition of `mapOffset` together ensure that this is the case. Discovering a new offset is discovering a new platform, and since those platforms weren’t in the derivation “spec” of the needing package, they cannot be relevant. From a capability perspective, we can imagine that the host and target platforms of a package are the capabilities a package requires, and the depending package must provide the capability to the dependency.

### Variables specifying dependencies {#variables-specifying-dependencies}

#### Variables specifying dependencies {#variables-specifying-dependencies}

#### `depsBuildBuild` {#var-stdenv-depsBuildBuild}

##### `depsBuildBuild` {#var-stdenv-depsBuildBuild}

A list of dependencies whose host and target platforms are the new derivation’s build platform. These are programs and libraries used at build time that produce programs and libraries also used at build time. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it in `nativeBuildInputs` instead. The most common use of this `buildPackages.stdenv.cc`, the default C compiler for this role. That example crops up more than one might think in old commonly used C libraries.

Since these packages are able to be run at build-time, they are always added to the `PATH`, as described above. But since these packages are only guaranteed to be able to run then, they shouldn’t persist as run-time dependencies. This isn’t currently enforced, but could be in the future.

#### `nativeBuildInputs` {#var-stdenv-nativeBuildInputs}

##### `nativeBuildInputs` {#var-stdenv-nativeBuildInputs}

A list of dependencies whose host platform is the new derivation’s build platform, and target platform is the new derivation’s host platform. These are programs and libraries used at build-time that, if they are a compiler or similar tool, produce code to run at run-time—i.e. tools used to build the new derivation. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it here, rather than in `depsBuildBuild` or `depsBuildTarget`. This could be called `depsBuildHost` but `nativeBuildInputs` is used for historical continuity.

Since these packages are able to be run at build-time, they are added to the `PATH`, as described above. But since these packages are only guaranteed to be able to run then, they shouldn’t persist as run-time dependencies. This isn’t currently enforced, but could be in the future.

#### `depsBuildTarget` {#var-stdenv-depsBuildTarget}

##### `depsBuildTarget` {#var-stdenv-depsBuildTarget}

A list of dependencies whose host platform is the new derivation’s build platform, and target platform is the new derivation’s target platform. These are programs used at build time that produce code to run with code produced by the depending package. Most commonly, these are tools used to build the runtime or standard library that the currently-being-built compiler will inject into any code it compiles. In many cases, the currently-being-built-compiler is itself employed for that task, but when that compiler won’t run (i.e. its build and host platform differ) this is not possible. Other times, the compiler relies on some other tool, like binutils, that is always built separately so that the dependency is unconditional.

Since these packages are able to run at build time, they are added to the `PATH`, as described above. But since these packages are only guaranteed to be able to run then, they shouldn’t persist as run-time dependencies. This isn’t currently enforced, but could be in the future.

#### `depsHostHost` {#var-stdenv-depsHostHost}

##### `depsHostHost` {#var-stdenv-depsHostHost}

A list of dependencies whose host and target platforms match the new derivation’s host platform. In practice, this would usually be tools used by compilers for macros or a metaprogramming system, or libraries used by the macros or metaprogramming code itself. It’s always preferable to use a `depsBuildBuild` dependency in the derivation being built over a `depsHostHost` on the tool doing the building for this purpose.

#### `buildInputs` {#var-stdenv-buildInputs}

##### `buildInputs` {#var-stdenv-buildInputs}

A list of dependencies whose host platform and target platform match the new derivation’s. This would be called `depsHostTarget` but for historical continuity. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it here, rather than in `depsBuildBuild`.

These are often programs and libraries used by the new derivation at *run*-time, but that isn’t always the case. For example, the machine code in a statically-linked library is only used at run-time, but the derivation containing the library is only needed at build-time. Even in the dynamic case, the library may also be needed at build-time to appease the linker.

#### `depsTargetTarget` {#var-stdenv-depsTargetTarget}

##### `depsTargetTarget` {#var-stdenv-depsTargetTarget}

A list of dependencies whose host platform matches the new derivation’s target platform. These are packages that run on the target platform, e.g. the standard library or run-time deps of standard library that a compiler insists on knowing about. It’s poor form in almost all cases for a package to depend on another from a future stage \[future stage corresponding to positive offset\]. Do not use this attribute unless you are packaging a compiler and are sure it is needed.

#### `depsBuildBuildPropagated` {#var-stdenv-depsBuildBuildPropagated}

##### `depsBuildBuildPropagated` {#var-stdenv-depsBuildBuildPropagated}

The propagated equivalent of `depsBuildBuild`. This perhaps never ought to be used, but it is included for consistency \[see below for the others\].

#### `propagatedNativeBuildInputs` {#var-stdenv-propagatedNativeBuildInputs}

##### `propagatedNativeBuildInputs` {#var-stdenv-propagatedNativeBuildInputs}

The propagated equivalent of `nativeBuildInputs`. This would be called `depsBuildHostPropagated` but for historical continuity. For example, if package `Y` has `propagatedNativeBuildInputs = [X]`, and package `Z` has `buildInputs = [Y]`, then package `Z` will be built as if it included package `X` in its `nativeBuildInputs`. If instead, package `Z` has `nativeBuildInputs = [Y]`, then `Z` will be built as if it included `X` in the `depsBuildBuild` of package `Z`, because of the sum of the two `-1` host offsets.

#### `depsBuildTargetPropagated` {#var-stdenv-depsBuildTargetPropagated}

##### `depsBuildTargetPropagated` {#var-stdenv-depsBuildTargetPropagated}

The propagated equivalent of `depsBuildTarget`. This is prefixed for the same reason of alerting potential users.

#### `depsHostHostPropagated` {#var-stdenv-depsHostHostPropagated}

##### `depsHostHostPropagated` {#var-stdenv-depsHostHostPropagated}

The propagated equivalent of `depsHostHost`.

#### `propagatedBuildInputs` {#var-stdenv-propagatedBuildInputs}

##### `propagatedBuildInputs` {#var-stdenv-propagatedBuildInputs}

The propagated equivalent of `buildInputs`. This would be called `depsHostTargetPropagated` but for historical continuity.

#### `depsTargetTargetPropagated` {#var-stdenv-depsTargetTargetPropagated}

##### `depsTargetTargetPropagated` {#var-stdenv-depsTargetTargetPropagated}

The propagated equivalent of `depsTargetTarget`. This is prefixed for the same reason of alerting potential users.

  ./system/boot/systemd/logind.nix

  ./system/boot/systemd/nspawn.nix

  ./system/boot/systemd/oomd.nix

  ./system/boot/systemd/repart.nix

  ./system/boot/systemd/shutdown.nix

  ./system/boot/systemd/tmpfiles.nix

  ./system/boot/systemd/user.nix

# Udisks daemon.

{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.services.udisks2;

  settingsFormat = pkgs.formats.ini {

    listToValue = concatMapStringsSep "," (generators.mkValueStringDefault {});

  };

    services.udisks2 = {

      enable = mkEnableOption (lib.mdDoc "udisks2, a DBus service that allows applications to query and manipulate storage devices");

      enable = mkEnableOption (mdDoc "udisks2, a DBus service that allows applications to query and manipulate storage devices");

      mountOnMedia = mkOption {

        type = types.bool;

        default = false;

        description = mdDoc ''

          When enabled, instructs udisks2 to mount removable drives under `/media/` directory, instead of the

          default, ACL-controlled `/run/media/$USER/`. Since `/media/` is not mounted as tmpfs by default, it

          requires cleanup to get rid of stale mountpoints; enabling this option will take care of this at boot.

        '';

      };

      settings = mkOption rec {

        type = types.attrsOf settingsFormat.type;

          };

        };

        '';

        description = lib.mdDoc ''

        description = mdDoc ''

          Options passed to udisksd.

          See [here](http://manpages.ubuntu.com/manpages/latest/en/man5/udisks2.conf.5.html) and

          drive configuration in [here](http://manpages.ubuntu.com/manpages/latest/en/man8/udisks.8.html) for supported options.

    services.dbus.packages = [ pkgs.udisks2 ];

    systemd.tmpfiles.rules = [ "d /var/lib/udisks2 0755 root root -" ];

    systemd.tmpfiles.rules = [ "d /var/lib/udisks2 0755 root root -" ]

      ++ optional cfg.mountOnMedia "D! /media 0755 root root -";

    services.udev.packages = [ pkgs.udisks2 ];

    services.udev.extraRules = optionalString cfg.mountOnMedia ''

      ENV{ID_FS_USAGE}=="filesystem", ENV{UDISKS_FILESYSTEM_SHARED}="1"

    '';

    systemd.packages = [ pkgs.udisks2 ];

  };

            cp -r ${cfg.package}/etc/onlyoffice/documentserver/* /run/onlyoffice/config/

            chmod u+w /run/onlyoffice/config/default.json

            # Allow members of the onlyoffice group to serve files under /var/lib/onlyoffice/documentserver/App_Data

            chmod g+x /var/lib/onlyoffice/documentserver

            cp /run/onlyoffice/config/default.json{,.orig}

            # for a mapping of environment variables from the docker container to json options see

        group = "onlyoffice";

        isSystemUser = true;

      };

      nginx.extraGroups = [ "onlyoffice" ];

    };

    users.groups.onlyoffice = { };

{ config, pkgs, lib, ... }:

let

  cfg = config.boot.initrd.systemd.repart;

  writeDefinition = name: partitionConfig: pkgs.writeText

    "${name}.conf"

    (lib.generators.toINI { } { Partition = partitionConfig; });

  listOfDefinitions = lib.mapAttrsToList

    writeDefinition

    (lib.filterAttrs (k: _: !(lib.hasPrefix "_" k)) cfg.partitions);

  # Create a directory in the store that contains a copy of all definition

  # files. This is then passed to systemd-repart in the initrd so it can access

  # the definition files after the sysroot has been mounted but before

  # activation. This needs a hard copy of the files and not just symlinks

  # because otherwise the files do not show up in the sysroot.

  definitionsDirectory = pkgs.runCommand "systemd-repart-definitions" { } ''

    mkdir -p $out

    ${(lib.concatStringsSep "\n"

      (map (pkg: "cp ${pkg} $out/${pkg.name}") listOfDefinitions)

    )}

  '';

in

{

  options.boot.initrd.systemd.repart = {

    enable = lib.mkEnableOption (lib.mdDoc "systemd-repart") // {

      description = lib.mdDoc ''

        Grow and add partitions to a partition table a boot time in the initrd.

        systemd-repart only works with GPT partition tables.

      '';

    };

    partitions = lib.mkOption {

      type = with lib.types; attrsOf (attrsOf (oneOf [ str int bool ]));

      default = { };

      example = {

        "10-root" = {

          Type = "root";

        };

        "20-home" = {

          Type = "home";

          SizeMinBytes = "512M";

          SizeMaxBytes = "2G";

        };

      };

      description = lib.mdDoc ''

        Specify partitions as a set of the names of the definition files as the

        key and the partition configuration as its value. The partition

        configuration can use all upstream options. See <link

        xlink:href="https://www.freedesktop.org/software/systemd/man/repart.d.html"/>

        for all available options.

      '';

    };

  };

  config = lib.mkIf cfg.enable {

    # Link the definitions into /etc so that they are included in the

    # /nix/store of the sysroot. This also allows the user to run the

    # systemd-repart binary after activation manually while automatically

    # picking up the definition files.

    environment.etc."repart.d".source = definitionsDirectory;

    boot.initrd.systemd = {

      additionalUpstreamUnits = [

        "systemd-repart.service"

      ];

      storePaths = [

        "${config.boot.initrd.systemd.package}/bin/systemd-repart"

      ];

      # Override defaults in upstream unit.

      services.systemd-repart = {

        # Unset the coniditions as they cannot be met before activation because

        # the definition files are not stored in the expected locations.

        unitConfig.ConditionDirectoryNotEmpty = [

          " " # required to unset the previous value.

        ];

        serviceConfig = {

          # systemd-repart runs before the activation script. Thus we cannot

          # rely on them being linked in /etc already. Instead we have to

          # explicitly pass their location in the sysroot to the binary.

          ExecStart = [

            " " # required to unset the previous value.

            ''${config.boot.initrd.systemd.package}/bin/systemd-repart \

                  --definitions=/sysroot${definitionsDirectory} \

                  --dry-run=no

            ''

          ];

        };

        # Because the initrd does not have the `initrd-usr-fs.target` the

        # upestream unit runs too early in the boot process, before the sysroot

        # is available. However, systemd-repart needs access to the sysroot to

        # find the definition files.

        after = [ "sysroot.mount" ];

      };

    };

  };

}