Unverified Commit e0955a6e authored by github-actions[bot]'s avatar github-actions[bot] Committed by GitHub

Merge master into staging-next

parents c1029f2f 23fed6a9
+1 −0
@@ -24,6 +24,7 @@ shell-helpers.section.md
steam.section.md
cataclysm-dda.section.md
urxvt.section.md
vcpkg.section.md
weechat.section.md
xorg.section.md
```
+24 −0
# VCPKG {#sec-vcpkg}

The `vcpkg-tool` package  has a wrapper around the `vcpkg` executable to avoid writing to the nix store.
The wrapper will also be present in `vcpkg`, unless you specify `vcpkg.override { vcpkg-tool = vcpkg-tool-unwrapped; }`

The wrapper has been made in a way so that it will provide default cli arguments, but tries not to interfere if the user provides the same arguments.
The arguments also have corresponding environment variables that can be used as an alternative way of overriding these paths.

Run the wrapper with the environment variable `NIX_VCPKG_DEBUG_PRINT_ENVVARS=true` to get a full list of corresponding environment variables.

## Nix specific environment variables {#sec-vcpkg-nix-envvars}

The wrapper also provides some new nix-specific environment variables that lets you control some of the wrapper functionality.

- `NIX_VCPKG_WRITABLE_PATH = <path>`

   Set this environment variable to specify the path where `vcpkg` will store buildtime artifacts.
   This will become the base path for all of the other paths.

- `NIX_VCPKG_DEBUG_PRINT_ENVVARS = true | false`

   Set this to `true` for the wrapper to print the corresponding environment variables for the arguments that will be provided to the unwrapped executable.
   The list of variables will be printed right before invoking `vcpkg`.
   This can be useful if you suspect that the wrapper for some reason was unable to prioritize user-provided cli args over its default ones, or for fixing other issues like typos or unexpanded environment variables.
+7 −0
@@ -2066,6 +2066,13 @@
    githubId = 76545554;
    name = "Avery";
  };
  averyanalex = {
    name = "Alexander Averyanov";
    email = "alex@averyan.ru";
    github = "averyanalex";
    githubId = 59499799;
    keys = [ { fingerprint = "A0FF 4F26 6B80 0B86 726D  EA5B 3C23 C7BD 9945 2036"; } ];
  };
  avh4 = {
    email = "gruen0aermel@gmail.com";
    github = "avh4";
+31 −33
@@ -202,13 +202,11 @@ assert (lib.assertMsg (lib.all
              == ((attrs.group or null) == null))
        contents) "Contents of the disk image should set none of {user, group} or both at the same time.");

with lib;

let format' = format; in let

  format = if format' == "qcow2-compressed" then "qcow2" else format';

  compress = optionalString (format' == "qcow2-compressed") "-c";
  compress = lib.optionalString (format' == "qcow2-compressed") "-c";

  filename = "nixos." + {
    qcow2 = "qcow2";
@@ -240,7 +238,7 @@ let format' = format; in let
        mkpart primary ext4 2MB -1 \
        align-check optimal 2 \
        print
      ${optionalString deterministic ''
      ${lib.optionalString deterministic ''
          sgdisk \
          --disk-guid=97FD5997-D90B-4AA3-8D16-C1723AEA73C \
          --partition-guid=1:1C06F03B-704E-4657-B9CD-681A087A2FDC \
@@ -255,7 +253,7 @@ let format' = format; in let
        mkpart ESP fat32 8MiB ${bootSize} \
        set 1 boot on \
        mkpart primary ext4 ${bootSize} -1
      ${optionalString deterministic ''
      ${lib.optionalString deterministic ''
          sgdisk \
          --disk-guid=97FD5997-D90B-4AA3-8D16-C1723AEA73C \
          --partition-guid=1:1C06F03B-704E-4657-B9CD-681A087A2FDC \
@@ -271,7 +269,7 @@ let format' = format; in let
        mkpart BOOT fat32 100MiB ${bootSize} \
        set 2 bls_boot on \
        mkpart ROOT ext4 ${bootSize} -1
      ${optionalString deterministic ''
      ${lib.optionalString deterministic ''
          sgdisk \
          --disk-guid=97FD5997-D90B-4AA3-8D16-C1723AEA73C \
          --partition-guid=1:1C06F03B-704E-4657-B9CD-681A087A2FDC  \
@@ -288,7 +286,7 @@ let format' = format; in let
        mkpart no-fs 0 1024KiB \
        set 2 bios_grub on \
        mkpart primary ext4 ${bootSize} -1
      ${optionalString deterministic ''
      ${lib.optionalString deterministic ''
          sgdisk \
          --disk-guid=97FD5997-D90B-4AA3-8D16-C1723AEA73C \
          --partition-guid=1:1C06F03B-704E-4657-B9CD-681A087A2FDC \
@@ -302,7 +300,7 @@ let format' = format; in let

  useEFIBoot = touchEFIVars;

  nixpkgs = cleanSource pkgs.path;
  nixpkgs = lib.cleanSource pkgs.path;

  # FIXME: merge with channel.nix / make-channel.nix.
  channelSources = pkgs.runCommand "nixos-${config.system.nixos.version}" {} ''
@@ -316,8 +314,8 @@ let format' = format; in let
    echo -n ${config.system.nixos.versionSuffix} > $out/nixos/.version-suffix
  '';

  binPath = with pkgs; makeBinPath (
    [ rsync
  binPath = lib.makeBinPath (with pkgs; [
      rsync
      util-linux
      parted
      e2fsprogs
@@ -342,7 +340,7 @@ let format' = format; in let
  basePaths = [ config.system.build.toplevel ]
    ++ lib.optional copyChannel channelSources;

  additionalPaths' = subtractLists basePaths additionalPaths;
  additionalPaths' = lib.subtractLists basePaths additionalPaths;

  closureInfo = pkgs.closureInfo {
    rootPaths = basePaths ++ additionalPaths';
@@ -389,9 +387,9 @@ let format' = format; in let
    # Semi-shamelessly copied from make-etc.sh. I (@copumpkin) shall factor this stuff out as part of
    # https://github.com/NixOS/nixpkgs/issues/23052.
    set -f
    sources_=(${concatStringsSep " " sources})
    targets_=(${concatStringsSep " " targets})
    modes_=(${concatStringsSep " " modes})
    sources_=(${lib.concatStringsSep " " sources})
    targets_=(${lib.concatStringsSep " " targets})
    modes_=(${lib.concatStringsSep " " modes})
    set +f

    for ((i = 0; i < ''${#targets_[@]}; i++)); do
@@ -443,8 +441,8 @@ let format' = format; in let
      ${if copyChannel then "--channel ${channelSources}" else "--no-channel-copy"} \
      --substituters ""

    ${optionalString (additionalPaths' != []) ''
      nix --extra-experimental-features nix-command copy --to $root --no-check-sigs ${concatStringsSep " " additionalPaths'}
    ${lib.optionalString (additionalPaths' != []) ''
      nix --extra-experimental-features nix-command copy --to $root --no-check-sigs ${lib.concatStringsSep " " additionalPaths'}
    ''}

    diskImage=nixos.raw
@@ -514,10 +512,10 @@ let format' = format; in let
    ''}

    echo "copying staging root to image..."
    cptofs -p ${optionalString (partitionTableType != "none") "-P ${rootPartition}"} \
    cptofs -p ${lib.optionalString (partitionTableType != "none") "-P ${rootPartition}"} \
           -t ${fsType} \
           -i $diskImage \
           $root${optionalString onlyNixStore builtins.storeDir}/* / ||
           $root${lib.optionalString onlyNixStore builtins.storeDir}/* / ||
      (echo >&2 "ERROR: cptofs failed. diskSize might be too small for closure."; exit 1)
  '';

@@ -547,7 +545,7 @@ let format' = format; in let
      buildInputs = with pkgs; [ util-linux e2fsprogs dosfstools ];
      postVM = moveOrConvertImage + createHydraBuildProducts + postVM;
      QEMU_OPTS =
        concatStringsSep " " (lib.optional useEFIBoot "-drive if=pflash,format=raw,unit=0,readonly=on,file=${efiFirmware}"
        lib.concatStringsSep " " (lib.optional useEFIBoot "-drive if=pflash,format=raw,unit=0,readonly=on,file=${efiFirmware}"
        ++ lib.optionals touchEFIVars [
          "-drive if=pflash,format=raw,unit=1,file=$efiVars"
        ] ++ lib.optionals (OVMF.systemManagementModeRequired or false) [
@@ -564,8 +562,8 @@ let format' = format; in let
      # It is necessary to set root filesystem unique identifier in advance, otherwise
      # bootloader might get the wrong one and fail to boot.
      # At the end, we reset again because we want deterministic timestamps.
      ${optionalString (fsType == "ext4" && deterministic) ''
        tune2fs -T now ${optionalString deterministic "-U ${rootFSUID}"} -c 0 -i 0 $rootDisk
      ${lib.optionalString (fsType == "ext4" && deterministic) ''
        tune2fs -T now ${lib.optionalString deterministic "-U ${rootFSUID}"} -c 0 -i 0 $rootDisk
      ''}
      # make systemd-boot find ESP without udev
      mkdir /dev/block
@@ -577,33 +575,33 @@ let format' = format; in let

      # Create the ESP and mount it. Unlike e2fsprogs, mkfs.vfat doesn't support an
      # '-E offset=X' option, so we can't do this outside the VM.
      ${optionalString (partitionTableType == "efi" || partitionTableType == "hybrid") ''
      ${lib.optionalString (partitionTableType == "efi" || partitionTableType == "hybrid") ''
        mkdir -p /mnt/boot
        mkfs.vfat -n ESP /dev/vda1
        mount /dev/vda1 /mnt/boot

        ${optionalString touchEFIVars "mount -t efivarfs efivarfs /sys/firmware/efi/efivars"}
        ${lib.optionalString touchEFIVars "mount -t efivarfs efivarfs /sys/firmware/efi/efivars"}
      ''}
      ${optionalString (partitionTableType == "efixbootldr") ''
      ${lib.optionalString (partitionTableType == "efixbootldr") ''
        mkdir -p /mnt/{boot,efi}
        mkfs.vfat -n ESP /dev/vda1
        mkfs.vfat -n BOOT /dev/vda2
        mount /dev/vda1 /mnt/efi
        mount /dev/vda2 /mnt/boot

        ${optionalString touchEFIVars "mount -t efivarfs efivarfs /sys/firmware/efi/efivars"}
        ${lib.optionalString touchEFIVars "mount -t efivarfs efivarfs /sys/firmware/efi/efivars"}
      ''}

      # Install a configuration.nix
      mkdir -p /mnt/etc/nixos
      ${optionalString (configFile != null) ''
      ${lib.optionalString (configFile != null) ''
        cp ${configFile} /mnt/etc/nixos/configuration.nix
      ''}

      ${lib.optionalString installBootLoader ''
        # In this throwaway resource, we only have /dev/vda, but the actual VM may refer to another disk for bootloader, e.g. /dev/vdb
        # Use this option to create a symlink from vda to any arbitrary device you want.
        ${optionalString (config.boot.loader.grub.enable) (lib.concatMapStringsSep " " (device:
        ${lib.optionalString (config.boot.loader.grub.enable) (lib.concatMapStringsSep " " (device:
          lib.optionalString (device != "/dev/vda") ''
            mkdir -p "$(dirname ${device})"
            ln -s /dev/vda ${device}
@@ -625,9 +623,9 @@ let format' = format; in let

      # Set the ownerships of the contents. The modes are set in preVM.
      # No globbing on targets, so no need to set -f
      targets_=(${concatStringsSep " " targets})
      users_=(${concatStringsSep " " users})
      groups_=(${concatStringsSep " " groups})
      targets_=(${lib.concatStringsSep " " targets})
      users_=(${lib.concatStringsSep " " users})
      groups_=(${lib.concatStringsSep " " groups})
      for ((i = 0; i < ''${#targets_[@]}; i++)); do
        target="''${targets_[$i]}"
        user="''${users_[$i]}"
@@ -646,9 +644,9 @@ let format' = format; in let
      # In deterministic mode, this is fixed to 1970-01-01 (UNIX timestamp 0).
      # This two-step approach is necessary otherwise `tune2fs` will want a fresher filesystem to perform
      # some changes.
      ${optionalString (fsType == "ext4") ''
        tune2fs -T now ${optionalString deterministic "-U ${rootFSUID}"} -c 0 -i 0 $rootDisk
        ${optionalString deterministic "tune2fs -f -T 19700101 $rootDisk"}
      ${lib.optionalString (fsType == "ext4") ''
        tune2fs -T now ${lib.optionalString deterministic "-U ${rootFSUID}"} -c 0 -i 0 $rootDisk
        ${lib.optionalString deterministic "tune2fs -f -T 19700101 $rootDisk"}
      ''}
    ''
  );
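Review bot: The `nix … copy --to $root --no-check-sigs` line in the `@@ -443,8 +441,8 @@` hunk turns off signature verification, and nothing next to it says why that is acceptable. From the visible lines the paths are `additionalPaths'` copied into the staging `$root`, so they presumably come from the builder's own store and are already trusted, but a reader auditing the image build has to infer that. Suggest a comment above the command such as `# additionalPaths' are taken from the local build store, which is already trusted; they may be unsigned, hence --no-check-sigs`. The shell string this line belongs to starts and ends outside the hunk.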
+17 −19
{ config, lib, pkgs, ... }:

with pkgs;
with lib;

let
  inherit (lib) mkEnableOption mkIf mkMerge mkOption mkRenamedOptionModule types;

  cfg = config.users.ldap;

@@ -11,40 +9,40 @@ let
  # this file.  Directives HAVE to start in the first column!
  ldapConfig = {
    target = "ldap.conf";
    source = writeText "ldap.conf" ''
    source = pkgs.writeText "ldap.conf" ''
      uri ${config.users.ldap.server}
      base ${config.users.ldap.base}
      timelimit ${toString config.users.ldap.timeLimit}
      bind_timelimit ${toString config.users.ldap.bind.timeLimit}
      bind_policy ${config.users.ldap.bind.policy}
      ${optionalString config.users.ldap.useTLS ''
      ${lib.optionalString config.users.ldap.useTLS ''
        ssl start_tls
      ''}
      ${optionalString (config.users.ldap.bind.distinguishedName != "") ''
      ${lib.optionalString (config.users.ldap.bind.distinguishedName != "") ''
        binddn ${config.users.ldap.bind.distinguishedName}
      ''}
      ${optionalString (cfg.extraConfig != "") cfg.extraConfig }
      ${lib.optionalString (cfg.extraConfig != "") cfg.extraConfig }
    '';
  };

  nslcdConfig = writeText "nslcd.conf" ''
  nslcdConfig = pkgs.writeText "nslcd.conf" ''
    uri ${cfg.server}
    base ${cfg.base}
    timelimit ${toString cfg.timeLimit}
    bind_timelimit ${toString cfg.bind.timeLimit}
    ${optionalString (cfg.bind.distinguishedName != "")
    ${lib.optionalString (cfg.bind.distinguishedName != "")
      "binddn ${cfg.bind.distinguishedName}" }
    ${optionalString (cfg.daemon.rootpwmoddn != "")
    ${lib.optionalString (cfg.daemon.rootpwmoddn != "")
      "rootpwmoddn ${cfg.daemon.rootpwmoddn}" }
    ${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig }
    ${lib.optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig }
  '';

  # nslcd normally reads configuration from /etc/nslcd.conf.
  # this file might contain secrets. We append those at runtime,
  # so redirect its location to something more temporary.
  nslcdWrapped = runCommand "nslcd-wrapped" { nativeBuildInputs = [ makeWrapper ]; } ''
  nslcdWrapped = pkgs.runCommand "nslcd-wrapped" { nativeBuildInputs = [ pkgs.makeWrapper ]; } ''
    mkdir -p $out/bin
    makeWrapper ${nss_pam_ldapd}/sbin/nslcd $out/bin/nslcd \
    makeWrapper ${pkgs.nss_pam_ldapd}/sbin/nslcd $out/bin/nslcd \
      --set LD_PRELOAD    "${pkgs.libredirect}/lib/libredirect.so" \
      --set NIX_REDIRECTS "/etc/nslcd.conf=/run/nslcd/nslcd.conf"
  '';
@@ -222,17 +220,17 @@ in

  config = mkIf cfg.enable {

    environment.etc = optionalAttrs (!cfg.daemon.enable) {
    environment.etc = lib.optionalAttrs (!cfg.daemon.enable) {
      "ldap.conf" = ldapConfig;
    };

    system.nssModules = mkIf cfg.nsswitch (singleton (
      if cfg.daemon.enable then nss_pam_ldapd else nss_ldap
    system.nssModules = mkIf cfg.nsswitch (lib.singleton (
      if cfg.daemon.enable then pkgs.nss_pam_ldapd else pkgs.nss_ldap
    ));

    system.nssDatabases.group = optional cfg.nsswitch "ldap";
    system.nssDatabases.passwd = optional cfg.nsswitch "ldap";
    system.nssDatabases.shadow = optional cfg.nsswitch "ldap";
    system.nssDatabases.group = lib.optional cfg.nsswitch "ldap";
    system.nssDatabases.passwd = lib.optional cfg.nsswitch "ldap";
    system.nssDatabases.shadow = lib.optional cfg.nsswitch "ldap";

    users = mkIf cfg.daemon.enable {
      groups.nslcd = {
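Review bot: `nslcdConfig` in the `@@ -11,40 +9,40 @@` hunk never emits a TLS directive, while `ldapConfig` just above it adds `ssl start_tls` when `config.users.ldap.useTLS` is set. The last hunk installs `ldap.conf` only when `cfg.daemon.enable` is false, so as far as these lines show a daemon setup with `useTLS = true` gets no StartTLS unless the user repeats the directive in `daemon.extraConfig` or uses an `ldaps://` URI. If nothing outside the hunks handles this, add `${lib.optionalString cfg.useTLS "ssl start_tls"}` to the `nslcd.conf` text. The `let` block and the `config` attribute set both continue outside the hunks.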