Merge staging-next into staging

This commit is contained in:
github-actions[bot] 2023-07-16 12:01:41 +00:00 committed by GitHub
commit 786f620d45
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 270 additions and 16 deletions


@ -24,6 +24,8 @@
- [Apache Guacamole](https://guacamole.apache.org/), a cross-platform, clientless remote desktop gateway. Available as [services.guacamole-server](#opt-services.guacamole-server.enable) and [services.guacamole-client](#opt-services.guacamole-client.enable) services.
- [trust-dns](https://trust-dns.org/), a Rust based DNS server built to be safe and secure from the ground up. Available as [services.trust-dns](#opt-services.trust-dns.enable).
## Backward Incompatibilities {#sec-release-23.11-incompatibilities}
- The `boot.loader.raspberryPi` options have been marked deprecated, with intent for removal for NixOS 24.11. They had a limited use-case, and do not work like people expect. They required either very old installs ([before mid-2019](https://github.com/NixOS/nixpkgs/pull/62462)) or customized builds out of scope of the standard and generic AArch64 support. That option set never supported the Raspberry Pi 4 family of devices.


@ -1059,6 +1059,7 @@
./services/networking/tox-node.nix
./services/networking/toxvpn.nix
./services/networking/trickster.nix
./services/networking/trust-dns.nix
./services/networking/tvheadend.nix
./services/networking/twingate.nix
./services/networking/ucarp.nix


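--- /dev/null
+++ b/nixos/modules/services/networking/trust-dns.nix
@@ -0,0 +1,177 @@
+{ config, lib, pkgs, ... }:
+let
+cfg = config.services.trust-dns;
+toml = pkgs.formats.toml { };
+configFile = toml.generate "trust-dns.toml" (
+lib.filterAttrsRecursive (_: v: v != null) cfg.settings
+);
+zoneType = lib.types.submodule ({ config, ... }: {
+options = with lib; {
+zone = mkOption {
+type = types.str;
+description = mdDoc ''
+Zone name, like "example.com", "localhost", or "0.0.127.in-addr.arpa".
+'';
+};
+zone_type = mkOption {
+type = types.enum [ "Primary" "Secondary" "Hint" "Forward" ];
+default = "Primary";
+description = mdDoc ''
+One of:
+- "Primary" (the master, authority for the zone).
+- "Secondary" (the slave, replicated from the primary).
+- "Hint" (a cached zone with recursive resolver abilities).
+- "Forward" (a cached zone where all requests are forwarded to another resolver).
+For more details about these zone types, consult the documentation for BIND,
+though note that trust-dns supports only a subset of BIND's zone types:
+<https://bind9.readthedocs.io/en/v9_18_4/reference.html#type>
+'';
+};
+file = mkOption {
+type = types.either types.path types.str;
+default = "${config.zone}.zone";
+defaultText = literalExpression ''"''${config.zone}.zone"'';
+description = mdDoc ''
+Path to the .zone file.
+If not fully-qualified, this path will be interpreted relative to the `directory` option.
+If omitted, defaults to the value of the `zone` option suffixed with ".zone".
+'';
+};
+};
+});
+in
+{
+meta.maintainers = with lib.maintainers; [ colinsane ];
+options = {
+services.trust-dns = with lib; {
+enable = mkEnableOption (lib.mdDoc "trust-dns");
+package = mkOption {
+type = types.package;
+default = pkgs.trust-dns;
+defaultText = "pkgs.trust-dns";
+description = mdDoc ''
+Trust-dns package to use.
+Only `bin/named` need be provided: the other trust-dns utilities (client and resolver) are not needed.
+'';
+};
+quiet = mkOption {
+type = types.bool;
+default = false;
+description = mdDoc ''
+Log ERROR level messages only.
+This option is mutually exclusive with the `debug` option.
+If neither `quiet` nor `debug` are enabled, logging defaults to the INFO level.
+'';
+};
+debug = mkOption {
+type = types.bool;
+default = false;
+description = mdDoc ''
+Log DEBUG, INFO, WARN and ERROR messages.
+This option is mutually exclusive with the `debug` option.
+If neither `quiet` nor `debug` are enabled, logging defaults to the INFO level.
+'';
+};
+settings = mkOption {
+description = lib.mdDoc ''
+Settings for trust-dns. The options enumerated here are not exhaustive.
+Refer to upstream documentation for all available options:
+- [Example settings](https://github.com/bluejekyll/trust-dns/blob/main/tests/test-data/test_configs/example.toml)
+'';
+type = types.submodule {
+freeformType = toml.type;
+options = {
+listen_addrs_ipv4 = mkOption {
+type = types.listOf types.str;
+default = [ "0.0.0.0" ];
+description = mdDoc ''
+List of ipv4 addresses on which to listen for DNS queries.
+'';
+};
+listen_addrs_ipv6 = mkOption {
+type = types.listOf types.str;
+default = lib.optional config.networking.enableIPv6 "::0";
+defaultText = literalExpression ''lib.optional config.networking.enableIPv6 "::0"'';
+description = mdDoc ''
+List of ipv6 addresses on which to listen for DNS queries.
+'';
+};
+listen_port = mkOption {
+type = types.port;
+default = 53;
+description = mdDoc ''
+Port to listen on (applies to all listen addresses).
+'';
+};
+directory = mkOption {
+type = types.str;
+default = "/var/lib/trust-dns";
+description = mdDoc ''
+The directory in which trust-dns should look for .zone files,
+whenever zones aren't specified by absolute path.
+'';
+};
+zones = mkOption {
+description = mdDoc "List of zones to serve.";
+default = {};
+type = types.listOf (types.coercedTo types.str (zone: { inherit zone; }) zoneType);
+};
+};
+};
+};
+};
+};
+config = lib.mkIf cfg.enable {
+systemd.services.trust-dns = {
+description = "trust-dns Domain Name Server";
+unitConfig.Documentation = "https://trust-dns.org/";
+serviceConfig = {
+ExecStart =
+let
+flags = (lib.optional cfg.debug "--debug") ++ (lib.optional cfg.quiet "--quiet");
+flagsStr = builtins.concatStringsSep " " flags;
+in ''
+${cfg.package}/bin/named --config ${configFile} ${flagsStr}
+'';
+Type = "simple";
+Restart = "on-failure";
+RestartSec = "10s";
+DynamicUser = true;
+StateDirectory = "trust-dns";
+ReadWritePaths = [ cfg.settings.directory ];
+AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+PrivateMounts = true;
+PrivateTmp = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+ProtectSystem = "full";
+RemoveIPC = true;
+RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
+RestrictNamespaces = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+};
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+};
+};
+}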
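Review bot: The `zones` option is typed `types.listOf` but its default is the attrset `{}` (`default = {};`), so an enabled module that declares no zones would render `zones = {}` into the TOML as a table rather than the empty array the list type implies; it should read `default = [];`. The `quiet`/`debug` descriptions call the two options mutually exclusive (the `debug` text even names `debug` instead of `quiet`, a copy-paste slip), yet nothing enforces it — `flags` simply appends both `--debug` and `--quiet` — so an `assertions` entry in `config` should reject the combination. On the sandboxing side, the explicit `ProtectSystem = "full"` is weaker than the `strict` that `DynamicUser = true` would otherwise imply (if I read systemd's semantics right), which leaves the `ReadWritePaths` allow-list largely cosmetic since `/var` stays writable; `"strict"` together with the existing `StateDirectory`/`ReadWritePaths` is the intended shape, and `RestrictAddressFamilies` should be `[ "AF_INET" "AF_INET6" ]` rather than one space-joined string. Because `settings` is rendered into the world-readable Nix store via `toml.generate`, the option description should also warn that TSIG/TLS key material must be referenced by path, not inlined.
```nix
# … unchanged: zones option header …
default = [];
# … unchanged: remaining options …
config = lib.mkIf cfg.enable {
  assertions = [{
    assertion = !(cfg.quiet && cfg.debug);
    message = "services.trust-dns: `quiet` and `debug` are mutually exclusive";
  }];
  # … unchanged: systemd.services.trust-dns (with ProtectSystem = "strict";
  #               RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];) …
```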


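--- /dev/null
+++ b/pkgs/development/compilers/lunarml/default.nix
@@ -0,0 +1,54 @@
+{ lib
+, fetchFromGitHub
+, stdenvNoCC
+, mlton
+, lua5_3
+}:
+let
+pname = "lunarml";
+in
+stdenvNoCC.mkDerivation {
+inherit pname;
+version = "unstable-2023-06-25";
+src = fetchFromGitHub {
+owner = "minoki";
+repo = "LunarML";
+rev = "f58f90cf7a2f26340403245907ed183f6a12ab52";
+sha256 = "djHJfUAPplsejFW9L3fbwTeeWgvR+gKkI8TmwIh8n7E=";
+};
+outputs = [ "out" "doc" ];
+nativeBuildInputs = [
+mlton
+];
+nativeCheckInputs = [
+lua5_3
+];
+postBuild = ''
+make -C thirdparty install
+'';
+doCheck = true;
+installPhase = ''
+mkdir -p $doc/${pname} $out/{bin,lib}
+cp -r bin $out
+cp -r lib $out
+cp -r doc/* README.* LICENSE* $doc/${pname}
+cp -r example $doc/${pname}
+'';
+meta = {
+description = "Standard ML compiler that produces Lua/JavaScript";
+homepage = "https://github.com/minoki/LunarML";
+license = lib.licenses.mit;
+maintainers = with lib.maintainers; [ toastal ];
+platforms = mlton.meta.platforms;
+};
+}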
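Review bot: The custom `installPhase` does not call `runHook preInstall` / `runHook postInstall`, so any `preInstall`/`postInstall` a downstream `overrideAttrs` sets is silently skipped — the nixpkgs convention is to bracket an overridden phase with both hooks. The `doc` output also places files at `$doc/${pname}` instead of the conventional `$doc/share/doc/${pname}`, which is where tooling that inspects the `doc` output looks. Both are fixed by the rewrite below; the rest of the derivation (source hash, check inputs, `meta`) reads fine.
```nix
installPhase = ''
  runHook preInstall
  mkdir -p $doc/share/doc/${pname} $out/{bin,lib}
  cp -r bin lib $out
  cp -r doc/* README.* LICENSE* example $doc/share/doc/${pname}
  runHook postInstall
'';
# … unchanged: meta …
```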


@ -18,14 +18,14 @@
buildDunePackage rec {
pname = "eio";
version = "0.10";
version = "0.11";
minimalOCamlVersion = "5.0";
duneVersion = "3";
src = fetchurl {
url = "https://github.com/ocaml-multicore/${pname}/releases/download/v${version}/${pname}-${version}.tbz";
sha256 = "OQ94FFB7gTPWwl46Z6dC1zHHymYlKyh7H7DjrU0Q7sw=";
sha256 = "DDN0IHRWJjFneIb0/koC+Wcs7JQpf/hcLthU21uqcao=";
};
propagatedBuildInputs = [


@ -3,7 +3,7 @@
, buildDunePackage
, eio
, eio_posix
, uring
, eio_linux
}:
buildDunePackage {
@ -18,6 +18,6 @@ buildDunePackage {
propagatedBuildInputs = [
eio_posix
] ++ lib.optionals stdenv.isLinux [
uring
eio_linux
];
}


@ -22,16 +22,16 @@
buildPythonPackage rec {
pname = "pyrainbird";
version = "2.1.0";
version = "3.0.0";
format = "setuptools";
disabled = pythonOlder "3.9";
disabled = pythonOlder "3.10";
src = fetchFromGitHub {
owner = "allenporter";
repo = pname;
rev = "refs/tags/${version}";
hash = "sha256-JTZtRh7Ecsq0DUpGt5AxAVnN79i/nppsEjoHWcpTOsM=";
hash = "sha256-G/mmM2lEQWJV+7uZHKECj1jnhTYbcOw9yCi4/9nRDuk=";
};
postPatch = ''


@ -160,9 +160,14 @@ let
${if stdenv.buildPlatform.isGnu then ''
ar -cqs $libv8/lib/libv8.a @files
'' else ''
cat files | while read -r file; do
ar -cqS $libv8/lib/libv8.a $file
done
# llvm-ar supports response files, so take advantage of it if its available.
if [ "$(basename $(readlink -f $(command -v ar)))" = "llvm-ar" ]; then
ar -cqs $libv8/lib/libv8.a @files
else
cat files | while read -r file; do
ar -cqS $libv8/lib/libv8.a $file
done
fi
''}
popd
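Review bot: The llvm-ar detection keys on the basename of whatever `command -v ar` resolves to, which is fragile: if `ar` on `PATH` is a wrapper script or a symlink named something other than `llvm-ar` (as I'd expect from a bintools wrapper), the check falls through to the slow per-file loop even though response files would work, and a binary merely named `llvm-ar` is trusted without proof. Probing the capability directly is more robust, e.g. `if ar --version 2>/dev/null | grep -q LLVM; then`. The surrounding comment also reads "if its available" — "if it's available". The enclosing `let`/build script starts and ends outside this hunk.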


@ -15,16 +15,16 @@ let
in
buildGoModule rec {
pname = "minio";
version = "2023-06-09T07-32-12Z";
version = "2023-07-11T21-29-34Z";
src = fetchFromGitHub {
owner = "minio";
repo = "minio";
rev = "RELEASE.${version}";
sha256 = "sha256-YhABdJ+4KU/UGRukCR4iQ4ClHUz/icbIO/yd8rGIs48=";
sha256 = "sha256-H7JArZa7IivsH/vjEHLNUu8FQ8mDZ2tHqla+KBEQK4Y=";
};
vendorHash = "sha256-c2rB8Or4tt84caEmfbwcHCow3/fllk0mNW0R/MwB5Vg=";
vendorHash = "sha256-NpN6Ypb+9xPWf28AvY8v2QSN/P6VJuHPOGR5EJtN7W4=";
doCheck = false;


@ -39,6 +39,8 @@
, nodePackages
, nodejs_16
, dart-sass-embedded
, jq
, moreutils
, plugins ? []
}@args:
@ -225,6 +227,8 @@ let
nodePackages.patch-package
yarn
nodejs_16
jq
moreutils
];
outputs = [ "out" "javascripts" ];
@ -266,10 +270,19 @@ let
export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt
find app/assets/javascripts -name package.json -print0 \
| xargs -0 -I {} bash -c "jq 'del(.scripts.postinstall)' -r <{} | sponge {}"
yarn install --offline --cwd app/assets/javascripts/discourse
patchShebangs app/assets/javascripts/node_modules/
# Run `patch-package` AFTER the corresponding shebang inside `.bin/patch-package`
# got patched. Otherwise this will fail with
# /bin/sh: line 1: /build/source/app/assets/javascripts/node_modules/.bin/patch-package: cannot execute: required file not found
pushd app/assets/javascripts &>/dev/null
yarn run patch-package
popd &>/dev/null
redis-server >/dev/null &
initdb -A trust $NIX_BUILD_TOP/postgres >/dev/null
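Review bot: The `find … -print0 | xargs -0 -I {} bash -c "jq … <{} | sponge {}"` line splices each path into a shell command string, so any `package.json` path containing a quote or `$` would be interpreted by `bash -c` rather than treated as a filename; the paths here come from the vendored source tree, so the exposure is low, but a plain read loop avoids the pattern entirely: `find app/assets/javascripts -name package.json -print0 | while IFS= read -r -d '' f; do jq 'del(.scripts.postinstall)' "$f" | sponge "$f"; done`. If the intent is to keep lifecycle scripts from running during the offline `yarn install`, note that only `postinstall` is removed while `preinstall`/`install` hooks are left in place — worth a one-line comment stating which hook actually needs suppressing and why, so the next maintainer does not "fix" it by deleting all of them. The `-r` flag on `jq` is a no-op for object output and can be dropped. The enclosing build script continues outside this hunk.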


@ -16313,6 +16313,8 @@ with pkgs;
inherit (darwin.apple_sdk.frameworks) CoreServices Security;
};
lunarml = callPackage ../development/compilers/lunarml { };
manticore = callPackage ../development/compilers/manticore { };
marst = callPackage ../development/compilers/marst { };


@ -20006,10 +20006,10 @@ with self; {
PLS = buildPerlPackage {
pname = "PLS";
version = "0.897";
version = "0.905";
src = fetchurl {
url = "mirror://cpan/authors/id/M/MR/MREISNER/PLS-0.897.tar.gz";
hash = "sha256-3dzDrSbSgjQJ9l2NPKfCc4o4FwPiiSG1Vm8d2aJV6Ag=";
url = "mirror://cpan/authors/id/M/MR/MREISNER/PLS-0.905.tar.gz";
hash = "sha256-RVW1J5nBZBXDy/5eMB6gLKDrvDQhTH/lLx19ykUwLik=";
};
propagatedBuildInputs = [ Future IOAsync PPI PPR PathTiny PerlCritic PerlTidy PodMarkdown URI ];
nativeBuildInputs = lib.optional stdenv.isDarwin shortenPerlShebang;