Merge master into staging-next

github-actions[bot] 2021-12-27 18:01:11 +00:00 committed by GitHub
commit 8ce4686310
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
63 changed files with 2918 additions and 2612 deletions


@ -2140,6 +2140,12 @@
githubId = 3956062;
name = "Simon Lackerbauer";
};
cirno-999 = {
email = "reverene@protonmail.com";
github = "cirno-999";
githubId = 73712874;
name = "cirno-999";
};
citadelcore = {
email = "alex@arctarus.co.uk";
github = "citadelcore";
@ -7072,6 +7078,12 @@
fingerprint = "BA3A 5886 AE6D 526E 20B4 57D6 6A37 DF94 8318 8492";
}];
};
lux = {
email = "lux@lux.name";
githubId = 1208273;
matrix = "@lux:ontheblueplanet.com";
name = "Lux";
};
luz = {
email = "luz666@daum.net";
github = "Luz";


@ -14,7 +14,17 @@
</itemizedlist>
<section xml:id="sec-release-22.05-highlights">
<title>Highlights</title>
<itemizedlist spacing="compact">
<itemizedlist>
<listitem>
<para>
<literal>security.acme.defaults</literal> has been added to
simplify configuring settings for many certificates at once.
This also opens up the the option to use DNS-01 validation
when using <literal>enableACME</literal> on web server virtual
hosts (e.g.
<literal>services.nginx.virtualHosts.*.enableACME</literal>).
</para>
</listitem>
<listitem>
<para>
PHP 8.1 is now available
@ -33,6 +43,14 @@
<link linkend="opt-services.aesmd.enable">services.aesmd</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://docs.docker.com/engine/security/rootless/">rootless
Docker</link>, a <literal>systemd --user</literal> Docker
service which runs without root permissions. Available as
<link xlink:href="options.html#opt-virtualisation.docker.rootless.enable">virtualisation.docker.rootless.enable</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html">filebeat</link>,
@ -189,6 +207,20 @@
using this default will print a warning when rebuilt.
</para>
</listitem>
<listitem>
<para>
<literal>security.acme</literal> certificates will now
correctly check for CA revokation before reaching their
minimum age.
</para>
</listitem>
<listitem>
<para>
Removing domains from
<literal>security.acme.certs._name_.extraDomainNames</literal>
will now correctly remove those domains during rebuild/renew.
</para>
</listitem>
<listitem>
<para>
The option


@ -6,11 +6,17 @@ In addition to numerous new and upgraded packages, this release has the followin
## Highlights {#sec-release-22.05-highlights}
- `security.acme.defaults` has been added to simplify configuring
settings for many certificates at once. This also opens up the
the option to use DNS-01 validation when using `enableACME` on
web server virtual hosts (e.g. `services.nginx.virtualHosts.*.enableACME`).
- PHP 8.1 is now available
## New Services {#sec-release-22.05-new-services}
- [aesmd](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw), the Intel SGX Architectural Enclave Service Manager. Available as [services.aesmd](#opt-services.aesmd.enable).
- [rootless Docker](https://docs.docker.com/engine/security/rootless/), a `systemd --user` Docker service which runs without root permissions. Available as [virtualisation.docker.rootless.enable](options.html#opt-virtualisation.docker.rootless.enable).
- [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html), a lightweight shipper for forwarding and centralizing log data. Available as [services.filebeat](#opt-services.filebeat.enable).
@ -75,6 +81,12 @@ In addition to numerous new and upgraded packages, this release has the followin
- The `services.unifi.openPorts` option default value of `true` is now deprecated and will be changed to `false` in 22.11.
Configurations using this default will print a warning when rebuilt.
- `security.acme` certificates will now correctly check for CA
revokation before reaching their minimum age.
- Removing domains from `security.acme.certs._name_.extraDomainNames`
will now correctly remove those domains during rebuild/renew.
- The option
[services.ssh.enableAskPassword](#opt-services.ssh.enableAskPassword) was
added, decoupling the setting of `SSH_ASKPASS` from


@ -1187,6 +1187,7 @@
./virtualisation/oci-containers.nix
./virtualisation/cri-o.nix
./virtualisation/docker.nix
./virtualisation/docker-rootless.nix
./virtualisation/ecs-agent.nix
./virtualisation/libvirtd.nix
./virtualisation/lxc.nix


@ -3,6 +3,7 @@ with lib;
let
cfg = config.security.acme;
opt = options.security.acme;
user = if cfg.useRoot then "root" else "acme";
# Used to calculate timer accuracy for coalescing
numCerts = length (builtins.attrNames cfg.certs);
@ -23,7 +24,7 @@ let
# security.acme.certs.<cert>.group on some of the services.
commonServiceConfig = {
Type = "oneshot";
User = "acme";
User = user;
Group = mkDefault "acme";
UMask = 0022;
StateDirectoryMode = 750;
@ -101,12 +102,12 @@ let
# is configurable on a per-cert basis.
userMigrationService = let
script = with builtins; ''
chown -R acme .lego/accounts
chown -R ${user} .lego/accounts
'' + (concatStringsSep "\n" (mapAttrsToList (cert: data: ''
for fixpath in ${escapeShellArg cert} .lego/${escapeShellArg cert}; do
if [ -d "$fixpath" ]; then
chmod -R u=rwX,g=rX,o= "$fixpath"
chown -R acme:${data.group} "$fixpath"
chown -R ${user}:${data.group} "$fixpath"
fi
done
'') certConfigs));
@ -128,7 +129,7 @@ let
};
certToConfig = cert: data: let
acmeServer = if data.server != null then data.server else cfg.server;
acmeServer = data.server;
useDns = data.dnsProvider != null;
destPath = "/var/lib/acme/${cert}";
selfsignedDeps = optionals (cfg.preliminarySelfsigned) [ "acme-selfsigned-${cert}.service" ];
@ -156,6 +157,7 @@ let
${toString data.ocspMustStaple} ${data.keyType}
'';
certDir = mkHash hashData;
# TODO remove domainHash usage entirely. Waiting on go-acme/lego#1532
domainHash = mkHash "${concatStringsSep " " extraDomains} ${data.domain}";
accountHash = (mkAccountHash acmeServer data);
accountDir = accountDirRoot + accountHash;
@ -210,7 +212,7 @@ let
description = "Renew ACME Certificate for ${cert}";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = cfg.renewInterval;
OnCalendar = data.renewInterval;
Unit = "acme-${cert}.service";
Persistent = "yes";
@ -267,7 +269,7 @@ let
cat key.pem fullchain.pem > full.pem
# Group might change between runs, re-apply it
chown 'acme:${data.group}' *
chown '${user}:${data.group}' *
# Default permissions make the files unreadable by group + anon
# Need to be readable by group
@ -322,7 +324,7 @@ let
fi
'');
} // optionalAttrs (data.listenHTTP != null && toInt (elemAt (splitString ":" data.listenHTTP) 1) < 1024) {
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
};
# Working directory will be /tmp
@ -355,7 +357,7 @@ let
expiration_s=$[expiration_date - now]
expiration_days=$[expiration_s / (3600 * 24)] # rounds down
[[ $expiration_days -gt ${toString cfg.validMinDays} ]]
[[ $expiration_days -gt ${toString data.validMinDays} ]]
}
${optionalString (data.webroot != null) ''
@ -372,37 +374,40 @@ let
echo '${domainHash}' > domainhash.txt
# Check if we can renew
if [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a -n "$(ls -1 accounts)" ]; then
# Check if we can renew.
# We can only renew if the list of domains has not changed.
if cmp -s domainhash.txt certificates/domainhash.txt && [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a -n "$(ls -1 accounts)" ]; then
# When domains are updated, there's no need to do a full
# Lego run, but it's likely renew won't work if days is too low.
if [ -e certificates/domainhash.txt ] && cmp -s domainhash.txt certificates/domainhash.txt; then
# Even if a cert is not expired, it may be revoked by the CA.
# Try to renew, and silently fail if the cert is not expired.
# Avoids #85794 and resolves #129838
if ! lego ${renewOpts} --days ${toString data.validMinDays}; then
if is_expiration_skippable out/full.pem; then
echo 1>&2 "nixos-acme: skipping renewal because expiration isn't within the coming ${toString cfg.validMinDays} days"
echo 1>&2 "nixos-acme: Ignoring failed renewal because expiration isn't within the coming ${toString data.validMinDays} days"
else
echo 1>&2 "nixos-acme: renewing now, because certificate expires within the configured ${toString cfg.validMinDays} days"
lego ${renewOpts} --days ${toString cfg.validMinDays}
# High number to avoid Systemd reserved codes.
exit 11
fi
else
echo 1>&2 "certificate domain(s) have changed; will renew now"
# Any number > 90 works, but this one is over 9000 ;-)
lego ${renewOpts} --days 9001
fi
# Otherwise do a full run
else
lego ${runOpts}
elif ! lego ${runOpts}; then
# Produce a nice error for those doing their first nixos-rebuild with these certs
echo Failed to fetch certificates. \
This may mean your DNS records are set up incorrectly. \
${optionalString (cfg.preliminarySelfsigned) "Selfsigned certs are in place and dependant services will still start."}
# Exit 10 so that users can potentially amend SuccessExitStatus to ignore this error.
# High number to avoid Systemd reserved codes.
exit 10
fi
mv domainhash.txt certificates/
# Group might change between runs, re-apply it
chown 'acme:${data.group}' certificates/*
chown '${user}:${data.group}' certificates/*
# Copy all certs to the "real" certs directory
CERT='certificates/${keyName}.crt'
if [ -e "$CERT" ] && ! cmp -s "$CERT" out/fullchain.pem; then
if ! cmp -s 'certificates/${keyName}.crt' out/fullchain.pem; then
touch out/renewed
echo Installing new certificate
cp -vp 'certificates/${keyName}.crt' out/fullchain.pem
@ -421,7 +426,194 @@ let
certConfigs = mapAttrs certToConfig cfg.certs;
certOpts = { name, ... }: {
# These options can be specified within
# security.acme.defaults or security.acme.certs.<name>
inheritableModule = isDefaults: { config, ... }: let
defaultAndText = name: default: {
# When ! isDefaults then this is the option declaration for the
# security.acme.certs.<name> path, which has the extra inheritDefaults
# option, which if disabled means that we can't inherit it
default = if isDefaults || ! config.inheritDefaults then default else cfg.defaults.${name};
# The docs however don't need to depend on inheritDefaults, they should
# stay constant. Though notably it wouldn't matter much, because to get
# the option information, a submodule with name `<name>` is evaluated
# without any definitions.
defaultText = if isDefaults then default else literalExpression "config.security.acme.defaults.${name}";
};
in {
options = {
validMinDays = mkOption {
type = types.int;
inherit (defaultAndText "validMinDays" 30) default defaultText;
description = "Minimum remaining validity before renewal in days.";
};
renewInterval = mkOption {
type = types.str;
inherit (defaultAndText "renewInterval" "daily") default defaultText;
description = ''
Systemd calendar expression when to check for renewal. See
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>.
'';
};
enableDebugLogs = mkEnableOption "debug logging for this certificate" // {
inherit (defaultAndText "enableDebugLogs" true) default defaultText;
};
webroot = mkOption {
type = types.nullOr types.str;
inherit (defaultAndText "webroot" null) default defaultText;
example = "/var/lib/acme/acme-challenge";
description = ''
Where the webroot of the HTTP vhost is located.
<filename>.well-known/acme-challenge/</filename> directory
will be created below the webroot if it doesn't exist.
<literal>http://example.org/.well-known/acme-challenge/</literal> must also
be available (notice unencrypted HTTP).
'';
};
server = mkOption {
type = types.nullOr types.str;
inherit (defaultAndText "server" null) default defaultText;
description = ''
ACME Directory Resource URI. Defaults to Let's Encrypt's
production endpoint,
<link xlink:href="https://acme-v02.api.letsencrypt.org/directory"/>, if unset.
'';
};
email = mkOption {
type = types.str;
inherit (defaultAndText "email" null) default defaultText;
description = ''
Email address for account creation and correspondence from the CA.
It is recommended to use the same email for all certs to avoid account
creation limits.
'';
};
group = mkOption {
type = types.str;
inherit (defaultAndText "group" "acme") default defaultText;
description = "Group running the ACME client.";
};
reloadServices = mkOption {
type = types.listOf types.str;
inherit (defaultAndText "reloadServices" []) default defaultText;
description = ''
The list of systemd services to call <code>systemctl try-reload-or-restart</code>
on.
'';
};
postRun = mkOption {
type = types.lines;
inherit (defaultAndText "postRun" "") default defaultText;
example = "cp full.pem backup.pem";
description = ''
Commands to run after new certificates go live. Note that
these commands run as the root user.
Executed in the same directory with the new certificate.
'';
};
keyType = mkOption {
type = types.str;
inherit (defaultAndText "keyType" "ec256") default defaultText;
description = ''
Key type to use for private keys.
For an up to date list of supported values check the --key-type option
at <link xlink:href="https://go-acme.github.io/lego/usage/cli/#usage"/>.
'';
};
dnsProvider = mkOption {
type = types.nullOr types.str;
inherit (defaultAndText "dnsProvider" null) default defaultText;
example = "route53";
description = ''
DNS Challenge provider. For a list of supported providers, see the "code"
field of the DNS providers listed at <link xlink:href="https://go-acme.github.io/lego/dns/"/>.
'';
};
dnsResolver = mkOption {
type = types.nullOr types.str;
inherit (defaultAndText "dnsResolver" null) default defaultText;
example = "1.1.1.1:53";
description = ''
Set the resolver to use for performing recursive DNS queries. Supported:
host:port. The default is to use the system resolvers, or Google's DNS
resolvers if the system's cannot be determined.
'';
};
credentialsFile = mkOption {
type = types.path;
inherit (defaultAndText "credentialsFile" null) default defaultText;
description = ''
Path to an EnvironmentFile for the cert's service containing any required and
optional environment variables for your selected dnsProvider.
To find out what values you need to set, consult the documentation at
<link xlink:href="https://go-acme.github.io/lego/dns/"/> for the corresponding dnsProvider.
'';
example = "/var/src/secrets/example.org-route53-api-token";
};
dnsPropagationCheck = mkOption {
type = types.bool;
inherit (defaultAndText "dnsPropagationCheck" true) default defaultText;
description = ''
Toggles lego DNS propagation check, which is used alongside DNS-01
challenge to ensure the DNS entries required are available.
'';
};
ocspMustStaple = mkOption {
type = types.bool;
inherit (defaultAndText "ocspMustStaple" false) default defaultText;
description = ''
Turns on the OCSP Must-Staple TLS extension.
Make sure you know what you're doing! See:
<itemizedlist>
<listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/" /></para></listitem>
<listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html" /></para></listitem>
</itemizedlist>
'';
};
extraLegoFlags = mkOption {
type = types.listOf types.str;
inherit (defaultAndText "extraLegoFlags" []) default defaultText;
description = ''
Additional global flags to pass to all lego commands.
'';
};
extraLegoRenewFlags = mkOption {
type = types.listOf types.str;
inherit (defaultAndText "extraLegoRenewFlags" []) default defaultText;
description = ''
Additional flags to pass to lego renew.
'';
};
extraLegoRunFlags = mkOption {
type = types.listOf types.str;
inherit (defaultAndText "extraLegoRunFlags" []) default defaultText;
description = ''
Additional flags to pass to lego run.
'';
};
};
};
certOpts = { name, config, ... }: {
options = {
# user option has been removed
user = mkOption {
@ -441,40 +633,11 @@ let
default = "_mkMergedOptionModule";
};
enableDebugLogs = mkEnableOption "debug logging for this certificate" // { default = cfg.enableDebugLogs; };
webroot = mkOption {
type = types.nullOr types.str;
default = null;
example = "/var/lib/acme/acme-challenge";
description = ''
Where the webroot of the HTTP vhost is located.
<filename>.well-known/acme-challenge/</filename> directory
will be created below the webroot if it doesn't exist.
<literal>http://example.org/.well-known/acme-challenge/</literal> must also
be available (notice unencrypted HTTP).
'';
};
listenHTTP = mkOption {
type = types.nullOr types.str;
default = null;
example = ":1360";
description = ''
Interface and port to listen on to solve HTTP challenges
in the form [INTERFACE]:PORT.
If you use a port other than 80, you must proxy port 80 to this port.
'';
};
server = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
ACME Directory Resource URI. Defaults to Let's Encrypt's
production endpoint,
<link xlink:href="https://acme-v02.api.letsencrypt.org/directory"/>, if unset.
'';
directory = mkOption {
type = types.str;
readOnly = true;
default = "/var/lib/acme/${name}";
description = "Directory where certificate and other state is stored.";
};
domain = mkOption {
@ -483,47 +646,6 @@ let
description = "Domain to fetch certificate for (defaults to the entry name).";
};
email = mkOption {
type = types.nullOr types.str;
default = cfg.email;
defaultText = literalExpression "config.${opt.email}";
description = "Contact email address for the CA to be able to reach you.";
};
group = mkOption {
type = types.str;
default = "acme";
description = "Group running the ACME client.";
};
reloadServices = mkOption {
type = types.listOf types.str;
default = [];
description = ''
The list of systemd services to call <code>systemctl try-reload-or-restart</code>
on.
'';
};
postRun = mkOption {
type = types.lines;
default = "";
example = "cp full.pem backup.pem";
description = ''
Commands to run after new certificates go live. Note that
these commands run as the root user.
Executed in the same directory with the new certificate.
'';
};
directory = mkOption {
type = types.str;
readOnly = true;
default = "/var/lib/acme/${name}";
description = "Directory where certificate and other state is stored.";
};
extraDomainNames = mkOption {
type = types.listOf types.str;
default = [];
@ -538,92 +660,25 @@ let
'';
};
keyType = mkOption {
type = types.str;
default = "ec256";
description = ''
Key type to use for private keys.
For an up to date list of supported values check the --key-type option
at <link xlink:href="https://go-acme.github.io/lego/usage/cli/#usage"/>.
'';
};
dnsProvider = mkOption {
# This setting must be different for each configured certificate, otherwise
# two or more renewals may fail to bind to the address. Hence, it is not in
# the inheritableOpts.
listenHTTP = mkOption {
type = types.nullOr types.str;
default = null;
example = "route53";
example = ":1360";
description = ''
DNS Challenge provider. For a list of supported providers, see the "code"
field of the DNS providers listed at <link xlink:href="https://go-acme.github.io/lego/dns/"/>.
Interface and port to listen on to solve HTTP challenges
in the form [INTERFACE]:PORT.
If you use a port other than 80, you must proxy port 80 to this port.
'';
};
dnsResolver = mkOption {
type = types.nullOr types.str;
default = null;
example = "1.1.1.1:53";
description = ''
Set the resolver to use for performing recursive DNS queries. Supported:
host:port. The default is to use the system resolvers, or Google's DNS
resolvers if the system's cannot be determined.
'';
};
credentialsFile = mkOption {
type = types.path;
description = ''
Path to an EnvironmentFile for the cert's service containing any required and
optional environment variables for your selected dnsProvider.
To find out what values you need to set, consult the documentation at
<link xlink:href="https://go-acme.github.io/lego/dns/"/> for the corresponding dnsProvider.
'';
example = "/var/src/secrets/example.org-route53-api-token";
};
dnsPropagationCheck = mkOption {
type = types.bool;
inheritDefaults = mkOption {
default = true;
description = ''
Toggles lego DNS propagation check, which is used alongside DNS-01
challenge to ensure the DNS entries required are available.
'';
};
ocspMustStaple = mkOption {
type = types.bool;
default = false;
description = ''
Turns on the OCSP Must-Staple TLS extension.
Make sure you know what you're doing! See:
<itemizedlist>
<listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/" /></para></listitem>
<listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html" /></para></listitem>
</itemizedlist>
'';
};
extraLegoFlags = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Additional global flags to pass to all lego commands.
'';
};
extraLegoRenewFlags = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Additional flags to pass to lego renew.
'';
};
extraLegoRunFlags = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Additional flags to pass to lego run.
'';
example = true;
description = "Whether to inherit values set in `security.acme.defaults` or not.";
type = lib.types.bool;
};
};
};
@ -632,41 +687,6 @@ in {
options = {
security.acme = {
enableDebugLogs = mkEnableOption "debug logging for all certificates by default" // { default = true; };
validMinDays = mkOption {
type = types.int;
default = 30;
description = "Minimum remaining validity before renewal in days.";
};
email = mkOption {
type = types.nullOr types.str;
default = null;
description = "Contact email address for the CA to be able to reach you.";
};
renewInterval = mkOption {
type = types.str;
default = "daily";
description = ''
Systemd calendar expression when to check for renewal. See
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>.
'';
};
server = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
ACME Directory Resource URI. Defaults to Let's Encrypt's
production endpoint,
<link xlink:href="https://acme-v02.api.letsencrypt.org/directory"/>, if unset.
'';
};
preliminarySelfsigned = mkOption {
type = types.bool;
default = true;
@ -689,9 +709,31 @@ in {
'';
};
useRoot = mkOption {
type = types.bool;
default = false;
description = ''
Whether to use the root user when generating certs. This is not recommended
for security + compatiblity reasons. If a service requires root owned certificates
consider following the guide on "Using ACME with services demanding root
owned certificates" in the NixOS manual, and only using this as a fallback
or for testing.
'';
};
defaults = mkOption {
type = types.submodule (inheritableModule true);
description = ''
Default values inheritable by all configured certs. You can
use this to define options shared by all your certs. These defaults
can also be ignored on a per-cert basis using the
`security.acme.certs.''${cert}.inheritDefaults' option.
'';
};
certs = mkOption {
default = { };
type = with types; attrsOf (submodule certOpts);
type = with types; attrsOf (submodule [ (inheritableModule false) certOpts ]);
description = ''
Attribute set of certificates to get signed and renewed. Creates
<literal>acme-''${cert}.{service,timer}</literal> systemd units for
@ -722,12 +764,16 @@ in {
To use the let's encrypt staging server, use security.acme.server =
"https://acme-staging-v02.api.letsencrypt.org/directory".
''
)
'')
(mkRemovedOptionModule [ "security" "acme" "directory" ] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")
(mkRemovedOptionModule [ "security" "acme" "preDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
(mkRemovedOptionModule [ "security" "acme" "activationDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
(mkChangedOptionModule [ "security" "acme" "validMin" ] [ "security" "acme" "validMinDays" ] (config: config.security.acme.validMin / (24 * 3600)))
(mkChangedOptionModule [ "security" "acme" "validMin" ] [ "security" "acme" "defaults" "validMinDays" ] (config: config.security.acme.validMin / (24 * 3600)))
(mkChangedOptionModule [ "security" "acme" "validMinDays" ] [ "security" "acme" "defaults" "validMinDays" ] (config: config.security.acme.validMinDays))
(mkChangedOptionModule [ "security" "acme" "renewInterval" ] [ "security" "acme" "defaults" "renewInterval" ] (config: config.security.acme.renewInterval))
(mkChangedOptionModule [ "security" "acme" "email" ] [ "security" "acme" "defaults" "email" ] (config: config.security.acme.email))
(mkChangedOptionModule [ "security" "acme" "server" ] [ "security" "acme" "defaults" "server" ] (config: config.security.acme.server))
(mkChangedOptionModule [ "security" "acme" "enableDebugLogs" ] [ "security" "acme" "defaults" "enableDebugLogs" ] (config: config.security.acme.enableDebugLogs))
];
config = mkMerge [
@ -842,8 +888,8 @@ in {
# Create some targets which can be depended on to be "active" after cert renewals
finishedTargets = mapAttrs' (cert: conf: nameValuePair "acme-finished-${cert}" {
wantedBy = [ "default.target" ];
requires = [ "acme-${cert}.service" ] ++ conf.selfsignedDeps;
after = [ "acme-${cert}.service" ] ++ conf.selfsignedDeps;
requires = [ "acme-${cert}.service" ];
after = [ "acme-${cert}.service" ];
}) certConfigs;
# Create targets to limit the number of simultaneous account creations
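Review bot: In the `@ -372,37 +374,40 @@` hunk, a failed `lego renew` on a certificate that is still outside `validMinDays` is reported only as "Ignoring failed renewal ..." and the unit exits 0, so a CA outage, a broken DNS-provider credential or an ACME account problem is indistinguishable from the routine not-yet-due case until the certificate crosses the threshold; `is_expiration_skippable` only inspects the expiry of `out/full.pem`, and the rest of the script string continues outside the hunk. Keeping lego's exit status in the log would let operators alert on repeated soft failures without changing the unit's exit code: replace the `if ! lego ${renewOpts} --days ${toString data.validMinDays}; then` line with `lego_status=0`, `lego ${renewOpts} --days ${toString data.validMinDays} || lego_status=$?` and `if [ "$lego_status" -ne 0 ]; then`, and add `(lego exit status $lego_status)` to the "Ignoring failed renewal" message. Note that `$?` is not usable inside the existing `then` branch because the `!` negation has already reset it. A short comment above the branch stating that a non-zero status here is deliberately not fatal, and why, would also help the next reader, since the "may be revoked by the CA" comment describes the motivation but not the contract.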

View File

@ -7,8 +7,9 @@
<para>
NixOS supports automatic domain validation &amp; certificate retrieval and
renewal using the ACME protocol. Any provider can be used, but by default
NixOS uses Let's Encrypt. The alternative ACME client <literal>lego</literal>
is used under the hood.
NixOS uses Let's Encrypt. The alternative ACME client
<link xlink:href="https://go-acme.github.io/lego/">lego</link> is used under
the hood.
</para>
<para>
Automatic cert validation and configuration for Apache and Nginx virtual
@ -29,7 +30,7 @@
<para>
You must also set an email address to be used when creating accounts with
Let's Encrypt. You can set this for all certs with
<literal><xref linkend="opt-security.acme.email" /></literal>
<literal><xref linkend="opt-security.acme.defaults.email" /></literal>
and/or on a per-cert basis with
<literal><xref linkend="opt-security.acme.certs._name_.email" /></literal>.
This address is only used for registration and renewal reminders,
@ -38,7 +39,7 @@
<para>
Alternatively, you can use a different ACME server by changing the
<literal><xref linkend="opt-security.acme.server" /></literal> option
<literal><xref linkend="opt-security.acme.defaults.server" /></literal> option
to a provider of your choosing, or just change the server for one cert with
<literal><xref linkend="opt-security.acme.certs._name_.server" /></literal>.
</para>
@ -60,12 +61,12 @@
= true;</literal> in a virtualHost config. We first create self-signed
placeholder certificates in place of the real ACME certs. The placeholder
certs are overwritten when the ACME certs arrive. For
<literal>foo.example.com</literal> the config would look like.
<literal>foo.example.com</literal> the config would look like this:
</para>
<programlisting>
<xref linkend="opt-security.acme.acceptTerms" /> = true;
<xref linkend="opt-security.acme.email" /> = "admin+acme@example.com";
<xref linkend="opt-security.acme.defaults.email" /> = "admin+acme@example.com";
services.nginx = {
<link linkend="opt-services.nginx.enable">enable</link> = true;
<link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
@ -114,7 +115,7 @@ services.nginx = {
<programlisting>
<xref linkend="opt-security.acme.acceptTerms" /> = true;
<xref linkend="opt-security.acme.email" /> = "admin+acme@example.com";
<xref linkend="opt-security.acme.defaults.email" /> = "admin+acme@example.com";
# /var/lib/acme/.challenges must be writable by the ACME user
# and readable by the Nginx user. The easiest way to achieve
@ -218,7 +219,7 @@ services.bind = {
# Now we can configure ACME
<xref linkend="opt-security.acme.acceptTerms" /> = true;
<xref linkend="opt-security.acme.email" /> = "admin+acme@example.com";
<xref linkend="opt-security.acme.defaults.email" /> = "admin+acme@example.com";
<xref linkend="opt-security.acme.certs" />."example.com" = {
<link linkend="opt-security.acme.certs._name_.domain">domain</link> = "*.example.com";
<link linkend="opt-security.acme.certs._name_.dnsProvider">dnsProvider</link> = "rfc2136";
@ -231,25 +232,39 @@ services.bind = {
<para>
The <filename>dnskeys.conf</filename> and <filename>certs.secret</filename>
must be kept secure and thus you should not keep their contents in your
Nix config. Instead, generate them one time with these commands:
Nix config. Instead, generate them one time with a systemd service:
</para>
<programlisting>
mkdir -p /var/lib/secrets
tsig-keygen rfc2136key.example.com &gt; /var/lib/secrets/dnskeys.conf
chown named:root /var/lib/secrets/dnskeys.conf
chmod 400 /var/lib/secrets/dnskeys.conf
systemd.services.dns-rfc2136-conf = {
requiredBy = ["acme-example.com.service", "bind.service"];
before = ["acme-example.com.service", "bind.service"];
unitConfig = {
ConditionPathExists = "!/var/lib/secrets/dnskeys.conf";
};
serviceConfig = {
Type = "oneshot";
UMask = 0077;
};
path = [ pkgs.bind ];
script = ''
mkdir -p /var/lib/secrets
tsig-keygen rfc2136key.example.com &gt; /var/lib/secrets/dnskeys.conf
chown named:root /var/lib/secrets/dnskeys.conf
chmod 400 /var/lib/secrets/dnskeys.conf
# Copy the secret value from the dnskeys.conf, and put it in
# RFC2136_TSIG_SECRET below
# Copy the secret value from the dnskeys.conf, and put it in
# RFC2136_TSIG_SECRET below
cat &gt; /var/lib/secrets/certs.secret &lt;&lt; EOF
RFC2136_NAMESERVER='127.0.0.1:53'
RFC2136_TSIG_ALGORITHM='hmac-sha256.'
RFC2136_TSIG_KEY='rfc2136key.example.com'
RFC2136_TSIG_SECRET='your secret key'
EOF
chmod 400 /var/lib/secrets/certs.secret
cat &gt; /var/lib/secrets/certs.secret &lt;&lt; EOF
RFC2136_NAMESERVER='127.0.0.1:53'
RFC2136_TSIG_ALGORITHM='hmac-sha256.'
RFC2136_TSIG_KEY='rfc2136key.example.com'
RFC2136_TSIG_SECRET='your secret key'
EOF
chmod 400 /var/lib/secrets/certs.secret
'';
};
</programlisting>
<para>
@ -258,6 +273,106 @@ chmod 400 /var/lib/secrets/certs.secret
journalctl -fu acme-example.com.service</literal> and watching its log output.
</para>
</section>
<section xml:id="module-security-acme-config-dns-with-vhosts">
<title>Using DNS validation with web server virtual hosts</title>
<para>
It is possible to use DNS-01 validation with all certificates,
including those automatically configured via the Nginx/Apache
<literal><link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link></literal>
option. This configuration pattern is fully
supported and part of the module's test suite for Nginx + Apache.
</para>
<para>
You must follow the guide above on configuring DNS-01 validation
first, however instead of setting the options for one certificate
(e.g. <xref linkend="opt-security.acme.certs._name_.dnsProvider" />)
you will set them as defaults
(e.g. <xref linkend="opt-security.acme.defaults.dnsProvider" />).
</para>
<programlisting>
# Configure ACME appropriately
<xref linkend="opt-security.acme.acceptTerms" /> = true;
<xref linkend="opt-security.acme.defaults.email" /> = "admin+acme@example.com";
<xref linkend="opt-security.acme.defaults" /> = {
<link linkend="opt-security.acme.defaults.dnsProvider">dnsProvider</link> = "rfc2136";
<link linkend="opt-security.acme.defaults.credentialsFile">credentialsFile</link> = "/var/lib/secrets/certs.secret";
# We don't need to wait for propagation since this is a local DNS server
<link linkend="opt-security.acme.defaults.dnsPropagationCheck">dnsPropagationCheck</link> = false;
};
# For each virtual host you would like to use DNS-01 validation with,
# set acmeRoot = null
services.nginx = {
<link linkend="opt-services.nginx.enable">enable</link> = true;
<link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
"foo.example.com" = {
<link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;
<link linkend="opt-services.nginx.virtualHosts._name_.acmeRoot">acmeRoot</link> = null;
};
};
}
</programlisting>
<para>
And that's it! Next time your configuration is rebuilt, or when
you add a new virtualHost, it will be DNS-01 validated.
</para>
</section>
<section xml:id="module-security-acme-root-owned">
<title>Using ACME with services demanding root owned certificates</title>
<para>
Some services refuse to start if the configured certificate files
are not owned by root. PostgreSQL and OpenSMTPD are examples of these.
There is no way to change the user the ACME module uses (it will always be
<literal>acme</literal>), however you can use systemd's
<literal>LoadCredential</literal> feature to resolve this elegantly.
Below is an example configuration for OpenSMTPD, but this pattern
can be applied to any service.
</para>
<programlisting>
# Configure ACME however you like (DNS or HTTP validation), adding
# the following configuration for the relevant certificate.
# Note: You cannot use `systemctl reload` here as that would mean
# the LoadCredential configuration below would be skipped and
# the service would continue to use old certificates.
security.acme.certs."mail.example.com".postRun = ''
systemctl restart opensmtpd
'';
# Now you must augment OpenSMTPD's systemd service to load
# the certificate files.
<link linkend="opt-systemd.services._name_.requires">systemd.services.opensmtpd.requires</link> = ["acme-finished-mail.example.com.target"];
<link linkend="opt-systemd.services._name_.serviceConfig">systemd.services.opensmtpd.serviceConfig.LoadCredential</link> = let
certDir = config.security.acme.certs."mail.example.com".directory;
in [
"cert.pem:${certDir}/cert.pem"
"key.pem:${certDir}/key.pem"
];
# Finally, configure OpenSMTPD to use these certs.
services.opensmtpd = let
credsDir = "/run/credentials/opensmtpd.service";
in {
enable = true;
setSendmail = false;
serverConfiguration = ''
pki mail.example.com cert "${credsDir}/cert.pem"
pki mail.example.com key "${credsDir}/key.pem"
listen on localhost tls pki mail.example.com
action act1 relay host smtp://127.0.0.1:10027
match for local action act1
'';
};
</programlisting>
</section>
<section xml:id="module-security-acme-regenerate">
<title>Regenerating certificates</title>


@ -1,5 +1,7 @@
{ config, lib, pkgs, ... }:
with lib;
let
format = pkgs.formats.json { };
cfg = config.services.influxdb2;
@ -9,12 +11,14 @@ in
options = {
services.influxdb2 = {
enable = mkEnableOption "the influxdb2 server";
package = mkOption {
default = pkgs.influxdb2-server;
defaultText = literalExpression "pkgs.influxdb2";
description = "influxdb2 derivation to use.";
type = types.package;
};
settings = mkOption {
default = { };
description = ''configuration options for influxdb2, see <link xlink:href="https://docs.influxdata.com/influxdb/v2.0/reference/config-options"/> for details.'';
@ -28,18 +32,20 @@ in
assertion = !(builtins.hasAttr "bolt-path" cfg.settings) && !(builtins.hasAttr "engine-path" cfg.settings);
message = "services.influxdb2.config: bolt-path and engine-path should not be set as they are managed by systemd";
}];
systemd.services.influxdb2 = {
description = "InfluxDB is an open-source, distributed, time series database";
documentation = [ "https://docs.influxdata.com/influxdb/" ];
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
environment = {
INFLUXD_CONFIG_PATH = "${configFile}";
INFLUXD_CONFIG_PATH = configFile;
};
serviceConfig = {
ExecStart = "${cfg.package}/bin/influxd --bolt-path \${STATE_DIRECTORY}/influxd.bolt --engine-path \${STATE_DIRECTORY}/engine";
StateDirectory = "influxdb2";
DynamicUser = true;
User = "influxdb2";
Group = "influxdb2";
CapabilityBoundingSet = "";
SystemCallFilter = "@system-service";
LimitNOFILE = 65536;
@ -47,6 +53,13 @@ in
Restart = "on-failure";
};
};
users.extraUsers.influxdb2 = {
isSystemUser = true;
group = "influxdb2";
};
users.extraGroups.influxdb2 = {};
};
meta.maintainers = with lib.maintainers; [ nickcao ];
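Review bot: Replacing `DynamicUser = true` with a static `influxdb2` user (the `User`/`Group` lines in the third hunk) silently drops the sandboxing that DynamicUser= implies — per systemd.exec(5) it turns on ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC, NoNewPrivileges and RestrictSUIDSGID — while the hunk keeps only `CapabilityBoundingSet` and `SystemCallFilter`. If the static user is needed (presumably for stable ownership of the state directory), the lost settings should be restated explicitly next to `StateDirectory`, e.g. `ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true; NoNewPrivileges = true;`. The commit record does not say why the switch was made, so a one-line comment above `User = "influxdb2";` explaining it would help the next reader. The `systemd.services.influxdb2` block is shown in full, but the `config` attribute set it sits in starts outside the hunk.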


@ -28,38 +28,45 @@ let
}
'';
dhcpdService = postfix: cfg: optionalAttrs cfg.enable {
"dhcpd${postfix}" = {
description = "DHCPv${postfix} server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
dhcpdService = postfix: cfg:
let
configFile =
if cfg.configFile != null
then cfg.configFile
else writeConfig cfg;
leaseFile = "/var/lib/dhcpd${postfix}/dhcpd.leases";
args = [
"@${pkgs.dhcp}/sbin/dhcpd" "dhcpd${postfix}" "-${postfix}"
"-pf" "/run/dhcpd${postfix}/dhcpd.pid"
"-cf" configFile
"-lf" leaseFile
] ++ cfg.extraFlags
++ cfg.interfaces;
in
optionalAttrs cfg.enable {
"dhcpd${postfix}" = {
description = "DHCPv${postfix} server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
preStart = ''
mkdir -m 755 -p ${cfg.stateDir}
chown dhcpd:nogroup ${cfg.stateDir}
touch ${cfg.stateDir}/dhcpd.leases
'';
serviceConfig =
let
configFile = if cfg.configFile != null then cfg.configFile else writeConfig cfg;
args = [ "@${pkgs.dhcp}/sbin/dhcpd" "dhcpd${postfix}" "-${postfix}"
"-pf" "/run/dhcpd${postfix}/dhcpd.pid"
"-cf" "${configFile}"
"-lf" "${cfg.stateDir}/dhcpd.leases"
"-user" "dhcpd" "-group" "nogroup"
] ++ cfg.extraFlags
++ cfg.interfaces;
in {
ExecStart = concatMapStringsSep " " escapeShellArg args;
Type = "forking";
Restart = "always";
RuntimeDirectory = [ "dhcpd${postfix}" ];
PIDFile = "/run/dhcpd${postfix}/dhcpd.pid";
preStart = "touch ${leaseFile}";
serviceConfig = {
ExecStart = concatMapStringsSep " " escapeShellArg args;
Type = "forking";
Restart = "always";
DynamicUser = true;
User = "dhcpd";
Group = "dhcpd";
AmbientCapabilities = [
"CAP_NET_RAW" # to send ICMP messages
"CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
];
StateDirectory = "dhcpd${postfix}";
RuntimeDirectory = "dhcpd${postfix}";
PIDFile = "/run/dhcpd${postfix}/dhcpd.pid";
};
};
};
};
};
machineOpts = { ... }: {
@ -102,15 +109,6 @@ let
'';
};
stateDir = mkOption {
type = types.path;
# We use /var/lib/dhcp for DHCPv4 to save backwards compatibility.
default = "/var/lib/dhcp${if postfix == "4" then "" else postfix}";
description = ''
State directory for the DHCP server.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
@ -194,7 +192,13 @@ in
imports = [
(mkRenamedOptionModule [ "services" "dhcpd" ] [ "services" "dhcpd4" ])
];
] ++ flip map [ "4" "6" ] (postfix:
mkRemovedOptionModule [ "services" "dhcpd${postfix}" "stateDir" ] ''
The DHCP server state directory is now managed with the systemd's DynamicUser mechanism.
This means the directory is named after the service (dhcpd${postfix}), created under
/var/lib/private/ and symlinked to /var/lib/.
''
);
###### interface
@ -210,15 +214,6 @@ in
config = mkIf (cfg4.enable || cfg6.enable) {
users = {
users.dhcpd = {
isSystemUser = true;
group = "dhcpd";
description = "DHCP daemon user";
};
groups.dhcpd = {};
};
systemd.services = dhcpdService "4" cfg4 // dhcpdService "6" cfg6;
};
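Review bot: Removing the `stateDir` option and switching to `StateDirectory = "dhcpd${postfix}"` moves the DHCPv4 lease database from the old default `/var/lib/dhcp/dhcpd.leases` (the removed option's default) to `/var/lib/dhcpd4/dhcpd.leases`, and nothing in the hunks migrates the existing file; `preStart = "touch ${leaseFile}"` creates an empty database, so after the upgrade the server forgets every active lease and can re-offer addresses clients still hold. Either copy the old file in `preStart` when the new one is absent, or spell out the lease loss in the `mkRemovedOptionModule` message so administrators can move it themselves. Separately, `AmbientCapabilities` is set without the usual matching `CapabilityBoundingSet = [ "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];`, which is what keeps the process from retaining anything beyond the two listed capabilities. The `let` block that defines `dhcpdService` starts outside the first hunk.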


@ -72,7 +72,7 @@ services.prosody = {
a TLS certificate for the three endponits:
<programlisting>
security.acme = {
<link linkend="opt-security.acme.email">email</link> = "root@example.org";
<link linkend="opt-security.acme.defaults.email">email</link> = "root@example.org";
<link linkend="opt-security.acme.acceptTerms">acceptTerms</link> = true;
<link linkend="opt-security.acme.certs">certs</link> = {
"example.org" = {


@ -25,7 +25,7 @@ services.discourse = {
};
<link linkend="opt-services.discourse.secretKeyBaseFile">secretKeyBaseFile</link> = "/path/to/secret_key_base_file";
};
<link linkend="opt-security.acme.email">security.acme.email</link> = "me@example.com";
<link linkend="opt-security.acme.defaults.email">security.acme.email</link> = "me@example.com";
<link linkend="opt-security.acme.acceptTerms">security.acme.acceptTerms</link> = true;
</programlisting>
</para>


@ -20,7 +20,7 @@
};
<link linkend="opt-services.jitsi-videobridge.openFirewall">services.jitsi-videobridge.openFirewall</link> = true;
<link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ];
<link linkend="opt-security.acme.email">security.acme.email</link> = "me@example.com";
<link linkend="opt-security.acme.defaults.email">security.acme.email</link> = "me@example.com";
<link linkend="opt-security.acme.acceptTerms">security.acme.acceptTerms</link> = true;
}</programlisting>
</para>
@ -46,7 +46,7 @@
};
<link linkend="opt-services.jitsi-videobridge.openFirewall">services.jitsi-videobridge.openFirewall</link> = true;
<link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ];
<link linkend="opt-security.acme.email">security.acme.email</link> = "me@example.com";
<link linkend="opt-security.acme.defaults.email">security.acme.email</link> = "me@example.com";
<link linkend="opt-security.acme.acceptTerms">security.acme.acceptTerms</link> = true;
}</programlisting>
</para>


@ -154,7 +154,7 @@ let
sslServerKey = if useACME then "${sslCertDir}/key.pem" else hostOpts.sslServerKey;
sslServerChain = if useACME then "${sslCertDir}/chain.pem" else hostOpts.sslServerChain;
acmeChallenge = optionalString useACME ''
acmeChallenge = optionalString (useACME && hostOpts.acmeRoot != null) ''
Alias /.well-known/acme-challenge/ "${hostOpts.acmeRoot}/.well-known/acme-challenge/"
<Directory "${hostOpts.acmeRoot}">
AllowOverride None
@ -677,9 +677,16 @@ in
};
security.acme.certs = let
acmePairs = map (hostOpts: nameValuePair hostOpts.hostName {
acmePairs = map (hostOpts: let
hasRoot = hostOpts.acmeRoot != null;
in nameValuePair hostOpts.hostName {
group = mkDefault cfg.group;
webroot = hostOpts.acmeRoot;
# if acmeRoot is null inherit config.security.acme
# Since config.security.acme.certs.<cert>.webroot's own default value
# should take precedence set priority higher than mkOptionDefault
webroot = mkOverride (if hasRoot then 1000 else 2000) hostOpts.acmeRoot;
# Also nudge dnsProvider to null in case it is inherited
dnsProvider = mkOverride (if hasRoot then 1000 else 2000) null;
extraDomainNames = hostOpts.serverAliases;
# Use the vhost-specific email address if provided, otherwise let
# security.acme.email or security.acme.certs.<cert>.email be used.
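Review bot: The comment above the new `webroot` line is easy to misread: in the module system a larger override number means lower precedence, so `mkOverride 2000` makes this definition weaker than the option's own default (which is applied at 1500, mkOptionDefault) — the behaviour is right, the word "higher" is inverted. Suggest `# 2000 is numerically above mkOptionDefault (1500), so this loses to the webroot option's own default when acmeRoot is null` as the comment, and the same rewording applies to the identical comment in the nginx module section of this commit. The `acmePairs` expression is part of a `security.acme.certs` definition whose enclosing `config` block starts outside the hunk.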


@ -128,9 +128,12 @@ in
};
acmeRoot = mkOption {
type = types.str;
type = types.nullOr types.str;
default = "/var/lib/acme/acme-challenge";
description = "Directory for the acme challenge which is PUBLIC, don't put certs or keys in here";
description = ''
Directory for the acme challenge which is PUBLIC, don't put certs or keys in here.
Set to null to inherit from config.security.acme.
'';
};
sslServerCert = mkOption {


@ -278,7 +278,7 @@ let
acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) ''
location /.well-known/acme-challenge {
${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
root ${vhost.acmeRoot};
${optionalString (vhost.acmeRoot != null) "root ${vhost.acmeRoot};"}
auth_basic off;
}
${optionalString (vhost.acmeFallbackHost != null) ''
@ -948,9 +948,16 @@ in
};
security.acme.certs = let
acmePairs = map (vhostConfig: nameValuePair vhostConfig.serverName {
acmePairs = map (vhostConfig: let
hasRoot = vhostConfig.acmeRoot != null;
in nameValuePair vhostConfig.serverName {
group = mkDefault cfg.group;
webroot = vhostConfig.acmeRoot;
# if acmeRoot is null inherit config.security.acme
# Since config.security.acme.certs.<cert>.webroot's own default value
# should take precedence set priority higher than mkOptionDefault
webroot = mkOverride (if hasRoot then 1000 else 2000) vhostConfig.acmeRoot;
# Also nudge dnsProvider to null in case it is inherited
dnsProvider = mkOverride (if hasRoot then 1000 else 2000) null;
extraDomainNames = vhostConfig.serverAliases;
# Filter for enableACME-only vhosts. Don't want to create dud certs
}) (filter (vhostConfig: vhostConfig.useACMEHost == null) acmeEnabledVhosts);
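Review bot: With `acmeRoot = null` the `location /.well-known/acme-challenge` block in the first hunk is still emitted, now without a `root` directive but still with `auth_basic off;`, so that prefix is served from the vhost's own root with basic auth disabled — for a DNS-01-validated host the location has no purpose and only weakens whatever basic auth the vhost configured. Unless the `acmeFallbackHost` path is meant to keep working without a webroot, the whole block should be gated: `acmeLocation = optionalString ((vhost.enableACME || vhost.useACMEHost != null) && vhost.acmeRoot != null) ''`. The `let` binding containing `acmeLocation` starts before the hunk, and the second hunk's `acmePairs` definition sits inside a `config` block that also starts outside it.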


@ -3,7 +3,7 @@
# has additional options that affect the web server as a whole, like
# the user/group to run under.)
{ lib, ... }:
{ config, lib, ... }:
with lib;
{
@ -85,9 +85,12 @@ with lib;
};
acmeRoot = mkOption {
type = types.str;
type = types.nullOr types.str;
default = "/var/lib/acme/acme-challenge";
description = "Directory for the acme challenge which is PUBLIC, don't put certs or keys in here";
description = ''
Directory for the acme challenge which is PUBLIC, don't put certs or keys in here.
Set to null to inherit from config.security.acme.
'';
};
acmeFallbackHost = mkOption {


@ -0,0 +1,98 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.virtualisation.docker.rootless;
proxy_env = config.networking.proxy.envVars;
settingsFormat = pkgs.formats.json {};
daemonSettingsFile = settingsFormat.generate "daemon.json" cfg.daemon.settings;
in
{
###### interface
options.virtualisation.docker.rootless = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
This option enables docker in a rootless mode, a daemon that manages
linux containers. To interact with the daemon, one needs to set
<command>DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock</command>.
'';
};
setSocketVariable = mkOption {
type = types.bool;
default = false;
description = ''
Point <command>DOCKER_HOST</command> to rootless Docker instance for
normal users by default.
'';
};
daemon.settings = mkOption {
type = settingsFormat.type;
default = { };
example = {
ipv6 = true;
"fixed-cidr-v6" = "fd00::/80";
};
description = ''
Configuration for docker daemon. The attributes are serialized to JSON used as daemon.conf.
See https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file
'';
};
package = mkOption {
default = pkgs.docker;
defaultText = literalExpression "pkgs.docker";
type = types.package;
example = literalExpression "pkgs.docker-edge";
description = ''
Docker package to be used in the module.
'';
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
environment.extraInit = optionalString cfg.setSocketVariable ''
if [ -z "$DOCKER_HOST" -a -n "$XDG_RUNTIME_DIR" ]; then
export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock"
fi
'';
# Taken from https://github.com/moby/moby/blob/master/contrib/dockerd-rootless-setuptool.sh
systemd.user.services.docker = {
wantedBy = [ "default.target" ];
description = "Docker Application Container Engine (Rootless)";
# needs newuidmap from pkgs.shadow
path = [ "/run/wrappers" ];
environment = proxy_env;
unitConfig.StartLimitInterval = "60s";
serviceConfig = {
Type = "notify";
ExecStart = "${cfg.package}/bin/dockerd-rootless --config-file=${daemonSettingsFile}";
ExecReload = "${pkgs.procps}/bin/kill -s HUP $MAINPID";
TimeoutSec = 0;
RestartSec = 2;
Restart = "always";
StartLimitBurst = 3;
LimitNOFILE = "infinity";
LimitNPROC = "infinity";
LimitCORE = "infinity";
Delegate = true;
NotifyAccess = "all";
KillMode = "mixed";
};
};
};
}
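Review bot: The rootless daemon depends on more than this module sets up: `dockerd-rootless` needs the setuid `newuidmap`/`newgidmap` wrappers (the comment at `path = [ "/run/wrappers" ]` acknowledges it) and subordinate uid/gid ranges for the invoking user in `/etc/subuid`/`/etc/subgid`, yet nothing here asserts the wrappers exist or that the user has ranges, so on a default system the user service will presumably fail at start with no hint from the option descriptions. Either add an assertion for those prerequisites or state them in the `enable` description. Two smaller points: the `daemon.settings` description says the attributes become `daemon.conf`, but `daemonSettingsFile` generates `daemon.json`, and the `extraInit` test uses the non-portable `-a` operator — `if [ -z "$DOCKER_HOST" ] && [ -n "$XDG_RUNTIME_DIR" ]; then` is the POSIX form.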


@ -1,9 +1,9 @@
let
import ./make-test-python.nix ({ pkgs, lib, ... }: let
commonConfig = ./common/acme/client;
dnsServerIP = nodes: nodes.dnsserver.config.networking.primaryIPAddress;
dnsScript = {pkgs, nodes}: let
dnsScript = nodes: let
dnsAddress = dnsServerIP nodes;
in pkgs.writeShellScript "dns-hook.sh" ''
set -euo pipefail
@ -15,30 +15,137 @@ let
fi
'';
documentRoot = pkgs: pkgs.runCommand "docroot" {} ''
dnsConfig = nodes: {
dnsProvider = "exec";
dnsPropagationCheck = false;
credentialsFile = pkgs.writeText "wildcard.env" ''
EXEC_PATH=${dnsScript nodes}
EXEC_POLLING_INTERVAL=1
EXEC_PROPAGATION_TIMEOUT=1
EXEC_SEQUENCE_INTERVAL=1
'';
};
documentRoot = pkgs.runCommand "docroot" {} ''
mkdir -p "$out"
echo hello world > "$out/index.html"
'';
vhostBase = pkgs: {
vhostBase = {
forceSSL = true;
locations."/".root = documentRoot pkgs;
locations."/".root = documentRoot;
};
in import ./make-test-python.nix ({ lib, ... }: {
vhostBaseHttpd = {
forceSSL = true;
inherit documentRoot;
};
# Base specialisation config for testing general ACME features
webserverBasicConfig = {
services.nginx.enable = true;
services.nginx.virtualHosts."a.example.test" = vhostBase // {
enableACME = true;
};
};
# Generate specialisations for testing a web server
mkServerConfigs = { server, group, vhostBaseData, extraConfig ? {} }: let
baseConfig = { nodes, config, specialConfig ? {} }: lib.mkMerge [
{
security.acme = {
defaults = (dnsConfig nodes) // {
inherit group;
};
# One manual wildcard cert
certs."example.test" = {
domain = "*.example.test";
};
};
services."${server}" = {
enable = true;
virtualHosts = {
# Run-of-the-mill vhost using HTTP-01 validation
"${server}-http.example.test" = vhostBaseData // {
serverAliases = [ "${server}-http-alias.example.test" ];
enableACME = true;
};
# Another which inherits the DNS-01 config
"${server}-dns.example.test" = vhostBaseData // {
serverAliases = [ "${server}-dns-alias.example.test" ];
enableACME = true;
# Set acmeRoot to null instead of using the default of "/var/lib/acme/acme-challenge"
# webroot + dnsProvider are mutually exclusive.
acmeRoot = null;
};
# One using the wildcard certificate
"${server}-wildcard.example.test" = vhostBaseData // {
serverAliases = [ "${server}-wildcard-alias.example.test" ];
useACMEHost = "example.test";
};
};
};
# Used to determine if service reload was triggered
systemd.targets."test-renew-${server}" = {
wants = [ "acme-${server}-http.example.test.service" ];
after = [ "acme-${server}-http.example.test.service" "${server}-config-reload.service" ];
};
}
specialConfig
extraConfig
];
in {
"${server}".configuration = { nodes, config, ... }: baseConfig {
inherit nodes config;
};
# Test that server reloads when an alias is removed (and subsequently test removal works in acme)
"${server}-remove-alias".configuration = { nodes, config, ... }: baseConfig {
inherit nodes config;
specialConfig = {
# Remove an alias, but create a standalone vhost in its place for testing.
# This configuration results in certificate errors as useACMEHost does not imply
# append extraDomains, and thus we can validate the SAN is removed.
services."${server}" = {
virtualHosts."${server}-http.example.test".serverAliases = lib.mkForce [];
virtualHosts."${server}-http-alias.example.test" = vhostBaseData // {
useACMEHost = "${server}-http.example.test";
};
};
};
};
# Test that the server reloads when only the acme configuration is changed.
"${server}-change-acme-conf".configuration = { nodes, config, ... }: baseConfig {
inherit nodes config;
specialConfig = {
security.acme.certs."${server}-http.example.test" = {
keyType = "ec384";
# Also test that postRun is exec'd as root
postRun = "id | grep root";
};
};
};
};
in {
name = "acme";
meta.maintainers = lib.teams.acme.members;
nodes = {
# The fake ACME server which will respond to client requests
acme = { nodes, lib, ... }: {
acme = { nodes, ... }: {
imports = [ ./common/acme/server ];
networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];
};
# A fake DNS server which can be configured with records as desired
# Used to test DNS-01 challenge
dnsserver = { nodes, pkgs, ... }: {
dnsserver = { nodes, ... }: {
networking.firewall.allowedTCPPorts = [ 8055 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
systemd.services.pebble-challtestsrv = {
@ -54,7 +161,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
};
# A web server which will be the node requesting certs
webserver = { pkgs, nodes, lib, config, ... }: {
webserver = { nodes, config, ... }: {
imports = [ commonConfig ];
networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];
networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -63,130 +170,142 @@ in import ./make-test-python.nix ({ lib, ... }: {
environment.systemPackages = [ pkgs.openssl ];
# Set log level to info so that we can see when the service is reloaded
services.nginx.enable = true;
services.nginx.logError = "stderr info";
# First tests configure a basic cert and run a bunch of openssl checks
services.nginx.virtualHosts."a.example.test" = (vhostBase pkgs) // {
enableACME = true;
};
specialisation = {
# First derivation used to test general ACME features
general.configuration = { ... }: let
caDomain = nodes.acme.config.test-support.acme.caDomain;
email = config.security.acme.defaults.email;
# Exit 99 to make it easier to track if this is the reason a renew failed
accountCreateTester = ''
test -e accounts/${caDomain}/${email}/account.json || exit 99
'';
in lib.mkMerge [
webserverBasicConfig
{
# Used to test that account creation is collated into one service.
# These should not run until after acme-finished-a.example.test.target
systemd.services."b.example.test".preStart = accountCreateTester;
systemd.services."c.example.test".preStart = accountCreateTester;
# Used to determine if service reload was triggered
systemd.targets.test-renew-nginx = {
wants = [ "acme-a.example.test.service" ];
after = [ "acme-a.example.test.service" "nginx-config-reload.service" ];
};
services.nginx.virtualHosts."b.example.test" = vhostBase // {
enableACME = true;
};
services.nginx.virtualHosts."c.example.test" = vhostBase // {
enableACME = true;
};
}
];
# Test that account creation is collated into one service
specialisation.account-creation.configuration = { nodes, pkgs, lib, ... }: let
email = "newhostmaster@example.test";
caDomain = nodes.acme.config.test-support.acme.caDomain;
# Exit 99 to make it easier to track if this is the reason a renew failed
testScript = ''
test -e accounts/${caDomain}/${email}/account.json || exit 99
'';
# Test OCSP Stapling
ocsp-stapling.configuration = { ... }: lib.mkMerge [
webserverBasicConfig
{
security.acme.certs."a.example.test".ocspMustStaple = true;
services.nginx.virtualHosts."a.example.test" = {
extraConfig = ''
ssl_stapling on;
ssl_stapling_verify on;
'';
};
}
];
# Validate service relationships by adding a slow start service to nginx' wants.
# Reproducer for https://github.com/NixOS/nixpkgs/issues/81842
slow-startup.configuration = { ... }: lib.mkMerge [
webserverBasicConfig
{
systemd.services.my-slow-service = {
wantedBy = [ "multi-user.target" "nginx.service" ];
before = [ "nginx.service" ];
preStart = "sleep 5";
script = "${pkgs.python3}/bin/python -m http.server";
};
services.nginx.virtualHosts."slow.example.test" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:8000";
};
}
];
# Test lego internal server (listenHTTP option)
# Also tests useRoot option
lego-server.configuration = { ... }: {
security.acme.useRoot = true;
security.acme.certs."lego.example.test" = {
listenHTTP = ":80";
group = "nginx";
};
services.nginx.enable = true;
services.nginx.virtualHosts."lego.example.test" = {
useACMEHost = "lego.example.test";
onlySSL = true;
};
};
# Test compatiblity with Caddy
# It only supports useACMEHost, hence not using mkServerConfigs
} // (let
baseCaddyConfig = { nodes, config, ... }: {
security.acme = {
defaults = (dnsConfig nodes) // {
group = config.services.caddy.group;
};
# One manual wildcard cert
certs."example.test" = {
domain = "*.example.test";
};
};
services.caddy = {
enable = true;
virtualHosts."a.exmaple.test" = {
useACMEHost = "example.test";
extraConfig = ''
root * ${documentRoot}
'';
};
};
};
in {
security.acme.email = lib.mkForce email;
systemd.services."b.example.test".preStart = testScript;
systemd.services."c.example.test".preStart = testScript;
caddy.configuration = baseCaddyConfig;
services.nginx.virtualHosts."b.example.test" = (vhostBase pkgs) // {
enableACME = true;
};
services.nginx.virtualHosts."c.example.test" = (vhostBase pkgs) // {
enableACME = true;
};
};
# Test that the server reloads when only the acme configuration is changed.
"caddy-change-acme-conf".configuration = { nodes, config, ... }: lib.mkMerge [
(baseCaddyConfig {
inherit nodes config;
})
{
security.acme.certs."example.test" = {
keyType = "ec384";
};
}
];
# Cert config changes will not cause the nginx configuration to change.
# This tests that the reload service is correctly triggered.
# It also tests that postRun is exec'd as root
specialisation.cert-change.configuration = { pkgs, ... }: {
security.acme.certs."a.example.test".keyType = "ec384";
security.acme.certs."a.example.test".postRun = ''
set -euo pipefail
touch /home/test
chown root:root /home/test
echo testing > /home/test
'';
};
# Test compatibility with Nginx
}) // (mkServerConfigs {
server = "nginx";
group = "nginx";
vhostBaseData = vhostBase;
})
# Now adding an alias to ensure that the certs are updated
specialisation.nginx-aliases.configuration = { pkgs, ... }: {
services.nginx.virtualHosts."a.example.test" = {
serverAliases = [ "b.example.test" ];
};
};
# Test OCSP Stapling
specialisation.ocsp-stapling.configuration = { pkgs, ... }: {
security.acme.certs."a.example.test" = {
ocspMustStaple = true;
};
services.nginx.virtualHosts."a.example.com" = {
extraConfig = ''
ssl_stapling on;
ssl_stapling_verify on;
'';
};
};
# Test using Apache HTTPD
specialisation.httpd-aliases.configuration = { pkgs, config, lib, ... }: {
services.nginx.enable = lib.mkForce false;
services.httpd.enable = true;
services.httpd.adminAddr = config.security.acme.email;
services.httpd.virtualHosts."c.example.test" = {
serverAliases = [ "d.example.test" ];
forceSSL = true;
enableACME = true;
documentRoot = documentRoot pkgs;
};
# Used to determine if service reload was triggered
systemd.targets.test-renew-httpd = {
wants = [ "acme-c.example.test.service" ];
after = [ "acme-c.example.test.service" "httpd-config-reload.service" ];
};
};
# Validation via DNS-01 challenge
specialisation.dns-01.configuration = { pkgs, config, nodes, ... }: {
security.acme.certs."example.test" = {
domain = "*.example.test";
group = config.services.nginx.group;
dnsProvider = "exec";
dnsPropagationCheck = false;
credentialsFile = pkgs.writeText "wildcard.env" ''
EXEC_PATH=${dnsScript { inherit pkgs nodes; }}
'';
};
services.nginx.virtualHosts."dns.example.test" = (vhostBase pkgs) // {
useACMEHost = "example.test";
};
};
# Validate service relationships by adding a slow start service to nginx' wants.
# Reproducer for https://github.com/NixOS/nixpkgs/issues/81842
specialisation.slow-startup.configuration = { pkgs, config, nodes, lib, ... }: {
systemd.services.my-slow-service = {
wantedBy = [ "multi-user.target" "nginx.service" ];
before = [ "nginx.service" ];
preStart = "sleep 5";
script = "${pkgs.python3}/bin/python -m http.server";
};
services.nginx.virtualHosts."slow.example.com" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:8000";
};
};
# Test compatibility with Apache HTTPD
// (mkServerConfigs {
server = "httpd";
group = "wwwrun";
vhostBaseData = vhostBaseHttpd;
extraConfig = {
services.httpd.adminAddr = config.security.acme.defaults.email;
};
});
};
# The client will be used to curl the webserver to validate configuration
client = {nodes, lib, pkgs, ...}: {
client = { nodes, ... }: {
imports = [ commonConfig ];
networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];
@ -195,7 +314,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
};
};
testScript = {nodes, ...}:
testScript = { nodes, ... }:
let
caDomain = nodes.acme.config.test-support.acme.caDomain;
newServerSystem = nodes.webserver.config.system.build.toplevel;
@ -204,23 +323,26 @@ in import ./make-test-python.nix ({ lib, ... }: {
# Note, wait_for_unit does not work for oneshot services that do not have RemainAfterExit=true,
# this is because a oneshot goes from inactive => activating => inactive, and never
# reaches the active state. Targets do not have this issue.
''
import time
has_switched = False
def switch_to(node, name):
global has_switched
if has_switched:
node.succeed(
"${switchToNewServer}"
)
has_switched = True
# On first switch, this will create a symlink to the current system so that we can
# quickly switch between derivations
root_specs = "/tmp/specialisation"
node.execute(
f"test -e {root_specs}"
f" || ln -s $(readlink /run/current-system)/specialisation {root_specs}"
)
switcher_path = f"/run/current-system/specialisation/{name}/bin/switch-to-configuration"
rc, _ = node.execute(f"test -e '{switcher_path}'")
if rc > 0:
switcher_path = f"/tmp/specialisation/{name}/bin/switch-to-configuration"
node.succeed(
f"/run/current-system/specialisation/{name}/bin/switch-to-configuration test"
f"{switcher_path} test"
)
@ -310,8 +432,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
return download_ca_certs(node, retries - 1)
client.start()
dnsserver.start()
start_all()
dnsserver.wait_for_unit("pebble-challtestsrv.service")
client.wait_for_unit("default.target")
@ -320,19 +441,30 @@ in import ./make-test-python.nix ({ lib, ... }: {
'curl --data \'{"host": "${caDomain}", "addresses": ["${nodes.acme.config.networking.primaryIPAddress}"]}\' http://${dnsServerIP nodes}:8055/add-a'
)
acme.start()
webserver.start()
acme.wait_for_unit("network-online.target")
acme.wait_for_unit("pebble.service")
download_ca_certs(client)
with subtest("Can request certificate with HTTPS-01 challenge"):
# Perform general tests first
switch_to(webserver, "general")
with subtest("Can request certificate with HTTP-01 challenge"):
webserver.wait_for_unit("acme-finished-a.example.test.target")
check_fullchain(webserver, "a.example.test")
check_issuer(webserver, "a.example.test", "pebble")
webserver.wait_for_unit("nginx.service")
check_connection(client, "a.example.test")
with subtest("Runs 1 cert for account creation before others"):
webserver.wait_for_unit("acme-finished-b.example.test.target")
webserver.wait_for_unit("acme-finished-c.example.test.target")
check_connection(client, "b.example.test")
check_connection(client, "c.example.test")
with subtest("Certificates and accounts have safe + valid permissions"):
group = "${nodes.webserver.config.security.acme.certs."a.example.test".group}"
# Nginx will set the group appropriately when enableACME is used
group = "nginx"
webserver.succeed(
f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"
)
@ -346,12 +478,6 @@ in import ./make-test-python.nix ({ lib, ... }: {
f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c '%a %U %G' {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0"
)
with subtest("Certs are accepted by web server"):
webserver.succeed("systemctl start nginx.service")
check_fullchain(webserver, "a.example.test")
check_issuer(webserver, "a.example.test", "pebble")
check_connection(client, "a.example.test")
# Selfsigned certs tests happen late so we aren't fighting the system init triggering cert renewal
with subtest("Can generate valid selfsigned certs"):
webserver.succeed("systemctl clean acme-a.example.test.service --what=state")
@ -365,77 +491,107 @@ in import ./make-test-python.nix ({ lib, ... }: {
# Will succeed if nginx can load the certs
webserver.succeed("systemctl start nginx-config-reload.service")
with subtest("Can reload nginx when timer triggers renewal"):
webserver.succeed("systemctl start test-renew-nginx.target")
check_issuer(webserver, "a.example.test", "pebble")
check_connection(client, "a.example.test")
with subtest("Runs 1 cert for account creation before others"):
switch_to(webserver, "account-creation")
webserver.wait_for_unit("acme-finished-a.example.test.target")
check_connection(client, "a.example.test")
webserver.wait_for_unit("acme-finished-b.example.test.target")
webserver.wait_for_unit("acme-finished-c.example.test.target")
check_connection(client, "b.example.test")
check_connection(client, "c.example.test")
with subtest("Can reload web server when cert configuration changes"):
switch_to(webserver, "cert-change")
webserver.wait_for_unit("acme-finished-a.example.test.target")
check_connection_key_bits(client, "a.example.test", "384")
webserver.succeed("grep testing /home/test")
# Clean to remove the testing file (and anything else messy we did)
webserver.succeed("systemctl clean acme-a.example.test.service --what=state")
with subtest("Correctly implements OCSP stapling"):
switch_to(webserver, "ocsp-stapling")
webserver.wait_for_unit("acme-finished-a.example.test.target")
check_stapling(client, "a.example.test")
with subtest("Can request certificate with HTTPS-01 when nginx startup is delayed"):
switch_to(webserver, "slow-startup")
webserver.wait_for_unit("acme-finished-slow.example.com.target")
check_issuer(webserver, "slow.example.com", "pebble")
check_connection(client, "slow.example.com")
with subtest("Can request certificate for vhost + aliases (nginx)"):
# Check the key hash before and after adding an alias. It should not change.
# The previous test reverts the ed384 change
webserver.wait_for_unit("acme-finished-a.example.test.target")
switch_to(webserver, "nginx-aliases")
webserver.wait_for_unit("acme-finished-a.example.test.target")
check_issuer(webserver, "a.example.test", "pebble")
with subtest("Can request certificate with HTTP-01 using lego's internal web server"):
switch_to(webserver, "lego-server")
webserver.wait_for_unit("acme-finished-lego.example.test.target")
webserver.wait_for_unit("nginx.service")
webserver.succeed("echo HENLO && systemctl cat nginx.service")
webserver.succeed("test \"$(stat -c '%U' /var/lib/acme/* | uniq)\" = \"root\"")
check_connection(client, "a.example.test")
check_connection(client, "b.example.test")
check_connection(client, "lego.example.test")
with subtest("Can request certificates for vhost + aliases (apache-httpd)"):
try:
switch_to(webserver, "httpd-aliases")
webserver.wait_for_unit("acme-finished-c.example.test.target")
except Exception as err:
_, output = webserver.execute(
"cat /var/log/httpd/*.log && ls -al /var/lib/acme/acme-challenge"
)
print(output)
raise err
check_issuer(webserver, "c.example.test", "pebble")
check_connection(client, "c.example.test")
check_connection(client, "d.example.test")
with subtest("Can request certificate with HTTP-01 when nginx startup is delayed"):
webserver.execute("systemctl stop nginx")
switch_to(webserver, "slow-startup")
webserver.wait_for_unit("acme-finished-slow.example.test.target")
check_issuer(webserver, "slow.example.test", "pebble")
webserver.wait_for_unit("nginx.service")
check_connection(client, "slow.example.test")
with subtest("Can reload httpd when timer triggers renewal"):
# Switch to selfsigned first
webserver.succeed("systemctl clean acme-c.example.test.service --what=state")
webserver.succeed("systemctl start acme-selfsigned-c.example.test.service")
check_issuer(webserver, "c.example.test", "minica")
webserver.succeed("systemctl start httpd-config-reload.service")
webserver.succeed("systemctl start test-renew-httpd.target")
check_issuer(webserver, "c.example.test", "pebble")
check_connection(client, "c.example.test")
with subtest("Can request wildcard certificates using DNS-01 challenge"):
switch_to(webserver, "dns-01")
with subtest("Works with caddy"):
switch_to(webserver, "caddy")
webserver.wait_for_unit("acme-finished-example.test.target")
check_issuer(webserver, "example.test", "pebble")
check_connection(client, "dns.example.test")
webserver.wait_for_unit("caddy.service")
# FIXME reloading caddy is not sufficient to load new certs.
# Restart it manually until this is fixed.
webserver.succeed("systemctl restart caddy.service")
check_connection(client, "a.example.test")
with subtest("security.acme changes reflect on caddy"):
switch_to(webserver, "caddy-change-acme-conf")
webserver.wait_for_unit("acme-finished-example.test.target")
webserver.wait_for_unit("caddy.service")
# FIXME reloading caddy is not sufficient to load new certs.
# Restart it manually until this is fixed.
webserver.succeed("systemctl restart caddy.service")
check_connection_key_bits(client, "a.example.test", "384")
domains = ["http", "dns", "wildcard"]
for server, logsrc in [
("nginx", "journalctl -n 30 -u nginx.service"),
("httpd", "tail -n 30 /var/log/httpd/*.log"),
]:
wait_for_server = lambda: webserver.wait_for_unit(f"{server}.service")
with subtest(f"Works with {server}"):
try:
switch_to(webserver, server)
# Skip wildcard domain for this check ([:-1])
for domain in domains[:-1]:
webserver.wait_for_unit(
f"acme-finished-{server}-{domain}.example.test.target"
)
except Exception as err:
_, output = webserver.execute(
f"{logsrc} && ls -al /var/lib/acme/acme-challenge"
)
print(output)
raise err
wait_for_server()
for domain in domains[:-1]:
check_issuer(webserver, f"{server}-{domain}.example.test", "pebble")
for domain in domains:
check_connection(client, f"{server}-{domain}.example.test")
check_connection(client, f"{server}-{domain}-alias.example.test")
test_domain = f"{server}-{domains[0]}.example.test"
with subtest(f"Can reload {server} when timer triggers renewal"):
# Switch to selfsigned first
webserver.succeed(f"systemctl clean acme-{test_domain}.service --what=state")
webserver.succeed(f"systemctl start acme-selfsigned-{test_domain}.service")
check_issuer(webserver, test_domain, "minica")
webserver.succeed(f"systemctl start {server}-config-reload.service")
webserver.succeed(f"systemctl start test-renew-{server}.target")
check_issuer(webserver, test_domain, "pebble")
check_connection(client, test_domain)
with subtest("Can remove an alias from a domain + cert is updated"):
test_alias = f"{server}-{domains[0]}-alias.example.test"
switch_to(webserver, f"{server}-remove-alias")
webserver.wait_for_unit(f"acme-finished-{test_domain}.target")
wait_for_server()
check_connection(client, test_domain)
rc, _ = client.execute(
f"openssl s_client -CAfile /tmp/ca.crt -connect {test_alias}:443"
" </dev/null 2>/dev/null | openssl x509 -noout -text"
f" | grep DNS: | grep {test_alias}"
)
assert rc > 0, "Removed extraDomainName was not removed from the cert"
with subtest("security.acme changes reflect on web server"):
# Switch back to normal server config first, reset everything.
switch_to(webserver, server)
wait_for_server()
switch_to(webserver, f"{server}-change-acme-conf")
webserver.wait_for_unit(f"acme-finished-{test_domain}.target")
wait_for_server()
check_connection_key_bits(client, test_domain, "384")
'';
})


@ -105,6 +105,7 @@ in
dnscrypt-wrapper = handleTestOn ["x86_64-linux"] ./dnscrypt-wrapper {};
doas = handleTest ./doas.nix {};
docker = handleTestOn ["x86_64-linux"] ./docker.nix {};
docker-rootless = handleTestOn ["x86_64-linux"] ./docker-rootless.nix {};
docker-edge = handleTestOn ["x86_64-linux"] ./docker-edge.nix {};
docker-registry = handleTest ./docker-registry.nix {};
docker-tools = handleTestOn ["x86_64-linux"] ./docker-tools.nix {};


@ -5,9 +5,11 @@ let
in {
security.acme = {
server = "https://${caDomain}/dir";
email = "hostmaster@example.test";
acceptTerms = true;
defaults = {
server = "https://${caDomain}/dir";
email = "hostmaster@example.test";
};
};
security.pki.certificateFiles = [ caCert ];


@ -120,6 +120,11 @@ in {
enable = true;
description = "Pebble ACME server";
wantedBy = [ "network.target" ];
environment = {
# We're not testing lego, we're just testing our configuration.
# No need to sleep.
PEBBLE_VA_NOSLEEP = "1";
};
serviceConfig = {
RuntimeDirectory = "pebble";


@ -0,0 +1,41 @@
# This test runs docker and checks if simple container starts
import ./make-test-python.nix ({ lib, pkgs, ...} : {
name = "docker-rootless";
meta = with pkgs.lib.maintainers; {
maintainers = [ abbradar ];
};
nodes = {
machine = { pkgs, ... }: {
virtualisation.docker.rootless.enable = true;
users.users.alice = {
uid = 1000;
isNormalUser = true;
};
};
};
testScript = { nodes, ... }:
let
user = nodes.machine.config.users.users.alice;
sudo = lib.concatStringsSep " " [
"XDG_RUNTIME_DIR=/run/user/${toString user.uid}"
"DOCKER_HOST=unix:///run/user/${toString user.uid}/docker.sock"
"sudo" "--preserve-env=XDG_RUNTIME_DIR,DOCKER_HOST" "-u" "alice"
];
in ''
machine.wait_for_unit("multi-user.target")
machine.succeed("loginctl enable-linger alice")
machine.wait_until_succeeds("${sudo} systemctl --user is-active docker.service")
machine.succeed("tar cv --files-from /dev/null | ${sudo} docker import - scratchimg")
machine.succeed(
"${sudo} docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
)
machine.succeed("${sudo} docker ps | grep sleeping")
machine.succeed("${sudo} docker stop sleeping")
'';
})
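Review bot: The script only shows that a daemon answers on alice's socket, not that the daemon itself runs unprivileged, which is the property a rootless-mode test exists to pin down. After the `is-active` wait, add an owner check such as `machine.succeed("pgrep -u alice dockerd")` (or, if `docker info` reports it in this setup, grep its output for `rootless`), so a regression in how the user service launches the daemon fails here instead of passing every later step. The header comment also reads as the description of the generic Docker test; `# This test runs rootless Docker as an unprivileged user and checks that a simple container starts` states what is different about this one.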


@ -9,6 +9,8 @@ lib.makeScope newScope (self: with self; {
mopidy-iris = callPackage ./iris.nix { };
mopidy-jellyfin = callPackage ./jellyfin.nix { };
mopidy-local = callPackage ./local.nix { };
mopidy-moped = callPackage ./moped.nix { };


@ -0,0 +1,25 @@
{ lib, python3Packages, mopidy }:
python3Packages.buildPythonApplication rec {
pname = "mopidy-jellyfin";
version = "1.0.2";
src = python3Packages.fetchPypi {
inherit version;
pname = "Mopidy-Jellyfin";
sha256 = "0j7v5xx3c401r5dw1sqm1n2263chjga1d3ml85rg79hjhhhacy75";
};
propagatedBuildInputs = [ mopidy python3Packages.unidecode python3Packages.websocket-client ];
# no tests implemented
doCheck = false;
pythonImportsCheck = [ "mopidy_jellyfin" ];
meta = with lib; {
homepage = "https://github.com/jellyfin/mopidy-jellyfin";
description = "Mopidy extension for playing audio files from Jellyfin";
license = licenses.asl20;
maintainers = [ maintainers.pstn ];
};
}


@ -9,6 +9,8 @@
, copyDesktopItems
, fontconfig
, libpng
, pipewire
, makeWrapper
, autoPatchelfHook
}:
@ -38,6 +40,7 @@ stdenv.mkDerivation rec {
fontconfig
libva
gst_all_1.gst-plugins-base
pipewire
# autoPatchelfHook complains if these are missing, even on wayland
xorg.libXft
xorg.libXinerama
@ -47,12 +50,22 @@ stdenv.mkDerivation rec {
xorg.libXtst
];
nativeBuildInputs = [ copyDesktopItems autoPatchelfHook ];
nativeBuildInputs = [ copyDesktopItems autoPatchelfHook makeWrapper ];
postFixup = let
GST_PLUGIN_PATH = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" [
gst_all_1.gst-plugins-base
pipewire
];
in ''
wrapProgram $out/bin/weylus --prefix GST_PLUGIN_PATH : ${GST_PLUGIN_PATH}
'';
meta = with lib; {
description = "Use your tablet as graphic tablet/touch screen on your computer";
homepage = "https://github.com/H-M-H/Weylus";
license = with licenses; [ agpl3Only ];
maintainers = with maintainers; [ lom ];
platforms = [ "x86_64-linux" ];
};
}


@ -1,12 +1,17 @@
{lib, stdenvNoCC, haskellPackages, fetchurl, writers}:
let
hledger-lib = haskellPackages.hledger-lib_1_24_1;
in
stdenvNoCC.mkDerivation rec {
pname = "hledger-check-fancyassertions";
version = "1.23";
inherit (hledger-lib) version;
src = fetchurl {
name = "hledger-check-fancyassertion-${version}.hs";
url = "https://raw.githubusercontent.com/simonmichael/hledger/hledger-lib-${version}/bin/hledger-check-fancyassertions.hs";
sha256 = "08p2din1j7l4c29ipn68k8vvs3ys004iy8a3zf318lzby4h04h0n";
sha256 = "0naggvivc6szsc8haa52a6lm079ikz5qfva0ljnqx0f1zlkxv984";
};
dontUnpack = true;
@ -15,11 +20,13 @@ stdenvNoCC.mkDerivation rec {
executable = writers.writeHaskell
"hledger-check-fancyassertions"
{
libraries = with haskellPackages; [
base base-compat base-compat-batteries filepath hledger-lib_1_24
libraries = [
hledger-lib
] ++ (with haskellPackages; [
base base-compat base-compat-batteries filepath
megaparsec microlens optparse-applicative string-qq text time
transformers
];
]);
inherit (haskellPackages) ghc;
}
src;
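Review bot: `inherit (hledger-lib) version;` ties the fetched script's git tag `hledger-lib-${version}` to whichever package the `let` binds, yet nothing next to `src` tells the next updater that `sha256` must be refreshed in the same step; a comment above `src` such as `# fetched from the hledger-lib-<version> tag, so bumping hledger-lib above requires a new sha256` would make the coupling explicit. The pre-existing `name = "hledger-check-fancyassertion-${version}.hs"` also drops the trailing `s` of the upstream file name; harmless, but worth aligning with the URL while this block is being touched.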


@ -15,7 +15,7 @@ rec {
, go-md2man, go, containerd_1_4, runc, docker-proxy, tini, libtool
, sqlite, iproute2, lvm2, systemd, docker-buildx, docker-compose_2
, btrfs-progs, iptables, e2fsprogs, xz, util-linux, xfsprogs, git
, procps, libseccomp
, procps, libseccomp, rootlesskit, slirp4netns, fuse-overlayfs
, nixosTests
, clientOnly ? !stdenv.isLinux, symlinkJoin
}:
@ -77,6 +77,8 @@ rec {
extraPath = optionals (stdenv.isLinux) (makeBinPath [ iproute2 iptables e2fsprogs xz xfsprogs procps util-linux git ]);
extraUserPath = optionals (stdenv.isLinux && !clientOnly) (makeBinPath [ rootlesskit slirp4netns fuse-overlayfs ]);
postPatch = ''
patchShebangs hack/make.sh hack/make/
'';
@ -109,6 +111,11 @@ rec {
install -Dm644 ./contrib/init/systemd/docker.service $out/etc/systemd/system/docker.service
substituteInPlace $out/etc/systemd/system/docker.service --replace /usr/bin/dockerd $out/bin/dockerd
install -Dm644 ./contrib/init/systemd/docker.socket $out/etc/systemd/system/docker.socket
# rootless Docker
install -Dm755 ./contrib/dockerd-rootless.sh $out/libexec/docker/dockerd-rootless.sh
makeWrapper $out/libexec/docker/dockerd-rootless.sh $out/bin/dockerd-rootless \
--prefix PATH : "$out/libexec/docker:$extraPath:$extraUserPath"
'';
DOCKER_BUILDTAGS = []
@ -184,6 +191,7 @@ rec {
'' + optionalString (!clientOnly) ''
# symlink docker daemon to docker cli derivation
ln -s ${moby}/bin/dockerd $out/bin/dockerd
ln -s ${moby}/bin/dockerd-rootless $out/bin/dockerd-rootless
# systemd
mkdir -p $out/etc/systemd/system
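Review bot: The wrapper built for `$out/bin/dockerd-rootless` prefixes PATH with `$out/libexec/docker`, `$extraPath` and `$extraUserPath` but not `$out/bin`, so if `dockerd-rootless.sh` locates `dockerd` through PATH, as upstream's script does by default, the daemon binary comes from whatever PATH the invoking user session happens to have rather than from this derivation. Pinning it is a one-token change: `--prefix PATH : "$out/bin:$out/libexec/docker:$extraPath:$extraUserPath"`. The new `extraUserPath` copies the `extraPath` idiom of `optionals cond (makeBinPath …)`, which yields a string when the condition holds and `[]` otherwise; it only works because both values are ever interpolated into strings, and `optionalString` would state the intent. The enclosing derivation starts and ends outside these hunks.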


@ -1,6 +1,6 @@
{
"commit": "45e72928a9053df2938492a535a1b4351251d82f",
"url": "https://github.com/commercialhaskell/all-cabal-hashes/archive/45e72928a9053df2938492a535a1b4351251d82f.tar.gz",
"sha256": "1a87yf9bly5ayldgrkakyipxfkk7h9ifqb4dpd8l1f9zb1csdg1x",
"msg": "Update from Hackage at 2021-12-09T20:50:23Z"
"commit": "01a23b49c333c95167338433cd375e24fc60d66d",
"url": "https://github.com/commercialhaskell/all-cabal-hashes/archive/01a23b49c333c95167338433cd375e24fc60d66d.tar.gz",
"sha256": "0mf1pqlg5cj0p0si1vgf5mp5an89yhq0il6v7n58smcqbfdynds5",
"msg": "Update from Hackage at 2021-12-21T13:58:08Z"
}


@ -124,10 +124,6 @@ self: super: {
buildDepends = [ pkgs.qt5.wrapQtAppsHook ];
}) super.qtah-cpp-qt5;
# Missing test data
# https://github.com/aleksey-makarov/melf/issues/1
melf = dontCheck super.melf;
# The Haddock phase fails for one reason or another.
deepseq-magic = dontHaddock super.deepseq-magic;
feldspar-signal = dontHaddock super.feldspar-signal; # https://github.com/markus-git/feldspar-signal/issues/1
@ -863,7 +859,7 @@ self: super: {
super.hledger-lib;
# hledger-lib 1.24 depends on doctest >= 0.18
hledger-lib_1_24 = super.hledger-lib_1_24.override {
hledger-lib_1_24_1 = super.hledger-lib_1_24_1.override {
doctest = self.doctest_0_18_2;
};
@ -1232,12 +1228,8 @@ self: super: {
})
] super.polysemy;
# polysemy-plugin 0.2.5.0 has constraint ghc-tcplugins-extra (==0.3.*)
# This upstream issue is relevant:
# https://github.com/polysemy-research/polysemy/issues/322
polysemy-plugin = super.polysemy-plugin.override {
ghc-tcplugins-extra = self.ghc-tcplugins-extra_0_3_2;
};
# 2021-12-26: Too strict bounds on doctest
polysemy-plugin = doJailbreak super.polysemy-plugin;
# Test suite requires running a database server. Testing is done upstream.
hasql-notifications = dontCheck super.hasql-notifications;
@ -1517,9 +1509,6 @@ self: super: {
# Due to tests restricting base in 0.8.0.0 release
http-media = doJailbreak super.http-media;
# 2020-11-19: Jailbreaking until: https://github.com/snapframework/heist/pull/124
heist = doJailbreak super.heist;
hinit = generateOptparseApplicativeCompletion "hi" (super.hinit.override { haskeline = self.haskeline_0_8_2; });
# 2020-11-19: Jailbreaking until: https://github.com/snapframework/snap/pull/219
@ -2111,17 +2100,24 @@ self: super: {
gogol-core = appendPatch ./patches/gogol-core-144.patch super.gogol-core;
# Jailbreak isn't sufficient, but this is ok as it's a leaf package.
hadolint = super.hadolint.overrideScope (self: super: {
hadolint = overrideCabal (drv: {
# Test suite depends on ordering of unordered-containers returned values
# which was upgraded in LTS 18.19
# https://github.com/hadolint/hadolint/issues/753
testFlags = [
"--skip" "/Hadolint.Formatter.Sarif/Formatter: Sarif/print empty results/"
] ++ drv.testFlags or [];
}) (super.hadolint.overrideScope (self: super: {
language-docker = self.language-docker_10_4_0;
hspec = dontCheck self.hspec_2_9_4;
hspec-core = dontCheck self.hspec-core_2_9_4;
hspec-discover = dontCheck self.hspec-discover_2_9_4;
colourista = doJailbreak super.colourista;
});
}));
# These should be updated in lockstep
hledger_1_24 = super.hledger_1_24.override {
hledger-lib = self.hledger-lib_1_24;
hledger_1_24_1 = super.hledger_1_24_1.override {
hledger-lib = self.hledger-lib_1_24_1;
};
# Needs brick > 0.64
@ -2135,11 +2131,127 @@ self: super: {
# test suite requires stack to run, https://github.com/dino-/photoname/issues/24
photoname = dontCheck super.photoname;
# Too strict bounds on recursive-zipper
# https://github.com/ChrisPenner/jet/issues/1
jet = doJailbreak super.jet;
# Upgrade of unordered-containers in Stackage causes ordering-sensitive test to fail
# https://github.com/chrisdone/lucid/issues/123
# https://github.com/commercialhaskell/stackage/issues/6366
lucid = assert super.lucid.version == "2.9.12.1"; overrideCabal (drv: {
testFlags = [
"--skip" "/attributes-with/mixed/"
] ++ drv.testFlags or [];
}) super.lucid;
# Basically the entire doctest suite of swagger2 fails for the same reason
swagger2 = assert super.swagger2.version == "2.6"; overrideCabal (drv: {
testTarget = "spec";
}) super.swagger2;
# https://github.com/kapralVV/Unique/issues/9
Unique = assert super.Unique.version == "0.4.7.9"; overrideCabal (drv: {
testFlags = [
"--skip" "/Data.List.UniqueUnsorted.removeDuplicates/removeDuplicates: simple test/"
"--skip" "/Data.List.UniqueUnsorted.repeatedBy,repeated,unique/unique: simple test/"
"--skip" "/Data.List.UniqueUnsorted.repeatedBy,repeated,unique/repeatedBy: simple test/"
] ++ drv.testFlags or [];
}) super.Unique;
# https://github.com/AndrewRademacher/aeson-casing/issues/8
aeson-casing = assert super.aeson-casing.version == "0.2.0.0"; overrideCabal (drv: {
testFlags = [
"-p" "! /encode train/"
] ++ drv.testFlags or [];
}) super.aeson-casing;
# https://github.com/Soostone/katip/issues/134
katip = assert super.katip.version == "0.8.7.0"; overrideCabal (drv: {
testFlags = [
"-p" "!/Text-golden/&&!/respects payloadKeys for each constituent payload/"
] ++ drv.testFlags or [];
}) super.katip;
# 2020-11-19: Jailbreaking until: https://github.com/snapframework/heist/pull/124
# 2021-12-22: https://github.com/snapframework/heist/issues/131
heist = assert super.heist.version == "1.1.0.1"; overrideCabal (drv: {
testFlags = [
"-t" "!*/compiled/ns*"
] ++ drv.testFlags or [];
}) (doJailbreak super.heist);
# https://github.com/hercules-ci/hercules-ci-agent/issues/352
hercules-ci-api-agent = assert super.hercules-ci-api-agent.version == "0.4.1.0"; overrideCabal (drv: {
testFlags = [
"--skip" "/hercules-ci-api/Hercules.API.Agent.Evaluate.EvaluateEvent.DerivationInfo/DerivationInfo/ToJSON/encodes v2 correctly/"
] ++ drv.testFlags or [];
}) (doJailbreak super.hercules-ci-api-agent);
# https://github.com/emc2/HUnit-Plus/issues/26
HUnit-Plus = dontCheck super.HUnit-Plus;
# https://github.com/ewestern/haskell-postgis/issues/7
haskell-postgis = overrideCabal (drv: {
testFlags = [
"--skip" "/Geo/Hexable/Encodes a linestring/"
] ++ drv.testFlags or [];
}) super.haskell-postgis;
# https://github.com/ChrisPenner/json-to-haskell/issues/5
json-to-haskell = overrideCabal (drv: {
testFlags = [
"--match" "/should sanitize weird field and record names/"
] ++ drv.testFlags or [];
}) super.json-to-haskell;
# https://github.com/fieldstrength/aeson-deriving/issues/5
aeson-deriving = dontCheck super.aeson-deriving;
# https://github.com/morpheusgraphql/morpheus-graphql/issues/660
morpheus-graphql-core = overrideCabal (drv: {
testFlags = [
"-p" "!/field.unexpected-value/&&!/field.missing-field/&&!/argument.unexpected-value/&&!/argument.missing-field/"
] ++ drv.testFlags or [];
}) super.morpheus-graphql-core;
morpheus-graphql = overrideCabal (drv: {
testFlags = [
"-p" "!/Test Rendering/"
] ++ drv.testFlags or [];
}) super.morpheus-graphql;
# https://github.com/SupercedeTech/dropbox-client/issues/1
dropbox = overrideCabal (drv: {
testFlags = [
"--skip" "/Dropbox/Dropbox aeson aeson/encodes list folder correctly/"
] ++ drv.testFlags or [];
}) super.dropbox;
# https://github.com/alonsodomin/haskell-schema/issues/11
hschema-aeson = overrideCabal (drv: {
testFlags = [
"--skip" "/toJsonSerializer/should generate valid JSON/"
] ++ drv.testFlags or [];
}) super.hschema-aeson;
# https://gitlab.com/k0001/xmlbf/-/issues/32
xmlbf = overrideCabal (drv: {
testFlags = [
"-p" "!/xml: <x b=\"\" a=\"y\"><\\/x>/&&!/xml: <x b=\"z\" a=\"y\"><\\/x>/"
] ++ drv.testFlags or [];
}) super.xmlbf;
# https://github.com/ssadler/aeson-quick/issues/3
aeson-quick = overrideCabal (drv: {
testFlags = [
"-p" "!/asLens.set/&&!/complex.set/&&!/multipleKeys.set/"
] ++ drv.testFlags or [];
}) super.aeson-quick;
# https://github.com/minio/minio-hs/issues/165
minio-hs = overrideCabal (drv: {
testFlags = [
"-p" "!/Test mkSelectRequest/"
] ++ drv.testFlags or [];
}) super.minio-hs;
# Use latest version until next Stackage LTS snapshot
Agda = doDistribute self.Agda_2_6_2_1;
# golden files expect an old version of hpack, so tests fail intermittently
# TODO: maybe disable golden test suite altogether? this will happen again as
# hpack emits its version into the generated files…
hpack-dhall = assert super.hpack-dhall.version == "0.5.3"; dontCheck super.hpack-dhall;
# Invalid CPP in test suite: https://github.com/cdornan/memory-cd/issues/1
memory-cd = dontCheck super.memory-cd;
# https://github.com/andreymulik/sdp/issues/3
sdp = disableLibraryProfiling super.sdp;
sdp-binary = disableLibraryProfiling super.sdp-binary;
sdp-deepseq = disableLibraryProfiling super.sdp-deepseq;
sdp-hashable = disableLibraryProfiling super.sdp-hashable;
sdp-io = disableLibraryProfiling super.sdp-io;
sdp-quickcheck = disableLibraryProfiling super.sdp-quickcheck;
sdp4bytestring = disableLibraryProfiling super.sdp4bytestring;
sdp4text = disableLibraryProfiling super.sdp4text;
sdp4unordered = disableLibraryProfiling super.sdp4unordered;
sdp4vector = disableLibraryProfiling super.sdp4vector;
} // import ./configuration-tensorflow.nix {inherit pkgs haskellLib;} self super
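Review bot: The test-skip overrides from `haskell-postgis` down to `minio-hs` carry no version assertion, unlike `lucid`, `swagger2`, `Unique`, `aeson-casing`, `katip`, `heist` and `hercules-ci-api-agent` earlier in the same hunk, so these skips will silently outlive the upstream fixes their issue links point at. Guard each the same way, e.g. `haskell-postgis = assert super.haskell-postgis.version == "<current version>"; overrideCabal (drv: {`. `json-to-haskell` additionally uses `--match` rather than `--skip`, which restricts the suite to the single named spec instead of excluding a failing one; a comment saying why only that spec is run would keep a future maintainer from reading it as a skip.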


@ -117,7 +117,7 @@ self: super: {
retry = dontCheck super.retry;
# Hlint needs >= 3.3.4 for ghc 9 support.
hlint = super.hlint_3_3_4;
hlint = doDistribute super.hlint_3_3_5;
# 2021-09-18: ghc-api-compat and ghc-lib-* need >= 9.0.x versions for hls and hlint
ghc-api-compat = doDistribute super.ghc-api-compat_9_0_1;
@ -128,16 +128,6 @@ self: super: {
# 2021-09-18: Need semialign >= 1.2 for correct bounds
semialign = super.semialign_1_2_0_1;
# 2021-09-18: GHC 9 compat release is missing
# Issue: https://github.com/obsidiansystems/dependent-sum/issues/65
dependent-sum-template = dontCheck (appendPatch
(pkgs.fetchpatch {
url = "https://github.com/obsidiansystems/dependent-sum/commit/8cf4c7fbc3bfa2be475a17bb7c94a1e1e9a830b5.patch";
sha256 = "02wyy0ciicq2x8lw4xxz3x5i4a550mxfidhm2ihh60ni6am498ff";
stripLen = 2;
extraPrefix = "";
}) super.dependent-sum-template);
# 2021-09-18: cabal2nix does not detect the need for ghc-api-compat.
hiedb = overrideCabal (old: {
libraryHaskellDepends = old.libraryHaskellDepends ++ [self.ghc-api-compat];


@ -101,6 +101,19 @@ self: super: {
genvalidity-property = self.genvalidity-property_1_0_0_0;
genvalidity-hspec = self.genvalidity-hspec_1_0_0_0;
ghc-byteorder = doJailbreak super.ghc-byteorder;
ghc-exactprint = overrideCabal (drv: {
# HACK: ghc-exactprint 1.3.0 is not buildable for GHC < 9.2,
# but hackage2nix evaluates the cabal file with GHC 8.10.*,
# causing the build-depends to be skipped. Since the dependency
# list hasn't changed much since 0.6.4, we can just reuse the
# normal expression.
inherit (self.ghc-exactprint_1_3_0) src version;
revision = null; editedCabalFile = null;
libraryHaskellDepends = [
self.fail
self.ordered-containers
] ++ drv.libraryHaskellDepends or [];
}) super.ghc-exactprint;
ghc-lib = self.ghc-lib_9_2_1_20211101;
ghc-lib-parser = self.ghc-lib-parser_9_2_1_20211101;
ghc-lib-parser-ex = self.ghc-lib-parser-ex_9_2_0_1;
@ -124,6 +137,7 @@ self: super: {
quickcheck-instances = super.quickcheck-instances_0_3_27;
regex-posix = doJailbreak super.regex-posix;
resolv = doJailbreak super.resolv;
retrie = doDistribute self.retrie_1_2_0_0;
semialign = super.semialign_1_2_0_1;
singleton-bool = doJailbreak super.singleton-bool;
scientific = doJailbreak super.scientific;
@ -210,20 +224,20 @@ self: super: {
text-short = dontCheck super.text-short_0_1_4;
# Use hlint from git for GHC 9.2.1 support
hlint = overrideCabal {
version = "unstable-2021-12-12";
src = pkgs.fetchFromGitHub {
owner = "ndmitchell";
repo = "hlint";
rev = "77a9702e10b772a7695c08682cd4f450fd0e9e46";
sha256 = "0hpp3iw7m7w2abr8vb86gdz3x6c8lj119zxln933k90ia7bmk8jc";
};
revision = null;
editedCabalFile = null;
} (super.hlint_3_3_4.overrideScope (self: super: {
ghc-lib-parser = self.ghc-lib-parser_9_2_1_20211101;
ghc-lib-parser-ex = self.ghc-lib-parser-ex_9_2_0_1;
}));
hlint = doDistribute (
overrideSrc {
version = "unstable-2021-12-12";
src = pkgs.fetchFromGitHub {
owner = "ndmitchell";
repo = "hlint";
rev = "77a9702e10b772a7695c08682cd4f450fd0e9e46";
sha256 = "0hpp3iw7m7w2abr8vb86gdz3x6c8lj119zxln933k90ia7bmk8jc";
};
} (super.hlint_3_3_5.overrideScope (self: super: {
ghc-lib-parser = self.ghc-lib-parser_9_2_1_20211101;
ghc-lib-parser-ex = self.ghc-lib-parser-ex_9_2_0_1;
}))
);
# https://github.com/sjakobi/bsb-http-chunked/issues/38
bsb-http-chunked = dontCheck super.bsb-http-chunked;
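Review bot: The `ghc-exactprint` HACK reuses the build-depends hackage2nix generated for the older release ("hasn't changed much since 0.6.4"), but nothing makes that assumption fail loudly when Stackage moves `super.ghc-exactprint` to a different version — the override would then pair the 1.3.0 source with an unrelated dependency list. Guard it the way the `lucid`/`swagger2`/`Unique` overrides elsewhere in this commit do, e.g. `ghc-exactprint = assert super.ghc-exactprint.version == "0.6.4"; overrideCabal (drv: {` (if 0.6.4 is indeed the Stackage version the comment refers to). As a point of style, `revision = null; editedCabalFile = null;` puts two bindings on one line; splitting them matches the rest of the file.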


@ -222,6 +222,7 @@ broken-packages:
- assumpta
- ast-monad
- astrds
- astro
- async-combinators
- async-dejafu
- asynchronous-exceptions
@ -1557,6 +1558,7 @@ broken-packages:
- fused-effects-mwc-random
- fused-effects-resumable
- fusion
- futhark-manifest
- futun
- future
- fuzzy-time-gen
@ -1675,6 +1677,7 @@ broken-packages:
- gi-gtksheet
- gi-handy
- gi-json
- gingersnap
- ginsu
- gipeda
- giphy-api
@ -3187,6 +3190,7 @@ broken-packages:
- monad-ste
- monad-stlike-io
- monad-task
- monad-throw-exit
- monad-timing
- monad-tx
- monad-unify
@ -3499,6 +3503,8 @@ broken-packages:
- opentelemetry-http-client
- opentheory-char
- opentok
- opentracing-jaeger
- opentracing-zipkin-v1
- opentype
- OpenVGRaw
- Operads
@ -3540,6 +3546,7 @@ broken-packages:
- overloaded
- overloaded-records
- overture
- owoify-hs
- pack
- package-description-remote
- package-o-tron
@ -3570,6 +3577,7 @@ broken-packages:
- pandoc-pyplot
- pandoc-unlit
- pandoc-utils
- pandora-io
- pang-a-lambda
- pangraph
- pan-os-syslog
@ -3596,6 +3604,7 @@ broken-packages:
- pareto
- parochial
- Parry
- parse
- parseargs
- parsec2
- parsec3
@ -3791,8 +3800,9 @@ broken-packages:
- polydata-core
- polynom
- polynomial
- polysemy-mocks
- polysemy-plugin
- polysemy-check
- polysemy-http
- polysemy-process
- polysemy-zoo
- polytypeable
- pomaps
@ -3843,6 +3853,7 @@ broken-packages:
- PPrinter
- pqc
- praglude
- prairie
- preamble
- precis
- precursor
@ -4370,6 +4381,7 @@ broken-packages:
- servant-static-th
- servant-streaming
- servant-to-elm
- servant-tracing
- servant-yaml
- servant-zeppelin
- server-generic
@ -4782,6 +4794,7 @@ broken-packages:
- syb-with-class-instances-text
- sydtest-aeson
- sydtest-hedis
- sydtest-hspec
- sydtest-mongo
- sydtest-persistent-postgresql
- sydtest-rabbitmq


@ -67,8 +67,6 @@ core-packages:
# tracked in stackage.yaml. Adding conflicting overrides with stackage here will
# not work.
default-package-overrides:
# This was only intended for ghc-7.0.4, and has very old deps, one hidden behind a flag
- MissingH ==1.4.2.0
# gi-gdkx11-4.x requires gtk-4.x, which is still under development and
# not yet available in Nixpkgs
- gi-gdkx11 < 4
@ -126,6 +124,12 @@ default-package-overrides:
- rel8 < 1.2.1.0
# 0.14.0.0 drops support for every GHC < 9.0.1
- brittany < 0.14
# 1.2.0.0: “Dropped support for GHC <9.2 (might readd it later)”
- retrie < 1.2.0.0
# Compat with polysemy in Stackage LTS 18
- polysemy-resume < 0.1.0.2
- polysemy-conc < 0.5
- polysemy-mocks < 0.2
extra-packages:
- base16-bytestring < 1 # required for cabal-install etc.
@ -138,7 +142,6 @@ extra-packages:
- dhall == 1.29.0 # required for ats-pkg
- dhall == 1.38.1 # required for spago
- Diff < 0.4 # required by liquidhaskell-0.8.10.2: https://github.com/ucsd-progsys/liquidhaskell/issues/1729
- ghc-tcplugins-extra ==0.3.2 # required for polysemy-plugin 0.2.5.0
- haddock == 2.23.* # required on GHC < 8.10.x
- haddock-api == 2.23.* # required on GHC < 8.10.x
- haddock-library ==1.7.* # required by stylish-cabal-0.5.0.0
@ -279,6 +282,7 @@ package-maintainers:
- Unique
maralorn:
- cabal-fmt
- ema
- generic-optics
- ghcup
- ghcid


@ -1,4 +1,4 @@
# Stackage LTS 18.18
# Stackage LTS 18.19
# This file is auto-generated by
# maintainers/scripts/haskell/update-stackage.sh
default-package-overrides:
@ -33,7 +33,7 @@ default-package-overrides:
- aeson-with ==0.1.2.0
- aeson-yak ==0.1.1.3
- aeson-yaml ==1.1.0.1
- Agda ==2.6.2
- Agda ==2.6.2.1
- agda2lagda ==0.2021.6.1
- al ==0.1.4.2
- alarmclock ==0.7.0.5
@ -142,10 +142,10 @@ default-package-overrides:
- amqp ==0.22.0
- amqp-utils ==0.6.3.2
- annotated-wl-pprint ==0.7.0
- ansi-terminal ==0.11
- ansi-terminal ==0.11.1
- ansi-wl-pprint ==0.6.9
- ANum ==0.2.0.2
- apecs ==0.9.3
- apecs ==0.9.4
- apecs-gloss ==0.2.4
- apecs-physics ==0.4.5
- api-field-json-th ==0.1.0.2
@ -263,7 +263,7 @@ default-package-overrides:
- bits ==0.5.3
- bitset-word8 ==0.1.1.2
- bits-extra ==0.0.2.0
- bitvec ==1.1.1.0
- bitvec ==1.1.2.0
- bitwise-enum ==1.0.1.0
- blake2 ==0.3.0
- blanks ==0.5.0
@ -301,10 +301,10 @@ default-package-overrides:
- btrfs ==0.2.0.0
- buffer-builder ==0.2.4.7
- buffer-pipe ==0.0
- bugsnag-haskell ==0.0.4.1
- bugsnag-haskell ==0.0.4.2
- bugsnag-hs ==0.2.0.7
- bugzilla-redhat ==0.3.3
- burrito ==1.2.0.3
- burrito ==1.2.0.4
- butcher ==1.3.3.2
- buttplug-hs-core ==0.1.0.1
- bv ==0.5
@ -320,7 +320,7 @@ default-package-overrides:
- bytestring-conversion ==0.3.1
- bytestring-lexing ==0.5.0.8
- bytestring-mmap ==0.2.2
- bytestring-strict-builder ==0.4.5.4
- bytestring-strict-builder ==0.4.5.5
- bytestring-to-vector ==0.3.0.1
- bytestring-tree-builder ==0.2.7.9
- bz2 ==1.0.1.0
@ -358,7 +358,7 @@ default-package-overrides:
- cassava-megaparsec ==2.0.4
- cast ==0.1.0.2
- category ==0.2.5.0
- cayley-client ==0.4.16
- cayley-client ==0.4.17
- cborg ==0.2.6.0
- cborg-json ==0.2.3.0
- cdar-mBound ==0.1.0.4
@ -399,7 +399,7 @@ default-package-overrides:
- clash-ghc ==1.4.6
- clash-lib ==1.4.6
- clash-prelude ==1.4.6
- classy-prelude ==1.5.0
- classy-prelude ==1.5.0.2
- classy-prelude-conduit ==1.5.0
- clay ==0.13.3
- clientsession ==0.9.1.2
@ -442,7 +442,7 @@ default-package-overrides:
- concise ==0.1.0.1
- concurrency ==1.11.0.2
- concurrent-extra ==0.7.0.12
- concurrent-output ==1.10.12
- concurrent-output ==1.10.14
- concurrent-split ==0.0.1.1
- concurrent-supply ==0.1.8
- cond ==0.4.1.1
@ -455,7 +455,7 @@ default-package-overrides:
- conduit-parse ==0.2.1.0
- conduit-zstd ==0.0.2.0
- conferer ==1.1.0.0
- conferer-aeson ==1.1.0.1
- conferer-aeson ==1.1.0.2
- conferer-hspec ==1.1.0.0
- conferer-warp ==1.1.0.0
- config-ini ==0.2.4.0
@ -490,7 +490,7 @@ default-package-overrides:
- crackNum ==3.1
- crc32c ==0.0.0
- credential-store ==0.1.2
- criterion ==1.5.11.0
- criterion ==1.5.12.0
- criterion-measurement ==0.1.3.0
- cron ==0.7.0
- crypto-api ==0.13.3
@ -523,8 +523,8 @@ default-package-overrides:
- curl ==1.3.8
- currencies ==0.2.0.0
- currency ==0.2.0.0
- cursor ==0.3.0.0
- cursor-brick ==0.1.0.0
- cursor ==0.3.2.0
- cursor-brick ==0.1.0.1
- cursor-fuzzy-time ==0.0.0.0
- cursor-gen ==0.3.0.0
- cutter ==0.0
@ -548,7 +548,7 @@ default-package-overrides:
- data-default-instances-old-locale ==0.0.1
- data-diverse ==4.7.0.0
- datadog ==0.2.5.0
- data-dword ==0.3.2
- data-dword ==0.3.2.1
- data-endian ==0.1.1
- data-fix ==0.3.2
- data-forest ==0.1.0.9
@ -584,7 +584,7 @@ default-package-overrides:
- dense-linear-algebra ==0.1.0.0
- dependent-map ==0.4.0.0
- dependent-sum ==0.7.1.0
- dependent-sum-template ==0.1.0.3
- dependent-sum-template ==0.1.1.1
- depq ==0.4.2
- deque ==0.4.4
- deriveJsonNoPrefix ==0.1.0.1
@ -595,7 +595,7 @@ default-package-overrides:
- dhall ==1.39.0
- dhall-bash ==1.0.37
- dhall-json ==1.7.7
- dhall-lsp-server ==1.0.16
- dhall-lsp-server ==1.0.17
- dhall-yaml ==1.2.7
- diagrams-solve ==0.1.3
- dialogflow-fulfillment ==0.1.1.4
@ -614,7 +614,6 @@ default-package-overrides:
- distributed-closure ==0.4.2.0
- distribution-opensuse ==1.1.1
- distributive ==0.6.2.1
- dl-fedora ==0.9.2
- dlist ==1.0
- dlist-instances ==0.1.1.1
- dlist-nonempty ==0.1.1
@ -658,7 +657,7 @@ default-package-overrides:
- edit-distance ==0.2.2.1
- edit-distance-vector ==1.0.0.4
- editor-open ==0.6.0.0
- egison ==4.1.2
- egison ==4.1.3
- egison-pattern-src ==0.2.1.2
- egison-pattern-src-th-mode ==0.2.1.2
- either ==5.0.1.1
@ -721,7 +720,7 @@ default-package-overrides:
- exception-hierarchy ==0.1.0.4
- exception-mtl ==0.4.0.1
- exceptions ==0.10.4
- exception-transformers ==0.4.0.10
- exception-transformers ==0.4.0.11
- exception-via ==0.1.0.0
- executable-path ==0.0.3.1
- exit-codes ==1.0.0
@ -760,7 +759,7 @@ default-package-overrides:
- file-embed-lzma ==0
- filelock ==0.1.1.5
- filemanip ==0.3.6.3
- filepath-bytestring ==1.4.2.1.8
- filepath-bytestring ==1.4.2.1.9
- file-path-th ==0.1.0.0
- filepattern ==0.1.2
- fileplow ==0.1.0.0
@ -785,7 +784,7 @@ default-package-overrides:
- flexible-defaults ==0.0.3
- FloatingHex ==0.5
- floatshow ==0.2.4
- flow ==1.0.22
- flow ==1.0.23
- flush-queue ==1.0.0
- fmlist ==0.9.4
- fmt ==0.6.3.0
@ -886,7 +885,7 @@ default-package-overrides:
- ghc-byteorder ==4.11.0.0.10
- ghc-check ==0.5.0.6
- ghc-core ==0.5.6
- ghc-events ==0.17.0
- ghc-events ==0.17.0.1
- ghc-exactprint ==0.6.4
- ghcid ==0.8.7
- ghci-hexcalc ==0.1.1.0
@ -900,11 +899,11 @@ default-package-overrides:
- ghc-source-gen ==0.4.2.0
- ghc-syntax-highlighter ==0.0.6.0
- ghc-tcplugins-extra ==0.4.2
- ghc-trace-events ==0.1.2.3
- ghc-trace-events ==0.1.2.4
- ghc-typelits-extra ==0.4.3
- ghc-typelits-knownnat ==0.7.6
- ghc-typelits-natnormalise ==0.7.6
- ghc-typelits-presburger ==0.6.1.0
- ghc-typelits-presburger ==0.6.2.0
- ghost-buster ==0.1.1.0
- gi-atk ==2.0.23
- gi-cairo ==1.0.25
@ -919,7 +918,7 @@ default-package-overrides:
- gi-gobject ==2.0.26
- gi-graphene ==1.0.3
- gi-gtk ==3.0.37
- gi-gtk-hs ==0.3.11
- gi-gtk-hs ==0.3.12
- gi-harfbuzz ==0.0.4
- ginger ==0.10.1.0
- gingersnap ==0.3.1.0
@ -945,7 +944,7 @@ default-package-overrides:
- goldplate ==0.2.0
- google-isbn ==1.0.3
- gopher-proxy ==0.1.1.2
- gothic ==0.1.7
- gothic ==0.1.8
- gpolyline ==0.1.0.1
- graph-core ==0.3.0.0
- graphite ==0.10.0.1
@ -1011,7 +1010,7 @@ default-package-overrides:
- hasql-transaction ==1.0.1
- hasty-hamiltonian ==1.3.4
- HaTeX ==3.22.3.0
- HaXml ==1.25.7
- HaXml ==1.25.8
- haxr ==3000.11.4.1
- HCodecs ==0.5.2
- hdaemonize ==0.5.6
@ -1046,7 +1045,7 @@ default-package-overrides:
- highlighting-kate ==0.6.4
- hinfo ==0.0.3.0
- hinotify ==0.4.1
- hint ==0.9.0.4
- hint ==0.9.0.5
- hjsmin ==0.2.0.4
- hkd-default ==1.1.0.0
- hkgr ==0.3
@ -1072,7 +1071,7 @@ default-package-overrides:
- hnock ==0.4.0
- hoauth2 ==1.16.0
- hoogle ==5.0.18.2
- hOpenPGP ==2.9.5
- hOpenPGP ==2.9.7
- hopenpgp-tools ==0.23.6
- hopenssl ==2.2.4
- hopfli ==0.2.2.1
@ -1082,7 +1081,7 @@ default-package-overrides:
- hourglass ==0.2.12
- hourglass-orphans ==0.1.0.0
- hp2pretty ==0.10
- hpack ==0.34.5
- hpack ==0.34.6
- hpack-dhall ==0.5.3
- hpc-codecov ==0.3.0.0
- hpc-lcov ==1.0.1
@ -1158,12 +1157,12 @@ default-package-overrides:
- http-common ==0.8.3.4
- http-conduit ==2.3.8
- http-date ==0.0.11
- http-directory ==0.1.8
- http-directory ==0.1.9
- http-download ==0.2.0.0
- httpd-shed ==0.4.1.1
- http-link-header ==1.2.1
- http-media ==0.8.0.0
- http-query ==0.1.0.1
- http-query ==0.1.1
- http-reverse-proxy ==0.6.0
- http-streams ==0.8.9.4
- http-types ==0.12.3
@ -1214,7 +1213,7 @@ default-package-overrides:
- ieee754 ==0.8.0
- if ==0.1.0.0
- iff ==0.0.6
- ihaskell ==0.10.2.1
- ihaskell ==0.10.2.2
- ihs ==0.1.0.3
- ilist ==0.4.0.1
- imagesize-conduit ==1.1
@ -1233,7 +1232,7 @@ default-package-overrides:
- indexed-traversable-instances ==0.1
- infer-license ==0.2.0
- inflections ==0.4.0.6
- influxdb ==1.9.2.1
- influxdb ==1.9.2.2
- ini ==0.4.1
- inj ==1.0
- inline-c ==0.9.1.5
@ -1246,7 +1245,7 @@ default-package-overrides:
- instance-control ==0.1.2.0
- int-cast ==0.2.0.0
- integer-logarithms ==1.0.3.1
- integer-roots ==1.0.1.0
- integer-roots ==1.0.2.0
- integration ==0.2.1
- intern ==0.9.4
- interpolate ==0.2.1
@ -1272,7 +1271,7 @@ default-package-overrides:
- iproute ==1.7.12
- IPv6Addr ==2.0.3
- ipynb ==0.1.0.2
- ipython-kernel ==0.10.2.1
- ipython-kernel ==0.10.2.2
- irc ==0.6.1.0
- irc-client ==1.1.2.2
- irc-conduit ==0.3.0.5
@ -1310,11 +1309,11 @@ default-package-overrides:
- JuicyPixels-scale-dct ==0.1.2
- junit-xml ==0.1.0.2
- justified-containers ==0.3.0.0
- jwt ==0.10.0
- jwt ==0.10.1
- kan-extensions ==5.2.3
- kanji ==3.4.1
- katip ==0.8.7.0
- katip-logstash ==0.1.0.0
- katip-logstash ==0.1.0.2
- kawhi ==0.3.0
- kazura-queue ==0.1.0.4
- kdt ==0.2.4
@ -1345,7 +1344,7 @@ default-package-overrides:
- language-javascript ==0.7.1.0
- language-protobuf ==1.0.1
- language-python ==0.5.8
- language-thrift ==0.12.0.0
- language-thrift ==0.12.0.1
- lapack ==0.3.2
- lapack-carray ==0.0.3
- lapack-comfort-array ==0.0.1
@ -1378,7 +1377,7 @@ default-package-overrides:
- lens-regex-pcre ==1.1.0.0
- lenz ==0.4.2.0
- leveldb-haskell ==0.6.5
- libBF ==0.6.2
- libBF ==0.6.3
- libffi ==0.1
- libgit ==0.3.1
- libgraph ==1.14
@ -1404,7 +1403,7 @@ default-package-overrides:
- list-predicate ==0.1.0.1
- listsafe ==0.1.0.1
- list-singleton ==1.0.0.5
- list-t ==1.0.5
- list-t ==1.0.5.1
- list-transformer ==1.0.7
- ListTree ==0.2.3
- literatex ==0.1.0.2
@ -1423,7 +1422,7 @@ default-package-overrides:
- logging-facade ==0.3.1
- logging-facade-syslog ==1
- logict ==0.7.1.0
- logstash ==0.1.0.1
- logstash ==0.1.0.3
- loop ==0.3.0
- lrucache ==1.2.0.1
- lrucaching ==0.3.3
@ -1445,7 +1444,7 @@ default-package-overrides:
- mainland-pretty ==0.7.1
- main-tester ==0.2.0.1
- makefile ==1.1.0.0
- managed ==1.0.8
- managed ==1.0.9
- MapWith ==0.2.0.0
- markdown ==0.1.17.5
- markdown-unlit ==0.5.1
@ -1582,7 +1581,7 @@ default-package-overrides:
- murmur3 ==1.0.5
- murmur-hash ==0.1.0.10
- MusicBrainz ==0.4.1
- mustache ==2.3.1
- mustache ==2.3.2
- mutable-containers ==0.3.4
- mwc-probability ==2.3.1
- mwc-random ==0.15.0.2
@ -1664,7 +1663,7 @@ default-package-overrides:
- ObjectName ==1.1.0.2
- o-clock ==1.2.1
- odbc ==0.2.5
- oeis2 ==1.0.5
- oeis2 ==1.0.6
- ofx ==0.4.4.0
- old-locale ==1.0.0.7
- old-time ==1.1.0.3
@ -1779,7 +1778,7 @@ default-package-overrides:
- pipes-attoparsec ==0.5.1.5
- pipes-binary ==0.4.3
- pipes-bytestring ==2.1.7
- pipes-concurrency ==2.0.12
- pipes-concurrency ==2.0.14
- pipes-csv ==1.4.3
- pipes-extras ==1.0.15
- pipes-fastx ==0.3.0.0
@ -1823,7 +1822,7 @@ default-package-overrides:
- postgrest ==7.0.1
- post-mess-age ==0.2.1.0
- pptable ==0.3.0.0
- pqueue ==1.4.1.3
- pqueue ==1.4.1.4
- prairie ==0.0.1.0
- prefix-units ==0.2.0
- prelude-compat ==0.0.0.2
@ -1854,7 +1853,7 @@ default-package-overrides:
- probability ==0.2.7
- process-extras ==0.7.4
- product-isomorphic ==0.0.3.3
- product-profunctors ==0.11.0.2
- product-profunctors ==0.11.0.3
- profiterole ==0.1
- profunctors ==5.6.2
- projectroot ==0.2.0.1
@ -1876,7 +1875,7 @@ default-package-overrides:
- protolude ==0.3.0
- proxied ==0.3.1
- psqueues ==0.2.7.3
- ptr-poker ==0.1.1.4
- ptr-poker ==0.1.2.3
- publicsuffix ==0.20200526
- pulse-simple ==0.1.14
- pureMD5 ==2.1.4
@ -1945,7 +1944,7 @@ default-package-overrides:
- read-env-var ==1.0.0.0
- reanimate ==1.1.4.0
- reanimate-svg ==0.13.0.1
- rebase ==1.13.1
- rebase ==1.13.2
- record-dot-preprocessor ==0.2.13
- record-hasfield ==1.0
- records-sop ==0.1.1.0
@ -1961,8 +1960,8 @@ default-package-overrides:
- reform-hamlet ==0.0.5.3
- reform-happstack ==0.2.5.4
- RefSerialize ==0.4.0
- ref-tf ==0.5
- regex ==1.1.0.0
- ref-tf ==0.5.0.1
- regex ==1.1.0.1
- regex-applicative ==0.3.4
- regex-applicative-text ==0.1.0.1
- regex-base ==0.94.0.2
@ -1973,15 +1972,15 @@ default-package-overrides:
- regex-posix ==0.96.0.1
- regex-posix-clib ==2.7
- regex-tdfa ==1.3.1.1
- regex-with-pcre ==1.1.0.0
- registry ==0.2.0.3
- regex-with-pcre ==1.1.0.1
- registry ==0.2.1.0
- reinterpret-cast ==0.1.0
- relapse ==1.0.0.0
- relational-query ==0.12.3.0
- relational-query-HDBC ==0.7.2.0
- relational-record ==0.2.2.0
- relational-schemas ==0.1.8.0
- reliable-io ==0.0.1
- reliable-io ==0.0.2
- relude ==0.7.0.0
- renderable ==0.2.0.1
- replace-attoparsec ==1.4.5.0
@ -1989,7 +1988,7 @@ default-package-overrides:
- repline ==0.4.0.0
- req ==3.9.0
- req-conduit ==1.0.1
- rerebase ==1.13.1
- rerebase ==1.13.2
- rescue ==0.4.2.1
- resistor-cube ==0.0.1.2
- resolv ==0.1.2.0
@ -2030,7 +2029,7 @@ default-package-overrides:
- safe-exceptions ==0.1.7.2
- safe-foldable ==0.1.0.0
- safeio ==0.0.5.0
- safe-json ==1.1.1.1
- safe-json ==1.1.2.0
- safe-money ==0.9.1
- SafeSemaphore ==0.10.1
- safe-tensor ==0.2.1.1
@ -2107,7 +2106,7 @@ default-package-overrides:
- servant-machines ==0.15.1
- servant-multipart ==0.12.1
- servant-multipart-api ==0.12.1
- servant-openapi3 ==2.0.1.2
- servant-openapi3 ==2.0.1.3
- servant-pipes ==0.15.3
- servant-rawm ==1.0.0.0
- servant-server ==0.18.3
@ -2195,7 +2194,7 @@ default-package-overrides:
- sourcemap ==0.1.6.1
- sox ==0.2.3.1
- soxlib ==0.0.3.1
- spacecookie ==1.0.0.0
- spacecookie ==1.0.0.1
- sparse-linear-algebra ==0.3.1
- sparse-tensor ==0.2.1.5
- spatial-math ==0.5.0.1
@ -2237,7 +2236,7 @@ default-package-overrides:
- stm-split ==0.0.2.1
- stopwatch ==0.1.0.6
- storable-complex ==0.2.3.0
- storable-endian ==0.2.6
- storable-endian ==0.2.6.1
- storable-record ==0.0.5
- storable-tuple ==0.0.3.3
- storablevector ==0.2.13.1
@ -2249,7 +2248,7 @@ default-package-overrides:
- streaming ==0.2.3.0
- streaming-attoparsec ==1.0.0.1
- streaming-bytestring ==0.2.1
- streaming-commons ==0.2.2.2
- streaming-commons ==0.2.2.3
- streamly ==0.7.3
- streams ==3.3
- streamt ==0.5.0.0
@ -2314,7 +2313,7 @@ default-package-overrides:
- tar ==0.5.1.1
- tar-conduit ==0.3.2
- tardis ==0.4.3.0
- tasty ==1.4.2
- tasty ==1.4.2.1
- tasty-ant-xml ==1.1.8
- tasty-bench ==0.2.5
- tasty-dejafu ==2.0.0.8
@ -2331,7 +2330,7 @@ default-package-overrides:
- tasty-leancheck ==0.0.2
- tasty-lua ==0.2.3.2
- tasty-program ==1.0.5
- tasty-quickcheck ==0.10.1.2
- tasty-quickcheck ==0.10.2
- tasty-rerun ==1.1.18
- tasty-silver ==3.2.3
- tasty-smallcheck ==0.8.2
@ -2358,7 +2357,7 @@ default-package-overrides:
- test-framework-smallcheck ==0.2
- test-fun ==0.1.0.0
- testing-type-modifiers ==0.1.0.1
- texmath ==0.12.3.2
- texmath ==0.12.3.3
- text-ansi ==0.1.1
- text-binary ==0.2.1.1
- text-builder ==0.6.6.3
@ -2394,7 +2393,7 @@ default-package-overrides:
- th-expand-syns ==0.4.8.0
- th-extras ==0.0.0.5
- th-lift ==0.8.2
- th-lift-instances ==0.1.18
- th-lift-instances ==0.1.19
- th-nowq ==0.1.0.5
- th-orphans ==0.13.12
- th-printf ==0.7
@ -2430,7 +2429,7 @@ default-package-overrides:
- tinylog ==0.15.0
- titlecase ==1.0.1
- tldr ==0.9.2
- tls ==1.5.5
- tls ==1.5.6
- tls-debug ==0.4.8
- tls-session-manager ==0.0.4
- tlynx ==0.5.1.1
@ -2465,7 +2464,7 @@ default-package-overrides:
- turtle ==1.5.23
- typecheck-plugin-nat-simple ==0.1.0.2
- TypeCompose ==0.9.14
- typed-process ==0.2.7.0
- typed-process ==0.2.8.0
- typed-uuid ==0.1.0.0
- type-equality ==1
- type-errors ==0.2.0.0
@ -2477,7 +2476,7 @@ default-package-overrides:
- type-level-numbers ==0.1.1.1
- typelits-witnesses ==0.4.0.0
- type-map ==0.1.6.0
- type-natural ==1.1.0.0
- type-natural ==1.1.0.1
- typenums ==0.1.4
- type-of-html ==1.6.2.0
- type-of-html-static ==0.1.0.2
@ -2487,7 +2486,7 @@ default-package-overrides:
- tzdata ==0.2.20201021.0
- ua-parser ==0.7.6.0
- uglymemo ==0.1.0.1
- unagi-chan ==0.4.1.3
- unagi-chan ==0.4.1.4
- unbounded-delays ==0.1.1.1
- unboxed-ref ==0.4.0.0
- unboxing-vector ==0.2.0.0
@ -2528,7 +2527,7 @@ default-package-overrides:
- unliftio-pool ==0.2.1.1
- unliftio-streams ==0.1.1.1
- unlit ==0.4.0.0
- unordered-containers ==0.2.15.0
- unordered-containers ==0.2.16.0
- unsafe ==0.0
- urbit-hob ==0.3.3
- uri-bytestring ==0.3.3.1
@ -2553,7 +2552,7 @@ default-package-overrides:
- validity-persistent ==0.0.0.0
- validity-primitive ==0.0.0.1
- validity-scientific ==0.2.0.3
- validity-text ==0.3.1.1
- validity-text ==0.3.1.2
- validity-time ==0.4.0.0
- validity-unordered-containers ==0.2.0.3
- validity-uuid ==0.1.0.3
@ -2577,7 +2576,7 @@ default-package-overrides:
- vector-split ==1.0.0.2
- vector-th-unbox ==0.2.2
- verbosity ==0.4.0.0
- versions ==5.0.0
- versions ==5.0.1
- vformat ==0.14.1.0
- vformat-aeson ==0.1.0.1
- vformat-time ==0.1.0.0
@ -2594,7 +2593,7 @@ default-package-overrides:
- wai-extra ==3.1.7
- wai-feature-flags ==0.1.0.2
- wai-handler-launch ==3.0.3.1
- wai-logger ==2.3.6
- wai-logger ==2.3.7
- wai-middleware-auth ==0.2.5.1
- wai-middleware-caching ==0.1.0.2
- wai-middleware-clacks ==0.1.0.1
@ -2624,12 +2623,12 @@ default-package-overrides:
- weigh ==0.0.16
- wide-word ==0.1.1.2
- wikicfp-scraper ==0.1.0.12
- wild-bind ==0.1.2.7
- wild-bind-x11 ==0.2.0.13
- wild-bind ==0.1.2.8
- wild-bind-x11 ==0.2.0.14
- Win32 ==2.6.2.1
- Win32-notify ==0.3.0.3
- windns ==0.1.0.1
- witch ==0.3.4.0
- witch ==0.3.4.1
- witherable ==0.4.2
- within ==0.2.0.1
- with-location ==0.1.0
@ -2650,9 +2649,9 @@ default-package-overrides:
- writer-cps-mtl ==0.1.1.6
- writer-cps-transformers ==0.5.6.1
- wss-client ==0.3.0.0
- wuss ==1.1.18
- wuss ==1.1.19
- X11 ==1.10.2
- X11-xft ==0.3.1
- X11-xft ==0.3.4
- x11-xim ==0.0.9.0
- x509 ==1.7.5
- x509-store ==1.6.7


@ -650,7 +650,6 @@ dont-distribute-packages:
- cakyrespa
- cal3d-examples
- cal3d-opengl
- calamity-commands
- calc
- calculator
- caldims
@ -930,6 +929,7 @@ dont-distribute-packages:
- delta
- delta-h
- dep-t-advice
- dep-t-dynamic
- dependent-literals-plugin
- dependent-state
- dephd
@ -1087,6 +1087,7 @@ dont-distribute-packages:
- falling-turnip
- fallingblocks
- family-tree
- fast-bech32
- fastirc
- fault-tree
- fbrnch
@ -1514,6 +1515,7 @@ dont-distribute-packages:
- hedgehog-gen-json
- hedis-pile
- heist-aeson
- helic
- helics
- helics-wai
- helium
@ -2250,6 +2252,7 @@ dont-distribute-packages:
- numhask-range
- numhask-test
- nymphaea
- oath
- obd
- obdd
- oberon0
@ -2375,18 +2378,9 @@ dont-distribute-packages:
- polh-lexicon
- polydata
- polysemy-RandomFu
- polysemy-check
- polysemy-conc
- polysemy-http
- polysemy-log
- polysemy-log-co
- polysemy-log-di
- polysemy-methodology-co-log
- polysemy-optics
- polysemy-process
- polysemy-readline
- polysemy-resume
- polysemy-webserver
- polyseq
- polytypeable-utils
- pomodoro
@ -3080,6 +3074,7 @@ dont-distribute-packages:
- typed-encoding-encoding
- typed-spreadsheet
- typed-streams
- typelet
- typelevel
- typelevel-rewrite-rules
- typescript-docs


@ -718,9 +718,13 @@ self: super: builtins.intersectAttrs super {
postgresql-pure = dontCheck super.postgresql-pure;
retrie = overrideCabal (drv: {
testToolDepends = [ pkgs.git pkgs.mercurial ];
testToolDepends = [ pkgs.git pkgs.mercurial ] ++ drv.testToolDepends or [];
}) super.retrie;
retrie_1_2_0_0 = overrideCabal (drv: {
testToolDepends = [ pkgs.git pkgs.mercurial ] ++ drv.testToolDepends or [];
}) super.retrie_1_2_0_0;
nix-output-monitor = overrideCabal {
# Can't ran the golden-tests with nix, because they call nix
testTarget = "unit-tests";
@ -1037,4 +1041,11 @@ self: super: builtins.intersectAttrs super {
})
] ++ (drv.patches or []);
}) super.graphviz;
# Test case tries to contact the network
http-api-data-qq = overrideCabal (drv: {
testFlags = [
"-p" "!/Can be used with http-client/"
] ++ drv.testFlags or [];
}) super.http-api-data-qq;
}
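Review bot: The `retrie` and `retrie_1_2_0_0` overrides carry the same `overrideCabal` body verbatim, which is the kind of duplication that drifts the next time one of them needs an extra test tool. A tiny local helper keeps them in step, e.g. `addGitHgTools = overrideCabal (drv: { testToolDepends = [ pkgs.git pkgs.mercurial ] ++ drv.testToolDepends or []; });` followed by `retrie = addGitHgTools super.retrie;` and `retrie_1_2_0_0 = addGitHgTools super.retrie_1_2_0_0;`. The second hunk's network-test exclusion for `http-api-data-qq` is fine as written; its comment already names the reason.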



@ -1,5 +1,6 @@
{ stdenv
, lib
, buildPackages
, fetchFromGitLab
, removeReferencesTo
, python3
@ -171,12 +172,17 @@ let
postInstall = ''
mkdir $out/nix-support
pushd $lib/share/pipewire
for f in *.conf; do
echo "Generating JSON from $f"
$out/bin/spa-json-dump "$f" > "$out/nix-support/$f.json"
done
popd
${if (stdenv.hostPlatform == stdenv.buildPlatform) then ''
pushd $lib/share/pipewire
for f in *.conf; do
echo "Generating JSON from $f"
$out/bin/spa-json-dump "$f" > "$out/nix-support/$f.json"
done
popd
'' else ''
cp ${buildPackages.pipewire}/nix-support/*.json "$out/nix-support"
''}
moveToOutput "share/systemd/user/pipewire-pulse.*" "$pulse"
moveToOutput "lib/systemd/user/pipewire-pulse.*" "$pulse"
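Review bot: The cross branch `cp ${buildPackages.pipewire}/nix-support/*.json "$out/nix-support"` silently assumes the build-platform pipewire's `*.conf` files are identical to the ones this derivation installs into `$lib/share/pipewire` for the host, so any platform-specific difference in the configs would be masked by stale JSON. That assumption deserves to be stated next to the copy, e.g. `# spa-json-dump can't run on the build machine when cross-compiling; reuse the build platform's JSON (assumes the *.conf files are platform-independent)`. The `postInstall` script continues past the hunk.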


@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "qtstyleplugin-kvantum-qt4";
version = "0.20.1";
version = "0.20.2";
src = fetchFromGitHub {
owner = "tsujan";
repo = "Kvantum";
rev = "V${version}";
sha256 = "sha256-sY2slI9ZVuEurBIEaJMxUiKiUNXx+h7UEwEZKKr7R2Y=";
sha256 = "sha256-aIhLrGKb8iPl8N483+EOaCrTua96Qvl2lc2UXRiqvJA=";
};
nativeBuildInputs = [ qmake4Hook ];


@ -2,11 +2,11 @@
buildPythonPackage rec {
pname = "deep-translator";
version = "1.5.5";
version = "1.6.0";
src = fetchPypi {
inherit pname version;
sha256 = "sha256-XARhzRsquvKcdhPcooGIEmhGN7QJOCubcvOrZB0nhxU=";
sha256 = "sha256-B/SnLSaCRVhQvSU2hmdKPswM2N73nHAzQfVNBMgCofI=";
};
propagatedBuildInputs = [


@ -3,11 +3,11 @@
buildPythonPackage rec {
pname = "django_compressor";
version = "2.4.1";
version = "3.1";
src = fetchPypi {
inherit pname version;
sha256 = "3358077605c146fdcca5f9eaffb50aa5dbe15f238f8854679115ebf31c0415e0";
sha256 = "c4a87bf65f9a534cfaf1c321a000a229c24e50c6d62ba6ab089482db42e819d9";
};
postPatch = ''
substituteInPlace setup.py \


@ -8,7 +8,7 @@
buildPythonPackage rec {
pname = "flux-led";
version = "0.27.13";
version = "0.27.17";
format = "setuptools";
disabled = pythonOlder "3.7";
@ -17,7 +17,7 @@ buildPythonPackage rec {
owner = "Danielhiversen";
repo = "flux_led";
rev = version;
sha256 = "sha256-lOfEEMHuhTfti7NYeZpXc+jeYQMJd/EnvT1oHByaCbw=";
sha256 = "sha256-cb1QbGeOudxLOxU4aEVWYOzCrZ+xFl8F5qHVJdOhPlg=";
};
propagatedBuildInputs = [


@ -10,12 +10,12 @@
buildPythonPackage rec {
pname = "jupyterlab";
version = "3.2.4";
version = "3.2.5";
disabled = pythonOlder "3.5";
src = fetchPypi {
inherit pname version;
sha256 = "f692e0d95338d60f72dde660f16f3955a087775c59ec541ddb25952e3f97e9b1";
sha256 = "31b28f473b0f5826d2020583973c385526f0559b5b26efac6b8035ac1562874a";
};
nativeBuildInputs = [ jupyter-packaging ];


@ -0,0 +1,45 @@
{ lib
, buildPythonPackage
, fetchPypi
, pythonOlder
, h5py
, nibabel
, numpy
, setuptools-scm
, toml
}:
buildPythonPackage rec {
pname = "nitransforms";
version = "21.0.0";
disabled = pythonOlder "3.7";
src = fetchPypi {
inherit pname version;
sha256 = "njJqHqXVxldyGfmdM8GmgKdgIT4kMYLzcM5+ayR2EDo=";
};
buildInputs = [ setuptools-scm toml ];
propagatedBuildInputs = [ h5py nibabel numpy ];
doCheck = false;
# relies on data repo (https://github.com/nipreps-data/nitransforms-tests);
# probably too heavy
pythonImportsCheck = [
"nitransforms"
"nitransforms.base"
"nitransforms.io"
"nitransforms.io.base"
"nitransforms.linear"
"nitransforms.manip"
"nitransforms.nonlinear"
"nitransforms.patched"
];
meta = with lib; {
homepage = "https://nitransforms.readthedocs.io";
description = "Geometric transformations for images and surfaces";
license = licenses.mit;
maintainers = with maintainers; [ bcdarwin ];
};
}
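Review bot: The explanation for `doCheck = false;` is placed below the attribute rather than above it, which reads as a comment on `pythonImportsCheck`; moving the two comment lines above `doCheck = false;` makes the reason attach to the right line. `setuptools-scm` and `toml` are build-time tools and fit `nativeBuildInputs` more accurately than `buildInputs`, though both spellings are common in this tree. The `pythonImportsCheck` list is a good substitute given the tests are skipped.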


@ -17,7 +17,7 @@
buildPythonPackage rec {
pname = "openai";
version = "0.11.4";
version = "0.11.5";
disabled = pythonOlder "3.7.1";
@ -26,7 +26,7 @@ buildPythonPackage rec {
owner = "openai";
repo = "openai-python";
rev = "v${version}";
sha256 = "O2O4+GkyMyAxJqMNgiyPKoSXeJk0HGAst02QV6c9mJs=";
sha256 = "sha256-6eL3/vDWyIOVjRQo4OO3OgyUG3t8dKPtxzMMTxPCglM=";
};
propagatedBuildInputs = [


@ -17,7 +17,7 @@ let
in
buildPythonPackage rec {
pname = "panel";
version = "0.12.5";
version = "0.12.6";
# Don't forget to also update the node packages
# 1. retrieve the package.json file
@ -25,7 +25,7 @@ buildPythonPackage rec {
# 3. node2nix
src = fetchPypi {
inherit pname version;
sha256 = "351481f2a2176359b28effa64c9d9fce487d6758514109cab96f9ed84787ae99";
sha256 = "97e158e8eb941f88d71929407f9455c903b5e18d89969db8ce8af66036f46b53";
};
# Since 0.10.0 panel attempts to fetch from the web.


@ -6,12 +6,12 @@
buildPythonPackage rec {
pname = "phonenumbers";
version = "8.12.39";
version = "8.12.40";
format = "setuptools";
src = fetchPypi {
inherit pname version;
sha256 = "0f7745e1f108654db347d885e814cbb5f225b8c5f5ce336024b193c79291ddaa";
sha256 = "00f2955a456b458f9b6ab0d24329049c3e7358c44dfc1979fe4908ced40f1eb8";
};
checkInputs = [


@ -11,7 +11,7 @@
buildPythonPackage rec {
pname = "pycarwings2";
version = "2.12";
version = "2.13";
format = "setuptools";
disabled = pythonOlder "3.5";
@ -20,8 +20,8 @@ buildPythonPackage rec {
owner = "filcole";
repo = pname;
# release not tagged: https://github.com/filcole/pycarwings2/issues/33
rev = "0dc9e7e74cb119614c72c7f955801a366f303c56";
sha256 = "sha256-3lyAgLuaNrCDvRT2yYkgaDiLPKW9Hbg05cQlMIBUs6o=";
rev = "v${version}";
sha256 = "04k1la7wix6sp668nqpwdhd3057b2bzcz7h2b9a57cxlifl8pjxf";
};
propagatedBuildInputs = [
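Review bot: The surviving comment `# release not tagged: https://github.com/filcole/pycarwings2/issues/33` now contradicts the new `rev = "v${version}";`, which fetches by tag; the comment should be dropped, or replaced by one noting the tag is used from this version on. The new hash is also written in base32 where the line it replaces used the SRI form `sha256-…`, so the file now mixes the two styles for no reason; keeping the SRI form (as produced by `nix hash to-sri` or by the fetcher's mismatch message) is more consistent. The `src` attribute set continues outside the hunk.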


@ -1,16 +1,14 @@
{ lib, substituteAll, buildPythonPackage, fetchFromGitHub
{ lib, substituteAll, buildPythonPackage, fetchPypi
, pandoc, texlive
}:
buildPythonPackage rec {
pname = "pypandoc";
version = "1.7.0";
version = "1.7.2";
src = fetchFromGitHub {
owner = "NicklasTegner";
repo = pname;
rev = "v${version}";
sha256 = "00r88qcvc9jpi8jvd6rpizz9gm33aq8hc3mf8lrarrjiq2fsxmk9";
src = fetchPypi {
inherit pname version;
sha256 = "1wk8jxnysb7sa55zhxx5brylv00ivamqbk1b4lbzi58ziij08p03";
};
patches = [


@ -0,0 +1,48 @@
{ lib, stdenv, fetchFromGitHub, SDL2, cmake, makeWrapper }:
stdenv.mkDerivation rec {
pname = "nanosaur";
version = "unstable-2021-12-03";
src = fetchFromGitHub {
owner = "jorio";
repo = pname;
rev = "b567a3e6d7fd1cbc43800cfaa1bd82f31c6d9fae";
sha256 = "sha256-P/o6uSwUV6O8u8XNXN9YyA8XlgEUkqGj3SC+oD2/GKQ=";
fetchSubmodules = true;
};
buildInputs = [
SDL2
cmake
makeWrapper
];
configurePhase = ''
cmake -S . -B build -DCMAKE_BUILD_TYPE=Release
'';
buildPhase = ''
cmake --build build
'';
installPhase = ''
mv build $out
makeWrapper $out/Nanosaur $out/bin/Nanosaur --run "cd $out"
'';
meta = with lib; {
description = "A port of Nanosaur, a 1998 Macintosh game by Pangea Software, for modern operating systems";
longDescription = ''
Nanosaur is a 1998 Macintosh game by Pangea Software.
In it, youre a cybernetic dinosaur from the future whos sent back in time 20 minutes before a giant asteroid hits the Earth.
And you get to shoot at T-Rexes with nukes.
'';
homepage = "https://github.com/jorio/Nanosaur";
license = with licenses; [
cc-by-sa-40
];
maintainers = with maintainers; [ lux ];
platforms = platforms.linux;
};
}
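Review bot: `cmake` and `makeWrapper` are build-time tools and belong in `nativeBuildInputs`, leaving `buildInputs = [ SDL2 ];`; as written the derivation would not cross-compile and `cmake` ends up as a runtime dependency of the output. The `installPhase` of `mv build $out` copies the whole CMake build tree (object files, CMakeCache, generated Makefiles) into the store rather than installing the game's files, so the closure is larger than it needs to be and the wrapper's `--run "cd $out"` then makes the game run from the store root; if the upstream CMake project has an install target, `cmake --install build --prefix $out` would be the cleaner route, though I cannot confirm from the hunk what it installs. In `longDescription` the words `youre` and `whos` appear to have lost their apostrophes — possibly an extraction artifact, but worth checking in the file.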


@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "vkquake";
version = "1.12.1";
version = "1.12.2";
src = fetchFromGitHub {
owner = "Novum";
repo = "vkQuake";
rev = version;
sha256 = "sha256-D6JtYhR+bkYYm4yuipNrsonziDGiDWICEohy4Mgdr+0=";
sha256 = "sha256-+AUSsqarDW40JKgDUIF3G9RNOKqQLuQHOGF23L8anPQ=";
};
sourceRoot = "source/Quake";


@ -3,21 +3,23 @@
, fetchFromGitHub
, cmake
, wrapQtAppsHook
, SDL2
, qtbase
, qtmultimedia
, boost17x
, libpulseaudio
, pkg-config
, libusb1
, zstd
, libressl
, alsa-lib
, rapidjson
, aacHleDecoding ? true
, fdk_aac
, ffmpeg-full
, enableSdl2 ? true, SDL2
, enableQt ? true, qtbase, qtmultimedia
, enableQtTranslation ? enableQt, qttools
, enableWebService ? true
, enableCubeb ? true, libpulseaudio
, enableFfmpegAudioDecoder ? true
, enableFfmpegVideoDumper ? true
, ffmpeg
, useDiscordRichPresence ? true, rapidjson
, enableFdk ? false, fdk_aac
}:
assert lib.assertMsg (!enableFfmpegAudioDecoder || !enableFdk) "Can't enable both enableFfmpegAudioDecoder and enableFdk";
stdenv.mkDerivation {
pname = "citra";
@ -31,36 +33,43 @@ stdenv.mkDerivation {
fetchSubmodules = true;
};
nativeBuildInputs = [ cmake wrapQtAppsHook pkg-config ];
nativeBuildInputs = [
cmake
pkg-config
]
++ lib.optionals enableQt [ wrapQtAppsHook ];
buildInputs = [
SDL2
qtbase
qtmultimedia
libpulseaudio
boost17x
libusb1
alsa-lib
rapidjson # for discord-rpc
] ++ lib.optional aacHleDecoding [ fdk_aac ffmpeg-full ];
]
++ lib.optionals enableSdl2 [ SDL2 ]
++ lib.optionals enableQt [ qtbase qtmultimedia ]
++ lib.optionals enableQtTranslation [ qttools ]
++ lib.optionals enableCubeb [ libpulseaudio ]
++ lib.optionals (enableFfmpegAudioDecoder || enableFfmpegVideoDumper) [ ffmpeg ]
++ lib.optionals useDiscordRichPresence [ rapidjson ]
++ lib.optionals enableFdk [ fdk_aac ];
cmakeFlags = [
"-DUSE_SYSTEM_BOOST=ON"
"-DUSE_DISCORD_PRESENCE=ON"
] ++ lib.optionals aacHleDecoding [
"-DENABLE_FFMPEG_AUDIO_DECODER=ON"
"-DCITRA_USE_BUNDLED_FFMPEG=OFF"
];
]
++ lib.optionals (!enableSdl2) [ "-DENABLE_SDL2=OFF" ]
++ lib.optionals (!enableQt) [ "-DENABLE_QT=OFF" ]
++ lib.optionals enableQtTranslation [ "-DENABLE_QT_TRANSLATION=ON" ]
++ lib.optionals (!enableWebService) [ "-DENABLE_WEB_SERVICE=OFF" ]
++ lib.optionals (!enableCubeb) [ "-DENABLE_CUBEB=OFF" ]
++ lib.optionals enableFfmpegAudioDecoder [ "-DENABLE_FFMPEG_AUDIO_DECODER=ON"]
++ lib.optionals enableFfmpegVideoDumper [ "-DENABLE_FFMPEG_VIDEO_DUMPER=ON" ]
++ lib.optionals useDiscordRichPresence [ "-DUSE_DISCORD_PRESENCE=ON" ]
++ lib.optionals enableFdk [ "-DENABLE_FDK=ON" ];
postPatch = ''
# we already know the submodules are present
# We already know the submodules are present
substituteInPlace CMakeLists.txt \
--replace "check_submodules_present()" ""
# Trick configure system.
sed -n 's,^ *path = \(.*\),\1,p' .gitmodules | while read path; do
mkdir "$path/.git"
done
# Devendoring
rm -rf externals/zstd externals/libressl
cp -r ${zstd.src} externals/zstd
tar xf ${libressl.src} -C externals/
@ -69,6 +78,7 @@ stdenv.mkDerivation {
'';
# Todo: cubeb audio backend (the default one) doesn't work on the SDL interface.
# This seems to be a problem with libpulseaudio, other applications have similar problems (e.g Duckstation).
# Note that the two interfaces have two separate configuration files.
meta = with lib; {
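Review bot: The removed `"-DCITRA_USE_BUNDLED_FFMPEG=OFF"` has no counterpart in the new `cmakeFlags`, so when `enableFfmpegAudioDecoder` or `enableFfmpegVideoDumper` is on the build may no longer be told to prefer the system `ffmpeg` it is handed in `buildInputs`; I cannot confirm from the hunk what the upstream default is, but restoring the flag under `lib.optionals (enableFfmpegAudioDecoder || enableFfmpegVideoDumper)` is cheap and avoids a silent fallback to vendored sources. As a style nit, `"-DENABLE_FFMPEG_AUDIO_DECODER=ON"]` is missing the space before `]` that every neighbouring line has. `enableWebService ? true` keeps the web-service component on by default; a short comment saying what it enables (and that it is the upstream default, if that is the intent) would help readers of the parameter list.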


@ -2818,6 +2818,18 @@ final: prev:
meta.homepage = "https://github.com/JuliaEditorSupport/julia-vim/";
};
kanagawa-nvim = buildVimPluginFrom2Nix {
pname = "kanagawa.nvim";
version = "2021-12-25";
src = fetchFromGitHub {
owner = "rebelot";
repo = "kanagawa.nvim";
rev = "10bccb5e8e8530725c8059df2e6852fb01842d1c";
sha256 = "15jji03qvpbyfk1bpc9b31rbkklfzdnhmnld4cr5ydjmz1fd5fzb";
};
meta.homepage = "https://github.com/rebelot/kanagawa.nvim/";
};
kommentary = buildVimPluginFrom2Nix {
pname = "kommentary";
version = "2021-12-03";


@ -642,6 +642,7 @@ rbong/vim-flog
rcarriga/nvim-dap-ui
rcarriga/nvim-notify
rcarriga/vim-ultest
rebelot/kanagawa.nvim
rhysd/clever-f.vim
rhysd/committia.vim
rhysd/conflict-marker.vim


@ -8,6 +8,8 @@
, esbuild
, pkg-config
, libsecret
, stdenv
, darwin
, setDefaultServerPath ? true
}:
@ -40,6 +42,9 @@ let
jq moreutils esbuild
# Required by `keytar`, which is a dependency of `vsce`.
pkg-config libsecret
] ++ lib.optionals stdenv.isDarwin [
darwin.apple_sdk.frameworks.AppKit
darwin.apple_sdk.frameworks.Security
];
# Follows https://github.com/rust-analyzer/rust-analyzer/blob/41949748a6123fd6061eb984a47f4fe780525e63/xtask/src/dist.rs#L39-L65


@ -5,13 +5,13 @@
stdenvNoCC.mkDerivation rec {
pname = "sof-firmware";
version = "1.9.3";
version = "2.0";
src = fetchFromGitHub {
owner = "thesofproject";
repo = "sof-bin";
rev = "v${version}";
sha256 = "sha256-mQGwc0nwjku9ZxcFy8H4QiBLETkAeyqYvFzBHtK8/DY=";
sha256 = "sha256-pDxNcDe/l1foFYuHB0w3YZidKIeH6h0IuwRmMzeMteE=";
};
dontFixup = true; # binaries must not be stripped or patchelfed


@ -0,0 +1,53 @@
{ lib, stdenv, fetchFromGitHub, fetchpatch, ncurses }:
stdenv.mkDerivation rec {
pname = "torrent7z";
version = "1.3";
src = fetchFromGitHub {
owner = "BubblesInTheTub";
repo = pname;
rev = version;
sha256 = "Y2tr0+z9uij4Ifi6FfWRN24BwcDXUZKVLkLtKUiVjU4=";
};
patches = [
(fetchpatch {
name = "fix-gcc10-compilation.patch"; # Fix compilation on GCC 10. This patch is included on the latest commit
url =
"https://github.com/paulyc/torrent7z/commit/5958f42a364c430b3ed4ac68911bbbea1f967fc4.patch";
sha256 = "vJOv1sG9XwTvvxQiWew0H5ALoUb9wIAouzTsTvKHuPI=";
})
];
buildInputs = [ ncurses ];
hardeningDisable = [ "format" ];
postPatch = ''
# Remove non-free RAR source code
# (see DOC/License.txt, https://fedoraproject.org/wiki/Licensing:Unrar)
rm -r linux_src/p7zip_4.65/CPP/7zip/Compress/Rar*
find . -name makefile'*' -exec sed -i '/Rar/d' {} +
'';
preConfigure = ''
mkdir linux_src/p7zip_4.65/bin
cd linux_src/p7zip_4.65/CPP/7zip/Bundles/Alone
'';
installPhase = ''
mkdir -p $out/bin
cp ../../../../bin/t7z $out/bin
'';
meta = with lib; {
homepage = "https://github.com/BubblesInTheTub/torrent7z";
description = "A fork of torrent7z, viz a derivative of 7zip that produces invariant .7z archives for torrenting";
platforms = platforms.linux;
maintainers = with maintainers; [ cirno-999 ];
mainProgram = "t7z";
# RAR code is under non-free UnRAR license, but we remove it
license = licenses.gpl3Only;
};
}
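Review bot: `hardeningDisable = [ "format" ];` switches off the format-string hardening for the whole build without saying why; since this is a compiler-enforced mitigation rather than a build nicety, the attribute should carry a comment naming the build error it works around, e.g. `hardeningDisable = [ "format" ]; # TODO(review): record the -Werror=format-security failure this avoids; a source fix would be preferable to dropping the hardening`. The `fetchpatch` is taken from a different fork (`paulyc/torrent7z`) than `src` (`BubblesInTheTub/torrent7z`), and the inline note "This patch is included on the latest commit" does not say which repository's latest commit; moving that note onto its own line above `fetchpatch` and naming the repository would make the provenance clear. The `postPatch` removal of the RAR sources is well explained and the license attribute matches it.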


@ -24,12 +24,12 @@ let
in stdenv.mkDerivation rec {
pname = "ghidra";
version = "10.1";
versiondate = "20211210";
version = "10.1.1";
versiondate = "20211221";
src = fetchzip {
url = "https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_${version}_build/ghidra_${version}_PUBLIC_${versiondate}.zip";
sha256 = "0b4wn2nwxp96dpg3xpabqh74xxv0fhwmqq04wgfjgdh6bavqk86b";
sha256 = "1aib24hjfavy31vq0pasbzix9lpqrb90m3hp4n0iakg6ck8jcl5r";
};
nativeBuildInputs = [


@ -14,11 +14,11 @@
stdenv.mkDerivation rec {
pname = "crowdin-cli";
version = "3.7.2";
version = "3.7.4";
src = fetchurl {
url = "https://github.com/crowdin/${pname}/releases/download/${version}/${pname}.zip";
sha256 = "sha256-7p+Di4GcztwzybJTcFXlun15NFYbJN8eGmJ0y9bify0=";
sha256 = "sha256-zsd95dkKzuhqtWFwc84tjZ05MnzE25UvfF459gfp+lA=";
};
nativeBuildInputs = [ installShellFiles makeWrapper unzip ];


@ -11,7 +11,11 @@ stdenv.mkDerivation rec {
outputs = [ "out" "man" ];
makeFlags = [ "TREE=\$(out)" "MANTREE=\$(TREE)/share/man" ];
makeFlags = [
"TREE=\$(out)"
"MANTREE=\$(TREE)/share/man"
"CC=${stdenv.cc.targetPrefix}cc"
];
preBuild = ''
sed -e "s@/bin/mv@$(type -P mv)@" -i replace.h


@ -10270,6 +10270,8 @@ with pkgs;
touchegg = callPackage ../tools/inputmethods/touchegg { };
torrent7z = callPackage ../tools/archivers/torrent7z { };
torsocks = callPackage ../tools/security/tor/torsocks.nix { };
toss = callPackage ../tools/networking/toss { };
@ -27169,6 +27171,7 @@ with pkgs;
inherit (mopidyPackages)
mopidy
mopidy-iris
mopidy-jellyfin
mopidy-local
mopidy-moped
mopidy-mopify
@ -30705,6 +30708,8 @@ with pkgs;
naev = callPackage ../games/naev { };
nanosaur = callPackage ../games/nanosaur { };
nethack = callPackage ../games/nethack { };
nethack-qt = callPackage ../games/nethack {


@ -6312,6 +6312,13 @@ let
url = "mirror://cpan/authors/id/R/RI/RIBASUSHI/DBIx-Class-0.082842.tar.gz";
sha256 = "1rh7idjjbibc1zmiaaarask434lh0lx7f2xyfwmy37k9fa0xcpmh";
};
patches = [
# https://github.com/Perl5/DBIx-Class/pull/141
(fetchpatch {
url = "https://github.com/Perl5/DBIx-Class/commit/fb896701d23fa4da622b5b1b2afbbba3da2dd8f3.patch";
sha256 = "sha256-MSbV9UfHu90NCdC5IFwuy/vpSDw4atfellYh7Ydvkm4=";
})
];
buildInputs = [ DBDSQLite TestDeep TestException TestWarn ];
propagatedBuildInputs = [ ClassAccessorGrouped ClassC3Componentised ConfigAny ContextPreserve DBI DataDumperConcise DataPage DevelGlobalDestruction ModuleFind PathClass SQLAbstractClassic ScopeGuard SubName namespaceclean ];
meta = {
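Review bot: The new patches entry documents only the upstream PR URL, so a reader cannot tell what the patch fixes or why DBIx-Class needs it in this tree without leaving the file. Suggest a descriptive line above the URL, `# TODO(describe): <what PR 141 changes and why it is required here>` (placeholder to be filled by the author), and a `name = "<descriptive-name>.patch";` attribute on the fetchpatch so the store path and build logs identify the patch rather than the bare commit hash. The content is already pinned by the sha256, which is the important part. The enclosing DBIx-Class attribute set starts before the hunk and continues after it.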


@ -5296,6 +5296,8 @@ in {
nitpick = callPackage ../applications/version-management/nitpick { };
nitransforms = callPackage ../development/python-modules/nitransforms { };
nix-kernel = callPackage ../development/python-modules/nix-kernel {
inherit (pkgs) nix;
};


@ -52,6 +52,7 @@ let
ghc884
ghc8107
ghc901
ghc921
];
# packagePlatforms applied to `haskell.packages.*`
@ -304,20 +305,28 @@ let
# and to confirm that critical packages for the
# package sets (like Cabal, jailbreak-cabal) are
# working as expected.
cabal-install = released ++ [ compilerNames.ghc921 ];
Cabal_3_6_2_0 = released ++ [ compilerNames.ghc921 ];
cabal2nix = released ++ [ compilerNames.ghc921 ];
cabal2nix-unstable = released ++ [ compilerNames.ghc921 ];
funcmp = released ++ [ compilerNames.ghc921 ];
haskell-language-server = released;
hoogle = released ++ [ compilerNames.ghc921 ];
hlint = released ++ [ compilerNames.ghc921 ];
hsdns = released ++ [ compilerNames.ghc921 ];
jailbreak-cabal = released ++ [ compilerNames.ghc921 ];
language-nix = released ++ [ compilerNames.ghc921 ];
nix-paths = released ++ [ compilerNames.ghc921 ];
titlecase = released ++ [ compilerNames.ghc921 ];
ghc-api-compat = released;
cabal-install = released;
Cabal_3_6_2_0 = released;
cabal2nix = released;
cabal2nix-unstable = released;
funcmp = released;
haskell-language-server = [
compilerNames.ghc884
compilerNames.ghc8107
compilerNames.ghc901
];
hoogle = released;
hlint = released;
hsdns = released;
jailbreak-cabal = released;
language-nix = released;
nix-paths = released;
titlecase = released;
ghc-api-compat = [
compilerNames.ghc884
compilerNames.ghc8107
compilerNames.ghc901
];
})
{
mergeable = pkgs.releaseTools.aggregate {
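Review bot: The new explicit lists for `haskell-language-server` and `ghc-api-compat` spell out the same three compilers by hand, which is apparently "released minus ghc921" now that the first hunk adds ghc921 to the released list; the next compiler added to that list will silently be left out of these two entries. Deriving them from the list would keep them in sync, e.g. `haskell-language-server = builtins.filter (c: c != compilerNames.ghc921) released;` and the same for `ghc-api-compat`, ideally bound once to a named local. A comment on why these two are held back, `# does not build with ghc921 yet — TODO confirm`, would also record the reason, which the hunk does not state. The enclosing attribute set starts before the hunk.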