colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge master into haskell-updates

Browse Source
This commit is contained in:
github-actions[bot] 2023-01-15 00:13:48 +00:00 committed by GitHub
commit a9fe51f091
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1177 changed files with 17066 additions and 7256 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

982
doc/languages-frameworks/haskell.section.md
View File

@ -1,7 +1,977 @@
# Haskell {#haskell}
# Haskell {#sec-haskell}
The documentation for the Haskell infrastructure is published at
<https://haskell4nix.readthedocs.io/>. The source code for that
site lives in the `doc/` sub-directory of the
[`cabal2nix` Git repository](https://github.com/NixOS/cabal2nix)
and changes can be submitted there.
The Haskell infrastructure in nixpkgs has two main purposes: The primary purpose
is to provide a Haskell compiler and build tools as well as infrastructure for
packaging Haskell-based packages.
The secondary purpose is to provide support for Haskell development environment
including prebuilt Haskell libraries. However, in this area sacrifices have been
made due to self-imposed restrictions in nixpkgs, to lessen the maintenance
effort and improve performance. Therefore, it may be advantageous to use an
alternative to the Haskell infrastructure in nixpkgs for development
environments in some cases. The main limitations are that we only provide
first-class support for the default compiler (currently GHC 9.2.4) and usually
only provide a default and (if different) the latest version of a haskell
package.
<!-- TODO(@sternensemann): Fix duplication w.r.t. package set generations
and package set rationale from a maintenance perspective. Probably just add
a dedicated section for this…
-->
## Available packages {#sec-haskell-available-packages}
The compiler and most build tools are exposed at the top level:
* `ghc` is the default version of GHC
* Language specific tools: `cabal-install`, `stack`, `hpack`, …
Many “normal” user facing packages written in Haskell, like `niv` or `cachix`,
are also exposed at the top level, so there is nothing haskell specific to
installing and using them.
All of these packages originally lived in the `haskellPackages` package set and
are re-exposed with a reduced dependency closure for convenience.
The `haskellPackages` set includes at least one version of every package from
hackage as well as some manually injected packages. This amounts to a lot of
packages, so it is hidden from `nix-env -qa` by default for performance reasons.
You can still list all packages in the set like this, though:
```console
$ nix-env -f '<nixpkgs>' -qaP -A haskellPackages
haskellPackages.a50 a50-0.5
haskellPackages.AAI AAI-0.2.0.1
haskellPackages.aasam aasam-0.2.0.0
haskellPackages.abacate abacate-0.0.0.0
haskellPackages.abc-puzzle abc-puzzle-0.2.1
```
The attribute names in `haskellPackages` always correspond with their name on
hackage. Since hackage allows names that are not valid nix without extra
escaping, you sometimes need to extra care when handling attribute names like
`3dmodels`.
For packages that are part of [Stackage], we use the version prescribed by a
Stackage solver (usually the current LTS one) as the default version. For all
other packages we use the latest version from Hackage. Sometimes alternative
versions of packages are provided whose attribute names are their normal name
with their version appended after an underscore, e.g. `Cabal_3_8_1_0`.
<!--
TODO(@sternenseemann):
If you are interested in details how the package set is
populated, read the section [Package set
generation](#sec-haskell-package-set-generation).
-->
Roughly half of the 16K packages contained in `haskellPackages` don't actually
build and are marked as broken semi-automatically. Most of those packages are
deprecated or unmaintained, but sometimes packages that should, don't build.
Very often fixing them is not a lot of work.
<!--
TODO(@sternenseemann):
How you can help with that is
described in [Fixing a broken package](#sec-haskell-fixing-a-broken-package).
-->
`haskellPackages` is built with our default compiler, but we also provide other
releases of GHC and package sets built with them. You can list all available
compilers like this:
```console
$ nix-env -f '<nixpkgs>' -qaP -A haskell.compiler
haskell.compiler.ghc810 ghc-8.10.7
haskell.compiler.ghc88 ghc-8.8.4
haskell.compiler.ghc90 ghc-9.0.2
haskell.compiler.ghc92 ghc-9.2.4
haskell.compiler.ghc925 ghc-9.2.5
haskell.compiler.ghc942 ghc-9.4.2
haskell.compiler.ghc943 ghc-9.4.3
haskell.compiler.ghc94 ghc-9.4.4
haskell.compiler.ghcHEAD ghc-9.7.20221224
haskell.compiler.ghc8102Binary ghc-binary-8.10.2
haskell.compiler.ghc8102BinaryMinimal ghc-binary-8.10.2
haskell.compiler.ghc8107BinaryMinimal ghc-binary-8.10.7
haskell.compiler.ghc8107Binary ghc-binary-8.10.7
haskell.compiler.ghc865Binary ghc-binary-8.6.5
haskell.compiler.ghc924Binary ghc-binary-9.2.4
haskell.compiler.ghc924BinaryMinimal ghc-binary-9.2.4
haskell.compiler.integer-simple.ghc810 ghc-integer-simple-8.10.7
haskell.compiler.integer-simple.ghc8107 ghc-integer-simple-8.10.7
haskell.compiler.integer-simple.ghc884 ghc-integer-simple-8.8.4
haskell.compiler.integer-simple.ghc88 ghc-integer-simple-8.8.4
haskell.compiler.native-bignum.ghc90 ghc-native-bignum-9.0.2
haskell.compiler.native-bignum.ghc902 ghc-native-bignum-9.0.2
haskell.compiler.native-bignum.ghc92 ghc-native-bignum-9.2.4
haskell.compiler.native-bignum.ghc924 ghc-native-bignum-9.2.4
haskell.compiler.native-bignum.ghc925 ghc-native-bignum-9.2.5
haskell.compiler.native-bignum.ghc942 ghc-native-bignum-9.4.2
haskell.compiler.native-bignum.ghc943 ghc-native-bignum-9.4.3
haskell.compiler.native-bignum.ghc94 ghc-native-bignum-9.4.4
haskell.compiler.native-bignum.ghc944 ghc-native-bignum-9.4.4
haskell.compiler.native-bignum.ghcHEAD ghc-native-bignum-9.7.20221224
haskell.compiler.ghcjs ghcjs-8.10.7
```
Every of those compilers has a corresponding attribute set built completely
using it. However, the non-standard package sets are not tested regularly and
have less working packages as a result. The corresponding package set for GHC
9.4.4 is `haskell.packages.ghc944` (in fact `haskellPackages` is just an alias
for `haskell.packages.ghc924`):
```console
$ nix-env -f '<nixpkgs>' -qaP -A haskell.packages.ghc924
haskell.packages.ghc924.a50 a50-0.5
haskell.packages.ghc924.AAI AAI-0.2.0.1
haskell.packages.ghc924.aasam aasam-0.2.0.0
haskell.packages.ghc924.abacate abacate-0.0.0.0
haskell.packages.ghc924.abc-puzzle abc-puzzle-0.2.1
```
Every package set also re-exposes the GHC used to build its packages as `haskell.packages.*.ghc`.
## `haskellPackages.mkDerivation` {#haskell-mkderivation}
Every haskell package set has its own haskell-aware `mkDerivation` which is used
to build its packages. Generally you won't have to interact with this builder
since [cabal2nix][cabal2nix] can generate packages
using it for an arbitrary cabal package definition. Still it is useful to know
the parameters it takes when you need to
[override](#sec-haskell-overriding-haskell-packages) a generated nix expression.
`haskellPackages.mkDerivation` is a wrapper around `stdenv.mkDerivation` which
re-defines the default phases to be haskell aware and handles dependency
specification, test suites, benchmarks etc. by compiling and invoking the
package's `Setup.hs`. It does *not* use or invoke the `cabal-install` binary,
but uses the underlying `Cabal` library instead.
### General arguments
`pname`
: Package name, assumed to be the same as on hackage (if applicable)
`version`
: Packaged version, assumed to be the same as on hackage (if applicable)
`src`
: Source of the package. If omitted, fetch package corresponding to `pname`
and `version` from hackage.
`sha256`
: Hash to use for the default case of `src`.
`revision`
: Revision number of the updated cabal file to fetch from hackage.
If `null` (which is the default value), the one included in `src` is used.
`editedCabalFile`
: `sha256` hash of the cabal file identified by `revision` or `null`.
`configureFlags`
: Extra flags passed when executing the `configure` command of `Setup.hs`.
`buildFlags`
: Extra flags passed when executing the `build` command of `Setup.hs`.
`haddockFlags`
: Extra flags passed to `Setup.hs haddock` when building the documentation.
`doCheck`
: Whether to execute the package's test suite if it has one. Defaults to `true` unless cross-compiling.
`doBenchmark`
: Whether to execute the package's benchmark if it has one. Defaults to `false`.
`doHoogle`
: Whether to generate an index file for [hoogle][hoogle] as part of
`haddockPhase` by passing the [`--hoogle` option][haddock-hoogle-option].
Defaults to `true`.
`doHaddockQuickjump`
: Whether to generate an index for interactive navigation of the HTML documentation.
Defaults to `true` if supported.
`enableLibraryProfiling`
: Whether to enable [profiling][profiling] for libraries contained in the
package. Enabled by default if supported.
`enableExecutableProfiling`
: Whether to enable [profiling][profiling] for executables contained in the
package. Disabled by default.
`profilingDetail`
: [Profiling detail level][profiling-detail] to set. Defaults to `exported-functions`.
`enableSharedExecutables`
: Whether to link executables dynamically. By default, executables are linked statically.
`enableSharedLibraries`
: Whether to build shared Haskell libraries. This is enabled by default unless we are using
`pkgsStatic` or shared libraries have been disabled in GHC.
`enableStaticLibraries`
: Whether to build static libraries. Enabled by default if supported.
`enableDeadCodeElimination`
: Whether to enable linker based dead code elimination in GHC.
Enabled by default if supported.
`enableHsc2hsViaAsm`
: Whether to pass `--via-asm` to `hsc2hs`.
`hyperlinkSource`
: Whether to render the source as well as part of the haddock documentation
by passing the [`--hyperlinked-source` flag][haddock-hyperlinked-source-option].
Defaults to `true`.
`isExecutable`
: Whether the package contains an executable.
`isLibrary`
: Whether the package contains a library.
`jailbreak`
: Whether to execute [jailbreak-cabal][jailbreak-cabal] before `configurePhase`
to lift any version constraints in the cabal file. Note that this can't
lift version bounds if they are conditional, e.g. if a dependency is hidden
behind a flag.
`enableParallelBuilding`
: Whether to use the `-j` flag to make GHC/Cabal start multiple jobs in parallel.
`maxBuildCores`
: Upper limit of jobs to use in parallel for compilation regardless of
`$NIX_BUILD_CORES`. Defaults to 16 as haskell compilation with GHC currently
sees a [performance regression](https://gitlab.haskell.org/ghc/ghc/-/issues/9221)
if too many parallel jobs are used.
`doCoverage`
: Whether to generate and install files needed for [HPC][haskell-program-coverage].
Defaults to `false`.
`doHaddock`
: Wether to build (HTML) documentation using [haddock][haddock].
Defaults to `true` if supported.
`testTarget`
: Name of the test suite to build and run. If unset, all test suites will be executed.
`preCompileBuildDriver`
: Shell code to run before compiling `Setup.hs`.
`postCompileBuildDriver`
: Shell code to run after compiling `Setup.hs`.
`preHaddock`
: Shell code to run before building documentation using haddock.
`postHaddock`
: Shell code to run after building documentation using haddock.
`coreSetup`
: Whether to only allow core libraries to be used while building `Setup.hs`.
Defaults to `false`.
`useCpphs`
: Whether to enable the [cpphs][cpphs] preprocessor. Defaults to `false`.
`enableSeparateBinOutput`
: Whether to install executables to a separate `bin` output. Defaults to `false`.
`enableSeparateDataOutput`
: Whether to install data files shipped with the package to a separate `data` output.
Defaults to `false`.
`enableSeparateDocOutput`
: Whether to install documentation to a separate `doc` output.
Is automatically enabled if `doHaddock` is `true`.
`allowInconsistentDependencies`
: If enabled, allow multiple versions of the same package at configure time.
Usually in such a situation compilation would later fail. Defaults to `false`.
`enableLibraryForGhci`
: Build and install a special object file for GHCi. This improves performance
when loading the library in the REPL, but requires extra build time and
disk space. Defaults to `false`.
`buildTarget`
: Name of the executable or library to build and install.
If unset, all available targets are built and installed.
### Specifying dependencies
Since `haskellPackages.mkDerivation` is intended to be generated from cabal
files, it reflects cabal's way of specifying dependencies. For one, dependencies
are grouped by what part of the package they belong to. This helps to reduce the
dependency closure of a derivation, for example benchmark dependencies are not
included if `doBenchmark == false`.
`setup*Depends`
: dependencies necessary to compile `Setup.hs`
`library*Depends`
: dependencies of a library contained in the package
`executable*Depends`
: dependencies of an executable contained in the package
`test*Depends`
: dependencies of a test suite contained in the package
`benchmark*Depends`
: dependencies of a benchmark contained in the package
The other categorization relates to the way the package depends on the dependency:
`*ToolDepends`
: Tools we need to run as part of the build process.
They are added to the derivation's `nativeBuildInputs`.
`*HaskellDepends`
: Haskell libraries the package depends on.
They are added to `propagatedBuildInputs`.
`*SystemDepends`
: Non-Haskell libraries the package depends on.
They are added to `buildInputs`
`*PkgconfigDepends`
: `*SystemDepends` which are discovered using `pkg-config`.
They are added to `buildInputs` and it is additionally
ensured that `pkg-config` is available at build time.
`*FrameworkDepends`
: Apple SDK Framework which the package depends on when compiling it on Darwin.
Using these two distinctions, you should be able to categorize most of the dependency
specifications that are available:
`benchmarkFrameworkDepends`,
`benchmarkHaskellDepends`,
`benchmarkPkgconfigDepends`,
`benchmarkSystemDepends`,
`benchmarkToolDepends`,
`executableFrameworkDepends`,
`executableHaskellDepends`,
`executablePkgconfigDepends`,
`executableSystemDepends`,
`executableToolDepends`,
`libraryFrameworkDepends`,
`libraryHaskellDepends`,
`libraryPkgconfigDepends`,
`librarySystemDepends`,
`libraryToolDepends`,
`setupHaskellDepends`,
`testFrameworkDepends`,
`testHaskellDepends`,
`testPkgconfigDepends`,
`testSystemDepends` and
`testToolDepends`.
That only leaves the following extra ways for specifying dependencies:
`buildDepends`
: Allows specifying Haskell dependencies which are added to `propagatedBuildInputs` unconditionally.
`buildTools`
: Like `*ToolDepends`, but are added to `nativeBuildInputs` unconditionally.
`extraLibraries`
: Like `*SystemDepends`, but are added to `buildInputs` unconditionally.
`pkg-configDepends`
: Like `*PkgconfigDepends`, but are added to `buildInputs` unconditionally.
`testDepends`
: Deprecated, use either `testHaskellDepends` or `testSystemDepends`.
`benchmarkDepends`
: Deprecated, use either `benchmarkHaskellDepends` or `benchmarkSystemDepends`.
The dependency specification methods in this list which are unconditional
are especially useful when writing [overrides](#sec-haskell-overriding-haskell-packages)
when you want to make sure that they are definitely included. However, it is
recommended to use the more accurate ones listed above when possible.
### Meta attributes
`haskellPackages.mkDerivation` accepts the following attributes as direct
arguments which are transparently set in `meta` of the resulting derivation. See
the [Meta-attributes section](#chap-meta) for their documentation.
* These attributes are populated with a default value if omitted:
* `homepage`: defaults to the hackage page for `pname`.
* `platforms`: defaults to `lib.platforms.all` (since GHC can cross-compile)
* These attributes are only set if given:
* `description`
* `license`
* `changelog`
* `maintainers`
* `broken`
* `hydraPlatforms`
## Development environments {#sec-haskell-development-environments}
In addition to building and installing Haskell software, nixpkgs can also
provide development environments for Haskell projects. This has the obvious
advantage that you benefit from `cache.nixos.org` and no longer need to compile
all project dependencies yourself.
Our main objective with `haskellPackages` is to package Haskell software in
nixpkgs. This entails some limitations, partially due to self-imposed
restrictions of nixpkgs, partially in the name of maintainability:
* Only the packages built with the default compiler see extensive testing of the
whole package set. The experience using an older or newer packaged compiler
may be worse.
* We aim for a “blessed” package set which only contains one version of each
package.
Thus, to get the best experience, make sure that your project can be compiled
using the default compiler of nixpkgs and recent versions of its dependencies.
“Recent” can either mean the version contained in a certain [Stackage] snapshot
(usually the latest LTS or nightly one) <!-- TODO(@sternenseemann): document our use of solvers -->
or the latest version from Hackage. Similarly to Stackage, we sometimes
intervene and downgrade packages to ensure as many packages as possible can
be compiled together.
In particular, it is not possible to get the dependencies of a legacy project
from nixpkgs or to use a specific stack solver for compiling a project.
Now for the actual development environments: By default every derivation built
using [`haskellPackages.mkDerivation`](#haskell-mkderivation) exposes an
environment suitable for building it interactively as the `env` attribute. For
example, if you have a local checkout of `random`, you can enter a development
environment for it like this (if the dependencies in the development and
packaged version match):
```console
$ cd ~/src/random
$ nix-shell -A haskellPackages.random.env '<nixpkgs>'
[nix-shell:~/src/random]$ ghc-pkg list
/nix/store/a8hhl54xlzfizrhcf03c1l3f6l9l8qwv-ghc-9.2.4-with-packages/lib/ghc-9.2.4/package.conf.d
Cabal-3.6.3.0
array-0.5.4.0
base-4.16.3.0
binary-0.8.9.0
ghc-9.2.4
```
As you can see, the environment contains a GHC which is set up so it finds all
dependencies of `random`. Note that this environment does not mirror
the environment used to build the package, but is intended as a convenient
tool for development and simple debugging. `env` relies on the `ghcWithPackages`
wrapper which automatically injects a pre-populated package-db into every
GHC invocation. When building the derivation, the appropriate flags would always
be passed explicitly.
`env` mirrors the normal derivation environment in one aspect: It does not include
familiar development tools like `cabal-install`, since we rely on plain `Setup.hs`
to build all packages. However, `cabal-install` will work as expected if in
`PATH` (e.g. when installed globally and using a `nix-shell` without `--pure`).
A declarative and pure way of adding arbitrary development tools is provided
via [`shellFor`](#ssec-haskell-shellFor).
<!-- TODO(@sternenseemann): this doesn't work in practice (anymore?)
This topic needs to be investigated again; Deleting the local hackage db is
an easy workaround (ty @maralorn), but some useful features of cabal2nix
depend on it (i.e. cabal2nix cabal://pkg-version).
You can make sure that `cabal-install` doesn't download or build any packages
not provided using Nix by passing `--offline`. There is of course a better way
to add any number of development tools to your `nix-shell` which we'll discuss
later.
-->
Often you won't work on a package that is already part of `haskellPackages` or
Hackage, so we first need to write a Nix expression to obtain the development
environment from. Luckily, we can generate one very easily from an already
existing cabal file using `cabal2nix`:
```console
$ ls
my-project.cabal src …
$ cabal2nix ./. > my-project.nix
```
The generated nix expression evaluates to a function ready to be
`callPackage`-ed. For now, we can add a minimal `default.nix` which does just
that:
```nix
# Retrieve nixpkgs impurely from NIX_PATH for now, you can pin it instead, of course.
{ pkgs ? import <nixpkgs> {} }:
# use the nixpkgs default haskell package set
pkgs.haskellPackages.callPackage ./my-project.nix { }
```
Using `nix-build default.nix` we can now build our project, but we can also
enter a shell with all the package's dependencies available using `nix-shell
-A env default.nix`. If you have `cabal-install` installed globally, it'll work
inside the shell as expected.
### shellFor {#ssec-haskell-shellFor}
Having to install tools globally is obviously not great, especially if you want
to provide a batteries-included `shell.nix` with your project. Luckily there's a
proper tool for making development environments out of packages' build
environments: `shellFor`, a function exposed by every haskell package set. It
takes the following arguments and returns a derivation which is suitable as a
development environment inside `nix-shell`:
`packages`
: This argument is used to select the packages for which to build the
development environment. This should be a function which takes a haskell package
set and returns a list of packages. `shellFor` will pass the used package set to
this function and include all dependencies of the returned package in the build
environment. This means you can reuse nix expressions of packages included in
nixpkgs, but also use local nix expressions like this: `hpkgs: [
(hpkgs.callPackage ./my-project.nix { }) ]`.
`nativeBuildInputs`
: Expects a list of derivations to add as build tools to the build environment.
This is the place to add packages like `cabal-install`, `doctest` or `hlint`.
Defaults to `[]`.
`buildInputs`
: Expects a list of derivations to add as library dependencies, like `openssl`.
This is rarely necessary as the haskell package expressions usually track system
dependencies as well. Defaults to `[]`.
<!-- TODO link specifying deps section here -->
`withHoogle`
: If this is true, `hoogle` will be added to `nativeBuildInputs`.
Additionally, its database will be populated with all included dependencies,
so you'll be able search through the documentation of your dependencies.
Defaults to `false`.
`genericBuilderArgsModifier`
: This argument accepts a function allowing you to modify the arguments passed
to `mkDerivation` in order to create the development environment. For example,
`args: { doCheck = false; }` would cause the environment to not include any test
dependencies. Defaults to `lib.id`.
`doBenchmark`
: This is a shortcut for enabling `doBenchmark` via `genericBuilderArgsModifier`.
Setting it to `true` will cause the development environment to include all
benchmark dependencies which would be excluded by default. Defaults to `false`.
One neat property of `shellFor` is that it allows you to work on multiple
packages using the same environment in conjunction with
[cabal.project files][cabal-project-files].
Say our example above depends on `distribution-nixpkgs` and we have a project
file set up for both, we can add the following `shell.nix` expression:
```nix
{ pkgs ? import <nixpkgs> {} }:
pkgs.haskellPackages.shellFor {
packages = hpkgs: [
# reuse the nixpkgs for this package
hpkgs.distribution-nixpkgs
# call our generated nix expression manually
(hpkgs.callPackage ./my-project/my-project.nix { })
];
# development tools we use
nativeBuildInputs = [
pkgs.cabal-install
pkgs.haskellPackages.doctest
pkgs.cabal2nix
];
# Extra arguments are added to mkDerivation's arguments as-is.
# Since it adds all passed arguments to the shell environment,
# we can use this to set the environment variable the `Paths_`
# module of distribution-nixpkgs uses to search for bundled
# files.
# See also: https://cabal.readthedocs.io/en/latest/cabal-package.html#accessing-data-files-from-package-code
distribution_nixpkgs_datadir = toString ./distribution-nixpkgs;
}
```
<!-- TODO(@sternenseemann): deps are not included if not selected -->
## Overriding haskell packages {#sec-haskell-overriding-haskell-packages}
### Overriding a single package
<!-- TODO(@sternenseemann): we should document /somewhere/ that base == null etc. -->
Like many language specific subsystems in nixpkgs, the Haskell infrastructure
also has its own quirks when it comes to overriding. Overriding of the *inputs*
to a package at least follows the standard procedure. For example, imagine you
need to build `nix-tree` with a more recent version of `brick` than the default
one provided by `haskellPackages`:
```nix
haskellPackages.nix-tree.override {
brick = haskellPackages.brick_0_67;
}
```
<!-- TODO(@sternenseemann): This belongs in the next section
One common problem you may run into with such an override is the build failing
with “abort because of serious configure-time warning from Cabal”. When scrolling
up, you'll usually notice that Cabal noticed that more than one versions of the same
package was present in the dependency graph. This typically causes a later compilation
failure (the error message `haskellPackages.mkDerivation` produces tries to save
you the time of finding this out yourself, but if you wish to do so, you can
disable it using `allowInconsistentDependencies`). Luckily, `haskellPackages` provides
you with a tool to deal with this. `overrideScope` creates a new `haskellPackages`
instance with the override applied *globally* for this package, so the dependency
closure automatically uses a consistent version of the overridden package. E. g.
if `haskell-ci` needs a recent version of `Cabal`, but also uses other packages
that depend on that library, you may want to use:
```nix
haskellPackages.haskell-ci.overrideScope (self: super: {
Cabal = self.Cabal_3_6_2_0;
})
```
-->
The custom interface comes into play when you want to override the arguments
passed to `haskellPackages.mkDerivation`. For this, the function `overrideCabal`
from `haskell.lib.compose` is used. E.g. if you want to install a man page
that is distributed with the package, you can do something like this:
```nix
haskell.lib.compose.overrideCabal (drv: {
postInstall = ''
${drv.postInstall or ""}
install -Dm644 man/pnbackup.1 -t $out/share/man/man1
'';
}) haskellPackages.pnbackup
```
`overrideCabal` takes two arguments:
1. A function which receives all arguments passed to `haskellPackages.mkDerivation`
before and returns a set of arguments to replace (or add) with a new value.
2. The Haskell derivation to override.
The arguments are ordered so that you can easily create helper functions by making
use of currying:
```nix
let
installManPage = haskell.lib.compose.overrideCabal (drv: {
postInstall = ''
${drv.postInstall or ""}
install -Dm644 man/${drv.pname}.1 -t "$out/share/man/man1"
'';
});
in
installManPage haskellPackages.pnbackup
```
In fact, `haskell.lib.compose` already provides lots of useful helpers for common
tasks, detailed in the next section. They are also structured in such a way that
they can be combined using `lib.pipe`:
```nix
lib.pipe my-haskell-package [
# lift version bounds on dependencies
haskell.lib.compose.doJailbreak
# disable building the haddock documentation
haskell.lib.compose.dontHaddock
# pass extra package flag to Cabal's configure step
(haskell.lib.compose.enableCabalFlag "myflag")
]
```
#### `haskell.lib.compose`
The base interface for all overriding is the following function:
`overrideCabal f drv`
: Takes the arguments passed to obtain `drv` to `f` and uses the resulting
attribute set to update the argument set. Then a recomputed version of `drv`
using the new argument set is returned.
<!--
TODO(@sternenseemann): ideally we want to be more detailed here as well, but
I want to avoid the documentation having to be kept in sync in too many places.
We already document this stuff in the mkDerivation section and lib/compose.nix.
Ideally this section would be generated from the latter in the future.
-->
All other helper functions are implemented in terms of `overrideCabal` and make
common overrides shorter and more complicate ones trivial. The simple overrides
which only change a single argument are only described very briefly in the
following overview. Refer to the
[documentation of `haskellPackages.mkDerivation`](#haskell-mkderivation)
for a more detailed description of the effects of the respective arguments.
##### Packaging Helpers
`overrideSrc { src, version } drv`
: Replace the source used for building `drv` with the path or derivation given
as `src`. The `version` attribute is optional. Prefer this function over
overriding `src` via `overrideCabal`, since it also automatically takes care of
removing any Hackage revisions.
<!-- TODO(@sternenseemann): deprecated
`generateOptparseApplicativeCompletions list drv`
: Generate and install shell completion files for the installed executables whose
names are given via `list`. The executables need to be using `optparse-applicative`
for this to work.
-->
`justStaticExecutables drv`
: Only build and install the executables produced by `drv`, removing everything
that may refer to other Haskell packages' store paths (like libraries and
documentation). This dramatically reduces the closure size of the resulting
derivation. Note that the executables are only statically linked against their
Haskell dependencies, but will still link dynamically against libc, GMP and
other system library dependencies. If dependencies use their Cabal-generated
`Paths_*` module, this may not work as well if GHC's dead code elimination
is unable to remove the references to the dependency's store path that module
contains.
`enableSeparateBinOutput drv`
: Install executables produced by `drv` to a separate `bin` output. This
has a similar effect as `justStaticExecutables`, but preserves the libraries
and documentation in the `out` output alongside the `bin` output with a
much smaller closure size.
`markBroken drv`
: Sets the `broken` flag to `true` for `drv`.
`markUnbroken drv`, `unmarkBroken drv`
: Set the `broken` flag to `false` for `drv`.
`doDistribute drv`
: Updates `hydraPlatforms` so that Hydra will build `drv`. This is
sometimes necessary when working with versioned packages in
`haskellPackages` which are not built by default.
`dontDistribute drv`
: Sets `hydraPlatforms` to `[]`, causing Hydra to skip this package
altogether. Useful if it fails to evaluate cleanly and is causing
noise in the evaluation errors tab on Hydra.
##### Development Helpers
`sdistTarball drv`
: Create a source distribution tarball like those found on Hackage
instead of building the package `drv`.
`documentationTarball drv`
: Create a documentation tarball suitable for uploading to Hackage
instead of building the package `drv`.
`buildFromSdist drv`
: Uses `sdistTarball drv` as the source to compile `drv`. This helps to catch
packaging bugs when building from a local directory, e.g. when required files
are missing from `extra-source-files`.
`failOnAllWarnings drv`
: Enables all warnings GHC supports and makes it fail the build if any of them
are emitted.
<!-- TODO(@sternenseemann):
`checkUnusedPackages opts drv`
: Adds an extra check to `postBuild` which fails the build if any dependency
taken as an input is not used. The `opts` attribute set allows relaxing this
check.
-->
`enableDWARFDebugging drv`
: Compiles the package with additional debug symbols enabled, useful
for debugging with e.g. `gdb`.
`doStrip drv`
: Sets `doStrip` to `true` for `drv`.
`dontStrip drv`
: Sets `doStrip` to `false` for `drv`.
<!-- TODO(@sternenseemann): shellAware -->
##### Trivial Helpers
`doJailbreak drv`
: Sets the `jailbreak` argument to `true` for `drv`.
`dontJailbreak drv`
: Sets the `jailbreak` argument to `false` for `drv`.
`doHaddock drv`
: Sets `doHaddock` to `true` for `drv`.
`dontHaddock drv`
: Sets `doHaddock` to `false` for `drv`. Useful if the build of a package is
failing because of e.g. a syntax error in the Haddock documentation.
`doHyperlinkSource drv`
: Sets `hyperlinkSource` to `true` for `drv`.
`dontHyperlinkSource drv`
: Sets `hyperlinkSource` to `false` for `drv`.
`doCheck drv`
: Sets `doCheck` to `true` for `drv`.
`dontCheck drv`
: Sets `doCheck` to `false` for `drv`. Useful if a package has a broken,
flaky or otherwise problematic test suite breaking the build.
<!-- Purposefully omitting the non-list variants here. They are a bit
ugly, and we may want to deprecate them at some point. -->
`appendConfigureFlags list drv`
: Adds the strings in `list` to the `configureFlags` argument for `drv`.
`enableCabalFlag flag drv`
: Makes sure that the Cabal flag `flag` is enabled in Cabal's configure step.
`disableCabalFlag flag drv`
: Makes sure that the Cabal flag `flag` is disabled in Cabal's configure step.
`appendBuildflags list drv`
: Adds the strings in `list` to the `buildFlags` argument for `drv`.
<!-- TODO(@sternenseemann): removeConfigureFlag -->
`appendPatches list drv`
: Adds the `list` of derivations or paths to the `patches` argument for `drv`.
<!-- TODO(@sternenseemann): link dep section -->
`addBuildTools list drv`
: Adds the `list` of derivations to the `buildTools` argument for `drv`.
`addExtraLibraries list drv`
: Adds the `list` of derivations to the `extraLibraries` argument for `drv`.
`addBuildDepends list drv`
: Adds the `list` of derivations to the `buildDepends` argument for `drv`.
`addTestToolDepends list drv`
: Adds the `list` of derivations to the `testToolDepends` argument for `drv`.
`addPkgconfigDepends list drv`
: Adds the `list` of derivations to the `pkg-configDepends` argument for `drv`.
`addSetupDepends list drv`
: Adds the `list` of derivations to the `setupHaskellDepends` argument for `drv`.
`doBenchmark drv`
: Set `doBenchmark` to `true` for `drv`. Useful if your development
environment is missing the dependencies necessary for compiling the
benchmark component.
`dontBenchmark drv`
: Set `doBenchmark` to `false` for `drv`.
`setBuildTargets list drv`
: Sets the `buildTarget` argument for `drv` so that the targets specified in `list` are built.
`doCoverage drv`
: Sets the `doCoverage` argument to `true` for `drv`.
`dontCoverage drv`
: Sets the `doCoverage` argument to `false` for `drv`.
#### Library functions in the Haskell package sets
Some library functions depend on packages from the Haskell package sets. Thus they are
exposed from those instead of from `haskell.lib.compose` which can only access what is
passed directly to it. When using the functions below, make sure that you are obtaining them
from the same package set (`haskellPackages`, `haskell.packages.ghc944` etc.) as the packages
you are working with or even better from the `self`/`final` fix point of your overlay to
`haskellPackages`.
Note: Some functions like `shellFor` that are not intended for overriding per se, are omitted
in this section. <!-- TODO(@sternenseemann): note about ifd section -->
`cabalSdist { src, name }`
: Generates the Cabal sdist tarball for `src`, suitable for uploading to Hackage.
Contrary to `haskell.lib.compose.sdistTarball`, it uses `cabal-install` over `Setup.hs`,
so it is usually faster: No build dependencies need to be downloaded and we can
skip compiling `Setup.hs`.
`buildFromCabalSdist drv`
: Build `drv`, but run its `src` attribute through `cabalSdist` first. Useful for catching
files necessary for compilation that are missing from the sdist.
`generateOptparseApplicativeCompletions list drv`
: Generate and install shell completion files for the installed executables whose
names are given via `list`. The executables need to be using `optparse-applicative`
for [this to work][optparse-applicative-completions].
Note that this feature is automatically disabled when cross-compiling, since it
requires executing the binaries in question.
<!--
TODO(@NixOS/haskell): finish these planned sections
### Overriding the entire package set
## Import-from-Derivation helpers
* `callCabal2nix`
* `callHackage`, `callHackageDirect`
* `developPackage`
## Contributing {#sec-haskell-contributing}
### Fixing a broken package {#sec-haskell-fixing-a-broken-package}
### Package set generation {#sec-haskell-package-set-generation}
### Packaging a Haskell project
### Backporting {#sec-haskell-backporting}
Backporting changes to a stable NixOS version in general is covered
in nixpkgs' `CONTRIBUTING.md` in general. In particular refer to the
[backporting policy](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#criteria-for-backporting-changes)
to check if the change you have in mind may be backported.
This section focuses on how to backport a package update (e.g. a
bug fix or security release). Fixing a broken package works like
it does for the unstable branches.
-->
## F.A.Q. {#sec-haskell-faq}
### Why is topic X not covered in this section? Why is section Y missing?
We have been working on [moving the nixpkgs Haskell documentation back into the
nixpkgs manual](https://github.com/NixOS/nixpkgs/issues/121403). Since this
process has not been completed yet, you may find some topics missing here
covered in the old [haskell4nix docs](https://haskell4nix.readthedocs.io/).
If you feel any important topic is not documented at all, feel free to comment
on the issue linked above.
[Stackage]: https://www.stackage.org
[cabal2nix]: https://github.com/nixos/cabal2nix
[hoogle]: https://wiki.haskell.org/Hoogle
[haddock]: https://www.haskell.org/haddock/
[haddock-hoogle-option]: https://haskell-haddock.readthedocs.io/en/latest/invoking.html#cmdoption-hoogle
[haddock-hyperlinked-source-option]: https://haskell-haddock.readthedocs.io/en/latest/invoking.html#cmdoption-hyperlinked-source
[profiling]: https://downloads.haskell.org/~ghc/latest/docs/html/users_guide/profiling.html
[haskell-program-coverage]: https://downloads.haskell.org/~ghc/latest/docs/html/users_guide/profiling.html#observing-code-coverage
[profiling-detail]: https://cabal.readthedocs.io/en/latest/cabal-project.html#cfg-field-profiling-detail
[jailbreak-cabal]: https://github.com/NixOS/jailbreak-cabal/
[cpphs]: https://hackage.haskell.org/package/cpphs
[cabal-project-files]: https://cabal.readthedocs.io/en/latest/cabal-project.html
[optparse-applicative-completions]: https://github.com/pcapriotti/optparse-applicative/blob/7726b63796aa5d0df82e926d467f039b78ca09e2/README.md#bash-zsh-and-fish-completions

5
doc/languages-frameworks/javascript.section.md
View File

@ -175,10 +175,11 @@ buildNpmPackage rec {
hash = "sha256-BR+ZGkBBfd0dSQqAvujsbgsEPFYw/ThrylxUbOksYxM=";
};
patches = [ ./remove-prepack-script.patch ];
npmDepsHash = "sha256-tuEfyePwlOy2/mOPdXbqJskO6IowvAP4DWg8xSZwbJw=";
# The prepack script runs the build script, which we'd rather do in the build phase.
npmPackFlags = [ "--ignore-scripts" ];
NODE_OPTIONS = "--openssl-legacy-provider";
meta = with lib; {

74
doc/languages-frameworks/qt.section.md
View File

@ -2,14 +2,11 @@
Writing Nix expressions for Qt libraries and applications is largely similar as for other C++ software.
This section assumes some knowledge of the latter.
There are two problems that the Nixpkgs Qt infrastructure addresses,
which are not shared by other C++ software:
1. There are usually multiple supported versions of Qt in Nixpkgs.
All of a package's dependencies must be built with the same version of Qt.
This is similar to the version constraints imposed on interpreted languages like Python.
2. Qt makes extensive use of runtime dependency detection.
Runtime dependencies are made into build dependencies through wrappers.
The major caveat with Qt applications is that Qt uses a plugin system to load additional modules at runtime,
from a list of well-known locations. In Nixpkgs, we patch QtCore to instead use an environment variable,
and wrap Qt applications to set it to the right paths. This effectively makes the runtime dependencies
pure and explicit at build-time, at the cost of introducing an extra indirection.
## Nix expression for a Qt package (default.nix) {#qt-default-nix}
@ -95,66 +92,3 @@ stdenv.mkDerivation {
This means that scripts won't be automatically wrapped so you'll need to manually wrap them as previously mentioned.
An example of when you'd always need to do this is with Python applications that use PyQt.
:::
## Adding a library to Nixpkgs {#adding-a-library-to-nixpkgs}
Add Qt libraries to `qt5-packages.nix` to make them available for every
supported Qt version.
### Example adding a Qt library {#qt-library-all-packages-nix}
The following represents the contents of `qt5-packages.nix`.
```nix
{
# ...
mylib = callPackage ../path/to/mylib {};
# ...
}
```
Libraries are built with every available version of Qt.
Use the `meta.broken` attribute to disable the package for unsupported Qt versions:
```nix
{ stdenv, lib, qtbase }:
stdenv.mkDerivation {
# ...
# Disable this library with Qt < 5.9.0
meta.broken = lib.versionOlder qtbase.version "5.9.0";
}
```
## Adding an application to Nixpkgs {#adding-an-application-to-nixpkgs}
Add Qt applications to `qt5-packages.nix`. Add an alias to `all-packages.nix`
to select the Qt 5 version used for the application.
### Example adding a Qt application {#qt-application-all-packages-nix}
The following represents the contents of `qt5-packages.nix`.
```nix
{
# ...
myapp = callPackage ../path/to/myapp {};
# ...
}
```
The following represents the contents of `all-packages.nix`.
```nix
{
# ...
myapp = libsForQt5.myapp;
# ...
}
```

26
doc/stdenv/stdenv.chapter.md
View File

@ -994,6 +994,32 @@ Convenience function for `makeWrapper` that replaces `<\executable\>` with a wra
If you will apply it multiple times, it will overwrite the wrapper file and you will end up with double wrapping, which should be avoided.
### `prependToVar` \<variableName\> \<elements...\> {#fun-prependToVar}
Prepend elements to a variable.
Example:
```shellSession
$ configureFlags="--disable-static"
$ prependToVar configureFlags --disable-dependency-tracking --enable-foo
$ echo $configureFlags
--disable-dependency-tracking --enable-foo --disable-static
```
### `appendToVar` \<variableName\> \<elements...\> {#fun-appendToVar}
Append elements to a variable.
Example:
```shellSession
$ configureFlags="--disable-static"
$ appendToVar configureFlags --disable-dependency-tracking --enable-foo
$ echo $configureFlags
--disable-static --disable-dependency-tracking --enable-foo
```
## Package setup hooks {#ssec-setup-hooks}
Nix itself considers a build-time dependency as merely something that should previously be built and accessible at build time—packages themselves are on their own to perform any additional setup. In most cases, that is fine, and the downstream derivation can deal with its own dependencies. But for a few common tasks, that would result in almost every package doing the same sort of setup work—depending not on the package itself, but entirely on which dependencies were used.

20
maintainers/maintainer-list.nix
View File

@ -3291,6 +3291,12 @@
githubId = 798427;
name = "Davor Babic";
};
davsanchez = {
email = "davidslt+nixpkgs@pm.me";
github = "davsanchez";
githubId = 11422515;
name = "David Sánchez";
};
dawidsowa = {
email = "dawid_sowa@posteo.net";
github = "dawidsowa";
@ -11830,6 +11836,12 @@
githubId = 1973389;
name = "Reuben D'Netto";
};
realsnick = {
name = "Ido Samuelson";
email = "ido.samuelson@gmail.com";
github = "realsnick";
githubId = 1440852;
};
redbaron = {
email = "ivanov.maxim@gmail.com";
github = "redbaron";
@ -13891,6 +13903,14 @@
github = "tejasag";
githubId = 67542663;
};
tejing = {
name = "Jeff Huffman";
email = "tejing@tejing.com";
matrix = "@tejing:matrix.org";
github = "tejing1";
githubId = 5663576;
keys = [{ fingerprint = "6F0F D43B 80E5 583E 60FC 51DC 4936 D067 EB12 AB32"; }];
};
telotortium = {
email = "rirelan@gmail.com";
github = "telotortium";

1
maintainers/team-list.nix
View File

@ -280,6 +280,7 @@ with lib.maintainers; {
kalbasit
mic92
zowoq
qbit
];
scope = "Maintain Golang compilers.";
shortName = "Go";

26
nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
View File

@ -214,6 +214,17 @@
or configure your firewall.
</para>
</listitem>
<listitem>
<para>
<literal>llvmPackages_rocm.llvm</literal> will not contain
<literal>clang</literal> or <literal>compiler-rt</literal>.
<literal>llvmPackages_rocm.clang</literal> will not contain
<literal>llvm</literal>.
<literal>llvmPackages_rocm.clangNoCompilerRt</literal> has
been removed in favor of using
<literal>llvmPackages_rocm.clang-unwrapped</literal>.
</para>
</listitem>
<listitem>
<para>
The Nginx module now validates the syntax of config files at
@ -271,6 +282,14 @@
that it configures the NixOS boot process, not the Nix daemon.
</para>
</listitem>
<listitem>
<para>
Deprecated <literal>xlibsWrapper</literal> transitional
package has been removed in favour of direct use of its
constitutents: <literal>xorg.libX11</literal>,
<literal>freetype</literal> and others.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-23.05-notable-changes">
@ -475,6 +494,13 @@
<link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>.
</para>
</listitem>
<listitem>
<para>
<literal>hip</literal> has been separated into
<literal>hip</literal>, <literal>hip-common</literal> and
<literal>hipcc</literal>.
</para>
</listitem>
<listitem>
<para>
Resilio sync secret keys can now be provided using a secrets

6
nixos/doc/manual/release-notes/rl-2305.section.md
View File

@ -59,6 +59,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- The [services.unifi-video.openFirewall](#opt-services.unifi-video.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
- `llvmPackages_rocm.llvm` will not contain `clang` or `compiler-rt`. `llvmPackages_rocm.clang` will not contain `llvm`. `llvmPackages_rocm.clangNoCompilerRt` has been removed in favor of using `llvmPackages_rocm.clang-unwrapped`.
- The Nginx module now validates the syntax of config files at build time. For more complex configurations (using `include` with out-of-store files notably) you may need to disable this check by setting [services.nginx.validateConfig](#opt-services.nginx.validateConfig) to `false`.
- The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.
@ -71,6 +73,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- The `nix.readOnlyStore` option has been renamed to `boot.readOnlyNixStore` to clarify that it configures the NixOS boot process, not the Nix daemon.
- Deprecated `xlibsWrapper` transitional package has been removed in favour of direct use of its constitutents: `xorg.libX11`, `freetype` and others.
## Other Notable Changes {#sec-release-23.05-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@ -127,6 +131,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [Garage](https://garagehq.deuxfleurs.fr/) version is based on [system.stateVersion](options.html#opt-system.stateVersion), existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow [upstream instructions](https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/) and force [services.garage.package](options.html#opt-services.garage.package) or upgrade accordingly [system.stateVersion](options.html#opt-system.stateVersion).
- `hip` has been separated into `hip`, `hip-common` and `hipcc`.
- Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.
- The `firewall` and `nat` module now has a nftables based implementation. Enable `networking.nftables` to use it.

6
nixos/modules/config/no-x-libs.nix
View File

@ -33,12 +33,16 @@ with lib;
ffmpeg_4 = super.ffmpeg_4-headless;
ffmpeg_5 = super.ffmpeg_5-headless;
gobject-introspection = super.gobject-introspection.override { x11Support = false; };
gst_all_1 = super.gst_all_1 // {
gst-plugins-base = super.gst_all_1.gst-plugins-base.override { enableX11 = false; };
};
gpsd = super.gpsd.override { guiSupport = false; };
imagemagick = super.imagemagick.override { libX11Support = false; libXtSupport = false; };
imagemagickBig = super.imagemagickBig.override { libX11Support = false; libXtSupport = false; };
libextractor = super.libextractor.override { gstreamerSupport = false; gtkSupport = false; };
libextractor = super.libextractor.override { gtkSupport = false; };
libva = super.libva-minimal;
limesuite = super.limesuite.override { withGui = false; };
mpv-unwrapped = super.mpv-unwrapped.override { sdl2Support = false; x11Support = false; };
msmtp = super.msmtp.override { withKeyring = false; };
networkmanager-fortisslvpn = super.networkmanager-fortisslvpn.override { withGnome = false; };
networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; };

19
nixos/modules/hardware/printers.nix
View File

@ -110,21 +110,26 @@ in {
};
config = mkIf (cfg.ensurePrinters != [] && config.services.printing.enable) {
systemd.services.ensure-printers = let
cupsUnit = if config.services.printing.startWhenNeeded then "cups.socket" else "cups.service";
in {
systemd.services.ensure-printers = {
description = "Ensure NixOS-configured CUPS printers";
wantedBy = [ "multi-user.target" ];
requires = [ cupsUnit ];
after = [ cupsUnit ];
wants = [ "cups.service" ];
after = [ "cups.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = concatMapStringsSep "\n" ensurePrinter cfg.ensurePrinters
+ optionalString (cfg.ensureDefaultPrinter != null) (ensureDefaultPrinter cfg.ensureDefaultPrinter);
script = concatStringsSep "\n" [
(concatMapStrings ensurePrinter cfg.ensurePrinters)
(optionalString (cfg.ensureDefaultPrinter != null)
(ensureDefaultPrinter cfg.ensureDefaultPrinter))
# Note: if cupsd is "stateless" the service can't be stopped,
# otherwise the configuration will be wiped on the next start.
(optionalString (with config.services.printing; startWhenNeeded && !stateless)
"systemctl stop cups.service")
];
};
};
}

2
nixos/modules/module-list.nix
View File

@ -1302,6 +1302,8 @@
./system/boot/systemd/shutdown.nix
./system/boot/systemd/tmpfiles.nix
./system/boot/systemd/user.nix
./system/boot/systemd/userdbd.nix
./system/boot/systemd/homed.nix
./system/boot/timesyncd.nix
./system/boot/tmp.nix
./system/boot/uvesafb.nix

1
nixos/modules/programs/zsh/zsh-syntax-highlighting.nix
View File

@ -26,6 +26,7 @@ in
"brackets"
"pattern"
"cursor"
"regexp"
"root"
"line"
]));

27
nixos/modules/security/pam.nix
View File

@ -488,6 +488,9 @@ let
account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so
'' +
optionalString config.services.homed.enable ''
account sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
'' +
# The required pam_unix.so module has to come after all the sufficient modules
# because otherwise, the account lookup will fail if the user does not exist
# locally, for example with MySQL- or LDAP-auth.
@ -541,8 +544,10 @@ let
# after it succeeds. Certain modules need to run after pam_unix
# prompts the user for password so we run it once with 'optional' at an
# earlier point and it will run again with 'sufficient' further down.
# We use try_first_pass the second time to avoid prompting password twice
(optionalString (cfg.unixAuth &&
# We use try_first_pass the second time to avoid prompting password twice.
#
# The same principle applies to systemd-homed
(optionalString ((cfg.unixAuth || config.services.homed.enable) &&
(config.security.pam.enableEcryptfs
|| config.security.pam.enableFscrypt
|| cfg.pamMount
@ -553,7 +558,10 @@ let
|| cfg.failDelay.enable
|| cfg.duoSecurity.enable))
(
''
optionalString config.services.homed.enable ''
auth optional ${config.systemd.package}/lib/security/pam_systemd_home.so
'' +
optionalString cfg.unixAuth ''
auth optional pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
'' +
optionalString config.security.pam.enableEcryptfs ''
@ -584,6 +592,9 @@ let
auth required ${pkgs.duo-unix}/lib/security/pam_duo.so
''
)) +
optionalString config.services.homed.enable ''
auth sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
'' +
optionalString cfg.unixAuth ''
auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass
'' +
@ -605,6 +616,10 @@ let
auth required pam_deny.so
# Password management.
'' +
optionalString config.services.homed.enable ''
password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
'' + ''
password sufficient pam_unix.so nullok sha512
'' +
optionalString config.security.pam.enableEcryptfs ''
@ -650,6 +665,9 @@ let
++ optional (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"
++ optional (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"
)) +
optionalString config.services.homed.enable ''
session required ${config.systemd.package}/lib/security/pam_systemd_home.so
'' +
optionalString cfg.makeHomeDir ''
session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077
'' +
@ -1361,6 +1379,9 @@ in
'' +
optionalString config.virtualisation.lxc.lxcfs.enable ''
mr ${pkgs.lxc}/lib/security/pam_cgfs.so
'' +
optionalString config.services.homed.enable ''
mr ${config.systemd.package}/lib/security/pam_systemd_home.so
'';
};

2
nixos/modules/services/continuous-integration/github-runner.nix
View File

@ -20,4 +20,6 @@ in
config = mkIf cfg.enable {
services.github-runners.${cfg.name} = cfg;
};
meta.maintainers = with maintainers; [ veehaitch newam ];
}

3
nixos/modules/services/continuous-integration/github-runner/options.nix
View File

@ -127,10 +127,11 @@ with lib;
serviceOverrides = mkOption {
type = types.attrs;
description = lib.mdDoc ''
Overrides for the systemd service. Can be used to adjust the sandboxing options.
Modify the systemd service. Can be used to, e.g., adjust the sandboxing options.
'';
example = {
ProtectHome = false;
RestrictAddressFamilies = [ "AF_PACKET" ];
};
default = {};
};

392
nixos/modules/services/continuous-integration/github-runner/service.nix
View File

@ -45,222 +45,224 @@ in
config.nix.package
] ++ cfg.extraPackages;
serviceConfig = {
ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service";
serviceConfig = mkMerge [
{
ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service";
# Does the following, sequentially:
# - If the module configuration or the token has changed, purge the state directory,
# and create the current and the new token file with the contents of the configured
# token. While both files have the same content, only the later is accessible by
# the service user.
# - Configure the runner using the new token file. When finished, delete it.
# - Set up the directory structure by creating the necessary symlinks.
ExecStartPre =
let
# Wrapper script which expects the full path of the state, working and logs
# directory as arguments. Overrides the respective systemd variables to provide
# unambiguous directory names. This becomes relevant, for example, if the
# caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory=
# to contain more than one directory. This causes systemd to set the respective
# environment variables with the path of all of the given directories, separated
# by a colon.
writeScript = name: lines: pkgs.writeShellScript "${svcName}-${name}.sh" ''
set -euo pipefail
# Does the following, sequentially:
# - If the module configuration or the token has changed, purge the state directory,
# and create the current and the new token file with the contents of the configured
# token. While both files have the same content, only the later is accessible by
# the service user.
# - Configure the runner using the new token file. When finished, delete it.
# - Set up the directory structure by creating the necessary symlinks.
ExecStartPre =
let
# Wrapper script which expects the full path of the state, working and logs
# directory as arguments. Overrides the respective systemd variables to provide
# unambiguous directory names. This becomes relevant, for example, if the
# caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory=
# to contain more than one directory. This causes systemd to set the respective
# environment variables with the path of all of the given directories, separated
# by a colon.
writeScript = name: lines: pkgs.writeShellScript "${svcName}-${name}.sh" ''
set -euo pipefail
STATE_DIRECTORY="$1"
WORK_DIRECTORY="$2"
LOGS_DIRECTORY="$3"
STATE_DIRECTORY="$1"
WORK_DIRECTORY="$2"
LOGS_DIRECTORY="$3"
${lines}
'';
runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" "workDir" ] cfg;
newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
newConfigTokenPath= "$STATE_DIRECTORY/.new-token";
currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}";
${lines}
'';
runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" "workDir" ] cfg;
newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
newConfigTokenPath = "$STATE_DIRECTORY/.new-token";
currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}";
runnerCredFiles = [
".credentials"
".credentials_rsaparams"
".runner"
];
unconfigureRunner = writeScript "unconfigure" ''
copy_tokens() {
# Copy the configured token file to the state dir and allow the service user to read the file
install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}"
# Also copy current file to allow for a diff on the next start
install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}"
}
clean_state() {
find "$STATE_DIRECTORY/" -mindepth 1 -delete
copy_tokens
}
diff_config() {
changed=0
# Check for module config changes
[[ -f "${currentConfigPath}" ]] \
&& ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 \
|| changed=1
# Also check the content of the token file
[[ -f "${currentConfigTokenPath}" ]] \
&& ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \
|| changed=1
# If the config has changed, remove old state and copy tokens
if [[ "$changed" -eq 1 ]]; then
echo "Config has changed, removing old runner state."
echo "The old runner will still appear in the GitHub Actions UI." \
"You have to remove it manually."
runnerCredFiles = [
".credentials"
".credentials_rsaparams"
".runner"
];
unconfigureRunner = writeScript "unconfigure" ''
copy_tokens() {
# Copy the configured token file to the state dir and allow the service user to read the file
install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}"
# Also copy current file to allow for a diff on the next start
install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}"
}
clean_state() {
find "$STATE_DIRECTORY/" -mindepth 1 -delete
copy_tokens
}
diff_config() {
changed=0
# Check for module config changes
[[ -f "${currentConfigPath}" ]] \
&& ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 \
|| changed=1
# Also check the content of the token file
[[ -f "${currentConfigTokenPath}" ]] \
&& ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \
|| changed=1
# If the config has changed, remove old state and copy tokens
if [[ "$changed" -eq 1 ]]; then
echo "Config has changed, removing old runner state."
echo "The old runner will still appear in the GitHub Actions UI." \
"You have to remove it manually."
clean_state
fi
}
if [[ "${optionalString cfg.ephemeral "1"}" ]]; then
# In ephemeral mode, we always want to start with a clean state
clean_state
fi
}
if [[ "${optionalString cfg.ephemeral "1"}" ]]; then
# In ephemeral mode, we always want to start with a clean state
clean_state
elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then
# There are state files from a previous run; diff them to decide if we need a new registration
diff_config
else
# The state directory is entirely empty which indicates a first start
copy_tokens
fi
'';
configureRunner = writeScript "configure" ''
if [[ -e "${newConfigTokenPath}" ]]; then
echo "Configuring GitHub Actions Runner"
args=(
--unattended
--disableupdate
--work "$WORK_DIRECTORY"
--url ${escapeShellArg cfg.url}
--labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)}
--name ${escapeShellArg cfg.name}
${optionalString cfg.replace "--replace"}
${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}
${optionalString cfg.ephemeral "--ephemeral"}
)
# If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option,
# if it is not a PAT, we assume it contains a registration token and use the --token option
token=$(<"${newConfigTokenPath}")
if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then
args+=(--pat "$token")
elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then
# There are state files from a previous run; diff them to decide if we need a new registration
diff_config
else
args+=(--token "$token")
# The state directory is entirely empty which indicates a first start
copy_tokens
fi
${cfg.package}/bin/config.sh "''${args[@]}"
# Move the automatically created _diag dir to the logs dir
mkdir -p "$STATE_DIRECTORY/_diag"
cp -r "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/"
rm -rf "$STATE_DIRECTORY/_diag/"
# Cleanup token from config
rm "${newConfigTokenPath}"
# Symlink to new config
ln -s '${newConfigPath}' "${currentConfigPath}"
fi
'';
setupWorkDir = writeScript "setup-work-dirs" ''
# Cleanup previous service
${pkgs.findutils}/bin/find -H "$WORK_DIRECTORY" -mindepth 1 -delete
'';
configureRunner = writeScript "configure" ''
if [[ -e "${newConfigTokenPath}" ]]; then
echo "Configuring GitHub Actions Runner"
args=(
--unattended
--disableupdate
--work "$WORK_DIRECTORY"
--url ${escapeShellArg cfg.url}
--labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)}
--name ${escapeShellArg cfg.name}
${optionalString cfg.replace "--replace"}
${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}
${optionalString cfg.ephemeral "--ephemeral"}
)
# If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option,
# if it is not a PAT, we assume it contains a registration token and use the --token option
token=$(<"${newConfigTokenPath}")
if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then
args+=(--pat "$token")
else
args+=(--token "$token")
fi
${cfg.package}/bin/config.sh "''${args[@]}"
# Move the automatically created _diag dir to the logs dir
mkdir -p "$STATE_DIRECTORY/_diag"
cp -r "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/"
rm -rf "$STATE_DIRECTORY/_diag/"
# Cleanup token from config
rm "${newConfigTokenPath}"
# Symlink to new config
ln -s '${newConfigPath}' "${currentConfigPath}"
fi
'';
setupWorkDir = writeScript "setup-work-dirs" ''
# Cleanup previous service
${pkgs.findutils}/bin/find -H "$WORK_DIRECTORY" -mindepth 1 -delete
# Link _diag dir
ln -s "$LOGS_DIRECTORY" "$WORK_DIRECTORY/_diag"
# Link _diag dir
ln -s "$LOGS_DIRECTORY" "$WORK_DIRECTORY/_diag"
# Link the runner credentials to the work dir
ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$WORK_DIRECTORY/"
'';
in
# Link the runner credentials to the work dir
ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$WORK_DIRECTORY/"
'';
in
map (x: "${x} ${escapeShellArgs [ stateDir workDir logsDir ]}") [
"+${unconfigureRunner}" # runs as root
configureRunner
setupWorkDir
];
# If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner)
# to trigger a fresh registration.
Restart = if cfg.ephemeral then "on-success" else "no";
# If the runner exits with `ReturnCode.RetryableError = 2`, always restart the service:
# https://github.com/actions/runner/blob/40ed7f8/src/Runner.Common/Constants.cs#L146
RestartForceExitStatus = [ 2 ];
# If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner)
# to trigger a fresh registration.
Restart = if cfg.ephemeral then "on-success" else "no";
# If the runner exits with `ReturnCode.RetryableError = 2`, always restart the service:
# https://github.com/actions/runner/blob/40ed7f8/src/Runner.Common/Constants.cs#L146
RestartForceExitStatus = [ 2 ];
# Contains _diag
LogsDirectory = [ systemdDir ];
# Default RUNNER_ROOT which contains ephemeral Runner data
RuntimeDirectory = [ systemdDir ];
# Home of persistent runner data, e.g., credentials
StateDirectory = [ systemdDir ];
StateDirectoryMode = "0700";
WorkingDirectory = workDir;
# Contains _diag
LogsDirectory = [ systemdDir ];
# Default RUNNER_ROOT which contains ephemeral Runner data
RuntimeDirectory = [ systemdDir ];
# Home of persistent runner data, e.g., credentials
StateDirectory = [ systemdDir ];
StateDirectoryMode = "0700";
WorkingDirectory = workDir;
InaccessiblePaths = [
# Token file path given in the configuration, if visible to the service
"-${cfg.tokenFile}"
# Token file in the state directory
"${stateDir}/${currentConfigTokenFilename}"
];
InaccessiblePaths = [
# Token file path given in the configuration, if visible to the service
"-${cfg.tokenFile}"
# Token file in the state directory
"${stateDir}/${currentConfigTokenFilename}"
];
KillSignal = "SIGINT";
KillSignal = "SIGINT";
# Hardening (may overlap with DynamicUser=)
# The following options are only for optimizing:
# systemd-analyze security github-runner
AmbientCapabilities = "";
CapabilityBoundingSet = "";
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = "";
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
UMask = "0066";
ProtectProc = "invisible";
SystemCallFilter = [
"~@clock"
"~@cpu-emulation"
"~@module"
"~@mount"
"~@obsolete"
"~@raw-io"
"~@reboot"
"~capset"
"~setdomainname"
"~sethostname"
];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
# Hardening (may overlap with DynamicUser=)
# The following options are only for optimizing:
# systemd-analyze security github-runner
AmbientCapabilities = mkBefore [ "" ];
CapabilityBoundingSet = mkBefore [ "" ];
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = mkBefore [ "" ];
NoNewPrivileges = mkDefault true;
PrivateDevices = mkDefault true;
PrivateMounts = mkDefault true;
PrivateTmp = mkDefault true;
PrivateUsers = mkDefault true;
ProtectClock = mkDefault true;
ProtectControlGroups = mkDefault true;
ProtectHome = mkDefault true;
ProtectHostname = mkDefault true;
ProtectKernelLogs = mkDefault true;
ProtectKernelModules = mkDefault true;
ProtectKernelTunables = mkDefault true;
ProtectSystem = mkDefault "strict";
RemoveIPC = mkDefault true;
RestrictNamespaces = mkDefault true;
RestrictRealtime = mkDefault true;
RestrictSUIDSGID = mkDefault true;
UMask = mkDefault "0066";
ProtectProc = mkDefault "invisible";
SystemCallFilter = mkBefore [
"~@clock"
"~@cpu-emulation"
"~@module"
"~@mount"
"~@obsolete"
"~@raw-io"
"~@reboot"
"~capset"
"~setdomainname"
"~sethostname"
];
RestrictAddressFamilies = mkBefore [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ];
BindPaths = lib.optionals (cfg.workDir != null) [ cfg.workDir ];
# Needs network access
PrivateNetwork = false;
# Cannot be true due to Node
MemoryDenyWriteExecute = false;
# Needs network access
PrivateNetwork = mkDefault false;
# Cannot be true due to Node
MemoryDenyWriteExecute = mkDefault false;
# The more restrictive "pid" option makes `nix` commands in CI emit
# "GC Warning: Couldn't read /proc/stat"
# You may want to set this to "pid" if not using `nix` commands
ProcSubset = "all";
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
# ASLR (address space layout randomization) which requires the
# `personality` syscall
# You may want to set this to `true` if not using coverage tooling on
# compiled code
LockPersonality = false;
# The more restrictive "pid" option makes `nix` commands in CI emit
# "GC Warning: Couldn't read /proc/stat"
# You may want to set this to "pid" if not using `nix` commands
ProcSubset = mkDefault "all";
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
# ASLR (address space layout randomization) which requires the
# `personality` syscall
# You may want to set this to `true` if not using coverage tooling on
# compiled code
LockPersonality = mkDefault false;
# Note that this has some interactions with the User setting; so you may
# want to consult the systemd docs if using both.
DynamicUser = true;
} // (
lib.optionalAttrs (cfg.user != null) { User = cfg.user; }
) // cfg.serviceOverrides;
# Note that this has some interactions with the User setting; so you may
# want to consult the systemd docs if using both.
DynamicUser = mkDefault true;
}
(mkIf (cfg.user != null) { User = cfg.user; })
cfg.serviceOverrides
];
}

2
nixos/modules/services/continuous-integration/github-runners.nix
View File

@ -53,4 +53,6 @@ in
}))
);
};
meta.maintainers = with maintainers; [ veehaitch newam ];
}

7
nixos/modules/services/hardware/fancontrol.nix
View File

@ -42,6 +42,13 @@ in
ExecStart = "${pkgs.lm_sensors}/sbin/fancontrol ${configFile}";
};
};
# On some systems, the fancontrol service does not resume properly after sleep because the pwm status of the fans
# is not reset properly. Restarting the service fixes this, in accordance with https://github.com/lm-sensors/lm-sensors/issues/172.
powerManagement.resumeCommands = ''
systemctl restart fancontrol.service
'';
};
meta.maintainers = [ maintainers.evils ];

1
nixos/modules/services/networking/ircd-hybrid/builder.sh
View File

@ -1,3 +1,4 @@
if [ -e .attrs.sh ]; then source .attrs.sh; fi
source $stdenv/setup
doSub() {

7
nixos/modules/services/printing/cupsd.nix
View File

@ -341,7 +341,7 @@ in
systemd.sockets.cups = mkIf cfg.startWhenNeeded {
wantedBy = [ "sockets.target" ];
listenStreams = [ "/run/cups/cups.sock" ]
listenStreams = [ "" "/run/cups/cups.sock" ]
++ map (x: replaceStrings ["localhost"] ["127.0.0.1"] (removePrefix "*:" x)) cfg.listenAddresses;
};
@ -395,10 +395,7 @@ in
''}
'';
serviceConfig = {
PrivateTmp = true;
RuntimeDirectory = [ "cups" ];
};
serviceConfig.PrivateTmp = true;
};
systemd.services.cups-browsed = mkIf avahiEnabled

1
nixos/modules/services/web-servers/jboss/builder.sh
View File

@ -1,5 +1,6 @@
set -e
if [ -e .attrs.sh ]; then source .attrs.sh; fi
source $stdenv/setup
mkdir -p $out/bin

22
nixos/modules/services/web-servers/nginx/default.nix
View File

@ -4,7 +4,7 @@ with lib;
let
cfg = config.services.nginx;
certs = config.security.acme.certs;
inherit (config.security.acme) certs;
vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;
acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME || vhostConfig.useACMEHost != null) vhostsConfigs;
dependentCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts);
@ -27,7 +27,7 @@ let
else "${certs.${certName}.directory}/chain.pem";
})
) cfg.virtualHosts;
enableIPv6 = config.networking.enableIPv6;
inherit (config.networking) enableIPv6;
# Mime.types values are taken from brotli sample configuration - https://github.com/google/ngx_brotli
# and Nginx Server Configs - https://github.com/h5bp/server-configs-nginx
@ -149,7 +149,7 @@ let
''}
${upstreamConfig}
${optionalString (cfg.recommendedOptimisation) ''
${optionalString cfg.recommendedOptimisation ''
# optimisation
sendfile on;
tcp_nopush on;
@ -161,7 +161,7 @@ let
${optionalString (cfg.sslCiphers != null) "ssl_ciphers ${cfg.sslCiphers};"}
${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"}
${optionalString (cfg.recommendedTlsSettings) ''
${optionalString cfg.recommendedTlsSettings ''
# Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate
ssl_session_timeout 1d;
@ -177,7 +177,7 @@ let
ssl_stapling_verify on;
''}
${optionalString (cfg.recommendedBrotliSettings) ''
${optionalString cfg.recommendedBrotliSettings ''
brotli on;
brotli_static on;
brotli_comp_level 5;
@ -187,7 +187,7 @@ let
brotli_buffers 32 8k;
''}
${optionalString (cfg.recommendedGzipSettings) ''
${optionalString cfg.recommendedGzipSettings ''
gzip on;
gzip_proxied any;
gzip_comp_level 5;
@ -205,7 +205,7 @@ let
gzip_vary on;
''}
${optionalString (cfg.recommendedProxySettings) ''
${optionalString cfg.recommendedProxySettings ''
proxy_redirect off;
proxy_connect_timeout ${cfg.proxyTimeout};
proxy_send_timeout ${cfg.proxyTimeout};
@ -239,7 +239,7 @@ let
server_tokens ${if cfg.serverTokens then "on" else "off"};
${optionalString (cfg.proxyCache.enable) ''
${optionalString cfg.proxyCache.enable ''
proxy_cache_path /var/cache/nginx keys_zone=${cfg.proxyCache.keysZoneName}:${cfg.proxyCache.keysZoneSize}
levels=${cfg.proxyCache.levels}
use_temp_path=${if cfg.proxyCache.useTempPath then "on" else "off"}
@ -993,8 +993,6 @@ in
];
config = mkIf cfg.enable {
# TODO: test user supplied config file pases syntax test
warnings =
let
deprecatedSSL = name: config: optional config.enableSSL
@ -1142,14 +1140,14 @@ in
sslServices = map (certName: "acme-${certName}.service") dependentCertNames;
sslTargets = map (certName: "acme-finished-${certName}.target") dependentCertNames;
in mkIf (cfg.enableReload || sslServices != []) {
wants = optionals (cfg.enableReload) [ "nginx.service" ];
wants = optionals cfg.enableReload [ "nginx.service" ];
wantedBy = sslServices ++ [ "multi-user.target" ];
# Before the finished targets, after the renew services.
# This service might be needed for HTTP-01 challenges, but we only want to confirm
# certs are updated _after_ config has been reloaded.
before = sslTargets;
after = sslServices;
restartTriggers = optionals (cfg.enableReload) [ finalConfigFile ];
restartTriggers = optionals cfg.enableReload [ finalConfigFile ];
# Block reloading if not all certs exist yet.
# Happens when config changes add new vhosts/certs.
unitConfig.ConditionPathExists = optionals (sslServices != []) (map (certName: certs.${certName}.directory + "/fullchain.pem") dependentCertNames);

2
nixos/modules/system/boot/systemd.nix
View File

@ -450,7 +450,7 @@ in
(mkAfter [ "systemd" ])
]);
group = (mkMerge [
(mkAfter [ "systemd" ])
(mkAfter [ "[success=merge] systemd" ]) # need merge so that NSS won't stop at file-based groups
]);
};

43
nixos/modules/system/boot/systemd/homed.nix Normal file
View File

@ -0,0 +1,43 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.homed;
in
{
options.services.homed.enable = lib.mkEnableOption (lib.mdDoc ''
Enable systemd home area/user account manager
'');
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = config.services.nscd.enable;
message = "systemd-homed requires the use of systemd nss module. services.nscd.enable must be set to true,";
}
];
systemd.additionalUpstreamSystemUnits = [
"systemd-homed.service"
"systemd-homed-activate.service"
];
# This is mentioned in homed's [Install] section.
#
# While homed appears to work without it, it's probably better
# to follow upstream recommendations.
services.userdbd.enable = lib.mkDefault true;
systemd.services = {
systemd-homed = {
# These packages are required to manage encrypted volumes
path = config.system.fsPackages;
aliases = [ "dbus-org.freedesktop.home1.service" ];
wantedBy = [ "multi-user.target" ];
};
systemd-homed-activate = {
wantedBy = [ "systemd-homed.service" ];
};
};
};
}

18
nixos/modules/system/boot/systemd/userdbd.nix Normal file
View File

@ -0,0 +1,18 @@
{ config, lib, ... }:
let
cfg = config.services.userdbd;
in
{
options.services.userdbd.enable = lib.mkEnableOption (lib.mdDoc ''
Enables the systemd JSON user/group record lookup service
'');
config = lib.mkIf cfg.enable {
systemd.additionalUpstreamSystemUnits = [
"systemd-userdbd.socket"
"systemd-userdbd.service"
];
systemd.sockets.systemd-userdbd.wantedBy = [ "sockets.target" ];
};
}

3
nixos/release-combined.nix
View File

@ -146,7 +146,8 @@ in rec {
(onFullSupported "nixos.tests.predictable-interface-names.predictable")
(onFullSupported "nixos.tests.predictable-interface-names.unpredictableNetworkd")
(onFullSupported "nixos.tests.predictable-interface-names.unpredictable")
(onFullSupported "nixos.tests.printing")
(onFullSupported "nixos.tests.printing-service")
(onFullSupported "nixos.tests.printing-socket")
(onFullSupported "nixos.tests.proxy")
(onFullSupported "nixos.tests.sddm.default")
(onFullSupported "nixos.tests.shadow")

5
nixos/tests/all-tests.nix
View File

@ -544,7 +544,8 @@ in {
power-profiles-daemon = handleTest ./power-profiles-daemon.nix {};
pppd = handleTest ./pppd.nix {};
predictable-interface-names = handleTest ./predictable-interface-names.nix {};
printing = handleTest ./printing.nix {};
printing-socket = handleTest ./printing.nix { socket = true; };
printing-service = handleTest ./printing.nix { socket = false; };
privacyidea = handleTest ./privacyidea.nix {};
privoxy = handleTest ./privoxy.nix {};
prometheus = handleTest ./prometheus.nix {};
@ -655,6 +656,8 @@ in {
systemd-shutdown = handleTest ./systemd-shutdown.nix {};
systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
systemd-misc = handleTest ./systemd-misc.nix {};
systemd-userdbd = handleTest ./systemd-userdbd.nix {};
systemd-homed = handleTest ./systemd-homed.nix {};
tandoor-recipes = handleTest ./tandoor-recipes.nix {};
taskserver = handleTest ./taskserver.nix {};
tayga = handleTest ./tayga.nix {};

177
nixos/tests/printing.nix
View File

@ -1,19 +1,31 @@
# Test printing via CUPS.
import ./make-test-python.nix ({pkgs, ... }:
let
printingServer = startWhenNeeded: {
services.printing.enable = true;
services.printing.stateless = true;
services.printing.startWhenNeeded = startWhenNeeded;
services.printing.listenAddresses = [ "*:631" ];
services.printing.defaultShared = true;
services.printing.extraConf = ''
<Location />
Order allow,deny
Allow from all
</Location>
'';
import ./make-test-python.nix (
{ pkgs
, socket ? true # whether to use socket activation
, ...
}:
{
name = "printing";
meta = with pkgs.lib.maintainers; {
maintainers = [ domenkozar eelco matthewbauer ];
};
nodes.server = { ... }: {
services.printing = {
enable = true;
stateless = true;
startWhenNeeded = socket;
listenAddresses = [ "*:631" ];
defaultShared = true;
extraConf = ''
<Location />
Order allow,deny
Allow from all
</Location>
'';
};
networking.firewall.allowedTCPPorts = [ 631 ];
# Add a HP Deskjet printer connected via USB to the server.
hardware.printers.ensurePrinters = [{
@ -22,32 +34,19 @@ let
model = "drv:///sample.drv/deskjet.ppd";
}];
};
printingClient = startWhenNeeded: {
nodes.client = { ... }: {
services.printing.enable = true;
services.printing.startWhenNeeded = startWhenNeeded;
services.printing.startWhenNeeded = socket;
# Add printer to the client as well, via IPP.
hardware.printers.ensurePrinters = [{
name = "DeskjetRemote";
deviceUri = "ipp://${if startWhenNeeded then "socketActivatedServer" else "serviceServer"}/printers/DeskjetLocal";
deviceUri = "ipp://server/printers/DeskjetLocal";
model = "drv:///sample.drv/deskjet.ppd";
}];
hardware.printers.ensureDefaultPrinter = "DeskjetRemote";
};
in {
name = "printing";
meta = with pkgs.lib.maintainers; {
maintainers = [ domenkozar eelco matthewbauer ];
};
nodes = {
socketActivatedServer = { ... }: (printingServer true);
serviceServer = { ... }: (printingServer false);
socketActivatedClient = { ... }: (printingClient true);
serviceClient = { ... }: (printingClient false);
};
testScript = ''
import os
import re
@ -55,75 +54,69 @@ in {
start_all()
with subtest("Make sure that cups is up on both sides and printers are set up"):
serviceServer.wait_for_unit("cups.service")
serviceClient.wait_for_unit("cups.service")
socketActivatedClient.wait_for_unit("ensure-printers.service")
server.wait_for_unit("cups.${if socket then "socket" else "service"}")
client.wait_for_unit("cups.${if socket then "socket" else "service"}")
assert "scheduler is running" in client.succeed("lpstat -r")
def test_printing(client, server):
assert "scheduler is running" in client.succeed("lpstat -r")
with subtest("UNIX socket is used for connections"):
assert "/var/run/cups/cups.sock" in client.succeed("lpstat -H")
with subtest("UNIX socket is used for connections"):
assert "/var/run/cups/cups.sock" in client.succeed("lpstat -H")
with subtest("HTTP server is available too"):
client.succeed("curl --fail http://localhost:631/")
client.succeed(f"curl --fail http://{server.name}:631/")
server.fail(f"curl --fail --connect-timeout 2 http://{client.name}:631/")
with subtest("HTTP server is available too"):
client.succeed("curl --fail http://localhost:631/")
client.succeed(f"curl --fail http://{server.name}:631/")
server.fail(f"curl --fail --connect-timeout 2 http://{client.name}:631/")
with subtest("LP status checks"):
assert "DeskjetRemote accepting requests" in client.succeed("lpstat -a")
assert "DeskjetLocal accepting requests" in client.succeed(
f"lpstat -h {server.name}:631 -a"
)
client.succeed("cupsdisable DeskjetRemote")
out = client.succeed("lpq")
print(out)
assert re.search(
"DeskjetRemote is not ready.*no entries",
client.succeed("lpq"),
flags=re.DOTALL,
)
client.succeed("cupsenable DeskjetRemote")
assert re.match(
"DeskjetRemote is ready.*no entries", client.succeed("lpq"), flags=re.DOTALL
with subtest("LP status checks"):
assert "DeskjetRemote accepting requests" in client.succeed("lpstat -a")
assert "DeskjetLocal accepting requests" in client.succeed(
f"lpstat -h {server.name}:631 -a"
)
client.succeed("cupsdisable DeskjetRemote")
out = client.succeed("lpq")
print(out)
assert re.search(
"DeskjetRemote is not ready.*no entries",
client.succeed("lpq"),
flags=re.DOTALL,
)
client.succeed("cupsenable DeskjetRemote")
assert re.match(
"DeskjetRemote is ready.*no entries", client.succeed("lpq"), flags=re.DOTALL
)
# Test printing various file types.
for file in [
"${pkgs.groff.doc}/share/doc/*/examples/mom/penguin.pdf",
"${pkgs.groff.doc}/share/doc/*/meref.ps",
"${pkgs.cups.out}/share/doc/cups/images/cups.png",
"${pkgs.pcre.doc}/share/doc/pcre/pcre.txt",
]:
file_name = os.path.basename(file)
with subtest(f"print {file_name}"):
# Print the file on the client.
print(client.succeed("lpq"))
client.succeed(f"lp {file}")
client.wait_until_succeeds(
f"lpq; lpq | grep -q -E 'active.*root.*{file_name}'"
)
# Test printing various file types.
for file in [
"${pkgs.groff.doc}/share/doc/*/examples/mom/penguin.pdf",
"${pkgs.groff.doc}/share/doc/*/meref.ps",
"${pkgs.cups.out}/share/doc/cups/images/cups.png",
"${pkgs.pcre.doc}/share/doc/pcre/pcre.txt",
]:
file_name = os.path.basename(file)
with subtest(f"print {file_name}"):
# Print the file on the client.
print(client.succeed("lpq"))
client.succeed(f"lp {file}")
client.wait_until_succeeds(
f"lpq; lpq | grep -q -E 'active.*root.*{file_name}'"
)
# Ensure that a raw PCL file appeared in the server's queue
# (showing that the right filters have been applied). Of
# course, since there is no actual USB printer attached, the
# file will stay in the queue forever.
server.wait_for_file("/var/spool/cups/d*-001")
server.wait_until_succeeds(f"lpq -a | grep -q -E '{file_name}'")
# Ensure that a raw PCL file appeared in the server's queue
# (showing that the right filters have been applied). Of
# course, since there is no actual USB printer attached, the
# file will stay in the queue forever.
server.wait_for_file("/var/spool/cups/d*-001")
server.wait_until_succeeds(f"lpq -a | grep -q -E '{file_name}'")
# Delete the job on the client. It should disappear on the
# server as well.
client.succeed("lprm")
client.wait_until_succeeds("lpq -a | grep -q -E 'no entries'")
# Delete the job on the client. It should disappear on the
# server as well.
client.succeed("lprm")
client.wait_until_succeeds("lpq -a | grep -q -E 'no entries'")
retry(lambda _: "no entries" in server.succeed("lpq -a"))
retry(lambda _: "no entries" in server.succeed("lpq -a"))
# The queue is empty already, so this should be safe.
# Otherwise, pairs of "c*"-"d*-001" files might persist.
server.execute("rm /var/spool/cups/*")
test_printing(serviceClient, serviceServer)
test_printing(socketActivatedClient, socketActivatedServer)
# The queue is empty already, so this should be safe.
# Otherwise, pairs of "c*"-"d*-001" files might persist.
server.execute("rm /var/spool/cups/*")
'';
})

99
nixos/tests/systemd-homed.nix Normal file
View File

@ -0,0 +1,99 @@
import ./make-test-python.nix ({ pkgs, lib, ... }:
let
password = "foobar";
newPass = "barfoo";
in
{
name = "systemd-homed";
nodes.machine = { config, pkgs, ... }: {
services.homed.enable = true;
users.users.test-normal-user = {
extraGroups = [ "wheel" ];
isNormalUser = true;
initialPassword = password;
};
};
testScript = ''
def switchTTY(number):
machine.send_key(f"alt-f{number}")
machine.wait_until_succeeds(f"[ $(fgconsole) = {number} ]")
machine.wait_for_unit(f"getty@tty{number}.service")
machine.wait_until_succeeds(f"pgrep -f 'agetty.*tty{number}'")
machine.wait_for_unit("multi-user.target")
# Smoke test to make sure the pam changes didn't break regular users.
machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
with subtest("login as regular user"):
switchTTY(2)
machine.wait_until_tty_matches("2", "login: ")
machine.send_chars("test-normal-user\n")
machine.wait_until_tty_matches("2", "login: test-normal-user")
machine.wait_until_tty_matches("2", "Password: ")
machine.send_chars("${password}\n")
machine.wait_until_succeeds("pgrep -u test-normal-user bash")
machine.send_chars("whoami > /tmp/1\n")
machine.wait_for_file("/tmp/1")
assert "test-normal-user" in machine.succeed("cat /tmp/1")
with subtest("create homed encrypted user"):
# TODO: Figure out how to pass password manually.
#
# This environment variable is used for homed internal testing
# and is not documented.
machine.succeed("NEWPASSWORD=${password} homectl create --shell=/run/current-system/sw/bin/bash --storage=luks -G wheel test-homed-user")
with subtest("login as homed user"):
switchTTY(3)
machine.wait_until_tty_matches("3", "login: ")
machine.send_chars("test-homed-user\n")
machine.wait_until_tty_matches("3", "login: test-homed-user")
machine.wait_until_tty_matches("3", "Password: ")
machine.send_chars("${password}\n")
machine.wait_until_succeeds("pgrep -t tty3 -u test-homed-user bash")
machine.send_chars("whoami > /tmp/2\n")
machine.wait_for_file("/tmp/2")
assert "test-homed-user" in machine.succeed("cat /tmp/2")
with subtest("change homed user password"):
switchTTY(4)
machine.wait_until_tty_matches("4", "login: ")
machine.send_chars("test-homed-user\n")
machine.wait_until_tty_matches("4", "login: test-homed-user")
machine.wait_until_tty_matches("4", "Password: ")
machine.send_chars("${password}\n")
machine.wait_until_succeeds("pgrep -t tty4 -u test-homed-user bash")
machine.send_chars("passwd\n")
# homed does it in a weird order, it asks for new passes, then it asks
# for the old one.
machine.sleep(2)
machine.send_chars("${newPass}\n")
machine.sleep(2)
machine.send_chars("${newPass}\n")
machine.sleep(4)
machine.send_chars("${password}\n")
machine.wait_until_fails("pgrep -t tty4 passwd")
@polling_condition
def not_logged_in_tty5():
machine.fail("pgrep -t tty5 bash")
switchTTY(5)
with not_logged_in_tty5: # type: ignore[union-attr]
machine.wait_until_tty_matches("5", "login: ")
machine.send_chars("test-homed-user\n")
machine.wait_until_tty_matches("5", "login: test-homed-user")
machine.wait_until_tty_matches("5", "Password: ")
machine.send_chars("${password}\n")
machine.wait_until_tty_matches("5", "Password incorrect or not sufficient for authentication of user test-homed-user.")
machine.wait_until_tty_matches("5", "Sorry, try again: ")
machine.send_chars("${newPass}\n")
machine.send_chars("whoami > /tmp/4\n")
machine.wait_for_file("/tmp/4")
assert "test-homed-user" in machine.succeed("cat /tmp/4")
with subtest("homed user should be in wheel according to NSS"):
machine.succeed("userdbctl group wheel -s io.systemd.NameServiceSwitch | grep test-homed-user")
'';
})

32
nixos/tests/systemd-userdbd.nix Normal file
View File

@ -0,0 +1,32 @@
import ./make-test-python.nix ({ pkgs, lib, ... }: {
name = "systemd-userdbd";
nodes.machine = { config, pkgs, ... }: {
services.userdbd.enable = true;
users.users.test-user-nss = {
isNormalUser = true;
};
environment.etc."userdb/test-user-dropin.user".text = builtins.toJSON {
userName = "test-user-dropin";
};
environment.systemPackages = with pkgs; [ libvarlink ];
};
testScript = ''
import json
from shlex import quote
def getUserRecord(name):
Interface = "unix:/run/systemd/userdb/io.systemd.Multiplexer/io.systemd.UserDatabase"
payload = json.dumps({
"service": "io.systemd.Multiplexer",
"userName": name
})
return json.loads(machine.succeed(f"varlink call {Interface}.GetUserRecord {quote(payload)}"))
machine.wait_for_unit("systemd-userdbd.socket")
getUserRecord("test-user-nss")
getUserRecord("test-user-dropin")
'';
})

6
pkgs/applications/audio/fluidsynth/default.nix
View File

@ -20,7 +20,11 @@ stdenv.mkDerivation rec {
++ lib.optionals stdenv.isLinux [ alsa-lib libpulseaudio ]
++ lib.optionals stdenv.isDarwin [ AudioUnit CoreAudio CoreMIDI CoreServices ];
cmakeFlags = [ "-Denable-framework=off" ];
cmakeFlags = [
"-Denable-framework=off"
# set CMAKE_INSTALL_NAME_DIR to correct value on darwin
"-DCMAKE_INSTALL_LIBDIR=lib"
];
meta = with lib; {
description = "Real-time software synthesizer based on the SoundFont 2 specifications";

4
pkgs/applications/audio/kid3/default.nix
View File

@ -27,11 +27,11 @@
stdenv.mkDerivation rec {
pname = "kid3";
version = "3.9.2";
version = "3.9.3";
src = fetchurl {
url = "https://download.kde.org/stable/${pname}/${version}/${pname}-${version}.tar.xz";
sha256 = "sha256-R4Xv+PmzKZQF1tFtSQTFjaisGug2EKM6mPVoGutNnok=";
sha256 = "sha256-D2hrdej2Q69AYjDn2Ey4vBSOmzBY3UzZMUdJSRjurdA=";
};
nativeBuildInputs = [

2
pkgs/applications/audio/sublime-music/default.nix
View File

@ -54,7 +54,7 @@ python3Packages.buildPythonApplication rec {
mpv
peewee
pygobject3
python-Levenshtein
levenshtein
python-dateutil
requests
semver

4
pkgs/applications/audio/wolf-shaper/default.nix
View File

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "wolf-shaper";
version = "0.1.8";
version = "1.0.0";
src = fetchFromGitHub {
owner = "pdesaulniers";
repo = "wolf-shaper";
rev = "v${version}";
sha256 = "1j9xmh1nkf45ay1c5dz2g165qvrwlanzcq6mvb3nfxar265drd9q";
sha256 = "sha256-BREv0nQVysWdx/sVd0cdFji49xtLmHEL8b2jLtgjDfI=";
fetchSubmodules = true;
};

4
pkgs/applications/audio/zam-plugins/default.nix
View File

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "zam-plugins";
version = "3.14";
version = "4.1";
src = fetchFromGitHub {
owner = "zamaudio";
repo = pname;
rev = version;
sha256 = "sha256-zlANfFuEXQdXlSu4CuXNyChiuV7wkumaOJqgthl6Y9Q=";
sha256 = "sha256-NKa6lOP3fpAFMYwzZAMFgW0tBSM/F89oB/nDbEUeflw=";
fetchSubmodules = true;
};

10
pkgs/applications/blockchains/chia/default.nix
View File

@ -6,21 +6,16 @@
let chia = python3Packages.buildPythonApplication rec {
pname = "chia";
version = "1.6.0";
version = "1.6.2";
src = fetchFromGitHub {
owner = "Chia-Network";
repo = "chia-blockchain";
rev = version;
fetchSubmodules = true;
hash = "sha256-TNaHPvN19fkRqkQHtqdeEDwhqbntcVhxXhY8TNIScEg=";
hash = "sha256-BgUgTYpjFsKisfFni8TzSYQ8+S3P+7m78DuyjWF5xh8=";
};
patches = [
# chia tries to put lock files in the python modules directory
./dont_lock_in_store.patch
];
postPatch = ''
substituteInPlace setup.py \
--replace "==" ">="
@ -59,6 +54,7 @@ let chia = python3Packages.buildPythonApplication rec {
fasteners
filelock
keyrings-cryptfile
psutil
pyyaml
setproctitle
setuptools # needs pkg_resources at runtime

21
pkgs/applications/blockchains/chia/dont_lock_in_store.patch
View File

@ -1,21 +0,0 @@
--- a/chia/wallet/puzzles/load_clvm.py
+++ b/chia/wallet/puzzles/load_clvm.py
@@ -82,18 +82,6 @@ def load_serialized_clvm(clvm_filename, package_or_requirement=__name__) -> Seri
"""
hex_filename = f"{clvm_filename}.hex"
- try:
- if pkg_resources.resource_exists(package_or_requirement, clvm_filename):
- # Establish whether the size is zero on entry
- full_path = pathlib.Path(pkg_resources.resource_filename(package_or_requirement, clvm_filename))
- output = full_path.parent / hex_filename
- compile_clvm(full_path, output, search_paths=[full_path.parent])
-
- except NotImplementedError:
- # pyinstaller doesn't support `pkg_resources.resource_exists`
- # so we just fall through to loading the hex clvm
- pass
-
clvm_hex = pkg_resources.resource_string(package_or_requirement, hex_filename).decode("utf8")
assert len(clvm_hex.strip()) != 0
clvm_blob = bytes.fromhex(clvm_hex)

16
pkgs/applications/blockchains/erigon/default.nix
View File

@ -1,21 +1,21 @@
{ lib, buildGoModule, fetchFromGitHub }:
{ lib, buildGoModule, fetchFromGitHub, nix-update-script }:
let
pinData = lib.importJSON ./pin.json;
in
buildGoModule rec {
pname = "erigon";
version = pinData.version;
version = "2.34.0";
in
buildGoModule {
inherit pname version;
src = fetchFromGitHub {
owner = "ledgerwatch";
repo = pname;
rev = "v${version}";
sha256 = pinData.sha256;
sha256 = "sha256-oiFPnDzvLdVkGeflqUcB00peZyVLMzsXi7QzOjPlpHo=";
fetchSubmodules = true;
};
vendorSha256 = pinData.vendorSha256;
vendorSha256 = "sha256-x/ffvbBKzJrssOo+cuWIiwHWu9UfeBHSbgwmLE0340A=";
proxyVendor = true;
# Build errors in mdbx when format hardening is enabled:
@ -29,7 +29,7 @@ buildGoModule rec {
"cmd/rlpdump"
];
passthru.updateScript = ./update.sh;
passthru.updateScript = nix-update-script { };
meta = with lib; {
homepage = "https://github.com/ledgerwatch/erigon/";

5
pkgs/applications/blockchains/erigon/pin.json
View File

@ -1,5 +0,0 @@
{
"version": "2.31.0",
"sha256": "sha256-+qVfujPKy/HAkMOJQdHI3G1pBoYG2Lhm5BKHrvf3lv0=",
"vendorSha256": "sha256-XTGbwMEuLBEXP/QAR8RLRPrbvz2ReCLg4tCogbqHiHg="
}

33
pkgs/applications/blockchains/erigon/update.sh
View File

@ -1,33 +0,0 @@
#!/usr/bin/env nix-shell
#! nix-shell -i oil -p jq sd nix-prefetch-github ripgrep
# TODO set to `verbose` or `extdebug` once implemented in oil
shopt --set xtrace
# we need failures inside of command subs to get the correct vendorSha256
shopt --unset inherit_errexit
const directory = $(dirname $0 | xargs realpath)
const owner = "ledgerwatch"
const repo = "erigon"
const latest_rev = $(curl -q https://api.github.com/repos/${owner}/${repo}/releases/latest | \
jq -r '.tag_name')
const latest_version = $(echo $latest_rev | sd 'v' '')
const current_version = $(jq -r '.version' $directory/pin.json)
if ("$latest_version" === "$current_version") {
echo "$repo is already up-to-date"
return 0
} else {
const tarball_meta = $(nix-prefetch-github $owner $repo --rev "$latest_rev" --fetch-submodules)
const tarball_hash = "sha256-$(echo $tarball_meta | jq -r '.sha256')"
jq ".version = \"$latest_version\" | \
.\"sha256\" = \"$tarball_hash\" | \
.\"vendorSha256\" = \"\"" $directory/pin.json | sponge $directory/pin.json
const new_vendor_sha256 = $(nix-build -A erigon 2>&1 | \
tail -n 2 | \
head -n 1 | \
sd '\s+got:\s+' '')
jq ".vendorSha256 = \"$new_vendor_sha256\"" $directory/pin.json | sponge $directory/pin.json
}

4
pkgs/applications/blockchains/haven-cli/default.nix
View File

@ -10,13 +10,13 @@
stdenv.mkDerivation rec {
pname = "haven-cli";
version = "3.0.0";
version = "3.0.3";
src = fetchFromGitHub {
owner = "haven-protocol-org";
repo = "haven-main";
rev = "v${version}";
sha256 = "sha256-ZQiSh1pB0njIAyJFPIsgoqNuhvMGRJ2NIZaUoB1fN3E=";
sha256 = "sha256-JbNk1TF0N3tRYGfZfSBFk+t/8GA4yjqP9G6S0ktdur8=";
fetchSubmodules = true;
};

18
pkgs/applications/blockchains/lighthouse/default.nix
View File

@ -14,11 +14,12 @@
, stdenv
, testers
, unzip
, nix-update-script
}:
rustPlatform.buildRustPackage rec {
pname = "lighthouse";
version = "3.3.0";
version = "3.4.0";
# lighthouse/common/deposit_contract/build.rs
depositContractSpecVersion = "0.12.1";
@ -28,10 +29,10 @@ rustPlatform.buildRustPackage rec {
owner = "sigp";
repo = "lighthouse";
rev = "v${version}";
hash = "sha256-py64CWY3k5Z2mm9WduJ4Fh7lQ8b3sF6iIFsYYjndU5I=";
hash = "sha256-4auiM5+kj/HjZKu2YP7JEnwDNxHuL39XCfmV/dc5jLE=";
};
cargoHash = "sha256-0gWTniLkhuPpgdUkE6gpF9uHYT6BeWWgH6Mu7KpFx9w=";
cargoHash = "sha256-ihfGwdxL7Ttw86dhaVBp5meb0caXjzgbbP27Io8zv/c=";
buildFeatures = [ "modern" "gnosis" ];
@ -89,10 +90,13 @@ rustPlatform.buildRustPackage rec {
nodePackages.ganache
];
passthru.tests.version = testers.testVersion {
package = lighthouse;
command = "lighthouse --version";
version = "v${lighthouse.version}";
passthru = {
tests.version = testers.testVersion {
package = lighthouse;
command = "lighthouse --version";
version = "v${lighthouse.version}";
};
updateScript = nix-update-script { };
};
meta = with lib; {

12
pkgs/applications/display-managers/greetd/wlgreet.nix
View File

@ -4,17 +4,17 @@
}:
rustPlatform.buildRustPackage rec {
pname = "wlgreet-unstable";
version = "2022-01-25";
pname = "wlgreet";
version = "0.4.1";
src = fetchFromSourcehut {
owner = "~kennylevinsen";
repo = "wlgreet";
rev = "8517e578cb64a8fb3bd8f8a438cdbe46f208b87c";
sha256 = "0la4xlikw61cxvbkil1d22dgvazi7rs17n5i2z02090fvnfxxzxh";
repo = pname;
rev = version;
hash = "sha256-qfEzr8tAE1+PK7xs1NQ1q6d/GlFA7/kSWXbJDOCrEsw=";
};
cargoSha256 = "651d2bf01612534f1c4b0472c812095a86eb064d16879380c87f684c04fe0d8d";
cargoHash = "sha256-1ugExUtrzqyd9dTlBHcc44UrtEfYrfUryuG79IkTv2Y=";
meta = with lib; {
description = "Raw wayland greeter for greetd, to be run under sway or similar";

2
pkgs/applications/editors/apostrophe/default.nix
View File

@ -7,7 +7,7 @@
let
pythonEnv = pythonPackages.python.withPackages(p: with p; [
regex setuptools python-Levenshtein pyenchant
regex setuptools levenshtein pyenchant
pygobject3 pycairo pypandoc chardet
]);

10
pkgs/applications/editors/jetbrains/default.nix
View File

@ -127,9 +127,9 @@ let
}).overrideAttrs (attrs: {
postFixup = (attrs.postFixup or "") + lib.optionalString stdenv.isLinux ''
interp="$(cat $NIX_CC/nix-support/dynamic-linker)"
patchelf --set-interpreter $interp $out/goland*/plugins/go-plugin/lib/dlv/linux/dlv
patchelf --set-interpreter $interp $out/goland/plugins/go-plugin/lib/dlv/linux/dlv
chmod +x $out/goland*/plugins/go-plugin/lib/dlv/linux/dlv
chmod +x $out/goland/plugins/go-plugin/lib/dlv/linux/dlv
# fortify source breaks build since delve compiles with -O0
wrapProgram $out/bin/goland \
@ -287,12 +287,6 @@ let
'';
maintainers = with maintainers; [ abaldeau ];
};
}).overrideAttrs (attrs: {
postPatch = (attrs.postPatch or "") + optionalString (stdenv.isLinux) ''
# Webstorm tries to use bundled jre if available.
# Lets prevent this for the moment
rm -r jbr
'';
});
in

2
pkgs/applications/editors/jetbrains/linux.nix
View File

@ -46,6 +46,8 @@ with stdenv; lib.makeOverridable mkDerivation (rec {
truncate --size=$size $fname
}
rm -rf jbr
interpreter=$(echo ${stdenv.cc.libc}/lib/ld-linux*.so.2)
if [[ "${stdenv.hostPlatform.system}" == "x86_64-linux" && -e bin/fsnotifier64 ]]; then
target_size=$(get_file_size bin/fsnotifier64)

2
pkgs/applications/editors/jupyter-kernels/octave/default.nix
View File

@ -20,7 +20,7 @@ in
rec {
launcher = runCommand "octave-kernel-launcher" {
inherit octave;
python = python3.withPackages (ps: [ ps.traitlets ps.jupyter_core ps.ipykernel ps.metakernel kernel ]);
python = python3.withPackages (ps: [ ps.traitlets ps.jupyter-core ps.ipykernel ps.metakernel kernel ]);
nativeBuildInputs = [ makeWrapper ];
} ''
mkdir -p $out/bin

4
pkgs/applications/editors/ldtk/default.nix
View File

@ -3,11 +3,11 @@
stdenv.mkDerivation rec {
pname = "ldtk";
version = "1.2.3";
version = "1.2.5";
src = fetchurl {
url = "https://github.com/deepnight/ldtk/releases/download/v${version}/ubuntu-distribution.zip";
sha256 = "sha256-G54PQriKbm1fTqxD3J2O9bD4FBZuwqkfFPV+412nRGA=";
sha256 = "sha256-kx4GOENYYbS09HxAiCCvqm/ztc32sdB39W8uv6D+R+A=";
};
nativeBuildInputs = [ unzip makeWrapper copyDesktopItems appimage-run ];

12
pkgs/applications/editors/vscode/vscodium.nix
View File

@ -15,11 +15,11 @@ let
archive_fmt = if stdenv.isDarwin then "zip" else "tar.gz";
sha256 = {
x86_64-linux = "0xbwx218dzf9nyjf531sb9ij0p8lz08yi09yz8dms07qcsfirac0";
x86_64-darwin = "028i7cbh43ivz5amx015v0d87kh4jj54b3ndirxl57py2gxszy0x";
aarch64-linux = "1rg67sfp3abpcxrl89db6x3a41la63xinl4kjin8v08w5iprrm0n";
aarch64-darwin = "0zm057rvabd29ay88l0h40adrc71p9cjvml34aci58klaqd2if0q";
armv7l-linux = "0amxgq98gifcjr9wfx8ddcjqkb1b6pr5q3dwfdbyynksqqd4hrxv";
x86_64-linux = "0mm6xa0kizgg2f6cql6jk8h83pn89h6q7rrs1kypvj3j0x6ysqsg";
x86_64-darwin = "1g9syvinj2mx292wrnrdn2znqhg17mrjqij0z1ilag5bi4xmzhcj";
aarch64-linux = "0xbq6fla0lxan08jgmsva91cbcv8rhzd7mqixrm1lsqh4h0wpssz";
aarch64-darwin = "1b4a56j256rib1997g9wwiak206axkppl124qg021vyab42x8rim";
armv7l-linux = "0gb96hi854kyh8694j9mbgl78f4y68czkwmjxhzb054l5b4adjla";
}.${system} or throwSystem;
sourceRoot = if stdenv.isDarwin then "" else ".";
@ -29,7 +29,7 @@ in
# Please backport all compatible updates to the stable release.
# This is important for the extension ecosystem.
version = "1.74.2.22355";
version = "1.74.3.23010";
pname = "vscodium";
executableName = "codium";

4
pkgs/applications/emulators/mgba/default.nix
View File

@ -26,13 +26,13 @@ let
in
stdenv.mkDerivation (finalAttrs: {
pname = "mgba";
version = "0.10.0";
version = "0.10.1";
src = fetchFromGitHub {
owner = "mgba-emu";
repo = "mgba";
rev = finalAttrs.version;
hash = "sha256-2thc2v3aD8t1PrREZIjzRuYfP7b3BA7uFb6R95zxsZI=";
hash = "sha256-oWrgYrN7s5tdGJ/GhA2ZaKDVqZq9411fHSoYnLKWDl8=";
};
nativeBuildInputs = [

8
pkgs/applications/emulators/rpcs3/default.nix
View File

@ -9,10 +9,10 @@
let
# Keep these separate so the update script can regex them
rpcs3GitVersion = "14358-a00f9e421";
rpcs3Version = "0.0.25-14358-a00f9e421";
rpcs3Revision = "a00f9e42115527aa9654870f194cf2c64329f2ef";
rpcs3Sha256 = "0avajihbs02nbfqs4kzgckl0v2z4z8h8fgcjs5m4zxvkgj5701nv";
rpcs3GitVersion = "14568-1852b370d";
rpcs3Version = "0.0.26-14568-1852b370d";
rpcs3Revision = "1852b370d7a8310de092ca4132464c84192671cb";
rpcs3Sha256 = "0yqvn5w9b4lxb43lllqch0s1sdj5v274hhbysgblbc7nilzcgsq6";
ittapi = fetchFromGitHub {
owner = "intel";

6
pkgs/applications/graphics/oculante/default.nix
View File

@ -18,16 +18,16 @@
rustPlatform.buildRustPackage rec {
pname = "oculante";
version = "0.6.39";
version = "0.6.41";
src = fetchFromGitHub {
owner = "woelper";
repo = pname;
rev = version;
sha256 = "sha256-5onRdxfI5RPa2/Ou9pH84u83Dg79+eMIIYhcEnZrP8A=";
sha256 = "sha256-2pXfdR5KUD6IUasxyUptxLSLDcvJtwJwOmhHD3I7op8=";
};
cargoHash = "sha256-Mf2WuTctF0a6YNquntTizRxwq6aqTTnr8QRS/BBVqCo=";
cargoHash = "sha256-F/NKTsDRfoueVrwlq/RkBR6wNn79NiuT2InAR+XPbqw=";
nativeBuildInputs = [
cmake

1
pkgs/applications/misc/adobe-reader/builder.sh
View File

@ -1,3 +1,4 @@
if [ -e .attrs.sh ]; then source .attrs.sh; fi
source $stdenv/setup
echo "unpacking $src..."

31
pkgs/applications/misc/cotp/default.nix Normal file
View File

@ -0,0 +1,31 @@
{ lib
, stdenv
, rustPlatform
, fetchFromGitHub
, AppKit
, libxcb
}:
rustPlatform.buildRustPackage rec {
name = "cotp";
version = "1.1.0";
src = fetchFromGitHub {
owner = "replydev";
repo = "cotp";
rev = "v${version}";
hash = "sha256-SbS+ch7/45kZb49jW2mnRWQruLrfrNfeZFqEPHQKGUg=";
};
cargoHash = "sha256-2lIR3K4/hr4XSmNGFd/dhwoFOtEB9KSnUrZkcaCyc9k=";
buildInputs = lib.optionals stdenv.isLinux [ libxcb ]
++ lib.optionals stdenv.isDarwin [ AppKit ];
meta = with lib; {
homepage = "https://github.com/replydev/cotp";
description = "Trustworthy, encrypted, command-line TOTP/HOTP authenticator app with import functionality";
license = licenses.gpl3Only;
maintainers = with maintainers; [ davsanchez ];
};
}

4
pkgs/applications/misc/fetchmail/default.nix
View File

@ -2,11 +2,11 @@
stdenv.mkDerivation rec {
pname = "fetchmail";
version = "6.4.34";
version = "6.4.35";
src = fetchurl {
url = "mirror://sourceforge/fetchmail/fetchmail-${version}.tar.xz";
sha256 = "sha256-w73e0bXOI2lgvRzu7j8yVyIO2Zw+7ISl12u1YY4yWNQ=";
sha256 = "sha256-ewtWy8D8qFRQTxZ3lfq1MtWlTVp9O24+NqM/NKCWCgE=";
};
buildInputs = [ openssl python3 ];

2
pkgs/applications/misc/oneko/default.nix
View File

@ -35,7 +35,5 @@ stdenv.mkDerivation rec {
license = with licenses; [ publicDomain ];
maintainers = with maintainers; [ xaverdh irenes ];
platforms = platforms.unix;
# never built on aarch64-darwin since first introduction in nixpkgs
broken = stdenv.isDarwin && stdenv.isAarch64;
};
}

5
pkgs/applications/misc/streamdeck-ui/default.nix
View File

@ -26,6 +26,11 @@ python3Packages.buildPythonApplication rec {
url = "https://github.com/timothycrosley/streamdeck-ui/commit/e271656c1f47b1619d1b942e2ebb01ab2d6a68a9.patch";
hash = "sha256-wqYwX6eSqMnW6OG7wSprD62Dz818ayFduVrqW9E/ays=";
})
(fetchpatch {
name = "update-python-xlib-0.33.patch";
url = "https://github.com/timothycrosley/streamdeck-ui/commit/07d7fdd33085b413dd26b02d8a02820edad2d568.patch";
hash = "sha256-PylTrbfB8RJ0+kbgJlRdcvfdahGoob8LabwhuFNsUpY=";
})
];
desktopItems = [ (makeDesktopItem {

2
pkgs/applications/misc/ulauncher/default.nix
View File

@ -55,7 +55,7 @@ python3Packages.buildPythonApplication rec {
dbus-python
pygobject3
pyinotify
python-Levenshtein
levenshtein
pyxdg
pycairo
requests

24
pkgs/applications/misc/warpd/default.nix
View File

@ -2,35 +2,29 @@
, stdenv
, fetchFromGitHub
, git
, libXi
, libXinerama
, libXft
, libXfixes
, libXtst
, libX11
, libXext
, waylandSupport ? false, cairo, libxkbcommon, wayland
, withWayland ? true, cairo, libxkbcommon, wayland
, withX ? true, libXi, libXinerama, libXft, libXfixes, libXtst, libX11, libXext
}:
stdenv.mkDerivation rec {
pname = "warpd";
version = "1.3.4";
version = "1.3.5";
src = fetchFromGitHub {
owner = "rvaiya";
repo = "warpd";
rev = "v${version}";
sha256 = "sha256-aNv2/+tREvKlpTAsbvmFxkXzONNt73/061i4E3fPFBM=";
hash = "sha256-5B3Ec+R1vF2iI0ennYcsRlnFXJkSns0jVbyAWJA4lTU=";
leaveDotGit = true;
};
nativeBuildInputs = [ git ];
buildInputs = if waylandSupport then [
buildInputs = lib.optionals withWayland [
cairo
libxkbcommon
wayland
] else [
] ++ lib.optionals withX [
libXi
libXinerama
libXft
@ -40,10 +34,12 @@ stdenv.mkDerivation rec {
libXext
];
makeFlags = [ "PREFIX=$(out)" ] ++ lib.optionals waylandSupport [ "PLATFORM=wayland" ];
makeFlags = [ "PREFIX=$(out)" ]
++ lib.optional (!withWayland) "DISABLE_WAYLAND=y"
++ lib.optional (!withX) "DISABLE_X=y";
postPatch = ''
substituteInPlace Makefile \
substituteInPlace mk/linux.mk \
--replace '-m644' '-Dm644' \
--replace '-m755' '-Dm755' \
--replace 'warpd.1.gz $(DESTDIR)' 'warpd.1.gz -t $(DESTDIR)' \

13
pkgs/applications/misc/waybar/default.nix
View File

@ -20,6 +20,7 @@
, inputSupport ? true, libinput
, jackSupport ? true, libjack2
, mpdSupport ? true, libmpdclient
, mprisSupport ? stdenv.isLinux, playerctl ? false
, nlSupport ? true, libnl
, pulseSupport ? true, libpulseaudio
, rfkillSupport ? true
@ -30,18 +31,18 @@
, udevSupport ? true, udev
, upowerSupport ? true, upower
, wireplumberSupport ? true, wireplumber
, withMediaPlayer ? false, glib, gobject-introspection, python3, playerctl
, withMediaPlayer ? mprisSupport && false, glib, gobject-introspection, python3
}:
stdenv.mkDerivation rec {
pname = "waybar";
version = "0.9.16";
version = "0.9.17";
src = fetchFromGitHub {
owner = "Alexays";
repo = "Waybar";
rev = version;
sha256 = "sha256-hcU0ijWIN7TtIPkURVmAh0kanQWkBUa22nubj7rSfBs=";
hash = "sha256-sdNenmzI/yvN9w4Z83ojDJi+2QBx2hxhJQCFkc5kCZw=";
};
nativeBuildInputs = [
@ -53,6 +54,7 @@ stdenv.mkDerivation rec {
playerctl
python3.pkgs.pygobject3
];
strictDeps = false;
buildInputs = with lib;
@ -62,6 +64,7 @@ stdenv.mkDerivation rec {
++ optional inputSupport libinput
++ optional jackSupport libjack2
++ optional mpdSupport libmpdclient
++ optional mprisSupport playerctl
++ optional nlSupport libnl
++ optional pulseSupport libpulseaudio
++ optional sndioSupport sndio
@ -83,6 +86,7 @@ stdenv.mkDerivation rec {
libnl = nlSupport;
libudev = udevSupport;
mpd = mpdSupport;
mpris = mprisSupport;
pulseaudio = pulseSupport;
rfkill = rfkillSupport;
sndio = sndioSupport;
@ -104,9 +108,10 @@ stdenv.mkDerivation rec {
'';
meta = with lib; {
changelog = "https://github.com/alexays/waybar/releases/tag/${version}";
description = "Highly customizable Wayland bar for Sway and Wlroots based compositors";
license = licenses.mit;
maintainers = with maintainers; [ FlorianFranzen minijackson synthetica lovesegfault ];
maintainers = with maintainers; [ FlorianFranzen minijackson synthetica lovesegfault rodrgz ];
platforms = platforms.unix;
homepage = "https://github.com/alexays/waybar";
};

4
pkgs/applications/networking/cluster/argocd-autopilot/default.nix
View File

@ -2,13 +2,13 @@
buildGoModule rec {
pname = "argocd-autopilot";
version = "0.4.9";
version = "0.4.10";
src = fetchFromGitHub {
owner = "argoproj-labs";
repo = "argocd-autopilot";
rev = "v${version}";
sha256 = "sha256-PHs6shuj2wHvlP6n05RPJjMY6wtJ1PbD6t0DxYrJpXE=";
sha256 = "sha256-DUWJDWqB+jyp3/2/eFP1ss2grNtrvUuvGWK0FYTXObc=";
};
vendorHash = "sha256-4ylOLnpvz/aQIoxVz2z69Rq/x2UG91yMmtSHyquvNq0=";

6
pkgs/applications/networking/cluster/argocd/default.nix
View File

@ -2,17 +2,17 @@
buildGoModule rec {
pname = "argocd";
version = "2.5.5";
version = "2.5.6";
src = fetchFromGitHub {
owner = "argoproj";
repo = "argo-cd";
rev = "v${version}";
sha256 = "sha256-u9VOkUaKQAdlXhCUUONBws4rW6PvxFSNXbit7gi6/P0=";
sha256 = "sha256-R00HW4jh6zohMoli9aomPCK/svzWSUi9fcRFvevMhyU=";
};
proxyVendor = true; # darwin/linux hash mismatch
vendorSha256 = "sha256-F5EY1/WWRPBN5fqp2J2mdpIzL1gNKR0ltzSdarT6dFw=";
vendorHash = "sha256-F5EY1/WWRPBN5fqp2J2mdpIzL1gNKR0ltzSdarT6dFw=";
# Set target as ./cmd per cli-local
# https://github.com/argoproj/argo-cd/blob/master/Makefile#L227

2
pkgs/applications/networking/cluster/nomad-autoscaler/default.nix
View File

@ -45,7 +45,7 @@ let
mv bin/nomad-autoscaler $bin/bin
ln -s $bin/bin/nomad-autoscaler $out/bin/nomad-autoscaler
for d in $outputs; do
for d in $(getAllOutputNames); do
mkdir -p ''${!d}/share
done
rmdir $bin/share

6
pkgs/applications/networking/cluster/talosctl/default.nix
View File

@ -2,16 +2,16 @@
buildGoModule rec {
pname = "talosctl";
version = "1.3.1";
version = "1.3.2";
src = fetchFromGitHub {
owner = "siderolabs";
repo = "talos";
rev = "v${version}";
sha256 = "sha256-K5eslPo4Ou/JJoZGASJsZ331Nyc14Dva+cead3ngw0U=";
hash = "sha256-o037LemAZhsHVIfAU0yVoNNbJ6g8ehlA4lFLN78Q8dY=";
};
vendorSha256 = "sha256-N+sFJtC+9VCt3GJoAbRsNl7vCXiFFlewsIkwTdleUhk=";
vendorHash = "sha256-HPuVDfVxbHbNaCRg/D4VeW0finbFB4eageiAzoax1wk=";
ldflags = [ "-s" "-w" ];

24
pkgs/applications/networking/cluster/terraform-providers/providers.json
View File

@ -112,13 +112,13 @@
"vendorHash": null
},
"aws": {
"hash": "sha256-73g1/5JJ9OJ4LtImxIRQ+kwjT/vTyolFUScAcitZ+G4=",
"hash": "sha256-1ez/xzbFviTavUDfkCdI+s/r/NmaIMx+G8fiCTPAm9o=",
"homepage": "https://registry.terraform.io/providers/hashicorp/aws",
"owner": "hashicorp",
"repo": "terraform-provider-aws",
"rev": "v4.49.0",
"rev": "v4.50.0",
"spdx": "MPL-2.0",
"vendorHash": "sha256-L4EoUqkA5/nAs65G+mvXfFt/FzrCN/BmJoFSCP4PC7Q="
"vendorHash": "sha256-OhBrq6zHGBQYTXOxGih0O1udv9Rb1vcRBqD/zomKHww="
},
"azuread": {
"hash": "sha256-N+ty5O7sJbCp/rdQrwytOHzPFkaIvT5+1pOcoBQF1aw=",
@ -130,11 +130,11 @@
"vendorHash": null
},
"azurerm": {
"hash": "sha256-yCjfZruli5cIengL9f6ORsDWTY1BXwMr9g2Ohw+Q1Pc=",
"hash": "sha256-gWB1pZSv/lv5ZedPQIbcis5QA3g8JTIFeADh+Qte/rk=",
"homepage": "https://registry.terraform.io/providers/hashicorp/azurerm",
"owner": "hashicorp",
"repo": "terraform-provider-azurerm",
"rev": "v3.39.0",
"rev": "v3.39.1",
"spdx": "MPL-2.0",
"vendorHash": null
},
@ -340,11 +340,11 @@
"vendorHash": "sha256-z0vos/tZDUClK/s2yrXZG2RU8QgA8IM6bJj6jSdCnBk="
},
"docker": {
"hash": "sha256-70nwqQOMncOOeX/ulrzBqTAqQyHELwM1V8/ZC+jUyXE=",
"hash": "sha256-M2K4N39vtVDA/vMp/s2KYiS/uoE+STf2e6yh6q0CS28=",
"homepage": "https://registry.terraform.io/providers/kreuzwerker/docker",
"owner": "kreuzwerker",
"repo": "terraform-provider-docker",
"rev": "v2.25.0",
"rev": "v3.0.1",
"spdx": "MPL-2.0",
"vendorHash": "sha256-OdZQb81d7N1TdbDWEImq2U3kLkCPdhRk38+8T8fu+F4="
},
@ -395,13 +395,13 @@
"vendorHash": null
},
"flexibleengine": {
"hash": "sha256-ie7GbJxkB3wekGqA+S9wBWwRDAYK0RIzbFSG+VmTSjw=",
"hash": "sha256-uT8BmACMMJKVPAhL/7rudCXG9AOb4kS1Lswr5ZxY6M4=",
"homepage": "https://registry.terraform.io/providers/FlexibleEngineCloud/flexibleengine",
"owner": "FlexibleEngineCloud",
"repo": "terraform-provider-flexibleengine",
"rev": "v1.35.1",
"rev": "v1.36.0",
"spdx": "MPL-2.0",
"vendorHash": "sha256-Q9xbrRhrq75yzjSK/LTP47xA9uP7PNBsEjTx3oNEwRY="
"vendorHash": "sha256-obBN7Q/gKbvERJIUVz+GgPjn7/OKjXCiFI6WuOd0hic="
},
"fortios": {
"deleteVendor": true,
@ -1095,11 +1095,11 @@
"vendorHash": "sha256-2wPmLpjhG6QgG+BUCO0oIzHjBOWIOYuptgdtSIm9TZw="
},
"tencentcloud": {
"hash": "sha256-jCtTe1Wi9gvNd1IP+3kYlPYVBT45UkdjlhmNLhEgA10=",
"hash": "sha256-CLXW1takpsySUo8lpDe6DzRFczts1zRriHZge5uCb3A=",
"homepage": "https://registry.terraform.io/providers/tencentcloudstack/tencentcloud",
"owner": "tencentcloudstack",
"repo": "terraform-provider-tencentcloud",
"rev": "v1.79.5",
"rev": "v1.79.6",
"spdx": "MPL-2.0",
"vendorHash": null
},

6
pkgs/applications/networking/coreth/default.nix
View File

@ -6,19 +6,19 @@
buildGoModule rec {
pname = "coreth";
version = "0.11.5";
version = "0.11.6";
src = fetchFromGitHub {
owner = "ava-labs";
repo = pname;
rev = "v${version}";
hash = "sha256-tXwcwMNSrjgQOXcEIucEZjpmPL0cvgYPOV4CMU51Bz8=";
hash = "sha256-Me+kmEfvSJs8EPU4D7MwkEyHQuvDmQCSIATxygXws5o=";
};
# go mod vendor has a bug, see: golang/go#57529
proxyVendor = true;
vendorHash = "sha256-Wd0m/Bcbn3so0mh83tTfebfOBn51MiAxF3Azmu6ZA0o=";
vendorHash = "sha256-jI01tdAVdJOj/ocpwCiaANdyYKSLw00bV7ZtU7HvslA=";
ldflags = [
"-s"

2
pkgs/applications/networking/instant-messengers/qq/default.nix
View File

@ -49,6 +49,7 @@ stdenv.mkDerivation {
alsa-lib
at-spi2-core
cups
gtk3
libdrm
libgcrypt
libkrb5
@ -58,7 +59,6 @@ stdenv.mkDerivation {
];
runtimeDependencies = [
gtk3
(lib.getLib systemd)
];

3
pkgs/applications/networking/instant-messengers/teams-for-linux/default.nix
View File

@ -9,6 +9,8 @@
, nodejs
, fetchYarnDeps
, electron
, libpulseaudio
, pipewire
}:
stdenv.mkDerivation rec {
@ -66,6 +68,7 @@ stdenv.mkDerivation rec {
popd
makeWrapper '${electron}/bin/electron' "$out/bin/teams-for-linux" \
--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ libpulseaudio pipewire ]} \
--add-flags "$out/share/teams-for-linux/app.asar" \
--add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}"

1
pkgs/applications/office/libreoffice/download-list-builder.sh
View File

@ -1,3 +1,4 @@
if [ -e .attrs.sh ]; then source .attrs.sh; fi
source $stdenv/setup
tar --extract --file=$src libreoffice-$version/download.lst -O > $out

2
pkgs/applications/office/paperless-ngx/default.nix
View File

@ -155,7 +155,7 @@ python.pkgs.pythonPackages.buildPythonApplication rec {
python-dateutil
python-dotenv
python-gnupg
python-Levenshtein
levenshtein
python-magic
pytz
pyyaml

4
pkgs/applications/office/paperwork/paperwork-backend.nix
View File

@ -7,7 +7,7 @@
, pycountry
, whoosh
, termcolor
, python-Levenshtein
, levenshtein
, pygobject3
, pyocr
, natsort
@ -55,7 +55,7 @@ buildPythonPackage rec {
pygobject3
pyocr
pypillowfight
python-Levenshtein
levenshtein
poppler_gi
scikit-learn
termcolor

1
pkgs/applications/plasma-mobile/default.nix
View File

@ -79,6 +79,7 @@ let
plasma-settings = callPackage ./plasma-settings.nix {};
plasmatube = callPackage ./plasmatube {};
spacebar = callPackage ./spacebar.nix { inherit srcs; };
tokodon = callPackage ./tokodon.nix {};
};
in lib.makeScope libsForQt5.newScope packages

78
pkgs/applications/plasma-mobile/tokodon.nix Normal file
View File

@ -0,0 +1,78 @@
{ lib
, mkDerivation
, cmake
, extra-cmake-modules
, pkg-config
, kconfig
, kdbusaddons
, ki18n
, kirigami2
, kirigami-addons
, knotifications
, libwebsockets
, qqc2-desktop-style
, qtbase
, qtkeychain
, qtmultimedia
, qtquickcontrols2
, qttools
, qtwebsockets
, kitemmodels
, pimcommon
# Workarounds for the point release being missing.
, libsForQt5
, fetchFromGitLab
}:
# NOTE: we cannot use `mkDerivation` injected by the Plasma Mobile package
# set for the point release, as the point release was not uploaded to
# the Plasma Mobile gear repo, and the injected `mkDerivation` only can
# use the src (and version) from the `srcs` set.
libsForQt5.mkDerivation rec {
pname = "tokodon";
version = "22.11.2";
# NOTE: the tokodon point release was not uploaded to the Plasma Mobile gear repo.
src = fetchFromGitLab {
domain = "invent.kde.org";
owner = "network";
repo = pname;
rev = "v${version}";
hash = "sha256-uE9iHZDfpn1NTCeJPgsp2WBe0curdguTUbMTrkrmJ6M=";
};
nativeBuildInputs = [
cmake
extra-cmake-modules
pkg-config
];
buildInputs = [
kconfig
kdbusaddons
ki18n
kirigami2
kirigami-addons
knotifications
qqc2-desktop-style
qtbase
qtkeychain
qtmultimedia
qtquickcontrols2
qttools
qtwebsockets
kitemmodels
pimcommon
];
meta = with lib; {
description = "A Mastodon client for Plasma and Plasma Mobile";
homepage = "https://invent.kde.org/network/tokodon";
license = licenses.gpl3Plus;
platforms = platforms.unix;
maintainers = with maintainers; [ matthiasbeyer ];
};
}

2
pkgs/applications/science/astronomy/xearth/default.nix
View File

@ -26,8 +26,6 @@ stdenv.mkDerivation rec {
maintainers = [ maintainers.mafo ];
license = "xearth";
platforms=platforms.unix;
# never built on aarch64-darwin since first introduction in nixpkgs
broken = stdenv.isDarwin && stdenv.isAarch64;
};
}

2
pkgs/applications/science/biology/truvari/default.nix
View File

@ -21,7 +21,7 @@ python3Packages.buildPythonApplication rec {
propagatedBuildInputs = with python3Packages; [
pyvcf
python-Levenshtein
levenshtein
progressbar2
pysam
pyfaidx

4
pkgs/applications/science/math/sage/sagelib.nix
View File

@ -49,7 +49,7 @@
, boost
, singular
, pip
, jupyter_core
, jupyter-core
, sage-setup
, libhomfly
, libbraiding
@ -87,7 +87,7 @@ buildPythonPackage rec {
nativeBuildInputs = [
iml
perl
jupyter_core
jupyter-core
pkg-config
sage-setup
pip # needed to query installed packages

4
pkgs/applications/science/networking/sumo/default.nix
View File

@ -1,7 +1,7 @@
{ lib, bzip2, cmake, eigen, fetchFromGitHub, ffmpeg, fox_1_6, gdal,
git, gl2ps, gpp , gtest, jdk, libGL, libGLU, libX11, libjpeg,
libpng, libtiff, libxcrypt, openscenegraph , proj, python3,
python37Packages, stdenv, swig, xercesc, xorg, zlib }:
python3Packages, stdenv, swig, xercesc, xorg, zlib }:
stdenv.mkDerivation rec {
pname = "sumo";
@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
libxcrypt
openscenegraph
proj
python37Packages.setuptools
python3Packages.setuptools
xercesc
zlib
python3

2
pkgs/applications/terminal-emulators/alacritty/default.nix
View File

@ -60,6 +60,8 @@ rustPlatform.buildRustPackage rec {
cargoSha256 = "sha256-t6ckX0PYI8UHfXhGRpcX8ly3DzE9A6i9P6f3Ny3DBzw=";
auditable = true; # TODO: remove when this is the default
nativeBuildInputs = [
cmake
installShellFiles

15
pkgs/applications/version-management/commitizen/default.nix
View File

@ -7,6 +7,7 @@
, lib
, packaging
, poetry-core
, py
, pytest-freezegun
, pytest-mock
, pytest-regressions
@ -18,17 +19,18 @@
, typing-extensions
, argcomplete
, nix-update-script
, pre-commit
}:
buildPythonApplication rec {
pname = "commitizen";
version = "2.37.0";
version = "2.38.0";
src = fetchFromGitHub {
owner = "commitizen-tools";
repo = pname;
rev = "v${version}";
hash = "sha256-wo1I6QDWLxByHISmkPdass+BcKh0oxR5hD31UN/5+WQ=";
hash = "sha256-W+k+hqH0TKQAXf1Em6A1/VdqzJkhYp99I3lbqH6iDDc=";
deepClone = true;
};
@ -36,6 +38,11 @@ buildPythonApplication rec {
nativeBuildInputs = [ poetry-core ];
postPatch = ''
substituteInPlace pyproject.toml \
--replace 'charset-normalizer = "^2.1.0"' 'charset-normalizer = "*"'
'';
propagatedBuildInputs = [
termcolor
questionary
@ -52,6 +59,8 @@ buildPythonApplication rec {
doCheck = true;
checkInputs = [
pre-commit
py
pytestCheckHook
pytest-freezegun
pytest-mock
@ -79,6 +88,8 @@ buildPythonApplication rec {
"test_bump_pre_commit_changelog"
"test_bump_pre_commit_changelog_fails_always"
"test_get_commits_with_signature"
# fatal: not a git repository (or any of the parent directories): .git
"test_commitizen_debug_excepthook"
];
passthru.updateScript = nix-update-script { };

6
pkgs/applications/version-management/git-cliff/default.nix
View File

@ -7,16 +7,16 @@
rustPlatform.buildRustPackage rec {
pname = "git-cliff";
version = "1.1.0";
version = "1.1.1";
src = fetchFromGitHub {
owner = "orhun";
repo = "git-cliff";
rev = "v${version}";
hash = "sha256-WpLg9kBJnEEzWIx3dJN++Np1jUkYnFGlgCrUdvz2/3w=";
hash = "sha256-GCHwpOfjti9PETy3cHFHBFBot6YcSSFTBCd3zEtpP3U=";
};
cargoHash = "sha256-UN5X+rvL7nsFkIj+XZSdZ/qmHlkVVJy1BA2zSVQxqPw=";
cargoHash = "sha256-76HWkfct9weA64yvY5G/l96mjNpuKjPYHFZ5Ctz43Us=";
# attempts to run the program on .git in src which is not deterministic
doCheck = false;

6
pkgs/applications/version-management/git-credential-1password/default.nix
View File

@ -2,16 +2,16 @@
buildGoModule rec {
pname = "git-credential-1password";
version = "1.2.0";
version = "1.2.1";
src = fetchFromGitHub {
owner = "develerik";
repo = pname;
rev = "v${version}";
sha256 = "sha256-Bz/EW+K4XtDap3cu3/+9nJePcdxMXakj8HDPsbCx1FU=";
sha256 = "sha256-8qdUOJ0MOk/xVvp3kDuxNRo3lMEJhLeI3Fle0tuZez0=";
};
vendorSha256 = "sha256-cPHA6rVUQg41sS79UBFf85OfLn53C8/OZVGT5xVdBdw=";
vendorHash = "sha256-B6BlVnUX4XLT+9EpL63Ht4S8Wo84RsmY99CL+srQfpw=";
meta = with lib; {
description = "A git credential helper for 1Password";

6
pkgs/applications/version-management/git/default.nix
View File

@ -12,7 +12,7 @@
, withManual ? true
, pythonSupport ? true
, withpcre2 ? true
, sendEmailSupport ? false
, sendEmailSupport ? perlSupport
, Security, CoreServices
, nixosTests
, withLibsecret ? false
@ -28,7 +28,7 @@ assert sendEmailSupport -> perlSupport;
assert svnSupport -> perlSupport;
let
version = "2.38.1";
version = "2.39.0";
svn = subversionClient.override { perlBindings = perlSupport; };
gitwebPerlLibs = with perlPackages; [ CGI HTMLParser CGIFast FCGI FCGIProcManager HTMLTagCloud ];
in
@ -41,7 +41,7 @@ stdenv.mkDerivation (finalAttrs: {
src = fetchurl {
url = "https://www.kernel.org/pub/software/scm/git/git-${version}.tar.xz";
sha256 = "sha256-l9346liiueD7wlCOJFAoynWRG9ONFVFhaxSMGqV0Ctk=";
sha256 = "sha256-uhmbE/tamco97JF7C9c2vA61qd+Hc31DXt398Q1pJls=";
};
outputs = [ "out" ] ++ lib.optional withManual "doc";

7
pkgs/applications/version-management/glitter/default.nix
View File

@ -1,4 +1,4 @@
{ lib, rustPlatform, fetchFromGitHub }:
{ lib, rustPlatform, fetchFromGitHub, git }:
rustPlatform.buildRustPackage rec {
pname = "glitter";
@ -13,6 +13,10 @@ rustPlatform.buildRustPackage rec {
cargoSha256 = "sha256-GQ7Bns+FPj4jl2dBXnMrmcKIYcZTLZc1WvaHgKGj/gU=";
checkInputs = [
git
];
# tests require it to be in a git repository
preCheck = ''
git init
@ -24,6 +28,7 @@ rustPlatform.buildRustPackage rec {
meta = with lib; {
description = "A git wrapper that allows you to compress multiple commands into one";
homepage = "https://github.com/milo123459/glitter";
changelog = "https://github.com/Milo123459/glitter/releases/tag/v${version}";
license = licenses.mit;
maintainers = with maintainers; [ figsoda ];
};

952
pkgs/applications/version-management/sapling/Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

12
pkgs/applications/version-management/sapling/default.nix
View File

@ -43,7 +43,7 @@ let
owner = "facebook";
repo = "sapling";
rev = version;
hash = "sha256-IzbUaFrsSMojhsbpnRj1XLkhO9V2zYdmmZls4mtZquw=";
hash = "sha256-zlvb+qn9SSBPZmlF8KwKTWyKj94FGOafSMRMNLsccOU";
};
addonsSrc = "${src}/addons";
@ -51,7 +51,7 @@ let
# Fetches the Yarn modules in Nix to to be used as an offline cache
yarnOfflineCache = fetchYarnDeps {
yarnLock = "${addonsSrc}/yarn.lock";
sha256 = "sha256-B61T0ReZPRfrRjBC3iHLVkVYiifhzOXlaG1YL6rgmj4=";
sha256 = "sha256-+29WAgSXVciHhLMN04yfKiWCpjM3Vo54nUdTP6owSLs";
};
# Builds the NodeJS server that runs with `sl web`
@ -104,12 +104,12 @@ let
cargoDeps = rustPlatform.importCargoLock {
lockFile = ./Cargo.lock;
outputHashes = {
"cloned-0.1.0" = "sha256-c3CPWVjOk+VKBLD6WuaYZvBoKi5PwgXmiwxKoCk0bsI=";
"cloned-0.1.0" = "sha256-DYQTK722wgeDUJtOVXHLt42G6gpe6A62rET+JH+bPKU=";
"deltae-0.3.0" = "sha256-a9Skaqs+tVTw8x83jga+INBr+TdaMmo35Bf2wbfR6zs=";
"fb303_core-0.0.0" = "sha256-yoKKSBwqufFayLef2rRpX5oV1j8fL/kRkXBXIC++d7Q=";
"fbthrift-0.0.1+unstable" = "sha256-jtsDE5U/OavDUXRAE1N8/nujSPrWltImsFLzHaxfeM0=";
"fb303_core-0.0.0" = "sha256-YEFNTYvtgp8nc/1O7AbdyxCD3Xx2xCjbS17fTTEsUL0=";
"fbthrift-0.0.1+unstable" = "sha256-mDoYhXOzQIDqP7XdmiBbmq5VmAKAgggTNH/kW2kHv4k=";
"reqwest-0.11.11" = "sha256-uhc8XhkGW22XDNo0qreWdXeFF2cslOOZHfTRQ30IBcE=";
"serde_bser-0.3.1" = "sha256-KCAC+rbczroZn/oKYTVpAPJl40yMrszt/PGol+JStDU=";
"serde_bser-0.3.1" = "sha256-/zn1NfXWytXvnalkgPsg9BdujVV97PGkXwmPtQGVeCc=";
};
};
postPatch = ''

8
pkgs/applications/version-management/sapling/deps.json generated
View File

@ -69,10 +69,10 @@
"url": "https://files.pythonhosted.org/packages/fc/56/9f67dcd4a4b9960373173a31be1b8c47fe351a1c9385677a7bdd82810e57/ipdb-0.13.9.tar.gz"
},
{
"sha256": "04m31z011arz2b70rwwkhvzkb9d4yxcfbxpw27d6fa3n79a7sdxg",
"url": "https://files.pythonhosted.org/packages/bc/fa/8604d92ef753e0036d807f1b3179813ab2fa283e3b19c926e11673c8205b/Cython-0.29.26.tar.gz"
"sha256": "1xqsihpqnfal29nb5kmw8z71nd4jbsnbz7p3lkr094xpb13wycw7",
"url": "https://files.pythonhosted.org/packages/4c/76/1e41fbb365ad20b6efab2e61b0f4751518444c953b390f9b2d36cf97eea0/Cython-0.29.32.tar.gz"
}
],
"version": "0.1.20221118-210929-cfbb68aa",
"versionHash": "5535144625961033752"
"version": "0.2.20221222-152408-ha6a66d09",
"versionHash": "14601963598499040874"
}

4
pkgs/applications/video/catt/default.nix
View File

@ -13,7 +13,7 @@ let
owner = "jstasiak";
repo = "python-zeroconf";
rev = version;
sha256 = "158dqay74zvnz6kmpvip4ml0kw59nf2aaajwgaamx0zc8ci1p5pj";
hash = "sha256-8pYbIkPsg16VelwqpYSzqfAJaCU37lun+XZ/crzCDZU=";
};
});
@ -29,7 +29,7 @@ let
version = "9.2.0";
src = oldAttrs.src.override {
inherit version;
sha256 = "02ig2wf2yyrnnl88r2n13s1naskwsifwgx3syifmcxygflsmjd3d";
hash = "sha256-bTRZNXXPd1Zd9Hr0x13UfGplgx7BiowQtTZ7LxwXLwo=";
};
});
};

13
pkgs/applications/video/dvdstyler/default.nix
View File

@ -17,7 +17,7 @@
, libjpeg
, pkg-config
, wrapGAppsHook
, wxGTK30 # crash with wxGTK30 with GTK2 compat
, wxGTK32
, wxSVG
, xine-ui
, xmlto
@ -33,13 +33,18 @@ let
inherit (lib) optionals makeBinPath;
in stdenv.mkDerivation rec {
pname = "dvdstyler";
version = "3.1.2";
version = "3.2.1";
src = fetchurl {
url = "mirror://sourceforge/project/dvdstyler/dvdstyler/${version}/DVDStyler-${version}.tar.bz2";
sha256 = "03lsblqficcadlzkbyk8agh5rqcfz6y6dqvy9y866wqng3163zq4";
sha256 = "sha256-C7M0hzn0yTCXRUuBTss6WPa6zo8DD0Fhmp/ur7R0dVg=";
};
patches = [
# https://sourceforge.net/p/dvdstyler/DVDStyler/ci/679fa8dc6ac7657775eda9d7b0ed9da9d069aeec/
./wxgtk32.patch
];
nativeBuildInputs = [
bison
docbook_xml_dtd_412
@ -62,7 +67,7 @@ in stdenv.mkDerivation rec {
libexif
libjpeg
wxSVG
wxGTK30
wxGTK32
xine-ui
]
++ optionals dvdisasterSupport [ dvdisaster ]

12
pkgs/applications/video/dvdstyler/wxgtk32.patch Normal file
View File

@ -0,0 +1,12 @@
--- a/wxVillaLib/PropDlg.cpp
+++ b/wxVillaLib/PropDlg.cpp
@@ -12,7 +12,9 @@
#include "utils.h"
#include <wx/fontdlg.h>
#include <wx/colordlg.h>
+#ifdef __WXMSW__
#include <wx/generic/colrdlgg.h>
+#endif
#include <wx/filedlg.h>
#include <wx/dirdlg.h>
#include <wx/grid.h>

4
pkgs/applications/video/media-downloader/default.nix
View File

@ -11,13 +11,13 @@
stdenv.mkDerivation rec {
pname = "media-downloader";
version = "2.7.0";
version = "2.8.0";
src = fetchFromGitHub {
owner = "mhogomchungu";
repo = pname;
rev = "${version}";
sha256 = "sha256-uu/4S7cVWHOhBq52NF0AargE0nbPwjF0txSWL0DquQo=";
sha256 = "sha256-RMZG+rPbwJFL2AzEZlTrc8/bQCx8CWCWppEBjCj5hnU=";
};
nativeBuildInputs = [ cmake qt5.wrapQtAppsHook ];

6
pkgs/applications/virtualization/docker/compose.nix
View File

@ -2,13 +2,13 @@
buildGoModule rec {
pname = "docker-compose";
version = "2.14.2";
version = "2.15.1";
src = fetchFromGitHub {
owner = "docker";
repo = "compose";
rev = "v${version}";
sha256 = "sha256-Yr4R2w6tUsir57etZeex2jT1PW3EZvsLJkVAo/QkhUA=";
sha256 = "sha256-CDkewlZFvjp6kb6UoMDUv9iAUfm0akMD9RpI9/H7Sz8=";
};
postPatch = ''
@ -16,7 +16,7 @@ buildGoModule rec {
rm -rf e2e/
'';
vendorSha256 = "sha256-ar61gvbcm7bcgoPodppqrVJnyFHdZkPIMQ6IUXNpGBA=";
vendorSha256 = "sha256-sv4lK6MRwmp/1CSGBoYMpcGunVCuE8p1vB4VKaRuwQc=";
ldflags = [ "-X github.com/docker/compose/v2/internal.Version=${version}" "-s" "-w" ];

6
pkgs/applications/virtualization/nixpacks/default.nix
View File

@ -2,16 +2,16 @@
rustPlatform.buildRustPackage rec {
pname = "nixpacks";
version = "1.0.3";
version = "1.1.0";
src = fetchFromGitHub {
owner = "railwayapp";
repo = pname;
rev = "v${version}";
sha256 = "sha256-0Q0G2vUIkKRTSbQQrXoInzaPfFNWwT/NQ1/NKQeVpHU=";
sha256 = "sha256-rbpHi00LQiXQDzjRTSYnVG12ezJxi5ypZFXNIXipyqk=";
};
cargoSha256 = "sha256-vLUR8Rs33GukkRihoB9jD3G4ailJc8oakm7NSjoZdok=";
cargoHash = "sha256-gMxj1UtGcHmI9s/RPWKC0rlewaBtUan0nPHwZbgqWFM=";
# skip test due FHS dependency
doCheck = false;

32
pkgs/build-support/bintools-wrapper/default.nix
View File

@ -56,9 +56,9 @@ let
bintoolsVersion = lib.getVersion bintools;
bintoolsName = lib.removePrefix targetPrefix (lib.getName bintools);
libc_bin = if libc == null then null else getBin libc;
libc_dev = if libc == null then null else getDev libc;
libc_lib = if libc == null then null else getLib libc;
libc_bin = if libc == null then "" else getBin libc;
libc_dev = if libc == null then "" else getDev libc;
libc_lib = if libc == null then "" else getLib libc;
bintools_bin = if nativeTools then "" else getBin bintools;
# The wrapper scripts use 'cat' and 'grep', so we may need coreutils.
coreutils_bin = if nativeTools then "" else getBin coreutils;
@ -69,7 +69,7 @@ let
# The dynamic linker has different names on different platforms. This is a
# shell glob that ought to match it.
dynamicLinker =
/**/ if sharedLibraryLoader == null then null
/**/ if sharedLibraryLoader == null then ""
else if targetPlatform.libc == "musl" then "${sharedLibraryLoader}/lib/ld-musl-*"
else if targetPlatform.libc == "uclibc" then "${sharedLibraryLoader}/lib/ld*-uClibc.so.1"
else if (targetPlatform.libc == "bionic" && targetPlatform.is32bit) then "/system/bin/linker"
@ -88,7 +88,7 @@ let
else if targetPlatform.isDarwin then "/usr/lib/dyld"
else if targetPlatform.isFreeBSD then "/libexec/ld-elf.so.1"
else if lib.hasSuffix "pc-gnu" targetPlatform.config then "ld.so.1"
else null;
else "";
expand-response-params =
if buildPackages ? stdenv && buildPackages.stdenv.hasCC && buildPackages.stdenv.cc != "/dev/null"
@ -104,15 +104,10 @@ stdenv.mkDerivation {
preferLocalBuild = true;
inherit bintools_bin libc_bin libc_dev libc_lib coreutils_bin;
shell = getBin shell + shell.shellPath or "";
gnugrep_bin = if nativeTools then "" else gnugrep;
inherit targetPrefix suffixSalt;
outputs = [ "out" ] ++ optionals propagateDoc ([ "man" ] ++ optional (bintools ? info) "info");
passthru = {
inherit targetPrefix suffixSalt;
inherit bintools libc nativeTools nativeLibc nativePrefix;
emacsBufferSetup = pkgs: ''
@ -206,8 +201,6 @@ stdenv.mkDerivation {
strictDeps = true;
depsTargetTargetPropagated = extraPackages;
wrapperName = "BINTOOLS_WRAPPER";
setupHooks = [
../setup-hooks/role.bash
./setup-hook.sh
@ -379,10 +372,15 @@ stdenv.mkDerivation {
##
+ extraBuildCommands;
inherit dynamicLinker;
# for substitution in utils.bash
expandResponseParams = "${expand-response-params}/bin/expand-response-params";
env = {
# for substitution in utils.bash
expandResponseParams = "${expand-response-params}/bin/expand-response-params";
shell = getBin shell + shell.shellPath or "";
gnugrep_bin = if nativeTools then "" else gnugrep;
wrapperName = "BINTOOLS_WRAPPER";
inherit dynamicLinker targetPrefix suffixSalt coreutils_bin;
inherit bintools_bin libc_bin libc_dev libc_lib;
};
meta =
let bintools_ = if bintools != null then bintools else {}; in

30
pkgs/build-support/cc-wrapper/default.nix
View File

@ -42,9 +42,9 @@ let
ccVersion = lib.getVersion cc;
ccName = lib.removePrefix targetPrefix (lib.getName cc);
libc_bin = if libc == null then null else getBin libc;
libc_dev = if libc == null then null else getDev libc;
libc_lib = if libc == null then null else getLib libc;
libc_bin = if libc == null then "" else getBin libc;
libc_dev = if libc == null then "" else getDev libc;
libc_lib = if libc == null then "" else getLib libc;
cc_solib = getLib cc
+ optionalString (targetPlatform != hostPlatform) "/${targetPlatform.config}";
@ -132,22 +132,16 @@ stdenv.mkDerivation {
preferLocalBuild = true;
inherit cc libc_bin libc_dev libc_lib bintools coreutils_bin;
shell = getBin shell + shell.shellPath or "";
gnugrep_bin = if nativeTools then "" else gnugrep;
inherit targetPrefix suffixSalt;
inherit darwinPlatformForCC darwinMinVersion darwinMinVersionVariable;
outputs = [ "out" ] ++ optionals propagateDoc [ "man" "info" ];
passthru = {
inherit targetPrefix suffixSalt;
# "cc" is the generic name for a C compiler, but there is no one for package
# providing the linker and related tools. The two we use now are GNU
# Binutils, and Apple's "cctools"; "bintools" as an attempt to find an
# unused middle-ground name that evokes both.
inherit bintools;
inherit libc nativeTools nativeLibc nativePrefix isGNU isClang;
inherit cc libc nativeTools nativeLibc nativePrefix isGNU isClang;
emacsBufferSetup = pkgs: ''
; We should handle propagation here too
@ -276,8 +270,6 @@ stdenv.mkDerivation {
propagatedBuildInputs = [ bintools ] ++ extraTools ++ optionals cc.langD or false [ zlib ];
depsTargetTargetPropagated = optional (libcxx != null) libcxx ++ extraPackages;
wrapperName = "CC_WRAPPER";
setupHooks = [
../setup-hooks/role.bash
] ++ lib.optional (cc.langC or true) ./setup-hook.sh
@ -549,8 +541,16 @@ stdenv.mkDerivation {
nixSupport);
# for substitution in utils.bash
expandResponseParams = "${expand-response-params}/bin/expand-response-params";
env = {
# for substitution in utils.bash
expandResponseParams = "${expand-response-params}/bin/expand-response-params";
shell = getBin shell + shell.shellPath or "";
gnugrep_bin = if nativeTools then "" else gnugrep;
wrapperName = "CC_WRAPPER";
inherit suffixSalt coreutils_bin bintools cc;
inherit libc_bin libc_dev libc_lib;
inherit darwinPlatformForCC darwinMinVersion darwinMinVersionVariable;
};
meta =
let cc_ = if cc != null then cc else {}; in

2
pkgs/build-support/deterministic-uname/default.nix
View File

@ -38,7 +38,7 @@ substituteAll {
modDirVersion = if modDirVersion != "" then modDirVersion else "unknown";
meta = with lib; {
description = "Print certain system information (hardcoded with <nixpkgs/lib/system> values)";
description = "Print certain system information (hardcoded with lib/system values)";
longDescription = ''
This package provides a replacement for `uname` whose output depends only
on `stdenv.buildPlatform`. It is meant to be used from within derivations.

1
pkgs/build-support/fetchbzr/builder.sh
View File

@ -1,3 +1,4 @@
if [ -e .attrs.sh ]; then source .attrs.sh; fi
source "$stdenv/setup"
header "exporting \`$url' (revision $rev) into \`$out'"

1
pkgs/build-support/fetchcvs/builder.sh
View File

@ -1,3 +1,4 @@
if [ -e .attrs.sh ]; then source .attrs.sh; fi
source $stdenv/setup
(echo "#!$SHELL"; \

1
pkgs/build-support/fetchdarcs/builder.sh
View File

@ -1,3 +1,4 @@
if [ -e .attrs.sh ]; then source .attrs.sh; fi
source $stdenv/setup
tagtext=""

3
pkgs/build-support/fetchdocker/fetchdocker-builder.sh
View File

@ -1,3 +1,4 @@
if [ -e .attrs.sh ]; then source .attrs.sh; fi
source "${stdenv}/setup"
header "exporting ${repository}/${imageName} (tag: ${tag}) into ${out}"
mkdir -p "${out}"
@ -8,7 +9,7 @@ cat <<EOF > "${out}/compositeImage.sh"
# Create a tar archive of a docker image's layers, docker image config
# json, manifest.json, and repositories json; this streams directly to
# stdout and is intended to be used in concert with docker load, i.e:
#
#
# ${out}/compositeImage.sh | docker load
# The first character follow the 's' command for sed becomes the

1
pkgs/build-support/fetchfossil/builder.sh
View File

@ -1,3 +1,4 @@
if [ -e .attrs.sh ]; then source .attrs.sh; fi
source $stdenv/setup
header "Cloning Fossil $url [$rev] into $out"

Some files were not shown because too many files have changed in this diff Show More