ilyakooo0/nixpkgs
1
0
Fork 0
mirror of https://github.com/ilyakooo0/nixpkgs.git synced 2024-11-11 04:02:55 +03:00
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master' into haskell-updates

Browse Source
This commit is contained in:
sternenseemann 2024-01-12 16:55:57 +01:00
commit 245035ea35
1498 changed files with 15433 additions and 11232 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
doc/languages-frameworks/texlive.section.md
View File

@ -208,3 +208,23 @@ EOF
cp test.pdf $out
''
```
## LuaLaTeX font cache {#sec-language-texlive-lualatex-font-cache}
The font cache for LuaLaTeX is written to `$HOME`.
Therefore, it is necessary to set `$HOME` to a writable path, e.g. [before using LuaLaTeX in nix derivations](https://github.com/NixOS/nixpkgs/issues/180639):
```nix
runCommandNoCC "lualatex-hello-world" {
buildInputs = [ texliveFull ];
} ''
mkdir $out
echo '\documentclass{article} \begin{document} Hello world \end{document}' > main.tex
env HOME=$(mktemp -d) lualatex -interaction=nonstopmode -output-format=pdf -output-directory=$out ./main.tex
''
```
Additionally, [the cache of a user can diverge from the nix store](https://github.com/NixOS/nixpkgs/issues/278718).
To resolve font issues that might follow, the cache can be removed by the user:
```ShellSession
luaotfload-tool --cache=erase --flush-lookups --force
```

161
lib/fixed-points.nix
View File

@ -103,42 +103,155 @@ rec {
else converge f x';
/*
Modify the contents of an explicitly recursive attribute set in a way that
honors `self`-references. This is accomplished with a function
Extend a function using an overlay.
Overlays allow modifying and extending fixed-point functions, specifically ones returning attribute sets.
A fixed-point function is a function which is intended to be evaluated by passing the result of itself as the argument.
This is possible due to Nix's lazy evaluation.
A fixed-point function returning an attribute set has the form
```nix
g = self: super: { foo = super.foo + " + "; }
final: { # attributes }
```
that has access to the unmodified input (`super`) as well as the final
non-recursive representation of the attribute set (`self`). `extends`
differs from the native `//` operator insofar as that it's applied *before*
references to `self` are resolved:
where `final` refers to the lazily evaluated attribute set returned by the fixed-point function.
```
nix-repl> fix (extends g f)
{ bar = "bar"; foo = "foo + "; foobar = "foo + bar"; }
An overlay to such a fixed-point function has the form
```nix
final: prev: { # attributes }
```
The name of the function is inspired by object-oriented inheritance, i.e.
think of it as an infix operator `g extends f` that mimics the syntax from
Java. It may seem counter-intuitive to have the "base class" as the second
argument, but it's nice this way if several uses of `extends` are cascaded.
where `prev` refers to the result of the original function to `final`, and `final` is the result of the composition of the overlay and the original function.
To get a better understanding how `extends` turns a function with a fix
point (the package set we start with) into a new function with a different fix
point (the desired packages set) lets just see, how `extends g f`
unfolds with `g` and `f` defined above:
Applying an overlay is done with `extends`:
```nix
let
f = final: { # attributes };
overlay = final: prev: { # attributes };
in extends overlay f;
```
extends g f = self: let super = f self; in super // g self super;
= self: let super = { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; }; in super // g self super
= self: { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; } // g self { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; }
= self: { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; } // { foo = "foo" + " + "; }
= self: { foo = "foo + "; bar = "bar"; foobar = self.foo + self.bar; }
To get the value of `final`, use `lib.fix`:
```nix
let
f = final: { # attributes };
overlay = final: prev: { # attributes };
g = extends overlay f;
in fix g
```
:::{.example}
# Extend a fixed-point function with an overlay
Define a fixed-point function `f` that expects its own output as the argument `final`:
```nix-repl
f = final: {
# Constant value a
a = 1;
# b depends on the final value of a, available as final.a
b = final.a + 2;
}
```
Evaluate this using [`lib.fix`](#function-library-lib.fixedPoints.fix) to get the final result:
```nix-repl
fix f
=> { a = 1; b = 3; }
```
An overlay represents a modification or extension of such a fixed-point function.
Here's an example of an overlay:
```nix-repl
overlay = final: prev: {
# Modify the previous value of a, available as prev.a
a = prev.a + 10;
# Extend the attribute set with c, letting it depend on the final values of a and b
c = final.a + final.b;
}
```
Use `extends overlay f` to apply the overlay to the fixed-point function `f`.
This produces a new fixed-point function `g` with the combined behavior of `f` and `overlay`:
```nix-repl
g = extends overlay f
```
The result is a function, so we can't print it directly, but it's the same as:
```nix-repl
g' = final: {
# The constant from f, but changed with the overlay
a = 1 + 10;
# Unchanged from f
b = final.a + 2;
# Extended in the overlay
c = final.a + final.b;
}
```
Evaluate this using [`lib.fix`](#function-library-lib.fixedPoints.fix) again to get the final result:
```nix-repl
fix g
=> { a = 11; b = 13; c = 24; }
```
:::
Type:
extends :: (Attrs -> Attrs -> Attrs) # The overlay to apply to the fixed-point function
-> (Attrs -> Attrs) # A fixed-point function
-> (Attrs -> Attrs) # The resulting fixed-point function
Example:
f = final: { a = 1; b = final.a + 2; }
fix f
=> { a = 1; b = 3; }
fix (extends (final: prev: { a = prev.a + 10; }) f)
=> { a = 11; b = 13; }
fix (extends (final: prev: { b = final.a + 5; }) f)
=> { a = 1; b = 6; }
fix (extends (final: prev: { c = final.a + final.b; }) f)
=> { a = 1; b = 3; c = 4; }
:::{.note}
The argument to the given fixed-point function after applying an overlay will *not* refer to its own return value, but rather to the value after evaluating the overlay function.
The given fixed-point function is called with a separate argument than if it was evaluated with `lib.fix`.
The new argument
:::
*/
extends = f: rattrs: self: let super = rattrs self; in super // f self super;
extends =
# The overlay to apply to the fixed-point function
overlay:
# The fixed-point function
f:
# Wrap with parenthesis to prevent nixdoc from rendering the `final` argument in the documentation
# The result should be thought of as a function, the argument of that function is not an argument to `extends` itself
(
final:
let
prev = f final;
in
prev // overlay final prev
);
/*
Compose two extending functions of the type expected by 'extends'

11
maintainers/maintainer-list.nix
View File

@ -917,12 +917,15 @@
name = "Alma Cemerlic";
};
Alper-Celik = {
email = "dev.alpercelik@gmail.com";
email = "alper@alper-celik.dev";
name = "Alper Çelik";
github = "Alper-Celik";
githubId = 110625473;
keys = [{
fingerprint = "6B69 19DD CEE0 FAF3 5C9F 2984 FA90 C0AB 738A B873";
}
{
fingerprint = "DF68 C500 4024 23CC F9C5 E6CA 3D17 C832 4696 FE70";
}];
};
alternateved = {
@ -14666,6 +14669,12 @@
githubId = 610615;
name = "Chih-Mao Chen";
};
pkosel = {
name = "pkosel";
email = "philipp.kosel@gmail.com";
github = "pkosel";
githubId = 170943;
};
pks = {
email = "ps@pks.im";
github = "pks-t";

7
maintainers/scripts/luarocks-packages.csv
View File

@ -7,7 +7,7 @@ binaryheap,,,,,,vcunat
busted,,,,,,
cassowary,,,,,,marsam alerque
cldr,,,,,,alerque
compat53,,,,0.7-1,,vcunat
compat53,,,,,,vcunat
cosmo,,,,,,marsam
coxpcall,,,,1.17.0-1,,
cqueues,,,,,,vcunat
@ -15,6 +15,7 @@ cyan,,,,,,
digestif,https://github.com/astoff/digestif.git,,,,5.3,
dkjson,,,,,,
fennel,,,,,,misterio77
fidget.nvim,,,,,,mrcjkb
fifo,,,,,,
fluent,,,,,,alerque
fzy,,,,,,mrcjkb
@ -55,7 +56,7 @@ lua-subprocess,https://github.com/0x0ade/lua-subprocess,,,,5.1,scoder12
lua-term,,,,,,
lua-toml,,,,,,
lua-zlib,,,,,,koral
lua_cliargs,https://github.com/amireh/lua_cliargs.git,,,,,
lua_cliargs,,,,,,
luabitop,https://github.com/teto/luabitop.git,,,,,
luacheck,,,,,,
luacov,,,,,,
@ -86,7 +87,7 @@ luautf8,,,,,,pstn
luazip,,,,,,
lua-yajl,,,,,,pstn
lua-iconv,,,,7.0.0,,
luuid,,,,,,
luuid,,,,20120509-2,,
luv,,,,1.44.2-1,,
lush.nvim,https://github.com/rktjmp/lush.nvim,,,,,teto
lyaml,,,,,,lblasc

1 name src ref server version luaversion maintainers
7 busted
8 cassowary marsam alerque
9 cldr alerque
10 compat53 0.7-1 vcunat
11 cosmo marsam
12 coxpcall 1.17.0-1
13 cqueues vcunat
15 digestif https://github.com/astoff/digestif.git 5.3
16 dkjson
17 fennel misterio77
18 fidget.nvim mrcjkb
19 fifo
20 fluent alerque
21 fzy mrcjkb
56 lua-term
57 lua-toml
58 lua-zlib koral
59 lua_cliargs https://github.com/amireh/lua_cliargs.git
60 luabitop https://github.com/teto/luabitop.git
61 luacheck
62 luacov
87 luazip
88 lua-yajl pstn
89 lua-iconv 7.0.0
90 luuid 20120509-2
91 luv 1.44.2-1
92 lush.nvim https://github.com/rktjmp/lush.nvim teto
93 lyaml lblasc

2
nixos/doc/manual/release-notes/rl-2405.section.md
View File

@ -26,6 +26,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [maubot](https://github.com/maubot/maubot), a plugin-based Matrix bot framework. Available as [services.maubot](#opt-services.maubot.enable).
- systemd's gateway, upload, and remote services, which provides ways of sending journals across the network. Enable using [services.journald.gateway](#opt-services.journald.gateway.enable), [services.journald.upload](#opt-services.journald.upload.enable), and [services.journald.remote](#opt-services.journald.remote.enable).
- [GNS3](https://www.gns3.com/), a network software emulator. Available as [services.gns3-server](#opt-services.gns3-server.enable).
- [rspamd-trainer](https://gitlab.com/onlime/rspamd-trainer), script triggered by a helper which reads mails from a specific mail inbox and feeds them into rspamd for spam/ham training.

2
nixos/lib/make-options-doc/default.nix
View File

@ -120,7 +120,7 @@ in rec {
{ meta.description = "List of NixOS options in JSON format";
nativeBuildInputs = [
pkgs.brotli
pkgs.python3Minimal
pkgs.python3
];
options = builtins.toFile "options.json"
(builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix));

6
nixos/lib/test-driver/default.nix
View File

@ -18,7 +18,7 @@ python3Packages.buildPythonApplication {
pname = "nixos-test-driver";
version = "1.1";
src = ./.;
format = "pyproject";
pyproject = true;
propagatedBuildInputs = [
coreutils
@ -32,6 +32,10 @@ python3Packages.buildPythonApplication {
++ (lib.optionals enableOCR [ imagemagick_light tesseract4 ])
++ extraPythonPackages python3Packages;
nativeBuildInputs = [
python3Packages.setuptools
];
passthru.tests = {
inherit (nixosTests.nixos-test-driver) driver-timeout;
};

16
nixos/modules/hardware/video/webcam/ipu6.nix
View File

@ -13,11 +13,12 @@ in
enable = mkEnableOption (lib.mdDoc "support for Intel IPU6/MIPI cameras");
platform = mkOption {
type = types.enum [ "ipu6" "ipu6ep" ];
type = types.enum [ "ipu6" "ipu6ep" "ipu6epmtl" ];
description = lib.mdDoc ''
Choose the version for your hardware platform.
Use `ipu6` for Tiger Lake and `ipu6ep` for Alder Lake respectively.
Use `ipu6` for Tiger Lake, `ipu6ep` for Alder Lake or Raptor Lake,
and `ipu6epmtl` for Meteor Lake.
'';
};
@ -29,9 +30,7 @@ in
ipu6-drivers
];
hardware.firmware = with pkgs; [ ]
++ optional (cfg.platform == "ipu6") ipu6-camera-bin
++ optional (cfg.platform == "ipu6ep") ipu6ep-camera-bin;
hardware.firmware = [ pkgs.ipu6-camera-bins ];
services.udev.extraRules = ''
SUBSYSTEM=="intel-ipu6-psys", MODE="0660", GROUP="video"
@ -44,14 +43,13 @@ in
extraPackages = with pkgs.gst_all_1; [ ]
++ optional (cfg.platform == "ipu6") icamerasrc-ipu6
++ optional (cfg.platform == "ipu6ep") icamerasrc-ipu6ep;
++ optional (cfg.platform == "ipu6ep") icamerasrc-ipu6ep
++ optional (cfg.platform == "ipu6epmtl") icamerasrc-ipu6epmtl;
input = {
pipeline = "icamerasrc";
format = mkIf (cfg.platform == "ipu6ep") (mkDefault "NV12");
format = mkIf (cfg.platform != "ipu6") (mkDefault "NV12");
};
};
};
}

3
nixos/modules/module-list.nix
View File

@ -1476,6 +1476,9 @@
./system/boot/systemd/initrd-secrets.nix
./system/boot/systemd/initrd.nix
./system/boot/systemd/journald.nix
./system/boot/systemd/journald-gateway.nix
./system/boot/systemd/journald-remote.nix
./system/boot/systemd/journald-upload.nix
./system/boot/systemd/logind.nix
./system/boot/systemd/nspawn.nix
./system/boot/systemd/oomd.nix

1
nixos/modules/services/admin/pgadmin.nix
View File

@ -117,6 +117,7 @@ in
services.pgadmin.settings = {
DEFAULT_SERVER_PORT = cfg.port;
SERVER_MODE = true;
UPGRADE_CHECK_ENABLED = false;
} // (optionalAttrs cfg.openFirewall {
DEFAULT_SERVER = mkDefault "::";
}) // (optionalAttrs cfg.emailServer.enable {

11
nixos/modules/services/misc/gitlab.nix
View File

@ -27,13 +27,7 @@ let
encoding = "utf8";
pool = cfg.databasePool;
} // cfg.extraDatabaseConfig;
in if lib.versionAtLeast (lib.getVersion cfg.packages.gitlab) "15.9" then {
production.main = val;
# Starting with GitLab 15.9, single connections were deprecated and will be
# removed in GitLab 17.0. The CI connection however requires database_tasks set
# to false.
production.ci = val // { database_tasks = false; };
} else if lib.versionAtLeast (lib.getVersion cfg.packages.gitlab) "15.0" then {
in if lib.versionAtLeast (lib.getVersion cfg.packages.gitlab) "15.0" then {
production.main = val;
} else {
production = val;
@ -1354,12 +1348,11 @@ in {
fi
jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \
'.${if lib.versionAtLeast (lib.getVersion cfg.packages.gitlab) "15.0" then "production.main" else "production"}.password = $ENV.db_password ${if lib.versionAtLeast (lib.getVersion cfg.packages.gitlab) "15.9" then "| .production.ci.password = $ENV.db_password | .production.main as $main | del(.production.main) | .production |= {main: $main} + ." else ""}' \
'.${if lib.versionAtLeast (lib.getVersion cfg.packages.gitlab) "15.0" then "production.main" else "production"}.password = $ENV.db_password' \
>'${cfg.statePath}/config/database.yml'
''
else ''
jq <${pkgs.writeText "database.yml" (builtins.toJSON databaseConfig)} \
'${if lib.versionAtLeast (lib.getVersion cfg.packages.gitlab) "15.9" then ".production.main as $main | del(.production.main) | .production |= {main: $main} + ." else ""}' \
>'${cfg.statePath}/config/database.yml'
''
}

2
nixos/modules/services/web-servers/nginx/default.nix
View File

@ -475,7 +475,7 @@ let
mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix;
oldHTTP2 = versionOlder cfg.package.version "1.25.1";
oldHTTP2 = (versionOlder cfg.package.version "1.25.1" && !(cfg.package.pname == "angie" || cfg.package.pname == "angieQuic"));
in
{

135
nixos/modules/system/boot/systemd/journald-gateway.nix Normal file
View File

@ -0,0 +1,135 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.journald.gateway;
cliArgs = lib.cli.toGNUCommandLineShell { } {
# If either of these are null / false, they are not passed in the command-line
inherit (cfg) cert key trust system user merge;
};
in
{
meta.maintainers = [ lib.maintainers.raitobezarius ];
options.services.journald.gateway = {
enable = lib.mkEnableOption "the HTTP gateway to the journal";
port = lib.mkOption {
default = 19531;
type = lib.types.port;
description = ''
The port to listen to.
'';
};
cert = lib.mkOption {
default = null;
type = with lib.types; nullOr str;
description = lib.mdDoc ''
The path to a file or `AF_UNIX` stream socket to read the server
certificate from.
The certificate must be in PEM format. This option switches
`systemd-journal-gatewayd` into HTTPS mode and must be used together
with {option}`services.journald.gateway.key`.
'';
};
key = lib.mkOption {
default = null;
type = with lib.types; nullOr str;
description = lib.mdDoc ''
Specify the path to a file or `AF_UNIX` stream socket to read the
secret server key corresponding to the certificate specified with
{option}`services.journald.gateway.cert` from.
The key must be in PEM format.
This key should not be world-readable, and must be readably by the
`systemd-journal-gateway` user.
'';
};
trust = lib.mkOption {
default = null;
type = with lib.types; nullOr str;
description = lib.mdDoc ''
Specify the path to a file or `AF_UNIX` stream socket to read a CA
certificate from.
The certificate must be in PEM format.
Setting this option enforces client certificate checking.
'';
};
system = lib.mkOption {
default = true;
type = lib.types.bool;
description = lib.mdDoc ''
Serve entries from system services and the kernel.
This has the same meaning as `--system` for {manpage}`journalctl(1)`.
'';
};
user = lib.mkOption {
default = true;
type = lib.types.bool;
description = lib.mdDoc ''
Serve entries from services for the current user.
This has the same meaning as `--user` for {manpage}`journalctl(1)`.
'';
};
merge = lib.mkOption {
default = false;
type = lib.types.bool;
description = lib.mdDoc ''
Serve entries interleaved from all available journals, including other
machines.
This has the same meaning as `--merge` option for
{manpage}`journalctl(1)`.
'';
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
# This prevents the weird case were disabling "system" and "user"
# actually enables both because the cli flags are not present.
assertion = cfg.system || cfg.user;
message = ''
systemd-journal-gatewayd cannot serve neither "system" nor "user"
journals.
'';
}
];
systemd.additionalUpstreamSystemUnits = [
"systemd-journal-gatewayd.socket"
"systemd-journal-gatewayd.service"
];
users.users.systemd-journal-gateway.uid = config.ids.uids.systemd-journal-gateway;
users.users.systemd-journal-gateway.group = "systemd-journal-gateway";
users.groups.systemd-journal-gateway.gid = config.ids.gids.systemd-journal-gateway;
systemd.services.systemd-journal-gatewayd.serviceConfig.ExecStart = [
# Clear the default command line
""
"${pkgs.systemd}/lib/systemd/systemd-journal-gatewayd ${cliArgs}"
];
systemd.sockets.systemd-journal-gatewayd = {
wantedBy = [ "sockets.target" ];
listenStreams = [
# Clear the default port
""
(toString cfg.port)
];
};
};
}

163
nixos/modules/system/boot/systemd/journald-remote.nix Normal file
View File

@ -0,0 +1,163 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.journald.remote;
format = pkgs.formats.systemd;
cliArgs = lib.cli.toGNUCommandLineShell { } {
inherit (cfg) output;
# "-3" specifies the file descriptor from the .socket unit.
"listen-${cfg.listen}" = "-3";
};
in
{
meta.maintainers = [ lib.maintainers.raitobezarius ];
options.services.journald.remote = {
enable = lib.mkEnableOption "receiving systemd journals from the network";
listen = lib.mkOption {
default = "https";
type = lib.types.enum [ "https" "http" ];
description = lib.mdDoc ''
Which protocol to listen to.
'';
};
output = lib.mkOption {
default = "/var/log/journal/remote/";
type = lib.types.str;
description = lib.mdDoc ''
The location of the output journal.
In case the output file is not specified, journal files will be created
underneath the selected directory. Files will be called
{file}`remote-hostname.journal`, where the `hostname` part is the
escaped hostname of the source endpoint of the connection, or the
numerical address if the hostname cannot be determined.
'';
};
port = lib.mkOption {
default = 19532;
type = lib.types.port;
description = ''
The port to listen to.
Note that this option is used only if
{option}`services.journald.upload.listen` is configured to be either
"https" or "http".
'';
};
settings = lib.mkOption {
default = { };
description = lib.mdDoc ''
Configuration in the journal-remote configuration file. See
{manpage}`journal-remote.conf(5)` for available options.
'';
type = lib.types.submodule {
freeformType = format.type;
options.Remote = {
Seal = lib.mkOption {
default = false;
example = true;
type = lib.types.bool;
description = ''
Periodically sign the data in the journal using Forward Secure
Sealing.
'';
};
SplitMode = lib.mkOption {
default = "host";
example = "none";
type = lib.types.enum [ "host" "none" ];
description = lib.mdDoc ''
With "host", a separate output file is used, based on the
hostname of the other endpoint of a connection. With "none", only
one output journal file is used.
'';
};
ServerKeyFile = lib.mkOption {
default = "/etc/ssl/private/journal-remote.pem";
type = lib.types.str;
description = lib.mdDoc ''
A path to a SSL secret key file in PEM format.
Note that due to security reasons, `systemd-journal-remote` will
refuse files from the world-readable `/nix/store`. This file
should be readable by the "" user.
This option can be used with `listen = "https"`. If the path
refers to an `AF_UNIX` stream socket in the file system a
connection is made to it and the key read from it.
'';
};
ServerCertificateFile = lib.mkOption {
default = "/etc/ssl/certs/journal-remote.pem";
type = lib.types.str;
description = lib.mdDoc ''
A path to a SSL certificate file in PEM format.
This option can be used with `listen = "https"`. If the path
refers to an `AF_UNIX` stream socket in the file system a
connection is made to it and the certificate read from it.
'';
};
TrustedCertificateFile = lib.mkOption {
default = "/etc/ssl/ca/trusted.pem";
type = lib.types.str;
description = lib.mdDoc ''
A path to a SSL CA certificate file in PEM format, or `all`.
If `all` is set, then client certificate checking will be
disabled.
This option can be used with `listen = "https"`. If the path
refers to an `AF_UNIX` stream socket in the file system a
connection is made to it and the certificate read from it.
'';
};
};
};
};
};
config = lib.mkIf cfg.enable {
systemd.additionalUpstreamSystemUnits = [
"systemd-journal-remote.service"
"systemd-journal-remote.socket"
];
systemd.services.systemd-journal-remote.serviceConfig.ExecStart = [
# Clear the default command line
""
"${pkgs.systemd}/lib/systemd/systemd-journal-remote ${cliArgs}"
];
systemd.sockets.systemd-journal-remote = {
wantedBy = [ "sockets.target" ];
listenStreams = [
# Clear the default port
""
(toString cfg.port)
];
};
# User and group used by systemd-journal-remote.service
users.groups.systemd-journal-remote = { };
users.users.systemd-journal-remote = {
isSystemUser = true;
group = "systemd-journal-remote";
};
environment.etc."systemd/journal-remote.conf".source =
format.generate "journal-remote.conf" cfg.settings;
};
}

111
nixos/modules/system/boot/systemd/journald-upload.nix Normal file
View File

@ -0,0 +1,111 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.journald.upload;
format = pkgs.formats.systemd;
in
{
meta.maintainers = [ lib.maintainers.raitobezarius ];
options.services.journald.upload = {
enable = lib.mkEnableOption "uploading the systemd journal to a remote server";
settings = lib.mkOption {
default = { };
description = lib.mdDoc ''
Configuration for journal-upload. See {manpage}`journal-upload.conf(5)`
for available options.
'';
type = lib.types.submodule {
freeformType = format.type;
options.Upload = {
URL = lib.mkOption {
type = lib.types.str;
example = "https://192.168.1.1";
description = ''
The URL to upload the journal entries to.
See the description of `--url=` option in
{manpage}`systemd-journal-upload(8)` for the description of
possible values.
'';
};
ServerKeyFile = lib.mkOption {
type = with lib.types; nullOr str;
example = lib.literalExpression "./server-key.pem";
# Since systemd-journal-upload uses a DynamicUser, permissions must
# be done using groups
description = ''
SSL key in PEM format.
In contrary to what the name suggests, this option configures the
client private key sent to the remote journal server.
This key should not be world-readable, and must be readably by
the `systemd-journal` group.
'';
default = null;
};
ServerCertificateFile = lib.mkOption {
type = with lib.types; nullOr str;
example = lib.literalExpression "./server-ca.pem";
description = ''
SSL CA certificate in PEM format.
In contrary to what the name suggests, this option configures the
client certificate sent to the remote journal server.
'';
default = null;
};
TrustedCertificateFile = lib.mkOption {
type = with lib.types; nullOr str;
example = lib.literalExpression "./ca";
description = ''
SSL CA certificate.
This certificate will be used to check the remote journal HTTPS
server certificate.
'';
default = null;
};
NetworkTimeoutSec = lib.mkOption {
type = with lib.types; nullOr str;
example = "1s";
description = ''
When network connectivity to the server is lost, this option
configures the time to wait for the connectivity to get restored.
If the server is not reachable over the network for the
configured time, `systemd-journal-upload` exits. Takes a value in
seconds (or in other time units if suffixed with "ms", "min",
"h", etc). For details, see {manpage}`systemd.time(5)`.
'';
default = null;
};
};
};
};
};
config = lib.mkIf cfg.enable {
systemd.additionalUpstreamSystemUnits = [ "systemd-journal-upload.service" ];
systemd.services."systemd-journal-upload" = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Restart = "always";
# To prevent flooding the server in case the server is struggling
RestartSec = "3sec";
};
};
environment.etc."systemd/journal-upload.conf".source =
format.generate "journal-upload.conf" cfg.settings;
};
}

21
nixos/modules/system/boot/systemd/journald.nix
View File

@ -5,6 +5,10 @@ with lib;
let
cfg = config.services.journald;
in {
imports = [
(mkRenamedOptionModule [ "services" "journald" "enableHttpGateway" ] [ "services" "journald" "gateway" "enable" ])
];
options = {
services.journald.console = mkOption {
default = "";
@ -71,14 +75,6 @@ in {
'';
};
services.journald.enableHttpGateway = mkOption {
default = false;
type = types.bool;
description = lib.mdDoc ''
Whether to enable the HTTP gateway to the journal.
'';
};
services.journald.forwardToSyslog = mkOption {
default = config.services.rsyslogd.enable || config.services.syslog-ng.enable;
defaultText = literalExpression "services.rsyslogd.enable || services.syslog-ng.enable";
@ -101,9 +97,6 @@ in {
] ++ (optional (!config.boot.isContainer) "systemd-journald-audit.socket") ++ [
"systemd-journald-dev-log.socket"
"syslog.socket"
] ++ optionals cfg.enableHttpGateway [
"systemd-journal-gatewayd.socket"
"systemd-journal-gatewayd.service"
];
environment.etc = {
@ -124,12 +117,6 @@ in {
};
users.groups.systemd-journal.gid = config.ids.gids.systemd-journal;
users.users.systemd-journal-gateway.uid = config.ids.uids.systemd-journal-gateway;
users.users.systemd-journal-gateway.group = "systemd-journal-gateway";
users.groups.systemd-journal-gateway.gid = config.ids.gids.systemd-journal-gateway;
systemd.sockets.systemd-journal-gatewayd.wantedBy =
optional cfg.enableHttpGateway "sockets.target";
systemd.services.systemd-journal-flush.restartIfChanged = false;
systemd.services.systemd-journald.restartTriggers = [ config.environment.etc."systemd/journald.conf".source ];

7
nixos/modules/system/boot/timesyncd.nix
View File

@ -46,6 +46,13 @@ with lib;
wantedBy = [ "sysinit.target" ];
aliases = [ "dbus-org.freedesktop.timesync1.service" ];
restartTriggers = [ config.environment.etc."systemd/timesyncd.conf".source ];
# systemd-timesyncd disables DNSSEC validation in the nss-resolve module by setting SYSTEMD_NSS_RESOLVE_VALIDATE to 0 in the unit file.
# This is required in order to solve the chicken-and-egg problem when DNSSEC validation needs the correct time to work, but to set the
# correct time, we need to connect to an NTP server, which usually requires resolving its hostname.
# In order for nss-resolve to be able to read this environment variable we patch systemd-timesyncd to disable NSCD and use NSS modules directly.
# This means that systemd-timesyncd needs to have NSS modules path in LD_LIBRARY_PATH. When systemd-resolved is disabled we still need to set
# NSS module path so that systemd-timesyncd keeps using other NSS modules that are configured in the system.
environment.LD_LIBRARY_PATH = config.system.nssModules.path;
preStart = (
# Ensure that we have some stored time to prevent

3
nixos/tests/all-tests.nix
View File

@ -843,6 +843,8 @@ in {
systemd-initrd-networkd-openvpn = handleTestOn [ "x86_64-linux" "i686-linux" ] ./initrd-network-openvpn { systemdStage1 = true; };
systemd-initrd-vlan = handleTest ./systemd-initrd-vlan.nix {};
systemd-journal = handleTest ./systemd-journal.nix {};
systemd-journal-gateway = handleTest ./systemd-journal-gateway.nix {};
systemd-journal-upload = handleTest ./systemd-journal-upload.nix {};
systemd-machinectl = handleTest ./systemd-machinectl.nix {};
systemd-networkd = handleTest ./systemd-networkd.nix {};
systemd-networkd-dhcpserver = handleTest ./systemd-networkd-dhcpserver.nix {};
@ -858,6 +860,7 @@ in {
systemd-shutdown = handleTest ./systemd-shutdown.nix {};
systemd-sysupdate = runTest ./systemd-sysupdate.nix;
systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
systemd-timesyncd-nscd-dnssec = handleTest ./systemd-timesyncd-nscd-dnssec.nix {};
systemd-user-tmpfiles-rules = handleTest ./systemd-user-tmpfiles-rules.nix {};
systemd-misc = handleTest ./systemd-misc.nix {};
systemd-userdbd = handleTest ./systemd-userdbd.nix {};

8
nixos/tests/installer.nix
View File

@ -510,14 +510,8 @@ let
ntp
perlPackages.ListCompare
perlPackages.XMLLibXML
python3Minimal
# make-options-doc/default.nix
(let
self = (pkgs.python3Minimal.override {
inherit self;
includeSiteCustomize = true;
});
in self.withPackages (p: [ p.mistune ]))
(python3.withPackages (p: [ p.mistune ]))
shared-mime-info
sudo
texinfo

2
nixos/tests/os-prober.nix
View File

@ -95,7 +95,7 @@ in {
ntp
perlPackages.ListCompare
perlPackages.XMLLibXML
python3Minimal
python3
shared-mime-info
stdenv
sudo

90
nixos/tests/systemd-journal-gateway.nix Normal file
View File

@ -0,0 +1,90 @@
import ./make-test-python.nix ({ lib, pkgs, ... }:
{
name = "systemd-journal-gateway";
meta = with pkgs.lib.maintainers; {
maintainers = [ minijackson raitobezarius ];
};
# Named client for coherence with the systemd-journal-upload test, and for
# certificate validation
nodes.client = {
services.journald.gateway = {
enable = true;
cert = "/run/secrets/client/cert.pem";
key = "/run/secrets/client/key.pem";
trust = "/run/secrets/ca.cert.pem";
};
};
testScript = ''
import json
import subprocess
import tempfile
tmpdir_o = tempfile.TemporaryDirectory()
tmpdir = tmpdir_o.name
def generate_pems(domain: str):
subprocess.run(
[
"${pkgs.minica}/bin/minica",
"--ca-key=ca.key.pem",
"--ca-cert=ca.cert.pem",
f"--domains={domain}",
],
cwd=str(tmpdir),
)
with subtest("Creating keys and certificates"):
generate_pems("server")
generate_pems("client")
client.wait_for_unit("multi-user.target")
def copy_pem(file: str):
machine.copy_from_host(source=f"{tmpdir}/{file}", target=f"/run/secrets/{file}")
machine.succeed(f"chmod 644 /run/secrets/{file}")
with subtest("Copying keys and certificates"):
machine.succeed("mkdir -p /run/secrets/{client,server}")
copy_pem("server/cert.pem")
copy_pem("server/key.pem")
copy_pem("client/cert.pem")
copy_pem("client/key.pem")
copy_pem("ca.cert.pem")
client.wait_for_unit("multi-user.target")
curl = '${pkgs.curl}/bin/curl'
accept_json = '--header "Accept: application/json"'
cacert = '--cacert /run/secrets/ca.cert.pem'
cert = '--cert /run/secrets/server/cert.pem'
key = '--key /run/secrets/server/key.pem'
base_url = 'https://client:19531'
curl_cli = f"{curl} {accept_json} {cacert} {cert} {key} --fail"
machine_info = client.succeed(f"{curl_cli} {base_url}/machine")
assert json.loads(machine_info)["hostname"] == "client", "wrong machine name"
# The HTTP request should have started the gateway service, triggered by
# the .socket unit
client.wait_for_unit("systemd-journal-gatewayd.service")
identifier = "nixos-test"
message = "Hello from NixOS test infrastructure"
client.succeed(f"systemd-cat --identifier={identifier} <<< '{message}'")
# max-time is a workaround against a bug in systemd-journal-gatewayd where
# if TLS is enabled, the connection is never closed. Since it will timeout,
# we ignore the return code.
entries = client.succeed(
f"{curl_cli} --max-time 5 {base_url}/entries?SYSLOG_IDENTIFIER={identifier} || true"
)
# Number of entries should be only 1
added_entry = json.loads(entries)
assert added_entry["SYSLOG_IDENTIFIER"] == identifier and added_entry["MESSAGE"] == message, "journal entry does not correspond"
'';
})

101
nixos/tests/systemd-journal-upload.nix Normal file
View File

@ -0,0 +1,101 @@
import ./make-test-python.nix ({ pkgs, ... }:
{
name = "systemd-journal-upload";
meta = with pkgs.lib.maintainers; {
maintainers = [ minijackson raitobezarius ];
};
nodes.server = { nodes, ... }: {
services.journald.remote = {
enable = true;
listen = "http";
settings.Remote = {
ServerCertificateFile = "/run/secrets/sever.cert.pem";
ServerKeyFile = "/run/secrets/sever.key.pem";
TrustedCertificateFile = "/run/secrets/ca.cert.pem";
Seal = true;
};
};
networking.firewall.allowedTCPPorts = [ nodes.server.services.journald.remote.port ];
};
nodes.client = { lib, nodes, ... }: {
services.journald.upload = {
enable = true;
settings.Upload = {
URL = "http://server:${toString nodes.server.services.journald.remote.port}";
ServerCertificateFile = "/run/secrets/client.cert.pem";
ServerKeyFile = "/run/secrets/client.key.pem";
TrustedCertificateFile = "/run/secrets/ca.cert.pem";
};
};
# Wait for the PEMs to arrive
systemd.services.systemd-journal-upload.wantedBy = lib.mkForce [];
systemd.paths.systemd-journal-upload = {
wantedBy = [ "default.target" ];
# This file must be copied last
pathConfig.PathExists = [ "/run/secrets/ca.cert.pem" ];
};
};
testScript = ''
import subprocess
import tempfile
tmpdir_o = tempfile.TemporaryDirectory()
tmpdir = tmpdir_o.name
def generate_pems(domain: str):
subprocess.run(
[
"${pkgs.minica}/bin/minica",
"--ca-key=ca.key.pem",
"--ca-cert=ca.cert.pem",
f"--domains={domain}",
],
cwd=str(tmpdir),
)
with subtest("Creating keys and certificates"):
generate_pems("server")
generate_pems("client")
server.wait_for_unit("multi-user.target")
client.wait_for_unit("multi-user.target")
def copy_pems(machine: Machine, domain: str):
machine.succeed("mkdir /run/secrets")
machine.copy_from_host(
source=f"{tmpdir}/{domain}/cert.pem",
target=f"/run/secrets/{domain}.cert.pem",
)
machine.copy_from_host(
source=f"{tmpdir}/{domain}/key.pem",
target=f"/run/secrets/{domain}.key.pem",
)
# Should be last
machine.copy_from_host(
source=f"{tmpdir}/ca.cert.pem",
target="/run/secrets/ca.cert.pem",
)
with subtest("Copying keys and certificates"):
copy_pems(server, "server")
copy_pems(client, "client")
client.wait_for_unit("systemd-journal-upload.service")
# The journal upload should have started the remote service, triggered by
# the .socket unit
server.wait_for_unit("systemd-journal-remote.service")
identifier = "nixos-test"
message = "Hello from NixOS test infrastructure"
client.succeed(f"systemd-cat --identifier={identifier} <<< '{message}'")
server.wait_until_succeeds(
f"journalctl --file /var/log/journal/remote/remote-*.journal --identifier={identifier} | grep -F '{message}'"
)
'';
})

8
nixos/tests/systemd-journal.nix
View File

@ -6,17 +6,11 @@ import ./make-test-python.nix ({ pkgs, ... }:
maintainers = [ lewo ];
};
nodes.machine = { pkgs, lib, ... }: {
services.journald.enableHttpGateway = true;
};
nodes.machine = { };
testScript = ''
machine.wait_for_unit("multi-user.target")
machine.succeed("journalctl --grep=systemd")
machine.succeed(
"${pkgs.curl}/bin/curl -s localhost:19531/machine | ${pkgs.jq}/bin/jq -e '.hostname == \"machine\"'"
)
'';
})

61
nixos/tests/systemd-timesyncd-nscd-dnssec.nix Normal file
View File

@ -0,0 +1,61 @@
# This test verifies that systemd-timesyncd can resolve the NTP server hostname when DNSSEC validation
# fails even though it is enforced in the systemd-resolved settings. It is required in order to solve
# the chicken-and-egg problem when DNSSEC validation needs the correct time to work, but to set the
# correct time, we need to connect to an NTP server, which usually requires resolving its hostname.
#
# This test does the following:
# - Sets up a DNS server (tinydns) listening on the eth1 ip addess, serving .ntp and fake.ntp records.
# - Configures that DNS server as a resolver and enables DNSSEC in systemd-resolved settings.
# - Configures systemd-timesyncd to use fake.ntp hostname as an NTP server.
# - Performs a regular DNS lookup, to ensure it fails due to broken DNSSEC.
# - Waits until systemd-timesyncd resolves fake.ntp by checking its debug output.
# Here, we don't expect systemd-timesyncd to connect and synchronize time because there is no NTP
# server running. For this test to succeed, we only need to ensure that systemd-timesyncd
# resolves the IP address of the fake.ntp host.
import ./make-test-python.nix ({ pkgs, ... }:
let
ntpHostname = "fake.ntp";
ntpIP = "192.0.2.1";
in
{
name = "systemd-timesyncd";
nodes.machine = { pkgs, lib, config, ... }:
let
eth1IP = (lib.head config.networking.interfaces.eth1.ipv4.addresses).address;
in
{
# Setup a local DNS server for the NTP domain on the eth1 IP address
services.tinydns = {
enable = true;
ip = eth1IP;
data = ''
.ntp:${eth1IP}
+.${ntpHostname}:${ntpIP}
'';
};
# Enable systemd-resolved with DNSSEC and use the local DNS as a name server
services.resolved.enable = true;
services.resolved.dnssec = "true";
networking.nameservers = [ eth1IP ];
# Configure systemd-timesyncd to use our NTP hostname
services.timesyncd.enable = lib.mkForce true;
services.timesyncd.servers = [ ntpHostname ];
services.timesyncd.extraConfig = ''
FallbackNTP=${ntpHostname}
'';
# The debug output is necessary to determine whether systemd-timesyncd successfully resolves our NTP hostname or not
systemd.services.systemd-timesyncd.environment.SYSTEMD_LOG_LEVEL = "debug";
};
testScript = ''
machine.wait_for_unit("tinydns.service")
machine.wait_for_unit("systemd-timesyncd.service")
machine.fail("resolvectl query ${ntpHostname}")
machine.wait_until_succeeds("journalctl -u systemd-timesyncd.service --grep='Resolved address ${ntpIP}:123 for ${ntpHostname}'")
'';
})

4
pkgs/README.md
View File

@ -354,6 +354,10 @@ There are a few naming guidelines:
Example: Given a project had its latest releases `2.2` in November 2021, and `3.0` in January 2022, a commit authored on March 15, 2022 for an upcoming bugfix release `2.2.1` would have `version = "2.2-unstable-2022-03-15"`.
- If a project has no suitable preceding releases - e.g., no versions at all, or an incompatible versioning / tagging schema - then the latest upstream version in the above schema should be `0`.
Example: Given a project that has no tags / released versions at all, or applies versionless tags like `latest` or `YYYY-MM-DD-Build`, a commit authored on March 15, 2022 would have `version = "0-unstable-2022-03-15"`.
- Dashes in the package `pname` _should_ be preserved in new variable names, rather than converted to underscores or camel cased — e.g., `http-parser` instead of `http_parser` or `httpParser`. The hyphenated style is preferred in all three package names.
- If there are multiple versions of a package, this _should_ be reflected in the variable names in `all-packages.nix`, e.g. `json-c_0_9` and `json-c_0_11`. If there is an obvious “default” version, make an attribute like `json-c = json-c_0_9;`. See also [versioning][versioning].

7
pkgs/applications/audio/ardour/7.nix
View File

@ -2,6 +2,7 @@
, stdenv
, fetchgit
, fetchzip
, fetchpatch
, alsa-lib
, aubio
, boost
@ -79,6 +80,12 @@ stdenv.mkDerivation rec {
# AS=as in the environment causes build failure https://tracker.ardour.org/view.php?id=8096
./as-flags.patch
./default-plugin-search-paths.patch
# Fix build with libxml2 2.12.
(fetchpatch {
url = "https://github.com/Ardour/ardour/commit/e995daa37529715214c6c4a2587e4134aaaba02f.patch";
hash = "sha256-EpXOIIObOwwcNgNma0E3nvaBad3930sagDjBpa+78WI=";
})
];
# Ardour's wscript requires git revision and date to be available.

1
pkgs/applications/audio/quodlibet/default.nix
View File

@ -66,6 +66,7 @@ python3.pkgs.buildPythonApplication rec {
] ++ (with python3.pkgs; [
sphinx-rtd-theme
sphinxHook
setuptools
]);
buildInputs = [

4
pkgs/applications/audio/whipper/default.nix
View File

@ -64,10 +64,6 @@ in python3.pkgs.buildPythonApplication rec {
"--prefix" "PATH" ":" (lib.makeBinPath bins)
];
preBuild = ''
export SETUPTOOLS_SCM_PRETEND_VERSION="${version}"
'';
outputs = [ "out" "man" ];
postBuild = ''
make -C man

6
pkgs/applications/blockchains/polkadot/default.nix
View File

@ -4,7 +4,7 @@
, rocksdb
, rust-jemalloc-sys-unprefixed
, rustPlatform
, rustc-wasm32
, rustc
, stdenv
, Security
, SystemConfiguration
@ -63,8 +63,8 @@ rustPlatform.buildRustPackage rec {
nativeBuildInputs = [
rustPlatform.bindgenHook
rustc-wasm32
rustc-wasm32.llvmPackages.lld
rustc
rustc.llvmPackages.lld
];
# NOTE: jemalloc is used by default on Linux with unprefixed enabled

6
pkgs/applications/editors/scite/default.nix
View File

@ -13,6 +13,12 @@ stdenv.mkDerivation {
buildInputs = [ gtk2 ];
sourceRoot = "scintilla/gtk";
CXXFLAGS = [
# GCC 13: error: 'intptr_t' does not name a type
"-include cstdint"
"-include system_error"
];
buildPhase = ''
make
cd ../../lexilla/src

1198
pkgs/applications/graphics/emblem/Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

7
pkgs/applications/graphics/emblem/default.nix
View File

@ -19,7 +19,7 @@
stdenv.mkDerivation rec {
pname = "emblem";
version = "1.2.0";
version = "1.3.0";
src = fetchFromGitLab {
domain = "gitlab.gnome.org";
@ -27,14 +27,11 @@ stdenv.mkDerivation rec {
owner = "design";
repo = "emblem";
rev = version;
sha256 = "sha256-sgo6rGwmybouTTBTPFrPJv8Wo9I6dcoT7sUVQGFUqkQ=";
sha256 = "sha256-VA4KZ8x/MMAA/g/x59h1CyHhlj0vbZqwAFdsfTPA2Ds=";
};
cargoDeps = rustPlatform.importCargoLock {
lockFile = ./Cargo.lock;
outputHashes = {
"librsvg-2.56.0" = "sha256-PIrec3nfeMo94bkYUrp6B7lie9O1RtiBdPMFUKKLtTQ=";
};
};
nativeBuildInputs = [

5
pkgs/applications/graphics/hdrmerge/default.nix
View File

@ -37,6 +37,11 @@ mkDerivation rec {
"-DALGLIB_DIR:PATH=${alglib}"
];
CXXFLAGS = [
# GCC 13: error: 'uint32_t' does not name a type
"-include cstdint"
];
patches = [
# https://github.com/jcelaya/hdrmerge/pull/222
(fetchpatch {

8
pkgs/applications/graphics/inkscape/default.nix
View File

@ -6,6 +6,7 @@
, cmake
, desktopToDarwinBundle
, fetchurl
, fetchpatch
, gettext
, ghostscript
, glib
@ -92,6 +93,13 @@ stdenv.mkDerivation rec {
src = ./fix-ps2pdf-path.patch;
inherit ghostscript;
})
# Fix build with libxml2 2.12
# https://gitlab.com/inkscape/inkscape/-/merge_requests/6089
(fetchpatch {
url = "https://gitlab.com/inkscape/inkscape/-/commit/694d8ae43d06efff21adebf377ce614d660b24cd.patch";
hash = "sha256-9IXJzpZbNU5fnt7XKgqCzUDrwr08qxGwo8TqnL+xc6E=";
})
];
postPatch = ''

9
pkgs/applications/graphics/krita/generic.nix
View File

@ -21,6 +21,15 @@ mkDerivation rec {
inherit hash;
};
patches = [
# Fixes build with SIP 6.8
(fetchpatch {
name = "bump-SIP-ABI-version-to-12.8.patch";
url = "https://invent.kde.org/graphics/krita/-/commit/2d71c47661d43a4e3c1ab0c27803de980bdf2bb2.diff";
hash = "sha256-U3E44nj4vra++PJV20h4YHjES78kgrJtr4ktNeQfOdA=";
})
];
nativeBuildInputs = [ cmake extra-cmake-modules pkg-config python3Packages.sip makeWrapper ];
buildInputs = [

5
pkgs/applications/graphics/meshlab/default.nix
View File

@ -75,6 +75,11 @@ mkDerivation rec {
"-DALLOW_BUNDLED_LEVMAR=ON"
];
CXXFLAGS = [
# GCC 13: error: 'int16_t' has not been declared in 'std'
"-include cstdint"
];
postFixup = ''
patchelf --add-needed $out/lib/meshlab/libmeshlab-common.so $out/bin/.meshlab-wrapped
'';

12
pkgs/applications/graphics/synfigstudio/default.nix
View File

@ -1,6 +1,7 @@
{ lib
, stdenv
, fetchFromGitHub
, fetchpatch
, pkg-config
, autoreconfHook
, wrapGAppsHook
@ -54,6 +55,17 @@ let
pname = "synfig";
inherit version src;
patches = [
# Pull upstream fix for autoconf-2.72 support:
# https://github.com/synfig/synfig/pull/2930
(fetchpatch {
name = "autoconf-2.72.patch";
url = "https://github.com/synfig/synfig/commit/80a3386c701049f597cf3642bb924d2ff832ae05.patch";
stripLen = 1;
hash = "sha256-7gX8tJCR81gw8ZDyNYa8UaeZFNOx4o1Lnq0cAcaKb2I=";
})
];
sourceRoot = "${src.name}/synfig-core";
configureFlags = [

8
pkgs/applications/graphics/tesseract/tesseract4.nix
View File

@ -16,6 +16,14 @@ stdenv.mkDerivation rec {
# great, but tesseract4's days are numbered anyway
postPatch = ''
sed -i '/allheaders.h/a#include "pix_internal.h"' src/textord/devanagari_processing.cpp
# gcc-13 compat fix, simulate this upstream patch:
# https://github.com/tesseract-ocr/tesseract/commit/17e795aaae7d40dbcb7d3365835c2f55ecc6355d.patch
# https://github.com/tesseract-ocr/tesseract/commit/c0db7b7e930322826e09981360e39fdbd16cc9b0.patch
sed -i src/ccutil/helpers.h -e '1i #include <climits>'
sed -i src/ccutil/helpers.h -e '1i #include <cstdint>'
sed -i src/dict/matchdefs.h -e '1i #include <cstdint>'
'';
enableParallelBuilding = true;

1
pkgs/applications/misc/ablog/default.nix
View File

@ -34,6 +34,7 @@ python3.pkgs.buildPythonApplication rec {
];
pytestFlagsArray = [
"-W" "ignore::sphinx.deprecation.RemovedInSphinx90Warning"
"--rootdir" "src/ablog"
];

12
pkgs/applications/misc/acpic/default.nix
View File

@ -6,15 +6,21 @@
python3Packages.buildPythonApplication rec {
pname = "acpic";
version = "1.0.0";
format = "setuptools";
pyproject = true;
src = fetchPypi {
inherit version pname;
hash = "sha256-vQ9VxCNbOmqHIY3e1wq1wNJl5ywfU2tm62gDg3vKvcg=";
};
nativeBuildInputs = [
python3Packages.pbr
postPatch = ''
substituteInPlace setup.py \
--replace "pbr>=5.8.1,<6" "pbr"
'';
nativeBuildInputs = with python3Packages; [
pbr
setuptools
];
# no tests

2
pkgs/applications/misc/audio/sox/default.nix
View File

@ -79,6 +79,8 @@ stdenv.mkDerivation rec {
++ lib.optional enableLibpulseaudio libpulseaudio
++ lib.optional stdenv.isDarwin CoreAudio;
enableParallelBuilding = true;
meta = with lib; {
description = "Sample Rate Converter for audio";
homepage = "https://sox.sourceforge.net/";

6
pkgs/applications/misc/authenticator/default.nix
View File

@ -24,20 +24,20 @@
stdenv.mkDerivation rec {
pname = "authenticator";
version = "4.3.0";
version = "4.4.0";
src = fetchFromGitLab {
domain = "gitlab.gnome.org";
owner = "World";
repo = "Authenticator";
rev = version;
hash = "sha256-WR5gXGry4wti2M4D/IQvwI7OSak1p+O+XAhr01hdv2Q=";
hash = "sha256-LNYhUDV5nM46qx29xXE6aCEdBo7VnwT61YgAW0ZXW30=";
};
cargoDeps = rustPlatform.fetchCargoTarball {
inherit src;
name = "${pname}-${version}";
hash = "sha256-ZVDKTJojblVCbbdtnqcL+UVW1vkmu99AXCbgyCGNHCM=";
hash = "sha256-ntkKH4P3Ui2NZSVy87hGAsRA1GDRwoK9UnA/nFjyLnA=";
};
nativeBuildInputs = [

5
pkgs/applications/misc/barrier/default.nix
View File

@ -26,6 +26,11 @@ mkDerivation rec {
})
];
CXXFLAGS = [
# error: 'uint8_t' is not a member of 'std'; did you mean 'wint_t'?
"-include cstdint"
];
buildInputs = [ curl xorg.libX11 xorg.libXext xorg.libXtst avahiWithLibdnssdCompat qtbase ];
nativeBuildInputs = [ cmake wrapGAppsHook ];

5
pkgs/applications/misc/buku/default.nix
View File

@ -19,6 +19,7 @@ in
with python3.pkgs; buildPythonApplication rec {
version = "4.8";
pname = "buku";
pyproject = true;
src = fetchFromGitHub {
owner = "jarun";
@ -27,6 +28,10 @@ with python3.pkgs; buildPythonApplication rec {
sha256 = "sha256-kPVlfTYUusf5CZnKB53WZcCHo3MEnA2bLUHTRPGPn+8=";
};
nativeBuildInputs = [
setuptools
];
nativeCheckInputs = [
hypothesis
pytest

4
pkgs/applications/misc/calibre/default.nix
View File

@ -32,11 +32,11 @@
stdenv.mkDerivation (finalAttrs: {
pname = "calibre";
version = "7.2.0";
version = "7.3.0";
src = fetchurl {
url = "https://download.calibre-ebook.com/${finalAttrs.version}/calibre-${finalAttrs.version}.tar.xz";
hash = "sha256-1OZPSXF5cQlmwbD2bHVWtYHLUgCo8LaR1WPpuSUWoR8=";
hash = "sha256-fBdLXSRJMBVfQOfuqOqHzgHS8fXYq2x5J181pKZhASo=";
};
patches = [

2620
pkgs/applications/misc/citations/Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

20
pkgs/applications/misc/citations/default.nix
View File

@ -22,21 +22,19 @@
stdenv.mkDerivation (finalAttrs: {
pname = "citations";
version = "0.5.2";
version = "0.6.2";
src = fetchFromGitLab {
domain = "gitlab.gnome.org";
owner = "World";
repo = finalAttrs.pname;
rev = finalAttrs.version;
hash = "sha256-QofsVqulFMiyYKci2vHdQAUJoIIgnPyTRizoBDvYG+g=";
hash = "sha256-RV9oQcXzRsNcvZc/8Xt7qZ/88DvHofC2Av0ftxzeF6Q=";
};
cargoDeps = rustPlatform.importCargoLock {
lockFile = ./Cargo.lock;
outputHashes = {
"nom-bibtex-0.4.0" = "sha256-hulMoH3gkhD2HurrXdIqqkfKkZGujV9We0m0jsgHFfM=";
};
cargoDeps = rustPlatform.fetchCargoTarball {
src = finalAttrs.src;
hash = "sha256-XlqwgXuwxR6oEz0+hYAp/3b+XxH+Vd/DGr5j+iKhUjQ=";
};
nativeBuildInputs = [
@ -62,6 +60,13 @@ stdenv.mkDerivation (finalAttrs: {
darwin.apple_sdk.frameworks.Foundation
];
env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.cc.isClang (lib.concatStringsSep " " [
"-Wno-typedef-redefinition"
"-Wno-unused-parameter"
"-Wno-missing-field-initializers"
"-Wno-incompatible-function-pointer-types"
]);
doCheck = true;
nativeCheckInputs = [ clippy ];
@ -81,5 +86,6 @@ stdenv.mkDerivation (finalAttrs: {
license = licenses.gpl3Plus;
maintainers = with maintainers; [ benediktbroich ];
platforms = platforms.unix;
mainProgram = "citations";
};
})

2
pkgs/applications/misc/keepmenu/default.nix
View File

@ -17,8 +17,6 @@ python3Packages.buildPythonApplication rec {
hatch-vcs
];
env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
propagatedBuildInputs = with python3Packages; [
pykeepass
pynput

2
pkgs/applications/misc/khal/default.nix
View File

@ -17,8 +17,6 @@ python3.pkgs.buildPythonApplication rec {
hash = "sha256-yI33pB/t+UISvSbLUzmsZqBxLF6r8R3j9iPNeosKcYw=";
};
SETUPTOOLS_SCM_PRETEND_VERSION = version;
nativeBuildInputs = [
glibcLocales
installShellFiles

1
pkgs/applications/misc/khard/default.nix
View File

@ -9,7 +9,6 @@ python3.pkgs.buildPythonApplication rec {
sha256 = "sha256-WfMKDaPD2j6wT02+GO5HY5E7aF2Z7IQY/VdKiMSRxJA=";
};
SETUPTOOLS_SCM_PRETEND_VERSION = version;
nativeBuildInputs = with python3.pkgs; [
setuptools-scm
sphinxHook

2
pkgs/applications/misc/mozphab/default.nix
View File

@ -30,8 +30,6 @@ python3.pkgs.buildPythonApplication rec {
setuptools-scm
];
env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
propagatedBuildInputs = with python3.pkgs; [
colorama
distro

8
pkgs/applications/misc/mupdf/default.nix
View File

@ -165,10 +165,14 @@ stdenv.mkDerivation rec {
EOF
moveToOutput "bin" "$bin"
'' + lib.optionalString (enableX11 || enableGL) ''
'' + (lib.optionalString (stdenv.isDarwin) ''
for exe in $bin/bin/*; do
install_name_tool -change build/shared-release/libmupdf.dylib $out/lib/libmupdf.dylib "$exe"
done
'') + (lib.optionalString (enableX11 || enableGL) ''
mkdir -p $bin/share/icons/hicolor/48x48/apps
cp docs/logo/mupdf.png $bin/share/icons/hicolor/48x48/apps
'' + (if enableGL then ''
'') + (if enableGL then ''
ln -s "$bin/bin/mupdf-gl" "$bin/bin/mupdf"
'' else lib.optionalString (enableX11) ''
ln -s "$bin/bin/mupdf-x11" "$bin/bin/mupdf"

2
pkgs/applications/misc/octoprint/default.nix
View File

@ -163,7 +163,7 @@ let
zeroconf
zipstream-ng
class-doc
pydantic
pydantic_1
] ++ lib.optionals stdenv.isDarwin [
py.pkgs.appdirs
] ++ lib.optionals (!stdenv.isDarwin) [

6
pkgs/applications/misc/pagefind/default.nix
View File

@ -7,7 +7,7 @@
, binaryen
, gzip
, nodejs
, rustc-wasm32
, rustc
, wasm-bindgen-cli
, wasm-pack
}:
@ -66,8 +66,8 @@ rustPlatform.buildRustPackage rec {
binaryen
gzip
nodejs
rustc-wasm32
rustc-wasm32.llvmPackages.lld
rustc
rustc.llvmPackages.lld
wasm-bindgen-84
wasm-pack
];

11
pkgs/applications/misc/pysentation/default.nix
View File

@ -15,9 +15,14 @@ python3.pkgs.buildPythonApplication rec {
hash = "sha256-TwHDXWgGWuQVgatBDc1iympnb6dy4xYThLR5MouEZHA=";
};
nativeBuildInputs = [
python3.pkgs.setuptools
python3.pkgs.wheel
nativeBuildInputs = with python3.pkgs; [
setuptools
pythonRelaxDepsHook
];
pythonRelaxDeps = [
"click"
"rich"
];
propagatedBuildInputs = with python3.pkgs; [

8
pkgs/applications/misc/remnote/default.nix
View File

@ -6,11 +6,11 @@ stdenv.mkDerivation (finalAttrs: let
in
{
pname = "remnote";
version = "1.13.0";
version = "1.13.34";
src = fetchurl {
url = "https://download.remnote.io/remnote-desktop/RemNote-${version}.AppImage";
hash = "sha256-ovM7MnRqzy/mgz+h87hqIuvquODIfmxjdJG1NZYobbk=";
hash = "sha256-QOfU1pZWQfShq8bQPh9ZiGKxzIV6LH8S/sQk3MQVKD0=";
};
appexec = appimageTools.wrapType2 {
inherit pname version src;
@ -36,8 +36,8 @@ in
runHook preInstall
install -D ${appexec}/bin/remnote-${version} $out/bin/remnote
install -D "${desktopItem}/share/applications/"* -t $out/share/applications/
install -D ${icon} $out/share/pixmaps/remnote.png
install -m 444 -D "${desktopItem}/share/applications/"* -t $out/share/applications/
install -m 444 -D ${icon} $out/share/pixmaps/remnote.png
runHook postInstall
'';

4
pkgs/applications/misc/rofi-rbw/default.nix
View File

@ -17,14 +17,14 @@
buildPythonApplication rec {
pname = "rofi-rbw";
version = "1.2.0";
version = "1.3.0";
format = "pyproject";
src = fetchFromGitHub {
owner = "fdw";
repo = "rofi-rbw";
rev = "refs/tags/${version}";
hash = "sha256-6ZM+qJvVny/h5W/+7JqD/CCf9eayExvZfC/z9rHssVU=";
hash = "sha256-aTMKwb4BLupY0UmvPC86RnElZ9DFep8sApaMrlGbJ0M=";
};
nativeBuildInputs = [

4
pkgs/applications/misc/scli/default.nix
View File

@ -10,13 +10,13 @@
python3.pkgs.buildPythonApplication rec {
pname = "scli";
version = "0.7.2";
version = "0.7.3";
src = fetchFromGitHub {
owner = "isamert";
repo = pname;
rev = "refs/tags/v${version}";
sha256 = "sha256-7yyORM77oByH1gxx/TNkjJQBsig6ZxsfeI3ijg71oBs=";
sha256 = "sha256-x5NLYqA/sdQkT/8oG/ija/+4+KjRHa1q0T3mqymAuV8=";
};
propagatedBuildInputs = with python3.pkgs; [

2
pkgs/applications/misc/urlscan/default.nix
View File

@ -15,8 +15,6 @@ python3.pkgs.buildPythonApplication rec {
hash = "sha256-OzcoOIgEiadWrsUPIxBJTuZQYjScJBYKyqCu1or6fz8=";
};
SETUPTOOLS_SCM_PRETEND_VERSION = version;
nativeBuildInputs = with python3.pkgs; [
hatchling
hatch-vcs

1
pkgs/applications/misc/yambar/default.nix
View File

@ -82,6 +82,7 @@ stdenv.mkDerivation (finalAttrs: {
mesonBuildType = "release";
mesonFlags = [
(lib.mesonBool "werror" false)
(lib.mesonEnable "backend-x11" x11Support)
(lib.mesonEnable "backend-wayland" waylandSupport)
];

1
pkgs/applications/networking/browsers/firefox/wrapper.nix
View File

@ -416,6 +416,7 @@ let
meta = browser.meta // {
inherit (browser.meta) description;
mainProgram = launcherName;
hydraPlatforms = [];
priority = (browser.meta.priority or 0) - 1; # prefer wrapper over the package
};

2
pkgs/applications/networking/cloudflare-dyndns/default.nix
View File

@ -24,7 +24,7 @@ python3.pkgs.buildPythonApplication rec {
attrs
click
cloudflare
pydantic
pydantic_1
requests
];

64
pkgs/applications/networking/cluster/kubevela/default.nix Normal file
View File

@ -0,0 +1,64 @@
{ buildGoModule
, fetchFromGitHub
, installShellFiles
, lib
, stdenv
, testers
, kubevela
, nix-update-script
}:
buildGoModule rec {
pname = "kubevela";
version = "1.9.8";
src = fetchFromGitHub {
owner = "kubevela";
repo = "kubevela";
rev = "v${version}";
hash = "sha256-Bf9OS8IlsahE40JsYTALC3oW6HliyqycA2CTJFRRTag=";
};
vendorHash = "sha256-obvlie4P3mhp2VMyUYHNZIlgfICM4PDhu4YKeDsVMxw=";
ldflags = [
"-s" "-w"
"-X github.com/oam-dev/kubevela/version.VelaVersion=${version}"
];
subPackages = [ "references/cmd/cli" ];
CGO_ENABLED = 0;
# Workaround for permission issue in shell completion
HOME = "$TMPDIR";
installPhase = ''
runHook preInstall
install -Dm755 "$GOPATH/bin/cli" -T $out/bin/vela
runHook postInstall
'';
nativeBuildInputs = [ installShellFiles ];
postInstall = lib.optionalString (stdenv.hostPlatform == stdenv.buildPlatform) ''
installShellCompletion --cmd vela \
--bash <($out/bin/vela completion bash) \
--zsh <($out/bin/vela completion zsh)
'';
passthru.tests.version = testers.testVersion {
package = kubevela;
command = "HOME=$TMPDIR vela version";
};
passthru.updateScript = nix-update-script { };
meta = {
description = "An application delivery platform to deploy and operate applications in hybrid, multi-cloud environments";
downloadPage = "https://github.com/kubevela/kubevela";
homepage = "https://kubevela.io/";
license = lib.licenses.asl20;
maintainers = [ ];
mainProgram = "vela";
};
}

6
pkgs/applications/networking/cluster/terragrunt/default.nix
View File

@ -5,16 +5,16 @@
buildGoModule rec {
pname = "terragrunt";
version = "0.54.12";
version = "0.54.16";
src = fetchFromGitHub {
owner = "gruntwork-io";
repo = pname;
rev = "refs/tags/v${version}";
hash = "sha256-fKZd4WlU011LCrh6jLyEecm5jEbX/CF5Vk0PMQbznx0=";
hash = "sha256-UWldCHuRZI3pKl65VVorik9ucN0+xWyfl6r3X5m2xoI=";
};
vendorHash = "sha256-ey2PHpNK4GBE6FlXTYlbYhtG1re3OflbYnQmti9fS9k=";
vendorHash = "sha256-kGHcVWO59LyFGDjh9fC++z6PSirepa5QNHDJoojT5kA=";
doCheck = false;

2
pkgs/applications/networking/instant-messengers/deltachat-cursed/default.nix
View File

@ -23,8 +23,6 @@ python3.pkgs.buildPythonApplication rec {
setuptools-scm
];
SETUPTOOLS_SCM_PRETEND_VERSION = version;
propagatedBuildInputs = with python3.pkgs; [
appdirs
deltachat

33
pkgs/applications/networking/mailreaders/notmuch/default.nix
View File

@ -85,19 +85,26 @@ stdenv.mkDerivation rec {
patchShebangs notmuch-git
'';
preCheck = let
test-database = fetchurl {
url = "https://notmuchmail.org/releases/test-databases/database-v1.tar.xz";
sha256 = "1lk91s00y4qy4pjh8638b5lfkgwyl282g1m27srsf7qfn58y16a2";
};
in ''
mkdir -p test/test-databases
ln -s ${test-database} test/test-databases/database-v1.tar.xz
''
# Issues since gnupg: 2.4.0 -> 2.4.1
+ ''
rm test/{T350-crypto,T357-index-decryption}.sh
'';
preCheck =
let
test-database = fetchurl {
url = "https://notmuchmail.org/releases/test-databases/database-v1.tar.xz";
sha256 = "1lk91s00y4qy4pjh8638b5lfkgwyl282g1m27srsf7qfn58y16a2";
};
in
''
mkdir -p test/test-databases
ln -s ${test-database} test/test-databases/database-v1.tar.xz
''
+ ''
# Issues since gnupg: 2.4.0 -> 2.4.1
rm test/{T350-crypto,T357-index-decryption}.sh
# Issues since pbr 6.0.0 bump (ModuleNotFoundError: No module named 'notmuch2')
rm test/T055-path-config.sh
# Flaky, seems to get its paths wrong sometimes (?)
# *ERROR*: Opening output file: Permission denied, /nix/store/bzy21v2cd5sq1djzwa9b19q08wpp9mm0-emacs-29.1/bin/OUTPUT
rm test/T460-emacs-tree.sh
'';
doCheck = !stdenv.hostPlatform.isDarwin && (lib.versionAtLeast gmime3.version "3.0.3");
checkTarget = "test";

11
pkgs/applications/networking/newsreaders/liferea/default.nix
View File

@ -1,5 +1,6 @@
{ lib, stdenv
, fetchurl
, fetchpatch
, pkg-config
, intltool
, python3Packages
@ -31,6 +32,16 @@ stdenv.mkDerivation rec {
hash = "sha256-7lanrs63N6ZnqxvjcW/+cUZVDqUbML2gftQUc/sLr3Q=";
};
patches = [
# Pull upstream fix for libxml2-2.12 compatibility:
# https://github.com/lwindolf/liferea/pull/1329
(fetchpatch {
name = "libxml2-2.12.patch";
url = "https://github.com/lwindolf/liferea/commit/be8ef494586d9ef73c04ec4ca058a9a158ae3562.patch";
hash = "sha256-K1R7dJMm7ui6QKQqAHCo/ZrLCW3PhPU1EKRPEICtCsQ=";
})
];
nativeBuildInputs = [
wrapGAppsHook
python3Packages.wrapPython

9
pkgs/applications/office/abiword/default.nix
View File

@ -1,6 +1,7 @@
{ lib
, stdenv
, fetchurl
, fetchpatch
, pkg-config
, gtk3
, fribidi
@ -28,6 +29,14 @@ stdenv.mkDerivation rec {
hash = "sha256-ElckfplwUI1tFFbT4zDNGQnEtCsl4PChvDJSbW86IbQ=";
};
patches = [
# Fix build with libxml2 2.12
(fetchpatch {
url = "https://gitlab.gnome.org/World/AbiWord/-/commit/2a06be6a10a0718f8a3d8e00c317f5042c99a467.patch";
hash = "sha256-vfh81tGXe9dgnjcAtoWHOK8CtW7MZ75FFjnfKTkiKkk=";
})
];
nativeBuildInputs = [
pkg-config
wrapGAppsHook

15
pkgs/applications/office/libreoffice/default.nix
View File

@ -13,6 +13,7 @@
, IOCompress
, zlib
, libjpeg
, liblangtag
, expat
, freetype
, libwpd
@ -225,6 +226,17 @@ in stdenv.mkDerivation (finalAttrs: {
url = "https://cgit.freedesktop.org/libreoffice/core/patch/?id=ececb678b8362e3be8e02768ddd5e4197d87dc2a";
hash = "sha256-TUfKlwNxUTOJ95VLqwVD+ez1xhu7bW6xZlgIaCyIiNg=";
})
# Backport libxml 2.12 build fixes
# FIXME: remove in next release
(fetchpatch {
url = "https://cgit.freedesktop.org/libreoffice/core/patch/?id=c8f7408db73d2f2ccacb25a2b4fef8dfebdfc6cb";
hash = "sha256-uEgRx1eyS3Wx2ZDWEsUmpIbuKezVrIbO++qSL2QI8Lk=";
})
(fetchpatch {
url = "https://cgit.freedesktop.org/libreoffice/core/patch/?id=cbb17a548b5cc6a99b6ed7735479bb4f2bc40f26";
hash = "sha256-ofhif37uvQI+gidaUpyr6XlyBc3gTJUDBRb3ootrzz0=";
})
];
# libreoffice tries to reference the BUILDCONFIG (e.g. PKG_CONFIG_PATH)
@ -436,6 +448,7 @@ in stdenv.mkDerivation (finalAttrs: {
"--with-system-headers"
"--with-system-openssl"
"--with-system-libabw"
"--with-system-liblangtag"
"--without-system-libcmis"
"--with-system-libwps"
"--with-system-openldap"
@ -466,7 +479,6 @@ in stdenv.mkDerivation (finalAttrs: {
"--without-system-lpsolve"
"--without-system-libetonyek"
"--without-system-libfreehand"
"--without-system-liblangtag"
"--without-system-libmspub"
"--without-system-libnumbertext"
"--without-system-libpagemaker"
@ -566,6 +578,7 @@ in stdenv.mkDerivation (finalAttrs: {
libepoxy
libexttextcat
libjpeg
liblangtag
libmspack
libmwaw
libmysqlclient

2
pkgs/applications/office/paperwork/openpaperwork-core.nix
View File

@ -29,8 +29,6 @@ buildPythonPackage rec {
patchShebangs ../tools
'';
env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
propagatedBuildInputs = [
distro
setuptools

2
pkgs/applications/office/paperwork/openpaperwork-gtk.nix
View File

@ -29,8 +29,6 @@ buildPythonPackage rec {
patchShebangs ../tools
'';
env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
nativeBuildInputs = [
pkgs.gettext
pkgs.which

2
pkgs/applications/office/paperwork/paperwork-backend.nix
View File

@ -44,8 +44,6 @@ buildPythonPackage rec {
patchShebangs ../tools
'';
env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
propagatedBuildInputs = [
distro
gtk3

2
pkgs/applications/office/paperwork/paperwork-gtk.nix
View File

@ -42,8 +42,6 @@ python3Packages.buildPythonApplication rec {
sourceRoot = "${src.name}/paperwork-gtk";
env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
postPatch = ''
chmod a+w -R ..
patchShebangs ../tools

2
pkgs/applications/office/paperwork/paperwork-shell.nix
View File

@ -32,8 +32,6 @@ buildPythonPackage rec {
chmod a+w -R ..
patchShebangs ../tools
'';
env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
propagatedBuildInputs = [
openpaperwork-core
paperwork-backend

2
pkgs/applications/office/todoman/default.nix
View File

@ -19,8 +19,6 @@ python3.pkgs.buildPythonApplication rec {
hash = "sha256-5tQaNT6QVN9mxa9t6OvMux4ZGy4flUqszTAwet2QL0w=";
};
SETUPTOOLS_SCM_PRETEND_VERSION = version;
nativeBuildInputs = [
installShellFiles
] ++ (with python3.pkgs; [

2
pkgs/applications/science/electronics/nanovna-saver/default.nix
View File

@ -31,8 +31,6 @@ python3.pkgs.buildPythonApplication rec {
setuptools-scm
];
SETUPTOOLS_SCM_PRETEND_VERSION = version;
doCheck = false;
dontWrapGApps = true;

6
pkgs/applications/science/machine-learning/fasttext/default.nix
View File

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "fasttext";
version = "0.9.2";
version = "0.9.2-unstable-2023-11-28";
src = fetchFromGitHub {
owner = "facebookresearch";
repo = "fastText";
rev = "v${version}";
sha256 = "07cz2ghfq6amcljaxpdr5chbd64ph513y8zqmibfx2xwfp74xkhn";
rev = "6c2204ba66776b700095ff73e3e599a908ffd9c3";
hash = "sha256-lSIah4T+QqZwCRpeI3mxJ7PZT6pSHBO26rcEFfK8DSk=";
};
nativeBuildInputs = [ cmake ];

19
pkgs/applications/science/math/gmsh/default.nix
View File

@ -1,4 +1,4 @@
{ lib, stdenv, fetchurl, cmake, blas, lapack, gfortran, gmm, fltk, libjpeg
{ lib, stdenv, fetchurl, fetchpatch, cmake, blas, lapack, gfortran, gmm, fltk, libjpeg
, zlib, libGL, libGLU, xorg, opencascade-occt
, python ? null, enablePython ? false }:
@ -24,7 +24,22 @@ stdenv.mkDerivation rec {
enableParallelBuilding = true;
patches = [ ./fix-python.patch ];
patches = [
./fix-python.patch
# Pull upstream fix git gcc-13:
# https://gitlab.onelab.info/gmsh/gmsh/-/issues/2416
(fetchpatch {
name = "gcc-13-p1.patch";
url = "https://gitlab.onelab.info/gmsh/gmsh/-/commit/fb81a9c9026700e078de947b4522cb39e543a86b.patch";
hash = "sha256-1GInFqQZvOgflC3eQTjmZ9uBGFASRNCpCwDACN3yTQ4=";
})
(fetchpatch {
name = "gcc-13-p2.patch";
url = "https://gitlab.onelab.info/gmsh/gmsh/-/commit/aceb09c807b78ea26555f99fcb16c4f87c31fb5a.patch";
hash = "sha256-6FI0hIvj8hglCvxoKV0GzT2/F/Wz+ddkxV/TLzzJBLU=";
})
];
postPatch = ''
substituteInPlace api/gmsh.py --subst-var-by LIBPATH ${placeholder "out"}/lib/libgmsh.so

5
pkgs/applications/search/recoll/default.nix
View File

@ -97,7 +97,10 @@ mkDerivation rec {
(lib.withFeature stdenv.isLinux "inotify")
];
env.NIX_CFLAGS_COMPILE = toString [ "-DNIXPKGS" ];
env.NIX_CFLAGS_COMPILE = toString [
"-DNIXPKGS"
"-fpermissive" # libxml2-2.12 changed const qualifiers
];
patches = [
# fix "No/bad main configuration file" error

2
pkgs/applications/terminal-emulators/guake/default.nix
View File

@ -52,8 +52,6 @@ python3.pkgs.buildPythonApplication rec {
pyyaml
];
SETUPTOOLS_SCM_PRETEND_VERSION = version;
makeFlags = [
"PREFIX=${placeholder "out"}"
];

2
pkgs/applications/version-management/git-cola/default.nix
View File

@ -11,8 +11,6 @@ python3Packages.buildPythonApplication rec {
hash = "sha256-PtV2mzxOfZ88THiFD4K+qtOi41GeLF1GcdiFFhUR8Ak=";
};
env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
buildInputs = lib.optionals stdenv.isLinux [ qt5.qtwayland ];
propagatedBuildInputs = with python3Packages; [ git pyqt5 qtpy send2trash ];
nativeBuildInputs = with python3Packages; [ setuptools-scm gettext qt5.wrapQtAppsHook ];

4
pkgs/applications/version-management/git/default.nix
View File

@ -29,7 +29,7 @@ assert sendEmailSupport -> perlSupport;
assert svnSupport -> perlSupport;
let
version = "2.42.0";
version = "2.43.0";
svn = subversionClient.override { perlBindings = perlSupport; };
gitwebPerlLibs = with perlPackages; [ CGI HTMLParser CGIFast FCGI FCGIProcManager HTMLTagCloud ];
in
@ -42,7 +42,7 @@ stdenv.mkDerivation (finalAttrs: {
src = fetchurl {
url = "https://www.kernel.org/pub/software/scm/git/git-${version}.tar.xz";
hash = "sha256-MnghDp/SmUuEhN1+Pd2eqLlA71IXDNtgbaqU2IfJOw0=";
hash = "sha256-VEZgPnPZEXgdJZ5WV1Dc0nekKDbI45LKyRzxN6qbduw=";
};
outputs = [ "out" ] ++ lib.optional withManual "doc";

12
pkgs/applications/version-management/gitlab/data.json
View File

@ -1,15 +1,15 @@
{
"version": "16.7.0",
"repo_hash": "sha256-l5TkjkVny2zQLUfbscG6adkmkC1KjxMAeFbSyUA1UbI=",
"version": "16.7.2",
"repo_hash": "sha256-YIwZkmTVmxXlZ07lCUco9VEbylMvE92LQdFOeZXWB2M=",
"yarn_hash": "1qxz2p969qg7kzyvhwxws5zwdw986gdq9gxllzi58c5c56jz49zf",
"owner": "gitlab-org",
"repo": "gitlab",
"rev": "v16.7.0-ee",
"rev": "v16.7.2-ee",
"passthru": {
"GITALY_SERVER_VERSION": "16.7.0",
"GITLAB_PAGES_VERSION": "16.7.0",
"GITALY_SERVER_VERSION": "16.7.2",
"GITLAB_PAGES_VERSION": "16.7.2",
"GITLAB_SHELL_VERSION": "14.32.0",
"GITLAB_ELASTICSEARCH_INDEXER_VERSION": "4.5.0",
"GITLAB_WORKHORSE_VERSION": "16.7.0"
"GITLAB_WORKHORSE_VERSION": "16.7.2"
}
}

4
pkgs/applications/version-management/gitlab/gitaly/default.nix
View File

@ -6,7 +6,7 @@
}:
let
version = "16.7.0";
version = "16.7.2";
package_version = "v${lib.versions.major version}";
gitaly_package = "gitlab.com/gitlab-org/gitaly/${package_version}";
@ -18,7 +18,7 @@ let
owner = "gitlab-org";
repo = "gitaly";
rev = "v${version}";
hash = "sha256-YLynUHE1lb0dfsZsalz91jSSk1Y5r7kqT2AcE27xf04=";
hash = "sha256-3R7x8eaUJqJ1mKlQ4kYThKyaSfSaow7lGx5EfNo+GNY=";
};
vendorHash = "sha256-btWHZMy1aBSsUVs30IqrdBCO79XQvTMXxkxYURF2Nqs=";

4
pkgs/applications/version-management/gitlab/gitlab-pages/default.nix
View File

@ -2,14 +2,14 @@
buildGoModule rec {
pname = "gitlab-pages";
version = "16.7.0";
version = "16.7.2";
# nixpkgs-update: no auto update
src = fetchFromGitLab {
owner = "gitlab-org";
repo = "gitlab-pages";
rev = "v${version}";
hash = "sha256-8jODsK5+o1fEaTuFv6bXfZp4oA87JUQbTdYQn66DKJA=";
hash = "sha256-rUSZDsQt6faNES3ibzo7fJqpzEmXRbbTXOkhOn7jggA=";
};
vendorHash = "sha256-NMky8v0YmN2pSeKJ7G0+DWAZvUx2JlwFbqPHvciYroM=";

2
pkgs/applications/version-management/gitlab/gitlab-workhorse/default.nix
View File

@ -5,7 +5,7 @@ in
buildGoModule rec {
pname = "gitlab-workhorse";
version = "16.7.0";
version = "16.7.2";
# nixpkgs-update: no auto update
src = fetchFromGitLab {

2
pkgs/applications/version-management/gitlint/default.nix
View File

@ -17,8 +17,6 @@ python3.pkgs.buildPythonApplication rec {
hash = "sha256-4SGkkC4LjZXTDXwK6jMOIKXR1qX76CasOwSqv8XUrjs=";
};
SETUPTOOLS_SCM_PRETEND_VERSION = version;
# Upstream splitted the project into gitlint and gitlint-core to
# simplify the dependency handling
sourceRoot = "${src.name}/gitlint-core";

12
pkgs/applications/version-management/mercurial/default.nix
View File

@ -1,6 +1,8 @@
{ lib, stdenv, fetchurl, fetchpatch, python3Packages, makeWrapper, gettext, installShellFiles
, re2Support ? true
, rustSupport ? stdenv.hostPlatform.isLinux, cargo, rustPlatform, rustc
# depends on rust-cpython which won't support python312
# https://github.com/dgrunwald/rust-cpython/commit/e815555629e557be084813045ca1ddebc2f76ef9
, rustSupport ? (stdenv.hostPlatform.isLinux && python3Packages.pythonOlder "3.12"), cargo, rustPlatform, rustc
, fullBuild ? false
, gitSupport ? fullBuild
, guiSupport ? fullBuild, tk
@ -21,11 +23,11 @@ let
self = python3Packages.buildPythonApplication rec {
pname = "mercurial${lib.optionalString fullBuild "-full"}";
version = "6.5.3";
version = "6.6.1";
src = fetchurl {
url = "https://mercurial-scm.org/release/mercurial-${version}.tar.gz";
sha256 = "sha256-LNyB+t4SnPVrEoQXUn8ZC6cv13ZWc5TOVO7XZOZn59U=";
sha256 = "sha256-opRlo/5Ao+jUm6g0MTSsKrooa2g//rg42gz25FIflpU=";
};
format = "other";
@ -35,7 +37,7 @@ let
cargoDeps = if rustSupport then rustPlatform.fetchCargoTarball {
inherit src;
name = "mercurial-${version}";
sha256 = "sha256-ob81zMUY4AVNIbkFKyImnj7QhHTh7LVOCcGeZDtTAXc=";
sha256 = "sha256-wLV0qdCfMgGpZRxnZik/lRwZHm/66p0sJn/mYVRvRkQ=";
sourceRoot = "mercurial-${version}/rust";
} else null;
cargoRoot = if rustSupport then "rust" else null;
@ -43,7 +45,7 @@ let
propagatedBuildInputs = lib.optional re2Support fb-re2
++ lib.optional gitSupport pygit2
++ lib.optional highlightSupport pygments;
nativeBuildInputs = [ makeWrapper gettext installShellFiles ]
nativeBuildInputs = [ makeWrapper gettext installShellFiles python3Packages.setuptools ]
++ lib.optionals rustSupport [
rustPlatform.cargoSetupHook
cargo

3
pkgs/applications/video/deface/default.nix
View File

@ -42,9 +42,6 @@ python3.pkgs.buildPythonApplication rec {
substituteInPlace pyproject.toml requirements.txt --replace "opencv-python" "opencv"
'';
# Let setuptools know deface version
SETUPTOOLS_SCM_PRETEND_VERSION = "v${version}";
pythonImportsCheck = [ "deface" "onnx" "onnxruntime" ];
meta = with lib; {

6
pkgs/applications/video/frigate/default.nix
View File

@ -25,6 +25,12 @@ let
python = python3.override {
packageOverrides = self: super: {
pydantic = super.pydantic_1;
versioningit = super.versioningit.overridePythonAttrs {
# checkPhase requires pydantic>=2
doCheck = false;
};
};
};

6
pkgs/applications/video/handbrake/default.nix
View File

@ -10,6 +10,7 @@
{ stdenv
, lib
, fetchFromGitHub
, fetchpatch
# For tests
, testers
, runCommand
@ -135,6 +136,11 @@ let
"${src}/contrib/ffmpeg/A28-avcodec-amfenc-HDR-metadata.patch"
# This patch is not applying since ffmpeg 5.1.1, probably it was backported by upstream
# "${src}/contrib/ffmpeg/A30-svt-av1-backports.patch"
(fetchpatch {
name = "vulkan-remove-extensions.patch";
url = "https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff_plain/eb0455d64690";
hash = "sha256-qvLrb7b+9/bel8A2lZuSmBiJtHXsABw0Lvgn1ggnmCU=";
})
];
});

32
pkgs/applications/video/obs-studio/default.nix
View File

@ -2,10 +2,11 @@
, lib
, stdenv
, fetchFromGitHub
, fetchpatch
, addOpenGLRunpath
, cmake
, fdk_aac
, ffmpeg_4
, ffmpeg
, jansson
, libjack2
, libxkbcommon
@ -35,6 +36,7 @@
, libcef
, pciutils
, pipewireSupport ? stdenv.isLinux
, withFdk ? true
, pipewire
, libdrm
, libajantv2
@ -73,6 +75,25 @@ stdenv.mkDerivation (finalAttrs: {
# Lets obs-browser build against CEF 90.1.0+
./Enable-file-access-and-universal-access-for-file-URL.patch
./fix-nix-plugin-path.patch
# Backport ffmpeg 6.1 / GCC 13 build fixes
# FIXME: remove in next release
(fetchpatch {
url = "https://github.com/obsproject/obs-studio/commit/cd784644f5e82b9988043f229c19603289c6d32c.patch";
hash = "sha256-S4JE5kgr4x3uMHY2GRh0GBJpb7o/wYZb/v0CDITFNnQ=";
})
(fetchpatch {
url = "https://github.com/obsproject/obs-studio/commit/758b47d4ed9a25b8d64ad481d8d039990b9e57c9.patch";
hash = "sha256-jYpjwhx6e+dhN3kzbd6FcdjQ+WhIX0/BOu9PSkt+2yI=";
})
(fetchpatch {
url = "https://github.com/obsproject/obs-studio/commit/4b5be75c7e4b8cee908ed4a02fe0078285b4e8c9.patch";
hash = "sha256-tuOevhyxchwG42ilrplbiWoiDAKaY4HgzShlvp4VSQI=";
})
(fetchpatch {
url = "https://github.com/obsproject/obs-studio/commit/6e080a68067b27fe5463f0f4eee7df690451f3d7.patch";
hash = "sha256-nbn/q3uszoHaDvaW8Et1MS1sgQzMsJRmjGSMHzUxV70=";
})
];
nativeBuildInputs = [
@ -86,8 +107,7 @@ stdenv.mkDerivation (finalAttrs: {
buildInputs = [
curl
fdk_aac
ffmpeg_4
ffmpeg
jansson
libcef
libjack2
@ -118,7 +138,8 @@ stdenv.mkDerivation (finalAttrs: {
++ optionals scriptingSupport [ luajit python3 ]
++ optional alsaSupport alsa-lib
++ optional pulseaudioSupport libpulseaudio
++ optionals pipewireSupport [ pipewire libdrm ];
++ optionals pipewireSupport [ pipewire libdrm ]
++ optional withFdk fdk_aac;
# Copied from the obs-linuxbrowser
postUnpack = ''
@ -140,6 +161,7 @@ stdenv.mkDerivation (finalAttrs: {
"-DCEF_ROOT_DIR=../../cef"
"-DENABLE_JACK=ON"
(lib.cmakeBool "ENABLE_QSV11" stdenv.hostPlatform.isx86_64)
(lib.cmakeBool "ENABLE_LIBFDK" withFdk)
];
dontWrapGApps = true;
@ -178,7 +200,7 @@ stdenv.mkDerivation (finalAttrs: {
'';
homepage = "https://obsproject.com";
maintainers = with maintainers; [ jb55 MP2E materus fpletz ];
license = licenses.gpl2Plus;
license = with licenses; [ gpl2Plus ] ++ optional withFdk fraunhofer-fdk;
platforms = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
mainProgram = "obs";
};

4
pkgs/applications/virtualization/docker-slim/default.nix
View File

@ -2,13 +2,13 @@
buildGoModule rec {
pname = "docker-slim";
version = "1.40.7";
version = "1.40.8";
src = fetchFromGitHub {
owner = "slimtoolkit";
repo = "slim";
rev = version;
hash = "sha256-X+7FMdIotnafUEKQUrvxYgN4qGqbtVJaZD+V4/whylM=";
hash = "sha256-t02zshwSN+egKx+ySluvKK+BR4b0huuQW/BdjnCxOMU=";
};
vendorHash = null;

9
pkgs/applications/virtualization/kvmtool/default.nix
View File

@ -1,13 +1,12 @@
{ stdenv, fetchgit, lib, dtc }:
{ stdenv, fetchzip, lib, dtc }:
stdenv.mkDerivation {
pname = "kvmtool";
version = "unstable-2023-07-12";
src = fetchgit {
url = "https://git.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git";
rev = "106e2ea7756d980454d68631b87d5e25ba4e4881";
sha256 = "sha256-wpc5DfHnui0lBVH4uOq6a7pXVUZStjNLRvauu6QpRvE=";
src = fetchzip {
url = "https://git.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git/snapshot/kvmtool-106e2ea7756d980454d68631b87d5e25ba4e4881.tar.gz";
hash = "sha256-wpc5DfHnui0lBVH4uOq6a7pXVUZStjNLRvauu6QpRvE=";
};
patches = [ ./strlcpy-glibc-2.38-fix.patch ];

9
pkgs/applications/virtualization/rust-hypervisor-firmware/default.nix
View File

@ -1,8 +1,6 @@
{ lib
, fetchFromGitHub
, hostPlatform
, cargo
, rustc
, lld
}:
@ -24,12 +22,7 @@ let
};
};
# inherit (cross) rustPlatform;
# ^ breaks because we are doing a no_std embedded build with a custom sysroot,
# but the fast_cross rustc wrapper already passes a sysroot argument
rustPlatform = cross.makeRustPlatform {
inherit rustc cargo;
};
inherit (cross) rustPlatform;
in

115
pkgs/applications/window-managers/gamescope/default.nix
View File

@ -8,7 +8,6 @@
, vulkan-loader
, vulkan-headers
, wayland
, wayland-scanner
, wayland-protocols
, libxkbcommon
, glm
@ -16,11 +15,8 @@
, libcap
, SDL2
, pipewire
, udev
, pixman
, libinput
, seatd
, xwayland
, glslang
, hwdata
, openvr
@ -30,32 +26,51 @@
, libdisplay-info
, lib
, makeBinaryWrapper
, enableExecutable ? true
, enableWsi ? true
}:
let
pname = "gamescope";
version = "3.12.5";
vkroots = fetchFromGitHub {
joshShaders = fetchFromGitHub {
owner = "Joshua-Ashton";
repo = "vkroots";
rev = "26757103dde8133bab432d172b8841df6bb48155";
hash = "sha256-eet+FMRO2aBQJcCPOKNKGuQv5oDIrgdVPRO00c5gkL0=";
repo = "GamescopeShaders";
rev = "v0.1";
hash = "sha256-gR1AeAHV/Kn4ntiEDUSPxASLMFusV6hgSGrTbMCBUZA=";
};
in
stdenv.mkDerivation {
inherit pname version;
stdenv.mkDerivation (finalAttrs: {
pname = "gamescope";
version = "3.13.19";
src = fetchFromGitHub {
owner = "ValveSoftware";
repo = "gamescope";
rev = "refs/tags/${version}";
hash = "sha256-u4pnKd5ZEC3CS3E2i8E8Wposd8Tu4ZUoQXFmr0runwE=";
rev = "refs/tags/${finalAttrs.version}";
fetchSubmodules = true;
hash = "sha256-WKQgVbuHvTbZnvTU5imV35AKZ4AF0EDsdESBZwVH7+M=";
};
patches = [
# Unvendor dependencies
./use-pkgconfig.patch
# Make it look for shaders in the right place
./shaders-path.patch
];
# We can't substitute the patch itself because substituteAll is itself a derivation,
# so `placeholder "out"` ends up pointing to the wrong place
postPatch = ''
substituteInPlace src/reshade_effect_manager.cpp --replace "@out@" "$out"
'';
mesonFlags = [
(lib.mesonBool "enable_gamescope" enableExecutable)
(lib.mesonBool "enable_gamescope_wsi_layer" enableWsi)
];
# don't install vendored vkroots etc
mesonInstallFlags = ["--skip-subprojects"];
strictDeps = true;
depsBuildBuild = [
@ -66,70 +81,62 @@ stdenv.mkDerivation {
meson
pkg-config
ninja
wayland-scanner
glslang
] ++ lib.optionals enableExecutable [
makeBinaryWrapper
glslang
];
buildInputs = [
xorg.libXdamage
xorg.libXcomposite
xorg.libXrender
xorg.libXext
xorg.libXxf86vm
xorg.libXtst
xorg.libXres
xorg.libXi
xorg.libXmu
libdrm
libliftoff
vulkan-loader
vulkan-headers
SDL2
pipewire
hwdata
xorg.libX11
wayland
wayland-protocols
vulkan-loader
openvr
glm
] ++ lib.optionals enableWsi [
vulkan-headers
] ++ lib.optionals enableExecutable [
xorg.libXcomposite
xorg.libXcursor
xorg.libXdamage
xorg.libXext
xorg.libXi
xorg.libXmu
xorg.libXrender
xorg.libXres
xorg.libXtst
xorg.libXxf86vm
libdrm
libliftoff
SDL2
wlroots
xwayland
seatd
libinput
libxkbcommon
glm
gbenchmark
udev
pixman
pipewire
libcap
stb
hwdata
openvr
vkroots
libdisplay-info
];
outputs = [ "out" "lib" ];
postUnpack = ''
rm -rf source/subprojects/vkroots
ln -s ${vkroots} source/subprojects/vkroots
'';
# --debug-layers flag expects these in the path
postInstall = ''
postInstall = lib.optionalString enableExecutable ''
# --debug-layers flag expects these in the path
wrapProgram "$out/bin/gamescope" \
--prefix PATH : ${with xorg; lib.makeBinPath [xprop xwininfo]}
# Install Vulkan layer in lib output
install -d $lib/share/vulkan
mv $out/share/vulkan/implicit_layer.d $lib/share/vulkan
rm -r $out/share/vulkan
# Install ReShade shaders
mkdir -p $out/share/gamescope/reshade
cp -r ${joshShaders}/* $out/share/gamescope/reshade/
'';
meta = with lib; {
description = "SteamOS session compositing window manager";
homepage = "https://github.com/ValveSoftware/gamescope";
license = licenses.bsd2;
maintainers = with maintainers; [ nrdxp pedrohlc Scrumplex zhaofengli ];
maintainers = with maintainers; [ nrdxp pedrohlc Scrumplex zhaofengli k900 ];
platforms = platforms.linux;
mainProgram = "gamescope";
};
}
})

13
pkgs/applications/window-managers/gamescope/shaders-path.patch Normal file
View File

@ -0,0 +1,13 @@
diff --git a/src/reshade_effect_manager.cpp b/src/reshade_effect_manager.cpp
index 3597ca1..de45250 100644
--- a/src/reshade_effect_manager.cpp
+++ b/src/reshade_effect_manager.cpp
@@ -34,7 +34,7 @@ static std::string GetLocalUsrDir()
static std::string GetUsrDir()
{
- return "/usr";
+ return "@out@";
}
static LogScope reshade_log("gamescope_reshade");

6
pkgs/applications/window-managers/gamescope/use-pkgconfig.patch
View File

@ -1,11 +1,9 @@
diff --git a/meson.build b/meson.build
index 1311784..77043ac 100644
--- a/meson.build
+++ b/meson.build
@@ -6,7 +6,6 @@ project(
default_options: [
'cpp_std=c++14',
'cpp_std=c++20',
'warning_level=2',
- 'force_fallback_for=wlroots,libliftoff',
- 'force_fallback_for=wlroots,libliftoff,vkroots',
],
)

25
pkgs/build-support/bintools-wrapper/default.nix
View File

@ -33,6 +33,28 @@
, useMacosReexportHack ? false
, wrapGas ? false
# Note: the hardening flags are part of the bintools-wrapper, rather than
# the cc-wrapper, because a few of them are handled by the linker.
, defaultHardeningFlags ? with stdenvNoCC; [
"bindnow"
"format"
"fortify"
"fortify3"
"pic"
"relro"
"stackprotector"
"strictoverflow"
] ++ lib.optional (
# Musl-based platforms will keep "pie", other platforms will not.
# If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
# in the nixpkgs manual to inform users about the defaults.
targetPlatform.libc == "musl"
# Except when:
# - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
# - static armv7l, where compilation fails.
&& !(targetPlatform.isAarch && targetPlatform.isStatic)
) "pie"
# Darwin code signing support utilities
, postLinkSignHook ? null, signingUtils ? null
}:
@ -124,6 +146,8 @@ stdenv.mkDerivation {
(setenv "NIX_LDFLAGS_${suffixSalt}" (concat (getenv "NIX_LDFLAGS_${suffixSalt}") " -L" arg "/lib64"))))
'(${concatStringsSep " " (map (pkg: "\"${pkg}\"") pkgs)}))
'';
inherit defaultHardeningFlags;
};
dontBuild = true;
@ -380,6 +404,7 @@ stdenv.mkDerivation {
wrapperName = "BINTOOLS_WRAPPER";
inherit dynamicLinker targetPrefix suffixSalt coreutils_bin;
inherit bintools_bin libc_bin libc_dev libc_lib;
default_hardening_flags_str = builtins.toString defaultHardeningFlags;
};
meta =

2
pkgs/build-support/bintools-wrapper/setup-hook.sh
View File

@ -65,7 +65,7 @@ do
done
# If unset, assume the default hardening flags.
: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"}
: ${NIX_HARDENING_ENABLE="@default_hardening_flags_str@"}
export NIX_HARDENING_ENABLE
# No local scope in sourced file

Some files were not shown because too many files have changed in this diff Show More