From c5923af98669282886140478c6d83ddcdcf77a42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Tue, 29 Nov 2022 01:45:05 +0100 Subject: [PATCH 01/28] lib/systems/architectures: expand inferiors --- lib/systems/architectures.nix | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/lib/systems/architectures.nix b/lib/systems/architectures.nix
index ddc320d24e0a..04f48ccd5b9f 100644
--- a/lib/systems/architectures.nix
+++ b/lib/systems/architectures.nix
@@ -40,14 +40,21 @@ rec {
 # a superior CPU has all the features of an inferior and is able to build and test code for it
 inferiors = {
 # x86_64 Intel
+ # https://gcc.gnu.org/onlinedocs/gcc/x86-Options.html
 default = [ ];
 westmere = [ ];
- sandybridge = [ "westmere" ] ++ inferiors.westmere;
- ivybridge = [ "sandybridge" ] ++ inferiors.sandybridge;
- haswell = [ "ivybridge" ] ++ inferiors.ivybridge;
- broadwell = [ "haswell" ] ++ inferiors.haswell;
- skylake = [ "broadwell" ] ++ inferiors.broadwell;
- skylake-avx512 = [ "skylake" ] ++ inferiors.skylake;
+ sandybridge = [ "westmere" ] ++ inferiors.westmere;
+ ivybridge = [ "sandybridge" ] ++ inferiors.sandybridge;
+ haswell = [ "ivybridge" ] ++ inferiors.ivybridge;
+ broadwell = [ "haswell" ] ++ inferiors.haswell;
+ skylake = [ "broadwell" ] ++ inferiors.broadwell;
+ skylake-avx512 = [ "skylake" ] ++ inferiors.skylake;
+ cannonlake = [ "skylake-avx512" ] ++ inferiors.skylake-avx512;
+ icelake-client = [ "cannonlake" ] ++ inferiors.cannonlake;
+ icelake-server = [ "icelake-client" ] ++ inferiors.icelake-client;
+ cascadelake = [ "skylake-avx512" ] ++ inferiors.cannonlake;
+ cooperlake = [ "cascadelake" ] ++ inferiors.cascadelake;
+ tigerlake = [ "icelake-server" ] ++ inferiors.icelake-server;
 
 # x86_64 AMD
 # TODO: fill this (need testing)
From 030b1aae17a7c520ae648fa9e8c3621889d04014 Mon Sep 17 00:00:00 2001
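Review bot: The new `cascadelake` entry is inconsistent with the chain it sits in: it names `skylake-avx512` as its direct inferior but appends `inferiors.cannonlake`, which both duplicates `skylake-avx512` in the resulting list and classifies a Cascade Lake builder as able to run and test code built for `cannonlake` — a level that, per the GCC page linked in this hunk, adds AVX512-VBMI/IFMA and SHA that Cascade Lake lacks. `cooperlake` inherits the same error through `inferiors.cascadelake`. Per the same GCC list cascadelake extends skylake-avx512, so the line should read `cascadelake = [ "skylake-avx512" ] ++ inferiors.skylake-avx512;`. A short comment on the block, `# each entry appends only the inferiors of the predecessor it names`, would make the invariant these lines rely on explicit.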
From: "R. Ryantm" Date: Sat, 24 Dec 2022 15:26:06 +0000 Subject: [PATCH 02/28] scorecard: 4.8.0 -> 4.10.2 --- pkgs/tools/security/scorecard/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/security/scorecard/default.nix b/pkgs/tools/security/scorecard/default.nix index befc07e2e18d..d3295de5bad8 100644 --- a/pkgs/tools/security/scorecard/default.nix +++ b/pkgs/tools/security/scorecard/default.nix @@ -2,13 +2,13 @@ buildGoModule rec { pname = "scorecard"; - version = "4.8.0"; + version = "4.10.2"; src = fetchFromGitHub { owner = "ossf"; repo = pname; rev = "v${version}"; - sha256 = "sha256-LGxSiubZECNwoFkkJOySI4LOmwk7DXVtY74XBCsr+uk="; + sha256 = "sha256-GQs+wBq47sn3h8I87p+HErBmLMs8Dzh9xj3xMYDsXm4="; # populate values otherwise taken care of by goreleaser, # unfortunately these require us to use git. By doing # this in postFetch we can delete .git afterwards and @@ -22,7 +22,7 @@ buildGoModule rec { find "$out" -name .git -print0 | xargs -0 rm -rf ''; }; - vendorSha256 = "sha256-j8/sVdqxLmrvQwHn+uj8+q+ne98xcIeQKS1VQJcrkh0="; + vendorSha256 = "sha256-W213KQu4FuJcT/cJOvS+WMw1fXBcSoZ4yssI06JAIc8="; nativeBuildInputs = [ installShellFiles ]; From 79a301305be732d1bc294dcc18126f14f7ef5581 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Tue, 7 Feb 2023 17:25:15 +0100 Subject: [PATCH 03/28] nginx: remove with lib over entire file --- pkgs/servers/http/nginx/generic.nix | 40 ++++++++++++++--------------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/pkgs/servers/http/nginx/generic.nix b/pkgs/servers/http/nginx/generic.nix index 06fa12725674..f882b782bcc1 100644 --- a/pkgs/servers/http/nginx/generic.nix +++ b/pkgs/servers/http/nginx/generic.nix 
@@ -31,14 +31,12 @@ outer@{ lib, stdenv, fetchurl, fetchpatch, openssl, zlib, pcre, libxml2, libxslt , passthru ? { tests = {}; } }: -with lib; - let moduleNames = map (mod: mod.name or (throw "The nginx module with source ${toString mod.src} does not have a `name` attribute. This prevents duplicate module detection and is no longer supported.")) modules; - mapModules = attrPath: flip concatMap modules + mapModules = attrPath: lib.flip lib.concatMap modules (mod: let supports = mod.supports or (_: true); in @@ -47,8 +45,8 @@ let in -assert assertMsg (unique moduleNames == moduleNames) - "nginx: duplicate modules: ${concatStringsSep ", " moduleNames}. A common cause for this is that services.nginx.additionalModules adds a module which the nixos module itself already adds."; +assert lib.assertMsg (lib.unique moduleNames == moduleNames) + "nginx: duplicate modules: ${lib.concatStringsSep ", " moduleNames}. A common cause for this is that services.nginx.additionalModules adds a module which the nixos module itself already adds."; stdenv.mkDerivation { inherit pname version nginxVersion; 
@@ -94,37 +92,37 @@ stdenv.mkDerivation { "--http-fastcgi-temp-path=/tmp/nginx_fastcgi" "--http-uwsgi-temp-path=/tmp/nginx_uwsgi" "--http-scgi-temp-path=/tmp/nginx_scgi" - ] ++ optionals withDebug [ + ] ++ lib.optionals withDebug [ "--with-debug" - ] ++ optionals withKTLS [ + ] ++ lib.optionals withKTLS [ "--with-openssl-opt=enable-ktls" - ] ++ optionals withStream [ + ] ++ lib.optionals withStream [ "--with-stream" "--with-stream_realip_module" "--with-stream_ssl_module" "--with-stream_ssl_preread_module" - ] ++ optionals withMail [ + ] ++ lib.optionals withMail [ "--with-mail" "--with-mail_ssl_module" - ] ++ optionals withPerl [ + ] ++ lib.optionals withPerl [ "--with-http_perl_module" "--with-perl=${perl}/bin/perl" "--with-perl_modules_path=lib/perl5" - ] ++ optional withSlice "--with-http_slice_module" - ++ optional (gd != null) "--with-http_image_filter_module" - ++ optional (geoip != null) "--with-http_geoip_module" - ++ optional (withStream && geoip != null) "--with-stream_geoip_module" - ++ optional (with stdenv.hostPlatform; isLinux || isFreeBSD) "--with-file-aio" + ] ++ lib.optional withSlice "--with-http_slice_module" + ++ lib.optional (gd != null) "--with-http_image_filter_module" + ++ lib.optional (geoip != null) "--with-http_geoip_module" + ++ lib.optional (withStream && geoip != null) "--with-stream_geoip_module" + ++ lib.optional (with stdenv.hostPlatform; isLinux || isFreeBSD) "--with-file-aio" ++ configureFlags ++ map (mod: "--add-module=${mod.src}") modules; NIX_CFLAGS_COMPILE = toString ([ "-I${libxml2.dev}/include/libxml2" "-Wno-error=implicit-fallthrough" - ] ++ optionals (stdenv.cc.isGNU && lib.versionAtLeast stdenv.cc.version "11") [ + ] ++ lib.optionals (stdenv.cc.isGNU && lib.versionAtLeast stdenv.cc.version "11") [ # fix build vts module on gcc11 "-Wno-error=stringop-overread" - ] ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations"); + ] ++ lib.optional stdenv.isDarwin "-Wno-error=deprecated-declarations"); configurePlatforms 
= []; @@ -133,7 +131,7 @@ stdenv.mkDerivation { preConfigure = '' setOutputFlags= '' + preConfigure - + concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules; + + lib.concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules; patches = map fixPatch ([ (substituteAll { @@ -143,7 +141,7 @@ stdenv.mkDerivation { ''; }) ./nix-skip-check-logs-path.patch - ] ++ optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ + ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ (fetchpatch { url = "https://raw.githubusercontent.com/openwrt/packages/c057dfb09c7027287c7862afab965a4cd95293a3/net/nginx/patches/102-sizeof_test_fix.patch"; sha256 = "0i2k30ac8d7inj9l6bl0684kjglam2f68z8lf3xggcc2i5wzhh8a"; @@ -161,7 +159,7 @@ stdenv.mkDerivation { inherit postPatch; - hardeningEnable = optional (!stdenv.isDarwin) "pie"; + hardeningEnable = lib.optional (!stdenv.isDarwin) "pie"; enableParallelBuilding = true; @@ -186,7 +184,7 @@ stdenv.mkDerivation { } // passthru.tests; }; - meta = if meta != null then meta else { + meta = if meta != null then meta else with lib; { description = "A reverse proxy and lightweight webserver"; homepage = "http://nginx.org"; license = licenses.bsd2; From bae9dc42dcdfcc6fedae1a6c8a4dc423b6fadfed Mon Sep 17 00:00:00 2001 From: Adam Stephens Date: Fri, 10 Feb 2023 13:16:35 -0500 Subject: [PATCH 04/28] river: 0.2.3 -> 0.2.4 --- pkgs/applications/window-managers/river/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/window-managers/river/default.nix b/pkgs/applications/window-managers/river/default.nix index e86af9dad573..439030f34da3 100644 --- a/pkgs/applications/window-managers/river/default.nix +++ b/pkgs/applications/window-managers/river/default.nix 
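Review bot: The `meta` hunk reintroduces a `with lib;` scope (`meta = if meta != null then meta else with lib; {`) in the same commit whose subject is removing file-wide `with lib`, so `licenses.bsd2` and whatever attributes follow it still resolve through an implicit scope. For consistency with the rest of the change, drop the `with` and qualify the references, i.e. `meta = if meta != null then meta else {` together with `license = lib.licenses.bsd2;`; the remainder of the meta body lies outside this hunk and would need the same treatment. The `--with-file-aio` line in the earlier hunk likewise keeps a `with stdenv.hostPlatform; isLinux || isFreeBSD` scope that could be written `stdenv.hostPlatform.isLinux || stdenv.hostPlatform.isFreeBSD`.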
@@ -20,13 +20,13 @@ stdenv.mkDerivation rec { pname = "river"; - version = "0.2.3"; + version = "0.2.4"; src = fetchFromGitHub { owner = "riverwm"; repo = pname; rev = "refs/tags/v${version}"; - hash = "sha256-noZ2vo4J0cG3PN2k+2LzMc5WMtj0FEmMttE9obFH/tM="; + hash = "sha256-cIcO6owM6eYn+obYVaBOVQpnBx4++KOqQk5Hzo3GcNs="; fetchSubmodules = true; }; From 1645ebc882f17e0913aefafcedcafc7cbdb62fa2 Mon Sep 17 00:00:00 2001 From: Pol Dellaiera Date: Tue, 14 Feb 2023 10:38:08 +0100 Subject: [PATCH 05/28] soco-cli: 0.4.21 -> 0.4.55 --- pkgs/tools/audio/soco-cli/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/audio/soco-cli/default.nix b/pkgs/tools/audio/soco-cli/default.nix index 72e5323f60f3..068f916e4ef0 100644 --- a/pkgs/tools/audio/soco-cli/default.nix +++ b/pkgs/tools/audio/soco-cli/default.nix @@ -5,7 +5,7 @@ python3.pkgs.buildPythonApplication rec { pname = "soco-cli"; - version = "0.4.21"; + version = "0.4.55"; format = "setuptools"; disabled = python3.pythonOlder "3.6"; @@ -14,7 +14,7 @@ python3.pkgs.buildPythonApplication rec { owner = "avantrec"; repo = pname; rev = "v${version}"; - sha256 = "1kz2zx59gjfs01jiyzmps8j6yca06yqn6wkidvdk4s3izdm0rarw"; + sha256 = "sha256-zdu1eVtVBTYa47KjGc5fqKN6olxp98RoLGT2sNCfG9E="; }; propagatedBuildInputs = with python3.pkgs; [ From f7eba3716c09b53359c4d206f46e10ee9b2c78d7 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 14 Feb 2023 19:30:20 +0100 Subject: [PATCH 06/28] spidermonkey_102: 102.1.0 -> 102.8.0 https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/#CVE-2023-25735 Fixes: CVE-2023-25735 --- pkgs/development/interpreters/spidermonkey/102.nix | 4 ++-- .../interpreters/spidermonkey/common.nix | 13 ------------- 2 files changed, 2 insertions(+), 15 deletions(-) diff --git a/pkgs/development/interpreters/spidermonkey/102.nix b/pkgs/development/interpreters/spidermonkey/102.nix index ef89d1ca0a27..ff6808b13b0a 100644 
--- a/pkgs/development/interpreters/spidermonkey/102.nix
+++ b/pkgs/development/interpreters/spidermonkey/102.nix
@@ -1,4 +1,4 @@
 import ./common.nix {
- version = "102.1.0";
- hash = "sha512-JQW4fOQRVEVWjra32K9BZ4vXh/0H8/eenwoi2QzfdSrl1DcYVs+cVuLZ2n1bfDk53CqrV1P8wBc5jn1lJg9vAw==";
+ version = "102.8.0";
+ hash = "sha512-k+qHmXtmCIuUxulDtumemnHRkIRE0JbA9ltodtLFhOVf9hICZvOFH5hrZkvR8S+jEgawNHnCt1Hnw8oJesFCdQ==";
 }
diff --git a/pkgs/development/interpreters/spidermonkey/common.nix b/pkgs/development/interpreters/spidermonkey/common.nix
index 32a0ae2e7467..a4310b8f206f 100644
--- a/pkgs/development/interpreters/spidermonkey/common.nix
+++ b/pkgs/development/interpreters/spidermonkey/common.nix
@@ -62,19 +62,6 @@ stdenv.mkDerivation (finalAttrs: rec {
 # use pkg-config at all systems
 ./always-check-for-pkg-config.patch
 ./allow-system-s-nspr-and-icu-on-bootstrapped-sysroot.patch
-
- # Patches required by GJS
- # https://discourse.gnome.org/t/gnome-43-to-depend-on-spidermonkey-102/10658
- # Install ProfilingCategoryList.h
- (fetchpatch {
- url = "https://hg.mozilla.org/releases/mozilla-esr102/raw-rev/33147b91e42b79f4c6dd3ec11cce96746018407a";
- sha256 = "sha256-xJFJZMYJ6P11HQDZbr48GFgybpAeVcu3oLIFEyyMjBI=";
- })
- # Fix embeder build
- (fetchpatch {
- url = "https://hg.mozilla.org/releases/mozilla-esr102/raw-rev/1fa20fb474f5d149cc32d98df169dee5e6e6861b";
- sha256 = "sha256-eCisKjNxy9SLr9KoEE2UB26BflUknnR7PIvnpezsZeA=";
- })
 ] ++ lib.optionals (lib.versionAtLeast version "91" && stdenv.hostPlatform.system == "i686-linux") [
 # Fixes i686 build, https://bugzilla.mozilla.org/show_bug.cgi?id=1729459
 ./fix-float-i686.patch
From 2b4f446ee82c2962fe5a86c26675c6205f40754e Mon Sep 17 00:00:00 2001
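Review bot: The removal of the two GJS fetchpatches from common.nix is not explained anywhere; the commit message records only the CVE fix, so a reader of the history cannot tell whether these two ESR102 revisions (the ProfilingCategoryList.h install and the embedder build fix) are contained in 102.8.0 or were dropped for another reason. Add a sentence to the message, or a comment where the entries were, such as `# GJS patches removed: both ESR102 revisions are presumed part of 102.8.0 — TODO confirm against the release`. The patches list continues outside this hunk on both sides, so any other 102-specific entries that may also have been upstreamed are not visible here.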
From: Martin Weinelt Date: Tue, 14 Feb 2023 19:31:55 +0100 Subject: [PATCH 07/28] spidermonkey_91: 91.12.0 -> 91.13.0 Bringing the 91 release series to its final version. Did not check for changes, but this gives me closure. --- pkgs/development/interpreters/spidermonkey/91.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/interpreters/spidermonkey/91.nix b/pkgs/development/interpreters/spidermonkey/91.nix
index ca771fa75fd6..0ffa5fc287d5 100644
--- a/pkgs/development/interpreters/spidermonkey/91.nix
+++ b/pkgs/development/interpreters/spidermonkey/91.nix
@@ -1,4 +1,4 @@
 import ./common.nix {
- version = "91.12.0";
- hash = "sha512-Mj+3UkiLRYcrQPCw7h2MHf+haHTb/yr94ZpUKGyCTvSBdyM+Ap+ur6WUYYTnHDHGvFun7BelceIa9k/F9zNAQg==";
+ version = "91.13.0";
+ hash = "sha512-OLTMUt4h521gYea6F14cv9iIoWBwqpUfWkQoPy251+lPJQRiHw2nj+rG5xSRptDnA49j3QrhEtytcA6wLpqlFg==";
 }
From 14a114606a660e99feec27de917eec7e061201d4 Mon Sep 17 00:00:00 2001 From: Soner Sayakci Date: Tue, 14 Feb 2023 18:15:30 +0100 Subject: [PATCH 08/28] opensearch: init at 2.5.0 --- pkgs/servers/search/opensearch/default.nix | 51 +++++++++++++++++++ .../opensearch/opensearch-home-fix.patch | 26 ++++++++++ pkgs/top-level/all-packages.nix | 2 + 3 files changed, 79 insertions(+) create mode 100644 pkgs/servers/search/opensearch/default.nix create mode 100644 pkgs/servers/search/opensearch/opensearch-home-fix.patch
diff --git a/pkgs/servers/search/opensearch/default.nix b/pkgs/servers/search/opensearch/default.nix
new file mode 100644
index 000000000000..da1e739b4a2a
--- /dev/null
+++ b/pkgs/servers/search/opensearch/default.nix
@@ -0,0 +1,51 @@
+{ lib
+, stdenvNoCC
+, fetchurl
+, makeWrapper
+, jre_headless
+, util-linux
+, gnugrep
+, coreutils
+, autoPatchelfHook
+, zlib
+}:
+
+stdenvNoCC.mkDerivation rec {
+ pname = "opensearch";
+ version = "2.5.0";
+
+ src = fetchurl {
+ url = "https://artifacts.opensearch.org/releases/bundle/opensearch/${version}/opensearch-${version}-linux-x64.tar.gz";
+ hash = "sha256-WPD5StVBb/hK+kP/1wkQQBKRQma/uaP+8ULeIFUBL1U=";
+ };
+
+ nativeBuildInputs = [ makeWrapper ];
+ buildInputs = [ jre_headless util-linux ];
+ patches = [./opensearch-home-fix.patch ];
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p $out
+ cp -R bin config lib modules plugins $out
+
+ substituteInPlace $out/bin/opensearch \
+ --replace 'bin/opensearch-keystore' "$out/bin/opensearch-keystore"
+
+ wrapProgram $out/bin/opensearch \
+ --prefix PATH : "${lib.makeBinPath [ util-linux gnugrep coreutils ]}" \
+ --set JAVA_HOME "${jre_headless}"
+
+ wrapProgram $out/bin/opensearch-plugin --set JAVA_HOME "${jre_headless}"
+
+ runHook postInstall
+ '';
+
+ meta = {
+ description = "Open Source, Distributed, RESTful Search Engine";
+ homepage = "https://github.com/opensearch-project/OpenSearch";
+ license = lib.licenses.asl20;
+ platforms = lib.platforms.unix;
+ maintainers = with lib.maintainers; [ shyim ];
+ };
+}
diff --git a/pkgs/servers/search/opensearch/opensearch-home-fix.patch b/pkgs/servers/search/opensearch/opensearch-home-fix.patch
new file mode 100644
index 000000000000..25d0130d6d9b
--- /dev/null
+++ b/pkgs/servers/search/opensearch/opensearch-home-fix.patch
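Review bot: `platforms = lib.platforms.unix;` does not match the source, which is the `linux-x64` bundle fetched in `src`, so the package would be offered on darwin and aarch64 where its bundled native libraries cannot run; it should be `platforms = [ "x86_64-linux" ];`. `autoPatchelfHook` and `zlib` are taken as arguments but appear in neither `nativeBuildInputs` nor `buildInputs`, so either remove them or, if the bundle's native libraries are meant to be patched, actually add the hook. Only `bin/opensearch` and `bin/opensearch-plugin` receive `JAVA_HOME` through `wrapProgram`, while `bin/opensearch-keystore` — which `bin/opensearch` is rewritten to call by absolute path — is not wrapped; that presumably works only when it inherits the environment of the wrapped caller, so a third `wrapProgram $out/bin/opensearch-keystore --set JAVA_HOME "${jre_headless}"` or a comment stating the assumption is warranted.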
@@ -0,0 +1,26 @@
+diff -Naur a/bin/opensearch-env b/bin/opensearch-env
+--- a/bin/opensearch-env 2017-12-12 13:31:51.000000000 +0100
++++ b/bin/opensearch-env 2017-12-18 19:51:12.282809695 +0100
+@@ -19,18 +19,10 @@
+ fi
+ done
+ 
+-# determine OpenSearch home; to do this, we strip from the path until we find
+-# bin, and then strip bin (there is an assumption here that there is no nested
+-# directory under bin also named bin)
+-OPENSEARCH_HOME=`dirname "$SCRIPT"`
+-
+-# now make OPENSEARCH_HOME absolute
+-OPENSEARCH_HOME=`cd "$OPENSEARCH_HOME"; pwd`
+-
+-while [ "`basename "$OPENSEARCH_HOME"`" != "bin" ]; do
+- OPENSEARCH_HOME=`dirname "$OPENSEARCH_HOME"`
+-done
+-OPENSEARCH_HOME=`dirname "$OPENSEARCH_HOME"`
++if [ -z "$OPENSEARCH_HOME" ]; then
++ echo "You must set the OPENSEARCH_HOME var" >&2
++ exit 1
++fi
+ 
+ # now set the classpath
+ OPENSEARCH_CLASSPATH="$OPENSEARCH_HOME/lib/*"
\ No newline at end of file
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 8c5cae91ff1c..62eb435f0272 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -34812,6 +34812,8 @@ with pkgs; openrct2 = callPackage ../games/openrct2 { }; + opensearch = callPackage ../servers/search/opensearch { }; + osu-lazer = callPackage ../games/osu-lazer { }; osu-lazer-bin = callPackage ../games/osu-lazer/bin.nix { };
From d7eb44a4210e86e93002a5de90dd425ddef8e5d4 Mon Sep 17 00:00:00 2001 From: Soner Sayakci Date: Tue, 14 Feb 2023 18:15:42 +0100 Subject: [PATCH 09/28] nixos/opensearch: init module --- nixos/modules/module-list.nix | 1 + nixos/modules/services/search/opensearch.nix | 210 +++++++++++++++++++ 2 files changed, 211 insertions(+) create mode 100644 nixos/modules/services/search/opensearch.nix
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 74651efc0c5a..9ce78c9eb124 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
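Review bot: The replacement in `opensearch-home-fix.patch` turns a missing `OPENSEARCH_HOME` into a hard `exit 1`, and nothing in default.nix exports it, so every entry point of the package (`opensearch`, `opensearch-plugin`, the keystore script) fails with this message unless the caller sets it — a contract that is documented nowhere in the package. A comment above `patches = [./opensearch-home-fix.patch ];` along the lines of `# bin/opensearch-env no longer derives OPENSEARCH_HOME from the script location; the NixOS module points it at a writable copy of lib/modules/config, and direct users must export it themselves` would make the intent visible. The patch header carries 2017 timestamps and the file ends without a trailing newline, which is harmless but suggests it was adapted from an older patch rather than generated against the 2.5.0 bundle.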
@@ -1048,6 +1048,7 @@
 ./services/search/hound.nix
 ./services/search/kibana.nix
 ./services/search/meilisearch.nix
+ ./services/search/opensearch.nix
 ./services/search/solr.nix
 ./services/security/aesmd.nix
 ./services/security/certmgr.nix
diff --git a/nixos/modules/services/search/opensearch.nix b/nixos/modules/services/search/opensearch.nix
new file mode 100644
index 000000000000..17b8697d149c
--- /dev/null
+++ b/nixos/modules/services/search/opensearch.nix
@@ -0,0 +1,210 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.opensearch;
+
+ settingsFormat = pkgs.formats.yaml {};
+
+ configDir = cfg.dataDir + "/config";
+
+ opensearchYml = settingsFormat.generate "opensearch.yml" cfg.settings;
+
+ loggingConfigFilename = "log4j2.properties";
+ loggingConfigFile = pkgs.writeTextFile {
+ name = loggingConfigFilename;
+ text = cfg.logging;
+ };
+in
+{
+
+ options.services.opensearch = {
+ enable = mkEnableOption (lib.mdDoc "Whether to enable OpenSearch.");
+
+ package = lib.mkPackageOptionMD pkgs "OpenSearch package to use." {
+ default = [ "opensearch" ];
+ };
+
+ settings = lib.mkOption {
+ type = lib.types.submodule {
+ freeformType = settingsFormat.type;
+
+ options."network.host" = lib.mkOption {
+ type = lib.types.str;
+ default = "127.0.0.1";
+ description = lib.mdDoc ''
+ Which port this service should listen on.
+ '';
+ };
+
+ options."cluster.name" = lib.mkOption {
+ type = lib.types.str;
+ default = "opensearch";
+ description = lib.mdDoc ''
+ The name of the cluster.
+ '';
+ };
+
+ options."discovery.type" = lib.mkOption {
+ type = lib.types.str;
+ default = "single-node";
+ description = lib.mdDoc ''
+ The type of discovery to use.
+ '';
+ };
+
+ options."http.port" = lib.mkOption {
+ type = lib.types.port;
+ default = 9200;
+ description = lib.mdDoc ''
+ The port to listen on for HTTP traffic.
+ '';
+ };
+
+ options."transport.port" = lib.mkOption {
+ type = lib.types.port;
+ default = 9300;
+ description = lib.mdDoc ''
+ The port to listen on for transport traffic.
+ '';
+ };
+ };
+
+ default = {};
+
+ description = lib.mdDoc ''
+ OpenSearch configuration.
+ '';
+ };
+
+ logging = lib.mkOption {
+ description = lib.mdDoc "opensearch logging configuration.";
+
+ default = ''
+ logger.action.name = org.opensearch.action
+ logger.action.level = info
+
+ appender.console.type = Console
+ appender.console.name = console
+ appender.console.layout.type = PatternLayout
+ appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n
+
+ rootLogger.level = info
+ rootLogger.appenderRef.console.ref = console
+ '';
+ type = types.str;
+ };
+
+ dataDir = lib.mkOption {
+ type = lib.types.path;
+ default = "/var/lib/opensearch";
+ description = lib.mdDoc ''
+ Data directory for opensearch.
+ '';
+ };
+
+ extraCmdLineOptions = lib.mkOption {
+ description = lib.mdDoc "Extra command line options for the opensearch launcher.";
+ default = [ ];
+ type = lib.types.listOf lib.types.str;
+ };
+
+ extraJavaOptions = lib.mkOption {
+ description = lib.mdDoc "Extra command line options for Java.";
+ default = [ ];
+ type = lib.types.listOf lib.types.str;
+ example = [ "-Djava.net.preferIPv4Stack=true" ];
+ };
+
+ restartIfChanged = lib.mkOption {
+ type = lib.types.bool;
+ description = lib.mdDoc ''
+ Automatically restart the service on config change.
+ This can be set to false to defer restarts on a server or cluster.
+ Please consider the security implications of inadvertently running an older version,
+ and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.
+ '';
+ default = true;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.opensearch = {
+ description = "OpenSearch Daemon";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ path = [ pkgs.inetutils ];
+ inherit (cfg) restartIfChanged;
+ environment = {
+ OPENSEARCH_HOME = cfg.dataDir;
+ OPENSEARCH_JAVA_OPTS = toString cfg.extraJavaOptions;
+ OPENSEARCH_PATH_CONF = configDir;
+ };
+ serviceConfig = {
+ ExecStart = "${cfg.package}/bin/opensearch ${toString cfg.extraCmdLineOptions}";
+ User = "opensearch";
+ Group = "opensearch";
+ StateDirectory = cfg.dataDir;
+ StateDirectoryMode = "0700";
+ PermissionsStartOnly = true;
+ LimitNOFILE = "1024000";
+ Restart = "always";
+ TimeoutStartSec = "infinity";
+ };
+ preStart = optionalString (!config.boot.isContainer) ''
+ # Only set vm.max_map_count if lower than ES required minimum
+ # This avoids conflict if configured via boot.kernel.sysctl
+ if [ $(${pkgs.procps}/bin/sysctl -n vm.max_map_count) -lt 262144 ]; then
+ ${pkgs.procps}/bin/sysctl -w vm.max_map_count=262144
+ fi
+ '' + ''
+ mkdir -m 0700 -p ${cfg.dataDir}
+
+ # Install plugins
+ ln -sfT ${cfg.package}/lib ${cfg.dataDir}/lib
+ ln -sfT ${cfg.package}/modules ${cfg.dataDir}/modules
+
+ # opensearch needs to create the opensearch.keystore in the config directory
+ # so this directory needs to be writable.
+ mkdir -m 0700 -p ${configDir}
+
+ # Note that we copy config files from the nix store instead of symbolically linking them
+ # because otherwise X-Pack Security will raise the following exception:
+ # java.security.AccessControlException:
+ # access denied ("java.io.FilePermission" "/var/lib/opensearch/config/opensearch.yml" "read")
+
+ cp ${opensearchYml} ${configDir}/opensearch.yml
+ # Make sure the logging configuration for old opensearch versions is removed:
+ rm -f "${configDir}/logging.yml"
+ cp ${loggingConfigFile} ${configDir}/${loggingConfigFilename}
+ mkdir -p ${configDir}/scripts
+ cp ${cfg.package}/config/jvm.options ${configDir}/jvm.options
+ # redirect jvm logs to the data directory
+ mkdir -m 0700 -p ${cfg.dataDir}/logs
+ sed -e '#logs/gc.log#${cfg.dataDir}/logs/gc.log#' -i ${configDir}/jvm.options \
+
+ if [ "$(id -u)" = 0 ]; then chown -R opensearch:opensearch ${cfg.dataDir}; fi
+ '';
+ postStart = ''
+ # Make sure opensearch is up and running before dependents
+ # are started
+ while ! ${pkgs.curl}/bin/curl -sS -f http://${cfg.settings."network.host"}:${toString cfg.settings."http.port"} 2>/dev/null; do
+ sleep 1
+ done
+ '';
+ };
+
+ environment.systemPackages = [ cfg.package ];
+
+ users = {
+ groups.opensearch = {};
+ users.opensearch = {
+ description = "OpenSearch daemon user";
+ home = cfg.dataDir;
+ group = "opensearch";
+ isSystemUser = true;
+ };
+ };
+ };
+}
From 4561785dfc6f454ce4df116a212f9282be76a164 Mon Sep 17 00:00:00 2001 From: Soner Sayakci Date: Tue, 14 Feb 2023 18:16:11 +0100 Subject: [PATCH 10/28] nixos/tests/opensearch: init --- nixos/tests/all-tests.nix | 1 + nixos/tests/opensearch.nix | 19 +++++++++++++++++++ pkgs/servers/search/opensearch/default.nix | 3 +++ 3 files changed, 23 insertions(+) create mode 100644 nixos/tests/opensearch.nix
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index ced2687ed9a4..4e8334622f83 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
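Review bot: `StateDirectory = cfg.dataDir;` hands systemd an absolute path, but `StateDirectory=` takes directory names relative to `/var/lib`, so with the default it should be `StateDirectory = "opensearch";` (preStart creates and chowns the directory itself, so dropping the directive is the other option). The block commented `# Install plugins` links only `lib` and `modules` into `cfg.dataDir`, which is also `OPENSEARCH_HOME`; since the patched `opensearch-env` resolves `lib` under that directory, the package's `plugins` directory is presumably never found by the node, which would mean the bundle's security plugin is not loaded and the HTTP port is served without authentication — either add `ln -sfT ${cfg.package}/plugins ${cfg.dataDir}/plugins` or state in the module documentation that the service runs without the security plugin, which is what makes the `127.0.0.1` default for `network.host` important. The `sed -e '#logs/gc.log#${cfg.dataDir}/logs/gc.log#'` expression has no `s` command (a leading `#` is a sed comment), so gc.log is never redirected; it should read `sed -e 's#logs/gc.log#${cfg.dataDir}/logs/gc.log#' -i ${configDir}/jvm.options`. `settings` is rendered into the world-readable Nix store by `settingsFormat.generate` before being copied into `configDir`, so its description should say that credentials must not be placed there. Two documentation slips: `mkEnableOption` already prefixes "Whether to enable", so its argument should be just `"OpenSearch"`, and the `network.host` description says "Which port this service should listen on." although the option is the bind address.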
@@ -490,6 +490,7 @@ in {
 ombi = handleTest ./ombi.nix {};
 openarena = handleTest ./openarena.nix {};
 openldap = handleTest ./openldap.nix {};
+ opensearch = handleTest ./opensearch.nix {};
 openresty-lua = handleTest ./openresty-lua.nix {};
 opensmtpd = handleTest ./opensmtpd.nix {};
 opensmtpd-rspamd = handleTest ./opensmtpd-rspamd.nix {};
diff --git a/nixos/tests/opensearch.nix b/nixos/tests/opensearch.nix
new file mode 100644
index 000000000000..db63c2e053f5
--- /dev/null
+++ b/nixos/tests/opensearch.nix
@@ -0,0 +1,19 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+ name = "opensearch";
+ meta.maintainers = with pkgs.lib.maintainers; [ shyim ];
+
+ nodes.machine = {
+ virtualisation.memorySize = 2048;
+ services.opensearch.enable = true;
+ };
+
+ testScript = ''
+ machine.start()
+ machine.wait_for_unit("opensearch.service")
+ machine.wait_for_open_port(9200)
+
+ machine.succeed(
+ "curl --fail localhost:9200"
+ )
+ '';
+})
diff --git a/pkgs/servers/search/opensearch/default.nix b/pkgs/servers/search/opensearch/default.nix
index da1e739b4a2a..cf03d1939d9f 100644
--- a/pkgs/servers/search/opensearch/default.nix
+++ b/pkgs/servers/search/opensearch/default.nix
@@ -8,6 +8,7 @@
 , coreutils
 , autoPatchelfHook
 , zlib
+, nixosTests
 }:
 
 stdenvNoCC.mkDerivation rec {
@@ -41,6 +42,8 @@ stdenvNoCC.mkDerivation rec {
 runHook postInstall
 '';
 
+ passthru.tests = { inherit (nixosTests) opensearch; };
+
 meta = {
 description = "Open Source, Distributed, RESTful Search Engine";
 homepage = "https://github.com/opensearch-project/OpenSearch";
From 8b84a720e87fe30f992fcee9ba9ae4b5f5588b91 Mon Sep 17 00:00:00 2001 From: Soner Sayakci Date: Tue, 14 Feb 2023 20:06:05 +0000 Subject: [PATCH 11/28] nixos/doc: add release note for opensearch --- nixos/doc/manual/release-notes/rl-2305.section.md | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 8af1753bb781..0a34dabd8217 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -36,6 +36,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [imaginary](https://github.com/h2non/imaginary), a microservice for high-level image processing that Nextcloud can use to generate previews. Available as [services.imaginary](#opt-services.imaginary.enable). +- [opensearch](https://opensearch.org), a search server alternative to Elasticsearch. Available as [services.opensearch](options.html#opt-services.opensearch.enable). + - [goeland](https://github.com/slurdge/goeland), an alternative to rss2email written in golang with many filters. Available as [services.goeland](#opt-services.goeland.enable). - [atuin](https://github.com/ellie/atuin), a sync server for shell history. Available as [services.atuin](#opt-services.atuin.enable). From 36c3acef215191c09d5be2cac30096e6d127ce38 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 15 Feb 2023 01:25:55 +0100 Subject: [PATCH 12/28] microcodeIntel: 20221108 -> 20230214 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230214 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00767.html Fixes: CVE-2022-38090 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00738.html Fixes: CVE-2022-33196 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00700.html Fixes: CVE-2022-21216 --- pkgs/os-specific/linux/microcode/intel.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/microcode/intel.nix b/pkgs/os-specific/linux/microcode/intel.nix index 3683522f04f9..83ad98d1b1d2 100644 --- a/pkgs/os-specific/linux/microcode/intel.nix +++ b/pkgs/os-specific/linux/microcode/intel.nix 
@@ -2,13 +2,13 @@ stdenv.mkDerivation rec { pname = "microcode-intel"; - version = "20221108"; + version = "20230214"; src = fetchFromGitHub { owner = "intel"; repo = "Intel-Linux-Processor-Microcode-Data-Files"; rev = "microcode-${version}"; - hash = "sha256-JZbBrD3fHgJogDw4u2YggDX7OCXCu5/XEZKzHuVJR9k="; + hash = "sha256-SwdE1c7OEg5nncs5QqaTKCL77KddeHw7ZilctQ4L9RA="; }; nativeBuildInputs = [ iucode-tool libarchive ]; From 551245d6c4636862f91ba4a0e94b8120b7e8d4d4 Mon Sep 17 00:00:00 2001 From: Alexander Bantyev Date: Mon, 13 Feb 2023 19:09:35 +0400 Subject: [PATCH 13/28] plasma-mobile/qmlkonsole: init at 23.01.0 --- pkgs/applications/plasma-mobile/default.nix | 1 + .../applications/plasma-mobile/qmlkonsole.nix | 42 +++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 pkgs/applications/plasma-mobile/qmlkonsole.nix diff --git a/pkgs/applications/plasma-mobile/default.nix b/pkgs/applications/plasma-mobile/default.nix index 86a4f1d10071..9efbaa603395 100644 --- a/pkgs/applications/plasma-mobile/default.nix +++ b/pkgs/applications/plasma-mobile/default.nix @@ -78,6 +78,7 @@ let plasma-phonebook = callPackage ./plasma-phonebook.nix {}; plasma-settings = callPackage ./plasma-settings.nix {}; plasmatube = callPackage ./plasmatube {}; + qmlkonsole = callPackage ./qmlkonsole.nix {}; spacebar = callPackage ./spacebar.nix { inherit srcs; }; tokodon = callPackage ./tokodon.nix {}; }; diff --git a/pkgs/applications/plasma-mobile/qmlkonsole.nix b/pkgs/applications/plasma-mobile/qmlkonsole.nix new file mode 100644 index 000000000000..da892fb47c0e --- /dev/null +++ b/pkgs/applications/plasma-mobile/qmlkonsole.nix 
@@ -0,0 +1,42 @@
+{ lib
+, mkDerivation
+
+, cmake
+, extra-cmake-modules
+
+, kconfig
+, ki18n
+, kirigami-addons
+, kirigami2
+, kcoreaddons
+, qtquickcontrols2
+, kwindowsystem
+, qmltermwidget
+}:
+
+mkDerivation {
+ pname = "qmlkonsole";
+
+ nativeBuildInputs = [
+ cmake
+ extra-cmake-modules
+ ];
+
+ buildInputs = [
+ kconfig
+ ki18n
+ kirigami-addons
+ kirigami2
+ qtquickcontrols2
+ kcoreaddons
+ kwindowsystem
+ qmltermwidget
+ ];
+
+ meta = with lib; {
+ description = "Terminal app for Plasma Mobile";
+ homepage = "https://invent.kde.org/plasma-mobile/qmlkonsole";
+ license = with licenses; [ gpl2Plus gpl3Plus cc0 ];
+ maintainers = with maintainers; [ balsoft ];
+ };
+}
From c5edb111ae86d707134138f16587da19d9c55fd8 Mon Sep 17 00:00:00 2001
From: "R. Ryantm"
Date: Wed, 15 Feb 2023 05:58:54 +0000
Subject: [PATCH 14/28] tbls: 1.61.0 -> 1.62.0
---
 pkgs/tools/misc/tbls/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/tools/misc/tbls/default.nix b/pkgs/tools/misc/tbls/default.nix
index 36c69bc4989b..bca16be194f1 100644
--- a/pkgs/tools/misc/tbls/default.nix
+++ b/pkgs/tools/misc/tbls/default.nix
@@ -7,13 +7,13 @@
 buildGoModule rec {
 pname = "tbls";
- version = "1.61.0";
+ version = "1.62.0";
 src = fetchFromGitHub {
 owner = "k1LoW";
 repo = "tbls";
 rev = "v${version}";
- hash = "sha256-yXD/LILWaXtjd3etdWINglZtvIYE6i6qmCSR3FUUQeM=";
+ hash = "sha256-T2zmgGbhWvqaor76mQuQ1O5bF+eGVaH6N4w17iyNhwU=";
 };
 vendorHash = "sha256-AeaTAjo1wRl7Ymg/fyoijaa9UXf9SiNR447WJtZeN5o=";
From 88128a0d86d74be43afe2740307e0d45af2b9539 Mon Sep 17 00:00:00 2001
From: "R. Ryantm"
Date: Wed, 15 Feb 2023 07:54:17 +0000
Subject: [PATCH 15/28] python310Packages.google-cloud-pubsub: 2.14.0 -> 2.14.1
---
 .../python-modules/google-cloud-pubsub/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
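Review bot: `meta` in the new qmlkonsole.nix sets no `platforms`, so the package is treated as buildable everywhere although its Qt/KDE inputs only make sense on Linux; `platforms = platforms.linux;` next to `maintainers` would close that. The derivation declares `pname` but neither `version` nor `src`, which presumably are injected by the `mkDerivation` wrapper this directory's default.nix passes in from its shared sources set — a one-line comment such as `# version and src come from the plasma-mobile mkDerivation wrapper` would save the next reader the lookup. The three-entry license list `[ gpl2Plus gpl3Plus cc0 ]` is given without saying which parts of the tree each covers; a short comment would make it auditable against upstream.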
diff --git a/pkgs/development/python-modules/google-cloud-pubsub/default.nix b/pkgs/development/python-modules/google-cloud-pubsub/default.nix
index 26446cc412e5..cefa183916a6 100644
--- a/pkgs/development/python-modules/google-cloud-pubsub/default.nix
+++ b/pkgs/development/python-modules/google-cloud-pubsub/default.nix
@@ -16,14 +16,14 @@
 buildPythonPackage rec {
 pname = "google-cloud-pubsub";
- version = "2.14.0";
+ version = "2.14.1";
 format = "setuptools";
 disabled = pythonOlder "3.7";
 src = fetchPypi {
 inherit pname version;
- hash = "sha256-4nFPB7dQRYvq9bB7Zw6ntgWO4VXAIcmH0LjmpAvzRG8=";
+ hash = "sha256-KLPGICGwT3j5FYwVfb/K6+n/tQTt0pda0PIo6/AgTG8=";
 };
 propagatedBuildInputs = [
From 016bfaf3026ecc096360c78f93ae9d046839e1d7 Mon Sep 17 00:00:00 2001
From: "R. Ryantm"
Date: Wed, 15 Feb 2023 10:59:04 +0000
Subject: [PATCH 16/28] numix-icon-theme-circle: 23.02.05 -> 23.02.12
---
 pkgs/data/icons/numix-icon-theme-circle/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/data/icons/numix-icon-theme-circle/default.nix b/pkgs/data/icons/numix-icon-theme-circle/default.nix
index 0f81ab04264e..91d3426f016a 100644
--- a/pkgs/data/icons/numix-icon-theme-circle/default.nix
+++ b/pkgs/data/icons/numix-icon-theme-circle/default.nix
@@ -2,13 +2,13 @@
 stdenvNoCC.mkDerivation rec {
 pname = "numix-icon-theme-circle";
- version = "23.02.05";
+ version = "23.02.12";
 src = fetchFromGitHub {
 owner = "numixproject";
 repo = pname;
 rev = version;
- sha256 = "sha256-wS7GAfrzJ2/BvfoBZ7YR/X5j/ND4o7shf08dgk9GBkA=";
+ sha256 = "sha256-gQdVmF7ZzC+KjU0uQW6+sEw9Wz5940G60ebXqKHajuY=";
 };
 nativeBuildInputs = [ gtk3 ];
From 5ef2ffc6c9ff40f9a18fee2d17cc7c1f2f1b4f55 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Wed, 15 Feb 2023 11:55:26 +0100
Subject: [PATCH 17/28] esphome: 2022.12.8 -> 2023.2.0

https://github.com/esphome/esphome/releases/tag/2023.2.0
---
 pkgs/tools/misc/esphome/dashboard.nix | 4 ++--
 pkgs/tools/misc/esphome/default.nix | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkgs/tools/misc/esphome/dashboard.nix b/pkgs/tools/misc/esphome/dashboard.nix
index 04abea26cabc..b9b5bfcc021b 100644
--- a/pkgs/tools/misc/esphome/dashboard.nix
+++ b/pkgs/tools/misc/esphome/dashboard.nix
@@ -5,12 +5,12 @@
 buildPythonPackage rec {
 pname = "esphome-dashboard";
- version = "20221213.0";
+ version = "20230214.0";
 format = "setuptools";
 src = fetchPypi {
 inherit pname version;
- hash = "sha256-LwP+LBHzEWjPUih6aaZnI7Yh85vsa1Md1YgBWkLOUIs=";
+ hash = "sha256-TfQIvvLLsYubLbai2RNJkCu96nYFEWbdZU8WaJbpUwU=";
 };
 # no tests
diff --git a/pkgs/tools/misc/esphome/default.nix b/pkgs/tools/misc/esphome/default.nix
index 848a1c1dbb56..410dede6387c 100644
--- a/pkgs/tools/misc/esphome/default.nix
+++ b/pkgs/tools/misc/esphome/default.nix
@@ -16,14 +16,14 @@ let
 in python.pkgs.buildPythonApplication rec {
 pname = "esphome";
- version = "2022.12.8";
+ version = "2023.2.0";
 format = "setuptools";
 src = fetchFromGitHub {
 owner = pname;
 repo = pname;
 rev = "refs/tags/${version}";
- hash = "sha256-VKxCdejQGWLYeNOxa1PCwhdrLilnsYD9UBqj8Sen+OM=";
+ hash = "sha256-WoQ7mAtkv7By738bW1/oCurKEpHQKlqZkQ6D/b4zAes=";
 };
 postPatch = ''
From d7e04271d5fcc702f5f8b0d6f0ca0d8a9babae5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?PedroHLC=20=E2=98=AD?=
Date: Wed, 15 Feb 2023 09:23:47 -0300
Subject: [PATCH 18/28] linuxKernel.kernels.linux_lqx: 6.1.10-lqx1 -> 6.1.12-lqx1
---
 pkgs/os-specific/linux/kernel/zen-kernels.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/zen-kernels.nix b/pkgs/os-specific/linux/kernel/zen-kernels.nix
index 3610fe38f50d..4ca66b004b24 100644
--- a/pkgs/os-specific/linux/kernel/zen-kernels.nix
+++ b/pkgs/os-specific/linux/kernel/zen-kernels.nix
@@ -11,9 +11,9 @@ let
 };
 # ./update-zen.py lqx
 lqxVariant = {
- version = "6.1.10"; #lqx
+ version = "6.1.12"; #lqx
 suffix = "lqx1"; #lqx
- sha256 = "1ka94z0wvq90vfzd4ncjrzk5xcb5gvaldaph7mc25jxgh6pal822"; #lqx
+ sha256 = "0a6slrydf47hk4b3xlxycjw9y2xgjgvzjic2psbcb1c5y75zq720"; #lqx
 isLqx = true;
 };
 zenKernelsFor = { version, suffix, sha256, isLqx }: buildLinux (args // {
From bc12cf5976f682bfada4a780d4209202fa514512 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?PedroHLC=20=E2=98=AD?=
Date: Wed, 15 Feb 2023 09:25:17 -0300
Subject: [PATCH 19/28] linuxKernel.kernels.linux_zen: 6.1.10-zen1 -> 6.1.12-zen1
---
 pkgs/os-specific/linux/kernel/zen-kernels.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/zen-kernels.nix b/pkgs/os-specific/linux/kernel/zen-kernels.nix
index 4ca66b004b24..2745cd780fce 100644
--- a/pkgs/os-specific/linux/kernel/zen-kernels.nix
+++ b/pkgs/os-specific/linux/kernel/zen-kernels.nix
@@ -4,9 +4,9 @@ let
 # comments with variant added for update script
 # ./update-zen.py zen
 zenVariant = {
- version = "6.1.10"; #zen
+ version = "6.1.12"; #zen
 suffix = "zen1"; #zen
- sha256 = "0dfn449v3lzz1clxbsypakd0sfii9iycy1hq9x52fr9xf8wy3cxk"; #zen
+ sha256 = "16g0rkgmxbj4425mbnadam7vbd8621ar13ddx26j298bc9m8yqic"; #zen
 isLqx = false;
 };
 # ./update-zen.py lqx
From c5a0a5ac5e205458224755ae194f768f2a8e6d8f Mon Sep 17 00:00:00 2001
From: sternenseemann
Date: Wed, 15 Feb 2023 13:51:06 +0100
Subject: [PATCH 20/28] curl: add pkg-config metadata for libcurl.pc

I did not add the validatePkgConfig setup hook to curl, as I suspect it may cause trouble when bootstrapping.
---
 doc/languages-frameworks/pkg-config.section.md | 2 +-
 pkgs/tools/networking/curl/default.nix | 3 +++
 pkgs/top-level/pkg-config/pkg-config-data.json | 5 +++++
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/doc/languages-frameworks/pkg-config.section.md b/doc/languages-frameworks/pkg-config.section.md
index eecc84b4c1aa..fb6fee997d6f 100644
--- a/doc/languages-frameworks/pkg-config.section.md
+++ b/doc/languages-frameworks/pkg-config.section.md
@@ -6,7 +6,7 @@ Nixpkgs provides a couple of facilities for working with this tool.
 ## Writing packages providing pkg-config modules
-Packages should set `meta.pkgConfigProvides` with the list of package config modules they provide.
+Packages should set `meta.pkgConfigModules` with the list of package config modules they provide.
 They should also use `testers.testMetaPkgConfig` to check that the final built package matches that list.
 Additionally, the [`validatePkgConfig` setup hook](https://nixos.org/manual/nixpkgs/stable/#validatepkgconfig), will do extra checks on to-be-installed pkg-config modules.
diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix
index 311e9e1b8c76..b91e7733ab23 100644
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@@ -33,6 +33,7 @@
 , phpExtensions
 , python3
 , tests
+ , testers
 , fetchpatch
 }:
@@ -178,6 +179,7 @@ stdenv.mkDerivation (finalAttrs: {
 # Additional checking with support http3 protocol.
 # nginx-http3 = useThisCurl nixosTests.nginx-http3;
 nginx-http3 = nixosTests.nginx-http3;
+ pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
 };
 };
@@ -189,5 +191,6 @@ stdenv.mkDerivation (finalAttrs: {
 platforms = platforms.all;
 # Fails to link against static brotli or gss
 broken = stdenv.hostPlatform.isStatic && (brotliSupport || gssSupport);
+ pkgConfigModules = [ "libcurl" ];
 };
 })
diff --git a/pkgs/top-level/pkg-config/pkg-config-data.json b/pkgs/top-level/pkg-config/pkg-config-data.json
index 61ed9098b919..758986390b22 100644
--- a/pkgs/top-level/pkg-config/pkg-config-data.json
+++ b/pkgs/top-level/pkg-config/pkg-config-data.json
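Review bot: The reason `validatePkgConfig` is deliberately left out of curl exists only in the commit message, while the new `pkgConfigModules = [ "libcurl" ];` line in the `@@ -189,5 +191,6 @@` hunk is where the next maintainer will look for it; a comment next to that line, `# validatePkgConfig is intentionally not added: curl is part of the bootstrap chain and the hook may break it there`, keeps the decision with the code. The same comment should note that `pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;` in the `@@ -178,6 +179,7 @@` hunk only cross-checks the module list against the built output, whereas the doc hunk describes the hook as doing extra checks on the installed .pc files, so the passthru test is not equivalent coverage. The enclosing `stdenv.mkDerivation (finalAttrs: {` expression starts and ends outside these hunks.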
@@ -445,6 +445,11 @@
 "openssl"
 ]
 },
+ "libcurl": {
+ "attrPath": [
+ "curl"
+ ]
+ },
 "libecpg": {
 "attrPath": [
 "postgresql"
From 30e36d2e82c33cab87f1f50f4e66e1930942690f Mon Sep 17 00:00:00 2001
From: K900
Date: Tue, 14 Feb 2023 21:51:57 +0300
Subject: [PATCH 21/28] linux: 5.15.93 -> 5.15.94
---
 pkgs/os-specific/linux/kernel/linux-5.15.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/linux-5.15.nix b/pkgs/os-specific/linux/kernel/linux-5.15.nix
index f7ffc7c06669..394883e2de1e 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.15.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.15.nix
@@ -3,7 +3,7 @@ with lib;
 buildLinux (args // rec {
- version = "5.15.93";
+ version = "5.15.94";
 # modDirVersion needs to be x.y.z, will automatically add .0 if needed
 modDirVersion = versions.pad 3 version;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 src = fetchurl {
 url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
- sha256 = "1baxkkd572110p95ah1wv0b4i2hfbkf8vyncb08y3w0bd7r29vg7";
+ sha256 = "0wjsqvhp0jnisypb8yw6dncyp5k7zxbhjivh7jqivpsdwvdp14ns";
 };
 } // (args.argsOverride or { }))
From 6ee2f048f2e18d77afcc1e3f4c830573c21e29fd Mon Sep 17 00:00:00 2001
From: K900
Date: Tue, 14 Feb 2023 21:52:02 +0300
Subject: [PATCH 22/28] linux: 6.1.11 -> 6.1.12
---
 pkgs/os-specific/linux/kernel/linux-6.1.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/linux-6.1.nix b/pkgs/os-specific/linux/kernel/linux-6.1.nix
index 4ea471e02ac4..4c7249f2b4c2 100644
--- a/pkgs/os-specific/linux/kernel/linux-6.1.nix
+++ b/pkgs/os-specific/linux/kernel/linux-6.1.nix
@@ -3,7 +3,7 @@ with lib;
 buildLinux (args // rec {
- version = "6.1.11";
+ version = "6.1.12";
 # modDirVersion needs to be x.y.z, will automatically add .0 if needed
 modDirVersion = versions.pad 3 version;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 src = fetchurl {
 url = "mirror://kernel/linux/kernel/v6.x/linux-${version}.tar.xz";
- sha256 = "18gpkaa030g8mgmyprl05h4i8y5rjgyvbh0jcl8waqvq0xh0a6sq";
+ sha256 = "1spdl3i69qwn7cywzs6kql8nlisdnmnwk9za7v4xq1092xsscynl";
 };
 } // (args.argsOverride or { }))
From 30a72be3384bc56f4102e42cd20001cfa847b99f Mon Sep 17 00:00:00 2001
From: K900
Date: Tue, 14 Feb 2023 21:52:39 +0300
Subject: [PATCH 23/28] linux-rt_5_15: 5.15.92-rt57 -> 5.15.93-rt58
---
 pkgs/os-specific/linux/kernel/linux-rt-5.15.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix
index 9f73d7a57f27..9197f7d24827 100644
--- a/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rt-5.15.nix
@@ -6,7 +6,7 @@
 , ... } @ args:
 let
- version = "5.15.92-rt57"; # updated by ./update-rt.sh
+ version = "5.15.93-rt58"; # updated by ./update-rt.sh
 branch = lib.versions.majorMinor version;
 kversion = builtins.elemAt (lib.splitString "-" version) 0;
 in buildLinux (args // {
@@ -18,14 +18,14 @@ in buildLinux (args // {
 src = fetchurl {
 url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
- sha256 = "14ggwrvk9n2nvk38fp4g486k864knf3n9979mm51m8wrvd8h8hlz";
+ sha256 = "1baxkkd572110p95ah1wv0b4i2hfbkf8vyncb08y3w0bd7r29vg7";
 };
 kernelPatches = let
 rt-patch = {
 name = "rt";
 patch = fetchurl {
 url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
- sha256 = "181db4cdaw8wjrqfh07mbqgyzv1awl1g12x6k8lciv78j10x5kmb";
+ sha256 = "10xx70qf6nph3223yh6sc5jcyy938qrfdilli2a4zzhp0ibgp8bz";
 };
 };
 in [ rt-patch ] ++ kernelPatches;
From 5aec2a7956678bca924b3324f773eb0cd1665dca Mon Sep 17 00:00:00 2001
From: K900
Date: Tue, 14 Feb 2023 21:53:33 +0300
Subject: [PATCH 24/28] linux/hardened/patches/5.15: 5.15.92-hardened1 -> 5.15.93-hardened1
---
 pkgs/os-specific/linux/kernel/hardened/patches.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
index 88fad3e8aa62..56b143bb408a 100644
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -32,12 +32,12 @@
 "5.15": {
 "patch": {
 "extra": "-hardened1",
- "name": "linux-hardened-5.15.92-hardened1.patch",
- "sha256": "0wwi15r51jb0396vc4nbwjh9kxh68jvcbdw72pllwsgkhijgzkhg",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.92-hardened1/linux-hardened-5.15.92-hardened1.patch"
+ "name": "linux-hardened-5.15.93-hardened1.patch",
+ "sha256": "093a6qpiws4v8pzld6r92dczwvslrp8f2xrpb29qrp37i3kny5si",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.93-hardened1/linux-hardened-5.15.93-hardened1.patch"
 },
- "sha256": "14ggwrvk9n2nvk38fp4g486k864knf3n9979mm51m8wrvd8h8hlz",
- "version": "5.15.92"
+ "sha256": "1baxkkd572110p95ah1wv0b4i2hfbkf8vyncb08y3w0bd7r29vg7",
+ "version": "5.15.93"
 },
 "5.4": {
 "patch": {
From fa90359876285998d9e1877c671dc6cadaf9cb2c Mon Sep 17 00:00:00 2001
From: K900
Date: Tue, 14 Feb 2023 21:53:41 +0300
Subject: [PATCH 25/28] linux/hardened/patches/6.1: 6.1.10-hardened1 -> 6.1.11-hardened1
---
 pkgs/os-specific/linux/kernel/hardened/patches.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
index 56b143bb408a..5bc0f53c4684 100644
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -52,11 +52,11 @@
 "6.1": {
 "patch": {
 "extra": "-hardened1",
- "name": "linux-hardened-6.1.10-hardened1.patch",
- "sha256": "0v0w4phc02ghylqnyhzkl1frmjkxwkxgadf2ycyzm8ckl73q8lr5",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.1.10-hardened1/linux-hardened-6.1.10-hardened1.patch"
+ "name": "linux-hardened-6.1.11-hardened1.patch",
+ "sha256": "1pydcjy2cjnb4zxcqr41hr34fg8alph314xasdsfvdw4zaz55s6h",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.1.11-hardened1/linux-hardened-6.1.11-hardened1.patch"
 },
- "sha256": "17fifhfh2jrvlhry696n428ldl5ag3g2km5l9hx8gx8wm6dr3qhb",
- "version": "6.1.10"
+ "sha256": "18gpkaa030g8mgmyprl05h4i8y5rjgyvbh0jcl8waqvq0xh0a6sq",
+ "version": "6.1.11"
 }
 }
From d4c9404846a082b435e4f97c6541516dff8e9c57 Mon Sep 17 00:00:00 2001
From: "R. Ryantm"
Date: Wed, 15 Feb 2023 15:02:22 +0000
Subject: [PATCH 26/28] ov: 0.14.1 -> 0.14.2
---
 pkgs/tools/text/ov/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkgs/tools/text/ov/default.nix b/pkgs/tools/text/ov/default.nix
index ebc7cdcf716c..55c66f7a5408 100644
--- a/pkgs/tools/text/ov/default.nix
+++ b/pkgs/tools/text/ov/default.nix
@@ -8,16 +8,16 @@
 buildGoModule rec {
 pname = "ov";
- version = "0.14.1";
+ version = "0.14.2";
 src = fetchFromGitHub {
 owner = "noborus";
 repo = "ov";
 rev = "refs/tags/v${version}";
- hash = "sha256-ow2tIML7+x0X3FSpr4UQ8bzzYhZJZ9pZL8eNReEjitQ=";
+ hash = "sha256-tbJ3Es6huu+0HcpoiNpYLbxsm0QCWYZk6bX2MdQxT2I=";
 };
- vendorHash = "sha256-X2/kcXxdGwFvdiTu1MGyv90OngWmR/xR2YtjvmLkiVE=";
+ vendorHash = "sha256-EjLslvc0cgvD7LjuDa49h/qt6K4Z9DEtQjV/LYkKwKo=";
 ldflags = [
 "-X main.Version=v${version}"
From 9e9007e45fec743f41f47aa92c47ba36bc8e76b5 Mon Sep 17 00:00:00 2001
From: talyz Date: Wed, 15 Feb 2023 16:11:39 +0100 Subject: [PATCH 27/28] nixos/opensearch: Use DynamicUser and StateDirectory by default ...but still allow for setting `dataDir` to a custom path. This gets rid of the use of the deprecated option PermissionsStartOnly. Also, add the ability to customize user and group, since that could be useful with a custom `dataDir`. --- nixos/modules/services/search/opensearch.nix | 156 +++++++++++-------- nixos/tests/all-tests.nix | 2 +- nixos/tests/opensearch.nix | 67 ++++++-- pkgs/servers/search/opensearch/default.nix | 2 +- 4 files changed, 147 insertions(+), 80 deletions(-) diff --git a/nixos/modules/services/search/opensearch.nix b/nixos/modules/services/search/opensearch.nix index 17b8697d149c..df699b56747e 100644 --- a/nixos/modules/services/search/opensearch.nix +++ b/nixos/modules/services/search/opensearch.nix @@ -9,6 +9,9 @@ let configDir = cfg.dataDir + "/config"; + usingDefaultDataDir = cfg.dataDir == "/var/lib/opensearch"; + usingDefaultUserAndGroup = cfg.user == "opensearch" && cfg.group == "opensearch"; + opensearchYml = settingsFormat.generate "opensearch.yml" cfg.settings; loggingConfigFilename = "log4j2.properties"; @@ -20,9 +23,9 @@ in { options.services.opensearch = { - enable = mkEnableOption (lib.mdDoc "Whether to enable OpenSearch."); + enable = mkEnableOption (lib.mdDoc "OpenSearch"); - package = lib.mkPackageOptionMD pkgs "OpenSearch package to use." { + package = lib.mkPackageOptionMD pkgs "OpenSearch" { default = [ "opensearch" ]; }; 
@@ -99,13 +102,37 @@ in dataDir = lib.mkOption { type = lib.types.path; default = "/var/lib/opensearch"; + apply = converge (removeSuffix "/"); description = lib.mdDoc '' - Data directory for opensearch. + Data directory for OpenSearch. If you change this, you need to + manually create the directory. You also need to create the + `opensearch` user and group, or change + [](#opt-services.opensearch.user) and + [](#opt-services.opensearch.group) to existing ones with + access to the directory. + ''; + }; + + user = lib.mkOption { + type = lib.types.str; + default = "opensearch"; + description = lib.mdDoc '' + The user OpenSearch runs as. Should be left at default unless + you have very specific needs. + ''; + }; + + group = lib.mkOption { + type = lib.types.str; + default = "opensearch"; + description = lib.mdDoc '' + The group OpenSearch runs as. Should be left at default unless + you have very specific needs. ''; }; extraCmdLineOptions = lib.mkOption { - description = lib.mdDoc "Extra command line options for the opensearch launcher."; + description = lib.mdDoc "Extra command line options for the OpenSearch launcher."; default = [ ]; type = lib.types.listOf lib.types.str; }; 
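Review bot: The new `user` and `group` option descriptions say the values "should be left at default" but not what changing them costs: judging from the serviceConfig later in this patch, the unit only uses `DynamicUser` when user, group and `dataDir` are all default, and the static `users.users.opensearch` definition is removed, so any custom value must be provisioned by the admin. Appending `Changing this disables DynamicUser, so the user must exist already (for example via users.users).` to both descriptions would state that contract where the option is read. The `dataDir` description tells the reader to create the directory but not the ownership and mode the service expects; the test added in this patch creates it with `chown` to the service user and `chmod 0700`, and the description should say the same. The `apply = converge (removeSuffix "/")` normalisation is silent too; a one-line comment, `# strip trailing slashes so the default-path comparison and path concatenation are stable`, would explain why it is there.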
@@ -142,69 +169,76 @@ in OPENSEARCH_PATH_CONF = configDir; }; serviceConfig = { + ExecStartPre = + let + startPreFullPrivileges = '' + set -o errexit -o pipefail -o nounset -o errtrace + shopt -s inherit_errexit + '' + (optionalString (!config.boot.isContainer) '' + # Only set vm.max_map_count if lower than ES required minimum + # This avoids conflict if configured via boot.kernel.sysctl + if [ $(${pkgs.procps}/bin/sysctl -n vm.max_map_count) -lt 262144 ]; then + ${pkgs.procps}/bin/sysctl -w vm.max_map_count=262144 + fi + ''); + startPreUnprivileged = '' + set -o errexit -o pipefail -o nounset -o errtrace + shopt -s inherit_errexit + + # Install plugins + ln -sfT ${cfg.package}/lib ${cfg.dataDir}/lib + ln -sfT ${cfg.package}/modules ${cfg.dataDir}/modules + + # opensearch needs to create the opensearch.keystore in the config directory + # so this directory needs to be writable. + mkdir -p ${configDir} + chmod 0700 ${configDir} + + # Note that we copy config files from the nix store instead of symbolically linking them + # because otherwise X-Pack Security will raise the following exception: + # java.security.AccessControlException: + # access denied ("java.io.FilePermission" "/var/lib/opensearch/config/opensearch.yml" "read") + + cp ${opensearchYml} ${configDir}/opensearch.yml + + # Make sure the logging configuration for old OpenSearch versions is removed: + rm -f "${configDir}/logging.yml" + cp ${loggingConfigFile} ${configDir}/${loggingConfigFilename} + mkdir -p ${configDir}/scripts + cp ${cfg.package}/config/jvm.options ${configDir}/jvm.options + + # redirect jvm logs to the data directory + mkdir -p ${cfg.dataDir}/logs + chmod 0700 ${cfg.dataDir}/logs + sed -e '#logs/gc.log#${cfg.dataDir}/logs/gc.log#' -i ${configDir}/jvm.options + ''; + in [ + "+${pkgs.writeShellScript "opensearch-start-pre-full-privileges" startPreFullPrivileges}" + "${pkgs.writeShellScript "opensearch-start-pre-unprivileged" startPreUnprivileged}" + ]; + ExecStartPost = 
pkgs.writeShellScript "opensearch-start-post" '' + set -o errexit -o pipefail -o nounset -o errtrace + shopt -s inherit_errexit + + # Make sure opensearch is up and running before dependents + # are started + while ! ${pkgs.curl}/bin/curl -sS -f http://${cfg.settings."network.host"}:${toString cfg.settings."http.port"} 2>/dev/null; do + sleep 1 + done + ''; ExecStart = "${cfg.package}/bin/opensearch ${toString cfg.extraCmdLineOptions}"; - User = "opensearch"; - Group = "opensearch"; - StateDirectory = cfg.dataDir; - StateDirectoryMode = "0700"; - PermissionsStartOnly = true; + User = cfg.user; + Group = cfg.group; LimitNOFILE = "1024000"; Restart = "always"; TimeoutStartSec = "infinity"; - }; - preStart = optionalString (!config.boot.isContainer) '' - # Only set vm.max_map_count if lower than ES required minimum - # This avoids conflict if configured via boot.kernel.sysctl - if [ $(${pkgs.procps}/bin/sysctl -n vm.max_map_count) -lt 262144 ]; then - ${pkgs.procps}/bin/sysctl -w vm.max_map_count=262144 - fi - '' + '' - mkdir -m 0700 -p ${cfg.dataDir} - - # Install plugins - ln -sfT ${cfg.package}/lib ${cfg.dataDir}/lib - ln -sfT ${cfg.package}/modules ${cfg.dataDir}/modules - - # opensearch needs to create the opensearch.keystore in the config directory - # so this directory needs to be writable. 
- mkdir -m 0700 -p ${configDir} - - # Note that we copy config files from the nix store instead of symbolically linking them - # because otherwise X-Pack Security will raise the following exception: - # java.security.AccessControlException: - # access denied ("java.io.FilePermission" "/var/lib/opensearch/config/opensearch.yml" "read") - - cp ${opensearchYml} ${configDir}/opensearch.yml - # Make sure the logging configuration for old opensearch versions is removed: - rm -f "${configDir}/logging.yml" - cp ${loggingConfigFile} ${configDir}/${loggingConfigFilename} - mkdir -p ${configDir}/scripts - cp ${cfg.package}/config/jvm.options ${configDir}/jvm.options - # redirect jvm logs to the data directory - mkdir -m 0700 -p ${cfg.dataDir}/logs - sed -e '#logs/gc.log#${cfg.dataDir}/logs/gc.log#' -i ${configDir}/jvm.options \ - - if [ "$(id -u)" = 0 ]; then chown -R opensearch:opensearch ${cfg.dataDir}; fi - ''; - postStart = '' - # Make sure opensearch is up and running before dependents - # are started - while ! ${pkgs.curl}/bin/curl -sS -f http://${cfg.settings."network.host"}:${toString cfg.settings."http.port"} 2>/dev/null; do - sleep 1 - done - ''; + DynamicUser = usingDefaultUserAndGroup && usingDefaultDataDir; + } // (optionalAttrs (usingDefaultDataDir) { + StateDirectory = "opensearch"; + StateDirectoryMode = "0700"; + }); }; environment.systemPackages = [ cfg.package ]; - - users = { - groups.opensearch = {}; - users.opensearch = { - description = "OpenSearch daemon user"; - home = cfg.dataDir; - group = "opensearch"; - isSystemUser = true; - }; - }; }; } diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 4e8334622f83..86dd096afc0b 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix 
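Review bot: The `sed -e '#logs/gc.log#${cfg.dataDir}/logs/gc.log#' -i ${configDir}/jvm.options` line in `startPreUnprivileged` is a no-op: a sed script that begins with `#` is a comment, so there is no `s` command and the GC log path in jvm.options is never redirected into the data directory as the comment above it claims. The line is carried over from the removed `preStart`, so the defect is pre-existing, but since the script is being rewritten here this is the moment to make it `sed -e 's#logs/gc.log#${cfg.dataDir}/logs/gc.log#' -i ${configDir}/jvm.options` (and, with `errexit` now on, to check the expected pattern is actually present in the packaged jvm.options). Separately, `DynamicUser = usingDefaultUserAndGroup && usingDefaultDataDir;` together with the deleted `users.users.opensearch` block means a custom `dataDir` with the default user leaves `User = cfg.user` naming an `opensearch` account nobody creates; an `assertions` entry requiring either the DynamicUser case or an explicitly defined `users.users.${cfg.user}` would turn that start-time failure into an evaluation error. The enclosing `systemd.services.opensearch` definition begins before this hunk.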
@@ -490,7 +490,7 @@ in {
 ombi = handleTest ./ombi.nix {};
 openarena = handleTest ./openarena.nix {};
 openldap = handleTest ./openldap.nix {};
- opensearch = handleTest ./opensearch.nix {};
+ opensearch = discoverTests (import ./opensearch.nix);
 openresty-lua = handleTest ./openresty-lua.nix {};
 opensmtpd = handleTest ./opensmtpd.nix {};
 opensmtpd-rspamd = handleTest ./opensmtpd-rspamd.nix {};
diff --git a/nixos/tests/opensearch.nix b/nixos/tests/opensearch.nix
index db63c2e053f5..c0caf950cb9c 100644
--- a/nixos/tests/opensearch.nix
+++ b/nixos/tests/opensearch.nix
@@ -1,19 +1,52 @@ -import ./make-test-python.nix ({ pkgs, ... }: { - name = "opensearch"; - meta.maintainers = with pkgs.lib.maintainers; [ shyim ]; +let + opensearchTest = + import ./make-test-python.nix ( + { pkgs, lib, extraSettings ? {} }: { + name = "opensearch"; + meta.maintainers = with pkgs.lib.maintainers; [ shyim ]; - nodes.machine = { - virtualisation.memorySize = 2048; - services.opensearch.enable = true; + nodes.machine = lib.mkMerge [ + { + virtualisation.memorySize = 2048; + services.opensearch.enable = true; + } + extraSettings + ]; + + testScript = '' + machine.start() + machine.wait_for_unit("opensearch.service") + machine.wait_for_open_port(9200) + + machine.succeed( + "curl --fail localhost:9200" + ) + ''; + }); +in +{ + opensearch = opensearchTest {}; + opensearchCustomPathAndUser = opensearchTest { + extraSettings = { + services.opensearch.dataDir = "/var/opensearch_test"; + services.opensearch.user = "open_search"; + services.opensearch.group = "open_search"; + system.activationScripts.createDirectory = { + text = '' + mkdir -p "/var/opensearch_test" + chown open_search:open_search /var/opensearch_test + chmod 0700 /var/opensearch_test + ''; + deps = [ "users" "groups" ]; + }; + users = { + groups.open_search = {}; + users.open_search = { + description = "OpenSearch daemon user"; + group = "open_search"; + isSystemUser = true; + }; + }; + }; }; - - testScript = '' - machine.start() - machine.wait_for_unit("opensearch.service") - machine.wait_for_open_port(9200) - - machine.succeed( - "curl --fail localhost:9200" - ) - ''; -}) +} diff --git a/pkgs/servers/search/opensearch/default.nix b/pkgs/servers/search/opensearch/default.nix index cf03d1939d9f..b8274d894b27 100644 --- a/pkgs/servers/search/opensearch/default.nix +++ b/pkgs/servers/search/opensearch/default.nix 
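Review bot: The shared `testScript` only checks that port 9200 answers, so `opensearchCustomPathAndUser` passes even if the unit ended up running as some other account or writing outside `/var/opensearch_test`, which is exactly what the variant exists to cover. Two assertions would pin it: `machine.succeed("systemctl show -p User --value opensearch.service | grep -qx open_search")` and `machine.succeed("test -d /var/opensearch_test/config")`; because the script is shared by both variants, the expected user and directory would have to come in through the same parameter mechanism as `extraSettings`, with the default variant asserting the defaults. The activation script's `mkdir`/`chown`/`chmod 0700` sequence is currently the only place that spells out the ownership a custom `dataDir` needs; a comment there, `# a custom dataDir is not managed by the module: it must exist, be owned by the service user and be mode 0700`, would make the contract explicit to people copying the test as a recipe.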
@@ -42,7 +42,7 @@ stdenvNoCC.mkDerivation rec {
 runHook postInstall
 '';
- passthru.tests = { inherit (nixosTests) opensearch; };
+ passthru.tests = nixosTests.opensearch;
 meta = {
 description = "Open Source, Distributed, RESTful Search Engine";
From bb584ee6cd8b0d543b559ef715d161deb318ff3b Mon Sep 17 00:00:00 2001
From: "R. RyanTM"
Date: Wed, 15 Feb 2023 09:35:20 -0800
Subject: [PATCH 28/28] cf-terraforming: 0.9.0 -> 0.10.0 (#216462)
---
 pkgs/tools/misc/cf-terraforming/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkgs/tools/misc/cf-terraforming/default.nix b/pkgs/tools/misc/cf-terraforming/default.nix
index 20c4221a0816..d57475fb5938 100644
--- a/pkgs/tools/misc/cf-terraforming/default.nix
+++ b/pkgs/tools/misc/cf-terraforming/default.nix
@@ -2,16 +2,16 @@
 buildGoModule rec {
 pname = "cf-terraforming";
- version = "0.9.0";
+ version = "0.10.0";
 src = fetchFromGitHub {
 owner = "cloudflare";
 repo = "cf-terraforming";
 rev = "v${version}";
- sha256 = "sha256-wELV3Jp11Iv3G//VOAosL5QDnbNTyEAvq9hmLWDdPBU=";
+ sha256 = "sha256-2YL+ncT1UcanslFnMIMonvGugD7HxO6taYZtKK6kmEc=";
 };
- vendorHash = "sha256-XFJGw76Fz9tzknWuzc1aw1uJ34UQfFLe1WUVtPGbn64=";
+ vendorHash = "sha256-eAWgLR3wqcTmlA3hG9IGgTm/Q+EKcypXYXRdtRAb94o=";
 ldflags = [ "-X github.com/cloudflare/cf-terraforming/internal/app/cf-terraforming/cmd.versionString=${version}" ];
 # The test suite insists on downloading a binary release of Terraform from