Merge master into staging-next

2024-09-24 06:08:16 +03:00 · 2023-11-03 03:07:31 +00:00 · 2023-11-03 03:07:31 +00:00 · cbec6b85a3
commit cbec6b85a3
parent 6847716409 b65f481f0f
19 changed files with 854 additions and 155 deletions
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -762,6 +762,7 @@ in {
  spark = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./spark {};
  sqlite3-to-mysql = handleTest ./sqlite3-to-mysql.nix {};
  sslh = handleTest ./sslh.nix {};
+  ssh-audit = handleTest ./ssh-audit.nix {};
  sssd = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd.nix {};
  sssd-ldap = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd-ldap.nix {};
  stalwart-mail = handleTest ./stalwart-mail.nix {};
--- a/nixos/tests/ssh-audit.nix
+++ b/nixos/tests/ssh-audit.nix
@ -0,0 +1,103 @@
+import ./make-test-python.nix (
+  {pkgs, ...}: let
+    sshKeys = import (pkgs.path + "/nixos/tests/ssh-keys.nix") pkgs;
+    sshUsername = "any-user";
+    serverName = "server";
+    clientName = "client";
+    sshAuditPort = 2222;
+  in {
+    name = "ssh";
+
+    nodes = {
+      "${serverName}" = {
+        networking.firewall.allowedTCPPorts = [
+          sshAuditPort
+        ];
+        services.openssh.enable = true;
+        users.users."${sshUsername}" = {
+          isNormalUser = true;
+          openssh.authorizedKeys.keys = [
+            sshKeys.snakeOilPublicKey
+          ];
+        };
+      };
+      "${clientName}" = {
+        programs.ssh = {
+          ciphers = [
+            "aes128-ctr"
+            "aes128-gcm@openssh.com"
+            "aes192-ctr"
+            "aes256-ctr"
+            "aes256-gcm@openssh.com"
+            "chacha20-poly1305@openssh.com"
+          ];
+          extraConfig = ''
+            IdentitiesOnly yes
+          '';
+          hostKeyAlgorithms = [
+            "rsa-sha2-256"
+            "rsa-sha2-256-cert-v01@openssh.com"
+            "rsa-sha2-512"
+            "rsa-sha2-512-cert-v01@openssh.com"
+            "sk-ssh-ed25519-cert-v01@openssh.com"
+            "sk-ssh-ed25519@openssh.com"
+            "ssh-ed25519"
+            "ssh-ed25519-cert-v01@openssh.com"
+          ];
+          kexAlgorithms = [
+            "curve25519-sha256"
+            "curve25519-sha256@libssh.org"
+            "diffie-hellman-group-exchange-sha256"
+            "diffie-hellman-group16-sha512"
+            "diffie-hellman-group18-sha512"
+            "sntrup761x25519-sha512@openssh.com"
+          ];
+          macs = [
+            "hmac-sha2-256-etm@openssh.com"
+            "hmac-sha2-512-etm@openssh.com"
+            "umac-128-etm@openssh.com"
+          ];
+        };
+      };
+    };
+
+    testScript = ''
+      start_all()
+
+      ${serverName}.wait_for_open_port(22)
+
+      # Should pass SSH server audit
+      ${serverName}.succeed("${pkgs.ssh-audit}/bin/ssh-audit 127.0.0.1")
+
+      # Wait for client to be able to connect to the server
+      ${clientName}.wait_for_unit("network-online.target")
+
+      # Set up trusted private key
+      ${clientName}.succeed("cat ${sshKeys.snakeOilPrivateKey} > privkey.snakeoil")
+      ${clientName}.succeed("chmod 600 privkey.snakeoil")
+
+      # Fail fast and disable interactivity
+      ssh_options = "-o BatchMode=yes -o ConnectTimeout=1 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
+
+      # Should deny root user
+      ${clientName}.fail(f"ssh {ssh_options} root@${serverName} true")
+
+      # Should deny non-root user password login
+      ${clientName}.fail(f"ssh {ssh_options} -o PasswordAuthentication=yes ${sshUsername}@${serverName} true")
+
+      # Should allow non-root user certificate login
+      ${clientName}.succeed(f"ssh {ssh_options} -i privkey.snakeoil ${sshUsername}@${serverName} true")
+
+      # Should pass SSH client audit
+      service_name = "ssh-audit.service"
+      ${serverName}.succeed(f"systemd-run --unit={service_name} ${pkgs.ssh-audit}/bin/ssh-audit --client-audit --port=${toString sshAuditPort}")
+      ${clientName}.sleep(5) # We can't use wait_for_open_port because ssh-audit exits as soon as anything talks to it
+      ${clientName}.execute(
+          f"ssh {ssh_options} -i privkey.snakeoil -p ${toString sshAuditPort} ${sshUsername}@${serverName} true",
+          check_return=False,
+          timeout=10
+      )
+      ${serverName}.succeed(f"exit $(systemctl show --property=ExecMainStatus --value {service_name})")
+    '';
+  }
+)
--- a/pkgs/applications/misc/ArchiSteamFarm/default.nix
+++ b/pkgs/applications/misc/ArchiSteamFarm/default.nix
@ -76,7 +76,6 @@ buildDotnetModule rec {
    description = "Application with primary purpose of idling Steam cards from multiple accounts simultaneously";
    homepage = "https://github.com/JustArchiNET/ArchiSteamFarm";
    license = licenses.asl20;
-    platforms = [ "x86_64-linux" "aarch64-linux" ];
    mainProgram = "ArchiSteamFarm";
    maintainers = with maintainers; [ SuperSandro2000 lom ];
  };
--- a/pkgs/applications/misc/hugo/default.nix
+++ b/pkgs/applications/misc/hugo/default.nix
@ -10,16 +10,16 @@

 buildGoModule rec {
  pname = "hugo";
-  version = "0.120.2";
+  version = "0.120.3";

  src = fetchFromGitHub {
    owner = "gohugoio";
    repo = pname;
    rev = "refs/tags/v${version}";
-    hash = "sha256-hCcutRfx0GtnYJYoQ/2S8Y+OmxLCtHWzTCdozWUatXY=";
+    hash = "sha256-96ikGGKw9IN/ch199oFcucp8aVR+fEiAWBeu39J2Osw=";
  };

-  vendorHash = "sha256-59Q7IN7VK7tQv5w7qyxSz16G+Kmsrslu8we9S3aJeAg=";
+  vendorHash = "sha256-kUKnoUQzLbi0ssxvK2viNTHLtqx8vaHLYXO8ZWU2rmw=";

  doCheck = false;

--- a/pkgs/applications/networking/instant-messengers/telegram/telegram-desktop/default.nix
+++ b/pkgs/applications/networking/instant-messengers/telegram/telegram-desktop/default.nix
@ -104,14 +104,14 @@ let
 in
 stdenv.mkDerivation rec {
  pname = "telegram-desktop";
-  version = "4.11.2";
+  version = "4.11.3";

  src = fetchFromGitHub {
    owner = "telegramdesktop";
    repo = "tdesktop";
    rev = "v${version}";
    fetchSubmodules = true;
-    hash = "sha256-Hjg349h9dlBfKVLIPDqPP8U+Yt0Iaeyjq6hsUB5+zYM=";
+    hash = "sha256-Xjb8um3TA2yIPrCdEV1BJ10keyAqTnlU20ZZ0T3P3ls=";
  };

  patches = [
--- a/pkgs/by-name/ve/vesktop/package.nix
+++ b/pkgs/by-name/ve/vesktop/package.nix
@ -53,7 +53,10 @@ stdenv.mkDerivation rec {

    dontFixup = true;
    outputHashMode = "recursive";
-    outputHash = "sha256-KDJ8QmpwGb2lOdwWEl5y62pJiqEvpI59StfQZrN1PPE=";
+    outputHash = {
+      "aarch64-linux" = "sha256-Fkfq8vBfNXdndVb17aZOTvIOAyiccDzyuFvg6kDy7QI=";
+      "x86_64-linux" = "sha256-KDJ8QmpwGb2lOdwWEl5y62pJiqEvpI59StfQZrN1PPE=";
+    }.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
  };

  nativeBuildInputs = [
@ -105,7 +108,7 @@ stdenv.mkDerivation rec {
      runHook preInstall

      mkdir -p $out/opt/Vesktop/resources
-      cp dist/linux-unpacked/resources/app.asar $out/opt/Vesktop/resources
+      cp dist/linux-*unpacked/resources/app.asar $out/opt/Vesktop/resources

      pushd build
      ${libicns}/bin/icns2png -x icon.icns
@ -141,6 +144,5 @@ stdenv.mkDerivation rec {
    maintainers = with maintainers; [ getchoo Scrumplex vgskye ];
    platforms = [ "x86_64-linux" "aarch64-linux" ];
    mainProgram = "vencorddesktop";
-    broken = stdenv.hostPlatform.isAarch64;
  };
 }
--- a/pkgs/development/libraries/jemalloc/default.nix
+++ b/pkgs/development/libraries/jemalloc/default.nix
@ -50,7 +50,8 @@ stdenv.mkDerivation rec {
  env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.isDarwin "-Wno-error=array-bounds";
  env.NIX_LDFLAGS = lib.optionalString (stdenv.cc.libcxx != null) "-l${stdenv.cc.libcxx.cxxabi.libName}";

-  doCheck = true;
+  # Tries to link test binaries binaries dynamically and fails
+  doCheck = !stdenv.hostPlatform.isStatic;

  enableParallelBuilding = true;

--- a/pkgs/development/libraries/qt-5/5.15/default.nix
+++ b/pkgs/development/libraries/qt-5/5.15/default.nix
@ -12,7 +12,6 @@ Check for any minor version changes.
 , bison, cups ? null, harfbuzz, libGL, perl, python3
 , gstreamer, gst-plugins-base, gtk3, dconf
 , darwin
-, buildPackages

  # options
 , developerBuild ? false
@ -218,32 +217,24 @@ let
    qttools = [ ./qttools.patch ];
  };

-  addPackages = self: with self;
+  addPackages = self:
    let
-      qtModule =
-        import ../qtModule.nix
-        {
-          inherit perl;
-          inherit lib;
-          # Use a variant of mkDerivation that does not include wrapQtApplications
-          # to avoid cyclic dependencies between Qt modules.
-          mkDerivation =
-            import ../mkDerivation.nix
-            { inherit lib; inherit debug; wrapQtAppsHook = null; }
-            stdenv.mkDerivation;
-        }
-        { inherit self srcs patches; };
+      qtModule = callPackage ../qtModule.nix {
+        inherit patches;
+        # Use a variant of mkDerivation that does not include wrapQtApplications
+        # to avoid cyclic dependencies between Qt modules.
+        mkDerivation =
+          (callPackage ../mkDerivation.nix { wrapQtAppsHook = null; }) stdenv.mkDerivation;
+      };

      callPackage = self.newScope { inherit qtCompatVersion qtModule srcs stdenv; };
    in {

      inherit callPackage qtCompatVersion qtModule srcs;

-      mkDerivationWith =
-        import ../mkDerivation.nix
-        { inherit lib; inherit debug; inherit (self) wrapQtAppsHook; };
+      mkDerivationWith = callPackage ../mkDerivation.nix { };

-      mkDerivation = mkDerivationWith stdenv.mkDerivation;
+      mkDerivation = callPackage ({ mkDerivationWith }: mkDerivationWith stdenv.mkDerivation) { };

      qtbase = callPackage ../modules/qtbase.nix {
        inherit (srcs.qtbase) src version;
@ -325,7 +316,9 @@ let
      qtxmlpatterns = callPackage ../modules/qtxmlpatterns.nix {};

      env = callPackage ../qt-env.nix {};
-      full = env "qt-full-${qtbase.version}" ([
+      full = callPackage ({ env, qtbase }: env "qt-full-${qtbase.version}") { }
+      # `with self` is ok to use here because having these spliced is unnecessary
+      (with self; [
        qt3d qtcharts qtconnectivity qtdeclarative qtdoc qtgraphicaleffects
        qtimageformats qtlocation qtmultimedia qtquickcontrols qtquickcontrols2
        qtscript qtsensors qtserialport qtsvg qttools qttranslations
@ -334,20 +327,20 @@ let
      ] ++ lib.optional (!stdenv.isDarwin) qtwayland
        ++ lib.optional (stdenv.isDarwin) qtmacextras);

-      qmake = makeSetupHook {
+      qmake = callPackage ({ qtbase }: makeSetupHook {
        name = "qmake-hook";
-        propagatedBuildInputs = [ self.qtbase.dev ];
+        propagatedBuildInputs = [ qtbase.dev ];
        substitutions = {
          inherit debug;
          fix_qmake_libtool = ../hooks/fix-qmake-libtool.sh;
        };
-      } ../hooks/qmake-hook.sh;
+      } ../hooks/qmake-hook.sh) { };

-      wrapQtAppsHook = makeSetupHook {
+      wrapQtAppsHook = callPackage ({ makeBinaryWrapper, qtbase, qtwayland }: makeSetupHook {
        name = "wrap-qt5-apps-hook";
-        propagatedBuildInputs = [ self.qtbase.dev buildPackages.makeBinaryWrapper ]
-          ++ lib.optional stdenv.isLinux self.qtwayland.dev;
-      } ../hooks/wrap-qt-apps-hook.sh;
+        propagatedBuildInputs = [ qtbase.dev makeBinaryWrapper ]
+          ++ lib.optional stdenv.isLinux qtwayland.dev;
+      } ../hooks/wrap-qt-apps-hook.sh) { };
    };

  baseScope = makeScopeWithSplicing' {
--- a/pkgs/development/libraries/qt-5/mkDerivation.nix
+++ b/pkgs/development/libraries/qt-5/mkDerivation.nix
@ -1,6 +1,4 @@
-{ lib, debug, wrapQtAppsHook }:
-
-let inherit (lib) optional; in
+{ wrapQtAppsHook }:

 mkDerivation:

--- a/pkgs/development/libraries/qt-5/qtModule.nix
+++ b/pkgs/development/libraries/qt-5/qtModule.nix
@ -1,9 +1,7 @@
-{ lib, mkDerivation, perl }:
+{ lib, mkDerivation, perl, qmake, patches, srcs }:

 let inherit (lib) licenses maintainers platforms; in

-{ self, srcs, patches }:
-
 args:

 let
@ -16,7 +14,7 @@ mkDerivation (args // {
  inherit pname version src;
  patches = (args.patches or []) ++ (patches.${pname} or []);

-  nativeBuildInputs = (args.nativeBuildInputs or []) ++ [ perl self.qmake ];
+  nativeBuildInputs = (args.nativeBuildInputs or []) ++ [ perl qmake ];
  propagatedBuildInputs =
    (lib.warnIf (args ? qtInputs) "qt5.qtModule's qtInputs argument is deprecated" args.qtInputs or []) ++
    (args.propagatedBuildInputs or []);
--- a/pkgs/development/python-modules/home-assistant-chip-clusters/default.nix
+++ b/pkgs/development/python-modules/home-assistant-chip-clusters/default.nix
@ -7,7 +7,7 @@

 buildPythonPackage rec {
  pname = "home-assistant-chip-clusters";
-  version = "2023.10.1";
+  version = "2023.10.2";
  format = "wheel";

  src = fetchPypi {
@ -15,7 +15,7 @@ buildPythonPackage rec {
    pname = "home_assistant_chip_clusters";
    dist = "py3";
    python = "py3";
-    hash = "sha256-KI5idrD8SIpzSYopELYWJJaaiAFQzwRwhFBfb4BEw2o=";
+    hash = "sha256-wAXxz0BryZ6i0yaqNp74PfApwMHYQuSLz5prJEiG1YE=";
  };

  propagatedBuildInputs = [
--- a/pkgs/development/python-modules/home-assistant-chip-core/default.nix
+++ b/pkgs/development/python-modules/home-assistant-chip-core/default.nix
@ -28,7 +28,7 @@

 buildPythonPackage rec {
  pname = "home-assistant-chip-core";
-  version = "2023.10.1";
+  version = "2023.10.2";
  format = "wheel";

  disabled = pythonOlder "3.7";
@ -37,11 +37,11 @@ buildPythonPackage rec {
    system = {
      "aarch64-linux" = {
        name = "aarch64";
-        hash = "sha256-wmavXr7WL9q7u8lnOaEWbRs3rlagBd9ovhxzRbjnrwY=";
+        hash = "sha256-KBFXFD5cSVgE57S1cHghU3kPDrbRquAARN95UriPCnM=";
      };
      "x86_64-linux" = {
        name = "x86_64";
-        hash = "sha256-mffjJtn0LmRz9DOWMMw9soYDDm/M1C5Tdj6YbWHaq2o=";
+        hash = "sha256-9x7pjgERvsBuyol8LiuPOlFZ5Up92N9HYg1mH9/0HAU=";
      };
    }.${stdenv.system} or (throw "Unsupported system");
  in fetchPypi {
--- a/pkgs/development/python-modules/python-matter-server/default.nix
+++ b/pkgs/development/python-modules/python-matter-server/default.nix
@ -28,7 +28,7 @@

 buildPythonPackage rec {
  pname = "python-matter-server";
-  version = "4.0.0";
+  version = "4.0.1";
  format = "pyproject";

  disabled = pythonOlder "3.10";
@ -37,7 +37,7 @@ buildPythonPackage rec {
    owner = "home-assistant-libs";
    repo = "python-matter-server";
    rev = "refs/tags/${version}";
-    hash = "sha256-7MBQo4jzBU/n7gVdGzVHlQl8Vj3OjfK4gk1vhLQQUE0=";
+    hash = "sha256-zCw5sj+UgY0egjXGzcbOb7VATeLY80+8Mv9owmdA+f0=";
  };

  nativeBuildInputs = [
--- a/pkgs/development/tools/rust/cargo-release/Cargo.lock
+++ b/pkgs/development/tools/rust/cargo-release/Cargo.lock
--- a/pkgs/development/tools/rust/cargo-release/default.nix
+++ b/pkgs/development/tools/rust/cargo-release/default.nix
@ -12,13 +12,13 @@

 rustPlatform.buildRustPackage rec {
  pname = "cargo-release";
-  version = "0.24.12";
+  version = "0.25.0";

  src = fetchFromGitHub {
    owner = "crate-ci";
    repo = "cargo-release";
    rev = "refs/tags/v${version}";
-    hash = "sha256-dB5gpaY6OB/IjMvqLUMH41l6Q/xMookxfVGXRcdhcBM=";
+    hash = "sha256-UJdGbuQfvlZHjCKyHCXPDJ5AdUWJCRUS/vNeTKAwyYI=";
  };

  cargoLock = {
@ -37,7 +37,7 @@ rustPlatform.buildRustPackage rec {
    openssl
  ] ++ lib.optionals stdenv.isDarwin [
    curl
-    darwin.apple_sdk.frameworks.Security
+    darwin.apple_sdk.frameworks.SystemConfiguration
  ];

  nativeCheckInputs = [
--- a/pkgs/servers/mail/postfix/default.nix
+++ b/pkgs/servers/mail/postfix/default.nix
@ -25,11 +25,11 @@ let

 in stdenv.mkDerivation rec {
  pname = "postfix";
-  version = "3.8.2";
+  version = "3.8.3";

  src = fetchurl {
    url = "http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/${pname}-${version}.tar.gz";
-    hash = "sha256-Z5CQPNu14ORxlmkeuaXyz4BQJi3vlB4Dnm1L9AQ6XjA=";
+    hash = "sha256-FpRsmHSnhqCfU7F9HIPcH6rjXL+AurNKsBeYtwQglos=";
  };

  nativeBuildInputs = [ makeWrapper m4 ];
--- a/pkgs/tools/nix/nixdoc/default.nix
+++ b/pkgs/tools/nix/nixdoc/default.nix
@ -2,16 +2,16 @@

 rustPlatform.buildRustPackage rec {
  pname = "nixdoc";
-  version = "2.4.0";
+  version = "2.5.1";

  src = fetchFromGitHub {
    owner = "nix-community";
    repo = "nixdoc";
    rev = "v${version}";
-    sha256 = "sha256-cEMehtxkqXAar/fDy3CnzsDEAuC1ABBaYqzqVBGnTrs=";
+    sha256 = "sha256-QgKzpFdzisWD6DZxs1LsKINBr/bSYQILpEu5RdcNgbc=";
  };

-  cargoHash = "sha256-QFDHIqXyTWTdqNrLcwWw3plX6EDH/k043nay5opjtws=";
+  cargoHash = "sha256-MztvOV1yAOgpwPYOUUZb7XHKhhhd/fvKPIFbsnMdhAQ=";

  buildInputs = lib.optionals stdenv.isDarwin [ darwin.Security ];

--- a/pkgs/tools/security/ssh-audit/default.nix
+++ b/pkgs/tools/security/ssh-audit/default.nix
@ -1,5 +1,6 @@
 { lib
 , fetchFromGitHub
+, nixosTests
 , python3Packages
 }:

@ -19,6 +20,10 @@ python3Packages.buildPythonApplication rec {
    pytestCheckHook
  ];

+  passthru.tests = {
+    inherit (nixosTests) ssh-audit;
+  };
+
  meta = with lib; {
    description = "Tool for ssh server auditing";
    homepage = "https://github.com/jtesta/ssh-audit";
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -24680,7 +24680,7 @@ with pkgs;
      inherit (__splicedPackages)
        makeScopeWithSplicing' generateSplicesForMkScope lib fetchurl fetchpatch fetchgit fetchFromGitHub makeSetupHook makeWrapper
        bison cups dconf harfbuzz libGL perl gtk3 python3
-        darwin buildPackages;
+        darwin;
      inherit (__splicedPackages.gst_all_1) gstreamer gst-plugins-base;
      inherit config;
      stdenv = if stdenv.isDarwin then overrideSDK stdenv "11.0" else stdenv;