Merge master into staging-next

2024-09-24 06:08:16 +03:00 · 2023-11-03 03:07:31 +00:00 · 2023-11-03 03:07:31 +00:00 · cbec6b85a3
commit cbec6b85a3
parent 6847716409 b65f481f0f
19 changed files with 854 additions and 155 deletions
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -762,6 +762,7 @@ in {
  spark = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./spark {};
  sqlite3-to-mysql = handleTest ./sqlite3-to-mysql.nix {};
  sslh = handleTest ./sslh.nix {};
  ssh-audit = handleTest ./ssh-audit.nix {};
  sssd = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd.nix {};
  sssd-ldap = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd-ldap.nix {};
  stalwart-mail = handleTest ./stalwart-mail.nix {};
--- a/nixos/tests/ssh-audit.nix
+++ b/nixos/tests/ssh-audit.nix
@ -0,0 +1,103 @@
 import ./make-test-python.nix (
  {pkgs, ...}: let
    sshKeys = import (pkgs.path + "/nixos/tests/ssh-keys.nix") pkgs;
    sshUsername = "any-user";
    serverName = "server";
    clientName = "client";
    sshAuditPort = 2222;
  in {
    name = "ssh";
    nodes = {
      "${serverName}" = {
        networking.firewall.allowedTCPPorts = [
          sshAuditPort
        ];
        services.openssh.enable = true;
        users.users."${sshUsername}" = {
          isNormalUser = true;
          openssh.authorizedKeys.keys = [
            sshKeys.snakeOilPublicKey
          ];
        };
      };
      "${clientName}" = {
        programs.ssh = {
          ciphers = [
            "aes128-ctr"
            "aes128-gcm@openssh.com"
            "aes192-ctr"
            "aes256-ctr"
            "aes256-gcm@openssh.com"
            "chacha20-poly1305@openssh.com"
          ];
          extraConfig = ''
            IdentitiesOnly yes
          '';
          hostKeyAlgorithms = [
            "rsa-sha2-256"
            "rsa-sha2-256-cert-v01@openssh.com"
            "rsa-sha2-512"
            "rsa-sha2-512-cert-v01@openssh.com"
            "sk-ssh-ed25519-cert-v01@openssh.com"
            "sk-ssh-ed25519@openssh.com"
            "ssh-ed25519"
            "ssh-ed25519-cert-v01@openssh.com"
          ];
          kexAlgorithms = [
            "curve25519-sha256"
            "curve25519-sha256@libssh.org"
            "diffie-hellman-group-exchange-sha256"
            "diffie-hellman-group16-sha512"
            "diffie-hellman-group18-sha512"
            "sntrup761x25519-sha512@openssh.com"
          ];
          macs = [
            "hmac-sha2-256-etm@openssh.com"
            "hmac-sha2-512-etm@openssh.com"
            "umac-128-etm@openssh.com"
          ];
        };
      };
    };
    testScript = ''
      start_all()
      ${serverName}.wait_for_open_port(22)
      # Should pass SSH server audit
      ${serverName}.succeed("${pkgs.ssh-audit}/bin/ssh-audit 127.0.0.1")
      # Wait for client to be able to connect to the server
      ${clientName}.wait_for_unit("network-online.target")
      # Set up trusted private key
      ${clientName}.succeed("cat ${sshKeys.snakeOilPrivateKey} > privkey.snakeoil")
      ${clientName}.succeed("chmod 600 privkey.snakeoil")
      # Fail fast and disable interactivity
      ssh_options = "-o BatchMode=yes -o ConnectTimeout=1 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
      # Should deny root user
      ${clientName}.fail(f"ssh {ssh_options} root@${serverName} true")
      # Should deny non-root user password login
      ${clientName}.fail(f"ssh {ssh_options} -o PasswordAuthentication=yes ${sshUsername}@${serverName} true")
      # Should allow non-root user certificate login
      ${clientName}.succeed(f"ssh {ssh_options} -i privkey.snakeoil ${sshUsername}@${serverName} true")
      # Should pass SSH client audit
      service_name = "ssh-audit.service"
      ${serverName}.succeed(f"systemd-run --unit={service_name} ${pkgs.ssh-audit}/bin/ssh-audit --client-audit --port=${toString sshAuditPort}")
      ${clientName}.sleep(5) # We can't use wait_for_open_port because ssh-audit exits as soon as anything talks to it
      ${clientName}.execute(
          f"ssh {ssh_options} -i privkey.snakeoil -p ${toString sshAuditPort} ${sshUsername}@${serverName} true",
          check_return=False,
          timeout=10
      )
      ${serverName}.succeed(f"exit $(systemctl show --property=ExecMainStatus --value {service_name})")
    '';
  }
 )
--- a/pkgs/applications/misc/ArchiSteamFarm/default.nix
+++ b/pkgs/applications/misc/ArchiSteamFarm/default.nix
@ -76,7 +76,6 @@ buildDotnetModule rec {
    description = "Application with primary purpose of idling Steam cards from multiple accounts simultaneously";
    homepage = "https://github.com/JustArchiNET/ArchiSteamFarm";
    license = licenses.asl20;
    platforms = [ "x86_64-linux" "aarch64-linux" ];
    mainProgram = "ArchiSteamFarm";
    maintainers = with maintainers; [ SuperSandro2000 lom ];
  };
--- a/pkgs/applications/misc/hugo/default.nix
+++ b/pkgs/applications/misc/hugo/default.nix
@ -10,16 +10,16 @@
 buildGoModule rec {
  pname = "hugo";
-  version = "0.120.2";
+  version = "0.120.3";
  src = fetchFromGitHub {
    owner = "gohugoio";
    repo = pname;
    rev = "refs/tags/v${version}";
-    hash = "sha256-hCcutRfx0GtnYJYoQ/2S8Y+OmxLCtHWzTCdozWUatXY=";
+    hash = "sha256-96ikGGKw9IN/ch199oFcucp8aVR+fEiAWBeu39J2Osw=";
  };
-  vendorHash = "sha256-59Q7IN7VK7tQv5w7qyxSz16G+Kmsrslu8we9S3aJeAg=";
+  vendorHash = "sha256-kUKnoUQzLbi0ssxvK2viNTHLtqx8vaHLYXO8ZWU2rmw=";
  doCheck = false;
--- a/pkgs/applications/networking/instant-messengers/telegram/telegram-desktop/default.nix
+++ b/pkgs/applications/networking/instant-messengers/telegram/telegram-desktop/default.nix
@ -104,14 +104,14 @@ let
 in
 stdenv.mkDerivation rec {
  pname = "telegram-desktop";
-  version = "4.11.2";
+  version = "4.11.3";
  src = fetchFromGitHub {
    owner = "telegramdesktop";
    repo = "tdesktop";
    rev = "v${version}";
    fetchSubmodules = true;
-    hash = "sha256-Hjg349h9dlBfKVLIPDqPP8U+Yt0Iaeyjq6hsUB5+zYM=";
+    hash = "sha256-Xjb8um3TA2yIPrCdEV1BJ10keyAqTnlU20ZZ0T3P3ls=";
  };
  patches = [
--- a/pkgs/by-name/ve/vesktop/package.nix
+++ b/pkgs/by-name/ve/vesktop/package.nix
@ -53,7 +53,10 @@ stdenv.mkDerivation rec {
    dontFixup = true;
    outputHashMode = "recursive";
-    outputHash = "sha256-KDJ8QmpwGb2lOdwWEl5y62pJiqEvpI59StfQZrN1PPE=";
+    outputHash = {
      "aarch64-linux" = "sha256-Fkfq8vBfNXdndVb17aZOTvIOAyiccDzyuFvg6kDy7QI=";
      "x86_64-linux" = "sha256-KDJ8QmpwGb2lOdwWEl5y62pJiqEvpI59StfQZrN1PPE=";
    }.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
  };
  nativeBuildInputs = [
@ -105,7 +108,7 @@ stdenv.mkDerivation rec {
      runHook preInstall
      mkdir -p $out/opt/Vesktop/resources
-      cp dist/linux-unpacked/resources/app.asar $out/opt/Vesktop/resources
+      cp dist/linux-*unpacked/resources/app.asar $out/opt/Vesktop/resources
      pushd build
      ${libicns}/bin/icns2png -x icon.icns
@ -141,6 +144,5 @@ stdenv.mkDerivation rec {
    maintainers = with maintainers; [ getchoo Scrumplex vgskye ];
    platforms = [ "x86_64-linux" "aarch64-linux" ];
    mainProgram = "vencorddesktop";
    broken = stdenv.hostPlatform.isAarch64;
  };
 }
--- a/pkgs/development/libraries/jemalloc/default.nix
+++ b/pkgs/development/libraries/jemalloc/default.nix
@ -50,7 +50,8 @@ stdenv.mkDerivation rec {
  env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.isDarwin "-Wno-error=array-bounds";
  env.NIX_LDFLAGS = lib.optionalString (stdenv.cc.libcxx != null) "-l${stdenv.cc.libcxx.cxxabi.libName}";
-  doCheck = true;
+  # Tries to link test binaries binaries dynamically and fails
  doCheck = !stdenv.hostPlatform.isStatic;
  enableParallelBuilding = true;
--- a/pkgs/development/libraries/qt-5/5.15/default.nix
+++ b/pkgs/development/libraries/qt-5/5.15/default.nix
@ -12,7 +12,6 @@ Check for any minor version changes.
 , bison, cups ? null, harfbuzz, libGL, perl, python3
 , gstreamer, gst-plugins-base, gtk3, dconf
 , darwin
 , buildPackages
  # options
 , developerBuild ? false
@ -218,32 +217,24 @@ let
    qttools = [ ./qttools.patch ];
  };
-  addPackages = self: with self;
+  addPackages = self:
    let
-      qtModule =
+      qtModule = callPackage ../qtModule.nix {
-        import ../qtModule.nix
+        inherit patches;
-        {
+        # Use a variant of mkDerivation that does not include wrapQtApplications
-          inherit perl;
+        # to avoid cyclic dependencies between Qt modules.
-          inherit lib;
+        mkDerivation =
-          # Use a variant of mkDerivation that does not include wrapQtApplications
+          (callPackage ../mkDerivation.nix { wrapQtAppsHook = null; }) stdenv.mkDerivation;
-          # to avoid cyclic dependencies between Qt modules.
+      };
          mkDerivation =
            import ../mkDerivation.nix
            { inherit lib; inherit debug; wrapQtAppsHook = null; }
            stdenv.mkDerivation;
        }
        { inherit self srcs patches; };
      callPackage = self.newScope { inherit qtCompatVersion qtModule srcs stdenv; };
    in {
      inherit callPackage qtCompatVersion qtModule srcs;
-      mkDerivationWith =
+      mkDerivationWith = callPackage ../mkDerivation.nix { };
        import ../mkDerivation.nix
        { inherit lib; inherit debug; inherit (self) wrapQtAppsHook; };
-      mkDerivation = mkDerivationWith stdenv.mkDerivation;
+      mkDerivation = callPackage ({ mkDerivationWith }: mkDerivationWith stdenv.mkDerivation) { };
      qtbase = callPackage ../modules/qtbase.nix {
        inherit (srcs.qtbase) src version;
@ -325,7 +316,9 @@ let
      qtxmlpatterns = callPackage ../modules/qtxmlpatterns.nix {};
      env = callPackage ../qt-env.nix {};
-      full = env "qt-full-${qtbase.version}" ([
+      full = callPackage ({ env, qtbase }: env "qt-full-${qtbase.version}") { }
      # `with self` is ok to use here because having these spliced is unnecessary
      (with self; [
        qt3d qtcharts qtconnectivity qtdeclarative qtdoc qtgraphicaleffects
        qtimageformats qtlocation qtmultimedia qtquickcontrols qtquickcontrols2
        qtscript qtsensors qtserialport qtsvg qttools qttranslations
@ -334,20 +327,20 @@ let
      ] ++ lib.optional (!stdenv.isDarwin) qtwayland
        ++ lib.optional (stdenv.isDarwin) qtmacextras);
-      qmake = makeSetupHook {
+      qmake = callPackage ({ qtbase }: makeSetupHook {
        name = "qmake-hook";
-        propagatedBuildInputs = [ self.qtbase.dev ];
+        propagatedBuildInputs = [ qtbase.dev ];
        substitutions = {
          inherit debug;
          fix_qmake_libtool = ../hooks/fix-qmake-libtool.sh;
        };
-      } ../hooks/qmake-hook.sh;
+      } ../hooks/qmake-hook.sh) { };
-      wrapQtAppsHook = makeSetupHook {
+      wrapQtAppsHook = callPackage ({ makeBinaryWrapper, qtbase, qtwayland }: makeSetupHook {
        name = "wrap-qt5-apps-hook";
-        propagatedBuildInputs = [ self.qtbase.dev buildPackages.makeBinaryWrapper ]
+        propagatedBuildInputs = [ qtbase.dev makeBinaryWrapper ]
-          ++ lib.optional stdenv.isLinux self.qtwayland.dev;
+          ++ lib.optional stdenv.isLinux qtwayland.dev;
-      } ../hooks/wrap-qt-apps-hook.sh;
+      } ../hooks/wrap-qt-apps-hook.sh) { };
    };
  baseScope = makeScopeWithSplicing' {
--- a/pkgs/development/libraries/qt-5/mkDerivation.nix
+++ b/pkgs/development/libraries/qt-5/mkDerivation.nix
@ -1,6 +1,4 @@
-{ lib, debug, wrapQtAppsHook }:
+{ wrapQtAppsHook }:
 let inherit (lib) optional; in
 mkDerivation:
--- a/pkgs/development/libraries/qt-5/qtModule.nix
+++ b/pkgs/development/libraries/qt-5/qtModule.nix
@ -1,9 +1,7 @@
-{ lib, mkDerivation, perl }:
+{ lib, mkDerivation, perl, qmake, patches, srcs }:
 let inherit (lib) licenses maintainers platforms; in
 { self, srcs, patches }:
 args:
 let
@ -16,7 +14,7 @@ mkDerivation (args // {
  inherit pname version src;
  patches = (args.patches or []) ++ (patches.${pname} or []);
-  nativeBuildInputs = (args.nativeBuildInputs or []) ++ [ perl self.qmake ];
+  nativeBuildInputs = (args.nativeBuildInputs or []) ++ [ perl qmake ];
  propagatedBuildInputs =
    (lib.warnIf (args ? qtInputs) "qt5.qtModule's qtInputs argument is deprecated" args.qtInputs or []) ++
    (args.propagatedBuildInputs or []);
--- a/pkgs/development/python-modules/home-assistant-chip-clusters/default.nix
+++ b/pkgs/development/python-modules/home-assistant-chip-clusters/default.nix
@ -7,7 +7,7 @@
 buildPythonPackage rec {
  pname = "home-assistant-chip-clusters";
-  version = "2023.10.1";
+  version = "2023.10.2";
  format = "wheel";
  src = fetchPypi {
@ -15,7 +15,7 @@ buildPythonPackage rec {
    pname = "home_assistant_chip_clusters";
    dist = "py3";
    python = "py3";
-    hash = "sha256-KI5idrD8SIpzSYopELYWJJaaiAFQzwRwhFBfb4BEw2o=";
+    hash = "sha256-wAXxz0BryZ6i0yaqNp74PfApwMHYQuSLz5prJEiG1YE=";
  };
  propagatedBuildInputs = [
--- a/pkgs/development/python-modules/home-assistant-chip-core/default.nix
+++ b/pkgs/development/python-modules/home-assistant-chip-core/default.nix
@ -28,7 +28,7 @@
 buildPythonPackage rec {
  pname = "home-assistant-chip-core";
-  version = "2023.10.1";
+  version = "2023.10.2";
  format = "wheel";
  disabled = pythonOlder "3.7";
@ -37,11 +37,11 @@ buildPythonPackage rec {
    system = {
      "aarch64-linux" = {
        name = "aarch64";
-        hash = "sha256-wmavXr7WL9q7u8lnOaEWbRs3rlagBd9ovhxzRbjnrwY=";
+        hash = "sha256-KBFXFD5cSVgE57S1cHghU3kPDrbRquAARN95UriPCnM=";
      };
      "x86_64-linux" = {
        name = "x86_64";
-        hash = "sha256-mffjJtn0LmRz9DOWMMw9soYDDm/M1C5Tdj6YbWHaq2o=";
+        hash = "sha256-9x7pjgERvsBuyol8LiuPOlFZ5Up92N9HYg1mH9/0HAU=";
      };
    }.${stdenv.system} or (throw "Unsupported system");
  in fetchPypi {
--- a/pkgs/development/python-modules/python-matter-server/default.nix
+++ b/pkgs/development/python-modules/python-matter-server/default.nix
@ -28,7 +28,7 @@
 buildPythonPackage rec {
  pname = "python-matter-server";
-  version = "4.0.0";
+  version = "4.0.1";
  format = "pyproject";
  disabled = pythonOlder "3.10";
@ -37,7 +37,7 @@ buildPythonPackage rec {
    owner = "home-assistant-libs";
    repo = "python-matter-server";
    rev = "refs/tags/${version}";
-    hash = "sha256-7MBQo4jzBU/n7gVdGzVHlQl8Vj3OjfK4gk1vhLQQUE0=";
+    hash = "sha256-zCw5sj+UgY0egjXGzcbOb7VATeLY80+8Mv9owmdA+f0=";
  };
  nativeBuildInputs = [
--- a/pkgs/development/tools/rust/cargo-release/Cargo.lock
+++ b/pkgs/development/tools/rust/cargo-release/Cargo.lock
--- a/pkgs/development/tools/rust/cargo-release/default.nix
+++ b/pkgs/development/tools/rust/cargo-release/default.nix
@ -12,13 +12,13 @@
 rustPlatform.buildRustPackage rec {
  pname = "cargo-release";
-  version = "0.24.12";
+  version = "0.25.0";
  src = fetchFromGitHub {
    owner = "crate-ci";
    repo = "cargo-release";
    rev = "refs/tags/v${version}";
-    hash = "sha256-dB5gpaY6OB/IjMvqLUMH41l6Q/xMookxfVGXRcdhcBM=";
+    hash = "sha256-UJdGbuQfvlZHjCKyHCXPDJ5AdUWJCRUS/vNeTKAwyYI=";
  };
  cargoLock = {
@ -37,7 +37,7 @@ rustPlatform.buildRustPackage rec {
    openssl
  ] ++ lib.optionals stdenv.isDarwin [
    curl
-    darwin.apple_sdk.frameworks.Security
+    darwin.apple_sdk.frameworks.SystemConfiguration
  ];
  nativeCheckInputs = [
--- a/pkgs/servers/mail/postfix/default.nix
+++ b/pkgs/servers/mail/postfix/default.nix
@ -25,11 +25,11 @@ let
 in stdenv.mkDerivation rec {
  pname = "postfix";
-  version = "3.8.2";
+  version = "3.8.3";
  src = fetchurl {
    url = "http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/${pname}-${version}.tar.gz";
-    hash = "sha256-Z5CQPNu14ORxlmkeuaXyz4BQJi3vlB4Dnm1L9AQ6XjA=";
+    hash = "sha256-FpRsmHSnhqCfU7F9HIPcH6rjXL+AurNKsBeYtwQglos=";
  };
  nativeBuildInputs = [ makeWrapper m4 ];
--- a/pkgs/tools/nix/nixdoc/default.nix
+++ b/pkgs/tools/nix/nixdoc/default.nix
@ -2,16 +2,16 @@
 rustPlatform.buildRustPackage rec {
  pname = "nixdoc";
-  version = "2.4.0";
+  version = "2.5.1";
  src = fetchFromGitHub {
    owner = "nix-community";
    repo = "nixdoc";
    rev = "v${version}";
-    sha256 = "sha256-cEMehtxkqXAar/fDy3CnzsDEAuC1ABBaYqzqVBGnTrs=";
+    sha256 = "sha256-QgKzpFdzisWD6DZxs1LsKINBr/bSYQILpEu5RdcNgbc=";
  };
-  cargoHash = "sha256-QFDHIqXyTWTdqNrLcwWw3plX6EDH/k043nay5opjtws=";
+  cargoHash = "sha256-MztvOV1yAOgpwPYOUUZb7XHKhhhd/fvKPIFbsnMdhAQ=";
  buildInputs = lib.optionals stdenv.isDarwin [ darwin.Security ];
--- a/pkgs/tools/security/ssh-audit/default.nix
+++ b/pkgs/tools/security/ssh-audit/default.nix
@ -1,5 +1,6 @@
 { lib
 , fetchFromGitHub
 , nixosTests
 , python3Packages
 }:
@ -19,6 +20,10 @@ python3Packages.buildPythonApplication rec {
    pytestCheckHook
  ];
  passthru.tests = {
    inherit (nixosTests) ssh-audit;
  };
  meta = with lib; {
    description = "Tool for ssh server auditing";
    homepage = "https://github.com/jtesta/ssh-audit";
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -24680,7 +24680,7 @@ with pkgs;
      inherit (__splicedPackages)
        makeScopeWithSplicing' generateSplicesForMkScope lib fetchurl fetchpatch fetchgit fetchFromGitHub makeSetupHook makeWrapper
        bison cups dconf harfbuzz libGL perl gtk3 python3
-        darwin buildPackages;
+        darwin;
      inherit (__splicedPackages.gst_all_1) gstreamer gst-plugins-base;
      inherit config;
      stdenv = if stdenv.isDarwin then overrideSDK stdenv "11.0" else stdenv;