diff --git a/lib/types.nix b/lib/types.nix index 354714b28733..d7655bc1a6a2 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -55,6 +55,7 @@ let concatMapStringsSep concatStringsSep escapeNixString + hasInfix isCoercibleToString ; inherit (lib.trivial) @@ -360,6 +361,11 @@ rec { deprecationMessage = "See https://github.com/NixOS/nixpkgs/pull/66346 for better alternative types."; }; + passwdEntry = entryType: addCheck entryType (str: !(hasInfix ":" str || hasInfix "\n" str)) // { + name = "passwdEntry ${entryType.name}"; + description = "${entryType.description}, not containing newlines or colons"; + }; + attrs = mkOptionType { name = "attrs"; description = "attribute set"; diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index d3bdf218c339..85dfb9365619 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -6,12 +6,6 @@ let ids = config.ids; cfg = config.users; - isPasswdCompatible = str: !(hasInfix ":" str || hasInfix "\n" str); - passwdEntry = type: lib.types.addCheck type isPasswdCompatible // { - name = "passwdEntry ${type.name}"; - description = "${type.description}, not containing newlines or colons"; - }; - # Check whether a password hash will allow login. allowsLogin = hash: hash == "" # login without password @@ -60,7 +54,7 @@ let options = { name = mkOption { - type = passwdEntry types.str; + type = types.passwdEntry types.str; apply = x: assert (builtins.stringLength x < 32 || abort "Username '${x}' is longer than 31 characters which is not allowed!"); x; description = '' The name of the user account. If undefined, the name of the @@ -69,7 +63,7 @@ let }; description = mkOption { - type = passwdEntry types.str; + type = types.passwdEntry types.str; default = ""; example = "Alice Q. User"; description = '' 
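Review bot: The new `passwdEntry` in lib/types.nix has no comment explaining why exactly `:` and `\n` are rejected, and as a public `lib.types` member it will be reused by other modules. I would add above it `# Wraps a string-like type and rejects ':' and newlines, the field and record separators of passwd-style files, so a value cannot add fields or entries.` The check also calls `hasInfix` on whatever `entryType` accepts. With `types.path`, as used in users-groups.nix in this commit, that may be a path value or a derivation rather than a plain string, so it is worth confirming that `hasInfix` coerces those as intended.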
@@ -134,7 +128,7 @@ let }; home = mkOption { - type = passwdEntry types.path; + type = types.passwdEntry types.path; default = "/var/empty"; description = "The user's home directory."; }; @@ -169,7 +163,7 @@ let }; shell = mkOption { - type = types.nullOr (types.either types.shellPackage (passwdEntry types.path)); + type = types.nullOr (types.either types.shellPackage (types.passwdEntry types.path)); default = pkgs.shadow; defaultText = literalExpression "pkgs.shadow"; example = literalExpression "pkgs.bashInteractive"; @@ -349,7 +343,7 @@ let options = { name = mkOption { - type = passwdEntry types.str; + type = types.passwdEntry types.str; description = '' The name of the group. If undefined, the name of the attribute set will be used. diff --git a/nixos/modules/services/mail/mailman.nix b/nixos/modules/services/mail/mailman.nix index 11ea169fe269..f08605218a53 100644 --- a/nixos/modules/services/mail/mailman.nix +++ b/nixos/modules/services/mail/mailman.nix @@ -44,7 +44,13 @@ let transport_file_type: hash ''; - mailmanCfg = lib.generators.toINI {} cfg.settings; + mailmanCfg = lib.generators.toINI {} + (recursiveUpdate cfg.settings + ((optionalAttrs (cfg.restApiPassFile != null) { + webservice.admin_pass = "#NIXOS_MAILMAN_REST_API_PASS_SECRET#"; + }))); + + mailmanCfgFile = pkgs.writeText "mailman-raw.cfg" mailmanCfg; mailmanHyperkittyCfg = pkgs.writeText "mailman-hyperkitty.cfg" '' [general] @@ -247,6 +253,14 @@ in { ''; }; + restApiPassFile = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + Path to the file containing the value for MAILMAN_REST_API_PASS. + ''; + }; + serve = { enable = mkEnableOption "Automatic nginx and uwsgi setup for mailman-web"; }; @@ -363,8 +377,6 @@ in { }; users.groups.mailman = {}; - environment.etc."mailman.cfg".text = mailmanCfg; - environment.etc."mailman3/settings.py".text = '' import os 
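Review bot: The description of `restApiPassFile` does not say that the file is read at runtime, once by the `replace-secret` call in the settings script and once by the generated `settings.py`, both added later in this commit. It therefore has to be readable by whichever users run those two, and it should live outside the Nix store. I would extend the text to something like `Path to a file containing the REST API password (MAILMAN_REST_API_PASS). Read at runtime; must not be a Nix store path.` Note also that `recursiveUpdate` in the `mailmanCfg` hunk silently overrides any `settings.webservice.admin_pass` the user set once this option is non-null, which deserves a sentence in the description.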
@@ -383,6 +395,11 @@ in { with open('/var/lib/mailman-web/settings_local.json') as f: globals().update(json.load(f)) + ${optionalString (cfg.restApiPassFile != null) '' + with open('${cfg.restApiPassFile}') as f: + MAILMAN_REST_API_PASS = f.read().rstrip('\n') + ''} + ${optionalString (cfg.ldap.enable) '' import ldap from django_auth_ldap.config import LDAPSearch, ${cfg.ldap.groupSearch.type} @@ -456,7 +473,7 @@ in { after = [ "network.target" ] ++ lib.optional cfg.enablePostfix "postfix-setup.service" ++ lib.optional withPostgresql "postgresql.service"; - restartTriggers = [ config.environment.etc."mailman.cfg".source ]; + restartTriggers = [ mailmanCfgFile ]; requires = optional withPostgresql "postgresql.service"; wantedBy = [ "multi-user.target" ]; serviceConfig = { @@ -480,6 +497,14 @@ in { requires = optional withPostgresql "postgresql.service"; serviceConfig.Type = "oneshot"; script = '' + install -m0750 -o mailman -g mailman ${mailmanCfgFile} /etc/mailman.cfg + ${optionalString (cfg.restApiPassFile != null) '' + ${pkgs.replace-secret}/bin/replace-secret \ + '#NIXOS_MAILMAN_REST_API_PASS_SECRET#' \ + ${cfg.restApiPassFile} \ + /etc/mailman.cfg + ''} + mailmanDir=/var/lib/mailman mailmanWebDir=/var/lib/mailman-web @@ -560,7 +585,7 @@ in { mailman-daily = { description = "Trigger daily Mailman events"; startAt = "daily"; - restartTriggers = [ config.environment.etc."mailman.cfg".source ]; + restartTriggers = [ mailmanCfgFile ]; serviceConfig = { ExecStart = "${mailmanEnv}/bin/mailman digests --send"; User = "mailman"; diff --git a/nixos/modules/services/web-apps/atlassian/confluence.nix b/nixos/modules/services/web-apps/atlassian/confluence.nix index 28491fb3a4ee..4aad307731ab 100644 --- a/nixos/modules/services/web-apps/atlassian/confluence.nix +++ b/nixos/modules/services/web-apps/atlassian/confluence.nix 
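Review bot: `open('${cfg.restApiPassFile}')` splices the option value into a Python string literal unescaped, so a path containing a single quote or a backslash produces a broken or altered `settings.py`. `with open(${builtins.toJSON cfg.restApiPassFile}) as f:` emits a properly quoted literal instead. If the file is missing or unreadable for the process that imports these settings, the import fails at startup. The rest of the settings file lies outside the hunk, so which user that is cannot be checked here.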
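Review bot: `install -m0750` sets execute bits on `/etc/mailman.cfg`, which holds the REST API password once `replace-secret` has run. `install -m0640 -o mailman -g mailman ${mailmanCfgFile} /etc/mailman.cfg` is enough, or `0600` if nothing in the group reads it. `${cfg.restApiPassFile}` is also interpolated into the script unquoted; `${lib.escapeShellArg cfg.restApiPassFile} \` keeps a path with spaces or shell metacharacters as a single argument. The file is no longer managed through `environment.etc`, so it presumably stays on disk after the module is disabled, which is worth a comment. The script continues outside the hunk.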
@@ -8,21 +8,22 @@ let pkg = cfg.package.override (optionalAttrs cfg.sso.enable { enableSSO = cfg.sso.enable; - crowdProperties = '' - application.name ${cfg.sso.applicationName} - application.password ${cfg.sso.applicationPassword} - application.login.url ${cfg.sso.crowd}/console/ - - crowd.server.url ${cfg.sso.crowd}/services/ - crowd.base.url ${cfg.sso.crowd}/ - - session.isauthenticated session.isauthenticated - session.tokenkey session.tokenkey - session.validationinterval ${toString cfg.sso.validationInterval} - session.lastvalidation session.lastvalidation - ''; }); + crowdProperties = pkgs.writeText "crowd.properties" '' + application.name ${cfg.sso.applicationName} + application.password ${if cfg.sso.applicationPassword != null then cfg.sso.applicationPassword else "@NIXOS_CONFLUENCE_CROWD_SSO_PWD@"} + application.login.url ${cfg.sso.crowd}/console/ + + crowd.server.url ${cfg.sso.crowd}/services/ + crowd.base.url ${cfg.sso.crowd}/ + + session.isauthenticated session.isauthenticated + session.tokenkey session.tokenkey + session.validationinterval ${toString cfg.sso.validationInterval} + session.lastvalidation session.lastvalidation + ''; + in { @@ -107,10 +108,17 @@ in }; applicationPassword = mkOption { - type = types.str; + type = types.nullOr types.str; + default = null; description = "Application password of this Confluence instance in Crowd"; }; + applicationPasswordFile = mkOption { + type = types.nullOr types.str; + default = null; + description = "Path to the application password for Crowd of Confluence."; + }; + validationInterval = mkOption { type = types.int; default = 2; 
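Review bot: When the deprecated `applicationPassword` is set, the `if` inside `crowdProperties` still writes the plaintext password into the `pkgs.writeText` output, which is the world-readable Nix store. Only the `applicationPasswordFile` path keeps the secret out of it. The option description in the next hunk should say so, e.g. `Application password of this Confluence instance in Crowd. Deprecated: the value ends up in the world-readable Nix store, use applicationPasswordFile instead.` The description of `applicationPasswordFile` could likewise state that the file is read at service start and must not be a store path.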
@@ -147,6 +155,16 @@ in group = cfg.group; }; + assertions = [ + { assertion = cfg.sso.enable -> ((cfg.sso.applicationPassword == null) != (cfg.sso.applicationPasswordFile)); + message = "Please set either applicationPassword or applicationPasswordFile"; + } + ]; + + warnings = mkIf (cfg.sso.enable && cfg.sso.applicationPassword != null) [ + "Using `services.confluence.sso.applicationPassword` is deprecated! Use `applicationPasswordFile` instead!" + ]; + users.groups.${cfg.group} = {}; systemd.tmpfiles.rules = [ @@ -173,6 +191,7 @@ in CONF_USER = cfg.user; JAVA_HOME = "${cfg.jrePackage}"; CATALINA_OPTS = concatStringsSep " " cfg.catalinaOptions; + JAVA_OPTS = mkIf cfg.sso.enable "-Dcrowd.properties=${cfg.home}/crowd.properties"; }; preStart = '' @@ -183,6 +202,16 @@ in -e 's,protocol="org.apache.coyote.http11.Http11NioProtocol",protocol="org.apache.coyote.http11.Http11NioProtocol" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}",' \ '') + '' ${pkg}/conf/server.xml.dist > ${cfg.home}/server.xml + + ${optionalString cfg.sso.enable '' + install -m660 ${crowdProperties} ${cfg.home}/crowd.properties + ${optionalString (cfg.sso.applicationPasswordFile != null) '' + ${pkgs.replace-secret}/bin/replace-secret \ + '@NIXOS_CONFLUENCE_CROWD_SSO_PWD@' \ + ${cfg.sso.applicationPasswordFile} \ + ${cfg.home}/crowd.properties + ''} + ''} ''; serviceConfig = { diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index a5461fd2ac46..5732138cec84 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix @@ -192,7 +192,7 @@ in { }; emergencyAccess = mkOption { - type = with types; oneOf [ bool singleLineStr ]; + type = with types; oneOf [ bool (nullOr (passwdEntry str)) ]; visible = false; description = '' Set to true for unauthenticated emergency access, and false for 
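Review bot: The assertion compares a boolean with the option value itself, because `(cfg.sso.applicationPassword == null) != (cfg.sso.applicationPasswordFile)` lacks `== null` on the right-hand side. A bool never equals a string or null in Nix, so the inequality is always true and the assertion cannot fail. With neither option set, the `@NIXOS_CONFLUENCE_CROWD_SSO_PWD@` placeholder is left as the password in crowd.properties; with both set, the file is effectively unused. The line should read `{ assertion = cfg.sso.enable -> ((cfg.sso.applicationPassword == null) != (cfg.sso.applicationPasswordFile == null));`.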
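Review bot: `install -m660` in the preStart hunk leaves `crowd.properties`, which holds the Crowd application password, readable and writable by the group. Unless another member of `cfg.group` needs it, `install -m600 ${crowdProperties} ${cfg.home}/crowd.properties` is the tighter choice. `${cfg.sso.applicationPasswordFile}` is interpolated unquoted as well; `${lib.escapeShellArg cfg.sso.applicationPasswordFile} \` avoids word splitting on unusual paths. preStart begins outside the hunk, so which user runs it is not visible here.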
diff --git a/pkgs/applications/blockchains/lightning-loop/default.nix b/pkgs/applications/blockchains/lightning-loop/default.nix index 7efba6de079d..4e696ddbda30 100644 --- a/pkgs/applications/blockchains/lightning-loop/default.nix +++ b/pkgs/applications/blockchains/lightning-loop/default.nix @@ -5,16 +5,16 @@ buildGoModule rec { pname = "lightning-loop"; - version = "0.19.1-beta"; + version = "0.20.0-beta"; src = fetchFromGitHub { owner = "lightninglabs"; repo = "loop"; rev = "v${version}"; - sha256 = "08jn1ybh9l9qy4j9b3psvgk7b869aaabpxh73v81980qflb9snnc"; + sha256 = "1nx7i4i96982z756r79655hjf0yyz5l9lqjkvyvb62pbzqgm6my8"; }; - vendorSha256 = "0wirlf43jl888bh2qxis1ihsr1g2lp2rx7p100dsb3imqbm25q3b"; + vendorSha256 = "0gp89fw6g8mz2ifn9wcbj84dgm736cspfxj2x34b524l2d8wz3lb"; subPackages = [ "cmd/loop" "cmd/loopd" ]; diff --git a/pkgs/applications/networking/irc/weechat/scripts/default.nix b/pkgs/applications/networking/irc/weechat/scripts/default.nix index a3cf55d6a034..f84e2307acb1 100644 --- a/pkgs/applications/networking/irc/weechat/scripts/default.nix +++ b/pkgs/applications/networking/irc/weechat/scripts/default.nix @@ -11,6 +11,8 @@ url_hint = callPackage ./url_hint { }; + weechat-grep = callPackage ./weechat-grep { }; + weechat-matrix-bridge = callPackage ./weechat-matrix-bridge { inherit (luaPackages) cjson luaffi; }; diff --git a/pkgs/applications/networking/irc/weechat/scripts/weechat-autosort/default.nix b/pkgs/applications/networking/irc/weechat/scripts/weechat-autosort/default.nix index 49e74e0203ac..c20d8f0a8079 100644 --- a/pkgs/applications/networking/irc/weechat/scripts/weechat-autosort/default.nix +++ b/pkgs/applications/networking/irc/weechat/scripts/weechat-autosort/default.nix 
@@ -2,13 +2,13 @@ stdenv.mkDerivation rec { pname = "weechat-autosort"; - version = "3.8"; + version = "3.9"; src = fetchFromGitHub { owner = "de-vri-es"; repo = pname; - rev = version; - sha256 = "0a2gc8nhklvlivradhqy2pkymsqyy01pvzrmwg60cln8snmcqpd5"; + rev = "d62fa8633015ebc2676060fcdae88c402977be46"; + sha256 = "sha256-doYDRIWiuHam2i3r3J3BZuWEhopoN4jms/xPXGyypok="; }; passthru.scripts = [ "autosort.py" ]; @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { meta = with lib; { description = "Autosort is a weechat script to automatically or manually keep your buffers sorted"; homepage = "https://github.com/de-vri-es/weechat-autosort"; - license = licenses.gpl3; - maintainers = with maintainers; [ emily ]; + license = licenses.gpl3Plus; + maintainers = with maintainers; [ emily flokli ]; }; } diff --git a/pkgs/applications/networking/irc/weechat/scripts/weechat-grep/default.nix b/pkgs/applications/networking/irc/weechat/scripts/weechat-grep/default.nix new file mode 100644 index 000000000000..efc575bd3e29 --- /dev/null +++ b/pkgs/applications/networking/irc/weechat/scripts/weechat-grep/default.nix @@ -0,0 +1,29 @@ +{ lib, stdenv, fetchurl }: + +stdenv.mkDerivation rec { + pname = "weechat-grep"; + version = "0.8.5"; + + src = fetchurl { + url = "https://github.com/weechat/scripts/raw/5ee93d56f371c829d2798a5446a14292c180f70b/python/grep.py"; + sha256 = "sha256-EVcoxjTTjXOYD8DppD+IULxpKerEdolmlgphrulFGC0="; + }; + + dontUnpack = true; + + installPhase = '' + mkdir -p $out/share + cp $src $out/share/grep.py + ''; + + passthru = { + scripts = [ "grep.py" ]; + }; + + meta = with lib; { + description = "Search in Weechat buffers and logs (for Weechat 0.3.*)"; + homepage = "https://github.com/weechat/scripts/blob/master/python/grep.py"; + license = licenses.gpl3Plus; + maintainers = with maintainers; [ flokli ]; + }; +} diff --git a/pkgs/development/libraries/libdigidocpp/default.nix b/pkgs/development/libraries/libdigidocpp/default.nix index c99e96863d33..7d34388aea39 100644 
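Review bot: The custom `installPhase` of the new weechat-grep derivation does not run the phase hooks, so overrides that rely on `preInstall`/`postInstall` are skipped. The nixpkgs convention is to open it with `runHook preInstall` and close it with `runHook postInstall`. Pinning the URL to a commit together with `sha256` is good. A short comment such as `# bump version together with the commit in url` would help, since nothing ties `version = "0.8.5"` to that commit.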
--- a/pkgs/development/libraries/libdigidocpp/default.nix +++ b/pkgs/development/libraries/libdigidocpp/default.nix @@ -2,26 +2,14 @@ , xercesc, xml-security-c, pkg-config, xsd, zlib, xalanc, xxd }: stdenv.mkDerivation rec { - version = "3.14.8"; + version = "3.14.10"; pname = "libdigidocpp"; src = fetchurl { url = "https://github.com/open-eid/libdigidocpp/releases/download/v${version}/libdigidocpp-${version}.tar.gz"; - sha256 = "sha256-U5i5IAyJF4359q6M6mQemEuG7+inPYIXqLy8GHv4dkg="; + hash = "sha256-n/+R4ho1Qcft3YSKE12oxZjbFHAsUDwoLFNuk5GXf5c="; }; - patches = [ - (fetchpatch { - # fix runtime crashes when signing with OpenSSL>1.1.1l - # https://github.com/open-eid/libdigidocpp/issues/474 asks for a new release - url = "https://github.com/open-eid/libdigidocpp/commit/42a8cfd834c10bdd206fe784a13217df222b1c8e.patch"; - sha256 = "sha256-o3ZT0dXhIu79C5ZR+2HPdLMZ3YwPG1v3vly5bseuxtU="; - excludes = [ - ".github/workflows/build.yml" # failed hunk - ]; - }) - ]; - nativeBuildInputs = [ cmake pkg-config xxd ]; buildInputs = [ diff --git a/pkgs/development/python-modules/jupyterlab/default.nix b/pkgs/development/python-modules/jupyterlab/default.nix index 77d2fd24c512..7093f4109519 100644 --- a/pkgs/development/python-modules/jupyterlab/default.nix +++ b/pkgs/development/python-modules/jupyterlab/default.nix @@ -10,14 +10,14 @@ buildPythonPackage rec { pname = "jupyterlab"; - version = "3.4.3"; + version = "3.4.4"; format = "setuptools"; disabled = pythonOlder "3.7"; src = fetchPypi { inherit pname version; - sha256 = "sha256-4tzEDpQ2bd5d5LGejEPuEzzwQbhS0Bo2JafPKVMtpJ0="; + sha256 = "sha256-WioP3SK9hiitRbYY41IDh8MqSBjjrxEtutH2STBN/CA="; }; nativeBuildInputs = [ diff --git a/pkgs/development/python-modules/python-manilaclient/default.nix b/pkgs/development/python-modules/python-manilaclient/default.nix index 4c16d886e5fd..d0a8fc3a0fc6 100644 --- a/pkgs/development/python-modules/python-manilaclient/default.nix 
+++ b/pkgs/development/python-modules/python-manilaclient/default.nix @@ -23,14 +23,12 @@ buildPythonApplication rec { pname = "python-manilaclient"; - version = "3.4.0"; + version = "4.0.0"; format = "setuptools"; - disabled = pythonOlder "3.6"; - src = fetchPypi { inherit pname version; - hash = "sha256-F41/k7NJigwFNw2946sj3dZDKDH+PkgOjkml9t3Mgtw="; + hash = "sha256-TEGzUNgYTkb2VrvW2E3lurD6N1XcIhH2tjmPlsJ/5MI="; }; nativeBuildInputs = [ diff --git a/pkgs/servers/atlassian/confluence.nix b/pkgs/servers/atlassian/confluence.nix index ed8447accf86..03d78aeeefe2 100644 --- a/pkgs/servers/atlassian/confluence.nix +++ b/pkgs/servers/atlassian/confluence.nix @@ -6,7 +6,14 @@ assert withMysql -> (mysql_jdbc != null); -stdenvNoCC.mkDerivation rec { +let + optionalWarning = cond: msg: + if cond then lib.warn msg + else lib.id; +in + +optionalWarning (crowdProperties != null) "Using `crowdProperties` is deprecated!" +(stdenvNoCC.mkDerivation rec { pname = "atlassian-confluence"; version = "7.18.1"; @@ -45,6 +52,6 @@ stdenvNoCC.mkDerivation rec { homepage = "https://www.atlassian.com/software/confluence"; sourceProvenance = with sourceTypes; [ binaryBytecode ]; license = licenses.unfree; - maintainers = with maintainers; [ fpletz globin willibutz ciil techknowlogick ]; + maintainers = with maintainers; [ fpletz globin willibutz ciil techknowlogick ma27 ]; }; -} +}) diff --git a/pkgs/tools/misc/vimv-rs/default.nix b/pkgs/tools/misc/vimv-rs/default.nix index 6f20ad277753..2a0b51b03fbc 100644 --- a/pkgs/tools/misc/vimv-rs/default.nix +++ b/pkgs/tools/misc/vimv-rs/default.nix 
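Review bot: The deprecation text passed to `optionalWarning` in pkgs/servers/atlassian/confluence.nix gives neither a reason nor a replacement, so a user who hits it does not learn what to change. I would word it along the lines of `"Using crowdProperties is deprecated; use services.confluence.sso.applicationPasswordFile so the Crowd password is not embedded in the package."` The reason is presumably that the string carries `application.password`, as the module hunk earlier in this commit suggests. Whether the derivation body still consumes `crowdProperties` lies outside the hunks shown.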
@@ -2,15 +2,15 @@ rustPlatform.buildRustPackage rec { pname = "vimv-rs"; - version = "1.7.5"; + version = "1.7.7"; src = fetchCrate { inherit version; crateName = "vimv"; - sha256 = "sha256-VOHQLdwJ6c8KB/IjMDZe9/pNHmLuouNggIK8uJPu+NQ="; + sha256 = "sha256-Y8xFoI/1zpaeT9jMuOME/g2vTLenhNSwGepncc1Ji+0="; }; - cargoHash = "sha256-qXT44h4f4Zw1bi/gblczxehA6hqLLjQBpSwVpYd0PE4="; + cargoHash = "sha256-yJHOeIjbWQTxLkkVv+YALrAhP5HBZpmbPDiLd+/bWZA="; buildInputs = lib.optionals stdenv.isDarwin [ Foundation ];