Merge staging-next into staging

authored by

github-actions[bot] and committed by
GitHub
5abd5f5a 4da75698

+536 -56
+6
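--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -6186,6 +6186,12 @@
 github = "meutraa";
 githubId = 68550871;
 };
+mephistophiles = {
+email = "mussitantesmortem@gmail.com";
+name = "Maxim Zhukov";
+github = "Mephistophiles";
+githubId = 4850908;
+};
 mfossen = {
 email = "msfossen@gmail.com";
 github = "mfossen";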
+3
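--- a/nixos/doc/manual/release-notes/rl-2105.xml
+++ b/nixos/doc/manual/release-notes/rl-2105.xml
@@ -24,6 +24,9 @@
 </para>
 </listitem>
 <listitem>
+<para>The default Linux kernel was updated to the 5.10 LTS series, coming from the 5.4 LTS series.</para>
+</listitem>
+<listitem>
 <para>GNOME desktop environment was upgraded to 3.38, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">release notes</link>.</para>
 </listitem>
 <listitem>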
+1 -1
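--- a/nixos/modules/hardware/all-firmware.nix
+++ b/nixos/modules/hardware/all-firmware.nix
@@ -49,7 +49,7 @@
 rt5677-firmware
 rtl8723bs-firmware
 rtl8761b-firmware
-rtlwifi_new-firmware
+rtw88-firmware
 zd1211fw
 alsa-firmware
 sof-firmware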
+1
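--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -949,6 +949,7 @@
 ./services/web-servers/nginx/default.nix
 ./services/web-servers/nginx/gitweb.nix
 ./services/web-servers/phpfpm/default.nix
+./services/web-servers/pomerium.nix
 ./services/web-servers/unit/default.nix
 ./services/web-servers/shellinabox.nix
 ./services/web-servers/tomcat.nix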
+131
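--- a/nixos/modules/services/web-servers/pomerium.nix
+++ b/nixos/modules/services/web-servers/pomerium.nix
@@ -0,0 +1,131 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+format = pkgs.formats.yaml {};
+in
+{
+options.services.pomerium = {
+enable = mkEnableOption "the Pomerium authenticating reverse proxy";
+
+configFile = mkOption {
+type = with types; nullOr path;
+default = null;
+description = "Path to Pomerium config YAML. If set, overrides services.pomerium.settings.";
+};
+
+useACMEHost = mkOption {
+type = with types; nullOr str;
+default = null;
+description = ''
+If set, use a NixOS-generated ACME certificate with the specified name.
+
+Note that this will require you to use a non-HTTP-based challenge, or
+disable Pomerium's in-built HTTP redirect server by setting
+http_redirect_addr to null and use a different HTTP server for serving
+the challenge response.
+
+If you're using an HTTP-based challenge, you should use the
+Pomerium-native autocert option instead.
+'';
+};
+
+settings = mkOption {
+description = ''
+The contents of Pomerium's config.yaml, in Nix expressions.
+
+Specifying configFile will override this in its entirety.
+
+See <link xlink:href="https://pomerium.io/reference/">the Pomerium
+configuration reference</link> for more information about what to put
+here.
+'';
+default = {};
+type = format.type;
+};
+
+secretsFile = mkOption {
+type = with types; nullOr path;
+default = null;
+description = ''
+Path to file containing secrets for Pomerium, in systemd
+EnvironmentFile format. See the systemd.exec(5) man page.
+'';
+};
+};
+
+config = let
+cfg = config.services.pomerium;
+cfgFile = if cfg.configFile != null then cfg.configFile else (format.generate "pomerium.yaml" cfg.settings);
+in mkIf cfg.enable ({
+systemd.services.pomerium = {
+description = "Pomerium authenticating reverse proxy";
+wants = [ "network.target" ] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
+after = [ "network.target" ] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
+wantedBy = [ "multi-user.target" ];
+environment = optionalAttrs (cfg.useACMEHost != null) {
+CERTIFICATE_FILE = "fullchain.pem";
+CERTIFICATE_KEY_FILE = "key.pem";
+};
+startLimitIntervalSec = 60;
+
+serviceConfig = {
+DynamicUser = true;
+StateDirectory = [ "pomerium" ];
+ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
+
+PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
+MemoryDenyWriteExecute = false; # breaks LuaJIT
+
+NoNewPrivileges = true;
+PrivateTmp = true;
+PrivateDevices = true;
+DevicePolicy = "closed";
+ProtectSystem = "strict";
+ProtectHome = true;
+ProtectControlGroups = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectKernelLogs = true;
+RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+LockPersonality = true;
+SystemCallArchitectures = "native";
+
+EnvironmentFile = cfg.secretsFile;
+AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+
+WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
+LoadCredential = optionals (cfg.useACMEHost != null) [
+"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
+"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
+];
+};
+};
+
+# postRun hooks on cert renew can't be used to restart Nginx since renewal
+# runs as the unprivileged acme user. sslTargets are added to wantedBy + before
+# which allows the acme-finished-$cert.target to signify the successful updating
+# of certs end-to-end.
+systemd.services.pomerium-config-reload = mkIf (cfg.useACMEHost != null) {
+# TODO(lukegb): figure out how to make config reloading work with credentials.
+
+wantedBy = [ "acme-finished-${cfg.useACMEHost}.target" "multi-user.target" ];
+# Before the finished targets, after the renew services.
+before = [ "acme-finished-${cfg.useACMEHost}.target" ];
+after = [ "acme-${cfg.useACMEHost}.service" ];
+# Block reloading if not all certs exist yet.
+unitConfig.ConditionPathExists = [ "${certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
+serviceConfig = {
+Type = "oneshot";
+TimeoutSec = 60;
+ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
+ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
+};
+};
+});
+}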
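Review bot: `unitConfig.ConditionPathExists` in `pomerium-config-reload` interpolates `certs.${cfg.useACMEHost}.directory`, but nothing in this file binds `certs`: the two `let` blocks define only `format`, `cfg` and `cfgFile`. With `with lib;` in scope an unbound name is not rejected at parse time, so this would presumably only fail once `useACMEHost` is set, a path the accompanying NixOS test does not exercise; adding `certs = config.security.acme.certs;` to the `config` `let` would bind it. The `secretsFile` description should also state that the file must not live in the Nix store, e.g. `This file should be kept outside the world-readable Nix store.`, because the test in this commit passes a `pkgs.writeText` store path and that pattern is easy to copy into a real deployment. The comment above the reload unit still says "restart Nginx" and should name Pomerium.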
+1
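--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -319,6 +319,7 @@
 plikd = handleTest ./plikd.nix {};
 plotinus = handleTest ./plotinus.nix {};
 podman = handleTestOn ["x86_64-linux"] ./podman.nix {};
+pomerium = handleTestOn ["x86_64-linux"] ./pomerium.nix {};
 postfix = handleTest ./postfix.nix {};
 postfix-raise-smtpd-tls-security-level = handleTest ./postfix-raise-smtpd-tls-security-level.nix {};
 postgis = handleTest ./postgis.nix {};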
+102
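--- a/nixos/tests/pomerium.nix
+++ b/nixos/tests/pomerium.nix
@@ -0,0 +1,102 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+name = "pomerium";
+meta = with pkgs.stdenv.lib.maintainers; {
+maintainers = [ lukegb ];
+};
+
+nodes = let base = myIP: { pkgs, lib, ... }: {
+virtualisation.vlans = [ 1 ];
+networking = {
+dhcpcd.enable = false;
+firewall.allowedTCPPorts = [ 80 443 ];
+hosts = {
+"192.168.1.1" = [ "pomerium" "pom-auth" ];
+"192.168.1.2" = [ "backend" "dummy-oidc" ];
+};
+interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
+{ address = myIP; prefixLength = 24; }
+];
+};
+}; in {
+pomerium = { pkgs, lib, ... }: {
+imports = [ (base "192.168.1.1") ];
+services.pomerium = {
+enable = true;
+settings = {
+address = ":80";
+insecure_server = true;
+authenticate_service_url = "http://pom-auth";
+
+idp_provider = "oidc";
+idp_scopes = [ "oidc" ];
+idp_client_id = "dummy";
+idp_provider_url = "http://dummy-oidc";
+
+policy = [{
+from = "https://my.website";
+to = "http://192.168.1.2";
+allow_public_unauthenticated_access = true;
+preserve_host_header = true;
+} {
+from = "https://login.required";
+to = "http://192.168.1.2";
+allowed_domains = [ "my.domain" ];
+preserve_host_header = true;
+}];
+};
+secretsFile = pkgs.writeText "pomerium-secrets" ''
+# 12345678901234567890123456789012 in base64
+COOKIE_SECRET=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=
+IDP_CLIENT_SECRET=dummy
+'';
+};
+};
+backend = { pkgs, lib, ... }: {
+imports = [ (base "192.168.1.2") ];
+services.nginx.enable = true;
+services.nginx.virtualHosts."my.website" = {
+root = pkgs.runCommand "testdir" {} ''
+mkdir "$out"
+echo hello world > "$out/index.html"
+'';
+};
+services.nginx.virtualHosts."dummy-oidc" = {
+root = pkgs.runCommand "testdir" {} ''
+mkdir -p "$out/.well-known"
+cat <<EOF >"$out/.well-known/openid-configuration"
+{
+"issuer": "http://dummy-oidc",
+"authorization_endpoint": "http://dummy-oidc/auth.txt",
+"token_endpoint": "http://dummy-oidc/token",
+"jwks_uri": "http://dummy-oidc/jwks.json",
+"userinfo_endpoint": "http://dummy-oidc/userinfo",
+"id_token_signing_alg_values_supported": ["RS256"]
+}
+EOF
+echo hello I am login page >"$out/auth.txt"
+'';
+};
+};
+};
+
+testScript = { ... }: ''
+backend.wait_for_unit("nginx")
+backend.wait_for_open_port(80)
+
+pomerium.wait_for_unit("pomerium")
+pomerium.wait_for_open_port(80)
+
+with subtest("no authentication required"):
+pomerium.succeed(
+"curl --resolve my.website:80:127.0.0.1 http://my.website | grep -q 'hello world'"
+)
+
+with subtest("login required"):
+pomerium.succeed(
+"curl -I --resolve login.required:80:127.0.0.1 http://login.required | grep -q pom-auth"
+)
+pomerium.succeed(
+"curl -L --resolve login.required:80:127.0.0.1 http://login.required | grep -q 'hello I am login page'"
+)
+'';
+})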
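Review bot: The `login required` subtest only shows that an unauthenticated request is redirected to `pom-auth` and that following the redirect reaches the dummy login page; it never asserts that backend content is withheld. A negative check such as `pomerium.fail("curl --resolve login.required:80:127.0.0.1 http://login.required | grep -q 'hello world'")` would pin the property the proxy exists to enforce, assuming nginx would answer that host with the `my.website` root; otherwise assert on the response status instead. A short comment beside `insecure_server = true;` and the hard-coded `COOKIE_SECRET` saying they are test-only values would also help readers who treat this file as a configuration example.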
+3 -3
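--- a/pkgs/applications/backup/pika-backup/default.nix
+++ b/pkgs/applications/backup/pika-backup/default.nix
@@ -19,20 +19,20 @@
 
 stdenv.mkDerivation rec {
 pname = "pika-backup";
-version = "0.2.2";
+version = "0.2.3";
 
 src = fetchFromGitLab {
 domain = "gitlab.gnome.org";
 owner = "World";
 repo = "pika-backup";
 rev = "v${version}";
-sha256 = "16284gv31wdwmb99056962d1gh6xz26ami6synr47nsbbp5l0s6k";
+sha256 = "sha256-jy22eyuzM2y7vByT3TOlAUuTKtPepkB9iiHQT1YGQ88=";
 };
 
 cargoDeps = rustPlatform.fetchCargoTarball {
 inherit src;
 name = "${pname}-${version}";
-sha256 = "12ymjwpxx3sdna8w5j9fnwwfk8ynk9ziwl0lkpq68y0vyllln5an";
+sha256 = "1ndcpgw18w3l5f7vv5vw8lxhgd5y1zxfarwnyfx13m7kcv8m3vyj";
 };
 
 patches = [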
+33
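--- a/pkgs/applications/blockchains/crypto-org-wallet.nix
+++ b/pkgs/applications/blockchains/crypto-org-wallet.nix
@@ -0,0 +1,33 @@
+{ lib, fetchurl, makeDesktopItem, appimageTools, imagemagick }:
+
+let
+pname = "chain-desktop-wallet";
+version = "0.1.1";
+name = "${pname}-${version}";
+
+src = fetchurl {
+url = "https://github.com/crypto-com/${pname}/releases/download/v${version}/${name}-x86_64.AppImage";
+sha256 = "12076hf8dlz0hg1pb2ixwlslrh8gi6s1iawnvhnn6vz4jmjvq356";
+};
+
+appimageContents = appimageTools.extractType2 { inherit name src; };
+in appimageTools.wrapType2 rec {
+inherit name src;
+
+extraInstallCommands = ''
+mv $out/bin/${name} $out/bin/${pname}
+install -m 444 -D ${appimageContents}/${pname}.desktop $out/share/applications/${pname}.desktop
+${imagemagick}/bin/convert ${appimageContents}/${pname}.png -resize 512x512 ${pname}_512.png
+install -m 444 -D ${pname}_512.png $out/share/icons/hicolor/512x512/apps/${pname}.png
+substituteInPlace $out/share/applications/${pname}.desktop \
+--replace 'Exec=AppRun --no-sandbox %U' "Exec=$out/bin/${pname}"
+'';
+
+meta = with lib; {
+description = "Crypto.org Chain desktop wallet (Beta)";
+homepage = "https://github.com/crypto-com/chain-desktop-wallet";
+license = licenses.asl20;
+maintainers = with maintainers; [ th0rgal ];
+platforms = [ "x86_64-linux" ];
+};
+}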
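Review bot: The `--replace` in `extraInstallCommands` rewrites `Exec=AppRun --no-sandbox %U` to `Exec=$out/bin/${pname}`, which removes both the `--no-sandbox` flag and the `%U` argument with no comment on either. A one-line comment such as `# drop upstream's --no-sandbox; %U is intentionally not forwarded` would record the intent, and it is worth confirming that the wallet still starts with its sandbox enabled inside the `appimageTools` wrapper. `makeDesktopItem` is listed in the function arguments but is not used anywhere in the file and can be dropped.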
+3 -3
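--- a/pkgs/applications/networking/browsers/chromium/upstream-info.json
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.json
@@ -1,8 +1,8 @@
 {
 "stable": {
-"version": "89.0.4389.90",
-"sha256": "16i7bgk2jbcqs2p28nk5mlf0k6wah594pcsfm8b154nxbyf0iihi",
-"sha256bin64": "1hgpx7isp9krarj7jpbhs97ym4i9j9a1srywv9pdfzbhw6cid2pk",
+"version": "89.0.4389.114",
+"sha256": "007df9p78bbmk3iyfi8qn57mmn68qqrdhx6z8n2hl8ksd7lspw7j",
+"sha256bin64": "06wblyvyr93032fbzwm6qpzz4jjm6adziq4i4n6kmfdix2ajif8a",
 "deps": {
 "gn": {
 "version": "2021-01-07",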
+2 -2
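--- a/pkgs/applications/networking/browsers/lagrange/default.nix
+++ b/pkgs/applications/networking/browsers/lagrange/default.nix
@@ -14,13 +14,13 @@
 
 stdenv.mkDerivation rec {
 pname = "lagrange";
-version = "1.2.2";
+version = "1.3.0";
 
 src = fetchFromGitHub {
 owner = "skyjake";
 repo = "lagrange";
 rev = "v${version}";
-sha256 = "sha256-Y+BiXKxlUSZXaLcz75l333ZBkKyII9IyTmKQwjshBkE=";
+sha256 = "sha256-85KshJEL7ri10mSm/KgcT03WLEwRMMTGczb6mGx66Jw=";
 fetchSubmodules = true;
 };
 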
+2
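--- a/pkgs/applications/networking/instant-messengers/slack/default.nix
+++ b/pkgs/applications/networking/instant-messengers/slack/default.nix
@@ -26,6 +26,7 @@
 , libuuid
 , libxcb
 , libxkbcommon
+, libxshmfence
 , mesa
 , nspr
 , nss
@@ -117,6 +118,7 @@
 xorg.libXi
 xorg.libXrandr
 xorg.libXrender
+xorg.libxshmfence
 xorg.libXtst
 xorg.libxkbfile
 ] + ":${stdenv.cc.cc.lib}/lib64";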
+26
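--- a/pkgs/applications/window-managers/i3/auto-layout.nix
+++ b/pkgs/applications/window-managers/i3/auto-layout.nix
@@ -0,0 +1,26 @@
+{ lib, rustPlatform, fetchFromGitHub }:
+
+rustPlatform.buildRustPackage rec {
+pname = "i3-auto-layout";
+version = "0.2";
+
+src = fetchFromGitHub {
+owner = "chmln";
+repo = pname;
+rev = "v${version}";
+sha256 = "0ps08lga6qkgc8cgf5cx2lgwlqcnd2yazphh9xd2fznnzrllfxxz";
+};
+
+cargoSha256 = "1ch5mh515rlqmr65x96xcvrx6iaigqgjxc7sbwbznzkc5kmvwhc0";
+
+# Currently no tests are implemented, so we avoid building the package twice
+doCheck = false;
+
+meta = with lib; {
+description = "Automatic, optimal tiling for i3wm";
+homepage = "https://github.com/chmln/i3-auto-layout";
+license = licenses.mit;
+maintainers = with maintainers; [ mephistophiles ];
+platforms = platforms.linux;
+};
+}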
+3 -1
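--- a/pkgs/development/libraries/qt-5/5.15/default.nix
+++ b/pkgs/development/libraries/qt-5/5.15/default.nix
@@ -203,7 +203,9 @@
 qtvirtualkeyboard = callPackage ../modules/qtvirtualkeyboard.nix {};
 qtwayland = callPackage ../modules/qtwayland.nix {};
 qtwebchannel = callPackage ../modules/qtwebchannel.nix {};
-qtwebengine = callPackage ../modules/qtwebengine.nix {};
+qtwebengine = callPackage ../modules/qtwebengine.nix {
+inherit (srcs.qtwebengine) version;
+};
 qtwebglplugin = callPackage ../modules/qtwebglplugin.nix {};
 qtwebkit = callPackage ../modules/qtwebkit.nix {};
 qtwebsockets = callPackage ../modules/qtwebsockets.nix {};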
+4
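--- a/pkgs/development/libraries/qt-5/modules/qtwebengine.nix
+++ b/pkgs/development/libraries/qt-5/modules/qtwebengine.nix
@@ -17,6 +17,7 @@
 , cups, darwin, openbsm, runCommand, xcbuild, writeScriptBin
 , ffmpeg_3 ? null
 , lib, stdenv, fetchpatch
+, version ? null
 , qtCompatVersion
 }:
 
@@ -230,6 +231,9 @@
 [Paths]
 Prefix = ..
 EOF
+'' + lib.optionalString (lib.versions.majorMinor qtCompatVersion == "5.15") ''
+# Fix for out-of-sync QtWebEngine and Qt releases (since 5.15.3)
+sed 's/${lib.head (lib.splitString "-" version)} /${qtCompatVersion} /' -i "$out"/lib/cmake/*/*Config.cmake
 '';
 
 meta = with lib; {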
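Review bot: The added `sed` expression calls `lib.splitString "-" version` while `version` defaults to `null`, so any 5.15 caller that omits the argument gets an evaluation error from inside the string rather than a clear message. An explicit guard, e.g. `assert lib.versions.majorMinor qtCompatVersion == "5.15" -> version != null;`, would make the requirement visible. The version is also spliced into the pattern unescaped, so its dots match any character; that is probably harmless against `*Config.cmake` but deserves a comment. The derivation body starts and ends outside these hunks.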
+34
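--- a/pkgs/development/libraries/zlib-ng/default.nix
+++ b/pkgs/development/libraries/zlib-ng/default.nix
@@ -0,0 +1,34 @@
+{ lib, stdenv, fetchFromGitHub
+, cmake, pkg-config
+, withZlibCompat ? false
+}:
+
+stdenv.mkDerivation rec {
+pname = "zlib-ng";
+version = "2.0.2";
+
+src = fetchFromGitHub {
+owner = "zlib-ng";
+repo = "zlib-ng";
+rev = version;
+sha256 = "1cl6asrav2512j7p02zcpibywjljws0m7aazvb3q2r9qiyvyswji";
+};
+
+outputs = [ "out" "dev" "bin" ];
+
+nativeBuildInputs = [ cmake pkg-config ];
+
+cmakeFlags = [
+"-DCMAKE_INSTALL_PREFIX=/"
+"-DBUILD_SHARED_LIBS=ON"
+"-DINSTALL_UTILS=ON"
+] ++ lib.optionals withZlibCompat [ "-DZLIB_COMPAT=ON" ];
+
+meta = with lib; {
+description = "zlib data compression library for the next generation systems";
+homepage = "https://github.com/zlib-ng/zlib-ng";
+license = licenses.zlib;
+platforms = platforms.all;
+maintainers = with maintainers; [ izorkin ];
+};
+}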
+2 -2
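--- a/pkgs/development/python-modules/boto3/default.nix
+++ b/pkgs/development/python-modules/boto3/default.nix
@@ -13,11 +13,11 @@
 
 buildPythonPackage rec {
 pname = "boto3";
-version = "1.17.40"; # N.B: if you change this, change botocore and awscli to a matching version
+version = "1.17.41"; # N.B: if you change this, change botocore and awscli to a matching version
 
 src = fetchPypi {
 inherit pname version;
-sha256 = "sha256-7pmbRrLGMOUOewUtbf4iQgOjSNg7AOFoylAAmvDydsE=";
+sha256 = "sha256-2FsOBdfelhabACS3aykr5isB729cqFOlElBjRrgtKrs=";
 };
 
 propagatedBuildInputs = [ botocore jmespath s3transfer ] ++ lib.optionals (!isPy3k) [ futures ];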
+2 -2
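--- a/pkgs/development/python-modules/botocore/default.nix
+++ b/pkgs/development/python-modules/botocore/default.nix
@@ -13,11 +13,11 @@
 
 buildPythonPackage rec {
 pname = "botocore";
-version = "1.20.40"; # N.B: if you change this, change boto3 and awscli to a matching version
+version = "1.20.41"; # N.B: if you change this, change boto3 and awscli to a matching version
 
 src = fetchPypi {
 inherit pname version;
-sha256 = "sha256-ajWpl3zb16g52UjdX549JgwZt93nTgqETJcgaITTu6A=";
+sha256 = "sha256-Y/ZQ/Ja84UHoGUp2HmiQ/qL7puASU676Ma5p8UUBXCE=";
 };
 
 propagatedBuildInputs = [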
+2
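--- a/pkgs/development/python-modules/sagemaker/default.nix
+++ b/pkgs/development/python-modules/sagemaker/default.nix
@@ -10,6 +10,7 @@
 , protobuf3-to-dict
 , smdebug-rulesconfig
 , pandas
+, packaging
 }:
 
 buildPythonPackage rec {
@@ -32,6 +33,7 @@
 google-pasta
 importlib-metadata
 numpy
+packaging
 protobuf
 protobuf3-to-dict
 smdebug-rulesconfig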
+2 -2
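--- a/pkgs/development/tools/heroku/default.nix
+++ b/pkgs/development/tools/heroku/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
 pname = "heroku";
-version = "7.47.11";
+version = "7.51.0";
 
 src = fetchurl {
 url = "https://cli-assets.heroku.com/heroku-v${version}/heroku-v${version}.tar.xz";
-sha256 = "1inf2radpkd9jndap91cw0wbb2qmi71i287vyydl492372cf3cs2";
+sha256 = "0wcqk4iy4r57k6fd6l0732yp5mclqfla1lfvx96ay45jnhh7rknx";
 };
 
 nativeBuildInputs = [ makeWrapper ];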
+14 -12
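--- a/pkgs/games/empty-epsilon/default.nix
+++ b/pkgs/games/empty-epsilon/default.nix
@@ -2,21 +2,23 @@
 
 let
 
-major = "2020";
-minor = "11";
-patch = "23";
+major = "2021";
+minor = "03";
+patch.seriousproton = "30";
+patch.emptyepsilon = "31";
 
-version = "${major}.${minor}.${patch}";
+version.seriousproton = "${major}.${minor}.${patch.seriousproton}";
+version.emptyepsilon = "${major}.${minor}.${patch.emptyepsilon}";
 
 serious-proton = stdenv.mkDerivation {
 pname = "serious-proton";
-inherit version;
+version = version.seriousproton;
 
 src = fetchFromGitHub {
 owner = "daid";
 repo = "SeriousProton";
-rev = "EE-${version}";
-sha256 = "sha256-/gwJPlvvOCv5XIsiVgZ8Eb/7vgwG/V+s/soGVCfYrwo=";
+rev = "EE-${version.seriousproton}";
+sha256 = "sha256-wxb/CxJ/HKsVngeahjygZFPMMxitkHdVD0EQ3svxgIU=";
 };
 
 nativeBuildInputs = [ cmake ];
@@ -36,13 +38,13 @@
 
 stdenv.mkDerivation {
 pname = "empty-epsilon";
-inherit version;
+version = version.emptyepsilon;
 
 src = fetchFromGitHub {
 owner = "daid";
 repo = "EmptyEpsilon";
-rev = "EE-${version}";
-sha256 = "sha256-HbF6xThR+ogNHbAcXF03DaBhwVhNEr5BJO7jeeVZH/o=";
+rev = "EE-${version.emptyepsilon}";
+sha256 = "sha256-x0XJPMU0prubTb4ti/W/dH5P9abNwbjqkeUhKQpct9o=";
 };
 
 nativeBuildInputs = [ cmake ];
@@ -50,10 +52,10 @@
 
 cmakeFlags = [
 "-DSERIOUS_PROTON_DIR=${serious-proton.src}"
-"-DCPACK_PACKAGE_VERSION=${version}"
+"-DCPACK_PACKAGE_VERSION=${version.emptyepsilon}"
 "-DCPACK_PACKAGE_VERSION_MAJOR=${major}"
 "-DCPACK_PACKAGE_VERSION_MINOR=${minor}"
-"-DCPACK_PACKAGE_VERSION_PATCH=${patch}"
+"-DCPACK_PACKAGE_VERSION_PATCH=${patch.emptyepsilon}"
 ];
 
 meta = with lib; {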
+1 -1
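--- a/pkgs/games/steam/fhsenv.nix
+++ b/pkgs/games/steam/fhsenv.nix
@@ -106,6 +106,7 @@
 gst_all_1.gst-plugins-ugly
 gst_all_1.gst-plugins-base
 libdrm
+libxkbcommon # paradox launcher
 mono
 xorg.xkeyboardconfig
 xorg.libpciaccess
@@ -205,7 +206,6 @@
 libidn
 tbb
 wayland
-libxkbcommon
 
 # Other things from runtime
 flac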
+6 -6
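--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -13,15 +13,15 @@
 },
 "5.10": {
 "extra": "-hardened1",
-"name": "linux-hardened-5.10.25-hardened1.patch",
-"sha256": "0d5fid229769frifr7g20ly553gxdqqvajfwyzqwjpr82jjzxlis",
-"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.25-hardened1/linux-hardened-5.10.25-hardened1.patch"
+"name": "linux-hardened-5.10.26-hardened1.patch",
+"sha256": "08f4yks3fjv5zi85zbxa3aqfllb6nbr58hm6kchd83l6rknnix4r",
+"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.26-hardened1/linux-hardened-5.10.26-hardened1.patch"
 },
 "5.11": {
 "extra": "-hardened1",
-"name": "linux-hardened-5.11.9-hardened1.patch",
-"sha256": "169jcalr81ckad08vx489h8j6k42s0rzxbpkr6knyrd7rv06ddk0",
-"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.11.9-hardened1/linux-hardened-5.11.9-hardened1.patch"
+"name": "linux-hardened-5.11.10-hardened1.patch",
+"sha256": "16083fvl5km751dps7mzjc2fl1qp9jqnyn7lg8jlfxc8w32bbxwv",
+"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.11.10-hardened1/linux-hardened-5.11.10-hardened1.patch"
 },
 "5.4": {
 "extra": "-hardened1",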
+2 -2
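--- a/pkgs/os-specific/linux/kernel/linux-5.11.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.11.nix
@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-version = "5.11.9";
+version = "5.11.10";
 
 # modDirVersion needs to be x.y.z, will automatically add .0 if needed
 modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@
 
 src = fetchurl {
 url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-sha256 = "0dcqn6s85sd4zl7rv8ay88p5z12xvy2rma0dx6g6b480rg68sxal";
+sha256 = "07fw48sy8p17jmm24x3rl99cwxiwhwjrxnmy3g542w9kzawaqwnk";
 };
 } // (args.argsOverride or {}))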
+3 -3
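--- a/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix
@@ -6,7 +6,7 @@
 , ... } @ args:
 
 let
-version = "5.10.21-rt34"; # updated by ./update-rt.sh
+version = "5.10.25-rt35"; # updated by ./update-rt.sh
 branch = lib.versions.majorMinor version;
 kversion = builtins.elemAt (lib.splitString "-" version) 0;
 in buildLinux (args // {
@@ -18,14 +18,14 @@
 
 src = fetchurl {
 url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
-sha256 = "1bz2gmyvpl4vsk0r6fsnh451fzvvfbv63rw8ia75gfv52vzyczwy";
+sha256 = "1p8s8vp5b6vjmvhj3plm0pr0d9qp5lrwm6l40a4bjr1vk9myf2lk";
 };
 
 kernelPatches = let rt-patch = {
 name = "rt";
 patch = fetchurl {
 url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
-sha256 = "12c2qpifcgij7hilhd7xrnqaz04gqf41m93pmlm8cv4nxz58cy36";
+sha256 = "0kvawcyxg0xzhx73xs9g9s0hr7bs44sy4zvfzvcg2m9hdyafry0k";
 };
 }; in [ rt-patch ] ++ lib.remove rt-patch kernelPatches;
 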
+6
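--- a/pkgs/servers/http/envoy/default.nix
+++ b/pkgs/servers/http/envoy/default.nix
@@ -6,6 +6,7 @@
 , go
 , ninja
 , python3
+, nixosTests
 }:
 
 let
@@ -109,6 +110,11 @@
 "--cxxopt=-Wno-maybe-uninitialized"
 "--cxxopt=-Wno-uninitialized"
 ];
+
+passthru.tests = {
+# No tests for Envoy itself (yet), but it's tested as a core component of Pomerium.
+inherit (nixosTests) pomerium;
+};
 
 meta = with lib; {
 homepage = "https://envoyproxy.io";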
+2 -2
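--- a/pkgs/servers/http/nginx/mainline.nix
+++ b/pkgs/servers/http/nginx/mainline.nix
@@ -1,6 +1,6 @@
 { callPackage, ... }@args:
 
 callPackage ./generic.nix args {
-version = "1.19.8";
-sha256 = "01cb6hsaik1sfjihbrldmwrcn54gk4plfy350sl1b4rml6qik29h";
+version = "1.19.9";
+sha256 = "0hfqqyfgqa6wqazmb3d434nb3r5p8szfisa0m6nfh9lqdbqdyd9f";
 }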
+80
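--- a/pkgs/servers/http/pomerium/default.nix
+++ b/pkgs/servers/http/pomerium/default.nix
@@ -0,0 +1,80 @@
+{ buildGoModule
+, fetchFromGitHub
+, lib
+, envoy
+, zip
+, nixosTests
+}:
+
+let
+inherit (lib) concatStringsSep mapAttrsToList;
+in
+buildGoModule rec {
+pname = "pomerium";
+version = "0.13.3";
+src = fetchFromGitHub {
+owner = "pomerium";
+repo = "pomerium";
+rev = "v${version}";
+hash = "sha256-g0w1aIHvf2rJANvGWHeUxdnyCDsvy/PQ9Kp8nDdT/0w=";
+};
+
+vendorSha256 = "sha256-grihU85OcGyf9/KKrv87xZonX5r+Z1oHQTf84Ya61fg=";
+subPackages = [
+"cmd/pomerium"
+"cmd/pomerium-cli"
+];
+
+buildFlagsArray = let
+# Set a variety of useful meta variables for stamping the build with.
+setVars = {
+Version = "v${version}";
+BuildMeta = "nixpkgs";
+ProjectName = "pomerium";
+ProjectURL = "github.com/pomerium/pomerium";
+};
+varFlags = concatStringsSep " " (mapAttrsToList (name: value: "-X github.com/pomerium/pomerium/internal/version.${name}=${value}") setVars);
+in [
+"-ldflags=${varFlags}"
+];
+
+nativeBuildInputs = [
+zip
+];
+
+# Pomerium expects to have envoy append to it in a zip.
+# We use a store-only (-0) zip, so that the Nix scanner can find any store references we had in the envoy binary.
+postBuild = ''
+# Append Envoy
+pushd $NIX_BUILD_TOP
+mkdir -p envoy
+cd envoy
+cp ${envoy}/bin/envoy envoy
+zip -0 envoy.zip envoy
+popd
+
+mv $GOPATH/bin/pomerium $GOPATH/bin/pomerium.old
+cat $GOPATH/bin/pomerium.old $NIX_BUILD_TOP/envoy/envoy.zip >$GOPATH/bin/pomerium
+zip --adjust-sfx $GOPATH/bin/pomerium
+'';
+
+# We also need to set dontStrip to avoid having the envoy ZIP stripped off the end.
+dontStrip = true;
+
+installPhase = ''
+install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
+install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
+'';
+
+passthru.tests = {
+inherit (nixosTests) pomerium;
+};
+
+meta = with lib; {
+homepage = "https://pomerium.io";
+description = "Authenticating reverse proxy";
+license = licenses.asl20;
+maintainers = with maintainers; [ lukegb ];
+platforms = [ "x86_64-linux" ]; # Envoy derivation is x86_64-linux only.
+};
+}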
+3 -3
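--- a/pkgs/shells/zsh/oh-my-zsh/default.nix
+++ b/pkgs/shells/zsh/oh-my-zsh/default.nix
@@ -5,15 +5,15 @@
 , git, nix, nixfmt, jq, coreutils, gnused, curl, cacert }:
 
 stdenv.mkDerivation rec {
-version = "2021-03-28";
+version = "2021-03-31";
 pname = "oh-my-zsh";
-rev = "69507c9518f7c7889d8f47ec8e67bfda02405817";
+rev = "2b1d4122796fea12dcaa7545cfca59fb43e6393e";
 
 src = fetchFromGitHub {
 inherit rev;
 owner = "ohmyzsh";
 repo = "ohmyzsh";
-sha256 = "0p5jjynwnf6yh2n0z46avavy7kb7dlqd145hd1qakig7csaclphd";
+sha256 = "1c1hcmvfrfwds1zn165vpfh11a19s6kb20bxy2dzpby5cs15g6bc";
 };
 
 installPhase = ''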
+2 -2
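--- a/pkgs/tools/admin/awscli/default.nix
+++ b/pkgs/tools/admin/awscli/default.nix
@@ -21,11 +21,11 @@
 in
 with py.pkgs; buildPythonApplication rec {
 pname = "awscli";
-version = "1.19.40"; # N.B: if you change this, change botocore and boto3 to a matching version too
+version = "1.19.41"; # N.B: if you change this, change botocore and boto3 to a matching version too
 
 src = fetchPypi {
 inherit pname version;
-sha256 = "sha256-J1IuTA/DrBCDclRA3cjAU71Um4Eygjgo+rMTyvT/my4=";
+sha256 = "sha256-DKKE2iMn6BHmcohHY6Uv7q9Om8FkbTbsk0CaxueBJHA=";
 };
 
 # https://github.com/aws/aws-cli/issues/4837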
+2 -2
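--- a/pkgs/tools/audio/abcmidi/default.nix
+++ b/pkgs/tools/audio/abcmidi/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
 pname = "abcMIDI";
-version = "2021.03.27";
+version = "2021.03.30";
 
 src = fetchzip {
 url = "https://ifdo.ca/~seymour/runabc/${pname}-${version}.zip";
-sha256 = "sha256-dOUdxH1jJUr9MkU6mf0nwbjY5NYUJpHGkjUZWbRSGsw=";
+sha256 = "sha256-eOQbvs/mtFn7AmvSezO/jRm8+cO5tF7ggcF9DwwfqVc=";
 };
 
 meta = with lib; {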
+3 -3
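--- a/pkgs/tools/networking/oneshot/default.nix
+++ b/pkgs/tools/networking/oneshot/default.nix
@@ -2,16 +2,16 @@
 
 buildGoModule rec {
 pname = "oneshot";
-version = "1.3.1";
+version = "1.4.1";
 
 src = fetchFromGitHub {
 owner = "raphaelreyna";
 repo = "oneshot";
 rev = "v${version}";
-sha256 = "047mncv9abs4xj7bh9lhc3wan37cldjjyrpkis7pvx6zhzml74kf";
+sha256 = "sha256-UD67xYBb1rvGMSPurte5z2Hcd7+JtXDPbgp3BVBdLuk=";
 };
 
-vendorSha256 = "1cxr96yrrmz37r542mc5376jll9lqjqm18k8761h9jqfbzmh9rkp";
+vendorSha256 = "sha256-d+YE618OywSDOWiiULHENFEqzRmFVUFKPuPXnL1JubM=";
 
 doCheck = false;
 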
+3 -3
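--- a/pkgs/tools/security/prs/default.nix
+++ b/pkgs/tools/security/prs/default.nix
@@ -12,16 +12,16 @@
 
 rustPlatform.buildRustPackage rec {
 pname = "prs";
-version = "0.2.6";
+version = "0.2.7";
 
 src = fetchFromGitLab {
 owner = "timvisee";
 repo = "prs";
 rev = "v${version}";
-sha256 = "sha256-2fpR9XCcKby+hI7Dzpr2qi1QgOzdgJp0Um57tQmi01A=";
+sha256 = "sha256-1Jrgf5UW6k0x3q6kQIB6Q7moOhConEnUU9r+21W5Uu8=";
 };
 
-cargoSha256 = "sha256-0oWNGrJ24gPkPp5PR/pQ1tIYkXztQJFAdPz162V5THY=";
+cargoSha256 = "sha256-N3pLW/OGeurrl+AlwdfbZ3T7WzEOAuyUMdIR164Xp7k=";
 
 postPatch = ''
 # The GPGME backend is recommended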
+35
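--- a/pkgs/tools/video/play-with-mpv/default.nix
+++ b/pkgs/tools/video/play-with-mpv/default.nix
@@ -0,0 +1,35 @@
+{ lib, python3Packages, fetchFromGitHub, fetchurl, youtube-dl, git }:
+
+let
+install_freedesktop = fetchurl {
+url = "https://github.com/thann/install_freedesktop/tarball/2673e8da4a67bee0ffc52a0ea381a541b4becdd4";
+sha256 = "0j8d5jdcyqbl5p6sc1ags86v3hr2sghmqqi99d1mvc064g90ckrv";
+};
+in
+python3Packages.buildPythonApplication rec {
+pname = "play-with-mpv";
+version = "unstable-2020-05-18";
+
+src = fetchFromGitHub {
+owner = "thann";
+repo = "play-with-mpv";
+rev = "656448e03fe9de9e8bd21959f2a3b47c4acb8c3e";
+sha256 = "1qma8b3lnkdhxdjsnrq7n9zgy53q62j4naaqqs07kjxbn72zb4p4";
+};
+
+nativeBuildInputs = [ git ];
+propagatedBuildInputs = [ youtube-dl ];
+
+postPatch = ''
+substituteInPlace setup.py --replace \
+'"https://github.com/thann/install_freedesktop/tarball/master#egg=install_freedesktop-0.2.0"' \
+'"file://${install_freedesktop}#egg=install_freedesktop-0.2.0"'
+'';
+
+meta = with lib; {
+description = "Chrome extension and python server that allows you to play videos in webpages with MPV instead";
+homepage = "https://github.com/Thann/play-with-mpv";
+license = licenses.mit;
+maintainers = with maintainers; [ dawidsowa ];
+};
+}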
+11 -1
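--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1496,6 +1496,8 @@
 
 pebble = callPackage ../tools/admin/pebble { };
 
+play-with-mpv = callPackage ../tools/video/play-with-mpv { };
+
 reattach-to-user-namespace = callPackage ../os-specific/darwin/reattach-to-user-namespace {};
 
 skhd = callPackage ../os-specific/darwin/skhd {
@@ -17785,6 +17787,8 @@
 
 zlib = callPackage ../development/libraries/zlib { };
 
+zlib-ng = callPackage ../development/libraries/zlib-ng { };
+
 libdynd = callPackage ../development/libraries/libdynd { };
 
 zlog = callPackage ../development/libraries/zlog { };
@@ -18538,6 +18542,8 @@
 gperf = gperf_3_0;
 };
 pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { };
+
+pomerium = callPackage ../servers/http/pomerium { };
 
 postgrey = callPackage ../servers/mail/postgrey { };
 
@@ -19893,7 +19899,7 @@
 });
 
 # The current default kernel / kernel modules.
-linuxPackages = linuxPackages_5_4;
+linuxPackages = linuxPackages_5_10;
 linux = linuxPackages.kernel;
 
 # Update this when adding the newest kernel major version!
@@ -23367,6 +23373,8 @@
 i3 = callPackage ../applications/window-managers/i3 {
 xcb-util-cursor = if stdenv.isDarwin then xcb-util-cursor-HEAD else xcb-util-cursor;
 };
+
+i3-auto-layout = callPackage ../applications/window-managers/i3/auto-layout.nix { };
 
 i3-gaps = callPackage ../applications/window-managers/i3/gaps.nix { };
 
@@ -28627,6 +28635,8 @@
 coq2html = callPackage ../applications/science/logic/coq2html { };
 
 cryptoverif = callPackage ../applications/science/logic/cryptoverif { };
+
+crypto-org-wallet = callPackage ../applications/blockchains/crypto-org-wallet.nix { };
 
 caprice32 = callPackage ../misc/emulators/caprice32 { };
 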