commit df742c9c0e8a13cc6f573b1869e339632130524e · pyrox.dev/nixpkgs

+6

nixos/doc/manual/release-notes/rl-2405.section.md

··· 18 18 19 19 - [Anki Sync Server](https://docs.ankiweb.net/sync-server.html), the official sync server built into recent versions of Anki. Available as [services.anki-sync-server](#opt-services.anki-sync-server.enable). 20 20 21 + - [Clevis](https://github.com/latchset/clevis), a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as [boot.initrd.clevis.enable](#opt-boot.initrd.clevis.enable). 22 + 21 23 ## Backward Incompatibilities {#sec-release-24.05-incompatibilities} 22 24 23 25  ··· 39 41 non-child processes. This means you will not be able to attach gdb to an 40 42 existing process, but will need to start that process from gdb (so it is a 41 43 child). Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0. 44 + 45 + - Gitea 1.21 upgrade has several breaking changes, including: 46 + - Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*` 47 + - New instances of Gitea using MySQL now ignore the `[database].CHARSET` config option and always use the `utf8mb4` charset, existing instances should migrate via the `gitea doctor convert` CLI command. 42 48 43 49 - The `hardware.pulseaudio` module now sets permission of pulse user home directory to 755 when running in "systemWide" mode. It fixes [issue 114399](https://github.com/NixOS/nixpkgs/issues/114399).

+2

nixos/modules/module-list.nix

··· 442 442 ./services/databases/surrealdb.nix 443 443 ./services/databases/victoriametrics.nix 444 444 ./services/desktops/accountsservice.nix 445 + ./services/desktops/ayatana-indicators.nix 445 446 ./services/desktops/bamf.nix 446 447 ./services/desktops/blueman.nix 447 448 ./services/desktops/cpupower-gui.nix ··· 1423 1424 ./system/activation/bootspec.nix 1424 1425 ./system/activation/top-level.nix 1425 1426 ./system/boot/binfmt.nix 1427 + ./system/boot/clevis.nix 1426 1428 ./system/boot/emergency-mode.nix 1427 1429 ./system/boot/grow-partition.nix 1428 1430 ./system/boot/initrd-network.nix

+58

nixos/modules/services/desktops/ayatana-indicators.nix

··· 1 + { config 2 + , pkgs 3 + , lib 4 + , ... 5 + }: 6 + 7 + let 8 + cfg = config.services.ayatana-indicators; 9 + in 10 + { 11 + options.services.ayatana-indicators = { 12 + enable = lib.mkEnableOption (lib.mdDoc '' 13 + Ayatana Indicators, a continuation of Canonical's Application Indicators 14 + ''); 15 + 16 + packages = lib.mkOption { 17 + type = lib.types.listOf lib.types.package; 18 + default = [ ]; 19 + example = lib.literalExpression "with pkgs; [ ayatana-indicator-messages ]"; 20 + description = lib.mdDoc '' 21 + List of packages containing Ayatana Indicator services 22 + that should be brought up by the SystemD "ayatana-indicators" user target. 23 + 24 + Packages specified here must have passthru.ayatana-indicators set correctly. 25 + 26 + If, how, and where these indicators are displayed will depend on your DE. 27 + ''; 28 + }; 29 + }; 30 + 31 + config = lib.mkIf cfg.enable { 32 + environment = { 33 + systemPackages = cfg.packages; 34 + 35 + pathsToLink = [ 36 + "/share/ayatana" 37 + ]; 38 + }; 39 + 40 + # libayatana-common's ayatana-indicators.target with explicit Wants & Before to bring up requested indicator services 41 + systemd.user.targets."ayatana-indicators" = 42 + let 43 + indicatorServices = lib.lists.flatten 44 + (map 45 + (pkg: 46 + (map (ind: "${ind}.service") pkg.passthru.ayatana-indicators)) 47 + cfg.packages); 48 + in 49 + { 50 + description = "Target representing the lifecycle of the Ayatana Indicators. Each indicator should be bound to it in its individual service file"; 51 + partOf = [ "graphical-session.target" ]; 52 + wants = indicatorServices; 53 + before = indicatorServices; 54 + }; 55 + }; 56 + 57 + meta.maintainers = with lib.maintainers; [ OPNA2608 ]; 58 + }

+51

nixos/modules/system/boot/clevis.md

··· 1 + # Clevis {#module-boot-clevis} 2 + 3 + [Clevis](https://github.com/latchset/clevis) 4 + is a framework for automated decryption of resources. 5 + Clevis allows for secure unattended disk decryption during boot, using decryption policies that must be satisfied for the data to decrypt. 6 + 7 + 8 + ## Create a JWE file containing your secret {#module-boot-clevis-create-secret} 9 + 10 + The first step is to embed your secret in a [JWE](https://en.wikipedia.org/wiki/JSON_Web_Encryption) file. 11 + JWE files have to be created through the clevis command line. 3 types of policies are supported: 12 + 13 + 1) TPM policies 14 + 15 + Secrets are pinned against the presence of a TPM2 device, for example: 16 + ``` 17 + echo hi | clevis encrypt tpm2 '{}' > hi.jwe 18 + ``` 19 + 2) Tang policies 20 + 21 + Secrets are pinned against the presence of a Tang server, for example: 22 + ``` 23 + echo hi | clevis encrypt tang '{"url": "http://tang.local"}' > hi.jwe 24 + ``` 25 + 26 + 3) Shamir Secret Sharing 27 + 28 + Using Shamir's Secret Sharing ([sss](https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing)), secrets are pinned using a combination of the two preceding policies. For example: 29 + ``` 30 + echo hi | clevis encrypt sss \ 31 + '{"t": 2, "pins": {"tpm2": {"pcr_ids": "0"}, "tang": {"url": "http://tang.local"}}}' \ 32 + > hi.jwe 33 + ``` 34 + 35 + For more complete documentation on how to generate a secret with clevis, see the [clevis documentation](https://github.com/latchset/clevis). 36 + 37 + 38 + ## Activate unattended decryption of a resource at boot {#module-boot-clevis-activate} 39 + 40 + In order to activate unattended decryption of a resource at boot, enable the `clevis` module: 41 + 42 + ``` 43 + boot.initrd.clevis.enable = true; 44 + ``` 45 + 46 + Then, specify the device you want to decrypt using a given clevis secret. Clevis will automatically try to decrypt the device at boot and will fallback to interactive unlocking if the decryption policy is not fulfilled. 47 + ``` 48 + boot.initrd.clevis.devices."/dev/nvme0n1p1".secretFile = ./nvme0n1p1.jwe; 49 + ``` 50 + 51 + Only `bcachefs`, `zfs` and `luks` encrypted devices are supported at this time.

+107

nixos/modules/system/boot/clevis.nix

··· 1 + { config, lib, pkgs, ... }: 2 + 3 + with lib; 4 + 5 + let 6 + cfg = config.boot.initrd.clevis; 7 + systemd = config.boot.initrd.systemd; 8 + supportedFs = [ "zfs" "bcachefs" ]; 9 + in 10 + { 11 + meta.maintainers = with maintainers; [ julienmalka camillemndn ]; 12 + meta.doc = ./clevis.md; 13 + 14 + options = { 15 + boot.initrd.clevis.enable = mkEnableOption (lib.mdDoc "Clevis in initrd"); 16 + 17 + 18 + boot.initrd.clevis.package = mkOption { 19 + type = types.package; 20 + default = pkgs.clevis; 21 + defaultText = "pkgs.clevis"; 22 + description = lib.mdDoc "Clevis package"; 23 + }; 24 + 25 + boot.initrd.clevis.devices = mkOption { 26 + description = "Encrypted devices that need to be unlocked at boot using Clevis"; 27 + default = { }; 28 + type = types.attrsOf (types.submodule ({ 29 + options.secretFile = mkOption { 30 + description = lib.mdDoc "Clevis JWE file used to decrypt the device at boot, in concert with the chosen pin (one of TPM2, Tang server, or SSS)."; 31 + type = types.path; 32 + }; 33 + })); 34 + }; 35 + 36 + boot.initrd.clevis.useTang = mkOption { 37 + description = "Whether the Clevis JWE file used to decrypt the devices uses a Tang server as a pin."; 38 + default = false; 39 + type = types.bool; 40 + }; 41 + 42 + }; 43 + 44 + config = mkIf cfg.enable { 45 + 46 + # Implementation of clevis unlocking for the supported filesystems are located directly in the respective modules. 47 + 48 + 49 + assertions = (attrValues (mapAttrs 50 + (device: _: { 51 + assertion = (any (fs: fs.device == device && (elem fs.fsType supportedFs)) config.system.build.fileSystems) || (hasAttr device config.boot.initrd.luks.devices); 52 + message = '' 53 + No filesystem or LUKS device with the name ${device} is declared in your configuration.''; 54 + }) 55 + cfg.devices)); 56 + 57 + 58 + warnings = 59 + if cfg.useTang && !config.boot.initrd.network.enable && !config.boot.initrd.systemd.network.enable 60 + then [ "In order to use a Tang pinned secret you must configure networking in initrd" ] 61 + else [ ]; 62 + 63 + boot.initrd = { 64 + extraUtilsCommands = mkIf (!systemd.enable) '' 65 + copy_bin_and_libs ${pkgs.jose}/bin/jose 66 + copy_bin_and_libs ${pkgs.curl}/bin/curl 67 + copy_bin_and_libs ${pkgs.bash}/bin/bash 68 + 69 + copy_bin_and_libs ${pkgs.tpm2-tools}/bin/.tpm2-wrapped 70 + mv $out/bin/{.tpm2-wrapped,tpm2} 71 + cp {${pkgs.tpm2-tss},$out}/lib/libtss2-tcti-device.so.0 72 + 73 + copy_bin_and_libs ${cfg.package}/bin/.clevis-wrapped 74 + mv $out/bin/{.clevis-wrapped,clevis} 75 + 76 + for BIN in ${cfg.package}/bin/clevis-decrypt*; do 77 + copy_bin_and_libs $BIN 78 + done 79 + 80 + for BIN in $out/bin/clevis{,-decrypt{,-null,-tang,-tpm2}}; do 81 + sed -i $BIN -e 's,${pkgs.bash},,' -e 's,${pkgs.coreutils},,' 82 + done 83 + 84 + sed -i $out/bin/clevis-decrypt-tpm2 -e 's,tpm2_,tpm2 ,' 85 + ''; 86 + 87 + secrets = lib.mapAttrs' (name: value: nameValuePair "/etc/clevis/${name}.jwe" value.secretFile) cfg.devices; 88 + 89 + systemd = { 90 + extraBin = mkIf systemd.enable { 91 + clevis = "${cfg.package}/bin/clevis"; 92 + curl = "${pkgs.curl}/bin/curl"; 93 + }; 94 + 95 + storePaths = mkIf systemd.enable [ 96 + cfg.package 97 + "${pkgs.jose}/bin/jose" 98 + "${pkgs.curl}/bin/curl" 99 + "${pkgs.tpm2-tools}/bin/tpm2_createprimary" 100 + "${pkgs.tpm2-tools}/bin/tpm2_flushcontext" 101 + "${pkgs.tpm2-tools}/bin/tpm2_load" 102 + "${pkgs.tpm2-tools}/bin/tpm2_unseal" 103 + ]; 104 + }; 105 + }; 106 + }; 107 + }

+46 -2

nixos/modules/system/boot/luksroot.nix

··· 1 - { config, options, lib, pkgs, ... }: 1 + { config, options, lib, utils, pkgs, ... }: 2 2 3 3 with lib; 4 4 5 5 let 6 6 luks = config.boot.initrd.luks; 7 + clevis = config.boot.initrd.clevis; 8 + systemd = config.boot.initrd.systemd; 7 9 kernelPackages = config.boot.kernelPackages; 8 10 defaultPrio = (mkOptionDefault {}).priority; 9 11 ··· 594 596 ''; 595 597 596 598 type = with types; attrsOf (submodule ( 597 - { name, ... }: { options = { 599 + { config, name, ... }: { options = { 598 600 599 601 name = mkOption { 600 602 visible = false; ··· 894 896 ''; 895 897 }; 896 898 }; 899 + 900 + config = mkIf (clevis.enable && (hasAttr name clevis.devices)) { 901 + preOpenCommands = mkIf (!systemd.enable) '' 902 + mkdir -p /clevis-${name} 903 + mount -t ramfs none /clevis-${name} 904 + clevis decrypt < /etc/clevis/${name}.jwe > /clevis-${name}/decrypted 905 + ''; 906 + keyFile = "/clevis-${name}/decrypted"; 907 + fallbackToPassword = !systemd.enable; 908 + postOpenCommands = mkIf (!systemd.enable) '' 909 + umount /clevis-${name} 910 + ''; 911 + }; 897 912 })); 898 913 }; 899 914 ··· 1080 1095 boot.initrd.preFailCommands = mkIf (!config.boot.initrd.systemd.enable) postCommands; 1081 1096 boot.initrd.preLVMCommands = mkIf (!config.boot.initrd.systemd.enable) (commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand preLVM) + postCommands); 1082 1097 boot.initrd.postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable) (commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand postLVM) + postCommands); 1098 + 1099 + boot.initrd.systemd.services = let devicesWithClevis = filterAttrs (device: _: (hasAttr device clevis.devices)) luks.devices; in 1100 + mkIf (clevis.enable && systemd.enable) ( 1101 + (mapAttrs' 1102 + (name: _: nameValuePair "cryptsetup-clevis-${name}" { 1103 + wantedBy = [ "systemd-cryptsetup@${utils.escapeSystemdPath name}.service" ]; 1104 + before = [ 1105 + "systemd-cryptsetup@${utils.escapeSystemdPath name}.service" 1106 + "initrd-switch-root.target" 1107 + "shutdown.target" 1108 + ]; 1109 + wants = [ "systemd-udev-settle.service" ] ++ optional clevis.useTang "network-online.target"; 1110 + after = [ "systemd-modules-load.service" "systemd-udev-settle.service" ] ++ optional clevis.useTang "network-online.target"; 1111 + script = '' 1112 + mkdir -p /clevis-${name} 1113 + mount -t ramfs none /clevis-${name} 1114 + umask 277 1115 + clevis decrypt < /etc/clevis/${name}.jwe > /clevis-${name}/decrypted 1116 + ''; 1117 + conflicts = [ "initrd-switch-root.target" "shutdown.target" ]; 1118 + unitConfig.DefaultDependencies = "no"; 1119 + serviceConfig = { 1120 + Type = "oneshot"; 1121 + RemainAfterExit = true; 1122 + ExecStop = "${config.boot.initrd.systemd.package.util-linux}/bin/umount /clevis-${name}"; 1123 + }; 1124 + }) 1125 + devicesWithClevis) 1126 + ); 1083 1127 1084 1128 environment.systemPackages = [ pkgs.cryptsetup ]; 1085 1129 };

+9 -1

nixos/modules/tasks/filesystems/bcachefs.nix

··· 57 57 # bcachefs does not support mounting devices with colons in the path, ergo we don't (see #49671) 58 58 firstDevice = fs: lib.head (lib.splitString ":" fs.device); 59 59 60 - openCommand = name: fs: '' 60 + openCommand = name: fs: if config.boot.initrd.clevis.enable && (lib.hasAttr (firstDevice fs) config.boot.initrd.clevis.devices) then '' 61 + if clevis decrypt < /etc/clevis/${firstDevice fs}.jwe | bcachefs unlock ${firstDevice fs} 62 + then 63 + printf "unlocked ${name} using clevis\n" 64 + else 65 + printf "falling back to interactive unlocking...\n" 66 + tryUnlock ${name} ${firstDevice fs} 67 + fi 68 + '' else '' 61 69 tryUnlock ${name} ${firstDevice fs} 62 70 ''; 63 71

+11 -2

nixos/modules/tasks/filesystems/zfs.nix

··· 17 17 cfgZED = config.services.zfs.zed; 18 18 19 19 selectModulePackage = package: config.boot.kernelPackages.${package.kernelModuleAttribute}; 20 + clevisDatasets = map (e: e.device) (filter (e: (hasAttr e.device config.boot.initrd.clevis.devices) && e.fsType == "zfs" && (fsNeededForBoot e)) config.system.build.fileSystems); 21 + 22 + 20 23 inInitrd = any (fs: fs == "zfs") config.boot.initrd.supportedFilesystems; 21 24 inSystem = any (fs: fs == "zfs") config.boot.supportedFilesystems; 22 25 ··· 120 123 # but don't *require* it, because mounts shouldn't be killed if it's stopped. 121 124 # In the future, hopefully someone will complete this: 122 125 # https://github.com/zfsonlinux/zfs/pull/4943 123 - wants = [ "systemd-udev-settle.service" ]; 126 + wants = [ "systemd-udev-settle.service" ] ++ optional (config.boot.initrd.clevis.useTang) "network-online.target"; 124 127 after = [ 125 128 "systemd-udev-settle.service" 126 129 "systemd-modules-load.service" 127 130 "systemd-ask-password-console.service" 128 - ]; 131 + ] ++ optional (config.boot.initrd.clevis.useTang) "network-online.target"; 129 132 requiredBy = getPoolMounts prefix pool ++ [ "zfs-import.target" ]; 130 133 before = getPoolMounts prefix pool ++ [ "zfs-import.target" ]; 131 134 unitConfig = { ··· 154 157 poolImported "${pool}" || poolImport "${pool}" # Try one last time, e.g. to import a degraded pool. 155 158 fi 156 159 if poolImported "${pool}"; then 160 + ${concatMapStringsSep "\n" (elem: "clevis decrypt < /etc/clevis/${elem}.jwe | zfs load-key ${elem} || true ") (filter (p: (elemAt (splitString "/" p) 0) == pool) clevisDatasets)} 161 + 162 + 157 163 ${optionalString keyLocations.hasKeys '' 158 164 ${keyLocations.command} | while IFS=$'\t' read ds kl ks; do 159 165 { ··· 623 629 fi 624 630 poolImported "${pool}" || poolImport "${pool}" # Try one last time, e.g. to import a degraded pool. 625 631 fi 632 + 633 + ${concatMapStringsSep "\n" (elem: "clevis decrypt < /etc/clevis/${elem}.jwe | zfs load-key ${elem}") (filter (p: (elemAt (splitString "/" p) 0) == pool) clevisDatasets)} 634 + 626 635 ${if isBool cfgZfs.requestEncryptionCredentials 627 636 then optionalString cfgZfs.requestEncryptionCredentials '' 628 637 zfs load-key -a

+1

nixos/tests/all-tests.nix

··· 135 135 authelia = handleTest ./authelia.nix {}; 136 136 avahi = handleTest ./avahi.nix {}; 137 137 avahi-with-resolved = handleTest ./avahi.nix { networkd = true; }; 138 + ayatana-indicators = handleTest ./ayatana-indicators.nix {}; 138 139 babeld = handleTest ./babeld.nix {}; 139 140 bazarr = handleTest ./bazarr.nix {}; 140 141 bcachefs = handleTestOn ["x86_64-linux" "aarch64-linux"] ./bcachefs.nix {};

+71

nixos/tests/ayatana-indicators.nix

··· 1 + import ./make-test-python.nix ({ pkgs, lib, ... }: let 2 + user = "alice"; 3 + in { 4 + name = "ayatana-indicators"; 5 + 6 + meta = { 7 + maintainers = with lib.maintainers; [ OPNA2608 ]; 8 + }; 9 + 10 + nodes.machine = { config, ... }: { 11 + imports = [ 12 + ./common/auto.nix 13 + ./common/user-account.nix 14 + ]; 15 + 16 + test-support.displayManager.auto = { 17 + enable = true; 18 + inherit user; 19 + }; 20 + 21 + services.xserver = { 22 + enable = true; 23 + desktopManager.mate.enable = true; 24 + displayManager.defaultSession = lib.mkForce "mate"; 25 + }; 26 + 27 + services.ayatana-indicators = { 28 + enable = true; 29 + packages = with pkgs; [ 30 + ayatana-indicator-messages 31 + ]; 32 + }; 33 + 34 + # Services needed by some indicators 35 + services.accounts-daemon.enable = true; # messages 36 + }; 37 + 38 + # TODO session indicator starts up in a semi-broken state, but works fine after a restart. maybe being started before graphical session is truly up & ready? 39 + testScript = { nodes, ... }: let 40 + runCommandPerIndicatorService = command: lib.strings.concatMapStringsSep "\n" command nodes.machine.systemd.user.targets."ayatana-indicators".wants; 41 + in '' 42 + start_all() 43 + machine.wait_for_x() 44 + 45 + # Desktop environment should reach graphical-session.target 46 + machine.wait_for_unit("graphical-session.target", "${user}") 47 + 48 + # MATE relies on XDG autostart to bring up the indicators. 49 + # Not sure *when* XDG autostart fires them up, and awaiting pgrep success seems to misbehave? 50 + machine.sleep(10) 51 + 52 + # Now check if all indicators were brought up successfully, and kill them for later 53 + '' + (runCommandPerIndicatorService (service: let serviceExec = builtins.replaceStrings [ "." ] [ "-" ] service; in '' 54 + machine.succeed("pgrep -f ${serviceExec}") 55 + machine.succeed("pkill -f ${serviceExec}") 56 + '')) + '' 57 + 58 + # Ayatana target is the preferred way of starting up indicators on SystemD session, the graphical session is responsible for starting this if it supports them. 59 + # Mate currently doesn't do this, so start it manually for checking (https://github.com/mate-desktop/mate-indicator-applet/issues/63) 60 + machine.systemctl("start ayatana-indicators.target", "${user}") 61 + machine.wait_for_unit("ayatana-indicators.target", "${user}") 62 + 63 + # Let all indicator services do their startups, potential post-launch crash & restart cycles so we can properly check for failures 64 + # Not sure if there's a better way of awaiting this without false-positive potential 65 + machine.sleep(10) 66 + 67 + # Now check if all indicator services were brought up successfully 68 + '' + runCommandPerIndicatorService (service: '' 69 + machine.wait_for_unit("${service}", "${user}") 70 + ''); 71 + })

+4

nixos/tests/installer-systemd-stage-1.nix

··· 32 32 stratisRoot 33 33 swraid 34 34 zfsroot 35 + clevisLuks 36 + clevisLuksFallback 37 + clevisZfs 38 + clevisZfsFallback 35 39 ; 36 40 37 41 }

+233 -15

nixos/tests/installer.nix

··· 12 12 # The configuration to install. 13 13 makeConfig = { bootLoader, grubDevice, grubIdentifier, grubUseEfi 14 14 , extraConfig, forceGrubReinstallCount ? 0, flake ? false 15 + , clevisTest 15 16 }: 16 17 pkgs.writeText "configuration.nix" '' 17 18 { config, lib, pkgs, modulesPath, ... }: ··· 52 53 53 54 boot.initrd.secrets."/etc/secret" = ./secret; 54 55 56 + ${optionalString clevisTest '' 57 + boot.kernelParams = [ "console=tty0" "ip=192.168.1.1:::255.255.255.0::eth1:none" ]; 58 + boot.initrd = { 59 + availableKernelModules = [ "tpm_tis" ]; 60 + clevis = { enable = true; useTang = true; }; 61 + network.enable = true; 62 + }; 63 + ''} 64 + 55 65 users.users.alice = { 56 66 isNormalUser = true; 57 67 home = "/home/alice"; ··· 71 81 # partitions and filesystems. 72 82 testScriptFun = { bootLoader, createPartitions, grubDevice, grubUseEfi, grubIdentifier 73 83 , postInstallCommands, preBootCommands, postBootCommands, extraConfig 74 - , testSpecialisationConfig, testFlakeSwitch 84 + , testSpecialisationConfig, testFlakeSwitch, clevisTest, clevisFallbackTest 75 85 }: 76 86 let iface = "virtio"; 77 87 isEfi = bootLoader == "systemd-boot" || (bootLoader == "grub" && grubUseEfi); ··· 79 89 in if !isEfi && !pkgs.stdenv.hostPlatform.isx86 then '' 80 90 machine.succeed("true") 81 91 '' else '' 92 + import subprocess 93 + tpm_folder = os.environ['NIX_BUILD_TOP'] 82 94 def assemble_qemu_flags(): 83 95 flags = "-cpu max" 84 96 ${if (system == "x86_64-linux" || system == "i686-linux") 85 97 then ''flags += " -m 1024"'' 86 98 else ''flags += " -m 768 -enable-kvm -machine virt,gic-version=host"'' 87 99 } 100 + ${optionalString clevisTest ''flags += f" -chardev socket,id=chrtpm,path={tpm_folder}/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"''} 101 + ${optionalString clevisTest ''flags += " -device virtio-net-pci,netdev=vlan1,mac=52:54:00:12:11:02 -netdev vde,id=vlan1,sock=\"$QEMU_VDE_SOCKET_1\""''} 88 102 return flags 89 103 90 104 ··· 110 124 def create_machine_named(name): 111 125 return create_machine({**default_flags, "name": name}) 112 126 127 + class Tpm: 128 + def __init__(self): 129 + self.start() 113 130 114 - machine.start() 131 + def start(self): 132 + self.proc = subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", 133 + "socket", 134 + "--tpmstate", f"dir={tpm_folder}/swtpm", 135 + "--ctrl", f"type=unixio,path={tpm_folder}/swtpm-sock", 136 + "--tpm2" 137 + ]) 138 + 139 + # Check whether starting swtpm failed 140 + try: 141 + exit_code = self.proc.wait(timeout=0.2) 142 + if exit_code is not None and exit_code != 0: 143 + raise Exception("failed to start swtpm") 144 + except subprocess.TimeoutExpired: 145 + pass 146 + 147 + """Check whether the swtpm process exited due to an error""" 148 + def check(self): 149 + exit_code = self.proc.poll() 150 + if exit_code is not None and exit_code != 0: 151 + raise Exception("swtpm process died") 152 + 153 + 154 + os.mkdir(f"{tpm_folder}/swtpm") 155 + tpm = Tpm() 156 + tpm.check() 157 + 158 + start_all() 159 + ${optionalString clevisTest '' 160 + tang.wait_for_unit("sockets.target") 161 + tang.wait_for_unit("network-online.target") 162 + machine.wait_for_unit("network-online.target") 163 + ''} 164 + machine.wait_for_unit("multi-user.target") 165 + 115 166 116 167 with subtest("Assert readiness of login prompt"): 117 168 machine.succeed("echo hello") ··· 127 178 machine.copy_from_host( 128 179 "${ makeConfig { 129 180 inherit bootLoader grubDevice grubIdentifier 130 - grubUseEfi extraConfig; 181 + grubUseEfi extraConfig clevisTest; 131 182 } 132 183 }", 133 184 "/mnt/etc/nixos/configuration.nix", 134 185 ) 135 186 machine.copy_from_host("${pkgs.writeText "secret" "secret"}", "/mnt/etc/nixos/secret") 136 187 188 + ${optionalString clevisTest '' 189 + with subtest("Create the Clevis secret with Tang"): 190 + machine.wait_for_unit("network-online.target") 191 + machine.succeed('echo -n password | clevis encrypt sss \'{"t": 2, "pins": {"tpm2": {}, "tang": {"url": "http://192.168.1.2"}}}\' -y > /mnt/etc/nixos/clevis-secret.jwe')''} 192 + 193 + ${optionalString clevisFallbackTest '' 194 + with subtest("Shutdown Tang to check fallback to interactive prompt"): 195 + tang.shutdown() 196 + ''} 197 + 137 198 with subtest("Perform the installation"): 138 199 machine.succeed("nixos-install < /dev/null >&2") 139 200 ··· 200 261 machine.copy_from_host_via_shell( 201 262 "${ makeConfig { 202 263 inherit bootLoader grubDevice grubIdentifier 203 - grubUseEfi extraConfig; 264 + grubUseEfi extraConfig clevisTest; 204 265 forceGrubReinstallCount = 1; 205 266 } 206 267 }", ··· 229 290 machine.copy_from_host_via_shell( 230 291 "${ makeConfig { 231 292 inherit bootLoader grubDevice grubIdentifier 232 - grubUseEfi extraConfig; 293 + grubUseEfi extraConfig clevisTest; 233 294 forceGrubReinstallCount = 2; 234 295 } 235 296 }", ··· 303 364 """) 304 365 machine.copy_from_host_via_shell( 305 366 "${makeConfig { 306 - inherit bootLoader grubDevice grubIdentifier grubUseEfi extraConfig; 367 + inherit bootLoader grubDevice grubIdentifier grubUseEfi extraConfig clevisTest; 307 368 forceGrubReinstallCount = 1; 308 369 flake = true; 309 370 }}", ··· 379 440 , enableOCR ? false, meta ? {} 380 441 , testSpecialisationConfig ? false 381 442 , testFlakeSwitch ? false 443 + , clevisTest ? false 444 + , clevisFallbackTest ? false 382 445 }: 383 446 makeTest { 384 447 inherit enableOCR; ··· 416 479 virtualisation.rootDevice = "/dev/vdb"; 417 480 virtualisation.bootLoaderDevice = "/dev/vda"; 418 481 virtualisation.qemu.diskInterface = "virtio"; 419 - 420 - # We don't want to have any networking in the guest whatsoever. 421 - # Also, if any vlans are enabled, the guest will reboot 422 - # (with a different configuration for legacy reasons), 423 - # and spend 5 minutes waiting for the vlan interface to show up 424 - # (which will never happen). 425 - virtualisation.vlans = []; 482 + virtualisation.qemu.options = mkIf (clevisTest) [ 483 + "-chardev socket,id=chrtpm,path=$NIX_BUILD_TOP/swtpm-sock" 484 + "-tpmdev emulator,id=tpm0,chardev=chrtpm" 485 + "-device tpm-tis,tpmdev=tpm0" 486 + ]; 487 + # We don't want to have any networking in the guest apart from the clevis tests. 488 + virtualisation.vlans = mkIf (!clevisTest) []; 426 489 427 490 boot.loader.systemd-boot.enable = mkIf (bootLoader == "systemd-boot") true; 428 491 ··· 471 534 in [ 472 535 (pkgs.grub2.override { inherit zfsSupport; }) 473 536 (pkgs.grub2_efi.override { inherit zfsSupport; }) 474 - ]); 537 + ]) ++ optionals clevisTest [ pkgs.klibc ]; 475 538 476 539 nix.settings = { 477 540 substituters = mkForce []; ··· 480 543 }; 481 544 }; 482 545 546 + } // optionalAttrs clevisTest { 547 + tang = { 548 + services.tang = { 549 + enable = true; 550 + listenStream = [ "80" ]; 551 + ipAddressAllow = [ "192.168.1.0/24" ]; 552 + }; 553 + networking.firewall.allowedTCPPorts = [ 80 ]; 554 + }; 483 555 }; 484 556 485 557 testScript = testScriptFun { 486 558 inherit bootLoader createPartitions postInstallCommands preBootCommands postBootCommands 487 559 grubDevice grubIdentifier grubUseEfi extraConfig 488 - testSpecialisationConfig testFlakeSwitch; 560 + testSpecialisationConfig testFlakeSwitch clevisTest clevisFallbackTest; 489 561 }; 490 562 }; 491 563 ··· 586 658 zfs = super.zfs.overrideAttrs(_: {meta.platforms = [];});} 587 659 )]; 588 660 }; 661 + 662 + mkClevisBcachefsTest = { fallback ? false }: makeInstallerTest "clevis-bcachefs${optionalString fallback "-fallback"}" { 663 + clevisTest = true; 664 + clevisFallbackTest = fallback; 665 + enableOCR = fallback; 666 + extraInstallerConfig = { 667 + imports = [ no-zfs-module ]; 668 + boot.supportedFilesystems = [ "bcachefs" ]; 669 + environment.systemPackages = with pkgs; [ keyutils clevis ]; 670 + }; 671 + createPartitions = '' 672 + machine.succeed( 673 + "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 674 + + " mkpart primary ext2 1M 100MB" 675 + + " mkpart primary linux-swap 100M 1024M" 676 + + " mkpart primary 1024M -1s", 677 + "udevadm settle", 678 + "mkswap /dev/vda2 -L swap", 679 + "swapon -L swap", 680 + "keyctl link @u @s", 681 + "echo -n password | mkfs.bcachefs -L root --encrypted /dev/vda3", 682 + "echo -n password | bcachefs unlock /dev/vda3", 683 + "echo -n password | mount -t bcachefs /dev/vda3 /mnt", 684 + "mkfs.ext3 -L boot /dev/vda1", 685 + "mkdir -p /mnt/boot", 686 + "mount LABEL=boot /mnt/boot", 687 + "udevadm settle") 688 + ''; 689 + extraConfig = '' 690 + boot.initrd.clevis.devices."/dev/vda3".secretFile = "/etc/nixos/clevis-secret.jwe"; 691 + 692 + # We override what nixos-generate-config has generated because we do 693 + # not know the UUID in advance. 694 + fileSystems."/" = lib.mkForce { device = "/dev/vda3"; fsType = "bcachefs"; }; 695 + ''; 696 + preBootCommands = '' 697 + tpm = Tpm() 698 + tpm.check() 699 + '' + optionalString fallback '' 700 + machine.start() 701 + machine.wait_for_text("enter passphrase for") 702 + machine.send_chars("password\n") 703 + ''; 704 + }; 705 + 706 + mkClevisLuksTest = { fallback ? false }: makeInstallerTest "clevis-luks${optionalString fallback "-fallback"}" { 707 + clevisTest = true; 708 + clevisFallbackTest = fallback; 709 + enableOCR = fallback; 710 + extraInstallerConfig = { 711 + environment.systemPackages = with pkgs; [ clevis ]; 712 + }; 713 + createPartitions = '' 714 + machine.succeed( 715 + "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 716 + + " mkpart primary ext2 1M 100MB" 717 + + " mkpart primary linux-swap 100M 1024M" 718 + + " mkpart primary 1024M -1s", 719 + "udevadm settle", 720 + "mkswap /dev/vda2 -L swap", 721 + "swapon -L swap", 722 + "modprobe dm_mod dm_crypt", 723 + "echo -n password | cryptsetup luksFormat -q /dev/vda3 -", 724 + "echo -n password | cryptsetup luksOpen --key-file - /dev/vda3 crypt-root", 725 + "mkfs.ext3 -L nixos /dev/mapper/crypt-root", 726 + "mount LABEL=nixos /mnt", 727 + "mkfs.ext3 -L boot /dev/vda1", 728 + "mkdir -p /mnt/boot", 729 + "mount LABEL=boot /mnt/boot", 730 + "udevadm settle") 731 + ''; 732 + extraConfig = '' 733 + boot.initrd.clevis.devices."crypt-root".secretFile = "/etc/nixos/clevis-secret.jwe"; 734 + ''; 735 + preBootCommands = '' 736 + tpm = Tpm() 737 + tpm.check() 738 + '' + optionalString fallback '' 739 + machine.start() 740 + ${if systemdStage1 then '' 741 + machine.wait_for_text("Please enter") 742 + '' else '' 743 + machine.wait_for_text("Passphrase for") 744 + ''} 745 + machine.send_chars("password\n") 746 + ''; 747 + }; 748 + 749 + mkClevisZfsTest = { fallback ? false }: makeInstallerTest "clevis-zfs${optionalString fallback "-fallback"}" { 750 + clevisTest = true; 751 + clevisFallbackTest = fallback; 752 + enableOCR = fallback; 753 + extraInstallerConfig = { 754 + boot.supportedFilesystems = [ "zfs" ]; 755 + environment.systemPackages = with pkgs; [ clevis ]; 756 + }; 757 + createPartitions = '' 758 + machine.succeed( 759 + "flock /dev/vda parted --script /dev/vda -- mklabel msdos" 760 + + " mkpart primary ext2 1M 100MB" 761 + + " mkpart primary linux-swap 100M 1024M" 762 + + " mkpart primary 1024M -1s", 763 + "udevadm settle", 764 + "mkswap /dev/vda2 -L swap", 765 + "swapon -L swap", 766 + "zpool create -O mountpoint=legacy rpool /dev/vda3", 767 + "echo -n password | zfs create" 768 + + " -o encryption=aes-256-gcm -o keyformat=passphrase rpool/root", 769 + "mount -t zfs rpool/root /mnt", 770 + "mkfs.ext3 -L boot /dev/vda1", 771 + "mkdir -p /mnt/boot", 772 + "mount LABEL=boot /mnt/boot", 773 + "udevadm settle") 774 + ''; 775 + extraConfig = '' 776 + boot.initrd.clevis.devices."rpool/root".secretFile = "/etc/nixos/clevis-secret.jwe"; 777 + boot.zfs.requestEncryptionCredentials = true; 778 + 779 + 780 + # Using by-uuid overrides the default of by-id, and is unique 781 + # to the qemu disks, as they don't produce by-id paths for 782 + # some reason. 783 + boot.zfs.devNodes = "/dev/disk/by-uuid/"; 784 + networking.hostId = "00000000"; 785 + ''; 786 + preBootCommands = '' 787 + tpm = Tpm() 788 + tpm.check() 789 + '' + optionalString fallback '' 790 + machine.start() 791 + ${if systemdStage1 then '' 792 + machine.wait_for_text("Enter key for rpool/root") 793 + '' else '' 794 + machine.wait_for_text("Key load error") 795 + ''} 796 + machine.send_chars("password\n") 797 + ''; 798 + }; 799 + 589 800 in { 590 801 591 802 # !!! `parted mkpart' seems to silently create overlapping partitions. ··· 1175 1386 ) 1176 1387 ''; 1177 1388 }; 1389 + } // { 1390 + clevisBcachefs = mkClevisBcachefsTest { }; 1391 + clevisBcachefsFallback = mkClevisBcachefsTest { fallback = true; }; 1392 + clevisLuks = mkClevisLuksTest { }; 1393 + clevisLuksFallback = mkClevisLuksTest { fallback = true; }; 1394 + clevisZfs = mkClevisZfsTest { }; 1395 + clevisZfsFallback = mkClevisZfsTest { fallback = true; }; 1178 1396 } // optionalAttrs systemdStage1 { 1179 1397 stratisRoot = makeInstallerTest "stratisRoot" { 1180 1398 createPartitions = ''

+4 -4

pkgs/applications/audio/raysession/default.nix

··· 1 - { lib, fetchurl, buildPythonApplication, libjack2, pydbus, pyliblo, pyqt5, which, bash, qt5 }: 1 + { lib, fetchurl, buildPythonApplication, libjack2, pyliblo, pyqt5, which, bash, qt5 }: 2 2 3 3 buildPythonApplication rec { 4 4 pname = "raysession"; 5 - version = "0.13.1"; 5 + version = "0.14.2"; 6 6 7 7 src = fetchurl { 8 8 url = "https://github.com/Houston4444/RaySession/releases/download/v${version}/RaySession-${version}-source.tar.gz"; 9 - sha256 = "sha256-iiFRtX43u9BHe7a4ojza7kav+dMW9e05dPi7Gf9d1GM="; 9 + sha256 = "sha256-qEN3zBK/goRLIZaU06XXm8H5yj4Qjj/NH+bkHkjhLaw="; 10 10 }; 11 11 12 12 postPatch = '' ··· 25 25 qt5.wrapQtAppsHook 26 26 ]; 27 27 buildInputs = [ libjack2 bash ]; 28 - propagatedBuildInputs = [ pydbus pyliblo pyqt5 ]; 28 + propagatedBuildInputs = [ pyliblo pyqt5 ]; 29 29 30 30 dontWrapQtApps = true; # The program is a python script. 31 31

-52

pkgs/applications/graphics/normcap/default.nix

··· 1 - # From NUR https://github.com/nix-community/nur-combined/blob/6bddae47680482383b5769dd3aa7d82b88e6cbc8/repos/renesat/pkgs/normcap/default.nix 2 - 3 - { 4 - lib, 5 - stdenv, 6 - python3, 7 - fetchFromGitHub, 8 - tesseract4, 9 - leptonica, 10 - wl-clipboard 11 - }: 12 - python3.pkgs.buildPythonApplication rec { 13 - pname = "normcap"; 14 - version = "0.4.4"; 15 - format = "pyproject"; 16 - 17 - src = fetchFromGitHub { 18 - owner = "dynobo"; 19 - repo = "normcap"; 20 - rev = "v${version}"; 21 - hash = "sha256-dShtmoqS9TC3PHuwq24OEOhYfBHGhDCma8Du8QCkFuI="; 22 - }; 23 - 24 - buildInputs = [ 25 - wl-clipboard 26 - ]; 27 - 28 - nativeBuildInputs = with python3.pkgs; [ 29 - poetry-core 30 - ]; 31 - 32 - propagatedBuildInputs = with python3.pkgs; [ 33 - tesseract4 34 - leptonica 35 - pyside6 36 - 37 - # Test 38 - toml 39 - pytest-qt 40 - ]; 41 - 42 - postPatch = '' 43 - substituteInPlace pyproject.toml --replace 'PySide6-Essentials = "6.5.1"' "" 44 - ''; 45 - 46 - meta = with lib; { 47 - description = "OCR powered screen-capture tool to capture information instead of images"; 48 - homepage = "https://dynobo.github.io/normcap/"; 49 - license = licenses.gpl3Plus; 50 - maintainers = with maintainers; [ cafkafk ]; 51 - }; 52 - }

+2 -2

pkgs/applications/misc/chrysalis/default.nix

··· 35 35 $out/share/applications/Chrysalis.desktop \ 36 36 --replace 'Exec=Chrysalis' 'Exec=${pname}' 37 37 38 - cp -r ${appimageContents}/usr/share/icons $out/share 38 + install -Dm444 ${appimageContents}/usr/share/icons/hicolor/256x256/chrysalis.png -t $out/share/pixmaps 39 39 ''; 40 40 41 41 meta = with lib; { 42 42 description = "A graphical configurator for Kaleidoscope-powered keyboards"; 43 43 homepage = "https://github.com/keyboardio/Chrysalis"; 44 - license = licenses.gpl3; 44 + license = licenses.gpl3Only; 45 45 maintainers = with maintainers; [ aw ]; 46 46 platforms = [ "x86_64-linux" ]; 47 47 mainProgram = pname;

+4 -4

pkgs/applications/misc/itd/default.nix

··· 8 8 pname = "itd"; 9 9 version = "1.1.0"; 10 10 11 - # https://gitea.arsenm.dev/Arsen6331/itd/tags 11 + # https://gitea.elara.ws/Elara6331/itd/tags 12 12 src = fetchFromGitea { 13 - domain = "gitea.arsenm.dev"; 14 - owner = "Arsen6331"; 13 + domain = "gitea.elara.ws"; 14 + owner = "Elara6331"; 15 15 repo = "itd"; 16 16 rev = "v${version}"; 17 17 hash = "sha256-95/9Qy0HhrX+ORuv6g1T4/Eq1hf539lYG5fTkLeY6B0="; ··· 34 34 35 35 meta = with lib; { 36 36 description = "itd is a daemon to interact with the PineTime running InfiniTime"; 37 - homepage = "https://gitea.arsenm.dev/Arsen6331/itd"; 37 + homepage = "https://gitea.elara.ws/Elara6331/itd"; 38 38 license = licenses.gpl3Plus; 39 39 platforms = platforms.linux; 40 40 maintainers = with maintainers; [ mindavi raphaelr ];

+5 -3

pkgs/applications/networking/browsers/palemoon/bin.nix

··· 9 9 , gtk2-x11 10 10 , withGTK3 ? true 11 11 , gtk3 12 + , libglvnd 12 13 , libXt 13 14 , libpulseaudio 14 15 , makeDesktopItem ··· 18 19 19 20 stdenv.mkDerivation (finalAttrs: { 20 21 pname = "palemoon-bin"; 21 - version = "32.5.0"; 22 + version = "32.5.1"; 22 23 23 24 src = fetchzip { 24 25 urls = [ ··· 26 27 "https://rm-us.palemoon.org/release/palemoon-${finalAttrs.version}.linux-x86_64-gtk${if withGTK3 then "3" else "2"}.tar.xz" 27 28 ]; 28 29 hash = if withGTK3 then 29 - "sha256-1MJ5K9Zc/BHeQwwlq3XyUV8XTFEpPytNyTnsDpE1tBI=" 30 + "sha256-hWqL/WoRRigw8cNeJImOQLM8hewyS3PYNGr2WYP+cMk=" 30 31 else 31 - "sha256-xXunZTqoc2A+ilosRUUluxDwewD3xwITF5nb5Lbyv7Y="; 32 + "sha256-dlBnXP3WUgQ0spkLRowfzMcPArhGfpowsvwgCA+kvUA="; 32 33 }; 33 34 34 35 preferLocalBuild = true; ··· 147 148 gappsWrapperArgs+=( 148 149 --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ 149 150 ffmpeg 151 + libglvnd 150 152 libpulseaudio 151 153 ]}" 152 154 )

+3 -3

pkgs/applications/networking/p2p/libutp/3.4.nix

··· 2 2 3 3 stdenv.mkDerivation rec { 4 4 pname = "libutp"; 5 - version = "unstable-2023-10-16"; 5 + version = "unstable-2023-11-14"; 6 6 7 7 src = fetchFromGitHub { 8 8 # Use transmission fork from post-3.4-transmission branch 9 9 owner = "transmission"; 10 10 repo = pname; 11 - rev = "2589200eac82fc91b65979680e4b3c026dff0278"; 12 - hash = "sha256-wsDqdbMWVm3ubTbg5XClEWutJz1irSIazVLFeCyAAL4="; 11 + rev = "52645d6d0fb16009e11d2f84469d2e43b7b6b48a"; 12 + hash = "sha256-pcPVkDEEtriN9zlEcVFKwKhhh51wpJGxYlcu7bH1RkI="; 13 13 }; 14 14 15 15 nativeBuildInputs = [ cmake ];

+8 -3

pkgs/applications/science/logic/why3/default.nix

··· 1 1 { callPackage, fetchurl, lib, stdenv 2 - , ocamlPackages, coqPackages, rubber, hevea, emacs }: 2 + , ocamlPackages, coqPackages, rubber, hevea, emacs 3 + , version ? "1.7.0" 4 + }: 3 5 4 6 stdenv.mkDerivation rec { 5 7 pname = "why3"; 6 - version = "1.6.0"; 8 + inherit version; 7 9 8 10 src = fetchurl { 9 11 url = "https://why3.gitlabpages.inria.fr/releases/${pname}-${version}.tar.gz"; 10 - hash = "sha256-hFvM6kHScaCtcHCc6Vezl9CR7BFbiKPoTEh7kj0ZJxw="; 12 + hash = { 13 + "1.7.0" = "sha256-rygrjzuJVukOvpuXTG/yeoEP98ZFkLQHObgc3My1PVY="; 14 + "1.6.0" = "sha256-hFvM6kHScaCtcHCc6Vezl9CR7BFbiKPoTEh7kj0ZJxw="; 15 + }."${version}"; 11 16 }; 12 17 13 18 strictDeps = true;

+3 -3

pkgs/applications/search/recoll/default.nix

··· 70 70 71 71 mkDerivation rec { 72 72 pname = "recoll"; 73 - version = "1.36.0"; 73 + version = "1.36.2"; 74 74 75 75 src = fetchurl { 76 76 url = "https://www.lesbonscomptes.com/${pname}/${pname}-${version}.tar.gz"; 77 - hash = "sha256-vf0o0wBcG3878YD4mTUhni2aTUU9AJkG4an1oaRc4yw="; 77 + hash = "sha256-GyQqI3ciRO0TRaAeM4rGu+j/eB4bJlQ7VBTTxUGMNt4="; 78 78 }; 79 79 80 80 configureFlags = [ ··· 169 169 members, email attachments. 170 170 ''; 171 171 homepage = "https://www.lesbonscomptes.com/recoll/"; 172 - changelog = "https://www.lesbonscomptes.com/recoll/pages/release-${version}.html"; 172 + changelog = "https://www.lesbonscomptes.com/recoll/pages/release-${versions.majorMinor version}.html"; 173 173 license = licenses.gpl2Plus; 174 174 platforms = platforms.unix; 175 175 maintainers = with maintainers; [ jcumming ehmry ];

+2 -2

pkgs/applications/version-management/gitea/default.nix

··· 20 20 21 21 buildGoModule rec { 22 22 pname = "gitea"; 23 - version = "1.20.5"; 23 + version = "1.21.1"; 24 24 25 25 # not fetching directly from the git repo, because that lacks several vendor files for the web UI 26 26 src = fetchurl { 27 27 url = "https://dl.gitea.com/gitea/${version}/gitea-src-${version}.tar.gz"; 28 - hash = "sha256-cH/AHsFXOdvfSfj9AZUd3l/RlYE06o1ByZu0vvGQuXw="; 28 + hash = "sha256-5WEHUMQsQNgrglS+xJ4IWHUl0a6RLLPyx0l+ECJ4R9g="; 29 29 }; 30 30 31 31 vendorHash = null;

+2

pkgs/build-support/fetchtorrent/default.nix

··· 14 14 , recursiveHash ? true 15 15 , postFetch ? "" 16 16 , postUnpack ? "" 17 + , meta ? {} 17 18 }: 18 19 let 19 20 afterSuccess = writeShellScript "fetch-bittorrent-done.sh" '' ··· 30 31 jsonConfig = (formats.json {}).generate "jsonConfig" config; 31 32 in 32 33 runCommand name { 34 + inherit meta; 33 35 nativeBuildInputs = [ cacert ] ++ (if (backend == "transmission" ) then [ transmission_noSystemd ] else if (backend == "rqbit") then [ rqbit ] else throw "rqbit or transmission are the only available backends for fetchtorrent"); 34 36 outputHashAlgo = if hash != "" then null else "sha256"; 35 37 outputHash = hash;

+24 -2

pkgs/build-support/fetchtorrent/tests.nix

··· 1 - { testers, fetchtorrent, ... }: 1 + { testers, fetchtorrent, lib, ... }: 2 + 3 + let 4 + wired-cd.meta.license = [ 5 + # track 1, 4 and 11 6 + { 7 + spdxID = "CC NC-SAMPLING+ 1.0 Deed"; 8 + fullName = "NonCommercial Sampling Plus 1.0 Generic"; 9 + url = "https://creativecommons.org/licenses/nc-sampling+/1.0/"; 10 + free = false; # for noncommercial purposes only 11 + } 12 + # the rest 13 + { 14 + spdxID = "CC SAMPLING+ 1.0 Deed"; 15 + fullName = "Sampling Plus 1.0 Generic"; 16 + url = "https://creativecommons.org/licenses/sampling+/1.0/"; 17 + free = true; # no use in advertisement 18 + } 19 + ]; 20 + in 2 21 3 22 { 4 23 http-link = testers.invalidateFetcherByDrvHash fetchtorrent { 5 24 url = "https://webtorrent.io/torrents/wired-cd.torrent"; 6 25 hash = "sha256-OCsC22WuanqoN6lPv5wDT5ZxPcEHDpZ1EgXGvz1SDYo="; 7 26 backend = "transmission"; 27 + inherit (wired-cd) meta; 8 28 }; 9 29 magnet-link = testers.invalidateFetcherByDrvHash fetchtorrent { 10 30 url = "magnet:?xt=urn:btih:a88fda5954e89178c372716a6a78b8180ed4dad3&dn=The+WIRED+CD+-+Rip.+Sample.+Mash.+Share&tr=udp%3A%2F%2Fexplodie.org%3A6969&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969&tr=udp%3A%2F%2Ftracker.empire-js.us%3A1337&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337&tr=wss%3A%2F%2Ftracker.btorrent.xyz&tr=wss%3A%2F%2Ftracker.fastcast.nz&tr=wss%3A%2F%2Ftracker.openwebtorrent.com&ws=https%3A%2F%2Fwebtorrent.io%2Ftorrents%2F&xs=https%3A%2F%2Fwebtorrent.io%2Ftorrents%2Fwired-cd.torrent"; 11 31 hash = "sha256-OCsC22WuanqoN6lPv5wDT5ZxPcEHDpZ1EgXGvz1SDYo="; 12 32 backend = "transmission"; 33 + inherit (wired-cd) meta; 13 34 }; 14 35 http-link-rqbit = testers.invalidateFetcherByDrvHash fetchtorrent { 15 36 url = "https://webtorrent.io/torrents/wired-cd.torrent"; 16 37 hash = "sha256-OCsC22WuanqoN6lPv5wDT5ZxPcEHDpZ1EgXGvz1SDYo="; 17 38 backend = "rqbit"; 39 + inherit (wired-cd) meta; 18 40 }; 19 41 magnet-link-rqbit = testers.invalidateFetcherByDrvHash fetchtorrent { 20 42 url = "magnet:?xt=urn:btih:a88fda5954e89178c372716a6a78b8180ed4dad3&dn=The+WIRED+CD+-+Rip.+Sample.+Mash.+Share&tr=udp%3A%2F%2Fexplodie.org%3A6969&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969&tr=udp%3A%2F%2Ftracker.empire-js.us%3A1337&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337&tr=wss%3A%2F%2Ftracker.btorrent.xyz&tr=wss%3A%2F%2Ftracker.fastcast.nz&tr=wss%3A%2F%2Ftracker.openwebtorrent.com&ws=https%3A%2F%2Fwebtorrent.io%2Ftorrents%2F&xs=https%3A%2F%2Fwebtorrent.io%2Ftorrents%2Fwired-cd.torrent"; 21 43 hash = "sha256-OCsC22WuanqoN6lPv5wDT5ZxPcEHDpZ1EgXGvz1SDYo="; 22 44 backend = "rqbit"; 45 + inherit (wired-cd) meta; 23 46 }; 24 47 } 25 -

+147

pkgs/by-name/ay/ayatana-indicator-messages/package.nix

··· 1 + { stdenv 2 + , lib 3 + , fetchFromGitHub 4 + , gitUpdater 5 + , nixosTests 6 + , testers 7 + , accountsservice 8 + , cmake 9 + , dbus-test-runner 10 + , withDocumentation ? true 11 + , docbook_xsl 12 + , docbook_xml_dtd_45 13 + , glib 14 + , gobject-introspection 15 + , gtest 16 + , gtk-doc 17 + , intltool 18 + , lomiri 19 + , pkg-config 20 + , python3 21 + , systemd 22 + , vala 23 + , wrapGAppsHook 24 + }: 25 + 26 + stdenv.mkDerivation (finalAttrs: { 27 + pname = "ayatana-indicator-messages"; 28 + version = "23.10.0"; 29 + 30 + src = fetchFromGitHub { 31 + owner = "AyatanaIndicators"; 32 + repo = "ayatana-indicator-messages"; 33 + rev = finalAttrs.version; 34 + hash = "sha256-FBJeP5hOXJcOk04cRJpw+oN7L3w3meDX3ivLmFWkhVI="; 35 + }; 36 + 37 + outputs = [ 38 + "out" 39 + "dev" 40 + ] ++ lib.optionals withDocumentation [ 41 + "devdoc" 42 + ]; 43 + 44 + postPatch = '' 45 + # Uses pkg_get_variable, cannot substitute prefix with that 46 + substituteInPlace data/CMakeLists.txt \ 47 + --replace "\''${SYSTEMD_USER_DIR}" "$out/lib/systemd/user" 48 + 49 + # Bad concatenation 50 + substituteInPlace libmessaging-menu/messaging-menu.pc.in \ 51 + --replace "\''${exec_prefix}/@CMAKE_INSTALL_LIBDIR@" '@CMAKE_INSTALL_FULL_LIBDIR@' \ 52 + --replace "\''${prefix}/@CMAKE_INSTALL_INCLUDEDIR@" '@CMAKE_INSTALL_FULL_INCLUDEDIR@' 53 + '' + lib.optionalString (!withDocumentation) '' 54 + sed -i CMakeLists.txt \ 55 + '/add_subdirectory(doc)/d' 56 + ''; 57 + 58 + strictDeps = true; 59 + 60 + nativeBuildInputs = [ 61 + cmake 62 + glib # For glib-compile-schemas 63 + intltool 64 + pkg-config 65 + vala 66 + wrapGAppsHook 67 + ] ++ lib.optionals withDocumentation [ 68 + docbook_xsl 69 + docbook_xml_dtd_45 70 + gtk-doc 71 + ]; 72 + 73 + buildInputs = [ 74 + accountsservice 75 + lomiri.cmake-extras 76 + glib 77 + gobject-introspection 78 + systemd 79 + ]; 80 + 81 + nativeCheckInputs = [ 82 + (python3.withPackages (ps: with ps; [ 83 + pygobject3 84 + python-dbusmock 85 + ])) 86 + ]; 87 + 88 + checkInputs = [ 89 + dbus-test-runner 90 + gtest 91 + ]; 92 + 93 + cmakeFlags = [ 94 + "-DENABLE_TESTS=${lib.boolToString finalAttrs.doCheck}" 95 + "-DGSETTINGS_LOCALINSTALL=ON" 96 + "-DGSETTINGS_COMPILE=ON" 97 + ]; 98 + 99 + makeFlags = lib.optionals withDocumentation [ 100 + # gtk-doc doesn't call ld with the correct arguments 101 + # ld: ...: undefined reference to symbol 'strncpy@@GLIBC_2.2.5', 'qsort@@GLIBC_2.2.5' 102 + "LD=${stdenv.cc.targetPrefix}cc" 103 + ]; 104 + 105 + doCheck = stdenv.buildPlatform.canExecute stdenv.hostPlatform; 106 + 107 + preCheck = '' 108 + # test-client imports gir, whose solib entry points to final store location 109 + install -Dm644 libmessaging-menu/libmessaging-menu.so.0.0.0 $out/lib/libmessaging-menu.so.0 110 + ''; 111 + 112 + postCheck = '' 113 + # remove the above solib-installation, let it be done properly 114 + rm -r $out 115 + ''; 116 + 117 + preInstall = lib.optionalString withDocumentation '' 118 + # installing regenerates docs, generated files are created without write permissions, errors out while trying to overwrite them 119 + chmod +w doc/reference/html/* 120 + ''; 121 + 122 + passthru = { 123 + ayatana-indicators = [ 124 + "ayatana-indicator-messages" 125 + ]; 126 + tests = { 127 + pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage; 128 + vm = nixosTests.ayatana-indicators; 129 + }; 130 + updateScript = gitUpdater { }; 131 + }; 132 + 133 + meta = with lib; { 134 + description = "Ayatana Indicator Messages Applet"; 135 + longDescription = '' 136 + The -messages Ayatana System Indicator is the messages menu indicator for Unity7, MATE and Lomiri (optionally for 137 + others, e.g. XFCE, LXDE). 138 + ''; 139 + homepage = "https://github.com/AyatanaIndicators/ayatana-indicator-messages"; 140 + license = licenses.gpl3Only; 141 + platforms = platforms.linux; 142 + maintainers = with maintainers; [ OPNA2608 ]; 143 + pkgConfigModules = [ 144 + "messaging-menu" 145 + ]; 146 + }; 147 + })

+2 -2

pkgs/by-name/fr/frankenphp/package.nix

··· 19 19 pieBuild = stdenv.hostPlatform.isMusl; 20 20 in buildGoModule rec { 21 21 pname = "frankenphp"; 22 - version = "1.0.0-rc.3"; 22 + version = "1.0.0-rc.4"; 23 23 24 24 src = fetchFromGitHub { 25 25 owner = "dunglas"; 26 26 repo = "frankenphp"; 27 27 rev = "v${version}"; 28 - hash = "sha256-Al0gCxTb6s41ugX9J8N8lshop9kP3RPGCzlq5etk1RY="; 28 + hash = "sha256-4jNCKHt4eYI1BNaonIdS1Eq2OnJwgrU6qWZoiSpeIYk="; 29 29 }; 30 30 31 31 sourceRoot = "source/caddy";

+117

pkgs/by-name/no/normcap/package.nix

··· 1 + { lib 2 + , stdenv 3 + , python3 4 + , fetchFromGitHub 5 + , tesseract4 6 + , leptonica 7 + , wl-clipboard 8 + , libnotify 9 + , xorg 10 + }: 11 + 12 + let 13 + 14 + ps = python3.pkgs; 15 + 16 + wrapperDeps = [ 17 + leptonica 18 + tesseract4 19 + libnotify 20 + ] ++ lib.optionals stdenv.isLinux [ 21 + wl-clipboard 22 + ]; 23 + 24 + in 25 + 26 + ps.buildPythonApplication rec { 27 + pname = "normcap"; 28 + version = "0.4.4"; 29 + format = "pyproject"; 30 + 31 + disabled = ps.pythonOlder "3.9"; 32 + 33 + src = fetchFromGitHub { 34 + owner = "dynobo"; 35 + repo = "normcap"; 36 + rev = "refs/tags/v${version}"; 37 + hash = "sha256-dShtmoqS9TC3PHuwq24OEOhYfBHGhDCma8Du8QCkFuI="; 38 + }; 39 + 40 + pythonRemoveDeps = [ 41 + "PySide6-Essentials" 42 + ]; 43 + 44 + nativeBuildInputs = [ 45 + ps.pythonRelaxDepsHook 46 + ps.poetry-core 47 + ]; 48 + 49 + propagatedBuildInputs = [ 50 + ps.pyside6 51 + ]; 52 + 53 + preFixup = '' 54 + makeWrapperArgs+=( 55 + "''${qtWrapperArgs[@]}" 56 + --set QT_QPA_PLATFORM xcb 57 + --prefix PATH : ${lib.makeBinPath wrapperDeps} 58 + ) 59 + ''; 60 + 61 + nativeCheckInputs = wrapperDeps ++ [ 62 + ps.pytestCheckHook 63 + ps.pytest-qt 64 + ps.toml 65 + ] ++ lib.optionals stdenv.isLinux [ 66 + ps.pytest-xvfb 67 + xorg.xorgserver 68 + ]; 69 + 70 + preCheck = '' 71 + export HOME=$(mktemp -d) 72 + '' + lib.optionalString stdenv.isLinux '' 73 + # setup a virtual x11 display 74 + export DISPLAY=:$((2000 + $RANDOM % 1000)) 75 + Xvfb $DISPLAY -screen 5 1024x768x8 & 76 + xvfb_pid=$! 77 + ''; 78 + 79 + postCheck = lib.optionalString stdenv.isLinux '' 80 + # cleanup the virtual x11 display 81 + kill $xvfb_pid 82 + ''; 83 + 84 + disabledTests = [ 85 + # requires a wayland session (no xclip support) 86 + "test_wl_copy" 87 + # times out, unknown why 88 + "test_update_checker_triggers_checked_signal" 89 + # touches network 90 + "test_urls_reachable" 91 + # requires xdg 92 + "test_synchronized_capture" 93 + ] ++ lib.optionals stdenv.isDarwin [ 94 + # requires impure pbcopy 95 + "test_get_copy_func_with_pbcopy" 96 + "test_get_copy_func_without_pbcopy" 97 + "test_perform_pbcopy" 98 + ]; 99 + 100 + disabledTestPaths = [ 101 + # touches network 102 + "tests/tests_gui/test_downloader.py" 103 + # fails to import, causes pytest to freeze 104 + "tests/tests_gui/test_language_manager.py" 105 + ] ++ lib.optionals stdenv.isDarwin [ 106 + # requires a display 107 + "tests/integration/test_normcap.py" 108 + ]; 109 + 110 + meta = with lib; { 111 + description = "OCR powered screen-capture tool to capture information instead of images"; 112 + homepage = "https://dynobo.github.io/normcap/"; 113 + license = licenses.gpl3Plus; 114 + maintainers = with maintainers; [ cafkafk pbsds ]; 115 + mainProgram = "normcap"; 116 + }; 117 + }

+3

pkgs/desktops/lomiri/default.nix

··· 17 17 gmenuharness = callPackage ./development/gmenuharness { }; 18 18 libusermetrics = callPackage ./development/libusermetrics { }; 19 19 lomiri-api = callPackage ./development/lomiri-api { }; 20 + 21 + #### Services 22 + biometryd = callPackage ./services/biometryd { }; 20 23 }; 21 24 in 22 25 lib.makeScope libsForQt5.newScope packages

+137

pkgs/desktops/lomiri/services/biometryd/default.nix

··· 1 + { stdenv 2 + , lib 3 + , fetchFromGitLab 4 + , fetchpatch 5 + , gitUpdater 6 + , testers 7 + , boost 8 + , cmake 9 + , cmake-extras 10 + , dbus 11 + , dbus-cpp 12 + , gtest 13 + , libapparmor 14 + , libelf 15 + , pkg-config 16 + , process-cpp 17 + , properties-cpp 18 + , qtbase 19 + , qtdeclarative 20 + , sqlite 21 + }: 22 + 23 + stdenv.mkDerivation (finalAttrs: { 24 + pname = "biometryd"; 25 + version = "0.3.0"; 26 + 27 + src = fetchFromGitLab { 28 + owner = "ubports"; 29 + repo = "development/core/biometryd"; 30 + rev = finalAttrs.version; 31 + hash = "sha256-b095rsQnd63Ziqe+rn3ROo4LGXZxZ3Sa6h3apzCuyCs="; 32 + }; 33 + 34 + outputs = [ 35 + "out" 36 + "dev" 37 + ]; 38 + 39 + patches = [ 40 + # https://gitlab.com/ubports/development/core/biometryd/-/merge_requests/31 41 + (fetchpatch { 42 + url = "https://gitlab.com/OPNA2608/biometryd/-/commit/d01d979e4f98c6473761d1ace308aa182017804e.patch"; 43 + hash = "sha256-JxL3BLuh33ptfneU1y2qNGFKpeMlZlTMwCK97Rk3aTA="; 44 + }) 45 + (fetchpatch { 46 + url = "https://gitlab.com/OPNA2608/biometryd/-/commit/3cec6a3d42ea6aba8892da2c771b317f44daf9e2.patch"; 47 + hash = "sha256-Ij/aio38WmZ+NsUSbM195Gwb83goWIcCnJvGwAOJi50="; 48 + }) 49 + (fetchpatch { 50 + url = "https://gitlab.com/OPNA2608/biometryd/-/commit/e89bd9444bc1cfe84a9aa93faa23057c80f39564.patch"; 51 + hash = "sha256-1vEG349X9+SvY/f3no/l5cMVGpdzC8h/8XOZwL/70Dc="; 52 + }) 53 + 54 + # https://gitlab.com/ubports/development/core/biometryd/-/merge_requests/32 55 + (fetchpatch { 56 + url = "https://gitlab.com/OPNA2608/biometryd/-/commit/9e52fad0139c5a45f69e6a6256b2b5ff54f77740.patch"; 57 + hash = "sha256-DZSdzKq6EYgAllKSDgkGk2g57zHN+gI5fOoj7U5AcKY="; 58 + }) 59 + ]; 60 + 61 + postPatch = '' 62 + # Remove with !31 patches, fetchpatch can't apply renames 63 + pushd data 64 + for type in conf service; do 65 + mv biometryd.$type biometryd.$type.in 66 + substituteInPlace biometryd.$type.in \ 67 + --replace '/usr/bin' "\''${CMAKE_INSTALL_FULL_BINDIR}" 68 + done 69 + popd 70 + 71 + # Uses pkg_get_variable, cannot substitute prefix with that 72 + substituteInPlace CMakeLists.txt \ 73 + --replace 'pkg_get_variable(SYSTEMD_SYSTEM_UNIT_DIR systemd systemdsystemunitdir)' 'set(SYSTEMD_SYSTEM_UNIT_DIR "${placeholder "out"}/lib/systemd/system")' 74 + 75 + substituteInPlace src/biometry/qml/Biometryd/CMakeLists.txt \ 76 + --replace "\''${CMAKE_INSTALL_LIBDIR}/qt5/qml" "\''${CMAKE_INSTALL_PREFIX}/${qtbase.qtQmlPrefix}" 77 + '' + lib.optionalString (!finalAttrs.doCheck) '' 78 + sed -i -e '/add_subdirectory(tests)/d' CMakeLists.txt 79 + ''; 80 + 81 + strictDeps = true; 82 + 83 + nativeBuildInputs = [ 84 + cmake 85 + pkg-config 86 + qtdeclarative # qmlplugindump 87 + ]; 88 + 89 + buildInputs = [ 90 + boost 91 + cmake-extras 92 + dbus 93 + dbus-cpp 94 + libapparmor 95 + libelf 96 + process-cpp 97 + properties-cpp 98 + qtbase 99 + qtdeclarative 100 + sqlite 101 + ]; 102 + 103 + checkInputs = [ 104 + gtest 105 + ]; 106 + 107 + dontWrapQtApps = true; 108 + 109 + cmakeFlags = [ 110 + "-DENABLE_WERROR=OFF" 111 + "-DWITH_HYBRIS=OFF" 112 + ]; 113 + 114 + preBuild = '' 115 + # Generating plugins.qmltypes (also used in checkPhase?) 116 + export QT_PLUGIN_PATH=${lib.getBin qtbase}/${qtbase.qtPluginPrefix} 117 + ''; 118 + 119 + doCheck = stdenv.buildPlatform.canExecute stdenv.hostPlatform; 120 + 121 + meta = with lib; { 122 + description = "Mediates/multiplexes access to biometric devices"; 123 + longDescription = '' 124 + biometryd mediates and multiplexes access to biometric devices present 125 + on the system, enabling applications and system components to leverage 126 + them for identification and verification of users. 127 + ''; 128 + homepage = "https://gitlab.com/ubports/development/core/biometryd"; 129 + license = licenses.lgpl3Only; 130 + maintainers = teams.lomiri.members; 131 + mainProgram = "biometryd"; 132 + platforms = platforms.linux; 133 + pkgConfigModules = [ 134 + "biometryd" 135 + ]; 136 + }; 137 + })

+2 -2

pkgs/development/compilers/flix/default.nix

··· 2 2 3 3 stdenvNoCC.mkDerivation rec { 4 4 pname = "flix"; 5 - version = "0.41.0"; 5 + version = "0.42.0"; 6 6 7 7 src = fetchurl { 8 8 url = "https://github.com/flix/flix/releases/download/v${version}/flix.jar"; 9 - sha256 = "sha256-bDeqwk+grkCxmGE9H8Ks7Q8KvLxNCzaLe44DlR6E7YE="; 9 + sha256 = "sha256-fkYyJxBlJWUkXGgcszerNKFNEFRIOm6tUyiTZj0q11k="; 10 10 }; 11 11 12 12 dontUnpack = true;

+2 -2

pkgs/development/libraries/ctranslate2/default.nix

··· 24 24 in 25 25 stdenv.mkDerivation rec { 26 26 pname = "ctranslate2"; 27 - version = "3.22.0"; 27 + version = "3.23.0"; 28 28 29 29 src = fetchFromGitHub { 30 30 owner = "OpenNMT"; 31 31 repo = "CTranslate2"; 32 32 rev = "v${version}"; 33 - hash = "sha256-Fw0pMTc0Zmr4RfH2rdPgpOODZW9CL5UbDbIeH6A4zZQ="; 33 + hash = "sha256-jqeLNKOGdGtAVx7ExGGDxxgi5zDmQgmJ6bxIuguaM3k="; 34 34 fetchSubmodules = true; 35 35 }; 36 36

+2 -2

pkgs/development/libraries/libadwaita/default.nix

··· 21 21 22 22 stdenv.mkDerivation rec { 23 23 pname = "libadwaita"; 24 - version = "1.4.0"; 24 + version = "1.4.1"; 25 25 26 26 outputs = [ "out" "dev" "devdoc" ]; 27 27 outputBin = "devdoc"; # demo app ··· 31 31 owner = "GNOME"; 32 32 repo = "libadwaita"; 33 33 rev = version; 34 - hash = "sha256-LXrlTca50ALo+Nm55fwXNb4k3haLqHNnzLPc08VhA5s="; 34 + hash = "sha256-ztbvVRkNbkeAomRIxToUEQrYB5XnG1WPcfSB/iXHKoA="; 35 35 }; 36 36 37 37 depsBuildBuild = [

+59

pkgs/development/libraries/qzxing/default.nix

··· 1 + { stdenv 2 + , lib 3 + , fetchFromGitHub 4 + , nix-update-script 5 + , testers 6 + , qmake 7 + , qtmultimedia 8 + }: 9 + 10 + stdenv.mkDerivation (finalAttrs: { 11 + pname = "qzxing"; 12 + version = "3.3.0"; 13 + 14 + src = fetchFromGitHub { 15 + owner = "ftylitak"; 16 + repo = "qzxing"; 17 + rev = "v${finalAttrs.version}"; 18 + hash = "sha256-ASgsF5ocNWAiIy2jm6ygpDkggBcEpno6iVNWYkuWcVI="; 19 + }; 20 + 21 + # QMake can't find qtmultimedia in buildInputs 22 + strictDeps = false; 23 + 24 + nativeBuildInputs = [ 25 + qmake 26 + ]; 27 + 28 + buildInputs = [ 29 + qtmultimedia 30 + ]; 31 + 32 + dontWrapQtApps = true; 33 + 34 + preConfigure = '' 35 + cd src 36 + ''; 37 + 38 + qmakeFlags = [ 39 + "CONFIG+=qzxing_qml" 40 + "CONFIG+=qzxing_multimedia" 41 + "QMAKE_PKGCONFIG_PREFIX=${placeholder "out"}" 42 + ]; 43 + 44 + passthru = { 45 + tests.pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage; 46 + updateScript = nix-update-script { }; 47 + }; 48 + 49 + meta = with lib; { 50 + description = "Qt/QML wrapper library for the ZXing library"; 51 + homepage = "https://github.com/ftylitak/qzxing"; 52 + license = licenses.asl20; 53 + maintainers = with maintainers; [ OPNA2608 ]; 54 + platforms = platforms.unix; 55 + pkgConfigModules = [ 56 + "QZXing" 57 + ]; 58 + }; 59 + })

+22 -7

pkgs/development/python-modules/amazon-ion/default.nix

··· 1 1 { lib 2 2 , buildPythonPackage 3 + , docopt 3 4 , fetchFromGitHub 4 5 , jsonconversion 5 - , six 6 6 , pytestCheckHook 7 7 , pythonOlder 8 + , setuptools 9 + , six 10 + , tabulate 8 11 }: 9 12 10 13 buildPythonPackage rec { 11 14 pname = "amazon-ion"; 12 - version = "0.10.0"; 13 - format = "setuptools"; 15 + version = "0.11.2"; 16 + pyproject = true; 14 17 15 18 disabled = pythonOlder "3.7"; 16 19 17 - # test vectors require git submodule 18 20 src = fetchFromGitHub { 19 - owner = "amzn"; 21 + owner = "amazon-ion"; 20 22 repo = "ion-python"; 21 23 rev = "refs/tags/v${version}"; 24 + # Test vectors require git submodule 22 25 fetchSubmodules = true; 23 - hash = "sha256-pCm3jd/dVqO/uIvT5N/w5yoUWU6ni62Pl2A862e+qSk="; 26 + hash = "sha256-0/+bX02qTbOydWDxex4OWL7woP7dW1yJZBmDZAivE7U="; 24 27 }; 25 28 26 29 postPatch = '' ··· 28 31 --replace "'pytest-runner'," "" 29 32 ''; 30 33 34 + nativeBuildInputs = [ 35 + setuptools 36 + ]; 37 + 31 38 propagatedBuildInputs = [ 32 39 jsonconversion 33 40 six 34 41 ]; 35 42 36 43 nativeCheckInputs = [ 44 + docopt 37 45 pytestCheckHook 46 + tabulate 38 47 ]; 39 48 40 49 disabledTests = [ ··· 42 51 "test_roundtrips" 43 52 ]; 44 53 54 + disabledTestPaths = [ 55 + # Exclude benchmarks 56 + "tests/test_benchmark_cli.py" 57 + ]; 58 + 45 59 pythonImportsCheck = [ 46 60 "amazon.ion" 47 61 ]; 48 62 49 63 meta = with lib; { 50 64 description = "Python implementation of Amazon Ion"; 51 - homepage = "https://github.com/amzn/ion-python"; 65 + homepage = "https://github.com/amazon-ion/ion-python"; 66 + changelog = "https://github.com/amazon-ion/ion-python/releases/tag/v${version}"; 52 67 sourceProvenance = with sourceTypes; [ 53 68 fromSource 54 69 binaryNativeCode

+42

pkgs/development/python-modules/vprof/default.nix

··· 1 + { lib 2 + , buildPythonPackage 3 + , fetchPypi 4 + , setuptools 5 + , wheel 6 + , psutil 7 + }: 8 + 9 + buildPythonPackage rec { 10 + pname = "vprof"; 11 + version = "0.38"; 12 + pyproject = true; 13 + 14 + # We use the Pypi source rather than the GitHub ones because the former include the javascript 15 + # dependency for the UI. 16 + src = fetchPypi { 17 + inherit pname version; 18 + hash = "sha256-fxAAkS7rekUMfJTTzJZzmvRa0P8B1avMCwmhddQP+ts="; 19 + }; 20 + 21 + nativeBuildInputs = [ 22 + setuptools 23 + wheel 24 + ]; 25 + 26 + propagatedBuildInputs = [ 27 + psutil 28 + ]; 29 + 30 + pythonImportsCheck = [ "vprof" ]; 31 + 32 + # The tests are not included in the Pypi sources 33 + doCheck = false; 34 + 35 + meta = with lib; { 36 + description = "Visual profiler for Python"; 37 + homepage = "https://github.com/nvdv/vprof"; 38 + license = licenses.bsd2; 39 + maintainers = with maintainers; [ GaetanLepage ]; 40 + mainProgram = "vprof"; 41 + }; 42 + }

+3 -3

pkgs/development/tools/misc/hydra/unstable.nix

··· 123 123 in 124 124 stdenv.mkDerivation rec { 125 125 pname = "hydra"; 126 - version = "2023-11-17"; 126 + version = "2023-12-01"; 127 127 128 128 src = fetchFromGitHub { 129 129 owner = "NixOS"; 130 130 repo = "hydra"; 131 - rev = "8f48e4ddecbf403be35f8243b97d73cb39dd61bb"; 132 - hash = "sha256-5q/7yz6jJedD8YU3SuYyXtN3qEAlOBRKGZxOcYt/0X8="; 131 + rev = "4d1c8505120961f10897b8fe9a070d4e193c9a13"; 132 + hash = "sha256-vXTuE83GL15mgZHegbllVAsVdDFcWWSayPfZxTJN5ys="; 133 133 }; 134 134 135 135 buildInputs = [

+2 -2

pkgs/development/tools/misc/phpunit/default.nix pkgs/by-name/ph/phpunit/package.nix

··· 2 2 3 3 php.buildComposerProject (finalAttrs: { 4 4 pname = "phpunit"; 5 - version = "10.5.0"; 5 + version = "10.5.1"; 6 6 7 7 src = fetchFromGitHub { 8 8 owner = "sebastianbergmann"; 9 9 repo = "phpunit"; 10 10 rev = finalAttrs.version; 11 - hash = "sha256-CpgYMUJE7c2eRBYkK/vMRdGgzY7Y7K/wMmyUH+Bssjs="; 11 + hash = "sha256-uYSVzKLefcBMqfrHaF6pg4gohAeb6LVg8QGaTS8jwfE="; 12 12 }; 13 13 14 14 vendorHash = "sha256-uUdgz3ZZ+3nU07pUC1sdkNgU1b1beo3sS/yySUzdZwU=";

+15 -3

pkgs/development/tools/rust/ravedude/default.nix

··· 3 3 , fetchCrate 4 4 , pkg-config 5 5 , udev 6 + , nix-update-script 7 + , testers 8 + , ravedude 6 9 }: 7 10 8 11 rustPlatform.buildRustPackage rec { 9 12 pname = "ravedude"; 10 - version = "0.1.5"; 13 + version = "0.1.6"; 11 14 12 15 src = fetchCrate { 13 16 inherit pname version; 14 - hash = "sha256-wcY9fvfIn1pWMAh5FI/QFl18CV2xjmRGSwwoRfGvujo="; 17 + hash = "sha256-LhPRz3DUMDoe50Hq3yO+2BHpyh5fQ4sMNGLttjkdSZw="; 15 18 }; 16 19 17 - cargoHash = "sha256-AOIrB0FRagbA2+JEURF41d+th0AbR++U5WKCcZmh4Os="; 20 + cargoHash = "sha256-Uo8wlTAHBkn/WeGPhPP+BU80wjSyNHsWQj8QvA7mHrk="; 18 21 19 22 nativeBuildInputs = [ pkg-config ]; 20 23 21 24 buildInputs = [ udev ]; 22 25 26 + passthru = { 27 + updateScript = nix-update-script { }; 28 + tests.version = testers.testVersion { 29 + package = ravedude; 30 + version = "v${version}"; 31 + }; 32 + }; 33 + 23 34 meta = with lib; { 24 35 description = "Tool to easily flash code onto an AVR microcontroller with avrdude"; 25 36 homepage = "https://crates.io/crates/ravedude"; 26 37 license = with licenses; [ mit /* or */ asl20 ]; 27 38 platforms = platforms.linux; 28 39 maintainers = with maintainers; [ rvarago ]; 40 + mainProgram = "ravedude"; 29 41 }; 30 42 }

+3 -3

pkgs/tools/admin/berglas/default.nix

··· 27 27 28 28 buildGoModule rec { 29 29 pname = "berglas"; 30 - version = "1.0.3"; 30 + version = "2.0.1"; 31 31 32 32 src = fetchFromGitHub { 33 33 owner = "GoogleCloudPlatform"; 34 34 repo = pname; 35 35 rev = "v${version}"; 36 - sha256 = "sha256-4hbRX0kKMWixcu5SWjrM5lVvhLMOaeBdG4GH5NVAh70="; 36 + sha256 = "sha256-Jf6yPVydM7UnG1yiLEFe+7FMkWANIQebZ3QAwg6/OQs="; 37 37 }; 38 38 39 - vendorHash = "sha256-qcFS07gma7GVxhdrYca0E6rcczNcZmU8JcjjcpEaxp0="; 39 + vendorHash = "sha256-3WDBl/GqCgRFMmh6TQvtHhACCRzf9sdIO8fel8CAMP0="; 40 40 41 41 ldflags = [ 42 42 "-s"

+15

pkgs/tools/security/clevis/default.nix

··· 16 16 , ninja 17 17 , pkg-config 18 18 , tpm2-tools 19 + , nixosTests 19 20 }: 20 21 21 22 stdenv.mkDerivation rec { ··· 28 29 rev = "refs/tags/v${version}"; 29 30 hash = "sha256-3J3ti/jRiv+p3eVvJD7u0ko28rPd8Gte0mCJaVaqyOs="; 30 31 }; 32 + 33 + patches = [ 34 + # Replaces the clevis-decrypt 300s timeout to a 10s timeout 35 + # https://github.com/latchset/clevis/issues/289 36 + ./tang-timeout.patch 37 + ]; 31 38 32 39 postPatch = '' 33 40 for f in $(find src/ -type f); do ··· 64 71 "out" 65 72 "man" 66 73 ]; 74 + 75 + passthru.tests = { 76 + inherit (nixosTests.installer) clevisBcachefs clevisBcachefsFallback clevisLuks clevisLuksFallback clevisZfs clevisZfsFallback; 77 + clevisLuksSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuks; 78 + clevisLuksFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuksFallback; 79 + clevisZfsSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfs; 80 + clevisZfsFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfsFallback; 81 + }; 67 82 68 83 meta = with lib; { 69 84 description = "Automated Encryption Framework";

+13

pkgs/tools/security/clevis/tang-timeout.patch

··· 1 + diff --git a/src/pins/tang/clevis-decrypt-tang b/src/pins/tang/clevis-decrypt-tang 2 + index 72393b4..40b660f 100755 3 + --- a/src/pins/tang/clevis-decrypt-tang 4 + +++ b/src/pins/tang/clevis-decrypt-tang 5 + @@ -101,7 +101,7 @@ xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")" 6 + 7 + rec_url="$url/rec/$kid" 8 + ct="Content-Type: application/jwk+json" 9 + -if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then 10 + +if ! rep="$(curl --connect-timeout 10 -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then 11 + echo "Error communicating with server $url" >&2 12 + exit 1 13 + fi

+4 -2

pkgs/tools/security/qdigidoc/default.nix

··· 2 2 , mkDerivation 3 3 , fetchurl 4 4 , cmake 5 + , flatbuffers 5 6 , gettext 6 7 , pkg-config 7 8 , libdigidocpp ··· 16 17 17 18 mkDerivation rec { 18 19 pname = "qdigidoc"; 19 - version = "4.2.12"; 20 + version = "4.4.0"; 20 21 21 22 src = fetchurl { 22 23 url = 23 24 "https://github.com/open-eid/DigiDoc4-Client/releases/download/v${version}/qdigidoc4-${version}.tar.gz"; 24 - hash = "sha256-6bso1qvhVhbBfrcTq4S+aHtHli7X2A926N4r45ztq4E="; 25 + hash = "sha256-5zo0yoY0wufm9DWRIccxJ5g4DXn75nT4fd2h+5QP4oQ="; 25 26 }; 26 27 27 28 tsl = fetchurl { ··· 37 38 ''; 38 39 39 40 buildInputs = [ 41 + flatbuffers 40 42 libdigidocpp 41 43 opensc 42 44 openldap

+5 -2

pkgs/tools/wayland/sov/default.nix pkgs/by-name/so/sov/package.nix

··· 11 11 , libxkbcommon 12 12 , wayland 13 13 , wayland-protocols 14 + , gitUpdater 14 15 }: 15 16 16 17 stdenv.mkDerivation (finalAttrs: { 17 18 pname = "sov"; 18 - version = "0.92b"; 19 + version = "0.93"; 19 20 20 21 src = fetchFromGitHub { 21 22 owner = "milgra"; 22 23 repo = "sov"; 23 24 rev = finalAttrs.version; 24 - hash = "sha256-1L5D0pzcXbkz3VS7VB6ID8BJEbGeNxjo3xCr71CGcIo="; 25 + hash = "sha256-Oc25ixrl0QX0jBBMV34BPAixyBikvevXJ1JNGZymPhg="; 25 26 }; 26 27 27 28 patches = [ ··· 53 54 wayland 54 55 wayland-protocols 55 56 ]; 57 + 58 + passthru.updateScript = gitUpdater { }; 56 59 57 60 meta = { 58 61 description = "Workspace overview app for sway";

+6 -8

pkgs/top-level/all-packages.nix

··· 2114 2114 2115 2115 vopono = callPackage ../tools/networking/vopono { }; 2116 2116 2117 + vprof = with python3Packages; toPythonApplication vprof; 2118 + 2117 2119 vrc-get = callPackage ../tools/misc/vrc-get { 2118 2120 inherit (darwin.apple_sdk.frameworks) Security; 2119 2121 }; ··· 4777 4779 shotman = callPackage ../tools/wayland/shotman { }; 4778 4780 4779 4781 slurp = callPackage ../tools/wayland/slurp { }; 4780 - 4781 - sov = callPackage ../tools/wayland/sov { }; 4782 4782 4783 4783 swaykbdd = callPackage ../tools/wayland/swaykbdd { }; 4784 4784 ··· 18291 18291 18292 18292 karma-runner = callPackage ../development/tools/karma-runner { }; 18293 18293 18294 - phpunit = callPackage ../development/tools/misc/phpunit { }; 18295 - 18296 18294 teller = callPackage ../development/tools/teller { }; 18297 18295 18298 18296 yakut = python3Packages.callPackage ../development/tools/misc/yakut { }; ··· 19160 19158 19161 19159 fprettify = callPackage ../development/tools/fprettify { }; 19162 19160 19163 - framac = callPackage ../development/tools/analysis/frama-c { }; 19161 + framac = callPackage ../development/tools/analysis/frama-c { 19162 + why3 = pkgs.why3.override { version = "1.6.0"; }; 19163 + }; 19164 19164 19165 19165 frame = callPackage ../development/libraries/frame { }; 19166 19166 ··· 22062 22062 22063 22063 hwloc = callPackage ../development/libraries/hwloc { }; 22064 22064 22065 - hydra_unstable = callPackage ../development/tools/misc/hydra/unstable.nix { nix = nixVersions.nix_2_17; }; 22065 + hydra_unstable = callPackage ../development/tools/misc/hydra/unstable.nix { nix = nixVersions.nix_2_18; }; 22066 22066 22067 22067 hydra-cli = callPackage ../development/tools/misc/hydra-cli { }; 22068 22068 ··· 34378 34378 nheko = libsForQt5.callPackage ../applications/networking/instant-messengers/nheko { }; 34379 34379 34380 34380 nomacs = libsForQt5.callPackage ../applications/graphics/nomacs { }; 34381 - 34382 - normcap = callPackage ../applications/graphics/normcap { }; 34383 34381 34384 34382 notepad-next = libsForQt5.callPackage ../applications/editors/notepad-next { }; 34385 34383

+2

pkgs/top-level/python-packages.nix

··· 15585 15585 15586 15586 vpk = callPackage ../development/python-modules/vpk { }; 15587 15587 15588 + vprof = callPackage ../development/python-modules/vprof { }; 15589 + 15588 15590 vqgan-jax = callPackage ../development/python-modules/vqgan-jax { }; 15589 15591 15590 15592 vsts = callPackage ../development/python-modules/vsts { };

+2

pkgs/top-level/qt5-packages.nix

··· 246 246 247 247 qxlsx = callPackage ../development/libraries/qxlsx { }; 248 248 249 + qzxing = callPackage ../development/libraries/qzxing { }; 250 + 249 251 soqt = callPackage ../development/libraries/soqt { }; 250 252 251 253 telepathy = callPackage ../development/libraries/telepathy/qt { };

+2

pkgs/top-level/qt6-packages.nix

··· 50 50 51 51 qxlsx = callPackage ../development/libraries/qxlsx { }; 52 52 53 + qzxing = callPackage ../development/libraries/qzxing { }; 54 + 53 55 poppler = callPackage ../development/libraries/poppler { 54 56 lcms = pkgs.lcms2; 55 57 qt6Support = true;