Merge remote-tracking branch 'origin/master' into staging-next

K900 2025-04-04 21:11:09 +03:00
commit 79542ad7f3
55 changed files with 894 additions and 363 deletions


@ -75,6 +75,9 @@ jobs:
with:
extra_nix_config: sandbox = true
- name: Ensure flake outputs on all systems still evaluate
run: nix --experimental-features 'nix-command flakes' flake check --all-systems --no-build ./nixpkgs
- name: Query nixpkgs with aliases enabled to check for basic syntax errors
run: |
time nix-env -I ./nixpkgs -f ./nixpkgs -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null
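Review bot: The `nix … flake check --all-systems --no-build ./nixpkgs` step does not pass `--option allow-import-from-derivation false`, which the `nix-env -qa` step below it does. `--no-build` only skips building the check derivations, so import-from-derivation during evaluation could still realise derivations on the runner; if this job evaluates pull-request code, that is more than the step's name promises. Appending `--option allow-import-from-derivation false` to the `run:` line would align the two steps. Which of the two steps is new is inferred from the hunk header, because the +/- markers are lost on this page.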


@ -98,15 +98,26 @@
checks = forAllSystems (
system:
{
tarball = jobs.${system}.tarball;
}
{ }
//
lib.optionalAttrs
(
# Exclude x86_64-freebsd because "Failed to evaluate rustc-wrapper-1.85.0: «broken»: is marked as broken"
system != "x86_64-freebsd"
)
{
tarball = jobs.${system}.tarball;
}
//
lib.optionalAttrs
(
self.legacyPackages.${system}.stdenv.hostPlatform.isLinux
# Exclude power64 due to "libressl is not available on the requested hostPlatform" with hostPlatform being power64
&& !self.legacyPackages.${system}.targetPlatform.isPower64
# Exclude armv6l-linux because "cannot bootstrap GHC on this platform ('armv6l-linux' with libc 'defaultLibc')"
&& system != "armv6l-linux"
# Exclude riscv64-linux because "cannot bootstrap GHC on this platform ('riscv64-linux' with libc 'defaultLibc')"
&& system != "riscv64-linux"
)
{
# Test that ensures that the nixosSystem function can accept a lib argument
@ -156,8 +167,8 @@
system != "armv6l-linux"
# Exclude riscv64-linux because "Package ghc-9.6.6 in .../pkgs/development/compilers/ghc/common-hadrian.nix:579 is not available on the requested hostPlatform"
&& system != "riscv64-linux"
# Exclude FreeBSD because "Package ghc-9.6.6 in .../pkgs/development/compilers/ghc/common-hadrian.nix:579 is not available on the requested hostPlatform"
&& !self.legacyPackages.${system}.stdenv.hostPlatform.isFreeBSD
# Exclude x86_64-freebsd because "Package ghc-9.6.6 in .../pkgs/development/compilers/ghc/common-hadrian.nix:579 is not available on the requested hostPlatform"
&& system != "x86_64-freebsd"
)
{
/**
@ -167,7 +178,15 @@
}
);
formatter = forAllSystems (system: (import ./ci { inherit system; }).fmt.pkg);
formatter = lib.filterAttrs (
system: _:
# Exclude armv6l-linux because "cannot bootstrap GHC on this platform ('armv6l-linux' with libc 'defaultLibc')"
system != "armv6l-linux"
# Exclude riscv64-linux because "cannot bootstrap GHC on this platform ('riscv64-linux' with libc 'defaultLibc')"
&& system != "riscv64-linux"
# Exclude x86_64-freebsd because "Package go-1.22.12-freebsd-amd64-bootstrap in /nix/store/0yw40qnrar3lvc5hax5n49abl57apjbn-source/pkgs/development/compilers/go/binary.nix:50 is not available on the requested hostPlatform"
&& system != "x86_64-freebsd"
) (forAllSystems (system: (import ./ci { inherit system; }).fmt.pkg));
/**
A nested structure of [packages](https://nix.dev/manual/nix/latest/glossary#package-attribute-set) and other values.
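Review bot: The comment above the new `system != "x86_64-freebsd"` guard in `formatter = lib.filterAttrs (…)` quotes a full `/nix/store/0yw40qnrar3lvc5hax5n49abl57apjbn-source/…` path, which is tied to one evaluation and will not match what a later reader sees. The ghc comments in the same file use the repository-relative form, so `…/pkgs/development/compilers/go/binary.nix:50` would be consistent. None of the exclusions added here names a tracking issue, so nothing signals when a system can be put back into `checks` or `formatter`; a `# TODO(<issue>)` marker on each would help. The `checks` and `formatter` attribute sets both continue outside the hunks shown.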


@ -166,6 +166,8 @@
- [mqtt-exporter](https://github.com/kpetremann/mqtt-exporter/), a Prometheus exporter for exposing messages from MQTT. Available as [services.prometheus.exporters.mqtt](#opt-services.prometheus.exporters.mqtt.enable).
- [pocket-id](https://pocket-id.org/), an OIDC provider with passkeys support. Available as [services.pocket-id](#opt-services.pocket-id.enable).
- [nvidia-gpu](https://github.com/utkuozdemir/nvidia_gpu_exporter), a Prometheus exporter that scrapes `nvidia-smi` for GPU metrics. Available as [services.prometheus.exporters.nvidia-gpu](#opt-services.prometheus.exporters.nvidia-gpu.enable).
- [OpenGamepadUI](https://github.com/ShadowBlip/OpenGamepadUI/), an open source gamepad-native game launcher and overlay for Linux. Available as [programs.opengamepadui](#opt-programs.opengamepadui.enable).


@ -1419,6 +1419,7 @@
./services/security/paretosecurity.nix
./services/security/pass-secret-service.nix
./services/security/physlock.nix
./services/security/pocket-id.nix
./services/security/shibboleth-sp.nix
./services/security/sks.nix
./services/security/sshguard.nix


@ -421,8 +421,7 @@ in
};
environment = env;
preStart =
''
preStart = ''
# remove old papaerless-manage symlink
# TODO: drop with NixOS 25.11
[[ -L '${cfg.dataDir}/paperless-manage' ]] && rm '${cfg.dataDir}/paperless-manage'
@ -448,13 +447,15 @@ in
${cfg.package}/bin/paperless-ngx document_index reindex
fi
echo ${cfg.package.version} > "$versionFile"
fi
''
+ lib.optionalString (cfg.passwordFile != null) ''
echo ${cfg.package.version} > "$versionFile"
fi
if ${lib.boolToString (cfg.passwordFile != null)} || [[ -n $PAPERLESS_ADMIN_PASSWORD ]]; then
export PAPERLESS_ADMIN_USER="''${PAPERLESS_ADMIN_USER:-admin}"
PAPERLESS_ADMIN_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/PAPERLESS_ADMIN_PASSWORD")
export PAPERLESS_ADMIN_PASSWORD
if [[ -e $CREDENTIALS_DIRECTORY/PAPERLESS_ADMIN_PASSWORD ]]; then
PAPERLESS_ADMIN_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/PAPERLESS_ADMIN_PASSWORD")
export PAPERLESS_ADMIN_PASSWORD
fi
superuserState="$PAPERLESS_ADMIN_USER:$PAPERLESS_ADMIN_PASSWORD"
superuserStateFile="${cfg.dataDir}/superuser-state"
@ -462,7 +463,8 @@ in
${cfg.package}/bin/paperless-ngx manage_superuser
echo "$superuserState" > "$superuserStateFile"
fi
'';
fi
'';
requires = lib.optional cfg.database.createLocally "postgresql.service";
after =
lib.optional enableRedis "redis-paperless.service"
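Review bot: `superuserState="$PAPERLESS_ADMIN_USER:$PAPERLESS_ADMIN_PASSWORD"` is written as-is to `${cfg.dataDir}/superuser-state`, so the admin password that `$CREDENTIALS_DIRECTORY` keeps out of the Nix store ends up in plaintext in the data directory. With the widened condition this now also happens for a password supplied only through the environment. The state file appears to be used only for change detection (the comparison falls between the hunks), so a digest would serve: `superuserState=$(printf '%s:%s' "$PAPERLESS_ADMIN_USER" "$PAPERLESS_ADMIN_PASSWORD" | sha256sum)`. Separately, when `cfg.passwordFile` is set but the credential file is missing, the new `[[ -e … ]]` guard lets the block continue to `manage_superuser` with an empty password instead of failing at `cat`. An explicit `else` branch that exits non-zero would keep a misconfigured credential visible. The `preStart` script begins and continues outside the visible hunks.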


@ -24,6 +24,17 @@
# dependencies here. This creates the necessary symlinks in the proper locations.
systemd.sockets.paretosecurity.wantedBy = [ "sockets.target" ];
# In NixOS, systemd services are configured with minimal PATH. However,
# paretosecurity helper looks for installed software to do its job, so
# it needs the full system PATH. For example, it runs `iptables` to see if
# firewall is configured. And it looks for various password managers to see
# if one is installed.
# The `paretosecurity-user` timer service that is configured lower has
# the same need.
systemd.services.paretosecurity.serviceConfig.Environment = [
"PATH=${config.system.path}/bin:${config.system.path}/sbin"
];
# Enable the tray icon and timer services if the trayIcon option is enabled
systemd.user = lib.mkIf config.services.paretosecurity.trayIcon {
services.paretosecurity-trayicon = {
@ -31,6 +42,9 @@
};
services.paretosecurity-user = {
wantedBy = [ "graphical-session.target" ];
serviceConfig.Environment = [
"PATH=${config.system.path}/bin:${config.system.path}/sbin"
];
};
timers.paretosecurity-user = {
wantedBy = [ "timers.target" ];
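Review bot: The `PATH=${config.system.path}/bin:${config.system.path}/sbin` given to `services.paretosecurity-user` covers only the system profile, so a password manager installed per user (for example through `users.users.<name>.packages` or a user profile) would presumably not be found. The check could then report a result that does not reflect the machine. Either document that limitation in the comment block or add the per-user profile directories to the user unit's PATH. For the system helper, handing over the whole system profile is broader than the tools the comment names (`iptables`, password managers); the unit's `path = [ … ]` option with the specific packages would be the narrower form if the helper's needs can be enumerated. The same PATH string is written twice and could be a single `let` binding.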


@ -0,0 +1,278 @@
{
lib,
pkgs,
config,
...
}:
let
inherit (lib)
mkEnableOption
mkIf
mkOption
optionalAttrs
optional
mkPackageOption
;
inherit (lib.types)
bool
path
str
submodule
;
cfg = config.services.pocket-id;
format = pkgs.formats.keyValue { };
settingsFile = format.generate "pocket-id-env-vars" cfg.settings;
in
{
meta.maintainers = with lib.maintainers; [
gepbird
ymstnt
];
options.services.pocket-id = {
enable = mkEnableOption "Pocket ID server";
package = mkPackageOption pkgs "pocket-id" { };
environmentFile = mkOption {
type = path;
description = ''
Path to an environment file loaded for the Pocket ID service.
This can be used to securely store tokens and secrets outside of the world-readable Nix store.
Example contents of the file:
MAXMIND_LICENSE_KEY=your-license-key
'';
default = "/dev/null";
example = "/var/lib/secrets/pocket-id";
};
settings = mkOption {
type = submodule {
freeformType = format.type;
options = {
PUBLIC_APP_URL = mkOption {
type = str;
description = ''
The URL where you will access the app.
'';
default = "http://localhost";
};
TRUST_PROXY = mkOption {
type = bool;
description = ''
Whether the app is behind a reverse proxy.
'';
default = false;
};
};
};
default = { };
description = ''
Environment variables that will be passed to Pocket ID, see
[configuration options](https://pocket-id.org/docs/configuration/environment-variables)
for supported values.
'';
};
dataDir = mkOption {
type = path;
default = "/var/lib/pocket-id";
description = ''
The directory where Pocket ID will store its data, such as the database.
'';
};
user = mkOption {
type = str;
default = "pocket-id";
description = "User account under which Pocket ID runs.";
};
group = mkOption {
type = str;
default = "pocket-id";
description = "Group account under which Pocket ID runs.";
};
};
config = mkIf cfg.enable {
warnings = (
optional (cfg.settings ? MAXMIND_LICENSE_KEY)
"config.services.pocket-id.settings.MAXMIND_LICENSE_KEY will be stored as plaintext in the Nix store. Use config.services.pocket-id.environmentFile instead."
);
systemd.tmpfiles.rules = [
"d ${cfg.dataDir} 0755 ${cfg.user} ${cfg.group}"
];
systemd.services = {
pocket-id-backend = {
description = "Pocket ID backend";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [
cfg.package
cfg.environmentFile
settingsFile
];
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
WorkingDirectory = cfg.dataDir;
ExecStart = "${cfg.package}/bin/pocket-id-backend";
Restart = "always";
EnvironmentFile = [
cfg.environmentFile
settingsFile
];
# Hardening
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DeviceAllow = "";
DevicePolicy = "closed";
#IPAddressDeny = "any"; # communicates with the frontend
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateNetwork = false; # communicates with the frontend
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full"; # needs to write in cfg.dataDir
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = lib.concatStringsSep " " [
"~"
"@clock"
"@cpu-emulation"
"@debug"
"@module"
"@mount"
"@obsolete"
"@privileged"
"@raw-io"
"@reboot"
#"@resources" # vm test segfaults
"@swap"
];
UMask = "0077";
};
};
pocket-id-frontend = {
description = "Pocket ID frontend";
after = [
"network.target"
"pocket-id-backend.service"
];
wantedBy = [ "multi-user.target" ];
restartTriggers = [
cfg.package
cfg.environmentFile
settingsFile
];
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
ExecStart = "${cfg.package}/bin/pocket-id-frontend";
Restart = "always";
EnvironmentFile = [
cfg.environmentFile
settingsFile
];
# Hardening
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DeviceAllow = "";
DevicePolicy = "closed";
#IPAddressDeny = "any"; # communicates with the backend and client
LockPersonality = true;
MemoryDenyWriteExecute = false; # V8_Fatal segfault
NoNewPrivileges = true;
PrivateDevices = true;
PrivateNetwork = false; # communicates with the backend and client
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = lib.concatStringsSep " " [
"~"
"@clock"
"@cpu-emulation"
"@debug"
"@module"
"@mount"
"@obsolete"
"@privileged"
"@raw-io"
"@reboot"
"@resources"
"@swap"
];
UMask = "0077";
};
};
};
users.users = optionalAttrs (cfg.user == "pocket-id") {
pocket-id = {
isSystemUser = true;
group = cfg.group;
description = "Pocket ID backend user";
home = cfg.dataDir;
};
};
users.groups = optionalAttrs (cfg.group == "pocket-id") {
pocket-id = { };
};
};
}
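Review bot: The tmpfiles rule `"d ${cfg.dataDir} 0755 ${cfg.user} ${cfg.group}"` creates the directory holding the identity provider's database world-traversable, although both units set `UMask = "0077"`; `0750` or `0700` would match the rest of the hardening. The backend uses `ProtectSystem = "full"` only because it must write to `cfg.dataDir`, and `ProtectSystem = "strict";` together with `ReadWritePaths = [ cfg.dataDir ];` would keep that write access while making the rest of the file system read-only, as the frontend already has. Both units load `cfg.environmentFile`, so secrets meant for the backend (the description's `MAXMIND_LICENSE_KEY` example) also reach the frontend process; if the frontend does not need them, its `EnvironmentFile` could list only `settingsFile`. The `warnings` entry covers only `MAXMIND_LICENSE_KEY`, while `settings` is freeform, so any other secret placed there reaches the Nix store without a warning. A sentence in the `settings` description saying so would help.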


@ -65,6 +65,7 @@ let
vaultwarden = cfg.package.override { inherit (cfg) dbBackend; };
useSendmail = configEnv.USE_SENDMAIL or null == "true";
in
{
imports = [
@ -236,10 +237,10 @@ in
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
NoNewPrivileges = !useSendmail;
PrivateDevices = !useSendmail;
PrivateTmp = true;
PrivateUsers = true;
PrivateUsers = !useSendmail;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
@ -262,10 +263,13 @@ in
inherit StateDirectory;
StateDirectoryMode = "0700";
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
SystemCallFilter =
[
"@system-service"
]
++ lib.optionals (!useSendmail) [
"~@privileged"
];
Restart = "always";
UMask = "0077";
};
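Review bot: When `useSendmail` is true the unit silently loses `NoNewPrivileges`, `PrivateDevices`, `PrivateUsers` and the `~@privileged` syscall filter, and nothing next to those lines says why each one has to go. A comment at the `useSendmail` binding would do, for example `# sendmail is typically a setuid/setgid wrapper, which these sandbox options would prevent from gaining its privileges`, assuming that is the reason. The detection `configEnv.USE_SENDMAIL or null == "true"` only sees the value when it is set through the module's config and rendered as the exact string `"true"`. A `USE_SENDMAIL` supplied through an environment file would leave the hardening on and sendmail presumably failing, which is worth stating in the option documentation. Both hunks sit inside a `serviceConfig` block that starts and ends outside the visible lines.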


@ -17,7 +17,7 @@ let
in
{
options.services.archtika = {
enable = mkEnableOption "Whether to enable the archtika service";
enable = mkEnableOption "the archtika CMS";
package = mkPackageOption pkgs "archtika" { };


@ -114,7 +114,7 @@ in
proxy_pass http://onlyoffice-docservice/$2$3;
'';
# /etc/nginx/includes/ds-docservice.conf
#disable caching for api.js
# disable caching for api.js
"~ ^(\\/[\\d]+\\.[\\d]+\\.[\\d]+[\\.|-][\\w]+)?\\/(web-apps\\/apps\\/api\\/documents\\/api\\.js)$".extraConfig =
''
expires -1;
@ -124,26 +124,23 @@ in
"~ ^(\\/[\\d]+\\.[\\d]+\\.[\\d]+[\\.|-][\\w]+)?\\/(document_editor_service_worker\\.js)$".extraConfig =
''
expires 365d;
# gzip_static on;
alias ${cfg.package}/var/www/onlyoffice/documentserver/sdkjs/common/serviceworker/$2;
alias ${cfg.package}/var/www/onlyoffice/documentserver/sdkjs/common/serviceworker/$2;
'';
#suppress logging the unsupported locale error in web-apps
# suppress logging the unsupported locale error in web-apps
"~ ^(\\/[\\d]+\\.[\\d]+\\.[\\d]+[\\.|-][\\w]+)?\\/(web-apps)(\\/.*\\.json)$".extraConfig = ''
expires 365d;
error_log /dev/null crit;
alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3;
'';
#suppress logging the unsupported locale error in plugins
# suppress logging the unsupported locale error in plugins
"~ ^(\\/[\\d]+\\.[\\d]+\\.[\\d]+[\\.|-][\\w]+)?\\/(sdkjs-plugins)(\\/.*\\.json)$".extraConfig = ''
expires 365d;
error_log /dev/null crit;
# gzip_static on;
alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3;
'';
"~ ^(\\/[\\d]+\\.[\\d]+\\.[\\d]+[\\.|-][\\w]+)?\\/(web-apps|sdkjs|sdkjs-plugins|fonts|dictionaries)(\\/.*)$".extraConfig =
''
expires 365d;
# gzip_static on;
alias ${cfg.package}/var/www/onlyoffice/documentserver/$2$3;
'';
"~* ^(\\/cache\\/files.*)(\\/.*)".extraConfig = ''
@ -302,9 +299,8 @@ in
' /run/onlyoffice/config/default.json | sponge /run/onlyoffice/config/default.json
chmod u+w /run/onlyoffice/config/production-linux.json
jq '
.FileConverter.converter.x2tPath = "${cfg.x2t}/bin/x2t"
' /run/onlyoffice/config/production-linux.json | sponge /run/onlyoffice/config/production-linux.json
jq '.FileConverter.converter.x2tPath = "${cfg.x2t}/bin/x2t"' \
/run/onlyoffice/config/production-linux.json | sponge /run/onlyoffice/config/production-linux.json
if psql -d onlyoffice -c "SELECT 'task_result'::regclass;" >/dev/null; then
psql -f ${cfg.package}/var/www/onlyoffice/documentserver/server/schema/postgresql/removetbl.sql


@ -691,7 +691,7 @@ in
leaps = handleTest ./leaps.nix { };
lemmy = handleTest ./lemmy.nix { };
libinput = handleTest ./libinput.nix { };
librenms = handleTest ./librenms.nix { };
librenms = runTest ./librenms.nix;
libresprite = handleTest ./libresprite.nix { };
libreswan = runTest ./libreswan.nix;
libreswan-nat = runTest ./libreswan-nat.nix;
@ -703,7 +703,7 @@ in
libvirtd = handleTest ./libvirtd.nix { };
lidarr = handleTest ./lidarr.nix { };
lightdm = handleTest ./lightdm.nix { };
lighttpd = handleTest ./lighttpd.nix { };
lighttpd = runTest ./lighttpd.nix;
limesurvey = handleTest ./limesurvey.nix { };
limine = import ./limine { inherit runTest; };
listmonk = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./listmonk.nix { };
@ -1039,6 +1039,7 @@ in
pleroma = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./pleroma.nix { };
plikd = handleTest ./plikd.nix { };
plotinus = handleTest ./plotinus.nix { };
pocket-id = handleTest ./pocket-id.nix { };
podgrab = handleTest ./podgrab.nix { };
podman = handleTestOn [ "aarch64-linux" "x86_64-linux" ] ./podman/default.nix { };
podman-tls-ghostunnel = handleTestOn [
@ -1202,7 +1203,7 @@ in
sssd-ldap = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd-ldap.nix { };
stalwart-mail = handleTest ./stalwart-mail.nix { };
stargazer = runTest ./web-servers/stargazer.nix;
starship = handleTest ./starship.nix { };
starship = runTest ./starship.nix;
stash = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./stash.nix { };
static-web-server = handleTest ./web-servers/static-web-server.nix { };
step-ca = handleTestOn [ "x86_64-linux" ] ./step-ca.nix { };
@ -1351,7 +1352,7 @@ in
tuptime = handleTest ./tuptime.nix { };
turbovnc-headless-server = handleTest ./turbovnc-headless-server.nix { };
turn-rs = handleTest ./turn-rs.nix { };
tuxguitar = handleTest ./tuxguitar.nix { };
tuxguitar = runTest ./tuxguitar.nix;
twingate = runTest ./twingate.nix;
typesense = handleTest ./typesense.nix { };
ucarp = handleTest ./ucarp.nix { };


@ -1,106 +1,104 @@
import ./make-test-python.nix (
{ pkgs, lib, ... }:
{ pkgs, lib, ... }:
let
api_token = "f87f42114e44b63ad1b9e3c3d33d6fbe"; # random md5 hash
wrong_api_token = "e68ba041fcf1eab923a7a6de3af5f726"; # another random md5 hash
in
{
name = "librenms";
meta.maintainers = lib.teams.wdz.members;
let
api_token = "f87f42114e44b63ad1b9e3c3d33d6fbe"; # random md5 hash
wrong_api_token = "e68ba041fcf1eab923a7a6de3af5f726"; # another random md5 hash
in
{
name = "librenms";
meta.maintainers = lib.teams.wdz.members;
nodes.librenms = {
time.timeZone = "Europe/Berlin";
nodes.librenms = {
time.timeZone = "Europe/Berlin";
environment.systemPackages = with pkgs; [
curl
jq
];
environment.systemPackages = with pkgs; [
curl
jq
];
services.librenms = {
enable = true;
hostname = "librenms";
database = {
createLocally = true;
host = "localhost";
database = "librenms";
username = "librenms";
passwordFile = pkgs.writeText "librenms-db-pass" "librenmsdbpass";
};
nginx = {
default = true;
};
enableOneMinutePolling = true;
settings = {
enable_billing = true;
};
services.librenms = {
enable = true;
hostname = "librenms";
database = {
createLocally = true;
host = "localhost";
database = "librenms";
username = "librenms";
passwordFile = pkgs.writeText "librenms-db-pass" "librenmsdbpass";
};
# systemd oneshot to create a dummy admin user and a API token for testing
systemd.services.lnms-api-init = {
description = "LibreNMS API init";
after = [ "librenms-setup.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = "root";
Group = "root";
};
script = ''
API_USER_NAME=api
API_TOKEN=${api_token} # random md5 hash
# seeding database to get the admin roles
${pkgs.librenms}/artisan db:seed --force --no-interaction
# we don't need to know the password, it just has to exist
API_USER_PASS=$(${pkgs.pwgen}/bin/pwgen -s 64 1)
${pkgs.librenms}/artisan user:add $API_USER_NAME -r admin -p $API_USER_PASS
API_USER_ID=$(${pkgs.mariadb}/bin/mysql -D librenms -N -B -e "SELECT user_id FROM users WHERE username = '$API_USER_NAME';")
${pkgs.mariadb}/bin/mysql -D librenms -e "INSERT INTO api_tokens (user_id, token_hash, description) VALUES ($API_USER_ID, '$API_TOKEN', 'API User')"
'';
nginx = {
default = true;
};
enableOneMinutePolling = true;
settings = {
enable_billing = true;
};
};
nodes.snmphost = {
services.snmpd = {
enable = true;
openFirewall = true;
configText = ''
com2sec readonly default public
group MyROGroup v2c readonly
view all included .1 80
access MyROGroup "" any noauth exact all none none
syslocation Testcity, Testcountry
syscontact Testi mc Test <test@example.com>
'';
# systemd oneshot to create a dummy admin user and a API token for testing
systemd.services.lnms-api-init = {
description = "LibreNMS API init";
after = [ "librenms-setup.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = "root";
Group = "root";
};
script = ''
API_USER_NAME=api
API_TOKEN=${api_token} # random md5 hash
# seeding database to get the admin roles
${pkgs.librenms}/artisan db:seed --force --no-interaction
# we don't need to know the password, it just has to exist
API_USER_PASS=$(${pkgs.pwgen}/bin/pwgen -s 64 1)
${pkgs.librenms}/artisan user:add $API_USER_NAME -r admin -p $API_USER_PASS
API_USER_ID=$(${pkgs.mariadb}/bin/mysql -D librenms -N -B -e "SELECT user_id FROM users WHERE username = '$API_USER_NAME';")
${pkgs.mariadb}/bin/mysql -D librenms -e "INSERT INTO api_tokens (user_id, token_hash, description) VALUES ($API_USER_ID, '$API_TOKEN', 'API User')"
'';
};
};
testScript = ''
start_all()
nodes.snmphost = {
snmphost.wait_for_unit("snmpd.service")
services.snmpd = {
enable = true;
openFirewall = true;
librenms.wait_for_unit("lnms-api-init.service")
librenms.wait_for_open_port(80)
configText = ''
com2sec readonly default public
# Test that we can authenticate against the API
librenms.succeed("curl --fail -H 'X-Auth-Token: ${api_token}' http://localhost/api/v0")
librenms.fail("curl --fail -H 'X-Auth-Token: ${wrong_api_token}' http://localhost/api/v0")
group MyROGroup v2c readonly
view all included .1 80
access MyROGroup "" any noauth exact all none none
# add snmphost as a device
librenms.succeed("curl --fail -X POST -d '{\"hostname\":\"snmphost\",\"version\":\"v2c\",\"community\":\"public\"}' -H 'X-Auth-Token: ${api_token}' http://localhost/api/v0/devices")
syslocation Testcity, Testcountry
syscontact Testi mc Test <test@example.com>
'';
# wait until snmphost gets polled
librenms.wait_until_succeeds("test $(curl -H 'X-Auth-Token: ${api_token}' http://localhost/api/v0/devices/snmphost | jq -Mr .devices[0].last_polled) != 'null'")
'';
}
)
};
};
testScript = ''
start_all()
snmphost.wait_for_unit("snmpd.service")
librenms.wait_for_unit("lnms-api-init.service")
librenms.wait_for_open_port(80)
# Test that we can authenticate against the API
librenms.succeed("curl --fail -H 'X-Auth-Token: ${api_token}' http://localhost/api/v0")
librenms.fail("curl --fail -H 'X-Auth-Token: ${wrong_api_token}' http://localhost/api/v0")
# add snmphost as a device
librenms.succeed("curl --fail -X POST -d '{\"hostname\":\"snmphost\",\"version\":\"v2c\",\"community\":\"public\"}' -H 'X-Auth-Token: ${api_token}' http://localhost/api/v0/devices")
# wait until snmphost gets polled
librenms.wait_until_succeeds("test $(curl -H 'X-Auth-Token: ${api_token}' http://localhost/api/v0/devices/snmphost | jq -Mr .devices[0].last_polled) != 'null'")
'';
}


@ -1,25 +1,23 @@
import ./make-test-python.nix (
{ lib, pkgs, ... }:
{
name = "lighttpd";
meta.maintainers = with lib.maintainers; [ bjornfor ];
{ lib, pkgs, ... }:
{
name = "lighttpd";
meta.maintainers = with lib.maintainers; [ bjornfor ];
nodes = {
server = {
services.lighttpd.enable = true;
services.lighttpd.document-root = pkgs.runCommand "document-root" { } ''
mkdir -p "$out"
echo "hello nixos test" > "$out/file.txt"
'';
};
nodes = {
server = {
services.lighttpd.enable = true;
services.lighttpd.document-root = pkgs.runCommand "document-root" { } ''
mkdir -p "$out"
echo "hello nixos test" > "$out/file.txt"
'';
};
};
testScript = ''
start_all()
server.wait_for_unit("lighttpd.service")
res = server.succeed("curl --fail http://localhost/file.txt")
assert "hello nixos test" in res, f"bad server response: '{res}'"
server.succeed("systemctl reload lighttpd")
'';
}
)
testScript = ''
start_all()
server.wait_for_unit("lighttpd.service")
res = server.succeed("curl --fail http://localhost/file.txt")
assert "hello nixos test" in res, f"bad server response: '{res}'"
server.succeed("systemctl reload lighttpd")
'';
}


@ -29,6 +29,8 @@
package = patchedPareto;
};
networking.firewall.enable = true;
};
nodes.dashboard =
@ -64,6 +66,12 @@
services.displayManager.autoLogin = {
enable = true;
user = "alice";
};
virtualisation.resolution = {
x = 640;
y = 480;
};
environment.systemPackages = [ pkgs.xdotool ];
@ -94,7 +102,6 @@
+ " --skip 21830a4e-84f1-48fe-9c5b-beab436b2cdb" # Disk encryption
+ " --skip 44e4754a-0b42-4964-9cc2-b88b2023cb1e" # Pareto Security is up to date
+ " --skip f962c423-fdf5-428a-a57a-827abc9b253e" # Password manager installed
+ " --skip 2e46c89a-5461-4865-a92e-3b799c12034a" # Firewall is enabled
+ "'"
)
@ -117,7 +124,7 @@
]:
status, out = xfce.systemctl("is-enabled " + unit, "alice")
assert status == 0, f"Unit {unit} is not enabled (status: {status}): {out}"
xfce.succeed("xdotool mousemove 850 10")
xfce.succeed("xdotool mousemove 460 10")
xfce.wait_for_text("Pareto Security")
xfce.succeed("xdotool click 1")
xfce.wait_for_text("Run Checks")
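Review bot: The new pointer position in `xfce.succeed("xdotool mousemove 460 10")` only makes sense together with the `virtualisation.resolution = { x = 640; y = 480; }` added further up, but nothing ties the two together. A comment on the `mousemove` line such as `# tray icon position at 640x480, see virtualisation.resolution above` would stop a later resolution change from breaking the click without explanation. With the `Firewall is enabled` skip removed, the run now depends on `networking.firewall.enable = true` on the first node, which is the one check that exercises the helper's new PATH. The `Password manager installed` check is still skipped, so the user-service half of the PATH change is not covered by this test.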

47
nixos/tests/pocket-id.nix Normal file

@ -0,0 +1,47 @@
import ./make-test-python.nix (
{ lib, ... }:
{
name = "pocket-id";
meta.maintainers = with lib.maintainers; [
gepbird
ymstnt
];
nodes = {
machine =
{ ... }:
{
services.pocket-id = {
enable = true;
settings = {
PORT = 10001;
INTERNAL_BACKEND_URL = "http://localhost:10002";
BACKEND_PORT = 10002;
};
};
};
};
testScript =
{ nodes, ... }:
let
inherit (nodes.machine.services.pocket-id) settings;
inherit (builtins) toString;
in
''
machine.wait_for_unit("pocket-id-backend.service")
machine.wait_for_open_port(${toString settings.BACKEND_PORT})
machine.wait_for_unit("pocket-id-frontend.service")
machine.wait_for_open_port(${toString settings.PORT})
backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.BACKEND_PORT}/api/users/me")
assert backend_status == "401"
machine.succeed("grep 'You are not signed in' /tmp/backend-output")
frontend_status = machine.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settings.PORT}")
assert frontend_status == "200"
machine.succeed("grep 'Sign in to Pocket ID' /tmp/frontend-output")
'';
}
)
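Review bot: This new test is written in the `import ./make-test-python.nix ( … )` form and registered with `handleTest`, while the same commit moves `librenms`, `lighttpd`, `starship` and `tuxguitar` to the plain-module form used with `runTest`. Writing it as `{ lib, ... }: { name = "pocket-id"; … }` and registering `pocket-id = runTest ./pocket-id.nix;` would avoid a follow-up migration. `inherit (builtins) toString;` is redundant because `toString` is already in scope. The assertions cover only the unauthenticated paths (`401` on `/api/users/me`, `200` on the sign-in page); a check that the data directory and database are not readable by other users would also exercise the module's permission settings.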


@ -1,53 +1,51 @@
import ./make-test-python.nix (
{ pkgs, ... }:
{
name = "starship";
meta.maintainers = pkgs.starship.meta.maintainers;
{ pkgs, ... }:
{
name = "starship";
meta.maintainers = pkgs.starship.meta.maintainers;
nodes.machine = {
programs = {
fish.enable = true;
zsh.enable = true;
nodes.machine = {
programs = {
fish.enable = true;
zsh.enable = true;
starship = {
enable = true;
settings.format = "<starship>";
};
starship = {
enable = true;
settings.format = "<starship>";
};
environment.systemPackages =
map
(
shell:
pkgs.writeScriptBin "expect-${shell}" ''
#!${pkgs.expect}/bin/expect -f
spawn env TERM=xterm ${shell} -i
expect "<starship>" {
send "exit\n"
} timeout {
send_user "\n${shell} failed to display Starship\n"
exit 1
}
expect eof
''
)
[
"bash"
"fish"
"zsh"
];
};
testScript = ''
start_all()
machine.wait_for_unit("default.target")
environment.systemPackages =
map
(
shell:
pkgs.writeScriptBin "expect-${shell}" ''
#!${pkgs.expect}/bin/expect -f
machine.succeed("expect-bash")
machine.succeed("expect-fish")
machine.succeed("expect-zsh")
'';
}
)
spawn env TERM=xterm ${shell} -i
expect "<starship>" {
send "exit\n"
} timeout {
send_user "\n${shell} failed to display Starship\n"
exit 1
}
expect eof
''
)
[
"bash"
"fish"
"zsh"
];
};
testScript = ''
start_all()
machine.wait_for_unit("default.target")
machine.succeed("expect-bash")
machine.succeed("expect-fish")
machine.succeed("expect-zsh")
'';
}


@ -1,29 +1,25 @@
import ./make-test-python.nix (
{ pkgs, ... }:
{
name = "tuxguitar";
meta = with pkgs.lib.maintainers; {
maintainers = [ ];
{ ... }:
{
name = "tuxguitar";
meta.maintainers = [ ];
nodes.machine =
{ config, pkgs, ... }:
{
imports = [
./common/x11.nix
];
services.xserver.enable = true;
environment.systemPackages = [ pkgs.tuxguitar ];
};
nodes.machine =
{ config, pkgs, ... }:
{
imports = [
./common/x11.nix
];
services.xserver.enable = true;
environment.systemPackages = [ pkgs.tuxguitar ];
};
testScript = ''
machine.wait_for_x()
machine.succeed("tuxguitar >&2 &")
machine.wait_for_window("TuxGuitar - Untitled.tg")
machine.sleep(1)
machine.screenshot("tuxguitar")
'';
}
)
testScript = ''
machine.wait_for_x()
machine.succeed("tuxguitar >&2 &")
machine.wait_for_window("TuxGuitar - Untitled.tg")
machine.sleep(1)
machine.screenshot("tuxguitar")
'';
}


@ -405,10 +405,12 @@ let
+ lib.optionalString isDarwin ''
cd "${appPath}"
# These files have to be copied and not symlinked, otherwise tabs crash.
# The omni.ja files have to be copied and not symlinked, otherwise tabs crash.
# Maybe related to how omni.ja file is mmapped into memory. See:
# https://github.com/mozilla/gecko-dev/blob/b1662b447f306e6554647914090d4b73ac8e1664/modules/libjar/nsZipArchive.cpp#L204
for file in $(find . -type l -name "omni.ja"); do
#
# The *.dylib files are copied, otherwise some basic functionality, e.g. Crypto API, is broken.
for file in $(find . -name "omni.ja" -o -name "*.dylib"); do
rm "$file"
cp "${browser}/${appPath}/$file" "$file"
done
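Review bot: The rewritten loop header `for file in $(find . -name "omni.ja" -o -name "*.dylib"); do` drops the `-type l` test the old line had, so the `rm`/`cp` pair now also runs on regular files that match, not only on symlinks into `${browser}`. If only symlinks are meant to be replaced, keep the test and group the names: `for file in $(find . -type l \( -name "omni.ja" -o -name "*.dylib" \)); do`. The unquoted `$(find …)` also splits on whitespace, so a path with a space inside the app bundle would be mishandled; `find … -print0 | while IFS= read -r -d "" file; do` avoids that. The surrounding `lib.optionalString isDarwin` script continues outside the hunk.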


@ -9,13 +9,13 @@
stdenv.mkDerivation rec {
pname = "rssguard";
version = "4.8.1";
version = "4.8.2";
src = fetchFromGitHub {
owner = "martinrotter";
repo = pname;
tag = version;
sha256 = "sha256-qWxcjGl4EaLXZ0q6RVy+IKyBcqlx/yYojlGivSXy5Io=";
sha256 = "sha256-C5iA5qK8+FhCUeFtyskY/vd4evaYS3TY1SHAc83/36w=";
};
buildInputs = [


@ -9,19 +9,19 @@
}:
let
version = "1.2.0";
version = "1.2.1";
src = fetchFromGitHub {
owner = "archtika";
repo = "archtika";
tag = "v${version}";
hash = "sha256-ba9da7LqCE/e2lhRVHD7GOhwOj1fNTBbN/pARPMzIg4=";
hash = "sha256-GffYAtLs12v2Lt1WoKJOG5dZsmzDcySZKFBQwCT9nnY=";
};
web = buildNpmPackage {
name = "web-app";
src = "${src}/web-app";
npmDepsHash = "sha256-RTyo7K/Hr1hBGtcBKynrziUInl91JqZl84NkJg16ufA=";
npmDepsHash = "sha256-2udi8vLLvdoZxIyRKLOCfEpEMsooxsIrM1wiua1QPAI=";
npmFlags = [ "--legacy-peer-deps" ];
installPhase = ''
mkdir -p $out/web-app
@ -50,7 +50,10 @@ symlinkJoin {
api
];
passthru.updateScript = nix-update-script { };
passthru = {
inherit src web;
updateScript = nix-update-script { };
};
meta = {
description = "Modern, performant and lightweight CMS";


@ -26,14 +26,14 @@
}:
let
version = "2.70.0";
version = "2.71.0";
src = fetchFromGitHub {
name = "azure-cli-${version}-src";
owner = "Azure";
repo = "azure-cli";
rev = "azure-cli-${version}";
hash = "sha256-vvX/LkG8qA53AxVlvq7FSTqbVblvE5xbDq4V0SINCAk=";
hash = "sha256-vtuDgj3UJCmKxYg0OgG59ezQh7HlscNywz61BHDzJF8=";
};
# put packages that needs to be overridden in the py package scope


@ -7,13 +7,13 @@
buildGoModule rec {
pname = "azurehound";
version = "2.3.0";
version = "2.3.1";
src = fetchFromGitHub {
owner = "SpecterOps";
repo = "AzureHound";
tag = "v${version}";
hash = "sha256-BbwQ3u1SD4AjNjHzT6QB0x7QJAZ59m1DtvhjZapLIx4=";
hash = "sha256-12ae0y3hjeNPwB33J+XP26h+JfFN5M8+bF8CSon1jp4=";
};
vendorHash = "sha256-FG3207OTzkMEoSvQsTH7Ky9T3ur7glG7k0ERfd12SO0=";


@ -6,16 +6,16 @@
buildGoModule rec {
pname = "cariddi";
version = "1.3.5";
version = "1.3.6";
src = fetchFromGitHub {
owner = "edoardottt";
repo = "cariddi";
tag = "v${version}";
hash = "sha256-mRrUTRknax3b4hs3frQMzg0GyB3WjMDZJk0RQSAC88U=";
hash = "sha256-ixjHPO0FXKbWOfjMVz1YD+wWpL8wcn2CCO46KF1zb0U=";
};
vendorHash = "sha256-ML1aLbrYhs2IxnN2ywKFOpvAV6yuYb8GI+dtoxwJl4A=";
vendorHash = "sha256-7v92+iDAYG0snJjVCX35rLKV/ZEzaVX2au4HOwa/ILU=";
ldflags = [
"-w"


@ -1,6 +1,7 @@
{
lib,
stdenvNoCC,
buildFHSEnv,
fetchzip,
nix-update-script,
}:
@ -24,8 +25,24 @@ let
}
."${stdenvNoCC.hostPlatform.system}"
or (throw "Unsupported system: ${stdenvNoCC.hostPlatform.system}");
in
executableName = "copilot-language-server";
fhs =
{ package }:
buildFHSEnv {
name = package.meta.mainProgram;
version = package.version;
targetPkgs = pkgs: [ pkgs.stdenv.cc.cc.lib ];
runScript = lib.getExe package;
meta = package.meta // {
description =
package.meta.description
+ " (FHS-wrapped, expand package details for further information when to use it)";
longDescription = "Use this version if you encounter an error like `Could not start dynamically linked executable` or `SyntaxError: Invalid or unexpected token` (see nixpkgs issue [391730](https://github.com/NixOS/nixpkgs/issues/391730)).";
};
};
in
stdenvNoCC.mkDerivation (finalAttrs: {
pname = "copilot-language-server";
version = "1.294.0";
@ -36,18 +53,20 @@ stdenvNoCC.mkDerivation (finalAttrs: {
stripRoot = false;
};
npmDepsHash = "sha256-PLX/mN7xu8gMh2BkkyTncP3+rJ3nBmX+pHxl0ONXbe4=";
installPhase = ''
runHook preInstall
install -Dt "$out"/bin "${os}-${arch}"/copilot-language-server
install "${os}-${arch}/${executableName}" -Dm755 -t "$out"/bin
runHook postInstall
'';
dontStrip = true;
passthru.updateScript = nix-update-script { };
passthru = {
updateScript = nix-update-script { };
fhs = fhs { package = finalAttrs.finalPackage; };
};
meta = {
description = "Use GitHub Copilot with any editor or IDE via the Language Server Protocol";
@ -60,7 +79,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
shortName = "GitHub Copilot License";
url = "https://github.com/customer-terms/github-copilot-product-specific-terms";
};
mainProgram = "copilot-language-server";
mainProgram = executableName;
platforms = [
"x86_64-linux"
"aarch64-linux"
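Review bot: The new `fhs` helper in the `let` block has no comment saying what the wrapper is and is not for; the only rationale sits in `longDescription`. I would add a comment above `fhs =`, for example `# Compatibility wrapper for the prebuilt binary: provides an FHS layout with libstdc++. Not an isolation boundary.`, so that nobody picks `copilot-language-server-fhs` expecting the prebuilt upstream binary to be confined. As far as I know buildFHSEnv leaves the user's home directory and network reachable, which is worth confirming against the nixpkgs manual before wording the comment. The `mkDerivation` body continues outside the visible hunks.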


@ -14,14 +14,14 @@ let
hashes = {
linux-aarch64-unknown-linux-gnu = "sha256-i6XsOK8csrJ/9TDzltA7mGjdutLZONFiYGV5tqSCy8o=";
linux-x86_64-unknown-linux-gnu = "sha256-gBIzG0LaP9qxivkr47JpBu1z9km7o/1Wppk/6k2WslE=";
linux-x86_64-unknown-linux-gnu = "sha256-XK3DPWIdPDoIL10EATa8p1bnlpZaOzOdU0LnuKbj++E=";
macos-aarch64-apple-darwin = "sha256-8e5duQYDVFyZejMjuZPuWhg1on3CBku9eBuilG5p1BY=";
macos-x86_64-apple-darwin = "sha256-dnouUBUUAkMr1h+IJWYamxmk8IC7JdeIUS9/YI0GzOU=";
};
in
stdenv.mkDerivation rec {
pname = "erlang-language-platform";
version = "2025-02-13";
version = "2025-04-02";
src = fetchurl {
url = "https://github.com/WhatsApp/erlang-language-platform/releases/download/${version}/elp-${release}-otp-26.2.tar.gz";


@ -4,6 +4,7 @@
fetchFromGitHub,
testers,
gojq,
installShellFiles,
}:
buildGoModule rec {
@ -24,6 +25,12 @@ buildGoModule rec {
"-w"
];
nativeBuildInputs = [ installShellFiles ];
postInstall = ''
installShellCompletion --cmd gojq --zsh _gojq
'';
passthru.tests.version = testers.testVersion {
package = gojq;
};


@ -6,16 +6,16 @@
buildGoModule rec {
pname = "gosec";
version = "2.22.2";
version = "2.22.3";
src = fetchFromGitHub {
owner = "securego";
repo = pname;
rev = "v${version}";
hash = "sha256-j9MRMtINGPn4Hn9Z3+19/Q+Weu277WVONXKtJf9x5Cc=";
hash = "sha256-MQ/dDK2t9H7bSsr5MMtlKySLAJIDimRbpATHyOYxrBo=";
};
vendorHash = "sha256-lZFTmf4/J3NDdawfp2WpPoaVxepbyazIyC8ahOwPcZo=";
vendorHash = "sha256-R1w+dHx3Aond6DmwCHRVZXmUABWfpsbLgcDW67Ukz0E=";
subPackages = [
"cmd/gosec"


@ -12,14 +12,14 @@
}:
buildGoModule rec {
version = "3.4.2";
version = "3.4.3";
pname = "grafana-loki";
src = fetchFromGitHub {
owner = "grafana";
repo = "loki";
rev = "v${version}";
hash = "sha256-GE92NlFCOk6qFtrgeBvLDI0OkmWaJ1j07Q14+jgi9+w=";
hash = "sha256-1tI9X2eIKuWEWJBbN4UAw8yeRrjgfqcenJyTNMk5rqU=";
};
vendorHash = null;


@ -2,39 +2,38 @@
lib,
rustPlatform,
fetchFromGitHub,
stdenv,
darwin,
versionCheckHook,
nix-update-script,
}:
rustPlatform.buildRustPackage rec {
rustPlatform.buildRustPackage (finalAttrs: {
pname = "jnv";
version = "0.6.0";
src = fetchFromGitHub {
owner = "ynqa";
repo = "jnv";
rev = "v${version}";
tag = "v${finalAttrs.version}";
hash = "sha256-HKZ+hF5Y7vTA4EODSAd9xYJHaipv5YukTl470ejPLtM=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-VLVoURqmUhhekNZ0a75bwjvSiLfaQ79IlltbmWVyBrI=";
buildInputs = lib.optional stdenv.hostPlatform.isDarwin (
with darwin.apple_sdk.frameworks;
[
CoreGraphics
AppKit
]
);
nativeInstallCheckInputs = [ versionCheckHook ];
versionCheckProgramArg = "--version";
doInstallCheck = true;
meta = with lib; {
passthru.updateScript = nix-update-script { };
meta = {
description = "Interactive JSON filter using jq";
mainProgram = "jnv";
homepage = "https://github.com/ynqa/jnv";
license = with licenses; [ mit ];
maintainers = with maintainers; [
license = with lib.licenses; [ mit ];
maintainers = with lib.maintainers; [
nealfennimore
nshalman
];
};
}
})


@ -12,17 +12,17 @@
}:
rustPlatform.buildRustPackage rec {
pname = "kanata";
version = "1.8.0";
version = "1.8.1";
src = fetchFromGitHub {
owner = "jtroo";
repo = "kanata";
rev = "v${version}";
sha256 = "sha256-RTFP063NGNfjlOlZ4wghpcUQEmmj73Xlu3KPIxeUI/I=";
sha256 = "sha256-w/PeSqj51gJOWmAV5UPMprntdzinX/IL49D2ZUMfeSM=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-/r4u7pM7asCvG3LkbuP1Y63WVls1uZtV/L3cSOzUXr4=";
cargoHash = "sha256-T9fZxv3aujYparzVphfYBJ+5ti/T1VkeCeCqWPyllY8=";
buildInputs = lib.optionals stdenv.hostPlatform.isDarwin [
apple-sdk_13


@ -8,11 +8,11 @@
stdenv.mkDerivation (finalAttrs: {
pname = "mill";
version = "0.12.9";
version = "0.12.10";
src = fetchurl {
url = "https://repo1.maven.org/maven2/com/lihaoyi/mill-dist/${finalAttrs.version}/mill-dist-${finalAttrs.version}-assembly.jar";
hash = "sha256-Ntqzivy8dfsRlBclPNsWOZ4h1Xk7D3UJV7GLVGIEcAU=";
hash = "sha256-TESwISFz4Xf/F4kgnaTQbi/uVrc75bearih8mydPqHM=";
};
nativeBuildInputs = [ makeWrapper ];


@ -6,57 +6,55 @@
nix-prefetch-git,
nixpkgs-review,
python3Packages,
nix-update,
}:
let
self = python3Packages.buildPythonApplication {
pname = "nix-update";
version = "1.10.0";
pyproject = true;
python3Packages.buildPythonApplication rec {
pname = "nix-update";
version = "1.11.0";
pyproject = true;
src = fetchFromGitHub {
owner = "Mic92";
repo = "nix-update";
tag = self.version;
hash = "sha256-fGs/EdCEoDA9N5gPtHU6CaDZo9e/aqW6pm6atsjK7PI=";
};
build-system = [ python3Packages.setuptools ];
makeWrapperArgs = [
"--prefix"
"PATH"
":"
(lib.makeBinPath [
nix
nix-prefetch-git
nixpkgs-review
])
];
checkPhase = ''
runHook preCheck
$out/bin/nix-update --help >/dev/null
runHook postCheck
'';
passthru = {
nix-update-script = callPackage ./nix-update-script.nix { nix-update = self; };
};
meta = {
description = "Swiss-knife for updating nix packages";
homepage = "https://github.com/Mic92/nix-update/";
changelog = "https://github.com/Mic92/nix-update/releases/tag/${self.version}";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [
figsoda
mic92
];
mainProgram = "nix-update";
};
src = fetchFromGitHub {
owner = "Mic92";
repo = "nix-update";
tag = version;
hash = "sha256-G5YehePEMhTgxCnLp8Dg+bDHvOe+QltlCkQHVwMtYx0=";
};
in
self
build-system = [ python3Packages.setuptools ];
makeWrapperArgs = [
"--prefix"
"PATH"
":"
(lib.makeBinPath [
nix
nix-prefetch-git
nixpkgs-review
])
];
checkPhase = ''
runHook preCheck
$out/bin/nix-update --help >/dev/null
runHook postCheck
'';
passthru = {
nix-update-script = callPackage ./nix-update-script.nix { inherit nix-update; };
};
meta = {
description = "Swiss-knife for updating nix packages";
homepage = "https://github.com/Mic92/nix-update/";
changelog = "https://github.com/Mic92/nix-update/releases/tag/${version}";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [
figsoda
mic92
];
mainProgram = "nix-update";
};
}
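Review bot: The package now takes `nix-update` as one of its own arguments and forwards it with `inherit nix-update;` in `passthru`, and nothing in the file says why. A reader can easily take this for an accidental self-reference, so I would put a comment above that `passthru` line, for example `# nix-update comes from the package set, so overlays reach nix-update-script`. Because the derivation is now a `rec` set, `tag = version` and the `changelog` URL will presumably not follow a later `overrideAttrs` that changes `version`. That limitation is worth stating in the same comment, since other packages on this page wire their `updateScript` to `nix-update-script`.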


@ -1 +1 @@
2025-03-03
2025-04-04


@ -25,8 +25,8 @@ mkDerivation {
pname = "nixfmt";
version = "0.6.0";
src = fetchzip {
url = "https://github.com/nixos/nixfmt/archive/3261d1016ecc753c59ff92767a257f91b587e705.tar.gz";
sha256 = "0jk6mgp710iwxyc7wa5kzz0p0rpcwbbs21smnv14cyii0jniz42s";
url = "https://github.com/nixos/nixfmt/archive/65af4b69133d19f534d97746c97c2d5b464f43b4.tar.gz";
sha256 = "0l0w3janvss1n1j7qkcml97zndm2jm2gbrzzs9d8l0ixnrw0cd5r";
};
isLibrary = true;
isExecutable = true;


@ -61,9 +61,9 @@ let
mkdir -p var/lib/onlyoffice/ var/www/onlyoffice/documentserver/fonts/
# see usr/bin/documentserver-flush-cache.sh
cp var/www/onlyoffice/documentserver/web-apps/apps/api/documents/api.js.tpl var/www/onlyoffice/documentserver/web-apps/apps/api/documents/api.js
HASH=$(basename $out | cut -d '-' -f 1)
sed -i "s/{{HASH_POSTFIX}}/$HASH/g" var/www/onlyoffice/documentserver/web-apps/apps/api/documents/api.js
cp var/www/onlyoffice/documentserver/web-apps/apps/api/documents/api.js{.tpl,}
substituteInPlace var/www/onlyoffice/documentserver/web-apps/apps/api/documents/api.js \
--replace-fail '{{HASH_POSTFIX}}' "$(basename $out | cut -d '-' -f 1)"
mv * $out/
'';


@ -9,16 +9,16 @@
buildGoModule rec {
pname = "paretosecurity";
version = "0.0.96";
version = "0.1.3";
src = fetchFromGitHub {
owner = "ParetoSecurity";
repo = "agent";
rev = version;
hash = "sha256-SyeIGSDvrnOvyOJ0zC8CulpaMa+iZeRaMTJUSydz2tw=";
hash = "sha256-ovyfHqLCf5U3UR1HfoA+UQhqLZ6IaILcpqptPRQsb60=";
};
vendorHash = "sha256-O/OF3Y6HiiikMxf657k9eIM7UfkicIImAUxVVf/TgR8=";
vendorHash = "sha256-7mKAFkKGpBOjXc3J/sfF3k3pJF53tFybXZgbfJInuSY=";
proxyVendor = true;
ldflags = [


@ -6,11 +6,11 @@
stdenvNoCC.mkDerivation rec {
pname = "plemoljp-hs";
version = "2.0.3";
version = "2.0.4";
src = fetchzip {
url = "https://github.com/yuru7/PlemolJP/releases/download/v${version}/PlemolJP_HS_v${version}.zip";
hash = "sha256-rKWZMIK6TP6IV6KjFGuZE2S6IiMtjtHZeWM44tULduk=";
hash = "sha256-+pRbMgRaIbsXo8e7rQre377F8LhbK9rBjG/vYrdeFQM=";
};
installPhase = ''


@ -6,11 +6,11 @@
stdenvNoCC.mkDerivation rec {
pname = "plemoljp";
version = "2.0.3";
version = "2.0.4";
src = fetchzip {
url = "https://github.com/yuru7/PlemolJP/releases/download/v${version}/PlemolJP_v${version}.zip";
hash = "sha256-cT2BpD2PoAd38uYCQlq5fv9NYgwInblrYdK/XDEmOWI=";
hash = "sha256-pajE86IK05mm3Z507bvoMGy8JJwuGWZnUiSrXndiBTk=";
};
installPhase = ''


@ -0,0 +1,119 @@
{
lib,
fetchFromGitHub,
buildGoModule,
buildNpmPackage,
fetchurl,
makeWrapper,
nodejs,
stdenvNoCC,
nixosTests,
nix-update-script,
}:
let
version = "0.45.0";
src = fetchFromGitHub {
owner = "pocket-id";
repo = "pocket-id";
tag = "v${version}";
hash = "sha256-x5Y3ArkIPxiE6avk9DNyFdfkc/pY6h3JH3PZCS8U/GM=";
};
backend = buildGoModule {
pname = "pocket-id-backend";
inherit version src;
sourceRoot = "${src.name}/backend";
vendorHash = "sha256-mqpBP+A2X5ome1Ppg/Kki0C+A77jFtWzUjI/RN+ZCzg=";
preFixup = ''
mv $out/bin/cmd $out/bin/pocket-id-backend
'';
};
frontend = buildNpmPackage (finalAttrs: {
pname = "pocket-id-frontend";
inherit version src;
sourceRoot = "${src.name}/frontend";
npmDepsHash = "sha256-cpmZzlz+wusfRLN4iIGdk+I4SWrX/gk2fbhg+Gg3paw=";
npmFlags = [ "--legacy-peer-deps" ];
nativeBuildInputs = [
makeWrapper
];
installPhase = ''
runHook preInstall
# even though vite build creates most of the minified js files,
# it still needs a few packages from node_modules, try to strip that
npm prune --omit=dev --omit=optional $npmFlags
# larger seemingly unused packages
rm -r node_modules/{lucide-svelte,bits-ui,jiti,@swc,.bin}
# unused file types
for pattern in '*.map' '*.map.js' '*.ts'; do
find . -type f -name "$pattern" -exec rm {} +
done
mkdir -p $out/{bin,lib/pocket-id-frontend}
cp -r build $out/lib/pocket-id-frontend/dist
cp -r node_modules $out/lib/pocket-id-frontend/node_modules
makeWrapper ${lib.getExe nodejs} $out/bin/pocket-id-frontend \
--add-flags $out/lib/pocket-id-frontend/dist/index.js
runHook postInstall
'';
});
in
stdenvNoCC.mkDerivation rec {
pname = "pocket-id";
inherit
version
src
backend
frontend
;
dontUnpack = true;
installPhase = ''
runHook preInstall
mkdir -p $out/bin
ln -s ${backend}/bin/pocket-id-backend $out/bin/pocket-id-backend
ln -s ${frontend}/bin/pocket-id-frontend $out/bin/pocket-id-frontend
runHook postInstall
'';
passthru = {
tests = {
inherit (nixosTests) pocket-id;
};
updateScript = nix-update-script {
extraArgs = [
"--subpackage"
"backend"
"--subpackage"
"frontend"
];
};
};
meta = {
description = "OIDC provider with passkeys support";
homepage = "https://pocket-id.org";
changelog = "https://github.com/pocket-id/pocket-id/releases/tag/v${version}";
license = lib.licenses.bsd2;
maintainers = with lib.maintainers; [
gepbird
ymstnt
];
platforms = lib.platforms.unix;
};
}
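Review bot: In the frontend `installPhase`, the runtime `node_modules` of this OIDC provider is trimmed by a hand-written list (`rm -r node_modules/{lucide-svelte,bits-ui,jiti,@swc,.bin}`) whose own comment calls the packages "seemingly unused". For an identity service the shipped dependency set should be a checked fact rather than a guess. I would replace that comment with one that records how the list was validated, for example `# not loaded by build/index.js at runtime; exercised by nixosTests.pocket-id, re-check on every update`, assuming the NixOS test actually starts the frontend. `npmFlags = [ "--legacy-peer-deps" ];` would also benefit from a one-line reason, since it relaxes npm's peer-dependency resolution.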


@ -8,6 +8,7 @@
curl,
cmake,
ninja,
deterministic-host-uname,
}:
stdenv.mkDerivation (finalAttrs: {
@ -29,6 +30,8 @@ stdenv.mkDerivation (finalAttrs: {
nativeBuildInputs = [
cmake
ninja
# cross: build system uses uname to determine host system
deterministic-host-uname
];
buildInputs = [


@ -10,13 +10,13 @@
stdenv.mkDerivation (finalAttrs: {
pname = "tippecanoe";
version = "2.75.1";
version = "2.77.0";
src = fetchFromGitHub {
owner = "felt";
repo = "tippecanoe";
tag = finalAttrs.version;
hash = "sha256-rBuk34lOrp9aW7yK0LOTRqFJg3J8IogR01kcFhgK12Y=";
hash = "sha256-7yRrUn1U0iERlix/8/oaMaizlpzqdiSIHj298ykaJjE=";
};
buildInputs = [


@ -8,7 +8,7 @@
stdenv,
darwin,
mpv,
youtube-dl,
yt-dlp,
makeBinaryWrapper,
}:
@ -49,7 +49,7 @@ rustPlatform.buildRustPackage rec {
postInstall = ''
wrapProgram $out/bin/ytui_music \
--prefix PATH : ${lib.makeBinPath [ youtube-dl ]}
--prefix PATH : ${lib.makeBinPath [ yt-dlp ]}
'';
doInstallCheck = true;
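Review bot: The `wrapProgram` line now prefixes `PATH` with `yt-dlp` only, so any lookup of the executable name `youtube-dl` by ytui_music, or by the mpv it starts, would no longer be satisfied by the wrapper and would fall through to whatever the user's own `PATH` provides. The hunk does not show which name the program calls, so this needs checking against the upstream source. If the old name is still used, `lib.makeBinPath [ (yt-dlp.override { withAlias = true; }) ]` keeps it resolving to the pinned package. The `buildRustPackage` body starts and ends outside the hunk.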


@ -7,15 +7,15 @@
buildNpmPackage rec {
pname = "zwave-js-ui";
version = "9.32.0";
version = "10.1.2";
src = fetchFromGitHub {
owner = "zwave-js";
repo = "zwave-js-ui";
tag = "v${version}";
hash = "sha256-DZm3IoLc28YMbwWL6+qHd5BSyRQswRatEvGmwuIzBZM=";
hash = "sha256-j56kDnMw/YX6ONkIjPjopsu6xE2Kt1cZV5u+tX2TqlM=";
};
npmDepsHash = "sha256-FZ/iStpC5DiNthV42/QAzek261ZUAL1DOEIixVlArZ0=";
npmDepsHash = "sha256-hkfDztDtLug9qdxi9NRWnzCN6Parv27stVknZ0cSYpo=";
passthru.tests.zwave-js-ui = nixosTests.zwave-js-ui;


@ -6,12 +6,12 @@
rebar3Relx rec {
pname = "erlfmt";
version = "1.6.0";
version = "1.6.1";
releaseType = "escript";
src = fetchFromGitHub {
owner = "WhatsApp";
repo = "erlfmt";
sha256 = "sha256-p4cdnKDY02XqdFOkijhOo527eZenfMF8J2dbuvH/hcY=";
sha256 = "sha256-O7+7dMgmnNd9hHuRcJqMAI0gmONz5EO3qSlUC3tufh0=";
rev = "v${version}";
};
meta = with lib; {


@ -1,6 +1,6 @@
{ mkDerivation }:
mkDerivation {
version = "27.3.1";
sha256 = "sha256-VuVRwcS2TgDYT7buLMHOe8r0AWM+R9DxydcHErAy8xw=";
version = "27.3.2";
sha256 = "sha256-Pybkcm3pLt0wV+S9ia/BAmM1AKp/nVSAckEzNn4KjSg=";
}

View file

@ -112,6 +112,7 @@
torch,
nltk,
boto3,
nix-update-script,
}:
let
@ -123,7 +124,7 @@ let
];
};
version = "0.80.0";
version = "0.81.0";
aider-chat = buildPythonPackage {
pname = "aider-chat";
inherit version;
@ -136,7 +137,7 @@ let
owner = "Aider-AI";
repo = "aider";
tag = "v${version}";
hash = "sha256-W3GO5+0rprQHmn1upL3pcXuv2e9Wir6TW0tUnvZj48E=";
hash = "sha256-xWOXsffLAVBZvJM8PuAJ12IrmNLfXuqHrbIMtPM1leE=";
};
pythonRelaxDeps = true;
@ -365,6 +366,8 @@ let
makeWrapperArgs = makeWrapperArgs ++ playwrightArgs ++ helpArgs;
}
);
updateScript = nix-update-script { };
};
meta = {


@ -17,7 +17,8 @@ buildPythonPackage rec {
disabled = pythonOlder "3.8";
src = fetchPypi {
inherit pname version;
pname = "azure_mgmt_keyvault";
inherit version;
hash = "sha256-/PsTZoUpJvKjEeG8bmp4brioof1G5gJdTBFO3iy0ZC4=";
};


@ -8,13 +8,13 @@
buildPythonPackage rec {
pname = "microsoft-security-utilities-secret-masker";
version = "1.0.0b3";
version = "1.0.0b4";
pyproject = true;
src = fetchPypi {
pname = "microsoft_security_utilities_secret_masker";
inherit version;
hash = "sha256-0EVIIwxno70stGCyjnH+bKwWj0jwbXapadnKR732c0M=";
hash = "sha256-owvTYawYyLUvaEQHa8JkZTNZSeqcegBNlfUZbsb97z4=";
};
build-system = [


@ -19,14 +19,14 @@
buildPythonPackage rec {
pname = "posthog";
version = "3.18.1";
version = "3.23.0";
pyproject = true;
src = fetchFromGitHub {
owner = "PostHog";
repo = "posthog-python";
tag = "v${version}";
hash = "sha256-1jJACzDf8J4Vsrvtj0PgeK1Ck2Bzy5ThHm0Ohd+LyYs=";
hash = "sha256-+nmCmO1vPnNgZJdZSWwapeFfckNXEcdc/129yaLygf8=";
};
build-system = [ setuptools ];


@ -19,7 +19,7 @@
buildPythonPackage rec {
pname = "xiaomi-ble";
version = "0.35.0";
version = "0.36.0";
pyproject = true;
disabled = pythonOlder "3.9";
@ -28,7 +28,7 @@ buildPythonPackage rec {
owner = "Bluetooth-Devices";
repo = "xiaomi-ble";
tag = "v${version}";
hash = "sha256-+mXn5R9zRjTPKqzB0vFHSO2+Jx+61K7/Ksp+jmMUDo4=";
hash = "sha256-qk8eoPuyU8deEuQkRRtTt1AxIpjaXaS/byDxMfZnLgI=";
};
build-system = [ poetry-core ];
@ -57,7 +57,7 @@ buildPythonPackage rec {
meta = with lib; {
description = "Library for Xiaomi BLE devices";
homepage = "https://github.com/Bluetooth-Devices/xiaomi-ble";
changelog = "https://github.com/Bluetooth-Devices/xiaomi-ble/releases/tag/v${version}";
changelog = "https://github.com/Bluetooth-Devices/xiaomi-ble/releases/tag/${src.tag}";
license = licenses.mit;
maintainers = with maintainers; [ fab ];
};


@ -19,7 +19,7 @@ stdenv.mkDerivation {
patchShebangs \
Documentation/sphinx/parse-headers.pl \
scripts/{get_abi.pl,get_feat.pl,kernel-doc,sphinx-pre-install} \
tools/net/ynl/ynl-gen-rst.py
tools/net/ynl/pyynl/ynl_gen_rst.py
'';
FONTCONFIG_FILE = makeFontsConf {


@ -151,6 +151,18 @@ let
];
});
# Pinned due to home-assistant still needing 1.10.0 verison
# Remove this when home-assistant upates the jellyfin-apiclient-python version
jellyfin-apiclient-python = super.jellyfin-apiclient-python.overridePythonAttrs (oldAttrs: rec {
version = "1.10.0";
src = fetchFromGitHub {
owner = "jellyfin";
repo = "jellyfin-apiclient-python";
tag = "v${version}";
hash = "sha256-H1FqypNuVIZ17cFdNDEmmKICswxJkUGq2LhlingbCVk=";
};
});
# acme and thus hass-nabucasa doesn't support josepy v2
# https://github.com/certbot/certbot/issues/10185
josepy = super.josepy.overridePythonAttrs (old: rec {
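Review bot: The new pin of `jellyfin-apiclient-python` to 1.10.0 carries no reference that tells a maintainer when it can be dropped, and its comment has two typos ("verison", "upates"). While the override stays in place it also holds back any upstream fixes released after 1.10.0 for the home-assistant package set. I would reword the comment to `# Pinned: home-assistant still requires jellyfin-apiclient-python 1.10.0.` followed by `# Remove once home-assistant updates its requirement (tracking: <link to upstream issue or PR>)`. The enclosing `let` block starts outside the hunk.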


@ -8,13 +8,13 @@
buildGoModule rec {
pname = "trufflehog";
version = "3.88.20";
version = "3.88.21";
src = fetchFromGitHub {
owner = "trufflesecurity";
repo = "trufflehog";
tag = "v${version}";
hash = "sha256-JLBHg1hCTOOBRTJbjXJitILD/HSmH1WDuzm0t3/OJaA=";
hash = "sha256-hUBUpsfVKifeQ9DpeNKwBGnoLH1OK2T4IOb7yFWxz+Q=";
};
vendorHash = "sha256-vJl2gIS14NA9nV9j+81xKv3NnsDce4V7XoeipOZV+wI=";


@ -2,6 +2,7 @@
lib,
fetchFromGitHub,
stdenv,
python,
systemd,
pandoc,
kmod,
@ -15,13 +16,11 @@
replaceVars,
# Python packages
python,
setuptools,
setuptools-scm,
wheel,
buildPythonApplication,
pytestCheckHook,
pefile,
# Optional dependencies
withQemu ? false,
@ -46,7 +45,7 @@ let
withKernelInstall = true;
};
python3pefile = python.withPackages (_: [ pefile ]);
pythonWithPefile = python.withPackages (ps: [ ps.pefile ]);
deps =
[
@ -85,7 +84,7 @@ buildPythonApplication rec {
[
(replaceVars ./0001-Use-wrapped-binaries-instead-of-Python-interpreter.patch {
UKIFY = "${systemdForMkosi}/lib/systemd/ukify";
PYTHON_PEFILE = "${python3pefile}/bin/python3.12";
PYTHON_PEFILE = lib.getExe pythonWithPefile;
NIX_PATH = toString (lib.makeBinPath deps);
MKOSI_SANDBOX = null; # will be replaced in postPatch
})


@ -359,6 +359,8 @@ with pkgs;
coolercontrol = recurseIntoAttrs (callPackage ../applications/system/coolercontrol { });
copilot-language-server-fhs = copilot-language-server.fhs;
curv = callPackage ../by-name/cu/curv/package.nix {
openexr = openexr_3;
};