Merge remote-tracking branch 'origin/master' into staging-next

This commit is contained in:
K900 2024-07-26 14:31:21 +03:00
commit 26801aa449
28 changed files with 878 additions and 173 deletions


@ -48,6 +48,8 @@
- [Localsend](https://localsend.org/), an open source cross-platform alternative to AirDrop. Available as [programs.localsend](#opt-programs.localsend.enable).
- [cryptpad](https://cryptpad.org/), a privacy-oriented collaborative platform (docs/drive/etc), has been added back. Available as [services.cryptpad](#opt-services.cryptpad.enable).
- [realm](https://github.com/zhboner/realm), a simple, high performance relay server written in rust. Available as [services.realm.enable](#opt-services.realm.enable).
- [Gotenberg](https://gotenberg.dev), an API server for converting files to PDFs that can be used alongside Paperless-ngx. Available as [services.gotenberg](options.html#opt-services.gotenberg).


@ -1378,6 +1378,7 @@
./services/web-apps/convos.nix
./services/web-apps/crabfit.nix
./services/web-apps/davis.nix
./services/web-apps/cryptpad.nix
./services/web-apps/dex.nix
./services/web-apps/discourse.nix
./services/web-apps/documize.nix


@ -150,6 +150,10 @@ in
cfg.finalPackage
];
environment.variables.EDITOR = lib.mkIf cfg.defaultEditor (lib.mkOverride 900 "nvim");
# On most NixOS configurations /share is already included, so it includes
# this directory as well. But This makes sure that /share/nvim/site paths
# from other packages will be used by neovim.
environment.pathsToLink = [ "/share/nvim" ];
environment.etc = builtins.listToAttrs (builtins.attrValues (builtins.mapAttrs
(name: value: {
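Review bot: The comment introducing the new `environment.pathsToLink = [ "/share/nvim" ];` line is hard to follow ("so it includes this directory as well. But This makes sure ..."): "this directory" has no clear referent and the sentence breaks mid-way with a capital. Since that line is the whole change, it deserves a precise why-comment, e.g. `# /share is normally already in pathsToLink; list /share/nvim explicitly so that /share/nvim/site from other packages is linked into the profile and picked up by neovim.` The enclosing attribute set starts and ends outside the hunk.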


@ -117,7 +117,6 @@ in
(mkRemovedOptionModule [ "services" "virtuoso" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "openfire" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "riak" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "cryptpad" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "rtsp-simple-server" ] "Package has been completely rebranded by upstream as mediamtx, and thus the service and the package were renamed in NixOS as well.")
(mkRemovedOptionModule [ "services" "prayer" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "restya-board" ] "The corresponding package was removed from nixpkgs.")


@ -0,0 +1,293 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.cryptpad;
inherit (lib)
mkIf
mkMerge
mkOption
strings
types
;
# The Cryptpad configuration file isn't JSON, but a JavaScript source file that assigns a JSON value
# to a variable.
cryptpadConfigFile = builtins.toFile "cryptpad_config.js" ''
module.exports = ${builtins.toJSON cfg.settings}
'';
# Derive domain names for Nginx configuration from Cryptpad configuration
mainDomain = strings.removePrefix "https://" cfg.settings.httpUnsafeOrigin;
sandboxDomain =
if cfg.settings.httpSafeOrigin == null then
mainDomain
else
strings.removePrefix "https://" cfg.settings.httpSafeOrigin;
in
{
options.services.cryptpad = {
enable = lib.mkEnableOption "cryptpad";
package = lib.mkPackageOption pkgs "cryptpad" { };
configureNginx = mkOption {
description = ''
Configure Nginx as a reverse proxy for Cryptpad.
Note that this makes some assumptions on your setup, and sets settings that will
affect other virtualHosts running on your Nginx instance, if any.
Alternatively you can configure a reverse-proxy of your choice.
'';
type = types.bool;
default = false;
};
settings = mkOption {
description = ''
Cryptpad configuration settings.
See https://github.com/cryptpad/cryptpad/blob/main/config/config.example.js for a more extensive
reference documentation.
Test your deployed instance through `https://<domain>/checkup/`.
'';
type = types.submodule {
freeformType = (pkgs.formats.json { }).type;
options = {
httpUnsafeOrigin = mkOption {
type = types.str;
example = "https://cryptpad.example.com";
default = "";
description = "This is the URL that users will enter to load your instance";
};
httpSafeOrigin = mkOption {
type = types.nullOr types.str;
example = "https://cryptpad-ui.example.com. Apparently optional but recommended.";
description = "Cryptpad sandbox URL";
};
httpAddress = mkOption {
type = types.str;
default = "127.0.0.1";
description = "Address on which the Node.js server should listen";
};
httpPort = mkOption {
type = types.int;
default = 3000;
description = "Port on which the Node.js server should listen";
};
websocketPort = mkOption {
type = types.int;
default = 3003;
description = "Port for the websocket that needs to be separate";
};
maxWorkers = mkOption {
type = types.nullOr types.int;
default = null;
description = "Number of child processes, defaults to number of cores available";
};
adminKeys = mkOption {
type = types.listOf types.str;
default = [ ];
description = "List of public signing keys of users that can access the admin panel";
example = [ "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]" ];
};
logToStdout = mkOption {
type = types.bool;
default = true;
description = "Controls whether log output should go to stdout of the systemd service";
};
logLevel = mkOption {
type = types.str;
default = "info";
description = "Controls log level";
};
blockDailyCheck = mkOption {
type = types.bool;
default = true;
description = ''
Disable telemetry. This setting is only effective if the 'Disable server telemetry'
setting in the admin menu has been untouched, and will be ignored by cryptpad once
that option is set either way.
Note that due to the service confinement, just enabling the option in the admin
menu will not be able to resolve DNS and fail; this setting must be set as well.
'';
};
installMethod = mkOption {
type = types.str;
default = "nixos";
description = ''
Install method is listed in telemetry if you agree to it through the consentToContact
setting in the admin panel.
'';
};
};
};
};
};
config = mkIf cfg.enable (mkMerge [
{
systemd.services.cryptpad = {
description = "Cryptpad service";
wantedBy = [ "multi-user.target" ];
after = [ "networking.target" ];
serviceConfig = {
BindReadOnlyPaths = [
cryptpadConfigFile
# apparently needs proc for workers management
"/proc"
"/dev/urandom"
];
DynamicUser = true;
Environment = [
"CRYPTPAD_CONFIG=${cryptpadConfigFile}"
"HOME=%S/cryptpad"
];
ExecStart = lib.getExe cfg.package;
Restart = "always";
StateDirectory = "cryptpad";
WorkingDirectory = "%S/cryptpad";
# security way too many numerous options, from the systemd-analyze security output
# at end of test: block everything except
# - SystemCallFiters=@resources is required for node
# - MemoryDenyWriteExecute for node JIT
# - RestrictAddressFamilies=~AF_(INET|INET6) / PrivateNetwork to bind to sockets
# - IPAddressDeny likewise allow localhost if binding to localhost or any otherwise
# - PrivateUsers somehow service doesn't start with that
# - DeviceAllow (char-rtc r added by ProtectClock)
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DeviceAllow = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RuntimeDirectoryMode = "700";
SocketBindAllow = [
"tcp:${builtins.toString cfg.settings.httpPort}"
"tcp:${builtins.toString cfg.settings.websocketPort}"
];
SocketBindDeny = [ "any" ];
StateDirectoryMode = "0700";
SystemCallArchitectures = "native";
SystemCallFilter = [
"@pkey"
"@system-service"
"~@chown"
"~@keyring"
"~@memlock"
"~@privileged"
"~@resources"
"~@setuid"
"~@timer"
];
UMask = "0077";
};
confinement = {
enable = true;
binSh = null;
mode = "chroot-only";
};
};
}
# block external network access if not phoning home and
# binding to localhost (default)
(mkIf
(
cfg.settings.blockDailyCheck
&& (builtins.elem cfg.settings.httpAddress [
"127.0.0.1"
"::1"
])
)
{
systemd.services.cryptpad = {
serviceConfig = {
IPAddressAllow = [ "localhost" ];
IPAddressDeny = [ "any" ];
};
};
}
)
# .. conversely allow DNS & TLS if telemetry is explicitly enabled
(mkIf (!cfg.settings.blockDailyCheck) {
systemd.services.cryptpad = {
serviceConfig = {
BindReadOnlyPaths = [
"-/etc/resolv.conf"
"-/run/systemd"
"/etc/hosts"
"/etc/ssl/certs/ca-certificates.crt"
];
};
};
})
(mkIf cfg.configureNginx {
assertions = [
{
assertion = cfg.settings.httpUnsafeOrigin != "";
message = "services.cryptpad.settings.httpUnsafeOrigin is required";
}
{
assertion = strings.hasPrefix "https://" cfg.settings.httpUnsafeOrigin;
message = "services.cryptpad.settings.httpUnsafeOrigin must start with https://";
}
{
assertion =
cfg.settings.httpSafeOrigin == null || strings.hasPrefix "https://" cfg.settings.httpSafeOrigin;
message = "services.cryptpad.settings.httpSafeOrigin must start with https:// (or be unset)";
}
];
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts = mkMerge [
{
"${mainDomain}" = {
serverAliases = lib.optionals (cfg.settings.httpSafeOrigin != null) [ sandboxDomain ];
enableACME = lib.mkDefault true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${cfg.settings.httpAddress}:${builtins.toString cfg.settings.httpPort}";
extraConfig = ''
client_max_body_size 150m;
'';
};
locations."/cryptpad_websocket" = {
proxyPass = "http://${cfg.settings.httpAddress}:${builtins.toString cfg.settings.websocketPort}";
proxyWebsockets = true;
};
};
}
];
};
})
]);
}
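Review bot: `settings.httpSafeOrigin` is declared `nullOr str` without a `default`, yet `builtins.toJSON cfg.settings` at the top of the file forces every option, so leaving it unset should fail evaluation with "used but not defined" rather than reach the null branch that `sandboxDomain` and the assertions handle; if it is meant to be optional add `default = null;` and move the sentence now embedded in `example = "https://cryptpad-ui.example.com. Apparently optional but recommended."` into the description. The env.js patch added by this same commit makes Cryptpad bind a second listener on `httpPort + 1` whenever `httpSafeOrigin` is unset, and that port is not in `SocketBindAllow`, so with `SocketBindDeny = [ "any" ]` the null case would presumably die at bind time — either allow `tcp:${toString (cfg.settings.httpPort + 1)}` in that case or document that the sandbox origin is effectively required. `after = [ "networking.target" ]` names a unit I cannot see NixOS or systemd provide (the conventional one is `network.target`), and an ordering dependency on a non-existent unit is silently ignored. The comment block above `AmbientCapabilities` says `@resources` is required for node, but `SystemCallFilter` then denies it with `"~@resources"`; one of the two is stale and should be reconciled. Because `settings` is serialised with `builtins.toFile` into the world-readable Nix store, the option description should also warn that nothing secret may be placed in it.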


@ -235,6 +235,7 @@ in {
couchdb = handleTest ./couchdb.nix {};
crabfit = handleTest ./crabfit.nix {};
cri-o = handleTestOn ["aarch64-linux" "x86_64-linux"] ./cri-o.nix {};
cryptpad = runTest ./cryptpad.nix;
cups-pdf = handleTest ./cups-pdf.nix {};
curl-impersonate = handleTest ./curl-impersonate.nix {};
custom-ca = handleTest ./custom-ca.nix {};

71
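--- /dev/null
+++ b/nixos/tests/cryptpad.nix
@@ -0,0 +1,71 @@
+{ pkgs, ... }:
+let
+certs = pkgs.runCommand "cryptpadSelfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''
+mkdir -p $out
+cd $out
+openssl req -x509 -newkey rsa:4096 \
+-keyout key.pem -out cert.pem -nodes -days 3650 \
+-subj '/CN=cryptpad.localhost' \
+-addext 'subjectAltName = DNS.1:cryptpad.localhost, DNS.2:cryptpad-sandbox.localhost'
+'';
+# data sniffed from cryptpad's /checkup network trace, seems to be re-usable
+test_write_data = pkgs.writeText "cryptpadTestData" ''
+{"command":"WRITE_BLOCK","content":{"publicKey":"O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik=","signature":"aXcM9SMO59lwA7q7HbYB+AnzymmxSyy/KhkG/cXIBVzl8v+kkPWXmFuWhcuKfRF8yt3Zc3ktIsHoFyuyDSAwAA==","ciphertext":"AFwCIfBHKdFzDKjMg4cu66qlJLpP+6Yxogbl3o9neiQou5P8h8yJB8qgnQ=="},"publicKey":"O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik=","nonce":"bitSbJMNSzOsg98nEzN80a231PCkBQeH"}
+'';
+in
+{
+name = "cryptpad";
+meta = with pkgs.lib.maintainers; {
+maintainers = [ martinetd ];
+};
+nodes.machine = {
+services.cryptpad = {
+enable = true;
+configureNginx = true;
+settings = {
+httpUnsafeOrigin = "https://cryptpad.localhost";
+httpSafeOrigin = "https://cryptpad-sandbox.localhost";
+};
+};
+services.nginx = {
+virtualHosts."cryptpad.localhost" = {
+enableACME = false;
+sslCertificate = "${certs}/cert.pem";
+sslCertificateKey = "${certs}/key.pem";
+};
+};
+security = {
+pki.certificateFiles = [ "${certs}/cert.pem" ];
+};
+};
+testScript = ''
+machine.wait_for_unit("cryptpad.service")
+machine.wait_for_unit("nginx.service")
+machine.wait_for_open_port(3000)
+# test home page
+machine.succeed("curl --fail https://cryptpad.localhost -o /tmp/cryptpad_home.html")
+machine.succeed("grep -F 'CryptPad: Collaboration suite' /tmp/cryptpad_home.html")
+# test scripts/build.js actually generated customize content from config
+machine.succeed("grep -F 'meta property=\"og:url\" content=\"https://cryptpad.localhost/index.html' /tmp/cryptpad_home.html")
+# make sure child pages are accessible (e.g. check nginx try_files paths)
+machine.succeed(
+"grep -oE '/(customize|components)[^\"]*' /tmp/cryptpad_home.html"
+" | while read -r page; do"
+" curl -O --fail https://cryptpad.localhost$page || exit;"
+" done")
+# test some API (e.g. check cryptpad main process)
+machine.succeed("curl --fail -d @${test_write_data} -H 'Content-Type: application/json' https://cryptpad.localhost/api/auth")
+# test telemetry has been disabled
+machine.fail("journalctl -u cryptpad | grep TELEMETRY");
+# for future improvements
+machine.log(machine.execute("systemd-analyze security cryptpad.service")[1])
+'';
+}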
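Review bot: `machine.fail("journalctl -u cryptpad | grep TELEMETRY")` passes whenever the journal contains no TELEMETRY line, which is also the case if the daily check has simply not run yet in a service that was started moments earlier, so the assertion cannot distinguish "telemetry blocked" from "telemetry not attempted" (and I cannot confirm from here that Cryptpad logs the attempt under that keyword at all). A positive check on the mechanism that is supposed to enforce the block is stronger, e.g. `machine.succeed("systemctl show -p IPAddressDeny cryptpad.service | grep -q any")`, kept alongside the grep if a log line for a failed check is known to exist. The trailing `;` on that Python line is harmless but inconsistent with the rest of the script.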


@ -1,16 +1,25 @@
{ stdenv
, pname
, version
, src
, meta
, unzip
, undmg
{
stdenv,
pname,
version,
src,
meta,
unzip,
undmg,
}:
stdenv.mkDerivation {
inherit pname version src meta;
inherit
pname
version
src
meta
;
nativeBuildInputs = [ unzip undmg ];
nativeBuildInputs = [
unzip
undmg
];
sourceRoot = ".";


@ -1,13 +1,14 @@
{ stdenv
, callPackage
, channel ? "stable"
, fetchurl
, lib
# This is only relevant for Linux, so we need to pass it through
, polkitPolicyOwners ? [ ] }:
{
stdenv,
callPackage,
channel ? "stable",
fetchurl,
lib,
# This is only relevant for Linux, so we need to pass it through
polkitPolicyOwners ? [ ],
}:
let
pname = "1password";
version = if channel == "stable" then "8.10.36" else "8.10.38-13.BETA";
@ -51,19 +52,46 @@ let
};
src = fetchurl {
inherit (sources.${channel}.${stdenv.system} or (throw "unsupported system ${stdenv.hostPlatform.system}")) url hash;
inherit
(sources.${channel}.${stdenv.system} or (throw "unsupported system ${stdenv.hostPlatform.system}"))
url
hash
;
};
meta = with lib; {
meta = {
# Requires to be installed in "/Application" which is not possible for now (https://github.com/NixOS/nixpkgs/issues/254944)
broken = stdenv.isDarwin;
description = "Multi-platform password manager";
homepage = "https://1password.com/";
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
license = licenses.unfree;
maintainers = with maintainers; [ timstott savannidgerinel sebtm ];
sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
license = lib.licenses.unfree;
maintainers = with lib.maintainers; [
timstott
savannidgerinel
sebtm
];
platforms = builtins.attrNames sources.${channel};
mainProgram = "1password";
};
in if stdenv.isDarwin
then callPackage ./darwin.nix { inherit pname version src meta; }
else callPackage ./linux.nix { inherit pname version src meta polkitPolicyOwners; }
in
if stdenv.isDarwin then
callPackage ./darwin.nix {
inherit
pname
version
src
meta
;
}
else
callPackage ./linux.nix {
inherit
pname
version
src
meta
polkitPolicyOwners
;
}


@ -1,55 +1,65 @@
{ lib
, stdenv
, pname
, version
, src
, meta
, makeShellWrapper
, wrapGAppsHook3
, alsa-lib
, at-spi2-atk
, at-spi2-core
, atk
, cairo
, cups
, dbus
, expat
, gdk-pixbuf
, glib
, gtk3
, libX11
, libXcomposite
, libXdamage
, libXext
, libXfixes
, libXrandr
, libdrm
, libxcb
, libxkbcommon
, libxshmfence
, libGL
, libappindicator-gtk3
, mesa
, nspr
, nss
, pango
, systemd
, udev
, xdg-utils
{
lib,
stdenv,
pname,
version,
src,
meta,
makeShellWrapper,
wrapGAppsHook3,
alsa-lib,
at-spi2-atk,
at-spi2-core,
atk,
cairo,
cups,
dbus,
expat,
gdk-pixbuf,
glib,
gtk3,
libX11,
libXcomposite,
libXdamage,
libXext,
libXfixes,
libXrandr,
libdrm,
libxcb,
libxkbcommon,
libxshmfence,
libGL,
libappindicator-gtk3,
mesa,
nspr,
nss,
pango,
systemd,
udev,
xdg-utils,
# The 1Password polkit file requires a list of users for whom polkit
# integrations should be enabled. This should be a list of strings that
# correspond to usernames.
, polkitPolicyOwners ? []
polkitPolicyOwners ? [ ],
}:
let
# Convert the polkitPolicyOwners variable to a polkit-compatible string for the polkit file.
policyOwners = lib.concatStringsSep " " (map (user: "unix-user:${user}") polkitPolicyOwners);
in stdenv.mkDerivation {
inherit pname version src meta;
in
stdenv.mkDerivation {
inherit
pname
version
src
meta
;
nativeBuildInputs = [ makeShellWrapper wrapGAppsHook3 ];
nativeBuildInputs = [
makeShellWrapper
wrapGAppsHook3
];
buildInputs = [ glib ];
dontConfigure = true;
@ -58,37 +68,41 @@ in stdenv.mkDerivation {
dontWrapGApps = true;
installPhase =
let rpath = lib.makeLibraryPath [
alsa-lib
at-spi2-atk
at-spi2-core
atk
cairo
cups
dbus
expat
gdk-pixbuf
glib
gtk3
libX11
libXcomposite
libXdamage
libXext
libXfixes
libXrandr
libdrm
libxcb
libxkbcommon
libxshmfence
libGL
libappindicator-gtk3
mesa
nspr
nss
pango
systemd
] + ":${stdenv.cc.cc.lib}/lib64";
in ''
let
rpath =
lib.makeLibraryPath [
alsa-lib
at-spi2-atk
at-spi2-core
atk
cairo
cups
dbus
expat
gdk-pixbuf
glib
gtk3
libX11
libXcomposite
libXdamage
libXext
libXfixes
libXrandr
libdrm
libxcb
libxkbcommon
libxshmfence
libGL
libappindicator-gtk3
mesa
nspr
nss
pango
systemd
]
+ ":${stdenv.cc.cc.lib}/lib64";
in
''
runHook preInstall
mkdir -p $out/bin $out/share/1password
@ -99,12 +113,13 @@ in stdenv.mkDerivation {
substituteInPlace $out/share/applications/${pname}.desktop \
--replace 'Exec=/opt/1Password/${pname}' 'Exec=${pname}'
'' + (lib.optionalString (polkitPolicyOwners != [ ])
''
''
+ (lib.optionalString (polkitPolicyOwners != [ ]) ''
# Polkit file
mkdir -p $out/share/polkit-1/actions
substitute com.1password.1Password.policy.tpl $out/share/polkit-1/actions/com.1password.1Password.policy --replace "\''${POLICY_OWNERS}" "${policyOwners}"
'') + ''
'')
+ ''
# Icons
cp -a resources/icons $out/share


@ -267,6 +267,31 @@ let
commit = "a976cb05b4024b7a6452d1541378d718cdfe33e6";
hash = "sha256-K2PSeJAvhGH2/Yp63/4mJ85NyqXqDDkMWY+ptrpgmOI=";
})
] ++ lib.optionals (versionRange "127" "128") [
# Fix missing chrome/browser/ui/webui_name_variants.h dependency
# and ninja 1.12 compat in M127.
# https://issues.chromium.org/issues/345645751
# https://issues.chromium.org/issues/40253918
# https://chromium-review.googlesource.com/c/chromium/src/+/5641516
(githubPatch {
commit = "2c101186b60ed50f2ba4feaa2e963bd841bcca47";
hash = "sha256-luu3ggo6XoeeECld1cKZ6Eh8x/qQYmmKI/ThEhuutuY=";
})
# https://chromium-review.googlesource.com/c/chromium/src/+/5644627
(githubPatch {
commit = "f2b43c18b8ecfc3ddc49c42c062d796c8b563984";
hash = "sha256-uxXxSsiS8R0827Oi3xsG2gtT0X+jJXziwZ1y8+7K+Qg=";
})
# https://chromium-review.googlesource.com/c/chromium/src/+/5646245
(githubPatch {
commit = "4ca70656fde83d2db6ed5a8ac9ec9e7443846924";
hash = "sha256-iQuRRZjDDtJfr+B7MV+TvUDDX3bvpCnv8OpSLJ1WqCE=";
})
# https://chromium-review.googlesource.com/c/chromium/src/+/5647662
(githubPatch {
commit = "50d63ffee3f7f1b1b9303363742ad8ebbfec31fa";
hash = "sha256-H+dv+lgXSdry3NkygpbCdTAWWdTVdKdVD3Aa62w091E=";
})
] ++ [
# Required to fix the build with a more recent wayland-protocols version
# (we currently package 1.26 in Nixpkgs while Chromium bundles 1.21):
@ -365,7 +390,7 @@ let
patchShebangs .
# Link to our own Node.js and Java (required during the build):
mkdir -p third_party/node/linux/node-linux-x64/bin
ln -s "${pkgsBuildHost.nodejs}/bin/node" third_party/node/linux/node-linux-x64/bin/node
ln -s${lib.optionalString (chromiumVersionAtLeast "127") "f"} "${pkgsBuildHost.nodejs}/bin/node" third_party/node/linux/node-linux-x64/bin/node
ln -s "${pkgsBuildHost.jdk17_headless}/bin/java" third_party/jdk/current/bin/
# Allow building against system libraries in official builds
@ -462,6 +487,9 @@ let
use_system_libffi = true;
# Use nixpkgs Rust compiler instead of the one shipped by Chromium.
rust_sysroot_absolute = "${buildPackages.rustc}";
} // lib.optionalAttrs (chromiumVersionAtLeast "127") {
rust_bindgen_root = "${buildPackages.rust-bindgen}";
} // {
enable_rust = true;
# While we technically don't need the cache-invalidation rustc_version provides, rustc_version
# is still used in some scripts (e.g. build/rust/std/find_std_rlibs.py).
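Review bot: In the `ln -s${lib.optionalString (chromiumVersionAtLeast "127") "f"} ...` line the conditional splices a flag letter into the middle of an option, which reads as a typo and hides that `-f` is only wanted from M127 on; `ln -s ${lib.optionalString (chromiumVersionAtLeast "127") "-f"} "${pkgsBuildHost.nodejs}/bin/node" ...` says the same thing plainly. A one-line comment stating why the link now has to be forced (presumably the tarball ships a node symlink at that path from 127 on, which I cannot verify from the diff) would also help the next bump. The surrounding `postPatch` string starts and ends outside the hunk.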


@ -54,8 +54,12 @@ let
src = fetchgit {
inherit (upstream-info.deps.gn) url rev hash;
};
} // lib.optionalAttrs (chromiumVersionAtLeast "127") {
# Relax hardening as otherwise gn unstable 2024-06-06 and later fail with:
# cc1plus: error: '-Wformat-security' ignored without '-Wformat' [-Werror=format-security]
hardeningDisable = [ "format" ];
});
recompressTarball = callPackage ./recompress-tarball.nix { };
recompressTarball = callPackage ./recompress-tarball.nix { inherit chromiumVersionAtLeast; };
});
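Review bot: `hardeningDisable = [ "format" ]` switches off format-string hardening for the whole `gn` build rather than just silencing the warning-as-error the comment quotes; `gn` is only a build-time tool and not part of the shipped browser, so the exposure is limited, but that reasoning belongs in the comment so the pattern is not copied into `browser.nix`, e.g. `# gn is only used at build time and is not shipped, so relaxing this hardening does not affect the installed browser.` A narrower fix worth trying is to keep the hardening and add `-Wformat` to the compiler flags, which is literally what the quoted diagnostic says is missing. The enclosing `gnChromium` override starts outside the hunk.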
browser = callPackage ./browser.nix {


@ -1,10 +1,11 @@
{ zstd
, fetchurl
, lib
, chromiumVersionAtLeast
}:
{ version
, hash ? ""
, ...
} @ args:
fetchurl ({
@ -35,6 +36,13 @@ fetchurl ({
--exclude=third_party/llvm \
--exclude=third_party/rust-src \
--exclude='build/linux/debian_*-sysroot' \
'' + lib.optionalString (chromiumVersionAtLeast "127") ''
--exclude='*.tar.[a-zA-Z0-9][a-zA-Z0-9]' \
--exclude='*.tar.[a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9]' \
--exclude=third_party/llvm-build \
--exclude=third_party/rust-toolchain \
--exclude=third_party/instrumented_libs \
'' + ''
--strip-components=1
tar \


@ -1,5 +1,5 @@
#! /usr/bin/env nix-shell
#! nix-shell -i python -p python3 nix nixfmt-classic nix-prefetch-git
#! nix-shell -i python -p python3Packages.looseversion nix nixfmt-classic nix-prefetch-git
"""This script automatically updates chromium, google-chrome, chromedriver, and ungoogled-chromium
via upstream-info.nix."""
@ -15,7 +15,7 @@ import sys
from codecs import iterdecode
from collections import OrderedDict
from datetime import datetime
from distutils.version import LooseVersion
from looseversion import LooseVersion
from os.path import abspath, dirname
from urllib.request import urlopen
@ -214,7 +214,7 @@ with urlopen(RELEASES_URL) as resp:
releases.append(get_latest_ungoogled_chromium_build(linux_stable_versions))
for release in releases:
channel_name = re.findall("chrome\/platforms\/linux\/channels\/(.*)\/versions\/", release['name'])[0]
channel_name = re.findall("chrome/platforms/linux/channels/(.*)/versions/", release['name'])[0]
# If we've already found a newer release for this channel, we're
# no longer interested in it.


@ -1,22 +1,22 @@
{
stable = {
chromedriver = {
hash_darwin = "sha256-YdQgrcTgyGtSfT6wBedSfBt40DaK3fG+uvB0yanvROU=";
hash_darwin = "sha256-c/lMkOdoW/tX57opl/weJGh/iyUeTTF5Xejs7IpA+Qg=";
hash_darwin_aarch64 =
"sha256-ht7LoA4ibEcWuXOk+JimCN0sjjPomHBcO8IZFNnMauk=";
hash_linux = "sha256-VeCNeBKsKZ2bEM6Z9lJJaBVRjS1pW2gK2DMvmghfNEA=";
version = "126.0.6478.182";
"sha256-sst73OxUsrs2yWA72qdonARGi/W0FYObNfolidCiXio=";
hash_linux = "sha256-p5cQmMdte7TfTPohg+rpIsyyYk1OKSNb0BwaMWmHuCo=";
version = "127.0.6533.72";
};
deps = {
gn = {
hash = "sha256-mNoQeHSSM+rhR0UHrpbyzLJC9vFqfxK1SD0X8GiRsqw=";
rev = "df98b86690c83b81aedc909ded18857296406159";
hash = "sha256-vzZu/Mo4/xATSD9KgKcRuBKVg9CoRZC9i0PEajYr4UM=";
rev = "b3a0bff47dd81073bfe67a402971bad92e4f2423";
url = "https://gn.googlesource.com/gn";
version = "2024-05-13";
version = "2024-06-06";
};
};
hash = "sha256-vZ7P8+vHTMCo6lXkV84ENqRZVG3/fDEwl+BTNJTGMn4=";
version = "126.0.6478.182";
hash = "sha256-m99HaGCuIihDdbVnmu6xatnC/QDxgLVby2TWY/L+RHk=";
version = "127.0.6533.72";
};
ungoogled-chromium = {
deps = {


@ -1,55 +1,37 @@
{ lib
, fetchFromGitHub
, fetchpatch
, nixosTests
, stdenv
, fetchFromGitea
, buildGoModule
, nixosTests
, sqlite
}:
buildGoModule {
buildGoModule rec {
pname = "magnetico";
version = "unstable-2022-08-10";
version = "0.12.1";
src = fetchFromGitHub {
owner = "ireun";
src = fetchFromGitea {
domain = "maxwell.ydns.eu/git";
owner = "rnhmjoj";
repo = "magnetico";
rev = "828e230d3b3c0759d3274e27f5a7b70400f4d6ea";
hash = "sha256-V1pBzillWTk9iuHAhFztxYaq4uLL3U3HYvedGk6ffbk=";
rev = "v${version}";
hash = "sha256-cO5TVtQ1jdW1YkFtj35kmRfJG46/lXjXyz870NCPT0g=";
};
patches = [
# https://github.com/ireun/magnetico/pull/15
(fetchpatch {
url = "https://github.com/ireun/magnetico/commit/90db34991aa44af9b79ab4710c638607c6211c1c.patch";
hash = "sha256-wC9lVQqfngQ5AaRgb4TtoWSgbQ2iSHeQ2UBDUyWjMK8=";
})
];
vendorHash = "sha256-JDrBXjnQAcWp8gKvnm+q1F5oV+FozKUvhHK/Me/Cyj8=";
vendorHash = "sha256-jIVMQtPCq9RYaYsH4LSZJFspH6TpCbgzHN0GX8cM/CI=";
buildInputs = [ sqlite ];
buildPhase = ''
runHook preBuild
tags = [ "fts5" "libsqlite3" ];
ldflags = [ "-s" "-w" ];
make magneticow magneticod
runHook postBuild
'';
checkPhase = ''
runHook preCheck
make test
runHook postCheck
'';
doCheck = !stdenv.hostPlatform.isStatic;
passthru.tests = { inherit (nixosTests) magnetico; };
meta = with lib; {
description = "Autonomous (self-hosted) BitTorrent DHT search engine suite";
homepage = "https://github.com/ireun/magnetico";
homepage = "https://maxwell.ydns.eu/git/rnhmjoj/magnetico";
license = licenses.agpl3Only;
badPlatforms = platforms.darwin;
maintainers = with maintainers; [ rnhmjoj ];
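Review bot: The source now comes from a self-hosted Gitea at `maxwell.ydns.eu/git` under the package maintainer's own account (`rnhmjoj` is both `owner` in `src` and the sole entry in `maintainers`), replacing the GitHub fork; the fixed `hash` still pins the content, so a later change to the `v0.12.1` tag would break the build rather than inject code, but reproducibility now depends on the availability of one person's dynamic-DNS host and there is no second party reviewing what lands there. Please record the reason next to `src`, e.g. `# the previous GitHub fork is no longer maintained; this is the maintainer's own continuation` if that is the case — the diff does not say — so the provenance change is auditable later. The `meta` attrset continues outside the hunk.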


@ -63,13 +63,13 @@ in
stdenv.mkDerivation (finalAttrs: {
pname = "obs-studio";
version = "30.2.0";
version = "30.2.2";
src = fetchFromGitHub {
owner = "obsproject";
repo = "obs-studio";
rev = finalAttrs.version;
hash = "sha256-mwh2KLSz+I/8f3i/wST/2vKL/hWTCTaq53sinIEX75M=";
hash = "sha256-yMtLN/86+3wuNR+gGhsaxN4oGIC21bAcjbQfyTuXIYc=";
fetchSubmodules = true;
};


@ -14,13 +14,13 @@
stdenv.mkDerivation (finalAttrs: {
pname = "budgie-analogue-clock-applet";
version = "2.0";
version = "2.1";
src = fetchFromGitHub {
owner = "samlane-ma";
repo = "analogue-clock-applet";
rev = "v${finalAttrs.version}";
hash = "sha256-yId5bbdmELinBmZ5eISa5hQSYkeZCkix2FJ287GdcCs=";
hash = "sha256-NvXX5paRrjeJFqnOeJS9yNp+7cRohsN3+eocLqvcVj8=";
};
nativeBuildInputs = [


@ -0,0 +1,56 @@
From 4bf0be64fe51a9c9fd9e410ada15251378b743bf Mon Sep 17 00:00:00 2001
From: Dominique Martinet <asmadeus@codewreck.org>
Date: Sat, 26 Aug 2023 09:28:59 +0900
Subject: [PATCH] env.js: fix httpSafePort handling
It has been clarified that this is only a dev option that should not be
used in production, but setting the value in config was still ignored,
so fix the init code to consider the config value and make it clear that
this port is not bound if safeOrigin is set.
---
config/config.example.js | 3 ++-
lib/env.js | 5 +++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/config/config.example.js b/config/config.example.js
index 7c8184c6c2f6..77263643c354 100644
--- a/config/config.example.js
+++ b/config/config.example.js
@@ -89,8 +89,9 @@ module.exports = {
/* httpSafePort purpose is to emulate another origin for the sandbox when
* you don't have two domains at hand (i.e. when httpSafeOrigin not defined).
- * It is meant to be used only in case where you are working on a local
+ * It is meant to be used only in case where you are working on a local
* development instance. The default value is your httpPort + 1.
+ * Setting this to 0 or setting httpSafeOrigin disables this listener.
*
*/
//httpSafePort: 3001,
diff --git a/lib/env.js b/lib/env.js
index d3748750f21e..f0660cba3e11 100644
--- a/lib/env.js
+++ b/lib/env.js
@@ -74,8 +74,9 @@ module.exports.create = function (config) {
if (typeof(config.httpSafeOrigin) !== 'string') {
NO_SANDBOX = true;
- if (typeof(config.httpSafePort) !== 'number') { httpSafePort = httpPort + 1; }
httpSafeOrigin = deriveSandboxOrigin(httpUnsafeOrigin, httpSafePort);
+ // only set if httpSafeOrigin isn't set.
+ httpSafePort = isValidPort(config.httpSafePort) ? config.httpSafePort : (httpPort + 1);
} else {
httpSafeOrigin = canonicalizeOrigin(config.httpSafeOrigin);
}
@@ -115,7 +116,7 @@ module.exports.create = function (config) {
permittedEmbedders: typeof(permittedEmbedders) === 'string' && permittedEmbedders? permittedEmbedders: httpSafeOrigin,
removeDonateButton: config.removeDonateButton,
- httpPort: isValidPort(config.httpPort)? config.httpPort: 3000,
+ httpPort: httpPort,
httpAddress: typeof(config.httpAddress) === 'string'? config.httpAddress: 'localhost',
websocketPath: config.externalWebsocketURL,
logIP: config.logIP,
--
2.45.2
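Review bot: In the `lib/env.js` hunk the new fallback `httpSafePort = isValidPort(config.httpSafePort) ? config.httpSafePort : (httpPort + 1);` is placed after `httpSafeOrigin = deriveSandboxOrigin(httpUnsafeOrigin, httpSafePort);`, whereas the removed line computed the fallback before that call; unless `httpSafePort` is already assigned from config above the hunk, `deriveSandboxOrigin` now sees an unset or unvalidated port and the derived sandbox origin will not match the port that is actually bound. Move the assignment above the `deriveSandboxOrigin` call so the derive is the last statement of the branch. The new `config.example.js` comment states that setting `httpSafePort` to 0 disables the listener, but the code shown only consults `isValidPort(...)` and otherwise falls back to `httpPort + 1`; whether 0 means "disabled" depends on `isValidPort` and on the listener code, neither of which is in the patch, so that sentence should be checked against them before it is documented as behaviour.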


@ -0,0 +1,135 @@
{
buildNpmPackage,
fetchFromGitHub,
lib,
makeBinaryWrapper,
nixosTests,
nodejs,
rdfind,
}:
let
version = "2024.6.0";
# nix version of install-onlyoffice.sh
# a later version could rebuild from sdkjs/web-apps as per
# https://github.com/cryptpad/onlyoffice-builds/blob/main/build.sh
onlyoffice_build =
rev: hash:
fetchFromGitHub {
inherit rev hash;
owner = "cryptpad";
repo = "onlyoffice-builds";
};
onlyoffice_install = oo: ''
oo_dir="$out_cryptpad/www/common/onlyoffice/dist/${oo.subdir}"
cp -a "${onlyoffice_build oo.rev oo.hash}/." "$oo_dir"
chmod -R +w "$oo_dir"
echo "${oo.rev}" > "$oo_dir/.commit"
'';
onlyoffice_versions = [
{
subdir = "v1";
rev = "4f370beb";
hash = "sha256-TE/99qOx4wT2s0op9wi+SHwqTPYq/H+a9Uus9Zj4iSY=";
}
{
subdir = "v2b";
rev = "d9da72fd";
hash = "sha256-SiRDRc2vnLwCVnvtk+C8PKw7IeuSzHBaJmZHogRe3hQ=";
}
{
subdir = "v4";
rev = "6ebc6938";
hash = "sha256-eto1+8Tk/s3kbUCpbUh8qCS8EOq700FYG1/KiHyynaA=";
}
{
subdir = "v5";
rev = "88a356f0";
hash = "sha256-8j1rlAyHlKx6oAs2pIhjPKcGhJFj6ZzahOcgenyeOCc=";
}
{
subdir = "v6";
rev = "abd8a309";
hash = "sha256-BZdExj2q/bqUD3k9uluOot2dlrWKA+vpad49EdgXKww=";
}
{
subdir = "v7";
rev = "9d8b914a";
hash = "sha256-M+rPJ/Xo2olhqB5ViynGRaesMLLfG/1ltUoLnepMPnM=";
}
];
in
buildNpmPackage {
inherit version;
pname = "cryptpad";
src = fetchFromGitHub {
owner = "cryptpad";
repo = "cryptpad";
rev = version;
hash = "sha256-huIhhnjatkaVfm1zDeqi88EX/nAUBQ0onPNOwn7hrX4=";
};
npmDepsHash = "sha256-Oh1fBvP7OXC+VDiH3D+prHmi8pRrxld06n30sqw5apY=";
nativeBuildInputs = [
makeBinaryWrapper
rdfind
];
patches = [
# fix httpSafePort setting
# https://github.com/cryptpad/cryptpad/pull/1571
./0001-env.js-fix-httpSafePort-handling.patch
];
# cryptpad build tries to write in cache dir
makeCacheWritable = true;
# 'npm build run' (scripts/build.js) generates a customize directory, but:
# - that is not installed by npm install
# - it embeds values from config into the directory, so needs to be
# run before starting the server (it's just a few quick replaces)
# Skip it here.
dontNpmBuild = true;
postInstall = ''
out_cryptpad="$out/lib/node_modules/cryptpad"
# 'npm run install:components' (scripts/copy-component.js) copies
# required node modules to www/component in the build tree...
# Move to install directory manually.
npm run install:components
mv www/components "$out_cryptpad/www/"
# install OnlyOffice (install-onlyoffice.sh without network)
mkdir -p "$out_cryptpad/www/common/onlyoffice/dist"
${lib.concatMapStringsSep "\n" onlyoffice_install onlyoffice_versions}
rdfind -makehardlinks true -makeresultsfile false "$out_cryptpad/www/common/onlyoffice/dist"
# cryptpad assumes it runs in the source directory and also outputs
# its state files there, which is not exactly great for us.
# There are relative paths everywhere so just substituing source paths
# is difficult and will likely break on a future update, instead we
# make links to the required source directories before running.
# The build.js step populates 'customize' from customize.dist and config;
# one would normally want to re-run it after modifying config but since it
# would overwrite user modifications only run it if there is no customize
# directory.
makeWrapper "${lib.getExe nodejs}" "$out/bin/cryptpad" \
--add-flags "$out_cryptpad/server.js" \
--run "for d in customize.dist lib www; do ln -sf \"$out_cryptpad/\$d\" .; done" \
--run "if ! [ -d customize ]; then \"${lib.getExe nodejs}\" \"$out_cryptpad/scripts/build.js\"; fi"
'';
passthru.tests.cryptpad = nixosTests.cryptpad;
meta = {
description = "Collaborative office suite, end-to-end encrypted and open-source.";
homepage = "https://cryptpad.org/";
license = lib.licenses.agpl3Plus;
mainProgram = "cryptpad";
maintainers = with lib.maintainers; [ martinetd ];
};
}
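Review bot: The OnlyOffice builds in `onlyoffice_versions` are pinned by 8-character abbreviated revs (`4f370beb`, `d9da72fd`, ...); the `hash` still guarantees the fetched content, so a prefix collision could only break the build, not inject code, but abbreviated revs become ambiguous as the repository grows and nixpkgs convention is the full 40-character commit, which also makes the `.commit` marker written by `onlyoffice_install` unambiguous. Please expand them. The wrapper's two `--run` hooks create symlinks and may run `scripts/build.js` in whatever the current directory is at launch, so a comment that `bin/cryptpad` must be started from its intended state directory (as a service unit would arrange via `WorkingDirectory`) would save someone from littering an arbitrary cwd. Minor: nixpkgs `meta.description` values conventionally have no trailing period.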


@ -30,9 +30,7 @@ buildGoModule rec {
"-X=kcl-lang.io/cli/pkg/version.version=v${version}"
];
nativeBuildInputs = [ makeWrapper installShellFiles ] ++ (
lib.optionals stdenv.isDarwin [ darwin.cctools ]
);
nativeBuildInputs = [ makeWrapper installShellFiles ];
buildInputs = [ kclvm kclvm_cli ] ++ (
lib.optional stdenv.isDarwin [


@ -29,7 +29,6 @@ rustPlatform.buildRustPackage rec {
};
buildInputs = [ rustc ] ++ lib.optionals stdenv.isDarwin [
darwin.cctools
darwin.apple_sdk.frameworks.Security
darwin.apple_sdk.frameworks.CoreServices
darwin.apple_sdk.frameworks.SystemConfiguration


@ -24,7 +24,6 @@ rustPlatform.buildRustPackage rec {
buildInputs = [ kclvm rustc ] ++ (
lib.optionals stdenv.isDarwin [
darwin.cctools
darwin.apple_sdk.frameworks.Security
darwin.apple_sdk.frameworks.CoreServices
darwin.apple_sdk.frameworks.SystemConfiguration


@ -0,0 +1,78 @@
{
lib,
buildGoModule,
fetchFromGitHub,
fetchYarnDeps,
yarnConfigHook,
yarnBuildHook,
nodejs,
stdenv,
}:
let
version = "1.10.3";
src = fetchFromGitHub {
owner = "screego";
repo = "server";
rev = "v${version}";
hash = "sha256-X8KZAUh1cO8qNYH6nc9zZ+mnfItgef8N948ErJLlZII=";
};
ui = stdenv.mkDerivation {
pname = "screego-ui";
inherit version;
src = src + "/ui";
offlineCache = fetchYarnDeps {
yarnLock = "${src}/ui/yarn.lock";
hash = "sha256-ye8UDkal10k/5uCd0VrZsG2FJGB727q+luExFTUmB/M=";
};
nativeBuildInputs = [
yarnConfigHook
yarnBuildHook
nodejs
];
installPhase = ''
cp -r build $out
'';
};
in
buildGoModule rec {
inherit src version;
pname = "screego-server";
vendorHash = "sha256-ry8LO+KmNU9MKL8/buk9qriDe/zq+2uIsws6wVZmoo4=";
ldflags = [
"-s"
"-w"
"-X=main.version=${version}"
"-X=main.commitHash=${src.rev}"
"-X=main.mode=prod"
];
postPatch = ''
mkdir -p ./ui/build
cp -r "${ui}" ./ui/build
'';
postInstall = ''
mv $out/bin/server $out/bin/screego
'';
meta = with lib; {
description = "Screen sharing for developers";
homepage = "https://screego.net";
license = licenses.gpl3Only;
maintainers = with maintainers; [ pinpox ];
mainProgram = "screego";
};
}
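Review bot: The postPatch near the end of the hunk runs `mkdir -p ./ui/build` and then `cp -r "${ui}" ./ui/build`; since the destination directory already exists at that point, cp copies the store path as a nested subdirectory (./ui/build/<hash>-screego-ui-1.10.3/...) rather than its contents, so the index.html and static files that the ui derivation's `cp -r build $out` placed at the top of $out end up one level too deep for anything that embeds or serves ./ui/build — unless upstream expects that layout, which nothing visible here shows. Copying the contents instead, `cp -r "${ui}/." ./ui/build`, or dropping the `mkdir -p` so that cp creates ./ui/build itself, puts the assets directly under ui/build. A smaller point: `"-X=main.commitHash=${src.rev}"` bakes the tag name `v1.10.3` into a variable called commitHash, which reads as a git hash wherever the binary reports it; if resolving the tag to a commit is not worth the churn, a comment such as `# src.rev is the release tag, not a commit hash` would make that deliberate. The inner `ui` derivation carries no comment explaining that it exists only to feed the Go build and is not installed on its own; a one-line note above `ui = stdenv.mkDerivation {` would help the next maintainer.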


@ -8,16 +8,16 @@
buildGoModule rec {
pname = "stackql";
version = "0.5.665";
version = "0.5.699";
src = fetchFromGitHub {
owner = "stackql";
repo = "stackql";
rev = "v${version}";
hash = "sha256-oX1WB6XkjEPzbj3qqXoD8urp827LAU7Cc7lLcpTTZJE=";
hash = "sha256-nObrqCStZI80pgzZOvumgK5Osycf5Uj5ESETpWkqBx0=";
};
vendorHash = "sha256-JCWXs3tfTG+aj4hG0eFhl52FmNFvPiBuWpQG2RC6FTM=";
vendorHash = "sha256-dFrJS7qd5N2Vmm6GOhRcCltbvUh0aTJTfqnxRHMmMJo=";
ldflags = [
"-s"


@ -7,13 +7,13 @@
(php.withExtensions ({ enabled, all }: enabled ++ (with all; [ ast ]))).buildComposerProject
(finalAttrs: {
pname = "phan";
version = "5.4.3";
version = "5.4.4";
src = fetchFromGitHub {
owner = "phan";
repo = "phan";
rev = finalAttrs.version;
hash = "sha256-O0dtnDsz6X99B99VbRQf3Wr/xJfsJqd+2l5Z5iWxHyU=";
hash = "sha256-9kHTDuCvh0qV6Av6uLD0t4vJO5XLL9dgRAgaREsV7zM=";
};
vendorHash = "sha256-yE85MBseJa0VGV5EbjT0te4QT3697YvtumGkMMfZtxI=";


@ -14,7 +14,7 @@
}:
buildPythonPackage rec {
pname = "mkdocs-awesome-pages-plugin";
version = "2.9.2";
version = "2.9.3";
pyproject = true;
disabled = pythonOlder "3.9";
@ -23,7 +23,7 @@ buildPythonPackage rec {
owner = "lukasgeiter";
repo = "mkdocs-awesome-pages-plugin";
rev = "refs/tags/v${version}";
hash = "sha256-pYyZ84eNrslxgLSBr3teQqmV7hA+LHwJ+Z99QgPdh6U=";
hash = "sha256-jDPoMAJ20n9bQu11CRNvKLQthRUh3+jR6t+fM3+vGzY=";
};
propagatedBuildInputs = [
@ -41,11 +41,6 @@ buildPythonPackage rec {
importlib-metadata
];
disabledTestPaths = [
# requires "generatedfiles" mkdocs plugin
"mkdocs_awesome_pages_plugin/tests/e2e/test_gen_files.py"
];
meta = with lib; {
description = "An MkDocs plugin that simplifies configuring page titles and their order";
homepage = "https://github.com/lukasgeiter/mkdocs-awesome-pages-plugin";


@ -30,11 +30,11 @@
stdenv.mkDerivation rec {
pname = "qtcreator";
version = "13.0.2";
version = "14.0.0";
src = fetchurl {
url = "https://download.qt.io/official_releases/${pname}/${lib.versions.majorMinor version}/${version}/qt-creator-opensource-src-${version}.tar.xz";
hash = "sha256-wSXMVSJhnH+PwoBadQq5bLu1al/fw4i2yxWrda9+wM4=";
hash = "sha256-8v3P+cuO1/1csfx3k1LHp6lCkieIygAN6F2229eo1FQ=";
};
nativeBuildInputs = [