diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md index 5421ead2811f..fe02667c9b84 100644 --- a/nixos/doc/manual/release-notes/rl-2411.section.md +++ b/nixos/doc/manual/release-notes/rl-2411.section.md @@ -48,6 +48,8 @@ - [Localsend](https://localsend.org/), an open source cross-platform alternative to AirDrop. Available as [programs.localsend](#opt-programs.localsend.enable). +- [cryptpad](https://cryptpad.org/), a privacy-oriented collaborative platform (docs/drive/etc), has been added back. Available as [services.cryptpad](#opt-services.cryptpad.enable). + - [realm](https://github.com/zhboner/realm), a simple, high performance relay server written in rust. Available as [services.realm.enable](#opt-services.realm.enable). - [Gotenberg](https://gotenberg.dev), an API server for converting files to PDFs that can be used alongside Paperless-ngx. Available as [services.gotenberg](options.html#opt-services.gotenberg). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index e028704c5d0f..090236780abf 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1378,6 +1378,7 @@ ./services/web-apps/convos.nix ./services/web-apps/crabfit.nix ./services/web-apps/davis.nix + ./services/web-apps/cryptpad.nix ./services/web-apps/dex.nix ./services/web-apps/discourse.nix ./services/web-apps/documize.nix diff --git a/nixos/modules/programs/neovim.nix b/nixos/modules/programs/neovim.nix index 8fe6a664b675..142cca9f322a 100644 --- a/nixos/modules/programs/neovim.nix +++ b/nixos/modules/programs/neovim.nix 
@@ -150,6 +150,10 @@ in cfg.finalPackage ]; environment.variables.EDITOR = lib.mkIf cfg.defaultEditor (lib.mkOverride 900 "nvim"); + # On most NixOS configurations /share is already included, so it includes + # this directory as well. But This makes sure that /share/nvim/site paths + # from other packages will be used by neovim. + environment.pathsToLink = [ "/share/nvim" ]; environment.etc = builtins.listToAttrs (builtins.attrValues (builtins.mapAttrs (name: value: { diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index fca814512e08..2e37a984a34e 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -117,7 +117,6 @@ in (mkRemovedOptionModule [ "services" "virtuoso" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "openfire" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "riak" ] "The corresponding package was removed from nixpkgs.") - (mkRemovedOptionModule [ "services" "cryptpad" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "rtsp-simple-server" ] "Package has been completely rebranded by upstream as mediamtx, and thus the service and the package were renamed in NixOS as well.") (mkRemovedOptionModule [ "services" "prayer" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "restya-board" ] "The corresponding package was removed from nixpkgs.") diff --git a/nixos/modules/services/web-apps/cryptpad.nix b/nixos/modules/services/web-apps/cryptpad.nix new file mode 100644 index 000000000000..770eefc00739 --- /dev/null +++ b/nixos/modules/services/web-apps/cryptpad.nix 
@@ -0,0 +1,293 @@ +{ + config, + lib, + pkgs, + ... +}: + +let + cfg = config.services.cryptpad; + + inherit (lib) + mkIf + mkMerge + mkOption + strings + types + ; + + # The Cryptpad configuration file isn't JSON, but a JavaScript source file that assigns a JSON value + # to a variable. + cryptpadConfigFile = builtins.toFile "cryptpad_config.js" '' + module.exports = ${builtins.toJSON cfg.settings} + ''; + + # Derive domain names for Nginx configuration from Cryptpad configuration + mainDomain = strings.removePrefix "https://" cfg.settings.httpUnsafeOrigin; + sandboxDomain = + if cfg.settings.httpSafeOrigin == null then + mainDomain + else + strings.removePrefix "https://" cfg.settings.httpSafeOrigin; + +in +{ + options.services.cryptpad = { + enable = lib.mkEnableOption "cryptpad"; + + package = lib.mkPackageOption pkgs "cryptpad" { }; + + configureNginx = mkOption { + description = '' + Configure Nginx as a reverse proxy for Cryptpad. + Note that this makes some assumptions on your setup, and sets settings that will + affect other virtualHosts running on your Nginx instance, if any. + Alternatively you can configure a reverse-proxy of your choice. + ''; + type = types.bool; + default = false; + }; + + settings = mkOption { + description = '' + Cryptpad configuration settings. + See https://github.com/cryptpad/cryptpad/blob/main/config/config.example.js for a more extensive + reference documentation. + Test your deployed instance through `https:///checkup/`. + ''; + type = types.submodule { + freeformType = (pkgs.formats.json { }).type; + options = { + httpUnsafeOrigin = mkOption { + type = types.str; + example = "https://cryptpad.example.com"; + default = ""; + description = "This is the URL that users will enter to load your instance"; + }; + httpSafeOrigin = mkOption { + type = types.nullOr types.str; + example = "https://cryptpad-ui.example.com. 
Apparently optional but recommended."; + description = "Cryptpad sandbox URL"; + }; + httpAddress = mkOption { + type = types.str; + default = "127.0.0.1"; + description = "Address on which the Node.js server should listen"; + }; + httpPort = mkOption { + type = types.int; + default = 3000; + description = "Port on which the Node.js server should listen"; + }; + websocketPort = mkOption { + type = types.int; + default = 3003; + description = "Port for the websocket that needs to be separate"; + }; + maxWorkers = mkOption { + type = types.nullOr types.int; + default = null; + description = "Number of child processes, defaults to number of cores available"; + }; + adminKeys = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "List of public signing keys of users that can access the admin panel"; + example = [ "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]" ]; + }; + logToStdout = mkOption { + type = types.bool; + default = true; + description = "Controls whether log output should go to stdout of the systemd service"; + }; + logLevel = mkOption { + type = types.str; + default = "info"; + description = "Controls log level"; + }; + blockDailyCheck = mkOption { + type = types.bool; + default = true; + description = '' + Disable telemetry. This setting is only effective if the 'Disable server telemetry' + setting in the admin menu has been untouched, and will be ignored by cryptpad once + that option is set either way. + Note that due to the service confinement, just enabling the option in the admin + menu will not be able to resolve DNS and fail; this setting must be set as well. + ''; + }; + installMethod = mkOption { + type = types.str; + default = "nixos"; + description = '' + Install method is listed in telemetry if you agree to it through the consentToContact + setting in the admin panel. 
+ ''; + }; + }; + }; + }; + }; + + config = mkIf cfg.enable (mkMerge [ + { + systemd.services.cryptpad = { + description = "Cryptpad service"; + wantedBy = [ "multi-user.target" ]; + after = [ "networking.target" ]; + serviceConfig = { + BindReadOnlyPaths = [ + cryptpadConfigFile + # apparently needs proc for workers management + "/proc" + "/dev/urandom" + ]; + DynamicUser = true; + Environment = [ + "CRYPTPAD_CONFIG=${cryptpadConfigFile}" + "HOME=%S/cryptpad" + ]; + ExecStart = lib.getExe cfg.package; + Restart = "always"; + StateDirectory = "cryptpad"; + WorkingDirectory = "%S/cryptpad"; + # security way too many numerous options, from the systemd-analyze security output + # at end of test: block everything except + # - SystemCallFiters=@resources is required for node + # - MemoryDenyWriteExecute for node JIT + # - RestrictAddressFamilies=~AF_(INET|INET6) / PrivateNetwork to bind to sockets + # - IPAddressDeny likewise allow localhost if binding to localhost or any otherwise + # - PrivateUsers somehow service doesn't start with that + # - DeviceAllow (char-rtc r added by ProtectClock) + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + DeviceAllow = ""; + LockPersonality = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RuntimeDirectoryMode = "700"; + SocketBindAllow = [ + "tcp:${builtins.toString cfg.settings.httpPort}" + "tcp:${builtins.toString cfg.settings.websocketPort}" + ]; + SocketBindDeny = [ "any" ]; + StateDirectoryMode = "0700"; + SystemCallArchitectures = "native"; + SystemCallFilter 
= [ + "@pkey" + "@system-service" + "~@chown" + "~@keyring" + "~@memlock" + "~@privileged" + "~@resources" + "~@setuid" + "~@timer" + ]; + UMask = "0077"; + }; + confinement = { + enable = true; + binSh = null; + mode = "chroot-only"; + }; + }; + } + # block external network access if not phoning home and + # binding to localhost (default) + (mkIf + ( + cfg.settings.blockDailyCheck + && (builtins.elem cfg.settings.httpAddress [ + "127.0.0.1" + "::1" + ]) + ) + { + systemd.services.cryptpad = { + serviceConfig = { + IPAddressAllow = [ "localhost" ]; + IPAddressDeny = [ "any" ]; + }; + }; + } + ) + # .. conversely allow DNS & TLS if telemetry is explicitly enabled + (mkIf (!cfg.settings.blockDailyCheck) { + systemd.services.cryptpad = { + serviceConfig = { + BindReadOnlyPaths = [ + "-/etc/resolv.conf" + "-/run/systemd" + "/etc/hosts" + "/etc/ssl/certs/ca-certificates.crt" + ]; + }; + }; + }) + + (mkIf cfg.configureNginx { + assertions = [ + { + assertion = cfg.settings.httpUnsafeOrigin != ""; + message = "services.cryptpad.settings.httpUnsafeOrigin is required"; + } + { + assertion = strings.hasPrefix "https://" cfg.settings.httpUnsafeOrigin; + message = "services.cryptpad.settings.httpUnsafeOrigin must start with https://"; + } + { + assertion = + cfg.settings.httpSafeOrigin == null || strings.hasPrefix "https://" cfg.settings.httpSafeOrigin; + message = "services.cryptpad.settings.httpSafeOrigin must start with https:// (or be unset)"; + } + ]; + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedProxySettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + + virtualHosts = mkMerge [ + { + "${mainDomain}" = { + serverAliases = lib.optionals (cfg.settings.httpSafeOrigin != null) [ sandboxDomain ]; + enableACME = lib.mkDefault true; + forceSSL = true; + locations."/" = { + proxyPass = "http://${cfg.settings.httpAddress}:${builtins.toString cfg.settings.httpPort}"; + extraConfig = '' + client_max_body_size 
150m; + ''; + }; + locations."/cryptpad_websocket" = { + proxyPass = "http://${cfg.settings.httpAddress}:${builtins.toString cfg.settings.websocketPort}"; + proxyWebsockets = true; + }; + }; + } + ]; + }; + }) + ]); +} diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index cc31fbade123..f485b6a77844 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -235,6 +235,7 @@ in { couchdb = handleTest ./couchdb.nix {}; crabfit = handleTest ./crabfit.nix {}; cri-o = handleTestOn ["aarch64-linux" "x86_64-linux"] ./cri-o.nix {}; + cryptpad = runTest ./cryptpad.nix; cups-pdf = handleTest ./cups-pdf.nix {}; curl-impersonate = handleTest ./curl-impersonate.nix {}; custom-ca = handleTest ./custom-ca.nix {}; diff --git a/nixos/tests/cryptpad.nix b/nixos/tests/cryptpad.nix new file mode 100644 index 000000000000..9d6af15f5f86 --- /dev/null +++ b/nixos/tests/cryptpad.nix 
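Review bot: `httpSafeOrigin` is declared as `types.nullOr types.str` with no `default`, yet `sandboxDomain`, the nginx `serverAliases` and the third assertion all compare it against `null`, so leaving it unset looks like an evaluation error and not the "(or be unset)" case the assertion message promises. Its `example` string also has the sentence "Apparently optional but recommended." fused into the URL. I would write `default = null;` and `example = "https://cryptpad-ui.example.com";` and move the remark into `description`. When it is null, everything is served from `mainDomain` only, and as far as I know CryptPad's sandboxing depends on the second origin, so the description should state what isolation is lost in that case. Separately, `after = [ "networking.target" ]` names a unit that systemd does not define (the standard one is `network.target`), so that ordering is probably a no-op.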
@@ -0,0 +1,71 @@ +{ pkgs, ... }: +let + certs = pkgs.runCommand "cryptpadSelfSignedCerts" { buildInputs = [ pkgs.openssl ]; } '' + mkdir -p $out + cd $out + openssl req -x509 -newkey rsa:4096 \ + -keyout key.pem -out cert.pem -nodes -days 3650 \ + -subj '/CN=cryptpad.localhost' \ + -addext 'subjectAltName = DNS.1:cryptpad.localhost, DNS.2:cryptpad-sandbox.localhost' + ''; + # data sniffed from cryptpad's /checkup network trace, seems to be re-usable + test_write_data = pkgs.writeText "cryptpadTestData" '' + {"command":"WRITE_BLOCK","content":{"publicKey":"O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik=","signature":"aXcM9SMO59lwA7q7HbYB+AnzymmxSyy/KhkG/cXIBVzl8v+kkPWXmFuWhcuKfRF8yt3Zc3ktIsHoFyuyDSAwAA==","ciphertext":"AFwCIfBHKdFzDKjMg4cu66qlJLpP+6Yxogbl3o9neiQou5P8h8yJB8qgnQ=="},"publicKey":"O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik=","nonce":"bitSbJMNSzOsg98nEzN80a231PCkBQeH"} + ''; +in +{ + name = "cryptpad"; + meta = with pkgs.lib.maintainers; { + maintainers = [ martinetd ]; + }; + + nodes.machine = { + services.cryptpad = { + enable = true; + configureNginx = true; + settings = { + httpUnsafeOrigin = "https://cryptpad.localhost"; + httpSafeOrigin = "https://cryptpad-sandbox.localhost"; + }; + }; + services.nginx = { + virtualHosts."cryptpad.localhost" = { + enableACME = false; + sslCertificate = "${certs}/cert.pem"; + sslCertificateKey = "${certs}/key.pem"; + }; + }; + security = { + pki.certificateFiles = [ "${certs}/cert.pem" ]; + }; + }; + + testScript = '' + machine.wait_for_unit("cryptpad.service") + machine.wait_for_unit("nginx.service") + machine.wait_for_open_port(3000) + + # test home page + machine.succeed("curl --fail https://cryptpad.localhost -o /tmp/cryptpad_home.html") + machine.succeed("grep -F 'CryptPad: Collaboration suite' /tmp/cryptpad_home.html") + + # test scripts/build.js actually generated customize content from config + machine.succeed("grep -F 'meta property=\"og:url\" content=\"https://cryptpad.localhost/index.html' 
/tmp/cryptpad_home.html") + + # make sure child pages are accessible (e.g. check nginx try_files paths) + machine.succeed( + "grep -oE '/(customize|components)[^\"]*' /tmp/cryptpad_home.html" + " | while read -r page; do" + " curl -O --fail https://cryptpad.localhost$page || exit;" + " done") + + # test some API (e.g. check cryptpad main process) + machine.succeed("curl --fail -d @${test_write_data} -H 'Content-Type: application/json' https://cryptpad.localhost/api/auth") + + # test telemetry has been disabled + machine.fail("journalctl -u cryptpad | grep TELEMETRY"); + + # for future improvements + machine.log(machine.execute("systemd-analyze security cryptpad.service")[1]) + ''; +} diff --git a/pkgs/applications/misc/1password-gui/darwin.nix b/pkgs/applications/misc/1password-gui/darwin.nix index 6f3d86f51c34..66af74630c34 100644 --- a/pkgs/applications/misc/1password-gui/darwin.nix +++ b/pkgs/applications/misc/1password-gui/darwin.nix @@ -1,16 +1,25 @@ -{ stdenv -, pname -, version -, src -, meta -, unzip -, undmg +{ + stdenv, + pname, + version, + src, + meta, + unzip, + undmg, }: stdenv.mkDerivation { - inherit pname version src meta; + inherit + pname + version + src + meta + ; - nativeBuildInputs = [ unzip undmg ]; + nativeBuildInputs = [ + unzip + undmg + ]; sourceRoot = "."; diff --git a/pkgs/applications/misc/1password-gui/default.nix b/pkgs/applications/misc/1password-gui/default.nix index 07ed8dcd573f..9d9a9fd4eb60 100644 --- a/pkgs/applications/misc/1password-gui/default.nix +++ b/pkgs/applications/misc/1password-gui/default.nix 
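Review bot: The telemetry assertion `machine.fail("journalctl -u cryptpad | grep TELEMETRY")` passes whenever grep finds nothing, which includes the case where the daily check has not run yet or logs under another string, so it does not show that `blockDailyCheck` works. The child-page loop has the same shape: if `grep -oE` matches no path, the `while read` body never runs and `machine.succeed` still passes. I would add a positive check on the confinement the module sets for this configuration, for example asserting that `systemctl show cryptpad.service -p IPAddressDeny` is non-empty, and make the loop fail on zero matches. The trailing `;` after the `machine.fail(...)` call is harmless in Python but can go.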
@@ -1,13 +1,14 @@ -{ stdenv -, callPackage -, channel ? "stable" -, fetchurl -, lib -# This is only relevant for Linux, so we need to pass it through -, polkitPolicyOwners ? [ ] }: +{ + stdenv, + callPackage, + channel ? "stable", + fetchurl, + lib, + # This is only relevant for Linux, so we need to pass it through + polkitPolicyOwners ? [ ], +}: let - pname = "1password"; version = if channel == "stable" then "8.10.36" else "8.10.38-13.BETA"; @@ -51,19 +52,46 @@ let }; src = fetchurl { - inherit (sources.${channel}.${stdenv.system} or (throw "unsupported system ${stdenv.hostPlatform.system}")) url hash; + inherit + (sources.${channel}.${stdenv.system} or (throw "unsupported system ${stdenv.hostPlatform.system}")) + url + hash + ; }; - meta = with lib; { + meta = { + # Requires to be installed in "/Application" which is not possible for now (https://github.com/NixOS/nixpkgs/issues/254944) + broken = stdenv.isDarwin; description = "Multi-platform password manager"; homepage = "https://1password.com/"; - sourceProvenance = with sourceTypes; [ binaryNativeCode ]; - license = licenses.unfree; - maintainers = with maintainers; [ timstott savannidgerinel sebtm ]; + sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; + license = lib.licenses.unfree; + maintainers = with lib.maintainers; [ + timstott + savannidgerinel + sebtm + ]; platforms = builtins.attrNames sources.${channel}; mainProgram = "1password"; }; -in if stdenv.isDarwin -then callPackage ./darwin.nix { inherit pname version src meta; } -else callPackage ./linux.nix { inherit pname version src meta polkitPolicyOwners; } +in +if stdenv.isDarwin then + callPackage ./darwin.nix { + inherit + pname + version + src + meta + ; + } +else + callPackage ./linux.nix { + inherit + pname + version + src + meta + polkitPolicyOwners + ; + } diff --git a/pkgs/applications/misc/1password-gui/linux.nix b/pkgs/applications/misc/1password-gui/linux.nix index bfd9df01dbfa..3361d4e92d9c 100644 
--- a/pkgs/applications/misc/1password-gui/linux.nix +++ b/pkgs/applications/misc/1password-gui/linux.nix @@ -1,55 +1,65 @@ -{ lib -, stdenv -, pname -, version -, src -, meta -, makeShellWrapper -, wrapGAppsHook3 -, alsa-lib -, at-spi2-atk -, at-spi2-core -, atk -, cairo -, cups -, dbus -, expat -, gdk-pixbuf -, glib -, gtk3 -, libX11 -, libXcomposite -, libXdamage -, libXext -, libXfixes -, libXrandr -, libdrm -, libxcb -, libxkbcommon -, libxshmfence -, libGL -, libappindicator-gtk3 -, mesa -, nspr -, nss -, pango -, systemd -, udev -, xdg-utils +{ + lib, + stdenv, + pname, + version, + src, + meta, + makeShellWrapper, + wrapGAppsHook3, + alsa-lib, + at-spi2-atk, + at-spi2-core, + atk, + cairo, + cups, + dbus, + expat, + gdk-pixbuf, + glib, + gtk3, + libX11, + libXcomposite, + libXdamage, + libXext, + libXfixes, + libXrandr, + libdrm, + libxcb, + libxkbcommon, + libxshmfence, + libGL, + libappindicator-gtk3, + mesa, + nspr, + nss, + pango, + systemd, + udev, + xdg-utils, # The 1Password polkit file requires a list of users for whom polkit # integrations should be enabled. This should be a list of strings that # correspond to usernames. -, polkitPolicyOwners ? [] + polkitPolicyOwners ? [ ], }: let # Convert the polkitPolicyOwners variable to a polkit-compatible string for the polkit file. policyOwners = lib.concatStringsSep " " (map (user: "unix-user:${user}") polkitPolicyOwners); -in stdenv.mkDerivation { - inherit pname version src meta; +in +stdenv.mkDerivation { + inherit + pname + version + src + meta + ; - nativeBuildInputs = [ makeShellWrapper wrapGAppsHook3 ]; + nativeBuildInputs = [ + makeShellWrapper + wrapGAppsHook3 + ]; buildInputs = [ glib ]; dontConfigure = true; 
@@ -58,37 +68,41 @@ in stdenv.mkDerivation { dontWrapGApps = true; installPhase = - let rpath = lib.makeLibraryPath [ - alsa-lib - at-spi2-atk - at-spi2-core - atk - cairo - cups - dbus - expat - gdk-pixbuf - glib - gtk3 - libX11 - libXcomposite - libXdamage - libXext - libXfixes - libXrandr - libdrm - libxcb - libxkbcommon - libxshmfence - libGL - libappindicator-gtk3 - mesa - nspr - nss - pango - systemd - ] + ":${stdenv.cc.cc.lib}/lib64"; - in '' + let + rpath = + lib.makeLibraryPath [ + alsa-lib + at-spi2-atk + at-spi2-core + atk + cairo + cups + dbus + expat + gdk-pixbuf + glib + gtk3 + libX11 + libXcomposite + libXdamage + libXext + libXfixes + libXrandr + libdrm + libxcb + libxkbcommon + libxshmfence + libGL + libappindicator-gtk3 + mesa + nspr + nss + pango + systemd + ] + + ":${stdenv.cc.cc.lib}/lib64"; + in + '' runHook preInstall mkdir -p $out/bin $out/share/1password @@ -99,12 +113,13 @@ in stdenv.mkDerivation { substituteInPlace $out/share/applications/${pname}.desktop \ --replace 'Exec=/opt/1Password/${pname}' 'Exec=${pname}' - '' + (lib.optionalString (polkitPolicyOwners != [ ]) - '' + '' + + (lib.optionalString (polkitPolicyOwners != [ ]) '' # Polkit file mkdir -p $out/share/polkit-1/actions substitute com.1password.1Password.policy.tpl $out/share/polkit-1/actions/com.1password.1Password.policy --replace "\''${POLICY_OWNERS}" "${policyOwners}" - '') + '' + '') + + '' # Icons cp -a resources/icons $out/share diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix index fab1bbdff39e..8275a287450b 100644 --- a/pkgs/applications/networking/browsers/chromium/common.nix +++ b/pkgs/applications/networking/browsers/chromium/common.nix 
@@ -267,6 +267,31 @@ let commit = "a976cb05b4024b7a6452d1541378d718cdfe33e6"; hash = "sha256-K2PSeJAvhGH2/Yp63/4mJ85NyqXqDDkMWY+ptrpgmOI="; }) + ] ++ lib.optionals (versionRange "127" "128") [ + # Fix missing chrome/browser/ui/webui_name_variants.h dependency + # and ninja 1.12 compat in M127. + # https://issues.chromium.org/issues/345645751 + # https://issues.chromium.org/issues/40253918 + # https://chromium-review.googlesource.com/c/chromium/src/+/5641516 + (githubPatch { + commit = "2c101186b60ed50f2ba4feaa2e963bd841bcca47"; + hash = "sha256-luu3ggo6XoeeECld1cKZ6Eh8x/qQYmmKI/ThEhuutuY="; + }) + # https://chromium-review.googlesource.com/c/chromium/src/+/5644627 + (githubPatch { + commit = "f2b43c18b8ecfc3ddc49c42c062d796c8b563984"; + hash = "sha256-uxXxSsiS8R0827Oi3xsG2gtT0X+jJXziwZ1y8+7K+Qg="; + }) + # https://chromium-review.googlesource.com/c/chromium/src/+/5646245 + (githubPatch { + commit = "4ca70656fde83d2db6ed5a8ac9ec9e7443846924"; + hash = "sha256-iQuRRZjDDtJfr+B7MV+TvUDDX3bvpCnv8OpSLJ1WqCE="; + }) + # https://chromium-review.googlesource.com/c/chromium/src/+/5647662 + (githubPatch { + commit = "50d63ffee3f7f1b1b9303363742ad8ebbfec31fa"; + hash = "sha256-H+dv+lgXSdry3NkygpbCdTAWWdTVdKdVD3Aa62w091E="; + }) ] ++ [ # Required to fix the build with a more recent wayland-protocols version # (we currently package 1.26 in Nixpkgs while Chromium bundles 1.21): @@ -365,7 +390,7 @@ let patchShebangs . # Link to our own Node.js and Java (required during the build): mkdir -p third_party/node/linux/node-linux-x64/bin - ln -s "${pkgsBuildHost.nodejs}/bin/node" third_party/node/linux/node-linux-x64/bin/node + ln -s${lib.optionalString (chromiumVersionAtLeast "127") "f"} "${pkgsBuildHost.nodejs}/bin/node" third_party/node/linux/node-linux-x64/bin/node ln -s "${pkgsBuildHost.jdk17_headless}/bin/java" third_party/jdk/current/bin/ # Allow building against system libraries in official builds 
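Review bot: The new `f` in `ln -s${lib.optionalString (chromiumVersionAtLeast "127") "f"}` has no comment saying why the link must now overwrite an existing path. Presumably the M127 source tree already has something at `third_party/node/linux/node-linux-x64/bin/node`; if so that is worth stating, since the purpose of this line is that the build runs the nixpkgs Node.js and not a bundled binary. Suggested comment above the line: `# M127+ already has a file at this path; replace it so our own node is used`. The enclosing phase starts and ends outside the hunk.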
@@ -462,6 +487,9 @@ let use_system_libffi = true; # Use nixpkgs Rust compiler instead of the one shipped by Chromium. rust_sysroot_absolute = "${buildPackages.rustc}"; + } // lib.optionalAttrs (chromiumVersionAtLeast "127") { + rust_bindgen_root = "${buildPackages.rust-bindgen}"; + } // { enable_rust = true; # While we technically don't need the cache-invalidation rustc_version provides, rustc_version # is still used in some scripts (e.g. build/rust/std/find_std_rlibs.py). diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix index 1998972cc217..09b575811b83 100644 --- a/pkgs/applications/networking/browsers/chromium/default.nix +++ b/pkgs/applications/networking/browsers/chromium/default.nix @@ -54,8 +54,12 @@ let src = fetchgit { inherit (upstream-info.deps.gn) url rev hash; }; + } // lib.optionalAttrs (chromiumVersionAtLeast "127") { + # Relax hardening as otherwise gn unstable 2024-06-06 and later fail with: + # cc1plus: error: '-Wformat-security' ignored without '-Wformat' [-Werror=format-security] + hardeningDisable = [ "format" ]; }); - recompressTarball = callPackage ./recompress-tarball.nix { }; + recompressTarball = callPackage ./recompress-tarball.nix { inherit chromiumVersionAtLeast; }; }); browser = callPackage ./browser.nix { diff --git a/pkgs/applications/networking/browsers/chromium/recompress-tarball.nix b/pkgs/applications/networking/browsers/chromium/recompress-tarball.nix index e663c393d8dc..ab1c81338f97 100644 --- a/pkgs/applications/networking/browsers/chromium/recompress-tarball.nix +++ b/pkgs/applications/networking/browsers/chromium/recompress-tarball.nix @@ -1,10 +1,11 @@ { zstd , fetchurl +, lib +, chromiumVersionAtLeast }: { version , hash ? "" -, ... } @ args: fetchurl ({ 
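Review bot: In chromium/default.nix, `hardeningDisable = [ "format" ]` is gated on `chromiumVersionAtLeast "127"`, but the comment ties the failure to the gn revision ("gn unstable 2024-06-06 and later"), which comes from `upstream-info.deps.gn` and not from the Chromium version. If a channel ever pairs a newer gn with an older Chromium, or the reverse, the relaxation lands on the wrong builds. Keying the condition on `upstream-info.deps.gn.version` would keep the format hardening flags on wherever gn still builds with them. The comment could also say that this appears to affect only the gn build tool and not the browser; the start of the override is outside the hunk, so that is inferred.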
@@ -35,6 +36,13 @@ fetchurl ({ --exclude=third_party/llvm \ --exclude=third_party/rust-src \ --exclude='build/linux/debian_*-sysroot' \ + '' + lib.optionalString (chromiumVersionAtLeast "127") '' + --exclude='*.tar.[a-zA-Z0-9][a-zA-Z0-9]' \ + --exclude='*.tar.[a-zA-Z0-9][a-zA-Z0-9][a-zA-Z0-9]' \ + --exclude=third_party/llvm-build \ + --exclude=third_party/rust-toolchain \ + --exclude=third_party/instrumented_libs \ + '' + '' --strip-components=1 tar \ diff --git a/pkgs/applications/networking/browsers/chromium/update.py b/pkgs/applications/networking/browsers/chromium/update.py index d92a9dae8a8c..17bd20c1a794 100755 --- a/pkgs/applications/networking/browsers/chromium/update.py +++ b/pkgs/applications/networking/browsers/chromium/update.py @@ -1,5 +1,5 @@ #! /usr/bin/env nix-shell -#! nix-shell -i python -p python3 nix nixfmt-classic nix-prefetch-git +#! nix-shell -i python -p python3Packages.looseversion nix nixfmt-classic nix-prefetch-git """This script automatically updates chromium, google-chrome, chromedriver, and ungoogled-chromium via upstream-info.nix.""" @@ -15,7 +15,7 @@ import sys from codecs import iterdecode from collections import OrderedDict from datetime import datetime -from distutils.version import LooseVersion +from looseversion import LooseVersion from os.path import abspath, dirname from urllib.request import urlopen @@ -214,7 +214,7 @@ with urlopen(RELEASES_URL) as resp: releases.append(get_latest_ungoogled_chromium_build(linux_stable_versions)) for release in releases: - channel_name = re.findall("chrome\/platforms\/linux\/channels\/(.*)\/versions\/", release['name'])[0] + channel_name = re.findall("chrome/platforms/linux/channels/(.*)/versions/", release['name'])[0] # If we've already found a newer release for this channel, we're # no longer interested in it. diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.nix b/pkgs/applications/networking/browsers/chromium/upstream-info.nix index 5a133f0b5bf6..4d04fec278fa 100644 
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.nix +++ b/pkgs/applications/networking/browsers/chromium/upstream-info.nix @@ -1,22 +1,22 @@ { stable = { chromedriver = { - hash_darwin = "sha256-YdQgrcTgyGtSfT6wBedSfBt40DaK3fG+uvB0yanvROU="; + hash_darwin = "sha256-c/lMkOdoW/tX57opl/weJGh/iyUeTTF5Xejs7IpA+Qg="; hash_darwin_aarch64 = - "sha256-ht7LoA4ibEcWuXOk+JimCN0sjjPomHBcO8IZFNnMauk="; - hash_linux = "sha256-VeCNeBKsKZ2bEM6Z9lJJaBVRjS1pW2gK2DMvmghfNEA="; - version = "126.0.6478.182"; + "sha256-sst73OxUsrs2yWA72qdonARGi/W0FYObNfolidCiXio="; + hash_linux = "sha256-p5cQmMdte7TfTPohg+rpIsyyYk1OKSNb0BwaMWmHuCo="; + version = "127.0.6533.72"; }; deps = { gn = { - hash = "sha256-mNoQeHSSM+rhR0UHrpbyzLJC9vFqfxK1SD0X8GiRsqw="; - rev = "df98b86690c83b81aedc909ded18857296406159"; + hash = "sha256-vzZu/Mo4/xATSD9KgKcRuBKVg9CoRZC9i0PEajYr4UM="; + rev = "b3a0bff47dd81073bfe67a402971bad92e4f2423"; url = "https://gn.googlesource.com/gn"; - version = "2024-05-13"; + version = "2024-06-06"; }; }; - hash = "sha256-vZ7P8+vHTMCo6lXkV84ENqRZVG3/fDEwl+BTNJTGMn4="; - version = "126.0.6478.182"; + hash = "sha256-m99HaGCuIihDdbVnmu6xatnC/QDxgLVby2TWY/L+RHk="; + version = "127.0.6533.72"; }; ungoogled-chromium = { deps = { diff --git a/pkgs/applications/networking/p2p/magnetico/default.nix b/pkgs/applications/networking/p2p/magnetico/default.nix index f3579c494ba8..aeb6ec21fb26 100644 --- a/pkgs/applications/networking/p2p/magnetico/default.nix +++ b/pkgs/applications/networking/p2p/magnetico/default.nix 
@@ -1,55 +1,37 @@ { lib -, fetchFromGitHub -, fetchpatch -, nixosTests +, stdenv +, fetchFromGitea , buildGoModule +, nixosTests , sqlite }: -buildGoModule { +buildGoModule rec { pname = "magnetico"; - version = "unstable-2022-08-10"; + version = "0.12.1"; - src = fetchFromGitHub { - owner = "ireun"; + src = fetchFromGitea { + domain = "maxwell.ydns.eu/git"; + owner = "rnhmjoj"; repo = "magnetico"; - rev = "828e230d3b3c0759d3274e27f5a7b70400f4d6ea"; - hash = "sha256-V1pBzillWTk9iuHAhFztxYaq4uLL3U3HYvedGk6ffbk="; + rev = "v${version}"; + hash = "sha256-cO5TVtQ1jdW1YkFtj35kmRfJG46/lXjXyz870NCPT0g="; }; - patches = [ - # https://github.com/ireun/magnetico/pull/15 - (fetchpatch { - url = "https://github.com/ireun/magnetico/commit/90db34991aa44af9b79ab4710c638607c6211c1c.patch"; - hash = "sha256-wC9lVQqfngQ5AaRgb4TtoWSgbQ2iSHeQ2UBDUyWjMK8="; - }) - ]; - - vendorHash = "sha256-JDrBXjnQAcWp8gKvnm+q1F5oV+FozKUvhHK/Me/Cyj8="; + vendorHash = "sha256-jIVMQtPCq9RYaYsH4LSZJFspH6TpCbgzHN0GX8cM/CI="; buildInputs = [ sqlite ]; - buildPhase = '' - runHook preBuild + tags = [ "fts5" "libsqlite3" ]; + ldflags = [ "-s" "-w" ]; - make magneticow magneticod - - runHook postBuild - ''; - - checkPhase = '' - runHook preCheck - - make test - - runHook postCheck - ''; + doCheck = !stdenv.hostPlatform.isStatic; passthru.tests = { inherit (nixosTests) magnetico; }; meta = with lib; { description = "Autonomous (self-hosted) BitTorrent DHT search engine suite"; - homepage = "https://github.com/ireun/magnetico"; + homepage = "https://maxwell.ydns.eu/git/rnhmjoj/magnetico"; license = licenses.agpl3Only; badPlatforms = platforms.darwin; maintainers = with maintainers; [ rnhmjoj ]; diff --git a/pkgs/applications/science/chemistry/jmol/default.nix b/pkgs/applications/science/chemistry/jmol/default.nix index 8bdd3f4b5da6..3e9cd1aaeaa6 100644 --- a/pkgs/applications/science/chemistry/jmol/default.nix +++ b/pkgs/applications/science/chemistry/jmol/default.nix 
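Review bot: The source moves from GitHub to a Gitea instance on what looks like a dynamic-DNS host, and `domain = "maxwell.ydns.eu/git"` passes a path inside the `domain` argument; neither is explained in the hunk. The fixed `hash` still pins what is fetched, so the concern is availability and auditability: a single server is now the only origin for this tag. A comment above `src` saying why `rnhmjoj/magnetico` is the upstream now, and that `/git` in `domain` is intentional, would help the next reviewer. The hunk also replaces the `make test` check phase with buildGoModule's default check, disabled on static platforms, so it is worth confirming that the same tests still run.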
@@ -32,7 +32,7 @@ stdenv.mkDerivation rec { baseVersion = "${lib.versions.major version}.${lib.versions.minor version}"; in fetchurl { url = "mirror://sourceforge/jmol/Jmol/Version%20${baseVersion}/Jmol%20${version}/Jmol-${version}-binary.tar.gz"; - hash = "sha256-Lpy5A7TWxSrBeGSsp+HlEXDrbkB840QZlvIeop6YUTw="; + hash = "sha256-uOPRdTmEbU376G7a7om5UpBjemkN170PwGCskJY41HE="; }; patchPhase = '' diff --git a/pkgs/applications/video/obs-studio/default.nix b/pkgs/applications/video/obs-studio/default.nix index 3663c45a4ed2..0adac748460e 100644 --- a/pkgs/applications/video/obs-studio/default.nix +++ b/pkgs/applications/video/obs-studio/default.nix @@ -63,13 +63,13 @@ in stdenv.mkDerivation (finalAttrs: { pname = "obs-studio"; - version = "30.2.0"; + version = "30.2.2"; src = fetchFromGitHub { owner = "obsproject"; repo = "obs-studio"; rev = finalAttrs.version; - hash = "sha256-mwh2KLSz+I/8f3i/wST/2vKL/hWTCTaq53sinIEX75M="; + hash = "sha256-yMtLN/86+3wuNR+gGhsaxN4oGIC21bAcjbQfyTuXIYc="; fetchSubmodules = true; }; diff --git a/pkgs/by-name/bu/budgie-analogue-clock-applet/package.nix b/pkgs/by-name/bu/budgie-analogue-clock-applet/package.nix index ebc2947a4e5b..fe3c54487f6d 100644 --- a/pkgs/by-name/bu/budgie-analogue-clock-applet/package.nix +++ b/pkgs/by-name/bu/budgie-analogue-clock-applet/package.nix @@ -14,13 +14,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "budgie-analogue-clock-applet"; - version = "2.0"; + version = "2.1"; src = fetchFromGitHub { owner = "samlane-ma"; repo = "analogue-clock-applet"; rev = "v${finalAttrs.version}"; - hash = "sha256-yId5bbdmELinBmZ5eISa5hQSYkeZCkix2FJ287GdcCs="; + hash = "sha256-NvXX5paRrjeJFqnOeJS9yNp+7cRohsN3+eocLqvcVj8="; }; nativeBuildInputs = [ diff --git a/pkgs/by-name/cr/cryptpad/0001-env.js-fix-httpSafePort-handling.patch b/pkgs/by-name/cr/cryptpad/0001-env.js-fix-httpSafePort-handling.patch new file mode 100644 index 000000000000..838ee033871f --- /dev/null 
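Review bot: The `hash` of the `fetchurl` source changes here while the URL is still built from the same `version`, and this file's diff has no other hunk. So either the SourceForge tarball for an already-packaged release was replaced upstream, or an earlier bump left a stale hash. The change should say which, and how the new archive was checked, because a mismatch on an unchanged URL is exactly what the fixed-output hash is there to surface. I would record it next to the line, e.g. `# upstream re-uploaded Jmol-${version}-binary.tar.gz; hash re-checked against the project's published checksum`. The `mkDerivation` body starts and ends outside the hunk, so the `version` line itself is not visible.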
+++ b/pkgs/by-name/cr/cryptpad/0001-env.js-fix-httpSafePort-handling.patch 
@@ -0,0 +1,56 @@ +From 4bf0be64fe51a9c9fd9e410ada15251378b743bf Mon Sep 17 00:00:00 2001 +From: Dominique Martinet +Date: Sat, 26 Aug 2023 09:28:59 +0900 +Subject: [PATCH] env.js: fix httpSafePort handling + +It has been clarified that this is only a dev option that should not be +used in production, but setting the value in config was still ignored, +so fix the init code to consider the config value and make it clear that +this port is not bound if safeOrigin is set. +--- + config/config.example.js | 3 ++- + lib/env.js | 5 +++-- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/config/config.example.js b/config/config.example.js +index 7c8184c6c2f6..77263643c354 100644 +--- a/config/config.example.js ++++ b/config/config.example.js +@@ -89,8 +89,9 @@ module.exports = { + + /* httpSafePort purpose is to emulate another origin for the sandbox when + * you don't have two domains at hand (i.e. when httpSafeOrigin not defined). +- * It is meant to be used only in case where you are working on a local ++ * It is meant to be used only in case where you are working on a local + * development instance. The default value is your httpPort + 1. ++ * Setting this to 0 or setting httpSafeOrigin disables this listener. + * + */ + //httpSafePort: 3001, +diff --git a/lib/env.js b/lib/env.js +index d3748750f21e..f0660cba3e11 100644 +--- a/lib/env.js ++++ b/lib/env.js +@@ -74,8 +74,9 @@ module.exports.create = function (config) { + + if (typeof(config.httpSafeOrigin) !== 'string') { + NO_SANDBOX = true; +- if (typeof(config.httpSafePort) !== 'number') { httpSafePort = httpPort + 1; } + httpSafeOrigin = deriveSandboxOrigin(httpUnsafeOrigin, httpSafePort); ++ // only set if httpSafeOrigin isn't set. ++ httpSafePort = isValidPort(config.httpSafePort) ? 
config.httpSafePort : (httpPort + 1); + } else { + httpSafeOrigin = canonicalizeOrigin(config.httpSafeOrigin); + } +@@ -115,7 +116,7 @@ module.exports.create = function (config) { + permittedEmbedders: typeof(permittedEmbedders) === 'string' && permittedEmbedders? permittedEmbedders: httpSafeOrigin, + + removeDonateButton: config.removeDonateButton, +- httpPort: isValidPort(config.httpPort)? config.httpPort: 3000, ++ httpPort: httpPort, + httpAddress: typeof(config.httpAddress) === 'string'? config.httpAddress: 'localhost', + websocketPath: config.externalWebsocketURL, + logIP: config.logIP, +-- +2.45.2 + diff --git a/pkgs/by-name/cr/cryptpad/package.nix b/pkgs/by-name/cr/cryptpad/package.nix new file mode 100644 index 000000000000..f2137c19bac4 --- /dev/null +++ b/pkgs/by-name/cr/cryptpad/package.nix 
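Review bot: In the `lib/env.js` hunk of the added patch, the new assignment `httpSafePort = isValidPort(config.httpSafePort) ? config.httpSafePort : (httpPort + 1);` sits after the unchanged `httpSafeOrigin = deriveSandboxOrigin(httpUnsafeOrigin, httpSafePort);`, while the line it replaces ran before that call. Unless `httpSafePort` already holds a value from code above the hunk (not visible), the sandbox origin is derived from an unset port. That origin is what the config comment describes as the emulated second origin for the sandbox. Moving the assignment and its comment above the `deriveSandboxOrigin` call keeps the port and the origin consistent. The added sentence in `config.example.js` says 0 disables the listener, which only holds if `isValidPort` accepts 0; the hunk does not show that.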
@@ -0,0 +1,135 @@ +{ + buildNpmPackage, + fetchFromGitHub, + lib, + makeBinaryWrapper, + nixosTests, + nodejs, + rdfind, +}: + +let + version = "2024.6.0"; + # nix version of install-onlyoffice.sh + # a later version could rebuild from sdkjs/web-apps as per + # https://github.com/cryptpad/onlyoffice-builds/blob/main/build.sh + onlyoffice_build = + rev: hash: + fetchFromGitHub { + inherit rev hash; + owner = "cryptpad"; + repo = "onlyoffice-builds"; + }; + onlyoffice_install = oo: '' + oo_dir="$out_cryptpad/www/common/onlyoffice/dist/${oo.subdir}" + cp -a "${onlyoffice_build oo.rev oo.hash}/." "$oo_dir" + chmod -R +w "$oo_dir" + echo "${oo.rev}" > "$oo_dir/.commit" + ''; + onlyoffice_versions = [ + { + subdir = "v1"; + rev = "4f370beb"; + hash = "sha256-TE/99qOx4wT2s0op9wi+SHwqTPYq/H+a9Uus9Zj4iSY="; + } + { + subdir = "v2b"; + rev = "d9da72fd"; + hash = "sha256-SiRDRc2vnLwCVnvtk+C8PKw7IeuSzHBaJmZHogRe3hQ="; + } + { + subdir = "v4"; + rev = "6ebc6938"; + hash = "sha256-eto1+8Tk/s3kbUCpbUh8qCS8EOq700FYG1/KiHyynaA="; + } + { + subdir = "v5"; + rev = "88a356f0"; + hash = "sha256-8j1rlAyHlKx6oAs2pIhjPKcGhJFj6ZzahOcgenyeOCc="; + } + { + subdir = "v6"; + rev = "abd8a309"; + hash = "sha256-BZdExj2q/bqUD3k9uluOot2dlrWKA+vpad49EdgXKww="; + } + { + subdir = "v7"; + rev = "9d8b914a"; + hash = "sha256-M+rPJ/Xo2olhqB5ViynGRaesMLLfG/1ltUoLnepMPnM="; + } + ]; + +in +buildNpmPackage { + inherit version; + pname = "cryptpad"; + + src = fetchFromGitHub { + owner = "cryptpad"; + repo = "cryptpad"; + rev = version; + hash = "sha256-huIhhnjatkaVfm1zDeqi88EX/nAUBQ0onPNOwn7hrX4="; + }; + + npmDepsHash = "sha256-Oh1fBvP7OXC+VDiH3D+prHmi8pRrxld06n30sqw5apY="; + + nativeBuildInputs = [ + makeBinaryWrapper + rdfind + ]; + + patches = [ + # fix httpSafePort setting + # https://github.com/cryptpad/cryptpad/pull/1571 + ./0001-env.js-fix-httpSafePort-handling.patch + ]; + + # cryptpad build tries to write in cache dir + makeCacheWritable = true; + + # 'npm build run' (scripts/build.js) generates a 
customize directory, but: + # - that is not installed by npm install + # - it embeds values from config into the directory, so needs to be + # run before starting the server (it's just a few quick replaces) + # Skip it here. + dontNpmBuild = true; + + postInstall = '' + out_cryptpad="$out/lib/node_modules/cryptpad" + + # 'npm run install:components' (scripts/copy-component.js) copies + # required node modules to www/component in the build tree... + # Move to install directory manually. + npm run install:components + mv www/components "$out_cryptpad/www/" + + # install OnlyOffice (install-onlyoffice.sh without network) + mkdir -p "$out_cryptpad/www/common/onlyoffice/dist" + ${lib.concatMapStringsSep "\n" onlyoffice_install onlyoffice_versions} + rdfind -makehardlinks true -makeresultsfile false "$out_cryptpad/www/common/onlyoffice/dist" + + # cryptpad assumes it runs in the source directory and also outputs + # its state files there, which is not exactly great for us. + # There are relative paths everywhere so just substituing source paths + # is difficult and will likely break on a future update, instead we + # make links to the required source directories before running. + # The build.js step populates 'customize' from customize.dist and config; + # one would normally want to re-run it after modifying config but since it + # would overwrite user modifications only run it if there is no customize + # directory. + makeWrapper "${lib.getExe nodejs}" "$out/bin/cryptpad" \ + --add-flags "$out_cryptpad/server.js" \ + --run "for d in customize.dist lib www; do ln -sf \"$out_cryptpad/\$d\" .; done" \ + --run "if ! 
[ -d customize ]; then \"${lib.getExe nodejs}\" \"$out_cryptpad/scripts/build.js\"; fi" + ''; + + passthru.tests.cryptpad = nixosTests.cryptpad; + + meta = { + description = "Collaborative office suite, end-to-end encrypted and open-source."; + homepage = "https://cryptpad.org/"; + license = lib.licenses.agpl3Plus; + mainProgram = "cryptpad"; + maintainers = with lib.maintainers; [ martinetd ]; + }; +} diff --git a/pkgs/by-name/ka/kanidm/package.nix b/pkgs/by-name/ka/kanidm/package.nix index de9694227fcd..855bd8a12526 100644 --- a/pkgs/by-name/ka/kanidm/package.nix +++ b/pkgs/by-name/ka/kanidm/package.nix @@ -71,6 +71,9 @@ rustPlatform.buildRustPackage rec { cp -r server/web_ui/pkg $out/ui ''; + # Otherwise build breaks on some unused code + env.RUSTFLAGS = "-A dead_code"; + # Not sure what pathological case it hits when compiling tests with LTO, # but disabling it takes the total `cargo check` time from 40 minutes to # around 5 on a 16-core machine. diff --git a/pkgs/by-name/kc/kcl/package.nix b/pkgs/by-name/kc/kcl/package.nix index 7a18f5d9e91a..af6933a9cd47 100644 --- a/pkgs/by-name/kc/kcl/package.nix +++ b/pkgs/by-name/kc/kcl/package.nix @@ -30,9 +30,7 @@ buildGoModule rec { "-X=kcl-lang.io/cli/pkg/version.version=v${version}" ]; - nativeBuildInputs = [ makeWrapper installShellFiles ] ++ ( - lib.optionals stdenv.isDarwin [ darwin.cctools ] - ); + nativeBuildInputs = [ makeWrapper installShellFiles ]; buildInputs = [ kclvm kclvm_cli ] ++ ( lib.optional stdenv.isDarwin [ diff --git a/pkgs/by-name/kc/kclvm/package.nix b/pkgs/by-name/kc/kclvm/package.nix index db1a2c232d92..249c9bca9812 100644 --- a/pkgs/by-name/kc/kclvm/package.nix +++ b/pkgs/by-name/kc/kclvm/package.nix @@ -29,7 +29,6 @@ rustPlatform.buildRustPackage rec { }; buildInputs = [ rustc ] ++ lib.optionals stdenv.isDarwin [ - darwin.cctools darwin.apple_sdk.frameworks.Security darwin.apple_sdk.frameworks.CoreServices darwin.apple_sdk.frameworks.SystemConfiguration 
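Review bot: The wrapper built at the end of `postInstall` runs `ln -sf` for `customize.dist`, `lib` and `www` into `.`, and then `scripts/build.js`, in whatever directory `cryptpad` is started from, so the working directory becomes the state directory. Started from a shared or user-writable directory, it replaces existing files or symlinks with those names and reuses whatever `customize` directory is already there. The comment above `makeWrapper` explains the links but not this requirement; I would add `# must be started from a dedicated directory owned by the service user: links and state files are written to $PWD`. Separately, the `onlyoffice_versions` entries use eight-character `rev` values. The `hash` pins the content, but full commit ids would avoid a prefix becoming ambiguous later.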
diff --git a/pkgs/by-name/kc/kclvm_cli/package.nix b/pkgs/by-name/kc/kclvm_cli/package.nix index e91a8bd450af..15e86da2f872 100644 --- a/pkgs/by-name/kc/kclvm_cli/package.nix +++ b/pkgs/by-name/kc/kclvm_cli/package.nix @@ -24,7 +24,6 @@ rustPlatform.buildRustPackage rec { buildInputs = [ kclvm rustc ] ++ ( lib.optionals stdenv.isDarwin [ - darwin.cctools darwin.apple_sdk.frameworks.Security darwin.apple_sdk.frameworks.CoreServices darwin.apple_sdk.frameworks.SystemConfiguration diff --git a/pkgs/by-name/li/libetonyek/package.nix b/pkgs/by-name/li/libetonyek/package.nix index 8ff8349b9d40..393f542a9ea9 100644 --- a/pkgs/by-name/li/libetonyek/package.nix +++ b/pkgs/by-name/li/libetonyek/package.nix @@ -12,6 +12,7 @@ , librevenge , libxml2 , mdds +, zlib }: stdenv.mkDerivation rec { @@ -39,6 +40,7 @@ stdenv.mkDerivation rec { librevenge libxml2 mdds + zlib ]; configureFlags = ["--with-mdds=2.1"]; diff --git a/pkgs/by-name/ol/ollama/package.nix b/pkgs/by-name/ol/ollama/package.nix index a1f4dcc20629..122d8fe23e15 100644 --- a/pkgs/by-name/ol/ollama/package.nix +++ b/pkgs/by-name/ol/ollama/package.nix @@ -40,13 +40,13 @@ assert builtins.elem acceleration [ let pname = "ollama"; # don't forget to invalidate all hashes each update - version = "0.2.8"; + version = "0.3.0"; src = fetchFromGitHub { owner = "ollama"; repo = "ollama"; rev = "v${version}"; - hash = "sha256-uir/GoFs0nhhHpznyYkwVjAUWxwjWmGZ7liU2htyQ04="; + hash = "sha256-69CpRAggx6a1NJq+CA9QliXuUbDgC1ERRuA3y17KVAM="; fetchSubmodules = true; }; diff --git a/pkgs/by-name/sc/screego/package.nix b/pkgs/by-name/sc/screego/package.nix new file mode 100644 index 000000000000..90ac0304c4fc --- /dev/null +++ b/pkgs/by-name/sc/screego/package.nix 
@@ -0,0 +1,78 @@ +{ + lib, + buildGoModule, + fetchFromGitHub, + fetchYarnDeps, + yarnConfigHook, + yarnBuildHook, + nodejs, + stdenv, +}: +let + + version = "1.10.3"; + + src = fetchFromGitHub { + owner = "screego"; + repo = "server"; + rev = "v${version}"; + hash = "sha256-X8KZAUh1cO8qNYH6nc9zZ+mnfItgef8N948ErJLlZII="; + }; + + ui = stdenv.mkDerivation { + pname = "screego-ui"; + inherit version; + + src = src + "/ui"; + + offlineCache = fetchYarnDeps { + yarnLock = "${src}/ui/yarn.lock"; + hash = "sha256-ye8UDkal10k/5uCd0VrZsG2FJGB727q+luExFTUmB/M="; + }; + + nativeBuildInputs = [ + yarnConfigHook + yarnBuildHook + nodejs + ]; + + installPhase = '' + cp -r build $out + ''; + + }; + +in + +buildGoModule rec { + inherit src version; + + pname = "screego-server"; + + vendorHash = "sha256-ry8LO+KmNU9MKL8/buk9qriDe/zq+2uIsws6wVZmoo4="; + + ldflags = [ + "-s" + "-w" + "-X=main.version=${version}" + "-X=main.commitHash=${src.rev}" + "-X=main.mode=prod" + ]; + + postPatch = '' + mkdir -p ./ui/build + cp -r "${ui}" ./ui/build + ''; + + postInstall = '' + mv $out/bin/server $out/bin/screego + ''; + + meta = with lib; { + description = "Screen sharing for developers"; + homepage = "https://screego.net"; + license = licenses.gpl3Only; + maintainers = with maintainers; [ pinpox ]; + mainProgram = "screego"; + }; +} diff --git a/pkgs/by-name/st/stackql/package.nix b/pkgs/by-name/st/stackql/package.nix index d1d749d971fa..4c13281ea436 100644 --- a/pkgs/by-name/st/stackql/package.nix +++ b/pkgs/by-name/st/stackql/package.nix 
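Review bot: In `postPatch`, `mkdir -p ./ui/build` runs before `cp -r "${ui}" ./ui/build`, so `cp` copies the store directory into the existing target. The assets then land one level down, in a subdirectory named after the store path, rather than directly in `ui/build`. If the Go server embeds `ui/build` and expects the built files at its top level (the Go source is not visible here), the binary ships without a usable UI. `cp -r "${ui}/." ./ui/build/` copies the contents instead. `-X=main.commitHash=${src.rev}` also stamps the tag `v${version}` rather than a commit id, which is worth a short comment if that value is shown to users.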
@@ -8,16 +8,16 @@ buildGoModule rec { pname = "stackql"; - version = "0.5.665"; + version = "0.5.699"; src = fetchFromGitHub { owner = "stackql"; repo = "stackql"; rev = "v${version}"; - hash = "sha256-oX1WB6XkjEPzbj3qqXoD8urp827LAU7Cc7lLcpTTZJE="; + hash = "sha256-nObrqCStZI80pgzZOvumgK5Osycf5Uj5ESETpWkqBx0="; }; - vendorHash = "sha256-JCWXs3tfTG+aj4hG0eFhl52FmNFvPiBuWpQG2RC6FTM="; + vendorHash = "sha256-dFrJS7qd5N2Vmm6GOhRcCltbvUh0aTJTfqnxRHMmMJo="; ldflags = [ "-s" diff --git a/pkgs/development/interpreters/ruby/default.nix b/pkgs/development/interpreters/ruby/default.nix index 2a7115fd27df..c2a6604cf29d 100644 --- a/pkgs/development/interpreters/ruby/default.nix +++ b/pkgs/development/interpreters/ruby/default.nix @@ -173,6 +173,14 @@ let export HOME=$TMPDIR ''; + # Work around useSystemCoreFoundationFramework hook causing issues with the ld64 upgrade. + # This will be fixed on staging in https://github.com/NixOS/nixpkgs/pull/329529 + preBuild = + if lib.versionAtLeast ver.majMin "3.3" && stdenv.isDarwin && stdenv.isx86_64 then + "unset NIX_COREFOUNDATION_RPATH" + else + null; + # fails with "16993 tests, 2229489 assertions, 105 failures, 14 errors, 89 skips" # mostly TZ- and patch-related tests # TZ- failures are caused by nix sandboxing, I didn't investigate others diff --git a/pkgs/development/libraries/appstream/qt.nix b/pkgs/development/libraries/appstream/qt.nix index 1916774b8cfc..4699c7ce934e 100644 --- a/pkgs/development/libraries/appstream/qt.nix +++ b/pkgs/development/libraries/appstream/qt.nix 
@@ -24,9 +24,13 @@ stdenv.mkDerivation { dontWrapQtApps = true; + # AppStreamQt tries to be relocatable, in hacky cmake ways that generally fail + # horribly on NixOS. Just hardcode the paths. postFixup = '' sed -i "$dev/lib/cmake/AppStreamQt${qtSuffix}/AppStreamQt${qtSuffix}Config.cmake" \ -e "/INTERFACE_INCLUDE_DIRECTORIES/ s@\''${PACKAGE_PREFIX_DIR}@$dev@" + sed -i "$dev/lib/cmake/AppStreamQt${qtSuffix}/AppStreamQt${qtSuffix}Config.cmake" \ + -e "/IMPORTED_LOCATION/ s@\''${PACKAGE_PREFIX_DIR}@$out@" ''; passthru = appstream.passthru // { diff --git a/pkgs/development/php-packages/phan/default.nix b/pkgs/development/php-packages/phan/default.nix index af95847c37bf..bfa5b81aa1b1 100644 --- a/pkgs/development/php-packages/phan/default.nix +++ b/pkgs/development/php-packages/phan/default.nix @@ -7,13 +7,13 @@ (php.withExtensions ({ enabled, all }: enabled ++ (with all; [ ast ]))).buildComposerProject (finalAttrs: { pname = "phan"; - version = "5.4.3"; + version = "5.4.4"; src = fetchFromGitHub { owner = "phan"; repo = "phan"; rev = finalAttrs.version; - hash = "sha256-O0dtnDsz6X99B99VbRQf3Wr/xJfsJqd+2l5Z5iWxHyU="; + hash = "sha256-9kHTDuCvh0qV6Av6uLD0t4vJO5XLL9dgRAgaREsV7zM="; }; vendorHash = "sha256-yE85MBseJa0VGV5EbjT0te4QT3697YvtumGkMMfZtxI="; diff --git a/pkgs/development/python-modules/mkdocs-awesome-pages-plugin/default.nix b/pkgs/development/python-modules/mkdocs-awesome-pages-plugin/default.nix index f7bf173400dd..8799dfcd380a 100644 --- a/pkgs/development/python-modules/mkdocs-awesome-pages-plugin/default.nix +++ b/pkgs/development/python-modules/mkdocs-awesome-pages-plugin/default.nix @@ -14,7 +14,7 @@ }: buildPythonPackage rec { pname = "mkdocs-awesome-pages-plugin"; - version = "2.9.2"; + version = "2.9.3"; pyproject = true; disabled = pythonOlder "3.9"; 
@@ -23,7 +23,7 @@ buildPythonPackage rec { owner = "lukasgeiter"; repo = "mkdocs-awesome-pages-plugin"; rev = "refs/tags/v${version}"; - hash = "sha256-pYyZ84eNrslxgLSBr3teQqmV7hA+LHwJ+Z99QgPdh6U="; + hash = "sha256-jDPoMAJ20n9bQu11CRNvKLQthRUh3+jR6t+fM3+vGzY="; }; propagatedBuildInputs = [ @@ -41,11 +41,6 @@ buildPythonPackage rec { importlib-metadata ]; - disabledTestPaths = [ - # requires "generatedfiles" mkdocs plugin - "mkdocs_awesome_pages_plugin/tests/e2e/test_gen_files.py" - ]; - meta = with lib; { description = "An MkDocs plugin that simplifies configuring page titles and their order"; homepage = "https://github.com/lukasgeiter/mkdocs-awesome-pages-plugin"; diff --git a/pkgs/development/tools/qtcreator/default.nix b/pkgs/development/tools/qtcreator/default.nix index ef3d61e60f77..5a097393d639 100644 --- a/pkgs/development/tools/qtcreator/default.nix +++ b/pkgs/development/tools/qtcreator/default.nix @@ -30,11 +30,11 @@ stdenv.mkDerivation rec { pname = "qtcreator"; - version = "13.0.2"; + version = "14.0.0"; src = fetchurl { url = "https://download.qt.io/official_releases/${pname}/${lib.versions.majorMinor version}/${version}/qt-creator-opensource-src-${version}.tar.xz"; - hash = "sha256-wSXMVSJhnH+PwoBadQq5bLu1al/fw4i2yxWrda9+wM4="; + hash = "sha256-8v3P+cuO1/1csfx3k1LHp6lCkieIygAN6F2229eo1FQ="; }; nativeBuildInputs = [ diff --git a/pkgs/kde/frameworks/kimageformats/default.nix b/pkgs/kde/frameworks/kimageformats/default.nix index 21c84cb56992..e15c863003a8 100644 --- a/pkgs/kde/frameworks/kimageformats/default.nix +++ b/pkgs/kde/frameworks/kimageformats/default.nix @@ -4,6 +4,9 @@ libheif, libjxl, libavif, + dav1d, + libaom, + libyuv, libraw, openexr_3, }: @@ -12,5 +15,5 @@ mkKdeDerivation { extraCmakeFlags = ["-DKIMAGEFORMATS_HEIF=1"]; extraNativeBuildInputs = [pkg-config]; - extraBuildInputs = [libheif libjxl libavif libraw openexr_3]; + extraBuildInputs = [libheif libjxl libavif dav1d libaom libyuv libraw openexr_3]; } 
diff --git a/pkgs/servers/bazarr/default.nix b/pkgs/servers/bazarr/default.nix index e30beee899ef..daa8f55e87cb 100644 --- a/pkgs/servers/bazarr/default.nix +++ b/pkgs/servers/bazarr/default.nix @@ -1,9 +1,9 @@ -{ stdenv, lib, fetchurl, makeWrapper, unzip, python3, unar, ffmpeg, nixosTests }: +{ stdenv, lib, fetchurl, makeWrapper, unzip, python3, libarchive, ffmpeg, nixosTests }: let runtimeProgDeps = [ ffmpeg - unar + libarchive ]; in stdenv.mkDerivation rec {