Merge master into staging-next
This commit is contained in:
commit
4826e00f32
@ -6186,6 +6186,12 @@
|
||||
github = "meutraa";
|
||||
githubId = 68550871;
|
||||
};
|
||||
mephistophiles = {
|
||||
email = "mussitantesmortem@gmail.com";
|
||||
name = "Maxim Zhukov";
|
||||
github = "Mephistophiles";
|
||||
githubId = 4850908;
|
||||
};
|
||||
mfossen = {
|
||||
email = "msfossen@gmail.com";
|
||||
github = "mfossen";
|
||||
|
@ -23,6 +23,9 @@
|
||||
Support is planned until the end of December 2021, handing over to 21.11.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>The default Linux kernel was updated to the 5.10 LTS series, coming from the 5.4 LTS series.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>GNOME desktop environment was upgraded to 3.38, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">release notes</link>.</para>
|
||||
</listitem>
|
||||
|
@ -49,7 +49,7 @@ in {
|
||||
rt5677-firmware
|
||||
rtl8723bs-firmware
|
||||
rtl8761b-firmware
|
||||
rtlwifi_new-firmware
|
||||
rtw88-firmware
|
||||
zd1211fw
|
||||
alsa-firmware
|
||||
sof-firmware
|
||||
|
@ -949,6 +949,7 @@
|
||||
./services/web-servers/nginx/default.nix
|
||||
./services/web-servers/nginx/gitweb.nix
|
||||
./services/web-servers/phpfpm/default.nix
|
||||
./services/web-servers/pomerium.nix
|
||||
./services/web-servers/unit/default.nix
|
||||
./services/web-servers/shellinabox.nix
|
||||
./services/web-servers/tomcat.nix
|
||||
|
131
nixos/modules/services/web-servers/pomerium.nix
Normal file
131
nixos/modules/services/web-servers/pomerium.nix
Normal file
@ -0,0 +1,131 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
format = pkgs.formats.yaml {};
|
||||
in
|
||||
{
|
||||
options.services.pomerium = {
|
||||
enable = mkEnableOption "the Pomerium authenticating reverse proxy";
|
||||
|
||||
configFile = mkOption {
|
||||
type = with types; nullOr path;
|
||||
default = null;
|
||||
description = "Path to Pomerium config YAML. If set, overrides services.pomerium.settings.";
|
||||
};
|
||||
|
||||
useACMEHost = mkOption {
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
description = ''
|
||||
If set, use a NixOS-generated ACME certificate with the specified name.
|
||||
|
||||
Note that this will require you to use a non-HTTP-based challenge, or
|
||||
disable Pomerium's in-built HTTP redirect server by setting
|
||||
http_redirect_addr to null and use a different HTTP server for serving
|
||||
the challenge response.
|
||||
|
||||
If you're using an HTTP-based challenge, you should use the
|
||||
Pomerium-native autocert option instead.
|
||||
'';
|
||||
};
|
||||
|
||||
settings = mkOption {
|
||||
description = ''
|
||||
The contents of Pomerium's config.yaml, in Nix expressions.
|
||||
|
||||
Specifying configFile will override this in its entirety.
|
||||
|
||||
See <link xlink:href="https://pomerium.io/reference/">the Pomerium
|
||||
configuration reference</link> for more information about what to put
|
||||
here.
|
||||
'';
|
||||
default = {};
|
||||
type = format.type;
|
||||
};
|
||||
|
||||
secretsFile = mkOption {
|
||||
type = with types; nullOr path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to file containing secrets for Pomerium, in systemd
|
||||
EnvironmentFile format. See the systemd.exec(5) man page.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = let
|
||||
cfg = config.services.pomerium;
|
||||
cfgFile = if cfg.configFile != null then cfg.configFile else (format.generate "pomerium.yaml" cfg.settings);
|
||||
in mkIf cfg.enable ({
|
||||
systemd.services.pomerium = {
|
||||
description = "Pomerium authenticating reverse proxy";
|
||||
wants = [ "network.target" ] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
|
||||
after = [ "network.target" ] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
environment = optionalAttrs (cfg.useACMEHost != null) {
|
||||
CERTIFICATE_FILE = "fullchain.pem";
|
||||
CERTIFICATE_KEY_FILE = "key.pem";
|
||||
};
|
||||
startLimitIntervalSec = 60;
|
||||
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
StateDirectory = [ "pomerium" ];
|
||||
ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
|
||||
|
||||
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
|
||||
MemoryDenyWriteExecute = false; # breaks LuaJIT
|
||||
|
||||
NoNewPrivileges = true;
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
DevicePolicy = "closed";
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelLogs = true;
|
||||
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
LockPersonality = true;
|
||||
SystemCallArchitectures = "native";
|
||||
|
||||
EnvironmentFile = cfg.secretsFile;
|
||||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
||||
|
||||
WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
|
||||
LoadCredential = optionals (cfg.useACMEHost != null) [
|
||||
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
|
||||
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
# postRun hooks on cert renew can't be used to restart Nginx since renewal
|
||||
# runs as the unprivileged acme user. sslTargets are added to wantedBy + before
|
||||
# which allows the acme-finished-$cert.target to signify the successful updating
|
||||
# of certs end-to-end.
|
||||
systemd.services.pomerium-config-reload = mkIf (cfg.useACMEHost != null) {
|
||||
# TODO(lukegb): figure out how to make config reloading work with credentials.
|
||||
|
||||
wantedBy = [ "acme-finished-${cfg.useACMEHost}.target" "multi-user.target" ];
|
||||
# Before the finished targets, after the renew services.
|
||||
before = [ "acme-finished-${cfg.useACMEHost}.target" ];
|
||||
after = [ "acme-${cfg.useACMEHost}.service" ];
|
||||
# Block reloading if not all certs exist yet.
|
||||
unitConfig.ConditionPathExists = [ "${certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
TimeoutSec = 60;
|
||||
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
|
||||
ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
|
||||
};
|
||||
};
|
||||
});
|
||||
}
|
@ -319,6 +319,7 @@ in
|
||||
plikd = handleTest ./plikd.nix {};
|
||||
plotinus = handleTest ./plotinus.nix {};
|
||||
podman = handleTestOn ["x86_64-linux"] ./podman.nix {};
|
||||
pomerium = handleTestOn ["x86_64-linux"] ./pomerium.nix {};
|
||||
postfix = handleTest ./postfix.nix {};
|
||||
postfix-raise-smtpd-tls-security-level = handleTest ./postfix-raise-smtpd-tls-security-level.nix {};
|
||||
postgis = handleTest ./postgis.nix {};
|
||||
|
102
nixos/tests/pomerium.nix
Normal file
102
nixos/tests/pomerium.nix
Normal file
@ -0,0 +1,102 @@
|
||||
import ./make-test-python.nix ({ pkgs, ... }: {
|
||||
name = "pomerium";
|
||||
meta = with pkgs.stdenv.lib.maintainers; {
|
||||
maintainers = [ lukegb ];
|
||||
};
|
||||
|
||||
nodes = let base = myIP: { pkgs, lib, ... }: {
|
||||
virtualisation.vlans = [ 1 ];
|
||||
networking = {
|
||||
dhcpcd.enable = false;
|
||||
firewall.allowedTCPPorts = [ 80 443 ];
|
||||
hosts = {
|
||||
"192.168.1.1" = [ "pomerium" "pom-auth" ];
|
||||
"192.168.1.2" = [ "backend" "dummy-oidc" ];
|
||||
};
|
||||
interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
|
||||
{ address = myIP; prefixLength = 24; }
|
||||
];
|
||||
};
|
||||
}; in {
|
||||
pomerium = { pkgs, lib, ... }: {
|
||||
imports = [ (base "192.168.1.1") ];
|
||||
services.pomerium = {
|
||||
enable = true;
|
||||
settings = {
|
||||
address = ":80";
|
||||
insecure_server = true;
|
||||
authenticate_service_url = "http://pom-auth";
|
||||
|
||||
idp_provider = "oidc";
|
||||
idp_scopes = [ "oidc" ];
|
||||
idp_client_id = "dummy";
|
||||
idp_provider_url = "http://dummy-oidc";
|
||||
|
||||
policy = [{
|
||||
from = "https://my.website";
|
||||
to = "http://192.168.1.2";
|
||||
allow_public_unauthenticated_access = true;
|
||||
preserve_host_header = true;
|
||||
} {
|
||||
from = "https://login.required";
|
||||
to = "http://192.168.1.2";
|
||||
allowed_domains = [ "my.domain" ];
|
||||
preserve_host_header = true;
|
||||
}];
|
||||
};
|
||||
secretsFile = pkgs.writeText "pomerium-secrets" ''
|
||||
# 12345678901234567890123456789012 in base64
|
||||
COOKIE_SECRET=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=
|
||||
IDP_CLIENT_SECRET=dummy
|
||||
'';
|
||||
};
|
||||
};
|
||||
backend = { pkgs, lib, ... }: {
|
||||
imports = [ (base "192.168.1.2") ];
|
||||
services.nginx.enable = true;
|
||||
services.nginx.virtualHosts."my.website" = {
|
||||
root = pkgs.runCommand "testdir" {} ''
|
||||
mkdir "$out"
|
||||
echo hello world > "$out/index.html"
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts."dummy-oidc" = {
|
||||
root = pkgs.runCommand "testdir" {} ''
|
||||
mkdir -p "$out/.well-known"
|
||||
cat <<EOF >"$out/.well-known/openid-configuration"
|
||||
{
|
||||
"issuer": "http://dummy-oidc",
|
||||
"authorization_endpoint": "http://dummy-oidc/auth.txt",
|
||||
"token_endpoint": "http://dummy-oidc/token",
|
||||
"jwks_uri": "http://dummy-oidc/jwks.json",
|
||||
"userinfo_endpoint": "http://dummy-oidc/userinfo",
|
||||
"id_token_signing_alg_values_supported": ["RS256"]
|
||||
}
|
||||
EOF
|
||||
echo hello I am login page >"$out/auth.txt"
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
testScript = { ... }: ''
|
||||
backend.wait_for_unit("nginx")
|
||||
backend.wait_for_open_port(80)
|
||||
|
||||
pomerium.wait_for_unit("pomerium")
|
||||
pomerium.wait_for_open_port(80)
|
||||
|
||||
with subtest("no authentication required"):
|
||||
pomerium.succeed(
|
||||
"curl --resolve my.website:80:127.0.0.1 http://my.website | grep -q 'hello world'"
|
||||
)
|
||||
|
||||
with subtest("login required"):
|
||||
pomerium.succeed(
|
||||
"curl -I --resolve login.required:80:127.0.0.1 http://login.required | grep -q pom-auth"
|
||||
)
|
||||
pomerium.succeed(
|
||||
"curl -L --resolve login.required:80:127.0.0.1 http://login.required | grep -q 'hello I am login page'"
|
||||
)
|
||||
'';
|
||||
})
|
@ -19,20 +19,20 @@
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "pika-backup";
|
||||
version = "0.2.2";
|
||||
version = "0.2.3";
|
||||
|
||||
src = fetchFromGitLab {
|
||||
domain = "gitlab.gnome.org";
|
||||
owner = "World";
|
||||
repo = "pika-backup";
|
||||
rev = "v${version}";
|
||||
sha256 = "16284gv31wdwmb99056962d1gh6xz26ami6synr47nsbbp5l0s6k";
|
||||
sha256 = "sha256-jy22eyuzM2y7vByT3TOlAUuTKtPepkB9iiHQT1YGQ88=";
|
||||
};
|
||||
|
||||
cargoDeps = rustPlatform.fetchCargoTarball {
|
||||
inherit src;
|
||||
name = "${pname}-${version}";
|
||||
sha256 = "12ymjwpxx3sdna8w5j9fnwwfk8ynk9ziwl0lkpq68y0vyllln5an";
|
||||
sha256 = "1ndcpgw18w3l5f7vv5vw8lxhgd5y1zxfarwnyfx13m7kcv8m3vyj";
|
||||
};
|
||||
|
||||
patches = [
|
||||
|
33
pkgs/applications/blockchains/crypto-org-wallet.nix
Normal file
33
pkgs/applications/blockchains/crypto-org-wallet.nix
Normal file
@ -0,0 +1,33 @@
|
||||
{ lib, fetchurl, makeDesktopItem, appimageTools, imagemagick }:
|
||||
|
||||
let
|
||||
pname = "chain-desktop-wallet";
|
||||
version = "0.1.1";
|
||||
name = "${pname}-${version}";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://github.com/crypto-com/${pname}/releases/download/v${version}/${name}-x86_64.AppImage";
|
||||
sha256 = "12076hf8dlz0hg1pb2ixwlslrh8gi6s1iawnvhnn6vz4jmjvq356";
|
||||
};
|
||||
|
||||
appimageContents = appimageTools.extractType2 { inherit name src; };
|
||||
in appimageTools.wrapType2 rec {
|
||||
inherit name src;
|
||||
|
||||
extraInstallCommands = ''
|
||||
mv $out/bin/${name} $out/bin/${pname}
|
||||
install -m 444 -D ${appimageContents}/${pname}.desktop $out/share/applications/${pname}.desktop
|
||||
${imagemagick}/bin/convert ${appimageContents}/${pname}.png -resize 512x512 ${pname}_512.png
|
||||
install -m 444 -D ${pname}_512.png $out/share/icons/hicolor/512x512/apps/${pname}.png
|
||||
substituteInPlace $out/share/applications/${pname}.desktop \
|
||||
--replace 'Exec=AppRun --no-sandbox %U' "Exec=$out/bin/${pname}"
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
description = "Crypto.org Chain desktop wallet (Beta)";
|
||||
homepage = "https://github.com/crypto-com/chain-desktop-wallet";
|
||||
license = licenses.asl20;
|
||||
maintainers = with maintainers; [ th0rgal ];
|
||||
platforms = [ "x86_64-linux" ];
|
||||
};
|
||||
}
|
@ -1,8 +1,8 @@
|
||||
{
|
||||
"stable": {
|
||||
"version": "89.0.4389.90",
|
||||
"sha256": "16i7bgk2jbcqs2p28nk5mlf0k6wah594pcsfm8b154nxbyf0iihi",
|
||||
"sha256bin64": "1hgpx7isp9krarj7jpbhs97ym4i9j9a1srywv9pdfzbhw6cid2pk",
|
||||
"version": "89.0.4389.114",
|
||||
"sha256": "007df9p78bbmk3iyfi8qn57mmn68qqrdhx6z8n2hl8ksd7lspw7j",
|
||||
"sha256bin64": "06wblyvyr93032fbzwm6qpzz4jjm6adziq4i4n6kmfdix2ajif8a",
|
||||
"deps": {
|
||||
"gn": {
|
||||
"version": "2021-01-07",
|
||||
|
@ -14,13 +14,13 @@
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "lagrange";
|
||||
version = "1.2.2";
|
||||
version = "1.3.0";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "skyjake";
|
||||
repo = "lagrange";
|
||||
rev = "v${version}";
|
||||
sha256 = "sha256-Y+BiXKxlUSZXaLcz75l333ZBkKyII9IyTmKQwjshBkE=";
|
||||
sha256 = "sha256-85KshJEL7ri10mSm/KgcT03WLEwRMMTGczb6mGx66Jw=";
|
||||
fetchSubmodules = true;
|
||||
};
|
||||
|
||||
|
@ -26,6 +26,7 @@
|
||||
, libuuid
|
||||
, libxcb
|
||||
, libxkbcommon
|
||||
, libxshmfence
|
||||
, mesa
|
||||
, nspr
|
||||
, nss
|
||||
@ -117,6 +118,7 @@ let
|
||||
xorg.libXi
|
||||
xorg.libXrandr
|
||||
xorg.libXrender
|
||||
xorg.libxshmfence
|
||||
xorg.libXtst
|
||||
xorg.libxkbfile
|
||||
] + ":${stdenv.cc.cc.lib}/lib64";
|
||||
|
26
pkgs/applications/window-managers/i3/auto-layout.nix
Normal file
26
pkgs/applications/window-managers/i3/auto-layout.nix
Normal file
@ -0,0 +1,26 @@
|
||||
{ lib, rustPlatform, fetchFromGitHub }:
|
||||
|
||||
rustPlatform.buildRustPackage rec {
|
||||
pname = "i3-auto-layout";
|
||||
version = "0.2";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "chmln";
|
||||
repo = pname;
|
||||
rev = "v${version}";
|
||||
sha256 = "0ps08lga6qkgc8cgf5cx2lgwlqcnd2yazphh9xd2fznnzrllfxxz";
|
||||
};
|
||||
|
||||
cargoSha256 = "1ch5mh515rlqmr65x96xcvrx6iaigqgjxc7sbwbznzkc5kmvwhc0";
|
||||
|
||||
# Currently no tests are implemented, so we avoid building the package twice
|
||||
doCheck = false;
|
||||
|
||||
meta = with lib; {
|
||||
description = "Automatic, optimal tiling for i3wm";
|
||||
homepage = "https://github.com/chmln/i3-auto-layout";
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ mephistophiles ];
|
||||
platforms = platforms.linux;
|
||||
};
|
||||
}
|
@ -203,7 +203,9 @@ let
|
||||
qtvirtualkeyboard = callPackage ../modules/qtvirtualkeyboard.nix {};
|
||||
qtwayland = callPackage ../modules/qtwayland.nix {};
|
||||
qtwebchannel = callPackage ../modules/qtwebchannel.nix {};
|
||||
qtwebengine = callPackage ../modules/qtwebengine.nix {};
|
||||
qtwebengine = callPackage ../modules/qtwebengine.nix {
|
||||
inherit (srcs.qtwebengine) version;
|
||||
};
|
||||
qtwebglplugin = callPackage ../modules/qtwebglplugin.nix {};
|
||||
qtwebkit = callPackage ../modules/qtwebkit.nix {};
|
||||
qtwebsockets = callPackage ../modules/qtwebsockets.nix {};
|
||||
|
@ -17,6 +17,7 @@
|
||||
, cups, darwin, openbsm, runCommand, xcbuild, writeScriptBin
|
||||
, ffmpeg_3 ? null
|
||||
, lib, stdenv, fetchpatch
|
||||
, version ? null
|
||||
, qtCompatVersion
|
||||
}:
|
||||
|
||||
@ -230,6 +231,9 @@ qtModule {
|
||||
[Paths]
|
||||
Prefix = ..
|
||||
EOF
|
||||
'' + lib.optionalString (lib.versions.majorMinor qtCompatVersion == "5.15") ''
|
||||
# Fix for out-of-sync QtWebEngine and Qt releases (since 5.15.3)
|
||||
sed 's/${lib.head (lib.splitString "-" version)} /${qtCompatVersion} /' -i "$out"/lib/cmake/*/*Config.cmake
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
|
34
pkgs/development/libraries/zlib-ng/default.nix
Normal file
34
pkgs/development/libraries/zlib-ng/default.nix
Normal file
@ -0,0 +1,34 @@
|
||||
{ lib, stdenv, fetchFromGitHub
|
||||
, cmake, pkg-config
|
||||
, withZlibCompat ? false
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "zlib-ng";
|
||||
version = "2.0.2";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "zlib-ng";
|
||||
repo = "zlib-ng";
|
||||
rev = version;
|
||||
sha256 = "1cl6asrav2512j7p02zcpibywjljws0m7aazvb3q2r9qiyvyswji";
|
||||
};
|
||||
|
||||
outputs = [ "out" "dev" "bin" ];
|
||||
|
||||
nativeBuildInputs = [ cmake pkg-config ];
|
||||
|
||||
cmakeFlags = [
|
||||
"-DCMAKE_INSTALL_PREFIX=/"
|
||||
"-DBUILD_SHARED_LIBS=ON"
|
||||
"-DINSTALL_UTILS=ON"
|
||||
] ++ lib.optionals withZlibCompat [ "-DZLIB_COMPAT=ON" ];
|
||||
|
||||
meta = with lib; {
|
||||
description = "zlib data compression library for the next generation systems";
|
||||
homepage = "https://github.com/zlib-ng/zlib-ng";
|
||||
license = licenses.zlib;
|
||||
platforms = platforms.all;
|
||||
maintainers = with maintainers; [ izorkin ];
|
||||
};
|
||||
}
|
@ -13,11 +13,11 @@
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "boto3";
|
||||
version = "1.17.40"; # N.B: if you change this, change botocore and awscli to a matching version
|
||||
version = "1.17.41"; # N.B: if you change this, change botocore and awscli to a matching version
|
||||
|
||||
src = fetchPypi {
|
||||
inherit pname version;
|
||||
sha256 = "sha256-7pmbRrLGMOUOewUtbf4iQgOjSNg7AOFoylAAmvDydsE=";
|
||||
sha256 = "sha256-2FsOBdfelhabACS3aykr5isB729cqFOlElBjRrgtKrs=";
|
||||
};
|
||||
|
||||
propagatedBuildInputs = [ botocore jmespath s3transfer ] ++ lib.optionals (!isPy3k) [ futures ];
|
||||
|
@ -13,11 +13,11 @@
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "botocore";
|
||||
version = "1.20.40"; # N.B: if you change this, change boto3 and awscli to a matching version
|
||||
version = "1.20.41"; # N.B: if you change this, change boto3 and awscli to a matching version
|
||||
|
||||
src = fetchPypi {
|
||||
inherit pname version;
|
||||
sha256 = "sha256-ajWpl3zb16g52UjdX549JgwZt93nTgqETJcgaITTu6A=";
|
||||
sha256 = "sha256-Y/ZQ/Ja84UHoGUp2HmiQ/qL7puASU676Ma5p8UUBXCE=";
|
||||
};
|
||||
|
||||
propagatedBuildInputs = [
|
||||
|
@ -10,6 +10,7 @@
|
||||
, protobuf3-to-dict
|
||||
, smdebug-rulesconfig
|
||||
, pandas
|
||||
, packaging
|
||||
}:
|
||||
|
||||
buildPythonPackage rec {
|
||||
@ -32,6 +33,7 @@ buildPythonPackage rec {
|
||||
google-pasta
|
||||
importlib-metadata
|
||||
numpy
|
||||
packaging
|
||||
protobuf
|
||||
protobuf3-to-dict
|
||||
smdebug-rulesconfig
|
||||
|
@ -2,11 +2,11 @@
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "heroku";
|
||||
version = "7.47.11";
|
||||
version = "7.51.0";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://cli-assets.heroku.com/heroku-v${version}/heroku-v${version}.tar.xz";
|
||||
sha256 = "1inf2radpkd9jndap91cw0wbb2qmi71i287vyydl492372cf3cs2";
|
||||
sha256 = "0wcqk4iy4r57k6fd6l0732yp5mclqfla1lfvx96ay45jnhh7rknx";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ makeWrapper ];
|
||||
|
@ -2,21 +2,23 @@
|
||||
|
||||
let
|
||||
|
||||
major = "2020";
|
||||
minor = "11";
|
||||
patch = "23";
|
||||
major = "2021";
|
||||
minor = "03";
|
||||
patch.seriousproton = "30";
|
||||
patch.emptyepsilon = "31";
|
||||
|
||||
version = "${major}.${minor}.${patch}";
|
||||
version.seriousproton = "${major}.${minor}.${patch.seriousproton}";
|
||||
version.emptyepsilon = "${major}.${minor}.${patch.emptyepsilon}";
|
||||
|
||||
serious-proton = stdenv.mkDerivation {
|
||||
pname = "serious-proton";
|
||||
inherit version;
|
||||
version = version.seriousproton;
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "daid";
|
||||
repo = "SeriousProton";
|
||||
rev = "EE-${version}";
|
||||
sha256 = "sha256-/gwJPlvvOCv5XIsiVgZ8Eb/7vgwG/V+s/soGVCfYrwo=";
|
||||
rev = "EE-${version.seriousproton}";
|
||||
sha256 = "sha256-wxb/CxJ/HKsVngeahjygZFPMMxitkHdVD0EQ3svxgIU=";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ cmake ];
|
||||
@ -36,13 +38,13 @@ in
|
||||
|
||||
stdenv.mkDerivation {
|
||||
pname = "empty-epsilon";
|
||||
inherit version;
|
||||
version = version.emptyepsilon;
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "daid";
|
||||
repo = "EmptyEpsilon";
|
||||
rev = "EE-${version}";
|
||||
sha256 = "sha256-HbF6xThR+ogNHbAcXF03DaBhwVhNEr5BJO7jeeVZH/o=";
|
||||
rev = "EE-${version.emptyepsilon}";
|
||||
sha256 = "sha256-x0XJPMU0prubTb4ti/W/dH5P9abNwbjqkeUhKQpct9o=";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ cmake ];
|
||||
@ -50,10 +52,10 @@ stdenv.mkDerivation {
|
||||
|
||||
cmakeFlags = [
|
||||
"-DSERIOUS_PROTON_DIR=${serious-proton.src}"
|
||||
"-DCPACK_PACKAGE_VERSION=${version}"
|
||||
"-DCPACK_PACKAGE_VERSION=${version.emptyepsilon}"
|
||||
"-DCPACK_PACKAGE_VERSION_MAJOR=${major}"
|
||||
"-DCPACK_PACKAGE_VERSION_MINOR=${minor}"
|
||||
"-DCPACK_PACKAGE_VERSION_PATCH=${patch}"
|
||||
"-DCPACK_PACKAGE_VERSION_PATCH=${patch.emptyepsilon}"
|
||||
];
|
||||
|
||||
meta = with lib; {
|
||||
|
@ -106,6 +106,7 @@ in buildFHSUserEnv rec {
|
||||
gst_all_1.gst-plugins-ugly
|
||||
gst_all_1.gst-plugins-base
|
||||
libdrm
|
||||
libxkbcommon # paradox launcher
|
||||
mono
|
||||
xorg.xkeyboardconfig
|
||||
xorg.libpciaccess
|
||||
@ -205,7 +206,6 @@ in buildFHSUserEnv rec {
|
||||
libidn
|
||||
tbb
|
||||
wayland
|
||||
libxkbcommon
|
||||
|
||||
# Other things from runtime
|
||||
flac
|
||||
|
@ -13,15 +13,15 @@
|
||||
},
|
||||
"5.10": {
|
||||
"extra": "-hardened1",
|
||||
"name": "linux-hardened-5.10.25-hardened1.patch",
|
||||
"sha256": "0d5fid229769frifr7g20ly553gxdqqvajfwyzqwjpr82jjzxlis",
|
||||
"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.25-hardened1/linux-hardened-5.10.25-hardened1.patch"
|
||||
"name": "linux-hardened-5.10.26-hardened1.patch",
|
||||
"sha256": "08f4yks3fjv5zi85zbxa3aqfllb6nbr58hm6kchd83l6rknnix4r",
|
||||
"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.26-hardened1/linux-hardened-5.10.26-hardened1.patch"
|
||||
},
|
||||
"5.11": {
|
||||
"extra": "-hardened1",
|
||||
"name": "linux-hardened-5.11.9-hardened1.patch",
|
||||
"sha256": "169jcalr81ckad08vx489h8j6k42s0rzxbpkr6knyrd7rv06ddk0",
|
||||
"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.11.9-hardened1/linux-hardened-5.11.9-hardened1.patch"
|
||||
"name": "linux-hardened-5.11.10-hardened1.patch",
|
||||
"sha256": "16083fvl5km751dps7mzjc2fl1qp9jqnyn7lg8jlfxc8w32bbxwv",
|
||||
"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.11.10-hardened1/linux-hardened-5.11.10-hardened1.patch"
|
||||
},
|
||||
"5.4": {
|
||||
"extra": "-hardened1",
|
||||
|
@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
|
||||
buildLinux (args // rec {
|
||||
version = "5.11.9";
|
||||
version = "5.11.10";
|
||||
|
||||
# modDirVersion needs to be x.y.z, will automatically add .0 if needed
|
||||
modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
|
||||
@ -13,6 +13,6 @@ buildLinux (args // rec {
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
|
||||
sha256 = "0dcqn6s85sd4zl7rv8ay88p5z12xvy2rma0dx6g6b480rg68sxal";
|
||||
sha256 = "07fw48sy8p17jmm24x3rl99cwxiwhwjrxnmy3g542w9kzawaqwnk";
|
||||
};
|
||||
} // (args.argsOverride or {}))
|
||||
|
@ -6,7 +6,7 @@
|
||||
, ... } @ args:
|
||||
|
||||
let
|
||||
version = "5.10.21-rt34"; # updated by ./update-rt.sh
|
||||
version = "5.10.25-rt35"; # updated by ./update-rt.sh
|
||||
branch = lib.versions.majorMinor version;
|
||||
kversion = builtins.elemAt (lib.splitString "-" version) 0;
|
||||
in buildLinux (args // {
|
||||
@ -18,14 +18,14 @@ in buildLinux (args // {
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
|
||||
sha256 = "1bz2gmyvpl4vsk0r6fsnh451fzvvfbv63rw8ia75gfv52vzyczwy";
|
||||
sha256 = "1p8s8vp5b6vjmvhj3plm0pr0d9qp5lrwm6l40a4bjr1vk9myf2lk";
|
||||
};
|
||||
|
||||
kernelPatches = let rt-patch = {
|
||||
name = "rt";
|
||||
patch = fetchurl {
|
||||
url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
|
||||
sha256 = "12c2qpifcgij7hilhd7xrnqaz04gqf41m93pmlm8cv4nxz58cy36";
|
||||
sha256 = "0kvawcyxg0xzhx73xs9g9s0hr7bs44sy4zvfzvcg2m9hdyafry0k";
|
||||
};
|
||||
}; in [ rt-patch ] ++ lib.remove rt-patch kernelPatches;
|
||||
|
||||
|
@ -6,6 +6,7 @@
|
||||
, go
|
||||
, ninja
|
||||
, python3
|
||||
, nixosTests
|
||||
}:
|
||||
|
||||
let
|
||||
@ -110,6 +111,11 @@ buildBazelPackage rec {
|
||||
"--cxxopt=-Wno-uninitialized"
|
||||
];
|
||||
|
||||
passthru.tests = {
|
||||
# No tests for Envoy itself (yet), but it's tested as a core component of Pomerium.
|
||||
inherit (nixosTests) pomerium;
|
||||
};
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "https://envoyproxy.io";
|
||||
description = "Cloud-native edge and service proxy";
|
||||
|
@ -1,6 +1,6 @@
|
||||
{ callPackage, ... }@args:
|
||||
|
||||
callPackage ./generic.nix args {
|
||||
version = "1.19.8";
|
||||
sha256 = "01cb6hsaik1sfjihbrldmwrcn54gk4plfy350sl1b4rml6qik29h";
|
||||
version = "1.19.9";
|
||||
sha256 = "0hfqqyfgqa6wqazmb3d434nb3r5p8szfisa0m6nfh9lqdbqdyd9f";
|
||||
}
|
||||
|
80
pkgs/servers/http/pomerium/default.nix
Normal file
80
pkgs/servers/http/pomerium/default.nix
Normal file
@ -0,0 +1,80 @@
|
||||
{ buildGoModule
|
||||
, fetchFromGitHub
|
||||
, lib
|
||||
, envoy
|
||||
, zip
|
||||
, nixosTests
|
||||
}:
|
||||
|
||||
let
|
||||
inherit (lib) concatStringsSep mapAttrsToList;
|
||||
in
|
||||
buildGoModule rec {
|
||||
pname = "pomerium";
|
||||
version = "0.13.3";
|
||||
src = fetchFromGitHub {
|
||||
owner = "pomerium";
|
||||
repo = "pomerium";
|
||||
rev = "v${version}";
|
||||
hash = "sha256-g0w1aIHvf2rJANvGWHeUxdnyCDsvy/PQ9Kp8nDdT/0w=";
|
||||
};
|
||||
|
||||
vendorSha256 = "sha256-grihU85OcGyf9/KKrv87xZonX5r+Z1oHQTf84Ya61fg=";
|
||||
subPackages = [
|
||||
"cmd/pomerium"
|
||||
"cmd/pomerium-cli"
|
||||
];
|
||||
|
||||
buildFlagsArray = let
|
||||
# Set a variety of useful meta variables for stamping the build with.
|
||||
setVars = {
|
||||
Version = "v${version}";
|
||||
BuildMeta = "nixpkgs";
|
||||
ProjectName = "pomerium";
|
||||
ProjectURL = "github.com/pomerium/pomerium";
|
||||
};
|
||||
varFlags = concatStringsSep " " (mapAttrsToList (name: value: "-X github.com/pomerium/pomerium/internal/version.${name}=${value}") setVars);
|
||||
in [
|
||||
"-ldflags=${varFlags}"
|
||||
];
|
||||
|
||||
nativeBuildInputs = [
|
||||
zip
|
||||
];
|
||||
|
||||
# Pomerium expects to have envoy append to it in a zip.
|
||||
# We use a store-only (-0) zip, so that the Nix scanner can find any store references we had in the envoy binary.
|
||||
postBuild = ''
|
||||
# Append Envoy
|
||||
pushd $NIX_BUILD_TOP
|
||||
mkdir -p envoy
|
||||
cd envoy
|
||||
cp ${envoy}/bin/envoy envoy
|
||||
zip -0 envoy.zip envoy
|
||||
popd
|
||||
|
||||
mv $GOPATH/bin/pomerium $GOPATH/bin/pomerium.old
|
||||
cat $GOPATH/bin/pomerium.old $NIX_BUILD_TOP/envoy/envoy.zip >$GOPATH/bin/pomerium
|
||||
zip --adjust-sfx $GOPATH/bin/pomerium
|
||||
'';
|
||||
|
||||
# We also need to set dontStrip to avoid having the envoy ZIP stripped off the end.
|
||||
dontStrip = true;
|
||||
|
||||
installPhase = ''
|
||||
install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
|
||||
install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
|
||||
'';
|
||||
|
||||
passthru.tests = {
|
||||
inherit (nixosTests) pomerium;
|
||||
};
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "https://pomerium.io";
|
||||
description = "Authenticating reverse proxy";
|
||||
license = licenses.asl20;
|
||||
maintainers = with maintainers; [ lukegb ];
|
||||
platforms = [ "x86_64-linux" ]; # Envoy derivation is x86_64-linux only.
|
||||
};
|
||||
}
|
@ -5,15 +5,15 @@
|
||||
, git, nix, nixfmt, jq, coreutils, gnused, curl, cacert }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
version = "2021-03-28";
|
||||
version = "2021-03-31";
|
||||
pname = "oh-my-zsh";
|
||||
rev = "69507c9518f7c7889d8f47ec8e67bfda02405817";
|
||||
rev = "2b1d4122796fea12dcaa7545cfca59fb43e6393e";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
inherit rev;
|
||||
owner = "ohmyzsh";
|
||||
repo = "ohmyzsh";
|
||||
sha256 = "0p5jjynwnf6yh2n0z46avavy7kb7dlqd145hd1qakig7csaclphd";
|
||||
sha256 = "1c1hcmvfrfwds1zn165vpfh11a19s6kb20bxy2dzpby5cs15g6bc";
|
||||
};
|
||||
|
||||
installPhase = ''
|
||||
|
@ -21,11 +21,11 @@ let
|
||||
in
|
||||
with py.pkgs; buildPythonApplication rec {
|
||||
pname = "awscli";
|
||||
version = "1.19.40"; # N.B: if you change this, change botocore and boto3 to a matching version too
|
||||
version = "1.19.41"; # N.B: if you change this, change botocore and boto3 to a matching version too
|
||||
|
||||
src = fetchPypi {
|
||||
inherit pname version;
|
||||
sha256 = "sha256-J1IuTA/DrBCDclRA3cjAU71Um4Eygjgo+rMTyvT/my4=";
|
||||
sha256 = "sha256-DKKE2iMn6BHmcohHY6Uv7q9Om8FkbTbsk0CaxueBJHA=";
|
||||
};
|
||||
|
||||
# https://github.com/aws/aws-cli/issues/4837
|
||||
|
@ -2,11 +2,11 @@
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "abcMIDI";
|
||||
version = "2021.03.27";
|
||||
version = "2021.03.30";
|
||||
|
||||
src = fetchzip {
|
||||
url = "https://ifdo.ca/~seymour/runabc/${pname}-${version}.zip";
|
||||
sha256 = "sha256-dOUdxH1jJUr9MkU6mf0nwbjY5NYUJpHGkjUZWbRSGsw=";
|
||||
sha256 = "sha256-eOQbvs/mtFn7AmvSezO/jRm8+cO5tF7ggcF9DwwfqVc=";
|
||||
};
|
||||
|
||||
meta = with lib; {
|
||||
|
@ -2,16 +2,16 @@
|
||||
|
||||
buildGoModule rec {
|
||||
pname = "oneshot";
|
||||
version = "1.3.1";
|
||||
version = "1.4.1";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "raphaelreyna";
|
||||
repo = "oneshot";
|
||||
rev = "v${version}";
|
||||
sha256 = "047mncv9abs4xj7bh9lhc3wan37cldjjyrpkis7pvx6zhzml74kf";
|
||||
sha256 = "sha256-UD67xYBb1rvGMSPurte5z2Hcd7+JtXDPbgp3BVBdLuk=";
|
||||
};
|
||||
|
||||
vendorSha256 = "1cxr96yrrmz37r542mc5376jll9lqjqm18k8761h9jqfbzmh9rkp";
|
||||
vendorSha256 = "sha256-d+YE618OywSDOWiiULHENFEqzRmFVUFKPuPXnL1JubM=";
|
||||
|
||||
doCheck = false;
|
||||
|
||||
|
@ -12,16 +12,16 @@
|
||||
|
||||
rustPlatform.buildRustPackage rec {
|
||||
pname = "prs";
|
||||
version = "0.2.6";
|
||||
version = "0.2.7";
|
||||
|
||||
src = fetchFromGitLab {
|
||||
owner = "timvisee";
|
||||
repo = "prs";
|
||||
rev = "v${version}";
|
||||
sha256 = "sha256-2fpR9XCcKby+hI7Dzpr2qi1QgOzdgJp0Um57tQmi01A=";
|
||||
sha256 = "sha256-1Jrgf5UW6k0x3q6kQIB6Q7moOhConEnUU9r+21W5Uu8=";
|
||||
};
|
||||
|
||||
cargoSha256 = "sha256-0oWNGrJ24gPkPp5PR/pQ1tIYkXztQJFAdPz162V5THY=";
|
||||
cargoSha256 = "sha256-N3pLW/OGeurrl+AlwdfbZ3T7WzEOAuyUMdIR164Xp7k=";
|
||||
|
||||
postPatch = ''
|
||||
# The GPGME backend is recommended
|
||||
|
35
pkgs/tools/video/play-with-mpv/default.nix
Normal file
35
pkgs/tools/video/play-with-mpv/default.nix
Normal file
@ -0,0 +1,35 @@
|
||||
{ lib, python3Packages, fetchFromGitHub, fetchurl, youtube-dl, git }:
|
||||
|
||||
let
|
||||
install_freedesktop = fetchurl {
|
||||
url = "https://github.com/thann/install_freedesktop/tarball/2673e8da4a67bee0ffc52a0ea381a541b4becdd4";
|
||||
sha256 = "0j8d5jdcyqbl5p6sc1ags86v3hr2sghmqqi99d1mvc064g90ckrv";
|
||||
};
|
||||
in
|
||||
python3Packages.buildPythonApplication rec {
|
||||
pname = "play-with-mpv";
|
||||
version = "unstable-2020-05-18";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "thann";
|
||||
repo = "play-with-mpv";
|
||||
rev = "656448e03fe9de9e8bd21959f2a3b47c4acb8c3e";
|
||||
sha256 = "1qma8b3lnkdhxdjsnrq7n9zgy53q62j4naaqqs07kjxbn72zb4p4";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ git ];
|
||||
propagatedBuildInputs = [ youtube-dl ];
|
||||
|
||||
postPatch = ''
|
||||
substituteInPlace setup.py --replace \
|
||||
'"https://github.com/thann/install_freedesktop/tarball/master#egg=install_freedesktop-0.2.0"' \
|
||||
'"file://${install_freedesktop}#egg=install_freedesktop-0.2.0"'
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
description = "Chrome extension and python server that allows you to play videos in webpages with MPV instead";
|
||||
homepage = "https://github.com/Thann/play-with-mpv";
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ dawidsowa ];
|
||||
};
|
||||
}
|
@ -1496,6 +1496,8 @@ in
|
||||
|
||||
pebble = callPackage ../tools/admin/pebble { };
|
||||
|
||||
play-with-mpv = callPackage ../tools/video/play-with-mpv { };
|
||||
|
||||
reattach-to-user-namespace = callPackage ../os-specific/darwin/reattach-to-user-namespace {};
|
||||
|
||||
skhd = callPackage ../os-specific/darwin/skhd {
|
||||
@ -17781,6 +17783,8 @@ in
|
||||
|
||||
zlib = callPackage ../development/libraries/zlib { };
|
||||
|
||||
zlib-ng = callPackage ../development/libraries/zlib-ng { };
|
||||
|
||||
libdynd = callPackage ../development/libraries/libdynd { };
|
||||
|
||||
zlog = callPackage ../development/libraries/zlog { };
|
||||
@ -18535,6 +18539,8 @@ in
|
||||
};
|
||||
pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { };
|
||||
|
||||
pomerium = callPackage ../servers/http/pomerium { };
|
||||
|
||||
postgrey = callPackage ../servers/mail/postgrey { };
|
||||
|
||||
pshs = callPackage ../servers/http/pshs { };
|
||||
@ -19889,7 +19895,7 @@ in
|
||||
});
|
||||
|
||||
# The current default kernel / kernel modules.
|
||||
linuxPackages = linuxPackages_5_4;
|
||||
linuxPackages = linuxPackages_5_10;
|
||||
linux = linuxPackages.kernel;
|
||||
|
||||
# Update this when adding the newest kernel major version!
|
||||
@ -23364,6 +23370,8 @@ in
|
||||
xcb-util-cursor = if stdenv.isDarwin then xcb-util-cursor-HEAD else xcb-util-cursor;
|
||||
};
|
||||
|
||||
i3-auto-layout = callPackage ../applications/window-managers/i3/auto-layout.nix { };
|
||||
|
||||
i3-gaps = callPackage ../applications/window-managers/i3/gaps.nix { };
|
||||
|
||||
i3altlayout = callPackage ../applications/window-managers/i3/altlayout.nix { };
|
||||
@ -28624,6 +28632,8 @@ in
|
||||
|
||||
cryptoverif = callPackage ../applications/science/logic/cryptoverif { };
|
||||
|
||||
crypto-org-wallet = callPackage ../applications/blockchains/crypto-org-wallet.nix { };
|
||||
|
||||
caprice32 = callPackage ../misc/emulators/caprice32 { };
|
||||
|
||||
cubicle = callPackage ../applications/science/logic/cubicle {
|
||||
|
Loading…
Reference in New Issue
Block a user