Merge master into staging-next

github-actions[bot] 2021-03-31 18:15:00 +00:00 committed by GitHub
commit 4826e00f32
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
35 changed files with 536 additions and 56 deletions


@ -6186,6 +6186,12 @@
github = "meutraa";
githubId = 68550871;
};
mephistophiles = {
email = "mussitantesmortem@gmail.com";
name = "Maxim Zhukov";
github = "Mephistophiles";
githubId = 4850908;
};
mfossen = {
email = "msfossen@gmail.com";
github = "mfossen";


@ -23,6 +23,9 @@
Support is planned until the end of December 2021, handing over to 21.11.
</para>
</listitem>
<listitem>
<para>The default Linux kernel was updated to the 5.10 LTS series, coming from the 5.4 LTS series.</para>
</listitem>
<listitem>
<para>GNOME desktop environment was upgraded to 3.38, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">release notes</link>.</para>
</listitem>


@ -49,7 +49,7 @@ in {
rt5677-firmware
rtl8723bs-firmware
rtl8761b-firmware
rtlwifi_new-firmware
rtw88-firmware
zd1211fw
alsa-firmware
sof-firmware


@ -949,6 +949,7 @@
./services/web-servers/nginx/default.nix
./services/web-servers/nginx/gitweb.nix
./services/web-servers/phpfpm/default.nix
./services/web-servers/pomerium.nix
./services/web-servers/unit/default.nix
./services/web-servers/shellinabox.nix
./services/web-servers/tomcat.nix


@ -0,0 +1,131 @@
{ config, lib, pkgs, ... }:
with lib;
let
format = pkgs.formats.yaml {};
in
{
options.services.pomerium = {
enable = mkEnableOption "the Pomerium authenticating reverse proxy";
configFile = mkOption {
type = with types; nullOr path;
default = null;
description = "Path to Pomerium config YAML. If set, overrides services.pomerium.settings.";
};
useACMEHost = mkOption {
type = with types; nullOr str;
default = null;
description = ''
If set, use a NixOS-generated ACME certificate with the specified name.
Note that this will require you to use a non-HTTP-based challenge, or
disable Pomerium's in-built HTTP redirect server by setting
http_redirect_addr to null and use a different HTTP server for serving
the challenge response.
If you're using an HTTP-based challenge, you should use the
Pomerium-native autocert option instead.
'';
};
settings = mkOption {
description = ''
The contents of Pomerium's config.yaml, in Nix expressions.
Specifying configFile will override this in its entirety.
See <link xlink:href="https://pomerium.io/reference/">the Pomerium
configuration reference</link> for more information about what to put
here.
'';
default = {};
type = format.type;
};
secretsFile = mkOption {
type = with types; nullOr path;
default = null;
description = ''
Path to file containing secrets for Pomerium, in systemd
EnvironmentFile format. See the systemd.exec(5) man page.
'';
};
};
config = let
cfg = config.services.pomerium;
cfgFile = if cfg.configFile != null then cfg.configFile else (format.generate "pomerium.yaml" cfg.settings);
in mkIf cfg.enable ({
systemd.services.pomerium = {
description = "Pomerium authenticating reverse proxy";
wants = [ "network.target" ] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
after = [ "network.target" ] ++ (optional (cfg.useACMEHost != null) "acme-finished-${cfg.useACMEHost}.target");
wantedBy = [ "multi-user.target" ];
environment = optionalAttrs (cfg.useACMEHost != null) {
CERTIFICATE_FILE = "fullchain.pem";
CERTIFICATE_KEY_FILE = "key.pem";
};
startLimitIntervalSec = 60;
serviceConfig = {
DynamicUser = true;
StateDirectory = [ "pomerium" ];
ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute = false; # breaks LuaJIT
NoNewPrivileges = true;
PrivateTmp = true;
PrivateDevices = true;
DevicePolicy = "closed";
ProtectSystem = "strict";
ProtectHome = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectKernelLogs = true;
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
LockPersonality = true;
SystemCallArchitectures = "native";
EnvironmentFile = cfg.secretsFile;
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
LoadCredential = optionals (cfg.useACMEHost != null) [
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
];
};
};
# postRun hooks on cert renew can't be used to restart Nginx since renewal
# runs as the unprivileged acme user. sslTargets are added to wantedBy + before
# which allows the acme-finished-$cert.target to signify the successful updating
# of certs end-to-end.
systemd.services.pomerium-config-reload = mkIf (cfg.useACMEHost != null) {
# TODO(lukegb): figure out how to make config reloading work with credentials.
wantedBy = [ "acme-finished-${cfg.useACMEHost}.target" "multi-user.target" ];
# Before the finished targets, after the renew services.
before = [ "acme-finished-${cfg.useACMEHost}.target" ];
after = [ "acme-${cfg.useACMEHost}.service" ];
# Block reloading if not all certs exist yet.
unitConfig.ConditionPathExists = [ "${certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];
serviceConfig = {
Type = "oneshot";
TimeoutSec = 60;
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
};
};
});
}
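Review bot: `certs` in the `ConditionPathExists` line of `pomerium-config-reload` is not bound anywhere in this file (the only `let` names are `format`, `cfg` and `cfgFile`), so evaluation would presumably fail as soon as `useACMEHost` is set. The ACME module exposes certificate directories under `config.security.acme.certs`, so the line could read `unitConfig.ConditionPathExists = [ "${config.security.acme.certs.${cfg.useACMEHost}.directory}/fullchain.pem" ];`. Separately, the `secretsFile` description should state that the file has to live outside the Nix store, because a path literal or a `pkgs.writeText` result is copied into the world-readable store. The comment above `pomerium-config-reload` still talks about restarting Nginx and should name Pomerium.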


@ -319,6 +319,7 @@ in
plikd = handleTest ./plikd.nix {};
plotinus = handleTest ./plotinus.nix {};
podman = handleTestOn ["x86_64-linux"] ./podman.nix {};
pomerium = handleTestOn ["x86_64-linux"] ./pomerium.nix {};
postfix = handleTest ./postfix.nix {};
postfix-raise-smtpd-tls-security-level = handleTest ./postfix-raise-smtpd-tls-security-level.nix {};
postgis = handleTest ./postgis.nix {};

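--- a/nixos/tests/pomerium.nix
+++ b/nixos/tests/pomerium.nix
@@ -0,0 +1,102 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+name = "pomerium";
+meta = with pkgs.stdenv.lib.maintainers; {
+maintainers = [ lukegb ];
+};
+nodes = let base = myIP: { pkgs, lib, ... }: {
+virtualisation.vlans = [ 1 ];
+networking = {
+dhcpcd.enable = false;
+firewall.allowedTCPPorts = [ 80 443 ];
+hosts = {
+"192.168.1.1" = [ "pomerium" "pom-auth" ];
+"192.168.1.2" = [ "backend" "dummy-oidc" ];
+};
+interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [
+{ address = myIP; prefixLength = 24; }
+];
+};
+}; in {
+pomerium = { pkgs, lib, ... }: {
+imports = [ (base "192.168.1.1") ];
+services.pomerium = {
+enable = true;
+settings = {
+address = ":80";
+insecure_server = true;
+authenticate_service_url = "http://pom-auth";
+idp_provider = "oidc";
+idp_scopes = [ "oidc" ];
+idp_client_id = "dummy";
+idp_provider_url = "http://dummy-oidc";
+policy = [{
+from = "https://my.website";
+to = "http://192.168.1.2";
+allow_public_unauthenticated_access = true;
+preserve_host_header = true;
+} {
+from = "https://login.required";
+to = "http://192.168.1.2";
+allowed_domains = [ "my.domain" ];
+preserve_host_header = true;
+}];
+};
+secretsFile = pkgs.writeText "pomerium-secrets" ''
+# 12345678901234567890123456789012 in base64
+COOKIE_SECRET=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=
+IDP_CLIENT_SECRET=dummy
+'';
+};
+};
+backend = { pkgs, lib, ... }: {
+imports = [ (base "192.168.1.2") ];
+services.nginx.enable = true;
+services.nginx.virtualHosts."my.website" = {
+root = pkgs.runCommand "testdir" {} ''
+mkdir "$out"
+echo hello world > "$out/index.html"
+'';
+};
+services.nginx.virtualHosts."dummy-oidc" = {
+root = pkgs.runCommand "testdir" {} ''
+mkdir -p "$out/.well-known"
+cat <<EOF >"$out/.well-known/openid-configuration"
+{
+"issuer": "http://dummy-oidc",
+"authorization_endpoint": "http://dummy-oidc/auth.txt",
+"token_endpoint": "http://dummy-oidc/token",
+"jwks_uri": "http://dummy-oidc/jwks.json",
+"userinfo_endpoint": "http://dummy-oidc/userinfo",
+"id_token_signing_alg_values_supported": ["RS256"]
+}
+EOF
+echo hello I am login page >"$out/auth.txt"
+'';
+};
+};
+};
+testScript = { ... }: ''
+backend.wait_for_unit("nginx")
+backend.wait_for_open_port(80)
+pomerium.wait_for_unit("pomerium")
+pomerium.wait_for_open_port(80)
+with subtest("no authentication required"):
+pomerium.succeed(
+"curl --resolve my.website:80:127.0.0.1 http://my.website | grep -q 'hello world'"
+)
+with subtest("login required"):
+pomerium.succeed(
+"curl -I --resolve login.required:80:127.0.0.1 http://login.required | grep -q pom-auth"
+)
+pomerium.succeed(
+"curl -L --resolve login.required:80:127.0.0.1 http://login.required | grep -q 'hello I am login page'"
+)
+'';
+})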
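Review bot: The `secretsFile` in the `pomerium` node is built with `pkgs.writeText`, which puts `COOKIE_SECRET` and `IDP_CLIENT_SECRET` in the world-readable Nix store, and nothing marks this as a test-only shortcut. That is fine for a VM test with dummy values, but the test is likely to be read as a usage example for the new module. A comment above the assignment would stop the pattern being copied into real configurations, e.g. `# Test only: writeText puts this file in the Nix store; a real secretsFile must point outside the store.` The same short remark would fit next to `insecure_server = true` and the plain-HTTP `idp_provider_url`.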


@ -19,20 +19,20 @@
stdenv.mkDerivation rec {
pname = "pika-backup";
version = "0.2.2";
version = "0.2.3";
src = fetchFromGitLab {
domain = "gitlab.gnome.org";
owner = "World";
repo = "pika-backup";
rev = "v${version}";
sha256 = "16284gv31wdwmb99056962d1gh6xz26ami6synr47nsbbp5l0s6k";
sha256 = "sha256-jy22eyuzM2y7vByT3TOlAUuTKtPepkB9iiHQT1YGQ88=";
};
cargoDeps = rustPlatform.fetchCargoTarball {
inherit src;
name = "${pname}-${version}";
sha256 = "12ymjwpxx3sdna8w5j9fnwwfk8ynk9ziwl0lkpq68y0vyllln5an";
sha256 = "1ndcpgw18w3l5f7vv5vw8lxhgd5y1zxfarwnyfx13m7kcv8m3vyj";
};
patches = [


@ -0,0 +1,33 @@
{ lib, fetchurl, makeDesktopItem, appimageTools, imagemagick }:
let
pname = "chain-desktop-wallet";
version = "0.1.1";
name = "${pname}-${version}";
src = fetchurl {
url = "https://github.com/crypto-com/${pname}/releases/download/v${version}/${name}-x86_64.AppImage";
sha256 = "12076hf8dlz0hg1pb2ixwlslrh8gi6s1iawnvhnn6vz4jmjvq356";
};
appimageContents = appimageTools.extractType2 { inherit name src; };
in appimageTools.wrapType2 rec {
inherit name src;
extraInstallCommands = ''
mv $out/bin/${name} $out/bin/${pname}
install -m 444 -D ${appimageContents}/${pname}.desktop $out/share/applications/${pname}.desktop
${imagemagick}/bin/convert ${appimageContents}/${pname}.png -resize 512x512 ${pname}_512.png
install -m 444 -D ${pname}_512.png $out/share/icons/hicolor/512x512/apps/${pname}.png
substituteInPlace $out/share/applications/${pname}.desktop \
--replace 'Exec=AppRun --no-sandbox %U' "Exec=$out/bin/${pname}"
'';
meta = with lib; {
description = "Crypto.org Chain desktop wallet (Beta)";
homepage = "https://github.com/crypto-com/chain-desktop-wallet";
license = licenses.asl20;
maintainers = with maintainers; [ th0rgal ];
platforms = [ "x86_64-linux" ];
};
}
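Review bot: The `substituteInPlace` call in `extraInstallCommands` replaces the whole upstream `Exec=AppRun --no-sandbox %U` with `Exec=$out/bin/${pname}`, which drops the `%U` field code together with `--no-sandbox`. If the wallet registers a URI handler, arguments passed by the desktop environment would no longer reach it; keeping the field code would look like `--replace 'Exec=AppRun --no-sandbox %U' "Exec=$out/bin/${pname} %U"`. Since this wraps a prebuilt wallet binary, a one-line comment saying that `--no-sandbox` is removed on purpose, and whether the sandbox it refers to actually works inside the `appimageTools` wrapper, would help the next maintainer.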


@ -1,8 +1,8 @@
{
"stable": {
"version": "89.0.4389.90",
"sha256": "16i7bgk2jbcqs2p28nk5mlf0k6wah594pcsfm8b154nxbyf0iihi",
"sha256bin64": "1hgpx7isp9krarj7jpbhs97ym4i9j9a1srywv9pdfzbhw6cid2pk",
"version": "89.0.4389.114",
"sha256": "007df9p78bbmk3iyfi8qn57mmn68qqrdhx6z8n2hl8ksd7lspw7j",
"sha256bin64": "06wblyvyr93032fbzwm6qpzz4jjm6adziq4i4n6kmfdix2ajif8a",
"deps": {
"gn": {
"version": "2021-01-07",


@ -14,13 +14,13 @@
stdenv.mkDerivation rec {
pname = "lagrange";
version = "1.2.2";
version = "1.3.0";
src = fetchFromGitHub {
owner = "skyjake";
repo = "lagrange";
rev = "v${version}";
sha256 = "sha256-Y+BiXKxlUSZXaLcz75l333ZBkKyII9IyTmKQwjshBkE=";
sha256 = "sha256-85KshJEL7ri10mSm/KgcT03WLEwRMMTGczb6mGx66Jw=";
fetchSubmodules = true;
};


@ -26,6 +26,7 @@
, libuuid
, libxcb
, libxkbcommon
, libxshmfence
, mesa
, nspr
, nss
@ -117,6 +118,7 @@ let
xorg.libXi
xorg.libXrandr
xorg.libXrender
xorg.libxshmfence
xorg.libXtst
xorg.libxkbfile
] + ":${stdenv.cc.cc.lib}/lib64";


@ -0,0 +1,26 @@
{ lib, rustPlatform, fetchFromGitHub }:
rustPlatform.buildRustPackage rec {
pname = "i3-auto-layout";
version = "0.2";
src = fetchFromGitHub {
owner = "chmln";
repo = pname;
rev = "v${version}";
sha256 = "0ps08lga6qkgc8cgf5cx2lgwlqcnd2yazphh9xd2fznnzrllfxxz";
};
cargoSha256 = "1ch5mh515rlqmr65x96xcvrx6iaigqgjxc7sbwbznzkc5kmvwhc0";
# Currently no tests are implemented, so we avoid building the package twice
doCheck = false;
meta = with lib; {
description = "Automatic, optimal tiling for i3wm";
homepage = "https://github.com/chmln/i3-auto-layout";
license = licenses.mit;
maintainers = with maintainers; [ mephistophiles ];
platforms = platforms.linux;
};
}


@ -203,7 +203,9 @@ let
qtvirtualkeyboard = callPackage ../modules/qtvirtualkeyboard.nix {};
qtwayland = callPackage ../modules/qtwayland.nix {};
qtwebchannel = callPackage ../modules/qtwebchannel.nix {};
qtwebengine = callPackage ../modules/qtwebengine.nix {};
qtwebengine = callPackage ../modules/qtwebengine.nix {
inherit (srcs.qtwebengine) version;
};
qtwebglplugin = callPackage ../modules/qtwebglplugin.nix {};
qtwebkit = callPackage ../modules/qtwebkit.nix {};
qtwebsockets = callPackage ../modules/qtwebsockets.nix {};


@ -17,6 +17,7 @@
, cups, darwin, openbsm, runCommand, xcbuild, writeScriptBin
, ffmpeg_3 ? null
, lib, stdenv, fetchpatch
, version ? null
, qtCompatVersion
}:
@ -230,6 +231,9 @@ qtModule {
[Paths]
Prefix = ..
EOF
'' + lib.optionalString (lib.versions.majorMinor qtCompatVersion == "5.15") ''
# Fix for out-of-sync QtWebEngine and Qt releases (since 5.15.3)
sed 's/${lib.head (lib.splitString "-" version)} /${qtCompatVersion} /' -i "$out"/lib/cmake/*/*Config.cmake
'';
meta = with lib; {


@ -0,0 +1,34 @@
{ lib, stdenv, fetchFromGitHub
, cmake, pkg-config
, withZlibCompat ? false
}:
stdenv.mkDerivation rec {
pname = "zlib-ng";
version = "2.0.2";
src = fetchFromGitHub {
owner = "zlib-ng";
repo = "zlib-ng";
rev = version;
sha256 = "1cl6asrav2512j7p02zcpibywjljws0m7aazvb3q2r9qiyvyswji";
};
outputs = [ "out" "dev" "bin" ];
nativeBuildInputs = [ cmake pkg-config ];
cmakeFlags = [
"-DCMAKE_INSTALL_PREFIX=/"
"-DBUILD_SHARED_LIBS=ON"
"-DINSTALL_UTILS=ON"
] ++ lib.optionals withZlibCompat [ "-DZLIB_COMPAT=ON" ];
meta = with lib; {
description = "zlib data compression library for the next generation systems";
homepage = "https://github.com/zlib-ng/zlib-ng";
license = licenses.zlib;
platforms = platforms.all;
maintainers = with maintainers; [ izorkin ];
};
}
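Review bot: `-DCMAKE_INSTALL_PREFIX=/` in `cmakeFlags` overrides the install prefix without any explanation, and a reader cannot tell from the derivation alone where the three outputs (`out`, `dev`, `bin`) end up. If this is a workaround for how upstream's CMake files combine the prefix with the install directories, say so in a comment directly above the flag, e.g. `# upstream joins prefix and install dirs; "/" avoids doubled store paths in the generated files`. If that is not the reason, the flag deserves a second look before merge, since nothing visible redirects the install step to `$out`.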


@ -13,11 +13,11 @@
buildPythonPackage rec {
pname = "boto3";
version = "1.17.40"; # N.B: if you change this, change botocore and awscli to a matching version
version = "1.17.41"; # N.B: if you change this, change botocore and awscli to a matching version
src = fetchPypi {
inherit pname version;
sha256 = "sha256-7pmbRrLGMOUOewUtbf4iQgOjSNg7AOFoylAAmvDydsE=";
sha256 = "sha256-2FsOBdfelhabACS3aykr5isB729cqFOlElBjRrgtKrs=";
};
propagatedBuildInputs = [ botocore jmespath s3transfer ] ++ lib.optionals (!isPy3k) [ futures ];


@ -13,11 +13,11 @@
buildPythonPackage rec {
pname = "botocore";
version = "1.20.40"; # N.B: if you change this, change boto3 and awscli to a matching version
version = "1.20.41"; # N.B: if you change this, change boto3 and awscli to a matching version
src = fetchPypi {
inherit pname version;
sha256 = "sha256-ajWpl3zb16g52UjdX549JgwZt93nTgqETJcgaITTu6A=";
sha256 = "sha256-Y/ZQ/Ja84UHoGUp2HmiQ/qL7puASU676Ma5p8UUBXCE=";
};
propagatedBuildInputs = [


@ -10,6 +10,7 @@
, protobuf3-to-dict
, smdebug-rulesconfig
, pandas
, packaging
}:
buildPythonPackage rec {
@ -32,6 +33,7 @@ buildPythonPackage rec {
google-pasta
importlib-metadata
numpy
packaging
protobuf
protobuf3-to-dict
smdebug-rulesconfig


@ -2,11 +2,11 @@
stdenv.mkDerivation rec {
pname = "heroku";
version = "7.47.11";
version = "7.51.0";
src = fetchurl {
url = "https://cli-assets.heroku.com/heroku-v${version}/heroku-v${version}.tar.xz";
sha256 = "1inf2radpkd9jndap91cw0wbb2qmi71i287vyydl492372cf3cs2";
sha256 = "0wcqk4iy4r57k6fd6l0732yp5mclqfla1lfvx96ay45jnhh7rknx";
};
nativeBuildInputs = [ makeWrapper ];


@ -2,21 +2,23 @@
let
major = "2020";
minor = "11";
patch = "23";
major = "2021";
minor = "03";
patch.seriousproton = "30";
patch.emptyepsilon = "31";
version = "${major}.${minor}.${patch}";
version.seriousproton = "${major}.${minor}.${patch.seriousproton}";
version.emptyepsilon = "${major}.${minor}.${patch.emptyepsilon}";
serious-proton = stdenv.mkDerivation {
pname = "serious-proton";
inherit version;
version = version.seriousproton;
src = fetchFromGitHub {
owner = "daid";
repo = "SeriousProton";
rev = "EE-${version}";
sha256 = "sha256-/gwJPlvvOCv5XIsiVgZ8Eb/7vgwG/V+s/soGVCfYrwo=";
rev = "EE-${version.seriousproton}";
sha256 = "sha256-wxb/CxJ/HKsVngeahjygZFPMMxitkHdVD0EQ3svxgIU=";
};
nativeBuildInputs = [ cmake ];
@ -36,13 +38,13 @@ in
stdenv.mkDerivation {
pname = "empty-epsilon";
inherit version;
version = version.emptyepsilon;
src = fetchFromGitHub {
owner = "daid";
repo = "EmptyEpsilon";
rev = "EE-${version}";
sha256 = "sha256-HbF6xThR+ogNHbAcXF03DaBhwVhNEr5BJO7jeeVZH/o=";
rev = "EE-${version.emptyepsilon}";
sha256 = "sha256-x0XJPMU0prubTb4ti/W/dH5P9abNwbjqkeUhKQpct9o=";
};
nativeBuildInputs = [ cmake ];
@ -50,10 +52,10 @@ stdenv.mkDerivation {
cmakeFlags = [
"-DSERIOUS_PROTON_DIR=${serious-proton.src}"
"-DCPACK_PACKAGE_VERSION=${version}"
"-DCPACK_PACKAGE_VERSION=${version.emptyepsilon}"
"-DCPACK_PACKAGE_VERSION_MAJOR=${major}"
"-DCPACK_PACKAGE_VERSION_MINOR=${minor}"
"-DCPACK_PACKAGE_VERSION_PATCH=${patch}"
"-DCPACK_PACKAGE_VERSION_PATCH=${patch.emptyepsilon}"
];
meta = with lib; {


@ -106,6 +106,7 @@ in buildFHSUserEnv rec {
gst_all_1.gst-plugins-ugly
gst_all_1.gst-plugins-base
libdrm
libxkbcommon # paradox launcher
mono
xorg.xkeyboardconfig
xorg.libpciaccess
@ -205,7 +206,6 @@ in buildFHSUserEnv rec {
libidn
tbb
wayland
libxkbcommon
# Other things from runtime
flac


@ -13,15 +13,15 @@
},
"5.10": {
"extra": "-hardened1",
"name": "linux-hardened-5.10.25-hardened1.patch",
"sha256": "0d5fid229769frifr7g20ly553gxdqqvajfwyzqwjpr82jjzxlis",
"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.25-hardened1/linux-hardened-5.10.25-hardened1.patch"
"name": "linux-hardened-5.10.26-hardened1.patch",
"sha256": "08f4yks3fjv5zi85zbxa3aqfllb6nbr58hm6kchd83l6rknnix4r",
"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.26-hardened1/linux-hardened-5.10.26-hardened1.patch"
},
"5.11": {
"extra": "-hardened1",
"name": "linux-hardened-5.11.9-hardened1.patch",
"sha256": "169jcalr81ckad08vx489h8j6k42s0rzxbpkr6knyrd7rv06ddk0",
"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.11.9-hardened1/linux-hardened-5.11.9-hardened1.patch"
"name": "linux-hardened-5.11.10-hardened1.patch",
"sha256": "16083fvl5km751dps7mzjc2fl1qp9jqnyn7lg8jlfxc8w32bbxwv",
"url": "https://github.com/anthraxx/linux-hardened/releases/download/5.11.10-hardened1/linux-hardened-5.11.10-hardened1.patch"
},
"5.4": {
"extra": "-hardened1",


@ -3,7 +3,7 @@
with lib;
buildLinux (args // rec {
version = "5.11.9";
version = "5.11.10";
# modDirVersion needs to be x.y.z, will automatically add .0 if needed
modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@ -13,6 +13,6 @@ buildLinux (args // rec {
src = fetchurl {
url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
sha256 = "0dcqn6s85sd4zl7rv8ay88p5z12xvy2rma0dx6g6b480rg68sxal";
sha256 = "07fw48sy8p17jmm24x3rl99cwxiwhwjrxnmy3g542w9kzawaqwnk";
};
} // (args.argsOverride or {}))


@ -6,7 +6,7 @@
, ... } @ args:
let
version = "5.10.21-rt34"; # updated by ./update-rt.sh
version = "5.10.25-rt35"; # updated by ./update-rt.sh
branch = lib.versions.majorMinor version;
kversion = builtins.elemAt (lib.splitString "-" version) 0;
in buildLinux (args // {
@ -18,14 +18,14 @@ in buildLinux (args // {
src = fetchurl {
url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
sha256 = "1bz2gmyvpl4vsk0r6fsnh451fzvvfbv63rw8ia75gfv52vzyczwy";
sha256 = "1p8s8vp5b6vjmvhj3plm0pr0d9qp5lrwm6l40a4bjr1vk9myf2lk";
};
kernelPatches = let rt-patch = {
name = "rt";
patch = fetchurl {
url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
sha256 = "12c2qpifcgij7hilhd7xrnqaz04gqf41m93pmlm8cv4nxz58cy36";
sha256 = "0kvawcyxg0xzhx73xs9g9s0hr7bs44sy4zvfzvcg2m9hdyafry0k";
};
}; in [ rt-patch ] ++ lib.remove rt-patch kernelPatches;


@ -6,6 +6,7 @@
, go
, ninja
, python3
, nixosTests
}:
let
@ -110,6 +111,11 @@ buildBazelPackage rec {
"--cxxopt=-Wno-uninitialized"
];
passthru.tests = {
# No tests for Envoy itself (yet), but it's tested as a core component of Pomerium.
inherit (nixosTests) pomerium;
};
meta = with lib; {
homepage = "https://envoyproxy.io";
description = "Cloud-native edge and service proxy";


@ -1,6 +1,6 @@
{ callPackage, ... }@args:
callPackage ./generic.nix args {
version = "1.19.8";
sha256 = "01cb6hsaik1sfjihbrldmwrcn54gk4plfy350sl1b4rml6qik29h";
version = "1.19.9";
sha256 = "0hfqqyfgqa6wqazmb3d434nb3r5p8szfisa0m6nfh9lqdbqdyd9f";
}


@ -0,0 +1,80 @@
{ buildGoModule
, fetchFromGitHub
, lib
, envoy
, zip
, nixosTests
}:
let
inherit (lib) concatStringsSep mapAttrsToList;
in
buildGoModule rec {
pname = "pomerium";
version = "0.13.3";
src = fetchFromGitHub {
owner = "pomerium";
repo = "pomerium";
rev = "v${version}";
hash = "sha256-g0w1aIHvf2rJANvGWHeUxdnyCDsvy/PQ9Kp8nDdT/0w=";
};
vendorSha256 = "sha256-grihU85OcGyf9/KKrv87xZonX5r+Z1oHQTf84Ya61fg=";
subPackages = [
"cmd/pomerium"
"cmd/pomerium-cli"
];
buildFlagsArray = let
# Set a variety of useful meta variables for stamping the build with.
setVars = {
Version = "v${version}";
BuildMeta = "nixpkgs";
ProjectName = "pomerium";
ProjectURL = "github.com/pomerium/pomerium";
};
varFlags = concatStringsSep " " (mapAttrsToList (name: value: "-X github.com/pomerium/pomerium/internal/version.${name}=${value}") setVars);
in [
"-ldflags=${varFlags}"
];
nativeBuildInputs = [
zip
];
# Pomerium expects to have envoy append to it in a zip.
# We use a store-only (-0) zip, so that the Nix scanner can find any store references we had in the envoy binary.
postBuild = ''
# Append Envoy
pushd $NIX_BUILD_TOP
mkdir -p envoy
cd envoy
cp ${envoy}/bin/envoy envoy
zip -0 envoy.zip envoy
popd
mv $GOPATH/bin/pomerium $GOPATH/bin/pomerium.old
cat $GOPATH/bin/pomerium.old $NIX_BUILD_TOP/envoy/envoy.zip >$GOPATH/bin/pomerium
zip --adjust-sfx $GOPATH/bin/pomerium
'';
# We also need to set dontStrip to avoid having the envoy ZIP stripped off the end.
dontStrip = true;
installPhase = ''
install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
'';
passthru.tests = {
inherit (nixosTests) pomerium;
};
meta = with lib; {
homepage = "https://pomerium.io";
description = "Authenticating reverse proxy";
license = licenses.asl20;
maintainers = with maintainers; [ lukegb ];
platforms = [ "x86_64-linux" ]; # Envoy derivation is x86_64-linux only.
};
}
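Review bot: The custom `installPhase` replaces the default one without calling the phase hooks, so any `preInstall`/`postInstall` added through an override is skipped. Put `runHook preInstall` before the two `install -Dm0755` lines and `runHook postInstall` after them. In `postBuild`, `$GOPATH` and `$NIX_BUILD_TOP` are used unquoted in `mv`, `cat` and `zip`; quoting them (`"$GOPATH/bin/pomerium"`) costs nothing and keeps the append step robust, which matters because a failed or partial append leaves a binary without its embedded Envoy.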


@ -5,15 +5,15 @@
, git, nix, nixfmt, jq, coreutils, gnused, curl, cacert }:
stdenv.mkDerivation rec {
version = "2021-03-28";
version = "2021-03-31";
pname = "oh-my-zsh";
rev = "69507c9518f7c7889d8f47ec8e67bfda02405817";
rev = "2b1d4122796fea12dcaa7545cfca59fb43e6393e";
src = fetchFromGitHub {
inherit rev;
owner = "ohmyzsh";
repo = "ohmyzsh";
sha256 = "0p5jjynwnf6yh2n0z46avavy7kb7dlqd145hd1qakig7csaclphd";
sha256 = "1c1hcmvfrfwds1zn165vpfh11a19s6kb20bxy2dzpby5cs15g6bc";
};
installPhase = ''


@ -21,11 +21,11 @@ let
in
with py.pkgs; buildPythonApplication rec {
pname = "awscli";
version = "1.19.40"; # N.B: if you change this, change botocore and boto3 to a matching version too
version = "1.19.41"; # N.B: if you change this, change botocore and boto3 to a matching version too
src = fetchPypi {
inherit pname version;
sha256 = "sha256-J1IuTA/DrBCDclRA3cjAU71Um4Eygjgo+rMTyvT/my4=";
sha256 = "sha256-DKKE2iMn6BHmcohHY6Uv7q9Om8FkbTbsk0CaxueBJHA=";
};
# https://github.com/aws/aws-cli/issues/4837


@ -2,11 +2,11 @@
stdenv.mkDerivation rec {
pname = "abcMIDI";
version = "2021.03.27";
version = "2021.03.30";
src = fetchzip {
url = "https://ifdo.ca/~seymour/runabc/${pname}-${version}.zip";
sha256 = "sha256-dOUdxH1jJUr9MkU6mf0nwbjY5NYUJpHGkjUZWbRSGsw=";
sha256 = "sha256-eOQbvs/mtFn7AmvSezO/jRm8+cO5tF7ggcF9DwwfqVc=";
};
meta = with lib; {


@ -2,16 +2,16 @@
buildGoModule rec {
pname = "oneshot";
version = "1.3.1";
version = "1.4.1";
src = fetchFromGitHub {
owner = "raphaelreyna";
repo = "oneshot";
rev = "v${version}";
sha256 = "047mncv9abs4xj7bh9lhc3wan37cldjjyrpkis7pvx6zhzml74kf";
sha256 = "sha256-UD67xYBb1rvGMSPurte5z2Hcd7+JtXDPbgp3BVBdLuk=";
};
vendorSha256 = "1cxr96yrrmz37r542mc5376jll9lqjqm18k8761h9jqfbzmh9rkp";
vendorSha256 = "sha256-d+YE618OywSDOWiiULHENFEqzRmFVUFKPuPXnL1JubM=";
doCheck = false;


@ -12,16 +12,16 @@
rustPlatform.buildRustPackage rec {
pname = "prs";
version = "0.2.6";
version = "0.2.7";
src = fetchFromGitLab {
owner = "timvisee";
repo = "prs";
rev = "v${version}";
sha256 = "sha256-2fpR9XCcKby+hI7Dzpr2qi1QgOzdgJp0Um57tQmi01A=";
sha256 = "sha256-1Jrgf5UW6k0x3q6kQIB6Q7moOhConEnUU9r+21W5Uu8=";
};
cargoSha256 = "sha256-0oWNGrJ24gPkPp5PR/pQ1tIYkXztQJFAdPz162V5THY=";
cargoSha256 = "sha256-N3pLW/OGeurrl+AlwdfbZ3T7WzEOAuyUMdIR164Xp7k=";
postPatch = ''
# The GPGME backend is recommended


@ -0,0 +1,35 @@
{ lib, python3Packages, fetchFromGitHub, fetchurl, youtube-dl, git }:
let
install_freedesktop = fetchurl {
url = "https://github.com/thann/install_freedesktop/tarball/2673e8da4a67bee0ffc52a0ea381a541b4becdd4";
sha256 = "0j8d5jdcyqbl5p6sc1ags86v3hr2sghmqqi99d1mvc064g90ckrv";
};
in
python3Packages.buildPythonApplication rec {
pname = "play-with-mpv";
version = "unstable-2020-05-18";
src = fetchFromGitHub {
owner = "thann";
repo = "play-with-mpv";
rev = "656448e03fe9de9e8bd21959f2a3b47c4acb8c3e";
sha256 = "1qma8b3lnkdhxdjsnrq7n9zgy53q62j4naaqqs07kjxbn72zb4p4";
};
nativeBuildInputs = [ git ];
propagatedBuildInputs = [ youtube-dl ];
postPatch = ''
substituteInPlace setup.py --replace \
'"https://github.com/thann/install_freedesktop/tarball/master#egg=install_freedesktop-0.2.0"' \
'"file://${install_freedesktop}#egg=install_freedesktop-0.2.0"'
'';
meta = with lib; {
description = "Chrome extension and python server that allows you to play videos in webpages with MPV instead";
homepage = "https://github.com/Thann/play-with-mpv";
license = licenses.mit;
maintainers = with maintainers; [ dawidsowa ];
};
}
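Review bot: The reason for pre-fetching `install_freedesktop` is not documented. Upstream's `setup.py` points at the moving `tarball/master` URL, and `postPatch` swaps it for a commit-pinned, hash-checked tarball. A comment above the `let` binding would make that intent explicit, e.g. `# setup.py pulls install_freedesktop from master at build time; pin it to a fixed commit instead.` The `egg=install_freedesktop-0.2.0` label is carried over unchanged, so it is worth confirming that the pinned commit really corresponds to that version. `meta` also has no `platforms` entry.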


@ -1496,6 +1496,8 @@ in
pebble = callPackage ../tools/admin/pebble { };
play-with-mpv = callPackage ../tools/video/play-with-mpv { };
reattach-to-user-namespace = callPackage ../os-specific/darwin/reattach-to-user-namespace {};
skhd = callPackage ../os-specific/darwin/skhd {
@ -17781,6 +17783,8 @@ in
zlib = callPackage ../development/libraries/zlib { };
zlib-ng = callPackage ../development/libraries/zlib-ng { };
libdynd = callPackage ../development/libraries/libdynd { };
zlog = callPackage ../development/libraries/zlog { };
@ -18535,6 +18539,8 @@ in
};
pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { };
pomerium = callPackage ../servers/http/pomerium { };
postgrey = callPackage ../servers/mail/postgrey { };
pshs = callPackage ../servers/http/pshs { };
@ -19889,7 +19895,7 @@ in
});
# The current default kernel / kernel modules.
linuxPackages = linuxPackages_5_4;
linuxPackages = linuxPackages_5_10;
linux = linuxPackages.kernel;
# Update this when adding the newest kernel major version!
@ -23364,6 +23370,8 @@ in
xcb-util-cursor = if stdenv.isDarwin then xcb-util-cursor-HEAD else xcb-util-cursor;
};
i3-auto-layout = callPackage ../applications/window-managers/i3/auto-layout.nix { };
i3-gaps = callPackage ../applications/window-managers/i3/gaps.nix { };
i3altlayout = callPackage ../applications/window-managers/i3/altlayout.nix { };
@ -28624,6 +28632,8 @@ in
cryptoverif = callPackage ../applications/science/logic/cryptoverif { };
crypto-org-wallet = callPackage ../applications/blockchains/crypto-org-wallet.nix { };
caprice32 = callPackage ../misc/emulators/caprice32 { };
cubicle = callPackage ../applications/science/logic/cubicle {