Merge staging-next into staging

This commit is contained in:
github-actions[bot] 2021-05-03 00:53:51 +00:00 committed by GitHub
commit afe3fd192f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
19 changed files with 264 additions and 66 deletions

View file

@ -330,7 +330,7 @@
</listitem>
<listitem>
<para>
<literal>vim</literal> switched to Python 3, dropping all Python 2 support.
<literal>vim</literal> and <literal>neovim</literal> switched to Python 3, dropping all Python 2 support.
</para>
</listitem>
<listitem>

View file

@ -245,22 +245,85 @@ in {
rm -f "${cfg.configDir}/ui-lovelace.yaml"
ln -s ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml"
'');
serviceConfig = {
ExecStart = "${package}/bin/hass --config '${cfg.configDir}'";
serviceConfig = let
# List of capabilities to equip home-assistant with, depending on configured components
capabilities = [
# Empty string first, so we will never accidentally have an empty capability bounding set
# https://github.com/NixOS/nixpkgs/issues/120617#issuecomment-830685115
""
] ++ (unique (optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [
# Required for interaction with hci devices and bluetooth sockets
# https://www.home-assistant.io/integrations/bluetooth_le_tracker/#rootless-setup-on-core-installs
"CAP_NET_ADMIN"
"CAP_NET_RAW"
] ++ lib.optionals (useComponent "emulated_hue") [
# Alexa looks for the service on port 80
# https://www.home-assistant.io/integrations/emulated_hue
"CAP_NET_BIND_SERVICE"
] ++ lib.optionals (useComponent "nmap_tracker") [
# https://www.home-assistant.io/integrations/nmap_tracker#linux-capabilities
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
]));
in {
ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
User = "hass";
Group = "hass";
Restart = "on-failure";
RestartForceExitStatus = "100";
SuccessExitStatus = "100";
KillSignal = "SIGINT";
# Hardening
AmbientCapabilities = capabilities;
CapabilityBoundingSet = capabilities;
DeviceAllow = [
"char-ttyACM rw"
"char-ttyAMA rw"
"char-ttyUSB rw"
];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateTmp = true;
PrivateUsers = false; # prevents gaining capabilities in the host namespace
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
RemoveIPC = true;
ReadWritePaths = let
# Allow rw access to explicitly configured paths
cfgPath = [ "config" "homeassistant" "allowlist_external_dirs" ];
value = attrByPath cfgPath [] cfg;
allowPaths = if isList value then value else singleton value;
in [ "${cfg.configDir}" ] ++ allowPaths;
KillSignal = "SIGINT";
PrivateTmp = true;
RemoveIPC = true;
AmbientCapabilities = "cap_net_raw,cap_net_admin+eip";
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
] ++ optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [
"AF_BLUETOOTH"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SupplementaryGroups = [ "dialout" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0077";
};
path = [
"/run/wrappers" # needed for ping
@ -278,7 +341,6 @@ in {
home = cfg.configDir;
createHome = true;
group = "hass";
extraGroups = [ "dialout" ];
uid = config.ids.uids.hass;
};

View file

@ -20,8 +20,7 @@ let
acl_file ${aclFile}
persistence true
allow_anonymous ${boolToString cfg.allowAnonymous}
bind_address ${cfg.host}
port ${toString cfg.port}
listener ${toString cfg.port} ${cfg.host}
${passwordConf}
${listenerConf}
${cfg.extraConf}
@ -233,15 +232,50 @@ in
ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
ProtectSystem = "strict";
ProtectHome = true;
# Hardening
CapabilityBoundingSet = "";
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ReadWritePaths = "${cfg.dataDir}";
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
NoNewPrivileges = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
ReadWritePaths = [
cfg.dataDir
"/tmp" # mosquitto_passwd creates files in /tmp before moving them
];
ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [
certfile
keyfile
cafile
];
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_UNIX" # for sd_notify() call
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
UMask = "0077";
};
preStart = ''
rm -f ${cfg.dataDir}/passwd

View file

@ -1,4 +1,4 @@
import ./make-test-python.nix ({ pkgs, ... }:
import ./make-test-python.nix ({ pkgs, lib, ... }:
let
configDir = "/var/lib/foobar";
@ -6,9 +6,7 @@ let
mqttPassword = "secret";
in {
name = "home-assistant";
meta = with pkgs.lib; {
maintainers = with maintainers; [ dotlambda ];
};
meta.maintainers = lib.teams.home-assistant.members;
nodes.hass = { pkgs, ... }: {
environment.systemPackages = with pkgs; [ mosquitto ];
@ -47,6 +45,10 @@ in {
payload_on = "let_there_be_light";
payload_off = "off";
}];
emulated_hue = {
host_ip = "127.0.0.1";
listen_port = 80;
};
logger = {
default = "info";
logs."homeassistant.components.mqtt" = "debug";
@ -82,6 +84,9 @@ in {
hass.succeed(
"mosquitto_pub -V mqttv5 -t home-assistant/test -u ${mqttUsername} -P '${mqttPassword}' -m let_there_be_light"
)
with subtest("Check that capabilities are passed for emulated_hue to bind to port 80"):
hass.wait_for_open_port(80)
hass.succeed("curl --fail http://localhost:80/description.xml")
with subtest("Print log to ease debugging"):
output_log = hass.succeed("cat ${configDir}/home-assistant.log")
print("\n### home-assistant.log ###\n")
@ -93,5 +98,8 @@ in {
# example line: 2020-06-20 10:01:32 DEBUG (MainThread) [homeassistant.components.mqtt] Received message on home-assistant/test: b'let_there_be_light'
with subtest("Check we received the mosquitto message"):
assert "let_there_be_light" in output_log
with subtest("Check systemd unit hardening"):
hass.log(hass.succeed("systemd-analyze security home-assistant.service"))
'';
})

View file

@ -1,4 +1,4 @@
import ./make-test-python.nix ({ pkgs, ... }:
import ./make-test-python.nix ({ pkgs, lib, ... }:
let
port = 1888;
@ -30,6 +30,9 @@ in {
];
};
};
# disable private /tmp for this test
systemd.services.mosquitto.serviceConfig.PrivateTmp = lib.mkForce false;
};
client1 = client;

View file

@ -6,7 +6,7 @@
# now defaults to false because some tests can be flaky (clipboard etc)
, doCheck ? false
, nodejs ? null, fish ? null, python ? null
, nodejs ? null, fish ? null, python3 ? null
}:
with lib;
@ -19,7 +19,7 @@ let
]
));
pyEnv = python.withPackages(ps: [ ps.pynvim ps.msgpack ]);
pyEnv = python3.withPackages(ps: with ps; [ pynvim msgpack ]);
# FIXME: this is verry messy and strange.
# see https://github.com/NixOS/nixpkgs/pull/80528

View file

@ -1,5 +1,5 @@
{ lib, mkDerivation, fetchFromGitHub, cmake, doxygen, makeWrapper
, msgpack, neovim, pythonPackages, qtbase }:
, msgpack, neovim, python3Packages, qtbase }:
mkDerivation rec {
pname = "neovim-qt-unwrapped";
@ -20,7 +20,7 @@ mkDerivation rec {
buildInputs = [
neovim.unwrapped # only used to generate help tags at build time
qtbase
] ++ (with pythonPackages; [
] ++ (with python3Packages; [
jinja2 python msgpack
]);

View file

@ -1,11 +1,14 @@
{ lib, fetchFromGitHub, pythonPackages }:
{ lib
, fetchFromGitHub
, python3
, neovim
}:
with lib;
pythonPackages.buildPythonApplication rec {
with python3.pkgs; buildPythonApplication rec {
pname = "neovim-remote";
version = "2.4.0";
disabled = !pythonPackages.isPy3k;
src = fetchFromGitHub {
owner = "mhinz";
@ -14,12 +17,24 @@ pythonPackages.buildPythonApplication rec {
sha256 = "0jlw0qksak4bdzddpsj74pm2f2bgpj3cwrlspdjjy0j9qzg0mpl9";
};
propagatedBuildInputs = with pythonPackages; [
propagatedBuildInputs = [
pynvim
psutil
setuptools
];
checkInputs = [
neovim
pytestCheckHook
];
disabledTests = [
# these tests get stuck and never return
"test_escape_filenames_properly"
"test_escape_single_quotes_in_filenames"
"test_escape_double_quotes_in_filenames"
];
meta = {
description = "A tool that helps controlling nvim processes from a terminal";
homepage = "https://github.com/mhinz/neovim-remote/";

View file

@ -1,5 +1,4 @@
{ lib, stdenv, mkDerivation, fetchFromGitHub, cmake, doxygen, makeWrapper
, msgpack, neovim, pythonPackages, qtbase, neovim-qt-unwrapped }:
{ stdenv, makeWrapper, neovim, neovim-qt-unwrapped }:
let
unwrapped = neovim-qt-unwrapped;

View file

@ -4,7 +4,6 @@
, neovim-unwrapped
, bundlerEnv
, ruby
, pythonPackages
, python3Packages
, writeText
, wrapNeovimUnstable
@ -48,12 +47,6 @@ let
requiredPlugins = vimUtils.requiredPlugins configure;
getDeps = attrname: map (plugin: plugin.${attrname} or (_: [ ]));
pluginPython2Packages = getDeps "pythonDependencies" requiredPlugins;
python2Env = pythonPackages.python.withPackages (ps:
[ ps.pynvim ]
++ (extraPython2Packages ps)
++ (lib.concatMap (f: f ps) pluginPython2Packages));
pluginPython3Packages = getDeps "python3Dependencies" requiredPlugins;
python3Env = python3Packages.python.withPackages (ps:
[ ps.pynvim ]
@ -69,7 +62,6 @@ let
# While the latter tells nvim that this provider is not available
hostprog_check_table = {
node = withNodeJs;
python = withPython2;
python3 = withPython3;
ruby = withRuby;
};
@ -99,11 +91,12 @@ let
manifestRc = vimUtils.vimrcContent (configure // { customRC = ""; });
neovimRcContent = vimUtils.vimrcContent configure;
in
assert withPython2 -> throw "Python2 support has been removed from neovim, please remove withPython2 and extraPython2Packages.";
args // {
wrapperArgs = makeWrapperArgs;
inherit neovimRcContent;
inherit manifestRc;
inherit python2Env;
inherit python3Env;
inherit withNodeJs;
} // lib.optionalAttrs withRuby {
@ -120,7 +113,7 @@ let
# to keep backwards compatibility
legacyWrapper = neovim: {
extraMakeWrapperArgs ? ""
, withPython ? true
, withPython ? false
/* the function you would have passed to python.withPackages */
, extraPythonPackages ? (_: [])
/* the function you would have passed to python.withPackages */
@ -138,14 +131,14 @@ let
else funOrList);
res = makeNeovimConfig {
withPython2 = withPython;
extraPythonPackages = compatFun extraPythonPackages;
inherit withPython3;
extraPython3Packages = compatFun extraPython3Packages;
inherit withNodeJs withRuby viAlias vimAlias;
inherit configure;
};
in
assert withPython -> throw "Python2 support has been removed from neovim, please remove withPython and extraPythonPackages.";
wrapNeovimUnstable neovim (res // {
wrapperArgs = lib.escapeShellArgs (
res.wrapperArgs ++ lib.optionals (configure != {}) [

View file

@ -3,7 +3,6 @@
, bundlerEnv, ruby
, nodejs
, nodePackages
, pythonPackages
, python3Packages
}:
with lib;
@ -15,7 +14,7 @@ let
# should contain all args but the binary
wrapperArgs ? ""
, manifestRc ? null
, withPython2 ? true, python2Env ? null
, withPython2 ? false
, withPython3 ? true, python3Env ? null
, withNodeJs ? false
, rubyEnv ? null
@ -35,6 +34,8 @@ let
[ "${neovim}/bin/nvim" "${placeholder "out"}/bin/nvim" ] ++
[ "--set" "NVIM_SYSTEM_RPLUGIN_MANIFEST" "${placeholder "out"}/rplugin.vim" ];
in
assert withPython2 -> throw "Python2 support has been removed from the neovim wrapper, please remove withPython2 and python2Env.";
symlinkJoin {
name = "neovim-${lib.getVersion neovim}";
# Remove the symlinks created by symlinkJoin which we need to perform
@ -44,9 +45,6 @@ let
substitute ${neovim}/share/applications/nvim.desktop $out/share/applications/nvim.desktop \
--replace 'Name=Neovim' 'Name=WrappedNeovim'
''
+ optionalString withPython2 ''
makeWrapper ${python2Env}/bin/python $out/bin/nvim-python --unset PYTHONPATH
''
+ optionalString withPython3 ''
makeWrapper ${python3Env}/bin/python3 $out/bin/nvim-python3 --unset PYTHONPATH
''

View file

@ -1,7 +1,8 @@
{ stdenv, lib, makeDesktopItem
, unzip, libsecret, libXScrnSaver, libxshmfence, wrapGAppsHook
, gtk2, atomEnv, at-spi2-atk, autoPatchelfHook
, systemd, fontconfig, libdbusmenu
, systemd, fontconfig, libdbusmenu, buildFHSUserEnvBubblewrap
, writeShellScriptBin
# Populate passthru.tests
, tests
@ -13,13 +14,14 @@
let
inherit (stdenv.hostPlatform) system;
in
stdenv.mkDerivation {
unwrapped = stdenv.mkDerivation {
inherit pname version src sourceRoot;
passthru = {
inherit executableName tests;
fhs = fhs {};
fhsWithPackages = f: fhs { additionalPkgs = f; };
};
desktopItem = makeDesktopItem {
@ -97,4 +99,64 @@ in
'';
inherit meta;
}
};
# Vscode and variants allow for users to download and use extensions
# which often include the usage of pre-built binaries.
# This has been an on-going painpoint for many users, as
# a full extension update cycle has to be done through nixpkgs
# in order to create or update extensions.
# See: #83288 #91179 #73810 #41189
#
# buildFHSUserEnv allows for users to use the existing vscode
# extension tooling without significant pain.
fhs = { additionalPkgs ? pkgs: [] }: buildFHSUserEnvBubblewrap {
# also determines the name of the wrapped command
name = executableName;
# additional libraries which are commonly needed for extensions
targetPkgs = pkgs: (with pkgs; [
# ld-linux-x86-64-linux.so.2 and others
glibc
# dotnet
curl
icu
libunwind
libuuid
openssl
zlib
# mono
krb5
]) ++ additionalPkgs pkgs;
# restore desktop item icons
extraInstallCommands = ''
mkdir -p $out/share/applications
for item in ${unwrapped}/share/applications/*.desktop; do
ln -s $item $out/share/applications/
done
'';
runScript = "${unwrapped}/bin/${executableName}";
# vscode likes to kill the parent so that the
# gui application isn't attached to the terminal session
dieWithParent = false;
passthru = {
inherit executableName;
inherit (unwrapped) pname version; # for home-manager module
};
meta = meta // {
description = ''
Wrapped variant of ${pname} which launches in a FHS compatible envrionment.
Should allow for easy usage of extensions without nix-specific modifications.
'';
};
};
in
unwrapped

View file

@ -2,18 +2,18 @@
buildGoModule rec {
pname = "kubelogin";
version = "1.23.0";
version = "1.23.1";
src = fetchFromGitHub {
owner = "int128";
repo = pname;
rev = "v${version}";
sha256 = "0n94nx17c6ln2nd6d9yr93vc251y1xphq1wj2vzs4j2l8dqfyjpn";
sha256 = "sha256-YK/QGx6QzSeyeZ61KgdYO3POJQFK1F6yJayd2gcRWS4=";
};
subPackages = ["."];
vendorSha256 = "1dvrk6z6k66wawgb50n8hbgdd8fly399mlbgnvxi671vfi7lkz09";
vendorSha256 = "sha256-tnjgs8Ziqdo1ciVOWtL0D8puv2SZGqSHgo2SV7N8F0M=";
# Rename the binary instead of symlinking to avoid conflict with the
# Azure version of kubelogin

View file

@ -14,6 +14,7 @@ args @ {
, unshareNet ? false
, unshareUts ? true
, unshareCgroup ? true
, dieWithParent ? true
, ...
}:
@ -22,7 +23,7 @@ let
buildFHSEnv = callPackage ./env.nix { };
env = buildFHSEnv (removeAttrs args [
"runScript" "extraInstallCommands" "meta" "passthru"
"runScript" "extraInstallCommands" "meta" "passthru" "dieWithParent"
"unshareUser" "unshareCgroup" "unshareUts" "unshareNet" "unsharePid" "unshareIpc"
]);
@ -30,6 +31,13 @@ let
files = [
# NixOS Compatibility
"static"
"nix" # mainly for nixUnstable users, but also for access to nix/netrc
# Shells
"bashrc"
"zshenv"
"zshrc"
"zinputrc"
"zprofile"
# Users, Groups, NSS
"passwd"
"group"
@ -136,7 +144,7 @@ let
${lib.optionalString unshareNet "--unshare-net"}
${lib.optionalString unshareUts "--unshare-uts"}
${lib.optionalString unshareCgroup "--unshare-cgroup"}
--die-with-parent
${lib.optionalString dieWithParent "--die-with-parent"}
--ro-bind /nix /nix
# Our glibc will look for the cache in its own path in `/nix/store`.
# As such, we need a cache to exist there, because pressure-vessel

View file

@ -1,6 +1,6 @@
{ fetchFromGitHub, gtk3, hicolor-icon-theme, jdupes, lib, stdenv }:
{ fetchFromGitHub, gtk3, hicolor-icon-theme, jdupes, lib, stdenvNoCC }:
stdenv.mkDerivation rec {
stdenvNoCC.mkDerivation rec {
pname = "tela-icon-theme";
version = "2021-01-21";
@ -17,6 +17,10 @@ stdenv.mkDerivation rec {
dontDropIconThemeCache = true;
# These fixup steps are slow and unnecessary.
dontPatchELF = true;
dontRewriteSymlinks = true;
installPhase = ''
runHook preInstall
@ -31,7 +35,7 @@ stdenv.mkDerivation rec {
meta = with lib; {
description = "A flat colorful Design icon theme";
homepage = "https://github.com/vinceliuice/tela-icon-theme";
license = licenses.gpl3Plus;
license = licenses.gpl3Only;
platforms = platforms.unix;
maintainers = with maintainers; [ figsoda ];
};

View file

@ -11,6 +11,11 @@ stdenv.mkDerivation rec {
sha256 = "04i2z7hrig78clc59q3i1z2hh24g7z1bfvxznlzxv00d4s57nhpi";
};
postPatch = lib.optionalString stdenv.cc.isClang ''
substituteInPlace test/setup.py \
--replace "'-Werror', " ""
'';
makeFlags = [
"prefix=${placeholder "out"}"
];
@ -26,6 +31,6 @@ stdenv.mkDerivation rec {
homepage = "https://github.com/encukou/py3c";
description = "Python 2/3 compatibility layer for C extensions";
license = licenses.mit;
maintainers = with maintainers; [ ajs124 ];
maintainers = with maintainers; [ ajs124 dotlambda ];
};
}

View file

@ -14,14 +14,14 @@
buildPythonPackage rec {
pname = "csvw";
version = "1.10.1";
version = "1.10.2";
disabled = isPy27;
src = fetchFromGitHub {
owner = "cldf";
repo = "csvw";
rev = "v${version}";
sha256 = "1764nfa4frjdd7v6wj35y7prnciaqz57wwygy5zfavl4laxn4nxd";
sha256 = "0z0qxlsfxwz1qapxb4d0mz3wkj99d7zi9yrg1cbd2xp7giagb6d4";
};
patchPhase = ''

View file

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "pngquant";
version = "2.12.5";
version = "2.14.1";
src = fetchFromGitHub {
owner = "pornel";
owner = "kornelski";
repo = "pngquant";
rev = version;
sha256 = "0sq398iv5cacblz6pb4j2hn16cnszsbkahikdpfq84rb9bj0ya40";
sha256 = "054hi33qp3jc7hv0141wi8drwdg24v5zfp8znwjmz4mcdls8vxbb";
fetchSubmodules = true;
};
@ -17,11 +17,14 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ pkg-config ];
buildInputs = [ libpng zlib lcms2 ];
doCheck = true;
meta = with lib; {
homepage = "https://pngquant.org/";
description = "A tool to convert 24/32-bit RGBA PNGs to 8-bit palette with alpha channel preserved";
changelog = "https://github.com/kornelski/pngquant/raw/${version}/CHANGELOG";
platforms = platforms.unix;
license = licenses.gpl3;
license = with licenses; [ gpl3Plus hpnd bsd2 ];
maintainers = [ maintainers.volth ];
};
}

View file

@ -26636,7 +26636,7 @@ in
gnvim = callPackage ../applications/editors/neovim/gnvim/wrapper.nix { };
neovim-remote = callPackage ../applications/editors/neovim/neovim-remote.nix { pythonPackages = python3Packages; };
neovim-remote = callPackage ../applications/editors/neovim/neovim-remote.nix { };
vis = callPackage ../applications/editors/vis {
inherit (lua52Packages) lpeg;
@ -26754,6 +26754,8 @@ in
};
vscode = callPackage ../applications/editors/vscode/vscode.nix { };
vscode-fhs = vscode.fhs;
vscode-fhsWithPackages = vscode.fhsWithPackages;
vscode-with-extensions = callPackage ../applications/editors/vscode/with-extensions.nix {};
@ -26762,6 +26764,8 @@ in
vscode-extensions = recurseIntoAttrs (callPackage ../misc/vscode-extensions {});
vscodium = callPackage ../applications/editors/vscode/vscodium.nix { };
vscodium-fhs = vscodium.fhs;
vscodium-fhsWithPackages = vscodium.fhsWithPackages;
code-server = callPackage ../servers/code-server {
inherit (darwin.apple_sdk.frameworks) AppKit Cocoa Security;