13 changed files with 60 additions and 117 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -345,11 +345,8 @@ pkgs/development/tools/continuous-integration/buildbot @Mic92 @zowoq

 # Pretix
 pkgs/by-name/pr/pretix/ @mweinelt
-pkgs/by-name/pr/pretalx/ @mweinelt
 nixos/modules/services/web-apps/pretix.nix @mweinelt
-nixos/modules/services/web-apps/pretalx.nix @mweinelt
 nixos/tests/web-apps/pretix.nix @mweinelt
-nixos/tests/web-apps/pretalx.nix @mweinelt

 # incus/lxc/lxd
 nixos/maintainers/scripts/lxd/          @adamcstephens
--- a/nixos/modules/services/web-apps/pretalx.nix
+++ b/nixos/modules/services/web-apps/pretalx.nix
@ -24,7 +24,7 @@ in

 {
  meta = with lib; {
-    maintainers = with maintainers; [ hexa] ++ teams.c3d2.members;
+    maintainers = teams.c3d2.members;
  };

  options.services.pretalx = {
@ -329,47 +329,10 @@ in
        serviceConfig = {
          User = "pretalx";
          Group = "pretalx";
-          StateDirectory = [
-            "pretalx"
-            "pretalx/media"
-          ];
-          StateDirectoryMode = "0750";
+          StateDirectory = [ "pretalx" "pretalx/media" ];
          LogsDirectory = "pretalx";
          WorkingDirectory = cfg.settings.filesystem.data;
          SupplementaryGroups = [ "redis-pretalx" ];
-          AmbientCapabilities = "";
-          CapabilityBoundingSet = [ "" ];
-          DevicePolicy = "closed";
-          LockPersonality = true;
-          MemoryDenyWriteExecute = true;
-          NoNewPrivileges = true;
-          PrivateDevices = true;
-          PrivateTmp = true;
-          ProcSubset = "pid";
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectProc = "invisible";
-          ProtectSystem = "strict";
-          RemoveIPC = true;
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-            "AF_UNIX"
-          ];
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          SystemCallArchitectures = "native";
-          SystemCallFilter = [
-            "@system-service"
-            "~@privileged"
-            "@chown"
-          ];
-          UMask = "0027";
        };
      };
    in {
@ -432,8 +395,6 @@ in
        wantedBy = [ "multi-user.target" ];
        serviceConfig.ExecStart = "${lib.getExe' pythonEnv "celery"} -A pretalx.celery_app worker ${cfg.celery.extraArgs}";
      });
-
-      nginx.serviceConfig.SupplementaryGroups = lib.mkIf cfg.nginx.enable [ "pretalx" ];
    };

    systemd.sockets.pretalx-web.socketConfig = {
@ -442,9 +403,11 @@ in
    };

    users = {
-      groups.${cfg.group} = {};
-      users.${cfg.user} = {
+      groups."${cfg.group}" = {};
+      users."${cfg.user}" = {
        isSystemUser = true;
+        createHome = true;
+        home = cfg.settings.filesystem.data;
        inherit (cfg) group;
      };
    };
--- a/nixos/modules/services/web-apps/pretix.nix
+++ b/nixos/modules/services/web-apps/pretix.nix
@ -468,7 +468,7 @@ in
          StateDirectory = [
            "pretix"
          ];
-          StateDirectoryMode = "0750";
+          StateDirectoryMode = "0755";
          CacheDirectory = "pretix";
          LogsDirectory = "pretix";
          WorkingDirectory = cfg.settings.pretix.datadir;
@ -507,7 +507,7 @@ in
            "~@privileged"
            "@chown"
          ];
-          UMask = "0027";
+          UMask = "0022";
        };
      };
    in {
@ -561,8 +561,6 @@ in
        wantedBy = [ "multi-user.target" ];
        serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}";
      };
-
-      nginx.serviceConfig.SupplementaryGroups = mkIf cfg.nginx.enable [ "pretix" ];
    };

    systemd.sockets.pretix-web.socketConfig = {
@ -571,9 +569,11 @@ in
    };

    users = {
-      groups.${cfg.group} = {};
-      users.${cfg.user} = {
+      groups."${cfg.group}" = {};
+      users."${cfg.user}" = {
        isSystemUser = true;
+        createHome = true;
+        home = cfg.settings.pretix.datadir;
        inherit (cfg) group;
      };
    };
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@ -218,7 +218,7 @@ in

    services.displayManager.logToJournal = true;

-    services.logrotate.enable = mkOverride 150 false;
+    services.logrotate.enable = lib.mkDefault false;

    # Make sure we use the Guest Agent from the QEMU package for testing
    # to reduce the closure size required for the tests.
--- a/nixos/tests/web-apps/pretalx.nix
+++ b/nixos/tests/web-apps/pretalx.nix
@ -27,9 +27,5 @@
    pretalx.wait_for_unit("pretalx-worker.service")

    pretalx.wait_until_succeeds("curl -q --fail http://talks.local/orga/")
-
-    pretalx.succeed("pretalx-manage --help")
-
-    pretalx.log(pretalx.succeed("systemd-analyze security pretalx-web.service"))
  '';
 }
--- a/pkgs/by-name/ca/cargo-bloat/package.nix
+++ b/pkgs/by-name/ca/cargo-bloat/package.nix
@ -2,16 +2,16 @@

 rustPlatform.buildRustPackage rec {
  pname = "cargo-bloat";
-  version = "0.12.1";
+  version = "0.12.0";

  src = fetchFromGitHub {
    owner = "RazrFalcon";
    repo = pname;
    rev = "v${version}";
-    hash = "sha256-B71VX7cJe1giOLmk3cQE8Zxr7fKGyQkoXRuM+NzBcb8=";
+    hash = "sha256-vPk6ERl0VM1TjK/JRMcXqCvKqSTuw78MsmQ0xImQyd4=";
  };

-  cargoHash = "sha256-BBFLyMx1OPT2XAM6pofs2kV/3n3FrNu0Jkyr/Y3smnI=";
+  cargoHash = "sha256-6fMFGLH16Z1O+ETlr0685TXHup1vJetfzPdNC2Lw9uM=";

  meta = with lib; {
    description = "A tool and Cargo subcommand that helps you find out what takes most of the space in your executable";
--- a/pkgs/by-name/pr/pretalx/package.nix
+++ b/pkgs/by-name/pr/pretalx/package.nix
@ -42,7 +42,7 @@ let
    homepage = "https://github.com/pretalx/pretalx";
    changelog = "https://docs.pretalx.org/en/latest/changelog.html";
    license = licenses.asl20;
-    maintainers = with maintainers; [ hexa] ++ teams.c3d2.members;
+    maintainers = teams.c3d2.members;
    platforms = platforms.linux;
  };

--- a/pkgs/development/libraries/webrtc-audio-processing/default.nix
+++ b/pkgs/development/libraries/webrtc-audio-processing/default.nix
@ -53,8 +53,7 @@ stdenv.mkDerivation rec {
    homepage = "https://www.freedesktop.org/software/pulseaudio/webrtc-audio-processing";
    description = "A more Linux packaging friendly copy of the AudioProcessing module from the WebRTC project";
    license = licenses.bsd3;
-    # https://gitlab.freedesktop.org/pulseaudio/webrtc-audio-processing/-/blob/master/webrtc/rtc_base/system/arch.h
-    platforms = intersectLists platforms.unix (platforms.arm ++ platforms.aarch64 ++ platforms.mips ++ platforms.power ++ platforms.riscv ++ platforms.x86);
+    platforms = platforms.unix;
    # BE platforms are unsupported
    # https://gitlab.freedesktop.org/pulseaudio/webrtc-audio-processing/-/issues/31
    badPlatforms = platforms.bigEndian;
--- a/pkgs/development/python-modules/bellows/default.nix
+++ b/pkgs/development/python-modules/bellows/default.nix
@ -1,19 +1,18 @@
-{
-  lib,
-  async-timeout,
-  buildPythonPackage,
-  click,
-  click-log,
-  fetchFromGitHub,
-  pure-pcapy3,
-  pyserial-asyncio,
-  pytest-asyncio,
-  pytest-timeout,
-  pytestCheckHook,
-  pythonOlder,
-  setuptools,
-  voluptuous,
-  zigpy,
+{ lib
+, async-timeout
+, buildPythonPackage
+, click
+, click-log
+, fetchFromGitHub
+, pure-pcapy3
+, pyserial-asyncio
+, pytest-asyncio
+, pytest-timeout
+, pytestCheckHook
+, pythonOlder
+, setuptools
+, voluptuous
+, zigpy
 }:

 buildPythonPackage rec {
@ -36,7 +35,9 @@ buildPythonPackage rec {
      --replace-fail 'dynamic = ["version"]' 'version = "${version}"'
  '';

-  build-system = [ setuptools ];
+  build-system = [
+    setuptools
+  ];

  dependencies = [
    click
@ -45,7 +46,9 @@ buildPythonPackage rec {
    pyserial-asyncio
    voluptuous
    zigpy
-  ] ++ lib.optionals (pythonOlder "3.11") [ async-timeout ];
+  ] ++ lib.optionals (pythonOlder "3.11") [
+    async-timeout
+  ];

  nativeCheckInputs = [
    pytestCheckHook
@ -53,7 +56,9 @@ buildPythonPackage rec {
    pytest-timeout
  ];

-  pythonImportsCheck = [ "bellows" ];
+  pythonImportsCheck = [
+    "bellows"
+  ];

  meta = with lib; {
    description = "Python module to implement EZSP for EmberZNet devices";
--- a/pkgs/development/python-modules/bsddb3/default.nix
+++ b/pkgs/development/python-modules/bsddb3/default.nix
@ -1,30 +1,22 @@
 { lib
 , buildPythonPackage
 , fetchPypi
-, setuptools
 , pkgs
 , python
-, pythonOlder
 }:

 buildPythonPackage rec {
  pname = "bsddb3";
  version = "6.2.9";
-  pyproject = true;
+  format = "setuptools";

  src = fetchPypi {
    inherit pname version;
    sha256 = "70d05ec8dc568f42e70fc919a442e0daadc2a905a1cfb7ca77f549d49d6e7801";
  };

-  build-system = [
-    setuptools
-  ];
-
  buildInputs = [ pkgs.db ];

-  doCheck = pythonOlder "3.12"; # distutils usage
-
  checkPhase = ''
    ${python.interpreter} test.py
  '';
--- a/pkgs/development/python-modules/peco/default.nix
+++ b/pkgs/development/python-modules/peco/default.nix
@ -1,28 +1,29 @@
-{
-  lib,
-  aiohttp,
-  buildPythonPackage,
-  fetchPypi,
-  pydantic,
-  pythonOlder,
-  setuptools,
+{ lib
+, aiohttp
+, buildPythonPackage
+, fetchPypi
+, pydantic
+, pythonOlder
+, setuptools
 }:

 buildPythonPackage rec {
  pname = "peco";
-  version = "0.0.30";
-  pyproject = true;
+  version = "0.0.29";
+  format = "pyproject";

  disabled = pythonOlder "3.7";

  src = fetchPypi {
    inherit pname version;
-    hash = "sha256-a3MPqtbDftbLGtpJ66CFVC5wJFa9L3dqOKPfBZCaHpM=";
+    hash = "sha256-zL0tBTwm+l5eyxlWr2xoE+nLpMfUKri1/yD+WgTUqHQ=";
  };

-  build-system = [ setuptools ];
+  nativeBuildInputs = [
+    setuptools
+  ];

-  dependencies = [
+  propagatedBuildInputs = [
    aiohttp
    pydantic
  ];
@ -30,7 +31,9 @@ buildPythonPackage rec {
  # Module has no tests
  doCheck = false;

-  pythonImportsCheck = [ "peco" ];
+  pythonImportsCheck = [
+    "peco"
+  ];

  meta = with lib; {
    description = "Library for interacting with the PECO outage map";
--- a/pkgs/development/python-modules/pynvml/default.nix
+++ b/pkgs/development/python-modules/pynvml/default.nix
@ -6,7 +6,6 @@
 , addOpenGLRunpath
 , setuptools
 , pytestCheckHook
-, versioneer
 }:

 buildPythonPackage rec {
@ -29,14 +28,8 @@ buildPythonPackage rec {
    })
  ];

-  # unvendor versioneer
-  postPatch = ''
-    rm versioneer.py
-  '';
-
  nativeBuildInputs = [
    setuptools
-    versioneer
  ];

  pythonImportsCheck = [ "pynvml" "pynvml.smi" ];
--- a/pkgs/servers/nosql/apache-jena/fuseki-binary.nix
+++ b/pkgs/servers/nosql/apache-jena/fuseki-binary.nix
@ -24,12 +24,9 @@ stdenv.mkDerivation rec {
    chmod +x $out/fuseki
    ln -s "$out"/{fuseki-backup,fuseki-server,fuseki} "$out/bin"
    for i in "$out"/bin/*; do
-      # It is necessary to set the default $FUSEKI_BASE directory to a writable location
-      # By default it points to $FUSEKI_HOME/run which is in the nix store
      wrapProgram "$i" \
        --prefix "PATH" : "${java}/bin/:${coreutils}/bin:${which}/bin" \
        --set-default "FUSEKI_HOME" "$out" \
-        --run "if [ -z \"\$FUSEKI_BASE\" ]; then export FUSEKI_BASE=\"\$HOME/.local/fuseki\" ; mkdir -p \"\$HOME/.local/fuseki\" ; fi" \
        ;
    done
  '';
@ -43,9 +40,7 @@ stdenv.mkDerivation rec {
    license = licenses.asl20;
    maintainers = with maintainers; [ raskin ];
    platforms = platforms.all;
-    sourceProvenance = with sourceTypes; [ binaryBytecode binaryNativeCode ];
    homepage = "https://jena.apache.org";
    downloadPage = "https://archive.apache.org/dist/jena/binaries/";
-    mainProgram = "fuseki";
  };
 }