Merge pull request #310421 from mweinelt/bsddb3-tests

python312Packages.bsddb3: disable tests
Merge pull request #310577 from zebreus/fix-fuseki
2024-05-10 15:36:28 +02:00 · 2024-05-10 13:32:36 +00:00 · 2024-05-10 16:31:17 +03:00 · 2024-05-10 16:25:51 +03:00 · 2024-05-10 13:10:33 +00:00 · 2024-05-10 14:50:24 +02:00
13 changed files with 117 additions and 60 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -345,8 +345,11 @@ pkgs/development/tools/continuous-integration/buildbot @Mic92 @zowoq

 # Pretix
 pkgs/by-name/pr/pretix/ @mweinelt
+pkgs/by-name/pr/pretalx/ @mweinelt
 nixos/modules/services/web-apps/pretix.nix @mweinelt
+nixos/modules/services/web-apps/pretalx.nix @mweinelt
 nixos/tests/web-apps/pretix.nix @mweinelt
+nixos/tests/web-apps/pretalx.nix @mweinelt

 # incus/lxc/lxd
 nixos/maintainers/scripts/lxd/          @adamcstephens
--- a/nixos/modules/services/web-apps/pretalx.nix
+++ b/nixos/modules/services/web-apps/pretalx.nix
@ -24,7 +24,7 @@ in

 {
  meta = with lib; {
-    maintainers = teams.c3d2.members;
+    maintainers = with maintainers; [ hexa] ++ teams.c3d2.members;
  };

  options.services.pretalx = {
@ -329,10 +329,47 @@ in
        serviceConfig = {
          User = "pretalx";
          Group = "pretalx";
-          StateDirectory = [ "pretalx" "pretalx/media" ];
+          StateDirectory = [
+            "pretalx"
+            "pretalx/media"
+          ];
+          StateDirectoryMode = "0750";
          LogsDirectory = "pretalx";
          WorkingDirectory = cfg.settings.filesystem.data;
          SupplementaryGroups = [ "redis-pretalx" ];
+          AmbientCapabilities = "";
+          CapabilityBoundingSet = [ "" ];
+          DevicePolicy = "closed";
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          ProcSubset = "pid";
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProtectSystem = "strict";
+          RemoveIPC = true;
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+            "AF_UNIX"
+          ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [
+            "@system-service"
+            "~@privileged"
+            "@chown"
+          ];
+          UMask = "0027";
        };
      };
    in {
@ -395,6 +432,8 @@ in
        wantedBy = [ "multi-user.target" ];
        serviceConfig.ExecStart = "${lib.getExe' pythonEnv "celery"} -A pretalx.celery_app worker ${cfg.celery.extraArgs}";
      });
+
+      nginx.serviceConfig.SupplementaryGroups = lib.mkIf cfg.nginx.enable [ "pretalx" ];
    };

    systemd.sockets.pretalx-web.socketConfig = {
@ -403,11 +442,9 @@ in
    };

    users = {
-      groups."${cfg.group}" = {};
-      users."${cfg.user}" = {
+      groups.${cfg.group} = {};
+      users.${cfg.user} = {
        isSystemUser = true;
-        createHome = true;
-        home = cfg.settings.filesystem.data;
        inherit (cfg) group;
      };
    };
--- a/nixos/modules/services/web-apps/pretix.nix
+++ b/nixos/modules/services/web-apps/pretix.nix
@ -468,7 +468,7 @@ in
          StateDirectory = [
            "pretix"
          ];
-          StateDirectoryMode = "0755";
+          StateDirectoryMode = "0750";
          CacheDirectory = "pretix";
          LogsDirectory = "pretix";
          WorkingDirectory = cfg.settings.pretix.datadir;
@ -507,7 +507,7 @@ in
            "~@privileged"
            "@chown"
          ];
-          UMask = "0022";
+          UMask = "0027";
        };
      };
    in {
@ -561,6 +561,8 @@ in
        wantedBy = [ "multi-user.target" ];
        serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}";
      };
+
+      nginx.serviceConfig.SupplementaryGroups = mkIf cfg.nginx.enable [ "pretix" ];
    };

    systemd.sockets.pretix-web.socketConfig = {
@ -569,11 +571,9 @@ in
    };

    users = {
-      groups."${cfg.group}" = {};
-      users."${cfg.user}" = {
+      groups.${cfg.group} = {};
+      users.${cfg.user} = {
        isSystemUser = true;
-        createHome = true;
-        home = cfg.settings.pretix.datadir;
        inherit (cfg) group;
      };
    };
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@ -218,7 +218,7 @@ in

    services.displayManager.logToJournal = true;

-    services.logrotate.enable = lib.mkDefault false;
+    services.logrotate.enable = mkOverride 150 false;

    # Make sure we use the Guest Agent from the QEMU package for testing
    # to reduce the closure size required for the tests.
--- a/nixos/tests/web-apps/pretalx.nix
+++ b/nixos/tests/web-apps/pretalx.nix
@ -27,5 +27,9 @@
    pretalx.wait_for_unit("pretalx-worker.service")

    pretalx.wait_until_succeeds("curl -q --fail http://talks.local/orga/")
+
+    pretalx.succeed("pretalx-manage --help")
+
+    pretalx.log(pretalx.succeed("systemd-analyze security pretalx-web.service"))
  '';
 }
--- a/pkgs/by-name/ca/cargo-bloat/package.nix
+++ b/pkgs/by-name/ca/cargo-bloat/package.nix
@ -2,16 +2,16 @@

 rustPlatform.buildRustPackage rec {
  pname = "cargo-bloat";
-  version = "0.12.0";
+  version = "0.12.1";

  src = fetchFromGitHub {
    owner = "RazrFalcon";
    repo = pname;
    rev = "v${version}";
-    hash = "sha256-vPk6ERl0VM1TjK/JRMcXqCvKqSTuw78MsmQ0xImQyd4=";
+    hash = "sha256-B71VX7cJe1giOLmk3cQE8Zxr7fKGyQkoXRuM+NzBcb8=";
  };

-  cargoHash = "sha256-6fMFGLH16Z1O+ETlr0685TXHup1vJetfzPdNC2Lw9uM=";
+  cargoHash = "sha256-BBFLyMx1OPT2XAM6pofs2kV/3n3FrNu0Jkyr/Y3smnI=";

  meta = with lib; {
    description = "A tool and Cargo subcommand that helps you find out what takes most of the space in your executable";
--- a/pkgs/by-name/pr/pretalx/package.nix
+++ b/pkgs/by-name/pr/pretalx/package.nix
@ -42,7 +42,7 @@ let
    homepage = "https://github.com/pretalx/pretalx";
    changelog = "https://docs.pretalx.org/en/latest/changelog.html";
    license = licenses.asl20;
-    maintainers = teams.c3d2.members;
+    maintainers = with maintainers; [ hexa] ++ teams.c3d2.members;
    platforms = platforms.linux;
  };

--- a/pkgs/development/libraries/webrtc-audio-processing/default.nix
+++ b/pkgs/development/libraries/webrtc-audio-processing/default.nix
@ -53,7 +53,8 @@ stdenv.mkDerivation rec {
    homepage = "https://www.freedesktop.org/software/pulseaudio/webrtc-audio-processing";
    description = "A more Linux packaging friendly copy of the AudioProcessing module from the WebRTC project";
    license = licenses.bsd3;
-    platforms = platforms.unix;
+    # https://gitlab.freedesktop.org/pulseaudio/webrtc-audio-processing/-/blob/master/webrtc/rtc_base/system/arch.h
+    platforms = intersectLists platforms.unix (platforms.arm ++ platforms.aarch64 ++ platforms.mips ++ platforms.power ++ platforms.riscv ++ platforms.x86);
    # BE platforms are unsupported
    # https://gitlab.freedesktop.org/pulseaudio/webrtc-audio-processing/-/issues/31
    badPlatforms = platforms.bigEndian;
--- a/pkgs/development/python-modules/bellows/default.nix
+++ b/pkgs/development/python-modules/bellows/default.nix
@ -1,18 +1,19 @@
-{ lib
-, async-timeout
-, buildPythonPackage
-, click
-, click-log
-, fetchFromGitHub
-, pure-pcapy3
-, pyserial-asyncio
-, pytest-asyncio
-, pytest-timeout
-, pytestCheckHook
-, pythonOlder
-, setuptools
-, voluptuous
-, zigpy
+{
+  lib,
+  async-timeout,
+  buildPythonPackage,
+  click,
+  click-log,
+  fetchFromGitHub,
+  pure-pcapy3,
+  pyserial-asyncio,
+  pytest-asyncio,
+  pytest-timeout,
+  pytestCheckHook,
+  pythonOlder,
+  setuptools,
+  voluptuous,
+  zigpy,
 }:

 buildPythonPackage rec {
@ -35,9 +36,7 @@ buildPythonPackage rec {
      --replace-fail 'dynamic = ["version"]' 'version = "${version}"'
  '';

-  build-system = [
-    setuptools
-  ];
+  build-system = [ setuptools ];

  dependencies = [
    click
@ -46,9 +45,7 @@ buildPythonPackage rec {
    pyserial-asyncio
    voluptuous
    zigpy
-  ] ++ lib.optionals (pythonOlder "3.11") [
-    async-timeout
-  ];
+  ] ++ lib.optionals (pythonOlder "3.11") [ async-timeout ];

  nativeCheckInputs = [
    pytestCheckHook
@ -56,9 +53,7 @@ buildPythonPackage rec {
    pytest-timeout
  ];

-  pythonImportsCheck = [
-    "bellows"
-  ];
+  pythonImportsCheck = [ "bellows" ];

  meta = with lib; {
    description = "Python module to implement EZSP for EmberZNet devices";
--- a/pkgs/development/python-modules/bsddb3/default.nix
+++ b/pkgs/development/python-modules/bsddb3/default.nix
@ -1,22 +1,30 @@
 { lib
 , buildPythonPackage
 , fetchPypi
+, setuptools
 , pkgs
 , python
+, pythonOlder
 }:

 buildPythonPackage rec {
  pname = "bsddb3";
  version = "6.2.9";
-  format = "setuptools";
+  pyproject = true;

  src = fetchPypi {
    inherit pname version;
    sha256 = "70d05ec8dc568f42e70fc919a442e0daadc2a905a1cfb7ca77f549d49d6e7801";
  };

+  build-system = [
+    setuptools
+  ];
+
  buildInputs = [ pkgs.db ];

+  doCheck = pythonOlder "3.12"; # distutils usage
+
  checkPhase = ''
    ${python.interpreter} test.py
  '';
--- a/pkgs/development/python-modules/peco/default.nix
+++ b/pkgs/development/python-modules/peco/default.nix
@ -1,29 +1,28 @@
-{ lib
-, aiohttp
-, buildPythonPackage
-, fetchPypi
-, pydantic
-, pythonOlder
-, setuptools
+{
+  lib,
+  aiohttp,
+  buildPythonPackage,
+  fetchPypi,
+  pydantic,
+  pythonOlder,
+  setuptools,
 }:

 buildPythonPackage rec {
  pname = "peco";
-  version = "0.0.29";
-  format = "pyproject";
+  version = "0.0.30";
+  pyproject = true;

  disabled = pythonOlder "3.7";

  src = fetchPypi {
    inherit pname version;
-    hash = "sha256-zL0tBTwm+l5eyxlWr2xoE+nLpMfUKri1/yD+WgTUqHQ=";
+    hash = "sha256-a3MPqtbDftbLGtpJ66CFVC5wJFa9L3dqOKPfBZCaHpM=";
  };

-  nativeBuildInputs = [
-    setuptools
-  ];
+  build-system = [ setuptools ];

-  propagatedBuildInputs = [
+  dependencies = [
    aiohttp
    pydantic
  ];
@ -31,9 +30,7 @@ buildPythonPackage rec {
  # Module has no tests
  doCheck = false;

-  pythonImportsCheck = [
-    "peco"
-  ];
+  pythonImportsCheck = [ "peco" ];

  meta = with lib; {
    description = "Library for interacting with the PECO outage map";
--- a/pkgs/development/python-modules/pynvml/default.nix
+++ b/pkgs/development/python-modules/pynvml/default.nix
@ -6,6 +6,7 @@
 , addOpenGLRunpath
 , setuptools
 , pytestCheckHook
+, versioneer
 }:

 buildPythonPackage rec {
@ -28,8 +29,14 @@ buildPythonPackage rec {
    })
  ];

+  # unvendor versioneer
+  postPatch = ''
+    rm versioneer.py
+  '';
+
  nativeBuildInputs = [
    setuptools
+    versioneer
  ];

  pythonImportsCheck = [ "pynvml" "pynvml.smi" ];
--- a/pkgs/servers/nosql/apache-jena/fuseki-binary.nix
+++ b/pkgs/servers/nosql/apache-jena/fuseki-binary.nix
@ -24,9 +24,12 @@ stdenv.mkDerivation rec {
    chmod +x $out/fuseki
    ln -s "$out"/{fuseki-backup,fuseki-server,fuseki} "$out/bin"
    for i in "$out"/bin/*; do
+      # It is necessary to set the default $FUSEKI_BASE directory to a writable location
+      # By default it points to $FUSEKI_HOME/run which is in the nix store
      wrapProgram "$i" \
        --prefix "PATH" : "${java}/bin/:${coreutils}/bin:${which}/bin" \
        --set-default "FUSEKI_HOME" "$out" \
+        --run "if [ -z \"\$FUSEKI_BASE\" ]; then export FUSEKI_BASE=\"\$HOME/.local/fuseki\" ; mkdir -p \"\$HOME/.local/fuseki\" ; fi" \
        ;
    done
  '';
@ -40,7 +43,9 @@ stdenv.mkDerivation rec {
    license = licenses.asl20;
    maintainers = with maintainers; [ raskin ];
    platforms = platforms.all;
+    sourceProvenance = with sourceTypes; [ binaryBytecode binaryNativeCode ];
    homepage = "https://jena.apache.org";
    downloadPage = "https://archive.apache.org/dist/jena/binaries/";
+    mainProgram = "fuseki";
  };
 }
Author	SHA1	Message	Date
Martin Weinelt	5c0c6e1492	Merge pull request #310421 from mweinelt/bsddb3-tests python312Packages.bsddb3: disable tests	2024-05-10 15:36:28 +02:00
7c6f434c	6005362903	Merge pull request #310577 from zebreus/fix-fuseki apache-jena-fuseki: fix running with nix run	2024-05-10 13:32:36 +00:00
K900	936124b122	Merge pull request #310581 from K900/fix-test-eval nixos/tests: set non-conflicting priority for logrotate disabling	2024-05-10 16:31:17 +03:00
K900	4733c9feec	nixos/tests: set non-conflicting priority for logrotate disabling CC https://github.com/NixOS/nixpkgs/pull/267880	2024-05-10 16:25:51 +03:00
nixpkgs-merge-bot[bot]	d42c1c8d44	Merge pull request #310568 from r-ryantm/auto-update/cargo-bloat cargo-bloat: 0.12.0 -> 0.12.1	2024-05-10 13:10:33 +00:00
Martin Weinelt	7da17ece76	Merge pull request #310366 from mweinelt/pretix-pretalx-homemode pretix, pretalx: fixes, hardening	2024-05-10 14:50:24 +02:00
Weijia Wang	d51389b604	Merge pull request #310530 from alyssais/webrtc-audio-processing_1-platforms webrtc-audio-processing_1: tighten platforms	2024-05-10 14:49:47 +02:00
Fabian Affolter	b9ce4f0d09	Merge pull request #310556 from fabaff/peco-bump python312Packages.peco: 0.0.29 -> 0.0.30	2024-05-10 14:49:30 +02:00
Fabian Affolter	2ddef55de9	Merge pull request #309044 from fabaff/bellows-bump python312Packages.bellows: format with nixfmt	2024-05-10 14:49:05 +02:00
Weijia Wang	6340bfba1b	Merge pull request #310565 from annaleeleaves/pynvml-unvendor-versioner python312Packages.pynvml: unvendor versioneer	2024-05-10 14:42:15 +02:00
Zebreus	1135620d73	fuseki: fix running with nix run	2024-05-10 14:42:02 +02:00
R. Ryantm	8e4c17768e	cargo-bloat: 0.12.0 -> 0.12.1	2024-05-10 12:16:27 +00:00
annalee	e5267bdb13	python312Packages.pynvml: unvendor versioneer	2024-05-10 11:55:11 +00:00
Fabian Affolter	61706d2720	python312Packages.bellows: format with nixfmt	2024-05-10 13:01:55 +02:00
Fabian Affolter	312c697e2b	python312Packages.peco: format with nixfmt	2024-05-10 12:37:10 +02:00
Fabian Affolter	ad8572d0d9	python312Packages.peco: refactor	2024-05-10 12:36:34 +02:00
Fabian Affolter	e17c022a87	python312Packages.peco: 0.0.29 -> 0.0.30	2024-05-10 12:35:45 +02:00
Alyssa Ross	6326c8a6dc	webrtc-audio-processing_1: tighten platforms Only supports an explicitly-enumerated list of platforms. This matches what we do for webrtc-audio-processing_0_3.	2024-05-10 10:24:54 +02:00
Martin Weinelt	b7b5775f93	python312Packages.bsddb3: disable tests They require distutils, which has been removed in 3.12. Closes: #308232	2024-05-09 22:16:56 +02:00
Martin Weinelt	622af635bb	pretalx: adopt and set up code ownership	2024-05-09 18:20:14 +02:00
Martin Weinelt	9afcf733f3	nixos/pretix: update hardening - Transition from world-readable to group-readable UMask - Remove world permissions from state directory	2024-05-09 18:20:14 +02:00
Martin Weinelt	e2ccc754ac	nixos/tests/pretalx: test cli wrapper and print systemd unit security	2024-05-09 18:20:13 +02:00
Martin Weinelt	82f2cc7489	nixos/pretalx: set up hardening	2024-05-09 18:20:13 +02:00
Martin Weinelt	b4b3165619	nixos/pretalx: fix state directory mode The state directory contains static files that need to be accessible by a webserver, but homeMode defaults to 0750 and switching the generation will always force the homeMode, thereby breaking access to the assets. Instead, fully rely on systemd to provide the StateDirectory with the correct mode.	2024-05-09 18:20:13 +02:00
Martin Weinelt	a4193dba8f	nixos/pretix: fix state directory mode The state directory contains static files that need to be accessible by a webserver, but homeMode defaults to 0750 and switching the generation will always force the homeMode, thereby breaking access to the assets. Instead, fully rely on systemd to provide the StateDirectory with the correct mode.	2024-05-09 17:00:02 +02:00