


Martin Weinelt
5c0c6e1492
Merge pull request #310421 from mweinelt/bsddb3-tests
python312Packages.bsddb3: disable tests
2024-05-10 15:36:28 +02:00
7c6f434c
6005362903
Merge pull request #310577 from zebreus/fix-fuseki
apache-jena-fuseki: fix running with nix run
2024-05-10 13:32:36 +00:00
K900
936124b122
Merge pull request #310581 from K900/fix-test-eval
nixos/tests: set non-conflicting priority for logrotate disabling
2024-05-10 16:31:17 +03:00
K900
4733c9feec nixos/tests: set non-conflicting priority for logrotate disabling
CC https://github.com/NixOS/nixpkgs/pull/267880
2024-05-10 16:25:51 +03:00
nixpkgs-merge-bot[bot]
d42c1c8d44
Merge pull request #310568 from r-ryantm/auto-update/cargo-bloat
cargo-bloat: 0.12.0 -> 0.12.1
2024-05-10 13:10:33 +00:00
Martin Weinelt
7da17ece76
Merge pull request #310366 from mweinelt/pretix-pretalx-homemode
pretix, pretalx: fixes, hardening
2024-05-10 14:50:24 +02:00
Weijia Wang
d51389b604
Merge pull request #310530 from alyssais/webrtc-audio-processing_1-platforms
webrtc-audio-processing_1: tighten platforms
2024-05-10 14:49:47 +02:00
Fabian Affolter
b9ce4f0d09
Merge pull request #310556 from fabaff/peco-bump
python312Packages.peco: 0.0.29 -> 0.0.30
2024-05-10 14:49:30 +02:00
Fabian Affolter
2ddef55de9
Merge pull request #309044 from fabaff/bellows-bump
python312Packages.bellows: format with nixfmt
2024-05-10 14:49:05 +02:00
Weijia Wang
6340bfba1b
Merge pull request #310565 from annaleeleaves/pynvml-unvendor-versioner
python312Packages.pynvml: unvendor versioneer
2024-05-10 14:42:15 +02:00
Zebreus
1135620d73 fuseki: fix running with nix run 2024-05-10 14:42:02 +02:00
R. Ryantm
8e4c17768e cargo-bloat: 0.12.0 -> 0.12.1 2024-05-10 12:16:27 +00:00
annalee
e5267bdb13
python312Packages.pynvml: unvendor versioneer 2024-05-10 11:55:11 +00:00
Fabian Affolter
61706d2720 python312Packages.bellows: format with nixfmt 2024-05-10 13:01:55 +02:00
Fabian Affolter
312c697e2b python312Packages.peco: format with nixfmt 2024-05-10 12:37:10 +02:00
Fabian Affolter
ad8572d0d9 python312Packages.peco: refactor 2024-05-10 12:36:34 +02:00
Fabian Affolter
e17c022a87 python312Packages.peco: 0.0.29 -> 0.0.30 2024-05-10 12:35:45 +02:00
Alyssa Ross
6326c8a6dc
webrtc-audio-processing_1: tighten platforms
Only supports an explicitly-enumerated list of platforms.
This matches what we do for webrtc-audio-processing_0_3.
2024-05-10 10:24:54 +02:00
Martin Weinelt
b7b5775f93
python312Packages.bsddb3: disable tests
They require distutils, which has been removed in 3.12.

Closes: #308232
2024-05-09 22:16:56 +02:00
Martin Weinelt
622af635bb
pretalx: adopt and set up code ownership 2024-05-09 18:20:14 +02:00
Martin Weinelt
9afcf733f3
nixos/pretix: update hardening
- Transition from world-readable to group-readable UMask
- Remove world permissions from state directory
2024-05-09 18:20:14 +02:00
Martin Weinelt
e2ccc754ac
nixos/tests/pretalx: test cli wrapper and print systemd unit security 2024-05-09 18:20:13 +02:00
Martin Weinelt
82f2cc7489
nixos/pretalx: set up hardening 2024-05-09 18:20:13 +02:00
Martin Weinelt
b4b3165619
nixos/pretalx: fix state directory mode
The state directory contains static files that need to be accessible by
a webserver, but homeMode defaults to 0750 and switching the generation
will always force the homeMode, thereby breaking access to the assets.

Instead, fully rely on systemd to provide the StateDirectory with the
correct mode.
2024-05-09 18:20:13 +02:00
Martin Weinelt
a4193dba8f
nixos/pretix: fix state directory mode
The state directory contains static files that need to be accessible by
a webserver, but homeMode defaults to 0750 and switching the generation
will always force the homeMode, thereby breaking access to the assets.

Instead, fully rely on systemd to provide the StateDirectory with the
correct mode.
2024-05-09 17:00:02 +02:00
13 changed files with 117 additions and 60 deletions

.github/CODEOWNERS vendored

@ -345,8 +345,11 @@ pkgs/development/tools/continuous-integration/buildbot @Mic92 @zowoq
# Pretix # Pretix
pkgs/by-name/pr/pretix/ @mweinelt pkgs/by-name/pr/pretix/ @mweinelt
pkgs/by-name/pr/pretalx/ @mweinelt
nixos/modules/services/web-apps/pretix.nix @mweinelt nixos/modules/services/web-apps/pretix.nix @mweinelt
nixos/modules/services/web-apps/pretalx.nix @mweinelt
nixos/tests/web-apps/pretix.nix @mweinelt nixos/tests/web-apps/pretix.nix @mweinelt
nixos/tests/web-apps/pretalx.nix @mweinelt
# incus/lxc/lxd # incus/lxc/lxd
nixos/maintainers/scripts/lxd/ @adamcstephens nixos/maintainers/scripts/lxd/ @adamcstephens


@ -24,7 +24,7 @@ in
{ {
meta = with lib; { meta = with lib; {
maintainers = teams.c3d2.members; maintainers = with maintainers; [ hexa] ++ teams.c3d2.members;
}; };
options.services.pretalx = { options.services.pretalx = {
@ -329,10 +329,47 @@ in
serviceConfig = { serviceConfig = {
User = "pretalx"; User = "pretalx";
Group = "pretalx"; Group = "pretalx";
StateDirectory = [ "pretalx" "pretalx/media" ]; StateDirectory = [
"pretalx"
"pretalx/media"
];
StateDirectoryMode = "0750";
LogsDirectory = "pretalx"; LogsDirectory = "pretalx";
WorkingDirectory = cfg.settings.filesystem.data; WorkingDirectory = cfg.settings.filesystem.data;
SupplementaryGroups = [ "redis-pretalx" ]; SupplementaryGroups = [ "redis-pretalx" ];
AmbientCapabilities = "";
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProcSubset = "pid";
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"@chown"
];
UMask = "0027";
}; };
}; };
in { in {
@ -395,6 +432,8 @@ in
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${lib.getExe' pythonEnv "celery"} -A pretalx.celery_app worker ${cfg.celery.extraArgs}"; serviceConfig.ExecStart = "${lib.getExe' pythonEnv "celery"} -A pretalx.celery_app worker ${cfg.celery.extraArgs}";
}); });
nginx.serviceConfig.SupplementaryGroups = lib.mkIf cfg.nginx.enable [ "pretalx" ];
}; };
systemd.sockets.pretalx-web.socketConfig = { systemd.sockets.pretalx-web.socketConfig = {
@ -403,11 +442,9 @@ in
}; };
users = { users = {
groups."${cfg.group}" = {}; groups.${cfg.group} = {};
users."${cfg.user}" = { users.${cfg.user} = {
isSystemUser = true; isSystemUser = true;
createHome = true;
home = cfg.settings.filesystem.data;
inherit (cfg) group; inherit (cfg) group;
}; };
}; };
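Review bot: `LogsDirectory = "pretalx";` in the serviceConfig hunk (@ -329) is left at systemd's default LogsDirectoryMode of 0755, so /var/log/pretalx stays world-readable while StateDirectoryMode and UMask are tightened to 0750 and 0027 in the same hunk; web-application logs tend to carry request paths and identifiers, so `LogsDirectoryMode = "0750";` would complete the change. The pretix module section in this compare has the same gap, and there `CacheDirectory = "pretix";` is also left at the default mode. The `MemoryDenyWriteExecute = true` line is worth a comment such as `# breaks ctypes/libffi closure trampolines; revisit if a native dependency needs W+X`, since the accompanying test only exercises one HTTP endpoint and would not surface that kind of failure. The `let` binding that holds this serviceConfig starts before the hunk.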


@ -468,7 +468,7 @@ in
StateDirectory = [ StateDirectory = [
"pretix" "pretix"
]; ];
StateDirectoryMode = "0755"; StateDirectoryMode = "0750";
CacheDirectory = "pretix"; CacheDirectory = "pretix";
LogsDirectory = "pretix"; LogsDirectory = "pretix";
WorkingDirectory = cfg.settings.pretix.datadir; WorkingDirectory = cfg.settings.pretix.datadir;
@ -507,7 +507,7 @@ in
"~@privileged" "~@privileged"
"@chown" "@chown"
]; ];
UMask = "0022"; UMask = "0027";
}; };
}; };
in { in {
@ -561,6 +561,8 @@ in
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}"; serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}";
}; };
nginx.serviceConfig.SupplementaryGroups = mkIf cfg.nginx.enable [ "pretix" ];
}; };
systemd.sockets.pretix-web.socketConfig = { systemd.sockets.pretix-web.socketConfig = {
@ -569,11 +571,9 @@ in
}; };
users = { users = {
groups."${cfg.group}" = {}; groups.${cfg.group} = {};
users."${cfg.user}" = { users.${cfg.user} = {
isSystemUser = true; isSystemUser = true;
createHome = true;
home = cfg.settings.pretix.datadir;
inherit (cfg) group; inherit (cfg) group;
}; };
}; };
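Review bot: Lowering `StateDirectoryMode` to "0750" and `UMask` to "0027" (hunks @ -468 and @ -507) only affects the directory mode and files created from now on; files already written under the previous UMask 0022 keep their 0644 bits, so the hardening is not retroactive for existing deployments. A comment next to the UMask line, `# group-readable so nginx (SupplementaryGroups = [ "pretix" ]) can serve static assets; pre-existing files keep their old mode`, or a release-note entry pointing operators at the state directory, would make that explicit. The nginx SupplementaryGroups line in hunk @ -561 is what keeps asset serving working after the tightening, so the two changes should be kept together if either is ever reverted. The enclosing `let` block starts outside these hunks.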


@ -218,7 +218,7 @@ in
services.displayManager.logToJournal = true; services.displayManager.logToJournal = true;
services.logrotate.enable = lib.mkDefault false; services.logrotate.enable = mkOverride 150 false;
# Make sure we use the Guest Agent from the QEMU package for testing # Make sure we use the Guest Agent from the QEMU package for testing
# to reduce the closure size required for the tests. # to reduce the closure size required for the tests.
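Review bot: The new line `services.logrotate.enable = mkOverride 150 false;` uses a bare `mkOverride`, whereas the removed line qualified `lib.mkDefault`; unless this file already has `with lib;` or an `inherit (lib) mkOverride;` outside the hunk, this fails at evaluation and `lib.mkOverride 150 false` is the safer spelling. The magic priority also deserves a why-comment, e.g. `# priority 150: wins over mkDefault (1000) set by other modules, still loses to mkForce (50)`, so the next person does not "fix" it back to mkDefault. The attribute set this line belongs to starts and ends outside the hunk.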


@ -27,5 +27,9 @@
pretalx.wait_for_unit("pretalx-worker.service") pretalx.wait_for_unit("pretalx-worker.service")
pretalx.wait_until_succeeds("curl -q --fail http://talks.local/orga/") pretalx.wait_until_succeeds("curl -q --fail http://talks.local/orga/")
pretalx.succeed("pretalx-manage --help")
pretalx.log(pretalx.succeed("systemd-analyze security pretalx-web.service"))
''; '';
} }
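Review bot: `pretalx.log(pretalx.succeed("systemd-analyze security pretalx-web.service"))` only records the exposure report; `succeed` asserts the exit code, so a regression in the unit's sandboxing would still pass the test. If the systemd in the test VM supports it, `systemd-analyze security --threshold=<value> pretalx-web.service` turns the report into a real assertion, with a comment stating the accepted exposure level. The worker unit is not analyzed here; if it shares the serviceConfig with the web unit, as the module change in this compare suggests, a comment saying so would explain why one unit is enough. The test script starts before this hunk.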


@ -2,16 +2,16 @@
rustPlatform.buildRustPackage rec { rustPlatform.buildRustPackage rec {
pname = "cargo-bloat"; pname = "cargo-bloat";
version = "0.12.0"; version = "0.12.1";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "RazrFalcon"; owner = "RazrFalcon";
repo = pname; repo = pname;
rev = "v${version}"; rev = "v${version}";
hash = "sha256-vPk6ERl0VM1TjK/JRMcXqCvKqSTuw78MsmQ0xImQyd4="; hash = "sha256-B71VX7cJe1giOLmk3cQE8Zxr7fKGyQkoXRuM+NzBcb8=";
}; };
cargoHash = "sha256-6fMFGLH16Z1O+ETlr0685TXHup1vJetfzPdNC2Lw9uM="; cargoHash = "sha256-BBFLyMx1OPT2XAM6pofs2kV/3n3FrNu0Jkyr/Y3smnI=";
meta = with lib; { meta = with lib; {
description = "A tool and Cargo subcommand that helps you find out what takes most of the space in your executable"; description = "A tool and Cargo subcommand that helps you find out what takes most of the space in your executable";


@ -42,7 +42,7 @@ let
homepage = "https://github.com/pretalx/pretalx"; homepage = "https://github.com/pretalx/pretalx";
changelog = "https://docs.pretalx.org/en/latest/changelog.html"; changelog = "https://docs.pretalx.org/en/latest/changelog.html";
license = licenses.asl20; license = licenses.asl20;
maintainers = teams.c3d2.members; maintainers = with maintainers; [ hexa] ++ teams.c3d2.members;
platforms = platforms.linux; platforms = platforms.linux;
}; };


@ -53,7 +53,8 @@ stdenv.mkDerivation rec {
homepage = "https://www.freedesktop.org/software/pulseaudio/webrtc-audio-processing"; homepage = "https://www.freedesktop.org/software/pulseaudio/webrtc-audio-processing";
description = "A more Linux packaging friendly copy of the AudioProcessing module from the WebRTC project"; description = "A more Linux packaging friendly copy of the AudioProcessing module from the WebRTC project";
license = licenses.bsd3; license = licenses.bsd3;
platforms = platforms.unix; # https://gitlab.freedesktop.org/pulseaudio/webrtc-audio-processing/-/blob/master/webrtc/rtc_base/system/arch.h
platforms = intersectLists platforms.unix (platforms.arm ++ platforms.aarch64 ++ platforms.mips ++ platforms.power ++ platforms.riscv ++ platforms.x86);
# BE platforms are unsupported # BE platforms are unsupported
# https://gitlab.freedesktop.org/pulseaudio/webrtc-audio-processing/-/issues/31 # https://gitlab.freedesktop.org/pulseaudio/webrtc-audio-processing/-/issues/31
badPlatforms = platforms.bigEndian; badPlatforms = platforms.bigEndian;


@ -1,18 +1,19 @@
{ lib {
, async-timeout lib,
, buildPythonPackage async-timeout,
, click buildPythonPackage,
, click-log click,
, fetchFromGitHub click-log,
, pure-pcapy3 fetchFromGitHub,
, pyserial-asyncio pure-pcapy3,
, pytest-asyncio pyserial-asyncio,
, pytest-timeout pytest-asyncio,
, pytestCheckHook pytest-timeout,
, pythonOlder pytestCheckHook,
, setuptools pythonOlder,
, voluptuous setuptools,
, zigpy voluptuous,
zigpy,
}: }:
buildPythonPackage rec { buildPythonPackage rec {
@ -35,9 +36,7 @@ buildPythonPackage rec {
--replace-fail 'dynamic = ["version"]' 'version = "${version}"' --replace-fail 'dynamic = ["version"]' 'version = "${version}"'
''; '';
build-system = [ build-system = [ setuptools ];
setuptools
];
dependencies = [ dependencies = [
click click
@ -46,9 +45,7 @@ buildPythonPackage rec {
pyserial-asyncio pyserial-asyncio
voluptuous voluptuous
zigpy zigpy
] ++ lib.optionals (pythonOlder "3.11") [ ] ++ lib.optionals (pythonOlder "3.11") [ async-timeout ];
async-timeout
];
nativeCheckInputs = [ nativeCheckInputs = [
pytestCheckHook pytestCheckHook
@ -56,9 +53,7 @@ buildPythonPackage rec {
pytest-timeout pytest-timeout
]; ];
pythonImportsCheck = [ pythonImportsCheck = [ "bellows" ];
"bellows"
];
meta = with lib; { meta = with lib; {
description = "Python module to implement EZSP for EmberZNet devices"; description = "Python module to implement EZSP for EmberZNet devices";


@ -1,22 +1,30 @@
{ lib { lib
, buildPythonPackage , buildPythonPackage
, fetchPypi , fetchPypi
, setuptools
, pkgs , pkgs
, python , python
, pythonOlder
}: }:
buildPythonPackage rec { buildPythonPackage rec {
pname = "bsddb3"; pname = "bsddb3";
version = "6.2.9"; version = "6.2.9";
format = "setuptools"; pyproject = true;
src = fetchPypi { src = fetchPypi {
inherit pname version; inherit pname version;
sha256 = "70d05ec8dc568f42e70fc919a442e0daadc2a905a1cfb7ca77f549d49d6e7801"; sha256 = "70d05ec8dc568f42e70fc919a442e0daadc2a905a1cfb7ca77f549d49d6e7801";
}; };
build-system = [
setuptools
];
buildInputs = [ pkgs.db ]; buildInputs = [ pkgs.db ];
doCheck = pythonOlder "3.12"; # distutils usage
checkPhase = '' checkPhase = ''
${python.interpreter} test.py ${python.interpreter} test.py
''; '';
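Review bot: With `doCheck = pythonOlder "3.12"; # distutils usage` the 3.12 build has no remaining check that the compiled extension loads, since the derivation visible in this hunk has no `pythonImportsCheck`; adding `pythonImportsCheck = [ "bsddb3" ];` keeps a minimal smoke test on the interpreter the tests are disabled for. The comment on the doCheck line could also name the tracking issue from the commit message so the condition is revisited when the test suite drops distutils, e.g. `# test.py uses distutils, removed in 3.12 (see #308232)`. The derivation continues past the end of the hunk.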


@ -1,29 +1,28 @@
{ lib {
, aiohttp lib,
, buildPythonPackage aiohttp,
, fetchPypi buildPythonPackage,
, pydantic fetchPypi,
, pythonOlder pydantic,
, setuptools pythonOlder,
setuptools,
}: }:
buildPythonPackage rec { buildPythonPackage rec {
pname = "peco"; pname = "peco";
version = "0.0.29"; version = "0.0.30";
format = "pyproject"; pyproject = true;
disabled = pythonOlder "3.7"; disabled = pythonOlder "3.7";
src = fetchPypi { src = fetchPypi {
inherit pname version; inherit pname version;
hash = "sha256-zL0tBTwm+l5eyxlWr2xoE+nLpMfUKri1/yD+WgTUqHQ="; hash = "sha256-a3MPqtbDftbLGtpJ66CFVC5wJFa9L3dqOKPfBZCaHpM=";
}; };
nativeBuildInputs = [ build-system = [ setuptools ];
setuptools
];
propagatedBuildInputs = [ dependencies = [
aiohttp aiohttp
pydantic pydantic
]; ];
@ -31,9 +30,7 @@ buildPythonPackage rec {
# Module has no tests # Module has no tests
doCheck = false; doCheck = false;
pythonImportsCheck = [ pythonImportsCheck = [ "peco" ];
"peco"
];
meta = with lib; { meta = with lib; {
description = "Library for interacting with the PECO outage map"; description = "Library for interacting with the PECO outage map";


@ -6,6 +6,7 @@
, addOpenGLRunpath , addOpenGLRunpath
, setuptools , setuptools
, pytestCheckHook , pytestCheckHook
, versioneer
}: }:
buildPythonPackage rec { buildPythonPackage rec {
@ -28,8 +29,14 @@ buildPythonPackage rec {
}) })
]; ];
# unvendor versioneer
postPatch = ''
rm versioneer.py
'';
nativeBuildInputs = [ nativeBuildInputs = [
setuptools setuptools
versioneer
]; ];
pythonImportsCheck = [ "pynvml" "pynvml.smi" ]; pythonImportsCheck = [ "pynvml" "pynvml.smi" ];


@ -24,9 +24,12 @@ stdenv.mkDerivation rec {
chmod +x $out/fuseki chmod +x $out/fuseki
ln -s "$out"/{fuseki-backup,fuseki-server,fuseki} "$out/bin" ln -s "$out"/{fuseki-backup,fuseki-server,fuseki} "$out/bin"
for i in "$out"/bin/*; do for i in "$out"/bin/*; do
# It is necessary to set the default $FUSEKI_BASE directory to a writable location
# By default it points to $FUSEKI_HOME/run which is in the nix store
wrapProgram "$i" \ wrapProgram "$i" \
--prefix "PATH" : "${java}/bin/:${coreutils}/bin:${which}/bin" \ --prefix "PATH" : "${java}/bin/:${coreutils}/bin:${which}/bin" \
--set-default "FUSEKI_HOME" "$out" \ --set-default "FUSEKI_HOME" "$out" \
--run "if [ -z \"\$FUSEKI_BASE\" ]; then export FUSEKI_BASE=\"\$HOME/.local/fuseki\" ; mkdir -p \"\$HOME/.local/fuseki\" ; fi" \
; ;
done done
''; '';
@ -40,7 +43,9 @@ stdenv.mkDerivation rec {
license = licenses.asl20; license = licenses.asl20;
maintainers = with maintainers; [ raskin ]; maintainers = with maintainers; [ raskin ];
platforms = platforms.all; platforms = platforms.all;
sourceProvenance = with sourceTypes; [ binaryBytecode binaryNativeCode ];
homepage = "https://jena.apache.org"; homepage = "https://jena.apache.org";
downloadPage = "https://archive.apache.org/dist/jena/binaries/"; downloadPage = "https://archive.apache.org/dist/jena/binaries/";
mainProgram = "fuseki";
}; };
} }
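Review bot: The added `--run` line in hunk @ -24 hard-codes `$HOME/.local/fuseki` twice and only creates the directory when FUSEKI_BASE was unset, so a caller-supplied FUSEKI_BASE is never created and the two literals can drift apart; `--run "if [ -z \"\$FUSEKI_BASE\" ]; then export FUSEKI_BASE=\"\$HOME/.local/fuseki\"; fi; mkdir -p \"\$FUSEKI_BASE\"" \` keeps one source of truth. When HOME is unset, as under a service unit without a home directory, the default resolves to /.local/fuseki and every start fails noisily on mkdir, which the comment lines above the wrapProgram call could mention. Fuseki's run directory holds its configuration and any credentials it is given, so a note on why a per-user writable location (rather than /tmp or the store) was chosen would help the next reader; XDG_DATA_HOME is the conventional base if the escaping is worth the effort. The installPhase this loop belongs to starts outside the hunk.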