Merge master into haskell-updates

github-actions[bot] 2021-09-14 00:06:32 +00:00 committed by GitHub
commit 514366b478
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
113 changed files with 1766 additions and 319 deletions


@ -8582,7 +8582,7 @@
githubId = 1719781;
name = "Pablo Ovelleiro Corral";
keys = [{
longkeyid = "sa4096/0x823A6154426408D3";
longkeyid = "rsa4096/0x823A6154426408D3";
fingerprint = "D03B 218C AE77 1F77 D7F9 20D9 823A 6154 4264 08D3";
}];
};


@ -239,6 +239,17 @@
<link xlink:href="options.html#opt-programs.git.enable">programs.git</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://domainaware.github.io/parsedmarc/">parsedmarc</link>,
a service which parses incoming
<link xlink:href="https://dmarc.org/">DMARC</link> reports and
stores or sends them to a downstream service for further
analysis. Documented in
<link linkend="module-services-parsedmarc">its manual
entry</link>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-21.11-incompatibilities">
@ -356,6 +367,33 @@ Superuser created successfully.
notes</link>).
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-users.users._name_.group">users.users.&lt;name&gt;.group</link>
no longer defaults to <literal>nogroup</literal>, which was
insecure. Out-of-tree modules are likely to require
adaptation: instead of
</para>
<programlisting language="bash">
{
users.users.foo = {
isSystemUser = true;
};
}
</programlisting>
<para>
also create a group for your user:
</para>
<programlisting language="bash">
{
users.users.foo = {
isSystemUser = true;
group = &quot;foo&quot;;
};
users.groups.foo = {};
}
</programlisting>
</listitem>
<listitem>
<para>
<literal>services.geoip-updater</literal> was broken and has


@ -73,6 +73,11 @@ subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable
- [git](https://git-scm.com), a distributed version control system. Available as [programs.git](options.html#opt-programs.git.enable).
- [parsedmarc](https://domainaware.github.io/parsedmarc/), a service
which parses incoming [DMARC](https://dmarc.org/) reports and stores
or sends them to a downstream service for further analysis.
Documented in [its manual entry](#module-services-parsedmarc).
## Backward Incompatibilities {#sec-release-21.11-incompatibilities}
@ -131,6 +136,25 @@ subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable
- The `erigon` ethereum node has moved it's database location in `2021-08-03`, users upgrading must manually move their chaindata (see [release notes](https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03)).
- [users.users.&lt;name&gt;.group](options.html#opt-users.users._name_.group) no longer defaults to `nogroup`, which was insecure. Out-of-tree modules are likely to require adaptation: instead of
```nix
{
users.users.foo = {
isSystemUser = true;
};
}
```
also create a group for your user:
```nix
{
users.users.foo = {
isSystemUser = true;
group = "foo";
};
users.groups.foo = {};
}
```
- `services.geoip-updater` was broken and has been replaced by [services.geoipupdate](options.html#opt-services.geoipupdate.enable).
- PHP 7.3 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 21.11 release.


@ -123,7 +123,7 @@ let
group = mkOption {
type = types.str;
apply = x: assert (builtins.stringLength x < 32 || abort "Group name '${x}' is longer than 31 characters which is not allowed!"); x;
default = "nogroup";
default = "";
description = "The user's primary group.";
};
@ -640,6 +640,16 @@ in {
Exactly one of users.users.${user.name}.isSystemUser and users.users.${user.name}.isNormalUser must be set.
'';
}
{
assertion = user.group != "";
message = ''
users.users.${user.name}.group is unset. This used to default to
nogroup, but this is unsafe. For example you can create a group
for this user with:
users.users.${user.name}.group = "${user.name}";
users.groups.${user.name} = {};
'';
}
]
));
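Review bot: The `group` option's description still reads only `The user's primary group.` even though the new default `""` is a sentinel that the added assertion rejects, so the rendered option reference will show an empty default with no hint that a value is now required. I would extend it to something like `The user's primary group. Must be set explicitly; there is no default.` so that module authors learn about the requirement from the option docs and not only from the assertion failure. Both hunks are excerpts; the option set and the assertion list continue outside them.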


@ -83,14 +83,14 @@ in
#fourstore = 42; # dropped in 20.03
#fourstorehttp = 43; # dropped in 20.03
virtuoso = 44;
rtkit = 45;
#rtkit = 45; # dynamically allocated 2021-09-03
dovecot2 = 46;
dovenull2 = 47;
prayer = 49;
mpd = 50;
clamav = 51;
fprot = 52;
bind = 53;
# bind = 53; #dynamically allocated as of 2021-09-03
wwwrun = 54;
#adm = 55; # unused
spamd = 56;
@ -134,13 +134,13 @@ in
firebird = 95;
#keys = 96; # unused
#haproxy = 97; # dynamically allocated as of 2020-03-11
mongodb = 98;
#mongodb = 98; #dynamically allocated as of 2021-09-03
#openldap = 99; # dynamically allocated as of PR#94610
#users = 100; # unused
cgminer = 101;
munin = 102;
logcheck = 103;
nix-ssh = 104;
#nix-ssh = 104; #dynamically allocated as of 2021-09-03
dictd = 105;
couchdb = 106;
#searx = 107; # dynamically allocated as of 2020-10-27
@ -149,9 +149,9 @@ in
systemd-journal-gateway = 110;
#notbit = 111; # unused
aerospike = 111;
ngircd = 112;
#ngircd = 112; #dynamically allocated as of 2021-09-03
#btsync = 113; # unused
minecraft = 114;
#minecraft = 114; #dynamically allocated as of 2021-09-03
vault = 115;
rippled = 116;
murmur = 117;
@ -169,19 +169,19 @@ in
mopidy = 130;
#docker = 131; # unused
gdm = 132;
dhcpd = 133;
#dhcpd = 133; # dynamically allocated as of 2021-09-03
siproxd = 134;
mlmmj = 135;
neo4j = 136;
#neo4j = 136;# dynamically allocated as of 2021-09-03
riemann = 137;
riemanndash = 138;
radvd = 139;
zookeeper = 140;
dnsmasq = 141;
#radvd = 139;# dynamically allocated as of 2021-09-03
#zookeeper = 140;# dynamically allocated as of 2021-09-03
#dnsmasq = 141;# dynamically allocated as of 2021-09-03
#uhub = 142; # unused
yandexdisk = 143;
mxisd = 144; # was once collectd
consul = 145;
#consul = 145;# dynamically allocated as of 2021-09-03
mailpile = 146;
redmine = 147;
#seeks = 148; # removed 2020-06-21
@ -192,7 +192,7 @@ in
systemd-resolve = 153;
systemd-timesync = 154;
liquidsoap = 155;
etcd = 156;
#etcd = 156;# dynamically allocated as of 2021-09-03
hbase = 158;
opentsdb = 159;
scollector = 160;
@ -204,7 +204,7 @@ in
tox-bootstrapd = 166;
cadvisor = 167;
nylon = 168;
apache-kafka = 169;
#apache-kafka = 169;# dynamically allocated as of 2021-09-03
#panamax = 170; # unused
exim = 172;
#fleet = 173; # unused
@ -241,7 +241,7 @@ in
gateone = 207;
namecoin = 208;
#lxd = 210; # unused
kibana = 211;
#kibana = 211;# dynamically allocated as of 2021-09-03
xtreemfs = 212;
calibre-server = 213;
heapster = 214;
@ -264,7 +264,7 @@ in
avahi-autoipd = 231;
nntp-proxy = 232;
mjpg-streamer = 233;
radicale = 234;
#radicale = 234;# dynamically allocated as of 2021-09-03
hydra-queue-runner = 235;
hydra-www = 236;
syncthing = 237;
@ -272,14 +272,14 @@ in
taskd = 240;
# factorio = 241; # DynamicUser = true
# emby = 242; # unusued, removed 2019-05-01
graylog = 243;
#graylog = 243;# dynamically allocated as of 2021-09-03
sniproxy = 244;
nzbget = 245;
mosquitto = 246;
toxvpn = 247;
# squeezelite = 248; # DynamicUser = true
turnserver = 249;
smokeping = 250;
#smokeping = 250;# dynamically allocated as of 2021-09-03
gocd-agent = 251;
gocd-server = 252;
terraria = 253;
@ -554,7 +554,7 @@ in
#shout = 206; #unused
gateone = 207;
namecoin = 208;
lxd = 210; # unused
#lxd = 210; # unused
#kibana = 211;
xtreemfs = 212;
calibre-server = 213;
@ -573,7 +573,7 @@ in
cfdyndns = 227;
pdnsd = 229;
octoprint = 230;
radicale = 234;
#radicale = 234;# dynamically allocated as of 2021-09-03
syncthing = 237;
caddy = 239;
taskd = 240;
@ -585,7 +585,7 @@ in
#toxvpn = 247; # unused
#squeezelite = 248; #unused
turnserver = 249;
smokeping = 250;
#smokeping = 250;# dynamically allocated as of 2021-09-03
gocd-agent = 251;
gocd-server = 252;
terraria = 253;
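Review bot: The newly commented-out entries use several different comment layouts (`#rtkit = 45; # dynamically allocated 2021-09-03`, `# bind = 53; #dynamically allocated as of 2021-09-03`, `#neo4j = 136;# dynamically allocated as of 2021-09-03`), which makes the table harder to search when checking whether an id is still reserved. Normalising them to the form the file already uses, as in `#haproxy = 97; # dynamically allocated as of 2020-03-11`, would keep the list consistent. The uid and gid tables both continue outside these hunks.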


@ -621,6 +621,7 @@
./services/monitoring/munin.nix
./services/monitoring/nagios.nix
./services/monitoring/netdata.nix
./services/monitoring/parsedmarc.nix
./services/monitoring/prometheus/default.nix
./services/monitoring/prometheus/alertmanager.nix
./services/monitoring/prometheus/exporters.nix


@ -35,9 +35,12 @@ with lib;
services.dbus.packages = [ pkgs.rtkit ];
users.users.rtkit =
{ uid = config.ids.uids.rtkit;
{
isSystemUser = true;
group = "rtkit";
description = "RealtimeKit daemon";
};
users.groups.rtkit = {};
};


@ -169,6 +169,7 @@ let
(map (mkAuthorizedKey cfg false) cfg.authorizedKeys
++ map (mkAuthorizedKey cfg true) cfg.authorizedKeysAppendOnly);
useDefaultShell = true;
group = cfg.group;
isSystemUser = true;
};
groups.${cfg.group} = { };


@ -185,6 +185,7 @@ in
users.users = optionalAttrs (cfg.user == "influxdb") {
influxdb = {
uid = config.ids.uids.influxdb;
group = "influxdb";
description = "Influxdb daemon user";
};
};
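Review bot: `group = "influxdb";` is added here, but no `users.groups.influxdb` declaration is visible in the hunk, unlike most other modules in this commit, which add `users.groups.<name> = {};` next to the user. If the group is not declared elsewhere in the module, the account refers to a group that is never created; adding `users.groups = optionalAttrs (cfg.user == "influxdb") { influxdb = {}; };` would close the gap. The same question applies to the graphite (`group = "graphite";`) and git daemon (`group = "git";`) hunks further down. The surrounding config block continues outside the hunk, so this needs checking against the full file.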


@ -67,7 +67,9 @@ in
users.users = optionalAttrs (cfg.user == "memcached") {
memcached.description = "Memcached server user";
memcached.isSystemUser = true;
memcached.group = "memcached";
};
users.groups = optionalAttrs (cfg.user == "memcached") { memcached = {}; };
environment.systemPackages = [ memcached ];


@ -123,9 +123,11 @@ in
users.users.mongodb = mkIf (cfg.user == "mongodb")
{ name = "mongodb";
uid = config.ids.uids.mongodb;
isSystemUser = true;
group = "mongodb";
description = "MongoDB server user";
};
users.groups.mongodb = mkIf (cfg.user == "mongodb") {};
environment.systemPackages = [ mongodb ];


@ -651,10 +651,12 @@ in {
environment.systemPackages = [ cfg.package ];
users.users.neo4j = {
uid = config.ids.uids.neo4j;
isSystemUser = true;
group = "neo4j";
description = "Neo4j daemon user";
home = cfg.directories.home;
};
users.groups.neo4j = {};
};
meta = {


@ -246,6 +246,7 @@ in {
users.users.redis = {
description = "Redis database user";
group = "redis";
isSystemUser = true;
};
users.groups.redis = {};


@ -167,8 +167,10 @@ in {
description = "Minecraft server service user";
home = cfg.dataDir;
createHome = true;
uid = config.ids.uids.minecraft;
isSystemUser = true;
group = "minecraft";
};
users.groups.minecraft = {};
systemd.services.minecraft-server = {
description = "Minecraft Server Service";


@ -128,10 +128,12 @@ in
users.users = mkIf (cfg.user == "graylog") {
graylog = {
uid = config.ids.uids.graylog;
isSystemUser = true;
group = "graylog";
description = "Graylog server daemon user";
};
};
users.groups = mkIf (cfg.user == "graylog") {};
systemd.tmpfiles.rules = [
"d '${cfg.messageJournalDir}' - ${cfg.user} - - -"
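Review bot: `users.groups = mkIf (cfg.user == "graylog") {};` assigns an empty attribute set, so no `graylog` group is declared even though the user now has `group = "graylog";`. Unless the group is created elsewhere, the account's primary group will not exist; the line presumably should read `users.groups = mkIf (cfg.user == "graylog") { graylog = {}; };`. The enclosing config block continues outside the hunk.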


@ -165,10 +165,12 @@ in {
users.users.airsonic = {
description = "Airsonic service user";
group = "airsonic";
name = cfg.user;
home = cfg.home;
createHome = true;
isSystemUser = true;
};
users.groups.airsonic = {};
};
}


@ -120,10 +120,12 @@ in {
environment.systemPackages = [cfg.package];
users.users.apache-kafka = {
uid = config.ids.uids.apache-kafka;
isSystemUser = true;
group = "apache-kafka";
description = "Apache Kafka daemon user";
home = head cfg.logDirs;
};
users.groups.apache-kafka = {};
systemd.tmpfiles.rules = map (logDir: "d '${logDir}' 0700 apache-kafka - - -") cfg.logDirs;


@ -151,7 +151,9 @@ in {
home = cfg.storagePath;
}
else {}) // {
group = "docker-registry";
isSystemUser = true;
};
users.groups.docker-registry = {};
};
}


@ -187,9 +187,11 @@ in {
environment.systemPackages = [ pkgs.etcd ];
users.users.etcd = {
uid = config.ids.uids.etcd;
isSystemUser = true;
group = "etcd";
description = "Etcd daemon user";
home = cfg.dataDir;
};
users.groups.etcd = {};
};
}


@ -44,9 +44,11 @@ in {
users.users.nix-ssh = {
description = "Nix SSH store user";
uid = config.ids.uids.nix-ssh;
isSystemUser = true;
group = "nix-ssh";
useDefaultShell = true;
};
users.groups.nix-ssh = {};
services.openssh.enable = true;


@ -148,9 +148,11 @@ in {
};
users.users.zookeeper = {
uid = config.ids.uids.zookeeper;
isSystemUser = true;
group = "zookeeper";
description = "Zookeeper daemon user";
home = cfg.dataDir;
};
users.groups.zookeeper = {};
};
}


@ -561,6 +561,7 @@ in {
) {
users.users.graphite = {
uid = config.ids.uids.graphite;
group = "graphite";
description = "Graphite daemon user";
home = dataDir;
};


@ -258,6 +258,7 @@ in {
users.users = optionalAttrs (cfg.user == defaultUser) {
${defaultUser} = {
group = defaultUser;
isSystemUser = true;
};
};


@ -0,0 +1,113 @@
# parsedmarc {#module-services-parsedmarc}
[parsedmarc](https://domainaware.github.io/parsedmarc/) is a service
which parses incoming [DMARC](https://dmarc.org/) reports and stores
or sends them to a downstream service for further analysis. In
combination with Elasticsearch, Grafana and the included Grafana
dashboard, it provides a handy overview of DMARC reports over time.
## Basic usage {#module-services-parsedmarc-basic-usage}
A very minimal setup which reads incoming reports from an external
email address and saves them to a local Elasticsearch instance looks
like this:
```nix
services.parsedmarc = {
enable = true;
settings.imap = {
host = "imap.example.com";
user = "alice@example.com";
password = "/path/to/imap_password_file";
watch = true;
};
provision.geoIp = false; # Not recommended!
};
```
Note that GeoIP provisioning is disabled in the example for
simplicity, but should be turned on for fully functional reports.
## Local mail
Instead of watching an external inbox, a local inbox can be
automatically provisioned. The recipient's name is by default set to
`dmarc`, but can be configured in
[services.parsedmarc.provision.localMail.recipientName](options.html#opt-services.parsedmarc.provision.localMail.recipientName). You
need to add an MX record pointing to the host. More concretely: for
the example to work, an MX record needs to be set up for
`monitoring.example.com` and the complete email address that should be
configured in the domain's dmarc policy is
`dmarc@monitoring.example.com`.
```nix
services.parsedmarc = {
enable = true;
provision = {
localMail = {
enable = true;
hostname = monitoring.example.com;
};
geoIp = false; # Not recommended!
};
};
```
## Grafana and GeoIP
The reports can be visualized and summarized with parsedmarc's
official Grafana dashboard. For all views to work, and for the data to
be complete, GeoIP databases are also required. The following example
shows a basic deployment where the provisioned Elasticsearch instance
is automatically added as a Grafana datasource, and the dashboard is
added to Grafana as well.
```nix
services.parsedmarc = {
enable = true;
provision = {
localMail = {
enable = true;
hostname = url;
};
grafana = {
datasource = true;
dashboard = true;
};
};
};
# Not required, but recommended for full functionality
services.geoipupdate = {
settings = {
AccountID = 000000;
LicenseKey = "/path/to/license_key_file";
};
};
services.grafana = {
enable = true;
addr = "0.0.0.0";
domain = url;
rootUrl = "https://" + url;
protocol = "socket";
security = {
adminUser = "admin";
adminPasswordFile = "/path/to/admin_password_file";
secretKeyFile = "/path/to/secret_key_file";
};
};
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
upstreams.grafana.servers."unix:/${config.services.grafana.socket}" = {};
virtualHosts.${url} = {
root = config.services.grafana.staticRootPath;
enableACME = true;
forceSSL = true;
locations."/".tryFiles = "$uri @grafana";
locations."@grafana".proxyPass = "http://grafana";
};
};
users.users.nginx.extraGroups = [ "grafana" ];
```


@ -0,0 +1,537 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.parsedmarc;
ini = pkgs.formats.ini {};
in
{
options.services.parsedmarc = {
enable = lib.mkEnableOption ''
parsedmarc, a DMARC report monitoring service
'';
provision = {
localMail = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether Postfix and Dovecot should be set up to receive
mail locally. parsedmarc will be configured to watch the
local inbox as the automatically created user specified in
<xref linkend="opt-services.parsedmarc.provision.localMail.recipientName" />
'';
};
recipientName = lib.mkOption {
type = lib.types.str;
default = "dmarc";
description = ''
The DMARC mail recipient name, i.e. the name part of the
email address which receives DMARC reports.
A local user with this name will be set up and assigned a
randomized password on service start.
'';
};
hostname = lib.mkOption {
type = lib.types.str;
default = config.networking.fqdn;
defaultText = "config.networking.fqdn";
example = "monitoring.example.com";
description = ''
The hostname to use when configuring Postfix.
Should correspond to the host's fully qualified domain
name and the domain part of the email address which
receives DMARC reports. You also have to set up an MX record
pointing to this domain name.
'';
};
};
geoIp = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether to enable and configure the <link
linkend="opt-services.geoipupdate.enable">geoipupdate</link>
service to automatically fetch GeoIP databases. Not crucial,
but recommended for full functionality.
To finish the setup, you need to manually set the <xref
linkend="opt-services.geoipupdate.settings.AccountID" /> and
<xref linkend="opt-services.geoipupdate.settings.LicenseKey" />
options.
'';
};
elasticsearch = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether to set up and use a local instance of Elasticsearch.
'';
};
grafana = {
datasource = lib.mkOption {
type = lib.types.bool;
default = cfg.provision.elasticsearch && config.services.grafana.enable;
apply = x: x && cfg.provision.elasticsearch;
description = ''
Whether the automatically provisioned Elasticsearch
instance should be added as a grafana datasource. Has no
effect unless
<xref linkend="opt-services.parsedmarc.provision.elasticsearch" />
is also enabled.
'';
};
dashboard = lib.mkOption {
type = lib.types.bool;
default = config.services.grafana.enable;
description = ''
Whether the official parsedmarc grafana dashboard should
be provisioned to the local grafana instance.
'';
};
};
};
settings = lib.mkOption {
description = ''
Configuration parameters to set in
<filename>parsedmarc.ini</filename>. For a full list of
available parameters, see
<link xlink:href="https://domainaware.github.io/parsedmarc/#configuration-file" />.
'';
type = lib.types.submodule {
freeformType = ini.type;
options = {
general = {
save_aggregate = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Save aggregate report data to Elasticsearch and/or Splunk.
'';
};
save_forensic = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Save forensic report data to Elasticsearch and/or Splunk.
'';
};
};
imap = {
host = lib.mkOption {
type = lib.types.str;
default = "localhost";
description = ''
The IMAP server hostname or IP address.
'';
};
port = lib.mkOption {
type = lib.types.port;
default = 993;
description = ''
The IMAP server port.
'';
};
ssl = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Use an encrypted SSL/TLS connection.
'';
};
user = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
description = ''
The IMAP server username.
'';
};
password = lib.mkOption {
type = with lib.types; nullOr path;
default = null;
description = ''
The path to a file containing the IMAP server password.
'';
};
watch = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Use the IMAP IDLE command to process messages as they arrive.
'';
};
delete = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Delete messages after processing them, instead of archiving them.
'';
};
};
smtp = {
host = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
description = ''
The SMTP server hostname or IP address.
'';
};
port = lib.mkOption {
type = with lib.types; nullOr port;
default = null;
description = ''
The SMTP server port.
'';
};
ssl = lib.mkOption {
type = with lib.types; nullOr bool;
default = null;
description = ''
Use an encrypted SSL/TLS connection.
'';
};
user = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
description = ''
The SMTP server username.
'';
};
password = lib.mkOption {
type = with lib.types; nullOr path;
default = null;
description = ''
The path to a file containing the SMTP server password.
'';
};
from = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
description = ''
The <literal>From</literal> address to use for the
outgoing mail.
'';
};
to = lib.mkOption {
type = with lib.types; nullOr (listOf str);
default = null;
description = ''
The addresses to send outgoing mail to.
'';
};
};
elasticsearch = {
hosts = lib.mkOption {
default = [];
type = with lib.types; listOf str;
apply = x: if x == [] then null else lib.concatStringsSep "," x;
description = ''
A list of Elasticsearch hosts to push parsed reports
to.
'';
};
user = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
description = ''
Username to use when connecting to Elasticsearch, if
required.
'';
};
password = lib.mkOption {
type = with lib.types; nullOr path;
default = null;
description = ''
The path to a file containing the password to use when
connecting to Elasticsearch, if required.
'';
};
ssl = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to use an encrypted SSL/TLS connection.
'';
};
cert_path = lib.mkOption {
type = lib.types.path;
default = "/etc/ssl/certs/ca-certificates.crt";
description = ''
The path to a TLS certificate bundle used to verify
the server's certificate.
'';
};
};
kafka = {
hosts = lib.mkOption {
default = [];
type = with lib.types; listOf str;
apply = x: if x == [] then null else lib.concatStringsSep "," x;
description = ''
A list of Apache Kafka hosts to publish parsed reports
to.
'';
};
user = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
description = ''
Username to use when connecting to Kafka, if
required.
'';
};
password = lib.mkOption {
type = with lib.types; nullOr path;
default = null;
description = ''
The path to a file containing the password to use when
connecting to Kafka, if required.
'';
};
ssl = lib.mkOption {
type = with lib.types; nullOr bool;
default = null;
description = ''
Whether to use an encrypted SSL/TLS connection.
'';
};
aggregate_topic = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
example = "aggregate";
description = ''
The Kafka topic to publish aggregate reports on.
'';
};
forensic_topic = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
example = "forensic";
description = ''
The Kafka topic to publish forensic reports on.
'';
};
};
};
};
};
};
config = lib.mkIf cfg.enable {
services.elasticsearch.enable = lib.mkDefault cfg.provision.elasticsearch;
services.geoipupdate = lib.mkIf cfg.provision.geoIp {
enable = true;
settings = {
EditionIDs = [
"GeoLite2-ASN"
"GeoLite2-City"
"GeoLite2-Country"
];
DatabaseDirectory = "/var/lib/GeoIP";
};
};
services.dovecot2 = lib.mkIf cfg.provision.localMail.enable {
enable = true;
protocols = [ "imap" ];
};
services.postfix = lib.mkIf cfg.provision.localMail.enable {
enable = true;
origin = cfg.provision.localMail.hostname;
config = {
myhostname = cfg.provision.localMail.hostname;
mydestination = cfg.provision.localMail.hostname;
};
};
services.grafana = {
declarativePlugins = with pkgs.grafanaPlugins;
lib.mkIf cfg.provision.grafana.dashboard [
grafana-worldmap-panel
grafana-piechart-panel
];
provision = {
enable = cfg.provision.grafana.datasource || cfg.provision.grafana.dashboard;
datasources =
let
pkgVer = lib.getVersion config.services.elasticsearch.package;
esVersion =
if lib.versionOlder pkgVer "7" then
"60"
else if lib.versionOlder pkgVer "8" then
"70"
else
throw "When provisioning parsedmarc grafana datasources: unknown Elasticsearch version.";
in
lib.mkIf cfg.provision.grafana.datasource [
{
name = "dmarc-ag";
type = "elasticsearch";
access = "proxy";
url = "localhost:9200";
jsonData = {
timeField = "date_range";
inherit esVersion;
};
}
{
name = "dmarc-fo";
type = "elasticsearch";
access = "proxy";
url = "localhost:9200";
jsonData = {
timeField = "date_range";
inherit esVersion;
};
}
];
dashboards = lib.mkIf cfg.provision.grafana.dashboard [{
name = "parsedmarc";
options.path = "${pkgs.python3Packages.parsedmarc.dashboard}";
}];
};
};
services.parsedmarc.settings = lib.mkMerge [
(lib.mkIf cfg.provision.elasticsearch {
elasticsearch = {
hosts = [ "localhost:9200" ];
ssl = false;
};
})
(lib.mkIf cfg.provision.localMail.enable {
imap = {
host = "localhost";
port = 143;
ssl = false;
user = cfg.provision.localMail.recipientName;
password = "${pkgs.writeText "imap-password" "@imap-password@"}";
watch = true;
};
})
];
systemd.services.parsedmarc =
let
# Remove any empty attributes from the config, i.e. empty
# lists, empty attrsets and null. This makes it possible to
# list interesting options in `settings` without them always
# ending up in the resulting config.
filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! builtins.elem v [ null [] {} ])) cfg.settings;
parsedmarcConfig = ini.generate "parsedmarc.ini" filteredConfig;
mkSecretReplacement = file:
lib.optionalString (file != null) ''
replace-secret '${file}' '${file}' /run/parsedmarc/parsedmarc.ini
'';
in
{
wantedBy = [ "multi-user.target" ];
after = [ "postfix.service" "dovecot2.service" "elasticsearch.service" ];
path = with pkgs; [ replace-secret openssl shadow ];
serviceConfig = {
ExecStartPre = let
startPreFullPrivileges = ''
set -o errexit -o pipefail -o nounset -o errtrace
shopt -s inherit_errexit
umask u=rwx,g=,o=
cp ${parsedmarcConfig} /run/parsedmarc/parsedmarc.ini
chown parsedmarc:parsedmarc /run/parsedmarc/parsedmarc.ini
${mkSecretReplacement cfg.settings.smtp.password}
${mkSecretReplacement cfg.settings.imap.password}
${mkSecretReplacement cfg.settings.elasticsearch.password}
${mkSecretReplacement cfg.settings.kafka.password}
'' + lib.optionalString cfg.provision.localMail.enable ''
openssl rand -hex 64 >/run/parsedmarc/dmarc_user_passwd
replace-secret '@imap-password@' '/run/parsedmarc/dmarc_user_passwd' /run/parsedmarc/parsedmarc.ini
echo "Setting new randomized password for user '${cfg.provision.localMail.recipientName}'."
cat <(echo -n "${cfg.provision.localMail.recipientName}:") /run/parsedmarc/dmarc_user_passwd | chpasswd
'';
in
"+${pkgs.writeShellScript "parsedmarc-start-pre-full-privileges" startPreFullPrivileges}";
Type = "simple";
User = "parsedmarc";
Group = "parsedmarc";
DynamicUser = true;
RuntimeDirectory = "parsedmarc";
RuntimeDirectoryMode = 0700;
CapabilityBoundingSet = "";
PrivateDevices = true;
PrivateMounts = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictRealtime = true;
RestrictNamespaces = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
SystemCallArchitectures = "native";
ExecStart = "${pkgs.python3Packages.parsedmarc}/bin/parsedmarc -c /run/parsedmarc/parsedmarc.ini";
};
};
users.users.${cfg.provision.localMail.recipientName} = lib.mkIf cfg.provision.localMail.enable {
isNormalUser = true;
description = "DMARC mail recipient";
};
};
# Don't edit the docbook xml directly, edit the md and generate it:
# `pandoc parsedmarc.md -t docbook --top-level-division=chapter --extract-media=media -f markdown+smart > parsedmarc.xml`
meta.doc = ./parsedmarc.xml;
meta.maintainers = [ lib.maintainers.talyz ];
}
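Review bot: The four `password` options (`imap`, `smtp`, `elasticsearch`, `kafka`) are typed `nullOr path`, and their descriptions do not say that the value should be a string naming a file outside the Nix store. A Nix path literal such as `./imap_password` also satisfies `types.path`, and interpolating it in `mkSecretReplacement` (`'${file}'`) would copy the secret into the world-readable store. I would add a sentence to each description, for example `Must be given as a string such as "/run/keys/imap_password"; a path literal would be copied into the world-readable Nix store.`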


@ -0,0 +1,125 @@
<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="module-services-parsedmarc">
<title>parsedmarc</title>
<para>
<link xlink:href="https://domainaware.github.io/parsedmarc/">parsedmarc</link>
is a service which parses incoming
<link xlink:href="https://dmarc.org/">DMARC</link> reports and
stores or sends them to a downstream service for further analysis.
In combination with Elasticsearch, Grafana and the included Grafana
dashboard, it provides a handy overview of DMARC reports over time.
</para>
<section xml:id="module-services-parsedmarc-basic-usage">
<title>Basic usage</title>
<para>
A very minimal setup which reads incoming reports from an external
email address and saves them to a local Elasticsearch instance
looks like this:
</para>
<programlisting language="bash">
services.parsedmarc = {
enable = true;
settings.imap = {
host = &quot;imap.example.com&quot;;
user = &quot;alice@example.com&quot;;
password = &quot;/path/to/imap_password_file&quot;;
watch = true;
};
provision.geoIp = false; # Not recommended!
};
</programlisting>
<para>
Note that GeoIP provisioning is disabled in the example for
simplicity, but should be turned on for fully functional reports.
</para>
</section>
<section xml:id="local-mail">
<title>Local mail</title>
<para>
Instead of watching an external inbox, a local inbox can be
automatically provisioned. The recipients name is by default set
to <literal>dmarc</literal>, but can be configured in
<link xlink:href="options.html#opt-services.parsedmarc.provision.localMail.recipientName">services.parsedmarc.provision.localMail.recipientName</link>.
You need to add an MX record pointing to the host. More
concretely: for the example to work, an MX record needs to be set
up for <literal>monitoring.example.com</literal> and the complete
email address that should be configured in the domains dmarc
policy is <literal>dmarc@monitoring.example.com</literal>.
</para>
<programlisting language="bash">
services.parsedmarc = {
enable = true;
provision = {
localMail = {
enable = true;
hostname = monitoring.example.com;
};
geoIp = false; # Not recommended!
};
};
</programlisting>
</section>
<section xml:id="grafana-and-geoip">
<title>Grafana and GeoIP</title>
<para>
The reports can be visualized and summarized with parsedmarcs
official Grafana dashboard. For all views to work, and for the
data to be complete, GeoIP databases are also required. The
following example shows a basic deployment where the provisioned
Elasticsearch instance is automatically added as a Grafana
datasource, and the dashboard is added to Grafana as well.
</para>
<programlisting language="bash">
services.parsedmarc = {
enable = true;
provision = {
localMail = {
enable = true;
hostname = url;
};
grafana = {
datasource = true;
dashboard = true;
};
};
};
# Not required, but recommended for full functionality
services.geoipupdate = {
settings = {
AccountID = 000000;
LicenseKey = &quot;/path/to/license_key_file&quot;;
};
};
services.grafana = {
enable = true;
addr = &quot;0.0.0.0&quot;;
domain = url;
rootUrl = &quot;https://&quot; + url;
protocol = &quot;socket&quot;;
security = {
adminUser = &quot;admin&quot;;
adminPasswordFile = &quot;/path/to/admin_password_file&quot;;
secretKeyFile = &quot;/path/to/secret_key_file&quot;;
};
};
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
upstreams.grafana.servers.&quot;unix:/${config.services.grafana.socket}&quot; = {};
virtualHosts.${url} = {
root = config.services.grafana.staticRootPath;
enableACME = true;
forceSSL = true;
locations.&quot;/&quot;.tryFiles = &quot;$uri @grafana&quot;;
locations.&quot;@grafana&quot;.proxyPass = &quot;http://grafana&quot;;
};
};
users.users.nginx.extraGroups = [ &quot;grafana&quot; ];
</programlisting>
</section>
</chapter>


@ -36,6 +36,7 @@ in {
groups._tuptime.members = [ "_tuptime" ];
users._tuptime = {
isSystemUser = true;
group = "_tuptime";
description = "tuptime database owner";
};
};


@ -193,7 +193,10 @@ in {
environment.systemPackages = [ pkgs.orangefs ];
# orangefs daemon will run as user
users.users.orangefs.isSystemUser = true;
users.users.orangefs = {
isSystemUser = true;
group = "orangfs";
};
users.groups.orangefs = {};
# To format the file system the config file is needed.
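Review bot: The added `group = "orangfs";` misspells the group name: the same hunk declares `users.groups.orangefs = {};`, so the orangefs user's primary group points at a group this module never creates. It should read `group = "orangefs";`. Depending on how the users module treats an undeclared primary group, this either fails at evaluation or activation, or leaves the daemon account without the dedicated group the change is meant to give it.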


@ -229,9 +229,11 @@ in
users.users.${bindUser} =
{
uid = config.ids.uids.bind;
group = bindUser;
description = "BIND daemon user";
isSystemUser = true;
};
users.groups.${bindUser} = {};
systemd.services.bind = {
description = "BIND Domain Name Server";


@ -159,10 +159,12 @@ in
users.users.consul = {
description = "Consul agent daemon user";
uid = config.ids.uids.consul;
isSystemUser = true;
group = "consul";
# The shell is needed for health checks
shell = "/run/current-system/sw/bin/bash";
};
users.groups.consul = {};
environment = {
etc."consul.json".text = builtins.toJSON configOptions;


@ -311,6 +311,7 @@ in {
{
users.users.turnserver =
{ uid = config.ids.uids.turnserver;
group = "turnserver";
description = "coturn TURN server user";
};
users.groups.turnserver =


@ -212,9 +212,11 @@ in
users = {
users.dhcpd = {
uid = config.ids.uids.dhcpd;
isSystemUser = true;
group = "dhcpd";
description = "DHCP daemon user";
};
groups.dhcpd = {};
};
systemd.services = dhcpdService "4" cfg4 // dhcpdService "6" cfg6;


@ -87,9 +87,11 @@ in
services.dbus.packages = [ dnsmasq ];
users.users.dnsmasq = {
uid = config.ids.uids.dnsmasq;
isSystemUser = true;
group = "dnsmasq";
description = "Dnsmasq daemon user";
};
users.groups.dnsmasq = {};
networking.resolvconf = mkIf cfg.resolveLocalQueries {
useLocalResolver = mkDefault true;


@ -107,6 +107,7 @@ in
users.users = optionalAttrs (cfg.user == "git") {
git = {
uid = config.ids.uids.git;
group = "git";
description = "Git daemon user";
};
};
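Review bot: The added `group = "git";` has no matching `users.groups.git` declaration visible in this hunk, so it cannot be confirmed from here that the primary group exists. The user is only created under `optionalAttrs (cfg.user == "git")`, so the group declaration needs a compatible condition, otherwise one can exist without the other. The same check applies to the nm-openvpn, atd and systemd-coredump hunks, where a `group` is set but no group declaration is in view (the systemd hunk does show groups for systemd-network and systemd-resolve, but not for systemd-coredump). Where the group is missing, the fix is one line next to the user, for example `users.groups.systemd-coredump = {};`. The enclosing `config` block starts and ends outside the hunk.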


@ -190,6 +190,7 @@ in
users.users.${iodinedUser} = {
uid = config.ids.uids.iodined;
group = "iodined";
description = "Iodine daemon user";
};
users.groups.iodined.gid = config.ids.gids.iodined;


@ -77,7 +77,9 @@ in
createHome = true;
home = "/var/lib/morty";
isSystemUser = true;
group = "morty";
};
users.groups.morty = {};
systemd.services.morty =
{


@ -245,8 +245,10 @@ in
users.users.ncdns = {
isSystemUser = true;
group = "ncdns";
description = "ncdns daemon user";
};
users.groups.ncdns = {};
systemd.services.ncdns = {
description = "ncdns daemon";


@ -464,6 +464,7 @@ in {
users.users = {
nm-openvpn = {
uid = config.ids.uids.nm-openvpn;
group = "nm-openvpn";
extraGroups = [ "networkmanager" ];
};
nm-iodine = {


@ -52,8 +52,11 @@ in {
};
users.users.ngircd = {
uid = config.ids.uids.ngircd;
isSystemUser = true;
group = "ngircd";
description = "ngircd user.";
};
users.groups.ngircd = {};
};
}


@ -74,7 +74,7 @@ in {
users."${cfg.user}" = {
description = "Pleroma user";
home = cfg.stateDir;
extraGroups = [ cfg.group ];
group = cfg.group;
isSystemUser = true;
};
groups."${cfg.group}" = {};


@ -140,9 +140,12 @@ in {
environment.systemPackages = [ pkg ];
users.users.radicale.uid = config.ids.uids.radicale;
users.users.radicale = {
isSystemUser = true;
group = "radicale";
};
users.groups.radicale.gid = config.ids.gids.radicale;
users.groups.radicale = {};
systemd.services.radicale = {
description = "A Simple Calendar and Contact Server";
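Review bot: As far as the rendered lines show (the +/- markers are lost), the fixed ids `config.ids.uids.radicale` and `config.ids.gids.radicale` are replaced by a user without `uid` and by `users.groups.radicale = {};`, so the account's numeric ids become dynamically allocated. Files already on disk are owned by the old numeric ids, so on a rebuilt host or after restoring a backup the daemon may be unable to read its state, or a different account may end up holding the id that owns it. The radvd, peerflix and lxd hunks appear to drop their fixed ids in the same way. If that is intended, say so in the release notes; otherwise keep `uid = config.ids.uids.radicale;` inside the new attribute set and the existing `gid` line.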


@ -55,9 +55,12 @@ in
config = mkIf cfg.enable {
users.users.radvd =
{ uid = config.ids.uids.radvd;
{
isSystemUser = true;
group = "radvd";
description = "Router Advertisement Daemon User";
};
users.groups.radvd = {};
systemd.services.radvd =
{ description = "IPv6 Router Advertisement Daemon";


@ -259,7 +259,7 @@ in
user = mkOption {
type = types.str;
default = "smokeping";
description = "User that runs smokeping and (optionally) thttpd";
description = "User that runs smokeping and (optionally) thttpd. A group of the same name will be created as well.";
};
webService = mkOption {
type = types.bool;
@ -285,11 +285,12 @@ in
users.users.${cfg.user} = {
isNormalUser = false;
isSystemUser = true;
uid = config.ids.uids.smokeping;
group = cfg.user;
description = "smokeping daemon user";
home = smokepingHome;
createHome = true;
};
users.groups.${cfg.user} = {};
systemd.services.smokeping = {
wantedBy = [ "multi-user.target"];
serviceConfig = {


@ -401,9 +401,12 @@ in
config = mkIf cfg.enable {
users.users.sshd =
{ isSystemUser = true;
{
isSystemUser = true;
group = "sshd";
description = "SSH privilege separation user";
};
users.groups.sshd = {};
services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";
services.openssh.sftpServerExecutable = mkDefault "${cfgc.package}/libexec/sftp-server";


@ -32,7 +32,11 @@ with lib;
config = mkIf config.services.tinydns.enable {
environment.systemPackages = [ pkgs.djbdns ];
users.users.tinydns.isSystemUser = true;
users.users.tinydns = {
isSystemUser = true;
group = "tinydns";
};
users.groups.tinydns = {};
systemd.services.tinydns = {
description = "djbdns tinydns server";


@ -58,7 +58,9 @@ in
security.pam.services.atd = {};
users.users.atd =
{ uid = config.ids.uids.atd;
{
uid = config.ids.uids.atd;
group = "atd";
description = "atd user";
home = "/var/empty";
};


@ -201,6 +201,13 @@ in
if [ "$(id -u)" = 0 ]; then chown -R elasticsearch:elasticsearch ${cfg.dataDir}; fi
'';
postStart = ''
# Make sure elasticsearch is up and running before dependents
# are started
while ! ${pkgs.curl}/bin/curl -sS -f http://localhost:${toString cfg.port} 2>/dev/null; do
sleep 1
done
'';
};
environment.systemPackages = [ cfg.package ];
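Review bot: The readiness loop in the added `postStart` probes a fixed `http://localhost:${toString cfg.port}` with `curl -f`, so an instance that listens on another address, or that requires TLS or authentication, never returns success and the unit stays in "activating" until the start timeout. That makes enabling transport security or authentication look like a broken service. Only stderr is discarded, so each successful probe also prints the response body. Consider bounding each probe with `--max-time`, adding `-o /dev/null`, and putting a comment above the loop saying it assumes unauthenticated plain HTTP on loopback. The enclosing service definition starts outside the hunk.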


@ -199,10 +199,12 @@ in {
environment.systemPackages = [ cfg.package ];
users.users.kibana = {
uid = config.ids.uids.kibana;
isSystemUser = true;
description = "Kibana service user";
home = cfg.dataDir;
createHome = true;
group = "kibana";
};
users.groups.kibana = {};
};
}


@ -82,8 +82,10 @@ in {
users.users.hockeypuck = {
isSystemUser = true;
group = "hockeypuck";
description = "Hockeypuck user";
};
users.groups.hockeypuck = {};
systemd.services.hockeypuck = {
description = "Hockeypuck OpenPGP Key Server";


@ -172,8 +172,10 @@ in {
users.users.magnetico = {
description = "Magnetico daemons user";
group = "magnetico";
isSystemUser = true;
};
users.groups.magnetico = {};
systemd.services.magneticod = {
description = "Magnetico DHT crawler";


@ -60,6 +60,10 @@ in {
};
};
users.users.peerflix.uid = config.ids.uids.peerflix;
users.users.peerflix = {
isSystemUser = true;
group = "peerflix";
};
users.groups.peerflix = {};
};
}


@ -114,6 +114,7 @@ in
users.users = optionalAttrs (cfg.user == defaultUser) {
${defaultUser} = {
isSystemUser = true;
group = defaultUser;
};
};


@ -61,8 +61,8 @@ let
substituteInPlace $out/dry-activate --subst-var out
chmod u+x $out/activate $out/dry-activate
unset activationScript dryActivationScript
${pkgs.runtimeShell} -n $out/activate
${pkgs.runtimeShell} -n $out/dry-activate
${pkgs.stdenv.shell} -n $out/activate
${pkgs.stdenv.shell} -n $out/dry-activate
cp ${config.system.build.bootStage2} $out/init
substituteInPlace $out/init --subst-var-by systemConfig $out
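Review bot: The `-n` syntax check of `activate` and `dry-activate` now runs under `${pkgs.stdenv.shell}`, and nothing in the hunk says why `pkgs.runtimeShell` was dropped. If the reason is that the runtime shell may not be executable on the build machine, which is an inference, a comment such as `# syntax-check with the build shell; runtimeShell may not be runnable at build time` would keep someone from reverting it. The comment should also note that the check now validates against a shell that can differ from the one that later executes the scripts. The surrounding builder script starts outside the hunk.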


@ -1056,10 +1056,19 @@ in
services.dbus.enable = true;
users.users.systemd-coredump.uid = config.ids.uids.systemd-coredump;
users.users.systemd-network.uid = config.ids.uids.systemd-network;
users.users.systemd-coredump = {
uid = config.ids.uids.systemd-coredump;
group = "systemd-coredump";
};
users.users.systemd-network = {
uid = config.ids.uids.systemd-network;
group = "systemd-network";
};
users.groups.systemd-network.gid = config.ids.gids.systemd-network;
users.users.systemd-resolve.uid = config.ids.uids.systemd-resolve;
users.users.systemd-resolve = {
uid = config.ids.uids.systemd-resolve;
group = "systemd-resolve";
};
users.groups.systemd-resolve.gid = config.ids.gids.systemd-resolve;
# Target for charon send-keys to hook into.


@ -158,7 +158,7 @@ in {
};
};
users.groups.lxd.gid = config.ids.gids.lxd;
users.groups.lxd = {};
users.users.root = {
subUidRanges = [ { startUid = 1000000; count = 65536; } ];


@ -336,6 +336,7 @@ in
pam-u2f = handleTest ./pam-u2f.nix {};
pantheon = handleTest ./pantheon.nix {};
paperless-ng = handleTest ./paperless-ng.nix {};
parsedmarc = handleTest ./parsedmarc {};
pdns-recursor = handleTest ./pdns-recursor.nix {};
peerflix = handleTest ./peerflix.nix {};
pgjwt = handleTest ./pgjwt.nix {};


@ -0,0 +1,224 @@
# This tests parsedmarc by sending a report to its monitored email
# address and reading the results out of Elasticsearch.
{ pkgs, ... }@args:
let
inherit (import ../../lib/testing-python.nix args) makeTest;
dmarcTestReport = builtins.fetchurl {
name = "dmarc-test-report";
url = "https://github.com/domainaware/parsedmarc/raw/f45ab94e0608088e0433557608d9f4e9517d3afe/samples/aggregate/estadocuenta1.infonacot.gob.mx!example.com!1536853302!1536939702!2940.xml.zip";
sha256 = "0dq64cj49711kbja27pjl2hy0d3azrjxg91kqrh40x46fkn1dwkx";
};
sendEmail = address:
pkgs.writeScriptBin "send-email" ''
#!${pkgs.python3.interpreter}
import smtplib
from email import encoders
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
sender_email = "dmarc_tester@fake.domain"
receiver_email = "${address}"
message = MIMEMultipart()
message["From"] = sender_email
message["To"] = receiver_email
message["Subject"] = "DMARC test"
message.attach(MIMEText("Testing parsedmarc", "plain"))
attachment = MIMEBase("application", "zip")
with open("${dmarcTestReport}", "rb") as report:
attachment.set_payload(report.read())
encoders.encode_base64(attachment)
attachment.add_header(
"Content-Disposition",
"attachment; filename= estadocuenta1.infonacot.gob.mx!example.com!1536853302!1536939702!2940.xml.zip",
)
message.attach(attachment)
text = message.as_string()
with smtplib.SMTP('localhost') as server:
server.sendmail(sender_email, receiver_email, text)
server.quit()
'';
in
{
localMail = makeTest
{
name = "parsedmarc-local-mail";
meta = with pkgs.lib.maintainers; {
maintainers = [ talyz ];
};
nodes.parsedmarc =
{ nodes, ... }:
{
virtualisation.memorySize = 2048;
services.postfix = {
enableSubmission = true;
enableSubmissions = true;
submissionsOptions = {
smtpd_sasl_auth_enable = "yes";
smtpd_client_restrictions = "permit";
};
};
services.parsedmarc = {
enable = true;
provision = {
geoIp = false;
localMail = {
enable = true;
hostname = "localhost";
};
};
};
services.elasticsearch.package = pkgs.elasticsearch7-oss;
environment.systemPackages = [
(sendEmail "dmarc@localhost")
pkgs.jq
];
};
testScript = { nodes }:
let
esPort = toString nodes.parsedmarc.config.services.elasticsearch.port;
in ''
parsedmarc.start()
parsedmarc.wait_for_unit("postfix.service")
parsedmarc.wait_for_unit("dovecot2.service")
parsedmarc.wait_for_unit("parsedmarc.service")
parsedmarc.wait_until_succeeds(
"curl -sS -f http://localhost:${esPort}"
)
parsedmarc.fail(
"curl -sS -f http://localhost:${esPort}/_search?q=report_id:2940 | jq -e 'if .hits.total.value > 0 then true else null end'"
)
parsedmarc.succeed("send-email")
parsedmarc.wait_until_succeeds(
"curl -sS -f http://localhost:${esPort}/_search?q=report_id:2940 | jq -e 'if .hits.total.value > 0 then true else null end'"
)
'';
};
externalMail =
let
certs = import ../common/acme/server/snakeoil-certs.nix;
mailDomain = certs.domain;
parsedmarcDomain = "parsedmarc.fake.domain";
in
makeTest {
name = "parsedmarc-external-mail";
meta = with pkgs.lib.maintainers; {
maintainers = [ talyz ];
};
nodes = {
parsedmarc =
{ nodes, ... }:
{
virtualisation.memorySize = 2048;
security.pki.certificateFiles = [
certs.ca.cert
];
networking.extraHosts = ''
127.0.0.1 ${parsedmarcDomain}
${nodes.mail.config.networking.primaryIPAddress} ${mailDomain}
'';
services.parsedmarc = {
enable = true;
provision.geoIp = false;
settings.imap = {
host = mailDomain;
port = 993;
ssl = true;
user = "alice";
password = "${pkgs.writeText "imap-password" "foobar"}";
watch = true;
};
};
services.elasticsearch.package = pkgs.elasticsearch7-oss;
environment.systemPackages = [
pkgs.jq
];
};
mail =
{ nodes, ... }:
{
imports = [ ../common/user-account.nix ];
networking.extraHosts = ''
127.0.0.1 ${mailDomain}
${nodes.parsedmarc.config.networking.primaryIPAddress} ${parsedmarcDomain}
'';
services.dovecot2 = {
enable = true;
protocols = [ "imap" ];
sslCACert = "${certs.ca.cert}";
sslServerCert = "${certs.${mailDomain}.cert}";
sslServerKey = "${certs.${mailDomain}.key}";
};
services.postfix = {
enable = true;
origin = mailDomain;
config = {
myhostname = mailDomain;
mydestination = mailDomain;
};
enableSubmission = true;
enableSubmissions = true;
submissionsOptions = {
smtpd_sasl_auth_enable = "yes";
smtpd_client_restrictions = "permit";
};
};
environment.systemPackages = [ (sendEmail "alice@${mailDomain}") ];
networking.firewall.allowedTCPPorts = [ 993 ];
};
};
testScript = { nodes }:
let
esPort = toString nodes.parsedmarc.config.services.elasticsearch.port;
in ''
mail.start()
mail.wait_for_unit("postfix.service")
mail.wait_for_unit("dovecot2.service")
parsedmarc.start()
parsedmarc.wait_for_unit("parsedmarc.service")
parsedmarc.wait_until_succeeds(
"curl -sS -f http://localhost:${esPort}"
)
parsedmarc.fail(
"curl -sS -f http://localhost:${esPort}/_search?q=report_id:2940 | jq -e 'if .hits.total.value > 0 then true else null end'"
)
mail.succeed("send-email")
parsedmarc.wait_until_succeeds(
"curl -sS -f http://localhost:${esPort}/_search?q=report_id:2940 | jq -e 'if .hits.total.value > 0 then true else null end'"
)
'';
};
}
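Review bot: In the externalMail node, `password = "${pkgs.writeText "imap-password" "foobar"}";` places the IMAP password in the Nix store, which every local user can read. That is harmless in a throwaway test VM, but tests are often copied as configuration examples, so a comment above the line such as `# Test only: the store is world-readable; real deployments should reference a secret file outside the store` would keep the pattern from spreading. Separately, `dmarcTestReport` uses `builtins.fetchurl`, which downloads during evaluation; the URL is pinned to a commit and a `sha256`, so integrity is covered, but a build-time fetcher would keep evaluation free of network access.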


@ -145,13 +145,22 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
# user that is permitted to access the unix socket
someuser = {
isSystemUser = true;
group = "someuser";
extraGroups = [
config.users.users.unbound.group
];
};
# user that is not permitted to access the unix socket
unauthorizeduser = { isSystemUser = true; };
unauthorizeduser = {
isSystemUser = true;
group = "unauthorizeduser";
};
};
users.groups = {
someuser = {};
unauthorizeduser = {};
};
# Used for testing configuration reloading


@ -6,7 +6,7 @@
stdenv.mkDerivation rec {
pname = "lightburn";
version = "1.0.00";
version = "1.0.01";
nativeBuildInputs = [
p7zip
@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
src = fetchurl {
url = "https://github.com/LightBurnSoftware/deployment/releases/download/${version}/LightBurn-Linux64-v${version}.7z";
sha256 = "sha256-jNqLykVQjer2lps1gnw4fd2FH+ZQrzqQILAsl4Z5Hqk=";
sha256 = "sha256-UnTZcZjR8edHGflThkiu6OeWJU9x/bH/Ml/CRwWYgFU=";
};
buildInputs = [


@ -5,13 +5,13 @@
mkDerivation rec {
pname = "yacreader";
version = "9.7.1";
version = "9.8.2";
src = fetchFromGitHub {
owner = "YACReader";
repo = pname;
rev = version;
sha256 = "17kzh69sxpyk4n7c2gkbsvr9y4j14azdy1qxzghsbwp7ij4iw9kv";
sha256 = "sha256-Xvf0xXtMs3x1fPgAvS4GJXrZgDZWhzIgrOF4yECr7/g=";
};
nativeBuildInputs = [ qmake pkg-config ];


@ -14,11 +14,11 @@ let
in
stdenv.mkDerivation rec {
pname = "mkgmap";
version = "4608";
version = "4806";
src = fetchurl {
url = "https://www.mkgmap.org.uk/download/mkgmap-r${version}-src.tar.gz";
sha256 = "uj/iZZHML4nqEKdFBQSDdegkalZFJdzEE4xQrOruEp0=";
sha256 = "kCjcjl0qXxtAS+WGpZB3o5Eq9Xg0vY0gcjFosYJbAsI=";
};
patches = [


@ -13,11 +13,11 @@ let
in
stdenv.mkDerivation rec {
pname = "splitter";
version = "598";
version = "642";
src = fetchurl {
url = "https://www.mkgmap.org.uk/download/splitter-r${version}-src.tar.gz";
sha256 = "gpbJpDBXA9tmSmx9oKLa7xWtIOHBTYd1iPPgNTC2C2M=";
sha256 = "zMuMutkk0RsbEH+5undcMmZRCGYJ7LRvdK1pxAgQRYk=";
};
patches = [


@ -10,13 +10,13 @@
buildGoModule rec {
pname = "nwg-drawer";
version = "0.1.7";
version = "0.1.8";
src = fetchFromGitHub {
owner = "nwg-piotr";
repo = pname;
rev = "v${version}";
sha256 = "sha256-WUYWS0pkYJwXadhlZDHIl9BuirLTu5TNITZ+cBMArVw=";
sha256 = "sha256-XEMD5Z0RejySamxmkGBDoAj0ARUyPm/31EPuf96Whlk=";
};
vendorSha256 = "sha256-HyrjquJ91ddkyS8JijHd9HjtfwSQykXCufa2wzl8RNk=";


@ -32,14 +32,14 @@ in
stdenv.mkDerivation rec {
pname = "yambar";
version = "1.6.2";
version = "1.7.0";
src = fetchFromGitea {
domain = "codeberg.org";
owner = "dnkl";
repo = "yambar";
rev = version;
sha256 = "sha256-GPKR2BYl3ebxxXbVfH/oZLs7639EYwWU4ZsilJn0Ss8=";
sha256 = "sha256-NzJrlPOkzstMbw37yBTah/uFYezlPB/1hrxCiXduSmc=";
};
nativeBuildInputs = [


@ -155,6 +155,23 @@ buildStdenv.mkDerivation ({
sha256 = "0qc62di5823r7ly2lxkclzj9rhg2z7ms81igz44nv0fzv3dszdab";
})
# These fix Firefox on sway and other non-Gnome wayland WMs. They should be
# removed whenever the following two patches make it onto a release:
# 1. https://hg.mozilla.org/mozilla-central/rev/51c13987d1b8
# 2. https://hg.mozilla.org/integration/autoland/rev/3b856ecc00e4
# This will probably happen in the next point release, but let's be careful
# and double check whether it's working on sway on the next v bump.
++ lib.optionals (lib.versionAtLeast version "92") [
(fetchpatch {
url = "https://hg.mozilla.org/integration/autoland/raw-rev/3b856ecc00e4";
sha256 = "sha256-d8IRJD6ELC3ZgEs1ES/gy2kTNu/ivoUkUNGMEUoq8r8=";
})
(fetchpatch {
url = "https://hg.mozilla.org/mozilla-central/raw-rev/51c13987d1b8";
sha256 = "sha256-C2jcoWLuxW0Ic+Mbh3UpEzxTKZInljqVdcuA9WjspoA=";
})
]
++ patches;


@ -2,7 +2,7 @@
"name": "element-desktop",
"productName": "Element",
"main": "lib/electron-main.js",
"version": "1.8.2",
"version": "1.8.4",
"description": "A feature-rich client for Matrix.org",
"author": "Element",
"repository": {


@ -7,6 +7,8 @@
, electron
, element-web
, callPackage
, fetchpatch
, Security
, AppKit
, CoreServices
@ -19,12 +21,12 @@
let
executableName = "element-desktop";
version = "1.8.2";
version = "1.8.4";
src = fetchFromGitHub {
owner = "vector-im";
repo = "element-desktop";
rev = "v${version}";
sha256 = "sha256-6DPMfx3LF45YWn2do02zDMLYZGBgBrOMJx3XBAO0ZyM=";
sha256 = "sha256-MmrO9Ref/qpW7ssjw8IAb7dYZHMRBfdfH2whsZJq/14=";
};
electron_exec = if stdenv.isDarwin then "${electron}/Applications/Electron.app/Contents/MacOS/Electron" else "${electron}/bin/electron";
in
@ -32,6 +34,13 @@ mkYarnPackage rec {
name = "element-desktop-${version}";
inherit version src;
patches = [
(fetchpatch {
url = "https://github.com/vector-im/element-desktop/commit/96e5389779f60c91b8fe80d7bd9af413d72ec61f.patch";
sha256 = "sha256-82I5BDNDWIfp+m2HpzTA5+39hMv2bTbmJlXfM4YUjDY=";
})
];
packageJSON = ./element-desktop-package.json;
yarnNix = ./element-desktop-yarndeps.nix;
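Review bot: The new `patches = [ (fetchpatch { … }) ]` entry pulls upstream commit `96e5389779f60c91b8fe80d7bd9af413d72ec61f` without a comment saying what it fixes or when it can be dropped. The `sha256` pins the content, so this is a maintainability point rather than an integrity one: on the next version bump nobody can tell whether the patch is still needed or already included. Add a line above the `fetchpatch` that states the purpose and the removal condition, for example `# <what the commit fixes>; remove when updating past the release that contains it`.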


@ -12,11 +12,11 @@ let
in stdenv.mkDerivation rec {
pname = "element-web";
version = "1.8.2";
version = "1.8.4";
src = fetchurl {
url = "https://github.com/vector-im/element-web/releases/download/v${version}/element-v${version}.tar.gz";
sha256 = "sha256-SgVxYPmdgFn6Nll1a6b1Sn2H5I0Vkjorn3gA9d5FamQ=";
sha256 = "sha256-V4ekSs6FmSCpUFlAipTyrde4z+ErQCb9zzktbX8YtC8=";
};
installPhase = ''


@ -147,6 +147,8 @@ let
dontPatchELF = true;
installPhase = ''
runHook preInstall
# The deb file contains a setuid binary, so 'dpkg -x' doesn't work here
dpkg --fsys-tarfile $src | tar --extract
rm -rf usr/share/lintian
@ -172,6 +174,8 @@ let
substituteInPlace $out/share/applications/slack.desktop \
--replace /usr/bin/ $out/bin/ \
--replace /usr/share/ $out/share/
runHook postInstall
'';
};
@ -185,9 +189,11 @@ let
sourceRoot = "Slack.app";
installPhase = ''
runHook preInstall
mkdir -p $out/Applications/Slack.app
cp -R . $out/Applications/Slack.app
/usr/bin/defaults write com.tinyspeck.slackmacgap SlackNoAutoUpdates -bool YES
runHook postInstall
'';
};
in


@ -3,11 +3,11 @@
stdenv.mkDerivation rec {
pname = "evolution-ews";
version = "3.40.3";
version = "3.40.4";
src = fetchurl {
url = "mirror://gnome/sources/${pname}/${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
sha256 = "ZAIE5rpPOyZT3VSPYOR143bP8Na7Kv0NQRhQ+p2oxJY=";
sha256 = "0eAjb8gWhiyjqaOT5ur9gPoQv6W2u37u28qAJVMuUBU=";
};
nativeBuildInputs = [ cmake gettext intltool pkg-config ];


@ -2,21 +2,21 @@
stdenv.mkDerivation rec {
pname = "sambamba";
version = "0.8.0";
version = "0.8.1";
src = fetchFromGitHub {
owner = "biod";
repo = "sambamba";
rev = "v${version}";
sha256 = "sha256:0kx5a0fmvv9ldz2hnh7qavgf7711kqc73zxf51k4cca4hr58zxr9";
sha256 = "0f4qngnys2zjb0ri54k6kxqnssg938mnnscs4z9713hjn41rk7yd";
fetchSubmodules = true;
};
patches = [
# Fixes hardcoded gcc, making clang build possible.
# make ldc 1.27.1 compatible
(fetchpatch {
url = "https://github.com/biod/sambamba/commit/c50a1c91e1ba062635467f197139bf6784e9be15.patch";
sha256 = "1y0vlybmb9wpg4z1nca7m96mk9hxmvd3yrg7w8rxscj45hcqvf8q";
url = "https://github.com/biod/sambamba/pull/480/commits/b5c80feb62683d24ec0529f685a1d7a36962a1d4.patch";
sha256 = "0yr9baxqbhyb4scwcwczk77z8gazhkl60jllhz9dnrb7p5qsvs7r";
})
];
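Review bot: The replacement patch is fetched from a pull-request commit URL (`…/sambamba/pull/480/commits/b5c80feb62683d24ec0529f685a1d7a36962a1d4.patch`). The `sha256` pins its content, so the concern is availability rather than integrity: a commit that exists only on a PR branch can disappear if the branch is rebased or deleted, and the fetch then fails for anyone without a cached copy. Extending the comment to `# make ldc 1.27.1 compatible; from upstream PR 480, remove once it is in a release` records where it came from and when to drop it.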


@ -5,13 +5,13 @@
mkDerivationWith python3Packages.buildPythonApplication rec {
pname = "openshot-qt";
version = "2.6.0";
version = "2.6.1";
src = fetchFromGitHub {
owner = "OpenShot";
repo = "openshot-qt";
rev = "v${version}";
sha256 = "0b11h335krvflpksdlhsrq3rqkb8asipnyaf62di2z32ci3irrpq";
sha256 = "0pa8iwl217503bjlqg2zlrw5lxyq5hvxrf5apxrh3843hj1w1myv";
};
nativeBuildInputs = [ doxygen wrapGAppsHook ];


@ -40,6 +40,7 @@ in {
renamed="$TMPDIR/${tmpFilename}"
mv "$downloadedFile" "$renamed"
unpackFile "$renamed"
chmod -R +w "$unpackDir"
''
+ (if stripRoot then ''
if [ $(ls "$unpackDir" | wc -l) != 1 ]; then


@ -35,11 +35,11 @@
stdenv.mkDerivation rec {
pname = "gnome-initial-setup";
version = "40.3";
version = "40.4";
src = fetchurl {
url = "mirror://gnome/sources/${pname}/${lib.versions.major version}/${pname}-${version}.tar.xz";
sha256 = "5QP9HUiFL112qr9iLR7ymWs4TYjaMf0WoQ1RPwmpDdc=";
sha256 = "QSplhO5upN+WN8QimT9Or4FYTSkZD16JOvmnhxy5Axs=";
};
patches = [


@ -1,26 +1,25 @@
{ stdenv, lib, fetchFromGitHub
, makeWrapper, unzip, which, writeTextFile
, curl, tzdata, gdb, darwin, git, callPackage
, curl, tzdata, gdb, Foundation, git, callPackage
, targetPackages, fetchpatch, bash
, dmdBootstrap ? callPackage ./bootstrap.nix { }
, HOST_DMD ? "${dmdBootstrap}/bin/dmd"
, version ? "2.095.1"
, dmdSha256 ? "sha256:0faca1y42a1h16aml4lb7z118mh9k9fjx3xlw3ki5f1h3ln91xhk"
, druntimeSha256 ? "sha256:0ad4pa5llr9m9wqbvfv4yrcra4zz9qxlh5kx43mrv48f9bcxm2ha"
, phobosSha256 ? "sha256:04w6jw4izix2vbw62j13wvz6q3pi7vivxnmxqj0g8904j5g0cxjl"
, HOST_DMD? "${callPackage ./bootstrap.nix { }}/bin/dmd"
, version? "2.097.2"
, dmdSha256? "16ldkk32y7ln82n7g2ym5d1xf3vly3i31hf8600cpvimf6yhr6kb"
, druntimeSha256? "1sayg6ia85jln8g28vb4m124c27lgbkd6xzg9gblss8ardb8dsp1"
, phobosSha256? "0czg13h65b6qwhk9ibya21z3iv3fpk3rsjr3zbcrpc2spqjknfw5"
}:
let
dmdConfFile = writeTextFile {
name = "dmd.conf";
text = (lib.generators.toINI {} {
Environment = {
DFLAGS = ''-I@out@/include/dmd -L-L@out@/lib -fPIC ${lib.optionalString (!targetPackages.stdenv.cc.isClang) "-L--export-dynamic"}'';
};
});
name = "dmd.conf";
text = (lib.generators.toINI {} {
Environment = {
DFLAGS = ''-I@out@/include/dmd -L-L@out@/lib -fPIC ${lib.optionalString (!targetPackages.stdenv.cc.isClang) "-L--export-dynamic"}'';
};
});
};
bits = builtins.toString stdenv.hostPlatform.parsed.cpu.bits;
in
stdenv.mkDerivation rec {
@ -30,27 +29,27 @@ stdenv.mkDerivation rec {
enableParallelBuilding = true;
srcs = [
(fetchFromGitHub {
owner = "dlang";
repo = "dmd";
rev = "v${version}";
sha256 = dmdSha256;
name = "dmd";
})
(fetchFromGitHub {
owner = "dlang";
repo = "druntime";
rev = "v${version}";
sha256 = druntimeSha256;
name = "druntime";
})
(fetchFromGitHub {
owner = "dlang";
repo = "phobos";
rev = "v${version}";
sha256 = phobosSha256;
name = "phobos";
})
(fetchFromGitHub {
owner = "dlang";
repo = "dmd";
rev = "v${version}";
sha256 = dmdSha256;
name = "dmd";
})
(fetchFromGitHub {
owner = "dlang";
repo = "druntime";
rev = "v${version}";
sha256 = druntimeSha256;
name = "druntime";
})
(fetchFromGitHub {
owner = "dlang";
repo = "phobos";
rev = "v${version}";
sha256 = phobosSha256;
name = "phobos";
})
];
sourceRoot = ".";
@ -58,61 +57,73 @@ stdenv.mkDerivation rec {
# https://issues.dlang.org/show_bug.cgi?id=19553
hardeningDisable = [ "fortify" ];
postUnpack = ''
patchShebangs .
# Not using patches option to make it easy to patch, for example, dmd and
# Phobos at same time if that's required
patchPhase =
lib.optionalString (builtins.compareVersions version "2.092.1" <= 0) ''
patch -p1 -F3 --directory=druntime -i ${(fetchpatch {
url = "https://github.com/dlang/druntime/commit/438990def7e377ca1f87b6d28246673bb38022ab.patch";
sha256 = "0nxzkrd1rzj44l83j7jj90yz2cv01na8vn9d116ijnm85jl007b4";
})}
'' + postPatch;
postPatch =
''
patchShebangs .
'' + lib.optionalString (version == "2.092.1") ''
rm dmd/test/dshell/test6952.d
'' + lib.optionalString (builtins.compareVersions "2.092.1" version < 0) ''
substituteInPlace dmd/test/dshell/test6952.d --replace "/usr/bin/env bash" "${bash}/bin/bash"
'' + ''
rm dmd/test/runnable/gdb1.d
rm dmd/test/runnable/gdb10311.d
rm dmd/test/runnable/gdb14225.d
rm dmd/test/runnable/gdb14276.d
rm dmd/test/runnable/gdb14313.d
rm dmd/test/runnable/gdb14330.d
rm dmd/test/runnable/gdb15729.sh
rm dmd/test/runnable/gdb4149.d
rm dmd/test/runnable/gdb4181.d
'' + lib.optionalString stdenv.isLinux ''
substituteInPlace phobos/std/socket.d --replace "assert(ih.addrList[0] == 0x7F_00_00_01);" ""
'' + lib.optionalString stdenv.isDarwin ''
substituteInPlace phobos/std/socket.d --replace "foreach (name; names)" "names = []; foreach (name; names)"
'';
postPatch = ''
substituteInPlace dmd/test/dshell/test6952.d --replace "/usr/bin/env bash" "${bash}/bin/bash"
nativeBuildInputs = [ makeWrapper unzip which git ];
rm dmd/test/runnable/gdb1.d
rm dmd/test/runnable/gdb10311.d
rm dmd/test/runnable/gdb14225.d
rm dmd/test/runnable/gdb14276.d
rm dmd/test/runnable/gdb14313.d
rm dmd/test/runnable/gdb14330.d
rm dmd/test/runnable/gdb15729.sh
rm dmd/test/runnable/gdb4149.d
rm dmd/test/runnable/gdb4181.d
''
+ lib.optionalString stdenv.hostPlatform.isLinux ''
substituteInPlace phobos/std/socket.d --replace "assert(ih.addrList[0] == 0x7F_00_00_01);" ""
''
+ lib.optionalString stdenv.hostPlatform.isDarwin ''
substituteInPlace phobos/std/socket.d --replace "foreach (name; names)" "names = []; foreach (name; names)"
'';
buildInputs = [ gdb curl tzdata ]
++ lib.optional stdenv.isDarwin [ Foundation gdb ];
nativeBuildInputs = [ makeWrapper unzip which gdb git ]
++ lib.optional stdenv.hostPlatform.isDarwin (with darwin.apple_sdk.frameworks; [
Foundation
]);
buildInputs = [ curl tzdata ];
bits = builtins.toString stdenv.hostPlatform.parsed.cpu.bits;
osname = if stdenv.hostPlatform.isDarwin then
osname = if stdenv.isDarwin then
"osx"
else
stdenv.hostPlatform.parsed.kernel.name;
top = "$(echo $NIX_BUILD_TOP)";
top = "$NIX_BUILD_TOP";
pathToDmd = "${top}/dmd/generated/${osname}/release/${bits}/dmd";
# Buid and install are based on http://wiki.dlang.org/Building_DMD
# Build and install are based on http://wiki.dlang.org/Building_DMD
buildPhase = ''
cd dmd
make -j$NIX_BUILD_CORES -f posix.mak INSTALL_DIR=$out BUILD=release ENABLE_RELEASE=1 PIC=1 HOST_DMD=${HOST_DMD}
cd ../druntime
make -j$NIX_BUILD_CORES -f posix.mak BUILD=release ENABLE_RELEASE=1 PIC=1 INSTALL_DIR=$out DMD=${pathToDmd}
cd ../phobos
echo ${tzdata}/share/zoneinfo/ > TZDatabaseDirFile
echo ${curl.out}/lib/libcurl${stdenv.hostPlatform.extensions.sharedLibrary} > LibcurlPathFile
make -j$NIX_BUILD_CORES -f posix.mak BUILD=release ENABLE_RELEASE=1 PIC=1 INSTALL_DIR=$out DMD=${pathToDmd} DFLAGS="-version=TZDatabaseDir -version=LibcurlPath -J$(pwd)"
cd ..
cd dmd
make -j$NIX_BUILD_CORES -f posix.mak INSTALL_DIR=$out BUILD=release ENABLE_RELEASE=1 PIC=1 HOST_DMD=${HOST_DMD}
cd ../druntime
make -j$NIX_BUILD_CORES -f posix.mak BUILD=release ENABLE_RELEASE=1 PIC=1 INSTALL_DIR=$out DMD=${pathToDmd}
cd ../phobos
echo ${tzdata}/share/zoneinfo/ > TZDatabaseDirFile
echo ${curl.out}/lib/libcurl${stdenv.hostPlatform.extensions.sharedLibrary} > LibcurlPathFile
make -j$NIX_BUILD_CORES -f posix.mak BUILD=release ENABLE_RELEASE=1 PIC=1 INSTALL_DIR=$out DMD=${pathToDmd} DFLAGS="-version=TZDatabaseDir -version=LibcurlPath -J$(pwd)"
cd ..
'';
doCheck = true;
# many tests are disbled because they are failing
# NOTE: Purity check is disabled for checkPhase because it doesn't fare well
# with the DMD linker. See https://github.com/NixOS/nixpkgs/issues/97420
checkPhase = ''
@ -132,43 +143,42 @@ stdenv.mkDerivation rec {
'';
installPhase = ''
cd dmd
mkdir $out
mkdir $out/bin
cp ${pathToDmd} $out/bin
cd dmd
mkdir $out
mkdir $out/bin
cp ${pathToDmd} $out/bin
mkdir -p $out/share/man/man1
mkdir -p $out/share/man/man5
cp -r docs/man/man1/* $out/share/man/man1/
cp -r docs/man/man5/* $out/share/man/man5/
mkdir -p $out/share/man/man1
mkdir -p $out/share/man/man5
cp -r docs/man/man1/* $out/share/man/man1/
cp -r docs/man/man5/* $out/share/man/man5/
cd ../druntime
mkdir $out/include
mkdir $out/include/dmd
cp -r import/* $out/include/dmd
cd ../druntime
mkdir $out/include
mkdir $out/include/dmd
cp -r import/* $out/include/dmd
cd ../phobos
mkdir $out/lib
cp generated/${osname}/release/${bits}/libphobos2.* $out/lib
cd ../phobos
mkdir $out/lib
cp generated/${osname}/release/${bits}/libphobos2.* $out/lib
cp -r std $out/include/dmd
cp -r etc $out/include/dmd
cp -r std $out/include/dmd
cp -r etc $out/include/dmd
wrapProgram $out/bin/dmd \
--prefix PATH ":" "${targetPackages.stdenv.cc}/bin" \
--set-default CC "${targetPackages.stdenv.cc}/bin/cc"
wrapProgram $out/bin/dmd \
--prefix PATH ":" "${targetPackages.stdenv.cc}/bin" \
--set-default CC "${targetPackages.stdenv.cc}/bin/cc"
substitute ${dmdConfFile} "$out/bin/dmd.conf" --subst-var out
substitute ${dmdConfFile} "$out/bin/dmd.conf" --subst-var out
'';
meta = with lib; {
description = "Official reference compiler for the D language";
homepage = "http://dlang.org/";
homepage = "https://dlang.org/";
# Everything is now Boost licensed, even the backend.
# https://github.com/dlang/dmd/pull/6680
license = licenses.boost;
maintainers = with maintainers; [ ThomasMader lionello ];
platforms = [ "x86_64-linux" "i686-linux" "x86_64-darwin" ];
# many tests are failing
};
}
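Review bot: On what appears to be the new side, `buildInputs = [ gdb curl tzdata ] ++ lib.optional stdenv.isDarwin [ Foundation gdb ];` passes a list to `lib.optional`, which wraps its argument and so appends a nested list, and it names `gdb` a second time. `++ lib.optionals stdenv.isDarwin [ Foundation ]` expresses the intent directly. The page has lost its +/- markers; this reading rests on the new argument list taking `Foundation` directly rather than `darwin`, which makes the `darwin.apple_sdk.frameworks` variant the removed one.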


@ -1,4 +1,4 @@
import ./generic.nix {
version = "1.25.1";
ldcSha256 = "sha256-DjcW/pknvpEmTR/eXEEHECb2xEJic16evaU4CJthLUA=";
version = "1.27.1";
ldcSha256 = "1775001ba6n8w46ln530kb5r66vs935ingnppgddq8wqnc0gbj4k";
}


@ -2,8 +2,8 @@
let
base = callPackage ./generic.nix (_args // {
version = "7.4.21";
sha256 = "0al2697d5hwq0f39rgncl1pwfxzzpc0afmr0fjvw5qjpww163v1n";
version = "7.4.23";
sha256 = "d1e094fe6e4f832e0a64be9c69464ba5d593fb216f914efa8bbb084e0a7a5727";
});
in


@ -2,8 +2,8 @@
let
base = callPackage ./generic.nix (_args // {
version = "8.0.8";
sha256 = "0vyi9hhy7yl4l589dniwb3gq29sp3giq7ni4nca3x54q3bbpgg8l";
version = "8.0.10";
sha256 = "sha256-yUVHJxQQkAhFsITsK8s0Zq82PuypLLJL1hHcvcJvFYc=";
});
in


@ -27,6 +27,11 @@ in stdenv.mkDerivation rec {
url = "https://github.com/gtkd-developers/GtkD/commit/a9db09117ab27127ca4c3b8d2f308fae483a9199.patch";
sha256 = "0ngyqifw1kandc1vk01kms3z65pcisfd75q7z09rml96glhfzjd6";
})
# Fix breakage with dmd ldc 1.26 and newer
(fetchpatch {
url = "https://github.com/gtkd-developers/GtkD/commit/323ff96c648882eaca2faee170bd9e90c6e1e9c3.patch";
sha256 = "1rhyi0isl6fl5i6fgsinvgq6v72xq7c6sajrxcsnmrzpvw91il3d";
})
];
prePatch = ''


@ -14,13 +14,13 @@
stdenv.mkDerivation rec {
pname = "pangomm";
version= "2.48.0";
version= "2.48.1";
outputs = [ "out" "dev" ];
src = fetchurl {
url = "mirror://gnome/sources/${pname}/${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
sha256 = "sha256-ng7UdMM/jCACyp4rYcoNHz2OQJ4J6Z9NjBnur8z1W3g=";
sha256 = "sha256-d2rVPnkeQxBrf0D/CDS+5uTrHGrXy20hVUb3o98O3E0=";
};
nativeBuildInputs = [


@ -2,10 +2,9 @@
, buildPythonPackage
, fetchPypi
, azure-common
, azure-mgmt-core
, azure-mgmt-nspkg
, msrestazure
, python
, isPy3k
}:
buildPythonPackage rec {
@ -21,8 +20,9 @@ buildPythonPackage rec {
propagatedBuildInputs = [
msrestazure
azure-common
azure-mgmt-core
azure-mgmt-nspkg
];
];
pythonNamespaces = [ "azure.mgmt" ];


@ -2,27 +2,28 @@
, buildPythonPackage
, fetchPypi
, python
, isPy3k
, msrest
, msrestazure
, azure-common
, azure-mgmt-core
, azure-mgmt-nspkg
}:
buildPythonPackage rec {
pname = "azure-mgmt-iothubprovisioningservices";
version = "0.2.0";
version = "1.0.0";
src = fetchPypi {
inherit pname version;
extension = "zip";
sha256 = "8c37acfd1c33aba845f2e0302ef7266cad31cba503cc990a48684659acb7b91d";
sha256 = "sha256-5YcbA0iLWubfxEHNvaQMs5wABjXuV8UTBTeSs8FYJqk=";
};
propagatedBuildInputs = [
msrest
msrestazure
azure-common
azure-mgmt-core
azure-mgmt-nspkg
];


@ -1,5 +1,6 @@
{ lib, buildPythonPackage, fetchPypi, isPy27
, azure-common
, azure-mgmt-core
, msrest
, msrestazure
}:
@ -15,7 +16,12 @@ buildPythonPackage rec {
extension = "zip";
};
propagatedBuildInputs = [ azure-common msrest msrestazure ];
propagatedBuildInputs = [
azure-common
azure-mgmt-core
msrest
msrestazure
];
# no tests included
doCheck = false;


@ -0,0 +1,33 @@
{ lib, buildPythonPackage, fetchPypi
, azure-common
, azure-core
, msrest
}:
buildPythonPackage rec {
pname = "azure-synapse-managedprivateendpoints";
version = "0.4.0";
src = fetchPypi {
inherit pname version;
extension = "zip";
sha256 = "900eaeaccffdcd01012b248a7d049008c92807b749edd1c9074ca9248554c17e";
};
propagatedBuildInputs = [
azure-common
azure-core
msrest
];
pythonNamespaces = [ "azure.synapse" ];
pythonImportsCheck = [ "azure.synapse.managedprivateendpoints" ];
meta = with lib; {
description = "Microsoft Azure Synapse Managed Private Endpoints Client Library for Python";
homepage = "https://github.com/Azure/azure-sdk-for-python";
license = licenses.mit;
maintainers = with maintainers; [ jonringer ];
};
}


@ -10,13 +10,13 @@
buildPythonPackage rec {
pname = "dpath";
version = "2.0.4";
version = "2.0.5";
disabled = isPy27; # uses python3 imports
src = fetchPypi {
inherit pname version;
sha256 = "0qjaa4sjw0m4b91mm18074wpkhir3xx7s87qwckmzpfb165gk837";
sha256 = "0kk7wl15r305496q13ka4r6n2r13j99rrrpy2b4575j704dk4x7g";
};
# use pytest as nosetests hangs


@ -2,11 +2,11 @@
buildPythonPackage rec {
pname = "google-cloud-audit-log";
version = "0.1.0";
version = "0.1.1";
src = fetchPypi {
inherit pname version;
sha256 = "5bf5a53c641b13828154ab21fb209669be69d71cd462f5d6456bf87722fc0eeb";
sha256 = "a87fdf3c393b830b35c8f7db09094790d0d7babb35068736bea64e1618d286fe";
};
propagatedBuildInputs = [ googleapis-common-protos protobuf ];


@ -0,0 +1,39 @@
{ buildPythonPackage
, fetchPypi
, pythonOlder
, lib
# pythonPackages
, dnspython
, html2text
, mail-parser
, IMAPClient
}:
buildPythonPackage rec {
pname = "mailsuite";
version = "1.6.1";
disabled = pythonOlder "3.6";
src = fetchPypi {
inherit pname version;
sha256 = "17bsnfjjzv8hx5h397p5pa92l6cqc53i0zjjz2p7bjj3xqzhs45a";
};
propagatedBuildInputs = [
dnspython
html2text
mail-parser
IMAPClient
];
pythonImportsCheck = [ "mailsuite" ];
meta = {
description = "A Python package to simplify receiving, parsing, and sending email";
homepage = "https://seanthegeek.github.io/mailsuite/";
maintainers = with lib.maintainers; [ talyz ];
license = lib.licenses.asl20;
};
}


@ -0,0 +1,74 @@
{ buildPythonPackage
, fetchPypi
, fetchurl
, pythonOlder
, lib
, nixosTests
# pythonPackages
, tqdm
, dnspython
, expiringdict
, urllib3
, requests
, publicsuffix2
, xmltodict
, geoip2
, IMAPClient
, dateparser
, elasticsearch-dsl
, kafka-python
, mailsuite
, lxml
, boto3
}:
let
dashboard = fetchurl {
url = "https://raw.githubusercontent.com/domainaware/parsedmarc/77331b55c54cb3269205295bd57d0ab680638964/grafana/Grafana-DMARC_Reports.json";
sha256 = "0wbihyqbb4ndjg79qs8088zgrcg88km8khjhv2474y7nzjzkf43i";
};
in
buildPythonPackage rec {
pname = "parsedmarc";
version = "7.0.1";
disabled = pythonOlder "3.7";
src = fetchPypi {
inherit pname version;
sha256 = "1mi4hx410y7ikpfy1582lm252si0c3yryj0idqgqbx417fm21jjc";
};
propagatedBuildInputs = [
tqdm
dnspython
expiringdict
urllib3
requests
publicsuffix2
xmltodict
geoip2
IMAPClient
dateparser
elasticsearch-dsl
kafka-python
mailsuite
lxml
boto3
];
pythonImportsCheck = [ "parsedmarc" ];
passthru = {
inherit dashboard;
tests = nixosTests.parsedmarc;
};
meta = {
description = "Python module and CLI utility for parsing DMARC reports";
homepage = "https://domainaware.github.io/parsedmarc/";
maintainers = with lib.maintainers; [ talyz ];
license = lib.licenses.asl20;
};
}
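Review bot: The `dashboard` fetchurl in the `let` block is pinned to upstream commit `77331b55c54cb3269205295bd57d0ab680638964`, while `src` follows PyPI `version = "7.0.1"`, and nothing in the file says how the two relate. A later version bump will leave the Grafana JSON at this commit unless the maintainer knows to revisit it. I would add a comment above `dashboard` such as `# Grafana dashboard fetched from the upstream repo; re-pin this commit when bumping version`. Pinning by commit plus `sha256` is the right shape for a file pulled from raw.githubusercontent.com, so only the documentation is missing.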


@ -6,11 +6,11 @@
buildPythonPackage rec {
pname = "phonenumbers";
version = "8.12.31";
version = "8.12.32";
src = fetchPypi {
inherit pname version;
sha256 = "sha256-CR7SsxWFZ/EsmfcZVwocys4AF585tE8ea4lfWdk9rcg=";
sha256 = "c52c9c3607483072303ba8d8759063edc44d2f8fe7b85afef40bd8d1aafb6483";
};
checkInputs = [


@ -786,7 +786,9 @@ let
});
RMySQL = old.RMySQL.overrideDerivation (attrs: {
MYSQL_DIR="${pkgs.libmysqlclient}";
MYSQL_DIR = "${pkgs.libmysqlclient}";
PKGCONFIG_CFLAGS = "-I${pkgs.libmysqlclient.dev}/include/mysql";
NIX_CFLAGS_LINK = "-L${pkgs.libmysqlclient}/lib/mysql -lmysqlclient";
preConfigure = ''
patchShebangs configure
'';
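Review bot: The two added attributes, `PKGCONFIG_CFLAGS` and `NIX_CFLAGS_LINK`, hard-code the `mysql` include and library subdirectories of `pkgs.libmysqlclient`, with no comment on why the package's configure step cannot find them itself. A one-line comment above them, for example `# configure does not find libmysqlclient's headers and libs under .../mysql on its own` (wording for the author to confirm), would tell the next maintainer when the overrides can be dropped. The `overrideDerivation` body continues past the end of the hunk.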


@ -6,11 +6,11 @@
}:
stdenv.mkDerivation rec {
pname = "squirrel-sql";
version = "4.1.0";
version = "4.2.0";
src = fetchurl {
url = "mirror://sourceforge/project/squirrel-sql/1-stable/${version}-plainzip/squirrelsql-${version}-standard.zip";
sha256 = "0ni7cva0acrin5bkcfkiiv28sf58dzz7xsbl3y4536hmph0g68k6";
sha256 = "sha256-pNcmIey50nWZghoXVGnm0EFzGoqBpAaJ2lhYvVzjWto=";
};
nativeBuildInputs = [ makeWrapper unzip ];


@ -3,13 +3,13 @@
stdenv.mkDerivation rec {
pname = "kafkacat";
version = "1.7.0";
version = "1.6.0";
src = fetchFromGitHub {
owner = "edenhill";
repo = "kafkacat";
rev = version;
sha256 = "sha256-koDhj/RQc9fhfqjrJylhURw6tppPELhLlBGbNVJsii8=";
sha256 = "0z3bw00s269myfd1xqksjyznmgp74xfs09xqlq347adsgby3cmfs";
};
nativeBuildInputs = [ pkg-config ];
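Review bot: Assuming this page prints the old line before the new one, as its other sections appear to do, `version` moves from `1.7.0` back to `1.6.0` here, and the hunk gives no reason for the downgrade. A held-back version is easy to undo by accident at the next automated bump, and it may drop fixes shipped in the newer release. I would add a comment above `version` such as `# held at 1.6.0: <reason or issue link>`. The derivation continues outside the hunk.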


@ -3,6 +3,7 @@
, flex
, php
, lib, stdenv
, installShellFiles
}:
# Make a custom wrapper. If `wrapProgram` is used, arcanist thinks .arc-wrapped is being
@ -29,7 +30,10 @@ stdenv.mkDerivation {
rev = "2565cc7b4d1dbce6bc7a5b3c4e72ae94be4712fe";
sha256 = "0jiv4aj4m5750dqw9r8hizjkwiyxk4cg4grkr63sllsa2dpiibxw";
};
buildInputs = [ bison flex php ];
buildInputs = [ php ];
nativeBuildInputs = [ bison flex installShellFiles ];
postPatch = lib.optionalString stdenv.isAarch64 ''
substituteInPlace support/xhpast/Makefile \
@ -37,18 +41,26 @@ stdenv.mkDerivation {
'';
buildPhase = ''
make cleanall -C support/xhpast
make xhpast -C support/xhpast
runHook preBuild
make cleanall -C support/xhpast $makeFlags "''${makeFlagsArray[@]}" -j $NIX_BUILD_CORES
make xhpast -C support/xhpast $makeFlags "''${makeFlagsArray[@]}" -j $NIX_BUILD_CORES
runHook postBuild
'';
installPhase = ''
runHook preInstall
mkdir -p $out/bin $out/libexec
make install -C support/xhpast
make cleanall -C support/xhpast
make install -C support/xhpast $makeFlags "''${makeFlagsArray[@]}" -j $NIX_BUILD_CORES
make cleanall -C support/xhpast $makeFlags "''${makeFlagsArray[@]}" -j $NIX_BUILD_CORES
cp -R . $out/libexec/arcanist
${makeArcWrapper "arc"}
${makeArcWrapper "phage"}
$out/bin/arc shell-complete --generate --
installShellCompletion --cmd arc --bash $out/libexec/arcanist/support/shell/rules/bash-rules.sh
installShellCompletion --cmd phage --bash $out/libexec/arcanist/support/shell/rules/bash-rules.sh
runHook postInstall
'';
doInstallCheck = true;
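Review bot: In the new `installPhase`, `$out/bin/arc shell-complete --generate --` executes the freshly installed wrapper during the build, which can only work when the build machine is able to run the host platform's `php`. The two `installShellCompletion` lines that follow read `support/shell/rules/bash-rules.sh`, which is presumably the file that command writes, so they fail with it. Consider wrapping those three lines in `lib.optionalString (stdenv.hostPlatform == stdenv.buildPlatform)`. A short comment such as `# generates support/shell/rules/bash-rules.sh, installed below` would also help. The `mkDerivation` body starts and ends outside the hunks shown.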


@ -2,16 +2,16 @@
buildGoModule rec {
pname = "pscale";
version = "0.65.0";
version = "0.68.0";
src = fetchFromGitHub {
owner = "planetscale";
repo = "cli";
rev = "v${version}";
sha256 = "sha256-RIyxO2nTysJLdYQvlmhZpS8R2kkwN+XeTlk4Ocbk9C8=";
sha256 = "sha256-SAKbz33Fpi3sQcqwD2UK5wloJqNs2HohsiGMl1gkfA0=";
};
vendorSha256 = "sha256-8zgWM5e+aKggGbLoL/Fmy7AuALVlLa74eHBxNGjTSy4=";
vendorSha256 = "sha256-dEkCJe6qiyB/pNh78o2/TTRmWQDsUV2TsXiuchC1JLA=";
meta = with lib; {
homepage = "https://www.planetscale.com/";


@ -2,11 +2,11 @@
stdenv.mkDerivation rec {
pname = "xsnow";
version = "3.3.0";
version = "3.3.1";
src = fetchurl {
url = "https://ratrabbit.nl/downloads/xsnow/xsnow-${version}.tar.gz";
sha256 = "1xnpqbamhglv7xsxzlrlpvsz6bbzlrvdpn5x2n9baww9kcrkbwjg";
sha256 = "sha256-3piLgcZXQicHisAqr5XxbFqAMHyK7HzU5Re0mvfOBhE=";
};
nativeBuildInputs = [ pkg-config ];


@ -2,40 +2,41 @@
, fetchFromGitHub
, mkDerivation
, cmake
, pkg-config
, SDL2
, qtbase
, epoxy
, libarchive
, libpcap
, libslirp
, wrapGAppsHook
, pkg-config
, qtbase
, SDL2
}:
mkDerivation rec {
pname = "melonDS";
version = "0.9.1";
version = "0.9.3";
src = fetchFromGitHub {
owner = "Arisotura";
repo = pname;
rev = version;
sha256 = "sha256-bvi0Y+zwfEcsZMNxoH85hxwIGn0UIYlg/ZaE6yJ7vlo=";
sha256 = "1v8a060gbpx7rdkk2w4hym361l2wip7yjjn8wny1gfsa273k3zy5";
};
nativeBuildInputs = [ cmake pkg-config wrapGAppsHook ];
nativeBuildInputs = [ cmake pkg-config ];
buildInputs = [
SDL2
qtbase
epoxy
libarchive
libpcap
libslirp
qtbase
SDL2
];
cmakeFlags = [ "-UUNIX_PORTABLE" ];
meta = with lib; {
homepage = "http://melonds.kuribo64.net/";
description = "Work in progress Nintendo DS emulator";
license = licenses.gpl3Plus;
maintainers = with maintainers; [ artemist benley shamilton ];
maintainers = with maintainers; [ artemist benley shamilton xfix ];
platforms = platforms.linux;
};
}


@ -19,13 +19,13 @@
mkDerivation rec {
pname = "punes";
version = "unstable-2021-07-19";
version = "unstable-2021-09-11";
src = fetchFromGitHub {
owner = "punesemu";
repo = "puNES";
rev = "15ab85dabb220889419df0c249c06f3db2b09dc0";
sha256 = "1w0c5lfdl9ha4sxxva6hcpcaa444px6x25471q37l69n71rmjpy8";
rev = "60ca36fcb066c41d0b3f2b550ca94dc7d12d84d6";
sha256 = "JOi6AE1bpAc/wj9fQqHrUNc6vceeUyP0phT2f9kcJTY=";
};
postPatch = ''


@ -2,10 +2,10 @@
stdenv.mkDerivation rec {
pname = "smemstat";
version = "0.02.08";
version = "0.02.10";
src = fetchurl {
url = "https://kernel.ubuntu.com/~cking/tarballs/smemstat/smemstat-${version}.tar.xz";
sha256 = "1agigvkv1868cskivzrwyiixl658x5bv7xpz4xjc8mlii4maivpp";
sha256 = "sha256-Vrs1jOg5yHdEffVo769aaxSawo4iZtGrFJ65Nu+RhcU=";
};
buildInputs = [ ncurses ];
installFlags = [ "DESTDIR=$(out)" ];


@ -1,6 +1,6 @@
{ callPackage, ... }@args:
callPackage ./generic.nix args {
version = "1.21.1";
sha256 = "0q2m2pd9x287py54kp49ys5pwnn0j17x7jjl0cx1c5916h8h7fk8";
version = "1.21.3";
sha256 = "0nhps7igdqcpcy1r8677ar807rfclpylmz3y858a678m1np4lxql";
}


@ -142,13 +142,13 @@ in
stdenv.mkDerivation rec {
pname = "inspircd";
version = "3.10.0";
version = "3.11.0";
src = fetchFromGitHub {
owner = pname;
repo = pname;
rev = "v${version}";
sha256 = "1817gmxk4v7k5398d2fb6qkwadg0fd980gqmr80wdnppx450ikn7";
sha256 = "083fp69fi4nhrw9v1dan5m3mgb19a2gpqnap356xs9nnqy01sgv7";
};
outputs = [ "bin" "lib" "man" "doc" "out" ];
