Merge staging-next into staging

NixOS · Oct 8, 2024 · 5a96e99 · 5a96e99
2 parents 7ba9e42 + 0846895
commit 5a96e99
Show file tree

Hide file tree

Showing 123 changed files with 1,532 additions and 5,498 deletions.
diff --git a/.github/workflows/basic-eval.yml b/.github/workflows/basic-eval.yml
@@ -20,7 +20,7 @@ jobs:
     # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
     steps:
     - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-    - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
     - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
       with:
         # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.

diff --git a/.github/workflows/check-maintainers-sorted.yaml b/.github/workflows/check-maintainers-sorted.yaml
@@ -21,7 +21,7 @@ jobs:
           sparse-checkout: |
             lib
             maintainers
-      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true

diff --git a/.github/workflows/check-nix-format.yml b/.github/workflows/check-nix-format.yml
@@ -38,7 +38,7 @@ jobs:
           # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
           rev=$(jq -r .rev ci/pinned-nixpkgs.json)
           echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
-      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true

diff --git a/.github/workflows/check-nixf-tidy.yml b/.github/workflows/check-nixf-tidy.yml
@@ -32,7 +32,7 @@ jobs:
           # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
           rev=$(jq -r .rev ci/pinned-nixpkgs.json)
           echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
-      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true

diff --git a/.github/workflows/check-shell.yml b/.github/workflows/check-shell.yml
@@ -14,7 +14,7 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
       - name: Build shell
         run: nix-build shell.nix
 
@@ -26,6 +26,6 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
       - name: Build shell
         run: nix-build shell.nix
diff --git a/.github/workflows/editorconfig.yml b/.github/workflows/editorconfig.yml
@@ -29,7 +29,7 @@ jobs:
       with:
         # pull_request_target checks out the base branch by default
         ref: refs/pull/${{ github.event.pull_request.number }}/merge
-    - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
       with:
         # nixpkgs commit is pinned so that it doesn't break
         # editorconfig-checker 2.4.0

diff --git a/.github/workflows/manual-nixos.yml b/.github/workflows/manual-nixos.yml
@@ -19,7 +19,7 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true

diff --git a/.github/workflows/manual-nixpkgs.yml b/.github/workflows/manual-nixpkgs.yml
@@ -21,7 +21,7 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true

diff --git a/.github/workflows/nix-parse.yml b/.github/workflows/nix-parse.yml
@@ -30,7 +30,7 @@ jobs:
         # pull_request_target checks out the base branch by default
         ref: refs/pull/${{ github.event.pull_request.number }}/merge
       if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}
-    - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
+    - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
       with:
         nix_path: nixpkgs=channel:nixpkgs-unstable
     - name: Parse all changed or added nix files

diff --git a/.github/workflows/nixpkgs-vet.yml b/.github/workflows/nixpkgs-vet.yml
@@ -85,7 +85,7 @@ jobs:
           base=$(mktemp -d)
           git worktree add "$base" "$(git rev-parse HEAD^1)"
           echo "base=$base" >> "$GITHUB_ENV"
-      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         if: env.mergedSha
       - name: Fetching the pinned tool
         if: env.mergedSha

diff --git a/.github/workflows/update-terraform-providers.yml b/.github/workflows/update-terraform-providers.yml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-      - uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
+      - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
         with:
           nix_path: nixpkgs=channel:nixpkgs-unstable
       - name: setup

diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
@@ -9477,6 +9477,13 @@
     githubId = 7558482;
     name = "Jack Gerrits";
   };
+  jacobkoziej = {
+    name = "Jacob Koziej";
+    email = "[email protected]";
+    github = "jacobkoziej";
+    githubId = 45084216;
+    keys = [ { fingerprint = "1BF9 8D10 E0D0 0B41 5723  5836 4C13 3A84 E646 9228"; } ];
+  };
   jaduff = {
     email = "[email protected]";
     github = "jaduff";

diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -497,6 +497,9 @@
 - The `services.mxisd` module has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are not maintained any longer.
   Consequently the package `pkgs.ma1sd` has also been removed.
 
+- The `rss-bridge` service drops the support to load a configuration file from `${config.services.rss-bridge.dataDir}/config.ini.php`.
+  Consider using the `services.rss-bridge.config` option instead.
+
 - The `xdg.portal.gtkUsePortal` option has been removed, as it had been deprecated for over 2 years. Using the `GTK_USE_PORTAL` environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via `environment.sessionVariables`.
 
 - The `services.trust-dns` module has been renamed to `services.hickory-dns`.

diff --git a/nixos/modules/services/web-apps/rss-bridge.nix b/nixos/modules/services/web-apps/rss-bridge.nix
@@ -5,7 +5,6 @@ let
 
   poolName = "rss-bridge";
 
-  configAttr = lib.recursiveUpdate { FileCache.path = "${cfg.dataDir}/cache/"; } cfg.config;
   cfgHalf = lib.mapAttrsRecursive (path: value: let
     envName = lib.toUpper ("RSSBRIDGE_" + lib.concatStringsSep "_" path);
     envValue = if lib.isList value then
@@ -14,7 +13,7 @@ let
       lib.boolToString value
     else
       toString value;
-  in "fastcgi_param \"${envName}\" \"${envValue}\";") configAttr;
+  in if (value != null) then "fastcgi_param \"${envName}\" \"${envValue}\";" else null) cfg.config;
   cfgEnv = lib.concatStringsSep "\n" (lib.collect lib.isString cfgHalf);
 in
 {
@@ -70,9 +69,26 @@ in
       };
 
       config = mkOption {
-        type = with types; attrsOf (attrsOf (oneOf [ bool int str (listOf str) ]));
-        default = {};
-        defaultText = options.literalExpression "FileCache.path = \"\${config.services.rss-bridge.dataDir}/cache/\"";
+        type = types.submodule {
+          freeformType = (pkgs.formats.ini {}).type;
+          options = {
+            system = {
+              enabled_bridges = mkOption {
+                type = with types; nullOr (either str (listOf str));
+                description = "Only enabled bridges are available for feed production";
+                default = null;
+              };
+            };
+            FileCache = {
+              path = mkOption {
+                type = types.str;
+                description = "Directory where to store cache files (if cache.type = \"file\").";
+                default = "${cfg.dataDir}/cache/";
+                defaultText = options.literalExpression "\${config.services.rss-bridge.dataDir}/cache/";
+              };
+            };
+          };
+        };
         example = options.literalExpression ''
           {
             system.enabled_bridges = [ "*" ];
@@ -112,15 +128,13 @@ in
         };
       };
     };
-    systemd.tmpfiles.settings.rss-bridge = let
-      perm = {
-        mode = "0750";
-        user = cfg.user;
-        group = cfg.group;
-      };
-    in {
-      "${configAttr.FileCache.path}".d = perm;
-      "${cfg.dataDir}/config.ini.php".z = perm;
+
+    systemd.tmpfiles.settings.rss-bridge = {
+      "${cfg.config.FileCache.path}".d = {
+          mode = "0750";
+          user = cfg.user;
+          group = cfg.group;
+        };
     };
 
     services.nginx = mkIf (cfg.virtualHost != null) {
@@ -139,7 +153,6 @@ in
               fastcgi_split_path_info ^(.+\.php)(/.+)$;
               fastcgi_pass unix:${config.services.phpfpm.pools.${cfg.pool}.socket};
               fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-              fastcgi_param RSSBRIDGE_DATA ${cfg.dataDir};
               ${cfgEnv}
             '';
           };

diff --git a/nixos/modules/virtualisation/ec2-data.nix b/nixos/modules/virtualisation/ec2-data.nix
@@ -33,7 +33,8 @@ with lib;
 
             if ! [ -e /root/.ssh/authorized_keys ]; then
                 echo "obtaining SSH key..."
-                mkdir -m 0700 -p /root/.ssh
+                mkdir -p /root/.ssh
+                chown 0700 /root/.ssh
                 if [ -s /etc/ec2-metadata/public-keys-0-openssh-key ]; then
                     (umask 177; cat /etc/ec2-metadata/public-keys-0-openssh-key >> /root/.ssh/authorized_keys)
                     echo "new key added to authorized_keys"
@@ -45,19 +46,20 @@ with lib;
             # generate one normally.
             userData=/etc/ec2-metadata/user-data
 
-            mkdir -m 0755 -p /etc/ssh
+            mkdir -p /etc/ssh
+            chown 0755 /etc/ssh
 
             if [ -s "$userData" ]; then
               key="$(sed 's/|/\n/g; s/SSH_HOST_DSA_KEY://; t; d' $userData)"
               key_pub="$(sed 's/SSH_HOST_DSA_KEY_PUB://; t; d' $userData)"
-              if [ -n "$key" -a -n "$key_pub" -a ! -e /etc/ssh/ssh_host_dsa_key ]; then
+              if [ -n "$key" ] && [ -n "$key_pub" ] && [ ! -e /etc/ssh/ssh_host_dsa_key ]; then
                   (umask 077; echo "$key" > /etc/ssh/ssh_host_dsa_key)
                   echo "$key_pub" > /etc/ssh/ssh_host_dsa_key.pub
               fi
 
               key="$(sed 's/|/\n/g; s/SSH_HOST_ED25519_KEY://; t; d' $userData)"
               key_pub="$(sed 's/SSH_HOST_ED25519_KEY_PUB://; t; d' $userData)"
-              if [ -n "$key" -a -n "$key_pub" -a ! -e /etc/ssh/ssh_host_ed25519_key ]; then
+              if [ -n "$key" ] && [ -n "$key_pub" ] && [ ! -e /etc/ssh/ssh_host_ed25519_key ]; then
                   (umask 077; echo "$key" > /etc/ssh/ssh_host_ed25519_key)
                   echo "$key_pub" > /etc/ssh/ssh_host_ed25519_key.pub
               fi
@@ -79,7 +81,7 @@ with lib;
             # ec2-get-console-output.
             echo "-----BEGIN SSH HOST KEY FINGERPRINTS-----" > /dev/console
             for i in /etc/ssh/ssh_host_*_key.pub; do
-                ${config.programs.ssh.package}/bin/ssh-keygen -l -f $i || true > /dev/console
+                ${config.programs.ssh.package}/bin/ssh-keygen -l -f "$i" || true > /dev/console
             done
             echo "-----END SSH HOST KEY FINGERPRINTS-----" > /dev/console
           '';

diff --git a/nixos/modules/virtualisation/ec2-metadata-fetcher.sh b/nixos/modules/virtualisation/ec2-metadata-fetcher.sh
@@ -1,5 +1,6 @@
 metaDir=/etc/ec2-metadata
-mkdir -m 0755 -p "$metaDir"
+mkdir -p "$metaDir"
+chown 0755 "$metaDir"
 rm -f "$metaDir/*"
 
 get_imds_token() {
@@ -40,7 +41,7 @@ while [ $try -le 3 ]; do
   sleep 1
 done
 
-if [ "x$IMDS_TOKEN" == "x" ]; then
+if [ "$IMDS_TOKEN" == "" ]; then
   echo "failed to fetch an IMDS2v token."
 fi
 

diff --git a/pkgs/applications/audio/reaper/default.nix b/pkgs/applications/audio/reaper/default.nix
@@ -28,13 +28,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "reaper";
-  version = "7.22";
+  version = "7.24";
 
   src = fetchurl {
     url = url_for_platform version stdenv.hostPlatform.qemuArch;
-    hash = if stdenv.hostPlatform.isDarwin then "sha256-dIRZCUIfqnGTxBaLzczwzD6hA/PyAxPqfa+FfCRKdu0=" else {
-      x86_64-linux = "sha256-aa2KcL8yZYG+Dki7J6U473E2BQgdACAIzRLtD9zuHV0=";
-      aarch64-linux = "sha256-NECEEUKtTQajl0MZK8/NsbhcuyihHOo0Q5Y5UpAAgrM=";
+    hash = if stdenv.hostPlatform.isDarwin then "sha256-g+Bh7M9r/NfkWGH6NSTw2s3Whoh7eP80rmAosdfj0Bg=" else {
+      x86_64-linux = "sha256-3suK57NKevCLTGclJmbX/Mm01pRzH/rb8CSByfKHUvM=";
+      aarch64-linux = "sha256-bCJSSc5d9doc86aqvpas42gHuP3eyWKJQSumKR+oZoY=";
     }.${stdenv.hostPlatform.system};
   };
 

diff --git a/pkgs/applications/audio/schismtracker/default.nix b/pkgs/applications/audio/schismtracker/default.nix
@@ -3,27 +3,36 @@
 , fetchFromGitHub
 , autoreconfHook
 , alsa-lib
-, python3
+, perl
+, pkg-config
 , SDL2
 , libXext
 , Cocoa
 }:
 
 stdenv.mkDerivation rec {
   pname = "schismtracker";
-  version = "20240328";
+  version = "20240809";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = version;
-    sha256 = "sha256-hoP/14lbqsuQ37oJDErPoQWWk04UshImmApCFrf5wno=";
+    sha256 = "sha256-J4al7XU+vvehDnp2fRrVesWyUN4i63g5btUkjarpXbk=";
   };
 
+  # If we let it try to get the version from git, it will fail and fall back
+  # on running `date`, which will output the epoch, which is considered invalid
+  # in this assert: https://github.com/schismtracker/schismtracker/blob/a106b57e0f809b95d9e8bcf5a3975d27e0681b5a/schism/version.c#L112
+  postPatch = ''
+    substituteInPlace configure.ac \
+      --replace-fail 'git log' 'echo ${version} #'
+  '';
+
   configureFlags = [ "--enable-dependency-tracking" ]
     ++ lib.optional stdenv.hostPlatform.isDarwin "--disable-sdltest";
 
-  nativeBuildInputs = [ autoreconfHook python3 ];
+  nativeBuildInputs = [ autoreconfHook perl pkg-config ];
 
   buildInputs = [ SDL2 ]
     ++ lib.optionals stdenv.hostPlatform.isLinux [ alsa-lib libXext ]

diff --git a/pkgs/applications/graphics/gscreenshot/default.nix b/pkgs/applications/graphics/gscreenshot/default.nix
@@ -18,13 +18,13 @@
 
 python3Packages.buildPythonApplication rec {
   pname = "gscreenshot";
-  version = "3.6.2";
+  version = "3.6.3";
 
   src = fetchFromGitHub {
     owner = "thenaterhood";
     repo = "${pname}";
     rev = "refs/tags/v${version}";
-    sha256 = "sha256-dYmdM9QtemVKggEmMMcprVIM1fe02jQOyBPniy7p9ns=";
+    sha256 = "sha256-fpxKhgLpXbuUhALzF6n4v3FLcLaqbqLLxwQJE/wJrAY=";
   };
 
   # needed for wrapGAppsHook3 to function

diff --git a/pkgs/applications/misc/collision/default.nix b/pkgs/applications/misc/collision/default.nix
@@ -20,13 +20,13 @@
 
 crystal.buildCrystalPackage rec {
   pname = "Collision";
-  version = "3.8.1";
+  version = "3.9.0";
 
   src = fetchFromGitHub {
     owner = "GeopJr";
     repo = "Collision";
     rev = "v${version}";
-    hash = "sha256-55qCHc+snMAUFAT31Z8EPtJ/HLrnv1BveCEzjkn7N5g=";
+    hash = "sha256-c/74LzDM63w5zW8z2T8o4Efvuzj791/zTSKEDN32uak=";
   };
 
   postPatch = ''

diff --git a/pkgs/applications/misc/collision/shards.nix b/pkgs/applications/misc/collision/shards.nix
@@ -11,13 +11,13 @@
   };
   gi-crystal = {
     url = "https://github.com/hugopl/gi-crystal.git";
-    rev = "v0.22.3";
-    sha256 = "1xyj5bf3l2i1yzqxb8yyj0fc3kwi9nnd57n5dhs5xm9jxzcvw1kk";
+    rev = "v0.24.0";
+    sha256 = "0x356xn35008l573qhyl1sdddc9cc5i3bsa4c7865kgq9521ifyh";
   };
   gtk4 = {
     url = "https://github.com/hugopl/gtk4.cr.git";
-    rev = "v0.16.1";
-    sha256 = "1cqkbh072y70l8g0p040vf50k920p32ry1larnwn9mqabd74jwaj";
+    rev = "v0.17.0";
+    sha256 = "0lv3nvsanxi4g2322zvkf1jxx5zgzaapk228vcw2cl0ja1drm06d";
   };
   harfbuzz = {
     url = "https://github.com/hugopl/harfbuzz.cr.git";

diff --git a/pkgs/applications/misc/webfontkitgenerator/default.nix b/pkgs/applications/misc/webfontkitgenerator/default.nix
@@ -20,13 +20,13 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "webfont-kit-generator";
-  version = "1.1.1";
+  version = "1.2.0";
 
   src = fetchFromGitHub {
     owner = "rafaelmardojai";
     repo = "webfont-kit-generator";
     rev = finalAttrs.version;
-    hash = "sha256-RrmzHgRnpgQUNECgYA/AJfoxKpX1HQ5I1Pqjb3MK+P4=";
+    hash = "sha256-ZfyF1Didce88/HaLeMNTw0nGzj3EZnC7V9OzsN21L40=";
   };
 
   nativeBuildInputs = [