Merge staging-next into staging

ci/OWNERS

@@ -102,6 +102,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /nixos/default.nix                                    @infinisil
 /nixos/lib/from-env.nix                               @infinisil
 /nixos/lib/eval-config.nix                            @infinisil
+/nixos/modules/misc/ids.nix                           @R-VdP
 /nixos/modules/system/activation/bootspec.nix         @grahamc @cole-h @raitobezarius
 /nixos/modules/system/activation/bootspec.cue         @grahamc @cole-h @raitobezarius
 

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -55,6 +55,8 @@
 
 - [Bat](https://github.com/sharkdp/bat), a {manpage}`cat(1)` clone with wings. Available as [programs.bat](options.html#opt-programs.bat).
 
+- [µStreamer](https://github.com/pikvm/ustreamer), a lightweight MJPEG-HTTP streamer. Available as [services.ustreamer](options.html#opt-services.ustreamer).
+
 - [Whoogle Search](https://github.com/benbusby/whoogle-search), a self-hosted, ad-free, privacy-respecting metasearch engine. Available as [services.whoogle-search](options.html#opt-services.whoogle-search.enable).
 
 - [agorakit](https://github.com/agorakit/agorakit), an organization tool for citizens' collectives. Available with [services.agorakit](options.html#opt-services.agorakit.enable).

nixos/modules/hardware/uinput.nix

@@ -11,7 +11,7 @@ in
   config = lib.mkIf cfg.enable {
     boot.kernelModules = [ "uinput" ];
 
-    users.groups.uinput.gid = config.ids.gids.uinput;
+    users.groups.uinput = { };
 
     services.udev.extraRules = ''
       SUBSYSTEM=="misc", KERNEL=="uinput", MODE="0660", GROUP="uinput", OPTIONS+="static_node=uinput"

nixos/modules/misc/ids.nix

@@ -2,12 +2,15 @@
 # central list to prevent id collisions.
 
 # IMPORTANT!
-# We only add static uids and gids for services where it is not feasible
-# to change uids/gids on service start, for example a service with a lot of
-# files. Please also check if the service is applicable for systemd's
-# DynamicUser option and does not need a uid/gid allocation at all.
-# Systemd can also change ownership of service directories using the
-# RuntimeDirectory/StateDirectory options.
+#
+# https://github.com/NixOS/rfcs/blob/master/rfcs/0052-dynamic-ids.md
+#
+# Use of static ids is deprecated within NixOS. Dynamic allocation is
+# required, barring special circumstacnes. Please check if the service
+# is applicable for systemd's DynamicUser option and does not need a
+# uid/gid allocation at all.  Systemd can also change ownership of
+# service directories using the RuntimeDirectory/StateDirectory
+# options.
 
 { lib, ... }:
 
@@ -355,7 +358,6 @@ in
       rstudio-server = 324;
       localtimed = 325;
       automatic-timezoned = 326;
-      whisparr = 328;
 
       # When adding a uid, make sure it doesn't match an existing gid.
       #
@@ -683,8 +685,6 @@ in
       rstudio-server = 324;
       localtimed = 325;
       automatic-timezoned = 326;
-      uinput = 327;
-      whisparr = 328;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

nixos/modules/module-list.nix

@@ -1417,6 +1417,7 @@
   ./services/video/mirakurun.nix
   ./services/video/photonvision.nix
   ./services/video/mediamtx.nix
+  ./services/video/ustreamer.nix
   ./services/video/v4l2-relayd.nix
   ./services/video/wivrn.nix
   ./services/wayland/cage.nix

nixos/modules/services/misc/whisparr.nix

@@ -64,10 +64,10 @@ in
       whisparr = {
         group = cfg.group;
         home = cfg.dataDir;
-        uid = config.ids.uids.whisparr;
+        isSystemUser = true;
       };
     };
 
-    users.groups = lib.mkIf (cfg.group == "whisparr") { whisparr.gid = config.ids.gids.whisparr; };
+    users.groups.whisparr = lib.mkIf (cfg.group == "whisparr") { };
   };
 }

nixos/modules/services/video/ustreamer.nix

@@ -0,0 +1,110 @@
+{
+  config,
+  lib,
+  pkgs,
+  utils,
+  ...
+}:
+let
+  inherit (lib)
+    getExe
+    mkEnableOption
+    mkIf
+    mkOption
+    mkPackageOption
+    optionals
+    types
+    ;
+
+  cfg = config.services.ustreamer;
+in
+{
+  options.services.ustreamer = {
+    enable = mkEnableOption "µStreamer, a lightweight MJPEG-HTTP streamer";
+
+    package = mkPackageOption pkgs "ustreamer" { };
+
+    autoStart = mkOption {
+      description = ''
+        Wether to start µStreamer on boot. Disabling this will use socket
+        activation. The service will stop gracefully after some inactivity.
+        Disabling this will set `--exit-on-no-clients=300`
+      '';
+      type = types.bool;
+      default = true;
+      example = false;
+    };
+
+    listenAddress = mkOption {
+      description = ''
+        Address to expose the HTTP server. This accepts values for
+        ListenStream= defined in {manpage}`systemd.socket(5)`
+      '';
+      type = types.str;
+      default = "0.0.0.0:8080";
+      example = "/run/ustreamer.sock";
+    };
+
+    device = mkOption {
+      description = ''
+        The v4l2 device to stream.
+      '';
+      type = types.path;
+      default = "/dev/video0";
+      example = "/dev/v4l/by-id/usb-0000_Dummy_abcdef-video-index0";
+    };
+
+    extraArgs = mkOption {
+      description = ''
+        Extra arguments to pass to `ustreamer`. See {manpage}`ustreamer(1)`
+      '';
+      type = with types; listOf str;
+      default = [ ];
+      example = [ "--resolution=1920x1080" ];
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.ustreamer.extraArgs =
+      [
+        "--device=${cfg.device}"
+      ]
+      ++ optionals (!cfg.autoStart) [
+        "--exit-on-no-clients=300"
+      ];
+
+    systemd.services."ustreamer" = {
+      description = "µStreamer, a lightweight MJPEG-HTTP streamer";
+      after = [ "network.target" ];
+      requires = [ "ustreamer.socket" ];
+      wantedBy = mkIf cfg.autoStart [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = utils.escapeSystemdExecArgs (
+          [
+            (getExe cfg.package)
+            "--systemd"
+          ]
+          ++ cfg.extraArgs
+        );
+        Restart = if cfg.autoStart then "always" else "on-failure";
+
+        DynamicUser = true;
+        SupplementaryGroups = [ "video" ];
+
+        NoNewPrivileges = true;
+        ProcSubset = "pid";
+        ProtectProc = "noaccess";
+        ProtectClock = "yes";
+        DeviceAllow = [ cfg.device ];
+      };
+    };
+
+    systemd.sockets."ustreamer" = {
+      wantedBy = [ "sockets.target" ];
+      partOf = [ "ustreamer.service" ];
+      socketConfig = {
+        ListenStream = cfg.listenAddress;
+      };
+    };
+  };
+}

nixos/modules/virtualisation/podman/default.nix

@@ -5,29 +5,18 @@ let
 
   inherit (lib) mkOption types;
 
-  podmanPackage = pkgs.podman.override {
-    extraPackages = cfg.extraPackages ++ [
-        "/run/wrappers" # setuid shadow
-        config.systemd.package # To allow systemd-based container healthchecks
-      ] ++ lib.optional (config.boot.supportedFilesystems.zfs or false) config.boot.zfs.package;
-    extraRuntimes = [ pkgs.runc ]
-      ++ lib.optionals (config.virtualisation.containers.containersConf.settings.network.default_rootless_network_cmd or "" == "slirp4netns") (with pkgs; [
-      slirp4netns
-    ]);
-  };
-
   # Provides a fake "docker" binary mapping to podman
-  dockerCompat = pkgs.runCommand "${podmanPackage.pname}-docker-compat-${podmanPackage.version}"
+  dockerCompat = pkgs.runCommand "${cfg.package.pname}-docker-compat-${cfg.package.version}"
     {
       outputs = [ "out" "man" ];
-      inherit (podmanPackage) meta;
+      inherit (cfg.package) meta;
       preferLocalBuild = true;
     } ''
     mkdir -p $out/bin
-    ln -s ${podmanPackage}/bin/podman $out/bin/docker
+    ln -s ${cfg.package}/bin/podman $out/bin/docker
 
     mkdir -p $man/share/man/man1
-    for f in ${podmanPackage.man}/share/man/man1/*; do
+    for f in ${cfg.package.man}/share/man/man1/*; do
       basename=$(basename $f | sed s/podman/docker/g)
       ln -s $f $man/share/man/man1/$basename
     done
@@ -137,13 +126,21 @@ in
       };
     };
 
-    package = lib.mkOption {
-      type = types.package;
-      default = podmanPackage;
-      internal = true;
-      description = ''
-        The final Podman package (including extra packages).
+    package = (lib.mkPackageOption pkgs "podman" {
+      extraDescription = ''
+        This package will automatically include extra packages and runtimes.
       '';
+    }) // {
+      apply = pkg: pkg.override {
+        extraPackages = cfg.extraPackages ++ [
+            "/run/wrappers" # setuid shadow
+            config.systemd.package # To allow systemd-based container healthchecks
+          ] ++ lib.optional (config.boot.supportedFilesystems.zfs or false) config.boot.zfs.package;
+        extraRuntimes = [ pkgs.runc ]
+          ++ lib.optionals (config.virtualisation.containers.containersConf.settings.network.default_rootless_network_cmd or "" == "slirp4netns") (with pkgs; [
+          slirp4netns
+        ]);
+      };
     };
 
     defaultNetwork.settings = lib.mkOption {

nixos/tests/ustreamer.nix

@@ -46,22 +46,13 @@ import ./make-test-python.nix (
           '';
         in
         {
-          environment.systemPackages = [ pkgs.ustreamer ];
-          networking.firewall.enable = false;
-          systemd.services.ustreamer = {
-            description = "ustreamer service";
-            wantedBy = [ "multi-user.target" ];
-            serviceConfig = {
-              DynamicUser = true;
-              ExecStart = "${pkgs.ustreamer}/bin/ustreamer --host=0.0.0.0 --port 8000 --device /dev/video9 --device-timeout=8";
-              PrivateTmp = true;
-              BindReadOnlyPaths = "/dev/video9";
-              SupplementaryGroups = [
-                "video"
-              ];
-              Restart = "always";
-            };
+          services.ustreamer = {
+            enable = true;
+            device = "/dev/video9";
+            extraArgs = [ "--device-timeout=8" ];
           };
+          networking.firewall.allowedTCPPorts = [ 8080 ];
+
           boot.extraModulePackages = [ config.boot.kernelPackages.akvcam ];
           boot.kernelModules = [ "akvcam" ];
           boot.extraModprobeConfig = ''
@@ -74,10 +65,10 @@ import ./make-test-python.nix (
       start_all()
 
       camera.wait_for_unit("ustreamer.service")
-      camera.wait_for_open_port(8000)
+      camera.wait_for_open_port(8080)
 
       client.wait_for_unit("multi-user.target")
-      client.succeed("curl http://camera:8000")
+      client.succeed("curl http://camera:8080")
     '';
   }
 )

pkgs/applications/editors/vim/plugins/overrides.nix

@@ -1381,10 +1381,10 @@ in
     dependencies = [ self.vim-floaterm ];
   };
 
-  lightline-bufferline = super.lightline-bufferline.overrideAttrs {
+  lightline-bufferline = super.lightline-bufferline.overrideAttrs (oa: {
     # Requires web-devicons but mini.icons can mock them up
-    nativeCheckInputs = [ self.nvim-web-devicons ];
-  };
+    nativeCheckInputs = oa.nativeCheckInputs ++ [ self.nvim-web-devicons ];
+  });
 
   lir-nvim = super.lir-nvim.overrideAttrs {
     dependencies = [ self.plenary-nvim ];
@@ -2118,10 +2118,10 @@ in
     ];
   };
 
-  nvim-nonicons = super.nvim-nonicons.overrideAttrs {
+  nvim-nonicons = super.nvim-nonicons.overrideAttrs (oa: {
     # Requires web-devicons but mini.icons can mock them up
-    nativeCheckInputs = [ self.nvim-web-devicons ];
-  };
+    nativeCheckInputs = oa.nativeCheckInputs ++ [ self.nvim-web-devicons ];
+  });
 
   nvim-nu = super.nvim-nu.overrideAttrs {
     dependencies = with self; [

pkgs/applications/networking/gns3/default.nix

@@ -12,25 +12,26 @@ in
 {
   guiStable = mkGui {
     channel = "stable";
-    version = "2.2.50";
-    hash = "sha256-A6aLp/fN/0u5VIOX6d0QrZ2zWuNPvhI1xfw7cKU9jRA=";
+    version = "2.2.51";
+    hash = "sha256-HXuhaJEcr33qYm2v/wFqnO7Ba4lyZgSzvh6dkNZX9XI=";
   };
 
   guiPreview = mkGui {
     channel = "stable";
-    version = "2.2.50";
-    hash = "sha256-A6aLp/fN/0u5VIOX6d0QrZ2zWuNPvhI1xfw7cKU9jRA=";
+    version = "2.2.51";
+    hash = "sha256-HXuhaJEcr33qYm2v/wFqnO7Ba4lyZgSzvh6dkNZX9XI=";
   };
 
   serverStable = mkServer {
     channel = "stable";
-    version = "2.2.50";
-    hash = "sha256-m5Od3IPn31JaFOtilKh79aISH4lRd+KatSLRqsF8n4Y=";
+    version = "2.2.51";
+    hash = "sha256-Yw6RvHZzVU2wWXVxvuIu7GLFyqjakwqJ0EV6H0ZdVcQ=";
   };
 
   serverPreview = mkServer {
     channel = "stable";
-    version = "2.2.50";
-    hash = "sha256-m5Od3IPn31JaFOtilKh79aISH4lRd+KatSLRqsF8n4Y=";
+    version = "2.2.51";
+    hash = "sha256-Yw6RvHZzVU2wWXVxvuIu7GLFyqjakwqJ0EV6H0ZdVcQ=";
   };
 }
+

pkgs/applications/virtualization/qemu/default.nix

@@ -56,16 +56,6 @@ assert lib.assertMsg (xenSupport -> hostCpuTargets == [ "i386-softmmu" ]) "Xen s
 
 let
   hexagonSupport = hostCpuTargets == null || lib.elem "hexagon" hostCpuTargets;
-
-  buildPlatformStdenv =
-    if stdenv.buildPlatform.isDarwin then
-      overrideSDK buildPackages.stdenv {
-        # Keep these values in sync with `all-packages.nix`.
-        darwinSdkVersion = "12.3";
-        darwinMinVersion = "12.0";
-      }
-    else
-      buildPackages.stdenv;
 in
 
 stdenv.mkDerivation (finalAttrs: {
@@ -82,7 +72,7 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-+FnwvGXh9TPQQLvoySvP7O5a8skhpmh8ZS+0TQib2JQ=";
   };
 
-  depsBuildBuild = [ buildPlatformStdenv.cc ]
+  depsBuildBuild = [ buildPackages.stdenv.cc ]
     ++ lib.optionals hexagonSupport [ pkg-config ];
 
   nativeBuildInputs = [