Merge staging-next into staging

NixOS · Oct 3, 2024 · 6a5c2ed · 6a5c2ed
2 parents 6d24a9c + ca0b5f7
commit 6a5c2ed
Show file tree

Hide file tree

Showing 42 changed files with 719 additions and 184 deletions.
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
@@ -407,7 +407,6 @@ in {
     ''
       import time
 
-
       TOTAL_RETRIES = 20
 
 
@@ -428,6 +427,16 @@ in {
 
               return retries + 1
 
+          def protect(self, func):
+              def wrapper(*args, retries: int = 0, **kwargs):
+                  try:
+                      return func(*args, **kwargs)
+                  except Exception as err:
+                      retries = self.handle_fail(retries, err.args)
+                      return wrapper(*args, retries=retries, **kwargs)
+
+              return wrapper
+
 
       backoff = BackoffTracker()
 
@@ -437,11 +446,13 @@ in {
           # quickly switch between derivations
           root_specs = "/tmp/specialisation"
           node.execute(
-            f"test -e {root_specs}"
-            f" || ln -s $(readlink /run/current-system)/specialisation {root_specs}"
+              f"test -e {root_specs}"
+              f" || ln -s $(readlink /run/current-system)/specialisation {root_specs}"
           )
 
-          switcher_path = f"/run/current-system/specialisation/{name}/bin/switch-to-configuration"
+          switcher_path = (
+              f"/run/current-system/specialisation/{name}/bin/switch-to-configuration"
+          )
           rc, _ = node.execute(f"test -e '{switcher_path}'")
           if rc > 0:
               switcher_path = f"/tmp/specialisation/{name}/bin/switch-to-configuration"
@@ -465,51 +476,57 @@ in {
               actual_issuer = node.succeed(
                   f"openssl x509 -noout -issuer -in /var/lib/acme/{cert_name}/{fname}"
               ).partition("=")[2]
-              print(f"{fname} issuer: {actual_issuer}")
-              assert issuer.lower() in actual_issuer.lower()
+              assert (
+                  issuer.lower() in actual_issuer.lower()
+              ), f"{fname} issuer mismatch. Expected {issuer} got {actual_issuer}"
 
 
       # Ensure cert comes before chain in fullchain.pem
       def check_fullchain(node, cert_name):
-          subject_data = node.succeed(
-              f"openssl crl2pkcs7 -nocrl -certfile /var/lib/acme/{cert_name}/fullchain.pem"
-              " | openssl pkcs7 -print_certs -noout"
+          cert_file = f"/var/lib/acme/{cert_name}/fullchain.pem"
+          num_certs = node.succeed(f"grep -o 'END CERTIFICATE' {cert_file}")
+          assert len(num_certs.strip().split("\n")) > 1, "Insufficient certs in fullchain.pem"
+
+          first_cert_data = node.succeed(
+              f"grep -m1 -B50 'END CERTIFICATE' {cert_file}"
+              " | openssl x509 -noout -text"
           )
-          for line in subject_data.lower().split("\n"):
-              if "subject" in line:
-                  print(f"First subject in fullchain.pem: {line}")
-                  assert cert_name.lower() in line
+          for line in first_cert_data.lower().split("\n"):
+              if "dns:" in line:
+                  print(f"First DNSName in fullchain.pem: {line}")
+                  assert cert_name.lower() in line, f"{cert_name} not found in {line}"
                   return
 
           assert False
 
 
-      def check_connection(node, domain, retries=0):
+      @backoff.protect
+      def check_connection(node, domain):
           result = node.succeed(
               "openssl s_client -brief -verify 2 -CAfile /tmp/ca.crt"
               f" -servername {domain} -connect {domain}:443 < /dev/null 2>&1"
           )
 
           for line in result.lower().split("\n"):
-              if "verification" in line and "error" in line:
-                  retries = backoff.handle_fail(retries, f"Failed to connect to https://{domain}")
-                  return check_connection(node, domain, retries)
+              assert not (
+                  "verification" in line and "error" in line
+              ), f"Failed to connect to https://{domain}"
 
 
-      def check_connection_key_bits(node, domain, bits, retries=0):
+      @backoff.protect
+      def check_connection_key_bits(node, domain, bits):
           result = node.succeed(
               "openssl s_client -CAfile /tmp/ca.crt"
               f" -servername {domain} -connect {domain}:443 < /dev/null"
               " | openssl x509 -noout -text | grep -i Public-Key"
           )
           print("Key type:", result)
 
-          if bits not in result:
-              retries = backoff.handle_fail(retries, f"Did not find expected number of bits ({bits}) in key")
-              return check_connection_key_bits(node, domain, bits, retries)
+          assert bits in result, f"Did not find expected number of bits ({bits}) in key"
 
 
-      def check_stapling(node, domain, retries=0):
+      @backoff.protect
+      def check_stapling(node, domain):
           # Pebble doesn't provide a full OCSP responder, so just check the URL
           result = node.succeed(
               "openssl s_client -CAfile /tmp/ca.crt"
@@ -518,30 +535,28 @@ in {
           )
           print("OCSP Responder URL:", result)
 
-          if "${caDomain}:4002" not in result.lower():
-              retries = backoff.handle_fail(retries, "OCSP Stapling check failed")
-              return check_stapling(node, domain, retries)
+          assert "${caDomain}:4002" in result.lower(), "OCSP Stapling check failed"
 
 
-      def download_ca_certs(node, retries=0):
-          exit_code, _ = node.execute("curl https://${caDomain}:15000/roots/0 > /tmp/ca.crt")
-          exit_code_2, _ = node.execute(
-              "curl https://${caDomain}:15000/intermediate-keys/0 >> /tmp/ca.crt"
-          )
+      @backoff.protect
+      def download_ca_certs(node):
+          node.succeed("curl https://${caDomain}:15000/roots/0 > /tmp/ca.crt")
+          node.succeed("curl https://${caDomain}:15000/intermediate-keys/0 >> /tmp/ca.crt")
 
-          if exit_code + exit_code_2 > 0:
-              retries = backoff.handle_fail(retries, "Failed to connect to pebble to download root CA certs")
-              return download_ca_certs(node, retries)
+
+      @backoff.protect
+      def set_a_record(node):
+          node.succeed(
+              'curl --data \'{"host": "${caDomain}", "addresses": ["${nodes.acme.networking.primaryIPAddress}"]}\' http://${dnsServerIP nodes}:8055/add-a'
+          )
 
 
       start_all()
 
       dnsserver.wait_for_unit("pebble-challtestsrv.service")
       client.wait_for_unit("default.target")
 
-      client.succeed(
-          'curl --data \'{"host": "${caDomain}", "addresses": ["${nodes.acme.networking.primaryIPAddress}"]}\' http://${dnsServerIP nodes}:8055/add-a'
-      )
+      set_a_record(client)
 
       acme.systemctl("start network-online.target")
       acme.wait_for_unit("network-online.target")
@@ -638,7 +653,7 @@ in {
           webserver.wait_for_unit("acme-finished-lego.example.test.target")
           webserver.wait_for_unit("nginx.service")
           webserver.succeed("echo HENLO && systemctl cat nginx.service")
-          webserver.succeed("test \"$(stat -c '%U' /var/lib/acme/* | uniq)\" = \"root\"")
+          webserver.succeed('test "$(stat -c \'%U\' /var/lib/acme/* | uniq)" = "root"')
           check_connection(client, "a.example.test")
           check_connection(client, "lego.example.test")
 

diff --git a/nixos/tests/scrutiny.nix b/nixos/tests/scrutiny.nix
@@ -49,10 +49,6 @@ import ./make-test-python.nix ({ lib, ... }:
   testScript = ''
     start_all()
 
-    # Wait for InfluxDB to be available
-    machine.wait_for_unit("influxdb2")
-    machine.wait_for_open_port(8086)
-
     # Wait for Scrutiny to be available
     machine.wait_for_unit("scrutiny")
     machine.wait_for_open_port(8080)

diff --git a/pkgs/applications/graphics/dosage/default.nix b/pkgs/applications/graphics/dosage/default.nix
@@ -1,22 +1,43 @@
-{ lib, python3Packages, fetchPypi }:
+{
+  lib,
+  python3Packages,
+  fetchPypi,
+}:
 
 python3Packages.buildPythonApplication rec {
   pname = "dosage";
-  version = "2.17";
+  version = "3.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "0vmxgn9wd3j80hp4gr5iq06jrl4gryz5zgfdd2ah30d12sfcfig0";
+    sha256 = "sha256-mHV/U9Vqv7fSsLYNrCXckkJ1YpsccLd8HsJ78IwLX0Y=";
   };
 
+  pyproject = true;
+
   nativeCheckInputs = with python3Packages; [
-    pytestCheckHook pytest-xdist responses
+    pytestCheckHook
+    pytest-xdist
+    responses
   ];
 
-  nativeBuildInputs = with python3Packages; [ setuptools-scm ];
+  build-system = [ python3Packages.setuptools-scm ];
+
+  dependencies = with python3Packages; [
+    colorama
+    imagesize
+    lxml
+    requests
+    six
+    platformdirs
+  ];
 
-  propagatedBuildInputs = with python3Packages; [
-    colorama imagesize lxml requests setuptools six
+  disabledTests = [
+    # need network connect to api.github.com
+    "test_update_available"
+    "test_no_update_available"
+    "test_update_broken"
+    "test_current"
   ];
 
   meta = {

diff --git a/pkgs/applications/misc/lscolors/default.nix b/pkgs/applications/misc/lscolors/default.nix
@@ -2,14 +2,14 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "lscolors";
-  version = "0.19.0";
+  version = "0.20.0";
 
   src = fetchCrate {
     inherit version pname;
-    hash = "sha256-9xYWjpeXg646JEW7faRLE1Au6LRVU6QQ7zfAwmYffT0=";
+    hash = "sha256-EUUPVSpHc9tN1Hi7917hJ2psTZq5nnGw6PBeApvlVtw=";
   };
 
-  cargoHash = "sha256-gtcznStbuYWcBPKZ/hdH15cwRQL0+Q0fZHe+YW5Rek0=";
+  cargoHash = "sha256-1wAHd0WrJfjxDyGRAJjXGFY9ZBFlBOQFr2+cxoTufW0=";
 
   buildFeatures = [ "nu-ansi-term" ];
 

diff --git a/pkgs/applications/networking/cluster/talosctl/default.nix b/pkgs/applications/networking/cluster/talosctl/default.nix
@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "talosctl";
-  version = "1.7.6";
+  version = "1.8.0";
 
   src = fetchFromGitHub {
     owner = "siderolabs";
     repo = "talos";
     rev = "v${version}";
-    hash = "sha256-uyPnln1Cj4j1oPVERBIHMJXJWR+jPUq6AE7rZXr2yQo=";
+    hash = "sha256-Ezie6RQsigmJgdvnSVk6awuUu2kODSio9DNg4bow76M=";
   };
 
-  vendorHash = "sha256-ZJGhPT2KYYIMKmRWqdOppvXSD2W8kYtxK/900TdVdUg=";
+  vendorHash = "sha256-9qkealjjdBO659fdWdgFii3ThPRwKpYasB03L3Bktqs=";
 
   ldflags = [ "-s" "-w" ];
 

diff --git a/pkgs/applications/science/logic/easycrypt/default.nix b/pkgs/applications/science/logic/easycrypt/default.nix
@@ -1,14 +1,14 @@
-{ lib, stdenv, fetchFromGitHub, ocamlPackages, why3, python3 }:
+{ lib, stdenv, darwin, fetchFromGitHub, ocamlPackages, why3, python3 }:
 
 stdenv.mkDerivation rec {
   pname = "easycrypt";
-  version = "2024.01";
+  version = "2024.09";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = "r${version}";
-    hash = "sha256-UYDoVMi5TtYxgPq5nkp/oRtcMcHl2p7KAG8ptvuOL5U=";
+    hash = "sha256-ZGYklG1eXfytRKzFvRSB6jFrOCm1gjyG8W78eMve5Ng=";
   };
 
   nativeBuildInputs = with ocamlPackages; [
@@ -17,10 +17,12 @@ stdenv.mkDerivation rec {
     menhir
     ocaml
     python3.pkgs.wrapPython
-  ];
+  ] ++ lib.optional stdenv.hostPlatform.isDarwin darwin.sigtool;
+
   buildInputs = with ocamlPackages; [
     batteries
     dune-build-info
+    dune-site
     inifiles
     why3
     yojson
@@ -32,7 +34,7 @@ stdenv.mkDerivation rec {
   strictDeps = true;
 
   postPatch = ''
-    substituteInPlace dune-project --replace '(name easycrypt)' '(name easycrypt)(version ${version})'
+    substituteInPlace dune-project --replace-fail '(name easycrypt)' '(name easycrypt)(version ${version})'
   '';
 
   pythonPath = with python3.pkgs; [ pyyaml ];

diff --git a/pkgs/applications/video/glaxnimate/default.nix b/pkgs/applications/video/glaxnimate/default.nix
@@ -1,6 +1,7 @@
 { lib
 , stdenv
 , fetchFromGitLab
+, fetchpatch
 , cmake
 , zlib
 , potrace
@@ -47,6 +48,15 @@ stdenv.mkDerivation rec {
     fetchSubmodules = true;
   };
 
+  patches = [
+    # Backport fix for newer ffmpeg
+    # FIXME: remove in next update
+    (fetchpatch {
+      url = "https://invent.kde.org/graphics/glaxnimate/-/commit/4fb2b67a0f0ce2fbffb6fe9f87c3bf7914c8a602.patch";
+      hash = "sha256-QjCnscGa7n+zwrImA4mbQiTQb9jmDGm8Y/7TK8jZXvM=";
+    })
+  ];
+
   nativeBuildInputs = [
     cmake
     wrapQtAppsHook

diff --git a/pkgs/applications/video/obs-studio/plugins/obs-move-transition.nix b/pkgs/applications/video/obs-studio/plugins/obs-move-transition.nix
@@ -7,13 +7,13 @@
 
 stdenv.mkDerivation rec {
   pname = "obs-move-transition";
-  version = "3.0.2";
+  version = "3.1.0";
 
   src = fetchFromGitHub {
     owner = "exeldro";
     repo = "obs-move-transition";
     rev = version;
-    sha256 = "sha256-Vwm0Eyb8MevZtS3PTqnFQAbCj7JuTw9Ju0lS9CZ6rf8=";
+    sha256 = "sha256-ZmxopTv6YuAZ/GykvMRcP2PQwQk08ObmqZ9kBcR0UH4=";
   };
 
   nativeBuildInputs = [ cmake ];

diff --git a/pkgs/by-name/an/ansible-navigator/package.nix b/pkgs/by-name/an/ansible-navigator/package.nix
@@ -7,15 +7,15 @@
 }:
 python3Packages.buildPythonApplication rec {
   pname = "ansible-navigator";
-  version = "24.7.0";
+  version = "24.9.0";
   pyproject = true;
 
   disabled = python3Packages.pythonOlder "3.10";
 
   src = fetchPypi {
     inherit version;
     pname = "ansible_navigator";
-    hash = "sha256-XMwJzDxo/VZ+0qy5MLg/Kw/7j3V594qfV+T6jeVEWzg=";
+    hash = "sha256-eW38/n3vh2l2hKrh1xpW2fiB5yOkTnK77AnevDStD7s=";
   };
 
   build-system = with python3Packages; [

diff --git a/pkgs/by-name/cr/cryptpad/package.nix b/pkgs/by-name/cr/cryptpad/package.nix
@@ -9,7 +9,7 @@
 }:
 
 let
-  version = "2024.6.1";
+  version = "2024.9.0";
   # nix version of install-onlyoffice.sh
   # a later version could rebuild from sdkjs/web-apps as per
   # https://github.com/cryptpad/onlyoffice-builds/blob/main/build.sh
@@ -68,10 +68,10 @@ buildNpmPackage {
     owner = "cryptpad";
     repo = "cryptpad";
     rev = version;
-    hash = "sha256-qwyXpTY8Ds7R5687PVGZa/rlEyrAZjNzJ4+VQZpF8v0=";
+    hash = "sha256-OUtWaDVLRUbKS0apwY0aNq4MalGFv+fH9VA7LvWWYRs=";
   };
 
-  npmDepsHash = "sha256-GSTPsXqe/rxiDh5OW2t+ZY1YRNgRSDxkJ0pvcLIFtFw=";
+  npmDepsHash = "sha256-pK0b7q1kJja9l8ANwudbfo3jpldwuO56kuulS8X9A5s=";
 
   nativeBuildInputs = [
     makeBinaryWrapper