Merge master into staging-next

nixos/doc/manual/release-notes/rl-2105.xml

@@ -680,6 +680,13 @@ environment.systemPackages = [
      All CUDA toolkit versions prior to CUDA 10 have been removed.
     </para>
    </listitem>
+   <listitem>
+     <para>
+       The <package>babeld</package> service is now being run as an unprivileged user. To achieve that the module configures
+       <literal>skip-kernel-setup true</literal> and takes care of setting forwarding and rp_filter sysctls by itself as well
+       as for each interface in <varname>services.babeld.interfaces</varname>.
+     </para>
+   </listitem>
   </itemizedlist>
  </section>
 

nixos/modules/services/networking/babeld.nix

@@ -19,7 +19,10 @@ let
     "interface ${name} ${paramsString interface}\n";
 
   configFile = with cfg; pkgs.writeText "babeld.conf" (
-    (optionalString (cfg.interfaceDefaults != null) ''
+    ''
+      skip-kernel-setup true
+    ''
+    + (optionalString (cfg.interfaceDefaults != null) ''
       default ${paramsString cfg.interfaceDefaults}
     '')
     + (concatMapStrings interfaceConfig (attrNames cfg.interfaces))
@@ -84,21 +87,30 @@ in
 
   config = mkIf config.services.babeld.enable {
 
+    boot.kernel.sysctl = {
+      "net.ipv6.conf.all.forwarding" = 1;
+      "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv4.conf.all.forwarding" = 1;
+      "net.ipv4.conf.all.rp_filter" = 0;
+    } // lib.mapAttrs' (ifname: _: lib.nameValuePair "net.ipv4.conf.${ifname}.rp_filter" (lib.mkDefault 0)) config.services.babeld.interfaces;
+
     systemd.services.babeld = {
       description = "Babel routing daemon";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
         ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state";
+        AmbientCapabilities = [ "CAP_NET_ADMIN" ];
         CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
+        DynamicUser = true;
         IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ];
         IPAddressDeny = "any";
         LockPersonality = true;
         NoNewPrivileges = true;
         MemoryDenyWriteExecute = true;
         ProtectSystem = "strict";
         ProtectClock = true;
-        ProtectKernelTunables = false; # Couldn't write sysctl: Read-only file system
+        ProtectKernelTunables = true;
         ProtectKernelModules = true;
         ProtectKernelLogs = true;
         ProtectControlGroups = true;

nixos/tests/babeld.nix

@@ -25,9 +25,6 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
       {
         virtualisation.vlans = [ 10 20 ];
 
-        boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1;
-        boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
-
         networking = {
           useDHCP = false;
           firewall.enable = false;
@@ -74,9 +71,6 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
       {
         virtualisation.vlans = [ 20 30 ];
 
-        boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1;
-        boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
-
         networking = {
           useDHCP = false;
           firewall.enable = false;

pkgs/applications/graphics/drawing/default.nix

@@ -17,15 +17,15 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "drawing";
-  version = "0.4.13";
+  version = "0.8.0";
 
   format = "other";
 
   src = fetchFromGitHub {
     owner = "maoschanz";
     repo = pname;
     rev = version;
-    sha256 = "0mj2nmfrckv89srgkn16fnbrb35f5a655ak8bb3rd9na3hd5bq53";
+    sha256 = "03cx6acb0ph7b3difshjfddi8ld79wp8d12bdp7dp1q1820j5mz0";
   };
 
   nativeBuildInputs = [

pkgs/applications/networking/mailreaders/himalaya/default.nix

@@ -11,16 +11,16 @@
 }:
 rustPlatform.buildRustPackage rec {
   pname = "himalaya";
-  version = "0.2.6";
+  version = "0.2.7";
 
   src = fetchFromGitHub {
     owner = "soywod";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1fl3lingb4wdh6bz4calzbibixg44wnnwi1qh0js1ijp8b6ll560";
+    sha256 = "0yp3gc5hmlrs5rcmb2qbi4iqb5ndflgqw20qa7ziqayrdd15kzpn";
   };
 
-  cargoSha256 = "10p8di71w7hn36b1994wgk33fnj641lsp80zmccinlg5fiwyzncx";
+  cargoSha256 = "1abz3s9c3byqc0vaws839hjlf96ivq4zbjyijsbg004ffbmbccpn";
 
   nativeBuildInputs = [ ]
     ++ lib.optionals (enableCompletions) [ installShellFiles ]
@@ -34,9 +34,6 @@ rustPlatform.buildRustPackage rec {
       openssl
     ];
 
-  # The completions are correctly installed, and there is issue that himalaya
-  # generate empty completion files without mail configure.
-  # This supposed to be fixed in 0.2.7
   postInstall = lib.optionalString enableCompletions ''
     # Install shell function
     installShellCompletion --cmd himalaya \

pkgs/common-updater/scripts/update-source-version

@@ -19,6 +19,7 @@ args=()
 for arg in "$@"; do
     case $arg in
         --system=*)
+            system="${arg#*=}"
             systemArg="--system ${arg#*=}"
         ;;
         --version-key=*)
@@ -59,6 +60,9 @@ newVersion=${args[1]}
 newHash=${args[2]}
 newUrl=${args[3]}
 
+# Third-party repositories might not accept arguments in their default.nix.
+importTree="(let tree = import ./.; in if builtins.isFunction tree then tree {} else tree)"
+
 if (( "${#args[*]}" < 2 )); then
     echo "$scriptName: Too few arguments"
     usage
@@ -75,11 +79,39 @@ if [[ -z "$versionKey" ]]; then
     versionKey=version
 fi
 
+# Allow finding packages among flake outputs in repos using flake-compat.
+pname=$(nix-instantiate $systemArg --eval --strict -A "$attr.name" || echo)
+if [[ -z "$pname" ]]; then
+    if [[ -z "$system" ]]; then
+        system=$(nix-instantiate --eval -E 'builtins.currentSystem' | tr -d '"')
+    fi
+
+    pname=$(nix-instantiate $systemArg --eval --strict -A "packages.$system.$attr.name" || echo)
+    if [[ -n "$pname" ]]; then
+        attr="packages.$system.$attr"
+    else
+        pname=$(nix-instantiate $systemArg --eval --strict -A "legacyPackages.$system.$attr.name" || echo)
+        if [[ -n "$pname" ]]; then
+            attr="legacyPackages.$system.$attr"
+        else
+            die "Could not find attribute '$attr'!"
+        fi
+    fi
+fi
+
 if [[ -z "$nixFile" ]]; then
     nixFile=$(nix-instantiate $systemArg --eval --strict -A "$attr.meta.position" | sed -re 's/^"(.*):[0-9]+"$/\1/')
     if [[ ! -f "$nixFile" ]]; then
         die "Couldn't evaluate '$attr.meta.position' to locate the .nix file!"
     fi
+
+    # flake-compat will return paths in the Nix store, we need to correct for that.
+    possiblyOutPath=$(nix-instantiate $systemArg --eval -E "with $importTree; outPath" | tr -d '"')
+    if [[ -n "$possiblyOutPath" ]]; then
+        outPathEscaped=$(echo "$possiblyOutPath" | sed 's#[$^*\\.[|]#\\&#g')
+        pwdEscaped=$(echo "$PWD" | sed 's#[$^*\\.[|]#\\&#g')
+        nixFile=$(echo "$nixFile" | sed "s|^$outPathEscaped|$pwdEscaped|")
+    fi
 fi
 
 oldHashAlgo=$(nix-instantiate $systemArg --eval --strict -A "$attr.src.drvAttrs.outputHashAlgo" | tr -d '"')
@@ -93,17 +125,16 @@ if [[ $(grep --count "$oldHash" "$nixFile") != 1 ]]; then
     die "Couldn't locate old source hash '$oldHash' (or it appeared more than once) in '$nixFile'!"
 fi
 
-oldUrl=$(nix-instantiate $systemArg --eval -E "with import ./. {}; builtins.elemAt ($attr.src.drvAttrs.urls or [ $attr.src.url ]) 0" | tr -d '"')
+oldUrl=$(nix-instantiate $systemArg --eval -E "with $importTree; builtins.elemAt ($attr.src.drvAttrs.urls or [ $attr.src.url ]) 0" | tr -d '"')
 
 if [[ -z "$oldUrl" ]]; then
     die "Couldn't evaluate source url from '$attr.src'!"
 fi
 
-drvName=$(nix-instantiate $systemArg --eval -E "with import ./. {}; lib.getName $attr" | tr -d '"')
-oldVersion=$(nix-instantiate $systemArg --eval -E "with import ./. {}; $attr.${versionKey} or (lib.getVersion $attr)" | tr -d '"')
+oldVersion=$(nix-instantiate $systemArg --eval -E "with $importTree; $attr.${versionKey} or (builtins.parseDrvName $attr.name).version" | tr -d '"')
 
-if [[ -z "$drvName" || -z "$oldVersion" ]]; then
-    die "Couldn't evaluate name and version from '$attr.name'!"
+if [[ -z "$oldVersion" ]]; then
+    die "Couldn't find out the old version of '$attr'!"
 fi
 
 if [[ "$oldVersion" = "$newVersion" ]]; then
@@ -115,7 +146,7 @@ if [[ "$oldVersion" = "$newVersion" ]]; then
 fi
 
 if [[ -n "$newRevision" ]]; then
-    oldRevision=$(nix-instantiate $systemArg --eval -E "with import ./. {}; $attr.src.rev" | tr -d '"')
+    oldRevision=$(nix-instantiate $systemArg --eval -E "with $importTree; $attr.src.rev" | tr -d '"')
     if [[ -z "$oldRevision" ]]; then
         die "Couldn't evaluate source revision from '$attr.src'!"
     fi

pkgs/development/libraries/liburing/default.nix

@@ -12,6 +12,14 @@ stdenv.mkDerivation rec {
     sha256 = "0has1yd1ns5q5jgcmhrbgwhbwq0wix3p7xv3dyrwdf784p56izkn";
   };
 
+  patches = [
+    # Fix build on 32-bit ARM
+    (fetchpatch {
+      url = "https://github.com/axboe/liburing/commit/808b6c72ab753bda0c300b5683cfd31750d1d49b.patch";
+      sha256 = "1x7a9c5a6rwhfsbjqmhbnwh2aiin6yylckrqdjbzljrprzf11wrd";
+    })
+  ];
+
   separateDebugInfo = true;
   enableParallelBuilding = true;
   # Upstream's configure script is not autoconf generated, but a hand written one.

pkgs/development/tools/build-managers/buck/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, jdk11, ant, python3, watchman, bash, makeWrapper }:
+{ lib, stdenv, fetchFromGitHub, jdk8, ant, python3, watchman, bash, makeWrapper }:
 
 stdenv.mkDerivation rec {
   pname = "buck";
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
     grep -l -r '/bin/bash' --null | xargs -0 sed -i -e "s!/bin/bash!${bash}/bin/bash!g"
   '';
 
-  nativeBuildInputs = [ makeWrapper python3 jdk11 ant watchman ];
+  nativeBuildInputs = [ makeWrapper python3 jdk8 ant watchman ];
 
   buildPhase = ''
     # Set correct version, see https://github.com/facebook/buck/issues/2607
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
   installPhase = ''
     install -D -m755 buck-out/gen/*/programs/buck.pex $out/bin/buck
     wrapProgram $out/bin/buck \
-      --prefix PATH : "${lib.makeBinPath [ jdk11 watchman python3 ]}"
+      --prefix PATH : "${lib.makeBinPath [ jdk8 watchman python3 ]}"
   '';
 
   meta = with lib; {

pkgs/development/tools/database/pgsync/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gem 'pgsync'

pkgs/development/tools/database/pgsync/Gemfile.lock

@@ -0,0 +1,23 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    parallel (1.20.1)
+    pg (1.2.3)
+    pgsync (0.6.6)
+      parallel
+      pg (>= 0.18.2)
+      slop (>= 4.8.2)
+      tty-spinner
+    slop (4.8.2)
+    tty-cursor (0.7.1)
+    tty-spinner (0.9.3)
+      tty-cursor (~> 0.7)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  pgsync
+
+BUNDLED WITH
+   2.1.4

pkgs/development/tools/database/pgsync/default.nix

@@ -0,0 +1,15 @@
+{ lib, bundlerApp }:
+
+bundlerApp rec {
+  gemdir = ./.;
+  pname = "pgsync";
+  exes = [ "pgsync" ];
+
+  meta = with lib; {
+    description = "Sync data from one Postgres database to another (like `pg_dump`/`pg_restore`)";
+    homepage    = "https://github.com/ankane/pgsync";
+    license     = with licenses; mit;
+    maintainers = with maintainers; [ fabianhjr ];
+    platforms   = platforms.all;
+  };
+}

pkgs/development/tools/database/pgsync/gemset.nix

@@ -0,0 +1,64 @@
+{
+  parallel = {
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "0055br0mibnqz0j8wvy20zry548dhkakws681bhj3ycb972awkzd";
+      type = "gem";
+    };
+    version = "1.20.1";
+  };
+  pg = {
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "13mfrysrdrh8cka1d96zm0lnfs59i5x2g6ps49r2kz5p3q81xrzj";
+      type = "gem";
+    };
+    version = "1.2.3";
+  };
+  pgsync = {
+    dependencies = ["parallel" "pg" "slop" "tty-spinner"];
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "0wjvcfsgm7xxhb2lxil19qjxvvihqxbjd2ykmm5d43p0h2l9wvxr";
+      type = "gem";
+    };
+    version = "0.6.6";
+  };
+  slop = {
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "05d1xv8r9cmd0mmlqpa853yzd7xhcyha063w1g8dpf84scxbxmd3";
+      type = "gem";
+    };
+    version = "4.8.2";
+  };
+  tty-cursor = {
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "0j5zw041jgkmn605ya1zc151bxgxl6v192v2i26qhxx7ws2l2lvr";
+      type = "gem";
+    };
+    version = "0.7.1";
+  };
+  tty-spinner = {
+    dependencies = ["tty-cursor"];
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "0hh5awmijnzw9flmh5ak610x1d00xiqagxa5mbr63ysggc26y0qf";
+      type = "gem";
+    };
+    version = "0.9.3";
+  };
+}

pkgs/development/tools/misc/stlink/default.nix

@@ -9,25 +9,22 @@ let
 
 in stdenv.mkDerivation rec {
   pname = "stlink";
-  version = "1.6.0";
+  version = "1.7.0";
 
   src = fetchFromGitHub {
-    owner = "texane";
+    owner = "stlink-org";
     repo = "stlink";
     rev = "v${version}";
-    sha256 = "1mlkrxjxg538335g59hjb0zc739dx4mhbspb26z5gz3lf7d4xv6x";
+    sha256 = "03xypffpbp4imrczbxmq69vgkr7mbp0ps9dk815br5wwlz6vgygl";
   };
 
   buildInputs = [ libusb1' ];
   nativeBuildInputs = [ cmake ];
-  patchPhase = ''
-    sed -i 's@/etc/udev/rules.d@$ENV{out}/etc/udev/rules.d@' CMakeLists.txt
-    sed -i 's@/etc/modprobe.d@$ENV{out}/etc/modprobe.d@' CMakeLists.txt
-  '';
-  preInstall = ''
-    mkdir -p $out/etc/udev/rules.d
-    mkdir -p $out/etc/modprobe.d
-  '';
+
+  cmakeFlags = [
+    "-DSTLINK_MODPROBED_DIR=${placeholder "out"}/etc/modprobe.d"
+    "-DSTLINK_UDEV_RULES_DIR=${placeholder "out"}/lib/udev/rules.d"
+  ];
 
   meta = with lib; {
     description = "In-circuit debug and programming for ST-Link devices";