jinja2: fix dependencies

.github/workflows/pending-clear.yml

@@ -12,24 +12,10 @@ jobs:
       if: github.repository_owner == 'NixOS' && github.event.check_suite.app.name == 'OfBorg'
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        GSU_VERSION: "0.5.0"
-        GSU_HASH: "49df54dc0ed5eaa037400b66be8114bd62fa0af51ed36565f6203dc312711cc6"
-        GSU_URL: "https://github.com/cloudposse/github-status-updater/releases/download"
       run: |
-        curl -sSf -O -L -C - \
-        "$GSU_URL/$GSU_VERSION/github-status-updater_linux_amd64" && \
-        if [ "$(shasum -a 256 github-status-updater_linux_amd64 | cut -c1-64)" != "$GSU_HASH" ]; then
-          echo "checksum mismatch"
-          exit 1
-        fi
-        chmod +x github-status-updater_linux_amd64 && \
-        ./github-status-updater_linux_amd64 \
-          -action update_state \
-          -token "$GITHUB_TOKEN" \
-          -owner NixOS \
-          -repo nixpkgs \
-          -state success \
-          -context "Wait for ofborg" \
-          -description " " \
-          -url " " \
-          -ref "${{ github.event.check_suite.head_sha }}"
+        curl \
+          -X POST \
+          -H "Accept: application/vnd.github.v3+json" \
+          -H "Authorization: token $GITHUB_TOKEN" \
+          -d '{"state": "success", "target_url": " ", "description": " ", "context": "Wait for ofborg"}' \
+          "https://api.github.com/repos/NixOS/nixpkgs/statuses/${{ github.event.check_suite.head_sha }}"

.github/workflows/pending-set.yml

@@ -11,24 +11,10 @@ jobs:
       if: github.repository_owner == 'NixOS'
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        GSU_VERSION: "0.5.0"
-        GSU_HASH: "49df54dc0ed5eaa037400b66be8114bd62fa0af51ed36565f6203dc312711cc6"
-        GSU_URL: "https://github.com/cloudposse/github-status-updater/releases/download"
       run: |
-        curl -sSf -O -L -C - \
-        "$GSU_URL/$GSU_VERSION/github-status-updater_linux_amd64" && \
-        if [ "$(shasum -a 256 github-status-updater_linux_amd64 | cut -c1-64)" != "$GSU_HASH" ]; then
-          echo "checksum mismatch"
-          exit 1
-        fi
-        chmod +x github-status-updater_linux_amd64 && \
-        ./github-status-updater_linux_amd64 \
-          -action update_state \
-          -token "$GITHUB_TOKEN" \
-          -owner NixOS \
-          -repo nixpkgs \
-          -state failure \
-          -context "Wait for ofborg" \
-          -description "This failed status will be cleared when ofborg finishes eval." \
-          -url " " \
-          -ref "${{ github.event.pull_request.head.sha }}"
+        curl \
+          -X POST \
+          -H "Accept: application/vnd.github.v3+json" \
+          -H "Authorization: token $GITHUB_TOKEN" \
+          -d '{"state": "failure", "target_url": " ", "description": "This failed status will be cleared when ofborg finishes eval.", "context": "Wait for ofborg"}' \
+          "https://api.github.com/repos/NixOS/nixpkgs/statuses/${{ github.event.pull_request.head.sha }}"

maintainers/maintainer-list.nix

@@ -2717,6 +2717,12 @@
     githubId = 857308;
     name = "Joe Hermaszewski";
   };
+  extends = {
+    email = "sharosari@gmail.com";
+    github = "ImExtends";
+    githubId = 55919390;
+    name = "Vincent VILLIAUMEY";
+  };
   eyjhb = {
     email = "eyjhbb@gmail.com";
     github = "eyJhb";
@@ -9474,4 +9480,14 @@
     github = "yevhenshymotiuk";
     githubId = 44244245;
   };
+  hmenke = {
+    name = "Henri Menke";
+    email = "henri@henrimenke.de";
+    github = "hmenke";
+    githubId = 1903556;
+    keys = [{
+      longkeyid = "rsa4096/0xD65C9AFB4C224DA3";
+      fingerprint = "F1C5 760E 45B9 9A44 72E9  6BFB D65C 9AFB 4C22 4DA3";
+    }];
+  };
 }

nixos/modules/misc/nixpkgs.nix

@@ -178,8 +178,6 @@ in
       type = types.nullOr types.attrs; # TODO utilize lib.systems.parsedPlatform
       default = null;
       example = { system = "aarch64-linux"; config = "aarch64-unknown-linux-gnu"; };
-      defaultText = literalExample
-        ''(import "''${nixos}/../lib").lib.systems.examples.aarch64-multiplatform'';
       description = ''
         Specifies the platform for which NixOS should be
         built. Specify this only if it is different from

nixos/modules/profiles/hardened.nix

@@ -1,7 +1,7 @@
 # A profile with most (vanilla) hardening options enabled by default,
 # potentially at the cost of features and performance.
 
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 
@@ -27,6 +27,9 @@ with lib;
 
   security.forcePageTableIsolation = mkDefault true;
 
+  # This is required by podman to run containers in rootless mode.
+  security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
+
   security.virtualisation.flushL1DataCache = mkDefault "always";
 
   security.apparmor.enable = mkDefault true;

nixos/modules/security/misc.nix

@@ -27,6 +27,16 @@ with lib;
       '';
     };
 
+    security.unprivilegedUsernsClone = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        When disabled, unprivileged users will not be able to create new namespaces.
+        By default unprivileged user namespaces are disabled.
+        This option only works in a hardened profile.
+      '';
+    };
+
     security.protectKernelImage = mkOption {
       type = types.bool;
       default = false;
@@ -115,6 +125,10 @@ with lib;
       ];
     })
 
+    (mkIf config.security.unprivilegedUsernsClone {
+      boot.kernel.sysctl."kernel.unprivileged_userns_clone" = mkDefault true;
+    })
+
     (mkIf config.security.protectKernelImage {
       # Disable hibernation (allows replacing the running kernel)
       boot.kernelParams = [ "nohibernate" ];

nixos/modules/services/networking/shadowsocks.nix

@@ -11,8 +11,13 @@ let
     method = cfg.encryptionMethod;
     mode = cfg.mode;
     user = "nobody";
-    fast_open = true;
-  } // optionalAttrs (cfg.password != null) { password = cfg.password; };
+    fast_open = cfg.fastOpen;
+  } // optionalAttrs (cfg.plugin != null) {
+    plugin = cfg.plugin;
+    plugin_opts = cfg.pluginOpts;
+  } // optionalAttrs (cfg.password != null) {
+    password = cfg.password;
+  };
 
   configFile = pkgs.writeText "shadowsocks.json" (builtins.toJSON opts);
 
@@ -74,6 +79,14 @@ in
         '';
       };
 
+      fastOpen = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          use TCP fast-open
+        '';
+      };
+
       encryptionMethod = mkOption {
         type = types.str;
         default = "chacha20-ietf-poly1305";
@@ -82,6 +95,23 @@ in
         '';
       };
 
+      plugin = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = "\${pkgs.shadowsocks-v2ray-plugin}/bin/v2ray-plugin";
+        description = ''
+          SIP003 plugin for shadowsocks
+        '';
+      };
+
+      pluginOpts = mkOption {
+        type = types.str;
+        default = "";
+        example = "server;host=example.com";
+        description = ''
+          Options to pass to the plugin if one was specified
+        '';
+      };
     };
 
   };
@@ -99,7 +129,7 @@ in
       description = "shadowsocks-libev Daemon";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      path = [ pkgs.shadowsocks-libev ] ++ optional (cfg.passwordFile != null) pkgs.jq;
+      path = [ pkgs.shadowsocks-libev cfg.plugin ] ++ optional (cfg.passwordFile != null) pkgs.jq;
       serviceConfig.PrivateTmp = true;
       script = ''
         ${optionalString (cfg.passwordFile != null) ''

nixos/tests/all-tests.nix

@@ -307,6 +307,7 @@ in
   sanoid = handleTest ./sanoid.nix {};
   sddm = handleTest ./sddm.nix {};
   service-runner = handleTest ./service-runner.nix {};
+  shadowsocks = handleTest ./shadowsocks.nix {};
   shattered-pixel-dungeon = handleTest ./shattered-pixel-dungeon.nix {};
   shiori = handleTest ./shiori.nix {};
   signal-desktop = handleTest ./signal-desktop.nix {};

nixos/tests/shadowsocks.nix

@@ -0,0 +1,80 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }: {
+    name = "shadowsocks";
+    meta = {
+      maintainers = with lib.maintainers; [ hmenke ];
+    };
+
+    nodes = {
+      server = {
+        boot.kernel.sysctl."net.ipv4.ip_forward" = "1";
+        networking.useDHCP = false;
+        networking.interfaces.eth1.ipv4.addresses = [
+          { address = "192.168.0.1"; prefixLength = 24; }
+        ];
+        networking.firewall.rejectPackets = true;
+        networking.firewall.allowedTCPPorts = [ 8488 ];
+        networking.firewall.allowedUDPPorts = [ 8488 ];
+        services.shadowsocks = {
+          enable = true;
+          encryptionMethod = "chacha20-ietf-poly1305";
+          password = "pa$$w0rd";
+          localAddress = [ "0.0.0.0" ];
+          port = 8488;
+          fastOpen = false;
+          mode = "tcp_and_udp";
+          plugin = "${pkgs.shadowsocks-v2ray-plugin}/bin/v2ray-plugin";
+          pluginOpts = "server;host=nixos.org";
+        };
+        services.nginx = {
+          enable = true;
+          virtualHosts.server = {
+            locations."/".root = pkgs.writeTextDir "index.html" "It works!";
+          };
+        };
+      };
+
+      client = {
+        networking.useDHCP = false;
+        networking.interfaces.eth1.ipv4.addresses = [
+          { address = "192.168.0.2"; prefixLength = 24; }
+        ];
+        systemd.services.shadowsocks-client = {
+          description = "connect to shadowsocks";
+          after = [ "network.target" ];
+          wantedBy = [ "multi-user.target" ];
+          path = with pkgs; [
+            shadowsocks-libev
+            shadowsocks-v2ray-plugin
+          ];
+          script = ''
+            exec ss-local \
+                -s 192.168.0.1 \
+                -p 8488 \
+                -l 1080 \
+                -k 'pa$$w0rd' \
+                -m chacha20-ietf-poly1305 \
+                -a nobody \
+                --plugin "${pkgs.shadowsocks-v2ray-plugin}/bin/v2ray-plugin" \
+                --plugin-opts "host=nixos.org"
+          '';
+        };
+      };
+    };
+
+    testScript = ''
+      start_all()
+
+      server.wait_for_unit("shadowsocks-libev.service")
+      client.wait_for_unit("shadowsocks-client.service")
+
+      client.fail(
+          "${pkgs.curl}/bin/curl 192.168.0.1:80"
+      )
+
+      msg = client.succeed(
+          "${pkgs.curl}/bin/curl --socks5 localhost:1080 192.168.0.1:80"
+      )
+      assert msg == "It works!", "Could not connect through shadowsocks"
+    '';
+  }
+)