diff --git a/doc/languages-frameworks/python.section.md b/doc/languages-frameworks/python.section.md
index fe28f94c069d..9cb9d2ba7bfd 100644
--- a/doc/languages-frameworks/python.section.md
+++ b/doc/languages-frameworks/python.section.md
@@ -982,12 +982,13 @@ in python.withPackages(ps: [ps.blaze])).env
#### Optional extra dependencies
Some packages define optional dependencies for additional features. With
-`setuptools` this is called `extras_require` and `flit` calls it `extras-require`. A
+`setuptools` this is called `extras_require` and `flit` calls it
+`extras-require`, while PEP 621 calls these `optional-dependencies`. A
method for supporting this is by declaring the extras of a package in its
`passthru`, e.g. in case of the package `dask`
```nix
-passthru.extras-require = {
+passthru.optional-dependencies = {
complete = [ distributed ];
};
```
@@ -997,7 +998,7 @@ and letting the package requiring the extra add the list to its dependencies
```nix
propagatedBuildInputs = [
...
-] ++ dask.extras-require.complete;
+] ++ dask.optional-dependencies.complete;
```
Note this method is preferred over adding parameters to builders, as that can
diff --git a/lib/systems/doubles.nix b/lib/systems/doubles.nix
index 3cdebbc07c1f..90a6eb9f35c9 100644
--- a/lib/systems/doubles.nix
+++ b/lib/systems/doubles.nix
@@ -41,7 +41,7 @@ let
# none
"aarch64_be-none" "aarch64-none" "arm-none" "armv6l-none" "avr-none" "i686-none"
"msp430-none" "or1k-none" "m68k-none" "powerpc-none" "powerpcle-none"
- "riscv32-none" "riscv64-none" "s390-none" "s390x-none" "vc4-none"
+ "riscv32-none" "riscv64-none" "rx-none" "s390-none" "s390x-none" "vc4-none"
"x86_64-none"
# OpenBSD
@@ -76,6 +76,7 @@ in {
riscv = filterDoubles predicates.isRiscV;
riscv32 = filterDoubles predicates.isRiscV32;
riscv64 = filterDoubles predicates.isRiscV64;
+ rx = filterDoubles predicates.isRx;
vc4 = filterDoubles predicates.isVc4;
or1k = filterDoubles predicates.isOr1k;
m68k = filterDoubles predicates.isM68k;
diff --git a/lib/systems/examples.nix b/lib/systems/examples.nix
index 997a7a8c273a..170db6fb9fa0 100644
--- a/lib/systems/examples.nix
+++ b/lib/systems/examples.nix
@@ -145,6 +145,11 @@ rec {
libc = "newlib";
};
+ rx-embedded = {
+ config = "rx-none-elf";
+ libc = "newlib";
+ };
+
msp430 = {
config = "msp430-elf";
libc = "newlib";
diff --git a/lib/systems/inspect.nix b/lib/systems/inspect.nix
index 27c25deafec3..00cbe4f012cb 100644
--- a/lib/systems/inspect.nix
+++ b/lib/systems/inspect.nix
@@ -26,6 +26,7 @@ rec {
isRiscV = { cpu = { family = "riscv"; }; };
isRiscV32 = { cpu = { family = "riscv"; bits = 32; }; };
isRiscV64 = { cpu = { family = "riscv"; bits = 64; }; };
+ isRx = { cpu = { family = "rx"; }; };
isSparc = { cpu = { family = "sparc"; }; };
isWasm = { cpu = { family = "wasm"; }; };
isMsp430 = { cpu = { family = "msp430"; }; };
diff --git a/lib/systems/parse.nix b/lib/systems/parse.nix
index 3ceddbb599b9..bf436ec8db57 100644
--- a/lib/systems/parse.nix
+++ b/lib/systems/parse.nix
@@ -116,6 +116,7 @@ rec {
alpha = { bits = 64; significantByte = littleEndian; family = "alpha"; };
+ rx = { bits = 32; significantByte = littleEndian; family = "rx"; };
msp430 = { bits = 16; significantByte = littleEndian; family = "msp430"; };
avr = { bits = 8; family = "avr"; };
diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl
index 26ce561013b6..5a21cb45d52b 100644
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@@ -223,10 +223,10 @@ foreach my $u (@{$spec->{users}}) {
}
# Ensure home directory incl. ownership and permissions.
- if ($u->{createHome}) {
- make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home} and ! $is_dry;
+ if ($u->{createHome} and !$is_dry) {
+ make_path($u->{home}, { mode => oct($u->{homeMode}) }) if ! -e $u->{home};
chown $u->{uid}, $u->{gid}, $u->{home};
- chmod 0700, $u->{home};
+ chmod oct($u->{homeMode}), $u->{home};
}
if (defined $u->{passwordFile}) {
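Review bot: `oct($u->{homeMode})` on the new make_path and chmod lines has no fallback, so a spec entry without `homeMode` (e.g. one produced before the option existed) evaluates `oct(undef)`, which is 0 with an uninitialized-value warning, and the home directory is chmod'ed to 0000 — the user is locked out of it. Keep the previous default in the script too and evaluate it once: `my $home_mode = oct($u->{homeMode} // "700");`, `make_path($u->{home}, { mode => $home_mode }) if ! -e $u->{home};`, `chmod $home_mode, $u->{home};`. Since the mode is now a user-supplied value re-applied on every activation, the comment above the block could say `# Ensure home directory incl. ownership and permissions (mode from homeMode, re-applied on each activation).` The enclosing foreach body starts and ends outside the hunk.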
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index b0f96c754fa5..d3bdf218c339 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -48,7 +48,7 @@ let
services such as SSH, or indirectly via su or
sudo). This should only be used for e.g. bootable
live systems. Note: this is different from setting an empty password,
- which ca be achieved using .
+ which can be achieved using .
If set to null (default) this user will not
be able to log in using a password (i.e. via login
@@ -139,6 +139,12 @@ let
description = "The user's home directory.";
};
+ homeMode = mkOption {
+ type = types.strMatching "[0-7]{1,5}";
+ default = "700";
+ description = "The user's home directory mode in numeric format. See chmod(1). The mode is only applied if is true.";
+ };
+
cryptHomeLuks = mkOption {
type = with types; nullOr str;
default = null;
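Review bot: The `homeMode` description leaves out two things a reader would want: the pattern `[0-7]{1,5}` also admits the setuid/setgid/sticky digit (e.g. `2700`) and one- or two-digit values such as `7`, and the value is parsed as an octal string (the activation script passes it through `oct`), not as a decimal. Suggest extending the description along the lines of `The value is an octal string as accepted by chmod(1), e.g. "750"; it is re-applied to the home directory on every activation, so manual changes are reverted.` If special bits and short forms are not intended, tightening the type to `types.strMatching "[0-7]{3,4}"` would reject them at evaluation time instead of silently applying them.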
@@ -319,6 +325,7 @@ let
group = mkDefault "users";
createHome = mkDefault true;
home = mkDefault "/home/${config.name}";
+ homeMode = mkDefault "700";
useDefaultShell = mkDefault true;
isSystemUser = mkDefault false;
})
@@ -430,7 +437,7 @@ let
inherit (cfg) mutableUsers;
users = mapAttrsToList (_: u:
{ inherit (u)
- name uid group description home createHome isSystemUser
+ name uid group description home homeMode createHome isSystemUser
password passwordFile hashedPassword
autoSubUidGidRange subUidRanges subGidRanges
initialPassword initialHashedPassword;
diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix
index b41a2fd27be2..256d9457d396 100644
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -199,6 +199,7 @@ let
allow_anonymous = 1;
allow_zero_length_clientid = 1;
auto_id_prefix = 1;
+ bind_interface = 1;
cafile = 1;
capath = 1;
certfile = 1;
@@ -295,7 +296,7 @@ let
};
listenerAsserts = prefix: listener:
- assertKeysValid prefix freeformListenerKeys listener.settings
+ assertKeysValid "${prefix}.settings" freeformListenerKeys listener.settings
++ userAsserts prefix listener.users
++ imap0
(i: v: authAsserts "${prefix}.authPlugins.${toString i}" v)
@@ -397,7 +398,7 @@ let
};
bridgeAsserts = prefix: bridge:
- assertKeysValid prefix freeformBridgeKeys bridge.settings
+ assertKeysValid "${prefix}.settings" freeformBridgeKeys bridge.settings
++ [ {
assertion = length bridge.addresses > 0;
message = "Bridge ${prefix} needs remote broker addresses";
@@ -526,7 +527,7 @@ let
globalAsserts = prefix: cfg:
flatten [
- (assertKeysValid prefix freeformGlobalKeys cfg.settings)
+ (assertKeysValid "${prefix}.settings" freeformGlobalKeys cfg.settings)
(imap0 (n: l: listenerAsserts "${prefix}.listener.${toString n}" l) cfg.listeners)
(mapAttrsToList (n: b: bridgeAsserts "${prefix}.bridge.${n}" b) cfg.bridges)
];
@@ -629,9 +630,10 @@ in
]));
RemoveIPC = true;
RestrictAddressFamilies = [
- "AF_UNIX" # for sd_notify() call
+ "AF_UNIX"
"AF_INET"
"AF_INET6"
+ "AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
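Review bot: `AF_NETLINK` is added to `RestrictAddressFamilies` unconditionally, which widens the sandbox for every deployment even though it is presumably only needed when a listener uses the newly allowed `bind_interface` key (the hunk adding `bind_interface = 1;`) and the broker has to enumerate interface addresses. Consider guarding it, e.g. `++ lib.optional (lib.any (l: l.settings ? bind_interface) cfg.listeners) "AF_NETLINK"` if `cfg` is in scope here, and in any case keep a why-comment such as `"AF_NETLINK" # interface address lookup for bind_interface`. The removed `# for sd_notify() call` comment on `AF_UNIX` also took its rationale with it; restoring it keeps the list self-explaining. The enclosing serviceConfig attribute set starts and ends outside the hunk.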
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 2c9ee9fc319f..679c5210a6b3 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -35,11 +35,11 @@ let
"nss-lookup.target"
"nss-user-lookup.target"
"time-sync.target"
- ] ++ (optionals cfg.package.withCryptsetup [
+ ] ++ optionals cfg.package.withCryptsetup [
"cryptsetup.target"
"cryptsetup-pre.target"
"remote-cryptsetup.target"
- ]) ++ [
+ ] ++ [
"sigpwr.target"
"timers.target"
"paths.target"
@@ -133,20 +133,27 @@ let
# Slices / containers.
"slices.target"
+ ] ++ optionals cfg.package.withImportd [
+ "systemd-importd.service"
+ ] ++ optionals cfg.package.withMachined [
"machine.slice"
"machines.target"
- "systemd-importd.service"
"systemd-machined.service"
+ ] ++ [
"systemd-nspawn@.service"
# Misc.
"systemd-sysctl.service"
+ ] ++ optionals cfg.package.withTimedated [
"dbus-org.freedesktop.timedate1.service"
- "dbus-org.freedesktop.locale1.service"
- "dbus-org.freedesktop.hostname1.service"
"systemd-timedated.service"
+ ] ++ optionals cfg.package.withLocaled [
+ "dbus-org.freedesktop.locale1.service"
"systemd-localed.service"
+ ] ++ optionals cfg.package.withHostnamed [
+ "dbus-org.freedesktop.hostname1.service"
"systemd-hostnamed.service"
+ ] ++ [
"systemd-exit.service"
"systemd-update-done.service"
] ++ cfg.additionalUpstreamSystemUnits;
diff --git a/nixos/modules/system/boot/systemd/logind.nix b/nixos/modules/system/boot/systemd/logind.nix
index c1e6cfe61d04..97ac588bce17 100644
--- a/nixos/modules/system/boot/systemd/logind.nix
+++ b/nixos/modules/system/boot/systemd/logind.nix
@@ -81,8 +81,11 @@ in
"systemd-logind.service"
"autovt@.service"
"systemd-user-sessions.service"
+ ] ++ optionals config.systemd.package.withImportd [
"dbus-org.freedesktop.import1.service"
+ ] ++ optionals config.systemd.package.withMachined [
"dbus-org.freedesktop.machine1.service"
+ ] ++ [
"dbus-org.freedesktop.login1.service"
"user@.service"
"user-runtime-dir@.service"
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 84433806b48c..f4b6ee73562e 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -365,6 +365,7 @@ in
nginx = handleTest ./nginx.nix {};
nginx-auth = handleTest ./nginx-auth.nix {};
nginx-etag = handleTest ./nginx-etag.nix {};
+ nginx-http3 = handleTest ./nginx-http3.nix {};
nginx-modsecurity = handleTest ./nginx-modsecurity.nix {};
nginx-pubhtml = handleTest ./nginx-pubhtml.nix {};
nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
@@ -579,6 +580,7 @@ in
uptermd = handleTest ./uptermd.nix {};
usbguard = handleTest ./usbguard.nix {};
user-activation-scripts = handleTest ./user-activation-scripts.nix {};
+ user-home-mode = handleTest ./user-home-mode.nix {};
uwsgi = handleTest ./uwsgi.nix {};
v2ray = handleTest ./v2ray.nix {};
vault = handleTest ./vault.nix {};
diff --git a/nixos/tests/mosquitto.nix b/nixos/tests/mosquitto.nix
index 36cc8e3e3d9b..d516d3373d9f 100644
--- a/nixos/tests/mosquitto.nix
+++ b/nixos/tests/mosquitto.nix
@@ -4,6 +4,7 @@ let
port = 1888;
tlsPort = 1889;
anonPort = 1890;
+ bindTestPort = 1891;
password = "VERY_secret";
hashedPassword = "$7$101$/WJc4Mp+I+uYE9sR$o7z9rD1EYXHPwEP5GqQj6A7k4W1yVbePlb8TqNcuOLV9WNCiDgwHOB0JHC1WCtdkssqTBduBNUnUGd6kmZvDSw==";
topic = "test/foo";
@@ -125,6 +126,10 @@ in {
};
};
}
+ {
+ settings.bind_interface = "eth0";
+ port = bindTestPort;
+ }
];
};
};
@@ -134,6 +139,8 @@ in {
};
testScript = ''
+ import json
+
def mosquitto_cmd(binary, user, topic, port):
return (
"mosquitto_{} "
@@ -162,6 +169,27 @@ in {
start_all()
server.wait_for_unit("mosquitto.service")
+ with subtest("bind_interface"):
+ addrs = dict()
+ for iface in json.loads(server.succeed("ip -json address show")):
+ for addr in iface['addr_info']:
+ # don't want to deal with multihoming here
+ assert addr['local'] not in addrs
+ addrs[addr['local']] = (iface['ifname'], addr['family'])
+
+ # mosquitto grabs *one* random address per type for bind_interface
+ (has4, has6) = (False, False)
+ for line in server.succeed("ss -HlptnO sport = ${toString bindTestPort}").splitlines():
+ items = line.split()
+ if "mosquitto" not in items[5]: continue
+ listener = items[3].rsplit(':', maxsplit=1)[0].strip('[]')
+ assert listener in addrs
+ assert addrs[listener][0] == "eth0"
+ has4 |= addrs[listener][1] == 'inet'
+ has6 |= addrs[listener][1] == 'inet6'
+ assert has4
+ assert has6
+
with subtest("check passwords"):
client1.succeed(publish("-m test", "password_store"))
client1.succeed(publish("-m test", "password_file"))
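Review bot: `items[5]` on the `if "mosquitto" not in items[5]: continue` line raises IndexError instead of skipping when an `ss` row has fewer than six columns (e.g. a listener whose process column is empty), so the subtest would fail on output shape rather than on the property under test; change it to `if len(items) < 6 or "mosquitto" not in items[5]: continue`. The `assert addr['local'] not in addrs` likewise turns any duplicate address into a hard failure, which the comment hints at; stating that explicitly, e.g. `# fail loudly on duplicate addresses rather than guess which interface owns them`, makes the intent clear. The testScript string continues outside the hunk.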
diff --git a/nixos/tests/nginx-http3.nix b/nixos/tests/nginx-http3.nix
new file mode 100644
index 000000000000..edd0759464c8
--- /dev/null
+++ b/nixos/tests/nginx-http3.nix
@@ -0,0 +1,90 @@
+import ./make-test-python.nix ({lib, pkgs, ...}:
+let
+ hosts = ''
+ 192.168.2.101 acme.test
+ '';
+
+in
+{
+ name = "nginx-http3";
+ meta.maintainers = with pkgs.lib.maintainers; [ izorkin ];
+
+ nodes = {
+ server = { pkgs, ... }: {
+ networking = {
+ interfaces.eth1 = {
+ ipv4.addresses = [
+ { address = "192.168.2.101"; prefixLength = 24; }
+ ];
+ };
+ extraHosts = hosts;
+ firewall.allowedTCPPorts = [ 443 ];
+ firewall.allowedUDPPorts = [ 443 ];
+ };
+
+ security.pki.certificates = [
+ (builtins.readFile ./common/acme/server/ca.cert.pem)
+ ];
+
+ services.nginx = {
+ enable = true;
+ package = pkgs.nginxQuic;
+
+ virtualHosts."acme.test" = {
+ onlySSL = true;
+ sslCertificate = ./common/acme/server/acme.test.cert.pem;
+ sslCertificateKey = ./common/acme/server/acme.test.key.pem;
+ http2 = true;
+ http3 = true;
+ reuseport = true;
+ root = lib.mkForce (pkgs.runCommandLocal "testdir2" {} ''
+ mkdir "$out"
+ cat > "$out/index.html" <Hello World!