Merge master into staging-next

2022-10-14 06:20:50 +00:00 · 2022-10-14 06:20:50 +00:00 · 283841a1ce
parent 182a2100db 6740eb3eb0
commit 283841a1ce
11 changed files with 102 additions and 38 deletions
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@ -16,7 +16,7 @@
     certain packets anyway, you can insert rules at the start of
     this chain.

-   - ‘nixos-fw-rpfilter’ is used as the main chain in the raw table,
+   - ‘nixos-fw-rpfilter’ is used as the main chain in the mangle table,
     called from the built-in ‘PREROUTING’ chain.  If the kernel
     supports it and `cfg.checkReversePath` is set this chain will
     perform a reverse path filter test.
@ -109,28 +109,28 @@ let
    ip46tables -N nixos-fw

    # Clean up rpfilter rules
-    ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true
-    ip46tables -t raw -F nixos-fw-rpfilter 2> /dev/null || true
-    ip46tables -t raw -X nixos-fw-rpfilter 2> /dev/null || true
+    ip46tables -t mangle -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true
+    ip46tables -t mangle -F nixos-fw-rpfilter 2> /dev/null || true
+    ip46tables -t mangle -X nixos-fw-rpfilter 2> /dev/null || true

    ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) ''
      # Perform a reverse-path test to refuse spoofers
-      # For now, we just drop, as the raw table doesn't have a log-refuse yet
-      ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true
-      ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter --validmark ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN
+      # For now, we just drop, as the mangle table doesn't have a log-refuse yet
+      ip46tables -t mangle -N nixos-fw-rpfilter 2> /dev/null || true
+      ip46tables -t mangle -A nixos-fw-rpfilter -m rpfilter --validmark ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN

      # Allows this host to act as a DHCP4 client without first having to use APIPA
-      iptables -t raw -A nixos-fw-rpfilter -p udp --sport 67 --dport 68 -j RETURN
+      iptables -t mangle -A nixos-fw-rpfilter -p udp --sport 67 --dport 68 -j RETURN

      # Allows this host to act as a DHCPv4 server
-      iptables -t raw -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN
+      iptables -t mangle -A nixos-fw-rpfilter -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j RETURN

      ${optionalString cfg.logReversePathDrops ''
-        ip46tables -t raw -A nixos-fw-rpfilter -j LOG --log-level info --log-prefix "rpfilter drop: "
+        ip46tables -t mangle -A nixos-fw-rpfilter -j LOG --log-level info --log-prefix "rpfilter drop: "
      ''}
-      ip46tables -t raw -A nixos-fw-rpfilter -j DROP
+      ip46tables -t mangle -A nixos-fw-rpfilter -j DROP

-      ip46tables -t raw -A PREROUTING -j nixos-fw-rpfilter
+      ip46tables -t mangle -A PREROUTING -j nixos-fw-rpfilter
    ''}

    # Accept all traffic on the trusted interfaces.
@ -218,7 +218,7 @@ let
    ip46tables -D INPUT -j nixos-fw 2>/dev/null || true

    ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) ''
-      ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2>/dev/null || true
+      ip46tables -t mangle -D PREROUTING -j nixos-fw-rpfilter 2>/dev/null || true
    ''}

    ${cfg.extraStopCommands}
--- a/nixos/modules/services/networking/wg-quick.nix
+++ b/nixos/modules/services/networking/wg-quick.nix
@ -328,9 +328,6 @@ in {
  config = mkIf (cfg.interfaces != {}) {
    boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
    environment.systemPackages = [ pkgs.wireguard-tools ];
-    # This is forced to false for now because the default "--validmark" rpfilter we apply on reverse path filtering
-    # breaks the wg-quick routing because wireguard packets leave with a fwmark from wireguard.
-    networking.firewall.checkReversePath = false;
    systemd.services = mapAttrs' generateUnit cfg.interfaces;

    # Prevent networkd from clearing the rules set by wg-quick when restarted (e.g. when waking up from suspend).
--- a/pkgs/applications/misc/ulauncher/default.nix
+++ b/pkgs/applications/misc/ulauncher/default.nix
@ -31,6 +31,7 @@ python3Packages.buildPythonApplication rec {

  nativeBuildInputs = with python3Packages; [
    distutils_extra
+    gobject-introspection
    intltool
    wrapGAppsHook
    gdk-pixbuf
@ -40,7 +41,6 @@ python3Packages.buildPythonApplication rec {
    gdk-pixbuf
    glib
    gnome.adwaita-icon-theme
-    gobject-introspection
    gtk3
    keybinder3
    libappindicator
--- a/pkgs/applications/networking/cluster/terraform-providers/providers.json
+++ b/pkgs/applications/networking/cluster/terraform-providers/providers.json
@ -120,13 +120,13 @@
    "version": "2.29.0"
  },
  "azurerm": {
-    "hash": "sha256-3dJ/nXpMYEK7sB6VAnkbUfQRoCsiqXhBkU6gCYBpmHY=",
+    "hash": "sha256-MWbw0E5TtqHaoU9nxeMVrUCPlRE73KYxvC6A6tMrjC0=",
    "owner": "hashicorp",
    "provider-source-address": "registry.terraform.io/hashicorp/azurerm",
    "repo": "terraform-provider-azurerm",
-    "rev": "v3.26.0",
+    "rev": "v3.27.0",
    "vendorHash": null,
-    "version": "3.26.0"
+    "version": "3.27.0"
  },
  "azurestack": {
    "hash": "sha256-aSwVa7y1AJ6sExx+bO/93oLBNgSBDJjuPYPY8i3C9T0=",
@ -385,13 +385,13 @@
    "version": "2.2.2"
  },
  "fastly": {
-    "hash": "sha256-CafrOJiDkIrRph8X+EvvBkI1T7j0qUlOnyhrylToJ7s=",
+    "hash": "sha256-WxFkJBi87IvO4a/8bmftMKCc/JcfoQILCtklvr9bcuc=",
    "owner": "fastly",
    "provider-source-address": "registry.terraform.io/fastly/fastly",
    "repo": "terraform-provider-fastly",
-    "rev": "v2.3.3",
+    "rev": "v2.4.0",
    "vendorHash": null,
-    "version": "2.3.3"
+    "version": "2.4.0"
  },
  "flexibleengine": {
    "hash": "sha256-2eXNumT1Hkc33bW635qYr5jxlByX+yZ8zSKRpgKWQJo=",
@ -423,13 +423,13 @@
    "version": "2.2.0"
  },
  "github": {
-    "hash": "sha256-XivwHkibeaoFTeJRtTF8xqt2IwXbzcKtKwAmwCf8Ll4=",
+    "hash": "sha256-dUL01cuP5fQdPPm6+R1XDQNups5BJC2oq8LSjJ1+tB0=",
    "owner": "integrations",
    "provider-source-address": "registry.terraform.io/integrations/github",
    "repo": "terraform-provider-github",
-    "rev": "v5.4.0",
+    "rev": "v5.5.0",
    "vendorHash": null,
-    "version": "5.4.0"
+    "version": "5.5.0"
  },
  "gitlab": {
    "hash": "sha256-eNd1o0UjG6A9OTRmcJfcPLLtWIJmdZ+viDnSZhyHpgY=",
@ -615,13 +615,13 @@
    "version": "0.3.0"
  },
  "keycloak": {
-    "hash": "sha256-5IMSUSaSoe+zqwtcL6aQ7PTtLpNiWxYp/J38Zm+Hniw=",
+    "hash": "sha256-1yV3w3hhZf113XMxvpRvr3ADaRcuCl7BCIa5SIZPcCs=",
    "owner": "mrparkers",
    "provider-source-address": "registry.terraform.io/mrparkers/keycloak",
    "repo": "terraform-provider-keycloak",
-    "rev": "v4.0.0",
+    "rev": "v4.0.1",
    "vendorHash": "sha256-nDvnLEOtXkUJFY22pKogOzkWrj4qjyQbdlJ5pa/xnK8=",
-    "version": "4.0.0"
+    "version": "4.0.1"
  },
  "ksyun": {
    "hash": "sha256-sfvmDByxAQbbdPHb9l5tIT5dyu8eA3r63i5FZJYEYTI=",
--- a/pkgs/applications/networking/flexget/default.nix
+++ b/pkgs/applications/networking/flexget/default.nix
@ -5,14 +5,14 @@

 python3Packages.buildPythonApplication rec {
  pname = "flexget";
-  version = "3.3.33";
+  version = "3.3.34";

  # Fetch from GitHub in order to use `requirements.in`
  src = fetchFromGitHub {
    owner = "flexget";
    repo = "flexget";
    rev = "refs/tags/v${version}";
-    hash = "sha256-dJdRGqHBPbdGrxqhOmQJSZmR+YacQCDKgu03WtrGqVA=";
+    hash = "sha256-eDSfKkVR06rqSQkVWTEL/v5XLXWHagV0h8ClWNFaYak=";
  };

  postPatch = ''
--- a/pkgs/applications/version-management/srvc/default.nix
+++ b/pkgs/applications/version-management/srvc/default.nix
@ -0,0 +1,22 @@
+{ lib, fetchFromGitHub, rustPlatform }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "srvc";
+  version = "0.6.0";
+
+  src = fetchFromGitHub {
+    owner = "insilica";
+    repo = "rs-srvc";
+    rev = "v${version}";
+    sha256 = "sha256-PBs86cvEacvCt/2JnURL4qKvXGXRZHWaGYrPUSsnt0I=";
+  };
+
+  cargoSha256 = "sha256-5CUbfI67gsINdHcxN8KbIN10Mu90rAU53DbmQ5QotWg=";
+
+  meta = with lib; {
+    description = "Sysrev version control";
+    homepage = "https://github.com/insilica/rs-srvc";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ john-shaffer ];
+  };
+}
--- a/pkgs/data/misc/v2ray-geoip/default.nix
+++ b/pkgs/data/misc/v2ray-geoip/default.nix
@ -2,13 +2,13 @@

 stdenv.mkDerivation rec {
  pname = "v2ray-geoip";
-  version = "202210060105";
+  version = "202210130107";

  src = fetchFromGitHub {
    owner = "v2fly";
    repo = "geoip";
-    rev = "0bb2420d643555aa19b21f3c06b517a7c14826b6";
-    sha256 = "sha256-5vr7iO2vny9yalJblBVgNwupEQ9w3LZXM+VKb4xSVD0=";
+    rev = "becf974734e41542c356a0c0ae21a619c476d500";
+    sha256 = "sha256-IF7mcyiZc4CTFWSflxQBH8Z9NloCcsCymOhU85GaoEg=";
  };

  installPhase = ''
--- a/pkgs/development/libraries/boost-ext/boost-sml/default.nix
+++ b/pkgs/development/libraries/boost-ext/boost-sml/default.nix
@ -0,0 +1,41 @@
+{ stdenv
+, lib
+, cmake
+, fetchFromGitHub
+, boost
+}:
+
+stdenv.mkDerivation rec {
+  pname = "boost-sml";
+  # This is first commit since 1.1.6 that passes all tests (test_policies_logging is commented out)
+  version = "1.1.6";
+  working_tests = "24d762d1901f4f6afaa5c5e0d1b7b77537964694";
+
+  src = fetchFromGitHub {
+    owner = "boost-ext";
+    repo = "sml";
+    rev = "${working_tests}";
+    hash = "sha256-ZhIfyYdzrzPTAYevOz5I6tAcUiLRMV8HENKX9jychEY=";
+  };
+
+  buildInputs = [ boost ];
+  nativeBuildInputs = [ cmake ];
+
+  cmakeFlags = [
+    "-DSML_BUILD_BENCHMARKS=OFF"
+    "-DSML_BUILD_EXAMPLES=OFF"
+    "-DSML_BUILD_TESTS=ON"
+    "-DSML_USE_EXCEPTIONS=ON"
+  ];
+
+  doCheck = true;
+
+  meta = with lib; {
+    description = "Header only state machine library with no dependencies";
+    homepage = "https://github.com/boost-ext/sml";
+    license = licenses.boost;
+    maintainers = with maintainers; [ prtzl ];
+    platforms = platforms.all;
+  };
+}
+
--- a/pkgs/development/python-modules/azure-mgmt-network/default.nix
+++ b/pkgs/development/python-modules/azure-mgmt-network/default.nix
@ -9,7 +9,7 @@
 }:

 buildPythonPackage rec {
-  version = "21.0.1";
+  version = "22.0.0";
  pname = "azure-mgmt-network";
  format = "setuptools";

@ -18,7 +18,7 @@ buildPythonPackage rec {
  src = fetchPypi {
    inherit pname version;
    extension = "zip";
-    hash = "sha256-7PduPg0JK4f/3q/b5pq58TjqVk+Iu+vxa+aJKDnScy8=";
+    hash = "sha256-qXWmZuiYA6BwFP/uydPi8mV68WlXrJlwP9eiTk+q1Ak=";
  };

  propagatedBuildInputs = [
--- a/pkgs/development/python-modules/pyro5/default.nix
+++ b/pkgs/development/python-modules/pyro5/default.nix
@ -9,13 +9,13 @@

 buildPythonPackage rec {
  pname = "Pyro5";
-  version = "5.13.1";
+  version = "5.14";

  disabled = pythonOlder "3.6";

  src = fetchPypi {
    inherit pname version;
-    sha256 = "2be9da379ae0ec4cf69ffb3c5c589b698eea00e614a9af7945b87fa9bb09baf2";
+    sha256 = "sha256-ZP3OE3sP5TLohhTSRrfJi74KT0JnhsUkU5rNxeaUCGo=";
  };

  propagatedBuildInputs = [ serpent ];
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -4772,6 +4772,8 @@ with pkgs;

  spacevim = callPackage ../applications/editors/spacevim { };

+  srvc = callPackage ../applications/version-management/srvc { };
+
  ssmsh = callPackage ../tools/admin/ssmsh { };

  stacs = callPackage ../tools/security/stacs { };
@ -11300,6 +11302,8 @@ with pkgs;
    inherit (darwin.apple_sdk.frameworks) Cocoa;
  };

+  boost-sml = callPackage ../development/libraries/boost-ext/boost-sml {};
+
  smu = callPackage ../tools/text/smu { };

  smug = callPackage ../tools/misc/smug { };