alioth/nixpkgs
3
0
Fork 0
forked from mirrors/nixpkgs
Code Releases Activity

Merge staging-next into staging

Browse source
This commit is contained in:
github-actions[bot] 2023-05-27 06:01:44 +00:00 committed by GitHub
parent 997323e4a2 a269ac5872
commit 824f05f73f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
33 changed files with 468 additions and 99 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
nixos/doc/manual/release-notes/rl-2311.section.md
View file

@ -17,3 +17,5 @@
## Other Notable Changes {#sec-release-23.11-notable-changes}
- A new option was added to the virtualisation module that enables specifying explicitly named network interfaces in QEMU VMs. The existing `virtualisation.vlans` is still supported for cases where the name of the network interface is irrelevant.
- `services.nginx` gained a `defaultListen` option at server-level with support for PROXY protocol listeners, also `proxyProtocol` is now exposed in `services.nginx.virtualHosts.<name>.listen` option. It is now possible to run PROXY listeners and non-PROXY listeners at a server-level, see [#213510](https://github.com/NixOS/nixpkgs/pull/213510/) for more details.

3
nixos/modules/services/matrix/mautrix-facebook.nix
View file

@ -29,6 +29,7 @@ in {
};
appservice = rec {
id = "facebook";
address = "http://${hostname}:${toString port}";
hostname = "localhost";
port = 29319;
@ -171,7 +172,7 @@ in {
services.mautrix-facebook = {
registrationData = {
id = "mautrix-facebook";
id = cfg.settings.appservice.id;
namespaces = {
users = [

100
nixos/modules/services/web-servers/nginx/default.nix
View file

@ -309,36 +309,54 @@ let
onlySSL = vhost.onlySSL || vhost.enableSSL;
hasSSL = onlySSL || vhost.addSSL || vhost.forceSSL;
# First evaluation of defaultListen based on a set of listen lines.
mkDefaultListenVhost = listenLines:
# If this vhost has SSL or is a SSL rejection host.
# We enable a TLS variant for lines without explicit ssl or ssl = true.
optionals (hasSSL || vhost.rejectSSL)
(map (listen: { port = cfg.defaultSSLListenPort; ssl = true; } // listen)
(filter (listen: !(listen ? ssl) || listen.ssl) listenLines))
# If this vhost is supposed to serve HTTP
# We provide listen lines for those without explicit ssl or ssl = false.
++ optionals (!onlySSL)
(map (listen: { port = cfg.defaultHTTPListenPort; ssl = false; } // listen)
(filter (listen: !(listen ? ssl) || !listen.ssl) listenLines));
defaultListen =
if vhost.listen != [] then vhost.listen
else
if cfg.defaultListen != [] then mkDefaultListenVhost
# Cleanup nulls which will mess up with //.
# TODO: is there a better way to achieve this? i.e. mergeButIgnoreNullPlease?
(map (listenLine: filterAttrs (_: v: (v != null)) listenLine) cfg.defaultListen)
else
let addrs = if vhost.listenAddresses != [] then vhost.listenAddresses else cfg.defaultListenAddresses;
in optionals (hasSSL || vhost.rejectSSL) (map (addr: { inherit addr; port = cfg.defaultSSLListenPort; ssl = true; }) addrs)
++ optionals (!onlySSL) (map (addr: { inherit addr; port = cfg.defaultHTTPListenPort; ssl = false; }) addrs);
in mkDefaultListenVhost (map (addr: { inherit addr; }) addrs);
hostListen =
if vhost.forceSSL
then filter (x: x.ssl) defaultListen
else defaultListen;
listenString = { addr, port, ssl, extraParameters ? [], ... }:
listenString = { addr, port, ssl, proxyProtocol ? false, extraParameters ? [], ... }:
# UDP listener for QUIC transport protocol.
(optionalString (ssl && vhost.quic) ("
listen ${addr}:${toString port} quic "
+ optionalString vhost.default "default_server "
+ optionalString vhost.reuseport "reuseport "
+ optionalString (extraParameters != []) (concatStringsSep " " (
let inCompatibleParameters = [ "ssl" "proxy_protocol" "http2" ];
+ optionalString (extraParameters != []) (concatStringsSep " "
(let inCompatibleParameters = [ "ssl" "proxy_protocol" "http2" ];
isCompatibleParameter = param: !(any (p: p == param) inCompatibleParameters);
in filter isCompatibleParameter extraParameters))
+ ";"))
+ "
listen ${addr}:${toString port} "
+ optionalString (ssl && vhost.http2) "http2 "
+ optionalString ssl "ssl "
+ optionalString vhost.default "default_server "
+ optionalString vhost.reuseport "reuseport "
+ optionalString proxyProtocol "proxy_protocol "
+ optionalString (extraParameters != []) (concatStringsSep " " extraParameters)
+ ";";
@ -539,6 +557,49 @@ in
'';
};
defaultListen = mkOption {
type = with types; listOf (submodule {
options = {
addr = mkOption {
type = str;
description = lib.mdDoc "IP address.";
};
port = mkOption {
type = nullOr port;
description = lib.mdDoc "Port number.";
default = null;
};
ssl = mkOption {
type = nullOr bool;
default = null;
description = lib.mdDoc "Enable SSL.";
};
proxyProtocol = mkOption {
type = bool;
description = lib.mdDoc "Enable PROXY protocol.";
default = false;
};
extraParameters = mkOption {
type = listOf str;
description = lib.mdDoc "Extra parameters of this listen directive.";
default = [ ];
example = [ "backlog=1024" "deferred" ];
};
};
});
default = [];
example = literalExpression ''[
{ addr = "10.0.0.12"; proxyProtocol = true; ssl = true; }
{ addr = "0.0.0.0"; }
{ addr = "[::0]"; }
]'';
description = lib.mdDoc ''
If vhosts do not specify listen, use these addresses by default.
This option takes precedence over {option}`defaultListenAddresses` and
other listen-related defaults options.
'';
};
defaultListenAddresses = mkOption {
type = types.listOf types.str;
default = [ "0.0.0.0" ] ++ optional enableIPv6 "[::0]";
@ -546,6 +607,7 @@ in
example = literalExpression ''[ "10.0.0.12" "[2002:a00:1::]" ]'';
description = lib.mdDoc ''
If vhosts do not specify listenAddresses, use these addresses by default.
This is akin to writing `defaultListen = [ { addr = "0.0.0.0" } ]`.
'';
};
@ -1078,6 +1140,32 @@ in
which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`.
'';
}
{
# The idea is to understand whether there is a virtual host with a listen configuration
# that requires ACME configuration but has no HTTP listener which will make deterministically fail
# this operation.
# Options' priorities are the following at the moment:
# listen (vhost) > defaultListen (server) > listenAddresses (vhost) > defaultListenAddresses (server)
assertion =
let
hasAtLeastHttpListener = listenOptions: any (listenLine: if listenLine ? proxyProtocol then !listenLine.proxyProtocol else true) listenOptions;
hasAtLeastDefaultHttpListener = if cfg.defaultListen != [] then hasAtLeastHttpListener cfg.defaultListen else (cfg.defaultListenAddresses != []);
in
all (host:
let
hasAtLeastVhostHttpListener = if host.listen != [] then hasAtLeastHttpListener host.listen else (host.listenAddresses != []);
vhostAuthority = host.listen != [] || (cfg.defaultListen == [] && host.listenAddresses != []);
in
# Either vhost has precedence and we need a vhost specific http listener
# Either vhost set nothing and inherit from server settings
host.enableACME -> ((vhostAuthority && hasAtLeastVhostHttpListener) || (!vhostAuthority && hasAtLeastDefaultHttpListener))
) (attrValues virtualHosts);
message = ''
services.nginx.virtualHosts.<name>.enableACME requires a HTTP listener
to answer to ACME requests.
'';
}
] ++ map (name: mkCertOwnershipAssertion {
inherit (cfg) group user;
cert = config.security.acme.certs.${name};

37
nixos/modules/services/web-servers/nginx/vhost-options.nix
View file

@ -27,12 +27,35 @@ with lib;
};
listen = mkOption {
type = with types; listOf (submodule { options = {
addr = mkOption { type = str; description = lib.mdDoc "IP address."; };
port = mkOption { type = port; description = lib.mdDoc "Port number."; default = 80; };
ssl = mkOption { type = bool; description = lib.mdDoc "Enable SSL."; default = false; };
extraParameters = mkOption { type = listOf str; description = lib.mdDoc "Extra parameters of this listen directive."; default = []; example = [ "backlog=1024" "deferred" ]; };
}; });
type = with types; listOf (submodule {
options = {
addr = mkOption {
type = str;
description = lib.mdDoc "IP address.";
};
port = mkOption {
type = port;
description = lib.mdDoc "Port number.";
default = 80;
};
ssl = mkOption {
type = bool;
description = lib.mdDoc "Enable SSL.";
default = false;
};
proxyProtocol = mkOption {
type = bool;
description = lib.mdDoc "Enable PROXY protocol.";
default = false;
};
extraParameters = mkOption {
type = listOf str;
description = lib.mdDoc "Extra parameters of this listen directive.";
default = [ ];
example = [ "backlog=1024" "deferred" ];
};
};
});
default = [];
example = [
{ addr = "195.154.1.1"; port = 443; ssl = true; }
@ -45,7 +68,7 @@ with lib;
and `onlySSL`.
If you only want to set the addresses manually and not
the ports, take a look at `listenAddresses`
the ports, take a look at `listenAddresses`.
'';
};

1
nixos/tests/all-tests.nix
View file

@ -521,6 +521,7 @@ in {
nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
nginx-sso = handleTest ./nginx-sso.nix {};
nginx-variants = handleTest ./nginx-variants.nix {};
nginx-proxyprotocol = handleTest ./nginx-proxyprotocol {};
nifi = handleTestOn ["x86_64-linux"] ./web-apps/nifi.nix {};
nitter = handleTest ./nitter.nix {};
nix-ld = handleTest ./nix-ld.nix {};

20
nixos/tests/nginx-proxyprotocol/_.test.nix.cert.pem Normal file
View file

@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDLjCCAhagAwIBAgIIP2+4GFxOYMgwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
AxMVbWluaWNhIHJvb3QgY2EgNGU3NTJiMB4XDTIzMDEzMDAzNDExOFoXDTQzMDEz
MDAzNDExOFowFTETMBEGA1UEAwwKKi50ZXN0Lm5peDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMarJSCzelnzTMT5GMoIKA/MXBNk5j277uI2Gq2MCky/
DlBpx+tjSsKsz6QLBduKMF8OH5AgjrVAKQAtsVPDseY0Qcyx/5dgJjkdO4on+DFb
V0SJ3ZhYPKACrqQ1SaoG+Xup37puw7sVR13J7oNvP6fAYRcjYqCiFC7VMjJNG4dR
251jvWWidSc7v5CYw2AxrngtBgHeQuyG9QCJ1DRH8h6ioV7IeonwReN7noYtTWh8
NDjGnw9HH2nYMcL91E+DWCxWVmbC9/orvYOT7u0Orho0t1w9BB0/zzcdojwQpMCv
HahEmFQmdGbWTuI4caBeaDBJVsSwKlTcxLSS4MAZ0c8CAwEAAaN3MHUwDgYDVR0P
AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB
Af8EAjAAMB8GA1UdIwQYMBaAFGyXySYI3gL88d7GHnGMU6wpiBf2MBUGA1UdEQQO
MAyCCioudGVzdC5uaXgwDQYJKoZIhvcNAQELBQADggEBAJ/DpwiLVBgWyozsn++f
kR4m0dUjnuCgpHo2EMoMZh+9og+OC0vq6WITXHaJytB3aBMxFOUTim3vwxPyWPXX
/vy+q6jJ6QMLx1J3VIWZdmXsT+qLGbVzL/4gNoaRsLPGO06p3yVjhas+OBFx1Fee
6kTHb82S/dzBojOJLRRo18CU9yw0FUXOPqN7HF7k2y+Twe6+iwCuCKGSFcvmRjxe
bWy11C921bTienW0Rmq6ppFWDaUNYP8kKpMN2ViAvc0tyF6wwk5lyOiqCR+pQHJR
H/J4qSeKDchYLKECuzd6SySz8FW/xPKogQ28zba+DBD86hpqiEJOBzxbrcN3cjUn
7N4=
-----END CERTIFICATE-----

27
nixos/tests/nginx-proxyprotocol/_.test.nix.key.pem Normal file
View file

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxqslILN6WfNMxPkYyggoD8xcE2TmPbvu4jYarYwKTL8OUGnH
62NKwqzPpAsF24owXw4fkCCOtUApAC2xU8Ox5jRBzLH/l2AmOR07iif4MVtXRInd
mFg8oAKupDVJqgb5e6nfum7DuxVHXcnug28/p8BhFyNioKIULtUyMk0bh1HbnWO9
ZaJ1Jzu/kJjDYDGueC0GAd5C7Ib1AInUNEfyHqKhXsh6ifBF43uehi1NaHw0OMaf
D0cfadgxwv3UT4NYLFZWZsL3+iu9g5Pu7Q6uGjS3XD0EHT/PNx2iPBCkwK8dqESY
VCZ0ZtZO4jhxoF5oMElWxLAqVNzEtJLgwBnRzwIDAQABAoIBAFuNGOH184cqKJGI
3RSVJ6kIGtJRKA0A4vfZyPd61nBBhx4lcRyXOCd4LYPCFKP0DZBwWLk5V6pM89gC
NnqMbxnPsRbcXBVtGJAvWXW0L5rHJfMOuVBwMRfnxIUljVnONv/264PlcUtwZd/h
o4lsJeBvNg7MnrG5nyVp1+T4RZxYm1P86HLp5zyT+fdj4Cr82b9j6QpxGXEfm1jV
QA1xr1ZkrV8fgETyaE0TBIKcdt6xNfv1mpI1RE5gaP/YzcCs/mL+G0kMar4l7pO/
6OHXTvHz+W3G6Xlha7Wq1ADoqYz2K7VoL/OgSQhIxRNujyWR6lir7eladVrKkCzu
uzFi/HECgYEA0vSNCIK3useSypMPHhYUVNbZ4hbK0WgqSAxfJQtL3nC7KviVMAXj
IKVR90xuzJB+ih88KCJpH84JH90paMpW0Gq1yEae90bnWa8Nj7ULLS/Zuj0WrelU
+DEGbx47IUPOtiLBxooxFKyIVhX3hWRwZ0pokSQzbgb5zYnlM6tqZ3cCgYEA8Rb2
wtt0XmqEQedFacs4fobJoVWMcETjpuxYp0m5Kje/4QkptZIbspXGBgNtPBBRGg51
AYSu8wYkGEueI77KiFDgY8AAkpOk2MrMVPszjOhUiO1oEfbT6ynOY5RDOuXcY6jo
8RpSk46VkfVxt6LVmappqcVFtVWcAjdGfXeSLmkCgYAWP7SgMSkvidzxgJEXmzyJ
th9EuSKq81GCR8vBHG/kBf+3iIAzkGtkBgufCXCmIpc1+hVeJkLwF8rekXTMmIqP
cLG7bbdWXSQJUW0cuvtyyJkuC0NZFELh6knDbmzOFVi33PKS/gAvLgMzER4J843n
VvGwXSEPeazfAKwrxuhyAQKBgQCOm5TPYlyNVNhy20h18d2zCivOoPn3luhKXtd5
7OP4kw2PIYpoesqjcnC2MeS1eLlgfli70y5hVqqXLHOYlUzcIWr51iMAkREbo6oG
QqkVmoAWlsfOiICGRC5vPM4f0sPwt4NCyt05p0fWFKd1hn5u7Ryfba90OfWUYfny
UX5IsQKBgQCswer4Qc3UepkiYxGwSTxgIh4kYlmamU2I00Kar4uFAr9JsCbk98f0
kaCUNZjrrvTwgRmdhwcpMDiMW/F4QkNk0I2unHcoAvzNop6c22VhHJU2XJhrQ57h
n1iPiw0NLXiA4RQwMUMjtt3nqlpLOTXGtsF8TmpWPcAN2QcTxOutzw==
-----END RSA PRIVATE KEY-----

20
nixos/tests/nginx-proxyprotocol/ca.cert.pem Normal file
View file

@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDSzCCAjOgAwIBAgIITnUr3xFw4oEwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
AxMVbWluaWNhIHJvb3QgY2EgNGU3NTJiMCAXDTIzMDEzMDAzNDExOFoYDzIxMjMw
MTMwMDM0MTE4WjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSA0ZTc1MmIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1SrJT9k3zXIXApEyL5UDlw7F6
MMOqE5d+8ZwMccHbEKLu0ssNRY+j31tnNYQ/r5iCNeNgUZccKBgzdU0ysyw5n4tw
0y+MTD9fCfUXYcc8pJRPRolo6zxYO9W7WJr0nfJZ+p7zFRAjRCmzXdnZjKz0EGcg
x9mHwn//3SuLt1ItK1n3aZ6im9NlcVtunDe3lCSL0tRgy7wDGNvWDZMO49jk4AFU
BlMqScuiNpUzYgCxNaaGMuH3M0f0YyRAxSs6FWewLtqTIaVql7HL+3PcGAhvlKEZ
fvfaf80F9aWI88sbEddTA0s5837zEoDwGpZl3K5sPU/O3MVEHIhAY5ICG0IBAgMB
AAGjgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBRsl8kmCN4C/PHe
xh5xjFOsKYgX9jAfBgNVHSMEGDAWgBRsl8kmCN4C/PHexh5xjFOsKYgX9jANBgkq
hkiG9w0BAQsFAAOCAQEAmvgpU+q+TBbz+9Y2rdiIeTfeDXtMNPf+nKI3zxYztRGC
MoKP6jCQaFSQra4BVumFLV38DoqR1pOV1ojkiyO5c/9Iym/1Wmm8LeqgsHNqSgyS
C7wvBcb/N9PzIBQFq/RiboDoC7bqK/0zQguCmBtGceH+AVpQyfXM+P78B1EkHozu
67igP8GfouPp2s4Vd5P2XGkA6vMgYCtFEnCbtmmo7C8B+ymhD/D9axpMKQ1OaBg9
jfqLOlk+Rc2nYZuaDjnUmlTkYjC6EwCNe9weYkSJgQ9QzoGJLIRARsdQdsp3C2fZ
l2UZKkDJ2GPrrc+TdaGXZTYi0uMmvQsEKZXtqAzorQ==
-----END CERTIFICATE-----

27
nixos/tests/nginx-proxyprotocol/ca.key.pem Normal file
View file

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAtUqyU/ZN81yFwKRMi+VA5cOxejDDqhOXfvGcDHHB2xCi7tLL
DUWPo99bZzWEP6+YgjXjYFGXHCgYM3VNMrMsOZ+LcNMvjEw/Xwn1F2HHPKSUT0aJ
aOs8WDvVu1ia9J3yWfqe8xUQI0Qps13Z2Yys9BBnIMfZh8J//90ri7dSLStZ92me
opvTZXFbbpw3t5Qki9LUYMu8Axjb1g2TDuPY5OABVAZTKknLojaVM2IAsTWmhjLh
9zNH9GMkQMUrOhVnsC7akyGlapexy/tz3BgIb5ShGX732n/NBfWliPPLGxHXUwNL
OfN+8xKA8BqWZdyubD1PztzFRByIQGOSAhtCAQIDAQABAoIBAQCLeAWs1kWtvTYg
t8UzspC0slItAKrmgt//hvxYDoPmdewC8yPG+AbDOSfmRKOTIxGeyro79UjdHnNP
0yQqpvCU/AqYJ7/inR37jXuCG3TdUHfQbSF1F9N6xb1tvYKoQYKaelYiB8g8eUnj
dYYM+U5tDNlpvJW6/YTfYFUJzWRo3i8jj5lhbkjcJDvdOhVxMXNXJgJAymu1KysE
N1da2l4fzmuoN82wFE9KMyYSn+LOLWBReQQmXHZPP+2LjRIVrWoFoV49k2Ylp9tH
yeaFx1Ya/wVx3PRnSW+zebWDcc0bAua9XU3Fi42yRq5iXOyoXHyefDfJoId7+GAO
IF2qRw9hAoGBAM1O1l4ceOEDsEBh7HWTvmfwVfkXgT6VHeI6LGEjb88FApXgT+wT
1s1IWVVOigLl9OKQbrjqlg9xgzrPDHYRwu5/Oz3X2WaH6wlF+d+okoqls6sCEAeo
GfzF3sKOHQyIYjttCXE5G38uhIgVFFFfK97AbUiY8egYBr0zjVXK7xINAoGBAOIN
1pDBFBQIoKj64opm/G9lJBLUpWLBFdWXhXS6q2jNsdY1mLMRmu/RBaKSfGz7W1a/
a2WBedjcnTWJ/84tBsn4Qj5tLl8xkcXiN/pslWzg724ZnVsbyxM9KvAdXAma3F0g
2EsYq8mhvbAEkpE+aoM6jwOJBnMhTRZrNMKN2lbFAoGAHmZWB4lfvLG3H1FgmehO
gUVs9X0tff7GdgD3IUsF+zlasKaOLv6hB7R2xdLjTJqQMBwCyQ6zOYYtUD/oMHNg
0b+1HesgHbZybuUVorBrQmxWtjOP/BJABtWlrlkso/Zt1S7H/yPdlm9k4GF+qK3W
6RzFEcLTzvH/zXQcsV9jFuECgYEAhaX+1KiC0XFkY2OpaoCHAOlAUa3NdjyIRzcF
XUU8MINkgCxB8qUXAHCJL1wCGoDluL0FpwbM3m1YuR200tYGLIUNzVDJ2Ng6wk8E
H5fxJGU8ydB1Gzescdx5NWt2Tet0G89ecc/NSTHKL3YUnbDUUm/dvA5YdNscc4PA
tsIdc60CgYEArvU1MwqGQUTDKUmaM2t3qm70fbwmOViHfyTWpn4aAQR3sK16iJMm
V+dka62L/VYs5CIbzXvCioyugUMZGJi/zIwrViRzqJQbNnPADAW4lG88UxXqHHAH
q33ivjgd9omGFb37saKOmR44KmjUIDvSIZF4W3EPwAMEyl5mM31Ryns=
-----END RSA PRIVATE KEY-----

144
nixos/tests/nginx-proxyprotocol/default.nix Normal file
View file

@ -0,0 +1,144 @@
let
certs = import ./snakeoil-certs.nix;
in
import ../make-test-python.nix ({ pkgs, ... }: {
name = "nginx-proxyprotocol";
nodes = {
webserver = { pkgs, lib, ... }: {
environment.systemPackages = [ pkgs.netcat ];
security.pki.certificateFiles = [
certs.ca.cert
];
networking.extraHosts = ''
127.0.0.5 proxy.test.nix
127.0.0.5 noproxy.test.nix
127.0.0.3 direct-nossl.test.nix
127.0.0.4 unsecure-nossl.test.nix
127.0.0.2 direct-noproxy.test.nix
127.0.0.1 direct-proxy.test.nix
'';
services.nginx = {
enable = true;
defaultListen = [
{ addr = "127.0.0.1"; proxyProtocol = true; ssl = true; }
{ addr = "127.0.0.2"; }
{ addr = "127.0.0.3"; ssl = false; }
{ addr = "127.0.0.4"; ssl = false; proxyProtocol = true; }
];
commonHttpConfig = ''
log_format pcombined '(proxy_protocol=$proxy_protocol_addr) - (remote_addr=$remote_addr) - (realip=$realip_remote_addr) - (upstream=) - (remote_user=$remote_user) [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log pcombined;
error_log /var/log/nginx/error.log;
'';
virtualHosts =
let
commonConfig = {
locations."/".return = "200 '$remote_addr'";
extraConfig = ''
set_real_ip_from 127.0.0.5/32;
real_ip_header proxy_protocol;
'';
};
in
{
"*.test.nix" = commonConfig // {
sslCertificate = certs."*.test.nix".cert;
sslCertificateKey = certs."*.test.nix".key;
forceSSL = true;
};
"direct-nossl.test.nix" = commonConfig;
"unsecure-nossl.test.nix" = commonConfig // {
extraConfig = ''
real_ip_header proxy_protocol;
'';
};
};
};
services.sniproxy = {
enable = true;
config = ''
error_log {
syslog daemon
}
access_log {
syslog daemon
}
listener 127.0.0.5:443 {
protocol tls
source 127.0.0.5
}
table {
^proxy\.test\.nix$ 127.0.0.1 proxy_protocol
^noproxy\.test\.nix$ 127.0.0.2
}
'';
};
};
};
testScript = ''
def check_origin_ip(src_ip: str, dst_url: str, failure: bool = False, proxy_protocol: bool = False, expected_ip: str | None = None):
check = webserver.fail if failure else webserver.succeed
if expected_ip is None:
expected_ip = src_ip
return check(f"curl {'--haproxy-protocol' if proxy_protocol else '''} --interface {src_ip} --fail -L {dst_url} | grep '{expected_ip}'")
webserver.wait_for_unit("nginx")
webserver.wait_for_unit("sniproxy")
# This should be closed by virtue of ssl = true;
webserver.wait_for_closed_port(80, "127.0.0.1")
# This should be open by virtue of no explicit ssl
webserver.wait_for_open_port(80, "127.0.0.2")
# This should be open by virtue of ssl = true;
webserver.wait_for_open_port(443, "127.0.0.1")
# This should be open by virtue of no explicit ssl
webserver.wait_for_open_port(443, "127.0.0.2")
# This should be open by sniproxy
webserver.wait_for_open_port(443, "127.0.0.5")
# This should be closed by sniproxy
webserver.wait_for_closed_port(80, "127.0.0.5")
# Sanity checks for the NGINX module
# direct-HTTP connection to NGINX without TLS, this checks that ssl = false; works well.
check_origin_ip("127.0.0.10", "http://direct-nossl.test.nix/")
# webserver.execute("openssl s_client -showcerts -connect direct-noproxy.test.nix:443")
# direct-HTTP connection to NGINX with TLS
check_origin_ip("127.0.0.10", "http://direct-noproxy.test.nix/")
check_origin_ip("127.0.0.10", "https://direct-noproxy.test.nix/")
# Well, sniproxy is not listening on 80 and cannot redirect
check_origin_ip("127.0.0.10", "http://proxy.test.nix/", failure=True)
check_origin_ip("127.0.0.10", "http://noproxy.test.nix/", failure=True)
# Actual PROXY protocol related tests
# Connecting through sniproxy should passthrough the originating IP address.
check_origin_ip("127.0.0.10", "https://proxy.test.nix/")
# Connecting through sniproxy to a non-PROXY protocol enabled listener should not pass the originating IP address.
check_origin_ip("127.0.0.10", "https://noproxy.test.nix/", expected_ip="127.0.0.5")
# Attack tests against spoofing
# Let's try to spoof our IP address by connecting direct-y to the PROXY protocol listener.
# FIXME(RaitoBezarius): rewrite it using Python + (Scapy|something else) as this is too much broken unfortunately.
# Or wait for upstream curl patch.
# def generate_attacker_request(original_ip: str, target_ip: str, dst_url: str):
# return f"""PROXY TCP4 {original_ip} {target_ip} 80 80
# GET / HTTP/1.1
# Host: {dst_url}
# """
# def spoof(original_ip: str, target_ip: str, dst_url: str, tls: bool = False, expect_failure: bool = True):
# method = webserver.fail if expect_failure else webserver.succeed
# port = 443 if tls else 80
# print(webserver.execute(f"cat <<EOF | nc {target_ip} {port}\n{generate_attacker_request(original_ip, target_ip, dst_url)}\nEOF"))
# return method(f"cat <<EOF | nc {target_ip} {port} | grep {original_ip}\n{generate_attacker_request(original_ip, target_ip, dst_url)}\nEOF")
# check_origin_ip("127.0.0.10", "http://unsecure-nossl.test.nix", proxy_protocol=True)
# spoof("1.1.1.1", "127.0.0.4", "direct-nossl.test.nix")
# spoof("1.1.1.1", "127.0.0.4", "unsecure-nossl.test.nix", expect_failure=False)
'';
})

30
nixos/tests/nginx-proxyprotocol/generate-certs.nix Normal file
View file

@ -0,0 +1,30 @@
# Minica can provide a CA key and cert, plus a key
# and cert for our fake CA server's Web Front End (WFE).
{
pkgs ? import <nixpkgs> {},
minica ? pkgs.minica,
runCommandCC ? pkgs.runCommandCC,
}:
let
conf = import ./snakeoil-certs.nix;
domain = conf.domain;
domainSanitized = pkgs.lib.replaceStrings ["*"] ["_"] domain;
in
runCommandCC "generate-tests-certs" {
buildInputs = [ (minica.overrideAttrs (old: {
postPatch = ''
sed -i 's_NotAfter: time.Now().AddDate(2, 0, 30),_NotAfter: time.Now().AddDate(20, 0, 0),_' main.go
'';
})) ];
} ''
minica \
--ca-key ca.key.pem \
--ca-cert ca.cert.pem \
--domains "${domain}"
mkdir -p $out
mv ca.*.pem $out/
mv ${domainSanitized}/key.pem $out/${domainSanitized}.key.pem
mv ${domainSanitized}/cert.pem $out/${domainSanitized}.cert.pem
''

14
nixos/tests/nginx-proxyprotocol/snakeoil-certs.nix Normal file
View file

@ -0,0 +1,14 @@
let
domain = "*.test.nix";
domainSanitized = "_.test.nix";
in {
inherit domain;
ca = {
cert = ./ca.cert.pem;
key = ./ca.key.pem;
};
"${domain}" = {
cert = ./. + "/${domainSanitized}.cert.pem";
key = ./. + "/${domainSanitized}.key.pem";
};
}

4
pkgs/applications/editors/orbiton/default.nix
View file

@ -4,13 +4,13 @@
buildGoModule rec {
pname = "orbiton";
version = "2.61.0";
version = "2.62.0";
src = fetchFromGitHub {
owner = "xyproto";
repo = "orbiton";
rev = "v${version}";
hash = "sha256-GknQXHwpdIRzSjIc1ITsoiaks4Vi5KmVqL7sHzmfnmQ=";
hash = "sha256-DmS0rn1v9zksSzO7FVl5YsIIXvhQ3zhSBC/i7tosdag=";
};
vendorHash = null;

16
pkgs/applications/networking/cluster/terraform-providers/default.nix
View file

@ -19,8 +19,8 @@ let
, rev
, spdx ? "UNSET"
, version ? lib.removePrefix "v" rev
, hash ? throw "use hash instead of sha256" # added 2202/09
, vendorHash ? throw "use vendorHash instead of vendorSha256" # added 2202/09
, hash
, vendorHash
, deleteVendor ? false
, proxyVendor ? false
, mkProviderFetcher ? fetchFromGitHub
@ -88,22 +88,10 @@ let
removed-providers =
let
archived = name: date: throw "the ${name} terraform provider has been archived by upstream on ${date}";
license = name: date: throw "the ${name} terraform provider removed from nixpkgs on ${date} because of unclear licensing";
removed = name: date: throw "the ${name} terraform provider removed from nixpkgs on ${date}";
in
lib.optionalAttrs config.allowAliases {
b2 = removed "b2" "2022/06";
checkpoint = removed "checkpoint" "2022/11";
dome9 = removed "dome9" "2022/08";
ksyun = removed "ksyun" "2023/04";
logicmonitor = license "logicmonitor" "2022/11";
ncloud = removed "ncloud" "2022/08";
nsxt = license "nsxt" "2022/11";
opc = archived "opc" "2022/05";
oraclepaas = archived "oraclepaas" "2022/05";
panos = removed "panos" "2022/05";
template = archived "template" "2022/05";
vercel = license "vercel" "2022/11";
};
# excluding aliases, used by terraform-full

32
pkgs/applications/networking/cluster/terraform-providers/providers.json
View file

@ -110,11 +110,11 @@
"vendorHash": null
},
"aws": {
"hash": "sha256-I0iGgrvgjdqjeoiRMzItg2FELC/X2ACP5qLW5HguP78=",
"hash": "sha256-eHU3dsu/aJ72BTwe4CAWhf29ZueUhyg10Ncs9yUxi80=",
"homepage": "https://registry.terraform.io/providers/hashicorp/aws",
"owner": "hashicorp",
"repo": "terraform-provider-aws",
"rev": "v5.0.0",
"rev": "v5.0.1",
"spdx": "MPL-2.0",
"vendorHash": "sha256-53BHSeRBgnT5LuSuTUA5R/bbeozd2gOxsXd/2tlrbYU="
},
@ -128,11 +128,11 @@
"vendorHash": null
},
"azurerm": {
"hash": "sha256-4gNXamhda8EyEyOQXnxYNy+S5SyGqtYaxRk/fAG7vvA=",
"hash": "sha256-GVxIr57y5tlOrZYtu09FI0IYG2cLkHkYMMofdqdCans=",
"homepage": "https://registry.terraform.io/providers/hashicorp/azurerm",
"owner": "hashicorp",
"repo": "terraform-provider-azurerm",
"rev": "v3.57.0",
"rev": "v3.58.0",
"spdx": "MPL-2.0",
"vendorHash": null
},
@ -665,13 +665,13 @@
"vendorHash": "sha256-4jAJf2FC83NdH4t1l7EA26yQ0pqteWmTIyrZDJdi7fg="
},
"linode": {
"hash": "sha256-4cUmKscy0KrhG3CbQo/Uz0BI3tq/MUyDtzNqeXwUtxg=",
"hash": "sha256-dVoITwVwvWX6gXNgNv8fpCT2d19nYN893L8CL/TvcPc=",
"homepage": "https://registry.terraform.io/providers/linode/linode",
"owner": "linode",
"repo": "terraform-provider-linode",
"rev": "v2.2.0",
"rev": "v2.3.0",
"spdx": "MPL-2.0",
"vendorHash": "sha256-MsVYFt8u9czVs1vGCqBrw3BZ5C4OFNrEuZZ57GEVBqE="
"vendorHash": "sha256-a8IjMAojj15yl1sh/6r5WJsuqzWqHeDZLEqib7xOCw0="
},
"linuxbox": {
"hash": "sha256-MzasMVtXO7ZeZ+qEx2Z+7881fOIA0SFzSvXVHeEROtg=",
@ -801,11 +801,11 @@
},
"nutanix": {
"deleteVendor": true,
"hash": "sha256-szqvEU1cxEIBKIeHmeqT6YAEsXZDvINxfDyp76qswzw=",
"hash": "sha256-kxLsQeseSncGRJCeh/1yD7oouS5OYwo5N5YorzwQdBs=",
"homepage": "https://registry.terraform.io/providers/nutanix/nutanix",
"owner": "nutanix",
"repo": "terraform-provider-nutanix",
"rev": "v1.8.1",
"rev": "v1.9.0",
"spdx": "MPL-2.0",
"vendorHash": "sha256-LRIfxQGwG988HE5fftGl6JmBG7tTknvmgpm4Fu1NbWI="
},
@ -864,11 +864,11 @@
"vendorHash": "sha256-2EuGZxHrpPwDicSrIf/Jx/c4LhOtE5HvTz9LkJ4xCSY="
},
"opsgenie": {
"hash": "sha256-vwHymj6kNTfxpqLEJixB55SeET1wtlkoN8RH8Uw0iPA=",
"hash": "sha256-fcQChRIwxAeAdYPTYC9rPSdbrmXaBIOotF7vQhO9Sl0=",
"homepage": "https://registry.terraform.io/providers/opsgenie/opsgenie",
"owner": "opsgenie",
"repo": "terraform-provider-opsgenie",
"rev": "v0.6.22",
"rev": "v0.6.23",
"spdx": "MPL-2.0",
"vendorHash": null
},
@ -1044,13 +1044,13 @@
"vendorHash": "sha256-NO1r/EWLgH1Gogru+qPeZ4sW7FuDENxzNnpLSKstnE8="
},
"spotinst": {
"hash": "sha256-fNJhshwaMX0w5SuL/B8MDMrUN/que8H8UXqiPfKuIVg=",
"hash": "sha256-VzIQqxEZl3+cRk19vxJGF0DbzutrfOWeP27TMat//Es=",
"homepage": "https://registry.terraform.io/providers/spotinst/spotinst",
"owner": "spotinst",
"repo": "terraform-provider-spotinst",
"rev": "v1.119.1",
"rev": "v1.120.0",
"spdx": "MPL-2.0",
"vendorHash": "sha256-VZlTrUcfE7ZoAU3wWrM31pZbKSsUc1Oph7b8wb6k8cY="
"vendorHash": "sha256-/sXd/qAChMpVTY/JN45fb2XFG0nsqc1ytC2FjXpva3c="
},
"stackpath": {
"hash": "sha256-7KQUddq+M35WYyAIAL8sxBjAaXFcsczBRO1R5HURUZg=",
@ -1098,11 +1098,11 @@
"vendorHash": "sha256-GNSKSlaFBj2P+z40U+0uwPSOuQBy+9vOVFfPe8p0A24="
},
"tencentcloud": {
"hash": "sha256-fHcEVQZLLmtaKsAaeFcnRxzPBcGv/UUZOpNHsB9VGXA=",
"hash": "sha256-2xyJ6rrgQKIhdtGNSnSYbL+fQhaqlEsWfGA2vYZeQBQ=",
"homepage": "https://registry.terraform.io/providers/tencentcloudstack/tencentcloud",
"owner": "tencentcloudstack",
"repo": "terraform-provider-tencentcloud",
"rev": "v1.81.1",
"rev": "v1.81.2",
"spdx": "MPL-2.0",
"vendorHash": null
},

4
pkgs/applications/networking/coreth/default.nix
View file

@ -6,13 +6,13 @@
buildGoModule rec {
pname = "coreth";
version = "0.12.1";
version = "0.12.2";
src = fetchFromGitHub {
owner = "ava-labs";
repo = pname;
rev = "v${version}";
hash = "sha256-Wf4abvBOX98A2IjALkMMOAqDvEtXtLddxhrV2LQM1dU=";
hash = "sha256-WkSZ+7ygg2dkotv3vwTrWaVsSQvgmPJ0xhPCqZdQit8=";
};
# go mod vendor has a bug, see: golang/go#57529

6
pkgs/applications/networking/netmaker/default.nix
View file

@ -10,16 +10,16 @@
buildGoModule rec {
pname = "netmaker";
version = "0.19.0";
version = "0.20.0";
src = fetchFromGitHub {
owner = "gravitl";
repo = pname;
rev = "v${version}";
hash = "sha256-wiexultPliYD3WrLVtWUdLs762OzLAmoH66phwjOuUw=";
hash = "sha256-pzU9MiUL5M7EkGIXjZ0VqJmk4qOlbgCLCg84iPIXG70=";
};
vendorHash = "sha256-Msvonap1soJExzBymouY8kZJnHT4SIwpfJjBgpkO2Rw=";
vendorHash = "sha256-euqQztEUEejCWy7WqtzMEIZrBDZpD/6dqnFsYhXajdE=";
inherit subPackages;

4
pkgs/development/python-modules/aliyun-python-sdk-config/default.nix
View file

@ -7,14 +7,14 @@
buildPythonPackage rec {
pname = "aliyun-python-sdk-config";
version = "2.2.8";
version = "2.2.9";
format = "setuptools";
disabled = pythonOlder "3.7";
src = fetchPypi {
inherit pname version;
hash = "sha256-0rGI2YMT78gstfHmQD63hdvICQ3WlKgkx8unsDegaXw=";
hash = "sha256-5uRiOJAxq1zcJX+CyDnTG5BG1eFcJ43HdfpWUoZ5FSM=";
};
propagatedBuildInputs = [

6
pkgs/development/python-modules/faraday-plugins/default.nix
View file

@ -6,6 +6,7 @@
, fetchFromGitHub
, html2text
, lxml
, markdown
, pytestCheckHook
, python-dateutil
, pythonOlder
@ -17,7 +18,7 @@
buildPythonPackage rec {
pname = "faraday-plugins";
version = "1.11.0";
version = "1.12.0";
format = "setuptools";
disabled = pythonOlder "3.7";
@ -26,7 +27,7 @@ buildPythonPackage rec {
owner = "infobyte";
repo = "faraday_plugins";
rev = "refs/tags/${version}";
hash = "sha256-rbmD+UeMzsccYq7AzANziUZCgKtShRe/fJersODMrF8=";
hash = "sha256-dtSGNLQUG4Co+p/sPBgKxMhB7drZAMxUas+eH6g/cS8=";
};
postPatch = ''
@ -40,6 +41,7 @@ buildPythonPackage rec {
colorama
html2text
lxml
markdown
python-dateutil
pytz
requests

4
pkgs/development/python-modules/onvif-zeep-async/default.nix
View file

@ -9,14 +9,14 @@
buildPythonPackage rec {
pname = "onvif-zeep-async";
version = "3.1.7";
version = "3.1.8";
format = "setuptools";
disabled = pythonOlder "3.7";
src = fetchPypi {
inherit pname version;
hash = "sha256-ra/1qKKmuWWvJCrr1uTCU5Awv5+GShgDHlHw0igLc4c=";
hash = "sha256-UiONj4ANsB5l2/ypWWfUK5ELoLsnUuyrFeldgITwIo4=";
};
propagatedBuildInputs = [

4
pkgs/development/python-modules/pydeps/default.nix
View file

@ -11,7 +11,7 @@
buildPythonPackage rec {
pname = "pydeps";
version = "1.12.7";
version = "1.12.8";
format = "setuptools";
disabled = pythonOlder "3.7";
@ -20,7 +20,7 @@ buildPythonPackage rec {
owner = "thebjorn";
repo = pname;
rev = "refs/tags/v${version}";
hash = "sha256-D57IO+1KS/budIjScEjVKP/5IbEx9KSDS46URuymC4s=";
hash = "sha256-6NxI67K1gw6VRO10T2o+5pwMsvCqIgMnHueLbg88XSQ=";
};
buildInputs = [

4
pkgs/development/python-modules/pysigma-backend-insightidr/default.nix
View file

@ -10,7 +10,7 @@
buildPythonPackage rec {
pname = "pysigma-backend-insightidr";
version = "0.1.8";
version = "0.1.9";
format = "pyproject";
disabled = pythonOlder "3.8";
@ -19,7 +19,7 @@ buildPythonPackage rec {
owner = "SigmaHQ";
repo = "pySigma-backend-insightidr";
rev = "refs/tags/v${version}";
hash = "sha256-3Tr6WvYuHddc0vGb8li6hZLk2GgfXr67/T2AnYQ7qeo=";
hash = "sha256-/oHwWe8EcE1CS/hOmzJm9smfRLS/wShfbSGqOuvp8rU=";
};
nativeBuildInputs = [

4
pkgs/development/python-modules/python-otbr-api/default.nix
View file

@ -12,7 +12,7 @@
buildPythonPackage rec {
pname = "python-otbr-api";
version = "1.1.0";
version = "1.2.0";
format = "pyproject";
disabled = pythonOlder "3.9";
@ -21,7 +21,7 @@ buildPythonPackage rec {
owner = "home-assistant-libs";
repo = pname;
rev = "refs/tags/${version}";
hash = "sha256-0JPniehl4cnoTWgqmq1fMZwU8FFl2Zx4CF81az6iaxQ=";
hash = "sha256-IPglUB+Xla+IjWzHhfG+SDHY/jucg46ppnhHBHKTEiE=";
};
nativeBuildInputs = [

4
pkgs/development/python-modules/reolink-aio/default.nix
View file

@ -11,7 +11,7 @@
buildPythonPackage rec {
pname = "reolink-aio";
version = "0.5.15";
version = "0.5.16";
format = "setuptools";
disabled = pythonOlder "3.9";
@ -20,7 +20,7 @@ buildPythonPackage rec {
owner = "starkillerOG";
repo = "reolink_aio";
rev = "refs/tags/${version}";
hash = "sha256-YTBx0tMWSyy6A1OuTBmfEpRnZE4gHLIY5qFH9YL+YEo=";
hash = "sha256-FyrTZqp4h4GOCxld+y3wDEfLOl6a6dCgs/LJetjmr8I=";
};
postPatch = ''

7
pkgs/development/tools/database/surrealdb-migrations/default.nix
View file

@ -24,13 +24,6 @@ rustPlatform.buildRustPackage rec {
cargoSha256 = "sha256-1+cvOhDeH9vx/8J1RwKLPdkBmqBKFmbNXv3H44pZfj0=";
# nativeBuildInputs = [
# pkg-config
# # needed on top of LIBCLANG_PATH to compile rquickjs
# llvmPackages.clang
# ];
buildInputs = [ ]
++ lib.optionals stdenv.isDarwin [ Security ];

4
pkgs/development/tools/parinfer-rust/default.nix
View file

@ -13,9 +13,7 @@ rustPlatform.buildRustPackage rec {
cargoSha256 = "1lam4gwzcj6w0pyxf61l2cpbvvf5gmj2gwi8dangnhd60qhlnvrx";
nativeBuildInputs = [ llvmPackages.clang ];
buildInputs = [ llvmPackages.libclang ];
LIBCLANG_PATH = "${llvmPackages.libclang.lib}/lib";
nativeBuildInputs = [ llvmPackages.clang rustPlatform.bindgenHook ];
postInstall = ''
mkdir -p $out/share/kak/autoload/plugins

6
pkgs/development/tools/sentry-cli/default.nix
View file

@ -9,13 +9,13 @@
}:
rustPlatform.buildRustPackage rec {
pname = "sentry-cli";
version = "2.18.0";
version = "2.18.1";
src = fetchFromGitHub {
owner = "getsentry";
repo = "sentry-cli";
rev = version;
sha256 = "sha256-ZHhx31V67cZEusbOKFfgNWxXlriS9brlExYG6Z3JjlE=";
sha256 = "sha256-RIZLXJIc5a8jgJ2snos6AOqnWmbiKiRlFomvsKg/9rw=";
};
doCheck = false;
@ -25,7 +25,7 @@ rustPlatform.buildRustPackage rec {
buildInputs = [ openssl ] ++ lib.optionals stdenv.isDarwin [ Security SystemConfiguration ];
nativeBuildInputs = [ pkg-config ];
cargoHash = "sha256-ovRdso1ke4e4rQijORxMixSDdjns6tEIK+SLjLv+AV4=";
cargoHash = "sha256-b4WKszoxBlm0fZzK4YkwwY3+Jff8mXxxoyqwepg1MLo=";
meta = with lib; {
homepage = "https://docs.sentry.io/cli/";

2
pkgs/servers/http/nginx/generic.nix
View file

@ -178,7 +178,7 @@ stdenv.mkDerivation {
passthru = {
inherit modules;
tests = {
inherit (nixosTests) nginx nginx-auth nginx-etag nginx-globalredirect nginx-http3 nginx-pubhtml nginx-sandbox nginx-sso;
inherit (nixosTests) nginx nginx-auth nginx-etag nginx-globalredirect nginx-http3 nginx-pubhtml nginx-sandbox nginx-sso nginx-proxyprotocol;
variants = lib.recurseIntoAttrs nixosTests.nginx-variants;
acme-integration = nixosTests.acme;
} // passthru.tests;

9
pkgs/servers/nosql/surrealdb/default.nix
View file

@ -4,7 +4,6 @@
, fetchFromGitHub
, pkg-config
, openssl
, llvmPackages
, rocksdb
, testers
, surrealdb
@ -25,7 +24,10 @@ rustPlatform.buildRustPackage rec {
cargoSha256 = "sha256-eLJ+sxsK45pkgNUYrNuUOAqutwIjvEhGGjsvwGzfVKI=";
LIBCLANG_PATH = "${llvmPackages.libclang.lib}/lib";
# error: linker `aarch64-linux-gnu-gcc` not found
postPatch = ''
rm .cargo/config.toml
'';
PROTOC = "${protobuf}/bin/protoc";
PROTOC_INCLUDE = "${protobuf}/include";
@ -35,8 +37,7 @@ rustPlatform.buildRustPackage rec {
nativeBuildInputs = [
pkg-config
# needed on top of LIBCLANG_PATH to compile rquickjs
llvmPackages.clang
rustPlatform.bindgenHook
];
buildInputs = [ openssl ]

8
pkgs/servers/search/sonic-server/default.nix
View file

@ -1,7 +1,5 @@
{ lib
, rustPlatform
, llvmPackages
, clang
, fetchFromGitHub
}:
@ -21,12 +19,8 @@ rustPlatform.buildRustPackage {
doCheck = false;
nativeBuildInputs = [
llvmPackages.libclang
llvmPackages.libcxxClang
clang
rustPlatform.bindgenHook
];
LIBCLANG_PATH = "${llvmPackages.libclang.lib}/lib";
BINDGEN_EXTRA_CLANG_ARGS = "-isystem ${llvmPackages.libclang.lib}/lib/clang/${lib.getVersion clang}/include";
postPatch = ''
substituteInPlace src/main.rs --replace "./config.cfg" "$out/etc/sonic/config.cfg"

8
pkgs/tools/backup/rdedup/default.nix
View file

@ -1,5 +1,5 @@
{ lib, stdenv, fetchFromGitHub, rustPlatform, pkg-config, openssl, libsodium
, llvmPackages, clang, xz
, xz
, Security }:
rustPlatform.buildRustPackage rec {
@ -15,14 +15,10 @@ rustPlatform.buildRustPackage rec {
cargoSha256 = "sha256-I6d3IyPBcUsrvlzF7W0hFM4hcXi4wWro9bCeP4eArHI=";
nativeBuildInputs = [ pkg-config llvmPackages.libclang clang ];
nativeBuildInputs = [ pkg-config rustPlatform.bindgenHook ];
buildInputs = [ openssl libsodium xz ]
++ (lib.optional stdenv.isDarwin Security);
configurePhase = ''
export LIBCLANG_PATH="${llvmPackages.libclang.lib}/lib"
'';
meta = with lib; {
description = "Data deduplication with compression and public key encryption";
homepage = "https://github.com/dpc/rdedup";

2
pkgs/tools/misc/vector/default.nix
View file

@ -24,7 +24,7 @@
# TODO investigate adding "vrl-cli" and various "vendor-*"
# "disk-buffer" is using leveldb TODO: investigate how useful
# it would be, perhaps only for massive scale?
, features ? ([ "api" "api-client" "enrichment-tables" "sinks" "sources" "transforms" "vrl-cli" ]
, features ? ([ "api" "api-client" "enrichment-tables" "sinks" "sources" "sources-dnstap" "transforms" "vrl-cli" ]
# the second feature flag is passed to the rdkafka dependency
# building on linux fails without this feature flag (both x86_64 and AArch64)
++ lib.optionals enableKafka [ "rdkafka?/gssapi-vendored" ]

4
pkgs/tools/networking/easyrsa/default.nix
View file

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "easyrsa";
version = "3.1.2";
version = "3.1.4";
src = fetchFromGitHub {
owner = "OpenVPN";
repo = "easy-rsa";
rev = "v${version}";
sha256 = "sha256-nZjEBAJnho2Qis5uzQs1sVZVFHHSgJVa5aJS+dAfFCg=";
sha256 = "sha256-2UIeHc5I6cvuD9DAFxwFbWOKNjV1StIBItxARohe0qk=";
};
nativeBuildInputs = [ makeWrapper ];