mirrors/nixpkgs
1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-22 21:50:55 +00:00
Code Issues Wiki Activity

Merge master into staging-next

Browse source
This commit is contained in:
Frederik Rietdijk 2020-09-07 16:31:11 +02:00
parent 1936b11f63 dc09e3edfc
commit 2ea24451d6
85 changed files with 2263 additions and 1768 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
nixos/doc/manual/release-notes/rl-2009.xml
View file

@ -394,6 +394,20 @@ php.override {
</para>
</listitem>
<listitem>
<para>
The ACME module has been overhauled for simplicity and maintainability.
Cert generation now implicitly uses the <literal>acme</literal>
user, and the <literal>security.acme.certs._name_.user</literal> option
has been removed. Instead, certificate access from other services is now
managed through group permissions. The module no longer runs lego
twice under certain conditions, and will correctly renew certificates if
their configuration is changed. Services which reload nginx and httpd after
certificate renewal are now properly configured too so you no longer have
to do this manually if you are using HTTPS enabled virtual hosts. A mechanism
for regenerating certs on demand has also been added and documented.
</para>
</listitem>
<listitem>
<para>
Gollum received a major update to version 5.x and you may have to change

637
nixos/modules/security/acme.nix
View file

@ -1,11 +1,314 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, options, ... }:
with lib;
let
cfg = config.security.acme;
# Used to calculate timer accuracy for coalescing
numCerts = length (builtins.attrNames cfg.certs);
_24hSecs = 60 * 60 * 24;
# There are many services required to make cert renewals work.
# They all follow a common structure:
# - They inherit this commonServiceConfig
# - They all run as the acme user
# - They all use BindPath and StateDirectory where possible
# to set up a sort of build environment in /tmp
# The Group can vary depending on what the user has specified in
# security.acme.certs.<cert>.group on some of the services.
commonServiceConfig = {
Type = "oneshot";
User = "acme";
Group = mkDefault "acme";
UMask = 0027;
StateDirectoryMode = 750;
ProtectSystem = "full";
PrivateTmp = true;
WorkingDirectory = "/tmp";
};
# In order to avoid race conditions creating the CA for selfsigned certs,
# we have a separate service which will create the necessary files.
selfsignCAService = {
description = "Generate self-signed certificate authority";
path = with pkgs; [ minica ];
unitConfig = {
ConditionPathExists = "!/var/lib/acme/.minica/key.pem";
};
serviceConfig = commonServiceConfig // {
StateDirectory = "acme/.minica";
BindPaths = "/var/lib/acme/.minica:/tmp/ca";
};
# Working directory will be /tmp
script = ''
minica \
--ca-key ca/key.pem \
--ca-cert ca/cert.pem \
--domains selfsigned.local
chmod 600 ca/*
'';
};
# Previously, all certs were owned by whatever user was configured in
# config.security.acme.certs.<cert>.user. Now everything is owned by and
# run by the acme user.
userMigrationService = {
description = "Fix owner and group of all ACME certificates";
script = with builtins; concatStringsSep "\n" (mapAttrsToList (cert: data: ''
for fixpath in /var/lib/acme/${escapeShellArg cert} /var/lib/acme/.lego/${escapeShellArg cert}; do
if [ -d "$fixpath" ]; then
chmod -R 750 "$fixpath"
chown -R acme:${data.group} "$fixpath"
fi
done
'') certConfigs);
# We don't want this to run every time a renewal happens
serviceConfig.RemainAfterExit = true;
};
certToConfig = cert: data: let
acmeServer = if data.server != null then data.server else cfg.server;
useDns = data.dnsProvider != null;
destPath = "/var/lib/acme/${cert}";
selfsignedDeps = optionals (cfg.preliminarySelfsigned) [ "acme-selfsigned-${cert}.service" ];
# Minica and lego have a "feature" which replaces * with _. We need
# to make this substitution to reference the output files from both programs.
# End users never see this since we rename the certs.
keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
# FIXME when mkChangedOptionModule supports submodules, change to that.
# This is a workaround
extraDomains = data.extraDomainNames ++ (
optionals
(data.extraDomains != "_mkMergedOptionModule")
(builtins.attrNames data.extraDomains)
);
# Create hashes for cert data directories based on configuration
# Flags are separated to avoid collisions
hashData = with builtins; ''
${concatStringsSep " " data.extraLegoFlags} -
${concatStringsSep " " data.extraLegoRunFlags} -
${concatStringsSep " " data.extraLegoRenewFlags} -
${toString acmeServer} ${toString data.dnsProvider}
${toString data.ocspMustStaple} ${data.keyType}
'';
mkHash = with builtins; val: substring 0 20 (hashString "sha256" val);
certDir = mkHash hashData;
domainHash = mkHash "${concatStringsSep " " extraDomains} ${data.domain}";
othersHash = mkHash "${toString acmeServer} ${data.keyType}";
accountDir = "/var/lib/acme/.lego/accounts/" + othersHash;
protocolOpts = if useDns then (
[ "--dns" data.dnsProvider ]
++ optionals (!data.dnsPropagationCheck) [ "--dns.disable-cp" ]
) else (
[ "--http" "--http.webroot" data.webroot ]
);
commonOpts = [
"--accept-tos" # Checking the option is covered by the assertions
"--path" "."
"-d" data.domain
"--email" data.email
"--key-type" data.keyType
] ++ protocolOpts
++ optionals data.ocspMustStaple [ "--must-staple" ]
++ optionals (acmeServer != null) [ "--server" acmeServer ]
++ concatMap (name: [ "-d" name ]) extraDomains
++ data.extraLegoFlags;
runOpts = escapeShellArgs (
commonOpts
++ [ "run" ]
++ data.extraLegoRunFlags
);
renewOpts = escapeShellArgs (
commonOpts
++ [ "renew" "--reuse-key" ]
++ data.extraLegoRenewFlags
);
in {
inherit accountDir selfsignedDeps;
webroot = data.webroot;
group = data.group;
renewTimer = {
description = "Renew ACME Certificate for ${cert}";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = cfg.renewInterval;
Unit = "acme-${cert}.service";
Persistent = "yes";
# Allow systemd to pick a convenient time within the day
# to run the check.
# This allows the coalescing of multiple timer jobs.
# We divide by the number of certificates so that if you
# have many certificates, the renewals are distributed over
# the course of the day to avoid rate limits.
AccuracySec = "${toString (_24hSecs / numCerts)}s";
# Skew randomly within the day, per https://letsencrypt.org/docs/integration-guide/.
RandomizedDelaySec = "24h";
};
};
selfsignService = {
description = "Generate self-signed certificate for ${cert}";
after = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ];
requires = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ];
path = with pkgs; [ minica ];
unitConfig = {
ConditionPathExists = "!/var/lib/acme/${cert}/key.pem";
};
serviceConfig = commonServiceConfig // {
Group = data.group;
StateDirectory = "acme/${cert}";
BindPaths = "/var/lib/acme/.minica:/tmp/ca /var/lib/acme/${cert}:/tmp/${keyName}";
};
# Working directory will be /tmp
# minica will output to a folder sharing the name of the first domain
# in the list, which will be ${data.domain}
script = ''
minica \
--ca-key ca/key.pem \
--ca-cert ca/cert.pem \
--domains ${escapeShellArg (builtins.concatStringsSep "," ([ data.domain ] ++ extraDomains))}
# Create files to match directory layout for real certificates
cd '${keyName}'
cp ../ca/cert.pem chain.pem
cat cert.pem chain.pem > fullchain.pem
cat key.pem fullchain.pem > full.pem
chmod 640 *
# Group might change between runs, re-apply it
chown 'acme:${data.group}' *
'';
};
renewService = {
description = "Renew ACME certificate for ${cert}";
after = [ "network.target" "network-online.target" "acme-fixperms.service" ] ++ selfsignedDeps;
wants = [ "network-online.target" "acme-fixperms.service" ] ++ selfsignedDeps;
# https://github.com/NixOS/nixpkgs/pull/81371#issuecomment-605526099
wantedBy = optionals (!config.boot.isContainer) [ "multi-user.target" ];
path = with pkgs; [ lego coreutils diffutils ];
serviceConfig = commonServiceConfig // {
Group = data.group;
# AccountDir dir will be created by tmpfiles to ensure correct permissions
# And to avoid deletion during systemctl clean
# acme/.lego/${cert} is listed so that it is deleted during systemctl clean
StateDirectory = "acme/${cert} acme/.lego/${cert} acme/.lego/${cert}/${certDir}";
# Needs to be space separated, but can't use a multiline string because that'll include newlines
BindPaths =
"${accountDir}:/tmp/accounts " +
"/var/lib/acme/${cert}:/tmp/out " +
"/var/lib/acme/.lego/${cert}/${certDir}:/tmp/certificates ";
# Only try loading the credentialsFile if the dns challenge is enabled
EnvironmentFile = mkIf useDns data.credentialsFile;
# Run as root (Prefixed with +)
ExecStartPost = "+" + (pkgs.writeShellScript "acme-postrun" ''
cd /var/lib/acme/${escapeShellArg cert}
if [ -e renewed ]; then
rm renewed
${data.postRun}
fi
'');
};
# Working directory will be /tmp
script = ''
set -euo pipefail
echo '${domainHash}' > domainhash.txt
# Check if we can renew
if [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' ]; then
# When domains are updated, there's no need to do a full
# Lego run, but it's likely renew won't work if days is too low.
if [ -e certificates/domainhash.txt ] && cmp -s domainhash.txt certificates/domainhash.txt; then
lego ${renewOpts} --days ${toString cfg.validMinDays}
else
# Any number > 90 works, but this one is over 9000 ;-)
lego ${renewOpts} --days 9001
fi
# Otherwise do a full run
else
lego ${runOpts}
fi
mv domainhash.txt certificates/
chmod 640 certificates/*
chmod -R 700 accounts/*
# Group might change between runs, re-apply it
chown 'acme:${data.group}' certificates/*
# Copy all certs to the "real" certs directory
CERT='certificates/${keyName}.crt'
if [ -e "$CERT" ] && ! cmp -s "$CERT" out/fullchain.pem; then
touch out/renewed
echo Installing new certificate
cp -vp 'certificates/${keyName}.crt' out/fullchain.pem
cp -vp 'certificates/${keyName}.key' out/key.pem
cp -vp 'certificates/${keyName}.issuer.crt' out/chain.pem
ln -sf fullchain.pem out/cert.pem
cat out/key.pem out/fullchain.pem > out/full.pem
fi
'';
};
};
certConfigs = mapAttrs certToConfig cfg.certs;
certOpts = { name, ... }: {
options = {
# user option has been removed
user = mkOption {
visible = false;
default = "_mkRemovedOptionModule";
};
# allowKeysForGroup option has been removed
allowKeysForGroup = mkOption {
visible = false;
default = "_mkRemovedOptionModule";
};
# extraDomains was replaced with extraDomainNames
extraDomains = mkOption {
visible = false;
default = "_mkMergedOptionModule";
};
webroot = mkOption {
type = types.nullOr types.str;
default = null;
@ -41,35 +344,19 @@ let
description = "Contact email address for the CA to be able to reach you.";
};
user = mkOption {
type = types.str;
default = "root";
description = "User running the ACME client.";
};
group = mkOption {
type = types.str;
default = "root";
default = "acme";
description = "Group running the ACME client.";
};
allowKeysForGroup = mkOption {
type = types.bool;
default = false;
description = ''
Give read permissions to the specified group
(<option>security.acme.cert.&lt;name&gt;.group</option>) to read SSL private certificates.
'';
};
postRun = mkOption {
type = types.lines;
default = "";
example = "systemctl reload nginx.service";
example = "cp full.pem backup.pem";
description = ''
Commands to run after new certificates go live. Typically
the web server and other servers using certificates need to
be reloaded.
Commands to run after new certificates go live. Note that
these commands run as the root user.
Executed in the same directory with the new certificate.
'';
@ -82,18 +369,17 @@ let
description = "Directory where certificate and other state is stored.";
};
extraDomains = mkOption {
type = types.attrsOf (types.nullOr types.str);
default = {};
extraDomainNames = mkOption {
type = types.listOf types.str;
default = [];
example = literalExample ''
{
"example.org" = null;
"mydomain.org" = null;
}
[
"example.org"
"mydomain.org"
]
'';
description = ''
A list of extra domain names, which are included in the one certificate to be issued.
Setting a distinct server root is deprecated and not functional in 20.03+
'';
};
@ -176,24 +462,8 @@ let
};
};
in
in {
{
###### interface
imports = [
(mkRemovedOptionModule [ "security" "acme" "production" ] ''
Use security.acme.server to define your staging ACME server URL instead.
To use Let's Encrypt's staging server, use security.acme.server =
"https://acme-staging-v02.api.letsencrypt.org/directory".
''
)
(mkRemovedOptionModule [ "security" "acme" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")
(mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
(mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
(mkChangedOptionModule [ "security" "acme" "validMin"] [ "security" "acme" "validMinDays"] (config: config.security.acme.validMin / (24 * 3600)))
];
options = {
security.acme = {
@ -266,7 +536,7 @@ in
"example.com" = {
webroot = "/var/www/challenges/";
email = "foo@example.com";
extraDomains = { "www.example.com" = null; "foo.example.com" = null; };
extraDomainNames = [ "www.example.com" "foo.example.com" ];
};
"bar.example.com" = {
webroot = "/var/www/challenges/";
@ -278,25 +548,40 @@ in
};
};
###### implementation
imports = [
(mkRemovedOptionModule [ "security" "acme" "production" ] ''
Use security.acme.server to define your staging ACME server URL instead.
To use the let's encrypt staging server, use security.acme.server =
"https://acme-staging-v02.api.letsencrypt.org/directory".
''
)
(mkRemovedOptionModule [ "security" "acme" "directory" ] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")
(mkRemovedOptionModule [ "security" "acme" "preDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
(mkRemovedOptionModule [ "security" "acme" "activationDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
(mkChangedOptionModule [ "security" "acme" "validMin" ] [ "security" "acme" "validMinDays" ] (config: config.security.acme.validMin / (24 * 3600)))
];
config = mkMerge [
(mkIf (cfg.certs != { }) {
# FIXME Most of these custom warnings and filters for security.acme.certs.* are required
# because using mkRemovedOptionModule/mkChangedOptionModule with attrsets isn't possible.
warnings = filter (w: w != "") (mapAttrsToList (cert: data: if data.extraDomains != "_mkMergedOptionModule" then ''
The option definition `security.acme.certs.${cert}.extraDomains` has changed
to `security.acme.certs.${cert}.extraDomainNames` and is now a list of strings.
Setting a custom webroot for extra domains is not possible, instead use separate certs.
'' else "") cfg.certs);
assertions = let
certs = (mapAttrsToList (k: v: v) cfg.certs);
certs = attrValues cfg.certs;
in [
{
assertion = all (certOpts: certOpts.dnsProvider == null || certOpts.webroot == null) certs;
message = ''
Options `security.acme.certs.<name>.dnsProvider` and
`security.acme.certs.<name>.webroot` are mutually exclusive.
'';
}
{
assertion = cfg.email != null || all (certOpts: certOpts.email != null) certs;
message = ''
You must define `security.acme.certs.<name>.email` or
`security.acme.email` to register with the CA.
`security.acme.email` to register with the CA. Note that using
many different addresses for certs may trigger account rate limits.
'';
}
{
@ -307,184 +592,78 @@ in
to `true`. For Let's Encrypt's ToS see https://letsencrypt.org/repository/
'';
}
];
] ++ (builtins.concatLists (mapAttrsToList (cert: data: [
{
assertion = data.user == "_mkRemovedOptionModule";
message = ''
The option definition `security.acme.certs.${cert}.user' no longer has any effect; Please remove it.
Certificate user is now hard coded to the "acme" user. If you would
like another user to have access, consider adding them to the
"acme" group or changing security.acme.certs.${cert}.group.
'';
}
{
assertion = data.allowKeysForGroup == "_mkRemovedOptionModule";
message = ''
The option definition `security.acme.certs.${cert}.allowKeysForGroup' no longer has any effect; Please remove it.
All certs are readable by the configured group. If this is undesired,
consider changing security.acme.certs.${cert}.group to an unused group.
'';
}
# * in the cert value breaks building of systemd services, and makes
# referencing them as a user quite weird too. Best practice is to use
# the domain option.
{
assertion = ! hasInfix "*" cert;
message = ''
The cert option path `security.acme.certs.${cert}.dnsProvider`
cannot contain a * character.
Instead, set `security.acme.certs.${cert}.domain = "${cert}";`
and remove the wildcard from the path.
'';
}
{
assertion = data.dnsProvider == null || data.webroot == null;
message = ''
Options `security.acme.certs.${cert}.dnsProvider` and
`security.acme.certs.${cert}.webroot` are mutually exclusive.
'';
}
]) cfg.certs));
systemd.services = let
services = concatLists servicesLists;
servicesLists = mapAttrsToList certToServices cfg.certs;
certToServices = cert: data:
let
# StateDirectory must be relative, and will be created under /var/lib by systemd
lpath = "acme/${cert}";
apath = "/var/lib/${lpath}";
spath = "/var/lib/acme/.lego/${cert}";
keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
requestedDomains = pipe ([ data.domain ] ++ (attrNames data.extraDomains)) [
(domains: sort builtins.lessThan domains)
(domains: concatStringsSep "," domains)
];
fileMode = if data.allowKeysForGroup then "640" else "600";
globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
++ concatLists (mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" data.webroot ])
++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)]
++ data.extraLegoFlags;
certOpts = optionals data.ocspMustStaple [ "--must-staple" ];
runOpts = escapeShellArgs (globalOpts ++ [ "run" ] ++ certOpts ++ data.extraLegoRunFlags);
renewOpts = escapeShellArgs (globalOpts ++
[ "renew" "--days" (toString cfg.validMinDays) ] ++
certOpts ++ data.extraLegoRenewFlags);
acmeService = {
description = "Renew ACME Certificate for ${cert}";
path = with pkgs; [ openssl ];
after = [ "network.target" "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = mkIf (!config.boot.isContainer) [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
User = data.user;
Group = data.group;
PrivateTmp = true;
StateDirectory = "acme/.lego/${cert} acme/.lego/accounts ${lpath}";
StateDirectoryMode = if data.allowKeysForGroup then "750" else "700";
WorkingDirectory = spath;
# Only try loading the credentialsFile if the dns challenge is enabled
EnvironmentFile = if data.dnsProvider != null then data.credentialsFile else null;
ExecStart = pkgs.writeScript "acme-start" ''
#!${pkgs.runtimeShell} -e
test -L ${spath}/accounts -o -d ${spath}/accounts || ln -s ../accounts ${spath}/accounts
LEGO_ARGS=(${runOpts})
if [ -e ${spath}/certificates/${keyName}.crt ]; then
REQUESTED_DOMAINS="${requestedDomains}"
EXISTING_DOMAINS="$(openssl x509 -in ${spath}/certificates/${keyName}.crt -noout -ext subjectAltName | tail -n1 | sed -e 's/ *DNS://g')"
if [ "''${REQUESTED_DOMAINS}" == "''${EXISTING_DOMAINS}" ]; then
LEGO_ARGS=(${renewOpts})
fi
fi
${pkgs.lego}/bin/lego ''${LEGO_ARGS[@]}
'';
ExecStartPost =
let
script = pkgs.writeScript "acme-post-start" ''
#!${pkgs.runtimeShell} -e
cd ${apath}
users.users.acme = {
home = "/var/lib/acme";
group = "acme";
isSystemUser = true;
};
# Test that existing cert is older than new cert
KEY=${spath}/certificates/${keyName}.key
KEY_CHANGED=no
if [ -e $KEY -a $KEY -nt key.pem ]; then
KEY_CHANGED=yes
cp -p ${spath}/certificates/${keyName}.key key.pem
cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
ln -sf fullchain.pem cert.pem
cat key.pem fullchain.pem > full.pem
fi
users.groups.acme = {};
chmod ${fileMode} *.pem
chown '${data.user}:${data.group}' *.pem
systemd.services = {
"acme-fixperms" = userMigrationService;
} // (mapAttrs' (cert: conf: nameValuePair "acme-${cert}" conf.renewService) certConfigs)
// (optionalAttrs (cfg.preliminarySelfsigned) ({
"acme-selfsigned-ca" = selfsignCAService;
} // (mapAttrs' (cert: conf: nameValuePair "acme-selfsigned-${cert}" conf.selfsignService) certConfigs)));
if [ "$KEY_CHANGED" = "yes" ]; then
: # noop in case postRun is empty
${data.postRun}
fi
'';
in
"+${script}";
};
systemd.timers = mapAttrs' (cert: conf: nameValuePair "acme-${cert}" conf.renewTimer) certConfigs;
};
selfsignedService = {
description = "Create preliminary self-signed certificate for ${cert}";
path = [ pkgs.openssl ];
script =
''
workdir="$(mktemp -d)"
# .lego and .lego/accounts specified to fix any incorrect permissions
systemd.tmpfiles.rules = [
"d /var/lib/acme/.lego - acme acme"
"d /var/lib/acme/.lego/accounts - acme acme"
] ++ (unique (concatMap (conf: [
"d ${conf.accountDir} - acme acme"
] ++ (optional (conf.webroot != null) "d ${conf.webroot}/.well-known/acme-challenge - acme ${conf.group}")
) (attrValues certConfigs)));
# Create CA
openssl genrsa -des3 -passout pass:xxxx -out $workdir/ca.pass.key 2048
openssl rsa -passin pass:xxxx -in $workdir/ca.pass.key -out $workdir/ca.key
openssl req -new -key $workdir/ca.key -out $workdir/ca.csr \
-subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=Security Department/CN=example.com"
openssl x509 -req -days 1 -in $workdir/ca.csr -signkey $workdir/ca.key -out $workdir/ca.crt
# Create key
openssl genrsa -des3 -passout pass:xxxx -out $workdir/server.pass.key 2048
openssl rsa -passin pass:xxxx -in $workdir/server.pass.key -out $workdir/server.key
openssl req -new -key $workdir/server.key -out $workdir/server.csr \
-subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"
openssl x509 -req -days 1 -in $workdir/server.csr -CA $workdir/ca.crt \
-CAkey $workdir/ca.key -CAserial $workdir/ca.srl -CAcreateserial \
-out $workdir/server.crt
# Copy key to destination
cp $workdir/server.key ${apath}/key.pem
# Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates)
cat $workdir/{server.crt,ca.crt} > "${apath}/fullchain.pem"
# Create full.pem for e.g. lighttpd
cat $workdir/{server.key,server.crt,ca.crt} > "${apath}/full.pem"
# Give key acme permissions
chown '${data.user}:${data.group}' "${apath}/"{key,fullchain,full}.pem
chmod ${fileMode} "${apath}/"{key,fullchain,full}.pem
'';
serviceConfig = {
Type = "oneshot";
PrivateTmp = true;
StateDirectory = lpath;
User = data.user;
Group = data.group;
};
unitConfig = {
# Do not create self-signed key when key already exists
ConditionPathExists = "!${apath}/key.pem";
};
};
in (
[ { name = "acme-${cert}"; value = acmeService; } ]
++ optional cfg.preliminarySelfsigned { name = "acme-selfsigned-${cert}"; value = selfsignedService; }
);
servicesAttr = listToAttrs services;
in
servicesAttr;
systemd.tmpfiles.rules =
map (data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}") (filter (data: data.webroot != null) (attrValues cfg.certs));
systemd.timers = let
# Allow systemd to pick a convenient time within the day
# to run the check.
# This allows the coalescing of multiple timer jobs.
# We divide by the number of certificates so that if you
# have many certificates, the renewals are distributed over
# the course of the day to avoid rate limits.
numCerts = length (attrNames cfg.certs);
_24hSecs = 60 * 60 * 24;
AccuracySec = "${toString (_24hSecs / numCerts)}s";
in flip mapAttrs' cfg.certs (cert: data: nameValuePair
("acme-${cert}")
({
description = "Renew ACME Certificate for ${cert}";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = cfg.renewInterval;
Unit = "acme-${cert}.service";
Persistent = "yes";
inherit AccuracySec;
# Skew randomly within the day, per https://letsencrypt.org/docs/integration-guide/.
RandomizedDelaySec = "24h";
};
})
);
systemd.targets.acme-selfsigned-certificates = mkIf cfg.preliminarySelfsigned {};
systemd.targets.acme-certificates = {};
# Create some targets which can be depended on to be "active" after cert renewals
systemd.targets = mapAttrs' (cert: conf: nameValuePair "acme-finished-${cert}" {
wantedBy = [ "default.target" ];
requires = [ "acme-${cert}.service" ] ++ conf.selfsignedDeps;
after = [ "acme-${cert}.service" ] ++ conf.selfsignedDeps;
}) certConfigs;
})
];
meta = {

20
nixos/modules/security/acme.xml
View file

@ -72,7 +72,7 @@ services.nginx = {
"foo.example.com" = {
<link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
<link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;
# All serverAliases will be added as <link linkend="opt-security.acme.certs._name_.extraDomains">extra domains</link> on the certificate.
# All serverAliases will be added as <link linkend="opt-security.acme.certs._name_.extraDomainNames">extra domain names</link> on the certificate.
<link linkend="opt-services.nginx.virtualHosts._name_.serverAliases">serverAliases</link> = [ "bar.example.com" ];
locations."/" = {
<link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/www";
@ -80,8 +80,8 @@ services.nginx = {
};
# We can also add a different vhost and reuse the same certificate
# but we have to append extraDomains manually.
<link linkend="opt-security.acme.certs._name_.extraDomains">security.acme.certs."foo.example.com".extraDomains."baz.example.com"</link> = null;
# but we have to append extraDomainNames manually.
<link linkend="opt-security.acme.certs._name_.extraDomainNames">security.acme.certs."foo.example.com".extraDomainNames</link> = [ "baz.example.com" ];
"baz.example.com" = {
<link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
<link linkend="opt-services.nginx.virtualHosts._name_.useACMEHost">useACMEHost</link> = "foo.example.com";
@ -165,7 +165,7 @@ services.httpd = {
# Since we have a wildcard vhost to handle port 80,
# we can generate certs for anything!
# Just make sure your DNS resolves them.
<link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains</link> = [ "mail.example.com" ];
<link linkend="opt-security.acme.certs._name_.extraDomainNames">extraDomainNames</link> = [ "mail.example.com" ];
};
</programlisting>
@ -251,4 +251,16 @@ chmod 400 /var/lib/secrets/certs.secret
journalctl -fu acme-example.com.service</literal> and watching its log output.
</para>
</section>
<section xml:id="module-security-acme-regenerate">
<title>Regenerating certificates</title>
<para>
Should you need to regenerate a particular certificate in a hurry, such
as when a vulnerability is found in Let's Encrypt, there is now a convenient
mechanism for doing so. Running <literal>systemctl clean acme-example.com.service</literal>
will remove all certificate files for the given domain, allowing you to then
<literal>systemctl start acme-example.com.service</literal> to generate fresh
ones.
</para>
</section>
</chapter>

22
nixos/modules/services/backup/borgbackup.xml
View file

@ -197,26 +197,8 @@ sudo borg init --encryption=repokey-blake2 \
disk failure, ransomware and theft.
</para>
<para>
It is available as a flatpak package. To enable it you must set the
following two configuration items.
</para>
<para>
<programlisting>
services.flatpak.enable = true ;
# next line is needed to avoid the Error
# Error deploying: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown:
services.accounts-daemon.enable = true;
</programlisting>
</para>
<para>As a normal user you must first install, then run vorta using the
following commands:
<programlisting>
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak install flathub com.borgbase.Vorta
flatpak run --branch=stable --arch=x86_64 --command=vorta com.borgbase.Vorta
</programlisting>
After running <code>flatpak install</code> you can start Vorta also via
the KDE application menu.
It can be installed in NixOS e.g. by adding <package>pkgs.vorta</package>
to <xref linkend="opt-environment.systemPackages" />.
</para>
<para>
Details about using Vorta can be found under <link

13
nixos/modules/services/development/lorri.nix
View file

@ -15,6 +15,15 @@ in {
issued by the `lorri` command.
'';
};
package = lib.mkOption {
default = pkgs.lorri;
type = lib.types.package;
description = ''
The lorri package to use.
'';
defaultText = lib.literalExample "pkgs.lorri";
example = lib.literalExample "pkgs.lorri";
};
};
};
@ -34,7 +43,7 @@ in {
after = [ "lorri.socket" ];
path = with pkgs; [ config.nix.package git gnutar gzip ];
serviceConfig = {
ExecStart = "${pkgs.lorri}/bin/lorri daemon";
ExecStart = "${cfg.package}/bin/lorri daemon";
PrivateTmp = true;
ProtectSystem = "strict";
ProtectHome = "read-only";
@ -42,6 +51,6 @@ in {
};
};
environment.systemPackages = [ pkgs.lorri ];
environment.systemPackages = [ cfg.package ];
};
}

3
nixos/modules/services/monitoring/prometheus/exporters.nix
View file

@ -84,7 +84,8 @@ let
};
firewallFilter = mkOption {
type = types.str;
default = "-p tcp -m tcp --dport ${toString port}";
default = "-p tcp -m tcp --dport ${toString cfg.${name}.port}";
defaultText = "-p tcp -m tcp --dport ${toString port}";
example = literalExample ''
"-i eth0 -p tcp -m tcp --dport ${toString port}"
'';

5
nixos/modules/services/networking/prosody.xml
View file

@ -65,7 +65,7 @@ services.prosody = {
you'll need a single TLS certificate covering your main endpoint,
the MUC one as well as the HTTP Upload one. We can generate such a
certificate by leveraging the ACME
<link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains</link> module option.
<link linkend="opt-security.acme.certs._name_.extraDomainNames">extraDomainNames</link> module option.
</para>
<para>
Provided the setup detailed in the previous section, you'll need the following acme configuration to generate
@ -78,8 +78,7 @@ security.acme = {
"example.org" = {
<link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/www/example.org";
<link linkend="opt-security.acme.certs._name_.email">email</link> = "root@example.org";
<link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains."conference.example.org"</link> = null;
<link linkend="opt-security.acme.certs._name_.extraDomains">extraDomains."upload.example.org"</link> = null;
<link linkend="opt-security.acme.certs._name_.extraDomainNames">extraDomainNames</link> = [ "conference.example.org" "upload.example.org" ];
};
};
};</programlisting>

10
nixos/modules/services/networking/ssh/sshd.nix
View file

@ -232,6 +232,14 @@ in
'';
};
banner = mkOption {
type = types.nullOr types.lines;
default = null;
description = ''
Message to display to the remote user before authentication is allowed.
'';
};
authorizedKeysFiles = mkOption {
type = types.listOf types.str;
default = [];
@ -474,6 +482,8 @@ in
''
UsePAM yes
Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
${concatMapStrings (port: ''
Port ${toString port}

77
nixos/modules/services/web-servers/apache-httpd/default.nix
View file

@ -6,6 +6,8 @@ let
cfg = config.services.httpd;
certs = config.security.acme.certs;
runtimeDir = "/run/httpd";
pkg = cfg.package.out;
@ -26,6 +28,13 @@ let
vhosts = attrValues cfg.virtualHosts;
# certName is used later on to determine systemd service names.
acmeEnabledVhosts = map (hostOpts: hostOpts // {
certName = if hostOpts.useACMEHost != null then hostOpts.useACMEHost else hostOpts.hostName;
}) (filter (hostOpts: hostOpts.enableACME || hostOpts.useACMEHost != null) vhosts);
dependentCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts);
mkListenInfo = hostOpts:
if hostOpts.listen != [] then hostOpts.listen
else (
@ -125,13 +134,13 @@ let
useACME = hostOpts.enableACME || hostOpts.useACMEHost != null;
sslCertDir =
if hostOpts.enableACME then config.security.acme.certs.${hostOpts.hostName}.directory
else if hostOpts.useACMEHost != null then config.security.acme.certs.${hostOpts.useACMEHost}.directory
if hostOpts.enableACME then certs.${hostOpts.hostName}.directory
else if hostOpts.useACMEHost != null then certs.${hostOpts.useACMEHost}.directory
else abort "This case should never happen.";
sslServerCert = if useACME then "${sslCertDir}/full.pem" else hostOpts.sslServerCert;
sslServerCert = if useACME then "${sslCertDir}/fullchain.pem" else hostOpts.sslServerCert;
sslServerKey = if useACME then "${sslCertDir}/key.pem" else hostOpts.sslServerKey;
sslServerChain = if useACME then "${sslCertDir}/fullchain.pem" else hostOpts.sslServerChain;
sslServerChain = if useACME then "${sslCertDir}/chain.pem" else hostOpts.sslServerChain;
acmeChallenge = optionalString useACME ''
Alias /.well-known/acme-challenge/ "${hostOpts.acmeRoot}/.well-known/acme-challenge/"
@ -347,7 +356,6 @@ let
cat ${php.phpIni} > $out
echo "$options" >> $out
'';
in
@ -647,14 +655,17 @@ in
wwwrun.gid = config.ids.gids.wwwrun;
};
security.acme.certs = mapAttrs (name: hostOpts: {
user = cfg.user;
group = mkDefault cfg.group;
email = if hostOpts.adminAddr != null then hostOpts.adminAddr else cfg.adminAddr;
webroot = hostOpts.acmeRoot;
extraDomains = genAttrs hostOpts.serverAliases (alias: null);
postRun = "systemctl reload httpd.service";
}) (filterAttrs (name: hostOpts: hostOpts.enableACME) cfg.virtualHosts);
security.acme.certs = let
acmePairs = map (hostOpts: nameValuePair hostOpts.hostName {
group = mkDefault cfg.group;
webroot = hostOpts.acmeRoot;
extraDomainNames = hostOpts.serverAliases;
# Use the vhost-specific email address if provided, otherwise let
# security.acme.email or security.acme.certs.<cert>.email be used.
email = mkOverride 2000 (if hostOpts.adminAddr != null then hostOpts.adminAddr else cfg.adminAddr);
# Filter for enableACME-only vhosts. Don't want to create dud certs
}) (filter (hostOpts: hostOpts.useACMEHost == null) acmeEnabledVhosts);
in listToAttrs acmePairs;
environment.systemPackages = [
apachectl
@ -724,16 +735,12 @@ in
"Z '${cfg.logDir}' - ${svc.User} ${svc.Group}"
];
systemd.services.httpd =
let
vhostsACME = filter (hostOpts: hostOpts.enableACME) vhosts;
in
{ description = "Apache HTTPD";
systemd.services.httpd = {
description = "Apache HTTPD";
wantedBy = [ "multi-user.target" ];
wants = concatLists (map (hostOpts: [ "acme-${hostOpts.hostName}.service" "acme-selfsigned-${hostOpts.hostName}.service" ]) vhostsACME);
after = [ "network.target" "fs.target" ] ++ map (hostOpts: "acme-selfsigned-${hostOpts.hostName}.service") vhostsACME;
before = map (hostOpts: "acme-${hostOpts.hostName}.service") vhostsACME;
wants = concatLists (map (certName: [ "acme-finished-${certName}.target" ]) dependentCertNames);
after = [ "network.target" ] ++ map (certName: "acme-selfsigned-${certName}.service") dependentCertNames;
before = map (certName: "acme-${certName}.service") dependentCertNames;
path = [ pkg pkgs.coreutils pkgs.gnugrep ];
@ -767,5 +774,31 @@ in
};
};
# postRun hooks on cert renew can't be used to restart Apache since renewal
# runs as the unprivileged acme user. sslTargets are added to wantedBy + before
# which allows the acme-finished-$cert.target to signify the successful updating
# of certs end-to-end.
systemd.services.httpd-config-reload = let
sslServices = map (certName: "acme-${certName}.service") dependentCertNames;
sslTargets = map (certName: "acme-finished-${certName}.target") dependentCertNames;
in mkIf (sslServices != []) {
wantedBy = sslServices ++ [ "multi-user.target" ];
# Before the finished targets, after the renew services.
# This service might be needed for HTTP-01 challenges, but we only want to confirm
# certs are updated _after_ config has been reloaded.
before = sslTargets;
after = sslServices;
# Block reloading if not all certs exist yet.
# Happens when config changes add new vhosts/certs.
unitConfig.ConditionPathExists = map (certName: certs.${certName}.directory + "/fullchain.pem") dependentCertNames;
serviceConfig = {
Type = "oneshot";
TimeoutSec = 60;
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active httpd.service";
ExecStartPre = "${pkg}/bin/httpd -f ${httpdConf} -t";
ExecStart = "/run/current-system/systemd/bin/systemctl reload httpd.service";
};
};
};
}

88
nixos/modules/services/web-servers/nginx/default.nix
View file

@ -6,23 +6,23 @@ let
cfg = config.services.nginx;
certs = config.security.acme.certs;
vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;
acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME && vhostConfig.useACMEHost == null) vhostsConfigs;
acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME || vhostConfig.useACMEHost != null) vhostsConfigs;
dependentCertNames = unique (map (hostOpts: hostOpts.certName) acmeEnabledVhosts);
virtualHosts = mapAttrs (vhostName: vhostConfig:
let
serverName = if vhostConfig.serverName != null
then vhostConfig.serverName
else vhostName;
certName = if vhostConfig.useACMEHost != null
then vhostConfig.useACMEHost
else serverName;
in
vhostConfig // {
inherit serverName;
} // (optionalAttrs vhostConfig.enableACME {
sslCertificate = "${certs.${serverName}.directory}/fullchain.pem";
sslCertificateKey = "${certs.${serverName}.directory}/key.pem";
sslTrustedCertificate = "${certs.${serverName}.directory}/full.pem";
}) // (optionalAttrs (vhostConfig.useACMEHost != null) {
sslCertificate = "${certs.${vhostConfig.useACMEHost}.directory}/fullchain.pem";
sslCertificateKey = "${certs.${vhostConfig.useACMEHost}.directory}/key.pem";
sslTrustedCertificate = "${certs.${vhostConfig.useACMEHost}.directory}/fullchain.pem";
inherit serverName certName;
} // (optionalAttrs (vhostConfig.enableACME || vhostConfig.useACMEHost != null) {
sslCertificate = "${certs.${certName}.directory}/fullchain.pem";
sslCertificateKey = "${certs.${certName}.directory}/key.pem";
sslTrustedCertificate = "${certs.${certName}.directory}/chain.pem";
})
) cfg.virtualHosts;
enableIPv6 = config.networking.enableIPv6;
@ -691,12 +691,12 @@ in
systemd.services.nginx = {
description = "Nginx Web Server";
wantedBy = [ "multi-user.target" ];
wants = concatLists (map (vhostConfig: ["acme-${vhostConfig.serverName}.service" "acme-selfsigned-${vhostConfig.serverName}.service"]) acmeEnabledVhosts);
after = [ "network.target" ] ++ map (vhostConfig: "acme-selfsigned-${vhostConfig.serverName}.service") acmeEnabledVhosts;
wants = concatLists (map (certName: [ "acme-finished-${certName}.target" ]) dependentCertNames);
after = [ "network.target" ] ++ map (certName: "acme-selfsigned-${certName}.service") dependentCertNames;
# Nginx needs to be started in order to be able to request certificates
# (it's hosting the acme challenge after all)
# This fixes https://github.com/NixOS/nixpkgs/issues/81842
before = map (vhostConfig: "acme-${vhostConfig.serverName}.service") acmeEnabledVhosts;
before = map (certName: "acme-${certName}.service") dependentCertNames;
stopIfChanged = false;
preStart = ''
${cfg.preStart}
@ -753,37 +753,41 @@ in
source = configFile;
};
systemd.services.nginx-config-reload = mkIf cfg.enableReload {
wants = [ "nginx.service" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [ configFile ];
# commented, because can cause extra delays during activate for this config:
# services.nginx.virtualHosts."_".locations."/".proxyPass = "http://blabla:3000";
# stopIfChanged = false;
serviceConfig.Type = "oneshot";
serviceConfig.TimeoutSec = 60;
script = ''
if /run/current-system/systemd/bin/systemctl -q is-active nginx.service ; then
/run/current-system/systemd/bin/systemctl reload nginx.service
fi
'';
serviceConfig.RemainAfterExit = true;
# postRun hooks on cert renew can't be used to restart Nginx since renewal
# runs as the unprivileged acme user. sslTargets are added to wantedBy + before
# which allows the acme-finished-$cert.target to signify the successful updating
# of certs end-to-end.
systemd.services.nginx-config-reload = let
sslServices = map (certName: "acme-${certName}.service") dependentCertNames;
sslTargets = map (certName: "acme-finished-${certName}.target") dependentCertNames;
in mkIf (cfg.enableReload || sslServices != []) {
wants = optionals (cfg.enableReload) [ "nginx.service" ];
wantedBy = sslServices ++ [ "multi-user.target" ];
# Before the finished targets, after the renew services.
# This service might be needed for HTTP-01 challenges, but we only want to confirm
# certs are updated _after_ config has been reloaded.
before = sslTargets;
after = sslServices;
restartTriggers = optionals (cfg.enableReload) [ configFile ];
# Block reloading if not all certs exist yet.
# Happens when config changes add new vhosts/certs.
unitConfig.ConditionPathExists = optionals (sslServices != []) (map (certName: certs.${certName}.directory + "/fullchain.pem") dependentCertNames);
serviceConfig = {
Type = "oneshot";
TimeoutSec = 60;
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active nginx.service";
ExecStart = "/run/current-system/systemd/bin/systemctl reload nginx.service";
};
};
security.acme.certs = filterAttrs (n: v: v != {}) (
let
acmePairs = map (vhostConfig: { name = vhostConfig.serverName; value = {
user = cfg.user;
group = lib.mkDefault cfg.group;
webroot = vhostConfig.acmeRoot;
extraDomains = genAttrs vhostConfig.serverAliases (alias: null);
postRun = ''
/run/current-system/systemd/bin/systemctl reload nginx
'';
}; }) acmeEnabledVhosts;
in
listToAttrs acmePairs
);
security.acme.certs = let
acmePairs = map (vhostConfig: nameValuePair vhostConfig.serverName {
group = mkDefault cfg.group;
webroot = vhostConfig.acmeRoot;
extraDomainNames = vhostConfig.serverAliases;
# Filter for enableACME-only vhosts. Don't want to create dud certs
}) (filter (vhostConfig: vhostConfig.useACMEHost == null) acmeEnabledVhosts);
in listToAttrs acmePairs;
users.users = optionalAttrs (cfg.user == "nginx") {
nginx = {

372
nixos/tests/acme.nix
View file

@ -1,29 +1,43 @@
let
commonConfig = ./common/acme/client;
dnsScript = {writeScript, dnsAddress, bash, curl}: writeScript "dns-hook.sh" ''
#!${bash}/bin/bash
dnsServerIP = nodes: nodes.dnsserver.config.networking.primaryIPAddress;
dnsScript = {pkgs, nodes}: let
dnsAddress = dnsServerIP nodes;
in pkgs.writeShellScript "dns-hook.sh" ''
set -euo pipefail
echo '[INFO]' "[$2]" 'dns-hook.sh' $*
if [ "$1" = "present" ]; then
${curl}/bin/curl --data '{"host": "'"$2"'", "value": "'"$3"'"}' http://${dnsAddress}:8055/set-txt
${pkgs.curl}/bin/curl --data '{"host": "'"$2"'", "value": "'"$3"'"}' http://${dnsAddress}:8055/set-txt
else
${curl}/bin/curl --data '{"host": "'"$2"'"}' http://${dnsAddress}:8055/clear-txt
${pkgs.curl}/bin/curl --data '{"host": "'"$2"'"}' http://${dnsAddress}:8055/clear-txt
fi
'';
documentRoot = pkgs: pkgs.runCommand "docroot" {} ''
mkdir -p "$out"
echo hello world > "$out/index.html"
'';
vhostBase = pkgs: {
forceSSL = true;
locations."/".root = documentRoot pkgs;
};
in import ./make-test-python.nix ({ lib, ... }: {
name = "acme";
meta.maintainers = lib.teams.acme.members;
nodes = rec {
nodes = {
# The fake ACME server which will respond to client requests
acme = { nodes, lib, ... }: {
imports = [ ./common/acme/server ];
networking.nameservers = lib.mkForce [
nodes.dnsserver.config.networking.primaryIPAddress
];
networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];
};
# A fake DNS server which can be configured with records as desired
# Used to test DNS-01 challenge
dnsserver = { nodes, pkgs, ... }: {
networking.firewall.allowedTCPPorts = [ 8055 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
@ -39,112 +53,97 @@ in import ./make-test-python.nix ({ lib, ... }: {
};
};
acmeStandalone = { nodes, lib, config, pkgs, ... }: {
imports = [ commonConfig ];
networking.nameservers = lib.mkForce [
nodes.dnsserver.config.networking.primaryIPAddress
];
networking.firewall.allowedTCPPorts = [ 80 ];
security.acme.certs."standalone.test" = {
webroot = "/var/lib/acme/acme-challenges";
};
systemd.targets."acme-finished-standalone.test" = {
after = [ "acme-standalone.test.service" ];
wantedBy = [ "acme-standalone.test.service" ];
};
services.nginx.enable = true;
services.nginx.virtualHosts."standalone.test" = {
locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenges";
};
};
webserver = { nodes, config, pkgs, lib, ... }: {
# A web server which will be the node requesting certs
webserver = { pkgs, nodes, lib, config, ... }: {
imports = [ commonConfig ];
networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.nameservers = lib.mkForce [
nodes.dnsserver.config.networking.primaryIPAddress
];
# A target remains active. Use this to probe the fact that
# a service fired eventhough it is not RemainAfterExit
systemd.targets."acme-finished-a.example.test" = {
after = [ "acme-a.example.test.service" ];
wantedBy = [ "acme-a.example.test.service" ];
# OpenSSL will be used for more thorough certificate validation
environment.systemPackages = [ pkgs.openssl ];
# Set log level to info so that we can see when the service is reloaded
services.nginx.enable = true;
services.nginx.logError = "stderr info";
# First tests configure a basic cert and run a bunch of openssl checks
services.nginx.virtualHosts."a.example.test" = (vhostBase pkgs) // {
enableACME = true;
};
services.nginx.enable = true;
# Used to determine if service reload was triggered
systemd.targets.test-renew-nginx = {
wants = [ "acme-a.example.test.service" ];
after = [ "acme-a.example.test.service" "nginx-config-reload.service" ];
};
services.nginx.virtualHosts."a.example.test" = {
enableACME = true;
forceSSL = true;
locations."/".root = pkgs.runCommand "docroot" {} ''
mkdir -p "$out"
echo hello world > "$out/index.html"
# Cert config changes will not cause the nginx configuration to change.
# This tests that the reload service is correctly triggered.
# It also tests that postRun is exec'd as root
specialisation.cert-change.configuration = { pkgs, ... }: {
security.acme.certs."a.example.test".keyType = "ec384";
security.acme.certs."a.example.test".postRun = ''
set -euo pipefail
touch test
chown root:root test
echo testing > test
'';
};
security.acme.server = "https://acme.test/dir";
specialisation.second-cert.configuration = {pkgs, ...}: {
systemd.targets."acme-finished-b.example.test" = {
after = [ "acme-b.example.test.service" ];
wantedBy = [ "acme-b.example.test.service" ];
};
services.nginx.virtualHosts."b.example.test" = {
enableACME = true;
forceSSL = true;
locations."/".root = pkgs.runCommand "docroot" {} ''
mkdir -p "$out"
echo hello world > "$out/index.html"
'';
# Now adding an alias to ensure that the certs are updated
specialisation.nginx-aliases.configuration = { pkgs, ... }: {
services.nginx.virtualHosts."a.example.test" = {
serverAliases = [ "b.example.test" ];
};
};
specialisation.dns-01.configuration = {pkgs, config, nodes, lib, ...}: {
# Test using Apache HTTPD
specialisation.httpd-aliases.configuration = { pkgs, config, lib, ... }: {
services.nginx.enable = lib.mkForce false;
services.httpd.enable = true;
services.httpd.adminAddr = config.security.acme.email;
services.httpd.virtualHosts."c.example.test" = {
serverAliases = [ "d.example.test" ];
forceSSL = true;
enableACME = true;
documentRoot = documentRoot pkgs;
};
# Used to determine if service reload was triggered
systemd.targets.test-renew-httpd = {
wants = [ "acme-c.example.test.service" ];
after = [ "acme-c.example.test.service" "httpd-config-reload.service" ];
};
};
# Validation via DNS-01 challenge
specialisation.dns-01.configuration = { pkgs, config, nodes, ... }: {
security.acme.certs."example.test" = {
domain = "*.example.test";
group = config.services.nginx.group;
dnsProvider = "exec";
dnsPropagationCheck = false;
credentialsFile = with pkgs; writeText "wildcard.env" ''
EXEC_PATH=${dnsScript { inherit writeScript bash curl; dnsAddress = nodes.dnsserver.config.networking.primaryIPAddress; }}
credentialsFile = pkgs.writeText "wildcard.env" ''
EXEC_PATH=${dnsScript { inherit pkgs nodes; }}
'';
user = config.services.nginx.user;
group = config.services.nginx.group;
};
systemd.targets."acme-finished-example.test" = {
after = [ "acme-example.test.service" ];
wantedBy = [ "acme-example.test.service" ];
};
systemd.services."acme-example.test" = {
before = [ "nginx.service" ];
wantedBy = [ "nginx.service" ];
};
services.nginx.virtualHosts."c.example.test" = {
forceSSL = true;
sslCertificate = config.security.acme.certs."example.test".directory + "/cert.pem";
sslTrustedCertificate = config.security.acme.certs."example.test".directory + "/full.pem";
sslCertificateKey = config.security.acme.certs."example.test".directory + "/key.pem";
locations."/".root = pkgs.runCommand "docroot" {} ''
mkdir -p "$out"
echo hello world > "$out/index.html"
'';
services.nginx.virtualHosts."dns.example.test" = (vhostBase pkgs) // {
useACMEHost = "example.test";
};
};
# When nginx depends on a service that is slow to start up, requesting used to fail
# certificates fail. Reproducer for https://github.com/NixOS/nixpkgs/issues/81842
specialisation.slow-startup.configuration = { pkgs, config, nodes, lib, ...}: {
# Validate service relationships by adding a slow start service to nginx' wants.
# Reproducer for https://github.com/NixOS/nixpkgs/issues/81842
specialisation.slow-startup.configuration = { pkgs, config, nodes, lib, ... }: {
systemd.services.my-slow-service = {
wantedBy = [ "multi-user.target" "nginx.service" ];
before = [ "nginx.service" ];
preStart = "sleep 5";
script = "${pkgs.python3}/bin/python -m http.server";
};
systemd.targets."acme-finished-d.example.com" = {
after = [ "acme-d.example.com.service" ];
wantedBy = [ "acme-d.example.com.service" ];
};
services.nginx.virtualHosts."d.example.com" = {
services.nginx.virtualHosts."slow.example.com" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:8000";
@ -152,11 +151,13 @@ in import ./make-test-python.nix ({ lib, ... }: {
};
};
client = {nodes, lib, ...}: {
# The client will be used to curl the webserver to validate configuration
client = {nodes, lib, pkgs, ...}: {
imports = [ commonConfig ];
networking.nameservers = lib.mkForce [
nodes.dnsserver.config.networking.primaryIPAddress
];
networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];
# OpenSSL will be used for more thorough certificate validation
environment.systemPackages = [ pkgs.openssl ];
};
};
@ -167,73 +168,168 @@ in import ./make-test-python.nix ({ lib, ... }: {
in
# Note, wait_for_unit does not work for oneshot services that do not have RemainAfterExit=true,
# this is because a oneshot goes from inactive => activating => inactive, and never
# reaches the active state. To work around this, we create some mock target units which
# get pulled in by the oneshot units. The target units linger after activation, and hence we
# can use them to probe that a oneshot fired. It is a bit ugly, but it is the best we can do
# reaches the active state. Targets do not have this issue.
''
import time
has_switched = False
def switch_to(node, name):
global has_switched
if has_switched:
node.succeed(
"${switchToNewServer}"
)
has_switched = True
node.succeed(
f"/run/current-system/specialisation/{name}/bin/switch-to-configuration test"
)
# Ensures the issuer of our cert matches the chain
# and matches the issuer we expect it to be.
# It's a good validation to ensure the cert.pem and fullchain.pem
# are not still selfsigned afer verification
def check_issuer(node, cert_name, issuer):
for fname in ("cert.pem", "fullchain.pem"):
actual_issuer = node.succeed(
f"openssl x509 -noout -issuer -in /var/lib/acme/{cert_name}/{fname}"
).partition("=")[2]
print(f"{fname} issuer: {actual_issuer}")
assert issuer.lower() in actual_issuer.lower()
# Ensure cert comes before chain in fullchain.pem
def check_fullchain(node, cert_name):
subject_data = node.succeed(
f"openssl crl2pkcs7 -nocrl -certfile /var/lib/acme/{cert_name}/fullchain.pem"
" | openssl pkcs7 -print_certs -noout"
)
for line in subject_data.lower().split("\n"):
if "subject" in line:
print(f"First subject in fullchain.pem: ", line)
assert cert_name.lower() in line
return
assert False
def check_connection(node, domain, retries=3):
assert retries >= 0
result = node.succeed(
"openssl s_client -brief -verify 2 -CAfile /tmp/ca.crt"
f" -servername {domain} -connect {domain}:443 < /dev/null 2>&1"
)
for line in result.lower().split("\n"):
if "verification" in line and "error" in line:
time.sleep(1)
return check_connection(node, domain, retries - 1)
def check_connection_key_bits(node, domain, bits, retries=3):
assert retries >= 0
result = node.succeed(
"openssl s_client -CAfile /tmp/ca.crt"
f" -servername {domain} -connect {domain}:443 < /dev/null"
" | openssl x509 -noout -text | grep -i Public-Key"
)
print("Key type:", result)
if bits not in result:
time.sleep(1)
return check_connection_key_bits(node, domain, bits, retries - 1)
client.start()
dnsserver.start()
acme.wait_for_unit("default.target")
dnsserver.wait_for_unit("pebble-challtestsrv.service")
client.wait_for_unit("default.target")
client.succeed(
'curl --data \'{"host": "acme.test", "addresses": ["${nodes.acme.config.networking.primaryIPAddress}"]}\' http://${nodes.dnsserver.config.networking.primaryIPAddress}:8055/add-a'
)
client.succeed(
'curl --data \'{"host": "standalone.test", "addresses": ["${nodes.acmeStandalone.config.networking.primaryIPAddress}"]}\' http://${nodes.dnsserver.config.networking.primaryIPAddress}:8055/add-a'
'curl --data \'{"host": "acme.test", "addresses": ["${nodes.acme.config.networking.primaryIPAddress}"]}\' http://${dnsServerIP nodes}:8055/add-a'
)
acme.start()
acmeStandalone.start()
webserver.start()
acme.wait_for_unit("default.target")
acme.wait_for_unit("pebble.service")
with subtest("can request certificate with HTTPS-01 challenge"):
acmeStandalone.wait_for_unit("default.target")
acmeStandalone.succeed("systemctl start acme-standalone.test.service")
acmeStandalone.wait_for_unit("acme-finished-standalone.test.target")
client.wait_for_unit("default.target")
client.succeed("curl https://acme.test:15000/roots/0 > /tmp/ca.crt")
client.succeed("curl https://acme.test:15000/intermediate-keys/0 >> /tmp/ca.crt")
with subtest("Can request certificate for nginx service"):
with subtest("Can request certificate with HTTPS-01 challenge"):
webserver.wait_for_unit("acme-finished-a.example.test.target")
client.succeed(
"curl --cacert /tmp/ca.crt https://a.example.test/ | grep -qF 'hello world'"
)
check_fullchain(webserver, "a.example.test")
check_issuer(webserver, "a.example.test", "pebble")
check_connection(client, "a.example.test")
with subtest("Can add another certificate for nginx service"):
webserver.succeed(
"/run/current-system/specialisation/second-cert/bin/switch-to-configuration test"
)
webserver.wait_for_unit("acme-finished-b.example.test.target")
client.succeed(
"curl --cacert /tmp/ca.crt https://b.example.test/ | grep -qF 'hello world'"
)
with subtest("Can generate valid selfsigned certs"):
webserver.succeed("systemctl clean acme-a.example.test.service --what=state")
webserver.succeed("systemctl start acme-selfsigned-a.example.test.service")
check_fullchain(webserver, "a.example.test")
check_issuer(webserver, "a.example.test", "minica")
# Will succeed if nginx can load the certs
webserver.succeed("systemctl start nginx-config-reload.service")
with subtest("Can reload nginx when timer triggers renewal"):
webserver.succeed("systemctl start test-renew-nginx.target")
check_issuer(webserver, "a.example.test", "pebble")
check_connection(client, "a.example.test")
with subtest("Can reload web server when cert configuration changes"):
switch_to(webserver, "cert-change")
webserver.wait_for_unit("acme-finished-a.example.test.target")
check_connection_key_bits(client, "a.example.test", "384")
webserver.succeed("grep testing /var/lib/acme/a.example.test/test")
with subtest("Can request certificate with HTTPS-01 when nginx startup is delayed"):
switch_to(webserver, "slow-startup")
webserver.wait_for_unit("acme-finished-slow.example.com.target")
check_issuer(webserver, "slow.example.com", "pebble")
check_connection(client, "slow.example.com")
with subtest("Can request certificate for vhost + aliases (nginx)"):
# Check the key hash before and after adding an alias. It should not change.
# The previous test reverts the ed384 change
webserver.wait_for_unit("acme-finished-a.example.test.target")
keyhash_old = webserver.succeed("md5sum /var/lib/acme/a.example.test/key.pem")
switch_to(webserver, "nginx-aliases")
webserver.wait_for_unit("acme-finished-a.example.test.target")
check_issuer(webserver, "a.example.test", "pebble")
check_connection(client, "a.example.test")
check_connection(client, "b.example.test")
keyhash_new = webserver.succeed("md5sum /var/lib/acme/a.example.test/key.pem")
assert keyhash_old == keyhash_new
with subtest("Can request certificates for vhost + aliases (apache-httpd)"):
switch_to(webserver, "httpd-aliases")
webserver.wait_for_unit("acme-finished-c.example.test.target")
check_issuer(webserver, "c.example.test", "pebble")
check_connection(client, "c.example.test")
check_connection(client, "d.example.test")
with subtest("Can reload httpd when timer triggers renewal"):
# Switch to selfsigned first
webserver.succeed("systemctl clean acme-c.example.test.service --what=state")
webserver.succeed("systemctl start acme-selfsigned-c.example.test.service")
check_issuer(webserver, "c.example.test", "minica")
webserver.succeed("systemctl start httpd-config-reload.service")
webserver.succeed("systemctl start test-renew-httpd.target")
check_issuer(webserver, "c.example.test", "pebble")
check_connection(client, "c.example.test")
with subtest("Can request wildcard certificates using DNS-01 challenge"):
webserver.succeed(
"${switchToNewServer}"
)
webserver.succeed(
"/run/current-system/specialisation/dns-01/bin/switch-to-configuration test"
)
switch_to(webserver, "dns-01")
webserver.wait_for_unit("acme-finished-example.test.target")
client.succeed(
"curl --cacert /tmp/ca.crt https://c.example.test/ | grep -qF 'hello world'"
)
with subtest("Can request certificate of nginx when startup is delayed"):
webserver.succeed(
"${switchToNewServer}"
)
webserver.succeed(
"/run/current-system/specialisation/slow-startup/bin/switch-to-configuration test"
)
webserver.wait_for_unit("acme-finished-d.example.com.target")
client.succeed("curl --cacert /tmp/ca.crt https://d.example.com/")
check_issuer(webserver, "example.test", "pebble")
check_connection(client, "dns.example.test")
'';
})

1
nixos/tests/all-tests.nix
View file

@ -325,6 +325,7 @@ in
sonarr = handleTest ./sonarr.nix {};
sslh = handleTest ./sslh.nix {};
sssd = handleTestOn ["x86_64-linux"] ./sssd.nix {};
sssd-ldap = handleTestOn ["x86_64-linux"] ./sssd-ldap.nix {};
strongswan-swanctl = handleTest ./strongswan-swanctl.nix {};
sudo = handleTest ./sudo.nix {};
switchTest = handleTest ./switch-test.nix {};

11
nixos/tests/common/acme/client/default.nix
View file

@ -1,15 +1,14 @@
{ lib, nodes, pkgs, ... }:
let
acme-ca = nodes.acme.config.test-support.acme.caCert;
in
caCert = nodes.acme.config.test-support.acme.caCert;
caDomain = nodes.acme.config.test-support.acme.caDomain;
{
in {
security.acme = {
server = "https://acme.test/dir";
server = "https://${caDomain}/dir";
email = "hostmaster@example.test";
acceptTerms = true;
};
security.pki.certificateFiles = [ acme-ca ];
security.pki.certificateFiles = [ caCert ];
}

72
nixos/tests/common/acme/server/default.nix
View file

@ -3,7 +3,7 @@
# config.test-support.acme.caCert
#
# This value can be used inside the configuration of other test nodes to inject
# the snakeoil certificate into security.pki.certificateFiles or into package
# the test certificate into security.pki.certificateFiles or into package
# overlays.
#
# Another value that's needed if you don't use a custom resolver (see below for
@ -50,19 +50,13 @@
# Also make sure that whenever you use a resolver from a different test node
# that it has to be started _before_ the ACME service.
{ config, pkgs, lib, ... }:
let
snakeOilCerts = import ./snakeoil-certs.nix;
testCerts = import ./snakeoil-certs.nix {
minica = pkgs.minica;
mkDerivation = pkgs.stdenv.mkDerivation;
};
domain = testCerts.domain;
wfeDomain = "acme.test";
wfeCertFile = snakeOilCerts.${wfeDomain}.cert;
wfeKeyFile = snakeOilCerts.${wfeDomain}.key;
siteDomain = "acme.test";
siteCertFile = snakeOilCerts.${siteDomain}.cert;
siteKeyFile = snakeOilCerts.${siteDomain}.key;
pebble = pkgs.pebble;
resolver = let
message = "You need to define a resolver for the acme test module.";
firstNS = lib.head config.networking.nameservers;
@ -71,8 +65,9 @@ let
pebbleConf.pebble = {
listenAddress = "0.0.0.0:443";
managementListenAddress = "0.0.0.0:15000";
certificate = snakeOilCerts.${wfeDomain}.cert;
privateKey = snakeOilCerts.${wfeDomain}.key;
# These certs and keys are used for the Web Front End (WFE)
certificate = testCerts.${domain}.cert;
privateKey = testCerts.${domain}.key;
httpPort = 80;
tlsPort = 443;
ocspResponderURL = "http://0.0.0.0:4002";
@ -80,18 +75,30 @@ let
};
pebbleConfFile = pkgs.writeText "pebble.conf" (builtins.toJSON pebbleConf);
pebbleDataDir = "/root/pebble";
in {
imports = [ ../../resolver.nix ];
options.test-support.acme.caCert = lib.mkOption {
type = lib.types.path;
description = ''
A certificate file to use with the <literal>nodes</literal> attribute to
inject the snakeoil CA certificate used in the ACME server into
<option>security.pki.certificateFiles</option>.
'';
options.test-support.acme = with lib; {
caDomain = mkOption {
type = types.str;
readOnly = true;
default = domain;
description = ''
A domain name to use with the <literal>nodes</literal> attribute to
identify the CA server.
'';
};
caCert = mkOption {
type = types.path;
readOnly = true;
default = testCerts.ca.cert;
description = ''
A certificate file to use with the <literal>nodes</literal> attribute to
inject the test CA certificate used in the ACME server into
<option>security.pki.certificateFiles</option>.
'';
};
};
config = {
@ -99,35 +106,32 @@ in {
resolver.enable = let
isLocalResolver = config.networking.nameservers == [ "127.0.0.1" ];
in lib.mkOverride 900 isLocalResolver;
acme.caCert = snakeOilCerts.ca.cert;
};
# This has priority 140, because modules/testing/test-instrumentation.nix
# already overrides this with priority 150.
networking.nameservers = lib.mkOverride 140 [ "127.0.0.1" ];
networking.firewall.enable = false;
networking.firewall.allowedTCPPorts = [ 80 443 15000 4002 ];
networking.extraHosts = ''
127.0.0.1 ${wfeDomain}
${config.networking.primaryIPAddress} ${wfeDomain} ${siteDomain}
127.0.0.1 ${domain}
${config.networking.primaryIPAddress} ${domain}
'';
systemd.services = {
pebble = {
enable = true;
description = "Pebble ACME server";
requires = [ ];
wantedBy = [ "network.target" ];
preStart = ''
mkdir ${pebbleDataDir}
'';
script = ''
cd ${pebbleDataDir}
${pebble}/bin/pebble -config ${pebbleConfFile}
'';
serviceConfig = {
RuntimeDirectory = "pebble";
WorkingDirectory = "/run/pebble";
# Required to bind on privileged ports.
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
ExecStart = "${pkgs.pebble}/bin/pebble -config ${pebbleConfFile}";
};
};
};

69
nixos/tests/common/acme/server/mkcerts.nix
View file

@ -1,69 +0,0 @@
{ pkgs ? import <nixpkgs> {}
, lib ? pkgs.lib
, domains ? [ "acme.test" ]
}:
pkgs.runCommand "acme-snakeoil-ca" {
nativeBuildInputs = [ pkgs.openssl ];
} ''
addpem() {
local file="$1"; shift
local storeFileName="$(IFS=.; echo "$*")"
echo -n " " >> "$out"
# Every following argument is an attribute, so let's recurse and check
# every attribute whether it must be quoted and write it into $out.
while [ -n "$1" ]; do
if expr match "$1" '^[a-zA-Z][a-zA-Z0-9]*$' > /dev/null; then
echo -n "$1" >> "$out"
else
echo -n '"' >> "$out"
echo -n "$1" | sed -e 's/["$]/\\&/g' >> "$out"
echo -n '"' >> "$out"
fi
shift
[ -z "$1" ] || echo -n . >> "$out"
done
echo " = builtins.toFile \"$storeFileName\" '''" >> "$out"
sed -e 's/^/ /' "$file" >> "$out"
echo " ''';" >> "$out"
}
echo '# Generated via mkcert.sh in the same directory.' > "$out"
echo '{' >> "$out"
openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 \
-subj '/CN=Snakeoil CA' -nodes -out ca.pem -keyout ca.key
addpem ca.key ca key
addpem ca.pem ca cert
${lib.concatMapStrings (fqdn: let
opensslConfig = pkgs.writeText "snakeoil.cnf" ''
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
CN = ${fqdn}
[req_ext]
subjectAltName = DNS:${fqdn}
'';
in ''
export OPENSSL_CONF=${lib.escapeShellArg opensslConfig}
openssl genrsa -out snakeoil.key 4096
openssl req -new -key snakeoil.key -out snakeoil.csr
openssl x509 -req -in snakeoil.csr -sha256 -set_serial 666 \
-CA ca.pem -CAkey ca.key -out snakeoil.pem -days 36500 \
-extfile "$OPENSSL_CONF" -extensions req_ext
addpem snakeoil.key ${lib.escapeShellArg fqdn} key
addpem snakeoil.pem ${lib.escapeShellArg fqdn} cert
'') domains}
echo '}' >> "$out"
''

6
nixos/tests/common/acme/server/mkcerts.sh
View file

@ -1,6 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -p nix bash -i bash
set -e
cd "$(dirname "$0")"
storepath="$(nix-build --no-out-link mkcerts.nix)"
cat "$storepath" > snakeoil-certs.nix

207
nixos/tests/common/acme/server/snakeoil-certs.nix
View file

@ -1,172 +1,37 @@
# Generated via mkcert.sh in the same directory.
{
ca.key = builtins.toFile "ca.key" ''
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDd1G7OFpXIoHnr
rxdw+hiJVDY6nQDDKFt9FBKwlv7x2hCvX7bnyvHaL7H61c+80McGPISrQn3+MjuR
Zuqwax49DddNXbGt4WqGlx4LAeI37OgNUUz9foNr2rDDV744vwp14/PD1f3nqpWf
Ogzzsh8rxac0mZ5Se9HxOIpI7NRNuHJjj7HWZ4YxeOvi289rmpu0JPcp25njw7h6
FNfHu8GGp34Uj6wAxubdRyfViV8z9FMfbglLuA9i1OiSy3NQpq8VwBG+u/0iC7PQ
sQjxSragQu25sfATYIrFJQ4ZCvh0nxqKMeyPPBi6dAcMpa2AZAqtqv+CwWdo36Bt
S5XiC7rApgYn+yteKQHSbnCiG2W/boSbfg9lRk3w41dESENCADVajLb3Eovvp0tB
O/BALudvWjzAPbpXleVNr6ngWtGlsZTC7LXDgBqdW2KlzpZGcz+PW3ATlwip/ZFR
t7A15u5dVkWPVoPuQ0w1Tw+g9dxWFTNk3h+2d7K87IxQbcvqxeIDSEVFMrxo0e4C
G2udMcelZwARl6iNTAETa2zJW0XtAdGVM+HY1S/kU6U9J3nubDttAkAMABjPwyjL
G7hfyWqUHf9yPs49GsftAVvIy8XIeu0shD1BG11/VzvwpUCiRc+btuWi2erZ4ZfP
oQ5YoS9gt4S+Ipz7TPGBl+AUk9HO2QIDAQABAoICAGW+aLAXxc2GZUVHQp4r55Md
T94kYtQgL4435bafGwH8vchiQzcfazxiweRFqwl0TMS8fzE5xyYPDilLpfsStoTU
U1sFzVfuWviuWTY9P+/ctjZdgs2F+GtAm/CMzw+h9/9IdWbuQI3APO4SJxyjJw7h
kiZbCzXT2uAjybFXBq07GyQ1JSEszGzmhHLB1OoKuL2wcrj9IyFHhNZhtvLCWCoV
qotttjuI/xyg5VFYt5TRzEpPIu5a1pvDAYVK0XI9cXKtbLYp7RlveqMOgAaD+S2a
ZQTV60JH9n4j18p+sKR00SxvZ4vuyXzDePRBDUolGIy9MIJdiLueTiuzDmTmclnM
8Yy7oliawW2Bn+1gaWpqmgzEUw9bXRSqIp2zGZ7HaQ+5c/MhS002+/i8WQyssfeg
9EfI+Vl0D2avTxCECmsfjUxtkhzMYPVNbRPjt0QBEM+s8lDoNsP2zhMO441+TKpe
/5KZHIW+Y0US6GMIUs1o1byKfNz8Nj5HjEKO9CMyK6SBMJnCMroPD4H6opqk3lw9
4mk04BdN556EzyJDT0a5/VpXG2DUYwFaNwE1ZPMu3Yx6IBoM1xx8mR80vHQCddmF
NP+BzkpUiHf0Txyy0YQWECZ/anTt0Bo0XqY5tirIM2dkG0ngNl9tGlw6gVAY1ky8
+cr7qKmhhwMWojaX/L+9AoIBAQD/BZAeF3l9I5RBh6ktWA+opzVyd6ejdLpc2Q1z
fmSmtUKRsEe51sWaIf6Sez408UaCMT2IQuppPgMnV8xfMM1/og75Cs8aPyAohwKo
IbOenXhLfFZiYB4y/Pac3F+FzNKsTT6n+fsE+82UHafY5ZI2FlPb2L0lfyx09zXv
fBYhcXgwSx5ymJLJSl8zFaEGn9qi3UB5ss44SaNM0n8SFGUQUk3PR7SFWSWgNxtl
CP7LWTsjXYoC/qBMe7b8JieK5aFk1EkkG1EkJvdiMnulMcMJzl+kj6LqVPmVDoZS
mMGvgKGJPpFgrbJ5wlA7uOhucGmMpFWP9RCav66DY4GHrLJPAoIBAQDerkZQ03AN
i2iJVjtL97TvDjrE8vtNFS/Auh8JyDIW4GGK3Y/ZoMedQpuu3e6NYM9aMjh+QJoA
kqhaiZ/tMXjEXJByglpc3a43g2ceWtJg5yLgexGgRtegbA57PRCo35Vhc6WycD1l
6FZNxpTkd2BXX/69KWZ6PpSiLYPvdzxP5ZkYqoWRQIa4ee4orHfz/lUXJm1XwmyG
mx3hN9Z9m8Q/PGMGfwrorcp4DK53lmmhTZyPh+X5T5/KkVmrw/v5HEEB3JsknStR
3DAqp2XZcRHsGQef9R7H+PINJm9nebjCraataaE4gr76znXKT23P80Ce5Lw6OQUW
XHhoL16gS+pXAoIBADTuz6ofTz01PFmZsfjSdXWZN1PKGEaqPOB2wP7+9h9QMkAR
KeId/Sfv9GotII1Woz70v4Pf983ebEMnSyla9NyQI7F3l+MnxSIEW/3P+PtsTgLF
DR0gPERzEzEd4Mnh6LyQz/eHwJ2ZMmOTADrZ8848Ni3EwAXfbrfcdBqAVAufBMZp
YSmCF72mLTpqO+EnHvd9GxvnjDxMtJOGgY+cIhoQK0xh4stm5JNrvMjs5A4LOGYv
zSyv80/Mwf92X/DJlwVZttDCxsXNPL3qIpX4TTZk2p9KnRMsjh1tRV4xjMpD1cOp
8/zwMMJrHcI3sC70MERb+9KEmGy2ap+k8MbbhqsCggEAUAqqocDupR+4Kq2BUPQv
6EHgJA0HAZUc/hSotXZtcsWiqiyr2Vkuhzt7BGcnqU/kGJK2tcL42D3fH/QaNUM0
Grj+/voWCw1v4uprtYCF4GkUo0X5dvgf570Pk4LGqzz6z/Wm2LX5i9jwtLItsNWs
HpwVz97CxCwcdxMPOpNMbZek6TXaHvTnuAWz8pDT6TNBWLnqUcJECjpVii/s/Gdy
KhzFp38g57QYdABy8e9x9pYUMY9yvaO+VyzZ46DlwIxEXavzZDzOZnVUJvDW7krz
Wz8/+2I7dzvnnYx0POiG3gtXPzwZxFtS1IpD0r2sRjQ0xSiI9BCs4HXKngBw7gN7
rwKCAQEAloJOFw4bafVXZVXuQVnLDm0/MNTfqxUzFE6V2WkMVkJqcpKt+ndApM8P
MJvojHWw1fmxDzIAwqZ9rXgnwWKydjSZBDYNjhGFUACVywHe5AjC4PPMUdltGptU
lY0BjC7qtwkVugr65goQkEzU61y9JgTqKpYsr3D+qXcoiDvWRuqk5Q0WfYJrUlE0
APWaqbxmkqUVDRrXXrifiluupk+BCV7cFSnnknSYbd9FZd9DuKaoNBlkp2J9LZE+
Ux74Cfro8SHINHmvqL+YLFUPVDWNeuXh5Kl6AaJ7yclCLXLxAIix3/rIf6mJeIGc
s9o9Sr49cibZ3CbMjCSNE3AOeVE1/Q==
-----END PRIVATE KEY-----
'';
ca.cert = builtins.toFile "ca.cert" ''
-----BEGIN CERTIFICATE-----
MIIFDzCCAvegAwIBAgIUX0P6NfX4gRUpFz+TNV/f26GHokgwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAwwLU25ha2VvaWwgQ0EwIBcNMjAwODI0MDc0MjEyWhgPMjEy
MDA3MzEwNzQyMTJaMBYxFDASBgNVBAMMC1NuYWtlb2lsIENBMIICIjANBgkqhkiG
9w0BAQEFAAOCAg8AMIICCgKCAgEA3dRuzhaVyKB5668XcPoYiVQ2Op0AwyhbfRQS
sJb+8doQr1+258rx2i+x+tXPvNDHBjyEq0J9/jI7kWbqsGsePQ3XTV2xreFqhpce
CwHiN+zoDVFM/X6Da9qww1e+OL8KdePzw9X956qVnzoM87IfK8WnNJmeUnvR8TiK
SOzUTbhyY4+x1meGMXjr4tvPa5qbtCT3KduZ48O4ehTXx7vBhqd+FI+sAMbm3Ucn
1YlfM/RTH24JS7gPYtTokstzUKavFcARvrv9Iguz0LEI8Uq2oELtubHwE2CKxSUO
GQr4dJ8aijHsjzwYunQHDKWtgGQKrar/gsFnaN+gbUuV4gu6wKYGJ/srXikB0m5w
ohtlv26Em34PZUZN8ONXREhDQgA1Woy29xKL76dLQTvwQC7nb1o8wD26V5XlTa+p
4FrRpbGUwuy1w4AanVtipc6WRnM/j1twE5cIqf2RUbewNebuXVZFj1aD7kNMNU8P
oPXcVhUzZN4ftneyvOyMUG3L6sXiA0hFRTK8aNHuAhtrnTHHpWcAEZeojUwBE2ts
yVtF7QHRlTPh2NUv5FOlPSd57mw7bQJADAAYz8Moyxu4X8lqlB3/cj7OPRrH7QFb
yMvFyHrtLIQ9QRtdf1c78KVAokXPm7blotnq2eGXz6EOWKEvYLeEviKc+0zxgZfg
FJPRztkCAwEAAaNTMFEwHQYDVR0OBBYEFNhBZxryvykCjfPO85xB3wof2enAMB8G
A1UdIwQYMBaAFNhBZxryvykCjfPO85xB3wof2enAMA8GA1UdEwEB/wQFMAMBAf8w
DQYJKoZIhvcNAQELBQADggIBAEZwlsQ+3yd1MVxLRy9RjoA8hI7iWBNmvPUyNjlb
l/L9N+dZgdx9G5h/KPRUyzvUc/uk/ZxTWVPIOp13WI65qwsBKrwvYKiXiwzjt+9V
CKDRc1sOghTSXk4FD3L5UcKvTQ2lRcFsqxbkopEwQWhoCuhe4vFyt3Nx8ZGLCBUD
3I5zMHtO8FtpZWKJPw46Yc1kasv0nlfly/vUbnErYfgjWX1hgWUcRgYdKwO4sOZ7
KbNma0WUsX5mWhXo4Kk7D15wATHO+j9s+j8m86duBL3A4HzpTo1DhHvBi0dkg0CO
XuSdByIzVLIPh3yhCHN1loRCP2rbzKM8IQeU/X5Q4UJeC/x9ew8Kk+RKXoHc8Y2C
JQO1DxuidyDJRhbb98wZo2YfIsdWQGjYZBe1XQRwBD28JnB+Rb9shml6lORWQn9y
P/STo9uWm5zvOCfqwbnCoetljDweItINx622G9SafBwPZc3o79oL7QSl8DgCtN6g
p0wGIlIBx+25w/96PqZcrYb8B7/uBHJviiKjBXDoIJWNiNRhW5HaFjeJdSKq7KIL
I/PO9KuHafif36ksG69X02Rio2/cTjgjEW1hGHcDRyyJWWaj7bd2eWuouh6FF22b
PA6FGY4vewDPnbLKLaix2ZIKxtedUDOH/qru3Mv58IFXmQ4iyM8oC8aOxYSQLZDn
1yJD
-----END CERTIFICATE-----
'';
"acme.test".key = builtins.toFile "acme.test.key" ''
-----BEGIN RSA PRIVATE KEY-----
MIIJKgIBAAKCAgEA3dJl4ByHHRcqbZzblszHIS5eEW3TcXTvllqC1nedGLGU9dnA
YbdpDUYhvWz/y9AfRZ1d8jYz01jZtt5xWYG0QoQUdkCc9QPPh0Axrl38cGliB6IZ
IY0qftW9zrLSgCOUnXL/45JqSpD57DHMSSiJl3hoOo4keBaMRN/UK6F3DxD/nZEs
h+yBBh2js3qxleExqkX8InmjK9pG8j7qa4Be5Lh4iILBHbGAMaxM7ViNAg4KgWyg
d5+4qB86JFtE/cJ+r3D62ARjVaxU6ePOL0AwS/vx5ls6DFQC7+1CpGCNemgLPzcc
70s0V0SAnF73xHYqRWjJFtumyvyTkiQWLg0zDQOugWd3B9ADuaIEx2nviPyphAtj
M3ZKrL2zN1aIfqzbxJ/L8TQFa2WPsPU2+iza/m9kMfLXZ4XPF/SJxQ+5yVH+rxx5
OWrXZ13nCMyeVoaXQofmG7oZvOQbtuT9r5DQZd9WN0P3G3sy0/dNnlNVn8uCBvXJ
TQhRKsy1FESZdgcFNtpJEG7BRG9Gc6i0V39aSRzShZyKJSBQhlc0FMTlX445EYsh
PKjEC/+Suq9wy/LuLjIkkqBbVg4617IlibLz0fDY/yrZqkfSqhCVsWnra21Ty3Mp
vD+wnskTzuGrvCVTe3KcWp+wkeH0xvhr8FXX6nn492YCfvZSITO3FF+qWt8CAwEA
AQKCAgEAk2xV0NCk66yNwjPRrTOD1IWgdyzqrijtYpvdAPSWL+c1/P8vYMIoy22k
1uQuTSKQ5g9kdKmZYAlZCLRl2Pre9qYZg04GAsD5mAYN/rjwITWotTICSc4sRAeC
EnG+fPMovkvDzVdt1QjtURD3mFeculKH0wLNMhKqPswTkrvJCPZfLDVjxyJjzdC9
D3enttjnzSaeH7t/upFjPXSbD79NUe1YDkH4XuetL1Y3+jYz4P279bBgJaC9dN7s
IWWXQJ+W2rrXu+GOs03JUXjZe4XJk3ZqmpJezfq3yQWCmQSigovLjcPvMwpkSut4
HnTvbl6qUV8G5m4tOBMNcL8TDqAvIGY8Q2NAT0iKJN187FbHpjSwQL/Ckgqz/taJ
Q82LfIA1+IjwW372gY2Wge8tM/s3+2vOEn2k91sYfiKtrRFfrHBurehVQSpJb2gL
YPoUhUGu4C1nx44sQw+DgugOBp1BTKA1ZOBIk6NyS/J9sU3jSgMr88n10TyepP6w
OVk9kcNomnm/QIOyTDW4m76uoaxslg7kwOJ4j6wycddS8JtvEO4ZPk/fHZCbvlMv
/dAKsC3gigO2zW6IYYb7mSXI07Ew/rFH1NfSILiGw8GofJHDq3plGHZo9ycB6JC+
9C8n9IWjn8ahwbulCoQQhdHwXvf61t+RzNFuFiyAT0PF2FtD/eECggEBAPYBNSEY
DSQc/Wh+UlnwQsevxfzatohgQgQJRU1ZpbHQrl2uxk1ISEwrfqZwFmFotdjjzSYe
e1WQ0uFYtdm1V/QeQK+8W0u7E7/fof4dR6XxrzJ2QmtWEmCnLOBUKCfPc7/4p4IU
7Q8PDwuwvXgaASZDaEsyTxL9bBrNMLFx9hIScQ9CaygpKvufilCHG79maoKArLwX
s7G16qlT4YeEdiNuLGv0Ce0txJuFYp7cGClWQhruw+jIbr+Sn9pL9cn8GboCiUAq
VgZKsofhEkKIEbP1uFypX2JnyRSE/h0qDDcH1sEXjR9zYYpQjVpk3Jiipgw4PXis
79uat5/QzUqVc1sCggEBAObVp686K9NpxYNoEliMijIdzFnK5J/TvoX9BBMz0dXc
CgQW40tBcroU5nRl3oCjT1Agn8mxWLXH3czx6cPlSA8fnMTJmev8FaLnEcM15pGI
8/VCBbTegdezJ8vPRS/T9c4CViXo7d0qDMkjNyn22ojPPFYh8M1KVNhibDTEpXMQ
vJxBJgvHePj+5pMOIKwAvQicqD07fNp6jVPmB/GnprBkjcCQZtshNJzWrW3jk7Fr
xWpQJ8nam8wHdMvfKhpzvD6azahwmfKKaQmh/RwmH4xdtIKdh4j+u+Ax+Bxi0g7V
GQfusIFB1MO48yS6E56WZMmsPy+jhTcIB4prIbfu4c0CggEBALgqqUKwRc4+Ybvj
rfUk+GmT/s3QUwx/u4xYAGjq7y/SgWcjG9PphC559WPWz/p2sITB7ehWs5CYTjdj
+SgWKdVY/KZThamJUTy4yAZ8lxH1gGpvvEOs+S8gmGkMt88t8ILMPWMWFW7LoEDp
PL74ANpLZn29GROnY1IhQQ3mughHhBqfZ6d2QnaDtsGYlD5TBvPSLv7VY7Jr9VR0
toeEtAjMRzc+SFwmgmTHk9BIB1KTAAQ3sbTIsJh8xW1gpo5jTEND+Mpvp10oeMVe
yxPB2Db4gt/j8MOz3QaelbrxqplcJfsCjaT49RHeQiRlE/y070iApgx8s0idaFCd
ucLXZbcCggEBANkcsdg9RYVWoeCj3UWOAll6736xN/IgDb4mqVOKVN3qVT1dbbGV
wFvHVq66NdoWQH4kAUaKWN65OyQNkQqgt/MJj8EDwZNVCeCrp2hNZS0TfCn9TDK/
aa7AojivHesLWNHIHtEPUdLIPzhbuAHvXcJ58M0upTfhpwXTJOVI5Dji0BPDrw47
Msw3rBU6n35IP4Q/HHpjXl58EDuOS4B+aGjWWwF4kFWg2MR/oqWN/JdOv2LsO1A/
HnR7ut4aa5ZvrunPXooERrf6eSsHQnLcZKX4aNTFZ/pxZbJMLYo9ZEdxJVbxqPAa
RA1HAuJTZiquV+Pb755WFfEZy0Xk19URiS0CggEAPT1e+9sdNC15z79SxvJQ4pmT
xiXat+1pq9pxp5HEOre2sSAd7CF5lu/1VQd6p0gtLZY+Aw4BXOyMtzYWgIap+u9j
ThFl9qrTFppG5KlFKKpQ8dQQ8ofO1akS8cK8nQeSdvrqEC/kGT2rmVdeevhBlfGy
BZi2ikhEQrz5jsLgIdT7sN2aLFYtmzLU9THTvlfm4ckQ7jOTxvVahb+WRe/iMCwP
Exrb83JDo31jHvAoYqUFrZkmPA+DUWFlrqb21pCzmC/0iQSuDcayRRjZkY/s5iAh
gtI6YyAsSL8hKvFVCC+VJf1QvFOpgUfsZjrIZuSc3puBWtN2dirHf7EfyxgEOg==
-----END RSA PRIVATE KEY-----
'';
"acme.test".cert = builtins.toFile "acme.test.cert" ''
-----BEGIN CERTIFICATE-----
MIIEwDCCAqigAwIBAgICApowDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLU25h
a2VvaWwgQ0EwIBcNMjAwODI0MDc0MjEzWhgPMjEyMDA3MzEwNzQyMTNaMBQxEjAQ
BgNVBAMMCWFjbWUudGVzdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
AN3SZeAchx0XKm2c25bMxyEuXhFt03F075ZagtZ3nRixlPXZwGG3aQ1GIb1s/8vQ
H0WdXfI2M9NY2bbecVmBtEKEFHZAnPUDz4dAMa5d/HBpYgeiGSGNKn7Vvc6y0oAj
lJ1y/+OSakqQ+ewxzEkoiZd4aDqOJHgWjETf1Cuhdw8Q/52RLIfsgQYdo7N6sZXh
MapF/CJ5oyvaRvI+6muAXuS4eIiCwR2xgDGsTO1YjQIOCoFsoHefuKgfOiRbRP3C
fq9w+tgEY1WsVOnjzi9AMEv78eZbOgxUAu/tQqRgjXpoCz83HO9LNFdEgJxe98R2
KkVoyRbbpsr8k5IkFi4NMw0DroFndwfQA7miBMdp74j8qYQLYzN2Sqy9szdWiH6s
28Sfy/E0BWtlj7D1Nvos2v5vZDHy12eFzxf0icUPuclR/q8ceTlq12dd5wjMnlaG
l0KH5hu6GbzkG7bk/a+Q0GXfVjdD9xt7MtP3TZ5TVZ/Lggb1yU0IUSrMtRREmXYH
BTbaSRBuwURvRnOotFd/Wkkc0oWciiUgUIZXNBTE5V+OORGLITyoxAv/krqvcMvy
7i4yJJKgW1YOOteyJYmy89Hw2P8q2apH0qoQlbFp62ttU8tzKbw/sJ7JE87hq7wl
U3tynFqfsJHh9Mb4a/BV1+p5+PdmAn72UiEztxRfqlrfAgMBAAGjGDAWMBQGA1Ud
EQQNMAuCCWFjbWUudGVzdDANBgkqhkiG9w0BAQsFAAOCAgEAM5WrCpBOmLrZ1QX8
l6vxVXwoI8pnqyy3cbAm3aLRPbw4gb0Ot90Pv/LoMhP0fkrNOKwH/FGRjSXyti0X
TheKrP7aEf6XL2/Xnb8rK2jYMQo6YJU9T+wBJA6Q+GBrc8SE75KfOi5NWJr8T4Ju
Etb+G05hXClrN19VFzIoz3L4kRV+xNMialcOT3xQfHtXCQUgwAWpPlwcJA/Jf60m
XsfwQwk2Ir16wq+Lc3y+mQ7d/dbG+FVrngFk4qN2B9M/Zyv4N9ZBbqeDUn3mYtJE
FeJrwHgmwH6slf1gBN3gxUKRW7Bvzxk548NdmLOyN+Y4StsqbOaYGtShUJA7f1Ng
qQqdgvxZ9MNwwMv9QVDZEnaaew3/oWOSmQGAai4hrc7gLMLJmIxzgfd5P6Dr06e4
2zwsMuI8Qh/IDqu/CfmFYvaua0FEeyAtpoID9Y/KPM7fu9bJuxjZ6kqLVFkEi9nF
/rCMchcSA8N2z/vLPabpNotO7OYH3VD7aQGTfCL82dMlp1vwZ39S3Z1TFLLh3MZ+
BYcAv8kUvCV6kIdPAXvJRSQOJUlJRV7XiI2mwugdDzMx69wQ0Zc1e4WyGfiSiVYm
ckSJ/EkxuwT/ZYLqCAKSFGMlFhad9g1Zyvd67XgfZq5p0pJTtGxtn5j8QHy6PM6m
NbjvWnP8lDU8j2l3eSG58S14iGs=
-----END CERTIFICATE-----
'';
# Minica can provide a CA key and cert, plus a key
# and cert for our fake CA server's Web Front End (WFE).
{ minica, mkDerivation }:
let
domain = "acme.test";
selfSignedCertData = mkDerivation {
name = "test-certs";
buildInputs = [ minica ];
phases = [ "buildPhase" "installPhase" ];
buildPhase = ''
mkdir ca
minica \
--ca-key ca/key.pem \
--ca-cert ca/cert.pem \
--domains ${domain}
chmod 600 ca/*
chmod 640 ${domain}/*.pem
'';
installPhase = ''
mkdir -p $out
mv ${domain} ca $out/
'';
};
in {
inherit domain;
ca = {
cert = "${selfSignedCertData}/ca/cert.pem";
key = "${selfSignedCertData}/ca/key.pem";
};
"${domain}" = {
cert = "${selfSignedCertData}/${domain}/cert.pem";
key = "${selfSignedCertData}/${domain}/key.pem";
};
}

2
nixos/tests/installer.nix
View file

@ -285,7 +285,7 @@ let
];
virtualisation.diskSize = 8 * 1024;
virtualisation.memorySize = 1024;
virtualisation.memorySize = 1536;
# Use a small /dev/vdb as the root disk for the
# installer. This ensures the target disk (/dev/vda) is

3
nixos/tests/postfix-raise-smtpd-tls-security-level.nix
View file

@ -1,6 +1,3 @@
let
certs = import ./common/acme/server/snakeoil-certs.nix;
in
import ./make-test-python.nix {
name = "postfix";

13
nixos/tests/postfix.nix
View file

@ -1,5 +1,6 @@
let
certs = import ./common/acme/server/snakeoil-certs.nix;
domain = certs.domain;
in
import ./make-test-python.nix {
name = "postfix";
@ -11,8 +12,8 @@ import ./make-test-python.nix {
enableSubmission = true;
enableSubmissions = true;
sslCACert = certs.ca.cert;
sslCert = certs."acme.test".cert;
sslKey = certs."acme.test".key;
sslCert = certs.${domain}.cert;
sslKey = certs.${domain}.key;
submissionsOptions = {
smtpd_sasl_auth_enable = "yes";
smtpd_client_restrictions = "permit";
@ -25,7 +26,7 @@ import ./make-test-python.nix {
];
networking.extraHosts = ''
127.0.0.1 acme.test
127.0.0.1 ${domain}
'';
environment.systemPackages = let
@ -33,7 +34,7 @@ import ./make-test-python.nix {
#!${pkgs.python3.interpreter}
import smtplib
with smtplib.SMTP('acme.test') as smtp:
with smtplib.SMTP('${domain}') as smtp:
smtp.sendmail('root@localhost', 'alice@localhost', 'Subject: Test\n\nTest data.')
smtp.quit()
'';
@ -45,7 +46,7 @@ import ./make-test-python.nix {
ctx = ssl.create_default_context()
with smtplib.SMTP('acme.test') as smtp:
with smtplib.SMTP('${domain}') as smtp:
smtp.ehlo()
smtp.starttls(context=ctx)
smtp.ehlo()
@ -60,7 +61,7 @@ import ./make-test-python.nix {
ctx = ssl.create_default_context()
with smtplib.SMTP_SSL(host='acme.test', context=ctx) as smtp:
with smtplib.SMTP_SSL(host='${domain}', context=ctx) as smtp:
smtp.sendmail('root@localhost', 'alice@localhost', 'Subject: Test SMTPS\n\nTest data.')
smtp.quit()
'';

78
nixos/tests/sssd-ldap.nix Normal file
View file

@ -0,0 +1,78 @@
import ./make-test-python.nix ({ pkgs, ... }:
let
dbDomain = "example.org";
dbSuffix = "dc=example,dc=org";
ldapRootUser = "admin";
ldapRootPassword = "foobar";
testUser = "alice";
in
{
name = "sssd-ldap";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ bbigras ];
};
machine = { pkgs, ... }: {
services.openldap = {
enable = true;
rootdn = "cn=${ldapRootUser},${dbSuffix}";
rootpw = ldapRootPassword;
suffix = dbSuffix;
declarativeContents = ''
dn: ${dbSuffix}
objectClass: top
objectClass: dcObject
objectClass: organization
o: ${dbDomain}
dn: ou=posix,${dbSuffix}
objectClass: top
objectClass: organizationalUnit
dn: ou=accounts,ou=posix,${dbSuffix}
objectClass: top
objectClass: organizationalUnit
dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
objectClass: person
objectClass: posixAccount
# userPassword: somePasswordHash
homeDirectory: /home/${testUser}
uidNumber: 1234
gidNumber: 1234
cn: ""
sn: ""
'';
};
services.sssd = {
enable = true;
config = ''
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = ${dbDomain}
[domain/${dbDomain}]
auth_provider = ldap
id_provider = ldap
ldap_uri = ldap://127.0.0.1:389
ldap_search_base = ${dbSuffix}
ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
ldap_default_authtok_type = password
ldap_default_authtok = ${ldapRootPassword}
'';
};
};
testScript = ''
machine.start()
machine.wait_for_unit("openldap.service")
machine.wait_for_unit("sssd.service")
machine.succeed("getent passwd ${testUser}")
'';
}
)

6
pkgs/applications/blockchains/exodus/default.nix
View file

@ -4,11 +4,11 @@ cups, vivaldi-ffmpeg-codecs, libpulseaudio, at-spi2-core }:
stdenv.mkDerivation rec {
pname = "exodus";
version = "20.1.30";
version = "20.8.28";
src = fetchurl {
url = "https://downloads.exodus.io/releases/${pname}-linux-x64-${version}.zip";
sha256 = "0jns5zqjm0gqn18ypghbgk6gb713mh7p44ax1r8y4vcwijlp5nql";
sha256 = "fde9165f71f0d641f6892ddce3ec26d200e8095a383f2b4c8f924de4041d65ef";
};
sourceRoot = ".";
@ -75,6 +75,6 @@ stdenv.mkDerivation rec {
description = "Top-rated cryptocurrency wallet with Trezor integration and built-in Exchange";
license = licenses.unfree;
platforms = platforms.linux;
maintainers = [ maintainers.mmahut ];
maintainers = with maintainers; [ mmahut rople380 ];
};
}

7
pkgs/applications/graphics/pdfcpu/default.nix
View file

@ -2,17 +2,18 @@
buildGoModule rec {
pname = "pdfcpu";
version = "0.3.4";
version = "0.3.5";
src = fetchFromGitHub {
owner = "pdfcpu";
repo = pname;
rev = "v${version}";
sha256 = "00c4psgfh4hia144zsdhrq83bw3fqda1ancv2gkn5ymxkbpnpyrn";
sha256 = "0fb7l1h4dhn100y2ydq50cgj63fbr4p11x8h803rv6x3xwmviwcg";
};
vendorSha256 = "09alkpfyxapycv6zsaz7prgbr0a1jzd78n7w2mh01mg4hhb2j3k7";
vendorSha256 = "06xlwygqw3kzbjqlx09rs9hl4pfsmay5pj4c5hvkrj5z123ldvyw";
# No tests
doCheck = false;
subPackages = [ "cmd/pdfcpu" ];

63
pkgs/applications/misc/calibre/default.nix
View file

@ -16,7 +16,7 @@
, hyphen
, unrarSupport ? false
, chmlib
, python2Packages
, pythonPackages
, libusb1
, libmtp
, xdg_utils
@ -24,17 +24,13 @@
, removeReferencesTo
}:
let
pypkgs = python2Packages;
in
mkDerivation rec {
pname = "calibre";
version = "4.22.0";
version = "4.23.0";
src = fetchurl {
url = "https://download.calibre-ebook.com/${version}/${pname}-${version}.tar.xz";
sha256 = "0d0wmd3ijk8px1d662igal4lfmpyzynfzs6ms1bb9nf42mq2pxai";
sha256 = "sha256-Ft5RRzzw4zb5RqVyUaHk9Pu6H4V/F9j8FKoTLn61lRg=";
};
patches = [
@ -47,7 +43,7 @@ mkDerivation rec {
] ++ lib.optional (!unrarSupport) ./dont_build_unrar_plugin.patch;
prePatch = ''
sed -i "/pyqt_sip_dir/ s:=.*:= '${pypkgs.pyqt5}/share/sip/PyQt5':" \
sed -i "/pyqt_sip_dir/ s:=.*:= '${pythonPackages.pyqt5}/share/sip/PyQt5':" \
setup/build_environment.py
# Remove unneeded files and libs
@ -61,52 +57,49 @@ mkDerivation rec {
nativeBuildInputs = [ pkgconfig qmake removeReferencesTo ];
CALIBRE_PY3_PORT = builtins.toString pypkgs.isPy3k;
CALIBRE_PY3_PORT = builtins.toString pythonPackages.isPy3k;
buildInputs = [
poppler_utils
libpng
imagemagick
libjpeg
fontconfig
podofo
qtbase
chmlib
icu
fontconfig
hunspell
hyphen
sqlite
libusb1
icu
imagemagick
libjpeg
libmtp
libpng
libusb1
podofo
poppler_utils
qtbase
sqlite
xdg_utils
] ++ (
with pypkgs; [
with pythonPackages; [
apsw
cssselect
beautifulsoup4
css-parser
cssselect
dateutil
dnspython
feedparser
html2text
html5-parser
lxml
markdown
mechanize
msgpack
netifaces
pillow
python
pyqt5
sip
regex
msgpack
beautifulsoup4
html2text
pyqtwebengine
python
regex
sip
# the following are distributed with calibre, but we use upstream instead
odfpy
]
) ++ lib.optionals (!pypkgs.isPy3k) (
with pypkgs; [
mechanize
]
);
installPhase = ''
@ -121,18 +114,17 @@ mkDerivation rec {
export FC_LIB_DIR=${fontconfig.lib}/lib
export PODOFO_INC_DIR=${podofo.dev}/include/podofo
export PODOFO_LIB_DIR=${podofo.lib}/lib
export SIP_BIN=${pypkgs.sip}/bin/sip
export SIP_BIN=${pythonPackages.sip}/bin/sip
export XDG_DATA_HOME=$out/share
export XDG_UTILS_INSTALL_MODE="user"
${pypkgs.python.interpreter} setup.py install --root=$out \
${pythonPackages.python.interpreter} setup.py install --root=$out \
--prefix=$out \
--libdir=$out/lib \
--staging-root=$out \
--staging-libdir=$out/lib \
--staging-sharedir=$out/share
PYFILES="$out/bin/* $out/lib/calibre/calibre/web/feeds/*.py
$out/lib/calibre/calibre/ebooks/metadata/*.py
$out/lib/calibre/calibre/ebooks/rtf2xml/*.py"
@ -154,7 +146,8 @@ mkDerivation rec {
# 2018-11-06) was a single string like the following:
# /nix/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-podofo-0.9.6-dev/include/podofo/base/PdfVariant.h
preFixup = ''
remove-references-to -t ${podofo.dev} $out/lib/calibre/calibre/plugins/podofo.so
remove-references-to -t ${podofo.dev} \
$out/lib/calibre/calibre/plugins${lib.optionalString pythonPackages.isPy3k "/3"}/podofo.so
for program in $out/bin/*; do
wrapProgram $program \

6
pkgs/applications/misc/cura/default.nix
View file

@ -2,20 +2,20 @@
mkDerivation rec {
pname = "cura";
version = "4.6.1";
version = "4.7.1";
src = fetchFromGitHub {
owner = "Ultimaker";
repo = "Cura";
rev = version;
sha256 = "0h1r9caa579d3gfpcmch54rdbkg5df64ds2v84iqsbxwjp0rmn4n";
sha256 = "19an168iad3cb5w8i71c0wbr79qnz5qnpxqx1j6dgh64qz6ffn2r";
};
materials = fetchFromGitHub {
owner = "Ultimaker";
repo = "fdm_materials";
rev = version;
sha256 = "1k5c3qmixhpz3z2yi0fysxcyyf1yhcwmdlrcypkw827lhsialqp4";
sha256 = "1w6i0dlff8b30q987x3y0zv8847fc8ppfcr9vi982msmv284c89z";
};
buildInputs = [ qtbase qtquickcontrols2 qtgraphicaleffects ];

6
pkgs/applications/misc/cura/plugins.nix
View file

@ -6,13 +6,13 @@ let
octoprint = stdenv.mkDerivation rec {
pname = "Cura-OctoPrintPlugin";
version = "3.5.12";
version = "3.5.16";
src = fetchFromGitHub {
owner = "fieldOfView";
repo = pname;
rev = "ad522c0b7ead5fbe28da686a3cc75e351274c2bc";
sha256 = "0ln11ng32bh0smfsk54mv2j3sadh0gwf031nmm95zrvbj9cr6yc0";
rev = "8affa8aa9796cb37129d3b7222fff03f86c936cd";
sha256 = "0l4qfcashkdmpdm8nm3klz6hmi1f0bmbpb9b1yn4mvg0fam6c5xi";
};
propagatedBuildInputs = with python3Packages; [

4
pkgs/applications/misc/curaengine/default.nix
View file

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "curaengine";
version = "4.6.1";
version = "4.7.1";
src = fetchFromGitHub {
owner = "Ultimaker";
repo = "CuraEngine";
rev = version;
sha256 = "1fr151hmdg2lhk9pbpan1hb1pafj784nijr4pz646ljmjh12vfk2";
sha256 = "177fk6j4gn3ssi8j1qxj8p4486f7jkz328vc75agxnh7vhd4mwsm";
};
nativeBuildInputs = [ cmake ];

4
pkgs/applications/misc/hovercraft/default.nix
View file

@ -13,14 +13,14 @@
buildPythonApplication rec {
pname = "hovercraft";
version = "2.6";
version = "2.7";
disabled = ! isPy3k;
src = fetchFromGitHub {
owner = "regebro";
repo = "hovercraft";
rev = version;
sha256 = "150sn6kvqi2s89di1akl5i0g81fasji2ipr12zq5s4dcnhw4r5wp";
sha256 = "0k0gjlqjz424rymcfdjpj6a71ppblfls5f8y2hd800d1as4im8az";
};
checkInputs = [ manuel ];

10
pkgs/applications/misc/navi/default.nix
View file

@ -1,22 +1,22 @@
{ rustPlatform, fetchFromGitHub, lib, fzf, makeWrapper }:
{ fetchFromGitHub, fzf, lib, makeWrapper, rustPlatform, wget }:
rustPlatform.buildRustPackage rec {
pname = "navi";
version = "2.9.0";
version = "2.10.0";
src = fetchFromGitHub {
owner = "denisidoro";
repo = "navi";
rev = "v${version}";
sha256 = "16rwhpyk0zqks9z9bv2a1a8vww2m6867kg33bjbr29hawjg68jql";
sha256 = "1fpfc3ikb6rhb8m0dp9ybh46mnqaw361rrsbv6yrivwfm3zc4w2w";
};
cargoSha256 = "19w9gm389lj1zwhyjifhc2fzkvrvqvyc80lwxz070cnj11ir2l9m";
cargoSha256 = "0klizxrb92h7qfxs89m08ksdq698wx4kxsdhqhr5ld9dy3b6ks32";
nativeBuildInputs = [ makeWrapper ];
postInstall = ''
wrapProgram $out/bin/navi --prefix PATH : ${lib.makeBinPath [ fzf ]}
wrapProgram $out/bin/navi --prefix PATH : ${lib.makeBinPath [ fzf wget ]}
'';
meta = with lib; {

2
pkgs/applications/misc/nimmm/default.nix
View file

@ -36,8 +36,6 @@ in stdenv.mkDerivation rec {
nativeBuildInputs = [ nim ];
buildInputs = [ termbox pcre ];
NIX_LDFLAGS = "-lpcre";
buildPhase = ''
export HOME=$TMPDIR;
nim -p:${noise} -p:${nimbox} -p:${lscolors}/src c -d:release src/nimmm.nim

9
pkgs/applications/misc/redshift/default.nix
View file

@ -24,11 +24,6 @@ let
./575.patch
];
postPatch = stdenv.lib.optionalString (pname == "gammastep") ''
substituteInPlace configure.ac \
--replace "[gammastep], [2.0]" "[gammastep], [${version}]"
'';
nativeBuildInputs = [
autoconf
automake
@ -132,13 +127,13 @@ rec {
gammastep = mkRedshift rec {
pname = "gammastep";
version = "2.0.1";
version = "2.0.2";
src = fetchFromGitLab {
owner = "chinstrap";
repo = pname;
rev = "v${version}";
sha256 = "1ky4h892sg2mfbwwq5xv0vnjflsl2x3nsy5q456r1kyk1gwkj0rg";
sha256 = "09wqlz3yya955galhs20014qfwm2yk0lxhyqdsw8gwddvcpyprzg";
};
meta = redshift.meta // {

5
pkgs/applications/misc/tippecanoe/default.nix
View file

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "tippecanoe";
version = "1.35.0";
version = "1.36.0";
src = fetchFromGitHub {
owner = "mapbox";
repo = pname;
rev = version;
sha256 = "0v5ycc3gsqnl9pps3m45yrnb1gvw5pk6jdyr0q6516b4ac6x67m5";
sha256 = "0lbmhly4ivnqc6qk1k3sdqvsg6x3nfd8gnjx846bhqj4wag3f88m";
};
buildInputs = [ sqlite zlib ];
@ -25,5 +25,6 @@ stdenv.mkDerivation rec {
license = licenses.bsd2;
maintainers = with maintainers; [ sikmir ];
platforms = with platforms; linux ++ darwin;
broken = stdenv.hostPlatform.isAarch64;
};
}

5
pkgs/applications/networking/browsers/chromium/default.nix
View file

@ -1,5 +1,5 @@
{ newScope, config, stdenv, fetchurl, makeWrapper
, llvmPackages_10, llvmPackages_11, ed, gnugrep, coreutils
, llvmPackages_10, llvmPackages_11, ed, gnugrep, coreutils, xdg_utils
, glib, gtk3, gnome3, gsettings-desktop-schemas, gn, fetchgit
, libva ? null
, pipewire_0_2
@ -204,6 +204,9 @@ in stdenv.mkDerivation {
export XDG_DATA_DIRS=$XDG_ICON_DIRS:$GSETTINGS_SCHEMAS_PATH\''${XDG_DATA_DIRS:+:}\$XDG_DATA_DIRS
# Mainly for xdg-open but also other xdg-* tools:
export PATH="${xdg_utils}/bin\''${PATH:+:}\$PATH"
.
w
EOF

8
pkgs/applications/networking/cluster/helm/default.nix
View file

@ -2,15 +2,15 @@
buildGoModule rec {
pname = "helm";
version = "3.3.0";
version = "3.3.1";
src = fetchFromGitHub {
owner = "helm";
repo = "helm";
rev = "v${version}";
sha256 = "0bp2yscrvdm46w2nxas5zs9mcvdn2yp05k0wmcjl7gh42fs6hmcs";
sha256 = "0y3ilvafzwizd9zqvp8jijkkd1c2yy7zyl5xfma1zv2x96p7xgqh";
};
vendorSha256 = "0lccglh5qpm5kp8xp1pn7y4cfxjpax83gyzjmnhh9h5y9zwgqp03";
vendorSha256 = "0f8a0psvic923rh13f5041p7hr6w8dy9qxdw3l195yky5cf3fj6w";
doCheck = false;
@ -28,6 +28,6 @@ buildGoModule rec {
homepage = "https://github.com/kubernetes/helm";
description = "A package manager for kubernetes";
license = licenses.asl20;
maintainers = with maintainers; [ rlupton20 edude03 saschagrunert Frostman ];
maintainers = with maintainers; [ rlupton20 edude03 saschagrunert Frostman Chili-Man ];
};
}

6
pkgs/applications/networking/cluster/terragrunt/default.nix
View file

@ -2,16 +2,16 @@
buildGoModule rec {
pname = "terragrunt";
version = "0.23.33";
version = "0.23.40";
src = fetchFromGitHub {
owner = "gruntwork-io";
repo = pname;
rev = "v${version}";
sha256 = "0fsyvmdg2llnzy0yzmiihnb865ccq2sn6d3i935dflppnjyp01p4";
sha256 = "0gd2g1nl8dgj24mzk4qymcwnp6prbi3qxj863rkpi3k32zy2iw4k";
};
vendorSha256 = "05p72l724qqf61dn0frahf4awvkkcw8cpl6nhwlacd1jw8c14fjl";
vendorSha256 = "0f466qn5vp74mwx9s4rcbw1x793w8hr5dcf2c12sgshya1bxs4nl";
doCheck = false;

8
pkgs/applications/networking/newsreaders/liferea/default.nix
View file

@ -23,11 +23,11 @@
stdenv.mkDerivation rec {
pname = "liferea";
version = "1.12.6";
version = "1.12.9";
src = fetchurl {
url = "https://github.com/lwindolf/${pname}/releases/download/v${version}/${pname}-${version}b.tar.bz2";
sha256 = "03pr1gmiv5y0i92bkhcxr8s311ll91chz19wb96jkixx32xav91d";
url = "https://github.com/lwindolf/${pname}/releases/download/v${version}/${pname}-${version}.tar.bz2";
sha256 = "06ybr1wjlfir8iqjx6x0v1knd4b2hsy30qmkk4kssy6ky2ahc66q";
};
nativeBuildInputs = [
@ -73,7 +73,7 @@ stdenv.mkDerivation rec {
description = "A GTK-based news feed aggregator";
homepage = "http://lzone.de/liferea/";
license = licenses.gpl2Plus;
maintainers = with maintainers; [ vcunat romildo ];
maintainers = with maintainers; [ romildo ];
platforms = platforms.linux;
longDescription = ''

5
pkgs/applications/science/biology/mosdepth/default.nix
View file

@ -26,14 +26,15 @@ in stdenv.mkDerivation rec {
sha256 = "01gm9gj2x2zs4yx6wk761fi1papi7qr3gp4ln1kkn8n2f9y9h849";
};
buildInputs = [ nim ];
nativeBuildInputs = [ nim ];
buildInputs = [ htslib pcre ];
buildPhase = ''
HOME=$TMPDIR
nim -p:${hts-nim}/src -p:${docopt}/src c --nilseqs:on -d:release mosdepth.nim
'';
installPhase = "install -Dt $out/bin mosdepth";
fixupPhase = "patchelf --set-rpath ${stdenv.lib.makeLibraryPath [ stdenv.cc.cc htslib pcre ]} $out/bin/mosdepth";
meta = with stdenv.lib; {
description = "fast BAM/CRAM depth calculation for WGS, exome, or targeted sequencing.";

4
pkgs/applications/science/biology/picard-tools/default.nix
View file

@ -2,11 +2,11 @@
stdenv.mkDerivation rec {
pname = "picard-tools";
version = "2.23.3";
version = "2.23.4";
src = fetchurl {
url = "https://github.com/broadinstitute/picard/releases/download/${version}/picard.jar";
sha256 = "08wgi0hijfbchr2srmndxq3h2fijvyvr8b6zv680fpcjixm5bbhf";
sha256 = "0xg4nbx02a2kckr6p8pqjpv5rmp95bkmglgm1bma6f77s7hkab7q";
};
nativeBuildInputs = [ makeWrapper ];

4
pkgs/applications/science/logic/ott/default.nix
View file

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "ott";
version = "0.30";
version = "0.31";
src = fetchFromGitHub {
owner = "ott-lang";
repo = "ott";
rev = version;
sha256 = "16bxfnm30z94x36vr8vs6zd6fj55vnb7aypjl6hf7clk42040brc";
sha256 = "0l81126i2qkz11fs5yrjdgymnqgjcs5avb7f951h61yh1s68jpnn";
};
nativeBuildInputs = [ pkgconfig ];

4
pkgs/applications/science/logic/proverif/default.nix
View file

@ -2,11 +2,11 @@
stdenv.mkDerivation rec {
pname = "proverif";
version = "2.01";
version = "2.02pl1";
src = fetchurl {
url = "http://prosecco.gforge.inria.fr/personal/bblanche/proverif/proverif${version}.tar.gz";
sha256 = "01wp5431c77z0aaa99h8bnm5yhr6jslpqc8iyg0a7gxfqnb19gxi";
sha256 = "1jmzfpx0hdgfmkq0jp6i3k5av9xxgndjaj743wfy37svn0ga4jjx";
};
buildInputs = with ocamlPackages; [ ocaml findlib lablgtk ];

6
pkgs/data/themes/marwaita/default.nix
View file

@ -8,13 +8,13 @@
stdenv.mkDerivation rec {
pname = "marwaita";
version = "7.5.1";
version = "7.6.1";
src = fetchFromGitHub {
owner = "darkomarko42";
repo = pname;
rev = version;
sha256 = "0ig5wc6dkbly6yrvd13h4lyr8x0y7k3d9iv4rhg0pnjgcpna83mw";
sha256 = "1n7flwrngwh6gmh72j40apf8qk52162m93hsfhgxzrivkhg37zi0";
};
buildInputs = [
@ -37,7 +37,7 @@ stdenv.mkDerivation rec {
'';
meta = with stdenv.lib; {
description = "GTK theme supporting Budgie, Pantheon, Mate and Xfce4 desktops";
description = "GTK theme supporting Budgie, Pantheon, Mate, Xfce4 and GNOME desktops";
homepage = "https://www.pling.com/p/1239855/";
license = licenses.cc0;
platforms = platforms.unix;

23
pkgs/development/compilers/nim/NIM_CONFIG_DIR.patch Normal file
View file

@ -0,0 +1,23 @@
diff --git a/compiler/nimconf.nim b/compiler/nimconf.nim
index a470179bd..73cfa1a23 100644
--- a/compiler/nimconf.nim
+++ b/compiler/nimconf.nim
@@ -225,10 +225,15 @@ proc getUserConfigPath*(filename: RelativeFile): AbsoluteFile =
proc getSystemConfigPath*(conf: ConfigRef; filename: RelativeFile): AbsoluteFile =
# try standard configuration file (installation did not distribute files
# the UNIX way)
- let p = getPrefixDir(conf)
- result = p / RelativeDir"config" / filename
+ let
+ prefix = getPrefixDir(conf)
+ env = getEnv("NIM_CONFIG_PATH")
+ if env != "":
+ result = env.toAbsoluteDir / filename
+ else:
+ result = prefix / RelativeDir"config" / filename
when defined(unix):
- if not fileExists(result): result = p / RelativeDir"etc/nim" / filename
+ if not fileExists(result): result = prefix / RelativeDir"etc/nim" / filename
if not fileExists(result): result = AbsoluteDir"/etc/nim" / filename
proc loadConfigs*(cfg: RelativeFile; cache: IdentCache; conf: ConfigRef) =

300
pkgs/development/compilers/nim/default.nix
View file

@ -1,69 +1,255 @@
# based on https://github.com/nim-lang/Nim/blob/v0.18.0/.travis.yml
# https://nim-lang.github.io/Nim/packaging.html
{ stdenv, lib, fetchurl, makeWrapper, openssl, pcre, readline,
boehmgc, sfml, sqlite }:
{ stdenv, lib, fetchgit, fetchurl, makeWrapper, gdb, openssl, pcre, readline
, boehmgc, sqlite, nim-unwrapped, nim-stdlib, nim }:
stdenv.mkDerivation rec {
pname = "nim";
let
version = "1.2.6";
src = fetchurl {
url = "https://nim-lang.org/download/${pname}-${version}.tar.xz";
url = "https://nim-lang.org/download/nim-${version}.tar.xz";
sha256 = "0zk5qzxayqjw7kq6p92j4008g9bbyilyymhdc5xq9sln5rqym26z";
};
enableParallelBuilding = true;
NIX_LDFLAGS = "-lcrypto -lpcre -lreadline -lgc -lsqlite3";
# we could create a separate derivation for the "written in c" version of nim
# used for bootstrapping, but koch insists on moving the nim compiler around
# as part of building it, so it cannot be read-only
nativeBuildInputs = [
makeWrapper
];
buildInputs = [
openssl pcre readline boehmgc sfml sqlite
];
buildPhase = ''
runHook preBuild
# build.sh wants to write to $HOME/.cache
HOME=$TMPDIR
sh build.sh
./bin/nim c koch
./koch boot -d:release \
-d:useGnuReadline \
${lib.optionals (stdenv.isDarwin || stdenv.isLinux) "-d:nativeStacktrace"}
./koch tools -d:release
runHook postBuild
'';
installPhase = ''
runHook preInstall
install -Dt $out/bin bin/* koch
./koch install $out
mv $out/nim/bin/* $out/bin/ && rmdir $out/nim/bin
mv $out/nim/* $out/ && rmdir $out/nim
# Fortify hardening appends -O2 to gcc flags which is unwanted for unoptimized nim builds.
wrapProgram $out/bin/nim \
--run 'NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify/}' \
--suffix PATH : ${lib.makeBinPath [ stdenv.cc ]}
runHook postInstall
'';
meta = with stdenv.lib; {
meta = with lib; {
description = "Statically typed, imperative programming language";
homepage = "https://nim-lang.org/";
license = licenses.mit;
maintainers = with maintainers; [ ehmry ];
platforms = with platforms; linux ++ darwin; # arbitrary
};
}
parseCpu = platform:
with platform;
# Derive a Nim CPU identifier
if isAarch32 then
"arm"
else if isAarch64 then
"arm64"
else if isAlpha then
"alpha"
else if isAvr then
"avr"
else if isMips && is32bit then
"mips"
else if isMips && is64bit then
"mips64"
else if isMsp430 then
"msp430"
else if isPowerPC && is32bit then
"powerpc"
else if isPowerPC && is64bit then
"powerpc64"
else if isRiscV && is64bit then
"riscv64"
else if isSparc then
"sparc"
else if isx86_32 then
"i386"
else if isx86_64 then
"amd64"
else
abort "no Nim CPU support known for ${config}";
parseOs = platform:
with platform;
# Derive a Nim OS identifier
if isAndroid then
"Android"
else if isDarwin then
"MacOSX"
else if isFreeBSD then
"FreeBSD"
else if isGenode then
"Genode"
else if isLinux then
"Linux"
else if isNetBSD then
"NetBSD"
else if isNone then
"Standalone"
else if isOpenBSD then
"OpenBSD"
else if isWindows then
"Windows"
else if isiOS then
"iOS"
else
abort "no Nim OS support known for ${config}";
parsePlatform = p: {
cpu = parseCpu p;
os = parseOs p;
};
nimHost = parsePlatform stdenv.hostPlatform;
nimTarget = parsePlatform stdenv.targetPlatform;
wrapperInputs = rec {
bootstrap = stdenv.mkDerivation rec {
pname = "nim-bootstrap";
version = "0.20.0";
src = fetchgit {
# A Git checkout is much smaller than a GitHub tarball.
url = "https://github.com/nim-lang/csources.git";
rev = "v" + version;
sha256 = "0i6vsfy1sgapx43n226q8m0pvn159sw2mhp50zm3hhb9zfijanis";
};
enableParallelBuilding = true;
installPhase = ''
runHook preInstall
install -Dt $out/bin bin/nim
runHook postInstall
'';
};
unwrapped = stdenv.mkDerivation {
# https://nim-lang.github.io/Nim/packaging.html
pname = "nim-unwrapped";
inherit version src;
buildInputs = [ boehmgc openssl pcre readline sqlite ];
patches = [
./NIM_CONFIG_DIR.patch
# Override compiler configuration via an environmental variable
./nixbuild.patch
# Load libraries at runtime by absolute path
];
configurePhase = ''
runHook preConfigure
cp ${bootstrap}/bin/nim bin/
echo 'define:nixbuild' >> config/nim.cfg
runHook postConfigure
'';
kochArgs = [
"--cpu:${nimHost.cpu}"
"--os:${nimHost.os}"
"-d:release"
"-d:useGnuReadline"
] ++ lib.optional (stdenv.isDarwin || stdenv.isLinux)
"-d:nativeStacktrace";
buildPhase = ''
runHook preBuild
local HOME=$TMPDIR
./bin/nim c koch
./koch boot $kochArgs --parallelBuild:$NIX_BUILD_CORES
./koch tools $kochArgs --parallelBuild:$NIX_BUILD_CORES
runHook postBuild
'';
installPhase = ''
runHook preInstall
install -Dt $out/bin bin/*
runHook postInstall
'';
inherit meta;
};
stdlib = stdenv.mkDerivation {
pname = "nim-stdlib";
inherit (nim-unwrapped) version src patches;
dontConfigure = true;
dontBuild = true;
installPhase = ''
runHook preInstall
touch bin/nim
./install.sh $TMPDIR
cp -r $TMPDIR/nim/lib $out
runHook postInstall
'';
meta = meta // {
description = meta.description + " (standard library)";
};
};
};
wrapped = let
nim = nim-unwrapped;
inherit (stdenv) targetPlatform;
in stdenv.mkDerivation {
name = "${targetPlatform.config}-nim-wrapper-${nim.version}";
inherit (nim) version;
preferLocalBuild = true;
nativeBuildInputs = [ makeWrapper ];
unpackPhase = ''
runHook preUnpack
tar xf ${nim.src} nim-$version/config/nim.cfg
cd nim-$version
runHook postUnpack
'';
dontConfigure = true;
wrapperArgs = [
"--prefix PATH : ${lib.makeBinPath [ stdenv.cc gdb ]}:${
placeholder "out"
}/bin"
"--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ stdenv.cc.libc openssl ]}"
"--set NIM_CONFIG_PATH ${placeholder "out"}/etc/nim"
];
buildPhase = with stdenv;
let
ccType = if cc.isGNU then
"gcc"
else if cc.isClang then
"clang"
else
abort "no Nim configuration available for ${cc.name}";
in ''
runHook preBuild
cat >> config/nim.cfg << EOF
define:nixbuild
os = ${nimTarget.os}
cpu = ${nimTarget.cpu}
cc = ${ccType}
EOF
mkdir -p $out/bin $out/etc/nim
export cc=$CC
export cxx=$CXX
substituteAll config/nim.cfg $out/etc/nim/nim.cfg \
--replace "cc = gcc" ""
for binpath in ${nim}/bin/nim?*; do
local binname=`basename $binpath`
makeWrapper $binpath $out/bin/${targetPlatform.config}-$binname \
$wrapperArgs
ln -s $out/bin/${targetPlatform.config}-$binname $out/bin/$binname
done
makeWrapper ${nim}/bin/nim $out/bin/${targetPlatform.config}-nim \
$wrapperArgs \
--set NIX_HARDENING_ENABLE "''${NIX_HARDENING_ENABLE/fortify}" \
--add-flags --lib:${nim-stdlib}
ln -s $out/bin/${targetPlatform.config}-nim $out/bin/nim
runHook postBuild
'';
# Fortify hardening appends -O2 to gcc flags which is unwanted for unoptimized nim builds.
dontInstall = true;
meta = meta // {
description = nim.meta.description
+ " (${targetPlatform.config} wrapper)";
platforms = lib.platforms.unix;
};
};
in wrapped // wrapperInputs

51
pkgs/development/compilers/nim/nixbuild.patch Normal file
View file

@ -0,0 +1,51 @@
commit 164ba50fc74b980f77047080b2ae1ea099ae9b27
Author: Emery Hemingway <ehmry@posteo.net>
Date: Mon Sep 7 14:09:22 2020 +0200
Load libaries by absolute path on NixOS
If "nixbuild" is defined then choose dynamic runtime libraries by
searching $NIX_LDFLAGS at compile-time.
Fix #15194
diff --git a/lib/pure/dynlib.nim b/lib/pure/dynlib.nim
index f31ae94dd..debed9c07 100644
--- a/lib/pure/dynlib.nim
+++ b/lib/pure/dynlib.nim
@@ -56,6 +56,9 @@
import strutils
+when defined(nixbuild):
+ import os
+
type
LibHandle* = pointer ## a handle to a dynamically loaded library
@@ -95,6 +98,25 @@ proc libCandidates*(s: string, dest: var seq[string]) =
libCandidates(prefix & middle & suffix, dest)
else:
add(dest, s)
+ when defined(nixbuild):
+ # Nix doesn't have a global library directory so
+ # load libraries using an absolute path if one
+ # can be derived from NIX_LDFLAGS.
+ #
+ # During Nix/NixOS packaging the line "define:nixbuild"
+ # should be appended to the ../../config/nim.cfg file
+ # to enable this behavior by default.
+ #
+ var libDirs = split(getEnv("LD_LIBRARY_PATH"), ':')
+ for flag in split(getEnv("NIX_LDFLAGS")):
+ if flag.startsWith("-L"):
+ libDirs.add(flag[2..flag.high])
+ for lib in dest:
+ for dir in libDirs:
+ let abs = dir / lib
+ if existsFile(abs):
+ dest = @[abs]
+ return
proc loadLibPattern*(pattern: string, globalSymbols = false): LibHandle =
## loads a library with name matching `pattern`, similar to what `dlimport`

4
pkgs/development/guile-modules/guile-sdl2/default.nix
View file

@ -5,13 +5,13 @@
let
name = "${pname}-${version}";
pname = "guile-sdl2";
version = "0.4.0";
version = "0.5.0";
in stdenv.mkDerivation {
inherit name;
src = fetchurl {
url = "https://files.dthompson.us/${pname}/${name}.tar.gz";
sha256 = "0zcxwgyadwpbhq6h5mv2569c3kalgra26zc186y9fqiyyzmh1v9s";
sha256 = "118x0cg7fzbsyrfhy5f9ab7dqp9czgia0ycgzp6sn3nlsdrcnr4m";
};
nativeBuildInputs = [ libtool pkgconfig ];

4
pkgs/development/libraries/catch2/default.nix
View file

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "catch2";
version = "2.12.2";
version = "2.12.3";
src = fetchFromGitHub {
owner = "catchorg";
repo = "Catch2";
rev = "v${version}";
sha256="17fr2k0jhdcrmmvvb9d8igmjbyads3hkdrakvmrpgc82srm78jcc";
sha256="0rp30754frp88wbl17ksr40mmffw5xibq73blgx9jj42d7nl891x";
};
nativeBuildInputs = [ cmake ];

4
pkgs/development/libraries/opencl-clhpp/default.nix
View file

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "opencl-clhpp";
version = "2.0.11";
version = "2.0.12";
src = fetchFromGitHub {
owner = "KhronosGroup";
repo = "OpenCL-CLHPP";
rev = "v${version}";
sha256 = "0a0n0f1lb86cwfm0ndzykcn965vz1v0n9n3rfmkiwrzkdhc9iy2y";
sha256 = "04g3mg2cpbi048fxxkghra81bpxzqr4r3gspx5mvqipx1lzypsci";
};
nativeBuildInputs = [ cmake python ];

4
pkgs/development/libraries/qwt/6_qt4.nix
View file

@ -1,11 +1,11 @@
{ stdenv, fetchurl, qt4, qmake4Hook, AGL }:
stdenv.mkDerivation rec {
name = "qwt-6.1.4";
name = "qwt-6.1.5";
src = fetchurl {
url = "mirror://sourceforge/qwt/${name}.tar.bz2";
sha256 = "1navkcnmn0qz8kzsyqmk32d929zl72l0b580w1ica7z5559j2a8m";
sha256 = "0hf0mpca248xlqn7xnzkfj8drf19gdyg5syzklvq8pibxiixwxj0";
};
buildInputs = [

4
pkgs/development/ocaml-modules/labltk/default.nix
View file

@ -52,6 +52,10 @@ let param =
version = "8.06.8";
sha256 = "0lfjc7lscq81ibqb3fcybdzs2r1i2xl7rsgi7linq46a0pcpkinw";
};
"4.11" = mkNewParam {
version = "8.06.9";
sha256 = "1k42k3bjkf22gk39lwwzqzfhgjyhxnclslldrzpg5qy1829pbnc0";
};
}.${builtins.substring 0 4 ocaml.version};
in

4
pkgs/development/python-modules/libarcus/default.nix
View file

@ -3,14 +3,14 @@
buildPythonPackage rec {
pname = "libarcus";
version = "4.6.1";
version = "4.7.1";
format = "other";
src = fetchFromGitHub {
owner = "Ultimaker";
repo = "libArcus";
rev = version;
sha256 = "1sfy8skvgw6hiihs9jmfn7a13yappqwffir98pahyg7cim7p55kr";
sha256 = "0wmrcvw7k34ib93shhmjzh6kpndgqr37kyr377sril5clmac0z1f";
};
disabled = pythonOlder "3.4.0";

4
pkgs/development/python-modules/libsavitar/default.nix
View file

@ -2,14 +2,14 @@
buildPythonPackage rec {
pname = "libsavitar";
version = "4.6.1";
version = "4.7.1";
format = "other";
src = fetchFromGitHub {
owner = "Ultimaker";
repo = "libSavitar";
rev = version;
sha256 = "0nk8zl5b0b36wrrkj271ck4phzxsigkjsazndscjslc9nkldmnpq";
sha256 = "0mzr3ynfap51bcn6kshyi2h6iny2gpavn6g3b1xcsgzzlxqgfixf";
};
postPatch = ''

4
pkgs/development/python-modules/pydub/default.nix
View file

@ -2,13 +2,13 @@
buildPythonPackage rec {
pname = "pydub";
version = "0.24.0";
version = "0.24.1";
# pypi version doesn't include required data files for tests
src = fetchFromGitHub {
owner = "jiaaro";
repo = pname;
rev = "v${version}";
sha256 = "0cnhkk44cn3wa4fmd1rwzdx2zgrn87qg25pbcp9wsisdlpn4bj6d";
sha256 = "1pv4n54kkjpbjlvwh9b6a7zyq1ylg0fjmd2q4ws9nc2a6mrcivhc";
};

50
pkgs/development/python-modules/scapy/default.nix
View file

@ -1,6 +1,6 @@
{ buildPythonPackage, fetchFromGitHub, lib, isPyPy, isPy3k, pythonOlder
{ buildPythonPackage, fetchFromGitHub, lib, isPyPy
, pycrypto, ecdsa # TODO
, enum34, mock
, tox, mock, coverage, can, brotli
, withOptionalDeps ? true, tcpdump, ipython
, withCryptography ? true, cryptography
, withVoipSupport ? true, sox
@ -13,7 +13,7 @@
buildPythonPackage rec {
pname = "scapy";
version = "2.4.3";
version = "2.4.4";
disabled = isPyPy;
@ -21,14 +21,11 @@ buildPythonPackage rec {
owner = "secdev";
repo = "scapy";
rev = "v${version}";
sha256 = "08ypdzp0p3gvmz3pwi0i9q5f7hz9cq8yn6gawia49ynallwnv4zy";
sha256 = "1wpx7gps3g8q5ykbfcd67mxwcs416zg37b53fwfzzlc1m58vhk3p";
};
# TODO: Temporary workaround
patches = [ ./fix-version.patch ];
postPatch = ''
sed -i "s/NIXPKGS_SCAPY_VERSION/${version}/" scapy/__init__.py
printf "${version}" > scapy/VERSION
'' + lib.optionalString withManufDb ''
substituteInPlace scapy/data.py --replace "/opt/wireshark" "${wireshark}"
'';
@ -38,16 +35,41 @@ buildPythonPackage rec {
++ lib.optional withCryptography cryptography
++ lib.optional withVoipSupport sox
++ lib.optional withPlottingSupport matplotlib
++ lib.optionals withGraphicsSupport [ pyx texlive.combined.scheme-minimal graphviz imagemagick ]
++ lib.optional (isPy3k && pythonOlder "3.4") enum34
++ lib.optional doCheck mock;
++ lib.optionals withGraphicsSupport [ pyx texlive.combined.scheme-minimal graphviz imagemagick ];
# Tests fail with Python 3.6 (seems to be an upstream bug, I'll investigate)
doCheck = if isPy3k then false else true;
# Running the tests seems too complicated:
doCheck = false;
checkInputs = [ tox mock coverage can brotli ];
checkPhase = ''
patchShebangs .
.config/ci/test.sh
'';
meta = with lib; {
description = "Powerful interactive network packet manipulation program";
description = "A Python-based network packet manipulation program and library";
longDescription = ''
Scapy is a powerful Python-based interactive packet manipulation program
and library.
It is able to forge or decode packets of a wide number of protocols, send
them on the wire, capture them, store or read them using pcap files,
match requests and replies, and much more. It is designed to allow fast
packet prototyping by using default values that work.
It can easily handle most classical tasks like scanning, tracerouting,
probing, unit tests, attacks or network discovery (it can replace hping,
85% of nmap, arpspoof, arp-sk, arping, tcpdump, wireshark, p0f, etc.). It
also performs very well at a lot of other specific tasks that most other
tools can't handle, like sending invalid frames, injecting your own
802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning,
VoIP decoding on WEP protected channel, ...), etc.
Scapy supports Python 2.7 and Python 3 (3.4 to 3.8). It's intended to be
cross platform, and runs on many different platforms (Linux, OSX, *BSD,
and Windows).
'';
homepage = "https://scapy.net/";
changelog = "https://github.com/secdev/scapy/releases/tag/v${version}";
license = licenses.gpl2;
platforms = platforms.unix;
maintainers = with maintainers; [ primeos bjornfor ];

13
pkgs/development/python-modules/scapy/fix-version.patch
View file

@ -1,13 +0,0 @@
diff --git a/scapy/__init__.py b/scapy/__init__.py
index d5ad6164..245ce2fb 100644
--- a/scapy/__init__.py
+++ b/scapy/__init__.py
@@ -90,7 +90,7 @@ def _version():
return 'unknown.version'
-VERSION = __version__ = _version()
+VERSION = __version__ = "NIXPKGS_SCAPY_VERSION"
VERSION_MAIN = re.search(r"[0-9.]+", VERSION).group()
if __name__ == "__main__":

4
pkgs/development/python-modules/uranium/default.nix
View file

@ -2,7 +2,7 @@
, pyqt5, numpy, scipy, shapely, libarcus, doxygen, gettext, pythonOlder }:
buildPythonPackage rec {
version = "4.6.1";
version = "4.7.1";
pname = "uranium";
format = "other";
@ -10,7 +10,7 @@ buildPythonPackage rec {
owner = "Ultimaker";
repo = "Uranium";
rev = version;
sha256 = "07pksjbgxs1ks2i6pgxkwfg9c56pcql7f9p89dnwaf2rcn7yhx6r";
sha256 = "1h5d3scy3cnbyhh0pbavflpqklhn2lbp7hl193rc5gx8yzr3mqbh";
};
disabled = pythonOlder "3.5.0";

4
pkgs/development/tools/bazel-kazel/default.nix
View file

@ -2,13 +2,13 @@
buildGoModule rec {
pname = "bazel-kazel";
version = "0.0.12";
version = "0.1.0";
src = fetchFromGitHub {
owner = "kubernetes";
repo = "repo-infra";
rev = "v${version}";
sha256 = "1mnyp116q54xy7flml4cdcsbczhyyqnpyn2pnqrzy49aahbhpn5z";
sha256 = "121asn0h2vfgqnjk72wqjcfq0w15k15abjdm39i8hv455kzrc2hs";
};
vendorSha256 = "1pzkjh4n9ai8yqi98bkdhicjdr2l8j3fckl5n90c2gdcwqyxvgkf";

15
pkgs/development/tools/buildah/default.nix
View file

@ -1,6 +1,7 @@
{ stdenv
, buildGoModule
, fetchFromGitHub
, go-md2man
, installShellFiles
, pkg-config
, gpgme
@ -13,13 +14,13 @@
buildGoModule rec {
pname = "buildah";
version = "1.15.2";
version = "1.16.0";
src = fetchFromGitHub {
owner = "containers";
repo = "buildah";
rev = "v${version}";
sha256 = "13kqcdrdzkbg6h5za6hhkzdx4nbrg5yl97ydj2hfcakl00q4y0dp";
rev = "V${version}";
sha256 = "0z9fblxm3pk2jqw7h36clmj8k4k39n6ab536lyh0rp6p7hz5a988";
};
outputs = [ "out" "man" ];
@ -28,7 +29,7 @@ buildGoModule rec {
doCheck = false;
nativeBuildInputs = [ installShellFiles pkg-config ];
nativeBuildInputs = [ go-md2man installShellFiles pkg-config ];
buildInputs = [
btrfs-progs
@ -41,12 +42,12 @@ buildGoModule rec {
buildPhase = ''
patchShebangs .
make GIT_COMMIT="unknown"
make -C docs
make bin/buildah GIT_COMMIT="unknown"
make -C docs GOMD2MAN="${go-md2man}/bin/go-md2man"
'';
installPhase = ''
install -Dm755 buildah $out/bin/buildah
install -Dm755 bin/buildah $out/bin/buildah
installShellCompletion --bash contrib/completions/bash/buildah
make -C docs install PREFIX="$man"
'';

12
pkgs/development/tools/misc/scc/default.nix
View file

@ -1,20 +1,20 @@
{ stdenv, buildGoPackage, fetchFromGitHub }:
{ stdenv, buildGoModule, fetchFromGitHub }:
buildGoPackage rec {
buildGoModule rec {
pname = "scc";
version = "2.12.0";
version = "2.13.0";
src = fetchFromGitHub {
owner = "boyter";
repo = "scc";
rev = "v${version}";
sha256 = "0hbcq5qn97kr9d4q9m2p1mj3ijn8zmwycrs5bgf1kfiwr09wg2yh";
sha256 = "16p5g20n5jsbisbgikk9xny94xx6c0dxf19saa686ghh31jr2hh3";
};
goPackagePath = "github.com/boyter/scc";
vendorSha256 = null;
# scc has a scripts/ sub-package that's for testing.
subPackages = [ "./" ];
excludedPackages = [ "scripts" ];
meta = with stdenv.lib; {
homepage = "https://github.com/boyter/scc";

4
pkgs/development/tools/misc/terraform-ls/default.nix
View file

@ -2,13 +2,13 @@
buildGoPackage rec {
pname = "terraform-ls";
version = "0.6.1";
version = "0.7.0";
src = fetchFromGitHub {
owner = "hashicorp";
repo = pname;
rev = "v${version}";
sha256 = "0yhpxb9dkwi6rlabr0sd5rk15q0bin6yhww171jrzlnfl036l0sl";
sha256 = "1afdd1zs242nh1cync5ip1fbah34wc3gbsx3hwwiisc8yziwiq18";
};
goPackagePath = "github.com/hashicorp/terraform-ls";

2
pkgs/development/tools/ocaml/dune/2.nix
View file

@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
src = fetchurl {
url = "https://github.com/ocaml/dune/releases/download/${version}/dune-${version}.tbz";
sha256 = "0lnfmc06yhbdiv6mmp0aksnnvzz4aw4zabrdg89p5msyzir3qrvn";
sha256 = "0pcjf209gynjwipnpplaqyvyivnawqiwhvqnivhkybisicpqyln3";
};
buildInputs = [ ocaml findlib ];

4
pkgs/development/tools/pgformatter/default.nix
View file

@ -2,13 +2,13 @@
perlPackages.buildPerlPackage rec {
pname = "pgformatter";
version = "4.3";
version = "4.4";
src = fetchFromGitHub {
owner = "darold";
repo = "pgFormatter";
rev = "v${version}";
sha256 = "0n8ydj01nmnkd8glzjb0yrsyax1pmdfvaxb5xj4pkb2mf6zm94qy";
sha256 = "1sqjw6q005lws7qhkd26jqyb1xqmpcklzw5hk8paxxi8mzyjn0jp";
};
outputs = [ "out" ];

4
pkgs/development/tools/vultr-cli/default.nix
View file

@ -2,13 +2,13 @@
buildGoModule rec {
pname = "vultr-cli";
version = "0.3.2";
version = "0.4.0";
src = fetchFromGitHub {
owner = "vultr";
repo = pname;
rev = "v${version}";
sha256 = "1gqc4w5j9x7vxvxah6hmqd5i1lxyybpml7yfzzcbngwgwm3y5ym0";
sha256 = "0gp1v62iqh3hk46cc5sh8a1nw5nf98m969fdhgxdppwr5dhj9isp";
};
vendorSha256 = null;

4
pkgs/os-specific/linux/eventstat/default.nix
View file

@ -2,10 +2,10 @@
stdenv.mkDerivation rec {
pname = "eventstat";
version = "0.04.09";
version = "0.04.10";
src = fetchzip {
url = "https://kernel.ubuntu.com/~cking/tarballs/eventstat/eventstat-${version}.tar.gz";
sha256 = "1b3m58mak62ym2amnmk62c2d6fypk30fw6jsmirh1qz7dwix4bl5";
sha256 = "0rmg49m56qxji7gwci03pkk4f4hnaq1n2x1348dqkaf5zs5nhi6b";
};
buildInputs = [ ncurses ];
installFlags = [ "DESTDIR=$(out)" ];

2
pkgs/os-specific/linux/kernel/common-config.nix
View file

@ -244,6 +244,8 @@ let
DRM_AMDGPU_SI = whenAtLeast "4.9" yes;
# (stable) amdgpu support for bonaire and newer chipsets
DRM_AMDGPU_CIK = whenAtLeast "4.9" yes;
# Allow device firmware updates
DRM_DP_AUX_CHARDEV = whenAtLeast "4.6" yes;
} // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux") {
# Intel GVT-g graphics virtualization supports 64-bit only
DRM_I915_GVT = whenAtLeast "4.16" yes;

4
pkgs/os-specific/linux/sysvinit/default.nix
View file

@ -1,13 +1,13 @@
{ stdenv, fetchurl, withoutInitTools ? false }:
let version = "2.96"; in
let version = "2.97"; in
stdenv.mkDerivation {
name = (if withoutInitTools then "sysvtools" else "sysvinit") + "-" + version;
src = fetchurl {
url = "mirror://savannah/sysvinit/sysvinit-${version}.tar.xz";
sha256 = "11xmcamvjmrw874zp0vc37hrqc4hz02i0iy8n4xa4dd25avjcbia";
sha256 = "042iyayyh3j28vfbypzn822b73r3nfmyn79f9mixigqrfn2rcn9d";
};
prePatch = ''

4
pkgs/servers/atlassian/jira.nix
View file

@ -8,11 +8,11 @@
stdenv.mkDerivation rec {
pname = "atlassian-jira";
version = "8.10.0";
version = "8.12.0";
src = fetchurl {
url = "https://product-downloads.atlassian.com/software/jira/downloads/atlassian-jira-software-${version}.tar.gz";
sha256 = "1l0kxh4cwqyciylbccd4vfmsvq9cr5sfd0v2gbs3lz41av79mlwa";
sha256 = "149yqj60b35mbvjz7jyh5a3ayh61kvwrz452s0zyb1q3pirj10xq";
};
buildPhase = ''

4
pkgs/servers/icingaweb2/default.nix
View file

@ -1,12 +1,12 @@
{ stdenv, lib, fetchFromGitHub, makeWrapper, php }: with lib; stdenv.mkDerivation rec {
pname = "icingaweb2";
version = "2.8.0";
version = "2.8.1";
src = fetchFromGitHub {
owner = "Icinga";
repo = "icingaweb2";
rev = "v${version}";
sha256 = "18q3d15w7d46g4vyq4iph5c1bbxcl8ikcdc8djrfi30wx36ziybs";
sha256 = "1hmw681a2qv578npr389szkxpbhcfqzq9c1wzkbjjm3avnvi37mf";
};
nativeBuildInputs = [ makeWrapper ];

4
pkgs/servers/monitoring/timescale-prometheus/default.nix
View file

@ -5,13 +5,13 @@
buildGoModule rec {
pname = "timescale-prometheus";
version = "0.1.0-beta.2";
version = "0.1.0-beta.4";
src = fetchFromGitHub {
owner = "timescale";
repo = pname;
rev = "${version}";
sha256 = "1rrr0qb27hh3kcmmxapr1j39dhfxf02vihpjf4b7zpwdf1mpvrbc";
sha256 = "1q9zjxxjxa5kkhlsh69bvgns3kzf23z84jjzg294qb7y7xypym5q";
};
vendorSha256 = "sha256:0y5rq2y48kf2z1z3a8ags6rqzfvjs54klk2679fk8x0yjamj5x04";

4
pkgs/servers/zigbee2mqtt/default.nix
View file

@ -3,7 +3,7 @@ let
package = (import ./node.nix { inherit pkgs system; }).package;
in
package.override rec {
version = "1.14.3";
version = "1.14.4";
reconstructLock = true;
postInstall = ''
@ -20,7 +20,7 @@ package.override rec {
owner = "Koenkk";
repo = "zigbee2mqtt";
rev = version;
sha256 = "164ddb8i4r6rjahjic09sd24xbms4d6b6bnwx0d9fh8sn3ib4v06";
sha256 = "1gyl4f7wh7796w4789pi0ix5y30677784miwylr8wrfqgb1hmddq";
};
passthru.tests.zigbee2mqtt = nixosTests.zigbee2mqtt;

1392
pkgs/servers/zigbee2mqtt/node-packages.nix generated
View file

File diff suppressed because it is too large Load diff

10
pkgs/tools/admin/awscli2/default.nix
View file

@ -8,12 +8,12 @@ let
py = python3.override {
packageOverrides = self: super: {
botocore = super.botocore.overridePythonAttrs (oldAttrs: rec {
version = "2.0.0dev40";
version = "2.0.0dev50";
src = fetchFromGitHub {
owner = "boto";
repo = "botocore";
rev = "6b3f96c5e985597053850f0c2761d503d4c18bfe";
sha256 = "1ffx86m3b592kj331800qbcz5f532z8kzf1wmd04i4bfiqvqn4h8";
rev = "e3dceaf9052cc8e221ea757207d5ba37054af2b8";
sha256 = "0fcf78il4z6gr4gg0jy2h5045ifkslsgldnk6zyvzcl5gykp8i2f";
};
});
prompt_toolkit = super.prompt_toolkit.overridePythonAttrs (oldAttrs: rec {
@ -29,13 +29,13 @@ let
in
with py.pkgs; buildPythonApplication rec {
pname = "awscli2";
version = "2.0.36"; # N.B: if you change this, change botocore to a matching version too
version = "2.0.46"; # N.B: if you change this, change botocore to a matching version too
src = fetchFromGitHub {
owner = "aws";
repo = "aws-cli";
rev = version;
hash = "sha256:05c9lss7jg7bwaij1nxwg50grah68zamcixy8jiw3hpc1vdighql";
hash = "sha256:10bq4m7hsmj1m7nwr3jgpfvm8bx091vl2hig574r1bjmsi32vy58";
};
postPatch = ''

4
pkgs/tools/archivers/wimlib/default.nix
View file

@ -8,7 +8,7 @@
}:
stdenv.mkDerivation rec {
version = "1.13.1";
version = "1.13.2";
pname = "wimlib";
nativeBuildInputs = [ pkgconfig makeWrapper ];
@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
src = fetchurl {
url = "https://wimlib.net/downloads/${pname}-${version}.tar.gz";
sha256 = "0pxgrpr3dr81rcf2jh71aiiq3v4anc5sj1nld18f2vhvbijbrx27";
sha256 = "0id9ym3hzij4kpdrk0sz3ijxp5r0z1md5jch83pml9hdy1zbx5bj";
};
preBuild = ''

24
pkgs/tools/audio/liquidsoap/full.nix
View file

@ -2,13 +2,18 @@
, ocamlPackages
, libao, portaudio, alsaLib, libpulseaudio, libjack2
, libsamplerate, libmad, taglib, lame, libogg
, libvorbis, speex, libtheora, libopus, fdk_aac
, libvorbis, speex, libtheora, libopus
, faad2, flac, ladspaH, ffmpeg, frei0r, dssi
}:
let
pname = "liquidsoap";
version = "1.3.4";
version = "1.4.2";
ocaml-ffmpeg = fetchurl {
url = "https://github.com/savonet/ocaml-ffmpeg/releases/download/v0.4.2/ocaml-ffmpeg-0.4.2.tar.gz";
sha256 = "1lx5s1avds9fsh77828ifn71r2g89rxakhs8pp995a675phm9viw";
};
packageFilters = map (p: "-e '/ocaml-${p}/d'" )
[ "gstreamer" "shine" "aacplus" "schroedinger"
@ -19,10 +24,17 @@ stdenv.mkDerivation {
name = "${pname}-full-${version}";
src = fetchurl {
url = "https://github.com/savonet/${pname}/releases/download/${version}/${pname}-${version}-full.tar.bz2";
sha256 = "11l1h42sljfxcdhddc8klya4bk99j7a1pndwnzvscb04pvmfmlk0";
url = "https://github.com/savonet/${pname}/releases/download/v${version}/${pname}-${version}-full.tar.gz";
sha256 = "0wkwnzj1a0vizv7sr1blwk5gzm2qi0n02ndijnq1i50cwrgxs1a4";
};
# Use ocaml-srt and ocaml-fdkaac from nixpkgs
# Use ocaml-ffmpeg at 0.4.2 for compatibility with ffmpeg 4.3
prePatch = ''
rm -rf ocaml-srt*/ ocaml-fdkaac*/ ocaml-ffmpeg*/
tar xzf ${ocaml-ffmpeg}
'';
preConfigure = /* we prefer system-wide libs */ ''
sed -i "s|gsed|sed|" Makefile
make bootstrap
@ -42,10 +54,12 @@ stdenv.mkDerivation {
[ which ocamlPackages.ocaml ocamlPackages.findlib
libao portaudio alsaLib libpulseaudio libjack2
libsamplerate libmad taglib lame libogg
libvorbis speex libtheora libopus fdk_aac
libvorbis speex libtheora libopus
faad2 flac ladspaH ffmpeg frei0r dssi
ocamlPackages.xmlm ocamlPackages.ocaml_pcre
ocamlPackages.camomile
ocamlPackages.fdkaac
ocamlPackages.srt ocamlPackages.sedlex_2 ocamlPackages.menhir
];
hardeningDisable = [ "format" "fortify" ];

2
pkgs/tools/misc/exa/default.nix
View file

@ -57,6 +57,6 @@ buildRustPackage rec {
'';
homepage = "https://the.exa.website";
license = licenses.mit;
maintainers = with maintainers; [ ehegnes lilyball globin zowoq ];
maintainers = with maintainers; [ ehegnes lilyball globin ];
};
}

4
pkgs/tools/misc/fx_cast/default.nix
View file

@ -2,11 +2,11 @@
stdenv.mkDerivation rec {
pname = "fx_cast_bridge";
version = "0.0.6";
version = "0.0.7";
src = fetchurl {
url = "https://github.com/hensm/fx_cast/releases/download/v${version}/${pname}-${version}-x64.deb";
sha256 = "1mjpwd27b0cpigz4cc2mdl97d78rj5ikn2bqfdic50lqjciaqi1b";
sha256 = "0kd58vzsq1qzl7qsh1qv25ylxvr5y37li03gjb48x4vhd85slzz5";
};
nativeBuildInputs = [ dpkg ];

4
pkgs/tools/misc/lesspipe/default.nix
View file

@ -2,7 +2,7 @@
stdenv.mkDerivation rec {
pname = "lesspipe";
version = "1.84";
version = "1.85";
buildInputs = [ perl ];
preConfigure = "patchShebangs .";
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
owner = "wofr06";
repo = "lesspipe";
rev = version;
sha256 = "124ffhzrikr88ab14rk6753n8adxijpmg7q3zx7nmqc52wpkfd8q";
sha256 = "1v1jdkdq1phc93gdr6mjlk98gipxrkkq4bj8kks0kfdvjgdwkdaa";
};
patches = [

6
pkgs/tools/misc/topgrade/default.nix
View file

@ -2,16 +2,16 @@
rustPlatform.buildRustPackage rec {
pname = "topgrade";
version = "5.5.0";
version = "5.7.0";
src = fetchFromGitHub {
owner = "r-darwish";
repo = pname;
rev = "v${version}";
sha256 = "1adx029cq30g0qnrvdq2di8bpadzdxrpbsqchxfsda8zg6cprh1j";
sha256 = "0nxqi2rykfxhvn8jzprklsc47iilxp1pmm2f17ikfyf5dgi69whb";
};
cargoSha256 = "0jpjn6sb8bkwnq7np487hb8bkm6rv84mihmqwy3ymgdzlqcng6sk";
cargoSha256 = "05afmz2n006331hc8yi2mq9kj574xi1iq6gr983jj75ix7n40rgg";
buildInputs = lib.optional stdenv.isDarwin Foundation;

55
pkgs/tools/networking/hping/default.nix
View file

@ -1,50 +1,41 @@
{ stdenv, fetchurl, libpcap, tcl }:
{ stdenv, fetchFromGitHub, libpcap, withTcl ? true, tcl }:
stdenv.mkDerivation rec {
pname = "hping";
version = "20051105";
version = "2014-12-26";
src = fetchurl {
url = "http://www.hping.org/hping3-${version}.tar.gz";
sha256 = "1s5f9xd1msx05ibhwaw37jmc7l9fahcxxslqz8a83p0i5ak739pm";
src = fetchFromGitHub {
owner = "antirez";
repo = pname;
rev = "3547c7691742c6eaa31f8402e0ccbb81387c1b99"; # there are no tags/releases
sha256 = "0y0n1ybij3yg9lfgzcwfmjz1sjg913zcqrv391xx83dm0j80sdpb";
};
buildInputs = [ libpcap tcl ];
buildInputs = [ libpcap ] ++ stdenv.lib.optional withTcl tcl;
configurePhase = ''
MANPATH="$out/share/man" ./configure
sed -i -r -e 's|/usr(/s?bin)|'"$out"'\1|g' Makefile
'';
TCLSH = "${tcl}/bin/tclsh";
prePatch = ''
sed -i -e '/#if.*defined(__i386__)/a \
|| defined(__x86_64__) \\
' bytesex.h
sed -i -e 's|#include.*net/bpf.h|#include <pcap/bpf.h>|' \
postPatch = ''
substituteInPlace Makefile.in --replace "gcc" "$CC"
substituteInPlace version.c --replace "RELEASE_DATE" "\"$version\""
'' + stdenv.lib.optionalString stdenv.isLinux ''
sed -i -e 's|#include <net/bpf.h>|#include <pcap/bpf.h>|' \
libpcap_stuff.c script.c
sed -i -r -e 's|"(/usr/(local/)?)?bin/"|"${tcl}/bin"|g' \
-e 's!/usr/(local/)?(lib|include)!${tcl}/\2!g' \
configure
'';
preInstall = ''
mkdir -vp "$out/sbin" "$out/share/man/man8"
'';
configureFlags = [ (if withTcl then "TCLSH=${tcl}/bin/tclsh" else "--no-tcl") ];
postInstall = ''
ln -vs hping3.8.gz "$out/share/man/man8/hping.8.gz"
ln -vs hping3.8.gz "$out/share/man/man8/hping2.8.gz"
installPhase = ''
install -Dm755 hping3 -t $out/sbin
ln -s $out/sbin/hping3 $out/sbin/hping
ln -s $out/sbin/hping3 $out/sbin/hping2
install -Dm644 docs/hping3.8 -t $out/share/man/man8
ln -s hping3.8.gz $out/share/man/man8/hping.8.gz
ln -s hping3.8.gz $out/share/man/man8/hping2.8.gz
'';
meta = with stdenv.lib; {
description = "A command-line oriented TCP/IP packet assembler/analyzer";
homepage = "http://www.hping.org/";
license = licenses.gpl2;
platforms = platforms.all;
broken = stdenv.isDarwin;
license = licenses.gpl2Only;
platforms = platforms.unix;
};
}

4
pkgs/tools/networking/keepalived/default.nix
View file

@ -4,13 +4,13 @@
stdenv.mkDerivation rec {
pname = "keepalived";
version = "2.0.20";
version = "2.1.3";
src = fetchFromGitHub {
owner = "acassen";
repo = "keepalived";
rev = "v${version}";
sha256 = "0ijzw56hbac24dhrgjd0hjgf45072imyzq3mcgsirdl3xqjc6x12";
sha256 = "1zdfvicpll7a5iw6p12pmdcg8y30mr0j5miycn0nhjp8yzi9hdc5";
};
buildInputs = [

34
pkgs/tools/security/minica/default.nix Normal file
View file

@ -0,0 +1,34 @@
{ lib, buildGoPackage, fetchFromGitHub }:
buildGoPackage rec {
pname = "minica";
version = "1.0.2";
goPackagePath = "github.com/jsha/minica";
src = fetchFromGitHub {
owner = "jsha";
repo = "minica";
rev = "v${version}";
sha256 = "18518wp3dcjhf3mdkg5iwxqr3326n6jwcnqhyibphnb2a58ap7ny";
};
buildFlagsArray = ''
-ldflags=
-X main.BuildVersion=${version}
'';
meta = with lib; {
description = "A simple tool for generating self signed certificates.";
longDescription = ''
Minica is a simple CA intended for use in situations where the CA
operator also operates each host where a certificate will be used. It
automatically generates both a key and a certificate when asked to
produce a certificate.
'';
homepage = "https://github.com/jsha/minica/";
license = licenses.mit;
maintainers = with maintainers; [ m1cr0man ];
platforms = platforms.linux ++ platforms.darwin;
};
}

4
pkgs/tools/text/miller/default.nix
View file

@ -3,13 +3,13 @@
stdenv.mkDerivation rec {
pname = "miller";
version = "5.9.0";
version = "5.9.1";
src = fetchFromGitHub {
owner = "johnkerl";
repo = "miller";
rev = "v${version}";
sha256 = "14fi6jlqb980qjcpb90fk85cglskq9b9i2k0216bhpvjmagywgp7";
sha256 = "1i9bcpfjnl2yjnfmf0ar1l62zwq01ph0yylz0dby8k2l7cvq5ci6";
};
nativeBuildInputs = [ autoreconfHook flex libtool ];

4
pkgs/tools/text/ugrep/default.nix
View file

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "ugrep";
version = "2.5.3";
version = "2.5.5";
src = fetchFromGitHub {
owner = "Genivia";
repo = pname;
rev = "v${version}";
sha256 = "16ly1dz8wxnjk6kc88dl2x0ijmzw5v87fhai9fnardwfmycn7ivc";
sha256 = "0ba9h0m9c28rllym1djij3b97k4rj06nsgajmbxg5mpxfzplgxy2";
};
buildInputs = [ boost bzip2 lz4 pcre2 xz zlib ];

4
pkgs/tools/text/vale/default.nix
View file

@ -2,7 +2,7 @@
buildGoModule rec {
pname = "vale";
version = "2.3.3";
version = "2.3.4";
subPackages = [ "." ];
outputs = [ "out" "data" ];
@ -11,7 +11,7 @@ buildGoModule rec {
owner = "errata-ai";
repo = "vale";
rev = "v${version}";
sha256 = "13b565l87nm3gpxxhw1bpjx7yqcgf5124k3wh7r149z38xyqc3wk";
sha256 = "0vk7kk2a2891vm46lss8q2893n2zdirlicac2f3xfkrbb5lhkicd";
};
vendorSha256 = null;

24
pkgs/tools/text/vgrep/default.nix Normal file
View file

@ -0,0 +1,24 @@
{ lib, buildGoModule, fetchFromGitHub }:
buildGoModule rec {
pname = "vgrep";
version = "2.4.0";
src = fetchFromGitHub {
owner = "vrothberg";
repo = pname;
rev = "v${version}";
sha256 = "109j04my2xib8m52a0337996a27nvfgzackpg20zs3nzn66dmvb7";
};
vendorSha256 = null;
buildFlagsArray = [ "-ldflags=-s -w -X main.version=${version}" ];
meta = with lib; {
description = "User-friendly pager for grep/git-grep/ripgrep";
homepage = "https://github.com/vrothberg/vgrep";
license = licenses.gpl3Only;
maintainers = with maintainers; [ zowoq ];
};
}

17
pkgs/top-level/all-packages.nix
View file

@ -121,7 +121,9 @@ in
autoPatchelfHook = makeSetupHook { name = "auto-patchelf-hook"; }
../build-support/setup-hooks/auto-patchelf.sh;
appimageTools = callPackage ../build-support/appimage { };
appimageTools = callPackage ../build-support/appimage {
buildFHSUserEnv = buildFHSUserEnvBubblewrap;
};
appindicator-sharp = callPackage ../development/libraries/appindicator-sharp { };
@ -4855,7 +4857,6 @@ in
liquidsoap = callPackage ../tools/audio/liquidsoap/full.nix {
ffmpeg = ffmpeg-full;
ocamlPackages = ocaml-ng.ocamlPackages_4_07;
};
lksctp-tools = callPackage ../os-specific/linux/lksctp-tools { };
@ -4959,6 +4960,8 @@ in
minergate-cli = callPackage ../applications/misc/minergate-cli { };
minica = callPackage ../tools/security/minica { };
minidlna = callPackage ../tools/networking/minidlna { };
minisign = callPackage ../tools/security/minisign { };
@ -7634,6 +7637,8 @@ in
verilog = callPackage ../applications/science/electronics/verilog {};
vgrep = callPackage ../tools/text/vgrep { };
vhd2vl = callPackage ../applications/science/electronics/vhd2vl { };
video2midi = callPackage ../tools/audio/video2midi {
@ -9440,6 +9445,8 @@ in
mozart2-binary = callPackage ../development/compilers/mozart/binary.nix { };
nim = callPackage ../development/compilers/nim { };
nim-unwrapped = nim.unwrapped;
nim-stdlib = nim.stdlib;
nrpl = callPackage ../development/tools/nrpl { };
neko = callPackage ../development/compilers/neko { };
@ -19698,7 +19705,11 @@ in
calculix = callPackage ../applications/science/math/calculix {};
calibre = libsForQt5.callPackage ../applications/misc/calibre { };
calibre-py2 = libsForQt5.callPackage ../applications/misc/calibre { pythonPackages = python2Packages; };
calibre-py3 = libsForQt5.callPackage ../applications/misc/calibre { pythonPackages = python3Packages; };
calibre = calibre-py3;
calligra = libsForQt5.callPackage ../applications/office/calligra {
inherit (kdeApplications) akonadi-calendar akonadi-contacts;