diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index f226194efd56..3a1907ee201e 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -638,6 +638,7 @@ ./services/networking/coredns.nix ./services/networking/corerad.nix ./services/networking/coturn.nix + ./services/networking/croc.nix ./services/networking/dante.nix ./services/networking/ddclient.nix ./services/networking/dhcpcd.nix diff --git a/nixos/modules/services/networking/croc.nix b/nixos/modules/services/networking/croc.nix new file mode 100644 index 000000000000..b218fab2196d --- /dev/null +++ b/nixos/modules/services/networking/croc.nix @@ -0,0 +1,88 @@ +{ config, lib, pkgs, ... }: +let + inherit (lib) types; + cfg = config.services.croc; + rootDir = "/run/croc"; +in +{ + options.services.croc = { + enable = lib.mkEnableOption "croc relay"; + ports = lib.mkOption { + type = with types; listOf port; + default = [9009 9010 9011 9012 9013]; + description = "Ports of the relay."; + }; + pass = lib.mkOption { + type = with types; either path str; + default = "pass123"; + description = "Password or passwordfile for the relay."; + }; + openFirewall = lib.mkEnableOption "opening of the peer port(s) in the firewall"; + debug = lib.mkEnableOption "debug logs"; + }; + + config = lib.mkIf cfg.enable { + systemd.services.croc = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.croc}/bin/croc --pass '${cfg.pass}' ${lib.optionalString cfg.debug "--debug"} relay --ports ${lib.concatMapStringsSep "," toString cfg.ports}"; + # The following options are only for optimizing: + # systemd-analyze security croc + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + DynamicUser = true; + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + LockPersonality = true; + MemoryDenyWriteExecute = true; + MountAPIVFS = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateNetwork = lib.mkDefault false; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "noaccess"; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RootDirectory = rootDir; + # Avoid mounting rootDir in the own rootDir of ExecStart='s mount namespace. + InaccessiblePaths = [ "-+${rootDir}" ]; + BindReadOnlyPaths = [ + builtins.storeDir + ] ++ lib.optional (types.path.check cfg.pass) cfg.pass; + # This is for BindReadOnlyPaths= + # to allow traversal of directories they create in RootDirectory=. + UMask = "0066"; + # Create rootDir in the host's mount namespace. + RuntimeDirectory = [(baseNameOf rootDir)]; + RuntimeDirectoryMode = "700"; + SystemCallFilter = [ + "@system-service" + "~@aio" "~@chown" "~@keyring" "~@memlock" + "~@privileged" "~@resources" "~@setuid" + "~@sync" "~@timer" + ]; + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + }; + }; + + networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall cfg.ports; + }; + + meta.maintainers = with lib.maintainers; [ hax404 julm ]; +} diff --git a/nixos/modules/services/web-apps/miniflux.nix b/nixos/modules/services/web-apps/miniflux.nix index 62906d5e6a0c..01710b1bd59c 100644 --- a/nixos/modules/services/web-apps/miniflux.nix +++ b/nixos/modules/services/web-apps/miniflux.nix @@ -14,17 +14,16 @@ let ADMIN_PASSWORD=password ''; - pgsu = "${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser}"; pgbin = "${config.services.postgresql.package}/bin"; preStart = pkgs.writeScript "miniflux-pre-start" '' #!${pkgs.runtimeShell} db_exists() { - [ "$(${pgsu} ${pgbin}/psql -Atc "select 1 from pg_database where datname='$1'")" == "1" ] + [ "$(${pgbin}/psql -Atc "select 1 from pg_database where datname='$1'")" == "1" ] } if ! db_exists "${dbName}"; then - ${pgsu} ${pgbin}/psql postgres -c "CREATE ROLE ${dbUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${dbPassword}'" - ${pgsu} ${pgbin}/createdb --owner "${dbUser}" "${dbName}" - ${pgsu} ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore" + ${pgbin}/psql postgres -c "CREATE ROLE ${dbUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${dbPassword}'" + ${pgbin}/createdb --owner "${dbUser}" "${dbName}" + ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore" fi ''; in @@ -73,15 +72,26 @@ in services.postgresql.enable = true; + systemd.services.miniflux-dbsetup = { + description = "Miniflux database setup"; + wantedBy = [ "multi-user.target" ]; + requires = [ "postgresql.service" ]; + after = [ "network.target" "postgresql.service" ]; + serviceConfig = { + Type = "oneshot"; + User = config.services.postgresql.superUser; + ExecStart = preStart; + }; + }; + systemd.services.miniflux = { description = "Miniflux service"; wantedBy = [ "multi-user.target" ]; requires = [ "postgresql.service" ]; - after = [ "network.target" "postgresql.service" ]; + after = [ "network.target" "postgresql.service" "miniflux-dbsetup.service" ]; serviceConfig = { ExecStart = "${pkgs.miniflux}/bin/miniflux"; - ExecStartPre = "+${preStart}"; DynamicUser = true; RuntimeDirectory = "miniflux"; RuntimeDirectoryMode = "0700"; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 00e84a9df82c..251f24a9a089 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -84,6 +84,7 @@ in couchdb = handleTest ./couchdb.nix {}; cri-o = handleTestOn ["x86_64-linux"] ./cri-o.nix {}; custom-ca = handleTest ./custom-ca.nix {}; + croc = handleTest ./croc.nix {}; deluge = handleTest ./deluge.nix {}; dhparams = handleTest ./dhparams.nix {}; dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {}; diff --git a/nixos/tests/croc.nix b/nixos/tests/croc.nix new file mode 100644 index 000000000000..c1b6fc7232d7 --- /dev/null +++ b/nixos/tests/croc.nix @@ -0,0 +1,51 @@ +import ./make-test-python.nix ({ pkgs, ... }: +let + client = { pkgs, ... }: { + environment.systemPackages = [ pkgs.croc ]; + }; + pass = pkgs.writeText "pass" "PassRelay"; +in { + name = "croc"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ hax404 julm ]; + }; + + nodes = { + relay = { + services.croc = { + enable = true; + pass = pass; + openFirewall = true; + }; + }; + sender = client; + receiver = client; + }; + + testScript = '' + start_all() + + # wait until relay is up + relay.wait_for_unit("croc") + relay.wait_for_open_port(9009) + relay.wait_for_open_port(9010) + relay.wait_for_open_port(9011) + relay.wait_for_open_port(9012) + relay.wait_for_open_port(9013) + + # generate testfiles and send them + sender.wait_for_unit("multi-user.target") + sender.execute("echo Hello World > testfile01.txt") + sender.execute("echo Hello Earth > testfile02.txt") + sender.execute( + "croc --pass ${pass} --relay relay send --code topSecret testfile01.txt testfile02.txt &" + ) + + # receive the testfiles and check them + receiver.succeed( + "croc --pass ${pass} --yes --relay relay topSecret" + ) + assert "Hello World" in receiver.succeed("cat testfile01.txt") + assert "Hello Earth" in receiver.succeed("cat testfile02.txt") + ''; +}) diff --git a/nixos/tests/miniflux.nix b/nixos/tests/miniflux.nix index 9f8b52c3c857..797a2787d1aa 100644 --- a/nixos/tests/miniflux.nix +++ b/nixos/tests/miniflux.nix @@ -20,6 +20,13 @@ with lib; services.miniflux.enable = true; }; + withoutSudo = + { ... }: + { + services.miniflux.enable = true; + security.sudo.enable = false; + }; + customized = { ... }: { @@ -46,6 +53,13 @@ with lib; "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep -q '\"is_admin\":true'" ) + withoutSudo.wait_for_unit("miniflux.service") + withoutSudo.wait_for_open_port(${toString defaultPort}) + withoutSudo.succeed("curl --fail 'http://localhost:${toString defaultPort}/healthcheck' | grep -q OK") + withoutSudo.succeed( + "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep -q '\"is_admin\":true'" + ) + customized.wait_for_unit("miniflux.service") customized.wait_for_open_port(${toString port}) customized.succeed("curl --fail 'http://localhost:${toString port}/healthcheck' | grep -q OK") diff --git a/pkgs/applications/networking/cluster/helm/default.nix b/pkgs/applications/networking/cluster/helm/default.nix index 5da9e9220a80..501956ec9382 100644 --- a/pkgs/applications/networking/cluster/helm/default.nix +++ b/pkgs/applications/networking/cluster/helm/default.nix @@ -2,15 +2,15 @@ buildGoModule rec { pname = "helm"; - version = "3.5.2"; + version = "3.5.3"; src = fetchFromGitHub { owner = "helm"; repo = "helm"; rev = "v${version}"; - sha256 = "sha256-XFWJtzKQrZL6lcr8JNiEQ8ldG5289x5pE21E8XgoYkA="; + sha256 = "sha256-7xO07JDy6ujWlDF+5Xd3myRQ8ajTppCXz9fNe4yizVw="; }; - vendorSha256 = "sha256-mjWQxCCtTgj1VCFjnuJWgDjwMt/r4jiFC9Of+CXRgPg="; + vendorSha256 = "sha256-lpEoUgABtJczwShNdvD+zYAPDFTJqILSei2YY6mQ2mw="; doCheck = false; diff --git a/pkgs/development/php-packages/swoole/default.nix b/pkgs/development/php-packages/swoole/default.nix new file mode 100644 index 000000000000..b3d43acd1b32 --- /dev/null +++ b/pkgs/development/php-packages/swoole/default.nix @@ -0,0 +1,21 @@ +{ lib, buildPecl, php, valgrind, pcre' }: + +buildPecl { + pname = "swoole"; + + version = "4.6.4"; + sha256 = "0hgndnn27q7fbsb0nw6bfdg0kyy5di9vrmf7g53jc6lsnf73ha31"; + + buildInputs = [ valgrind pcre' ]; + internalDeps = lib.optionals (lib.versionOlder php.version "7.4") [ php.extensions.hash ]; + + doCheck = true; + checkTarget = "tests"; + + meta = with lib; { + description = "Coroutine-based concurrency library for PHP"; + license = licenses.asl20; + homepage = "https://www.swoole.co.uk/"; + maintainers = teams.php.members; + }; +} diff --git a/pkgs/development/python-modules/broadlink/default.nix b/pkgs/development/python-modules/broadlink/default.nix index dcb1368f4116..2418d282ce0a 100644 --- a/pkgs/development/python-modules/broadlink/default.nix +++ b/pkgs/development/python-modules/broadlink/default.nix @@ -1,25 +1,29 @@ -{ lib, fetchPypi, buildPythonPackage -, cryptography, pyaes, pycrc }: +{ lib +, buildPythonPackage +, fetchPypi +, cryptography +}: buildPythonPackage rec { pname = "broadlink"; - version = "0.16.0"; + version = "0.17.0"; src = fetchPypi { inherit pname version; - sha256 = "637dabc6f47b283b72bc521322554462da7a247f04614e458d65df8574d03a41"; + sha256 = "bfd1ff007d0d1187c17ae52be938afc8137fbd1ed6a794426e975df10d167571"; }; - postPatch = '' - substituteInPlace setup.py \ - --replace pyaes==1.6.0 pyaes - ''; - - propagatedBuildInputs = [ cryptography pyaes pycrc ]; + propagatedBuildInputs = [ + cryptography + ]; # no tests available doCheck = false; + pythonImportsCheck = [ + "broadlink" + ]; + meta = with lib; { description = "Python API for controlling Broadlink IR controllers"; homepage = "https://github.com/mjg59/python-broadlink"; diff --git a/pkgs/development/python-modules/caldav/default.nix b/pkgs/development/python-modules/caldav/default.nix index 3888bb7ec65a..2b50b5f2966a 100644 --- a/pkgs/development/python-modules/caldav/default.nix +++ b/pkgs/development/python-modules/caldav/default.nix @@ -15,13 +15,13 @@ buildPythonPackage rec { pname = "caldav"; - version = "0.7.1"; + version = "0.8.0"; src = fetchFromGitHub { owner = "python-caldav"; repo = pname; rev = "v${version}"; - sha256 = "1shfj67kq6qzd0ngyfk09hpzfggybcfxv5s7hqs87nq9l51bssv8"; + sha256 = "11q3svns3a2ywfci739krxbh67cx691qja772wq22606blyygyjy"; }; nativeBuildInputs = lib.optionals (pythonOlder "3.5") [ mock ]; @@ -34,6 +34,10 @@ buildPythonPackage rec { tzlocal ]; + checkPhase = '' + nosetests tests + ''; + # xandikos and radicale is only a optional test dependency, not available for python3 postPatch = '' substituteInPlace setup.py \ @@ -45,7 +49,7 @@ buildPythonPackage rec { meta = with lib; { description = "This project is a CalDAV (RFC4791) client library for Python."; - homepage = "https://pythonhosted.org/caldav/"; + homepage = "https://github.com/python-caldav/caldav"; license = licenses.asl20; maintainers = with maintainers; [ marenz ]; #broken = true; # requires radicale which is not packaged yet diff --git a/pkgs/development/python-modules/ciscomobilityexpress/default.nix b/pkgs/development/python-modules/ciscomobilityexpress/default.nix index 86a2bd8aa88e..d48ba03ad537 100644 --- a/pkgs/development/python-modules/ciscomobilityexpress/default.nix +++ b/pkgs/development/python-modules/ciscomobilityexpress/default.nix @@ -1,20 +1,34 @@ -{ buildPythonPackage, fetchPypi, lib, requests }: +{ lib +, buildPythonPackage +, fetchPypi +, requests +, python +}: buildPythonPackage rec { pname = "ciscomobilityexpress"; - version = "1.0.0"; + version = "1.0.2"; src = fetchPypi { inherit pname version; - sha256 = "fd3fe893d8a44f5ac1d46580af88e07f1066e73744763aca4ef2226f87d575ff"; + sha256 = "d8787245598e8371a83baa4db1df949d8a942c43f13454fa26ee3b09c3ccafc0"; }; propagatedBuildInputs = [ requests ]; - meta = { + # tests directory is set up, but has no tests + checkPhase = '' + ${python.interpreter} -m unittest + ''; + + pythonImportsCheck = [ + "ciscomobilityexpress" + ]; + + meta = with lib; { description = "Module to interact with Cisco Mobility Express APIs to fetch connected devices"; - homepage = "https://pypi.python.org/pypi/${pname}/"; - license = lib.licenses.mit; - maintainers = with lib.maintainers; [ uvnikita ]; + homepage = "https://github.com/fbradyirl/ciscomobilityexpress"; + license = licenses.mit; + maintainers = with maintainers; [ uvnikita ]; }; } diff --git a/pkgs/development/python-modules/ddt/default.nix b/pkgs/development/python-modules/ddt/default.nix index 4766d04c1f38..11d32adf3bfb 100644 --- a/pkgs/development/python-modules/ddt/default.nix +++ b/pkgs/development/python-modules/ddt/default.nix @@ -1,7 +1,6 @@ { lib , buildPythonPackage , fetchPypi -, fetchpatch , six, pyyaml, mock , pytestCheckHook , enum34 @@ -10,21 +9,13 @@ buildPythonPackage rec { pname = "ddt"; - version = "1.4.1"; + version = "1.4.2"; src = fetchPypi { inherit pname version; - sha256 = "0595e70d074e5777771a45709e99e9d215552fb1076443a25fad6b23d8bf38da"; + sha256 = "sha256-ZKZzZqJxXmNriGlMxgdcwC2ykvAQmLjjhTl8iU05U3g="; }; - patches = [ - # fix tests with recent PyYAML, https://github.com/datadriventests/ddt/pull/96 - (fetchpatch { - url = "https://github.com/datadriventests/ddt/commit/97f0a2315736e50f1b34a015447cd751da66ecb6.patch"; - sha256 = "1g7l5h7m7s4yqfxlygrg7nnhb9xhz1drjld64ssi3fbsmn7klf0a"; - }) - ]; - checkInputs = [ six pyyaml mock pytestCheckHook ]; propagatedBuildInputs = lib.optionals (!isPy3k) [ diff --git a/pkgs/development/python-modules/ntc-templates/default.nix b/pkgs/development/python-modules/ntc-templates/default.nix index a85bd0f8fc37..dc7ba5d8b681 100644 --- a/pkgs/development/python-modules/ntc-templates/default.nix +++ b/pkgs/development/python-modules/ntc-templates/default.nix @@ -2,6 +2,7 @@ , buildPythonPackage , fetchFromGitHub , isPy27 +, poetry-core , textfsm , pytestCheckHook , ruamel_yaml @@ -10,22 +11,36 @@ buildPythonPackage rec { pname = "ntc-templates"; - version = "1.6.0"; + version = "2.0.0"; + format = "pyproject"; disabled = isPy27; src = fetchFromGitHub { owner = "networktocode"; repo = pname; - rev = "dc27599b0c5f3bb6ff23049e781b5dab2849c2c3"; # not tagged - sha256 = "1vg5y5c51vc9dj3b8qcffh6dz85ri11zb1azxmyvgbq86pcvbx9f"; + rev = "v${version}"; + sha256 = "05ifbzps9jxrrkrqybsdbm67jhynfcjc298pqkhp21q5jwnlrl72"; }; - propagatedBuildInputs = [ textfsm ]; + nativeBuildInputs = [ + poetry-core + ]; - checkInputs = [ pytestCheckHook ruamel_yaml yamllint ]; + propagatedBuildInputs = [ + textfsm + ]; + + checkInputs = [ + pytestCheckHook + ruamel_yaml + yamllint + ]; # https://github.com/networktocode/ntc-templates/issues/743 - disabledTests = [ "test_raw_data_against_mock" "test_verify_parsed_and_reference_data_exists" ]; + disabledTests = [ + "test_raw_data_against_mock" + "test_verify_parsed_and_reference_data_exists" + ]; meta = with lib; { description = "TextFSM templates for parsing show commands of network devices"; diff --git a/pkgs/development/python-modules/plexapi/default.nix b/pkgs/development/python-modules/plexapi/default.nix index 810bd1ffed15..1686887a1518 100644 --- a/pkgs/development/python-modules/plexapi/default.nix +++ b/pkgs/development/python-modules/plexapi/default.nix @@ -9,14 +9,14 @@ buildPythonPackage rec { pname = "PlexAPI"; - version = "4.4.0"; + version = "4.4.1"; disabled = isPy27; src = fetchFromGitHub { owner = "pkkid"; repo = "python-plexapi"; rev = version; - sha256 = "0wzdzi5afncinavz5g77ximdr9y2ndzwb0gl819n0l6pnvbxdwp2"; + sha256 = "11zarqnrpis6xpsjdvfl3pczv1l9rzbgkawkv2lhfvzlnc00d7df"; }; propagatedBuildInputs = [ diff --git a/pkgs/servers/home-assistant/component-packages.nix b/pkgs/servers/home-assistant/component-packages.nix index 347dd2137c82..7be68d087e77 100644 --- a/pkgs/servers/home-assistant/component-packages.nix +++ b/pkgs/servers/home-assistant/component-packages.nix @@ -2,7 +2,7 @@ # Do not edit! { - version = "2021.3.3"; + version = "2021.3.4"; components = { "abode" = ps: with ps; [ abodepy ]; "accuweather" = ps: with ps; [ accuweather ]; diff --git a/pkgs/servers/home-assistant/default.nix b/pkgs/servers/home-assistant/default.nix index 34a8f7f6c04a..dc61317876b0 100644 --- a/pkgs/servers/home-assistant/default.nix +++ b/pkgs/servers/home-assistant/default.nix @@ -66,7 +66,7 @@ let extraBuildInputs = extraPackages py.pkgs; # Don't forget to run parse-requirements.py after updating - hassVersion = "2021.3.3"; + hassVersion = "2021.3.4"; in with py.pkgs; buildPythonApplication rec { pname = "homeassistant"; @@ -85,7 +85,7 @@ in with py.pkgs; buildPythonApplication rec { owner = "home-assistant"; repo = "core"; rev = version; - sha256 = "0kfvjpzz6ynw8bwd91nm0aiw1pkrmaydwf1r93dnwi8rmzq10zpb"; + sha256 = "110pvin39lr40zd3lhb8zvh2wafl0k0dy3nbmc483yafy31xa4kw"; }; # leave this in, so users don't have to constantly update their downstream patch handling diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 0b9ea75eeca2..c2aa1918ed36 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -18490,6 +18490,7 @@ in inherit (darwin.apple_sdk.frameworks) CoreServices; boost = boost173; # Configure checks for specific version. protobuf = protobuf3_7; + icu = icu67; }; mysql_jdbc = callPackage ../servers/sql/mysql/jdbc { }; diff --git a/pkgs/top-level/php-packages.nix b/pkgs/top-level/php-packages.nix index 96d3e9b423b3..d548be9ac2d5 100644 --- a/pkgs/top-level/php-packages.nix +++ b/pkgs/top-level/php-packages.nix @@ -138,6 +138,8 @@ lib.makeScope pkgs.newScope (self: with self; { sqlsrv = callPackage ../development/php-packages/sqlsrv { }; + swoole = callPackage ../development/php-packages/swoole { }; + v8 = buildPecl { version = "0.2.2"; pname = "v8";