Merge master into staging-next

NixOS · Jan 21, 2024 · cabf461 · cabf461
2 parents 2e9c9cc + 58fcc2d
commit cabf461
Show file tree

Hide file tree

Showing 46 changed files with 334 additions and 174 deletions.
diff --git a/nixos/modules/services/misc/ollama.nix b/nixos/modules/services/misc/ollama.nix
@@ -9,6 +9,13 @@ in {
       enable = lib.mkEnableOption (
         lib.mdDoc "Server for local large language models"
       );
+      listenAddress = lib.mkOption {
+        type = lib.types.str;
+        default = "127.0.0.1:11434";
+        description = lib.mdDoc ''
+          Specifies the bind address on which the ollama server HTTP interface listens.
+        '';
+      };
       package = lib.mkPackageOption pkgs "ollama" { };
     };
   };
@@ -23,6 +30,7 @@ in {
         environment = {
           HOME = "%S/ollama";
           OLLAMA_MODELS = "%S/ollama/models";
+          OLLAMA_HOST = cfg.listenAddress;
         };
         serviceConfig = {
           ExecStart = "${lib.getExe cfg.package} serve";

diff --git a/nixos/modules/services/misc/taskserver/helper-tool.py b/nixos/modules/services/misc/taskserver/helper-tool.py
@@ -61,6 +61,10 @@ def run_as_taskd_user():
     os.setuid(uid)
 
 
+def run_as_taskd_group():
+    gid = grp.getgrnam(TASKD_GROUP).gr_gid
+    os.setgid(gid)
+
 def taskd_cmd(cmd, *args, **kwargs):
     """
     Invoke taskd with the specified command with the privileges of the 'taskd'
@@ -90,7 +94,7 @@ def certtool_cmd(*args, **kwargs):
     """
     return subprocess.check_output(
         [CERTTOOL_COMMAND] + list(args),
-        preexec_fn=lambda: os.umask(0o077),
+        preexec_fn=run_as_taskd_group,
         stderr=subprocess.STDOUT,
         **kwargs
     )
@@ -156,17 +160,33 @@ def generate_key(org, user):
         sys.stderr.write(msg.format(user))
         return
 
-    basedir = os.path.join(TASKD_DATA_DIR, "keys", org, user)
-    if os.path.exists(basedir):
+    keysdir = os.path.join(TASKD_DATA_DIR, "keys" )
+    orgdir  = os.path.join(keysdir       , org    )
+    userdir = os.path.join(orgdir        , user   )
+    if os.path.exists(userdir):
         raise OSError("Keyfile directory for {} already exists.".format(user))
 
-    privkey = os.path.join(basedir, "private.key")
-    pubcert = os.path.join(basedir, "public.cert")
+    privkey = os.path.join(userdir, "private.key")
+    pubcert = os.path.join(userdir, "public.cert")
 
     try:
-        os.makedirs(basedir, mode=0o700)
+        # We change the permissions and the owner ship of the base directories
+        # so that cfg.group and cfg.user could read the directories' contents.
+        # See also: https://bugs.python.org/issue42367
+        for bd in [keysdir, orgdir, userdir]:
+            # Allow cfg.group, but not others to read the contents of this group
+            os.makedirs(bd, exist_ok=True)
+            # not using mode= argument to makedirs intentionally - forcing the
+            # permissions we want
+            os.chmod(bd, mode=0o750)
+            os.chown(
+                bd,
+                uid=pwd.getpwnam(TASKD_USER).pw_uid,
+                gid=grp.getgrnam(TASKD_GROUP).gr_gid,
+            )
 
         certtool_cmd("-p", "--bits", CERT_BITS, "--outfile", privkey)
+        os.chmod(privkey, 0o640)
 
         template_data = [
             "organization = {0}".format(org),
@@ -187,7 +207,7 @@ def generate_key(org, user):
                 "--outfile", pubcert
             )
     except:
-        rmtree(basedir)
+        rmtree(userdir)
         raise
 
 

diff --git a/pkgs/applications/networking/instant-messengers/baresip/default.nix b/pkgs/applications/networking/instant-messengers/baresip/default.nix
@@ -27,13 +27,13 @@
 , dbusSupport ? true
 }:
 stdenv.mkDerivation rec {
-  version = "3.8.0";
+  version = "3.8.1";
   pname = "baresip";
   src = fetchFromGitHub {
     owner = "baresip";
     repo = "baresip";
     rev = "v${version}";
-    hash = "sha256-7QqaKK8zalyopn9+MkKmdt9XaCkDFBNiXwVd2iXmqMA=";
+    hash = "sha256-39HRvRTyA0V8NKFUUpj7UGc01KVXULTE3HUd9Kh06bw=";
   };
   prePatch = lib.optionalString (!dbusSupport) ''
     substituteInPlace cmake/modules.cmake --replace 'list(APPEND MODULES ctrl_dbus)' ""

diff --git a/pkgs/applications/networking/irc/weechat/default.nix b/pkgs/applications/networking/irc/weechat/default.nix
@@ -36,14 +36,14 @@ let
   in
     assert lib.all (p: p.enabled -> ! (builtins.elem null p.buildInputs)) plugins;
     stdenv.mkDerivation rec {
-      version = "4.1.2";
+      version = "4.2.0";
       pname = "weechat";
 
       hardeningEnable = [ "pie" ];
 
       src = fetchurl {
         url = "https://weechat.org/files/src/weechat-${version}.tar.xz";
-        hash = "sha256-mpuRD752i7nefHrJRPXbjyM4M/NFsuUF4W7G7zXv+7U=";
+        hash = "sha256-Mvam8hP7Y025MeKrjwGtuam1Dnf6ocUsoRbvoyBXWko=";
       };
 
       # Why is this needed? https://github.com/weechat/weechat/issues/2031

diff --git a/pkgs/applications/office/qownnotes/default.nix b/pkgs/applications/office/qownnotes/default.nix
@@ -19,14 +19,14 @@
 let
   pname = "qownnotes";
   appname = "QOwnNotes";
-  version = "24.1.2";
+  version = "24.1.4";
 in
 stdenv.mkDerivation {
-  inherit pname appname version;
+  inherit pname version;
 
   src = fetchurl {
     url = "https://github.com/pbek/QOwnNotes/releases/download/v${version}/qownnotes-${version}.tar.xz";
-    hash = "sha256-UlHLGO5Rictj0/eZKxyFKxa/2XasQOAixnejOc+dH0M=";
+    hash = "sha256-RWAg89rbmoOSzOu9YjAkDluyPiYjT6f8gmri5AAHyww=";
   };
 
   nativeBuildInputs = [

diff --git a/pkgs/by-name/te/terraform-plugin-docs/package.nix b/pkgs/by-name/te/terraform-plugin-docs/package.nix
@@ -10,16 +10,16 @@
 
 buildGoModule rec {
   pname = "terraform-plugin-docs";
-  version = "0.16.0";
+  version = "0.17.0";
 
   src = fetchFromGitHub {
     owner = "hashicorp";
     repo = "terraform-plugin-docs";
     rev = "refs/tags/v${version}";
-    sha256 = "sha256-5vbi69GMgkzvN3aEQbNTbk99rg+kfvAvUrdDsuyIm9s=";
+    sha256 = "sha256-ID+4Pz6SUPzZTZYX6IHn/U02Ffw95he/gogV0mNA2OA=";
   };
 
-  vendorHash = "sha256-AjW6BokLVDkIWXToJ7wNq/g19xKTAfpQ/gVlKCV5qw0=";
+  vendorHash = "sha256-HseQBCvflmnlKX4PygWejPbyXRJmNUyl2K2//b4/tik=";
 
   nativeBuildInputs = [ makeWrapper ];
 

diff --git a/pkgs/development/libraries/allegro/5.nix b/pkgs/development/libraries/allegro/5.nix
@@ -40,13 +40,13 @@
 
 stdenv.mkDerivation rec {
   pname = "allegro";
-  version = "5.2.9.0";
+  version = "5.2.9.1";
 
   src = fetchFromGitHub {
     owner = "liballeg";
     repo = "allegro5";
     rev = version;
-    sha256 = "sha256-lGaHhFlc9zcalRFx0Xcyd0pZdC9lln0ez5hdfRz6Kt8=";
+    sha256 = "sha256-n2OCmZmAqeXjtnCTqJgQ5q4j8/lnPfH+5tpWKIFKle0=";
   };
 
   nativeBuildInputs = [

diff --git a/pkgs/development/libraries/libnbd/default.nix b/pkgs/development/libraries/libnbd/default.nix
@@ -1,7 +1,6 @@
 { lib
 , stdenv
 , fetchurl
-, fetchpatch
 , bash-completion
 , pkg-config
 , perl
@@ -13,21 +12,13 @@
 
 stdenv.mkDerivation rec {
   pname = "libnbd";
-  version = "1.18.1";
+  version = "1.18.2";
 
   src = fetchurl {
     url = "https://download.libguestfs.org/libnbd/${lib.versions.majorMinor version}-stable/${pname}-${version}.tar.gz";
-    hash = "sha256-UNHRphDw1ycRnp0KClzHlSuLIxs5Mc4gcjB+EF/smbY=";
+    hash = "sha256-OYtNHAIGgwJuapoJNEMVkurUK9bQ7KO+V223bGC0TFI=";
   };
 
-  patches = [
-    (fetchpatch {
-      name = "CVE-2023-5871.patch";
-      url = "https://gitlab.com/nbdkit/libnbd/-/commit/4451e5b61ca07771ceef3e012223779e7a0c7701.patch";
-      hash = "sha256-zmg/kxSJtjp2w9917Sp33ezt7Ccj/inngzCUVesF1Tc=";
-    })
-  ];
-
   nativeBuildInputs = [
     bash-completion
     pkg-config

diff --git a/pkgs/development/libraries/qt-6/default.nix b/pkgs/development/libraries/qt-6/default.nix
@@ -164,7 +164,7 @@ let
       qtwayland = callPackage ./modules/qtwayland.nix { };
       qtwebchannel = callPackage ./modules/qtwebchannel.nix { };
       qtwebengine = callPackage ./modules/qtwebengine.nix {
-        inherit (darwin) bootstrap_cmds cctools xnu;
+        inherit (darwin) autoSignDarwinBinariesHook bootstrap_cmds cctools xnu;
         inherit (darwin.apple_sdk_11_0) libpm libunwind;
         inherit (darwin.apple_sdk_11_0.libs) sandbox;
         inherit (darwin.apple_sdk_11_0.frameworks)

diff --git a/pkgs/development/libraries/qt-6/modules/qtwebengine.nix b/pkgs/development/libraries/qt-6/modules/qtwebengine.nix
@@ -60,6 +60,7 @@
 , mesa
 , enableProprietaryCodecs ? true
   # darwin
+, autoSignDarwinBinariesHook
 , bootstrap_cmds
 , cctools
 , xcbuild
@@ -105,6 +106,7 @@ qtModule {
     gn
     nodejs
   ] ++ lib.optionals stdenv.isDarwin [
+    autoSignDarwinBinariesHook
     bootstrap_cmds
     cctools
     xcbuild
@@ -185,16 +187,19 @@ qtModule {
     "-DQT_FEATURE_pdf_xfa_gif=ON"
     "-DQT_FEATURE_pdf_xfa_png=ON"
     "-DQT_FEATURE_pdf_xfa_tiff=ON"
-    "-DQT_FEATURE_webengine_system_icu=ON"
     "-DQT_FEATURE_webengine_system_libevent=ON"
-    "-DQT_FEATURE_webengine_system_libxml=ON"
     "-DQT_FEATURE_webengine_system_ffmpeg=ON"
     # android only. https://bugreports.qt.io/browse/QTBUG-100293
     # "-DQT_FEATURE_webengine_native_spellchecker=ON"
     "-DQT_FEATURE_webengine_sanitizer=ON"
     "-DQT_FEATURE_webengine_kerberos=ON"
   ] ++ lib.optionals stdenv.isLinux [
+    "-DQT_FEATURE_webengine_system_libxml=ON"
     "-DQT_FEATURE_webengine_webrtc_pipewire=ON"
+
+    # Appears not to work on some platforms
+    # https://github.com/Homebrew/homebrew-core/issues/104008
+    "-DQT_FEATURE_webengine_system_icu=ON"
   ] ++ lib.optionals enableProprietaryCodecs [
     "-DQT_FEATURE_webengine_proprietary_codecs=ON"
   ] ++ lib.optionals stdenv.isDarwin [
@@ -222,11 +227,9 @@ qtModule {
 
     # Text rendering
     harfbuzz
-    icu
 
     openssl
     glib
-    libxml2
     libxslt
     lcms2
 
@@ -241,6 +244,9 @@ qtModule {
     protobuf
     jsoncpp
 
+    icu
+    libxml2
+
     # Audio formats
     alsa-lib
     pulseaudio

diff --git a/pkgs/development/libraries/qt-6/patches/qtwebengine-libxml-2.12.patch b/pkgs/development/libraries/qt-6/patches/qtwebengine-libxml-2.12.patch
@@ -1,22 +1,29 @@
 --- a/src/3rdparty/chromium/third_party/blink/renderer/core/xml/xslt_processor.h
 +++ b/src/3rdparty/chromium/third_party/blink/renderer/core/xml/xslt_processor.h
-@@ -77,7 +77,7 @@ class XSLTProcessor final : public ScriptWrappable {
+@@ -77,7 +77,12 @@ class XSLTProcessor final : public ScriptWrappable {
 
    void reset();
 
--  static void ParseErrorFunc(void* user_data, xmlError*);
++#if LIBXML_VERSION >= 21200
 +  static void ParseErrorFunc(void* user_data, const xmlError*);
++#else
+   static void ParseErrorFunc(void* user_data, xmlError*);
++#endif
++
    static void GenericErrorFunc(void* user_data, const char* msg, ...);
 
    // Only for libXSLT callbacks
 --- a/src/3rdparty/chromium/third_party/blink/renderer/core/xml/xslt_processor_libxslt.cc
 +++ b/src/3rdparty/chromium/third_party/blink/renderer/core/xml/xslt_processor_libxslt.cc
-@@ -66,7 +66,7 @@ void XSLTProcessor::GenericErrorFunc(void*, const char*, ...) {
+@@ -66,7 +66,11 @@ void XSLTProcessor::GenericErrorFunc(void*, const char*, ...) {
    // It would be nice to do something with this error message.
  }
 
--void XSLTProcessor::ParseErrorFunc(void* user_data, xmlError* error) {
++#if LIBXML_VERSION >= 21200
 +void XSLTProcessor::ParseErrorFunc(void* user_data, const xmlError* error) {
++#else
+ void XSLTProcessor::ParseErrorFunc(void* user_data, xmlError* error) {
++#endif
    FrameConsole* console = static_cast<FrameConsole*>(user_data);
    if (!console)
      return;
diff --git a/pkgs/development/mobile/genymotion/default.nix b/pkgs/development/mobile/genymotion/default.nix
@@ -1,5 +1,6 @@
 { stdenv, lib, fetchurl, makeWrapper, which, zlib, libGL, glib, xorg, libxkbcommon
 , xdg-utils, libXrender, fontconfig, freetype, systemd, libpulseaudio
+, cairo, gdk-pixbuf, gtk3, pixman
 # For glewinfo
 , libXmu, libXi, libXext }:
 
@@ -19,6 +20,10 @@ let
     freetype
     systemd
     libpulseaudio
+    cairo
+    gdk-pixbuf
+    gtk3
+    pixman
   ];
   libPath = lib.makeLibraryPath packages;
 in
@@ -31,8 +36,7 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-CS1A9udt47bhgnYJqqkCG3z4XaPVHmz417VTsY2ccOA=";
   };
 
-  nativeBuildInputs = [ makeWrapper ];
-  buildInputs = [ which xdg-utils ];
+  nativeBuildInputs = [ makeWrapper which xdg-utils ];
 
   unpackPhase = ''
     mkdir -p phony-home $out/share/applications
@@ -73,6 +77,8 @@ stdenv.mkDerivation rec {
 
     patchExecutable genymotion
     patchExecutable player
+    patchExecutable qemu/x86_64/bin/qemu-img
+    patchExecutable qemu/x86_64/bin/qemu-system-x86_64
 
     patchTool adb
     patchTool aapt

diff --git a/pkgs/development/php-packages/php-cs-fixer/default.nix b/pkgs/development/php-packages/php-cs-fixer/default.nix
@@ -2,14 +2,14 @@
 
 let
   pname = "php-cs-fixer";
-  version = "3.45.0";
+  version = "3.48.0";
 in
 mkDerivation {
   inherit pname version;
 
   src = fetchurl {
     url = "https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases/download/v${version}/php-cs-fixer.phar";
-    sha256 = "sha256-0i5ES1BfekNAOJuGQ4q9lqle/RS3YxgLt+CJa/Ow5/k=";
+    sha256 = "sha256-JPFZ297l83PqJv+yyzTN6DIKsk82MJuo9IEdMPPAPGM=";
   };
 
   dontUnpack = true;

diff --git a/pkgs/development/python-modules/aliyun-python-sdk-iot/default.nix b/pkgs/development/python-modules/aliyun-python-sdk-iot/default.nix
@@ -7,14 +7,14 @@
 
 buildPythonPackage rec {
   pname = "aliyun-python-sdk-iot";
-  version = "8.57.0";
+  version = "8.58.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-Ea0IUn2mlu0c7QYJZkUrBUrtjUuTHoTeuvZHw/il+4A=";
+    hash = "sha256-Aafqju0EcaXv9RYkNSlcc1JnffluXXSl3KR1OcIX+OI=";
   };
 
   propagatedBuildInputs = [