Merge staging-next into staging

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -113,6 +113,8 @@
 
 - [tuxedo-rs](https://github.com/AaronErhardt/tuxedo-rs), Rust utilities for interacting with hardware from TUXEDO Computers.
 
+- [certspotter](https://github.com/SSLMate/certspotter), a certificate transparency log monitor. Available as [services.certspotter](#opt-services.certspotter.enable).
+
 - [audiobookshelf](https://github.com/advplyr/audiobookshelf/), a self-hosted audiobook and podcast server. Available as [services.audiobookshelf](#opt-services.audiobookshelf.enable).
 
 - [ZITADEL](https://zitadel.com), a turnkey identity and access management platform. Available as [services.zitadel](#opt-services.zitadel.enable).

nixos/modules/module-list.nix

@@ -767,6 +767,7 @@
   ./services/monitoring/below.nix
   ./services/monitoring/bosun.nix
   ./services/monitoring/cadvisor.nix
+  ./services/monitoring/certspotter.nix
   ./services/monitoring/cockpit.nix
   ./services/monitoring/collectd.nix
   ./services/monitoring/das_watchdog.nix

nixos/modules/services/monitoring/certspotter.md

@@ -0,0 +1,74 @@
+# Cert Spotter {#module-services-certspotter}
+
+Cert Spotter is a tool for monitoring [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency)
+logs.
+
+## Service Configuration {#modules-services-certspotter-service-configuration}
+
+A basic config that notifies you of all certificate changes for your
+domain would look as follows:
+
+```nix
+services.certspotter = {
+  enable = true;
+  # replace example.org with your domain name
+  watchlist = [ ".example.org" ];
+  emailRecipients = [ "webmaster@example.org" ];
+};
+
+# Configure an SMTP client
+programs.msmtp.enable = true;
+# Or you can use any other module that provides sendmail, like
+# services.nullmailer, services.opensmtpd, services.postfix
+```
+
+In this case, the leading dot in `".example.org"` means that Cert
+Spotter should monitor not only `example.org`, but also all of its
+subdomains.
+
+## Operation {#modules-services-certspotter-operation}
+
+**By default, NixOS configures Cert Spotter to skip all certificates
+issued before its first launch**, because checking the entire
+Certificate Transparency logs requires downloading tens of terabytes of
+data. If you want to check the *entire* logs for previously issued
+certificates, you have to set `services.certspotter.startAtEnd` to
+`false` and remove all previously saved log state in
+`/var/lib/certspotter/logs`. The downloaded logs aren't saved, so if you
+add a new domain to the watchlist and want Cert Spotter to go through
+the logs again, you will have to remove `/var/lib/certspotter/logs`
+again.
+
+After catching up with the logs, Cert Spotter will start monitoring live
+logs. As of October 2023, it uses around **20 Mbps** of traffic on
+average.
+
+## Hooks {#modules-services-certspotter-hooks}
+
+Cert Spotter supports running custom hooks instead of (or in addition
+to) sending emails. Hooks are shell scripts that will be passed certain
+environment variables.
+
+To see hook documentation, see Cert Spotter's man pages:
+
+```ShellSession
+nix-shell -p certspotter --run 'man 8 certspotter-script'
+```
+
+For example, you can remove `emailRecipients` and send email
+notifications manually using the following hook:
+
+```nix
+services.certspotter.hooks = [
+  (pkgs.writeShellScript "certspotter-hook" ''
+    function print_email() {
+      echo "Subject: [certspotter] $SUMMARY"
+      echo "Mime-Version: 1.0"
+      echo "Content-Type: text/plain; charset=US-ASCII"
+      echo
+      cat "$TEXT_FILENAME"
+    }
+    print_email | ${config.services.certspotter.sendmailPath} -i webmaster@example.org
+  '')
+];
+```

nixos/modules/services/monitoring/certspotter.nix

@@ -0,0 +1,143 @@
+{ config
+, lib
+, pkgs
+, ... }:
+
+let
+  cfg = config.services.certspotter;
+
+  configDir = pkgs.linkFarm "certspotter-config" (
+    lib.toList {
+      name = "watchlist";
+      path = pkgs.writeText "certspotter-watchlist" (builtins.concatStringsSep "\n" cfg.watchlist);
+    }
+    ++ lib.optional (cfg.emailRecipients != [ ]) {
+      name = "email_recipients";
+      path = pkgs.writeText "certspotter-email_recipients" (builtins.concatStringsSep "\n" cfg.emailRecipients);
+    }
+    # always generate hooks dir when no emails are provided to allow running cert spotter with no hooks/emails
+    ++ lib.optional (cfg.emailRecipients == [ ] || cfg.hooks != [ ]) {
+      name = "hooks.d";
+      path = pkgs.linkFarm "certspotter-hooks" (lib.imap1 (i: path: {
+        inherit path;
+        name = "hook${toString i}";
+      }) cfg.hooks);
+    });
+in
+{
+  options.services.certspotter = {
+    enable = lib.mkEnableOption "Cert Spotter, a Certificate Transparency log monitor";
+
+    package = lib.mkPackageOptionMD pkgs "certspotter" { };
+
+    startAtEnd = lib.mkOption {
+      type = lib.types.bool;
+      description = ''
+        Whether to skip certificates issued before the first launch of Cert Spotter.
+        Setting this to `false` will cause Cert Spotter to download tens of terabytes of data.
+      '';
+      default = true;
+    };
+
+    sendmailPath = lib.mkOption {
+      type = with lib.types; nullOr path;
+      description = ''
+        Path to the `sendmail` binary. By default, the local sendmail wrapper is used
+        (see {option}`services.mail.sendmailSetuidWrapper`}).
+      '';
+      example = lib.literalExpression ''"''${pkgs.system-sendmail}/bin/sendmail"'';
+    };
+
+    watchlist = lib.mkOption {
+      type = with lib.types; listOf str;
+      description = "Domain names to watch. To monitor a domain with all subdomains, prefix its name with `.` (e.g. `.example.org`).";
+      default = [ ];
+      example = [ ".example.org" "another.example.com" ];
+    };
+
+    emailRecipients = lib.mkOption {
+      type = with lib.types; listOf str;
+      description = "A list of email addresses to send certificate updates to.";
+      default = [ ];
+    };
+
+    hooks = lib.mkOption {
+      type = with lib.types; listOf path;
+      description = ''
+        Scripts to run upon the detection of a new certificate. See `man 8 certspotter-script` or
+        [the GitHub page](https://github.com/SSLMate/certspotter/blob/${pkgs.certspotter.src.rev or "master"}/man/certspotter-script.md)
+        for more info.
+      '';
+      default = [ ];
+      example = lib.literalExpression ''
+        [
+          (pkgs.writeShellScript "certspotter-hook" '''
+            echo "Event summary: $SUMMARY."
+          ''')
+        ]
+      '';
+    };
+
+    extraFlags = lib.mkOption {
+      type = with lib.types; listOf str;
+      description = "Extra command-line arguments to pass to Cert Spotter";
+      example = [ "-no_save" ];
+      default = [ ];
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = (cfg.emailRecipients != [ ]) -> (cfg.sendmailPath != null);
+        message = ''
+          You must configure the sendmail setuid wrapper (services.mail.sendmailSetuidWrapper)
+          or services.certspotter.sendmailPath
+        '';
+      }
+    ];
+
+    services.certspotter.sendmailPath = let
+      inherit (config.security) wrapperDir;
+      inherit (config.services.mail) sendmailSetuidWrapper;
+    in lib.mkMerge [
+      (lib.mkIf (sendmailSetuidWrapper != null) (lib.mkOptionDefault "${wrapperDir}/${sendmailSetuidWrapper.program}"))
+      (lib.mkIf (sendmailSetuidWrapper == null) (lib.mkOptionDefault null))
+    ];
+
+    users.users.certspotter = {
+      description = "Cert Spotter user";
+      group = "certspotter";
+      home = "/var/lib/certspotter";
+      isSystemUser = true;
+    };
+    users.groups.certspotter = { };
+
+    systemd.services.certspotter = {
+      description = "Cert Spotter - Certificate Transparency Monitor";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      environment.CERTSPOTTER_CONFIG_DIR = configDir;
+      environment.SENDMAIL_PATH = if cfg.sendmailPath != null then cfg.sendmailPath else "/run/current-system/sw/bin/false";
+      script = ''
+        export CERTSPOTTER_STATE_DIR="$STATE_DIRECTORY"
+        cd "$CERTSPOTTER_STATE_DIR"
+        ${lib.optionalString cfg.startAtEnd ''
+          if [[ ! -d logs ]]; then
+            # Don't download certificates issued before the first launch
+            exec ${cfg.package}/bin/certspotter -start_at_end ${lib.escapeShellArgs cfg.extraFlags}
+          fi
+        ''}
+        exec ${cfg.package}/bin/certspotter ${lib.escapeShellArgs cfg.extraFlags}
+      '';
+      serviceConfig = {
+        User = "certspotter";
+        Group = "certspotter";
+        StateDirectory = "certspotter";
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ chayleaf ];
+  meta.doc = ./certspotter.md;
+}

pkgs/applications/misc/pueue/default.nix

@@ -10,16 +10,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "pueue";
-  version = "3.3.0";
+  version = "3.3.1";
 
   src = fetchFromGitHub {
     owner = "Nukesor";
     repo = "pueue";
     rev = "v${version}";
-    hash = "sha256-X6q8ePaADv1+n/WmCp4SOhVm9lnc14qGhLSCxtc/ONw=";
+    hash = "sha256-EDd8SChQ8Vh2uNSZq5mrWdsLNT0KC4IMA7e3BPk6p04=";
   };
 
-  cargoHash = "sha256-lfWuOkKNNDQ0b6oncuCC3KOAgtQGvLptIbmdyY8vy6o=";
+  cargoHash = "sha256-H4Oyn2cLyj/RNkiMQMzbHjhs1AJIcmSkZOO83ETByWk=";
 
   nativeBuildInputs = [
     installShellFiles
@@ -60,7 +60,7 @@ rustPlatform.buildRustPackage rec {
       any terminal on the same machine. The queue will be continuously
       processed, even if you no longer have any active ssh sessions.
     '';
-    changelog = "https://github.com/Nukesor/pueue/raw/v${version}/CHANGELOG.md";
+    changelog = "https://github.com/Nukesor/pueue/blob/v${version}/CHANGELOG.md";
     license = licenses.mit;
     maintainers = with maintainers; [ marsam ];
   };

pkgs/applications/networking/ids/zeek/default.nix

@@ -26,11 +26,11 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "zeek";
-  version = "6.0.1";
+  version = "6.0.2";
 
   src = fetchurl {
     url = "https://download.zeek.org/zeek-${version}.tar.gz";
-    sha256 = "sha256-z8MpoXBDkZXXBw7FOH2Vzdp+trhqyF7HB7ntDp1Xaik=";
+    sha256 = "sha256-JCGYmtzuain0io9ycvcZ7b6VTWbC6G46Uuecrhd/iHw=";
   };
 
   strictDeps = true;

pkgs/by-name/ce/certspotter/package.nix

@@ -0,0 +1,39 @@
+{ lib
+, fetchFromGitHub
+, buildGoModule
+, lowdown
+}:
+
+buildGoModule rec {
+  pname = "certspotter";
+  version = "0.17.0";
+
+  src = fetchFromGitHub {
+    owner = "SSLMate";
+    repo = "certspotter";
+    rev = "v${version}";
+    hash = "sha256-6ghS+9b8FZiYdiTk54XRHP46lOq98sN1RDYvRYTt6eU=";
+  };
+
+  vendorHash = "sha256-6dV9FoPV8UfS0z5RuuopE99fHcT3RAWCdDi7jpHzVRE=";
+
+  ldflags = [ "-s" "-w" ];
+
+  nativeBuildInputs = [ lowdown ];
+
+  postInstall = ''
+    cd man
+    make
+    mkdir -p $out/share/man/man8
+    mv *.8 $out/share/man/man8
+  '';
+
+  meta = with lib; {
+    description = "Certificate Transparency Log Monitor";
+    homepage = "https://github.com/SSLMate/certspotter";
+    changelog = "https://github.com/SSLMate/certspotter/blob/${src.rev}/CHANGELOG.md";
+    license = licenses.mpl20;
+    mainProgram = "certspotter";
+    maintainers = with maintainers; [ chayleaf ];
+  };
+}

pkgs/data/fonts/iosevka/default.nix

@@ -55,16 +55,16 @@ assert (extraParameters != null) -> set != null;
 
 buildNpmPackage rec {
   pname = if set != null then "iosevka-${set}" else "iosevka";
-  version = "27.3.1";
+  version = "27.3.2";
 
   src = fetchFromGitHub {
     owner = "be5invis";
     repo = "iosevka";
     rev = "v${version}";
-    hash = "sha256-7ndJDdgDn5tnnUeB4etQ8bBZnH7NuiYoNQ9CrF2HtwQ=";
+    hash = "sha256-an2/Aqb+5t61CkiBhwL9lA0WPxhIC+tDDjhn8alcqJQ=";
   };
 
-  npmDepsHash = "sha256-MNlT8VJTIvoZDAAdEs0Fa8gqO7dWhRR9I4Kw4qlW5Ig=";
+  npmDepsHash = "sha256-BQTM/ea/X2iqRkX510fAzouPNcV7cUmtY7J/CSUMH7o=";
 
   nativeBuildInputs = [
     remarshal

pkgs/development/python-modules/python-on-whales/default.nix

@@ -0,0 +1,45 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, setuptools
+, pythonOlder
+, pydantic
+, requests
+, tqdm
+, typer
+}:
+
+buildPythonPackage rec {
+  pname = "python-on-whales";
+  version = "0.65.0";
+  pyproject = true;
+
+  disabled = pythonOlder "3.8";
+
+  src = fetchFromGitHub {
+    owner = "gabrieldemarmiesse";
+    repo = "python-on-whales";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-aFE4qeNMSxhHs7IAjYQYl15s4NkHH8balTV3N0obNPs=";
+  };
+
+  nativeBuildInputs = [ setuptools ];
+
+  propagatedBuildInputs = [
+    pydantic
+    requests
+    tqdm
+    typer
+  ];
+
+  doCheck = false;  # majority of tests require Docker and/or network access
+  pythonImportsCheck = [ "python_on_whales" ];
+
+  meta = with lib; {
+    description = "Docker client for Python, designed to be fun and intuitive";
+    homepage = "https://github.com/gabrieldemarmiesse/python-on-whales";
+    changelog = "https://github.com/gabrieldemarmiesse/python-on-whales/releases/tag/v${version}";
+    license = licenses.mit;
+    maintainers = with maintainers; [ bcdarwin ];
+  };
+}

pkgs/development/tools/bloom/default.nix

@@ -0,0 +1,55 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, yaml-cpp
+, qtbase
+, qtsvg
+, wrapQtAppsHook
+, qttools
+, libusb1
+, php
+, hidapi
+, procps
+}:
+
+stdenv.mkDerivation rec {
+  pname = "bloom";
+  version = "1.0.0";
+
+  src = fetchFromGitHub {
+    owner = "bloombloombloom";
+    repo = "Bloom";
+    rev = "v${version}";
+    hash = "sha256-ZZfclZwxsCgApUII79bJVyT5V/dF9jm7l8ynRWCh0UU=";
+  };
+
+  nativeBuildInputs = [
+    cmake
+    php
+    wrapQtAppsHook
+  ];
+
+  buildInputs = [
+    hidapi
+    libusb1
+    procps
+    qtbase
+    qtsvg
+    qttools
+    yaml-cpp
+  ];
+
+  postPatch = ''
+    sed -i 's|/usr|${placeholder "out"}|' cmake/Installing.cmake
+  '';
+
+  meta = {
+    description = "Debug interface for AVR-based embedded systems development on GNU/Linux";
+    homepage = "https://bloom.oscillate.io/";
+    license = lib.licenses.lgpl3Only;
+    maintainers = with lib.maintainers; [ eclairevoyant ];
+    mainProgram = "bloom";
+    platforms = lib.platforms.linux;
+  };
+}

pkgs/development/tools/language-servers/postgres-lsp/default.nix

@@ -6,25 +6,17 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "postgres-lsp";
-  version = "unstable-2023-09-21";
+  version = "unstable-2023-10-20";
 
-  src = (fetchFromGitHub {
+  src = fetchFromGitHub {
     owner = "supabase";
     repo = "postgres_lsp";
-    rev = "f25f23a683c4e14dea52e3e423584588ab349081";
-    hash = "sha256-z8WIUfgnPYdzhBit1V6A5UktjoYCblTKXxwpbHOmFJA=";
+    rev = "88901a987de9a2d8db05c36bcd87c5c877b51460";
+    hash = "sha256-HY83SO2dlXKamIqFEz53A8YDYx9EynX8FCX9EjF+tdw=";
     fetchSubmodules = true;
-  }).overrideAttrs {
-    # workaround to be able to fetch git@github.com submodules
-    # https://github.com/NixOS/nixpkgs/issues/195117
-    env = {
-      GIT_CONFIG_COUNT = 1;
-      GIT_CONFIG_KEY_0 = "url.https://github.com/.insteadOf";
-      GIT_CONFIG_VALUE_0 = "git@github.com:";
-    };
   };
 
-  cargoHash = "sha256-Nyxiere6/e5Y7YcgHitVkaiS1w3JXkbohIcBNc00YXY=";
+  cargoHash = "sha256-m8m0Q3UAq6kV2IoXMFTkP0WKzSXiWPkfOkta639dcj0=";
 
   nativeBuildInputs = [
     protobuf

pkgs/development/tools/rust/cargo-run-bin/default.nix

@@ -5,14 +5,14 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "cargo-run-bin";
-  version = "1.4.1";
+  version = "1.5.0";
 
   src = fetchCrate {
     inherit pname version;
-    hash = "sha256-imp7TzSVWo6l23tQu2oMMdVj/3sT9mU+lIBc0cVwO+s=";
+    hash = "sha256-FPkZk5qKHrRR3V8s04yLgOVOKj+Rln3Cu/VW2bnr2fE=";
   };
 
-  cargoHash = "sha256-TQOFXFdfD4iVy4K9IjcX0L7zLeNw9RAHb2WE5rERP/0=";
+  cargoHash = "sha256-aFHuIEDpGCel1FC7D0hTUmzHbEj7wVarsE0wNZ/3Khw=";
 
   # multiple impurities in tests
   doCheck = false;

pkgs/os-specific/darwin/sketchybar/default.nix

@@ -2,6 +2,7 @@
 , stdenv
 , fetchFromGitHub
 , AppKit
+, Carbon
 , CoreAudio
 , CoreWLAN
 , CoreVideo
@@ -21,17 +22,18 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "sketchybar";
-  version = "2.17.1";
+  version = "2.18.0";
 
   src = fetchFromGitHub {
     owner = "FelixKratz";
     repo = "SketchyBar";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-QilZurp4QkwOo4jbYXMs4SesqyXXsEgF8dDwt/Kv94s=";
+    hash = "sha256-GeFB+eE/NW9ZopwVSmSfMK3WiJLCJNXOdmQpYc3m8WE=";
   };
 
   buildInputs = [
     AppKit
+    Carbon
     CoreAudio
     CoreWLAN
     CoreVideo

pkgs/servers/jackett/default.nix

@@ -9,13 +9,13 @@
 
 buildDotnetModule rec {
   pname = "jackett";
-  version = "0.21.993";
+  version = "0.21.1096";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = "v${version}";
-    hash = "sha512-LpP4BH0EJxjy4pDYpIGs9l2obxfFMLMsTEn3weJPnPRgeeAlavkACCymQxrpfG3aP1oPbaZRn6Zs/9dyohV3kQ==";
+    hash = "sha512-j9PQa54Gv6kdCHZ9/WPnKYkxD4N0eu0KtMPpATSYVDo0mP9pXdQxSoCrKdmW2gOveuo5Z/wPW4BB4r3gvFxcOg==";
   };
 
   projectFile = "src/Jackett.Server/Jackett.Server.csproj";

pkgs/servers/komga/default.nix

@@ -8,11 +8,11 @@
 
 stdenvNoCC.mkDerivation rec {
   pname = "komga";
-  version = "1.5.1";
+  version = "1.6.4";
 
   src = fetchurl {
     url = "https://github.com/gotson/${pname}/releases/download/v${version}/${pname}-${version}.jar";
-    sha256 = "sha256-mEeeMMTZlAfBxp44gV8OLjyGrzcp+XCMPJLJ/sFELHs=";
+    sha256 = "sha256-tqrC3l2njYGRVIdvt86JVKTCVaAK7GPoYacx3hFRggg=";
   };
 
   nativeBuildInputs = [

pkgs/tools/admin/azure-cli/default.nix

@@ -1,7 +1,5 @@
 { lib
-, stdenv
-, python3
-, fetchPypi
+, callPackage
 , fetchFromGitHub
 , installShellFiles
 }:
@@ -18,9 +16,7 @@ let
   };
 
   # put packages that needs to be overridden in the py package scope
-  py = import ./python-packages.nix {
-    inherit stdenv src version python3 fetchPypi;
-  };
+  py = callPackage ./python-packages.nix { inherit src version; };
 in
 
 py.pkgs.toPythonApplication (py.pkgs.buildAzureCliPackage {

pkgs/tools/admin/azure-cli/python-packages.nix

@@ -1,6 +1,7 @@
 { stdenv
 , python3
 , fetchPypi
+, fetchpatch
 , src
 , version
 }:
@@ -28,6 +29,20 @@ let
         pname = "azure-cli-core";
         inherit version src;
 
+        patches = [
+          (fetchpatch {
+            name = "fix-python311.patch";
+            url = "https://github.com/Azure/azure-cli/commit/a5198b578b17de934e15b1c92e369e45323e9658.patch";
+            hash = "sha256-qbyKF6Vvtz8QwY78sG7ptTVcbM2IR+phntOKqsrWetE=";
+            stripLen = 2;
+            includes = [
+              "azure/cli/core/tests/test_command_registration.py"
+              "azure/cli/core/tests/test_help.py"
+              "azure/cli/core/tests/test_parser.py"
+            ];
+          })
+        ];
+
         sourceRoot = "${src.name}/src/azure-cli-core";
 
         propagatedBuildInputs = with self; [

pkgs/top-level/all-packages.nix

@@ -364,6 +364,8 @@ with pkgs;
 
   blst = callPackage ../development/libraries/blst { };
 
+  bloom = qt6Packages.callPackage ../development/tools/bloom { };
+
   bloodhound-py = callPackage ../tools/security/bloodhound-py { };
 
   bodyclose = callPackage ../development/tools/bodyclose { };
@@ -13247,7 +13249,7 @@ with pkgs;
   sixpair = callPackage ../tools/misc/sixpair { };
 
   sketchybar = darwin.apple_sdk_11_0.callPackage ../os-specific/darwin/sketchybar {
-    inherit (darwin.apple_sdk_11_0.frameworks) AppKit CoreAudio CoreWLAN CoreVideo DisplayServices IOKit MediaRemote SkyLight;
+    inherit (darwin.apple_sdk_11_0.frameworks) AppKit Carbon CoreAudio CoreWLAN CoreVideo DisplayServices IOKit MediaRemote SkyLight;
   };
 
   sketchybar-app-font = callPackage ../data/fonts/sketchybar-app-font { };

pkgs/top-level/python-packages.nix

@@ -11502,6 +11502,8 @@ self: super: with self; {
 
   python-olm = callPackage ../development/python-modules/python-olm { };
 
+  python-on-whales = callPackage ../development/python-modules/python-on-whales { };
+
   python-opendata-transport = callPackage ../development/python-modules/python-opendata-transport { };
 
   python-openstackclient = callPackage ../development/python-modules/python-openstackclient { };