From b78ba9bc68b003288d56bab62693ea28e2cdfd76 Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Sun, 28 Jan 2024 14:09:27 +0100 Subject: [PATCH 01/24] lib.types.unique: Check inner type deeply This doesn't change uniq. Why not? - In NixOS it seems that uniq is only used with simple types that are fully checked by t.check. - It exists for much longer and is used more widely. - I believe we should deprecate it, because unique was already better. - unique can be a proving ground. --- lib/options.nix | 33 +++++++++++++++++++++++++----- lib/tests/modules.sh | 10 +++++++++ lib/tests/modules/types-unique.nix | 27 ++++++++++++++++++++++++ lib/types.nix | 2 +- 4 files changed, 66 insertions(+), 6 deletions(-) create mode 100644 lib/tests/modules/types-unique.nix diff --git a/lib/options.nix b/lib/options.nix index 9c10dfc8b36a..03ae32d22916 100644 --- a/lib/options.nix +++ b/lib/options.nix 
@@ -254,13 +254,36 @@ rec { else if all isInt list && all (x: x == head list) list then head list else throw "Cannot merge definitions of `${showOption loc}'. Definition values:${showDefs defs}"; + /* + Require a single definition. + + WARNING: Does not perform nested checks, as this does not run the merge function! + */ mergeOneOption = mergeUniqueOption { message = ""; }; - mergeUniqueOption = { message }: loc: defs: - if length defs == 1 - then (head defs).value - else assert length defs > 1; - throw "The option `${showOption loc}' is defined multiple times while it's expected to be unique.\n${message}\nDefinition values:${showDefs defs}\n${prioritySuggestion}"; + /* + Require a single definition. + + NOTE: When the type is not checked completely by check, pass a merge function for further checking (of sub-attributes, etc). + */ + mergeUniqueOption = args@{ message, merge ? null }: + let + notUnique = loc: defs: + assert length defs > 1; + throw "The option `${showOption loc}' is defined multiple times while it's expected to be unique.\n${message}\nDefinition values:${showDefs defs}\n${prioritySuggestion}"; + in + if merge == null + # The inner conditional could be factored out, but this way we take advantage of partial application. + then + loc: defs: + if length defs == 1 + then (head defs).value + else notUnique loc defs + else + loc: defs: + if length defs == 1 + then merge loc defs + else notUnique loc defs; /* "Merge" option definitions by checking that they all have the same value. */ mergeEqualOption = loc: defs: diff --git a/lib/tests/modules.sh b/lib/tests/modules.sh index a90ff4ad9a2f..1221ba7143f6 100755 --- a/lib/tests/modules.sh +++ b/lib/tests/modules.sh 
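Review bot: The `args@` pattern binding on `mergeUniqueOption` is never referenced in the function body, so it should be dropped: `mergeUniqueOption = { message, merge ? null }:`; the same unused binding survives in PATCH 04's rewrite of this function. The NOTE in the doc comment says when to pass `merge` but not what happens without it; a sentence such as `Without merge, the single definition's value is returned as-is and nested values are not checked here.` would state the consequence that the code (`(head defs).value`) actually has.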
@@ -406,6 +406,16 @@ checkConfigOutput "{}" config.submodule.a ./emptyValues.nix checkConfigError 'The option .int.a. is used but not defined' config.int.a ./emptyValues.nix checkConfigError 'The option .nonEmptyList.a. is used but not defined' config.nonEmptyList.a ./emptyValues.nix +# types.unique +# requires a single definition +checkConfigError 'The option .examples\.merged. is defined multiple times while it.s expected to be unique' config.examples.merged.a ./types-unique.nix +# user message is printed +checkConfigError 'We require a single definition, because seeing the whole value at once helps us maintain critical invariants of our system.' config.examples.merged.a ./types-unique.nix +# let the inner merge function check the values (on demand) +checkConfigError 'A definition for option .examples\.badLazyType\.a. is not of type .string.' config.examples.badLazyType.a ./types-unique.nix +# overriding still works (unlike option uniqueness) +checkConfigOutput '^"bee"$' config.examples.override.b ./types-unique.nix + ## types.raw checkConfigOutput '^true$' config.unprocessedNestingEvaluates.success ./raw.nix checkConfigOutput "10" config.processedToplevel ./raw.nix diff --git a/lib/tests/modules/types-unique.nix b/lib/tests/modules/types-unique.nix new file mode 100644 index 000000000000..115be0126975 --- /dev/null +++ b/lib/tests/modules/types-unique.nix @@ -0,0 +1,27 @@ +{ lib, ... }: +let + inherit (lib) mkOption types; +in +{ + options.examples = mkOption { + type = types.lazyAttrsOf + (types.unique + { message = "We require a single definition, because seeing the whole value at once helps us maintain critical invariants of our system."; } + (types.attrsOf types.str)); + }; + imports = [ + { examples.merged = { b = "bee"; }; } + { examples.override = lib.mkForce { b = "bee"; }; } + ]; + config.examples = { + merged = { + a = "aye"; + }; + override = { + a = "aye"; + }; + badLazyType = { + a = true; + }; + }; +} 
diff --git a/lib/types.nix b/lib/types.nix index cea63c598321..284c8df24f67 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -629,7 +629,7 @@ rec { unique = { message }: type: mkOptionType rec { name = "unique"; inherit (type) description descriptionClass check; - merge = mergeUniqueOption { inherit message; }; + merge = mergeUniqueOption { inherit message; inherit (type) merge; }; emptyValue = type.emptyValue; getSubOptions = type.getSubOptions; getSubModules = type.getSubModules; From 2b4a1a1d4f9db1b7007966d6205645acc5f7e57b Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Mon, 29 Jan 2024 19:13:37 +0100 Subject: [PATCH 02/24] doc/option-types: Definitions are not declared --- nixos/doc/manual/development/option-types.section.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/doc/manual/development/option-types.section.md b/nixos/doc/manual/development/option-types.section.md index f9c7ac80018e..04edf99e70b0 100644 --- a/nixos/doc/manual/development/option-types.section.md +++ b/nixos/doc/manual/development/option-types.section.md @@ -326,7 +326,7 @@ Composed types are types that take a type as parameter. `listOf `types.uniq` *`t`* : Ensures that type *`t`* cannot be merged. It is used to ensure option - definitions are declared only once. + definitions are provided only once. `types.unique` `{ message = m }` *`t`* From bd285d2c11a4d906ba5a15ee2472f33dfa113546 Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Sun, 4 Feb 2024 15:48:27 +0100 Subject: [PATCH 03/24] lib.types.uniq: Check inner type We now reuse the `unique` type, which implements this. Keeping the duplication around would be bad at this point. --- lib/types.nix | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/lib/types.nix b/lib/types.nix index 284c8df24f67..e6353e3f43c7 100644 --- a/lib/types.nix +++ b/lib/types.nix 
@@ -613,18 +613,7 @@ rec { nestedTypes.elemType = elemType; }; - # Value of given type but with no merging (i.e. `uniq list`s are not concatenated). - uniq = elemType: mkOptionType rec { - name = "uniq"; - inherit (elemType) description descriptionClass check; - merge = mergeOneOption; - emptyValue = elemType.emptyValue; - getSubOptions = elemType.getSubOptions; - getSubModules = elemType.getSubModules; - substSubModules = m: uniq (elemType.substSubModules m); - functor = (defaultFunctor name) // { wrapped = elemType; }; - nestedTypes.elemType = elemType; - }; + uniq = unique { message = ""; }; unique = { message }: type: mkOptionType rec { name = "unique"; From 542f5d4f4d80a35d8f03aa5cf2a2a0b1a0345c41 Mon Sep 17 00:00:00 2001 From: Robert Hensing Date: Sun, 4 Feb 2024 16:02:13 +0100 Subject: [PATCH 04/24] lib.option.mergeUniqueOption: Simplify and add warning about merge function The previous code was optimized for the old uniq behavior, which did not call merge. That's changed, so the legacy path is not a hot path anymore, and is not worth any tech debt. --- lib/options.nix | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/lib/options.nix b/lib/options.nix index 03ae32d22916..eea5a091b408 100644 --- a/lib/options.nix +++ b/lib/options.nix 
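Review bot: `uniq = unique { message = ""; }` makes `uniq t` report `name = "unique"` rather than `"uniq"`, because `name` is fixed inside `unique`'s `mkOptionType` (see PATCH 01's types.nix hunk) and is also what `defaultFunctor name` sees; anything that inspects `type.name` or relies on the functor name may therefore behave differently, which the commit message does not mention. If the rename is intended, say so in the message; otherwise keep the old name in the definition. The removed line `# Value of given type but with no merging (i.e. `uniq list`s are not concatenated).` was the only documentation of `uniq` and is worth keeping above the new one-liner.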
@@ -266,24 +266,19 @@ rec { NOTE: When the type is not checked completely by check, pass a merge function for further checking (of sub-attributes, etc). */ - mergeUniqueOption = args@{ message, merge ? null }: - let - notUnique = loc: defs: + mergeUniqueOption = args@{ + message, + # WARNING: the default merge function assumes that the definition is a valid (option) value. You MUST pass a merge function if the return value needs to be + # - type checked beyond what .check does (which should be very litte; only on the value head; not attribute values, etc) + # - if you want attribute values to be checked, or list items + # - if you want coercedTo-like behavior to work + merge ? loc: defs: (head defs).value }: + loc: defs: + if length defs == 1 + then merge loc defs + else assert length defs > 1; throw "The option `${showOption loc}' is defined multiple times while it's expected to be unique.\n${message}\nDefinition values:${showDefs defs}\n${prioritySuggestion}"; - in - if merge == null - # The inner conditional could be factored out, but this way we take advantage of partial application. - then - loc: defs: - if length defs == 1 - then (head defs).value - else notUnique loc defs - else - loc: defs: - if length defs == 1 - then merge loc defs - else notUnique loc defs; /* "Merge" option definitions by checking that they all have the same value. */ mergeEqualOption = loc: defs: From 11cf6ab0ddc050de98715d4b9353d9ac12f8c9cd Mon Sep 17 00:00:00 2001 
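Review bot: The comment on the `merge` default has a typo, `very litte` should be `very little`. The WARNING is placed inside the argument pattern, which is valid Nix but easy to miss; the `/* … NOTE … */` doc comment just above the hunk is where readers look for the contract, so either move the warning there or reference it from the doc comment. The three bullets also mix two sentence shapes (`type checked beyond …` versus `if you want …`) and read better as parallel items.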
From: 360ied <19516527+360ied@users.noreply.github.com> Date: Fri, 2 Feb 2024 09:34:43 -0500 Subject: [PATCH 05/24] nixos/murmur: systemd service hardening Murmur provides an official systemd service file in their repo, which contains various service hardening settings: https://github.com/mumble-voip/mumble/blob/c4b5858d141f76cce553be2f74dfc4291989fc9b/auxiliary_files/config_files/mumble-server.service.in#L7 The service configuration in nixpkgs does not include these hardening settings. This commit adds the hardening settings to the murmur service in nixpkgs. This drops the `systemd-analyze security` score of murmur.service from 9.2 (UNSAFE) to 2.1 (OK). --- nixos/modules/services/networking/murmur.nix | 23 ++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix index 0cd80e134ace..5805f332a66f 100644 --- a/nixos/modules/services/networking/murmur.nix +++ b/nixos/modules/services/networking/murmur.nix @@ -326,6 +326,29 @@ in RuntimeDirectoryMode = "0700"; User = "murmur"; Group = "murmur"; + + # service hardening + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "full"; + RestrictAddressFamilies = "~AF_PACKET AF_NETLINK"; + RestrictNamespaces = true; + RestrictSUIDSGID = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; }; }; From 6e5e33968095fe401acac237f316b6b9ad7968fa Mon Sep 17 00:00:00 2001 
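Review bot: `RestrictAddressFamilies = "~AF_PACKET AF_NETLINK"` is a deny-list, so every other socket family remains available to the daemon; a network service is normally given an allow-list instead, `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];`, extended only with families murmur is shown to need. `AmbientCapabilities` and `CapabilityBoundingSet` grant CAP_NET_BIND_SERVICE unconditionally although Mumble's default port 64738 is unprivileged, so the capability could be conditional on the module's port option being below 1024 (for example `lib.optional (cfg.port < 1024) "CAP_NET_BIND_SERVICE"` for both settings, assuming the module binds the option as `cfg.port`; an empty list leaves the bounding set empty). `ProtectSystem = "full"` still leaves `/var` writable; `"strict"` together with a `StateDirectory` or `ReadWritePaths` entry for the daemon's data directory would be tighter if its writable paths are known. A one-line comment under `# service hardening` pointing to the upstream unit the commit message cites would make future audits of these values easier.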
From: =?UTF-8?q?=C3=A9clairevoyant?= <848000+eclairevoyant@users.noreply.github.com> Date: Wed, 17 Jan 2024 04:09:42 -0500 Subject: [PATCH 06/24] pkgs/README.md: clarify guidelines for `meta.mainProgram` --- pkgs/README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pkgs/README.md b/pkgs/README.md index f614f1f72976..2b7069ee7403 100644 --- a/pkgs/README.md +++ b/pkgs/README.md @@ -384,7 +384,13 @@ All versions of a package _must_ be included in `all-packages.nix` to make sure * `meta.license` must be set and match the upstream license. * If there is no upstream license, `meta.license` should default to `lib.licenses.unfree`. * If in doubt, try to contact the upstream developers for clarification. -* `meta.mainProgram` must be set when appropriate. +* `meta.mainProgram` must be set to the name of the executable which facilitates the primary function or purpose of the package, if there is such an executable in `$bin/bin/` (or `$out/bin/`, if there is no `"bin"` output). + * Packages that only have a single executable in the applicable directory above should set `meta.mainProgram`. For example, the package `ripgrep` only has a single executable `rg` under `$out/bin/`, so `ripgrep.meta.mainProgram` is set to `"rg"`. + * Packages like `polkit_gnome` that have no executables in the applicable directory should not set `meta.mainProgram`. + * Packages like `e2fsprogs` that have multiple executables, none of which can be considered the main program, should not set `meta.mainProgram`. + * Packages which are not primarily used for a single executable do not need to set `meta.mainProgram`. + * Always prefer using a hardcoded string (don't use `pname`, for example). + * When in doubt, ask for reviewer input. * `meta.maintainers` must be set for new packages. See the Nixpkgs manual for more details on [standard meta-attributes](https://nixos.org/nixpkgs/manual/#sec-standard-meta-attributes). 
From c0674aafc7841fb33157f1f9c37e9ca0b6050ee4 Mon Sep 17 00:00:00 2001 From: Julian Stecklina Date: Thu, 8 Feb 2024 19:45:03 +0100 Subject: [PATCH 07/24] virtualbox: use less vendored libraries --- pkgs/applications/virtualization/virtualbox/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/applications/virtualization/virtualbox/default.nix b/pkgs/applications/virtualization/virtualbox/default.nix index 9ccda28cfa73..20fbb3eb4d09 100644 --- a/pkgs/applications/virtualization/virtualbox/default.nix +++ b/pkgs/applications/virtualization/virtualbox/default.nix @@ -1,8 +1,8 @@ { config, stdenv, fetchurl, lib, acpica-tools, dev86, pam, libxslt, libxml2, wrapQtAppsHook , libX11, xorgproto, libXext, libXcursor, libXmu, libIDL, SDL2, libcap, libGL, libGLU -, libpng, glib, lvm2, libXrandr, libXinerama, libopus, qtbase, qtx11extras +, libpng, glib, lvm2, libXrandr, libXinerama, libopus, libtpms, qtbase, qtx11extras , qttools, qtsvg, qtwayland, pkg-config, which, docbook_xsl, docbook_xml_dtd_43 -, alsa-lib, curl, libvpx, nettools, dbus, substituteAll, gsoap, zlib +, alsa-lib, curl, libvpx, nettools, dbus, substituteAll, gsoap, zlib, xz , yasm, glslang , linuxPackages # If open-watcom-bin is not passed, VirtualBox will fall back to use @@ -46,7 +46,7 @@ in stdenv.mkDerivation { buildInputs = [ acpica-tools dev86 libxslt libxml2 xorgproto libX11 libXext libXcursor libIDL libcap glib lvm2 alsa-lib curl libvpx pam makeself perl - libXmu libXrandr libpng libopus python3 ] + libXmu libXrandr libpng libopus libtpms python3 xz ] ++ optional javaBindings jdk ++ optional pythonBindings python3 # Python is needed even when not building bindings ++ optional pulseSupport libpulseaudio From 4596cd09eb6dc52f0886be51144275d52337dcb9 Mon Sep 17 00:00:00 2001 
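Review bot: The hunks only add `libtpms` and `xz` to the inputs; nothing visible here disables the vendored copies or passes a configure flag preferring the system libraries, so whether VirtualBox's configure picks them up automatically is inferred rather than shown. A short comment next to the new `buildInputs` entries, e.g. `# system libtpms/xz are detected by configure and replace the in-tree copies`, would document that assumption if it holds, and the commit message would benefit from naming which vendored libraries are dropped.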
From: Julian Stecklina Date: Thu, 8 Feb 2024 19:45:30 +0100 Subject: [PATCH 08/24] virtualbox: allow adding config flags via overrides This is to prepare building the KVM version [1] as well. For that it will be nice to reuse the existing expressions. [1] https://github.com/cyberus-technology/virtualbox-kvm --- pkgs/applications/virtualization/virtualbox/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/virtualization/virtualbox/default.nix b/pkgs/applications/virtualization/virtualbox/default.nix index 20fbb3eb4d09..ca3d15db0fea 100644 --- a/pkgs/applications/virtualization/virtualbox/default.nix +++ b/pkgs/applications/virtualization/virtualbox/default.nix @@ -17,6 +17,7 @@ , headless ? false , enable32bitGuests ? true , enableWebService ? false +, extraConfigureFlags ? "" }: with lib; @@ -158,6 +159,7 @@ in stdenv.mkDerivation { ${optionalString (!enable32bitGuests) "--disable-vmmraw"} \ ${optionalString enableWebService "--enable-webservice"} \ ${optionalString (open-watcom-bin != null) "--with-ow-dir=${open-watcom-bin}"} \ + ${extraConfigureFlags} \ --disable-kmods sed -e 's@PKG_CONFIG_PATH=.*@PKG_CONFIG_PATH=${libIDL}/lib/pkgconfig:${glib.dev}/lib/pkgconfig ${libIDL}/bin/libIDL-config-2@' \ -i AutoConfig.kmk From d9dacad8a3cae75a319e176ffe462983747312b4 Mon Sep 17 00:00:00 2001 
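Review bot: `${extraConfigureFlags}` in the second hunk is spliced verbatim into the configure shell line, so a caller's value is subject to word splitting and unquoted expansion rather than being passed as discrete arguments; since the parameter is new, declaring it as a list and escaping it is safer: `, extraConfigureFlags ? []` and `${escapeShellArgs extraConfigureFlags} \` (the file already has `with lib;` in scope). The configure phase this line belongs to starts and ends outside the hunk.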
From: Sergei Trofimovich Date: Fri, 9 Feb 2024 09:33:37 +0000 Subject: [PATCH 09/24] openjfx17: fix `withWebKit = true` build Without the change build of `openjfx` (`greenfoot` depend) fails as https://hydra.nixos.org/build/247689718: $ nix build --no-link --impure --expr "with import ./. {}; openjfx17.override { withWebKit = true; }" ... /build/source/modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/Heap.cpp:108:5: error: 'fprintf' was not declared in this scope; did you mean 'wprintf'? 108 | fprintf(stderr, "%s: %zu (%zd) %s\n", label, value, amount, note); | ^~~~~~~ | wprintf --- pkgs/development/compilers/openjdk/openjfx/17.nix | 7 +++++++ pkgs/top-level/all-packages.nix | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/pkgs/development/compilers/openjdk/openjfx/17.nix b/pkgs/development/compilers/openjdk/openjfx/17.nix index b91bde152554..58444abd3f17 100644 --- a/pkgs/development/compilers/openjdk/openjfx/17.nix +++ b/pkgs/development/compilers/openjdk/openjfx/17.nix @@ -41,6 +41,13 @@ let dontUseCmakeConfigure = true; + postPatch = '' + # Add missing includes for gcc-13 for webkit build: + sed -e '1i #include ' \ + -i modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/Heap.cpp \ + modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/IsoSharedPageInlines.h + ''; + config = writeText "gradle.properties" ('' CONF = Release JDK_HOME = ${openjdk17_headless.home} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index eab696390f33..806c5be2d3c4 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -16361,7 +16361,7 @@ with pkgs; hugs = callPackage ../development/interpreters/hugs { }; inherit (javaPackages) openjfx11 openjfx15 openjfx17 openjfx19 openjfx20 openjfx21; - openjfx = pin-to-gcc12-if-gcc13 (openjfx17.override { }); + openjfx = openjfx17; openjdk8-bootstrap = javaPackages.compiler.openjdk8-bootstrap; openjdk8 = javaPackages.compiler.openjdk8; 
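Review bot: As rendered here the `sed -e '1i #include '` expression carries no header name after `#include`; the `fprintf` error quoted in the commit message calls for `<cstdio>` (or `<stdio.h>`), and the angle-bracket name was probably lost in rendering, so confirm the actual patch contains it. Inserting at line 1 of both files also places the include ahead of any license comment or `#pragma once`, which compiles but deserves a comment naming the upstream fix it mirrors, if one exists, so the patch can be dropped when the source is updated. The `let` block containing `postPatch` continues outside the hunk.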
From 1bbad171d047923009063a517e52e0075c0566ed Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Fri, 9 Feb 2024 12:00:40 +0000 Subject: [PATCH 10/24] ccache: move to pkgs/by-name --- .../tools/misc => by-name/cc}/ccache/fix-objdump-path.patch | 0 .../misc/ccache/default.nix => by-name/cc/ccache/package.nix} | 0 pkgs/top-level/all-packages.nix | 2 -- 3 files changed, 2 deletions(-) rename pkgs/{development/tools/misc => by-name/cc}/ccache/fix-objdump-path.patch (100%) rename pkgs/{development/tools/misc/ccache/default.nix => by-name/cc/ccache/package.nix} (100%) diff --git a/pkgs/development/tools/misc/ccache/fix-objdump-path.patch b/pkgs/by-name/cc/ccache/fix-objdump-path.patch similarity index 100% rename from pkgs/development/tools/misc/ccache/fix-objdump-path.patch rename to pkgs/by-name/cc/ccache/fix-objdump-path.patch diff --git a/pkgs/development/tools/misc/ccache/default.nix b/pkgs/by-name/cc/ccache/package.nix similarity index 100% rename from pkgs/development/tools/misc/ccache/default.nix rename to pkgs/by-name/cc/ccache/package.nix diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index ae1ddbfdd6f9..057fb8533713 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -18667,8 +18667,6 @@ with pkgs; cc-tool = callPackage ../development/embedded/cc-tool { }; - ccache = callPackage ../development/tools/misc/ccache { }; - # Wrapper that works as gcc or g++ # It can be used by setting in nixpkgs config like this, for example: # replaceStdenv = { pkgs }: pkgs.ccacheStdenv; From ae8007359e7d93b606481995c1ec075fcc434b94 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Tue, 6 Feb 2024 15:48:40 +0000 Subject: [PATCH 11/24] ccache: 4.9 -> 4.9.1 --- pkgs/by-name/cc/ccache/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/cc/ccache/package.nix b/pkgs/by-name/cc/ccache/package.nix index fe6e49dfad0e..393857f1fe4d 100644 --- a/pkgs/by-name/cc/ccache/package.nix 
+++ b/pkgs/by-name/cc/ccache/package.nix @@ -15,13 +15,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "ccache"; - version = "4.9"; + version = "4.9.1"; src = fetchFromGitHub { owner = "ccache"; repo = "ccache"; rev = "refs/tags/v${finalAttrs.version}"; - sha256 = "sha256-/R9ReX1l3okUuVD93IdomoaBTYdKvuIuggyk0sJoYmg="; + sha256 = "sha256-n0MTq8x6KNkgwhJQG7F+e3iCOS644nLkMsiRztJe8QU="; }; outputs = [ "out" "man" ]; From 2554eba2ca05a1c3bbd7aaaa443b50b2a7ae4430 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Thu, 2 Nov 2023 04:17:03 +0100 Subject: [PATCH 12/24] formats.hocon: init --- pkgs/pkgs-lib/formats.nix | 2 + pkgs/pkgs-lib/formats/hocon/default.nix | 149 +++++++++++++ pkgs/pkgs-lib/formats/hocon/src/.gitignore | 1 + pkgs/pkgs-lib/formats/hocon/src/Cargo.lock | 89 ++++++++ pkgs/pkgs-lib/formats/hocon/src/Cargo.toml | 10 + pkgs/pkgs-lib/formats/hocon/src/src/main.rs | 226 ++++++++++++++++++++ pkgs/pkgs-lib/formats/hocon/update.sh | 4 + 7 files changed, 481 insertions(+) create mode 100644 pkgs/pkgs-lib/formats/hocon/default.nix create mode 100644 pkgs/pkgs-lib/formats/hocon/src/.gitignore create mode 100644 pkgs/pkgs-lib/formats/hocon/src/Cargo.lock create mode 100644 pkgs/pkgs-lib/formats/hocon/src/Cargo.toml create mode 100644 pkgs/pkgs-lib/formats/hocon/src/src/main.rs create mode 100755 pkgs/pkgs-lib/formats/hocon/update.sh diff --git a/pkgs/pkgs-lib/formats.nix b/pkgs/pkgs-lib/formats.nix index 950547c4f001..c78bd82e01ef 100644 --- a/pkgs/pkgs-lib/formats.nix +++ b/pkgs/pkgs-lib/formats.nix @@ -41,6 +41,8 @@ rec { libconfig = (import ./formats/libconfig/default.nix { inherit lib pkgs; }).format; + hocon = (import ./formats/hocon/default.nix { inherit lib pkgs; }).format; + json = {}: { type = with lib.types; let diff --git a/pkgs/pkgs-lib/formats/hocon/default.nix b/pkgs/pkgs-lib/formats/hocon/default.nix new file mode 100644 index 000000000000..d5b6308dea60 --- /dev/null +++ b/pkgs/pkgs-lib/formats/hocon/default.nix 
@@ -0,0 +1,149 @@ +{ lib +, pkgs +}: +let + inherit (pkgs) buildPackages callPackage; + + hocon-generator = buildPackages.rustPlatform.buildRustPackage { + name = "hocon-generator"; + version = "0.1.0"; + src = ./src; + + passthru.updateScript = ./update.sh; + + cargoLock.lockFile = ./src/Cargo.lock; + }; + + hocon-validator = pkgs.writers.writePython3Bin "hocon-validator" { + libraries = [ pkgs.python3Packages.pyhocon ]; + } '' + from sys import argv + from pyhocon import ConfigFactory + + if not len(argv) == 2: + print("USAGE: hocon-validator ") + + ConfigFactory.parse_file(argv[1]) + ''; +in +{ + # https://github.com/lightbend/config/blob/main/HOCON.md + format = { + generator ? hocon-generator + , validator ? hocon-validator + # `include classpath("")` is not implemented in pyhocon. + # In the case that you need this functionality, + # you will have to disable pyhocon validation. + , doCheck ? true + }: { + type = let + type' = with lib.types; let + atomType = nullOr (oneOf [ + bool + float + int + path + str + ]); + in (oneOf [ + atomType + (listOf atomType) + (attrsOf type') + ]) // { + description = "HOCON value"; + }; + in type'; + + lib = { + mkInclude = value: let + includeStatement = if lib.isAttrs value && !(lib.isDerivation value) then { + required = false; + type = null; + _type = "include"; + } // value else { + value = toString value; + required = false; + type = null; + _type = "include"; + }; + in + assert lib.assertMsg (lib.elem includeStatement.type [ "file" "url" "classpath" null ]) '' + Type of HOCON mkInclude is not of type 'file', 'url' or 'classpath': + ${(lib.generators.toPretty {}) includeStatement} + ''; + includeStatement; + + mkAppend = value: { + inherit value; + _type = "append"; + }; + + mkSubstitution = value: + if lib.isString value + then + { + inherit value; + optional = false; + _type = "substitution"; + } + else + assert lib.assertMsg (lib.isAttrs value) '' + Value of invalid type provided to `hocon.lib.mkSubstition`: 
${lib.typeOf value} + ''; + assert lib.assertMsg (value ? "value") '' + Argument to `hocon.lib.mkSubstition` is missing a `value`: + ${builtins.toJSON value} + ''; + { + value = value.value; + optional = value.optional or false; + _type = "substitution"; + }; + }; + + generate = name: value: + callPackage + ({ + stdenvNoCC + , hocon-generator + , hocon-validator + , writeText + }: + stdenvNoCC.mkDerivation rec { + inherit name; + + dontUnpack = true; + + json = builtins.toJSON value; + passAsFile = [ "json" ]; + + strictDeps = true; + nativeBuildInputs = [ hocon-generator ]; + buildPhase = '' + runHook preBuild + hocon-generator < $jsonPath > output.conf + runHook postBuild + ''; + + inherit doCheck; + nativeCheckInputs = [ hocon-validator ]; + checkPhase = '' + runHook preCheck + hocon-validator output.conf + runHook postCheck + ''; + + installPhase = '' + runHook preInstall + mv output.conf $out + runHook postInstall + ''; + + passthru.json = writeText "${name}.json" json; + }) + { + hocon-generator = generator; + hocon-validator = validator; + }; + }; +} diff --git a/pkgs/pkgs-lib/formats/hocon/src/.gitignore b/pkgs/pkgs-lib/formats/hocon/src/.gitignore new file mode 100644 index 000000000000..eb5a316cbd19 --- /dev/null +++ b/pkgs/pkgs-lib/formats/hocon/src/.gitignore @@ -0,0 +1 @@ +target diff --git a/pkgs/pkgs-lib/formats/hocon/src/Cargo.lock b/pkgs/pkgs-lib/formats/hocon/src/Cargo.lock new file mode 100644 index 000000000000..735461cd5f0e --- /dev/null +++ b/pkgs/pkgs-lib/formats/hocon/src/Cargo.lock 
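Review bot: The validator's argument check only prints the usage line and then falls through to `ConfigFactory.parse_file(argv[1])`, so a wrong argument count ends in an IndexError or parses an unintended file instead of a clean usage failure; change the import to `from sys import argv, exit` and add `exit(1)` after the `print`. The two assertion messages in `mkSubstitution` spell the function as `mkSubstition`, which makes the error hard to search for. The comment on `doCheck` explains when pyhocon validation must be disabled; a one-line comment on `generate` saying that the check phase runs `hocon-validator` over the generated file would help readers connect the two.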
@@ -0,0 +1,89 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 3 + +[[package]] +name = "hocon-generator" +version = "0.1.0" +dependencies = [ + "serde", + "serde_json", +] + +[[package]] +name = "itoa" +version = "1.0.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "af150ab688ff2122fcef229be89cb50dd66af9e01a4ff320cc137eecc9bacc38" + +[[package]] +name = "proc-macro2" +version = "1.0.69" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "134c189feb4956b20f6f547d2cf727d4c0fe06722b20a0eec87ed445a97f92da" +dependencies = [ + "unicode-ident", +] + +[[package]] +name = "quote" +version = "1.0.33" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5267fca4496028628a95160fc423a33e8b2e6af8a5302579e322e4b520293cae" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "ryu" +version = "1.0.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ad4cc8da4ef723ed60bced201181d83791ad433213d8c24efffda1eec85d741" + +[[package]] +name = "serde" +version = "1.0.190" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "91d3c334ca1ee894a2c6f6ad698fe8c435b76d504b13d436f0685d648d6d96f7" +dependencies = [ + "serde_derive", +] + +[[package]] +name = "serde_derive" +version = "1.0.190" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "67c5609f394e5c2bd7fc51efda478004ea80ef42fee983d5c67a65e34f32c0e3" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "serde_json" +version = "1.0.107" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6b420ce6e3d8bd882e9b243c6eed35dbc9a6110c9769e74b584e0d68d1f20c65" +dependencies = [ + "itoa", + "ryu", + "serde", +] + +[[package]] +name = "syn" +version = "2.0.38" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"e96b79aaa137db8f61e26363a0c9b47d8b4ec75da28b7d1d614c2303e232408b" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "unicode-ident" +version = "1.0.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" diff --git a/pkgs/pkgs-lib/formats/hocon/src/Cargo.toml b/pkgs/pkgs-lib/formats/hocon/src/Cargo.toml new file mode 100644 index 000000000000..e39e636a9f50 --- /dev/null +++ b/pkgs/pkgs-lib/formats/hocon/src/Cargo.toml @@ -0,0 +1,10 @@ +[package] +name = "hocon-generator" +version = "0.1.0" +edition = "2021" + +# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html + +[dependencies] +serde = "1.0.178" +serde_json = "1.0.104" diff --git a/pkgs/pkgs-lib/formats/hocon/src/src/main.rs b/pkgs/pkgs-lib/formats/hocon/src/src/main.rs new file mode 100644 index 000000000000..a564fc7dccdb --- /dev/null +++ b/pkgs/pkgs-lib/formats/hocon/src/src/main.rs 
@@ -0,0 +1,226 @@ +use serde_json::{value, Map, Value}; + +#[derive(Debug)] +enum HOCONValue { + Null, + Append(Box), + Bool(bool), + Number(value::Number), + String(String), + List(Vec), + Substitution(String, bool), + Object(Vec, Vec<(String, HOCONValue)>), +} + +#[derive(Debug)] +enum HOCONInclude { + Heuristic(String, bool), + Url(String, bool), + File(String, bool), + ClassPath(String, bool), +} + +impl HOCONInclude { + fn map_fst(&self, f: &dyn Fn(&String) -> String) -> HOCONInclude { + match self { + HOCONInclude::Heuristic(s, r) => HOCONInclude::Heuristic(f(s), *r), + HOCONInclude::Url(s, r) => HOCONInclude::Url(f(s), *r), + HOCONInclude::File(s, r) => HOCONInclude::File(f(s), *r), + HOCONInclude::ClassPath(s, r) => HOCONInclude::ClassPath(f(s), *r), + } + } +} + +fn parse_include(o: &Map) -> HOCONInclude { + let value = o + .get("value") + .expect("Missing field 'value' for include statement") + .as_str() + .expect("Field 'value' is not a string in include statement") + .to_string(); + let required = o + .get("required") + .expect("Missing field 'required' for include statement") + .as_bool() + .expect("Field 'required'is not a bool in include statement"); + let include_type = match o + .get("type") + .expect("Missing field 'type' for include statement") + { + Value::Null => None, + Value::String(s) => Some(s.as_str()), + t => panic!("Field 'type' is not a string in include statement: {:?}", t), + }; + + // Assert that this was an intentional include + debug_assert!(o.get("_type").and_then(|t| t.as_str()) == Some("include")); + + match include_type { + None => HOCONInclude::Heuristic(value, required), + Some("url") => HOCONInclude::Url(value, required), + Some("file") => HOCONInclude::File(value, required), + Some("classpath") => HOCONInclude::ClassPath(value, required), + _ => panic!( + "Could not recognize type for include statement: {}", + include_type.unwrap() + ), + } +} + +fn parse_special_types(o: &Map) -> Option { + o.get("_type") + 
.and_then(|r#type| r#type.as_str()) + .map(|r#type| match r#type { + "substitution" => { + let value = o + .get("value") + .expect("Missing value for substitution") + .as_str() + .unwrap_or_else(|| panic!("Substition value is not a string: {:?}", o)); + let required = o + .get("required") + .unwrap_or(&Value::Bool(false)) + .as_bool() + .unwrap_or_else(|| panic!("Substition value is not a string: {:?}", o)); + + debug_assert!(!value.contains('}')); + + HOCONValue::Substitution(value.to_string(), required) + } + "append" => { + let value = o.get("value").expect("Missing value for append"); + + HOCONValue::Append(Box::new(json_to_hocon(value))) + } + _ => panic!( + "\ + Attribute set contained special element '_type',\ + but its value is not recognized:\n{}", + r#type + ), + }) +} + +fn json_to_hocon(v: &Value) -> HOCONValue { + match v { + Value::Null => HOCONValue::Null, + Value::Bool(b) => HOCONValue::Bool(*b), + Value::Number(n) => HOCONValue::Number(n.clone()), + Value::String(s) => HOCONValue::String(s.clone()), + Value::Array(a) => { + let items = a.iter().map(json_to_hocon).collect::>(); + HOCONValue::List(items) + } + Value::Object(o) => { + if let Some(result) = parse_special_types(o) { + return result; + } + + let mut items = o + .iter() + .filter(|(key, _)| key.as_str() != "_includes") + .map(|(key, value)| (key.clone(), json_to_hocon(value))) + .collect::>(); + + items.sort_by(|(a, _), (b, _)| a.partial_cmp(b).unwrap()); + + let includes = o + .get("_includes") + .map(|x| { + x.as_array() + .expect("_includes is not an array") + .iter() + .map(|x| { + x.as_object() + .unwrap_or_else(|| panic!("Include is not an object: {}", x)) + }) + .map(parse_include) + .collect::>() + }) + .unwrap_or(vec![]); + + HOCONValue::Object(includes, items) + } + } +} + +impl ToString for HOCONValue { + fn to_string(&self) -> String { + match self { + HOCONValue::Null => "null".to_string(), + HOCONValue::Bool(b) => b.to_string(), + HOCONValue::Number(n) => n.to_string(), + 
HOCONValue::String(s) => serde_json::to_string(&Value::String(s.clone())).unwrap(), + HOCONValue::Substitution(v, required) => { + format!("${{{}{}}}", if *required { "" } else { "?" }, v) + } + HOCONValue::List(l) => { + let items = l + .iter() + .map(|item| item.to_string()) + .collect::>() + .join(",\n") + .split('\n') + .map(|s| " ".to_owned() + s) + .collect::>() + .join("\n"); + format!("[\n{}\n]", items) + } + HOCONValue::Object(i, o) => { + let includes = i + .iter() + .map(|x| { + x.map_fst(&|s| serde_json::to_string(&Value::String(s.clone())).unwrap()) + }) + .map(|x| match x { + HOCONInclude::Heuristic(s, r) => (s.to_string(), r), + HOCONInclude::Url(s, r) => (format!("url({})", s), r), + HOCONInclude::File(s, r) => (format!("file({})", s), r), + HOCONInclude::ClassPath(s, r) => (format!("classpath({})", s), r), + }) + .map(|(i, r)| if r { format!("required({})", i) } else { i }) + .map(|s| format!("include {}", s)) + .collect::>() + .join("\n"); + let items = o + .iter() + .map(|(key, value)| { + ( + serde_json::to_string(&Value::String(key.clone())).unwrap(), + value, + ) + }) + .map(|(key, value)| match value { + HOCONValue::Append(v) => format!("{} += {}", key, v.to_string()), + v => format!("{} = {}", key, v.to_string()), + }) + .collect::>() + .join("\n"); + + let content = (if includes.is_empty() { + items + } else { + format!("{}{}", includes, items) + }) + .split('\n') + .map(|s| format!(" {}", s)) + .collect::>() + .join("\n"); + + format!("{{\n{}\n}}", content) + } + HOCONValue::Append(_) => panic!("Append should not be present at this point"), + } + } +} + +fn main() { + let stdin = std::io::stdin().lock(); + let json = serde_json::Deserializer::from_reader(stdin) + .into_iter::() + .next() + .expect("Could not read content from stdin") + .expect("Could not parse JSON from stdin"); + + print!("{}\n\n", json_to_hocon(&json).to_string()); +} 
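Review bot: The `debug_assert!(!value.contains('}'))` in `parse_special_types` is compiled out of release builds, so a substitution name containing `}` reaches `HOCONValue::Substitution` unchecked and `to_string` writes it inside `${...}`, which terminates the substitution early and leaves the rest of the name as raw HOCON in the generated file. Since the name comes straight from the JSON the generator is fed, this should be a hard check: `assert!(!value.contains('}'), "Substitution name must not contain '}}': {:?}", o);`. The `debug_assert!` on `_type` in `parse_include` is the only guard that the object was meant as an include and would likewise be better as a plain `assert!`, so the generator fails loudly instead of emitting a half-formed file. Separately, `items.sort_by(|(a, _), (b, _)| a.partial_cmp(b).unwrap())` in `json_to_hocon` orders `String` keys, which have a total order, so `a.cmp(b)` expresses the intent without the `unwrap`.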
diff --git a/pkgs/pkgs-lib/formats/hocon/update.sh b/pkgs/pkgs-lib/formats/hocon/update.sh new file mode 100755 index 000000000000..ffc5ad3917f7 --- /dev/null +++ b/pkgs/pkgs-lib/formats/hocon/update.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env nix-shell +#!nix-shell -p cargo -i bash +cd "$(dirname "$0")" +cargo update From b6cdfec16ce7ce7c0d837b05ed3ad99aa6223647 Mon Sep 17 00:00:00 2001 From: h7x4 Date: Thu, 2 Nov 2023 04:18:13 +0100 Subject: [PATCH 13/24] formats.hocon: add tests --- .../hocon/test/comprehensive/default.nix | 83 +++++++++++++++++++ .../hocon/test/comprehensive/expected.txt | 47 +++++++++++ pkgs/pkgs-lib/formats/hocon/test/default.nix | 4 + pkgs/pkgs-lib/tests/default.nix | 3 + 4 files changed, 137 insertions(+) create mode 100644 pkgs/pkgs-lib/formats/hocon/test/comprehensive/default.nix create mode 100644 pkgs/pkgs-lib/formats/hocon/test/comprehensive/expected.txt create mode 100644 pkgs/pkgs-lib/formats/hocon/test/default.nix diff --git a/pkgs/pkgs-lib/formats/hocon/test/comprehensive/default.nix b/pkgs/pkgs-lib/formats/hocon/test/comprehensive/default.nix new file mode 100644 index 000000000000..ae4fae443d41 --- /dev/null +++ b/pkgs/pkgs-lib/formats/hocon/test/comprehensive/default.nix 
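Review bot: `cd "$(dirname "$0")"` on the third line is unchecked, so if the directory change fails `cargo update` still runs in the caller's working directory and may rewrite an unrelated Cargo.lock. Bash does not abort on a failed `cd` by default; add `set -euo pipefail` after the nix-shell shebang lines, or write `cd "$(dirname "$0")" || exit 1`.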
@@ -0,0 +1,83 @@ +{ lib, formats, stdenvNoCC, writeText, ... }: +let + hocon = formats.hocon { }; + + include_file = (writeText "hocon-test-include.conf" '' + "val" = 1 + '').overrideAttrs (_: _: { + outputHashAlgo = "sha256"; + outputHashMode = "flat"; + outputHash = "sha256-UhkJLhT3bD6znq+IdDjs/ahP19mLzrLCy/R14pVrfew="; + }); + + expression = { + simple_top_level_attr = "1.0"; + nested.attrset.has.a.integer.value = 100; + some_floaty = 29.95; + + array2d = [ + [ 1 2 "a" ] + [ 2 1 "b" ] + ]; + nasty_string = "\"@\n\\\t^*\b\f\n\0\";'''$"; + + "misc attrs" = { + x = 1; + y = hocon.lib.mkAppend { a = 1; }; + }; + + "cursed \" .attrs \" " = { + "a" = 1; + "a b" = hocon.lib.mkSubstitution "a"; + "a b c" = hocon.lib.mkSubstitution { + value = "a b"; + required = false; + }; + }; + + to_include = { + _includes = [ + (hocon.lib.mkInclude include_file) + (hocon.lib.mkInclude "https://example.com") + (hocon.lib.mkInclude { + required = true; + type = "file"; + value = include_file; + }) + (hocon.lib.mkInclude { value = include_file; }) + (hocon.lib.mkInclude { + value = "https://example.com"; + type = "url"; + }) + ]; + }; + }; + + hocon-test-conf = hocon.generate "hocon-test.conf" expression; +in + stdenvNoCC.mkDerivation { + name = "pkgs.formats.hocon-test-comprehensive"; + + dontUnpack = true; + dontBuild = true; + + doCheck = true; + checkPhase = '' + runHook preCheck + + diff -U3 ${./expected.txt} ${hocon-test-conf} + + runHook postCheck + ''; + + installPhase = '' + runHook preInstall + + mkdir $out + cp ${./expected.txt} $out/expected.txt + cp ${hocon-test-conf} $out/hocon-test.conf + cp ${hocon-test-conf.passthru.json} $out/hocon-test.json + + runHook postInstall + ''; + } diff --git a/pkgs/pkgs-lib/formats/hocon/test/comprehensive/expected.txt b/pkgs/pkgs-lib/formats/hocon/test/comprehensive/expected.txt new file mode 100644 index 000000000000..ec196be4f686 --- /dev/null +++ b/pkgs/pkgs-lib/formats/hocon/test/comprehensive/expected.txt 
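Review bot: `nasty_string` does not exercise the control characters it appears to: Nix only recognises `\n`, `\r`, `\t` and the escaped quote, backslash and dollar cases in double-quoted strings, so `\b`, `\f` and `\0` evaluate to the plain letters `b`, `f` and `0`, which is exactly what this commit's expected.txt records (`^*bf\n0`). A comment next to the definition, e.g. `# Nix has no \b, \f or \0 escapes; they collapse to b, f, 0 before the generator ever sees them`, would stop a reader from assuming the backspace/form-feed/NUL cases are covered. The `overrideAttrs` that turns `include_file` into a fixed-output derivation also has no comment; it is presumably there so the store path baked into expected.txt stays stable across stdenv changes, and that is worth stating because the pinned `outputHash` must be regenerated whenever the file content changes.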
@@ -0,0 +1,47 @@ +{ + "array2d" = [ + [ + 1, + 2, + "a" + ], + [ + 2, + 1, + "b" + ] + ] + "cursed \" .attrs \" " = { + "a" = 1 + "a b" = ${?a} + "a b c" = ${?a b} + } + "misc attrs" = { + "x" = 1 + "y" += { + "a" = 1 + } + } + "nasty_string" = "\"@\n\\\t^*bf\n0\";'''$" + "nested" = { + "attrset" = { + "has" = { + "a" = { + "integer" = { + "value" = 100 + } + } + } + } + } + "simple_top_level_attr" = "1.0" + "some_floaty" = 29.95 + "to_include" = { + include "/nix/store/ccnzr53dpipdacxgci3ii3bqacvb5hxm-hocon-test-include.conf" + include "https://example.com" + include required(file("/nix/store/ccnzr53dpipdacxgci3ii3bqacvb5hxm-hocon-test-include.conf")) + include "/nix/store/ccnzr53dpipdacxgci3ii3bqacvb5hxm-hocon-test-include.conf" + include url("https://example.com") + } +} + diff --git a/pkgs/pkgs-lib/formats/hocon/test/default.nix b/pkgs/pkgs-lib/formats/hocon/test/default.nix new file mode 100644 index 000000000000..6cd03fe4854f --- /dev/null +++ b/pkgs/pkgs-lib/formats/hocon/test/default.nix @@ -0,0 +1,4 @@ +{ pkgs, ... }: +{ + comprehensive = pkgs.callPackage ./comprehensive { }; +} diff --git a/pkgs/pkgs-lib/tests/default.nix b/pkgs/pkgs-lib/tests/default.nix index 289780f57650..8e5e24301a29 100644 --- a/pkgs/pkgs-lib/tests/default.nix +++ b/pkgs/pkgs-lib/tests/default.nix @@ -17,7 +17,10 @@ let jdk11 = pkgs.callPackage ../formats/java-properties/test { jdk = pkgs.jdk11_headless; }; jdk17 = pkgs.callPackage ../formats/java-properties/test { jdk = pkgs.jdk17_headless; }; }; + libconfig = recurseIntoAttrs (import ../formats/libconfig/test { inherit pkgs; }); + + hocon = recurseIntoAttrs (import ../formats/hocon/test { inherit pkgs; }); }; flatten = prefix: as: From 39a779e269b012c721b34eee74f76afca3d03d7d Mon Sep 17 00:00:00 2001 
From: h7x4 Date: Thu, 2 Nov 2023 04:48:06 +0100 Subject: [PATCH 14/24] treewide: use `formats.hocon` --- .../services/networking/jibri/default.nix | 15 ++--- nixos/modules/services/networking/jicofo.nix | 13 ++--- .../services/networking/jitsi-videobridge.nix | 15 +---- .../services/web-apps/suwayomi-server.nix | 55 ++----------------- 4 files changed, 17 insertions(+), 81 deletions(-) diff --git a/nixos/modules/services/networking/jibri/default.nix b/nixos/modules/services/networking/jibri/default.nix index a931831fc281..db2a17bd5590 100644 --- a/nixos/modules/services/networking/jibri/default.nix +++ b/nixos/modules/services/networking/jibri/default.nix @@ -5,12 +5,7 @@ with lib; let cfg = config.services.jibri; - # Copied from the jitsi-videobridge.nix file. - toHOCON = x: - if isAttrs x && x ? __hocon_envvar then ("\${" + x.__hocon_envvar + "}") - else if isAttrs x then "{${ concatStringsSep "," (mapAttrsToList (k: v: ''"${k}":${toHOCON v}'') x) }}" - else if isList x then "[${ concatMapStringsSep "," toHOCON x }]" - else builtins.toJSON x; + format = pkgs.formats.hocon { }; # We're passing passwords in environment variables that have names generated # from an attribute name, which may not be a valid bash identifier. @@ -38,13 +33,13 @@ let control-login = { domain = env.control.login.domain; username = env.control.login.username; - password.__hocon_envvar = toVarName "${name}_control"; + password = format.lib.mkSubstitution (toVarName "${name}_control"); }; call-login = { domain = env.call.login.domain; username = env.call.login.username; - password.__hocon_envvar = toVarName "${name}_call"; + password = format.lib.mkSubstitution (toVarName "${name}_call"); }; strip-from-room-domain = env.stripFromRoomDomain; 
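Review bot: `password = format.lib.mkSubstitution (toVarName "${name}_control")` changes what the generated file means: the removed `toHOCON` emitted `${VAR}`, a required substitution that makes the consumer refuse to load the config when the variable is unset, whereas `mkSubstitution` given a bare string appears to produce the optional form `${?VAR}` (judging from `"a b" = ${?a}` in the comprehensive test's expected.txt earlier in this series). For a password field that means a missing environment variable now silently drops the key from the config instead of failing at load time, which is harder to notice and diagnose. If the required form is intended, pass it explicitly, e.g. `password = format.lib.mkSubstitution { value = toVarName "${name}_control"; required = true; };`, assuming the attrset form honours `required = true` as the test's `required = false` suggests. The same applies to `call-login.password` in this hunk, to `JICOFO_AUTH_PASS` in jicofo.nix and `toVarName name` in jitsi-videobridge.nix, and to the `__hocon_envvar` compatibility path in formats/hocon/default.nix, whose expected.txt also shows the optional `${?PATH}`.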
@@ -85,13 +80,13 @@ let }; # Allow overriding leaves of the default config despite types.attrs not doing any merging. jibriConfig = recursiveUpdate defaultJibriConfig cfg.config; - configFile = pkgs.writeText "jibri.conf" (toHOCON { jibri = jibriConfig; }); + configFile = format.generate "jibri.conf" { jibri = jibriConfig; }; in { options.services.jibri = with types; { enable = mkEnableOption (lib.mdDoc "Jitsi BRoadcasting Infrastructure. Currently Jibri must be run on a host that is also running {option}`services.jitsi-meet.enable`, so for most use cases it will be simpler to run {option}`services.jitsi-meet.jibri.enable`"); config = mkOption { - type = attrs; + type = format.type; default = { }; description = lib.mdDoc '' Jibri configuration. diff --git a/nixos/modules/services/networking/jicofo.nix b/nixos/modules/services/networking/jicofo.nix index 0886bbe004c4..380344c8eaa1 100644 --- a/nixos/modules/services/networking/jicofo.nix +++ b/nixos/modules/services/networking/jicofo.nix @@ -5,14 +5,9 @@ with lib; let cfg = config.services.jicofo; - # HOCON is a JSON superset that some jitsi-meet components use for configuration - toHOCON = x: if isAttrs x && x ? __hocon_envvar then ("\${" + x.__hocon_envvar + "}") - else if isAttrs x && x ? __hocon_unquoted_string then x.__hocon_unquoted_string - else if isAttrs x then "{${ concatStringsSep "," (mapAttrsToList (k: v: ''"${k}":${toHOCON v}'') x) }}" - else if isList x then "[${ concatMapStringsSep "," toHOCON x }]" - else builtins.toJSON x; + format = pkgs.formats.hocon { }; - configFile = pkgs.writeText "jicofo.conf" (toHOCON cfg.config); + configFile = format.generate "jicofo.conf" cfg.config; in { options.services.jicofo = with types; { @@ -77,7 +72,7 @@ in }; config = mkOption { - type = (pkgs.formats.json {}).type; + type = format.type; default = { }; example = literalExpression '' { 
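Review bot: The context line `# Allow overriding leaves of the default config despite types.attrs not doing any merging.` is now stale: the option type below changes from `attrs` to `format.type`, which per the `attrsOf type'` definition in formats/hocon/default.nix later in this series does merge nested definitions, so `recursiveUpdate defaultJibriConfig cfg.config` is no longer compensating for `types.attrs`. Either reword the comment to say the explicit `recursiveUpdate` keeps defaults beneath user-set leaves, or check whether the module-system merge now makes it redundant.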
@@ -99,7 +94,7 @@ in hostname = cfg.xmppHost; username = cfg.userName; domain = cfg.userDomain; - password = { __hocon_envvar = "JICOFO_AUTH_PASS"; }; + password = format.lib.mkSubstitution "JICOFO_AUTH_PASS"; xmpp-domain = if cfg.xmppDomain == null then cfg.xmppHost else cfg.xmppDomain; }; service = client; diff --git a/nixos/modules/services/networking/jitsi-videobridge.nix b/nixos/modules/services/networking/jitsi-videobridge.nix index 37b0b1e5bf50..00ea5b9da546 100644 --- a/nixos/modules/services/networking/jitsi-videobridge.nix +++ b/nixos/modules/services/networking/jitsi-videobridge.nix @@ -6,16 +6,7 @@ let cfg = config.services.jitsi-videobridge; attrsToArgs = a: concatStringsSep " " (mapAttrsToList (k: v: "${k}=${toString v}") a); - # HOCON is a JSON superset that videobridge2 uses for configuration. - # It can substitute environment variables which we use for passwords here. - # https://github.com/lightbend/config/blob/master/README.md - # - # Substitution for environment variable FOO is represented as attribute set - # { __hocon_envvar = "FOO"; } - toHOCON = x: if isAttrs x && x ? __hocon_envvar then ("\${" + x.__hocon_envvar + "}") - else if isAttrs x then "{${ concatStringsSep "," (mapAttrsToList (k: v: ''"${k}":${toHOCON v}'') x) }}" - else if isList x then "[${ concatMapStringsSep "," toHOCON x }]" - else builtins.toJSON x; + format = pkgs.formats.hocon { }; # We're passing passwords in environment variables that have names generated # from an attribute name, which may not be a valid bash identifier. @@ -38,7 +29,7 @@ let hostname = xmppConfig.hostName; domain = xmppConfig.domain; username = xmppConfig.userName; - password = { __hocon_envvar = toVarName name; }; + password = format.lib.mkSubstitution (toVarName name); muc_jids = xmppConfig.mucJids; muc_nickname = xmppConfig.mucNickname; disable_certificate_verification = xmppConfig.disableCertificateVerification; 
@@ -221,7 +212,7 @@ in "-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION" = "/etc/jitsi"; "-Dnet.java.sip.communicator.SC_HOME_DIR_NAME" = "videobridge"; "-Djava.util.logging.config.file" = "/etc/jitsi/videobridge/logging.properties"; - "-Dconfig.file" = pkgs.writeText "jvb.conf" (toHOCON jvbConfig); + "-Dconfig.file" = format.generate "jvb.conf" jvbConfig; # Mitigate CVE-2021-44228 "-Dlog4j2.formatMsgNoLookups" = true; } // (mapAttrs' (k: v: nameValuePair "-D${k}" v) cfg.extraProperties); diff --git a/nixos/modules/services/web-apps/suwayomi-server.nix b/nixos/modules/services/web-apps/suwayomi-server.nix index c4c1540edbee..94dbe6f99356 100644 --- a/nixos/modules/services/web-apps/suwayomi-server.nix +++ b/nixos/modules/services/web-apps/suwayomi-server.nix @@ -3,6 +3,8 @@ let cfg = config.services.suwayomi-server; inherit (lib) mkOption mdDoc mkEnableOption mkIf types; + + format = pkgs.formats.hocon { }; in { options = { @@ -48,19 +50,7 @@ in settings = mkOption { type = types.submodule { - freeformType = - let - recursiveAttrsType = with types; attrsOf (nullOr (oneOf [ - str - path - int - float - bool - (listOf str) - (recursiveAttrsType // { description = "instances of this type recursively"; }) - ])); - in - recursiveAttrsType; + freeformType = format.type; options = { server = { ip = mkOption { 
@@ -180,38 +170,7 @@ in systemd.services.suwayomi-server = let - flattenConfig = prefix: config: - lib.foldl' - lib.mergeAttrs - { } - (lib.attrValues - (lib.mapAttrs - (k: v: - if !(lib.isAttrs v) - then { "${prefix}${k}" = v; } - else flattenConfig "${prefix}${k}." v - ) - config - ) - ); - - # HOCON is a JSON superset that suwayomi-server use for configuration - toHOCON = attr: - let - attrType = builtins.typeOf attr; - in - if builtins.elem attrType [ "string" "path" "int" "float" ] - then ''"${toString attr}"'' - else if attrType == "bool" - then lib.boolToString attr - else if attrType == "list" - then "[\n${lib.concatMapStringsSep ",\n" toHOCON attr}\n]" - else # attrs, lambda, null - throw '' - [suwayomi-server]: invalid config value type '${attrType}'. - ''; - - configFile = pkgs.writeText "server.conf" (lib.pipe cfg.settings [ + configFile = format.generate "server.conf" (lib.pipe cfg.settings [ (settings: lib.recursiveUpdate settings { server.basicAuthPasswordFile = null; server.basicAuthPassword = @@ -219,12 +178,8 @@ in then "$TACHIDESK_SERVER_BASIC_AUTH_PASSWORD" else null; }) - (flattenConfig "") - (lib.filterAttrs (_: x: x != null)) - (lib.mapAttrsToList (name: value: ''${name} = ${toHOCON value}'')) - lib.concatLines + (lib.filterAttrsRecursive (_: x: x != null)) ]); - in { description = "A free and open source manga reader server that runs extensions built for Tachiyomi."; From 8b06cac5f8e8217ea41333fc64cb4a8d46d826fd Mon Sep 17 00:00:00 2001 From: Sean Link Date: Thu, 8 Feb 2024 14:20:49 -0700 Subject: [PATCH 15/24] x265: run nixpkgs-fmt --- pkgs/development/libraries/x265/default.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/pkgs/development/libraries/x265/default.nix b/pkgs/development/libraries/x265/default.nix index 7e62812df890..7bc923f679dd 100644 --- a/pkgs/development/libraries/x265/default.nix +++ b/pkgs/development/libraries/x265/default.nix 
@@ -5,14 +5,14 @@ , cmake , nasm -# NUMA support enabled by default on NUMA platforms: + # NUMA support enabled by default on NUMA platforms: , numaSupport ? (stdenv.hostPlatform.isLinux && (stdenv.hostPlatform.isx86 || stdenv.hostPlatform.isAarch64)) , numactl -# Multi bit-depth support (8bit+10bit+12bit): + # Multi bit-depth support (8bit+10bit+12bit): , multibitdepthSupport ? (stdenv.is64bit && !(stdenv.isAarch64 && stdenv.isLinux)) -# Other options: + # Other options: , cliSupport ? true # Build standalone CLI application , custatsSupport ? false # Internal profiling of encoder work , debugSupport ? false # Run-time sanity checks (debugging) @@ -137,10 +137,10 @@ stdenv.mkDerivation rec { meta = with lib; { description = "Library for encoding H.265/HEVC video streams"; - homepage = "https://www.x265.org/"; - changelog = "https://x265.readthedocs.io/en/master/releasenotes.html#version-${lib.strings.replaceStrings ["."] ["-"] version}"; - license = licenses.gpl2Plus; + homepage = "https://www.x265.org/"; + changelog = "https://x265.readthedocs.io/en/master/releasenotes.html#version-${lib.strings.replaceStrings ["."] ["-"] version}"; + license = licenses.gpl2Plus; maintainers = with maintainers; [ codyopel ]; - platforms = platforms.all; + platforms = platforms.all; }; } From 2a98f1c84eeb6f22c956ccfa160284d91a1cb099 Mon Sep 17 00:00:00 2001 From: Sean Link Date: Thu, 8 Feb 2024 14:30:26 -0700 Subject: [PATCH 16/24] x265: add mingw support Part of a larger effort to add mingw support for qtmultimedia --- pkgs/development/libraries/x265/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/development/libraries/x265/default.nix b/pkgs/development/libraries/x265/default.nix index 7bc923f679dd..0ce635a80fb7 100644 --- a/pkgs/development/libraries/x265/default.nix +++ b/pkgs/development/libraries/x265/default.nix 
@@ -72,6 +72,12 @@ stdenv.mkDerivation rec { substituteInPlace cmake/Version.cmake \ --replace "unknown" "${version}" \ --replace "0.0" "${version}" + '' + # There is broken and complicated logic when setting X265_LATEST_TAG for + # mingwW64 builds. This bypasses the logic by setting it at the end of the + # file + + lib.optionalString stdenv.hostPlatform.isMinGW '' + echo 'set(X265_LATEST_TAG "${version}")' >> ./cmake/Version.cmake ''; nativeBuildInputs = [ cmake nasm ] ++ lib.optionals (numaSupport) [ numactl ]; From 9ebcb6f5dbd1a091c9b073587b6906b0c0663e08 Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Fri, 9 Feb 2024 18:32:23 +0100 Subject: [PATCH 17/24] pkgs-lib: Make `lib` overlays be propagated This is useful because the tests in `pkgs-lib` can mock out certain `lib` functions like this using a `lib` overlay. --- pkgs/top-level/all-packages.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 8d895297e963..e8d3f8e7b4c0 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -1480,7 +1480,12 @@ with pkgs; writers = callPackage ../build-support/writers { }; # lib functions depending on pkgs - inherit (import ../pkgs-lib { inherit lib pkgs; }) formats; + inherit (import ../pkgs-lib { + # The `lib` variable in this scope doesn't include any applied lib overlays, + # `pkgs.lib` does. + inherit (pkgs) lib; + inherit pkgs; + }) formats; testers = callPackage ../build-support/testers { }; From 0e65eca7c6c724bbddeb89ae8135c1fd67f71a84 Mon Sep 17 00:00:00 2001 
From: h7x4 Date: Wed, 24 Jan 2024 05:12:30 +0100 Subject: [PATCH 18/24] formats.hocon: add backwards compatibility --- pkgs/pkgs-lib/formats/hocon/default.nix | 82 ++++++++++++++----- pkgs/pkgs-lib/formats/hocon/src/src/main.rs | 11 +++ .../test/backwards-compatibility/default.nix | 65 +++++++++++++++ .../test/backwards-compatibility/expected.txt | 22 +++++ pkgs/pkgs-lib/formats/hocon/test/default.nix | 11 +++ 5 files changed, 170 insertions(+), 21 deletions(-) create mode 100644 pkgs/pkgs-lib/formats/hocon/test/backwards-compatibility/default.nix create mode 100644 pkgs/pkgs-lib/formats/hocon/test/backwards-compatibility/expected.txt diff --git a/pkgs/pkgs-lib/formats/hocon/default.nix b/pkgs/pkgs-lib/formats/hocon/default.nix index d5b6308dea60..318ee0143320 100644 --- a/pkgs/pkgs-lib/formats/hocon/default.nix +++ b/pkgs/pkgs-lib/formats/hocon/default.nix @@ -35,26 +35,8 @@ in # In the case that you need this functionality, # you will have to disable pyhocon validation. , doCheck ? true - }: { - type = let - type' = with lib.types; let - atomType = nullOr (oneOf [ - bool - float - int - path - str - ]); - in (oneOf [ - atomType - (listOf atomType) - (attrsOf type') - ]) // { - description = "HOCON value"; - }; - in type'; - - lib = { + }: let + hoconLib = { mkInclude = value: let includeStatement = if lib.isAttrs value && !(lib.isDerivation value) then { required = false; 
@@ -101,7 +83,65 @@ in }; }; + in { + type = let + type' = with lib.types; let + atomType = nullOr (oneOf [ + bool + float + int + path + str + ]); + in (oneOf [ + atomType + (listOf atomType) + (attrsOf type') + ]) // { + description = "HOCON value"; + }; + in type'; + + lib = hoconLib; + generate = name: value: + let + # TODO: remove in 24.11 + # Backwards compatability for generators in the following locations: + # - nixos/modules/services/networking/jibri/default.nix (__hocon_envvar) + # - nixos/modules/services/networking/jicofo.nix (__hocon_envvar, __hocon_unquoted_string) + # - nixos/modules/services/networking/jitsi-videobridge.nix (__hocon_envvar) + replaceOldIndicators = value: + if lib.isAttrs value then + (if value ? "__hocon_envvar" + then + lib.warn '' + Use of `__hocon_envvar` has been deprecated, and will + be removed in the future. + + Please use `(pkgs.formats.hocon {}).lib.mkSubstitution` instead. + '' + (hoconLib.mkSubstitution value.__hocon_envvar) + else if value ? "__hocon_unquoted_string" + then + lib.warn '' + Use of `__hocon_unquoted_string` has been deprecated, and will + be removed in the future. + + Please make use of the freeform options of + `(pkgs.formats.hocon {}).format` instead. + '' + { + value = value.__hocon_unquoted_string; + _type = "unquoted_string"; + } + else lib.mapAttrs (_: replaceOldIndicators) value) + else if lib.isList value + then map replaceOldIndicators value + else value; + + finalValue = replaceOldIndicators value; + in callPackage ({ stdenvNoCC @@ -114,7 +154,7 @@ in dontUnpack = true; - json = builtins.toJSON value; + json = builtins.toJSON finalValue; passAsFile = [ "json" ]; strictDeps = true; diff --git a/pkgs/pkgs-lib/formats/hocon/src/src/main.rs b/pkgs/pkgs-lib/formats/hocon/src/src/main.rs index a564fc7dccdb..2e53f3fd5659 100644 --- a/pkgs/pkgs-lib/formats/hocon/src/src/main.rs +++ b/pkgs/pkgs-lib/formats/hocon/src/src/main.rs 
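Review bot: `replaceOldIndicators` descends with `lib.mapAttrs` into every attribute set, including derivations, whereas `mkInclude` in the hunk above guards with `lib.isAttrs value && !(lib.isDerivation value)`; a derivation used as a value (the `include_file` derivations in the comprehensive test, for instance) is rebuilt attribute by attribute before `builtins.toJSON` sees it, and whether that still serialises as the store path depends on `toJSON` finding `outPath` in the rebuilt set. Using the same guard, `if lib.isAttrs value && !(lib.isDerivation value) then`, avoids the question. The `__hocon_unquoted_string` deprecation text points users to `(pkgs.formats.hocon {}).format`, but the set returned here only defines `type`, `lib` and `generate`, so the message should name the replacement that actually exists. The TODO comment also misspells "compatibility".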
@@ -10,6 +10,7 @@ enum HOCONValue { List(Vec), Substitution(String, bool), Object(Vec, Vec<(String, HOCONValue)>), + Literal(String), } #[derive(Debug)] @@ -92,6 +93,15 @@ fn parse_special_types(o: &Map) -> Option { HOCONValue::Append(Box::new(json_to_hocon(value))) } + "unquoted_string" => { + let value = o + .get("value") + .expect("Missing value for unquoted_string") + .as_str() + .unwrap_or_else(|| panic!("Unquoted string value is not a string: {:?}", o)); + + HOCONValue::Literal(value.to_string()) + } _ => panic!( "\ Attribute set contained special element '_type',\ @@ -210,6 +220,7 @@ impl ToString for HOCONValue { format!("{{\n{}\n}}", content) } HOCONValue::Append(_) => panic!("Append should not be present at this point"), + Self::Literal(s) => s.to_string(), } } } diff --git a/pkgs/pkgs-lib/formats/hocon/test/backwards-compatibility/default.nix b/pkgs/pkgs-lib/formats/hocon/test/backwards-compatibility/default.nix new file mode 100644 index 000000000000..5f0b3d12a2d0 --- /dev/null +++ b/pkgs/pkgs-lib/formats/hocon/test/backwards-compatibility/default.nix 
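Review bot: The new `Literal` variant is written out by `to_string` verbatim (`Self::Literal(s) => s.to_string()`), with none of the quoting every other string-carrying variant receives, and the enum gives no hint of that. Document it on the variant: `/// Raw HOCON text written to the output without quoting or escaping; only produced for the `unquoted_string` compatibility type.` — otherwise a reader of `json_to_hocon` cannot tell that this path trusts its input completely. Stylistically the new arm uses `Self::Literal` while every other arm of the same `match` spells out `HOCONValue::`, so `HOCONValue::Literal(s) => s.to_string(),` keeps the block uniform.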
@@ -0,0 +1,65 @@ +{ lib, formats, stdenvNoCC, writeText, ... }: +let + hocon = formats.hocon { }; + + expression = { + substitution = { __hocon_envvar = "PATH"; }; + literal = { + __hocon_unquoted_string = '' + [ + 1, + "a", + ]''; + }; + + nested = { + substitution = { __hocon_envvar = "PATH"; }; + literal = { + __hocon_unquoted_string = '' + [ + 1, + "a", + ]''; + }; + }; + + nested_in_array = [ + { __hocon_envvar = "PATH"; } + { + __hocon_unquoted_string = '' + [ + 1, + "a", + ]''; + } + ]; + }; + + hocon-test-conf = hocon.generate "hocon-test.conf" expression; +in + stdenvNoCC.mkDerivation { + name = "pkgs.formats.hocon-test-backwards-compatibility"; + + dontUnpack = true; + dontBuild = true; + + doCheck = true; + checkPhase = '' + runHook preCheck + + diff -U3 ${./expected.txt} ${hocon-test-conf} + + runHook postCheck + ''; + + installPhase = '' + runHook preInstall + + mkdir $out + cp ${./expected.txt} $out/expected.txt + cp ${hocon-test-conf} $out/hocon-test.conf + cp ${hocon-test-conf.passthru.json} $out/hocon-test.json + + runHook postInstall + ''; + } diff --git a/pkgs/pkgs-lib/formats/hocon/test/backwards-compatibility/expected.txt b/pkgs/pkgs-lib/formats/hocon/test/backwards-compatibility/expected.txt new file mode 100644 index 000000000000..2835a3c6ca39 --- /dev/null +++ b/pkgs/pkgs-lib/formats/hocon/test/backwards-compatibility/expected.txt @@ -0,0 +1,22 @@ +{ + "literal" = [ + 1, + "a", + ] + "nested" = { + "literal" = [ + 1, + "a", + ] + "substitution" = ${?PATH} + } + "nested_in_array" = [ + ${?PATH}, + [ + 1, + "a", + ] + ] + "substitution" = ${?PATH} +} + diff --git a/pkgs/pkgs-lib/formats/hocon/test/default.nix b/pkgs/pkgs-lib/formats/hocon/test/default.nix index 6cd03fe4854f..19928703b95e 100644 --- a/pkgs/pkgs-lib/formats/hocon/test/default.nix +++ b/pkgs/pkgs-lib/formats/hocon/test/default.nix 
@@ -1,4 +1,15 @@
 { pkgs, ... }:
 {
 comprehensive = pkgs.callPackage ./comprehensive { };
+ backwards-compatibility =
+ let
+ pkgsNoWarn = pkgs.extend (final: prev: {
+ lib = prev.lib.extend (libFinal: libPrev: {
+ warn = msg: v: v;
+ trivial = libPrev.trivial // {
+ warn = msg: v: v;
+ };
+ });
+ });
+ in pkgsNoWarn.callPackage ./backwards-compatibility { };
 }
From 7065951e177847b3d2325568071b7c0ece9957ca Mon Sep 17 00:00:00 2001
From: h7x4
Date: Thu, 25 Jan 2024 08:20:38 +0100
Subject: [PATCH 19/24] CODEOWNERS: add h7x4 to pkgs.formats.hocon
---
 .github/CODEOWNERS | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 3ef3d178fe5d..e58c00f6a5dc 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -52,6 +52,7 @@
 /pkgs/pkgs-lib @infinisil
 ## Format generators/serializers
 /pkgs/pkgs-lib/formats/libconfig @ckiee @h7x4
+/pkgs/pkgs-lib/formats/hocon @h7x4
 # pkgs/by-name
 /pkgs/test/nixpkgs-check-by-name @infinisil
From 5c960e3981c52a968552934710f58f6aaf31e857 Mon Sep 17 00:00:00 2001
From: "R. Ryantm"
Date: Fri, 9 Feb 2024 20:23:35 +0000
Subject: [PATCH 20/24] srm-cuarzo: 0.5.0-1 -> 0.5.1-1
---
 pkgs/by-name/sr/srm-cuarzo/package.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/by-name/sr/srm-cuarzo/package.nix b/pkgs/by-name/sr/srm-cuarzo/package.nix
index 281724539586..14d07128cabf 100644
--- a/pkgs/by-name/sr/srm-cuarzo/package.nix
+++ b/pkgs/by-name/sr/srm-cuarzo/package.nix
@@ -14,9 +14,9 @@
 }:
 stdenv.mkDerivation (self: {
 pname = "srm-cuarzo";
- version = "0.5.0-1";
+ version = "0.5.1-1";
 rev = "v${self.version}";
- hash = "sha256-q3pMWryiBR8BEPHvZ/g/jK2hIBTd15RxyU7uocSJsZ8=";
+ hash = "sha256-+Qn/obgYHWceQN0T3mbGjs/psj+lg43gm/cCBoMnRUk=";
 src = fetchFromGitHub {
 inherit (self) rev hash;
From 4e3e3accfad18a9428ae85a2736ba29f0b9cb3ce Mon Sep 17 00:00:00 2001
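Review bot: The `pkgsNoWarn` overlay replaces both `lib.warn` and `lib.trivial.warn` with `msg: v: v`, which silences every warning raised while the backwards-compatibility test evaluates, not only the two deprecation notices it exists for, and the hunk does not say so. A one-line comment such as `# silence lib.warn so the deprecated __hocon_* inputs evaluate quietly; the warning text itself is not asserted here` would record both the intent and the gap, since the test checks the generated output but never that the deprecation warning actually fires.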
From: Sergei Trofimovich
Date: Fri, 9 Feb 2024 21:28:56 +0000
Subject: [PATCH 21/24] kde-rounded-corners: fix source hash Without the change the build fails as: error: hash mismatch in fixed-output derivation '/nix/store/afak2xs6i8sriq08pi3wm2l753rj2k17-source.drv': specified: sha256-S6Z0j61LQHmZTYiLEpwG77JH9Nd32lF5Azb0U0+rdNg= got: sha256-DE3XTu3CQY9mGuOpehWno/4yFyLjHuh4RxdUh+aTU7M=
---
 .../themes/kwin-decorations/kde-rounded-corners/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/data/themes/kwin-decorations/kde-rounded-corners/default.nix b/pkgs/data/themes/kwin-decorations/kde-rounded-corners/default.nix
index 66b132cecfbf..b3605c9c95a9 100644
--- a/pkgs/data/themes/kwin-decorations/kde-rounded-corners/default.nix
+++ b/pkgs/data/themes/kwin-decorations/kde-rounded-corners/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
 owner = "matinlotfali";
 repo = "KDE-Rounded-Corners";
 rev = "v${version}";
- hash = "sha256-S6Z0j61LQHmZTYiLEpwG77JH9Nd32lF5Azb0U0+rdNg=";
+ hash = "sha256-DE3XTu3CQY9mGuOpehWno/4yFyLjHuh4RxdUh+aTU7M=";
 };
 postConfigure = ''
From fda3c01430877ffb84e05d8feee7c75647b9e63e Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich
Date: Fri, 9 Feb 2024 23:17:00 +0000
Subject: [PATCH 22/24] libsForQt5.mapbox-gl-native: mark broken (`gcc-13` build failure) The build fails against `gcc-13` on `master` as https://hydra.nixos.org/build/247923347: /build/source/include/mbgl/util/geometry.hpp:9:6: error: elaborated-type-specifier for a scoped enum must not use the 'class' keyword [-Werror] 9 | enum class FeatureType : uint8_t { | ~~~~ ^~~~~ Following suggestion of package removal by marking it broken first: https://github.com/NixOS/nixpkgs/pull/284574#issuecomment-1913688797
---
 pkgs/development/libraries/mapbox-gl-native/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/mapbox-gl-native/default.nix b/pkgs/development/libraries/mapbox-gl-native/default.nix
index f9212ea7cba9..01d51bdf7461 100644
--- a/pkgs/development/libraries/mapbox-gl-native/default.nix
+++ b/pkgs/development/libraries/mapbox-gl-native/default.nix
@@ -58,6 +58,8 @@ mkDerivation rec {
 env.NIX_CFLAGS_COMPILE = "-Wno-error=deprecated-declarations -Wno-error=type-limits";
 meta = with lib; {
+ # Does not build against gcc-13, the repository is archived upstream.
+ broken = true;
 description = "Interactive, thoroughly customizable maps in native Android, iOS, macOS, Node.js, and Qt applications, powered by vector tiles and OpenGL";
 homepage = "https://mapbox.com/mobile";
 license = licenses.bsd2;
From 9ce46e61eb67e9f30e6f1035cfee382f3a13c33f Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich
Date: Fri, 9 Feb 2024 23:26:29 +0000
Subject: [PATCH 23/24] nixos/hardened: fix lower bounds of hardened options Without the change build of `linux-config-4.19.306` fails as https://cache.nixos.org/log/994zy6g5fsb4p6c8jdwham8sp0mqh1w4-linux-config-4.19.306.drv: error: unused option: INIT_ON_ALLOC_DEFAULT_ON error: unused option: INIT_ON_FREE_DEFAULT_ON error: unused option: UBSAN_TRAP error: unused option: ZERO_CALL_USED_REGS
---
 pkgs/os-specific/linux/kernel/hardened/config.nix | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index ea49966f46dd..dec6a757c529 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -60,11 +60,11 @@ assert (versionAtLeast version "4.9"); PAGE_POISONING_ZERO = whenOlder "5.11" yes; # Enable init_on_alloc and init_on_free by default - INIT_ON_ALLOC_DEFAULT_ON = yes; - INIT_ON_FREE_DEFAULT_ON = yes; + INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes; + INIT_ON_FREE_DEFAULT_ON = whenAtLeast "5.3" yes; # Wipe all caller-used registers on exit from a function - ZERO_CALL_USED_REGS = yes; + ZERO_CALL_USED_REGS = whenAtLeast "5.15" yes; # Enable the SafeSetId LSM SECURITY_SAFESETID = whenAtLeast "5.1" yes; @@ -86,8 +86,8 @@ assert (versionAtLeast version "4.9"); # https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html # https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan UBSAN = yes; - UBSAN_TRAP = yes; - UBSAN_BOUNDS = yes; + UBSAN_TRAP = whenAtLeast "5.7" yes; + UBSAN_BOUNDS = whenAtLeast "5.7" yes; UBSAN_SANITIZE_ALL = yes; UBSAN_LOCAL_BOUNDS = option yes; # clang only CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1 From 386faef6e6d905abcbf9d4a85c92f60bbf5a61bb Mon Sep 17 00:00:00 2001 From: Manuel Frischknecht Date: Thu, 18 Jan 2024 23:04:41 +0100 Subject: [PATCH 24/24] frogmouth: use same xdg package as upstream --- pkgs/tools/text/frogmouth/default.nix | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/pkgs/tools/text/frogmouth/default.nix b/pkgs/tools/text/frogmouth/default.nix index 9ec9134c661e..68d63dc7aa5f 100644 --- a/pkgs/tools/text/frogmouth/default.nix +++ b/pkgs/tools/text/frogmouth/default.nix 
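Review bot: `ZERO_CALL_USED_REGS = whenAtLeast "5.15" yes;` gates on the kernel version only, but as far as I recall that Kconfig symbol also depends on compiler support (`CC_HAS_ZERO_CALL_USED_REGS`), so with a toolchain lacking `-fzero-call-used-regs` the hardened config would still fail its check on kernels ≥ 5.15; please confirm, and if so `option yes` is the safer form, matching the clang-only options further down. Separately, the new `whenAtLeast` floors make these mitigations vanish silently on kernels below 5.3 (init_on_*) and below 5.15 (register wiping) where previously the config check errored, so the hardened profile now differs by kernel version without the file saying so; the comment above `INIT_ON_ALLOC_DEFAULT_ON` could read `# init_on_alloc/init_on_free exist since 5.3; older kernels presumably rely on PAGE_POISONING above, which covers freed pages only`. The surrounding attribute set starts and ends outside the hunk.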
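Review bot: With `UBSAN_TRAP = whenAtLeast "5.7" yes;` the `UBSAN = yes;` line above it stays unconditional, so on kernels older than 5.7 UBSAN is, if I read the Kconfig right, built in report-only mode: undefined behaviour is logged rather than turned into a trap, a weaker guarantee than the profile gives on newer kernels, and nothing in the file says so. I would add a comment on the new line, e.g. `# < 5.7 has no UBSAN_TRAP: UBSAN only reports there instead of killing the offending path`, so that someone auditing a 4.19 hardened kernel is not misled by the unconditional `UBSAN = yes;`. If report-only is not acceptable for the hardened profile, gating `UBSAN` and `UBSAN_SANITIZE_ALL` with the same `whenAtLeast "5.7"` is the alternative, but that is a policy decision. The attribute set continues past the hunk.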
@@ -15,13 +15,6 @@ python3.pkgs.buildPythonApplication rec { hash = "sha256-0fcCON/M9JklE7X9aRfzTkEFG4ckJqLoQlYCSrWHHGQ="; }; - # Per , the package is - # renamed from `xdg` to `xdg_base_dirs`, but upstream isn't amenable to performing that rename. - # See . So this is a minimal fix. - postUnpack = '' - sed -i -e "s,from xdg import,from xdg_base_dirs import," $sourceRoot/frogmouth/data/{config,data_directory}.py - ''; - nativeBuildInputs = [ python3.pkgs.poetry-core python3.pkgs.pythonRelaxDepsHook @@ -31,13 +24,12 @@ python3.pkgs.buildPythonApplication rec { httpx textual typing-extensions - xdg-base-dirs + xdg ]; pythonRelaxDeps = [ "httpx" "textual" - "xdg-base-dirs" ]; pythonImportsCheck = [ "frogmouth" ];
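Review bot: The build now relies on `xdg` providing the `from xdg import …` names that the removed `postUnpack` sed used to rewrite in `frogmouth/data/config.py` and `frogmouth/data/data_directory.py`, but the only import check kept is `pythonImportsCheck = [ "frogmouth" ];`, which exercises those modules only if the top-level package imports them (not visible from here). Listing them explicitly, `pythonImportsCheck = [ "frogmouth" "frogmouth.data.config" "frogmouth.data.data_directory" ];`, turns a mismatch between upstream's `xdg` dependency and nixpkgs' `python3.pkgs.xdg` into a build failure instead of a runtime ImportError. A one-line comment next to `xdg`, e.g. `# upstream declined the rename to xdg-base-dirs; keep the same package it depends on`, would also stop the next maintainer from reverting to `xdg-base-dirs`, since the removed comment was the only record of that. The dependency list that `xdg` is added to starts before the hunk.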
