Merge staging-next into staging

NixOS · Jan 2, 2025 · 4eff25d · 4eff25d
2 parents 131df74 + 3729f2c
commit 4eff25d
Show file tree

Hide file tree

Showing 149 changed files with 1,590 additions and 17,470 deletions.
diff --git a/doc/build-helpers/fetchers.chapter.md b/doc/build-helpers/fetchers.chapter.md
@@ -728,7 +728,7 @@ buildPythonPackage rec {
     (fetchDebianPatch {
       inherit pname version;
       debianRevision = "5";
-      name = "Add-quotes-to-SOAPAction-header-in-SoapClient.patch";
+      patch = "Add-quotes-to-SOAPAction-header-in-SoapClient.patch";
       hash = "sha256-xA8Wnrpr31H8wy3zHSNfezFNjUJt1HbSXn3qUMzeKc0=";
     })
   ];

diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
@@ -18652,6 +18652,12 @@
     githubId = 40905037;
     name = "qwqawawow";
   };
+  qxrein = {
+    email = "[email protected]";
+    github = "qxrein";
+    githubId = 101001298;
+    name = "qxrein";
+  };
   qyliss = {
     email = "[email protected]";
     github = "alyssais";

diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix
@@ -44,8 +44,8 @@ let
     borgWrapper () {
       local result
       borg "$@" && result=$? || result=$?
-      if [[ -z "${toString cfg.failOnWarnings}" ]] && [[ "$result" == 1 ]]; then
-        echo "ignoring warning return value 1"
+      if [[ -z "${toString cfg.failOnWarnings}" ]] && [[ "$result" == 1 || ("$result" -ge 100 && "$result" -le 127) ]]; then
+        echo "ignoring warning return value $result"
         return 0
       else
         return "$result"

diff --git a/nixos/modules/services/security/certmgr.nix b/nixos/modules/services/security/certmgr.nix
@@ -130,7 +130,7 @@ in
                 type = addCheck str (
                   x:
                   cfg.svcManager == "command"
-                  || elem x [
+                  || lib.elem x [
                     "restart"
                     "reload"
                     "nop"

diff --git a/nixos/modules/services/security/cfssl.nix b/nixos/modules/services/security/cfssl.nix
@@ -193,7 +193,7 @@ in
           ExecStart =
             with cfg;
             let
-              opt = n: v: optionalString (v != null) ''-${n}="${v}"'';
+              opt = n: v: lib.optionalString (v != null) ''-${n}="${v}"'';
             in
             lib.concatStringsSep " \\\n" [
               "${pkgs.cfssl}/bin/cfssl serve"

diff --git a/nixos/modules/services/security/endlessh-go.nix b/nixos/modules/services/security/endlessh-go.nix
@@ -94,14 +94,14 @@ in
           Restart = "always";
           ExecStart =
             with cfg;
-            concatStringsSep " " (
+            lib.concatStringsSep " " (
               [
                 (lib.getExe cfg.package)
                 "-logtostderr"
                 "-host=${listenAddress}"
                 "-port=${toString port}"
               ]
-              ++ optionals prometheus.enable [
+              ++ lib.optionals prometheus.enable [
                 "-enable_prometheus"
                 "-prometheus_host=${prometheus.listenAddress}"
                 "-prometheus_port=${toString prometheus.port}"
@@ -149,7 +149,7 @@ in
         };
     };
 
-    networking.firewall.allowedTCPPorts = with cfg; optionals openFirewall [ port ];
+    networking.firewall.allowedTCPPorts = with cfg; lib.optionals openFirewall [ port ];
   };
 
   meta.maintainers = with lib.maintainers; [ azahi ];

diff --git a/nixos/modules/services/security/endlessh.nix b/nixos/modules/services/security/endlessh.nix
@@ -60,7 +60,7 @@ in
           Restart = "always";
           ExecStart =
             with cfg;
-            concatStringsSep " " (
+            lib.concatStringsSep " " (
               [
                 "${pkgs.endlessh}/bin/endlessh"
                 "-p ${toString port}"
@@ -109,7 +109,7 @@ in
         };
     };
 
-    networking.firewall.allowedTCPPorts = with cfg; optionals openFirewall [ port ];
+    networking.firewall.allowedTCPPorts = with cfg; lib.optionals openFirewall [ port ];
   };
 
   meta.maintainers = with lib.maintainers; [ azahi ];

diff --git a/nixos/modules/services/security/opensnitch.nix b/nixos/modules/services/security/opensnitch.nix
@@ -150,7 +150,7 @@ in
             };
 
             Ebpf.ModulesPath = lib.mkOption {
-              type = lib.types.path;
+              type = lib.types.nullOr lib.types.path;
               default =
                 if cfg.settings.ProcMonitorMethod == "ebpf" then
                   "${config.boot.kernelPackages.opensnitch-ebpf}/etc/opensnitchd"
@@ -202,10 +202,16 @@ in
       services.opensnitchd = {
         wantedBy = [ "multi-user.target" ];
         serviceConfig = {
-          ExecStart = [
-            ""
-            "${pkgs.opensnitch}/bin/opensnitchd --config-file ${format.generate "default-config.json" cfg.settings}"
-          ];
+          ExecStart =
+            let
+              preparedSettings = removeAttrs cfg.settings (
+                lib.optional (cfg.settings.ProcMonitorMethod != "ebpf") "Ebpf"
+              );
+            in
+            [
+              ""
+              "${pkgs.opensnitch}/bin/opensnitchd --config-file ${format.generate "default-config.json" preparedSettings}"
+            ];
         };
         preStart = lib.mkIf (cfg.rules != { }) (
           let

diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
@@ -5,7 +5,6 @@
   pkgs,
   ...
 }:
-with builtins;
 let
   cfg = config.services.tor;
   opt = options.services.tor;
@@ -15,7 +14,7 @@ let
     See [torrc manual](https://2019.www.torproject.org/docs/tor-manual.html.en#${option}).
   '';
   bindsPrivilegedPort =
-    any
+    lib.any
       (
         p0:
         let
@@ -25,7 +24,7 @@ let
           false
         else
           let
-            p2 = if isInt p1 then p1 else toInt p1;
+            p2 = if lib.isInt p1 then p1 else lib.toInt p1;
           in
           p1 != null && 0 < p2 && p2 < 1024
       )
@@ -127,7 +126,7 @@ let
             );
           config = {
             flags =
-              filter (name: config.${name} == true) isolateFlags
+              lib.filter (name: config.${name} == true) isolateFlags
               ++ lib.optional (config.SessionGroup != null) "SessionGroup=${toString config.SessionGroup}";
           };
         }
@@ -197,7 +196,7 @@ let
           config = lib.mkIf doConfig {
             # Only add flags in SOCKSPort to avoid duplicates
             flags =
-              filter (name: config.${name} == true) flags
+              lib.filter (name: config.${name} == true) flags
               ++ lib.optional (config.SessionGroup != null) "SessionGroup=${toString config.SessionGroup}";
           };
         }
@@ -245,7 +244,7 @@ let
                     }
                   );
                 config = {
-                  flags = filter (name: config.${name} == true) flags;
+                  flags = lib.filter (name: config.${name} == true) flags;
                 };
               }
             ))
@@ -272,16 +271,16 @@ let
     k: v:
     if v == null then
       ""
-    else if isBool v then
+    else if lib.isBool v then
       (if v then "1" else "0")
     else if v ? "unix" && v.unix != null then
-      "unix:" + v.unix + lib.optionalString (v ? "flags") (" " + concatStringsSep " " v.flags)
+      "unix:" + v.unix + lib.optionalString (v ? "flags") (" " + lib.concatStringsSep " " v.flags)
     else if v ? "port" && v.port != null then
       lib.optionalString (v ? "addr" && v.addr != null) "${v.addr}:"
       + toString v.port
-      + lib.optionalString (v ? "flags") (" " + concatStringsSep " " v.flags)
+      + lib.optionalString (v ? "flags") (" " + lib.concatStringsSep " " v.flags)
     else if k == "ServerTransportPlugin" then
-      lib.optionalString (v.transports != [ ]) "${concatStringsSep "," v.transports} exec ${v.exec}"
+      lib.optionalString (v.transports != [ ]) "${lib.concatStringsSep "," v.transports} exec ${v.exec}"
     else if k == "HidServAuth" then
       v.onion + " " + v.auth
     else
@@ -298,15 +297,15 @@ let
           k: v:
           # Not necesssary, but prettier rendering
           if
-            elem k [
+            lib.elem k [
               "AutomapHostsSuffixes"
               "DirPolicy"
               "ExitPolicy"
               "SocksPolicy"
             ]
             && v != [ ]
           then
-            concatStringsSep "," v
+            lib.concatStringsSep "," v
           else
             v
         ) (lib.filterAttrs (k: v: !(v == null || v == "")) settings)
@@ -750,7 +749,7 @@ in
                     ]);
                   apply = map (
                     v:
-                    if isInt v then
+                    if lib.isInt v then
                       {
                         port = v;
                         target = null;
@@ -816,7 +815,7 @@ in
                   settings.HiddenServiceVersion = config.version;
                   settings.HiddenServiceAuthorizeClient =
                     if config.authorizeClient != null then
-                      config.authorizeClient.authType + " " + concatStringsSep "," config.authorizeClient.clientNames
+                      config.authorizeClient.authType + " " + lib.concatStringsSep "," config.authorizeClient.clientNames
                     else
                       null;
                   settings.HiddenServicePort = map (
@@ -929,7 +928,7 @@ in
                           }
                         );
                       config = {
-                        flags = filter (name: config.${name} == true) flags;
+                        flags = lib.filter (name: config.${name} == true) flags;
                       };
                     }
                   ))
@@ -998,7 +997,7 @@ in
                   }
                 ))
               ]);
-            apply = p: if isInt p || isString p then { port = p; } else p;
+            apply = p: if lib.isInt p || lib.isString p then { port = p; } else p;
           };
           options.ExtORPortCookieAuthFile = optionPath "ExtORPortCookieAuthFile";
           options.ExtORPortCookieAuthFileGroupReadable = optionBool "ExtORPortCookieAuthFileGroupReadable";
@@ -1198,17 +1197,17 @@ in
         lib.mapAttrsToList (
           n: o:
           lib.optionals (o.settings.HiddenServiceVersion == 2) [
-            (optional (o.settings.HiddenServiceExportCircuitID != null) ''
+            (lib.optional (o.settings.HiddenServiceExportCircuitID != null) ''
               HiddenServiceExportCircuitID is used in the HiddenService: ${n}
               but this option is only for v3 hidden services.
             '')
           ]
           ++ lib.optionals (o.settings.HiddenServiceVersion != 2) [
-            (optional (o.settings.HiddenServiceAuthorizeClient != null) ''
+            (lib.optional (o.settings.HiddenServiceAuthorizeClient != null) ''
               HiddenServiceAuthorizeClient is used in the HiddenService: ${n}
               but this option is only for v2 hidden services.
             '')
-            (optional (o.settings.RendPostPeriod != null) ''
+            (lib.optional (o.settings.RendPostPeriod != null) ''
               RendPostPeriod is used in the HiddenService: ${n}
               but this option is only for v2 hidden services.
             '')
@@ -1245,7 +1244,7 @@ in
         }
         //
           lib.optionalAttrs
-            (elem cfg.relay.role [
+            (lib.elem cfg.relay.role [
               "bridge"
               "private-bridge"
             ])
@@ -1307,13 +1306,13 @@ in
 
     networking.firewall = lib.mkIf cfg.openFirewall {
       allowedTCPPorts =
-        concatMap
+        lib.concatMap
           (
             o:
-            if isInt o && o > 0 then
+            if lib.isInt o && o > 0 then
               [ o ]
             else
-              lib.optionals (o ? "port" && isInt o.port && o.port > 0) [ o.port ]
+              lib.optionals (o ? "port" && lib.isInt o.port && o.port > 0) [ o.port ]
           )
           (
             lib.flatten [
@@ -1341,40 +1340,40 @@ in
           (
             "+"
             + pkgs.writeShellScript "ExecStartPre" (
-              concatStringsSep "\n" (
+              lib.concatStringsSep "\n" (
                 lib.flatten (
                   [ "set -eu" ]
                   ++ lib.mapAttrsToList (
                     name: onion:
                     lib.optional (onion.authorizedClients != [ ]) ''
-                      rm -rf ${escapeShellArg onion.path}/authorized_clients
-                      install -d -o tor -g tor -m 0700 ${escapeShellArg onion.path} ${escapeShellArg onion.path}/authorized_clients
+                      rm -rf ${lib.escapeShellArg onion.path}/authorized_clients
+                      install -d -o tor -g tor -m 0700 ${lib.escapeShellArg onion.path} ${lib.escapeShellArg onion.path}/authorized_clients
                     ''
-                    ++ imap0 (i: pubKey: ''
+                    ++ lib.imap0 (i: pubKey: ''
                       echo ${pubKey} |
-                      install -o tor -g tor -m 0400 /dev/stdin ${escapeShellArg onion.path}/authorized_clients/${toString i}.auth
+                      install -o tor -g tor -m 0400 /dev/stdin ${lib.escapeShellArg onion.path}/authorized_clients/${toString i}.auth
                     '') onion.authorizedClients
                     ++ lib.optional (onion.secretKey != null) ''
-                      install -d -o tor -g tor -m 0700 ${escapeShellArg onion.path}
-                      key="$(cut -f1 -d: ${escapeShellArg onion.secretKey} | head -1)"
+                      install -d -o tor -g tor -m 0700 ${lib.escapeShellArg onion.path}
+                      key="$(cut -f1 -d: ${lib.escapeShellArg onion.secretKey} | head -1)"
                       case "$key" in
                        ("== ed25519v"*"-secret")
-                        install -o tor -g tor -m 0400 ${escapeShellArg onion.secretKey} ${escapeShellArg onion.path}/hs_ed25519_secret_key;;
+                        install -o tor -g tor -m 0400 ${lib.escapeShellArg onion.secretKey} ${lib.escapeShellArg onion.path}/hs_ed25519_secret_key;;
                        (*) echo >&2 "NixOS does not (yet) support secret key type for onion: ${name}"; exit 1;;
                       esac
                     ''
                   ) cfg.relay.onionServices
                   ++ lib.mapAttrsToList (
                     name: onion:
-                    imap0 (
+                    lib.imap0 (
                       i: prvKeyPath:
                       let
-                        hostname = removeSuffix ".onion" name;
+                        hostname = lib.removeSuffix ".onion" name;
                       in
                       ''
-                        printf "%s:" ${escapeShellArg hostname} | cat - ${escapeShellArg prvKeyPath} |
+                        printf "%s:" ${lib.escapeShellArg hostname} | cat - ${lib.escapeShellArg prvKeyPath} |
                         install -o tor -g tor -m 0700 /dev/stdin \
-                         ${runDir}/ClientOnionAuthDir/${escapeShellArg hostname}.${toString i}.auth_private
+                         ${runDir}/ClientOnionAuthDir/${lib.escapeShellArg hostname}.${toString i}.auth_private
                       ''
                     ) onion.clientAuthorizations
                   ) cfg.client.onionServices
@@ -1417,7 +1416,7 @@ in
         BindPaths = [ stateDir ];
         BindReadOnlyPaths =
           [
-            storeDir
+            builtins.storeDir
             "/etc"
           ]
           ++ lib.optionals config.services.resolved.enable [

diff --git a/nixos/modules/services/system/cloud-init.nix b/nixos/modules/services/system/cloud-init.nix
@@ -17,9 +17,9 @@ let
       util-linux
       busybox
     ]
-    ++ optional cfg.btrfs.enable btrfs-progs
-    ++ optional cfg.ext4.enable e2fsprogs
-    ++ optional cfg.xfs.enable xfsprogs
+    ++ lib.optional cfg.btrfs.enable btrfs-progs
+    ++ lib.optional cfg.ext4.enable e2fsprogs
+    ++ lib.optional cfg.xfs.enable xfsprogs
     ++ cfg.extraPackages;
   hasFs = fsName: lib.any (fs: fs.fsType == fsName) (lib.attrValues config.fileSystems);
   settingsFormat = pkgs.formats.yaml { };