devshell: add gigthub section

devshell.toml

@@ -1,10 +1,45 @@
+imports = [ "git.hooks" ]
+
 [devshell]
 name = "nixpkgs"
 packages = [
   "fd",
   "nixpkgs-fmt",
+  "editorconfig-checker",
 ]
 
+[[commands]]
+package = "editorconfig-checker"
+category = "linters"
+
+[[commands]]
+package = "gitAndTools.gh"
+category = "github"
+
+[[commands]]
+name = "bugs"
+help = "List issues labeled as bugs"
+category = "github"
+command = "gh issue list --label=\"0.kind: bug\""
+
+[[commands]]
+name = "packaging-requests"
+help = "List issues labeled as packaging requests (chill out work)"
+category = "github"
+command = "gh issue list --label=\"0.kind: packaging request\""
+
+[[commands]]
+name = "pr-status"
+help = "Information about relevant PRs"
+category = "github"
+command = "gh pr status"
+
+[[commands]]
+name = "issue-status"
+help = "Information about relevant issues"
+category = "github"
+command = "gh issue status"
+
 [[commands]]
 name = "fmt"
 help = "Check Nix formatting"
@@ -17,3 +52,34 @@ help = "Check Nix parsing"
 category = "folder tree checks"
 command = "fd --extension nix --exec nix-instantiate --parse --quiet {} >/dev/null"
 
+[git.hooks]
+enable = true
+pre-commit.text = """
+#!/usr/bin/env bash
+set -eou pipefail
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+  against=HEAD
+else
+  # Initial commit: diff against an empty tree object
+  against=$(${git}/bin/git hash-object -t tree /dev/null)
+fi
+
+diff="git diff-index --name-only --cached $against --diff-filter d"
+
+nix_files=($($diff -- '*.nix'))
+all_files=($($diff))
+
+# Format staged nix files.
+if [[ -n "${nix_files[@]}" ]]; then
+  nixpkgs-fmt "${nix_files[@]}"
+  git add "${nix_files[@]}"
+fi
+
+# check editorconfig
+if ! editorconfig-checker -- "${all_files[@]}"; then
+  echo -e "\nCode is not aligned with .editorconfig
+Review the output and commit your fixes" >&2
+  exit 1
+fi
+"""

doc/languages-frameworks/vim.section.md

@@ -116,6 +116,44 @@ The resulting package can be added to `packageOverrides` in `~/.nixpkgs/config.n
 
 After that you can install your special grafted `myVim` or `myNeovim` packages.
 
+### What if your favourite Vim plugin isn't already packaged?
+
+If one of your favourite plugins isn't packaged, you can package it yourself:
+
+```
+{ config, pkgs, ... }:
+
+let
+  easygrep = pkgs.vimUtils.buildVimPlugin {
+    name = "vim-easygrep";
+    src = pkgs.fetchFromGitHub {
+      owner = "dkprice";
+      repo = "vim-easygrep";
+      rev = "d0c36a77cc63c22648e792796b1815b44164653a";
+      sha256 = "0y2p5mz0d5fhg6n68lhfhl8p4mlwkb82q337c22djs4w5zyzggbc";
+    };
+  };
+in
+{
+  environment.systemPackages = [
+    (
+      pkgs.neovim.override {
+        configure = {
+          packages.myPlugins = with pkgs.vimPlugins; {
+          start = [
+            vim-go # already packaged plugin
+            easygrep # custom package
+          ];
+          opt = [];
+        };
+        # ...
+      };
+     }
+    )
+  ];
+}
+```
+
 ## Managing plugins with vim-plug
 
 To use [vim-plug](https://github.com/junegunn/vim-plug) to manage your Vim

maintainers/maintainer-list.nix

@@ -2195,6 +2195,16 @@
     githubId = 4971975;
     name = "Janne Heß";
   };
+  dasisdormax = {
+    email = "[email protected]";
+    github = "dasisdormax";
+    githubId = 3714905;
+    keys = [{
+      longkeyid = "rsa4096/0x02BA0D4480CA6C44";
+      fingerprint = "E59B A198 61B0 A9ED C1FA  3FB2 02BA 0D44 80CA 6C44";
+    }];
+    name = "Maximilian Wende";
+  };
   dasj19 = {
     email = "[email protected]";
     github = "dasj19";

nixos/modules/installer/tools/tools.nix

@@ -163,7 +163,8 @@ in
         # List packages installed in system profile. To search, run:
         # \$ nix search wget
         # environment.systemPackages = with pkgs; [
-        #   wget vim
+        #   nano vim # don't forget to add an editor to edit configuration.nix!
+        #   wget
         #   firefox
         # ];
 

nixos/modules/services/databases/redis.nix

@@ -5,6 +5,8 @@ with lib;
 let
   cfg = config.services.redis;
 
+  ulimitNofile = cfg.maxclients + 32;
+
   mkValueString = value:
     if value == true then "yes"
     else if value == false then "no"
@@ -14,8 +16,8 @@ let
     listsAsDuplicateKeys = true;
     mkKeyValue = generators.mkKeyValueDefault { inherit mkValueString; } " ";
   } cfg.settings);
-in
-{
+
+in {
   imports = [
     (mkRemovedOptionModule [ "services" "redis" "user" ] "The redis module now is hardcoded to the redis user.")
     (mkRemovedOptionModule [ "services" "redis" "dbpath" ] "The redis module now uses /var/lib/redis as data directory.")
@@ -121,6 +123,12 @@ in
         description = "Set the number of databases.";
       };
 
+      maxclients = mkOption {
+        type = types.int;
+        default = 10000;
+        description = "Set the max number of connected clients at the same time.";
+      };
+
       save = mkOption {
         type = with types; listOf (listOf int);
         default = [ [900 1] [300 10] [60 10000] ];
@@ -253,6 +261,7 @@ in
         logfile = cfg.logfile;
         syslog-enabled = cfg.syslog;
         databases = cfg.databases;
+        maxclients = cfg.maxclients;
         save = map (d: "${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}") cfg.save;
         dbfilename = "dump.rdb";
         dir = "/var/lib/redis";
@@ -295,6 +304,34 @@ in
         StateDirectoryMode = "0700";
         # Access write directories
         UMask = "0077";
+        # Capabilities
+        CapabilityBoundingSet = "";
+        # Security
+        NoNewPrivileges = true;
+        # Process Properties
+        LimitNOFILE = "${toString ulimitNofile}";
+        # Sandboxing
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        PrivateMounts = true;
+        # System Call Filtering
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap";
       };
     };
   };

nixos/modules/services/misc/matrix-appservice-irc.nix

@@ -214,7 +214,8 @@ in {
         PrivateMounts = true;
         SystemCallFilter = "~@aio @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @setuid @swap";
         SystemCallArchitectures = "native";
-        RestrictAddressFamilies = "AF_INET AF_INET6";
+        # AF_UNIX is required to connect to a postgres socket.
+        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
       };
     };
 

nixos/modules/services/security/oauth2_proxy.nix

@@ -90,10 +90,10 @@ in
 
     package = mkOption {
       type = types.package;
-      default = pkgs.oauth2_proxy;
-      defaultText = "pkgs.oauth2_proxy";
+      default = pkgs.oauth2-proxy;
+      defaultText = "pkgs.oauth2-proxy";
       description = ''
-        The package that provides oauth2_proxy.
+        The package that provides oauth2-proxy.
       '';
     };
 

pkgs/applications/version-management/git-and-tools/gh/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "gh";
-  version = "1.9.1";
+  version = "1.9.2";
 
   src = fetchFromGitHub {
     owner = "cli";
     repo = "cli";
     rev = "v${version}";
-    sha256 = "1nrbz049nizrrfxdpws05gj0bqk47l4mrl4wcvfb6nwispc74ib0";
+    sha256 = "0lx6sx3zkjq9855va1vxbd5g47viqkrchk5d2rb6xj7zywwm4mgb";
   };
 
-  vendorSha256 = "0j2jy7n7hca5ybwwgh7cvm77j96ngaq1a1l5bl70vjpd8hz2qapc";
+  vendorSha256 = "1zmyd566xcksgqm0f7mq0rkfnxk0fmf39k13fcp9jy30c1y9681v";
 
   nativeBuildInputs = [ installShellFiles ];
 

pkgs/applications/video/mpv/scripts/mpv-playlistmanager.nix

@@ -0,0 +1,37 @@
+{ lib, stdenvNoCC, fetchFromGitHub, youtube-dl }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "mpv-playlistmanager";
+  version = "unstable-2021-03-09";
+
+  src = fetchFromGitHub {
+    owner = "jonniek";
+    repo = "mpv-playlistmanager";
+    rev = "c15a0334cf6d4581882fa31ddb1e6e7f2d937a3e";
+    sha256 = "uxcvgcSGS61UU8MmuD6qMRqpIa53iasH/vkg1xY7MVc=";
+  };
+
+  postPatch = ''
+    substituteInPlace playlistmanager.lua \
+    --replace "'youtube-dl'" "'${youtube-dl}/bin/youtube-dl'" \
+  '';
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/share/mpv/scripts
+    cp playlistmanager.lua $out/share/mpv/scripts
+    runHook postInstall
+  '';
+
+  passthru.scriptName = "playlistmanager.lua";
+
+  meta = with lib; {
+    description = "Mpv lua script to create and manage playlists";
+    homepage = "https://github.com/jonniek/mpv-playlistmanager";
+    license = licenses.unlicense;
+    platforms = platforms.all;
+    maintainers = with maintainers; [ lunik1 ];
+  };
+}

pkgs/applications/virtualization/crun/default.nix

@@ -38,13 +38,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "crun";
-  version = "0.19";
+  version = "0.19.1";
 
   src = fetchFromGitHub {
     owner = "containers";
     repo = pname;
     rev = version;
-    sha256 = "sha256-G9asWedX03cP5Qg5HIzlSIwwqNL16kiyWairk+6Kabw=";
+    sha256 = "sha256-v5uESTEspIc8rhZXrQqLEVMDvvPcfHuFoj6lI4M5z70=";
     fetchSubmodules = true;
   };
 

pkgs/development/compilers/haxe/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, coreutils, ocaml-ng, zlib, pcre, neko, mbedtls }:
+{ lib, stdenv, fetchFromGitHub, coreutils, ocaml-ng, zlib, pcre, neko, mbedtls, Security }:
 
 let
   ocamlDependencies = version:
@@ -31,7 +31,8 @@ let
       inherit version;
 
       buildInputs = [ zlib pcre neko ]
-        ++ lib.optional (lib.versionAtLeast version "4.1") [ mbedtls ]
+        ++ lib.optional (lib.versionAtLeast version "4.1") mbedtls
+        ++ lib.optional (lib.versionAtLeast version "4.1" && stdenv.isDarwin) Security
         ++ ocamlDependencies version;
 
       src = fetchFromGitHub {

pkgs/development/python-modules/adafruit-platformdetect/default.nix

@@ -6,12 +6,12 @@
 
 buildPythonPackage rec {
   pname = "adafruit-platformdetect";
-  version = "3.5.0";
+  version = "3.6.0";
 
   src = fetchPypi {
     pname = "Adafruit-PlatformDetect";
     inherit version;
-    sha256 = "sha256-QJeb9+iiS4QZ7poOBp5oKD5KuagkG6cfTalbNRwrI1M=";
+    sha256 = "sha256-096bMTAh5d2wikrmlDcUspD9GYZlPHbdDcf/e/BLAHI=";
   };
 
   nativeBuildInputs = [ setuptools-scm ];

pkgs/development/python-modules/aiosmb/default.nix

@@ -1,6 +1,7 @@
 { lib
 , asysocks
 , buildPythonPackage
+, colorama
 , fetchPypi
 , minikerberos
 , prompt_toolkit
@@ -13,22 +14,23 @@
 
 buildPythonPackage rec {
   pname = "aiosmb";
-  version = "0.2.37";
+  version = "0.2.41";
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "0daf1fk7406vpywc0yxv0wzf4nw986js9lc2agfyfxz0q7s29lf0";
+    sha256 = "sha256-hiLLoFswh0rm5f5TsaX+zyRDkOIyzGXVO0M5J5d/gtQ=";
   };
 
   propagatedBuildInputs = [
+    asysocks
+    colorama
     minikerberos
-    winsspi
+    prompt_toolkit
     six
-    asysocks
     tqdm
-    prompt_toolkit
     winacl
+    winsspi
   ];
 
   # Project doesn't have tests