41 files changed, 450 insertions, 83 deletions
diff --git a/lib/types.nix b/lib/types.nix index e9e45dc25c72..30b053db486f 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -499,7 +499,7 @@ rec { show = v: if builtins.isString v then ''"${v}"'' else if builtins.isInt v then builtins.toString v - else if builtins.isBool v then if v then "true" else "false" + else if builtins.isBool v then boolToString v else ''<${builtins.typeOf v}>''; in mkOptionType rec { diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml index c160ab5783d3..374ea1cbd165 100644 --- a/nixos/doc/manual/release-notes/rl-2103.xml +++ b/nixos/doc/manual/release-notes/rl-2103.xml @@ -99,6 +99,16 @@ to <literal>/run/pdns-recursor</literal> to match upstream. </para> </listitem> + <listitem> + <para> + PowerDNS has been updated from <literal>4.2.x</literal> to <literal>4.3.x</literal>. Please + be sure to review the <link xlink:href="https://doc.powerdns.com/authoritative/upgrading.html#x-to-4-3-0">Upgrade Notes</link> + provided by upstream before upgrading. Worth specifically noting is that the service now runs + entirely as a dedicated <literal>pdns</literal> user, instead of starting as <literal>root</literal> + and dropping privileges, as well as the default <literal>socket-dir</literal> location changing from + <literal>/var/lib/powerdns</literal> to <literal>/run/pdns</literal>. + </para> + </listitem> </itemizedlist> </section> diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix index aacdbe2aeed2..86a3f52107d5 100644 --- a/nixos/modules/services/mail/rspamd.nix +++ b/nixos/modules/services/mail/rspamd.nix @@ -153,7 +153,7 @@ let ${concatStringsSep "\n" (mapAttrsToList (name: value: let includeName = if name == "rspamd_proxy" then "proxy" else name; - tryOverride = if value.extraConfig == "" then "true" else "false"; + tryOverride = boolToString (value.extraConfig == ""); in '' worker "${value.type}" { type = "${value.type}"; 
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index 2680b1cc0d3b..ed05882a6343 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -45,7 +45,7 @@ let trusted-substituters = ${toString cfg.trustedBinaryCaches} trusted-public-keys = ${toString cfg.binaryCachePublicKeys} auto-optimise-store = ${boolToString cfg.autoOptimiseStore} - require-sigs = ${if cfg.requireSignedBinaryCaches then "true" else "false"} + require-sigs = ${boolToString cfg.requireSignedBinaryCaches} trusted-users = ${toString cfg.trustedUsers} allowed-users = ${toString cfg.allowedUsers} ${optionalString (!cfg.distributedBuilds) '' diff --git a/nixos/modules/services/networking/powerdns.nix b/nixos/modules/services/networking/powerdns.nix index ba05e15389f6..8cae61b83543 100644 --- a/nixos/modules/services/networking/powerdns.nix +++ b/nixos/modules/services/networking/powerdns.nix 
@@ -8,42 +8,40 @@ let in { options = { services.powerdns = { - enable = mkEnableOption "Powerdns domain name server"; + enable = mkEnableOption "PowerDNS domain name server"; extraConfig = mkOption { type = types.lines; default = "launch=bind"; description = '' - Extra lines to be added verbatim to pdns.conf. - Powerdns will chroot to /var/lib/powerdns. - So any file, powerdns is supposed to be read, - should be in /var/lib/powerdns and needs to specified - relative to the chroot. + PowerDNS configuration. Refer to + <link xlink:href="https://doc.powerdns.com/authoritative/settings.html"/> + for details on supported values. ''; }; }; }; - config = mkIf config.services.powerdns.enable { + config = mkIf cfg.enable { + + systemd.packages = [ pkgs.powerdns ]; + systemd.services.pdns = { - unitConfig.Documentation = "man:pdns_server(1) man:pdns_control(1)"; - description = "Powerdns name server"; wantedBy = [ "multi-user.target" ]; - after = ["network.target" "mysql.service" "postgresql.service" "openldap.service"]; + after = [ "network.target" "mysql.service" "postgresql.service" "openldap.service" ]; serviceConfig = { - Restart="on-failure"; - RestartSec="1"; - StartLimitInterval="0"; - PrivateDevices=true; - CapabilityBoundingSet="CAP_CHOWN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT"; - NoNewPrivileges=true; - ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/powerdns"; - ExecStart = "${pkgs.powerdns}/bin/pdns_server --setuid=nobody --setgid=nogroup --chroot=/var/lib/powerdns --socket-dir=/ --daemon=no --guardian=no --disable-syslog --write-pid=no --config-dir=${configDir}"; - ProtectSystem="full"; - ProtectHome=true; - RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6"; + ExecStart = [ "" "${pkgs.powerdns}/bin/pdns_server --config-dir=${configDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ]; }; }; + + users.users.pdns = { + isSystemUser = true; + group = "pdns"; + description = "PowerDNS"; + }; + + 
users.groups.pdns = {}; + }; } diff --git a/nixos/modules/services/networking/prosody.nix b/nixos/modules/services/networking/prosody.nix index a6c1cb0f4797..e7a7aa700be6 100644 --- a/nixos/modules/services/networking/prosody.nix +++ b/nixos/modules/services/networking/prosody.nix @@ -261,7 +261,7 @@ let toLua = x: if builtins.isString x then ''"${x}"'' - else if builtins.isBool x then (if x == true then "true" else "false") + else if builtins.isBool x then boolToString x else if builtins.isInt x then toString x else if builtins.isList x then ''{ ${lib.concatStringsSep ", " (map (n: toLua n) x) } }'' else throw "Invalid Lua value"; diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index 3f84f9c2560c..cf0d72d5c531 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -282,12 +282,12 @@ in services.fail2ban.jails.DEFAULT = '' ${optionalString cfg.bantime-increment.enable '' # Bantime incremental - bantime.increment = ${if cfg.bantime-increment.enable then "true" else "false"} + bantime.increment = ${boolToString cfg.bantime-increment.enable} bantime.maxtime = ${cfg.bantime-increment.maxtime} bantime.factor = ${cfg.bantime-increment.factor} bantime.formula = ${cfg.bantime-increment.formula} bantime.multipliers = ${cfg.bantime-increment.multipliers} - bantime.overalljails = ${if cfg.bantime-increment.overalljails then "true" else "false"} + bantime.overalljails = ${boolToString cfg.bantime-increment.overalljails} ''} # Miscellaneous options ignoreip = 127.0.0.1/8 ${optionalString config.networking.enableIPv6 "::1"} ${concatStringsSep " " cfg.ignoreIP} diff --git a/nixos/modules/services/security/usbguard.nix b/nixos/modules/services/security/usbguard.nix index 16a90da52314..71fd71a2cab2 100644 --- a/nixos/modules/services/security/usbguard.nix +++ b/nixos/modules/services/security/usbguard.nix 
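Review bot: The rewritten `serviceConfig` keeps only `ExecStart`, so the sandboxing the old unit set explicitly — `PrivateDevices`, `CapabilityBoundingSet`, `NoNewPrivileges`, `ProtectSystem`, `ProtectHome`, `RestrictAddressFamilies` — and the `--chroot`/`--setuid` flags are gone, while the hunk does not show what the upstream unit loaded via `systemd.packages = [ pkgs.powerdns ];` provides in their place. Presumably that unit supplies `User=pdns` and its own hardening (the release-note hunk says the daemon now runs entirely as `pdns`), but this should be verified against the packaged pdns.service and anything missing re-added next to `ExecStart`; `Restart=on-failure` was dropped as well. A comment above `systemd.packages` such as `# User= and sandboxing come from upstream's pdns.service; only ExecStart is overridden below to point at our config dir` would record that dependency, and the `[ "" ... ]` list form deserves its own line, `# leading "" resets upstream's ExecStart before ours is set`. The enclosing module continues before this hunk.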
@@ -19,13 +19,13 @@ let PresentDevicePolicy=${cfg.presentDevicePolicy} PresentControllerPolicy=${cfg.presentControllerPolicy} InsertedDevicePolicy=${cfg.insertedDevicePolicy} - RestoreControllerDeviceState=${if cfg.restoreControllerDeviceState then "true" else "false"} + RestoreControllerDeviceState=${boolToString cfg.restoreControllerDeviceState} # this does not seem useful for endusers to change DeviceManagerBackend=uevent IPCAllowedUsers=${concatStringsSep " " cfg.IPCAllowedUsers} IPCAllowedGroups=${concatStringsSep " " cfg.IPCAllowedGroups} IPCAccessControlFiles=/var/lib/usbguard/IPCAccessControl.d/ - DeviceRulesWithPort=${if cfg.deviceRulesWithPort then "true" else "false"} + DeviceRulesWithPort=${boolToString cfg.deviceRulesWithPort} # HACK: that way audit logs still land in the journal AuditFilePath=/dev/null ''; diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix index eae70a57c781..25b424e485f3 100644 --- a/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixos/modules/services/x11/display-managers/gdm.nix @@ -264,7 +264,7 @@ in # presented and there's a little delay. environment.etc."gdm/custom.conf".text = '' [daemon] - WaylandEnable=${if cfg.gdm.wayland then "true" else "false"} + WaylandEnable=${boolToString cfg.gdm.wayland} ${optionalString cfg.autoLogin.enable ( if cfg.gdm.autoLogin.delay > 0 then '' TimedLoginEnable=true diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix index e63bb2e44539..4040b903426b 100644 --- a/nixos/modules/services/x11/display-managers/sddm.nix +++ b/nixos/modules/services/x11/display-managers/sddm.nix 
@@ -55,10 +55,10 @@ let XauthPath=${pkgs.xorg.xauth}/bin/xauth DisplayCommand=${Xsetup} DisplayStopCommand=${Xstop} - EnableHidpi=${if cfg.enableHidpi then "true" else "false"} + EnableHidpi=${boolToString cfg.enableHidpi} [Wayland] - EnableHidpi=${if cfg.enableHidpi then "true" else "false"} + EnableHidpi=${boolToString cfg.enableHidpi} SessionDir=${dmcfg.sessionData.desktops}/share/wayland-sessions ${optionalString dmcfg.autoLogin.enable '' diff --git a/nixos/tests/powerdns.nix b/nixos/tests/powerdns.nix index 75d71315e644..d025934ad2b3 100644 --- a/nixos/tests/powerdns.nix +++ b/nixos/tests/powerdns.nix 
@@ -1,13 +1,65 @@ -import ./make-test-python.nix ({ pkgs, ... }: { +# This test runs PowerDNS authoritative server with the +# generic MySQL backend (gmysql) to connect to a +# MariaDB server using UNIX sockets authentication. + +import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "powerdns"; nodes.server = { ... }: { services.powerdns.enable = true; - environment.systemPackages = [ pkgs.dnsutils ]; + services.powerdns.extraConfig = '' + launch=gmysql + gmysql-user=pdns + ''; + + services.mysql = { + enable = true; + package = pkgs.mariadb; + ensureDatabases = [ "powerdns" ]; + ensureUsers = lib.singleton + { name = "pdns"; + ensurePermissions = { "powerdns.*" = "ALL PRIVILEGES"; }; + }; + }; + + environment.systemPackages = with pkgs; + [ dnsutils powerdns mariadb ]; }; testScript = '' - server.wait_for_unit("pdns") - server.succeed("dig version.bind txt chaos \@127.0.0.1") + import re + + with subtest("PowerDNS database exists"): + server.wait_for_unit("mysql") + server.succeed("echo 'SHOW DATABASES;' | sudo -u pdns mysql -u pdns >&2") + + with subtest("Loading the MySQL schema works"): + server.succeed( + "sudo -u pdns mysql -u pdns -D powerdns <" + "${pkgs.powerdns}/share/doc/pdns/schema.mysql.sql" + ) + + with subtest("PowerDNS server starts"): + server.wait_for_unit("pdns") + server.succeed("dig version.bind txt chaos @127.0.0.1 >&2") + + with subtest("Adding an example zone works"): + # Extract configuration file needed by pdnsutil + unit = server.succeed("systemctl cat pdns") + conf = re.search("(--config-dir=[^ ]+)", unit).group(1) + pdnsutil = "sudo -u pdns pdnsutil " + conf + server.succeed(f"{pdnsutil} create-zone example.com ns1.example.com") + server.succeed(f"{pdnsutil} add-record example.com ns1 A 192.168.1.2") + + with subtest("Querying the example zone works"): + reply = server.succeed("dig +noall +answer ns1.example.com @127.0.0.1") + assert ( + "192.168.1.2" in reply + ), f"""" + The reply does not contain the expected IP address: + 
Expected: + ns1.example.com. 3600 IN A 192.168.1.2 + Reply: + {reply}""" ''; }) diff --git a/pkgs/applications/audio/opustags/default.nix b/pkgs/applications/audio/opustags/default.nix new file mode 100644 index 000000000000..eb056c720d1f --- /dev/null +++ b/pkgs/applications/audio/opustags/default.nix @@ -0,0 +1,24 @@ +{ stdenv, lib, cmake, pkgconfig, libogg, fetchFromGitHub, libiconv }: +stdenv.mkDerivation rec { + pname = "opustags"; + version = "1.3.0"; + + src = fetchFromGitHub { + owner = "fmang"; + repo = "opustags"; + rev = version; + sha256 = "09z0cdg20algaj2yyhfz3hxh1biwjjvzx1pc2vdc64n8lkswqsc1"; + }; + + buildInputs = [ libogg ]; + + nativeBuildInputs = [ cmake pkgconfig ] ++ lib.optional stdenv.isDarwin libiconv; + + meta = with lib; { + homepage = "https://github.com/fmang/opustags"; + description = "Ogg Opus tags editor"; + platforms = platforms.all; + maintainers = [ maintainers.kmein ]; + license = licenses.bsd3; + }; +} diff --git a/pkgs/applications/misc/dstask/default.nix b/pkgs/applications/misc/dstask/default.nix index d5c02f695521..c9b3e2dd8983 100644 --- a/pkgs/applications/misc/dstask/default.nix +++ b/pkgs/applications/misc/dstask/default.nix @@ -2,13 +2,13 @@ buildGoModule rec { pname = "dstask"; - version = "0.21"; + version = "0.22"; src = fetchFromGitHub { owner = "naggie"; repo = pname; rev = "v${version}"; - sha256 = "0af85rs4s0wfnibdhn28qycvy90aafkczccs5vyh36y7cnyhvgkl"; + sha256 = "0vwkar827ncwmva091q37gq8fvs9jz1765zdxrcvhczlj5a0qdgi"; }; # Set vendorSha256 to null because dstask vendors its dependencies (meaning diff --git a/pkgs/applications/misc/razergenie/default.nix b/pkgs/applications/misc/razergenie/default.nix index 9042ab38e758..ac0f373dc93d 100644 --- a/pkgs/applications/misc/razergenie/default.nix +++ b/pkgs/applications/misc/razergenie/default.nix 
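Review bot: The failure message of the `assert` in the last subtest opens with `f""""` — four quotes — so the triple-quoted f-string starts with a literal `"` that will be printed at the head of the message; it should read `), f"""`. Separately, `re.search("(--config-dir=[^ ]+)", unit).group(1)` raises an AttributeError if the unit ever loses its `--config-dir` flag, which hides the real cause; binding the match first and adding `assert m is not None, "pdns unit has no --config-dir flag"` before `.group(1)` makes that failure self-explaining. The `sudo -u pdns mysql -u pdns` calls rely on UNIX-socket authentication as the header comment states, so no credentials appear in the test, which is fine.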
@@ -27,8 +27,8 @@ in stdenv.mkDerivation { ]; mesonFlags = [ - "-Denable_experimental=${if enableExperimental then "true" else "false"}" - "-Dinclude_matrix_discovery=${if includeMatrixDiscovery then "true" else "false"}" + "-Denable_experimental=${lib.boolToString enableExperimental}" + "-Dinclude_matrix_discovery=${lib.boolToString includeMatrixDiscovery}" ]; meta = with lib; { diff --git a/pkgs/applications/video/obs-studio/wlrobs.nix b/pkgs/applications/video/obs-studio/wlrobs.nix index 99486a9ccc0c..14bc80dd3880 100644 --- a/pkgs/applications/video/obs-studio/wlrobs.nix +++ b/pkgs/applications/video/obs-studio/wlrobs.nix @@ -7,7 +7,7 @@ # ln -s ~/.nix-profile/share/obs/obs-plugins/wlrobs/bin/64bit/libwlrobs.so ~/.config/obs-studio/plugins/wlrobs/bin/64bit { stdenv, fetchhg, wayland, obs-studio , meson, ninja, pkgconfig, libX11 -, dmabufSupport ? false, libdrm ? null, libGL ? null}: +, dmabufSupport ? false, libdrm ? null, libGL ? null, lib}: assert dmabufSupport -> libdrm != null && libGL != null; @@ -29,7 +29,7 @@ stdenv.mkDerivation { ''; mesonFlags = [ - "-Duse_dmabuf=${if dmabufSupport then "true" else "false"}" + "-Duse_dmabuf=${lib.boolToString dmabufSupport}" ]; meta = with stdenv.lib; { diff --git a/pkgs/development/go-modules/generic/default.nix b/pkgs/development/go-modules/generic/default.nix index 7db4992d1d61..9efaa8608323 100644 --- a/pkgs/development/go-modules/generic/default.nix +++ b/pkgs/development/go-modules/generic/default.nix @@ -47,7 +47,7 @@ let removeExpr = refs: ''remove-references-to ${lib.concatMapStrings (ref: " -t ${ref}") refs}''; - deleteFlag = if deleteVendor then "true" else "false"; + deleteFlag = lib.boolToString deleteVendor; vendCommand = if runVend then "${vend}/bin/vend" else "false"; diff --git a/pkgs/development/libraries/gdk-pixbuf/default.nix b/pkgs/development/libraries/gdk-pixbuf/default.nix index 08b8f70b2d9a..1f4bc5c12ada 100644 --- a/pkgs/development/libraries/gdk-pixbuf/default.nix 
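Review bot: In wlrobs.nix `lib` is now an explicit argument, yet the context line `meta = with stdenv.lib; {` still reaches it through `stdenv`; `meta = with lib; {` would keep the file consistent with the new `lib.boolToString dmabufSupport` call. This is a style point only; behaviour is unchanged. Both wlrobs hunks sit inside the same mkDerivation call, which continues outside them.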
+++ b/pkgs/development/libraries/gdk-pixbuf/default.nix @@ -21,6 +21,7 @@ , doCheck ? false , makeWrapper , fetchpatch +, lib }: stdenv.mkDerivation rec { @@ -74,7 +75,7 @@ stdenv.mkDerivation rec { mesonFlags = [ "-Ddocs=true" "-Dx11=false" # use gdk-pixbuf-xlib - "-Dgir=${if gobject-introspection != null then "true" else "false"}" + "-Dgir=${lib.boolToString (gobject-introspection != null)}" "-Dgio_sniffing=false" ]; diff --git a/pkgs/development/libraries/geoclue/default.nix b/pkgs/development/libraries/geoclue/default.nix index da76c6dfedcf..74d778c5c555 100644 --- a/pkgs/development/libraries/geoclue/default.nix +++ b/pkgs/development/libraries/geoclue/default.nix @@ -39,7 +39,7 @@ stdenv.mkDerivation rec { mesonFlags = [ "-Dsystemd-system-unit-dir=${placeholder "out"}/etc/systemd/system" - "-Ddemo-agent=${if withDemoAgent then "true" else "false"}" + "-Ddemo-agent=${boolToString withDemoAgent}" "--sysconfdir=/etc" "-Dsysconfdir_install=${placeholder "out"}/etc" "-Ddbus-srv-user=geoclue" diff --git a/pkgs/development/libraries/glib/default.nix b/pkgs/development/libraries/glib/default.nix index 88848deec412..df19b9fc88cc 100644 --- a/pkgs/development/libraries/glib/default.nix +++ b/pkgs/development/libraries/glib/default.nix @@ -108,7 +108,7 @@ stdenv.mkDerivation rec { mesonFlags = [ # Avoid the need for gobject introspection binaries in PATH in cross-compiling case. # Instead we just copy them over from the native output. - "-Dgtk_doc=${if stdenv.hostPlatform == stdenv.buildPlatform then "true" else "false"}" + "-Dgtk_doc=${boolToString (stdenv.hostPlatform == stdenv.buildPlatform)}" "-Dnls=enabled" "-Ddevbindir=${placeholder ''dev''}/bin" ]; diff --git a/pkgs/development/libraries/libcec/default.nix b/pkgs/development/libraries/libcec/default.nix index a1c2967dde73..792d899333e0 100644 --- a/pkgs/development/libraries/libcec/default.nix +++ b/pkgs/development/libraries/libcec/default.nix 
@@ -1,6 +1,6 @@ { stdenv, fetchurl, cmake, pkgconfig, udev, libcec_platform, libraspberrypi ? null }: -let version = "4.0.5"; in +let version = "4.0.7"; in stdenv.mkDerivation { pname = "libcec"; @@ -8,7 +8,7 @@ stdenv.mkDerivation { src = fetchurl { url = "https://github.com/Pulse-Eight/libcec/archive/libcec-${version}.tar.gz"; - sha256 = "0hvp33mq0kg544hw20aq3vy5lxf5zid6gxm3qdga7wxw1r1lkmz4"; + sha256 = "0nii8qh3qrn92g8x3canj4glb2bjn6gc1p3f6hfp59ckd4vjrndw"; }; nativeBuildInputs = [ pkgconfig cmake ]; diff --git a/pkgs/development/libraries/libsoup/default.nix b/pkgs/development/libraries/libsoup/default.nix index a497661725b1..9f4a5bac25bf 100644 --- a/pkgs/development/libraries/libsoup/default.nix +++ b/pkgs/development/libraries/libsoup/default.nix @@ -1,6 +1,6 @@ { stdenv, fetchurl, glib, libxml2, meson, ninja, pkgconfig, gnome3 , gnomeSupport ? true, sqlite, glib-networking, gobject-introspection, vala -, libpsl, python3, brotli }: +, libpsl, python3, brotli, lib }: stdenv.mkDerivation rec { pname = "libsoup"; @@ -25,7 +25,7 @@ stdenv.mkDerivation rec { "-Dtls_check=false" # glib-networking is a runtime dependency, not a compile-time dependency "-Dgssapi=disabled" "-Dvapi=enabled" - "-Dgnome=${if gnomeSupport then "true" else "false"}" + "-Dgnome=${lib.boolToString gnomeSupport}" "-Dntlm=disabled" ]; diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix index 9fda8091ce47..aeeb0514fabb 100644 --- a/pkgs/development/libraries/mesa/default.nix +++ b/pkgs/development/libraries/mesa/default.nix 
@@ -129,7 +129,7 @@ stdenv.mkDerivation { "-Domx-libs-path=${placeholder "drivers"}/lib/bellagio" "-Dva-libs-path=${placeholder "drivers"}/lib/dri" "-Dd3d-drivers-path=${placeholder "drivers"}/lib/d3d" - "-Dgallium-nine=${if enableGalliumNine then "true" else "false"}" # Direct3D in Wine + "-Dgallium-nine=${boolToString enableGalliumNine}" # Direct3D in Wine "-Dosmesa=${if enableOSMesa then "gallium" else "none"}" # used by wine ] ++ optionals stdenv.isLinux [ "-Dglvnd=true" @@ -229,7 +229,7 @@ stdenv.mkDerivation { inherit (libglvnd) driverLink; }; - meta = with stdenv.lib; { + meta = { description = "An open source 3D graphics library"; longDescription = '' The Mesa project began as an open-source implementation of the OpenGL diff --git a/pkgs/development/libraries/v8/default.nix b/pkgs/development/libraries/v8/default.nix index 60e856e61dfe..e6696626cb5d 100644 --- a/pkgs/development/libraries/v8/default.nix +++ b/pkgs/development/libraries/v8/default.nix @@ -80,7 +80,7 @@ stdenv.mkDerivation rec { gnFlags = [ "use_custom_libcxx=false" - "is_clang=${if stdenv.cc.isClang then "true" else "false"}" + "is_clang=${lib.boolToString stdenv.cc.isClang}" "use_sysroot=false" # "use_system_icu=true" "is_component_build=false" diff --git a/pkgs/development/lisp-modules/clwrapper/cl-wrapper.sh b/pkgs/development/lisp-modules/clwrapper/cl-wrapper.sh index 9836bbe56428..828920c5accc 100755 --- a/pkgs/development/lisp-modules/clwrapper/cl-wrapper.sh +++ b/pkgs/development/lisp-modules/clwrapper/cl-wrapper.sh @@ -95,8 +95,8 @@ nix_lisp_run_single_form(){ nix_lisp_build_system(){ NIX_LISP_FINAL_PARAMETERS=( "$NIX_LISP_EXEC_CODE" "(progn - (asdf:make :$1) - (loop for s in (list $(for i in $3; do echo ":$i"; done)) do (asdf:make s)))" |