diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
index 07c56a9b6ee0..36da1cce2346 100644
--- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -126,6 +126,9 @@ to review the new defaults and description of [](#opt-services.nextcloud.poolSettings).
+- `kmonad` is now hardened by default using common `systemd` settings.
+ If KMonad is used to execute shell commands, hardening may make some of them fail. In that case, you can disable hardening using {option}`services.kmonad.keyboards..enableHardening` option.
+
 - `asusd` has been upgraded to version 6 which supports multiple aura devices. To account for this, the single `auraConfig` configuration option has been replaced with `auraConfigs` which is an attribute set of config options per each device. The config files may also be now specified as either source files or text strings; to account for this you will need to specify that `text` is used for your existing configs, e.g.:
 ```diff
 -services.asusd.asusdConfig = '''file contents'''
diff --git a/nixos/modules/services/hardware/kmonad.nix b/nixos/modules/services/hardware/kmonad.nix
index fa9b8fbb610f..72d5d7d71503 100644
--- a/nixos/modules/services/hardware/kmonad.nix
+++ b/nixos/modules/services/hardware/kmonad.nix
@@ -41,6 +41,19 @@ let
 '';
 };
+ enableHardening = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ example = false;
+ description = ''
+ Whether to enable systemd hardening.
+
+ ::: {.note}
+ If KMonad is used to execute shell commands, hardening may make some of them fail.
+ :::
+ '';
+ };
+
 defcfg = {
 enable = lib.mkEnableOption ''
 automatic generation of the defcfg block.
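Review bot: The `enableHardening` description tells the user that shell commands "may fail" but not why, so someone whose bound command dies with EPERM has nothing to search for. The cause is visible in this module's own hardening set: any command KMonad spawns inherits the unit sandbox, running as the dynamic `kmonad` user with no network (`PrivateNetwork`), no home-directory access (`ProtectHome`) and an empty capability bounding set, while filtered syscalls return EPERM rather than killing the process. I would replace the note with something like `Commands spawned by KMonad inherit the service sandbox (dynamic user, no network, no home access, empty capability set). Disable this only if such a command needs more than that.` The release-note entry for this change could carry the same one-sentence explanation.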
@@ -128,26 +141,60 @@ let
 StartLimitIntervalSec = 2;
 StartLimitBurst = 5;
 };
- serviceConfig = {
- ExecStart = ''
- ${lib.getExe cfg.package} ${mkCfg keyboard} \
- ${utils.escapeSystemdExecArgs cfg.extraArgs}
- '';
- Restart = "always";
- # Restart at increasing intervals from 2s to 1m
- RestartSec = 2;
- RestartSteps = 30;
- RestartMaxDelaySec = "1min";
- Nice = -20;
- DynamicUser = true;
- User = "kmonad";
- Group = "kmonad";
- SupplementaryGroups = [
- # These ensure that our dynamic user has access to the device node
- config.users.groups.input.name
- config.users.groups.uinput.name
- ] ++ keyboard.extraGroups;
- };
+ serviceConfig =
+ {
+ ExecStart = ''
+ ${lib.getExe cfg.package} ${mkCfg keyboard} \
+ ${utils.escapeSystemdExecArgs cfg.extraArgs}
+ '';
+ Restart = "always";
+ # Restart at increasing intervals from 2s to 1m
+ RestartSec = 2;
+ RestartSteps = 30;
+ RestartMaxDelaySec = "1min";
+ Nice = -20;
+ DynamicUser = true;
+ User = "kmonad";
+ Group = "kmonad";
+ SupplementaryGroups = [
+ # These ensure that our dynamic user has access to the device node
+ config.users.groups.input.name
+ config.users.groups.uinput.name
+ ] ++ keyboard.extraGroups;
+ }
+ // lib.optionalAttrs keyboard.enableHardening {
+ DeviceAllow = [
+ "/dev/uinput w"
+ "char-input r"
+ ];
+ CapabilityBoundingSet = [ "" ];
+ DevicePolicy = "closed";
+ IPAddressDeny = [ "any" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ PrivateNetwork = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = [ "none" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = [ "native" ];
+ SystemCallErrorNumber = "EPERM";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ "~@resources"
+ ];
+ UMask = "0077";
+ };
 # make sure the new config is used after nixos-rebuild switch
 # stopIfChanged controls[0] how a service is "restarted" during
 # nixos-rebuild switch. By default, stopIfChanged is true, which stops
diff --git a/pkgs/by-name/da/dayon/package.nix b/pkgs/by-name/da/dayon/package.nix
index d183a9256730..722bc175d3df 100644
--- a/pkgs/by-name/da/dayon/package.nix
+++ b/pkgs/by-name/da/dayon/package.nix
@@ -11,13 +11,13 @@ stdenv.mkDerivation (finalAttrs: {
 pname = "dayon";
- version = "14.0.2";
+ version = "15.0.0";
 src = fetchFromGitHub {
 owner = "RetGal";
 repo = "dayon";
 rev = "v${finalAttrs.version}";
- hash = "sha256-nRNqubR44ydZwwuQG3q6TRm+MHTRgRbeLI9dsk83wq4=";
+ hash = "sha256-Tnw1Tr+iRxvHFzSICwOcf4mErNx+imD7/WxVspiR7yo=";
 };
 nativeBuildInputs = [
@@ -39,13 +39,13 @@ stdenv.mkDerivation (finalAttrs: {
 install -Dm644 build/dayon.jar $out/share/dayon/dayon.jar
 # jre is in PATH because dayon needs keytool to generate certificates
- makeWrapper ${jre}/bin/java $out/bin/dayon \
+ makeWrapper ${lib.getExe jre} $out/bin/dayon \
 --prefix PATH : "${lib.makeBinPath [ jre ]}" \
 --add-flags "-jar $out/share/dayon/dayon.jar"
- makeWrapper ${jre}/bin/java $out/bin/dayon_assisted \
+ makeWrapper ${lib.getExe jre} $out/bin/dayon_assisted \
 --prefix PATH : "${lib.makeBinPath [ jre ]}" \
 --add-flags "-cp $out/share/dayon/dayon.jar mpo.dayon.assisted.AssistedRunner"
- makeWrapper ${jre}/bin/java $out/bin/dayon_assistant \
+ makeWrapper ${lib.getExe jre} $out/bin/dayon_assistant \
 --prefix PATH : "${lib.makeBinPath [ jre ]}" \
 --add-flags "-cp $out/share/dayon/dayon.jar mpo.dayon.assistant.AssistantRunner"
 install -Dm644 resources/dayon.png $out/share/icons/hicolor/128x128/apps/dayon.png
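Review bot: The `lib.optionalAttrs keyboard.enableHardening { … }` block carries no comment explaining why the whole set is switchable, even though that is the one thing a maintainer adding a new directive here needs to know. The reason is implied by the option text elsewhere in this file: child processes that KMonad spawns for shell commands inherit every one of these settings (dynamic user, `PrivateNetwork`, `ProtectHome`, empty `CapabilityBoundingSet`), and `SystemCallErrorNumber = "EPERM"` makes a filtered syscall fail with EPERM instead of killing the service, so a broken command surfaces as an error in the journal rather than a restart loop. I would put that on the block: `# Applied to KMonad and to any command it spawns; see enableHardening. Filtered syscalls return EPERM rather than SIGSYS so misbehaving commands fail loudly instead of crashing the service.` The unconditional part of `serviceConfig` is unchanged apart from the reindent, so nothing else in this hunk needs review.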
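Review bot: Replacing `${jre}/bin/java` with `${lib.getExe jre}` makes the three wrappers depend on the `jre` package's `meta.mainProgram` being `java`; as far as I recall `lib.getExe` otherwise falls back to the package name with an evaluation warning, which for a JRE derivation would not name the launcher at all, whereas the old explicit path could not silently pick a different binary. Since the comment above already says the wrappers exist specifically to run `java` with `keytool` on PATH, the intent is better expressed as `makeWrapper ${lib.getExe' jre "java"} $out/bin/dayon \` (and likewise for `dayon_assisted` and `dayon_assistant`), which keeps the new style without the dependency on `mainProgram`.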
@@ -54,21 +54,16 @@ stdenv.mkDerivation (finalAttrs: {
 '';
 desktopItems = [
- "resources/deb/dayon_assisted.desktop"
- "resources/deb/dayon_assistant.desktop"
+ "debian/dayon_assisted.desktop"
+ "debian/dayon_assistant.desktop"
 ];
- postFixup = ''
- substituteInPlace $out/share/applications/*.desktop \
- --replace "/usr/bin/dayon/dayon.png" "dayon"
- '';
-
- meta = with lib; {
+ meta = {
 description = "Easy to use, cross-platform remote desktop assistance solution";
 homepage = "https://retgal.github.io/Dayon/index.html";
- license = licenses.gpl3Plus; # https://github.com/RetGal/Dayon/issues/59
+ license = lib.licenses.gpl3Plus; # https://github.com/RetGal/Dayon/issues/59
 mainProgram = "dayon";
- maintainers = with maintainers; [ fgaz ];
- platforms = platforms.all;
+ maintainers = with lib.maintainers; [ fgaz ];
+ platforms = lib.platforms.all;
 };
 })
diff --git a/pkgs/by-name/ev/evil-helix/package.nix b/pkgs/by-name/ev/evil-helix/package.nix
index 151aa1a278f8..c34b1167462d 100644
--- a/pkgs/by-name/ev/evil-helix/package.nix
+++ b/pkgs/by-name/ev/evil-helix/package.nix
@@ -8,16 +8,16 @@ rustPlatform.buildRustPackage rec {
 pname = "evil-helix";
- version = "20240716";
+ version = "20250104";
 src = fetchFromGitHub {
 owner = "usagi-flow";
 repo = "evil-helix";
 rev = "release-${version}";
- hash = "sha256-nvLo8bWjiLJjM+pZArMKu4gjEFPrlqDI/Kf+W8fs9L8=";
+ hash = "sha256-Otp68+SbW51/MqVejPrbYzeRu4wAiYsNkDQQTZScW1Q=";
 };
- cargoHash = "sha256-2qrfw/QVfZZ3GTBalNne4QYQsI+JZBf5FdLJD84gnS4=";
+ cargoHash = "sha256-84OfCXdwoo8SUwXrgm98DIcmmBIxHxZGOJ/ZPxJuyjY=";
 nativeBuildInputs = [ installShellFiles ];
diff --git a/pkgs/by-name/lt/ltex-ls/package.nix b/pkgs/by-name/lt/ltex-ls/package.nix
index 7de384b4776d..4204579818ec 100644
--- a/pkgs/by-name/lt/ltex-ls/package.nix
+++ b/pkgs/by-name/lt/ltex-ls/package.nix
@@ -34,6 +34,7 @@ stdenvNoCC.mkDerivation rec {
 homepage = "https://valentjn.github.io/ltex/";
 description = "LSP language server for LanguageTool";
 license = licenses.mpl20;
+ mainProgram = "ltex-ls";
 maintainers = with maintainers; [ vinnymeller ];
 platforms = jre_headless.meta.platforms;
 };
diff --git a/pkgs/by-name/ne/neocmakelsp/package.nix b/pkgs/by-name/ne/neocmakelsp/package.nix
index e474831133c1..01a36d4b2f67 100644
--- a/pkgs/by-name/ne/neocmakelsp/package.nix
+++ b/pkgs/by-name/ne/neocmakelsp/package.nix
@@ -1,10 +1,16 @@
 {
 lib,
- rustPlatform,
+ stdenv,
 fetchFromGitHub,
+ meson,
+ ninja,
+ python3,
+ rustPlatform,
+ rustc,
+ cargo,
 }:
-rustPlatform.buildRustPackage rec {
+stdenv.mkDerivation rec {
 pname = "neocmakelsp";
 version = "0.8.13";
@@ -15,14 +21,26 @@ rustPlatform.buildRustPackage rec {
 hash = "sha256-MRno86pi389p2lBTu86LCPx5yFN76CbM5AXAs4bsl7c=";
 };
- cargoHash = "sha256-UVXJF8jvZUcEWbsL+UmrO2VSlvowkXNGRbxCEmB89OU=";
+ cargoDeps = rustPlatform.fetchCargoTarball {
+ inherit pname version src;
+ hash = "sha256-UVXJF8jvZUcEWbsL+UmrO2VSlvowkXNGRbxCEmB89OU=";
+ };
- meta = with lib; {
+ nativeBuildInputs = [
+ meson
+ ninja
+ python3
+ rustPlatform.cargoSetupHook
+ rustc
+ cargo
+ ];
+
+ meta = {
 description = "CMake lsp based on tower-lsp and treesitter";
 homepage = "https://github.com/Decodetalkers/neocmakelsp";
- license = licenses.mit;
- platforms = platforms.unix;
- maintainers = with maintainers; [
+ license = lib.licenses.mit;
+ platforms = lib.platforms.unix;
+ maintainers = with lib.maintainers; [
 rewine
 multivac61
 ];
diff --git a/pkgs/by-name/sw/switch-to-configuration-ng/src/src/main.rs b/pkgs/by-name/sw/switch-to-configuration-ng/src/src/main.rs
index 82c13811ecfc..93da7aff7406 100644
--- a/pkgs/by-name/sw/switch-to-configuration-ng/src/src/main.rs
+++ b/pkgs/by-name/sw/switch-to-configuration-ng/src/src/main.rs
@@ -154,7 +154,7 @@ fn do_pre_switch_check(command: &str, toplevel: &Path) -> Result<()> {
 Ok(Ok(status)) if status.success() => {}
 _ => {
 eprintln!("Pre-switch checks failed");
- die()
+ std::process::exit(1);
 }
 }
@@ -176,7 +176,7 @@ fn do_install_bootloader(command: &str, toplevel: &Path) -> Result<()> {
 Ok(Ok(status)) if status.success() => {}
 _ => {
 eprintln!("Failed to install bootloader");
- die();
+ std::process::exit(1);
 }
 }
diff --git a/pkgs/by-name/tu/tuist/package.nix b/pkgs/by-name/tu/tuist/package.nix
new file mode 100644
index 000000000000..eb113828ccc4
--- /dev/null
+++ b/pkgs/by-name/tu/tuist/package.nix
@@ -0,0 +1,52 @@
+{
+ lib,
+ stdenvNoCC,
+ fetchurl,
+ unzip,
+ nix-update-script,
+}:
+
+stdenvNoCC.mkDerivation (finalAttrs: {
+ pname = "tuist";
+ version = "4.38.2";
+
+ src = fetchurl {
+ url = "https://github.com/tuist/tuist/releases/download/${finalAttrs.version}/tuist.zip";
+ hash = "sha256-FK9F0Y3p04NOoy1Mnlcvimm/LGA5Y+lQ9P679SNNOzA=";
+ };
+
+ dontUnpack = true;
+ dontPatch = true;
+ dontConfigure = true;
+ dontBuild = true;
+ dontFixup = true;
+
+ nativeBuildInputs = [ unzip ];
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p $out/opt/tuist/
+ unzip $src -d $out/opt/tuist/
+
+ mkdir -p $out/bin/
+ ln -s $out/opt/tuist/tuist $out/bin/tuist
+
+ runHook postInstall
+ '';
+
+ passthru = {
+ updateScript = nix-update-script { };
+ };
+
+ meta = {
+ description = "Command line tool that helps you generate, maintain and interact with Xcode projects";
+ homepage = "https://tuist.dev";
+ changelog = "https://github.com/tuist/tuist/blob/${finalAttrs.version}/CHANGELOG.md";
+ license = lib.licenses.mit;
+ sourceProvenance = [ lib.sourceTypes.binaryNativeCode ];
+ maintainers = [ lib.maintainers.DimitarNestorov ];
+ platforms = lib.platforms.darwin;
+ mainProgram = "tuist";
+ };
+})
diff --git a/pkgs/by-name/un/unbound/package.nix b/pkgs/by-name/un/unbound/package.nix
index 40a6adf37a04..f96caa1428da 100644
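Review bot: `std::process::exit(1)` inside a function that returns `Result<()>` terminates the process without unwinding, so any `Drop` impls held by callers up the stack (open files, locks, temporary state) are skipped; if the old `die()` did cleanup before exiting, that is lost here as well. Since `do_pre_switch_check` already returns `Result`, the idiomatic shape is to propagate the failure and let `main` decide the exit code — if `Result` is anyhow's, `bail!("Pre-switch checks failed")` replaces both the `eprintln!` and the exit. If exiting immediately is deliberate, a one-line comment on the `exit` saying why unwinding must be skipped would stop the next reader from "fixing" it. The enclosing function begins and ends outside this hunk, so I cannot see whether anything with a destructor is live at this point; the same applies to `do_install_bootloader` in the next hunk.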
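Review bot: The run of `dontPatch`/`dontConfigure`/`dontBuild`/`dontFixup = true` has no comment, and `dontFixup` in particular is the one a reader will question: fixup is what would normally strip and patch binaries, and skipping it on a prebuilt Darwin binary is presumably about not invalidating its code signature, but that is an inference, not something the file says. A one-liner such as `# prebuilt, signed binary: fixup (strip/patching) would invalidate the signature` above `dontFixup = true;` would record the reason; if the motive is different, state that instead. `dontUnpack` is self-explanatory given the `unzip $src -d …` in `installPhase`.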
--- a/pkgs/by-name/un/unbound/package.nix
+++ b/pkgs/by-name/un/unbound/package.nix
@@ -64,9 +64,10 @@ stdenv.mkDerivation (finalAttrs: {
 outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB
- nativeBuildInputs = [ bison flex pkg-config ]
- ++ lib.optionals withMakeWrapper [ makeWrapper ]
+ nativeBuildInputs =
+ lib.optionals withMakeWrapper [ makeWrapper ]
 ++ lib.optionals withDNSTAP [ protobufc ]
+ ++ [ pkg-config flex bison ]
 ++ lib.optionals withPythonModule [ swig ];
 buildInputs = [ openssl nettle expat libevent ]
diff --git a/pkgs/development/interpreters/tcl/9.0.nix b/pkgs/development/interpreters/tcl/9.0.nix
index 48a9570675a1..30108004c318 100644
--- a/pkgs/development/interpreters/tcl/9.0.nix
+++ b/pkgs/development/interpreters/tcl/9.0.nix
@@ -4,13 +4,13 @@ callPackage ./generic.nix (
 args
 // rec {
 release = "9.0";
- version = "${release}.0";
+ version = "${release}.1";
 # Note: when updating, the hash in pkgs/development/libraries/tk/9.0.nix must also be updated!
 src = fetchzip {
 url = "mirror://sourceforge/tcl/tcl${version}-src.tar.gz";
- sha256 = "sha256-QaPSY6kfxyc3x+2ptzEmN2puZ0gSFSeeNjPuxsVKXYE=";
+ hash = "sha256-NWwCQGyaUzfTgHqpib4lLeflULWKuLE4qYxP+0EizHs=";
 };
 }
 )
diff --git a/pkgs/development/libraries/tk/9.0.nix b/pkgs/development/libraries/tk/9.0.nix
index ff99ca8b4f63..671fa80ed8bc 100644
--- a/pkgs/development/libraries/tk/9.0.nix
+++ b/pkgs/development/libraries/tk/9.0.nix
@@ -11,7 +11,7 @@ callPackage ./generic.nix (
 src = fetchzip {
 url = "mirror://sourceforge/tcl/tk${tcl.version}-src.tar.gz";
- sha256 = "sha256-jQ9kZuFx6ikQ+SpY7kSbvXJ5hjw4WB9VgRaNlQLtG0s=";
+ hash = "sha256-eX9HSPnNHeWkCaH0TBhmxQ3keTb4he3KY5rS1w4ubTo=";
 };
 patches = [
diff --git a/pkgs/development/libraries/tk/generic.nix b/pkgs/development/libraries/tk/generic.nix
index dfe14f22ec45..73d37d55db93 100644
--- a/pkgs/development/libraries/tk/generic.nix
+++ b/pkgs/development/libraries/tk/generic.nix
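Review bot: The reorder of `nativeBuildInputs` moves `pkg-config flex bison` from the front of the list to after the `makeWrapper` and `protobufc` optionals without saying why, and element order in a list like this only matters for setup-hook ordering or cross-compilation splicing — neither of which a later reader can tell from the diff. If the position is deliberate, keep it from being "tidied" away with a comment on the new line, e.g. `++ [ pkg-config flex bison ] # must come after protobufc: <reason>`; if the order does not matter, the hunk is pure churn and the original `[ bison flex pkg-config ]` head could stay.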
@@ -87,6 +87,6 @@ tcl.mkTclDerivation {
 platforms = platforms.all;
 maintainers = [ ];
 broken = stdenv.hostPlatform.isDarwin
- && lib.elem (lib.versions.majorMinor tcl.version) ["8.5" "9.0"];
+ && lib.elem (lib.versions.majorMinor tcl.version) ["8.5"];
 };
 }
diff --git a/pkgs/servers/jackett/default.nix b/pkgs/servers/jackett/default.nix
index 087b224cd64a..8d5b2885b867 100644
--- a/pkgs/servers/jackett/default.nix
+++ b/pkgs/servers/jackett/default.nix
@@ -11,13 +11,13 @@ buildDotnetModule rec {
 pname = "jackett";
- version = "0.22.1109";
+ version = "0.22.1177";
 src = fetchFromGitHub {
 owner = pname;
 repo = pname;
 rev = "v${version}";
- hash = "sha512-iuhArQtzOTxHLKP9VruCZp134BIc+haOAnLUtP4phcsjrFerD7SN1OwwG581iEEzNh8jiFSEbCgQzOlltM/GyQ==";
+ hash = "sha512-C4fwh47IDsJmmXPY9Rb7LKdXvFlEVQE8ycHu1s26A9ZBP69eVP+ai08ibCJDDk13DCQYk2BCO7cRtWq2PC1P8w==";
 };
 projectFile = "src/Jackett.Server/Jackett.Server.csproj";
diff --git a/pkgs/servers/jackett/deps.json b/pkgs/servers/jackett/deps.json
index efca90b06c93..29fb32438484 100644
--- a/pkgs/servers/jackett/deps.json
+++ b/pkgs/servers/jackett/deps.json
@@ -106,8 +106,8 @@
 },
 {
 "pname": "Microsoft.AspNetCore.Cryptography.Internal",
- "version": "8.0.10",
- "hash": "sha256-zR9xbcGD4yU/oo/c9dQ4AKTMFT+HSBsfu0oNV6bjPNo="
+ "version": "8.0.11",
+ "hash": "sha256-xEIbxQbMcTvkzNw7KKeYOK9wNMShbTAzhx7DR8QMrvM="
 },
 {
 "pname": "Microsoft.AspNetCore.DataProtection",
@@ -116,8 +116,8 @@
 },
 {
 "pname": "Microsoft.AspNetCore.DataProtection",
- "version": "8.0.10",
- "hash": "sha256-JYzSF9NxaGA0tXobfaV2ODQdcVCbQBGtcILCRUgcKiY="
+ "version": "8.0.11",
+ "hash": "sha256-hetvscFzzsXkbUfUTXdwoOQFMp5lU4P3klOiOqjWtGc="
 },
 {
 "pname": "Microsoft.AspNetCore.DataProtection.Abstractions",
@@ -126,8 +126,8 @@
 },
 {
 "pname": "Microsoft.AspNetCore.DataProtection.Abstractions",
- "version": "8.0.10",
- "hash": "sha256-Fa3PLGFHOvIvAkpTRls1iESyg9ZxqY1/I5Q4elmA2SE="
+ "version": "8.0.11",
+ "hash": "sha256-7I7SHhed3s2fGArGUwlc0Jc0MIl4/sgd+E5qZ18Mx2o="
 },
 {
 "pname": "Microsoft.AspNetCore.Diagnostics",
@@ -226,8 +226,8 @@
 },
 {
 "pname": "Microsoft.AspNetCore.JsonPatch",
- "version": "8.0.10",
- "hash": "sha256-1MUbEqkePx6A4JkUu7bffBuuYmiP8BVTmJ3aDqwa8nk="
+ "version": "8.0.11",
+ "hash": "sha256-7n0O/CWYMjWyicwPZgUUh+YTmdNNZA02rWhBHAzPDPU="
 },
 {
 "pname": "Microsoft.AspNetCore.Localization",
@@ -281,8 +281,8 @@
 },
 {
 "pname": "Microsoft.AspNetCore.Mvc.NewtonsoftJson",
- "version": "8.0.10",
- "hash": "sha256-PYFjjSZjehd9R3J6wUK+OKfvTzMw6IqC+gJKocfXJbs="
+ "version": "8.0.11",
+ "hash": "sha256-oaSZize0xvrX1qf45gjMmXHipD21tBGTp2pkr7ReS5U="
 },
 {
 "pname": "Microsoft.AspNetCore.Mvc.Razor",
@@ -906,18 +906,18 @@
 },
 {
 "pname": "NLog",
- "version": "5.3.2",
- "hash": "sha256-b/y/IFUSe7qsSeJ8JVB0VFmJlkviFb8h934ktnn9Fgc="
+ "version": "5.3.4",
+ "hash": "sha256-Cwr1Wu9VbOcRz3GdVKkt7lIpNwC1E4Hdb0g+qEkEr3k="
 },
 {
 "pname": "NLog.Extensions.Logging",
- "version": "5.3.11",
- "hash": "sha256-DP3R51h+9kk06N63U+1C4/JCZTFiADeYTROToAA2R0g="
+ "version": "5.3.15",
+ "hash": "sha256-otzOJncsEmzeGkJ9yxuwQgYFlKIG9ALX+DaKJ/Jhux4="
 },
 {
 "pname": "NLog.Web.AspNetCore",
- "version": "5.3.11",
- "hash": "sha256-6bMYbKyNWtb0tn8k3418mWBuogofIAfwT9NHSopUu58="
+ "version": "5.3.15",
+ "hash": "sha256-JaxCAfsgYM8N7bmAciDowSdOxtMS3eoMszODqWPcqao="
 },
 {
 "pname": "NUnit",
@@ -936,13 +936,13 @@
 },
 {
 "pname": "Polly",
- "version": "8.4.2",
- "hash": "sha256-cuaH3SdTEdwLA1VddtY6CsmHTiDuYk0dVJ79r/6jSpQ="
+ "version": "8.5.0",
+ "hash": "sha256-oXIqYMkFXoF/9y704LJSX5Non9mry19OSKA7JFviu5Q="
 },
 {
 "pname": "Polly.Core",
- "version": "8.4.2",
- "hash": "sha256-4fn5n6Bu29uqWg8ciii3MDsi9bO2/moPa9B3cJ9Ihe8="
+ "version": "8.5.0",
+ "hash": "sha256-vN/OoQi5F8+oKNO46FwjPcKrgfhGMGjAQ2yCQUlHtOc="
 },
 {
 "pname": "SharpZipLib",