Merge staging-next into staging

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -126,6 +126,9 @@
   to review the new defaults and description of
   [](#opt-services.nextcloud.poolSettings).
 
+- `kmonad` is now hardened by default using common `systemd` settings.
+  If KMonad is used to execute shell commands, hardening may make some of them fail.  In that case, you can disable hardening using {option}`services.kmonad.keyboards.<name>.enableHardening` option.
+
 - `asusd` has been upgraded to version 6 which supports multiple aura devices. To account for this, the single `auraConfig` configuration option has been replaced with `auraConfigs` which is an attribute set of config options per each device. The config files may also be now specified as either source files or text strings; to account for this you will need to specify that `text` is used for your existing configs, e.g.:
   ```diff
   -services.asusd.asusdConfig = '''file contents'''

nixos/modules/services/hardware/kmonad.nix

@@ -41,6 +41,19 @@ let
           '';
         };
 
+        enableHardening = lib.mkOption {
+          type = lib.types.bool;
+          default = true;
+          example = false;
+          description = ''
+            Whether to enable systemd hardening.
+
+            ::: {.note}
+            If KMonad is used to execute shell commands, hardening may make some of them fail.
+            :::
+          '';
+        };
+
         defcfg = {
           enable = lib.mkEnableOption ''
             automatic generation of the defcfg block.
@@ -128,26 +141,60 @@ let
         StartLimitIntervalSec = 2;
         StartLimitBurst = 5;
       };
-      serviceConfig = {
-        ExecStart = ''
-          ${lib.getExe cfg.package} ${mkCfg keyboard} \
-            ${utils.escapeSystemdExecArgs cfg.extraArgs}
-        '';
-        Restart = "always";
-        # Restart at increasing intervals from 2s to 1m
-        RestartSec = 2;
-        RestartSteps = 30;
-        RestartMaxDelaySec = "1min";
-        Nice = -20;
-        DynamicUser = true;
-        User = "kmonad";
-        Group = "kmonad";
-        SupplementaryGroups = [
-          # These ensure that our dynamic user has access to the device node
-          config.users.groups.input.name
-          config.users.groups.uinput.name
-        ] ++ keyboard.extraGroups;
-      };
+      serviceConfig =
+        {
+          ExecStart = ''
+            ${lib.getExe cfg.package} ${mkCfg keyboard} \
+              ${utils.escapeSystemdExecArgs cfg.extraArgs}
+          '';
+          Restart = "always";
+          # Restart at increasing intervals from 2s to 1m
+          RestartSec = 2;
+          RestartSteps = 30;
+          RestartMaxDelaySec = "1min";
+          Nice = -20;
+          DynamicUser = true;
+          User = "kmonad";
+          Group = "kmonad";
+          SupplementaryGroups = [
+            # These ensure that our dynamic user has access to the device node
+            config.users.groups.input.name
+            config.users.groups.uinput.name
+          ] ++ keyboard.extraGroups;
+        }
+        // lib.optionalAttrs keyboard.enableHardening {
+          DeviceAllow = [
+            "/dev/uinput w"
+            "char-input r"
+          ];
+          CapabilityBoundingSet = [ "" ];
+          DevicePolicy = "closed";
+          IPAddressDeny = [ "any" ];
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          PrivateNetwork = true;
+          PrivateUsers = true;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          RestrictAddressFamilies = [ "none" ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          SystemCallArchitectures = [ "native" ];
+          SystemCallErrorNumber = "EPERM";
+          SystemCallFilter = [
+            "@system-service"
+            "~@privileged"
+            "~@resources"
+          ];
+          UMask = "0077";
+        };
       # make sure the new config is used after nixos-rebuild switch
       # stopIfChanged controls[0] how a service is "restarted" during
       # nixos-rebuild switch.  By default, stopIfChanged is true, which stops

pkgs/by-name/da/dayon/package.nix

@@ -11,13 +11,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "dayon";
-  version = "14.0.2";
+  version = "15.0.0";
 
   src = fetchFromGitHub {
     owner = "RetGal";
     repo = "dayon";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-nRNqubR44ydZwwuQG3q6TRm+MHTRgRbeLI9dsk83wq4=";
+    hash = "sha256-Tnw1Tr+iRxvHFzSICwOcf4mErNx+imD7/WxVspiR7yo=";
   };
 
   nativeBuildInputs = [
@@ -39,13 +39,13 @@ stdenv.mkDerivation (finalAttrs: {
 
     install -Dm644 build/dayon.jar $out/share/dayon/dayon.jar
     # jre is in PATH because dayon needs keytool to generate certificates
-    makeWrapper ${jre}/bin/java $out/bin/dayon \
+    makeWrapper ${lib.getExe jre} $out/bin/dayon \
       --prefix PATH : "${lib.makeBinPath [ jre ]}" \
       --add-flags "-jar $out/share/dayon/dayon.jar"
-    makeWrapper ${jre}/bin/java $out/bin/dayon_assisted \
+    makeWrapper ${lib.getExe jre} $out/bin/dayon_assisted \
       --prefix PATH : "${lib.makeBinPath [ jre ]}" \
       --add-flags "-cp $out/share/dayon/dayon.jar mpo.dayon.assisted.AssistedRunner"
-    makeWrapper ${jre}/bin/java $out/bin/dayon_assistant \
+    makeWrapper ${lib.getExe jre} $out/bin/dayon_assistant \
       --prefix PATH : "${lib.makeBinPath [ jre ]}" \
       --add-flags "-cp $out/share/dayon/dayon.jar mpo.dayon.assistant.AssistantRunner"
     install -Dm644 resources/dayon.png $out/share/icons/hicolor/128x128/apps/dayon.png
@@ -54,21 +54,16 @@ stdenv.mkDerivation (finalAttrs: {
   '';
 
   desktopItems = [
-    "resources/deb/dayon_assisted.desktop"
-    "resources/deb/dayon_assistant.desktop"
+    "debian/dayon_assisted.desktop"
+    "debian/dayon_assistant.desktop"
   ];
 
-  postFixup = ''
-    substituteInPlace $out/share/applications/*.desktop \
-        --replace "/usr/bin/dayon/dayon.png" "dayon"
-  '';
-
-  meta = with lib; {
+  meta = {
     description = "Easy to use, cross-platform remote desktop assistance solution";
     homepage = "https://retgal.github.io/Dayon/index.html";
-    license = licenses.gpl3Plus; # https://github.com/RetGal/Dayon/issues/59
+    license = lib.licenses.gpl3Plus; # https://github.com/RetGal/Dayon/issues/59
     mainProgram = "dayon";
-    maintainers = with maintainers; [ fgaz ];
-    platforms = platforms.all;
+    maintainers = with lib.maintainers; [ fgaz ];
+    platforms = lib.platforms.all;
   };
 })

pkgs/by-name/ev/evil-helix/package.nix

@@ -8,16 +8,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "evil-helix";
-  version = "20240716";
+  version = "20250104";
 
   src = fetchFromGitHub {
     owner = "usagi-flow";
     repo = "evil-helix";
     rev = "release-${version}";
-    hash = "sha256-nvLo8bWjiLJjM+pZArMKu4gjEFPrlqDI/Kf+W8fs9L8=";
+    hash = "sha256-Otp68+SbW51/MqVejPrbYzeRu4wAiYsNkDQQTZScW1Q=";
   };
 
-  cargoHash = "sha256-2qrfw/QVfZZ3GTBalNne4QYQsI+JZBf5FdLJD84gnS4=";
+  cargoHash = "sha256-84OfCXdwoo8SUwXrgm98DIcmmBIxHxZGOJ/ZPxJuyjY=";
 
   nativeBuildInputs = [ installShellFiles ];
 

pkgs/by-name/lt/ltex-ls/package.nix

@@ -34,6 +34,7 @@ stdenvNoCC.mkDerivation rec {
     homepage = "https://valentjn.github.io/ltex/";
     description = "LSP language server for LanguageTool";
     license = licenses.mpl20;
+    mainProgram = "ltex-ls";
     maintainers = with maintainers; [ vinnymeller ];
     platforms = jre_headless.meta.platforms;
   };

pkgs/by-name/ne/neocmakelsp/package.nix

@@ -1,10 +1,16 @@
 {
   lib,
-  rustPlatform,
+  stdenv,
   fetchFromGitHub,
+  meson,
+  ninja,
+  python3,
+  rustPlatform,
+  rustc,
+  cargo,
 }:
 
-rustPlatform.buildRustPackage rec {
+stdenv.mkDerivation rec {
   pname = "neocmakelsp";
   version = "0.8.13";
 
@@ -15,14 +21,26 @@ rustPlatform.buildRustPackage rec {
     hash = "sha256-MRno86pi389p2lBTu86LCPx5yFN76CbM5AXAs4bsl7c=";
   };
 
-  cargoHash = "sha256-UVXJF8jvZUcEWbsL+UmrO2VSlvowkXNGRbxCEmB89OU=";
+  cargoDeps = rustPlatform.fetchCargoTarball {
+    inherit pname version src;
+    hash = "sha256-UVXJF8jvZUcEWbsL+UmrO2VSlvowkXNGRbxCEmB89OU=";
+  };
 
-  meta = with lib; {
+  nativeBuildInputs = [
+    meson
+    ninja
+    python3
+    rustPlatform.cargoSetupHook
+    rustc
+    cargo
+  ];
+
+  meta = {
     description = "CMake lsp based on tower-lsp and treesitter";
     homepage = "https://github.com/Decodetalkers/neocmakelsp";
-    license = licenses.mit;
-    platforms = platforms.unix;
-    maintainers = with maintainers; [
+    license = lib.licenses.mit;
+    platforms = lib.platforms.unix;
+    maintainers = with lib.maintainers; [
       rewine
       multivac61
     ];

pkgs/by-name/sw/switch-to-configuration-ng/src/src/main.rs

@@ -154,7 +154,7 @@ fn do_pre_switch_check(command: &str, toplevel: &Path) -> Result<()> {
         Ok(Ok(status)) if status.success() => {}
         _ => {
             eprintln!("Pre-switch checks failed");
-            die()
+            std::process::exit(1);
         }
     }
 
@@ -176,7 +176,7 @@ fn do_install_bootloader(command: &str, toplevel: &Path) -> Result<()> {
         Ok(Ok(status)) if status.success() => {}
         _ => {
             eprintln!("Failed to install bootloader");
-            die();
+            std::process::exit(1);
         }
     }
 

pkgs/by-name/tu/tuist/package.nix

@@ -0,0 +1,52 @@
+{
+  lib,
+  stdenvNoCC,
+  fetchurl,
+  unzip,
+  nix-update-script,
+}:
+
+stdenvNoCC.mkDerivation (finalAttrs: {
+  pname = "tuist";
+  version = "4.38.2";
+
+  src = fetchurl {
+    url = "https://github.com/tuist/tuist/releases/download/${finalAttrs.version}/tuist.zip";
+    hash = "sha256-FK9F0Y3p04NOoy1Mnlcvimm/LGA5Y+lQ9P679SNNOzA=";
+  };
+
+  dontUnpack = true;
+  dontPatch = true;
+  dontConfigure = true;
+  dontBuild = true;
+  dontFixup = true;
+
+  nativeBuildInputs = [ unzip ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/opt/tuist/
+    unzip $src -d $out/opt/tuist/
+
+    mkdir -p $out/bin/
+    ln -s $out/opt/tuist/tuist $out/bin/tuist
+
+    runHook postInstall
+  '';
+
+  passthru = {
+    updateScript = nix-update-script { };
+  };
+
+  meta = {
+    description = "Command line tool that helps you generate, maintain and interact with Xcode projects";
+    homepage = "https://tuist.dev";
+    changelog = "https://github.com/tuist/tuist/blob/${finalAttrs.version}/CHANGELOG.md";
+    license = lib.licenses.mit;
+    sourceProvenance = [ lib.sourceTypes.binaryNativeCode ];
+    maintainers = [ lib.maintainers.DimitarNestorov ];
+    platforms = lib.platforms.darwin;
+    mainProgram = "tuist";
+  };
+})

pkgs/by-name/un/unbound/package.nix

@@ -64,9 +64,10 @@ stdenv.mkDerivation (finalAttrs: {
 
   outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB
 
-  nativeBuildInputs = [ bison flex pkg-config ]
-    ++ lib.optionals withMakeWrapper [ makeWrapper ]
+  nativeBuildInputs =
+    lib.optionals withMakeWrapper [ makeWrapper ]
     ++ lib.optionals withDNSTAP [ protobufc ]
+    ++ [ pkg-config flex bison ]
     ++ lib.optionals withPythonModule [ swig ];
 
   buildInputs = [ openssl nettle expat libevent ]

pkgs/development/interpreters/tcl/9.0.nix

@@ -4,13 +4,13 @@ callPackage ./generic.nix (
   args
   // rec {
     release = "9.0";
-    version = "${release}.0";
+    version = "${release}.1";
 
     # Note: when updating, the hash in pkgs/development/libraries/tk/9.0.nix must also be updated!
 
     src = fetchzip {
       url = "mirror://sourceforge/tcl/tcl${version}-src.tar.gz";
-      sha256 = "sha256-QaPSY6kfxyc3x+2ptzEmN2puZ0gSFSeeNjPuxsVKXYE=";
+      hash = "sha256-NWwCQGyaUzfTgHqpib4lLeflULWKuLE4qYxP+0EizHs=";
     };
   }
 )

pkgs/development/libraries/tk/9.0.nix

@@ -11,7 +11,7 @@ callPackage ./generic.nix (
 
     src = fetchzip {
       url = "mirror://sourceforge/tcl/tk${tcl.version}-src.tar.gz";
-      sha256 = "sha256-jQ9kZuFx6ikQ+SpY7kSbvXJ5hjw4WB9VgRaNlQLtG0s=";
+      hash = "sha256-eX9HSPnNHeWkCaH0TBhmxQ3keTb4he3KY5rS1w4ubTo=";
     };
 
     patches = [

pkgs/development/libraries/tk/generic.nix

@@ -87,6 +87,6 @@ tcl.mkTclDerivation {
     platforms = platforms.all;
     maintainers = [ ];
     broken = stdenv.hostPlatform.isDarwin
-      && lib.elem (lib.versions.majorMinor tcl.version) ["8.5" "9.0"];
+      && lib.elem (lib.versions.majorMinor tcl.version) ["8.5"];
   };
 }

pkgs/servers/jackett/default.nix

@@ -11,13 +11,13 @@
 
 buildDotnetModule rec {
   pname = "jackett";
-  version = "0.22.1109";
+  version = "0.22.1177";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = "v${version}";
-    hash = "sha512-iuhArQtzOTxHLKP9VruCZp134BIc+haOAnLUtP4phcsjrFerD7SN1OwwG581iEEzNh8jiFSEbCgQzOlltM/GyQ==";
+    hash = "sha512-C4fwh47IDsJmmXPY9Rb7LKdXvFlEVQE8ycHu1s26A9ZBP69eVP+ai08ibCJDDk13DCQYk2BCO7cRtWq2PC1P8w==";
   };
 
   projectFile = "src/Jackett.Server/Jackett.Server.csproj";

pkgs/servers/jackett/deps.json

@@ -106,8 +106,8 @@
   },
   {
     "pname": "Microsoft.AspNetCore.Cryptography.Internal",
-    "version": "8.0.10",
-    "hash": "sha256-zR9xbcGD4yU/oo/c9dQ4AKTMFT+HSBsfu0oNV6bjPNo="
+    "version": "8.0.11",
+    "hash": "sha256-xEIbxQbMcTvkzNw7KKeYOK9wNMShbTAzhx7DR8QMrvM="
   },
   {
     "pname": "Microsoft.AspNetCore.DataProtection",
@@ -116,8 +116,8 @@
   },
   {
     "pname": "Microsoft.AspNetCore.DataProtection",
-    "version": "8.0.10",
-    "hash": "sha256-JYzSF9NxaGA0tXobfaV2ODQdcVCbQBGtcILCRUgcKiY="
+    "version": "8.0.11",
+    "hash": "sha256-hetvscFzzsXkbUfUTXdwoOQFMp5lU4P3klOiOqjWtGc="
   },
   {
     "pname": "Microsoft.AspNetCore.DataProtection.Abstractions",
@@ -126,8 +126,8 @@
   },
   {
     "pname": "Microsoft.AspNetCore.DataProtection.Abstractions",
-    "version": "8.0.10",
-    "hash": "sha256-Fa3PLGFHOvIvAkpTRls1iESyg9ZxqY1/I5Q4elmA2SE="
+    "version": "8.0.11",
+    "hash": "sha256-7I7SHhed3s2fGArGUwlc0Jc0MIl4/sgd+E5qZ18Mx2o="
   },
   {
     "pname": "Microsoft.AspNetCore.Diagnostics",
@@ -226,8 +226,8 @@
   },
   {
     "pname": "Microsoft.AspNetCore.JsonPatch",
-    "version": "8.0.10",
-    "hash": "sha256-1MUbEqkePx6A4JkUu7bffBuuYmiP8BVTmJ3aDqwa8nk="
+    "version": "8.0.11",
+    "hash": "sha256-7n0O/CWYMjWyicwPZgUUh+YTmdNNZA02rWhBHAzPDPU="
   },
   {
     "pname": "Microsoft.AspNetCore.Localization",
@@ -281,8 +281,8 @@
   },
   {
     "pname": "Microsoft.AspNetCore.Mvc.NewtonsoftJson",
-    "version": "8.0.10",
-    "hash": "sha256-PYFjjSZjehd9R3J6wUK+OKfvTzMw6IqC+gJKocfXJbs="
+    "version": "8.0.11",
+    "hash": "sha256-oaSZize0xvrX1qf45gjMmXHipD21tBGTp2pkr7ReS5U="
   },
   {
     "pname": "Microsoft.AspNetCore.Mvc.Razor",
@@ -906,18 +906,18 @@
   },
   {
     "pname": "NLog",
-    "version": "5.3.2",
-    "hash": "sha256-b/y/IFUSe7qsSeJ8JVB0VFmJlkviFb8h934ktnn9Fgc="
+    "version": "5.3.4",
+    "hash": "sha256-Cwr1Wu9VbOcRz3GdVKkt7lIpNwC1E4Hdb0g+qEkEr3k="
   },
   {
     "pname": "NLog.Extensions.Logging",
-    "version": "5.3.11",
-    "hash": "sha256-DP3R51h+9kk06N63U+1C4/JCZTFiADeYTROToAA2R0g="
+    "version": "5.3.15",
+    "hash": "sha256-otzOJncsEmzeGkJ9yxuwQgYFlKIG9ALX+DaKJ/Jhux4="
   },
   {
     "pname": "NLog.Web.AspNetCore",
-    "version": "5.3.11",
-    "hash": "sha256-6bMYbKyNWtb0tn8k3418mWBuogofIAfwT9NHSopUu58="
+    "version": "5.3.15",
+    "hash": "sha256-JaxCAfsgYM8N7bmAciDowSdOxtMS3eoMszODqWPcqao="
   },
   {
     "pname": "NUnit",
@@ -936,13 +936,13 @@
   },
   {
     "pname": "Polly",
-    "version": "8.4.2",
-    "hash": "sha256-cuaH3SdTEdwLA1VddtY6CsmHTiDuYk0dVJ79r/6jSpQ="
+    "version": "8.5.0",
+    "hash": "sha256-oXIqYMkFXoF/9y704LJSX5Non9mry19OSKA7JFviu5Q="
   },
   {
     "pname": "Polly.Core",
-    "version": "8.4.2",
-    "hash": "sha256-4fn5n6Bu29uqWg8ciii3MDsi9bO2/moPa9B3cJ9Ihe8="
+    "version": "8.5.0",
+    "hash": "sha256-vN/OoQi5F8+oKNO46FwjPcKrgfhGMGjAQ2yCQUlHtOc="
   },
   {
     "pname": "SharpZipLib",