Merge master into staging-next

maintainers/maintainer-list.nix

@@ -2155,6 +2155,11 @@
     github = "AtilaSaraiva";
     githubId = 29521461;
   };
+  atinba = {
+    name = "Atin Bainada";
+    github = "atinba";
+    githubId = 61903527;
+  };
   atkinschang = {
     email = "atkinschang+nixpkgs@gmail.com";
     github = "AtkinsChang";

nixos/modules/services/audio/tts.nix

@@ -123,10 +123,10 @@ in
             User = "tts";
             StateDirectory = "tts";
             ExecStart =
-              "${pkgs.tts}/bin/tts-server --port ${toString options.port}"
-              + optionalString (options.model != null) " --model_name ${options.model}"
-              + optionalString (options.useCuda) " --use_cuda"
-              + (concatMapStringsSep " " escapeShellArgs options.extraArgs);
+              "${pkgs.tts}/bin/tts-server --port ${toString options.port} "
+              + optionalString (options.model != null) "--model_name ${options.model} "
+              + optionalString (options.useCuda) "--use_cuda "
+              + (escapeShellArgs options.extraArgs);
             CapabilityBoundingSet = "";
             DeviceAllow =
               if options.useCuda then

nixos/modules/services/misc/evremap.nix

@@ -7,9 +7,11 @@
 let
   cfg = config.services.evremap;
   format = pkgs.formats.toml { };
+  settings = lib.attrsets.filterAttrs (n: v: v != null) cfg.settings;
+  configFile = format.generate "evremap.toml" settings;
 
-  key = lib.types.strMatching "KEY_[[:upper:]]+" // {
-    description = "key ID prefixed with KEY_";
+  key = lib.types.strMatching "(BTN|KEY)_[[:upper:]]+" // {
+    description = "key ID prefixed with BTN_ or KEY_";
   };
 
   mkKeyOption =
@@ -63,6 +65,18 @@ in
             '';
           };
 
+          phys = lib.mkOption {
+            type = lib.types.nullOr lib.types.str;
+            default = null;
+            example = "usb-0000:07:00.3-2.1.1/input0";
+            description = ''
+              The physical device name to listen on.
+
+              This attribute may be specified to disambiguate multiple devices with the same device name.
+              The physical device names of each device can be obtained by running `evremap list-devices` with elevated permissions.
+            '';
+          };
+
           dual_role = lib.mkOption {
             type = lib.types.listOf dualRoleModule;
             default = [ ];
@@ -117,7 +131,7 @@ in
       description = "evremap - keyboard input remapper";
       wantedBy = [ "multi-user.target" ];
 
-      script = "${lib.getExe pkgs.evremap} remap ${format.generate "evremap.toml" cfg.settings}";
+      script = "${lib.getExe pkgs.evremap} remap ${configFile}";
 
       serviceConfig = {
         DynamicUser = true;

nixos/modules/services/networking/ntp/ntpd.nix

@@ -142,6 +142,7 @@ in
       group = "ntp";
       description = "NTP daemon user";
       home = "/var/lib/ntp";
+      createHome = true;
     };
     users.groups.ntp = { };
 
@@ -155,7 +156,6 @@ in
       serviceConfig = {
         ExecStart = "@${ntp}/bin/ntpd ntpd -g ${builtins.toString ntpFlags}";
         Type = "forking";
-        StateDirectory = "ntp";
 
         # Hardening options
         PrivateDevices = true;

nixos/modules/services/security/nginx-sso.nix

@@ -1,26 +1,28 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, utils, ... }:
 
 with lib;
 
 let
   cfg = config.services.nginx.sso;
-  pkg = getBin cfg.package;
-  configYml = pkgs.writeText "nginx-sso.yml" (builtins.toJSON cfg.configuration);
+  format = pkgs.formats.yaml { };
+  configPath = "/var/lib/nginx-sso/config.yaml";
 in {
   options.services.nginx.sso = {
     enable = mkEnableOption "nginx-sso service";
 
     package = mkPackageOption pkgs "nginx-sso" { };
 
     configuration = mkOption {
-      type = types.attrsOf types.unspecified;
+      type = format.type;
       default = {};
       example = literalExpression ''
         {
           listen = { addr = "127.0.0.1"; port = 8080; };
 
           providers.token.tokens = {
-            myuser = "MyToken";
+            myuser = {
+              _secret = "/path/to/secret/token.txt"; # File content should be the secret token
+            };
           };
 
           acl = {
@@ -37,6 +39,11 @@ in {
         nginx-sso configuration
         ([documentation](https://github.com/Luzifer/nginx-sso/wiki/Main-Configuration))
         as a Nix attribute set.
+
+        Options containing secret data should be set to an attribute set
+        with the singleton attribute `_secret` - a string value set to the path
+        to the file containing the secret value which should be used in the
+        configuration. This file must be readable by `nginx-sso`.
       '';
     };
   };
@@ -47,14 +54,29 @@ in {
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
+        StateDirectory = "nginx-sso";
+        WorkingDirectory = "/var/lib/nginx-sso";
+        ExecStartPre = pkgs.writeShellScript "merge-nginx-sso-config" ''
+          rm -f '${configPath}'
+          # Relies on YAML being a superset of JSON
+          ${utils.genJqSecretsReplacementSnippet cfg.configuration configPath}
+        '';
         ExecStart = ''
-          ${pkg}/bin/nginx-sso \
-            --config ${configYml} \
-            --frontend-dir ${pkg}/share/frontend
+          ${lib.getExe cfg.package} \
+            --config ${configPath} \
+            --frontend-dir ${lib.getBin cfg.package}/share/frontend
         '';
         Restart = "always";
-        DynamicUser = true;
+        User = "nginx-sso";
+        Group = "nginx-sso";
       };
     };
+
+    users.users.nginx-sso = {
+      isSystemUser = true;
+      group = "nginx-sso";
+    };
+
+    users.groups.nginx-sso = { };
   };
 }

nixos/modules/services/web-apps/nextcloud-notify_push.nix

@@ -40,6 +40,13 @@ in
         description = "Log level";
       };
 
+      nextcloudUrl = lib.mkOption {
+        type = lib.types.str;
+        default = "http${lib.optionalString cfgN.https "s"}://${cfgN.hostName}";
+        defaultText = lib.literalExpression ''"http''${lib.optionalString config.services.nextcloud.https "s"}://''${config.services.nextcloud.hostName}"'';
+        description = "Configure the nextcloud URL notify_push tries to connect to.";
+      };
+
       bendDomainToLocalhost = lib.mkOption {
         type = lib.types.bool;
         default = false;
@@ -71,66 +78,62 @@ in
     );
 
   config = lib.mkIf cfg.enable {
-    systemd.services.nextcloud-notify_push =
-      let
-        nextcloudUrl = "http${lib.optionalString cfgN.https "s"}://${cfgN.hostName}";
-      in
-      {
-        description = "Push daemon for Nextcloud clients";
-        documentation = [ "https://github.com/nextcloud/notify_push" ];
-        after = [
-          "phpfpm-nextcloud.service"
-          "redis-nextcloud.service"
-        ];
-        wantedBy = [ "multi-user.target" ];
-        environment = {
-          NEXTCLOUD_URL = nextcloudUrl;
-          SOCKET_PATH = cfg.socketPath;
-          DATABASE_PREFIX = cfg.dbtableprefix;
-          LOG = cfg.logLevel;
-        };
-        postStart = ''
-          ${cfgN.occ}/bin/nextcloud-occ notify_push:setup ${nextcloudUrl}/push
+    systemd.services.nextcloud-notify_push = {
+      description = "Push daemon for Nextcloud clients";
+      documentation = [ "https://github.com/nextcloud/notify_push" ];
+      after = [
+        "phpfpm-nextcloud.service"
+        "redis-nextcloud.service"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      environment = {
+        NEXTCLOUD_URL = cfg.nextcloudUrl;
+        SOCKET_PATH = cfg.socketPath;
+        DATABASE_PREFIX = cfg.dbtableprefix;
+        LOG = cfg.logLevel;
+      };
+      postStart = ''
+        ${cfgN.occ}/bin/nextcloud-occ notify_push:setup ${cfg.nextcloudUrl}/push
+      '';
+      script =
+        let
+          dbType = if cfg.dbtype == "pgsql" then "postgresql" else cfg.dbtype;
+          dbUser = lib.optionalString (cfg.dbuser != null) cfg.dbuser;
+          dbPass = lib.optionalString (cfg.dbpassFile != null) ":$DATABASE_PASSWORD";
+          dbHostHasPrefix = prefix: lib.hasPrefix prefix (toString cfg.dbhost);
+          isPostgresql = dbType == "postgresql";
+          isMysql = dbType == "mysql";
+          isSocket = (isPostgresql && dbHostHasPrefix "/") || (isMysql && dbHostHasPrefix "localhost:/");
+          dbHost = lib.optionalString (cfg.dbhost != null) (
+            if isSocket then lib.optionalString isMysql "@localhost" else "@${cfg.dbhost}"
+          );
+          dbOpts = lib.optionalString (cfg.dbhost != null && isSocket) (
+            if isPostgresql then
+              "?host=${cfg.dbhost}"
+            else if isMysql then
+              "?socket=${lib.removePrefix "localhost:" cfg.dbhost}"
+            else
+              throw "unsupported dbtype"
+          );
+          dbName = lib.optionalString (cfg.dbname != null) "/${cfg.dbname}";
+          dbUrl = "${dbType}://${dbUser}${dbPass}${dbHost}${dbName}${dbOpts}";
+        in
+        lib.optionalString (dbPass != "") ''
+          export DATABASE_PASSWORD="$(<"${cfg.dbpassFile}")"
+        ''
+        + ''
+          export DATABASE_URL="${dbUrl}"
+          exec ${cfg.package}/bin/notify_push '${cfgN.datadir}/config/config.php'
         '';
-        script =
-          let
-            dbType = if cfg.dbtype == "pgsql" then "postgresql" else cfg.dbtype;
-            dbUser = lib.optionalString (cfg.dbuser != null) cfg.dbuser;
-            dbPass = lib.optionalString (cfg.dbpassFile != null) ":$DATABASE_PASSWORD";
-            dbHostHasPrefix = prefix: lib.hasPrefix prefix (toString cfg.dbhost);
-            isPostgresql = dbType == "postgresql";
-            isMysql = dbType == "mysql";
-            isSocket = (isPostgresql && dbHostHasPrefix "/") || (isMysql && dbHostHasPrefix "localhost:/");
-            dbHost = lib.optionalString (cfg.dbhost != null) (
-              if isSocket then lib.optionalString isMysql "@localhost" else "@${cfg.dbhost}"
-            );
-            dbOpts = lib.optionalString (cfg.dbhost != null && isSocket) (
-              if isPostgresql then
-                "?host=${cfg.dbhost}"
-              else if isMysql then
-                "?socket=${lib.removePrefix "localhost:" cfg.dbhost}"
-              else
-                throw "unsupported dbtype"
-            );
-            dbName = lib.optionalString (cfg.dbname != null) "/${cfg.dbname}";
-            dbUrl = "${dbType}://${dbUser}${dbPass}${dbHost}${dbName}${dbOpts}";
-          in
-          lib.optionalString (dbPass != "") ''
-            export DATABASE_PASSWORD="$(<"${cfg.dbpassFile}")"
-          ''
-          + ''
-            export DATABASE_URL="${dbUrl}"
-            exec ${cfg.package}/bin/notify_push '${cfgN.datadir}/config/config.php'
-          '';
-        serviceConfig = {
-          User = "nextcloud";
-          Group = "nextcloud";
-          RuntimeDirectory = [ "nextcloud-notify_push" ];
-          Restart = "on-failure";
-          RestartSec = "5s";
-          Type = "notify";
-        };
+      serviceConfig = {
+        User = "nextcloud";
+        Group = "nextcloud";
+        RuntimeDirectory = [ "nextcloud-notify_push" ];
+        Restart = "on-failure";
+        RestartSec = "5s";
+        Type = "notify";
       };
+    };
 
     networking.hosts = lib.mkIf cfg.bendDomainToLocalhost {
       "127.0.0.1" = [ cfgN.hostName ];

nixos/modules/virtualisation/nixos-containers.nix

@@ -134,6 +134,10 @@ let
         extraFlags+=("--network-bridge=$HOST_BRIDGE")
       fi
 
+      if [ -n "$NETWORK_NAMESPACE_PATH" ]; then
+        extraFlags+=("--network-namespace-path=$NETWORK_NAMESPACE_PATH")
+      fi
+
       extraFlags+=(${lib.escapeShellArgs (mapAttrsToList nspawnExtraVethArgs cfg.extraVeths)})
 
       for iface in $INTERFACES; do
@@ -632,6 +636,20 @@ in
               '';
             };
 
+            networkNamespace = mkOption {
+              type = types.nullOr types.path;
+              default = null;
+              description = ''
+                Takes the path to a file representing a kernel network namespace that the container
+                shall run in. The specified path should refer to a (possibly bind-mounted) network
+                namespace file, as exposed by the kernel below /proc/<PID>/ns/net. This makes the
+                container enter the given network namespace. One of the typical use cases is to give
+                a network namespace under /run/netns created by ip-netns(8).
+                Note that this option cannot be used together with other network-related options,
+                such as --private-network or --network-interface=.
+              '';
+            };
+
             interfaces = mkOption {
               type = types.listOf types.str;
               default = [];
@@ -793,6 +811,11 @@ in
     {
       warnings = optional (!config.boot.enableContainers && config.containers != {})
         "containers.<name> is used, but boot.enableContainers is false. To use containers.<name>, set boot.enableContainers to true.";
+
+      assertions = let
+        mapper = name: cfg: optional (cfg.networkNamespace != null && (cfg.privateNetwork || cfg.interfaces != []))
+          "containers.${name}.networkNamespace is mutally exclusive to containers.${name}.privateNetwork and containers.${name}.interfaces.";
+      in mkMerge (mapAttrsToList mapper config.containers);
     }
 
     (mkIf (config.boot.enableContainers) (let
@@ -897,6 +920,9 @@ in
                   LOCAL_ADDRESS6=${cfg.localAddress6}
                 ''}
               ''}
+              ${optionalString (cfg.networkNamespace != null) ''
+                NETWORK_NAMESPACE_PATH=${cfg.networkNamespace}
+              ''}
               INTERFACES="${toString cfg.interfaces}"
               MACVLANS="${toString cfg.macvlans}"
               ${optionalString cfg.autoStart ''

nixos/tests/containers-restart_networking.nix

@@ -39,6 +39,11 @@ import ./make-test-python.nix (
           }
         ];
 
+        networking.interfaces.eth1 = {
+          ipv4.addresses = lib.mkForce [ ];
+          ipv6.addresses = lib.mkForce [ ];
+        };
+
         specialisation.eth1.configuration = {
           networking.bridges.br0.interfaces = [ "eth1" ];
           networking.interfaces = {

nixos/tests/fcitx5/default.nix

@@ -160,7 +160,7 @@ rec {
 
             ### Verify that file contents are as expected
             file_content = machine.succeed("cat ${user.home}/fcitx_test.out")
-            assert file_content == "☺一下한कか\n"
+            assert file_content == "☺一下한कか\n", f'output does not match input:\n{file_content}'
       ''
   ;
 })

nixos/tests/nextcloud/with-postgresql-and-redis.nix

@@ -38,6 +38,7 @@ runTest (
             config.dbtype = "pgsql";
             notify_push = {
               enable = true;
+              bendDomainToLocalhost = true;
               logLevel = "debug";
             };
             extraAppsEnable = true;

nixos/tests/nginx-sso.nix

@@ -11,7 +11,9 @@ import ./make-test-python.nix ({ pkgs, ... }: {
         listen = { addr = "127.0.0.1"; port = 8080; };
 
         providers.token.tokens = {
-          myuser = "MyToken";
+          myuser = {
+            _secret = pkgs.writeText "secret-token" "MyToken";
+          };
         };
 
         acl = {