Merge staging-next into staging

NixOS · Jun 5, 2022 · a1bbd60 · a1bbd60
2 parents 5906c4f + a9df2a4
commit a1bbd60
Show file tree

Hide file tree

Showing 72 changed files with 538 additions and 560 deletions.
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@@ -40,14 +40,21 @@
   </section>
   <section xml:id="sec-release-22.11-new-services">
     <title>New Services</title>
-    <itemizedlist spacing="compact">
+    <itemizedlist>
       <listitem>
         <para>
           <link xlink:href="https://github.com/jollheef/appvm">appvm</link>,
           Nix based app VMs. Available as
           <link xlink:href="options.html#opt-virtualisation.appvm.enable">virtualisation.appvm</link>.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/leetronics/infnoise">infnoise</link>,
+          a hardware True Random Number Generator dongle. Available as
+          <link xlink:href="options.html#opt-services.infnoise.enable">services.infnoise</link>.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-22.11-incompatibilities">

diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md
@@ -25,6 +25,9 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable).
 
+- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle.
+  Available as [services.infnoise](options.html#opt-services.infnoise.enable).
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Backward Incompatibilities {#sec-release-22.11-incompatibilities}

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -983,6 +983,7 @@
   ./services/security/hologram-server.nix
   ./services/security/hologram-agent.nix
   ./services/security/kanidm.nix
+  ./services/security/infnoise.nix
   ./services/security/munge.nix
   ./services/security/nginx-sso.nix
   ./services/security/oauth2_proxy.nix

diff --git a/nixos/modules/services/security/infnoise.nix b/nixos/modules/services/security/infnoise.nix
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.infnoise;
+in {
+  options = {
+    services.infnoise = {
+      enable = mkEnableOption "the Infinite Noise TRNG driver";
+
+      fillDevRandom = mkOption {
+        description = ''
+          Whether to run the infnoise driver as a daemon to refill /dev/random.
+
+          If disabled, you can use the `infnoise` command-line tool to
+          manually obtain randomness.
+        '';
+        type = types.bool;
+        default = true;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.infnoise ];
+
+    services.udev.extraRules = ''
+      SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6015", SYMLINK+="infnoise", TAG+="systemd", GROUP="dialout", MODE="0664", ENV{SYSTEMD_WANTS}="infnoise.service"
+    '';
+
+    systemd.services.infnoise = mkIf cfg.fillDevRandom {
+      description = "Infinite Noise TRNG driver";
+
+      bindsTo = [ "dev-infnoise.device" ];
+      after = [ "dev-infnoise.device" ];
+
+      serviceConfig = {
+        ExecStart = "${pkgs.infnoise}/bin/infnoise --dev-random --debug";
+        Restart = "always";
+        User = "infnoise";
+        DynamicUser = true;
+        SupplementaryGroups = [ "dialout" ];
+        DeviceAllow = [ "/dev/infnoise" ];
+        DevicePolicy = "closed";
+        PrivateNetwork = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true; # only reads entropy pool size and watermark
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+      };
+    };
+  };
+}
diff --git a/nixos/tests/nitter.nix b/nixos/tests/nitter.nix
@@ -12,7 +12,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
 
   testScript = ''
     machine.wait_for_unit("nitter.service")
-    machine.wait_for_open_port("80")
+    machine.wait_for_open_port(80)
     machine.succeed("curl --fail http://localhost:80/")
   '';
 })
diff --git a/pkgs/applications/audio/munt/libmt32emu.nix b/pkgs/applications/audio/munt/libmt32emu.nix
@@ -6,13 +6,13 @@
 
 stdenv.mkDerivation rec {
   pname = "libmt32emu";
-  version = "2.5.3";
+  version = "2.6.3";
 
   src = fetchFromGitHub {
     owner = "munt";
     repo = "munt";
     rev = "${pname}_${lib.replaceChars [ "." ] [ "_" ] version}";
-    hash = "sha256-n5VV5Swh1tOVQGT3urEKl64A/w7cY95/0y5wC5ZuLm4=";
+    sha256 = "0ncy55fj9l2s750clxjpv102hrgcndz4qba9w2sf8lwzgy6d1xmp";
   };
 
   outputs = [ "out" "dev" ];

diff --git a/pkgs/applications/audio/munt/mt32emu-qt.nix b/pkgs/applications/audio/munt/mt32emu-qt.nix
@@ -13,15 +13,18 @@
 , withJack ? stdenv.hostPlatform.isUnix, libjack2
 }:
 
+let
+  char2underscore = char: str: lib.replaceChars [ char ] [ "_" ] str;
+in
 mkDerivation rec {
   pname = "mt32emu-qt";
-  version = "1.9.0";
+  version = "1.10.2";
 
   src = fetchFromGitHub {
     owner = "munt";
     repo = "munt";
-    rev = "mt32emu_qt_${lib.replaceChars [ "." ] [ "_" ] version}";
-    hash = "sha256-9vapBKpl1NC3mIDetuCb452IHV6c7c7NCzSyiBry5oo=";
+    rev = "${char2underscore "-" pname}_${char2underscore "." version}";
+    sha256 = "1dh5xpnsgx367ch45mm5c2p26vnxf3shax2afg2cd2lrbrlii7l9";
   };
 
   postPatch = ''
@@ -55,8 +58,8 @@ mkDerivation rec {
 
   postInstall = lib.optionalString stdenv.hostPlatform.isDarwin ''
     mkdir $out/Applications
-    mv $out/bin/${meta.mainProgram}.app $out/Applications/
-    ln -s $out/{Applications/${meta.mainProgram}.app/Contents/MacOS,bin}/${meta.mainProgram}
+    mv $out/bin/${pname}.app $out/Applications/
+    ln -s $out/{Applications/${pname}.app/Contents/MacOS,bin}/${pname}
   '';
 
   meta = with lib; {
@@ -70,6 +73,5 @@ mkDerivation rec {
     license = with licenses; [ gpl3Plus ];
     maintainers = with maintainers; [ OPNA2608 ];
     platforms = platforms.all;
-    mainProgram = "mt32emu-qt";
   };
 }
diff --git a/pkgs/applications/audio/munt/mt32emu-smf2wav.nix b/pkgs/applications/audio/munt/mt32emu-smf2wav.nix
@@ -7,15 +7,18 @@
 , pkg-config
 }:
 
+let
+  char2underscore = char: str: lib.replaceChars [ char ] [ "_" ] str;
+in
 stdenv.mkDerivation rec {
   pname = "mt32emu-smf2wav";
-  version = "1.7.0";
+  version = "1.8.2";
 
   src = fetchFromGitHub {
     owner = "munt";
     repo = "munt";
-    rev = "mt32emu_smf2wav_${lib.replaceChars [ "." ] [ "_" ] version}";
-    hash = "sha256-FnKlKJxe7P4Yqpv0oVGgV4253dMgSmgtb7EAa2FI+aI=";
+    rev = "${char2underscore "-" pname}_${char2underscore "." version}";
+    sha256 = "1dh5xpnsgx367ch45mm5c2p26vnxf3shax2afg2cd2lrbrlii7l9";
   };
 
   postPatch = ''
@@ -45,6 +48,5 @@ stdenv.mkDerivation rec {
     license = with licenses; [ gpl3Plus ];
     maintainers = with maintainers; [ OPNA2608 ];
     platforms = platforms.all;
-    mainProgram = "mt32emu-smf2wav";
   };
 }
diff --git a/pkgs/applications/audio/noisetorch/default.nix b/pkgs/applications/audio/noisetorch/default.nix
@@ -2,20 +2,21 @@
 
 buildGoModule rec {
   pname = "NoiseTorch";
-  version = "0.11.5";
+  version = "0.12.0";
 
   src = fetchFromGitHub {
-    owner = "lawl";
+    owner = "noisetorch";
     repo = "NoiseTorch";
-    rev = version;
-    sha256 = "sha256-j/6XB3vA5LvTuCxmeB0HONqEDzYg210AWW/h3nCGOD8=";
+    rev = "v${version}";
+    sha256 = "sha256-A6cX1ck47/ZIn9cnV/Ow4CxVFfOX5J0K0Q+B70jCFdQ=";
+    fetchSubmodules = true;
   };
 
   vendorSha256 = null;
 
   doCheck = false;
 
-  ldflags = [ "-X main.version=${version}"  "-X main.distribution=nix" ];
+  ldflags = [ "-X main.version=${version}" "-X main.distribution=nix" ];
 
   subPackages = [ "." ];
 
@@ -34,9 +35,10 @@ buildGoModule rec {
 
   meta = with lib; {
     insecure = true;
-    knownVulnerabilities = [ "https://github.com/lawl/NoiseTorch/releases/tag/0.11.6" ];
+    knownVulnerabilities =
+      lib.optional (lib.versionOlder version "0.12") "https://github.com/noisetorch/NoiseTorch/releases/tag/v0.12.0";
     description = "Virtual microphone device with noise supression for PulseAudio";
-    homepage = "https://github.com/lawl/NoiseTorch";
+    homepage = "https://github.com/noisetorch/NoiseTorch";
     license = licenses.gpl3Plus;
     platforms = platforms.linux;
     maintainers = with maintainers; [ panaeon lom ];

diff --git a/pkgs/applications/audio/psst/default.nix b/pkgs/applications/audio/psst/default.nix
@@ -2,22 +2,20 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "psst";
-  version = "unstable-2022-01-25";
+  version = "unstable-2022-05-19";
 
   src = fetchFromGitHub {
     owner = "jpochyla";
     repo = pname;
-    rev = "1627cd4a301dd51e9ee3034294cd7b0d94d02ddc";
-    sha256 = "sha256-kepvYhmieXx6Hj79aqaA7tYUnueaBsNx0U4lV7K6LuU=";
+    rev = "e403609e0916fe664fb1f28c7a259d01fa69b0e9";
+    sha256 = "sha256-hpAP/m9aJsfh9FtwLqaKFZllnCQn9OSYLWuNZakZJnk=";
   };
 
-  cargoSha256 = "sha256-DcdlQudGyWUUAacV7pAOLDvhd1fgAkEesdxDkHSYm4M=";
+  cargoSha256 = "sha256-gQ0iI2wTS5n5pItmQCmFXDs5L8nA2w5ZrZyZtpMlUro=";
   # specify the subdirectory of the binary crate to build from the workspace
   buildAndTestSubdir = "psst-gui";
 
-  nativeBuildInputs = [
-    pkg-config
-  ];
+  nativeBuildInputs = [ pkg-config ];
 
   buildInputs = [
     alsa-lib
@@ -30,10 +28,14 @@ rustPlatform.buildRustPackage rec {
     pango
   ];
 
+  postInstall = ''
+    install -Dm444 psst-gui/assets/logo_512.png $out/share/icons/${pname}.png
+  '';
+
   meta = with lib; {
     description = "Fast and multi-platform Spotify client with native GUI";
     homepage = "https://github.com/jpochyla/psst";
     license = licenses.mit;
-    maintainers = [ maintainers.vbrandl ];
+    maintainers = with maintainers; [ vbrandl peterhoeg ];
   };
 }
diff --git a/pkgs/applications/graphics/mcomix/default.nix b/pkgs/applications/graphics/mcomix/default.nix
@@ -0,0 +1,64 @@
+{ lib
+, fetchurl
+, gdk-pixbuf
+, gobject-introspection
+, gtk3
+, mcomix
+, python3
+, testVersion
+, wrapGAppsHook
+
+# Recommended Dependencies:
+, lhasa
+, mupdf
+, p7zip
+, unrar
+, unrarSupport ? false  # unfree software
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "mcomix";
+  version = "2.0.2";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/mcomix/${pname}-${version}.tar.gz";
+    sha256 = "sha256-7zjQcT5WoHxy+YzCDJ6s2ngOOfO4L9exuqBqacecClg=";
+  };
+
+  buildInputs = [ gobject-introspection gtk3 gdk-pixbuf ];
+  nativeBuildInputs = [ wrapGAppsHook ];
+  propagatedBuildInputs = (with python3.pkgs; [ pillow pygobject3 pycairo ]);
+
+  # Tests are broken
+  doCheck = false;
+
+  # Correct wrapper behavior, see https://github.com/NixOS/nixpkgs/issues/56943
+  # until https://github.com/NixOS/nixpkgs/pull/102613
+  strictDeps = false;
+
+  # prevent double wrapping
+  dontWrapGApps = true;
+
+  preFixup = ''
+    makeWrapperArgs+=(
+      "''${gappsWrapperArgs[@]}"
+      "--prefix" "PATH" ":" "${lib.makeBinPath ([ p7zip lhasa mupdf ] ++ lib.optional (unrarSupport) unrar)}"
+    )
+  '';
+
+  passthru.tests.version = testVersion {
+    package = mcomix;
+  };
+
+  meta = with lib; {
+    description = "Comic book reader and image viewer";
+    longDescription = ''
+      User-friendly, customizable image viewer, specifically designed to handle
+      comic books and manga supporting a variety of container formats
+      (including CBR, CBZ, CB7, CBT, LHA and PDF)
+    '';
+    homepage = "https://sourceforge.net/projects/mcomix/";
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ thiagokokada ];
+  };
+}