diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index b2ae30aa9ff..223705609e1 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -827,6 +827,7 @@
 ./services/networking/libreswan.nix
 ./services/networking/lldpd.nix
 ./services/networking/logmein-hamachi.nix
+ ./services/networking/lokinet.nix
 ./services/networking/lxd-image-server.nix
 ./services/networking/magic-wormhole-mailbox-server.nix
 ./services/networking/matterbridge.nix
diff --git a/nixos/modules/services/networking/lokinet.nix b/nixos/modules/services/networking/lokinet.nix
new file mode 100644
index 00000000000..cf091341c83
--- /dev/null
+++ b/nixos/modules/services/networking/lokinet.nix
@@ -0,0 +1,157 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.lokinet; + dataDir = "/var/lib/lokinet"; + settingsFormat = pkgs.formats.ini { listsAsDuplicateKeys = true; }; + configFile = settingsFormat.generate "lokinet.ini" (lib.filterAttrsRecursive (n: v: v != null) cfg.settings); +in with lib; { + options.services.lokinet = { + enable = mkEnableOption "Lokinet daemon"; + + package = mkOption { + type = types.package; + default = pkgs.lokinet; + defaultText = literalExpression "pkgs.lokinet"; + description = "Lokinet package to use."; + }; + + useLocally = mkOption { + type = types.bool; + default = false; + example = true; + description = "Whether to use Lokinet locally."; + }; + + settings = mkOption { + type = with types; + submodule { + freeformType = settingsFormat.type; + + options = { + dns = { + bind = mkOption { + type = str; + default = "127.3.2.1"; + description = "Address to bind to for handling DNS requests."; + }; + + upstream = mkOption { + type = listOf str; + default = [ "9.9.9.10" ]; + example = [ "1.1.1.1" "8.8.8.8" ]; + description = '' + Upstream resolver(s) to use as fallback for non-loki addresses. + Multiple values accepted. + ''; + }; + }; + + network = { + exit = mkOption { + type = bool; + default = false; + description = '' + Whether to act as an exit node. Beware that this + increases demand on the server and may pose liability concerns. + Enable at your own risk. + ''; + }; + + exit-node = mkOption { + type = nullOr (listOf str); + default = null; + example = '' + exit-node = [ "example.loki" ]; # maps all exit traffic to example.loki + exit-node = [ "example.loki:100.0.0.0/24" ]; # maps 100.0.0.0/24 to example.loki + ''; + description = '' + Specify a `.loki` address and an optional ip range to use as an exit broker. + See for + a list of exit nodes. + ''; + }; + + keyfile = mkOption { + type = nullOr str; + default = null; + example = "snappkey.private"; + description = '' + The private key to persist address with. 
If not specified the address will be ephemeral. + This keyfile is generated automatically if the specified file doesn't exist. + ''; + }; + }; + }; + }; + default = { }; + example = literalExpression '' + { + dns = { + bind = "127.3.2.1"; + upstream = [ "1.1.1.1" "8.8.8.8" ]; + }; + + network.exit-node = [ "example.loki" "example2.loki" ]; + } + ''; + description = '' + Configuration for Lokinet. + Currently, the best way to view the available settings is by + generating a config file using `lokinet -g`. + ''; + }; + }; + + config = mkIf cfg.enable { + networking.resolvconf.extraConfig = mkIf cfg.useLocally '' + name_servers="${cfg.settings.dns.bind}" + ''; + + systemd.services.lokinet = { + description = "Lokinet"; + after = [ "network-online.target" "network.target" ]; + wants = [ "network-online.target" "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + preStart = '' + ln -sf ${cfg.package}/share/bootstrap.signed ${dataDir} + ${pkgs.coreutils}/bin/install -m 600 ${configFile} ${dataDir}/lokinet.ini + + ${optionalString (cfg.settings.network.keyfile != null) '' + ${pkgs.crudini}/bin/crudini --set ${dataDir}/lokinet.ini network keyfile "${dataDir}/${cfg.settings.network.keyfile}" + ''} + ''; + + serviceConfig = { + DynamicUser = true; + StateDirectory = "lokinet"; + AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ]; + ExecStart = "${cfg.package}/bin/lokinet ${dataDir}/lokinet.ini"; + Restart = "always"; + RestartSec = "5s"; + + # hardening + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateTmp = true; + PrivateMounts = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + ReadWritePaths = "/dev/net/tun"; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + 
RestrictSUIDSGID = true; + }; + }; + + environment.systemPackages = [ cfg.package ]; + }; +} diff --git a/pkgs/applications/networking/browsers/qutebrowser/default.nix b/pkgs/applications/networking/browsers/qutebrowser/default.nix index a9e6436c8da..ce2392ab4ed 100644 --- a/pkgs/applications/networking/browsers/qutebrowser/default.nix +++ b/pkgs/applications/networking/browsers/qutebrowser/default.nix @@ -32,12 +32,12 @@ let in mkDerivationWith python3Packages.buildPythonApplication rec { pname = "qutebrowser"; - version = "2.5.1"; + version = "2.5.2"; # the release tarballs are different from the git checkout! src = fetchurl { url = "https://github.com/qutebrowser/qutebrowser/releases/download/v${version}/${pname}-${version}.tar.gz"; - hash = "sha256-5ohYhqhM0WamumM3lKWKTGfYccJxiBJ+XdvFJ2127bw="; + hash = "sha256-qb/OFN3EA94N6y7t+YPCMc4APgdZmV7H706jTkl06Qg="; }; # Needs tox diff --git a/pkgs/applications/networking/instant-messengers/signal-desktop/default.nix b/pkgs/applications/networking/instant-messengers/signal-desktop/default.nix index 7d18a8d2925..53b7f8417ca 100644 --- a/pkgs/applications/networking/instant-messengers/signal-desktop/default.nix +++ b/pkgs/applications/networking/instant-messengers/signal-desktop/default.nix @@ -82,6 +82,7 @@ in stdenv.mkDerivation rec { runtimeDependencies = [ (lib.getLib systemd) + libappindicator-gtk3 libnotify libdbusmenu xdg-utils diff --git a/pkgs/applications/networking/p2p/lokinet/default.nix b/pkgs/applications/networking/p2p/lokinet/default.nix new file mode 100644 index 00000000000..e3e2c8e5883 --- /dev/null +++ b/pkgs/applications/networking/p2p/lokinet/default.nix 
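Review bot: `AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ]` in serviceConfig is not paired with a matching `CapabilityBoundingSet`, so the bounding set stays at the default full set even though the rest of the hardening block follows the usual nixpkgs pattern; add `CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];` next to it so the unit cannot acquire anything beyond the two capabilities it needs. The `useLocally` option does more than "Whether to use Lokinet locally." says: under `config` it sets `networking.resolvconf.extraConfig` to `name_servers="${cfg.settings.dns.bind}"`, i.e. it makes Lokinet's DNS listener the system resolver, and the description should say so, e.g. `description = "Whether to make Lokinet's DNS resolver (settings.dns.bind) the system resolver so that .loki names resolve locally; name resolution then depends on the daemon running.";`. The `network.exit-node` option is typed `nullOr (listOf str)` but its `example` is a plain string holding two alternative assignments; wrap it in `literalExpression` (or give one list value) so the generated documentation renders it as Nix code rather than as a value of the option. The preStart `crudini --set` line interpolates `cfg.settings.network.keyfile`, a bare `str`, into a shell command; the value is operator-supplied so the risk is low, but documenting it as a file name relative to the state directory (as the `snappkey.private` example implies) or tightening the type with `types.strMatching` would make the contract explicit.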
@@ -0,0 +1,64 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, cmake
+, libevent
+, libsodium
+, libuv
+, nlohmann_json
+, pkg-config
+, sqlite
+, systemd
+, unbound
+, zeromq
+}:
+
+stdenv.mkDerivation rec {
+ pname = "lokinet";
+ version = "0.9.9";
+
+ src = fetchFromGitHub {
+ owner = "oxen-io";
+ repo = "lokinet";
+ rev = "v${version}";
+ fetchSubmodules = true;
+ sha256 = "sha256-AaGsRg9S9Cng9emI/mN09QSOIRbE+x3916clWAwLnRs=";
+ };
+
+ nativeBuildInputs = [
+ cmake
+ pkg-config
+ ];
+
+ buildInputs = [
+ libevent
+ libuv
+ libsodium
+ nlohmann_json
+ sqlite
+ systemd
+ unbound
+ zeromq
+ ];
+
+ cmakeFlags = [
+ "-DGIT_VERSION=v${version}"
+ "-DWITH_BOOTSTRAP=OFF" # we provide bootstrap files manually
+ "-DWITH_SETCAP=OFF"
+ ];
+
+ # copy bootstrap files
+ # see https://github.com/oxen-io/lokinet/issues/1765#issuecomment-938208774
+ postInstall = ''
+ mkdir -p $out/share/testnet
+ cp $src/contrib/bootstrap/mainnet.signed $out/share/bootstrap.signed
+ cp $src/contrib/bootstrap/testnet.signed $out/share/testnet/bootstrap.signed
+ '';
+
+ meta = with lib; {
+ description = "Anonymous, decentralized and IP based overlay network for the internet";
+ homepage = "https://lokinet.org/";
+ license = licenses.gpl3Plus;
+ maintainers = with maintainers; [ wyndon ];
+ };
+}
diff --git a/pkgs/desktops/pantheon/desktop/wingpanel-indicators/network/default.nix b/pkgs/desktops/pantheon/desktop/wingpanel-indicators/network/default.nix
index fdb6481f7e7..013884cb349 100644
--- a/pkgs/desktops/pantheon/desktop/wingpanel-indicators/network/default.nix
+++ b/pkgs/desktops/pantheon/desktop/wingpanel-indicators/network/default.nix
@@ -17,13 +17,13 @@
 stdenv.mkDerivation rec {
 pname = "wingpanel-indicator-network";
- version = "2.3.2";
+ version = "2.3.3";
 src = fetchFromGitHub {
 owner = "elementary";
 repo = pname;
 rev = version;
- sha256 = "sha256-4Fg8/Gm9mUqaL3wEc8h+/pMvOfD75ILjo7LhLz6LQmo=";
+ sha256 = "sha256-fcR8gcexxIzSvR27SUyDhyCOlev+0r7YPPJlCNydCYM=";
 };
 nativeBuildInputs = [
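Review bot: `meta` has no `platforms`, yet `systemd` is in buildInputs, so the derivation is Linux-only and should say so with `platforms = platforms.linux;` inside `meta = with lib; { ... }`; without it the package is offered on every platform nixpkgs supports and only fails at evaluation or build time elsewhere. `-DWITH_SETCAP=OFF` in cmakeFlags carries no explanation while the neighbouring flag does; a comment such as `# the Nix store does not preserve file capabilities; the NixOS module grants CAP_NET_ADMIN to the service via systemd instead` would tell the next reader why disabling it is safe. For consistency with the asana change in this same commit, `rev = "v${version}"` could be `rev = "refs/tags/v${version}";`, which removes the ambiguity between a tag and a branch of the same name.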
diff --git a/pkgs/development/python-modules/asana/default.nix b/pkgs/development/python-modules/asana/default.nix
index d179f3f9490..09ff9588544 100644
--- a/pkgs/development/python-modules/asana/default.nix
+++ b/pkgs/development/python-modules/asana/default.nix
@@ -11,7 +11,7 @@
 buildPythonPackage rec {
 pname = "asana";
- version = "0.10.9";
+ version = "1.0.0";
 format = "setuptools";
 disabled = pythonOlder "3.7";
@@ -19,8 +19,8 @@ buildPythonPackage rec {
 src = fetchFromGitHub {
 owner = "asana";
 repo = "python-asana";
- rev = "v${version}";
- sha256 = "sha256-9gOkCMY15ChdhiFdzS0TjvWpVTKKEGt7XIcK6EhkSK8=";
+ rev = "refs/tags/v${version}";
+ sha256 = "sha256-SbYTLGBCfKbjhyzM5OnVX6kxEMnofwPIyzwuJvYORhw=";
 };
 propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/hcloud/default.nix b/pkgs/development/python-modules/hcloud/default.nix
index 3183560ba00..ad8e79b63fd 100644
--- a/pkgs/development/python-modules/hcloud/default.nix
+++ b/pkgs/development/python-modules/hcloud/default.nix
@@ -2,39 +2,44 @@
 , buildPythonPackage
 , fetchPypi
 , future
-, requests
-, python-dateutil
-, flake8
-, isort
 , mock
-, pytest
-, isPy27
+, pytestCheckHook
+, python-dateutil
+, pythonOlder
+, requests
 }:
 buildPythonPackage rec {
 pname = "hcloud";
- version = "1.16.0";
- disabled = isPy27;
+ version = "1.17.0";
+ format = "setuptools";
+
+ disabled = pythonOlder "3.7";
 src = fetchPypi {
 inherit pname version;
- sha256 = "c8b94557d93bcfe437f20a8176693ea4f54358b74986cc19d94ebc23f48e40cc";
+ hash = "sha256-+BQuBDi+J3xvod3uE67NXaFStIxt7H/Ulw3vG13CGeI=";
 };
- propagatedBuildInputs = [ future requests python-dateutil ];
+ propagatedBuildInputs = [
+ future
+ requests
+ python-dateutil
+ ];
- checkInputs = [ flake8 isort mock pytest ];
+ checkInputs = [
+ mock
+ pytestCheckHook
+ ];
- # Skip integration tests since they require a separate external fake API endpoint.
- checkPhase = ''
- pytest --ignore=tests/integration
- '';
+ pythonImportsCheck = [
+ "hcloud"
+ ];
 meta = with lib; {
- description = "Official Hetzner Cloud python library";
+ description = "Library for the Hetzner Cloud API";
 homepage = "https://github.com/hetznercloud/hcloud-python";
 license = licenses.mit;
- platforms = platforms.all;
 maintainers = with maintainers; [ liff ];
 };
 }
diff --git a/pkgs/development/python-modules/pulumi-aws/default.nix b/pkgs/development/python-modules/pulumi-aws/default.nix
index 838422a31a2..c1636998590 100644
--- a/pkgs/development/python-modules/pulumi-aws/default.nix
+++ b/pkgs/development/python-modules/pulumi-aws/default.nix
@@ -12,7 +12,7 @@
 buildPythonPackage rec {
 pname = "pulumi-aws";
 # Version is independant of pulumi's.
- version = "5.9.1";
+ version = "5.9.2";
 format = "setuptools";
 disabled = pythonOlder "3.7";
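Review bot: The removed `checkPhase` deliberately skipped `tests/integration` because, per the removed comment, those tests need a separate external fake API endpoint, but the replacement `checkInputs = [ mock pytestCheckHook ]` runs pytest over the whole tree with no exclusion, so unless upstream 1.17.0 dropped or self-skips those tests the build will now try to reach that endpoint inside the sandbox and fail; keep the original intent with `disabledTestPaths = [ "tests/integration" ];` next to `pythonImportsCheck`. If the integration tests really were removed or marked upstream, a one-line comment saying so where the old comment stood would spare the next updater the same question.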
@@ -21,7 +21,7 @@ buildPythonPackage rec {
 owner = "pulumi";
 repo = "pulumi-aws";
 rev = "refs/tags/v${version}";
- hash = "sha256-LYWxdqortazhev73JSTItrEyZZYFmeXkAko/2aFKaSw=";
+ hash = "sha256-5jeLSTG2HITEUdgQB3B9nQLAaNRliGspKnOgzUscCpU=";
 };
 sourceRoot = "${src.name}/sdk/python";
diff --git a/pkgs/development/python-modules/qiskit-finance/default.nix b/pkgs/development/python-modules/qiskit-finance/default.nix
index ad80eb3698f..45764b4983e 100644
--- a/pkgs/development/python-modules/qiskit-finance/default.nix
+++ b/pkgs/development/python-modules/qiskit-finance/default.nix
@@ -22,7 +22,7 @@ buildPythonPackage rec {
 pname = "qiskit-finance";
- version = "0.3.2";
+ version = "0.3.3";
 disabled = pythonOlder "3.6";
@@ -30,7 +30,7 @@ buildPythonPackage rec {
 owner = "qiskit";
 repo = pname;
 rev = "refs/tags/${version}";
- sha256 = "sha256-ZmK4nYuv3DBJ0Ah819zGAh7inGVBWDnzJvl0FABJ6KU=";
+ sha256 = "sha256-1XM4gBuMsvjwU4GSdQJobMyyDFZOOTbwvnUPG0nXFoc=";
 };
 postPatch = ''
diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json
index 079ea453bbf..e60cfeaec7f 100644
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@@ -22,41 +22,41 @@
 "5.10": {
 "patch": {
 "extra": "-hardened1",
- "name": "linux-hardened-5.10.125-hardened1.patch",
- "sha256": "04hdgzx7yqv26i74k6yzdh3k4dzyvcmxn9y93whdw0jyal34nj5w",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.125-hardened1/linux-hardened-5.10.125-hardened1.patch"
+ "name": "linux-hardened-5.10.127-hardened1.patch",
+ "sha256": "0lmsmmj1f0zqm5plb3c4sfqkq70msa24l1hcsrynavmzys8hndmq",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.127-hardened1/linux-hardened-5.10.127-hardened1.patch"
 },
- "sha256": "0q4garkqdkr2280ygz44053cbmzv59yfd0lsn7q67h1j4nh6wddr",
- "version": "5.10.125"
+ "sha256": "100m4b6w1kbc1lc3gwlmkp8xl42xai0v5wdbx0mxrq8y1gp374j1",
+ "version": "5.10.127"
 },
 "5.15": {
 "patch": {
 "extra": "-hardened1",
- "name": "linux-hardened-5.15.50-hardened1.patch",
- "sha256": "0vridxhn9s21d3r877ndnm7zg5iyqpm9lm319ccw47fwyydwwh4y",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.50-hardened1/linux-hardened-5.15.50-hardened1.patch"
+ "name": "linux-hardened-5.15.51-hardened1.patch",
+ "sha256": "0rfj0ypag0wn0ja77c920ppbqbik07i9yfrlhjanrz66vdip0z1r",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.51-hardened1/linux-hardened-5.15.51-hardened1.patch"
 },
- "sha256": "03yp3gz45059gkzqbijbg503rxx4wihjg4c3ikz10f526xym0kam",
- "version": "5.15.50"
+ "sha256": "1229m4r4n61n5l8anp2pcqdhajkwmavhr1z00n8gvx3yn9w4ifhz",
+ "version": "5.15.51"
 },
 "5.18": {
 "patch": {
 "extra": "-hardened1",
- "name": "linux-hardened-5.18.7-hardened1.patch",
- "sha256": "085skg598k5q0kgk5zb2ns6m0a6j5bpdi0aa5r8iidln1pqw2894",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.18.7-hardened1/linux-hardened-5.18.7-hardened1.patch"
+ "name": "linux-hardened-5.18.8-hardened1.patch",
+ "sha256": "1i0y11flb4alxaqf2inms8x2yzar20zg6vc9s9gs507z97yh24v2",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.18.8-hardened1/linux-hardened-5.18.8-hardened1.patch"
 },
- "sha256": "0nsj44p1wn7ysckhv4a99ncj0a9xxhvi54v63w1047sspxjd18m1",
- "version": "5.18.7"
+ "sha256": "0dhaj1zcsr5sfg62byzvvkhm9j419px6v9v04ngcy0d0vc2yn8q8",
+ "version": "5.18.8"
 },
 "5.4": {
 "patch": {
 "extra": "-hardened1",
- "name": "linux-hardened-5.4.201-hardened1.patch",
- "sha256": "1l0qgkwsp12wn2k78m04bpb88qknckbwn6610xj9jxvhq0n0qg4l",
- "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.201-hardened1/linux-hardened-5.4.201-hardened1.patch"
+ "name": "linux-hardened-5.4.202-hardened1.patch",
+ "sha256": "1gkgipw7ic0l3gh6haylcyss46wbph7zhx91fdp4na20jy4dxrzv",
+ "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.202-hardened1/linux-hardened-5.4.202-hardened1.patch"
 },
- "sha256": "0qbfqfca4ism7k7y8grjqsxby3j50ach576szrljxxy140qxfgc1",
- "version": "5.4.201"
+ "sha256": "0gak58h5l2d8rmbmjw48460bgqi73yf1m7swsbbhfsmbkvhvr8aw",
+ "version": "5.4.202"
 }
 }
diff --git a/pkgs/os-specific/linux/kernel/linux-5.10.nix b/pkgs/os-specific/linux/kernel/linux-5.10.nix
index 87ac3427f7a..34fce5c16d5 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.10.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.10.nix
@@ -3,7 +3,7 @@
 with lib;
 buildLinux (args // rec {
- version = "5.10.126";
+ version = "5.10.127";
 # modDirVersion needs to be x.y.z, will automatically add .0 if needed
 modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 src = fetchurl {
 url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
- sha256 = "0qsg5mxvq11xdbssz3qsmd794c8nydq297jwmgfwbzwkx1ll61ci";
+ sha256 = "100m4b6w1kbc1lc3gwlmkp8xl42xai0v5wdbx0mxrq8y1gp374j1";
 };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.15.nix b/pkgs/os-specific/linux/kernel/linux-5.15.nix
index 1fb189b1ef9..9a9950a301c 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.15.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.15.nix
@@ -3,7 +3,7 @@
 with lib;
 buildLinux (args // rec {
- version = "5.15.50";
+ version = "5.15.51";
 # modDirVersion needs to be x.y.z, will automatically add .0 if needed
 modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 src = fetchurl {
 url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
- sha256 = "03yp3gz45059gkzqbijbg503rxx4wihjg4c3ikz10f526xym0kam";
+ sha256 = "1229m4r4n61n5l8anp2pcqdhajkwmavhr1z00n8gvx3yn9w4ifhz";
 };
 } // (args.argsOverride or { }))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.18.nix b/pkgs/os-specific/linux/kernel/linux-5.18.nix
index ae2406b0372..43505e9d5d1 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.18.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.18.nix
@@ -3,7 +3,7 @@
 with lib;
 buildLinux (args // rec {
- version = "5.18.7";
+ version = "5.18.8";
 # modDirVersion needs to be x.y.z, will automatically add .0 if needed
 modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 src = fetchurl {
 url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
- sha256 = "0nsj44p1wn7ysckhv4a99ncj0a9xxhvi54v63w1047sspxjd18m1";
+ sha256 = "0dhaj1zcsr5sfg62byzvvkhm9j419px6v9v04ngcy0d0vc2yn8q8";
 };
 } // (args.argsOverride or { }))
diff --git a/pkgs/os-specific/linux/kernel/linux-5.4.nix b/pkgs/os-specific/linux/kernel/linux-5.4.nix
index cd79e9680b1..6c0011b4471 100644
--- a/pkgs/os-specific/linux/kernel/linux-5.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.4.nix
@@ -3,7 +3,7 @@
 with lib;
 buildLinux (args // rec {
- version = "5.4.201";
+ version = "5.4.202";
 # modDirVersion needs to be x.y.z, will automatically add .0 if needed
 modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 src = fetchurl {
 url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
- sha256 = "0qbfqfca4ism7k7y8grjqsxby3j50ach576szrljxxy140qxfgc1";
+ sha256 = "0gak58h5l2d8rmbmjw48460bgqi73yf1m7swsbbhfsmbkvhvr8aw";
 };
 } // (args.argsOverride or {}))
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 4f48c2946a3..dc85b74cdc7 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -28235,6 +28235,8 @@ with pkgs;
 portaudio = null;
 };
+ lokinet = callPackage ../applications/networking/p2p/lokinet { };
+
 losslesscut-bin = callPackage ../applications/video/losslesscut-bin { };
 loxodo = callPackage ../applications/misc/loxodo { };
diff --git a/pkgs/top-level/linux-kernels.nix b/pkgs/top-level/linux-kernels.nix
index 0d2d7cc835c..a7376042a6e 100644
--- a/pkgs/top-level/linux-kernels.nix
+++ b/pkgs/top-level/linux-kernels.nix
@@ -57,6 +57,10 @@ in {
 kernels = recurseIntoAttrs (lib.makeExtensible (self: with self; let
 callPackage = newScope self;
 in {
+ # NOTE: PLEASE DO NOT ADD NEW VENDOR KERNELS TO NIXPKGS.
+ # New vendor kernels should go to nixos-hardware instead.
+ # e.g. https://github.com/NixOS/nixos-hardware/tree/master/microsoft/surface/kernel
+
 linux_mptcp_95 = callPackage ../os-specific/linux/kernel/linux-mptcp-95.nix {
 kernelPatches = linux_4_19.kernelPatches;
 };