Merge master into staging-next

nixos/modules/module-list.nix

@@ -638,6 +638,7 @@
   ./services/networking/coredns.nix
   ./services/networking/corerad.nix
   ./services/networking/coturn.nix
+  ./services/networking/croc.nix
   ./services/networking/dante.nix
   ./services/networking/ddclient.nix
   ./services/networking/dhcpcd.nix

nixos/modules/services/networking/croc.nix

@@ -0,0 +1,88 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (lib) types;
+  cfg = config.services.croc;
+  rootDir = "/run/croc";
+in
+{
+  options.services.croc = {
+    enable = lib.mkEnableOption "croc relay";
+    ports = lib.mkOption {
+      type = with types; listOf port;
+      default = [9009 9010 9011 9012 9013];
+      description = "Ports of the relay.";
+    };
+    pass = lib.mkOption {
+      type = with types; either path str;
+      default = "pass123";
+      description = "Password or passwordfile for the relay.";
+    };
+    openFirewall = lib.mkEnableOption "opening of the peer port(s) in the firewall";
+    debug = lib.mkEnableOption "debug logs";
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.croc = {
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.croc}/bin/croc --pass '${cfg.pass}' ${lib.optionalString cfg.debug "--debug"} relay --ports ${lib.concatMapStringsSep "," toString cfg.ports}";
+        # The following options are only for optimizing:
+        # systemd-analyze security croc
+        AmbientCapabilities = "";
+        CapabilityBoundingSet = "";
+        DynamicUser = true;
+        # ProtectClock= adds DeviceAllow=char-rtc r
+        DeviceAllow = "";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        MountAPIVFS = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateNetwork = lib.mkDefault false;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "noaccess";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RootDirectory = rootDir;
+        # Avoid mounting rootDir in the own rootDir of ExecStart='s mount namespace.
+        InaccessiblePaths = [ "-+${rootDir}" ];
+        BindReadOnlyPaths = [
+          builtins.storeDir
+        ] ++ lib.optional (types.path.check cfg.pass) cfg.pass;
+        # This is for BindReadOnlyPaths=
+        # to allow traversal of directories they create in RootDirectory=.
+        UMask = "0066";
+        # Create rootDir in the host's mount namespace.
+        RuntimeDirectory = [(baseNameOf rootDir)];
+        RuntimeDirectoryMode = "700";
+        SystemCallFilter = [
+          "@system-service"
+          "~@aio" "~@chown" "~@keyring" "~@memlock"
+          "~@privileged" "~@resources" "~@setuid"
+          "~@sync" "~@timer"
+        ];
+        SystemCallArchitectures = "native";
+        SystemCallErrorNumber = "EPERM";
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall cfg.ports;
+  };
+
+  meta.maintainers = with lib.maintainers; [ hax404 julm ];
+}

nixos/modules/services/web-apps/miniflux.nix

@@ -14,17 +14,16 @@ let
     ADMIN_PASSWORD=password
   '';
 
-  pgsu = "${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser}";
   pgbin = "${config.services.postgresql.package}/bin";
   preStart = pkgs.writeScript "miniflux-pre-start" ''
     #!${pkgs.runtimeShell}
     db_exists() {
-      [ "$(${pgsu} ${pgbin}/psql -Atc "select 1 from pg_database where datname='$1'")" == "1" ]
+      [ "$(${pgbin}/psql -Atc "select 1 from pg_database where datname='$1'")" == "1" ]
     }
     if ! db_exists "${dbName}"; then
-      ${pgsu} ${pgbin}/psql postgres -c "CREATE ROLE ${dbUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${dbPassword}'"
-      ${pgsu} ${pgbin}/createdb --owner "${dbUser}" "${dbName}"
-      ${pgsu} ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
+      ${pgbin}/psql postgres -c "CREATE ROLE ${dbUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${dbPassword}'"
+      ${pgbin}/createdb --owner "${dbUser}" "${dbName}"
+      ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
     fi
   '';
 in
@@ -73,15 +72,26 @@ in
 
     services.postgresql.enable = true;
 
+    systemd.services.miniflux-dbsetup = {
+      description = "Miniflux database setup";
+      wantedBy = [ "multi-user.target" ];
+      requires = [ "postgresql.service" ];
+      after = [ "network.target" "postgresql.service" ];
+      serviceConfig = {
+        Type = "oneshot";
+        User = config.services.postgresql.superUser;
+        ExecStart = preStart;
+      };
+    };
+
     systemd.services.miniflux = {
       description = "Miniflux service";
       wantedBy = [ "multi-user.target" ];
       requires = [ "postgresql.service" ];
-      after = [ "network.target" "postgresql.service" ];
+      after = [ "network.target" "postgresql.service" "miniflux-dbsetup.service" ];
 
       serviceConfig = {
         ExecStart = "${pkgs.miniflux}/bin/miniflux";
-        ExecStartPre = "+${preStart}";
         DynamicUser = true;
         RuntimeDirectory = "miniflux";
         RuntimeDirectoryMode = "0700";

nixos/tests/all-tests.nix

@@ -84,6 +84,7 @@ in
   couchdb = handleTest ./couchdb.nix {};
   cri-o = handleTestOn ["x86_64-linux"] ./cri-o.nix {};
   custom-ca = handleTest ./custom-ca.nix {};
+  croc = handleTest ./croc.nix {};
   deluge = handleTest ./deluge.nix {};
   dhparams = handleTest ./dhparams.nix {};
   dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {};

nixos/tests/croc.nix

@@ -0,0 +1,51 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+let
+  client = { pkgs, ... }: {
+    environment.systemPackages = [ pkgs.croc ];
+  };
+  pass = pkgs.writeText "pass" "PassRelay";
+in {
+  name = "croc";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ hax404 julm ];
+  };
+
+  nodes = {
+    relay = {
+      services.croc = {
+        enable = true;
+        pass = pass;
+        openFirewall = true;
+      };
+    };
+    sender = client;
+    receiver = client;
+  };
+
+  testScript = ''
+    start_all()
+
+    # wait until relay is up
+    relay.wait_for_unit("croc")
+    relay.wait_for_open_port(9009)
+    relay.wait_for_open_port(9010)
+    relay.wait_for_open_port(9011)
+    relay.wait_for_open_port(9012)
+    relay.wait_for_open_port(9013)
+
+    # generate testfiles and send them
+    sender.wait_for_unit("multi-user.target")
+    sender.execute("echo Hello World > testfile01.txt")
+    sender.execute("echo Hello Earth > testfile02.txt")
+    sender.execute(
+        "croc --pass ${pass} --relay relay send --code topSecret testfile01.txt testfile02.txt &"
+    )
+
+    # receive the testfiles and check them
+    receiver.succeed(
+        "croc --pass ${pass} --yes --relay relay topSecret"
+    )
+    assert "Hello World" in receiver.succeed("cat testfile01.txt")
+    assert "Hello Earth" in receiver.succeed("cat testfile02.txt")
+  '';
+})

nixos/tests/miniflux.nix

@@ -20,6 +20,13 @@ with lib;
         services.miniflux.enable = true;
       };
 
+    withoutSudo =
+      { ... }:
+      {
+        services.miniflux.enable = true;
+        security.sudo.enable = false;
+      };
+
     customized =
       { ... }:
       {
@@ -46,6 +53,13 @@ with lib;
         "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep -q '\"is_admin\":true'"
     )
 
+    withoutSudo.wait_for_unit("miniflux.service")
+    withoutSudo.wait_for_open_port(${toString defaultPort})
+    withoutSudo.succeed("curl --fail 'http://localhost:${toString defaultPort}/healthcheck' | grep -q OK")
+    withoutSudo.succeed(
+        "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep -q '\"is_admin\":true'"
+    )
+
     customized.wait_for_unit("miniflux.service")
     customized.wait_for_open_port(${toString port})
     customized.succeed("curl --fail 'http://localhost:${toString port}/healthcheck' | grep -q OK")

pkgs/applications/networking/cluster/helm/default.nix

@@ -2,15 +2,15 @@
 
 buildGoModule rec {
   pname = "helm";
-  version = "3.5.2";
+  version = "3.5.3";
 
   src = fetchFromGitHub {
     owner = "helm";
     repo = "helm";
     rev = "v${version}";
-    sha256 = "sha256-XFWJtzKQrZL6lcr8JNiEQ8ldG5289x5pE21E8XgoYkA=";
+    sha256 = "sha256-7xO07JDy6ujWlDF+5Xd3myRQ8ajTppCXz9fNe4yizVw=";
   };
-  vendorSha256 = "sha256-mjWQxCCtTgj1VCFjnuJWgDjwMt/r4jiFC9Of+CXRgPg=";
+  vendorSha256 = "sha256-lpEoUgABtJczwShNdvD+zYAPDFTJqILSei2YY6mQ2mw=";
 
   doCheck = false;
 

pkgs/development/php-packages/swoole/default.nix

@@ -0,0 +1,21 @@
+{ lib, buildPecl, php, valgrind, pcre' }:
+
+buildPecl {
+  pname = "swoole";
+
+  version = "4.6.4";
+  sha256 = "0hgndnn27q7fbsb0nw6bfdg0kyy5di9vrmf7g53jc6lsnf73ha31";
+
+  buildInputs = [ valgrind pcre' ];
+  internalDeps = lib.optionals (lib.versionOlder php.version "7.4") [ php.extensions.hash ];
+
+  doCheck = true;
+  checkTarget = "tests";
+
+  meta = with lib; {
+    description = "Coroutine-based concurrency library for PHP";
+    license = licenses.asl20;
+    homepage = "https://www.swoole.co.uk/";
+    maintainers = teams.php.members;
+  };
+}

pkgs/development/python-modules/broadlink/default.nix

@@ -1,25 +1,29 @@
-{ lib, fetchPypi, buildPythonPackage
-, cryptography, pyaes, pycrc }:
+{ lib
+, buildPythonPackage
+, fetchPypi
+, cryptography
+}:
 
 buildPythonPackage rec {
   pname = "broadlink";
-  version = "0.16.0";
+  version = "0.17.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "637dabc6f47b283b72bc521322554462da7a247f04614e458d65df8574d03a41";
+    sha256 = "bfd1ff007d0d1187c17ae52be938afc8137fbd1ed6a794426e975df10d167571";
   };
 
-  postPatch = ''
-    substituteInPlace setup.py \
-      --replace pyaes==1.6.0 pyaes
-    '';
-
-  propagatedBuildInputs = [ cryptography pyaes pycrc ];
+  propagatedBuildInputs = [
+    cryptography
+  ];
 
   # no tests available
   doCheck = false;
 
+  pythonImportsCheck = [
+    "broadlink"
+  ];
+
   meta = with lib; {
     description = "Python API for controlling Broadlink IR controllers";
     homepage =  "https://github.com/mjg59/python-broadlink";

pkgs/development/python-modules/caldav/default.nix

@@ -15,13 +15,13 @@
 
 buildPythonPackage rec {
   pname = "caldav";
-  version = "0.7.1";
+  version = "0.8.0";
 
   src = fetchFromGitHub {
     owner = "python-caldav";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1shfj67kq6qzd0ngyfk09hpzfggybcfxv5s7hqs87nq9l51bssv8";
+    sha256 = "11q3svns3a2ywfci739krxbh67cx691qja772wq22606blyygyjy";
   };
 
   nativeBuildInputs = lib.optionals (pythonOlder "3.5") [ mock ];
@@ -34,6 +34,10 @@ buildPythonPackage rec {
     tzlocal
   ];
 
+  checkPhase = ''
+    nosetests tests
+  '';
+
   # xandikos and radicale is only a optional test dependency, not available for python3
   postPatch = ''
     substituteInPlace setup.py \
@@ -45,7 +49,7 @@ buildPythonPackage rec {
 
   meta = with lib; {
     description = "This project is a CalDAV (RFC4791) client library for Python.";
-    homepage = "https://pythonhosted.org/caldav/";
+    homepage = "https://github.com/python-caldav/caldav";
     license = licenses.asl20;
     maintainers = with maintainers; [ marenz ];
     #broken = true; # requires radicale which is not packaged yet

pkgs/development/python-modules/ciscomobilityexpress/default.nix

@@ -1,20 +1,34 @@
-{ buildPythonPackage, fetchPypi, lib, requests }:
+{ lib
+, buildPythonPackage
+, fetchPypi
+, requests
+, python
+}:
 
 buildPythonPackage rec {
   pname = "ciscomobilityexpress";
-  version = "1.0.0";
+  version = "1.0.2";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "fd3fe893d8a44f5ac1d46580af88e07f1066e73744763aca4ef2226f87d575ff";
+    sha256 = "d8787245598e8371a83baa4db1df949d8a942c43f13454fa26ee3b09c3ccafc0";
   };
 
   propagatedBuildInputs = [ requests ];
 
-  meta = {
+  # tests directory is set up, but has no tests
+  checkPhase = ''
+    ${python.interpreter} -m unittest
+  '';
+
+  pythonImportsCheck = [
+    "ciscomobilityexpress"
+  ];
+
+  meta = with lib; {
     description = "Module to interact with Cisco Mobility Express APIs to fetch connected devices";
-    homepage = "https://pypi.python.org/pypi/${pname}/";
-    license = lib.licenses.mit;
-    maintainers = with lib.maintainers; [ uvnikita ];
+    homepage = "https://github.com/fbradyirl/ciscomobilityexpress";
+    license = licenses.mit;
+    maintainers = with maintainers; [ uvnikita ];
   };
 }

pkgs/development/python-modules/ddt/default.nix

@@ -1,7 +1,6 @@
 { lib
 , buildPythonPackage
 , fetchPypi
-, fetchpatch
 , six, pyyaml, mock
 , pytestCheckHook
 , enum34
@@ -10,21 +9,13 @@
 
 buildPythonPackage rec {
   pname = "ddt";
-  version = "1.4.1";
+  version = "1.4.2";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "0595e70d074e5777771a45709e99e9d215552fb1076443a25fad6b23d8bf38da";
+    sha256 = "sha256-ZKZzZqJxXmNriGlMxgdcwC2ykvAQmLjjhTl8iU05U3g=";
   };
 
-  patches = [
-    # fix tests with recent PyYAML, https://github.com/datadriventests/ddt/pull/96
-    (fetchpatch {
-      url = "https://github.com/datadriventests/ddt/commit/97f0a2315736e50f1b34a015447cd751da66ecb6.patch";
-      sha256 = "1g7l5h7m7s4yqfxlygrg7nnhb9xhz1drjld64ssi3fbsmn7klf0a";
-    })
-  ];
-
   checkInputs = [ six pyyaml mock pytestCheckHook ];
 
   propagatedBuildInputs = lib.optionals (!isPy3k) [

pkgs/development/python-modules/ntc-templates/default.nix

@@ -2,6 +2,7 @@
 , buildPythonPackage
 , fetchFromGitHub
 , isPy27
+, poetry-core
 , textfsm
 , pytestCheckHook
 , ruamel_yaml
@@ -10,22 +11,36 @@
 
 buildPythonPackage rec {
   pname = "ntc-templates";
-  version = "1.6.0";
+  version = "2.0.0";
+  format = "pyproject";
   disabled = isPy27;
 
   src = fetchFromGitHub {
     owner = "networktocode";
     repo = pname;
-    rev = "dc27599b0c5f3bb6ff23049e781b5dab2849c2c3";  # not tagged
-    sha256 = "1vg5y5c51vc9dj3b8qcffh6dz85ri11zb1azxmyvgbq86pcvbx9f";
+    rev = "v${version}";
+    sha256 = "05ifbzps9jxrrkrqybsdbm67jhynfcjc298pqkhp21q5jwnlrl72";
   };
 
-  propagatedBuildInputs = [ textfsm ];
+  nativeBuildInputs = [
+    poetry-core
+  ];
 
-  checkInputs = [ pytestCheckHook ruamel_yaml yamllint ];
+  propagatedBuildInputs = [
+    textfsm
+  ];
+
+  checkInputs = [
+    pytestCheckHook
+    ruamel_yaml
+    yamllint
+  ];
 
   # https://github.com/networktocode/ntc-templates/issues/743
-  disabledTests = [ "test_raw_data_against_mock" "test_verify_parsed_and_reference_data_exists" ];
+  disabledTests = [
+    "test_raw_data_against_mock"
+    "test_verify_parsed_and_reference_data_exists"
+  ];
 
   meta = with lib; {
     description = "TextFSM templates for parsing show commands of network devices";

pkgs/development/python-modules/plexapi/default.nix

@@ -9,14 +9,14 @@
 
 buildPythonPackage rec {
   pname = "PlexAPI";
-  version = "4.4.0";
+  version = "4.4.1";
   disabled = isPy27;
 
   src = fetchFromGitHub {
     owner = "pkkid";
     repo = "python-plexapi";
     rev = version;
-    sha256 = "0wzdzi5afncinavz5g77ximdr9y2ndzwb0gl819n0l6pnvbxdwp2";
+    sha256 = "11zarqnrpis6xpsjdvfl3pczv1l9rzbgkawkv2lhfvzlnc00d7df";
   };
 
   propagatedBuildInputs = [

pkgs/servers/home-assistant/component-packages.nix

@@ -2,7 +2,7 @@
 # Do not edit!
 
 {
-  version = "2021.3.3";
+  version = "2021.3.4";
   components = {
     "abode" = ps: with ps; [ abodepy ];
     "accuweather" = ps: with ps; [ accuweather ];

pkgs/servers/home-assistant/default.nix

@@ -66,7 +66,7 @@ let
   extraBuildInputs = extraPackages py.pkgs;
 
   # Don't forget to run parse-requirements.py after updating
-  hassVersion = "2021.3.3";
+  hassVersion = "2021.3.4";
 
 in with py.pkgs; buildPythonApplication rec {
   pname = "homeassistant";
@@ -85,7 +85,7 @@ in with py.pkgs; buildPythonApplication rec {
     owner = "home-assistant";
     repo = "core";
     rev = version;
-    sha256 = "0kfvjpzz6ynw8bwd91nm0aiw1pkrmaydwf1r93dnwi8rmzq10zpb";
+    sha256 = "110pvin39lr40zd3lhb8zvh2wafl0k0dy3nbmc483yafy31xa4kw";
   };
 
   # leave this in, so users don't have to constantly update their downstream patch handling

pkgs/top-level/all-packages.nix

@@ -18493,6 +18493,7 @@ in
     inherit (darwin.apple_sdk.frameworks) CoreServices;
     boost = boost173; # Configure checks for specific version.
     protobuf = protobuf3_7;
+    icu =  icu67;
   };
 
   mysql_jdbc = callPackage ../servers/sql/mysql/jdbc { };

pkgs/top-level/php-packages.nix

@@ -138,6 +138,8 @@ lib.makeScope pkgs.newScope (self: with self; {
 
     sqlsrv = callPackage ../development/php-packages/sqlsrv { };
 
+    swoole = callPackage ../development/php-packages/swoole { };
+
     v8 = buildPecl {
       version = "0.2.2";
       pname = "v8";