Merge master into staging-next

2022-08-26 12:01:48 +00:00 · 2022-08-26 12:01:48 +00:00 · d944d69ed2
parent a92964ec5d cef50cde2b
commit d944d69ed2
37 changed files with 315 additions and 62 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@ -470,6 +470,12 @@
          guide</link> on how to migrate your Neo4j instance.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          The <literal>services.matrix-synapse</literal> systemd unit
+          has been hardened.
+        </para>
+      </listitem>
      <listitem>
        <para>
          Matrix Synapse now requires entries in the
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@ -164,6 +164,8 @@ Use `configure.packages` instead.

 - Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance.

+- The `services.matrix-synapse` systemd unit has been hardened.
+
 - Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.

 - The `diamond` package has been update from 0.8.36 to 2.0.15. See the [upstream release notes](https://github.com/bbuchfink/diamond/releases) for more details.
--- a/nixos/modules/services/matrix/synapse.nix
+++ b/nixos/modules/services/matrix/synapse.nix
@ -759,6 +759,33 @@ in {
        ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
        Restart = "on-failure";
        UMask = "0077";
+
+        # Security Hardening
+        # Refer to systemd.exec(5) for option descriptions.
+        CapabilityBoundingSet = [ "" ];
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        ReadWritePaths = [ cfg.dataDir ];
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
      };
    };

--- a/nixos/modules/services/web-apps/hedgedoc.nix
+++ b/nixos/modules/services/web-apps/hedgedoc.nix
@ -933,6 +933,14 @@ in
                Required group names.
              '';
            };
+            providerName = mkOption {
+              type = types.str;
+              default = "";
+              example = "My institution";
+              description = lib.mdDoc ''
+                Optional name to be displayed at login form indicating the SAML provider.
+              '';
+            };
            attribute = {
              id = mkOption {
                type = types.str;
--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@ -451,6 +451,7 @@ let
          "Multicast"
          "AllMulticast"
          "Unmanaged"
+          "Group"
          "RequiredForOnline"
          "RequiredFamilyForOnline"
          "ActivationPolicy"
@ -463,6 +464,8 @@ let
        (assertValueOneOf "AllMulticast" boolValues)
        (assertValueOneOf "Promiscuous" boolValues)
        (assertValueOneOf "Unmanaged" boolValues)
+        (assertInt "Group")
+        (assertRange "Group" 0 2147483647)
        (assertValueOneOf "RequiredForOnline" (boolValues ++ [
          "missing"
          "off"
@ -800,10 +803,12 @@ let

      sectionDHCPServer = checkUnitConfig "DHCPServer" [
        (assertOnlyFields [
+          "ServerAddress"
          "PoolOffset"
          "PoolSize"
          "DefaultLeaseTimeSec"
          "MaxLeaseTimeSec"
+          "UplinkInterface"
          "EmitDNS"
          "DNS"
          "EmitNTP"
@ -817,10 +822,15 @@ let
          "EmitLPR"
          "LPR"
          "EmitRouter"
+          "Router"
          "EmitTimezone"
          "Timezone"
          "SendOption"
          "SendVendorOption"
+          "BindToInterface"
+          "RelayTarget"
+          "RelayAgentCircuitId"
+          "RelayAgentRemoteId"
        ])
        (assertInt "PoolOffset")
        (assertMinimum "PoolOffset" 0)
@ -834,6 +844,7 @@ let
        (assertValueOneOf "EmitLPR" boolValues)
        (assertValueOneOf "EmitRouter" boolValues)
        (assertValueOneOf "EmitTimezone" boolValues)
+        (assertValueOneOf "BindToInterface" boolValues)
      ];

      sectionIPv6SendRA = checkUnitConfig "IPv6SendRA" [
@ -842,6 +853,7 @@ let
          "OtherInformation"
          "RouterLifetimeSec"
          "RouterPreference"
+          "UplinkInterface"
          "EmitDNS"
          "DNS"
          "EmitDomains"
--- a/pkgs/applications/blockchains/aeon/default.nix
+++ b/pkgs/applications/blockchains/aeon/default.nix
@ -4,7 +4,7 @@
 }:

 let
-  version = "0.14.1.0";
+  version = "0.14.2.2";
 in
 stdenv.mkDerivation {
  pname = "aeon";
@ -15,7 +15,7 @@ stdenv.mkDerivation {
    repo = "aeon";
    rev = "v${version}-aeon";
    fetchSubmodules = true;
-    sha256 = "sha256-yej4w/2m9YXsMobqHwzA5GBbduhaeTVvmnHUJNWX87E=";
+    sha256 = "sha256-2MptLS12CUm9eUKm+V+yYpbLVwNyZeZ5HvAFyjEc4R4=";
  };

  nativeBuildInputs = [ cmake pkg-config git doxygen graphviz ];
--- a/pkgs/applications/networking/cluster/k3s/default.nix
+++ b/pkgs/applications/networking/cluster/k3s/default.nix
@ -46,10 +46,10 @@ with lib;
 # Those pieces of software we entirely ignore upstream's handling of, and just
 # make sure they're in the path if desired.
 let
-  k3sVersion = "1.24.3+k3s1";     # k3s git tag
-  k3sCommit = "990ba0e88c90f8ed8b50e0ccd375937b841b176e"; # k3s git commit at the above version
-  k3sRepoSha256 = "0slw2j7d7ccj7k9z06l5ch3nxi07jbm6xijs774hisyv25jx94rd";
-  k3sVendorSha256 = "sha256-8jWpTUE/tJf2qpFjdsV+0i8hRf6JqATwr/YbXrZa/iA=";
+  k3sVersion = "1.24.4+k3s1";     # k3s git tag
+  k3sCommit = "c3f830e9b9ed8a4d9d0e2aa663b4591b923a296e"; # k3s git commit at the above version
+  k3sRepoSha256 = "00ns6n7jxnacah8ahndhgdb160prgsqhswbb5809kkgvig7k8b27";
+  k3sVendorSha256 = "sha256-ReZvJCgxqffG2H39JlynGPUBSV5ngPkRtAoZ++OQZZI=";

  # taken from ./manifests/traefik.yaml, extracted from '.spec.chart' https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/download#L9
  # The 'patch' and 'minor' versions are currently hardcoded as single digits only, so ignore the trailing two digits. Weird, I know.
--- a/pkgs/applications/networking/cluster/nomad-driver-podman/default.nix
+++ b/pkgs/applications/networking/cluster/nomad-driver-podman/default.nix
@ -2,16 +2,16 @@

 buildGoModule rec {
  pname = "nomad-driver-podman";
-  version = "0.3.0";
+  version = "0.4.0";

  src = fetchFromGitHub {
    owner = "hashicorp";
    repo = pname;
    rev = "v${version}";
-    sha256 = "sha256-aVmXtYIquG0acVlbwNmgXUpuOgpsfMmfbnb5md9CN5w=";
+    sha256 = "sha256-33hyMKwU04ywXKv4JEhRvEbe2DWQEAQ0moy6zypXdpU=";
  };

-  vendorSha256 = "sha256-QXAXDoYN5egl5y0YV4/7yh5K0tjzjN5vRJRHyI8eU2E=";
+  vendorSha256 = "sha256-5PQIWSGSR5vizWEsResBLd//yWs99o/bj5DVpRMBwhA=";

  subPackages = [ "." ];

--- a/pkgs/applications/version-management/git-and-tools/tig/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/tig/default.nix
@ -4,13 +4,13 @@

 stdenv.mkDerivation rec {
  pname = "tig";
-  version = "2.5.6";
+  version = "2.5.7";

  src = fetchFromGitHub {
    owner = "jonas";
    repo = pname;
    rev = "${pname}-${version}";
-    sha256 = "sha256-WJtva3LbzVqtcAt0kmnti3RZTPg/CBjk6JQYa2VzpSQ=";
+    sha256 = "sha256-D5NQaxkGhwyBoScI7fZxnSHC0ABmsUeRf8pZCKooV3w=";
  };

  nativeBuildInputs = [ makeWrapper autoreconfHook asciidoc xmlto docbook_xsl docbook_xml_dtd_45 findXMLCatalogs pkg-config ];
--- a/pkgs/build-support/writers/default.nix
+++ b/pkgs/build-support/writers/default.nix
@ -237,7 +237,7 @@ let
  # makePythonWriter takes python and compatible pythonPackages and produces python script writer,
  # which validates the script with flake8 at build time. If any libraries are specified,
  # python.withPackages is used as interpreter, otherwise the "bare" python is used.
-  makePythonWriter = python: pythonPackages: name: { libraries ? [], flakeIgnore ? [] }:
+  makePythonWriter = python: pythonPackages: buildPythonPackages: name: { libraries ? [], flakeIgnore ? [] }:
  let
    ignoreAttribute = optionalString (flakeIgnore != []) "--ignore ${concatMapStringsSep "," escapeShellArg flakeIgnore}";
  in
@ -248,7 +248,7 @@ let
      else "${python.withPackages (ps: libraries)}/bin/python"
    ;
    check = optionalString python.isPy3k (writeDash "pythoncheck.sh" ''
-      exec ${pythonPackages.flake8}/bin/flake8 --show-source ${ignoreAttribute} "$1"
+      exec ${buildPythonPackages.flake8}/bin/flake8 --show-source ${ignoreAttribute} "$1"
    '');
  } name;

@ -264,7 +264,7 @@ let
  #
  #   print Test.a
  # ''
-  writePyPy2 = makePythonWriter pkgs.pypy2 pkgs.pypy2Packages;
+  writePyPy2 = makePythonWriter pkgs.pypy2 pkgs.pypy2Packages buildPackages.pypy2Packages;

  # writePyPy2Bin takes the same arguments as writePyPy2 but outputs a directory (like writeScriptBin)
  writePyPy2Bin = name:
@ -282,7 +282,7 @@ let
  #   """)
  #   print(y[0]['test'])
  # ''
-  writePython3 = makePythonWriter pkgs.python3 pkgs.python3Packages;
+  writePython3 = makePythonWriter pkgs.python3 pkgs.python3Packages buildPackages.python3Packages;

  # writePython3Bin takes the same arguments as writePython3 but outputs a directory (like writeScriptBin)
  writePython3Bin = name:
@ -300,7 +300,7 @@ let
  #   """)
  #   print(y[0]['test'])
  # ''
-  writePyPy3 = makePythonWriter pkgs.pypy3 pkgs.pypy3Packages;
+  writePyPy3 = makePythonWriter pkgs.pypy3 pkgs.pypy3Packages buildPackages.pypy3Packages;

  # writePyPy3Bin takes the same arguments as writePyPy3 but outputs a directory (like writeScriptBin)
  writePyPy3Bin = name:
--- a/pkgs/development/compilers/aspectj/default.nix
+++ b/pkgs/development/compilers/aspectj/default.nix
@ -2,14 +2,14 @@

 stdenv.mkDerivation rec {
  pname = "aspectj";
-  version = "1.9.7";
+  version = "1.9.9.1";
  builder = ./builder.sh;

  src = let
    versionSnakeCase = builtins.replaceStrings ["."] ["_"] version;
  in fetchurl {
    url = "https://github.com/eclipse/org.aspectj/releases/download/V${versionSnakeCase}/aspectj-${version}.jar";
-    sha256 = "sha256-xrg88nLOcagaAsFSnnYChhlv6EKhdBqkJJTDzhUBvTo=";
+    sha256 = "sha256-kiMQuEPXoSpHUiInkfYsrfCAcSc6mX42TRIBbeIQhWs=";
  };

  inherit jre;
--- a/pkgs/development/libraries/alkimia/default.nix
+++ b/pkgs/development/libraries/alkimia/default.nix
@ -5,11 +5,11 @@

 mkDerivation rec {
  pname = "alkimia";
-  version = "8.1.0";
+  version = "8.1.1";

  src = fetchurl {
    url = "mirror://kde/stable/alkimia/${version}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-kWgHNScHsEkM3ZymVoLv9zsAylIwKb2m/nonSaG8knw=";
+    sha256 = "sha256-lXrcY8C+VN1DPjJoo3MjvlRW5auE7OJ/c6FhapLbhtU=";
  };

  nativeBuildInputs = [ extra-cmake-modules doxygen graphviz ];
--- a/pkgs/development/libraries/flatcc/default.nix
+++ b/pkgs/development/libraries/flatcc/default.nix
@ -5,13 +5,13 @@

 stdenv.mkDerivation rec {
  pname = "flatcc";
-  version = "0.6.0";
+  version = "0.6.1";

  src = fetchFromGitHub {
    owner = "dvidelabs";
    repo = "flatcc";
    rev = "v${version}";
-    sha256 = "0cy79swgdbaf3zmsaqa6gz3b0fad2yqawwcnsipnpl9d8hn1linm";
+    sha256 = "sha256-0/IZ7eX6b4PTnlSSdoOH0FsORGK9hrLr1zlr/IHsJFQ=";
  };

  nativeBuildInputs = [ cmake ];
@ -26,9 +26,10 @@ stdenv.mkDerivation rec {
    "-Wno-error=stringop-overflow"
  ];

-  meta = {
+  meta = with lib; {
    description = "FlatBuffers Compiler and Library in C for C ";
    homepage = "https://github.com/dvidelabs/flatcc";
-    license = [ lib.licenses.asl20 ];
+    license = [ licenses.asl20 ];
+    maintainers = with maintainers; [ onny ];
  };
 }
--- a/pkgs/development/python-modules/aliyun-python-sdk-iot/default.nix
+++ b/pkgs/development/python-modules/aliyun-python-sdk-iot/default.nix
@ -7,14 +7,14 @@

 buildPythonPackage rec {
  pname = "aliyun-python-sdk-iot";
-  version = "8.41.0";
+  version = "8.42.0";
  format = "setuptools";

  disabled = pythonOlder "3.7";

  src = fetchPypi {
    inherit pname version;
-    hash = "sha256-t/SIEW1JMTyeOhhxx6IhLsbQa0D3aqD2hqGk8+Ka0ns=";
+    hash = "sha256-pp1objaT0Galxz91V1OoMfogYQyZ1lZC6XGFd4wSTq8=";
  };

  propagatedBuildInputs = [
--- a/pkgs/development/python-modules/bthome-ble/default.nix
+++ b/pkgs/development/python-modules/bthome-ble/default.nix
@ -1,4 +1,5 @@
 { lib
+, bluetooth-data-tools
 , bluetooth-sensor-state-data
 , buildPythonPackage
 , fetchFromGitHub
@ -11,7 +12,7 @@

 buildPythonPackage rec {
  pname = "bthome-ble";
-  version = "0.3.6";
+  version = "0.3.8";
  format = "pyproject";

  disabled = pythonOlder "3.9";
@ -20,7 +21,7 @@ buildPythonPackage rec {
    owner = "Bluetooth-Devices";
    repo = pname;
    rev = "v${version}";
-    hash = "sha256-Y8BKBi5DZYpUtcJS6lLD+dVPhtL2xavQcPymVhdl7Zw=";
+    hash = "sha256-J5i9r2bZtiEOqkQJ6yhTWboqvgo2gsi8z6XeyxtHwSw=";
  };

  nativeBuildInputs = [
@ -28,6 +29,7 @@ buildPythonPackage rec {
  ];

  propagatedBuildInputs = [
+    bluetooth-data-tools
    bluetooth-sensor-state-data
    sensor-state-data
    pycryptodomex
--- a/pkgs/development/python-modules/peaqevcore/default.nix
+++ b/pkgs/development/python-modules/peaqevcore/default.nix
@ -6,14 +6,14 @@

 buildPythonPackage rec {
  pname = "peaqevcore";
-  version = "5.12.0";
+  version = "5.14.0";
  format = "setuptools";

  disabled = pythonOlder "3.7";

  src = fetchPypi {
    inherit pname version;
-    hash = "sha256-iriCCsmdHEZ/tZtCn+G2VDBFCv/DvBjPEO6aW7YmL3M=";
+    hash = "sha256-YDdQ/q/QyR9vgY0jteAfQg6A4oCPKjFLySt/g74+eyw=";
  };

  postPatch = ''
--- a/pkgs/development/python-modules/pymicrobot/default.nix
+++ b/pkgs/development/python-modules/pymicrobot/default.nix
@ -8,7 +8,7 @@

 buildPythonPackage rec {
  pname = "pymicrobot";
-  version = "0.0.4";
+  version = "0.0.5";
  format = "setuptools";

  disabled = pythonOlder "3.9";
@ -16,7 +16,7 @@ buildPythonPackage rec {
  src = fetchPypi {
    pname = "PyMicroBot";
    inherit version;
-    hash = "sha256-lNrohVQruFAtrzTxJ6qEZ8tVM5fgrCRAG7WXJSKMRFs=";
+    hash = "sha256-k+xefVwswTL6ww0k4D6nScjUKUOxOQloXUOZ75S+sbY=";
  };

  propagatedBuildInputs = [
--- a/pkgs/development/python-modules/pyunifiprotect/default.nix
+++ b/pkgs/development/python-modules/pyunifiprotect/default.nix
@ -26,7 +26,7 @@

 buildPythonPackage rec {
  pname = "pyunifiprotect";
-  version = "4.1.3";
+  version = "4.1.7";
  format = "pyproject";

  disabled = pythonOlder "3.9";
@ -35,7 +35,7 @@ buildPythonPackage rec {
    owner = "briis";
    repo = pname;
    rev = "refs/tags/v${version}";
-    hash = "sha256-tZo8+McpnJ1gekghtgH6m5w7nmVWB8CTxz5RGHv3xtE=";
+    hash = "sha256-FaH1fNNWQAe9hLrbLf0TCfcjY6MDmHrsmo3LaEsN3W4=";
  };

  propagatedBuildInputs = [
--- a/pkgs/development/python-modules/qingping-ble/default.nix
+++ b/pkgs/development/python-modules/qingping-ble/default.nix
@ -1,4 +1,5 @@
 { lib
+, bluetooth-data-tools
 , bluetooth-sensor-state-data
 , buildPythonPackage
 , fetchFromGitHub
@ -10,7 +11,7 @@

 buildPythonPackage rec {
  pname = "qingping-ble";
-  version = "0.3.0";
+  version = "0.6.1";
  format = "pyproject";

  disabled = pythonOlder "3.9";
@ -19,7 +20,7 @@ buildPythonPackage rec {
    owner = "bluetooth-devices";
    repo = pname;
    rev = "v${version}";
-    hash = "sha256-EZH6G/dvXU1sVH3pYoJeQQkJD1xMKuqb3omCVhHTS0A=";
+    hash = "sha256-0fa5KocDyy3JL7gohbbBghXwbCzbcjK4pVM+zckboHc=";
  };

  nativeBuildInputs = [
@ -27,6 +28,7 @@ buildPythonPackage rec {
  ];

  propagatedBuildInputs = [
+    bluetooth-data-tools
    bluetooth-sensor-state-data
    sensor-state-data
  ];
--- a/pkgs/development/python-modules/thermobeacon-ble/default.nix
+++ b/pkgs/development/python-modules/thermobeacon-ble/default.nix
@ -0,0 +1,55 @@
+{ lib
+, bluetooth-data-tools
+, bluetooth-sensor-state-data
+, buildPythonPackage
+, fetchFromGitHub
+, poetry-core
+, pytestCheckHook
+, pythonOlder
+, sensor-state-data
+}:
+
+buildPythonPackage rec {
+  pname = "thermobeacon-ble";
+  version = "0.3.1";
+  format = "pyproject";
+
+  disabled = pythonOlder "3.9";
+
+  src = fetchFromGitHub {
+    owner = "bluetooth-devices";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-OvSvhOcJSThKyLXHhiwEZtCrYt6+KB5iArUKjfoi2OI=";
+  };
+
+  nativeBuildInputs = [
+    poetry-core
+  ];
+
+  propagatedBuildInputs = [
+    bluetooth-data-tools
+    bluetooth-sensor-state-data
+    sensor-state-data
+  ];
+
+  checkInputs = [
+    pytestCheckHook
+  ];
+
+  postPatch = ''
+    substituteInPlace pyproject.toml \
+      --replace " --cov=thermobeacon_ble --cov-report=term-missing:skip-covered" ""
+  '';
+
+  pythonImportsCheck = [
+    "thermobeacon_ble"
+  ];
+
+  meta = with lib; {
+    description = "Library for Thermobeacon BLE devices";
+    homepage = "https://github.com/bluetooth-devices/thermobeacon-ble";
+    license = with licenses; [ mit ];
+    maintainers = with maintainers; [ fab ];
+  };
+}
--- a/pkgs/development/python-modules/thermopro-ble/default.nix
+++ b/pkgs/development/python-modules/thermopro-ble/default.nix
@ -0,0 +1,55 @@
+{ lib
+, bluetooth-data-tools
+, bluetooth-sensor-state-data
+, buildPythonPackage
+, fetchFromGitHub
+, poetry-core
+, pytestCheckHook
+, pythonOlder
+, sensor-state-data
+}:
+
+buildPythonPackage rec {
+  pname = "thermopro-ble";
+  version = "0.4.1";
+  format = "pyproject";
+
+  disabled = pythonOlder "3.9";
+
+  src = fetchFromGitHub {
+    owner = "bluetooth-devices";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-5KfR01qsSGF2ZNklhm7he9Hskk8pqC2GEmIcsB4HpRY=";
+  };
+
+  nativeBuildInputs = [
+    poetry-core
+  ];
+
+  propagatedBuildInputs = [
+    bluetooth-data-tools
+    bluetooth-sensor-state-data
+    sensor-state-data
+  ];
+
+  checkInputs = [
+    pytestCheckHook
+  ];
+
+  postPatch = ''
+    substituteInPlace pyproject.toml \
+      --replace " --cov=thermopro_ble --cov-report=term-missing:skip-covered" ""
+  '';
+
+  pythonImportsCheck = [
+    "thermopro_ble"
+  ];
+
+  meta = with lib; {
+    description = "Library for Thermopro BLE devices";
+    homepage = "https://github.com/bluetooth-devices/thermopro-ble";
+    license = with licenses; [ mit ];
+    maintainers = with maintainers; [ fab ];
+  };
+}
--- a/pkgs/development/python-modules/time-machine/default.nix
+++ b/pkgs/development/python-modules/time-machine/default.nix
@ -10,7 +10,7 @@

 buildPythonPackage rec {
  pname = "time-machine";
-  version = "2.8.0";
+  version = "2.8.1";
  format = "setuptools";

  disabled = pythonOlder "3.7";
@ -19,7 +19,7 @@ buildPythonPackage rec {
    owner = "adamchainz";
    repo = pname;
    rev = version;
-    sha256 = "sha256-L/03H91iZTyaB8vY0FGVu9iaesISAFHLIZliHI1NixI=";
+    sha256 = "sha256-65jX6R3tZ5guouEug/mClvNqg0LE4v9OGzCL0eFyqsA=";
  };

  propagatedBuildInputs = [
--- a/pkgs/development/tools/eclint/default.nix
+++ b/pkgs/development/tools/eclint/default.nix
@ -0,0 +1,26 @@
+{ lib
+, buildGoModule
+, fetchFromGitLab
+}:
+
+buildGoModule
+rec {
+  pname = "eclint";
+  version = "0.3.4";
+
+  src = fetchFromGitLab {
+    owner = "greut";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-inO41C/Ompyfy4CHPK4ksNU19KIcGyPgF/ptZC0GWXg=";
+  };
+
+  vendorSha256 = "sha256-imVQnPoKOjed9XlikLWvudmlJklRrLFHKtNZoAmznZg=";
+
+  meta = with lib; {
+    homepage = "https://gitlab.com/greut/eclint";
+    description = "EditorConfig linter written in Go";
+    license = licenses.mit;
+    maintainers = with maintainers; [ lucperkins ];
+  };
+}
--- a/pkgs/os-specific/linux/kernel/linux-4.14.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.14.nix
@ -3,7 +3,7 @@
 with lib;

 buildLinux (args // rec {
-  version = "4.14.290";
+  version = "4.14.291";

  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@ -13,6 +13,6 @@ buildLinux (args // rec {

  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "0zyxb99a7fa2l85vnzmvg2nry99clj20d4j38piqm921iqxak2j4";
+    sha256 = "15h76l81zn733g8dc6gsymf52nz325plhminv3m4x3klwhav34zc";
  };
 } // (args.argsOverride or {}))
--- a/pkgs/os-specific/linux/kernel/linux-4.19.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.19.nix
@ -3,7 +3,7 @@
 with lib;

 buildLinux (args // rec {
-  version = "4.19.255";
+  version = "4.19.256";

  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@ -13,6 +13,6 @@ buildLinux (args // rec {

  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "0hwa3g09cmllc2z01s2jqbczpznzdp3ldngx18k5c2ac7w394fbp";
+    sha256 = "0jgm7ydha9achbcq3a6q85wq1nz4qg7phx122jzk0mqb1339bpk7";
  };
 } // (args.argsOverride or {}))
--- a/pkgs/os-specific/linux/kernel/linux-4.9.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.9.nix
@ -1,12 +1,12 @@
 { buildPackages, fetchurl, perl, buildLinux, nixosTests, stdenv, ... } @ args:

 buildLinux (args // rec {
-  version = "4.9.325";
+  version = "4.9.326";
  extraMeta.branch = "4.9";
  extraMeta.broken = stdenv.isAarch64;

  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "04msx0x0d8v93zjr3jj0qqkgg7m4hb7rj6hk5vzrzasmgbjmb3dl";
+    sha256 = "0yw83a8nk5abjsvqrz8m2sj699c228j2f2wr5q8m95vgqzfw5wrb";
  };
 } // (args.argsOverride or {}))
--- a/pkgs/os-specific/linux/kernel/linux-5.10.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.10.nix
@ -3,7 +3,7 @@
 with lib;

 buildLinux (args // rec {
-  version = "5.10.137";
+  version = "5.10.138";

  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@ -13,6 +13,6 @@ buildLinux (args // rec {

  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "1j0n2r793pkvymjc70fzqwqi6h2j1wkja2kx012ydmsk2i6wssy1";
+    sha256 = "1a2vmcqzi71w88j79lxsrgyycq1l1gxp0cvh5ya4afhfisxh7819";
  };
 } // (args.argsOverride or {}))
--- a/pkgs/os-specific/linux/kernel/linux-5.15.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.15.nix
@ -3,7 +3,7 @@
 with lib;

 buildLinux (args // rec {
-  version = "5.15.62";
+  version = "5.15.63";

  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@ -13,6 +13,6 @@ buildLinux (args // rec {

  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "0hgiag3mvdlcr6ckfy4bdr7h4471zqi53ahfybdvdkapivg7r086";
+    sha256 = "0hbkxgadz0vcslni4r46yc202wcnxblcfvkcph1017b2b8gcvlvd";
  };
 } // (args.argsOverride or { }))
--- a/pkgs/os-specific/linux/kernel/linux-5.19.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.19.nix
@ -3,7 +3,7 @@
 with lib;

 buildLinux (args // rec {
-  version = "5.19.3";
+  version = "5.19.4";

  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@ -13,6 +13,6 @@ buildLinux (args // rec {

  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "08978hjl4khc0v8nb8wvrjnc8x8csvpf7airawpb4pvg0rrdcfsi";
+    sha256 = "11xzz5glbc7p3j9mhv6dvi9iv345ykpyihm8mby8vyas12bln8d9";
  };
 } // (args.argsOverride or { }))
--- a/pkgs/os-specific/linux/kernel/linux-5.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.4.nix
@ -3,7 +3,7 @@
 with lib;

 buildLinux (args // rec {
-  version = "5.4.210";
+  version = "5.4.211";

  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@ -13,6 +13,6 @@ buildLinux (args // rec {

  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "13l8zh5balciqhi4k4328sznza30v8g871wxcqqka61cij3rc0wl";
+    sha256 = "1v1dgsk66fi6x6v9k6hg9ik3f3b3pv7a3gk8mybmgm9cnx0k5d5z";
  };
 } // (args.argsOverride or {}))
--- a/pkgs/os-specific/linux/kernel/linux-libre.nix
+++ b/pkgs/os-specific/linux/kernel/linux-libre.nix
@ -1,8 +1,8 @@
 { stdenv, lib, fetchsvn, linux
 , scripts ? fetchsvn {
    url = "https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/";
-    rev = "18880";
-    sha256 = "1h5r57iv71hhx5w85m04c17dslib1rlymanbn23ll9qslv5ag4gn";
+    rev = "18885";
+    sha256 = "1ywd4bhjh6pqxvv20jgadmyvrcrdwf8333z8rzbjy6r0b4fggpra";
  }
 , ...
 }:
--- a/pkgs/tools/misc/cloud-sql-proxy/default.nix
+++ b/pkgs/tools/misc/cloud-sql-proxy/default.nix
@ -2,18 +2,18 @@

 buildGoModule rec {
  pname = "cloud-sql-proxy";
-  version = "1.30.0";
+  version = "1.31.2";

  src = fetchFromGitHub {
    owner = "GoogleCloudPlatform";
    repo = "cloudsql-proxy";
    rev = "v${version}";
-    sha256 = "sha256-EbUIzAKMqCLsz8rBMWCvw00j6VX2ZYEMtNsMEx30kBU=";
+    sha256 = "sha256-wlMwl1S9WKtCoruKhMVK1197/3/OWhvvXTT1tH/yPlI=";
  };

  subPackages = [ "cmd/cloud_sql_proxy" ];

-  vendorSha256 = "sha256-yxqLGDqdu9vX3ykHq7Kzf8oBH1ydltZkiWNWWM2l0Aw=";
+  vendorSha256 = "sha256-OMvu0LCYv0Z03ZM2o8UZx/Su2rdvTJp5DUZa8/MtQSc=";

  preCheck = ''
    buildFlagsArray+="-short"
--- a/pkgs/tools/security/cosign/default.nix
+++ b/pkgs/tools/security/cosign/default.nix
@ -2,13 +2,13 @@

 buildGoModule rec {
  pname = "cosign";
-  version = "1.11.0";
+  version = "1.11.1";

  src = fetchFromGitHub {
    owner = "sigstore";
    repo = pname;
    rev = "v${version}";
-    sha256 = "sha256-fEgcxxDbSr8rVZ35MwLjT7tinQ1JuqddWRtftTjDdpY=";
+    sha256 = "sha256-LKnv/+6R/RaVdRYYdp+EqVQZtUn8SnYLCr5rqgGrq68=";
  };

  buildInputs = lib.optional (stdenv.isLinux && pivKeySupport) (lib.getDev pcsclite)
@ -16,7 +16,7 @@ buildGoModule rec {

  nativeBuildInputs = [ pkg-config installShellFiles ];

-  vendorSha256 = "sha256-AdsXijxqpsx2Mh0xAvUoie6Oy3ywnGJ1WMg9ZBLWHgc=";
+  vendorSha256 = "sha256-ao1WI8M3T/oSxYM0OrW1L3/JQf9S2C7AzE4HA6VIx5w=";

  subPackages = [
    "cmd/cosign"
--- a/pkgs/tools/security/tessen/default.nix
+++ b/pkgs/tools/security/tessen/default.nix
@ -0,0 +1,49 @@
+{ lib
+, stdenvNoCC
+, fetchFromSourcehut
+, makeWrapper
+, installShellFiles
+, wtype
+, wl-clipboard
+, pass
+, bemenu
+}:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "tessen";
+  version = "unstable-2022-08-04";
+
+  src = fetchFromSourcehut {
+    owner = "~ayushnix";
+    repo  = pname;
+    rev = "8758a09345f6eef24764de4a0efad737f12562c8";
+    sha256  = "sha256-U6obXpYzIprOJ+b3QiE+eDOq1s0DYiwM55qTga9/8TE=";
+  };
+
+  nativeBuildInputs = [ makeWrapper installShellFiles ];
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+    install -D tessen $out/bin/tessen
+    wrapProgram $out/bin/tessen --prefix PATH : ${ lib.makeBinPath [ bemenu pass wtype wl-clipboard ] }
+    runHook postInstall
+  '';
+
+  postInstall = ''
+    installManPage man/*
+    installShellCompletion --cmd tessen \
+      --bash completion/tessen.bash-completion \
+      --fish completion/tessen.fish-completion
+    install -Dm644 config $out/share/tessen/config
+  '';
+
+  meta = with lib; {
+    homepage = "https://sr.ht/~ayushnix/tessen";
+    description = "An interactive menu to autotype and copy Pass and GoPass data";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ monaaraj ];
+  };
+}
--- a/pkgs/tools/virtualization/cri-tools/default.nix
+++ b/pkgs/tools/virtualization/cri-tools/default.nix
@ -6,13 +6,13 @@

 buildGoModule rec {
  pname = "cri-tools";
-  version = "1.24.2";
+  version = "1.25.0";

  src = fetchFromGitHub {
    owner = "kubernetes-sigs";
    repo = pname;
    rev = "v${version}";
-    sha256 = "sha256-uhLaBX5vgQO/RkZUrP2uAubavq5MBvr3TRsGYchfR5s=";
+    sha256 = "sha256-soZLLDf83jmyFtiBpZR8iQMPgrnKCRJ1j8hOgty0sTQ=";
  };

  vendorSha256 = null;
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -16163,6 +16163,8 @@ with pkgs;

  easypdkprog = callPackage ../development/embedded/easypdkprog { };

+  eclint = callPackage ../development/tools/eclint { };
+
  editorconfig-checker = callPackage ../development/tools/misc/editorconfig-checker { };

  editorconfig-core-c = callPackage ../development/tools/misc/editorconfig-core-c { };
@ -31161,6 +31163,8 @@ with pkgs;

  termtosvg = callPackage ../tools/misc/termtosvg { };

+  tessen = callPackage ../tools/security/tessen { };
+
  inherit (callPackage ../applications/graphics/tesseract {
    inherit (darwin.apple_sdk.frameworks) Accelerate CoreGraphics CoreVideo;
  })
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@ -10809,6 +10809,10 @@ in {
    cudnnSupport = false;
  };

+  thermobeacon-ble = callPackage ../development/python-modules/thermobeacon-ble { };
+
+  thermopro-ble = callPackage ../development/python-modules/thermopro-ble { };
+
  thespian = callPackage ../development/python-modules/thespian { };

  thinc = callPackage ../development/python-modules/thinc {