Merge master into staging-next

maintainers/maintainer-list.nix

@@ -4134,6 +4134,12 @@
     githubId = 43564;
     name = "Claes Holmerson";
   };
+  claha = {
+    email = "[email protected]";
+    github = "claha";
+    githubId = 9336788;
+    name = "Claes Hallström";
+  };
   clebs = {
     email = "[email protected]";
     github = "clebs";
@@ -24175,7 +24181,7 @@
     githubId = 47071325;
   };
   ymstnt = {
-    name = "YMSTNT";
+    name = "ymstnt";
     github = "ymstnt";
     githubId = 21342713;
   };

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -197,6 +197,8 @@
 
 - [Zapret](https://github.com/bol-van/zapret), a DPI bypass tool. Available as [services.zapret](option.html#opt-services.zapret.enable).
 
+- [Glances](https://github.com/nicolargo/glances), an open-source system cross-platform monitoring tool. Available as [services.glances](option.html#opt-services.glances).
+
 ## Backward Incompatibilities {#sec-release-24.11-incompatibilities}
 
 - Nixpkgs now requires Nix 2.3.17 or newer to allow for zstd compressed binary artifacts.

nixos/modules/module-list.nix

@@ -888,6 +888,7 @@
   ./services/monitoring/do-agent.nix
   ./services/monitoring/fusion-inventory.nix
   ./services/monitoring/gatus.nix
+  ./services/monitoring/glances.nix
   ./services/monitoring/goss.nix
   ./services/monitoring/grafana-agent.nix
   ./services/monitoring/grafana-image-renderer.nix

nixos/modules/services/monitoring/glances.md

@@ -0,0 +1,20 @@
+# Glances {#module-serives-glances}
+
+Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS
+and Windows operating systems.
+
+Visit [the Glances project page](https://github.com/nicolargo/glances) to learn
+more about it.
+
+# Quickstart {#module-serives-glances-quickstart}
+
+Use the following configuration to start a public instance of Glances locally:
+
+```nix
+{
+  services.glances = {
+    enable = true;
+    openFirewall = true;
+  };
+};
+```

nixos/modules/services/monitoring/glances.nix

@@ -0,0 +1,110 @@
+{
+  pkgs,
+  config,
+  lib,
+  utils,
+  ...
+}:
+let
+  cfg = config.services.glances;
+
+  inherit (lib)
+    getExe
+    maintainers
+    mkEnableOption
+    mkOption
+    mkIf
+    mkPackageOption
+    ;
+
+  inherit (lib.types)
+    bool
+    listOf
+    port
+    str
+    ;
+
+  inherit (utils)
+    escapeSystemdExecArgs
+    ;
+
+in
+{
+  options.services.glances = {
+    enable = mkEnableOption "Glances";
+
+    package = mkPackageOption pkgs "glances" { };
+
+    port = mkOption {
+      description = "Port the server will isten on.";
+      type = port;
+      default = 61208;
+    };
+
+    openFirewall = mkOption {
+      description = "Open port in the firewall for glances.";
+      type = bool;
+      default = false;
+    };
+
+    extraArgs = mkOption {
+      type = listOf str;
+      default = [ "--webserver" ];
+      example = [
+        "--webserver"
+        "--disable-webui"
+      ];
+      description = ''
+        Extra command-line arguments to pass to glances.
+
+        See https://glances.readthedocs.io/en/latest/cmds.html for all available options.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    environment.systemPackages = [ cfg.package ];
+
+    systemd.services."glances" = {
+      description = "Glances";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        DynamicUser = true;
+        ExecStart = "${getExe cfg.package} --port ${toString cfg.port} ${escapeSystemdExecArgs cfg.extraArgs}";
+        Restart = "on-failure";
+
+        NoNewPrivileges = true;
+        ProtectSystem = "full";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        MemoryDenyWriteExecute = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+          "AF_UNIX"
+        ];
+        LockPersonality = true;
+        RestrictRealtime = true;
+        ProtectClock = true;
+        ReadWritePaths = [ "/var/log" ];
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+        SystemCallFilter = [ "@system-service" ];
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
+  };
+
+  meta.maintainers = with maintainers; [ claha ];
+}

nixos/tests/all-tests.nix

@@ -383,6 +383,7 @@ in {
   gitolite = handleTest ./gitolite.nix {};
   gitolite-fcgiwrap = handleTest ./gitolite-fcgiwrap.nix {};
   glance = runTest ./glance.nix;
+  glances = runTest ./glances.nix;
   glusterfs = handleTest ./glusterfs.nix {};
   gnome = handleTest ./gnome.nix {};
   gnome-extensions = handleTest ./gnome-extensions.nix {};

nixos/tests/glances.nix

@@ -0,0 +1,36 @@
+{ lib, ... }:
+
+{
+  name = "glances";
+
+  nodes = {
+    machine_default =
+      { pkgs, ... }:
+      {
+        services.glances = {
+          enable = true;
+        };
+      };
+
+    machine_custom_port =
+      { pkgs, ... }:
+      {
+        services.glances = {
+          enable = true;
+          port = 5678;
+        };
+      };
+  };
+
+  testScript = ''
+    machine_default.start()
+    machine_default.wait_for_unit("glances.service")
+    machine_default.wait_for_open_port(61208)
+
+    machine_custom_port.start()
+    machine_custom_port.wait_for_unit("glances.service")
+    machine_custom_port.wait_for_open_port(5678)
+  '';
+
+  meta.maintainers = [ lib.maintainers.claha ];
+}

pkgs/applications/audio/bitwig-studio/bitwig-studio3.nix

@@ -70,5 +70,6 @@ stdenv.mkDerivation rec {
     license = licenses.unfree;
     platforms = [ "x86_64-linux" ];
     maintainers = with maintainers; [ bfortz michalrus mrVanDalo ];
+    sourceProvenance = [ lib.sourceTypes.binaryNativeCode ];
   };
 }

pkgs/applications/audio/bitwig-studio/bitwig-studio4.nix

@@ -116,5 +116,6 @@ stdenv.mkDerivation rec {
     license = licenses.unfree;
     platforms = [ "x86_64-linux" ];
     maintainers = with maintainers; [ bfortz michalrus mrVanDalo ];
+    sourceProvenance = [ lib.sourceTypes.binaryNativeCode ];
   };
 }

pkgs/applications/audio/bitwig-studio/bitwig-studio5.nix

@@ -131,5 +131,6 @@ stdenv.mkDerivation rec {
     license = licenses.unfree;
     platforms = [ "x86_64-linux" ];
     maintainers = with maintainers; [ bfortz michalrus mrVanDalo ];
+    sourceProvenance = [ lib.sourceTypes.binaryNativeCode ];
   };
 }

pkgs/applications/audio/pianoteq/default.nix

@@ -103,6 +103,7 @@ let
         inherit mainProgram;
         platforms = [ "x86_64-linux" "aarch64-linux" ];
         maintainers = with maintainers; [ mausch ners ];
+        sourceProvenance = [ lib.sourceTypes.binaryNativeCode ];
       };
     };
 

pkgs/applications/editors/android-studio/common.nix

@@ -294,6 +294,7 @@ let
         dev = stable;
       }."${channel}";
       mainProgram = pname;
+      sourceProvenance = [ lib.sourceTypes.binaryNativeCode ];
     };
   }
   ''

pkgs/applications/editors/vscode/extensions/ms-vscode.cpptools/default.nix

@@ -129,5 +129,6 @@ vscode-utils.buildVscodeMarketplaceExtension {
       "x86_64-linux"
       "aarch64-linux"
     ];
+    sourceProvenance = [ lib.sourceTypes.binaryNativeCode ];
   };
 }

pkgs/applications/system/glances/default.nix

@@ -8,6 +8,8 @@
   packaging,
   psutil,
   setuptools,
+  pydantic,
+  nixosTests,
   # Optional dependencies:
   fastapi,
   jinja2,
@@ -69,6 +71,10 @@ buildPythonApplication rec {
     prometheus-client
   ] ++ lib.optional stdenv.hostPlatform.isLinux hddtemp;
 
+  passthru.tests = {
+    service = nixosTests.glances;
+  };
+
   meta = {
     homepage = "https://nicolargo.github.io/glances/";
     description = "Cross-platform curses-based monitoring tool";

pkgs/applications/virtualization/lima/default.nix

@@ -4,32 +4,33 @@
 , fetchFromGitHub
 , installShellFiles
 , qemu
-, xcbuild
 , sigtool
 , makeWrapper
+, nix-update-script
+, apple-sdk_15
 }:
 
 buildGoModule rec {
   pname = "lima";
-  version = "0.22.0";
+  version = "1.0.1";
 
   src = fetchFromGitHub {
     owner = "lima-vm";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-ZX2FSZz9q56zWPSHPvXUOf2lzBupjgdTXgWpH1SBJY8=";
+    sha256 = "sha256-XYB8Nxbs76xmiiZ7IYfgn+UgUr6CLOalQrl6Ibo+DRc=";
   };
 
-  vendorHash = "sha256-P0Qnfu/cqLveAwz9jf/wTXxkoh0jvazlE5C/PcUrWsA=";
+  vendorHash = "sha256-nNSBwvhKSWs6to37+RLziYQqVOYfvjYib3fRRALACho=";
 
   nativeBuildInputs = [ makeWrapper installShellFiles ]
-    ++ lib.optionals stdenv.hostPlatform.isDarwin [ xcbuild.xcrun sigtool ];
+    ++ lib.optionals stdenv.hostPlatform.isDarwin [ sigtool ];
+
+  buildInputs = lib.optionals stdenv.hostPlatform.isDarwin [ apple-sdk_15 ];
 
-  # clean fails with read only vendor dir
   postPatch = ''
     substituteInPlace Makefile \
-      --replace 'binaries: clean' 'binaries:' \
-      --replace 'codesign --entitlements vz.entitlements -s -' 'codesign --force --entitlements vz.entitlements -s -'
+      --replace-fail 'codesign -f -v --entitlements vz.entitlements -s -' 'codesign -f --entitlements vz.entitlements -s -'
   '';
 
   # It attaches entitlements with codesign and strip removes those,
@@ -57,9 +58,11 @@ buildGoModule rec {
 
   doInstallCheck = true;
   installCheckPhase = ''
-    USER=nix $out/bin/limactl validate examples/default.yaml
+    USER=nix $out/bin/limactl validate templates/default.yaml
   '';
 
+  passthru.updateScript = nix-update-script { };
+
   meta = with lib; {
     homepage = "https://github.com/lima-vm/lima";
     description = "Linux virtual machines (on macOS, in most cases)";