Merge staging-next into staging

emilazy · Jan 1, 2025 · b69e95c · b69e95c
2 parents ca300e3 + 78d54a1
commit b69e95c
Show file tree

Hide file tree

Showing 51 changed files with 591 additions and 398 deletions.
diff --git a/doc/packages/build-support.md b/doc/packages/build-support.md
@@ -98,5 +98,5 @@ substituteAllFiles {
 }
 ```
 
-in the resulting derivation, every instance of `@hello@` will be replaced with `there` in `$out/foo.txt` and` `$out/bar.txt`; `baz.txt` will not be processed nor will it appear in `$out`.
+in the resulting derivation, every instance of `@hello@` will be replaced with `there` in `$out/foo.txt` and `$out/bar.txt`; `baz.txt` will not be processed nor will it appear in `$out`.
 :::
diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -127,6 +127,11 @@
 
 - `zammad` has had its support for MySQL removed, since it was never working correctly and is now deprecated upstream. Check the [migration guide](https://docs.zammad.org/en/latest/appendix/migrate-to-postgresql.html) for how to convert your database to PostgreSQL.
 
+- The `earlyoom` service is now using upstream systemd service, which enables
+  hardening and filesystem isolation by default. If you need filesystem write
+  access or want to access home directory via `killHook`, hardening setting can
+  be changed via, e.g. `systemd.services.earlyoom.serviceConfig.ProtectSystem`.
+
 - `nodePackages.vls` has been deprecated, as the upstream consumer of it, vetur, has been deprecated by upstream. Upstream suggests migrating to Volar for Vue LSP tooling instead.
 
 - `nodePackages.create-react-native-app` has been removed, as it is deprecated. Upstream suggests using a framework for React Native apps instead.

diff --git a/nixos/modules/services/backup/restic.nix b/nixos/modules/services/backup/restic.nix
@@ -412,7 +412,7 @@ in
       ]}
       PATH=${config.systemd.services."restic-backups-${name}".environment.PATH}:$PATH
 
-      exec ${resticCmd} $@
+      exec ${resticCmd} "$@"
     '') (lib.filterAttrs (_: v: v.createWrapper) config.services.restic.backups);
   };
 }
diff --git a/nixos/modules/services/system/earlyoom.nix b/nixos/modules/services/system/earlyoom.nix
@@ -1,11 +1,14 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 let
   cfg = config.services.earlyoom;
 
   inherit (lib)
-    concatStringsSep
-    escapeShellArg
     literalExpression
     mkDefault
     mkEnableOption
@@ -15,7 +18,8 @@ let
     mkRemovedOptionModule
     optionalString
     optionals
-    types;
+    types
+    ;
 in
 {
   meta = {
@@ -115,6 +119,11 @@ in
         [README](https://github.com/rfjakob/earlyoom#notifications) and
         [the man page](https://github.com/rfjakob/earlyoom/blob/master/MANPAGE.md#-n-pathtoscript)
         for details.
+
+        WARNING: earlyoom is running in a sandbox with ProtectSystem="strict"
+        by default, so filesystem write is also prohibited for the hook.
+        If you want to change these protection rules, override the systemd
+        service via `systemd.services.earlyoom.serviceConfig.ProtectSystem`.
       '';
     };
 
@@ -127,8 +136,11 @@ in
 
     extraArgs = mkOption {
       type = types.listOf types.str;
-      default = [];
-      example = [ "-g" "--prefer '(^|/)(java|chromium)$'" ];
+      default = [ ];
+      example = [
+        "-g"
+        "--prefer '(^|/)(java|chromium)$'"
+      ];
       description = "Extra command-line arguments to be passed to earlyoom.";
     };
   };
@@ -149,25 +161,33 @@ in
   config = mkIf cfg.enable {
     services.systembus-notify.enable = mkDefault cfg.enableNotifications;
 
+    systemd.packages = [ cfg.package ];
+
     systemd.services.earlyoom = {
-      description = "Early OOM Daemon for Linux";
+      overrideStrategy = "asDropin";
+
       wantedBy = [ "multi-user.target" ];
       path = optionals cfg.enableNotifications [ pkgs.dbus ];
-      serviceConfig = {
-        StandardError = "journal";
-        ExecStart = concatStringsSep " " ([
-          "${lib.getExe cfg.package}"
-          ("-m ${toString cfg.freeMemThreshold}"
-           + optionalString (cfg.freeMemKillThreshold != null) ",${toString cfg.freeMemKillThreshold}")
-          ("-s ${toString cfg.freeSwapThreshold}"
-           + optionalString (cfg.freeSwapKillThreshold != null) ",${toString cfg.freeSwapKillThreshold}")
-          "-r ${toString cfg.reportInterval}"
-        ]
-        ++ optionals cfg.enableDebugInfo [ "-d" ]
-        ++ optionals cfg.enableNotifications [ "-n" ]
-        ++ optionals (cfg.killHook != null) [ "-N ${escapeShellArg cfg.killHook}" ]
-        ++ cfg.extraArgs);
-      };
+
+      # We setup `EARLYOOM_ARGS` via drop-ins, so disable the default import
+      # from /etc/default/earlyoom.
+      serviceConfig.EnvironmentFile = "";
+
+      environment.EARLYOOM_ARGS =
+        lib.cli.toGNUCommandLineShell { } {
+          m =
+            "${toString cfg.freeMemThreshold}"
+            + optionalString (cfg.freeMemKillThreshold != null) ",${toString cfg.freeMemKillThreshold}";
+          s =
+            "${toString cfg.freeSwapThreshold}"
+            + optionalString (cfg.freeSwapKillThreshold != null) ",${toString cfg.freeSwapKillThreshold}";
+          r = "${toString cfg.reportInterval}";
+          d = cfg.enableDebugInfo;
+          n = cfg.enableNotifications;
+          N = if cfg.killHook != null then cfg.killHook else null;
+        }
+        + " "
+        + lib.escapeShellArgs cfg.extraArgs;
     };
   };
 }
diff --git a/nixos/tests/earlyoom.nix b/nixos/tests/earlyoom.nix
@@ -1,16 +1,43 @@
-import ./make-test-python.nix ({ lib, ... }: {
-  name = "earlyoom";
-  meta = {
-    maintainers = with lib.maintainers; [ ncfavier AndersonTorres ];
-  };
-
-  machine = {
-    services.earlyoom = {
-      enable = true;
+import ./make-test-python.nix (
+  { lib, ... }:
+  {
+    name = "earlyoom";
+    meta = {
+      maintainers = with lib.maintainers; [
+        ncfavier
+        AndersonTorres
+        oxalica
+      ];
     };
-  };
 
-  testScript = ''
-    machine.wait_for_unit("earlyoom.service")
-  '';
-})
+    nodes.machine =
+      { pkgs, ... }:
+      {
+        # Limit VM resource usage.
+        virtualisation.memorySize = 1024;
+
+        services.earlyoom = {
+          enable = true;
+          # Use SIGKILL, or `tail` will catch SIGTERM and exit successfully.
+          freeMemKillThreshold = 90;
+        };
+
+        systemd.services.testbloat = {
+          description = "Create a lot of memory pressure";
+          serviceConfig = {
+            ExecStart = "${pkgs.coreutils}/bin/tail /dev/zero";
+          };
+        };
+      };
+
+    testScript = ''
+      machine.wait_for_unit("earlyoom.service")
+
+      with subtest("earlyoom should kill the bad service"):
+          machine.fail("systemctl start --wait testbloat.service")
+          assert machine.get_unit_info("testbloat.service")["Result"] == "signal"
+          output = machine.succeed('journalctl -u earlyoom.service -b0')
+          assert 'low memory! at or below SIGKILL limits' in output
+    '';
+  }
+)
diff --git a/pkgs/applications/networking/browsers/ladybird/default.nix b/pkgs/applications/networking/browsers/ladybird/default.nix
@@ -48,13 +48,13 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "ladybird";
-  version = "0-unstable-2024-12-23";
+  version = "0-unstable-2024-12-30";
 
   src = fetchFromGitHub {
     owner = "LadybirdWebBrowser";
     repo = "ladybird";
-    rev = "d5bbf8dcf803c429afab76610dfba3b1ee23f0ae";
-    hash = "sha256-Kew/MFFCq6sTXt8jfXC78kpQNHAjX8cQyLWO3+MeikU=";
+    rev = "4324439006a6df1179440ce4f415b67658919957";
+    hash = "sha256-vg2Nb85+fegs7Idika9Mbq+f27wrIO48pWQSUidLKwE=";
   };
 
   postPatch = ''

diff --git a/pkgs/applications/window-managers/hyprwm/hyprland-plugins/hyprsplit.nix b/pkgs/applications/window-managers/hyprwm/hyprland-plugins/hyprsplit.nix
@@ -9,13 +9,13 @@
 }:
 mkHyprlandPlugin hyprland rec {
   pluginName = "hyprsplit";
-  version = "0.46.1";
+  version = "0.46.2";
 
   src = fetchFromGitHub {
     owner = "shezdy";
     repo = "hyprsplit";
     rev = "refs/tags/v${version}";
-    hash = "sha256-Hv8cVJ4lONz0g1zMwdWCL2nBUA/P8ILy7MiFjU26OM4=";
+    hash = "sha256-G+fgzjGNkYl5y6XL9K67ixCPEhb02J45cS9uicdC110=";
   };
 
   nativeBuildInputs = [

diff --git a/pkgs/by-name/an/anyrun/package.nix b/pkgs/by-name/an/anyrun/package.nix
@@ -17,16 +17,16 @@
 
 rustPlatform.buildRustPackage {
   pname = "anyrun";
-  version = "0-unstable-2024-11-08";
+  version = "0-unstable-2024-12-27";
 
   src = fetchFromGitHub {
     owner = "kirottu";
     repo = "anyrun";
-    rev = "d2017f224b2bfd7e33573c7070e7c3e2960c7dcc";
-    hash = "sha256-L1hLXf4IDZ0KoXbFiSNNZJ7IrReEr/J+CLt6Rl4Ea3M=";
+    rev = "06017e753c8886d5296768dca80745ee09402a2d";
+    hash = "sha256-jU88Q9tP4vuvWYGQcmOdFwI9e2uMPVYJHbXdiklIH9o=";
   };
 
-  cargoHash = "sha256-DgUNSRr2Hs+GeYeR2ex8WiwotmT12G1cjSvQVK2py3c=";
+  cargoHash = "sha256-DtU5Jtx46M+aP1oSdZt+aJH5jqNdNU9G7klzwsVjcZU=";
 
   strictDeps = true;
   enableParallelBuilding = true;

diff --git a/pkgs/by-name/as/asak/package.nix b/pkgs/by-name/as/asak/package.nix
@@ -10,16 +10,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "asak";
-  version = "0.3.4";
+  version = "0.3.5";
 
   src = fetchFromGitHub {
     owner = "chaosprint";
     repo = "asak";
     tag = "v${version}";
-    hash = "sha256-Kq1WdVcTRdz6vJxUDd0bqb2bfrNGCl611upwYploR7w=";
+    hash = "sha256-7r05sVIHqBBOKwye2fr0pspo/uDqaYGjt5CpxqgqKzI=";
   };
 
-  cargoHash = "sha256-SS4BDhORiTV/HZhL3F9zwF8oBu/VFVYhF5Jzp2j0QFI=";
+  cargoHash = "sha256-lMqInjFnOfr/GPSfIf1yp2vQjdk9UYdkWA616P8p0FE=";
 
   nativeBuildInputs = [
     pkg-config

diff --git a/pkgs/by-name/ea/earlyoom/package.nix b/pkgs/by-name/ea/earlyoom/package.nix
@@ -1,11 +1,13 @@
 {
   lib,
   fetchFromGitHub,
-  installShellFiles,
   pandoc,
   stdenv,
   nixosTests,
-  # Boolean flags
+  fetchpatch,
+  # The man page requires pandoc to build and resides in a separate "man"
+  # output which is pulled in on-demand. There is no need to disabled it unless
+  # pandoc is hard to build on your platform.
   withManpage ? true,
 }:
 
@@ -22,25 +24,26 @@ stdenv.mkDerivation (finalAttrs: {
 
   outputs = [ "out" ] ++ lib.optionals withManpage [ "man" ];
 
-  patches = [ ./0000-fix-dbus-path.patch ];
-
-  nativeBuildInputs = lib.optionals withManpage [
-    installShellFiles
-    pandoc
+  patches = [
+    ./0000-fix-dbus-path.patch
+    # Respect `MANDIR`.
+    (fetchpatch {
+      url = "https://github.com/rfjakob/earlyoom/commit/c5a1799a5ff4b3fd3132d50a510e8c126933cf4a.patch";
+      hash = "sha256-64AkpTMmjiqZ6Byq6687zNIqrQ/IGRGgzzjyyAfcg14=";
+    })
+    # Correctly handle `PREFIX` as a default rather than always-concatenate.
+    (fetchpatch {
+      url = "https://github.com/rfjakob/earlyoom/commit/f7d6f1cc925962fbdcf57b1c2aeeabbf11e2d542.patch";
+      hash = "sha256-DJDeQzcEGJMoMGIi1D/ogMaKG1VQvPZN9jXtUDGjyjk=";
+    })
   ];
 
+  nativeBuildInputs = lib.optionals withManpage [ pandoc ];
+
   makeFlags = [
     "VERSION=${finalAttrs.version}"
-  ];
-
-  installPhase = ''
-    runHook preInstall
-    install -D earlyoom $out/bin/earlyoom
-  '' + lib.optionalString withManpage ''
-    installManPage earlyoom.1
-  '' + ''
-    runHook postInstall
-  '';
+    "PREFIX=${placeholder "out"}"
+  ] ++ lib.optional withManpage "MANDIR=${placeholder "man"}/share/man";
 
   passthru.tests = {
     inherit (nixosTests) earlyoom;
@@ -58,7 +61,9 @@ stdenv.mkDerivation (finalAttrs: {
     '';
     license = lib.licenses.mit;
     mainProgram = "earlyoom";
-    maintainers = with lib.maintainers; [ ];
+    maintainers = with lib.maintainers; [
+      oxalica
+    ];
     platforms = lib.platforms.linux;
   };
 })
diff --git a/pkgs/by-name/gh/gh-contribs/package.nix b/pkgs/by-name/gh/gh-contribs/package.nix
@@ -9,13 +9,13 @@
 }:
 stdenvNoCC.mkDerivation rec {
   pname = "gh-contribs";
-  version = "0.9.0";
+  version = "0.10.1";
 
   src = fetchFromGitHub {
     owner = "MintArchit";
     repo = "gh-contribs";
     rev = "v${version}";
-    hash = "sha256-yPJ9pmnbqR+fXH02Q5VMn0v2MuDQbPUpNzKw1awmKVE=";
+    hash = "sha256-fqyxq/lpMcLXOYY0MNI5uv8Go2erpg7dEIsEI+ExSVI=";
   };
 
   nativeBuildInputs = [

diff --git a/pkgs/by-name/gn/gnome-secrets/package.nix b/pkgs/by-name/gn/gnome-secrets/package.nix
@@ -19,15 +19,15 @@
 
 python3Packages.buildPythonApplication rec {
   pname = "gnome-secrets";
-  version = "10.3";
+  version = "10.4";
   format = "other";
 
   src = fetchFromGitLab {
     domain = "gitlab.gnome.org";
     owner = "World";
     repo = "secrets";
     rev = version;
-    hash = "sha256-UcTLngBVp5L8Y1LmBxoxPuH5Zag2YfHA2Y+ByPBkh8A=";
+    hash = "sha256-FyBtw7Gkvd5XONkM7OVGxE+S5FpuUIl7KWLFHoQeoN4=";
   };
 
   nativeBuildInputs = [

diff --git a/pkgs/by-name/ke/keypunch/package.nix b/pkgs/by-name/ke/keypunch/package.nix
@@ -19,18 +19,18 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "keypunch";
-  version = "5.0";
+  version = "5.1";
 
   src = fetchFromGitHub {
     owner = "bragefuglseth";
     repo = "keypunch";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-oP/rbtX72Ng4GVsXl5s8eESrUlJiJ/n05KArZHVo00c=";
+    hash = "sha256-C0WD8vBPlKvCJHVJHSfEbMIxNARoRrCn7PNebJ0rkoI=";
   };
 
   cargoDeps = rustPlatform.fetchCargoTarball {
     inherit (finalAttrs) pname version src;
-    hash = "sha256-Uz9YbD4k3o3WOXCoIW41eUdi+HIfZLZJNszr9y3qezI=";
+    hash = "sha256-RufJy5mHuirAO056p5/w63jw5h00E41t+H4VQP3kPks=";
   };
 
   strictDeps = true;
-Original file line number
+Diff line change
@@ Expand Up / @@ -98,5 +98,5 @@ substituteAllFiles { @@
     }
     ```
-    in the resulting derivation, every instance of `@hello@` will be replaced with `there` in `$out/foo.txt` and` `$out/bar.txt`; `baz.txt` will not be processed nor will it appear in `$out`.
+    in the resulting derivation, every instance of `@hello@` will be replaced with `there` in `$out/foo.txt` and `$out/bar.txt`; `baz.txt` will not be processed nor will it appear in `$out`.
     :::