Merge master into staging-next

maintainers/maintainer-list.nix

@@ -3276,6 +3276,13 @@
     githubId = 355401;
     name = "Brian Hicks";
   };
+  brianmay = {
+    name = "Brian May";
+    email = "[email protected]";
+    github = "brianmay";
+    githubId = 112729;
+    keys = [ { fingerprint = "D636 5126 A92D B560 C627  ACED 1784 577F 811F 6EAC"; } ];
+  };
   brianmcgee = {
     name = "Brian McGee";
     email = "[email protected]";
@@ -13662,6 +13669,12 @@
     githubId = 34819524;
     name = "Marcel";
   };
+  MarchCraft = {
+    email = "[email protected]";
+    github = "MarchCraft";
+    githubId = 30194994;
+    name = "Felix Nilles";
+  };
   marcovergueira = {
     email = "[email protected]";
     github = "marcovergueira";
@@ -20424,6 +20437,12 @@
     name = "夜坂雅";
     keys = [ { fingerprint = "3237 D49E 8F81 5A45 2133  64EA 4FF3 5790 F405 53A9"; } ];
   };
+  shadows_withal = {
+    email = "[email protected]";
+    github = "shadows-withal";
+    githubId = 6445316;
+    name = "liv";
+  };
   shahrukh330 = {
     email = "[email protected]";
     github = "shahrukh330";

nixos/doc/manual/development/running-nixos-tests-interactively.section.md

@@ -10,6 +10,12 @@ $ ./result/bin/nixos-test-driver
 >>>
 ```
 
+::: {.note}
+By executing the test driver in this way,
+the VMs executed may gain network & Internet access via their backdoor control interface,
+typically recognized as `eth0`.
+:::
+
 You can then take any Python statement, e.g.
 
 ```py

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -47,6 +47,8 @@
 
 - [waagent](https://github.com/Azure/WALinuxAgent), the Microsoft Azure Linux Agent (waagent) manages Linux provisioning and VM interaction with the Azure Fabric Controller. Available with [services.waagent](options.html#opt-services.waagent.enable).
 
+- [nostr-rs-relay](https://git.sr.ht/~gheartsfield/nostr-rs-relay/), This is a nostr relay, written in Rust. Available as [services.nostr-rs-relay](options.html#opt-services.nostr-rs-relay.enable).
+
 - [mqtt-exporter](https://github.com/kpetremann/mqtt-exporter/), a Prometheus exporter for exposing messages from MQTT. Available as [services.prometheus.exporters.mqtt](#opt-services.prometheus.exporters.mqtt.enable).
 
 - [Buffyboard](https://gitlab.postmarketos.org/postmarketOS/buffybox/-/tree/master/buffyboard), a framebuffer on-screen keyboard. Available as [services.buffyboard](option.html#opt-services.buffyboard).

nixos/modules/hardware/video/nvidia.nix

@@ -274,6 +274,14 @@ in
           config.hardware.nvidia.open == true || lib.versionAtLeast config.hardware.nvidia.package.version "555"
         '';
       };
+
+      videoAcceleration =
+        (lib.mkEnableOption ''
+          Whether video acceleration (VA-API) should be enabled.
+        '')
+        // {
+          default = true;
+        };
     };
   };
 
@@ -504,9 +512,7 @@ in
             "egl/egl_external_platform.d".source = "/run/opengl-driver/share/egl/egl_external_platform.d/";
           };
 
-          hardware.graphics = {
-            extraPackages = [ pkgs.nvidia-vaapi-driver ];
-          };
+          hardware.graphics.extraPackages = lib.optional cfg.videoAcceleration pkgs.nvidia-vaapi-driver;
 
           environment.systemPackages =
             lib.optional cfg.nvidiaSettings nvidia_x11.settings

nixos/modules/module-list.nix

@@ -1507,6 +1507,7 @@
   ./services/web-apps/nexus.nix
   ./services/web-apps/nifi.nix
   ./services/web-apps/node-red.nix
+  ./services/web-apps/nostr-rs-relay.nix
   ./services/web-apps/ocis.nix
   ./services/web-apps/onlyoffice.nix
   ./services/web-apps/openvscode-server.nix

nixos/modules/services/cluster/kubernetes/kubelet.nix

@@ -345,9 +345,9 @@ in
             echo "Seeding container image: ${img}"
             ${
               if (lib.hasSuffix "gz" img) then
-                ''${pkgs.gzip}/bin/zcat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import --all-platforms -''
+                ''${pkgs.gzip}/bin/zcat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import -''
               else
-                ''${pkgs.coreutils}/bin/cat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import --all-platforms -''
+                ''${pkgs.coreutils}/bin/cat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import -''
             }
           '') cfg.seedDockerImages}
 

nixos/modules/services/hardware/udev.nix

@@ -162,15 +162,9 @@ let
     '';
 
   compressFirmware = firmware:
-    let
-      inherit (config.boot.kernelPackages) kernelAtLeast;
-    in
-      if ! (firmware.compressFirmware or true) then
-        firmware
-      else
-        if kernelAtLeast "5.19" then pkgs.compressFirmwareZstd firmware
-        else if kernelAtLeast "5.3" then pkgs.compressFirmwareXz firmware
-        else firmware;
+    if config.hardware.firmwareCompression == "none" || (firmware.compressFirmware or false) == false then firmware
+    else if config.hardware.firmwareCompression == "zstd" then pkgs.compressFirmwareZstd firmware
+    else pkgs.compressFirmwareXz firmware;
 
   # Udev has a 512-character limit for ENV{PATH}, so create a symlink
   # tree to work around this.
@@ -279,6 +273,21 @@ in
       };
     };
 
+    hardware.firmwareCompression = lib.mkOption {
+      type = lib.types.enum [ "xz" "zstd" "none" ];
+      default = if config.boot.kernelPackages.kernelAtLeast "5.19" then "zstd"
+        else if config.boot.kernelPackages.kernelAtLeast "5.3" then "xz"
+        else "none";
+      defaultText = "auto";
+      description = ''
+        Whether to compress firmware files.
+        Defaults depend on the kernel version.
+        For kernels older than 5.3, firmware files are not compressed.
+        For kernels 5.3 and newer, firmware files are compressed with xz.
+        For kernels 5.19 and newer, firmware files are compressed with zstd.
+      '';
+    };
+
     networking.usePredictableInterfaceNames = lib.mkOption {
       default = true;
       type = lib.types.bool;
@@ -346,6 +355,23 @@ in
 
   config = lib.mkIf cfg.enable {
 
+    assertions = [
+      {
+        assertion = config.hardware.firmwareCompression == "zstd" -> config.boot.kernelPackages.kernelAtLeast "5.19";
+        message = ''
+          The firmware compression method is set to zstd, but the kernel version is too old.
+          The kernel version must be at least 5.3 to use zstd compression.
+        '';
+      }
+      {
+        assertion = config.hardware.firmwareCompression == "xz" -> config.boot.kernelPackages.kernelAtLeast "5.3";
+        message = ''
+          The firmware compression method is set to xz, but the kernel version is too old.
+          The kernel version must be at least 5.3 to use xz compression.
+        '';
+      }
+    ];
+
     services.udev.extraRules = nixosRules;
 
     services.udev.packages = [ extraUdevRules extraHwdbFile ];

nixos/modules/services/misc/paperless.nix

@@ -70,10 +70,7 @@ let
     ProtectKernelModules = true;
     ProtectKernelTunables = true;
     ProtectProc = "invisible";
-    # Don't restrict ProcSubset because django-q requires read access to /proc/stat
-    # to query CPU and memory information.
-    # Note that /proc only contains processes of user `paperless`, so this is safe.
-    # ProcSubset = "pid";
+    ProcSubset = "pid";
     RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
     RestrictNamespaces = true;
     RestrictRealtime = true;

nixos/modules/services/networking/hickory-dns.nix

@@ -3,11 +3,8 @@ let
   cfg = config.services.hickory-dns;
   toml = pkgs.formats.toml { };
 
-  configFile = toml.generate "hickory-dns.toml" (
-    lib.filterAttrsRecursive (_: v: v != null) cfg.settings
-  );
-
   zoneType = lib.types.submodule ({ config, ... }: {
+    freeformType = toml.type;
     options = with lib; {
       zone = mkOption {
         type = types.str;
@@ -82,6 +79,22 @@ in
           If neither `quiet` nor `debug` are enabled, logging defaults to the INFO level.
         '';
       };
+      configFile = mkOption {
+        type = types.path;
+        default = toml.generate "hickory-dns.toml" (
+          lib.filterAttrsRecursive (_: v: v != null) cfg.settings
+        );
+        defaultText = lib.literalExpression ''
+          let toml = pkgs.formats.toml { }; in toml.generate "hickory-dns.toml" cfg.settings
+        '';
+        description = ''
+          Path to an existing toml file to configure hickory-dns with.
+
+          This can usually be left unspecified, in which case it will be
+          generated from the values in `settings`.
+          If manually specified, then the options in `settings` are ignored.
+        '';
+      };
       settings = mkOption {
         description = ''
           Settings for hickory-dns. The options enumerated here are not exhaustive.
@@ -142,7 +155,7 @@ in
           flags =  (lib.optional cfg.debug "--debug") ++ (lib.optional cfg.quiet "--quiet");
           flagsStr = builtins.concatStringsSep " " flags;
         in ''
-          ${lib.getExe cfg.package} --config ${configFile} ${flagsStr}
+          ${lib.getExe cfg.package} --config ${cfg.configFile} ${flagsStr}
         '';
         Type = "simple";
         Restart = "on-failure";

nixos/modules/services/web-apps/nostr-rs-relay.nix

@@ -0,0 +1,96 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.nostr-rs-relay;
+  settingsFormat = pkgs.formats.toml { };
+  configFile = settingsFormat.generate "config.toml" (
+    cfg.settings
+    // {
+      database = {
+        data_directory = config.services.nostr-rs-relay.dataDir;
+      };
+      network = {
+        port = config.services.nostr-rs-relay.port;
+      };
+    }
+  );
+in
+{
+  options.services.nostr-rs-relay = {
+    enable = lib.mkEnableOption "nostr-rs-relay";
+
+    package = lib.mkPackageOption pkgs "nostr-rs-relay" { };
+
+    port = lib.mkOption {
+      default = 12849;
+      type = lib.types.port;
+      description = "Listen on this port.";
+    };
+
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/nostr-rs-relay";
+      description = "Directory for SQLite files.";
+    };
+
+    settings = lib.mkOption {
+      inherit (settingsFormat) type;
+      default = { };
+      description = "See https://git.sr.ht/~gheartsfield/nostr-rs-relay/#configuration for documentation.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.nostr-rs-relay = {
+      description = "nostr-rs-relay";
+      wants = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/nostr-rs-relay --config ${configFile}";
+        DynamicUser = true;
+        Restart = "on-failure";
+        Type = "simple";
+
+        ReadWritePaths = [ cfg.dataDir ];
+
+        RuntimeDirectory = "nostr-rs-relay";
+        StateDirectory = "nostr-rs-relay";
+
+        PrivateTmp = true;
+        PrivateUsers = true;
+        PrivateDevices = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        NoNewPrivileges = true;
+        MemoryDenyWriteExecute = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectClock = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        ProtectControlGroups = true;
+        LockPersonality = true;
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+        RestrictRealtime = true;
+        ProtectHostname = true;
+        CapabilityBoundingSet = "";
+        SystemCallFilter = [
+          "@system-service"
+        ];
+        SystemCallArchitectures = "native";
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [
+    felixzieger
+    jb55
+  ];
+}

nixos/modules/services/x11/desktop-managers/plasma5.nix

@@ -39,12 +39,12 @@ let
     # on NixOS because the timestamp never changes. As a workaround, delete the
     # icon cache at login and session activation.
     # See also: http://lists-archives.org/kde-devel/26175-what-when-will-icon-cache-refresh.html
-    rm -fv $HOME/.cache/icon-cache.kcache
+    rm -fv "$HOME"/.cache/icon-cache.kcache
 
     # xdg-desktop-settings generates this empty file but
     # it makes kbuildsyscoca5 fail silently. To fix this
     # remove that menu if it exists.
-    rm -fv ''${XDG_CONFIG_HOME}/menus/applications-merged/xdg-desktop-menu-dummy.menu
+    rm -fv "''${XDG_CONFIG_HOME}"/menus/applications-merged/xdg-desktop-menu-dummy.menu
 
     # Qt writes a weird ‘libraryPath’ line to
     # ~/.config/Trolltech.conf that causes the KDE plugin
@@ -61,7 +61,7 @@ let
     # Remove the kbuildsyscoca5 cache. It will be regenerated
     # immediately after. This is necessary for kbuildsyscoca5 to
     # recognize that software that has been removed.
-    rm -fv $HOME/.cache/ksycoca*
+    rm -fv "$HOME"/.cache/ksycoca*
 
     ${pkgs.plasma5Packages.kservice}/bin/kbuildsycoca5
   '';

nixos/modules/system/activation/activation-script.nix

@@ -260,7 +260,8 @@ in
       ''
       else ''
         rm -f /usr/bin/env
-        rmdir --ignore-fail-on-non-empty /usr/bin /usr
+        if test -d /usr/bin; then rmdir --ignore-fail-on-non-empty /usr/bin; fi
+        if test -d /usr; then rmdir --ignore-fail-on-non-empty /usr; fi
       '';
 
     system.activationScripts.specialfs =

nixos/modules/tasks/network-interfaces.nix

@@ -1446,6 +1446,7 @@ in
 
     systemd.services = {
       network-local-commands = {
+        enable = (cfg.localCommands != "");
         description = "Extra networking commands.";
         before = [ "network.target" ];
         wantedBy = [ "network.target" ];