Merge staging-next into staging

doc/languages-frameworks/julia.section.md

@@ -67,3 +67,14 @@ nix-shell -p 'julia.withPackages ["Plots"]' --run julia
 
   This normally points at a special augmented version of the Julia [General packages registry](https://github.com/JuliaRegistries/General).
   If you want to use a bleeding-edge version to pick up the latest package updates, you can plug in a later revision than the one in Nixpkgs.
+
+* `juliaCpuTarget`: Allows you to set `JULIA_CPU_TARGET` when precompiling. Has no effect if `precompile=false`.
+
+  You may want to use this if you're building a Julia depot that will end up in a Nix cache and used on machines with
+  different CPUs.
+
+  Why? Julia will detect the CPU microarchitecture of the build machine and include this information in the precompiled
+  `*.ji` files. Starting in 1.10 Julia became more strict about checking the CPU target compatibility, so it may reject
+  your precompiled files if they were compiled on a different machine.
+  A good option to provide wide compatibility is to set this to `"generic"`, although this may reduce performance.
+  You can also set a semicolon-separated list of multiple different targets. See the Julia documentation for details.

nixos/modules/services/monitoring/uptime-kuma.nix

@@ -51,21 +51,30 @@ in
         DynamicUser = true;
         ExecStart = "${cfg.package}/bin/uptime-kuma-server";
         Restart = "on-failure";
-        ProtectHome = true;
-        ProtectSystem = "strict";
-        PrivateTmp = true;
+        AmbientCapabilities = "";
+        CapabilityBoundingSet = "";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = false; # enabling it breaks execution
+        NoNewPrivileges = true;
         PrivateDevices = true;
-        ProtectHostname = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
         ProtectClock = true;
-        ProtectKernelTunables = true;
-        ProtectKernelModules = true;
-        ProtectKernelLogs = true;
         ProtectControlGroups = true;
-        NoNewPrivileges = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "noaccess";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
+        RestrictNamespaces = true;
         RestrictRealtime = true;
         RestrictSUIDSGID = true;
-        RemoveIPC = true;
-        PrivateMounts = true;
+        SystemCallArchitectures = "native";
+        UMask = 027;
       };
     };
   };

nixos/modules/services/network-filesystems/samba.nix

@@ -101,6 +101,19 @@ in
         };
       };
 
+      usershares = {
+        enable = lib.mkEnableOption "user-configurable Samba shares";
+        group = lib.mkOption {
+          type = lib.types.str;
+          default = "samba";
+          description = ''
+            Name of the group members of which will be allowed to create usershares.
+
+            The group will be created automatically.
+          '';
+        };
+      };
+
       nsswins = lib.mkEnableOption ''
         WINS NSS (Name Service Switch) plug-in.
 
@@ -308,5 +321,22 @@ in
           restartTriggers = [ configFile ];
         };
       })
+
+      (lib.mkIf (cfg.enable && cfg.usershares.enable) {
+        users.groups.${cfg.usershares.group} = {};
+
+        systemd.tmpfiles.settings."50-samba-usershares"."/var/lib/samba/usershares".d = {
+          user = "root";
+          group = cfg.usershares.group;
+          mode = "1775";  # sticky so users can't delete others' shares
+        };
+
+        # set some reasonable defaults
+        services.samba.settings.global = lib.mkDefault {
+          "usershare path" = "/var/lib/samba/usershares";
+          "usershare max shares" = 100;  # high enough to be considered ~unlimited
+          "usershare allow guests" = true;
+        };
+      })
     ];
 }

nixos/modules/services/security/kanidm.nix

@@ -231,7 +231,10 @@ in
     enableServer = mkEnableOption "the Kanidm server";
     enablePam = mkEnableOption "the Kanidm PAM and NSS integration";
 
-    package = mkPackageOption pkgs "kanidm" { };
+    package = mkPackageOption pkgs "kanidm" {
+      example = "kanidm_1_4";
+      extraDescription = "If not set will receive a specific version based on stateVersion. Set to `pkgs.kanidm` to always receive the latest version, with the understanding that this could introduce breaking changes.";
+    };
 
     serverSettings = mkOption {
       type = types.submodule {
@@ -811,6 +814,16 @@ in
         )
       );
 
+    services.kanidm.package =
+      let
+        pkg =
+          if lib.versionAtLeast config.system.stateVersion "24.11" then
+            pkgs.kanidm_1_4
+          else
+            lib.warn "No default kanidm package found for stateVersion = '${config.system.stateVersion}'. Using unpinned version. Consider setting `services.kanidm.package = pkgs.kanidm_1_x` to avoid upgrades introducing breaking changes." pkgs.kanidm;
+      in
+      lib.mkDefault pkg;
+
     environment.systemPackages = mkIf cfg.enableClient [ cfg.package ];
 
     systemd.tmpfiles.settings."10-kanidm" = {

nixos/modules/services/web-apps/invoiceplane.nix

@@ -226,7 +226,7 @@ in
         options.sites = mkOption {
           type = types.attrsOf (types.submodule siteOpts);
           default = {};
-          description = "Specification of one or more WordPress sites to serve";
+          description = "Specification of one or more InvoicePlane sites to serve";
         };
 
         options.webserver = mkOption {

pkgs/by-name/al/aldente/package.nix

@@ -8,11 +8,11 @@
 
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "aldente";
-  version = "1.28.6";
+  version = "1.29";
 
   src = fetchurl {
     url = "https://github.com/davidwernhart/aldente-charge-limiter/releases/download/${finalAttrs.version}/AlDente.dmg";
-    hash = "sha256-g52XHx1jK0VEgLQJL+vX16bFd8eMu0dw8Fqp4hOtVtE=";
+    hash = "sha256-F19DZnjnlZ7ydgNhPNUa7FqPp5/MzDcQRtksIkXgIis=";
   };
 
   dontBuild = true;

pkgs/by-name/ca/cargo-feature/package.nix

@@ -2,8 +2,6 @@
   lib,
   rustPlatform,
   fetchFromGitHub,
-  stdenv,
-  libiconv,
 }:
 
 rustPlatform.buildRustPackage rec {
@@ -19,8 +17,6 @@ rustPlatform.buildRustPackage rec {
 
   cargoHash = "sha256-8qrpW/gU7BvxN3nSbFWhbgu5bwsdzYZTS3w3kcwsGbU=";
 
-  buildInputs = lib.optional stdenv.hostPlatform.isDarwin libiconv;
-
   checkFlags = [
     # The following tests require empty CARGO_BUILD_TARGET env variable, but we
     # set it ever since https://github.com/NixOS/nixpkgs/pull/298108.

pkgs/by-name/ca/cargo-fuzz/package.nix

@@ -1,4 +1,4 @@
-{ lib, fetchFromGitHub, rustPlatform, stdenv, libiconv }:
+{ lib, fetchFromGitHub, rustPlatform }:
 
 rustPlatform.buildRustPackage rec {
   pname = "cargo-fuzz";
@@ -13,8 +13,6 @@ rustPlatform.buildRustPackage rec {
 
   cargoHash = "sha256-sfvepPpYtgA0TuUlu0CD50HX933AVQbUGzJBNAzFR94=";
 
-  buildInputs = lib.optional stdenv.hostPlatform.isDarwin libiconv;
-
   doCheck = false;
 
   meta = with lib; {

pkgs/by-name/ca/cargo-limit/package.nix

@@ -2,8 +2,6 @@
 , rustPlatform
 , fetchFromGitHub
 , nix-update-script
-, stdenv
-, libiconv
 }:
 
 rustPlatform.buildRustPackage rec {
@@ -19,8 +17,6 @@ rustPlatform.buildRustPackage rec {
 
   cargoHash = "sha256-dwqbG0UFeUQHa0K98ebHfjbcQuQOhK2s6ZxAT6r0cik=";
 
-  buildInputs = lib.optionals stdenv.hostPlatform.isDarwin [ libiconv ];
-
   passthru = {
     updateScript = nix-update-script { };
   };

pkgs/by-name/ca/cargo-unfmt/package.nix

@@ -1,9 +1,6 @@
 { lib
-, stdenv
 , fetchFromGitHub
 , rustPlatform
-, darwin
-, libiconv
 }:
 
 rustPlatform.buildRustPackage {
@@ -19,8 +16,6 @@ rustPlatform.buildRustPackage {
 
   cargoHash = "sha256-mMeHTYCUIZR3jVvTxfyH4I9wGfUdCWcyn9djnksAY8k=";
 
-  buildInputs = lib.optionals stdenv.hostPlatform.isDarwin [ libiconv darwin.apple_sdk.frameworks.Security ];
-
   # Doc tests are broken on 0.3.3
   doCheck = false;
 

pkgs/by-name/cl/cldr-annotations/package.nix

@@ -7,7 +7,7 @@ stdenvNoCC.mkDerivation rec {
   src = fetchzip {
     url = "https://unicode.org/Public/cldr/${lib.versions.major version}/cldr-common-${version}.zip";
     stripRoot = false;
-    hash = "sha256-dXfbJTBlIg/+JXSrjdf8/iS4vHo7bt5YUwh+5dlsSiw=";
+    hash = "sha256-d8VjhE4k4QdlWNtUGcQf1jx7igBxziCwNpWx0ef4h8c=";
   };
 
   installPhase = ''

pkgs/by-name/cl/clusternet/package.nix

@@ -6,13 +6,13 @@
 
 buildGoModule rec {
   pname = "clusternet";
-  version = "0.17.1";
+  version = "0.17.2";
 
   src = fetchFromGitHub {
     owner = "clusternet";
     repo = "clusternet";
     rev = "refs/tags/v${version}";
-    hash = "sha256-ZjFybox6BeezDj+Jvb6MRfaTRozpXGUIG1n1GDVS4aM=";
+    hash = "sha256-6JZdFHMbdFm2uTlMbbi0y4rcVkbUZ6gSeK57v6MiL7M=";
   };
 
   vendorHash = "sha256-hY4bgQXwKjL4UT3omDYuxy9xN9XOr00mMvGssKOSsG4=";

pkgs/by-name/db/dbip-asn-lite/package.nix

@@ -5,11 +5,11 @@
 }:
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "dbip-asn-lite";
-  version = "2024-11";
+  version = "2024-12";
 
   src = fetchurl {
     url = "https://download.db-ip.com/free/dbip-asn-lite-${finalAttrs.version}.mmdb.gz";
-    hash = "sha256-uqtn3Dy8GYjRHX3LNky0DUAc+MxEph41AKShxsPdJJM=";
+    hash = "sha256-tzeXJzgTG6AB46dCYqtdECqMm2nh9PfPigMvRif2+cM=";
   };
 
   dontUnpack = true;

pkgs/by-name/db/dbip-city-lite/package.nix

@@ -5,11 +5,11 @@
 }:
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "dbip-city-lite";
-  version = "2024-11";
+  version = "2024-12";
 
   src = fetchurl {
     url = "https://download.db-ip.com/free/dbip-city-lite-${finalAttrs.version}.mmdb.gz";
-    hash = "sha256-w/Dl89AdhIfsfNu4IvVMEVKqZtQcqg0UAjB7HJxq/OE=";
+    hash = "sha256-IkZ6d9CP+AgYXaWmQTfTz2MTHEV7h/f1HiOAGXxBH+g=";
   };
 
   dontUnpack = true;

pkgs/by-name/db/dbip-country-lite/package.nix

@@ -5,11 +5,11 @@
 }:
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "dbip-country-lite";
-  version = "2024-11";
+  version = "2024-12";
 
   src = fetchurl {
     url = "https://download.db-ip.com/free/dbip-country-lite-${finalAttrs.version}.mmdb.gz";
-    hash = "sha256-Ua4hm0duKHAD/cgtOaDqAYT/4lWsuoIdPnM7K0Lqecw=";
+    hash = "sha256-58g4ch1N1vPPymYx6M7X3Q6l6Sbr5GkEXv/Vi7K9Ivk=";
   };
 
   dontUnpack = true;

pkgs/by-name/ez/eza/package.nix

@@ -1,14 +1,11 @@
 { lib
 , gitSupport ? true
-, stdenv
 , fetchFromGitHub
 , rustPlatform
 , cmake
 , pandoc
 , pkg-config
 , zlib
-, darwin
-, libiconv
 , installShellFiles
   # once eza upstream gets support for setting up a compatibility symlink for exa, we should change
   # the handling here from postInstall to passing the required argument to the builder.
@@ -29,8 +26,7 @@ rustPlatform.buildRustPackage rec {
   cargoHash = "sha256-fXrw753Hn4fbeX6+GRoH9MKrH0udjxnBK7AVCHnqIcs=";
 
   nativeBuildInputs = [ cmake pkg-config installShellFiles pandoc ];
-  buildInputs = [ zlib ]
-    ++ lib.optionals stdenv.hostPlatform.isDarwin [ libiconv darwin.apple_sdk.frameworks.Security ];
+  buildInputs = [ zlib ];
 
   buildNoDefaultFeatures = true;
   buildFeatures = lib.optional gitSupport "git";

pkgs/by-name/fl/flottbot/package.nix

@@ -6,13 +6,13 @@
 }:
 buildGoModule rec {
   pname = "flottbot";
-  version = "0.13.1";
+  version = "0.14.0";
 
   src = fetchFromGitHub {
     owner = "target";
     repo = "flottbot";
     rev = version;
-    hash = "sha256-Fv4ZBCQA7gwt11ULIiyFwn+QgoMNgu+1TM9yy2Jz7og=";
+    hash = "sha256-yQjjdw+3JqMyyDOLR42OYVLRNiIjDz1KnSRkC2bUCj8=";
   };
 
   patches = [
@@ -24,7 +24,7 @@ buildGoModule rec {
     })
   ];
 
-  vendorHash = "sha256-wOUQKFd2Xm/2rvLw8kw8Ejbcq/JUvup/BzZs0fllBYY=";
+  vendorHash = "sha256-t2iBOrmLca7SMkstNIaNtD5RZ8dxBDFZc1n5/DxLiTQ=";
 
   subPackages = [ "cmd/flottbot" ];
 

pkgs/by-name/gp/gpu-viewer/package.nix

@@ -29,15 +29,14 @@
 
 python3Packages.buildPythonApplication rec {
   pname = "gpu-viewer";
-  version = "3.08";
-
-  format = "other";
+  version = "3.10";
+  pyproject = false;
 
   src = fetchFromGitHub {
     owner = "arunsivaramanneo";
     repo = "gpu-viewer";
     rev = "refs/tags/v${version}";
-    hash = "sha256-P1zA/sjE4w2pdRDtJ8pGi4Rf8o4EmiRo6j17BRNu0IA=";
+    hash = "sha256-0rbg3T9OXnSZ5+2cjgfNitAv1LgdO0N90wWJifzHcsg=";
   };
 
   nativeBuildInputs = [

pkgs/by-name/ic/icloudpd/package.nix

@@ -9,14 +9,14 @@
 
 python3Packages.buildPythonApplication rec {
   pname = "icloudpd";
-  version = "1.24.4";
+  version = "1.25.0";
   pyproject = true;
 
   src = fetchFromGitHub {
     owner = "icloud-photos-downloader";
     repo = "icloud_photos_downloader";
     rev = "v${version}";
-    hash = "sha256-/axw1RSfQX9RIoICs2Zcn9ScWTcqU9mHAhotaMduAp8=";
+    hash = "sha256-7I/mthqlV5+EWaLRlCmBZPJaf7dWm8alpUtmlxvUNsY=";
   };
 
   pythonRelaxDeps = true;

pkgs/by-name/ka/kanidm/1_3.nix

@@ -0,0 +1,15 @@
+import ./generic.nix {
+  version = "1.3.3";
+  hash = "sha256-W5G7osV4du6w/BfyY9YrDzorcLNizRsoz70RMfO2AbY=";
+  cargoHash = "sha256-gJrzOK6vPPBgsQFkKrbMql00XSfKGjgpZhYJLTURxoI=";
+  extraMeta = {
+    knownVulnerabilities = [
+      ''
+        kanidm 1.3.x has reached EOL as of 2024-12-01.
+
+        Please upgrade by verifying `kanidmd domain upgrade-check` and setting `services.kanidm.package = pkgs.kanidm_1_4;`
+        See upgrade guide at https://kanidm.github.io/kanidm/master/server_updates.html
+      ''
+    ];
+  };
+}

pkgs/by-name/ka/kanidm/1_4.nix

@@ -0,0 +1,5 @@
+import ./generic.nix {
+  version = "1.4.4";
+  hash = "sha256-AXgq9ohnSeQvq1IIhxMhe+FhX6/hyvRsJCI4VaiN/MQ=";
+  cargoHash = "sha256-/PsQ9yqyhSub1Qg2A3wOsgucq4rM0CU4uA8tEOJhtAU=";
+}