NixOS · jtojnar · Jan 17, 2024 · Mar 27, 2024 · Jun 1, 2024 · Jun 2, 2024
@@ -24,7 +24,7 @@ jobs:
  with:
  ref: ${{ github.event.pull_request.head.sha }}
  - name: Create backport PRs
- uses: korthout/backport-action@ef20d86abccbac3ee3a73cb2efbdc06344c390e5 # v2.5.0
+ uses: korthout/backport-action@bd410d37cdcae80be6d969823ff5a225fe5c833f # v3.0.2
  with:
  # Config README: https://github.com/korthout/backport-action#backport-action
  copy_labels_pattern: 'severity:\ssecurity'

@@ -4,7 +4,7 @@ This hook helps with installing manpages and shell completion files. It exposes
 
 The `installManPage` function takes one or more paths to manpages to install. The manpages must have a section suffix, and may optionally be compressed (with `.gz` suffix). This function will place them into the correct `share/man/man<section>/` directory, in [`outputMan`](#outputman).
 
-The `installShellCompletion` function takes one or more paths to shell completion files. By default it will autodetect the shell type from the completion file extension, but you may also specify it by passing one of `--bash`, `--fish`, or `--zsh`. These flags apply to all paths listed after them (up until another shell flag is given). Each path may also have a custom installation name provided by providing a flag `--name NAME` before the path. If this flag is not provided, zsh completions will be renamed automatically such that `foobar.zsh` becomes `_foobar`. A root name may be provided for all paths using the flag `--cmd NAME`; this synthesizes the appropriate name depending on the shell (e.g. `--cmd foo` will synthesize the name `foo.bash` for bash and `_foo` for zsh). The path may also be a fifo or named fd (such as produced by `<(cmd)`), in which case the shell and name must be provided.
+The `installShellCompletion` function takes one or more paths to shell completion files. By default it will autodetect the shell type from the completion file extension, but you may also specify it by passing one of `--bash`, `--fish`, or `--zsh`. These flags apply to all paths listed after them (up until another shell flag is given). Each path may also have a custom installation name provided by providing a flag `--name NAME` before the path. If this flag is not provided, zsh completions will be renamed automatically such that `foobar.zsh` becomes `_foobar`. A root name may be provided for all paths using the flag `--cmd NAME`; this synthesizes the appropriate name depending on the shell (e.g. `--cmd foo` will synthesize the name `foo.bash` for bash and `_foo` for zsh).
 
 ```nix
 {
@@ -17,6 +17,18 @@ The `installShellCompletion` function takes one or more paths to shell completio
  installShellCompletion --zsh --name _foobar share/completions.zsh
  # implicit behavior
  installShellCompletion share/completions/foobar.{bash,fish,zsh}
+ '';
+}
+```
+
+The path may also be a fifo or named fd (such as produced by `<(cmd)`), in which case the shell and name must be provided (see below).
+
+If the destination shell completion file is not actually present or consists of zero bytes after calling `installShellCompletion` this is treated as a build failure. In particular, if completion files are not vendored but are generated by running an executable, this is likely to fail in cross compilation scenarios. The result will be a zero byte completion file and hence a build failure. To prevent this, guard the completion commands against this, e.g.
+
+```nix
+{
+ nativeBuildInputs = [ installShellFiles ];
+ postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
  # using named fd
  installShellCompletion --cmd foobar \
  --bash <($out/bin/foobar --bash-completion) \

diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
@@ -15519,6 +15519,11 @@
  githubId = 943430;
  name = "David Hagege";
  };
+ pedohorse = {
+ github = "pedohorse";
+ githubId = 13556996;
+ name = "pedohorse";
+ };
  pedrohlc = {
  email = "root@pedrohlc.com";
  github = "PedroHLC";

@@ -13,6 +13,7 @@
 , include-overlays ? false
 , keep-going ? null
 , commit ? null
+, skip-prompt ? null
 }:
 
 let
@@ -184,6 +185,10 @@ let
  that support it by adding
 
  --argstr commit true
+
+ to skip prompt:
+
+ --argstr skip-prompt true
  '';
 
  /* Transform a matched package into an object for update.py.
@@ -204,7 +209,8 @@ let
  optionalArgs =
  lib.optional (max-workers != null) "--max-workers=${max-workers}"
  ++ lib.optional (keep-going == "true") "--keep-going"
- ++ lib.optional (commit == "true") "--commit";
+ ++ lib.optional (commit == "true") "--commit"
+ ++ lib.optional (skip-prompt == "true") "--skip-prompt";
 
  args = [ packagesJson ] ++ optionalArgs;
 

@@ -207,7 +207,7 @@ async def start_updates(max_workers: int, keep_going: bool, commit: bool, packag
  eprint(e)
  sys.exit(1)
 
-def main(max_workers: int, keep_going: bool, commit: bool, packages_path: str) -> None:
+def main(max_workers: int, keep_going: bool, commit: bool, packages_path: str, skip_prompt: bool) -> None:
  with open(packages_path) as f:
  packages = json.load(f)
 
@@ -217,7 +217,8 @@ def main(max_workers: int, keep_going: bool, commit: bool, packages_path: str) -
  eprint(f" - {package['name']}")
  eprint()
 
- confirm = input('Press Enter key to continue...')
+ confirm = '' if skip_prompt else input('Press Enter key to continue...')
+
  if confirm == '':
  eprint()
  eprint('Running update for:')
@@ -236,12 +237,13 @@ def main(max_workers: int, keep_going: bool, commit: bool, packages_path: str) -
 parser.add_argument('--keep-going', '-k', dest='keep_going', action='store_true', help='Do not stop after first failure')
 parser.add_argument('--commit', '-c', dest='commit', action='store_true', help='Commit the changes')
 parser.add_argument('packages', help='JSON file containing the list of package names and their update scripts')
+parser.add_argument('--skip-prompt', '-s', dest='skip_prompt', action='store_true', help='Do not stop for prompts')
 
 if __name__ == '__main__':
  args = parser.parse_args()
 
  try:
- main(args.max_workers, args.keep_going, args.commit, args.packages)
+ main(args.max_workers, args.keep_going, args.commit, args.packages, args.skip_prompt)
  except KeyboardInterrupt as e:
  # Let’s cancel outside of the main loop too.
  sys.exit(130)
diff --git a/maintainers/team-list.nix b/maintainers/team-list.nix
@@ -496,6 +496,20 @@ with lib.maintainers;
  shortName = "Jupyter";
  };
 
+ k3s = {
+ githubTeams = [ "k3s" ];
+ members = [
+ euank
+ marcusramberg
+ mic92
+ superherointj
+ wrmilling
+ yajo
+ ];
+ scope = "Maintain K3s package, NixOS module, NixOS tests, update script";
+ shortName = "K3s";
+ };
+
  kubernetes = {
  members = [
  johanot

diff --git a/nixos/modules/i18n/input-method/ibus.nix b/nixos/modules/i18n/input-method/ibus.nix
@@ -5,8 +5,9 @@ with lib;
 let
  cfg = config.i18n.inputMethod.ibus;
  ibusPackage = pkgs.ibus-with-plugins.override { plugins = cfg.engines; };
- ibusEngine = types.package // {
+ ibusEngine = lib.types.mkOptionType {
  name = "ibus-engine";
+ inherit (lib.types.package) descriptionClass merge;
  check = x: (lib.types.package.check x) && (attrByPath ["meta" "isIbusEngine"] false x);
  };
 

diff --git a/nixos/modules/programs/vim.nix b/nixos/modules/programs/vim.nix
@@ -20,7 +20,7 @@ in
  # TODO: convert it into assert after 24.11 release
  config = lib.mkIf (cfg.enable || cfg.defaultEditor) {
  warnings = lib.mkIf (cfg.defaultEditor && !cfg.enable) [
- "programs.vim.defaultEditor will only work if programs.vim.enable is enabled, will be encfored after the 24.11 release"
+ "programs.vim.defaultEditor will only work if programs.vim.enable is enabled, which will be enforced after the 24.11 release"
  ];
  environment = {
  systemPackages = [ cfg.package ];

diff --git a/nixos/modules/services/cluster/k3s/default.nix b/nixos/modules/services/cluster/k3s/default.nix
@@ -432,4 +432,6 @@ in
  };
  };
  };
+
+ meta.maintainers = lib.teams.k3s.members;
 }
@@ -127,6 +127,9 @@ in {
  })
  {
  systemd.targets.multi-user.wants = [ "machines.target" ];
+ systemd.services."systemd-nspawn@".environment = {
+ SYSTEMD_NSPAWN_UNIFIED_HIERARCHY = mkDefault "1";
+ };
  }
  ];
 }
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
@@ -770,6 +770,7 @@ in {
  postgresql = handleTest ./postgresql.nix {};
  postgresql-jit = handleTest ./postgresql-jit.nix {};
  postgresql-wal-receiver = handleTest ./postgresql-wal-receiver.nix {};
+ postgresql-tls-client-cert = handleTest ./postgresql-tls-client-cert.nix {};
  powerdns = handleTest ./powerdns.nix {};
  powerdns-admin = handleTest ./powerdns-admin.nix {};
  power-profiles-daemon = handleTest ./power-profiles-daemon.nix {};

diff --git a/nixos/tests/k3s/auto-deploy.nix b/nixos/tests/k3s/auto-deploy.nix
@@ -118,5 +118,7 @@ import ../make-test-python.nix (
 
  machine.shutdown()
  '';
+
+ meta.maintainers = lib.teams.k3s.members;
  }
 )
diff --git a/nixos/tests/k3s/default.nix b/nixos/tests/k3s/default.nix
@@ -7,6 +7,8 @@ let
  allK3s = lib.filterAttrs (n: _: lib.strings.hasPrefix "k3s_" n) pkgs;
 in
 {
+ # Test whether container images are imported and auto deploying manifests work
+ auto-deploy = lib.mapAttrs (_: k3s: import ./auto-deploy.nix { inherit system pkgs k3s; }) allK3s;
  # Testing K3s with Etcd backend
  etcd = lib.mapAttrs (
  _: k3s:
@@ -19,6 +21,4 @@ in
  single-node = lib.mapAttrs (_: k3s: import ./single-node.nix { inherit system pkgs k3s; }) allK3s;
  # Run a multi-node k3s cluster and verify pod networking works across nodes
  multi-node = lib.mapAttrs (_: k3s: import ./multi-node.nix { inherit system pkgs k3s; }) allK3s;
- # Test wether container images are imported and auto deploying manifests work
- auto-deploy = lib.mapAttrs (_: k3s: import ./auto-deploy.nix { inherit system pkgs k3s; }) allK3s;
 }
diff --git a/nixos/tests/k3s/etcd.nix b/nixos/tests/k3s/etcd.nix
@@ -125,6 +125,6 @@ import ../make-test-python.nix (
  etcd.shutdown()
  '';
 
- meta.maintainers = etcd.meta.maintainers ++ k3s.meta.maintainers;
+ meta.maintainers = etcd.meta.maintainers ++ lib.teams.k3s.members;
  }
 )
diff --git a/nixos/tests/k3s/multi-node.nix b/nixos/tests/k3s/multi-node.nix
@@ -189,8 +189,6 @@ import ../make-test-python.nix (
  };
  };
 
- meta.maintainers = k3s.meta.maintainers;
-
  testScript = ''
  machines = [server, server2, agent]
  for m in machines:
@@ -239,5 +237,7 @@ import ../make-test-python.nix (
  for m in machines:
  m.shutdown()
  '';
+
+ meta.maintainers = lib.teams.k3s.members;
  }
 )
diff --git a/nixos/tests/k3s/single-node.nix b/nixos/tests/k3s/single-node.nix
@@ -40,7 +40,6 @@ import ../make-test-python.nix (
  in
  {
  name = "${k3s.name}-single-node";
- meta.maintainers = k3s.meta.maintainers;
 
  nodes.machine =
  { pkgs, ... }:
@@ -120,5 +119,7 @@ import ../make-test-python.nix (
 
  machine.shutdown()
  '';
+
+ meta.maintainers = lib.teams.k3s.members;
  }
 )
diff --git a/nixos/tests/postgresql-tls-client-cert.nix b/nixos/tests/postgresql-tls-client-cert.nix
@@ -0,0 +1,141 @@
+{ system ? builtins.currentSystem
+, config ? { }
+, pkgs ? import ../.. { inherit system config; }
+, package ? null
+}:
+
+with import ../lib/testing-python.nix { inherit system pkgs; };
+
+let
+ lib = pkgs.lib;
+
+ # Makes a test for a PostgreSQL package, given by name and looked up from `pkgs`.
+ makeTestAttribute = name:
+ {
+ inherit name;
+ value = makePostgresqlTlsClientCertTest pkgs."${name}";
+ };
+
+ makePostgresqlTlsClientCertTest = pkg:
+ let
+ runWithOpenSSL = file: cmd: pkgs.runCommand file
+ {
+ buildInputs = [ pkgs.openssl ];
+ }
+ cmd;
+ caKey = runWithOpenSSL "ca.key" "openssl ecparam -name prime256v1 -genkey -noout -out $out";
+ caCert = runWithOpenSSL
+ "ca.crt"
+ ''
+ openssl req -new -x509 -sha256 -key ${caKey} -out $out -subj "/CN=test.example" -days 36500
+ '';
+ serverKey =
+ runWithOpenSSL "server.key" "openssl ecparam -name prime256v1 -genkey -noout -out $out";
+ serverKeyPath = "/var/lib/postgresql";
+ serverCert =
+ runWithOpenSSL "server.crt" ''
+ openssl req -new -sha256 -key ${serverKey} -out server.csr -subj "/CN=db.test.example"
+ openssl x509 -req -in server.csr -CA ${caCert} -CAkey ${caKey} \
+ -CAcreateserial -out $out -days 36500 -sha256
+ '';
+ clientKey =
+ runWithOpenSSL "client.key" "openssl ecparam -name prime256v1 -genkey -noout -out $out";
+ clientCert =
+ runWithOpenSSL "client.crt" ''
+ openssl req -new -sha256 -key ${clientKey} -out client.csr -subj "/CN=test"
+ openssl x509 -req -in client.csr -CA ${caCert} -CAkey ${caKey} \
+ -CAcreateserial -out $out -days 36500 -sha256
+ '';
+ clientKeyPath = "/root";
+
+ in
+ makeTest {
+ name = "postgresql-tls-client-cert-${pkg.name}";
+ meta.maintainers = with lib.maintainers; [ erictapen ];
+
+ nodes.server = { ... }: {
+ system.activationScripts = {
+ keyPlacement.text = ''
+ mkdir -p '${serverKeyPath}'
+ cp '${serverKey}' '${serverKeyPath}/server.key'
+ chown postgres:postgres '${serverKeyPath}/server.key'
+ chmod 600 '${serverKeyPath}/server.key'
+ '';
+ };
+ services.postgresql = {
+ package = pkg;
+ enable = true;
+ enableTCPIP = true;
+ ensureUsers = [
+ {
+ name = "test";
+ ensureDBOwnership = true;
+ }
+ ];
+ ensureDatabases = [ "test" ];
+ settings = {
+ ssl = "on";
+ ssl_ca_file = toString caCert;
+ ssl_cert_file = toString serverCert;
+ ssl_key_file = "${serverKeyPath}/server.key";
+ };
+ authentication = ''
+ hostssl test test ::/0 cert clientcert=verify-full
+ '';
+ };
+ networking = {
+ interfaces.eth1 = {
+ ipv6.addresses = [
+ { address = "fc00::1"; prefixLength = 120; }
+ ];
+ };
+ firewall.allowedTCPPorts = [ 5432 ];
+ };
+ };
+
+ nodes.client = { ... }: {
+ system.activationScripts = {
+ keyPlacement.text = ''
+ mkdir -p '${clientKeyPath}'
+ cp '${clientKey}' '${clientKeyPath}/client.key'
+ chown root:root '${clientKeyPath}/client.key'
+ chmod 600 '${clientKeyPath}/client.key'
+ '';
+ };
+ environment = {
+ variables = {
+ PGHOST = "db.test.example";
+ PGPORT = "5432";
+ PGDATABASE = "test";
+ PGUSER = "test";
+ PGSSLMODE = "verify-full";
+ PGSSLCERT = clientCert;
+ PGSSLKEY = "${clientKeyPath}/client.key";
+ PGSSLROOTCERT = caCert;
+ };
+ systemPackages = [ pkg ];
+ };
+ networking = {
+ interfaces.eth1 = {
+ ipv6.addresses = [
+ { address = "fc00::2"; prefixLength = 120; }
+ ];
+ };
+ hosts = { "fc00::1" = [ "db.test.example" ]; };
+ };
+ };
+
+ testScript = ''
+ server.wait_for_unit("multi-user.target")
+ client.wait_for_unit("multi-user.target")
+ client.succeed("psql -c \"SELECT 1;\"")
+ '';
+ };
+
+in
+if package == null then
+# all-tests.nix: Maps the generic function over all attributes of PostgreSQL packages
+ builtins.listToAttrs (map makeTestAttribute (builtins.attrNames (import ../../pkgs/servers/sql/postgresql pkgs)))
+else
+# Called directly from <package>.tests
+ makePostgresqlTlsClientCertTest package
diff --git a/pkgs/applications/editors/edit/default.nix b/pkgs/applications/editors/edit/default.nix
@@ -47,7 +47,7 @@ stdenv.mkDerivation {
  description = "Relaxing mix of Vi and ACME";
  homepage = "https://c9x.me/edit";
  license = lib.licenses.publicDomain;
- maintainers = with lib.maintainers; [ AndersonTorres vrthra ];
+ maintainers = with lib.maintainers; [ AndersonTorres ];
  platforms = lib.platforms.unix;
  mainProgram = "edit";
  };