chore(nixpkgs): Bump channels to 2021-05-25

* users/grfn/system/home/yeren: remove obsolete awscli2 overrides

* ops: make new isSystemUser || isNormalUser assertion happy

* users/grfn/system/system/mugwump: make buildkite agents system users

* users/tazjin/nixos/camden: set isSystemUser = true for git

* users/tazjin/emacs: Remove missing & broken packages

* third_party/openldap: remove, as the argon2 module is now enabled upstream

* third_party/gerrit_plugins: Pinned new unstable hashes

* third_party/nix, third_party/grpc: Disabled CI as these are broken

* third_party/overlays/emacs: Bumped version to stay in sync with channel

* third_party/buzz: Update LIBCLANG_PATH to reference libclang.lib,
  since libclang's default output no longer contains libclang.so

* users/grfn/system/home: Install julia-stable instead of julia (which
  aliases to julia-lts), as the latter depends on an insecure version of
  libgit

Change-Id: Iff33b0ecb0ef07a82d1de35e23c40d2f4bf0f8ed
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3001
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
Vincent Ambo 2021-04-13 12:21:42 +02:00 committed by tazjin
parent fb36bc321b
commit 65be8f20e0
20 changed files with 44 additions and 75 deletions

@ -595,7 +595,7 @@ in {
groups.git = {};
users.git = {
group = "git";
isNormalUser = false;
isSystemUser = true;
createHome = true;
home = "/var/lib/git";
};

@ -66,7 +66,7 @@ in {
users.clbot = {
group = "clbot";
isNormalUser = false;
isSystemUser = true;
};
};

@ -66,7 +66,7 @@ in {
users = {
users.quassel = {
isNormalUser = false;
isSystemUser = true;
group = "quassel";
};

@ -39,6 +39,7 @@ in {
users = builtins.listToAttrs (map (n: rec {
name = "buildkite-agent-whitby-${toString n}";
value = {
isSystemUser = true;
group = lib.mkForce "buildkite-agents";
extraGroups = [ name ];
};

@ -27,17 +27,6 @@ let
inherit (depot.ops) users;
in {
# Use our patched OpenLDAP derivation which enables stronger password hashing.
#
# Unfortunately the module for OpenLDAP has no package option, so we
# need to override it system-wide. Be aware that this triggers a
# *large* number of rebuilds of packages such as GPG and Python.
nixpkgs.overlays = [
(_: _: {
inherit (depot.third_party) openldap;
})
];
services.openldap = {
enable = true;
@ -58,7 +47,7 @@ in {
};
"cn=schema".includes =
map (schema: "${depot.third_party.openldap}/etc/schema/${schema}.ldif")
map (schema: "${pkgs.openldap}/etc/schema/${schema}.ldif")
[ "core" "cosine" "inetorgperson" "nis" ];
};
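Review bot: With the overlay gone, Argon2 password hashing now depends on the channel's `pkgs.openldap` shipping the pw-argon2 module, and nothing in this section states or checks that. The module-loading setting is outside the visible hunks, so this is inferred, but a later channel bump that dropped the module would presumably surface only when slapd starts or a bind fails. I would leave a short comment where the removed one stood, for example `# Relies on pkgs.openldap shipping the pw-argon2 module; existing {ARGON2} hashes need it.` The hash-password wrapper section further down has the same dependency through `-o module-load=pw-argon2`.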

@ -18,7 +18,10 @@ in {
Restart = "always";
};
};
users.users.apereo-cas = {};
users.users.apereo-cas = {
isSystemUser = true;
group = "apereo-cas";
};
users.groups.apereo-cas = {};
};
}

@ -27,5 +27,5 @@ depot.third_party.naersk.buildPackage {
llvmPackages.libclang
];
LIBCLANG_PATH = "${pkgs.llvmPackages.libclang}/lib/libclang.so";
LIBCLANG_PATH = "${pkgs.llvmPackages.libclang.lib}/lib/libclang.so";
}

@ -6,7 +6,7 @@ in depot.nix.utils.drvTargets {
# https://gerrit.googlesource.com/plugins/owners
owners = buildGerritBazelPlugin rec {
name = "owners";
depsOutputHash = "sha256:0j7hn945l5y5pz109mrcx2hh2lb2gi5gf4wrrbypx43rmyhlz3s8";
depsOutputHash = "sha256:162hxk2qsix0x1aarhsaqi52q7j7mjpyk8af57w0a012i55ryqqa";
src = pkgs.fetchgit {
url = "https://gerrit.googlesource.com/plugins/owners";
rev = "f3335231b98e14664fdd1b325486bb0824800ac3";
@ -23,7 +23,7 @@ in depot.nix.utils.drvTargets {
# https://gerrit.googlesource.com/plugins/checks
checks = buildGerritBazelPlugin {
name = "checks";
depsOutputHash = "sha256:01krrafg5df42z3r7y74g8lx859my4610cqx3a7d02laqq9yjqc6";
depsOutputHash = "sha256:1262xhl2z1pml6iimhnjm5l3gzddz0rjj6sjq53212dk2dxs5y1b";
src = pkgs.fetchgit {
url = "https://gerrit.googlesource.com/plugins/checks";
rev = "990e936b1e050c4fe7ac3e590bdb5cfff0311232";
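Review bot: Both `depsOutputHash` values change while the pinned `rev` lines stay the same, and nothing in the file records why the fixed-output hash moved. Presumably the Bazel toolchain from the new channel fetches or lays out the dependency tree differently, but a reader auditing the pin cannot tell that apart from an upstream dependency changing under an unchanged revision. A one-line comment above each hash, such as `# depsOutputHash changes with the nixpkgs Bazel toolchain; recompute on channel bumps`, would document this once the cause is confirmed. The oauth plugin section that follows shows the same pattern, and the plugin definitions continue outside the hunks.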

@ -4,7 +4,7 @@ let
inherit (import ../builder.nix args) buildGerritBazelPlugin;
in buildGerritBazelPlugin rec {
name = "oauth";
depsOutputHash = "sha256:1zl0gsia9p585dvpyiyb6fiqs3q9dg7qsxnwkn8ncqdnxlg21gl7";
depsOutputHash = "sha256:008xqrvy77x06y4dd74pd1vv8rzbp0jd2dw2sqcv9b5qhav7ilyw";
src = pkgs.fetchgit {
url = "https://gerrit.googlesource.com/plugins/oauth";
rev = "4aa7322db5ec221b2419e12a9ec7af5b8c66659c";

@ -9,4 +9,7 @@
"-DCMAKE_CXX_STANDARD=17"
"-DCMAKE_CXX_STANDARD_REQUIRED=ON"
];
})
}) // {
# TODO(b/132): Reenable when linker errors are fixed.
meta.ci = false;
}
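Review bot: `}) // { meta.ci = false; }` is a shallow attribute-set update, so it replaces the derivation's whole `meta` with `{ ci = false; }` instead of adding one field to it. Anything that later reads `meta.license`, `meta.platforms` or similar from this attribute would no longer find them. The expression starts outside the hunk, so the binding name here is only illustrative, but merging keeps the existing fields: `drv // { meta = (drv.meta or {}) // { ci = false; }; }`.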

@ -187,6 +187,9 @@ in lib.fix (self: pkgs.llvmPackages_11.libcxxStdenv.mkDerivation {
# TODO(tazjin): integration test setup?
# TODO(tazjin): docs generation?
# TODO(b/132): Reenable when linker errors are fixed.
meta.ci = false;
passthru = {
build-shell = self.overrideAttrs (up: rec {
run_clang_tidy = pkgs.writeShellScriptBin "run-clang-tidy" ''

@ -13,16 +13,16 @@ let
# nixos-unstable, and the current stable channel of the latest NixOS
# release.
# Tracking nixos-unstable as of 2021-04-09.
# Tracking nixos-unstable as of 2021-05-25.
unstableHashes = {
commit = "9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2";
sha256 = "1r3ll77hyqn28d9i4cf3vqd9v48fmaa1j8ps8c4fm4f8gqf4kpl1";
commit = "900115a4f7fdd9189e7803ca781a65be663f2c89";
sha256 = "11551nawxjbgya8sq1p6ghkbws9qz9fbfq3wqawm3zh8ayr4l13j";
};
# Tracking nixos-20.09 as of 2021-04-09.
# Tracking nixos-20.09 as of 2021-05-25.
stableHashes = {
commit = "d6f63659a7021051a46035373ed50fbea7e4e924";
sha256 = "0vblhzg57sfzqpdm24lgs08vjv2204lzcp6hv4cbjd20rz0mxs4y";
commit = "ac60476ed94fd5424d9f3410c438825f793a8cbb";
sha256 = "1dlvpdsy5v09c7rj5f7xgakyj722yqr4415davjpcmrk4n5kw76v";
};
# import the nixos-unstable package set, or optionally use the

@ -1,27 +0,0 @@
# OpenLDAP by default uses a simple shalted SHA1-hash for passwords,
# which is less than ideal.
#
# It does however include a contrib module which adds support for the
# Argon2 password hashing scheme. This overrides then OpenLDAP build
# derivation to include this module.
{ pkgs, ... }:
pkgs.openldap.overrideAttrs(old: {
buildInputs = old.buildInputs ++ [ pkgs.libsodium ];
postBuild = ''
${old.postBuild}
make $makeFlags -C contrib/slapd-modules/passwd/argon2
'';
# This is required because the Makefile for this module hardcodes
# /usr/bin/install, which is not a valid path - we want it to be
# looked up from $PATH because it is included in stdenv.
installFlags = old.installFlags ++ [ "INSTALL=install" ];
postInstall = ''
${old.postInstall}
make $installFlags install-lib -C contrib/slapd-modules/passwd/argon2
'';
})

@ -2,10 +2,10 @@
{ ... }:
let
# from 2020-04-13
commit = "15ed1f372a83ec748ac824bdc5b573039c18b82f";
# from 2020-05-26
commit = "5df3462dda05d8e44669cf374776274e1bc47d0a";
src = builtins.fetchTarball {
url = "https://github.com/nix-community/emacs-overlay/archive/${commit}.tar.gz";
sha256 = "0m4vb7p29rgbpaavwn9jjid1zz48k1l9za5gy3d8nadqjn7x4dm1";
sha256 = "0ggmkg4shf9948wpwb0s40bjvwijvhv2wykrkayclvp419kbrfxq";
};
in import src
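Review bot: The new comment `# from 2020-05-26` carries the year 2020, while the commit bumps the channels to 2021-05-25; the year is presumably a typo carried over from the old comment. The date comment on a pin is what a reader uses to judge how stale the overlay is. I would write `# from 2021-05-26` after confirming the commit date of the pinned revision.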

@ -1,7 +1,7 @@
# Utility for invoking slappasswd with the correct options for
# creating an ARGON2 password hash.
{ depot, pkgs, ... }:
{ pkgs, ... }:
pkgs.writeShellScriptBin "hash-password" ''
${depot.third_party.openldap}/bin/slappasswd -o module-load=pw-argon2 -h '{ARGON2}'
${pkgs.openldap}/bin/slappasswd -o module-load=pw-argon2 -h '{ARGON2}'
''

@ -39,16 +39,7 @@ in
steam
(awscli2.overridePythonAttrs (oldAttrs: {
postPatch = ''
substituteInPlace setup.py \
--replace 'colorama>=0.2.5,<0.4.4' 'colorama' \
--replace 'wcwidth<0.2.0' 'colorama' \
--replace 'cryptography>=2.8.0,<=2.9.0' 'cryptography' \
--replace 'docutils>=0.10,<0.16' 'docutils' \
--replace 'ruamel.yaml>=0.15.0,<0.16.0' 'ruamel.yaml'
'';
}))
awscli2
];
systemd.user.services.laptop-keyboard = {

@ -76,7 +76,7 @@ with lib;
nodePackages.prettier
] ++ optionals (stdenv.isLinux) [
julia
julia-stable
valgrind
];
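Review bot: The reason for choosing `julia-stable` lives only in the commit message, so the list entry here reads as an arbitrary choice. According to the description, `julia` aliases to `julia-lts`, which depends on an insecure version of libgit. I would add `# julia aliases to julia-lts, which depends on an insecure libgit; use julia-stable` above the entry so a later cleanup does not switch it back. The package list starts outside the hunk.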

@ -274,6 +274,12 @@ with lib;
};
}) (range 1 1));
users.users."buildkite-agent-mugwump-1".extraGroups = [ "docker" ];
users.users."buildkite-agent-mugwump-2".extraGroups = [ "docker" ];
users.users."buildkite-agent-mugwump-1" = {
isSystemUser = true;
extraGroups = [ "docker" ];
};
users.users."buildkite-agent-mugwump-2" = {
isSystemUser = true;
extraGroups = [ "docker" ];
};
}
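Review bot: Both agent accounts keep `extraGroups = [ "docker" ]`, and marking them `isSystemUser` does not narrow that: membership in the docker group gives access to the Docker daemon socket, which is effectively root on the host. The context line `(range 1 1)` also suggests only one agent is generated, in which case `buildkite-agent-mugwump-2` is an unused account holding that access; the generator body is outside the hunk, so this needs confirming. I would drop the second user if it is unused and put a comment on the first, such as `# docker group is root-equivalent on this host; only trusted pipelines may run on this agent`.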

@ -33,7 +33,7 @@ let
(with epkgs.melpaPackages; [
ace-window
ace-link
bazel-mode
# bazel-mode TODO(tazjin): where did this go?
browse-kill-ring
cargo
company
@ -47,7 +47,7 @@ let
eglot
elixir-mode
elm-mode
erlang
# erlang
go-mode
gruber-darker-theme
haskell-mode

@ -155,7 +155,7 @@ in lib.fix(self: {
groups.git = {};
users.git = {
group = "git";
isNormalUser = false;
isSystemUser = true;
};
};