chore(nixpkgs): Bump channels to 2021-05-25
* users/grfn/system/home/yeren: remove obsolete awscli2 overrides * ops: make new isSystemUser || isNormalUser assertion happy * users/grfn/system/system/mugwump: make buildkite agents system users * users/tazjin/nixos/camden: set isSystemUser = true for git * users/tazjin/emacs: Remove missing & broken packages * third_party/openldap: remove, as the argon2 module is now enabled upstream * third_party/gerrit_plugins: Pinned new unstable hashes * third_party/nix, third_party/grpc: Disabled CI as these are broken * third_party/overlays/emacs: Bumped version to stay in sync with channel * third_party/buzz: Update LIBCLANG_PATH to reference libclang.lib, since libclang's default output no longer contains libclang.so * users/grfn/system/home: Install julia-stable instead of julia (which aliases to julia-lts), as the latter depends on an insecure version of libgit Change-Id: Iff33b0ecb0ef07a82d1de35e23c40d2f4bf0f8ed Reviewed-on: https://cl.tvl.fyi/c/depot/+/3001 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: grfn <grfn@gws.fyi>
parent
fb36bc321b
commit
65be8f20e0
20 changed files with 44 additions and 75 deletions
|
@ -595,7 +595,7 @@ in {
|
|||
groups.git = {};
|
||||
users.git = {
|
||||
group = "git";
|
||||
isNormalUser = false;
|
||||
isSystemUser = true;
|
||||
createHome = true;
|
||||
home = "/var/lib/git";
|
||||
};
|
||||
|
|
|
@ -66,7 +66,7 @@ in {
|
|||
|
||||
users.clbot = {
|
||||
group = "clbot";
|
||||
isNormalUser = false;
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -66,7 +66,7 @@ in {
|
|||
|
||||
users = {
|
||||
users.quassel = {
|
||||
isNormalUser = false;
|
||||
isSystemUser = true;
|
||||
group = "quassel";
|
||||
};
|
||||
|
||||
|
|
|
@ -39,6 +39,7 @@ in {
|
|||
users = builtins.listToAttrs (map (n: rec {
|
||||
name = "buildkite-agent-whitby-${toString n}";
|
||||
value = {
|
||||
isSystemUser = true;
|
||||
group = lib.mkForce "buildkite-agents";
|
||||
extraGroups = [ name ];
|
||||
};
|
||||
|
|
|
@ -27,17 +27,6 @@ let
|
|||
inherit (depot.ops) users;
|
||||
|
||||
in {
|
||||
# Use our patched OpenLDAP derivation which enables stronger password hashing.
|
||||
#
|
||||
# Unfortunately the module for OpenLDAP has no package option, so we
|
||||
# need to override it system-wide. Be aware that this triggers a
|
||||
# *large* number of rebuilds of packages such as GPG and Python.
|
||||
nixpkgs.overlays = [
|
||||
(_: _: {
|
||||
inherit (depot.third_party) openldap;
|
||||
})
|
||||
];
|
||||
|
||||
services.openldap = {
|
||||
enable = true;
|
||||
|
||||
|
@ -58,7 +47,7 @@ in {
|
|||
};
|
||||
|
||||
"cn=schema".includes =
|
||||
map (schema: "${depot.third_party.openldap}/etc/schema/${schema}.ldif")
|
||||
map (schema: "${pkgs.openldap}/etc/schema/${schema}.ldif")
|
||||
[ "core" "cosine" "inetorgperson" "nis" ];
|
||||
};
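Review bot: With the overlay and its comment removed, nothing in this file records that the directory's password hashing now depends on `pkgs.openldap` shipping the Argon2 module; the hash-password script further down the page has the same dependency through `module-load=pw-argon2`. A missing module would presumably only show up at runtime, when slapd or slappasswd fails to load it, not at build time. I would keep a short comment above `services.openldap`, for example `# Relies on pkgs.openldap providing the pw-argon2 module; re-check after every channel bump.` The attribute set continues outside both hunks of this section.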
|
||||
|
||||
|
|
|
@ -18,7 +18,10 @@ in {
|
|||
Restart = "always";
|
||||
};
|
||||
};
|
||||
users.users.apereo-cas = {};
|
||||
users.users.apereo-cas = {
|
||||
isSystemUser = true;
|
||||
group = "apereo-cas";
|
||||
};
|
||||
users.groups.apereo-cas = {};
|
||||
};
|
||||
}
|
||||
|
|
2
third_party/buzz/default.nix
vendored
|
@ -27,5 +27,5 @@ depot.third_party.naersk.buildPackage {
|
|||
llvmPackages.libclang
|
||||
];
|
||||
|
||||
LIBCLANG_PATH = "${pkgs.llvmPackages.libclang}/lib/libclang.so";
|
||||
LIBCLANG_PATH = "${pkgs.llvmPackages.libclang.lib}/lib/libclang.so";
|
||||
}
|
||||
|
|
4
third_party/gerrit_plugins/default.nix
vendored
|
@ -6,7 +6,7 @@ in depot.nix.utils.drvTargets {
|
|||
# https://gerrit.googlesource.com/plugins/owners
|
||||
owners = buildGerritBazelPlugin rec {
|
||||
name = "owners";
|
||||
depsOutputHash = "sha256:0j7hn945l5y5pz109mrcx2hh2lb2gi5gf4wrrbypx43rmyhlz3s8";
|
||||
depsOutputHash = "sha256:162hxk2qsix0x1aarhsaqi52q7j7mjpyk8af57w0a012i55ryqqa";
|
||||
src = pkgs.fetchgit {
|
||||
url = "https://gerrit.googlesource.com/plugins/owners";
|
||||
rev = "f3335231b98e14664fdd1b325486bb0824800ac3";
|
||||
|
@ -23,7 +23,7 @@ in depot.nix.utils.drvTargets {
|
|||
# https://gerrit.googlesource.com/plugins/checks
|
||||
checks = buildGerritBazelPlugin {
|
||||
name = "checks";
|
||||
depsOutputHash = "sha256:01krrafg5df42z3r7y74g8lx859my4610cqx3a7d02laqq9yjqc6";
|
||||
depsOutputHash = "sha256:1262xhl2z1pml6iimhnjm5l3gzddz0rjj6sjq53212dk2dxs5y1b";
|
||||
src = pkgs.fetchgit {
|
||||
url = "https://gerrit.googlesource.com/plugins/checks";
|
||||
rev = "990e936b1e050c4fe7ac3e590bdb5cfff0311232";
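Review bot: Both `depsOutputHash` values change while the `rev` lines beside them stay the same, and the file does not say why the fetched dependency set differs for identical sources. Presumably the channel bump changed the Bazel toolchain and with it the fixed-output result, but a reader auditing these pins cannot distinguish that from a dependency that changed upstream. A comment next to each hash, such as `# depends on the Bazel version in nixpkgs; recompute on channel bumps`, would record it; the same applies to the `depsOutputHash` change in third_party/gerrit_plugins/oauth/default.nix. Both plugin definitions continue past the end of their hunks.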
|
||||
|
|
2
third_party/gerrit_plugins/oauth/default.nix
vendored
|
@ -4,7 +4,7 @@ let
|
|||
inherit (import ../builder.nix args) buildGerritBazelPlugin;
|
||||
in buildGerritBazelPlugin rec {
|
||||
name = "oauth";
|
||||
depsOutputHash = "sha256:1zl0gsia9p585dvpyiyb6fiqs3q9dg7qsxnwkn8ncqdnxlg21gl7";
|
||||
depsOutputHash = "sha256:008xqrvy77x06y4dd74pd1vv8rzbp0jd2dw2sqcv9b5qhav7ilyw";
|
||||
src = pkgs.fetchgit {
|
||||
url = "https://gerrit.googlesource.com/plugins/oauth";
|
||||
rev = "4aa7322db5ec221b2419e12a9ec7af5b8c66659c";
|
||||
|
|
5
third_party/grpc/default.nix
vendored
|
@ -9,4 +9,7 @@
|
|||
"-DCMAKE_CXX_STANDARD=17"
|
||||
"-DCMAKE_CXX_STANDARD_REQUIRED=ON"
|
||||
];
|
||||
})
|
||||
}) // {
|
||||
# TODO(b/132): Reenable when linker errors are fixed.
|
||||
meta.ci = false;
|
||||
}
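Review bot: `}) // { meta.ci = false; }` replaces the whole `meta` attribute of the result, because `//` merges only the top level; any license, platform or description metadata carried over from the nixpkgs grpc package is no longer visible on this attribute set. If the expression closed by `})` is an attribute override (its start is outside the hunk, so this is inferred), the flag can be set there instead with `meta = (old.meta or {}) // { ci = false; };`, where `old` stands for whatever name that function's argument has. The `meta.ci = false;` added in third_party/nix/default.nix sits inside the `mkDerivation` arguments and is not affected.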
|
||||
|
|
3
third_party/nix/default.nix
vendored
|
@ -187,6 +187,9 @@ in lib.fix (self: pkgs.llvmPackages_11.libcxxStdenv.mkDerivation {
|
|||
# TODO(tazjin): integration test setup?
|
||||
# TODO(tazjin): docs generation?
|
||||
|
||||
# TODO(b/132): Reenable when linker errors are fixed.
|
||||
meta.ci = false;
|
||||
|
||||
passthru = {
|
||||
build-shell = self.overrideAttrs (up: rec {
|
||||
run_clang_tidy = pkgs.writeShellScriptBin "run-clang-tidy" ''
|
||||
|
|
12
third_party/nixpkgs/default.nix
vendored
|
@ -13,16 +13,16 @@ let
|
|||
# nixos-unstable, and the current stable channel of the latest NixOS
|
||||
# release.
|
||||
|
||||
# Tracking nixos-unstable as of 2021-04-09.
|
||||
# Tracking nixos-unstable as of 2021-05-25.
|
||||
unstableHashes = {
|
||||
commit = "9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2";
|
||||
sha256 = "1r3ll77hyqn28d9i4cf3vqd9v48fmaa1j8ps8c4fm4f8gqf4kpl1";
|
||||
commit = "900115a4f7fdd9189e7803ca781a65be663f2c89";
|
||||
sha256 = "11551nawxjbgya8sq1p6ghkbws9qz9fbfq3wqawm3zh8ayr4l13j";
|
||||
};
|
||||
|
||||
# Tracking nixos-20.09 as of 2021-04-09.
|
||||
# Tracking nixos-20.09 as of 2021-05-25.
|
||||
stableHashes = {
|
||||
commit = "d6f63659a7021051a46035373ed50fbea7e4e924";
|
||||
sha256 = "0vblhzg57sfzqpdm24lgs08vjv2204lzcp6hv4cbjd20rz0mxs4y";
|
||||
commit = "ac60476ed94fd5424d9f3410c438825f793a8cbb";
|
||||
sha256 = "1dlvpdsy5v09c7rj5f7xgakyj722yqr4415davjpcmrk4n5kw76v";
|
||||
};
|
||||
|
||||
# import the nixos-unstable package set, or optionally use the
|
||||
|
|
27
third_party/openldap/default.nix
vendored
|
@ -1,27 +0,0 @@
|
|||
# OpenLDAP by default uses a simple shalted SHA1-hash for passwords,
|
||||
# which is less than ideal.
|
||||
#
|
||||
# It does however include a contrib module which adds support for the
|
||||
# Argon2 password hashing scheme. This overrides then OpenLDAP build
|
||||
# derivation to include this module.
|
||||
{ pkgs, ... }:
|
||||
|
||||
pkgs.openldap.overrideAttrs(old: {
|
||||
buildInputs = old.buildInputs ++ [ pkgs.libsodium ];
|
||||
|
||||
postBuild = ''
|
||||
${old.postBuild}
|
||||
make $makeFlags -C contrib/slapd-modules/passwd/argon2
|
||||
'';
|
||||
|
||||
# This is required because the Makefile for this module hardcodes
|
||||
# /usr/bin/install, which is not a valid path - we want it to be
|
||||
# looked up from $PATH because it is included in stdenv.
|
||||
installFlags = old.installFlags ++ [ "INSTALL=install" ];
|
||||
|
||||
postInstall = ''
|
||||
${old.postInstall}
|
||||
make $installFlags install-lib -C contrib/slapd-modules/passwd/argon2
|
||||
'';
|
||||
|
||||
})
|
6
third_party/overlays/emacs.nix
vendored
|
@ -2,10 +2,10 @@
|
|||
{ ... }:
|
||||
|
||||
let
|
||||
# from 2020-04-13
|
||||
commit = "15ed1f372a83ec748ac824bdc5b573039c18b82f";
|
||||
# from 2020-05-26
|
||||
commit = "5df3462dda05d8e44669cf374776274e1bc47d0a";
|
||||
src = builtins.fetchTarball {
|
||||
url = "https://github.com/nix-community/emacs-overlay/archive/${commit}.tar.gz";
|
||||
sha256 = "0m4vb7p29rgbpaavwn9jjid1zz48k1l9za5gy3d8nadqjn7x4dm1";
|
||||
sha256 = "0ggmkg4shf9948wpwb0s40bjvwijvhv2wykrkayclvp419kbrfxq";
|
||||
};
|
||||
in import src
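Review bot: The new comment `# from 2020-05-26` gives a year that does not match a channel bump dated 2021-05-25; the line it replaces had the same pattern, so this is probably a carried-over typo. Since the comment is the only human-readable provenance for the pinned `commit`, I would correct it to `# from 2021-05-26` after confirming the commit date upstream.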
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Utility for invoking slappasswd with the correct options for
|
||||
# creating an ARGON2 password hash.
|
||||
{ depot, pkgs, ... }:
|
||||
{ pkgs, ... }:
|
||||
|
||||
pkgs.writeShellScriptBin "hash-password" ''
|
||||
${depot.third_party.openldap}/bin/slappasswd -o module-load=pw-argon2 -h '{ARGON2}'
|
||||
${pkgs.openldap}/bin/slappasswd -o module-load=pw-argon2 -h '{ARGON2}'
|
||||
''
|
||||
|
|
|
@ -39,16 +39,7 @@ in
|
|||
|
||||
steam
|
||||
|
||||
(awscli2.overridePythonAttrs (oldAttrs: {
|
||||
postPatch = ''
|
||||
substituteInPlace setup.py \
|
||||
--replace 'colorama>=0.2.5,<0.4.4' 'colorama' \
|
||||
--replace 'wcwidth<0.2.0' 'colorama' \
|
||||
--replace 'cryptography>=2.8.0,<=2.9.0' 'cryptography' \
|
||||
--replace 'docutils>=0.10,<0.16' 'docutils' \
|
||||
--replace 'ruamel.yaml>=0.15.0,<0.16.0' 'ruamel.yaml'
|
||||
'';
|
||||
}))
|
||||
awscli2
|
||||
];
|
||||
|
||||
systemd.user.services.laptop-keyboard = {
|
||||
|
|
|
@ -76,7 +76,7 @@ with lib;
|
|||
|
||||
nodePackages.prettier
|
||||
] ++ optionals (stdenv.isLinux) [
|
||||
julia
|
||||
julia-stable
|
||||
valgrind
|
||||
];
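Review bot: The switch from `julia` to `julia-stable` is a security-motivated choice that only the commit message explains. A comment on the new line, such as `# julia aliases to julia-lts, which depends on an insecure libgit version`, would stop a later cleanup from reverting it. The list this line belongs to starts outside the hunk.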
|
||||
|
||||
|
|
|
@ -274,6 +274,12 @@ with lib;
|
|||
};
|
||||
}) (range 1 1));
|
||||
|
||||
users.users."buildkite-agent-mugwump-1".extraGroups = [ "docker" ];
|
||||
users.users."buildkite-agent-mugwump-2".extraGroups = [ "docker" ];
|
||||
users.users."buildkite-agent-mugwump-1" = {
|
||||
isSystemUser = true;
|
||||
extraGroups = [ "docker" ];
|
||||
};
|
||||
users.users."buildkite-agent-mugwump-2" = {
|
||||
isSystemUser = true;
|
||||
extraGroups = [ "docker" ];
|
||||
};
|
||||
}
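Review bot: `users.users."buildkite-agent-mugwump-2"` is now created explicitly as a system user in the `docker` group, although the context line `}) (range 1 1));` above suggests that only one agent is generated on this machine (the expression starts outside the hunk, so that is inferred). Membership in `docker` is effectively root on the host, so an account that no agent uses is best removed rather than converted. If the second agent is meant to exist, deriving these user entries from the same range as the agents would keep the two from drifting apart. Neither entry sets `group`, unlike the whitby agents earlier in this commit, which may matter if the user assertions become stricter.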
|
||||
|
|
|
@ -33,7 +33,7 @@ let
|
|||
(with epkgs.melpaPackages; [
|
||||
ace-window
|
||||
ace-link
|
||||
bazel-mode
|
||||
# bazel-mode TODO(tazjin): where did this go?
|
||||
browse-kill-ring
|
||||
cargo
|
||||
company
|
||||
|
@ -47,7 +47,7 @@ let
|
|||
eglot
|
||||
elixir-mode
|
||||
elm-mode
|
||||
erlang
|
||||
# erlang
|
||||
go-mode
|
||||
gruber-darker-theme
|
||||
haskell-mode
|
||||
|
|
|
@ -155,7 +155,7 @@ in lib.fix(self: {
|
|||
groups.git = {};
|
||||
users.git = {
|
||||
group = "git";
|
||||
isNormalUser = false;
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
|