Merge remote-tracking branch 'origin/staging-next' into staging

NixOS · Dec 20, 2024 · 81932cf · 81932cf
2 parents b5283b1 + 522470a
commit 81932cf
Show file tree

Hide file tree

Showing 146 changed files with 8,758 additions and 11,013 deletions.
diff --git a/ci/eval/compare/generate-step-summary.jq b/ci/eval/compare/generate-step-summary.jq
@@ -4,12 +4,27 @@ def truncate(xs; n):
   end;
 
 def itemize_packages(xs):
-  # we truncate the list to stay below the GitHub limit of 1MB per step summary.
-  truncate(xs; 3000) | map("- [\(.)](https://search.nixos.org/packages?channel=unstable&show=\(.)&from=0&size=50&sort=relevance&type=packages&query=\(.))") | join("\n");
+  truncate(xs; 2000) |
+    map("- [\(.)](https://search.nixos.org/packages?channel=unstable&show=\(.)&from=0&size=50&sort=relevance&type=packages&query=\(.))")  |
+    join("\n");
+
+def get_title(s; xs):
+  s + " (" + (xs | length | tostring) + ")";
 
 def section(title; xs):
-  "<details> <summary>" + title + " (" + (xs | length | tostring) + ")</summary>\n\n" + itemize_packages(xs) + "</details>";
+  "<details> <summary>" + get_title(title; xs) + "</summary>\n\n" + itemize_packages(xs) + "</details>";
+
+def fallback_document(content; n):
+  if content | utf8bytelength > n then
+    get_title("Added packages"; .attrdiff.added) + "\n\n" +
+    get_title("Removed packages"; .attrdiff.removed) + "\n\n" +
+    get_title("Changed packages"; .attrdiff.changed)
+  else content
+  end;
 
-section("Added packages"; .attrdiff.added) + "\n\n" +
-section("Removed packages"; .attrdiff.removed) + "\n\n" +
-section("Changed packages"; .attrdiff.changed)
+# we truncate the list to stay below the GitHub limit of 1MB per step summary.
+fallback_document(
+  section("Added packages"; .attrdiff.added) + "\n\n" +
+  section("Removed packages"; .attrdiff.removed) + "\n\n" +
+  section("Changed packages"; .attrdiff.changed); 1000 * 1000
+)
diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
@@ -12850,6 +12850,13 @@
     githubId = 101508537;
     name = "Yuchen He";
   };
+  lilioid = {
+    name = "Lilly";
+    email = "li@lly.sh";
+    matrix = "@17sell:mafiasi.de";
+    github = "lilioid";
+    githubId = 12398140;
+  };
   LilleAila = {
     name = "Olai";
     email = "olai@olai.dev";
@@ -24065,6 +24072,12 @@
     githubId = 49368953;
     keys = [ { fingerprint = "D20F C904 A145 8B28 53D8  FBA0 0422 0096 01E4 87FC"; } ];
   };
+  WeetHet = {
+    name = "WeetHet";
+    matrix = "@weethet:catgirl.cloud";
+    github = "WeetHet";
+    githubId = 43210583;
+  };
   wegank = {
     name = "Weijia Wang";
     email = "contact@weijia.wang";

diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -61,6 +61,8 @@
 
 - [nostr-rs-relay](https://git.sr.ht/~gheartsfield/nostr-rs-relay/), This is a nostr relay, written in Rust. Available as [services.nostr-rs-relay](options.html#opt-services.nostr-rs-relay.enable).
 
+- [Actual Budget](https://actualbudget.org/), a local-first personal finance app. Available as [services.actual](#opt-services.actual.enable).
+
 - [mqtt-exporter](https://github.com/kpetremann/mqtt-exporter/), a Prometheus exporter for exposing messages from MQTT. Available as [services.prometheus.exporters.mqtt](#opt-services.prometheus.exporters.mqtt.enable).
 
 - [nvidia-gpu](https://github.com/utkuozdemir/nvidia_gpu_exporter), a Prometheus exporter that scrapes `nvidia-smi` for GPU metrics. Available as [services.prometheus.exporters.nvidia-gpu](#opt-services.prometheus.exporters.nvidia-gpu.enable).
@@ -167,6 +169,8 @@
 
 - `virtualisation.azure.agent` option provided by `azure-agent.nix` is replaced by `services.waagent`, and will be removed in a future release.
 
+- `matomo` now defaults to version 5 (previously available as `matomo_5`). Version 4 has been removed as it reached EOL on December 19, 2024.
+
 - `containerd` has been updated to v2, which contains breaking changes. See the [containerd
   2.0](https://github.com/containerd/containerd/blob/main/docs/containerd-2.0.md) documentation for more
   details.

diff --git a/nixos/modules/config/nix-remote-build.nix b/nixos/modules/config/nix-remote-build.nix
@@ -225,7 +225,7 @@ in
     };
   };
 
-  # distributedBuilds does *not* inhibit /etc/machines generation; caller may
+  # distributedBuilds does *not* inhibit /etc/nix/machines generation; caller may
   # override that nix option.
   config = mkIf cfg.enable {
     assertions =

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -1173,6 +1173,7 @@
   ./services/networking/nixops-dns.nix
   ./services/networking/nncp.nix
   ./services/networking/nntp-proxy.nix
+  ./services/networking/nm-file-secret-agent.nix
   ./services/networking/nomad.nix
   ./services/networking/nsd.nix
   ./services/networking/ntopng.nix
@@ -1419,6 +1420,7 @@
   ./services/video/wivrn.nix
   ./services/wayland/cage.nix
   ./services/wayland/hypridle.nix
+  ./services/web-apps/actual.nix
   ./services/web-apps/akkoma.nix
   ./services/web-apps/agorakit.nix
   ./services/web-apps/alps.nix

diff --git a/nixos/modules/services/networking/nm-file-secret-agent.nix b/nixos/modules/services/networking/nm-file-secret-agent.nix
@@ -0,0 +1,131 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.networking.networkmanager;
+  toml = pkgs.formats.toml { };
+
+  enabled = (lib.length cfg.ensureProfiles.secrets.entries) > 0;
+
+  nmFileSecretAgentConfig = {
+    entry = builtins.map (
+      i:
+      {
+        key = i.key;
+        file = i.file;
+      }
+      // lib.optionalAttrs (i.matchId != null) { match_id = i.matchId; }
+      // lib.optionalAttrs (i.matchUuid != null) { match_uuid = i.matchUuid; }
+      // lib.optionalAttrs (i.matchType != null) { match_type = i.matchType; }
+      // lib.optionalAttrs (i.matchIface != null) { match_iface = i.matchIface; }
+      // lib.optionalAttrs (i.matchSetting != null) {
+        match_setting = i.matchSetting;
+      }
+    ) cfg.ensureProfiles.secrets.entries;
+  };
+  nmFileSecretAgentConfigFile = toml.generate "config.toml" nmFileSecretAgentConfig;
+in
+{
+  meta = {
+    maintainers = [ lib.maintainers.lilioid ];
+  };
+
+  ####### interface
+  options = {
+    networking.networkmanager.ensureProfiles.secrets = {
+      package = lib.mkPackageOption pkgs "nm-file-secret-agent" { };
+      entries = lib.mkOption {
+        description = ''
+          A list of secrets to provide to NetworkManager by reading their values from configured files.
+
+          Note that NetworkManager should be configured to read secrets from a secret agent.
+          This can be done for example through the `networking.networkmanager.ensureProfiles.profiles` options.
+        '';
+        default = [ ];
+        example = [
+          {
+            matchId = "My WireGuard VPN";
+            matchType = "wireguard";
+            matchSetting = "wireguard";
+            key = "private-key";
+            file = "/root/wireguard_key";
+          }
+        ];
+        type = lib.types.listOf (
+          lib.types.submodule {
+            options = {
+              matchId = lib.mkOption {
+                description = ''
+                  connection id used by NetworkManager. Often displayed as name in GUIs.
+
+                  NetworkManager describes this as a human readable unique identifier for the connection, like "Work Wi-Fi" or "T-Mobile 3G".
+                '';
+                type = lib.types.nullOr lib.types.str;
+                default = null;
+                example = "wifi1";
+              };
+              matchUuid = lib.mkOption {
+                description = ''
+                  UUID of the connection profile
+
+                  UUIDs are assigned once on connection creation and should never change as long as the connection still applies to the same network.
+                '';
+                type = lib.types.nullOr lib.types.str;
+                default = null;
+                example = "669ea4c9-4cb3-4901-ab52-f9606590976e";
+              };
+              matchType = lib.mkOption {
+                description = ''
+                  NetworkManager connection type
+
+                  The NetworkManager configuration settings reference roughly corresponds to connection types.
+                  More might be available on your system depending on the installed plugins.
+
+                  https://networkmanager.dev/docs/api/latest/ch01.html
+                '';
+                type = lib.types.nullOr lib.types.str;
+                default = null;
+                example = "wireguard";
+              };
+              matchIface = lib.mkOption {
+                description = "interface name of the NetworkManager connection";
+                type = lib.types.nullOr lib.types.str;
+                default = null;
+              };
+              matchSetting = lib.mkOption {
+                description = "name of the setting section for which secrets are requested";
+                type = lib.types.nullOr lib.types.str;
+                default = null;
+              };
+              key = lib.mkOption {
+                description = "key in the setting section for which this entry provides a value";
+                type = lib.types.str;
+              };
+              file = lib.mkOption {
+                description = "file from which the secret value is read";
+                type = lib.types.str;
+              };
+            };
+          }
+        );
+      };
+    };
+  };
+
+  ####### implementation
+  config = lib.mkIf enabled {
+    # start nm-file-secret-agent if required
+    systemd.services."nm-file-secret-agent" = {
+      description = "NetworkManager secret agent that responds with the content of preconfigured files";
+      documentation = [ "https://github.com/lilioid/nm-file-secret-agent/" ];
+      requires = [ "NetworkManager.service" ];
+      after = [ "NetworkManager.service" ];
+      wantedBy = [ "multi-user.target" ];
+      restartTriggers = [ nmFileSecretAgentConfigFile ];
+      script = "${lib.getExe cfg.ensureProfiles.secrets.package} --conf ${nmFileSecretAgentConfigFile}";
+    };
+  };
+}
diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix
@@ -6,10 +6,9 @@ let
 
   cfg = config.services.dbus;
 
-  homeDir = "/run/dbus";
-
-  configDir = pkgs.makeDBusConf {
+  configDir = pkgs.makeDBusConf.override {
     inherit (cfg) apparmor;
+    dbus = cfg.dbusPackage;
     suidHelper = "${config.security.wrapperDir}/dbus-daemon-launch-helper";
     serviceDirectories = cfg.packages;
   };
@@ -37,6 +36,10 @@ in
         '';
       };
 
+      dbusPackage = lib.mkPackageOption pkgs "dbus" {};
+
+      brokerPackage = lib.mkPackageOption pkgs "dbus-broker" {};
+
       implementation = mkOption {
         type = types.enum [ "dbus" "broker" ];
         default = "dbus";
@@ -46,7 +49,6 @@ in
           performance and reliability, while keeping compatibility to the D-Bus
           reference implementation.
         '';
-
       };
 
       packages = mkOption {
@@ -94,7 +96,7 @@ in
       users.users.messagebus = {
         uid = config.ids.uids.messagebus;
         description = "D-Bus system message bus daemon user";
-        home = homeDir;
+        home = "/run/dbus";
         homeMode = "0755";
         group = "messagebus";
       };
@@ -103,16 +105,16 @@ in
 
       # Install dbus for dbus tools even when using dbus-broker
       environment.systemPackages = [
-        pkgs.dbus
+        cfg.dbusPackage
       ];
 
       # You still need the dbus reference implementation installed to use dbus-broker
       systemd.packages = [
-        pkgs.dbus
+        cfg.dbusPackage
       ];
 
       services.dbus.packages = [
-        pkgs.dbus
+        cfg.dbusPackage
         config.system.path
       ];
 
@@ -125,14 +127,15 @@ in
       boot.initrd.systemd = {
         users.messagebus = { };
         groups.messagebus = { };
-        contents."/etc/dbus-1".source = pkgs.makeDBusConf {
+        contents."/etc/dbus-1".source = pkgs.makeDBusConf.override {
           inherit (cfg) apparmor;
+          dbus = cfg.dbusPackage;
           suidHelper = "/bin/false";
-          serviceDirectories = [ pkgs.dbus config.boot.initrd.systemd.package ];
+          serviceDirectories = [ cfg.dbusPackage config.boot.initrd.systemd.package ];
         };
-        packages = [ pkgs.dbus ];
+        packages = [ cfg.dbusPackage ];
         storePaths = [
-          "${pkgs.dbus}/bin/dbus-daemon"
+          "${cfg.dbusPackage}/bin/dbus-daemon"
           "${config.boot.initrd.systemd.package}/share/dbus-1/system-services"
           "${config.boot.initrd.systemd.package}/share/dbus-1/system.d"
         ];
@@ -142,7 +145,7 @@ in
 
     (mkIf (cfg.implementation == "dbus") {
       security.wrappers.dbus-daemon-launch-helper = {
-        source = "${pkgs.dbus}/libexec/dbus-daemon-launch-helper";
+        source = "${cfg.dbusPackage}/libexec/dbus-daemon-launch-helper";
         owner = "root";
         group = "messagebus";
         setuid = true;
@@ -181,11 +184,11 @@ in
 
     (mkIf (cfg.implementation == "broker") {
       environment.systemPackages = [
-        pkgs.dbus-broker
+        cfg.brokerPackage
       ];
 
       systemd.packages = [
-        pkgs.dbus-broker
+        cfg.brokerPackage
       ];
 
       # Just to be sure we don't restart through the unit alias

diff --git a/nixos/modules/services/video/frigate.nix b/nixos/modules/services/video/frigate.nix
@@ -201,6 +201,7 @@ in
       enable = true;
       additionalModules = with pkgs.nginxModules; [
         develkit
+        rtmp
         secure-token
         set-misc
         vod