Merge master into staging-next

nixos/doc/manual/from_md/release-notes/rl-2305.section.xml

@@ -68,6 +68,13 @@
           <link linkend="opt-programs.fzf.fuzzyCompletion">programs.fzf</link>.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/hzeller/gmrender-resurrect">gmediarender</link>,
+          a simple, headless UPnP/DLNA renderer. Available as
+          <link xlink:href="options.html#opt-services.gmediarender.enable">services.gmediarender</link>.
+        </para>
+      </listitem>
       <listitem>
         <para>
           <link xlink:href="https://github.com/StevenBlack/hosts">stevenblack-blocklist</link>,

nixos/doc/manual/release-notes/rl-2305.section.md

@@ -26,6 +26,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [fzf](https://github.com/junegunn/fzf), a command line fuzzyfinder. Available as [programs.fzf](#opt-programs.fzf.fuzzyCompletion).
 
+- [gmediarender](https://github.com/hzeller/gmrender-resurrect), a simple, headless UPnP/DLNA renderer.  Available as [services.gmediarender](options.html#opt-services.gmediarender.enable).
+
 - [stevenblack-blocklist](https://github.com/StevenBlack/hosts), A unified hosts file with base extensions for blocking unwanted websites. Available as [networking.stevenblack](options.html#opt-networking.stevenblack.enable).
 
 - [atuin](https://github.com/ellie/atuin), a sync server for shell history. Available as [services.atuin](#opt-services.atuin.enable).

nixos/modules/module-list.nix

@@ -295,6 +295,7 @@
   ./services/amqp/rabbitmq.nix
   ./services/audio/alsa.nix
   ./services/audio/botamusique.nix
+  ./services/audio/gmediarender.nix
   ./services/audio/hqplayerd.nix
   ./services/audio/icecast.nix
   ./services/audio/jack.nix

nixos/modules/services/audio/gmediarender.nix

@@ -0,0 +1,116 @@
+{ pkgs, lib, config, utils, ... }:
+
+with lib;
+
+let
+  cfg = config.services.gmediarender;
+in
+{
+  options.services.gmediarender = {
+    enable = mkEnableOption (mdDoc "the gmediarender DLNA renderer");
+
+    audioDevice = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = mdDoc ''
+        The audio device to use.
+      '';
+    };
+
+    audioSink = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = mdDoc ''
+        The audio sink to use.
+      '';
+    };
+
+    friendlyName = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = mdDoc ''
+        A "friendly name" for identifying the endpoint.
+      '';
+    };
+
+    initialVolume = mkOption {
+      type = types.nullOr types.int;
+      default = 0;
+      description = mdDoc ''
+        A default volume attenuation (in dB) for the endpoint.
+      '';
+    };
+
+    package = mkPackageOptionMD pkgs "gmediarender" {
+      default = "gmrender-resurrect";
+    };
+
+    port = mkOption {
+      type = types.nullOr types.port;
+      default = null;
+      description = mdDoc "Port that will be used to accept client connections.";
+    };
+
+    uuid = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = mdDoc ''
+        A UUID for uniquely identifying the endpoint.  If you have
+        multiple renderers on your network, you MUST set this.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd = {
+      services.gmediarender = {
+        after = [ "network-online.target" ];
+        wantedBy = [ "multi-user.target" ];
+        description = "gmediarender server daemon";
+        environment = {
+          XDG_CACHE_HOME = "%t/gmediarender";
+        };
+        serviceConfig = {
+          DynamicUser = true;
+          User = "gmediarender";
+          Group = "gmediarender";
+          SupplementaryGroups = [ "audio" ];
+          ExecStart =
+            "${cfg.package}/bin/gmediarender " +
+            optionalString (cfg.audioDevice != null) ("--gstout-audiodevice=${utils.escapeSystemdExecArg cfg.audioDevice} ") +
+            optionalString (cfg.audioSink != null) ("--gstout-audiosink=${utils.escapeSystemdExecArg cfg.audioSink} ") +
+            optionalString (cfg.friendlyName != null) ("--friendly-name=${utils.escapeSystemdExecArg cfg.friendlyName} ") +
+            optionalString (cfg.initialVolume != 0) ("--initial-volume=${toString cfg.initialVolume} ") +
+            optionalString (cfg.port != null) ("--port=${toString cfg.port} ") +
+            optionalString (cfg.uuid != null) ("--uuid=${utils.escapeSystemdExecArg cfg.uuid} ");
+          Restart = "always";
+          RuntimeDirectory = "gmediarender";
+
+          # Security options:
+          CapabilityBoundingSet = "";
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          # PrivateDevices = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [ "@system-service" "~@privileged" ];
+          UMask = 066;
+        };
+      };
+    };
+  };
+}

nixos/modules/services/networking/syncthing.nix

@@ -384,6 +384,29 @@ in {
         description = mdDoc ''
           Extra configuration options for Syncthing.
           See <https://docs.syncthing.net/users/config.html>.
+          Note that this attribute set does not exactly match the documented
+          xml format. Instead, this is the format of the json rest api. There
+          are slight differences. For example, this xml:
+          ```xml
+          <options>
+            <listenAddress>default</listenAddress>
+            <minHomeDiskFree unit="%">1</minHomeDiskFree>
+          </options>
+          ```
+          corresponds to the json:
+          ```json
+          {
+            options: {
+              listenAddresses = [
+                "default"
+              ];
+              minHomeDiskFree = {
+                unit = "%";
+                value = 1;
+              };
+            };
+          }
+          ```
         '';
         example = {
           options.localAnnounceEnabled = false;

nixos/modules/virtualisation/lxc-container.nix

@@ -150,6 +150,12 @@ in
           source = config.system.build.toplevel + "/init";
           target = "/sbin/init";
         }
+        # Technically this is not required for lxc, but having also make this configuration work with systemd-nspawn.
+        # Nixos will setup the same symlink after start.
+        {
+          source = config.system.build.toplevel + "/etc/os-release";
+          target = "/etc/os-release";
+        }
       ];
 
       extraCommands = "mkdir -p proc sys dev";

pkgs/applications/blockchains/chia-dev-tools/default.nix

@@ -0,0 +1,63 @@
+{ lib
+, fetchFromGitHub
+, substituteAll
+, python3Packages
+, chia
+,
+}:
+python3Packages.buildPythonApplication rec {
+  pname = "chia-dev-tools";
+  version = "1.1.4";
+
+  src = fetchFromGitHub {
+    owner = "Chia-Network";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-lE7FTSDqVS6AstcxZSMdQwgygMvcvh1fqYVTTSSNZpA=";
+  };
+
+  patches = [
+    (substituteAll {
+      src = ./fix-paths.patch;
+      inherit chia;
+    })
+  ];
+
+  postPatch = ''
+    substituteInPlace setup.py \
+      --replace "==" ">="
+  '';
+
+  nativeBuildInputs = [
+    python3Packages.setuptools-scm
+  ];
+
+  # give a hint to setuptools-scm on package version
+  SETUPTOOLS_SCM_PRETEND_VERSION = "v${version}";
+
+  propagatedBuildInputs = with python3Packages; [
+    (toPythonModule chia)
+    pytimeparse
+  ];
+
+  checkInputs = with python3Packages; [
+    pytestCheckHook
+    pytest-asyncio
+  ];
+
+  preCheck = ''
+    export HOME=$(mktemp -d)
+  '';
+  postCheck = "unset HOME";
+
+  disabledTests = [
+    "test_spendbundles"
+  ];
+
+  meta = with lib; {
+    homepage = "https://www.chia.net/";
+    description = "Utility for developing in the Chia ecosystem: Chialisp functions, object inspection, RPC client and more";
+    license = with licenses; [ asl20 ];
+    maintainers = teams.chia.members;
+  };
+}

pkgs/applications/blockchains/chia-dev-tools/fix-paths.patch

@@ -0,0 +1,13 @@
+diff --git a/cdv/cmds/sim_utils.py b/cdv/cmds/sim_utils.py
+index e59ba8f..20912ff 100644
+--- a/cdv/cmds/sim_utils.py
++++ b/cdv/cmds/sim_utils.py
+@@ -67,7 +67,7 @@ async def start_async(root_path: Path, group: Any, restart: bool) -> None:
+
+     from chia.cmds.start_funcs import async_start
+
+-    sys.argv[0] = str(Path(sys.executable).parent / "chia")  # this gives the correct path to the chia executable
++    sys.argv[0] = "@chia@/bin/chia"  # this gives the correct path to the chia executable
+     if root_path.exists():
+         config = load_config(root_path, "config.yaml")
+         await async_start(root_path, config, group, restart)

pkgs/applications/networking/sniffers/wireshark/default.nix

@@ -11,7 +11,7 @@ assert withQt  -> qt5  != null;
 with lib;
 
 let
-  version = "4.0.1";
+  version = "4.0.2";
   variant = if withQt then "qt" else "cli";
 
 in stdenv.mkDerivation {
@@ -21,7 +21,7 @@ in stdenv.mkDerivation {
 
   src = fetchurl {
     url = "https://www.wireshark.org/download/src/all-versions/wireshark-${version}.tar.xz";
-    sha256 = "sha256-s7AC+Z0Tu/R/ntO+frNyywwkVL0PrqKadWgZzgGf/cI=";
+    sha256 = "sha256-81kVaZ8vmyjdshEgLUDsiYTlg008kRSDFEpJhLpEQR0=";
   };
 
   cmakeFlags = [

pkgs/applications/networking/sync/rsync/default.nix

@@ -43,6 +43,9 @@ stdenv.mkDerivation rec {
     # disable the included zlib explicitly as it otherwise still compiles and
     # links them even.
     "--with-included-zlib=no"
+  ] ++ lib.optionals (stdenv.hostPlatform.isMusl && stdenv.hostPlatform.isx86_64) [
+    # fix `multiversioning needs 'ifunc' which is not supported on this target` error
+    "--disable-roll-simd"
   ];
 
   enableParallelBuilding = true;

pkgs/applications/networking/umurmur/default.nix

@@ -14,6 +14,11 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ autoreconfHook ];
   buildInputs = [ openssl protobufc libconfig ];
 
+  # https://github.com/umurmur/umurmur/issues/176
+  postPatch = ''
+    sed -i '/CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);/d' src/ssli_openssl.c
+  '';
+
   configureFlags = [
     "--with-ssl=openssl"
     "--enable-shmapi"

pkgs/applications/office/zotero/default.nix

@@ -41,12 +41,12 @@
 
 stdenv.mkDerivation rec {
   pname = "zotero";
-  version = "6.0.18";
+  version = "6.0.20";
 
   src = fetchurl {
     url =
       "https://download.zotero.org/client/release/${version}/Zotero-${version}_linux-x86_64.tar.bz2";
-    sha256 = "sha256-MIBhvhgttqfUO42ipVNXhdKbcN/0YPtFK8Ox8KlafG0=";
+    sha256 = "sha256-HsAvodqio3GJ9TK1pt4WwlEZEAo52ocH0r7cf9IQe9w=";
   };
 
   nativeBuildInputs = [ wrapGAppsHook ];

pkgs/applications/science/chemistry/cp2k/default.nix

@@ -11,13 +11,13 @@ let
 
 in stdenv.mkDerivation rec {
   pname = "cp2k";
-  version = "2022.2";
+  version = "2023.1";
 
   src = fetchFromGitHub {
     owner = "cp2k";
     repo = "cp2k";
     rev = "v${version}";
-    hash = "sha256-zDIsgPcLnA0ATJEN1vQClpkToqvIyW7KuXhyGiXJXDw=";
+    hash = "sha256-SG5Gz0cDiSfbSZ8m4K+eARMLU4iMk/xK3esN5yt05RE=";
     fetchSubmodules = true;
   };
 

pkgs/development/compilers/nextpnr/default.nix

@@ -14,14 +14,14 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "nextpnr";
-  version = "0.4";
+  version = "0.5";
 
   srcs = [
     (fetchFromGitHub {
       owner = "YosysHQ";
       repo  = "nextpnr";
       rev   = "${pname}-${version}";
-      hash  = "sha256-gnNUFSV+/SzCuP43KyUUgVNdAzjOM7lOLNJT72L8lTY=";
+      hash  = "sha256-3/a6nVr2v9kK/FFmxZq9LQLAoE/yNRcTGojiFPGRkHU=";
       name  = "nextpnr";
     })
     (fetchFromGitHub {

pkgs/development/python-modules/google-cloud-securitycenter/default.nix

@@ -12,14 +12,14 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-securitycenter";
-  version = "1.17.0";
+  version = "1.18.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-wkq0/LEgEQokKzREpOkprKZUK/paP8CgS51anLTy5Dk=";
+    hash = "sha256-gtzSB70x7oN6EiTP1U5P1dV4a4eWZNGtRFInYz7AyCA=";
   };
 
   propagatedBuildInputs = [

pkgs/development/tools/misc/clojure-lsp/default.nix

@@ -2,18 +2,18 @@
 
 buildGraalvmNativeImage rec {
   pname = "clojure-lsp";
-  version = "2022.11.03-00.14.57";
+  version = "2022.12.09-15.51.10";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = version;
-    sha256 = "sha256-NtvW0KT6d0k2oN//7xaTnBIoLKkc7zQFj3VdoFdgBWI=";
+    sha256 = "sha256-hWDTxYtL0c9zkJDle9/XNPMwDDCltfAnz/Os83xL3iM=";
   };
 
   jar = fetchurl {
     url = "https://github.com/clojure-lsp/clojure-lsp/releases/download/${version}/clojure-lsp-standalone.jar";
-    sha256 = "49e0a848dc32216a60f48eca68ff476cb69b999f6a79fb7310bf9fb2ffcaf4b6";
+    sha256 = "df8e000a69fc2aaa85312952f27a9b79625928d825acfe1da69cb67d220ada33";
   };
 
   extraNativeImageBuildArgs = [