Unverified Commit 6afe543a authored by github-actions[bot]'s avatar github-actions[bot] Committed by GitHub

Merge master into staging-next

parents 16b32782 8c7af7b7
+13 −6
@@ -581,6 +581,12 @@
    githubId = 1318982;
    name = "Anders Claesson";
  };
  akechishiro = {
    email = "akechishiro-aur+nixpkgs@lahfa.xyz";
    github = "AkechiShiro";
    githubId = 14914796;
    name = "Samy Lahfa";
  };
  a-kenji = {
    email = "aks.kenji@protonmail.com";
    github = "a-kenji";
@@ -1505,6 +1511,13 @@
      fingerprint = "DD52 6BC7 767D BA28 16C0 95E5 6840 89CE 67EB B691";
    }];
  };
  atalii = {
    email = "taliauster@gmail.com";
    github = "atalii";
    githubId = 120901234;
    name = "tali auster";
    matrix = "@atalii:matrix.org";
  };
  ataraxiasjel = {
    email = "nix@ataraxiadev.com";
    github = "AtaraxiaSjel";
@@ -18462,12 +18475,6 @@
    github = "zfnmxt";
    githubId = 37446532;
  };
  zgrannan = {
    email = "zgrannan@gmail.com";
    github = "zgrannan";
    githubId = 1141948;
    name = "Zack Grannan";
  };
  zhaofengli = {
    email = "hello@zhaofeng.li";
    matrix = "@zhaofeng:zhaofeng.li";
+6 −4
@@ -168,14 +168,16 @@ in

    systemd.packages = [ nixPackage ];

    systemd.tmpfiles =
      if (isNixAtLeast "2.8") then {
    systemd.tmpfiles = mkMerge [
      (mkIf (isNixAtLeast "2.8") {
        packages = [ nixPackage ];
      } else {
      })
      (mkIf (!isNixAtLeast "2.8") {
        rules = [
          "d /nix/var/nix/daemon-socket 0755 root root - -"
        ];
      };
      })
    ];

    systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ];
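Review bot: The two mkIf branches evaluate `isNixAtLeast "2.8"` twice, once negated, so the version threshold now lives in two places that can drift apart; binding it once keeps the split explicit, e.g. `let tmpfilesFromPackage = isNixAtLeast "2.8"; in mkMerge [ (mkIf tmpfilesFromPackage { packages = [ nixPackage ]; }) (mkIf (!tmpfilesFromPackage) { rules = [ "d /nix/var/nix/daemon-socket 0755 root root - -" ]; }) ]`. A short comment on the mkMerge saying why the daemon-socket rule is hand-written only for older Nix (presumably the package ships its own tmpfiles.d entry from 2.8 on) would also help the next reader. The enclosing config block starts and ends outside the hunk.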

+1 −0
@@ -203,6 +203,7 @@ in {
  couchdb = handleTest ./couchdb.nix {};
  cri-o = handleTestOn ["aarch64-linux" "x86_64-linux"] ./cri-o.nix {};
  cups-pdf = handleTest ./cups-pdf.nix {};
  curl-impersonate = handleTest ./curl-impersonate.nix {};
  custom-ca = handleTest ./custom-ca.nix {};
  croc = handleTest ./croc.nix {};
  darling = handleTest ./darling.nix {};
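--- /dev/null
+++ b/curl-impersonate.nix
@@ -0,0 +1,157 @@
+/*
+  Test suite for curl-impersonate
+
+  Abstract:
+    Uses the test suite from the curl-impersonate source repo which:
+
+    1. Performs requests with libcurl and captures the TLS client-hello
+       packets with tcpdump to compare against known-good signatures
+    2. Spins up an nghttpd2 server to test client HTTP/2 headers against
+       known-good headers
+
+    See https://github.com/lwthiker/curl-impersonate/tree/main/tests/signatures
+    for details.
+
+  Notes:
+    - We need to have our own web server running because the tests expect to be able
+      to hit domains like wikipedia.org and the sandbox has no internet
+    - We need to be able to do (verifying) TLS handshakes without internet access.
+      We do that by creating a trusted CA and issuing a cert that includes
+      all of the test domains as subject-alternative names and then spoofs the
+      hostnames in /etc/hosts.
+*/
+
+import ./make-test-python.nix ({ pkgs, lib, ... }: let
+  # Update with domains in TestImpersonate.TEST_URLS if needed from:
+  # https://github.com/lwthiker/curl-impersonate/blob/main/tests/test_impersonate.py
+  domains = [
+    "www.wikimedia.org"
+    "www.wikipedia.org"
+    "www.mozilla.org"
+    "www.apache.org"
+    "www.kernel.org"
+    "git-scm.com"
+  ];
+
+  tls-certs = let
+    # Configure CA with X.509 v3 extensions that would be trusted by curl
+    ca-cert-conf = pkgs.writeText "curl-impersonate-ca.cnf" ''
+      basicConstraints = critical, CA:TRUE
+      subjectKeyIdentifier = hash
+      authorityKeyIdentifier = keyid:always, issuer:always
+      keyUsage = critical, cRLSign, digitalSignature, keyCertSign
+    '';
+
+    # Configure leaf certificate with X.509 v3 extensions that would be trusted
+    # by curl and set subject-alternative names for test domains
+    tls-cert-conf = pkgs.writeText "curl-impersonate-tls.cnf" ''
+      basicConstraints = critical, CA:FALSE
+      subjectKeyIdentifier = hash
+      authorityKeyIdentifier = keyid:always, issuer:always
+      keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+      extendedKeyUsage = critical, serverAuth
+      subjectAltName = @alt_names
+
+      [alt_names]
+      ${lib.concatStringsSep "\n" (lib.imap0 (idx: domain: "DNS.${toString idx} = ${domain}") domains)}
+    '';
+  in pkgs.runCommand "curl-impersonate-test-certs" {
+    nativeBuildInputs = [ pkgs.openssl ];
+  } ''
+    # create CA certificate and key
+    openssl req -newkey rsa:4096 -keyout ca-key.pem -out ca-csr.pem -nodes -subj '/CN=curl-impersonate-ca.nixos.test'
+    openssl x509 -req -sha512 -in ca-csr.pem -key ca-key.pem -out ca.pem -extfile ${ca-cert-conf} -days 36500
+    openssl x509 -in ca.pem -text
+
+    # create server certificate and key
+    openssl req -newkey rsa:4096 -keyout key.pem -out csr.pem -nodes -subj '/CN=curl-impersonate.nixos.test'
+    openssl x509 -req -sha512 -in csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile ${tls-cert-conf} -days 36500
+    openssl x509 -in cert.pem -text
+
+    # output CA cert and server cert and key
+    mkdir -p $out
+    cp key.pem cert.pem ca.pem $out
+  '';
+
+  # Test script
+  curl-impersonate-test = let
+    # Build miniature libcurl client used by test driver
+    minicurl = pkgs.runCommandCC "minicurl" {
+      buildInputs = [ pkgs.curl ];
+    } ''
+      mkdir -p $out/bin
+      $CC -Wall -Werror -o $out/bin/minicurl ${pkgs.curl-impersonate.src}/tests/minicurl.c `curl-config --libs`
+    '';
+  in pkgs.writeShellScript "curl-impersonate-test" ''
+    set -euxo pipefail
+
+    # Test driver requirements
+    export PATH="${with pkgs; lib.makeBinPath [
+      bash
+      coreutils
+      python3Packages.pytest
+      nghttp2
+      tcpdump
+    ]}"
+    export PYTHONPATH="${with pkgs.python3Packages; makePythonPath [
+      pyyaml
+      pytest-asyncio
+      dpkt
+    ]}"
+
+    # Prepare test root prefix
+    mkdir -p usr/{bin,lib}
+    cp -rs ${pkgs.curl-impersonate}/* ${minicurl}/* usr/
+
+    cp -r ${pkgs.curl-impersonate.src}/tests ./
+
+    # Run tests
+    cd tests
+    pytest . --install-dir ../usr --capture-interface eth1
+  '';
+in {
+  name = "curl-impersonate";
+
+  meta = with lib.maintainers; {
+    maintainers = [ lilyinstarlight ];
+  };
+
+  nodes = {
+    web = { nodes, pkgs, lib, config, ... }: {
+      networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+      services = {
+        nginx = {
+          enable = true;
+          virtualHosts."curl-impersonate.nixos.test" = {
+            default = true;
+            addSSL = true;
+            sslCertificate = "${tls-certs}/cert.pem";
+            sslCertificateKey = "${tls-certs}/key.pem";
+          };
+        };
+      };
+    };
+
+    curl = { nodes, pkgs, lib, config, ... }: {
+      networking.extraHosts = lib.concatStringsSep "\n" (map (domain: "${nodes.web.networking.primaryIPAddress}  ${domain}") domains);
+
+      security.pki.certificateFiles = [ "${tls-certs}/ca.pem" ];
+    };
+  };
+
+  testScript = { nodes, ... }: ''
+    start_all()
+
+    with subtest("Wait for network"):
+        web.wait_for_unit("network-online.target")
+        curl.wait_for_unit("network-online.target")
+
+    with subtest("Wait for web server"):
+        web.wait_for_unit("nginx.service")
+        web.wait_for_open_port(443)
+
+    with subtest("Run curl-impersonate tests"):
+        curl.succeed("${curl-impersonate-test}")
+  '';
+})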
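Review bot: The `tls-certs` derivation produces a CA that the `curl` node trusts system-wide through `security.pki.certificateFiles`, valid for roughly 100 years (`-days 36500`), and the leaf private key is copied into the Nix store where every local user can read it; nothing in the file says this is deliberate and confined to the sandbox. Add a comment above the `tls-certs = let` binding, e.g. `# Test-only PKI: keys are generated at build time and end up in the world-readable Nix store; the CA is trusted only inside this sandbox and must never be reused elsewhere.`. The CA private key is correctly kept out of `$out` (the final `cp` exports only key.pem, cert.pem and ca.pem), which is worth stating on that line so a later edit does not start exporting `ca-key.pem` too. The file is new, so the hunk has no enclosing block outside it.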
+14 −9
@@ -2,31 +2,35 @@
, stdenv
, fetchzip
, autoPatchelfHook
, dotnet-runtime
, ffmpeg
, libglvnd
, makeWrapper
, mono
, openal
, libGL
}:

stdenv.mkDerivation rec {
  pname = "famistudio";
  version = "4.0.6";
  version = "4.1.1";

  src = fetchzip {
    url = "https://github.com/BleuBleu/FamiStudio/releases/download/${version}/FamiStudio${lib.strings.concatStrings (lib.splitVersion version)}-LinuxAMD64.zip";
    stripRoot = false;
    sha256 = "sha256-Se9EIQTjZQM5qqzlEB4hGVRHDFdu6GecNGpw9gYMbW4=";
    hash = "sha256-fRNjboCfymBhr7Eg5ENnO1fchX0oTdeaJJ0SC3BKTVI=";
  };

  strictDeps = true;

  nativeBuildInputs = [
    autoPatchelfHook
    makeWrapper
  ];

  buildInputs = [
    mono
    dotnet-runtime
    ffmpeg
    libglvnd
    openal
    libGL
  ];

  dontConfigure = true;
@@ -38,9 +42,10 @@ stdenv.mkDerivation rec {
    mkdir -p $out/{bin,lib/famistudio}
    mv * $out/lib/famistudio

    makeWrapper ${mono}/bin/mono $out/bin/famistudio \
      --add-flags $out/lib/famistudio/FamiStudio.exe \
      --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ libGL ]}
    makeWrapper ${lib.getExe dotnet-runtime} $out/bin/famistudio \
      --add-flags $out/lib/famistudio/FamiStudio.dll \
      --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ libglvnd ]} \
      --prefix PATH : ${lib.makeBinPath [ ffmpeg ]}

    # Bundled openal lib freezes the application
    rm $out/lib/famistudio/libopenal32.so
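Review bot: The new makeWrapper call prefixes LD_LIBRARY_PATH with libglvnd although libglvnd is also listed in buildInputs under autoPatchelfHook, and the hunk gives no reason for carrying both; presumably the managed FamiStudio.dll resolves libGL at run time where autoPatchelf cannot see it, in which case a one-line comment on the wrapper such as `# autoPatchelf only fixes native ELF objects; the .NET app looks up libGL and ffmpeg at run time, hence the LD_LIBRARY_PATH and PATH prefixes` would stop the next reader from dropping the prefix as redundant. The same applies to the `--prefix PATH : ${lib.makeBinPath [ ffmpeg ]}` line. The installPhase this hunk belongs to starts before and ends after the hunk.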