Loading nixos/modules/services/desktops/pipewire/pipewire.nix +36 −9 Original line number Diff line number Diff line Loading @@ -83,6 +83,21 @@ let paths = cfg.extraLv2Packages ++ requiredLv2Packages; pathsToLink = [ "/lib/lv2" ]; }; requiredLadspaPackages = flatten ( concatMap (p: attrByPath [ "passthru" "requiredLadspaPackages" ] [ ] p) configPackages ); ladspaPlugins = pkgs.buildEnv { name = "pipewire-ladspa-plugins"; paths = cfg.extraLadspaPackages ++ requiredLadspaPackages; pathsToLink = [ "/lib/ladspa" ]; }; pluginsEnv = { LV2_PATH = "${lv2Plugins}/lib/lv2"; LADSPA_PATH = "${ladspaPlugins}/lib/ladspa"; }; in { meta.teams = [ teams.freedesktop ]; Loading Loading @@ -286,8 +301,8 @@ in List of packages that provide PipeWire configuration, in the form of `share/pipewire/*/*.conf` files. LV2 dependencies will be picked up from config packages automatically via `passthru.requiredLv2Packages`. LV2/LADSPA dependencies will be picked up from config packages automatically via `passthru.requiredLv2Packages`/`passthru.requiredLadspaPackages`. ''; }; Loading @@ -306,6 +321,22 @@ in [wiki-filter-chain]: https://docs.pipewire.org/page_module_filter_chain.html ''; }; extraLadspaPackages = mkOption { type = listOf package; default = [ ]; example = literalExpression "[ pkgs.noisetorch-ladspa ]"; description = '' List of packages that provide LADSPA plugins in `lib/ladspa` that should be made available to PipeWire for [filter chains][wiki-filter-chain]. Config packages have their required LADSPA plugins added automatically, so they don't need to be specified here. Config packages need to set `passthru.requiredLadspaPackages` for this to work. [wiki-filter-chain]: https://docs.pipewire.org/page_module_filter_chain.html ''; }; }; }; Loading Loading 
@@ -366,13 +397,9 @@ in systemd.user.sockets.pipewire.enable = !cfg.systemWide; systemd.user.services.pipewire.enable = !cfg.systemWide; systemd.services.pipewire.environment.LV2_PATH = mkIf cfg.systemWide "${lv2Plugins}/lib/lv2"; systemd.user.services.pipewire.environment.LV2_PATH = mkIf ( !cfg.systemWide ) "${lv2Plugins}/lib/lv2"; systemd.user.services.filter-chain.environment.LV2_PATH = mkIf ( !cfg.systemWide ) "${lv2Plugins}/lib/lv2"; systemd.services.pipewire.environment = mkIf cfg.systemWide pluginsEnv; systemd.user.services.pipewire.environment = mkIf (!cfg.systemWide) pluginsEnv; systemd.user.services.filter-chain.environment = pluginsEnv; # Mask pw-pulse if it's not wanted systemd.services.pipewire-pulse.enable = cfg.pulse.enable && cfg.systemWide; Loading nixos/modules/services/desktops/pipewire/wireplumber.nix +45 −21 Original line number Diff line number Diff line Loading @@ -200,8 +200,8 @@ in List of packages that provide WirePlumber configuration, in the form of `share/wireplumber/*/*.conf` files. LV2 dependencies will be picked up from config packages automatically via `passthru.requiredLv2Packages`. LV2/LADSPA dependencies will be picked up from config packages automatically via `passthru.requiredLv2Packages`/`passthru.requiredLadspaPackages`. ''; }; Loading @@ -220,6 +220,22 @@ in [wiki-filter-chain]: https://docs.pipewire.org/page_module_filter_chain.html ''; }; extraLadspaPackages = mkOption { type = listOf package; default = [ ]; example = literalExpression "[ pkgs.noisetorch-ladspa ]"; description = '' List of packages that provide LADSPA plugins in `lib/ladspa` that should be made available to WirePlumber for [filter chains][wiki-filter-chain]. Config packages have their required LADSPA plugins added automatically, so they don't need to be specified here. Config packages need to set `passthru.requiredLadspaPackages` for this to work. [wiki-filter-chain]: https://docs.pipewire.org/page_module_filter_chain.html ''; }; }; }; Loading Loading 
@@ -270,6 +286,25 @@ in paths = cfg.extraLv2Packages ++ requiredLv2Packages; pathsToLink = [ "/lib/lv2" ]; }; requiredLadspaPackages = flatten ( concatMap (p: attrByPath [ "passthru" "requiredLadspaPackages" ] [ ] p) configPackages ); ladspaPlugins = pkgs.buildEnv { name = "pipewire-ladspa-plugins"; paths = cfg.extraLadspaPackages ++ requiredLadspaPackages; pathsToLink = [ "/lib/ladspa" ]; }; pluginsEnv = { XDG_DATA_DIRS = makeSearchPath "share" [ configs cfg.package ]; LV2_PATH = "${lv2Plugins}/lib/lv2"; LADSPA_PATH = "${ladspaPlugins}/lib/ladspa"; }; in mkIf cfg.enable { assertions = [ Loading @@ -289,25 +324,14 @@ in systemd.services.wireplumber.wantedBy = [ "pipewire.service" ]; systemd.user.services.wireplumber.wantedBy = [ "pipewire.service" ]; systemd.services.wireplumber.environment = mkIf pwCfg.systemWide { systemd.services.wireplumber.environment = mkIf pwCfg.systemWide ( pluginsEnv // { # Force WirePlumber to use system dbus. DBUS_SESSION_BUS_ADDRESS = "unix:path=/run/dbus/system_bus_socket"; } ); # Make WirePlumber find our config/script files and lv2 plugins required by those # (but also the configs/scripts shipped with WirePlumber) XDG_DATA_DIRS = makeSearchPath "share" [ configs cfg.package ]; LV2_PATH = "${lv2Plugins}/lib/lv2"; }; systemd.user.services.wireplumber.environment = mkIf (!pwCfg.systemWide) { XDG_DATA_DIRS = makeSearchPath "share" [ configs cfg.package ]; LV2_PATH = "${lv2Plugins}/lib/lv2"; }; systemd.user.services.wireplumber.environment = mkIf (!pwCfg.systemWide) pluginsEnv; }; } nixos/modules/services/monitoring/cockpit.nix +16 −3 Original line number Diff line number Diff line Loading 
@@ -111,6 +111,17 @@ in }; config = mkIf cfg.enable { warnings = lib.optional (lib.versionOlder cfg.package.version "360" && cfg.settings.WebService.LoginTo or true) '' The current Cockpit version is older than 360, and logging into other hosts is enabled. This makes the system vulnerable to CVE-2026-4631, which allows unauthenticated users on the network that can reach Cockpit to gain code execution on the machine. Please upgrade your Cockpit package or disable logging into other hosts by setting the option: services.cockpit.settings.WebService.LoginTo = false; ''; environment.etc = { # generate cockpit settings Loading Loading @@ -151,7 +162,7 @@ in }; # Enable connecting to remote hosts from the login page systemd.services = mkIf (cfg.settings ? LoginTo -> cfg.settings.LoginTo) { systemd.services = mkIf (cfg.settings.WebService.LoginTo or false) { "cockpit-wsinstance-http".path = [ config.programs.ssh.package cfg.package Loading @@ -174,8 +185,10 @@ in "https://localhost:${toString config.services.cockpit.port}" ]; services.cockpit.settings.WebService.Origins = builtins.concatStringsSep " " config.services.cockpit.allowed-origins; services.cockpit.settings.WebService = { Origins = builtins.concatStringsSep " " config.services.cockpit.allowed-origins; LoginTo = lib.mkDefault false; }; }; meta.maintainers = pkgs.cockpit.meta.maintainers; Loading nixos/modules/system/boot/systemd.nix +8 −0 Original line number Diff line number Diff line Loading 
@@ -878,6 +878,14 @@ in pamMount = false; }; }; # the systemd vmspawn credential dropin executes sshd and expects ExecSearchPath to be set, see: # https://github.com/systemd/systemd/blob/v259.3/src/vmspawn/vmspawn.c#L2662 # this service is used, for example, when NixOS is started via systemd-vmspawn systemd.services."sshd-vsock@" = mkIf config.services.openssh.enable { serviceConfig.ExecSearchPath = "${config.services.openssh.package}/bin"; overrideStrategy = "asDropin"; }; }; # FIXME: Remove these eventually. Loading pkgs/applications/editors/vim/plugins/non-generated/fff-nvim/default.nix +2 −2 Original line number Diff line number Diff line Loading @@ -11,12 +11,12 @@ vimUtils, }: let version = "0.5.1"; version = "0.5.2"; src = fetchFromGitHub { owner = "dmtrKovalenko"; repo = "fff.nvim"; tag = "v${version}"; hash = "sha256-pFOmYa6JgGsLefkqgBtS1IvQJ+dVnkyLTXObxrfhZno="; hash = "sha256-rv33dRf53m9iJwRl56z9oU0EuY1wUChsZyHOi/3gv4A="; }; fff-nvim-lib = rustPlatform.buildRustPackage { pname = "fff-nvim-lib"; Loading Loading
nixos/modules/services/desktops/pipewire/pipewire.nix +36 −9 Original line number Diff line number Diff line Loading @@ -83,6 +83,21 @@ let paths = cfg.extraLv2Packages ++ requiredLv2Packages; pathsToLink = [ "/lib/lv2" ]; }; requiredLadspaPackages = flatten ( concatMap (p: attrByPath [ "passthru" "requiredLadspaPackages" ] [ ] p) configPackages ); ladspaPlugins = pkgs.buildEnv { name = "pipewire-ladspa-plugins"; paths = cfg.extraLadspaPackages ++ requiredLadspaPackages; pathsToLink = [ "/lib/ladspa" ]; }; pluginsEnv = { LV2_PATH = "${lv2Plugins}/lib/lv2"; LADSPA_PATH = "${ladspaPlugins}/lib/ladspa"; }; in { meta.teams = [ teams.freedesktop ]; Loading Loading @@ -286,8 +301,8 @@ in List of packages that provide PipeWire configuration, in the form of `share/pipewire/*/*.conf` files. LV2 dependencies will be picked up from config packages automatically via `passthru.requiredLv2Packages`. LV2/LADSPA dependencies will be picked up from config packages automatically via `passthru.requiredLv2Packages`/`passthru.requiredLadspaPackages`. ''; }; Loading @@ -306,6 +321,22 @@ in [wiki-filter-chain]: https://docs.pipewire.org/page_module_filter_chain.html ''; }; extraLadspaPackages = mkOption { type = listOf package; default = [ ]; example = literalExpression "[ pkgs.noisetorch-ladspa ]"; description = '' List of packages that provide LADSPA plugins in `lib/ladspa` that should be made available to PipeWire for [filter chains][wiki-filter-chain]. Config packages have their required LADSPA plugins added automatically, so they don't need to be specified here. Config packages need to set `passthru.requiredLadspaPackages` for this to work. [wiki-filter-chain]: https://docs.pipewire.org/page_module_filter_chain.html ''; }; }; }; Loading Loading 
@@ -366,13 +397,9 @@ in systemd.user.sockets.pipewire.enable = !cfg.systemWide; systemd.user.services.pipewire.enable = !cfg.systemWide; systemd.services.pipewire.environment.LV2_PATH = mkIf cfg.systemWide "${lv2Plugins}/lib/lv2"; systemd.user.services.pipewire.environment.LV2_PATH = mkIf ( !cfg.systemWide ) "${lv2Plugins}/lib/lv2"; systemd.user.services.filter-chain.environment.LV2_PATH = mkIf ( !cfg.systemWide ) "${lv2Plugins}/lib/lv2"; systemd.services.pipewire.environment = mkIf cfg.systemWide pluginsEnv; systemd.user.services.pipewire.environment = mkIf (!cfg.systemWide) pluginsEnv; systemd.user.services.filter-chain.environment = pluginsEnv; # Mask pw-pulse if it's not wanted systemd.services.pipewire-pulse.enable = cfg.pulse.enable && cfg.systemWide; Loading
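Review bot: `systemd.user.services.filter-chain.environment = pluginsEnv;` in the last hunk has no `mkIf (!cfg.systemWide)` guard, while the two `pipewire` service lines beside it keep theirs and the `filter-chain` `LV2_PATH` line it replaces appears to have been guarded as well. If dropping the guard is deliberate, a one-line comment should say so; otherwise restore it as `systemd.user.services.filter-chain.environment = mkIf (!cfg.systemWide) pluginsEnv;`. LADSPA plugins are native shared objects loaded into the service process, so it is worth being explicit about which units receive `LADSPA_PATH`, particularly in system-wide mode. The page has lost its `+`/`-` markers, so which lines are old and which are new is inferred from the hunk text.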
nixos/modules/services/desktops/pipewire/wireplumber.nix +45 −21 Original line number Diff line number Diff line Loading @@ -200,8 +200,8 @@ in List of packages that provide WirePlumber configuration, in the form of `share/wireplumber/*/*.conf` files. LV2 dependencies will be picked up from config packages automatically via `passthru.requiredLv2Packages`. LV2/LADSPA dependencies will be picked up from config packages automatically via `passthru.requiredLv2Packages`/`passthru.requiredLadspaPackages`. ''; }; Loading @@ -220,6 +220,22 @@ in [wiki-filter-chain]: https://docs.pipewire.org/page_module_filter_chain.html ''; }; extraLadspaPackages = mkOption { type = listOf package; default = [ ]; example = literalExpression "[ pkgs.noisetorch-ladspa ]"; description = '' List of packages that provide LADSPA plugins in `lib/ladspa` that should be made available to WirePlumber for [filter chains][wiki-filter-chain]. Config packages have their required LADSPA plugins added automatically, so they don't need to be specified here. Config packages need to set `passthru.requiredLadspaPackages` for this to work. [wiki-filter-chain]: https://docs.pipewire.org/page_module_filter_chain.html ''; }; }; }; Loading Loading @@ -270,6 +286,25 @@ in paths = cfg.extraLv2Packages ++ requiredLv2Packages; pathsToLink = [ "/lib/lv2" ]; }; requiredLadspaPackages = flatten ( concatMap (p: attrByPath [ "passthru" "requiredLadspaPackages" ] [ ] p) configPackages ); ladspaPlugins = pkgs.buildEnv { name = "pipewire-ladspa-plugins"; paths = cfg.extraLadspaPackages ++ requiredLadspaPackages; pathsToLink = [ "/lib/ladspa" ]; }; pluginsEnv = { XDG_DATA_DIRS = makeSearchPath "share" [ configs cfg.package ]; LV2_PATH = "${lv2Plugins}/lib/lv2"; LADSPA_PATH = "${ladspaPlugins}/lib/ladspa"; }; in mkIf cfg.enable { assertions = [ Loading 
@@ -289,25 +324,14 @@ in systemd.services.wireplumber.wantedBy = [ "pipewire.service" ]; systemd.user.services.wireplumber.wantedBy = [ "pipewire.service" ]; systemd.services.wireplumber.environment = mkIf pwCfg.systemWide { systemd.services.wireplumber.environment = mkIf pwCfg.systemWide ( pluginsEnv // { # Force WirePlumber to use system dbus. DBUS_SESSION_BUS_ADDRESS = "unix:path=/run/dbus/system_bus_socket"; } ); # Make WirePlumber find our config/script files and lv2 plugins required by those # (but also the configs/scripts shipped with WirePlumber) XDG_DATA_DIRS = makeSearchPath "share" [ configs cfg.package ]; LV2_PATH = "${lv2Plugins}/lib/lv2"; }; systemd.user.services.wireplumber.environment = mkIf (!pwCfg.systemWide) { XDG_DATA_DIRS = makeSearchPath "share" [ configs cfg.package ]; LV2_PATH = "${lv2Plugins}/lib/lv2"; }; systemd.user.services.wireplumber.environment = mkIf (!pwCfg.systemWide) pluginsEnv; }; }
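Review bot: The new `pluginsEnv` set in the `let` block carries `XDG_DATA_DIRS` with no explanation. The comment that used to explain it (`# Make WirePlumber find our config/script files and lv2 plugins required by those`) seems to have been dropped together with the old inline attribute sets in the last hunk. I would move that comment above `pluginsEnv` and extend it to cover the new variable, e.g. `# Make WirePlumber find our configs/scripts and the LV2/LADSPA plugins they require (plus the configs shipped with WirePlumber)`. The page has lost its `+`/`-` markers, so the comment's removal is inferred rather than certain.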
nixos/modules/services/monitoring/cockpit.nix +16 −3 Original line number Diff line number Diff line Loading @@ -111,6 +111,17 @@ in }; config = mkIf cfg.enable { warnings = lib.optional (lib.versionOlder cfg.package.version "360" && cfg.settings.WebService.LoginTo or true) '' The current Cockpit version is older than 360, and logging into other hosts is enabled. This makes the system vulnerable to CVE-2026-4631, which allows unauthenticated users on the network that can reach Cockpit to gain code execution on the machine. Please upgrade your Cockpit package or disable logging into other hosts by setting the option: services.cockpit.settings.WebService.LoginTo = false; ''; environment.etc = { # generate cockpit settings Loading Loading @@ -151,7 +162,7 @@ in }; # Enable connecting to remote hosts from the login page systemd.services = mkIf (cfg.settings ? LoginTo -> cfg.settings.LoginTo) { systemd.services = mkIf (cfg.settings.WebService.LoginTo or false) { "cockpit-wsinstance-http".path = [ config.programs.ssh.package cfg.package Loading @@ -174,8 +185,10 @@ in "https://localhost:${toString config.services.cockpit.port}" ]; services.cockpit.settings.WebService.Origins = builtins.concatStringsSep " " config.services.cockpit.allowed-origins; services.cockpit.settings.WebService = { Origins = builtins.concatStringsSep " " config.services.cockpit.allowed-origins; LoginTo = lib.mkDefault false; }; }; meta.maintainers = pkgs.cockpit.meta.maintainers; Loading
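Review bot: The two guards read the same option with opposite fallbacks and nothing explains why: `cfg.settings.WebService.LoginTo or true` in the new `warnings` entry and `cfg.settings.WebService.LoginTo or false` in the `systemd.services` condition. Since the last hunk sets `LoginTo = lib.mkDefault false`, the fallbacks presumably only matter when a user overrides `settings` wholesale. A comment on each would make the fail-safe intent clear, e.g. `# unset: assume Cockpit's built-in default applies, so still warn` and `# unset: do not put ssh on the unit path`. Both expressions also assume the value is a Nix boolean; if the settings type (not visible here) accepts INI-style strings, `&&` and `mkIf` would fail to evaluate, so a type check on the option may be worth adding. Because the default flips to `false`, users who rely on logging into other hosts will need a release-notes entry if one is not already part of this change.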
nixos/modules/system/boot/systemd.nix +8 −0 Original line number Diff line number Diff line Loading @@ -878,6 +878,14 @@ in pamMount = false; }; }; # the systemd vmspawn credential dropin executes sshd and expects ExecSearchPath to be set, see: # https://github.com/systemd/systemd/blob/v259.3/src/vmspawn/vmspawn.c#L2662 # this service is used, for example, when NixOS is started via systemd-vmspawn systemd.services."sshd-vsock@" = mkIf config.services.openssh.enable { serviceConfig.ExecSearchPath = "${config.services.openssh.package}/bin"; overrideStrategy = "asDropin"; }; }; # FIXME: Remove these eventually. Loading
pkgs/applications/editors/vim/plugins/non-generated/fff-nvim/default.nix +2 −2 Original line number Diff line number Diff line Loading @@ -11,12 +11,12 @@ vimUtils, }: let version = "0.5.1"; version = "0.5.2"; src = fetchFromGitHub { owner = "dmtrKovalenko"; repo = "fff.nvim"; tag = "v${version}"; hash = "sha256-pFOmYa6JgGsLefkqgBtS1IvQJ+dVnkyLTXObxrfhZno="; hash = "sha256-rv33dRf53m9iJwRl56z9oU0EuY1wUChsZyHOi/3gv4A="; }; fff-nvim-lib = rustPlatform.buildRustPackage { pname = "fff-nvim-lib"; Loading