commit c77ac9dfc3e022dfeb2788dbf533d0d6b853f8c7 · pyrox.dev/nixpkgs

+1 -1

lib/attrsets.nix

···

       1747
        
       

     

       1748
        
         /**

     

       1749
        
           Get the first of the `outputs` provided by the package, or the default.

     

       1750
       -
           This function is alligned with `_overrideFirst()` from the `multiple-outputs.sh` setup hook.

     

       1751
        
           Like `getOutput`, the function is idempotent.

     

       1752
        
       

     

       1753
        
           # Inputs

···

       1747
        
       

     

       1748
        
         /**

     

       1749
        
           Get the first of the `outputs` provided by the package, or the default.

     

       1750
       +
           This function is aligned with `_overrideFirst()` from the `multiple-outputs.sh` setup hook.

     

       1751
        
           Like `getOutput`, the function is idempotent.

     

       1752
        
       

     

       1753
        
           # Inputs

+1 -1

lib/fixed-points.nix

···

       389
        
       

     

       390
        
             extensions = composeManyExtensions [ overlayA overlayB ];

     

       391
        
       

     

       392
       -
             # Caluculate the fixed point of all composed overlays.

     

       393
        
             fixedpoint = lib.fix (lib.extends extensions original );

     

       394
        
       

     

       395
        
           in fixedpoint

···

       389
        
       

     

       390
        
             extensions = composeManyExtensions [ overlayA overlayB ];

     

       391
        
       

     

       392
       +
             # Calculate the fixed point of all composed overlays.

     

       393
        
             fixedpoint = lib.fix (lib.extends extensions original );

     

       394
        
       

     

       395
        
           in fixedpoint

+2 -2

lib/options.nix

···

       404
        
           ```nix

     

       405
        
           myType = mkOptionType {

     

       406
        
             name = "myType";

     

       407
       -
             merge = mergeDefaultOption; # <- This line is redundant. It is the default aready.

     

       408
        
           };

     

       409
        
           ```

     

       410
        
       

     
···

       470
        
           args@{

     

       471
        
             message,

     

       472
        
             # WARNING: the default merge function assumes that the definition is a valid (option) value. You MUST pass a merge function if the return value needs to be

     

       473
       -
             #   - type checked beyond what .check does (which should be very litte; only on the value head; not attribute values, etc)

     

       474
        
             #   - if you want attribute values to be checked, or list items

     

       475
        
             #   - if you want coercedTo-like behavior to work

     

       476
        
             merge ? loc: defs: (head defs).value,

···

       404
        
           ```nix

     

       405
        
           myType = mkOptionType {

     

       406
        
             name = "myType";

     

       407
       +
             merge = mergeDefaultOption; # <- This line is redundant. It is the default already.

     

       408
        
           };

     

       409
        
           ```

     

       410
        
       

     
···

       470
        
           args@{

     

       471
        
             message,

     

       472
        
             # WARNING: the default merge function assumes that the definition is a valid (option) value. You MUST pass a merge function if the return value needs to be

     

       473
       +
             #   - type checked beyond what .check does (which should be very little; only on the value head; not attribute values, etc)

     

       474
        
             #   - if you want attribute values to be checked, or list items

     

       475
        
             #   - if you want coercedTo-like behavior to work

     

       476
        
             merge ? loc: defs: (head defs).value,

+1 -1

lib/types.nix

···

       75
        
           if pos == null then "" else " at ${pos.file}:${toString pos.line}:${toString pos.column}";

     

       76
        
       

     

       77
        
         # Internal functor to help for migrating functor.wrapped to functor.payload.elemType

     

       78
       -
         # Note that individual attributes can be overriden if needed.

     

       79
        
         elemTypeFunctor =

     

       80
        
           name:

     

       81
        
           { elemType, ... }@payload:

···

       75
        
           if pos == null then "" else " at ${pos.file}:${toString pos.line}:${toString pos.column}";

     

       76
        
       

     

       77
        
         # Internal functor to help for migrating functor.wrapped to functor.payload.elemType

     

       78
       +
         # Note that individual attributes can be overridden if needed.

     

       79
        
         elemTypeFunctor =

     

       80
        
           name:

     

       81
        
           { elemType, ... }@payload:

+2 -2

nixos/lib/make-options-doc/default.nix

···

       45
        
       

     

       46
        
         Documentation rendered as AsciiDoc. This is useful for e.g. man pages.

     

       47
        
       

     

       48
       -
         > Note: NixOS itself uses this ouput to to build the configuration.nix man page"

     

       49
        
       

     

       50
        
         ## optionsNix

     

       51
        
       

     
···

       59
        
         let

     

       60
        
           # Evaluate a NixOS configuration

     

       61
        
           eval = import (pkgs.path + "/nixos/lib/eval-config.nix") {

     

       62
       -
             # Overriden explicitly here, this would include all modules from NixOS otherwise.

     

       63
        
             # See: docs of eval-config.nix for more details

     

       64
        
             baseModules = [];

     

       65
        
             modules = [

···

       45
        
       

     

       46
        
         Documentation rendered as AsciiDoc. This is useful for e.g. man pages.

     

       47
        
       

     

       48
       +
         > Note: NixOS itself uses this output to to build the configuration.nix man page"

     

       49
        
       

     

       50
        
         ## optionsNix

     

       51
        
       

     
···

       59
        
         let

     

       60
        
           # Evaluate a NixOS configuration

     

       61
        
           eval = import (pkgs.path + "/nixos/lib/eval-config.nix") {

     

       62
       +
             # Overridden explicitly here, this would include all modules from NixOS otherwise.

     

       63
        
             # See: docs of eval-config.nix for more details

     

       64
        
             baseModules = [];

     

       65
        
             modules = [

+1 -1

nixos/lib/testing/network.nix

···

       130
        
               virtualisation.test.nodeName = mkOption {

     

       131
        
                 internal = true;

     

       132
        
                 default = name;

     

       133
       -
                 # We need to force this in specilisations, otherwise it'd be

     

       134
        
                 # readOnly = true;

     

       135
        
                 description = ''

     

       136
        
                   The `name` in `nodes.<name>`; stable across `specialisations`.

···

       130
        
               virtualisation.test.nodeName = mkOption {

     

       131
        
                 internal = true;

     

       132
        
                 default = name;

     

       133
       +
                 # We need to force this in specialisations, otherwise it'd be

     

       134
        
                 # readOnly = true;

     

       135
        
                 description = ''

     

       136
        
                   The `name` in `nodes.<name>`; stable across `specialisations`.

+1 -1

nixos/maintainers/option-usages.nix

···

       60
        
         inherit (eval) pkgs;

     

       61
        
       

     

       62
        
         excludedTestOptions = [

     

       63
       -
           # We cannot evluate _module.args, as it is used during the computation

     

       64
        
           # of the modules list.

     

       65
        
           "_module.args"

     

       66

···

       60
        
         inherit (eval) pkgs;

     

       61
        
       

     

       62
        
         excludedTestOptions = [

     

       63
       +
           # We cannot evaluate _module.args, as it is used during the computation

     

       64
        
           # of the modules list.

     

       65
        
           "_module.args"

     

       66

+3 -3

nixos/modules/misc/ids.nix

···

       273
        
             caddy = 239;

     

       274
        
             taskd = 240;

     

       275
        
             # factorio = 241; # DynamicUser = true

     

       276
       -
             # emby = 242; # unusued, removed 2019-05-01

     

       277
        
             #graylog = 243;# dynamically allocated as of 2021-09-03

     

       278
        
             sniproxy = 244;

     

       279
        
             nzbget = 245;

     
···

       371
        
             # system user or group of the same id in someone else's NixOS.

     

       372
        
             # This could break their system and make that person upset for a whole day.

     

       373
        
             #

     

       374
       -
             # Sidenote: the default is defined in `shadow` module[2], and the relavent change

     

       375
        
             # was made way back in 2014[3].

     

       376
        
             #

     

       377
        
             # [1]: https://man7.org/linux/man-pages/man5/login.defs.5.html#:~:text=SYS_UID_MAX%20(number)%2C%20SYS_UID_MIN%20(number)

     
···

       700
        
             # system user or group of the same id in someone else's NixOS.

     

       701
        
             # This could break their system and make that person upset for a whole day.

     

       702
        
             #

     

       703
       -
             # Sidenote: the default is defined in `shadow` module[2], and the relavent change

     

       704
        
             # was made way back in 2014[3].

     

       705
        
             #

     

       706
        
             # [1]: https://man7.org/linux/man-pages/man5/login.defs.5.html#:~:text=SYS_UID_MAX%20(number)%2C%20SYS_UID_MIN%20(number)

···

       273
        
             caddy = 239;

     

       274
        
             taskd = 240;

     

       275
        
             # factorio = 241; # DynamicUser = true

     

       276
       +
             # emby = 242; # unused, removed 2019-05-01

     

       277
        
             #graylog = 243;# dynamically allocated as of 2021-09-03

     

       278
        
             sniproxy = 244;

     

       279
        
             nzbget = 245;

     
···

       371
        
             # system user or group of the same id in someone else's NixOS.

     

       372
        
             # This could break their system and make that person upset for a whole day.

     

       373
        
             #

     

       374
       +
             # Sidenote: the default is defined in `shadow` module[2], and the relevant change

     

       375
        
             # was made way back in 2014[3].

     

       376
        
             #

     

       377
        
             # [1]: https://man7.org/linux/man-pages/man5/login.defs.5.html#:~:text=SYS_UID_MAX%20(number)%2C%20SYS_UID_MIN%20(number)

     
···

       700
        
             # system user or group of the same id in someone else's NixOS.

     

       701
        
             # This could break their system and make that person upset for a whole day.

     

       702
        
             #

     

       703
       +
             # Sidenote: the default is defined in `shadow` module[2], and the relevant change

     

       704
        
             # was made way back in 2014[3].

     

       705
        
             #

     

       706
        
             # [1]: https://man7.org/linux/man-pages/man5/login.defs.5.html#:~:text=SYS_UID_MAX%20(number)%2C%20SYS_UID_MIN%20(number)

+1 -1

nixos/modules/profiles/image-based-appliance.nix

···

       1
       -
       # This profile sets up a sytem for image based appliance usage. An appliance is

     

       2
        
       # installed as an image, cannot be re-built, has no Nix available, and is

     

       3
        
       # generally not meant for interactive use. Updates to such an appliance are

     

       4
        
       # handled by updating whole partition images via a tool like systemd-sysupdate.

···

       1
       +
       # This profile sets up a system for image based appliance usage. An appliance is

     

       2
        
       # installed as an image, cannot be re-built, has no Nix available, and is

     

       3
        
       # generally not meant for interactive use. Updates to such an appliance are

     

       4
        
       # handled by updating whole partition images via a tool like systemd-sysupdate.

+1 -1

nixos/modules/programs/turbovnc.nix

···

       45
        
           # software rendering to implement GLX (OpenGL on Xorg).

     

       46
        
           # However, just building TurboVNC with support for that is not enough

     

       47
        
           # (it only takes care of the X server side part of OpenGL);

     

       48
       -
           # the indiviudual applications (e.g. `glxgears`) also need to directly load

     

       49
        
           # the OpenGL libs.

     

       50
        
           # Thus, this creates `/run/opengl-driver` populated by Mesa so that the applications

     

       51
        
           # can find the llvmpipe `swrast.so` software rendering DRI lib via `libglvnd`.

···

       45
        
           # software rendering to implement GLX (OpenGL on Xorg).

     

       46
        
           # However, just building TurboVNC with support for that is not enough

     

       47
        
           # (it only takes care of the X server side part of OpenGL);

     

       48
       +
           # the individual applications (e.g. `glxgears`) also need to directly load

     

       49
        
           # the OpenGL libs.

     

       50
        
           # Thus, this creates `/run/opengl-driver` populated by Mesa so that the applications

     

       51
        
           # can find the llvmpipe `swrast.so` software rendering DRI lib via `libglvnd`.

+1 -1

nixos/modules/services/cluster/k3s/default.nix

···

       139
        
             [

     

       140
        
               (yamlFormat.generate "helm-chart-manifest-${name}.yaml" (mkHelmChartCR name value))

     

       141
        
             ]

     

       142
       -
             # alternate the YAML doc seperator (---) and extraDeploy manifests to create

     

       143
        
             # multi document YAMLs

     

       144
        
             ++ (lib.concatMap (x: [

     

       145
        
               yamlDocSeparator

···

       139
        
             [

     

       140
        
               (yamlFormat.generate "helm-chart-manifest-${name}.yaml" (mkHelmChartCR name value))

     

       141
        
             ]

     

       142
       +
             # alternate the YAML doc separator (---) and extraDeploy manifests to create

     

       143
        
             # multi document YAMLs

     

       144
        
             ++ (lib.concatMap (x: [

     

       145
        
               yamlDocSeparator

+1 -1

nixos/modules/services/desktops/bonsaid.nix

···

       143
        
             lib.mkDefault (json.generate "bonsai_tree.json" (filterNulls cfg.settings));

     

       144
        
       

     

       145
        
           # bonsaid is controlled by bonsaictl, so place the latter in the environment by default.

     

       146
       -
           # bonsaictl is typically invoked by scripts or a DE so this isn't strictly necesssary,

     

       147
        
           # but it's helpful while administering the service generally.

     

       148
        
           environment.systemPackages = [ cfg.package ];

     

       149

···

       143
        
             lib.mkDefault (json.generate "bonsai_tree.json" (filterNulls cfg.settings));

     

       144
        
       

     

       145
        
           # bonsaid is controlled by bonsaictl, so place the latter in the environment by default.

     

       146
       +
           # bonsaictl is typically invoked by scripts or a DE so this isn't strictly necessary,

     

       147
        
           # but it's helpful while administering the service generally.

     

       148
        
           environment.systemPackages = [ cfg.package ];

     

       149

+1 -1

nixos/modules/services/games/crossfire-server.nix

···

       176
        
             # need to be writeable, so we can't just point at the ones in the nix

     

       177
        
             # store. Instead we take the approach of copying them out of the store

     

       178
        
             # on first run. If `bookarch` already exists, we assume the rest of the

     

       179
       -
             # files do as well, and copy nothing -- otherwise we risk ovewriting

     

       180
        
             # server state information every time the server is upgraded.

     

       181
        
             preStart = ''

     

       182
        
               if [ ! -e "${cfg.stateDir}"/bookarch ]; then

···

       176
        
             # need to be writeable, so we can't just point at the ones in the nix

     

       177
        
             # store. Instead we take the approach of copying them out of the store

     

       178
        
             # on first run. If `bookarch` already exists, we assume the rest of the

     

       179
       +
             # files do as well, and copy nothing -- otherwise we risk overwriting

     

       180
        
             # server state information every time the server is upgraded.

     

       181
        
             preStart = ''

     

       182
        
               if [ ! -e "${cfg.stateDir}"/bookarch ]; then

+1 -1

nixos/modules/services/hardware/kmonad.nix

···

       201
        
             # the old service and then starts the new service after config updates.

     

       202
        
             # Since we use path-based activation[1] here, the service unit will

     

       203
        
             # immediately[2] be started by the path unit.  Probably that start is

     

       204
       -
             # before config updates, whcih causes the service unit to use the old

     

       205
        
             # config after nixos-rebuild switch.  Setting stopIfChanged to false works

     

       206
        
             # around this issue by restarting the service after config updates.

     

       207
        
             # [0]: https://nixos.org/manual/nixos/unstable/#sec-switching-systems

···

       201
        
             # the old service and then starts the new service after config updates.

     

       202
        
             # Since we use path-based activation[1] here, the service unit will

     

       203
        
             # immediately[2] be started by the path unit.  Probably that start is

     

       204
       +
             # before config updates, which causes the service unit to use the old

     

       205
        
             # config after nixos-rebuild switch.  Setting stopIfChanged to false works

     

       206
        
             # around this issue by restarting the service after config updates.

     

       207
        
             # [0]: https://nixos.org/manual/nixos/unstable/#sec-switching-systems

+1 -1

nixos/modules/services/misc/ntfy-sh.nix

···

       107
        
                 RestrictNamespaces = true;

     

       108
        
                 RestrictRealtime = true;

     

       109
        
                 MemoryDenyWriteExecute = true;

     

       110
       -
                 # Upstream Recommandation

     

       111
        
                 LimitNOFILE = 20500;

     

       112
        
               };

     

       113
        
             };

···

       107
        
                 RestrictNamespaces = true;

     

       108
        
                 RestrictRealtime = true;

     

       109
        
                 MemoryDenyWriteExecute = true;

     

       110
       +
                 # Upstream Recommendation

     

       111
        
                 LimitNOFILE = 20500;

     

       112
        
               };

     

       113
        
             };

+1 -1

nixos/modules/services/monitoring/below.nix

···

       91
        
       

     

       92
        
         config = lib.mkIf cfg.enable {

     

       93
        
           environment.systemPackages = [ pkgs.below ];

     

       94
       -
           # /etc/below.conf is also refered to by the `below` CLI tool,

     

       95
        
           #  so this can't be a store-only file whose path is passed to the service

     

       96
        
           environment.etc."below/below.conf".text = cfgContents;

     

       97

···

       91
        
       

     

       92
        
         config = lib.mkIf cfg.enable {

     

       93
        
           environment.systemPackages = [ pkgs.below ];

     

       94
       +
           # /etc/below.conf is also referred to by the `below` CLI tool,

     

       95
        
           #  so this can't be a store-only file whose path is passed to the service

     

       96
        
           environment.etc."below/below.conf".text = cfgContents;

     

       97

+1 -1

nixos/modules/services/networking/cato-client.nix

···

       55
        
             wantedBy = [ "multi-user.target" ];

     

       56
        
           };

     

       57
        
       

     

       58
       -
           # set up Security wrapper Same as inteded in deb post install

     

       59
        
           security.wrappers.cato-clientd = {

     

       60
        
             source = "${cfg.package}/bin/cato-clientd";

     

       61
        
             owner = "root";

···

       55
        
             wantedBy = [ "multi-user.target" ];

     

       56
        
           };

     

       57
        
       

     

       58
       +
           # set up Security wrapper Same as intended in deb post install

     

       59
        
           security.wrappers.cato-clientd = {

     

       60
        
             source = "${cfg.package}/bin/cato-clientd";

     

       61
        
             owner = "root";

+1 -1

nixos/modules/services/networking/fedimintd.nix

···

       289
        
       

     

       290
        
                   {

     

       291
        
                     # Note: we want by default to enable OpenSSL, but it seems anything 100 and above is

     

       292
       -
                     # overriden by default value from vhost-options.nix

     

       293
        
                     enableACME = mkOverride 99 true;

     

       294
        
                     forceSSL = mkOverride 99 true;

     

       295
        
                     locations.${cfg.nginx.path} = {

···

       289
        
       

     

       290
        
                   {

     

       291
        
                     # Note: we want by default to enable OpenSSL, but it seems anything 100 and above is

     

       292
       +
                     # overridden by default value from vhost-options.nix

     

       293
        
                     enableACME = mkOverride 99 true;

     

       294
        
                     forceSSL = mkOverride 99 true;

     

       295
        
                     locations.${cfg.nginx.path} = {

+1 -1

nixos/modules/services/networking/netbird.nix

···

       550
        
                     User = client.user.name;

     

       551
        
                     Group = client.user.group;

     

       552
        
       

     

       553
       -
                     # settings implied by DynamicUser=true, without actully using it,

     

       554
        
                     # see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#DynamicUser=

     

       555
        
                     RemoveIPC = true;

     

       556
        
                     PrivateTmp = true;

···

       550
        
                     User = client.user.name;

     

       551
        
                     Group = client.user.group;

     

       552
        
       

     

       553
       +
                     # settings implied by DynamicUser=true, without actually using it,

     

       554
        
                     # see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#DynamicUser=

     

       555
        
                     RemoveIPC = true;

     

       556
        
                     PrivateTmp = true;

+1 -1

nixos/modules/services/networking/netbird/dashboard.nix

···

       102
        
                 # special options as its public anyway

     

       103
        
                 # As far as I know leaking this secret is just

     

       104
        
                 # an information leak as one can fetch some basic app

     

       105
       -
                 # informations from the IDP

     

       106
        
                 # To actually do something one still needs to have login

     

       107
        
                 # data and this secret so this being public will not

     

       108
        
                 # suffice for anything just decreasing security

···

       102
        
                 # special options as its public anyway

     

       103
        
                 # As far as I know leaking this secret is just

     

       104
        
                 # an information leak as one can fetch some basic app

     

       105
       +
                 # information from the IDP

     

       106
        
                 # To actually do something one still needs to have login

     

       107
        
                 # data and this secret so this being public will not

     

       108
        
                 # suffice for anything just decreasing security

+1 -1

nixos/modules/services/networking/ssh/sshd.nix

···

       42
        
             # values must be separated by whitespace or even commas.

     

       43
        
             # Consult either sshd_config(5) or, as last resort, the OpehSSH source for parsing

     

       44
        
             # the options at servconf.c:process_server_config_line_depth() to determine the right "mode"

     

       45
       -
             # for each. But fortunaly this fact is documented for most of them in the manpage.

     

       46
        
             commaSeparated = [

     

       47
        
               "Ciphers"

     

       48
        
               "KexAlgorithms"

···

       42
        
             # values must be separated by whitespace or even commas.

     

       43
        
             # Consult either sshd_config(5) or, as last resort, the OpehSSH source for parsing

     

       44
        
             # the options at servconf.c:process_server_config_line_depth() to determine the right "mode"

     

       45
       +
             # for each. But fortunately this fact is documented for most of them in the manpage.

     

       46
        
             commaSeparated = [

     

       47
        
               "Ciphers"

     

       48
        
               "KexAlgorithms"

+1 -1

nixos/modules/services/networking/yggdrasil-jumper.nix

···

       133
        
       

     

       134
        
             services.yggdrasil.settings.Listen =

     

       135
        
               let

     

       136
       -
                 # By default linux dynamically alocates ports in range 32768..60999

     

       137
        
                 # `sysctl net.ipv4.ip_local_port_range`

     

       138
        
                 # See: https://xkcd.com/221/

     

       139
        
                 prot_port = {

···

       133
        
       

     

       134
        
             services.yggdrasil.settings.Listen =

     

       135
        
               let

     

       136
       +
                 # By default linux dynamically allocates ports in range 32768..60999

     

       137
        
                 # `sysctl net.ipv4.ip_local_port_range`

     

       138
        
                 # See: https://xkcd.com/221/

     

       139
        
                 prot_port = {

+1 -1

nixos/modules/services/security/tor.nix

···

       295
        
             (

     

       296
        
               lib.mapAttrs (

     

       297
        
                 k: v:

     

       298
       -
                 # Not necesssary, but prettier rendering

     

       299
        
                 if

     

       300
        
                   lib.elem k [

     

       301
        
                     "AutomapHostsSuffixes"

···

       295
        
             (

     

       296
        
               lib.mapAttrs (

     

       297
        
                 k: v:

     

       298
       +
                 # Not necessary, but prettier rendering

     

       299
        
                 if

     

       300
        
                   lib.elem k [

     

       301
        
                     "AutomapHostsSuffixes"

+1 -1

nixos/modules/services/web-apps/davis.nix

···

       348
        
                       else if

     

       349
        
                         pgsqlLocal

     

       350
        
                       # note: davis expects a non-standard postgres uri (due to the underlying doctrine library)

     

       351
       -
                       # specifically the dummy hostname which is overriden by the host query parameter

     

       352
        
                       then

     

       353
        
                         "postgres://${user}@localhost/${db.name}?host=/run/postgresql"

     

       354
        
                       else if mysqlLocal then

···

       348
        
                       else if

     

       349
        
                         pgsqlLocal

     

       350
        
                       # note: davis expects a non-standard postgres uri (due to the underlying doctrine library)

     

       351
       +
                       # specifically the dummy hostname which is overridden by the host query parameter

     

       352
        
                       then

     

       353
        
                         "postgres://${user}@localhost/${db.name}?host=/run/postgresql"

     

       354
        
                       else if mysqlLocal then

+1 -1

nixos/modules/services/web-apps/plausible.nix

···

       224
        
                     # Thus, disable distribution for improved simplicity and security:

     

       225
        
                     #

     

       226
        
                     # When distribution is enabled,

     

       227
       -
                     # Elixir spwans the Erlang VM, which will listen by default on all

     

       228
        
                     # interfaces for messages between Erlang nodes (capable of

     

       229
        
                     # remote code execution); it can be protected by a cookie; see

     

       230
        
                     # https://erlang.org/doc/reference_manual/distributed.html#security).

···

       224
        
                     # Thus, disable distribution for improved simplicity and security:

     

       225
        
                     #

     

       226
        
                     # When distribution is enabled,

     

       227
       +
                     # Elixir spawns the Erlang VM, which will listen by default on all

     

       228
        
                     # interfaces for messages between Erlang nodes (capable of

     

       229
        
                     # remote code execution); it can be protected by a cookie; see

     

       230
        
                     # https://erlang.org/doc/reference_manual/distributed.html#security).

+1 -1

nixos/modules/services/web-apps/windmill.nix

···

       132
        
             {

     

       133
        
       

     

       134
        
               # coming from https://github.com/windmill-labs/windmill/blob/main/init-db-as-superuser.sql

     

       135
       -
               # modified to not grant priviledges on all tables

     

       136
        
               # create role windmill_user and windmill_admin only if they don't exist

     

       137
        
               postgresql.postStart = lib.mkIf cfg.database.createLocally (

     

       138
        
                 lib.mkAfter ''

···

       132
        
             {

     

       133
        
       

     

       134
        
               # coming from https://github.com/windmill-labs/windmill/blob/main/init-db-as-superuser.sql

     

       135
       +
               # modified to not grant privileges on all tables

     

       136
        
               # create role windmill_user and windmill_admin only if they don't exist

     

       137
        
               postgresql.postStart = lib.mkIf cfg.database.createLocally (

     

       138
        
                 lib.mkAfter ''

+1 -1

nixos/modules/virtualisation/azure-common.nix

···

       26
        
       

     

       27
        
           # Enable cloud-init by default for waagent.

     

       28
        
           # Otherwise waagent would try manage networking using ifupdown,

     

       29
       -
           # which is currently not availeble in nixpkgs.

     

       30
        
           services.cloud-init.enable = true;

     

       31
        
           services.cloud-init.network.enable = true;

     

       32
        
           systemd.services.cloud-config.serviceConfig.Restart = "on-failure";

···

       26
        
       

     

       27
        
           # Enable cloud-init by default for waagent.

     

       28
        
           # Otherwise waagent would try manage networking using ifupdown,

     

       29
       +
           # which is currently not available in nixpkgs.

     

       30
        
           services.cloud-init.enable = true;

     

       31
        
           services.cloud-init.network.enable = true;

     

       32
        
           systemd.services.cloud-config.serviceConfig.Restart = "on-failure";

+1 -1

nixos/modules/virtualisation/azure-image.nix

···

       105
        
             splashImage = null;

     

       106
        
             # For Gen 1 VM, configurate grub output to serial_com0.

     

       107
        
             # Not needed for Gen 2 VM wbere serial_com0 does not exist,

     

       108
       -
             # and outputing to console is enough to make Azure Serial Console working

     

       109
        
             extraConfig = lib.mkIf (!efiSupport) ''

     

       110
        
               serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1

     

       111
        
               terminal_input --append serial

···

       105
        
             splashImage = null;

     

       106
        
             # For Gen 1 VM, configurate grub output to serial_com0.

     

       107
        
             # Not needed for Gen 2 VM wbere serial_com0 does not exist,

     

       108
       +
             # and outputting to console is enough to make Azure Serial Console working

     

       109
        
             extraConfig = lib.mkIf (!efiSupport) ''

     

       110
        
               serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1

     

       111
        
               terminal_input --append serial

+1 -1

nixos/modules/virtualisation/waagent.nix

···

       67
        
               convert =

     

       68
        
                 attrs:

     

       69
        
                 pipe (recurse [ ] attrs) [

     

       70
       -
                   # Filter out null values and emoty lists

     

       71
        
                   (filter (kv: kv.value != null && kv.value != [ ]))

     

       72
        
                   # Transform to Key=Value form, then concatenate

     

       73
        
                   (map (kv: "${kv.name}=${transform kv.value}"))

···

       67
        
               convert =

     

       68
        
                 attrs:

     

       69
        
                 pipe (recurse [ ] attrs) [

     

       70
       +
                   # Filter out null values and empty lists

     

       71
        
                   (filter (kv: kv.value != null && kv.value != [ ]))

     

       72
        
                   # Transform to Key=Value form, then concatenate

     

       73
        
                   (map (kv: "${kv.name}=${transform kv.value}"))

+2 -2

nixos/tests/appliance-repart-image.nix

···

       65
        
                   repartConfig = {

     

       66
        
                     Type = "esp";

     

       67
        
                     Format = "vfat";

     

       68
       -
                     # Minimize = "guess" seems to not work very vell for vfat

     

       69
       -
                     # partitons. It's better to set a sensible default instead. The

     

       70
        
                     # aarch64 kernel seems to generally be a little bigger than the

     

       71
        
                     # x86_64 kernel. To stay on the safe side, leave some more slack

     

       72
        
                     # for every platform other than x86_64.

···

       65
        
                   repartConfig = {

     

       66
        
                     Type = "esp";

     

       67
        
                     Format = "vfat";

     

       68
       +
                     # Minimize = "guess" seems to not work very well for vfat

     

       69
       +
                     # partitions. It's better to set a sensible default instead. The

     

       70
        
                     # aarch64 kernel seems to generally be a little bigger than the

     

       71
        
                     # x86_64 kernel. To stay on the safe side, leave some more slack

     

       72
        
                     # for every platform other than x86_64.

+1 -1

nixos/tests/common/acme/server/default.nix

···

       94
        
                         ) cfg.configuration.security.acme.certs

     

       95
        
                       )

     

       96
        
                       # A specialisation's config is nested under its configuration attribute.

     

       97
       -
                       # For ease of use, nest the root node's configuration simiarly.

     

       98
        
                       ([ { configuration = node; } ] ++ (builtins.attrValues node.specialisation))

     

       99
        
                   )

     

       100
        
                 );

···

       94
        
                         ) cfg.configuration.security.acme.certs

     

       95
        
                       )

     

       96
        
                       # A specialisation's config is nested under its configuration attribute.

     

       97
       +
                       # For ease of use, nest the root node's configuration similarly.

     

       98
        
                       ([ { configuration = node; } ] ++ (builtins.attrValues node.specialisation))

     

       99
        
                   )

     

       100
        
                 );

+1 -1

nixos/tests/ntfy-sh-migration.nix

···

       4
        
       # this test works doing a migration and asserting ntfy-sh runs properly. first,

     

       5
        
       # ntfy-sh is configured to use a static user and group. then ntfy-sh is

     

       6
        
       # started and tested. after that, ntfy-sh is shut down and a systemd drop

     

       7
       -
       # in configuration file is used to upate the service configuration to use

     

       8
        
       # DynamicUser=true. then the ntfy-sh is started again and tested.

     

       9
        
       

     

       10
        
       import ./make-test-python.nix {

···

       4
        
       # this test works doing a migration and asserting ntfy-sh runs properly. first,

     

       5
        
       # ntfy-sh is configured to use a static user and group. then ntfy-sh is

     

       6
        
       # started and tested. after that, ntfy-sh is shut down and a systemd drop

     

       7
       +
       # in configuration file is used to update the service configuration to use

     

       8
        
       # DynamicUser=true. then the ntfy-sh is started again and tested.

     

       9
        
       

     

       10
        
       import ./make-test-python.nix {

+2 -2

nixos/tests/sftpgo.nix

···

       6
        
       # - downloading the file over sftp

     

       7
        
       # - assert that the ACLs are respected

     

       8
        
       # - share a file between alice and bob (using sftp)

     

       9
       -
       # - assert that eve cannot acceess the shared folder between alice and bob.

     

       10
        
       #

     

       11
        
       # Additional test coverage for the remaining protocols (i.e. ftp, http and webdav)

     

       12
        
       # would be a nice to have for the future.

     
···

       333
        
         testScript =

     

       334
        
           { nodes, ... }:

     

       335
        
           let

     

       336
       -
             # A function to generate test cases for wheter

     

       337
        
             # a specified username is expected to access the shared folder.

     

       338
        
             accessSharedFoldersSubtest =

     

       339
        
               {

···

       6
        
       # - downloading the file over sftp

     

       7
        
       # - assert that the ACLs are respected

     

       8
        
       # - share a file between alice and bob (using sftp)

     

       9
       +
       # - assert that eve cannot access the shared folder between alice and bob.

     

       10
        
       #

     

       11
        
       # Additional test coverage for the remaining protocols (i.e. ftp, http and webdav)

     

       12
        
       # would be a nice to have for the future.

     
···

       333
        
         testScript =

     

       334
        
           { nodes, ... }:

     

       335
        
           let

     

       336
       +
             # A function to generate test cases for whether

     

       337
        
             # a specified username is expected to access the shared folder.

     

       338
        
             accessSharedFoldersSubtest =

     

       339
        
               {

+1 -1

nixos/tests/systemd-sysupdate.nix

···

       1
       -
       # Tests downloading a signed update aritfact from a server to a target machine.

     

       2
        
       # This test does not rely on the `systemd.timer` units provided by the

     

       3
        
       # `systemd-sysupdate` module but triggers the `systemd-sysupdate` service

     

       4
        
       # manually to make the test more robust.

···

       1
       +
       # Tests downloading a signed update artifact from a server to a target machine.

     

       2
        
       # This test does not rely on the `systemd.timer` units provided by the

     

       3
        
       # `systemd-sysupdate` module but triggers the `systemd-sysupdate` service

     

       4
        
       # manually to make the test more robust.

+1 -1

nixos/tests/systemd-timesyncd-nscd-dnssec.nix

···

       4
        
       # correct time, we need to connect to an NTP server, which usually requires resolving its hostname.

     

       5
        
       #

     

       6
        
       # This test does the following:

     

       7
       -
       # - Sets up a DNS server (tinydns) listening on the eth1 ip addess, serving .ntp and fake.ntp records.

     

       8
        
       # - Configures that DNS server as a resolver and enables DNSSEC in systemd-resolved settings.

     

       9
        
       # - Configures systemd-timesyncd to use fake.ntp hostname as an NTP server.

     

       10
        
       # - Performs a regular DNS lookup, to ensure it fails due to broken DNSSEC.

···

       4
        
       # correct time, we need to connect to an NTP server, which usually requires resolving its hostname.

     

       5
        
       #

     

       6
        
       # This test does the following:

     

       7
       +
       # - Sets up a DNS server (tinydns) listening on the eth1 ip address, serving .ntp and fake.ntp records.

     

       8
        
       # - Configures that DNS server as a resolver and enables DNSSEC in systemd-resolved settings.

     

       9
        
       # - Configures systemd-timesyncd to use fake.ntp hostname as an NTP server.

     

       10
        
       # - Performs a regular DNS lookup, to ensure it fails due to broken DNSSEC.

+4 -4

pkgs/applications/editors/emacs/elisp-packages/melpa-packages.nix

···

       17
        
         ./update-from-overlay

     

       18
        
       

     

       19
        
         It will update both melpa and elpa packages using

     

       20
       -
         https://github.com/nix-community/emacs-overlay. It's almost instantenous and

     

       21
        
         formats commits for you.

     

       22
        
       */

     

       23
        
       

     
···

       1355
        
                 hyperbole = ignoreCompilationError (addPackageRequires (mkHome super.hyperbole) [ self.el-mock ]); # elisp error

     

       1356
        
       

     

       1357
        
                 # needs non-existent "browser database directory" during compilation

     

       1358
       -
                 # TODO report to upsteam about missing dependency websocket

     

       1359
        
                 ibrowse = ignoreCompilationError (addPackageRequires super.ibrowse [ self.websocket ]);

     

       1360
        
       

     

       1361
        
                 # elisp error and missing optional dependencies

     
···

       1368
        
       

     

       1369
        
                 indium = mkHome super.indium;

     

       1370
        
       

     

       1371
       -
                 # TODO report to upsteam

     

       1372
        
                 inlineR = addPackageRequires super.inlineR [ self.ess ];

     

       1373
        
       

     

       1374
        
                 # https://github.com/duelinmarkers/insfactor.el/issues/7

     
···

       1547
        
       

     

       1548
        
                 org-gtd = ignoreCompilationError super.org-gtd; # elisp error

     

       1549
        
       

     

       1550
       -
                 # needs newer org than the Eamcs 29.4 builtin one

     

       1551
        
                 org-link-beautify = addPackageRequires super.org-link-beautify [

     

       1552
        
                   self.org

     

       1553
        
                   self.qrencode

···

       17
        
         ./update-from-overlay

     

       18
        
       

     

       19
        
         It will update both melpa and elpa packages using

     

       20
       +
         https://github.com/nix-community/emacs-overlay. It's almost instantaneous and

     

       21
        
         formats commits for you.

     

       22
        
       */

     

       23
        
       

     
···

       1355
        
                 hyperbole = ignoreCompilationError (addPackageRequires (mkHome super.hyperbole) [ self.el-mock ]); # elisp error

     

       1356
        
       

     

       1357
        
                 # needs non-existent "browser database directory" during compilation

     

       1358
       +
                 # TODO report to upstream about missing dependency websocket

     

       1359
        
                 ibrowse = ignoreCompilationError (addPackageRequires super.ibrowse [ self.websocket ]);

     

       1360
        
       

     

       1361
        
                 # elisp error and missing optional dependencies

     
···

       1368
        
       

     

       1369
        
                 indium = mkHome super.indium;

     

       1370
        
       

     

       1371
       +
                 # TODO report to upstream

     

       1372
        
                 inlineR = addPackageRequires super.inlineR [ self.ess ];

     

       1373
        
       

     

       1374
        
                 # https://github.com/duelinmarkers/insfactor.el/issues/7

     
···

       1547
        
       

     

       1548
        
                 org-gtd = ignoreCompilationError super.org-gtd; # elisp error

     

       1549
        
       

     

       1550
       +
                 # needs newer org than the Emacs 29.4 builtin one

     

       1551
        
                 org-link-beautify = addPackageRequires super.org-link-beautify [

     

       1552
        
                   self.org

     

       1553
        
                   self.qrencode

+1 -1

pkgs/applications/editors/vscode/extensions/default.nix

···

       5709
        
         };

     

       5710
        
       

     

       5711
        
         # TODO: add overrides overlay, so that we can have a generated.nix

     

       5712
       -
         # then apply extension specific modifcations to packages.

     

       5713
        
       

     

       5714
        
         # overlays will be applied left to right, overrides should come after aliases.

     

       5715
        
         overlays = lib.optionals config.allowAliases [

···

       5709
        
         };

     

       5710
        
       

     

       5711
        
         # TODO: add overrides overlay, so that we can have a generated.nix

     

       5712
       +
         # then apply extension specific modifications to packages.

     

       5713
        
       

     

       5714
        
         # overlays will be applied left to right, overrides should come after aliases.

     

       5715
        
         overlays = lib.optionals config.allowAliases [

+1 -1

pkgs/applications/editors/vscode/extensions/ms-vscode.cpptools/default.nix

···

       33
        
       

     

       34
        
         <https://github.com/Microsoft/vscode-cpptools/issues/35>

     

       35
        
       

     

       36
       -
         Once the symbolic link temporary solution taken, everything shoud run smootly.

     

       37
        
       */

     

       38
        
       

     

       39
        
       let

···

       33
        
       

     

       34
        
         <https://github.com/Microsoft/vscode-cpptools/issues/35>

     

       35
        
       

     

       36
       +
         Once the symbolic link temporary solution taken, everything should run smootly.

     

       37
        
       */

     

       38
        
       

     

       39
        
       let

+1 -1

pkgs/applications/graphics/yacreader/default.nix

···

       49
        
             libsForQt5.qtmacextras # can be removed when using qt6

     

       50
        
           ];

     

       51
        
       

     

       52
       -
         # custom Darwin install instructions taken from the upsteam compileOSX.sh script

     

       53
        
         installPhase = lib.optionalString stdenv.hostPlatform.isDarwin ''

     

       54
        
           runHook preInstall

     

       55

···

       49
        
             libsForQt5.qtmacextras # can be removed when using qt6

     

       50
        
           ];

     

       51
        
       

     

       52
       +
         # custom Darwin install instructions taken from the upstream compileOSX.sh script

     

       53
        
         installPhase = lib.optionalString stdenv.hostPlatform.isDarwin ''

     

       54
        
           runHook preInstall

     

       55

+1 -1

pkgs/build-support/rust/build-rust-crate/default.nix

···

       15
        
         jq,

     

       16
        
         libiconv,

     

       17
        
         # Controls codegen parallelization for all crates.

     

       18
       -
         # May be overriden on a per-crate level.

     

       19
        
         # See <https://doc.rust-lang.org/rustc/codegen-options/index.html#codegen-units>

     

       20
        
         defaultCodegenUnits ? 1,

     

       21
        
       }:

···

       15
        
         jq,

     

       16
        
         libiconv,

     

       17
        
         # Controls codegen parallelization for all crates.

     

       18
       +
         # May be overridden on a per-crate level.

     

       19
        
         # See <https://doc.rust-lang.org/rustc/codegen-options/index.html#codegen-units>

     

       20
        
         defaultCodegenUnits ? 1,

     

       21
        
       }:

+3 -3

pkgs/build-support/rust/build-rust-crate/test/rcgen-crates.nix

···

       20
        
         defaultCrateOverrides ? pkgs.defaultCrateOverrides,

     

       21
        
         # The features to enable for the root_crate or the workspace_members.

     

       22
        
         rootFeatures ? [ "default" ],

     

       23
       -
         # If true, throw errors instead of issueing deprecation warnings.

     

       24
        
         strictDeprecation ? false,

     

       25
        
         # Used for conditional compilation based on CPU feature detection.

     

       26
        
         targetFeatures ? [ ],

     
···

       4485
        
               runTests ? false,

     

       4486
        
               testCrateFlags ? [ ],

     

       4487
        
               testInputs ? [ ],

     

       4488
       -
               # Any command to run immediatelly before a test is executed.

     

       4489
        
               testPreRun ? "",

     

       4490
       -
               # Any command run immediatelly after a test is executed.

     

       4491
        
               testPostRun ? "",

     

       4492
        
             }:

     

       4493
        
             lib.makeOverridable

···

       20
        
         defaultCrateOverrides ? pkgs.defaultCrateOverrides,

     

       21
        
         # The features to enable for the root_crate or the workspace_members.

     

       22
        
         rootFeatures ? [ "default" ],

     

       23
       +
         # If true, throw errors instead of issuing deprecation warnings.

     

       24
        
         strictDeprecation ? false,

     

       25
        
         # Used for conditional compilation based on CPU feature detection.

     

       26
        
         targetFeatures ? [ ],

     
···

       4485
        
               runTests ? false,

     

       4486
        
               testCrateFlags ? [ ],

     

       4487
        
               testInputs ? [ ],

     

       4488
       +
               # Any command to run immediately before a test is executed.

     

       4489
        
               testPreRun ? "",

     

       4490
       +
               # Any command run immediately after a test is executed.

     

       4491
        
               testPostRun ? "",

     

       4492
        
             }:

     

       4493
        
             lib.makeOverridable

+1 -1

pkgs/by-name/ad/adios2/package.nix

···

       85
        
             yaml-cpp

     

       86
        
             nlohmann_json

     

       87
        
       

     

       88
       -
             # Todo: add these optional dependcies in nixpkgs.

     

       89
        
             # sz

     

       90
        
             # mgard

     

       91
        
             # catalyst

···

       85
        
             yaml-cpp

     

       86
        
             nlohmann_json

     

       87
        
       

     

       88
       +
             # Todo: add these optional dependencies in nixpkgs.

     

       89
        
             # sz

     

       90
        
             # mgard

     

       91
        
             # catalyst

+1 -1

pkgs/by-name/hy/hyperhdr/package.nix

···

       45
        
         ];

     

       46
        
       

     

       47
        
         patches = [

     

       48
       -
           # Allow completly unvendoring hyperhdr

     

       49
        
           # This can be removed on the next hyperhdr release

     

       50
        
           ./unvendor.patch

     

       51
        
         ];

···

       45
        
         ];

     

       46
        
       

     

       47
        
         patches = [

     

       48
       +
           # Allow completely unvendoring hyperhdr

     

       49
        
           # This can be removed on the next hyperhdr release

     

       50
        
           ./unvendor.patch

     

       51
        
         ];

+1 -1

pkgs/by-name/il/ilmbase/package.nix

···

       3
        
         lib,

     

       4
        
         buildPackages,

     

       5
        
         cmake,

     

       6
       -
         # explicitely depending on openexr_2 because ilmbase doesn't exist for v3

     

       7
        
         openexr_2,

     

       8
        
       }:

     

       9

···

       3
        
         lib,

     

       4
        
         buildPackages,

     

       5
        
         cmake,

     

       6
       +
         # explicitly depending on openexr_2 because ilmbase doesn't exist for v3

     

       7
        
         openexr_2,

     

       8
        
       }:

     

       9

+1 -1

pkgs/by-name/im/imlib2/package.nix

···

       75
        
         enableParallelBuilding = true;

     

       76
        
       

     

       77
        
         # Do not build amd64 assembly code on Darwin, because it fails to compile

     

       78
       -
         # with unknow directive errors

     

       79
        
         configureFlags =

     

       80
        
           optional stdenv.hostPlatform.isDarwin "--enable-amd64=no"

     

       81
        
           ++ optional (!svgSupport) "--without-svg"

···

       75
        
         enableParallelBuilding = true;

     

       76
        
       

     

       77
        
         # Do not build amd64 assembly code on Darwin, because it fails to compile

     

       78
       +
         # with unknown directive errors

     

       79
        
         configureFlags =

     

       80
        
           optional stdenv.hostPlatform.isDarwin "--enable-amd64=no"

     

       81
        
           ++ optional (!svgSupport) "--without-svg"

+1 -1

pkgs/by-name/li/libcredis/package.nix

···

       13
        
           sha256 = "1l3hlw9rrc11qggbg9a2303p3bhxxx2vqkmlk8avsrbqw15r1ayr";

     

       14
        
         };

     

       15
        
       

     

       16
       -
         # credis build system has no install actions, provide our own.

     

       17
        
         installPhase = ''

     

       18
        
           mkdir -p "$out/bin"

     

       19
        
           mkdir -p "$out/lib"

···

       13
        
           sha256 = "1l3hlw9rrc11qggbg9a2303p3bhxxx2vqkmlk8avsrbqw15r1ayr";

     

       14
        
         };

     

       15
        
       

     

       16
       +
         # credits build system has no install actions, provide our own.

     

       17
        
         installPhase = ''

     

       18
        
           mkdir -p "$out/bin"

     

       19
        
           mkdir -p "$out/lib"

+1 -1

pkgs/by-name/mi/miktex/package.nix

···

       106
        
         patches = [

     

       107
        
           ./startup-config-support-nix-store.patch

     

       108
        
           # Miktex will search exectables in "GetMyPrefix(true)/bin".

     

       109
       -
           # The path evalutate to "/usr/bin" in FHS style linux distrubution,

     

       110
        
           # compared to "/nix/store/.../bin" in NixOS.

     

       111
        
           # As a result, miktex will fail to find e.g. 'pkexec','ksudo','gksu'

     

       112
        
           # under /run/wrappers/bin in NixOS.

···

       106
        
         patches = [

     

       107
        
           ./startup-config-support-nix-store.patch

     

       108
        
           # Miktex will search exectables in "GetMyPrefix(true)/bin".

     

       109
       +
           # The path evaluate to "/usr/bin" in FHS style linux distribution,

     

       110
        
           # compared to "/nix/store/.../bin" in NixOS.

     

       111
        
           # As a result, miktex will fail to find e.g. 'pkexec','ksudo','gksu'

     

       112
        
           # under /run/wrappers/bin in NixOS.

+1 -1

pkgs/by-name/mx/mxnet/package.nix

···

       14
        
         perl,

     

       15
        
         # mxnet cuda support is turned off, but dependencies like opencv can still be built with cudaSupport

     

       16
        
         # and fail to compile without the cudatoolkit

     

       17
       -
         # mxnet cuda support will not be availaible, as mxnet requires version <=11

     

       18
        
         cudaSupport ? config.cudaSupport,

     

       19
        
         cudaPackages ? { },

     

       20
        
       }:

···

       14
        
         perl,

     

       15
        
         # mxnet cuda support is turned off, but dependencies like opencv can still be built with cudaSupport

     

       16
        
         # and fail to compile without the cudatoolkit

     

       17
       +
         # mxnet cuda support will not be available, as mxnet requires version <=11

     

       18
        
         cudaSupport ? config.cudaSupport,

     

       19
        
         cudaPackages ? { },

     

       20
        
       }:

+1 -1

pkgs/by-name/ty/typical/package.nix

···

       30
        
       

     

       31
        
         patches = [

     

       32
        
           # Related to https://github.com/stepchowfun/typical/pull/501

     

       33
       -
           # Commiting a slightly different patch because the upstream one doesn't apply cleanly

     

       34
        
           ./lifetime.patch

     

       35
        
         ];

     

       36

···

       30
        
       

     

       31
        
         patches = [

     

       32
        
           # Related to https://github.com/stepchowfun/typical/pull/501

     

       33
       +
           # Committing a slightly different patch because the upstream one doesn't apply cleanly

     

       34
        
           ./lifetime.patch

     

       35
        
         ];

     

       36

+1 -1

pkgs/by-name/us/usb-reset/package.nix

···

       8
        
       stdenv.mkDerivation {

     

       9
        
         pname = "usb-reset";

     

       10
        
         # not tagged, but changelog has this with the date of the e9a9d6c commit

     

       11
       -
         # and no significant change occured between bumping the version in the Makefile and that

     

       12
        
         # and the changes since then (up to ff822d8) seem snap related

     

       13
        
         version = "0.3";

     

       14

···

       8
        
       stdenv.mkDerivation {

     

       9
        
         pname = "usb-reset";

     

       10
        
         # not tagged, but changelog has this with the date of the e9a9d6c commit

     

       11
       +
         # and no significant change occurred between bumping the version in the Makefile and that

     

       12
        
         # and the changes since then (up to ff822d8) seem snap related

     

       13
        
         version = "0.3";

     

       14

+1 -1

pkgs/by-name/yt/ytmdesktop/package.nix

···

       38
        
         };

     

       39
        
       

     

       40
        
         patches = [

     

       41
       -
           # instead of runnning git during the build process

     

       42
        
           # use the .COMMIT file generated in the fetcher FOD

     

       43
        
           ./git-rev-parse.patch

     

       44
        
         ];

···

       38
        
         };

     

       39
        
       

     

       40
        
         patches = [

     

       41
       +
           # instead of running git during the build process

     

       42
        
           # use the .COMMIT file generated in the fetcher FOD

     

       43
        
           ./git-rev-parse.patch

     

       44
        
         ];

+1 -1

pkgs/by-name/ze/zepp-simulator/package.nix

···

       6
        
         copyDesktopItems,

     

       7
        
         autoPatchelfHook,

     

       8
        
       

     

       9
       -
         # Upstream is officialy built with Electron 18

     

       10
        
         # (but it works with latest Electron with minor changes, see HACK below)

     

       11
        
         electron,

     

       12
        
         asar,

···

       6
        
         copyDesktopItems,

     

       7
        
         autoPatchelfHook,

     

       8
        
       

     

       9
       +
         # Upstream is officially built with Electron 18

     

       10
        
         # (but it works with latest Electron with minor changes, see HACK below)

     

       11
        
         electron,

     

       12
        
         asar,

+1 -1

pkgs/development/compilers/gcc/common/configure-flags.nix

···

       38
        
       

     

       39
        
       # Note [Windows Exception Handling]

     

       40
        
       # sjlj (short jump long jump) exception handling makes no sense on x86_64,

     

       41
       -
       # it's forcably slowing programs down as it produces a constant overhead.

     

       42
        
       # On x86_64 we have SEH (Structured Exception Handling) and we should use

     

       43
        
       # that. On i686, we do not have SEH, and have to use sjlj with dwarf2.

     

       44
        
       # Hence it's now conditional on x86_32 (i686 is 32bit).

···

       38
        
       

     

       39
        
       # Note [Windows Exception Handling]

     

       40
        
       # sjlj (short jump long jump) exception handling makes no sense on x86_64,

     

       41
       +
       # it's forcibly slowing programs down as it produces a constant overhead.

     

       42
        
       # On x86_64 we have SEH (Structured Exception Handling) and we should use

     

       43
        
       # that. On i686, we do not have SEH, and have to use sjlj with dwarf2.

     

       44
        
       # Hence it's now conditional on x86_32 (i686 is 32bit).

+4 -4

pkgs/development/haskell-modules/configuration-common.nix

···

       20
        
       

     

       21
        
       self: super:

     

       22
        
       {

     

       23
       -
         # Hackage's accelerate is from 2020 and incomptible with our GHC.

     

       24
        
         # The existing derivation also has missing dependencies

     

       25
        
         # compared to the source from github.

     

       26
        
         # https://github.com/AccelerateHS/accelerate/issues/553

     
···

       791
        
         katt = dontCheck super.katt;

     

       792
        
         language-slice = dontCheck super.language-slice;

     

       793
        
       

     

       794
       -
         # Bogus lower bound on data-default-class added via Hackage revison

     

       795
        
         # https://github.com/mrkkrp/req/pull/180#issuecomment-2628201485

     

       796
        
         req = overrideCabal {

     

       797
        
           revision = null;

     
···

       1963
        
           license = lib.licenses.bsd3;

     

       1964
        
           # ghc-bignum is not buildable if none of the three backends

     

       1965
        
           # is explicitly enabled. We enable Native for now as it doesn't

     

       1966
       -
           # depend on anything else as oppossed to GMP and FFI.

     

       1967
        
           # Apply patch which fixes a compilation failure we encountered.

     

       1968
        
           # Will need to be kept until we can drop ghc-bignum entirely,

     

       1969
        
           # i. e. if GHC 8.10.* and 8.8.* have been removed.

     
···

       2529
        
         # Missing test files https://github.com/kephas/xdg-basedir-compliant/issues/1

     

       2530
        
         xdg-basedir-compliant = dontCheck super.xdg-basedir-compliant;

     

       2531
        
       

     

       2532
       -
         # Test failure after libxcrypt migration, reported upstrem at

     

       2533
        
         # https://github.com/phadej/crypt-sha512/issues/13

     

       2534
        
         crypt-sha512 = dontCheck super.crypt-sha512;

     

       2535

···

       20
        
       

     

       21
        
       self: super:

     

       22
        
       {

     

       23
       +
         # Hackage's accelerate is from 2020 and incompatible with our GHC.

     

       24
        
         # The existing derivation also has missing dependencies

     

       25
        
         # compared to the source from github.

     

       26
        
         # https://github.com/AccelerateHS/accelerate/issues/553

     
···

       791
        
         katt = dontCheck super.katt;

     

       792
        
         language-slice = dontCheck super.language-slice;

     

       793
        
       

     

       794
       +
         # Bogus lower bound on data-default-class added via Hackage revision

     

       795
        
         # https://github.com/mrkkrp/req/pull/180#issuecomment-2628201485

     

       796
        
         req = overrideCabal {

     

       797
        
           revision = null;

     
···

       1963
        
           license = lib.licenses.bsd3;

     

       1964
        
           # ghc-bignum is not buildable if none of the three backends

     

       1965
        
           # is explicitly enabled. We enable Native for now as it doesn't

     

       1966
       +
           # depend on anything else as opposed to GMP and FFI.

     

       1967
        
           # Apply patch which fixes a compilation failure we encountered.

     

       1968
        
           # Will need to be kept until we can drop ghc-bignum entirely,

     

       1969
        
           # i. e. if GHC 8.10.* and 8.8.* have been removed.

     
···

       2529
        
         # Missing test files https://github.com/kephas/xdg-basedir-compliant/issues/1

     

       2530
        
         xdg-basedir-compliant = dontCheck super.xdg-basedir-compliant;

     

       2531
        
       

     

       2532
       +
         # Test failure after libxcrypt migration, reported upstream at

     

       2533
        
         # https://github.com/phadej/crypt-sha512/issues/13

     

       2534
        
         crypt-sha512 = dontCheck super.crypt-sha512;

     

       2535

+1 -1

pkgs/development/interpreters/ruby/default.nix

···

       207
        
                     # When using a baseruby, ruby always sets "libdir" to the build

     

       208
        
                     # directory, which nix rejects due to a reference in to /build/ in

     

       209
        
                     # the final product. Removing this reference doesn't seem to break

     

       210
       -
                     # anything and fixes cross compliation.

     

       211
        
                     ./dont-refer-to-build-dir.patch

     

       212
        
                   ];

     

       213

···

       207
        
                     # When using a baseruby, ruby always sets "libdir" to the build

     

       208
        
                     # directory, which nix rejects due to a reference in to /build/ in

     

       209
        
                     # the final product. Removing this reference doesn't seem to break

     

       210
       +
                     # anything and fixes cross compilation.

     

       211
        
                     ./dont-refer-to-build-dir.patch

     

       212
        
                   ];

     

       213

+1 -1

pkgs/development/libraries/ffmpeg/generic.nix

···

       34
        
         # all dependants in Nixpkgs

     

       35
        
         withSmallDeps ? ffmpegVariant == "small" || withFullDeps,

     

       36
        
       

     

       37
       -
         # Everything enabled; only guarded behind platform exclusivity or brokeness.

     

       38
        
         # If you need to depend on ffmpeg-full because ffmpeg is missing some feature

     

       39
        
         # your package needs, you should enable that feature in regular ffmpeg

     

       40
        
         # instead.

···

       34
        
         # all dependants in Nixpkgs

     

       35
        
         withSmallDeps ? ffmpegVariant == "small" || withFullDeps,

     

       36
        
       

     

       37
       +
         # Everything enabled; only guarded behind platform exclusivity or brokenness.

     

       38
        
         # If you need to depend on ffmpeg-full because ffmpeg is missing some feature

     

       39
        
         # your package needs, you should enable that feature in regular ffmpeg

     

       40
        
         # instead.

+1 -1

pkgs/development/libraries/openssl/default.nix

···

       225
        
               # This avoids conflicts between man pages of openssl subcommands (for

     

       226
        
               # example 'ts' and 'err') man pages and their equivalent top-level

     

       227
        
               # command in other packages (respectively man-pages and moreutils).

     

       228
       -
               # This is done in ubuntu and archlinux, and possiibly many other distros.

     

       229
        
               "MANSUFFIX=ssl"

     

       230
        
             ];

     

       231

···

       225
        
               # This avoids conflicts between man pages of openssl subcommands (for

     

       226
        
               # example 'ts' and 'err') man pages and their equivalent top-level

     

       227
        
               # command in other packages (respectively man-pages and moreutils).

     

       228
       +
               # This is done in ubuntu and archlinux, and possibly many other distros.

     

       229
        
               "MANSUFFIX=ssl"

     

       230
        
             ];

     

       231

+1 -1

pkgs/development/libraries/vigra/default.nix

···

       29
        
         };

     

       30
        
       

     

       31
        
         patches = [

     

       32
       -
           # Pathes to fix compiling on LLVM 19 from https://github.com/ukoethe/vigra/pull/592

     

       33
        
           ./fix-llvm-19-1.patch

     

       34
        
           ./fix-llvm-19-2.patch

     

       35
        
         ];

···

       29
        
         };

     

       30
        
       

     

       31
        
         patches = [

     

       32
       +
           # Patches to fix compiling on LLVM 19 from https://github.com/ukoethe/vigra/pull/592

     

       33
        
           ./fix-llvm-19-1.patch

     

       34
        
           ./fix-llvm-19-2.patch

     

       35
        
         ];

+1 -1

pkgs/development/python-modules/brotlicffi/default.nix

···

       4
        
         buildPythonPackage,

     

       5
        
         pythonOlder,

     

       6
        
         cffi,

     

       7
       -
         # overriden as pkgs.brotli

     

       8
        
         brotli,

     

       9
        
         setuptools,

     

       10
        
         pytestCheckHook,

···

       4
        
         buildPythonPackage,

     

       5
        
         pythonOlder,

     

       6
        
         cffi,

     

       7
       +
         # overridden as pkgs.brotli

     

       8
        
         brotli,

     

       9
        
         setuptools,

     

       10
        
         pytestCheckHook,

+1 -1

pkgs/development/python-modules/datadog/default.nix

···

       60
        
             # https://github.com/DataDog/datadogpy/issues/746

     

       61
        
             "TestDogshell"

     

       62
        
       

     

       63
       -
             # Flaky: test execution time aganst magic values

     

       64
        
             "test_distributed"

     

       65
        
             "test_timed"

     

       66
        
             "test_timed_in_ms"

···

       60
        
             # https://github.com/DataDog/datadogpy/issues/746

     

       61
        
             "TestDogshell"

     

       62
        
       

     

       63
       +
             # Flaky: test execution time against magic values

     

       64
        
             "test_distributed"

     

       65
        
             "test_timed"

     

       66
        
             "test_timed_in_ms"

+1 -1

pkgs/development/python-modules/dm-haiku/default.nix

···

       60
        
       

     

       61
        
           # AttributeError: jax.core.Var was removed in JAX v0.6.0. Use jax.extend.core.Var instead, and

     

       62
        
           # see https://docs.jax.dev/en/latest/jax.extend.html for details.

     

       63
       -
           # Alrady on master: https://github.com/google-deepmind/dm-haiku/commit/cfe8480d253a93100bf5e2d24c40435a95399c96

     

       64
        
           # TODO: remove at the next release

     

       65
        
           postPatch = ''

     

       66
        
             substituteInPlace haiku/_src/jaxpr_info.py \

···

       60
        
       

     

       61
        
           # AttributeError: jax.core.Var was removed in JAX v0.6.0. Use jax.extend.core.Var instead, and

     

       62
        
           # see https://docs.jax.dev/en/latest/jax.extend.html for details.

     

       63
       +
           # Already on master: https://github.com/google-deepmind/dm-haiku/commit/cfe8480d253a93100bf5e2d24c40435a95399c96

     

       64
        
           # TODO: remove at the next release

     

       65
        
           postPatch = ''

     

       66
        
             substituteInPlace haiku/_src/jaxpr_info.py \

+1 -1

pkgs/development/python-modules/flashinfer/default.nix

···

       3
        
       # requires the CUDA toolkit (via nvcc) to be available.

     

       4
        
       #

     

       5
        
       # This means that if you plan to use flashinfer, you will need to set the

     

       6
       -
       # environment varaible `CUDA_HOME` to `cudatoolkit`.

     

       7
        
       {

     

       8
        
         lib,

     

       9
        
         config,

···

       3
        
       # requires the CUDA toolkit (via nvcc) to be available.

     

       4
        
       #

     

       5
        
       # This means that if you plan to use flashinfer, you will need to set the

     

       6
       +
       # environment variable `CUDA_HOME` to `cudatoolkit`.

     

       7
        
       {

     

       8
        
         lib,

     

       9
        
         config,

+1 -1

pkgs/development/python-modules/fmpy/default.nix

···

       178
        
                 };

     

       179
        
       

     

       180
        
               # FMPy searches for sundials without the "lib"-prefix; strip it

     

       181
       -
               # and symlink the so-files into existance.

     

       182
        
               postFixup = ''

     

       183
        
                 pushd $out/lib

     

       184
        
                 for so in *.so; do

···

       178
        
                 };

     

       179
        
       

     

       180
        
               # FMPy searches for sundials without the "lib"-prefix; strip it

     

       181
       +
               # and symlink the so-files into existence.

     

       182
        
               postFixup = ''

     

       183
        
                 pushd $out/lib

     

       184
        
                 for so in *.so; do

+1 -1

pkgs/development/python-modules/itables/default.nix

···

       27
        
         # itables has 4 different node packages, each with their own

     

       28
        
         # package-lock.json, and partially depending on each other.

     

       29
        
         # Our fetchNpmDeps tooling in nixpkgs doesn't support this yet, so we fetch

     

       30
       -
         # the source tarball from pypi, wich includes the javascript bundle already.

     

       31
        
         src = fetchPypi {

     

       32
        
           inherit pname version;

     

       33
        
           hash = "sha256-S5HASUVfqTny+Vu15MYSSrEffCaJuL7UhDOc3eudVWI=";

···

       27
        
         # itables has 4 different node packages, each with their own

     

       28
        
         # package-lock.json, and partially depending on each other.

     

       29
        
         # Our fetchNpmDeps tooling in nixpkgs doesn't support this yet, so we fetch

     

       30
       +
         # the source tarball from pypi, which includes the javascript bundle already.

     

       31
        
         src = fetchPypi {

     

       32
        
           inherit pname version;

     

       33
        
           hash = "sha256-S5HASUVfqTny+Vu15MYSSrEffCaJuL7UhDOc3eudVWI=";

+1 -1

pkgs/development/python-modules/langchain-aws/default.nix

···

       54
        
           # Boto @ 1.35 has outstripped the version requirement

     

       55
        
           "boto3"

     

       56
        
           # Each component release requests the exact latest core.

     

       57
       -
           # That prevents us from updating individul components.

     

       58
        
           "langchain-core"

     

       59
        
         ];

     

       60

···

       54
        
           # Boto @ 1.35 has outstripped the version requirement

     

       55
        
           "boto3"

     

       56
        
           # Each component release requests the exact latest core.

     

       57
       +
           # That prevents us from updating individual components.

     

       58
        
           "langchain-core"

     

       59
        
         ];

     

       60

+1 -1

pkgs/development/python-modules/langchain-azure-dynamic-sessions/default.nix

···

       44
        
       

     

       45
        
         pythonRelaxDeps = [

     

       46
        
           # Each component release requests the exact latest core.

     

       47
       -
           # That prevents us from updating individul components.

     

       48
        
           "langchain-core"

     

       49
        
         ];

     

       50

···

       44
        
       

     

       45
        
         pythonRelaxDeps = [

     

       46
        
           # Each component release requests the exact latest core.

     

       47
       +
           # That prevents us from updating individual components.

     

       48
        
           "langchain-core"

     

       49
        
         ];

     

       50

+1 -1

pkgs/development/python-modules/langchain-chroma/default.nix

···

       32
        
       

     

       33
        
         pythonRelaxDeps = [

     

       34
        
           # Each component release requests the exact latest core.

     

       35
       -
           # That prevents us from updating individul components.

     

       36
        
           "langchain-core"

     

       37
        
           "numpy"

     

       38
        
         ];

···

       32
        
       

     

       33
        
         pythonRelaxDeps = [

     

       34
        
           # Each component release requests the exact latest core.

     

       35
       +
           # That prevents us from updating individual components.

     

       36
        
           "langchain-core"

     

       37
        
           "numpy"

     

       38
        
         ];

+1 -1

pkgs/development/python-modules/langchain-community/default.nix

···

       56
        
       

     

       57
        
         pythonRelaxDeps = [

     

       58
        
           # Each component release requests the exact latest langchain and -core.

     

       59
       -
           # That prevents us from updating individul components.

     

       60
        
           "langchain"

     

       61
        
           "langchain-core"

     

       62
        
           "numpy"

···

       56
        
       

     

       57
        
         pythonRelaxDeps = [

     

       58
        
           # Each component release requests the exact latest langchain and -core.

     

       59
       +
           # That prevents us from updating individual components.

     

       60
        
           "langchain"

     

       61
        
           "langchain-core"

     

       62
        
           "numpy"

+1 -1

pkgs/development/python-modules/langchain-groq/default.nix

···

       34
        
       

     

       35
        
         pythonRelaxDeps = [

     

       36
        
           # Each component release requests the exact latest core.

     

       37
       -
           # That prevents us from updating individul components.

     

       38
        
           "langchain-core"

     

       39
        
         ];

     

       40

···

       34
        
       

     

       35
        
         pythonRelaxDeps = [

     

       36
        
           # Each component release requests the exact latest core.

     

       37
       +
           # That prevents us from updating individual components.

     

       38
        
           "langchain-core"

     

       39
        
         ];

     

       40

+1 -1

pkgs/development/python-modules/langchain-huggingface/default.nix

···

       49
        
       

     

       50
        
         pythonRelaxDeps = [

     

       51
        
           # Each component release requests the exact latest core.

     

       52
       -
           # That prevents us from updating individul components.

     

       53
        
           "langchain-core"

     

       54
        
         ];

     

       55

···

       49
        
       

     

       50
        
         pythonRelaxDeps = [

     

       51
        
           # Each component release requests the exact latest core.

     

       52
       +
           # That prevents us from updating individual components.

     

       53
        
           "langchain-core"

     

       54
        
         ];

     

       55

+1 -1

pkgs/development/python-modules/langchain-mongodb/default.nix

···

       39
        
       

     

       40
        
         pythonRelaxDeps = [

     

       41
        
           # Each component release requests the exact latest core.

     

       42
       -
           # That prevents us from updating individul components.

     

       43
        
           "langchain-core"

     

       44
        
           "numpy"

     

       45
        
         ];

···

       39
        
       

     

       40
        
         pythonRelaxDeps = [

     

       41
        
           # Each component release requests the exact latest core.

     

       42
       +
           # That prevents us from updating individual components.

     

       43
        
           "langchain-core"

     

       44
        
           "numpy"

     

       45
        
         ];

+1 -1

pkgs/development/python-modules/langchain-ollama/default.nix

···

       40
        
       

     

       41
        
         pythonRelaxDeps = [

     

       42
        
           # Each component release requests the exact latest core.

     

       43
       -
           # That prevents us from updating individul components.

     

       44
        
           "langchain-core"

     

       45
        
         ];

     

       46

···

       40
        
       

     

       41
        
         pythonRelaxDeps = [

     

       42
        
           # Each component release requests the exact latest core.

     

       43
       +
           # That prevents us from updating individual components.

     

       44
        
           "langchain-core"

     

       45
        
         ];

     

       46

+1 -1

pkgs/development/python-modules/langchain-openai/default.nix

···

       52
        
       

     

       53
        
         pythonRelaxDeps = [

     

       54
        
           # Each component release requests the exact latest core.

     

       55
       -
           # That prevents us from updating individul components.

     

       56
        
           "langchain-core"

     

       57
        
         ];

     

       58

···

       52
        
       

     

       53
        
         pythonRelaxDeps = [

     

       54
        
           # Each component release requests the exact latest core.

     

       55
       +
           # That prevents us from updating individual components.

     

       56
        
           "langchain-core"

     

       57
        
         ];

     

       58

+1 -1

pkgs/development/python-modules/langchain-tests/default.nix

···

       42
        
       

     

       43
        
         pythonRelaxDeps = [

     

       44
        
           # Each component release requests the exact latest core.

     

       45
       -
           # That prevents us from updating individul components.

     

       46
        
           "langchain-core"

     

       47
        
           "numpy"

     

       48
        
         ];

···

       42
        
       

     

       43
        
         pythonRelaxDeps = [

     

       44
        
           # Each component release requests the exact latest core.

     

       45
       +
           # That prevents us from updating individual components.

     

       46
        
           "langchain-core"

     

       47
        
           "numpy"

     

       48
        
         ];

+1 -1

pkgs/development/python-modules/langchain-text-splitters/default.nix

···

       34
        
       

     

       35
        
         pythonRelaxDeps = [

     

       36
        
           # Each component release requests the exact latest core.

     

       37
       -
           # That prevents us from updating individul components.

     

       38
        
           "langchain-core"

     

       39
        
         ];

     

       40

···

       34
        
       

     

       35
        
         pythonRelaxDeps = [

     

       36
        
           # Each component release requests the exact latest core.

     

       37
       +
           # That prevents us from updating individual components.

     

       38
        
           "langchain-core"

     

       39
        
         ];

     

       40

+1 -1

pkgs/development/python-modules/langchain/default.nix

···

       60
        
       

     

       61
        
         pythonRelaxDeps = [

     

       62
        
           # Each component release requests the exact latest core.

     

       63
       -
           # That prevents us from updating individul components.

     

       64
        
           "langchain-core"

     

       65
        
           "numpy"

     

       66
        
           "tenacity"

···

       60
        
       

     

       61
        
         pythonRelaxDeps = [

     

       62
        
           # Each component release requests the exact latest core.

     

       63
       +
           # That prevents us from updating individual components.

     

       64
        
           "langchain-core"

     

       65
        
           "numpy"

     

       66
        
           "tenacity"

+1 -1

pkgs/development/python-modules/mpi-pytest/default.nix

···

       21
        
           hash = "sha256-r9UB5H+qAJc6k2SVAiOCI2yRDLNv2zKRmfrAan+cX9I=";

     

       22
        
         };

     

       23
        
       

     

       24
       -
         # A temporary fixup to support fork mode with openmpi implemention

     

       25
        
         # See https://github.com/firedrakeproject/mpi-pytest/pull/17

     

       26
        
         postPatch = lib.optionalString (mpi4py.mpi.pname == "openmpi") ''

     

       27
        
           substituteInPlace pytest_mpi/plugin.py \

···

       21
        
           hash = "sha256-r9UB5H+qAJc6k2SVAiOCI2yRDLNv2zKRmfrAan+cX9I=";

     

       22
        
         };

     

       23
        
       

     

       24
       +
         # A temporary fixup to support fork mode with openmpi implementation

     

       25
        
         # See https://github.com/firedrakeproject/mpi-pytest/pull/17

     

       26
        
         postPatch = lib.optionalString (mpi4py.mpi.pname == "openmpi") ''

     

       27
        
           substituteInPlace pytest_mpi/plugin.py \

+1 -1

pkgs/development/python-modules/piano-transcription-inference/default.nix

···

       68
        
         # Project has no tests.

     

       69
        
         # In order to make pythonImportsCheck work, NUMBA_CACHE_DIR env var need to

     

       70
        
         # be set to a writable dir (https://github.com/numba/numba/issues/4032#issuecomment-488102702).

     

       71
       -
         # pythonImportsCheck has no pre* hook, use checkPhase to wordaround that.

     

       72
        
         checkPhase = ''

     

       73
        
           export NUMBA_CACHE_DIR="$(mktemp -d)"

     

       74
        
         '';

···

       68
        
         # Project has no tests.

     

       69
        
         # In order to make pythonImportsCheck work, NUMBA_CACHE_DIR env var need to

     

       70
        
         # be set to a writable dir (https://github.com/numba/numba/issues/4032#issuecomment-488102702).

     

       71
       +
         # pythonImportsCheck has no pre* hook, use checkPhase to workaround that.

     

       72
        
         checkPhase = ''

     

       73
        
           export NUMBA_CACHE_DIR="$(mktemp -d)"

     

       74
        
         '';

+1 -1

pkgs/development/python-modules/pip/default.nix

···

       24
        
         tomli-w,

     

       25
        
         werkzeug,

     

       26
        
       

     

       27
       -
         # coupled downsteam dependencies

     

       28
        
         pip-tools,

     

       29
        
       }:

     

       30

···

       24
        
         tomli-w,

     

       25
        
         werkzeug,

     

       26
        
       

     

       27
       +
         # coupled downstream dependencies

     

       28
        
         pip-tools,

     

       29
        
       }:

     

       30

+1 -1

pkgs/development/python-modules/twisted/default.nix

···

       110
        
                   "MulticastTests.test_multiListen"

     

       111
        
                 ];

     

       112
        
                 "src/twisted/trial/test/test_script.py" = [

     

       113
       -
                   # Fails in LXC containers with less than all cores availaible (limits.cpu)

     

       114
        
                   "AutoJobsTests.test_cpuCount"

     

       115
        
                 ];

     

       116
        
                 "src/twisted/internet/test/test_unix.py" = [

···

       110
        
                   "MulticastTests.test_multiListen"

     

       111
        
                 ];

     

       112
        
                 "src/twisted/trial/test/test_script.py" = [

     

       113
       +
                   # Fails in LXC containers with less than all cores available (limits.cpu)

     

       114
        
                   "AutoJobsTests.test_cpuCount"

     

       115
        
                 ];

     

       116
        
                 "src/twisted/internet/test/test_unix.py" = [

+1 -1

pkgs/development/python-modules/yamllint/default.nix

···

       37
        
           [

     

       38
        
             # test failure reported upstream: https://github.com/adrienverge/yamllint/issues/373

     

       39
        
             "test_find_files_recursively"

     

       40
       -
             # Issue wih fixture

     

       41
        
             "test_codec_built_in_equivalent"

     

       42
        
           ]

     

       43
        
           ++ lib.optionals stdenv.hostPlatform.isDarwin [

···

       37
        
           [

     

       38
        
             # test failure reported upstream: https://github.com/adrienverge/yamllint/issues/373

     

       39
        
             "test_find_files_recursively"

     

       40
       +
             # Issue with fixture

     

       41
        
             "test_codec_built_in_equivalent"

     

       42
        
           ]

     

       43
        
           ++ lib.optionals stdenv.hostPlatform.isDarwin [

+1 -1

pkgs/development/tools/build-managers/bazel/bazel_6/default.nix

···

       241
        
           # guarantee that it will always run in any nix context.

     

       242
        
           #

     

       243
        
           # See also ./bazel_darwin_sandbox.patch in bazel_5. That patch uses

     

       244
       -
           # NIX_BUILD_TOP env var to conditionnally disable sleep features inside the

     

       245
        
           # sandbox.

     

       246
        
           #

     

       247
        
           # If you want to investigate the sandbox profile path,

···

       241
        
           # guarantee that it will always run in any nix context.

     

       242
        
           #

     

       243
        
           # See also ./bazel_darwin_sandbox.patch in bazel_5. That patch uses

     

       244
       +
           # NIX_BUILD_TOP env var to conditionally disable sleep features inside the

     

       245
        
           # sandbox.

     

       246
        
           #

     

       247
        
           # If you want to investigate the sandbox profile path,

+3 -3

pkgs/development/tools/build-managers/bazel/bazel_7/default.nix

···

       323
        
             # --{,tool_}java_runtime_version=local_jdk and rely on the fact no java

     

       324
        
             # toolchain registered by default uses the local_jdk, making the selection

     

       325
        
             # unambiguous.

     

       326
       -
             # This toolchain has the advantage that it can use any ambiant java jdk,

     

       327
        
             # not only a given, fixed version. It allows bazel to work correctly in any

     

       328
        
             # environment where JAVA_HOME is set to the right java version, like inside

     

       329
        
             # nix derivations.

     

       330
       -
             # However, this patch breaks bazel hermeticity, by picking the ambiant java

     

       331
        
             # version instead of the more hermetic remote_jdk prebuilt binaries that

     

       332
        
             # rules_java provide by default. It also requires the user to have a

     

       333
        
             # JAVA_HOME set to the exact version required by the project.

     
···

       347
        
             # guarantee that it will always run in any nix context.

     

       348
        
             #

     

       349
        
             # See also ./bazel_darwin_sandbox.patch in bazel_5. That patch uses

     

       350
       -
             # NIX_BUILD_TOP env var to conditionnally disable sleep features inside the

     

       351
        
             # sandbox.

     

       352
        
             #

     

       353
        
             # If you want to investigate the sandbox profile path,

···

       323
        
             # --{,tool_}java_runtime_version=local_jdk and rely on the fact no java

     

       324
        
             # toolchain registered by default uses the local_jdk, making the selection

     

       325
        
             # unambiguous.

     

       326
       +
             # This toolchain has the advantage that it can use any ambient java jdk,

     

       327
        
             # not only a given, fixed version. It allows bazel to work correctly in any

     

       328
        
             # environment where JAVA_HOME is set to the right java version, like inside

     

       329
        
             # nix derivations.

     

       330
       +
             # However, this patch breaks bazel hermeticity, by picking the ambient java

     

       331
        
             # version instead of the more hermetic remote_jdk prebuilt binaries that

     

       332
        
             # rules_java provide by default. It also requires the user to have a

     

       333
        
             # JAVA_HOME set to the exact version required by the project.

     
···

       347
        
             # guarantee that it will always run in any nix context.

     

       348
        
             #

     

       349
        
             # See also ./bazel_darwin_sandbox.patch in bazel_5. That patch uses

     

       350
       +
             # NIX_BUILD_TOP env var to conditionally disable sleep features inside the

     

       351
        
             # sandbox.

     

       352
        
             #

     

       353
        
             # If you want to investigate the sandbox profile path,

+2 -2

pkgs/servers/home-assistant/default.nix

···

       151
        
               ];

     

       152
        
             });

     

       153
        
       

     

       154
       -
             # Pinned due to home-assistant still needing 1.10.0 verison

     

       155
       -
             # Remove this when home-assistant upates the jellyfin-apiclient-python version

     

       156
        
             jellyfin-apiclient-python = super.jellyfin-apiclient-python.overridePythonAttrs (oldAttrs: rec {

     

       157
        
               version = "1.10.0";

     

       158
        
               src = fetchFromGitHub {

···

       151
        
               ];

     

       152
        
             });

     

       153
        
       

     

       154
       +
             # Pinned due to home-assistant still needing 1.10.0 version

     

       155
       +
             # Remove this when home-assistant updates the jellyfin-apiclient-python version

     

       156
        
             jellyfin-apiclient-python = super.jellyfin-apiclient-python.overridePythonAttrs (oldAttrs: rec {

     

       157
        
               version = "1.10.0";

     

       158
        
               src = fetchFromGitHub {

+1 -1

pkgs/stdenv/generic/check-meta.nix

···

       120
        
       

     

       121
        
         isMarkedInsecure = attrs: (attrs.meta.knownVulnerabilities or [ ]) != [ ];

     

       122
        
       

     

       123
       -
         # Alow granular checks to allow only some unfree packages

     

       124
        
         # Example:

     

       125
        
         # {pkgs, ...}:

     

       126
        
         # {

···

       120
        
       

     

       121
        
         isMarkedInsecure = attrs: (attrs.meta.knownVulnerabilities or [ ]) != [ ];

     

       122
        
       

     

       123
       +
         # Allow granular checks to allow only some unfree packages

     

       124
        
         # Example:

     

       125
        
         # {pkgs, ...}:

     

       126
        
         # {

+1 -1

pkgs/test/texlive/default.nix

···

       625
        
               "outocp"

     

       626
        
               "pmxab"

     

       627
        
       

     

       628
       -
               # GUI scripts that accept no argument or crash without a graphics server; please test manualy

     

       629
        
               "epspdftk"

     

       630
        
               "texdoctk"

     

       631
        
               "tlshell"

···

       625
        
               "outocp"

     

       626
        
               "pmxab"

     

       627
        
       

     

       628
       +
               # GUI scripts that accept no argument or crash without a graphics server; please test manually

     

       629
        
               "epspdftk"

     

       630
        
               "texdoctk"

     

       631
        
               "tlshell"

+6 -6

pkgs/top-level/all-packages.nix

···

       3658
        
       

     

       3659
        
         libhandy = callPackage ../development/libraries/libhandy { };

     

       3660
        
       

     

       3661
       -
         # Needed for apps that still depend on the unstable verison of the library (not libhandy-1)

     

       3662
        
         libhandy_0 = callPackage ../development/libraries/libhandy/0.x.nix { };

     

       3663
        
       

     

       3664
        
         libint = callPackage ../development/libraries/libint { };

     
···

       4853
        
       

     

       4854
        
         zbar = libsForQt5.callPackage ../tools/graphics/zbar { };

     

       4855
        
       

     

       4856
       -
         # Nvidia support does not require any propietary libraries, so CI can build it.

     

       4857
        
         # Note that when enabling this unconditionally, non-nvidia users will always have an empty "GPU" section.

     

       4858
        
         zenith-nvidia = zenith.override {

     

       4859
        
           nvidiaSupport = true;

     
···

       7057
        
         # host platform.

     

       7058
        
         #

     

       7059
        
         # Because this is the *next* stages choice, it's a bit non-modular to put

     

       7060
       -
         # here. In theory, bootstraping is supposed to not be a chain but at tree,

     

       7061
        
         # where each stage supports many "successor" stages, like multiple possible

     

       7062
        
         # futures. We don't have a better alternative, but with this downside in

     

       7063
        
         # mind, please be judicious when using this attribute. E.g. for building

     
···

       8209
        
           stdenv = stdenvNoLibc;

     

       8210
        
         };

     

       8211
        
       

     

       8212
       -
         # These are used when buiding compiler-rt / libgcc, prior to building libc.

     

       8213
        
         preLibcCrossHeaders =

     

       8214
        
           let

     

       8215
        
             inherit (stdenv.targetPlatform) libc;

     
···

       10575
        
       

     

       10576
        
         nginxModules = recurseIntoAttrs (callPackage ../servers/http/nginx/modules.nix { });

     

       10577
        
       

     

       10578
       -
         # We should move to dynmaic modules and create a nginxFull package with all modules

     

       10579
        
         nginxShibboleth = nginxStable.override {

     

       10580
        
           modules = [

     

       10581
        
             nginxModules.rtmp

     
···

       13703
        
           jdk = jdk17;

     

       13704
        
         };

     

       13705
        
       

     

       13706
       -
         # perhaps there are better apps for this task? It's how I had configured my preivous system.

     

       13707
        
         # And I don't want to rewrite all rules

     

       13708
        
         profanity = callPackage ../applications/networking/instant-messengers/profanity (

     

       13709
        
           {

···

       3658
        
       

     

       3659
        
         libhandy = callPackage ../development/libraries/libhandy { };

     

       3660
        
       

     

       3661
       +
         # Needed for apps that still depend on the unstable version of the library (not libhandy-1)

     

       3662
        
         libhandy_0 = callPackage ../development/libraries/libhandy/0.x.nix { };

     

       3663
        
       

     

       3664
        
         libint = callPackage ../development/libraries/libint { };

     
···

       4853
        
       

     

       4854
        
         zbar = libsForQt5.callPackage ../tools/graphics/zbar { };

     

       4855
        
       

     

       4856
       +
         # Nvidia support does not require any proprietary libraries, so CI can build it.

     

       4857
        
         # Note that when enabling this unconditionally, non-nvidia users will always have an empty "GPU" section.

     

       4858
        
         zenith-nvidia = zenith.override {

     

       4859
        
           nvidiaSupport = true;

     
···

       7057
        
         # host platform.

     

       7058
        
         #

     

       7059
        
         # Because this is the *next* stages choice, it's a bit non-modular to put

     

       7060
       +
         # here. In theory, bootstrapping is supposed to not be a chain but at tree,

     

       7061
        
         # where each stage supports many "successor" stages, like multiple possible

     

       7062
        
         # futures. We don't have a better alternative, but with this downside in

     

       7063
        
         # mind, please be judicious when using this attribute. E.g. for building

     
···

       8209
        
           stdenv = stdenvNoLibc;

     

       8210
        
         };

     

       8211
        
       

     

       8212
       +
         # These are used when building compiler-rt / libgcc, prior to building libc.

     

       8213
        
         preLibcCrossHeaders =

     

       8214
        
           let

     

       8215
        
             inherit (stdenv.targetPlatform) libc;

     
···

       10575
        
       

     

       10576
        
         nginxModules = recurseIntoAttrs (callPackage ../servers/http/nginx/modules.nix { });

     

       10577
        
       

     

       10578
       +
         # We should move to dynamic modules and create a nginxFull package with all modules

     

       10579
        
         nginxShibboleth = nginxStable.override {

     

       10580
        
           modules = [

     

       10581
        
             nginxModules.rtmp

     
···

       13703
        
           jdk = jdk17;

     

       13704
        
         };

     

       13705
        
       

     

       13706
       +
         # perhaps there are better apps for this task? It's how I had configured my previous system.

     

       13707
        
         # And I don't want to rewrite all rules

     

       13708
        
         profanity = callPackage ../applications/networking/instant-messengers/profanity (

     

       13709
        
           {

+1 -1

pkgs/top-level/stage.nix

···

       328
        
       

     

       329
        
         # The complete chain of package set builders, applied from top to bottom.

     

       330
        
         # stdenvOverlays must be last as it brings package forward from the

     

       331
       -
         # previous bootstrapping phases which have already been overlayed.

     

       332
        
         toFix = lib.foldl' (lib.flip lib.extends) (self: { }) (

     

       333
        
           [

     

       334
        
             stdenvBootstappingAndPlatforms

···

       328
        
       

     

       329
        
         # The complete chain of package set builders, applied from top to bottom.

     

       330
        
         # stdenvOverlays must be last as it brings package forward from the

     

       331
       +
         # previous bootstrapping phases which have already been overlaid.

     

       332
        
         toFix = lib.foldl' (lib.flip lib.extends) (self: { }) (

     

       333
        
           [

     

       334
        
             stdenvBootstappingAndPlatforms