Merge master into staging-next

nixos/doc/manual/from_md/release-notes/rl-2111.section.xml

@@ -99,7 +99,15 @@
         <para>
           <link xlink:href="https://github.com/xrelkd/clipcat/">clipcat</link>,
           an X11 clipboard manager written in Rust. Available at
-          [services.clipcat](options.html#o pt-services.clipcat.enable).
+          <link xlink:href="options.html#opt-services.clipcat.enable">services.clipcat</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/dexidp/dex">dex</link>,
+          an OpenID Connect (OIDC) identity and OAuth 2.0 provider.
+          Available at
+          <link xlink:href="options.html#opt-services.dex.enable">services.dex</link>.
         </para>
       </listitem>
       <listitem>

nixos/doc/manual/release-notes/rl-2111.section.md

@@ -32,8 +32,9 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [btrbk](https://digint.ch/btrbk/index.html), a backup tool for btrfs subvolumes, taking advantage of btrfs specific capabilities to create atomic snapshots and transfer them incrementally to your backup locations. Available as [services.btrbk](options.html#opt-services.brtbk.instances).
 
-- [clipcat](https://github.com/xrelkd/clipcat/), an X11 clipboard manager written in Rust. Available at [services.clipcat](options.html#o
-  pt-services.clipcat.enable).
+- [clipcat](https://github.com/xrelkd/clipcat/), an X11 clipboard manager written in Rust. Available at [services.clipcat](options.html#opt-services.clipcat.enable).
+
+- [dex](https://github.com/dexidp/dex), an OpenID Connect (OIDC) identity and OAuth 2.0 provider. Available at [services.dex](options.html#opt-services.dex.enable).
 
 - [geoipupdate](https://github.com/maxmind/geoipupdate), a GeoIP database updater from MaxMind. Available as [services.geoipupdate](options.html#opt-services.geoipupdate.enable).
 

nixos/modules/module-list.nix

@@ -963,6 +963,7 @@
   ./services/web-apps/calibre-web.nix
   ./services/web-apps/convos.nix
   ./services/web-apps/cryptpad.nix
+  ./services/web-apps/dex.nix
   ./services/web-apps/discourse.nix
   ./services/web-apps/documize.nix
   ./services/web-apps/dokuwiki.nix

nixos/modules/services/web-apps/dex.nix

@@ -0,0 +1,115 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.dex;
+  fixClient = client: if client ? secretFile then ((builtins.removeAttrs client [ "secretFile" ]) // { secret = client.secretFile; }) else client;
+  filteredSettings = mapAttrs (n: v: if n == "staticClients" then (builtins.map fixClient v) else v) cfg.settings;
+  secretFiles = flatten (builtins.map (c: if c ? secretFile then [ c.secretFile ] else []) (cfg.settings.staticClients or []));
+
+  settingsFormat = pkgs.formats.yaml {};
+  configFile = settingsFormat.generate "config.yaml" filteredSettings;
+
+  startPreScript = pkgs.writeShellScript "dex-start-pre" (''
+  '' + (concatStringsSep "\n" (builtins.map (file: ''
+    ${pkgs.replace-secret}/bin/replace-secret '${file}' '${file}' /run/dex/config.yaml
+  '') secretFiles)));
+in
+{
+  options.services.dex = {
+    enable = mkEnableOption "the OpenID Connect and OAuth2 identity provider";
+
+    settings = mkOption {
+      type = settingsFormat.type;
+      default = {};
+      example = literalExample ''
+        {
+          # External url
+          issuer = "http://127.0.0.1:5556/dex";
+          storage = {
+            type = "postgres";
+            config.host = "/var/run/postgres";
+          };
+          web = {
+            http = "127.0.0.1:5556";
+          };
+          enablePasswordDB = true;
+          staticClients = [
+            {
+              id = "oidcclient";
+              name = "Client";
+              redirectURIs = [ "https://example.com/callback" ];
+              secretFile = "/etc/dex/oidcclient"; # The content of `secretFile` will be written into to the config as `secret`.
+            }
+          ];
+        }
+      '';
+      description = ''
+        The available options can be found in
+        <link xlink:href="https://github.com/dexidp/dex/blob/v${pkgs.dex.version}/config.yaml.dist">the example configuration</link>.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.dex = {
+      description = "dex identity provider";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "networking.target" ] ++ (optional (cfg.settings.storage.type == "postgres") "postgresql.service");
+
+      serviceConfig = {
+        ExecStart = "${pkgs.dex-oidc}/bin/dex serve /run/dex/config.yaml";
+        ExecStartPre = [
+          "${pkgs.coreutils}/bin/install -m 600 ${configFile} /run/dex/config.yaml"
+          "+${startPreScript}"
+        ];
+        RuntimeDirectory = "dex";
+
+        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+        BindReadOnlyPaths = [
+          "/nix/store"
+          "-/etc/resolv.conf"
+          "-/etc/nsswitch.conf"
+          "-/etc/hosts"
+          "-/etc/localtime"
+          "-/etc/dex"
+        ];
+        BindPaths = optional (cfg.settings.storage.type == "postgres") "/var/run/postgresql";
+        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
+        # ProtectClock= adds DeviceAllow=char-rtc r
+        DeviceAllow = "";
+        DynamicUser = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        # Port needs to be exposed to the host network
+        #PrivateNetwork = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        # Would re-mount paths ignored by temporary root
+        #ProtectSystem = "strict";
+        ProtectControlGroups = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
+        TemporaryFileSystem = "/:ro";
+        # Does not work well with the temporary root
+        #UMask = "0066";
+      };
+    };
+  };
+}

nixos/tests/all-tests.nix

@@ -97,6 +97,7 @@ in
   cryptpad = handleTest ./cryptpad.nix {};
   deluge = handleTest ./deluge.nix {};
   dendrite = handleTest ./dendrite.nix {};
+  dex-oidc = handleTest ./dex-oidc.nix {};
   dhparams = handleTest ./dhparams.nix {};
   disable-installer-tools = handleTest ./disable-installer-tools.nix {};
   discourse = handleTest ./discourse.nix {};

nixos/tests/dex-oidc.nix

@@ -0,0 +1,78 @@
+import ./make-test-python.nix ({ lib, ... }: {
+  name = "dex-oidc";
+  meta.maintainers = with lib.maintainers; [ Flakebi ];
+
+  nodes.machine = { pkgs, ... }: {
+    environment.systemPackages = with pkgs; [ jq ];
+    services.dex = {
+      enable = true;
+      settings = {
+        issuer = "http://127.0.0.1:8080/dex";
+        storage = {
+          type = "postgres";
+          config.host = "/var/run/postgresql";
+        };
+        web.http = "127.0.0.1:8080";
+        oauth2.skipApprovalScreen = true;
+        staticClients = [
+          {
+            id = "oidcclient";
+            name = "Client";
+            redirectURIs = [ "https://example.com/callback" ];
+            secretFile = "/etc/dex/oidcclient";
+          }
+        ];
+        connectors = [
+          {
+            type = "mockPassword";
+            id = "mock";
+            name = "Example";
+            config = {
+              username = "admin";
+              password = "password";
+            };
+          }
+        ];
+      };
+    };
+
+    # This should not be set from nix but through other means to not leak the secret.
+    environment.etc."dex/oidcclient" = {
+      mode = "0400";
+      user = "dex";
+      text = "oidcclientsecret";
+    };
+
+    services.postgresql = {
+      enable = true;
+      ensureDatabases =[ "dex" ];
+      ensureUsers = [
+        {
+          name = "dex";
+          ensurePermissions = { "DATABASE dex" = "ALL PRIVILEGES"; };
+        }
+      ];
+    };
+  };
+
+  testScript = ''
+    with subtest("Web server gets ready"):
+        machine.wait_for_unit("dex.service")
+        # Wait until server accepts connections
+        machine.wait_until_succeeds("curl -fs 'localhost:8080/dex/auth/mock?client_id=oidcclient&response_type=code&redirect_uri=https://example.com/callback&scope=openid'")
+
+    with subtest("Login"):
+        state = machine.succeed("curl -fs 'localhost:8080/dex/auth/mock?client_id=oidcclient&response_type=code&redirect_uri=https://example.com/callback&scope=openid' | sed -n 's/.*state=\\(.*\\)\">.*/\\1/p'").strip()
+        print(f"Got state {state}")
+        machine.succeed(f"curl -fs 'localhost:8080/dex/auth/mock/login?back=&state={state}' -d 'login=admin&password=password'")
+        code = machine.succeed(f"curl -fs localhost:8080/dex/approval?req={state} | sed -n 's/.*code=\\(.*\\)&.*/\\1/p'").strip()
+        print(f"Got approval code {code}")
+        bearer = machine.succeed(f"curl -fs localhost:8080/dex/token -u oidcclient:oidcclientsecret -d 'grant_type=authorization_code&redirect_uri=https://example.com/callback&code={code}' | jq .access_token -r").strip()
+        print(f"Got access token {bearer}")
+
+    with subtest("Get userinfo"):
+        assert '"sub"' in machine.succeed(
+            f"curl -fs localhost:8080/dex/userinfo --oauth2-bearer {bearer}"
+        )
+  '';
+})

pkgs/applications/science/math/sage/threejs-sage.nix

@@ -12,7 +12,8 @@ stdenv.mkDerivation rec {
   };
 
   installPhase = ''
-    mkdir -p $out/lib/node_modules/three
-    cp -r build version $out/lib/node_modules/three
+    mkdir -p "$out/lib/node_modules/three/"
+    cp version "$out/lib/node_modules/three"
+    cp -r build "$out/lib/node_modules/three/$(cat version)"
   '';
 }

pkgs/development/embedded/openocd/default.nix

@@ -5,6 +5,7 @@
 , hidapi
 , libftdi1
 , libusb1
+, libgpiod
 }:
 
 stdenv.mkDerivation rec {
@@ -17,7 +18,7 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ pkg-config ];
 
-  buildInputs = [ hidapi libftdi1 libusb1 ];
+  buildInputs = [ hidapi libftdi1 libusb1 libgpiod ];
 
   configureFlags = [
     "--enable-jtag_vpi"
@@ -29,6 +30,7 @@ stdenv.mkDerivation rec {
     (lib.enableFeature (! stdenv.isDarwin) "oocd_trace")
     "--enable-buspirate"
     (lib.enableFeature stdenv.isLinux "sysfsgpio")
+    (lib.enableFeature stdenv.isLinux "linuxgpiod")
     "--enable-remote-bitbang"
   ];
 

pkgs/development/python-modules/awslambdaric/default.nix

@@ -1,5 +1,17 @@
-{ lib, buildPythonPackage, fetchFromGitHub, isPy27, pytestCheckHook, autoconf
-, automake, cmake, gcc, libtool, perl, simplejson }:
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, fetchpatch
+, isPy27
+, pytestCheckHook
+, autoconf
+, automake
+, cmake
+, gcc
+, libtool
+, perl
+, simplejson
+}:
 
 buildPythonPackage rec {
   pname = "awslambdaric";
@@ -13,6 +25,14 @@ buildPythonPackage rec {
     sha256 = "1r4b4w5xhf6p4vs7yx89kighlqim9f96v2ryknmrnmblgr4kg0h1";
   };
 
+  patches = [
+    (fetchpatch {
+      # https://github.com/aws/aws-lambda-python-runtime-interface-client/pull/58
+      url = "https://github.com/aws/aws-lambda-python-runtime-interface-client/commit/162c3c0051bb9daa92e4a2a4af7e90aea60ee405.patch";
+      sha256 = "09qqq5x6npc9jw2qbhzifqn5sqiby4smiin1aw30psmlp21fv7j8";
+    })
+  ];
+
   postPatch = ''
     substituteInPlace requirements/base.txt \
       --replace 'simplejson==3' 'simplejson~=3'

pkgs/development/python-modules/google-cloud-container/default.nix

@@ -12,11 +12,11 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-container";
-  version = "2.7.1";
+  version = "2.8.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-nMUMGFU383TC7cXkj6EHaEe4HHS5NzcLBIxp1xgWUzg=";
+    sha256 = "f58192b534b5324c874547835808ed7d5c116e986f07e57b27b0ac5e12baddca";
   };
 
   propagatedBuildInputs = [ google-api-core grpc-google-iam-v1 libcst proto-plus ];

pkgs/development/python-modules/google-cloud-firestore/default.nix

@@ -13,11 +13,11 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-firestore";
-  version = "2.3.2";
+  version = "2.3.3";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "6e2eb65ccd75c6579214fb2099cfb98c57b2b4907ccb38a2ed21f00f492b7a50";
+    sha256 = "ef7572cbc83412dbc9cadd95962e77bfa9962a5cb030706638a4aafa7cad84aa";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/google-cloud-iam/default.nix

@@ -12,12 +12,12 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-iam";
-  version = "2.3.1";
+  version = "2.3.2";
   disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "166pcra1x8lisgf7cla4vq97qpc1hrpwnvlj1sza1igny2m59w5i";
+    sha256 = "c59ceebe2ff5d45a7367ddbe1a702bbbb010d6d3423d278797835d59e885fa50";
   };
 
   propagatedBuildInputs = [ google-api-core libcst proto-plus ];

pkgs/development/python-modules/google-cloud-iot/default.nix

@@ -12,11 +12,11 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-iot";
-  version = "2.2.1";
+  version = "2.3.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-vMzq4ffA7877zRtdZ+VpFdEHU0BZhDdhgxuk5154hMU=";
+    sha256 = "cb31a864be75c47880748b6c81f0c57cbce190a87e402ce32b2b772be2dba5fa";
   };
 
   propagatedBuildInputs = [ grpc-google-iam-v1 google-api-core libcst proto-plus ];

pkgs/development/python-modules/google-cloud-os-config/default.nix

@@ -2,11 +2,11 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-os-config";
-  version = "1.5.0";
+  version = "1.5.1";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "69764c406c8e1a95b66a84c042b7023c13eaef3bf79e493e60edd9ce62e8f2e4";
+    sha256 = "4dc498d6fede223049c415f301ba1129ecaf628f31a77ae87d2678e6d71556f6";
   };
 
   propagatedBuildInputs = [ google-api-core libcst proto-plus ];

pkgs/development/python-modules/google-cloud-speech/default.nix

@@ -11,11 +11,11 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-speech";
-  version = "2.9.0";
+  version = "2.9.1";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "2368beb60e5cdeb6db527509cdcc8fc1156eddfc0c73da8f62d60658a551eee1";
+    sha256 = "321a11863124d2fba73c519594d5a8803650f1f4323b08b9de3d096e536e98c1";
   };
 
   propagatedBuildInputs = [ libcst google-api-core proto-plus ];

pkgs/development/python-modules/google-cloud-tasks/default.nix

@@ -12,11 +12,11 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-tasks";
-  version = "2.5.1";
+  version = "2.5.2";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-4QOKG7Forf3x5l1XQbbX4A8upIxe+eCiwhPily26du4=";
+    sha256 = "af870971187b3d58fc87a81323cabec1628fac910c6af82076dd6270b111f17e";
   };
 
   propagatedBuildInputs = [ google-api-core grpc-google-iam-v1 libcst proto-plus ];

pkgs/development/python-modules/pyflexit/default.nix

@@ -0,0 +1,32 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, pythonOlder
+}:
+
+buildPythonPackage rec {
+  pname = "pyflexit";
+  version = "0.3";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.6";
+
+  src = fetchFromGitHub {
+    owner = "Sabesto";
+    repo = pname;
+    rev = version;
+    sha256 = "1ajlqr3z6zj4fyslqzpwpfkvh8xjx94wsznzij0vx0q7jp43bqig";
+  };
+
+  # Project has no tests
+  doCheck = false;
+
+  pythonImportsCheck = [ "pyflexit" ];
+
+  meta = with lib; {
+    description = "Python library for Flexit A/C units";
+    homepage = "https://github.com/Sabesto/pyflexit";
+    license = with licenses; [ mit ];
+    maintainers = with maintainers; [ fab ];
+  };
+}

pkgs/development/python-modules/pypoolstation/default.nix

@@ -0,0 +1,41 @@
+{ lib
+, aiohttp
+, buildPythonPackage
+, fetchPypi
+, poetry-core
+, pythonOlder
+}:
+
+buildPythonPackage rec {
+  pname = "pypoolstation";
+  version = "0.4.0";
+  format = "pyproject";
+
+  disabled = pythonOlder "3.7";
+
+  src = fetchPypi {
+    pname = "PyPoolstation";
+    inherit version;
+    sha256 = "0qacrjv3qybgx052i8jqs4il3k2g0cdhjcn2lqapv87iqyp287k0";
+  };
+
+  nativeBuildInputs = [
+    poetry-core
+  ];
+
+  propagatedBuildInputs = [
+    aiohttp
+  ];
+
+  # Project has no tests
+  doCheck = false;
+
+  pythonImportsCheck = [ "pypoolstation" ];
+
+  meta = with lib; {
+    description = "Python library to interact the the Poolstation platform";
+    homepage = "https://github.com/cibernox/PyPoolstation";
+    license = licenses.mit;
+    maintainers = with maintainers; [ fab ];
+  };
+}

pkgs/development/python-modules/python-owasp-zap-v2-4/default.nix

@@ -0,0 +1,41 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, pyhamcrest
+, pytestCheckHook
+, requests
+, requests-mock
+, six
+}:
+
+buildPythonPackage rec {
+  pname = "python-owasp-zap-v2-4";
+  version = "0.0.18";
+
+  src = fetchFromGitHub {
+    owner = "zaproxy";
+    repo = "zap-api-python";
+    rev = version;
+    sha256 = "0b46m9s0vwaaq8vhiqspdr2ns9qdw65fnjh8mf58gjinlsd27ygk";
+  };
+
+  propagatedBuildInputs = [
+    requests
+    six
+  ];
+
+  checkInputs = [
+    pyhamcrest
+    pytestCheckHook
+    requests-mock
+  ];
+
+  pythonImportsCheck = [ "zapv2" ];
+
+  meta = with lib; {
+    description = "Python library to access the OWASP ZAP API";
+    homepage = "https://github.com/zaproxy/zap-api-python";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ fab ];
+  };
+}

pkgs/development/python-modules/scikit-fmm/default.nix

@@ -7,11 +7,11 @@
 
 buildPythonPackage rec {
   pname = "scikit-fmm";
-  version = "2021.7.8";
+  version = "2021.9.23";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "f931a2600e7f0824ac51ebde86ee40295146cc1ad5f88fdc208b0a12fcb2ddb3";
+    sha256 = "94808e6d747143cc9d50aa946cf5b1e61dbd4d8bc6229a7a5f57db6cedf38a47";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/scikit-hep-testdata/default.nix

@@ -11,7 +11,7 @@
 
 buildPythonPackage rec {
   pname = "scikit-hep-testdata";
-  version = "0.4.8";
+  version = "0.4.9";
   format = "pyproject";
 
   # fetch from github as we want the data files
@@ -20,7 +20,7 @@ buildPythonPackage rec {
     owner = "scikit-hep";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0x5p42c9iqwdx15gdvccddlx4a5a8aix7h01345afrlgpnnpqcv4";
+    sha256 = "0y70nx94y2qf0zmaqjq4ljld31jh277ica0j4c3ck2ph7jrs5pg0";
   };
 
   nativeBuildInputs = [

pkgs/development/python-modules/thrift/default.nix

@@ -6,11 +6,11 @@
 
 buildPythonPackage rec {
   pname = "thrift";
-  version = "0.13.0";
+  version = "0.15.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "9af1c86bf73433afc6010ed376a6c6aca2b54099cc0d61895f640870a9ae7d89";
+    sha256 = "87c8205a71cf8bbb111cb99b1f7495070fbc9cabb671669568854210da5b3e29";
   };
 
   propagatedBuildInputs = [ six ];
@@ -18,11 +18,12 @@ buildPythonPackage rec {
   # No tests. Breaks when not disabling.
   doCheck = false;
 
+  pythonImportsCheck = [ "thrift" ];
+
   meta = with lib; {
     description = "Python bindings for the Apache Thrift RPC system";
-    homepage = "http://thrift.apache.org/";
+    homepage = "https://thrift.apache.org/";
     license = licenses.asl20;
     maintainers = with maintainers; [ hbunke ];
   };
-
 }

pkgs/development/tools/selenium/chromedriver/default.nix

@@ -1,7 +1,8 @@
 { lib, stdenv, fetchurl, unzip, makeWrapper
 , cairo, fontconfig, freetype, gdk-pixbuf, glib
 , glibc, gtk2, libX11, nspr, nss, pango, gconf
-, libxcb, libXi, libXrender, libXext
+, libxcb, libXi, libXrender, libXext, dbus
+, testVersion, chromedriver
 }:
 
 let
@@ -27,6 +28,7 @@ let
     gdk-pixbuf glib gtk2 gconf
     libX11 nspr nss pango libXrender
     gconf libxcb libXext libXi
+    dbus
   ];
 
 in stdenv.mkDerivation rec {
@@ -46,9 +48,11 @@ in stdenv.mkDerivation rec {
     install -m755 -D chromedriver $out/bin/chromedriver
   '' + lib.optionalString (!stdenv.isDarwin) ''
     patchelf --set-interpreter ${glibc.out}/lib/ld-linux-x86-64.so.2 $out/bin/chromedriver
-    wrapProgram "$out/bin/chromedriver" --prefix LD_LIBRARY_PATH : "${libs}:\$LD_LIBRARY_PATH"
+    wrapProgram "$out/bin/chromedriver" --prefix LD_LIBRARY_PATH : "${libs}"
   '';
 
+  passthru.tests.version = testVersion { package = chromedriver; };
+
   meta = with lib; {
     homepage = "https://chromedriver.chromium.org/";
     description = "A WebDriver server for running Selenium tests on Chrome";

pkgs/development/tools/taplo-lsp/default.nix

@@ -2,14 +2,14 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "taplo-lsp";
-  version = "0.2.5";
+  version = "0.2.6";
 
   src = fetchCrate {
     inherit pname version;
-    sha256 = "0a8y2fdkflc7lq0q40j7dr80hbj56bbsc585isbd7lk6xavg7cvi";
+    sha256 = "sha256-jd4l9iTCeHnUa/GC13paD3zDiCZBk9VgEbCDsOs/Xq4=";
   };
 
-  cargoSha256 = "133p5kmcfq5ksrri2f8jvnc1ljmsczq49gh3k0gmgby45yvy6xa1";
+  cargoSha256 = "sha256-zQ303JFqnbulkWL4t5+fRWijaY9zd9tLKvrvdUEvKpY=";
 
   # excludes test_tcp since it fails
   cargoTestFlags = [ "test_stdio" ];

pkgs/misc/emulators/melonDS/default.nix

@@ -26,12 +26,13 @@ mkDerivation rec {
   buildInputs = [
     epoxy
     libarchive
-    libpcap
     libslirp
     qtbase
     SDL2
   ];
 
+  qtWrapperArgs = [ "--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ libpcap ]}" ];
+
   meta = with lib; {
     homepage = "http://melonds.kuribo64.net/";
     description = "Work in progress Nintendo DS emulator";

pkgs/servers/dex/default.nix

@@ -1,17 +1,17 @@
-{ lib, buildGoModule, fetchFromGitHub }:
+{ lib, buildGoModule, fetchFromGitHub, nixosTests }:
 
 buildGoModule rec {
   pname = "dex";
-  version = "2.28.1";
+  version = "2.30.0";
 
   src = fetchFromGitHub {
     owner = "dexidp";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-MdrkQ4qclylkan8y845BjLiL+W16iqRuNMmvWsKo+zw=";
+    sha256 = "sha256-Z/X9Db57eNUJdjzLCJNIW3lCRw05JP2TQ43PqKO6CiI=";
   };
 
-  vendorSha256 = "sha256-rAqqvnP72BQY/qbSvqNzxh2ZUlF/rP0MR/+yqJai+KY=";
+  vendorSha256 = "sha256-ksN/1boBQVhevlDseVZsGUWL+Bwy4AMgGNdOPgsNNxk=";
 
   subPackages = [
     "cmd/dex"
@@ -26,6 +26,8 @@ buildGoModule rec {
     cp -r $src/web $out/share/web
   '';
 
+  passthru.tests = { inherit (nixosTests) dex-oidc; };
+
   meta = with lib; {
     description = "OpenID Connect and OAuth2 identity provider with pluggable connectors";
     homepage = "https://github.com/dexidp/dex";

pkgs/servers/http/openresty/default.nix

@@ -8,12 +8,12 @@
 
 callPackage ../nginx/generic.nix args rec {
   pname = "openresty";
-  nginxVersion = "1.19.3";
-  version = "${nginxVersion}.2";
+  nginxVersion = "1.19.9";
+  version = "${nginxVersion}.1";
 
   src = fetchurl {
     url = "https://openresty.org/download/openresty-${version}.tar.gz";
-    sha256 = "1fav3qykckqcyw9ksi8s61prpwab44zbcvj95rwfpfqgk5jffh6f";
+    sha256 = "1xn1d0x2y63z0mi0qq3js6lz6ziba92r7vyyfkj1qc738vjz8vsp";
   };
 
   # generic.nix applies fixPatch on top of every patch defined there.  This

pkgs/servers/roon-bridge/default.nix

@@ -15,20 +15,20 @@ stdenv.mkDerivation rec {
   pname = "roon-bridge";
   version = "1.8-814";
 
-  # N.B. The URL is unstable. I've asked for them to provide a stable URL but
-  # they have ignored me. If this package fails to build for you, you may need
-  # to update the version and sha256.
-  # c.f. https://community.roonlabs.com/t/latest-roon-server-is-not-available-for-download-on-nixos/118129
-  src = {
-    x86_64-linux = fetchurl {
-      url = "https://web.archive.org/web/20210729154257/http://download.roonlabs.com/builds/RoonBridge_linuxx64.tar.bz2";
-      sha256 = "sha256-dersaP/8qkl9k81FrgMieB0P4nKmDwjLW5poqKhEn7A=";
-    };
-    aarch64-linux = fetchurl {
-      url = "https://web.archive.org/web/20210803071334/http://download.roonlabs.com/builds/RoonBridge_linuxarmv8.tar.bz2";
-      sha256 = "sha256-zZj7PkLUYYHo3dngqErv1RqynSXi6/D5VPZWfrppX5U=";
-    };
-  }.${system} or throwSystem;
+  src =
+    let
+      urlVersion = builtins.replaceStrings [ "." "-" ] [ "00" "00" ] version;
+    in
+      {
+        x86_64-linux = fetchurl {
+          url = "http://download.roonlabs.com/builds/RoonBridge_linuxx64_${urlVersion}.tar.bz2";
+          sha256 = "sha256-dersaP/8qkl9k81FrgMieB0P4nKmDwjLW5poqKhEn7A=";
+        };
+        aarch64-linux = fetchurl {
+          url = "http://download.roonlabs.com/builds/RoonBridge_linuxarmv8_${urlVersion}.tar.bz2";
+          sha256 = "sha256-zZj7PkLUYYHo3dngqErv1RqynSXi6/D5VPZWfrppX5U=";
+        };
+      }.${system} or throwSystem;
 
   buildInputs = [
     alsa-lib
@@ -70,6 +70,6 @@ stdenv.mkDerivation rec {
     homepage = "https://roonlabs.com";
     license = licenses.unfree;
     maintainers = with maintainers; [ lovesegfault ];
-    platforms = platforms.linux;
+    platforms = [ "aarch64-linux" "x86_64-linux" ];
   };
 }

pkgs/servers/roon-server/default.nix

@@ -9,18 +9,19 @@
 , makeWrapper
 , stdenv
 , zlib
-}: stdenv.mkDerivation rec {
+}:
+stdenv.mkDerivation rec {
   pname = "roon-server";
   version = "1.8-831";
 
-  # N.B. The URL is unstable. I've asked for them to provide a stable URL but
-  # they have ignored me. If this package fails to build for you, you may need
-  # to update the version and sha256.
-  # c.f. https://community.roonlabs.com/t/latest-roon-server-is-not-available-for-download-on-nixos/118129
-  src = fetchurl {
-    url = "https://web.archive.org/web/20210921161727/http://download.roonlabs.com/builds/RoonServer_linuxx64.tar.bz2";
-    sha256 = "sha256-SeMSC7K6DV7rVr1w/SqMnLvipoWbypS/gJnSZmpfXZk=";
-  };
+  src =
+    let
+      urlVersion = builtins.replaceStrings [ "." "-" ] [ "00" "00" ] version;
+    in
+    fetchurl {
+      url = "http://download.roonlabs.com/builds/RoonServer_linuxx64_${urlVersion}.tar.bz2";
+      sha256 = "sha256-SeMSC7K6DV7rVr1w/SqMnLvipoWbypS/gJnSZmpfXZk=";
+    };
 
   buildInputs = [
     alsa-lib
@@ -68,6 +69,6 @@
     homepage = "https://roonlabs.com";
     license = licenses.unfree;
     maintainers = with maintainers; [ lovesegfault steell ];
-    platforms = platforms.linux;
+    platforms = [ "x86_64-linux" ];
   };
 }

pkgs/shells/powershell/default.nix

@@ -49,6 +49,10 @@ stdenv.mkDerivation rec {
   '' + lib.optionalString (!stdenv.isDarwin && !stdenv.isAarch64) ''
     patchelf --replace-needed libcrypto${ext}.1.0.0 libcrypto${ext}.1.1 $pslibs/libmi.so
     patchelf --replace-needed libssl${ext}.1.0.0 libssl${ext}.1.1 $pslibs/libmi.so
+  '' + lib.optionalString (!stdenv.isDarwin) ''
+    # Remove liblttng-ust from dependencies once
+    # https://github.com/PowerShell/PowerShell/pull/14688 is in a release
+    patchelf --replace-needed liblttng-ust${ext}.0 liblttng-ust${ext}.1 $pslibs/libcoreclrtraceptprovider.so
   '' + ''
 
     mkdir -p $out/bin
@@ -69,7 +73,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Powerful cross-platform (Windows, Linux, and macOS) shell and scripting language based on .NET";
     homepage = "https://github.com/PowerShell/PowerShell";
-    maintainers = with maintainers; [ yrashk srgom ];
+    maintainers = with maintainers; [ yrashk srgom p3psi ];
     platforms = [ "x86_64-darwin" "x86_64-linux" "aarch64-linux"];
     license = with licenses; [ mit ];
   };

pkgs/top-level/python-packages.nix

@@ -5561,6 +5561,8 @@ in {
 
   pyfireservicerota = callPackage ../development/python-modules/pyfireservicerota { };
 
+  pyflexit = callPackage ../development/python-modules/pyflexit { };
+
   pyflick = callPackage ../development/python-modules/pyflick { };
 
   pyfreedompro = callPackage ../development/python-modules/pyfreedompro { };
@@ -5587,6 +5589,8 @@ in {
 
   pypoint = callPackage ../development/python-modules/pypoint { };
 
+  pypoolstation = callPackage ../development/python-modules/pypoolstation { };
+
   pyrfxtrx = callPackage ../development/python-modules/pyrfxtrx { };
 
   pyrogram = callPackage ../development/python-modules/pyrogram { };
@@ -5627,6 +5631,8 @@ in {
 
   python-openzwave-mqtt = callPackage ../development/python-modules/python-openzwave-mqtt { };
 
+  python-owasp-zap-v2-4 = callPackage ../development/python-modules/python-owasp-zap-v2-4 { };
+
   python-songpal = callPackage ../development/python-modules/python-songpal { };
 
   python-swiftclient = callPackage ../development/python-modules/python-swiftclient { };