authorVincent Ambo <mail@tazj.in>2021-04-13T10·21+0200
committertazjin <mail@tazj.in>2021-05-25T17·09+0000
commit65be8f20e0508cb8f81a7b42a240ebb8a03d8a93 (patch)
treeda67033efba7be7e25c3ca87eb3cf30bb0695a6e
parentfb36bc321b593d4ab7ecba15d73a6eb959bddecc (diff)
chore(nixpkgs): Bump channels to 2021-05-25 r/2630
* users/grfn/system/home/yeren: remove obsolete awscli2 overrides

* ops: make new isSystemUser || isNormalUser assertion happy

* users/grfn/system/system/mugwump: make buildkite agents system users

* users/tazjin/nixos/camden: set isSystemUser = true for git

* users/tazjin/emacs: Remove missing & broken packages

* third_party/openldap: remove, as the argon2 module is now enabled upstream

* third_party/gerrit_plugins: Pinned new unstable hashes

* third_party/nix, third_party/grpc: Disabled CI as these are broken

* third_party/overlays/emacs: Bumped version to stay in sync with channel

* third_party/buzz: Update LIBCLANG_PATH to reference libclang.lib,
  since libclang's default output no longer contains libclang.so

* users/grfn/system/home: Install julia-stable instead of julia (which
  aliases to julia-lts), as the latter depends on an insecure version of
  libgit

Change-Id: Iff33b0ecb0ef07a82d1de35e23c40d2f4bf0f8ed
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3001
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: grfn <grfn@gws.fyi>
-rw-r--r--ops/machines/whitby/default.nix2
-rw-r--r--ops/modules/clbot.nix2
-rw-r--r--ops/modules/quassel.nix2
-rw-r--r--ops/modules/tvl-buildkite.nix1
-rw-r--r--ops/modules/tvl-slapd/default.nix13
-rw-r--r--ops/modules/tvl-sso/default.nix5
-rw-r--r--third_party/buzz/default.nix2
-rw-r--r--third_party/gerrit_plugins/default.nix4
-rw-r--r--third_party/gerrit_plugins/oauth/default.nix2
-rw-r--r--third_party/grpc/default.nix5
-rw-r--r--third_party/nix/default.nix3
-rw-r--r--third_party/nixpkgs/default.nix12
-rw-r--r--third_party/openldap/default.nix27
-rw-r--r--third_party/overlays/emacs.nix6
-rw-r--r--tools/hash-password.nix4
-rw-r--r--users/grfn/system/home/machines/yeren.nix11
-rw-r--r--users/grfn/system/home/modules/development.nix2
-rw-r--r--users/grfn/system/system/machines/mugwump.nix10
-rw-r--r--users/tazjin/emacs/default.nix4
-rw-r--r--users/tazjin/nixos/camden/default.nix2
20 files changed, 44 insertions, 75 deletions
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 3dd081f4cf..6d338c369f 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -595,7 +595,7 @@ in {
     groups.git = {};
     users.git = {
       group = "git";
-      isNormalUser = false;
+      isSystemUser = true;
       createHome = true;
       home = "/var/lib/git";
     };
diff --git a/ops/modules/clbot.nix b/ops/modules/clbot.nix
index ad33e25a4d..71ff2fbc32 100644
--- a/ops/modules/clbot.nix
+++ b/ops/modules/clbot.nix
@@ -66,7 +66,7 @@ in {
 
       users.clbot = {
         group = "clbot";
-        isNormalUser = false;
+        isSystemUser = true;
       };
     };
 
diff --git a/ops/modules/quassel.nix b/ops/modules/quassel.nix
index df26a39455..9c8692629a 100644
--- a/ops/modules/quassel.nix
+++ b/ops/modules/quassel.nix
@@ -66,7 +66,7 @@ in {
 
     users = {
       users.quassel = {
-        isNormalUser = false;
+        isSystemUser = true;
         group = "quassel";
       };
 
diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix
index 2aa3b81811..05a5e9b5e7 100644
--- a/ops/modules/tvl-buildkite.nix
+++ b/ops/modules/tvl-buildkite.nix
@@ -39,6 +39,7 @@ in {
       users = builtins.listToAttrs (map (n: rec {
         name = "buildkite-agent-whitby-${toString n}";
         value = {
+          isSystemUser = true;
           group = lib.mkForce "buildkite-agents";
           extraGroups = [ name ];
         };
diff --git a/ops/modules/tvl-slapd/default.nix b/ops/modules/tvl-slapd/default.nix
index cbfdeff31e..dbcf139338 100644
--- a/ops/modules/tvl-slapd/default.nix
+++ b/ops/modules/tvl-slapd/default.nix
@@ -27,17 +27,6 @@ let
   inherit (depot.ops) users;
 
 in {
-  # Use our patched OpenLDAP derivation which enables stronger password hashing.
-  #
-  # Unfortunately the module for OpenLDAP has no package option, so we
-  # need to override it system-wide. Be aware that this triggers a
-  # *large* number of rebuilds of packages such as GPG and Python.
-  nixpkgs.overlays = [
-    (_: _: {
-      inherit (depot.third_party) openldap;
-    })
-  ];
-
   services.openldap = {
     enable = true;
 
@@ -58,7 +47,7 @@ in {
       };
 
       "cn=schema".includes =
-        map (schema: "${depot.third_party.openldap}/etc/schema/${schema}.ldif")
+        map (schema: "${pkgs.openldap}/etc/schema/${schema}.ldif")
             [ "core" "cosine" "inetorgperson" "nis" ];
     };
 
diff --git a/ops/modules/tvl-sso/default.nix b/ops/modules/tvl-sso/default.nix
index 8e33c708b7..d026c1e7c9 100644
--- a/ops/modules/tvl-sso/default.nix
+++ b/ops/modules/tvl-sso/default.nix
@@ -18,7 +18,10 @@ in {
         Restart = "always";
       };
     };
-    users.users.apereo-cas = {};
+    users.users.apereo-cas = {
+      isSystemUser = true;
+      group = "apereo-cas";
+    };
     users.groups.apereo-cas = {};
   };
 }
diff --git a/third_party/buzz/default.nix b/third_party/buzz/default.nix
index fd8c0b7fce..e6cd9df998 100644
--- a/third_party/buzz/default.nix
+++ b/third_party/buzz/default.nix
@@ -27,5 +27,5 @@ depot.third_party.naersk.buildPackage {
     llvmPackages.libclang
   ];
 
-  LIBCLANG_PATH = "${pkgs.llvmPackages.libclang}/lib/libclang.so";
+  LIBCLANG_PATH = "${pkgs.llvmPackages.libclang.lib}/lib/libclang.so";
 }
diff --git a/third_party/gerrit_plugins/default.nix b/third_party/gerrit_plugins/default.nix
index d14933c283..b4570e7a8a 100644
--- a/third_party/gerrit_plugins/default.nix
+++ b/third_party/gerrit_plugins/default.nix
@@ -6,7 +6,7 @@ in depot.nix.utils.drvTargets {
   # https://gerrit.googlesource.com/plugins/owners
   owners = buildGerritBazelPlugin rec {
     name = "owners";
-    depsOutputHash = "sha256:0j7hn945l5y5pz109mrcx2hh2lb2gi5gf4wrrbypx43rmyhlz3s8";
+    depsOutputHash = "sha256:162hxk2qsix0x1aarhsaqi52q7j7mjpyk8af57w0a012i55ryqqa";
     src = pkgs.fetchgit {
       url = "https://gerrit.googlesource.com/plugins/owners";
       rev = "f3335231b98e14664fdd1b325486bb0824800ac3";
@@ -23,7 +23,7 @@ in depot.nix.utils.drvTargets {
   # https://gerrit.googlesource.com/plugins/checks
   checks = buildGerritBazelPlugin {
     name = "checks";
-    depsOutputHash = "sha256:01krrafg5df42z3r7y74g8lx859my4610cqx3a7d02laqq9yjqc6";
+    depsOutputHash = "sha256:1262xhl2z1pml6iimhnjm5l3gzddz0rjj6sjq53212dk2dxs5y1b";
     src = pkgs.fetchgit {
       url = "https://gerrit.googlesource.com/plugins/checks";
       rev = "990e936b1e050c4fe7ac3e590bdb5cfff0311232";
diff --git a/third_party/gerrit_plugins/oauth/default.nix b/third_party/gerrit_plugins/oauth/default.nix
index b544ce86c2..38a5dbf02e 100644
--- a/third_party/gerrit_plugins/oauth/default.nix
+++ b/third_party/gerrit_plugins/oauth/default.nix
@@ -4,7 +4,7 @@ let
   inherit (import ../builder.nix args) buildGerritBazelPlugin;
 in buildGerritBazelPlugin rec {
   name = "oauth";
-  depsOutputHash = "sha256:1zl0gsia9p585dvpyiyb6fiqs3q9dg7qsxnwkn8ncqdnxlg21gl7";
+  depsOutputHash = "sha256:008xqrvy77x06y4dd74pd1vv8rzbp0jd2dw2sqcv9b5qhav7ilyw";
   src = pkgs.fetchgit {
     url = "https://gerrit.googlesource.com/plugins/oauth";
     rev = "4aa7322db5ec221b2419e12a9ec7af5b8c66659c";
diff --git a/third_party/grpc/default.nix b/third_party/grpc/default.nix
index 8441136929..2914d8d8e7 100644
--- a/third_party/grpc/default.nix
+++ b/third_party/grpc/default.nix
@@ -9,4 +9,7 @@
     "-DCMAKE_CXX_STANDARD=17"
     "-DCMAKE_CXX_STANDARD_REQUIRED=ON"
   ];
-})
+}) // {
+  # TODO(b/132): Reenable when linker errors are fixed.
+  meta.ci = false;
+}
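Review bot: The `// { meta.ci = false; }` added after the closing `})` is a shallow merge, so it replaces the derivation's whole `meta` attribute set with `{ ci = false; }` instead of adding one key. Upstream description, license and platform metadata are then no longer reachable through this attribute. The expression begins outside the hunk, so its exact shape is not visible, but binding the result first and merging explicitly would keep the rest: `drv // { meta = (drv.meta or {}) // { ci = false; }; }`.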
diff --git a/third_party/nix/default.nix b/third_party/nix/default.nix
index 42b0324e8e..909bff9be5 100644
--- a/third_party/nix/default.nix
+++ b/third_party/nix/default.nix
@@ -187,6 +187,9 @@ in lib.fix (self: pkgs.llvmPackages_11.libcxxStdenv.mkDerivation {
   # TODO(tazjin): integration test setup?
   # TODO(tazjin): docs generation?
 
+  # TODO(b/132): Reenable when linker errors are fixed.
+  meta.ci = false;
+
   passthru = {
     build-shell = self.overrideAttrs (up: rec {
       run_clang_tidy = pkgs.writeShellScriptBin "run-clang-tidy" ''
diff --git a/third_party/nixpkgs/default.nix b/third_party/nixpkgs/default.nix
index 345b61e2d4..3911a25225 100644
--- a/third_party/nixpkgs/default.nix
+++ b/third_party/nixpkgs/default.nix
@@ -13,16 +13,16 @@ let
   # nixos-unstable, and the current stable channel of the latest NixOS
   # release.
 
-  # Tracking nixos-unstable as of 2021-04-09.
+  # Tracking nixos-unstable as of 2021-05-25.
   unstableHashes = {
-    commit = "9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2";
-    sha256 = "1r3ll77hyqn28d9i4cf3vqd9v48fmaa1j8ps8c4fm4f8gqf4kpl1";
+    commit = "900115a4f7fdd9189e7803ca781a65be663f2c89";
+    sha256 = "11551nawxjbgya8sq1p6ghkbws9qz9fbfq3wqawm3zh8ayr4l13j";
   };
 
-  # Tracking nixos-20.09 as of 2021-04-09.
+  # Tracking nixos-20.09 as of 2021-05-25.
   stableHashes = {
-    commit = "d6f63659a7021051a46035373ed50fbea7e4e924";
-    sha256 = "0vblhzg57sfzqpdm24lgs08vjv2204lzcp6hv4cbjd20rz0mxs4y";
+    commit = "ac60476ed94fd5424d9f3410c438825f793a8cbb";
+    sha256 = "1dlvpdsy5v09c7rj5f7xgakyj722yqr4415davjpcmrk4n5kw76v";
   };
 
   # import the nixos-unstable package set, or optionally use the
diff --git a/third_party/openldap/default.nix b/third_party/openldap/default.nix
deleted file mode 100644
index aed051c4e0..0000000000
--- a/third_party/openldap/default.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-# OpenLDAP by default uses a simple shalted SHA1-hash for passwords,
-# which is less than ideal.
-#
-# It does however include a contrib module which adds support for the
-# Argon2 password hashing scheme. This overrides then OpenLDAP build
-# derivation to include this module.
-{ pkgs, ... }:
-
-pkgs.openldap.overrideAttrs(old: {
-  buildInputs = old.buildInputs ++ [ pkgs.libsodium ];
-
-  postBuild = ''
-    ${old.postBuild}
-    make $makeFlags -C contrib/slapd-modules/passwd/argon2
-  '';
-
-  # This is required because the Makefile for this module hardcodes
-  # /usr/bin/install, which is not a valid path - we want it to be
-  # looked up from $PATH because it is included in stdenv.
-  installFlags = old.installFlags ++ [ "INSTALL=install" ];
-
-  postInstall = ''
-    ${old.postInstall}
-    make $installFlags install-lib -C contrib/slapd-modules/passwd/argon2
-  '';
-
-})
diff --git a/third_party/overlays/emacs.nix b/third_party/overlays/emacs.nix
index 77d1cd6f77..99844a33e7 100644
--- a/third_party/overlays/emacs.nix
+++ b/third_party/overlays/emacs.nix
@@ -2,10 +2,10 @@
 { ... }:
 
 let
-  # from 2020-04-13
-  commit = "15ed1f372a83ec748ac824bdc5b573039c18b82f";
+  # from 2020-05-26
+  commit = "5df3462dda05d8e44669cf374776274e1bc47d0a";
   src = builtins.fetchTarball {
     url = "https://github.com/nix-community/emacs-overlay/archive/${commit}.tar.gz";
-    sha256 = "0m4vb7p29rgbpaavwn9jjid1zz48k1l9za5gy3d8nadqjn7x4dm1";
+    sha256 = "0ggmkg4shf9948wpwb0s40bjvwijvhv2wykrkayclvp419kbrfxq";
   };
 in import src
diff --git a/tools/hash-password.nix b/tools/hash-password.nix
index fcf8abda78..9893d52178 100644
--- a/tools/hash-password.nix
+++ b/tools/hash-password.nix
@@ -1,7 +1,7 @@
 # Utility for invoking slappasswd with the correct options for
 # creating an ARGON2 password hash.
-{ depot, pkgs, ... }:
+{ pkgs, ... }:
 
 pkgs.writeShellScriptBin "hash-password" ''
-  ${depot.third_party.openldap}/bin/slappasswd -o module-load=pw-argon2 -h '{ARGON2}'
+  ${pkgs.openldap}/bin/slappasswd -o module-load=pw-argon2 -h '{ARGON2}'
 ''
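Review bot: The header comment does not say that `-o module-load=pw-argon2` now relies on the channel's `pkgs.openldap` shipping that module, which the removed `third_party/openldap` override used to guarantee locally. I would extend it with something like `# Relies on pkgs.openldap building the argon2 password module; re-check the module name on OpenLDAP upgrades.` The same dependency presumably applies to the slapd configuration in `ops/modules/tvl-slapd/default.nix`, whose password-hash settings are outside the visible hunks. After a channel bump it is worth confirming that newly generated hashes still carry the `{ARGON2}` prefix.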
diff --git a/users/grfn/system/home/machines/yeren.nix b/users/grfn/system/home/machines/yeren.nix
index 504a382c20..67c3968ae4 100644
--- a/users/grfn/system/home/machines/yeren.nix
+++ b/users/grfn/system/home/machines/yeren.nix
@@ -39,16 +39,7 @@ in
 
     steam
 
-    (awscli2.overridePythonAttrs (oldAttrs: {
-      postPatch = ''
-        substituteInPlace setup.py \
-          --replace 'colorama>=0.2.5,<0.4.4' 'colorama'  \
-          --replace 'wcwidth<0.2.0' 'colorama' \
-          --replace 'cryptography>=2.8.0,<=2.9.0' 'cryptography' \
-          --replace 'docutils>=0.10,<0.16' 'docutils' \
-          --replace 'ruamel.yaml>=0.15.0,<0.16.0' 'ruamel.yaml'
-      '';
-    }))
+    awscli2
   ];
 
   systemd.user.services.laptop-keyboard = {
diff --git a/users/grfn/system/home/modules/development.nix b/users/grfn/system/home/modules/development.nix
index 43bb7a79a2..a79f5b9875 100644
--- a/users/grfn/system/home/modules/development.nix
+++ b/users/grfn/system/home/modules/development.nix
@@ -76,7 +76,7 @@ with lib;
 
     nodePackages.prettier
   ] ++ optionals (stdenv.isLinux) [
-    julia
+    julia-stable
     valgrind
   ];
 
diff --git a/users/grfn/system/system/machines/mugwump.nix b/users/grfn/system/system/machines/mugwump.nix
index 77c4dda9a5..f9b6e0a1da 100644
--- a/users/grfn/system/system/machines/mugwump.nix
+++ b/users/grfn/system/system/machines/mugwump.nix
@@ -274,6 +274,12 @@ with lib;
     };
   }) (range 1 1));
 
-  users.users."buildkite-agent-mugwump-1".extraGroups = [ "docker" ];
-  users.users."buildkite-agent-mugwump-2".extraGroups = [ "docker" ];
+  users.users."buildkite-agent-mugwump-1" = {
+    isSystemUser = true;
+    extraGroups = [ "docker" ];
+  };
+  users.users."buildkite-agent-mugwump-2" = {
+    isSystemUser = true;
+    extraGroups = [ "docker" ];
+  };
 }
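Review bot: The new block for `buildkite-agent-mugwump-2` declares a system account in the `docker` group, while the context line `(range 1 1)` above suggests only agent 1 is generated. If that reading is right, agent 2 is an unused account with access to the Docker socket, which is effectively root on the host. Consider dropping the second block, or deriving both the agents and their accounts from the same range so they cannot drift apart. For the account that stays, a comment such as `# docker group membership is root-equivalent; agents must only run trusted pipelines` would record the trust assumption. The enclosing attribute set starts outside the hunk.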
diff --git a/users/tazjin/emacs/default.nix b/users/tazjin/emacs/default.nix
index 082346da75..12a56f9625 100644
--- a/users/tazjin/emacs/default.nix
+++ b/users/tazjin/emacs/default.nix
@@ -33,7 +33,7 @@ let
   (with epkgs.melpaPackages; [
     ace-window
     ace-link
-    bazel-mode
+    # bazel-mode TODO(tazjin): where did this go?
     browse-kill-ring
     cargo
     company
@@ -47,7 +47,7 @@ let
     eglot
     elixir-mode
     elm-mode
-    erlang
+    # erlang
     go-mode
     gruber-darker-theme
     haskell-mode
diff --git a/users/tazjin/nixos/camden/default.nix b/users/tazjin/nixos/camden/default.nix
index ec72377f4a..19a42f163c 100644
--- a/users/tazjin/nixos/camden/default.nix
+++ b/users/tazjin/nixos/camden/default.nix
@@ -155,7 +155,7 @@ in lib.fix(self: {
     groups.git = {};
     users.git = {
       group = "git";
-      isNormalUser = false;
+      isSystemUser = true;
     };
   };