From 65be8f20e0508cb8f81a7b42a240ebb8a03d8a93 Mon Sep 17 00:00:00 2001 
From: Vincent Ambo Date: Tue, 13 Apr 2021 12:21:42 +0200 Subject: chore(nixpkgs): Bump channels to 2021-05-25 * users/grfn/system/home/yeren: remove obsolete awscli2 overrides * ops: make new isSystemUser || isNormalUser assertion happy * users/grfn/system/system/mugwump: make buildkite agents system users * users/tazjin/nixos/camden: set isSystemUser = true for git * users/tazjin/emacs: Remove missing & broken packages * third_party/openldap: remove, as the argon2 module is now enabled upstream * third_party/gerrit_plugins: Pinned new unstable hashes * third_party/nix, third_party/grpc: Disabled CI as these are broken * third_party/overlays/emacs: Bumped version to stay in sync with channel * third_party/buzz: Update LIBCLANG_PATH to reference libclang.lib, since libclang's default output no longer contains libclang.so * users/grfn/system/home: Install julia-stable instead of julia (which aliases to julia-lts), as the latter depends on an insecure version of libgit Change-Id: Iff33b0ecb0ef07a82d1de35e23c40d2f4bf0f8ed Reviewed-on: https://cl.tvl.fyi/c/depot/+/3001 Tested-by: BuildkiteCI Reviewed-by: sterni Reviewed-by: grfn --- ops/machines/whitby/default.nix | 2 +- ops/modules/clbot.nix | 2 +- ops/modules/quassel.nix | 2 +- ops/modules/tvl-buildkite.nix | 1 + ops/modules/tvl-slapd/default.nix | 13 +------------ ops/modules/tvl-sso/default.nix | 5 ++++- third_party/buzz/default.nix | 2 +- third_party/gerrit_plugins/default.nix | 4 ++-- third_party/gerrit_plugins/oauth/default.nix | 2 +- third_party/grpc/default.nix | 5 ++++- third_party/nix/default.nix | 3 +++ third_party/nixpkgs/default.nix | 12 ++++++------ third_party/openldap/default.nix | 27 -------------------------- third_party/overlays/emacs.nix | 6 +++--- tools/hash-password.nix | 4 ++-- users/grfn/system/home/machines/yeren.nix | 11 +---------- users/grfn/system/home/modules/development.nix | 2 +- users/grfn/system/system/machines/mugwump.nix | 10 ++++++++-- users/tazjin/emacs/default.nix | 4 ++-- 
users/tazjin/nixos/camden/default.nix | 2 +- 20 files changed, 44 insertions(+), 75 deletions(-) delete mode 100644 third_party/openldap/default.nix
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 3dd081f4cf8a..6d338c369fc0 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -595,7 +595,7 @@ in { groups.git = {}; users.git = { group = "git"; - isNormalUser = false; + isSystemUser = true; createHome = true; home = "/var/lib/git"; };
diff --git a/ops/modules/clbot.nix b/ops/modules/clbot.nix
index ad33e25a4d54..71ff2fbc3288 100644
--- a/ops/modules/clbot.nix
+++ b/ops/modules/clbot.nix
@@ -66,7 +66,7 @@ in { users.clbot = { group = "clbot"; - isNormalUser = false; + isSystemUser = true; }; };
diff --git a/ops/modules/quassel.nix b/ops/modules/quassel.nix
index df26a3945532..9c8692629a2a 100644
--- a/ops/modules/quassel.nix
+++ b/ops/modules/quassel.nix
@@ -66,7 +66,7 @@ in { users = { users.quassel = { - isNormalUser = false; + isSystemUser = true; group = "quassel"; };
diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix
index 2aa3b81811f4..05a5e9b5e7f6 100644
--- a/ops/modules/tvl-buildkite.nix
+++ b/ops/modules/tvl-buildkite.nix
@@ -39,6 +39,7 @@ in { users = builtins.listToAttrs (map (n: rec { name = "buildkite-agent-whitby-${toString n}"; value = { + isSystemUser = true; group = lib.mkForce "buildkite-agents"; extraGroups = [ name ]; };
diff --git a/ops/modules/tvl-slapd/default.nix b/ops/modules/tvl-slapd/default.nix
index cbfdeff31eb0..dbcf139338ea 100644
--- a/ops/modules/tvl-slapd/default.nix
+++ b/ops/modules/tvl-slapd/default.nix
@@ -27,17 +27,6 @@ let inherit (depot.ops) users; in { - # Use our patched OpenLDAP derivation which enables stronger password hashing. - # - # Unfortunately the module for OpenLDAP has no package option, so we - # need to override it system-wide. Be aware that this triggers a - # *large* number of rebuilds of packages such as GPG and Python. - nixpkgs.overlays = [ - (_: _: { - inherit (depot.third_party) openldap; - }) - ]; - services.openldap = { enable = true;
@@ -58,7 +47,7 @@ in { }; "cn=schema".includes = - map (schema: "${depot.third_party.openldap}/etc/schema/${schema}.ldif") + map (schema: "${pkgs.openldap}/etc/schema/${schema}.ldif") [ "core" "cosine" "inetorgperson" "nis" ]; };
diff --git a/ops/modules/tvl-sso/default.nix b/ops/modules/tvl-sso/default.nix
index 8e33c708b7f3..d026c1e7c9ad 100644
--- a/ops/modules/tvl-sso/default.nix
+++ b/ops/modules/tvl-sso/default.nix
@@ -18,7 +18,10 @@ in { Restart = "always"; }; }; - users.users.apereo-cas = {}; + users.users.apereo-cas = { + isSystemUser = true; + group = "apereo-cas"; + }; users.groups.apereo-cas = {}; }; }
diff --git a/third_party/buzz/default.nix b/third_party/buzz/default.nix
index fd8c0b7fce15..e6cd9df99865 100644
--- a/third_party/buzz/default.nix
+++ b/third_party/buzz/default.nix
@@ -27,5 +27,5 @@ depot.third_party.naersk.buildPackage { llvmPackages.libclang ]; - LIBCLANG_PATH = "${pkgs.llvmPackages.libclang}/lib/libclang.so"; + LIBCLANG_PATH = "${pkgs.llvmPackages.libclang.lib}/lib/libclang.so"; }
diff --git a/third_party/gerrit_plugins/default.nix b/third_party/gerrit_plugins/default.nix
index d14933c2835f..b4570e7a8a20 100644
--- a/third_party/gerrit_plugins/default.nix
+++ b/third_party/gerrit_plugins/default.nix
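Review bot: Nothing in ops/modules/tvl-slapd/default.nix records any longer that the directory depends on `pkgs.openldap` shipping the Argon2 password module; the explanatory comment went away with the overlay in the first hunk, and the second hunk only swaps the schema path to `pkgs.openldap`. The requirement now lives solely in the commit message, so a later package-set switch (the depot also tracks a stable channel) could silently pick a build without the module. I would add a comment next to the `pkgs.openldap` reference, e.g. `# pkgs.openldap must provide the pw-argon2 module; stored {ARGON2} hashes cannot be verified without it`. The same dependency applies to the `slappasswd -o module-load=pw-argon2` line in the tools/hash-password.nix hunk. The `services.openldap` set continues outside both hunks, so whether the module is loaded explicitly in the slapd configuration is not visible here.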
@@ -6,7 +6,7 @@ in depot.nix.utils.drvTargets { # https://gerrit.googlesource.com/plugins/owners owners = buildGerritBazelPlugin rec { name = "owners"; - depsOutputHash = "sha256:0j7hn945l5y5pz109mrcx2hh2lb2gi5gf4wrrbypx43rmyhlz3s8"; + depsOutputHash = "sha256:162hxk2qsix0x1aarhsaqi52q7j7mjpyk8af57w0a012i55ryqqa"; src = pkgs.fetchgit { url = "https://gerrit.googlesource.com/plugins/owners"; rev = "f3335231b98e14664fdd1b325486bb0824800ac3";
@@ -23,7 +23,7 @@ in depot.nix.utils.drvTargets { # https://gerrit.googlesource.com/plugins/checks checks = buildGerritBazelPlugin { name = "checks"; - depsOutputHash = "sha256:01krrafg5df42z3r7y74g8lx859my4610cqx3a7d02laqq9yjqc6"; + depsOutputHash = "sha256:1262xhl2z1pml6iimhnjm5l3gzddz0rjj6sjq53212dk2dxs5y1b"; src = pkgs.fetchgit { url = "https://gerrit.googlesource.com/plugins/checks"; rev = "990e936b1e050c4fe7ac3e590bdb5cfff0311232";
diff --git a/third_party/gerrit_plugins/oauth/default.nix b/third_party/gerrit_plugins/oauth/default.nix
index b544ce86c2f4..38a5dbf02ea5 100644
--- a/third_party/gerrit_plugins/oauth/default.nix
+++ b/third_party/gerrit_plugins/oauth/default.nix
@@ -4,7 +4,7 @@ let inherit (import ../builder.nix args) buildGerritBazelPlugin; in buildGerritBazelPlugin rec { name = "oauth"; - depsOutputHash = "sha256:1zl0gsia9p585dvpyiyb6fiqs3q9dg7qsxnwkn8ncqdnxlg21gl7"; + depsOutputHash = "sha256:008xqrvy77x06y4dd74pd1vv8rzbp0jd2dw2sqcv9b5qhav7ilyw"; src = pkgs.fetchgit { url = "https://gerrit.googlesource.com/plugins/oauth"; rev = "4aa7322db5ec221b2419e12a9ec7af5b8c66659c";
diff --git a/third_party/grpc/default.nix b/third_party/grpc/default.nix
index 84411369299b..2914d8d8e7f4 100644
--- a/third_party/grpc/default.nix
+++ b/third_party/grpc/default.nix
@@ -9,4 +9,7 @@ "-DCMAKE_CXX_STANDARD=17" "-DCMAKE_CXX_STANDARD_REQUIRED=ON" ]; -}) +}) // { + # TODO(b/132): Reenable when linker errors are fixed. + meta.ci = false; +}
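Review bot: Nothing next to the new `depsOutputHash` for `owners` in third_party/gerrit_plugins/default.nix says why the fixed-output hash of the Bazel dependencies moved while the pinned `rev` in the context lines is unchanged. The commit message only states that new hashes were pinned, so someone auditing the pins later sees different dependency content for the same source revision and has no way to tell an expected toolchain effect from an unexpected one. I would record the reason beside the value, e.g. `# re-pinned for the nixpkgs 2021-05-25 bump; plugin rev unchanged`. The same applies to the `checks` hunk in this file and to the third_party/gerrit_plugins/oauth/default.nix hunk. All three `buildGerritBazelPlugin` calls continue outside their hunks.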
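Review bot: In third_party/grpc/default.nix, `}) // { meta.ci = false; }` replaces the whole `meta` attribute of the result, because `//` merges only at the top level and `meta.ci = false` is shorthand for `meta = { ci = false; }`. Anything that later reads `meta` from this attribute (description, license, platforms) would find only `ci`; whether this package's `meta` is consumed elsewhere is not visible here. Merging into the existing value keeps the rest, for example by binding the overridden derivation to a name (here called `drv` for illustration) and writing `meta = drv.meta // { ci = false; };`. The overridden expression starts outside the hunk.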
diff --git a/third_party/nix/default.nix b/third_party/nix/default.nix
index 42b0324e8ea9..909bff9be5a9 100644
--- a/third_party/nix/default.nix
+++ b/third_party/nix/default.nix
@@ -187,6 +187,9 @@ in lib.fix (self: pkgs.llvmPackages_11.libcxxStdenv.mkDerivation { # TODO(tazjin): integration test setup? # TODO(tazjin): docs generation? + # TODO(b/132): Reenable when linker errors are fixed. + meta.ci = false; + passthru = { build-shell = self.overrideAttrs (up: rec { run_clang_tidy = pkgs.writeShellScriptBin "run-clang-tidy" ''
diff --git a/third_party/nixpkgs/default.nix b/third_party/nixpkgs/default.nix
index 345b61e2d4c5..3911a2522548 100644
--- a/third_party/nixpkgs/default.nix
+++ b/third_party/nixpkgs/default.nix
@@ -13,16 +13,16 @@ let # nixos-unstable, and the current stable channel of the latest NixOS # release. - # Tracking nixos-unstable as of 2021-04-09. + # Tracking nixos-unstable as of 2021-05-25. unstableHashes = { - commit = "9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2"; - sha256 = "1r3ll77hyqn28d9i4cf3vqd9v48fmaa1j8ps8c4fm4f8gqf4kpl1"; + commit = "900115a4f7fdd9189e7803ca781a65be663f2c89"; + sha256 = "11551nawxjbgya8sq1p6ghkbws9qz9fbfq3wqawm3zh8ayr4l13j"; }; - # Tracking nixos-20.09 as of 2021-04-09. + # Tracking nixos-20.09 as of 2021-05-25. stableHashes = { - commit = "d6f63659a7021051a46035373ed50fbea7e4e924"; - sha256 = "0vblhzg57sfzqpdm24lgs08vjv2204lzcp6hv4cbjd20rz0mxs4y"; + commit = "ac60476ed94fd5424d9f3410c438825f793a8cbb"; + sha256 = "1dlvpdsy5v09c7rj5f7xgakyj722yqr4415davjpcmrk4n5kw76v"; }; # import the nixos-unstable package set, or optionally use the
diff --git a/third_party/openldap/default.nix b/third_party/openldap/default.nix deleted file mode 100644
index aed051c4e067..000000000000
--- a/third_party/openldap/default.nix
+++ /dev/null
@@ -1,27 +0,0 @@ -# OpenLDAP by default uses a simple shalted SHA1-hash for passwords, -# which is less than ideal. -# -# It does however include a contrib module which adds support for the -# Argon2 password hashing scheme. This overrides then OpenLDAP build -# derivation to include this module. -{ pkgs, ... }: - -pkgs.openldap.overrideAttrs(old: { - buildInputs = old.buildInputs ++ [ pkgs.libsodium ]; - - postBuild = '' - ${old.postBuild} - make $makeFlags -C contrib/slapd-modules/passwd/argon2 - ''; - - # This is required because the Makefile for this module hardcodes - # /usr/bin/install, which is not a valid path - we want it to be - # looked up from $PATH because it is included in stdenv. - installFlags = old.installFlags ++ [ "INSTALL=install" ]; - - postInstall = '' - ${old.postInstall} - make $installFlags install-lib -C contrib/slapd-modules/passwd/argon2 - ''; - -})
diff --git a/third_party/overlays/emacs.nix b/third_party/overlays/emacs.nix
index 77d1cd6f7771..99844a33e715 100644
--- a/third_party/overlays/emacs.nix
+++ b/third_party/overlays/emacs.nix
@@ -2,10 +2,10 @@ { ... }: let - # from 2020-04-13 - commit = "15ed1f372a83ec748ac824bdc5b573039c18b82f"; + # from 2020-05-26 + commit = "5df3462dda05d8e44669cf374776274e1bc47d0a"; src = builtins.fetchTarball { url = "https://github.com/nix-community/emacs-overlay/archive/${commit}.tar.gz"; - sha256 = "0m4vb7p29rgbpaavwn9jjid1zz48k1l9za5gy3d8nadqjn7x4dm1"; + sha256 = "0ggmkg4shf9948wpwb0s40bjvwijvhv2wykrkayclvp419kbrfxq"; }; in import src
diff --git a/tools/hash-password.nix b/tools/hash-password.nix
index fcf8abda78ea..9893d521787e 100644
--- a/tools/hash-password.nix
+++ b/tools/hash-password.nix
@@ -1,7 +1,7 @@ # Utility for invoking slappasswd with the correct options for # creating an ARGON2 password hash. -{ depot, pkgs, ... }: +{ pkgs, ... }: pkgs.writeShellScriptBin "hash-password" '' - ${depot.third_party.openldap}/bin/slappasswd -o module-load=pw-argon2 -h '{ARGON2}' + ${pkgs.openldap}/bin/slappasswd -o module-load=pw-argon2 -h '{ARGON2}' ''
diff --git a/users/grfn/system/home/machines/yeren.nix b/users/grfn/system/home/machines/yeren.nix
index 504a382c208c..67c3968ae410 100644
--- a/users/grfn/system/home/machines/yeren.nix
+++ b/users/grfn/system/home/machines/yeren.nix
@@ -39,16 +39,7 @@ in steam - (awscli2.overridePythonAttrs (oldAttrs: { - postPatch = '' - substituteInPlace setup.py \ - --replace 'colorama>=0.2.5,<0.4.4' 'colorama' \ - --replace 'wcwidth<0.2.0' 'colorama' \ - --replace 'cryptography>=2.8.0,<=2.9.0' 'cryptography' \ - --replace 'docutils>=0.10,<0.16' 'docutils' \ - --replace 'ruamel.yaml>=0.15.0,<0.16.0' 'ruamel.yaml' - ''; - })) + awscli2 ]; systemd.user.services.laptop-keyboard = {
diff --git a/users/grfn/system/home/modules/development.nix b/users/grfn/system/home/modules/development.nix
index 43bb7a79a21d..a79f5b98755f 100644
--- a/users/grfn/system/home/modules/development.nix
+++ b/users/grfn/system/home/modules/development.nix
@@ -76,7 +76,7 @@ with lib; nodePackages.prettier ] ++ optionals (stdenv.isLinux) [ - julia + julia-stable valgrind ];
diff --git a/users/grfn/system/system/machines/mugwump.nix b/users/grfn/system/system/machines/mugwump.nix
index 77c4dda9a558..f9b6e0a1daba 100644
--- a/users/grfn/system/system/machines/mugwump.nix
+++ b/users/grfn/system/system/machines/mugwump.nix
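Review bot: `julia-stable` replaces `julia` in the Linux-only list of users/grfn/system/home/modules/development.nix without a comment, so the security reason for the choice exists only in the commit message. A later cleanup could switch back to `julia` without knowing that, per the commit message, it aliases `julia-lts`, which depends on an insecure libgit version. I would add `# julia aliases julia-lts, which depends on an insecure libgit; keep julia-stable` above the entry. The package list continues outside the hunk.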
@@ -274,6 +274,12 @@ with lib; }; }) (range 1 1)); - users.users."buildkite-agent-mugwump-1".extraGroups = [ "docker" ]; - users.users."buildkite-agent-mugwump-2".extraGroups = [ "docker" ]; + users.users."buildkite-agent-mugwump-1" = { + isSystemUser = true; + extraGroups = [ "docker" ]; + }; + users.users."buildkite-agent-mugwump-2" = { + isSystemUser = true; + extraGroups = [ "docker" ]; + }; }
diff --git a/users/tazjin/emacs/default.nix b/users/tazjin/emacs/default.nix
index 082346da75b9..12a56f9625d9 100644
--- a/users/tazjin/emacs/default.nix
+++ b/users/tazjin/emacs/default.nix
@@ -33,7 +33,7 @@ let (with epkgs.melpaPackages; [ ace-window ace-link - bazel-mode + # bazel-mode TODO(tazjin): where did this go? browse-kill-ring cargo company
@@ -47,7 +47,7 @@ let eglot elixir-mode elm-mode - erlang + # erlang go-mode gruber-darker-theme haskell-mode
diff --git a/users/tazjin/nixos/camden/default.nix b/users/tazjin/nixos/camden/default.nix
index ec72377f4a6e..19a42f163c15 100644
--- a/users/tazjin/nixos/camden/default.nix
+++ b/users/tazjin/nixos/camden/default.nix
@@ -155,7 +155,7 @@ in lib.fix(self: { groups.git = {}; users.git = { group = "git"; - isNormalUser = false; + isSystemUser = true; }; }; -- cgit 1.4.1
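Review bot: `users.users."buildkite-agent-mugwump-2"` in users/grfn/system/system/machines/mugwump.nix is declared with `docker` group membership although the context line above ends what appears to be the agent generator with `(range 1 1)`, which yields only agent 1. Membership in the `docker` group is effectively root on the host, so an account that no agent seems to run under should not carry it; either drop the second block or derive the agents and their user entries from the same range. For the remaining account a comment such as `# docker group is root-equivalent on this host; only trusted builds may run here` would make the trade-off explicit. The generating expression starts outside the hunk, so the agent count is inferred from that one visible line.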