Merge staging-next into staging

maintainers/maintainer-list.nix

@@ -2769,7 +2769,7 @@
     name = "Hubert Jasudowicz";
   };
   chkno = {
-    email = "chuck@intelligence.org";
+    email = "scottworley@scottworley.com";
     github = "chkno";
     githubId = 1118859;
     name = "Scott Worley";

nixos/doc/manual/release-notes/rl-2305.section.md

@@ -199,6 +199,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services.
   This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from `/etc/ec2-metadata` should now have an `after` dependency on `fetch-ec2-metadata.service`
 
+- The mailman service now defaults to using a randomly generated REST API password instead of a hardcoded one.
+
 - `minio` removed support for its legacy filesystem backend in [RELEASE.2022-10-29T06-21-33Z](https://github.com/minio/minio/releases/tag/RELEASE.2022-10-29T06-21-33Z). This means if your storage was created with the old format, minio will no longer start. Unfortunately minio doesn't provide a an automatic migration, they only provide [instructions how to manually convert the node](https://min.io/docs/minio/windows/operations/install-deploy-manage/migrate-fs-gateway.html). To facilitate this migration we keep around the last version that still supports the old filesystem backend as `minio_legacy_fs`. Use it via `services.minio.package = minio_legacy_fs;` to export your data before switching to the new version. See the corresponding [issue](https://github.com/NixOS/nixpkgs/issues/199318) for more details.
 
 - `services.sourcehut.dispatch` and the corresponding package (`sourcehut.dispatchsrht`) have been removed due to [upstream deprecation](https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/).

nixos/modules/services/mail/mailman.nix

@@ -44,11 +44,9 @@ let
     transport_file_type: hash
   '';
 
-  mailmanCfg = lib.generators.toINI {}
-    (recursiveUpdate cfg.settings
-      ((optionalAttrs (cfg.restApiPassFile != null) {
-        webservice.admin_pass = "#NIXOS_MAILMAN_REST_API_PASS_SECRET#";
-      })));
+  mailmanCfg = lib.generators.toINI {} (recursiveUpdate cfg.settings {
+    webservice.admin_pass = "#NIXOS_MAILMAN_REST_API_PASS_SECRET#";
+  });
 
   mailmanCfgFile = pkgs.writeText "mailman-raw.cfg" mailmanCfg;
 
@@ -388,6 +386,7 @@ in {
 
     environment.etc."mailman3/settings.py".text = ''
       import os
+      from configparser import ConfigParser
 
       # Required by mailman_web.settings, but will be overridden when
       # settings_local.json is loaded.
@@ -404,10 +403,10 @@ in {
       with open('/var/lib/mailman-web/settings_local.json') as f:
           globals().update(json.load(f))
 
-      ${optionalString (cfg.restApiPassFile != null) ''
-        with open('${cfg.restApiPassFile}') as f:
-            MAILMAN_REST_API_PASS = f.read().rstrip('\n')
-      ''}
+      with open('/etc/mailman.cfg') as f:
+          config = ConfigParser()
+          config.read_file(f)
+          MAILMAN_REST_API_PASS = config['webservice']['admin_pass']
 
       ${optionalString (cfg.ldap.enable) ''
         import ldap
@@ -504,10 +503,14 @@ in {
         path = with pkgs; [ jq ];
         after = optional withPostgresql "postgresql.service";
         requires = optional withPostgresql "postgresql.service";
+        serviceConfig.RemainAfterExit = true;
         serviceConfig.Type = "oneshot";
         script = ''
           install -m0750 -o mailman -g mailman ${mailmanCfgFile} /etc/mailman.cfg
-          ${optionalString (cfg.restApiPassFile != null) ''
+          ${if cfg.restApiPassFile == null then ''
+            sed -i "s/#NIXOS_MAILMAN_REST_API_PASS_SECRET#/$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 64)/g" \
+              /etc/mailman.cfg
+          '' else ''
             ${pkgs.replace-secret}/bin/replace-secret \
               '#NIXOS_MAILMAN_REST_API_PASS_SECRET#' \
               ${cfg.restApiPassFile} \

nixos/tests/all-tests.nix

@@ -431,6 +431,7 @@ in {
   magnetico = handleTest ./magnetico.nix {};
   mailcatcher = handleTest ./mailcatcher.nix {};
   mailhog = handleTest ./mailhog.nix {};
+  mailman = handleTest ./mailman.nix {};
   man = handleTest ./man.nix {};
   mariadb-galera = handleTest ./mysql/mariadb-galera.nix {};
   mastodon = discoverTests (import ./web-apps/mastodon { inherit handleTestOn; });

nixos/tests/mailman.nix

@@ -0,0 +1,67 @@
+import ./make-test-python.nix {
+  name = "mailman";
+
+  nodes.machine = { pkgs, ... }: {
+    environment.systemPackages = with pkgs; [ mailutils ];
+
+    services.mailman.enable = true;
+    services.mailman.serve.enable = true;
+    services.mailman.siteOwner = "postmaster@example.com";
+    services.mailman.webHosts = [ "example.com" ];
+
+    services.postfix.enable = true;
+    services.postfix.destination = [ "example.com" "example.net" ];
+    services.postfix.relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
+    services.postfix.config.local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" "proxy:unix:passwd.byname" ];
+    services.postfix.config.transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
+
+    users.users.user = { isNormalUser = true; };
+
+    virtualisation.memorySize = 2048;
+
+    specialisation.restApiPassFileSystem.configuration = {
+      services.mailman.restApiPassFile = "/var/lib/mailman/pass";
+    };
+  };
+
+  testScript = { nodes, ... }: let
+    restApiPassFileSystem = "${nodes.machine.system.build.toplevel}/specialisation/restApiPassFileSystem";
+  in ''
+    def check_mail(_) -> bool:
+        status, _ = machine.execute("grep -q hello /var/spool/mail/user/new/*")
+        return status == 0
+
+    def try_api(_) -> bool:
+        status, _ = machine.execute("curl -s http://localhost:8001/")
+        return status == 0
+
+    def wait_for_api():
+        with machine.nested("waiting for Mailman REST API to be available"):
+            retry(try_api)
+
+    machine.wait_for_unit("mailman.service")
+    wait_for_api()
+
+    with subtest("subscription and delivery"):
+        creds = machine.succeed("su -s /bin/sh -c 'mailman info' mailman | grep '^REST credentials: ' | sed 's/^REST credentials: //'").strip()
+        machine.succeed(f"curl --fail-with-body -sLSu {creds} -d mail_host=example.com http://localhost:8001/3.1/domains")
+        machine.succeed(f"curl --fail-with-body -sLSu {creds} -d fqdn_listname=list@example.com http://localhost:8001/3.1/lists")
+        machine.succeed(f"curl --fail-with-body -sLSu {creds} -d list_id=list.example.com -d subscriber=root@example.com -d pre_confirmed=True -d pre_verified=True -d send_welcome_message=False http://localhost:8001/3.1/members")
+        machine.succeed(f"curl --fail-with-body -sLSu {creds} -d list_id=list.example.com -d subscriber=user@example.net -d pre_confirmed=True -d pre_verified=True -d send_welcome_message=False http://localhost:8001/3.1/members")
+        machine.succeed("mail -a 'From: root@example.com' -s hello list@example.com < /dev/null")
+        with machine.nested("waiting for mail from list"):
+            retry(check_mail)
+
+    with subtest("Postorius"):
+        machine.succeed("curl --fail-with-body -sILS http://localhost/")
+
+    with subtest("restApiPassFile"):
+        machine.succeed("echo secretpassword > /var/lib/mailman/pass")
+        machine.succeed("${restApiPassFileSystem}/bin/switch-to-configuration test >&2")
+        machine.succeed("grep secretpassword /etc/mailman.cfg")
+        machine.succeed("su -s /bin/sh -c 'mailman info' mailman | grep secretpassword")
+        wait_for_api()
+        machine.succeed("curl --fail-with-body -sLSu restadmin:secretpassword http://localhost:8001/3.1/domains")
+        machine.succeed("curl --fail-with-body -sILS http://localhost/")
+  '';
+}

pkgs/applications/editors/vim/plugins/overrides.nix

@@ -316,6 +316,53 @@ self: super: {
     '';
   });
 
+  coq_nvim = super.coq_nvim.overrideAttrs (old: {
+    passthru.python3Dependencies = ps: with ps; [
+      pynvim
+      pyyaml
+      (buildPythonPackage {
+        pname = "pynvim_pp";
+        version = "unstable-2023-05-17";
+        format = "pyproject";
+        propagatedBuildInputs = [ setuptools pynvim ];
+        src = fetchFromGitHub {
+          owner = "ms-jpq";
+          repo = "pynvim_pp";
+          rev = "91d91ec0cb173ce19d8c93c7999f5038cf08c046";
+          fetchSubmodules = false;
+          hash = "sha256-wycN9U3f3o0onmx60Z4Ws4DbBxsNwHjLTCB9UgjssLI=";
+        };
+        meta = with lib; {
+          homepage = "https://github.com/ms-jpq/pynvim_pp";
+          license = licenses.gpl3Plus;
+          maintainers = with maintainers; [ GaetanLepage ];
+        };
+      })
+      (buildPythonPackage {
+        pname = "std2";
+        version = "unstable-2023-05-17";
+        format = "pyproject";
+        propagatedBuildInputs = [ setuptools ];
+        src = fetchFromGitHub {
+          owner = "ms-jpq";
+          repo = "std2";
+          rev = "d6a7a719ef902e243b7bbd162defed762a27416f";
+          fetchSubmodules = false;
+          hash = "sha256-dtQaeB4Xkz+wcF0UkM+SajekSkVVPdoJs9n1hHQLR1k=";
+        };
+        doCheck = true;
+        meta = with lib; {
+          homepage = "https://github.com/ms-jpq/std2";
+          license = licenses.gpl3Plus;
+          maintainers = with maintainers; [ GaetanLepage ];
+        };
+      })
+    ];
+
+    # We need some patches so it stops complaining about not being in a venv
+    patches = [ ./patches/coq_nvim/emulate-venv.patch ];
+  });
+
   cpsm = super.cpsm.overrideAttrs (old: {
     nativeBuildInputs = [ cmake ];
     buildInputs = [

pkgs/applications/editors/vim/plugins/patches/coq_nvim/emulate-venv.patch

@@ -0,0 +1,35 @@
+diff --git a/coq/__main__.py b/coq/__main__.py
+index 5a6c6fd2..e0d9eec8 100644
+--- a/coq/__main__.py
++++ b/coq/__main__.py
+@@ -78,7 +78,7 @@ _EXEC_PATH = Path(executable)
+ _EXEC_PATH = _EXEC_PATH.parent.resolve(strict=True) / _EXEC_PATH.name
+ _REQ = REQUIREMENTS.read_text()
+
+-_IN_VENV = _RT_PY == _EXEC_PATH
++_IN_VENV = True
+
+
+ if command == "deps":
+@@ -152,7 +152,7 @@ elif command == "run":
+     try:
+         if not _IN_VENV:
+             raise ImportError()
+-        elif lock != _REQ:
++        elif False:
+             raise ImportError()
+         else:
+             import pynvim_pp
+diff --git a/coq/consts.py b/coq/consts.py
+index 5a027fe9..a3e0c5a4 100644
+--- a/coq/consts.py
++++ b/coq/consts.py
+@@ -9,7 +9,7 @@ TOP_LEVEL = Path(__file__).resolve(strict=True).parent.parent
+ REQUIREMENTS = TOP_LEVEL / "requirements.txt"
+
+
+-VARS = TOP_LEVEL / ".vars"
++VARS = Path.home() / ".cache/coq_nvim/vars"
+
+ RT_DIR = VARS / "runtime"
+ RT_PY = RT_DIR / "Scripts" / "python.exe" if IS_WIN else RT_DIR / "bin" / "python3"

pkgs/applications/editors/vscode/extensions/default.nix

@@ -612,8 +612,8 @@ let
         mktplcRef = {
           name = "chatgpt-reborn";
           publisher = "chris-hayes";
-          version = "3.16.1";
-          sha256 = "sha256-RVPA+O0QOtFArWzcuwXMZSpwB3zrPAzVCbEjOzUNH4I=";
+          version = "3.16.3";
+          sha256 = "wkitG5gmYKYKXRw/zVW04HN1dePiTjbnynFOY/bwxfI=";
         };
       };
 
@@ -1331,17 +1331,17 @@ let
         mktplcRef = {
           name = "chatgpt-vscode";
           publisher = "genieai";
-          version = "0.0.7";
-          sha256 = "sha256-dWp9OYj9OCsNdZiYbgAWWo/OXMjBSlB7sIupdqnQTiU=";
+          version = "0.0.8";
+          sha256 = "RKvmZkegFs4y+sEVaamPRO1F1E+k4jJyI0Q9XqKowrQ=";
         };
       };
 
       github.codespaces = buildVscodeMarketplaceExtension {
         mktplcRef = {
           publisher = "github";
           name = "codespaces";
-          version = "1.14.1";
-          sha256 = "sha256-oiAn/tW4jfccsY8zH6L7UzldeM7sV9tllSvgZD8c9aY=";
+          version = "1.14.7";
+          sha256 = "pcZGMxTVnMeD6rnNV0d9Wysk6MrYiYcJ+byuH9VR0ds=";
         };
         meta = { license = lib.licenses.unfree; };
       };
@@ -1350,8 +1350,8 @@ let
         mktplcRef = {
           publisher = "github";
           name = "copilot";
-          version = "1.78.9758";
-          sha256 = "sha256-qIaaM72SenMv+vtkTMBodD2JsroZLpw8qEttr5aIDQk=";
+          version = "1.86.82";
+          sha256 = "isaqjrAmu/08gnNKQPeMV4Xc8u0Hx8gB2c78WE54kYQ=";
         };
         meta = {
           description = "GitHub Copilot uses OpenAI Codex to suggest code and entire functions in real-time right from your editor.";
@@ -1404,8 +1404,8 @@ let
           # the VSCode Marketplace and use a calver scheme. We should avoid
           # using preview versions, because they can require insider versions
           # of VS Code
-          version = "0.60.0";
-          sha256 = "sha256-VAoKNRYrzUXUQSDAX8NM17aknCUxMRsTRd5adQu+w/s=";
+          version = "0.64.0";
+          sha256 = "tgQD3o5uMbWofVx7FPyWT1yaeu2e4aPxterN4yXA33U=";
         };
         meta = { license = lib.licenses.mit; };
       };
@@ -1614,8 +1614,8 @@ let
         mktplcRef = {
           name = "latex-workshop";
           publisher = "James-Yu";
-          version = "9.8.1";
-          sha256 = "sha256-89jP/kd5A6UQOcln9mb6DGvWQD8CiKcg+YYRpzZIDJQ=";
+          version = "9.10.0";
+          sha256 = "s0+8952svPSA69M4H29zuIxUWV6xNRpIqLNd8pzGJhY=";
         };
         meta = {
           changelog = "https://marketplace.visualstudio.com/items/James-Yu.latex-workshop/changelog";

pkgs/applications/misc/dunst/default.nix

@@ -1,5 +1,5 @@
 { stdenv, lib, fetchFromGitHub, makeWrapper
-, pkg-config, which, perl, jq, libXrandr
+, pkg-config, which, perl, jq, libXrandr, coreutils
 , cairo, dbus, systemd, gdk-pixbuf, glib, libX11, libXScrnSaver
 , wayland, wayland-protocols
 , libXinerama, libnotify, pango, xorgproto, librsvg
@@ -39,6 +39,9 @@ stdenv.mkDerivation rec {
     wrapProgram $out/bin/dunst \
       --set GDK_PIXBUF_MODULE_FILE "$GDK_PIXBUF_MODULE_FILE"
 
+    wrapProgram $out/bin/dunstctl \
+      --prefix PATH : "${lib.makeBinPath [ coreutils dbus ]}"
+
     install -D contrib/_dunst.zshcomp $out/share/zsh/site-functions/_dunst
     install -D contrib/_dunstctl.zshcomp $out/share/zsh/site-functions/_dunstctl
     substituteInPlace $out/share/zsh/site-functions/_dunstctl \

pkgs/applications/misc/klipperscreen/default.nix

@@ -1,28 +1,54 @@
-{ lib, stdenv, writeText, python3Packages, fetchFromGitHub, gtk3, gobject-introspection, gdk-pixbuf, wrapGAppsHook, librsvg }:
-python3Packages.buildPythonPackage rec {
+{ lib
+, python3
+, fetchFromGitHub
+, wrapGAppsHook
+, gobject-introspection
+, gitUpdater
+}: python3.pkgs.buildPythonApplication rec {
   pname = "KlipperScreen";
   version = "0.3.2";
+  format = "other";
 
   src = fetchFromGitHub {
     owner = "jordanruthe";
-    repo = pname;
+    repo = "KlipperScreen";
     rev = "v${version}";
     hash = "sha256-LweO5EVWr3OxziHrjtQDdWyUBCVUJ17afkw7RCZWgcg=";
   };
-  patches = [ ./fix-paths.diff ];
 
-  buildInputs = [ gtk3 librsvg ];
-  nativeBuildInputs = [ wrapGAppsHook gdk-pixbuf gobject-introspection ];
+  nativeBuildInputs = [
+    gobject-introspection
+    wrapGAppsHook
+  ];
 
-  propagatedBuildInputs = with python3Packages; [ jinja2 netifaces requests websocket-client pycairo pygobject3 mpv six dbus-python numpy pycairo ];
+  pythonPath = with python3.pkgs; [
+    jinja2
+    netifaces
+    requests
+    websocket-client
+    pycairo
+    pygobject3
+    mpv
+    six
+    dbus-python
+  ];
 
-  preBuild = ''
-    ln -s ${./setup.py} setup.py
+  dontWrapGApps = true;
+
+  preFixup = ''
+    mkdir -p $out/bin
+    cp -r . $out/dist
+    gappsWrapperArgs+=(--set PYTHONPATH "$PYTHONPATH")
+    wrapGApp $out/dist/screen.py
+    ln -s $out/dist/screen.py $out/bin/KlipperScreen
   '';
 
+  passthru.updateScript = gitUpdater { url = meta.homepage; };
+
   meta = with lib; {
     description = "Touchscreen GUI for the Klipper 3D printer firmware";
-    homepage = "https://github.com/jordanruthe/${pname}";
+    homepage = "https://github.com/jordanruthe/KlipperScreen";
     license = licenses.agpl3;
+    maintainers = with maintainers; [ cab404 ];
   };
 }