diff options
-rw-r--r-- | nixos/modules/services/web-apps/limesurvey.nix | 78 | ||||
-rw-r--r-- | nixos/tests/limesurvey.nix | 6 | ||||
-rw-r--r-- | pkgs/applications/networking/instant-messengers/discord/default.nix | 32 | ||||
-rw-r--r-- | pkgs/applications/virtualization/singularity/packages.nix | 6 | ||||
-rw-r--r-- | pkgs/by-name/go/google-chrome/package.nix | 4 | ||||
-rw-r--r-- | pkgs/development/haskell-modules/configuration-common.nix | 8 | ||||
-rw-r--r-- | pkgs/development/libraries/libndp/default.nix | 11 | ||||
-rw-r--r-- | pkgs/development/tools/documentation/doxygen/default.nix | 9 | ||||
-rw-r--r-- | pkgs/os-specific/linux/freeipa/default.nix | 4 | ||||
-rw-r--r-- | pkgs/servers/monitoring/grafana/default.nix | 6 | ||||
-rw-r--r-- | pkgs/servers/sql/mysql/8.0.x.nix | 4 | ||||
-rw-r--r-- | pkgs/tools/networking/netbird/default.nix | 6 |
12 files changed, 132 insertions, 42 deletions
diff --git a/nixos/modules/services/web-apps/limesurvey.nix b/nixos/modules/services/web-apps/limesurvey.nix index 920e6928ef5ce..ac6a1fc2bf8f7 100644 --- a/nixos/modules/services/web-apps/limesurvey.nix +++ b/nixos/modules/services/web-apps/limesurvey.nix @@ -20,7 +20,15 @@ let limesurveyConfig = pkgs.writeText "config.php" '' <?php - return json_decode('${builtins.toJSON cfg.config}', true); + return \array_merge( + \json_decode('${builtins.toJSON cfg.config}', true), + [ + 'config' => [ + 'encryptionnonce' => \trim(\file_get_contents(\getenv('CREDENTIALS_DIRECTORY') . DIRECTORY_SEPARATOR . 'encryption_nonce')), + 'encryptionsecretboxkey' => \trim(\file_get_contents(\getenv('CREDENTIALS_DIRECTORY') . DIRECTORY_SEPARATOR . 'encryption_key')), + ] + ] + ); ?> ''; @@ -35,8 +43,9 @@ in enable = mkEnableOption (lib.mdDoc "Limesurvey web application"); encryptionKey = mkOption { - type = types.str; - default = "E17687FC77CEE247F0E22BB3ECF27FDE8BEC310A892347EC13013ABA11AA7EB5"; + type = types.nullOr types.str; + default = null; + visible = false; description = lib.mdDoc '' This is a 32-byte key used to encrypt variables in the database. You _must_ change this from the default value. @@ -44,14 +53,35 @@ in }; encryptionNonce = mkOption { - type = types.str; - default = "1ACC8555619929DB91310BE848025A427B0F364A884FFA77"; + type = types.nullOr types.str; + default = null; + visible = false; description = lib.mdDoc '' This is a 24-byte nonce used to encrypt variables in the database. You _must_ change this from the default value. ''; }; + encryptionKeyFile = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc '' + 32-byte key used to encrypt variables in the database. + + Note: It should be string not a store path in order to prevent the password from being world readable + ''; + }; + + encryptionNonceFile = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc '' + 24-byte used to encrypt variables in the database. + + Note: It should be string not a store path in order to prevent the password from being world readable + ''; + }; + database = { type = mkOption { type = types.enum [ "mysql" "pgsql" "odbc" "mssql" ]; @@ -183,6 +213,22 @@ in { assertion = cfg.database.createLocally -> cfg.database.passwordFile == null; message = "a password cannot be specified if services.limesurvey.database.createLocally is set to true"; } + { assertion = cfg.encryptionKey != null || cfg.encryptionKeyFile != null; + message = '' + You must set `services.limesurvey.encryptionKeyFile` to a file containing a 32-character uppercase hex string. + + If this message appears when updating your system, please turn off encryption + in the LimeSurvey interface and create backups before filling the key. + ''; + } + { assertion = cfg.encryptionNonce != null || cfg.encryptionNonceFile != null; + message = '' + You must set `services.limesurvey.encryptionNonceFile` to a file containing a 24-character uppercase hex string. + + If this message appears when updating your system, please turn off encryption + in the LimeSurvey interface and create backups before filling the nonce. + ''; + } ]; services.limesurvey.config = mapAttrs (name: mkDefault) { @@ -204,8 +250,6 @@ in config = { tempdir = "${stateDir}/tmp"; uploaddir = "${stateDir}/upload"; - encryptionnonce = cfg.encryptionNonce; - encryptionsecretboxkey = cfg.encryptionKey; force_ssl = mkIf (cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL) "on"; config.defaultlang = "en"; }; @@ -229,11 +273,26 @@ in phpPackage = pkgs.php81; phpEnv.DBENGINE = "${cfg.database.dbEngine}"; phpEnv.LIMESURVEY_CONFIG = "${limesurveyConfig}"; + # App code cannot access credentials directly since the service starts + # with the root user so we copy the credentials to a place accessible to Limesurvey + phpEnv.CREDENTIALS_DIRECTORY = "${stateDir}/credentials"; settings = { "listen.owner" = config.services.httpd.user; "listen.group" = config.services.httpd.group; } // cfg.poolConfig; }; + systemd.services.phpfpm-limesurvey.serviceConfig = { + ExecStartPre = pkgs.writeShellScript "limesurvey-phpfpm-exec-pre" '' + cp -f "''${CREDENTIALS_DIRECTORY}"/encryption_key "${stateDir}/credentials/encryption_key" + chown ${user}:${group} "${stateDir}/credentials/encryption_key" + cp -f "''${CREDENTIALS_DIRECTORY}"/encryption_nonce "${stateDir}/credentials/encryption_nonce" + chown ${user}:${group} "${stateDir}/credentials/encryption_nonce" + ''; + LoadCredential = [ + "encryption_key:${if cfg.encryptionKeyFile != null then cfg.encryptionKeyFile else pkgs.writeText "key" cfg.encryptionKey}" + "encryption_nonce:${if cfg.encryptionNonceFile != null then cfg.encryptionNonceFile else pkgs.writeText "nonce" cfg.encryptionKey}" + ]; + }; services.httpd = { enable = true; @@ -277,6 +336,7 @@ in "d ${stateDir}/tmp/assets 0750 ${user} ${group} - -" "d ${stateDir}/tmp/runtime 0750 ${user} ${group} - -" "d ${stateDir}/tmp/upload 0750 ${user} ${group} - -" + "d ${stateDir}/credentials 0700 ${user} ${group} - -" "C ${stateDir}/upload 0750 ${user} ${group} - ${pkg}/share/limesurvey/upload" ]; @@ -295,6 +355,10 @@ in User = user; Group = group; Type = "oneshot"; + LoadCredential = [ + "encryption_key:${if cfg.encryptionKeyFile != null then cfg.encryptionKeyFile else pkgs.writeText "key" cfg.encryptionKey}" + "encryption_nonce:${if cfg.encryptionNonceFile != null then cfg.encryptionNonceFile else pkgs.writeText "nonce" cfg.encryptionKey}" + ]; }; }; diff --git a/nixos/tests/limesurvey.nix b/nixos/tests/limesurvey.nix index 9a3193991f352..87e9fe1cdc149 100644 --- a/nixos/tests/limesurvey.nix +++ b/nixos/tests/limesurvey.nix @@ -1,6 +1,6 @@ -import ./make-test-python.nix ({ pkgs, ... }: { +import ./make-test-python.nix ({ lib, pkgs, ... }: { name = "limesurvey"; - meta.maintainers = [ pkgs.lib.maintainers.aanderse ]; + meta.maintainers = [ lib.maintainers.aanderse ]; nodes.machine = { ... }: { services.limesurvey = { @@ -9,6 +9,8 @@ import ./make-test-python.nix ({ pkgs, ... }: { hostName = "example.local"; adminAddr = "root@example.local"; }; + encryptionKeyFile = pkgs.writeText "key" (lib.strings.replicate 32 "0"); + encryptionNonceFile = pkgs.writeText "nonce" (lib.strings.replicate 24 "0"); }; # limesurvey won't work without a dot in the hostname diff --git a/pkgs/applications/networking/instant-messengers/discord/default.nix b/pkgs/applications/networking/instant-messengers/discord/default.nix index d5496c104c001..7d77818578012 100644 --- a/pkgs/applications/networking/instant-messengers/discord/default.nix +++ b/pkgs/applications/networking/instant-messengers/discord/default.nix @@ -2,52 +2,52 @@ let versions = if stdenv.isLinux then { - stable = "0.0.56"; - ptb = "0.0.90"; - canary = "0.0.422"; - development = "0.0.19"; + stable = "0.0.58"; + ptb = "0.0.92"; + canary = "0.0.438"; + development = "0.0.21"; } else { - stable = "0.0.307"; - ptb = "0.0.119"; - canary = "0.0.531"; - development = "0.0.41"; + stable = "0.0.309"; + ptb = "0.0.121"; + canary = "0.0.547"; + development = "0.0.43"; }; version = versions.${branch}; srcs = rec { x86_64-linux = { stable = fetchurl { url = "https://dl.discordapp.net/apps/linux/${version}/discord-${version}.tar.gz"; - hash = "sha256-HpdsvzWtB4AoqZXf7LV0J50/OQDsYgK8bkQ1HGvu7Ec="; + hash = "sha256-YkyniFgkD4GMxUya+/Ke5fxosZKHKyc4+cAx3HI4w8c="; }; ptb = fetchurl { url = "https://dl-ptb.discordapp.net/apps/linux/${version}/discord-ptb-${version}.tar.gz"; - hash = "sha256-75YnLhgNTd7pwpTE9qSIF0rzBwmGJ/CYa+YgN3OQZ2w="; + hash = "sha256-1HbTRWl1w9cu7D4NNFGVbHk1hvRmMywH+q2qA4+nokc="; }; canary = fetchurl { url = "https://dl-canary.discordapp.net/apps/linux/${version}/discord-canary-${version}.tar.gz"; - hash = "sha256-MTC079WTN0Vw57aLro1WkHRL09IKYjnUsfBAMiiHjI0="; + hash = "sha256-z2SsI1vmaW1HjBDkJEH468xPuyAqigOIbRDtaL4Lgxc="; }; development = fetchurl { url = "https://dl-development.discordapp.net/apps/linux/${version}/discord-development-${version}.tar.gz"; - hash = "sha256-RP6SUM4DW3JhddSbJX6Xg8EE4iqCkSOgBL1oa7Zwp/E="; + hash = "sha256-LgRrQ2z0/mx9Xvkb7hOrhmOqaETiBITgJDO9vce/wtk="; }; }; x86_64-darwin = { stable = fetchurl { url = "https://dl.discordapp.net/apps/osx/${version}/Discord.dmg"; - hash = "sha256-FBYxQhtwctMQ8ByOgAVncWh5297k1Vh95w/rWnZg9Fw="; + hash = "sha256-9Tfn+dxvhgNjSdfj8Irb/5VU3kn39DX6hdKkppJ6HeU="; }; ptb = fetchurl { url = "https://dl-ptb.discordapp.net/apps/osx/${version}/DiscordPTB.dmg"; - hash = "sha256-Y5t6ndecfRf3zVfYEvFGiFinQxRSa7VyfnkAors8VPY="; + hash = "sha256-3Lk+kPZcBqznIELVMdA6dRpCOaOuRrchmfHv/EAyyOQ="; }; canary = fetchurl { url = "https://dl-canary.discordapp.net/apps/osx/${version}/DiscordCanary.dmg"; - hash = "sha256-eMJ/OKi+k92QEk140UW3RIi5G/UFlR6mW9f8kPZbFaw="; + hash = "sha256-ec2XF3023bQn/85i1xO8tTuYuprtsaL9exqRiZam36A="; }; development = fetchurl { url = "https://dl-development.discordapp.net/apps/osx/${version}/DiscordDevelopment.dmg"; - hash = "sha256-RiGyca/zjPpENgcq9KnRh5G4YArrUOQeueUdUBgZgjo="; + hash = "sha256-PZS7LHJExi+fb7G4CnIFk4KQx9/cL4ALXwzOcLx4sWU="; }; }; aarch64-darwin = x86_64-darwin; diff --git a/pkgs/applications/virtualization/singularity/packages.nix b/pkgs/applications/virtualization/singularity/packages.nix index 80e7d2c2a39f4..4552cc979648a 100644 --- a/pkgs/applications/virtualization/singularity/packages.nix +++ b/pkgs/applications/virtualization/singularity/packages.nix @@ -7,20 +7,20 @@ let apptainer = callPackage (import ./generic.nix rec { pname = "apptainer"; - version = "1.2.5"; + version = "1.3.2"; projectName = "apptainer"; src = fetchFromGitHub { owner = "apptainer"; repo = "apptainer"; rev = "refs/tags/v${version}"; - hash = "sha256-1XuqyNXyYrmIfqp8450z8+qET15hKVfj2v2iN9QPmDk="; + hash = "sha256-NseigaPmRKDsBk8v7RpYf+uoEGvQHVnqOMO49kP0mQ8="; }; # Update by running # nix-prefetch -E "{ sha256 }: ((import ./. { }).apptainer.override { vendorHash = sha256; }).goModules" # at the root directory of the Nixpkgs repository - vendorHash = "sha256-Y0gOqg+WGgssXGEYHc9IFwiIpkb3hetlQI89vseAQPc="; + vendorHash = "sha256-W853++SSvkAYYUczbl8vnoBQZnimUdsAEXp4MCkLPBU="; extraDescription = " (previously known as Singularity)"; extraMeta.homepage = "https://apptainer.org"; diff --git a/pkgs/by-name/go/google-chrome/package.nix b/pkgs/by-name/go/google-chrome/package.nix index 1a7cfc71075fb..a5a1ad6e24114 100644 --- a/pkgs/by-name/go/google-chrome/package.nix +++ b/pkgs/by-name/go/google-chrome/package.nix @@ -64,11 +64,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "google-chrome"; - version = "126.0.6478.114"; + version = "126.0.6478.126"; src = fetchurl { url = "https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${finalAttrs.version}-1_amd64.deb"; - hash = "sha256-CGqo6XnUwndOjODOxy+TCGxDXbAz4EwkZMOl7ZLFsAc="; + hash = "sha256-PsHK27Vc9mzFHwQh6s4ySoiDbuLZgrlFuPZ6PxMbCSQ="; }; nativeBuildInputs = [ patchelf makeWrapper ]; diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 6cc22008ab8b5..2ef46e1200bfe 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -1894,7 +1894,13 @@ self: super: { install -Dm 555 '${self.pandoc}'/share/man/man1/* -t "$out"/share/man/man1/ '' + (old.postInstall or ""); }) (super.pandoc-cli.overrideScope pandoc-cli-overlay); - pandoc_3_1_9 = doDistribute (super.pandoc_3_1_9.overrideScope pandoc-cli-overlay); + pandoc_3_1_9 = appendPatches [ + (fetchpatch { + name = "drop-usage-known-bad-actor-cdn.patch"; + url = "https://github.com/jgm/pandoc/commit/5877ec546df29115163b36de32837f5e08506092.patch"; + hash = "sha256-2ffdL2dS/hHWBjJcIHbae5OdL/VKlHNKUMDHRy3hqvc="; + }) + ] (doDistribute (super.pandoc_3_1_9.overrideScope pandoc-cli-overlay)); pandoc-lua-engine = super.pandoc-lua-engine.overrideScope pandoc-cli-overlay; }) pandoc-cli diff --git a/pkgs/development/libraries/libndp/default.nix b/pkgs/development/libraries/libndp/default.nix index 6109c48b036e0..0a8984dc90aac 100644 --- a/pkgs/development/libraries/libndp/default.nix +++ b/pkgs/development/libraries/libndp/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl, autoreconfHook }: +{ lib, stdenv, fetchurl, fetchpatch, autoreconfHook }: stdenv.mkDerivation rec { pname = "libndp"; @@ -9,6 +9,15 @@ stdenv.mkDerivation rec { sha256 = "sha256-iP+2buLrUn8Ub1wC9cy8OLqX0rDVfrRr+6SIghqwwCs="; }; + patches = [ + (fetchpatch { + # https://github.com/jpirko/libndp/issues/26 + name = "CVE-2024-5564.patch"; + url = "https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af.patch"; + hash = "sha256-O7AHjCqic7iUfMbKYLGgBAU+wdR9/MDWxBWJw+CFn/c="; + }) + ]; + nativeBuildInputs = [ autoreconfHook ]; meta = with lib; { diff --git a/pkgs/development/tools/documentation/doxygen/default.nix b/pkgs/development/tools/documentation/doxygen/default.nix index d735637cb53d3..5b026cda2cfc4 100644 --- a/pkgs/development/tools/documentation/doxygen/default.nix +++ b/pkgs/development/tools/documentation/doxygen/default.nix @@ -2,6 +2,7 @@ , stdenv , cmake , fetchFromGitHub +, fetchpatch , python3 , flex , bison @@ -22,6 +23,14 @@ stdenv.mkDerivation rec { sha256 = "sha256-ezeMQk+Vyi9qNsYwbaRRruaIYGY8stFf71W7GonXqco="; }; + patches = [ + (fetchpatch { + name = "drop-usage-bad-actor-polyfill.io.patch"; + url = "https://github.com/doxygen/doxygen/commit/41e3eeed6d7c34d14f072cbfea5fe418fc65a760.patch"; + hash = "sha256-vtuVO6v2Hccm2W+Ilv3a2kmBMrRyYLCYVWLyZKx0s7s="; + }) + ]; + nativeBuildInputs = [ cmake python3 diff --git a/pkgs/os-specific/linux/freeipa/default.nix b/pkgs/os-specific/linux/freeipa/default.nix index e94f6370da984..16cffb1de5a70 100644 --- a/pkgs/os-specific/linux/freeipa/default.nix +++ b/pkgs/os-specific/linux/freeipa/default.nix @@ -64,11 +64,11 @@ let in stdenv.mkDerivation rec { pname = "freeipa"; - version = "4.11.1"; + version = "4.11.2"; src = fetchurl { url = "https://releases.pagure.org/freeipa/freeipa-${version}.tar.gz"; - sha256 = "sha256-Ubq2xAqBvjUwrzD2R6tB0i1WsdA0Y0jnJLgi4p4r8D4="; + hash = "sha256-qrMdseQMTX82qKQldIlbYuhkPqGigULbKdZDYVVBWpQ="; }; nativeBuildInputs = [ diff --git a/pkgs/servers/monitoring/grafana/default.nix b/pkgs/servers/monitoring/grafana/default.nix index 3e54db3d2f6f3..2eda8e5f25b9f 100644 --- a/pkgs/servers/monitoring/grafana/default.nix +++ b/pkgs/servers/monitoring/grafana/default.nix @@ -2,7 +2,7 @@ buildGoModule rec { pname = "grafana"; - version = "10.2.7"; + version = "10.2.8"; excludedPackages = [ "alert_webhook_listener" "clean-swagger" "release_publisher" "slow_proxy" "slow_proxy_mac" "macaron" "devenv" "modowners" ]; @@ -10,12 +10,12 @@ buildGoModule rec { owner = "grafana"; repo = "grafana"; rev = "v${version}"; - hash = "sha256-eiCkm/Bgr+681muDU2Dvw9oFz+dP3FQ+QOtokbtlK3c="; + hash = "sha256-dHArb9GuYhzOPaJpcMZseEuMDIe3guiqsMZXb1W2tpQ="; }; srcStatic = fetchurl { url = "https://dl.grafana.com/oss/release/grafana-${version}.linux-amd64.tar.gz"; - hash = "sha256-2vy3YqfdJ4I+ywAIPC90qp9OYDm7SNOfm/3PAeXPfu0="; + hash = "sha256-V+EvW9m9HmU52XhYFnQCSyuGEJJ9BDsR32BrsgVOq98="; }; vendorHash = "sha256-luPNBOyWw+fMEtvuP4XHEEh9J+srlSACwWhE5yDuZz0="; diff --git a/pkgs/servers/sql/mysql/8.0.x.nix b/pkgs/servers/sql/mysql/8.0.x.nix index 521e748198a36..2d784ce7450a8 100644 --- a/pkgs/servers/sql/mysql/8.0.x.nix +++ b/pkgs/servers/sql/mysql/8.0.x.nix @@ -5,11 +5,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "mysql"; - version = "8.0.36"; + version = "8.0.37"; src = fetchurl { url = "https://dev.mysql.com/get/Downloads/MySQL-${lib.versions.majorMinor finalAttrs.version}/mysql-${finalAttrs.version}.tar.gz"; - hash = "sha256-9PJwa5WKinOA72yVjdlyMHvb7qRR76/DQuTEbim36d0="; + hash = "sha256-4GOgkazZ7EC7BfLATfZPiZan5OJuiDu2UChJ1fa0pho="; }; nativeBuildInputs = [ bison cmake pkg-config ] diff --git a/pkgs/tools/networking/netbird/default.nix b/pkgs/tools/networking/netbird/default.nix index 24d7b5938be91..2051cc6e943d3 100644 --- a/pkgs/tools/networking/netbird/default.nix +++ b/pkgs/tools/networking/netbird/default.nix @@ -31,16 +31,16 @@ let in buildGoModule rec { pname = "netbird"; - version = "0.27.10"; + version = "0.28.3"; src = fetchFromGitHub { owner = "netbirdio"; repo = pname; rev = "v${version}"; - hash = "sha256-eliLEyw++NE+OTu4TNJWLptPDVCYUySRciBRoebmXYc="; + hash = "sha256-ue5vMZNLeDAtCa/BzX4aMEcmnxcN41hbmccME8I6VYk="; }; - vendorHash = "sha256-gV/Jx5QEVw2PjMP3BRkZCZ0lo5i8DUddSs+yntfBcTM="; + vendorHash = "sha256-/RfEjTB2n9URhcagasN6yYaejLviv7kHodPo0Y+k3mo="; nativeBuildInputs = [ installShellFiles ] ++ lib.optional ui pkg-config; |