Merge branch 'NixOS:master' into chore/update-slint-lsp

.github/ISSUE_TEMPLATE.md

@@ -8,4 +8,4 @@
 
 ## Technical details
 
-Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.
+<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->

.github/ISSUE_TEMPLATE/bug_report.md

@@ -33,12 +33,8 @@ If in doubt, check `git blame` for whoever last touched something.
 -->
 
 ### Metadata
-Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.
 
-```console
-[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
-output here
-```
+<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
 
 ---
 

.github/ISSUE_TEMPLATE/build_failure.md

@@ -31,12 +31,7 @@ If in doubt, check `git blame` for whoever last touched something.
 
 ### Metadata
 
-Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.
-
-```console
-[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
-output here
-```
+<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
 
 ---
 

.github/workflows/codeowners.yml → .github/workflows/codeowners-v2.yml

@@ -1,17 +1,32 @@
-name: Codeowners
+name: Codeowners v2
 
-# This workflow depends on a GitHub App with the following permissions:
-# - Repository > Administration: read-only
-# - Organization > Members: read-only
-# - Repository > Pull Requests: read-write
-# The App needs to be installed on this repository
-# the OWNER_APP_ID repository variable needs to be set
-# the OWNER_APP_PRIVATE_KEY repository secret needs to be set
+# This workflow depends on two GitHub Apps with the following permissions:
+# - For checking code owners:
+#   - Permissions:
+#     - Repository > Administration: read-only
+#     - Organization > Members: read-only
+#   - Install App on this repository, setting these variables:
+#     - OWNER_RO_APP_ID (variable)
+#     - OWNER_RO_APP_PRIVATE_KEY (secret)
+# - For requesting code owners:
+#   - Permissions:
+#     - Repository > Administration: read-only
+#     - Organization > Members: read-only
+#     - Repository > Pull Requests: read-write
+#   - Install App on this repository, setting these variables:
+#     - OWNER_APP_ID (variable)
+#     - OWNER_APP_PRIVATE_KEY (secret)
+#
+# This split is done because checking code owners requires handling untrusted PR input,
+# while requesting code owners requires PR write access, and those shouldn't be mixed.
 
 on:
   pull_request_target:
     types: [opened, ready_for_review, synchronize, reopened, edited]
 
+# We don't need any default GitHub token
+permissions: {}
+
 env:
   OWNERS_FILE: ci/OWNERS
   # Don't do anything on draft PRs
@@ -45,8 +60,8 @@ jobs:
     - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
       id: app-token
       with:
-        app-id: ${{ vars.OWNER_APP_ID }}
-        private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+        app-id: ${{ vars.OWNER_RO_APP_ID }}
+        private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
 
     - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
       with:

.github/workflows/editorconfig.yml → .github/workflows/editorconfig-v2.yml

@@ -1,6 +1,8 @@
-name: "Checking EditorConfig"
+name: "Checking EditorConfig v2"
 
-permissions: read-all
+permissions:
+  pull-requests: read
+  contents: read
 
 on:
   # avoids approving first time contributors

.github/workflows/manual-nixos.yml → .github/workflows/manual-nixos-v2.yml

@@ -1,6 +1,7 @@
-name: "Build NixOS manual"
+name: "Build NixOS manual v2"
 
-permissions: read-all
+permissions:
+  contents: read
 
 on:
   pull_request_target:

.github/workflows/manual-nixpkgs.yml → .github/workflows/manual-nixpkgs-v2.yml

@@ -1,6 +1,7 @@
-name: "Build Nixpkgs manual"
+name: "Build Nixpkgs manual v2"
 
-permissions: read-all
+permissions:
+  contents: read
 
 on:
   pull_request_target:

.github/workflows/nix-parse.yml → .github/workflows/nix-parse-v2.yml

@@ -1,6 +1,8 @@
-name: "Check whether nix files are parseable"
+name: "Check whether nix files are parseable v2"
 
-permissions: read-all
+permissions:
+  pull-requests: read
+  contents: read
 
 on:
   # avoids approving first time contributors

ci/OWNERS

@@ -11,13 +11,13 @@
 # - There is no need for user/team listed here to have write access.
 # - No reviews will be requested for PRs that target the wrong base branch.
 #
-# Processing of this file is implemented in workflows/codeowners.yml
+# Processing of this file is implemented in workflows/codeowners-v2.yml
 
 # CI
 /.github/workflows @NixOS/Security @Mic92 @zowoq
 /.github/workflows/check-nix-format.yml @infinisil
 /.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron
-/.github/workflows/codeowners.yml @infinisil
+/.github/workflows/codeowners-v2.yml @infinisil
 /ci/OWNERS @infinisil
 /ci @infinisil @philiptaron @NixOS/Security
 
@@ -173,7 +173,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /pkgs/development/r-modules         @jbedo
 
 # Rust
-/pkgs/development/compilers/rust @Mic92 @zowoq @winterqt @figsoda
+/pkgs/development/compilers/rust @alyssais @Mic92 @zowoq @winterqt @figsoda
 /pkgs/build-support/rust @zowoq @winterqt @figsoda
 /doc/languages-frameworks/rust.section.md @zowoq @winterqt @figsoda
 

doc/build-helpers/special/vm-tools.section.md

@@ -125,6 +125,8 @@ A set of functions that build a predefined set of minimal Linux distributions im
   * `debian10x86_64`
   * `debian11i386`
   * `debian11x86_64`
+  * `debian12i386`
+  * `debian12x86_64`
 
 ### Attributes {#vm-tools-diskImageFuns-attributes}
 

doc/languages-frameworks/javascript.section.md

@@ -428,7 +428,26 @@ NOTE: It is highly recommended to use a pinned version of pnpm (i.e. `pnpm_8` or
 
 In case you are patching `package.json` or `pnpm-lock.yaml`, make sure to pass `finalAttrs.patches` to the function as well (i.e. `inherit (finalAttrs) patches`.
 
-`pnpm.configHook` supports adding additional `pnpm install` flags via `pnpmInstallFlags` which can be set to a Nix string array.
+`pnpm.configHook` supports adding additional `pnpm install` flags via `pnpmInstallFlags` which can be set to a Nix string array:
+
+```nix
+{
+  pnpm,
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "foo";
+  version = "0-unstable-1980-01-01";
+
+  src = ...;
+
+  pnpmInstallFlags = [ "--shamefully-hoist" ];
+
+  pnpmDeps = pnpm.fetchDeps {
+    inherit (finalAttrs) pnpmInstallFlags;
+  };
+})
+```
 
 #### Dealing with `sourceRoot` {#javascript-pnpm-sourceRoot}
 
@@ -459,24 +478,24 @@ Assuming the following directory structure, we can define `sourceRoot` and `pnpm
 
 #### PNPM Workspaces {#javascript-pnpm-workspaces}
 
-If you need to use a PNPM workspace for your project, then set `pnpmWorkspace = "<workspace project name>"` in your `pnpm.fetchDeps` call,
-which will make PNPM only install dependencies for that workspace package.
+If you need to use a PNPM workspace for your project, then set `pnpmWorkspaces = [ "<workspace project name 1>" "<workspace project name 2>" ]`, etc, in your `pnpm.fetchDeps` call,
+which will make PNPM only install dependencies for those workspace packages.
 
 For example:
 
 ```nix
 ...
-pnpmWorkspace = "@astrojs/language-server";
+pnpmWorkspaces = [ "@astrojs/language-server" ];
 pnpmDeps = pnpm.fetchDeps {
-  inherit (finalAttrs) pnpmWorkspace;
+  inherit (finalAttrs) pnpmWorkspaces;
   ...
 }
 ```
 
 The above would make `pnpm.fetchDeps` call only install dependencies for the `@astrojs/language-server` workspace package.
 Note that you do not need to set `sourceRoot` to make this work.
 
-Usually in such cases, you'd want to use `pnpm --filter=$pnpmWorkspace build` to build your project, as `npmHooks.npmBuildHook` probably won't work. A `buildPhase` based on the following example will probably fit most workspace projects:
+Usually in such cases, you'd want to use `pnpm --filter=<pnpm workspace name> build` to build your project, as `npmHooks.npmBuildHook` probably won't work. A `buildPhase` based on the following example will probably fit most workspace projects:
 
 ```nix
 buildPhase = ''

maintainers/maintainer-list.nix

@@ -8625,6 +8625,12 @@
     githubId = 6430643;
     name = "Henry Till";
   };
+  hensoko = {
+    email = "hensoko@pub.solar";
+    github = "hensoko";
+    githubId = 13552930;
+    name = "hensoko";
+  };
   heph2 = {
     email = "srht@mrkeebs.eu";
     github = "heph2";
@@ -23179,6 +23185,17 @@
     githubId = 36118348;
     keys = [ { fingerprint = "69C9 876B 5797 1B2E 11C5  7C39 80A1 F76F C9F9 54AE"; } ];
   };
+  wizardlink = {
+    name = "wizardlink";
+    email = "contact@thewizard.link";
+    github = "wizardlink";
+    githubId = 26727907;
+    keys = [
+      {
+        fingerprint = "A1D3 A2B4 E14B D7C0 445B  B749 A576 7B54 367C FBDF";
+      }
+    ];
+  };
   wizeman = {
     email = "rcorreia@wizy.org";
     github = "wizeman";

maintainers/scripts/rebuild-amount.sh

@@ -81,11 +81,13 @@ newPkgs() {
     # could eat too much memory for a standard 4GiB machine.
     local -a list
     for i in 1 2; do
-        local l="$($MKTEMP)"
+        local l
+        l="$($MKTEMP)"
         list[$i]="$l"
         toRemove+=("$l")
 
-        local expr="$($MKTEMP)"
+        local expr
+        expr="$($MKTEMP)"
         toRemove+=("$expr")
         nixexpr "${!i}" > "$expr"
 

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -48,7 +48,7 @@
 
 - The Rust rewrite of the `switch-to-configuration` program is now used for system activation by default.
   If you experience any issues, please report them.
-  The original Perl script can still be used for now by setting `system.switch.enableNg` to `false`.
+  The original Perl script is deprecated and is planned for removal in the 25.05 release. It will remain accessible until then by setting `system.switch.enableNg` to `false`.
 
 - Support for mounting filesystems from block devices protected with [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html)
   was added through the `boot.initrd.systemd.dmVerity` option.
@@ -312,6 +312,14 @@
 - The method to safely handle secrets in the `networking.wireless` module has been changed to benefit from a [new feature](https://w1.fi/cgit/hostap/commit/?id=e680a51e94a33591f61edb210926bcb71217a21a) of wpa_supplicant.
   The syntax to refer to secrets has changed slightly and the option `networking.wireless.environmentFile` has been replaced by `networking.wireless.secretsFile`; see the description of the latter for how to upgrade.
 
+- NetBox was updated to `>= 4.1.0`.
+  Have a look at the breaking changes
+  of the [4.0 release](https://github.com/netbox-community/netbox/releases/tag/v4.0.0)
+  and the [4.1 release](https://github.com/netbox-community/netbox/releases/tag/v4.1.0),
+  make the required changes to your database, if needed,
+  then upgrade by setting `services.netbox.package = pkgs.netbox_4_1;`
+  in your configuration.
+
 - `services.cgit` now runs as the cgit user by default instead of root.
   This change requires granting access to the repositories to this user or
   setting the appropriate one through `services.cgit.some-instance.user`.

nixos/modules/config/resolvconf.nix

@@ -161,9 +161,12 @@ in
 
         script = ''
           ${lib.getExe cfg.package} -u
-          files=(/run/resolvconf ${lib.escapeShellArgs cfg.subscriberFiles})
-          chgrp -R resolvconf "''${files[@]}"
-          chmod -R g=u "''${files[@]}"
+          chgrp resolvconf ${lib.escapeShellArgs cfg.subscriberFiles}
+          chmod g=u ${lib.escapeShellArgs cfg.subscriberFiles}
+          ${lib.getExe' pkgs.acl "setfacl"} -R \
+            -m group:resolvconf:rwx \
+            -m default:group:resolvconf:rwx \
+            /run/resolvconf
         '';
       };
 

nixos/modules/services/misc/bazarr.nix

@@ -37,7 +37,7 @@ in
 
   config = lib.mkIf cfg.enable {
     systemd.services.bazarr = {
-      description = "bazarr";
+      description = "Bazarr";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
 

nixos/modules/services/monitoring/prometheus/default.nix

@@ -201,6 +201,26 @@ let
     };
   };
 
+  promTypes.sigv4 = types.submodule {
+    options = {
+      region = mkOpt types.str ''
+        The AWS region.
+      '';
+      access_key = mkOpt types.str ''
+        The Access Key ID.
+      '';
+      secret_key = mkOpt types.str ''
+        The Secret Access Key.
+      '';
+      profile = mkOpt types.str ''
+        The named AWS profile used to authenticate.
+      '';
+      role_arn = mkOpt types.str ''
+        The AWS role ARN.
+      '';
+    };
+  };
+
   promTypes.tls_config = types.submodule {
     options = {
       ca_file = mkOpt types.str ''
@@ -1464,6 +1484,9 @@ let
         Sets the `Authorization` header on every remote write request with the bearer token
         read from the configured file. It is mutually exclusive with `bearer_token`.
       '';
+      sigv4 = mkOpt promTypes.sigv4 ''
+        Configures AWS Signature Version 4 settings.
+      '';
       tls_config = mkOpt promTypes.tls_config ''
         Configures the remote write request's TLS settings.
       '';