Merge branch 'master' into staging-next

.github/workflows/merge-staging.yml

@@ -14,6 +14,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Merge master into staging-next
+        id: staging_next
         uses: devmasx/merge-branch@v1.3.1
         with:
           type: now
@@ -22,6 +23,7 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Merge staging-next into staging
+        id: staging
         uses: devmasx/merge-branch@v1.3.1
         with:
           type: now
@@ -35,5 +37,5 @@ jobs:
         with:
           issue-number: 105153
           body: |
-            An automatic merge [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
+            An automatic merge${{ (steps.staging_next.outcome == 'failure' && ' from master to staging-next') || ((steps.staging.outcome == 'failure' && ' from staging-next to staging') || '') }} [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).
 

nixos/doc/manual/release-notes/rl-2105.xml

@@ -726,6 +726,20 @@ environment.systemPackages = [
      The <package>yadm</package> dotfile manager has been updated from 2.x to 3.x, which has new (XDG) default locations for some data/state files. Most yadm commands will fail and print a legacy path warning (which describes how to upgrade/migrate your repository). If you have scripts, daemons, scheduled jobs, shell profiles, etc. that invoke yadm, expect them to fail or misbehave until you perform this migration and prepare accordingly.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     Instead of determining <option>services.radicale.package</option>
+     automatically based on <option>system.stateVersion</option>, the latest
+     version is always used because old versions are not officially supported.
+    </para>
+    <para>
+     Furthermore, Radicale's systemd unit was hardened which might break some
+     deployments.  In particular, a non-default
+     <literal>filesystem_folder</literal> has to be added to
+     <option>systemd.services.radicale.serviceConfig.ReadWritePaths</option> if
+     the deprecated <option>services.radicale.config</option> is used.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 

nixos/modules/installer/tools/nix-fallback-paths.nix

@@ -1,6 +1,6 @@
 {
-  x86_64-linux = "/nix/store/iwfs2bfcy7lqwhri94p2i6jc87ih55zk-nix-2.3.10";
-  i686-linux = "/nix/store/a3ccfvy9i5n418d5v0bir330kbcz3vj8-nix-2.3.10";
-  aarch64-linux = "/nix/store/bh5g6cv7bv35iz853d3xv2sphn51ybmb-nix-2.3.10";
-  x86_64-darwin = "/nix/store/8c98r6zlwn2d40qm7jnnrr2rdlqviszr-nix-2.3.10";
+  x86_64-linux = "/nix/store/d1ppfhjhdwcsb4npfzyifv5z8i00fzsk-nix-2.3.11";
+  i686-linux = "/nix/store/c6ikndcrzwpfn2sb5b9xb1f17p9b8iga-nix-2.3.11";
+  aarch64-linux = "/nix/store/fb0lfrn0m8s197d264jzd64vhz9c8zbx-nix-2.3.11";
+  x86_64-darwin = "/nix/store/qvb86ffv08q3r66qbd6nqifz425lyyhf-nix-2.3.11";
 }

nixos/modules/services/monitoring/prometheus/exporters.nix

@@ -34,6 +34,7 @@ let
     "fritzbox"
     "json"
     "jitsi"
+    "kea"
     "keylight"
     "knot"
     "lnd"

nixos/modules/services/monitoring/prometheus/exporters/kea.nix

@@ -0,0 +1,38 @@
+{ config
+, lib
+, pkgs
+, options
+}:
+
+with lib;
+
+let
+  cfg = config.services.prometheus.exporters.kea;
+in {
+  port = 9547;
+  extraOpts = {
+    controlSocketPaths = mkOption {
+      type = types.listOf types.str;
+      example = literalExample ''
+        [
+          "/run/kea/kea-dhcp4.socket"
+          "/run/kea/kea-dhcp6.socket"
+        ]
+      '';
+      description = ''
+        Paths to kea control sockets
+      '';
+    };
+  };
+  serviceOpts = {
+    serviceConfig = {
+      ExecStart = ''
+        ${pkgs.prometheus-kea-exporter}/bin/kea-exporter \
+          --address ${cfg.listenAddress} \
+          --port ${toString cfg.port} \
+          ${concatStringsSep " \\n" cfg.controlSocketPaths}
+      '';
+      SupplementaryGroups = [ "kea" ];
+    };
+  };
+}

nixos/modules/services/networking/radicale.nix

@@ -3,56 +3,103 @@
 with lib;
 
 let
-
   cfg = config.services.radicale;
 
-  confFile = pkgs.writeText "radicale.conf" cfg.config;
-
-  defaultPackage = if versionAtLeast config.system.stateVersion "20.09" then {
-    pkg = pkgs.radicale3;
-    text = "pkgs.radicale3";
-  } else if versionAtLeast config.system.stateVersion "17.09" then {
-    pkg = pkgs.radicale2;
-    text = "pkgs.radicale2";
-  } else {
-    pkg = pkgs.radicale1;
-    text = "pkgs.radicale1";
+  format = pkgs.formats.ini {
+    listToValue = concatMapStringsSep ", " (generators.mkValueStringDefault { });
   };
-in
 
-{
+  pkg = if isNull cfg.package then
+    pkgs.radicale
+  else
+    cfg.package;
+
+  confFile = if cfg.settings == { } then
+    pkgs.writeText "radicale.conf" cfg.config
+  else
+    format.generate "radicale.conf" cfg.settings;
+
+  rightsFile = format.generate "radicale.rights" cfg.rights;
 
-  options = {
-    services.radicale.enable = mkOption {
-      type = types.bool;
-      default = false;
+  bindLocalhost = cfg.settings != { } && !hasAttrByPath [ "server" "hosts" ] cfg.settings;
+
+in {
+  options.services.radicale = {
+    enable = mkEnableOption "Radicale CalDAV and CardDAV server";
+
+    package = mkOption {
+      description = "Radicale package to use.";
+      # Default cannot be pkgs.radicale because non-null values suppress
+      # warnings about incompatible configuration and storage formats.
+      type = with types; nullOr package // { inherit (package) description; };
+      default = null;
+      defaultText = "pkgs.radicale";
+    };
+
+    config = mkOption {
+      type = types.str;
+      default = "";
       description = ''
-          Enable Radicale CalDAV and CardDAV server.
+        Radicale configuration, this will set the service
+        configuration file.
+        This option is mutually exclusive with <option>settings</option>.
+        This option is deprecated.  Use <option>settings</option> instead.
       '';
     };
 
-    services.radicale.package = mkOption {
-      type = types.package;
-      default = defaultPackage.pkg;
-      defaultText = defaultPackage.text;
+    settings = mkOption {
+      type = format.type;
+      default = { };
       description = ''
-        Radicale package to use. This defaults to version 1.x if
-        <literal>system.stateVersion &lt; 17.09</literal>, version 2.x if
-        <literal>17.09 ≤ system.stateVersion &lt; 20.09</literal>, and
-        version 3.x otherwise.
+        Configuration for Radicale. See
+        <link xlink:href="https://radicale.org/3.0.html#documentation/configuration" />.
+        This option is mutually exclusive with <option>config</option>.
+      '';
+      example = literalExample ''
+        server = {
+          hosts = [ "0.0.0.0:5232" "[::]:5232" ];
+        };
+        auth = {
+          type = "htpasswd";
+          htpasswd_filename = "/etc/radicale/users";
+          htpasswd_encryption = "bcrypt";
+        };
+        storage = {
+          filesystem_folder = "/var/lib/radicale/collections";
+        };
       '';
     };
 
-    services.radicale.config = mkOption {
-      type = types.str;
-      default = "";
+    rights = mkOption {
+      type = format.type;
       description = ''
-        Radicale configuration, this will set the service
-        configuration file.
+        Configuration for Radicale's rights file. See
+        <link xlink:href="https://radicale.org/3.0.html#documentation/authentication-and-rights" />.
+        This option only works in conjunction with <option>settings</option>.
+        Setting this will also set <option>settings.rights.type</option> and
+        <option>settings.rights.file</option> to approriate values.
+      '';
+      default = { };
+      example = literalExample ''
+        root = {
+          user = ".+";
+          collection = "";
+          permissions = "R";
+        };
+        principal = {
+          user = ".+";
+          collection = "{user}";
+          permissions = "RW";
+        };
+        calendars = {
+          user = ".+";
+          collection = "{user}/[^/]+";
+          permissions = "rw";
+        };
       '';
     };
 
-    services.radicale.extraArgs = mkOption {
+    extraArgs = mkOption {
       type = types.listOf types.str;
       default = [];
       description = "Extra arguments passed to the Radicale daemon.";
@@ -60,33 +107,94 @@ in
   };
 
   config = mkIf cfg.enable {
-    environment.systemPackages = [ cfg.package ];
+    assertions = [
+      {
+        assertion = cfg.settings == { } || cfg.config == "";
+        message = ''
+          The options services.radicale.config and services.radicale.settings
+          are mutually exclusive.
+        '';
+      }
+    ];
 
-    users.users.radicale =
-      { uid = config.ids.uids.radicale;
-        description = "radicale user";
-        home = "/var/lib/radicale";
-        createHome = true;
-      };
+    warnings = optional (isNull cfg.package && versionOlder config.system.stateVersion "17.09") ''
+      The configuration and storage formats of your existing Radicale
+      installation might be incompatible with the newest version.
+      For upgrade instructions see
+      https://radicale.org/2.1.html#documentation/migration-from-1xx-to-2xx.
+      Set services.radicale.package to suppress this warning.
+    '' ++ optional (isNull cfg.package && versionOlder config.system.stateVersion "20.09") ''
+      The configuration format of your existing Radicale installation might be
+      incompatible with the newest version.  For upgrade instructions see
+      https://github.com/Kozea/Radicale/blob/3.0.6/NEWS.md#upgrade-checklist.
+      Set services.radicale.package to suppress this warning.
+    '' ++ optional (cfg.config != "") ''
+      The option services.radicale.config is deprecated.
+      Use services.radicale.settings instead.
+    '';
+
+    services.radicale.settings.rights = mkIf (cfg.rights != { }) {
+      type = "from_file";
+      file = toString rightsFile;
+    };
+
+    environment.systemPackages = [ pkg ];
+
+    users.users.radicale.uid = config.ids.uids.radicale;
 
-    users.groups.radicale =
-      { gid = config.ids.gids.radicale; };
+    users.groups.radicale.gid = config.ids.gids.radicale;
 
     systemd.services.radicale = {
       description = "A Simple Calendar and Contact Server";
       after = [ "network.target" ];
+      requires = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
         ExecStart = concatStringsSep " " ([
-          "${cfg.package}/bin/radicale" "-C" confFile
+          "${pkg}/bin/radicale" "-C" confFile
         ] ++ (
           map escapeShellArg cfg.extraArgs
         ));
         User = "radicale";
         Group = "radicale";
+        StateDirectory = "radicale/collections";
+        StateDirectoryMode = "0750";
+        # Hardening
+        CapabilityBoundingSet = [ "" ];
+        DeviceAllow = [ "/dev/stdin" ];
+        DevicePolicy = "strict";
+        IPAddressAllow = mkIf bindLocalhost "localhost";
+        IPAddressDeny = mkIf bindLocalhost "any";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        ReadWritePaths = lib.optional
+          (hasAttrByPath [ "storage" "filesystem_folder" ] cfg.settings)
+          cfg.settings.storage.filesystem_folder;
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+        UMask = "0027";
       };
     };
   };
 
-  meta.maintainers = with lib.maintainers; [ aneeshusa infinisil ];
+  meta.maintainers = with lib.maintainers; [ aneeshusa infinisil dotlambda ];
 }

nixos/tests/all-tests.nix

@@ -91,6 +91,7 @@ in
   custom-ca = handleTest ./custom-ca.nix {};
   croc = handleTest ./croc.nix {};
   deluge = handleTest ./deluge.nix {};
+  dendrite = handleTest ./dendrite.nix {};
   dhparams = handleTest ./dhparams.nix {};
   discourse = handleTest ./discourse.nix {};
   dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {};

nixos/tests/dendrite.nix

@@ -0,0 +1,99 @@
+import ./make-test-python.nix (
+  { pkgs, ... }:
+    let
+      homeserverUrl = "http://homeserver:8008";
+
+      private_key = pkgs.runCommand "matrix_key.pem" {
+        buildInputs = [ pkgs.dendrite ];
+      } "generate-keys --private-key $out";
+    in
+      {
+        name = "dendrite";
+        meta = with pkgs.lib; {
+          maintainers = teams.matrix.members;
+        };
+
+        nodes = {
+          homeserver = { pkgs, ... }: {
+            services.dendrite = {
+              enable = true;
+              settings = {
+                global.server_name = "test-dendrite-server.com";
+                global.private_key = private_key;
+                client_api.registration_disabled = false;
+              };
+            };
+
+            networking.firewall.allowedTCPPorts = [ 8008 ];
+          };
+
+          client = { pkgs, ... }: {
+            environment.systemPackages = [
+              (
+                pkgs.writers.writePython3Bin "do_test"
+                  { libraries = [ pkgs.python3Packages.matrix-nio ]; } ''
+                  import asyncio
+
+                  from nio import AsyncClient
+
+
+                  async def main() -> None:
+                      # Connect to dendrite
+                      client = AsyncClient("http://homeserver:8008", "alice")
+
+                      # Register as user alice
+                      response = await client.register("alice", "my-secret-password")
+
+                      # Log in as user alice
+                      response = await client.login("my-secret-password")
+
+                      # Create a new room
+                      response = await client.room_create(federate=False)
+                      room_id = response.room_id
+
+                      # Join the room
+                      response = await client.join(room_id)
+
+                      # Send a message to the room
+                      response = await client.room_send(
+                          room_id=room_id,
+                          message_type="m.room.message",
+                          content={
+                              "msgtype": "m.text",
+                              "body": "Hello world!"
+                          }
+                      )
+
+                      # Sync responses
+                      response = await client.sync(timeout=30000)
+
+                      # Check the message was received by dendrite
+                      last_message = response.rooms.join[room_id].timeline.events[-1].body
+                      assert last_message == "Hello world!"
+
+                      # Leave the room
+                      response = await client.room_leave(room_id)
+
+                      # Close the client
+                      await client.close()
+
+                  asyncio.get_event_loop().run_until_complete(main())
+                ''
+              )
+            ];
+          };
+        };
+
+        testScript = ''
+          start_all()
+
+          with subtest("start the homeserver"):
+              homeserver.wait_for_unit("dendrite.service")
+              homeserver.wait_for_open_port(8008)
+
+          with subtest("ensure messages can be exchanged"):
+              client.succeed("do_test")
+        '';
+
+      }
+)

nixos/tests/prometheus-exporters.nix

@@ -326,6 +326,57 @@ let
       '';
     };
 
+    kea = {
+      exporterConfig = {
+        enable = true;
+        controlSocketPaths = [
+          "/run/kea/kea-dhcp6.sock"
+        ];
+      };
+      metricProvider = {
+        users.users.kea = {
+          isSystemUser = true;
+        };
+        users.groups.kea = {};
+
+        systemd.services.prometheus-kea-exporter.after = [ "kea-dhcp6.service" ];
+
+        systemd.services.kea-dhcp6 = let
+          configFile = pkgs.writeText "kea-dhcp6.conf" (builtins.toJSON {
+            Dhcp6 = {
+              "control-socket" = {
+                "socket-type" = "unix";
+                "socket-name" = "/run/kea/kea-dhcp6.sock";
+              };
+            };
+          });
+        in
+        {
+          after = [ "network.target" ];
+          wantedBy = [ "multi-user.target" ];
+
+          serviceConfig = {
+            DynamicUser = false;
+            User = "kea";
+            Group = "kea";
+            ExecStart = "${pkgs.kea}/bin/kea-dhcp6 -c ${configFile}";
+            StateDirectory = "kea";
+            RuntimeDirectory = "kea";
+            UMask = "0007";
+          };
+        };
+      };
+      exporterTest = ''
+        wait_for_unit("kea-dhcp6.service")
+        wait_for_file("/run/kea/kea-dhcp6.sock")
+        wait_for_unit("prometheus-kea-exporter.service")
+        wait_for_open_port(9547)
+        succeed(
+            "curl --fail localhost:9547/metrics | grep 'packets_received_total'"
+        )
+      '';
+    };
+
     knot = {
       exporterConfig = {
         enable = true;

nixos/tests/radicale.nix

@@ -1,140 +1,95 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }:
+
 let
   user = "someuser";
   password = "some_password";
-  port = builtins.toString 5232;
+  port = "5232";
+  filesystem_folder = "/data/radicale";
+
+  cli = "${pkgs.calendar-cli}/bin/calendar-cli --caldav-user ${user} --caldav-pass ${password}";
+in {
+  name = "radicale3";
+  meta.maintainers = with lib.maintainers; [ dotlambda ];
 
-  common = { pkgs, ... }: {
+  machine = { pkgs, ... }: {
     services.radicale = {
       enable = true;
-      config = ''
-        [auth]
-        type = htpasswd
-        htpasswd_filename = /etc/radicale/htpasswd
-        htpasswd_encryption = bcrypt
-
-        [storage]
-        filesystem_folder = /tmp/collections
-      '';
+      settings = {
+        auth = {
+          type = "htpasswd";
+          htpasswd_filename = "/etc/radicale/users";
+          htpasswd_encryption = "bcrypt";
+        };
+        storage = {
+          inherit filesystem_folder;
+          hook = "git add -A && (git diff --cached --quiet || git commit -m 'Changes by '%(user)s)";
+        };
+        logging.level = "info";
+      };
+      rights = {
+        principal = {
+          user = ".+";
+          collection = "{user}";
+          permissions = "RW";
+        };
+        calendars = {
+          user = ".+";
+          collection = "{user}/[^/]+";
+          permissions = "rw";
+        };
+      };
     };
+    systemd.services.radicale.path = [ pkgs.git ];
+    environment.systemPackages = [ pkgs.git ];
+    systemd.tmpfiles.rules = [ "d ${filesystem_folder} 0750 radicale radicale -" ];
     # WARNING: DON'T DO THIS IN PRODUCTION!
     # This puts unhashed secrets directly into the Nix store for ease of testing.
-    environment.etc."radicale/htpasswd".source = pkgs.runCommand "htpasswd" {} ''
+    environment.etc."radicale/users".source = pkgs.runCommand "htpasswd" {} ''
       ${pkgs.apacheHttpd}/bin/htpasswd -bcB "$out" ${user} ${password}
     '';
   };
-
-in
-
-  import ./make-test-python.nix ({ lib, ... }@args: {
-    name = "radicale";
-    meta.maintainers = with lib.maintainers; [ aneeshusa infinisil ];
-
-    nodes = rec {
-      radicale = radicale1; # Make the test script read more nicely
-      radicale1 = lib.recursiveUpdate (common args) {
-        nixpkgs.overlays = [
-          (self: super: {
-            radicale1 = super.radicale1.overrideAttrs (oldAttrs: {
-              propagatedBuildInputs = with self.pythonPackages;
-                (oldAttrs.propagatedBuildInputs or []) ++ [ passlib ];
-            });
-          })
-        ];
-        system.stateVersion = "17.03";
-      };
-      radicale1_export = lib.recursiveUpdate radicale1 {
-        services.radicale.extraArgs = [
-          "--export-storage" "/tmp/collections-new"
-        ];
-        system.stateVersion = "17.03";
-      };
-      radicale2_verify = lib.recursiveUpdate radicale2 {
-        services.radicale.extraArgs = [ "--debug" "--verify-storage" ];
-        system.stateVersion = "17.09";
-      };
-      radicale2 = lib.recursiveUpdate (common args) {
-        system.stateVersion = "17.09";
-      };
-      radicale3 = lib.recursiveUpdate (common args) {
-        system.stateVersion = "20.09";
-      };
-    };
-
-    # This tests whether the web interface is accessible to an authenticated user
-    testScript = { nodes }: let
-      switchToConfig = nodeName: let
-        newSystem = nodes.${nodeName}.config.system.build.toplevel;
-      in "${newSystem}/bin/switch-to-configuration test";
-    in ''
-      with subtest("Check Radicale 1 functionality"):
-          radicale.succeed(
-              "${switchToConfig "radicale1"} >&2"
-          )
-          radicale.wait_for_unit("radicale.service")
-          radicale.wait_for_open_port(${port})
-          radicale.succeed(
-              "curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/"
-          )
-
-      with subtest("Export data in Radicale 2 format"):
-          radicale.succeed("systemctl stop radicale")
-          radicale.succeed("ls -al /tmp/collections")
-          radicale.fail("ls -al /tmp/collections-new")
-
-      with subtest("Radicale exits immediately after exporting storage"):
-          radicale.succeed(
-              "${switchToConfig "radicale1_export"} >&2"
-          )
-          radicale.wait_until_fails("systemctl status radicale")
-          radicale.succeed("ls -al /tmp/collections")
-          radicale.succeed("ls -al /tmp/collections-new")
-
-      with subtest("Verify data in Radicale 2 format"):
-          radicale.succeed("rm -r /tmp/collections/${user}")
-          radicale.succeed("mv /tmp/collections-new/collection-root /tmp/collections")
-          radicale.succeed(
-              "${switchToConfig "radicale2_verify"} >&2"
-          )
-          radicale.wait_until_fails("systemctl status radicale")
-
-          (retcode, logs) = radicale.execute("journalctl -u radicale -n 10")
-          assert (
-              retcode == 0 and "Verifying storage" in logs
-          ), "Radicale 2 didn't verify storage"
-          assert (
-              "failed" not in logs and "exception" not in logs
-          ), "storage verification failed"
-
-      with subtest("Check Radicale 2 functionality"):
-          radicale.succeed(
-              "${switchToConfig "radicale2"} >&2"
-          )
-          radicale.wait_for_unit("radicale.service")
-          radicale.wait_for_open_port(${port})
-
-          (retcode, output) = radicale.execute(
-              "curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/"
-          )
-          assert (
-              retcode == 0 and "VCALENDAR" in output
-          ), "Could not read calendar from Radicale 2"
-
-          radicale.succeed("curl --fail http://${user}:${password}@localhost:${port}/.web/")
-
-      with subtest("Check Radicale 3 functionality"):
-          radicale.succeed(
-              "${switchToConfig "radicale3"} >&2"
-          )
-          radicale.wait_for_unit("radicale.service")
-          radicale.wait_for_open_port(${port})
-
-          (retcode, output) = radicale.execute(
-              "curl --fail http://${user}:${password}@localhost:${port}/someuser/calendar.ics/"
-          )
-          assert (
-              retcode == 0 and "VCALENDAR" in output
-          ), "Could not read calendar from Radicale 3"
-
-          radicale.succeed("curl --fail http://${user}:${password}@localhost:${port}/.web/")
-    '';
+  testScript = ''
+    machine.wait_for_unit("radicale.service")
+    machine.wait_for_open_port(${port})
+
+    machine.succeed("sudo -u radicale git -C ${filesystem_folder} init")
+    machine.succeed(
+        "sudo -u radicale git -C ${filesystem_folder} config --local user.email radicale@example.com"
+    )
+    machine.succeed(
+        "sudo -u radicale git -C ${filesystem_folder} config --local user.name radicale"
+    )
+
+    with subtest("Test calendar and event creation"):
+        machine.succeed(
+            "${cli} --caldav-url http://localhost:${port}/${user} calendar create cal"
+        )
+        machine.succeed("test -d ${filesystem_folder}/collection-root/${user}/cal")
+        machine.succeed('test -z "$(ls ${filesystem_folder}/collection-root/${user}/cal)"')
+        machine.succeed(
+            "${cli} --caldav-url http://localhost:${port}/${user}/cal calendar add 2021-04-23 testevent"
+        )
+        machine.succeed('test -n "$(ls ${filesystem_folder}/collection-root/${user}/cal)"')
+        (status, stdout) = machine.execute(
+            "sudo -u radicale git -C ${filesystem_folder} log --format=oneline | wc -l"
+        )
+        assert status == 0, "git log failed"
+        assert stdout == "3\n", "there should be exactly 3 commits"
+
+    with subtest("Test rights file"):
+        machine.fail(
+            "${cli} --caldav-url http://localhost:${port}/${user} calendar create sub/cal"
+        )
+        machine.fail(
+            "${cli} --caldav-url http://localhost:${port}/otheruser calendar create cal"
+        )
+
+    with subtest("Test web interface"):
+        machine.succeed("curl --fail http://${user}:${password}@localhost:${port}/.web/")
+
+    with subtest("Test security"):
+        output = machine.succeed("systemd-analyze security radicale.service")
+        machine.log(output)
+        assert output[-9:-1] == "SAFE :-}"
+  '';
 })

nixos/tests/sway.nix

@@ -38,6 +38,9 @@ import ./make-test-python.nix ({ pkgs, lib, ...} :
 
     programs.sway.enable = true;
 
+    # To test pinentry via gpg-agent:
+    programs.gnupg.agent.enable = true;
+
     virtualisation.memorySize = 1024;
     # Need to switch to a different VGA card / GPU driver than the default one (std) so that Sway can launch:
     virtualisation.qemu.options = [ "-vga virtio" ];
@@ -80,6 +83,17 @@ import ./make-test-python.nix ({ pkgs, lib, ...} :
     machine.send_key("alt-shift-q")
     machine.wait_until_fails("pgrep alacritty")
 
+    # Test gpg-agent starting pinentry-gnome3 via D-Bus (tests if
+    # $WAYLAND_DISPLAY is correctly imported into the D-Bus user env):
+    machine.succeed(
+        "su - alice -c 'swaymsg -- exec gpg --no-tty --yes --quick-generate-key test'"
+    )
+    machine.wait_until_succeeds("pgrep --exact gpg")
+    machine.wait_for_text("Passphrase")
+    machine.screenshot("gpg_pinentry")
+    machine.send_key("alt-shift-q")
+    machine.wait_until_fails("pgrep --exact gpg")
+
     # Test swaynag:
     machine.send_key("alt-shift-e")
     machine.wait_for_text("You pressed the exit shortcut.")

pkgs/applications/audio/strawberry/default.nix

@@ -82,10 +82,6 @@ mkDerivation rec {
     util-linux
   ];
 
-  cmakeFlags = [
-    "-DUSE_SYSTEM_TAGLIB=ON"
-  ];
-
   postInstall = ''
     qtWrapperArgs+=(--prefix GST_PLUGIN_SYSTEM_PATH_1_0 : "$GST_PLUGIN_SYSTEM_PATH_1_0")
   '';

pkgs/applications/editors/emacs-modes/elpa-generated.nix

@@ -655,10 +655,10 @@
       elpaBuild {
         pname = "corfu";
         ename = "corfu";
-        version = "0.4";
+        version = "0.6";
         src = fetchurl {
-          url = "https://elpa.gnu.org/packages/corfu-0.4.tar";
-          sha256 = "0yaspx58w02n3liqy5i4lm6lk5f1fm6v5lfrzp7xaqnngq1f4gbj";
+          url = "https://elpa.gnu.org/packages/corfu-0.6.tar";
+          sha256 = "0zl769l3mmy4b0pj70dwjllq0224r2w4l45xvaqbj75qfqclj6cj";
         };
         packageRequires = [ emacs ];
         meta = {
@@ -1045,10 +1045,10 @@
       elpaBuild {
         pname = "eev";
         ename = "eev";
-        version = "20210102";
+        version = "20210512";
         src = fetchurl {
-          url = "https://elpa.gnu.org/packages/eev-20210102.tar";
-          sha256 = "14vpgcncmzzbv8v78v221hdhigvk00vqiizwd8dy0b7hqz6gl0rq";
+          url = "https://elpa.gnu.org/packages/eev-20210512.tar";
+          sha256 = "0dj49lpqv5vsx02h8mla8cmv5cr5f2qbz74f9dn8q4adpzxsajin";
         };
         packageRequires = [ emacs ];
         meta = {
@@ -1148,10 +1148,10 @@
       elpaBuild {
         pname = "elisp-benchmarks";
         ename = "elisp-benchmarks";
-        version = "1.11";
+        version = "1.12";
         src = fetchurl {
-          url = "https://elpa.gnu.org/packages/elisp-benchmarks-1.11.tar";
-          sha256 = "0s1mpapvcivy25zbhw6ghpg0ym23vb4dsrz876rl4z2rfyckxral";
+          url = "https://elpa.gnu.org/packages/elisp-benchmarks-1.12.tar";
+          sha256 = "0jzpzif4vrjg5hl0hxg4aqvi6nv56cxa1w0amnkgcz4hsscxkvwm";
         };
         packageRequires = [];
         meta = {
@@ -1159,16 +1159,21 @@
           license = lib.licenses.free;
         };
       }) {};
-    emms = callPackage ({ cl-lib ? null, elpaBuild, fetchurl, lib, seq }:
+    emms = callPackage ({ cl-lib ? null
+                        , elpaBuild
+                        , fetchurl
+                        , lib
+                        , nadvice
+                        , seq }:
       elpaBuild {
         pname = "emms";
         ename = "emms";
-        version = "7.1";
+        version = "7.2";
         src = fetchurl {
-          url = "https://elpa.gnu.org/packages/emms-7.1.tar";
-          sha256 = "1dng8dy0w0wsdvvnjnrllwv5a8wq3kj20jik994b7prdx5dn6y52";
+          url = "https://elpa.gnu.org/packages/emms-7.2.tar";
+          sha256 = "11vqqh9rnzibsfw7wx62rgzl8i8ldpf0hv1sj43nhl5c6dlc8d5z";
         };
-        packageRequires = [ cl-lib seq ];
+        packageRequires = [ cl-lib nadvice seq ];
         meta = {
           homepage = "https://elpa.gnu.org/packages/emms.html";
           license = lib.licenses.free;
@@ -2824,10 +2829,10 @@
       elpaBuild {
         pname = "pyim";
         ename = "pyim";
-        version = "3.7.1";
+        version = "3.7.5";
         src = fetchurl {
-          url = "https://elpa.gnu.org/packages/pyim-3.7.1.tar";
-          sha256 = "0k73f1qdl51qshnvycjassdh70id5gp5qi5wz7k4zyl8pbampiyd";
+          url = "https://elpa.gnu.org/packages/pyim-3.7.5.tar";
+          sha256 = "09f34wgzckbxgr5xvaqrj0wdcmnfsb31a6m460f5g0acys20ams5";
         };
         packageRequires = [ async emacs xr ];
         meta = {
@@ -3950,10 +3955,10 @@
       elpaBuild {
         pname = "vertico";
         ename = "vertico";
-        version = "0.6";
+        version = "0.8";
         src = fetchurl {
-          url = "https://elpa.gnu.org/packages/vertico-0.6.tar";
-          sha256 = "19f6ffljraikz83nc2y9q83zjc4cfyzn9rnwm18lwh6sjsydz6kk";
+          url = "https://elpa.gnu.org/packages/vertico-0.8.tar";
+          sha256 = "1cdq49csd57vqhrs1nbif79yw4s8c0p2i2ww5n5znzj7rnxwpva4";
         };
         packageRequires = [ emacs ];
         meta = {

pkgs/applications/editors/emacs-modes/org-generated.nix

@@ -4,10 +4,10 @@
       elpaBuild {
         pname = "org";
         ename = "org";
-        version = "20210503";
+        version = "20210510";
         src = fetchurl {
-          url = "https://orgmode.org/elpa/org-20210503.tar";
-          sha256 = "0j9p834c67qzxbxz8s1n8l5blylrpb3jh9wywphlb6jgbgl0mw09";
+          url = "https://orgmode.org/elpa/org-20210510.tar";
+          sha256 = "015c68pk52vksar7kpyb0nkcyjihlczmpq4h5vdv8xayas2qlzc7";
         };
         packageRequires = [];
         meta = {
@@ -19,10 +19,10 @@
       elpaBuild {
         pname = "org-plus-contrib";
         ename = "org-plus-contrib";
-        version = "20210503";
+        version = "20210510";
         src = fetchurl {
-          url = "https://orgmode.org/elpa/org-plus-contrib-20210503.tar";
-          sha256 = "0k0wmnx2g919h3s9ynv1cvdlyxvydglslamlwph4xng4kzcr5lrk";
+          url = "https://orgmode.org/elpa/org-plus-contrib-20210510.tar";
+          sha256 = "0pdwjnpcsk75jv4qs8n4xia6vspwn6dndbdx9z7kq5vqz7w4ykmw";
         };
         packageRequires = [];
         meta = {

pkgs/applications/editors/emacs-modes/sunrise-commander/default.nix

@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
 
   meta = with lib; {
     homepage = "https://github.com/sunrise-commander/sunrise-commander/";
-    description = "Two-pane file manager for Emacs based on Dired and inspired by MC";
+    description = "Orthodox (two-pane) file manager for Emacs";
     license = licenses.gpl3Plus;
     maintainers = [ maintainers.AndersonTorres ];
     platforms = platforms.all;

pkgs/applications/editors/vscode/vscode.nix

@@ -13,10 +13,10 @@ let
   archive_fmt = if system == "x86_64-darwin" then "zip" else "tar.gz";
 
   sha256 = {
-    x86_64-linux = "0l4lx5h2daw9c5vl4kz6sq2i58b45xy4948x4q0wnwbqdqlqc9s4";
-    x86_64-darwin = "0qqgs7vns52bz9xkys822sjjkvyq4l20iipz6sx5kinxg6h04jyy";
-    aarch64-linux = "1gnh5kk4r0kfik9yfvvcbavhws4n8kn89kyl2qzpa2ryy52kk81j";
-    armv7l-linux = "0zz5fn9nxq58i3svhgc25s6fdz7i3rxc0naflyx1jzmpzipp4v6n";
+    x86_64-linux = "08qrag9nzmngzzvs2cgbmc4zzxlb9kwn183v8caj6dvcrjvfqgbv";
+    x86_64-darwin = "0rlyr08lla3xadlh373xqcks8a9akk3x2cmakgn17q2b16988fmq";
+    aarch64-linux = "1m277940xsasqac4i88s05xrqsab99jhl3ka0zzfbixrgr2dj8q1";
+    armv7l-linux = "1qm4cggjj50vdnrx848x810gz3ahh0hndra22lsvcjdbsw8g35rk";
   }.${system};
 in
   callPackage ./generic.nix rec {
@@ -25,7 +25,7 @@ in
 
     # Please backport all compatible updates to the stable release.
     # This is important for the extension ecosystem.
-    version = "1.56.1";
+    version = "1.56.2";
     pname = "vscode";
 
     executableName = "code" + lib.optionalString isInsiders "-insiders";

pkgs/applications/networking/browsers/brave/default.nix

@@ -90,11 +90,11 @@ in
 
 stdenv.mkDerivation rec {
   pname = "brave";
-  version = "1.24.82";
+  version = "1.24.85";
 
   src = fetchurl {
     url = "https://github.com/brave/brave-browser/releases/download/v${version}/brave-browser_${version}_amd64.deb";
-    sha256 = "iWUJ5yLWWQvg510Atf+Pd9ya/1NnMNW2Sp/RVFn4PCc=";
+    sha256 = "jE9INGYz78Vyvps4ESimtH1rL4GdboAUtMx1p31XQGk=";
   };
 
   dontConfigure = true;

pkgs/applications/networking/dnscontrol/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "dnscontrol";
-  version = "3.8.1";
+  version = "3.9.0";
 
   src = fetchFromGitHub {
     owner = "StackExchange";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-x002p7wPKbcmr4uE04mgKBagHQV/maEo99Y2Jr7xgK4=";
+    sha256 = "sha256-9lIjQaMYy0FGMkR29Es3BMIAcn+jQYudyFJHwezlXKM=";
   };
 
-  vendorSha256 = "sha256-lR5+xVi/ROOFoRWyK0h/8uiSP/joQ9Zr9kMaQ+sWNhM=";
+  vendorSha256 = "sha256-thvbqDhLdY+g/byFHJ9Tdiw8WYRccu4X1Rb0pdhE34E=";
 
   subPackages = [ "." ];
 

pkgs/data/themes/amber/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "amber-theme";
-  version = "3.36-2";
+  version = "3.38-1";
 
   src = fetchFromGitHub {
     owner = "lassekongo83";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1g0hkv9sxfxfnpv8x7g64lr2by7wd4k216s3y9xpibsycdbwpyi5";
+    sha256 = "sha256-OrdBeAD+gdIu6u8ESE9PtqYadSuJ8nx1Z8fB4D9y4W4=";
   };
 
   nativeBuildInputs = [ meson ninja sassc ];

pkgs/development/compilers/zig/default.nix

@@ -1,24 +1,34 @@
-{ lib, stdenv, fetchFromGitHub, cmake, llvmPackages, libxml2, zlib, substituteAll }:
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, llvmPackages
+, libxml2
+, zlib
+}:
 
 llvmPackages.stdenv.mkDerivation rec {
-  version = "0.7.1";
   pname = "zig";
+  version = "0.7.1";
 
   src = fetchFromGitHub {
     owner = "ziglang";
     repo = pname;
     rev = version;
-    sha256 = "1z6c4ym9jmga46cw2arn7zv2drcpmrf3vw139gscxp27n7q2z5md";
+    hash = "sha256-rZYv8LFH3M70SyPwPVyul+Um9j82K8GZIepVmaonzPw=";
   };
 
-  nativeBuildInputs = [ cmake llvmPackages.llvm.dev ];
+  nativeBuildInputs = [
+    cmake llvmPackages.llvm.dev
+  ];
   buildInputs = [
-    llvmPackages.libclang
-    llvmPackages.llvm
-    llvmPackages.lld
     libxml2
     zlib
-  ];
+  ] ++ (with llvmPackages; [
+    libclang
+    lld
+    llvm
+  ]);
 
   preBuild = ''
     export HOME=$TMPDIR;
@@ -33,12 +43,12 @@ llvmPackages.stdenv.mkDerivation rec {
   doCheck = true;
 
   meta = with lib; {
+    homepage = "https://ziglang.org/";
     description =
       "General-purpose programming language and toolchain for maintaining robust, optimal, and reusable software";
-    homepage = "https://ziglang.org/";
     license = licenses.mit;
+    maintainers = with maintainers; [ andrewrk AndersonTorres ];
     platforms = platforms.unix;
-    maintainers = [ maintainers.andrewrk ];
     # See https://github.com/NixOS/nixpkgs/issues/86299
     broken = stdenv.isDarwin;
   };

pkgs/development/interpreters/erlang/R23.nix

@@ -3,6 +3,6 @@
 # How to obtain `sha256`:
 # nix-prefetch-url --unpack https://github.com/erlang/otp/archive/OTP-${version}.tar.gz
 mkDerivation {
-  version = "23.3.2";
-  sha256 = "eU3BmBJqrcg3FmkuAIfB3UoSNfQQfvGNyC2jBffwm/w=";
+  version = "23.3.4";
+  sha256 = "EKewwcK1Gr84mmFVxVmOLaPiFtsG3r/1ubGOUwM/EYY=";
 }

pkgs/development/libraries/libxc/default.nix

@@ -1,7 +1,7 @@
 { lib, stdenv, fetchFromGitLab, cmake, gfortran, perl }:
 
 let
-  version = "5.1.3";
+  version = "5.1.4";
 
 in stdenv.mkDerivation {
   pname = "libxc";
@@ -11,7 +11,7 @@ in stdenv.mkDerivation {
     owner = "libxc";
     repo = "libxc";
     rev = version;
-    sha256 = "14czspifznsmvvix5hcm1rk18iy590qk8p5m00p0y032gmn9i2zj";
+    sha256 = "0rs6v72zz3jr22r29zxxdk8wdsfv6wid6cx2661974z09dbvbr1f";
   };
 
   buildInputs = [ gfortran ];

pkgs/development/libraries/taglib/default.nix

@@ -1,39 +1,21 @@
-{ lib, stdenv, fetchurl, cmake, fetchpatch
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
 , zlib
 }:
 
 stdenv.mkDerivation rec {
   pname = "taglib";
-  version = "1.11.1";
+  version = "1.12";
 
-  src = fetchurl {
-    url = "http://taglib.org/releases/${pname}-${version}.tar.gz";
-    sha256 = "0ssjcdjv4qf9liph5ry1kngam1y7zp8fzr9xv4wzzrma22kabldn";
+  src = fetchFromGitHub {
+    owner = "taglib";
+    repo = "taglib";
+    rev = "v${version}";
+    sha256 = "sha256-omErajnYgxbflsbe6pS2KsexZcXisso0WGYnmIud7WA=";
   };
 
-  patches = [
-    (fetchpatch {
-      # https://github.com/taglib/taglib/issues/829
-      name = "CVE-2017-12678.patch";
-      url = "https://github.com/taglib/taglib/commit/eb9ded1206f18.patch";
-      sha256 = "1bvpxsvmlpi3by7myzss9kkpdkv405612n8ff68mw1ambj8h1m90";
-    })
-
-    (fetchpatch {
-      # https://github.com/taglib/taglib/pull/869
-      name = "CVE-2018-11439.patch";
-      url = "https://github.com/taglib/taglib/commit/272648ccfcccae30e002ccf34a22e075dd477278.patch";
-      sha256 = "0p397qq4anvcm0p8xs68mxa8hg6dl07chg260lc6k2929m34xv72";