Merge master into haskell-updates

doc/stdenv/stdenv.chapter.md

@@ -518,8 +518,10 @@ There are a number of variables that control what phases are executed and in wha
 
 Specifies the phases. You can change the order in which phases are executed, or add new phases, by setting this variable. If it’s not set, the default value is used, which is `$prePhases unpackPhase patchPhase $preConfigurePhases configurePhase $preBuildPhases buildPhase checkPhase $preInstallPhases installPhase fixupPhase installCheckPhase $preDistPhases distPhase $postPhases`.
 
+The elements of `phases` must not contain spaces. If `phases` is specified as a Nix Language attribute, it should be specified as lists instead of strings. The same rules apply to the `*Phases` variables.
+
 It is discouraged to set this variable, as it is easy to miss some important functionality hidden in some of the less obviously needed phases (like `fixupPhase` which patches the shebang of scripts).
-Usually, if you just want to add a few phases, it’s more convenient to set one of the variables below (such as `preInstallPhases`).
+Usually, if you just want to add a few phases, it’s more convenient to set one of the `*Phases` variables below.
 
 ##### `prePhases` {#var-stdenv-prePhases}
 

maintainers/maintainer-list.nix

@@ -11710,6 +11710,13 @@
     githubId = 168301;
     name = "Victor Engmark";
   };
+  l33tname = {
+    name = "l33tname";
+    email = "hi@l33t.name";
+
+    github = "Fliiiix";
+    githubId = 1682954;
+  };
   l3af = {
     email = "L3afMeAlon3@gmail.com";
     matrix = "@L3afMe:matrix.org";

maintainers/scripts/fetch-kde-qt.sh

@@ -156,7 +156,7 @@ files_before=$(grep -c 'src = ' "$SRCS")
 echo "writing output file $SRCS ..."
 cat >"$SRCS" <<EOF
 # DO NOT EDIT! This file is generated automatically.
-# Command: $0 $@
+# Command: ./maintainers/scripts/fetch-kde-qt.sh $@
 { fetchurl, mirror }:
 
 {

maintainers/scripts/kde/collect-missing-deps.py

@@ -72,6 +72,7 @@
     },
     "kwin": {
         "display-info",  # newer versions identify as libdisplay-info
+        "Libcap",  # used to call setcap at build time and nothing else
     },
     "libksysguard": {
         "Libcap",  # used to call setcap at build time and nothing else
@@ -90,6 +91,7 @@
     },
     "powerdevil": {
         "DDCUtil",  # cursed, intentionally disabled
+        "Libcap",  # used to call setcap at build time and nothing else
     },
     "print-manager": {
         "PackageKitQt6",  # used for auto-installing drivers which does not work for obvious reasons

maintainers/scripts/kde/generate-sources.py

@@ -23,7 +23,8 @@
 '''.strip())
 
 ROOT_TEMPLATE = jinja2.Template('''
-{callPackage}: {
+{ callPackage }:
+{
   {%- for p in packages %}
   {{ p }} = callPackage ./{{ p }} { };
   {%- endfor %}

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -271,6 +271,11 @@
 - The `mautrix-signal` module was adapted to incorporate the configuration rearrangement that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work.
   In case you want to update your configuration make sure to check the NixOS manual.
 
+- The dhcpcd service (`networking.useDHCP`) has been hardened and now runs exclusively as the "dhcpcd" user.
+  Users that were relying on the root privileges in `networking.dhcpcd.runHook` will have to write specific [sudo](security.sudo.extraRules) or [polkit](security.polkit.extraConfig) rules to allow dhcpcd to perform privileged actions.
+
+  As part of these changes, the DHCP lease files directory has also been moved from `/var/db/dhcpcd` to `/var/lib/dhcpcd`. This migration is performed automatically, but users may have to update their backup configuration.
+
 - `singularity-tools` have the `storeDir` argument removed from its override interface and use `builtins.storeDir` instead.
 
 - Two build helpers in `singularity-tools`, i.e., `mkLayer` and `shellScript`, are deprecated, as they are no longer involved in image-building. Maintainers will remove them in future releases.
@@ -503,9 +508,6 @@
 - The `services.mxisd` module has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are not maintained any longer.
   Consequently the package `pkgs.ma1sd` has also been removed.
 
-- `ffmpeg_5` has been removed. Please use the unversioned `ffmpeg`,
-  pin a newer version, or if necessary pin `ffmpeg_4` for compatibility.
-
 - The `rss-bridge` service drops the support to load a configuration file from `${config.services.rss-bridge.dataDir}/config.ini.php`.
   Consider using the `services.rss-bridge.config` option instead.
 
@@ -558,6 +560,16 @@
 - Minimal installer ISOs are no longer built on the small channel.
   Please obtain installer images from the full release channels.
 
+- The default FFmpeg version is now 7, and FFmpeg 5 has been removed.
+  Please prefer using the package variants without a version suffix,
+  or pin FFmpeg 6 or 4 if necessary for compatibility.
+  Note that we keep old versions around only as required
+  to support packages in the tree,
+  and FFmpeg 4 especially should be avoided in favour of newer versions
+  as it may be removed soon.
+
+- `openssl` now defaults to the latest version line `3.3.x`, instead of `3.0.x` before. While there should be no major code incompatibilities, newer OpenSSL versions typically strengthen the default security level. This means that you may have to explicitly allow weak ciphers, hashes and key lengths if necessary. See: [OpenSSL security level documentation](https://docs.openssl.org/3.3/man3/SSL_CTX_set_security_level/).
+
 - The `isync` package has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details.
 
 - Legacy package `globalprotect-openconnect` 1.x and related module
@@ -607,8 +619,6 @@
 
 - `nixosTests` now provide a working IPv6 setup for VLAN 1 by default.
 
-- `services.dhcpcd` is now started with additional systemd sandbox/hardening options for better security. When using `networking.dhcpcd.runHook` these settings are not applied.
-
 - Kanidm can now be provisioned using the new [`services.kanidm.provision`] option, but requires using a patched version available via `pkgs.kanidm.withSecretProvisioning`.
 
 - Kanidm previously had an incorrect systemd service type, causing dependent units with an `after` and `requires` directive to start before `kanidm*` finished startup. The module has now been updated in line with upstream recommendations.
@@ -676,6 +686,10 @@
 - `cargo-tauri.hook` was introduced to help users build [Tauri](https://tauri.app/) projects. It is meant to be used alongside
   `rustPlatform.buildRustPackage` and Node hooks such as `npmConfigHook`, `pnpm.configHook`, and the new `yarnConfig`
 
+- `power.ups` now powers off UPSs during a power outage event.
+  This saves UPS battery and ensures that host(s) get back up again when power comes back, even in the scenario when the UPS would have had enough capacity to keep power on during the whole power outage.
+  If you like the old behaviour of keeping the UPSs on (and emptying the battery) after the host(s) have shut down, and risk not getting a power cycle event to get the host(s) back up, set `power.ups.upsmon.settings.POWERDOWNFLAG = null;`.
+
 - Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872)
   in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners
   should be changed to using *runner authentication tokens* by configuring

nixos/modules/config/resolvconf.nix

@@ -132,6 +132,8 @@ in
     }
 
     (lib.mkIf cfg.enable {
+      users.groups.resolvconf = {};
+
       networking.resolvconf.package = pkgs.openresolv;
 
       environment.systemPackages = [ cfg.package ];
@@ -143,12 +145,13 @@ in
         wants = [ "network-pre.target" ];
         wantedBy = [ "multi-user.target" ];
         restartTriggers = [ config.environment.etc."resolvconf.conf".source ];
+        serviceConfig.RemainAfterExit = true;
 
-        serviceConfig = {
-          Type = "oneshot";
-          ExecStart = "${cfg.package}/bin/resolvconf -u";
-          RemainAfterExit = true;
-        };
+        script = ''
+          ${lib.getExe cfg.package} -u
+          chgrp -R resolvconf /etc/resolv.conf /run/resolvconf
+          chmod -R g=u /etc/resolv.conf /run/resolvconf
+        '';
       };
 
     })

nixos/modules/installer/tools/nix-fallback-paths.nix

@@ -1,7 +1,8 @@
 {
-  x86_64-linux = "/nix/store/vhv7ckr0winivvwfqxd54d6pgq2hx1is-nix-2.18.8";
-  i686-linux = "/nix/store/8x7rmgi225r5kygpf17swvk3vll0c61y-nix-2.18.8";
-  aarch64-linux = "/nix/store/sbyj0rb1wd314zfxpf834d0clvxrxmv3-nix-2.18.8";
-  x86_64-darwin = "/nix/store/vsy1wl865md71qv177nchj0aj5p26pkl-nix-2.18.8";
-  aarch64-darwin = "/nix/store/54kqc2da3fjyjgzab4vaszxjmdvii6yk-nix-2.18.8";
+  x86_64-linux = "/nix/store/vi6fh1mhzl5m0knn3y056wnl07sri6c5-nix-2.24.8";
+  i686-linux = "/nix/store/s4wdfq4dzii2jhy1mv2h7b5hpzhf40hm-nix-2.24.8";
+  aarch64-linux = "/nix/store/g50zn4kdcnlgkwbvyi9f9icj9i2x83i5-nix-2.24.8";
+  riscv64-linux = "/nix/store/8ws83k3wc9a639hp6dyprsmvb24fd14w-nix-riscv64-unknown-linux-gnu-2.24.8";
+  x86_64-darwin = "/nix/store/1dhc9a68j5lcnkgdrcm2kbydnbzrlldg-nix-2.24.8";
+  aarch64-darwin = "/nix/store/7gv39q83hm8b7cwcpx1vlcs424qmp67p-nix-2.24.8";
 }

nixos/modules/programs/steam.nix

@@ -31,7 +31,7 @@ in {
       default = pkgs.steam;
       defaultText = lib.literalExpression "pkgs.steam";
       example = lib.literalExpression ''
-        pkgs.steam-small.override {
+        pkgs.steam.override {
           extraEnv = {
             MANGOHUD = true;
             OBS_VKCAPTURE = true;

nixos/modules/services/desktop-managers/plasma6.nix

@@ -249,10 +249,11 @@ in {
 
     xdg.portal.enable = true;
     xdg.portal.extraPortals = [
+      kdePackages.kwallet
       kdePackages.xdg-desktop-portal-kde
       pkgs.xdg-desktop-portal-gtk
     ];
-    xdg.portal.configPackages = mkDefault [kdePackages.xdg-desktop-portal-kde];
+    xdg.portal.configPackages = mkDefault [kdePackages.plasma-workspace];
     services.pipewire.enable = mkDefault true;
 
     # Enable screen reader by default

nixos/modules/services/monitoring/ups.nix

@@ -309,8 +309,10 @@ let
         defaultText = lib.literalMD ''
           {
             MINSUPPLIES = 1;
-            RUN_AS_USER = "root";
+            MONITOR = <generated from config.power.ups.upsmon.monitor>
             NOTIFYCMD = "''${pkgs.nut}/bin/upssched";
+            POWERDOWNFLAG = "/run/killpower";
+            RUN_AS_USER = "root";
             SHUTDOWNCMD = "''${pkgs.systemd}/bin/shutdown now";
           }
         '';
@@ -330,11 +332,12 @@ let
     config = {
       enable = lib.mkDefault (lib.elem cfg.mode [ "standalone" "netserver" "netclient" ]);
       settings = {
-        RUN_AS_USER = "root"; # TODO: replace 'root' by another username.
         MINSUPPLIES = lib.mkDefault 1;
+        MONITOR = lib.flip lib.mapAttrsToList cfg.upsmon.monitor (name: monitor: with monitor; [ system powerValue user "\"@upsmon_password_${name}@\"" type ]);
         NOTIFYCMD = lib.mkDefault "${pkgs.nut}/bin/upssched";
+        POWERDOWNFLAG = lib.mkDefault "/run/killpower";
+        RUN_AS_USER = "root"; # TODO: replace 'root' by another username.
         SHUTDOWNCMD = lib.mkDefault "${pkgs.systemd}/bin/shutdown now";
-        MONITOR = lib.flip lib.mapAttrsToList cfg.upsmon.monitor (name: monitor: with monitor; [ system powerValue user "\"@upsmon_password_${name}@\"" type ]);
       };
     };
   };
@@ -574,6 +577,24 @@ in
       ];
     };
 
+    systemd.services.ups-killpower = lib.mkIf (cfg.upsmon.settings.POWERDOWNFLAG != null) {
+      enable = cfg.upsd.enable;
+      description = "UPS Kill Power";
+      wantedBy = [ "shutdown.target" ];
+      after = [ "shutdown.target" ];
+      before = [ "final.target" ];
+      unitConfig = {
+        ConditionPathExists = cfg.upsmon.settings.POWERDOWNFLAG;
+        DefaultDependencies = "no";
+      };
+      environment = envVars;
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.nut}/bin/upsdrvctl shutdown";
+        Slice = "system-ups.slice";
+      };
+    };
+
     environment.etc = {
       "nut/nut.conf".source = pkgs.writeText "nut.conf"
         ''