Merge staging-next into staging

.github/ISSUE_TEMPLATE/bug_report.md

@@ -7,33 +7,38 @@ assignees: ''
 
 ---
 
-**Describe the bug**
+### Describe the bug
 A clear and concise description of what the bug is.
 
-**To Reproduce**
+### Steps To Reproduce
 Steps to reproduce the behavior:
 1. ...
 2. ...
 3. ...
 
-**Expected behavior**
+### Expected behavior
 A clear and concise description of what you expected to happen.
 
-**Screenshots**
+### Screenshots
 If applicable, add screenshots to help explain your problem.
 
-**Additional context**
+### Additional context
 Add any other context about the problem here.
 
-**Notify maintainers**
+### Notify maintainers
 <!--
 Please @ people who are in the `meta.maintainers` list of the offending package or module.
 If in doubt, check `git blame` for whoever last touched something.
 -->
 
-**Metadata**
+### Metadata
 Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.
 
+```console
+[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
+output here
+```
+
 Maintainer information:
 ```yaml
 # a list of nixpkgs attributes affected by the problem

nixos/doc/manual/from_md/release-notes/rl-2111.section.xml

@@ -617,6 +617,77 @@
           be removed in 22.05.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          The order of NSS (host) modules has been brought in line with
+          upstream recommendations:
+        </para>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              The <literal>myhostname</literal> module is placed before
+              the <literal>resolve</literal> (optional) and
+              <literal>dns</literal> entries, but after
+              <literal>file</literal> (to allow overriding via
+              <literal>/etc/hosts</literal> /
+              <literal>networking.extraHosts</literal>, and prevent ISPs
+              with catchall-DNS resolvers from hijacking
+              <literal>.localhost</literal> domains)
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              The <literal>mymachines</literal> module, which provides
+              hostname resolution for local containers (registered with
+              <literal>systemd-machined</literal>) is placed to the
+              front, to make sure its mappings are preferred over other
+              resolvers.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              If systemd-networkd is enabled, the
+              <literal>resolve</literal> module is placed before
+              <literal>files</literal> and
+              <literal>myhostname</literal>, as it provides the same
+              logic internally, with caching.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              The <literal>mdns(_minimal)</literal> module has been
+              updated to the new priorities.
+            </para>
+          </listitem>
+        </itemizedlist>
+        <para>
+          If you use your own NSS host modules, make sure to update your
+          priorities according to these rules:
+        </para>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              NSS modules which should be queried before
+              <literal>resolved</literal> DNS resolution should use
+              mkBefore.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              NSS modules which should be queried after
+              <literal>resolved</literal>, <literal>files</literal> and
+              <literal>myhostname</literal>, but before
+              <literal>dns</literal> should use the default priority
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              NSS modules which should come after <literal>dns</literal>
+              should use mkAfter.
+            </para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
     </itemizedlist>
   </section>
 </section>

nixos/doc/manual/release-notes/rl-2111.section.md

@@ -155,3 +155,27 @@ pt-services.clipcat.enable).
 - The wordpress module provides a new interface which allows to use different webservers with the new option [`services.wordpress.webserver`](options.html#opt-services.wordpress.webserver).  Currently `httpd` and `nginx` are supported. The definitions of wordpress sites should now be set in [`services.wordpress.sites`](options.html#opt-services.wordpress.sites).
 
   Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.
+
+- The order of NSS (host) modules has been brought in line with upstream
+  recommendations:
+
+  - The `myhostname` module is placed before the `resolve` (optional) and `dns`
+    entries, but after `file` (to allow overriding via `/etc/hosts` /
+    `networking.extraHosts`, and prevent ISPs with catchall-DNS resolvers from
+    hijacking `.localhost` domains)
+  - The `mymachines` module, which provides hostname resolution for local
+    containers (registered with `systemd-machined`) is placed to the front, to
+    make sure its mappings are preferred over other resolvers.
+  - If systemd-networkd is enabled, the `resolve` module is placed before
+    `files` and `myhostname`, as it provides the same logic internally, with
+    caching.
+  - The `mdns(_minimal)` module has been updated to the new priorities.
+
+  If you use your own NSS host modules, make sure to update your priorities
+  according to these rules:
+
+  - NSS modules which should be queried before `resolved` DNS resolution should
+    use mkBefore.
+  - NSS modules which should be queried after `resolved`, `files` and
+    `myhostname`, but before `dns` should use the default priority
+  - NSS modules which should come after `dns` should use mkAfter.

nixos/modules/config/nsswitch.nix

@@ -124,8 +124,8 @@ with lib;
       group = mkBefore [ "files" ];
       shadow = mkBefore [ "files" ];
       hosts = mkMerge [
-        (mkBefore [ "files" ])
-        (mkAfter [ "dns" ])
+        (mkOrder 998 [ "files" ])
+        (mkOrder 1499 [ "dns" ])
       ];
       services = mkBefore [ "files" ];
     };

nixos/modules/hardware/sensor/iio.nix

@@ -9,7 +9,7 @@ with lib;
     hardware.sensor.iio = {
       enable = mkOption {
         description = ''
-          Enable this option to support IIO sensors.
+          Enable this option to support IIO sensors with iio-sensor-proxy.
 
           IIO sensors are used for orientation and ambient light
           sensors on some mobile devices.

nixos/modules/services/networking/avahi-daemon.nix

@@ -240,8 +240,8 @@ in
 
     system.nssModules = optional cfg.nssmdns pkgs.nssmdns;
     system.nssDatabases.hosts = optionals cfg.nssmdns (mkMerge [
-      (mkOrder 900 [ "mdns_minimal [NOTFOUND=return]" ]) # must be before resolve
-      (mkOrder 1501 [ "mdns" ]) # 1501 to ensure it's after dns
+      (mkBefore [ "mdns_minimal [NOTFOUND=return]" ]) # before resolve
+      (mkAfter [ "mdns" ]) # after dns
     ]);
 
     environment.systemPackages = [ pkgs.avahi ];

nixos/modules/system/boot/resolved.nix

@@ -140,7 +140,8 @@ in
 
     # add resolve to nss hosts database if enabled and nscd enabled
     # system.nssModules is configured in nixos/modules/system/boot/systemd.nix
-    system.nssDatabases.hosts = optional config.services.nscd.enable "resolve [!UNAVAIL=return]";
+    # added with order 501 to allow modules to go before with mkBefore
+    system.nssDatabases.hosts = (mkOrder 501 ["resolve [!UNAVAIL=return]"]);
 
     systemd.additionalUpstreamSystemUnits = [
       "systemd-resolved.service"

nixos/modules/system/boot/systemd.nix

@@ -925,9 +925,8 @@ in
     system.nssModules = [ systemd.out ];
     system.nssDatabases = {
       hosts = (mkMerge [
-        [ "mymachines" ]
-        (mkOrder 1600 [ "myhostname" ] # 1600 to ensure it's always the last
-      )
+        (mkOrder 400 ["mymachines"]) # 400 to ensure it comes before resolve (which is mkBefore'd)
+        (mkOrder 999 ["myhostname"]) # after files (which is 998), but before regular nss modules
       ]);
       passwd = (mkMerge [
         (mkAfter [ "systemd" ])

pkgs/applications/networking/instant-messengers/slack/default.nix

@@ -50,8 +50,12 @@ let
   x86_64-linux-version = "4.17.0";
   x86_64-linux-sha256 = "07ccms58pq27ilkyhcf6cgwb7qrddwil5kgy8yv95ljikqzi5rxi";
 
+  aarch64-darwin-version = "4.17.0";
+  aarch64-darwin-sha256 = "1a5crmnbz8ng3z2pk5zw17dds9d5fyir4rkvv611fn858kq5fv46";
+
   version = {
     x86_64-darwin = x86_64-darwin-version;
+    aarch64-darwin = aarch64-darwin-version;
     x86_64-linux = x86_64-linux-version;
   }.${system} or throwSystem;
 
@@ -64,6 +68,10 @@ let
           url = "${base}/releases/macos/${version}/prod/x64/Slack-${version}-macOS.dmg";
           sha256 = x86_64-darwin-sha256;
         };
+        aarch64-darwin = fetchurl {
+          url = "${base}/releases/macos/${version}/prod/arm64/Slack-${version}-macOS.dmg";
+          sha256 = aarch64-darwin-sha256;
+        };
         x86_64-linux = fetchurl {
           url = "${base}/linux_releases/slack-desktop-${version}-amd64.deb";
           sha256 = x86_64-linux-sha256;
@@ -75,7 +83,7 @@ let
     homepage = "https://slack.com";
     license = licenses.unfree;
     maintainers = with maintainers; [ mmahut ];
-    platforms = [ "x86_64-darwin" "x86_64-linux" ];
+    platforms = [ "x86_64-darwin" "x86_64-linux" "aarch64-darwin"];
   };
 
   linux = stdenv.mkDerivation rec {

pkgs/development/python-modules/ailment/default.nix

@@ -7,14 +7,14 @@
 
 buildPythonPackage rec {
   pname = "ailment";
-  version = "9.0.9031";
+  version = "9.0.9166";
   disabled = pythonOlder "3.6";
 
   src = fetchFromGitHub {
     owner = "angr";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-xyNTcGTGH8030CJif6an+kDZIfOUVDMiRhFamVajAzk=";
+    sha256 = "09qbqn57h92f81xv35f645ai7nkkqf7cidkg3qrwfpxcwc2g9kdz";
   };
 
   propagatedBuildInputs = [ pyvex ];

pkgs/development/python-modules/angr/default.nix

@@ -43,14 +43,14 @@ in
 
 buildPythonPackage rec {
   pname = "angr";
-  version = "9.0.9031";
+  version = "9.0.9166";
   disabled = pythonOlder "3.6";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-qWAz9SHfQU0cdk4yVekJn5OIDPJPbi63CDdlHDq1Opw=";
+    sha256 = "1h1jb57zp8wy24xy60j76sl4hrzhhwfsvfx26zhbnhqzmwghpd5x";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/angrop/default.nix

@@ -9,14 +9,14 @@
 
 buildPythonPackage rec {
   pname = "angrop";
-  version = "9.0.9031";
+  version = "9.0.9166";
   disabled = pythonOlder "3.6";
 
   src = fetchFromGitHub {
     owner = "angr";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-3q/3iFR0FFOcvgmNVXtgi1Spu5xfXNJFy+QoIh8amOY=";
+    sha256 = "1myrzp5axg0dj7kxqc2mz3kfqlds3vzvavcncrj5y9xpx8m7l71m";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/archinfo/default.nix

@@ -7,13 +7,13 @@
 
 buildPythonPackage rec {
   pname = "archinfo";
-  version = "9.0.9031";
+  version = "9.0.9166";
 
   src = fetchFromGitHub {
     owner = "angr";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-pzBMyw5FwQV1FyhvOxUq39s96p0KKSrkEvJzhJQdS4E=";
+    sha256 = "0y77lyz019rm9zgxpam6dbb006c7j66hwy985h3fg6nbz74pcml5";
   };
 
   checkInputs = [

pkgs/development/python-modules/claripy/default.nix

@@ -13,14 +13,14 @@
 
 buildPythonPackage rec {
   pname = "claripy";
-  version = "9.0.9031";
+  version = "9.0.9166";
   disabled = pythonOlder "3.6";
 
   src = fetchFromGitHub {
     owner = "angr";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-UCmt2Vm8OWyKa0fmPlGuvzaFddUWs6quavUgIZasoJg=";
+    sha256 = "0rwl5q7z16agcykn0an2lyqfn2z5yvmg0xcvxfpvndf6zpnbqhx0";
   };
 
   # Use upstream z3 implementation

pkgs/development/python-modules/cle/default.nix

@@ -15,7 +15,7 @@
 
 let
   # The binaries are following the argr projects release cycle
-  version = "9.0.9031";
+  version = "9.0.9166";
 
   # Binary files from https://github.com/angr/binaries (only used for testing and only here)
   binaries = fetchFromGitHub {
@@ -35,7 +35,7 @@ buildPythonPackage rec {
     owner = "angr";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-+9aW7J8FXuKtU20dpqnoj37McPxzbkjKuYZIO8QeFF0=";
+    sha256 = "1mvdcwzim52mc7vjrr2cq8xwwi0v0ai3z608mg5nfbbf4zjji76c";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/pyvex/default.nix

@@ -11,11 +11,11 @@
 
 buildPythonPackage rec {
   pname = "pyvex";
-  version = "9.0.9031";
+  version = "9.0.9166";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-bl6bWv4c+tlaWcxrYCiljC9C+wAZZVyk+1O0rlb4kxA=";
+    sha256 = "0h7jw7blr4bal7pw711cxmwm4jjypchshc8ks04z2lyziy83ywja";
   };
 
   postPatch = lib.optionalString stdenv.isDarwin ''

pkgs/games/factorio/versions.json

@@ -10,12 +10,12 @@
         "version": "1.1.36"
       },
       "stable": {
-        "name": "factorio_alpha_x64-1.1.35.tar.xz",
+        "name": "factorio_alpha_x64-1.1.36.tar.xz",
         "needsAuth": true,
-        "sha256": "1svjjpyffdrmll1b3icsrikfi4v2r1z6j7iqq0v36iq0zw7vw3bk",
+        "sha256": "1x9a2lv6zbqawqlxg8bcbx04hjy0pq40macfa4sqi8w6h14wgww8",
         "tarDirectory": "x64",
-        "url": "https://factorio.com/get-download/1.1.35/alpha/linux64",
-        "version": "1.1.35"
+        "url": "https://factorio.com/get-download/1.1.36/alpha/linux64",
+        "version": "1.1.36"
       }
     },
     "demo": {
@@ -28,12 +28,12 @@
         "version": "1.1.35"
       },
       "stable": {
-        "name": "factorio_demo_x64-1.1.35.tar.xz",
+        "name": "factorio_demo_x64-1.1.36.tar.xz",
         "needsAuth": false,
-        "sha256": "0yqb4gf2avpxr4vwafws9pv74xyd9g84zggfikfc801ldc7sp29f",
+        "sha256": "15fl4pza7n107rrmmdm26kkc12fnrmpn6rjb4ampgzqzn1fq854s",
         "tarDirectory": "x64",
-        "url": "https://factorio.com/get-download/1.1.35/demo/linux64",
-        "version": "1.1.35"
+        "url": "https://factorio.com/get-download/1.1.36/demo/linux64",
+        "version": "1.1.36"
       }
     },
     "headless": {
@@ -46,12 +46,12 @@
         "version": "1.1.36"
       },
       "stable": {
-        "name": "factorio_headless_x64-1.1.35.tar.xz",
+        "name": "factorio_headless_x64-1.1.36.tar.xz",
         "needsAuth": false,
-        "sha256": "0xpiw89ad6cfpc576g5jpsyzwjncs3jrx01056p52wj01747fm94",
+        "sha256": "1s8g030xp5nrlmnn21frrd8n4nd7jjmb5hbpj1vhxjrk6vpijh24",
         "tarDirectory": "x64",
-        "url": "https://factorio.com/get-download/1.1.35/headless/linux64",
-        "version": "1.1.35"
+        "url": "https://factorio.com/get-download/1.1.36/headless/linux64",
+        "version": "1.1.36"
       }
     }
   }

pkgs/servers/monitoring/grafana-agent/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "grafana-agent";
-  version = "0.16.1";
+  version = "0.17.0";
 
   src = fetchFromGitHub {
     rev = "v${version}";
     owner = "grafana";
     repo = "agent";
-    sha256 = "0kqbn6fqlrxjqdkkhbr7qmm2m05a7dlskfdb7y4gr5ggi65m6ik5";
+    sha256 = "sha256-rHJGVQWbvgcvwPzt8e2uWs1n4bbaAZz6lQjyvmqmLZw=";
   };
 
-  vendorSha256 = "0xi69a1zkcmi5q8m7lfwp3xb4cbkwc2dzqm24lfqsq13xj5jq6ph";
+  vendorSha256 = "sha256-jA8M8ZdJWmrGRQb0W1duVV+XwxqJVQ/ek0Yhw6JZvX8=";
 
   patches = [
     # https://github.com/grafana/agent/issues/731

pkgs/servers/monitoring/grafana/plugins/grafana-polystat-panel/default.nix

@@ -2,8 +2,8 @@
 
 grafanaPlugin rec {
   pname = "grafana-polystat-panel";
-  version = "1.2.5";
-  zipHash = "sha256-U9vNfK4ofNzwL7MVe43tGY85gI56Jt1eb7TrCkeNrOQ=";
+  version = "1.2.6";
+  zipHash = "sha256-gbMD2o8A2YYZzkpYiXNkv8Oj958RP47fL6DXj1SBYF0=";
   meta = with lib; {
     description = "Hexagonal multi-stat panel for Grafana";
     license = licenses.asl20;

pkgs/servers/monitoring/prometheus/default.nix

@@ -1,4 +1,10 @@
-{ stdenv, lib, go, buildGoModule, fetchFromGitHub, mkYarnPackage, nixosTests
+{ stdenv
+, lib
+, go
+, buildGoModule
+, fetchFromGitHub
+, mkYarnPackage
+, nixosTests
 , fetchpatch
 }:
 
@@ -27,7 +33,8 @@ let
     installPhase = "mv build $out";
     distPhase = "true";
   };
-in buildGoModule rec {
+in
+buildGoModule rec {
   pname = "prometheus";
   inherit src version;
 
@@ -41,19 +48,21 @@ in buildGoModule rec {
   '';
 
   buildFlags = "-tags=builtinassets";
-  buildFlagsArray = let
-    t = "${goPackagePath}/vendor/github.com/prometheus/common/version";
-  in [
-    ''
-      -ldflags=
-         -X ${t}.Version=${version}
-         -X ${t}.Revision=unknown
-         -X ${t}.Branch=unknown
-         -X ${t}.BuildUser=nix@nixpkgs
-         -X ${t}.BuildDate=unknown
-         -X ${t}.GoVersion=${lib.getVersion go}
-    ''
-  ];
+  buildFlagsArray =
+    let
+      t = "${goPackagePath}/vendor/github.com/prometheus/common/version";
+    in
+    [
+      ''
+        -ldflags=
+           -X ${t}.Version=${version}
+           -X ${t}.Revision=unknown
+           -X ${t}.Branch=unknown
+           -X ${t}.BuildUser=nix@nixpkgs
+           -X ${t}.BuildDate=unknown
+           -X ${t}.GoVersion=${lib.getVersion go}
+      ''
+    ];
 
   # only run this in the real build, not during the vendor build
   # this should probably be fixed in buildGoModule
@@ -67,7 +76,8 @@ in buildGoModule rec {
     cp -a $src/console_libraries $src/consoles $out/etc/prometheus
   '';
 
-  doCheck = !stdenv.isDarwin; # https://hydra.nixos.org/build/130673870/nixlog/1
+  # doCheck = !stdenv.isDarwin; # https://hydra.nixos.org/build/130673870/nixlog/1
+  doCheck = false;
 
   passthru.tests = { inherit (nixosTests) prometheus; };
 

pkgs/servers/monitoring/seyren/default.nix

@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "1fixij04n8hgmaj8kw8i6vclwyd6n94x0n6ify73ynm6dfv8g37x";
   };
 
-  phases = ["installPhase"];
+  dontUnpack = true;
 
   nativeBuildInputs = [ makeWrapper ];
   buildInputs = [ jre ];