staging-next 2025-02-09

doc/release-notes/rl-2505.section.md

@@ -12,6 +12,8 @@
   It should generally be replaced with `rustPlatform.fetchCargoVendor`, but `rustPlatform.importCargoLock` may also be appropriate in some circumstances.
   `rustPlatform.buildRustPackage` users must set `useFetchCargoVendor` to `true` and regenerate the `cargoHash`.
 
+- Default ICU version updated from 74 to 76
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ### Titanium removed {#sec-nixpkgs-release-25.05-incompatibilities-titanium-removed}

doc/stdenv/stdenv.chapter.md

@@ -1560,6 +1560,10 @@ intel_drv.so: undefined symbol: vgaHWFreeHWRec
 
 Adds the `-fzero-call-used-regs=used-gpr` compiler option. This causes the general-purpose registers that an architecture's calling convention considers "call-used" to be zeroed on return from the function. This can make it harder for attackers to construct useful ROP gadgets and also reduces the chance of data leakage from a function call.
 
+#### `stackclashprotection` {#stackclashprotection}
+
+This flag adds the `-fstack-clash-protection` compiler option, which causes growth of a program's stack to access each successive page in order. This should force the guard page to be accessed and cause an attempt to "jump over" this guard page to crash.
+
 ### Hardening flags disabled by default {#sec-hardening-flags-disabled-by-default}
 
 The following flags are disabled by default and should be enabled with `hardeningEnable` for packages that take untrusted input like network services.
@@ -1599,10 +1603,6 @@ This should be turned off or fixed for build errors such as:
 sorry, unimplemented: __builtin_clear_padding not supported for variable length aggregates
 ```
 
-#### `stackclashprotection` {#stackclashprotection}
-
-This flag adds the `-fstack-clash-protection` compiler option, which causes growth of a program's stack to access each successive page in order. This should force the guard page to be accessed and cause an attempt to "jump over" this guard page to crash.
-
 #### `pacret` {#pacret}
 
 This flag adds the `-mbranch-protection=pac-ret` compiler option on aarch64-linux targets. This uses ARM v8.3's Pointer Authentication feature to sign function return pointers before adding them to the stack. The pointer's authenticity is then validated before returning to its destination. This dramatically increases the difficulty of ROP exploitation techniques.

doc/using/configuration.chapter.md

@@ -193,7 +193,7 @@ source: ../config-options.json
 
 ### Build an environment {#sec-building-environment}
 
-Using `packageOverrides`, it is possible to manage packages declaratively. This means that we can list all of our desired packages within a declarative Nix expression. For example, to have `aspell`, `bc`, `ffmpeg`, `coreutils`, `gdb`, `nixUnstable`, `emscripten`, `jq`, `nox`, and `silver-searcher`, we could use the following in `~/.config/nixpkgs/config.nix`:
+Using `packageOverrides`, it is possible to manage packages declaratively. This means that we can list all of our desired packages within a declarative Nix expression. For example, to have `aspell`, `bc`, `ffmpeg`, `coreutils`, `gdb`, `nix`, `emscripten`, `jq`, `nox`, and `silver-searcher`, we could use the following in `~/.config/nixpkgs/config.nix`:
 
 ```nix
 {
@@ -206,7 +206,7 @@ Using `packageOverrides`, it is possible to manage packages declaratively. This
         coreutils
         gdb
         ffmpeg
-        nixUnstable
+        nix
         emscripten
         jq
         nox
@@ -230,7 +230,7 @@ To install it into our environment, you can just run `nix-env -iA nixpkgs.myPack
         coreutils
         gdb
         ffmpeg
-        nixUnstable
+        nix
         emscripten
         jq
         nox
@@ -258,7 +258,7 @@ After building that new environment, look through `~/.nix-profile` to make sure
         bc
         coreutils
         ffmpeg
-        nixUnstable
+        nix
         emscripten
         jq
         nox
@@ -292,7 +292,7 @@ This provides us with some useful documentation for using our packages.  However
         coreutils
         ffmpeg
         man
-        nixUnstable
+        nix
         emscripten
         jq
         nox
@@ -344,7 +344,7 @@ Configuring GNU info is a little bit trickier than man pages. To work correctly,
         coreutils
         ffmpeg
         man
-        nixUnstable
+        nix
         emscripten
         jq
         nox

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -479,6 +479,8 @@
 
 - `networking.wireguard` now has an optional networkd backend. It is enabled by default when `networking.useNetworkd` is enabled, and it can be enabled alongside scripted networking with `networking.wireguard.useNetworkd`. Some `networking.wireguard` options have slightly different behavior with the networkd and script-based backends, documented in each option.
 
+- The `stackclashprotection` hardening flag has been enabled by default on compilers that support it.
+
 - `services.rss-bridge` now has a `package` option as well as support for `caddy` as reverse proxy.
 
 - `services.avahi.ipv6` now defaults to true.

nixos/maintainers/scripts/incus/incus-container-image.nix

@@ -16,8 +16,7 @@
   # copy the config for nixos-rebuild
   system.activationScripts.config =
     let
-      config = pkgs.substituteAll {
-        src = ./incus-container-image-inner.nix;
+      config = pkgs.replaceVars ./incus-container-image-inner.nix {
         stateVersion = lib.trivial.release;
       };
     in

nixos/maintainers/scripts/incus/incus-virtual-machine-image.nix

@@ -16,8 +16,7 @@
   # copy the config for nixos-rebuild
   system.activationScripts.config =
     let
-      config = pkgs.substituteAll {
-        src = ./incus-virtual-machine-image-inner.nix;
+      config = pkgs.replaceVars ./incus-virtual-machine-image-inner.nix {
         stateVersion = lib.trivial.release;
       };
     in

nixos/maintainers/scripts/lxd/lxd-container-image.nix

@@ -18,8 +18,7 @@
   # copy the config for nixos-rebuild
   system.activationScripts.config =
     let
-      config = pkgs.substituteAll {
-        src = ./lxd-container-image-inner.nix;
+      config = pkgs.replaceVars ./lxd-container-image-inner.nix {
         stateVersion = lib.trivial.release;
       };
     in

nixos/maintainers/scripts/lxd/lxd-virtual-machine-image.nix

@@ -18,8 +18,7 @@
   # copy the config for nixos-rebuild
   system.activationScripts.config =
     let
-      config = pkgs.substituteAll {
-        src = ./lxd-virtual-machine-image-inner.nix;
+      config = pkgs.replaceVars ./lxd-virtual-machine-image-inner.nix {
         stateVersion = lib.trivial.release;
       };
     in

nixos/modules/installer/cd-dvd/iso-image.nix

@@ -832,11 +832,7 @@ in
         { source = config.isoImage.splashImage;
           target = "/isolinux/background.png";
         }
-        { source = pkgs.substituteAll  {
-            name = "isolinux.cfg";
-            src = pkgs.writeText "isolinux.cfg-in" isolinuxCfg;
-            bootRoot = "/boot";
-          };
+        { source = isolinuxCfg;
           target = "/isolinux/isolinux.cfg";
         }
         { source = "${pkgs.syslinux}/share/syslinux";

nixos/modules/services/databases/postgresql.nix

@@ -727,10 +727,16 @@ in
           RestrictRealtime = true;
           RestrictSUIDSGID = true;
           SystemCallArchitectures = "native";
-          SystemCallFilter = [
-            "@system-service"
-            "~@privileged @resources"
-          ] ++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ];
+          SystemCallFilter =
+            [
+              "@system-service"
+              "~@privileged @resources"
+            ]
+            ++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ]
+            ++ lib.optionals (any extensionInstalled [ "citus" ]) [
+              "getpriority"
+              "setpriority"
+            ];
           UMask = if groupAccessAvailable then "0027" else "0077";
         }
         (mkIf (cfg.dataDir != "/var/lib/postgresql/${cfg.package.psqlSchema}") {

nixos/modules/services/misc/taskserver/default.nix

@@ -142,8 +142,7 @@ let
       src = pkgs.runCommand "nixos-taskserver-src" { preferLocalBuild = true; } ''
         mkdir -p "$out"
         cat "${
-          pkgs.substituteAll {
-            src = ./helper-tool.py;
+          pkgs.replaceVars ./helper-tool.py {
             inherit taskd certtool;
             inherit (cfg)
               dataDir

nixos/modules/system/boot/loader/grub/grub.nix

@@ -727,11 +727,13 @@ in
 
       system.build.installBootLoader =
         let
-          install-grub-pl = pkgs.substituteAll {
-            src = ./install-grub.pl;
+          install-grub-pl = pkgs.replaceVars ./install-grub.pl {
             utillinux = pkgs.util-linux;
             btrfsprogs = pkgs.btrfs-progs;
             inherit (config.system.nixos) distroName;
+            # targets of a replacement in code
+            bootPath = null;
+            bootRoot = null;
           };
           perl = pkgs.perl.withPackages (p: with p; [
             FileSlurp FileCopyRecursive

nixos/modules/system/boot/systemd/initrd.nix

@@ -538,7 +538,9 @@ in
           "${cfg.package.util-linux}/bin/umount"
           "${cfg.package.util-linux}/bin/sulogin"
 
-          # required for script services, and some tools like xfs still want the sh symlink
+          # required for services generated with writeShellScript and friends
+          pkgs.runtimeShell
+          # some tools like xfs still want the sh symlink
           "${pkgs.bash}/bin"
 
           # so NSS can look up usernames

nixos/tests/postgresql/anonymizer.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   makeTest,
+  genTests,
 }:
 
 let
@@ -107,11 +108,7 @@ let
       '';
     };
 in
-lib.recurseIntoAttrs (
-  lib.concatMapAttrs (n: p: { ${n} = makeTestFor p; }) (
-    lib.filterAttrs (_: p: p ? pkgs && !p.pkgs.anonymizer.meta.broken) pkgs.postgresqlVersions
-  )
-  // {
-    passthru.override = p: makeTestFor p;
-  }
-)
+genTests {
+  inherit makeTestFor;
+  filter = _: p: !p.pkgs.anonymizer.meta.broken;
+}

nixos/tests/postgresql/citus.nix

@@ -0,0 +1,73 @@
+{
+  pkgs,
+  makeTest,
+  genTests,
+}:
+
+let
+  inherit (pkgs) lib;
+
+  test-sql = pkgs.writeText "postgresql-test" ''
+    CREATE EXTENSION citus;
+
+    CREATE TABLE examples (
+      id bigserial,
+      shard_key int,
+      PRIMARY KEY (id, shard_key)
+    );
+
+    SELECT create_distributed_table('examples', 'shard_key');
+
+    INSERT INTO examples (shard_key) SELECT shard % 10 FROM generate_series(1,1000) shard;
+  '';
+
+  makeTestFor =
+    package:
+    makeTest {
+      name = "citus-${package.name}";
+      meta = with lib.maintainers; {
+        maintainers = [ typetetris ];
+      };
+
+      nodes.machine =
+        { ... }:
+        {
+          services.postgresql = {
+            inherit package;
+            enable = true;
+            enableJIT = lib.hasInfix "-jit-" package.name;
+            extensions =
+              ps: with ps; [
+                citus
+              ];
+            settings = {
+              shared_preload_libraries = "citus";
+            };
+          };
+        };
+
+      testScript = ''
+        def check_count(statement, lines):
+            return 'test $(sudo -u postgres psql postgres -tAc "{}") -eq {}'.format(
+                statement, lines
+            )
+
+
+        machine.start()
+        machine.wait_for_unit("postgresql")
+
+        with subtest("Postgresql with extension citus is available just after unit start"):
+            machine.succeed(
+                "sudo -u postgres psql -f ${test-sql}"
+            )
+
+        machine.succeed(check_count("SELECT count(*) FROM examples;", 1000))
+
+        machine.shutdown()
+      '';
+    };
+in
+genTests {
+  inherit makeTestFor;
+  filter = _: p: !p.pkgs.citus.meta.broken;
+}

nixos/tests/postgresql/default.nix

@@ -7,7 +7,25 @@
 with import ../../lib/testing-python.nix { inherit system pkgs; };
 
 let
-  importWithArgs = path: import path { inherit pkgs makeTest; };
+  inherit (pkgs.lib)
+    recurseIntoAttrs
+    filterAttrs
+    mapAttrs
+    const
+    ;
+  genTests =
+    {
+      makeTestFor,
+      filter ? (_: _: true),
+    }:
+    recurseIntoAttrs (
+      mapAttrs (const makeTestFor) (filterAttrs filter pkgs.postgresqlVersions)
+      // {
+        passthru.override = makeTestFor;
+      }
+    );
+
+  importWithArgs = path: import path { inherit pkgs makeTest genTests; };
 in
 {
   # postgresql
@@ -18,6 +36,7 @@ in
 
   # extensions
   anonymizer = importWithArgs ./anonymizer.nix;
+  citus = importWithArgs ./citus.nix;
   pgjwt = importWithArgs ./pgjwt.nix;
   pgvecto-rs = importWithArgs ./pgvecto-rs.nix;
   timescaledb = importWithArgs ./timescaledb.nix;

nixos/tests/postgresql/pgjwt.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   makeTest,
+  genTests,
 }:
 
 let
@@ -48,11 +49,7 @@ let
         '';
     };
 in
-lib.recurseIntoAttrs (
-  lib.concatMapAttrs (n: p: { ${n} = makeTestFor p; }) (
-    lib.filterAttrs (_: p: p ? pkgs && !p.pkgs.pgjwt.meta.broken) pkgs.postgresqlVersions
-  )
-  // {
-    passthru.override = p: makeTestFor p;
-  }
-)
+genTests {
+  inherit makeTestFor;
+  filter = _: p: !p.pkgs.pgjwt.meta.broken;
+}

nixos/tests/postgresql/pgvecto-rs.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   makeTest,
+  genTests,
 }:
 
 let
@@ -72,11 +73,7 @@ let
         '';
     };
 in
-lib.recurseIntoAttrs (
-  lib.concatMapAttrs (n: p: { ${n} = makeTestFor p; }) (
-    lib.filterAttrs (_: p: p ? pkgs && !p.pkgs.pgvecto-rs.meta.broken) pkgs.postgresqlVersions
-  )
-  // {
-    passthru.override = p: makeTestFor p;
-  }
-)
+genTests {
+  inherit makeTestFor;
+  filter = _: p: !p.pkgs.pgvecto-rs.meta.broken;
+}