Merge master into staging-next

NixOS · Dec 7, 2024 · 171c0c7 · 171c0c7
2 parents 70c02e5 + c90e086
commit 171c0c7
Show file tree

Hide file tree

Showing 91 changed files with 1,348 additions and 596 deletions.
diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -33,6 +33,8 @@
 
 - [agorakit](https://github.com/agorakit/agorakit), an organization tool for citizens' collectives. Available with [services.agorakit](options.html#opt-services.agorakit.enable).
 
+- [mqtt-exporter](https://github.com/kpetremann/mqtt-exporter/), a Prometheus exporter for exposing messages from MQTT. Available as [services.prometheus.exporters.mqtt](#opt-services.prometheus.exporters.mqtt.enable).
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Backward Incompatibilities {#sec-release-25.05-incompatibilities}

diff --git a/nixos/modules/misc/locate.nix b/nixos/modules/misc/locate.nix
@@ -278,18 +278,32 @@ in
         PRUNE_BIND_MOUNTS = if cfg.pruneBindMounts then "yes" else "no";
       };
       serviceConfig = {
+        CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_CHOWN";
         Nice = 19;
         IOSchedulingClass = "idle";
+        IPAddressDeny = "any";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
         PrivateTmp = "yes";
+        PrivateDevices = true;
         PrivateNetwork = "yes";
-        NoNewPrivileges = "yes";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHostname = true;
+        RestrictAddressFamilies = "AF_UNIX";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
         ReadOnlyPaths = "/";
         # Use dirOf cfg.output because mlocate creates temporary files next to
         # the actual database. We could specify and create them as well,
         # but that would make this quite brittle when they change something.
         # NOTE: If /var/cache does not exist, this leads to the misleading error message:
         # update-locatedb.service: Failed at step NAMESPACE spawning …/update-locatedb-start: No such file or directory
         ReadWritePaths = dirOf cfg.output;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service @chown";
       };
     };
 

diff --git a/nixos/modules/services/desktop-managers/lomiri.nix b/nixos/modules/services/desktop-managers/lomiri.nix
@@ -90,6 +90,7 @@ in
             lomiri-filemanager-app
             lomiri-gallery-app
             lomiri-history-service
+            lomiri-mediaplayer-app
             lomiri-polkit-agent
             lomiri-schemas # exposes some required dbus interfaces
             lomiri-session # wrappers to properly launch the session

diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix
@@ -58,6 +58,7 @@ let
     "mikrotik"
     "modemmanager"
     "mongodb"
+    "mqtt"
     "mysqld"
     "nats"
     "nextcloud"

diff --git a/nixos/modules/services/monitoring/prometheus/exporters/mqtt.nix b/nixos/modules/services/monitoring/prometheus/exporters/mqtt.nix
@@ -0,0 +1,140 @@
+{
+  config,
+  lib,
+  pkgs,
+  options,
+  utils,
+}:
+
+let
+  inherit (lib)
+    mkIf
+    mkEnableOption
+    mkOption
+    types
+    ;
+  cfg = config.services.prometheus.exporters.mqtt;
+  toConfigBoolean = x: if x then "True" else "False";
+  toConfigList = builtins.concatStringsSep ",";
+in
+{
+  # https://github.com/kpetremann/mqtt-exporter/tree/master?tab=readme-ov-file#configuration
+  port = 9000;
+  extraOpts = {
+    keepFullTopic = mkEnableOption "Keep entire topic instead of the first two elements only. Usecase: Shelly 3EM";
+    logLevel = mkOption {
+      type = types.enum [
+        "CRITICAL"
+        "ERROR"
+        "WARNING"
+        "INFO"
+        "DEBUG"
+      ];
+      default = "INFO";
+      example = "DEBUG";
+      description = "Logging level";
+    };
+    logMqttMessage = mkEnableOption "Log MQTT original message, only if `LOG_LEVEL` is set to DEBUG.";
+    mqttIgnoredTopics = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      description = "Lists of topics to ignore. Accepts wildcards.";
+    };
+    mqttAddress = mkOption {
+      type = types.str;
+      default = "127.0.0.1";
+      description = "IP or hostname of MQTT broker.";
+    };
+    mqttPort = mkOption {
+      type = types.port;
+      default = 1883;
+      description = "TCP port of MQTT broker.";
+    };
+    mqttTopic = mkOption {
+      type = types.str;
+      default = "#";
+      description = "Topic path to subscribe to.";
+    };
+    mqttKeepAlive = mkOption {
+      type = types.int;
+      default = 60;
+      example = 30;
+      description = "Keep alive interval to maintain connection with MQTT broker.";
+    };
+    mqttUsername = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      example = "mqttexporter";
+      description = "Username which should be used to authenticate against the MQTT broker.";
+    };
+    mqttV5Protocol = mkEnableOption "Force to use MQTT protocol v5 instead of 3.1.1.";
+    mqttClientId = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Set client ID manually for MQTT connection";
+    };
+    mqttExposeClientId = mkEnableOption "Expose the client ID as a label in Prometheus metrics.";
+    prometheusPrefix = mkOption {
+      type = types.str;
+      default = "mqtt_";
+      description = "Prefix added to the metric name.";
+    };
+    topicLabel = mkOption {
+      type = types.str;
+      default = "topic";
+      description = "Define the Prometheus label for the topic.";
+    };
+    zigbee2MqttAvailability = mkEnableOption "Normalize sensor name for device availability metric added by Zigbee2MQTT.";
+    zwaveTopicPrefix = mkOption {
+      type = types.str;
+      default = "zwave/";
+      description = "MQTT topic used for Zwavejs2Mqtt messages.";
+    };
+    esphomeTopicPrefixes = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      description = "MQTT topic used for ESPHome messages.";
+    };
+    hubitatTopicPrefixes = mkOption {
+      type = types.listOf types.str;
+      default = [ "hubitat/" ];
+      description = "MQTT topic used for Hubitat messages.";
+    };
+    environmentFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      example = [ "/run/secrets/mqtt-exporter" ];
+      description = ''
+        File to load as environment file. Useful for e.g. setting `MQTT_PASSWORD`
+        without putting any secrets into the Nix store.
+      '';
+    };
+  };
+  serviceOpts = {
+    environment = {
+      KEEP_FULL_TOPIC = toConfigBoolean cfg.keepFullTopic;
+      LOG_LEVEL = cfg.logLevel;
+      LOG_MQTT_MESSAGE = toConfigBoolean cfg.logMqttMessage;
+      MQTT_IGNORED_TOPIC = toConfigList cfg.mqttIgnoredTopics;
+      MQTT_ADDRESS = cfg.mqttAddress;
+      MQTT_PORT = toString cfg.mqttPort;
+      MQTT_TOPIC = cfg.mqttTopic;
+      MQTT_KEEPALIVE = toString cfg.mqttKeepAlive;
+      MQTT_USERNAME = cfg.mqttUsername;
+      MQTT_V5_PROTOCOL = toConfigBoolean cfg.mqttV5Protocol;
+      MQTT_CLIENT_ID = mkIf (cfg.mqttClientId != null) cfg.mqttClientId;
+      PROMETHEUS_ADDRESS = cfg.listenAddress;
+      PROMETHEUS_PORT = toString cfg.port;
+      PROMETHEUS_PREFIX = cfg.prometheusPrefix;
+      TOPIC_LABEL = cfg.topicLabel;
+      ZIGBEE2MQTT_AVAILABILITY = toConfigBoolean cfg.zigbee2MqttAvailability;
+      ZWAVE_TOPIC_PREFIX = cfg.zwaveTopicPrefix;
+      ESPHOME_TOPIC_PREFIXES = toConfigList cfg.esphomeTopicPrefixes;
+      HUBITAT_TOPIC_PREFIXES = toConfigList cfg.hubitatTopicPrefixes;
+    };
+    serviceConfig = {
+      EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
+      ExecStart = lib.getExe pkgs.mqtt-exporter;
+    };
+  };
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
@@ -563,6 +563,7 @@ in {
   lomiri-clock-app = runTest ./lomiri-clock-app.nix;
   lomiri-docviewer-app = runTest ./lomiri-docviewer-app.nix;
   lomiri-filemanager-app = runTest ./lomiri-filemanager-app.nix;
+  lomiri-mediaplayer-app = runTest ./lomiri-mediaplayer-app.nix;
   lomiri-gallery-app = runTest ./lomiri-gallery-app.nix;
   lomiri-system-settings = handleTest ./lomiri-system-settings.nix {};
   lorri = handleTest ./lorri/default.nix {};

diff --git a/nixos/tests/lomiri-mediaplayer-app.nix b/nixos/tests/lomiri-mediaplayer-app.nix
@@ -0,0 +1,77 @@
+{ lib, ... }:
+let
+  ocrContent = "Video Test";
+  videoFile = "test.webm";
+in
+{
+  name = "lomiri-mediaplayer-app-standalone";
+  meta.maintainers = lib.teams.lomiri.members;
+
+  nodes.machine =
+    { config, pkgs, ... }:
+    {
+      imports = [ ./common/x11.nix ];
+
+      services.xserver.enable = true;
+
+      environment = {
+        # Setup video
+        etc."${videoFile}".source =
+          pkgs.runCommand videoFile
+            {
+              nativeBuildInputs = with pkgs; [
+                ffmpeg # produce video for OCR
+                (imagemagick.override { ghostscriptSupport = true; }) # produce OCR-able image
+              ];
+            }
+            ''
+              magick -size 400x400 canvas:white -pointsize 40 -fill black -annotate +100+100 '${ocrContent}' output.png
+              ffmpeg -re -loop 1 -i output.png -c:v libvpx -b:v 100K -t 120 $out -loglevel fatal
+            '';
+        systemPackages = with pkgs.lomiri; [
+          suru-icon-theme
+          lomiri-mediaplayer-app
+        ];
+        variables = {
+          UITK_ICON_THEME = "suru";
+        };
+      };
+
+      i18n.supportedLocales = [ "all" ];
+
+      fonts = {
+        packages = with pkgs; [
+          # Intended font & helps with OCR
+          ubuntu-classic
+        ];
+      };
+    };
+
+  enableOCR = true;
+
+  testScript = ''
+    machine.wait_for_x()
+
+    with subtest("lomiri mediaplayer launches"):
+        machine.succeed("lomiri-mediaplayer-app >&2 &")
+        machine.wait_for_text("Choose from")
+        machine.screenshot("lomiri-mediaplayer_open")
+
+    machine.succeed("pkill -f lomiri-mediaplayer-app")
+
+    with subtest("lomiri mediaplayer plays video"):
+        machine.succeed("lomiri-mediaplayer-app /etc/${videoFile} >&2 &")
+        machine.wait_for_text("${ocrContent}")
+        machine.screenshot("lomiri-mediaplayer_playback")
+
+    machine.succeed("pkill -f lomiri-mediaplayer-app")
+
+    with subtest("lomiri mediaplayer localisation works"):
+        # OCR struggles with finding identifying the translated window title, and lomiri-content-hub QML isn't translated
+        # Cause an error, and look for the error popup
+        machine.succeed("touch invalid.mp4")
+        machine.succeed("env LANG=de_DE.UTF-8 lomiri-mediaplayer-app invalid.mp4 >&2 &")
+        machine.wait_for_text("Fehler")
+        machine.screenshot("lomiri-mediaplayer_localised")
+  '';
+}
diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix
@@ -804,6 +804,38 @@ let
       '';
     };
 
+    mqtt = {
+      exporterConfig = {
+        enable = true;
+        environmentFile = pkgs.writeText "mqtt-exporter-envfile" ''
+          MQTT_PASSWORD=testpassword
+        '';
+      };
+      metricProvider = {
+        services.mosquitto = {
+          enable = true;
+          listeners = [{
+            users.exporter = {
+              acl = [ "read #" ];
+              passwordFile = pkgs.writeText "mosquitto-password" "testpassword";
+            };
+          }];
+        };
+        systemd.services.prometheus-mqtt-exporter ={
+          wants = [ "mosquitto.service" ];
+          after = [ "mosquitto.service" ];
+        };
+      };
+      exporterTest = ''
+        wait_for_unit("mosquitto.service")
+        wait_for_unit("prometheus-mqtt-exporter.service")
+        wait_for_open_port(9000)
+        succeed(
+          "curl -sSf http://localhost:9000/metrics | grep '^python_info'"
+        )
+      '';
+    };
+
     mysqld = {
       exporterConfig = {
         enable = true;

diff --git a/pkgs/applications/editors/vim/plugins/blink-cmp/default.nix b/pkgs/applications/editors/vim/plugins/blink-cmp/default.nix
@@ -7,12 +7,12 @@
   nix-update-script,
 }:
 let
-  version = "0.7.1";
+  version = "0.7.3";
   src = fetchFromGitHub {
     owner = "Saghen";
     repo = "blink.cmp";
     rev = "refs/tags/v${version}";
-    hash = "sha256-IHl+XIldo2kculpbiOuLIJ6RJbFODiRlQU4x8hvE7pI=";
+    hash = "sha256-nxiODLKgGeXzN5sqkLWU0PcsuSSB1scSzTC5qyCxLCI=";
   };
   libExt = if stdenv.hostPlatform.isDarwin then "dylib" else "so";
   blink-fuzzy-lib = rustPlatform.buildRustPackage {

diff --git a/pkgs/applications/graphics/xournalpp/default.nix b/pkgs/applications/graphics/xournalpp/default.nix
@@ -30,13 +30,13 @@
 
 stdenv.mkDerivation rec {
   pname = "xournalpp";
-  version = "1.2.4";
+  version = "1.2.5";
 
   src = fetchFromGitHub {
     owner = "xournalpp";
     repo = "xournalpp";
     rev = "v${version}";
-    hash = "sha256-72e47fVP0c8KioRHUqyEQIUgrLm+xMPE2Mm6+2v7pZk=";
+    hash = "sha256-Hm3NDVELOnwjg6NiV5VBbt/15slHAgOVZLTV3zBMkLI=";
   };
 
   postPatch = ''

diff --git a/pkgs/applications/networking/browsers/palemoon/bin.nix b/pkgs/applications/networking/browsers/palemoon/bin.nix
@@ -20,7 +20,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "palemoon-bin";
-  version = "33.4.1";
+  version = "33.5.0";
 
   src = finalAttrs.passthru.sources."gtk${if withGTK3 then "3" else "2"}";
 
@@ -158,11 +158,11 @@ stdenv.mkDerivation (finalAttrs: {
     in {
       gtk3 = fetchzip {
         urls = urlRegionVariants "gtk3";
-        hash = "sha256-pjOzU8atFNzYujxxoVihn0Cvq4Xvh7U2auSznE29Wpc=";
+        hash = "sha256-TlmDsZKHolTS+y+1BymyY49+AvqUv8zmUXCGNHCRPL0=";
       };
       gtk2 = fetchzip {
         urls = urlRegionVariants "gtk2";
-        hash = "sha256-ikgO0vVTySw3I6gdSu5k2e35xZ95bJY4f18Fjh+c0rA=";
+        hash = "sha256-f6vLHbpmvVfkjZr7x0DiCFoGGvfxHfFZ3KTagq2Mwp4=";
       };
     };