Merge master into staging-next

Author: nixpkgs-ci[bot]

maintainers/maintainer-list.nix

@@ -1903,6 +1903,12 @@
     matrix = "@schuelermine:matrix.org";
     keys = [ { fingerprint = "CDBF ECA8 36FE E340 1CEB  58FF BA34 EE1A BA3A 0955"; } ];
   }; # currently on hiatus, please do not ping until this notice is removed (or if it’s been like two years)
+  anstylian = {
+    email = "agathangelos.stylianidis@gmail.com";
+    github = "anstylian";
+    githubId = 11269403;
+    name = "Angelos Stylinidis";
+  };
   anthonyroussel = {
     email = "anthony@roussel.dev";
     github = "anthonyroussel";
@@ -10815,7 +10821,7 @@
   };
   husjon = {
     name = "Jon Erling Hustadnes";
-    email = "jonerling.hustadnes+nixpkgs@gmail.com";
+    email = "jonerling.hustadnes+nixpkgs@proton.me";
     github = "husjon";
     githubId = 554229;
   };
@@ -14534,6 +14540,12 @@
     github = "juuyokka";
     githubId = 15185244;
   };
+  Ladas552 = {
+    email = "l.tokshalov@gmail.com";
+    github = "Ladas552";
+    githubId = 94762349;
+    name = "Ladas552";
+  };
   lafrenierejm = {
     email = "joseph@lafreniere.xyz";
     github = "lafrenierejm";

nixos/doc/manual/redirects.json

@@ -76,6 +76,18 @@
   "module-services-tandoor-recipes-migrating-media-option-disallow-access": [
     "index.html#module-services-tandoor-recipes-migrating-media-option-disallow-access"
   ],
+  "module-virtualisation-xen": [
+    "index.html#module-virtualisation-xen"
+  ],
+  "module-virtualisation-xen-installation-dom0": [
+    "index.html#module-virtualisation-xen-installation-dom0"
+  ],
+  "module-virtualisation-xen-installation-domU": [
+    "index.html#module-virtualisation-xen-installation-domU"
+  ],
+  "module-virtualisation-xen-introduction": [
+    "index.html#module-virtualisation-xen-introduction"
+  ],
   "sec-override-nixos-test": [
     "index.html#sec-override-nixos-test"
   ],

nixos/doc/manual/release-notes/rl-2605.section.md

@@ -133,6 +133,8 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
 
 - Cinnamon has been updated to 6.6, please check the [upstream announcement](https://www.linuxmint.com/rel_zena_whatsnew.php) for more details.
 
+- Budgie has been updated to 10.10, please check the [upstream announcement](https://buddiesofbudgie.org/blog/budgie-10-10-released) for more details.
+
 - `services.frp` now supports multiple instances through `services.frp.instances` to make it possible to run multiple frp clients or servers at the same time.
 
 - `hyphen` now supports over 40 language variants through `hyphenDicts` and now allows to enable all supported languages through `hyphenDicts.all`.

nixos/modules/services/desktop-managers/budgie.nix

@@ -156,15 +156,19 @@ in
       fi
     '';
 
+    # https://docs.buddiesofbudgie.org/10.10/developer/workflow/building-budgie-desktop/#compositor-recommendations
+    programs.labwc.enable = mkDefault true;
+    programs.gtklock.enable = mkDefault true;
+
     environment.systemPackages =
       with pkgs;
       [
         # Budgie Desktop.
         budgie-backgrounds
         budgie-control-center'
+        budgie-desktop-services
         (budgie-desktop-with-plugins.override { plugins = cfg.extraPlugins; })
         budgie-desktop-view
-        budgie-screensaver
         budgie-session
 
         # Required by Budgie Menu.
@@ -190,6 +194,17 @@ in
         mate.mate-system-monitor
         vlc
 
+        # Supplemental tooling.
+        # See budgie-desktop's with-runtime-dependencies meson option.
+        gammastep
+        grim
+        killall
+        slurp
+        swaybg
+        swayidle
+        wdisplays
+        wlopm
+
         # Desktop themes.
         qogir-theme
         qogir-icon-theme
@@ -224,9 +239,6 @@ in
     services.xserver.updateDbusEnvironment = true;
     programs.dconf.enable = true;
 
-    # Required by Budgie Screensaver.
-    security.pam.services.budgie-screensaver = { };
-
     # Required by Budgie's Polkit Dialog.
     security.polkit.enable = mkDefault true;
 
@@ -240,6 +252,7 @@ in
     xdg.portal.enable = mkDefault true; # for BCC's Applications panel.
     xdg.portal.extraPortals = with pkgs; [
       xdg-desktop-portal-gtk # provides a XDG Portals implementation.
+      xdg-desktop-portal-wlr # for screenshot and screencast.
     ];
     xdg.portal.configPackages = mkDefault [ pkgs.budgie-desktop ];
 
@@ -274,11 +287,7 @@ in
     # Register packages for DBus.
     services.dbus.packages = [
       budgie-control-center'
-    ];
-
-    # Register packages for udev.
-    services.udev.packages = with pkgs; [
-      magpie
+      pkgs.budgie-desktop-services
     ];
 
     # Shell integration for MATE Terminal.

nixos/modules/services/networking/sabnzbd/default.nix

@@ -13,7 +13,6 @@ let
     mkOptionDefault
     mkIf
     literalExpression
-    optionalString
     types
     ;
   inherit (lib.generators)
@@ -79,7 +78,6 @@ let
       mkSection = (
         depth: attrs:
         let
-          atoms = extractAtoms attrs;
           sections = extractSections attrs;
           sectionHeadingLeft = lib.concatStrings (lib.replicate (depth + 1) "[");
           sectionHeadingRight = lib.concatStrings (lib.replicate (depth + 1) "]");
@@ -103,7 +101,8 @@ let
     else
       (configObjIni { }).generate "public-settings.ini" allSettings;
 
-  sabnzbdIniPath = "/var/lib/${cfg.stateDir}/sabnzbd.ini";
+  sabnzbdIniPath =
+    if cfg.configFile != null then cfg.configFile else "/var/lib/${cfg.stateDir}/sabnzbd.ini";
 in
 
 {
@@ -115,8 +114,12 @@ in
 
       configFile = mkOption {
         type = types.nullOr types.path;
-        default = null;
-        description = "Path to config file (deprecated, use `settings` instead)";
+        default =
+          if lib.versionOlder config.system.stateVersion "26.05" then
+            "/var/lib/sabnzbd/sabnzbd.ini"
+          else
+            null;
+        description = "Path to config file (deprecated, use `settings` instead and set this value to null)";
       };
 
       stateDir = mkOption {
@@ -511,7 +514,10 @@ in
     systemd.services.sabnzbd =
       let
         files =
-          (lib.optional cfg.allowConfigWrite sabnzbdIniPath) ++ [ publicSettingsIni ] ++ cfg.secretFiles;
+          if cfg.configFile != null then
+            [ sabnzbdIniPath ]
+          else
+            (lib.optional cfg.allowConfigWrite sabnzbdIniPath) ++ [ publicSettingsIni ] ++ cfg.secretFiles;
         iniPathQuoted = lib.escapeShellArg sabnzbdIniPath;
       in
       {
@@ -531,11 +537,20 @@ in
 
           ${lib.toShellVar "files" files}
 
+          tmpfile=$(mktemp)
+
           ${lib.getExe (pkgs.python3.withPackages (py: [ py.configobj ]))} \
             ${./config_merge.py} \
-            "''${files[@]}" | \
-          install -D -m ${if cfg.allowConfigWrite then "600" else "400"} \
-            -o '${cfg.user}' -g '${cfg.group}' /dev/stdin ${iniPathQuoted}
+            "''${files[@]}" \
+            > "$tmpfile"
+
+          install -D \
+            -m ${if cfg.allowConfigWrite then "600" else "400"} \
+            -o '${cfg.user}' -g '${cfg.group}' \
+            "$tmpfile" \
+            ${iniPathQuoted}
+
+          rm "$tmpfile"
         '';
       };
 

nixos/modules/services/system/userborn.nix

@@ -38,6 +38,7 @@ let
   userbornStaticFiles =
     pkgs.runCommand "static-userborn" { }
       "mkdir -p $out; ${lib.getExe cfg.package} ${userbornConfigJson} $out";
+  previousConfigPath = "/var/lib/userborn/previous-userborn.json";
 
   immutableEtc = config.system.etc.overlay.enable && !config.system.etc.overlay.mutable;
   # The filenames created by userborn.
@@ -155,6 +156,10 @@ in
         # This way we don't have to re-declare all the dependencies to other
         # services again.
         aliases = [ "systemd-sysusers.service" ];
+        environment = {
+          USERBORN_MUTABLE_USERS = lib.boolToString userCfg.mutableUsers;
+          USERBORN_PREVIOUS_CONFIG = lib.mkIf userCfg.mutableUsers previousConfigPath;
+        };
 
         unitConfig = {
           Description = "Manage Users and Groups";
@@ -165,6 +170,7 @@ in
           Type = "oneshot";
           RemainAfterExit = true;
           TimeoutSec = "90s";
+          StateDirectory = "userborn";
 
           ExecStart = "${lib.getExe cfg.package} ${userbornConfigJson} ${cfg.passwordFilesLocation}";
 
@@ -179,13 +185,18 @@ in
             ))
           ];
 
-          # Make the source files read-only after userborn has finished.
-          ExecStartPost = lib.mkIf (!userCfg.mutableUsers) (
-            lib.map (
-              file:
-              "${pkgs.util-linux}/bin/mount --bind -o ro ${cfg.passwordFilesLocation}/${file} ${cfg.passwordFilesLocation}/${file}"
-            ) passwordFiles
-          );
+          ExecStartPost =
+            if userCfg.mutableUsers then
+              # Store the config somewhere for the next invocation
+              [
+                "${pkgs.coreutils}/bin/ln -sf ${userbornConfigJson} ${previousConfigPath}"
+              ]
+            else
+              # Make the source files read-only after userborn has finished.
+              (lib.map (
+                file:
+                "${pkgs.util-linux}/bin/mount --bind -o ro ${cfg.passwordFilesLocation}/${file} ${cfg.passwordFilesLocation}/${file}"
+              ) passwordFiles);
         };
       };
     };

nixos/modules/virtualisation/xen-dom0.nix

@@ -935,5 +935,8 @@ in
       };
     };
   };
-  meta.maintainers = teams.xen.members;
+  meta = {
+    doc = ./xen.md;
+    maintainers = teams.xen.members;
+  };
 }

nixos/modules/virtualisation/xen.md

@@ -0,0 +1,62 @@
+# Xen Project Hypervisor {#module-virtualisation-xen}
+
+## Introduction {#module-virtualisation-xen-introduction}
+
+The [**Xen Project Hypervisor**](https://xenproject.org/) is an open-source
+type-1 virtual machine manager which allows multiple virtual machines, known as
+*domains*, to run concurrently with the host on the physical machine. This is
+unlike a typical type-2 hypervisor, such as QEMU, where the virtual machines run
+as applications on top of the host. NixOS runs as the privileged *Domain 0*, and
+can paravirtualise (PV Mode) or fully virtualise (HVM Mode) unprivileged domains
+(`domUs`).
+
+Xen is security-supported in NixOS. All
+[Xen Security Advisories](https://xenbits.xenproject.org/xsa) are patched within
+hours of release, and generally reach the binary cache channels within a couple
+of days.
+
+## Domain 0 Installation {#module-virtualisation-xen-installation-dom0}
+
+Xen may be used as a Domain 0 since
+[NixOS 24.11](#sec-release-24.11-highlights), using the
+{option}`virtualisation.xen.enable` option. There are various hardware and
+software requirements to running a Xen Domain 0; the module is configured to
+prevent running Xen on a NixOS system that does not meet the software
+requirements. (i.e. a NixOS system that uses the legacy, scripted initial
+ramdisk.) The module does not yet check if the hardware requirements are met:
+please manually ensure that the target machine supports
+[SLAT](Second_Level_Address_Translation) and
+[IOMMU](https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit),
+the latter being required only for non-PV domains to be virtualised.
+
+The boot menu on a Xen-enabled NixOS system will show duplicate entries for each
+generation: one boots a normal NixOS system, and the other boots into the Xen
+Project Hypervisor. The [`systemd-boot`](#opt-boot.loader.systemd-boot.enable)
+and [Limine](#opt-boot.loader.limine.enable) bootloaders are the only supported
+boot methods at this time.
+
+Xen may be managed through various frontend configuration systems. `libxenlight`
+is one such configuration system, and is built into all Xen systems. The `xl`
+command is the primary command-line interface to `libxenlight`, and is capable
+of managing a NixOS Domain 0.
+
+## Unprivileged Domain Installation {#module-virtualisation-xen-installation-domU}
+
+Known generically as guests, unprivileged domains running NixOS may import the
+[`xen-domU.nix`](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/xen-domU.nix)
+profile in their configurations to automatically enable various recommended
+optimisations which are relevant for unprivileged domains.
+
+:::{.example}
+
+# Import the Xen Unprivileged Domain profile into a NixOS configuration
+
+```nix
+{
+  imports = [
+    <nixpkgs/nixos/modules/virtualisation/xen-domU.nix>
+  ];
+}
+```
+
+:::