Merge master into staging-next

maintainers/maintainer-list.nix

@@ -17189,6 +17189,12 @@
     githubId = 7820716;
     name = "orthros";
   };
+  osbm = {
+    email = "[email protected]";
+    github = "osbm";
+    githubId = 74963545;
+    name = "Osman Bayram";
+  };
   osener = {
     email = "[email protected]";
     github = "ozanmakes";

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -69,6 +69,8 @@
 
 - [crab-hole](https://github.com/LuckyTurtleDev/crab-hole), a cross platform Pi-hole clone written in Rust using hickory-dns/trust-dns. Available as [services.crab-hole](#opt-services.crab-hole.enable).
 
+- [zwave-js-ui](https://zwave-js.github.io/zwave-js-ui/), a full featured Z-Wave Control Panel and MQTT Gateway. Available as [services.zwave-js-ui](#opt-services.zwave-js-ui.enable).
+
 - [Amazon CloudWatch Agent](https://github.com/aws/amazon-cloudwatch-agent), the official telemetry collector for AWS CloudWatch and AWS X-Ray. Available as [services.amazon-cloudwatch-agent](options.html#opt-services.amazon-cloudwatch-agent.enable).
 
 - [Bat](https://github.com/sharkdp/bat), a {manpage}`cat(1)` clone with wings. Available as [programs.bat](options.html#opt-programs.bat).
@@ -115,6 +117,8 @@
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
+- `ast-grep` remove `sg` command to prevent conflict with `sg` command from shadow-utils. If you need legacy sg command compatibility with old code, you can use `ast-grep.override { enableLegacySg = true; }`
+
 - `binwalk` was updated to 3.1.0, which has been rewritten in rust. The python module is no longer available.
   See the release notes of [3.1.0](https://github.com/ReFirmLabs/binwalk/releases/tag/v3.1.0) for more information.
 

nixos/modules/module-list.nix

@@ -668,6 +668,7 @@
   ./services/home-automation/wyoming/satellite.nix
   ./services/home-automation/zigbee2mqtt.nix
   ./services/home-automation/zwave-js.nix
+  ./services/home-automation/zwave-js-ui.nix
   ./services/logging/SystemdJournal2Gelf.nix
   ./services/logging/awstats.nix
   ./services/logging/filebeat.nix

nixos/modules/services/home-automation/zwave-js-ui.nix

@@ -0,0 +1,120 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib)
+    getExe
+    mkIf
+    mkEnableOption
+    mkOption
+    mkPackageOption
+    types
+    ;
+  cfg = config.services.zwave-js-ui;
+in
+{
+  options.services.zwave-js-ui = {
+    enable = mkEnableOption "zwave-js-ui";
+
+    package = mkPackageOption pkgs "zwave-js-ui" { };
+
+    serialPort = mkOption {
+      type = types.path;
+      description = ''
+        Serial port for the Z-Wave controller.
+
+        Only used to grant permissions to the device; must be additionally configured in the application
+      '';
+      example = "/dev/serial/by-id/usb-example";
+    };
+
+    settings = mkOption {
+      type = types.submodule {
+        freeformType =
+          with types;
+          attrsOf (
+            nullOr (oneOf [
+              str
+              path
+              package
+            ])
+          );
+
+        options = {
+          STORE_DIR = mkOption {
+            type = types.str;
+            default = "%S/zwave-js-ui";
+            visible = false;
+            readOnly = true;
+          };
+
+          ZWAVEJS_EXTERNAL_CONFIG = mkOption {
+            type = types.str;
+            default = "%S/zwave-js-ui/.config-db";
+            visible = false;
+            readOnly = true;
+          };
+        };
+      };
+
+      description = ''
+        Extra environment variables passed to the zwave-js-ui process.
+
+        Check <https://zwave-js.github.io/zwave-js-ui/#/guide/env-vars> for possible options
+      '';
+      example = {
+        HOST = "::";
+        PORT = "8091";
+      };
+    };
+  };
+  config = mkIf cfg.enable {
+    systemd.services.zwave-js-ui = {
+      environment = cfg.settings;
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = getExe cfg.package;
+        RuntimeDirectory = "zwave-js-ui";
+        StateDirectory = "zwave-js-ui";
+        RootDirectory = "%t/zwave-js-ui";
+        BindReadOnlyPaths = [
+          "/nix/store"
+        ];
+        DeviceAllow = [ cfg.serialPort ];
+        DynamicUser = true;
+        SupplementaryGroups = [ "dialout" ];
+        CapabilityBoundingSet = [ "" ];
+        RestrictAddressFamilies = "AF_INET AF_INET6";
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = false;
+        NoNewPrivileges = true;
+        PrivateUsers = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernalTunables = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        RemoveIPC = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service @pkey"
+          "~@privileged @resources"
+        ];
+        UMask = "0077";
+      };
+    };
+  };
+  meta.maintainers = with lib.maintainers; [ cdombroski ];
+}

nixos/modules/services/networking/headscale.nix

@@ -559,16 +559,6 @@ in
 
   config = lib.mkIf cfg.enable {
     assertions = [
-      {
-        # This is stricter than it needs to be but is exactly what upstream does:
-        # https://github.com/kradalby/headscale/blob/adc084f20f843d7963c999764fa83939668d2d2c/hscontrol/types/config.go#L799
-        assertion =
-          with cfg.settings;
-          dns.use_username_in_magic_dns or false
-          || dns.base_domain == ""
-          || !lib.hasInfix dns.base_domain server_url;
-        message = "server_url cannot contain the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node.";
-      }
       {
         assertion = with cfg.settings; dns.magic_dns -> dns.base_domain != "";
         message = "dns.base_domain must be set when using MagicDNS";

nixos/tests/all-tests.nix

@@ -1204,4 +1204,5 @@ in {
   zrepl = handleTest ./zrepl.nix {};
   zsh-history = handleTest ./zsh-history.nix {};
   zwave-js = handleTest ./zwave-js.nix {};
+  zwave-js-ui = handleTest ./zwave-js-ui.nix {};
 }

nixos/tests/zwave-js-ui.nix

@@ -0,0 +1,31 @@
+import ./make-test-python.nix (
+  { lib, ... }:
+  {
+    name = "zwave-js-ui";
+    meta.maintainers = with lib.maintainers; [ cdombroski ];
+
+    nodes = {
+      machine =
+        { ... }:
+        {
+          services.zwave-js-ui = {
+            enable = true;
+            serialPort = "/dev/null";
+            settings = {
+              HOST = "::";
+              PORT = "9999";
+            };
+          };
+        };
+    };
+
+    testScript = ''
+      start_all()
+
+      machine.wait_for_unit("zwave-js-ui.service")
+      machine.wait_for_open_port(9999)
+      machine.wait_until_succeeds("journalctl --since -1m --unit zwave-js-ui --grep 'Listening on port 9999host :: protocol HTTP'")
+      machine.wait_for_file("/var/lib/zwave-js-ui/nodes.json")
+    '';
+  }
+)

pkgs/applications/networking/browsers/firefox/wrapper.nix

@@ -180,7 +180,8 @@ let
       #                           #
       #############################
 
-    in stdenv.mkDerivation {
+    in stdenv.mkDerivation (finalAttrs: {
+      __structuredAttrs = true;
       inherit pname version;
 
       desktopItem = makeDesktopItem ({
@@ -245,6 +246,62 @@ let
       nativeBuildInputs = [ makeWrapper lndir jq ];
       buildInputs = [ browser.gtk3 ];
 
+      makeWrapperArgs = [
+        "--prefix"
+        "LD_LIBRARY_PATH"
+        ":"
+        "${finalAttrs.libs}"
+
+        "--suffix"
+        "GTK_PATH"
+        ":"
+        "${lib.concatStringsSep ":" finalAttrs.gtk_modules}"
+
+        "--suffix" "PATH"
+        ":"
+        "${placeholder "out"}/bin"
+
+        "--set"
+        "MOZ_APP_LAUNCHER"
+        launcherName
+
+        "--set"
+        "MOZ_LEGACY_PROFILES"
+        "1"
+
+        "--set"
+        "MOZ_ALLOW_DOWNGRADE"
+        "1"
+
+        "--suffix"
+        "XDG_DATA_DIRS"
+        ":"
+        "${adwaita-icon-theme}/share"
+
+        "--set-default"
+        "MOZ_ENABLE_WAYLAND"
+        "1"
+
+      ] ++ lib.optionals (!xdg-utils.meta.broken) [
+        # make xdg-open overrideable at runtime
+        "--suffix"
+        "PATH"
+        ":"
+        "${lib.makeBinPath [ xdg-utils ]}"
+
+      ] ++ lib.optionals hasMozSystemDirPatch [
+        "--set"
+        "MOZ_SYSTEM_DIR"
+        "${placeholder "out"}/lib/mozilla"
+
+      ] ++ lib.optionals (!hasMozSystemDirPatch && allNativeMessagingHosts != [ ]) [
+        "--run"
+        ''mkdir -p ''${MOZ_HOME:-~/.mozilla}/native-messaging-hosts''
+
+      ] ++ lib.optionals (!hasMozSystemDirPatch) (lib.concatMap (ext: [
+        "--run"
+        ''ln -sfLt ''${MOZ_HOME:-~/.mozilla}/native-messaging-hosts ${ext}/lib/mozilla/native-messaging-hosts/*''
+      ]) allNativeMessagingHosts);
 
       buildCommand = ''
         if [ ! -x "${browser}/bin/${applicationName}" ]
@@ -313,27 +370,9 @@ let
           mv "$executablePath" "$oldExe"
         fi
 
-        # make xdg-open overrideable at runtime
-        makeWrapper "$oldExe" \
-          "''${executablePath}${nameSuffix}" \
-            --prefix LD_LIBRARY_PATH ':' "$libs" \
-            --suffix-each GTK_PATH ':' "$gtk_modules" \
-            ${lib.optionalString (!xdg-utils.meta.broken) "--suffix PATH ':' \"${xdg-utils}/bin\""} \
-            --suffix PATH ':' "$out/bin" \
-            --set MOZ_APP_LAUNCHER "${launcherName}" \
-        '' + lib.optionalString hasMozSystemDirPatch ''
-            --set MOZ_SYSTEM_DIR "$out/lib/mozilla" \
-        '' + ''
-            --set MOZ_LEGACY_PROFILES 1 \
-            --set MOZ_ALLOW_DOWNGRADE 1 \
-            --prefix XDG_DATA_DIRS : "$GSETTINGS_SCHEMAS_PATH" \
-            --suffix XDG_DATA_DIRS : '${adwaita-icon-theme}/share' \
-            --set-default MOZ_ENABLE_WAYLAND 1 \
-        '' + lib.optionalString (!hasMozSystemDirPatch) ''
-            ${lib.optionalString (allNativeMessagingHosts != []) "--run \"mkdir -p \\\${MOZ_HOME:-~/.mozilla}/native-messaging-hosts\""} \
-            ${lib.concatMapStringsSep " " (ext: "--run \"ln -sfLt \\\${MOZ_HOME:-~/.mozilla}/native-messaging-hosts ${ext}/lib/mozilla/native-messaging-hosts/*\"") allNativeMessagingHosts} \
-        '' + ''
-            "''${oldWrapperArgs[@]}"
+        appendToVar makeWrapperArgs --prefix XDG_DATA_DIRS : "$GSETTINGS_SCHEMAS_PATH"
+        concatTo makeWrapperArgs oldWrapperArgs
+        makeWrapper "$oldExe" "''${executablePath}${nameSuffix}" ''${makeWrapperArgs[@]}
         #############################
         #                           #
         #   END EXTRA PREF CHANGES  #
@@ -431,5 +470,5 @@ let
         hydraPlatforms = [];
         priority = (browser.meta.priority or lib.meta.defaultPriority) - 1; # prefer wrapper over the package
       };
-    };
+    });
 in lib.makeOverridable wrapper

pkgs/applications/networking/cluster/helm/plugins/helm-diff.nix

@@ -6,16 +6,16 @@
 
 buildGoModule rec {
   pname = "helm-diff";
-  version = "3.9.13";
+  version = "3.9.14";
 
   src = fetchFromGitHub {
     owner = "databus23";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-676xMnedfGF3aVub78eQo2KYJgJLxKg9g3Nm6D9lYA0=";
+    hash = "sha256-9YXsbxcth6v+4OW2nJjRK47dR4b8fn5izvjLfGeS5qI=";
   };
 
-  vendorHash = "sha256-qfdxEXiNJlaJPzpwY4GY+mYZAxjkMJyZO8PgcqJCPos=";
+  vendorHash = "sha256-pn5ipX2kXuR2tHO2LE5m34xJLpB7R6jLYW+KALSPgxo=";
 
   ldflags = [
     "-s"

pkgs/applications/networking/cluster/rke2/latest/versions.nix

@@ -1,14 +1,14 @@
 {
-  rke2Version = "1.31.1+rke2r1";
-  rke2Commit = "909d20d6a28cd7656b7177190f06f69f57927613";
-  rke2TarballHash = "sha256-9ZryOX6QMNpjDtsOXLOVNPjCc6AMAa+XDLOn1EpyCcg=";
-  rke2VendorHash = "sha256-7nWbWi4oJTOWZ5iZr9ptECDJJakPg4qZ7hW+tU7LBsI=";
-  k8sVersion = "v1.31.1";
-  k8sImageTag = "v1.31.1-rke2r1-build20240912";
-  etcdVersion = "v3.5.13-k3s1-build20240910";
+  rke2Version = "1.32.0+rke2r1";
+  rke2Commit = "1182e7eb91b27b1686e69306eb2e227928a27a38";
+  rke2TarballHash = "sha256-mmHQxiNcfgZTTdYPJPO7WTIlaCRM4CWsWwfRUcAR8ho=";
+  rke2VendorHash = "sha256-6Y3paEQJ8yHzONqalzoe15TjWhF3zGsM92LS1AcJ2GM=";
+  k8sVersion = "v1.32.0";
+  k8sImageTag = "v1.32.0-rke2r1-build20241212";
+  etcdVersion = "v3.5.16-k3s1-build20241106";
   pauseVersion = "3.6";
-  ccmVersion = "v1.31.0-build20240910";
-  dockerizedVersion = "v1.31.1-rke2r1";
-  golangVersion = "go1.22.6";
-  eol = "2025-10-28";
+  ccmVersion = "v1.32.0-rc3.0.20241220224140-68fbd1a6b543-build20250101";
+  dockerizedVersion = "v1.32.0-rke2r1";
+  golangVersion = "go1.23.3";
+  eol = "2026-02-28";
 }

pkgs/applications/networking/cluster/rke2/stable/versions.nix

@@ -1,14 +1,14 @@
 {
-  rke2Version = "1.30.5+rke2r1";
-  rke2Commit = "0c83bc82315cd61664880d0b52a7e070e9fbd623";
-  rke2TarballHash = "sha256-K5e7TNlL97PQ13IYnr4PSrXb4XaGJT9bPq55iWL0m1g=";
-  rke2VendorHash = "sha256-QIcVyWnedKNF10OqJ2WmZqZeKA+8hvwDQ4Pl+WUOEJY=";
-  k8sVersion = "v1.30.5";
-  k8sImageTag = "v1.30.5-rke2r1-build20240912";
-  etcdVersion = "v3.5.13-k3s1-build20240910";
+  rke2Version = "1.31.4+rke2r1";
+  rke2Commit = "5142beec71f7a61804840df5b434c2fd7137ce82";
+  rke2TarballHash = "sha256-Lebi3a7kNA9IQCVVkYfUoGEeEiLScqpOx1aTCFElDvw=";
+  rke2VendorHash = "sha256-DGmu1vFNcu1O2wuEwRZRBTL/TP2lJ9ggQ2M/Ix+jknM=";
+  k8sVersion = "v1.31.4";
+  k8sImageTag = "v1.31.4-rke2r1-build20241212";
+  etcdVersion = "v3.5.16-k3s1-build20241106";
   pauseVersion = "3.6";
-  ccmVersion = "v1.30.4-build20240910";
-  dockerizedVersion = "v1.30.5-rke2r1";
-  golangVersion = "go1.22.6";
-  eol = "2025-06-28";
+  ccmVersion = "v1.31.2-0.20241016053446-0955fa330f90-build20241016";
+  dockerizedVersion = "v1.31.4-rke2r1";
+  golangVersion = "go1.22.9";
+  eol = "2025-10-28";
 }