NixOS · Oct 15, 2018 · Oct 19, 2018 · Oct 19, 2018 · Oct 19, 2018 · Oct 19, 2018
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
@@ -266,7 +266,7 @@ let
         (mkIf config.isNormalUser {
           group = mkDefault "users";
           createHome = mkDefault true;
-          home = mkDefault "/home/${name}";
+          home = mkDefault "/home/${config.name}";
           useDefaultShell = mkDefault true;
           isSystemUser = mkDefault false;
         })

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -234,6 +234,7 @@
   ./services/desktops/dleyna-server.nix
   ./services/desktops/flatpak.nix
   ./services/desktops/geoclue2.nix
+  ./services/desktops/gsignond.nix
   ./services/desktops/pipewire.nix
   ./services/desktops/gnome3/at-spi2-core.nix
   ./services/desktops/gnome3/chrome-gnome-shell.nix

diff --git a/nixos/modules/services/desktops/gsignond.nix b/nixos/modules/services/desktops/gsignond.nix
@@ -0,0 +1,43 @@
+# Accounts-SSO gSignOn daemon
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  package = pkgs.gsignond.override { plugins = config.services.gsignond.plugins; };
+in
+{
+
+  ###### interface
+
+  options = {
+
+    services.gsignond = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable gSignOn daemon, a DBus service
+          which performs user authentication on behalf of its clients.
+        '';
+      };
+
+      plugins = mkOption {
+        type = types.listOf types.package;
+        default = [];
+        description = ''
+          What plugins to use with the gSignOn daemon.
+        '';
+      };
+    };
+  };
+
+  ###### implementation
+  config = mkIf config.services.gsignond.enable {
+    environment.etc."gsignond.conf".source = "${package}/etc/gsignond.conf";
+    services.dbus.packages = [ package ];
+  };
+
+}
diff --git a/nixos/modules/services/hardware/trezord.nix b/nixos/modules/services/hardware/trezord.nix
@@ -27,13 +27,13 @@ in {
       destination = "/etc/udev/rules.d/51-trezor.rules";
       text = ''
         # TREZOR v1 (One)
-        SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0666", GROUP="dialout", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
-        KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001",  MODE="0666", GROUP="dialout", TAG+="uaccess", TAG+="udev-acl"
+        SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0660", GROUP="trezord", TAG+="uaccess", SYMLINK+="trezor%n"
+        KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0660", GROUP="trezord", TAG+="uaccess"
 
         # TREZOR v2 (T)
-        SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0661", GROUP="dialout", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
-        SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0666", GROUP="dialout", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"
-        KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", MODE="0666", GROUP="dialout", TAG+="uaccess", TAG+="udev-acl"
+        SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0660", GROUP="trezord", TAG+="uaccess", SYMLINK+="trezor%n"
+        SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0660", GROUP="trezord", TAG+="uaccess", SYMLINK+="trezor%n"
+        KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", MODE="0660", GROUP="trezord", TAG+="uaccess"
       '';
     });
 

diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix
@@ -182,9 +182,10 @@ with lib;
       serviceConfig = rec {
         DynamicUser = true;
         RuntimeDirectory = StateDirectory;
+        RuntimeDirectoryMode = "0750";
         StateDirectory = builtins.baseNameOf dataDir;
         Type = "oneshot";
-        ExecStartPre = "!${lib.getBin pkgs.coreutils}/bin/install -m666 ${cfg.configFile} /run/${RuntimeDirectory}/ddclient.conf";
+        ExecStartPre = "!${lib.getBin pkgs.coreutils}/bin/install -m660 ${cfg.configFile} /run/${RuntimeDirectory}/ddclient.conf";
         ExecStart = "${lib.getBin pkgs.ddclient}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf";
       };
     };

diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
@@ -248,6 +248,14 @@ in {
       </itemizedlist>
     '';
 
+    ppk_id = mkOptionalStrParam ''
+       String identifying the Postquantum Preshared Key (PPK) to be used.
+    '';
+
+    ppk_required = mkYesNoParam no ''
+       Whether a Postquantum Preshared Key (PPK) is required for this connection.
+    '';
+
     keyingtries = mkIntParam 1 ''
       Number of retransmission sequences to perform during initial
       connect. Instead of giving up initiation after the first retransmission
@@ -922,6 +930,36 @@ in {
         <literal>0xffffffff</literal>.
       '';
 
+      set_mark_in = mkStrParam "0/0x00000000" ''
+        Netfilter mark applied to packets after the inbound IPsec SA processed
+        them. This way it's not necessary to mark packets via Netfilter before
+        decryption or right afterwards to match policies or process them
+        differently (e.g. via policy routing).
+
+        An additional mask may be appended to the mark, separated by
+        <literal>/</literal>. The default mask if omitted is 0xffffffff. The
+        special value <literal>%same</literal> uses the value (but not the mask)
+        from <option>mark_in</option> as mark value, which can be fixed,
+        <literal>%unique</literal> or <literal>%unique-dir</literal>.
+
+        Setting marks in XFRM input requires Linux 4.19 or higher.
+      '';
+
+      set_mark_out = mkStrParam "0/0x00000000" ''
+        Netfilter mark applied to packets after the outbound IPsec SA processed
+        them. This allows processing ESP packets differently than the original
+        traffic (e.g. via policy routing).
+
+        An additional mask may be appended to the mark, separated by
+        <literal>/</literal>. The default mask if omitted is 0xffffffff. The
+        special value <literal>%same</literal> uses the value (but not the mask)
+        from <option>mark_out</option> as mark value, which can be fixed,
+        <literal>%unique_</literal> or <literal>%unique-dir</literal>.
+
+        Setting marks in XFRM output is supported since Linux 4.14. Setting a
+        mask requires at least Linux 4.19.
+      '';
+
       tfc_padding = mkParamOfType (with lib.types; either int (enum ["mtu"])) 0 ''
         Pads ESP packets with additional data to have a consistent ESP packet
         size for improved Traffic Flow Confidentiality. The padding defines the
@@ -946,6 +984,33 @@ in {
         supported, but the installation does not fail otherwise.
       '';
 
+      copy_df = mkYesNoParam yes ''
+        Whether to copy the DF bit to the outer IPv4 header in tunnel mode. This
+        effectively disables Path MTU discovery (PMTUD). Controlling this
+        behavior is not supported by all kernel interfaces.
+      '';
+
+      copy_ecn = mkYesNoParam yes ''
+        Whether to copy the ECN (Explicit Congestion Notification) header field
+        to/from the outer IP header in tunnel mode. Controlling this behavior is
+        not supported by all kernel interfaces.
+      '';
+
+      copy_dscp = mkEnumParam [ "out" "in" "yes" "no" ] "out" ''
+        Whether to copy the DSCP (Differentiated Services Field Codepoint)
+        header field to/from the outer IP header in tunnel mode. The value
+        <literal>out</literal> only copies the field from the inner to the outer
+        header, the value <literal>in</literal> does the opposite and only
+        copies the field from the outer to the inner header when decapsulating,
+        the value <literal>yes</literal> copies the field in both directions,
+        and the value <literal>no</literal> disables copying the field
+        altogether. Setting this to <literal>yes</literal> or
+        <literal>in</literal> could allow an attacker to adversely affect other
+        traffic at the receiver, which is why the default is
+        <literal>out</literal>. Controlling this behavior is not supported by
+        all kernel interfaces.
+      '';
+
       start_action = mkEnumParam ["none" "trap" "start"] "none" ''
         Action to perform after loading the configuration.
         <itemizedlist>
@@ -1060,6 +1125,24 @@ in {
       defined in a unique section having the <literal>ike</literal> prefix.
     '';
 
+    ppk = mkPrefixedAttrsOfParams {
+      secret = mkOptionalStrParam ''
+	      Value of the PPK. It may either be an ASCII string, a hex encoded string
+	      if it has a <literal>0x</literal> prefix or a Base64 encoded string if
+	      it has a <literal>0s</literal> prefix in its value. Should have at least
+	      256 bits of entropy for 128-bit security.
+      '';
+
+      id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") ''
+	      PPK identity the PPK belongs to. Multiple unique identities may be
+	      specified, each having an <literal>id</literal> prefix, if a secret is
+	      shared between multiple peers.
+      '';
+    } ''
+	    Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is
+	    defined in a unique section having the <literal>ppk</literal> prefix.
+    '';
+
     private = mkPrefixedAttrsOfParams {
       file = mkOptionalStrParam ''
         File name in the private folder for which this passphrase should be used.

diff --git a/pkgs/applications/audio/pulseeffects/default.nix b/pkgs/applications/audio/pulseeffects/default.nix
@@ -44,13 +44,13 @@ let
   ];
 in stdenv.mkDerivation rec {
   name = "pulseeffects-${version}";
-  version = "4.3.7";
+  version = "4.3.9";
 
   src = fetchFromGitHub {
     owner = "wwmm";
     repo = "pulseeffects";
     rev = "v${version}";
-    sha256 = "1x1jnbpbc9snya9k2xq39gssf0k4lnd1hr4cjrnwscg5rqybxqsk";
+    sha256 = "1vir05hy2n0nk0gaqbn680bx53ixcyi2y0hq4grgm73bbb1jzqq6";
   };
 
   nativeBuildInputs = [

diff --git a/pkgs/applications/display-managers/sddm/default.nix b/pkgs/applications/display-managers/sddm/default.nix
@@ -4,7 +4,7 @@
 }:
 
 let
-  version = "0.17.0";
+  version = "0.18.0";
 
 in mkDerivation rec {
   name = "sddm-${version}";
@@ -13,12 +13,11 @@ in mkDerivation rec {
     owner = "sddm";
     repo = "sddm";
     rev = "v${version}";
-    sha256 = "1m35ly6miwy8ivsln3j1bfv0nxbc4gyqnj7f847zzp53jsqrm3mq";
+    sha256 = "16xnm02iqgy4hydzd6my0widq981glbazbhxnihhclgsaczh8mfq";
   };
 
   patches = [
     ./sddm-ignore-config-mtime.patch
-    ./qt511.patch
   ];
 
   postPatch =

diff --git a/pkgs/applications/display-managers/sddm/qt511.patch b/pkgs/applications/display-managers/sddm/qt511.patch
diff --git a/pkgs/applications/editors/featherpad/default.nix b/pkgs/applications/editors/featherpad/default.nix
@@ -0,0 +1,23 @@
+{ stdenv, fetchurl, pkgconfig, qt5, fetchFromGitHub }:
+
+with qt5;
+
+stdenv.mkDerivation rec {
+  version = "0.9.1";
+  name = "featherpad-${version}";
+  src = fetchFromGitHub {
+    owner = "tsujan";
+    repo = "FeatherPad";
+    rev = "V${version}";
+    sha256 = "053j14f6fw31cdnfr8hqpxw6jh2v65z43qchdsymbrk5zji8gxla";
+  };
+  nativeBuildInputs = [ qmake pkgconfig qttools ];
+  buildInputs = [ qtbase qtsvg qtx11extras ];
+  meta = with stdenv.lib; {
+    description = "Lightweight Qt5 Plain-Text Editor for Linux";
+    homepage = https://github.com/tsujan/FeatherPad;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.flosse ];
+    license = licenses.gpl3;
+  };
+}
diff --git a/pkgs/applications/editors/vim/common.nix b/pkgs/applications/editors/vim/common.nix
@@ -1,12 +1,12 @@
 { lib, fetchFromGitHub }:
 rec {
-  version = "8.1.0450";
+  version = "8.1.0490";
 
   src = fetchFromGitHub {
     owner = "vim";
     repo = "vim";
     rev = "v${version}";
-    sha256 = "1zhggpn4i704apfqn2kqr717kz9dvkjwnbmc3ydza621zjyrnxb2";
+    sha256 = "0gmlz2w066pcrn0jzpv3gk1qwx148f33gvgf5nkfy4nl1ljki81r";
   };
 
   enableParallelBuilding = true;

diff --git a/pkgs/applications/graphics/batik/default.nix b/pkgs/applications/graphics/batik/default.nix
@@ -15,5 +15,11 @@ stdenv.mkDerivation {
     homepage = https://xmlgraphics.apache.org/batik;
     license = licenses.asl20;
     platforms = platforms.unix;
+    knownVulnerabilities = [
+      # vulnerabilities as of 16th October 2018 from https://xmlgraphics.apache.org/security.html:
+      "CVE-2018-8013"
+      "CVE-2017-5662"
+      "CVE-2015-0250"
+    ];
   };
 }
diff --git a/pkgs/applications/misc/dmrconfig/default.nix b/pkgs/applications/misc/dmrconfig/default.nix
@@ -0,0 +1,37 @@
+{ stdenv, fetchFromGitHub
+, libusb1, systemd }:
+
+stdenv.mkDerivation rec {
+  name = "dmrconfig-${version}";
+  version = "2018-10-20";
+
+  src = fetchFromGitHub {
+    owner = "sergev";
+    repo = "dmrconfig";
+    rev = "a4c5f893d2749727493427320c7f01768966ba51";
+    sha256 = "0h7hv6fv6v5g922nvgrb0w7hsqbhaw7xmdc6vydh2p3l7sp31vg2";
+  };
+
+  buildInputs = [
+    libusb1 systemd
+  ];
+
+  preConfigure = ''
+    substituteInPlace Makefile --replace /usr/local/bin/dmrconfig $out/bin/dmrconfig
+  '';
+
+  preInstall = ''
+    mkdir -p $out/bin
+  '';
+
+  meta = with stdenv.lib; {
+    description = "Configuration utility for DMR radios";
+    longDescription = ''
+      DMRconfig is a utility for programming digital radios via USB programming cable.
+    '';
+    homepage = https://github.com/sergev/dmrconfig;
+    license = licenses.asl20;
+    maintainers = [ maintainers.etu ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/applications/misc/kiwix/default.nix b/pkgs/applications/misc/kiwix/default.nix
@@ -103,5 +103,8 @@ stdenv.mkDerivation rec {
     license = licenses.gpl3;
     platforms = platforms.linux;
     maintainers = with maintainers; [ robbinch ];
+    knownVulnerabilities = [
+      "CVE-2015-1032"
+    ];
   };
 }
diff --git a/pkgs/applications/misc/soapysdr/default.nix b/pkgs/applications/misc/soapysdr/default.nix
@@ -6,7 +6,7 @@
 } :
 
 let
-  version = "0.6.1";
+  version = "0.7.0";
 
 in stdenv.mkDerivation {
   name = "soapysdr-${version}";
@@ -15,7 +15,7 @@ in stdenv.mkDerivation {
     owner = "pothosware";
     repo = "SoapySDR";
     rev = "soapy-sdr-${version}";
-    sha256 = "1azbb2j6dv0b2dd5ks6yqd31j17sdhi9p82czwc8zy2isymax0l9";
+    sha256 = "14fjwnfj7jz9ixvim2gy4f52y6s7d4xggzxn2ck7g4q35d879x13";
   };
 
   nativeBuildInputs = [ cmake pkgconfig ];