commit
44f6a02f39
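--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,138 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.services.endlessh-go;
+in
+{
+options.services.endlessh-go = {
+enable = mkEnableOption (mdDoc "endlessh-go service");
+
+listenAddress = mkOption {
+type = types.str;
+default = "0.0.0.0";
+example = "[::]";
+description = mdDoc ''
+Interface address to bind the endlessh-go daemon to SSH connections.
+'';
+};
+
+port = mkOption {
+type = types.port;
+default = 2222;
+example = 22;
+description = mdDoc ''
+Specifies on which port the endlessh-go daemon listens for SSH
+connections.
+
+Setting this to `22` may conflict with {option}`services.openssh`.
+'';
+};
+
+prometheus = {
+enable = mkEnableOption (mdDoc "Prometheus integration");
+
+listenAddress = mkOption {
+type = types.str;
+default = "0.0.0.0";
+example = "[::]";
+description = mdDoc ''
+Interface address to bind the endlessh-go daemon to answer Prometheus
+queries.
+'';
+};
+
+port = mkOption {
+type = types.port;
+default = 2112;
+example = 9119;
+description = mdDoc ''
+Specifies on which port the endlessh-go daemon listens for Prometheus
+queries.
+'';
+};
+};
+
+extraOptions = mkOption {
+type = with types; listOf str;
+default = [ ];
+example = [ "-conn_type=tcp4" "-max_clients=8192" ];
+description = mdDoc ''
+Additional command line options to pass to the endlessh-go daemon.
+'';
+};
+
+openFirewall = mkOption {
+type = types.bool;
+default = false;
+description = lib.mdDoc ''
+Whether to open a firewall port for the SSH listener.
+'';
+};
+};
+
+config = mkIf cfg.enable {
+systemd.services.endlessh-go = {
+description = "SSH tarpit";
+requires = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig =
+let
+needsPrivileges = cfg.port < 1024 || cfg.prometheus.port < 1024;
+capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ];
+rootDirectory = "/run/endlessh-go";
+in
+{
+Restart = "always";
+ExecStart = with cfg; concatStringsSep " " ([
+"${pkgs.endlessh-go}/bin/endlessh-go"
+"-logtostderr"
+"-host=${listenAddress}"
+"-port=${toString port}"
+] ++ optionals prometheus.enable [
+"-enable_prometheus"
+"-prometheus_host=${prometheus.listenAddress}"
+"-prometheus_port=${toString prometheus.port}"
+] ++ extraOptions);
+DynamicUser = true;
+RootDirectory = rootDirectory;
+BindReadOnlyPaths = [ builtins.storeDir ];
+InaccessiblePaths = [ "-+${rootDirectory}" ];
+RuntimeDirectory = baseNameOf rootDirectory;
+RuntimeDirectoryMode = "700";
+AmbientCapabilities = capabilities;
+CapabilityBoundingSet = capabilities;
+UMask = "0077";
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+PrivateTmp = true;
+PrivateUsers = !needsPrivileges;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectSystem = "strict";
+ProtectProc = "noaccess";
+ProcSubset = "pid";
+RemoveIPC = true;
+RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
+};
+};
+
+networking.firewall.allowedTCPPorts = with cfg;
+optionals openFirewall [ port prometheus.port ];
+};
+
+meta.maintainers = with maintainers; [ azahi ];
+}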
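Review bot: `networking.firewall.allowedTCPPorts` at the end of the module opens `prometheus.port` together with `port`, while the `openFirewall` description promises only "a firewall port for the SSH listener"; the metrics endpoint, which defaults to binding `0.0.0.0`, therefore becomes network-reachable whenever the tarpit is exposed, and its port is opened even when `prometheus.enable` is false. Either narrow it to `optionals openFirewall ([ port ] ++ optionals prometheus.enable [ prometheus.port ])` and say so in the description, or add a separate `prometheus.openFirewall` option. Relatedly, `needsPrivileges` in `serviceConfig` consults `cfg.prometheus.port` regardless of `prometheus.enable`, so a low `prometheus.port` on a disabled exporter still grants `CAP_NET_BIND_SERVICE` and turns off `PrivateUsers`; `cfg.port < 1024 || (cfg.prometheus.enable && cfg.prometheus.port < 1024)` keeps the privilege grant tied to an actual listener. The unit also sets `requires = [ "network.target" ]` without a matching `after`, so no start ordering is actually enforced.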
@ -0,0 +1,58 @@ |
||||
import ./make-test-python.nix ({ lib, pkgs, ... }: |
||||
{ |
||||
name = "endlessh-go"; |
||||
meta.maintainers = with lib.maintainers; [ azahi ]; |
||||
|
||||
nodes = { |
||||
server = { ... }: { |
||||
services.endlessh-go = { |
||||
enable = true; |
||||
prometheus.enable = true; |
||||
openFirewall = true; |
||||
}; |
||||
|
||||
specialisation = { |
||||
unprivileged.configuration = { |
||||
services.endlessh-go = { |
||||
port = 2222; |
||||
prometheus.port = 9229; |
||||
}; |
||||
}; |
||||
|
||||
privileged.configuration = { |
||||
services.endlessh-go = { |
||||
port = 22; |
||||
prometheus.port = 92; |
||||
}; |
||||
}; |
||||
}; |
||||
}; |
||||
|
||||
client = { pkgs, ... }: { |
||||
environment.systemPackages = with pkgs; [ curl netcat ]; |
||||
}; |
||||
}; |
||||
|
||||
testScript = '' |
||||
def activate_specialisation(name: str): |
||||
server.succeed(f"/run/booted-system/specialisation/{name}/bin/switch-to-configuration test >&2") |
||||
|
||||
start_all() |
||||
|
||||
with subtest("Unprivileged"): |
||||
activate_specialisation("unprivileged") |
||||
server.wait_for_unit("endlessh-go.service") |
||||
server.wait_for_open_port(2222) |
||||
server.wait_for_open_port(9229) |
||||
client.succeed("nc -dvW5 server 2222") |
||||
client.succeed("curl -kv server:9229/metrics") |
||||
|
||||
with subtest("Privileged"): |
||||
activate_specialisation("privileged") |
||||
server.wait_for_unit("endlessh-go.service") |
||||
server.wait_for_open_port(22) |
||||
server.wait_for_open_port(92) |
||||
client.succeed("nc -dvW5 server 22") |
||||
client.succeed("curl -kv server:92/metrics") |
||||
''; |
||||
}) |
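Review bot: The "Unprivileged" subtest only checks that both ports answer, so it cannot tell the two specialisations apart: nothing asserts that the service runs without `CAP_NET_BIND_SERVICE` in the unprivileged case or with it in the privileged one, which is the property the module's `needsPrivileges` logic exists for. A check such as `server.succeed("systemctl show endlessh-go.service -p AmbientCapabilities")` with an assertion on its output in each subtest would make a regression there visible. The `-k` in `curl -kv server:9229/metrics` (and in the privileged counterpart) has no effect on a plain-HTTP request and can be dropped.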
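--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,21 @@
+{ stdenv
+, pname
+, version
+, src
+, meta
+, unzip
+, undmg
+}:
+
+stdenv.mkDerivation {
+inherit pname version src meta;
+
+nativeBuildInputs = [ unzip undmg ];
+
+sourceRoot = ".";
+
+installPhase = ''
+mkdir -p $out/Applications
+cp -r *.app $out/Applications
+'';
+}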
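Review bot: The custom `installPhase` omits `runHook preInstall` and `runHook postInstall`, so any `preInstall`/`postInstall` hook a caller of this builder supplies is silently ignored. Put `runHook preInstall` before `mkdir -p $out/Applications` and `runHook postInstall` after the `cp` line. A one-line comment that `sourceRoot = "."` is there because the unpacked `.zip`/`.dmg` is expected to contain the bundle at top level would also help the next reader.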
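--- a/PATH-NOT-SHOWN
+++ /dev/null
@@ -1,92 +0,0 @@
-{ lib, stdenv, fetchurl, fetchpatch, libjpeg, libtiff, zlib
-, postgresql, libmysqlclient, libgeotiff, python3Packages, proj, geos, openssl
-, libpng, sqlite, libspatialite, poppler, hdf4, qhull, giflib, expat
-, libiconv, libxml2
-, netcdfSupport ? true, netcdf, hdf5, curl
-}:
-
-with lib;
-
-stdenv.mkDerivation rec {
-pname = "gdal";
-version = "2.4.4";
-
-src = fetchurl {
-url = "https://download.osgeo.org/gdal/${version}/${pname}-${version}.tar.xz";
-sha256 = "1n6w0m2603q9cldlz0wyscp75ci561dipc36jqbf3mjmylybv0x3";
-};
-
-patches = [
-(fetchpatch {
-url = "https://github.com/OSGeo/gdal/commit/7a18e2669a733ebe3544e4f5c735fd4d2ded5fa3.patch";
-sha256 = "sha256-rBgIxJcgRzZR1gyzDWK/Sh7MdPWeczxEYVELbYEV8JY=";
-relative = "gdal";
-# this doesn't apply correctly because of line endings
-excludes = [ "third_party/LercLib/Lerc2.h" ];
-})
-];
-
-buildInputs = [ libjpeg libtiff libgeotiff libpng proj openssl sqlite
-libspatialite poppler hdf4 qhull giflib expat libxml2 proj ]
-++ (with python3Packages; [ python numpy wrapPython ])
-++ lib.optional stdenv.isDarwin libiconv
-++ lib.optionals netcdfSupport [ netcdf hdf5 curl ];
-
-configureFlags = [
-"--with-expat=${expat.dev}"
-"--with-jpeg=${libjpeg.dev}"
-"--with-libtiff=${libtiff.dev}" # optional (without largetiff support)
-"--with-png=${libpng.dev}" # optional
-"--with-poppler=${poppler.dev}" # optional
-"--with-libz=${zlib.dev}" # optional
-"--with-pg=${postgresql}/bin/pg_config"
-"--with-mysql=${getDev libmysqlclient}/bin/mysql_config"
-"--with-geotiff=${libgeotiff.dev}"
-"--with-sqlite3=${sqlite.dev}"
-"--with-spatialite=${libspatialite}"
-"--with-python" # optional
-"--with-proj=${proj.dev}" # optional
-"--with-geos=${geos}/bin/geos-config"# optional
-"--with-hdf4=${hdf4.dev}" # optional
-"--with-xml2=${libxml2.dev}/bin/xml2-config" # optional
-(if netcdfSupport then "--with-netcdf=${netcdf}" else "")
-];
-
-hardeningDisable = [ "format" ];
-
-CXXFLAGS = "-fpermissive";
-
-postPatch = ''
-sed -i '/ifdef bool/i\
-#ifdef swap\
-#undef swap\
-#endif' ogr/ogrsf_frmts/mysql/ogr_mysql.h
-'';
-
-# - Unset CC and CXX as they confuse libtool.
-# - teach gdal that libdf is the legacy name for libhdf
-preConfigure = ''
-unset CC CXX
-substituteInPlace configure \
---replace "-lmfhdf -ldf" "-lmfhdf -lhdf"
-'';
-
-preBuild = ''
-substituteInPlace swig/python/GNUmakefile \
---replace "ifeq (\$(STD_UNIX_LAYOUT),\"TRUE\")" "ifeq (1,1)"
-'';
-
-postInstall = ''
-wrapPythonPrograms
-'';
-
-enableParallelBuilding = true;
-
-meta = {
-description = "Translator library for raster geospatial data formats";
-homepage = "https://www.gdal.org/";
-license = lib.licenses.mit;
-maintainers = [ lib.maintainers.marcweber ];
-platforms = with lib.platforms; linux ++ darwin;
-};
-}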
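--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,43 @@
+{ stdenv
+, lib
+, fetchFromGitLab
+, meson
+, ninja
+, pkg-config
+, cjson
+, cmocka
+, mbedtls
+}:
+
+stdenv.mkDerivation rec {
+pname = "librist";
+version = "0.2.7";
+
+src = fetchFromGitLab {
+domain = "code.videolan.org";
+owner = "rist";
+repo = "librist";
+rev = "v${version}";
+sha256 = "sha256-qQG2eRAPAQgxghMeUZk3nwyacX6jDl33F8BWW63nM3c=";
+};
+
+nativeBuildInputs = [
+meson
+ninja
+pkg-config
+];
+
+buildInputs = [
+cjson
+cmocka
+mbedtls
+];
+
+meta = with lib; {
+description = "A library that can be used to easily add the RIST protocol to your application.";
+homepage = "https://code.videolan.org/rist/librist";
+license = with licenses; [ bsd2 mit isc ];
+maintainers = with maintainers; [ raphaelr sebtm ];
+platforms = platforms.all;
+};
+}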
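Review bot: `cmocka` is a unit-test framework but sits in `buildInputs`, so it is treated as a dependency of the library itself rather than of its tests, while `doCheck` is never set, so the suite it is there for does not run. Move it to `checkInputs` and add `doCheck = true;` if the meson test target passes in the sandbox, or drop it entirely. Nixpkgs style also wants `description` without a trailing period: `description = "A library that can be used to easily add the RIST protocol to your application";`.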
@ -0,0 +1,28 @@ |
||||
From 81bf140583f7b7bf13cc8dd522e1ca2aba873fc4 Mon Sep 17 00:00:00 2001
|
||||
From: Martin Negyokru <negyokru@inf.u-szeged.hu>
|
||||
Date: Mon, 03 Oct 2022 12:20:00 +0200
|
||||
Subject: [PATCH] Do not intercept websocket connection when there is no associated frame
|
||||
|
||||
This fix is based on chrome's implementation.
|
||||
|
||||
Fixes: QTBUG-107144
|
||||
Change-Id: If042e4156b8a4bdb27a210c4db94e3a6198aed7d
|
||||
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
||||
(cherry picked from commit 64b7da9dab82713fdcb2e03d8a2715421eae5685)
|
||||
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
|
||||
---
|
||||
|
||||
diff --git a/src/core/content_browser_client_qt.cpp b/src/core/content_browser_client_qt.cpp
|
||||
index 020ae91..99a3aa3 100644
|
||||
--- a/src/core/content_browser_client_qt.cpp
|
||||
+++ b/src/core/content_browser_client_qt.cpp
|
||||
@@ -1237,8 +1237,7 @@
|
||||
|
||||
bool ContentBrowserClientQt::WillInterceptWebSocket(content::RenderFrameHost *frame)
|
||||
{
|
||||
- Q_UNUSED(frame);
|
||||
- return true; // It is probably not worth it to only intercept when interceptors are installed
|
||||
+ return frame != nullptr;
|
||||
}
|
||||
|
||||
QWebEngineUrlRequestInterceptor *getProfileInterceptorFromFrame(content::RenderFrameHost *frame)
|
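Review bot: The new `return frame != nullptr;` in `WillInterceptWebSocket` means WebSocket connections that arrive without an associated `RenderFrameHost` are no longer passed to Qt WebEngine's request interception at all, whereas the removed `return true;` intercepted every WebSocket; as the function name and the removed comment indicate, a deployment that relies on a profile-level interceptor to block or rewrite WebSocket traffic will not see those frameless connections after this patch. The patch header only says the behaviour follows Chrome's, so the derivation that applies it (outside this section) should carry a comment naming that consequence, e.g. `# QTBUG-107144: WebSockets with no frame bypass URL request interceptors, matching Chrome`. `getProfileInterceptorFromFrame` begins on the last line of the hunk and continues outside it.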
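--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,89 @@
+{ lib
+, buildPythonPackage
+, fetchPypi
+, pkg-config
+, lndir
+, sip
+, pyqt-builder
+, qt6Packages
+, pythonOlder
+, pyqt6
+, python
+}:
+
+buildPythonPackage rec {
+pname = "PyQt6_WebEngine";
+version = "6.4.0";
+format = "pyproject";
+
+disabled = pythonOlder "3.6";
+
+src = fetchPypi {
+inherit pname version;
+sha256 = "sha256-THHBMIYKvNEeBMr7IuM5g/qaOu6DI8UZCbFaFwGCjiE=";
+};
+
+# fix include path and increase verbosity
+postPatch = ''
+sed -i \
+'/\[tool.sip.project\]/a\
+verbose = true\
+sip-include-dirs = [\"${pyqt6}/${python.sitePackages}/PyQt6/bindings\"]' \
+pyproject.toml
+'';
+
+enableParallelBuilding = true;
+# HACK: paralellize compilation of make calls within pyqt's setup.py
+# pkgs/stdenv/generic/setup.sh doesn't set this for us because
+# make gets called by python code and not its build phase
+# format=pyproject means the pip-build-hook hook gets used to build this project
+# pkgs/development/interpreters/python/hooks/pip-build-hook.sh
+# does not use the enableParallelBuilding flag
+postUnpack = ''
+export MAKEFLAGS+=" -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES"
+'';
+
+outputs = [ "out" "dev" ];
+
+dontWrapQtApps = true;
+
+nativeBuildInputs = with qt6Packages; [
+pkg-config
+lndir
+sip
+qtwebengine
+qmake
+pyqt-builder
+];
+
+buildInputs = with qt6Packages; [
+qtwebengine
+];
+
+propagatedBuildInputs = [
+pyqt6
+];
+
+passthru = {
+inherit sip;
+};
+
+dontConfigure = true;
+
+# Checked using pythonImportsCheck, has no tests
+doCheck = true;
+
+pythonImportsCheck = [
+"PyQt6.QtWebEngineCore"
+"PyQt6.QtWebEngineQuick"
+"PyQt6.QtWebEngineWidgets"
+];
+
+meta = with lib; {
+description = "Python bindings for Qt6 WebEngine";
+homepage = "https://riverbankcomputing.com/";
+license = licenses.gpl3Only;
+platforms = platforms.mesaPlatforms;
+maintainers = with maintainers; [ LunNova nrdxp ];
+};
+}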
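Review bot: `doCheck = true;` contradicts the comment directly above it ("has no tests"): with no `checkPhase` defined it only makes the Python builder complain about a missing test suite, and `pythonImportsCheck` runs, as far as I recall, independently of `doCheck`. Write `doCheck = false; # no tests; imports are verified via pythonImportsCheck` instead. The `postPatch` `sed` splices a store path into `pyproject.toml` via `\"...\"` quoting; a short comment explaining why `sip-include-dirs` must point at `pyqt6`'s `bindings` directory would save the next bumper from re-deriving it.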
@ -1,19 +0,0 @@ |
||||
diff --git a/sipbuild/project.py b/sipbuild/project.py
|
||||
--- a/sipbuild/project.py
|
||||
+++ b/sipbuild/project.py
|
||||
@@ -336,13 +336,13 @@ class Project(AbstractProject, Configurable):
|
||||
# We expect a two part tag so leave anything else unchanged.
|
||||
parts = platform_tag.split('-')
|
||||
if len(parts) == 2:
|
||||
- if self.minimum_glibc_version > (2, 17):
|
||||
+ if self.minimum_glibc_version > (2, 17) or parts[1] not in {"x86_64", "i686", "aarch64", "armv7l", "ppc64", "ppc64le", "s390x"}:
|
||||
# PEP 600.
|
||||
parts[0] = 'manylinux'
|
||||
parts.insert(1,
|
||||
'{}.{}'.format(self.minimum_glibc_version[0],
|
||||
self.minimum_glibc_version[1]))
|
||||
- elif self.minimum_glibc_version > (2, 12):
|
||||
+ elif self.minimum_glibc_version > (2, 12) or parts[1] not in {"x86_64", "i686"}:
|
||||
# PEP 599.
|
||||
parts[0] = 'manylinux2014'
|
||||
elif self.minimum_glibc_version > (2, 5):
|