Merge staging-next into staging

.git-blame-ignore-revs

@@ -160,6 +160,9 @@ ad815aebfbfe1415ff6436521d545029c803c3fb
 # nixos/nvidia: apply nixfmt-rfc-style (#313440)
 fbdcdde04a7caa007e825a8b822c75fab9adb2d6
 
+# treewide: reformat files which need reformatting after (#341407)
+e0464e47880a69896f0fb1810f00e0de469f770a
+
 # step-cli: format package.nix with nixfmt (#331629)
 fc7a83f8b62e90de5679e993d4d49ca014ea013d
 

.gitattributes

@@ -16,3 +16,5 @@ nixos/doc/default.nix linguist-documentation=false
 
 nixos/modules/module-list.nix merge=union
 # pkgs/top-level/all-packages.nix merge=union
+
+ci/OWNERS linguist-language=CODEOWNERS

.github/workflows/codeowners.yml

@@ -13,13 +13,9 @@ on:
     types: [opened, ready_for_review, synchronize, reopened, edited]
 
 env:
-  # TODO: Once confirmed that this works by seeing that the action would request
-  # reviews from the same people (or refuse for wrong base branches),
-  # move all entries from CODEOWNERS to OWNERS and change this value here
-  # OWNERS_FILE: .github/OWNERS
-  OWNERS_FILE: .github/CODEOWNERS
-  # Also remove this
-  DRY_MODE: 1
+  OWNERS_FILE: ci/OWNERS
+  # Don't do anything on draft PRs
+  DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
 
 jobs:
   # Check that code owners is valid
@@ -84,5 +80,3 @@ jobs:
       run: result/bin/request-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
       env:
         GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        # Don't do anything on draft PRs
-        DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

CONTRIBUTING.md

@@ -193,19 +193,12 @@ The last checkbox is about whether it fits the guidelines in this `CONTRIBUTING.
 [rebase]: #rebasing-between-branches-ie-from-master-to-staging
 
 From time to time, changes between branches must be rebased, for example, if the
-number of new rebuilds they would cause is too large for the target branch. When
-rebasing, care must be taken to include only the intended changes, otherwise
-many CODEOWNERS will be inadvertently requested for review. To achieve this,
-rebasing should not be performed directly on the target branch, but on the merge
-base between the current and target branch. As an additional precautionary measure,
-you should temporarily mark the PR as draft for the duration of the operation.
-This reduces the probability of mass-pinging people. (OfBorg might still
-request a couple of persons for reviews though.)
+number of new rebuilds they would cause is too large for the target branch.
 
 In the following example, we assume that the current branch, called `feature`,
 is based on `master`, and we rebase it onto the merge base between
-`master` and `staging` so that the PR can eventually be retargeted to
-`staging` without causing a mess. The example uses `upstream` as the remote for `NixOS/nixpkgs.git`
+`master` and `staging` so that the PR can be retargeted to
+`staging`. The example uses `upstream` as the remote for `NixOS/nixpkgs.git`
 while `origin` is the remote you are pushing to.
 
 
@@ -234,36 +227,6 @@ git status
 git push origin feature --force-with-lease
 ```
 
-#### Something went wrong and a lot of people were pinged
-
-It happens. Remember to be kind, especially to new contributors.
-There is no way back, so the pull request should be closed and locked
-(if possible). The changes should be re-submitted in a new PR, in which the people
-originally involved in the conversation need to manually be pinged again.
-No further discussion should happen on the original PR, as a lot of people
-are now subscribed to it.
-
-The following message (or a version thereof) might be left when closing to
-describe the situation, since closing and locking without any explanation
-is kind of rude:
-
-```markdown
-It looks like you accidentally mass-pinged a bunch of people, which are now subscribed
-and getting notifications for everything in this pull request. Unfortunately, they
-cannot be automatically unsubscribed from the issue (removing review request does not
-unsubscribe), therefore development cannot continue in this pull request anymore.
-
-Please open a new pull request with your changes, link back to this one and ping the
-people actually involved in here over there.
-
-In order to avoid this in the future, there are instructions for how to properly
-rebase between branches in our [contribution guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#rebasing-between-branches-ie-from-master-to-staging).
-Setting your pull request to draft prior to rebasing is strongly recommended.
-In draft status, you can preview the list of people that are about to be requested
-for review, which allows you to sidestep this issue.
-This is not a bulletproof method though, as OfBorg still does review requests even on draft PRs.
-```
-
 ## How to backport pull requests
 [pr-backport]: #how-to-backport-pull-requests
 
@@ -637,15 +600,15 @@ Names of files and directories should be in lowercase, with dashes between words
 
   ```nix
   {
-    buildInputs = lib.optional stdenv.isDarwin iconv;
+    buildInputs = lib.optional stdenv.hostPlatform.isDarwin iconv;
   }
   ```
 
   instead of
 
   ```nix
   {
-    buildInputs = if stdenv.isDarwin then [ iconv ] else null;
+    buildInputs = if stdenv.hostPlatform.isDarwin then [ iconv ] else null;
   }
   ```
 

.github/CODEOWNERS → ci/OWNERS

@@ -1,22 +1,24 @@
-# CODEOWNERS file
+# This file is used to describe who owns what in this repository.
+# Users/teams will get review requests for PRs that change their files.
 #
-# This file is used to describe who owns what in this repository. This file does not
-# replace `meta.maintainers` but is instead used for other things than derivations
-# and modules, like documentation, package sets, and other assets.
+# This file does not replace `meta.maintainers`
+# but is instead used for other things than derivations and modules,
+# like documentation, package sets, and other assets.
 #
-# For documentation on this file, see https://help.github.com/articles/about-codeowners/
-# Mentioned users will get code review requests.
+# This file uses the same syntax as the natively supported CODEOWNERS file,
+# see https://help.github.com/articles/about-codeowners/ for documentation.
+# However it comes with some notable differences:
+# - There is no need for user/team listed here to have write access.
+# - No reviews will be requested for PRs that target the wrong base branch.
 #
-# IMPORTANT NOTE: in order to actually get pinged, commit access is required.
-# This also holds true for GitHub teams. Since almost none of our teams have write
-# permissions, you need to list all members of the team with commit access individually.
+# Processing of this file is implemented in workflows/codeowners.yml
 
 # CI
 /.github/workflows @NixOS/Security @Mic92 @zowoq
 /.github/workflows/check-nix-format.yml @infinisil
 /.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron
 /.github/workflows/codeowners.yml @infinisil
-/.github/OWNERS @infinisil
+/ci/OWNERS @infinisil
 /ci @infinisil @philiptaron @NixOS/Security
 
 # Development support

ci/request-reviews/get-reviewers.sh

@@ -10,16 +10,18 @@ log() {
     echo "$@" >&2
 }
 
-if (( "$#" < 5 )); then
-    log "Usage: $0 GIT_REPO BASE_REF HEAD_REF OWNERS_FILE PR_AUTHOR"
+if (( "$#" < 7 )); then
+    log "Usage: $0 GIT_REPO OWNERS_FILE BASE_REPO BASE_REF HEAD_REF PR_NUMBER PR_AUTHOR"
     exit 1
 fi
 
 gitRepo=$1
-baseRef=$2
-headRef=$3
-ownersFile=$4
-prAuthor=$5
+ownersFile=$2
+baseRepo=$3
+baseRef=$4
+headRef=$5
+prNumber=$6
+prAuthor=$7
 
 tmp=$(mktemp -d)
 trap 'rm -rf "$tmp"' exit
@@ -32,8 +34,8 @@ log "This PR touches ${#touchedFiles[@]} files"
 # remove code owners to avoid pinging them
 git -C "$gitRepo" show "$baseRef":"$ownersFile" > "$tmp"/codeowners
 
-# Associative arrays with the team/user as the key for easy deduplication
-declare -A teams users
+# Associative array with the user as the key for easy de-duplication
+declare -A users=()
 
 for file in "${touchedFiles[@]}"; do
     result=$(codeowners --file "$tmp"/codeowners "$file")
@@ -59,10 +61,34 @@ for file in "${touchedFiles[@]}"; do
         fi
         # The first regex match is everything after the @
         entry=${BASH_REMATCH[1]}
-        if [[ "$entry" =~ .*/(.*) ]]; then
-            # Teams look like $org/$team, where we only need $team for the API
-            # call to request reviews from teams
-            teams[${BASH_REMATCH[1]}]=
+
+        if [[ "$entry" =~ (.*)/(.*) ]]; then
+            # Teams look like $org/$team
+            org=${BASH_REMATCH[1]}
+            team=${BASH_REMATCH[2]}
+
+            # Instead of requesting a review from the team itself,
+            # we request reviews from the individual users.
+            # This is because once somebody from a team reviewed the PR,
+            # the API doesn't expose that the team was already requested for a review,
+            # so we wouldn't be able to avoid rerequesting reviews
+            # without saving some some extra state somewhere
+
+            # We could also consider implementing a more advanced heuristic
+            # in the future that e.g. only pings one team member,
+            # but escalates to somebody else if that member doesn't respond in time.
+            gh api \
+                --cache=1h \
+                -H "Accept: application/vnd.github+json" \
+                -H "X-GitHub-Api-Version: 2022-11-28" \
+                "/orgs/$org/teams/$team/members" \
+                --jq '.[].login' > "$tmp/team-members"
+            readarray -t members < "$tmp/team-members"
+            log "Team $entry has these members: ${members[*]}"
+
+            for user in "${members[@]}"; do
+                users[$user]=
+            done
         else
             # Everything else is a user
             users[$entry]=
@@ -77,11 +103,23 @@ if [[ -v users[$prAuthor] ]]; then
     unset 'users[$prAuthor]'
 fi
 
+gh api \
+    -H "Accept: application/vnd.github+json" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    "/repos/$baseRepo/pulls/$prNumber/reviews" \
+    --jq '.[].user.login' > "$tmp/already-reviewed-by"
+
+# And we don't want to rerequest reviews from people who already reviewed
+while read -r user; do
+    if [[ -v users[$user] ]]; then
+        log "User $user is a code owner but has already left a review, ignoring"
+        unset 'users[$user]'
+    fi
+done < "$tmp/already-reviewed-by"
+
 # Turn it into a JSON for the GitHub API call to request PR reviewers
 jq -n \
     --arg users "${!users[*]}" \
-    --arg teams "${!teams[*]}" \
     '{
       reviewers: $users | split(" "),
-      team_reviewers: $teams | split(" ")
     }'

ci/request-reviews/request-reviews.sh

@@ -80,7 +80,7 @@ if ! "$SCRIPT_DIR"/verify-base-branch.sh "$tmp/nixpkgs.git" "$headRef" "$baseRep
 fi
 
 log "Getting code owners to request reviews from"
-"$SCRIPT_DIR"/get-reviewers.sh "$tmp/nixpkgs.git" "$baseBranch" "$headRef" "$ownersFile" "$prAuthor" > "$tmp/reviewers.json"
+"$SCRIPT_DIR"/get-reviewers.sh "$tmp/nixpkgs.git" "$ownersFile" "$baseRepo" "$baseBranch" "$headRef" "$prNumber" "$prAuthor" > "$tmp/reviewers.json"
 
 log "Requesting reviews from: $(<"$tmp/reviewers.json")"
 

ci/request-reviews/verify-base-branch.sh

@@ -90,8 +90,9 @@ for testBranch in "${devBranches[@]}"; do
         log -e "\e[33m"
         echo "The PR's base branch is set to $baseBranch, but $extraCommits commits from the $testBranch branch are included. Make sure you know the [right base branch for your changes](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#branch-conventions), then:"
         echo "- If the changes should go to the $testBranch branch, [change the base branch](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-base-branch-of-a-pull-request) to $testBranch"
-        echo "- If the changes should go to the $baseBranch branch, rebase your PR onto the merge base with the $testBranch branch:"
-        echo "  \`\`\`"
+        echo "- If the changes should go to the $baseBranch branch, rebase your PR onto the merge base with the $baseBranch branch:"
+        echo "  \`\`\`bash"
+        echo "  # git rebase --onto \$(git merge-base upstream/$baseBranch HEAD) \$(git merge-base upstream/$testBranch HEAD)"
         echo "  git rebase --onto $prMergeBase $testMergeBase"
         echo "  git push --force-with-lease"
         echo "  \`\`\`"

doc/languages-frameworks/beam.section.md

@@ -349,8 +349,8 @@ let
     nodePackages.prettier
   ];
 
-  inputs = basePackages ++ lib.optionals stdenv.isLinux [ inotify-tools ]
-    ++ lib.optionals stdenv.isDarwin
+  inputs = basePackages ++ lib.optionals stdenv.hostPlatform.isLinux [ inotify-tools ]
+    ++ lib.optionals stdenv.hostPlatform.isDarwin
     (with darwin.apple_sdk.frameworks; [ CoreFoundation CoreServices ]);
 
   # define shell startup command

doc/languages-frameworks/emscripten.section.md

@@ -84,7 +84,7 @@ One advantage is that when `pkgs.zlib` is updated, it will automatically update
     echo "================= /testing zlib using node ================="
   '';
 
-  postPatch = pkgs.lib.optionalString pkgs.stdenv.isDarwin ''
+  postPatch = pkgs.lib.optionalString pkgs.stdenv.hostPlatform.isDarwin ''
     substituteInPlace configure \
       --replace-fail '/usr/bin/libtool' 'ar' \
       --replace-fail 'AR="libtool"' 'AR="ar"' \

doc/languages-frameworks/perl.section.md

@@ -125,8 +125,8 @@ On Darwin, if a script has too many `-Idir` flags in its first line (its “sheb
       hash = "sha256-vOhB/FwQMC8PPvdnjDvxRpU6jAZcC6GMQfc0AH4uwKg=";
     };
 
-    nativeBuildInputs = lib.optional stdenv.isDarwin shortenPerlShebang;
-    postInstall = lib.optionalString stdenv.isDarwin ''
+    nativeBuildInputs = lib.optional stdenv.hostPlatform.isDarwin shortenPerlShebang;
+    postInstall = lib.optionalString stdenv.hostPlatform.isDarwin ''
       shortenPerlShebang $out/bin/exiftool
     '';
   };

doc/languages-frameworks/python.section.md

@@ -1306,7 +1306,7 @@ for example:
   ] ++ lib.optionals (pythonAtLeast "3.8") [
     # broken due to python3.8 async changes
     "async"
-  ] ++ lib.optionals stdenv.isDarwin [
+  ] ++ lib.optionals stdenv.buildPlatform.isDarwin [
     # can fail when building with other packages
     "socket"
   ];

doc/stdenv/platform-notes.chapter.md

@@ -22,7 +22,7 @@ Some common issues when packaging software for Darwin:
   stdenv.mkDerivation {
     name = "libfoo-1.2.3";
     # ...
-    makeFlags = lib.optional stdenv.isDarwin "LDFLAGS=-Wl,-install_name,$(out)/lib/libfoo.dylib";
+    makeFlags = lib.optional stdenv.hostPlatform.isDarwin "LDFLAGS=-Wl,-install_name,$(out)/lib/libfoo.dylib";
   }
   ```
 

maintainers/maintainer-list.nix

@@ -668,6 +668,12 @@
     githubId = 19290901;
     name = "Andrew Brooks";
   };
+  agilesteel = {
+    email = "[email protected]";
+    github = "agilesteel";
+    githubId = 1141462;
+    name = "Vladyslav Pekker";
+  };
   aherrmann = {
     email = "[email protected]";
     github = "aherrmann";
@@ -8239,6 +8245,13 @@
     github = "hacker1024";
     githubId = 20849728;
   };
+  hadilq = {
+    name = "Hadi Lashkari Ghouchani";
+    email = "[email protected]";
+    github = "hadilq";
+    githubId = 5190539;
+    keys = [ { fingerprint = "AD3D 53CB A68A FEC0 8065  BCBB 416A D9E8 E372 C075"; } ];
+  };
   hagl = {
     email = "[email protected]";
     github = "hagl";
@@ -13923,6 +13936,13 @@
     name = "Mark Vainomaa";
     keys = [ { fingerprint = "DB43 2895 CF68 F0CE D4B7  EF60 DA01 5B05 B5A1 1B22"; } ];
   };
+  mikut = {
+    email = "[email protected]";
+    github = "Mikutut";
+    githubId = 65046942;
+    name = "Marcin Mikuła";
+    keys = [ { fingerprint = "5547 2A56 AC30 69C9 15C8  B98D 997F 71FA 1D74 6E37"; } ];
+  };
   milahu = {
     email = "[email protected]";
     github = "milahu";

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -229,6 +229,8 @@
 
 - `buildbot` was updated to 4.0, the AngularJS frontend has been replaced by a React frontend, see the [upstream release notes](https://docs.buildbot.net/current/manual/upgrading/4.0-upgrade.html).
 
+- `headscale` has been updated to version 0.23.0 which reworked large parts of the configuration including DNS, Magic DNS prefixes and ACL policy files. See the [upstream changelog](https://github.com/juanfont/headscale/releases/tag/v0.23.0) for details.
+
 - `nginx` package no longer includes `gd` and `geoip` dependencies. For enabling it, override `nginx` package with the optionals `withImageFilter` and `withGeoIP`.
 
 - `systemd.enableUnifiedCgroupHierarchy` option has been removed.