Merge branch 'master' of github.com:NixOS/nixpkgs into feat/acme/delay

9 files changed, 238 insertions, 35 deletions

diff --git a/maintainers/scripts/hydra-eval-failures.py b/maintainers/scripts/hydra-eval-failures.py
index d0bd1913ba8a..23669502e46d 100755
--- a/maintainers/scripts/hydra-eval-failures.py
+++ b/maintainers/scripts/hydra-eval-failures.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i python -p pythonFull pythonPackages.requests pythonPackages.pyquery pythonPackages.click
+#!nix-shell -i python3 -p 'python3.withPackages(ps: with ps; [ requests pyquery click ])'
 
 # To use, just execute this script with --help to display help.
 
@@ -16,7 +16,7 @@ maintainers_json = subprocess.check_output([
     'nix-instantiate', '-E', 'import ./maintainers/maintainer-list.nix {}', '--eval', '--json'
 ])
 maintainers = json.loads(maintainers_json)
-MAINTAINERS = {v: k for k, v in maintainers.iteritems()}
+MAINTAINERS = {v: k for k, v in maintainers.items()}
 
 
 def get_response_text(url):
@@ -45,6 +45,17 @@ def get_maintainers(attr_name):
     except:
        return []
 
+def print_build(table_row):
+    a = pq(table_row)('a')[1]
+    print("- [ ] [{}]({})".format(a.text, a.get('href')), flush=True)
+    
+    maintainers = get_maintainers(a.text)
+    if maintainers:
+        print("  - maintainers: {}".format(", ".join(map(lambda u: '@' + u, maintainers))))
+    # TODO: print last three persons that touched this file
+    # TODO: pinpoint the diff that broke this build, or maybe it's transient or maybe it never worked?
+    
+    sys.stdout.flush()
 
 @click.command()
 @click.option(
@@ -73,23 +84,17 @@ def cli(jobset):
 
     # TODO: aborted evaluations
     # TODO: dependency failed without propagated builds
+    print('\nFailures:')
     for tr in d('img[alt="Failed"]').parents('tr'):
-        a = pq(tr)('a')[1]
-        print("- [ ] [{}]({})".format(a.text, a.get('href')))
+        print_build(tr)
 
-        sys.stdout.flush()
-
-        maintainers = get_maintainers(a.text)
-        if maintainers:
-            print("  - maintainers: {}".format(", ".join(map(lambda u: '@' + u, maintainers))))
-        # TODO: print last three persons that touched this file
-        # TODO: pinpoint the diff that broke this build, or maybe it's transient or maybe it never worked?
-
-        sys.stdout.flush()
+    print('\nDependency failures:')
+    for tr in d('img[alt="Dependency failed"]').parents('tr'):
+        print_build(tr)
 
 
 if __name__ == "__main__":
     try:
         cli()
-    except:
+    except Exception as e:
         import pdb;pdb.post_mortem()
diff --git a/nixos/modules/services/computing/boinc/client.nix b/nixos/modules/services/computing/boinc/client.nix
index e43b6bbb2536..8abe3c5b8c9b 100644
--- a/nixos/modules/services/computing/boinc/client.nix
+++ b/nixos/modules/services/computing/boinc/client.nix
@@ -6,6 +6,13 @@ let
   cfg = config.services.boinc;
   allowRemoteGuiRpcFlag = optionalString cfg.allowRemoteGuiRpc "--allow_remote_gui_rpc";
 
+  fhsEnv = pkgs.buildFHSUserEnv {
+    name = "boinc-fhs-env";
+    targetPkgs = pkgs': [ cfg.package ] ++ cfg.extraEnvPackages;
+    runScript = "/bin/boinc_client";
+  };
+  fhsEnvExecutable = "${fhsEnv}/bin/${fhsEnv.name}";
+
 in
   {
     options.services.boinc = {
@@ -49,6 +56,43 @@ in
           See also: <link xlink:href="http://boinc.berkeley.edu/wiki/Controlling_BOINC_remotely#Remote_access"/>
         '';
       };
+
+      extraEnvPackages = mkOption {
+        type = types.listOf types.package;
+        default = [];
+        example = "[ pkgs.virtualbox ]";
+        description = ''
+          Additional packages to make available in the environment in which
+          BOINC will run. Common choices are:
+          <variablelist>
+            <varlistentry>
+              <term><varname>pkgs.virtualbox</varname></term>
+              <listitem><para>
+                The VirtualBox virtual machine framework. Required by some BOINC
+                projects, such as ATLAS@home.
+              </para></listitem>
+            </varlistentry>
+            <varlistentry>
+              <term><varname>pkgs.ocl-icd</varname></term>
+              <listitem><para>
+                OpenCL infrastructure library. Required by BOINC projects that
+                use OpenCL, in addition to a device-specific OpenCL driver.
+              </para></listitem>
+            </varlistentry>
+            <varlistentry>
+              <term><varname>pkgs.linuxPackages.nvidia_x11</varname></term>
+              <listitem><para>
+                Provides CUDA libraries. Required by BOINC projects that use
+                CUDA. Note that this requires an NVIDIA graphics device to be
+                present on the system.
+              </para><para>
+                Also provides OpenCL drivers for NVIDIA GPUs;
+                <varname>pkgs.ocl-icd</varname> is also needed in this case.
+              </para></listitem>
+            </varlistentry>
+          </variablelist>
+        '';
+      };
     };
 
     config = mkIf cfg.enable {
@@ -70,7 +114,7 @@ in
           chown boinc ${cfg.dataDir}
         '';
         script = ''
-          ${cfg.package}/bin/boinc_client --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag}
+          ${fhsEnvExecutable} --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag}
         '';
         serviceConfig = {
           PermissionsStartOnly = true; # preStart must be run as root
diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix
index 4241e6fcceab..0b52b1d3e302 100644
--- a/nixos/modules/services/networking/nsd.nix
+++ b/nixos/modules/services/networking/nsd.nix
@@ -250,6 +250,46 @@ let
           Use imports or pkgs.lib.readFile if you don't want this data in your config file.
         '';
       };
+      
+      dnssec = mkEnableOption "DNSSEC";
+
+      dnssecPolicy = {
+        algorithm = mkOption {
+          type = types.str;
+          default = "RSASHA256";
+          description = "Which algorithm to use for DNSSEC";
+        };
+        keyttl = mkOption {
+          type = types.str;
+          default = "1h";
+          description = "TTL for dnssec records";
+        };
+        coverage = mkOption {
+          type = types.str;
+          default = "1y";
+          description = ''
+            The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time.
+          '';
+        };
+        zsk = mkOption {
+          type = keyPolicy;
+          default = { keySize = 2048;
+                      prePublish = "1w";
+                      postPublish = "1w";
+                      rollPeriod = "1mo";
+                    };
+          description = "Key policy for zone signing keys";
+        };
+        ksk = mkOption {
+          type = keyPolicy;
+          default = { keySize = 4096;
+                      prePublish = "1mo";
+                      postPublish = "1mo";
+                      rollPeriod = "0";
+                    };
+          description = "Key policy for key signing keys";
+        };
+      };
 
       maxRefreshSecs = mkOption {
         type = types.nullOr types.int;
@@ -367,10 +407,61 @@ let
           and stats_noreset.
         '';
       };
+    };
+  };
 
+  keyPolicy = types.submodule {
+    options = {
+      keySize = mkOption {
+        type = types.int;
+        description = "Key size in bits";
+      };
+      prePublish = mkOption {
+        type = types.str;
+        description = "How long in advance to publish new keys";
+      };
+      postPublish = mkOption {
+        type = types.str;
+        description = "How long after deactivation to keep a key in the zone";
+      };
+      rollPeriod = mkOption {
+        type = types.str;
+        description = "How frequently to change keys";
+      };
     };
   };
 
+  dnssecZones = (filterAttrs (n: v: if v ? dnssec then v.dnssec else false) zoneConfigs);
+
+  dnssec = length (attrNames dnssecZones) != 0; 
+
+  signZones = optionalString dnssec ''
+    mkdir -p ${stateDir}/dnssec
+    chown ${username}:${username} ${stateDir}/dnssec
+    chmod 0600 ${stateDir}/dnssec
+
+    ${concatStrings (mapAttrsToList signZone dnssecZones)}
+  '';
+  signZone = name: zone: ''
+    ${pkgs.bind}/bin/dnssec-keymgr -g ${pkgs.bind}/bin/dnssec-keygen -s ${pkgs.bind}/bin/dnssec-settime -K ${stateDir}/dnssec -c ${policyFile name zone.dnssecPolicy} ${name}
+    ${pkgs.bind}/bin/dnssec-signzone -S -K ${stateDir}/dnssec -o ${name} -O full -N date ${stateDir}/zones/${name}
+    ${nsdPkg}/sbin/nsd-checkzone ${name} ${stateDir}/zones/${name}.signed && mv -v ${stateDir}/zones/${name}.signed ${stateDir}/zones/${name}
+  '';
+  policyFile = name: policy: pkgs.writeText "${name}.policy" ''
+    zone ${name} {
+      algorithm ${policy.algorithm};
+      key-size zsk ${toString policy.zsk.keySize};
+      key-size ksk ${toString policy.ksk.keySize};
+      keyttl ${policy.keyttl};
+      pre-publish zsk ${policy.zsk.prePublish};
+      pre-publish ksk ${policy.ksk.prePublish};
+      post-publish zsk ${policy.zsk.postPublish};
+      post-publish ksk ${policy.ksk.postPublish};
+      roll-period zsk ${policy.zsk.rollPeriod};
+      roll-period ksk ${policy.ksk.rollPeriod};
+      coverage ${policy.coverage};
+    };
+  '';
 in
 {
   # options are ordered alphanumerically
@@ -380,6 +471,14 @@ in
 
     bind8Stats = mkEnableOption "BIND8 like statistics";
 
+    dnssecInterval = mkOption {
+      type = types.str;
+      default = "1h";
+      description = ''
+        How often to check whether dnssec key rollover is required
+      '';
+    };
+
     extraConfig = mkOption {
       type = types.str;
       default = "";
@@ -741,7 +840,6 @@ in
 
     };
 
-
     zones = mkOption {
       type = types.attrsOf zoneOptions;
       default = {};
@@ -785,7 +883,6 @@ in
         serverGroup1.
       '';
     };
-
   };
 
   config = mkIf cfg.enable {
@@ -832,9 +929,9 @@ in
         mkdir -m 0700 -p "${stateDir}/var"
 
         cat > "${stateDir}/don't touch anything in here" << EOF
-        Everything in this directory except NSD's state in var is
-        automatically generated and will be purged and redeployed
-        by the nsd.service pre-start script.
+        Everything in this directory except NSD's state in var and dnssec
+        is automatically generated and will be purged and redeployed by
+        the nsd.service pre-start script.
         EOF
 
         chown ${username}:${username} -R "${stateDir}/private"
@@ -848,6 +945,34 @@ in
       '';
     };
 
+    nixpkgs.config = mkIf dnssec {
+      bind.enablePython = true;
+    };
+
+    systemd.timers."nsd-dnssec" = mkIf dnssec {
+      description = "Automatic DNSSEC key rollover";
+
+      wantedBy = [ "nsd.service" ];
+
+      timerConfig = {
+        OnActiveSec = cfg.dnssecInterval;
+        OnUnitActiveSec = cfg.dnssecInterval;
+      };
+    };
+
+    systemd.services."nsd-dnssec" = mkIf dnssec {
+      description = "DNSSEC key rollover";
+
+      wantedBy = [ "nsd.service" ];
+      before = [ "nsd.service" ];
+
+      script = signZones;
+
+      postStop = ''
+        ${pkgs.systemd}/bin/systemctl kill -s SIGHUP nsd.service
+      '';
+    };
+
   };
 
   meta.maintainers = with lib.maintainers; [ hrdinka ];
diff --git a/pkgs/development/em-modules/generic/default.nix b/pkgs/development/em-modules/generic/default.nix
index 332fab8e14aa..f03e6e42739a 100644
--- a/pkgs/development/em-modules/generic/default.nix
+++ b/pkgs/development/em-modules/generic/default.nix
@@ -22,8 +22,6 @@ pkgs.stdenv.mkDerivation (
     HOME=$TMPDIR
     runHook preConfigure
 
-    # probably requires autotools as dependency
-    ./autogen.sh
     emconfigure ./configure --prefix=$out
 
     runHook postConfigure
diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix
index 018a57ad0571..fd738faf5074 100644
--- a/pkgs/development/libraries/pupnp/default.nix
+++ b/pkgs/development/libraries/pupnp/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   name = "libupnp-${version}";
-  version = "1.8.3";
+  version = "1.6.21";
 
   src = fetchFromGitHub {
     owner = "mrjimenez";
     repo = "pupnp";
     rev = "release-${version}";
-    sha256 = "1w0kfq1pg3y2wl6gwkm1w872g0qz29w1z9wj08xxmwnk5mkpvsrl";
+    sha256 = "07ksfhadinaa20542gblrxi9pqz0v6y70a836hp3qr4037id4nm9";
   };
 
   nativeBuildInputs = [ autoreconfHook ];
diff --git a/pkgs/development/tools/cloudfoundry-cli/default.nix b/pkgs/development/tools/cloudfoundry-cli/default.nix
index fc085b3e5ea5..22c2f0774182 100644
--- a/pkgs/development/tools/cloudfoundry-cli/default.nix
+++ b/pkgs/development/tools/cloudfoundry-cli/default.nix
@@ -2,17 +2,17 @@
 
 buildGoPackage rec {
   name = "cloudfoundry-cli-${version}";
-  version = "6.32.0";
+  version = "6.36.1";
 
   goPackagePath = "code.cloudfoundry.org/cli";
 
   subPackages = [ "." ];
 
   src = fetchFromGitHub {
+    owner = "cloudfoundry";
+    repo = "cli";
     rev = "v${version}";
-    owner = "cloudfoundry-attic";
-    repo = "cli-with-i18n";
-    sha256 = "16r8zvahn4b98krmyb8zq9370i6572dhz88bfxb3fnddcv6zy1ng";
+    sha256 = "19inl7qs2acs59p3gnl5zdsxym0wp2rn05q0zfg7rwf5sjh68amp";
   };
 
   outputs = [ "out" ];
diff --git a/pkgs/servers/dns/bind/default.nix b/pkgs/servers/dns/bind/default.nix
index 86e756a0db37..4002c6b3542f 100644
--- a/pkgs/servers/dns/bind/default.nix
+++ b/pkgs/servers/dns/bind/default.nix
@@ -1,8 +1,10 @@
 { stdenv, lib, fetchurl, openssl, libtool, perl, libxml2
+, enablePython ? false, python3 ? null
 , enableSeccomp ? false, libseccomp ? null, buildPackages
 }:
 
 assert enableSeccomp -> libseccomp != null;
+assert enablePython -> python3 != null;
 
 let version = "9.12.1"; in
 
@@ -20,8 +22,9 @@ stdenv.mkDerivation rec {
     stdenv.lib.optional stdenv.isDarwin ./darwin-openssl-linking-fix.patch;
 
   nativeBuildInputs = [ perl ];
-  buildInputs = [ openssl libtool libxml2 ] ++
-    stdenv.lib.optional enableSeccomp libseccomp;
+  buildInputs = [ openssl libtool libxml2 ]
+    ++ lib.optional enableSeccomp libseccomp
+    ++ lib.optional enablePython python3;
 
   STD_CDEFINES = [ "-DDIG_SIGCHASE=1" ]; # support +sigchase
 
@@ -32,6 +35,7 @@ stdenv.mkDerivation rec {
     "--with-libtool"
     "--with-libxml2=${libxml2.dev}"
     "--with-openssl=${openssl.dev}"
+    (if enablePython then "--with-python" else "--without-python")
     "--without-atf"
     "--without-dlopen"
     "--without-docbook-xsl"
@@ -41,7 +45,6 @@ stdenv.mkDerivation rec {
     "--without-lmdb"
     "--without-pkcs11"
     "--without-purify"
-    "--without-python"
     "--with-randomdev=/dev/random"
     "--with-ecdsa"
     "--with-gost"
diff --git a/pkgs/servers/monitoring/zipkin/default.nix b/pkgs/servers/monitoring/zipkin/default.nix
new file mode 100644
index 000000000000..2925a8f2dc53
--- /dev/null
+++ b/pkgs/servers/monitoring/zipkin/default.nix
@@ -0,0 +1,26 @@
+{stdenv, fetchurl, makeWrapper, jre}:
+stdenv.mkDerivation rec {
+  version = "1.28.1";
+  name = "zipkin-server-${version}";
+  src = fetchurl {
+    url = "https://search.maven.org/remotecontent?filepath=io/zipkin/java/zipkin-server/${version}/zipkin-server-${version}-exec.jar";
+    sha256 = "02369fkv0kbl1isq6y26fh2zj5wxv3zck522m5wypsjlcfcw2apa";
+  };
+  buildInputs = [ makeWrapper ];
+
+  buildCommand =
+  ''
+    mkdir -p $out/share/java
+    cp ${src} $out/share/java/zipkin-server-${version}-exec.jar
+    mkdir -p $out/bin
+    makeWrapper ${jre}/bin/java $out/bin/zipkin-server \
+      --add-flags "-cp $out/share/java/zipkin-server-${version}-exec.jar org.springframework.boot.loader.JarLauncher"
+  '';
+  meta = with stdenv.lib; {
+    description = "Zipkin distributed tracing system";
+    homepage = "http://zipkin.io/";
+    license = licenses.asl20;
+    platforms = platforms.unix;
+    maintainers = [ maintainers.hectorj ];
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index b56c0de69397..0a844693fe3b 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -7644,9 +7644,7 @@ with pkgs;
 
   cl-launch = callPackage ../development/tools/misc/cl-launch {};
 
-  cloudfoundry-cli = callPackage ../development/tools/cloudfoundry-cli {
-    go = go_1_9;
-  };
+  cloudfoundry-cli = callPackage ../development/tools/cloudfoundry-cli { };
 
   coan = callPackage ../development/tools/analysis/coan { };
 
@@ -12264,7 +12262,10 @@ with pkgs;
 
   bftpd = callPackage ../servers/ftp/bftpd {};
 
-  bind = callPackage ../servers/dns/bind { };
+  bind = callPackage ../servers/dns/bind {
+    enablePython = config.bind.enablePython or false;
+    python3 = python3.withPackages (ps: with ps; [ ply ]);
+  };
   dnsutils = bind.dnsutils;
 
   inherit (callPackages ../servers/bird { })
@@ -12946,6 +12947,7 @@ with pkgs;
   zabbix20 = callPackage ../servers/monitoring/zabbix/2.0.nix { };
   zabbix22 = callPackage ../servers/monitoring/zabbix/2.2.nix { };
 
+  zipkin = callPackage ../servers/monitoring/zipkin { };
 
   ### OS-SPECIFIC