Merge master into staging-next

nixos/doc/manual/from_md/release-notes/rl-2211.section.xml

@@ -369,6 +369,16 @@
           release notes</link> for more details.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <literal>github-runner</literal> gained support for ephemeral
+          runners and registrations using a personal access token (PAT)
+          instead of a registration token. See
+          <literal>services.github-runner.ephemeral</literal> and
+          <literal>services.github-runner.tokenFile</literal> for
+          details.
+        </para>
+      </listitem>
       <listitem>
         <para>
           A new module was added for the Saleae Logic device family,

nixos/doc/manual/release-notes/rl-2211.section.md

@@ -137,6 +137,8 @@ Use `configure.packages` instead.
 
 - The `xplr` package has been updated from 0.18.0 to 0.19.0, which brings some breaking changes. See the [upstream release notes](https://github.com/sayanarijit/xplr/releases/tag/v0.19.0) for more details.
 
+- `github-runner` gained support for ephemeral runners and registrations using a personal access token (PAT) instead of a registration token. See `services.github-runner.ephemeral` and `services.github-runner.tokenFile` for details.
+
 - A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`.
 
 - The Redis module now disables RDB persistence when `services.redis.servers.<name>.save = []` instead of using the Redis default.

nixos/modules/services/continuous-integration/github-runner.nix

@@ -48,9 +48,14 @@ in
     tokenFile = mkOption {
       type = types.path;
       description = lib.mdDoc ''
-        The full path to a file which contains the runner registration token.
+        The full path to a file which contains either a runner registration token or a
+        personal access token (PAT).
         The file should contain exactly one line with the token without any newline.
-        The token can be used to re-register a runner of the same name but is time-limited.
+        If a registration token is given, it can be used to re-register a runner of the same
+        name but is time-limited. If the file contains a PAT, the service creates a new
+        registration token on startup as needed. Make sure the PAT has a scope of
+        `admin:org` for organization-wide registrations or a scope of
+        `repo` for a single repository.
 
         Changing this option or the file's content triggers a new runner registration.
       '';
@@ -117,6 +122,24 @@ in
       default = pkgs.github-runner;
       defaultText = literalExpression "pkgs.github-runner";
     };
+
+    ephemeral = mkOption {
+      type = types.bool;
+      description = lib.mdDoc ''
+        If enabled, causes the following behavior:
+
+        - Passes the `--ephemeral` flag to the runner configuration script
+        - De-registers and stops the runner with GitHub after it has processed one job
+        - On stop, systemd wipes the runtime directory (this always happens, even without using the ephemeral option)
+        - Restarts the service after its successful exit
+        - On start, wipes the state directory and configures a new runner
+
+        You should only enable this option if `tokenFile` points to a file which contains a
+        personal access token (PAT). If you're using the option with a registration token, restarting the
+        service will fail as soon as the registration token expired.
+      '';
+      default = false;
+    };
   };
 
   config = mkIf cfg.enable {
@@ -136,7 +159,7 @@ in
 
       environment = {
         HOME = runtimeDir;
-        RUNNER_ROOT = runtimeDir;
+        RUNNER_ROOT = stateDir;
       };
 
       path = (with pkgs; [
@@ -150,7 +173,7 @@ in
       ] ++ cfg.extraPackages;
 
       serviceConfig = rec {
-        ExecStart = "${cfg.package}/bin/runsvc.sh";
+        ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service";
 
         # Does the following, sequentially:
         # - If the module configuration or the token has changed, purge the state directory,
@@ -178,7 +201,7 @@ in
               ${lines}
             '';
             currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
-            runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" ] cfg;
+            runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" ] cfg;
             newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
             newConfigTokenFilename = ".new-token";
             runnerCredFiles = [
@@ -188,17 +211,24 @@ in
             ];
             unconfigureRunner = writeScript "unconfigure" ''
               differs=
-              # Set `differs = 1` if current and new runner config differ or if `currentConfigPath` does not exist
-              ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 || differs=1
-              # Also trigger a registration if the token content changed
-              ${pkgs.diffutils}/bin/diff -q \
-                "$STATE_DIRECTORY"/${currentConfigTokenFilename} \
-                ${escapeShellArg cfg.tokenFile} \
-                >/dev/null 2>&1 || differs=1
+
+              if [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then
+                # State directory is not empty
+                # Set `differs = 1` if current and new runner config differ or if `currentConfigPath` does not exist
+                ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 || differs=1
+                # Also trigger a registration if the token content changed
+                ${pkgs.diffutils}/bin/diff -q \
+                  "$STATE_DIRECTORY"/${currentConfigTokenFilename} \
+                  ${escapeShellArg cfg.tokenFile} \
+                  >/dev/null 2>&1 || differs=1
+                # If .credentials does not exist, assume a previous run de-registered the runner on stop (ephemeral mode)
+                [[ ! -f "$STATE_DIRECTORY/.credentials" ]] && differs=1
+              fi
 
               if [[ -n "$differs" ]]; then
                 echo "Config has changed, removing old runner state."
-                echo "The old runner will still appear in the GitHub Actions UI." \
+                # In ephemeral mode, the runner deletes the `.credentials` file after de-registering it with GitHub
+                [[ -f "$STATE_DIRECTORY/.credentials" ]] && echo "The old runner will still appear in the GitHub Actions UI." \
                   "You have to remove it manually."
                 find "$STATE_DIRECTORY/" -mindepth 1 -delete
 
@@ -212,17 +242,28 @@ in
               if [[ -e "$STATE_DIRECTORY/${newConfigTokenFilename}" ]]; then
                 echo "Configuring GitHub Actions Runner"
 
-                token=$(< "$STATE_DIRECTORY"/${newConfigTokenFilename})
-                RUNNER_ROOT="$STATE_DIRECTORY" ${cfg.package}/bin/config.sh \
-                  --unattended \
-                  --disableupdate \
-                  --work "$RUNTIME_DIRECTORY" \
-                  --url ${escapeShellArg cfg.url} \
-                  --token "$token" \
-                  --labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)} \
-                  --name ${escapeShellArg cfg.name} \
-                  ${optionalString cfg.replace "--replace"} \
+                args=(
+                  --unattended
+                  --disableupdate
+                  --work "$RUNTIME_DIRECTORY"
+                  --url ${escapeShellArg cfg.url}
+                  --labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)}
+                  --name ${escapeShellArg cfg.name}
+                  ${optionalString cfg.replace "--replace"}
                   ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}
+                  ${optionalString cfg.ephemeral "--ephemeral"}
+                )
+
+                # If the token file contains a PAT (i.e., it starts with "ghp_"), we have to use the --pat option,
+                # if it is not a PAT, we assume it contains a registration token and use the --token option
+                token=$(<"$STATE_DIRECTORY/${newConfigTokenFilename}")
+                if [[ "$token" =~ ^ghp_* ]]; then
+                  args+=(--pat "$token")
+                else
+                  args+=(--token "$token")
+                fi
+
+                ${cfg.package}/bin/config.sh "''${args[@]}"
 
                 # Move the automatically created _diag dir to the logs dir
                 mkdir -p  "$STATE_DIRECTORY/_diag"
@@ -250,6 +291,10 @@ in
             setupRuntimeDir
           ];
 
+        # If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner)
+        # to trigger a fresh registration.
+        Restart = if cfg.ephemeral then "on-success" else "no";
+
         # Contains _diag
         LogsDirectory = [ systemdDir ];
         # Default RUNNER_ROOT which contains ephemeral Runner data
@@ -269,8 +314,7 @@ in
         # By default, use a dynamically allocated user
         DynamicUser = true;
 
-        KillMode = "process";
-        KillSignal = "SIGTERM";
+        KillSignal = "SIGINT";
 
         # Hardening (may overlap with DynamicUser=)
         # The following options are only for optimizing:

nixos/modules/services/networking/globalprotect-vpn.nix

@@ -5,7 +5,8 @@ with lib;
 let
   cfg = config.services.globalprotect;
 
-  execStart = if cfg.csdWrapper == null then
+  execStart =
+    if cfg.csdWrapper == null then
       "${pkgs.globalprotect-openconnect}/bin/gpservice"
     else
       "${pkgs.globalprotect-openconnect}/bin/gpservice --csd-wrapper=${cfg.csdWrapper}";
@@ -15,6 +16,22 @@ in
   options.services.globalprotect = {
     enable = mkEnableOption "globalprotect";
 
+    settings = mkOption {
+      description = ''
+        GlobalProtect-openconnect configuration. For more information, visit
+        <link
+        xlink:href="https://github.com/yuezk/GlobalProtect-openconnect/wiki/Configuration"
+        />.
+      '';
+      default = { };
+      example = {
+        "vpn1.company.com" = {
+          openconnect-args = "--script=/path/to/vpnc-script";
+        };
+      };
+      type = types.attrs;
+    };
+
     csdWrapper = mkOption {
       description = lib.mdDoc ''
         A script that will produce a Host Integrity Protection (HIP) report,
@@ -29,12 +46,14 @@ in
   config = mkIf cfg.enable {
     services.dbus.packages = [ pkgs.globalprotect-openconnect ];
 
+    environment.etc."gpservice/gp.conf".text = lib.generators.toINI { } cfg.settings;
+
     systemd.services.gpservice = {
       description = "GlobalProtect openconnect DBus service";
       serviceConfig = {
-        Type="dbus";
-        BusName="com.yuezk.qt.GPService";
-        ExecStart=execStart;
+        Type = "dbus";
+        BusName = "com.yuezk.qt.GPService";
+        ExecStart = execStart;
       };
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];

nixos/modules/services/networking/headscale.nix

@@ -286,11 +286,11 @@ in
             '';
           };
           challengeType = mkOption {
-            type = types.enum [ "TLS_ALPN-01" "HTTP-01" ];
+            type = types.enum [ "TLS-ALPN-01" "HTTP-01" ];
             default = "HTTP-01";
             description = lib.mdDoc ''
               Type of ACME challenge to use, currently supported types:
-              `HTTP-01` or `TLS_ALPN-01`.
+              `HTTP-01` or `TLS-ALPN-01`.
             '';
           };
           httpListen = mkOption {

nixos/modules/services/x11/desktop-managers/cinnamon.nix

@@ -212,6 +212,7 @@ in
         # external apps shipped with linux-mint
         hexchat
         gnome-calculator
+        gnome-screenshot
       ] config.environment.cinnamon.excludePackages;
     })
   ];

pkgs/applications/audio/lsp-plugins/default.nix

@@ -1,22 +1,22 @@
 { lib, stdenv, fetchurl, pkg-config, makeWrapper
 , libsndfile, jack2
 , libGLU, libGL, lv2, cairo
-, ladspaH, php }:
+, ladspaH, php, libXrandr }:
 
 stdenv.mkDerivation rec {
-  pname = "lsp-plugins";
-  version = "1.2.1";
+        pname = "lsp-plugins";
+        version = "1.2.2";
 
-  src = fetchurl {
-    url = "https://github.com/sadko4u/${pname}/releases/download/${version}/${pname}-src-${version}.tar.gz";
-    sha256 = "sha256-wHibZJbrgy7t0z2rRDe1FUAG38BW/dR0JgoKVWYCn60=";
-  };
+        src = fetchurl {
+                url = "https://github.com/sadko4u/${pname}/releases/download/${version}/${pname}-src-${version}.tar.gz";
+                sha256 = "sha256-qIakDWNs8fQmlw/VHwTET2LmIvI+6I6zK88bmsWF4VI=";
+        };
 
-  nativeBuildInputs = [ pkg-config php makeWrapper ];
-  buildInputs = [ jack2 libsndfile libGLU libGL lv2 cairo ladspaH ];
+        nativeBuildInputs = [ pkg-config php makeWrapper ];
+        buildInputs = [ jack2 libsndfile libGLU libGL lv2 cairo ladspaH libXrandr ];
 
-  makeFlags = [
-    "PREFIX=${placeholder "out"}"
+        makeFlags = [
+                "PREFIX=${placeholder "out"}"
   ];
 
   NIX_CFLAGS_COMPILE = "-DLSP_NO_EXPERIMENTAL";