authorgithub-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>2021-08-09 18:02:45 +0000
committerGitHub <noreply@github.com>2021-08-09 18:02:45 +0000
commitaf54073773b3e0f9a07b265c944e61e1c304ab03 (patch)
tree261a9dbdf1bf1f1f2a6877d23db291943b204962
parentMerge staging-next-21.05 into staging-21.05 (diff)
parentMerge release-21.05 into staging-next-21.05 (diff)
downloadnixpkgs-af54073773b3e0f9a07b265c944e61e1c304ab03.tar.gz
Merge staging-next-21.05 into staging-21.05
-rw-r--r--nixos/modules/security/acme.nix16
-rw-r--r--nixos/tests/acme.nix24
-rw-r--r--pkgs/applications/networking/cluster/nomad-autoscaler/default.nix112
-rw-r--r--pkgs/development/libraries/wolfssl/default.nix15
-rw-r--r--pkgs/tools/security/tor/default.nix4
-rw-r--r--pkgs/top-level/all-packages.nix2
6 files changed, 157 insertions, 16 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index c0250171109f..22bf34198a30 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -46,6 +46,7 @@ let
serviceConfig = commonServiceConfig // {
StateDirectory = "acme/.minica";
BindPaths = "/var/lib/acme/.minica:/tmp/ca";
+ UMask = 0077;
};
# Working directory will be /tmp
@@ -54,8 +55,6 @@ let
--ca-key ca/key.pem \
--ca-cert ca/cert.pem \
--domains selfsigned.local
-
- chmod 600 ca/*
'';
};
@@ -196,6 +195,7 @@ let
serviceConfig = commonServiceConfig // {
Group = data.group;
+ UMask = 0027;
StateDirectory = "acme/${cert}";
@@ -220,10 +220,12 @@ let
cat cert.pem chain.pem > fullchain.pem
cat key.pem fullchain.pem > full.pem
- chmod 640 *
-
# Group might change between runs, re-apply it
chown 'acme:${data.group}' *
+
+ # Default permissions make the files unreadable by group + anon
+ # Need to be readable by group
+ chmod 640 *
'';
};
@@ -340,8 +342,6 @@ let
fi
mv domainhash.txt certificates/
- chmod 640 certificates/*
- chmod -R u=rwX,g=,o= accounts/*
# Group might change between runs, re-apply it
chown 'acme:${data.group}' certificates/*
@@ -357,6 +357,10 @@ let
ln -sf fullchain.pem out/cert.pem
cat out/key.pem out/fullchain.pem > out/full.pem
fi
+
+ # By default group will have no access to the cert files.
+ # This chmod will fix that.
+ chmod 640 out/*
'';
};
};
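Review bot: The two new settings `UMask = 0077;` and `UMask = 0027;` are Nix integer literals, and Nix has no octal notation, so they evaluate to the decimals 77 and 27 and reach the unit file as `UMask=77` / `UMask=27`; as far as I can tell this only works because systemd parses UMask= as an octal string, which is easy to mis-read when the leading zero is the whole point. A string keeps both the zero and the intent, `UMask = "0077";` and `UMask = "0027";`, or at minimum a comment beside each, `# Nix has no octal literals: the leading 0 is dropped, systemd reads UMask= as octal`. Since the second hunk drops `chmod 600 ca/*` and the fourth drops `chmod 640 certificates/*` in reliance on these masks, that comment is where a future reader will look first. The enclosing service definitions start and end outside these hunks.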
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index fe8c4af3ea21..6532fc4ac1d4 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -330,30 +330,38 @@ in import ./make-test-python.nix ({ lib, ... }: {
with subtest("Can request certificate with HTTPS-01 challenge"):
webserver.wait_for_unit("acme-finished-a.example.test.target")
- check_fullchain(webserver, "a.example.test")
- check_issuer(webserver, "a.example.test", "pebble")
- check_connection(client, "a.example.test")
with subtest("Certificates and accounts have safe + valid permissions"):
group = "${nodes.webserver.config.security.acme.certs."a.example.test".group}"
webserver.succeed(
- f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"
+ f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"
)
webserver.succeed(
- f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/.lego/a.example.test/**/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"
+ f"test $(stat -L -c '%a %U %G' /var/lib/acme/.lego/a.example.test/**/a.example.test* | tee /dev/stderr | grep '600 acme {group}' | wc -l) -eq 4"
)
webserver.succeed(
- f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1"
+ f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1"
)
webserver.succeed(
- f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c \"%a %U %G\" {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0"
+ f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c '%a %U %G' {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0"
)
+ with subtest("Certs are accepted by web server"):
+ webserver.succeed("systemctl start nginx.service")
+ check_fullchain(webserver, "a.example.test")
+ check_issuer(webserver, "a.example.test", "pebble")
+ check_connection(client, "a.example.test")
+
+ # Selfsigned certs tests happen late so we aren't fighting the system init triggering cert renewal
with subtest("Can generate valid selfsigned certs"):
webserver.succeed("systemctl clean acme-a.example.test.service --what=state")
webserver.succeed("systemctl start acme-selfsigned-a.example.test.service")
check_fullchain(webserver, "a.example.test")
check_issuer(webserver, "a.example.test", "minica")
+ # Check selfsigned permissions
+ webserver.succeed(
+ f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"
+ )
# Will succeed if nginx can load the certs
webserver.succeed("systemctl start nginx-config-reload.service")
@@ -376,6 +384,8 @@ in import ./make-test-python.nix ({ lib, ... }: {
webserver.wait_for_unit("acme-finished-a.example.test.target")
check_connection_key_bits(client, "a.example.test", "384")
webserver.succeed("grep testing /var/lib/acme/a.example.test/test")
+ # Clean to remove the testing file (and anything else messy we did)
+ webserver.succeed("systemctl clean acme-a.example.test.service --what=state")
with subtest("Correctly implements OCSP stapling"):
switch_to(webserver, "ocsp-stapling")
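Review bot: The new lego-state check uses the glob `/var/lib/acme/.lego/a.example.test/**/a.example.test*`, and in bash `**` is just another `*` unless `shopt -s globstar` is on (it is off by default), so the pattern matches exactly one directory level and the expected count of 4 is tied to the current layout of that directory rather than to "every key/cert file is 0600". The accounts check two lines below already uses the robust form, `find ... -type f -exec stat -L -c '%a %U %G' {{}} \\;` with `grep -v '600 acme {group}' | wc -l) -eq 0`, and the same shape would work here, e.g. `find /var/lib/acme/.lego/a.example.test -type f -name 'a.example.test*' -exec stat -L -c '%a %U %G' {{}} \\;` piped to that grep. If the one-level glob is intentional, a comment such as `# lego keeps the account key and cert one level deep; ** here is not globstar` would stop the next reader from "fixing" it. The enclosing test script starts and ends outside this hunk.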
diff --git a/pkgs/applications/networking/cluster/nomad-autoscaler/default.nix b/pkgs/applications/networking/cluster/nomad-autoscaler/default.nix
new file mode 100644
index 000000000000..702bf19d5795
--- /dev/null
+++ b/pkgs/applications/networking/cluster/nomad-autoscaler/default.nix
@@ -0,0 +1,112 @@
+{ lib, fetchFromGitHub, buildGoModule, go, removeReferencesTo, buildEnv }:
+
+let
+ package = buildGoModule rec {
+ pname = "nomad-autoscaler";
+ version = "0.3.3";
+
+ outputs = [
+ "out"
+ "bin"
+ "aws_asg"
+ "azure_vmss"
+ "datadog"
+ "fixed_value"
+ "gce_mig"
+ "nomad_apm"
+ "nomad_target"
+ "pass_through"
+ "prometheus"
+ "target_value"
+ "threshold"
+ ];
+
+ src = fetchFromGitHub {
+ owner = "hashicorp";
+ repo = "nomad-autoscaler";
+ rev = "v${version}";
+ sha256 = "sha256-bN/U6aCf33B88ouQwTGG8CqARzWmIvXNr5JPr3l8cVI=";
+ };
+
+ vendorSha256 = "sha256-Ls8gkfLyxfQD8krvxjAPnZhf1r1s2MhtQfMMfp8hJII=";
+
+ subPackages = [ "." ];
+
+ nativeBuildInputs = [ removeReferencesTo ];
+
+ # buildGoModule overrides normal buildPhase, can't use makeTargets
+ postBuild = ''
+ make build plugins
+ '';
+
+ # tries to pull tests from network, and fails silently anyway
+ doCheck = false;
+
+ postInstall = ''
+ mkdir -p $bin/bin
+ mv $out/bin/nomad-autoscaler $bin/bin/nomad-autoscaler
+ ln -s $bin/bin/nomad-autoscaler $out/bin/nomad-autoscaler
+
+ for d in $outputs; do
+ mkdir -p ''${!d}/share
+ done
+ rmdir $bin/share
+
+ # have out contain all of the plugins
+ for plugin in bin/plugins/*; do
+ remove-references-to -t ${go} "$plugin"
+ cp "$plugin" $out/share/
+ done
+
+ # populate the outputs as individual plugins
+ # can't think of a more generic way to handle this
+ # bash doesn't allow for dashes '-' to be in a variable name
+ # this means that the output names will need to differ slightly from the binary
+ mv bin/plugins/aws-asg $aws_asg/share/
+ mv bin/plugins/azure-vmss $azure_vmss/share/
+ mv bin/plugins/datadog $datadog/share/
+ mv bin/plugins/fixed-value $fixed_value/share/
+ mv bin/plugins/gce-mig $gce_mig/share/
+ mv bin/plugins/nomad-apm $nomad_apm/share/
+ mv bin/plugins/nomad-target $nomad_target/share/
+ mv bin/plugins/pass-through $pass_through/share/
+ mv bin/plugins/prometheus $prometheus/share/
+ mv bin/plugins/target-value $target_value/share/
+ mv bin/plugins/threshold $threshold/share/
+ '';
+
+ # make toggle-able, so that overrided versions can disable this check if
+ # they want newer versions of the plugins without having to modify
+ # the output logic
+ doInstallCheck = true;
+ installCheckPhase = ''
+ rmdir bin/plugins || {
+ echo "Not all plugins were extracted"
+ echo "Please move the following to their related output: $(ls bin/plugins)"
+ exit 1
+ }
+ '';
+
+ passthru = {
+ inherit plugins withPlugins;
+ };
+
+ meta = with lib; {
+ description = "Autoscaling daemon for Nomad";
+ homepage = "https://github.com/hashicorp/nomad-autoscaler";
+ license = licenses.mpl20;
+ maintainers = with maintainers; [ jonringer ];
+ };
+ };
+
+ plugins = let
+ plugins = builtins.filter (n: !(lib.elem n [ "out" "bin" ])) package.outputs;
+ in lib.genAttrs plugins (output: package.${output});
+
+ # Intended to be used as: (nomad-autoscaler.withPlugins (ps: [ ps.aws_asg ps.nomad_target ])
+ withPlugins = f: buildEnv {
+ name = "nomad-autoscaler-env";
+ paths = [ package.bin ] ++ f plugins;
+ };
+in
+ package
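Review bot: The per-plugin `mv bin/plugins/... $.../share/` list in postInstall duplicates the `outputs` list by hand, so adding a plugin means editing three places (outputs, the mv list, and the expected count of leftovers in installCheckPhase), while the comment at the top of that list already states the only real obstacle, that bash forbids `-` in variable names. Since the copy loop above it already iterates `bin/plugins/*`, the same loop can map each basename to its output with a dash-to-underscore substitution and an indirect expansion, as `''${!d}` is already used a few lines earlier; plugins with no matching output are left in place so installCheckPhase still reports them. This is a style point only, the observed result should be the same.

```nix
      # have out contain all of the plugins, then move each plugin into the
      # output of the same name (bash forbids '-' in variable names, hence the
      # dash-to-underscore mapping); anything without a matching output stays
      # in bin/plugins so installCheckPhase reports it
      for plugin in bin/plugins/*; do
        remove-references-to -t ${go} "$plugin"
        cp "$plugin" $out/share/
        name=$(basename "$plugin")
        output=''${name//-/_}
        if [ -z "''${!output:-}" ]; then continue; fi
        mv "$plugin" "''${!output}/share/"
      done
      # … unchanged: installCheckPhase, passthru, meta …
```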
diff --git a/pkgs/development/libraries/wolfssl/default.nix b/pkgs/development/libraries/wolfssl/default.nix
index 4635a80152de..9f8c2b3f2908 100644
--- a/pkgs/development/libraries/wolfssl/default.nix
+++ b/pkgs/development/libraries/wolfssl/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook }:
stdenv.mkDerivation rec {
pname = "wolfssl";
@@ -11,6 +11,19 @@ stdenv.mkDerivation rec {
sha256 = "1aa51j0xnhi49izc8djya68l70jkjv25559pgybfb9sa4fa4gz97";
};
+ patches = [
+ (fetchpatch {
+ name = "CVE-2021-37155.part-1.patch";
+ url = "https://github.com/wolfSSL/wolfssl/commit/73076940af8904f98eee085994c176fe1876b95a.patch";
+ sha256 = "1fdg6c49njhxn6yljpqrhrv2s6ci6hyw01xjs42s09ly3xvf2fcx";
+ })
+ (fetchpatch {
+ name = "CVE-2021-37155.part-2.patch";
+ url = "https://github.com/wolfSSL/wolfssl/commit/822aa92fccf77558e250131c1c6e9bb84d07afe8.patch";
+ sha256 = "1n7774hy9ybbxmg8dldqnhw279k7fkxwvw1s2mjjhkzra9w5x2zy";
+ })
+ ];
+
# almost same as Debian but for now using --enable-all --enable-reproducible-build instead of --enable-distro to ensure options.h gets installed
configureFlags = [ "--enable-all" "--enable-reproducible-build" "--enable-pkcs11" "--enable-tls13" "--enable-base64encode" ];
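Review bot: The new `patches` list carries the CVE id only in the fetchpatch `name` fields, with nothing saying why the fix is backported rather than taken by upgrading, or when the patches can go away, which is what the next person bumping this package needs to know. A short comment above the list would do, e.g. `# Backported fixes for CVE-2021-37155 (upstream commits 7307694 and 822aa92); drop once the package moves to a release that already contains them`. The pinned source `sha256` two lines above is unchanged, so the upgrade path is still open. The enclosing mkDerivation starts and ends outside this hunk.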
diff --git a/pkgs/tools/security/tor/default.nix b/pkgs/tools/security/tor/default.nix
index 2e1e1ae2a67b..f2ad0d4ba962 100644
--- a/pkgs/tools/security/tor/default.nix
+++ b/pkgs/tools/security/tor/default.nix
@@ -30,11 +30,11 @@ let
in
stdenv.mkDerivation rec {
pname = "tor";
- version = "0.4.5.7";
+ version = "0.4.5.9";
src = fetchurl {
url = "https://dist.torproject.org/${pname}-${version}.tar.gz";
- sha256 = "0x7hhl0svfc4yh9xvq7kkzgmwjcw1ak9i0794wjg4biy2fmclzs4";
+ sha256 = "0mh8yz6l7sl6kh9max76nk6rhlsq2lhwwvpiwlwnrlif21bf817k";
};
outputs = [ "out" "geoip" ];
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index fc7281674075..3c3580b4b569 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -7130,6 +7130,8 @@ in
nvidiaGpuSupport = config.cudaSupport or false;
};
+ nomad-autoscaler = callPackage ../applications/networking/cluster/nomad-autoscaler { };
+
nomad-driver-podman = callPackage ../applications/networking/cluster/nomad-driver-podman { };
notable = callPackage ../applications/misc/notable { };