Merge pull request #184 from knuton/bump-nixpkgs-2405

Bump nixpkgs to 24.11

Author: knuton

application.nix

@@ -23,6 +23,8 @@ rec {
 
     module = { config, lib, pkgs, ... }:
     let
+      sessionName = "kiosk-browser";
+
       selectDisplay = pkgs.writeShellApplication {
         name = "select-display";
         runtimeInputs = with pkgs; [
@@ -41,6 +43,18 @@ rec {
         ./application/limit-vtes.nix
       ];
 
+      boot.blacklistedKernelModules = [
+        # Blacklist NFC modules conflicting with CCID/PCSC
+        # https://ludovicrousseau.blogspot.com/2013/11/linux-nfc-driver-conflicts-with-ccid.html
+        "pn533_usb"
+        "pn533"
+        "nfc"
+
+        # Disable any USB sound cards to create a closed world where the audio
+        # landscape on the standard devices is completely predictable.
+        "snd_usb_audio"
+      ];
+
       # Kiosk runs as a non-privileged user
       users.users.play = {
         isNormalUser = true;
@@ -64,9 +78,11 @@ rec {
       # System-wide packages
       environment.systemPackages = with pkgs; [ breeze-contrast-cursor-theme ];
 
+      # Avoid bloating system image size
+      services.speechd.enable = false;
+
       # Kiosk session
-      services.xserver = let sessionName = "kiosk-browser";
-      in {
+      services.xserver = {
         enable = true;
 
         desktopManager = {
@@ -103,27 +119,28 @@ rec {
         };
 
         displayManager = {
-          # Always automatically log in play user
           lightdm = {
             enable = true;
             greeter.enable = false;
             autoLogin.timeout = 0;
           };
 
-          autoLogin = {
-            enable = true;
-            user = "play";
-          };
-
-          defaultSession = sessionName;
-
           sessionCommands = ''
             ${pkgs.xorg.xrdb}/bin/xrdb -merge <<EOF
               Xcursor.theme: ${pkgs.breeze-contrast-cursor-theme.themeName}
             EOF
           '';
         };
       };
+      services.displayManager = {
+        # Always automatically log in play user
+        autoLogin = {
+          enable = true;
+          user = "play";
+        };
+
+        defaultSession = sessionName;
+      };
 
       # Firewall configuration
       networking.firewall = {
@@ -166,15 +183,16 @@ rec {
       };
 
       # Audio
-      sound.enable = true;
+      services.pipewire.enable = false;
+
       hardware.pulseaudio = {
         enable = true;
         extraConfig = ''
           # Use HDMI output
           set-card-profile 0 output:hdmi-stereo
           # Respond to changes in connected outputs
           load-module module-switch-on-port-available
-          load-module module-switch-on-connect
+          load-module module-switch-on-connect blacklist=""
         '';
       };
 
@@ -183,8 +201,6 @@ rec {
 
       # Enable pcscd for smart card identification
       services.pcscd.enable = true;
-      # Blacklist NFC modules conflicting with CCID (https://ludovicrousseau.blogspot.com/2013/11/linux-nfc-driver-conflicts-with-ccid.html)
-      boot.blacklistedKernelModules = [ "pn533_usb" "pn533" "nfc" ];
       # Allow play user to access pcsc
       security.polkit.extraConfig = ''
         polkit.addRule(function(action, subject) {

controller/.ocamlformat

@@ -1,4 +1,4 @@
-version = 0.26.1
+version = 0.27.0
 
 profile = ocamlformat
 

controller/bindings/connman/connman.ml

@@ -684,7 +684,8 @@ module Service = struct
         Lwt.fail_with
           (Printf.sprintf
              "Connection failed, unknown error reported by manager: %s\n\
-              DBus connect exception: %s" err (Printexc.to_string exn)
+              DBus connect exception: %s"
+             err (Printexc.to_string exn)
           )
     | Error exn, Some (AgentError err) ->
         Lwt.fail_with

controller/dune-project

@@ -1 +1 @@
-(lang dune 3.11)
+(lang dune 3.16)

kiosk/default.nix

@@ -23,6 +23,7 @@ python3Packages.buildPythonApplication rec {
   nativeBuildInputs = [
     mypy
     qt6.wrapQtAppsHook
+    wrapGAppsHook
   ];
 
   propagatedBuildInputs = with python3Packages; [

kiosk/kiosk_browser/__init__.py

@@ -1,4 +1,5 @@
 import sys
+import os
 import logging
 import signal
 from PyQt6.QtCore import Qt, QUrl
@@ -7,10 +8,22 @@
 
 from kiosk_browser import main_widget
 
+# Workaround for https://bugreports.qt.io/browse/QTBUG-130273 in Qt 6.8.1
+# Should be fixed with QT 6.8.2
+# Note: doing this via env variables rather than passing `--webEngineArgs`,
+# because the env variable overrides the args (and so is easy to break in tests,
+# etc)
+def tempFixAudioIssues():
+    curFlags = os.environ.get('QTWEBENGINE_CHROMIUM_FLAGS', "")
+    os.environ['QTWEBENGINE_CHROMIUM_FLAGS'] = curFlags + " --disable-features=FFmpegAllowLists"
+
+
 def start(kiosk_url, settings_url, toggle_settings_key, fullscreen = True):
 
     logging.basicConfig(level=logging.INFO)
 
+    tempFixAudioIssues()
+
     app = QApplication(sys.argv)
     app.setApplicationName("kiosk-browser")
 

kiosk/kiosk_browser/browser_widget.py

@@ -145,7 +145,7 @@ def _view(self, status):
 
 def user_agent_with_system(user_agent, system_name, system_version):
     """Inject a specific system into a user agent string"""
-    pattern = re.compile('(Mozilla/5.0) \(([^\)]*)\)(.*)')
+    pattern = re.compile(r'(Mozilla/5.0) \(([^\)]*)\)(.*)')
     m = pattern.match(user_agent)
 
     if m == None:

kiosk/kiosk_browser/dialogable_widget.py

@@ -117,7 +117,7 @@ def title_line(
         font-size: 16px;
     """)
 
-    button = QtWidgets.QPushButton("❌", dialog)
+    button = QtWidgets.QPushButton("×", dialog)
     button.setCursor(QtGui.QCursor(QtCore.Qt.CursorShape.PointingHandCursor))
     button.setStyleSheet("""
         QPushButton {

pkgs/default.nix

@@ -3,9 +3,9 @@
 let
 
   nixpkgs = builtins.fetchTarball {
-    # nixos-23.11 2024-03-18
-    url = "https://github.com/nixos/nixpkgs/archive/614b4613980a522ba49f0d194531beddbb7220d3.tar.gz";
-    sha256 = "1kipdjdjcd1brm5a9lzlhffrgyid0byaqwfnpzlmw3q825z7nj6w";
+    # release-24.11 2025-02-10
+    url = "https://github.com/NixOS/nixpkgs/archive/edd84e9bffdf1c0ceba05c0d868356f28a1eb7de.tar.gz";
+    sha256 = "1gb61gahkq74hqiw8kbr9j0qwf2wlwnsvhb7z68zhm8wa27grqr0";
   };
 
   overlay =
@@ -15,7 +15,7 @@ let
 
       rauc = (import ./rauc) super;
 
-      ocamlPackages = super.ocamlPackages.overrideScope' (self: super: {
+      ocamlPackages = super.ocamlPackages.overrideScope (self: super: {
         semver = self.callPackage ./ocaml-modules/semver {};
         obus = self.callPackage ./ocaml-modules/obus {};
         opium = self.callPackage ./ocaml-modules/opium {};
@@ -25,14 +25,6 @@ let
             ./ocaml-modules/ppx_protocol_conv_jsonm {};
       });
 
-      # fixes getExe warning, used in tests
-      # Should be obsolete after upgrading to nixpkgs 24.05: https://github.com/NixOS/nixpkgs/pull/273952
-      tinyproxy = super.tinyproxy.overrideAttrs (_: prev: {
-        meta = prev.meta // {
-          mainProgram = "tinyproxy";
-        };
-      });
-
     };
 
 in

testing/end-to-end/profile.nix

@@ -6,8 +6,8 @@
     ];
 
     config = {
-        # don't need opengl for running tests, reduces image size vastly
-        hardware.opengl.enable = false;
+        # disable hardware-accelerated graphics, reduces image size vastly
+        hardware.graphics.enable = false;
 
         # test-instrumentation.nix sets this in the boot as kernel param,
         # but since we are booting with a custom GRUB config it has no effect,

testing/end-to-end/tests/application/kiosk-persistence-helpers.py

@@ -4,6 +4,7 @@
 import asyncio
 import pyppeteer # type: ignore
 import tempfile
+import atexit
 
 # Forward external `port` to 127.0.0.1:port and add firewall exception to allow
 # external access to internal services in PlayOS
@@ -46,9 +47,10 @@ async def retry_until_no_exception(func, retries=3, sleep=3.0):
 # due to nix sandboxing, network access is isolated, so
 # we run a minimal HTTP server for opening in the kiosk
 def run_stub_server(port):
-    d = tempfile.TemporaryDirectory()
+    d = tempfile.TemporaryDirectory(delete=False)
+    atexit.register(d.cleanup)
     with open(f"{d.name}/index.html", "w") as f:
-        f.write("Hello world")
+        f.write("Hello world\n")
 
     class Handler(http.server.SimpleHTTPRequestHandler):
         def __init__(self, *args, **kwargs):

testing/end-to-end/tests/application/kiosk-persistence.nix

@@ -152,11 +152,11 @@ with TestPrecondition("PlayOS is booted, controller is running"):
     playos.wait_for_unit('playos-controller.service')
 
 with TestPrecondition("VM can reach HTTP stub server"):
-    playos.succeed("curl --fail '${kioskUrl}'")
+    playos.succeed("curl --fail '${kioskUrl}'", timeout=3)
 
 with TestCase("xserver and kiosk are running"):
     playos.wait_for_x()
-    playos.succeed("pgrep -f kiosk-browser > /dev/null")
+    playos.succeed("pgrep --full kiosk-browser > /dev/null")
 
 with TestCase("Kiosk's debug port open, web storage is persisted") as t:
     page = aio.run(connect_and_get_kiosk_page())

testing/integration/controller-system-buttons.nix

@@ -64,13 +64,17 @@ pkgs.testers.runNixOSTest {
         # produces the reboot/shutdown log messages used in `wait_for_console_text`
         playos.wait_for_unit("systemd-logind.service")
 
+    # Executes curl without waiting for it to complete or return an exit status.
+    # This avoids issues with test-driver choking on non-decodable output.
+    def curl_POST_ignore_output(url):
+        playos.execute(f"curl -X POST {url} >&2", check_output = False)
 
     playos.start(allow_reboot=True)
     wait_for_http()
 
     # ===== Reboot works
     with subtest("Reboot works"):
-        playos.succeed("curl -X POST http://localhost:3333/system/reboot >&2")
+        curl_POST_ignore_output("http://localhost:3333/system/reboot")
         playos.wait_for_console_text("systemd.*The system will reboot now!")
 
     manual_restart()
@@ -84,7 +88,7 @@ pkgs.testers.runNixOSTest {
                 --property ActiveState \
                 playos-wipe-persistent-data.service | grep 'ActiveState=inactive'
         """)
-        playos.succeed("curl -X POST http://localhost:3333/system/factory-reset >&2")
+        curl_POST_ignore_output("http://localhost:3333/system/factory-reset")
         playos.wait_for_console_text("systemd.*Starting playos-wipe-persistent-data.service.")
         playos.wait_for_console_text("systemd.*The system will reboot now!")
 
@@ -93,15 +97,15 @@ pkgs.testers.runNixOSTest {
     # ===== Switch slot works
 
     with subtest("Switch slot works"):
-        playos.succeed("curl -X POST http://localhost:3333/system/switch/system.b >&2")
+        curl_POST_ignore_output("http://localhost:3333/system/switch/system.b")
         playos.wait_for_console_text("rauc mark: activated slot system.b")
         playos.wait_for_console_text("systemd.*The system will reboot now!")
 
     manual_restart()
 
     # ===== Shutdown works
     with subtest("Shutdown works"):
-        playos.succeed("curl -X POST http://localhost:3333/system/shutdown >&2")
+        curl_POST_ignore_output("http://localhost:3333/system/shutdown")
         playos.wait_for_console_text("systemd.*System is powering down.")
         playos.crash() # avoids "Broken pipe" test failure
   '';

testing/integration/controller-wifi.nix

@@ -48,8 +48,6 @@ pkgs.testers.runNixOSTest {
         services.connman.networkInterfaceBlacklist =
             allSimulatedAPInterfaces;
 
-        systemd.services."connman".after = [ "hostapd.service" ];
-
         # allow accesing controller GUI from the test runner
         networking.firewall.enable = mkForce false;
         virtualisation.forwardPorts = [
@@ -99,12 +97,17 @@ pkgs.testers.runNixOSTest {
         # enable 802.11 simulation
         boot.kernelModules = [ "mac80211_hwsim" ];
 
+        systemd.services.hostapd = {
+            preStart = "${pkgs.util-linux}/bin/rfkill unblock all";
+        };
+
         # wireless access points
         services.hostapd = {
           enable = true;
           # note: do not change this to wlan1 or other id, weird failures appear
           radios.wlan0 = {
             band = "2g";
+            channel = 7;
             countryCode = "US";
             networks = {
               wlan0 = {
@@ -196,7 +199,7 @@ def wait_for_http():
     playos.wait_for_unit("playos-controller.service")
     playos.wait_until_succeeds("curl --fail http://localhost:3333/")
 
-def service_req(service, endpoint, data=None, timeout=15):
+def service_req(service, endpoint, data=None, timeout=30):
     headers = {'Accept': 'application/json'}
     return requests.post(
         "http://localhost:13333/network/{id}/{endpoint}".format(