From 70b31373b4b4c5673e36f1bb6fe88045304d705f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 7 Jun 2022 13:37:11 +0200
Subject: [PATCH 01/18] tt-rss: downgrade to php 8.0

---
 nixos/modules/services/web-apps/tt-rss.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix
index 9aa38ab25c9a..c441a2a7764e 100644
--- a/nixos/modules/services/web-apps/tt-rss.nix
+++ b/nixos/modules/services/web-apps/tt-rss.nix
@@ -534,6 +534,7 @@ let
     services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
       ${poolName} = {
         inherit (cfg) user;
+        phpPackage = pkgs.php80;
         settings = mapAttrs (name: mkDefault) {
           "listen.owner" = "nginx";
           "listen.group" = "nginx";

From 6be823dd77ecd67bc335c272b6892bb5d7e24d7b Mon Sep 17 00:00:00 2001
From: Mauricio Collares
Date: Sat, 11 Jun 2022 17:41:36 +0200
Subject: [PATCH 02/18] youtube-dl: fallback to throttled downloads instead of aborting

---
 pkgs/tools/misc/youtube-dl/default.nix | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/pkgs/tools/misc/youtube-dl/default.nix b/pkgs/tools/misc/youtube-dl/default.nix
index faf4b558ad64..4d907094653b 100644
--- a/pkgs/tools/misc/youtube-dl/default.nix
+++ b/pkgs/tools/misc/youtube-dl/default.nix
@@ -25,8 +25,8 @@ buildPythonPackage rec {
   };
 
   patches = [
-    # Fixes throttling on youtube.com. Without the patch downloads are capped at
-    # about 80KiB/s. See, e.g.,
+    # Fixes throttling on youtube.com by decoding a "n-parameter". Without the patch
+    # downloads are capped at about 80KiB/s. See, e.g.,
     #
     # https://github.com/ytdl-org/youtube-dl/issues/29326
     #
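Review bot: `phpPackage = pkgs.php80;` pins the tt-rss pool to an older PHP branch without a comment, and the commit message only says "downgrade", so the next maintainer cannot tell what breaks on the default php or when the pin can be lifted; a one-liner such as `# tt-rss needs php 8.0: <reason>; drop once upstream works with the default php` would record that. The surrounding `settings` attributes are wrapped in `mkDefault` so that users can override them, whereas this new attribute is a hard assignment; `phpPackage = mkDefault pkgs.php80;` keeps the pool overridable without `mkForce`. Holding a web-facing service on an older PHP line also means it only receives fixes for as long as nixpkgs carries `php80`, which is worth stating in the same comment so the pin gets revisited. The `services.phpfpm.pools` expression continues past the hunk.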
@@ -37,6 +37,20 @@ buildPythonPackage rec {
       url = "https://github.com/ytdl-org/youtube-dl/compare/57044eacebc6f2f3cd83c345e1b6e659a22e4773...1e677567cd083d43f55daef0cc74e5fa24575ae3.diff";
       sha256 = "11s0j3w60r75xx20p0x2j3yc4d3yvz99r0572si8b5qd93lqs4pr";
     })
+    # The above patch may fail to decode the n-parameter (if, say, YouTube is updated). Failure to decode
+    # it blocks the download instead of falling back to the throttled version. The patch below implements
+    # better fallback behaviour.
+    (fetchpatch {
+      name = "avoid-crashing-if-nsig-decode-fails.patch";
+      url = "https://github.com/ytdl-org/youtube-dl/commit/41f0043983c831b7c0c3614340d2f66ec153087b.diff";
+      sha256 = "sha256-a72gWhBXCLjuBBD36PpZ5F/AHBdiBv4W8Wf9g4P/aBY=";
+    })
+    # YouTube changed the n-parameter format in April 2022, so decoder updates are required.
+    (fetchpatch {
+      name = "fix-n-descrambling.patch";
+      url = "https://github.com/ytdl-org/youtube-dl/commit/a0068bd6bec16008bda7a39caecccbf84881c603.diff";
+      sha256 = "sha256-tSuEns4jputa2nOOo6JsFXpK3hvJ/+z1/ymcLsd3A6w=";
+    })
   ];
 
   nativeBuildInputs = [ installShellFiles makeWrapper ];

From 5e52fdf6f6751c0fc3a2bebe2adb0296f18fbcfd Mon Sep 17 00:00:00 2001
From: Francesco Gazzetta
Date: Tue, 14 Jun 2022 22:23:50 +0200
Subject: [PATCH 03/18] vengi-tools: 0.0.18 -> 0.0.20

---
 nixos/tests/vengi-tools.nix | 2 +-
 pkgs/applications/graphics/vengi-tools/default.nix | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/nixos/tests/vengi-tools.nix b/nixos/tests/vengi-tools.nix
index 8b80a13384e5..5bc8d72c7723 100644
--- a/nixos/tests/vengi-tools.nix
+++ b/nixos/tests/vengi-tools.nix
@@ -23,7 +23,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
       # OCR on voxedit's window is very expensive, so we avoid wasting a try
       # by letting the window load fully first
       machine.sleep(15)
-      machine.wait_for_text("Palette")
+      machine.wait_for_text("Solid")
       machine.screenshot("screen")
     '';
   })
diff --git a/pkgs/applications/graphics/vengi-tools/default.nix b/pkgs/applications/graphics/vengi-tools/default.nix
index eb5033a4a97c..fb44d36f62a6 100644
--- a/pkgs/applications/graphics/vengi-tools/default.nix
+++ b/pkgs/applications/graphics/vengi-tools/default.nix
@@ -29,13 +29,13 @@
 
 stdenv.mkDerivation rec {
   pname = "vengi-tools";
-  version = "0.0.18";
+  version = "0.0.20";
 
   src = fetchFromGitHub {
     owner = "mgerhardy";
     repo = "vengi";
     rev = "v${version}";
-    sha256 = "sha256-Ur1X5FhOa87jbjWBXievBfCHW+qP/8bqLiyKAC8+KU4=";
+    sha256 = "sha256-WsG6mjO90QQNsAarxdupZvXubdy06JjQmVYUzygl8l4=";
   };
 
   nativeBuildInputs = [

From 8d8c50ba2f86751e3c96cec356a3428563c27237 Mon Sep 17 00:00:00 2001
From: superherointj <5861043+superherointj@users.noreply.github.com>
Date: Mon, 20 Jun 2022 14:44:38 -0300
Subject: [PATCH 04/18] coredns: 1.9.2 -> 1.9.3

---
 pkgs/servers/dns/coredns/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/servers/dns/coredns/default.nix b/pkgs/servers/dns/coredns/default.nix
index c93d1235ea82..54965fd998aa 100644
--- a/pkgs/servers/dns/coredns/default.nix
+++ b/pkgs/servers/dns/coredns/default.nix
@@ -6,16 +6,16 @@
 
 buildGoModule rec {
   pname = "coredns";
-  version = "1.9.2";
+  version = "1.9.3";
 
   src = fetchFromGitHub {
     owner = "coredns";
     repo = "coredns";
     rev = "v${version}";
-    sha256 = "sha256-6ABcXRuPEkzhjVZcltPoWGAc+fs6FwmgQCMRuLmhXxo=";
+    sha256 = "sha256-9lRZjY85SD1HXAWVCp8fpzV0d1Y+LbodT3Sp21CNp+k=";
   };
 
-  vendorSha256 = "sha256-0S77748voNlIuY6yUAa669pB09h35THojCyQKUm5VFc=";
+  vendorSha256 = "sha256-gNa+dm7n71IiSCztTO5VZ5FnGTGYfNXo/HMichNzek0=";
 
   postPatch = ''
     substituteInPlace test/file_cname_proxy_test.go \

From ee18cc78cc8d5f7fd06c68ac6834fc81453a04e0 Mon Sep 17 00:00:00 2001
From: Lily Foster
Date: Wed, 22 Jun 2022 09:51:10 -0400
Subject: [PATCH 05/18] clickgen: allow building on Python 3.10+

---
 pkgs/development/python-modules/clickgen/default.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/pkgs/development/python-modules/clickgen/default.nix b/pkgs/development/python-modules/clickgen/default.nix
index b74827d1971d..d0f81a20c6d3 100644
--- a/pkgs/development/python-modules/clickgen/default.nix
+++ b/pkgs/development/python-modules/clickgen/default.nix
@@ -2,7 +2,6 @@
 , stdenv
 , buildPythonPackage
 , pythonOlder
-, pythonAtLeast
 , fetchFromGitHub
 , pillow
 , libX11
@@ -17,7 +16,7 @@ buildPythonPackage rec {
   version = "1.2.0";
   format = "setuptools";
 
-  disabled = pythonOlder "3.8" || pythonAtLeast "3.10";
+  disabled = pythonOlder "3.8";
 
   src = fetchFromGitHub {
     owner = "ful1e5";

From 57e9b1af3fed31b623157e309a7536f206970785 Mon Sep 17 00:00:00 2001
From: Malo Bourgon
Date: Wed, 22 Jun 2022 12:16:24 -0700
Subject: [PATCH 06/18] nodePackages.aws-cdk: add meta.mainProgram

---
 pkgs/development/node-packages/main-programs.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkgs/development/node-packages/main-programs.nix b/pkgs/development/node-packages/main-programs.nix
index b5c710bd8c84..8004f2025a91 100644
--- a/pkgs/development/node-packages/main-programs.nix
+++ b/pkgs/development/node-packages/main-programs.nix
@@ -32,6 +32,7 @@
   "@webassemblyjs/wasm-strip" = "wasm-strip";
   "@webassemblyjs/wasm-text-gen" = "wasmgen";
   "@webassemblyjs/wast-refmt" = "wast-refmt";
+  aws-cdk = "cdk";
   balanceofsatoshis = "bos";
   carbon-now-cli = "carbon-now";
   cdk8s-cli = "cdk8s";

From 19aa5e2d9cdf6460d9fccd7d7cf48c305de2bd10 Mon Sep 17 00:00:00 2001
From: kilianar
Date: Thu, 23 Jun 2022 16:41:11 +0200
Subject: [PATCH 07/18] oh: 0.8.0 -> 0.8.1

https://github.com/michaelmacinnis/oh/releases/tag/v0.8.1
---
 pkgs/shells/oh/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/shells/oh/default.nix b/pkgs/shells/oh/default.nix
index 68f34fe8eb17..e9a09c8c2888 100644
--- a/pkgs/shells/oh/default.nix
+++ b/pkgs/shells/oh/default.nix
@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "oh";
-  version = "0.8.0";
+  version = "0.8.1";
 
   src = fetchFromGitHub {
     owner = "michaelmacinnis";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0sdpk77i5mfamkdqldybl9znzz92hqgi4xvby5j28m0a5gw46kj0";
+    sha256 = "sha256-DMxC5fv5ZLDv7gMajC/eyJd2YpO+OXFdvwAPYotnczw=";
   };
 
-  vendorSha256 = "12vlvh37hvi8c1i9arppm5wj4v9c98s7myxra10q6qpdqssgc8a0";
+  vendorSha256 = "sha256-f4rqXOu6yXUzNsseSaV9pb8c2KXItYOalB5pfH3Acnc=";
 
   meta = with lib; {
     homepage = "https://github.com/michaelmacinnis/oh";

From 955567fba80fa11e06aab378087b911eae212443 Mon Sep 17 00:00:00 2001
From: Varun Madiath
Date: Thu, 23 Jun 2022 17:29:52 -0400
Subject: [PATCH 08/18] {jesec,rakshasa}-rtorrent: allow passthrough of dependency.

Previously it was not possible to access the libtorrent dependency
---
 pkgs/applications/networking/p2p/jesec-rtorrent/default.nix | 4 ++++
 .../applications/networking/p2p/rakshasa-rtorrent/default.nix | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/pkgs/applications/networking/p2p/jesec-rtorrent/default.nix b/pkgs/applications/networking/p2p/jesec-rtorrent/default.nix
index a760a0f96c35..df314b6591c2 100644
--- a/pkgs/applications/networking/p2p/jesec-rtorrent/default.nix
+++ b/pkgs/applications/networking/p2p/jesec-rtorrent/default.nix
@@ -21,6 +21,10 @@ stdenv.mkDerivation rec {
     hash = "sha256-i7c1jSawHshj1kaXl8tdpelIKU24okeg9K5/+ht6t2k=";
   };
 
+  passthru = {
+    inherit libtorrent;
+  };
+
   nativeBuildInputs = [
     cmake
   ];
diff --git a/pkgs/applications/networking/p2p/rakshasa-rtorrent/default.nix b/pkgs/applications/networking/p2p/rakshasa-rtorrent/default.nix
index f166f6d0e29f..fa459137f199 100644
--- a/pkgs/applications/networking/p2p/rakshasa-rtorrent/default.nix
+++ b/pkgs/applications/networking/p2p/rakshasa-rtorrent/default.nix
@@ -27,6 +27,10 @@ stdenv.mkDerivation rec {
     hash = "sha256-HTwAs8dfZVXfLRNiT6QpjKGnuahHfoMfYWqdKkedUL0=";
   };
 
+  passthru = {
+    inherit libtorrent;
+  };
+
   nativeBuildInputs = [
     autoconf-archive
     autoreconfHook

From 203b454fc19b83e5e7ebe35185d2d23430341c8a Mon Sep 17 00:00:00 2001
From: wyndon
Date: Fri, 24 Jun 2022 16:21:54 +0200
Subject: [PATCH 09/18] httm: 0.11.6 -> 0.12.1

---
 pkgs/tools/filesystems/httm/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/tools/filesystems/httm/default.nix b/pkgs/tools/filesystems/httm/default.nix
index f4cfdc46e9b4..c68e692ed2d1 100644
--- a/pkgs/tools/filesystems/httm/default.nix
+++ b/pkgs/tools/filesystems/httm/default.nix
@@ -6,16 +6,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "httm";
-  version = "0.11.6";
+  version = "0.12.1";
 
   src = fetchFromGitHub {
     owner = "kimono-koans";
     repo = pname;
     rev = version;
-    sha256 = "5jeCENAas7i/eBySSBjwmdc3MEHVhWWH7/RZGS8g1Y4=";
+    sha256 = "2pShuWJns8VnxiRgj5GLv5Y7H5Qw/SfQ6lVo6VqyU/A=";
   };
 
-  cargoSha256 = "x4qfi3Wm5r0HNqDgmJBXNvS1xQDU7MQ/H2+zNpHon+s=";
+  cargoSha256 = "x5JUwQxrZ5TBG8FAMlomTkZOCxV0c/7i5sx33BCUkKo=";
 
   nativeBuildInputs = [ installShellFiles ];
 

From 5771e8fcddc1c71703a62abbdbb6536488d6aa32 Mon Sep 17 00:00:00 2001
From: midchildan
Date: Fri, 24 Jun 2022 10:10:36 +0900
Subject: [PATCH 10/18] tmux: fix static build

---
 pkgs/tools/misc/tmux/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/tools/misc/tmux/default.nix b/pkgs/tools/misc/tmux/default.nix
index fd4361d27678..44cbe713f096 100644
--- a/pkgs/tools/misc/tmux/default.nix
+++ b/pkgs/tools/misc/tmux/default.nix
@@ -6,7 +6,7 @@
 , libevent
 , ncurses
 , pkg-config
-, systemd
+, withSystemd ? stdenv.isLinux && !stdenv.hostPlatform.isStatic, systemd
 , utf8proc
 }:
 
@@ -43,13 +43,13 @@ stdenv.mkDerivation rec {
   buildInputs = [
     ncurses
     libevent
-  ] ++ lib.optionals stdenv.isLinux [ systemd ]
+  ] ++ lib.optionals withSystemd [ systemd ]
   ++ lib.optionals stdenv.isDarwin [ utf8proc ];
 
   configureFlags = [
     "--sysconfdir=/etc"
     "--localstatedir=/var"
-  ] ++ lib.optionals stdenv.isLinux [ "--enable-systemd" ]
+  ] ++ lib.optionals withSystemd [ "--enable-systemd" ]
   ++ lib.optionals stdenv.isDarwin [ "--enable-utf8proc" ];
 
   enableParallelBuilding = true;

From 2c135ab9c995df38c3a8e692c167469a1b705286 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Fri, 24 Jun 2022 19:32:01 +0200
Subject: [PATCH 11/18] python310Packages.junos-eznc: update homepage

---
 pkgs/development/python-modules/junos-eznc/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/development/python-modules/junos-eznc/default.nix b/pkgs/development/python-modules/junos-eznc/default.nix
index d693c73130be..9830d29789b5 100644
--- a/pkgs/development/python-modules/junos-eznc/default.nix
+++ b/pkgs/development/python-modules/junos-eznc/default.nix
@@ -77,7 +77,7 @@ buildPythonPackage rec {
   pythonImportsCheck = [ "jnpr.junos" ];
 
   meta = with lib; {
-    homepage = "http://www.github.com/Juniper/py-junos-eznc";
+    homepage = "https://github.com/Juniper/py-junos-eznc";
     description = "Junos 'EZ' automation for non-programmers";
     license = licenses.asl20;
     maintainers = with maintainers; [ xnaveira ];

From 8d17794ac9d81282c5aa3d97416efe438b9b5473 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Fri, 24 Jun 2022 19:32:29 +0200
Subject: [PATCH 12/18] python310Packages.napalm: fix dependencies

---
 pkgs/development/python-modules/napalm/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/development/python-modules/napalm/default.nix b/pkgs/development/python-modules/napalm/default.nix
index 09d38875db8e..d7120085d632 100644
--- a/pkgs/development/python-modules/napalm/default.nix
+++ b/pkgs/development/python-modules/napalm/default.nix
@@ -1,7 +1,7 @@
 { lib, buildPythonPackage, fetchFromGitHub, fetchpatch, setuptools, cffi
 , paramiko, requests, future, textfsm, jinja2, netaddr, pyyaml, pyeapi, netmiko
 , junos-eznc, ciscoconfparse, scp, lxml, ncclient, pytestCheckHook, ddt, mock
-, pythonOlder }:
+, pythonOlder, invoke }:
 
 buildPythonPackage rec {
   pname = "napalm";
@@ -35,14 +35,13 @@ buildPythonPackage rec {
       --replace "netmiko>=3.3.0,<4.0.0" "netmiko"
   '';
 
-  buildInputs = [ setuptools ];
-
   propagatedBuildInputs = [
     cffi
     paramiko
     requests
     future
     textfsm
+    invoke
     jinja2
     netaddr
     pyyaml
@@ -51,6 +50,7 @@ buildPythonPackage rec {
     junos-eznc
     ciscoconfparse
     scp
+    setuptools
     lxml
     ncclient
   ];

From 7d2f0049576f4b75274b74ca01c6176d836f198f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Fri, 24 Jun 2022 19:32:36 +0200
Subject: [PATCH 13/18] python310Packages.napalm: move to c3d2 team

---
 pkgs/development/python-modules/napalm/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/development/python-modules/napalm/default.nix b/pkgs/development/python-modules/napalm/default.nix
index d7120085d632..9625c8b55649 100644
--- a/pkgs/development/python-modules/napalm/default.nix
+++ b/pkgs/development/python-modules/napalm/default.nix
@@ -62,6 +62,6 @@ buildPythonPackage rec {
       "Network Automation and Programmability Abstraction Layer with Multivendor support";
     homepage = "https://github.com/napalm-automation/napalm";
     license = licenses.asl20;
-    maintainers = [ maintainers.astro ];
+    maintainers = with maintainers; [ ] ++ teams.c3d2.members;
   };
 }

From cf4ba94f427e8806d9b9ef8d95d48a7341874c2a Mon Sep 17 00:00:00 2001
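Review bot: `maintainers = with maintainers; [ ] ++ teams.c3d2.members;` in the PATCH 13 hunk carries an empty list and a `with maintainers;` that binds nothing, which reads like a leftover of the previous value; `maintainers = teams.c3d2.members;` expresses the same thing. If the empty list is meant as a slot for individual maintainers next to the team, the `with` is still unnecessary until a name is actually placed there. The change also removes `maintainers.astro`; whether that person is covered by the team cannot be seen from here, so it is worth confirming with them before the individual entry goes. The enclosing `meta` attribute set starts before the hunk.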
From: Martin Weinelt
Date: Thu, 27 Jan 2022 01:51:56 +0100
Subject: [PATCH 14/18] schleuder: init at 0.4.2

---
 pkgs/tools/security/schleuder/Gemfile | 3 +
 pkgs/tools/security/schleuder/Gemfile.lock | 85 ++++++
 pkgs/tools/security/schleuder/default.nix | 33 +++
 pkgs/tools/security/schleuder/gemset.nix | 316 +++++++++++++++++++++
 pkgs/top-level/all-packages.nix | 2 +
 5 files changed, 439 insertions(+)
 create mode 100644 pkgs/tools/security/schleuder/Gemfile
 create mode 100644 pkgs/tools/security/schleuder/Gemfile.lock
 create mode 100644 pkgs/tools/security/schleuder/default.nix
 create mode 100644 pkgs/tools/security/schleuder/gemset.nix

diff --git a/pkgs/tools/security/schleuder/Gemfile b/pkgs/tools/security/schleuder/Gemfile
new file mode 100644
index 000000000000..687c293bac91
--- /dev/null
+++ b/pkgs/tools/security/schleuder/Gemfile
@@ -0,0 +1,3 @@
+source 'https://rubygems.org' do
+  gem 'schleuder'
+end
diff --git a/pkgs/tools/security/schleuder/Gemfile.lock b/pkgs/tools/security/schleuder/Gemfile.lock
new file mode 100644
index 000000000000..a5b7312901c2
--- /dev/null
+++ b/pkgs/tools/security/schleuder/Gemfile.lock
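Review bot: `gem 'schleuder'` carries no version constraint, so the version actually built is fixed only by Gemfile.lock and gemset.nix, which in this same commit resolve `schleuder (4.0.2)` while the commit title says `init at 0.4.2`; the title looks like a transposition of the lockfile's version, and the Gemfile gives a reader nothing to check it against. An explicit constraint such as `gem 'schleuder', '~> 4.0'` would document the intended release line and keep the package's `bundlerUpdateScript` from silently crossing a major version when the lock is regenerated. If unconstrained updates are the intent, a one-line comment in the Gemfile saying so settles the same question.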
@@ -0,0 +1,85 @@ +GEM + specs: + +GEM + remote: https://rubygems.org/ + specs: + activemodel (6.1.4.4) + activesupport (= 6.1.4.4) + activerecord (6.1.4.4) + activemodel (= 6.1.4.4) + activesupport (= 6.1.4.4) + activesupport (6.1.4.4) + concurrent-ruby (~> 1.0, >= 1.0.2) + i18n (>= 1.6, < 2) + minitest (>= 5.1) + tzinfo (~> 2.0) + zeitwerk (~> 2.3) + bcrypt (3.1.16) + charlock_holmes (0.7.7) + concurrent-ruby (1.1.9) + daemons (1.4.1) + eventmachine (1.2.7) + gpgme (2.0.20) + mini_portile2 (~> 2.3) + i18n (1.8.11) + concurrent-ruby (~> 1.0) + mail (2.7.1) + mini_mime (>= 0.1.1) + mail-gpg (0.4.4) + gpgme (~> 2.0, >= 2.0.2) + mail (~> 2.5, >= 2.5.3) + mini_mime (1.1.2) + mini_portile2 (2.7.1) + minitest (5.15.0) + multi_json (1.15.0) + mustermann (1.1.1) + ruby2_keywords (~> 0.0.1) + rack (2.2.3) + rack-protection (2.1.0) + rack + rake (13.0.6) + ruby2_keywords (0.0.5) + schleuder (4.0.2) + activerecord (~> 6.1.3) + bcrypt (~> 3.1.2) + charlock_holmes (~> 0.7.6) + gpgme (~> 2.0, >= 2.0.19) + mail (~> 2.7.1) + mail-gpg (~> 0.3) + rake (>= 10.5.0) + sinatra (~> 2) + sinatra-contrib (~> 2) + sqlite3 (~> 1.4.2) + thin (~> 1) + thor (~> 0) + sinatra (2.1.0) + mustermann (~> 1.0) + rack (~> 2.2) + rack-protection (= 2.1.0) + tilt (~> 2.0) + sinatra-contrib (2.1.0) + multi_json + mustermann (~> 1.0) + rack-protection (= 2.1.0) + sinatra (= 2.1.0) + tilt (~> 2.0) + sqlite3 (1.4.2) + thin (1.8.1) + daemons (~> 1.0, >= 1.0.9) + eventmachine (~> 1.0, >= 1.0.4) + rack (>= 1, < 3) + thor (0.20.3) + tilt (2.0.10) + tzinfo (2.0.4) + concurrent-ruby (~> 1.0) + zeitwerk (2.5.3) + +PLATFORMS + x86_64-linux + +DEPENDENCIES + schleuder! + +BUNDLED WITH + 2.2.24 diff --git a/pkgs/tools/security/schleuder/default.nix b/pkgs/tools/security/schleuder/default.nix new file mode 100644 index 000000000000..7fc320a7043c --- /dev/null +++ b/pkgs/tools/security/schleuder/default.nix 
@@ -0,0 +1,33 @@
+{ lib
+, bundlerApp
+, ruby
+, bundlerUpdateScript
+}:
+
+bundlerApp {
+  inherit ruby;
+
+  pname = "schleuder";
+
+  gemdir = ./.;
+
+  exes = [
+    "schleuder"
+    "schleuder-api-daemon"
+  ];
+
+  passthru.updateScript = bundlerUpdateScript "schleuder";
+
+  meta = with lib; {
+    description = "Schleuder is an encrypting mailing list manager with remailing-capabilities";
+    longDescription = ''
+      Schleuder is a group's email-gateway: subscribers can exchange
+      encrypted emails among themselves, receive emails from
+      non-subscribers and send emails to non-subscribers via the list.
+    '';
+    homepage = "https://schleuder.org";
+    changelog = "https://0xacab.org/schleuder/schleuder/blob/main/CHANGELOG.md";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ hexa lheckemann ];
+  };
+}
diff --git a/pkgs/tools/security/schleuder/gemset.nix b/pkgs/tools/security/schleuder/gemset.nix
new file mode 100644
index 000000000000..9bd9cadbb883
--- /dev/null
+++ b/pkgs/tools/security/schleuder/gemset.nix
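Review bot: `description = "Schleuder is an encrypting mailing list manager with remailing-capabilities";` restates the package name, which nixpkgs' meta conventions ask to leave out because the name is already shown next to the description in listings; `description = "Encrypting mailing list manager with remailing-capabilities";` says the same and leaves the full sentence to `longDescription`, which already has it. The `exes` list also exposes `schleuder-api-daemon` without a word about what it is; a comment such as `# schleuder-api-daemon serves the API that schleuder-cli talks to` would orient readers who only know the mailing-list side, since that relationship is otherwise only stated in the schleuder-cli package added later in this series.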
@@ -0,0 +1,316 @@ +{ + activemodel = { + dependencies = ["activesupport"]; + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0g3qdz8dw6zkgz45jd13lwfdnm7rhgczv1pssw63g9k6qj3bkxjm"; + type = "gem"; + }; + version = "6.1.4.4"; + }; + activerecord = { + dependencies = ["activemodel" "activesupport"]; + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "090d4wl1pq06m9mibpck0m5nm8h45fwhs3fjx27297kjmnv4gzik"; + type = "gem"; + }; + version = "6.1.4.4"; + }; + activesupport = { + dependencies = ["concurrent-ruby" "i18n" "minitest" "tzinfo" "zeitwerk"]; + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0rvnz9lsf9mrkpji748sf51f54m027snkw6rm8flyvf7fq18rm98"; + type = "gem"; + }; + version = "6.1.4.4"; + }; + bcrypt = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "02r1c3isfchs5fxivbq99gc3aq4vfyn8snhcy707dal1p8qz12qb"; + type = "gem"; + }; + version = "3.1.16"; + }; + charlock_holmes = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0hybw8jw9ryvz5zrki3gc9r88jqy373m6v46ynxsdzv1ysiyr40p"; + type = "gem"; + }; + version = "0.7.7"; + }; + concurrent-ruby = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0nwad3211p7yv9sda31jmbyw6sdafzmdi2i2niaz6f0wk5nq9h0f"; + type = "gem"; + }; + version = "1.1.9"; + }; + daemons = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "07cszb0zl8mqmwhc8a2yfg36vi6lbgrp4pa5bvmryrpcz9v6viwg"; + type = "gem"; + }; + version = "1.4.1"; + }; + eventmachine = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0wh9aqb0skz80fhfn66lbpr4f86ya2z5rx6gm5xlfhd05bj1ch4r"; + type = "gem"; + }; + version = "1.2.7"; + }; + 
gpgme = { + dependencies = ["mini_portile2"]; + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0xbgh9d8nbvsvyzqnd0mzhz0nr9hx4qn025kmz6d837lry4lc6gw"; + type = "gem"; + }; + version = "2.0.20"; + }; + i18n = { + dependencies = ["concurrent-ruby"]; + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0vdd1kii40qhbr9n8qx71k2gskq6rkl8ygy8hw5hfj8bb5a364xf"; + type = "gem"; + }; + version = "1.8.11"; + }; + mail = { + dependencies = ["mini_mime"]; + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "00wwz6ys0502dpk8xprwcqfwyf3hmnx6lgxaiq6vj43mkx43sapc"; + type = "gem"; + }; + version = "2.7.1"; + }; + mail-gpg = { + dependencies = ["gpgme" "mail"]; + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "1rz936m8nacy7agksvpvkf6b37d1h5qvh5xkrjqvv5wbdqs3cyfj"; + type = "gem"; + }; + version = "0.4.4"; + }; + mini_mime = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0lbim375gw2dk6383qirz13hgdmxlan0vc5da2l072j3qw6fqjm5"; + type = "gem"; + }; + version = "1.1.2"; + }; + mini_portile2 = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0d3ga166pahsxavzwj19yjj4lr13rw1vsb36s2qs8blcxigrdp6z"; + type = "gem"; + }; + version = "2.7.1"; + }; + minitest = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "06xf558gid4w8lwx13jwfdafsch9maz8m0g85wnfymqj63x5nbbd"; + type = "gem"; + }; + version = "5.15.0"; + }; + multi_json = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0pb1g1y3dsiahavspyzkdy39j4q377009f6ix0bh1ag4nqw43l0z"; + type = "gem"; + }; + version = "1.15.0"; + }; + mustermann = { + dependencies = ["ruby2_keywords"]; + groups = ["default"]; + 
platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0ccm54qgshr1lq3pr1dfh7gphkilc19dp63rw6fcx7460pjwy88a"; + type = "gem"; + }; + version = "1.1.1"; + }; + rack = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0i5vs0dph9i5jn8dfc6aqd6njcafmb20rwqngrf759c9cvmyff16"; + type = "gem"; + }; + version = "2.2.3"; + }; + rack-protection = { + dependencies = ["rack"]; + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "159a4j4kragqh0z0z8vrpilpmaisnlz3n7kgiyf16bxkwlb3qlhz"; + type = "gem"; + }; + version = "2.1.0"; + }; + rake = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "15whn7p9nrkxangbs9hh75q585yfn66lv0v2mhj6q6dl6x8bzr2w"; + type = "gem"; + }; + version = "13.0.6"; + }; + ruby2_keywords = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "1vz322p8n39hz3b4a9gkmz9y7a5jaz41zrm2ywf31dvkqm03glgz"; + type = "gem"; + }; + version = "0.0.5"; + }; + schleuder = { + dependencies = ["activerecord" "bcrypt" "charlock_holmes" "gpgme" "mail" "mail-gpg" "rake" "sinatra" "sinatra-contrib" "sqlite3" "thin" "thor"]; + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "15j1rfkfvni82msamikynsg48s50hbsx1pxm3y967caq9s80ll6c"; + type = "gem"; + }; + version = "4.0.2"; + }; + sinatra = { + dependencies = ["mustermann" "rack" "rack-protection" "tilt"]; + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0dd53rzpkxgs697pycbhhgc9vcnxra4ly4xar8ni6aiydx2f88zk"; + type = "gem"; + }; + version = "2.1.0"; + }; + sinatra-contrib = { + dependencies = ["multi_json" "mustermann" "rack-protection" "sinatra" "tilt"]; + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = 
"1rl1iiafz51yzjd0vchl2lni7lmwppjql6cn1fnfxbma707qlcja"; + type = "gem"; + }; + version = "2.1.0"; + }; + sqlite3 = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0lja01cp9xd5m6vmx99zwn4r7s97r1w5cb76gqd8xhbm1wxyzf78"; + type = "gem"; + }; + version = "1.4.2"; + }; + thin = { + dependencies = ["daemons" "eventmachine" "rack"]; + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "123bh7qlv6shk8bg8cjc84ix8bhlfcilwnn3iy6zq3l57yaplm9l"; + type = "gem"; + }; + version = "1.8.1"; + }; + thor = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "1yhrnp9x8qcy5vc7g438amd5j9sw83ih7c30dr6g6slgw9zj3g29"; + type = "gem"; + }; + version = "0.20.3"; + }; + tilt = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0rn8z8hda4h41a64l0zhkiwz2vxw9b1nb70gl37h1dg2k874yrlv"; + type = "gem"; + }; + version = "2.0.10"; + }; + tzinfo = { + dependencies = ["concurrent-ruby"]; + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "10qp5x7f9hvlc0psv9gsfbxg4a7s0485wsbq1kljkxq94in91l4z"; + type = "gem"; + }; + version = "2.0.4"; + }; + zeitwerk = { + groups = ["default"]; + platforms = []; + source = { + remotes = ["https://rubygems.org"]; + sha256 = "0lmg9x683gr9mkrbq9df2m0zb0650mdfxqna0bs10js44inv7znx"; + type = "gem"; + }; + version = "2.5.3"; + }; +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index ed9894e4516b..8e48417a5df7 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5490,6 +5490,8 @@ with pkgs; conf = config.schildichat-web.conf or {}; }; + schleuder = callPackage ../tools/security/schleuder { }; + tealdeer = callPackage ../tools/misc/tealdeer { inherit (darwin.apple_sdk.frameworks) Security; }; 
From 41d5a21d6a2b8dae1ea855cfab00da2f498c2064 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Thu, 27 Jan 2022 01:52:47 +0100
Subject: [PATCH 15/18] schleuder-cli: init 0.1.0

---
 pkgs/tools/security/schleuder/cli/Gemfile | 4 +++
 .../tools/security/schleuder/cli/Gemfile.lock | 21 ++++++++++++
 pkgs/tools/security/schleuder/cli/default.nix | 34 +++++++++++++++++++
 pkgs/tools/security/schleuder/cli/gemset.nix | 25 ++++++++++++++
 pkgs/tools/security/schleuder/default.nix | 1 +
 pkgs/top-level/all-packages.nix | 2 ++
 6 files changed, 87 insertions(+)
 create mode 100644 pkgs/tools/security/schleuder/cli/Gemfile
 create mode 100644 pkgs/tools/security/schleuder/cli/Gemfile.lock
 create mode 100644 pkgs/tools/security/schleuder/cli/default.nix
 create mode 100644 pkgs/tools/security/schleuder/cli/gemset.nix

diff --git a/pkgs/tools/security/schleuder/cli/Gemfile b/pkgs/tools/security/schleuder/cli/Gemfile
new file mode 100644
index 000000000000..428e856aecc6
--- /dev/null
+++ b/pkgs/tools/security/schleuder/cli/Gemfile
@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+gem "schleuder-cli", git: "https://0xacab.org/schleuder/schleuder-cli", tag: "schleuder-cli-0.1.0"
+
diff --git a/pkgs/tools/security/schleuder/cli/Gemfile.lock b/pkgs/tools/security/schleuder/cli/Gemfile.lock
new file mode 100644
index 000000000000..bd47b9df7f9a
--- /dev/null
+++ b/pkgs/tools/security/schleuder/cli/Gemfile.lock
@@ -0,0 +1,21 @@
+GIT
+  remote: https://0xacab.org/schleuder/schleuder-cli
+  revision: 1de2548695d9a74f47b7868954561b48cbc966f9
+  tag: schleuder-cli-0.1.0
+  specs:
+    schleuder-cli (0.1.0)
+      thor (~> 0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    thor (0.20.3)
+
+PLATFORMS
+  x86_64-linux
+
+DEPENDENCIES
+  schleuder-cli!
+
+BUNDLED WITH
+   2.3.6
diff --git a/pkgs/tools/security/schleuder/cli/default.nix b/pkgs/tools/security/schleuder/cli/default.nix
new file mode 100644
index 000000000000..e34afa699f04
--- /dev/null
+++ b/pkgs/tools/security/schleuder/cli/default.nix
@@ -0,0 +1,34 @@
+{ lib
+, bundlerApp
+, ruby
+, bundlerUpdateScript
+}:
+
+bundlerApp {
+  inherit ruby;
+
+  pname = "schleuder-cli";
+
+  gemdir = ./.;
+
+  installManpages = false;
+
+  exes = [
+    "schleuder-cli"
+  ];
+
+  passthru.updateScript = bundlerUpdateScript "schleuder-cli";
+
+  meta = with lib; {
+    description = "A command line tool to create and manage schleuder-lists";
+    longDescription = ''
+      Schleuder-cli enables creating, configuring, and deleting lists,
+      subscriptions, keys, etc. It uses the Schleuder API, provided by
+      schleuder-api-daemon (part of Schleuder).
+    '';
+    homepage = "https://schleuder.org";
+    changelog = "https://0xacab.org/schleuder/schleuder-cli/-/blob/main/CHANGELOG.md";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ hexa ];
+  };
+}
diff --git a/pkgs/tools/security/schleuder/cli/gemset.nix b/pkgs/tools/security/schleuder/cli/gemset.nix
new file mode 100644
index 000000000000..45ff62f89137
--- /dev/null
+++ b/pkgs/tools/security/schleuder/cli/gemset.nix
@@ -0,0 +1,25 @@
+{
+  schleuder-cli = {
+    dependencies = ["thor"];
+    groups = ["default"];
+    platforms = [];
+    source = {
+      fetchSubmodules = false;
+      rev = "1de2548695d9a74f47b7868954561b48cbc966f9";
+      sha256 = "0k4i33w9a0bscw4wbs301vxca367g7pa89y6cr24i0014pbmhs9z";
+      type = "git";
+      url = "https://0xacab.org/schleuder/schleuder-cli";
+    };
+    version = "0.1.0";
+  };
+  thor = {
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "1yhrnp9x8qcy5vc7g438amd5j9sw83ih7c30dr6g6slgw9zj3g29";
+      type = "gem";
+    };
+    version = "0.20.3";
+  };
+}
diff --git a/pkgs/tools/security/schleuder/default.nix b/pkgs/tools/security/schleuder/default.nix
index 7fc320a7043c..8966dbd55b22 100644
--- a/pkgs/tools/security/schleuder/default.nix
+++ b/pkgs/tools/security/schleuder/default.nix
@@ -2,6 +2,7 @@
 , bundlerApp
 , ruby
 , bundlerUpdateScript
+, defaultGemConfig
 }:
 
 bundlerApp {
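Review bot: `description = "A command line tool to create and manage schleuder-lists";` opens with an article, which nixpkgs' meta conventions ask to drop so that descriptions read uniformly in package listings; `description = "Command line tool to create and manage schleuder-lists";` is the conventional form. `installManpages = false;` a few lines above is set without a reason, and nothing in the hunk shows whether the gem ships no man pages or whether installing them fails; a one-line comment, e.g. `# installManpages disabled: <reason>`, would stop the next reader from re-enabling it by mistake.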
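Review bot: `, defaultGemConfig` is added to the argument set of pkgs/tools/security/schleuder/default.nix, but this commit's diffstat records exactly one insertion in that file, so nothing in the commit uses the new argument and it is dead input that `callPackage` still has to resolve. The diffstat of the following commit touches the same file with four insertions, so if that is where the argument is put to use, the line belongs with that change; if not, drop it. The rest of the `bundlerApp { … }` call lies outside the hunk, so its body cannot be checked from here.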
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 8e48417a5df7..2bc4abf5c408 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -5492,6 +5492,8 @@ with pkgs;
 
   schleuder = callPackage ../tools/security/schleuder { };
 
+  schleuder-cli = callPackage ../tools/security/schleuder/cli { };
+
   tealdeer = callPackage ../tools/misc/tealdeer {
     inherit (darwin.apple_sdk.frameworks) Security;
   };

From 1dabedae3e41d2c64a754487e351fa3c19bdb0d5 Mon Sep 17 00:00:00 2001
From: Linus Heckemann
Date: Tue, 31 May 2022 17:27:54 +0200
Subject: [PATCH 16/18] nixos/schleuder: init module and accompanying test

Co-Authored-By: Martin Weinelt
Co-Authored-By: Cole Helbling
---
 nixos/modules/module-list.nix | 1 +
 nixos/modules/services/mail/schleuder.nix | 162 ++++++++++++++++++++++
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/schleuder.nix | 128 +++++++++++++++++
 pkgs/tools/security/schleuder/default.nix | 4 +
 5 files changed, 296 insertions(+)
 create mode 100644 nixos/modules/services/mail/schleuder.nix
 create mode 100644 nixos/tests/schleuder.nix

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 43ae28ac02c5..3aae26f38543 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -516,6 +516,7 @@
   ./services/mail/rspamd.nix
   ./services/mail/rss2email.nix
   ./services/mail/roundcube.nix
+  ./services/mail/schleuder.nix
   ./services/mail/sympa.nix
   ./services/mail/nullmailer.nix
   ./services/matrix/appservice-discord.nix
diff --git a/nixos/modules/services/mail/schleuder.nix b/nixos/modules/services/mail/schleuder.nix
new file mode 100644
index 000000000000..7ba15f1070bd
--- /dev/null
+++ b/nixos/modules/services/mail/schleuder.nix
@@ -0,0 +1,162 @@
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.services.schleuder;
+ settingsFormat = pkgs.formats.yaml { };
+ postfixMap = entries: lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "${name} ${value}") entries);
+ writePostfixMap = name: entries: pkgs.writeText name (postfixMap entries);
+ configScript = pkgs.writeScript "schleuder-cfg" ''
+ #!${pkgs.runtimeShell}
+ set -exuo pipefail
+ umask 0077
+ ${pkgs.yq}/bin/yq \
+ --slurpfile overrides <(${pkgs.yq}/bin/yq . <${lib.escapeShellArg cfg.extraSettingsFile}) \
+ < ${settingsFormat.generate "schleuder.yml" cfg.settings} \
+ '. * $overrides[0]' \
+ > /etc/schleuder/schleuder.yml
+ chown schleuder: /etc/schleuder/schleuder.yml
+ '';
+in
+{
+ options.services.schleuder = {
+ enable = lib.mkEnableOption "Schleuder secure remailer";
+ enablePostfix = lib.mkEnableOption "automatic postfix integration" // { default = true; };
+ lists = lib.mkOption {
+ description = ''
+ List of list addresses that should be handled by Schleuder.
+
+ Note that this is only handled by the postfix integration, and
+ the setup of the lists, their members and their keys has to be
+ performed separately via schleuder's API, using a tool such as
+ schleuder-cli.
+ '';
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ example = [ "widget-team@example.com" "security@example.com" ];
+ };
+ /* maybe one day....
+ domains = lib.mkOption {
+ description = "Domains for which all mail should be handled by Schleuder.";
+ type = lib.types.listOf lib.types.str;
+ default = [];
+ example = ["securelists.example.com"];
+ };
+ */
+ settings = lib.mkOption {
+ description = ''
+ Settings for schleuder.yml.
+
+ Check the example configuration for possible values.
+ '';
+ type = lib.types.submodule {
+ freeformType = settingsFormat.type;
+ options.keyserver = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ Key server from which to fetch and update keys.
+
+ Note that NixOS uses a different default from upstream, since the upstream default sks-keyservers.net is deprecated.
+ '';
+ default = "keys.openpgp.org";
+ };
+ };
+ default = { };
+ };
+ extraSettingsFile = lib.mkOption {
+ description = "YAML file to merge into the schleuder config at runtime. This can be used for secrets such as API keys.";
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ };
+ listDefaults = lib.mkOption {
+ description = ''
+ Default settings for lists (list-defaults.yml).
+
+ Check the example configuration for possible values.
+ '';
+ type = settingsFormat.type;
+ default = { };
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = !(cfg.settings.api ? valid_api_keys);
+ message = ''
+ services.schleuder.settings.api.valid_api_keys is set. Defining API keys via NixOS config results in them being copied to the world-readable Nix store. Please use the extraSettingsFile option to store API keys in a non-public location.
+ '';
+ }
+ {
+ assertion = !(lib.any (db: db ? password) (lib.attrValues cfg.settings.database or {}));
+ message = ''
+ A password is defined for at least one database in services.schleuder.settings.database. Defining passwords via NixOS config results in them being copied to the world-readable Nix store. Please use the extraSettingsFile option to store database passwords in a non-public location.
+ '';
+ }
+ ];
+ users.users.schleuder.isSystemUser = true;
+ users.users.schleuder.group = "schleuder";
+ users.groups.schleuder = {};
+ environment.systemPackages = [
+ pkgs.schleuder-cli
+ ];
+ services.postfix = lib.mkIf cfg.enablePostfix {
+ extraMasterConf = ''
+ schleuder unix - n n - - pipe
+ flags=DRhu user=schleuder argv=/${pkgs.schleuder}/bin/schleuder work ''${recipient}
+ '';
+ transport = lib.mkIf (cfg.lists != [ ]) (postfixMap (lib.genAttrs cfg.lists (_: "schleuder:")));
+ extraConfig = ''
+ schleuder_destination_recipient_limit = 1
+ '';
+ # review: does this make sense?
+ localRecipients = lib.mkIf (cfg.lists != [ ]) cfg.lists;
+ };
+ systemd.services = let commonServiceConfig = {
+ # We would have liked to use DynamicUser, but since the default
+ # database is SQLite and lives in StateDirectory, and that same
+ # database needs to be readable from the postfix service, this
+ # isn't trivial to do.
+ User = "schleuder";
+ StateDirectory = "schleuder";
+ StateDirectoryMode = "0700";
+ }; in
+ {
+ schleuder-init = {
+ serviceConfig = commonServiceConfig // {
+ ExecStartPre = lib.mkIf (cfg.extraSettingsFile != null) [
+ "+${configScript}"
+ ];
+ ExecStart = [ "${pkgs.schleuder}/bin/schleuder install" ];
+ Type = "oneshot";
+ };
+ };
+ schleuder-api-daemon = {
+ after = [ "local-fs.target" "network.target" "schleuder-init.service" ];
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "schleuder-init.service" ];
+ serviceConfig = commonServiceConfig // {
+ ExecStart = [ "${pkgs.schleuder}/bin/schleuder-api-daemon" ];
+ };
+ };
+ schleuder-weekly-key-maintenance = {
+ after = [ "local-fs.target" "network.target" ];
+ startAt = "weekly";
+ serviceConfig = commonServiceConfig // {
+ ExecStart = [
+ "${pkgs.schleuder}/bin/schleuder refresh_keys"
+ "${pkgs.schleuder}/bin/schleuder check_keys"
+ ];
+ };
+ };
+ };
+
+ environment.etc."schleuder/schleuder.yml" = lib.mkIf (cfg.extraSettingsFile == null) {
+ source = settingsFormat.generate "schleuder.yml" cfg.settings;
+ };
+ environment.etc."schleuder/list-defaults.yml".source = settingsFormat.generate "list-defaults.yml" cfg.listDefaults;
+
+ services.schleuder = {
+ #lists_dir = "/var/lib/schleuder.lists";
+ settings.filters_dir = lib.mkDefault "/var/lib/schleuder/filters";
+ settings.keyword_handlers_dir = lib.mkDefault "/var/lib/schleuder/keyword_handlers";
+ };
+ };
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 38c320886d1a..658c62b2a4e2 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
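Review bot: The postfix pipe in `extraMasterConf` spells the command as `argv=/${pkgs.schleuder}/bin/schleuder work ''${recipient}`, which expands to a path beginning with `//nix/store/` because store paths already carry the leading slash; it works, but the other ExecStart lines in this hunk use `${pkgs.schleuder}/bin/schleuder` directly, and the pipe line should match: `flags=DRhu user=schleuder argv=${pkgs.schleuder}/bin/schleuder work ''${recipient}`. In the same vein, `writePostfixMap` in the `let` block is never referenced (only `postfixMap` is used for `transport`), so it can be dropped. On the service side, `schleuder-api-daemon` serves the TLS API that the `valid_api_keys` assertion guards, and the comment on `commonServiceConfig` explains why `DynamicUser` was not used, but no other sandboxing is applied to any of the three units; adding `NoNewPrivileges = true; ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true;` to `commonServiceConfig` looks cheap, and as far as I can tell the postfix pipe runs under postfix rather than these units, so unit-level hardening should not affect its access to the state directory — worth confirming with the NixOS test. Lastly, `configScript` merges `extraSettingsFile` under `set -exuo pipefail`; `-x` traces the expanded command lines (including the secrets file path, not its contents) into the journal, so it is not a leak as written, but a script whose purpose is to handle secrets is safer with `set -euo pipefail` alone.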
@@ -485,6 +485,7 @@ in {
 samba = handleTest ./samba.nix {};
 samba-wsdd = handleTest ./samba-wsdd.nix {};
 sanoid = handleTest ./sanoid.nix {};
+ schleuder = handleTest ./schleuder.nix {};
 sddm = handleTest ./sddm.nix {};
 seafile = handleTest ./seafile.nix {};
 searx = handleTest ./searx.nix {};
diff --git a/nixos/tests/schleuder.nix b/nixos/tests/schleuder.nix
new file mode 100644
index 000000000000..a9e4cc325bc7
--- /dev/null
+++ b/nixos/tests/schleuder.nix
@@ -0,0 +1,128 @@ +let + certs = import ./common/acme/server/snakeoil-certs.nix; + domain = certs.domain; +in +import ./make-test-python.nix { + name = "schleuder"; + nodes.machine = { pkgs, ... }: { + imports = [ ./common/user-account.nix ]; + services.postfix = { + enable = true; + enableSubmission = true; + tlsTrustedAuthorities = "${certs.ca.cert}"; + sslCert = "${certs.${domain}.cert}"; + sslKey = "${certs.${domain}.key}"; + inherit domain; + destination = [ domain ]; + localRecipients = [ "root" "alice" "bob" ]; + }; + services.schleuder = { + enable = true; + # Don't do it like this in production! The point of this setting + # is to allow loading secrets from _outside_ the world-readable + # Nix store. + extraSettingsFile = pkgs.writeText "schleuder-api-keys.yml" '' + api: + valid_api_keys: + - fnord + ''; + lists = [ "security@${domain}" ]; + settings.api = { + tls_cert_file = "${certs.${domain}.cert}"; + tls_key_file = "${certs.${domain}.key}"; + }; + }; + + environment.systemPackages = [ + pkgs.gnupg + pkgs.msmtp + (pkgs.writeScriptBin "do-test" '' + #!${pkgs.runtimeShell} + set -exuo pipefail + + # Generate a GPG key with no passphrase and export it + sudo -u alice gpg --passphrase-fd 0 --batch --yes --quick-generate-key 'alice@${domain}' rsa4096 sign,encr < <(echo) + sudo -u alice gpg --armor --export alice@${domain} > alice.asc + # Create a new mailing list with alice as the owner, and alice's key + schleuder-cli list new security@${domain} alice@${domain} alice.asc + + # Send an email from a non-member of the list. Use --auto-from so we don't have to specify who it's from twice. + msmtp --auto-from security@${domain} --host=${domain} --port=25 --tls --tls-starttls < list.asc + + # Import the key into alice's keyring, so we can verify it as well as decrypting + sudo -u alice gpg --import decrypted + # And check that the text matches. 
+ grep "big security problem" decrypted + '') + + # For debugging: + # pkgs.vim pkgs.openssl pkgs.sqliteinteractive + ]; + + security.pki.certificateFiles = [ certs.ca.cert ]; + + # Since we don't have internet here, use dnsmasq to provide MX records from /etc/hosts + services.dnsmasq = { + enable = true; + extraConfig = '' + selfmx + ''; + }; + + networking.extraHosts = '' + 127.0.0.1 ${domain} + ''; + + # schleuder-cli's config is not quite optimal in several ways: + # - A fingerprint _must_ be pinned, it doesn't even have an option + # to trust the PKI + # - It compares certificate fingerprints rather than key + # fingerprints, so renewals break the pin (though that's not + # relevant for this test) + # - It compares them as strings, which means we need to match the + # expected format exactly. This means removing the :s and + # lowercasing it. + # Refs: + # https://0xacab.org/schleuder/schleuder-cli/-/issues/16 + # https://0xacab.org/schleuder/schleuder-cli/-/blob/f8895b9f47083d8c7b99a2797c93f170f3c6a3c0/lib/schleuder-cli/helper.rb#L230-238 + systemd.tmpfiles.rules = let cliconfig = pkgs.runCommand "schleuder-cli.yml" + { + nativeBuildInputs = [ pkgs.jq pkgs.openssl ]; + } '' + fp=$(openssl x509 -in ${certs.${domain}.cert} -noout -fingerprint -sha256 | cut -d = -f 2 | tr -d : | tr 'A-Z' 'a-z') + cat > $out < Date: Wed, 8 Jun 2022 16:16:28 +0200 Subject: [PATCH 17/18] bundler bin stubs: Squelch sudo warning @ruby maintainers: please feel free to revert this and let me know, should it cause any problems. Stuff that's in the store shouldn't be writable! So let's disable Bundler's requires_sudo? method, which checks if some files are writable and suggests using sudo if not, entirely. 
Previously, schleuder-cli would print to stderr when run: Following files may not be writable, so sudo is needed: /nix/store/qg40x0ysrf9x6sag6qgb1klg87lskdp5-schleuder-cli-0.1.0/lib/ruby/gems/2.7.0 /nix/store/qg40x0ysrf9x6sag6qgb1klg87lskdp5-schleuder-cli-0.1.0/lib/ruby/gems/2.7.0/bin /nix/store/qg40x0ysrf9x6sag6qgb1klg87lskdp5-schleuder-cli-0.1.0/lib/ruby/gems/2.7.0/bin /nix/store/qg40x0ysrf9x6sag6qgb1klg87lskdp5-schleuder-cli-0.1.0/lib/ruby/gems/2.7.0/build_info /nix/store/qg40x0ysrf9x6sag6qgb1klg87lskdp5-schleuder-cli-0.1.0/lib/ruby/gems/2.7.0/bundler /nix/store/qg40x0ysrf9x6sag6qgb1klg87lskdp5-schleuder-cli-0.1.0/lib/ruby/gems/2.7.0/cache /nix/store/qg40x0ysrf9x6sag6qgb1klg87lskdp5-schleuder-cli-0.1.0/lib/ruby/gems/2.7.0/doc /nix/store/qg40x0ysrf9x6sag6qgb1klg87lskdp5-schleuder-cli-0.1.0/lib/ruby/gems/2.7.0/extensions /nix/store/qg40x0ysrf9x6sag6qgb1klg87lskdp5-schleuder-cli-0.1.0/lib/ruby/gems/2.7.0/gems /nix/store/qg40x0ysrf9x6sag6qgb1klg87lskdp5-schleuder-cli-0.1.0/lib/ruby/gems/2.7.0/plugins /nix/store/qg40x0ysrf9x6sag6qgb1klg87lskdp5-schleuder-cli-0.1.0/lib/ruby/gems/2.7.0/specifications --- .../ruby-modules/bundled-common/gen-bin-stubs.rb | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/pkgs/development/ruby-modules/bundled-common/gen-bin-stubs.rb b/pkgs/development/ruby-modules/bundled-common/gen-bin-stubs.rb index 3106e9c24ca7..822996b7cbf6 100644 --- a/pkgs/development/ruby-modules/bundled-common/gen-bin-stubs.rb +++ b/pkgs/development/ruby-modules/bundled-common/gen-bin-stubs.rb 
@@ -41,6 +41,20 @@ Gem.paths = { 'GEM_HOME' => #{bundle_path.dump} } $LOAD_PATH.unshift #{File.join(bundler_path, "/lib").dump} require 'bundler' +# Monkey-patch out the check that Bundler performs to determine +# whether the bundler env is writable. It's not writable, even for +# root! And for this use of Bundler, it shouldn't be necessary since +# we're not trying to perform any package management operations, only +# produce a Gem path. Thus, we replace it with a method that will +# always return false, to squelch a warning from Bundler saying that +# sudo may be required. +module Bundler + class < Date: Fri, 24 Jun 2022 15:19:58 -0400 Subject: [PATCH 18/18] rl-2211: document schleuder addition --- nixos/doc/manual/from_md/release-notes/rl-2211.section.xml | 7 +++++++ nixos/doc/manual/release-notes/rl-2211.section.md | 2 ++ 2 files changed, 9 insertions(+) diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index 958000687810..b78cfad63b94 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -71,6 +71,13 @@ services.persistent-evdev. + + + schleuder, a + mailing list manager with PGP support. Enable using + services.schleuder. + + expressvpn, diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index 1a14885ed8c3..436d590fb9a6 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md 
@@ -31,6 +31,8 @@ In addition to numerous new and upgraded packages, this release has the followin Available as [services.infnoise](options.html#opt-services.infnoise.enable). - [persistent-evdev](https://github.com/aiberia/persistent-evdev), a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as [services.persistent-evdev](#opt-services.persistent-evdev.enable). +- [schleuder](https://schleuder.org/), a mailing list manager with PGP support. Enable using [services.schleuder](#opt-services.schleuder.enable). + - [expressvpn](https://www.expressvpn.com), the CLI client for ExpressVPN. Available as [services.expressvpn](#opt-services.expressvpn.enable).