systemd: 254.6 -> 255.2

Removed patches:

- 0007-Fix-hwdb-paths.patch

  The directory we want seems to already be included in the list. Is there
  a reason why we want to restrict it further?

- 0010-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch

  This patch has little to do with how the meson.build file looks now. The
  new patch 0017 is the successor to this one.

- 0015-pkg-config-derive-prefix-from-prefix.patch

  This is fixed upstream. We don't need this anymore.

nixos/modules/system/boot/luksroot.nix

@@ -1076,7 +1076,7 @@ in
     boot.initrd.systemd = {
       contents."/etc/crypttab".source = stage1Crypttab;
 
-      extraBin.systemd-cryptsetup = "${config.boot.initrd.systemd.package}/lib/systemd/systemd-cryptsetup";
+      extraBin.systemd-cryptsetup = "${config.boot.initrd.systemd.package}/bin/systemd-cryptsetup";
 
       additionalUpstreamUnits = [
         "cryptsetup-pre.target"
@@ -1084,7 +1084,7 @@ in
         "remote-cryptsetup.target"
       ];
       storePaths = [
-        "${config.boot.initrd.systemd.package}/lib/systemd/systemd-cryptsetup"
+        "${config.boot.initrd.systemd.package}/bin/systemd-cryptsetup"
         "${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-cryptsetup-generator"
       ];
 

nixos/modules/system/boot/systemd/initrd.nix

@@ -70,6 +70,7 @@ let
     "systemd-tmpfiles-setup.service"
     "timers.target"
     "umount.target"
+    "systemd-bsod.service"
   ] ++ cfg.additionalUpstreamUnits;
 
   upstreamWants = [
@@ -424,6 +425,7 @@ in {
 
       storePaths = [
         # systemd tooling
+        "${cfg.package}/lib/systemd/systemd-executor"
         "${cfg.package}/lib/systemd/systemd-fsck"
         "${cfg.package}/lib/systemd/systemd-hibernate-resume"
         "${cfg.package}/lib/systemd/systemd-journald"
@@ -433,6 +435,7 @@ in {
         "${cfg.package}/lib/systemd/systemd-shutdown"
         "${cfg.package}/lib/systemd/systemd-sulogin-shell"
         "${cfg.package}/lib/systemd/systemd-sysctl"
+        "${cfg.package}/lib/systemd/systemd-bsod"
 
         # generators
         "${cfg.package}/lib/systemd/system-generators/systemd-debug-generator"

pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch

@@ -13,10 +13,10 @@ unit.  (However, this ignores the fsck unit, so it's not perfect...)
  1 file changed, 4 deletions(-)
 
 diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in
-index c0defc31de..8f80235731 100644
+index 0d68f31d36..6b52f7ed4b 100644
 --- a/rules.d/99-systemd.rules.in
 +++ b/rules.d/99-systemd.rules.in
-@@ -20,10 +20,6 @@ SUBSYSTEM=="block", TAG+="systemd"
+@@ -22,10 +22,6 @@ SUBSYSTEM=="block", TAG+="systemd"
  SUBSYSTEM=="block", ENV{DM_SUSPENDED}=="1", IMPORT{db}="SYSTEMD_READY", GOTO="systemd_end"
  SUBSYSTEM=="block", ACTION=="add", ENV{DM_UDEV_DISABLE_OTHER_RULES_FLAG}=="1", ENV{SYSTEMD_READY}="0"
  

pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch

@@ -14,10 +14,10 @@ Original-Author: Eelco Dolstra <eelco.dolstra@logicblox.com>
  2 files changed, 6 insertions(+), 2 deletions(-)
 
 diff --git a/src/shared/fstab-util.c b/src/shared/fstab-util.c
-index 4ffec25c75..b99031c54e 100644
+index 55e76b6e16..015a608035 100644
 --- a/src/shared/fstab-util.c
 +++ b/src/shared/fstab-util.c
-@@ -43,6 +43,8 @@ bool fstab_is_extrinsic(const char *mount, const char *opts) {
+@@ -66,6 +66,8 @@ bool fstab_is_extrinsic(const char *mount, const char *opts) {
          /* Don't bother with the OS data itself */
          if (PATH_IN_SET(mount,
                          "/",
@@ -27,7 +27,7 @@ index 4ffec25c75..b99031c54e 100644
                          "/etc"))
                  return true;
 diff --git a/src/shutdown/umount.c b/src/shutdown/umount.c
-index 1586c2e214..fcae95f824 100644
+index 1a9b99d761..04ef9af1ea 100644
 --- a/src/shutdown/umount.c
 +++ b/src/shutdown/umount.c
 @@ -170,8 +170,10 @@ int mount_points_list_get(const char *mountinfo, MountPoint **head) {

pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch

@@ -10,10 +10,10 @@ container, so checking early whether it exists will fail.
  1 file changed, 2 insertions(+)
 
 diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
-index e170958fc5..898a674631 100644
+index 38196ef3d6..57d1750b00 100644
 --- a/src/nspawn/nspawn.c
 +++ b/src/nspawn/nspawn.c
-@@ -5648,6 +5648,7 @@ static int run(int argc, char *argv[]) {
+@@ -5602,6 +5602,7 @@ static int run(int argc, char *argv[]) {
                                  goto finish;
                          }
                  } else {
@@ -21,7 +21,7 @@ index e170958fc5..898a674631 100644
                          _cleanup_free_ char *p = NULL;
  
                          if (arg_pivot_root_new)
-@@ -5662,6 +5663,7 @@ static int run(int argc, char *argv[]) {
+@@ -5618,6 +5619,7 @@ static int run(int argc, char *argv[]) {
                                                      "Directory %s doesn't look like it has an OS tree (/usr/ directory is missing). Refusing.", arg_directory);
                                  goto finish;
                          }

pkgs/os-specific/linux/systemd/0004-Add-some-NixOS-specific-unit-directories.patch

@@ -11,12 +11,12 @@ Also, remove /usr and /lib as these don't exist on NixOS.
 
 Original-Author: Eelco Dolstra <eelco.dolstra@logicblox.com>
 ---
- src/basic/path-lookup.c | 17 ++---------------
+ src/basic/path-lookup.c | 18 ++----------------
  src/core/systemd.pc.in  |  8 ++++----
- 2 files changed, 6 insertions(+), 19 deletions(-)
+ 2 files changed, 6 insertions(+), 20 deletions(-)
 
 diff --git a/src/basic/path-lookup.c b/src/basic/path-lookup.c
-index 7d158a8295..f9bd62b631 100644
+index 4e3d59fc56..0d18b9a2d0 100644
 --- a/src/basic/path-lookup.c
 +++ b/src/basic/path-lookup.c
 @@ -92,11 +92,7 @@ int xdg_user_data_dir(char **ret, const char *suffix) {
@@ -31,7 +31,7 @@ index 7d158a8295..f9bd62b631 100644
          NULL
  };
  
-@@ -617,15 +613,13 @@ int lookup_paths_init(
+@@ -613,16 +609,13 @@ int lookup_paths_init(
                                          persistent_config,
                                          SYSTEM_CONFIG_UNIT_DIR,
                                          "/etc/systemd/system",
@@ -44,11 +44,12 @@ index 7d158a8295..f9bd62b631 100644
 -                                        "/usr/local/lib/systemd/system",
                                          SYSTEM_DATA_UNIT_DIR,
 -                                        "/usr/lib/systemd/system",
+-                                        /* To be used ONLY for images which might be legacy split-usr */
 -                                        STRV_IFNOTNULL(flags & LOOKUP_PATHS_SPLIT_USR ? "/lib/systemd/system" : NULL),
                                          STRV_IFNOTNULL(generator_late));
                          break;
  
-@@ -641,14 +635,11 @@ int lookup_paths_init(
+@@ -638,14 +631,11 @@ int lookup_paths_init(
                                          persistent_config,
                                          USER_CONFIG_UNIT_DIR,
                                          "/etc/systemd/user",
@@ -64,7 +65,7 @@ index 7d158a8295..f9bd62b631 100644
                                          STRV_IFNOTNULL(generator_late));
                          break;
  
-@@ -808,7 +799,6 @@ char **generator_binary_paths(RuntimeScope scope) {
+@@ -805,7 +795,6 @@ char **generator_binary_paths(RuntimeScope scope) {
                  case RUNTIME_SCOPE_SYSTEM:
                          add = strv_new("/run/systemd/system-generators",
                                         "/etc/systemd/system-generators",
@@ -72,7 +73,7 @@ index 7d158a8295..f9bd62b631 100644
                                         SYSTEM_GENERATOR_DIR);
                          break;
  
-@@ -816,7 +806,6 @@ char **generator_binary_paths(RuntimeScope scope) {
+@@ -813,7 +802,6 @@ char **generator_binary_paths(RuntimeScope scope) {
                  case RUNTIME_SCOPE_USER:
                          add = strv_new("/run/systemd/user-generators",
                                         "/etc/systemd/user-generators",
@@ -80,7 +81,7 @@ index 7d158a8295..f9bd62b631 100644
                                         USER_GENERATOR_DIR);
                          break;
  
-@@ -855,14 +844,12 @@ char **env_generator_binary_paths(RuntimeScope runtime_scope) {
+@@ -852,14 +840,12 @@ char **env_generator_binary_paths(RuntimeScope runtime_scope) {
                  case RUNTIME_SCOPE_SYSTEM:
                          add = strv_new("/run/systemd/system-environment-generators",
                                          "/etc/systemd/system-environment-generators",
@@ -96,10 +97,10 @@ index 7d158a8295..f9bd62b631 100644
                          break;
  
 diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
-index 693433b34b..5932a21b5b 100644
+index f3b85b0190..8ae544b495 100644
 --- a/src/core/systemd.pc.in
 +++ b/src/core/systemd.pc.in
-@@ -38,10 +38,10 @@ systemdsystemconfdir=${systemd_system_conf_dir}
+@@ -43,10 +43,10 @@ systemdsystemconfdir=${systemd_system_conf_dir}
  systemd_user_conf_dir=${sysconfdir}/systemd/user
  systemduserconfdir=${systemd_user_conf_dir}
  
@@ -111,8 +112,8 @@ index 693433b34b..5932a21b5b 100644
 +systemd_user_unit_path=${systemd_user_conf_dir}:/etc/systemd/user:/nix/var/nix/profiles/default/lib/systemd/user:/run/systemd/user:${systemduserunitdir}
  systemduserunitpath=${systemd_user_unit_path}
  
- systemd_system_generator_dir=${root_prefix}/lib/systemd/system-generators
-@@ -50,10 +50,10 @@ systemdsystemgeneratordir=${systemd_system_generator_dir}
+ systemd_system_generator_dir=${prefix}/lib/systemd/system-generators
+@@ -55,10 +55,10 @@ systemdsystemgeneratordir=${systemd_system_generator_dir}
  systemd_user_generator_dir=${prefix}/lib/systemd/user-generators
  systemdusergeneratordir=${systemd_user_generator_dir}
  
@@ -124,4 +125,4 @@ index 693433b34b..5932a21b5b 100644
 +systemd_user_generator_path=/run/systemd/user-generators:/etc/systemd/user-generators:${systemd_user_generator_dir}
  systemdusergeneratorpath=${systemd_user_generator_path}
  
- systemd_sleep_dir=${root_prefix}/lib/systemd/system-sleep
+ systemd_sleep_dir=${prefix}/lib/systemd/system-sleep

pkgs/os-specific/linux/systemd/0005-Get-rid-of-a-useless-message-in-user-sessions.patch

@@ -13,10 +13,10 @@ in containers.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/src/core/manager.c b/src/core/manager.c
-index 22ec6e79b1..771e8e7f16 100644
+index e61ebee253..22cc5cc843 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
-@@ -1559,7 +1559,8 @@ static unsigned manager_dispatch_stop_when_bound_queue(Manager *m) {
+@@ -1562,7 +1562,8 @@ static unsigned manager_dispatch_stop_when_bound_queue(Manager *m) {
                  if (!unit_is_bound_by_inactive(u, &culprit))
                          continue;
  

pkgs/os-specific/linux/systemd/0006-hostnamed-localed-timedated-disable-methods-that-cha.patch

@@ -11,7 +11,7 @@ Subject: [PATCH] hostnamed, localed, timedated: disable methods that change
  3 files changed, 25 insertions(+)
 
 diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
-index 9ef45f8e75..99b1ec2e36 100644
+index e1d53f2395..a224e6dadc 100644
 --- a/src/hostname/hostnamed.c
 +++ b/src/hostname/hostnamed.c
 @@ -1053,6 +1053,9 @@ static int method_set_static_hostname(sd_bus_message *m, void *userdata, sd_bus_
@@ -35,7 +35,7 @@ index 9ef45f8e75..99b1ec2e36 100644
  
          context_read_machine_info(c);
 diff --git a/src/locale/localed.c b/src/locale/localed.c
-index f544a73580..ce00c262cc 100644
+index 5d96237fae..9af35cd29c 100644
 --- a/src/locale/localed.c
 +++ b/src/locale/localed.c
 @@ -229,6 +229,9 @@ static int method_set_locale(sd_bus_message *m, void *userdata, sd_bus_error *er
@@ -69,10 +69,10 @@ index f544a73580..ce00c262cc 100644
  
          r = x11_context_verify_and_warn(&in, LOG_ERR, error);
 diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
-index ad1d492d6b..331af34505 100644
+index c7be30f563..50f8aa8675 100644
 --- a/src/timedate/timedated.c
 +++ b/src/timedate/timedated.c
-@@ -665,6 +665,10 @@ static int method_set_timezone(sd_bus_message *m, void *userdata, sd_bus_error *
+@@ -659,6 +659,10 @@ static int method_set_timezone(sd_bus_message *m, void *userdata, sd_bus_error *
          if (r < 0)
                  return r;
  
@@ -83,7 +83,7 @@ index ad1d492d6b..331af34505 100644
          if (!timezone_is_valid(z, LOG_DEBUG))
                  return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid or not installed time zone '%s'", z);
  
-@@ -743,6 +747,9 @@ static int method_set_local_rtc(sd_bus_message *m, void *userdata, sd_bus_error
+@@ -737,6 +741,9 @@ static int method_set_local_rtc(sd_bus_message *m, void *userdata, sd_bus_error
          if (r < 0)
                  return r;
  
@@ -93,7 +93,7 @@ index ad1d492d6b..331af34505 100644
          if (lrtc == c->local_rtc && !fix_system)
                  return sd_bus_reply_method_return(m, NULL);
  
-@@ -923,6 +930,9 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error
+@@ -917,6 +924,9 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error
          if (r < 0)
                  return r;
  

pkgs/os-specific/linux/systemd/0007-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch

@@ -35,10 +35,10 @@ index e486474c44..5f373d0723 100644
      <literal>Etc/UTC</literal>. The resulting link should lead to the
      corresponding binary
 diff --git a/src/basic/time-util.c b/src/basic/time-util.c
-index 1db630003a..31744c3e68 100644
+index f9014dc560..3ee0363369 100644
 --- a/src/basic/time-util.c
 +++ b/src/basic/time-util.c
-@@ -1350,7 +1350,7 @@ static int get_timezones_from_zone1970_tab(char ***ret) {
+@@ -1412,7 +1412,7 @@ static int get_timezones_from_zone1970_tab(char ***ret) {
  
          assert(ret);
  
@@ -47,7 +47,7 @@ index 1db630003a..31744c3e68 100644
          if (!f)
                  return -errno;
  
-@@ -1391,7 +1391,7 @@ static int get_timezones_from_tzdata_zi(char ***ret) {
+@@ -1453,7 +1453,7 @@ static int get_timezones_from_tzdata_zi(char ***ret) {
  
          assert(ret);
  
@@ -56,7 +56,7 @@ index 1db630003a..31744c3e68 100644
          if (!f)
                  return -errno;
  
-@@ -1503,7 +1503,7 @@ int verify_timezone(const char *name, int log_level) {
+@@ -1565,7 +1565,7 @@ int verify_timezone(const char *name, int log_level) {
          if (p - name >= PATH_MAX)
                  return -ENAMETOOLONG;
  
@@ -65,7 +65,7 @@ index 1db630003a..31744c3e68 100644
  
          fd = open(t, O_RDONLY|O_CLOEXEC);
          if (fd < 0)
-@@ -1563,7 +1563,7 @@ int get_timezone(char **ret) {
+@@ -1625,7 +1625,7 @@ int get_timezone(char **ret) {
          if (r < 0)
                  return r; /* returns EINVAL if not a symlink */
  
@@ -75,10 +75,10 @@ index 1db630003a..31744c3e68 100644
                  return -EINVAL;
  
 diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
-index 1956ab3b13..9ef356f8af 100644
+index f77a5f6266..63bac85b29 100644
 --- a/src/firstboot/firstboot.c
 +++ b/src/firstboot/firstboot.c
-@@ -630,7 +630,7 @@ static int process_timezone(int rfd) {
+@@ -632,7 +632,7 @@ static int process_timezone(int rfd) {
          if (isempty(arg_timezone))
                  return 0;
  
@@ -88,10 +88,10 @@ index 1956ab3b13..9ef356f8af 100644
          r = symlinkat_atomic_full(e, pfd, f, /* make_relative= */ false);
          if (r < 0)
 diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
-index 898a674631..c41a416e04 100644
+index e48ebe8342..41796f3358 100644
 --- a/src/nspawn/nspawn.c
 +++ b/src/nspawn/nspawn.c
-@@ -1924,8 +1924,8 @@ int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t uid, gid
+@@ -1845,8 +1845,8 @@ int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t uid, gid
  static const char *timezone_from_path(const char *path) {
          return PATH_STARTSWITH_SET(
                          path,
@@ -103,10 +103,10 @@ index 898a674631..c41a416e04 100644
  
  static bool etc_writable(void) {
 diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
-index 331af34505..722c4b5b4f 100644
+index 50f8aa8675..aff156ab42 100644
 --- a/src/timedate/timedated.c
 +++ b/src/timedate/timedated.c
-@@ -282,7 +282,7 @@ static int context_read_data(Context *c) {
+@@ -276,7 +276,7 @@ static int context_read_data(Context *c) {
  
          r = get_timezone(&t);
          if (r == -EINVAL)
@@ -115,7 +115,7 @@ index 331af34505..722c4b5b4f 100644
          else if (r < 0)
                  log_warning_errno(r, "Failed to get target of /etc/localtime: %m");
  
-@@ -306,7 +306,7 @@ static int context_write_data_timezone(Context *c) {
+@@ -300,7 +300,7 @@ static int context_write_data_timezone(Context *c) {
  
          if (isempty(c->zone) || streq(c->zone, "UTC")) {
  
@@ -124,7 +124,7 @@ index 331af34505..722c4b5b4f 100644
  
                          if (unlink("/etc/localtime") < 0 && errno != ENOENT)
                                  return -errno;
-@@ -314,9 +314,9 @@ static int context_write_data_timezone(Context *c) {
+@@ -308,9 +308,9 @@ static int context_write_data_timezone(Context *c) {
                          return 0;
                  }
  

pkgs/os-specific/linux/systemd/0007-Fix-hwdb-paths.patch

@@ -1,24 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nikolay Amiantov <ab@fmap.me>
-Date: Thu, 7 Jul 2016 02:47:13 +0300
-Subject: [PATCH] Fix hwdb paths
-
-Patch by vcunat.
----
- src/libsystemd/sd-hwdb/hwdb-internal.h | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/src/libsystemd/sd-hwdb/hwdb-internal.h b/src/libsystemd/sd-hwdb/hwdb-internal.h
-index 5302679a62..39e59a527f 100644
---- a/src/libsystemd/sd-hwdb/hwdb-internal.h
-+++ b/src/libsystemd/sd-hwdb/hwdb-internal.h
-@@ -83,8 +83,4 @@ struct trie_value_entry2_f {
- } _packed_;
- 
- #define hwdb_bin_paths                          \
--        "/etc/systemd/hwdb/hwdb.bin\0"          \
--        "/etc/udev/hwdb.bin\0"                  \
--        "/usr/lib/systemd/hwdb/hwdb.bin\0"      \
--        _CONF_PATHS_SPLIT_USR_NULSTR("systemd/hwdb/hwdb.bin") \
--        UDEVLIBEXECDIR "/hwdb.bin\0"
-+        "/etc/udev/hwdb.bin\0"

pkgs/os-specific/linux/systemd/0008-localectl-use-etc-X11-xkb-for-list-x11.patch

@@ -10,7 +10,7 @@ NixOS has an option to link the xkb data files to /etc/X11, but not to
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/locale/localectl.c b/src/locale/localectl.c
-index d8db9d9d22..4601bb5431 100644
+index 32354027f1..1d231f1afc 100644
 --- a/src/locale/localectl.c
 +++ b/src/locale/localectl.c
 @@ -297,7 +297,7 @@ static int list_x11_keymaps(int argc, char **argv, void *userdata) {

pkgs/os-specific/linux/systemd/0009-add-rootprefix-to-lookup-dir-paths.patch

@@ -12,16 +12,16 @@ files that I might have missed.
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/src/basic/constants.h b/src/basic/constants.h
-index 3f96786da9..6e8fb40c08 100644
+index 6bb5f3c281..678d13737d 100644
 --- a/src/basic/constants.h
 +++ b/src/basic/constants.h
-@@ -74,13 +74,15 @@
+@@ -65,13 +65,15 @@
+         "/etc/" n "\0"                          \
          "/run/" n "\0"                          \
          "/usr/local/lib/" n "\0"                \
-         "/usr/lib/" n "\0"                      \
--        _CONF_PATHS_SPLIT_USR_NULSTR(n)
-+        _CONF_PATHS_SPLIT_USR_NULSTR(n)         \
-+        ROOTPREFIX "/lib/" n "\0"
+-        "/usr/lib/" n "\0"
++        "/usr/lib/" n "\0"                      \
++        PREFIX "/lib/" n "\0"
  
  #define CONF_PATHS_USR(n)                       \
          "/etc/" n,                              \
@@ -29,7 +29,7 @@ index 3f96786da9..6e8fb40c08 100644
          "/usr/local/lib/" n,                    \
 -        "/usr/lib/" n
 +        "/usr/lib/" n,                          \
-+        ROOTPREFIX "/lib/" n
++        PREFIX "/lib/" n
  
  #define CONF_PATHS(n)                           \
-         CONF_PATHS_USR(n)                       \
+         CONF_PATHS_USR(n)

pkgs/os-specific/linux/systemd/0010-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch

@@ -1,23 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Franz Pletz <fpletz@fnordicwalking.de>
-Date: Sun, 11 Feb 2018 04:37:44 +0100
-Subject: [PATCH] build: don't create statedir and don't touch prefixdir
-
----
- meson.build | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/meson.build b/meson.build
-index 395eca1943..082cd748bb 100644
---- a/meson.build
-+++ b/meson.build
-@@ -4707,9 +4707,6 @@ install_data('LICENSE.GPL2',
- install_subdir('LICENSES',
-                install_dir : docdir)
- 
--meson.add_install_script('sh', '-c', mkdir_p.format(systemdstatedir))
--meson.add_install_script('sh', '-c', 'touch $DESTDIR@0@'.format(prefixdir))
--
- ############################################################
- 
- # Ensure that changes to the docs/ directory do not break the

pkgs/os-specific/linux/systemd/0010-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch

@@ -10,10 +10,10 @@ This is needed for NixOS to use such scripts as systemd directory is immutable.
  1 file changed, 1 insertion(+)
 
 diff --git a/src/shutdown/shutdown.c b/src/shutdown/shutdown.c
-index 8395bb429d..14fbc85bb4 100644
+index b976b7d8cf..b1c02df6fd 100644
 --- a/src/shutdown/shutdown.c
 +++ b/src/shutdown/shutdown.c
-@@ -334,6 +334,7 @@ static void init_watchdog(void) {
+@@ -336,6 +336,7 @@ static void init_watchdog(void) {
  int main(int argc, char *argv[]) {
          static const char* const dirs[] = {
                  SYSTEM_SHUTDOWN_PATH,

pkgs/os-specific/linux/systemd/0011-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch

@@ -9,10 +9,10 @@ This is needed for NixOS to use such scripts as systemd directory is immutable.
  1 file changed, 1 insertion(+)
 
 diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c
-index de1f6c7ec1..d0cdebd80a 100644
+index 21af3e9e52..6d096e3c78 100644
 --- a/src/sleep/sleep.c
 +++ b/src/sleep/sleep.c
-@@ -224,6 +224,7 @@ static int execute(
+@@ -215,6 +215,7 @@ static int execute(
          };
          static const char* const dirs[] = {
                  SYSTEM_SLEEP_PATH,

pkgs/os-specific/linux/systemd/0012-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch

@@ -10,21 +10,19 @@ systemd itself uses extensively.
  1 file changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/src/basic/path-util.h b/src/basic/path-util.h
-index 97175bee11..3839704901 100644
+index 6d943e967f..d4380aa7e3 100644
 --- a/src/basic/path-util.h
 +++ b/src/basic/path-util.h
-@@ -25,11 +25,11 @@
+@@ -25,9 +25,9 @@
  #  define PATH_SBIN_BIN_NULSTR(x) PATH_NORMAL_SBIN_BIN_NULSTR(x)
  #endif
  
--#define DEFAULT_PATH_NORMAL PATH_SBIN_BIN("/usr/local/") ":" PATH_SBIN_BIN("/usr/")
--#define DEFAULT_PATH_NORMAL_NULSTR PATH_SBIN_BIN_NULSTR("/usr/local/") PATH_SBIN_BIN_NULSTR("/usr/")
-+#define DEFAULT_PATH_NORMAL "@defaultPathNormal@"
-+#define DEFAULT_PATH_NORMAL_NULSTR "@defaultPathNormal@\0"
- #define DEFAULT_PATH_SPLIT_USR DEFAULT_PATH_NORMAL ":" PATH_SBIN_BIN("/")
- #define DEFAULT_PATH_SPLIT_USR_NULSTR DEFAULT_PATH_NORMAL_NULSTR PATH_SBIN_BIN_NULSTR("/")
+-#define DEFAULT_PATH PATH_SBIN_BIN("/usr/local/") ":" PATH_SBIN_BIN("/usr/")
+-#define DEFAULT_PATH_NULSTR PATH_SBIN_BIN_NULSTR("/usr/local/") PATH_SBIN_BIN_NULSTR("/usr/")
 -#define DEFAULT_PATH_COMPAT PATH_SPLIT_SBIN_BIN("/usr/local/") ":" PATH_SPLIT_SBIN_BIN("/usr/") ":" PATH_SPLIT_SBIN_BIN("/")
-+#define DEFAULT_PATH_COMPAT DEFAULT_PATH_NORMAL
++#define DEFAULT_PATH "@defaultPathNormal@"
++#define DEFAULT_PATH_NULSTR "@defaultPathNormal@\0"
++#define DEFAULT_PATH_COMPAT DEFAULT_PATH
  
- #if HAVE_SPLIT_USR
- #  define DEFAULT_PATH DEFAULT_PATH_SPLIT_USR
+ #ifndef DEFAULT_USER_PATH
+ #  define DEFAULT_USER_PATH DEFAULT_PATH

pkgs/os-specific/linux/systemd/0013-inherit-systemd-environment-when-calling-generators.patch

@@ -16,10 +16,10 @@ executables that are being called from managers.
  1 file changed, 8 insertions(+)
 
 diff --git a/src/core/manager.c b/src/core/manager.c
-index 771e8e7f16..acf3ead8d7 100644
+index 22cc5cc843..5dc7d4504f 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
-@@ -3899,9 +3899,17 @@ static int build_generator_environment(Manager *m, char ***ret) {
+@@ -3914,9 +3914,17 @@ static int build_generator_environment(Manager *m, char ***ret) {
           * adjust generated units to that. Let's pass down some bits of information that are easy for us to
           * determine (but a bit harder for generator scripts to determine), as environment variables. */
  

pkgs/os-specific/linux/systemd/0014-core-don-t-taint-on-unmerged-usr.patch

@@ -13,21 +13,20 @@ so showing the taint isn't really helpful.
 
 See also: https://github.com/systemd/systemd/issues/24191
 ---
- src/core/manager.c | 4 ----
- 1 file changed, 4 deletions(-)
+ src/core/manager.c | 3 ---
+ 1 file changed, 3 deletions(-)
 
 diff --git a/src/core/manager.c b/src/core/manager.c
-index acf3ead8d7..bdbab16829 100644
+index 5dc7d4504f..6208c9aa31 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
-@@ -4754,10 +4754,6 @@ char* manager_taint_string(const Manager *m) {
-         if (m->taint_usr)
-                 stage[n++] = "split-usr";
+@@ -4800,9 +4800,6 @@ char* manager_taint_string(const Manager *m) {
+         const char* stage[12] = {};
+         size_t n = 0;
  
 -        _cleanup_free_ char *usrbin = NULL;
 -        if (readlink_malloc("/bin", &usrbin) < 0 || !PATH_IN_SET(usrbin, "usr/bin", "/usr/bin"))
 -                stage[n++] = "unmerged-usr";
--
+ 
          if (access("/proc/cgroups", F_OK) < 0)
                  stage[n++] = "cgroups-missing";
- 

pkgs/os-specific/linux/systemd/0015-pkg-config-derive-prefix-from-prefix.patch

@@ -1,30 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
-Date: Sun, 6 Dec 2020 08:34:19 +0100
-Subject: [PATCH] pkg-config: derive prefix from --prefix
-
-Point prefix to the one configured, instead of `/usr` `systemd` has limited
-support for making the pkgconfig prefix overridable, and interpolates those
-values later down.
-
-So we only need to patch this one value to get the correct paths.
-See systemd/systemd@bc4e6e27922a2873985ab9367d79fb099f70b505 for details.
-
-Co-Authored-By: Florian Klink <flokli@flokli.de>
----
- src/core/systemd.pc.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
-index 5932a21b5b..20bf8e316d 100644
---- a/src/core/systemd.pc.in
-+++ b/src/core/systemd.pc.in
-@@ -11,7 +11,7 @@
- # considered deprecated (though there is no plan to remove them). New names
- # shall have underscores.
- 
--prefix=/usr
-+prefix={{PREFIX}}
- root_prefix={{ROOTPREFIX_NOSLASH}}
- rootprefix=${root_prefix}
- sysconf_dir={{SYSCONF_DIR}}

pkgs/os-specific/linux/systemd/0015-tpm2_context_init-fix-driver-name-checking.patch

@@ -27,15 +27,15 @@ filename_is_valid with path_is_valid.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
-index ae8a8bc073..c284b244f8 100644
+index 5e07b88a89..8dd7315009 100644
 --- a/src/shared/tpm2-util.c
 +++ b/src/shared/tpm2-util.c
-@@ -582,7 +582,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) {
+@@ -654,7 +654,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) {
                  fn = strjoina("libtss2-tcti-", driver, ".so.0");
  
                  /* Better safe than sorry, let's refuse strings that cannot possibly be valid driver early, before going to disk. */
 -                if (!filename_is_valid(fn))
 +                if (!path_is_valid(fn))
-                         return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver);
+                         return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver);
  
                  context->tcti_dl = dlopen(fn, RTLD_NOW);

pkgs/os-specific/linux/systemd/0016-systemctl-edit-suggest-systemdctl-edit-runtime-on-sy.patch

@@ -30,10 +30,10 @@ are written into `$XDG_CONFIG_HOME/systemd/user`.
  1 file changed, 3 insertions(+)
 
 diff --git a/src/systemctl/systemctl-edit.c b/src/systemctl/systemctl-edit.c
-index e3f25d52d5..81c9c6f6b7 100644
+index 367afa20f7..5777154d01 100644
 --- a/src/systemctl/systemctl-edit.c
 +++ b/src/systemctl/systemctl-edit.c
-@@ -323,6 +323,9 @@ int verb_edit(int argc, char *argv[], void *userdata) {
+@@ -322,6 +322,9 @@ int verb_edit(int argc, char *argv[], void *userdata) {
          sd_bus *bus;
          int r;
  

pkgs/os-specific/linux/systemd/0017-meson.build-do-not-create-systemdstatedir.patch

@@ -0,0 +1,21 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: nikstur <nikstur@outlook.com>
+Date: Mon, 6 Nov 2023 22:51:38 +0100
+Subject: [PATCH] meson.build: do not create systemdstatedir
+
+---
+ meson.build | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index 7419e2b0b0..c82a527976 100644
+--- a/meson.build
++++ b/meson.build
+@@ -2497,7 +2497,6 @@ install_data('LICENSE.GPL2',
+ install_subdir('LICENSES',
+                install_dir : docdir)
+ 
+-install_emptydir(systemdstatedir)
+ 
+ ############################################################
+ 

pkgs/os-specific/linux/systemd/default.nix

@@ -65,6 +65,8 @@
 , libmicrohttpd
 , libfido2
 , p11-kit
+, libpwquality
+, qrencode
 
   # the (optional) BPF feature requires bpftool, libbpf, clang and llvm-strip to be available during build time.
   # Only libbpf should be a runtime dependency.
@@ -99,6 +101,7 @@
 , withHostnamed ? true
 , withHwdb ? true
 , withImportd ? !stdenv.hostPlatform.isMusl
+, withIptables ? true
 , withKmod ? true
 , withLibBPF ? lib.versionAtLeast buildPackages.llvmPackages.clang.version "10.0"
     && (stdenv.hostPlatform.isAarch -> lib.versionAtLeast stdenv.hostPlatform.parsed.cpu.version "6") # assumes hard floats
@@ -117,10 +120,11 @@
 , withNss ? !stdenv.hostPlatform.isMusl
 , withOomd ? true
 , withPam ? true
-, withPasswordQuality ? false
+, withPasswordQuality ? true
 , withPCRE2 ? true
 , withPolkit ? true
 , withPortabled ? !stdenv.hostPlatform.isMusl
+, withQrencode ? true
 , withRemote ? !stdenv.hostPlatform.isMusl
 , withResolved ? true
 , withShellCompletions ? true
@@ -132,6 +136,7 @@
 , withUkify ? false  # adds python to closure which is too much by default
 , withUserDb ? true
 , withUtmp ? !stdenv.hostPlatform.isMusl
+, withVmspawn ? true
   # tests assume too much system access for them to be feasible for us right now
 , withTests ? false
   # build only libudev and libsystemd
@@ -154,19 +159,17 @@ assert withHomed -> withPam;
 assert withUkify -> (withEfi && withBootloader);
 assert withRepart -> withCryptsetup;
 assert withBootloader -> withEfi;
-# passwdqc is not packaged in nixpkgs yet, if you want to fix this, please submit a PR.
-assert !withPasswordQuality;
 
 let
   wantCurl = withRemote || withImportd;
   wantGcrypt = withResolved || withImportd;
-  version = "254.6";
+  version = "255.2";
 
   # Bump this variable on every (major) version change. See below (in the meson options list) for why.
   # command:
   #  $ curl -s https://api.github.com/repos/systemd/systemd/releases/latest | \
   #     jq '.created_at|strptime("%Y-%m-%dT%H:%M:%SZ")|mktime'
-  releaseTimestamp = "1690536449";
+  releaseTimestamp = "1701895110";
 in
 stdenv.mkDerivation (finalAttrs: {
   inherit pname version;
@@ -177,7 +180,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "systemd";
     repo = "systemd-stable";
     rev = "v${version}";
-    hash = "sha256-Ku24ecDeQt0t7A8/adR3Jm47QZ19+wdMPyJRzCxU4uU=";
+    hash = "sha256-8SfJY/pcH4yrDeJi0GfIUpetTbpMwyswvSu+RSfgqfY=";
   };
 
   # On major changes, or when otherwise required, you *must* reformat the patches,
@@ -192,21 +195,19 @@ stdenv.mkDerivation (finalAttrs: {
     ./0004-Add-some-NixOS-specific-unit-directories.patch
     ./0005-Get-rid-of-a-useless-message-in-user-sessions.patch
     ./0006-hostnamed-localed-timedated-disable-methods-that-cha.patch
-    ./0007-Fix-hwdb-paths.patch
-    ./0008-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
-    ./0009-localectl-use-etc-X11-xkb-for-list-x11.patch
-    ./0010-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
-    ./0011-add-rootprefix-to-lookup-dir-paths.patch
-    ./0012-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
-    ./0013-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
-    ./0014-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
-    ./0015-pkg-config-derive-prefix-from-prefix.patch
-    ./0016-inherit-systemd-environment-when-calling-generators.patch
-    ./0017-core-don-t-taint-on-unmerged-usr.patch
-    ./0018-tpm2_context_init-fix-driver-name-checking.patch
-    ./0019-systemctl-edit-suggest-systemdctl-edit-runtime-on-sy.patch
+    ./0007-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
+    ./0008-localectl-use-etc-X11-xkb-for-list-x11.patch
+    ./0009-add-rootprefix-to-lookup-dir-paths.patch
+    ./0010-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
+    ./0011-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
+    ./0012-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
+    ./0013-inherit-systemd-environment-when-calling-generators.patch
+    ./0014-core-don-t-taint-on-unmerged-usr.patch
+    ./0015-tpm2_context_init-fix-driver-name-checking.patch
+    ./0016-systemctl-edit-suggest-systemdctl-edit-runtime-on-sy.patch
+    ./0017-meson.build-do-not-create-systemdstatedir.patch
   ] ++ lib.optional (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isGnu) [
-    ./0020-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch
+    ./0018-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch
   ] ++ lib.optional stdenv.hostPlatform.isMusl (
     let
       oe-core = fetchzip {
@@ -290,14 +291,17 @@ stdenv.mkDerivation (finalAttrs: {
           { name = "libbpf.so.1"; pkg = opt withLibBPF libbpf; }
           { name = "libbpf.so.0"; pkg = null; }
 
-          # We did never provide support for libxkbcommon & qrencode
+          # We did never provide support for libxkbcommon
           { name = "libxkbcommon.so.0"; pkg = null; }
-          { name = "libqrencode.so.4"; pkg = null; }
+
+          # qrencode
+          { name = "libqrencode.so.4"; pkg = opt withQrencode qrencode; }
           { name = "libqrencode.so.3"; pkg = null; }
 
-          # We did not provide libpwquality before so it is safe to disable it for
-          # now.
-          { name = "libpwquality.so.1"; pkg = null; }
+          # Password quality
+          # We currently do not package passwdqc, only libpwquality.
+          { name = "libpwquality.so.1"; pkg = opt withPasswordQuality libpwquality; }
+          { name = "libpasswdqc.so.1"; pkg = null; }
 
           # Only include cryptsetup if it is enabled. We might not be able to
           # provide it during "bootstrap" in e.g. the minimal systemd build as
@@ -329,8 +333,7 @@ stdenv.mkDerivation (finalAttrs: {
           # Support for PKCS#11 in systemd-cryptsetup, systemd-cryptenroll and systemd-homed
           { name = "libp11-kit.so.0"; pkg = opt (withHomed || withCryptsetup) p11-kit; }
 
-          # Password quality support
-          { name = "libpasswdqc.so.1"; pkg = opt withPasswordQuality null; }
+          { name = "libip4tc.so.2"; pkg = opt withIptables iptables; }
         ];
 
       patchDlOpen = dl:
@@ -425,14 +428,14 @@ stdenv.mkDerivation (finalAttrs: {
     ++ lib.optional withApparmor libapparmor
     ++ lib.optional withAudit audit
     ++ lib.optional wantCurl (lib.getDev curl)
-    ++ lib.optionals withCompression [ bzip2 lz4 xz zstd ]
+    ++ lib.optionals withCompression [ zlib bzip2 lz4 xz zstd ]
     ++ lib.optional withCoredump elfutils
     ++ lib.optional withCryptsetup (lib.getDev cryptsetup.dev)
     ++ lib.optional withKexectools kexec-tools
     ++ lib.optional withKmod kmod
     ++ lib.optional withLibidn2 libidn2
     ++ lib.optional withLibseccomp libseccomp
-    ++ lib.optional withNetworkd iptables
+    ++ lib.optional withIptables iptables
     ++ lib.optional withPam pam
     ++ lib.optional withPCRE2 pcre2
     ++ lib.optional withSelinux libselinux
@@ -442,132 +445,167 @@ stdenv.mkDerivation (finalAttrs: {
     ++ lib.optionals withLibBPF [ libbpf ]
     ++ lib.optional withTpm2Tss tpm2-tss
     ++ lib.optional withUkify (python3Packages.python.withPackages (ps: with ps; [ pefile ]))
+    ++ lib.optionals withPasswordQuality [ libpwquality ]
+    ++ lib.optionals withQrencode [ qrencode ]
   ;
 
   mesonBuildType = "release";
 
   mesonFlags = [
-    "-Dversion-tag=${version}"
+    # Options
+
     # We bump this variable on every (major) version change to ensure
     # that we have known-good value for a timestamp that is in the (not so distant) past.
     # This serves as a lower bound for valid system timestamps during startup. Systemd will
     # reset the system timestamp if this date is +- 15 years from the system time.
     # See the systemd v250 release notes for further details:
     # https://github.com/systemd/systemd/blob/60e930fc3e6eb8a36fbc184773119eb8d2f30364/NEWS#L258-L266
-    "-Dtime-epoch=${releaseTimestamp}"
-
-    "-Dmode=release"
-    "-Ddbuspolicydir=${placeholder "out"}/share/dbus-1/system.d"
-    "-Ddbussessionservicedir=${placeholder "out"}/share/dbus-1/services"
-    "-Ddbussystemservicedir=${placeholder "out"}/share/dbus-1/system-services"
-    "-Dpam=${lib.boolToString withPam}"
-    "-Dpamconfdir=${placeholder "out"}/etc/pam.d"
-    "-Drootprefix=${placeholder "out"}"
-    "-Dpkgconfiglibdir=${placeholder "dev"}/lib/pkgconfig"
-    "-Dpkgconfigdatadir=${placeholder "dev"}/share/pkgconfig"
-    "-Dloadkeys-path=${kbd}/bin/loadkeys"
-    "-Dsetfont-path=${kbd}/bin/setfont"
-    "-Dtty-gid=3" # tty in NixOS has gid 3
-    "-Ddebug-shell=${bashInteractive}/bin/bash"
-    "-Dglib=${lib.boolToString withTests}"
-    # while we do not run tests we should also not build them. Removes about 600 targets
-    "-Dtests=false"
-    "-Dacl=${lib.boolToString withAcl}"
-    "-Danalyze=${lib.boolToString withAnalyze}"
-    "-Daudit=${lib.boolToString withAudit}"
-    "-Dgcrypt=${lib.boolToString wantGcrypt}"
-    "-Dimportd=${lib.boolToString withImportd}"
-    "-Dlz4=${lib.boolToString withCompression}"
-    "-Dhomed=${lib.boolToString withHomed}"
-    "-Dlogind=${lib.boolToString withLogind}"
-    "-Dlocaled=${lib.boolToString withLocaled}"
-    "-Dhostnamed=${lib.boolToString withHostnamed}"
-    "-Dmachined=${lib.boolToString withMachined}"
-    "-Dnetworkd=${lib.boolToString withNetworkd}"
-    "-Doomd=${lib.boolToString withOomd}"
-    "-Dpolkit=${lib.boolToString withPolkit}"
-    "-Dlibcryptsetup=${lib.boolToString withCryptsetup}"
-    "-Dportabled=${lib.boolToString withPortabled}"
-    "-Dhwdb=${lib.boolToString withHwdb}"
-    "-Dremote=${lib.boolToString withRemote}"
-    "-Dtimedated=${lib.boolToString withTimedated}"
-    "-Dtimesyncd=${lib.boolToString withTimesyncd}"
-    "-Duserdb=${lib.boolToString withUserDb}"
-    "-Dcoredump=${lib.boolToString withCoredump}"
-    "-Dfirstboot=false"
-    "-Dresolve=${lib.boolToString withResolved}"
-    "-Dsplit-usr=false"
-    "-Dlibcurl=${lib.boolToString wantCurl}"
-    "-Dlibidn=false"
-    "-Dlibidn2=${lib.boolToString withLibidn2}"
-    "-Dfirstboot=${lib.boolToString withFirstboot}"
-    "-Dsysusers=${lib.boolToString withSysusers}"
-    "-Drepart=${lib.boolToString withRepart}"
-    "-Dsysupdate=${lib.boolToString withSysupdate}"
-    "-Dquotacheck=false"
-    "-Dldconfig=false"
-    "-Dsmack=true"
-    "-Db_pie=true"
-    "-Dinstall-sysconfdir=false"
-    "-Dsbat-distro=nixos"
-    "-Dsbat-distro-summary=NixOS"
-    "-Dsbat-distro-url=https://nixos.org/"
-    "-Dsbat-distro-pkgname=${pname}"
-    "-Dsbat-distro-version=${version}"
-    /*
-      As of now, systemd doesn't allow runtime configuration of these values. So
-      the settings in /etc/login.defs have no effect on it. Many people think this
-      should be supported however, see
-      - https://github.com/systemd/systemd/issues/3855
-      - https://github.com/systemd/systemd/issues/4850
-      - https://github.com/systemd/systemd/issues/9769
-      - https://github.com/systemd/systemd/issues/9843
-      - https://github.com/systemd/systemd/issues/10184
-    */
-    "-Dsystem-uid-max=999"
-    "-Dsystem-gid-max=999"
-
-    "-Dsysvinit-path="
-    "-Dsysvrcnd-path="
-
-    "-Dsulogin-path=${util-linux.login}/bin/sulogin"
-    "-Dnologin-path=${util-linux.login}/bin/nologin"
-    "-Dmount-path=${lib.getOutput "mount" util-linux}/bin/mount"
-    "-Dumount-path=${lib.getOutput "mount" util-linux}/bin/umount"
-    "-Dcreate-log-dirs=false"
+    (lib.mesonOption "time-epoch" releaseTimestamp)
 
+    (lib.mesonOption "version-tag" version)
+    (lib.mesonOption "mode" "release")
+    (lib.mesonOption "tty-gid" "3") # tty in NixOS has gid 3
+    (lib.mesonOption "debug-shell" "${bashInteractive}/bin/bash")
+    (lib.mesonOption "pamconfdir" "${placeholder "out"}/etc/pam.d")
     # Use cgroupsv2. This is already the upstream default, but better be explicit.
-    "-Ddefault-hierarchy=unified"
-    # Upstream defaulted to disable manpages since they optimize for the much
-    # more frequent development builds
-    "-Dman=true"
+    (lib.mesonOption "default-hierarchy" "unified")
+    (lib.mesonOption "kmod-path" "${kmod}/bin/kmod")
 
-    "-Defi=${lib.boolToString withEfi}"
-    "-Dbootloader=${lib.boolToString withBootloader}"
+    # D-Bus
+    (lib.mesonOption "dbuspolicydir" "${placeholder "out"}/share/dbus-1/system.d")
+    (lib.mesonOption "dbussessionservicedir" "${placeholder "out"}/share/dbus-1/services")
+    (lib.mesonOption "dbussystemservicedir" "${placeholder "out"}/share/dbus-1/system-services")
+
+    # pkgconfig
+    (lib.mesonOption "pkgconfiglibdir" "${placeholder "dev"}/lib/pkgconfig")
+    (lib.mesonOption "pkgconfigdatadir" "${placeholder "dev"}/share/pkgconfig")
+
+    # Keyboard
+    (lib.mesonOption "loadkeys-path" "${kbd}/bin/loadkeys")
+    (lib.mesonOption "setfont-path" "${kbd}/bin/setfont")
+
+    # SBAT
+    (lib.mesonOption "sbat-distro" "nixos")
+    (lib.mesonOption "sbat-distro-summary" "NixOS")
+    (lib.mesonOption "sbat-distro-url" "https://nixos.org/")
+    (lib.mesonOption "sbat-distro-pkgname" pname)
+    (lib.mesonOption "sbat-distro-version" version)
+
+    # Users
+    (lib.mesonOption "system-uid-max" "999")
+    (lib.mesonOption "system-gid-max" "999")
+
+    # SysVinit
+    (lib.mesonOption "sysvinit-path" "")
+    (lib.mesonOption "sysvrcnd-path" "")
+
+    # Login
+    (lib.mesonOption "sulogin-path" "${util-linux.login}/bin/sulogin")
+    (lib.mesonOption "nologin-path" "${util-linux.login}/bin/nologin")
+
+    # Mount
+    (lib.mesonOption "mount-path" "${lib.getOutput "mount" util-linux}/bin/mount")
+    (lib.mesonOption "umount-path" "${lib.getOutput "mount" util-linux}/bin/umount")
+
+
+    # Features
+
+    # Tests
+    (lib.mesonBool "tests" withTests)
+    (lib.mesonEnable "glib" withTests)
+    (lib.mesonEnable "dbus" withTests)
+
+    # Compression
+    (lib.mesonEnable "bzip2" withCompression)
+    (lib.mesonEnable "lz4" withCompression)
+    (lib.mesonEnable "xz" withCompression)
+    (lib.mesonEnable "zstd" withCompression)
+    (lib.mesonEnable "zlib" withCompression)
+
+    # NSS
+    (lib.mesonEnable "nss-mymachines" withNss)
+    (lib.mesonEnable "nss-resolve" withNss)
+    (lib.mesonBool "nss-myhostname" withNss)
+    (lib.mesonBool "nss-systemd" withNss)
+
+    # Cryptsetup
+    (lib.mesonEnable "libcryptsetup" withCryptsetup)
+    (lib.mesonEnable "libcryptsetup-plugins" withCryptsetup)
+    (lib.mesonEnable "p11kit" (withHomed || withCryptsetup))
+
+    # FIDO2
+    (lib.mesonEnable "libfido2" withFido2)
+    (lib.mesonEnable "openssl" withFido2)
+
+    # Password Quality
+    (lib.mesonEnable "pwquality" withPasswordQuality)
+    (lib.mesonEnable "passwdqc" false)
+
+    # Remote
+    (lib.mesonEnable "remote" withRemote)
+    (lib.mesonEnable "microhttpd" withRemote)
+
+    (lib.mesonEnable "pam" withPam)
+    (lib.mesonEnable "acl" withAcl)
+    (lib.mesonEnable "audit" withAudit)
+    (lib.mesonEnable "apparmor" withApparmor)
+    (lib.mesonEnable "gcrypt" wantGcrypt)
+    (lib.mesonEnable "importd" withImportd)
+    (lib.mesonEnable "homed" withHomed)
+    (lib.mesonEnable "polkit" withPolkit)
+    (lib.mesonEnable "elfutils" withCoredump)
+    (lib.mesonEnable "libcurl" wantCurl)
+    (lib.mesonEnable "libidn" false)
+    (lib.mesonEnable "libidn2" withLibidn2)
+    (lib.mesonEnable "libiptc" withIptables)
+    (lib.mesonEnable "repart" withRepart)
+    (lib.mesonEnable "sysupdate" withSysupdate)
+    (lib.mesonEnable "selinux" withSelinux)
+    (lib.mesonEnable "tpm2" withTpm2Tss)
+    (lib.mesonEnable "pcre2" withPCRE2)
+    (lib.mesonEnable "bpf-framework" withLibBPF)
+    (lib.mesonEnable "bootloader" withBootloader)
+    (lib.mesonEnable "ukify" withUkify)
+    (lib.mesonEnable "kmod" withKmod)
+    (lib.mesonEnable "qrencode" withQrencode)
+    (lib.mesonEnable "vmspawn" withVmspawn)
+    (lib.mesonEnable "xenctrl" false)
+    (lib.mesonEnable "gnutls" false)
+    (lib.mesonEnable "xkbcommon" false)
+    (lib.mesonEnable "man" true)
+
+    (lib.mesonBool "analyze" withAnalyze)
+    (lib.mesonBool "logind" withLogind)
+    (lib.mesonBool "localed" withLocaled)
+    (lib.mesonBool "hostnamed" withHostnamed)
+    (lib.mesonBool "machined" withMachined)
+    (lib.mesonBool "networkd" withNetworkd)
+    (lib.mesonBool "oomd" withOomd)
+    (lib.mesonBool "portabled" withPortabled)
+    (lib.mesonBool "hwdb" withHwdb)
+    (lib.mesonBool "timedated" withTimedated)
+    (lib.mesonBool "timesyncd" withTimesyncd)
+    (lib.mesonBool "userdb" withUserDb)
+    (lib.mesonBool "coredump" withCoredump)
+    (lib.mesonBool "firstboot" withFirstboot)
+    (lib.mesonBool "resolve" withResolved)
+    (lib.mesonBool "sysusers" withSysusers)
+    (lib.mesonBool "efi" withEfi)
+    (lib.mesonBool "utmp" withUtmp)
+    (lib.mesonBool "log-trace" withLogTrace)
+    (lib.mesonBool "quotacheck" false)
+    (lib.mesonBool "ldconfig" false)
+    (lib.mesonBool "install-sysconfdir" false)
+    (lib.mesonBool "create-log-dirs" false)
+    (lib.mesonBool "smack" true)
+    (lib.mesonBool "b_pie" true)
 
-    "-Dukify=${lib.boolToString withUkify}"
   ] ++ lib.optionals (withShellCompletions == false) [
-    "-Dbashcompletiondir=no"
-    "-Dzshcompletiondir=no"
-  ] ++ lib.optionals (!withNss) [
-    "-Dnss-myhostname=false"
-    "-Dnss-mymachines=false"
-    "-Dnss-resolve=false"
-    "-Dnss-systemd=false"
-  ] ++ lib.optionals withLibBPF [
-    "-Dbpf-framework=true"
-  ] ++ lib.optionals withTpm2Tss [
-    "-Dtpm2=true"
-  ] ++ lib.optionals (!withUtmp) [
-    "-Dutmp=false"
+    (lib.mesonOption "bashcompletiondir" "no")
+    (lib.mesonOption "zshcompletiondir" "no")
   ] ++ lib.optionals stdenv.hostPlatform.isMusl [
-    "-Dgshadow=false"
-    "-Didn=false"
-  ] ++ lib.optionals withKmod [
-    "-Dkmod=true"
-    "-Dkmod-path=${kmod}/bin/kmod"
-  ] ++ lib.optionals withLogTrace [
-    "-Dlog-trace=true"
+    (lib.mesonBool "gshadow" false)
+    (lib.mesonBool "idn" false)
   ];
   preConfigure =
     let
@@ -744,7 +782,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   # Wrap in the correct path for LUKS2 tokens.
   postFixup = lib.optionalString withCryptsetup ''
-    for f in lib/systemd/systemd-cryptsetup bin/systemd-cryptenroll; do
+    for f in bin/systemd-cryptsetup bin/systemd-cryptenroll; do
       # This needs to be in LD_LIBRARY_PATH because rpath on a binary is not propagated to libraries using dlopen, in this case `libcryptsetup.so`
       wrapProgram $out/$f --prefix LD_LIBRARY_PATH : ${placeholder "out"}/lib/cryptsetup
     done
@@ -754,7 +792,7 @@ stdenv.mkDerivation (finalAttrs: {
     # To cross compile a derivation that builds a UKI with ukify, we need to wrap
     # ukify with the correct binutils. When wrapping, no splicing happens so we
     # have to explicitly pull binutils from targetPackages.
-    wrapProgram $out/lib/systemd/ukify --prefix PATH : ${lib.makeBinPath [ targetPackages.stdenv.cc.bintools ] }:${placeholder "out"}/lib/systemd
+    wrapProgram $out/bin/ukify --prefix PATH : ${lib.makeBinPath [ targetPackages.stdenv.cc.bintools ] }:${placeholder "out"}/lib/systemd
   '';
 
   disallowedReferences = lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform)

pkgs/top-level/all-packages.nix

@@ -28721,6 +28721,7 @@ with pkgs;
     withHomed = false;
     withHwdb = false;
     withImportd = false;
+    withIptables = false;
     withLibBPF = false;
     withLibidn2 = false;
     withLocaled = false;
@@ -28744,6 +28745,9 @@ with pkgs;
     withUserDb = false;
     withUkify = false;
     withBootloader = false;
+    withPasswordQuality = false;
+    withVmspawn = false;
+    withQrencode = false;
   };
   systemdLibs = systemdMinimal.override {
     pname = "systemd-minimal-libs";