Merge pull request #305054 from r-ryantm/auto-update/komga

komga: 1.10.4 -> 1.11.0

.github/workflows/backport.yml

@@ -20,7 +20,7 @@ jobs:
     if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Create backport PRs

.github/workflows/basic-eval.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
     steps:
-    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+    - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
     - uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
     - uses: cachix/cachix-action@18cf96c7c98e048e10a83abd92116114cd8504be # v14
       with:

.github/workflows/check-by-name.yml

@@ -84,7 +84,7 @@ jobs:
             exit 1
           fi
           echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           # pull_request_target checks out the base branch by default
           ref: ${{ env.mergedSha }}

.github/workflows/check-cherry-picks.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'NixOS'
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
       with:
         fetch-depth: 0
         filter: blob:none

.github/workflows/check-maintainers-sorted.yaml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'NixOS'
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge

.github/workflows/check-nix-format.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'NixOS'
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge

.github/workflows/editorconfig.yml

@@ -24,7 +24,7 @@ jobs:
     - name: print list of changed files
       run: |
         cat "$HOME/changed_files"
-    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+    - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
       with:
         # pull_request_target checks out the base branch by default
         ref: refs/pull/${{ github.event.pull_request.number }}/merge

.github/workflows/manual-nixos.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'NixOS'
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge

.github/workflows/manual-nixpkgs.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'NixOS'
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge

.github/workflows/nix-parse.yml

@@ -24,7 +24,7 @@ jobs:
         if [[ -s "$HOME/changed_files" ]]; then
           echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV"
         fi
-    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+    - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
       with:
         # pull_request_target checks out the base branch by default
         ref: refs/pull/${{ github.event.pull_request.number }}/merge

.github/workflows/periodic-merge-24h.yml

@@ -41,7 +41,7 @@ jobs:
             into: staging-23.11
     name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
 
       - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
         uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0

.github/workflows/periodic-merge-6h.yml

@@ -39,7 +39,7 @@ jobs:
             into: staging
     name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
 
       - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
         uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0

.github/workflows/update-terraform-providers.yml

@@ -16,7 +16,7 @@ jobs:
     if: github.repository_owner == 'NixOS' && github.ref == 'refs/heads/master' # ensure workflow_dispatch only runs on master
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
       - uses: cachix/install-nix-action@8887e596b4ee1134dae06b98d573bd674693f47c # v26
         with:
           nix_path: nixpkgs=channel:nixpkgs-unstable
@@ -46,7 +46,7 @@ jobs:
         run: |
           git clean -f
       - name: create PR
-        uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2
+        uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4
         with:
           body: |
             Automatic update by [update-terraform-providers](https://github.com/NixOS/nixpkgs/blob/master/.github/workflows/update-terraform-providers.yml) action.

doc/languages-frameworks/cuda.section.md

@@ -148,4 +148,4 @@ All new projects should use the CUDA redistributables available in [`cudaPackage
 | Find libraries | `configurePhase` | Missing dependency on a `dev` output | Add the missing dependency | The `dev` output typically contain CMake configuration files |
 | Find libraries | `buildPhase` or `patchelf` | Missing dependency on a `lib` or `static` output | Add the missing dependency | The `lib` or `static` output typically contain the libraries |
 
-In the scenario you are unable to run the resulting binary: this is arguably the most complicated as it could be any combination of the previous reasons. This type of failure typically occurs when a library attempts to load or open a library it depends on that it does not declare in its `DT_NEEDED` section. As a first step, ensure that dependencies are patched with [`cudaPackages.autoAddDriverRunpath`](https://search.nixos.org/packages?channel=unstable&type=packages&query=cudaPackages.autoAddDriverRunpath). Failing that, try running the application with [`nixGL`](https://github.com/guibou/nixGL) or a similar wrapper tool. If that works, it likely means that the application is attempting to load a library that is not in the `RPATH` or `RUNPATH` of the binary.
+In the scenario you are unable to run the resulting binary: this is arguably the most complicated as it could be any combination of the previous reasons. This type of failure typically occurs when a library attempts to load or open a library it depends on that it does not declare in its `DT_NEEDED` section. As a first step, ensure that dependencies are patched with [`autoAddDriverRunpath`](https://search.nixos.org/packages?channel=unstable&type=packages&query=autoAddDriverRunpath). Failing that, try running the application with [`nixGL`](https://github.com/guibou/nixGL) or a similar wrapper tool. If that works, it likely means that the application is attempting to load a library that is not in the `RPATH` or `RUNPATH` of the binary.

lib/default.nix

@@ -47,7 +47,7 @@ let
     # misc
     asserts = callLibs ./asserts.nix;
     debug = callLibs ./debug.nix;
-    misc = callLibs ./deprecated.nix;
+    misc = callLibs ./deprecated/misc.nix;
 
     # domain-specific
     fetchers = callLibs ./fetchers.nix;
@@ -89,7 +89,7 @@ let
       recurseIntoAttrs dontRecurseIntoAttrs cartesianProduct cartesianProductOfSets
       mapCartesianProduct updateManyAttrsByPath;
     inherit (self.lists) singleton forEach foldr fold foldl foldl' imap0 imap1
-      concatMap flatten remove findSingle findFirst any all count
+      ifilter0 concatMap flatten remove findSingle findFirst any all count
       optional optionals toList range replicate partition zipListsWith zipLists
       reverseList listDfs toposort sort sortOn naturalSort compareLists take
       drop sublist last init crossLists unique allUnique intersectLists

lib/deprecated/README.md

@@ -0,0 +1,11 @@
+
+# lib/deprecated
+
+Do not add any new functions to this directory.
+
+This directory contains the `lib.misc` sublibrary, which - as a location - is deprecated.
+Furthermore, some of the functions inside are of *dubious* utility, and should perhaps be avoided,
+while some functions *may still be needed*.
+
+This directory does not play a role in the deprecation process for library functions.
+They should be deprecated in place, by putting a `lib.warn` or `lib.warnIf` call around the function.

lib/lists.nix

@@ -4,7 +4,7 @@
 { lib }:
 let
   inherit (lib.strings) toInt;
-  inherit (lib.trivial) compare min id warn;
+  inherit (lib.trivial) compare min id warn pipe;
   inherit (lib.attrsets) mapAttrs;
 in
 rec {
@@ -333,6 +333,54 @@ rec {
   */
   imap1 = f: list: genList (n: f (n + 1) (elemAt list n)) (length list);
 
+  /**
+    Filter a list for elements that satisfy a predicate function.
+    The predicate function is called with both the index and value for each element.
+    It must return `true`/`false` to include/exclude a given element in the result.
+    This function is strict in the result of the predicate function for each element.
+    This function has O(n) complexity.
+
+    Also see [`builtins.filter`](https://nixos.org/manual/nix/stable/language/builtins.html#builtins-filter) (available as `lib.lists.filter`),
+    which can be used instead when the index isn't needed.
+
+    # Inputs
+
+    `ipred`
+
+    : The predicate function, it takes two arguments:
+      - 1. (int): the index of the element.
+      - 2. (a): the value of the element.
+
+      It must return `true`/`false` to include/exclude a given element from the result.
+
+    `list`
+
+    : The list to filter using the predicate.
+
+    # Type
+    ```
+    ifilter0 :: (int -> a -> bool) -> [a] -> [a]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.lists.ifilter0` usage example
+
+    ```nix
+    ifilter0 (i: v: i == 0 || v > 2) [ 1 2 3 ]
+    => [ 1 3 ]
+    ```
+    :::
+  */
+  ifilter0 =
+    ipred:
+    input:
+    map (idx: elemAt input idx) (
+      filter (idx: ipred idx (elemAt input idx)) (
+        genList (x: x) (length input)
+      )
+    );
+
   /**
     Map and concatenate the result.
 

lib/tests/misc.nix

@@ -63,8 +63,10 @@ let
     hasAttrByPath
     hasInfix
     id
+    ifilter0
     isStorePath
     lazyDerivation
+    length
     lists
     listToAttrs
     makeExtensible
@@ -651,6 +653,31 @@ runTests {
     expected = ["b" "c"];
   };
 
+  testIfilter0Example = {
+    expr = ifilter0 (i: v: i == 0 || v > 2) [ 1 2 3 ];
+    expected = [ 1 3 ];
+  };
+  testIfilter0Empty = {
+    expr = ifilter0 (i: v: abort "shouldn't be evaluated!") [ ];
+    expected = [ ];
+  };
+  testIfilter0IndexOnly = {
+    expr = length (ifilter0 (i: v: mod i 2 == 0) [ (throw "0") (throw "1") (throw "2") (throw "3")]);
+    expected = 2;
+  };
+  testIfilter0All = {
+    expr = ifilter0 (i: v: true) [ 10 11 12 13 14 15 ];
+    expected = [ 10 11 12 13 14 15 ];
+  };
+  testIfilter0First = {
+    expr = ifilter0 (i: v: i == 0) [ 10 11 12 13 14 15 ];
+    expected = [ 10 ];
+  };
+  testIfilter0Last = {
+    expr = ifilter0 (i: v: i == 5) [ 10 11 12 13 14 15 ];
+    expected = [ 15 ];
+  };
+
   testFold =
     let
       f = op: fold: fold op 0 (range 0 100);

maintainers/maintainer-list.nix

@@ -1448,6 +1448,12 @@
     githubId = 4194320;
     name = "Anton Schirg";
   };
+  anytimetraveler = {
+    email = "simon@simonscode.org";
+    github = "AnyTimeTraveler";
+    githubId = 19378309;
+    name = "Simon Struck";
+  };
   aorith = {
     email = "aomanu+nixpkgs@gmail.com";
     github = "aorith";
@@ -4442,6 +4448,12 @@
     github = "DarkOnion0";
     githubId = 68606322;
   };
+  daru-san = {
+    name = "Daru";
+    email = "zadarumaka@proton.me";
+    github = "Daru-san";
+    githubId = 135046711;
+  };
   das-g = {
     email = "nixpkgs@raphael.dasgupta.ch";
     github = "das-g";
@@ -11656,6 +11668,12 @@
     github = "LongerHV";
     githubId = 46924944;
   };
+  lonyelon = {
+    email = "sergio@lony.xyz";
+    name = "Sergio Miguéns Iglesias";
+    github = "lonyelon";
+    githubId = 18664655;
+  };
   lopsided98 = {
     email = "benwolsieffer@gmail.com";
     github = "lopsided98";
@@ -16509,6 +16527,13 @@
       fingerprint = "7573 56D7 79BB B888 773E  415E 736C CDF9 EF51 BD97";
     }];
   };
+  qyriad = {
+    email = "qyriad@qyriad.me";
+    github = "Qyriad";
+    githubId = 1542224;
+    matrix = "@qyriad:katesiria.org";
+    name = "Qyriad";
+  };
   r3dl3g = {
     email = "redleg@rothfuss-web.de";
     github = "r3dl3g";

maintainers/scripts/eval-release.nix

@@ -5,7 +5,7 @@ let
 
   trace = if builtins.getEnv "VERBOSE" == "1" then builtins.trace else (x: y: y);
 
-  rel = removeAttrs (import ../../pkgs/top-level/release.nix { }) [ "tarball" "unstable" "xbursttools" ];
+  rel = removeAttrs (import ../../pkgs/top-level/release.nix { }) [ "tarball" "unstable" ];
 
   # Add the ‘recurseForDerivations’ attribute to ensure that
   # nix-instantiate recurses into nested attribute sets.

nixos/doc/manual/release-notes/rl-2405.section.md

@@ -46,11 +46,9 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi
 
 - The default dbus implementation has transitioned to dbus-broker from the classic dbus daemon for better performance and reliability. Users can revert to the classic dbus daemon by setting `services.dbus.implementation = "dbus";`. For detailed deviations, refer to [dbus-broker's deviations page](https://github.com/bus1/dbus-broker/wiki/Deviations).
 
-- A new option `virtualisation.containers.cdi` was added. It contains `static` and `dynamic` attributes (corresponding to `/etc/cdi` and `/run/cdi` respectively) to configure the Container Device Interface (CDI).
+- `virtualisation.docker.enableNvidia` and `virtualisation.podman.enableNvidia` options are deprecated. `hardware.nvidia-container-toolkit.enable` should be used instead. This option will expose GPUs on containers with the `--device` CLI option. This is supported by Docker 25, Podman 3.2.0 and Singularity 4. Any container runtime that supports the CDI specification will take advantage of this feature.
 
-- `virtualisation.docker.enableNvidia` and `virtualisation.podman.enableNvidia` options are deprecated. `virtualisation.containers.cdi.dynamic.nvidia.enable` should be used instead. This option will expose GPUs on containers with the `--device` CLI option. This is supported by Docker 25, Podman 3.2.0 and Singularity 4. Any container runtime that supports the CDI specification will take advantage of this feature.
-
-- A new option `system.etc.overlay.enable` was added. If enabled, `/etc` is
+- `system.etc.overlay.enable` option was added. If enabled, `/etc` is
   mounted via an overlayfs instead of being created by a custom perl script.
 
 - NixOS AMIs are now uploaded regularly to a new AWS Account.
@@ -237,7 +235,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `nvtop` family of packages was reorganized into nested attrset. `nvtop` has been renamed to `nvtopPackages.full`, and all `nvtop-{amd,nvidia,intel,msm}` packages are now named as `nvtopPackages.{amd,nvidia,intel,msm}`
 
-- `neo4j` has been updated to 5, you may want to read the [release notes for Neo4j 5](https://neo4j.com/release-notes/database/neo4j-5/)
+- `neo4j` has been updated to version 5, you may want to read the [release notes for Neo4j 5](https://neo4j.com/release-notes/database/neo4j-5/)
 
 - `services.neo4j.allowUpgrade` was removed and no longer has any effect. Neo4j 5 supports automatic rolling upgrades.
 
@@ -251,37 +249,37 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `services.aria2.rpcSecret` has been replaced with `services.aria2.rpcSecretFile`.
   This was done so that secrets aren't stored in the world-readable nix store.
-  To migrate, you will have create a file with the same exact string, and change
+  To migrate, you will have to create a file with the same exact string, and change
   your module options to point to that file. For example, `services.aria2.rpcSecret =
   "mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"`
   where the file `secret_file` contains the string `mysecret`.
 
 - `openssh`, `openssh_hpn` and `openssh_gssapi` are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading
-  to another signature algorithm. It is however possible, for the time being, to restore the DSA keys support using `override` to set `dsaKeysSupport = true`.
+  to another signature algorithm. However, for the time being it is possible to restore DSA key support using `override` to set `dsaKeysSupport = true`.
 
-- `buildGoModule` now throws error when `vendorHash` is not specified. `vendorSha256`, deprecated in Nixpkgs 23.11, is now ignored and is no longer a `vendorHash` alias.
+- `buildGoModule` now throws an error when `vendorHash` is not specified. `vendorSha256`, deprecated in Nixpkgs 23.11, is now ignored and is no longer a `vendorHash` alias.
 
-- Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)
+- `services.invidious.settings.db.user`, the default database username, has changed from `kemal` to `invidious`. Setups involving an externally-provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)
 
 - `writeReferencesToFile` is deprecated in favour of the new trivial build helper `writeClosure`. The latter accepts a list of paths and has an unambiguous name and cleaner implementation.
 
 - `inetutils` now has a lower priority to avoid shadowing the commonly used `util-linux`. If one wishes to restore the default priority, simply use `lib.setPrio 5 inetutils` or override with `meta.priority = 5`.
 
-- `paperless`' `services.paperless.extraConfig` setting has been removed and converted to the freeform type and option named `services.paperless.settings`.
+- `paperless`' `services.paperless.extraConfig` setting has been removed and converted to the free-form type and option named `services.paperless.settings`.
 
-- `davfs2`' `services.davfs2.extraConfig` setting has been deprecated and converted to the freeform type option named `services.davfs2.settings` according to RFC42.
+- `davfs2`' `services.davfs2.extraConfig` setting has been deprecated and converted to the free-form type option named `services.davfs2.settings` according to RFC42.
 
-- `services.homepage-dashboard` now takes it's configuration using native Nix expressions, rather than dumping templated configurations into `/var/lib/homepage-dashboard` where they were previously managed manually. There are now new options which allow the configuration of bookmarks, services, widgets and custom CSS/JS natively in Nix.
+- `services.homepage-dashboard` now takes its configuration using native Nix expressions, rather than dumping templated configurations into `/var/lib/homepage-dashboard` where they were previously managed manually. There are now new options which allow the configuration of bookmarks, services, widgets and custom CSS/JS natively in Nix.
 
 - `hare` may now be cross-compiled. For that to work, however, `haredoc` needed to stop being built together with it. Thus, the latter is now its own package with the name of `haredoc`.
 
-- The legacy and long deprecated systemd target `network-interfaces.target` has been removed. Use `network.target` instead.
+- `network-interfaces.target` system target was removed as it has been deprecated for a long time. Use `network.target` instead.
 
 - `azure-cli` now has extension support. For example, to install the `aks-preview` extension, use
 
   ```nix
   environment.systemPackages = [
-    (azure-cli.withExtensions [ azure-cli.extensions.aks-preview ]);
+    (azure-cli.withExtensions [ azure-cli.extensions.aks-preview ])
   ];
   ```
   To make the `azure-cli` immutable and prevent clashes in case `azure-cli` is also installed via other package managers, some configuration files were moved into the derivation.
@@ -401,7 +399,11 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
   upgrade NetBox by changing `services.netbox.package`. Database migrations
   will be run automatically.
 
-- The executable file names for `firefox-devedition`, `firefox-beta`, `firefox-esr` now matches their package names, which is consistent with the `firefox-*-bin` packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher.
+- `gauge` now supports installing plugins using nix. For the old imperative approach, switch to `gauge-unwrapped`.
+  You can load plugins from an existing gauge manifest file using `gauge.fromManifest ./path/to/manifest.json` or
+  specify plugins in nix using `gauge.withPlugins (p: with p; [ js html-report xml-report ])`.
+
+- `firefox-devedition`, `firefox-beta`, `firefox-esr` executable file names for now match their package names, which is consistent with the `firefox-*-bin` packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher.
 
 - switch-to-configuration does not directly call systemd-tmpfiles anymore.
   Instead, the new artificial sysinit-reactivation.target is introduced which
@@ -472,14 +474,14 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `addDriverRunpath` has been added to facilitate the deprecation of the old `addOpenGLRunpath` setuphook. This change is motivated by the evolution of the setuphook to include all hardware acceleration.
 
-- Cinnamon has been updated to 6.0. Please beware that the [Wayland session](https://blog.linuxmint.com/?p=4591) is still experimental in this release and could potentially [affect Xorg sessions](https://blog.linuxmint.com/?p=4639). We suggest a reboot when switching between sessions.
+- (TODO awaiting feedback on code-casing package names) Cinnamon has been updated to 6.0. Please beware that the [Wayland session](https://blog.linuxmint.com/?p=4591) is still experimental in this release and could potentially [affect Xorg sessions](https://blog.linuxmint.com/?p=4639). We suggest a reboot when switching between sessions.
 
-- MATE has been updated to 1.28.
+- (TODO awaiting feedback on code-casing package names) MATE has been updated to 1.28.
   - To properly support panel plugins built with Wayland (in-process) support, we are introducing `services.xserver.desktopManager.mate.extraPanelApplets` option, please use that for installing panel applets.
   - Similarly, please use `services.xserver.desktopManager.mate.extraCajaExtensions` option for installing Caja extensions.
   - To use the Wayland session, enable `services.xserver.desktopManager.mate.enableWaylandSession`. This is opt-in for now as it is in early stage and introduces a new set of Wayfire closure. Due to [known issues with LightDM](https://github.com/canonical/lightdm/issues/63), we suggest using SDDM for display manager.
 
-- The Budgie module installs gnome-terminal by default (instead of mate-terminal).
+- The (TODO awaiting feedback on code-casing package names) Budgie module installs gnome-terminal by default (instead of mate-terminal).
 
 - New `boot.loader.systemd-boot.xbootldrMountPoint` allows setting up a separate [XBOOTLDR partition](https://uapi-group.org/specifications/specs/boot_loader_specification/) to store boot files. Useful on systems with a small EFI System partition that cannot be easily repartitioned.
 
@@ -491,7 +493,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 - The Matrix homeserver [Synapse](https://element-hq.github.io/synapse/) module now supports configuring UNIX domain socket [listeners](#opt-services.matrix-synapse.settings.listeners) through the `path` option.
   The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets.
 
-- The initrd ssh daemon module got a new option to add authorized keys via a list of files using `boot.initrd.network.ssh.authorizedKeyFiles`.
+- `boot.initrd.network.ssh.authorizedKeyFiles` is a new option in the initrd ssh daemon module, for adding authorized keys via list of files.
 
 - Programs written in [Nim](https://nim-lang.org/) are built with libraries selected by lockfiles.
   The `nimPackages` and `nim2Packages` sets have been removed.
@@ -509,9 +511,9 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `libass` now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues with `mpv`, `ffmpeg`, etc.
 
-- [Lilypond](https://lilypond.org/index.html) and [Denemo](https://www.denemo.org) are now compiled with Guile 3.0.
+- (TODO awaiting feedback on code-casing package names) [Lilypond](https://lilypond.org/index.html) and [Denemo](https://www.denemo.org) are now compiled with Guile 3.0.
 
-- Garage has been updated to v1.x.x. Users should read the [upstream release notes](https://git.deuxfleurs.fr/Deuxfleurs/garage/releases/tag/v1.0.0) and follow the documentation when changing over their `services.garage.package` and performing this manual upgrade.
+- (TODO awaiting feedback on code-casing package names) Garage has been updated to v1.x.x. Users should read the [upstream release notes](https://git.deuxfleurs.fr/Deuxfleurs/garage/releases/tag/v1.0.0) and follow the documentation when changing over their `services.garage.package` and performing this manual upgrade.
 
 - The EC2 image module now enables the [Amazon SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) by default.
 
@@ -546,7 +548,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 - New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.).
   The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime.
 
-- With a bump to `sonarr` v4, existing config database files will be upgraded automatically, but note that some old apparently-working configs [might actually be corrupt and fail to upgrade cleanly](https://forums.sonarr.tv/t/sonarr-v4-released/33089).
+- `sonarr` bumped to v4. Consequently existing config database files will be upgraded automatically, but note that some old apparently-working configs [might actually be corrupt and fail to upgrade cleanly](https://forums.sonarr.tv/t/sonarr-v4-released/33089).
 
 - The Yama LSM is now enabled by default in the kernel, which prevents ptracing
   non-child processes. This means you will not be able to attach gdb to an
@@ -556,15 +558,13 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 - The netbird module now allows running multiple tunnels in parallel through [`services.netbird.tunnels`](#opt-services.netbird.tunnels).
 
 - [Nginx virtual hosts](#opt-services.nginx.virtualHosts) using `forceSSL` or
-  `globalRedirect` can now have redirect codes other than 301 through
+  `globalRedirect` can now have redirect codes other than 301 through `redirectCode`.
 
 - `bacula` now allows to configure `TLS` for encrypted communication.
 
-  `redirectCode`.
-
 - `libjxl` 0.9.0 [dropped support for the butteraugli API](https://github.com/libjxl/libjxl/pull/2576). You will no longer be able to set `enableButteraugli` on `libaom`.
 
-- The source of the `mockgen` package has changed to the [go.uber.org/mock](https://github.com/uber-go/mock) fork because [the original repository is no longer maintained](https://github.com/golang/mock#gomock).
+- `mockgen` package source has changed to the [go.uber.org/mock](https://github.com/uber-go/mock) fork because [the original repository is no longer maintained](https://github.com/golang/mock#gomock).
 
 - `security.pam.enableSSHAgentAuth` was renamed to `security.pam.sshAgentAuth.enable` and an `authorizedKeysFiles`
   option was added, to control which `authorized_keys` files are trusted.  It defaults to the previous behaviour,
@@ -581,7 +581,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `nextcloud-setup.service` no longer changes the group of each file & directory inside `/var/lib/nextcloud/{config,data,store-apps}` if one of these directories has the wrong owner group. This was part of transitioning the group used for `/var/lib/nextcloud`, but isn't necessary anymore.
 
-- `services.kavita` now uses the freeform option `services.kavita.settings` for the application settings file.
+- `services.kavita` now uses the free-form option `services.kavita.settings` for the application settings file.
   The options `services.kavita.ipAdresses` and `services.kavita.port` now exist at `services.kavita.settings.IpAddresses`
   and `services.kavita.settings.IpAddresses`. The file at `services.kavita.tokenKeyFile` now needs to contain a secret with
   512+ bits instead of 128+ bits.
@@ -592,7 +592,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `services.soju` now has a wrapper for the `sojuctl` command, pointed at the service config file. It also has the new option `adminSocket.enable`, which creates a unix admin socket at `/run/soju/admin`.
 
-- Gitea 1.21 upgrade has several breaking changes, including:
+- `gitea` upgrade to 1.21 has several breaking changes, including:
   - Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*`
   - New instances of Gitea using MySQL now ignore the `[database].CHARSET` config option and always use the `utf8mb4` charset, existing instances should migrate via the `gitea doctor convert` CLI command.
 
@@ -604,10 +604,10 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - The `services.networkmanager.extraConfig` was renamed to `services.networkmanager.settings` and was changed to use the ini type instead of using a multiline string.
 
-- The module `services.github-runner` has been removed. To configure a single GitHub Actions Runner refer to `services.github-runners.*`. Note that this will trigger a new runner registration.
+- `services.github-runner` module has been removed. To configure a single GitHub Actions Runner refer to `services.github-runners.*`. Note that this will trigger a new runner registration.
 
 - The `services.slskd` has been refactored to include more configuation options in
-  the freeform `services.slskd.settings` option, and some defaults (including listen ports)
+  the free-form `services.slskd.settings` option, and some defaults (including listen ports)
   have been changed to match the upstream defaults. Additionally, disk logging is now
   disabled by default, and the log rotation timer has been removed.
   The nginx virtualhost option is now of the `vhost-options` type.
@@ -629,7 +629,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 - QtMultimedia has changed its default backend to `QT_MEDIA_BACKEND=ffmpeg` (previously `gstreamer` on Linux or `darwin` on MacOS).
   The previous native backends remain available but are now minimally maintained. Refer to [upstream documentation](https://doc.qt.io/qt-6/qtmultimedia-index.html#ffmpeg-as-the-default-backend) for further details about each platform.
 
-- The `drbd` out-of-tree Linux kernel driver has been added in version `9.2.7`. With it the DRBD 9.x features can be used instead of the 8.x features provided by the `8.4.11` in-tree driver.
+- The `drbd` out-of-tree Linux kernel driver has been added in version `9.2`. With it the DRBD 9.x features can be used instead of the 8.x features provided by the `8.4.11` in-tree driver.
 
 - The oil shell's c++ version is now available as `oils-for-unix`. The python version is still available as `oil`
 

nixos/lib/systemd-lib.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs }:
+{ config, lib, pkgs, utils }:
 
 let
   inherit (lib)
@@ -396,8 +396,41 @@ in rec {
     };
   };
 
-  serviceConfig = { config, ... }: {
-    config.environment.PATH = mkIf (config.path != []) "${makeBinPath config.path}:${makeSearchPathOutput "bin" "sbin" config.path}";
+  serviceConfig = { name, config, ... }: {
+    config = {
+      name = "${name}.service";
+      environment.PATH = mkIf (config.path != []) "${makeBinPath config.path}:${makeSearchPathOutput "bin" "sbin" config.path}";
+    };
+  };
+
+  pathConfig = { name, config, ... }: {
+    config = {
+      name = "${name}.path";
+    };
+  };
+
+  socketConfig = { name, config, ... }: {
+    config = {
+      name = "${name}.socket";
+    };
+  };
+
+  sliceConfig = { name, config, ... }: {
+    config = {
+      name = "${name}.slice";
+    };
+  };
+
+  targetConfig = { name, config, ... }: {
+    config = {
+      name = "${name}.target";
+    };
+  };
+
+  timerConfig = { name, config, ... }: {
+    config = {
+      name = "${name}.timer";
+    };
   };
 
   stage2ServiceConfig = {
@@ -416,6 +449,7 @@ in rec {
 
   mountConfig = { config, ... }: {
     config = {
+      name = "${utils.escapeSystemdPath config.where}.mount";
       mountConfig =
         { What = config.what;
           Where = config.where;
@@ -429,6 +463,7 @@ in rec {
 
   automountConfig = { config, ... }: {
     config = {
+      name = "${utils.escapeSystemdPath config.where}.automount";
       automountConfig =
         { Where = config.where;
         };
@@ -444,8 +479,8 @@ in rec {
       WantedBy=${concatStringsSep " " def.wantedBy}
     '';
 
-  targetToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy;
+  targetToUnit = def:
+    { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy;
       text =
         ''
           [Unit]
@@ -453,8 +488,8 @@ in rec {
         '';
     };
 
-  serviceToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy;
+  serviceToUnit = def:
+    { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy;
       text = commonUnitText def (''
         [Service]
       '' + (let env = cfg.globalEnvironment // def.environment;
@@ -463,7 +498,7 @@ in rec {
             "Environment=${toJSON "${n}=${env.${n}}"}\n";
           # systemd max line length is now 1MiB
           # https://github.com/systemd/systemd/commit/e6dde451a51dc5aaa7f4d98d39b8fe735f73d2af
-          in if stringLength s >= 1048576 then throw "The value of the environment variable ‘${n}’ in systemd service ‘${name}.service’ is too long." else s) (attrNames env))
+          in if stringLength s >= 1048576 then throw "The value of the environment variable ‘${n}’ in systemd service ‘${def.name}.service’ is too long." else s) (attrNames env))
       + (if def ? reloadIfChanged && def.reloadIfChanged then ''
         X-ReloadIfChanged=true
       '' else if (def ? restartIfChanged && !def.restartIfChanged) then ''
@@ -474,8 +509,8 @@ in rec {
       '' + attrsToSection def.serviceConfig);
     };
 
-  socketToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy;
+  socketToUnit = def:
+    { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy;
       text = commonUnitText def ''
         [Socket]
         ${attrsToSection def.socketConfig}
@@ -484,40 +519,40 @@ in rec {
       '';
     };
 
-  timerToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy;
+  timerToUnit = def:
+    { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy;
       text = commonUnitText def ''
         [Timer]
         ${attrsToSection def.timerConfig}
       '';
     };
 
-  pathToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy;
+  pathToUnit = def:
+    { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy;
       text = commonUnitText def ''
         [Path]
         ${attrsToSection def.pathConfig}
       '';
     };
 
-  mountToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy;
+  mountToUnit = def:
+    { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy;
       text = commonUnitText def ''
         [Mount]
         ${attrsToSection def.mountConfig}
       '';
     };
 
-  automountToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy;
+  automountToUnit = def:
+    { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy;
       text = commonUnitText def ''
         [Automount]
         ${attrsToSection def.automountConfig}
       '';
     };
 
-  sliceToUnit = name: def:
-    { inherit (def) aliases wantedBy requiredBy upheldBy enable overrideStrategy;
+  sliceToUnit = def:
+    { inherit (def) name aliases wantedBy requiredBy upheldBy enable overrideStrategy;
       text = commonUnitText def ''
         [Slice]
         ${attrsToSection def.sliceConfig}

nixos/lib/systemd-types.nix

@@ -5,8 +5,13 @@ let
     automountConfig
     makeUnit
     mountConfig
+    pathConfig
+    sliceConfig
+    socketConfig
     stage1ServiceConfig
     stage2ServiceConfig
+    targetConfig
+    timerConfig
     unitConfig
     ;
 
@@ -48,29 +53,32 @@ let
     ;
 in
 
-rec {
+{
   units = attrsOf (submodule ({ name, config, ... }: {
     options = concreteUnitOptions;
-    config = { unit = mkDefault (makeUnit name config); };
+    config = {
+      name = mkDefault name;
+      unit = mkDefault (makeUnit name config);
+    };
   }));
 
   services = attrsOf (submodule [ stage2ServiceOptions unitConfig stage2ServiceConfig ]);
   initrdServices = attrsOf (submodule [ stage1ServiceOptions unitConfig stage1ServiceConfig ]);
 
-  targets = attrsOf (submodule [ stage2CommonUnitOptions unitConfig ]);
-  initrdTargets = attrsOf (submodule [ stage1CommonUnitOptions unitConfig ]);
+  targets = attrsOf (submodule [ stage2CommonUnitOptions unitConfig targetConfig ]);
+  initrdTargets = attrsOf (submodule [ stage1CommonUnitOptions unitConfig targetConfig ]);
 
-  sockets = attrsOf (submodule [ stage2SocketOptions unitConfig ]);
-  initrdSockets = attrsOf (submodule [ stage1SocketOptions unitConfig ]);
+  sockets = attrsOf (submodule [ stage2SocketOptions unitConfig socketConfig]);
+  initrdSockets = attrsOf (submodule [ stage1SocketOptions unitConfig socketConfig ]);
 
-  timers = attrsOf (submodule [ stage2TimerOptions unitConfig ]);
-  initrdTimers = attrsOf (submodule [ stage1TimerOptions unitConfig ]);
+  timers = attrsOf (submodule [ stage2TimerOptions unitConfig timerConfig ]);
+  initrdTimers = attrsOf (submodule [ stage1TimerOptions unitConfig timerConfig ]);
 
-  paths = attrsOf (submodule [ stage2PathOptions unitConfig ]);
-  initrdPaths = attrsOf (submodule [ stage1PathOptions unitConfig ]);
+  paths = attrsOf (submodule [ stage2PathOptions unitConfig pathConfig ]);
+  initrdPaths = attrsOf (submodule [ stage1PathOptions unitConfig pathConfig ]);
 
-  slices = attrsOf (submodule [ stage2SliceOptions unitConfig ]);
-  initrdSlices = attrsOf (submodule [ stage1SliceOptions unitConfig ]);
+  slices = attrsOf (submodule [ stage2SliceOptions unitConfig sliceConfig ]);
+  initrdSlices = attrsOf (submodule [ stage1SliceOptions unitConfig sliceConfig ]);
 
   mounts = listOf (submodule [ stage2MountOptions unitConfig mountConfig ]);
   initrdMounts = listOf (submodule [ stage1MountOptions unitConfig mountConfig ]);

nixos/lib/systemd-unit-options.nix

@@ -65,6 +65,14 @@ in rec {
       '';
     };
 
+    name = lib.mkOption {
+      type = lib.types.str;
+      description = ''
+        The name of this systemd unit, including its extension.
+        This can be used to refer to this unit from other systemd units.
+      '';
+    };
+
     overrideStrategy = mkOption {
       default = "asDropinIfExists";
       type = types.enum [ "asDropinIfExists" "asDropin" ];

nixos/lib/utils.nix

@@ -35,7 +35,8 @@ let
   inherit (lib.strings) toJSON normalizePath escapeC;
 in
 
-rec {
+let
+utils = rec {
 
   # Copy configuration files to avoid having the entire sources in the system closure
   copyFile = filePath: pkgs.runCommand (builtins.unsafeDiscardStringContext (baseNameOf filePath)) {} ''
@@ -262,11 +263,12 @@ rec {
       filter (x: !(elem (getName x) namesToRemove)) packages;
 
   systemdUtils = {
-    lib = import ./systemd-lib.nix { inherit lib config pkgs; };
+    lib = import ./systemd-lib.nix { inherit lib config pkgs utils; };
     unitOptions = import ./systemd-unit-options.nix { inherit lib systemdUtils; };
     types = import ./systemd-types.nix { inherit lib systemdUtils pkgs; };
     network = {
       units = import ./systemd-network-units.nix { inherit lib systemdUtils; };
     };
   };
-}
+};
+in utils

nixos/modules/module-list.nix

@@ -559,7 +559,7 @@
   ./services/hardware/kanata.nix
   ./services/hardware/lcd.nix
   ./services/hardware/lirc.nix
-  ./services/hardware/nvidia-container-toolkit-cdi-generator
+  ./services/hardware/nvidia-container-toolkit
   ./services/hardware/monado.nix
   ./services/hardware/nvidia-optimus.nix
   ./services/hardware/openrgb.nix

nixos/modules/services/editors/emacs.md

@@ -366,44 +366,3 @@ convenient if you regularly edit Nix files.
 You can use `woman` to get completion of all available
 man pages. For example, type `M-x woman <RET> nixos-rebuild <RET>.`
 
-### Editing DocBook 5 XML Documents {#sec-emacs-docbook-xml}
-
-Emacs includes
-[nXML](https://www.gnu.org/software/emacs/manual/html_node/nxml-mode/Introduction.html),
-a major-mode for validating and editing XML documents. When editing DocBook
-5.0 documents, such as [this one](#book-nixos-manual),
-nXML needs to be configured with the relevant schema, which is not
-included.
-
-To install the DocBook 5.0 schemas, either add
-{var}`pkgs.docbook5` to [](#opt-environment.systemPackages)
-([NixOS](#sec-declarative-package-mgmt)), or run
-`nix-env -f '<nixpkgs>' -iA docbook5`
-([Nix](#sec-ad-hoc-packages)).
-
-Then customize the variable {var}`rng-schema-locating-files` to
-include {file}`~/.emacs.d/schemas.xml` and put the following
-text into that file:
-::: {.example #ex-emacs-docbook-xml}
-### nXML Schema Configuration (`~/.emacs.d/schemas.xml`)
-
-```xml
-<?xml version="1.0"?>
-<!--
-  To let emacs find this file, evaluate:
-  (add-to-list 'rng-schema-locating-files "~/.emacs.d/schemas.xml")
--->
-<locatingRules xmlns="http://thaiopensource.com/ns/locating-rules/1.0">
-  <!--
-    Use this variation if pkgs.docbook5 is added to environment.systemPackages
-  -->
-  <namespace ns="http://docbook.org/ns/docbook"
-             uri="/run/current-system/sw/share/xml/docbook-5.0/rng/docbookxi.rnc"/>
-  <!--
-    Use this variation if installing schema with "nix-env -iA pkgs.docbook5".
-  <namespace ns="http://docbook.org/ns/docbook"
-             uri="../.nix-profile/share/xml/docbook-5.0/rng/docbookxi.rnc"/>
-  -->
-</locatingRules>
-```
-:::

nixos/modules/services/hardware/nvidia-container-toolkit-cdi-generator/cdi-generate.nix

@@ -1,60 +0,0 @@
-{
-  addDriverRunpath,
-  glibc,
-  jq,
-  lib,
-  nvidia-container-toolkit,
-  nvidia-driver,
-  runtimeShell,
-  writeScriptBin,
-}:
-let
-  mountOptions = { options = ["ro" "nosuid" "nodev" "bind"]; };
-  mounts = [
-    # FIXME: Making /usr mounts optional
-    { hostPath = lib.getExe' nvidia-driver "nvidia-cuda-mps-control";
-      containerPath = "/usr/bin/nvidia-cuda-mps-control"; }
-    { hostPath = lib.getExe' nvidia-driver "nvidia-cuda-mps-server";
-      containerPath = "/usr/bin/nvidia-cuda-mps-server"; }
-    { hostPath = lib.getExe' nvidia-driver "nvidia-debugdump";
-      containerPath = "/usr/bin/nvidia-debugdump"; }
-    { hostPath = lib.getExe' nvidia-driver "nvidia-powerd";
-      containerPath = "/usr/bin/nvidia-powerd"; }
-    { hostPath = lib.getExe' nvidia-driver "nvidia-smi";
-      containerPath = "/usr/bin/nvidia-smi"; }
-    { hostPath = lib.getExe' nvidia-container-toolkit "nvidia-ctk";
-      containerPath = "/usr/bin/nvidia-ctk"; }
-    { hostPath = "${lib.getLib glibc}/lib";
-      containerPath = "${lib.getLib glibc}/lib"; }
-
-    # FIXME: use closureinfo
-    {
-      hostPath = addDriverRunpath.driverLink;
-      containerPath = addDriverRunpath.driverLink;
-    }
-    { hostPath = "${lib.getLib glibc}/lib";
-      containerPath = "${lib.getLib glibc}/lib"; }
-    { hostPath = "${lib.getLib glibc}/lib64";
-      containerPath = "${lib.getLib glibc}/lib64"; }
-  ];
-  jqAddMountExpression = ".containerEdits.mounts[.containerEdits.mounts | length] |= . +";
-  mountsToJq = lib.concatMap
-    (mount:
-      ["${lib.getExe jq} '${jqAddMountExpression} ${builtins.toJSON (mount // mountOptions)}'"])
-    mounts;
-in
-writeScriptBin "nvidia-cdi-generator"
-''
-#! ${runtimeShell}
-
-function cdiGenerate {
-  ${lib.getExe' nvidia-container-toolkit "nvidia-ctk"} cdi generate \
-    --format json \
-    --ldconfig-path ${lib.getExe' glibc "ldconfig"} \
-    --library-search-path ${lib.getLib nvidia-driver}/lib \
-    --nvidia-ctk-path ${lib.getExe' nvidia-container-toolkit "nvidia-ctk"}
-}
-
-cdiGenerate | \
-  ${lib.concatStringsSep " | " mountsToJq} > $RUNTIME_DIRECTORY/nvidia-container-toolkit.json
-''

nixos/modules/services/hardware/nvidia-container-toolkit-cdi-generator/default.nix

@@ -1,40 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-
-  options = {
-
-    hardware.nvidia-container-toolkit-cdi-generator.enable = lib.mkOption {
-      default = false;
-      internal = true;
-      visible = false;
-      type = lib.types.bool;
-      description = ''
-        Enable dynamic CDI configuration for NVidia devices by running
-        nvidia-container-toolkit on boot.
-      '';
-    };
-
-  };
-
-  config = {
-
-    systemd.services.nvidia-container-toolkit-cdi-generator = lib.mkIf config.hardware.nvidia-container-toolkit-cdi-generator.enable {
-      description = "Container Device Interface (CDI) for Nvidia generator";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "systemd-udev-settle.service" ];
-      serviceConfig = {
-        RuntimeDirectory = "cdi";
-        RemainAfterExit = true;
-        ExecStart =
-          let
-            script = pkgs.callPackage ./cdi-generate.nix { nvidia-driver = config.hardware.nvidia.package; };
-          in
-          lib.getExe script;
-        Type = "oneshot";
-      };
-    };
-
-  };
-
-}

nixos/modules/services/hardware/nvidia-container-toolkit/cdi-generate.nix

@@ -0,0 +1,35 @@
+{
+  glibc,
+  jq,
+  lib,
+  mounts,
+  nvidia-container-toolkit,
+  nvidia-driver,
+  runtimeShell,
+  writeScriptBin,
+}: let
+  mkMount = {hostPath, containerPath, mountOptions}: {
+    inherit hostPath containerPath;
+    options = mountOptions;
+  };
+  jqAddMountExpression = ".containerEdits.mounts[.containerEdits.mounts | length] |= . +";
+  allJqMounts = lib.concatMap
+    (mount:
+      ["${lib.getExe jq} '${jqAddMountExpression} ${builtins.toJSON (mkMount mount)}'"])
+    mounts;
+in
+writeScriptBin "nvidia-cdi-generator"
+''
+#! ${runtimeShell}
+
+function cdiGenerate {
+  ${lib.getExe' nvidia-container-toolkit "nvidia-ctk"} cdi generate \
+    --format json \
+    --ldconfig-path ${lib.getExe' glibc "ldconfig"} \
+    --library-search-path ${lib.getLib nvidia-driver}/lib \
+    --nvidia-ctk-path ${lib.getExe' nvidia-container-toolkit "nvidia-ctk"}
+}
+
+cdiGenerate | \
+  ${lib.concatStringsSep " | " allJqMounts} > $RUNTIME_DIRECTORY/nvidia-container-toolkit.json
+''

nixos/modules/services/hardware/nvidia-container-toolkit/default.nix

@@ -0,0 +1,121 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    (lib.mkRenamedOptionModule
+      [ "virtualisation" "containers" "cdi" "dynamic" "nvidia" "enable" ]
+      [ "hardware" "nvidia-container-toolkit" "enable" ])
+  ];
+
+  options = let
+    mountType = {
+      options = {
+        hostPath = lib.mkOption {
+          type = lib.types.str;
+          description = "Host path.";
+        };
+        containerPath = lib.mkOption {
+          type = lib.types.str;
+          description = "Container path.";
+        };
+        mountOptions = lib.mkOption {
+          default = [ "ro" "nosuid" "nodev" "bind" ];
+          type = lib.types.listOf lib.types.str;
+          description = "Mount options.";
+        };
+      };
+    };
+  in {
+
+    hardware.nvidia-container-toolkit = {
+      enable = lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = ''
+          Enable dynamic CDI configuration for NVidia devices by running
+          nvidia-container-toolkit on boot.
+        '';
+      };
+
+      mounts = lib.mkOption {
+        type = lib.types.listOf (lib.types.submodule mountType);
+        default = [];
+        description = "Mounts to be added to every container under the Nvidia CDI profile.";
+      };
+
+      mount-nvidia-executables = lib.mkOption {
+        default = true;
+        type = lib.types.bool;
+        description = ''
+          Mount executables nvidia-smi, nvidia-cuda-mps-control, nvidia-cuda-mps-server,
+          nvidia-debugdump, nvidia-powerd and nvidia-ctk on containers.
+        '';
+      };
+
+      mount-nvidia-docker-1-directories = lib.mkOption {
+        default = true;
+        type = lib.types.bool;
+        description = ''
+          Mount nvidia-docker-1 directories on containers: /usr/local/nvidia/lib and
+          /usr/local/nvidia/lib64.
+        '';
+      };
+    };
+
+  };
+
+  config = {
+
+    hardware.nvidia-container-toolkit.mounts = let
+      nvidia-driver = config.hardware.nvidia.package;
+    in (lib.mkMerge [
+      [{ hostPath = pkgs.addDriverRunpath.driverLink;
+         containerPath = pkgs.addDriverRunpath.driverLink; }
+       { hostPath = "${lib.getLib pkgs.glibc}/lib";
+         containerPath = "${lib.getLib pkgs.glibc}/lib"; }
+       { hostPath = "${lib.getLib pkgs.glibc}/lib64";
+         containerPath = "${lib.getLib pkgs.glibc}/lib64"; }]
+      (lib.mkIf config.hardware.nvidia-container-toolkit.mount-nvidia-executables
+        [{ hostPath = lib.getExe' nvidia-driver "nvidia-cuda-mps-control";
+           containerPath = "/usr/bin/nvidia-cuda-mps-control"; }
+         { hostPath = lib.getExe' nvidia-driver "nvidia-cuda-mps-server";
+           containerPath = "/usr/bin/nvidia-cuda-mps-server"; }
+         { hostPath = lib.getExe' nvidia-driver "nvidia-debugdump";
+           containerPath = "/usr/bin/nvidia-debugdump"; }
+         { hostPath = lib.getExe' nvidia-driver "nvidia-powerd";
+           containerPath = "/usr/bin/nvidia-powerd"; }
+         { hostPath = lib.getExe' nvidia-driver "nvidia-smi";
+           containerPath = "/usr/bin/nvidia-smi"; }])
+      # nvidia-docker 1.0 uses /usr/local/nvidia/lib{,64}
+      #   e.g.
+      #     - https://gitlab.com/nvidia/container-images/cuda/-/blob/e3ff10eab3a1424fe394899df0e0f8ca5a410f0f/dist/12.3.1/ubi9/base/Dockerfile#L44
+      #     - https://github.com/NVIDIA/nvidia-docker/blob/01d2c9436620d7dde4672e414698afe6da4a282f/src/nvidia/volumes.go#L104-L173
+      (lib.mkIf config.hardware.nvidia-container-toolkit.mount-nvidia-docker-1-directories
+        [{ hostPath = "${lib.getLib nvidia-driver}/lib";
+           containerPath = "/usr/local/nvidia/lib"; }
+         { hostPath = "${lib.getLib nvidia-driver}/lib";
+           containerPath = "/usr/local/nvidia/lib64"; }])
+    ]);
+
+    systemd.services.nvidia-container-toolkit-cdi-generator = lib.mkIf config.hardware.nvidia-container-toolkit.enable {
+      description = "Container Device Interface (CDI) for Nvidia generator";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "systemd-udev-settle.service" ];
+      serviceConfig = {
+        RuntimeDirectory = "cdi";
+        RemainAfterExit = true;
+        ExecStart =
+          let
+            script = pkgs.callPackage ./cdi-generate.nix {
+              inherit (config.hardware.nvidia-container-toolkit) mounts;
+              nvidia-driver = config.hardware.nvidia.package;
+            };
+          in
+          lib.getExe script;
+        Type = "oneshot";
+      };
+    };
+
+  };
+
+}

nixos/modules/services/home-automation/evcc.nix

@@ -63,6 +63,7 @@ in
         DynamicUser = true;
         LockPersonality = true;
         MemoryDenyWriteExecute = true;
+        Restart = "on-failure";
         RestrictAddressFamilies = [
           "AF_INET"
           "AF_INET6"

nixos/modules/services/mail/roundcube.nix

@@ -7,7 +7,7 @@ let
   fpm = config.services.phpfpm.pools.roundcube;
   localDB = cfg.database.host == "localhost";
   user = cfg.database.username;
-  phpWithPspell = pkgs.php81.withExtensions ({ enabled, all }: [ all.pspell ] ++ enabled);
+  phpWithPspell = pkgs.php83.withExtensions ({ enabled, all }: [ all.pspell ] ++ enabled);
 in
 {
   options.services.roundcube = {

nixos/modules/services/networking/ssh/sshd.nix

@@ -346,6 +346,7 @@ in
                 violates the privacy of users and is not recommended.
               '';
             };
+            UsePAM = mkEnableOption "PAM authentication" // { default = true; };
             UseDns = mkOption {
               type = types.bool;
               # apply if cfg.useDns then "yes" else "no"
@@ -489,6 +490,8 @@ in
                 {manpage}`sshd_config(5)` for details.
               '';
             };
+            # Disabled by default, since pam_motd handles this.
+            PrintMotd = mkEnableOption "printing /etc/motd when a user logs in interactively";
           };
         });
       };
@@ -622,7 +625,7 @@ in
 
     networking.firewall.allowedTCPPorts = optionals cfg.openFirewall cfg.ports;
 
-    security.pam.services.sshd =
+    security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM
       { startSession = true;
         showMotd = true;
         unixAuth = cfg.settings.PasswordAuthentication;
@@ -638,8 +641,6 @@ in
 
     services.openssh.extraConfig = mkOrder 0
       ''
-        UsePAM yes
-
         Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}
 
         AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
@@ -657,7 +658,6 @@ in
         ${optionalString cfg.allowSFTP ''
           Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags}
         ''}
-        PrintMotd no # handled by pam_motd
         AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
         ${optionalString (cfg.authorizedKeysCommand != "none") ''
           AuthorizedKeysCommand ${cfg.authorizedKeysCommand}

nixos/modules/services/web-apps/coder.nix

@@ -169,7 +169,7 @@ in {
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
 
-      environment = config.environment.extra // {
+      environment = cfg.environment.extra // {
         CODER_ACCESS_URL = cfg.accessUrl;
         CODER_WILDCARD_ACCESS_URL = cfg.wildcardAccessUrl;
         CODER_PG_CONNECTION_URL = "user=${cfg.database.username} ${optionalString (cfg.database.password != null) "password=${cfg.database.password}"} database=${cfg.database.database} host=${cfg.database.host} ${optionalString (cfg.database.sslmode != null) "sslmode=${cfg.database.sslmode}"}";

nixos/modules/services/web-apps/mediawiki.nix

@@ -246,7 +246,9 @@ in
 
       passwordFile = mkOption {
         type = types.path;
-        description = "A file containing the initial password for the admin user.";
+        description = ''
+          A file containing the initial password for the administrator account "admin".
+        '';
         example = "/run/keys/mediawiki-password";
       };
 

nixos/modules/services/web-servers/nginx/default.nix

@@ -829,7 +829,7 @@ in
       sslCiphers = mkOption {
         type = types.nullOr types.str;
         # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate
-        default = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+        default = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";
         description = "Ciphers to choose from when negotiating TLS handshakes.";
       };
 

nixos/modules/system/boot/systemd.nix

@@ -595,18 +595,17 @@ in
     };
 
     systemd.units =
-         mapAttrs' (n: v: nameValuePair "${n}.path"    (pathToUnit    n v)) cfg.paths
-      // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.services
-      // mapAttrs' (n: v: nameValuePair "${n}.slice"   (sliceToUnit   n v)) cfg.slices
-      // mapAttrs' (n: v: nameValuePair "${n}.socket"  (socketToUnit  n v)) cfg.sockets
-      // mapAttrs' (n: v: nameValuePair "${n}.target"  (targetToUnit  n v)) cfg.targets
-      // mapAttrs' (n: v: nameValuePair "${n}.timer"   (timerToUnit   n v)) cfg.timers
-      // listToAttrs (map
-                   (v: let n = escapeSystemdPath v.where;
-                       in nameValuePair "${n}.mount" (mountToUnit n v)) cfg.mounts)
-      // listToAttrs (map
-                   (v: let n = escapeSystemdPath v.where;
-                       in nameValuePair "${n}.automount" (automountToUnit n v)) cfg.automounts);
+      let
+        withName = cfgToUnit: cfg: lib.nameValuePair cfg.name (cfgToUnit cfg);
+      in
+         mapAttrs' (_: withName pathToUnit) cfg.paths
+      // mapAttrs' (_: withName serviceToUnit) cfg.services
+      // mapAttrs' (_: withName sliceToUnit) cfg.slices
+      // mapAttrs' (_: withName socketToUnit) cfg.sockets
+      // mapAttrs' (_: withName targetToUnit) cfg.targets
+      // mapAttrs' (_: withName timerToUnit) cfg.timers
+      // listToAttrs (map (withName mountToUnit) cfg.mounts)
+      // listToAttrs (map (withName automountToUnit) cfg.automounts);
 
       # Environment of PID 1
       systemd.managerEnvironment = {

nixos/modules/system/boot/systemd/initrd.nix

@@ -490,18 +490,18 @@ in {
 
       targets.initrd.aliases = ["default.target"];
       units =
-           mapAttrs' (n: v: nameValuePair "${n}.path"    (pathToUnit    n v)) cfg.paths
-        // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.services
-        // mapAttrs' (n: v: nameValuePair "${n}.slice"   (sliceToUnit   n v)) cfg.slices
-        // mapAttrs' (n: v: nameValuePair "${n}.socket"  (socketToUnit  n v)) cfg.sockets
-        // mapAttrs' (n: v: nameValuePair "${n}.target"  (targetToUnit  n v)) cfg.targets
-        // mapAttrs' (n: v: nameValuePair "${n}.timer"   (timerToUnit   n v)) cfg.timers
+           mapAttrs' (n: v: nameValuePair "${n}.path"    (pathToUnit    v)) cfg.paths
+        // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit v)) cfg.services
+        // mapAttrs' (n: v: nameValuePair "${n}.slice"   (sliceToUnit   v)) cfg.slices
+        // mapAttrs' (n: v: nameValuePair "${n}.socket"  (socketToUnit  v)) cfg.sockets
+        // mapAttrs' (n: v: nameValuePair "${n}.target"  (targetToUnit  v)) cfg.targets
+        // mapAttrs' (n: v: nameValuePair "${n}.timer"   (timerToUnit   v)) cfg.timers
         // listToAttrs (map
                      (v: let n = escapeSystemdPath v.where;
-                         in nameValuePair "${n}.mount" (mountToUnit n v)) cfg.mounts)
+                         in nameValuePair "${n}.mount" (mountToUnit v)) cfg.mounts)
         // listToAttrs (map
                      (v: let n = escapeSystemdPath v.where;
-                         in nameValuePair "${n}.automount" (automountToUnit n v)) cfg.automounts);
+                         in nameValuePair "${n}.automount" (automountToUnit v)) cfg.automounts);
 
       # make sure all the /dev nodes are set up
       services.systemd-tmpfiles-setup-dev.wantedBy = ["sysinit.target"];

nixos/modules/system/boot/systemd/user.nix

@@ -175,12 +175,12 @@ in {
     };
 
     systemd.user.units =
-         mapAttrs' (n: v: nameValuePair "${n}.path"    (pathToUnit    n v)) cfg.paths
-      // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.services
-      // mapAttrs' (n: v: nameValuePair "${n}.slice"   (sliceToUnit   n v)) cfg.slices
-      // mapAttrs' (n: v: nameValuePair "${n}.socket"  (socketToUnit  n v)) cfg.sockets
-      // mapAttrs' (n: v: nameValuePair "${n}.target"  (targetToUnit  n v)) cfg.targets
-      // mapAttrs' (n: v: nameValuePair "${n}.timer"   (timerToUnit   n v)) cfg.timers;
+         mapAttrs' (n: v: nameValuePair "${n}.path"    (pathToUnit    v)) cfg.paths
+      // mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit v)) cfg.services
+      // mapAttrs' (n: v: nameValuePair "${n}.slice"   (sliceToUnit   v)) cfg.slices
+      // mapAttrs' (n: v: nameValuePair "${n}.socket"  (socketToUnit  v)) cfg.sockets
+      // mapAttrs' (n: v: nameValuePair "${n}.target"  (targetToUnit  v)) cfg.targets
+      // mapAttrs' (n: v: nameValuePair "${n}.timer"   (timerToUnit   v)) cfg.timers;
 
     # Generate timer units for all services that have a ‘startAt’ value.
     systemd.user.timers =

nixos/modules/virtualisation/containers.nix

@@ -28,43 +28,6 @@ in
       description = "Enable the OCI seccomp BPF hook";
     };
 
-    cdi = {
-      dynamic.nvidia.enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Enable dynamic CDI configuration for NVidia devices by running nvidia-container-toolkit on boot.
-        '';
-      };
-
-      static = mkOption {
-        type = types.attrs;
-        default = { };
-        description = ''
-          Declarative CDI specification. Each key of the attribute set
-          will be mapped to a file in /etc/cdi. It is required for every
-          key to be provided in JSON format.
-        '';
-        example = {
-          some-vendor = builtins.fromJSON ''
-              {
-                "cdiVersion": "0.5.0",
-                "kind": "some-vendor.com/foo",
-                "devices": [],
-                "containerEdits": []
-              }
-            '';
-
-          some-other-vendor = {
-            cdiVersion = "0.5.0";
-            kind = "some-other-vendor.com/bar";
-            devices = [];
-            containerEdits = [];
-          };
-        };
-      };
-    };
-
     containersConf.settings = mkOption {
       type = toml.type;
       default = { };
@@ -150,8 +113,6 @@ in
 
   config = lib.mkIf cfg.enable {
 
-    hardware.nvidia-container-toolkit-cdi-generator.enable = lib.mkIf cfg.cdi.dynamic.nvidia.enable true;
-
     virtualisation.containers.containersConf.cniPlugins = [ pkgs.cni-plugins ];
 
     virtualisation.containers.containersConf.settings = {
@@ -163,13 +124,7 @@ in
       };
     };
 
-    environment.etc = let
-      cdiStaticConfigurationFiles = (lib.attrsets.mapAttrs'
-        (name: value:
-          lib.attrsets.nameValuePair "cdi/${name}.json"
-            { text = builtins.toJSON value; })
-        cfg.cdi.static);
-    in {
+    environment.etc = {
       "containers/containers.conf".source =
         toml.generate "containers.conf" cfg.containersConf.settings;
 
@@ -183,7 +138,7 @@ in
       "containers/policy.json".source =
         if cfg.policy != { } then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
         else "${pkgs.skopeo.policy}/default-policy.json";
-    } // cdiStaticConfigurationFiles;
+    };
 
   };
 

nixos/modules/virtualisation/incus.nix

@@ -41,6 +41,7 @@ let
         qemu-utils
         rsync
         squashfsTools
+        swtpm
         systemd
         thin-provisioning-tools
         util-linux

nixos/tests/incus/virtual-machine.nix

@@ -30,6 +30,9 @@ in
       memorySize = 1024;
       diskSize = 4096;
 
+      # Provide a TPM to test vTPM support for guests
+      tpm.enable = true;
+
       incus.enable = true;
     };
     networking.nftables.enable = true;
@@ -47,8 +50,14 @@ in
     with subtest("virtual-machine image can be imported"):
         machine.succeed("incus image import ${vm-image-metadata}/*/*.tar.xz ${vm-image-disk}/nixos.qcow2 --alias nixos")
 
+    with subtest("virtual-machine can be created"):
+        machine.succeed("incus create nixos ${instance-name} --vm --config limits.memory=512MB --config security.secureboot=false")
+
+    with subtest("virtual tpm can be configured"):
+        machine.succeed("incus config device add ${instance-name} vtpm tpm path=/dev/tpm0")
+
     with subtest("virtual-machine can be launched and become available"):
-        machine.succeed("incus launch nixos ${instance-name} --vm --config limits.memory=512MB --config security.secureboot=false")
+        machine.succeed("incus start ${instance-name}")
         with machine.nested("Waiting for instance to start and be usable"):
           retry(instance_is_up)
 

nixos/tests/openssh.nix

@@ -22,6 +22,19 @@ in {
         ];
       };
 
+    server-allowed-users =
+      { ... }:
+
+      {
+        services.openssh = { enable = true; settings.AllowUsers = [ "alice" "bob" ]; };
+        users.groups = { alice = { }; bob = { }; carol = { }; };
+        users.users = {
+          alice = { isNormalUser = true; group = "alice"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
+          bob = { isNormalUser = true; group = "bob"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
+          carol = { isNormalUser = true; group = "carol"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
+        };
+      };
+
     server-lazy =
       { ... }:
 
@@ -95,17 +108,21 @@ in {
         };
       };
 
-    server_allowedusers =
-      { ... }:
-
+    server-no-pam =
+      { pkgs, ... }:
       {
-        services.openssh = { enable = true; settings.AllowUsers = [ "alice" "bob" ]; };
-        users.groups = { alice = { }; bob = { }; carol = { }; };
-        users.users = {
-          alice = { isNormalUser = true; group = "alice"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
-          bob = { isNormalUser = true; group = "bob"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
-          carol = { isNormalUser = true; group = "carol"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
+        programs.ssh.package = pkgs.opensshPackages.openssh.override {
+          withPAM = false;
         };
+        services.openssh = {
+          enable = true;
+          settings = {
+            UsePAM = false;
+          };
+        };
+        users.users.root.openssh.authorizedKeys.keys = [
+          snakeOilPublicKey
+        ];
       };
 
     client =
@@ -119,8 +136,10 @@ in {
     start_all()
 
     server.wait_for_unit("sshd", timeout=30)
+    server_allowed_users.wait_for_unit("sshd", timeout=30)
     server_localhost_only.wait_for_unit("sshd", timeout=30)
     server_match_rule.wait_for_unit("sshd", timeout=30)
+    server_no_pam.wait_for_unit("sshd", timeout=30)
 
     server_lazy.wait_for_unit("sshd.socket", timeout=30)
     server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30)
@@ -166,8 +185,9 @@ in {
             "cat ${snakeOilPrivateKey} > privkey.snakeoil"
         )
         client.succeed("chmod 600 privkey.snakeoil")
+        # The final segment in this IP is allocated according to the alphabetical order of machines in this test.
         client.succeed(
-            "ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@192.168.2.4 true",
+            "ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@192.168.2.5 true",
             timeout=30
         )
 
@@ -198,15 +218,25 @@ in {
         )
         client.succeed("chmod 600 privkey.snakeoil")
         client.succeed(
-            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil alice@server_allowedusers true",
+            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil alice@server-allowed-users true",
             timeout=30
         )
         client.succeed(
-            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil bob@server_allowedusers true",
+            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil bob@server-allowed-users true",
             timeout=30
         )
         client.fail(
-            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server_allowedusers true",
+            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server-allowed-users true",
+            timeout=30
+        )
+
+    with subtest("no-pam"):
+        client.succeed(
+            "cat ${snakeOilPrivateKey} > privkey.snakeoil"
+        )
+        client.succeed("chmod 600 privkey.snakeoil")
+        client.succeed(
+            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-pam true",
             timeout=30
         )
   '';

nixos/tests/systemd.nix

@@ -1,7 +1,7 @@
 import ./make-test-python.nix ({ pkgs, ... }: {
   name = "systemd";
 
-  nodes.machine = { lib, ... }: {
+  nodes.machine = { config, lib, ... }: {
     imports = [ common/user-account.nix common/x11.nix ];
 
     virtualisation.emptyDiskImages = [ 512 512 ];
@@ -38,9 +38,18 @@ import ./make-test-python.nix ({ pkgs, ... }: {
       script = "true";
     };
 
+    systemd.services.testDependency1 = {
+      description = "Test Dependency 1";
+      wantedBy = [ config.systemd.services."testservice1".name ];
+      serviceConfig.Type = "oneshot";
+      script = ''
+        true
+      '';
+    };
+
     systemd.services.testservice1 = {
       description = "Test Service 1";
-      wantedBy = [ "multi-user.target" ];
+      wantedBy = [ config.systemd.targets.multi-user.name ];
       serviceConfig.Type = "oneshot";
       script = ''
         if [ "$XXX_SYSTEM" = foo ]; then

pkgs/applications/audio/audacious/plugins.nix

@@ -41,6 +41,7 @@
 , qtmultimedia
 , qtx11extras
 , soxr
+, vgmstream
 , wavpack
 }:
 
@@ -109,6 +110,10 @@ stdenv.mkDerivation rec {
 
   dontWrapQtApps = true;
 
+  postInstall = ''
+    ln -s ${vgmstream.override { buildAudaciousPlugin = true; }}/lib/audacious/Input/* $out/lib/audacious/Input
+  '';
+
   meta = audacious.meta // {
     description = "Plugins for Audacious music player";
   };

pkgs/applications/audio/audacity/default.nix

@@ -62,13 +62,13 @@
 
 stdenv.mkDerivation rec {
   pname = "audacity";
-  version = "3.4.2";
+  version = "3.5.0";
 
   src = fetchFromGitHub {
     owner = "audacity";
     repo = "audacity";
     rev = "Audacity-${version}";
-    hash = "sha256-YlRWCu6kQYdzast7Mf29p4FvpXJHQLG7vqqo/5SNQCQ=";
+    hash = "sha256-vJhCONoEC4Bdd1ZOLLobjNgLb/DT6auuMGk8L9lj6TU=";
   };
 
   postPatch = ''

pkgs/applications/audio/galaxy-buds-client/default.nix

@@ -2,7 +2,6 @@
 , stdenv
 , buildDotnetModule
 , fetchFromGitHub
-, autoPatchelfHook
 , fontconfig
 , xorg
 , libglvnd
@@ -27,7 +26,6 @@ buildDotnetModule rec {
   dotnetFlags = [ "-p:Runtimeidentifier=linux-x64" ];
 
   nativeBuildInputs = [
-    autoPatchelfHook
     copyDesktopItems
     graphicsmagick
   ];

pkgs/applications/audio/pt2-clone/default.nix

@@ -8,13 +8,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "pt2-clone";
-  version = "1.67";
+  version = "1.68";
 
   src = fetchFromGitHub {
     owner = "8bitbubsy";
     repo = "pt2-clone";
     rev = "v${finalAttrs.version}";
-    sha256 = "sha256-fTUTXwS6A72zhKkANlSljQVvPeN5rOTyuyb8vLxYfdk=";
+    sha256 = "sha256-xlXwOxmJ5cL1ouTOnFwTvx959IDQIvJ0ZRk+G9p0HbA=";
   };
 
   nativeBuildInputs = [ cmake ];

pkgs/applications/audio/pyradio/default.nix

@@ -6,13 +6,13 @@
 
 python3Packages.buildPythonApplication rec {
   pname = "pyradio";
-  version = "0.9.3.2";
+  version = "0.9.3.4";
 
   src = fetchFromGitHub {
     owner = "coderholic";
     repo = "pyradio";
     rev = "refs/tags/${version}";
-    hash = "sha256-aIWU68bdPUsIh8QRNnF0NcK7FemmYyUHbJg9KcUALBk=";
+    hash = "sha256-QifBzQsvYU5kP5mnidOgWGBh3h2MvJm8Wo0i1v6j/cU=";
   };
 
   nativeBuildInputs = [

pkgs/applications/audio/reaper/default.nix

@@ -28,13 +28,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "reaper";
-  version = "7.14";
+  version = "7.15";
 
   src = fetchurl {
     url = url_for_platform version stdenv.hostPlatform.qemuArch;
-    hash = if stdenv.isDarwin then "sha256-cPxHriUNIG1EUmvOoW00V2Y0j+7BuxSIEbPy+qy5ZEM=" else {
-      x86_64-linux = "sha256-RgKteq157r4r088mr9wvPPa/rhmX88/lmVJ7mS17px4=";
-      aarch64-linux = "sha256-Qnb6ZoDIkfRct6dvqXKeYHgXyyEFLSj9R0hwa2bUiXo=";
+    hash = if stdenv.isDarwin then "sha256-7tWgbHIkARgsPi0buvbQb4qTqndyPwRRqut1Gj4WNZE=" else {
+      x86_64-linux = "sha256-O1xh+DKwPKTcQrNhWMX5ErKa1hXq0yeyt/XJMQav11c=";
+      aarch64-linux = "sha256-rQE8Aa+iFWpA18udCXm4JW8BPTEDeEQAupy353Sbcl8=";
     }.${stdenv.hostPlatform.system};
   };
 

pkgs/applications/audio/vgmstream/default.nix

@@ -1,6 +1,7 @@
-{ stdenv, lib, fetchFromGitHub, cmake, pkg-config
-, mpg123, ffmpeg, libvorbis, libao, jansson, speex
+{ stdenv, lib, fetchFromGitHub, cmake, pkg-config, gtk3
+, audacious, mpg123, ffmpeg, libvorbis, libao, jansson, speex
 , nix-update-script
+, buildAudaciousPlugin ? false  # only build cli by default, pkgs.audacious-plugins sets this to enable plugin support
 }:
 
 stdenv.mkDerivation rec {
@@ -19,16 +20,29 @@ stdenv.mkDerivation rec {
     extraArgs = [ "--version-regex" "r(.*)" ];
   };
 
-  nativeBuildInputs = [ cmake pkg-config ];
+  nativeBuildInputs = [
+    cmake
+    pkg-config
+  ] ++ lib.optional buildAudaciousPlugin gtk3;
 
-  buildInputs = [ mpg123 ffmpeg libvorbis libao jansson speex ];
+  buildInputs = [
+    mpg123
+    ffmpeg
+    libvorbis
+    libao
+    jansson
+    speex
+  ] ++ lib.optional buildAudaciousPlugin (audacious.override { audacious-plugins = null; });
+
+  preConfigure = ''
+    substituteInPlace cmake/dependencies/audacious.cmake \
+      --replace "pkg_get_variable(AUDACIOUS_PLUGIN_DIR audacious plugin_dir)" "set(AUDACIOUS_PLUGIN_DIR \"$out/lib/audacious\")"
+  '';
 
   cmakeFlags = [
-    # There's no nice way to build the audacious plugin without a circular dependency
-    "-DBUILD_AUDACIOUS=OFF"
     # It always tries to download it, no option to use the system one
     "-DUSE_CELT=OFF"
-  ];
+  ] ++ lib.optional (! buildAudaciousPlugin) "-DBUILD_AUDACIOUS=OFF";
 
   meta = with lib; {
     description = "A library for playback of various streamed audio formats used in video games";

pkgs/applications/backup/pika-backup/default.nix

@@ -21,20 +21,20 @@
 
 stdenv.mkDerivation rec {
   pname = "pika-backup";
-  version = "0.7.0";
+  version = "0.7.1";
 
   src = fetchFromGitLab {
     domain = "gitlab.gnome.org";
     owner = "World";
     repo = "pika-backup";
     rev = "v${version}";
-    hash = "sha256-WeFc/4TEIxw6uzLroJX1D/rEA419sghkjBt1nsPv2Ho=";
+    hash = "sha256-yxr98CJuu15TGiIXCBhU2bOgvct6jQ5xAraD9Z0sL2Q=";
   };
 
   cargoDeps = rustPlatform.fetchCargoTarball {
     inherit src;
     name = "${pname}-${version}";
-    hash = "sha256-fgPgUZxye9YUyX9/+hTye3cUypgRAegZMUTKfPxVH4s=";
+    hash = "sha256-ce8SdBvRdFp1BU9OPcByoJjCiSrAkQqtmfCeJ3B+Piw=";
   };
 
   patches = [

pkgs/applications/blockchains/bitcoin/default.nix

@@ -13,7 +13,6 @@
 , miniupnpc
 , zeromq
 , zlib
-, db48
 , sqlite
 , qrencode
 , qtbase ? null
@@ -51,7 +50,7 @@ stdenv.mkDerivation rec {
     ++ lib.optionals withGui [ wrapQtAppsHook ];
 
   buildInputs = [ boost libevent miniupnpc zeromq zlib ]
-    ++ lib.optionals withWallet [ db48 sqlite ]
+    ++ lib.optionals withWallet [ sqlite ]
     ++ lib.optionals withGui [ qrencode qtbase qttools ];
 
   postInstall = ''

pkgs/applications/blockchains/wasabibackend/default.nix

@@ -4,7 +4,6 @@
   fetchFromGitHub,
   buildDotnetModule,
   dotnetCorePackages,
-  autoPatchelfHook,
   zlib,
   openssl,
 }:
@@ -25,7 +24,6 @@ buildDotnetModule rec {
   dotnet-sdk = dotnetCorePackages.sdk_7_0;
   dotnet-runtime = dotnetCorePackages.aspnetcore_7_0;
 
-  nativeBuildInputs = [autoPatchelfHook];
   buildInputs = [stdenv.cc.cc.lib zlib];
 
   runtimeDeps = [openssl zlib];

pkgs/applications/editors/emacs/elisp-packages/manual-packages/ebuild-mode/default.nix

@@ -1,21 +1,26 @@
-{ lib, melpaBuild, fetchurl, writeText }:
+{
+  lib,
+  melpaBuild,
+  fetchzip,
+  writeText,
+}:
 
 melpaBuild rec {
   pname = "ebuild-mode";
-  version = "1.67";
+  version = "1.70";
 
-  src = fetchurl {
-    url = "https://dev.gentoo.org/~ulm/emacs/ebuild-mode-${version}.tar.xz";
-    hash = "sha256-5qxHpu1BLtI8LFnL/sAoqmo80zeyElxIdFtAsfMefUE=";
+  src = fetchzip {
+    url = "https://gitweb.gentoo.org/proj/ebuild-mode.git/snapshot/ebuild-mode-${version}.tar.bz2";
+    hash = "sha256-dOm3xJMFLelwcImIwckeQHx1GqV9PB+I45QA9UT1nCM=";
   };
 
   # not used but needs to be set; why?
-  commit = "e7b45096283ac8836f208babddfd1ea1c1d1d1d";
+  commit = "a643f177b58aa8869f2f24814e990320aa4f0f96";
 
   recipe = writeText "recipe" ''
     (ebuild-mode
-      :url "https://anongit.gentoo.org/git/proj/ebuild-mode.git"
-      :fetcher git)
+     :url "https://gitweb.gentoo.org/proj/ebuild-mode.git"
+     :fetcher git)
   '';
 
   meta = {

pkgs/applications/editors/emacs/elisp-packages/manual-packages/lsp-bridge/default.nix

@@ -11,12 +11,12 @@
 , pyright
 , ruff
 , tempel
+, writeScript
 , writeText
-, unstableGitUpdater
 }:
 
 let
-  rev = "0b30d95c6de95b150d93ecee325b95e04ff09e46";
+  rev = "4d18701bdef13f6bdc0ad58d26896dff0548dbab";
   python = python3.withPackages (ps: with ps; [
     epc
     orjson
@@ -28,13 +28,13 @@ let
 in
 melpaBuild {
   pname = "lsp-bridge";
-  version = "20231021.309"; # 3:09 UTC
+  version = "20240423.38";
 
   src = fetchFromGitHub {
     owner = "manateelazycat";
     repo = "lsp-bridge";
     inherit rev;
-    hash = "sha256-hR7bZh0ElJ8F9ToJ4dkazF19T8PE01MTcxKrjeaEp4o=";
+    hash = "sha256-6taxbsu5v/mQBwl0CPt/fsTQpclNhi2alp/xIh5omJA=";
   };
 
   commit = rev;
@@ -88,7 +88,22 @@ melpaBuild {
     runHook postCheck
   '';
 
-  passthru.updateScript = unstableGitUpdater { };
+  passthru.updateScript = writeScript "update.sh" ''
+    #!/usr/bin/env nix-shell
+    #!nix-shell -i bash -p common-updater-scripts coreutils git gnused
+    set -eu -o pipefail
+
+    tmpdir="$(mktemp -d)"
+    git clone --depth=1 https://github.com/manateelazycat/lsp-bridge.git "$tmpdir"
+
+    pushd "$tmpdir"
+    commit=$(git show -s --pretty='format:%H')
+    # Based on: https://github.com/melpa/melpa/blob/2d8716906a0c9e18d6c979d8450bf1d15dd785eb/package-build/package-build.el#L523-L533
+    version=$(TZ=UTC git show -s --pretty='format:%cd' --date='format-local:%Y%m%d.%H%M' | sed 's|\.0*|.|')
+    popd
+
+    update-source-version emacsPackages.lsp-bridge $version --rev="$commit"
+  '';
 
   meta = with lib; {
     description = "A blazingly fast LSP client for Emacs";

pkgs/applications/editors/poke/default.nix

@@ -1,37 +1,35 @@
 { lib
 , stdenv
 , fetchurl
-, gettext
 , help2man
 , pkg-config
 , texinfo
 , boehmgc
 , readline
-, guiSupport ? false, makeWrapper, tcl, tcllib, tk
-, miSupport ? true, json_c
 , nbdSupport ? !stdenv.isDarwin, libnbd
-, textStylingSupport ? true
+, textStylingSupport ? true, gettext
 , dejagnu
 
-# update script only
+  # update script only
 , writeScript
 }:
 
 let
   isCross = stdenv.hostPlatform != stdenv.buildPlatform;
-in stdenv.mkDerivation rec {
+in
+stdenv.mkDerivation (finalAttrs: {
   pname = "poke";
-  version = "3.2";
+  version = "4.0";
 
   src = fetchurl {
-    url = "mirror://gnu/${pname}/${pname}-${version}.tar.gz";
-    hash = "sha256-dY5VHdU6bM5U7JTY/CH6TWtSon0cJmcgbVmezcdPDZc=";
+    url = "mirror://gnu/poke/poke-${finalAttrs.version}.tar.gz";
+    hash = "sha256-ArqyLLH6YVOhtqknyLs81Y1QhUPBRIQqbX7nTxmXOnc=";
   };
 
   outputs = [ "out" "dev" "info" "lib" ]
-  # help2man can't cross compile because it runs `poke --help` to
-  # generate the man page
-  ++ lib.optional (!isCross) "man";
+    # help2man can't cross compile because it runs `poke --help` to
+    # generate the man page
+    ++ lib.optional (!isCross) "man";
 
   postPatch = ''
     patchShebangs .
@@ -40,53 +38,33 @@ in stdenv.mkDerivation rec {
   strictDeps = true;
 
   nativeBuildInputs = [
-    gettext
     pkg-config
     texinfo
   ] ++ lib.optionals (!isCross) [
     help2man
-  ] ++ lib.optionals guiSupport [
-    makeWrapper
-    tcl.tclPackageHook
   ];
 
   buildInputs = [ boehmgc readline ]
-  ++ lib.optionals guiSupport [ tcl tcllib tk ]
-  ++ lib.optional miSupport json_c
-  ++ lib.optional nbdSupport libnbd
-  ++ lib.optional textStylingSupport gettext
-  ++ lib.optional (!isCross) dejagnu;
+    ++ lib.optional nbdSupport libnbd
+    ++ lib.optional textStylingSupport gettext
+    ++ lib.optional finalAttrs.finalPackage.doCheck dejagnu;
 
   configureFlags = [
     # libpoke depends on $datadir/poke, so we specify the datadir in
     # $lib, and later move anything else it doesn't depend on to $out
     "--datadir=${placeholder "lib"}/share"
-  ] ++ lib.optionals guiSupport [
-    "--enable-gui"
-    "--with-tcl=${tcl}/lib"
-    "--with-tk=${tk}/lib"
-    "--with-tkinclude=${tk.dev}/include"
   ];
 
   enableParallelBuilding = true;
 
-  doCheck = !isCross;
-  nativeCheckInputs = lib.optionals (!isCross) [ dejagnu ];
+  doCheck = true;
+  nativeCheckInputs = [ dejagnu ];
 
   postInstall = ''
     moveToOutput share/emacs "$out"
     moveToOutput share/vim "$out"
   '';
 
-  # Prevent tclPackageHook from auto-wrapping all binaries, we only
-  # need to wrap poke-gui
-  dontWrapTclBinaries = true;
-
-  postFixup = lib.optionalString guiSupport ''
-    wrapProgram "$out/bin/poke-gui" \
-      --prefix TCLLIBPATH ' ' "$TCLLIBPATH"
-  '';
-
   passthru = {
     updateScript = writeScript "update-poke" ''
       #!/usr/bin/env nix-shell
@@ -97,18 +75,17 @@ in stdenv.mkDerivation rec {
       # Expect the text in format of '<a href="...">poke 2.0</a>'
       new_version="$(curl -s https://www.jemarch.net/poke |
           pcregrep -o1 '>poke ([0-9.]+)</a>')"
-      update-source-version ${pname} "$new_version"
+      update-source-version poke "$new_version"
     '';
   };
 
-  meta = with lib; {
+  meta = {
     description = "Interactive, extensible editor for binary data";
     homepage = "http://www.jemarch.net/poke";
-    changelog = "https://git.savannah.gnu.org/cgit/poke.git/plain/ChangeLog?h=releases/poke-${version}";
-    license = licenses.gpl3Plus;
-    maintainers = with maintainers; [ AndersonTorres kira-bruneau ];
-    platforms = platforms.unix;
+    changelog = "https://git.savannah.gnu.org/cgit/poke.git/plain/ChangeLog?h=releases/poke-${finalAttrs.version}";
+    license = lib.licenses.gpl3Plus;
+    maintainers = with lib.maintainers; [ AndersonTorres kira-bruneau ];
+    platforms = lib.platforms.unix;
+    broken = stdenv.isDarwin && stdenv.isAarch64;
   };
-}
-
-# TODO: Enable guiSupport by default once it's more than just a stub
+})

pkgs/applications/editors/vim/plugins/generated.nix

@@ -4715,14 +4715,14 @@ final: prev:
 
   hydra-nvim = buildVimPlugin {
     pname = "hydra.nvim";
-    version = "2023-02-06";
+    version = "2024-03-15";
     src = fetchFromGitHub {
-      owner = "anuvyklack";
+      owner = "nvimtools";
       repo = "hydra.nvim";
-      rev = "3ced42c0b6a6c85583ff0f221635a7f4c1ab0dd0";
-      sha256 = "1dwhi2543drbncrqx80nsi5hw48d6my4wbsp71gx6m0clkp4469h";
+      rev = "8578056a2226ed49fc608167edc143a87f75d809";
+      sha256 = "sha256-Qxp2FigXlupAw/ZwZRVJ+hRKzVRtupV6L4a6jOslwI0=";
     };
-    meta.homepage = "https://github.com/anuvyklack/hydra.nvim/";
+    meta.homepage = "https://github.com/nvimtools/hydra.nvim/";
   };
 
   i3config-vim = buildVimPlugin {
@@ -8184,6 +8184,18 @@ final: prev:
     meta.homepage = "https://github.com/ishan9299/nvim-solarized-lua/";
   };
 
+  nvim-sops = buildVimPlugin {
+    pname = "nvim-sops";
+    version = "2023-07-31";
+    src = fetchFromGitHub {
+      owner = "lucidph3nx";
+      repo = "nvim-sops";
+      rev = "cb2209562d00ef8c6c88bdec836d9edb8fbb96ef";
+      sha256 = "0fvxnx5ji3d4kgsxl2ssqs7s567ibk4h38mz70m3nhs3sxk696lj";
+    };
+    meta.homepage = "https://github.com/lucidph3nx/nvim-sops/";
+  };
+
   nvim-spectre = buildVimPlugin {
     pname = "nvim-spectre";
     version = "2024-04-17";

pkgs/applications/editors/vim/plugins/vim-plugin-names

@@ -394,7 +394,7 @@ https://github.com/smoka7/hop.nvim/,,
 https://github.com/rktjmp/hotpot.nvim/,,
 https://github.com/lewis6991/hover.nvim/,HEAD,
 https://github.com/othree/html5.vim/,HEAD,
-https://github.com/anuvyklack/hydra.nvim/,HEAD,
+https://github.com/nvimtools/hydra.nvim/,HEAD,
 https://github.com/mboughaba/i3config.vim/,,
 https://github.com/cocopon/iceberg.vim/,,
 https://github.com/idris-hackers/idris-vim/,,
@@ -688,6 +688,7 @@ https://github.com/dstein64/nvim-scrollview/,,
 https://github.com/s1n7ax/nvim-search-and-replace/,HEAD,
 https://github.com/dcampos/nvim-snippy/,HEAD,
 https://github.com/ishan9299/nvim-solarized-lua/,,
+https://github.com/lucidph3nx/nvim-sops/,HEAD,
 https://github.com/nvim-pack/nvim-spectre/,,
 https://github.com/chrisgrieser/nvim-spider/,HEAD,
 https://github.com/kylechui/nvim-surround/,main,

pkgs/applications/editors/vscode/extensions/default.nix

@@ -1793,8 +1793,8 @@ let
         mktplcRef = {
           publisher = "github";
           name = "copilot";
-          version = "1.172.758";
-          hash = "sha256-sK3IiA4mQ6Hse+UpZ81Zb5iBSREzTrs7ypsfGbJiXm4=";
+          version = "1.180.827";
+          hash = "sha256-HA1na9FoExIiAay+tEjxWKqpG2+wq4Oww77Gl2Bhciw=";
         };
 
         meta = {
@@ -1810,8 +1810,8 @@ let
         mktplcRef = {
           publisher = "github";
           name = "copilot-chat";
-          version = "0.13.2024022301"; # compatible with vscode >= 1.87
-          hash = "sha256-WdojLEdrg6iqTH/cNPEWb6VEfk+gIHh2M5GHrAURjy8=";
+          version = "0.14.2024032901";  # compatible with vscode 1.88.1
+          hash = "sha256-+6N7IGO5j0wP5Zg8CwapHeKGWiZzc43VM4jCtqJDJIQ=";
         };
         meta = {
           description = "GitHub Copilot Chat is a companion extension to GitHub Copilot that houses experimental chat features";
@@ -2073,6 +2073,22 @@ let
         };
       };
 
+      hiukky.flate = buildVscodeMarketplaceExtension {
+        mktplcRef = {
+          name = "flate";
+          publisher = "hiukky";
+          version = "0.7.0";
+          hash = "sha256-6ouYQk7mHCJdGrcutM1EXolJAT7/Sp1hi+Bu0983GKw=";
+        };
+        meta = {
+          description = "Colorful dark themes for VS Code";
+          downloadPage = "https://marketplace.visualstudio.com/items?itemName=hiukky.flate";
+          homepage = "https://github.com/hiukky/flate";
+          license = lib.licenses.mit;
+          maintainers = [ lib.maintainers.stunkymonkey ];
+        };
+      };
+
       hookyqr.beautify = buildVscodeMarketplaceExtension {
         mktplcRef = {
           name = "beautify";

pkgs/applications/editors/vscode/extensions/ms-python.vscode-pylance/default.nix

@@ -8,8 +8,8 @@ vscode-utils.buildVscodeMarketplaceExtension {
   mktplcRef = {
     name = "vscode-pylance";
     publisher = "MS-python";
-    version = "2023.8.50";
-    hash = "sha256-xJU/j5r/Idp/0VorEfciT4SFKRBpMCv9Z0LKO/++1Gk=";
+    version = "2024.4.1";
+    hash = "sha256-huKu6yefGXOay5Az4vksopRt8heoLxvKUrg/J1NlQFo=";
   };
 
   buildInputs = [ pyright ];

pkgs/applications/editors/vscode/extensions/nvarner.typst-lsp/default.nix

@@ -12,8 +12,8 @@ vscode-utils.buildVscodeMarketplaceExtension {
     publisher = "nvarner";
     # Please update the corresponding binary (typst-lsp) when updating
     # this extension.
-    version = "0.12.1";
-    hash = "sha256-JcfFaR1wU5XwapH8vnfVy7Cb7DfUWVeoLfBV3wEtCpE=";
+    version = "0.13.0";
+    hash = "sha256-xiFUJymZOTEqlGvCHvLiI0pVg7NLgIXhZ7x8yx+a5mY=";
   };
 
   nativeBuildInputs = [

pkgs/applications/emulators/cemu/default.nix

@@ -46,13 +46,13 @@ let
 
 in stdenv.mkDerivation rec {
   pname = "cemu";
-  version = "2.0-78";
+  version = "2.0-79";
 
   src = fetchFromGitHub {
     owner = "cemu-project";
     repo = "Cemu";
     rev = "v${version}";
-    hash = "sha256-ivdqO44+8sDgOshUDFc+4eTgzcEDSiPPIawyktYpob4=";
+    hash = "sha256-vSZLiRzOOJJMgycjI5xpgJcUAj5WCz241mAABgNuECw=";
   };
 
   patches = [

pkgs/applications/emulators/retroarch/hashes.json

@@ -693,10 +693,10 @@
         "src": {
             "owner": "libretro",
             "repo": "libretro-uae",
-            "rev": "3c4f02622bd9ab4bbfc5e90cea9c7e60cf410073",
-            "hash": "sha256-UMbD1RcgQmilBwwzvakUIWWWwg78sl1YT9EOE3Rhyao="
+            "rev": "4806716da70cf1f030788b43190d71aae61e2041",
+            "hash": "sha256-MNqk8ItSC//82HsRfXVYCH+Xd2GV8OA/2heZprx89PY="
         },
-        "version": "unstable-2024-04-12"
+        "version": "unstable-2024-04-19"
     },
     "quicknes": {
         "fetcher": "fetchFromGitHub",

pkgs/applications/emulators/wine/sources.nix

@@ -69,9 +69,9 @@ in rec {
 
   unstable = fetchurl rec {
     # NOTE: Don't forget to change the hash for staging as well.
-    version = "9.6";
+    version = "9.7";
     url = "https://dl.winehq.org/wine/source/9.x/wine-${version}.tar.xz";
-    hash = "sha256-Dglg7YK2AX6ILtozOLrRJwoRd7bPBfA6wfqxVavoIEg=";
+    hash = "sha256-2fPDM2VuiL1M71Mx80sci2nJZKUnWe73RdjdrlGhU1M=";
     inherit (stable) patches;
 
     ## see http://wiki.winehq.org/Gecko
@@ -88,9 +88,9 @@ in rec {
 
     ## see http://wiki.winehq.org/Mono
     mono = fetchurl rec {
-      version = "9.0.0";
+      version = "9.1.0";
       url = "https://dl.winehq.org/wine/wine-mono/${version}/wine-mono-${version}-x86.msi";
-      hash = "sha256-efbEMQBnVWbBEvQZm56nuUTTOBZLNL2R+hGwsKQU4cQ=";
+      hash = "sha256-igoeaDe0lN9Jkn5ddZscaQjom4ovjjrQJeHCiBiCR24=";
     };
 
     updateScript = writeShellScript "update-wine-unstable" ''
@@ -117,7 +117,7 @@ in rec {
   staging = fetchFromGitLab rec {
     # https://gitlab.winehq.org/wine/wine-staging
     inherit (unstable) version;
-    hash = "sha256-6AKN/KpmsTw9qxErhTTzqWuglgFdOAhtaoBlVRcs71Q=";
+    hash = "sha256-KU6i1P81Fr+4aZH/SJ+YibaIfX88SZMPdPcGS2mT2CE=";
     domain = "gitlab.winehq.org";
     owner = "wine";
     repo = "wine-staging";

pkgs/applications/file-managers/ranger/default.nix

@@ -1,5 +1,6 @@
-{ lib, fetchFromGitHub, python3Packages, file, less, highlight, w3m, ranger, testers
+{ lib, fetchFromGitHub, python3Packages, file, less, highlight, w3m, ranger, imagemagick, testers
 , imagePreviewSupport ? true
+, sixelPreviewSupport ? true
 , neoVimSupport ? true
 , improvedEncodingDetection ? true
 , rightToLeftTextSupport ? false
@@ -7,22 +8,23 @@
 
 python3Packages.buildPythonApplication rec {
   pname = "ranger";
-  version = "1.9.3";
+  version = "1.9.3-unstable-2023-08-23";
 
   src = fetchFromGitHub {
     owner = "ranger";
     repo = "ranger";
-    rev = "v${version}";
-    sha256= "1rygfryczanvqxn43lmlkgs04sbqznbvbb9hlbm3h5qgdcl0xlw8";
+    rev = "38bb8901004b75a407ffee4b9e176bc0a436cb15";
+    hash = "sha256-NpsrABk95xHNvhlRjKFh326IW83mYj1cmK3aE9JQSRo=";
   };
 
   LC_ALL = "en_US.UTF-8";
 
-  nativeCheckInputs = with python3Packages; [ pytestCheckHook ];
+  nativeCheckInputs = with python3Packages; [ pytestCheckHook astroid pylint ];
   propagatedBuildInputs = [
     less
     file
   ] ++ lib.optionals imagePreviewSupport [ python3Packages.pillow ]
+    ++ lib.optionals sixelPreviewSupport [ imagemagick ]
     ++ lib.optionals neoVimSupport [ python3Packages.pynvim ]
     ++ lib.optionals improvedEncodingDetection [ python3Packages.chardet ]
     ++ lib.optionals rightToLeftTextSupport [ python3Packages.python-bidi ];
@@ -49,10 +51,6 @@ python3Packages.buildPythonApplication rec {
       --replace "set preview_images false" "set preview_images true"
   '';
 
-  passthru.tests.version = testers.testVersion {
-    package = ranger;
-  };
-
   meta =  with lib; {
     description = "File manager with minimalistic curses interface";
     homepage = "https://ranger.github.io/";

pkgs/applications/misc/1password/default.nix

@@ -63,6 +63,8 @@ stdenv.mkDerivation {
     $out/bin/${mainProgram} --version
   '';
 
+  passthru.updateScript = ./update.sh;
+
   passthru.tests.version = testers.testVersion {
     package = _1password;
   };

pkgs/applications/misc/1password/update.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl gnused nurl xq-xml
+
+set -eu
+
+ROOT="$(dirname "$(readlink -f "$0")")"
+NIX_DRV="$ROOT/default.nix"
+if [ ! -f "$NIX_DRV" ]; then
+  echo "ERROR: cannot find default.nix in $ROOT"
+  exit 1
+fi
+
+fetch_linux() {
+  VER="$1"
+  ARCH="$2"
+  URL="https://cache.agilebits.com/dist/1P/op2/pkg/v${VER}/op_${ARCH}_v${VER}.zip"
+  nurl --hash --expr "(import <nixpkgs> { }).fetchzip { url = \"$URL\"; stripRoot = false; }"
+}
+
+fetch_darwin() {
+  VER="$1"
+  URL="https://cache.agilebits.com/dist/1P/op2/pkg/v${VER}/op_apple_universal_v${VER}.pkg"
+  nurl --hash --expr "(import <nixpkgs> { }).fetchurl { url = \"$URL\"; }"
+}
+
+replace_sha() {
+  sed -i "s|\"$1\" \"sha256-.\{44\}\"|\"$1\" \"$2\"|" "$NIX_DRV"
+}
+
+CLI_VERSION="$(curl -Ls https://app-updates.agilebits.com/product_history/CLI2 | xq -q 'h3' | head -n1)"
+
+CLI_LINUX_AARCH64_SHA256=$(fetch_linux "$CLI_VERSION" "linux_arm64")
+CLI_LINUX_I686_SHA256=$(fetch_linux "$CLI_VERSION" "linux_386")
+CLI_LINUX_X64_SHA256=$(fetch_linux "$CLI_VERSION" "linux_amd64")
+CLI_DARWIN_UNIVERSAL_SHA256=$(fetch_darwin "$CLI_VERSION")
+
+sed -i "s/version = \".*\"/version = \"$CLI_VERSION\"/" "$NIX_DRV"
+
+replace_sha "linux_arm64" "$CLI_LINUX_AARCH64_SHA256"
+replace_sha "linux_386" "$CLI_LINUX_I686_SHA256"
+replace_sha "linux_amd64" "$CLI_LINUX_X64_SHA256"
+replace_sha "apple_universal" "$CLI_DARWIN_UNIVERSAL_SHA256"

pkgs/applications/misc/avalonia-ilspy/default.nix

@@ -15,7 +15,6 @@
 , makeDesktopItem
 , copyDesktopItems
 , icoutils
-, autoPatchelfHook
 , bintools
 , fixDarwinDylibNames
 , autoSignDarwinBinariesHook
@@ -40,8 +39,7 @@ buildDotnetModule rec {
   nativeBuildInputs = [
     copyDesktopItems
     icoutils
-  ] ++ lib.optionals stdenv.hostPlatform.isLinux [ autoPatchelfHook ]
-    ++ lib.optionals stdenv.hostPlatform.isDarwin [ bintools fixDarwinDylibNames ]
+  ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ bintools fixDarwinDylibNames ]
     ++ lib.optionals (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) [ autoSignDarwinBinariesHook ];
 
   buildInputs = [

pkgs/applications/misc/bambu-studio/default.nix

@@ -1,49 +1,50 @@
-{ stdenv
-, lib
-, openexr
-, jemalloc
-, c-blosc
-, binutils
-, fetchFromGitHub
-, cmake
-, pkg-config
-, wrapGAppsHook
-, boost179
-, cereal
-, cgal_5
-, curl
-, dbus
-, eigen
-, expat
-, gcc-unwrapped
-, glew
-, glfw
-, glib
-, glib-networking
-, gmp
-, gstreamer
-, gst-plugins-base
-, gst-plugins-bad
-, gst-plugins-good
-, gtest
-, gtk3
-, hicolor-icon-theme
-, ilmbase
-, libpng
-, mesa
-, mpfr
-, nlopt
-, opencascade-occt
-, openvdb
-, pcre
-, qhull
-, systemd
-, tbb_2021_11
-, webkitgtk
-, wxGTK31
-, xorg
-, fetchpatch
-, withSystemd ? stdenv.isLinux
+{
+  stdenv,
+  lib,
+  openexr,
+  jemalloc,
+  c-blosc,
+  binutils,
+  fetchFromGitHub,
+  cmake,
+  pkg-config,
+  wrapGAppsHook,
+  boost179,
+  cereal,
+  cgal_5,
+  curl,
+  dbus,
+  eigen,
+  expat,
+  gcc-unwrapped,
+  glew,
+  glfw,
+  glib,
+  glib-networking,
+  gmp,
+  gstreamer,
+  gst-plugins-base,
+  gst-plugins-bad,
+  gst-plugins-good,
+  gtest,
+  gtk3,
+  hicolor-icon-theme,
+  ilmbase,
+  libpng,
+  mesa,
+  mpfr,
+  nlopt,
+  opencascade-occt,
+  openvdb,
+  pcre,
+  qhull,
+  systemd,
+  tbb_2021_11,
+  webkitgtk,
+  wxGTK31,
+  xorg,
+  fetchpatch,
+  withSystemd ? stdenv.isLinux,
 }:
 let
   wxGTK31' = wxGTK31.overrideAttrs (old: {
@@ -53,7 +54,14 @@ let
     ];
   });
   openvdb_tbb_2021_8 = openvdb.overrideAttrs (old: rec {
-    buildInputs = [ openexr boost179 tbb_2021_11 jemalloc c-blosc ilmbase ];
+    buildInputs = [
+      openexr
+      boost179
+      tbb_2021_11
+      jemalloc
+      c-blosc
+      ilmbase
+    ];
   });
 in
 stdenv.mkDerivation rec {
@@ -106,9 +114,7 @@ stdenv.mkDerivation rec {
     webkitgtk
     wxGTK31'
     xorg.libX11
-  ] ++ lib.optionals withSystemd [
-    systemd
-  ] ++ checkInputs;
+  ] ++ lib.optionals withSystemd [ systemd ] ++ checkInputs;
 
   patches = [
     # Fix for webkitgtk linking
@@ -169,11 +175,8 @@ stdenv.mkDerivation rec {
   # needed to prevent collisions between the LICENSE.txt files of
   # bambu-studio and orca-slicer.
   postInstall = ''
-    mkdir -p $out/share/doc
-    mv $out/LICENSE.txt $out/share/doc/LICENSE.txt
-    if [ -f $out/README.md ]; then
-      mv $out/README.md $out/share/doc/README.md
-    fi
+    mv $out/LICENSE.txt $out/share/BambuStudio/LICENSE.txt
+    mv $out/README.md $out/share/BambuStudio/README.md
   '';
 
   meta = with lib; {

pkgs/applications/misc/bambu-studio/orca-slicer.nix

@@ -1,27 +1,41 @@
-{ lib, fetchFromGitHub, makeDesktopItem, bambu-studio }:
+{
+  lib,
+  fetchFromGitHub,
+  bambu-studio,
+}:
 
-bambu-studio.overrideAttrs (finalAttrs: previousAttrs: {
-  version = "2.0.0";
-  pname = "orca-slicer";
+bambu-studio.overrideAttrs (
+  finalAttrs: previousAttrs: {
+    version = "2.0.0";
+    pname = "orca-slicer";
 
-  # Don't inherit patches from bambu-studio
-  patches = [
-    ./0001-not-for-upstream-CMakeLists-Link-against-webkit2gtk-.patch
-  ];
+    # Don't inherit patches from bambu-studio
+    patches = [ ./0001-not-for-upstream-CMakeLists-Link-against-webkit2gtk-.patch ];
 
-  src = fetchFromGitHub {
-    owner = "SoftFever";
-    repo = "OrcaSlicer";
-    rev = "v${finalAttrs.version}";
-    hash = "sha256-YlLDUH3ODIfax5QwnsVJi1JjZ9WtxP3ssqRP1C4d4bw=";
-  };
+    src = fetchFromGitHub {
+      owner = "SoftFever";
+      repo = "OrcaSlicer";
+      rev = "v${finalAttrs.version}";
+      hash = "sha256-YlLDUH3ODIfax5QwnsVJi1JjZ9WtxP3ssqRP1C4d4bw=";
+    };
 
-  meta = with lib; {
-    description = "G-code generator for 3D printers (Bambu, Prusa, Voron, VzBot, RatRig, Creality, etc";
-    homepage = "https://github.com/SoftFever/OrcaSlicer";
-    license = licenses.agpl3Only;
-    maintainers = with maintainers; [ zhaofengli ovlach pinpox ];
-    mainProgram = "orca-slicer";
-    platforms = platforms.linux;
-  };
-})
+    # needed to prevent collisions between the LICENSE.txt files of
+    # bambu-studio and orca-slicer.
+    postInstall = ''
+      mv $out/LICENSE.txt $out/share/OrcaSlicer/LICENSE.txt
+    '';
+
+    meta = with lib; {
+      description = "G-code generator for 3D printers (Bambu, Prusa, Voron, VzBot, RatRig, Creality, etc";
+      homepage = "https://github.com/SoftFever/OrcaSlicer";
+      license = licenses.agpl3Only;
+      maintainers = with maintainers; [
+        zhaofengli
+        ovlach
+        pinpox
+      ];
+      mainProgram = "orca-slicer";
+      platforms = platforms.linux;
+    };
+  }
+)

pkgs/applications/misc/calibre/default.nix

@@ -32,11 +32,11 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "calibre";
-  version = "7.8.0";
+  version = "7.9.0";
 
   src = fetchurl {
     url = "https://download.calibre-ebook.com/${finalAttrs.version}/calibre-${finalAttrs.version}.tar.xz";
-    hash = "sha256-FxYuQzzuaWZihSsmeJc6ssG3VBr2YNEi3TkXyyymLUQ=";
+    hash = "sha256-Ilzv4HXW6ZmEVNUWQm04cHZ71FEgjfWVX9IvrfYCHIk=";
   };
 
   patches = [
@@ -44,7 +44,7 @@ stdenv.mkDerivation (finalAttrs: {
     (fetchpatch {
       name = "0001-only-plugin-update.patch";
       url = "https://raw.githubusercontent.com/debian-calibre/calibre/debian/${finalAttrs.version}+ds-1/debian/patches/0001-only-plugin-update.patch";
-      hash = "sha256-uL1mSjgCl5ZRLbSuKxJM6XTfvVwog70F7vgKtQzQNEQ=";
+      hash = "sha256-mHZkUoVcoVi9XBOSvM5jyvpOTCcM91g9+Pa/lY6L5p8=";
     })
     (fetchpatch {
       name = "0007-Hardening-Qt-code.patch";

pkgs/applications/misc/gnome-frog/default.nix

@@ -25,13 +25,13 @@
 
 python3Packages.buildPythonApplication rec {
   pname = "gnome-frog";
-  version = "1.4.2";
+  version = "1.5.1";
 
   src = fetchFromGitHub {
     owner = "TenderOwl";
     repo = "Frog";
     rev = "refs/tags/${version}";
-    sha256 = "sha256-w/ENUhJt7bYy5htBLolb/HysK8/scRaPQX5qEezQcXY=";
+    sha256 = "sha256-zL6zuqHF1pTXT3l1mAFx2EL+0ThzjXfst/nEyNVorZg=";
   };
 
   format = "other";
@@ -70,7 +70,11 @@ python3Packages.buildPythonApplication rec {
   ];
 
   propagatedBuildInputs = with python3Packages; [
+    loguru
+    nanoid
+    posthog
     pygobject3
+    python-dateutil
     pillow
     pytesseract
     pyzbar

pkgs/applications/misc/gnome-frog/update-compatible-with-non-flatpak-env.patch

@@ -1,28 +1,8 @@
-diff --git a/frog/config.py b/frog/config.py
-index 9837755..b73e4e3 100644
---- a/frog/config.py
-+++ b/frog/config.py
-@@ -30,10 +30,14 @@ import os
- APP_ID = "com.github.tenderowl.frog"
- RESOURCE_PREFIX = "/com/github/tenderowl/frog"
- 
-+# This is based from the XDG Base Directory specification.
-+if not os.getenv('XDG_DATA_HOME'):
-+    os.environ['XDG_DATA_HOME'] = os.path.expanduser("~/.local/share")
-+
- if not os.path.exists(os.path.join(os.environ['XDG_DATA_HOME'], 'tessdata')):
-     os.mkdir(os.path.join(os.environ['XDG_DATA_HOME'], 'tessdata'))
- 
- tessdata_url = "https://github.com/tesseract-ocr/tessdata/raw/main/"
- tessdata_best_url = "https://github.com/tesseract-ocr/tessdata_best/raw/main/"
- tessdata_dir = os.path.join(os.environ['XDG_DATA_HOME'], 'tessdata')
--tessdata_config = f'--tessdata-dir {tessdata_dir} –psm 6'
-+tessdata_config = f'–-psm 6 --tessdata-dir {tessdata_dir}'
 diff --git a/frog/language_manager.py b/frog/language_manager.py
-index 5752be6..4f6a908 100644
+index d822c44..bc289db 100644
 --- a/frog/language_manager.py
 +++ b/frog/language_manager.py
-@@ -156,7 +156,7 @@ class LanguageManager(GObject.GObject):
+@@ -193,7 +193,7 @@ class LanguageManager(GObject.GObject):
              os.mkdir(tessdata_dir)
  
          dest_path = os.path.join(tessdata_dir, 'eng.traineddata')

pkgs/applications/misc/projectlibre/default.nix

@@ -1,46 +1,68 @@
-{ lib, stdenv, fetchgit, ant, jdk, makeWrapper, jre, coreutils, which }:
+{ lib
+, stdenv
+, fetchgit
+, ant
+, jdk
+, stripJavaArchivesHook
+, makeWrapper
+, jre
+, coreutils
+, which
+}:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation {
   pname = "projectlibre";
   version = "1.7.0";
 
   src = fetchgit {
     url = "https://git.code.sf.net/p/projectlibre/code";
     rev = "0c939507cc63e9eaeb855437189cdec79e9386c2"; # version 1.7.0 was not tagged
-    sha256 = "0vy5vgbp45ai957gaby2dj1hvmbxfdlfnwcanwqm9f8q16qipdbq";
+    hash = "sha256-eLUbsQkYuVQxt4px62hzfdUNg2zCL/VOSVEVctfbxW8=";
   };
 
-  nativeBuildInputs = [ makeWrapper ];
-  buildInputs = [ ant jdk ];
-  buildPhase = ''
-    export ANT_OPTS=-Dbuild.sysclasspath=ignore
-    ${ant}/bin/ant -f openproj_build/build.xml
-  '';
+  nativeBuildInputs = [
+    ant
+    jdk
+    stripJavaArchivesHook
+    makeWrapper
+  ];
 
-  resourcesPath = "openproj_build/resources";
-  desktopItem = "${resourcesPath}/projectlibre.desktop";
+  buildPhase = ''
+    runHook preBuild
+    ant -f openproj_build/build.xml
+    runHook postBuild
+  '';
 
   installPhase = ''
-    mkdir -p $out/share/{applications,projectlibre/samples,pixmaps,doc/projectlibre} $out/bin
+    runHook preInstall
+
+    mkdir -p $out/share/{projectlibre/samples,doc/projectlibre}
+
+    pushd openproj_build
+    cp -R dist/* $out/share/projectlibre
+    cp -R license $out/share/doc/projectlibre
+    cp -R resources/samples/* $out/share/projectlibre/samples
+    install -Dm644 resources/projectlibre.desktop -t $out/share/applications
+    install -Dm644 resources/projectlibre.png -t $out/share/pixmaps
+    install -Dm755 resources/projectlibre -t $out/bin
+    popd
+
+    substituteInPlace $out/bin/projectlibre \
+        --replace-fail "/usr/share/projectlibre" "$out/share/projectlibre"
 
-    substitute $resourcesPath/projectlibre $out/bin/projectlibre \
-      --replace "\"/usr/share/projectlibre\"" "\"$out/share/projectlibre\""
-    chmod +x $out/bin/projectlibre
     wrapProgram $out/bin/projectlibre \
-     --prefix PATH : "${jre}/bin:${coreutils}/bin:${which}/bin"
+        --prefix PATH : ${lib.makeBinPath [ jre coreutils which ]}
 
-    cp -R openproj_build/dist/* $out/share/projectlibre
-    cp -R openproj_build/license $out/share/doc/projectlibre
-    cp $desktopItem $out/share/applications
-    cp $resourcesPath/projectlibre.png $out/share/pixmaps
-    cp -R $resourcesPath/samples/* $out/share/projectlibre/samples
+    runHook postInstall
   '';
 
-  meta = with lib; {
-    homepage = "https://www.projectlibre.com/";
+  meta = {
     description = "Project-Management Software similar to MS-Project";
+    homepage = "https://www.projectlibre.com/";
+    license = lib.licenses.cpal10;
     mainProgram = "projectlibre";
-    maintainers = [ maintainers.Mogria ];
-    license = licenses.cpal10;
+    maintainers = with lib.maintainers; [ Mogria tomasajt ];
+    platforms = jre.meta.platforms;
   };
 }
+

pkgs/applications/misc/smpq/default.nix

@@ -1,27 +0,0 @@
-{ lib, stdenv, fetchurl, cmake, stormlib }:
-
-stdenv.mkDerivation rec {
-  pname = "smpq";
-  version = "1.6";
-
-  src = fetchurl {
-    url = "https://launchpad.net/smpq/trunk/${version}/+download/${pname}_${version}.orig.tar.gz";
-    sha256 = "1jqq5x3b17jy66x3kkf5hs5l322dx2v14djxxrqrnqp8bn5drlmm";
-  };
-
-  cmakeFlags = [
-    "-DWITH_KDE=OFF"
-  ];
-
-  nativeBuildInputs = [ cmake ];
-  buildInputs = [ stormlib ];
-
-  meta = with lib; {
-    description = "StormLib MPQ archiving utility";
-    homepage = "https://launchpad.net/smpq";
-    license = licenses.gpl3Only;
-    platforms = platforms.all;
-    maintainers = with maintainers; [ aanderse karolchmist ];
-    mainProgram = "smpq";
-  };
-}

pkgs/applications/misc/terminal-stocks/default.nix

@@ -2,16 +2,16 @@
 
 buildNpmPackage rec {
   pname = "terminal-stocks";
-  version = "1.0.16";
+  version = "1.0.17";
 
   src = fetchFromGitHub {
     owner = "shweshi";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-tu6SKeTVEqIqDJXimoSkMK9+l0uGqWSrlIO0KHoROSQ=";
+    hash = "sha256-hCKUUISn/TIr2o3ZtG2kSTgmUCut4NVzIzfIrg84PYI=";
   };
 
-  npmDepsHash = "sha256-13RiEBLhmKW04Tesg1s7c9rCYtRGOd/prnVARb6jpGQ=";
+  npmDepsHash = "sha256-t71SfoPYVFLWcrjv2ErWazDeaVTO4W46g4lFler86Sc=";
   dontNpmBuild = true;
 
   passthru.updateScript = nix-update-script {};

pkgs/applications/misc/wmenu/default.nix

@@ -9,6 +9,7 @@
 , pango
 , wayland
 , wayland-protocols
+, wayland-scanner
 , libxkbcommon
 , scdoc
 }:
@@ -34,7 +35,7 @@ stdenv.mkDerivation rec {
     })
   ];
 
-  nativeBuildInputs = [ pkg-config meson ninja ];
+  nativeBuildInputs = [ pkg-config meson ninja wayland-scanner ];
   buildInputs = [ cairo pango wayland libxkbcommon wayland-protocols scdoc ];
 
   meta = with lib; {

pkgs/applications/networking/browsers/brave/default.nix

@@ -6,17 +6,17 @@ callPackage ./make-brave.nix (removeAttrs args [ "callPackage" ])
     if stdenv.isAarch64 then
       {
         pname = "brave";
-        version = "1.64.122";
-        url = "https://github.com/brave/brave-browser/releases/download/v1.64.122/brave-browser_1.64.122_arm64.deb";
-        hash = "sha256-PBYiCTy/QaPfxvWAzUnXLEzBELISNSKX0kG/mYTDDEA=";
+        version = "1.65.114";
+        url = "https://github.com/brave/brave-browser/releases/download/v1.65.114/brave-browser_1.65.114_arm64.deb";
+        hash = "sha256-E5IqMmkgnwn1eyKcPQ3SZX4QpGor2W8JH+rmERuUonA=";
         platform = "aarch64-linux";
       }
     else if stdenv.isx86_64 then
       {
         pname = "brave";
-        version = "1.64.122";
-        url = "https://github.com/brave/brave-browser/releases/download/v1.64.122/brave-browser_1.64.122_amd64.deb";
-        hash = "sha256-9tSoOn9XGbX/b8n9vD9Hmpi26jzmUVJomoCFdSJoaoU=";
+        version = "1.65.114";
+        url = "https://github.com/brave/brave-browser/releases/download/v1.65.114/brave-browser_1.65.114_amd64.deb";
+        hash = "sha256-Dn6havSLcf6KCxI1hd8Ad4FsLIOYBH2KO2oCJJQHJm8=";
         platform = "x86_64-linux";
       }
     else

pkgs/applications/networking/browsers/chromium/upstream-info.nix

@@ -22,18 +22,18 @@
   ungoogled-chromium = {
     deps = {
       gn = {
-        hash = "sha256-JvilCnnb4laqwq69fay+IdAujYC1EHD7uWpkF/C8tBw=";
-        rev = "d4f94f9a6c25497b2ce0356bb99a8d202c8c1d32";
+        hash = "sha256-aEL1kIhgPAFqdb174dG093HoLhCJ07O1Kpqfu7r14wQ=";
+        rev = "22581fb46c0c0c9530caa67149ee4dd8811063cf";
         url = "https://gn.googlesource.com/gn";
-        version = "2024-02-19";
+        version = "2024-03-14";
       };
       ungoogled-patches = {
-        hash = "sha256-ojKIAkJB/gfg6scCxUYNAGx4lsquAaCySBDcUCFLqSU=";
-        rev = "d5773b0fb696ef107cc6df6a94cbe732c9e905f9";
+        hash = "sha256-zgkt0stU/H5Mji429tigVbjOq27Op8UppHTjG6neoeA=";
+        rev = "124.0.6367.60-1";
       };
     };
-    hash = "sha256-7H7h621AHPyhFYbaVFO892TtS+SP3Qu7cYUVk3ICL14=";
-    hash_deb_amd64 = "sha256-tNkO1mPZg1xltBfoWeNhLekITtZV/WNgu//i2DJb17c=";
-    version = "123.0.6312.122";
+    hash = "sha256-apEniFKhIxPo4nhp9gCU+WpiV/EB40qif4RfE7Uniog=";
+    hash_deb_amd64 = "sha256-rSbigG5/xbL32d1ntOn6gnZyxSpgrg1h7lb/RD4YROI=";
+    version = "124.0.6367.60";
   };
 }

pkgs/applications/networking/browsers/firefox/packages.nix

@@ -3,10 +3,10 @@
 {
   firefox = buildMozillaMach rec {
     pname = "firefox";
-    version = "125.0.1";
+    version = "125.0.2";
     src = fetchurl {
       url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-      sha512 = "6f2f336de8b0ec9cb19ba20c909407b7b88c0319ee3b2f1f3429133516b0c45b4c7846f287985a0cdb9f34acc7d5378ed14fb48e26bef113c8ac360501a30c4d";
+      sha512 = "f6d5fff7c5c532d2e41a246d0403bdd746981cfcb7c43f9d3d8ec85a7acc3310a52043d1e18848475cef1b63c24769e81b2b06d68ae007b68016ee51436032f1";
     };
 
     extraPatches = [

pkgs/applications/networking/browsers/microsoft-edge/default.nix

@@ -1,9 +1,9 @@
 {
   beta = import ./browser.nix {
     channel = "beta";
-    version = "124.0.2478.39";
+    version = "124.0.2478.51";
     revision = "1";
-    hash = "sha256-0KQU/JS6hlv2SLMB8RKyITUiodByBUstrhcwIefn3Yw=";
+    hash = "sha256-qQTRPkQBLRZhOqBT8U0PGcmmR2zNRxJiFl3N2UPwoSo=";
   };
   dev = import ./browser.nix {
     channel = "dev";
@@ -13,8 +13,8 @@
   };
   stable = import ./browser.nix {
     channel = "stable";
-    version = "123.0.2420.97";
+    version = "124.0.2478.51";
     revision = "1";
-    hash = "sha256-q7Pcbi0JQr/wvKIrgueD9f2Z6v1DMoD2bcRJKGqDYjs=";
+    hash = "sha256-dAiTS+KvKVwL6tNp4YsQfH4wdNIJoBJngcLBXgHArjE=";
   };
 }

pkgs/applications/networking/cluster/hubble/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "hubble";
-  version = "0.13.2";
+  version = "0.13.3";
 
   src = fetchFromGitHub {
     owner = "cilium";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-0SCuQzRwluowF48lzyLxY+0rvTOyDbpkMI7Iwb6GHJo=";
+    sha256 = "sha256-tHkLUoccOUcUjODecy1QyeuDb/aXv67sK8JHJ1IspC8=";
   };
 
   vendorHash = null;

pkgs/applications/networking/cluster/istioctl/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "istioctl";
-  version = "1.21.1";
+  version = "1.21.2";
 
   src = fetchFromGitHub {
     owner = "istio";
     repo = "istio";
     rev = version;
-    hash = "sha256-zWg0UK9RHq/25GWpsvb/U5YJPkgd7aUC/Dva8jGFwfo=";
+    hash = "sha256-U0SCjozy968pcXMGyUgM47VGYYNwPq8wOzTnKp49ZY4=";
   };
   vendorHash = "sha256-23t1xJPRip0ojXmUl1qlk6QJsYHT+9EAS080m6c0d6U=";
 

pkgs/applications/networking/cluster/kubecolor/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "kubecolor";
-  version = "0.2.2";
+  version = "0.3.1";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-zXglsfPsJi9DVxlRPniSBsdF1xEMYqqGr46ThpQj3gQ=";
+    sha256 = "sha256-1gEEmF9RRMwFAvmhLwidkVh+lnibs6x5ZHy/nJRum9E=";
   };
 
-  vendorHash = "sha256-uf7nBnS1wmbz4xcVA5qF82QMPsLdSucje1NNaPyheCw=";
+  vendorHash = "sha256-Gzz+mCEMQCcLwTiGMB8/nXk7HDAEGkEapC/VOyXrn/Q=";
 
   ldflags = [ "-s" "-w" "-X main.Version=${version}" ];
 

pkgs/applications/networking/cluster/kubectl-klock/default.nix

@@ -2,7 +2,7 @@
 
 buildGoModule rec {
   pname = "kubectl-klock";
-  version = "0.5.1";
+  version = "0.6.1";
 
   nativeBuildInputs = [ makeWrapper ];
 
@@ -10,10 +10,10 @@ buildGoModule rec {
     owner = "applejag";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-q7Wq1mTjOB7tT66+LWIwwqltQcQSHD/VHLO7nCTZTQ0=";
+    hash = "sha256-QzleoHRQ/A5ImMl43kze5ppUdiLa4n/VT02lMnaXVkg=";
   };
 
-  vendorHash = "sha256-3CJ/tmFFkmq6wHxbqk8u+GxxbSrUpB/JD5s/S7hegB8=";
+  vendorHash = "sha256-smE8mdyZ8xJOevgHs4+ozS6VOlko+Whhs/37B+hIbxo=";
 
   postInstall = ''
     makeWrapper $out/bin/kubectl-klock $out/bin/kubectl_complete-klock --add-flags __complete

pkgs/applications/networking/cluster/kubernetes/default.nix

@@ -20,13 +20,13 @@
 
 buildGoModule rec {
   pname = "kubernetes";
-  version = "1.29.4";
+  version = "1.30.0";
 
   src = fetchFromGitHub {
     owner = "kubernetes";
     repo = "kubernetes";
     rev = "v${version}";
-    hash = "sha256-7Rxbcsl77iFiHkU/ovyn74aXs/i5G/m5h5Ii0y1CRho=";
+    hash = "sha256-7xRRpchjwtV3dGbZ2hN9qj6soAuiF/K7vTY0LzE6Z5w=";
   };
 
   vendorHash = null;

pkgs/applications/networking/cluster/pachyderm/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "pachyderm";
-  version = "2.9.3";
+  version = "2.9.4";
 
   src = fetchFromGitHub {
     owner = "pachyderm";
     repo = "pachyderm";
     rev = "v${version}";
-    hash = "sha256-4ER0kjp3H5B2TrR4pI3XMvmtGrUv5ZuSM8dbDeufm2s=";
+    hash = "sha256-RF8JEmZpvUf8w89wRa+d3ItMFnInEoxxQzLJvrx1mZE=";
   };
 
-  vendorHash = "sha256-+0Df3pelty9mE1E8V+4L99/SrGK5msWn68LeB0nmAIA=";
+  vendorHash = "sha256-bAB2vMPHIcJaMobPukQyKiCq0Af0n4b5mjImTswGFTo=";
 
   subPackages = [ "src/server/cmd/pachctl" ];
 

pkgs/applications/networking/cluster/pv-migrate/default.nix

@@ -2,18 +2,18 @@
 
 buildGoModule rec {
   pname = "pv-migrate";
-  version = "1.7.1";
+  version = "1.8.0";
 
   src = fetchFromGitHub {
     owner = "utkuozdemir";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-xbg32ckxAUQkkN/yumHz4v1U4FvUcmx5ftd3+4zc3/c=";
+    sha256 = "sha256-HeK8/IZTqkrJxfmNIYOm8/jY3Fbof8t7/emdHONvMZo=";
   };
 
   subPackages = [ "cmd/pv-migrate" ];
 
-  vendorHash = "sha256-AqR9Gy8sAX4wrKGPnQUj33juBOfhUn0BR8OyJPiDrO0=";
+  vendorHash = "sha256-q8/Rb26ZY/Rn3FnESnAvPr+LrIvFFlSJnN6c0k8+sHg=";
 
   ldflags = [
     "-s"

pkgs/applications/networking/cluster/velero/default.nix

@@ -2,14 +2,14 @@
 
 buildGoModule rec {
   pname = "velero";
-  version = "1.13.1";
+  version = "1.13.2";
 
 
   src = fetchFromGitHub {
     owner = "vmware-tanzu";
     repo = "velero";
     rev = "v${version}";
-    sha256 = "sha256-Fz3FqNj2NbqU9CvtdjM8cjkZh5xLCA+AAIF/QgLJ7UA=";
+    sha256 = "sha256-Dqz8UFoGb5uG5f8mrIUIRWJUYH/ZuFavhRy2wie75/Q=";
   };
 
   ldflags = [
@@ -20,7 +20,7 @@ buildGoModule rec {
     "-X github.com/vmware-tanzu/velero/pkg/buildinfo.GitSHA=none"
   ];
 
-  vendorHash = "sha256-Fu4T2VEW5s/KCdgJLk3bf0wIUhKULK6QuNEmL99MUCI=";
+  vendorHash = "sha256-L1QTqw0L/aE4bFlLWg4/mmdHL7Sb5EsT3eL0jZIpBsA=";
 
   excludedPackages = [ "issue-template-gen" "release-tools" "v1" "velero-restic-restore-helper" ];
 

pkgs/applications/networking/instant-messengers/chatterino2/default.nix

@@ -2,12 +2,12 @@
 
 stdenv.mkDerivation rec {
   pname = "chatterino2";
-  version = "2.4.6";
+  version = "2.5.0";
   src = fetchFromGitHub {
     owner = "Chatterino";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-CQviw5Fw6v5EwjCldAQoJfAIZMWKBfBzUIQZEgW34k0=";
+    sha256 = "sha256-uR2X0NNSLyOx5n3mZcp6+wW/7L7rHHH2MlOF+c0Uzm0=";
     fetchSubmodules = true;
   };
   nativeBuildInputs = [ cmake pkg-config qt6.wrapQtAppsHook ];

pkgs/applications/networking/instant-messengers/cinny-desktop/default.nix

@@ -1,6 +1,10 @@
 { lib
+, stdenv
+, darwin
 , fetchFromGitHub
+, rust
 , rustPlatform
+, cargo-tauri
 , cinny
 , copyDesktopItems
 , wrapGAppsHook
@@ -16,6 +20,7 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "cinny-desktop";
+  # We have to be using the same version as cinny-web or this isn't going to work.
   version = "3.1.0";
 
   src = fetchFromGitHub {
@@ -37,33 +42,48 @@ rustPlatform.buildRustPackage rec {
   in ''
     substituteInPlace tauri.conf.json \
       --replace '"distDir": "../cinny/dist",' '"distDir": "${cinny'}",'
-
+    substituteInPlace tauri.conf.json \
+      --replace '"cd cinny && npm run build"' '""'
+  '' + lib.optionalString stdenv.hostPlatform.isLinux ''
     substituteInPlace $cargoDepsCopy/libappindicator-sys-*/src/lib.rs \
       --replace "libayatana-appindicator3.so.1" "${libayatana-appindicator}/lib/libayatana-appindicator3.so.1"
   '';
 
-  postInstall = ''
+  postBuild = lib.optionalString stdenv.hostPlatform.isDarwin ''
+    cargo tauri build --bundles app --target "${rust.envVars.rustHostPlatform}"
+  '';
+
+  postInstall = lib.optionalString stdenv.hostPlatform.isLinux ''
     install -DT icons/128x128@2x.png $out/share/icons/hicolor/256x256@2/apps/cinny.png
     install -DT icons/128x128.png $out/share/icons/hicolor/128x128/apps/cinny.png
     install -DT icons/32x32.png $out/share/icons/hicolor/32x32/apps/cinny.png
+  '' + lib.optionalString stdenv.hostPlatform.isDarwin ''
+    mkdir -p "$out/Applications/"
+    cp -r "target/${rust.envVars.rustHostPlatform}/release/bundle/macos/Cinny.app" "$out/Applications/"
+    ln -sf "$out/Applications/Cinny.app/Contents/MacOS/Cinny" "$out/bin/cinny"
   '';
 
   nativeBuildInputs = [
     copyDesktopItems
     wrapGAppsHook
     pkg-config
+    cargo-tauri
   ];
 
   buildInputs = [
     openssl
     dbus
     glib
+  ] ++ lib.optionals stdenv.hostPlatform.isLinux [
     glib-networking
     libayatana-appindicator
     webkitgtk
+  ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
+    darwin.DarwinTools
+    darwin.apple_sdk.frameworks.WebKit
   ];
 
-  desktopItems = [
+  desktopItems = lib.optionals stdenv.hostPlatform.isLinux [
     (makeDesktopItem {
       name = "cinny";
       exec = "cinny";
@@ -77,9 +97,9 @@ rustPlatform.buildRustPackage rec {
   meta = with lib; {
     description = "Yet another matrix client for desktop";
     homepage = "https://github.com/cinnyapp/cinny-desktop";
-    maintainers = [ ];
+    maintainers = with maintainers; [ qyriad ];
     license = licenses.agpl3Only;
-    platforms = platforms.linux;
+    platforms = platforms.linux ++ platforms.darwin;
     mainProgram = "cinny";
   };
 }

pkgs/applications/networking/instant-messengers/discord/default.nix

@@ -2,14 +2,14 @@
 let
   versions =
     if stdenv.isLinux then {
-      stable = "0.0.49";
-      ptb = "0.0.78";
-      canary = "0.0.346";
+      stable = "0.0.50";
+      ptb = "0.0.80";
+      canary = "0.0.357";
       development = "0.0.17";
     } else {
-      stable = "0.0.300";
-      ptb = "0.0.107";
-      canary = "0.0.468";
+      stable = "0.0.301";
+      ptb = "0.0.109";
+      canary = "0.0.477";
       development = "0.0.39";
     };
   version = versions.${branch};
@@ -17,15 +17,15 @@ let
     x86_64-linux = {
       stable = fetchurl {
         url = "https://dl.discordapp.net/apps/linux/${version}/discord-${version}.tar.gz";
-        hash = "sha256-rVSYAkTZTlurnbUeYJFCgsPcsCqjJ1bJneQQiyhmvwQ=";
+        hash = "sha256-6VXdVLk7Z8NGQMiSdgBRd8NIueUktkId6BXYKNABb+4=";
       };
       ptb = fetchurl {
         url = "https://dl-ptb.discordapp.net/apps/linux/${version}/discord-ptb-${version}.tar.gz";
-        hash = "sha256-Fp94BsR6Fzy4tV+c5ToP9GKg6GC/TryGvHWLupew4Z8=";
+        hash = "sha256-y/ntnHIYcY35Jszh0PrFy395eJ5dBWwLNpzHMoSZuNA=";
       };
       canary = fetchurl {
         url = "https://dl-canary.discordapp.net/apps/linux/${version}/discord-canary-${version}.tar.gz";
-        hash = "sha256-/FBVo3ptZk2YQPoq+VpyxMlSWYlVb8ChpKW5YH/BM7U=";
+        hash = "sha256-sDwC5kPzAfvQmsrq6M/GPFtUaT9pNAEB4uGI5Mn3oXs=";
       };
       development = fetchurl {
         url = "https://dl-development.discordapp.net/apps/linux/${version}/discord-development-${version}.tar.gz";
@@ -35,15 +35,15 @@ let
     x86_64-darwin = {
       stable = fetchurl {
         url = "https://dl.discordapp.net/apps/osx/${version}/Discord.dmg";
-        hash = "sha256-f9YIlzRESzzxtD9/us1DY5acu2HYo+UrwS7GWk9RwCk=";
+        hash = "sha256-h7C1wCKtUGcMFUhoKVdD7Vq9TGUaXfmjlVhwmRdhqYw=";
       };
       ptb = fetchurl {
         url = "https://dl-ptb.discordapp.net/apps/osx/${version}/DiscordPTB.dmg";
-        hash = "sha256-etxXrO9Ksacbdes3DT1Tm4kKD/t40jGUeSAegdexRqc=";
+        hash = "sha256-xxLnzELuI0X2r/weP1K2Bb51uRh1JjR72p7cXzy12Kc=";
       };
       canary = fetchurl {
         url = "https://dl-canary.discordapp.net/apps/osx/${version}/DiscordCanary.dmg";
-        hash = "sha256-UOoXDwAa5pFukqTCmUfM89QVK5jB13id8ek/gwWajMM=";
+        hash = "sha256-xEDtEtZNhOTtz+zRLLQBSeLbntlVAVQsocAGyAaVePM=";
       };
       development = fetchurl {
         url = "https://dl-development.discordapp.net/apps/osx/${version}/DiscordDevelopment.dmg";

pkgs/applications/networking/instant-messengers/signal-desktop/generic.nix

@@ -120,6 +120,8 @@ in stdenv.mkDerivation rec {
     libappindicator-gtk3
     libnotify
     libdbusmenu
+    pipewire
+    stdenv.cc.cc
     xdg-utils
     wayland
   ];
@@ -158,7 +160,6 @@ in stdenv.mkDerivation rec {
 
   preFixup = ''
     gappsWrapperArgs+=(
-      --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ stdenv.cc.cc pipewire ] }"
       --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}"
       --suffix PATH : ${lib.makeBinPath [ xdg-utils ]}
     )

pkgs/applications/networking/sync/storj-uplink/default.nix

@@ -5,13 +5,13 @@
 
 buildGoModule rec {
   pname = "storj-uplink";
-  version = "1.102.2";
+  version = "1.102.4";
 
   src = fetchFromGitHub {
     owner = "storj";
     repo = "storj";
     rev = "v${version}";
-    hash = "sha256-GpHX34iHKeoT7AuEf76QTpTIrATLZyAoUxMoIouhvyA=";
+    hash = "sha256-ryOWnVcJOUs9kToXtwjUTk7nwuAW0NCDn5Npn27hKXU=";
   };
 
   subPackages = [ "cmd/uplink" ];

pkgs/applications/office/paperwork/paperwork-backend.nix

@@ -1,6 +1,7 @@
 { buildPythonPackage
 , lib
 , fetchFromGitLab
+, fetchpatch
 , pyenchant
 , scikit-learn
 , pypillowfight
@@ -33,6 +34,13 @@ buildPythonPackage rec {
   sourceRoot = "${src.name}/paperwork-backend";
 
   patches = [
+    # fixes building with recent scipy
+    # remove on next release
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/World/OpenPaperwork/paperwork/-/commit/abcebfe9714644d4e259e53b10e0e9417b5b864f.patch";
+      hash = "sha256-YjVpphThW5Livs+PZJZDSgJvhLSXhZ1bnlWMwfY4HTg=";
+    })
+
     # disables a flaky test https://gitlab.gnome.org/World/OpenPaperwork/paperwork/-/issues/1035#note_1493700
     ./flaky_test.patch
   ];

pkgs/applications/science/engineering/brmodelo/default.nix

@@ -2,27 +2,34 @@
 , stdenv
 , fetchFromGitHub
 , fetchpatch
-, openjdk8
 , ant
+, jdk8
 , makeWrapper
 , makeDesktopItem
 , copyDesktopItems
+, strip-nondeterminism
+, stripJavaArchivesHook
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "brmodelo";
   version = "3.31";
 
   src = fetchFromGitHub {
     owner = "chcandido";
-    repo = pname;
-    rev = version;
-    sha256 = "09qrhqhv264x8phnf3pnb0cwq75l7xdsj9xkwlvhry81nxz0d5v0";
+    repo = "brmodelo";
+    rev = finalAttrs.version;
+    hash = "sha256-YJcGfrcB+Qw35bMnqVs/tBzMGVj2DmfhRZ0YsSGGGSc=";
   };
 
-  nativeBuildInputs = [ ant makeWrapper copyDesktopItems ];
-
-  buildInputs = [ openjdk8 ];
+  nativeBuildInputs = [
+    ant
+    jdk8
+    makeWrapper
+    copyDesktopItems
+    strip-nondeterminism
+    stripJavaArchivesHook
+  ];
 
   patches = [
     # Fixes for building with Ant.
@@ -30,22 +37,22 @@ stdenv.mkDerivation rec {
     (fetchpatch {
       name = "fix-self-closing-element-not-allowed.patch";
       url = "https://github.com/yuuyins/brModelo/commit/0d712b74fd5d29d67be07480ed196da28a77893b.patch";
-      sha256 = "sha256-yy03arE6xetotzyvpToi9o9crg3KnMRn1J70jDUvSXE=";
+      hash = "sha256-yy03arE6xetotzyvpToi9o9crg3KnMRn1J70jDUvSXE=";
     })
     (fetchpatch {
       name = "fix-tag-closing.patch";
       url = "https://github.com/yuuyins/brModelo/commit/e8530ff75f024cf6effe0408ed69985405e9709c.patch";
-      sha256 = "sha256-MNuh/ORbaAkB5qDSlA/nPrXN+tqzz4oOglVyEtSangI=";
+      hash = "sha256-MNuh/ORbaAkB5qDSlA/nPrXN+tqzz4oOglVyEtSangI=";
     })
     (fetchpatch {
       name = "fix-bad-use-greater-than.patch";
       url = "https://github.com/yuuyins/brModelo/commit/498a6ef8129daff5a472b318f93c8f7f2897fc7f.patch";
-      sha256 = "sha256-MmAwYUmx38DGRsiSxCWCObtpqxk0ykUQiDSC76bCpFc=";
+      hash = "sha256-MmAwYUmx38DGRsiSxCWCObtpqxk0ykUQiDSC76bCpFc=";
     })
     (fetchpatch {
       name = "fix-param-errors.patch";
       url = "https://github.com/yuuyins/brModelo/commit/8a508aaba0bcffe13a3f95cff495230beea36bc4.patch";
-      sha256 = "sha256-qME9gZChSMzu1vs9HaosD+snb+jlOrQLY97meNoA8oU=";
+      hash = "sha256-qME9gZChSMzu1vs9HaosD+snb+jlOrQLY97meNoA8oU=";
     })
 
     # Add SVG icons.
@@ -53,12 +60,14 @@ stdenv.mkDerivation rec {
     (fetchpatch {
       name = "add-brmodelo-logo-icons-svg.patch";
       url = "https://github.com/yuuyins/brModelo/commit/f260b82b664fad3325bbf3ebd7a15488d496946b.patch";
-      sha256 = "sha256-UhgcWxsHkNFS1GgaRnmlZohjDR8JwHof2cIb3SBetYs=";
+      hash = "sha256-UhgcWxsHkNFS1GgaRnmlZohjDR8JwHof2cIb3SBetYs=";
     })
   ];
 
   buildPhase = ''
+    runHook postBuild
     ant
+    runHook preBuild
   '';
 
   desktopItems = [
@@ -68,15 +77,16 @@ stdenv.mkDerivation rec {
       genericName = "Entity-relationship diagramming tool";
       exec = "brmodelo";
       icon = "brmodelo";
-      comment = meta.description;
+      comment = finalAttrs.meta.description;
       categories = [ "Development" "Education" "Database" "2DGraphics" "ComputerScience" "DataVisualization" "Engineering" "Java" ];
     })
   ];
 
   installPhase = ''
-    install -d $out/bin $out/share/doc/${pname} $out/share/java
+    runHook preInstall
 
-    cp -rv ./dist/javadoc $out/share/doc/${pname}/
+    mkdir -p $out/share/doc/brmodelo
+    cp -rv ./dist/javadoc $out/share/doc/brmodelo/
 
     install -Dm755 ./dist/brModelo.jar -t $out/share/java/
     # NOTE: The standard Java GUI toolkit has a
@@ -85,26 +95,28 @@ stdenv.mkDerivation rec {
     # in WMs that are not in that list (e.g. XMonad).
     # Solution/Workaround: set the environment variable
     # _JAVA_AWT_WM_NONREPARENTING=1.
-    makeWrapper ${openjdk8}/bin/java $out/bin/brmodelo \
+    makeWrapper ${jdk8}/bin/java $out/bin/brmodelo \
        --prefix _JAVA_AWT_WM_NONREPARENTING : 1 \
        --prefix _JAVA_OPTIONS : "-Dawt.useSystemAAFontSettings=on" \
        --add-flags "-jar $out/share/java/brModelo.jar"
 
-    runHook postInstall
-  '';
-
-  postInstall = ''
     for size in 16 24 32 48 64 128 256; do
       install -Dm644 ./src/imagens/icone_"$size"x"$size".svg \
         $out/share/icons/hicolor/"$size"x"$size"/apps/brmodelo.svg
     done
+
+    runHook postInstall
+  '';
+
+  preFixup = ''
+    find $out/share/doc/brmodelo/javadoc -name "*.html" -exec strip-nondeterminism --type javadoc {} +
   '';
 
   meta = with lib; {
     description = "Entity-relationship diagram tool for making conceptual and logical database models";
-    mainProgram = "brmodelo";
     homepage = "https://github.com/chcandido/brModelo";
     license = licenses.gpl3;
+    mainProgram = "brmodelo";
     maintainers = with maintainers; [ yuu ];
   };
-}
+})