648 changed files with 12430 additions and 16751 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -232,12 +232,10 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /nixos/modules/services/networking/babeld.nix @mweinelt
 /nixos/modules/services/networking/kea.nix @mweinelt
 /nixos/modules/services/networking/knot.nix @mweinelt
-nixos/modules/services/networking/networkmanager.nix @Janik-Haag
 /nixos/modules/services/monitoring/prometheus/exporters/kea.nix @mweinelt
 /nixos/tests/babeld.nix @mweinelt
 /nixos/tests/kea.nix @mweinelt
 /nixos/tests/knot.nix @mweinelt
-/nixos/tests/networking/* @Janik-Haag

 # Web servers
 /doc/packages/nginx.section.md @raitobezarius
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@ -2726,12 +2726,6 @@
    github = "bmwalters";
    githubId = 4380777;
  };
-  bnlrnz = {
-    github = "bnlrnz";
-    githubId = 11310385;
-    name = "Ben Lorenz";
-    email = "bnlrnz@gmail.com";
-  };
  bobakker = {
    email = "bobakk3r@gmail.com";
    github = "bobakker";
@ -8438,12 +8432,6 @@
    github = "Icy-Thought";
    githubId = 53710398;
  };
-  id3v1669 = {
-    name = "id3v1669";
-    email = "id3v1669@gmail.com";
-    github = "id3v1669";
-    githubId = 57532211;
-  };
  idlip = {
    name = "Dilip";
    email = "igoldlip@gmail.com";
@ -10219,11 +10207,6 @@
    githubId = 6544084;
    name = "Kai Harries";
  };
-  kai-tub = {
-    name = "Kai Norman Clasen";
-    github = "kai-tub";
-    githubId = 46302524;
-  };
  kalbasit = {
    email = "wael.nasreddine@gmail.com";
    matrix = "@kalbasit:matrix.org";
@ -14767,12 +14750,6 @@
    githubId = 16027994;
    name = "Nathan Viets";
  };
-  nyadiia = {
-    email = "nyadiia@pm.me";
-    github = "nyadiia";
-    githubId = 43252360;
-    name = "Nadia";
-  };
  nyanbinary = {
    email = "nyanbinary@keemail.me";
    matrix = "@niko:conduit.rs";
@ -17354,11 +17331,6 @@
    githubId = 19433256;
    name = "Radoslaw Sniezek";
  };
-  rster2002 = {
-    name = "Bjørn";
-    github = "rster2002";
-    githubId = 26026518;
-  };
  rsynnest = {
    email = "contact@rsynnest.com";
    github = "rsynnest";
@ -19428,12 +19400,6 @@
    github = "sweenu";
    githubId = 7051978;
  };
-  swendel = {
-    name = "Sebastian Wendel";
-    email = "nixpkgs.aiX5ph@srx.digital";
-    github = "SebastianWendel";
-    githubId = 919570;
-  };
  swesterfeld = {
    email = "stefan@space.twc.de";
    github = "swesterfeld";
@ -19517,12 +19483,6 @@
      fingerprint = "6866 981C 4992 4D64 D154  E1AC 19E5 A2D8 B1E4 3F19";
    }];
  };
-  t4sm5n = {
-    email = "t4sm5n@gmail.com";
-    github = "t4sm5n";
-    githubId = 28858039;
-    name = "Tuomas Mäkinen";
-  };
  tadeokondrak = {
    email = "me@tadeo.ca";
    github = "tadeokondrak";
--- a/maintainers/team-list.nix
+++ b/maintainers/team-list.nix
@ -518,7 +518,6 @@ with lib.maintainers; {
      cpages
      dschrempf
      edwtjo
-      kazenyuk
      minijackson
      peterhoeg
      sephalon
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@ -37,10 +37,6 @@ In addition to numerous new and upgraded packages, this release has the followin
 Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for PipeWire and
 `services.pipewire.wireplumber.configPackages` for WirePlumber instead."

- `teleport` has been upgraded from major version 14 to major version 15.
-  Refer to upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/)
-  and release notes for [v15](https://goteleport.com/docs/changelog/#1500-013124).
-
 - A new option `systemd.sysusers.enable` was added. If enabled, users and
  groups are created with systemd-sysusers instead of with a custom perl script.

@ -131,16 +127,12 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

 - [transfer-sh](https://github.com/dutchcoders/transfer.sh), a tool that supports easy and fast file sharing from the command-line. Available as [services.transfer-sh](#opt-services.transfer-sh.enable).

- [FCast Receiver](https://fcast.org), an open-source alternative to Chromecast and AirPlay. Available as [programs.fcast-receiver](#opt-programs.fcast-receiver.enable).
-
 - [MollySocket](https://github.com/mollyim/mollysocket) which allows getting Signal notifications via UnifiedPush.

 - [Suwayomi Server](https://github.com/Suwayomi/Suwayomi-Server), a free and open source manga reader server that runs extensions built for [Tachiyomi](https://tachiyomi.org). Available as [services.suwayomi-server](#opt-services.suwayomi-server.enable).

 - [ping_exporter](https://github.com/czerwonk/ping_exporter), a Prometheus exporter for ICMP echo requests. Available as [services.prometheus.exporters.ping](#opt-services.prometheus.exporters.ping.enable).

- [Prometheus DNSSEC Exporter](https://github.com/chrj/prometheus-dnssec-exporter), check for validity and expiration in DNSSEC signatures and expose metrics for Prometheus. Available as [services.prometheus.exporters.dnssec](#opt-services.prometheus.exporters.dnssec.enable).
-
 - [TigerBeetle](https://tigerbeetle.com/), a distributed financial accounting database designed for mission critical safety and performance. Available as [services.tigerbeetle](#opt-services.tigerbeetle.enable).

 - [go-camo](https://github.com/cactus/go-camo), a secure image proxy server. Available as [services.go-camo](#opt-services.go-camo.enable).
@ -189,7 +181,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

 - `k3s`: was updated to version [v1.29](https://github.com/k3s-io/k3s/releases/tag/v1.29.1%2Bk3s2), all previous versions (k3s_1_26, k3s_1_27, k3s_1_28) will be removed. See [changelog and upgrade notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#urgent-upgrade-notes) for more information.

- `himalaya` was updated to `v1.0.0-beta.4`, which introduces breaking changes. Check out the [release note](https://github.com/soywod/himalaya/releases/tag/v1.0.0-beta.4) for details.
+- `himalaya` was updated to `v1.0.0-beta.3`, which introduces breaking changes. Check out the [release note](https://github.com/soywod/himalaya/releases/tag/v1.0.0-beta.3) for details.

 - The `power.ups` module now generates `upsd.conf`, `upsd.users` and `upsmon.conf` automatically from a set of new configuration options. This breaks compatibility with existing `power.ups` setups where these files were created manually. Back up these files before upgrading NixOS.

@ -287,8 +279,6 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
  release notes of [v19](https://github.com/systemd/mkosi/releases/tag/v19) and
  [v20](https://github.com/systemd/mkosi/releases/tag/v20) for a list of changes.

- `gonic` has been updated to v0.16.4. Config now requires `playlists-path` to be set. See the rest of the [v0.16.0 release notes](https://github.com/sentriz/gonic/releases/tag/v0.16.0) for more details.
-
 - The `services.vikunja` systemd service now uses `vikunja` as dynamic user instead of `vikunja-api`. Database users might need to be changed.

 - The `services.vikunja.setupNginx` setting has been removed. Users now need to setup the webserver configuration on their own with a proxy pass to the vikunja service.
@ -429,14 +419,6 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

  - `nomad_1_4` has been removed, as it is now unsupported upstream.

- Dwarf Fortress has been updated to version 50, and its derivations continue to menace with spikes of Nix and bash. Version 50 is identical to the version on Steam, but without the paid elements like tilepacks.
-  dfhack and Dwarf Therapist still work, and older versions are still packaged in case you'd like to roll back. Note that DF 50 saves will not be compatible with DF 0.47 and earlier.
-  See [Bay 12 Games](http://www.bay12games.com/dwarves/) for more details on what's new in Dwarf Fortress.
-
-  - Running an earlier version can be achieved through an override: `dwarf-fortress-packages.dwarf-fortress-full.override { dfVersion = "0.47.5"; }`
-
-  - Ruby plugin support has been disabled in DFHack. Many of the Ruby plugins have been converted to Lua, and support was removed upstream due to frequent crashes.
-
 - The `livebook` package is now built as a `mix release` instead of an `escript`.
  This means that configuration now has to be done using [environment variables](https://hexdocs.pm/livebook/readme.html#environment-variables) instead of command line arguments.
  This has the further implication that the `livebook` service configuration has changed:
@ -573,8 +555,6 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
  and `services.kavita.settings.IpAddresses`. The file at `services.kavita.tokenKeyFile` now needs to contain a secret with
  512+ bits instead of 128+ bits.

- `kavita` has been updated to 0.8.0, requiring a manual forced library scan on all libraries for migration. Refer to upstream's [release notes](https://github.com/Kareadita/Kavita/releases/tag/v0.8.0) for details.
-
 - The `krb5` module has been rewritten and moved to `security.krb5`, moving all options but `security.krb5.enable` and `security.krb5.package` into `security.krb5.settings`.

 - `services.soju` now has a wrapper for the `sojuctl` command, pointed at the service config file. It also has the new option `adminSocket.enable`, which creates a unix admin socket at `/run/soju/admin`.
@ -589,8 +569,6 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

 - The `hardware.pulseaudio` module now sets permission of pulse user home directory to 755 when running in "systemWide" mode. It fixes [issue 114399](https://github.com/NixOS/nixpkgs/issues/114399).

- The `services.networkmanager.extraConfig` was renamed to `services.networkmanager.settings` and was changed to use the ini type instead of using a multiline string.
-
 - The module `services.github-runner` has been removed. To configure a single GitHub Actions Runner refer to `services.github-runners.*`. Note that this will trigger a new runner registration.

 - The `services.slskd` has been refactored to include more configuation options in
--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@ -42,8 +42,8 @@ in
        strings.  The latter is concatenated, interspersed with colon
        characters.
      '';
-      type = with types; attrsOf (oneOf [ (listOf (oneOf [ float int str ])) float int str path ]);
-      apply = mapAttrs (n: v: if isList v then concatMapStringsSep ":" toString v else toString v);
+      type = with types; attrsOf (oneOf [ (listOf str) str path ]);
+      apply = mapAttrs (n: v: if isList v then concatStringsSep ":" v else "${v}");
    };

    environment.profiles = mkOption {
--- a/nixos/modules/config/zram.nix
+++ b/nixos/modules/config/zram.nix
@ -73,7 +73,7 @@ in
      algorithm = lib.mkOption {
        default = "zstd";
        example = "lz4";
-        type = with lib.types; either (enum [ "842" "lzo" "lzo-rle" "lz4" "lz4hc" "zstd" ]) str;
+        type = with lib.types; either (enum [ "lzo" "lz4" "zstd" ]) str;
        description = ''
          Compression algorithm. `lzo` has good compression,
          but is slow. `lz4` has bad compression, but is fast.
--- a/nixos/modules/misc/nixpkgs.nix
+++ b/nixos/modules/misc/nixpkgs.nix
@ -153,10 +153,11 @@ in
        '';
      type = configType;
      description = ''
-        Global configuration for Nixpkgs.
-        The complete list of [Nixpkgs configuration options](https://nixos.org/manual/nixpkgs/unstable/#sec-config-options-reference) is in the [Nixpkgs manual section on global configuration](https://nixos.org/manual/nixpkgs/unstable/#chap-packageconfig).
+        The configuration of the Nix Packages collection.  (For
+        details, see the Nixpkgs documentation.)  It allows you to set
+        package configuration options.

-        Ignored when {option}`nixpkgs.pkgs` is set.
+        Ignored when `nixpkgs.pkgs` is set.
      '';
    };

--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -179,7 +179,6 @@
  ./programs/environment.nix
  ./programs/evince.nix
  ./programs/extra-container.nix
-  ./programs/fcast-receiver.nix
  ./programs/feedbackd.nix
  ./programs/file-roller.nix
  ./programs/firefox.nix
@ -266,7 +265,6 @@
  ./programs/skim.nix
  ./programs/slock.nix
  ./programs/sniffnet.nix
-  ./programs/soundmodem.nix
  ./programs/spacefm.nix
  ./programs/ssh.nix
  ./programs/starship.nix
@ -288,8 +286,8 @@
  ./programs/virt-manager.nix
  ./programs/wavemon.nix
  ./programs/wayland/cardboard.nix
-  ./programs/wayland/hyprland.nix
  ./programs/wayland/labwc.nix
+  ./programs/wayland/hyprland.nix
  ./programs/wayland/river.nix
  ./programs/wayland/sway.nix
  ./programs/wayland/waybar.nix
@ -1166,7 +1164,6 @@
  ./services/networking/syncthing-relay.nix
  ./services/networking/syncthing.nix
  ./services/networking/tailscale.nix
-  ./services/networking/tailscale-auth.nix
  ./services/networking/tayga.nix
  ./services/networking/tcpcrypt.nix
  ./services/networking/teamspeak3.nix
--- a/nixos/modules/profiles/demo.nix
+++ b/nixos/modules/profiles/demo.nix
@ -11,7 +11,7 @@
      uid = 1000;
    };

-  services.displayManager = {
+  services.xserver.displayManager = {
    autoLogin = {
      enable = true;
      user = "demo";
--- a/nixos/modules/profiles/graphical.nix
+++ b/nixos/modules/profiles/graphical.nix
@ -6,12 +6,13 @@
 {
  services.xserver = {
    enable = true;
-    desktopManager.plasma5.enable = true;
+    displayManager.sddm.enable = true;
+    desktopManager.plasma5 = {
+      enable = true;
+    };
    libinput.enable = true; # for touchpad support on many laptops
  };

-  services.displayManager.sddm.enable = true;
-
  # Enable sound in virtualbox appliances.
  hardware.pulseaudio.enable = true;

--- a/nixos/modules/programs/fcast-receiver.nix
+++ b/nixos/modules/programs/fcast-receiver.nix
@ -1,31 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.programs.fcast-receiver;
-in
-{
-  meta = {
-    maintainers = pkgs.fcast-receiver.meta.maintainers;
-  };
-
-  options.programs.fcast-receiver = {
-    enable = mkEnableOption (lib.mdDoc "FCast Receiver");
-    openFirewall = mkOption {
-      type = types.bool;
-      default = false;
-      description = lib.mdDoc ''
-        Open ports needed for the functionality of the program.
-      '';
-    };
-    package = mkPackageOption pkgs "fcast-receiver" { };
-  };
-
-  config = mkIf cfg.enable {
-    environment.systemPackages = [ cfg.package ];
-    networking.firewall = mkIf cfg.openFirewall {
-      allowedTCPPorts = [ 46899 ];
-    };
-  };
-}
--- a/nixos/modules/programs/soundmodem.nix
+++ b/nixos/modules/programs/soundmodem.nix
@ -1,34 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.programs.soundmodem;
-in
-{
-  options = {
-    programs.soundmodem = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to add Soundmodem to the global environment and configure a
-          wrapper for 'soundmodemconfig' for users in the 'soundmodem' group.
-        '';
-      };
-      package = mkPackageOption pkgs "soundmodem" { };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    environment.systemPackages = [ cfg.package ];
-    users.groups.soundmodem = { };
-
-    security.wrappers.soundmodemconfig = {
-      source = "${cfg.package}/bin/soundmodemconfig";
-      owner = "root";
-      group = "soundmodem";
-      permissions = "u+rx,g+x";
-    };
-  };
-}
--- a/nixos/modules/programs/tsm-client.nix
+++ b/nixos/modules/programs/tsm-client.nix
@ -22,7 +22,7 @@ let
  serverOptions = { name, config, ... }: {
    freeformType = attrsOf (either scalarType (listOf scalarType));
    # Client system-options file directives are explained here:
-    # https://www.ibm.com/docs/en/storage-protect/8.1.22?topic=commands-processing-options
+    # https://www.ibm.com/docs/en/storage-protect/8.1.21?topic=commands-processing-options
    options.servername = mkOption {
      type = servernameType;
      default = name;
--- a/nixos/modules/services/audio/gonic.nix
+++ b/nixos/modules/services/audio/gonic.nix
@ -55,9 +55,6 @@ in
        RuntimeDirectory = "gonic";
        RootDirectory = "/run/gonic";
        ReadWritePaths = "";
-        BindPaths = [
-          cfg.settings.playlists-path
-        ];
        BindReadOnlyPaths = [
          # gonic can access scrobbling services
          "-/etc/resolv.conf"
--- a/nixos/modules/services/backup/tsm.nix
+++ b/nixos/modules/services/backup/tsm.nix
@ -90,7 +90,7 @@ in
      environment.HOME = "/var/lib/tsm-backup";
      serviceConfig = {
        # for exit status description see
-        # https://www.ibm.com/docs/en/storage-protect/8.1.22?topic=clients-client-return-codes
+        # https://www.ibm.com/docs/en/storage-protect/8.1.21?topic=clients-client-return-codes
        SuccessExitStatus = "4 8";
        # The `-se` option must come after the command.
        # The `-optfile` option suppresses a `dsm.opt`-not-found warning.
--- a/nixos/modules/services/continuous-integration/gitea-actions-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitea-actions-runner.nix
@ -203,8 +203,6 @@ in
            TOKEN = "${instance.token}";
          } // optionalAttrs (wantsPodman) {
            DOCKER_HOST = "unix:///run/podman/podman.sock";
-          } // {
-            HOME = "/var/lib/gitea-runner/${name}";
          };
          path = with pkgs; [
            coreutils
--- a/nixos/modules/services/desktop-managers/lomiri.nix
+++ b/nixos/modules/services/desktop-managers/lomiri.nix
@ -38,8 +38,6 @@ in {
      ]);
    };

-    networking.networkmanager.enable = lib.mkDefault true;
-
    systemd.packages = with pkgs.lomiri; [
      hfd-service
      lomiri-download-manager
@ -75,8 +73,6 @@ in {
        ayatana-indicator-session
      ]) ++ (with pkgs.lomiri; [
        telephony-service
-      ] ++ lib.optionals config.networking.networkmanager.enable [
-        lomiri-indicator-network
      ]);
    };

@ -115,8 +111,6 @@ in {
      "/share/lomiri-app-launch"
      # TODO Try to get maliit stuff working
      "/share/maliit/plugins"
-      # At least the network indicator is still under the unity name, due to leftover Unity-isms
-      "/share/unity"
      # Data
      "/share/locale" # TODO LUITK hardcoded default locale path, fix individual apps to not rely on it
      "/share/sounds"
--- a/nixos/modules/services/hardware/udev.nix
+++ b/nixos/modules/services/hardware/udev.nix
@ -401,19 +401,17 @@ in
      }))
    ];

-    environment.etc = {
-      "udev/rules.d".source = udevRulesFor {
-        name = "udev-rules";
-        udevPackages = cfg.packages;
-        systemd = config.systemd.package;
-        binPackages = cfg.packages;
-        inherit udevPath udev;
+    environment.etc =
+      {
+        "udev/rules.d".source = udevRulesFor {
+          name = "udev-rules";
+          udevPackages = cfg.packages;
+          systemd = config.systemd.package;
+          binPackages = cfg.packages;
+          inherit udevPath udev;
+        };
+        "udev/hwdb.bin".source = hwdbBin;
      };
-      "udev/hwdb.bin".source = hwdbBin;
-    } // lib.optionalAttrs config.boot.modprobeConfig.enable {
-      # We don't place this into `extraModprobeConfig` so that stage-1 ramdisk doesn't bloat.
-      "modprobe.d/firmware.conf".text = "options firmware_class path=${config.hardware.firmware}/lib/firmware";
-    };

    system.requiredKernelConfig = with config.lib.kernelConfig; [
      (isEnabled "UNIX")
@ -421,17 +419,21 @@ in
      (isYes "NET")
    ];

-    system.activationScripts.udevd = lib.mkIf config.boot.kernel.enable ''
-      # The deprecated hotplug uevent helper is not used anymore
-      if [ -e /proc/sys/kernel/hotplug ]; then
-        echo "" > /proc/sys/kernel/hotplug
-      fi
+    # We don't place this into `extraModprobeConfig` so that stage-1 ramdisk doesn't bloat.
+    environment.etc."modprobe.d/firmware.conf".text = "options firmware_class path=${config.hardware.firmware}/lib/firmware";

-      # Allow the kernel to find our firmware.
-      if [ -e /sys/module/firmware_class/parameters/path ]; then
-        echo -n "${config.hardware.firmware}/lib/firmware" > /sys/module/firmware_class/parameters/path
-      fi
-    '';
+    system.activationScripts.udevd =
+      ''
+        # The deprecated hotplug uevent helper is not used anymore
+        if [ -e /proc/sys/kernel/hotplug ]; then
+          echo "" > /proc/sys/kernel/hotplug
+        fi
+
+        # Allow the kernel to find our firmware.
+        if [ -e /sys/module/firmware_class/parameters/path ]; then
+          echo -n "${config.hardware.firmware}/lib/firmware" > /sys/module/firmware_class/parameters/path
+        fi
+      '';

    systemd.services.systemd-udevd =
      { restartTriggers = cfg.packages;
--- a/nixos/modules/services/misc/docker-registry.nix
+++ b/nixos/modules/services/misc/docker-registry.nix
@ -41,7 +41,8 @@ let
    };
  };

-  configFile = cfg.configFile;
+  configFile = pkgs.writeText "docker-registry-config.yml" (builtins.toJSON (recursiveUpdate registryConfig cfg.extraConfig));
+
 in {
  options.services.dockerRegistry = {
    enable = mkEnableOption "Docker Registry";
@ -105,17 +106,6 @@ in {
      type = types.attrs;
    };

-    configFile = lib.mkOption {
-      default = pkgs.writeText "docker-registry-config.yml" (builtins.toJSON (recursiveUpdate registryConfig cfg.extraConfig));
-      defaultText = literalExpression ''pkgs.writeText "docker-registry-config.yml" "# my custom docker-registry-config.yml ..."'';
-      description = ''
-       Path to CNCF distribution config file.
-
-       Setting this option will override any configuration applied by the extraConfig option.
-      '';
-      type =  types.path;
-    };
-
    enableGarbageCollect = mkEnableOption "garbage collect";

    garbageCollectDates = mkOption {
--- a/nixos/modules/services/misc/ollama.nix
+++ b/nixos/modules/services/misc/ollama.nix
@ -85,7 +85,7 @@ in
      };
      serviceConfig = {
        ExecStart = "${lib.getExe ollamaPackage} serve";
-        WorkingDirectory = cfg.home;
+        WorkingDirectory = "%S/ollama";
        StateDirectory = [ "ollama" ];
        DynamicUser = true;
      };
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@ -31,7 +31,6 @@ let
    "collectd"
    "dmarc"
    "dnsmasq"
-    "dnssec"
    "domain"
    "dovecot"
    "fastly"
--- a/nixos/modules/services/monitoring/prometheus/exporters/dnssec.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/dnssec.nix
@ -1,90 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.services.prometheus.exporters.dnssec;
-  configFormat = pkgs.formats.toml { };
-  configFile = configFormat.generate "dnssec-checks.toml" cfg.configuration;
-in {
-  port = 9204;
-  extraOpts = {
-    configuration = lib.mkOption {
-      type = lib.types.nullOr lib.types.attrs;
-      default = null;
-      description = ''
-        dnssec exporter configuration as nix attribute set.
-
-        See <https://github.com/chrj/prometheus-dnssec-exporter/blob/master/README.md>
-        for the description of the configuration file format.
-      '';
-      example = lib.literalExpression ''
-        {
-          records = [
-            {
-              zone = "ietf.org";
-              record = "@";
-              type = "SOA";
-            }
-            {
-              zone = "verisigninc.com";
-              record = "@";
-              type = "SOA";
-            }
-          ];
-        }
-      '';
-    };
-
-    listenAddress = lib.mkOption {
-      type = lib.types.nullOr lib.types.str;
-      default = null;
-      description = ''
-        Listen address as host IP and port definition.
-      '';
-      example = ":9204";
-    };
-
-    resolvers = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      default = [ ];
-      description = ''
-        DNSSEC capable resolver to be used for the check.
-      '';
-      example = [ "0.0.0.0:53" ];
-    };
-
-    timeout = lib.mkOption {
-      type = lib.types.nullOr lib.types.str;
-      default = null;
-      description = ''
-        DNS request timeout duration.
-      '';
-      example = "10s";
-    };
-
-    extraFlags = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      default = [ ];
-      description = ''
-        Extra commandline options when launching Prometheus.
-      '';
-    };
-  };
-
-  serviceOpts = {
-    serviceConfig = let
-      startScript = pkgs.writeShellScriptBin "prometheus-dnssec-exporter-start"
-        "${lib.concatStringsSep " "
-        ([ "${pkgs.prometheus-dnssec-exporter}/bin/prometheus-dnssec-exporter" ]
-          ++ lib.optionals (cfg.configuration != null)
-          [ "-config ${configFile}" ]
-          ++ lib.optionals (cfg.listenAddress != null)
-          [ "-listen-address ${lib.escapeShellArg cfg.listenAddress}" ]
-          ++ lib.optionals (cfg.resolvers != [ ]) [
-            "-resolvers ${
-              lib.escapeShellArg (lib.concatStringsSep "," cfg.resolvers)
-            }"
-          ] ++ lib.optionals (cfg.timeout != null)
-          [ "-timeout ${lib.escapeShellArg cfg.timeout}" ] ++ cfg.extraFlags)}";
-    in { ExecStart = lib.getExe startScript; };
-  };
-}
-
--- a/nixos/modules/services/monitoring/prometheus/exporters/redis.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/redis.nix
@ -9,7 +9,6 @@ in
  port = 9121;
  serviceOpts = {
    serviceConfig = {
-      RestrictAddressFamilies = [ "AF_UNIX" ];
      ExecStart = ''
        ${pkgs.prometheus-redis-exporter}/bin/redis_exporter \
          -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
--- a/nixos/modules/services/networking/deconz.nix
+++ b/nixos/modules/services/networking/deconz.nix
@ -93,13 +93,6 @@ in
        # be garbage collected. Ensure the file gets "refreshed" on every start.
        rm -f ${stateDir}/.local/share/dresden-elektronik/deCONZ/zcldb.txt
      '';
-      postStart = ''
-        # Delay signalling service readiness until it's actually up.
-        while ! "${lib.getExe pkgs.curl}" -sSfl -o /dev/null "http://${cfg.listenAddress}:${toString cfg.httpPort}"; do
-            echo "Waiting for TCP port ${toString cfg.httpPort} to be open..."
-            sleep 1
-        done
-      '';
      environment = {
        HOME = stateDir;
        XDG_RUNTIME_DIR = "/run/${name}";
--- a/nixos/modules/services/networking/dnscrypt-proxy2.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy2.nix
@ -49,12 +49,12 @@ in
        passAsFile = [ "json" ];
      } ''
        ${if cfg.upstreamDefaults then ''
-          ${pkgs.buildPackages.remarshal}/bin/toml2json ${pkgs.dnscrypt-proxy.src}/dnscrypt-proxy/example-dnscrypt-proxy.toml > example.json
-          ${pkgs.buildPackages.jq}/bin/jq --slurp add example.json $jsonPath > config.json # merges the two
+          ${pkgs.remarshal}/bin/toml2json ${pkgs.dnscrypt-proxy.src}/dnscrypt-proxy/example-dnscrypt-proxy.toml > example.json
+          ${pkgs.jq}/bin/jq --slurp add example.json $jsonPath > config.json # merges the two
        '' else ''
          cp $jsonPath config.json
        ''}
-        ${pkgs.buildPackages.remarshal}/bin/json2toml < config.json > $out
+        ${pkgs.remarshal}/bin/json2toml < config.json > $out
      '';
      defaultText = literalMD "TOML file generated from {option}`services.dnscrypt-proxy2.settings`";
    };
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@ -10,31 +10,49 @@ let

  enableIwd = cfg.wifi.backend == "iwd";

-  configAttrs = lib.recursiveUpdate {
-    main = {
+  mkValue = v:
+    if v == true then "yes"
+    else if v == false then "no"
+    else if lib.isInt v then toString v
+    else v;
+
+  mkSection = name: attrs: ''
+    [${name}]
+    ${
+      lib.concatStringsSep "\n"
+        (lib.mapAttrsToList
+          (k: v: "${k}=${mkValue v}")
+          (lib.filterAttrs
+            (k: v: v != null)
+            attrs))
+    }
+  '';
+
+  configFile = pkgs.writeText "NetworkManager.conf" (lib.concatStringsSep "\n" [
+    (mkSection "main" {
      plugins = "keyfile";
      inherit (cfg) dhcp dns;
      # If resolvconf is disabled that means that resolv.conf is managed by some other module.
      rc-manager =
        if config.networking.resolvconf.enable then "resolvconf"
        else "unmanaged";
-    };
-    keyfile = {
+    })
+    (mkSection "keyfile" {
      unmanaged-devices =
-      if cfg.unmanaged == [ ] then null
-      else lib.concatStringsSep ";" cfg.unmanaged;
-    };
-    logging = {
+        if cfg.unmanaged == [ ] then null
+        else lib.concatStringsSep ";" cfg.unmanaged;
+    })
+    (mkSection "logging" {
      audit = config.security.audit.enable;
      level = cfg.logLevel;
-    };
-    connection = cfg.connectionConfig;
-    device = {
-        "wifi.scan-rand-mac-address" = cfg.wifi.scanRandMacAddress;
-        "wifi.backend" = cfg.wifi.backend;
-    };
-  } cfg.settings;
-  configFile = ini.generate "NetworkManager.conf" configAttrs;
+    })
+    (mkSection "connection" cfg.connectionConfig)
+    (mkSection "device" {
+      "wifi.scan-rand-mac-address" = cfg.wifi.scanRandMacAddress;
+      "wifi.backend" = cfg.wifi.backend;
+    })
+    cfg.extraConfig
+  ]);

  /*
    [network-manager]
@ -127,7 +145,7 @@ in
 {

  meta = {
-    maintainers = teams.freedesktop.members ++ [ lib.maintainers.janik ];
+    maintainers = teams.freedesktop.members;
  };

  ###### interface
@ -167,11 +185,11 @@ in
        '';
      };

-      settings = mkOption {
-        type = ini.type;
-        default = {};
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
        description = ''
-          Configuration added to the generated NetworkManager.conf, note that you can overwrite settings with this.
+          Configuration appended to the generated NetworkManager.conf.
          Refer to
          [
            https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html
@ -453,28 +471,8 @@ in
  imports = [
    (mkRenamedOptionModule
      [ "networking" "networkmanager" "packages" ]
-      [ "networking" "networkmanager" "plugins" ]
-    )
-    (mkRenamedOptionModule
-      [ "networking" "networkmanager" "useDnsmasq" ]
-      [ "networking" "networkmanager" "dns" ]
-    )
-    (mkRemovedOptionModule [ "networking" "networkmanager" "extraConfig" ] ''
-      This option was removed in favour of `networking.networkmanager.settings`,
-      which accepts structured nix-code equivalent to the ini
-      and allows for overriding settings.
-      Example patch:
-      ```patch
-         networking.networkmanager = {
-      -    extraConfig = '''
-      -      [main]
-      -      no-auto-default=*
-      -    '''
-      +    extraConfig.main.no-auto-default = "*";
-         };
-      ```
-    ''
-    )
+      [ "networking" "networkmanager" "plugins" ])
+    (mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ])
    (mkRemovedOptionModule [ "networking" "networkmanager" "enableFccUnlock" ] ''
      This option was removed, because using bundled FCC unlock scripts is risky,
      might conflict with vendor-provided unlock scripts, and should
--- a/nixos/modules/services/networking/shadowsocks.nix
+++ b/nixos/modules/services/networking/shadowsocks.nix
@ -136,16 +136,10 @@ in
  ###### implementation

  config = mkIf cfg.enable {
-    assertions = [
-      {
-        # xor, make sure either password or passwordFile be set.
-        # shadowsocks-libev not support plain/none encryption method
-        # which indicated that password must set.
-        assertion = let noPasswd = cfg.password == null; noPasswdFile = cfg.passwordFile == null;
-          in (noPasswd && !noPasswdFile) || (!noPasswd && noPasswdFile);
-        message = "Option `password` or `passwordFile` must be set and cannot be set simultaneously";
-      }
-    ];
+    assertions = singleton
+      { assertion = cfg.password == null || cfg.passwordFile == null;
+        message = "Cannot use both password and passwordFile for shadowsocks-libev";
+      };

    systemd.services.shadowsocks-libev = {
      description = "shadowsocks-libev Daemon";
--- a/nixos/modules/services/networking/tailscale-auth.nix
+++ b/nixos/modules/services/networking/tailscale-auth.nix
@ -1,104 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  inherit (lib)
-    getExe
-    maintainers
-    mkEnableOption
-    mkPackageOption
-    mkIf
-    mkOption
-    types
-    ;
-  cfg = config.services.tailscaleAuth;
-in
-{
-  options.services.tailscaleAuth = {
-    enable = mkEnableOption "Enable tailscale.nginx-auth, to authenticate users via tailscale.";
-
-    package = mkPackageOption pkgs "tailscale-nginx-auth" {};
-
-    user = mkOption {
-      type = types.str;
-      default = "tailscale-nginx-auth";
-      description = "User which runs tailscale-nginx-auth";
-    };
-
-    group = mkOption {
-      type = types.str;
-      default = "tailscale-nginx-auth";
-      description = "Group which runs tailscale-nginx-auth";
-    };
-
-    socketPath = mkOption {
-      default = "/run/tailscale-nginx-auth/tailscale-nginx-auth.sock";
-      type = types.path;
-      description = ''
-        Path of the socket listening to authorization requests.
-      '';
-    };
-  };
-
-  config = mkIf cfg.enable {
-    services.tailscale.enable = true;
-
-    users.users.${cfg.user} = {
-      isSystemUser = true;
-      inherit (cfg) group;
-    };
-    users.groups.${cfg.group} = { };
-
-    systemd.sockets.tailscale-nginx-auth = {
-      description = "Tailscale NGINX Authentication socket";
-      partOf = [ "tailscale-nginx-auth.service" ];
-      wantedBy = [ "sockets.target" ];
-      listenStreams = [ cfg.socketPath ];
-      socketConfig = {
-        SocketMode = "0660";
-        SocketUser = cfg.user;
-        SocketGroup = cfg.group;
-      };
-    };
-
-    systemd.services.tailscale-nginx-auth = {
-      description = "Tailscale NGINX Authentication service";
-      requires = [ "tailscale-nginx-auth.socket" ];
-
-      serviceConfig = {
-        ExecStart = getExe cfg.package;
-        RuntimeDirectory = "tailscale-nginx-auth";
-        User = cfg.user;
-        Group = cfg.group;
-
-        BindPaths = [ "/run/tailscale/tailscaled.sock" ];
-
-        CapabilityBoundingSet = "";
-        DeviceAllow = "";
-        LockPersonality = true;
-        MemoryDenyWriteExecute = true;
-        PrivateDevices = true;
-        PrivateUsers = true;
-        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        RestrictNamespaces = true;
-        RestrictAddressFamilies = [ "AF_UNIX" ];
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-
-        SystemCallArchitectures = "native";
-        SystemCallErrorNumber = "EPERM";
-        SystemCallFilter = [
-          "@system-service"
-          "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
-        ];
-      };
-    };
-  };
-
-  meta.maintainers = with maintainers; [ dan-theriault phaer ];
-}
--- a/nixos/modules/services/security/oauth2_proxy_nginx.nix
+++ b/nixos/modules/services/security/oauth2_proxy_nginx.nix
@ -28,8 +28,7 @@ in
      type = types.listOf types.str;
      default = [];
      description = ''
-        A list of nginx virtual hosts to put behind the oauth2 proxy.
-        You can exclude specific locations by setting `auth_request off;` in the locations extraConfig setting.
+        A list of nginx virtual hosts to put behind the oauth2 proxy
      '';
    };
  };
@ -51,27 +50,18 @@ in
  ] ++ optional (cfg.virtualHosts != []) {
    recommendedProxySettings = true; # needed because duplicate headers
  } ++ (map (vhost: {
-    virtualHosts.${vhost} = {
-      locations = {
-        "/oauth2/auth" = {
-          proxyPass = cfg.proxy;
-          extraConfig = ''
-            auth_request off;
-            proxy_set_header X-Scheme         $scheme;
-            # nginx auth_request includes headers but not body
-            proxy_set_header Content-Length   "";
-            proxy_pass_request_body           off;
-          '';
-        };
-        "@redirectToAuth2ProxyLogin" = {
-          return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri";
-          extraConfig = ''
-            auth_request off;
-          '';
-        };
+    virtualHosts.${vhost}.locations = {
+      "/oauth2/auth" = {
+        proxyPass = cfg.proxy;
+        extraConfig = ''
+          proxy_set_header X-Scheme         $scheme;
+          # nginx auth_request includes headers but not body
+          proxy_set_header Content-Length   "";
+          proxy_pass_request_body           off;
+        '';
      };
-
-      extraConfig = ''
+      "@redirectToAuth2ProxyLogin".return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri";
+      "/".extraConfig = ''
        auth_request /oauth2/auth;
        error_page 401 = @redirectToAuth2ProxyLogin;

--- a/nixos/modules/services/web-apps/freshrss.nix
+++ b/nixos/modules/services/web-apps/freshrss.nix
@ -268,11 +268,11 @@ in

          script =
            let
-              userScriptArgs = ''--user ${cfg.defaultUser} ${optionalString (cfg.authType == "form") ''--password "$(cat ${cfg.passwordFile})"''}'';
-              updateUserScript = optionalString (cfg.authType == "form" || cfg.authType == "none") ''
+              userScriptArgs = ''--user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})"'';
+              updateUserScript = optionalString (cfg.authType == "form") ''
                ./cli/update-user.php ${userScriptArgs}
              '';
-              createUserScript = optionalString (cfg.authType == "form" || cfg.authType == "none") ''
+              createUserScript = optionalString (cfg.authType == "form") ''
                ./cli/create-user.php ${userScriptArgs}
              '';
            in
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -164,7 +164,7 @@ let
      ${commonHttpConfig}

      ${optionalString (cfg.resolver.addresses != []) ''
-        resolver ${toString cfg.resolver.addresses} ${optionalString (cfg.resolver.valid != "") "valid=${cfg.resolver.valid}"} ${optionalString (!cfg.resolver.ipv4) "ipv4=off"} ${optionalString (!cfg.resolver.ipv6) "ipv6=off"};
+        resolver ${toString cfg.resolver.addresses} ${optionalString (cfg.resolver.valid != "") "valid=${cfg.resolver.valid}"} ${optionalString (!cfg.resolver.ipv6) "ipv6=off"};
      ''}
      ${upstreamConfig}

@ -978,15 +978,6 @@ in
                An optional valid parameter allows overriding it
              '';
            };
-            ipv4 = mkOption {
-              type = types.bool;
-              default = true;
-              description = ''
-                By default, nginx will look up both IPv4 and IPv6 addresses while resolving.
-                If looking up of IPv4 addresses is not desired, the ipv4=off parameter can be
-                specified.
-              '';
-            };
            ipv6 = mkOption {
              type = types.bool;
              default = true;
@ -1188,13 +1179,6 @@ in
          to answer to ACME requests.
        '';
      }
-
-      {
-        assertion = cfg.resolver.ipv4 || cfg.resolver.ipv6;
-        message = ''
-          At least one of services.nginx.resolver.ipv4 and services.nginx.resolver.ipv6 must be true.
-        '';
-      }
    ] ++ map (name: mkCertOwnershipAssertion {
      inherit (cfg) group user;
      cert = config.security.acme.certs.${name};
--- a/nixos/modules/services/web-servers/nginx/tailscale-auth.nix
+++ b/nixos/modules/services/web-servers/nginx/tailscale-auth.nix
@ -1,29 +1,28 @@
 { config, lib, pkgs, ... }:

+with lib;
+
 let
-  inherit (lib)
-    genAttrs
-    maintainers
-    mkAliasOptionModule
-    mkEnableOption
-    mkIf
-    mkOption
-    types
-    ;
  cfg = config.services.nginx.tailscaleAuth;
-  cfgAuth = config.services.tailscaleAuth;
 in
 {
-  imports = [
-    (mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "package" ] [ "services" "tailscaleAuth" "package" ])
-    (mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "user" ] [ "services" "tailscaleAuth" "user" ])
-    (mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "group" ] [ "services" "tailscaleAuth" "group" ])
-    (mkAliasOptionModule [ "services" "nginx" "tailscaleAuth" "socketPath" ] [ "services" "tailscaleAuth" "socketPath" ])
-  ];
-
  options.services.nginx.tailscaleAuth = {
    enable = mkEnableOption "Enable tailscale.nginx-auth, to authenticate nginx users via tailscale.";

+    package = lib.mkPackageOptionMD pkgs "tailscale-nginx-auth" {};
+
+    user = mkOption {
+      type = types.str;
+      default = "tailscale-nginx-auth";
+      description = "User which runs tailscale-nginx-auth";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "tailscale-nginx-auth";
+      description = "Group which runs tailscale-nginx-auth";
+    };
+
    expectedTailnet = mkOption {
      default = "";
      type = types.nullOr types.str;
@ -34,6 +33,14 @@ in
      '';
    };

+    socketPath = mkOption {
+      default = "/run/tailscale-nginx-auth/tailscale-nginx-auth.sock";
+      type = types.path;
+      description = ''
+        Path of the socket listening to nginx authorization requests.
+      '';
+    };
+
    virtualHosts = mkOption {
      type = types.listOf types.str;
      default = [];
@ -44,14 +51,67 @@ in
  };

  config = mkIf cfg.enable {
-    services.tailscaleAuth.enable = true;
+    services.tailscale.enable = true;
    services.nginx.enable = true;

-    users.users.${config.services.nginx.user}.extraGroups = [ cfgAuth.group ];
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      inherit (cfg) group;
+    };
+    users.groups.${cfg.group} = { };
+    users.users.${config.services.nginx.user}.extraGroups = [ cfg.group ];
+    systemd.sockets.tailscale-nginx-auth = {
+      description = "Tailscale NGINX Authentication socket";
+      partOf = [ "tailscale-nginx-auth.service" ];
+      wantedBy = [ "sockets.target" ];
+      listenStreams = [ cfg.socketPath ];
+      socketConfig = {
+        SocketMode = "0660";
+        SocketUser = cfg.user;
+        SocketGroup = cfg.group;
+      };
+    };
+

    systemd.services.tailscale-nginx-auth = {
+      description = "Tailscale NGINX Authentication service";
      after = [ "nginx.service" ];
      wants = [ "nginx.service" ];
+      requires = [ "tailscale-nginx-auth.socket" ];
+
+      serviceConfig = {
+        ExecStart = "${lib.getExe cfg.package}";
+        RuntimeDirectory = "tailscale-nginx-auth";
+        User = cfg.user;
+        Group = cfg.group;
+
+        BindPaths = [ "/run/tailscale/tailscaled.sock" ];
+
+        CapabilityBoundingSet = "";
+        DeviceAllow = "";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictNamespaces = true;
+        RestrictAddressFamilies = [ "AF_UNIX" ];
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+
+        SystemCallArchitectures = "native";
+        SystemCallErrorNumber = "EPERM";
+        SystemCallFilter = [
+          "@system-service"
+          "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
+        ];
+      };
    };

    services.nginx.virtualHosts = genAttrs
@ -61,7 +121,7 @@ in
          extraConfig = ''
            internal;

-            proxy_pass http://unix:${cfgAuth.socketPath};
+            proxy_pass http://unix:${cfg.socketPath};
            proxy_pass_request_body off;

            # Upstream uses $http_host here, but we are using gixy to check nginx configurations
--- a/nixos/modules/virtualisation/lxd-virtual-machine.nix
+++ b/nixos/modules/virtualisation/lxd-virtual-machine.nix
@ -45,10 +45,6 @@ in {

    boot.kernelParams = ["console=tty1" "console=${serialDevice}"];

-    services.udev.extraRules = ''
-      SUBSYSTEM=="cpu", CONST{arch}=="x86-64", TEST=="online", ATTR{online}=="0", ATTR{online}="1"
-    '';
-
    virtualisation.lxd.agent.enable = lib.mkDefault true;
  };
 }
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -330,7 +330,6 @@ in {
  freshrss-sqlite = handleTest ./freshrss-sqlite.nix {};
  freshrss-pgsql = handleTest ./freshrss-pgsql.nix {};
  freshrss-http-auth = handleTest ./freshrss-http-auth.nix {};
-  freshrss-none-auth = handleTest ./freshrss-none-auth.nix {};
  frigate = handleTest ./frigate.nix {};
  frp = handleTest ./frp.nix {};
  frr = handleTest ./frr.nix {};
@ -599,7 +598,6 @@ in {
  netdata = handleTest ./netdata.nix {};
  networking.scripted = handleTest ./networking/networkd-and-scripted.nix { networkd = false; };
  networking.networkd = handleTest ./networking/networkd-and-scripted.nix { networkd = true; };
-  networking.networkmanager = handleTest ./networking/networkmanager.nix {};
  netbox_3_6 = handleTest ./web-apps/netbox.nix { netbox = pkgs.netbox_3_6; };
  netbox_3_7 = handleTest ./web-apps/netbox.nix { netbox = pkgs.netbox_3_7; };
  netbox-upgrade = handleTest ./web-apps/netbox-upgrade.nix {};
--- a/nixos/tests/docker-registry.nix
+++ b/nixos/tests/docker-registry.nix
@ -3,7 +3,7 @@
 import ./make-test-python.nix ({ pkgs, ...} : {
  name = "docker-registry";
  meta = with pkgs.lib.maintainers; {
-    maintainers = [ globin ironpinguin cafkafk ];
+    maintainers = [ globin ironpinguin ];
  };

  nodes = {
--- a/nixos/tests/forgejo.nix
+++ b/nixos/tests/forgejo.nix
@ -22,27 +22,8 @@ let
  '';
  signingPrivateKeyId = "4D642DE8B678C79D";

-  actionsWorkflowYaml = ''
-    run-name: dummy workflow
-    on:
-      push:
-    jobs:
-      cat:
-        runs-on: native
-        steps:
-          - uses: http://localhost:3000/test/checkout@main
-          - run: cat testfile
-  '';
-  # https://github.com/actions/checkout/releases
-  checkoutActionSource = pkgs.fetchFromGitHub {
-    owner = "actions";
-    repo = "checkout";
-    rev = "v4.1.1";
-    hash = "sha256-h2/UIp8IjPo3eE4Gzx52Fb7pcgG/Ww7u31w5fdKVMos=";
-  };
-
  supportedDbTypes = [ "mysql" "postgres" "sqlite3" ];
-  makeForgejoTest = type: nameValuePair type (makeTest {
+  makeGForgejoTest = type: nameValuePair type (makeTest {
    name = "forgejo-${type}";
    meta.maintainers = with maintainers; [ bendlas emilylange ];

@ -55,28 +36,21 @@ let
          settings.service.DISABLE_REGISTRATION = true;
          settings."repository.signing".SIGNING_KEY = signingPrivateKeyId;
          settings.actions.ENABLED = true;
-          settings.repository = {
-            ENABLE_PUSH_CREATE_USER = true;
-            DEFAULT_PUSH_CREATE_PRIVATE = false;
-          };
        };
-        environment.systemPackages = [ config.services.forgejo.package pkgs.gnupg pkgs.jq pkgs.file pkgs.htmlq ];
+        environment.systemPackages = [ config.services.forgejo.package pkgs.gnupg pkgs.jq pkgs.file ];
        services.openssh.enable = true;

        specialisation.runner = {
          inheritParentConfig = true;
-          configuration.services.gitea-actions-runner = {
-            package = pkgs.forgejo-runner;
-            instances."test" = {
-              enable = true;
-              name = "ci";
-              url = "http://localhost:3000";
-              labels = [
-                # type ":host" does not depend on docker/podman/lxc
-                "native:host"
-              ];
-              tokenFile = "/var/lib/forgejo/runner_token";
-            };
+          configuration.services.gitea-actions-runner.instances."test" = {
+            enable = true;
+            name = "ci";
+            url = "http://localhost:3000";
+            labels = [
+              # don't require docker/podman
+              "native:host"
+            ];
+            tokenFile = "/var/lib/forgejo/runner_token";
          };
        };
        specialisation.dump = {
@ -88,20 +62,11 @@ let
          };
        };
      };
-      client = { ... }: {
-        programs.git = {
-          enable = true;
-          config = {
-            user.email = "test@localhost";
-            user.name = "test";
-            init.defaultBranch = "main";
-          };
-        };
-        programs.ssh.extraConfig = ''
-          Host *
-            StrictHostKeyChecking no
-            IdentityFile ~/.ssh/privk
-        '';
+      client1 = { config, pkgs, ... }: {
+        environment.systemPackages = [ pkgs.git ];
+      };
+      client2 = { config, pkgs, ... }: {
+        environment.systemPackages = [ pkgs.git ];
      };
    };

@ -110,23 +75,26 @@ let
        inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey;
        serverSystem = nodes.server.system.build.toplevel;
        dumpFile = with nodes.server.specialisation.dump.configuration.services.forgejo.dump; "${backupDir}/${file}";
-        remoteUri = "forgejo@server:test/repo";
-        remoteUriCheckoutAction = "forgejo@server:test/checkout";
      in
      ''
        import json
+        GIT_SSH_COMMAND = "ssh -i $HOME/.ssh/privk -o StrictHostKeyChecking=no"
+        REPO = "forgejo@server:test/repo"
+        PRIVK = "${snakeOilPrivateKey}"

        start_all()

-        client.succeed("mkdir -p ~/.ssh")
-        client.succeed("(umask 0077; cat ${snakeOilPrivateKey} > ~/.ssh/privk)")
-
-        client.succeed("mkdir /tmp/repo")
-        client.succeed("git -C /tmp/repo init")
-        client.succeed("echo 'hello world' > /tmp/repo/testfile")
-        client.succeed("git -C /tmp/repo add .")
-        client.succeed("git -C /tmp/repo commit -m 'Initial import'")
-        client.succeed("git -C /tmp/repo remote add origin ${remoteUri}")
+        client1.succeed("mkdir /tmp/repo")
+        client1.succeed("mkdir -p $HOME/.ssh")
+        client1.succeed(f"cat {PRIVK} > $HOME/.ssh/privk")
+        client1.succeed("chmod 0400 $HOME/.ssh/privk")
+        client1.succeed("git -C /tmp/repo init")
+        client1.succeed("echo hello world > /tmp/repo/testfile")
+        client1.succeed("git -C /tmp/repo add .")
+        client1.succeed("git config --global user.email test@localhost")
+        client1.succeed("git config --global user.name test")
+        client1.succeed("git -C /tmp/repo commit -m 'Initial import'")
+        client1.succeed(f"git -C /tmp/repo remote add origin {REPO}")

        server.wait_for_unit("forgejo.service")
        server.wait_for_open_port(3000)
@ -175,14 +143,18 @@ let
            + ' -d \'{"key":"${snakeOilPublicKey}","read_only":true,"title":"SSH"}\'''
        )

-        client.succeed("git -C /tmp/repo push origin main")
+        client1.succeed(
+            f"GIT_SSH_COMMAND='{GIT_SSH_COMMAND}' git -C /tmp/repo push origin master"
+        )

-        client.succeed("git clone ${remoteUri} /tmp/repo-clone")
-        print(client.succeed("ls -lash /tmp/repo-clone"))
-        assert "hello world" == client.succeed("cat /tmp/repo-clone/testfile").strip()
+        client2.succeed("mkdir -p $HOME/.ssh")
+        client2.succeed(f"cat {PRIVK} > $HOME/.ssh/privk")
+        client2.succeed("chmod 0400 $HOME/.ssh/privk")
+        client2.succeed(f"GIT_SSH_COMMAND='{GIT_SSH_COMMAND}' git clone {REPO}")
+        client2.succeed('test "$(cat repo/testfile | xargs echo -n)" = "hello world"')

        with subtest("Testing git protocol version=2 over ssh"):
-            git_protocol = client.succeed("GIT_TRACE2_EVENT=true git -C /tmp/repo-clone fetch |& grep negotiated-version")
+            git_protocol = client2.succeed(f"GIT_SSH_COMMAND='{GIT_SSH_COMMAND}' GIT_TRACE2_EVENT=true git -C repo fetch |& grep negotiated-version")
            version = json.loads(git_protocol).get("value")
            assert version == "2", f"git did not negotiate protocol version 2, but version {version} instead."

@ -192,7 +164,7 @@ let
            timeout=10
        )

-        with subtest("Testing runner registration and action workflow"):
+        with subtest("Testing runner registration"):
            server.succeed(
                "su -l forgejo -c 'GITEA_WORK_DIR=/var/lib/forgejo gitea actions generate-runner-token' | sed 's/^/TOKEN=/' | tee /var/lib/forgejo/runner_token"
            )
@ -200,52 +172,6 @@ let
            server.wait_for_unit("gitea-runner-test.service")
            server.succeed("journalctl -o cat -u gitea-runner-test.service | grep -q 'Runner registered successfully'")

-            # enable actions feature for this repository, defaults to disabled
-            server.succeed(
-                "curl --fail -X PATCH http://localhost:3000/api/v1/repos/test/repo "
-                + "-H 'Accept: application/json' -H 'Content-Type: application/json' "
-                + f"-H 'Authorization: token {api_token}'"
-                + ' -d \'{"has_actions":true}\'''
-            )
-
-            # mirror "actions/checkout" action
-            client.succeed("cp -R ${checkoutActionSource}/ /tmp/checkout")
-            client.succeed("git -C /tmp/checkout init")
-            client.succeed("git -C /tmp/checkout add .")
-            client.succeed("git -C /tmp/checkout commit -m 'Initial import'")
-            client.succeed("git -C /tmp/checkout remote add origin ${remoteUriCheckoutAction}")
-            client.succeed("git -C /tmp/checkout push origin main")
-
-            # push workflow to initial repo
-            client.succeed("mkdir -p /tmp/repo/.forgejo/workflows")
-            client.succeed("cp ${pkgs.writeText "dummy-workflow.yml" actionsWorkflowYaml} /tmp/repo/.forgejo/workflows/")
-            client.succeed("git -C /tmp/repo add .")
-            client.succeed("git -C /tmp/repo commit -m 'Add dummy workflow'")
-            client.succeed("git -C /tmp/repo push origin main")
-
-            def poll_workflow_action_status(_) -> bool:
-                output = server.succeed(
-                    "curl --fail http://localhost:3000/test/repo/actions | "
-                    + 'htmlq ".flex-item-leading span" --attribute "data-tooltip-content"'
-                ).strip()
-
-                # values taken from https://codeberg.org/forgejo/forgejo/src/commit/af47c583b4fb3190fa4c4c414500f9941cc02389/options/locale/locale_en-US.ini#L3649-L3661
-                if output in [ "Failure", "Canceled", "Skipped", "Blocked" ]:
-                    raise Exception(f"Workflow status is '{output}', which we consider failed.")
-                    server.log(f"Command returned '{output}', which we consider failed.")
-
-                elif output in [ "Unknown", "Waiting", "Running", "" ]:
-                    server.log(f"Workflow status is '{output}'. Waiting some more...")
-                    return False
-
-                elif output in [ "Success" ]:
-                    return True
-
-                raise Exception(f"Workflow status is '{output}', which we don't know. Value mappings likely need updating.")
-
-            with server.nested("Waiting for the workflow run to be successful"):
-                retry(poll_workflow_action_status)
-
        with subtest("Testing backup service"):
            server.succeed("${serverSystem}/specialisation/dump/bin/switch-to-configuration test")
            server.systemctl("start forgejo-dump")
@ -255,4 +181,4 @@ let
  });
 in

-listToAttrs (map makeForgejoTest supportedDbTypes)
+listToAttrs (map makeGForgejoTest supportedDbTypes)
--- a/nixos/tests/freshrss-none-auth.nix
+++ b/nixos/tests/freshrss-none-auth.nix
@ -1,19 +0,0 @@
-import ./make-test-python.nix ({ lib, pkgs, ... }: {
-  name = "freshrss";
-  meta.maintainers = with lib.maintainers; [ mattchrist ];
-
-  nodes.machine = { pkgs, ... }: {
-    services.freshrss = {
-      enable = true;
-      baseUrl = "http://localhost";
-      authType = "none";
-    };
-  };
-
-  testScript = ''
-    machine.wait_for_unit("multi-user.target")
-    machine.wait_for_open_port(80)
-    response = machine.succeed("curl -vvv -s http://127.0.0.1:80/i/")
-    assert '<title>Main stream · FreshRSS</title>' in response, "FreshRSS stream page didn't load successfully"
-  '';
-})
--- a/nixos/tests/gonic.nix
+++ b/nixos/tests/gonic.nix
@ -2,19 +2,11 @@ import ./make-test-python.nix ({ pkgs, ... }: {
  name = "gonic";

  nodes.machine = { ... }: {
-    systemd.tmpfiles.settings = {
-      "10-gonic" = {
-        "/tmp/music"."d" = {};
-        "/tmp/podcast"."d" = {};
-        "/tmp/playlists"."d" = {};
-      };
-    };
    services.gonic = {
      enable = true;
      settings = {
-        music-path = [ "/tmp/music" ];
-        podcast-path = "/tmp/podcast";
-        playlists-path = "/tmp/playlists";
+        music-path = [ "/tmp" ];
+        podcast-path = "/tmp";
      };
    };
  };
--- a/nixos/tests/incus/virtual-machine.nix
+++ b/nixos/tests/incus/virtual-machine.nix
@ -57,14 +57,5 @@ in

    with subtest("lxd-agent has a valid path"):
        machine.succeed("incus exec ${instance-name} -- bash -c 'true'")
-
-    with subtest("guest supports cpu hotplug"):
-        machine.succeed("incus config set ${instance-name} limits.cpu=1")
-        count = int(machine.succeed("incus exec ${instance-name} -- nproc").strip())
-        assert count == 1, f"Wrong number of CPUs reported, want: 1, got: {count}"
-
-        machine.succeed("incus config set ${instance-name} limits.cpu=2")
-        count = int(machine.succeed("incus exec ${instance-name} -- nproc").strip())
-        assert count == 2, f"Wrong number of CPUs reported, want: 2, got: {count}"
  '';
 })
--- a/nixos/tests/lomiri.nix
+++ b/nixos/tests/lomiri.nix
@ -253,35 +253,22 @@ in {
    with subtest("ayatana indicators work"):
        open_starter()
        machine.send_chars("Indicators\n")
-        machine.wait_for_text(r"(Indicators|Client|List|network|datetime|session)")
+        machine.wait_for_text(r"(Indicators|Client|List|datetime|session)")
        machine.screenshot("indicators_open")

        # Element tab order within the indicator menus is not fully deterministic
        # Only check that the indicators are listed & their items load

-        with subtest("lomiri indicator network works"):
-            # Select indicator-network
-            machine.send_key("tab")
-            # Don't go further down, first entry
-            machine.send_key("ret")
-            machine.wait_for_text(r"(Flight|Wi-Fi)")
-            machine.screenshot("indicators_network")
-
-        machine.send_key("shift-tab")
-        machine.send_key("ret")
-        machine.wait_for_text(r"(Indicators|Client|List|network|datetime|session)")
-
        with subtest("ayatana indicator datetime works"):
            # Select ayatana-indicator-datetime
            machine.send_key("tab")
-            machine.send_key("down")
            machine.send_key("ret")
            machine.wait_for_text("Time and Date Settings")
            machine.screenshot("indicators_timedate")

        machine.send_key("shift-tab")
        machine.send_key("ret")
-        machine.wait_for_text(r"(Indicators|Client|List|network|datetime|session)")
+        machine.wait_for_text(r"(Indicators|Client|List|datetime|session)")

        with subtest("ayatana indicator session works"):
            # Select ayatana-indicator-session
--- a/nixos/tests/networking/networkmanager.nix
+++ b/nixos/tests/networking/networkmanager.nix
@ -1,172 +0,0 @@
-{ system ? builtins.currentSystem
-, config ? {}
-, pkgs ? import ../.. { inherit system config; }
-}:
-
-with import ../../lib/testing-python.nix { inherit system pkgs; };
-
-let
-  lib = pkgs.lib;
-  # this is intended as a client test since you shouldn't use NetworkManager for a router or server
-  # so using systemd-networkd for the router vm is fine in these tests.
-  router = import ./router.nix { networkd = true; };
-  qemu-common = import ../../lib/qemu-common.nix { inherit (pkgs) lib pkgs; };
-  clientConfig = extraConfig: lib.recursiveUpdate {
-    networking.useDHCP = false;
-
-    # Make sure that only NetworkManager configures the interface
-    networking.interfaces = lib.mkForce {
-      eth1 = {};
-    };
-    networking.networkmanager = {
-      enable = true;
-      # this is needed so NM doesn't generate 'Wired Connection' profiles and instead uses the default one
-      settings.main.no-auto-default = "*";
-      ensureProfiles.profiles.default = {
-        connection = {
-          id = "default";
-          type = "ethernet";
-          interface-name = "eth1";
-          autoconnect = true;
-        };
-      };
-    };
-  } extraConfig;
-  testCases = {
-    static = {
-      name = "static";
-      nodes = {
-        inherit router;
-        client = clientConfig {
-          networking.networkmanager.ensureProfiles.profiles.default = {
-            ipv4.method = "manual";
-            ipv4.addresses = "192.168.1.42/24";
-            ipv4.gateway = "192.168.1.1";
-            ipv6.method = "manual";
-            ipv6.addresses = "fd00:1234:5678:1::42/64";
-            ipv6.gateway = "fd00:1234:5678:1::1";
-          };
-        };
-      };
-      testScript = ''
-        start_all()
-        router.systemctl("start network-online.target")
-        router.wait_for_unit("network-online.target")
-        client.wait_for_unit("NetworkManager.service")
-
-        with subtest("Wait until we have an ip address on each interface"):
-            client.wait_until_succeeds("ip addr show dev eth1 | grep -q '192.168.1'")
-            client.wait_until_succeeds("ip addr show dev eth1 | grep -q 'fd00:1234:5678:1:'")
-
-        with subtest("Test if icmp echo works"):
-            client.wait_until_succeeds("ping -c 1 192.168.3.1")
-            client.wait_until_succeeds("ping -c 1 fd00:1234:5678:3::1")
-            router.wait_until_succeeds("ping -c 1 192.168.1.42")
-            router.wait_until_succeeds("ping -c 1 fd00:1234:5678:1::42")
-      '';
-    };
-    auto = {
-      name = "auto";
-      nodes = {
-        inherit router;
-        client = clientConfig {
-          networking.networkmanager.ensureProfiles.profiles.default = {
-            ipv4.method = "auto";
-            ipv6.method = "auto";
-          };
-        };
-      };
-      testScript = ''
-        start_all()
-        router.systemctl("start network-online.target")
-        router.wait_for_unit("network-online.target")
-        client.wait_for_unit("NetworkManager.service")
-
-        with subtest("Wait until we have an ip address on each interface"):
-            client.wait_until_succeeds("ip addr show dev eth1 | grep -q '192.168.1'")
-            client.wait_until_succeeds("ip addr show dev eth1 | grep -q 'fd00:1234:5678:1:'")
-
-        with subtest("Test if icmp echo works"):
-            client.wait_until_succeeds("ping -c 1 192.168.1.1")
-            client.wait_until_succeeds("ping -c 1 fd00:1234:5678:1::1")
-            router.wait_until_succeeds("ping -c 1 192.168.1.2")
-            router.wait_until_succeeds("ping -c 1 fd00:1234:5678:1::2")
-      '';
-    };
-    dns = {
-      name = "dns";
-      nodes = {
-        inherit router;
-        dynamic = clientConfig {
-          networking.networkmanager.ensureProfiles.profiles.default = {
-            ipv4.method = "auto";
-          };
-        };
-        static = clientConfig {
-          networking.networkmanager.ensureProfiles.profiles.default = {
-            ipv4 = {
-              method = "auto";
-              ignore-auto-dns = "true";
-              dns = "10.10.10.10";
-              dns-search = "";
-            };
-          };
-        };
-      };
-      testScript = ''
-        start_all()
-        router.systemctl("start network-online.target")
-        router.wait_for_unit("network-online.target")
-        dynamic.wait_for_unit("NetworkManager.service")
-        static.wait_for_unit("NetworkManager.service")
-
-        dynamic.wait_until_succeeds("cat /etc/resolv.conf | grep -q '192.168.1.1'")
-        static.wait_until_succeeds("cat /etc/resolv.conf | grep -q '10.10.10.10'")
-        static.wait_until_fails("cat /etc/resolv.conf | grep -q '192.168.1.1'")
-      '';
-    };
-    dispatcherScripts = {
-      name = "dispatcherScripts";
-      nodes.client = clientConfig {
-        networking.networkmanager.dispatcherScripts = [{
-          type = "pre-up";
-          source = pkgs.writeText "testHook" ''
-            touch /tmp/dispatcher-scripts-are-working
-          '';
-        }];
-      };
-      testScript = ''
-        start_all()
-        client.wait_for_unit("NetworkManager.service")
-        client.wait_until_succeeds("stat /tmp/dispatcher-scripts-are-working")
-      '';
-    };
-    envsubst = {
-      name = "envsubst";
-      nodes.client = let
-        # you should never write secrets in to your nixos configuration, please use tools like sops-nix or agenix
-        secretFile = pkgs.writeText "my-secret.env" ''
-          MY_SECRET_IP=fd00:1234:5678:1::23/64
-        '';
-      in clientConfig {
-        networking.networkmanager.ensureProfiles.environmentFiles = [ secretFile ];
-        networking.networkmanager.ensureProfiles.profiles.default = {
-          ipv6.method = "manual";
-          ipv6.addresses = "$MY_SECRET_IP";
-        };
-      };
-      testScript = ''
-        start_all()
-        client.wait_for_unit("NetworkManager.service")
-        client.wait_until_succeeds("ip addr show dev eth1 | grep -q 'fd00:1234:5678:1:'")
-        client.wait_until_succeeds("ping -c 1 fd00:1234:5678:1::23")
-      '';
-    };
-  };
-in lib.mapAttrs (lib.const (attrs: makeTest (attrs // {
-  name = "${attrs.name}-Networking-NetworkManager";
-  meta = {
-    maintainers = with lib.maintainers; [ janik ];
-  };
-
-}))) testCases
--- a/nixos/tests/prometheus-exporters.nix
+++ b/nixos/tests/prometheus-exporters.nix
@ -227,54 +227,6 @@ let
      '';
    };

-    dnssec = {
-      exporterConfig = {
-        enable = true;
-        configuration = {
-          records = [
-            {
-              zone = "example.com";
-              record = "@";
-              type = "SOA";
-            }
-          ];
-        };
-        resolvers = [ "127.0.0.1:53" ];
-      };
-      metricProvider = {
-        services.knot = {
-          enable = true;
-          settingsFile = pkgs.writeText "knot.conf" ''
-            server:
-              listen: 127.0.0.1@53
-            template:
-              - id: default
-                storage: ${pkgs.buildEnv {
-                  name = "zones";
-                  paths = [(pkgs.writeTextDir "example.com.zone" ''
-                    @ SOA ns1.example.com. noc.example.com. 2024032401 86400 7200 3600000 172800
-                    @       NS      ns1
-                    ns1     A       192.168.0.1
-                  '')];
-                }}
-                zonefile-load: difference
-                zonefile-sync: -1
-            zone:
-              - domain: example.com
-                file: example.com.zone
-                dnssec-signing: on
-          '';
-        };
-      };
-      exporterTest = ''
-        wait_for_unit("knot.service")
-        wait_for_open_port(53)
-        wait_for_unit("prometheus-dnssec-exporter.service")
-        wait_for_open_port(9204)
-        succeed("curl -sSf http://localhost:9204/metrics | grep 'example.com'")
-      '';
-    };
-
    # Access to WHOIS server is required to properly test this exporter, so
    # just perform basic sanity check that the exporter is running and returns
    # a failure.
--- a/nixos/tests/teleport.nix
+++ b/nixos/tests/teleport.nix
@ -9,8 +9,8 @@ with import ../lib/testing-python.nix { inherit system pkgs; };
 let
  packages = with pkgs; {
    "default" = teleport;
+    "12" = teleport_12;
    "13" = teleport_13;
-    "14" = teleport_14;
  };

  minimal = package: {
--- a/pkgs/applications/audio/a2jmidid/default.nix
+++ b/pkgs/applications/audio/a2jmidid/default.nix
@ -1,17 +1,15 @@
-{ lib, stdenv, fetchFromGitea, makeWrapper, pkg-config, alsa-lib, dbus, libjack2
-, python3Packages , meson, ninja, gitUpdater }:
+{ lib, stdenv, fetchFromGitHub, makeWrapper, pkg-config, alsa-lib, dbus, libjack2
+, python3Packages , meson, ninja }:

 stdenv.mkDerivation rec {
  pname = "a2jmidid";
-  version = "12";
+  version = "9";

-  src = fetchFromGitea {
-    domain = "gitea.ladish.org";
-    owner = "LADI";
-    repo = "a2jmidid";
-    rev = "refs/tags/${version}";
-    fetchSubmodules = true;
-    hash = "sha256-PZKGhHmPMf0AucPruOLB9DniM5A3BKdghFCrd5pTzeM=";
+  src = fetchFromGitHub {
+    owner = "linuxaudio";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-WNt74tSWV8bY4TnpLp86PsnrjkqWynJJt3Ra4gZl2fQ=";
  };

  nativeBuildInputs = [ pkg-config makeWrapper meson ninja ];
@ -23,12 +21,9 @@ stdenv.mkDerivation rec {
    substituteInPlace $out/bin/a2j --replace "a2j_control" "$out/bin/a2j_control"
  '';

-  passthru.updateScript = gitUpdater { };
-
  meta = with lib; {
    description = "Daemon for exposing legacy ALSA sequencer applications in JACK MIDI system";
-    homepage = "https://a2jmidid.ladish.org/";
-    license = licenses.gpl2Only;
+    license = licenses.gpl2;
    maintainers = [ maintainers.goibhniu ];
    platforms = [ "i686-linux" "x86_64-linux" "aarch64-linux" ];
  };
--- a/pkgs/applications/audio/gbsplay/default.nix
+++ b/pkgs/applications/audio/gbsplay/default.nix
@ -2,13 +2,13 @@

 stdenv.mkDerivation rec {
  pname = "gbsplay";
-  version = "0.0.97";
+  version = "0.0.96";

  src = fetchFromGitHub {
    owner = "mmitch";
    repo = "gbsplay";
    rev = version;
-    sha256 = "sha256-O4t5OzXcrGoxzSXr0nzc01bItjcp1LvFeWnbdSUDwFU=";
+    sha256 = "sha256-2sYPP+urcSP67mHzbjRiL9BYgkIpONr7fPPbGQmBOqU=";
  };

  configureFlags = [
--- a/pkgs/applications/audio/grandorgue/default.nix
+++ b/pkgs/applications/audio/grandorgue/default.nix
@ -21,14 +21,14 @@

 stdenv.mkDerivation rec {
  pname = "grandorgue";
-  version = "3.14.1-1";
+  version = "3.14.0-1";

  src = fetchFromGitHub {
    owner = "GrandOrgue";
    repo = pname;
    rev = version;
    fetchSubmodules = true;
-    hash = "sha256-EyMTWsaqJX7H7aCbu5ww9tQBMwJ7BzobWMWg5Y/ZgJE=";
+    hash = "sha256-bzGfc0kWlQSjvZsFlRERPjdLtemcZmsa6DsQGgBPoFo=";
  };

  postPatch = ''
--- a/pkgs/applications/audio/muzika/default.nix
+++ b/pkgs/applications/audio/muzika/default.nix
@ -2,7 +2,7 @@
 , desktop-file-utils
 , fetchFromGitHub
 , fetchYarnDeps
-, fixup-yarn-lock
+, prefetch-yarn-deps
 , gjs
 , glib-networking
 , gobject-introspection
@ -46,7 +46,7 @@ stdenv.mkDerivation rec {
    ninja
    nodejs
    pkg-config
-    fixup-yarn-lock
+    prefetch-yarn-deps
    wrapGAppsHook4
    yarn
  ];
--- a/pkgs/applications/audio/waylyrics/Cargo.lock
+++ b/pkgs/applications/audio/waylyrics/Cargo.lock
--- a/pkgs/applications/audio/waylyrics/default.nix
+++ b/pkgs/applications/audio/waylyrics/default.nix
@ -9,13 +9,13 @@

 rustPlatform.buildRustPackage rec {
  pname = "waylyrics";
-  version = "0.2.19";
+  version = "0.2.15";

  src = fetchFromGitHub {
    owner = "poly000";
    repo = "waylyrics";
    rev = "v${version}";
-    hash = "sha256-y8FBZ/BvCj7CBfQlNE1Ay2nuP41WC14dfTeOJhTbHYs=";
+    hash = "sha256-dGtotQfS5Ve3rl6iSsqOzs0/dOePfoRZ9Wlg9zHCXSY=";
  };

  cargoLock = {
--- a/pkgs/applications/blockchains/bitcoin/default.nix
+++ b/pkgs/applications/blockchains/bitcoin/default.nix
@ -33,14 +33,14 @@ let
 in
 stdenv.mkDerivation rec {
  pname = if withGui then "bitcoin" else "bitcoind";
-  version = "27.0";
+  version = "26.1";

  src = fetchurl {
    urls = [
      "https://bitcoincore.org/bin/bitcoin-core-${version}/bitcoin-${version}.tar.gz"
    ];
    # hash retrieved from signed SHA256SUMS
-    sha256 = "9c1ee651d3b157baccc3388be28b8cf3bfcefcd2493b943725ad6040ca6b146b";
+    sha256 = "9164ee5d717b4a20cb09f0496544d9d32f365734814fe399f5cdb4552a9b35ee";
  };

  nativeBuildInputs =
--- a/pkgs/applications/editors/jetbrains/default.nix
+++ b/pkgs/applications/editors/jetbrains/default.nix
@ -100,12 +100,10 @@ rec {
  clion = (mkJetBrainsProduct {
    pname = "clion";
    extraBuildInputs = lib.optionals (stdenv.isLinux) [
-      fontconfig
      python3
      stdenv.cc.cc
      openssl
      libxcrypt-legacy
-      lttng-ust_2_12
      musl
    ] ++ lib.optionals (stdenv.isLinux && stdenv.isAarch64) [
      expat
--- a/pkgs/applications/editors/lite-xl/default.nix
+++ b/pkgs/applications/editors/lite-xl/default.nix
@ -13,13 +13,13 @@

 stdenv.mkDerivation rec {
  pname = "lite-xl";
-  version = "2.1.4";
+  version = "2.1.3";

  src = fetchFromGitHub {
    owner = "lite-xl";
    repo = "lite-xl";
    rev = "v${version}";
-    hash = "sha256-TqrFI5TFb2hnnlHYUjLDUTDK3/Wgg1gOxIP8owLi/yo=";
+    hash = "sha256-4ykUdcNwJ4r/4u9H+c8pgupY3BaPi2y69X6yaDjCjac=";
  };

  nativeBuildInputs = [ meson ninja pkg-config ];
--- a/pkgs/applications/editors/pixelorama/default.nix
+++ b/pkgs/applications/editors/pixelorama/default.nix
@ -26,13 +26,13 @@ let
    else throw "unsupported platform";
 in stdenv.mkDerivation (finalAttrs: {
  pname = "pixelorama";
-  version = "0.11.4";
+  version = "0.11.3";

  src = fetchFromGitHub {
    owner = "Orama-Interactive";
    repo = "Pixelorama";
    rev = "v${finalAttrs.version}";
-    sha256 = "sha256-VEQjZ9kDqXz1hoT4PrsBtzoi1TYWyN+YcPMyf9qJMRE=";
+    sha256 = "sha256-+bQRUTEJluhcs5P87It9/oJOzrCcNFzDJVpixoQKXQc=";
  };

  nativeBuildInputs = [
--- a/pkgs/applications/editors/vim/plugins/generated.nix
+++ b/pkgs/applications/editors/vim/plugins/generated.nix
@ -5062,18 +5062,6 @@ final: prev:
    meta.homepage = "https://github.com/neoclide/jsonc.vim/";
  };

-  jsonfly-nvim = buildVimPlugin {
-    pname = "jsonfly.nvim";
-    version = "2024-04-12";
-    src = fetchFromGitHub {
-      owner = "Myzel394";
-      repo = "jsonfly.nvim";
-      rev = "539a0b79a5ea75d201e1e90cebfe9367154d04fc";
-      sha256 = "1v1i4x2px0zs65rxkf2yhnxn6clx33vdr54r9gaqq713qj5ddlfm";
-    };
-    meta.homepage = "https://github.com/Myzel394/jsonfly.nvim/";
-  };
-
  julia-vim = buildVimPlugin {
    pname = "julia-vim";
    version = "2023-12-15";
@ -11123,18 +11111,6 @@ final: prev:
    meta.homepage = "https://github.com/Pocco81/true-zen.nvim/";
  };

-  trust-vim = buildVimPlugin {
-    pname = "trust.vim";
-    version = "2022-04-14";
-    src = fetchFromGitHub {
-      owner = "tesaguri";
-      repo = "trust.vim";
-      rev = "3e17b29ff13f862eeda269d7ce0260571dab6cb7";
-      sha256 = "1zvxjgyzzhnza2gv528dvyp7m1nvsz5gjn0qp65jn0k7y4gh3nnl";
-    };
-    meta.homepage = "https://github.com/tesaguri/trust.vim/";
-  };
-
  tslime-vim = buildVimPlugin {
    pname = "tslime.vim";
    version = "2020-09-09";
@ -17213,17 +17189,5 @@ final: prev:
    meta.homepage = "https://github.com/jhradilek/vim-snippets/";
  };

-  gitignore-nvim = buildVimPlugin {
-    pname = "gitignore-nvim";
-    version = "2024-03-25";
-    src = fetchFromGitHub {
-      owner = "wintermute-cell";
-      repo = "gitignore.nvim";
-      rev = "2455191ec94da8ed222806a4fe3aa358eac1e558";
-      sha256 = "sha256-p6k0NP3Vne6Kl98YodzSruVmJwxyrXziJj8N7u79o1w=";
-    };
-    meta.homepage = "https://github.com/wintermute-cell/gitignore.nvim/";
-  };
-

 }
--- a/pkgs/applications/editors/vim/plugins/vim-plugin-names
+++ b/pkgs/applications/editors/vim/plugins/vim-plugin-names
@ -338,7 +338,6 @@ https://github.com/f-person/git-blame.nvim/,,
 https://github.com/akinsho/git-conflict.nvim/,HEAD,
 https://github.com/rhysd/git-messenger.vim/,,
 https://github.com/ThePrimeagen/git-worktree.nvim/,,
-https://github.com/wintermute-cell/gitignore.nvim/,HEAD,
 https://github.com/vim-scripts/gitignore.vim/,,
 https://github.com/ruifm/gitlinker.nvim/,,
 https://github.com/lewis6991/gitsigns.nvim/,,
@ -425,7 +424,6 @@ https://github.com/nanotech/jellybeans.vim/,,
 https://github.com/HiPhish/jinja.vim/,HEAD,
 https://github.com/vito-c/jq.vim/,,
 https://github.com/neoclide/jsonc.vim/,,
-https://github.com/Myzel394/jsonfly.nvim/,HEAD,
 https://github.com/JuliaEditorSupport/julia-vim/,,
 https://github.com/GCBallesteros/jupytext.nvim/,HEAD,
 https://github.com/rebelot/kanagawa.nvim/,,
@ -935,7 +933,6 @@ https://github.com/tremor-rs/tremor-vim/,,
 https://github.com/cappyzawa/trim.nvim/,,
 https://github.com/folke/trouble.nvim/,,
 https://github.com/Pocco81/true-zen.nvim/,,
-https://github.com/tesaguri/trust.vim/,HEAD,
 https://github.com/jgdavey/tslime.vim/,,
 https://github.com/Quramy/tsuquyomi/,,
 https://github.com/folke/twilight.nvim/,,
--- a/pkgs/applications/editors/vscode/extensions/default.nix
+++ b/pkgs/applications/editors/vscode/extensions/default.nix
@ -1049,8 +1049,8 @@ let
        mktplcRef = {
          name = "vscode-markdownlint";
          publisher = "DavidAnson";
-          version = "0.55.0";
-          hash = "sha256-slfHfRPcuRu+649n6kAr2bv9H6J+DvYVN/ysq1QpPQM=";
+          version = "0.54.0";
+          hash = "sha256-BrPFFRspJIz1U08hPbLziCmRUeZv2NhRrTCx6qvhOJw=";
        };
        meta = {
          changelog = "https://marketplace.visualstudio.com/items/DavidAnson.vscode-markdownlint/changelog";
@ -2352,23 +2352,6 @@ let
        };
      };

-      k--kato.intellij-idea-keybindings = buildVscodeMarketplaceExtension {
-        mktplcRef = {
-          name = "intellij-idea-keybindings";
-          publisher = "k--kato";
-          version = "1.7.0";
-          hash = "sha256-mIcSZANZlj5iO2oLiJBUHn08rXVhu/9SKsRhlu/hcvI=";
-        };
-        meta = {
-          changelog = "https://marketplace.visualstudio.com/items/k--kato.intellij-idea-keybindings/changelog";
-          description = "Visual Studio Code extension for IntelliJ IDEA keybindings";
-          downloadPage = "https://marketplace.visualstudio.com/items?itemName=k--kato.intellij-idea-keybindings";
-          homepage = "https://github.com/kasecato/vscode-intellij-idea-keybindings";
-          license = lib.licenses.mit;
-          maintainers = [ lib.maintainers.t4sm5n ];
-        };
-      };
-
      kahole.magit = buildVscodeMarketplaceExtension {
        mktplcRef = {
          name = "magit";
@ -3729,8 +3712,6 @@ let
        meta.license = lib.licenses.lgpl3Only;
      };

-      sourcery.sourcery = callPackage ./sourcery.sourcery { };
-
      spywhere.guides = buildVscodeMarketplaceExtension {
        mktplcRef = {
          name = "guides";
--- a/pkgs/applications/editors/vscode/extensions/ms-python.vscode-pylance/default.nix
+++ b/pkgs/applications/editors/vscode/extensions/ms-python.vscode-pylance/default.nix
@ -1,6 +1,6 @@
 {
  lib,
-  pyright,
+  nodePackages,
  vscode-utils,
 }:

@ -12,7 +12,7 @@ vscode-utils.buildVscodeMarketplaceExtension {
    hash = "sha256-xJU/j5r/Idp/0VorEfciT4SFKRBpMCv9Z0LKO/++1Gk=";
  };

-  buildInputs = [ pyright ];
+  buildInputs = [ nodePackages.pyright ];

  meta = {
    changelog = "https://marketplace.visualstudio.com/items/ms-python.vscode-pylance/changelog";
--- a/pkgs/applications/editors/vscode/extensions/sourcery.sourcery/default.nix
+++ b/pkgs/applications/editors/vscode/extensions/sourcery.sourcery/default.nix
@ -1,42 +0,0 @@
-{
-  lib,
-  stdenv,
-  vscode-utils,
-  autoPatchelfHook,
-  libxcrypt-legacy,
-}:
-
-vscode-utils.buildVscodeMarketplaceExtension {
-  mktplcRef = {
-    name = "sourcery";
-    publisher = "sourcery";
-    version = "1.16.0";
-    hash = "sha256-SHgS2C+ElTJW4v90Wg0QcsSL2FoSz+SxZQpgq2J4JiU=";
-  };
-
-  postPatch = ''
-    pushd sourcery_binaries/install
-    rm -r win ${if stdenv.isLinux then "mac" else "linux"}
-    popd
-  '';
-
-  nativeBuildInputs = lib.optionals stdenv.isLinux [ autoPatchelfHook ];
-
-  buildInputs = [
-    stdenv.cc.cc.lib
-    libxcrypt-legacy
-  ];
-
-  meta = {
-    changelog = "https://sourcery.ai/changelog/";
-    description = "A VSCode extension for Sourcery, an AI-powered code review and pair programming tool for Python";
-    downloadPage = "https://marketplace.visualstudio.com/items?itemName=sourcery.sourcery";
-    homepage = "https://github.com/sourcery-ai/sourcery-vscode";
-    license = lib.licenses.unfree;
-    maintainers = with lib.maintainers; [ tomasajt ];
-    platforms = [
-      "x86_64-linux"
-      "x86_64-darwin"
-    ];
-  };
-}
--- a/pkgs/applications/editors/vscode/extensions/timonwong.shellcheck/default.nix
+++ b/pkgs/applications/editors/vscode/extensions/timonwong.shellcheck/default.nix
@ -10,8 +10,8 @@ vscode-utils.buildVscodeMarketplaceExtension {
  mktplcRef = {
    name = "shellcheck";
    publisher = "timonwong";
-    version = "0.37.1";
-    sha256 = "sha256-JSS0GY76+C5xmkQ0PNjt2Nu/uTUkfiUqmPL51r64tl0=";
+    version = "0.37.0";
+    sha256 = "1d0blynn6c2hz4y9fk7b5wsa3x168gxyycr5d05zqp0rx520m5wc";
  };
  nativeBuildInputs = [
    jq
--- a/pkgs/applications/editors/vscode/vscode.nix
+++ b/pkgs/applications/editors/vscode/vscode.nix
@ -30,21 +30,21 @@ let
  archive_fmt = if stdenv.isDarwin then "zip" else "tar.gz";

  sha256 = {
-    x86_64-linux = "14m9w7wkg1704apd4d46yi6zwdlbrx2rp3fry9ffk2nn6kkahwk2";
-    x86_64-darwin = "1cp74wdkva1zib04wxjby0h8r1c56g893kq5ksdj38404i2c5hdk";
-    aarch64-linux = "00yrdmi4c5m8r11gm7vw18qb5ddcwwg5mdk8s9ykzhmxhdrkcarm";
-    aarch64-darwin = "1jjhw60jcvj5brayarg8k6avxwaa00mwdn4lrkcdzbzzh1q4knvv";
-    armv7l-linux = "1jddc3fsv65mp95ybpprx8sz3mpnp6j2ghp4nflky8iawmzz183v";
+    x86_64-linux = "0kr83pbjbyrpkhhpr432nr0kcjnvra5vwq2zhpdv1p2g1981dbxf";
+    x86_64-darwin = "0vlbd4y649r5v61322vm6fvdf3mrn2shw1vjh1q8wcbf2j84rgcl";
+    aarch64-linux = "0bp3a928sqlr103884ljyahl3s4jchyvpcvk08a648wmb1f8ibxi";
+    aarch64-darwin = "1dyg4f7hpvx1bpspghfpyqaj83xy47462zjql49zrdar17cq738r";
+    armv7l-linux = "16ri5icgvzf3zfg170dciqyz46dcwlsx6vy4r2y4w1j2hbb7afzn";
  }.${system} or throwSystem;
 in
  callPackage ./generic.nix rec {
    # Please backport all compatible updates to the stable release.
    # This is important for the extension ecosystem.
-    version = "1.88.1";
+    version = "1.88.0";
    pname = "vscode" + lib.optionalString isInsiders "-insiders";

    # This is used for VS Code - Remote SSH test
-    rev = "e170252f762678dec6ca2cc69aba1570769a5d39";
+    rev = "5c3e652f63e798a5ac2f31ffd0d863669328dc4c";

    executableName = "code" + lib.optionalString isInsiders "-insiders";
    longName = "Visual Studio Code" + lib.optionalString isInsiders " - Insiders";
@ -68,7 +68,7 @@ in
      src = fetchurl {
        name = "vscode-server-${rev}.tar.gz";
        url = "https://update.code.visualstudio.com/commit:${rev}/server-linux-x64/stable";
-        sha256 = "100nhm231gzav24lz84vxwxnqkn777kfn0fkkjmdcd30kc7g7ig9";
+        sha256 = "0vy3r9xx1gv92pkyff5wddywfwgr2i12d3qrydw53kdjhdykamsk";
      };
    };

--- a/pkgs/applications/graphics/drawio/default.nix
+++ b/pkgs/applications/graphics/drawio/default.nix
@ -4,7 +4,7 @@
 , fetchYarnDeps
 , makeDesktopItem
 , copyDesktopItems
-, fixup-yarn-lock
+, prefetch-yarn-deps
 , makeWrapper
 , autoSignDarwinBinariesHook
 , nodejs
@ -35,7 +35,7 @@ stdenv.mkDerivation rec {
  };

  nativeBuildInputs = [
-    fixup-yarn-lock
+    prefetch-yarn-deps
    makeWrapper
    nodejs
    yarn
--- a/pkgs/applications/logging/sosreport/default.nix
+++ b/pkgs/applications/logging/sosreport/default.nix
@ -10,13 +10,13 @@

 buildPythonPackage rec {
  pname = "sosreport";
-  version = "4.7.1";
+  version = "4.7.0";

  src = fetchFromGitHub {
    owner = "sosreport";
    repo = "sos";
    rev = "refs/tags/${version}";
-    sha256 = "sha256-usa4xSNAv0AaML7qv5kCQDA3VMz4IneLFDVyv7uPUcQ=";
+    sha256 = "sha256-SB8qLpa9ncAJjUkbPRuSY2eJ1fNMaLSR7BR/tgO+ZUs=";
  };

  nativeBuildInputs = [
--- a/pkgs/applications/misc/bambu-studio/default.nix
+++ b/pkgs/applications/misc/bambu-studio/default.nix
@ -58,13 +58,13 @@ let
 in
 stdenv.mkDerivation rec {
  pname = "bambu-studio";
-  version = "01.09.00.70";
+  version = "01.09.00.60";

  src = fetchFromGitHub {
    owner = "bambulab";
    repo = "BambuStudio";
    rev = "v${version}";
-    hash = "sha256-RBctBhKo7mjxsP7OJhGfoU1eIiGVuMiAqwwSU+gsMds=";
+    hash = "sha256-LJK+hGhBXCewbNIBA8CeE01vMQ/n1mO+bervN/y45P0=";
  };

  nativeBuildInputs = [
--- a/pkgs/applications/misc/bazecor/default.nix
+++ b/pkgs/applications/misc/bazecor/default.nix
@ -5,13 +5,13 @@

 appimageTools.wrapAppImage rec {
  pname = "bazecor";
-  version = "1.3.11";
+  version = "1.3.9";

  src = appimageTools.extract {
    inherit pname version;
    src = fetchurl {
      url = "https://github.com/Dygmalab/Bazecor/releases/download/v${version}/Bazecor-${version}-x64.AppImage";
-      hash = "sha256-iMurQDF0CBMnJnjmEgNIKYd8C5B4FguMi4Jqa3dHr3o=";
+      hash = "sha256-qve5xxhhyVej8dPDkZ7QQdeDUmqGO4pHJTykbS4RhAk=";
    };

    # Workaround for https://github.com/Dygmalab/Bazecor/issues/370
@ -26,7 +26,7 @@ appimageTools.wrapAppImage rec {

  # also make sure to update the udev rules in ./10-dygma.rules; most recently
  # taken from
-  # https://github.com/Dygmalab/Bazecor/blob/v1.3.11/src/main/utils/udev.ts#L6
+  # https://github.com/Dygmalab/Bazecor/blob/v1.3.9/src/main/utils/udev.ts#L6

  extraPkgs = p: (appimageTools.defaultFhsEnvArgs.multiPkgs p) ++ [
    p.glib
--- a/pkgs/applications/misc/geoipupdate/default.nix
+++ b/pkgs/applications/misc/geoipupdate/default.nix
@ -2,16 +2,16 @@

 buildGoModule rec {
  pname = "geoipupdate";
-  version = "7.0.1";
+  version = "6.1.0";

  src = fetchFromGitHub {
    owner = "maxmind";
    repo = "geoipupdate";
    rev = "v${version}";
-    sha256 = "sha256-OWo8puUjzMZXZ80HMpCrvRGUVdclnSxk7rHR5egOU1Y=";
+    sha256 = "sha256-/iLWy3yKO34nnn5ygAewR036PzgUGIqdhXNK4fx3Ym8=";
  };

-  vendorHash = "sha256-MApZUtI9JewMBbImuV3vsNG89UvCfxcBg3TZiuk/nvg=";
+  vendorHash = "sha256-jW5/09sOUvPZVM1wzL4xg/a14kZ0KsM8e+zEQoADsl4=";

  ldflags = [ "-X main.version=${version}" ];

--- a/pkgs/applications/misc/golden-cheetah/default.nix
+++ b/pkgs/applications/misc/golden-cheetah/default.nix
@ -16,13 +16,13 @@ let
  };
 in mkDerivation rec {
  pname = "golden-cheetah";
-  version = "3.7-DEV2404";
+  version = "3.6";

  src = fetchFromGitHub {
    owner = "GoldenCheetah";
    repo = "GoldenCheetah";
    rev = "refs/tags/v${version}";
-    hash = "sha256-u2igcnOulgJGZT46/Z3vSsce9mr3VsxkD3mTeQPvUOg=";
+    hash = "sha256-Ntim1/ZPaTPCHQ5p8xF5LWpqq8+OgkPfaQqqysv9j/c=";
  };

  buildInputs = [
--- a/pkgs/applications/misc/metadata-cleaner/default.nix
+++ b/pkgs/applications/misc/metadata-cleaner/default.nix
@ -18,7 +18,7 @@

 python3.pkgs.buildPythonApplication rec {
  pname = "metadata-cleaner";
-  version = "2.5.5";
+  version = "2.5.4";

  format = "other";

@ -26,7 +26,7 @@ python3.pkgs.buildPythonApplication rec {
    owner = "rmnvgr";
    repo = pname;
    rev = "v${version}";
-    hash = "sha256-0DaQvVG19X9mMYZeYBz0t/DEx4MACLMjTOGMkUv9OQg=";
+    hash = "sha256-2+ZY+ca/CTIdCiFrBOkMWKflzKjSYJ8yfwFkULNg7Xk=";
  };

  nativeBuildInputs = [
--- a/pkgs/applications/misc/pdfpc/default.nix
+++ b/pkgs/applications/misc/pdfpc/default.nix
@ -41,15 +41,9 @@ stdenv.mkDerivation rec {
      url = "https://github.com/pdfpc/pdfpc/commit/d38edfac63bec54173b4b31eae5c7fb46cd8f714.diff";
      hash = "sha256-KC2oyzcwU2fUmxaed8qAsKcePwR5KcXgpVdstJg8KmU=";
    })
-    # Allow compiling with markdown3
-    # https://github.com/pdfpc/pdfpc/pull/716
-    (fetchpatch {
-      url = "https://github.com/pdfpc/pdfpc/commit/08e66b9d432e9598c1ee9a78b2355728036ae1a1.patch";
-      hash = "sha256-SKH2GQ5/6Is36xOFmSs89Yw/w7Fnma3FrNqwjOlUQKM=";
-    })
  ];

-  cmakeFlags = lib.optional stdenv.isDarwin (lib.cmakeBool "MOVIES" false);
+  cmakeFlags = lib.optional stdenv.isDarwin "-DMOVIES=OFF";

  meta = with lib; {
    description = "A presenter console with multi-monitor support for PDF files";
--- a/pkgs/applications/misc/redshift/default.nix
+++ b/pkgs/applications/misc/redshift/default.nix
@ -24,8 +24,6 @@ let
        ./575.patch
      ];

-      strictDeps = true;
-
      nativeBuildInputs = [
        autoconf
        automake
@ -36,7 +34,6 @@ let
        wrapGAppsHook
        wrapPython
        gobject-introspection
-        python
      ];

      configureFlags = [
@ -52,6 +49,7 @@ let

      buildInputs = [
        gtk3
+        python
      ] ++ lib.optional  withRandr        libxcb
        ++ lib.optional  withGeoclue      geoclue
        ++ lib.optional  withDrm          libdrm
--- a/pkgs/applications/misc/tandoor-recipes/frontend.nix
+++ b/pkgs/applications/misc/tandoor-recipes/frontend.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchYarnDeps, fixup-yarn-lock, callPackage, nodejs }:
+{ stdenv, fetchYarnDeps, prefetch-yarn-deps, callPackage, nodejs }:
 let
  common = callPackage ./common.nix { };
 in
@ -14,7 +14,7 @@ stdenv.mkDerivation {
  };

  nativeBuildInputs = [
-    fixup-yarn-lock
+    prefetch-yarn-deps
    nodejs
    nodejs.pkgs.yarn
  ];
--- a/pkgs/applications/misc/tiramisu/default.nix
+++ b/pkgs/applications/misc/tiramisu/default.nix
@ -2,15 +2,13 @@

 stdenv.mkDerivation rec {
  pname = "tiramisu";
-  # FIXME: once a newer release in upstream is available
-  version = "2.0-unstable-2023-03-29";
+  version = "2.0.20211107";

  src = fetchFromGitHub {
    owner = "Sweets";
-    repo = "tiramisu";
-    # FIXME: use the current HEAD commit as upstream has no releases since 2021
-    rev = "5dddd83abd695bfa15640047a97a08ff0a8d9f9b";
-    hash = "sha256-owYk/YFwJbqO6/dbGKPE8SnmmH4KvH+o6uWptqQtpfI=";
+    repo = pname;
+    rev = version;
+    sha256 = "1n1x1ybbwbanibw7b90k7v4cadagl41li17hz2l8s2sapacvq3mw";
  };

  buildInputs = [ glib ];
--- a/pkgs/applications/misc/waylock/default.nix
+++ b/pkgs/applications/misc/waylock/default.nix
@ -12,7 +12,7 @@

 stdenv.mkDerivation (finalAttrs: {
  pname = "waylock";
-  version = "1.0.0";
+  version = "0.6.5";

  src = fetchFromGitea {
    domain = "codeberg.org";
@ -20,7 +20,7 @@ stdenv.mkDerivation (finalAttrs: {
    repo = "waylock";
    rev = "v${finalAttrs.version}";
    fetchSubmodules = true;
-    hash = "sha256-Z5YNaR+jocJ4hS7NT8oAlrMnqNfD8KRzOyyqdVGDSl0=";
+    hash = "sha256-wvZrRPZobDh+rB3RSaRrz0xDHuYwT2eoQEu3AbYKn8Y=";
  };

  nativeBuildInputs = [
--- a/pkgs/applications/misc/wike/default.nix
+++ b/pkgs/applications/misc/wike/default.nix
@ -18,14 +18,14 @@

 python3.pkgs.buildPythonApplication rec {
  pname = "wike";
-  version = "3.0.0";
+  version = "2.1.0";
  format = "other";

  src = fetchFromGitHub {
    owner = "hugolabe";
    repo = "Wike";
    rev = version;
-    hash = "sha256-x6HYlpCj7poKWJWB2CnvN1aoTa7LmqYwbPa62WvSYsQ=";
+    hash = "sha256-BXmLZhotQK6L4c2D8F8qF3zmOlSuzXycEN2FaC1K6/g=";
  };

  nativeBuildInputs = [
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@ -102,14 +102,7 @@ let
    "flac"
    "libjpeg"
    "libpng"
-  ] ++ lib.optionals (!chromiumVersionAtLeast "124") [
-    # Use the vendored libwebp for M124+ until we figure out how to solve:
-    # Running phase: configurePhase
-    # ERROR Unresolved dependencies.
-    # //third_party/libavif:libavif_enc(//build/toolchain/linux/unbundle:default)
-    #   needs //third_party/libwebp:libwebp_sharpyuv(//build/toolchain/linux/unbundle:default)
    "libwebp"
-  ] ++ [
    "libxslt"
    # "opus"
  ];
@ -248,15 +241,6 @@ let
      # Partial revert of https://github.com/chromium/chromium/commit/3687976b0c6d36cf4157419a24a39f6770098d61
      # allowing us to use our rustc and our clang.
      ./patches/chromium-121-rust.patch
-    ] ++ lib.optionals (chromiumVersionAtLeast "124" && !chromiumVersionAtLeast "125") [
-      # M124 shipped with broken --ozone-platform-hint flag handling, which we rely on
-      # for our NIXOS_OZONE_WL (wayland) environment variable.
-      # See <https://issues.chromium.org/issues/329678163>.
-      # This is the commit for the fix that landed in M125, which applies clean on M124.
-      (githubPatch {
-        commit = "c7f4c58f896a651eba80ad805ebdb49d19ebdbd4";
-        hash = "sha256-6nYWT2zN+j73xAIXLdGYT2eC71vGnGfiLCB0OwT0CAI=";
-      })
    ];

    postPatch = ''
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.nix
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
@ -9,15 +9,15 @@
    };
    deps = {
      gn = {
-        hash = "sha256-aEL1kIhgPAFqdb174dG093HoLhCJ07O1Kpqfu7r14wQ=";
-        rev = "22581fb46c0c0c9530caa67149ee4dd8811063cf";
+        hash = "sha256-JvilCnnb4laqwq69fay+IdAujYC1EHD7uWpkF/C8tBw=";
+        rev = "d4f94f9a6c25497b2ce0356bb99a8d202c8c1d32";
        url = "https://gn.googlesource.com/gn";
-        version = "2024-03-14";
+        version = "2024-02-19";
      };
    };
-    hash = "sha256-apEniFKhIxPo4nhp9gCU+WpiV/EB40qif4RfE7Uniog=";
-    hash_deb_amd64 = "sha256-rSbigG5/xbL32d1ntOn6gnZyxSpgrg1h7lb/RD4YROI=";
-    version = "124.0.6367.60";
+    hash = "sha256-7H7h621AHPyhFYbaVFO892TtS+SP3Qu7cYUVk3ICL14=";
+    hash_deb_amd64 = "sha256-tNkO1mPZg1xltBfoWeNhLekITtZV/WNgu//i2DJb17c=";
+    version = "123.0.6312.122";
  };
  ungoogled-chromium = {
    deps = {
--- a/pkgs/applications/networking/browsers/microsoft-edge/default.nix
+++ b/pkgs/applications/networking/browsers/microsoft-edge/default.nix
@ -1,20 +1,20 @@
 {
  beta = import ./browser.nix {
    channel = "beta";
-    version = "124.0.2478.39";
+    version = "124.0.2478.19";
    revision = "1";
-    hash = "sha256-0KQU/JS6hlv2SLMB8RKyITUiodByBUstrhcwIefn3Yw=";
+    hash = "sha256-+CanF7AadFQJj3t8OnZyoxPG2f2KO2e+EVBofKG3slg=";
  };
  dev = import ./browser.nix {
    channel = "dev";
-    version = "125.0.2518.0";
+    version = "125.0.2492.1";
    revision = "1";
-    hash = "sha256-q4TVpO0SxSSLMv/NtmJIOzClT2WqUss2qfE5vgj4O7E=";
+    hash = "sha256-S6DfXJfxR8FsHyRtCcvUialaVYP/1rPivjRVSm9XAtg=";
  };
  stable = import ./browser.nix {
    channel = "stable";
-    version = "123.0.2420.97";
+    version = "123.0.2420.81";
    revision = "1";
-    hash = "sha256-q7Pcbi0JQr/wvKIrgueD9f2Z6v1DMoD2bcRJKGqDYjs=";
+    hash = "sha256-3c4DHs0p2YDW17nzCXB+O6PR9wTMb9h98EvN11imvsM=";
  };
 }
--- a/pkgs/applications/networking/browsers/mullvad-browser/default.nix
+++ b/pkgs/applications/networking/browsers/mullvad-browser/default.nix
@ -90,7 +90,7 @@ let
      ++ lib.optionals mediaSupport [ ffmpeg ]
  );

-  version = "13.0.14";
+  version = "13.0.13";

  sources = {
    x86_64-linux = fetchurl {
@ -102,7 +102,7 @@ let
        "https://tor.eff.org/dist/mullvadbrowser/${version}/mullvad-browser-linux-x86_64-${version}.tar.xz"
        "https://tor.calyxinstitute.org/dist/mullvadbrowser/${version}/mullvad-browser-linux-x86_64-${version}.tar.xz"
      ];
-      hash = "sha256-z7fZtq+jnoAi6G8RNahGtP1LXeOXU/2wYz5ha2ddAeM=";
+      hash = "sha256-CAJJs14U9zsl5PiyZIwXYZG4dZz+Cqn7sD9u3S+/WvA=";
    };
  };

--- a/pkgs/applications/networking/browsers/tor-browser/default.nix
+++ b/pkgs/applications/networking/browsers/tor-browser/default.nix
@ -101,7 +101,7 @@ lib.warnIf (useHardenedMalloc != null)
      ++ lib.optionals mediaSupport [ ffmpeg ]
  );

-  version = "13.0.14";
+  version = "13.0.13";

  sources = {
    x86_64-linux = fetchurl {
@ -111,7 +111,7 @@ lib.warnIf (useHardenedMalloc != null)
        "https://tor.eff.org/dist/torbrowser/${version}/tor-browser-linux-x86_64-${version}.tar.xz"
        "https://tor.calyxinstitute.org/dist/torbrowser/${version}/tor-browser-linux-x86_64-${version}.tar.xz"
      ];
-      hash = "sha256-UWR2zMVXa6QMz1EIWJf43Vmj14ZIaug105esxeSd0KU=";
+      hash = "sha256-l7Ka8vjVX67ZPPzRnQixtki5/cYhP6P/J91CyGPnwfI=";
    };

    i686-linux = fetchurl {
@ -121,7 +121,7 @@ lib.warnIf (useHardenedMalloc != null)
        "https://tor.eff.org/dist/torbrowser/${version}/tor-browser-linux-i686-${version}.tar.xz"
        "https://tor.calyxinstitute.org/dist/torbrowser/${version}/tor-browser-linux-i686-${version}.tar.xz"
      ];
-      hash = "sha256-n+qj3IY4z+erOg4iUkQ4CP3rtJASTeKPg7beZRdesw4=";
+      hash = "sha256-Ro9F3SZiagtj3AnDOtHmyy1G/KOi/O9M3f775qrZig4=";
    };
  };

--- a/pkgs/applications/networking/browsers/vivaldi/default.nix
+++ b/pkgs/applications/networking/browsers/vivaldi/default.nix
@ -24,7 +24,7 @@ let
  vivaldiName = if isSnapshot then "vivaldi-snapshot" else "vivaldi";
 in stdenv.mkDerivation rec {
  pname = "vivaldi";
-  version = "6.6.3271.61";
+  version = "6.6.3271.57";

  suffix = {
    aarch64-linux = "arm64";
@ -34,8 +34,8 @@ in stdenv.mkDerivation rec {
  src = fetchurl {
    url = "https://downloads.vivaldi.com/${branch}/vivaldi-${branch}_${version}-1_${suffix}.deb";
    hash = {
-      aarch64-linux = "sha256-Rcc/pufINOQJlkQI6KkWVZtnh3KvKLS6jRWQNTxPFmU=";
-      x86_64-linux = "sha256-Xt4pLB23VZ/j9g/QCOQTrrhQduxs1nB4wyYkBefFPIQ=";
+      aarch64-linux = "sha256-v/UG4eL/66i/0sSqN8JmJJIEjHzJjTTDZLRzLMJpJMA=";
+      x86_64-linux = "sha256-uVrEVf9mePqalU2OJRMj0Zy9d7jDXwsdMwEQhn9uUh8=";
    }.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
  };

--- a/pkgs/applications/networking/cluster/argocd/default.nix
+++ b/pkgs/applications/networking/cluster/argocd/default.nix
@ -2,13 +2,13 @@

 buildGoModule rec {
  pname = "argocd";
-  version = "2.10.7";
+  version = "2.10.6";

  src = fetchFromGitHub {
    owner = "argoproj";
    repo = "argo-cd";
    rev = "v${version}";
-    hash = "sha256-0C8lVQrFxrk9ym4aCz0PhUS2iByx9rj5Id0xFIq4Efc=";
+    hash = "sha256-tKZQVI2WiqsPIMHCBGJHcZYk4gOoshiGA0WPyeoxvok=";
  };

  proxyVendor = true; # darwin/linux hash mismatch
--- a/pkgs/applications/networking/cluster/civo/default.nix
+++ b/pkgs/applications/networking/cluster/civo/default.nix
@ -2,16 +2,16 @@

 buildGoModule rec {
  pname = "civo";
-  version = "1.0.81";
+  version = "1.0.80";

  src = fetchFromGitHub {
    owner  = "civo";
    repo   = "cli";
    rev    = "v${version}";
-    sha256 = "sha256-YdrJbT9Ozp1vlvQBYQNjJX6n3vIXYj3dmKhAsBPrvi8=";
+    sha256 = "sha256-jzz9mny59YM5PLcQvcus3gHuRSbl/OISAOjDoS/4Y78=";
  };

-  vendorHash = "sha256-YNbxV79XQBmd7oTanwLOMdmt2ds4ttX1ttr8vUycVzg=";
+  vendorHash = "sha256-Uh2/4qdJQfqQdjXbOBkUVv2nF1AN+QRKRI0+yta+G5Q=";

  nativeBuildInputs = [ installShellFiles ];

--- a/pkgs/applications/networking/cluster/istioctl/default.nix
+++ b/pkgs/applications/networking/cluster/istioctl/default.nix
@ -2,15 +2,15 @@

 buildGoModule rec {
  pname = "istioctl";
-  version = "1.21.1";
+  version = "1.21.0";

  src = fetchFromGitHub {
    owner = "istio";
    repo = "istio";
    rev = version;
-    hash = "sha256-zWg0UK9RHq/25GWpsvb/U5YJPkgd7aUC/Dva8jGFwfo=";
+    hash = "sha256-d+4WiMjP9L9tMrShTadXA1k/l1U3jYj/ihP0g3HuYRE=";
  };
-  vendorHash = "sha256-23t1xJPRip0ojXmUl1qlk6QJsYHT+9EAS080m6c0d6U=";
+  vendorHash = "sha256-8nvcxBF+ygWkMLbGwJvj1NjGL06xh6mNZvaEbZJw0TM=";

  nativeBuildInputs = [ installShellFiles ];

--- a/pkgs/applications/networking/cluster/kubernetes/default.nix
+++ b/pkgs/applications/networking/cluster/kubernetes/default.nix
@ -20,13 +20,13 @@

 buildGoModule rec {
  pname = "kubernetes";
-  version = "1.29.4";
+  version = "1.29.3";

  src = fetchFromGitHub {
    owner = "kubernetes";
    repo = "kubernetes";
    rev = "v${version}";
-    hash = "sha256-7Rxbcsl77iFiHkU/ovyn74aXs/i5G/m5h5Ii0y1CRho=";
+    hash = "sha256-mtYxFy2d892uMLrtaR6ao07gjbThuGa7bzauwvJ0WOo=";
  };

  vendorHash = null;
--- a/pkgs/applications/networking/cluster/kubevpn/default.nix
+++ b/pkgs/applications/networking/cluster/kubevpn/default.nix
@ -2,13 +2,13 @@

 buildGoModule rec {
  pname = "kubevpn";
-  version = "2.2.5";
+  version = "2.2.4";

  src = fetchFromGitHub {
    owner  = "KubeNetworks";
    repo   = "kubevpn";
    rev    = "v${version}";
-    hash = "sha256-I4szQNRBW3M+QNwsfkJZlrZL3jJXcXmD2KnFF/E+jaE=";
+    hash = "sha256-taeCOmjZqULxQf4dgLzSYgN43fFYH04Ev4O/SHHG+xI=";
  };

  vendorHash = null;
--- a/pkgs/applications/networking/cluster/node-problem-detector/default.nix
+++ b/pkgs/applications/networking/cluster/node-problem-detector/default.nix
@ -2,13 +2,13 @@

 buildGoModule rec {
  pname = "node-problem-detector";
-  version = "0.8.18";
+  version = "0.8.16";

  src = fetchFromGitHub {
    owner = "kubernetes";
    repo = pname;
    rev = "v${version}";
-    sha256 = "sha256-/AfEnYBoCFc/XP5U6oxGDFU63q8llaeR91OPzZU7zm8=";
+    sha256 = "sha256-tuukO7y+aqgu/f1DBZNUkElRTbEeZn+zkfixnFwWWwY=";
  };

  vendorHash = null;
--- a/pkgs/applications/networking/cluster/nomad/default.nix
+++ b/pkgs/applications/networking/cluster/nomad/default.nix
@ -82,9 +82,9 @@ rec {

  nomad_1_7 = generic {
    buildGoModule = buildGo121Module;
-    version = "1.7.7";
-    sha256 = "sha256-4nuRheidR6rIoytrnDQdIP69f+sBLJ3Ias5DvqVaLFc=";
-    vendorHash = "sha256-ZuaD8iDsT+/eW0QUavf485R804Jtjl76NcQWYHA8QII=";
+    version = "1.7.6";
+    sha256 = "sha256-rEWXQwkW/muX3D0An3WmHCoboPACFCrSG7Tyzor2wnQ=";
+    vendorHash = "sha256-95yUtNfN/50LjWHHReaB4/riUqy8J67099bP8Ua7gRw=";
    license = lib.licenses.bsl11;
    passthru.tests.nomad = nixosTests.nomad;
    preCheck = ''
--- a/pkgs/applications/networking/cluster/terraform/default.nix
+++ b/pkgs/applications/networking/cluster/terraform/default.nix
@ -167,8 +167,8 @@ rec {
  mkTerraform = attrs: pluggable (generic attrs);

  terraform_1 = mkTerraform {
-    version = "1.8.1";
-    hash = "sha256-q/r1KK0svdK/5Za4bqU6bGgTcWmG+YZFJUFRKqPAWSw=";
+    version = "1.8.0";
+    hash = "sha256-An/ElR1tXQSb9x26R5o9gcb4XKTeVxlv+72Whcrdeoc=";
    vendorHash = "sha256-xpgGceAA+kvwUp4T0m9rnbPoZ3uJHU2KIRsrcGr8dRo=";
    patches = [ ./provider-path-0_15.patch ];
    passthru = {
--- a/pkgs/applications/networking/cluster/tilt/assets.nix
+++ b/pkgs/applications/networking/cluster/tilt/assets.nix
@ -2,7 +2,7 @@
 , stdenvNoCC
 , version, src
 , fetchYarnDeps
-, fixup-yarn-lock, yarn, nodejs
+, prefetch-yarn-deps, yarn, nodejs
 }:

 stdenvNoCC.mkDerivation rec {
@ -10,7 +10,7 @@ stdenvNoCC.mkDerivation rec {

  inherit src version;

-  nativeBuildInputs = [ fixup-yarn-lock yarn nodejs ];
+  nativeBuildInputs = [ prefetch-yarn-deps yarn nodejs ];

  yarnOfflineCache = fetchYarnDeps {
    yarnLock = "${src}/web/yarn.lock";
--- a/pkgs/applications/networking/feedreaders/newsboat/default.nix
+++ b/pkgs/applications/networking/feedreaders/newsboat/default.nix
@ -3,16 +3,16 @@

 rustPlatform.buildRustPackage rec {
  pname = "newsboat";
-  version = "2.35";
+  version = "2.34";

  src = fetchFromGitHub {
    owner = "newsboat";
    repo = "newsboat";
    rev = "r${version}";
-    hash = "sha256-WbicKP46N8MVjUeerYUdcHJO5Qf7rQFyYCpxexd2wDY=";
+    hash = "sha256-knF+N/HHL/E6C973t+ww5XTLV2thwy7lMAeqTyXspHY=";
  };

-  cargoHash = "sha256-B6U+DxIRm9Sn4x+dZCfNKENNDsTUVZFT6i0Yz47gjTs=";
+  cargoHash = "sha256-IsDym+tqF040SxCJF575OPm45IROYMFsCrxJcM1SAJ4=";

  # TODO: Check if that's still needed
  postPatch = lib.optionalString stdenv.isDarwin ''
--- a/pkgs/applications/networking/instant-messengers/element/element-desktop.nix
+++ b/pkgs/applications/networking/instant-messengers/element/element-desktop.nix
@ -3,7 +3,7 @@
 , fetchFromGitHub
 , makeWrapper
 , makeDesktopItem
-, fixup-yarn-lock
+, prefetch-yarn-deps
 , yarn
 , nodejs
 , fetchYarnDeps
@ -42,7 +42,7 @@ stdenv.mkDerivation (finalAttrs: builtins.removeAttrs pinData [ "hashes" ] // {
    sha256 = desktopYarnHash;
  };

-  nativeBuildInputs = [ yarn fixup-yarn-lock nodejs makeWrapper jq ]
+  nativeBuildInputs = [ yarn prefetch-yarn-deps nodejs makeWrapper jq ]
    ++ lib.optionals stdenv.isDarwin [ desktopToDarwinBundle ];

  inherit seshat;
--- a/pkgs/applications/networking/instant-messengers/element/element-web.nix
+++ b/pkgs/applications/networking/instant-messengers/element/element-web.nix
@ -6,7 +6,7 @@
 , writeText
 , jq
 , yarn
-, fixup-yarn-lock
+, prefetch-yarn-deps
 , nodejs
 , jitsi-meet
 }:
@ -33,7 +33,7 @@ stdenv.mkDerivation (finalAttrs: builtins.removeAttrs pinData [ "hashes" ] // {
    sha256 = webYarnHash;
  };

-  nativeBuildInputs = [ yarn fixup-yarn-lock jq nodejs ];
+  nativeBuildInputs = [ yarn prefetch-yarn-deps jq nodejs ];

  buildPhase = ''
    runHook preBuild
--- a/pkgs/applications/networking/instant-messengers/element/seshat/default.nix
+++ b/pkgs/applications/networking/instant-messengers/element/seshat/default.nix
@ -1,4 +1,4 @@
-{ lib, stdenv, rustPlatform, fetchFromGitHub, callPackage, sqlcipher, nodejs, python3, yarn, fixup-yarn-lock, CoreServices, fetchYarnDeps, removeReferencesTo }:
+{ lib, stdenv, rustPlatform, fetchFromGitHub, callPackage, sqlcipher, nodejs, python3, yarn, prefetch-yarn-deps, CoreServices, fetchYarnDeps, removeReferencesTo }:

 let
  pinData = lib.importJSON ./pin.json;
@ -16,7 +16,7 @@ in rustPlatform.buildRustPackage rec {

  sourceRoot = "${src.name}/seshat-node/native";

-  nativeBuildInputs = [ nodejs python3 yarn fixup-yarn-lock ];
+  nativeBuildInputs = [ nodejs python3 yarn prefetch-yarn-deps ];
  buildInputs = [ sqlcipher ] ++ lib.optional stdenv.isDarwin CoreServices;

  npm_config_nodedir = nodejs;
--- a/pkgs/applications/networking/instant-messengers/hydrogen-web/unwrapped.nix
+++ b/pkgs/applications/networking/instant-messengers/hydrogen-web/unwrapped.nix
@ -3,7 +3,7 @@
 , fetchFromGitHub
 , fetchYarnDeps
 , yarn
-, fixup-yarn-lock
+, prefetch-yarn-deps
 , nodejs
 }:

@ -23,7 +23,7 @@ stdenv.mkDerivation (finalAttrs: {
    hash = "sha256-N9lUAhfYLlEAIaWSNS3Ecq+aBTz+f7Z22Sclwj9rp6w=";
  };

-  nativeBuildInputs = [ yarn fixup-yarn-lock nodejs ];
+  nativeBuildInputs = [ yarn prefetch-yarn-deps nodejs ];

  configurePhase = ''
    runHook preConfigure
--- a/pkgs/applications/networking/instant-messengers/qq/default.nix
+++ b/pkgs/applications/networking/instant-messengers/qq/default.nix
@ -21,7 +21,6 @@
 , autoPatchelfHook
 , makeShellWrapper
 , wrapGAppsHook
-, commandLineArgs ? ""
 }:

 let
@ -84,7 +83,6 @@ stdenv.mkDerivation {
      --prefix XDG_DATA_DIRS : "$GSETTINGS_SCHEMAS_PATH" \
      --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ libGL ]}" \
      --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \
-      --add-flags ${lib.escapeShellArg commandLineArgs} \
      "''${gappsWrapperArgs[@]}"

    # Remove bundled libraries
--- a/pkgs/applications/networking/instant-messengers/teams-for-linux/default.nix
+++ b/pkgs/applications/networking/instant-messengers/teams-for-linux/default.nix
@ -7,7 +7,7 @@
 , yarn
 , nodejs
 , fetchYarnDeps
-, fixup-yarn-lock
+, prefetch-yarn-deps
 , electron
 , libnotify
 , libpulseaudio
@ -34,7 +34,7 @@ stdenv.mkDerivation (finalAttrs: {
    hash = "sha256-jBwyIyiWeqNmOnxmVOr7c4oMWwHElEjM25sShhTMi78=";
  };

-  nativeBuildInputs = [ yarn fixup-yarn-lock nodejs copyDesktopItems makeWrapper ];
+  nativeBuildInputs = [ yarn prefetch-yarn-deps nodejs copyDesktopItems makeWrapper ];

  configurePhase = ''
    runHook preConfigure
--- a/pkgs/applications/networking/instant-messengers/telegram/telegram-desktop/default.nix
+++ b/pkgs/applications/networking/instant-messengers/telegram/telegram-desktop/default.nix
@ -63,14 +63,14 @@ let
 in
 stdenv.mkDerivation rec {
  pname = "telegram-desktop";
-  version = "4.16.8";
+  version = "4.16.7";

  src = fetchFromGitHub {
    owner = "telegramdesktop";
    repo = "tdesktop";
    rev = "v${version}";
    fetchSubmodules = true;
-    hash = "sha256-M8wFhuTTEJippgvS93LNRqREV2TGF04ccps5oOmSr+0=";
+    hash = "sha256-+BXuFHXGOgpmAX7wsGLxZxfzvNsntFLtd+Obhb339Yc=";
  };

  patches = [
--- a/pkgs/applications/networking/irc/thelounge/default.nix
+++ b/pkgs/applications/networking/irc/thelounge/default.nix
@ -4,7 +4,7 @@
 , fetchYarnDeps
 , nodejs
 , yarn
-, fixup-yarn-lock
+, prefetch-yarn-deps
 , python3
 , npmHooks
 , darwin
@ -38,7 +38,7 @@ stdenv.mkDerivation (finalAttrs: {
    hash = "sha256-MM6SgVT7Pjdu96A4eWRucEzT7uNPxBqUDgHKl8mH2C0=";
  };

-  nativeBuildInputs = [ nodejs yarn fixup-yarn-lock python3 npmHooks.npmInstallHook ] ++ lib.optional stdenv.isDarwin darwin.cctools;
+  nativeBuildInputs = [ nodejs yarn prefetch-yarn-deps python3 npmHooks.npmInstallHook ] ++ lib.optional stdenv.isDarwin darwin.cctools;
  buildInputs = [ sqlite ];

  configurePhase = ''
--- a/pkgs/applications/networking/mailreaders/himalaya/default.nix
+++ b/pkgs/applications/networking/mailreaders/himalaya/default.nix
@ -3,7 +3,9 @@
 , fetchFromGitHub
 , stdenv
 , pkg-config
-, darwin
+, AppKit
+, Cocoa
+, Security
 , installShellFiles
 , installShellCompletions ? stdenv.hostPlatform == stdenv.buildPlatform
 , installManPages ? stdenv.hostPlatform == stdenv.buildPlatform
@ -14,34 +16,26 @@
 }:

 rustPlatform.buildRustPackage rec {
-  # Learn more about available cargo features at:
-  #  - <https://pimalaya.org/himalaya/cli/latest/installation.html#cargo>
  inherit buildNoDefaultFeatures buildFeatures;

  pname = "himalaya";
-  version = "1.0.0-beta.4";
+  version = "1.0.0-beta.3";

  src = fetchFromGitHub {
    owner = "soywod";
    repo = pname;
    rev = "v${version}";
-    hash = "sha256-NrWBg0sjaz/uLsNs8/T4MkUgHOUvAWRix1O5usKsw6o=";
+    hash = "sha256-B7eswDq4tKyg881i3pLd6h+HsObK0c2dQnYuvPAGJHk=";
  };

-  cargoSha256 = "YS8IamapvmdrOPptQh2Ef9Yold0IK1XIeGs0kDIQ5b8=";
+  cargoSha256 = "jOzuCXsrtXp8dmJTBqrEq4nog6smEPbdsFAy+ruPtY8=";

-  NIX_LDFLAGS = lib.optionals stdenv.isDarwin [
-    "-F${darwin.apple_sdk.frameworks.AppKit}/Library/Frameworks"
-    "-framework"
-    "AppKit"
-  ];
-
-  nativeBuildInputs = [ pkg-config ]
+  nativeBuildInputs = [ ]
    ++ lib.optional (builtins.elem "pgp-gpg" buildFeatures) pkg-config
    ++ lib.optional (installManPages || installShellCompletions) installShellFiles;

  buildInputs = [ ]
-    ++ lib.optionals stdenv.isDarwin (with darwin.apple_sdk.frameworks; [ AppKit Cocoa Security ])
+    ++ lib.optionals stdenv.isDarwin [ AppKit Cocoa Security ]
    ++ lib.optional (builtins.elem "notmuch" buildFeatures) notmuch
    ++ lib.optional (builtins.elem "pgp-gpg" buildFeatures) gpgme;

--- a/pkgs/applications/networking/sniffers/sngrep/default.nix
+++ b/pkgs/applications/networking/sniffers/sngrep/default.nix
@ -12,13 +12,13 @@

 stdenv.mkDerivation rec {
  pname = "sngrep";
-  version = "1.8.1";
+  version = "1.8.0";

  src = fetchFromGitHub {
    owner = "irontec";
    repo = pname;
    rev = "v${version}";
-    sha256 = "sha256-EbB5Ok/8RUoNzkgoWIhHTRvlq9Vv2KVx6Hu8ejrLkMc=";
+    sha256 = "sha256-9ccp5Pxhs7jOQuWHCmU9yvzLKeOAN8lEaieCIvnXJRA=";
  };

  nativeBuildInputs = [
--- a/pkgs/applications/networking/sync/storj-uplink/default.nix
+++ b/pkgs/applications/networking/sync/storj-uplink/default.nix
@ -5,18 +5,18 @@

 buildGoModule rec {
  pname = "storj-uplink";
-  version = "1.102.2";
+  version = "1.100.4";

  src = fetchFromGitHub {
    owner = "storj";
    repo = "storj";
    rev = "v${version}";
-    hash = "sha256-GpHX34iHKeoT7AuEf76QTpTIrATLZyAoUxMoIouhvyA=";
+    hash = "sha256-LPckEiuw+3WlEnW07jql+TFggB6mEzrvC7NI+pVBCLY=";
  };

  subPackages = [ "cmd/uplink" ];

-  vendorHash = "sha256-atIb/SmOShLIhvEsTcegX7+xoDXN+SI5a7TQrXpqdUg=";
+  vendorHash = "sha256-84PI1tZFiodnGvMwObELVxXMCgIWINOrO0ISAWRnxRM=";

  ldflags = [ "-s" "-w" ];

--- a/Show More
+++ b/Show More