Merge master into haskell-updates

lib/systems/examples.nix

@@ -206,6 +206,7 @@ rec {
   aarch64-embedded = {
     config = "aarch64-none-elf";
     libc = "newlib";
+    rustc.config = "aarch64-unknown-none";
   };
 
   aarch64be-embedded = {

maintainers/maintainer-list.nix

@@ -10770,6 +10770,12 @@
     githubId = 7878181;
     name = "Mateo Diaz";
   };
+  materus = {
+    email = "materus@podkos.pl";
+    github = "materusPL";
+    githubId = 28183516;
+    name = "Mateusz Słodkowicz";
+  };
   math-42 = {
     email = "matheus.4200@gmail.com";
     github = "Math-42";
@@ -13608,6 +13614,12 @@
     githubId = 34967;
     name = "Julius de Bruijn";
   };
+  pineapplehunter = {
+    email = "peshogo+nixpkgs@gmail.com";
+    github = "pineapplehunter";
+    githubId = 8869894;
+    name = "Shogo Takata";
+  };
   pingiun = {
     email = "nixos@pingiun.com";
     github = "pingiun";

maintainers/scripts/sha-to-sri.py

@@ -0,0 +1,228 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i "python3 -I" -p "python3.withPackages(p: with p; [ rich structlog ])"
+
+from abc import ABC, abstractclassmethod, abstractmethod
+from contextlib import contextmanager
+from pathlib import Path
+from structlog.contextvars import bound_contextvars as log_context
+from typing import ClassVar, List, Tuple
+
+import hashlib, re, structlog
+
+
+logger = structlog.getLogger("sha-to-SRI")
+
+
+class Encoding(ABC):
+    alphabet: ClassVar[str]
+
+    @classmethod
+    @property
+    def name(cls) -> str:
+        return cls.__name__.lower()
+
+    def toSRI(self, s: str) -> str:
+        digest = self.decode(s)
+        assert len(digest) == self.n
+
+        from base64 import b64encode
+        return f"{self.hashName}-{b64encode(digest).decode()}"
+
+    @classmethod
+    def all(cls, h) -> 'List[Encoding]':
+        return [ c(h) for c in cls.__subclasses__() ]
+
+    def __init__(self, h):
+        self.n = h.digest_size
+        self.hashName = h.name
+
+    @property
+    @abstractmethod
+    def length(self) -> int:
+        ...
+
+    @property
+    def regex(self) -> str:
+        return f"[{self.alphabet}]{{{self.length}}}"
+
+    @abstractmethod
+    def decode(self, s: str) -> bytes:
+        ...
+
+
+class Nix32(Encoding):
+    alphabet = "0123456789abcdfghijklmnpqrsvwxyz"
+    inverted  = { c: i for i, c in enumerate(alphabet) }
+
+    @property
+    def length(self):
+        return 1 + (8 * self.n) // 5
+    def decode(self, s: str):
+        assert len(s) == self.length
+        out = [ 0 for _ in range(self.n) ]
+        # TODO: Do better than a list of byte-sized ints
+
+        for n, c in enumerate(reversed(s)):
+            digit = self.inverted[c]
+            i, j = divmod(5 * n, 8)
+            out[i] = out[i] | (digit << j) & 0xff
+            rem = digit >> (8 - j)
+            if rem == 0:
+                continue
+            elif i < self.n:
+                out[i+1] = rem
+            else:
+                raise ValueError(f"Invalid nix32 hash: '{s}'")
+
+        return bytes(out)
+
+class Hex(Encoding):
+    alphabet = "0-9A-Fa-f"
+
+    @property
+    def length(self):
+        return 2 * self.n
+    def decode(self, s: str):
+        from binascii import unhexlify
+        return unhexlify(s)
+
+class Base64(Encoding):
+    alphabet = "A-Za-z0-9+/"
+
+    @property
+    def format(self) -> Tuple[int, int]:
+        """Number of characters in data and padding."""
+        i, k = divmod(self.n, 3)
+        return 4 * i + (0 if k == 0 else k + 1), (3 - k) % 3
+    @property
+    def length(self):
+        return sum(self.format)
+    @property
+    def regex(self):
+        data, padding = self.format
+        return f"[{self.alphabet}]{{{data}}}={{{padding}}}"
+    def decode(self, s):
+        from base64 import b64decode
+        return b64decode(s, validate = True)
+
+
+_HASHES = (hashlib.new(n) for n in ('SHA-256', 'SHA-512'))
+ENCODINGS = {
+    h.name: Encoding.all(h)
+    for h in _HASHES
+}
+
+RE = {
+    h: "|".join(
+        (f"({h}-)?" if e.name == 'base64' else '') +
+        f"(?P<{h}_{e.name}>{e.regex})"
+        for e in encodings
+    ) for h, encodings in ENCODINGS.items()
+}
+
+_DEF_RE = re.compile("|".join(
+    f"(?P<{h}>{h} = (?P<{h}_quote>['\"])({re})(?P={h}_quote);)"
+    for h, re in RE.items()
+))
+
+
+def defToSRI(s: str) -> str:
+    def f(m: re.Match[str]) -> str:
+        try:
+            for h, encodings in ENCODINGS.items():
+                if m.group(h) is None:
+                    continue
+
+                for e in encodings:
+                    s = m.group(f"{h}_{e.name}")
+                    if s is not None:
+                        return f'hash = "{e.toSRI(s)}";'
+
+                raise ValueError(f"Match with '{h}' but no subgroup")
+            raise ValueError("Match with no hash")
+
+        except ValueError as exn:
+            logger.error(
+                "Skipping",
+                exc_info = exn,
+            )
+            return m.group()
+
+    return _DEF_RE.sub(f, s)
+
+
+@contextmanager
+def atomicFileUpdate(target: Path):
+    '''Atomically replace the contents of a file.
+
+    Guarantees that no temporary files are left behind, and `target` is either
+    left untouched, or overwritten with new content if no exception was raised.
+
+    Yields a pair `(original, new)` of open files.
+    `original` is the pre-existing file at `target`, open for reading;
+    `new` is an empty, temporary file in the same filder, open for writing.
+
+    Upon exiting the context, the files are closed; if no exception was
+    raised, `new` (atomically) replaces the `target`, otherwise it is deleted.
+    '''
+    # That's mostly copied from noto-emoji.py, should DRY it out
+    from tempfile import mkstemp
+    fd, _p = mkstemp(
+        dir = target.parent,
+        prefix = target.name,
+    )
+    tmpPath = Path(_p)
+
+    try:
+        with target.open() as original:
+            with tmpPath.open('w') as new:
+                yield (original, new)
+
+        tmpPath.replace(target)
+
+    except Exception:
+        tmpPath.unlink(missing_ok = True)
+        raise
+
+
+def fileToSRI(p: Path):
+    with atomicFileUpdate(p) as (og, new):
+        for i, line in enumerate(og):
+            with log_context(line=i):
+                new.write(defToSRI(line))
+
+
+_SKIP_RE = re.compile(
+    "(generated by)|(do not edit)",
+    re.IGNORECASE
+)
+
+if __name__ == "__main__":
+    from sys import argv, stderr
+    logger.info("Starting!")
+
+    for arg in argv[1:]:
+        p = Path(arg)
+        with log_context(path=str(p)):
+            try:
+                if p.name == "yarn.nix" or p.name.find("generated") != -1:
+                    logger.warning("File looks autogenerated, skipping!")
+                    continue
+
+                with p.open() as f:
+                    for line in f:
+                        if line.strip():
+                            break
+
+                    if _SKIP_RE.search(line):
+                        logger.warning("File looks autogenerated, skipping!")
+                        continue
+
+                fileToSRI(p)
+            except Exception as exn:
+                logger.error(
+                    "Unhandled exception, skipping file!",
+                    exc_info = exn,
+                )
+            else:
+                logger.info("Finished processing file")

maintainers/scripts/sha256-to-SRI.py

@@ -1,149 +0,0 @@
-#!/usr/bin/env nix-shell
-#! nix-shell -i "python3 -I" -p "python3.withPackages(p: with p; [ rich structlog ])"
-
-from contextlib import contextmanager
-from pathlib import Path
-from structlog.contextvars import bound_contextvars as log_context
-
-import re, structlog
-
-
-logger = structlog.getLogger("sha256-to-SRI")
-
-
-nix32alphabet = "0123456789abcdfghijklmnpqrsvwxyz"
-nix32inverted  = { c: i for i, c in enumerate(nix32alphabet) }
-
-def nix32decode(s: str) -> bytes:
-    # only support sha256 hashes for now
-    assert len(s) == 52
-    out = [ 0 for _ in range(32) ]
-    # TODO: Do better than a list of byte-sized ints
-
-    for n, c in enumerate(reversed(s)):
-        digit = nix32inverted[c]
-        i, j = divmod(5 * n, 8)
-        out[i] = out[i] | (digit << j) & 0xff
-        rem = digit >> (8 - j)
-        if rem == 0:
-            continue
-        elif i < 31:
-            out[i+1] = rem
-        else:
-            raise ValueError(f"Invalid nix32 hash: '{s}'")
-
-    return bytes(out)
-
-
-def toSRI(digest: bytes) -> str:
-    from base64 import b64encode
-    assert len(digest) == 32
-    return f"sha256-{b64encode(digest).decode()}"
-
-
-RE = {
-    'nix32': f"[{nix32alphabet}]" "{52}",
-    'hex':    "[0-9A-Fa-f]{64}",
-    'base64': "[A-Za-z0-9+/]{43}=",
-}
-RE['sha256'] = '|'.join(
-    f"{'(sha256-)?' if name == 'base64' else ''}"
-    f"(?P<{name}>{r})"
-    for name, r in RE.items()
-)
-
-def sha256toSRI(m: re.Match) -> str:
-    """Produce the equivalent SRI string for any match of RE['sha256']"""
-    if m['nix32'] is not None:
-        return toSRI(nix32decode(m['nix32']))
-    if m['hex'] is not None:
-        from binascii import unhexlify
-        return toSRI(unhexlify(m['hex']))
-    if m['base64'] is not None:
-        from base64 import b64decode
-        return toSRI(b64decode(m['base64']))
-
-    raise ValueError("Got a match where none of the groups captured")
-
-
-# Ohno I used evil, irregular backrefs instead of making 2 variants  ^^'
-_def_re = re.compile(
-    "sha256 = (?P<quote>[\"'])"
-    f"({RE['sha256']})"
-    "(?P=quote);"
-)
-
-def defToSRI(s: str) -> str:
-    def f(m: re.Match[str]) -> str:
-        try:
-            return f'hash = "{sha256toSRI(m)}";'
-
-        except ValueError as exn:
-            begin, end = m.span()
-            match = m.string[begin:end]
-
-            logger.error(
-                "Skipping",
-                exc_info = exn,
-            )
-            return match
-
-    return _def_re.sub(f, s)
-
-
-@contextmanager
-def atomicFileUpdate(target: Path):
-    '''Atomically replace the contents of a file.
-
-    Guarantees that no temporary files are left behind, and `target` is either
-    left untouched, or overwritten with new content if no exception was raised.
-
-    Yields a pair `(original, new)` of open files.
-    `original` is the pre-existing file at `target`, open for reading;
-    `new` is an empty, temporary file in the same filder, open for writing.
-
-    Upon exiting the context, the files are closed; if no exception was
-    raised, `new` (atomically) replaces the `target`, otherwise it is deleted.
-    '''
-    # That's mostly copied from noto-emoji.py, should DRY it out
-    from tempfile import mkstemp
-    fd, _p = mkstemp(
-        dir = target.parent,
-        prefix = target.name,
-    )
-    tmpPath = Path(_p)
-
-    try:
-        with target.open() as original:
-            with tmpPath.open('w') as new:
-                yield (original, new)
-
-        tmpPath.replace(target)
-
-    except Exception:
-        tmpPath.unlink(missing_ok = True)
-        raise
-
-
-def fileToSRI(p: Path):
-    with atomicFileUpdate(p) as (og, new):
-        for i, line in enumerate(og):
-            with log_context(line=i):
-                new.write(defToSRI(line))
-
-
-if __name__ == "__main__":
-    from sys import argv, stderr
-
-    for arg in argv[1:]:
-        p = Path(arg)
-        with log_context(path=str(p)):
-            try:
-                fileToSRI(p)
-            except Exception as exn:
-                logger.error(
-                    "Unhandled exception, skipping file!",
-                    exc_info = exn,
-                )
-            else:
-                logger.info("Finished processing file")

nixos/doc/manual/development/what-happens-during-a-system-switch.chapter.md

@@ -21,8 +21,9 @@ If the action is `switch` or `test`, the currently running system is inspected
 and the actions to switch to the new system are calculated. This process takes
 two data sources into account: `/etc/fstab` and the current systemd status.
 Mounts and swaps are read from `/etc/fstab` and the corresponding actions are
-generated. If a new mount is added, for example, the proper `.mount` unit is
-marked to be started. The current systemd state is inspected, the difference
+generated. If the options of a mount are modified, for example, the proper `.mount`
+unit is reloaded (or restarted if anything else changed and it's neither the root
+mount or the nix store). The current systemd state is inspected, the difference
 between the current system and the desired configuration is calculated and
 actions are generated to get to this state. There are a lot of nuances that can
 be controlled by the units which are explained here.

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -11,8 +11,9 @@
 - The `nixos-rebuild` command has been given a `list-generations` subcommand. See `man nixos-rebuild` for more details.
 
 - [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported.
-  Switching to it (via `security.sudo.package = pkgs.sudo-rs;`) introduces
-  slight changes in default behaviour, due to `sudo-rs`' current limitations:
+  An experimental new module `security.sudo-rs` was added.
+  Switching to it (via `security.sudo.enable = false; security.sudo-rs.enable = true;`) introduces
+  slight changes in sudo behaviour, due to `sudo-rs`' current limitations:
   - terminfo-related environment variables aren't preserved for `root` and `wheel`;
   - `root` and `wheel` are not given the ability to set (or preserve)
     arbitrary environment variables.
@@ -97,6 +98,8 @@
 
 - `pass` now does not contain `password-store.el`.  Users should get `password-store.el` from Emacs lisp package set `emacs.pkgs.password-store`.
 
+- `services.knot` now supports `.settings` from RFC42.  The change is not 100% compatible with the previous `.extraConfig`.
+
 - `mu` now does not install `mu4e` files by default.  Users should get `mu4e` from Emacs lisp package set `emacs.pkgs.mu4e`.
 
 - `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning the default version was upgraded from 10.6.x to 10.11.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for potential issues.
@@ -219,6 +222,8 @@
 
 - `networking.networkmanager.firewallBackend` was removed as NixOS is now using iptables-nftables-compat even when using iptables, therefore Networkmanager now uses the nftables backend unconditionally.
 
+- `rome` was removed because it is no longer maintained and is succeeded by `biome`.
+
 ## Other Notable Changes {#sec-release-23.11-notable-changes}
 
 - The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration.
@@ -263,6 +268,8 @@ The module update takes care of the new config syntax and the data itself (user
 
 - `services.nginx` gained a `defaultListen` option at server-level with support for PROXY protocol listeners, also `proxyProtocol` is now exposed in `services.nginx.virtualHosts.<name>.listen` option. It is now possible to run PROXY listeners and non-PROXY listeners at a server-level, see [#213510](https://github.com/NixOS/nixpkgs/pull/213510/) for more details.
 
+- `generic-extlinux-compatible` bootloader (and raspberry pi with uboot) supports appending secrets to the initramfs
+
 - `services.restic.backups` now adds wrapper scripts to your system path, which set the same environment variables as the service, so restic operations can easly be run from the command line. This behavior can be disabled by setting `createWrapper` to `false`, per backup configuration.
 
 - `services.prometheus.exporters` has a new exporter to monitor electrical power consumption based on PowercapRAPL sensor called [Scaphandre](https://github.com/hubblo-org/scaphandre), see [#239803](https://github.com/NixOS/nixpkgs/pull/239803) for more details.
@@ -301,6 +308,8 @@ The module update takes care of the new config syntax and the data itself (user
 
 - New `boot.bcache.enable` (default enabled) allows completely removing `bcache` mount support.
 
+- The module `services.mbpfan` now has the option `aggressive` enabled by default for better heat moderation. You can disable it for upstream defaults.
+
 - `security.sudo` now provides two extra options, that do not change the
   module's default behaviour:
   - `defaultOptions` controls the options used for the default rules;

nixos/lib/test-driver/test_driver/machine.py

@@ -582,7 +582,9 @@ class Machine:
 
         # While sh is bash on NixOS, this is not the case for every distro.
         # We explicitly call bash here to allow for the driver to boot other distros as well.
-        out_command = f"{timeout_str} bash -c {shlex.quote(command)} 2>/dev/null | (base64 -w 0; echo)\n"
+        out_command = (
+            f"{timeout_str} bash -c {shlex.quote(command)} | (base64 -w 0; echo)\n"
+        )
 
         assert self.shell
         self.shell.send(out_command.encode())

nixos/maintainers/scripts/oci/create-image.sh

@@ -0,0 +1,24 @@
+#! /usr/bin/env bash
+
+set -euo pipefail
+
+export NIX_PATH=nixpkgs=$(dirname $(readlink -f $0))/../../../..
+export NIXOS_CONFIG=$(dirname $(readlink -f $0))/../../../modules/virtualisation/oci-image.nix
+
+if (( $# < 1 )); then
+    (
+    echo "Usage: create-image.sh <architecture>"
+    echo
+    echo "Where <architecture> is one of:"
+    echo "  x86_64-linux"
+    echo "  aarch64-linux"
+    ) >&2
+fi
+
+system="$1"; shift
+
+nix-build '<nixpkgs/nixos>' \
+    -A config.system.build.OCIImage \
+    --argstr system "$system" \
+    --option system-features kvm \
+    -o oci-image

nixos/maintainers/scripts/oci/upload-image.sh

@@ -0,0 +1,100 @@
+#! /usr/bin/env bash
+
+set -euo pipefail
+
+script_dir="$(dirname $(readlink -f $0))"
+nixpkgs_root="$script_dir/../../../.."
+export NIX_PATH="nixpkgs=$nixpkgs_root"
+
+cat - <<EOF
+This script will locally build a NixOS image and upload it as a Custom Image
+using oci-cli. Make sure that an API key for the tenancy administrator has been
+added to '~/.oci'.
+For more info about configuring oci-cli, please visit
+https://docs.cloud.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm#Required_Keys_and_OCIDs
+
+EOF
+
+qcow="oci-image/nixos.qcow2"
+if [ ! -f "$qcow" ]; then
+    echo "OCI image $qcow does not exist"
+    echo "Building image with create-image.sh for 'x86_64-linux'"
+    "$script_dir/create-image.sh" x86_64-linux
+    [ -f "$qcow" ] || { echo "Build failed: image not present after build"; exit 1; }
+else
+    echo "Using prebuilt image $qcow"
+fi
+
+cli="$(
+  nix-build '<nixpkgs>' \
+    --no-out-link \
+    -A oci-cli
+)"
+
+PATH="$cli/bin:$PATH"
+bucket="_TEMP_NIXOS_IMAGES_$RANDOM"
+
+echo "Creating a temporary bucket"
+root_ocid="$(
+  oci iam compartment list \
+  --all \
+  --compartment-id-in-subtree true \
+  --access-level ACCESSIBLE \
+  --include-root \
+  --raw-output \
+  --query "data[?contains(\"id\",'tenancy')].id | [0]"
+)"
+bucket_ocid=$(
+  oci os bucket create \
+    -c "$root_ocid" \
+    --name "$bucket" \
+    --raw-output \
+    --query "data.id"
+)
+# Clean up bucket on script termination
+trap 'echo Removing temporary bucket; oci os bucket delete --force --name "$bucket"' INT TERM EXIT
+
+echo "Uploading image to temporary bucket"
+oci os object put -bn "$bucket" --file "$qcow"
+
+echo "Importing image as a Custom Image"
+bucket_ns="$(oci os ns get --query "data" --raw-output)"
+image_id="$(
+  oci compute image import from-object \
+    -c "$root_ocid" \
+    --namespace "$bucket_ns" \
+    --bucket-name "$bucket" \
+    --name nixos.qcow2 \
+    --operating-system NixOS \
+    --source-image-type QCOW2 \
+    --launch-mode PARAVIRTUALIZED \
+    --display-name NixOS \
+    --raw-output \
+    --query "data.id"
+)"
+
+cat - <<EOF
+Image created! Please mark all available shapes as compatible with this image by
+visiting the following link and by selecting the 'Edit Details' button on:
+https://cloud.oracle.com/compute/images/$image_id
+EOF
+
+# Workaround until https://github.com/oracle/oci-cli/issues/399 is addressed
+echo "Sleeping for 15 minutes before cleaning up files in the temporary bucket"
+sleep $((15 * 60))
+
+echo "Deleting image from bucket"
+par_id="$(
+  oci os preauth-request list \
+    --bucket-name "$bucket" \
+    --raw-output \
+    --query "data[0].id"
+)"
+
+if [[ -n $par_id ]]; then
+  oci os preauth-request delete \
+    --bucket-name "$bucket" \
+    --par-id "$par_id"
+fi
+
+oci os object delete -bn "$bucket" --object-name nixos.qcow2 --force

nixos/modules/module-list.nix

@@ -311,6 +311,7 @@
   ./security/rngd.nix
   ./security/rtkit.nix
   ./security/sudo.nix
+  ./security/sudo-rs.nix
   ./security/systemd-confinement.nix
   ./security/tpm2.nix
   ./security/wrappers/default.nix
@@ -1484,6 +1485,7 @@
   ./virtualisation/nixos-containers.nix
   ./virtualisation/oci-containers.nix
   ./virtualisation/openstack-options.nix
+  ./virtualisation/oci-options.nix
   ./virtualisation/openvswitch.nix
   ./virtualisation/parallels-guest.nix
   ./virtualisation/podman/default.nix

nixos/modules/programs/fish.nix

@@ -258,16 +258,13 @@ in
             preferLocalBuild = true;
             allowSubstitutes = false;
           };
-          generateCompletions = package: pkgs.runCommand
-            "${package.name}_fish-completions"
-            (
-              {
-                inherit package;
-                preferLocalBuild = true;
-                allowSubstitutes = false;
-              }
-              // optionalAttrs (package ? meta.priority) { meta.priority = package.meta.priority; }
-            )
+          generateCompletions = package: pkgs.runCommandLocal
+            ( with lib.strings; let
+                storeLength = stringLength storeDir + 34; # Nix' StorePath::HashLen + 2 for the separating slash and dash
+                pathName = substring storeLength (stringLength package - storeLength) package;
+              in (package.name or pathName) + "_fish-completions")
+            ( { inherit package; } //
+              optionalAttrs (package ? meta.priority) { meta.priority = package.meta.priority; })
             ''
               mkdir -p $out
               if [ -d $package/share/man ]; then

nixos/modules/security/sudo-rs.nix

@@ -0,0 +1,296 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  inherit (pkgs) sudo sudo-rs;
+
+  cfg = config.security.sudo-rs;
+
+  enableSSHAgentAuth =
+    with config.security;
+    pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;
+
+  usingMillersSudo = cfg.package.pname == sudo.pname;
+  usingSudoRs = cfg.package.pname == sudo-rs.pname;
+
+  toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
+  toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
+
+  toCommandOptionsString = options:
+    "${concatStringsSep ":" options}${optionalString (length options != 0) ":"} ";
+
+  toCommandsString = commands:
+    concatStringsSep ", " (
+      map (command:
+        if (isString command) then
+          command
+        else
+          "${toCommandOptionsString command.options}${command.command}"
+      ) commands
+    );
+
+in
+
+{
+
+  ###### interface
+
+  options.security.sudo-rs = {
+
+    defaultOptions = mkOption {
+      type = with types; listOf str;
+      default = optional usingMillersSudo "SETENV";
+      defaultText = literalMD ''
+        `[ "SETENV" ]` if using the default `sudo` implementation
+      '';
+      description = mdDoc ''
+        Options used for the default rules, granting `root` and the
+        `wheel` group permission to run any command as any user.
+      '';
+    };
+
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = mdDoc ''
+        Whether to enable the {command}`sudo` command, which
+        allows non-root users to execute commands as root.
+      '';
+    };
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.sudo-rs;
+      defaultText = literalExpression "pkgs.sudo-rs";
+      description = mdDoc ''
+        Which package to use for `sudo`.
+      '';
+    };
+
+    wheelNeedsPassword = mkOption {
+      type = types.bool;
+      default = true;
+      description = mdDoc ''
+        Whether users of the `wheel` group must
+        provide a password to run commands as super user via {command}`sudo`.
+      '';
+      };
+
+    execWheelOnly = mkOption {
+      type = types.bool;
+      default = false;
+      description = mdDoc ''
+        Only allow members of the `wheel` group to execute sudo by
+        setting the executable's permissions accordingly.
+        This prevents users that are not members of `wheel` from
+        exploiting vulnerabilities in sudo such as CVE-2021-3156.
+      '';
+    };
+
+    configFile = mkOption {
+      type = types.lines;
+      # Note: if syntax errors are detected in this file, the NixOS
+      # configuration will fail to build.
+      description = mdDoc ''
+        This string contains the contents of the
+        {file}`sudoers` file.
+      '';
+    };
+
+    extraRules = mkOption {
+      description = mdDoc ''
+        Define specific rules to be in the {file}`sudoers` file.
+        More specific rules should come after more general ones in order to
+        yield the expected behavior. You can use mkBefore/mkAfter to ensure
+        this is the case when configuration options are merged.
+      '';
+      default = [];
+      example = literalExpression ''
+        [
+          # Allow execution of any command by all users in group sudo,
+          # requiring a password.
+          { groups = [ "sudo" ]; commands = [ "ALL" ]; }
+
+          # Allow execution of "/home/root/secret.sh" by user `backup`, `database`
+          # and the group with GID `1006` without a password.
+          { users = [ "backup" "database" ]; groups = [ 1006 ];
+            commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }
+
+          # Allow all users of group `bar` to run two executables as user `foo`
+          # with arguments being pre-set.
+          { groups = [ "bar" ]; runAs = "foo";
+            commands =
+              [ "/home/baz/cmd1.sh hello-sudo"
+                  { command = '''/home/baz/cmd2.sh ""'''; options = [ "SETENV" ]; } ]; }
+        ]
+      '';
+      type = with types; listOf (submodule {
+        options = {
+          users = mkOption {
+            type = with types; listOf (either str int);
+            description = mdDoc ''
+              The usernames / UIDs this rule should apply for.
+            '';
+            default = [];
+          };
+
+          groups = mkOption {
+            type = with types; listOf (either str int);
+            description = mdDoc ''
+              The groups / GIDs this rule should apply for.
+            '';
+            default = [];
+          };
+
+          host = mkOption {
+            type = types.str;
+            default = "ALL";
+            description = mdDoc ''
+              For what host this rule should apply.
+            '';
+          };
+
+          runAs = mkOption {
+            type = with types; str;
+            default = "ALL:ALL";
+            description = mdDoc ''
+              Under which user/group the specified command is allowed to run.
+
+              A user can be specified using just the username: `"foo"`.
+              It is also possible to specify a user/group combination using `"foo:bar"`
+              or to only allow running as a specific group with `":bar"`.
+            '';
+          };
+
+          commands = mkOption {
+            description = mdDoc ''
+              The commands for which the rule should apply.
+            '';
+            type = with types; listOf (either str (submodule {
+
+              options = {
+                command = mkOption {
+                  type = with types; str;
+                  description = mdDoc ''
+                    A command being either just a path to a binary to allow any arguments,
+                    the full command with arguments pre-set or with `""` used as the argument,
+                    not allowing arguments to the command at all.
+                  '';
+                };
+
+                options = mkOption {
+                  type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
+                  description = mdDoc ''
+                    Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/man/1.7.10/sudoers.man.html).
+                  '';
+                  default = [];
+                };
+              };
+
+            }));
+          };
+        };
+      });
+    };
+
+    extraConfig = mkOption {
+      type = types.lines;
+      default = "";
+      description = mdDoc ''
+        Extra configuration text appended to {file}`sudoers`.
+      '';
+    };
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+    security.sudo-rs.extraRules =
+      let
+        defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
+          inherit users groups;
+          commands = [ {
+            command = "ALL";
+            options = opts ++ cfg.defaultOptions;
+          } ];
+        } ];
+      in mkMerge [
+        # This is ordered before users' `mkBefore` rules,
+        # so as not to introduce unexpected changes.
+        (mkOrder 400 (defaultRule { users = [ "root" ]; }))
+
+        # This is ordered to show before (most) other rules, but
+        # late-enough for a user to `mkBefore` it.
+        (mkOrder 600 (defaultRule {
+          groups = [ "wheel" ];
+          opts = (optional (!cfg.wheelNeedsPassword) "NOPASSWD");
+        }))
+      ];
+
+    security.sudo-rs.configFile = concatStringsSep "\n" (filter (s: s != "") [
+      ''
+        # Don't edit this file. Set the NixOS options ‘security.sudo-rs.configFile’
+        # or ‘security.sudo-rs.extraRules’ instead.
+      ''
+      (optionalString enableSSHAgentAuth ''
+        # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
+        Defaults env_keep+=SSH_AUTH_SOCK
+      '')
+      (concatStringsSep "\n" (
+        lists.flatten (
+          map (
+            rule: optionals (length rule.commands != 0) [
+              (map (user: "${toUserString user}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.users)
+              (map (group: "${toGroupString group}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.groups)
+            ]
+          ) cfg.extraRules
+        )
+      ) + "\n")
+      (optionalString (cfg.extraConfig != "") ''
+        # extraConfig
+        ${cfg.extraConfig}
+      '')
+    ]);
+
+    security.wrappers = let
+      owner = "root";
+      group = if cfg.execWheelOnly then "wheel" else "root";
+      setuid = true;
+      permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x";
+    in {
+      sudo = {
+        source = "${cfg.package.out}/bin/sudo";
+        inherit owner group setuid permissions;
+      };
+      # sudo-rs does not yet ship a sudoedit (as of v0.2.0)
+      sudoedit = mkIf usingMillersSudo {
+        source = "${cfg.package.out}/bin/sudoedit";
+        inherit owner group setuid permissions;
+      };
+    };
+
+    environment.systemPackages = [ sudo ];
+
+    security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
+    security.pam.services.sudo-i = mkIf usingSudoRs
+      { sshAgentAuth = true; usshAuth = true; };
+
+    environment.etc.sudoers =
+      { source =
+          pkgs.runCommand "sudoers"
+          {
+            src = pkgs.writeText "sudoers-in" cfg.configFile;
+            preferLocalBuild = true;
+          }
+          "${pkgs.buildPackages."${cfg.package.pname}"}/bin/visudo -f $src -c && cp $src $out";
+        mode = "0440";
+      };
+
+  };
+
+  meta.maintainers = [ lib.maintainers.nicoo ];
+
+}

nixos/modules/security/sudo.nix

@@ -4,16 +4,9 @@ with lib;
 
 let
 
-  inherit (pkgs) sudo sudo-rs;
-
   cfg = config.security.sudo;
 
-  enableSSHAgentAuth =
-    with config.security;
-    pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;
-
-  usingMillersSudo = cfg.package.pname == sudo.pname;
-  usingSudoRs = cfg.package.pname == sudo-rs.pname;
+  inherit (pkgs) sudo;
 
   toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
   toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
@@ -37,51 +30,41 @@ in
 
   ###### interface
 
-  options.security.sudo = {
+  options = {
 
-    defaultOptions = mkOption {
-      type = with types; listOf str;
-      default = optional usingMillersSudo "SETENV";
-      defaultText = literalMD ''
-        `[ "SETENV" ]` if using the default `sudo` implementation
-      '';
-      description = mdDoc ''
-        Options used for the default rules, granting `root` and the
-        `wheel` group permission to run any command as any user.
-      '';
-    };
-
-    enable = mkOption {
+    security.sudo.enable = mkOption {
       type = types.bool;
       default = true;
-      description = mdDoc ''
-        Whether to enable the {command}`sudo` command, which
-        allows non-root users to execute commands as root.
-      '';
+      description =
+        lib.mdDoc ''
+          Whether to enable the {command}`sudo` command, which
+          allows non-root users to execute commands as root.
+        '';
     };
 
-    package = mkOption {
+    security.sudo.package = mkOption {
       type = types.package;
       default = pkgs.sudo;
       defaultText = literalExpression "pkgs.sudo";
-      description = mdDoc ''
+      description = lib.mdDoc ''
         Which package to use for `sudo`.
       '';
     };
 
-    wheelNeedsPassword = mkOption {
+    security.sudo.wheelNeedsPassword = mkOption {
       type = types.bool;
       default = true;
-      description = mdDoc ''
-        Whether users of the `wheel` group must
-        provide a password to run commands as super user via {command}`sudo`.
-      '';
+      description =
+        lib.mdDoc ''
+          Whether users of the `wheel` group must
+          provide a password to run commands as super user via {command}`sudo`.
+        '';
       };
 
-    execWheelOnly = mkOption {
+    security.sudo.execWheelOnly = mkOption {
       type = types.bool;
       default = false;
-      description = mdDoc ''
+      description = lib.mdDoc ''
         Only allow members of the `wheel` group to execute sudo by
         setting the executable's permissions accordingly.
         This prevents users that are not members of `wheel` from
@@ -89,18 +72,19 @@ in
       '';
     };
 
-    configFile = mkOption {
+    security.sudo.configFile = mkOption {
       type = types.lines;
       # Note: if syntax errors are detected in this file, the NixOS
       # configuration will fail to build.
-      description = mdDoc ''
-        This string contains the contents of the
-        {file}`sudoers` file.
-      '';
+      description =
+        lib.mdDoc ''
+          This string contains the contents of the
+          {file}`sudoers` file.
+        '';
     };
 
-    extraRules = mkOption {
-      description = mdDoc ''
+    security.sudo.extraRules = mkOption {
+      description = lib.mdDoc ''
         Define specific rules to be in the {file}`sudoers` file.
         More specific rules should come after more general ones in order to
         yield the expected behavior. You can use mkBefore/mkAfter to ensure
@@ -130,7 +114,7 @@ in
         options = {
           users = mkOption {
             type = with types; listOf (either str int);
-            description = mdDoc ''
+            description = lib.mdDoc ''
               The usernames / UIDs this rule should apply for.
             '';
             default = [];
@@ -138,7 +122,7 @@ in
 
           groups = mkOption {
             type = with types; listOf (either str int);
-            description = mdDoc ''
+            description = lib.mdDoc ''
               The groups / GIDs this rule should apply for.
             '';
             default = [];
@@ -147,7 +131,7 @@ in
           host = mkOption {
             type = types.str;
             default = "ALL";
-            description = mdDoc ''
+            description = lib.mdDoc ''
               For what host this rule should apply.
             '';
           };
@@ -155,7 +139,7 @@ in
           runAs = mkOption {
             type = with types; str;
             default = "ALL:ALL";
-            description = mdDoc ''
+            description = lib.mdDoc ''
               Under which user/group the specified command is allowed to run.
 
               A user can be specified using just the username: `"foo"`.
@@ -165,7 +149,7 @@ in
           };
 
           commands = mkOption {
-            description = mdDoc ''
+            description = lib.mdDoc ''
               The commands for which the rule should apply.
             '';
             type = with types; listOf (either str (submodule {
@@ -173,7 +157,7 @@ in
               options = {
                 command = mkOption {
                   type = with types; str;
-                  description = mdDoc ''
+                  description = lib.mdDoc ''
                     A command being either just a path to a binary to allow any arguments,
                     the full command with arguments pre-set or with `""` used as the argument,
                     not allowing arguments to the command at all.
@@ -182,7 +166,7 @@ in
 
                 options = mkOption {
                   type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
-                  description = mdDoc ''
+                  description = lib.mdDoc ''
                     Options for running the command. Refer to the [sudo manual](https://www.sudo.ws/man/1.7.10/sudoers.man.html).
                   '';
                   default = [];
@@ -195,10 +179,10 @@ in
       });
     };
 
-    extraConfig = mkOption {
+    security.sudo.extraConfig = mkOption {
       type = types.lines;
       default = "";
-      description = mdDoc ''
+      description = lib.mdDoc ''
         Extra configuration text appended to {file}`sudoers`.
       '';
     };
@@ -208,52 +192,44 @@ in
   ###### implementation
 
   config = mkIf cfg.enable {
-    security.sudo.extraRules =
-      let
-        defaultRule = { users ? [], groups ? [], opts ? [] }: [ {
-          inherit users groups;
-          commands = [ {
-            command = "ALL";
-            options = opts ++ cfg.defaultOptions;
-          } ];
-        } ];
-      in mkMerge [
-        # This is ordered before users' `mkBefore` rules,
-        # so as not to introduce unexpected changes.
-        (mkOrder 400 (defaultRule { users = [ "root" ]; }))
+    assertions = [
+      { assertion = cfg.package.pname != "sudo-rs";
+        message = "The NixOS `sudo` module does not work with `sudo-rs` yet."; }
+    ];
 
-        # This is ordered to show before (most) other rules, but
-        # late-enough for a user to `mkBefore` it.
-        (mkOrder 600 (defaultRule {
-          groups = [ "wheel" ];
-          opts = (optional (!cfg.wheelNeedsPassword) "NOPASSWD");
-        }))
-      ];
+    # We `mkOrder 600` so that the default rule shows up first, but there is
+    # still enough room for a user to `mkBefore` it.
+    security.sudo.extraRules = mkOrder 600 [
+      { groups = [ "wheel" ];
+        commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
+      }
+    ];
 
-    security.sudo.configFile = concatStringsSep "\n" (filter (s: s != "") [
+    security.sudo.configFile =
       ''
         # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
         # or ‘security.sudo.extraRules’ instead.
-      ''
-      (optionalString enableSSHAgentAuth ''
+
         # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
         Defaults env_keep+=SSH_AUTH_SOCK
-      '')
-      (concatStringsSep "\n" (
-        lists.flatten (
-          map (
-            rule: optionals (length rule.commands != 0) [
-              (map (user: "${toUserString user}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.users)
-              (map (group: "${toGroupString group}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.groups)
-            ]
-          ) cfg.extraRules
-        )
-      ) + "\n")
-      (optionalString (cfg.extraConfig != "") ''
-        # extraConfig
+
+        # "root" is allowed to do anything.
+        root        ALL=(ALL:ALL) SETENV: ALL
+
+        # extraRules
+        ${concatStringsSep "\n" (
+          lists.flatten (
+            map (
+              rule: optionals (length rule.commands != 0) [
+                (map (user: "${toUserString user}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.users)
+                (map (group: "${toGroupString group}	${rule.host}=(${rule.runAs})	${toCommandsString rule.commands}") rule.groups)
+              ]
+            ) cfg.extraRules
+          )
+        )}
+
         ${cfg.extraConfig}
-      '')
-    ]);
+      '';
 
     security.wrappers = let
       owner = "root";
@@ -265,8 +241,7 @@ in
         source = "${cfg.package.out}/bin/sudo";
         inherit owner group setuid permissions;
       };
-      # sudo-rs does not yet ship a sudoedit (as of v0.2.0)
-      sudoedit = mkIf usingMillersSudo {
+      sudoedit = {
         source = "${cfg.package.out}/bin/sudoedit";
         inherit owner group setuid permissions;
       };
@@ -275,8 +250,6 @@ in
     environment.systemPackages = [ sudo ];
 
     security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
-    security.pam.services.sudo-i = mkIf usingSudoRs
-      { sshAgentAuth = true; usshAuth = true; };
 
     environment.etc.sudoers =
       { source =
@@ -285,12 +258,12 @@ in
             src = pkgs.writeText "sudoers-in" cfg.configFile;
             preferLocalBuild = true;
           }
-          "${cfg.package}/bin/visudo -f $src -c && cp $src $out";
+          # Make sure that the sudoers file is syntactically valid.
+          # (currently disabled - NIXOS-66)
+          "${pkgs.buildPackages.sudo}/sbin/visudo -f $src -c && cp $src $out";
         mode = "0440";
       };
 
   };
 
-  meta.maintainers = [ lib.maintainers.nicoo ];
-
 }

nixos/modules/services/matrix/synapse.nix

@@ -1022,7 +1022,7 @@ in {
 
     systemd.targets.matrix-synapse = lib.mkIf hasWorkers {
       description = "Synapse Matrix parent target";
-      after = [ "network.target" ] ++ optional hasLocalPostgresDB "postgresql.service";
+      after = [ "network-online.target" ] ++ optional hasLocalPostgresDB "postgresql.service";
       wantedBy = [ "multi-user.target" ];
     };
 
@@ -1036,7 +1036,7 @@ in {
             unitConfig.ReloadPropagatedFrom = "matrix-synapse.target";
           }
           else {
-            after = [ "network.target" ] ++ optional hasLocalPostgresDB "postgresql.service";
+            after = [ "network-online.target" ] ++ optional hasLocalPostgresDB "postgresql.service";
             wantedBy = [ "multi-user.target" ];
           };
         baseServiceConfig = {

nixos/modules/services/misc/mbpfan.nix

@@ -26,7 +26,7 @@ in {
 
     aggressive = mkOption {
       type = types.bool;
-      default = false;
+      default = true;
       description = lib.mdDoc "If true, favors higher default fan speeds.";
     };
 
@@ -38,17 +38,20 @@ in {
 
         options.general.low_temp = mkOption {
           type = types.int;
-          default = 63;
+          default = (if cfg.aggressive then 55 else 63);
+          defaultText = literalExpression "55";
           description = lib.mdDoc "If temperature is below this, fans will run at minimum speed.";
         };
         options.general.high_temp = mkOption {
           type = types.int;
-          default = 66;
+          default = (if cfg.aggressive then 58 else 66);
+          defaultText = literalExpression "58";
           description = lib.mdDoc "If temperature is above this, fan speed will gradually increase.";
         };
         options.general.max_temp = mkOption {
           type = types.int;
-          default = 86;
+          default = (if cfg.aggressive then 78 else 86);
+          defaultText = literalExpression "78";
           description = lib.mdDoc "If temperature is above this, fans will run at maximum speed.";
         };
         options.general.polling_interval = mkOption {
@@ -70,13 +73,6 @@ in {
   ];
 
   config = mkIf cfg.enable {
-    services.mbpfan.settings = mkIf cfg.aggressive {
-      general.min_fan1_speed = mkDefault 2000;
-      general.low_temp = mkDefault 55;
-      general.high_temp = mkDefault 58;
-      general.max_temp = mkDefault 70;
-    };
-
     boot.kernelModules = [ "coretemp" "applesmc" ];
     environment.systemPackages = [ cfg.package ];
     environment.etc."mbpfan.conf".source = settingsFile;
@@ -86,6 +82,7 @@ in {
       wantedBy = [ "sysinit.target" ];
       after = [ "syslog.target" "sysinit.target" ];
       restartTriggers = [ config.environment.etc."mbpfan.conf".source ];
+
       serviceConfig = {
         Type = "simple";
         ExecStart = "${cfg.package}/bin/mbpfan -f${verbose}";

nixos/modules/services/networking/knot.nix

@@ -5,10 +5,110 @@ with lib;
 let
   cfg = config.services.knot;
 
-  configFile = pkgs.writeTextFile {
+  yamlConfig = let
+    result = assert secsCheck; nix2yaml cfg.settings;
+
+    secAllow = n: hasPrefix "mod-" n || elem n [
+      "module"
+      "server" "xdp" "control"
+      "log"
+      "statistics" "database"
+      "keystore" "key" "remote" "remotes" "acl" "submission" "policy"
+      "template"
+      "zone"
+      "include"
+    ];
+    secsCheck = let
+      secsBad = filter (n: !secAllow n) (attrNames cfg.settings);
+    in if secsBad == [] then true else throw
+      ("services.knot.settings contains unknown sections: " + toString secsBad);
+
+    nix2yaml = nix_def: concatStrings (
+        # We output the config section in the upstream-mandated order.
+        # Ordering is important due to forward-references not being allowed.
+        # See definition of conf_export and 'const yp_item_t conf_schema'
+        # upstream for reference.  Last updated for 3.3.
+        # When changing the set of sections, also update secAllow above.
+        [ (sec_list_fa "id" nix_def "module") ]
+        ++ map (sec_plain nix_def)
+          [ "server" "xdp" "control" ]
+        ++ [ (sec_list_fa "target" nix_def "log") ]
+        ++ map (sec_plain nix_def)
+          [  "statistics" "database" ]
+        ++ map (sec_list_fa "id" nix_def)
+          [ "keystore" "key" "remote" "remotes" "acl" "submission" "policy" ]
+
+        # Export module sections before the template section.
+        ++ map (sec_list_fa "id" nix_def) (filter (hasPrefix "mod-") (attrNames nix_def))
+
+        ++ [ (sec_list_fa "id" nix_def "template") ]
+        ++ [ (sec_list_fa "domain" nix_def "zone") ]
+        ++ [ (sec_plain nix_def "include") ]
+      );
+
+    # A plain section contains directly attributes (we don't really check that ATM).
+    sec_plain = nix_def: sec_name: if !hasAttr sec_name nix_def then "" else
+      n2y "" { ${sec_name} = nix_def.${sec_name}; };
+
+    # This section contains a list of attribute sets.  In each of the sets
+    # there's an attribute (`fa_name`, typically "id") that must exist and come first.
+    # Alternatively we support using attribute sets instead of lists; example diff:
+    # -template = [ { id = "default"; /* other attributes */ }   { id = "foo"; } ]
+    # +template = { default = {       /* those attributes */ };  foo = { };      }
+    sec_list_fa = fa_name: nix_def: sec_name: if !hasAttr sec_name nix_def then "" else
+      let
+        elem2yaml = fa_val: other_attrs:
+          "  - " + n2y "" { ${fa_name} = fa_val; }
+          + "    " + n2y "    " other_attrs
+          + "\n";
+        sec = nix_def.${sec_name};
+      in
+        sec_name + ":\n" +
+          (if isList sec
+            then flip concatMapStrings sec
+              (elem: elem2yaml elem.${fa_name} (removeAttrs elem [ fa_name ]))
+            else concatStrings (mapAttrsToList elem2yaml sec)
+          );
+
+    # This convertor doesn't care about ordering of attributes.
+    # TODO: it could probably be simplified even more, now that it's not
+    # to be used directly, but we might want some other tweaks, too.
+    n2y = indent: val:
+      if doRecurse val then concatStringsSep "\n${indent}"
+        (mapAttrsToList
+          # This is a bit wacky - set directly under a set would start on bad indent,
+          # so we start those on a new line, but not other types of attribute values.
+          (aname: aval: "${aname}:${if doRecurse aval then "\n${indent}  " else " "}"
+            + n2y (indent + "  ") aval)
+          val
+        )
+        + "\n"
+        else
+      /*
+      if isList val && stringLength indent < 4 then concatMapStrings
+        (elem: "\n${indent}- " + n2y (indent + "  ") elem)
+        val
+        else
+      */
+      if isList val /* and long indent */ then
+        "[ " + concatMapStringsSep ", " quoteString val + " ]" else
+      if isBool val then (if val then "on" else "off") else
+      quoteString val;
+
+    # We don't want paths like ./my-zone.txt be converted to plain strings.
+    quoteString = s: ''"${if builtins.typeOf s == "path" then s else toString s}"'';
+    # We don't want to walk the insides of derivation attributes.
+    doRecurse = val: isAttrs val && !isDerivation val;
+
+  in result;
+
+  configFile = if cfg.settingsFile != null then
+    assert cfg.settings == {} && cfg.keyFiles == [];
+    cfg.settingsFile
+  else pkgs.writeTextFile {
     name = "knot.conf";
-    text = (concatMapStringsSep "\n" (file: "include: ${file}") cfg.keyFiles) + "\n" +
-           cfg.extraConfig;
+    text = (concatMapStringsSep "\n" (file: "include: ${file}") cfg.keyFiles) + "\n" + yamlConfig;
+    # TODO: maybe we could do some checks even when private keys complicate this?
     checkPhase = lib.optionalString (cfg.keyFiles == []) ''
       ${cfg.package}/bin/knotc --config=$out conf-check
     '';
@@ -60,11 +160,21 @@ in {
         '';
       };
 
-      extraConfig = mkOption {
-        type = types.lines;
-        default = "";
+      settings = mkOption {
+        type = types.attrs;
+        default = {};
         description = lib.mdDoc ''
-          Extra lines to be added verbatim to knot.conf
+          Extra configuration as nix values.
+        '';
+      };
+
+      settingsFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        description = lib.mdDoc ''
+          As alternative to ``settings``, you can provide whole configuration
+          directly in the almost-YAML format of Knot DNS.
+          You might want to utilize ``writeTextFile`` for this.
         '';
       };
 
@@ -78,6 +188,12 @@ in {
       };
     };
   };
+  imports = [
+    # Compatibility with NixOS 23.05.  At least partial, as it fails assert if used with keyFiles.
+    (mkChangedOptionModule [ "services" "knot" "extraConfig" ] [ "services" "knot" "settingsFile" ]
+      (config: pkgs.writeText "knot.conf" config.services.knot.extraConfig)
+    )
+  ];
 
   config = mkIf config.services.knot.enable {
     users.groups.knot = {};
@@ -87,6 +203,8 @@ in {
       description = "Knot daemon user";
     };
 
+    environment.etc."knot/knot.conf".source = configFile; # just for user's convenience
+
     systemd.services.knot = {
       unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/";
       description = cfg.package.meta.description;

nixos/modules/services/search/typesense.nix

@@ -83,12 +83,12 @@ in {
         Group = "typesense";
 
         StateDirectory = "typesense";
-        StateDirectoryMode = "0700";
+        StateDirectoryMode = "0750";
 
         # Hardening
         CapabilityBoundingSet = "";
         LockPersonality = true;
-        MemoryDenyWriteExecute = true;
+        # MemoryDenyWriteExecute = true; needed since 0.25.1
         NoNewPrivileges = true;
         PrivateUsers = true;
         PrivateTmp = true;

nixos/modules/system/activation/switch-to-configuration.pl

@@ -74,7 +74,7 @@ if ("@localeArchive@" ne "") {
 
 if (!defined($action) || ($action ne "switch" && $action ne "boot" && $action ne "test" && $action ne "dry-activate")) {
     print STDERR <<"EOF";
-Usage: $0 [switch|boot|test]
+Usage: $0 [switch|boot|test|dry-activate]
 
 switch:       make the configuration the boot default and activate now
 boot:         make the configuration the boot default
@@ -661,10 +661,20 @@ foreach my $mount_point (keys(%{$cur_fss})) {
         # Filesystem entry disappeared, so unmount it.
         $units_to_stop{$unit} = 1;
     } elsif ($cur->{fsType} ne $new->{fsType} || $cur->{device} ne $new->{device}) {
-        # Filesystem type or device changed, so unmount and mount it.
-        $units_to_stop{$unit} = 1;
-        $units_to_start{$unit} = 1;
-        record_unit($start_list_file, $unit);
+        if ($mount_point eq '/' or $mount_point eq '/nix') {
+            if ($cur->{options} ne $new->{options}) {
+                # Mount options changed, so remount it.
+                $units_to_reload{$unit} = 1;
+                record_unit($reload_list_file, $unit);
+            } else {
+                # Don't unmount / or /nix if the device changed
+                $units_to_skip{$unit} = 1;
+            }
+        } else {
+            # Filesystem type or device changed, so unmount and mount it.
+            $units_to_restart{$unit} = 1;
+            record_unit($restart_list_file, $unit);
+        }
     } elsif ($cur->{options} ne $new->{options}) {
         # Mount options changes, so remount it.
         $units_to_reload{$unit} = 1;

nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh

@@ -70,13 +70,33 @@ copyToKernelsDir() {
 addEntry() {
     local path=$(readlink -f "$1")
     local tag="$2" # Generation number or 'default'
+    local current="$3" # whether this is the current/latest generation
 
     if ! test -e $path/kernel -a -e $path/initrd; then
         return
     fi
 
+    if test -e "$path/append-initrd-secrets"; then
+        local initrd="$target/nixos/$(basename "$path")-initramfs-with-secrets"
+        cp $(readlink -f "$path/initrd") "$initrd"
+        chmod 600 "${initrd}"
+        chown 0:0 "${initrd}"
+        filesCopied[$initrd]=1
+
+        "$path/append-initrd-secrets" "$initrd" || if test "${current}" = "1"; then
+            echo "failed to create initrd secrets for the current generation." >&2
+            echo "are your \`boot.initrd.secrets\` still in place?" >&2
+            exit 1
+        else
+            echo "warning: failed to create initrd secrets for \"$path\", an older generation" >&2
+            echo "note: this is normal after having removed or renamed a file in \`boot.initrd.secrets\`" >&2
+        fi
+    else
+        copyToKernelsDir "$path/initrd"; initrd=$result
+    fi
+
     copyToKernelsDir "$path/kernel"; kernel=$result
-    copyToKernelsDir "$path/initrd"; initrd=$result
+
     dtbDir=$(readlink -m "$path/dtbs")
     if [ -e "$dtbDir" ]; then
         copyToKernelsDir "$dtbDir"; dtbs=$result
@@ -130,18 +150,20 @@ MENU TITLE ------------------------------------------------------------
 TIMEOUT $timeout
 EOF
 
-addEntry $default default >> $tmpFile
+addEntry $default default 1 >> $tmpFile
 
 if [ "$numGenerations" -gt 0 ]; then
     # Add up to $numGenerations generations of the system profile to the menu,
     # in reverse (most recent to least recent) order.
+    current=1
     for generation in $(
             (cd /nix/var/nix/profiles && ls -d system-*-link) \
             | sed 's/system-\([0-9]\+\)-link/\1/' \
             | sort -n -r \
             | head -n $numGenerations); do
         link=/nix/var/nix/profiles/system-$generation-link
-        addEntry $link $generation
+        addEntry $link $generation $current
+        current=0
     done >> $tmpFile
 fi
 

nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix

@@ -142,6 +142,7 @@ in
         assertion = !pkgs.stdenv.hostPlatform.isAarch64 || cfg.version >= 3;
         message = "Only Raspberry Pi >= 3 supports aarch64.";
       };
+      boot.loader.supportsInitrdSecrets = cfg.uboot.enable;
 
       system.build.installBootLoader = builder;
       system.boot.loader.id = "raspberrypi";

nixos/modules/system/boot/stage-1.nix

@@ -610,6 +610,13 @@ in
             path the secret should have inside the initrd, the value
             is the path it should be copied from (or null for the same
             path inside and out).
+
+            The loader `generic-extlinux-compatible` supports this. Because
+            it is not well know how different implementations react to
+            concatenated cpio archives, this is disabled by default. It can be
+            enabled by setting {option}`boot.loader.supportsInitrdSecrets`
+            to true. If this works for you, please report your findings at
+            https://github.com/NixOS/nixpkgs/issues/247145 .
           '';
         example = literalExpression
           ''

nixos/modules/virtualisation/oci-common.nix

@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.oci;
+in
+{
+  imports = [ ../profiles/qemu-guest.nix ];
+
+  # Taken from /proc/cmdline of Ubuntu 20.04.2 LTS on OCI
+  boot.kernelParams = [
+    "nvme.shutdown_timeout=10"
+    "nvme_core.shutdown_timeout=10"
+    "libiscsi.debug_libiscsi_eh=1"
+    "crash_kexec_post_notifiers"
+
+    # VNC console
+    "console=tty1"
+
+    # x86_64-linux
+    "console=ttyS0"
+
+    # aarch64-linux
+    "console=ttyAMA0,115200"
+  ];
+
+  boot.growPartition = true;
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+    autoResize = true;
+  };
+
+  fileSystems."/boot" = lib.mkIf cfg.efi {
+    device = "/dev/disk/by-label/ESP";
+    fsType = "vfat";
+  };
+
+  boot.loader.efi.canTouchEfiVariables = false;
+  boot.loader.grub = {
+    device = if cfg.efi then "nodev" else "/dev/sda";
+    splashImage = null;
+    extraConfig = ''
+      serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
+      terminal_input --append serial
+      terminal_output --append serial
+    '';
+    efiInstallAsRemovable = cfg.efi;
+    efiSupport = cfg.efi;
+  };
+
+  # https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/configuringntpservice.htm#Configuring_the_Oracle_Cloud_Infrastructure_NTP_Service_for_an_Instance
+  networking.timeServers = [ "169.254.169.254" ];
+
+  services.openssh.enable = true;
+
+  # Otherwise the instance may not have a working network-online.target,
+  # making the fetch-ssh-keys.service fail
+  networking.useNetworkd = true;
+}

nixos/modules/virtualisation/oci-config-user.nix

@@ -0,0 +1,12 @@
+{ modulesPath, ... }:
+
+{
+  # To build the configuration or use nix-env, you need to run
+  # either nixos-rebuild --upgrade or nix-channel --update
+  # to fetch the nixos channel.
+
+  # This configures everything but bootstrap services,
+  # which only need to be run once and have already finished
+  # if you are able to see this comment.
+  imports = [ "${modulesPath}/virtualisation/oci-common.nix" ];
+}

nixos/modules/virtualisation/oci-image.nix

@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.oci;
+in
+{
+  imports = [ ./oci-common.nix ];
+
+  config = {
+    system.build.OCIImage = import ../../lib/make-disk-image.nix {
+      inherit config lib pkgs;
+      name = "oci-image";
+      configFile = ./oci-config-user.nix;
+      format = "qcow2";
+      diskSize = 8192;
+      partitionTableType = if cfg.efi then "efi" else "legacy";
+    };
+
+    systemd.services.fetch-ssh-keys = {
+      description = "Fetch authorized_keys for root user";
+
+      wantedBy = [ "sshd.service" ];
+      before = [ "sshd.service" ];
+
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+
+      path  = [ pkgs.coreutils pkgs.curl ];
+      script = ''
+        mkdir -m 0700 -p /root/.ssh
+        if [ -f /root/.ssh/authorized_keys ]; then
+          echo "Authorized keys have already been downloaded"
+        else
+          echo "Downloading authorized keys from Instance Metadata Service v2"
+          curl -s -S -L \
+            -H "Authorization: Bearer Oracle" \
+            -o /root/.ssh/authorized_keys \
+            http://169.254.169.254/opc/v2/instance/metadata/ssh_authorized_keys
+          chmod 600 /root/.ssh/authorized_keys
+        fi
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        StandardError = "journal+console";
+        StandardOutput = "journal+console";
+      };
+    };
+  };
+}

nixos/modules/virtualisation/oci-options.nix

@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+{
+  options = {
+    oci = {
+      efi = lib.mkOption {
+        default = true;
+        internal = true;
+        description = ''
+          Whether the OCI instance is using EFI.
+        '';
+      };
+    };
+  };
+}

nixos/tests/kea.nix

@@ -134,31 +134,32 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: {
         extraArgs = [
           "-v"
         ];
-        extraConfig = ''
-          server:
-              listen: 0.0.0.0@53
+        settings = {
+          server.listen = [
+            "0.0.0.0@53"
+          ];
 
-          log:
-            - target: syslog
-              any: debug
+          log.syslog.any = "info";
 
-          acl:
-            - id: dhcp_ddns
-              address: 10.0.0.1
-              action: update
+          acl.dhcp_ddns = {
+            address = "10.0.0.1";
+            action = "update";
+          };
 
-          template:
-            - id: default
-              storage: ${zonesDir}
-              zonefile-sync: -1
-              zonefile-load: difference-no-serial
-              journal-content: all
+          template.default = {
+            storage = zonesDir;
+            zonefile-sync = "-1";
+            zonefile-load = "difference-no-serial";
+            journal-content = "all";
+          };
 
-          zone:
-            - domain: lan.nixos.test
-              file: lan.nixos.test.zone
-              acl: [dhcp_ddns]
-        '';
+          zone."lan.nixos.test" = {
+            file = "lan.nixos.test.zone";
+            acl = [
+              "dhcp_ddns"
+            ];
+          };
+        };
       };
 
     };

nixos/tests/knot.nix

@@ -60,44 +60,43 @@ in {
       services.knot.enable = true;
       services.knot.extraArgs = [ "-v" ];
       services.knot.keyFiles = [ tsigFile ];
-      services.knot.extraConfig = ''
-        server:
-            listen: 0.0.0.0@53
-            listen: ::@53
-            automatic-acl: true
+      services.knot.settings = {
+        server = {
+          listen = [
+            "0.0.0.0@53"
+            "::@53"
+           ];
+          automatic-acl = true;
+        };
 
-        remote:
-          - id: secondary
-            address: 192.168.0.2@53
-            key: xfr_key
+        acl.secondary_acl = {
+          address = "192.168.0.2";
+          key = "xfr_key";
+          action = "transfer";
+        };
 
-        template:
-          - id: default
-            storage: ${knotZonesEnv}
-            notify: [secondary]
-            dnssec-signing: on
-            # Input-only zone files
-            # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
-            # prevents modification of the zonefiles, since the zonefiles are immutable
-            zonefile-sync: -1
-            zonefile-load: difference
-            journal-content: changes
-            # move databases below the state directory, because they need to be writable
-            journal-db: /var/lib/knot/journal
-            kasp-db: /var/lib/knot/kasp
-            timer-db: /var/lib/knot/timer
+        remote.secondary.address = "192.168.0.2@53";
 
-        zone:
-          - domain: example.com
-            file: example.com.zone
+        template.default = {
+          storage = knotZonesEnv;
+          notify = [ "secondary" ];
+          acl = [ "secondary_acl" ];
+          dnssec-signing = true;
+          # Input-only zone files
+          # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
+          # prevents modification of the zonefiles, since the zonefiles are immutable
+          zonefile-sync = -1;
+          zonefile-load = "difference";
+          journal-content = "changes";
+        };
 
-          - domain: sub.example.com
-            file: sub.example.com.zone
+        zone = {
+          "example.com".file = "example.com.zone";
+          "sub.example.com".file = "sub.example.com.zone";
+        };
 
-        log:
-          - target: syslog
-            any: info
-      '';
+        log.syslog.any = "info";
+      };
     };
 
     secondary = { lib, ... }: {
@@ -113,41 +112,36 @@ in {
       services.knot.enable = true;
       services.knot.keyFiles = [ tsigFile ];
       services.knot.extraArgs = [ "-v" ];
-      services.knot.extraConfig = ''
-        server:
-            listen: 0.0.0.0@53
-            listen: ::@53
-            automatic-acl: true
+      services.knot.settings = {
+        server = {
+          listen = [
+            "0.0.0.0@53"
+            "::@53"
+          ];
+          automatic-acl = true;
+        };
 
-        remote:
-          - id: primary
-            address: 192.168.0.1@53
-            key: xfr_key
+        remote.primary = {
+          address = "192.168.0.1@53";
+          key = "xfr_key";
+        };
 
-        template:
-          - id: default
-            master: primary
-            # zonefileless setup
-            # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-2
-            zonefile-sync: -1
-            zonefile-load: none
-            journal-content: all
-            # move databases below the state directory, because they need to be writable
-            journal-db: /var/lib/knot/journal
-            kasp-db: /var/lib/knot/kasp
-            timer-db: /var/lib/knot/timer
+        template.default = {
+          master = "primary";
+          # zonefileless setup
+          # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-2
+          zonefile-sync = "-1";
+          zonefile-load = "none";
+          journal-content = "all";
+        };
 
-        zone:
-          - domain: example.com
-            file: example.com.zone
+        zone = {
+          "example.com".file = "example.com.zone";
+          "sub.example.com".file = "sub.example.com.zone";
+        };
 
-          - domain: sub.example.com
-            file: sub.example.com.zone
-
-        log:
-          - target: syslog
-            any: info
-      '';
+        log.syslog.any = "info";
+      };
     };
     client = { lib, nodes, ... }: {
       imports = [ common ];

nixos/tests/sudo-rs.nix

@@ -5,7 +5,7 @@ let
   password = "helloworld";
 in
   import ./make-test-python.nix ({ lib, pkgs, ...} : {
-    name = "sudo";
+    name = "sudo-rs";
     meta.maintainers = pkgs.sudo-rs.meta.maintainers;
 
     nodes.machine =
@@ -22,7 +22,9 @@ in
           test5 = { isNormalUser = true; };
         };
 
-        security.sudo = {
+        security.sudo.enable = false;
+
+        security.sudo-rs = {
           enable = true;
           package = pkgs.sudo-rs;
           wheelNeedsPassword = false;
@@ -54,7 +56,9 @@ in
         noadmin = { isNormalUser = true; };
       };
 
-      security.sudo = {
+      security.sudo.enable = false;
+
+      security.sudo-rs = {
         package = pkgs.sudo-rs;
         enable = true;
         wheelNeedsPassword = false;
@@ -86,7 +90,7 @@ in
             machine.succeed("sudo -u test5 sudo -n -u test1 true")
 
         with subtest("test5 user should not be able to run commands under root"):
-            machine.fail("sudo -u test5 sudo -n -u root true")
+            machine.fail("sudo -u test5 sudo -n -u root true 2>/dev/null")
 
         with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
             strict.succeed('faketty -- su - admin -c "sudo -u root true"')

nixos/tests/switch-test.nix

@@ -58,6 +58,37 @@ in {
       '');
 
       specialisation = rec {
+        brokenInitInterface.configuration.config.system.extraSystemBuilderCmds = ''
+          echo "systemd 0" > $out/init-interface-version
+        '';
+
+        modifiedSystemConf.configuration.systemd.extraConfig = ''
+          # Hello world!
+        '';
+
+        addedMount.configuration.virtualisation.fileSystems."/test" = {
+          device = "tmpfs";
+          fsType = "tmpfs";
+        };
+
+        addedMountOptsModified.configuration = {
+          imports = [ addedMount.configuration ];
+          virtualisation.fileSystems."/test".options = [ "x-test" ];
+        };
+
+        addedMountDevModified.configuration = {
+          imports = [ addedMountOptsModified.configuration ];
+          virtualisation.fileSystems."/test".device = lib.mkForce "ramfs";
+        };
+
+        storeMountModified.configuration = {
+          virtualisation.fileSystems."/".device = lib.mkForce "auto";
+        };
+
+        swap.configuration.swapDevices = lib.mkVMOverride [
+          { device = "/swapfile"; size = 1; }
+        ];
+
         simpleService.configuration = {
           systemd.services.test = {
             wantedBy = [ "multi-user.target" ];
@@ -643,6 +674,97 @@ in {
 
         # test and dry-activate actions are tested further down below
 
+        # invalid action fails the script
+        switch_to_specialisation("${machine}", "", action="broken-action", fail=True)
+        # no action fails the script
+        assert "Usage:" in machine.fail("${machine}/bin/switch-to-configuration 2>&1")
+
+    with subtest("init interface version"):
+        # Do not try to switch to an invalid init interface version
+        assert "incompatible" in switch_to_specialisation("${machine}", "brokenInitInterface", fail=True)
+
+    with subtest("systemd restarts"):
+        # systemd is restarted when its system.conf changes
+        out = switch_to_specialisation("${machine}", "modifiedSystemConf")
+        assert_contains(out, "restarting systemd...")
+
+    with subtest("continuing from an aborted switch"):
+        # An aborted switch will write into a file what it tried to start
+        # and a second switch should continue from this
+        machine.succeed("echo dbus.service > /run/nixos/start-list")
+        out = switch_to_specialisation("${machine}", "modifiedSystemConf")
+        assert_contains(out, "starting the following units: dbus.service\n")
+
+    with subtest("fstab mounts"):
+        switch_to_specialisation("${machine}", "")
+        # add a mountpoint
+        out = switch_to_specialisation("${machine}", "addedMount")
+        assert_lacks(out, "stopping the following units:")
+        assert_lacks(out, "NOT restarting the following changed units:")
+        assert_lacks(out, "\nrestarting the following units:")
+        assert_lacks(out, "\nstarting the following units:")
+        assert_contains(out, "the following new units were started: test.mount\n")
+        # modify the mountpoint's options
+        out = switch_to_specialisation("${machine}", "addedMountOptsModified")
+        assert_lacks(out, "stopping the following units:")
+        assert_lacks(out, "NOT restarting the following changed units:")
+        assert_contains(out, "reloading the following units: test.mount\n")
+        assert_lacks(out, "\nrestarting the following units:")
+        assert_lacks(out, "\nstarting the following units:")
+        assert_lacks(out, "the following new units were started:")
+        # modify the device
+        out = switch_to_specialisation("${machine}", "addedMountDevModified")
+        assert_lacks(out, "stopping the following units:")
+        assert_lacks(out, "NOT restarting the following changed units:")
+        assert_lacks(out, "reloading the following units:")
+        assert_contains(out, "\nrestarting the following units: test.mount\n")
+        assert_lacks(out, "\nstarting the following units:")
+        assert_lacks(out, "the following new units were started:")
+        # modify both
+        out = switch_to_specialisation("${machine}", "addedMount")
+        assert_lacks(out, "stopping the following units:")
+        assert_lacks(out, "NOT restarting the following changed units:")
+        assert_lacks(out, "reloading the following units:")
+        assert_contains(out, "\nrestarting the following units: test.mount\n")
+        assert_lacks(out, "\nstarting the following units:")
+        assert_lacks(out, "the following new units were started:")
+        # remove the mount
+        out = switch_to_specialisation("${machine}", "")
+        assert_contains(out, "stopping the following units: test.mount\n")
+        assert_lacks(out, "NOT restarting the following changed units:")
+        assert_contains(out, "reloading the following units: dbus.service\n")
+        assert_lacks(out, "\nrestarting the following units:")
+        assert_lacks(out, "\nstarting the following units:")
+        assert_lacks(out, "the following new units were started:")
+        # change something about the / mount
+        out = switch_to_specialisation("${machine}", "storeMountModified")
+        assert_lacks(out, "stopping the following units:")
+        assert_contains(out, "NOT restarting the following changed units: -.mount")
+        assert_contains(out, "reloading the following units: dbus.service\n")
+        assert_lacks(out, "\nrestarting the following units:")
+        assert_lacks(out, "\nstarting the following units:")
+        assert_lacks(out, "the following new units were started:")
+
+    with subtest("swaps"):
+        switch_to_specialisation("${machine}", "")
+        # add a swap
+        out = switch_to_specialisation("${machine}", "swap")
+        assert_lacks(out, "stopping the following units:")
+        assert_lacks(out, "NOT restarting the following changed units:")
+        assert_contains(out, "reloading the following units: dbus.service\n")
+        assert_lacks(out, "\nrestarting the following units:")
+        assert_lacks(out, "\nstarting the following units:")
+        assert_contains(out, "the following new units were started: swapfile.swap")
+        # remove it
+        out = switch_to_specialisation("${machine}", "")
+        assert_contains(out, "stopping swap device: /swapfile")
+        assert_lacks(out, "stopping the following units:")
+        assert_lacks(out, "NOT restarting the following changed units:")
+        assert_contains(out, "reloading the following units: dbus.service\n")
+        assert_lacks(out, "\nrestarting the following units:")
+        assert_lacks(out, "\nstarting the following units:")
+        assert_lacks(out, "the following new units were started:")
+
     with subtest("services"):
         switch_to_specialisation("${machine}", "")
         # Nothing happens when nothing is changed

pkgs/applications/audio/miniaudicle/default.nix

@@ -3,7 +3,7 @@
 , fetchFromGitHub
 , qmake
 , wrapQtAppsHook
-, qscintilla-qt6
+, qt6Packages
 , bison
 , flex
 , which
@@ -45,7 +45,7 @@ stdenv.mkDerivation (finalAttrs: {
   buildInputs = [
     alsa-lib
     libsndfile
-    qscintilla-qt6
+    qt6Packages.qscintilla
   ] ++ lib.optional (audioBackend == "pulse") libpulseaudio
     ++ lib.optional (audioBackend == "jack")  libjack2;
 

pkgs/applications/audio/plexamp/default.nix

@@ -7,7 +7,7 @@ let
   src = fetchurl {
     url = "https://plexamp.plex.tv/plexamp.plex.tv/desktop/Plexamp-${version}.AppImage";
     name="${pname}-${version}.AppImage";
-    sha512 = "CrSXmRVatVSkMyB1QaNSL/tK60rQvT9JraRtYYLl0Fau3M1LJXK9yqvt77AjwIwIvi2Dm5SROG+c4rA1XtI4Yg==";
+    hash = "sha512-CrSXmRVatVSkMyB1QaNSL/tK60rQvT9JraRtYYLl0Fau3M1LJXK9yqvt77AjwIwIvi2Dm5SROG+c4rA1XtI4Yg==";
   };
 
   appimageContents = appimageTools.extractType2 {

pkgs/applications/audio/spotify/linux.nix

@@ -84,7 +84,7 @@ stdenv.mkDerivation {
   # https://community.spotify.com/t5/Desktop-Linux/Redistribute-Spotify-on-Linux-Distributions/td-p/1695334
   src = fetchurl {
     url = "https://api.snapcraft.io/api/v1/snaps/download/pOBIoZ2LrCB3rDohMxoYGnbN14EHOgD7_${rev}.snap";
-    sha512 = "3d5a9fda88a076a22bb6d0b6b586334865f03a4e852ca8e022468e3dd3520a81dea314721e26e54ba9309603e08f66588f005ee8970e73eccbf805ff70e89dca";
+    hash = "sha512-PVqf2oigdqIrttC2tYYzSGXwOk6FLKjgIkaOPdNSCoHeoxRyHiblS6kwlgPgj2ZYjwBe6JcOc+zL+AX/cOidyg==";
   };
 
   nativeBuildInputs = [ wrapGAppsHook makeShellWrapper squashfsTools ];

pkgs/applications/blockchains/dcrctl/default.nix

@@ -19,6 +19,6 @@ buildGoModule rec {
     homepage = "https://decred.org";
     description = "A secure Decred wallet daemon written in Go (golang)";
     license = with lib.licenses; [ isc ];
-    maintainers = with lib.maintainers; [ aaronjheng ];
+    maintainers = with lib.maintainers; [ ];
   };
 }

pkgs/applications/blockchains/optimism/default.nix

@@ -6,19 +6,19 @@
 
 buildGoModule rec {
   pname = "optimism";
-  version = "1.1.1";
+  version = "1.1.4";
 
   src = fetchFromGitHub {
     owner = "ethereum-optimism";
     repo = "optimism";
     rev = "op-node/v${version}";
-    hash = "sha256-COTpmjDH1u2dJA0nKPBG1Aocpyyo8NdtowwjHDTbEKI=";
+    hash = "sha256-UDNqD3gA27qqaJYbpgOWoL0AeLb7OZRCRJcGNKRq67g=";
     fetchSubmodules = true;
   };
 
   subPackages = [ "op-node/cmd" "op-proposer/cmd" "op-batcher/cmd" ];
 
-  vendorHash = "sha256-yAUeCX05dCVEvIzp0cXB/qYVtu3gQfgFi1CNZZKllOU=";
+  vendorHash = "sha256-OGOdU6X3dcAu4BDpG62bK8LaMo+NuzFOUSjdPNhRGZM=";
 
   buildInputs = [
     libpcap

pkgs/applications/blockchains/oxen/default.nix

@@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
   # Required for static linking, the only supported install path
   lbzmqsrc = fetchurl {
     url = "https://github.com/zeromq/libzmq/releases/download/v4.3.3/zeromq-4.3.3.tar.gz";
-    sha512 = "4c18d784085179c5b1fcb753a93813095a12c8d34970f2e1bfca6499be6c9d67769c71c68b7ca54ff181b20390043170e89733c22f76ff1ea46494814f7095b1";
+    hash = "sha512-TBjXhAhRecWx/LdTqTgTCVoSyNNJcPLhv8pkmb5snWd2nHHGi3ylT/GBsgOQBDFw6Jczwi92/x6kZJSBT3CVsQ==";
   };
 
   postPatch = ''

pkgs/applications/blockchains/trezor-suite/default.nix

@@ -18,7 +18,7 @@ let
 
   src = fetchurl {
     url = "https://github.com/trezor/${pname}/releases/download/v${version}/Trezor-Suite-${version}-${suffix}.AppImage";
-    sha512 = { # curl -Lfs https://github.com/trezor/trezor-suite/releases/latest/download/latest-linux{-arm64,}.yml | grep ^sha512 | sed 's/: /-/'
+    hash = { # curl -Lfs https://github.com/trezor/trezor-suite/releases/latest/download/latest-linux{-arm64,}.yml | grep ^sha512 | sed 's/: /-/'
       aarch64-linux = "sha512-+dcogzj0mENWSAVKqUG/xyF+TD/nKpA3UiNyI2M7iiCaW+tpwO5Y0uUmzb1rFRtDsKMflDPZNWe8qMJmrtaIrA==";
       x86_64-linux  = "sha512-8UyPa3hDmALiYGao451ZBQLxv9H9OLbzzHiANp4zgvjBLGNhZnPFBIYM6KGyKkgRJJiTcgd7VHCgEhPpfm0qzg==";
     }.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");

pkgs/applications/editors/eclipse/plugins.nix

@@ -355,7 +355,7 @@ rec {
 
     src = fetchzip {
       url = "https://download.jboss.org/drools/release/${version}/droolsjbpm-tools-distribution-${version}.zip";
-      sha512 = "2qzc1iszqfrfnw8xip78n3kp6hlwrvrr708vlmdk7nv525xhs0ssjaxriqdhcr0s6jripmmazxivv3763rnk2bfkh31hmbnckpx4r3m";
+      hash = "sha512-dWTS72R2VRgGnG6JafMwZ+wd+1e13pil0SAz2HDMXUmtgYa9iLLtma3SjcDJeWdOoblzWHRu7Ihblx3+Ogb2sQ==";
       postFetch = ''
         # update site is a couple levels deep, alongside some other irrelevant stuff
         cd $out;

pkgs/applications/editors/gedit/default.nix

@@ -1,6 +1,7 @@
 { stdenv
 , lib
 , meson
+, mesonEmulatorHook
 , fetchurl
 , python3
 , pkg-config
@@ -58,6 +59,8 @@ stdenv.mkDerivation rec {
     gtk-doc
     gobject-introspection
     docbook-xsl-nons
+  ] ++ lib.optionals (!stdenv.buildPlatform.canExecute stdenv.hostPlatform) [
+    mesonEmulatorHook
   ];
 
   buildInputs = [

pkgs/applications/editors/jetbrains/plugins/plugins.json

@@ -21,12 +21,12 @@
         "232.9559.28": "https://plugins.jetbrains.com/files/164/390591/IdeaVim-2.5.1-signed.zip",
         "232.9559.58": "https://plugins.jetbrains.com/files/164/390591/IdeaVim-2.5.1-signed.zip",
         "232.9559.61": "https://plugins.jetbrains.com/files/164/390591/IdeaVim-2.5.1-signed.zip",
-        "232.9559.64": "https://plugins.jetbrains.com/files/164/390591/IdeaVim-2.5.1-signed.zip",
         "232.9921.42": "https://plugins.jetbrains.com/files/164/390591/IdeaVim-2.5.1-signed.zip",
-        "232.9921.46": "https://plugins.jetbrains.com/files/164/390591/IdeaVim-2.5.1-signed.zip",
         "232.9921.47": "https://plugins.jetbrains.com/files/164/390591/IdeaVim-2.5.1-signed.zip",
         "232.9921.48": "https://plugins.jetbrains.com/files/164/390591/IdeaVim-2.5.1-signed.zip",
-        "232.9921.53": "https://plugins.jetbrains.com/files/164/390591/IdeaVim-2.5.1-signed.zip"
+        "232.9921.53": "https://plugins.jetbrains.com/files/164/390591/IdeaVim-2.5.1-signed.zip",
+        "232.9921.55": "https://plugins.jetbrains.com/files/164/390591/IdeaVim-2.5.1-signed.zip",
+        "232.9921.62": "https://plugins.jetbrains.com/files/164/390591/IdeaVim-2.5.1-signed.zip"
       },
       "name": "ideavim"
     },
@@ -60,12 +60,12 @@
         "232.9559.28": null,
         "232.9559.58": null,
         "232.9559.61": null,
-        "232.9559.64": null,
         "232.9921.42": null,
-        "232.9921.46": null,
         "232.9921.47": null,
         "232.9921.48": null,
-        "232.9921.53": null
+        "232.9921.53": null,
+        "232.9921.55": null,
+        "232.9921.62": null
       },
       "name": "kotlin"
     },
@@ -90,12 +90,12 @@
         "232.9559.28": "https://plugins.jetbrains.com/files/6981/383851/ini-232.9559.64.zip",
         "232.9559.58": "https://plugins.jetbrains.com/files/6981/383851/ini-232.9559.64.zip",
         "232.9559.61": "https://plugins.jetbrains.com/files/6981/383851/ini-232.9559.64.zip",
-        "232.9559.64": "https://plugins.jetbrains.com/files/6981/383851/ini-232.9559.64.zip",
-        "232.9921.42": "https://plugins.jetbrains.com/files/6981/393737/ini-232.9921.36.zip",
-        "232.9921.46": "https://plugins.jetbrains.com/files/6981/393737/ini-232.9921.36.zip",
-        "232.9921.47": "https://plugins.jetbrains.com/files/6981/393737/ini-232.9921.36.zip",
-        "232.9921.48": "https://plugins.jetbrains.com/files/6981/393737/ini-232.9921.36.zip",
-        "232.9921.53": "https://plugins.jetbrains.com/files/6981/393737/ini-232.9921.36.zip"
+        "232.9921.42": "https://plugins.jetbrains.com/files/6981/398535/ini-232.9921.55.zip",
+        "232.9921.47": "https://plugins.jetbrains.com/files/6981/398535/ini-232.9921.55.zip",
+        "232.9921.48": "https://plugins.jetbrains.com/files/6981/398535/ini-232.9921.55.zip",
+        "232.9921.53": "https://plugins.jetbrains.com/files/6981/398535/ini-232.9921.55.zip",
+        "232.9921.55": "https://plugins.jetbrains.com/files/6981/398535/ini-232.9921.55.zip",
+        "232.9921.62": "https://plugins.jetbrains.com/files/6981/398535/ini-232.9921.55.zip"
       },
       "name": "ini"
     },
@@ -105,8 +105,8 @@
         "phpstorm"
       ],
       "builds": {
-        "232.9559.64": "https://plugins.jetbrains.com/files/7219/389222/Symfony_Plugin-2022.1.256.zip",
-        "232.9921.47": "https://plugins.jetbrains.com/files/7219/389222/Symfony_Plugin-2022.1.256.zip"
+        "232.9921.47": "https://plugins.jetbrains.com/files/7219/401047/Symfony_Plugin-2022.1.257.zip",
+        "232.9921.55": "https://plugins.jetbrains.com/files/7219/401047/Symfony_Plugin-2022.1.257.zip"
       },
       "name": "symfony-support"
     },
@@ -116,8 +116,8 @@
         "phpstorm"
       ],
       "builds": {
-        "232.9559.64": "https://plugins.jetbrains.com/files/7320/346181/PHP_Annotations-9.4.0.zip",
-        "232.9921.47": "https://plugins.jetbrains.com/files/7320/346181/PHP_Annotations-9.4.0.zip"
+        "232.9921.47": "https://plugins.jetbrains.com/files/7320/346181/PHP_Annotations-9.4.0.zip",
+        "232.9921.55": "https://plugins.jetbrains.com/files/7320/346181/PHP_Annotations-9.4.0.zip"
       },
       "name": "php-annotations"
     },
@@ -132,9 +132,9 @@
       "builds": {
         "232.9559.28": "https://plugins.jetbrains.com/files/7322/381781/python-ce-232.9559.62.zip",
         "232.9559.61": "https://plugins.jetbrains.com/files/7322/381781/python-ce-232.9559.62.zip",
-        "232.9921.46": "https://plugins.jetbrains.com/files/7322/395441/python-ce-232.9921.47.zip",
-        "232.9921.47": "https://plugins.jetbrains.com/files/7322/395441/python-ce-232.9921.47.zip",
-        "232.9921.53": "https://plugins.jetbrains.com/files/7322/395441/python-ce-232.9921.47.zip"
+        "232.9921.47": "https://plugins.jetbrains.com/files/7322/401058/python-ce-232.9921.77.zip",
+        "232.9921.53": "https://plugins.jetbrains.com/files/7322/401058/python-ce-232.9921.77.zip",
+        "232.9921.62": "https://plugins.jetbrains.com/files/7322/401058/python-ce-232.9921.77.zip"
       },
       "name": "python-community-edition"
     },
@@ -158,11 +158,11 @@
         "232.9559.28": "https://plugins.jetbrains.com/files/8182/395553/intellij-rust-0.4.201.5424-232.zip",
         "232.9559.58": "https://plugins.jetbrains.com/files/8182/395553/intellij-rust-0.4.201.5424-232.zip",
         "232.9559.61": "https://plugins.jetbrains.com/files/8182/395553/intellij-rust-0.4.201.5424-232.zip",
-        "232.9559.64": "https://plugins.jetbrains.com/files/8182/395553/intellij-rust-0.4.201.5424-232.zip",
         "232.9921.42": "https://plugins.jetbrains.com/files/8182/395553/intellij-rust-0.4.201.5424-232.zip",
         "232.9921.47": "https://plugins.jetbrains.com/files/8182/395553/intellij-rust-0.4.201.5424-232.zip",
         "232.9921.48": "https://plugins.jetbrains.com/files/8182/395553/intellij-rust-0.4.201.5424-232.zip",
-        "232.9921.53": "https://plugins.jetbrains.com/files/8182/395553/intellij-rust-0.4.201.5424-232.zip"
+        "232.9921.53": "https://plugins.jetbrains.com/files/8182/395553/intellij-rust-0.4.201.5424-232.zip",
+        "232.9921.55": "https://plugins.jetbrains.com/files/8182/395553/intellij-rust-0.4.201.5424-232.zip"
       },
       "name": "-deprecated-rust"
     },
@@ -186,11 +186,11 @@
         "232.9559.28": "https://plugins.jetbrains.com/files/8182/372556/intellij-rust-0.4.200.5420-232-beta.zip",
         "232.9559.58": "https://plugins.jetbrains.com/files/8182/372556/intellij-rust-0.4.200.5420-232-beta.zip",
         "232.9559.61": "https://plugins.jetbrains.com/files/8182/372556/intellij-rust-0.4.200.5420-232-beta.zip",
-        "232.9559.64": "https://plugins.jetbrains.com/files/8182/372556/intellij-rust-0.4.200.5420-232-beta.zip",
         "232.9921.42": "https://plugins.jetbrains.com/files/8182/372556/intellij-rust-0.4.200.5420-232-beta.zip",
         "232.9921.47": "https://plugins.jetbrains.com/files/8182/372556/intellij-rust-0.4.200.5420-232-beta.zip",
         "232.9921.48": "https://plugins.jetbrains.com/files/8182/372556/intellij-rust-0.4.200.5420-232-beta.zip",
-        "232.9921.53": "https://plugins.jetbrains.com/files/8182/372556/intellij-rust-0.4.200.5420-232-beta.zip"
+        "232.9921.53": "https://plugins.jetbrains.com/files/8182/372556/intellij-rust-0.4.200.5420-232-beta.zip",
+        "232.9921.55": "https://plugins.jetbrains.com/files/8182/372556/intellij-rust-0.4.200.5420-232-beta.zip"
       },
       "name": "-deprecated-rust-beta"
     },
@@ -234,12 +234,12 @@
         "232.9559.28": "https://plugins.jetbrains.com/files/8607/370632/NixIDEA-0.4.0.10.zip",
         "232.9559.58": "https://plugins.jetbrains.com/files/8607/370632/NixIDEA-0.4.0.10.zip",
         "232.9559.61": "https://plugins.jetbrains.com/files/8607/370632/NixIDEA-0.4.0.10.zip",
-        "232.9559.64": "https://plugins.jetbrains.com/files/8607/370632/NixIDEA-0.4.0.10.zip",
         "232.9921.42": "https://plugins.jetbrains.com/files/8607/370632/NixIDEA-0.4.0.10.zip",
-        "232.9921.46": "https://plugins.jetbrains.com/files/8607/370632/NixIDEA-0.4.0.10.zip",
         "232.9921.47": "https://plugins.jetbrains.com/files/8607/370632/NixIDEA-0.4.0.10.zip",
         "232.9921.48": "https://plugins.jetbrains.com/files/8607/370632/NixIDEA-0.4.0.10.zip",
-        "232.9921.53": "https://plugins.jetbrains.com/files/8607/370632/NixIDEA-0.4.0.10.zip"
+        "232.9921.53": "https://plugins.jetbrains.com/files/8607/370632/NixIDEA-0.4.0.10.zip",
+        "232.9921.55": "https://plugins.jetbrains.com/files/8607/370632/NixIDEA-0.4.0.10.zip",
+        "232.9921.62": "https://plugins.jetbrains.com/files/8607/370632/NixIDEA-0.4.0.10.zip"
       },
       "name": "nixidea"
     },
@@ -273,12 +273,12 @@
         "232.9559.28": "https://plugins.jetbrains.com/files/10037/358813/CSVEditor-3.2.1-232.zip",
         "232.9559.58": "https://plugins.jetbrains.com/files/10037/358813/CSVEditor-3.2.1-232.zip",
         "232.9559.61": "https://plugins.jetbrains.com/files/10037/358813/CSVEditor-3.2.1-232.zip",
-        "232.9559.64": "https://plugins.jetbrains.com/files/10037/358813/CSVEditor-3.2.1-232.zip",
         "232.9921.42": "https://plugins.jetbrains.com/files/10037/358813/CSVEditor-3.2.1-232.zip",
-        "232.9921.46": "https://plugins.jetbrains.com/files/10037/358813/CSVEditor-3.2.1-232.zip",
         "232.9921.47": "https://plugins.jetbrains.com/files/10037/358813/CSVEditor-3.2.1-232.zip",
         "232.9921.48": "https://plugins.jetbrains.com/files/10037/358813/CSVEditor-3.2.1-232.zip",
-        "232.9921.53": "https://plugins.jetbrains.com/files/10037/358813/CSVEditor-3.2.1-232.zip"
+        "232.9921.53": "https://plugins.jetbrains.com/files/10037/358813/CSVEditor-3.2.1-232.zip",
+        "232.9921.55": "https://plugins.jetbrains.com/files/10037/358813/CSVEditor-3.2.1-232.zip",
+        "232.9921.62": "https://plugins.jetbrains.com/files/10037/358813/CSVEditor-3.2.1-232.zip"
       },
       "name": "csv-editor"
     },
@@ -303,12 +303,12 @@
         "232.9559.28": "https://plugins.jetbrains.com/files/12062/364117/keymap-vscode-232.8660.88.zip",
         "232.9559.58": "https://plugins.jetbrains.com/files/12062/364117/keymap-vscode-232.8660.88.zip",
         "232.9559.61": "https://plugins.jetbrains.com/files/12062/364117/keymap-vscode-232.8660.88.zip",
-        "232.9559.64": "https://plugins.jetbrains.com/files/12062/364117/keymap-vscode-232.8660.88.zip",
         "232.9921.42": "https://plugins.jetbrains.com/files/12062/364117/keymap-vscode-232.8660.88.zip",
-        "232.9921.46": "https://plugins.jetbrains.com/files/12062/364117/keymap-vscode-232.8660.88.zip",
         "232.9921.47": "https://plugins.jetbrains.com/files/12062/364117/keymap-vscode-232.8660.88.zip",
         "232.9921.48": "https://plugins.jetbrains.com/files/12062/364117/keymap-vscode-232.8660.88.zip",
-        "232.9921.53": "https://plugins.jetbrains.com/files/12062/364117/keymap-vscode-232.8660.88.zip"
+        "232.9921.53": "https://plugins.jetbrains.com/files/12062/364117/keymap-vscode-232.8660.88.zip",
+        "232.9921.55": "https://plugins.jetbrains.com/files/12062/364117/keymap-vscode-232.8660.88.zip",
+        "232.9921.62": "https://plugins.jetbrains.com/files/12062/364117/keymap-vscode-232.8660.88.zip"
       },
       "name": "vscode-keymap"
     },
@@ -333,12 +333,12 @@
         "232.9559.28": "https://plugins.jetbrains.com/files/12559/364124/keymap-eclipse-232.8660.88.zip",
         "232.9559.58": "https://plugins.jetbrains.com/files/12559/364124/keymap-eclipse-232.8660.88.zip",
         "232.9559.61": "https://plugins.jetbrains.com/files/12559/364124/keymap-eclipse-232.8660.88.zip",
-        "232.9559.64": "https://plugins.jetbrains.com/files/12559/364124/keymap-eclipse-232.8660.88.zip",
         "232.9921.42": "https://plugins.jetbrains.com/files/12559/364124/keymap-eclipse-232.8660.88.zip",
-        "232.9921.46": "https://plugins.jetbrains.com/files/12559/364124/keymap-eclipse-232.8660.88.zip",
         "232.9921.47": "https://plugins.jetbrains.com/files/12559/364124/keymap-eclipse-232.8660.88.zip",
         "232.9921.48": "https://plugins.jetbrains.com/files/12559/364124/keymap-eclipse-232.8660.88.zip",
-        "232.9921.53": "https://plugins.jetbrains.com/files/12559/364124/keymap-eclipse-232.8660.88.zip"
+        "232.9921.53": "https://plugins.jetbrains.com/files/12559/364124/keymap-eclipse-232.8660.88.zip",
+        "232.9921.55": "https://plugins.jetbrains.com/files/12559/364124/keymap-eclipse-232.8660.88.zip",
+        "232.9921.62": "https://plugins.jetbrains.com/files/12559/364124/keymap-eclipse-232.8660.88.zip"
       },
       "name": "eclipse-keymap"
     },
@@ -363,12 +363,12 @@
         "232.9559.28": "https://plugins.jetbrains.com/files/13017/364038/keymap-visualStudio-232.8660.88.zip",
         "232.9559.58": "https://plugins.jetbrains.com/files/13017/364038/keymap-visualStudio-232.8660.88.zip",
         "232.9559.61": "https://plugins.jetbrains.com/files/13017/364038/keymap-visualStudio-232.8660.88.zip",
-        "232.9559.64": "https://plugins.jetbrains.com/files/13017/364038/keymap-visualStudio-232.8660.88.zip",
         "232.9921.42": "https://plugins.jetbrains.com/files/13017/364038/keymap-visualStudio-232.8660.88.zip",
-        "232.9921.46": "https://plugins.jetbrains.com/files/13017/364038/keymap-visualStudio-232.8660.88.zip",
         "232.9921.47": "https://plugins.jetbrains.com/files/13017/364038/keymap-visualStudio-232.8660.88.zip",
         "232.9921.48": "https://plugins.jetbrains.com/files/13017/364038/keymap-visualStudio-232.8660.88.zip",
-        "232.9921.53": "https://plugins.jetbrains.com/files/13017/364038/keymap-visualStudio-232.8660.88.zip"
+        "232.9921.53": "https://plugins.jetbrains.com/files/13017/364038/keymap-visualStudio-232.8660.88.zip",
+        "232.9921.55": "https://plugins.jetbrains.com/files/13017/364038/keymap-visualStudio-232.8660.88.zip",
+        "232.9921.62": "https://plugins.jetbrains.com/files/13017/364038/keymap-visualStudio-232.8660.88.zip"
       },
       "name": "visual-studio-keymap"
     },
@@ -393,12 +393,12 @@
         "232.9559.28": "https://plugins.jetbrains.com/files/14059/82616/darcula-pitch-black.jar",
         "232.9559.58": "https://plugins.jetbrains.com/files/14059/82616/darcula-pitch-black.jar",
         "232.9559.61": "https://plugins.jetbrains.com/files/14059/82616/darcula-pitch-black.jar",
-        "232.9559.64": "https://plugins.jetbrains.com/files/14059/82616/darcula-pitch-black.jar",
         "232.9921.42": "https://plugins.jetbrains.com/files/14059/82616/darcula-pitch-black.jar",
-        "232.9921.46": "https://plugins.jetbrains.com/files/14059/82616/darcula-pitch-black.jar",
         "232.9921.47": "https://plugins.jetbrains.com/files/14059/82616/darcula-pitch-black.jar",
         "232.9921.48": "https://plugins.jetbrains.com/files/14059/82616/darcula-pitch-black.jar",
-        "232.9921.53": "https://plugins.jetbrains.com/files/14059/82616/darcula-pitch-black.jar"
+        "232.9921.53": "https://plugins.jetbrains.com/files/14059/82616/darcula-pitch-black.jar",
+        "232.9921.55": "https://plugins.jetbrains.com/files/14059/82616/darcula-pitch-black.jar",
+        "232.9921.62": "https://plugins.jetbrains.com/files/14059/82616/darcula-pitch-black.jar"
       },
       "name": "darcula-pitch-black"
     },
@@ -423,12 +423,12 @@
         "232.9559.28": "https://plugins.jetbrains.com/files/17718/391768/github-copilot-intellij-1.2.22.3129.zip",
         "232.9559.58": "https://plugins.jetbrains.com/files/17718/391768/github-copilot-intellij-1.2.22.3129.zip",
         "232.9559.61": "https://plugins.jetbrains.com/files/17718/391768/github-copilot-intellij-1.2.22.3129.zip",
-        "232.9559.64": "https://plugins.jetbrains.com/files/17718/391768/github-copilot-intellij-1.2.22.3129.zip",
         "232.9921.42": "https://plugins.jetbrains.com/files/17718/391768/github-copilot-intellij-1.2.22.3129.zip",
-        "232.9921.46": "https://plugins.jetbrains.com/files/17718/391768/github-copilot-intellij-1.2.22.3129.zip",
         "232.9921.47": "https://plugins.jetbrains.com/files/17718/391768/github-copilot-intellij-1.2.22.3129.zip",
         "232.9921.48": "https://plugins.jetbrains.com/files/17718/391768/github-copilot-intellij-1.2.22.3129.zip",
-        "232.9921.53": "https://plugins.jetbrains.com/files/17718/391768/github-copilot-intellij-1.2.22.3129.zip"
+        "232.9921.53": "https://plugins.jetbrains.com/files/17718/391768/github-copilot-intellij-1.2.22.3129.zip",
+        "232.9921.55": "https://plugins.jetbrains.com/files/17718/391768/github-copilot-intellij-1.2.22.3129.zip",
+        "232.9921.62": "https://plugins.jetbrains.com/files/17718/391768/github-copilot-intellij-1.2.22.3129.zip"
       },
       "name": "github-copilot"
     },
@@ -453,12 +453,12 @@
         "232.9559.28": "https://plugins.jetbrains.com/files/18444/165585/NetBeans6.5Keymap.zip",
         "232.9559.58": "https://plugins.jetbrains.com/files/18444/165585/NetBeans6.5Keymap.zip",
         "232.9559.61": "https://plugins.jetbrains.com/files/18444/165585/NetBeans6.5Keymap.zip",
-        "232.9559.64": "https://plugins.jetbrains.com/files/18444/165585/NetBeans6.5Keymap.zip",
         "232.9921.42": "https://plugins.jetbrains.com/files/18444/165585/NetBeans6.5Keymap.zip",
-        "232.9921.46": "https://plugins.jetbrains.com/files/18444/165585/NetBeans6.5Keymap.zip",
         "232.9921.47": "https://plugins.jetbrains.com/files/18444/165585/NetBeans6.5Keymap.zip",
         "232.9921.48": "https://plugins.jetbrains.com/files/18444/165585/NetBeans6.5Keymap.zip",
-        "232.9921.53": "https://plugins.jetbrains.com/files/18444/165585/NetBeans6.5Keymap.zip"
+        "232.9921.53": "https://plugins.jetbrains.com/files/18444/165585/NetBeans6.5Keymap.zip",
+        "232.9921.55": "https://plugins.jetbrains.com/files/18444/165585/NetBeans6.5Keymap.zip",
+        "232.9921.62": "https://plugins.jetbrains.com/files/18444/165585/NetBeans6.5Keymap.zip"
       },
       "name": "netbeans-6-5-keymap"
     }
@@ -480,11 +480,11 @@
     "https://plugins.jetbrains.com/files/631/395438/python-232.9921.47.zip": "sha256-+2ow+tbZUipK92SKp0AegcRwUL1OSQuGE4FlZPOAGSk=",
     "https://plugins.jetbrains.com/files/6954/381727/kotlin-plugin-223-1.9.10-release-459-IJ8836.35.zip": "sha256-gHkNQyWh6jtY1986aI7Qo6ZNrniPy+Yq4XLLA0pKJkA=",
     "https://plugins.jetbrains.com/files/6981/383851/ini-232.9559.64.zip": "sha256-XJoRZ3ExKHkUZljuuMjMzMCcFw0A+vOyJAwtf+soHU4=",
-    "https://plugins.jetbrains.com/files/6981/393737/ini-232.9921.36.zip": "sha256-oUb3W64ZpXep3MsbL+/DG0kVzBQYEv6LG7jghb2aUQQ=",
-    "https://plugins.jetbrains.com/files/7219/389222/Symfony_Plugin-2022.1.256.zip": "sha256-PeaqtFldh89x6wMGSM1RUR2PLSnXa7mKSojOkrFM2R8=",
+    "https://plugins.jetbrains.com/files/6981/398535/ini-232.9921.55.zip": "sha256-Jntjg8pXb2HfE8yojDcECM/Lbv4k7J2AoxQ2yD2R23s=",
+    "https://plugins.jetbrains.com/files/7219/401047/Symfony_Plugin-2022.1.257.zip": "sha256-H5ZfeMT93sGUrDh/7ba9zsW/eQz37Rl/iShY6ryNM3E=",
     "https://plugins.jetbrains.com/files/7320/346181/PHP_Annotations-9.4.0.zip": "sha256-hT5K4w4lhvNwDzDMDSvsIDGj9lyaRqglfOhlbNdqpWs=",
     "https://plugins.jetbrains.com/files/7322/381781/python-ce-232.9559.62.zip": "sha256-wyqNQO4fFU9fJVbHbde/NWtY/RVOF/71o+TgWfS7VuM=",
-    "https://plugins.jetbrains.com/files/7322/395441/python-ce-232.9921.47.zip": "sha256-2oRXtVv9ima8W6vywkDX4IeUGwfVNEo4rsqYBmmWhKc=",
+    "https://plugins.jetbrains.com/files/7322/401058/python-ce-232.9921.77.zip": "sha256-cr4LxSz8xVzC+Zm+6LnWGLbF6aGBVLW56crCIQOawhc=",
     "https://plugins.jetbrains.com/files/8182/329558/intellij-rust-0.4.194.5382-223.zip": "sha256-AgaKH4ZaxLhumk1P9BVJGpvluKnpYIulCDIRQpaWlKA=",
     "https://plugins.jetbrains.com/files/8182/372556/intellij-rust-0.4.200.5420-232-beta.zip": "sha256-ZlSfPvhPixEz5JxU9qyG0nL3jiSjr4gKaf/xYcQI1vQ=",
     "https://plugins.jetbrains.com/files/8182/395553/intellij-rust-0.4.201.5424-232.zip": "sha256-pVwBEyUCx/DJET9uIm8vxFeChE8FskWyfLjDpfg2mAE=",

pkgs/applications/editors/jetbrains/versions.json

@@ -67,10 +67,10 @@
     "phpstorm": {
       "update-channel": "PhpStorm RELEASE",
       "url-template": "https://download.jetbrains.com/webide/PhpStorm-{version}.tar.gz",
-      "version": "2023.2.1",
-      "sha256": "bcb506fa27078f78da44a38f4fbab0a2000cea26385f51800c931d0cbd1b47c4",
-      "url": "https://download.jetbrains.com/webide/PhpStorm-2023.2.1.tar.gz",
-      "build_number": "232.9559.64",
+      "version": "2023.2.2",
+      "sha256": "5e3dd021b82dcad0f51bded677aa87680dcc3f5d843951c48848a9191141bf1d",
+      "url": "https://download.jetbrains.com/webide/PhpStorm-2023.2.2.tar.gz",
+      "build_number": "232.9921.55",
       "version-major-minor": "2022.3"
     },
     "pycharm-community": {
@@ -108,10 +108,10 @@
     "rust-rover": {
       "update-channel": "RustRover EAP",
       "url-template": "https://download.jetbrains.com/rustrover/RustRover-{version}.tar.gz",
-      "version": "2023.2",
-      "sha256": "5a51bcae179467e9c6440bc0c31bffd27c6fc58d593a0cbecd5aeb51508d27b6",
-      "url": "https://download.jetbrains.com/rustrover/RustRover-232.9921.46.tar.gz",
-      "build_number": "232.9921.46"
+      "version": "2023.2 EAP",
+      "sha256": "1f67e1a82f5cbb7c84382c7f251ae06b1e2699fa7d2fa4129e23ec2e43251687",
+      "url": "https://download.jetbrains.com/rustrover/RustRover-232.9921.62.tar.gz",
+      "build_number": "232.9921.62"
     },
     "webstorm": {
       "update-channel": "WebStorm RELEASE",
@@ -190,10 +190,10 @@
     "phpstorm": {
       "update-channel": "PhpStorm RELEASE",
       "url-template": "https://download.jetbrains.com/webide/PhpStorm-{version}.dmg",
-      "version": "2023.2.1",
-      "sha256": "5d238f0d3ddd59762256dc406ae2430e5abf79f9a04488722a87e54b70db68ef",
-      "url": "https://download.jetbrains.com/webide/PhpStorm-2023.2.1.dmg",
-      "build_number": "232.9559.64",
+      "version": "2023.2.2",
+      "sha256": "99a9bb313a5c141ecd1810306deaca3cf52d338edf206362b3f9d9337a27890e",
+      "url": "https://download.jetbrains.com/webide/PhpStorm-2023.2.2.dmg",
+      "build_number": "232.9921.55",
       "version-major-minor": "2022.3"
     },
     "pycharm-community": {
@@ -231,10 +231,10 @@
     "rust-rover": {
       "update-channel": "RustRover EAP",
       "url-template": "https://download.jetbrains.com/rustrover/RustRover-{version}.dmg",
-      "version": "2023.2",
-      "sha256": "4c7193acf07f44b91512d8b4c04c88068b8599e76150a81dfd728046910a0929",
-      "url": "https://download.jetbrains.com/rustrover/RustRover-232.9921.46.dmg",
-      "build_number": "232.9921.46"
+      "version": "2023.2 EAP",
+      "sha256": "dfde444bff011783cb4a5aa2aafae8ea989874c19535b01da8214df5eb3174fb",
+      "url": "https://download.jetbrains.com/rustrover/RustRover-232.9921.62.dmg",
+      "build_number": "232.9921.62"
     },
     "webstorm": {
       "update-channel": "WebStorm RELEASE",
@@ -313,10 +313,10 @@
     "phpstorm": {
       "update-channel": "PhpStorm RELEASE",
       "url-template": "https://download.jetbrains.com/webide/PhpStorm-{version}-aarch64.dmg",
-      "version": "2023.2.1",
-      "sha256": "886e79089e5e783739e71f57f8f20b9ecbc2e9e7cc9b941bb99d1444181939df",
-      "url": "https://download.jetbrains.com/webide/PhpStorm-2023.2.1-aarch64.dmg",
-      "build_number": "232.9559.64",
+      "version": "2023.2.2",
+      "sha256": "a31daeddae532324436b2d11acbd5fb657721883f17c7ef4457ac76a51bd4189",
+      "url": "https://download.jetbrains.com/webide/PhpStorm-2023.2.2-aarch64.dmg",
+      "build_number": "232.9921.55",
       "version-major-minor": "2022.3"
     },
     "pycharm-community": {
@@ -354,10 +354,10 @@
     "rust-rover": {
       "update-channel": "RustRover EAP",
       "url-template": "https://download.jetbrains.com/rustrover/RustRover-{version}-aarch64.dmg",
-      "version": "2023.2",
-      "sha256": "7f01fef11d89c6c6c870a79007607babde40f7a958b7103d1028aa760ed713b7",
-      "url": "https://download.jetbrains.com/rustrover/RustRover-232.9921.46-aarch64.dmg",
-      "build_number": "232.9921.46"
+      "version": "2023.2 EAP",
+      "sha256": "35d44a4f72c027283843aaa6409de701d14274cdc5a614c3fdc53121383f9389",
+      "url": "https://download.jetbrains.com/rustrover/RustRover-232.9921.62-aarch64.dmg",
+      "build_number": "232.9921.62"
     },
     "webstorm": {
       "update-channel": "WebStorm RELEASE",

pkgs/applications/misc/konsave/default.nix

@@ -0,0 +1,27 @@
+{ lib, python3Packages, fetchPypi }:
+
+python3Packages.buildPythonApplication rec {
+  pname = "konsave";
+  version = "2.2.0";
+
+  src = fetchPypi {
+    inherit version;
+    pname = "Konsave";
+    hash = "sha256-tWarqT2jFgCuSsa2NwMHRaR3/wj0khiRHidvRNMwM8M=";
+  };
+
+  nativeBuildInputs = with python3Packages; [ setuptools-scm ];
+  propagatedBuildInputs = with python3Packages; [ pyyaml setuptools ];
+
+  preCheck = ''
+    export HOME=$(mktemp -d)
+  '';
+
+  meta = with lib; {
+    description = "Save Linux Customization";
+    maintainers = with maintainers; [ MoritzBoehme ];
+    homepage = "https://github.com/Prayag2/konsave";
+    license = licenses.gpl3;
+    platforms = platforms.linux;
+  };
+}

pkgs/applications/misc/madonctl/default.nix

@@ -32,6 +32,6 @@ buildGoModule rec {
     description = "CLI for the Mastodon social network API";
     homepage = "https://github.com/McKael/madonctl";
     license = licenses.mit;
-    maintainers = with maintainers; [ aaronjheng ];
+    maintainers = with maintainers; [ ];
   };
 }

pkgs/applications/misc/nut/default.nix

@@ -57,6 +57,10 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  # Add `cgi-bin` to the default list to avoid pulling in whole
+  # of `gcc` into build closure.
+  stripDebugList = [ "cgi-bin" "lib" "lib32" "lib64" "libexec" "bin" "sbin" ];
+
   postInstall = ''
     substituteInPlace $out/lib/systemd/system-shutdown/nutshutdown \
       --replace /bin/sleep "${coreutils}/bin/sleep" \

pkgs/applications/misc/process-compose/default.nix

@@ -8,13 +8,13 @@ let config-module = "github.com/f1bonacc1/process-compose/src/config";
 in
 buildGoModule rec {
   pname = "process-compose";
-  version = "0.60.0";
+  version = "0.65.1";
 
   src = fetchFromGitHub {
     owner = "F1bonacc1";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-BsDel6F09HP5Oz2p0DDXKuS7Id5XPhZZxEzwu76vVwk=";
+    hash = "sha256-wlsZV9yE9486EBbIwVOcA4KBf9tfI0Ao1JSIPjJAcEU=";
     # populate values that require us to use git. By doing this in postFetch we
     # can delete .git afterwards and maintain better reproducibility of the src.
     leaveDotGit = true;

pkgs/applications/networking/cluster/civo/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "civo";
-  version = "1.0.65";
+  version = "1.0.66";
 
   src = fetchFromGitHub {
     owner  = "civo";
     repo   = "cli";
     rev    = "v${version}";
-    sha256 = "sha256-zuWKU2bZM0zdEupvWi1CV3S7urEhm4dc+sFYoQmljCk=";
+    sha256 = "sha256-17dRFRG3HpYJvqE4+SFI6a6nP6umkKc61rwQu4FiG6Q=";
   };
 
-  vendorHash = "sha256-Tym9Xu+oECUm78nIAyDwYYpR88wNxT4bmoy7iUwUQTU=";
+  vendorHash = "sha256-AvAS3S7bepaTFPelE+Bj5/UuQIXEDvSAtDuFaPRC9sk=";
 
   nativeBuildInputs = [ installShellFiles ];
 

pkgs/applications/networking/cluster/helm-docs/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "helm-docs";
-  version = "1.11.1";
+  version = "1.11.2";
 
   src = fetchFromGitHub {
     owner = "norwoodj";
     repo = "helm-docs";
     rev = "v${version}";
-    hash = "sha256-4o3hdqaW/AtegKStMKVerE3dRr3iZxQ+Lm2Aj3aOy98=";
+    hash = "sha256-w4QV96/02Pbs/l0lTLPYY8Ag21ZDDVPdgvuveiKUCoM=";
   };
 
   vendorHash = "sha256-6byD8FdeqdRDNUZFZ7FUUdyTuFOO8s3rb6YPGKdwLB8=";

pkgs/applications/networking/cluster/ktunnel/default.nix

@@ -1,6 +1,6 @@
 { stdenv, lib, buildGoModule, fetchFromGitHub }:
 let
-  version = "1.5.3";
+  version = "1.6.1";
 in
 buildGoModule {
   pname = "ktunnel";
@@ -10,7 +10,7 @@ buildGoModule {
     owner  = "omrikiei";
     repo   = "ktunnel";
     rev    = "v${version}";
-    sha256 = "sha256-7SWj9Emm78xpzdvJFKqpI5HVQi0ohbixkgXKGTy5C/A=";
+    sha256 = "sha256-rcUCIUIyBCSuMly7y0GUNQCdJUgsj7Oi6Hpz23uXoJw=";
   };
 
   ldflags = [

pkgs/applications/networking/cluster/kubeshark/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "kubeshark";
-  version = "50.2";
+  version = "50.4";
 
   src = fetchFromGitHub {
     owner = "kubeshark";
     repo = "kubeshark";
     rev = version;
-    sha256 = "sha256-bABPfy790cMIfunKYfZwDbEn07fhq6g0m/yqeFgJg4Y=";
+    sha256 = "sha256-+9AnzY/vnB1OGzkKmYL0sxWS17NV+MGnHNXGOtt+BKU=";
   };
 
-  vendorHash = "sha256-rcxnvKkc9zerfULRdU5eGRRqSDQQDNMYaLJ7oEMQghk=";
+  vendorHash = "sha256-Vcn1Ky/J/3QiV6M5fLedDcpkLp5WsVcXRkOEgkKPYEQ=";
 
   ldflags = let t = "github.com/kubeshark/kubeshark"; in [
    "-s" "-w"

pkgs/applications/networking/drive/default.nix

@@ -29,6 +29,6 @@ buildGoModule rec {
     homepage = "https://github.com/odeke-em/drive";
     description = "Google Drive client for the commandline";
     license = licenses.asl20;
-    maintainers = with maintainers; [ aaronjheng ];
+    maintainers = with maintainers; [ ];
   };
 }

pkgs/applications/networking/flexget/default.nix

@@ -6,7 +6,7 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "flexget";
-  version = "3.9.9";
+  version = "3.9.10";
   format = "pyproject";
 
   # Fetch from GitHub in order to use `requirements.in`
@@ -14,7 +14,7 @@ python3.pkgs.buildPythonApplication rec {
     owner = "Flexget";
     repo = "Flexget";
     rev = "refs/tags/v${version}";
-    hash = "sha256-kZ+RHkqmmRd7Ew5u8/SQADzOUa9YwCsj+nmtthCDlDw=";
+    hash = "sha256-cUcfXoqNKe5Ok0vDqe0uCpV84XokKe4iXbWeTm1Qv14=";
   };
 
   postPatch = ''

pkgs/applications/networking/gnmic/default.nix

@@ -8,13 +8,13 @@
 
 buildGoModule rec {
   pname = "gnmic";
-  version = "0.31.7";
+  version = "0.32.0";
 
   src = fetchFromGitHub {
     owner = "openconfig";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-bX8oZk0psPqoXFU8b2JQmfFaPz18yiuSVXDmhoOnpFg=";
+    hash = "sha256-aEAbIh1BH8R05SpSMSXL2IrudjIki72k7NGvjjKkxZw=";
   };
 
   vendorHash = "sha256-hIG3kG2e9Y2hnHJ+96cPLgnlp5ParsLgWQY0HZTDggY=";

pkgs/applications/networking/gopher/sacc/default.nix

@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "ftp://bitreich.org/releases/sacc/sacc-${version}.tar.gz";
-    sha512 = "7a895e432e1d28b7d9b2bb2a5326ca32350876a2c80d39dc6c19e75347d72a4847f1aa4ff11f07e8a9adea14ea71b84d70890dcc170ff6ce0b779e1d6586b4fa";
+    hash = "sha512-eoleQy4dKLfZsrsqUybKMjUIdqLIDTncbBnnU0fXKkhH8apP8R8H6Kmt6hTqcbhNcIkNzBcP9s4Ld54dZYa0+g==";
   };
 
   inherit patches;

pkgs/applications/networking/mailreaders/thunderbird/packages.nix

@@ -11,7 +11,7 @@ rec {
     binaryName = pname;
     src = fetchurl {
       url = "mirror://mozilla/thunderbird/releases/${version}/source/thunderbird-${version}.source.tar.xz";
-      sha512 = "4ae3f216833aec55421f827d55bc1b5fc2f0ad4fefecb27724a5be3318c351df24d30a4897b924e733ed2e3995be284b6d135049d46001143fb1c961fefc1830";
+      hash = "sha512-SuPyFoM67FVCH4J9VbwbX8LwrU/v7LJ3JKW+MxjDUd8k0wpIl7kk5zPtLjmVvihLbRNQSdRgARQ/sclh/vwYMA==";
     };
     extraPatches = [
       # The file to be patched is different from firefox's `no-buildconfig-ffx90.patch`.
@@ -49,7 +49,7 @@ rec {
     binaryName = pname;
     src = fetchurl {
       url = "mirror://mozilla/thunderbird/releases/${version}/source/thunderbird-${version}.source.tar.xz";
-      sha512 = "45843709c21eb19d69d43205da6b2f943b584811a29942ffef1933c1ce7882b48046b201c2ff198658fec2c53d479311d8a353731afe6ea53f97b31674d6074a";
+      hash = "sha512-RYQ3CcIesZ1p1DIF2msvlDtYSBGimUL/7xkzwc54grSARrIBwv8Zhlj+wsU9R5MR2KNTcxr+bqU/l7MWdNYHSg==";
     };
     extraPatches = [
       # The file to be patched is different from firefox's `no-buildconfig-ffx90.patch`.

pkgs/applications/office/fava/default.nix

@@ -2,12 +2,12 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "fava";
-  version = "1.26";
+  version = "1.26.1";
   format = "pyproject";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-YSxUqwmv7LQqnT9U1dau9pYaKvEEG5Tbi7orylJKkp0=";
+    hash = "sha256-pj4kaQDXahjhN7bu7xxT/ZuoCfPdGyo898482S5gnlE=";
   };
 
   nativeBuildInputs = with python3.pkgs; [ setuptools-scm ];

pkgs/applications/science/math/qalculate-gtk/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "qalculate-gtk";
-  version = "4.8.0";
+  version = "4.8.1";
 
   src = fetchFromGitHub {
     owner = "qalculate";
     repo = "qalculate-gtk";
     rev = "v${finalAttrs.version}";
-    sha256 = "sha256-GYy3Ot2vjXpCp89Rib3Ua0XeVGOOTejKcaqNZvPmxm0=";
+    sha256 = "sha256-bG0hui5GjHWHny/8Rq5sZGz3s5rYnYlpc+K8I/LwDto=";
   };
 
   hardeningDisable = [ "format" ];

pkgs/applications/science/math/qalculate-qt/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "qalculate-qt";
-  version = "4.8.0";
+  version = "4.8.1";
 
   src = fetchFromGitHub {
     owner = "qalculate";
     repo = "qalculate-qt";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-7VlaoiY+HgHCMZCegUdy2wpgfx3fKaViMtkdNRleHaA=";
+    hash = "sha256-hH+orU+5PmPcrhkLKCdsDhVCrD8Mvxp2RPTGSlsUP7Y=";
   };
 
   nativeBuildInputs = [ qmake intltool pkg-config qttools wrapQtAppsHook ];

pkgs/applications/science/physics/elmerfem/default.nix

@@ -1,14 +1,14 @@
-{ lib, stdenv, fetchFromGitHub, cmake, git, gfortran, mpi, blas, liblapack, pkg-config, libGL, libGLU, opencascade, libsForQt5, tbb, vtkWithQt5 }:
+{ lib, stdenv, fetchFromGitHub, cmake, git, gfortran, mpi, blas, liblapack, pkg-config, libGL, libGLU, opencascade-occt, libsForQt5, tbb, vtkWithQt5 }:
 
 stdenv.mkDerivation rec {
   pname = "elmerfem";
-  version = "unstable-2023-02-03";
+  version = "unstable-2023-09-18";
 
   src = fetchFromGitHub {
     owner = "elmercsc";
     repo = pname;
-    rev = "39c8784b6e4543a6bf560b5d597e0eec1eb06343";
-    hash = "sha256-yyxgFvlS+I4PouDL6eD4ZrXuONTDejCSYKq2AwQ0Iug=";
+    rev = "0fcced06f91c93f44557efd6a5f10b2da5c7066c";
+    hash = "sha256-UuARDYW7D3a4dB6I86s2Ed5ecQxc+Y/es3YIeF2VyTc=";
   };
 
   hardeningDisable = [ "format" ];
@@ -28,7 +28,7 @@ stdenv.mkDerivation rec {
     libsForQt5.qwt
     libGL
     libGLU
-    opencascade
+    opencascade-occt
     tbb
     vtkWithQt5
   ];

pkgs/applications/version-management/gql/default.nix

@@ -2,29 +2,29 @@
 , rustPlatform
 , fetchFromGitHub
 , pkg-config
-, libgit2_1_6
+, libgit2
 , zlib
 }:
 
 rustPlatform.buildRustPackage rec {
   pname = "gql";
-  version = "0.6.0";
+  version = "0.7.0";
 
   src = fetchFromGitHub {
     owner = "AmrDeveloper";
     repo = "GQL";
     rev = version;
-    hash = "sha256-eWupAfe2lOcOp8hC4sx8Wl1jaVZT4E99I5V9YsMcDZA=";
+    hash = "sha256-iM5a0uy+egPBMSDBo6ks8QNfRoKku2GmFpzoanSDm9M=";
   };
 
-  cargoHash = "sha256-O6Y+JOMpucrjvYAJZe2D97vODFXVysuiitXzMkfcSpI=";
+  cargoHash = "sha256-bpPrnguDSj1K22vmf/hEimd4tVS6ANmTiVtdsUuN1BM=";
 
   nativeBuildInputs = [
     pkg-config
   ];
 
   buildInputs = [
-    libgit2_1_6
+    libgit2
     zlib
   ];
 

pkgs/applications/video/lbry/default.nix

@@ -12,7 +12,7 @@ in appimageTools.wrapAppImage rec {
     src = fetchurl {
       url = "https://github.com/lbryio/lbry-desktop/releases/download/v${version}/LBRY_${version}.AppImage";
       # Gotten from latest-linux.yml
-      sha512 = "WZB2pMzSuWGPj6uad+rIECOhuWEOxi0hVUQifOrhUrKj4SnBDws+oy7V2+NpDGkzbG+Kf3IO8rcWBD4wfFoo2Q==";
+      hash = "sha512-WZB2pMzSuWGPj6uad+rIECOhuWEOxi0hVUQifOrhUrKj4SnBDws+oy7V2+NpDGkzbG+Kf3IO8rcWBD4wfFoo2Q==";
     };
   };
 

pkgs/applications/video/obs-studio/default.nix

@@ -164,7 +164,7 @@ stdenv.mkDerivation rec {
       video content, efficiently
     '';
     homepage = "https://obsproject.com";
-    maintainers = with maintainers; [ jb55 MP2E V ];
+    maintainers = with maintainers; [ jb55 MP2E V materus ];
     license = licenses.gpl2Plus;
     platforms = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
     mainProgram = "obs";

pkgs/applications/video/obs-studio/fix-nix-plugin-path.patch

@@ -1,5 +1,18 @@
+diff --git a/cmake/Modules/ObsDefaults_Linux.cmake b/cmake/Modules/ObsDefaults_Linux.cmake
+index d1e58a083..a03c6b98e 100644
+--- a/cmake/Modules/ObsDefaults_Linux.cmake
++++ b/cmake/Modules/ObsDefaults_Linux.cmake
+@@ -76,7 +76,7 @@ macro(setup_obs_project)
+     set(OBS_INSTALL_PREFIX "${CMAKE_INSTALL_PREFIX}/")
+     set(OBS_DATA_PATH "${OBS_DATA_DESTINATION}")
+ 
+-    set(OBS_SCRIPT_PLUGIN_PATH "${CMAKE_INSTALL_PREFIX}/${OBS_SCRIPT_PLUGIN_DESTINATION}")
++    set(OBS_SCRIPT_PLUGIN_PATH "${OBS_SCRIPT_PLUGIN_DESTINATION}")
+     set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/${OBS_LIBRARY_DESTINATION}")
+   else()
+     set(OBS_EXECUTABLE_DESTINATION "bin/${_ARCH_SUFFIX}bit")
 diff --git a/libobs/obs-nix.c b/libobs/obs-nix.c
-index 36aac7097..801cec788 100644
+index b006a5598..531655eb3 100644
 --- a/libobs/obs-nix.c
 +++ b/libobs/obs-nix.c
 @@ -56,7 +56,7 @@ const char *get_module_extension(void)

pkgs/applications/virtualization/driver/win-virtio/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "win-virtio";
-  version = "0.1.229-1";
+  version = "0.1.240-1";
 
   src = fetchurl {
     url = "https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/virtio-win-${version}/virtio-win.iso";
-    hash = "sha256-yIoN3jRgXq7mz4ifPioMKvPK65G130WhJcpPcBrLu+A=";
+    hash = "sha256-69SCWGaPf3jgJu0nbCip0Z2D4CD/oICtaZENyGu8vMY=";
   };
 
   nativeBuildInputs = [

pkgs/applications/window-managers/hyprwm/hyprland/default.nix

@@ -40,13 +40,13 @@ assert lib.assertMsg (!nvidiaPatches) "The option `nvidiaPatches` has been renam
 assert lib.assertMsg (!hidpiXWayland) "The option `hidpiXWayland` has been removed. Please refer https://wiki.hyprland.org/Configuring/XWayland";
 stdenv.mkDerivation (finalAttrs: {
   pname = "hyprland" + lib.optionalString debug "-debug";
-  version = "0.29.1";
+  version = "0.30.0";
 
   src = fetchFromGitHub {
     owner = "hyprwm";
     repo = finalAttrs.pname;
     rev = "v${finalAttrs.version}";
-    hash = "sha256-j9ypIwZkotNZMyk8R/W002OzDHd0C0OHSKE7uOFpf2k=";
+    hash = "sha256-a0nqm82brOC0QroGOXxcIKxOMAfl9I6pfFOYjCeRzO0=";
   };
 
   patches = [

pkgs/applications/window-managers/hyprwm/hyprland/wlroots.nix

@@ -42,8 +42,8 @@ wlroots.overrideAttrs
       domain = "gitlab.freedesktop.org";
       owner = "wlroots";
       repo = "wlroots";
-      rev = "717ded9bb0191ea31bf4368be32e7a15fe1b8294";
-      hash = "sha256-eBKkG7tMxg92NskEn8dHRFY245JwjirWRoOZzW6DnUw=";
+      rev = "98a745d926d8048bc30aef11b421df207a01c279";
+      hash = "sha256-LEIUGXvKR5DYFQUTavC3yifcObvG4XZUUHfxXmu8nEM=";
     };
 
     pname =

pkgs/applications/window-managers/hyprwm/xdg-desktop-portal-hyprland/default.nix

@@ -21,15 +21,15 @@
 , hyprland
 , slurp
 }:
-stdenv.mkDerivation {
+stdenv.mkDerivation (self: {
   pname = "xdg-desktop-portal-hyprland";
-  version = "unstable-2023-09-10";
+  version = "1.1.0";
 
   src = fetchFromGitHub {
     owner = "hyprwm";
     repo = "xdg-desktop-portal-hyprland";
-    rev = "aca51609d4c415b30e88b96c6f49f0142cbcdae7";
-    hash = "sha256-RF6LXm4J6mBF3B8VcQuABuU4g4tCPHgMYJQSoJ3DW+8=";
+    rev = "v${self.version}";
+    hash = "sha256-K1cqx+NP4lxPwRVPLEeSUfagaMI3m5hdYvQe7sZr7BU=";
   };
 
   nativeBuildInputs = [
@@ -73,4 +73,4 @@ stdenv.mkDerivation {
     maintainers = with maintainers; [ fufexan ];
     platforms = platforms.linux;
   };
-}
+})

pkgs/build-support/node/fetch-yarn-deps/default.nix

@@ -3,7 +3,7 @@
 let
   yarnpkg-lockfile-tar = fetchurl {
     url = "https://registry.yarnpkg.com/@yarnpkg/lockfile/-/lockfile-1.1.0.tgz";
-    sha512 = "sha512-GpSwvyXOcOOlV70vbnzjj4fW5xW/FdUF6nQEt1ENy7m4ZCczi1+/buVUPAqmGfqznsORNFzUMjctTIp8a9tuCQ==";
+    hash = "sha512-GpSwvyXOcOOlV70vbnzjj4fW5xW/FdUF6nQEt1ENy7m4ZCczi1+/buVUPAqmGfqznsORNFzUMjctTIp8a9tuCQ==";
   };
 
   tests = callPackage ./tests {};

pkgs/by-name/aa/aarch64-esr-decoder/package.nix

@@ -0,0 +1,27 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "aarch64-esr-decoder";
+  version = "0.2.1";
+
+  src = fetchFromGitHub {
+    owner = "google";
+    repo = "aarch64-esr-decoder";
+    rev = version;
+    hash = "sha256-YdB/8EUeELcKBj8UMbeWFzJ8HeMHvDgrP2qlOJp2dXA=";
+  };
+
+  cargoHash = "sha256-P55DiHBUkr6mreGnWET4+TzLkKnVQJ0UwvrGp6BQ304=";
+
+  meta = with lib; {
+    description = "A utility for decoding aarch64 ESR register values";
+    homepage = "https://github.com/google/aarch64-esr-decoder";
+    changelog = "https://github.com/google/aarch64-esr-decoder/blob/${src.rev}/CHANGELOG.md";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ jmbaur ];
+    mainProgram = "aarch64-esr-decoder";
+  };
+}

pkgs/by-name/ba/badger/package.nix

@@ -0,0 +1,30 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+}:
+
+buildGoModule rec {
+  pname = "badger";
+  version = "4.2.0";
+
+  src = fetchFromGitHub {
+    owner = "dgraph-io";
+    repo = "badger";
+    rev = "v${version}";
+    hash = "sha256-+b+VTGUGmqixB51f1U2QK+XfVra4zXybW19n/CeeoAQ=";
+  };
+
+  vendorHash = "sha256-YiSmxtRt8HtYcvPL9ZKMjb2ch/MZBjZp5pIIBdqQ7Nw=";
+
+  subPackages = [ "badger" ];
+
+  doCheck = false;
+
+  meta = with lib; {
+    description = "Fast key-value DB in Go";
+    homepage = "https://github.com/dgraph-io/badger";
+    license = licenses.asl20;
+    mainProgram = "badger";
+    maintainers = with maintainers; [ farcaller ];
+  };
+}

pkgs/by-name/kt/ktfmt/package.nix

@@ -0,0 +1,38 @@
+{ lib, fetchFromGitHub, jre_headless, makeWrapper, maven }:
+
+maven.buildMavenPackage rec {
+  pname = "ktfmt";
+  version = "0.46";
+
+  src = fetchFromGitHub {
+    owner = "facebook";
+    repo = "ktfmt";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-OIbJ+J5LX6SPv5tuAiY66v/edeM7nFPHj90GXV6zaxw=";
+  };
+
+  mvnHash = "sha256-pzMjkkdkbVqVxZPW2I0YWPl5/l6+SyNkhd6gkm9Uoyc=";
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/bin
+    install -Dm644 core/target/ktfmt-*-jar-with-dependencies.jar $out/share/ktfmt/ktfmt.jar
+
+    makeWrapper ${jre_headless}/bin/java $out/bin/ktfmt \
+      --add-flags "-jar $out/share/ktfmt/ktfmt.jar"
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "A program that reformats Kotlin source code to comply with the common community standard for Kotlin code conventions.";
+    homepage = "https://github.com/facebook/ktfmt";
+    license = licenses.apsl20;
+    mainProgram = "ktfmt";
+    maintainers = with maintainers; [ ghostbuster91 ];
+    inherit (jre_headless.meta) platforms;
+  };
+}

pkgs/by-name/la/labwc/package.nix

@@ -2,21 +2,23 @@
 , stdenv
 , fetchFromGitHub
 , cairo
+, gettext
 , glib
 , libdrm
 , libinput
+, libpng
+, librsvg
 , libxcb
 , libxkbcommon
 , libxml2
-, gettext
 , meson
 , ninja
 , pango
 , pkg-config
 , scdoc
-, wayland-scanner
 , wayland
 , wayland-protocols
+, wayland-scanner
 , wlroots
 , xcbutilwm
 , xwayland
@@ -24,13 +26,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "labwc";
-  version = "0.6.4";
+  version = "0.6.5";
 
   src = fetchFromGitHub {
     owner = "labwc";
     repo = "labwc";
     rev = finalAttrs.version;
-    hash = "sha256-8FMC0tq5Gp5qDPUmoJTCrHEergDMUbiTco17jPTJUgE=";
+    hash = "sha256-nQLxE2Q4GiLUjkag/yqctzmkKKWFw1XNFjotE8MMgBA=";
   };
 
   nativeBuildInputs = [
@@ -47,6 +49,8 @@ stdenv.mkDerivation (finalAttrs: {
     glib
     libdrm
     libinput
+    libpng
+    librsvg
     libxcb
     libxkbcommon
     libxml2
@@ -58,16 +62,20 @@ stdenv.mkDerivation (finalAttrs: {
     xwayland
   ];
 
+  outputs = [ "out" "man" ];
+
+  strictDeps = true;
+
   mesonFlags = [
     (lib.mesonEnable "xwayland" true)
   ];
 
-  meta = with lib; {
+  meta = {
     homepage = "https://github.com/labwc/labwc";
-    description = "A Wayland stacking compositor, similar to Openbox";
+    description = "A Wayland stacking compositor, inspired by Openbox";
     changelog = "https://raw.githubusercontent.com/labwc/labwc/${finalAttrs.version}/NEWS.md";
-    license = licenses.gpl2Plus;
-    maintainers = with maintainers; [ AndersonTorres ];
+    license = lib.licenses.gpl2Plus;
+    maintainers = with lib.maintainers; [ AndersonTorres ];
     inherit (wayland.meta) platforms;
   };
 })

pkgs/by-name/le/lemminx/package.nix

@@ -0,0 +1,104 @@
+{ lib
+, fetchFromGitHub
+, makeWrapper
+, jre
+, maven
+, writeScript
+, lemminx
+}:
+
+maven.buildMavenPackage rec {
+  pname = "lemminx";
+  version = "0.27.0";
+
+  src = fetchFromGitHub {
+    owner = "eclipse";
+    repo = "lemminx";
+    rev = version;
+    hash = "sha256-VWYTkYlPziNRyxHdvIWVuDlABpKdzhC/F6BUBj/opks=";
+    # Lemminx reads this git information at runtime from a git.properties
+    # file on the classpath
+    leaveDotGit = true;
+    postFetch = ''
+      cat > $out/org.eclipse.lemminx/src/main/resources/git.properties << EOF
+      git.build.version=${version}
+      git.commit.id.abbrev=$(git -C $out rev-parse --short HEAD)
+      git.commit.message.short=$(git -C $out log -1 --pretty=format:%s)
+      git.branch=main
+      EOF
+      rm -rf $out/.git
+    '';
+  };
+
+  manualMvnArtifacts = [
+    "org.apache.maven.surefire:surefire-junit-platform:3.1.2"
+    "org.junit.platform:junit-platform-launcher:1.10.0"
+  ];
+
+  mvnHash = "sha256-sIiCp1AorVQXt13Tq0vw9jGioG3zcQMqqKS/Q0Tf4MQ=";
+
+  buildOffline = true;
+
+  # disable gitcommitid plugin which needs a .git folder which we
+  # don't have
+  mvnDepsParameters = "-Dmaven.gitcommitid.skip=true";
+
+  # disable failing tests which either need internet access or are flaky
+  mvnParameters = lib.escapeShellArgs [
+    "-Dmaven.gitcommitid.skip=true"
+    "-Dtest=!XMLValidationCommandTest,
+    !XMLValidationExternalResourcesBasedOnDTDTest,
+    !XMLSchemaPublishDiagnosticsTest,
+    !PlatformTest,
+    !XMLValidationExternalResourcesBasedOnXSDTest,
+    !XMLExternalTest,
+    !XMLSchemaCompletionExtensionsTest,
+    !XMLSchemaDiagnosticsTest,
+    !MissingChildElementCodeActionTest,
+    !XSDValidationExternalResourcesTest,
+    !DocumentLifecycleParticipantTest"
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/bin $out/share
+    install -Dm644 org.eclipse.lemminx/target/org.eclipse.lemminx-uber.jar \
+      $out/share
+
+    makeWrapper ${jre}/bin/java $out/bin/lemminx \
+      --add-flags "-jar $out/share/org.eclipse.lemminx-uber.jar"
+
+    runHook postInstall
+  '';
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  passthru.updateScript = writeScript "update-lemminx" ''
+    #!/usr/bin/env nix-shell
+    #!nix-shell -i bash -p curl pcre common-updater-scripts jq gnused
+    set -eu -o pipefail
+
+    LATEST_TAG=$(curl https://api.github.com/repos/eclipse/lemminx/tags | \
+      jq -r '[.[] | select(.name | test("^[0-9]"))] | sort_by(.name | split(".") |
+      map(tonumber)) | reverse | .[0].name')
+    update-source-version lemminx "$LATEST_TAG"
+    sed -i '0,/mvnHash *= *"[^"]*"/{s/mvnHash = "[^"]*"/mvnHash = ""/}' ${lemminx}
+
+    echo -e "\nFetching all mvn dependencies to calculate the mvnHash. This may take a while ..."
+    nix-build -A lemminx.fetchedMavenDeps 2> lemminx-stderr.log || true
+
+    NEW_MVN_HASH=$(cat lemminx-stderr.log | grep "got:" | awk '{print ''$2}')
+    rm lemminx-stderr.log
+    # escaping double quotes looks ugly but is needed for variable substitution
+    # use # instead of / as separator because the sha256 might contain the / character
+    sed -i "0,/mvnHash *= *\"[^\"]*\"/{s#mvnHash = \"[^\"]*\"#mvnHash = \"$NEW_MVN_HASH\"#}" ${lemminx}
+  '';
+
+  meta = with lib; {
+    description = "XML Language Server";
+    homepage = "https://github.com/eclipse/lemminx";
+    license = licenses.epl20;
+    maintainers = with maintainers; [ tricktron ];
+  };
+}

pkgs/by-name/lu/luastatus/package.nix

@@ -0,0 +1,88 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+# Native Build Inputs
+, cmake
+, pkg-config
+, makeWrapper
+# Dependencies
+, yajl
+, alsa-lib
+, libpulseaudio
+, glib
+, libnl
+, udev
+, libXau
+, libXdmcp
+, pcre2
+, pcre
+, util-linux
+, libselinux
+, libsepol
+, lua5
+, docutils
+, libxcb
+, libX11
+, xcbutil
+, xcbutilwm
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "luastatus";
+  version = "0.6.0";
+
+  src = fetchFromGitHub {
+    owner = "shdown";
+    repo = "luastatus";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-whO5pjUPaCwEb2GDCIPnTk39MejSQOoRRQ5kdYEQ0Pc=";
+  };
+
+  nativeBuildInputs = [
+    cmake
+    pkg-config
+    makeWrapper
+  ];
+
+  buildInputs = [
+    libxcb
+    libX11
+    xcbutil
+    xcbutilwm
+    libXdmcp
+    libXau
+    libpulseaudio
+    libnl
+    libselinux
+    libsepol
+    yajl
+    alsa-lib
+    glib
+    udev
+    pcre2
+    pcre
+    util-linux
+    lua5
+    docutils
+  ];
+
+  postInstall = ''
+    wrapProgram $out/bin/luastatus-stdout-wrapper \
+      --prefix LUASTATUS : $out/bin/luastatus
+
+    wrapProgram $out/bin/luastatus-i3-wrapper \
+      --prefix LUASTATUS : $out/bin/luastatus
+
+    wrapProgram $out/bin/luastatus-lemonbar-launcher \
+      --prefix LUASTATUS : $out/bin/luastatus
+  '';
+
+  meta = with lib; {
+    description = "Universal status bar content generator";
+    homepage = "https://github.com/shdown/luastatus";
+    changelog = "https://github.com/shdown/luastatus/releases/tag/${finalAttrs.version}";
+    license = licenses.gpl3Only;
+    maintainers = with maintainers; [ kashw2 ];
+    platforms = platforms.linux;
+  };
+})

pkgs/data/icons/whitesur-cursors/default.nix

@@ -0,0 +1,31 @@
+{ lib
+, stdenvNoCC
+, fetchFromGitHub
+}:
+
+stdenvNoCC.mkDerivation {
+  pname = "whitesur-cursors";
+  version = "unstable-2022-06-17";
+
+  src = fetchFromGitHub {
+    owner = "vinceliuice";
+    repo = "WhiteSur-cursors";
+    rev = "5c94e8c22de067282f4cf6d782afd7b75cdd08c8";
+    sha256 = "sha256-CFse0XZzJu+PWDcqmvIXvue+3cKX47oavZU9HYRDAg0=";
+  };
+
+  installPhase = ''
+    runHook preInstall
+    install -dm 755 $out/share/icons/WhiteSur-cursors
+    cp -r dist/* $out/share/icons/WhiteSur-cursors
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "An x-cursor theme inspired by macOS and based on capitaine-cursors";
+    homepage = "https://github.com/vinceliuice/WhiteSur-cursors";
+    license = lib.licenses.gpl3Only;
+    maintainers = with lib.maintainers; [ tomasajt ];
+    platforms = lib.platforms.linux;
+  };
+}

pkgs/data/misc/ddccontrol-db/default.nix

@@ -6,13 +6,13 @@
 
 stdenv.mkDerivation rec {
   pname = "ddccontrol-db";
-  version = "20230821";
+  version = "20230911";
 
   src = fetchFromGitHub {
     owner = "ddccontrol";
     repo = pname;
     rev = version;
-    sha256 = "sha256-R+DXpT9Tgt311G/OtmKp3sqN0ex/rlLt3JuSK7kciC0=";
+    sha256 = "sha256-3lGzQ95ZS9yr9dX+wCTmX6Q+IsbMCfBa4zhcyxsG4+w=";
   };
 
   nativeBuildInputs = [ autoreconfHook intltool ];

pkgs/data/themes/catppuccin-gtk/default.nix

@@ -28,13 +28,13 @@ lib.checkListOfEnum "${pname}: tweaks" validTweaks tweaks
 
 stdenvNoCC.mkDerivation rec {
   inherit pname;
-  version = "0.6.1";
+  version = "0.6.2";
 
   src = fetchFromGitHub {
     owner = "catppuccin";
     repo = "gtk";
     rev = "v${version}";
-    sha256 = "sha256-b03V/c2do5FSm4Q0yN7V0RuoQX1fYsBd//Hj3R5MESI=";
+    hash = "sha256-BjdPe3wQBSVMYpeCifq93Cqt/G4bzsZYgOPBTilHqD8=";
   };
 
   nativeBuildInputs = [ gtk3 sassc ];
@@ -53,9 +53,12 @@ stdenvNoCC.mkDerivation rec {
   '';
 
   postPatch = ''
-    patchShebangs --build colloid/clean-old-theme.sh colloid/install.sh
+    patchShebangs --build colloid/install.sh
   '';
 
+  dontConfigure = true;
+  dontBuild = true;
+
   installPhase = ''
     runHook preInstall
 

pkgs/development/androidndk-pkgs/androidndk-pkgs.nix

@@ -11,15 +11,17 @@ let
   # than we do. We don't just use theirs because ours are less ambiguous and
   # some builds need that clarity.
   #
-  # FIXME:
-  # There's some dragons here. Build host and target concepts are being mixed up.
-  ndkInfoFun = { config, ... }: {
+  ndkBuildInfoFun = { config, ... }: {
     x86_64-apple-darwin = {
       double = "darwin-x86_64";
     };
     x86_64-unknown-linux-gnu = {
       double = "linux-x86_64";
     };
+  }.${config} or
+    (throw "Android NDK doesn't support building on ${config}, as far as we know");
+
+  ndkTargetInfoFun = { config, ... }: {
     i686-unknown-linux-android = {
       triple = "i686-linux-android";
       arch = "x86";
@@ -37,11 +39,10 @@ let
       triple = "aarch64-linux-android";
     };
   }.${config} or
-    (throw "Android NDK doesn't support ${config}, as far as we know");
+    (throw "Android NDK doesn't support targetting ${config}, as far as we know");
 
-  buildInfo = ndkInfoFun stdenv.buildPlatform;
-  hostInfo = ndkInfoFun stdenv.hostPlatform;
-  targetInfo = ndkInfoFun stdenv.targetPlatform;
+  buildInfo = ndkBuildInfoFun stdenv.buildPlatform;
+  targetInfo = ndkTargetInfoFun stdenv.targetPlatform;
 
   inherit (stdenv.targetPlatform) sdkVer;
   suffixSalt = lib.replaceStrings ["-" "."] ["_" "_"] stdenv.targetPlatform.config;

pkgs/development/androidndk-pkgs/default.nix

@@ -29,7 +29,7 @@
       # these two really are the same.
       buildAndroidndk = buildAndroidComposition.ndk-bundle;
       androidndk = androidComposition.ndk-bundle;
-      targetAndroidndkPkgs = targetPackages.androidndkPkgs_21;
+      targetAndroidndkPkgs = if targetPackages ? androidndkPkgs_21 then targetPackages.androidndkPkgs_21 else throw "androidndkPkgs_21: no targetPackages, use `buildPackages.androidndkPkgs_21";
     };
 
   "23b" =
@@ -59,7 +59,7 @@
       # these two really are the same.
       buildAndroidndk = buildAndroidComposition.ndk-bundle;
       androidndk = androidComposition.ndk-bundle;
-      targetAndroidndkPkgs = targetPackages.androidndkPkgs_23b;
+      targetAndroidndkPkgs = if targetPackages ? androidndkPkgs_23b then targetPackages.androidndkPkgs_23b else throw "androidndkPkgs_23b: no targetPackages, use `buildPackages.androidndkPkgs_23b";
     };
 
   "24" =
@@ -89,7 +89,7 @@
       # these two really are the same.
       buildAndroidndk = buildAndroidComposition.ndk-bundle;
       androidndk = androidComposition.ndk-bundle;
-      targetAndroidndkPkgs = targetPackages.androidndkPkgs_24;
+      targetAndroidndkPkgs = if targetPackages ? androidndkPkgs_24 then targetPackages.androidndkPkgs_24 else throw "androidndkPkgs_24: no targetPackages, use `buildPackages.androidndkPkgs_24";
     };
 
 }

pkgs/development/compilers/circt/default.nix

@@ -14,12 +14,12 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "circt";
-  version = "1.54.0";
+  version = "1.56.1";
   src = fetchFromGitHub {
     owner = "llvm";
     repo = "circt";
     rev = "firtool-${version}";
-    sha256 = "sha256-jHDQl6UJTyNGZ4PUTEiZCIN/RSRbBxlaVutkwrWbK9M=";
+    sha256 = "sha256-MOwjfSUd5Dvlvek763AMZWK29dUoc2fblb5qtByTqLA=";
     fetchSubmodules = true;
   };
 
@@ -78,7 +78,7 @@ stdenv.mkDerivation rec {
     description = "Circuit IR compilers and tools";
     homepage = "https://circt.org/";
     license = lib.licenses.asl20;
-    maintainers = with lib.maintainers; [ sharzy ];
+    maintainers = with lib.maintainers; [ sharzy pineapplehunter ];
     platforms = lib.platforms.all;
   };
 }

pkgs/development/compilers/ghdl/default.nix

@@ -11,26 +11,17 @@
 
 assert backend == "mcode" || backend == "llvm";
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "ghdl-${backend}";
-  version = "2.0.0";
+  version = "3.0.0";
 
   src = fetchFromGitHub {
     owner  = "ghdl";
     repo   = "ghdl";
-    rev    = "v${version}";
-    sha256 = "sha256-B/G3FGRzYy4Y9VNNB8yM3FohiIjPJhYSVbqsTN3cL5k=";
+    rev    = "v${finalAttrs.version}";
+    hash   = "sha256-94RNtHbOpbC2q/Z+PsQplrLxXmpS3LXOCXyTBB+n9c4=";
   };
 
-  patches = [
-    # https://github.com/ghdl/ghdl/issues/2056
-    (fetchpatch {
-      name = "fix-build-gcc-12.patch";
-      url = "https://github.com/ghdl/ghdl/commit/f8b87697e8b893b6293ebbfc34670c32bfb49397.patch";
-      hash = "sha256-tVbMm8veFkNPs6WFBHvaic5Jkp1niyg0LfFufa+hT/E=";
-    })
-  ];
-
   LIBRARY_PATH = "${stdenv.cc.libc}/lib";
 
   nativeBuildInputs = [
@@ -59,8 +50,6 @@ stdenv.mkDerivation rec {
     "--with-llvm-config=${llvm.dev}/bin/llvm-config"
   ];
 
-  hardeningDisable = [ "format" ];
-
   enableParallelBuilding = true;
 
   passthru = {
@@ -72,11 +61,12 @@ stdenv.mkDerivation rec {
     };
   };
 
-  meta = with lib; {
+  meta = {
     homepage = "https://github.com/ghdl/ghdl";
     description = "VHDL 2008/93/87 simulator";
-    maintainers = with maintainers; [ lucus16 thoughtpolice ];
-    platforms = platforms.linux;
-    license = licenses.gpl2;
+    license = lib.licenses.gpl2Plus;
+    mainProgram = "ghdl";
+    maintainers = with lib.maintainers; [ eclairevoyant lucus16 thoughtpolice ];
+    platforms = lib.platforms.linux;
   };
-}
+})

pkgs/development/interpreters/janet/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "janet";
-  version = "1.30.0";
+  version = "1.31.0";
 
   src = fetchFromGitHub {
     owner = "janet-lang";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-tkXEi8m7eroie/yP1kW0V6Ld5SCLA0/KmtHHI0fIsRI=";
+    hash = "sha256-Dj2fj1dsdAMl/H0vNKTf9qjPB4GVRpgWPVR+PuZWZMc=";
   };
 
   postPatch = ''

pkgs/development/interpreters/luau/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "luau";
-  version = "0.594";
+  version = "0.596";
 
   src = fetchFromGitHub {
     owner = "Roblox";
     repo = "luau";
     rev = version;
-    hash = "sha256-GRdJlVCT1jRAuQHsDjV2oqk7mtBUNDpWt8JGlP31CVs=";
+    hash = "sha256-25SMgBW5Uqh0dGM8A9qCTcUPPP7wzH8wCGk4w+0wp/c=";
   };
 
   nativeBuildInputs = [ cmake ];

pkgs/development/interpreters/octave/default.nix

@@ -50,8 +50,7 @@
 , makeWrapper
 # - Build Octave Qt GUI:
 , enableQt ? false
-, qt5
-, qscintilla
+, libsForQt5
 , libiconv
 , darwin
 }:
@@ -132,9 +131,9 @@ in stdenv.mkDerivation (finalAttrs: {
       gnuplot
       python3
     ] ++ lib.optionals enableQt [
-      qt5.qtbase
-      qt5.qtsvg
-      qscintilla
+      libsForQt5.qtbase
+      libsForQt5.qtsvg
+      libsForQt5.qscintilla
     ] ++ lib.optionals (enableJava) [
       jdk
     ] ++ lib.optionals (!stdenv.isDarwin) [
@@ -149,9 +148,9 @@ in stdenv.mkDerivation (finalAttrs: {
       gfortran
       texinfo
     ] ++ lib.optionals enableQt [
-      qt5.wrapQtAppsHook
-      qt5.qtscript
-      qt5.qttools
+      libsForQt5.wrapQtAppsHook
+      libsForQt5.qtscript
+      libsForQt5.qttools
     ];
 
     doCheck = !stdenv.isDarwin;

pkgs/development/libraries/faudio/default.nix

@@ -4,13 +4,13 @@
 
 stdenv.mkDerivation rec {
   pname = "faudio";
-  version = "23.08";
+  version = "23.09";
 
   src = fetchFromGitHub {
     owner = "FNA-XNA";
     repo = "FAudio";
     rev = version;
-    sha256 = "sha256-ceFnk0JQtolx7Q1FnADCO0z6fCxu1RzmN3sHohy4hzU=";
+    sha256 = "sha256-Sl+dOM1YMDwCN07ThR/JFwhNS10P7+uQJNUQAvFdYa8=";
   };
 
   nativeBuildInputs = [cmake];

pkgs/development/libraries/gr-framework/Use-the-module-mode-to-search-for-the-LibXml2-package.patch

@@ -0,0 +1,25 @@
+From 5d2377ad5e99742662e056bb782d5c21afb01dfb Mon Sep 17 00:00:00 2001
+From: Pavel Sobolev <paveloom@riseup.net>
+Date: Tue, 19 Sep 2023 13:27:39 +0300
+Subject: [PATCH] Use the module mode to search for the `LibXml2` package.
+
+---
+ CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 03490335..fb69e8fd 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -96,7 +96,7 @@ find_package(Expat)
+ # CMake ships with a `FindLibXml2.cmake` module which does not configure needed libxml2 dependencies.
+ # Thus, use the `libxml2-config.cmake` config file shipped with libxml which configures dependencies correctly by
+ # skipping module search mode.
+-find_package(LibXml2 NO_MODULE)
++find_package(LibXml2 MODULE)
+ if(${CMAKE_VERSION} VERSION_GREATER "3.16.0")
+   find_package(
+     Qt6
+--
+2.42.0
+

pkgs/development/libraries/gr-framework/default.nix

@@ -1,17 +1,18 @@
-{ cairo
-, cmake
+{ lib
+, stdenv
 , fetchFromGitHub
+, nix-update-script
+
+, cairo
+, cmake
 , ffmpeg
 , freetype
 , ghostscript
 , glfw
-, lib
 , libjpeg
 , libtiff
-, nix-update-script
 , qhull
 , qtbase
-, stdenv
 , wrapQtAppsHook
 , xorg
 , zeromq
@@ -19,15 +20,19 @@
 
 stdenv.mkDerivation rec {
   pname = "gr-framework";
-  version = "0.72.9";
+  version = "0.72.10";
 
   src = fetchFromGitHub {
     owner = "sciapp";
     repo = "gr";
     rev = "v${version}";
-    hash = "sha256-4rOcrMn0sxTeRQqiQMAWULzUV39i6J96Mb096Lyblns=";
+    hash = "sha256-ZFaun8PBtPTmhZ0+OHzUu27NvcJGxsImh+c7ZvCTNa0=";
   };
 
+  patches = [
+    ./Use-the-module-mode-to-search-for-the-LibXml2-package.patch
+  ];
+
   nativeBuildInputs = [
     cmake
     wrapQtAppsHook

pkgs/development/libraries/intel-gmmlib/default.nix

@@ -1,7 +1,6 @@
 { lib
 , stdenv
 , fetchFromGitHub
-, fetchpatch
 , cmake
 # for passthru.tests
 , intel-compute-runtime
@@ -10,24 +9,15 @@
 
 stdenv.mkDerivation rec {
   pname = "intel-gmmlib";
-  version = "22.3.7";
+  version = "22.3.11";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "gmmlib";
     rev = "intel-gmmlib-${version}";
-    sha256 = "sha256-/iwTPWRVTZk1dhZD2Grcnc76ItgXjf2VrFD+93h8YvM=";
+    sha256 = "sha256-pweKUf/KW64neJkEZwjePh7ft8KEBu1I9zCIx/lMQT8=";
   };
 
-  patches = [
-    # fix build on i686
-    # https://github.com/intel/gmmlib/pull/104
-    (fetchpatch {
-      url = "https://github.com/intel/gmmlib/commit/2526286f29d8ad3d3a5833bdc29e23e5f3300b34.patch";
-      hash = "sha256-mChK6wprAt+bo39g6LTNy25kJeGoKabpXFq2gSDhaPw=";
-    })
-  ];
-
   nativeBuildInputs = [ cmake ];
 
   passthru.tests = {

pkgs/development/libraries/libdwarf/20210528.nix

@@ -2,7 +2,7 @@
 callPackage ./common.nix rec {
   version = "20210528";
   url = "https://www.prevanders.net/libdwarf-${version}.tar.gz";
-  sha512 = "e0f9c88554053ee6c1b1333960891189e7820c4a4ddc302b7e63754a4cdcfc2acb1b4b6083a722d1204a75e994fff3401ecc251b8c3b24090f8cb4046d90f870";
+  hash = "sha512-4PnIhVQFPubBsTM5YIkRieeCDEpN3DArfmN1Skzc/CrLG0tgg6ci0SBKdemU//NAHswlG4w7JAkPjLQEbZD4cA==";
   buildInputs = [ zlib libelf ];
   knownVulnerabilities = [ "CVE-2022-32200" "CVE-2022-39170" ];
 }

pkgs/development/libraries/libdwarf/common.nix

@@ -1,11 +1,11 @@
-{ lib, stdenv, fetchurl, buildInputs, sha512, version, libelf, url, knownVulnerabilities }:
+{ lib, stdenv, fetchurl, buildInputs, hash, version, libelf, url, knownVulnerabilities }:
 
 stdenv.mkDerivation rec {
   pname = "libdwarf";
   inherit version;
 
   src = fetchurl {
-    inherit url sha512;
+    inherit url hash;
   };
 
   configureFlags = [ "--enable-shared" "--disable-nonshared" ];

pkgs/development/libraries/libdwarf/default.nix

@@ -2,7 +2,7 @@
 callPackage ./common.nix rec {
   version = "0.4.2";
   url = "https://www.prevanders.net/libdwarf-${version}.tar.xz";
-  sha512 = "6d2a3ebf0104362dd9cecec272935684f977db119810eea0eec88c9f56a042f260a4f6ed3bbabde8592fe16f98cbd81b4ab2878005140e05c8f475df6380d1c2";
+  hash = "sha512-bSo+vwEENi3Zzs7CcpNWhPl32xGYEO6g7siMn1agQvJgpPbtO7q96Fkv4W+Yy9gbSrKHgAUUDgXI9HXfY4DRwg==";
   buildInputs = [ zlib ];
   knownVulnerabilities = [];
 }

pkgs/development/libraries/libgphoto2/default.nix

@@ -17,13 +17,13 @@
 
 stdenv.mkDerivation rec {
   pname = "libgphoto2";
-  version = "2.5.30";
+  version = "2.5.31";
 
   src = fetchFromGitHub {
     owner = "gphoto";
     repo = "libgphoto2";
     rev = "libgphoto2-${builtins.replaceStrings [ "." ] [ "_" ] version}-release";
-    sha256 = "sha256-4UwD283mKhZwC7setBU0BLRLsyfjD/6m/InSedrqgAU=";
+    sha256 = "sha256-UmyDKEaPP9VJqi8f+y6JZcTlQomhMTN+/C//ODYx6/w=";
   };
 
   depsBuildBuild = [ pkg-config ];

pkgs/development/libraries/libqalculate/default.nix

@@ -18,13 +18,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "libqalculate";
-  version = "4.8.0";
+  version = "4.8.1";
 
   src = fetchFromGitHub {
     owner = "qalculate";
     repo = "libqalculate";
     rev = "v${finalAttrs.version}";
-    sha256 = "sha256-wONqqd8Ds10SvkUrj7Ps6BfqUNPE6hCnQrKDTEglVEQ=";
+    sha256 = "sha256-4WqKlwVf4/ixVr98lPFVfNL6EOIfHHfL55xLsYqxkhY=";
   };
 
   outputs = [ "out" "dev" "doc" ];

pkgs/development/libraries/opencascade/default.nix

@@ -1,65 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, fetchpatch, libGL, libGLU, libXmu, cmake, ninja,
-  pkg-config, fontconfig, freetype, expat, freeimage, vtk_8, gl2ps, tbb,
-  OpenCL, Cocoa
-}:
-
-stdenv.mkDerivation rec {
-  pname = "opencascade-oce";
-  version = "0.18.3";
-
-  src = fetchFromGitHub {
-    owner = "tpaviot";
-    repo = "oce";
-    rev = "OCE-${version}";
-    sha256 = "17wy8dcf44vqisishv1jjf3cmcxyygqq29y9c3wjdj983qi2hsig";
-  };
-
-  nativeBuildInputs = [ cmake ninja pkg-config ];
-  buildInputs = [
-    libGL libGLU libXmu freetype fontconfig expat freeimage vtk_8
-    gl2ps tbb
-  ]
-    ++ lib.optionals stdenv.isDarwin [OpenCL Cocoa]
-  ;
-
-  cmakeFlags = [
-    "-DOCE_INSTALL_PREFIX=${placeholder "out"}"
-    "-DOCE_WITH_FREEIMAGE=ON"
-    "-DOCE_WITH_VTK=ON"
-    "-DOCE_WITH_GL2PS=ON"
-    "-DOCE_MULTITHREAD_LIBRARY=TBB"
-  ]
-  ++ lib.optionals stdenv.isDarwin ["-DOCE_OSX_USE_COCOA=ON" "-DOCE_WITH_OPENCL=ON"];
-
-  patches = [
-    # Use fontconfig instead of hardcoded directory list
-    # https://github.com/tpaviot/oce/pull/714
-    (fetchpatch {
-      url = "https://github.com/tpaviot/oce/commit/9643432b27fec8974ca0ee15c3c372f5fe8fc069.patch";
-      sha256 = "1wd940rszmh5apcpk5fv6126h8mcjcy4rjifrql5d4ac90v06v4c";
-    })
-    # Fix for glibc 2.26
-    (fetchpatch {
-      url = "https://github.com/tpaviot/oce/commit/3b44656e93270d782009b06ec4be84d2a13f8126.patch";
-      sha256 = "1ccakkcwy5g0184m23x0mnh22i0lk45xm8kgiv5z3pl7nh35dh8k";
-    })
-    (fetchpatch {
-      url = "https://github.com/tpaviot/oce/commit/cf50d078cd5fac03a48fd204938bd240930a08dc.patch";
-      sha256 = "1xv94hcvggmb1c8vqwic1aiw9jw1sxk8mqbaak9xs9ycfqdvgdyc";
-    })
-  ];
-
-  postPatch = ''
-    # make sure the installed cmake file uses absolute paths for fontconfig
-    substituteInPlace adm/cmake/TKService/CMakeLists.txt \
-      --replace FONTCONFIG_LIBRARIES FONTCONFIG_LINK_LIBRARIES
-  '';
-
-  meta = with lib; {
-    description = "Open CASCADE Technology, libraries for 3D modeling and numerical simulation";
-    homepage = "https://github.com/tpaviot/oce";
-    maintainers = [ maintainers.viric ];
-    platforms = platforms.unix;
-    license = licenses.lgpl21;
-  };
-}

pkgs/development/libraries/opencv/3.x.nix

@@ -22,7 +22,6 @@
 , enablePython    ? false, pythonPackages ? null
 , enableGtk2      ? false, gtk2
 , enableGtk3      ? false, gtk3
-, enableVtk       ? false, vtk_8
 , enableFfmpeg    ? false, ffmpeg
 , enableGStreamer ? false, gst_all_1
 , enableTesseract ? false, tesseract, leptonica
@@ -191,7 +190,6 @@ stdenv.mkDerivation {
     ++ lib.optional enablePython pythonPackages.python
     ++ lib.optional enableGtk2 gtk2
     ++ lib.optional enableGtk3 gtk3
-    ++ lib.optional enableVtk vtk_8
     ++ lib.optional enableJPEG libjpeg
     ++ lib.optional enablePNG libpng
     ++ lib.optional enableTIFF libtiff

pkgs/development/libraries/openscenegraph/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchFromGitHub, cmake, pkg-config, doxygen,
+{ stdenv, lib, fetchFromGitHub, fetchpatch, cmake, pkg-config, doxygen,
   libX11, libXinerama, libXrandr, libGLU, libGL,
   glib, ilmbase, libxml2, pcre, zlib,
   AGL, Accelerate, Carbon, Cocoa, Foundation,
@@ -11,7 +11,7 @@
   gdalSupport ? false, gdal,
   curlSupport ? true, curl,
   colladaSupport ? false, collada-dom,
-  opencascadeSupport ? false, opencascade,
+  opencascadeSupport ? false, opencascade-occt,
   ffmpegSupport ? false, ffmpeg,
   nvttSupport ? false, nvidia-texture-tools,
   freetypeSupport ? true, freetype,
@@ -51,7 +51,7 @@ stdenv.mkDerivation rec {
     ++ lib.optional gdalSupport gdal
     ++ lib.optional curlSupport curl
     ++ lib.optional colladaSupport collada-dom
-    ++ lib.optional opencascadeSupport opencascade
+    ++ lib.optional opencascadeSupport opencascade-occt
     ++ lib.optional ffmpegSupport ffmpeg
     ++ lib.optional nvttSupport nvidia-texture-tools
     ++ lib.optional freetypeSupport freetype
@@ -66,7 +66,15 @@ stdenv.mkDerivation rec {
     ++ lib.optionals (!stdenv.isDarwin) [  ]
     ++ lib.optionals stdenv.isDarwin [ AGL Accelerate Carbon Cocoa Foundation ]
     ++ lib.optional (restSupport || colladaSupport) boost
-  ;
+    ;
+
+  patches = [
+    (fetchpatch {
+      name = "opencascade-api-patch";
+      url = "https://github.com/openscenegraph/OpenSceneGraph/commit/bc2daf9b3239c42d7e51ecd7947d31a92a7dc82b.patch";
+      hash = "sha256-VR8YKOV/YihB5eEGZOGaIfJNrig1EPS/PJmpKsK284c=";
+    })
+  ];
 
   cmakeFlags = lib.optional (!withApps) "-DBUILD_OSG_APPLICATIONS=OFF" ++ lib.optional withExamples "-DBUILD_OSG_EXAMPLES=ON";
 

pkgs/development/libraries/qscintilla/default.nix

@@ -6,9 +6,16 @@
 , qtmacextras ? null
 , qmake
 , fixDarwinDylibNames
+, darwin
 }:
 
-stdenv.mkDerivation rec {
+let
+  stdenv' = if stdenv.isDarwin then
+    darwin.apple_sdk_11_0.stdenv
+  else
+    stdenv
+  ;
+in stdenv'.mkDerivation rec {
   pname = "qscintilla-qt5";
   version = "2.13.2";
 

pkgs/development/libraries/science/biology/mirtk/default.nix

@@ -1,14 +1,27 @@
-{ lib, stdenv, gtest, fetchFromGitHub, cmake, boost, eigen, python3, vtk_8, zlib, tbb }:
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, python3
+, boost
+, eigen
+, libGLU
+, fltk
+, itk
+, vtk
+, zlib
+, tbb
+}:
 
 stdenv.mkDerivation rec {
-  version = "2.0.0";
   pname = "mirtk";
+  version = "unstable-2022-07-22";
 
   src = fetchFromGitHub {
     owner = "BioMedIA";
     repo = "MIRTK";
-    rev = "v${version}";
-    sha256 = "0i2v97m66ir5myvi5b123r7zcagwy551b73s984gk7lksl5yiqxk";
+    rev = "973ce2fe3f9508dec68892dbf97cca39067aa3d6";
+    hash = "sha256-vKgkDrbyGOcbaYlxys1duC8ZNG0Y2nqh3TtSQ06Ox0Q=";
     fetchSubmodules = true;
   };
 
@@ -16,23 +29,36 @@ stdenv.mkDerivation rec {
     "-DWITH_VTK=ON"
     "-DBUILD_ALL_MODULES=ON"
     "-DWITH_TBB=ON"
+    "-DWITH_ITK=ON"
+    "-DWITH_GIFTICLIB=ON"
+    "-DWITH_NIFTILIB=ON"
   ];
 
-  doCheck = true;
-
-  checkPhase = ''
-    ctest -E '(Polynomial|ConvolutionFunction|Downsampling|EdgeTable|InterpolateExtrapolateImage)'
+  # tries to download data during configuration
+  postPatch = ''
+    substituteInPlace Packages/DrawEM/CMakeLists.txt --replace "include(Atlases.cmake)" ""
   '';
-  # testPolynomial - segfaults for some reason
-  # testConvolutionFunction, testDownsampling - main not called correctly
-  # testEdgeTable, testInterpolateExtrapolateImageFunction - setup fails
+
+  # tests don't seem to be maintained and gtest fails to link with BUILD_TESTING=ON;
+  # unclear if specific to Nixpkgs
+  doCheck = false;
 
   postInstall = ''
     install -Dm644 -t "$out/share/bash-completion/completions/mirtk" share/completion/bash/mirtk
   '';
 
-  nativeBuildInputs = [ cmake gtest ];
-  buildInputs = [ boost eigen python3 vtk_8 zlib tbb ];
+  nativeBuildInputs = [ cmake ];
+  buildInputs = [
+    boost
+    eigen
+    fltk
+    itk
+    libGLU.dev
+    python3
+    tbb
+    vtk
+    zlib
+  ];
 
   meta = with lib; {
     homepage = "https://github.com/BioMedIA/MIRTK";

pkgs/development/libraries/smesh/default.nix

@@ -1,35 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, fetchpatch, cmake, ninja, opencascade
-, Cocoa }:
-
-stdenv.mkDerivation rec {
-  pname = "smesh";
-  version = "6.7.6";
-
-  src = fetchFromGitHub {
-    owner = "tpaviot";
-    repo = "smesh";
-    rev = version;
-    sha256 = "1b07j3bw3lnxk8dk3x1kkl2mbsmfwi98si84054038lflaaijzi0";
-  };
-
-  patches = [
-    (fetchpatch {
-      name = "fix-build-with-clang.patch";
-      url = "https://github.com/tpaviot/smesh/commit/e32c430f526f1637ec5973c9723acbc5be571ae3.patch";
-      sha256 = "0s4j5rb70g3jvvkgfbrxv7q52wk6yjyjiaya61gy2j64khplcjlb";
-    })
-  ];
-
-  nativeBuildInputs = [ cmake ninja ];
-  buildInputs = [ opencascade ] ++ lib.optionals stdenv.isDarwin [ Cocoa ];
-
-  env.NIX_CFLAGS_COMPILE = toString [ "-std=c++11" ];
-
-  meta = with lib; {
-    description = "Extension to OCE providing advanced meshing features";
-    homepage = "https://github.com/tpaviot/smesh";
-    license = licenses.lgpl21;
-    platforms = platforms.unix;
-    maintainers = with maintainers; [ gebner ];
-  };
-}

pkgs/development/libraries/sundials/default.nix

@@ -12,13 +12,13 @@
 
 stdenv.mkDerivation rec {
   pname = "sundials";
-  version = "6.6.1";
+  version = "6.6.0";
 
   outputs = [ "out" "examples" ];
 
   src = fetchurl {
     url = "https://github.com/LLNL/sundials/releases/download/v${version}/sundials-${version}.tar.gz";
-    hash = "sha256-UWKw5tGdexQHiiFEHgeVzzjR2IOXO+NZAeAY+bswxUM=";
+    hash = "sha256-+QApuNqEbI+v9VMP0fpIRweRiNBAVU9VwdXR4EdD0p0=";
   };
 
   nativeBuildInputs = [

pkgs/development/libraries/vtk/8.x.nix

@@ -1,18 +0,0 @@
-import ./generic.nix {
-  majorVersion = "8.2";
-  minorVersion = "0";
-  sourceSha256 = "1fspgp8k0myr6p2a6wkc21ldcswb4bvmb484m12mxgk1a9vxrhrl";
-  patchesToFetch = [{
-   url = "https://gitlab.kitware.com/vtk/vtk/-/commit/257b9d7b18d5f3db3fe099dc18f230e23f7dfbab.diff";
-   sha256 = "0qdahp4f4gcaznr28j06d5fyxiis774ys0p335aazf7h51zb8rzy";
-  }
-  {
-    url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/sci-libs/vtk/files/vtk-8.2.0-gcc-10.patch?id=c4256f68d3589570443075eccbbafacf661f785f";
-    sha256 = "sha256:0bpwrdfmi15grsg4jy7bzj2z6511a0c160cmw5lsi65aabyh7cl5";
-  }
-  {
-    url = "https://gitlab.kitware.com/vtk/vtk/-/merge_requests/6943.diff";
-    sha256 = "sha256:1nzdw3f6bsri04y528zj2klqkb9p8s4lnl9g5zvm119m1cmyhn04";
-  }
-  ];
-}

pkgs/development/libraries/zookeeper_mt/default.nix

@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "mirror://apache/zookeeper/${zookeeper.pname}-${version}/apache-${zookeeper.pname}-${version}.tar.gz";
-    sha512 = "sha512-ttYbATvfe+uRYhQWfeG1WGXl5GOztcrITfl/4EQierAzSaDvTmVxSb582hYQOdBpxw2QrVbIdnTm3/Xt4ifecg==";
+    hash = "sha512-ttYbATvfe+uRYhQWfeG1WGXl5GOztcrITfl/4EQierAzSaDvTmVxSb582hYQOdBpxw2QrVbIdnTm3/Xt4ifecg==";
   };
 
   sourceRoot = "apache-${zookeeper.pname}-${version}/zookeeper-client/zookeeper-client-c";