Merge master into haskell-updates

nixos/doc/manual/default.nix

@@ -21,6 +21,8 @@ let
     withManOptDedupPatch = true;
   };
 
+  manpageUrls = pkgs.path + "/doc/manpage-urls.json";
+
   # We need to strip references to /nix/store/* from options,
   # including any `extraSources` if some modules came from elsewhere,
   # or else the build will fail.
@@ -72,7 +74,7 @@ let
     nativeBuildInputs = [ pkgs.nixos-render-docs ];
   } ''
     nixos-render-docs manual docbook \
-      --manpage-urls ${pkgs.path + "/doc/manpage-urls.json"} \
+      --manpage-urls ${manpageUrls} \
       "$out" \
       --section \
         --section-id modules \
@@ -255,9 +257,12 @@ in rec {
   manpages = runCommand "nixos-manpages"
     { inherit sources;
       nativeBuildInputs = [
+        buildPackages.installShellFiles
+      ] ++ lib.optionals allowDocBook [
         buildPackages.libxml2.bin
         buildPackages.libxslt.bin
-        buildPackages.installShellFiles
+      ] ++ lib.optionals (! allowDocBook) [
+        buildPackages.nixos-render-docs
       ];
       allowedReferences = ["out"];
     }
@@ -265,14 +270,24 @@ in rec {
       # Generate manpages.
       mkdir -p $out/share/man/man8
       installManPage ${./manpages}/*
-      xsltproc --nonet \
-        --maxdepth 6000 \
-        --param man.output.in.separate.dir 1 \
-        --param man.output.base.dir "'$out/share/man/'" \
-        --param man.endnotes.are.numbered 0 \
-        --param man.break.after.slash 1 \
-        ${docbook_xsl_ns}/xml/xsl/docbook/manpages/docbook.xsl \
-        ${manual-combined}/man-pages-combined.xml
+      ${if allowDocBook
+        then ''
+          xsltproc --nonet \
+            --maxdepth 6000 \
+            --param man.output.in.separate.dir 1 \
+            --param man.output.base.dir "'$out/share/man/'" \
+            --param man.endnotes.are.numbered 0 \
+            --param man.break.after.slash 1 \
+            ${docbook_xsl_ns}/xml/xsl/docbook/manpages/docbook.xsl \
+            ${manual-combined}/man-pages-combined.xml
+        ''
+        else ''
+          mkdir -p $out/share/man/man5
+          nixos-render-docs options manpage \
+            --revision ${lib.escapeShellArg revision} \
+            ${optionsJSON}/share/doc/nixos/options.json \
+            $out/share/man/man5/configuration.nix.5
+        ''}
     '';
 
 }

nixos/doc/manual/from_md/release-notes/rl-2305.section.xml

@@ -922,6 +922,52 @@
           as general purpose ephemeral block devices has been removed.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          As Singularity has renamed to
+          <link xlink:href="https://apptainer.org/news/community-announcement-20211130">Apptainer</link>
+          to distinguish from
+          <link xlink:href="https://sylabs.io/2021/05/singularity-community-edition">an
+          un-renamed fork by Sylabs Inc.</link>, there are now two
+          packages of Singularity/Apptainer:
+        </para>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              <literal>apptainer</literal>: From
+              <literal>github.com/apptainer/apptainer</literal>, which
+              is the new repo after renaming.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>singularity</literal>: From
+              <literal>github.com/sylabs/singularity</literal>, which is
+              the fork by Sylabs Inc..
+            </para>
+          </listitem>
+        </itemizedlist>
+        <para>
+          <literal>programs.singularity</literal> got a new
+          <literal>package</literal> option to specify which package to
+          use.
+        </para>
+        <para>
+          <literal>singularity-tools.buildImage</literal> got a new
+          input argument <literal>singularity</literal> to specify which
+          package to use.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The new option
+          <literal>programs.singularity.enableFakeroot</literal>, if set
+          to <literal>true</literal>, provides
+          <literal>--fakeroot</literal> support for
+          <literal>apptainer</literal> and
+          <literal>singularity</literal>.
+        </para>
+      </listitem>
       <listitem>
         <para>
           The <literal>unifi-poller</literal> package and corresponding

nixos/doc/manual/release-notes/rl-2305.section.md

@@ -225,6 +225,18 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The `zramSwap` is now implemented with `zram-generator`, and the option `zramSwap.numDevices` for using ZRAM devices as general purpose ephemeral block devices has been removed.
 
+- As Singularity has renamed to [Apptainer](https://apptainer.org/news/community-announcement-20211130)
+  to distinguish from [an un-renamed fork by Sylabs Inc.](https://sylabs.io/2021/05/singularity-community-edition),
+  there are now two packages of Singularity/Apptainer:
+  * `apptainer`: From `github.com/apptainer/apptainer`, which is the new repo after renaming.
+  * `singularity`: From `github.com/sylabs/singularity`, which is the fork by Sylabs Inc..
+
+  `programs.singularity` got a new `package` option to specify which package to use.
+
+  `singularity-tools.buildImage` got a new input argument `singularity` to specify which package to use.
+
+- The new option `programs.singularity.enableFakeroot`, if set to `true`, provides `--fakeroot` support for `apptainer` and `singularity`.
+
 - The `unifi-poller` package and corresponding NixOS module have been renamed to `unpoller` to match upstream.
 
 - The new option `services.tailscale.useRoutingFeatures` controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to `server`, otherwise if you wish to use an exit node you can set this setting to `client`. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting.

nixos/lib/make-options-doc/default.nix

@@ -78,7 +78,7 @@ let
           title = args.title or null;
           name = args.name or (lib.concatStringsSep "." args.path);
         in ''
-          - [`${lib.optionalString (title != null) "${title} aka "}pkgs.${name}`](
+          - [${lib.optionalString (title != null) "${title} aka "}`pkgs.${name}`](
               https://search.nixos.org/packages?show=${name}&sort=relevance&query=${name}
             )${
               lib.optionalString (args ? comment) "\n\n  ${args.comment}"

nixos/modules/config/stevenblack.nix

@@ -15,7 +15,7 @@ let
 in
 {
   options.networking.stevenblack = {
-    enable = mkEnableOption (mdDoc "Enable the stevenblack hosts file blocklist.");
+    enable = mkEnableOption (mdDoc "Enable the stevenblack hosts file blocklist");
 
     block = mkOption {
       type = types.listOf (types.enum [ "fakenews" "gambling" "porn" "social" ]);

nixos/modules/programs/k3b.nix

@@ -28,7 +28,7 @@ with lib;
       k3b
       dvdplusrwtools
       cdrdao
-      cdrkit
+      cdrtools
     ];
 
     security.wrappers = {
@@ -44,7 +44,7 @@ with lib;
         owner = "root";
         group = "cdrom";
         permissions = "u+wrx,g+x";
-        source = "${pkgs.cdrkit}/bin/cdrecord";
+        source = "${pkgs.cdrtools}/bin/cdrecord";
       };
     };
 

nixos/modules/programs/proxychains.nix

@@ -86,7 +86,7 @@ in {
         description = lib.mdDoc "Proxy DNS requests - no leak for DNS data.";
       };
 
-      quietMode = mkEnableOption (lib.mdDoc "Quiet mode (no output from the library).");
+      quietMode = mkEnableOption (lib.mdDoc "Quiet mode (no output from the library)");
 
       remoteDNSSubnet = mkOption {
         type = types.enum [ 10 127 224 ];

nixos/modules/programs/singularity.nix

@@ -3,32 +3,90 @@
 with lib;
 let
   cfg = config.programs.singularity;
-  singularity = pkgs.singularity.overrideAttrs (attrs : {
-    installPhase = attrs.installPhase + ''
-      mv $out/libexec/singularity/bin/starter-suid $out/libexec/singularity/bin/starter-suid.orig
-      ln -s /run/wrappers/bin/singularity-suid $out/libexec/singularity/bin/starter-suid
-    '';
-  });
-in {
+in
+{
+
   options.programs.singularity = {
-    enable = mkEnableOption (lib.mdDoc "Singularity");
+    enable = mkEnableOption (mdDoc "singularity") // {
+      description = mdDoc ''
+        Whether to install Singularity/Apptainer with system-level overriding such as SUID support.
+      '';
+    };
+    package = mkOption {
+      type = types.package;
+      default = pkgs.singularity;
+      defaultText = literalExpression "pkgs.singularity";
+      example = literalExpression "pkgs.apptainer";
+      description = mdDoc ''
+        Singularity/Apptainer package to override and install.
+      '';
+    };
+    packageOverriden = mkOption {
+      type = types.nullOr types.package;
+      default = null;
+      description = mdDoc ''
+        This option provides access to the overriden result of `programs.singularity.package`.
+
+        For example, the following configuration makes all the Nixpkgs packages use the overriden `singularity`:
+        ```Nix
+        { config, lib, pkgs, ... }:
+        {
+          nixpkgs.overlays = [
+            (final: prev: {
+              _singularity-orig = prev.singularity;
+              singularity = config.programs.singularity.packageOverriden;
+            })
+          ];
+          programs.singularity.enable = true;
+          programs.singularity.package = pkgs._singularity-orig;
+        }
+        ```
+
+        Use `lib.mkForce` to forcefully specify the overriden package.
+      '';
+    };
+    enableFakeroot = mkOption {
+      type = types.bool;
+      default = true;
+      example = false;
+      description = mdDoc ''
+        Whether to enable the `--fakeroot` support of Singularity/Apptainer.
+      '';
+    };
+    enableSuid = mkOption {
+      type = types.bool;
+      default = true;
+      example = false;
+      description = mdDoc ''
+        Whether to enable the SUID support of Singularity/Apptainer.
+      '';
+    };
   };
 
   config = mkIf cfg.enable {
-      environment.systemPackages = [ singularity ];
-      security.wrappers.singularity-suid =
-      { setuid = true;
-        owner = "root";
-        group = "root";
-        source = "${singularity}/libexec/singularity/bin/starter-suid.orig";
-      };
-      systemd.tmpfiles.rules = [
-        "d /var/singularity/mnt/session 0770 root root -"
-        "d /var/singularity/mnt/final 0770 root root -"
-        "d /var/singularity/mnt/overlay 0770 root root -"
-        "d /var/singularity/mnt/container 0770 root root -"
-        "d /var/singularity/mnt/source 0770 root root -"
-      ];
+    programs.singularity.packageOverriden = (cfg.package.override (
+      optionalAttrs cfg.enableFakeroot {
+        newuidmapPath = "/run/wrappers/bin/newuidmap";
+        newgidmapPath = "/run/wrappers/bin/newgidmap";
+      } // optionalAttrs cfg.enableSuid {
+        enableSuid = true;
+        starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid";
+      }
+    ));
+    environment.systemPackages = [ cfg.packageOverriden ];
+    security.wrappers."${cfg.packageOverriden.projectName}-suid" = mkIf cfg.enableSuid {
+      setuid = true;
+      owner = "root";
+      group = "root";
+      source = "${cfg.packageOverriden}/libexec/${cfg.packageOverriden.projectName}/bin/starter-suid.orig";
+    };
+    systemd.tmpfiles.rules = [
+      "d /var/lib/${cfg.packageOverriden.projectName}/mnt/session 0770 root root -"
+      "d /var/lib/${cfg.packageOverriden.projectName}/mnt/final 0770 root root -"
+      "d /var/lib/${cfg.packageOverriden.projectName}/mnt/overlay 0770 root root -"
+      "d /var/lib/${cfg.packageOverriden.projectName}/mnt/container 0770 root root -"
+      "d /var/lib/${cfg.packageOverriden.projectName}/mnt/source 0770 root root -"
+    ];
   };
 
 }

nixos/modules/security/polkit.nix

@@ -14,7 +14,7 @@ in
 
     security.polkit.enable = mkEnableOption (lib.mdDoc "polkit");
 
-    security.polkit.debug = mkEnableOption (lib.mdDoc "debug logs from polkit. This is required in order to see log messages from rule definitions.");
+    security.polkit.debug = mkEnableOption (lib.mdDoc "debug logs from polkit. This is required in order to see log messages from rule definitions");
 
     security.polkit.extraConfig = mkOption {
       type = types.lines;

nixos/modules/services/backup/zfs-replication.nix

@@ -9,7 +9,7 @@ let
 in {
   options = {
     services.zfs.autoReplication = {
-      enable = mkEnableOption (lib.mdDoc "ZFS snapshot replication.");
+      enable = mkEnableOption (lib.mdDoc "ZFS snapshot replication");
 
       followDelete = mkOption {
         description = lib.mdDoc "Remove remote snapshots that don't have a local correspondent.";

nixos/modules/services/cluster/kubernetes/addon-manager.nix

@@ -62,7 +62,7 @@ in
       '';
     };
 
-    enable = mkEnableOption (lib.mdDoc "Kubernetes addon manager.");
+    enable = mkEnableOption (lib.mdDoc "Kubernetes addon manager");
   };
 
   ###### implementation

nixos/modules/services/cluster/kubernetes/kubelet.nix

@@ -146,7 +146,7 @@ in
       default = "unix:///run/containerd/containerd.sock";
     };
 
-    enable = mkEnableOption (lib.mdDoc "Kubernetes kubelet.");
+    enable = mkEnableOption (lib.mdDoc "Kubernetes kubelet");
 
     extraOpts = mkOption {
       description = lib.mdDoc "Kubernetes kubelet extra command line options.";

nixos/modules/services/desktops/gnome/evolution-data-server.nix

@@ -27,7 +27,7 @@ with lib;
   options = {
 
     services.gnome.evolution-data-server = {
-      enable = mkEnableOption (lib.mdDoc "Evolution Data Server, a collection of services for storing addressbooks and calendars.");
+      enable = mkEnableOption (lib.mdDoc "Evolution Data Server, a collection of services for storing addressbooks and calendars");
       plugins = mkOption {
         type = types.listOf types.package;
         default = [ ];
@@ -35,7 +35,7 @@ with lib;
       };
     };
     programs.evolution = {
-      enable = mkEnableOption (lib.mdDoc "Evolution, a Personal information management application that provides integrated mail, calendaring and address book functionality.");
+      enable = mkEnableOption (lib.mdDoc "Evolution, a Personal information management application that provides integrated mail, calendaring and address book functionality");
       plugins = mkOption {
         type = types.listOf types.package;
         default = [ ];

nixos/modules/services/development/zammad.nix

@@ -28,7 +28,7 @@ in
 
   options = {
     services.zammad = {
-      enable = mkEnableOption (lib.mdDoc "Zammad, a web-based, open source user support/ticketing solution.");
+      enable = mkEnableOption (lib.mdDoc "Zammad, a web-based, open source user support/ticketing solution");
 
       package = mkOption {
         type = types.package;

nixos/modules/services/games/freeciv.nix

@@ -54,7 +54,7 @@ in
             default = 0;
             description = lib.mdDoc "Set debug log level.";
           };
-          options.exit-on-end = mkEnableOption (lib.mdDoc "exit instead of restarting when a game ends.");
+          options.exit-on-end = mkEnableOption (lib.mdDoc "exit instead of restarting when a game ends");
           options.Guests = mkEnableOption (lib.mdDoc "guests to login if auth is enabled");
           options.Newusers = mkEnableOption (lib.mdDoc "new users to login if auth is enabled");
           options.port = mkOption {

nixos/modules/services/hardware/udisks2.nix

@@ -19,7 +19,7 @@ in
 
     services.udisks2 = {
 
-      enable = mkEnableOption (lib.mdDoc "udisks2, a DBus service that allows applications to query and manipulate storage devices.");
+      enable = mkEnableOption (lib.mdDoc "udisks2, a DBus service that allows applications to query and manipulate storage devices");
 
       settings = mkOption rec {
         type = types.attrsOf settingsFormat.type;

nixos/modules/services/mail/dovecot.nix

@@ -171,11 +171,11 @@ in
   options.services.dovecot2 = {
     enable = mkEnableOption (lib.mdDoc "the dovecot 2.x POP3/IMAP server");
 
-    enablePop3 = mkEnableOption (lib.mdDoc "starting the POP3 listener (when Dovecot is enabled).");
+    enablePop3 = mkEnableOption (lib.mdDoc "starting the POP3 listener (when Dovecot is enabled)");
 
-    enableImap = mkEnableOption (lib.mdDoc "starting the IMAP listener (when Dovecot is enabled).") // { default = true; };
+    enableImap = mkEnableOption (lib.mdDoc "starting the IMAP listener (when Dovecot is enabled)") // { default = true; };
 
-    enableLmtp = mkEnableOption (lib.mdDoc "starting the LMTP listener (when Dovecot is enabled).");
+    enableLmtp = mkEnableOption (lib.mdDoc "starting the LMTP listener (when Dovecot is enabled)");
 
     protocols = mkOption {
       type = types.listOf types.str;
@@ -300,9 +300,9 @@ in
       description = lib.mdDoc "Path to the server's private key.";
     };
 
-    enablePAM = mkEnableOption (lib.mdDoc "creating a own Dovecot PAM service and configure PAM user logins.") // { default = true; };
+    enablePAM = mkEnableOption (lib.mdDoc "creating a own Dovecot PAM service and configure PAM user logins") // { default = true; };
 
-    enableDHE = mkEnableOption (lib.mdDoc "enable ssl_dh and generation of primes for the key exchange.") // { default = true; };
+    enableDHE = mkEnableOption (lib.mdDoc "enable ssl_dh and generation of primes for the key exchange") // { default = true; };
 
     sieveScripts = mkOption {
       type = types.attrsOf types.path;
@@ -310,7 +310,7 @@ in
       description = lib.mdDoc "Sieve scripts to be executed. Key is a sequence, e.g. 'before2', 'after' etc.";
     };
 
-    showPAMFailure = mkEnableOption (lib.mdDoc "showing the PAM failure message on authentication error (useful for OTPW).");
+    showPAMFailure = mkEnableOption (lib.mdDoc "showing the PAM failure message on authentication error (useful for OTPW)");
 
     mailboxes = mkOption {
       type = with types; coercedTo
@@ -326,7 +326,7 @@ in
       description = lib.mdDoc "Configure mailboxes and auto create or subscribe them.";
     };
 
-    enableQuota = mkEnableOption (lib.mdDoc "the dovecot quota service.");
+    enableQuota = mkEnableOption (lib.mdDoc "the dovecot quota service");
 
     quotaPort = mkOption {
       type = types.str;

nixos/modules/services/misc/atuin.nix

@@ -8,7 +8,7 @@ in
 {
   options = {
     services.atuin = {
-      enable = mkEnableOption (mdDoc "Enable server for shell history sync with atuin.");
+      enable = mkEnableOption (mdDoc "Enable server for shell history sync with atuin");
 
       openRegistration = mkOption {
         type = types.bool;

nixos/modules/services/misc/input-remapper.nix

@@ -6,7 +6,7 @@ let cfg = config.services.input-remapper; in
 {
   options = {
     services.input-remapper = {
-      enable = mkEnableOption (lib.mdDoc "input-remapper, an easy to use tool to change the mapping of your input device buttons.");
+      enable = mkEnableOption (lib.mdDoc "input-remapper, an easy to use tool to change the mapping of your input device buttons");
       package = mkPackageOptionMD pkgs "input-remapper" { };
       enableUdevRules = mkEnableOption (lib.mdDoc "udev rules added by input-remapper to handle hotplugged devices. Currently disabled by default due to https://github.com/sezanzeb/input-remapper/issues/140");
       serviceWantedBy = mkOption {

nixos/modules/services/misc/sourcehut/default.nix

@@ -438,7 +438,7 @@ in
         };
 
         options."lists.sr.ht" = commonServiceSettings "lists" // {
-          allow-new-lists = mkEnableOption (lib.mdDoc "Allow creation of new lists.");
+          allow-new-lists = mkEnableOption (lib.mdDoc "Allow creation of new lists");
           notify-from = mkOption {
             description = lib.mdDoc "Outgoing email for notifications generated by users.";
             type = types.str;

nixos/modules/services/monitoring/mackerel-agent.nix

@@ -11,7 +11,7 @@ in {
 
     # the upstream package runs as root, but doesn't seem to be strictly
     # necessary for basic functionality
-    runAsRoot = mkEnableOption (lib.mdDoc "Whether to run as root.");
+    runAsRoot = mkEnableOption (lib.mdDoc "Whether to run as root");
 
     autoRetirement = mkEnableOption (lib.mdDoc ''
       Whether to automatically retire the host upon OS shutdown.

nixos/modules/services/monitoring/prometheus/exporters/unpoller.nix

@@ -24,9 +24,9 @@ in {
     inherit (options.services.unpoller.unifi) controllers;
     inherit (options.services.unpoller) loki;
     log = {
-      debug = mkEnableOption (lib.mdDoc "debug logging including line numbers, high resolution timestamps, per-device logs.");
-      quiet = mkEnableOption (lib.mdDoc "startup and error logs only.");
-      prometheusErrors = mkEnableOption (lib.mdDoc "emitting errors to prometheus.");
+      debug = mkEnableOption (lib.mdDoc "debug logging including line numbers, high resolution timestamps, per-device logs");
+      quiet = mkEnableOption (lib.mdDoc "startup and error logs only");
+      prometheusErrors = mkEnableOption (lib.mdDoc "emitting errors to prometheus");
     };
   };
 

nixos/modules/services/monitoring/uptime-kuma.nix

@@ -11,7 +11,7 @@ in
 
   options = {
     services.uptime-kuma = {
-      enable = mkEnableOption (mdDoc "Uptime Kuma, this assumes a reverse proxy to be set.");
+      enable = mkEnableOption (mdDoc "Uptime Kuma, this assumes a reverse proxy to be set");
 
       package = mkOption {
         type = types.package;
@@ -20,7 +20,7 @@ in
         description = lib.mdDoc "Uptime Kuma package to use.";
       };
 
-      appriseSupport = mkEnableOption (mdDoc "apprise support for notifications.");
+      appriseSupport = mkEnableOption (mdDoc "apprise support for notifications");
 
       settings = lib.mkOption {
         type = lib.types.submodule { freeformType = with lib.types; attrsOf str; };

nixos/modules/services/network-filesystems/moosefs.nix

@@ -85,7 +85,7 @@ in {
         description = lib.mdDoc "Run daemons as user moosefs instead of root.";
       };
 
-      client.enable = mkEnableOption (lib.mdDoc "Moosefs client.");
+      client.enable = mkEnableOption (lib.mdDoc "Moosefs client");
 
       master = {
         enable = mkOption {
@@ -131,7 +131,7 @@ in {
       };
 
       metalogger = {
-        enable = mkEnableOption (lib.mdDoc "Moosefs metalogger daemon.");
+        enable = mkEnableOption (lib.mdDoc "Moosefs metalogger daemon");
 
         settings = mkOption {
           type = types.submodule {
@@ -149,7 +149,7 @@ in {
       };
 
       chunkserver = {
-        enable = mkEnableOption (lib.mdDoc "Moosefs chunkserver daemon.");
+        enable = mkEnableOption (lib.mdDoc "Moosefs chunkserver daemon");
 
         openFirewall = mkOption {
           type = types.bool;

nixos/modules/services/networking/blockbook-frontend.nix

@@ -10,7 +10,7 @@ let
 
     options = {
 
-      enable = mkEnableOption (lib.mdDoc "blockbook-frontend application.");
+      enable = mkEnableOption (lib.mdDoc "blockbook-frontend application");
 
       package = mkOption {
         type = types.package;

nixos/modules/services/security/kanidm.nix

@@ -55,7 +55,7 @@ in
   options.services.kanidm = {
     enableClient = lib.mkEnableOption (lib.mdDoc "the Kanidm client");
     enableServer = lib.mkEnableOption (lib.mdDoc "the Kanidm server");
-    enablePam = lib.mkEnableOption (lib.mdDoc "the Kanidm PAM and NSS integration.");
+    enablePam = lib.mkEnableOption (lib.mdDoc "the Kanidm PAM and NSS integration");
 
     serverSettings = lib.mkOption {
       type = lib.types.submodule {

nixos/modules/services/web-apps/cloudlog.nix

@@ -68,7 +68,7 @@ let
 in
 {
   options.services.cloudlog = with types; {
-    enable = mkEnableOption (mdDoc "Whether to enable Cloudlog.");
+    enable = mkEnableOption (mdDoc "Whether to enable Cloudlog");
     dataDir = mkOption {
       type = str;
       default = "/var/lib/cloudlog";

nixos/modules/services/web-apps/dokuwiki.nix

@@ -148,7 +148,7 @@ let
       ];
 
       options = {
-        enable = mkEnableOption (lib.mdDoc "DokuWiki web application.");
+        enable = mkEnableOption (lib.mdDoc "DokuWiki web application");
 
         package = mkOption {
           type = types.package;

nixos/modules/services/web-apps/galene.nix

@@ -12,7 +12,7 @@ in
 {
   options = {
     services.galene = {
-      enable = mkEnableOption (lib.mdDoc "Galene Service.");
+      enable = mkEnableOption (lib.mdDoc "Galene Service");
 
       stateDir = mkOption {
         default = defaultstateDir;

nixos/modules/services/web-apps/hledger-web.nix

@@ -7,7 +7,7 @@ in {
 
     enable = mkEnableOption (lib.mdDoc "hledger-web service");
 
-    serveApi = mkEnableOption (lib.mdDoc "Serve only the JSON web API, without the web UI.");
+    serveApi = mkEnableOption (lib.mdDoc "Serve only the JSON web API, without the web UI");
 
     host = mkOption {
       type = types.str;

nixos/modules/services/web-apps/jirafeau.nix

@@ -36,7 +36,7 @@ in
       description = lib.mdDoc "Location of Jirafeau storage directory.";
     };
 
-    enable = mkEnableOption (lib.mdDoc "Jirafeau file upload application.");
+    enable = mkEnableOption (lib.mdDoc "Jirafeau file upload application");
 
     extraConfig = mkOption {
       type = types.lines;

nixos/modules/services/web-apps/limesurvey.nix

@@ -32,7 +32,7 @@ in
   # interface
 
   options.services.limesurvey = {
-    enable = mkEnableOption (lib.mdDoc "Limesurvey web application.");
+    enable = mkEnableOption (lib.mdDoc "Limesurvey web application");
 
     database = {
       type = mkOption {

nixos/modules/services/x11/desktop-managers/plasma5.nix

@@ -448,6 +448,7 @@ in
             dolphin-plugins
             ffmpegthumbs
             kdegraphics-thumbnailers
+            pkgs.kio-admin
             kio-extras
           ];
           optionalPackages = [

nixos/modules/services/x11/extra-layouts.nix

@@ -106,9 +106,9 @@ in
       description = lib.mdDoc ''
         Extra custom layouts that will be included in the xkb configuration.
         Information on how to create a new layout can be found here:
-        [](https://www.x.org/releases/current/doc/xorg-docs/input/XKB-Enhancing.html#Defining_New_Layouts).
+        <https://www.x.org/releases/current/doc/xorg-docs/input/XKB-Enhancing.html#Defining_New_Layouts>.
         For more examples see
-        [](https://wiki.archlinux.org/index.php/X_KeyBoard_extension#Basic_examples)
+        <https://wiki.archlinux.org/index.php/X_KeyBoard_extension#Basic_examples>
       '';
     };
 

nixos/modules/system/boot/kernel.nix

@@ -20,7 +20,7 @@ in
   ###### interface
 
   options = {
-    boot.kernel.enable = mkEnableOption (lib.mdDoc "the Linux kernel. This is useful for systemd-like containers which do not require a kernel.") // {
+    boot.kernel.enable = mkEnableOption (lib.mdDoc "the Linux kernel. This is useful for systemd-like containers which do not require a kernel") // {
       default = true;
     };
 

nixos/modules/system/boot/luksroot.nix

@@ -929,7 +929,14 @@ in
       ++ (if builtins.elem "xts" luks.cryptoModules then ["ecb"] else []);
 
     # copy the cryptsetup binary and it's dependencies
-    boot.initrd.extraUtilsCommands = mkIf (!config.boot.initrd.systemd.enable) ''
+    boot.initrd.extraUtilsCommands = let
+      pbkdf2-sha512 = pkgs.runCommandCC "pbkdf2-sha512" { buildInputs = [ pkgs.openssl ]; } ''
+        mkdir -p "$out/bin"
+        cc -O3 -lcrypto ${./pbkdf2-sha512.c} -o "$out/bin/pbkdf2-sha512"
+        strip -s "$out/bin/pbkdf2-sha512"
+      '';
+    in
+    mkIf (!config.boot.initrd.systemd.enable) ''
       copy_bin_and_libs ${pkgs.cryptsetup}/bin/cryptsetup
       copy_bin_and_libs ${askPass}/bin/cryptsetup-askpass
       sed -i s,/bin/sh,$out/bin/sh, $out/bin/cryptsetup-askpass
@@ -939,9 +946,7 @@ in
         copy_bin_and_libs ${pkgs.yubikey-personalization}/bin/ykinfo
         copy_bin_and_libs ${pkgs.openssl.bin}/bin/openssl
 
-        cc -O3 -I${pkgs.openssl.dev}/include -L${lib.getLib pkgs.openssl}/lib ${./pbkdf2-sha512.c} -o pbkdf2-sha512 -lcrypto
-        strip -s pbkdf2-sha512
-        copy_bin_and_libs pbkdf2-sha512
+        copy_bin_and_libs ${pbkdf2-sha512}/bin/pbkdf2-sha512
 
         mkdir -p $out/etc/ssl
         cp -pdv ${pkgs.openssl.out}/etc/ssl/openssl.cnf $out/etc/ssl

nixos/modules/tasks/filesystems/envfs.nix

@@ -7,11 +7,11 @@ let
       device = "none";
       fsType = "envfs";
       options = [
-        "fallback-path=${pkgs.runCommand "fallback-path" {} ''
+        "fallback-path=${pkgs.runCommand "fallback-path" {} (''
           mkdir -p $out
-          ln -s ${pkgs.coreutils}/bin/env $out/env
-          ln -s ${config.system.build.binsh}/bin/sh $out/sh
-        ''}"
+          ln -s ${config.environment.usrbinenv} $out/env
+          ln -s ${config.environment.binsh} $out/sh
+        '' + cfg.extraFallbackPathCommands)}"
       ];
     };
     "/bin" = {
@@ -31,11 +31,19 @@ in {
           etc.
         '';
       };
+
       package = lib.mkOption {
         type = lib.types.package;
-        description = lib.mdDoc "Which package to use for the envfs.";
         default = pkgs.envfs;
         defaultText = lib.literalExpression "pkgs.envfs";
+        description = lib.mdDoc "Which package to use for the envfs.";
+      };
+
+      extraFallbackPathCommands = lib.mkOption {
+        type = lib.types.lines;
+        default = "";
+        example = "ln -s $''{pkgs.bash}/bin/bash $out/bash";
+        description = lib.mdDoc "Extra commands to run in the package that contains fallback executables in case not other executable is found";
       };
     };
   };

pkgs/applications/audio/callaudiod/default.nix

@@ -11,14 +11,14 @@
 
 stdenv.mkDerivation rec {
   pname = "callaudiod";
-  version = "0.1.4";
+  version = "0.1.7";
 
   src = fetchFromGitLab {
     domain = "gitlab.com";
     owner = "mobian1";
     repo = pname;
     rev = version;
-    sha256 = "sha256-71+9ALz55aqxXRBRwOcs9fwiQK31pJ9E72pGRmt0OkE=";
+    sha256 = "sha256-BDEu3ASlnovMK0lQC+CQvpXvtdt33BRntstPAWaAnsg=";
   };
 
   strictDeps = true;

pkgs/applications/audio/snapcast/default.nix

@@ -9,13 +9,13 @@ assert pulseaudioSupport -> libpulseaudio != null;
 
 stdenv.mkDerivation rec {
   pname = "snapcast";
-  version = "0.26.0";
+  version = "0.27.0";
 
   src = fetchFromGitHub {
     owner  = "badaix";
     repo   = "snapcast";
     rev    = "v${version}";
-    sha256 = "sha256-CCifn9OEFM//Hk1PJj8T3MXIV8pXCTdBBXPsHuZwLyQ=";
+    sha256 = "sha256-dlK1xQQqst4VQjioC7MZzqXwMC+JfqtvnD5lrOqGhYI=";
   };
 
   nativeBuildInputs = [ cmake pkg-config ];

pkgs/applications/blockchains/erigon/default.nix

@@ -2,7 +2,7 @@
 
 let
   pname = "erigon";
-  version = "2.37.0";
+  version = "2.38.1";
 in
 buildGoModule {
   inherit pname version;
@@ -11,11 +11,11 @@ buildGoModule {
     owner = "ledgerwatch";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-r/mumt/f0wrOsXyEHo/NX0lJGt8zqXEVNC+9DWDkHAM=";
+    sha256 = "sha256-sLJMmSEUQNsodZ9Ms0ipDwN2QOYa9pZTlEqt4CF23Sc=";
     fetchSubmodules = true;
   };
 
-  vendorSha256 = "sha256-vSJZ1wIx1CiLE04ZBDnQDQqM2v8BBLxw5qbAsixC3/U=";
+  vendorSha256 = "sha256-KESY+PSbWQHPJphop4GnVF4T8Q/MPb2GFDEko0ieXEM=";
   proxyVendor = true;
 
   # Build errors in mdbx when format hardening is enabled:

pkgs/applications/blockchains/torq/default.nix

@@ -1,9 +1,10 @@
 { lib
 , buildGoModule
+, buildNpmPackage
 , fetchFromGitHub
 }:
 
-buildGoModule rec {
+let
   pname = "torq";
   version = "0.17.3";
 
@@ -14,6 +15,27 @@ buildGoModule rec {
     hash = "sha256-fqHJZi1NQCrZqsa+N+FVYZ8s9o0D555Sqn5qNlJ1MmI=";
   };
 
+  web = buildNpmPackage {
+    pname = "${pname}-frontend";
+    inherit version;
+    src = "${src}/web";
+    npmDepsHash = "sha256-8mUfTFzPjQlQvhC3zZf+WruDBkYnmGt3yckNi0CPWs0=";
+
+    # copied from upstream Dockerfile
+    npmInstallFlags = [ "--legacy-peer-deps" ];
+    TSX_COMPILE_ON_ERROR="true";
+    ESLINT_NO_DEV_ERRORS="true";
+
+    # override npmInstallHook, we only care about the build/ directory
+    installPhase = ''
+      mkdir $out
+      cp -r build $out/
+    '';
+  };
+in
+buildGoModule rec {
+  inherit pname version src;
+
   vendorHash = "sha256-HETN2IMnpxnTyg6bQDpoD0saJu+gKocdEf0VzEi12Gs=";
 
   subPackages = [ "cmd/torq" ];
@@ -24,6 +46,10 @@ buildGoModule rec {
     "-X github.com/lncapital/torq/build.version=v${version}"
   ];
 
+  postInstall = ''
+    ln -s ${web} $out/web
+  '';
+
   meta = with lib; {
     description = "Capital management tool for lightning network nodes";
     license = licenses.mit;

pkgs/applications/editors/vscode/extensions/default.nix

@@ -2580,8 +2580,8 @@ let
         mktplcRef = {
           name = "code-spell-checker";
           publisher = "streetsidesoftware";
-          version = "2.15.0";
-          sha256 = "sha256-YfcO/01nO+92xZEJgYyLYAkqXMqfV/QDkcN9Dnjp5ZA=";
+          version = "2.16.0";
+          sha256 = "sha256-Qr4cYAEvAkvvE6KytVeInJzcMQJZqr/e/KPfelVzjUA=";
         };
         meta = with lib; {
           changelog = "https://marketplace.visualstudio.com/items/streetsidesoftware.code-spell-checker/changelog";

pkgs/applications/graphics/drawio/default.nix

@@ -11,11 +11,11 @@
 
 stdenv.mkDerivation rec {
   pname = "drawio";
-  version = "20.8.10";
+  version = "20.8.16";
 
   src = fetchurl {
     url = "https://github.com/jgraph/drawio-desktop/releases/download/v${version}/drawio-x86_64-${version}.rpm";
-    sha256 = "118e9c9a328c92aeeda3c5925c8d8ed50d0993c07715726447ee720699958626";
+    sha256 = "sha256-FBnyogqf5BHLRInjJzC2dENnAwFcWMHDvJ+F0I3ffVg=";
   };
 
   nativeBuildInputs = [

pkgs/applications/misc/1password-gui/default.nix

@@ -9,43 +9,43 @@
 let
 
   pname = "1password";
-  version = if channel == "stable" then "8.9.10" else "8.9.12-4.BETA";
+  version = if channel == "stable" then "8.9.14" else "8.10.0-20.BETA";
 
   sources = {
     stable = {
       x86_64-linux = {
         url = "https://downloads.1password.com/linux/tar/stable/x86_64/1password-${version}.x64.tar.gz";
-        sha256 = "sha256-aoa00W5zvZQeHKd2Eqyrxl5Z1PwLMHc5lkMUskLiD74=";
+        sha256 = "sha256-rlLzPDPOmzamDnRxuvgrpAW0QrMINw/PsdLxOiBpMnA=";
       };
       aarch64-linux = {
         url = "https://downloads.1password.com/linux/tar/stable/aarch64/1password-${version}.arm64.tar.gz";
-        sha256 = "sha256-Zt64UGKI3+DayS6XP7jTE+pxv52tUUZbUHiuzjcm1JI=";
+        sha256 = "sha256-hJTqFr6/KOl4C+1oyo/zrnCbqvRQin6HjyLKOppUl/M=";
       };
       x86_64-darwin = {
         url = "https://downloads.1password.com/mac/1Password-${version}-x86_64.zip";
-        sha256 = "sha256-sx9eASpMcgkIH1GRzJMqSQa5Y5GJlYU/20CZFyFK+OU=";
+        sha256 = "sha256-3/aiUj+WYZfPItYrYNQKsUSpkRTgOhyb8L5gURt1O74=";
       };
       aarch64-darwin = {
         url = "https://downloads.1password.com/mac/1Password-${version}-aarch64.zip";
-        sha256 = "sha256-Z1cEynO9iWZra542CVGmefrTNerMe13OcTAzWXNi8jI=";
+        sha256 = "sha256-n0xqD5WbcC9B6spisa5V7JJRXGZubBwzJFUS8edvz/Q=";
       };
     };
     beta = {
       x86_64-linux = {
         url = "https://downloads.1password.com/linux/tar/beta/x86_64/1password-${version}.x64.tar.gz";
-        sha256 = "sha256-/WXaLINqLFLft+wrmr+fV0kM9qS5w4etFiGltnzoVdo=";
+        sha256 = "sha256-r2MRyw0dfD3vGnCcPW624K5rSaNSCjTVW4cWFgPAIaY=";
       };
       aarch64-linux = {
         url = "https://downloads.1password.com/linux/tar/beta/aarch64/1password-${version}.arm64.tar.gz";
-        sha256 = "sha256-Zv9uHkFCZ0flBMAwQBjNhqFWhAXKyHBfZk733hbSag4=";
+        sha256 = "sha256-98sv4yLvLw8J5uQBB66qTV3lRWnyeZiifhEOW7shz8s=";
       };
       x86_64-darwin = {
         url = "https://downloads.1password.com/mac/1Password-${version}-x86_64.zip";
-        sha256 = "sha256-Vryk6nMQY+0NIgwJkZ2j3vrxyhrzxbe96jbyoNbPIR0=";
+        sha256 = "sha256-ezHk6OgUsmFfMfsY+yyWqn+6JgHSmpkFWGNCCaBv/Bo=";
       };
       aarch64-darwin = {
         url = "https://downloads.1password.com/mac/1Password-${version}-aarch64.zip";
-        sha256 = "sha256-74iOaNkuPRKUsTNNd7UTpy5ahjoMmxiNT84Op5ztRGk=";
+        sha256 = "sha256-JmCrEBucXGPpGbiKOxA8vu6bUVYsavfsYA5QY58Grnw=";
       };
     };
   };

pkgs/applications/misc/1password-gui/update.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p jq
+#shellcheck shell=bash
+
+CURRENT_HASH=""
+
+print_hash() {
+    OS="$1"
+    CHANNEL="$2"
+    ARCH="$3"
+    VERSION="$4"
+
+    if [[ "$OS" == "linux" ]]; then
+        if [[ "$ARCH" == "x86_64" ]]; then
+            EXT="x64.tar.gz"
+        else
+            EXT="arm64.tar.gz"
+        fi
+        URL="https://downloads.1password.com/${OS}/tar/${CHANNEL}/${ARCH}/1password-${VERSION}.${EXT}"
+    else
+        EXT="$ARCH.zip"
+        URL="https://downloads.1password.com/${OS}/1Password-${VERSION}-${EXT}"
+    fi
+
+    CURRENT_HASH=$(nix store prefetch-file "$URL" --json | jq -r '.hash')
+
+    echo "$CHANNEL ${ARCH}-${OS}: $CURRENT_HASH"
+}
+
+if [[ -z "$STABLE_VER" ]]; then
+    echo "No 'STABLE_VER' environment variable provided, skipping"
+else
+    print_hash "linux" "stable" "x86_64" "$STABLE_VER"
+    print_hash "linux" "stable" "aarch64" "$STABLE_VER"
+    print_hash "mac" "stable" "x86_64" "$STABLE_VER"
+    print_hash "mac" "stable" "aarch64" "$STABLE_VER"
+fi
+
+if [[ -z "$BETA_VER" ]]; then
+    echo "No 'BETA_VER' environment variable provided, skipping"
+else
+    print_hash "linux" "beta" "x86_64" "$BETA_VER"
+    print_hash "linux" "beta" "aarch64" "$BETA_VER"
+    print_hash "mac" "beta" "x86_64" "$BETA_VER"
+    print_hash "mac" "beta" "aarch64" "$BETA_VER"
+fi

pkgs/applications/misc/cubiomes-viewer/default.nix

@@ -9,13 +9,13 @@
 
 stdenv.mkDerivation rec {
   pname = "cubiomes-viewer";
-  version = "3.0.1";
+  version = "3.1.0";
 
   src = fetchFromGitHub {
     owner = "Cubitect";
     repo = pname;
     rev = version;
-    sha256 = "sha256-UPphXaxq/Hnt1U3J+lgwa0lp3vX1B/Ou8eqD9rHe3sw=";
+    sha256 = "sha256-pA+SWktSjgH7lRqK14yJX2ziLoKpxMCpEIh0H6slpxw=";
     fetchSubmodules = true;
   };
 

pkgs/applications/misc/klayout/default.nix

@@ -5,13 +5,13 @@
 
 mkDerivation rec {
   pname = "klayout";
-  version = "0.28.4";
+  version = "0.28.5";
 
   src = fetchFromGitHub {
     owner = "KLayout";
     repo = "klayout";
     rev = "v${version}";
-    hash = "sha256-6RIzgC/PA2DqO24vKu+d/+GttufUbIH+k9GZe09M0vM=";
+    hash = "sha256-fjKxQ3oVtnFwzLeeE6kN0jKE5PIfBZubTF54KO+k/DE=";
   };
 
   postPatch = ''

pkgs/applications/misc/nwg-panel/default.nix

@@ -14,13 +14,13 @@
 
 python3Packages.buildPythonApplication rec {
   pname = "nwg-panel";
-  version = "0.7.11";
+  version = "0.7.16";
 
   src = fetchFromGitHub {
     owner = "nwg-piotr";
     repo = "nwg-panel";
     rev = "refs/tags/v${version}";
-    sha256 = "sha256-Esr1OPyQCCQIOfgkl6RIn93ZaJkF0O2RM9ObIgBlPi4=";
+    sha256 = "sha256-dwnDrFQZVz6Vxa8bX0gFPBZFQwRJ3+wUy6Rsxvb2dhw=";
   };
 
   # No tests
@@ -56,6 +56,6 @@ python3Packages.buildPythonApplication rec {
     description = "GTK3-based panel for Sway window manager";
     license = licenses.mit;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ berbiche ];
+    maintainers = with maintainers; [ ];
   };
 }

pkgs/applications/misc/oxker/default.nix

@@ -2,14 +2,14 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "oxker";
-  version = "0.2.1";
+  version = "0.2.3";
 
   src = fetchCrate {
     inherit pname version;
-    sha256 = "sha256-CsfzQN7n/LsNIivJShDG02cHwPktkXl/0udBSPz0i2U=";
+    sha256 = "sha256-J+3wi1nqkxR3ZDfR+F3rvFjUz1DJ7/jhjmcvFdMzWYc=";
   };
 
-  cargoHash = "sha256-FSuhG+ZSQzwj1YB3xs3A1uFWPhwK8FIfVfUY9V/J2Z8=";
+  cargoHash = "sha256-oQPCUm/X2vt6wN5AKhtgq8tzQQrp0H42bBK7Az+I9BE=";
 
   meta = with lib; {
     description = "A simple tui to view & control docker containers";

pkgs/applications/misc/ttdl/default.nix

@@ -0,0 +1,26 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "ttdl";
+  version = "3.6.3";
+
+  src = fetchFromGitHub {
+    owner = "VladimirMarkelov";
+    repo = "ttdl";
+    rev = "v${version}";
+    sha256 = "sha256-IR0cDXQHnMDI71Vg50atS98YorqAQKc95EF1+m9cxFY=";
+  };
+
+  cargoSha256 = "sha256-658mN3R3opjvqfnIDcbh11ZSOTDbpYnhCgGGx46Mrrc=";
+
+  meta = with lib; {
+    description = "A CLI tool to manage todo lists in todo.txt format";
+    homepage = "https://github.com/VladimirMarkelov/ttdl";
+    changelog = "https://github.com/VladimirMarkelov/ttdl/blob/v${version}/changelog";
+    license = with licenses; [ mit ];
+    maintainers = with maintainers; [ _3JlOy-PYCCKUi ];
+  };
+}

pkgs/applications/misc/yubioath-flutter/default.nix

@@ -10,19 +10,19 @@
 }:
 let
   vendorHashes = {
-    x86_64-linux = "sha256-BwhWA8N0S55XkljDKPNkDhsj0QSpmJJ5MwEnrPjymS8=";
-    aarch64-linux = "sha256-T1aGz3+2Sls+rkUVDUo39Ky2igg+dxGSUaf3qpV7ovQ=";
+    x86_64-linux = "sha256-Upe0cEDG02RJD50Ht9VNMwkelsJHX8zOuJZssAhMuMY=";
+    aarch64-linux = "sha256-lKER4+gcyFqnCvgBl/qdVBCbUpocWUnXGLXsX82MSy4=";
   };
 in
 flutter.mkFlutterApp rec {
   pname = "yubioath-flutter";
-  version = "6.0.2";
+  version = "6.1.0";
 
   src = fetchFromGitHub {
     owner = "Yubico";
     repo = "yubioath-flutter";
     rev = version;
-    sha256 = "13nh5qpq02c6azfdh4cbzhlrq0hs9is45q5z5cnxg84hrx26hd4k";
+    sha256 = "sha256-N9/qwC79mG9r+zMPLHSPjNSQ+srGtnXuKsf0ijtH7CI=";
   };
 
   passthru.helper = python3.pkgs.callPackage ./helper.nix { inherit src version meta; };

pkgs/applications/networking/browsers/chromium/upstream-info.json

@@ -1,21 +1,21 @@
 {
   "stable": {
-    "version": "109.0.5414.119",
-    "sha256": "0bdyb14v12izxkldq27jx532p0bid3wdwfpd1mwm7jqswxgfzkfb",
-    "sha256bin64": "0iap6i4zmflp4fsj16knwdp03gixsdkbys0scbvvzs3fzy2r5zkx",
+    "version": "110.0.5481.77",
+    "sha256": "1kl1k29sr5qw8pg7shvizw4b37fxjlgah56p57kq641iqhnsnj73",
+    "sha256bin64": "0jjdgfps6siy9hk2r553vvh0jmkn987ad77sv2zqs9gvx0vsrwgp",
     "deps": {
       "gn": {
-        "version": "2022-11-10",
+        "version": "2022-12-12",
         "url": "https://gn.googlesource.com/gn",
-        "rev": "1c4151ff5c1d6fbf7fa800b8d4bb34d3abc03a41",
-        "sha256": "02621c9nqpr4pwcapy31x36l5kbyd0vdgd0wdaxj5p8hrxk67d6b"
+        "rev": "5e19d2fb166fbd4f6f32147fbb2f497091a54ad8",
+        "sha256": "1b5fwldfmkkbpp5x63n1dxv0nc965hphc8rm8ah7zg44zscm9z30"
       }
     },
     "chromedriver": {
-      "version": "109.0.5414.74",
-      "sha256_linux": "1mhnw4maixwfhrz3r3mhpr9bl9hn7cvr2ji6y6ai32hxa1ix9m6f",
-      "sha256_darwin": "0w46xd05m7irfxqsfnjwgd2v65c9vgnh8awaknqgh02wmdgx3nm0",
-      "sha256_darwin_aarch64": "0amb2kd4cq4clir9gqr1b1mdy46m8nwzka227xxjd2i14vwzckb0"
+      "version": "110.0.5481.30",
+      "sha256_linux": "08j28ahyahlgmy67hcm8b1vd4kilvf2yvc25746a46gdf8zz0nmw",
+      "sha256_darwin": "0xlq0fi9g15yvd6ysqcfkxpbr37av32h0f3af9vxl8vbywjfsxn4",
+      "sha256_darwin_aarch64": "03j47ha9janbawbjxy9n84sx70iisk6qr0bvb218cq5j1d5x058b"
     }
   },
   "beta": {
@@ -32,9 +32,9 @@
     }
   },
   "dev": {
-    "version": "111.0.5563.8",
-    "sha256": "0gflrk5i6dr5vrywhxab73044gryxj49px59blgl6nyphw7swpwy",
-    "sha256bin64": "1dgfjz9pnziy1zymk7g15i5zdb002g77q8kqhkwgi4m0fndknpmj",
+    "version": "111.0.5563.19",
+    "sha256": "0hrapzi45jpkb1b87nzlb896jd2h2jbz1mq91md5r2y6ag6fc55w",
+    "sha256bin64": "02aaqny23dcdp611n6jr7swkjnx1wd0lb8dgxq53b806f0s374cp",
     "deps": {
       "gn": {
         "version": "2022-12-12",

pkgs/applications/networking/cluster/k3s/1_23/0001-script-download-strip-downloading-just-package-CRD.patch

@@ -0,0 +1,41 @@
+From 6f53bd36a40da4c71486e3b79f6e32d53d6eea5d Mon Sep 17 00:00:00 2001
+From: Euan Kemp <euank@euank.com>
+Date: Thu, 3 Feb 2022 23:50:40 -0800
+Subject: [PATCH 2/2] scrips/download: strip downloading, just package CRD
+
+The CRD packaging is a complicated set of commands, so let's reuse it.
+---
+ scripts/download | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/scripts/download b/scripts/download
+index 5effc0562a..82361803ee 100755
+--- a/scripts/download
++++ b/scripts/download
+@@ -24,12 +24,6 @@ rm -rf ${CONTAINERD_DIR}
+ mkdir -p ${CHARTS_DIR}
+ mkdir -p ${DATA_DIR}
+ 
+-curl --compressed -sfL https://github.com/k3s-io/k3s-root/releases/download/${VERSION_ROOT}/k3s-root-${ARCH}.tar | tar xf - --exclude=bin/socat
+-
+-git clone --single-branch --branch=${VERSION_RUNC} --depth=1 https://github.com/opencontainers/runc ${RUNC_DIR}
+-
+-git clone --single-branch --branch=${VERSION_CONTAINERD} --depth=1 https://github.com/k3s-io/containerd ${CONTAINERD_DIR}
+-
+ setup_tmp() {
+     TMP_DIR=$(mktemp -d --tmpdir=${CHARTS_DIR})
+     cleanup() {
+@@ -44,8 +38,8 @@ setup_tmp() {
+ 
+ download_and_package_traefik () {
+   echo "Downloading Traefik Helm chart from ${TRAEFIK_URL}"
+-  curl -sfL ${TRAEFIK_URL} -o ${TMP_DIR}/${TRAEFIK_FILE}
+-  code=$?
++  # nixpkgs: copy in our known traefik chart instead
++  cp $TRAEFIK_CHART_FILE ${TMP_DIR}/${TRAEFIK_FILE}
+ 
+   if [ $code -ne 0 ]; then
+     echo "Error: Failed to download Traefik Helm chart!"
+-- 
+2.34.1
+

pkgs/applications/networking/cluster/k3s/1_23/default.nix

@@ -0,0 +1,331 @@
+{ stdenv
+, lib
+, makeWrapper
+, socat
+, iptables
+, iproute2
+, bridge-utils
+, btrfs-progs
+, conntrack-tools
+, buildGoModule
+, runc
+, rsync
+, kmod
+, libseccomp
+, pkg-config
+, ethtool
+, util-linux
+, fetchFromGitHub
+, fetchurl
+, fetchzip
+, fetchgit
+, zstd
+, yq-go
+, nixosTests
+, k3s
+, pkgsBuildBuild
+}:
+
+with lib;
+
+# k3s is a kinda weird derivation. One of the main points of k3s is the
+# simplicity of it being one binary that can perform several tasks.
+# However, when you have a good package manager (like nix), that doesn't
+# actually make much of a difference; you don't really care if it's one binary
+# or 10 since with a good package manager, installing and running it is
+# identical.
+# Since upstream k3s packages itself as one large binary with several
+# "personalities" (in the form of subcommands like 'k3s agent' and 'k3s
+# kubectl'), it ends up being easiest to mostly mimic upstream packaging, with
+# some exceptions.
+# K3s also carries patches to some packages (such as containerd and cni
+# plugins), so we intentionally use the k3s versions of those binaries for k3s,
+# even if the upstream version of those binaries exist in nixpkgs already. In
+# the end, that means we have a thick k3s binary that behaves like the upstream
+# one for the most part.
+# However, k3s also bundles several pieces of unpatched software, from the
+# strongswan vpn software, to iptables, to socat, conntrack, busybox, etc.
+# Those pieces of software we entirely ignore upstream's handling of, and just
+# make sure they're in the path if desired.
+let
+  k3sVersion = "1.23.6+k3s1";     # k3s git tag
+  k3sCommit = "418c3fa858b69b12b9cefbcff0526f666a6236b9"; # k3s git commit at the above version
+  k3sRepoSha256 = "0fmw491dn5mpi058mr7sij51i5m4qg2grx30cnl3h2v4s0sdkx2i";
+  k3sVendorSha256 = "sha256-iHg5ySMaiSWXs98YGmxPwdZr4zdBIFma12dNEuf30Hs=";
+
+  # taken from ./manifests/traefik.yaml, extracted from '.spec.chart' https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/download#L9
+  # The 'patch' and 'minor' versions are currently hardcoded as single digits only, so ignore the trailing two digits. Weird, I know.
+  traefikChartVersion = "10.19.3";
+  traefikChartSha256 = "04zg5li957svgscdmkzmzjkwljaljyav68rzxmhakkwgav6q9058";
+
+  # taken from ./scripts/version.sh VERSION_ROOT https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/version.sh#L47
+  k3sRootVersion = "0.11.0";
+  k3sRootSha256 = "016n56vi09xkvjph7wgzb2m86mhd5x65fs4d11pmh20hl249r620";
+
+  # taken from ./scripts/version.sh VERSION_CNIPLUGINS https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/version.sh#L45
+  k3sCNIVersion = "1.0.1-k3s1";
+  k3sCNISha256 = "11ihlzzdnqf9p21y0a4ckpbxac016nm7746dcykhj26ym9zxyv92";
+
+  # taken from go.mod, the 'github.com/containerd/containerd' line
+  # run `grep github.com/containerd/containerd go.mod | head -n1 | awk '{print $4}'`
+  containerdVersion = "1.5.11-k3s2";
+  containerdSha256 = "16132snvrg8r0vwm6c0lz0q6fx686s2ix53nm3aka9a83xs75vf2";
+
+  # run `grep github.com/kubernetes-sigs/cri-tools go.mod | head -n1 | awk '{print $4}'` in the k3s repo at the tag
+  criCtlVersion = "1.22.0-k3s1";
+
+  baseMeta = k3s.meta;
+
+  # https://github.com/k3s-io/k3s/blob/5fb370e53e0014dc96183b8ecb2c25a61e891e76/scripts/build#L19-L40
+  versionldflags = [
+    "-X github.com/rancher/k3s/pkg/version.Version=v${k3sVersion}"
+    "-X github.com/rancher/k3s/pkg/version.GitCommit=${lib.substring 0 8 k3sCommit}"
+    "-X k8s.io/client-go/pkg/version.gitVersion=v${k3sVersion}"
+    "-X k8s.io/client-go/pkg/version.gitCommit=${k3sCommit}"
+    "-X k8s.io/client-go/pkg/version.gitTreeState=clean"
+    "-X k8s.io/client-go/pkg/version.buildDate=1970-01-01T01:01:01Z"
+    "-X k8s.io/component-base/version.gitVersion=v${k3sVersion}"
+    "-X k8s.io/component-base/version.gitCommit=${k3sCommit}"
+    "-X k8s.io/component-base/version.gitTreeState=clean"
+    "-X k8s.io/component-base/version.buildDate=1970-01-01T01:01:01Z"
+    "-X github.com/kubernetes-sigs/cri-tools/pkg/version.Version=v${criCtlVersion}"
+    "-X github.com/containerd/containerd/version.Version=v${containerdVersion}"
+    "-X github.com/containerd/containerd/version.Package=github.com/k3s-io/containerd"
+  ];
+
+  # bundled into the k3s binary
+  traefikChart = fetchurl {
+    url = "https://helm.traefik.io/traefik/traefik-${traefikChartVersion}.tgz";
+    sha256 = traefikChartSha256;
+  };
+  # so, k3s is a complicated thing to package
+  # This derivation attempts to avoid including any random binaries from the
+  # internet. k3s-root is _mostly_ binaries built to be bundled in k3s (which
+  # we don't care about doing, we can add those as build or runtime
+  # dependencies using a real package manager).
+  # In addition to those binaries, it's also configuration though (right now
+  # mostly strongswan configuration), and k3s does use those files.
+  # As such, we download it in order to grab 'etc' and bundle it into the final
+  # k3s binary.
+  k3sRoot = fetchzip {
+    # Note: marked as apache 2.0 license
+    url = "https://github.com/k3s-io/k3s-root/releases/download/v${k3sRootVersion}/k3s-root-amd64.tar";
+    sha256 = k3sRootSha256;
+    stripRoot = false;
+  };
+  k3sCNIPlugins = buildGoModule rec {
+    pname = "k3s-cni-plugins";
+    version = k3sCNIVersion;
+    vendorSha256 = null;
+
+    subPackages = [ "." ];
+
+    src = fetchFromGitHub {
+      owner = "rancher";
+      repo = "plugins";
+      rev = "v${version}";
+      sha256 = k3sCNISha256;
+    };
+
+    postInstall = ''
+      mv $out/bin/plugins $out/bin/cni
+    '';
+
+    meta = baseMeta // {
+      description = "CNI plugins, as patched by rancher for k3s";
+    };
+  };
+  # Grab this separately from a build because it's used by both stages of the
+  # k3s build.
+  k3sRepo = fetchgit {
+    url = "https://github.com/k3s-io/k3s";
+    rev = "v${k3sVersion}";
+    sha256 = k3sRepoSha256;
+  };
+  # Stage 1 of the k3s build:
+  # Let's talk about how k3s is structured.
+  # One of the ideas of k3s is that there's the single "k3s" binary which can
+  # do everything you need, from running a k3s server, to being a worker node,
+  # to running kubectl.
+  # The way that actually works is that k3s is a single go binary that contains
+  # a bunch of bindata that it unpacks at runtime into directories (either the
+  # user's home directory or /var/lib/rancher if run as root).
+  # This bindata includes both binaries and configuration.
+  # In order to let nixpkgs do all its autostripping/patching/etc, we split this into two derivations.
+  # First, we build all the binaries that get packed into the thick k3s binary
+  # (and output them from one derivation so they'll all be suitably patched up).
+  # Then, we bundle those binaries into our thick k3s binary and use that as
+  # the final single output.
+  # This approach was chosen because it ensures the bundled binaries all are
+  # correctly built to run with nix (we can lean on the existing buildGoModule
+  # stuff), and we can again lean on that tooling for the final k3s binary too.
+  # Other alternatives would be to manually run the
+  # strip/patchelf/remove-references step ourselves in the installPhase of the
+  # derivation when we've built all the binaries, but haven't bundled them in
+  # with generated bindata yet.
+
+  k3sServer = buildGoModule rec {
+    pname = "k3s-server";
+    version = k3sVersion;
+
+    src = k3sRepo;
+    vendorSha256 = k3sVendorSha256;
+
+    nativeBuildInputs = [ pkg-config ];
+    buildInputs = [ libseccomp ];
+
+    subPackages = [ "cmd/server" ];
+    ldflags = versionldflags;
+
+    # create the multicall symlinks for k3s
+    postInstall = ''
+      mv $out/bin/server $out/bin/k3s
+      pushd $out
+      # taken verbatim from https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/build#L105-L113
+      ln -s k3s ./bin/k3s-agent
+      ln -s k3s ./bin/k3s-server
+      ln -s k3s ./bin/k3s-etcd-snapshot
+      ln -s k3s ./bin/k3s-secrets-encrypt
+      ln -s k3s ./bin/k3s-certificate
+      ln -s k3s ./bin/kubectl
+      ln -s k3s ./bin/crictl
+      ln -s k3s ./bin/ctr
+      popd
+    '';
+
+    meta = baseMeta // {
+      description = "The various binaries that get packaged into the final k3s binary";
+    };
+  };
+  k3sContainerd = buildGoModule {
+    pname = "k3s-containerd";
+    version = containerdVersion;
+    src = fetchFromGitHub {
+      owner = "k3s-io";
+      repo = "containerd";
+      rev = "v${containerdVersion}";
+      sha256 = containerdSha256;
+    };
+    vendorSha256 = null;
+    buildInputs = [ btrfs-progs ];
+    subPackages = [ "cmd/containerd" "cmd/containerd-shim-runc-v2" ];
+    ldflags = versionldflags;
+  };
+in
+buildGoModule rec {
+  pname = "k3s";
+  version = k3sVersion;
+
+  src = k3sRepo;
+  vendorSha256 = k3sVendorSha256;
+
+  patches = [
+    ./0001-script-download-strip-downloading-just-package-CRD.patch
+  ];
+
+  postPatch = ''
+    # Nix prefers dynamically linked binaries over static binary.
+
+    substituteInPlace scripts/package-cli \
+      --replace '"$LDFLAGS $STATIC" -o' \
+                '"$LDFLAGS" -o' \
+      --replace "STATIC=\"-extldflags \'-static\'\"" \
+                ""
+
+    # Upstream codegen fails with trimpath set. Removes "trimpath" for 'go generate':
+
+    substituteInPlace scripts/package-cli \
+      --replace '"''${GO}" generate' \
+                'GOFLAGS="" \
+                 GOOS="${pkgsBuildBuild.go.GOOS}" \
+                 GOARCH="${pkgsBuildBuild.go.GOARCH}" \
+                 CC="${pkgsBuildBuild.stdenv.cc}/bin/cc" \
+                 "''${GO}" generate'
+  '';
+
+  # Important utilities used by the kubelet, see
+  # https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494
+  # Note the list in that issue is stale and some aren't relevant for k3s.
+  k3sRuntimeDeps = [
+    kmod
+    socat
+    iptables
+    iproute2
+    bridge-utils
+    ethtool
+    util-linux # kubelet wants 'nsenter' from util-linux: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-705994388
+    conntrack-tools
+  ];
+
+  buildInputs = k3sRuntimeDeps;
+
+  nativeBuildInputs = [
+    makeWrapper
+    rsync
+    yq-go
+    zstd
+  ];
+
+  # embedded in the final k3s cli
+  propagatedBuildInputs = [
+    k3sCNIPlugins
+    k3sContainerd
+    k3sServer
+    runc
+  ];
+
+  # We override most of buildPhase due to peculiarities in k3s's build.
+  # Specifically, it has a 'go generate' which runs part of the package. See
+  # this comment:
+  # https://github.com/NixOS/nixpkgs/pull/158089#discussion_r799965694
+  # So, why do we use buildGoModule at all? For the `vendorSha256` / `go mod download` stuff primarily.
+  buildPhase = ''
+    patchShebangs ./scripts/package-cli ./scripts/download ./scripts/build-upload
+
+    # copy needed 'go generate' inputs into place
+    mkdir -p ./bin/aux
+    rsync -a --no-perms ${k3sServer}/bin/ ./bin/
+    ln -vsf ${runc}/bin/runc ./bin/runc
+    ln -vsf ${k3sCNIPlugins}/bin/cni ./bin/cni
+    ln -vsf ${k3sContainerd}/bin/* ./bin/
+    rsync -a --no-perms --chmod u=rwX ${k3sRoot}/etc/ ./etc/
+    mkdir -p ./build/static/charts
+    # Note, upstream's chart has a 00 suffix. This seems to not matter though, so we're ignoring that naming detail.
+    export TRAEFIK_CHART_FILE=${traefikChart}
+    # place the traefik chart using their code since it's complicated
+    # We trim the actual download, see patches
+    ./scripts/download
+
+    export ARCH=$GOARCH
+    export DRONE_TAG="v${k3sVersion}"
+    export DRONE_COMMIT="${k3sCommit}"
+    # use ./scripts/package-cli to run 'go generate' + 'go build'
+
+    ./scripts/package-cli
+    mkdir -p $out/bin
+  '';
+
+  # Otherwise it depends on 'getGoDirs', which is normally set in buildPhase
+  doCheck = false;
+
+  installPhase = ''
+    # wildcard to match the arm64 build too
+    install -m 0755 dist/artifacts/k3s* -D $out/bin/k3s
+    wrapProgram $out/bin/k3s \
+      --prefix PATH : ${lib.makeBinPath k3sRuntimeDeps} \
+      --prefix PATH : "$out/bin"
+  '';
+
+  doInstallCheck = true;
+  installCheckPhase = ''
+    $out/bin/k3s --version | grep -F "v${k3sVersion}" >/dev/null
+  '';
+
+  # Fix-Me: Needs to be adapted specifically for 1.23
+  # passthru.updateScript = ./update.sh;
+
+  # Fix-Me: Needs to be adapted specifically for 1.23
+  # passthru.tests = { inherit (nixosTests) k3s-single-node k3s-single-node-docker; };
+
+  meta = baseMeta;
+}

pkgs/applications/networking/cluster/k3s/1_24/0001-script-download-strip-downloading-just-package-CRD.patch

@@ -0,0 +1,41 @@
+From 6f53bd36a40da4c71486e3b79f6e32d53d6eea5d Mon Sep 17 00:00:00 2001
+From: Euan Kemp <euank@euank.com>
+Date: Thu, 3 Feb 2022 23:50:40 -0800
+Subject: [PATCH 2/2] scrips/download: strip downloading, just package CRD
+
+The CRD packaging is a complicated set of commands, so let's reuse it.
+---
+ scripts/download | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/scripts/download b/scripts/download
+index 5effc0562a..82361803ee 100755
+--- a/scripts/download
++++ b/scripts/download
+@@ -24,12 +24,6 @@ rm -rf ${CONTAINERD_DIR}
+ mkdir -p ${CHARTS_DIR}
+ mkdir -p ${DATA_DIR}
+ 
+-curl --compressed -sfL https://github.com/k3s-io/k3s-root/releases/download/${VERSION_ROOT}/k3s-root-${ARCH}.tar | tar xf - --exclude=bin/socat
+-
+-git clone --single-branch --branch=${VERSION_RUNC} --depth=1 https://github.com/opencontainers/runc ${RUNC_DIR}
+-
+-git clone --single-branch --branch=${VERSION_CONTAINERD} --depth=1 https://github.com/k3s-io/containerd ${CONTAINERD_DIR}
+-
+ setup_tmp() {
+     TMP_DIR=$(mktemp -d --tmpdir=${CHARTS_DIR})
+     cleanup() {
+@@ -44,8 +38,8 @@ setup_tmp() {
+ 
+ download_and_package_traefik () {
+   echo "Downloading Traefik Helm chart from ${TRAEFIK_URL}"
+-  curl -sfL ${TRAEFIK_URL} -o ${TMP_DIR}/${TRAEFIK_FILE}
+-  code=$?
++  # nixpkgs: copy in our known traefik chart instead
++  cp $TRAEFIK_CHART_FILE ${TMP_DIR}/${TRAEFIK_FILE}
+ 
+   if [ $code -ne 0 ]; then
+     echo "Error: Failed to download Traefik Helm chart!"
+-- 
+2.34.1
+

pkgs/applications/networking/cluster/k3s/1_24/default.nix

@@ -0,0 +1,329 @@
+{ stdenv
+, lib
+, makeWrapper
+, socat
+, iptables
+, iproute2
+, bridge-utils
+, btrfs-progs
+, conntrack-tools
+, buildGoModule
+, runc
+, rsync
+, kmod
+, libseccomp
+, pkg-config
+, ethtool
+, util-linux
+, fetchFromGitHub
+, fetchurl
+, fetchzip
+, fetchgit
+, zstd
+, yq-go
+, nixosTests
+, k3s
+, pkgsBuildBuild
+}:
+
+# k3s is a kinda weird derivation. One of the main points of k3s is the
+# simplicity of it being one binary that can perform several tasks.
+# However, when you have a good package manager (like nix), that doesn't
+# actually make much of a difference; you don't really care if it's one binary
+# or 10 since with a good package manager, installing and running it is
+# identical.
+# Since upstream k3s packages itself as one large binary with several
+# "personalities" (in the form of subcommands like 'k3s agent' and 'k3s
+# kubectl'), it ends up being easiest to mostly mimic upstream packaging, with
+# some exceptions.
+# K3s also carries patches to some packages (such as containerd and cni
+# plugins), so we intentionally use the k3s versions of those binaries for k3s,
+# even if the upstream version of those binaries exist in nixpkgs already. In
+# the end, that means we have a thick k3s binary that behaves like the upstream
+# one for the most part.
+# However, k3s also bundles several pieces of unpatched software, from the
+# strongswan vpn software, to iptables, to socat, conntrack, busybox, etc.
+# Those pieces of software we entirely ignore upstream's handling of, and just
+# make sure they're in the path if desired.
+let
+  k3sVersion = "1.24.4+k3s1";     # k3s git tag
+  k3sCommit = "c3f830e9b9ed8a4d9d0e2aa663b4591b923a296e"; # k3s git commit at the above version
+  k3sRepoSha256 = "00ns6n7jxnacah8ahndhgdb160prgsqhswbb5809kkgvig7k8b27";
+  k3sVendorSha256 = "sha256-ReZvJCgxqffG2H39JlynGPUBSV5ngPkRtAoZ++OQZZI=";
+
+  # taken from ./manifests/traefik.yaml, extracted from '.spec.chart' https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/download#L9
+  # The 'patch' and 'minor' versions are currently hardcoded as single digits only, so ignore the trailing two digits. Weird, I know.
+  traefikChartVersion = "10.19.3";
+  traefikChartSha256 = "04zg5li957svgscdmkzmzjkwljaljyav68rzxmhakkwgav6q9058";
+
+  # taken from ./scripts/version.sh VERSION_ROOT https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/version.sh#L47
+  k3sRootVersion = "0.11.0";
+  k3sRootSha256 = "016n56vi09xkvjph7wgzb2m86mhd5x65fs4d11pmh20hl249r620";
+
+  # taken from ./scripts/version.sh VERSION_CNIPLUGINS https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/version.sh#L45
+  k3sCNIVersion = "1.1.1-k3s1";
+  k3sCNISha256 = "14mb3zsqibj1sn338gjmsyksbm0mxv9p016dij7zidccx2rzn6nl";
+
+  # taken from go.mod, the 'github.com/containerd/containerd' line
+  # run `grep github.com/containerd/containerd go.mod | head -n1 | awk '{print $4}'`
+  containerdVersion = "1.5.13-k3s1";
+  containerdSha256 = "09bj4ghwbsj9whkv1d5icqs52k64m449j8b73dmak2wz62fbzbvp";
+
+  # run `grep github.com/kubernetes-sigs/cri-tools go.mod | head -n1 | awk '{print $4}'` in the k3s repo at the tag
+  criCtlVersion = "1.24.0-k3s1";
+
+  baseMeta = k3s.meta;
+
+  # https://github.com/k3s-io/k3s/blob/5fb370e53e0014dc96183b8ecb2c25a61e891e76/scripts/build#L19-L40
+  versionldflags = [
+    "-X github.com/rancher/k3s/pkg/version.Version=v${k3sVersion}"
+    "-X github.com/rancher/k3s/pkg/version.GitCommit=${lib.substring 0 8 k3sCommit}"
+    "-X k8s.io/client-go/pkg/version.gitVersion=v${k3sVersion}"
+    "-X k8s.io/client-go/pkg/version.gitCommit=${k3sCommit}"
+    "-X k8s.io/client-go/pkg/version.gitTreeState=clean"
+    "-X k8s.io/client-go/pkg/version.buildDate=1970-01-01T01:01:01Z"
+    "-X k8s.io/component-base/version.gitVersion=v${k3sVersion}"
+    "-X k8s.io/component-base/version.gitCommit=${k3sCommit}"
+    "-X k8s.io/component-base/version.gitTreeState=clean"
+    "-X k8s.io/component-base/version.buildDate=1970-01-01T01:01:01Z"
+    "-X github.com/kubernetes-sigs/cri-tools/pkg/version.Version=v${criCtlVersion}"
+    "-X github.com/containerd/containerd/version.Version=v${containerdVersion}"
+    "-X github.com/containerd/containerd/version.Package=github.com/k3s-io/containerd"
+  ];
+
+  # bundled into the k3s binary
+  traefikChart = fetchurl {
+    url = "https://helm.traefik.io/traefik/traefik-${traefikChartVersion}.tgz";
+    sha256 = traefikChartSha256;
+  };
+  # so, k3s is a complicated thing to package
+  # This derivation attempts to avoid including any random binaries from the
+  # internet. k3s-root is _mostly_ binaries built to be bundled in k3s (which
+  # we don't care about doing, we can add those as build or runtime
+  # dependencies using a real package manager).
+  # In addition to those binaries, it's also configuration though (right now
+  # mostly strongswan configuration), and k3s does use those files.
+  # As such, we download it in order to grab 'etc' and bundle it into the final
+  # k3s binary.
+  k3sRoot = fetchzip {
+    # Note: marked as apache 2.0 license
+    url = "https://github.com/k3s-io/k3s-root/releases/download/v${k3sRootVersion}/k3s-root-amd64.tar";
+    sha256 = k3sRootSha256;
+    stripRoot = false;
+  };
+  k3sCNIPlugins = buildGoModule rec {
+    pname = "k3s-cni-plugins";
+    version = k3sCNIVersion;
+    vendorSha256 = null;
+
+    subPackages = [ "." ];
+
+    src = fetchFromGitHub {
+      owner = "rancher";
+      repo = "plugins";
+      rev = "v${version}";
+      sha256 = k3sCNISha256;
+    };
+
+    postInstall = ''
+      mv $out/bin/plugins $out/bin/cni
+    '';
+
+    meta = baseMeta // {
+      description = "CNI plugins, as patched by rancher for k3s";
+    };
+  };
+  # Grab this separately from a build because it's used by both stages of the
+  # k3s build.
+  k3sRepo = fetchgit {
+    url = "https://github.com/k3s-io/k3s";
+    rev = "v${k3sVersion}";
+    sha256 = k3sRepoSha256;
+  };
+  # Stage 1 of the k3s build:
+  # Let's talk about how k3s is structured.
+  # One of the ideas of k3s is that there's the single "k3s" binary which can
+  # do everything you need, from running a k3s server, to being a worker node,
+  # to running kubectl.
+  # The way that actually works is that k3s is a single go binary that contains
+  # a bunch of bindata that it unpacks at runtime into directories (either the
+  # user's home directory or /var/lib/rancher if run as root).
+  # This bindata includes both binaries and configuration.
+  # In order to let nixpkgs do all its autostripping/patching/etc, we split this into two derivations.
+  # First, we build all the binaries that get packed into the thick k3s binary
+  # (and output them from one derivation so they'll all be suitably patched up).
+  # Then, we bundle those binaries into our thick k3s binary and use that as
+  # the final single output.
+  # This approach was chosen because it ensures the bundled binaries all are
+  # correctly built to run with nix (we can lean on the existing buildGoModule
+  # stuff), and we can again lean on that tooling for the final k3s binary too.
+  # Other alternatives would be to manually run the
+  # strip/patchelf/remove-references step ourselves in the installPhase of the
+  # derivation when we've built all the binaries, but haven't bundled them in
+  # with generated bindata yet.
+
+  k3sServer = buildGoModule rec {
+    pname = "k3s-server";
+    version = k3sVersion;
+
+    src = k3sRepo;
+    vendorSha256 = k3sVendorSha256;
+
+    nativeBuildInputs = [ pkg-config ];
+    buildInputs = [ libseccomp ];
+
+    subPackages = [ "cmd/server" ];
+    ldflags = versionldflags;
+
+    # create the multicall symlinks for k3s
+    postInstall = ''
+      mv $out/bin/server $out/bin/k3s
+      pushd $out
+      # taken verbatim from https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/build#L105-L113
+      ln -s k3s ./bin/k3s-agent
+      ln -s k3s ./bin/k3s-server
+      ln -s k3s ./bin/k3s-etcd-snapshot
+      ln -s k3s ./bin/k3s-secrets-encrypt
+      ln -s k3s ./bin/k3s-certificate
+      ln -s k3s ./bin/kubectl
+      ln -s k3s ./bin/crictl
+      ln -s k3s ./bin/ctr
+      popd
+    '';
+
+    meta = baseMeta // {
+      description = "The various binaries that get packaged into the final k3s binary";
+    };
+  };
+  k3sContainerd = buildGoModule {
+    pname = "k3s-containerd";
+    version = containerdVersion;
+    src = fetchFromGitHub {
+      owner = "k3s-io";
+      repo = "containerd";
+      rev = "v${containerdVersion}";
+      sha256 = containerdSha256;
+    };
+    vendorSha256 = null;
+    buildInputs = [ btrfs-progs ];
+    subPackages = [ "cmd/containerd" "cmd/containerd-shim-runc-v2" ];
+    ldflags = versionldflags;
+  };
+in
+buildGoModule rec {
+  pname = "k3s";
+  version = k3sVersion;
+
+  src = k3sRepo;
+  vendorSha256 = k3sVendorSha256;
+
+  patches = [
+    ./0001-script-download-strip-downloading-just-package-CRD.patch
+  ];
+
+  postPatch = ''
+    # Nix prefers dynamically linked binaries over static binary.
+
+    substituteInPlace scripts/package-cli \
+      --replace '"$LDFLAGS $STATIC" -o' \
+                '"$LDFLAGS" -o' \
+      --replace "STATIC=\"-extldflags \'-static\'\"" \
+                ""
+
+    # Upstream codegen fails with trimpath set. Removes "trimpath" for 'go generate':
+
+    substituteInPlace scripts/package-cli \
+      --replace '"''${GO}" generate' \
+                'GOFLAGS="" \
+                 GOOS="${pkgsBuildBuild.go.GOOS}" \
+                 GOARCH="${pkgsBuildBuild.go.GOARCH}" \
+                 CC="${pkgsBuildBuild.stdenv.cc}/bin/cc" \
+                 "''${GO}" generate'
+  '';
+
+  # Important utilities used by the kubelet, see
+  # https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494
+  # Note the list in that issue is stale and some aren't relevant for k3s.
+  k3sRuntimeDeps = [
+    kmod
+    socat
+    iptables
+    iproute2
+    bridge-utils
+    ethtool
+    util-linux # kubelet wants 'nsenter' from util-linux: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-705994388
+    conntrack-tools
+  ];
+
+  buildInputs = k3sRuntimeDeps;
+
+  nativeBuildInputs = [
+    makeWrapper
+    rsync
+    yq-go
+    zstd
+  ];
+
+  # embedded in the final k3s cli
+  propagatedBuildInputs = [
+    k3sCNIPlugins
+    k3sContainerd
+    k3sServer
+    runc
+  ];
+
+  # We override most of buildPhase due to peculiarities in k3s's build.
+  # Specifically, it has a 'go generate' which runs part of the package. See
+  # this comment:
+  # https://github.com/NixOS/nixpkgs/pull/158089#discussion_r799965694
+  # So, why do we use buildGoModule at all? For the `vendorSha256` / `go mod download` stuff primarily.
+  buildPhase = ''
+    patchShebangs ./scripts/package-cli ./scripts/download ./scripts/build-upload
+
+    # copy needed 'go generate' inputs into place
+    mkdir -p ./bin/aux
+    rsync -a --no-perms ${k3sServer}/bin/ ./bin/
+    ln -vsf ${runc}/bin/runc ./bin/runc
+    ln -vsf ${k3sCNIPlugins}/bin/cni ./bin/cni
+    ln -vsf ${k3sContainerd}/bin/* ./bin/
+    rsync -a --no-perms --chmod u=rwX ${k3sRoot}/etc/ ./etc/
+    mkdir -p ./build/static/charts
+    # Note, upstream's chart has a 00 suffix. This seems to not matter though, so we're ignoring that naming detail.
+    export TRAEFIK_CHART_FILE=${traefikChart}
+    # place the traefik chart using their code since it's complicated
+    # We trim the actual download, see patches
+    ./scripts/download
+
+    export ARCH=$GOARCH
+    export DRONE_TAG="v${k3sVersion}"
+    export DRONE_COMMIT="${k3sCommit}"
+    # use ./scripts/package-cli to run 'go generate' + 'go build'
+
+    ./scripts/package-cli
+    mkdir -p $out/bin
+  '';
+
+  # Otherwise it depends on 'getGoDirs', which is normally set in buildPhase
+  doCheck = false;
+
+  installPhase = ''
+    # wildcard to match the arm64 build too
+    install -m 0755 dist/artifacts/k3s* -D $out/bin/k3s
+    wrapProgram $out/bin/k3s \
+      --prefix PATH : ${lib.makeBinPath k3sRuntimeDeps} \
+      --prefix PATH : "$out/bin"
+  '';
+
+  doInstallCheck = true;
+  installCheckPhase = ''
+    $out/bin/k3s --version | grep -F "v${k3sVersion}" >/dev/null
+  '';
+
+  # Fix-Me: Needs to be adapted specifically for 1.24
+  # passthru.updateScript = ./update.sh;
+
+  # Fix-Me: Needs to be adapted specifically for 1.24
+  # passthru.tests = nixosTests.k3s;
+
+  meta = baseMeta;
+}

pkgs/applications/networking/cluster/k3s/1_25/0001-script-download-strip-downloading-just-package-CRD.patch

@@ -0,0 +1,41 @@
+From 6f53bd36a40da4c71486e3b79f6e32d53d6eea5d Mon Sep 17 00:00:00 2001
+From: Euan Kemp <euank@euank.com>
+Date: Thu, 3 Feb 2022 23:50:40 -0800
+Subject: [PATCH 2/2] scrips/download: strip downloading, just package CRD
+
+The CRD packaging is a complicated set of commands, so let's reuse it.
+---
+ scripts/download | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/scripts/download b/scripts/download
+index 5effc0562a..82361803ee 100755
+--- a/scripts/download
++++ b/scripts/download
+@@ -24,12 +24,6 @@ rm -rf ${CONTAINERD_DIR}
+ mkdir -p ${CHARTS_DIR}
+ mkdir -p ${DATA_DIR}
+ 
+-curl --compressed -sfL https://github.com/k3s-io/k3s-root/releases/download/${VERSION_ROOT}/k3s-root-${ARCH}.tar | tar xf - --exclude=bin/socat
+-
+-git clone --single-branch --branch=${VERSION_RUNC} --depth=1 https://github.com/opencontainers/runc ${RUNC_DIR}
+-
+-git clone --single-branch --branch=${VERSION_CONTAINERD} --depth=1 https://github.com/k3s-io/containerd ${CONTAINERD_DIR}
+-
+ setup_tmp() {
+     TMP_DIR=$(mktemp -d --tmpdir=${CHARTS_DIR})
+     cleanup() {
+@@ -44,8 +38,8 @@ setup_tmp() {
+ 
+ download_and_package_traefik () {
+   echo "Downloading Traefik Helm chart from ${TRAEFIK_URL}"
+-  curl -sfL ${TRAEFIK_URL} -o ${TMP_DIR}/${TRAEFIK_FILE}
+-  code=$?
++  # nixpkgs: copy in our known traefik chart instead
++  cp $TRAEFIK_CHART_FILE ${TMP_DIR}/${TRAEFIK_FILE}
+ 
+   if [ $code -ne 0 ]; then
+     echo "Error: Failed to download Traefik Helm chart!"
+-- 
+2.34.1
+

pkgs/applications/networking/cluster/k3s/1_25/default.nix

@@ -0,0 +1,329 @@
+{ stdenv
+, lib
+, makeWrapper
+, socat
+, iptables
+, iproute2
+, bridge-utils
+, btrfs-progs
+, conntrack-tools
+, buildGoModule
+, runc
+, rsync
+, kmod
+, libseccomp
+, pkg-config
+, ethtool
+, util-linux
+, fetchFromGitHub
+, fetchurl
+, fetchzip
+, fetchgit
+, zstd
+, yq-go
+, nixosTests
+, pkgsBuildBuild
+, k3s
+}:
+
+# k3s is a kinda weird derivation. One of the main points of k3s is the
+# simplicity of it being one binary that can perform several tasks.
+# However, when you have a good package manager (like nix), that doesn't
+# actually make much of a difference; you don't really care if it's one binary
+# or 10 since with a good package manager, installing and running it is
+# identical.
+# Since upstream k3s packages itself as one large binary with several
+# "personalities" (in the form of subcommands like 'k3s agent' and 'k3s
+# kubectl'), it ends up being easiest to mostly mimic upstream packaging, with
+# some exceptions.
+# K3s also carries patches to some packages (such as containerd and cni
+# plugins), so we intentionally use the k3s versions of those binaries for k3s,
+# even if the upstream version of those binaries exist in nixpkgs already. In
+# the end, that means we have a thick k3s binary that behaves like the upstream
+# one for the most part.
+# However, k3s also bundles several pieces of unpatched software, from the
+# strongswan vpn software, to iptables, to socat, conntrack, busybox, etc.
+# Those pieces of software we entirely ignore upstream's handling of, and just
+# make sure they're in the path if desired.
+let
+  k3sVersion = "1.25.3+k3s1";     # k3s git tag
+  k3sCommit = "f2585c1671b31b4b34bddbb3bf4e7d69662b0821"; # k3s git commit at the above version
+  k3sRepoSha256 = "0zwf3iwjcidx14zw36s1hr0q8wmmbfc0rfqwd7fmpjq597h8zkms";
+  k3sVendorSha256 = "sha256-U67tJRGqPFk5AfRe7I50zKGC9HJ2oh+iI/C7qF/76BQ=";
+
+  # taken from ./manifests/traefik.yaml, extracted from '.spec.chart' https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/download#L9
+  # The 'patch' and 'minor' versions are currently hardcoded as single digits only, so ignore the trailing two digits. Weird, I know.
+  traefikChartVersion = "12.0.0";
+  traefikChartSha256 = "1sqmi71fi3ad5dh5fmsp9mv80x6pkgqwi4r9fr8l6i9sdnai6f1a";
+
+  # taken from ./scripts/version.sh VERSION_ROOT https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/version.sh#L47
+  k3sRootVersion = "0.11.0";
+  k3sRootSha256 = "016n56vi09xkvjph7wgzb2m86mhd5x65fs4d11pmh20hl249r620";
+
+  # taken from ./scripts/version.sh VERSION_CNIPLUGINS https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/version.sh#L45
+  k3sCNIVersion = "1.1.1-k3s1";
+  k3sCNISha256 = "14mb3zsqibj1sn338gjmsyksbm0mxv9p016dij7zidccx2rzn6nl";
+
+  # taken from go.mod, the 'github.com/containerd/containerd' line
+  # run `grep github.com/containerd/containerd go.mod | head -n1 | awk '{print $4}'`
+  containerdVersion = "1.5.13-k3s2";
+  containerdSha256 = "1pfr2ji4aij9js90gf4a3hqnhyw5hshcjdccm62l700j68gs5z97";
+
+  # run `grep github.com/kubernetes-sigs/cri-tools go.mod | head -n1 | awk '{print $4}'` in the k3s repo at the tag
+  criCtlVersion = "1.25.0-k3s1";
+
+  baseMeta = k3s.meta;
+
+  # https://github.com/k3s-io/k3s/blob/5fb370e53e0014dc96183b8ecb2c25a61e891e76/scripts/build#L19-L40
+  versionldflags = [
+    "-X github.com/rancher/k3s/pkg/version.Version=v${k3sVersion}"
+    "-X github.com/rancher/k3s/pkg/version.GitCommit=${lib.substring 0 8 k3sCommit}"
+    "-X k8s.io/client-go/pkg/version.gitVersion=v${k3sVersion}"
+    "-X k8s.io/client-go/pkg/version.gitCommit=${k3sCommit}"
+    "-X k8s.io/client-go/pkg/version.gitTreeState=clean"
+    "-X k8s.io/client-go/pkg/version.buildDate=1970-01-01T01:01:01Z"
+    "-X k8s.io/component-base/version.gitVersion=v${k3sVersion}"
+    "-X k8s.io/component-base/version.gitCommit=${k3sCommit}"
+    "-X k8s.io/component-base/version.gitTreeState=clean"
+    "-X k8s.io/component-base/version.buildDate=1970-01-01T01:01:01Z"
+    "-X github.com/kubernetes-sigs/cri-tools/pkg/version.Version=v${criCtlVersion}"
+    "-X github.com/containerd/containerd/version.Version=v${containerdVersion}"
+    "-X github.com/containerd/containerd/version.Package=github.com/k3s-io/containerd"
+  ];
+
+  # bundled into the k3s binary
+  traefikChart = fetchurl {
+    url = "https://helm.traefik.io/traefik/traefik-${traefikChartVersion}.tgz";
+    sha256 = traefikChartSha256;
+  };
+  # so, k3s is a complicated thing to package
+  # This derivation attempts to avoid including any random binaries from the
+  # internet. k3s-root is _mostly_ binaries built to be bundled in k3s (which
+  # we don't care about doing, we can add those as build or runtime
+  # dependencies using a real package manager).
+  # In addition to those binaries, it's also configuration though (right now
+  # mostly strongswan configuration), and k3s does use those files.
+  # As such, we download it in order to grab 'etc' and bundle it into the final
+  # k3s binary.
+  k3sRoot = fetchzip {
+    # Note: marked as apache 2.0 license
+    url = "https://github.com/k3s-io/k3s-root/releases/download/v${k3sRootVersion}/k3s-root-amd64.tar";
+    sha256 = k3sRootSha256;
+    stripRoot = false;
+  };
+  k3sCNIPlugins = buildGoModule rec {
+    pname = "k3s-cni-plugins";
+    version = k3sCNIVersion;
+    vendorSha256 = null;
+
+    subPackages = [ "." ];
+
+    src = fetchFromGitHub {
+      owner = "rancher";
+      repo = "plugins";
+      rev = "v${version}";
+      sha256 = k3sCNISha256;
+    };
+
+    postInstall = ''
+      mv $out/bin/plugins $out/bin/cni
+    '';
+
+    meta = baseMeta // {
+      description = "CNI plugins, as patched by rancher for k3s";
+    };
+  };
+  # Grab this separately from a build because it's used by both stages of the
+  # k3s build.
+  k3sRepo = fetchgit {
+    url = "https://github.com/k3s-io/k3s";
+    rev = "v${k3sVersion}";
+    sha256 = k3sRepoSha256;
+  };
+  # Stage 1 of the k3s build:
+  # Let's talk about how k3s is structured.
+  # One of the ideas of k3s is that there's the single "k3s" binary which can
+  # do everything you need, from running a k3s server, to being a worker node,
+  # to running kubectl.
+  # The way that actually works is that k3s is a single go binary that contains
+  # a bunch of bindata that it unpacks at runtime into directories (either the
+  # user's home directory or /var/lib/rancher if run as root).
+  # This bindata includes both binaries and configuration.
+  # In order to let nixpkgs do all its autostripping/patching/etc, we split this into two derivations.
+  # First, we build all the binaries that get packed into the thick k3s binary
+  # (and output them from one derivation so they'll all be suitably patched up).
+  # Then, we bundle those binaries into our thick k3s binary and use that as
+  # the final single output.
+  # This approach was chosen because it ensures the bundled binaries all are
+  # correctly built to run with nix (we can lean on the existing buildGoModule
+  # stuff), and we can again lean on that tooling for the final k3s binary too.
+  # Other alternatives would be to manually run the
+  # strip/patchelf/remove-references step ourselves in the installPhase of the
+  # derivation when we've built all the binaries, but haven't bundled them in
+  # with generated bindata yet.
+
+  k3sServer = buildGoModule rec {
+    pname = "k3s-server";
+    version = k3sVersion;
+
+    src = k3sRepo;
+    vendorSha256 = k3sVendorSha256;
+
+    nativeBuildInputs = [ pkg-config ];
+    buildInputs = [ libseccomp ];
+
+    subPackages = [ "cmd/server" ];
+    ldflags = versionldflags;
+
+    # create the multicall symlinks for k3s
+    postInstall = ''
+      mv $out/bin/server $out/bin/k3s
+      pushd $out
+      # taken verbatim from https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/build#L105-L113
+      ln -s k3s ./bin/k3s-agent
+      ln -s k3s ./bin/k3s-server
+      ln -s k3s ./bin/k3s-etcd-snapshot
+      ln -s k3s ./bin/k3s-secrets-encrypt
+      ln -s k3s ./bin/k3s-certificate
+      ln -s k3s ./bin/kubectl
+      ln -s k3s ./bin/crictl
+      ln -s k3s ./bin/ctr
+      popd
+    '';
+
+    meta = baseMeta // {
+      description = "The various binaries that get packaged into the final k3s binary";
+    };
+  };
+  k3sContainerd = buildGoModule {
+    pname = "k3s-containerd";
+    version = containerdVersion;
+    src = fetchFromGitHub {
+      owner = "k3s-io";
+      repo = "containerd";
+      rev = "v${containerdVersion}";
+      sha256 = containerdSha256;
+    };
+    vendorSha256 = null;
+    buildInputs = [ btrfs-progs ];
+    subPackages = [ "cmd/containerd" "cmd/containerd-shim-runc-v2" ];
+    ldflags = versionldflags;
+  };
+in
+buildGoModule rec {
+  pname = "k3s";
+  version = k3sVersion;
+
+  src = k3sRepo;
+  vendorSha256 = k3sVendorSha256;
+
+  patches = [
+    ./0001-script-download-strip-downloading-just-package-CRD.patch
+  ];
+
+  postPatch = ''
+    # Nix prefers dynamically linked binaries over static binary.
+
+    substituteInPlace scripts/package-cli \
+      --replace '"$LDFLAGS $STATIC" -o' \
+                '"$LDFLAGS" -o' \
+      --replace "STATIC=\"-extldflags \'-static\'\"" \
+                ""
+
+    # Upstream codegen fails with trimpath set. Removes "trimpath" for 'go generate':
+
+    substituteInPlace scripts/package-cli \
+      --replace '"''${GO}" generate' \
+                'GOFLAGS="" \
+                 GOOS="${pkgsBuildBuild.go.GOOS}" \
+                 GOARCH="${pkgsBuildBuild.go.GOARCH}" \
+                 CC="${pkgsBuildBuild.stdenv.cc}/bin/cc" \
+                 "''${GO}" generate'
+  '';
+
+  # Important utilities used by the kubelet, see
+  # https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494
+  # Note the list in that issue is stale and some aren't relevant for k3s.
+  k3sRuntimeDeps = [
+    kmod
+    socat
+    iptables
+    iproute2
+    bridge-utils
+    ethtool
+    util-linux # kubelet wants 'nsenter' from util-linux: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-705994388
+    conntrack-tools
+  ];
+
+  buildInputs = k3sRuntimeDeps;
+
+  nativeBuildInputs = [
+    makeWrapper
+    rsync
+    yq-go
+    zstd
+  ];
+
+  # embedded in the final k3s cli
+  propagatedBuildInputs = [
+    k3sCNIPlugins
+    k3sContainerd
+    k3sServer
+    runc
+  ];
+
+  # We override most of buildPhase due to peculiarities in k3s's build.
+  # Specifically, it has a 'go generate' which runs part of the package. See
+  # this comment:
+  # https://github.com/NixOS/nixpkgs/pull/158089#discussion_r799965694
+  # So, why do we use buildGoModule at all? For the `vendorSha256` / `go mod download` stuff primarily.
+  buildPhase = ''
+    patchShebangs ./scripts/package-cli ./scripts/download ./scripts/build-upload
+
+    # copy needed 'go generate' inputs into place
+    mkdir -p ./bin/aux
+    rsync -a --no-perms ${k3sServer}/bin/ ./bin/
+    ln -vsf ${runc}/bin/runc ./bin/runc
+    ln -vsf ${k3sCNIPlugins}/bin/cni ./bin/cni
+    ln -vsf ${k3sContainerd}/bin/* ./bin/
+    rsync -a --no-perms --chmod u=rwX ${k3sRoot}/etc/ ./etc/
+    mkdir -p ./build/static/charts
+    # Note, upstream's chart has a 00 suffix. This seems to not matter though, so we're ignoring that naming detail.
+    export TRAEFIK_CHART_FILE=${traefikChart}
+    # place the traefik chart using their code since it's complicated
+    # We trim the actual download, see patches
+    ./scripts/download
+
+    export ARCH=$GOARCH
+    export DRONE_TAG="v${k3sVersion}"
+    export DRONE_COMMIT="${k3sCommit}"
+    # use ./scripts/package-cli to run 'go generate' + 'go build'
+
+    ./scripts/package-cli
+    mkdir -p $out/bin
+  '';
+
+  # Otherwise it depends on 'getGoDirs', which is normally set in buildPhase
+  doCheck = false;
+
+  installPhase = ''
+    # wildcard to match the arm64 build too
+    install -m 0755 dist/artifacts/k3s* -D $out/bin/k3s
+    wrapProgram $out/bin/k3s \
+      --prefix PATH : ${lib.makeBinPath k3sRuntimeDeps} \
+      --prefix PATH : "$out/bin"
+  '';
+
+  doInstallCheck = true;
+  installCheckPhase = ''
+    $out/bin/k3s --version | grep -F "v${k3sVersion}" >/dev/null
+  '';
+
+  # Fix-Me: Needs to be adapted specifically for 1.25
+  # passthru.updateScript = ./update.sh;
+
+  # Fix-Me: Needs to be adapted specifically for 1.25
+  # passthru.tests = nixosTests.k3s;
+
+  meta = baseMeta;
+}

pkgs/applications/networking/cluster/temporal/default.nix

@@ -2,16 +2,18 @@
 
 buildGoModule rec {
   pname = "temporal";
-  version = "1.17.5";
+  version = "1.19.1";
 
   src = fetchFromGitHub {
     owner = "temporalio";
     repo = "temporal";
     rev = "v${version}";
-    sha256 = "sha256-u8GyaXpiVZdPDoPAqIa+TY+JQFZeSGOLrUy+e3E4kig=";
+    hash = "sha256-j2+K/ZDDNakofrToxhyA1gh534l3Eq6G/fNXE0ktceY=";
   };
 
-  vendorSha256 = "sha256-MT/BmGTdyEzmXjuwlA6WhLIWlrQz3Wc4Tl5dMI1587Q=";
+  vendorHash = "sha256-KkgyL37VJy1DhfCB5RJpjczBPbzQwt1xsovQ0xCXGr4=";
+
+  excludedPackages = [ "./build" ];
 
   CGO_ENABLED = 0;
 
@@ -26,6 +28,7 @@ buildGoModule rec {
     install -Dm755 "$GOPATH/bin/server" -T $out/bin/temporal-server
     install -Dm755 "$GOPATH/bin/cassandra" -T $out/bin/temporal-cassandra-tool
     install -Dm755 "$GOPATH/bin/sql" -T $out/bin/temporal-sql-tool
+    install -Dm755 "$GOPATH/bin/tdbg" -T $out/bin/tdbg
 
     runHook postInstall
   '';

pkgs/applications/networking/cluster/terraform-providers/providers.json

@@ -812,11 +812,11 @@
     "vendorHash": "sha256-LRIfxQGwG988HE5fftGl6JmBG7tTknvmgpm4Fu1NbWI="
   },
   "oci": {
-    "hash": "sha256-L8y00f+57hndpVevliJ2kNqpGeNR2Jv/FHbqkAUIRMI=",
+    "hash": "sha256-ecel4aXOqkPmeOzG5G/D8vmjo2HP9TG+c8H27pCYn2g=",
     "homepage": "https://registry.terraform.io/providers/oracle/oci",
     "owner": "oracle",
     "repo": "terraform-provider-oci",
-    "rev": "v4.105.0",
+    "rev": "v4.106.0",
     "spdx": "MPL-2.0",
     "vendorHash": null
   },
@@ -1091,11 +1091,11 @@
     "vendorHash": "sha256-2wPmLpjhG6QgG+BUCO0oIzHjBOWIOYuptgdtSIm9TZw="
   },
   "tencentcloud": {
-    "hash": "sha256-QJUxLwKG3XabACbAvLLKBG9+cmCYRQFpRTWRU6rKwfI=",
+    "hash": "sha256-yVI1f86Gpkwl3jCAs5d54rZS8lM7cjbwWq+HUXwi8EU=",
     "homepage": "https://registry.terraform.io/providers/tencentcloudstack/tencentcloud",
     "owner": "tencentcloudstack",
     "repo": "terraform-provider-tencentcloud",
-    "rev": "v1.79.7",
+    "rev": "v1.79.8",
     "spdx": "MPL-2.0",
     "vendorHash": null
   },

pkgs/applications/networking/cluster/velero/default.nix

@@ -2,14 +2,14 @@
 
 buildGoModule rec {
   pname = "velero";
-  version = "1.10.0";
+  version = "1.10.1";
 
 
   src = fetchFromGitHub {
     owner = "vmware-tanzu";
     repo = "velero";
     rev = "v${version}";
-    sha256 = "sha256-PBCTVws5N42q68rKcMLW7GgZvdsQgmdlsKMpJ5bCF00=";
+    sha256 = "sha256-jN45chUeoGJGJWD6Rj6duNE36/QCzPqci8V3h1OHtw4=";
   };
 
   ldflags = [
@@ -20,7 +20,7 @@ buildGoModule rec {
     "-X github.com/vmware-tanzu/velero/pkg/buildinfo.GitSHA=none"
   ];
 
-  vendorSha256 = "sha256-5Po8TRCE6VP+RcaIJImYjElTMHHS/2JwbrHreeWLxio=";
+  vendorHash = "sha256-mvVwf4w/65L+F6aiTNf2jmJtaT1EpWCQJ6r9NHUUUqQ=";
 
   excludedPackages = [ "issue-template-gen" "release-tools" "v1" "velero-restic-restore-helper" ];
 

pkgs/applications/networking/feedreaders/rssguard/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "rssguard";
-  version = "4.3.1";
+  version = "4.3.2";
 
   src = fetchFromGitHub {
     owner = "martinrotter";
     repo = pname;
     rev = version;
-    sha256 = "sha256-hfUtxPGPhPC2VgGLLIaYHlEMpXHAPZ5fkLL0glhyQcY=";
+    sha256 = "sha256-2h9fVah0WZ8X0GsCLtiUWRan1Gkl4WBxuEQ3gx4FFBo=";
   };
 
   buildInputs =  [ qtwebengine qttools ];

pkgs/applications/networking/instant-messengers/flare-signal/default.nix

@@ -0,0 +1,59 @@
+{ lib
+, stdenv
+, fetchFromGitLab
+, meson
+, ninja
+, pkg-config
+, protobuf
+, libsecret
+, libadwaita
+, rustPlatform
+, desktop-file-utils
+, wrapGAppsHook4
+}:
+
+stdenv.mkDerivation rec {
+  pname = "flare";
+  version = "0.6.0";
+
+  src = fetchFromGitLab {
+    domain = "gitlab.com";
+    owner = "Schmiddiii";
+    repo = pname;
+    rev = version;
+    hash = "sha256-wY95sXWGDjEy8vvP79XliJOn5GQkAvDmOXKmRz0TPEw=";
+  };
+
+  cargoDeps = rustPlatform.fetchCargoTarball {
+    inherit src;
+    name = "${pname}-${version}";
+    hash = "sha256-J3MGQlPYGjhZKH599vfW2WhkXx+Tdr53PviiVpye4R0=";
+  };
+
+  nativeBuildInputs = [
+    desktop-file-utils # for update-desktop-database
+    meson
+    ninja
+    pkg-config
+    wrapGAppsHook4
+  ] ++ (with rustPlatform; [
+    cargoSetupHook
+    rust.cargo
+    rust.rustc
+  ]);
+
+  buildInputs = [
+    libadwaita
+    libsecret
+    protobuf
+  ];
+
+  meta = {
+    changelog = "https://gitlab.com/Schmiddiii/flare/-/blob/${src.rev}/CHANGELOG.md";
+    description = "An unofficial Signal GTK client";
+    homepage = "https://gitlab.com/Schmiddiii/flare";
+    license = lib.licenses.agpl3Plus;
+    maintainers = with lib.maintainers; [ dotlambda tomfitzhenry ];
+    platforms = lib.platforms.linux;
+  };
+}

pkgs/applications/networking/instant-messengers/zoom-us/default.nix

@@ -48,23 +48,23 @@ let
   # and often with different versions.  We write them on three lines
   # like this (rather than using {}) so that the updater script can
   # find where to edit them.
-  versions.aarch64-darwin = "5.13.6.14918";
-  versions.x86_64-darwin = "5.13.6.14918";
-  versions.x86_64-linux = "5.13.5.431";
+  versions.aarch64-darwin = "5.13.7.15481";
+  versions.x86_64-darwin = "5.13.7.15481";
+  versions.x86_64-linux = "5.13.7.683";
 
   srcs = {
     aarch64-darwin = fetchurl {
       url = "https://zoom.us/client/${versions.aarch64-darwin}/zoomusInstallerFull.pkg?archType=arm64";
       name = "zoomusInstallerFull.pkg";
-      hash = "sha256-QY9z1bTKtL32HE4XWnBIvCNmDF+3x5N9BdfqJA+24fA=";
+      hash = "sha256-lCg8xCEuZSWnd4fieug9xjudE9q6pNICRsbvA4ATVK8=";
     };
     x86_64-darwin = fetchurl {
       url = "https://zoom.us/client/${versions.x86_64-darwin}/zoomusInstallerFull.pkg";
-      hash = "sha256-eSPKzxDPXCbME0eTTDlfsI5KM5qRm79JTtnGJvpiS98=";
+      hash = "sha256-jmMpkqUga/KQJfXFbGURcWQudnCKlIi5NGY6LuekjKw=";
     };
     x86_64-linux = fetchurl {
       url = "https://zoom.us/client/${versions.x86_64-linux}/zoom_x86_64.pkg.tar.xz";
-      hash = "sha256-R0IMV/+R7AGFy/ZvNyyvIBv10t1x1U1X6jdHoo6UHKY=";
+      hash = "sha256-1aA3W9eXYhjxr39PoTSAVG7mToFInF7uz8MCiJhk/10=";
     };
   };
 

pkgs/applications/networking/mailreaders/evolution/evolution/wrapper.nix

@@ -7,10 +7,16 @@ symlinkJoin {
   nativeBuildInputs = [ makeWrapper ];
 
   postBuild = ''
+    declare -a schemas;
+    for plugin in ${toString plugins}; do
+      for schema in $plugin/share/gsettings-schemas/*; do
+        schemas+=($schema);
+      done
+    done
     for i in $out/bin/* $out/libexec/**; do
     if [ ! -d $i ]; then
       echo wrapping $i
-      wrapProgram $i --set EDS_EXTRA_PREFIXES "${lib.concatStringsSep ":" plugins}"
+      wrapProgram $i --set EDS_EXTRA_PREFIXES "${lib.concatStringsSep ":" plugins}" --prefix XDG_DATA_DIRS : "''${schemas[@]}"
     fi
     done
 

pkgs/applications/networking/mailreaders/thunderbird/packages.nix

@@ -5,13 +5,13 @@ rec {
 
   thunderbird-102 = (buildMozillaMach rec {
     pname = "thunderbird";
-    version = "102.7.1";
+    version = "102.7.2";
     application = "comm/mail";
     applicationName = "Mozilla Thunderbird";
     binaryName = pname;
     src = fetchurl {
       url = "mirror://mozilla/thunderbird/releases/${version}/source/thunderbird-${version}.source.tar.xz";
-      sha512 = "6310f3f122a1a61917ec2d0efe3a031b199ac13681e9fb4035abc0f4de0dbafb12accffbd63facb23f2cebf0124a13f7538a33176a2a513d1f685bee40db50ba";
+      sha512 = "7371079d59cceb47fdd0e9661f79eae7510ab0f5bf8e80c21952dfb5fed3db72279a4ac9d3a3de3617194fb36a9420ae814a69ee19a93ba242d2aa2b921e3010";
     };
     extraPatches = [
       # The file to be patched is different from firefox's `no-buildconfig-ffx90.patch`.

pkgs/applications/networking/nextcloud-client/0001-Explicitly-copy-dbus-files-into-the-store-dir.patch

@@ -8,18 +8,13 @@ Subject: [PATCH] Explicitly copy dbus files into the store dir
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/shell_integration/libcloudproviders/CMakeLists.txt b/shell_integration/libcloudproviders/CMakeLists.txt
-index 1f35335..7f76951 100644
+index 2e7349ef7..512d4b188 100644
 --- a/shell_integration/libcloudproviders/CMakeLists.txt
 +++ b/shell_integration/libcloudproviders/CMakeLists.txt
-@@ -19,7 +19,7 @@ MACRO(PKGCONFIG_GETVAR _package _var _output_variable)
- ENDMACRO(PKGCONFIG_GETVAR _package _var _output_variable)
- 
+@@ -1,5 +1,6 @@
  macro(dbus_add_activation_service _sources)
--    PKGCONFIG_GETVAR(dbus-1 session_bus_services_dir _install_dir)
+     pkg_get_variable(_install_dir dbus-1 session_bus_services_dir)
 +    set(_install_dir "${CMAKE_INSTALL_DATADIR}/dbus-1/service")
      foreach (_i ${_sources})
          get_filename_component(_service_file ${_i} ABSOLUTE)
          string(REGEX REPLACE "\\.service.*$" ".service" _output_file ${_i})
--- 
-2.19.2
-

pkgs/applications/networking/nextcloud-client/default.nix

@@ -26,7 +26,7 @@
 
 mkDerivation rec {
   pname = "nextcloud-client";
-  version = "3.6.6";
+  version = "3.7.1";
 
   outputs = [ "out" "dev" ];
 
@@ -34,7 +34,7 @@ mkDerivation rec {
     owner = "nextcloud";
     repo = "desktop";
     rev = "v${version}";
-    sha256 = "sha256-P3LSgrcMZZM0OY3yQz8t3Cf5spJJTB+JTIpoT9U3+xc=";
+    sha256 = "sha256-MbxGS1Msb3xCW0z8FrIZEY3XaBa4BmN+JFBkV/Pf79A=";
   };
 
   patches = [

pkgs/applications/networking/sniffnet/default.nix

@@ -1,9 +1,11 @@
 { lib
 , rustPlatform
-, fetchCrate
+, fetchFromGitHub
 , pkg-config
 , libpcap
 , stdenv
+, alsa-lib
+, expat
 , fontconfig
 , libGL
 , xorg
@@ -12,20 +14,24 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "sniffnet";
-  version = "1.0.1";
+  version = "1.1.0";
 
-  src = fetchCrate {
-    inherit pname version;
-    sha256 = "sha256-8K774j04BOEuJjnFYjaSctPwBrKYYKqjFS2+PyxJ2FM=";
+  src = fetchFromGitHub {
+    owner = "gyulyvgc";
+    repo = "sniffnet";
+    rev = "v${version}";
+    hash = "sha256-zqk0N1S0vylleyyXaSflIZyWncZV0+wbSy1oAbyLx/4=";
   };
 
-  cargoSha256 = "sha256-096i4wDdoJCICd0L2QNY+7cKHQnijK22zj4XaQNuko8=";
+  cargoHash = "sha256-9CTA7Yh2O5S8DvRjwvkrb4ye0/8f+l0tsTxNBMmxLpQ=";
 
   nativeBuildInputs = [ pkg-config ];
 
   buildInputs = [
     libpcap
   ] ++ lib.optionals stdenv.isLinux [
+    alsa-lib
+    expat
     fontconfig
     libGL
     xorg.libX11
@@ -34,6 +40,7 @@ rustPlatform.buildRustPackage rec {
     xorg.libXrandr
   ] ++ lib.optionals stdenv.isDarwin [
     darwin.apple_sdk.frameworks.AppKit
+    rustPlatform.bindgenHook
   ];
 
   postFixup = lib.optionalString stdenv.isLinux ''

pkgs/applications/radio/hackrf/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "hackrf";
-  version = "2022.09.1";
+  version = "2023.01.1";
 
   src = fetchFromGitHub {
     owner = "greatscottgadgets";
     repo = "hackrf";
     rev = "v${version}";
-    sha256 = "sha256-c+9DEMxioIbEDNTdLSOnxX1zpFk07K9rlGP9goEJMlU=";
+    sha256 = "sha256-zvSSCNtqHOZVlrBggjgxEyUTqTiAIAhdzUkm4Pm9b3k=";
   };
 
   nativeBuildInputs = [

pkgs/applications/science/math/bliss/default.nix

@@ -32,6 +32,6 @@ stdenv.mkDerivation rec {
     description = "An open source tool for computing automorphism groups and canonical forms of graphs. It has both a command line user interface as well as C++ and C programming language APIs";
     homepage = "http://www.tcs.hut.fi/Software/bliss/";
     license = licenses.lgpl3;
-    platforms = [ "i686-linux" "x86_64-linux" ];
+    platforms = [ "i686-linux" "x86_64-linux" "aarch64-linux" ];
   };
 }

pkgs/applications/science/math/polymake/default.nix

@@ -25,13 +25,13 @@
 
 stdenv.mkDerivation rec {
   pname = "polymake";
-  version = "4.8";
+  version = "4.9";
 
   src = fetchurl {
     # "The minimal version is a packager friendly version which omits
     # the bundled sources of cdd, lrs, libnormaliz, nauty and jReality."
     url = "https://polymake.org/lib/exe/fetch.php/download/polymake-${version}-minimal.tar.bz2";
-    sha256 = "sha256-GfsAypJBpHwpvoEl/IzJ1gQfeMcYwB7oNe01xWJ+86w=";
+    sha256 = "sha256-BMkLgms6JsWmPhi+MZv/Eqie8BKL+KaPtk3xBZSyWfM=";
   };
 
   nativeBuildInputs = [

pkgs/applications/science/molecular-dynamics/gromacs/default.nix

@@ -19,11 +19,11 @@ let
 
 in stdenv.mkDerivation rec {
   pname = "gromacs";
-  version = "2022.4";
+  version = "2023";
 
   src = fetchurl {
     url = "ftp://ftp.gromacs.org/pub/gromacs/gromacs-${version}.tar.gz";
-    sha256 = "sha256-xRG+YC/ylAIGW1CQaEHe+YdSY5uSqV8bChBg2bXicpc=";
+    sha256 = "sha256-rJLG2nL7vMpBT9io2Xnlbs8XxMHNq+0tpc+05yd7e6g=";
   };
 
   nativeBuildInputs = [ cmake ];

pkgs/applications/version-management/gfold/default.nix

@@ -12,7 +12,7 @@
 
 let
   pname = "gfold";
-  version = "4.2.0";
+  version = "4.3.0";
 in
 rustPlatform.buildRustPackage {
   inherit pname version;
@@ -21,10 +21,10 @@ rustPlatform.buildRustPackage {
     owner = "nickgerace";
     repo = pname;
     rev = version;
-    sha256 = "sha256-cH4FhXrdT0ejpyt8G2rSGw9WE9sfOXRkSA9+FVwRmtQ=";
+    sha256 = "sha256-yvMp5x1uiJGkWHnwfONx4pVotSSE6sTW4uqWpI2AFXg=";
   };
 
-  cargoSha256 = "sha256-NmVmqBzRUdumWQ9MzolZTo0VQW9JTjIyYRwUTzGiQZ4=";
+  cargoHash = "sha256-MBWaNjs840twU9SQLvgVcXTT0RN2QJ7PiaAohiiQu3s=";
 
   buildInputs = lib.optionals stdenv.isDarwin [ libiconv Security ];
 

pkgs/applications/version-management/gh/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "gh";
-  version = "2.22.1";
+  version = "2.23.0";
 
   src = fetchFromGitHub {
     owner = "cli";
     repo = "cli";
     rev = "v${version}";
-    hash = "sha256-TREy2pzVAHClwbryfEgX2WqtQ8+RmJtCNrESeaHDHMs=";
+    hash = "sha256-91TmPIjFOCeZmbobn3mIJis5qofJFmNGuX19+Cyo8Ck=";
   };
 
-  vendorHash = "sha256-OjTl43UQGGHqCrw0kMBShuS8aonjWczfzQGmGJLhdrU=";
+  vendorHash = "sha256-NiXC0ooUkAqFCLp3eRBpryazQU94gSnw0gYFwQNeCo4=";
 
   nativeBuildInputs = [ installShellFiles ];
 

pkgs/applications/version-management/git-machete/default.nix

@@ -12,13 +12,13 @@
 
 buildPythonApplication rec {
   pname = "git-machete";
-  version = "3.14.3";
+  version = "3.15.0";
 
   src = fetchFromGitHub {
     owner = "virtuslab";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-VOny8r00JYUT4Z7LukvWTH9ZTn86vn2Dc1YhPmtdE5s=";
+    hash = "sha256-HSgCvHjSOrMPsdOPtgFUeK6b0ioVnwTtg2oHGg4BrZw=";
   };
 
   nativeBuildInputs = [ installShellFiles ];

pkgs/applications/version-management/glab/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "glab";
-  version = "1.24.1";
+  version = "1.25.3";
 
   src = fetchFromGitLab {
     owner = "gitlab-org";
     repo = "cli";
     rev = "v${version}";
-    sha256 = "sha256-CUchYPMBTINkMJg8TC8rKMVkrcj/Gy+ZxV7jbtMFvpg=";
+    hash = "sha256-x/VH6cRrJZ2t2iftBPC86FcgIwjRNzV11MwLG2y+Paw=";
   };
 
-  vendorSha256 = "sha256-NuK63ibb1t+HnSR/gCFS7HWVtfGLazVx2M+qxRNCR1I=";
+  vendorHash = "sha256-FZ1CiR8Rj/sMoCnQm6ArGQfRTlvmD14EZDmufnlTSTk=";
 
   ldflags = [
     "-s"

pkgs/applications/version-management/sourcehut/default.nix

@@ -2,6 +2,7 @@
 , callPackage
 , recurseIntoAttrs
 , nixosTests
+, config
 }:
 
 # To expose the *srht modules, they have to be a python module so we use `buildPythonModule`
@@ -28,12 +29,10 @@ let
     };
   };
 in
-with python.pkgs; recurseIntoAttrs {
+with python.pkgs; recurseIntoAttrs ({
   inherit python;
   coresrht = toPythonApplication srht;
   buildsrht = toPythonApplication buildsrht;
-  # Added 2022-10-29
-  dispatchsrht = throw "dispatch is deprecated. See https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/ for more information.";
   gitsrht = toPythonApplication gitsrht;
   hgsrht = toPythonApplication hgsrht;
   hubsrht = toPythonApplication hubsrht;
@@ -46,4 +45,7 @@ with python.pkgs; recurseIntoAttrs {
   passthru.tests = {
     nixos-sourcehut = nixosTests.sourcehut;
   };
-}
+} // lib.optionalAttrs config.allowAliases {
+  # Added 2022-10-29
+  dispatchsrht = throw "dispatch is deprecated. See https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/ for more information.";
+})

pkgs/applications/virtualization/singularity/default.nix

@@ -1,73 +0,0 @@
-{ lib
-, fetchurl
-, util-linux
-, gpgme
-, openssl
-, libuuid
-, coreutils
-, which
-, makeWrapper
-, cryptsetup
-, squashfsTools
-, buildGoPackage}:
-
-with lib;
-
-buildGoPackage rec {
-  pname = "singularity";
-  version = "3.8.7";
-
-  src = fetchurl {
-    url = "https://github.com/hpcng/singularity/releases/download/v${version}/singularity-${version}.tar.gz";
-    sha256 = "sha256-Myny5YP4SoNDyywDgKHWy86vrn0eYztcvK33FD6shZs=";
-  };
-
-  goPackagePath = "github.com/sylabs/singularity";
-
-  buildInputs = [ gpgme openssl libuuid ];
-  nativeBuildInputs = [ util-linux which makeWrapper cryptsetup ];
-  propagatedBuildInputs = [ coreutils squashfsTools ];
-
-  postPatch = ''
-    substituteInPlace internal/pkg/build/files/copy.go \
-      --replace /bin/cp ${coreutils}/bin/cp
-  '';
-
-  postConfigure = ''
-    cd go/src/github.com/sylabs/singularity
-
-    patchShebangs .
-    sed -i 's|defaultPath := "[^"]*"|defaultPath := "${lib.makeBinPath propagatedBuildInputs}"|' cmd/internal/cli/actions.go
-
-    ./mconfig -V ${version} -p $out --localstatedir=/var
-
-    # Don't install SUID binaries
-    sed -i 's/-m 4755/-m 755/g' builddir/Makefile
-  '';
-
-  buildPhase = ''
-    runHook preBuild
-    make -C builddir
-    runHook postBuild
-  '';
-
-  installPhase = ''
-    runHook preInstall
-    make -C builddir install LOCALSTATEDIR=$out/var
-    chmod 755 $out/libexec/singularity/bin/starter-suid
-
-    # Explicitly configure paths in the config file
-    sed -i 's|^# mksquashfs path =.*$|mksquashfs path = ${lib.makeBinPath [squashfsTools]}/mksquashfs|' $out/etc/singularity/singularity.conf
-    sed -i 's|^# cryptsetup path =.*$|cryptsetup path = ${lib.makeBinPath [cryptsetup]}/cryptsetup|' $out/etc/singularity/singularity.conf
-
-    runHook postInstall
-  '';
-
-  meta = with lib; {
-    homepage = "http://www.sylabs.io/";
-    description = "Application containers for linux";
-    license = licenses.bsd3;
-    platforms = platforms.linux;
-    maintainers = [ maintainers.jbedo ];
-  };
-}

pkgs/applications/virtualization/singularity/generic.nix

@@ -0,0 +1,236 @@
+# Configurations that should only be overrided by
+# overrideAttrs
+{ pname
+, version
+, src
+, projectName # "apptainer" or "singularity"
+, vendorHash ? null
+, deleteVendor ? false
+, proxyVendor ? false
+, extraConfigureFlags ? [ ]
+, extraDescription ? ""
+, extraMeta ? { }
+}:
+
+let
+  # Workaround for vendor-related attributes not overridable (#86349)
+  # should be removed when the issue is resolved
+  _defaultGoVendorArgs = {
+    inherit
+      vendorHash
+      deleteVendor
+      proxyVendor
+      ;
+  };
+in
+{ lib
+, buildGoModule
+, runCommandLocal
+  # Native build inputs
+, makeWrapper
+, pkg-config
+, util-linux
+, which
+  # Build inputs
+, bash
+, conmon
+, coreutils
+, cryptsetup
+, fakeroot
+, go
+, gpgme
+, libseccomp
+, libuuid
+  # This is for nvidia-container-cli
+, nvidia-docker
+, openssl
+, squashfsTools
+, squashfuse
+  # Overridable configurations
+, enableNvidiaContainerCli ? true
+  # Compile with seccomp support
+  # SingularityCE 3.10.0 and above requires explicit --without-seccomp when libseccomp is not available.
+, enableSeccomp ? true
+  # Whether the configure script treat SUID support as default
+, defaultToSuid ? true
+  # Whether to compile with SUID support
+, enableSuid ? false
+, starterSuidPath ? null
+  # newuidmapPath and newgidmapPath are to support --fakeroot
+  # where those SUID-ed executables are unavailable from the FHS system PATH.
+  # Path to SUID-ed newuidmap executable
+, newuidmapPath ? null
+  # Path to SUID-ed newgidmap executable
+, newgidmapPath ? null
+  # Remove the symlinks to `singularity*` when projectName != "singularity"
+, removeCompat ? false
+  # Workaround #86349
+  # should be removed when the issue is resolved
+, vendorHash ? _defaultGoVendorArgs.vendorHash
+, deleteVendor ? _defaultGoVendorArgs.deleteVendor
+, proxyVendor ? _defaultGoVendorArgs.proxyVendor
+}:
+
+let
+  defaultPathOriginal = "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin";
+  privileged-un-utils = if ((isNull newuidmapPath) && (isNull newgidmapPath)) then null else
+  (runCommandLocal "privileged-un-utils" { } ''
+    mkdir -p "$out/bin"
+    ln -s ${lib.escapeShellArg newuidmapPath} "$out/bin/newuidmap"
+    ln -s ${lib.escapeShellArg newgidmapPath} "$out/bin/newgidmap"
+  '');
+in
+buildGoModule {
+  inherit pname version src;
+
+  # Override vendorHash with the output got from
+  # nix-prefetch -E "{ sha256 }: ((import ./. { }).apptainer.override { vendorHash = sha256; }).go-modules"
+  # or with `null` when using vendored source tarball.
+  inherit vendorHash deleteVendor proxyVendor;
+
+  # go is used to compile extensions when building container images
+  allowGoReference = true;
+
+  strictDeps = true;
+
+  passthru = {
+    inherit
+      enableSeccomp
+      enableSuid
+      projectName
+      removeCompat
+      starterSuidPath
+      ;
+  };
+
+  nativeBuildInputs = [
+    makeWrapper
+    pkg-config
+    util-linux
+    which
+  ];
+
+  buildInputs = [
+    bash # To patch /bin/sh shebangs.
+    conmon
+    cryptsetup
+    gpgme
+    libuuid
+    openssl
+    squashfsTools
+    squashfuse
+  ]
+  ++ lib.optional enableNvidiaContainerCli nvidia-docker
+  ++ lib.optional enableSeccomp libseccomp
+  ;
+
+  configureScript = "./mconfig";
+
+  configureFlags = [
+    "--localstatedir=/var/lib"
+    "--runstatedir=/var/run"
+  ]
+  ++ lib.optional (!enableSeccomp) "--without-seccomp"
+  ++ lib.optional (defaultToSuid && !enableSuid) "--without-suid"
+  ++ lib.optional (!defaultToSuid && enableSuid) "--with-suid"
+  ++ extraConfigureFlags
+  ;
+
+  # Packages to prefix to the Apptainer/Singularity container runtime default PATH
+  # Use overrideAttrs to override
+  defaultPathInputs = [
+    bash
+    coreutils
+    cryptsetup # cryptsetup
+    go
+    privileged-un-utils
+    squashfsTools # mksquashfs unsquashfs # Make / unpack squashfs image
+    squashfuse # squashfuse_ll squashfuse # Mount (without unpacking) a squashfs image without privileges
+  ]
+  ++ lib.optional enableNvidiaContainerCli nvidia-docker
+  ;
+
+  postPatch = ''
+    if [[ ! -e .git || ! -e VERSION ]]; then
+      echo "${version}" > VERSION
+    fi
+    # Patch shebangs for script run during build
+    patchShebangs --build "$configureScript" makeit e2e scripts mlocal/scripts
+    # Patching the hard-coded defaultPath by prefixing the packages in defaultPathInputs
+    substituteInPlace cmd/internal/cli/actions.go \
+      --replace "defaultPath = \"${defaultPathOriginal}\"" "defaultPath = \"''${defaultPathInputs// /\/bin:}''${defaultPathInputs:+/bin:}${defaultPathOriginal}\""
+  '';
+
+  postConfigure = ''
+    # Code borrowed from pkgs/stdenv/generic/setup.sh configurePhase()
+
+    # set to empty if unset
+    : ''${configureFlags=}
+
+    # shellcheck disable=SC2086
+    $configureScript -V ${version} "''${prefixKey:---prefix=}$prefix" $configureFlags "''${configureFlagsArray[@]}"
+
+    # End of the code from pkgs/stdenv/generic/setup.sh configurPhase()
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+    make -C builddir -j"$NIX_BUILD_CORES"
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    make -C builddir install LOCALSTATEDIR="$out/var/lib"
+    runHook postInstall
+  '';
+
+  postFixup = ''
+    substituteInPlace "$out/bin/run-singularity" \
+      --replace "/usr/bin/env ${projectName}" "$out/bin/${projectName}"
+    wrapProgram "$out/bin/${projectName}" \
+      --prefix PATH : "${lib.makeBinPath [
+        fakeroot
+        squashfsTools # Singularity (but not Apptainer) expects unsquashfs from the host PATH
+      ]}"
+    # Make changes in the config file
+    ${lib.optionalString enableNvidiaContainerCli ''
+      substituteInPlace "$out/etc/${projectName}/${projectName}.conf" \
+        --replace "use nvidia-container-cli = no" "use nvidia-container-cli = yes"
+    ''}
+    ${lib.optionalString (removeCompat && (projectName != "singularity")) ''
+      unlink "$out/bin/singularity"
+      for file in "$out"/share/man/man?/singularity*.gz; do
+        if [[ -L "$file" ]]; then
+          unlink "$file"
+        fi
+      done
+      for file in "$out"/share/*-completion/completions/singularity; do
+        if [[ -e "$file" ]]
+        rm "$file"
+      done
+    ''}
+    ${lib.optionalString enableSuid (lib.warnIf (isNull starterSuidPath) "${projectName}: Null starterSuidPath when enableSuid produces non-SUID-ed starter-suid and run-time permission denial." ''
+      chmod +x $out/libexec/${projectName}/bin/starter-suid
+    '')}
+    ${lib.optionalString (enableSuid && !isNull starterSuidPath) ''
+      mv "$out"/libexec/${projectName}/bin/starter-suid{,.orig}
+      ln -s ${lib.escapeShellArg starterSuidPath} "$out/libexec/${projectName}/bin/starter-suid"
+    ''}
+  '';
+
+  meta = with lib; {
+    description = "Application containers for linux" + extraDescription;
+    longDescription = ''
+      Singularity (the upstream) renamed themselves to Apptainer
+      to distinguish themselves from a fork made by Sylabs Inc.. See
+
+      https://sylabs.io/2021/05/singularity-community-edition
+      https://apptainer.org/news/community-announcement-20211130
+    '';
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ jbedo ShamrockLee ];
+    mainProgram = projectName;
+  } // extraMeta;
+}

pkgs/applications/virtualization/singularity/packages.nix

@@ -0,0 +1,94 @@
+{ callPackage
+, fetchFromGitHub
+, nixos
+, conmon
+}:
+let
+  apptainer = callPackage
+    (import ./generic.nix rec {
+      pname = "apptainer";
+      # TODO: Upgrade to 1.1.4 only after https://github.com/apptainer/apptainer/pull/967 get merge
+      # and https://github.com/apptainer/apptainer/issues/958 get fixed
+      version = "1.1.3";
+      projectName = "apptainer";
+
+      src = fetchFromGitHub {
+        owner = "apptainer";
+        repo = "apptainer";
+        rev = "v${version}";
+        hash = "sha256-QFg6RC77OE/a6Qlzn6Zi5I7Iaq/U3/m0eI9yLArzuNc=";
+      };
+
+      # Update by running
+      # nix-prefetch -E "{ sha256 }: ((import ./. { }).apptainer.override { vendorHash = sha256; }).go-modules"
+      # at the root directory of the Nixpkgs repository
+      vendorHash = "sha256-tAnh7A8Lw5KtY7hq+sqHMEUlgXvgeeCKKIfRZFoRtug=";
+
+      extraDescription = " (previously known as Singularity)";
+      extraMeta.homepage = "https://apptainer.org";
+    })
+    {
+      # Apptainer doesn't depend on conmon
+      conmon = null;
+
+      # defaultToSuid becomes false since Apptainer 1.1.0
+      # https://github.com/apptainer/apptainer/pull/495
+      # https://github.com/apptainer/apptainer/releases/tag/v1.1.0
+      defaultToSuid = false;
+    };
+
+  singularity = callPackage
+    (import ./generic.nix rec {
+      pname = "singularity-ce";
+      version = "3.10.4";
+      projectName = "singularity";
+
+      src = fetchFromGitHub {
+        owner = "sylabs";
+        repo = "singularity";
+        rev = "v${version}";
+        hash = "sha256-bUnQXQVwaVA3Lkw3X9TBWqNBgiPxAVCHnkq0vc+CIsM=";
+      };
+
+      # Update by running
+      # nix-prefetch -E "{ sha256 }: ((import ./. { }).singularity.override { vendorHash = sha256; }).go-modules"
+      # at the root directory of the Nixpkgs repository
+      vendorHash = "sha256-K8helLcOuz3E4LzBE9y3pnZqwdwhO/iMPTN1o22ipVg=";
+
+      # Do not build conmon from the Git submodule source,
+      # Use Nixpkgs provided version
+      extraConfigureFlags = [
+        "--without-conmon"
+      ];
+
+      extraDescription = " (Sylabs Inc's fork of Singularity, a.k.a. SingularityCE)";
+      extraMeta.homepage = "https://sylabs.io/";
+    })
+    {
+      defaultToSuid = true;
+    };
+
+  genOverridenNixos = package: packageName: (nixos {
+    programs.singularity = {
+      enable = true;
+      inherit package;
+    };
+  }).config.programs.singularity.packageOverriden.overrideAttrs (oldAttrs: {
+    meta = oldAttrs.meta // {
+      description = "";
+      longDescription = ''
+        This package produces identical store derivations to `pkgs.${packageName}`
+        overriden and installed by the NixOS module `programs.singularity`
+        with default configuration.
+
+        This is for binary substitutes only. Use pkgs.${packageName} instead.
+      '';
+    };
+  });
+in
+{
+  inherit apptainer singularity;
+
+  apptainer-overriden-nixos = genOverridenNixos apptainer "apptainer";
+  singularity-overriden-nixos = genOverridenNixos singularity "singularity";
+}

pkgs/build-support/build-graalvm-native-image/default.nix

@@ -10,7 +10,6 @@
   # except in special cases. In most cases, use extraNativeBuildArgs instead
 , nativeImageBuildArgs ? [
     "-jar" jar
-    "-H:CLibraryPath=${lib.getLib graalvm}/lib"
     (lib.optionalString stdenv.isDarwin "-H:-CheckToolchain")
     "-H:Name=${executable}"
     "--verbose"
@@ -50,6 +49,8 @@ stdenv.mkDerivation (args // {
     runHook postInstall
   '';
 
+  disallowedReferences = [ graalvmDrv ];
+
   meta = {
     # default to graalvm's platforms
     platforms = graalvmDrv.meta.platforms;

pkgs/build-support/singularity-tools/default.nix

@@ -10,8 +10,8 @@
 , gawk
 , util-linux
 , runtimeShell
-, e2fsprogs }:
-
+, e2fsprogs
+}:
 rec {
   shellScript = name: text:
     writeScript name ''
@@ -20,40 +20,51 @@ rec {
       ${text}
     '';
 
-  mkLayer = {
-    name,
-    contents ? [],
-  }:
-    runCommand "singularity-layer-${name}" {
-      inherit contents;
-    } ''
+  mkLayer =
+    { name
+    , contents ? [ ]
+      # May be "apptainer" instead of "singularity"
+    , projectName ? (singularity.projectName or "singularity")
+    }:
+    runCommand "${projectName}-layer-${name}"
+      {
+        inherit contents;
+      } ''
       mkdir $out
       for f in $contents ; do
         cp -ra $f $out/
       done
     '';
 
-  buildImage = {
-    name,
-    contents ? [],
-    diskSize ? 1024,
-    runScript ? "#!${stdenv.shell}\nexec /bin/sh",
-    runAsRoot ? null,
-    memSize ? 512
-  }:
-    let layer = mkLayer {
-          inherit name;
-          contents = contents ++ [ bash runScriptFile ];
-          };
-        runAsRootFile = shellScript "run-as-root.sh" runAsRoot;
-        runScriptFile = shellScript "run-script.sh" runScript;
-        result = vmTools.runInLinuxVM (
-          runCommand "singularity-image-${name}.img" {
+  buildImage =
+    let
+      defaultSingularity = singularity;
+    in
+    { name
+    , contents ? [ ]
+    , diskSize ? 1024
+    , runScript ? "#!${stdenv.shell}\nexec /bin/sh"
+    , runAsRoot ? null
+    , memSize ? 512
+    , singularity ? defaultSingularity
+    }:
+    let
+      projectName = singularity.projectName or "singularity";
+      layer = mkLayer {
+        inherit name;
+        contents = contents ++ [ bash runScriptFile ];
+        inherit projectName;
+      };
+      runAsRootFile = shellScript "run-as-root.sh" runAsRoot;
+      runScriptFile = shellScript "run-script.sh" runScript;
+      result = vmTools.runInLinuxVM (
+        runCommand "${projectName}-image-${name}.img"
+          {
             buildInputs = [ singularity e2fsprogs util-linux gawk ];
             layerClosure = writeReferencesToFile layer;
             preVM = vmTools.createEmptyImage {
               size = diskSize;
-              fullName = "singularity-run-disk";
+              fullName = "${projectName}-run-disk";
             };
             inherit memSize;
           }
@@ -92,19 +103,20 @@ rec {
             if [ ! -e bin/sh ]; then
               ln -s ${runtimeShell} bin/sh
             fi
-            mkdir -p .singularity.d
-            ln -s ${runScriptFile} .singularity.d/runscript
+            mkdir -p .${projectName}.d
+            ln -s ${runScriptFile} .${projectName}.d/runscript
 
-            # Fill out .singularity.d
-            mkdir -p .singularity.d/env
-            touch .singularity.d/env/94-appsbase.sh
+            # Fill out .${projectName}.d
+            mkdir -p .${projectName}.d/env
+            touch .${projectName}.d/env/94-appsbase.sh
 
             cd ..
-            mkdir -p /var/singularity/mnt/{container,final,overlay,session,source}
+            mkdir -p /var/lib/${projectName}/mnt/{container,final,overlay,session,source}
             echo "root:x:0:0:System administrator:/root:/bin/sh" > /etc/passwd
             echo > /etc/resolv.conf
-            TMPDIR=$(pwd -P) singularity build $out ./img
+            TMPDIR=$(pwd -P) ${projectName} build $out ./img
           '');
 
-    in result;
+    in
+    result;
 }

pkgs/data/documentation/scheme-manpages/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "scheme-manpages";
-  version = "unstable-2022-07-04";
+  version = "unstable-2023-02-06";
 
   src = fetchFromGitHub {
     owner = "schemedoc";
     repo = "manpages";
-    rev = "0b95de112857b185b83141ac9324fb0e786c56df";
-    sha256 = "sha256-HWkZJd4t7gsbbSGiQ92Lav9EMBPMLXmXFT6HVfyFLSI=";
+    rev = "ccaa76761a1b100e99287c120196bd5f32d4a403";
+    hash = "sha256-RL/94dQiZJ60cXHQ9r4P3hRBqe55oUissCmSp4XLM+o=";
   };
 
   dontBuild = true;

pkgs/data/fonts/iosevka/default.nix

@@ -1,9 +1,8 @@
 { stdenv
 , lib
-, pkgs
 , buildNpmPackage
 , fetchFromGitHub
-, nodejs
+, darwin
 , remarshal
 , ttfautohint-nox
   # Custom font set options.
@@ -67,7 +66,13 @@ buildNpmPackage rec {
 
   npmDepsHash = "sha256-Ncf07ggyOnz/2SpgdmaYS2X/8Bad+J2sz8Yyx9Iri3E=";
 
-  nativeBuildInputs = [ nodejs remarshal ttfautohint-nox ];
+  nativeBuildInputs = [
+    remarshal
+    ttfautohint-nox
+  ] ++ lib.optionals stdenv.isDarwin [
+    # libtool
+    darwin.cctools
+  ];
 
   buildPlan =
     if builtins.isAttrs privateBuildPlan then

pkgs/data/misc/v2ray-geoip/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "v2ray-geoip";
-  version = "202302020047";
+  version = "202302081046";
 
   src = fetchFromGitHub {
     owner = "v2fly";
     repo = "geoip";
-    rev = "9ab244ed78fea88a1ce5bf789fb31bbcd81e8d17";
-    sha256 = "sha256-2NYuvzOU0W3qZqWZMr3rTNqX+0rH3fhIr1zCD5dSdWc=";
+    rev = "d85771a99440dd75294bfd9d00011307b7596d0d";
+    sha256 = "sha256-gVL7koUG3BgY8HAYWa2fTwTJIE3svGUgauwI1jlA2/M=";
   };
 
   installPhase = ''

pkgs/desktops/deepin/default.nix

@@ -3,6 +3,15 @@ let
   packages = self:
   let
     inherit (self) callPackage;
+
+    replaceAll = x: y: ''
+      echo Replacing "${x}" to "${y}":
+      for file in $(grep -rl "${x}"); do
+        echo -- $file
+        substituteInPlace $file \
+          --replace "${x}" "${y}"
+      done
+    '';
   in {
     #### LIBRARIES
     dtkcommon = callPackage ./library/dtkcommon { };
@@ -30,6 +39,15 @@ let
     deepin-picker = callPackage ./apps/deepin-picker { };
     deepin-terminal = callPackage ./apps/deepin-terminal { };
 
+    #### Go Packages
+    go-lib = callPackage ./go-package/go-lib { inherit replaceAll; };
+    go-gir-generator = callPackage ./go-package/go-gir-generator { };
+    go-dbus-factory = callPackage ./go-package/go-dbus-factory { };
+    deepin-pw-check = callPackage ./go-package/deepin-pw-check { };
+
+    #### TOOLS
+    deepin-gettext-tools = callPackage ./tools/deepin-gettext-tools { };
+
     #### ARTWORK
     dde-account-faces = callPackage ./artwork/dde-account-faces { };
     deepin-icon-theme = callPackage ./artwork/deepin-icon-theme { };

pkgs/desktops/deepin/go-package/deepin-pw-check/default.nix

@@ -0,0 +1,84 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, buildGoPackage
+, pkg-config
+, deepin-gettext-tools
+, go-dbus-factory
+, go-gir-generator
+, go-lib
+, gtk3
+, glib
+, libxcrypt
+, gettext
+, iniparser
+, cracklib
+, linux-pam
+}:
+
+buildGoPackage rec {
+  pname = "deepin-pw-check";
+  version = "5.1.18";
+
+  goPackagePath = "github.com/linuxdeepin/deepin-pw-check";
+
+  src = fetchFromGitHub {
+    owner = "linuxdeepin";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-v1Z4ArkrejjOCO1vD+BhfEl9pTfuvKgLM6Ont0IUCQk=";
+  };
+
+  goDeps = ./deps.nix;
+
+  nativeBuildInputs = [
+    pkg-config
+    gettext
+    deepin-gettext-tools
+  ];
+
+  buildInputs = [
+    go-dbus-factory
+    go-gir-generator
+    go-lib
+    glib
+    libxcrypt
+    gtk3
+    iniparser
+    cracklib
+    linux-pam
+  ];
+
+  postPatch = ''
+    sed -i 's|iniparser/||' */*.c
+    substituteInPlace misc/pkgconfig/libdeepin_pw_check.pc \
+      --replace "/usr" "$out"
+    substituteInPlace misc/system-services/com.deepin.daemon.PasswdConf.service \
+      --replace "/usr/lib/deepin-pw-check/deepin-pw-check" "$out/lib/deepin-pw-check/deepin-pw-check"
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+    GOPATH="$GOPATH:${go-dbus-factory}/share/gocode"
+    GOPATH="$GOPATH:${go-gir-generator}/share/gocode"
+    GOPATH="$GOPATH:${go-lib}/share/gocode"
+    make -C go/src/${goPackagePath}
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    make install PREFIX="$out" PKG_FILE_DIR=$out/lib/pkg-config PAM_MODULE_DIR=$out/etc/pam.d -C go/src/${goPackagePath}
+    # https://github.com/linuxdeepin/deepin-pw-check/blob/d5597482678a489077a506a87f06d2b6c4e7e4ed/debian/rules#L21
+    ln -s $out/lib/libdeepin_pw_check.so $out/lib/libdeepin_pw_check.so.1
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Tool to verify the validity of the password";
+    homepage = "https://github.com/linuxdeepin/deepin-pw-check";
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+    maintainers = teams.deepin.members;
+  };
+}

pkgs/desktops/deepin/go-package/deepin-pw-check/deps.nix

@@ -0,0 +1,75 @@
+[
+  {
+    goPackagePath = "github.com/fsnotify/fsnotify";
+    fetch = {
+      type = "git";
+      url = "https://github.com/fsnotify/fsnotify";
+      rev = "v1.5.1";
+      sha256 = "sha256-B8kZ8yiWgallT7R2j1kSRJcJkSGFVf9ise+TpXa+7XY=";
+    };
+  }
+  {
+    goPackagePath = "github.com/godbus/dbus";
+    fetch = {
+      type = "git";
+      url = "https://github.com/godbus/dbus";
+      rev = "v5.1.0";
+      sha256 = "sha256-JSPtmkGEStBEVrKGszeLCb7P38SzQKgMiDC3eDppXs0=";
+    };
+  }
+  {
+    goPackagePath = "github.com/stretchr/testify";
+    fetch = {
+      type = "git";
+      url = "https://github.com/stretchr/testify";
+      rev = "v1.7.1";
+      sha256 = "sha256-disUVIHiIDSj/go3APtJH8awSl8QwKRRFLKI7LRnl0w=";
+    };
+  }
+  {
+    goPackagePath = "golang.org/x/sys";
+    fetch = {
+      type = "git";
+      url = "https://github.com/golang/sys";
+      rev = "289d7a0edf712062d9f1484b07bdf2383f48802f";
+      sha256 = "sha256-AzS/J3OocI7mA0xsIfQzyskNKVija7F2yvuts+EFJBs=";
+    };
+  }
+  {
+    goPackagePath = "gopkg.in/yaml.v3";
+    fetch = {
+      type = "git";
+      url = "https://github.com/go-yaml/yaml";
+      rev = "496545a6307b2a7d7a710fd516e5e16e8ab62dbc";
+      sha256 = "sha256-j8yDji+vqsitpRZirpb4w/Em8nstgf28wpwkcrOlxBk=";
+    };
+  }
+  {
+    goPackagePath = "github.com/davecgh/go-spew";
+    fetch = {
+      type = "git";
+      url = "https://github.com/davecgh/go-spew";
+      rev = "v1.1.1";
+      sha256 = "sha256-nhzSUrE1fCkN0+RL04N4h8jWmRFPPPWbCuDc7Ss0akI=";
+    };
+  }
+  {
+    goPackagePath = "github.com/stretchr/objx";
+    fetch = {
+      type = "git";
+      url = "https://github.com/stretchr/objx";
+      rev = "v0.3.0";
+      sha256 = "sha256-T753/EiD5Cpk6H2JFhd+s1gFvpNptG2XlEHxZF6dQaw=";
+    };
+  }
+  {
+    goPackagePath = "github.com/pmezard/go-difflib";
+    fetch = {
+      type = "git";
+      url = "https://github.com/pmezard/go-difflib";
+      rev = "5d4384ee4fb2527b0a1256a821ebfc92f91efefc";
+      sha256 = "sha256-XA4Oj1gdmdV/F/+8kMI+DBxKPthZ768hbKsO3d9Gx90=";
+    };
+  }
+]
+

pkgs/desktops/deepin/go-package/go-dbus-factory/default.nix

@@ -0,0 +1,26 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+}:
+
+stdenv.mkDerivation rec {
+  pname = "go-dbus-factory";
+  version = "1.10.23";
+
+  src = fetchFromGitHub {
+    owner = "linuxdeepin";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-6u9Bpoa80j/K1MipncfM378/qmSSMZAlx88jE4hHYBk=";
+  };
+
+  makeFlags = [ "PREFIX=${placeholder "out"}" ];
+
+  meta = with lib; {
+    description = "Generate go binding of D-Bus interfaces";
+    homepage = "https://github.com/linuxdeepin/go-dbus-factory";
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+    maintainers = teams.deepin.members;
+  };
+}

pkgs/desktops/deepin/go-package/go-gir-generator/default.nix

@@ -0,0 +1,43 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, go
+, pkg-config
+, libgudev
+, gobject-introspection
+}:
+
+stdenv.mkDerivation rec {
+  pname = "go-gir-generator";
+  version = "2.2.0";
+
+  src = fetchFromGitHub {
+    owner = "linuxdeepin";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-lFseui/M3+TyfYoa+rnS0cGhN6gdLrgpzgOwqzYcyPk=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    go
+  ];
+
+  buildInputs = [
+    libgudev
+    gobject-introspection
+  ];
+
+  makeFlags = [
+    "PREFIX=${placeholder "out"}"
+    "GOCACHE=$(TMPDIR)/go-cache"
+  ];
+
+  meta = with lib; {
+    description = "Generate static golang bindings for GObject";
+    homepage = "https://github.com/linuxdeepin/go-gir-generator";
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+    maintainers = teams.deepin.members;
+  };
+}

pkgs/desktops/deepin/go-package/go-lib/default.nix

@@ -0,0 +1,45 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, fetchpatch
+, replaceAll
+, runtimeShell
+}:
+
+stdenv.mkDerivation rec {
+  pname = "go-lib";
+  version = "5.8.27";
+
+  src = fetchFromGitHub {
+    owner = "linuxdeepin";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-ZV5zWu7UvNKVcVo79/iKMhF4H09rGyDCvEL61H05lZc=";
+  };
+
+  patches = [
+    (fetchpatch {
+      name = "fix_IsDir_for_symlink";
+      url = "https://github.com/linuxdeepin/go-lib/commit/79239904679dc70a11e1ac8e65670afcfdd7c122.patch";
+      sha256 = "sha256-RsN9hK26i/W6P/+e1l1spCLdlgIEWTehhIW6POBOvW4=";
+    })
+  ];
+
+  postPatch = replaceAll "/bin/sh" "${runtimeShell}";
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/share/gocode/src/github.com/linuxdeepin/go-lib
+    cp -a * $out/share/gocode/src/github.com/linuxdeepin/go-lib
+    rm -r $out/share/gocode/src/github.com/linuxdeepin/go-lib/debian
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Library containing many useful go routines for things such as glib, gettext, archive, graphic, etc";
+    homepage = "https://github.com/linuxdeepin/go-lib";
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+    maintainers = teams.deepin.members;
+  };
+}

pkgs/desktops/deepin/tools/deepin-gettext-tools/default.nix

@@ -0,0 +1,50 @@
+{ stdenv
+, lib
+, fetchFromGitHub
+, gettext
+, python3Packages
+, perlPackages
+}:
+
+stdenv.mkDerivation rec {
+  pname = "deepin-gettext-tools";
+  version = "1.0.10";
+
+  src = fetchFromGitHub {
+    owner = "linuxdeepin";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-5Dd2QU6JYwuktusssNDfA7IHa6HbFcWo9sZf5PS7NtI=";
+  };
+
+  postPatch = ''
+    substituteInPlace src/generate_mo.py --replace "sudo cp" "cp"
+  '';
+
+  nativeBuildInputs = [ python3Packages.wrapPython ];
+
+  buildInputs = [
+    gettext
+    perlPackages.perl
+    perlPackages.ConfigTiny
+    perlPackages.XMLLibXML
+  ];
+
+  makeFlags = [
+    "PREFIX=${placeholder "out"}"
+  ];
+
+  postFixup = ''
+    wrapPythonPrograms
+    wrapPythonProgramsIn "$out/lib/${pname}"
+    wrapProgram $out/bin/deepin-desktop-ts-convert --set PERL5LIB $PERL5LIB
+  '';
+
+  meta = with lib; {
+    description = "Translation file processing utils for DDE development";
+    homepage = "https://github.com/linuxdeepin/deepin-gettext-tools";
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
+    maintainers = teams.deepin.members;
+  };
+}

pkgs/development/compilers/graalvm/community-edition/mkGraal.nix

@@ -28,10 +28,6 @@
   # Path for the sources file that will be used
   # See `update.nix` file for a description on how this file works
 , sourcesPath ? ./. + "/graalvm${javaVersion}-ce-sources.json"
-  # Use musl instead of glibc to allow true static builds in GraalVM's
-  # Native Image (i.e.: `--static --libc=musl`). This will cause glibc static
-  # builds to fail, so it should be used with care
-, useMusl ? false
 }:
 
 { stdenv
@@ -66,6 +62,12 @@
 , gtk3
 , jq
 , writeShellScript
+  # Use musl instead of glibc to allow true static builds in GraalVM's
+  # Native Image (i.e.: `--static --libc=musl`). This will cause glibc static
+  # builds to fail, so it should be used with care
+, useMusl ? false
+  # Extra libraries to be included in native-image using '-H:CLibraryPath' flag
+, extraCLibs ? [ ]
 }:
 
 assert useMusl -> stdenv.isLinux;
@@ -76,6 +78,11 @@ let
   name = "graalvm${javaVersion}-ce";
   sources = builtins.fromJSON (builtins.readFile sourcesPath);
 
+  cLibs = [ glibc zlib.static ]
+    ++ lib.optionals (!useMusl) [ glibc.static ]
+    ++ lib.optionals useMusl [ musl ]
+    ++ extraCLibs;
+
   runtimeLibraryPath = lib.makeLibraryPath
     ([ cups ] ++ lib.optionals gtkSupport [ cairo glib gtk3 ]);
 
@@ -118,6 +125,8 @@ let
       ++ lib.optional stdenv.hostPlatform.isLinux autoPatchelfHook;
 
     unpackPhase = ''
+      runHook preUnpack
+
       unpack_jar() {
         jar=$1
         unzip -q -o $jar -d $out
@@ -164,13 +173,13 @@ let
       for jar in "''${arr[@]:1}"; do
         unpack_jar "$jar"
       done
+
+      runHook postUnpack
     '';
 
-    outputs = [ "out" "lib" ];
-
     installPhase = ''
-      # ensure that $lib/lib exists to avoid breaking builds
-      mkdir -p "$lib/lib"
+      runHook preInstall
+
       # jni.h expects jni_md.h to be in the header search path.
       ln -s $out/include/linux/*_md.h $out/include/
 
@@ -181,26 +190,15 @@ let
         if [ -z "\''${JAVA_HOME-}" ]; then export JAVA_HOME=$out; fi
       EOF
       ${
-        lib.optionalString (stdenv.isLinux) ''
-          # provide libraries needed for static compilation
-          ${
-            if useMusl then
-              ''for f in "${musl.stdenv.cc.cc}/lib/"* "${musl}/lib/"* "${zlib.static}/lib/"*; do''
-            else
-              ''for f in "${glibc}/lib/"* "${glibc.static}/lib/"* "${zlib.static}/lib/"*; do''
-          }
-            ln -s "$f" "$out/lib/svm/clibraries/${platform.arch}/$(basename $f)"
-          done
-
-          # add those libraries to $lib output too, so we can use them with
-          # `native-image -H:CLibraryPath=''${lib.getLib graalvmXX-ce}/lib ...` and reduce
-          # closure size by not depending on GraalVM $out (that is much bigger)
-          # we always use glibc here, since musl is only supported for static compilation
-          for f in "${glibc}/lib/"*; do
-            ln -s "$f" "$lib/lib/$(basename $f)"
-          done
+        # Wrap native-image binary to pass -H:CLibraryPath flag and find glibc
+        lib.optionalString (withNativeImageSvm && stdenv.isLinux) ''
+          wrapProgram $out/bin/native-image \
+            ${lib.concatStringsSep " "
+              (map (l: "--add-flags '-H:CLibraryPath=${l}/lib'") cLibs)}
         ''
       }
+
+      runHook postInstall
     '';
 
     dontStrip = true;
@@ -240,6 +238,8 @@ let
 
     doInstallCheck = true;
     installCheckPhase = ''
+      runHook preInstallCheck
+
       echo ${
         lib.escapeShellArg ''
           public class HelloWorld {
@@ -252,16 +252,25 @@ let
       $out/bin/javac HelloWorld.java
 
       # run on JVM with Graal Compiler
+      echo "Testing GraalVM"
       $out/bin/java -XX:+UnlockExperimentalVMOptions -XX:+EnableJVMCI -XX:+UseJVMCICompiler HelloWorld | fgrep 'Hello World'
 
+      ${
+        lib.optionalString withNativeImageSvm ''
+          echo "Ahead-Of-Time compilation"
+          $out/bin/native-image -H:-CheckToolchain -H:+ReportExceptionStackTraces HelloWorld
+          ./helloworld | fgrep 'Hello World'
+        ''
+      }
+
       ${# --static flag doesn't work for darwin
         lib.optionalString (withNativeImageSvm && stdenv.isLinux && !useMusl) ''
-          echo "Ahead-Of-Time compilation"
-          $out/bin/native-image -H:-CheckToolchain -H:+ReportExceptionStackTraces --no-server HelloWorld
+          echo "Ahead-Of-Time compilation with -H:+StaticExecutableWithDynamicLibC"
+          $out/bin/native-image -H:+StaticExecutableWithDynamicLibC HelloWorld
           ./helloworld | fgrep 'Hello World'
 
           echo "Ahead-Of-Time compilation with --static"
-          $out/bin/native-image --no-server --static HelloWorld
+          $out/bin/native-image --static HelloWorld
           ./helloworld | fgrep 'Hello World'
         ''
       }
@@ -269,7 +278,7 @@ let
       ${# --static flag doesn't work for darwin
         lib.optionalString (withNativeImageSvm && stdenv.isLinux && useMusl) ''
           echo "Ahead-Of-Time compilation with --static and --libc=musl"
-          $out/bin/native-image --no-server --libc=musl --static HelloWorld
+          $out/bin/native-image --libc=musl --static HelloWorld
           ./helloworld | fgrep 'Hello World'
         ''
       }
@@ -302,6 +311,8 @@ let
           echo '1 + 1' | $out/bin/irb
         ''
       }
+
+      runHook postInstallCheck
     '';
 
     passthru = {

pkgs/development/compilers/kotlin/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "kotlin";
-  version = "1.8.0";
+  version = "1.8.10";
 
   src = fetchurl {
     url = "https://github.com/JetBrains/kotlin/releases/download/v${version}/kotlin-compiler-${version}.zip";
-    hash = "sha256-C7lBn6yYMqVqOhnK0oL48tbxI30tRn3I3+m9SipDxC4=";
+    hash = "sha256-TD+nvBu57zBYojGdi8w7cZYHn4jpL9zY0wSkb0trV4c=";
   };
 
   propagatedBuildInputs = [ jre ] ;

pkgs/development/interpreters/rakudo/zef.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "zef";
-  version = "0.14.6";
+  version = "0.15.0";
 
   src = fetchFromGitHub {
     owner = "ugexe";
     repo = "zef";
     rev = "v${version}";
-    sha256 = "sha256-3FRzqHbzNhmYg3wRvajMzTWB7lOlgrxwQvvnB3fggGM=";
+    sha256 = "sha256-MJKG/8b8l2RqWec5JoWcYLYrEKI9zrhJMyLqVcvAY+g=";
   };
 
   nativeBuildInputs = [ makeWrapper ];

pkgs/development/libraries/SDL2_image/default.nix

@@ -1,15 +1,20 @@
 { lib, stdenv, fetchurl
 , pkg-config
 , SDL2, libpng, libjpeg, libtiff, giflib, libwebp, libXpm, zlib, Foundation
+, version ? "2.6.3"
+, hash ? "sha256-kxyb5b8dfI+um33BV4KLfu6HTiPH8ktEun7/a0g2MSw="
 }:
 
-stdenv.mkDerivation rec {
+let
   pname = "SDL2_image";
-  version = "2.0.5";
+in
+
+stdenv.mkDerivation {
+  inherit pname version;
 
   src = fetchurl {
     url = "https://www.libsdl.org/projects/SDL_image/release/${pname}-${version}.tar.gz";
-    sha256 = "1l0864kas9cwpp2d32yxl81g98lx40dhbdp03dz7sbv84vhgdmdx";
+    inherit hash;
   };
 
   nativeBuildInputs = [ pkg-config ];