Merge master into staging-next

nixos/modules/services/matrix/synapse.xml

@@ -33,21 +33,26 @@
    <link xlink:href="https://github.com/matrix-org/synapse#synapse-installation">
    installation instructions of Synapse </link>.
 <programlisting>
-{ pkgs, lib, ... }:
+{ pkgs, lib, config, ... }:
 let
-  fqdn =
-    let
-      join = hostName: domain: hostName + lib.optionalString (domain != null) ".${domain}";
-    in join config.networking.hostName config.networking.domain;
-in {
-  networking = {
-    <link linkend="opt-networking.hostName">hostName</link> = "myhostname";
-    <link linkend="opt-networking.domain">domain</link> = "example.org";
+  fqdn = "${config.networking.hostName}.${config.networking.domain}";
+  clientConfig = {
+    "m.homeserver".base_url = "https://${fqdn}";
+    "m.identity_server" = {};
   };
-  <link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ];
+  serverConfig."m.server" = "${config.services.matrix-synapse.settings.server_name}:443";
+  mkWellKnown = data: ''
+    add_header Content-Type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON data}';
+  '';
+in {
+  <xref linkend="opt-networking.hostName" /> = "myhostname";
+  <xref linkend="opt-networking.domain" /> = "example.org";
+  <xref linkend="opt-networking.firewall.allowedTCPPorts" /> = [ 80 443 ];
 
-  <link linkend="opt-services.postgresql.enable">services.postgresql.enable</link> = true;
-  <link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link> = pkgs.writeText "synapse-init.sql" ''
+  <xref linkend="opt-services.postgresql.enable" /> = true;
+  <xref linkend="opt-services.postgresql.initialScript" /> = pkgs.writeText "synapse-init.sql" ''
     CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
     CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
       TEMPLATE template0
@@ -57,78 +62,41 @@ in {
 
   services.nginx = {
     <link linkend="opt-services.nginx.enable">enable</link> = true;
-    # only recommendedProxySettings and recommendedGzipSettings are strictly required,
-    # but the rest make sense as well
     <link linkend="opt-services.nginx.recommendedTlsSettings">recommendedTlsSettings</link> = true;
     <link linkend="opt-services.nginx.recommendedOptimisation">recommendedOptimisation</link> = true;
     <link linkend="opt-services.nginx.recommendedGzipSettings">recommendedGzipSettings</link> = true;
     <link linkend="opt-services.nginx.recommendedProxySettings">recommendedProxySettings</link> = true;
-
     <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
-      # This host section can be placed on a different host than the rest,
-      # i.e. to delegate from the host being accessible as ${config.networking.domain}
-      # to another host actually running the Matrix homeserver.
-      "${config.networking.domain}" = {
+      "${config.networking.domain}" = { <co xml:id='ex-matrix-synapse-dns' />
         <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;
         <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
-
-        <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/server".extraConfig</link> =
-          let
-            # use 443 instead of the default 8448 port to unite
-            # the client-server and server-server port for simplicity
-            server = { "m.server" = "${fqdn}:443"; };
-          in ''
-            add_header Content-Type application/json;
-            return 200 '${builtins.toJSON server}';
-          '';
-        <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/client".extraConfig</link> =
-          let
-            client = {
-              "m.homeserver" =  { "base_url" = "https://${fqdn}"; };
-              "m.identity_server" =  { "base_url" = "https://vector.im"; };
-            };
-          # ACAO required to allow element-web on any URL to request this json file
-          in ''
-            add_header Content-Type application/json;
-            add_header Access-Control-Allow-Origin *;
-            return 200 '${builtins.toJSON client}';
-          '';
+        <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/server".extraConfig</link> = mkWellKnown serverConfig; <co xml:id='ex-matrix-synapse-well-known-server' />
+        <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/client".extraConfig</link> = mkWellKnown clientConfig; <co xml:id='ex-matrix-synapse-well-known-client' />
       };
-
-      # Reverse proxy for Matrix client-server and server-server communication
-      ${fqdn} = {
+      "${fqdn}" = {
         <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;
         <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
-
-        # Or do a redirect instead of the 404, or whatever is appropriate for you.
-        # But do not put a Matrix Web client here! See the Element web section below.
-        <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."/".extraConfig</link> = ''
+        <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."/".extraConfig</link> = '' <co xml:id='ex-matrix-synapse-rev-default' />
           return 404;
         '';
-
-        # forward all Matrix API calls to the synapse Matrix homeserver
-        locations."/_matrix" = {
-          <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.proxyPass">proxyPass</link> = "http://[::1]:8008"; # without a trailing /
-        };
+        <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.proxyPass">locations."/_matrix".proxyPass</link> = "http://[::1]:8008"; <co xml:id='ex-matrix-synapse-rev-proxy-pass' />
+        <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.proxyPass">locations."/_synapse/client".proxyPass</link> = "http://[::1]:8008"; <co xml:id='ex-matrix-synapse-rev-client' />
       };
     };
   };
+
   services.matrix-synapse = {
     <link linkend="opt-services.matrix-synapse.enable">enable</link> = true;
-    <link linkend="opt-services.matrix-synapse.settings.server_name">server_name</link> = config.networking.domain;
-    <link linkend="opt-services.matrix-synapse.settings.listeners">listeners</link> = [
-      {
-        <link linkend="opt-services.matrix-synapse.settings.listeners._.port">port</link> = 8008;
+    <link linkend="opt-services.matrix-synapse.settings.server_name">settings.server_name</link> = config.networking.domain;
+    <link linkend="opt-services.matrix-synapse.settings.listeners">settings.listeners</link> = [
+      { <link linkend="opt-services.matrix-synapse.settings.listeners._.port">port</link> = 8008;
         <link linkend="opt-services.matrix-synapse.settings.listeners._.bind_addresses">bind_addresses</link> = [ "::1" ];
         <link linkend="opt-services.matrix-synapse.settings.listeners._.type">type</link> = "http";
         <link linkend="opt-services.matrix-synapse.settings.listeners._.tls">tls</link> = false;
         <link linkend="opt-services.matrix-synapse.settings.listeners._.x_forwarded">x_forwarded</link> = true;
         <link linkend="opt-services.matrix-synapse.settings.listeners._.resources">resources</link> = [ {
-          <link linkend="opt-services.matrix-synapse.settings.listeners._.resources._.names">names</link> = [ "client" ];
+          <link linkend="opt-services.matrix-synapse.settings.listeners._.resources._.names">names</link> = [ "client" "federation" ];
           <link linkend="opt-services.matrix-synapse.settings.listeners._.resources._.compress">compress</link> = true;
-        } {
-          <link linkend="opt-services.matrix-synapse.settings.listeners._.resources._.names">names</link> = [ "federation" ];
-          <link linkend="opt-services.matrix-synapse.settings.listeners._.resources._.compress">compress</link> = false;
         } ];
       }
     ];
@@ -136,20 +104,59 @@ in {
 }
 </programlisting>
   </para>
-
-  <para>
-   If the <code>A</code> and <code>AAAA</code> DNS records on
-   <literal>example.org</literal> do not point on the same host as the records
-   for <code>myhostname.example.org</code>, you can easily move the
-   <code>/.well-known</code> virtualHost section of the code to the host that
-   is serving <literal>example.org</literal>, while the rest stays on
-   <literal>myhostname.example.org</literal> with no other changes required.
-   This pattern also allows to seamlessly move the homeserver from
-   <literal>myhostname.example.org</literal> to
-   <literal>myotherhost.example.org</literal> by only changing the
-   <code>/.well-known</code> redirection target.
-  </para>
-
+  <calloutlist>
+   <callout arearefs='ex-matrix-synapse-dns'>
+    <para>
+     If the <code>A</code> and <code>AAAA</code> DNS records on
+     <literal>example.org</literal> do not point on the same host as the records
+     for <code>myhostname.example.org</code>, you can easily move the
+     <code>/.well-known</code> virtualHost section of the code to the host that
+     is serving <literal>example.org</literal>, while the rest stays on
+     <literal>myhostname.example.org</literal> with no other changes required.
+     This pattern also allows to seamlessly move the homeserver from
+     <literal>myhostname.example.org</literal> to
+     <literal>myotherhost.example.org</literal> by only changing the
+     <code>/.well-known</code> redirection target.
+    </para>
+   </callout>
+   <callout arearefs='ex-matrix-synapse-well-known-server'>
+    <para>
+     This section is not needed if the <link linkend="opt-services.matrix-synapse.settings.server_name">server_name</link>
+     of <package>matrix-synapse</package> is equal to the domain (i.e.
+     <literal>example.org</literal> from <literal>@foo:example.org</literal>)
+     and the federation port is 8448.
+     Further reference can be found in the <link xlink:href="https://matrix-org.github.io/synapse/latest/delegate.html">docs
+     about delegation</link>.
+    </para>
+   </callout>
+   <callout arearefs='ex-matrix-synapse-well-known-client'>
+    <para>
+     This is usually needed for homeserver discovery (from e.g. other Matrix clients).
+     Further reference can be found in the <link xlink:href="https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient">upstream docs</link>
+    </para>
+   </callout>
+   <callout arearefs='ex-matrix-synapse-rev-default'>
+    <para>
+     It's also possible to do a redirect here or something else, this vhost is not
+     needed for Matrix. It's recommended though to <emphasis>not put</emphasis> element
+     here, see also the <link linkend='ex-matrix-synapse-rev-default'>section about Element</link>.
+    </para>
+   </callout>
+   <callout arearefs='ex-matrix-synapse-rev-proxy-pass'>
+    <para>
+     Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
+     <emphasis>must not</emphasis> be used here.
+    </para>
+   </callout>
+   <callout arearefs='ex-matrix-synapse-rev-client'>
+    <para>
+     Forward requests for e.g. SSO and password-resets.
+    </para>
+   </callout>
+  </calloutlist>
+ </section>
+ <section xml:id="module-services-matrix-register-users">
+  <title>Registering Matrix users</title>
   <para>
    If you want to run a server with public registration by anybody, you can
    then enable <literal><link linkend="opt-services.matrix-synapse.settings.enable_registration">services.matrix-synapse.settings.enable_registration</link> =
@@ -159,7 +166,7 @@ in {
    To create a new user or admin, run the following after you have set the secret
    and have rebuilt NixOS:
 <screen>
-<prompt>$ </prompt>nix run nixpkgs.matrix-synapse
+<prompt>$ </prompt>nix-shell -p matrix-synapse
 <prompt>$ </prompt>register_new_matrix_user -k <replaceable>your-registration-shared-secret</replaceable> http://localhost:8008
 <prompt>New user localpart: </prompt><replaceable>your-username</replaceable>
 <prompt>Password:</prompt>
@@ -168,12 +175,51 @@ in {
 Success!
 </screen>
    In the example, this would create a user with the Matrix Identifier
-   <literal>@your-username:example.org</literal>. Note that the registration
-   secret ends up in the nix store and therefore is world-readable by any user
-   on your machine, so it makes sense to only temporarily activate the
-   <link linkend="opt-services.matrix-synapse.settings.registration_shared_secret">registration_shared_secret</link>
-   option until a better solution for NixOS is in place.
+   <literal>@your-username:example.org</literal>.
+   <warning>
+    <para>
+     When using <xref linkend="opt-services.matrix-synapse.settings.registration_shared_secret" />, the secret
+     will end up in the world-readable store. Instead it's recommended to deploy the secret
+     in an additional file like this:
+     <itemizedlist>
+      <listitem>
+       <para>
+        Create a file with the following contents:
+<programlisting>registration_shared_secret: your-very-secret-secret</programlisting>
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        Deploy the file with a secret-manager such as <link xlink:href="https://nixops.readthedocs.io/en/latest/overview.html#managing-keys"><option>deployment.keys</option></link>
+        from <citerefentry><refentrytitle>nixops</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+        or <link xlink:href="https://github.com/Mic92/sops-nix/">sops-nix</link> to
+        e.g. <filename>/run/secrets/matrix-shared-secret</filename> and ensure that it's readable
+        by <package>matrix-synapse</package>.
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        Include the file like this in your configuration:
+<programlisting>
+{
+  <xref linkend="opt-services.matrix-synapse.extraConfigFiles" /> = [
+    "/run/secrets/matrix-shared-secret"
+  ];
+}
+</programlisting>
+       </para>
+      </listitem>
+     </itemizedlist>
+    </para>
+   </warning>
   </para>
+  <note>
+   <para>
+    It's also possible to user alternative authentication mechanism such as
+    <link xlink:href="https://github.com/matrix-org/matrix-synapse-ldap3">LDAP (via <literal>matrix-synapse-ldap3</literal>)</link>
+    or <link xlink:href="https://matrix-org.github.io/synapse/latest/openid.html">OpenID</link>.
+   </para>
+  </note>
  </section>
  <section xml:id="module-services-matrix-element-web">
   <title>Element (formerly known as Riot) Web Client</title>
@@ -206,10 +252,7 @@ Success!
 
     <link linkend="opt-services.nginx.virtualHosts._name_.root">root</link> = pkgs.element-web.override {
       conf = {
-        default_server_config."m.homeserver" = {
-          "base_url" = "https://${fqdn}";
-          "server_name" = "${fqdn}";
-        };
+        default_server_config = clientConfig; # see `clientConfig` from the snippet above.
       };
     };
   };
@@ -217,15 +260,17 @@ Success!
 </programlisting>
   </para>
 
-  <para>
-   Note that the Element developers do not recommend running Element and your Matrix
-   homeserver on the same fully-qualified domain name for security reasons. In
-   the example, this means that you should not reuse the
-   <literal>myhostname.example.org</literal> virtualHost to also serve Element,
-   but instead serve it on a different subdomain, like
-   <literal>element.example.org</literal> in the example. See the
-   <link xlink:href="https://github.com/vector-im/riot-web#important-security-note">Element
-   Important Security Notes</link> for more information on this subject.
-  </para>
+  <note>
+   <para>
+    The Element developers do not recommend running Element and your Matrix
+    homeserver on the same fully-qualified domain name for security reasons. In
+    the example, this means that you should not reuse the
+    <literal>myhostname.example.org</literal> virtualHost to also serve Element,
+    but instead serve it on a different subdomain, like
+    <literal>element.example.org</literal> in the example. See the
+    <link xlink:href="https://github.com/vector-im/element-web/tree/v1.10.0#important-security-notes">Element
+    Important Security Notes</link> for more information on this subject.
+   </para>
+  </note>
  </section>
 </chapter>

nixos/modules/services/misc/gitlab.nix

@@ -1063,7 +1063,7 @@ in {
         chown ${cfg.user}:${cfg.group} ${cfg.registry.certFile}
       '';
 
-      serviceConfig = {
+      unitConfig = {
         ConditionPathExists = "!${cfg.registry.certFile}";
       };
     };

pkgs/applications/editors/your-editor/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "your-editor";
-  version = "1400";
+  version = "1403";
 
   src = fetchFromGitHub {
     owner = "your-editor";
     repo = "yed";
     rev = version;
-    sha256 = "sha256-qF+fMFHfY1fdWPAFEoCxcKHB++sFNwOaHeaMv+6gakg=";
+    sha256 = "sha256-hG0ZRAxWOdFtDgKcDysu89LOdULZmJHLi7grfVjAbwM=";
   };
 
   installPhase = ''

pkgs/applications/misc/moolticute/default.nix

@@ -9,13 +9,13 @@
 
 mkDerivation rec {
   pname = "moolticute";
-  version = "0.53.7";
+  version = "0.55.0";
 
   src = fetchFromGitHub {
     owner = "mooltipass";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-1hVvpfrfL/+DIeiPW5iVBEnoc8dy8vVWim4JjhsBlzM=";
+    sha256 = "sha256-up78503+YqUB2fR9B6W6plYksTJzTj5pkmFJ5eL/mLY=";
   };
 
   outputs = [ "out" "udev" ];

pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix

@@ -87,7 +87,7 @@ let
   fteLibPath = makeLibraryPath [ stdenv.cc.cc gmp ];
 
   # Upstream source
-  version = "11.0.14";
+  version = "11.0.15";
 
   lang = "en-US";
 
@@ -98,7 +98,7 @@ let
         "https://tor.eff.org/dist/torbrowser/${version}/tor-browser-linux64-${version}_${lang}.tar.xz"
         "https://tor.calyxinstitute.org/dist/torbrowser/${version}/tor-browser-linux64-${version}_${lang}.tar.xz"
       ];
-      sha256 = "19lsxdxbdismjrv2kmvm10cmr1x5klc2khlmrybycdw2vx7r41mn";
+      sha256 = "1gv44bi3gfg5z46fvs9wy46fgvfshad5kbxl43x3x4r70ps1nc3l";
     };
 
     i686-linux = fetchurl {
@@ -107,7 +107,7 @@ let
         "https://tor.eff.org/dist/torbrowser/${version}/tor-browser-linux32-${version}_${lang}.tar.xz"
         "https://tor.calyxinstitute.org/dist/torbrowser/${version}/tor-browser-linux32-${version}_${lang}.tar.xz"
       ];
-      sha256 = "0hkj4vn5jk3z32mdgzzwmhj5xa4mv5p1nnwqhlsbc3g5b5q8bc7q";
+      sha256 = "109291wwcy63k8hs23kx8vffpj4zvywdpy8srwaq367l0ffvfqn2";
     };
   };
 in

pkgs/applications/networking/mailreaders/neomutt/default.nix

@@ -27,6 +27,7 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
 
   postPatch = ''
+    substituteInPlace auto.def --replace /usr/sbin/sendmail sendmail
     substituteInPlace contrib/smime_keys \
       --replace /usr/bin/openssl ${openssl}/bin/openssl
 
@@ -60,8 +61,6 @@ stdenv.mkDerivation rec {
     # To make it not reference .dev outputs. See:
     # https://github.com/neomutt/neomutt/pull/2367
     "--disable-include-path-in-cflags"
-    # Look in $PATH at runtime, instead of hardcoding /usr/bin/sendmail
-    "ac_cv_path_SENDMAIL=sendmail"
     "--zlib"
   ];
 

pkgs/applications/science/misc/boinc/default.nix

@@ -4,7 +4,7 @@ sqlite, gtk2, patchelf, libXScrnSaver, libnotify, libX11, libxcb }:
 
 let
   majorVersion = "7.20";
-  minorVersion = "0";
+  minorVersion = "1";
 in
 
 stdenv.mkDerivation rec {
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
     owner = "BOINC";
     repo = "boinc";
     rev = "client_release/${majorVersion}/${version}";
-    sha256 = "sha256-W8+ALVO2OHxxBi80ZFgc8RxXneGINCHYNeMXimp9TIw=";
+    sha256 = "sha256-FRU5s/nvT3VKU78AXYlbzeru7XQwNSqDNMGrdQ3jd1w=";
   };
 
   nativeBuildInputs = [ libtool automake autoconf m4 pkg-config ];

pkgs/applications/science/misc/snakemake/default.nix

@@ -5,14 +5,14 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "snakemake";
-  version = "7.8.3";
+  version = "7.8.5";
   format = "setuptools";
 
   src = fetchFromGitHub {
     owner = "snakemake";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-fYrsum056PCRRp4P5xO6yLfog3WrE/JR1ID7+iV85fc=";
+    hash = "sha256-y1rjBp5O0aiVeFlCIw7IK4A3ehOhzy+NKa9/abhFrFo=";
   };
 
   propagatedBuildInputs = with python3.pkgs; [

pkgs/applications/window-managers/weston/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, meson, ninja, pkg-config, wayland-scanner, python3
+{ lib, stdenv, fetchurl, fetchpatch, meson, ninja, pkg-config, wayland-scanner, python3
 , wayland, libGL, mesa, libxkbcommon, cairo, libxcb
 , libXcursor, xlibsWrapper, udev, libdrm, mtdev, libjpeg, pam, dbus, libinput, libevdev
 , colord, lcms2, pipewire ? null
@@ -17,6 +17,14 @@ stdenv.mkDerivation rec {
     sha256 = "1bj7wnadr7ssn6xw7k8ki0wpj6np3kjd2pcysfz3h0mr290rc8sw";
   };
 
+  patches = [
+    # Fix race condition in build system
+    (fetchpatch {
+      url = "https://gitlab.freedesktop.org/wayland/weston/-/commit/0d3e438d080433ed5d203c876e7de6c7f8a14f98.patch";
+      sha256 = "sha256-d9NG1vUIuL4jpXqCo0myz/97JuFYesH+8kJnegQXeMU=";
+    })
+  ];
+
   nativeBuildInputs = [ meson ninja pkg-config wayland-scanner python3 ];
   buildInputs = [
     wayland libGL mesa libxkbcommon cairo libxcb libXcursor xlibsWrapper udev libdrm

pkgs/data/themes/kwin-decorations/sierra-breeze-enhanced/default.nix

@@ -9,13 +9,13 @@
 
 stdenv.mkDerivation rec {
   pname = "sierra-breeze-enhanced";
-  version = "1.0.3";
+  version = "1.1.0";
 
   src = fetchFromGitHub {
     owner = "kupiqu";
     repo = "SierraBreezeEnhanced";
     rev = "V${version}";
-    sha256 = "0kqbfn1jqsbii3hqcqlb93x8cg8dyh5mf66i9r237w41knks5mnw";
+    sha256 = "sha256-G1Ra7ld34AMPLZM0+3iEJHRFRMHVewZKTTXfmiu7PAk=";
   };
 
   nativeBuildInputs = [ cmake extra-cmake-modules wrapQtAppsHook ];

pkgs/desktops/pantheon/apps/switchboard-plugs/wacom/default.nix

@@ -1,7 +1,6 @@
 { lib
 , stdenv
 , fetchFromGitHub
-, fetchpatch
 , nix-update-script
 , meson
 , ninja
@@ -19,24 +18,15 @@
 
 stdenv.mkDerivation rec {
   pname = "switchboard-plug-wacom";
-  version = "1.0.0";
+  version = "1.0.1";
 
   src = fetchFromGitHub {
     owner = "elementary";
     repo = pname;
     rev = version;
-    sha256 = "1n2yfq4s9xpnfqjikchjp4z2nk8cmfz4g0p18cplzh5w1lvz17lm";
+    sha256 = "sha256-+E+MTIi2Dvv7TvzYEzudeIqlDcP8VP61eBh/PQz9SWI=";
   };
 
-  patches = [
-    # Upstream code not respecting our localedir
-    # https://github.com/elementary/switchboard-plug-wacom/pull/29
-    (fetchpatch {
-      url = "https://github.com/elementary/switchboard-plug-wacom/commit/2a7dee180d73ffb3521d806efb7028f5a71cb511.patch";
-      sha256 = "06ra5c0f14brmj2mmsqscpc4d1114i4qazgnsazzh2hrp04ilnva";
-    })
-  ];
-
   nativeBuildInputs = [
     meson
     ninja

pkgs/desktops/pantheon/desktop/gala/default.nix

@@ -46,6 +46,13 @@ stdenv.mkDerivation rec {
       url = "https://github.com/elementary/gala/commit/1f94db16c627f73af5dc69714611815e4691b5e8.patch";
       sha256 = "sha256-PLNbAXyOG0TMn1y2QIBnL6BOQVqBA+DBgPOVJo4nDr8=";
     })
+
+    # WindowSwitcher: fix initial alt-tab switcher indicator visibility
+    # https://github.com/elementary/gala/pull/1417
+    (fetchpatch {
+      url = "https://github.com/elementary/gala/commit/e0095415cdbfc369e6482e84b8aaffc6a04cafe7.patch";
+      sha256 = "sha256-n/BJPIrUaCQtBgDotOLq/bCAAccdbL6OwciXY115HsM=";
+    })
   ];
 
   nativeBuildInputs = [

pkgs/desktops/pantheon/desktop/wingpanel-indicators/notifications/default.nix

@@ -16,13 +16,13 @@
 
 stdenv.mkDerivation rec {
   pname = "wingpanel-indicator-notifications";
-  version = "6.0.4";
+  version = "6.0.5";
 
   src = fetchFromGitHub {
     owner = "elementary";
     repo = pname;
     rev = version;
-    sha256 = "sha256-tIpR/WIhE0Mmt2EploNNDVlAX4OUNI3VnEflTLVkfSo=";
+    sha256 = "sha256-Y/oDD/AsA9ZiKsfEV3/jnT3tmQYAIIToAZjMRVriK98=";
   };
 
   nativeBuildInputs = [

pkgs/desktops/pantheon/granite/7/default.nix

@@ -1,6 +1,7 @@
 { lib
 , stdenv
 , fetchFromGitHub
+, fetchpatch
 , nix-update-script
 , python3
 , meson
@@ -29,6 +30,16 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-fuyjQDH3C8qRYuAfQDDeW3aSWVTLtGzMAjcuAHCB1Zw=";
   };
 
+  patches = [
+    # MessageDialog: Fix large height bug
+    # https://github.com/elementary/granite/pull/616
+    (fetchpatch {
+      url = "https://github.com/elementary/granite/commit/28e9b60fc8257b2d8e76412518e96a7e03efc6e4.patch";
+      sha256 = "sha256-3VH5bhX8tuNR3Iabz3JjkLfVVyO5eSnYacFgdqurU0A=";
+      excludes = [ "data/granite.appdata.xml.in" ];
+    })
+  ];
+
   nativeBuildInputs = [
     gettext
     gobject-introspection

pkgs/development/interpreters/janet/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "janet";
-  version = "1.22.0";
+  version = "1.23.0";
 
   src = fetchFromGitHub {
     owner = "janet-lang";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-FOs8ZfO61A1amovLy4EDSZiZ6XlwVNXf1TiPvNo6BnQ=";
+    sha256 = "sha256-FQZ9I9ROC1gWGfMCxsNMN3g/arenRtC6LHsOIAKGyuE=";
   };
 
   # This release fails the test suite on darwin, remove when debugged.
@@ -26,6 +26,12 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
+  doInstallCheck = true;
+
+  installCheckPhase = ''
+    $out/bin/janet --help
+  '';
+
   meta = with lib; {
     description = "Janet programming language";
     homepage = "https://janet-lang.org/";

pkgs/development/interpreters/janet/jpm.nix

@@ -13,13 +13,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "jpm";
-  version = "0.0.2";
+  version = "1.1.0";
 
   src = fetchFromGitHub {
     owner = "janet-lang";
     repo = pname;
-    rev = version;
-    sha256 = "sha256-nv+vkDjEY711L+C5ibw48DUSNqq2UJiFC2i5LntuBNM=";
+    rev = "v${version}";
+    sha256 = "sha256-lPB4jew6RkJlDp8xOQ4YA9MkgLBImaBHcvv4WF/sLRc=";
   };
 
   # `auto-shebangs true` gives us a shebang line that points to janet inside the

pkgs/development/libraries/gtk-engine-murrine/default.nix

@@ -9,8 +9,9 @@ stdenv.mkDerivation rec {
     sha256 = "129cs5bqw23i76h3nmc29c9mqkm9460iwc8vkl7hs4xr07h8mip9";
   };
 
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ intltool gtk2 ];
+  strictDeps = true;
+  nativeBuildInputs = [ pkg-config intltool ];
+  buildInputs = [ gtk2 ];
 
   meta = {
     description = "A very flexible theme engine";

pkgs/development/libraries/jose/default.nix

@@ -1,19 +1,19 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config
+{ lib, stdenv, fetchFromGitHub, meson, pkg-config, ninja, asciidoc
 , zlib, jansson, openssl
 }:
 
 stdenv.mkDerivation rec {
   pname = "jose";
-  version = "10";
+  version = "11";
 
   src = fetchFromGitHub {
     owner = "latchset";
     repo = pname;
     rev = "v${version}";
-    sha256 = "15ac8a656m66rd9qg4dj53smykwaagqv606h18w7fiqn0ykxl4vi";
+    hash = "sha256-TKcXswF50B8MS+XHSEvqHaFSAct7VdsnZ0RtZCF04Lc=";
   };
 
-  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  nativeBuildInputs = [ meson pkg-config ninja asciidoc ];
   buildInputs = [ zlib jansson openssl ];
 
   outputs = [ "out" "dev" "man" ];

pkgs/development/ocaml-modules/digestif/default.nix

@@ -1,29 +1,27 @@
 { lib, ocaml, fetchurl, buildDunePackage
 , pkg-config, which
-, bigarray-compat, eqaf, stdlib-shims
+, eqaf
 , alcotest, astring, bos, findlib, fpath
 }:
 
 buildDunePackage rec {
   pname = "digestif";
-  version = "1.1.0";
+  version = "1.1.2";
 
-  useDune2 = true;
+  minimalOCamlVersion = "4.08";
 
   src = fetchurl {
-    url = "https://github.com/mirage/digestif/releases/download/v${version}/digestif-v${version}.tbz";
-    sha256 = "01gwkbrznci4xdcbww4ysgsciz2qs0r8jsmhp0siwbcgcrf1jjv5";
+    url = "https://github.com/mirage/digestif/releases/download/v${version}/digestif-${version}.tbz";
+    sha256 = "sha256-edNM5ROxFIV+OAqr328UcyGPGwXdflHQOJB3ntAbRmY=";
   };
 
   nativeBuildInputs = [ findlib which ];
   buildInputs = [ ocaml ];
 
-  propagatedBuildInputs = [ bigarray-compat eqaf stdlib-shims ];
-
-  strictDeps = !doCheck;
+  propagatedBuildInputs = [ eqaf ];
 
   checkInputs = [ alcotest astring bos fpath ];
-  doCheck = lib.versionAtLeast ocaml.version "4.05";
+  doCheck = true;
 
   postCheck = ''
     ocaml -I ${findlib}/lib/ocaml/${ocaml.version}/site-lib/ test/test_runes.ml

pkgs/development/python-modules/google-auth/default.nix

@@ -13,7 +13,6 @@
 , pytest-localserver
 , responses
 , rsa
-, pyopenssl
 }:
 
 buildPythonPackage rec {
@@ -29,7 +28,6 @@ buildPythonPackage rec {
     cachetools
     pyasn1-modules
     rsa
-    pyopenssl
     pyu2f
   ];
 

pkgs/development/python-modules/iminuit/default.nix

@@ -9,14 +9,14 @@
 
 buildPythonPackage rec {
   pname = "iminuit";
-  version = "2.12.0";
+  version = "2.12.1";
   format = "setuptools";
 
   disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-zQ48t1EwLAZphOqzBhLF0kGaVDF/6+UbUL4fohr8Uak=";
+    hash = "sha256-+le1b3wpze7QL5U1p7ZYB6zWoZfyCIUQlIIiLxoCPt4=";
   };
 
   nativeBuildInputs = [

pkgs/development/python-modules/pecan/default.nix

@@ -16,14 +16,14 @@
 
 buildPythonPackage rec {
   pname = "pecan";
-  version = "1.4.1";
+  version = "1.4.2";
   format = "setuptools";
 
   disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-LL0O7btXR8BM3xjEquTxxunZUPOvcK8lRLB09+16BIA=";
+    sha256 = "sha256-SbJV5wHD8UYWBfWw6PVPDCGSLXhF1BTCTdZAn+aV1VA=";
   };
 
   propagatedBuildInputs = [

pkgs/development/tools/open-policy-agent/default.nix

@@ -11,13 +11,13 @@ assert enableWasmEval && stdenv.isDarwin -> builtins.throw "building with wasm o
 
 buildGoModule rec {
   pname = "open-policy-agent";
-  version = "0.41.0";
+  version = "0.42.0";
 
   src = fetchFromGitHub {
     owner = "open-policy-agent";
     repo = "opa";
     rev = "v${version}";
-    sha256 = "sha256-mvTaVKNE+XSBhJkodKSkLHoxJPOInPCycsoeeEJXABQ=";
+    sha256 = "sha256-Sn0vtC6skQE/IxXj3cjrq5iXYjM1wi17d4eavPKhk+g=";
   };
   vendorSha256 = null;
 

pkgs/misc/drivers/epson-escpr2/default.nix

@@ -2,15 +2,15 @@
 
 stdenv.mkDerivation rec {
   pname = "epson-inkjet-printer-escpr2";
-  version = "1.1.46";
+  version = "1.1.48";
 
   src = fetchurl {
     # To find new versions, visit
     # http://download.ebz.epson.net/dsc/search/01/search/?OSC=LX and search for
     # some printer like for instance "WF-7210" to get to the most recent
     # version.
-    url = "https://download3.ebz.epson.net/dsc/f/03/00/13/43/83/99e36ae2747bfae54a5dd32dacaf189a073278aa/epson-inkjet-printer-escpr2-1.1.46-1lsb3.2.src.rpm";
-    sha256 = "sha256-7AeDULD/BB+swLBOwijilcM+yJi5slOMw2lEtquLyYw=";
+    url = "https://download3.ebz.epson.net/dsc/f/03/00/13/52/26/977f2b2c13cc185981479fbd225b802c35c92beb/epson-inkjet-printer-escpr2-1.1.48-1lsb3.2.src.rpm";
+    sha256 = "sha256-E+ZZLt7hdXojQkKr0qgdL+UuSZXAESWW9AHIfAX1jK0=";
   };
 
   unpackPhase = ''

pkgs/servers/jellyfin/nuget-deps.nix

@@ -11,6 +11,8 @@
   (fetchNuGet { pname = "Humanizer.Core"; version = "2.8.26"; sha256 = "1v8xd12yms4qq1md4vh6faxicmqrvahqdd7sdkyzrphab9v44nsm"; })
   (fetchNuGet { pname = "Jellyfin.XmlTv"; version = "10.8.0"; sha256 = "0fv923y58z9l97zhlrifmki0x1m7r52avglhrl2h1jjv1x1wkvzx"; })
   (fetchNuGet { pname = "libse"; version = "3.6.5"; sha256 = "1h0rm8jbwjp0qgayal48zdzgsqr7c7v9lnc4v8x0r0pxrb4f0x1k"; })
+  (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-arm"; version = "6.0.6"; sha256 = "1fv3xvqc98l3ma4s8f2g4fklifbj1i24fngcvlhfm4j6s295xjj1"; })
+  (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-arm64"; version = "6.0.6"; sha256 = "1z50gqg0jimk98yd0zr2vxn087h3h1qn08fdcqbaxfgpcw30yi87"; })
   (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-x64"; version = "6.0.6"; sha256 = "0ndah9cqkgswhi60wrnni10j1d2hdg8jljij83lk1wbfqbng86jm"; })
   (fetchNuGet { pname = "Microsoft.AspNetCore.Authorization"; version = "6.0.6"; sha256 = "027ffl755kl1ffc190xq3g30nxzwy3zz0v9f85405lgj5ikh9cr9"; })
   (fetchNuGet { pname = "Microsoft.AspNetCore.Metadata"; version = "6.0.6"; sha256 = "17hwh9yh72wmqn1zbx6fbinqxln89yx2sryksk7xsgypzs2dcf5n"; })
@@ -82,6 +84,10 @@
   (fetchNuGet { pname = "Microsoft.Extensions.Primitives"; version = "3.1.9"; sha256 = "0538fvjz9c27nvc6kv83b0912qvc71wz2w60svl0mscj86ds49wc"; })
   (fetchNuGet { pname = "Microsoft.Extensions.Primitives"; version = "5.0.0"; sha256 = "0swqcknyh87ns82w539z1mvy804pfwhgzs97cr3nwqk6g5s42gd6"; })
   (fetchNuGet { pname = "Microsoft.Extensions.Primitives"; version = "6.0.0"; sha256 = "1kjiw6s4yfz9gm7mx3wkhp06ghnbs95icj9hi505shz9rjrg42q2"; })
+  (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-arm"; version = "6.0.6"; sha256 = "0kygwac98rxq89g83lyzn21kslvgdkcqfd1dnba2ssw7q056fbgy"; })
+  (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-arm64"; version = "6.0.6"; sha256 = "0hlxq0k60ras0wj7d7q94dxd8nzjcry0kixxs6z1hyrbm4q0y3ls"; })
+  (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-arm"; version = "6.0.6"; sha256 = "088ggz1ac5z4ir707xmxiw4dlcaacfgmyvvlgwvsxhnv3fngf8b6"; })
+  (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-arm64"; version = "6.0.6"; sha256 = "117rz4gm7ihns5jlc2x05h7kdcgrl0ic4v67dzfbbr9kpra1bmcw"; })
   (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-x64"; version = "6.0.6"; sha256 = "0fjbjh7yxqc9h47ix37y963xi9f9y99jvl26cw3x3kvjlb8x0bgj"; })
   (fetchNuGet { pname = "Microsoft.NETCore.Platforms"; version = "1.0.1"; sha256 = "01al6cfxp68dscl15z7rxfw9zvhm64dncsw09a1vmdkacsa2v6lr"; })
   (fetchNuGet { pname = "Microsoft.NETCore.Platforms"; version = "1.1.0"; sha256 = "08vh1r12g6ykjygq5d3vq09zylgb84l63k49jc4v8faw9g93iqqm"; })

pkgs/servers/jellyfin/update.sh

@@ -29,7 +29,11 @@ chmod -R +w "$src"
 pushd "$src"
 
 mkdir ./nuget_tmp.packages
+
+dotnet restore Jellyfin.Server --packages ./nuget_tmp.packages --runtime linux-x86
 dotnet restore Jellyfin.Server --packages ./nuget_tmp.packages --runtime linux-x64
+dotnet restore Jellyfin.Server --packages ./nuget_tmp.packages --runtime linux-arm
+dotnet restore Jellyfin.Server --packages ./nuget_tmp.packages --runtime linux-arm64
 
 nuget-to-nix ./nuget_tmp.packages > "$nugetDepsFile"
 

pkgs/servers/monitoring/nagios/plugins/check_ssl_cert.nix

@@ -10,13 +10,13 @@
 
 stdenv.mkDerivation rec {
   pname = "check_ssl_cert";
-  version = "2.32.0";
+  version = "2.33.0";
 
   src = fetchFromGitHub {
     owner = "matteocorti";
     repo = "check_ssl_cert";
     rev = "v${version}";
-    hash = "sha256-CoWoV9Vv9j0VmkRw7bQFArkKZA2Qq+7ae3ujogsUWso=";
+    hash = "sha256-LNs7v56Gk8pLM+vUwQKx85cTvcCZxfpuceOXih9t6kE=";
   };
 
   nativeBuildInputs = [

pkgs/servers/web-apps/phylactery/default.nix

@@ -2,7 +2,7 @@
 
 buildGoPackage rec {
   pname = "phylactery";
-  version = "0.1.1";
+  version = "0.1.2";
 
   goPackagePath = "git.sr.ht/~cnx/phylactery";
 
@@ -10,7 +10,7 @@ buildGoPackage rec {
     owner = "~cnx";
     repo = pname;
     rev = version;
-    sha256 = "sha256-HcpdPQ1WOMFNdfsZb//GvUVBCbmS3jARbcXjchlv2oE=";
+    sha256 = "sha256-HQN6wJ/4YeuQaDcNgdHj0RgYnn2NxXGRfxybmv60EdQ=";
   };
 
   # Upstream repo doesn't provide any test.

pkgs/tools/misc/flameshot/default.nix

@@ -10,13 +10,13 @@
 
 mkDerivation rec {
   pname = "flameshot";
-  version = "12.0.0";
+  version = "12.1.0";
 
   src = fetchFromGitHub {
     owner = "flameshot-org";
     repo = "flameshot";
     rev = "v${version}";
-    sha256 = "sha256-ByW+XYTaeBTTbOaxNeF367nqgnBM+EC8jm+PmwHcVGQ=";
+    sha256 = "sha256-omyMN8d+g1uYsEw41KmpJCwOmVWLokEfbW19vIvG79w=";
   };
 
   passthru = {

pkgs/tools/misc/panoply/default.nix

@@ -2,11 +2,11 @@
 
 stdenvNoCC.mkDerivation rec {
   pname = "panoply";
-  version = "5.0.6";
+  version = "5.1.0";
 
   src = fetchurl {
     url = "https://www.giss.nasa.gov/tools/panoply/download/PanoplyJ-${version}.tgz";
-    sha256 = "0nbr22sxfmk48ngk9gb1vcwv3fkd5m0v208xx6vl00nlnbh4kms4";
+    sha256 = "08wh9i0pk7qq2az0nd8g8gqlzwril49qffi0zcrmn7r0nx44cdjm";
   };
 
   nativeBuildInputs = [ makeWrapper ];

pkgs/tools/networking/vopono/default.nix

@@ -5,14 +5,14 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "vopono";
-  version = "0.9.2";
+  version = "0.10.0";
 
   src = fetchCrate {
     inherit pname version;
-    sha256 = "sha256-Z9eAbGq4ePbLyp6SWSbgLy4ogo2EFMps2HT8JUQFuR4=";
+    sha256 = "sha256-89Mzn2knClBJwVlCglR5BOOo5dXRP1Gqp/mmwHvwM3c=";
   };
 
-  cargoHash = "sha256-aeukVOn6uBZlsPl35erJNlKxp929czuFCzllswYOWhM=";
+  cargoHash = "sha256-8m/zlmeYcYCxycP9W6eweRJ2Vf/8+GSYf+NNz3NtnIw=";
 
   meta = with lib; {
     description = "Run applications through VPN connections in network namespaces";

pkgs/tools/security/commix/default.nix

@@ -5,14 +5,14 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "commix";
-  version = "3.4";
+  version = "3.5";
   format = "setuptools";
 
   src = fetchFromGitHub {
     owner = "commixproject";
     repo = pname;
-    rev = "v${version}";
-    hash = "sha256-JM4NE77LpgsdWhzPe/8K0sQhOSpzDu9usuH7pfQ6dR0=";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-3UCHTgIW7ArXQD0Kj5XwE1I5VszsueXDJ68QWdQrAho=";
   };
 
   # Project has no tests

pkgs/tools/security/kdigger/default.nix

@@ -3,18 +3,17 @@
 , buildGoModule
 , fetchFromGitHub
 , installShellFiles
-, fetchpatch
 }:
 
 buildGoModule rec {
   pname = "kdigger";
-  version = "1.2.0";
+  version = "1.2.1";
 
   src = fetchFromGitHub {
     owner = "quarkslab";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-j4HIwfRIUpV25DmbQ+9go8aJMEYaFDPxrdr/zGWBeVU=";
+    sha256 = "sha256-xNOfxJJa0KbrxP1YRDEhnJEmKmpWzXchJWZ/2StR2O0=";
     # populate values that require us to use git. By doing this in postFetch we
     # can delete .git afterwards and maintain better reproducibility of the src.
     leaveDotGit = true;
@@ -26,17 +25,11 @@ buildGoModule rec {
   };
   vendorSha256 = "sha256-3vn3MsE/4lBw89wgYgzm0RuJJ5RQTkgS6O74PpfFcUk=";
 
-  patches = [
-    (fetchpatch {
-      name = "simplify-ldflags.patch";
-      url = "https://github.com/quarkslab/kdigger/pull/2.patch";
-      sha256 = "sha256-d/NdoAdnheVgdqr2EF2rNn3gJvbjRZtOKFw2DqWR8TY=";
-    })
-  ];
-
   nativeBuildInputs = [ installShellFiles ];
 
+  # static to be easily copied into containers since it's an in-pod pen-testing tool
   CGO_ENABLED = 0;
+
   ldflags = [
     "-s"
     "-w"
@@ -76,7 +69,6 @@ buildGoModule rec {
     '';
     license = licenses.asl20;
     maintainers = with maintainers; [ jk ];
-    # aarch64-linux support progress - https://github.com/quarkslab/kdigger/issues/3
-    platforms = [ "x86_64-linux" ];
+    platforms = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" ];
   };
 }

pkgs/tools/security/vaultwarden/vault.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "vaultwarden-vault";
-  version = "2.27.0";
+  version = "2022.5.2";
 
   src = fetchurl {
     url = "https://github.com/dani-garcia/bw_web_builds/releases/download/v${version}/bw_web_v${version}.tar.gz";
-    sha256 = "sha256-r4z45gjVB+RMZM0IE/ec0yf+rt4YDz5IpZEz5FlQSds=";
+    sha256 = "sha256-clsiEC9nwfrGMIBwT95G3tR3KLxMvMM553s8it/3JtM=";
   };
 
   buildCommand = ''