Merge master into staging-next

maintainers/maintainer-list.nix

@@ -8570,6 +8570,12 @@
     name = "John Soo";
     githubId = 10039785;
   };
+  jsusk = {
+    email = "joshua@suskalo.org";
+    github = "IGJoshua";
+    name = "Joshua Suskalo";
+    githubId = 27734541;
+  };
   jtbx = {
     email = "jtbx@duck.com";
     name = "Jeremy Baxter";

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -261,6 +261,8 @@ The module update takes care of the new config syntax and the data itself (user
 
 - The `cawbird` package is dropped from nixpkgs, as it got broken by the Twitter API closing down and has been abandoned upstream.
 
+- Certificate generation via the `security.acme` now limits the concurrent number of running certificate renewals and generation jobs, to avoid spiking resource usage when processing many certificates at once. The limit defaults to *5* and can be adjusted via `maxConcurrentRenewals`. Setting it to *0* disables the limits altogether.
+
 ## Nixpkgs internals {#sec-release-23.11-nixpkgs-internals}
 
 - The use of `sourceRoot = "source";`, `sourceRoot = "source/subdir";`, and similar lines in package derivations using the default `unpackPhase` is deprecated as it requires `unpackPhase` to always produce a directory named "source". Use `sourceRoot = src.name`, `sourceRoot = "${src.name}/subdir";`, or `setSourceRoot = "sourceRoot=$(echo */subdir)";` or similar instead.

nixos/modules/security/acme/default.nix

@@ -1,6 +1,8 @@
 { config, lib, pkgs, options, ... }:
 with lib;
 let
+
+
   cfg = config.security.acme;
   opt = options.security.acme;
   user = if cfg.useRoot then "root" else "acme";
@@ -14,6 +16,36 @@ let
   mkAccountHash = acmeServer: data: mkHash "${toString acmeServer} ${data.keyType} ${data.email}";
   accountDirRoot = "/var/lib/acme/.lego/accounts/";
 
+  lockdir = "/run/acme/";
+  concurrencyLockfiles = map (n: "${toString n}.lock") (lib.range 1 cfg.maxConcurrentRenewals);
+  # Assign elements of `baseList` to each element of `needAssignmentList`, until the latter is exhausted.
+  # returns: [{fst = "element of baseList"; snd = "element of needAssignmentList"}]
+  roundRobinAssign = baseList: needAssignmentList:
+    if baseList == [] then []
+    else _rrCycler baseList baseList needAssignmentList;
+  _rrCycler = with builtins; origBaseList: workingBaseList: needAssignmentList:
+    if (workingBaseList == [] || needAssignmentList == [])
+    then []
+    else
+      [{ fst = head workingBaseList; snd = head needAssignmentList;}] ++
+      _rrCycler origBaseList (if (tail workingBaseList == []) then origBaseList else tail workingBaseList) (tail needAssignmentList);
+  attrsToList = mapAttrsToList (attrname: attrval: {name = attrname; value = attrval;});
+  # for an AttrSet `funcsAttrs` having functions as values, apply single arguments from
+  # `argsList` to them in a round-robin manner.
+  # Returns an attribute set with the applied functions as values.
+  roundRobinApplyAttrs = funcsAttrs: argsList: lib.listToAttrs (map (x: {inherit (x.snd) name; value = x.snd.value x.fst;}) (roundRobinAssign argsList (attrsToList funcsAttrs)));
+  wrapInFlock = lockfilePath: script:
+    # explainer: https://stackoverflow.com/a/60896531
+    ''
+      exec {LOCKFD}> ${lockfilePath}
+      echo "Waiting to acquire lock ${lockfilePath}"
+      ${pkgs.flock}/bin/flock ''${LOCKFD} || exit 1
+      echo "Acquired lock ${lockfilePath}"
+    ''
+    + script + "\n"
+    + ''echo "Releasing lock ${lockfilePath}"  # only released after process exit'';
+
+
   # There are many services required to make cert renewals work.
   # They all follow a common structure:
   #   - They inherit this commonServiceConfig
@@ -31,6 +63,7 @@ let
     ProtectSystem = "strict";
     ReadWritePaths = [
       "/var/lib/acme"
+      lockdir
     ];
     PrivateTmp = true;
 
@@ -118,7 +151,8 @@ let
       # We don't want this to run every time a renewal happens
       RemainAfterExit = true;
 
-      # These StateDirectory entries negate the need for tmpfiles
+      # StateDirectory entries are a cleaner, service-level mechanism
+      # for dealing with persistent service data
       StateDirectory = [ "acme" "acme/.lego" "acme/.lego/accounts" ];
       StateDirectoryMode = 755;
       WorkingDirectory = "/var/lib/acme";
@@ -127,6 +161,25 @@ let
       ExecStart = "+" + (pkgs.writeShellScript "acme-fixperms" script);
     };
   };
+  lockfilePrepareService = {
+    description = "Manage lock files for acme services";
+
+    # ensure all required lock files exist, but none more
+    script = ''
+      GLOBIGNORE="${concatStringsSep ":" concurrencyLockfiles}"
+      rm -f *
+      unset GLOBIGNORE
+
+      xargs touch <<< "${toString concurrencyLockfiles}"
+    '';
+
+    serviceConfig = commonServiceConfig // {
+      # We don't want this to run every time a renewal happens
+      RemainAfterExit = true;
+      WorkingDirectory = lockdir;
+    };
+  };
+
 
   certToConfig = cert: data: let
     acmeServer = data.server;
@@ -229,10 +282,10 @@ let
       };
     };
 
-    selfsignService = {
+    selfsignService = lockfileName: {
       description = "Generate self-signed certificate for ${cert}";
-      after = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ];
-      requires = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ];
+      after = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ] ++ optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service";
+      requires = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ] ++ optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service";
 
       path = with pkgs; [ minica ];
 
@@ -256,7 +309,7 @@ let
       # Working directory will be /tmp
       # minica will output to a folder sharing the name of the first domain
       # in the list, which will be ${data.domain}
-      script = ''
+      script = (if (lockfileName == null) then lib.id else wrapInFlock "${lockdir}${lockfileName}") ''
         minica \
           --ca-key ca/key.pem \
           --ca-cert ca/cert.pem \
@@ -277,10 +330,10 @@ let
       '';
     };
 
-    renewService = {
+    renewService = lockfileName: {
       description = "Renew ACME certificate for ${cert}";
-      after = [ "network.target" "network-online.target" "acme-fixperms.service" "nss-lookup.target" ] ++ selfsignedDeps;
-      wants = [ "network-online.target" "acme-fixperms.service" ] ++ selfsignedDeps;
+      after = [ "network.target" "network-online.target" "acme-fixperms.service" "nss-lookup.target" ] ++ selfsignedDeps ++ optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service";
+      wants = [ "network-online.target" "acme-fixperms.service" ] ++ selfsignedDeps ++ optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service";
 
       # https://github.com/NixOS/nixpkgs/pull/81371#issuecomment-605526099
       wantedBy = optionals (!config.boot.isContainer) [ "multi-user.target" ];
@@ -329,7 +382,7 @@ let
       };
 
       # Working directory will be /tmp
-      script = ''
+      script = (if (lockfileName == null) then lib.id else wrapInFlock "${lockdir}${lockfileName}") ''
         ${optionalString data.enableDebugLogs "set -x"}
         set -euo pipefail
 
@@ -755,6 +808,17 @@ in {
           }
         '';
       };
+      maxConcurrentRenewals = mkOption {
+        default = 5;
+        type = types.int;
+        description = lib.mdDoc ''
+          Maximum number of concurrent certificate generation or renewal jobs. All other
+          jobs will queue and wait running jobs to finish. Reduces the system load of
+          certificate generation.
+
+          Set to `0` to allow unlimited number of concurrent job runs."
+          '';
+      };
     };
   };
 
@@ -875,12 +939,28 @@ in {
 
       users.groups.acme = {};
 
-      systemd.services = {
-        "acme-fixperms" = userMigrationService;
-      } // (mapAttrs' (cert: conf: nameValuePair "acme-${cert}" conf.renewService) certConfigs)
+      # for lock files, still use tmpfiles as they should better reside in /run
+      systemd.tmpfiles.rules = [
+        "d ${lockdir} 0700 ${user} - - -"
+        "Z ${lockdir} 0700 ${user} - - -"
+      ];
+
+      systemd.services = let
+        renewServiceFunctions = mapAttrs' (cert: conf: nameValuePair "acme-${cert}" conf.renewService) certConfigs;
+        renewServices =  if cfg.maxConcurrentRenewals > 0
+          then roundRobinApplyAttrs renewServiceFunctions concurrencyLockfiles
+          else mapAttrs (_: f: f null) renewServiceFunctions;
+        selfsignServiceFunctions = mapAttrs' (cert: conf: nameValuePair "acme-selfsigned-${cert}" conf.selfsignService) certConfigs;
+        selfsignServices = if cfg.maxConcurrentRenewals > 0
+          then roundRobinApplyAttrs selfsignServiceFunctions concurrencyLockfiles
+          else mapAttrs (_: f: f null) selfsignServiceFunctions;
+        in
+        { "acme-fixperms" = userMigrationService; }
+        // (optionalAttrs (cfg.maxConcurrentRenewals > 0) {"acme-lockfiles" = lockfilePrepareService; })
+        // renewServices
         // (optionalAttrs (cfg.preliminarySelfsigned) ({
         "acme-selfsigned-ca" = selfsignCAService;
-      } // (mapAttrs' (cert: conf: nameValuePair "acme-selfsigned-${cert}" conf.selfsignService) certConfigs)));
+      } // selfsignServices));
 
       systemd.timers = mapAttrs' (cert: conf: nameValuePair "acme-${cert}" conf.renewTimer) certConfigs;
 

nixos/modules/services/home-automation/zigbee2mqtt.nix

@@ -66,9 +66,10 @@ in
         server = mkDefault "mqtt://localhost:1883";
       };
       serial.port = mkDefault "/dev/ttyACM0";
-      # reference device configuration, that is kept in a separate file
+      # reference device/group configuration, that is kept in a separate file
       # to prevent it being overwritten in the units ExecStartPre script
       devices = mkDefault "devices.yaml";
+      groups = mkDefault "groups.yaml";
     };
 
     systemd.services.zigbee2mqtt = {

nixos/tests/acme.nix

@@ -266,6 +266,37 @@ in {
           }
         ];
 
+        concurrency-limit.configuration = {pkgs, ...}: lib.mkMerge [
+          webserverBasicConfig {
+            security.acme.maxConcurrentRenewals = 1;
+
+            services.nginx.virtualHosts = {
+              "f.example.test" = vhostBase // {
+                enableACME = true;
+              };
+              "g.example.test" = vhostBase // {
+                enableACME = true;
+              };
+              "h.example.test" = vhostBase // {
+                enableACME = true;
+              };
+            };
+
+            systemd.services = {
+              # check for mutual exclusion of starting renew services
+              "acme-f.example.test".serviceConfig.ExecPreStart = "+" + (pkgs.writeShellScript "test-f" ''
+                test "$(systemctl is-active acme-{g,h}.example.test.service | grep activating | wc -l)" -le 0
+                '');
+              "acme-g.example.test".serviceConfig.ExecPreStart = "+" + (pkgs.writeShellScript "test-g" ''
+                test "$(systemctl is-active acme-{f,h}.example.test.service | grep activating | wc -l)" -le 0
+                '');
+              "acme-h.example.test".serviceConfig.ExecPreStart = "+" + (pkgs.writeShellScript "test-h" ''
+                test "$(systemctl is-active acme-{g,f}.example.test.service | grep activating | wc -l)" -le 0
+                '');
+              };
+          }
+        ];
+
         # Test lego internal server (listenHTTP option)
         # Also tests useRoot option
         lego-server.configuration = { ... }: {
@@ -297,7 +328,7 @@ in {
 
           services.caddy = {
             enable = true;
-            virtualHosts."a.exmaple.test" = {
+            virtualHosts."a.example.test" = {
               useACMEHost = "example.test";
               extraConfig = ''
                 root * ${documentRoot}
@@ -591,6 +622,15 @@ in {
           webserver.wait_for_unit("nginx.service")
           check_connection(client, "slow.example.test")
 
+      with subtest("Can limit concurrency of running renewals"):
+          switch_to(webserver, "concurrency-limit")
+          webserver.wait_for_unit("acme-finished-f.example.test.target")
+          webserver.wait_for_unit("acme-finished-g.example.test.target")
+          webserver.wait_for_unit("acme-finished-h.example.test.target")
+          check_connection(client, "f.example.test")
+          check_connection(client, "g.example.test")
+          check_connection(client, "h.example.test")
+
       with subtest("Works with caddy"):
           switch_to(webserver, "caddy")
           webserver.wait_for_unit("acme-finished-example.test.target")

pkgs/applications/finance/denaro/default.nix

@@ -14,13 +14,13 @@
 
 buildDotnetModule rec {
   pname = "denaro";
-  version = "2023.8.1";
+  version = "2023.9.1";
 
   src = fetchFromGitHub {
     owner = "NickvisionApps";
     repo = "Denaro";
     rev = version;
-    hash = "sha256-wq5dwSgfmEHy38LPjWOE+J+prjIYy2z4Hezq/45Ddjk=";
+    hash = "sha256-WODAdIKCnDaOWmLir1OfYfAUaULwV8yEFMlfyO/cmfE=";
   };
 
   dotnet-sdk = dotnetCorePackages.sdk_7_0;
@@ -65,7 +65,7 @@ buildDotnetModule rec {
     mainProgram = "NickvisionMoney.GNOME";
     license = licenses.mit;
     changelog = "https://github.com/nlogozzo/NickvisionMoney/releases/tag/${version}";
-    maintainers = with maintainers; [ chuangzhu ];
+    maintainers = with maintainers; [ chuangzhu kashw2 ];
     platforms = platforms.linux;
   };
 }

pkgs/applications/finance/denaro/deps.nix

@@ -37,7 +37,7 @@
   (fetchNuGet { pname = "Microsoft.NETCore.Targets"; version = "5.0.0"; sha256 = "0z3qyv7qal5irvabc8lmkh58zsl42mrzd1i0sssvzhv4q4kl3cg6"; })
   (fetchNuGet { pname = "Microsoft.Win32.Primitives"; version = "4.3.0"; sha256 = "0j0c1wj4ndj21zsgivsc24whiya605603kxrbiw6wkfdync464wq"; })
   (fetchNuGet { pname = "NETStandard.Library"; version = "1.6.1"; sha256 = "1z70wvsx2d847a2cjfii7b83pjfs34q05gb037fdjikv5kbagml8"; })
-  (fetchNuGet { pname = "Nickvision.Aura"; version = "2023.8.8"; sha256 = "0l8khkg0df26dqra26wl74s73cxidbqw3k5l7jv0579gvkkv9893"; })
+  (fetchNuGet { pname = "Nickvision.Aura"; version = "2023.9.1"; sha256 = "sha256-+6CXO7K/liVUHFPwdBUEUi2r5d5+/cHfoiZ15xURBBg="; })
   (fetchNuGet { pname = "Nickvision.GirExt"; version = "2023.7.3"; sha256 = "1ahf4mld9khk2gaja30zfcjmhclz2l2nims0q4l7jk2nm9p7rzi9"; })
   (fetchNuGet { pname = "OfxSharp.NetStandard"; version = "1.0.0"; sha256 = "1v7yw2glyywb4s0y5fw306bzh2vw175bswrhi5crvd92wf93makj"; })
   (fetchNuGet { pname = "PdfSharpCore"; version = "1.3.56"; sha256 = "0a01b2a14gygh25rq3509rky85331l8808q052br2fzidhb2vc10"; })

pkgs/applications/networking/browsers/chromium/upstream-info.nix

@@ -41,9 +41,9 @@
         version = "2023-06-09";
       };
     };
-    sha256 = "0v3i688wszchyfs10zgax6yyig2wrdb38fhlzmlsbfh5vawpg5pq";
-    sha256bin64 = "1y442x3n76x9ahsw45m8yw65854h7b5zpmp4ipyvlwm5fx15zn6d";
-    version = "116.0.5845.140";
+    sha256 = "09b0i48sr5ynlhpya4lwnhgp081q4lqd23cc5l59dsxzh5ivbycb";
+    sha256bin64 = "1d49qcjh5mhfzqzjn4ilj23dpzd6nyl1pij5iv43dwxl8z2r3l3m";
+    version = "116.0.5845.179";
   };
   ungoogled-chromium = {
     deps = {
@@ -54,12 +54,12 @@
         version = "2023-06-09";
       };
       ungoogled-patches = {
-        rev = "116.0.5845.140-1";
-        sha256 = "1ydki4hmrx01q39jprv2drln934b589lgy0j7g0y1df7lp02h95n";
+        rev = "116.0.5845.179-1";
+        sha256 = "0if5717w6211fbhqzgfrigy5q6yag7lj6ycdjpn1b5d0ryc97rnr";
       };
     };
-    sha256 = "0v3i688wszchyfs10zgax6yyig2wrdb38fhlzmlsbfh5vawpg5pq";
-    sha256bin64 = "1y442x3n76x9ahsw45m8yw65854h7b5zpmp4ipyvlwm5fx15zn6d";
-    version = "116.0.5845.140";
+    sha256 = "09b0i48sr5ynlhpya4lwnhgp081q4lqd23cc5l59dsxzh5ivbycb";
+    sha256bin64 = "1d49qcjh5mhfzqzjn4ilj23dpzd6nyl1pij5iv43dwxl8z2r3l3m";
+    version = "116.0.5845.179";
   };
 }

pkgs/applications/networking/cluster/nixops/default.nix

@@ -74,15 +74,12 @@ let
           cryptography = super.cryptography.overridePythonAttrs (old: {
             meta = old.meta // {
               knownVulnerabilities = old.meta.knownVulnerabilities or [ ]
-                ++ lib.optionals (lib.versionOlder old.version "39.0.1") [
-                  "CVE-2022-4304"
-                  "CVE-2023-0215"
-                  "CVE-2023-0216"
-                  "CVE-2023-0217"
-                  "CVE-2023-0401"
-                  "CVE-2022-4203"
-                  "CVE-2022-4450"
-                  "CVE-2023-23931"
+                ++ lib.optionals (lib.versionOlder old.version "41.0.0") [
+                  "CVE-2023-2650"
+                  "CVE-2023-2975"
+                  "CVE-2023-3446"
+                  "CVE-2023-3817"
+                  "CVE-2023-38325"
                 ];
             };
           });

pkgs/applications/networking/instant-messengers/signal-desktop/default.nix

@@ -1,12 +1,12 @@
 { callPackage }: builtins.mapAttrs (pname: attrs: callPackage ./generic.nix (attrs // { inherit pname; })) {
   signal-desktop = {
     dir = "Signal";
-    version = "6.29.1";
-    hash = "sha256-QtQVH8cs42vwzJNiq6klaSQO2pmB80OYjzAR4Bibb/s";
+    version = "6.30.1";
+    hash = "sha256-tG5R4A+Uz/ynw0cD7tW5/Fp8KlnNk+zmnRp01m/6vZU=";
   };
   signal-desktop-beta = {
     dir = "Signal Beta";
-    version = "6.30.0-beta.2";
-    hash = "sha256-EMgstKlHA6ilSlbDmsPAu/jNC21XGzF7LS7QzWcK2F0";
+    version = "6.31.0-beta.1";
+    hash = "sha256-j3DY+FY7kVVGvVuVZw/JxIpwxtgBttSyWcRaa9MCSjE=";
   };
 }

pkgs/applications/networking/remote/freerdp/default.nix

@@ -76,13 +76,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "freerdp";
-  version = "2.11.0";
+  version = "2.11.1";
 
   src = fetchFromGitHub {
     owner = "FreeRDP";
     repo = "FreeRDP";
     rev = version;
-    sha256 = "sha256-yyJs6J2R2L2YtNKzHFW6X6I1aJTHipBA1+yuT7bR9Zg=";
+    sha256 = "sha256-x97I0TDPAd/zULM/FpAvYQTcArG2CwGoUUp/eEM4vdc=";
   };
 
   postPatch = ''

pkgs/applications/office/beamerpresenter/default.nix

@@ -7,6 +7,7 @@
 , wrapQtAppsHook
 , gst_all_1
 , qtbase
+, qtsvg
 , qtmultimedia
 , qttools
 , qtwayland
@@ -27,13 +28,13 @@
 
 stdenv.mkDerivation rec {
   pname = "beamerpresenter";
-  version = "0.2.3-1";
+  version = "0.2.4";
 
   src = fetchFromGitHub {
     owner = "stiglers-eponym";
     repo = "BeamerPresenter";
-    rev = "dd41a00b3c6c8b881fa62945165c965634df66f0";
-    sha256 = "11yj1zl8hdnqbynkbyzg8kwyx1jl8c87x8f8qyllpk0s6cg304d0";
+    rev = "v${version}";
+    hash = "sha256-UQbyzkFjrIDPcrE6yGuOWsXNjz8jWyJEWiQwHmf91/8=";
   };
 
   nativeBuildInputs = [
@@ -51,6 +52,7 @@ stdenv.mkDerivation rec {
     gst_all_1.gst-plugins-good
     zlib
     qtbase
+    qtsvg
     qtmultimedia
     qttools
   ] ++ lib.optionals stdenv.isLinux [
@@ -70,10 +72,10 @@ stdenv.mkDerivation rec {
     "-DUSE_POPPLER=${if usePoppler then "ON" else "OFF"}"
     "-DUSE_MUPDF=${if useMupdf then "ON" else "OFF"}"
     "-DUSE_QTPDF=OFF"
-    "-DUSE_MUPDF_THIRD=ON"
+    "-DLINK_MUPDF_THIRD=ON"
     "-DUSE_EXTERNAL_RENDERER=${if useExternalRenderer then "ON" else "OFF"}"
-    "-DUSE_MUJS=OFF"
-    "-DUSE_GUMBO=ON"
+    "-DLINK_MUJS=OFF"
+    "-DLINK_GUMBO=ON"
     "-DUSE_TRANSLATIONS=ON"
     "-DQT_VERSION_MAJOR=${lib.versions.major qtbase.version}"
   ];

pkgs/applications/science/logic/netlistsvg/default.nix

@@ -47,7 +47,7 @@ buildNpmPackage rec {
 
   meta = {
     description = "Draw SVG digital circuits schematics from yosys JSON netlists";
-    homepage = "https://neilturley.dev/netlistsvg/";
+    homepage = "https://github.com/nturley/netlistsvg";
     license = lib.licenses.mit;
     maintainers = with lib.maintainers; [ pbsds ];
   };

pkgs/applications/version-management/gitlab/data.json

@@ -1,15 +1,15 @@
 {
-  "version": "16.3.1",
-  "repo_hash": "sha256-E0aa+sUoc8CxQ4ucHOPJL3+A1Al23xWT0TpYSSpZxgc=",
-  "yarn_hash": "0lks2s0g7x7psdfmcq353z7gjp9lw1wm72hvkvw26fy21yglml6s",
+  "version": "16.3.2",
+  "repo_hash": "sha256-SFxmbVWFEq0kWhzCLESdAksxUd0tiNeLGCOKNRHKMqI=",
+  "yarn_hash": "02g51sfpn065513n5ngcw6rqvzaws6yfq0y7gyj4lc4d8fhis088",
   "owner": "gitlab-org",
   "repo": "gitlab",
-  "rev": "v16.3.1-ee",
+  "rev": "v16.3.2-ee",
   "passthru": {
-    "GITALY_SERVER_VERSION": "16.3.1",
-    "GITLAB_PAGES_VERSION": "16.3.1",
+    "GITALY_SERVER_VERSION": "16.3.2",
+    "GITLAB_PAGES_VERSION": "16.3.2",
     "GITLAB_SHELL_VERSION": "14.26.0",
     "GITLAB_ELASTICSEARCH_INDEXER_VERSION": "4.3.8",
-    "GITLAB_WORKHORSE_VERSION": "16.3.1"
+    "GITLAB_WORKHORSE_VERSION": "16.3.2"
   }
 }

pkgs/applications/version-management/gitlab/gitaly/default.nix

@@ -13,7 +13,7 @@
 }:
 
 let
-  version = "16.3.1";
+  version = "16.3.2";
   package_version = "v${lib.versions.major version}";
   gitaly_package = "gitlab.com/gitlab-org/gitaly/${package_version}";
 
@@ -24,10 +24,10 @@ let
       owner = "gitlab-org";
       repo = "gitaly";
       rev = "v${version}";
-      sha256 = "sha256-Tc7JsGuTF+JK5SLmaQwVbmdSy/Wvm3VNoZqHTyZFd6k=";
+      hash = "sha256-Q2wXoc4tLJvc0LwSct3cCswOqhUJSVVhoG/uFXeVOB4=";
     };
 
-    vendorSha256 = "sha256-abyouKgn31yO3+oeowtxZcuvS6mazVM8zOMEFsyw4C0=";
+    vendorHash = "sha256-abyouKgn31yO3+oeowtxZcuvS6mazVM8zOMEFsyw4C0=";
 
     ldflags = [ "-X ${gitaly_package}/internal/version.version=${version}" "-X ${gitaly_package}/internal/version.moduleVersion=${version}" ];
 

pkgs/applications/version-management/gitlab/gitlab-pages/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "gitlab-pages";
-  version = "16.3.1";
+  version = "16.3.2";
 
   src = fetchFromGitLab {
     owner = "gitlab-org";
     repo = "gitlab-pages";
     rev = "v${version}";
-    sha256 = "sha256-gUUmUVBk6Ox4oKOef8RDqmW2Hs2wQL/lpbIEbwbzgHY=";
+    hash = "sha256-1e3s+RLuNilNtsKzfKrsbAD0dzA87LbLH/c43CKh5EU=";
   };
 
   vendorHash = "sha256-Pdb+bWsECe7chgvPKFGXxVAWb+AbGF6khVJSdDsHqKM=";

pkgs/applications/version-management/gitlab/gitlab-workhorse/default.nix

@@ -5,7 +5,7 @@ in
 buildGoModule rec {
   pname = "gitlab-workhorse";
 
-  version = "16.3.1";
+  version = "16.3.2";
 
   src = fetchFromGitLab {
     owner = data.owner;

pkgs/applications/window-managers/i3/status-rust.nix

@@ -15,16 +15,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "i3status-rust";
-  version = "0.32.1";
+  version = "0.32.2";
 
   src = fetchFromGitHub {
     owner = "greshake";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-F09gIDByRIJENwbzUb2IlWkyXjva0b7ivORgXotL/20=";
+    hash = "sha256-CKL4XsOBo8y4k06t5E7k2HBmI4VABW4rxU6Bjl52fhs=";
   };
 
-  cargoHash = "sha256-D0XGH6b6dJrgLnFUViRAl9+AhnR2Bt4J2hDXUyJhOyg=";
+  cargoHash = "sha256-7v5813veJPP5NVe2gFZr+iXJmK+aLajSZuhEkgsMxuY=";
 
   nativeBuildInputs = [ pkg-config makeWrapper ];
 

pkgs/by-name/ir/ironbar/package.nix

@@ -0,0 +1,80 @@
+{ gtk3
+, gdk-pixbuf
+, librsvg
+, webp-pixbuf-loader
+, gobject-introspection
+, glib-networking
+, glib
+, shared-mime-info
+, gsettings-desktop-schemas
+, wrapGAppsHook
+, gtk-layer-shell
+, gnome
+, libxkbcommon
+, openssl
+, pkg-config
+, hicolor-icon-theme
+, rustPlatform
+, lib
+, fetchFromGitHub
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "ironbar";
+  version = "0.13.0";
+
+  src = fetchFromGitHub {
+    owner = "JakeStanger";
+    repo = "ironbar";
+    rev = "v${version}";
+    hash = "sha256-e79eJGc/kxQjRwa1HnF7V/pCbrMTstJsBOl1Luo6i0g=";
+  };
+
+  cargoHash = "sha256-N8uAisQ50W/9zCr9bRX6tZ0slEoe1zCEMDXuvmoWEs4=";
+
+  buildInputs = [
+    gtk3
+    gdk-pixbuf
+    glib
+    gtk-layer-shell
+    glib-networking
+    shared-mime-info
+    gnome.adwaita-icon-theme
+    hicolor-icon-theme
+    gsettings-desktop-schemas
+    libxkbcommon
+    openssl
+  ];
+
+  nativeBuildInputs = [
+    pkg-config
+    wrapGAppsHook
+    gobject-introspection
+  ];
+
+  propagatedBuildInputs = [
+    gtk3
+  ];
+
+  preFixup = ''
+    gappsWrapperArgs+=(
+      # Thumbnailers
+      --prefix XDG_DATA_DIRS : "${gdk-pixbuf}/share"
+      --prefix XDG_DATA_DIRS : "${librsvg}/share"
+      --prefix XDG_DATA_DIRS : "${webp-pixbuf-loader}/share"
+      --prefix XDG_DATA_DIRS : "${shared-mime-info}/share"
+
+      # gtk-launch
+      --suffix PATH : "${lib.makeBinPath [ gtk3 ]}"
+    )
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/JakeStanger/ironbar";
+    description = "Customizable gtk-layer-shell wlroots/sway bar written in Rust";
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ yavko donovanglover jakestanger ];
+    mainProgram = "ironbar";
+  };
+}

pkgs/by-name/pa/passes/package.nix

@@ -0,0 +1,67 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, appstream-glib
+, blueprint-compiler
+, desktop-file-utils
+, gettext
+, gtk4
+, libadwaita
+, meson
+, ninja
+, pkg-config
+, python3
+, wrapGAppsHook4
+, zint
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "passes";
+  version = "0.8";
+
+  src = fetchFromGitHub {
+    owner = "pablo-s";
+    repo = "passes";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-SIJLBVWyW9+Hzb6ebfUnBfUuvNmYBm9ojKrnFOS3BGc=";
+  };
+
+  postPatch = ''
+    substituteInPlace src/model/meson.build \
+      --replace /app/lib ${zint}/lib
+    substituteInPlace src/view/window.blp \
+      --replace reveal_flap reveal-flap
+    substituteInPlace build-aux/meson/postinstall.py \
+      --replace gtk-update-icon-cache gtk4-update-icon-cache
+    patchShebangs build-aux/meson/postinstall.py
+  '';
+
+  strictDeps = true;
+
+  nativeBuildInputs = [
+    appstream-glib
+    blueprint-compiler
+    desktop-file-utils
+    gettext
+    meson
+    ninja
+    pkg-config
+    (python3.withPackages (pp: [pp.pygobject3]))
+    wrapGAppsHook4
+  ];
+
+  buildInputs = [
+    gtk4
+    libadwaita
+    zint
+  ];
+
+  meta = with lib; {
+    description = "A digital pass manager";
+    homepage = "https://github.com/pablo-s/passes";
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ fgaz ];
+    platforms = platforms.all;
+    broken = stdenv.isDarwin; # Crashes
+  };
+})

pkgs/by-name/wo/wonderdraft/package.nix

@@ -0,0 +1,62 @@
+{ lib
+, stdenv
+, requireFile
+, dpkg
+, xorg
+, libGL
+, alsa-lib
+, pulseaudio
+}:
+
+stdenv.mkDerivation rec {
+  pname = "wonderdraft";
+  version = "1.1.7.3";
+
+  src = requireFile {
+    name = "Wonderdraft-${version}-Linux64.deb";
+    url = "https://wonderdraft.net/";
+    hash = "sha256-i8YZF5w1dIWUyk99SUhHU7eJRjPXJDPbYUzGC1uN8JQ=";
+  };
+  sourceRoot = ".";
+  unpackCmd = "${dpkg}/bin/dpkg-deb -x $curSrc .";
+
+  dontConfigure = true;
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/bin
+    cp -R usr/share opt $out/
+    substituteInPlace \
+      $out/share/applications/Wonderdraft.desktop \
+      --replace /opt/ $out/opt/
+    ln -s $out/opt/Wonderdraft/Wonderdraft.x86_64 $out/bin/Wonderdraft.x86_64
+    runHook postInstall
+  '';
+  preFixup = let
+    libPath = lib.makeLibraryPath [
+      xorg.libXcursor
+      xorg.libXinerama
+      xorg.libXrandr
+      xorg.libX11
+      xorg.libXi
+      libGL
+      alsa-lib
+      pulseaudio
+    ];
+  in ''
+    patchelf \
+      --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
+      --set-rpath "${libPath}" \
+      $out/opt/Wonderdraft/Wonderdraft.x86_64
+  '';
+
+  meta = with lib; {
+    homepage = "https://wonderdraft.net/";
+    description = "A mapmaking tool for Tabletop Roleplaying Games, designed for city, region, or world scale";
+    license = licenses.unfree;
+    platforms = [ "x86_64-linux" ];
+    maintainers = with maintainers; [ jsusk ];
+    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+  };
+}

pkgs/data/fonts/iosevka/default.nix

@@ -55,16 +55,16 @@ assert (extraParameters != null) -> set != null;
 
 buildNpmPackage rec {
   pname = if set != null then "iosevka-${set}" else "iosevka";
-  version = "26.3.0";
+  version = "26.3.3";
 
   src = fetchFromGitHub {
     owner = "be5invis";
     repo = "iosevka";
     rev = "v${version}";
-    hash = "sha256-t08S6CH8GB+TIQ4MOHjG2NGSuTnrKlqhaub/eZYIz/w=";
+    hash = "sha256-V4JBN7yPI25fA36wK1XItLiI5jLWYAaHoVCT+RQCN6k=";
   };
 
-  npmDepsHash = "sha256-D5uykh/DKfJg3ZOIVK6ZL+CFZMEmtFTr0rEUgfJU7Bc=";
+  npmDepsHash = "sha256-sJSBaAi4478zgUZFohOAUbQr7f/nBytcoXxFuLJS3y8=";
 
   nativeBuildInputs = [
     remarshal

pkgs/development/compilers/ocaml/5.1.nix

@@ -0,0 +1,9 @@
+import ./generic.nix {
+  major_version = "5";
+  minor_version = "1";
+  patch_version = "0-rc3";
+  src = fetchTarball {
+    url = "https://caml.inria.fr/pub/distrib/ocaml-5.1/ocaml-5.1.0~rc3.tar.xz";
+    sha256 = "sha256:0cbvdcsq1qh70mm116dcgk6y7d4g4nrypzq20k7i6ww7am1563d3";
+  };
+}

pkgs/development/interpreters/python/hooks/default.nix

@@ -221,9 +221,9 @@ in {
     inherit (pkgs.buildPackages) makeWrapper;
   };
 
-  sphinxHook = callPackage ({ makePythonHook, sphinx, installShellFiles }:
+  sphinxHook = callPackage ({ makePythonHook, installShellFiles }:
     makePythonHook {
       name = "python${python.pythonVersion}-sphinx-hook";
-      propagatedBuildInputs = [ sphinx installShellFiles ];
+      propagatedBuildInputs = [ pythonForBuild.pkgs.sphinx installShellFiles ];
     } ./sphinx-hook.sh) {};
 }

pkgs/development/node-packages/aliases.nix

@@ -57,6 +57,7 @@ mapAliases {
   inherit (pkgs) carto; # added 2023-08-17
   castnow = pkgs.castnow; # added 2023-07-30
   inherit (pkgs) clean-css-cli; # added 2023-08-18
+  inherit (pkgs) clubhouse-cli; # added 2023-08-18
   coc-imselect = throw "coc-imselect was removed because it was broken"; # added 2023-08-21
   coffee-script = pkgs.coffeescript; # added 2023-08-18
   inherit (pkgs) configurable-http-proxy; # added 2023-08-19
@@ -95,6 +96,7 @@ mapAliases {
   node-inspector = throw "node-inspector was removed because it was broken"; # added 2023-08-21
   inherit (pkgs) npm-check-updates; # added 2023-08-22
   ocaml-language-server = throw "ocaml-language-server was removed because it was abandoned upstream"; # added 2023-09-04
+  parcel-bundler = parcel; # added 2023-09-04
   inherit (pkgs) react-static; # added 2023-08-21
   readability-cli = pkgs.readability-cli; # Added 2023-06-12
   reveal-md = pkgs.reveal-md; # added 2023-07-31

pkgs/development/node-packages/main-programs.nix

@@ -29,7 +29,6 @@
   cdk8s-cli = "cdk8s";
   cdktf-cli = "cdktf";
   clipboard-cli = "clipboard";
-  clubhouse-cli = "club";
   conventional-changelog-cli = "conventional-changelog";
   cpy-cli = "cpy";
   diff2html-cli = "diff2html";
@@ -49,7 +48,6 @@
   lua-fmt = "luafmt";
   near-cli = "near";
   neovim = "neovim-node-host";
-  parcel-bundler = "parcel";
   parsoid = "parse.js";
   poor-mans-t-sql-formatter-cli = "sqlformat";
   postcss-cli = "postcss";

pkgs/development/node-packages/node-packages.json

@@ -38,7 +38,6 @@
 , "cdk8s-cli"
 , "cdktf-cli"
 , "clipboard-cli"
-, "clubhouse-cli"
 , "coc-clangd"
 , "coc-cmake"
 , "coc-css"
@@ -193,7 +192,6 @@
 , "npm-merge-driver"
 , "nrm"
 , "orval"
-, "parcel-bundler"
 , "parcel"
 , "parsoid"
 , "patch-package"

pkgs/development/node-packages/overrides.nix

@@ -256,13 +256,6 @@ final: prev: {
     '';
   };
 
-  parcel = prev.parcel.override {
-    buildInputs = [ final.node-gyp-build ];
-    preRebuild = ''
-      sed -i -e "s|#!/usr/bin/env node|#! ${nodejs}/bin/node|" node_modules/node-gyp-build/bin.js
-    '';
-  };
-
   pnpm = prev.pnpm.override {
     nativeBuildInputs = [ pkgs.buildPackages.makeWrapper ];
 

pkgs/development/ocaml-modules/awa/default.nix

@@ -1,5 +1,5 @@
 { lib, buildDunePackage, fetchurl
-, ppx_sexp_conv, ppx_cstruct
+, ppx_sexp_conv
 , mirage-crypto, mirage-crypto-ec, mirage-crypto-rng, mirage-crypto-pk
 , x509, cstruct, cstruct-unix, cstruct-sexp, sexplib, eqaf
 , rresult, mtime, logs, fmt, cmdliner, base64
@@ -24,8 +24,6 @@ buildDunePackage rec {
     ppx_sexp_conv eqaf
   ];
 
-  buildInputs = [ ppx_cstruct ];
-
   doCheck = true;
   checkInputs = [ cstruct-unix cmdliner fmt ];
 

pkgs/development/ocaml-modules/ppx_tools/default.nix

@@ -35,6 +35,7 @@ let param =
   "4.13" = v6_6;
   "4.14" = v6_6;
   "5.0" = v6_6;
+  "5.1" = v6_6;
 }.${ocaml.meta.branch};
 in
 

pkgs/development/python-modules/anel-pwrctrl-homeassistant/default.nix

@@ -0,0 +1,30 @@
+{
+  lib,
+  buildPythonPackage,
+  fetchPypi,
+}:
+buildPythonPackage rec {
+  pname = "anel-pwrctrl-homeassistant";
+  version = "0.0.1.dev2";
+  format = "setuptools";
+
+  src = fetchPypi {
+    inherit version;
+    pname = "anel_pwrctrl-homeassistant";
+    hash = "sha256-AcsnYD9CeGAarm5QdweUF6CUFwUywhfmU46NG8+Cm4s=";
+  };
+
+  # No tests
+  doCheck = false;
+
+  pythonImportsCheck = [
+    "anel_pwrctrl"
+  ];
+
+  meta = with lib; {
+    description = "Discover and control ANEL NET-PwrCtrl devices";
+    homepage = "https://github.com/mweinelt/anel-pwrctrl";
+    license = licenses.mit;
+    maintainers = with maintainers; [jamiemagee];
+  };
+}

pkgs/development/python-modules/debianbts/default.nix

@@ -1,6 +1,7 @@
 { lib
 , buildPythonPackage
 , fetchPypi
+, nix-update-script
 , pysimplesoap
 , pytest , pytest-xdist
 , pythonOlder
@@ -13,6 +14,7 @@ buildPythonPackage rec {
   format = "pyproject";
 
   disabled = pythonOlder "3.7";
+  passthru.updateScript = nix-update-script { };
 
   src = fetchPypi {
     inherit pname version;

pkgs/development/python-modules/fastembed/default.nix

@@ -0,0 +1,53 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, pythonOlder
+, poetry-core
+, onnxruntime
+, requests
+, tokenizers
+, tqdm
+, pytestCheckHook
+}:
+
+buildPythonPackage {
+  pname = "fastembed";
+  version = "unstable-2023-09-07";
+  format = "pyproject";
+
+  disabled = pythonOlder "3.8";
+
+  src = fetchFromGitHub {
+    owner = "qdrant";
+    repo = "fastembed";
+    rev = "9c5d32f271dfe9ae4730694727ff5df480983942";
+    hash = "sha256-d7Zb0IL0NOPEPsCHe/ZMNELnSCG4+y8JmGAXnCRUd50=";
+  };
+
+  nativeBuildInputs = [
+    poetry-core
+  ];
+
+  propagatedBuildInputs = [
+    onnxruntime
+    requests
+    tokenizers
+    tqdm
+  ];
+
+  pythonImportsCheck = [ "fastembed" ];
+
+  nativeCheckInputs = [
+    pytestCheckHook
+  ];
+
+  # there is one test and it requires network
+  doCheck = false;
+
+  meta = with lib; {
+    description = "Fast, Accurate, Lightweight Python library to make State of the Art Embedding";
+    homepage = "https://github.com/qdrant/fastembed";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ happysalada ];
+  };
+}

pkgs/development/python-modules/mypy-boto3-builder/default.nix

@@ -18,7 +18,7 @@
 
 buildPythonPackage rec {
   pname = "mypy-boto3-builder";
-  version = "7.18.2";
+  version = "7.19.0";
   format = "pyproject";
 
   disabled = pythonOlder "3.10";
@@ -27,7 +27,7 @@ buildPythonPackage rec {
     owner = "youtype";
     repo = "mypy_boto3_builder";
     rev = "refs/tags/${version}";
-    hash = "sha256-43kyDgolXEu5J5OVaLKqjVdyWaobfGNvevNFh4CFjss=";
+    hash = "sha256-Wczk1DNoOpvd7efnZFUf4FSjYqHdkMKMNwNVeQOPeEg=";
   };
 
   nativeBuildInputs = [

pkgs/development/python-modules/pysimplesoap/default.nix

@@ -3,13 +3,15 @@
 , fetchPypi
 , buildPythonPackage
 , m2crypto
+, nix-update-script
 }:
 
 buildPythonPackage rec {
   pname = "pysimplesoap";
-  # Unfortunately, the latest stable release is broken on Python 3.
   version = "1.16.2";
 
+  passthru.updateScript = nix-update-script { };
+
   src = fetchPypi {
     pname = "PySimpleSOAP";
     inherit version;
@@ -20,6 +22,7 @@ buildPythonPackage rec {
     m2crypto
   ];
 
+  # Patches necessary for Python 3 compatibility plus bugfixes
   patches = map (args: fetchDebianPatch ({
     inherit pname version;
     debianRevision = "5";

pkgs/development/python-modules/qdrant-client/default.nix

@@ -3,20 +3,22 @@
 , fetchFromGitHub
 , grpcio
 , grpcio-tools
-, h2
 , httpx
 , numpy
 , pytestCheckHook
 , poetry-core
 , pydantic
 , pythonOlder
-, typing-extensions
 , urllib3
+, portalocker
+, fastembed
+# check inputs
+, pytest-asyncio
 }:
 
 buildPythonPackage rec {
   pname = "qdrant-client";
-  version = "1.1.0";
+  version = "1.5.0";
   format = "pyproject";
 
   disabled = pythonOlder "3.7";
@@ -25,7 +27,7 @@ buildPythonPackage rec {
     owner = "qdrant";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-rpNTV3VBTND39iW/kve0aG1KJzAIl1whmhH+e6RbOhw=";
+    hash = "sha256-k+ggx4QyVduqtV4WwHELyQDAHdaGE0bizpG1ie6x7FM=";
   };
 
   nativeBuildInputs = [
@@ -36,32 +38,29 @@ buildPythonPackage rec {
     numpy
     httpx
     grpcio
-    typing-extensions
+    # typing-extensions
     grpcio-tools
     pydantic
     urllib3
-    h2
-  ];
-
-  nativeCheckInputs = [
-    pytestCheckHook
-  ];
+    portalocker
+  ] ++ httpx.optional-dependencies.http2;
 
   pythonImportsCheck = [
     "qdrant_client"
   ];
 
-  disabledTests = [
-    # Tests require network access
-    "test_conditional_payload_update"
-    "test_locks"
-    "test_multiple_vectors"
-    "test_points_crud"
-    "test_qdrant_client_integration"
-    "test_quantization_config"
-    "test_record_upload"
+  nativeCheckInputs = [
+    pytestCheckHook
+    pytest-asyncio
   ];
 
+  # tests require network access
+  doCheck = false;
+
+  passthru.optional-dependencies = {
+    fastembed = [ fastembed ];
+  };
+
   meta = with lib; {
     description = "Python client for Qdrant vector search engine";
     homepage = "https://github.com/qdrant/qdrant-client";

pkgs/development/python-modules/yangson/default.nix

@@ -2,18 +2,18 @@
 , buildPythonPackage
 , fetchPypi
 , setuptools-scm
-, pyxb
+, elementpath
 , pytestCheckHook
 }:
 
 buildPythonPackage rec {
   pname = "yangson";
-  version = "1.4.16";
+  version = "1.4.18";
   format = "setuptools";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-P447JnQ8zhalcg9k8prW1QQE3h5PqY155hFtvLvBVSI=";
+    hash = "sha256-VMgx2MTiOoAw8tW8SckheN950JVbdWWSS3PWDNs0dT0=";
   };
 
   nativeBuildInputs = [
@@ -21,7 +21,7 @@ buildPythonPackage rec {
   ];
 
   propagatedBuildInputs = [
-    pyxb
+    elementpath
   ];
 
   nativeCheckInputs = [

pkgs/development/python-modules/yaspin/default.nix

@@ -9,7 +9,7 @@
 
 buildPythonPackage rec {
   pname = "yaspin";
-  version = "2.3.0";
+  version = "3.0.1";
   format = "pyproject";
 
   disabled = pythonOlder "3.7";
@@ -18,7 +18,7 @@ buildPythonPackage rec {
     owner = "pavdmyt";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-TURfjhEqkg8TT7dsoIOn2iAeD7+lX8+s9hItritf1GU=";
+    hash = "sha256-cYTCJyHZ9yNg6BfpZ+g3P0yMWFhYUxgYtlbANNgfohQ=";
   };
 
   nativeBuildInputs = [

pkgs/development/tools/frugal/default.nix

@@ -2,18 +2,18 @@
 
 buildGoModule rec {
   pname = "frugal";
-  version = "3.16.24";
+  version = "3.16.27";
 
   src = fetchFromGitHub {
     owner = "Workiva";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-DXdecPsxYE12YkOn6acuai+mbqNkzZUEXEw1+ZcJlt8=";
+    sha256 = "sha256-ZHDx6xE/apYF05CXtGJxlp2AWfeEAkWi3zloTFFr78M=";
   };
 
   subPackages = [ "." ];
 
-  vendorHash = "sha256-9ZWK5xw2onwm9F/o/upGuo080X6neXUrSF+0WR+FpCs=";
+  vendorHash = "sha256-2+7GQ54AHEF8ukvn/xUAD1eGESo8jO6TlRFPwlEvZ6A=";
 
   meta = with lib; {
     description = "Thrift improved";

pkgs/development/tools/go-task/default.nix

@@ -8,16 +8,16 @@
 
 buildGoModule rec {
   pname = "go-task";
-  version = "3.28.0";
+  version = "3.29.1";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = "task";
     rev = "refs/tags/v${version}";
-    hash = "sha256-jVRQnZGM+N3W/f4mW322qPiv7PFrFoyUHNdZNoAkpAc=";
+    hash = "sha256-RzXJCYiIxbSgXuUinS5ixKCobZtMx5MM/ilzSPzTdsI=";
   };
 
-  vendorHash = "sha256-gXWuKOTb/7AIF6orXlIHpdSxdYxl12Es2cl4egdJfxo=";
+  vendorHash = "sha256-+8nLU2mg7fiWSRu0w9ZMd5KvyFyYbNO1tyJpZASdc2c=";
 
   doCheck = false;
 

pkgs/servers/gotify/default.nix

@@ -5,19 +5,18 @@
 , sqlite
 , callPackage
 , nixosTests
+, nix-update-script
 }:
 
 buildGoModule rec {
   pname = "gotify-server";
-  # should be update just like all other files imported like that via the
-  # `update.sh` script.
-  version = import ./version.nix;
+  version = "2.3.0";
 
   src = fetchFromGitHub {
     owner = "gotify";
     repo = "server";
     rev = "v${version}";
-    sha256 = import ./source-sha.nix;
+    hash = "sha256-fWcdnmpLZycg7hmPNnphGcuSMTI4bsq57XPoSyQSGDA=";
   };
 
   # With `allowGoReference = true;`, `buildGoModule` adds the `-trimpath`
@@ -26,20 +25,28 @@ buildGoModule rec {
   #   server[780]: stat /var/lib/private/ui/build/index.html: no such file or directory
   allowGoReference = true;
 
-  vendorSha256 = import ./vendor-sha.nix;
+  vendorHash = "sha256-im7Pauit0tWi0BcyKtxybOqsu7rrIHZwY5Olta3nJJI=";
 
   doCheck = false;
 
-  buildInputs = [ sqlite ];
+  buildInputs = [
+    sqlite
+  ];
 
   ui = callPackage ./ui.nix { };
 
   preBuild = ''
-    cp -r ${ui}/libexec/gotify-ui/deps/gotify-ui/build ui/build && go run hack/packr/packr.go
+    if [ -n "$ui" ] # to make the preBuild a no-op inside the goModules fixed-output derivation, where it would fail
+    then
+      cp -r $ui ui/build
+    fi
   '';
 
   passthru = {
-    updateScript = ./update.sh;
+    # For nix-update to detect the location of this attribute from this
+    # derivation.
+    inherit (ui) offlineCache;
+    updateScript = nix-update-script { };
     tests = {
       nixos = nixosTests.gotify-server;
     };
@@ -60,5 +67,4 @@ buildGoModule rec {
     maintainers = with maintainers; [ doronbehar ];
     mainProgram = "server";
   };
-
 }

pkgs/servers/gotify/package.json

@@ -1,87 +0,0 @@
-{
-  "name": "gotify-ui",
-  "version": "0.2.0",
-  "private": true,
-  "homepage": ".",
-  "proxy": "http://localhost:80",
-  "dependencies": {
-    "@material-ui/core": "^4.11.4",
-    "@material-ui/icons": "^4.9.1",
-    "axios": "^0.21.1",
-    "codemirror": "^5.61.1",
-    "detect-browser": "^5.2.0",
-    "js-base64": "^3.6.1",
-    "mobx": "^5.15.6",
-    "mobx-react": "^6.3.0",
-    "mobx-utils": "^5.6.1",
-    "notifyjs": "^3.0.0",
-    "prop-types": "^15.6.2",
-    "react": "^16.4.2",
-    "react-codemirror2": "^7.2.1",
-    "react-dom": "^16.4.2",
-    "react-infinite": "^0.13.0",
-    "react-markdown": "^6.0.2",
-    "react-router": "^5.2.0",
-    "react-router-dom": "^5.2.0",
-    "react-timeago": "^6.2.1",
-    "remark-gfm": "^1.0.0",
-    "remove-markdown": "^0.3.0",
-    "typeface-roboto": "1.1.13"
-  },
-  "scripts": {
-    "start": "react-scripts start",
-    "build": "react-scripts build",
-    "test": "react-scripts test --env=node",
-    "eject": "react-scripts eject",
-    "lint": "eslint \"src/**/*.{ts,tsx}\"",
-    "format": "prettier \"src/**/*.{ts,tsx}\" --write",
-    "testformat": "prettier \"src/**/*.{ts,tsx}\" --list-different"
-  },
-  "devDependencies": {
-    "@types/codemirror": "5.60.0",
-    "@types/detect-browser": "^4.0.0",
-    "@types/get-port": "^4.0.0",
-    "@types/jest": "^26.0.23",
-    "@types/js-base64": "^3.3.1",
-    "@types/node": "^15.12.2",
-    "@types/notifyjs": "^3.0.2",
-    "@types/puppeteer": "^5.4.6",
-    "@types/react": "^16.9.49",
-    "@types/react-dom": "^16.9.8",
-    "@types/react-infinite": "0.0.35",
-    "@types/react-router-dom": "^5.1.7",
-    "@types/remove-markdown": "^0.3.0",
-    "@types/rimraf": "^3.0.0",
-    "@typescript-eslint/eslint-plugin": "^4.1.0",
-    "@typescript-eslint/parser": "^4.1.0",
-    "eslint-config-prettier": "^6.11.0",
-    "eslint-plugin-import": "^2.22.0",
-    "eslint-plugin-jest": "^24.0.0",
-    "eslint-plugin-prefer-arrow": "^1.2.2",
-    "eslint-plugin-react": "^7.20.6",
-    "eslint-plugin-unicorn": "^21.0.0",
-    "get-port": "^5.1.1",
-    "prettier": "^2.3.1",
-    "puppeteer": "^17.1.3",
-    "react-scripts": "^4.0.3",
-    "rimraf": "^3.0.2",
-    "tree-kill": "^1.2.0",
-    "typescript": "4.0.2",
-    "wait-on": "^5.3.0"
-  },
-  "eslintConfig": {
-    "extends": "react-app"
-  },
-  "browserslist": {
-    "production": [
-      ">0.2%",
-      "not dead",
-      "not op_mini all"
-    ],
-    "development": [
-      "last 1 chrome version",
-      "last 1 firefox version",
-      "last 1 safari version"
-    ]
-  }
-}

pkgs/servers/gotify/source-sha.nix

@@ -1 +0,0 @@
-"1kc4l95hrhi7lb9x8gy19xpwj12j4syg6w1kbllf3g3k83sr444f"

pkgs/servers/gotify/ui.nix

@@ -1,67 +1,47 @@
-{ yarn2nix-moretea
-, fetchFromGitHub, applyPatches
+{ stdenv
+, yarn
+, fixup_yarn_lock
+, nodejs-slim
+, fetchFromGitHub
 , fetchYarnDeps
+, gotify-server
 }:
 
-yarn2nix-moretea.mkYarnPackage rec {
+stdenv.mkDerivation rec {
   pname = "gotify-ui";
+  inherit (gotify-server) version;
 
-  packageJSON = ./package.json;
+  src = gotify-server.src + "/ui";
 
   offlineCache = fetchYarnDeps {
     yarnLock = "${src}/yarn.lock";
     hash = "sha256-ejHzo6NHCMlNiYePWvfMY9Blb58pj3UQ5PFI0V84flI=";
   };
 
-  version = import ./version.nix;
+  nativeBuildInputs = [ yarn fixup_yarn_lock nodejs-slim ];
 
-  src_all = applyPatches {
-    src = fetchFromGitHub {
-      owner = "gotify";
-      repo = "server";
-      rev = "v${version}";
-      sha256 = import ./source-sha.nix;
-    };
-    postPatch = ''
-      substituteInPlace ui/yarn.lock \
-        --replace \
-          "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001237.tgz" \
-          "https___registry.npmjs.org_caniuse_lite___caniuse_lite_1.0.30001237.tgz"
-    '';
-  };
-  src = "${src_all}/ui";
-
-  buildPhase = ''
-    export HOME=$(mktemp -d)
-    export WRITABLE_NODE_MODULES="$(pwd)/tmp"
-    export NODE_OPTIONS=--openssl-legacy-provider
-    mkdir -p "$WRITABLE_NODE_MODULES"
-
-    # react-scripts requires a writable node_modules/.cache, so we have to copy the symlink's contents back
-    # into `node_modules/`.
-    # See https://github.com/facebook/create-react-app/issues/11263
-    cd deps/gotify-ui
-    node_modules="$(readlink node_modules)"
-    rm node_modules
-    mkdir -p "$WRITABLE_NODE_MODULES"/.cache
-    cp -r $node_modules/* "$WRITABLE_NODE_MODULES"
-
-    # In `node_modules/.bin` are relative symlinks that would be broken after copying them over,
-    # so we take care of them here.
-    mkdir -p "$WRITABLE_NODE_MODULES"/.bin
-    for x in "$node_modules"/.bin/*; do
-      ln -sfv "$node_modules"/.bin/"$(readlink "$x")" "$WRITABLE_NODE_MODULES"/.bin/"$(basename "$x")"
-    done
-
-    ln -sfv "$WRITABLE_NODE_MODULES" node_modules
-    cd ../..
-
-    yarn build
-
-    cd deps/gotify-ui
-    rm -rf node_modules
-    ln -sf $node_modules node_modules
-    cd ../..
+  postPatch = ''
+    export HOME=$NIX_BUILD_TOP/fake_home
+    yarn config --offline set yarn-offline-mirror $offlineCache
+    fixup_yarn_lock yarn.lock
+    yarn install --offline --frozen-lockfile --ignore-scripts --no-progress --non-interactive
+    patchShebangs node_modules/
   '';
 
+  buildPhase = ''
+    runHook preBuild
+
+    export NODE_OPTIONS=--openssl-legacy-provider
+    yarn --offline build
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mv build $out
+
+    runHook postInstall
+  '';
 }

pkgs/servers/gotify/update.sh

@@ -1,40 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p wget yarn2nix-moretea.yarn2nix nix-prefetch-git jq
-
-set -euo pipefail
-
-dirname="$(dirname "$0")"
-
-latest_release=$(curl --silent https://api.github.com/repos/gotify/server/releases/latest)
-version=$(jq -r '.tag_name' <<<"$latest_release")
-echo got version $version
-echo \""${version#v}"\" > "$dirname/version.nix"
-printf '%s\n' $(nix-prefetch-git --quiet --rev ${version} https://github.com/gotify/server | jq .sha256) > $dirname/source-sha.nix
-tput setaf 1
-echo zeroing vendorSha256 in $dirname/vendor-sha.nix
-tput sgr0
-printf '"%s"\n' "0000000000000000000000000000000000000000000000000000" > $dirname/vendor-sha.nix
-
-GOTIFY_WEB_SRC="https://raw.githubusercontent.com/gotify/server/$version"
-
-curl --silent "$GOTIFY_WEB_SRC/ui/package.json" -o $dirname/package.json
-echo downloaded package.json
-curl --silent "$GOTIFY_WEB_SRC/ui/yarn.lock" -o $dirname/yarn.lock
-echo downloaded yarndeps.nix
-echo running yarn2nix
-yarn2nix --lockfile=$dirname/yarn.lock > $dirname/yarndeps.nix
-rm $dirname/yarn.lock
-echo removed yarn.lock
-
-echo running nix-build for ui
-nix-build -A gotify-server.ui
-echo running nix-build for gotify itself in order to get vendorSha256
-set +e
-vendorSha256="$(nix-build -A gotify-server 2>&1 | grep "got:" | cut -d':' -f2)"
-set -e
-printf '"%s"\n' "$vendorSha256" > $dirname/vendor-sha.nix
-tput setaf 2
-echo got vendorSha256 of: $vendorSha256
-tput sgr0
-echo running nix-build -A gotify-server which should build gotify-server normally
-nix-build -A gotify-server

pkgs/servers/gotify/vendor-sha.nix

@@ -1 +0,0 @@
-"sha256-TxxiyfWzlzQ2R2hgeBzB11FIiOz5rIBfaIm15DQ+dL0="

pkgs/servers/gotify/version.nix

@@ -1 +0,0 @@
-"2.2.4"

pkgs/servers/home-assistant/component-packages.nix

@@ -157,7 +157,8 @@
       androidtvremote2
     ];
     "anel_pwrctrl" = ps: with ps; [
-    ]; # missing inputs: anel-pwrctrl-homeassistant
+      anel-pwrctrl-homeassistant
+    ];
     "anova" = ps: with ps; [
     ]; # missing inputs: anova-wifi
     "anthemav" = ps: with ps; [

pkgs/servers/nats-server/default.nix

@@ -23,6 +23,7 @@ buildGoModule rec {
 
   meta = with lib; {
     description = "High-Performance server for NATS";
+    mainProgram = "nats-server";
     homepage = "https://nats.io/";
     changelog = "https://github.com/nats-io/nats-server/releases/tag/v${version}";
     license = licenses.asl20;

pkgs/servers/sql/postgresql/ext/pgtap.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "pgtap";
-  version = "1.2.0";
+  version = "1.3.0";
 
   src = fetchFromGitHub {
     owner = "theory";
     repo = "pgtap";
     rev = "v${version}";
-    sha256 = "sha256-lb0PRffwo6J5a6Hqw1ggvn0cW7gPZ02OEcLPi9ineI8=";
+    sha256 = "sha256-RaafUnrMRbvyf2m2Z+tK6XxVXDGnaOkYkSMxIJLnf6A=";
   };
 
   nativeBuildInputs = [ postgresql perl perlPackages.TAPParserSourceHandlerpgTAP which ];

pkgs/servers/web-apps/wallabag/default.nix

@@ -1,7 +1,6 @@
 { lib
 , stdenv
 , fetchurl
-, fetchpatch
 }:
 
 # Point the environment variable $WALLABAG_DATA to a data directory
@@ -16,30 +15,19 @@
 
 let
   pname = "wallabag";
-  version = "2.5.4";
+  version = "2.6.6";
 in
 stdenv.mkDerivation {
   inherit pname version;
 
   # Release tarball includes vendored files
   src = fetchurl {
-    urls = [
-      "https://static.wallabag.org/releases/wallabag-release-${version}.tar.gz"
-      "https://github.com/wallabag/wallabag/releases/download/${version}/wallabag-${version}.tar.gz"
-    ];
-    hash = "sha256-yVMQXjGB8Yv1klQaHEbDGMZmOtANRocFJnawKn10xhg=";
+    url = "https://github.com/wallabag/wallabag/releases/download/${version}/wallabag-${version}.tar.gz";
+    hash = "sha256-0CkJFSHPnOz333+7uMUqXI3A9dsA9FchZXXmwq7F09o=";
   };
 
   patches = [
     ./wallabag-data.patch # exposes $WALLABAG_DATA
-
-    # Use sendmail from php.ini instead of FHS path.
-    (fetchpatch {
-      url = "https://github.com/symfony/swiftmailer-bundle/commit/31a4fed8f621f141ba70cb42ffb8f73184995f4c.patch";
-      stripLen = 1;
-      extraPrefix = "vendor/symfony/swiftmailer-bundle/";
-      sha256 = "rxHiGhKFd/ZWnIfTt6omFLLoNFlyxOYNCHIv/UtxCho=";
-    })
   ];
 
   dontBuild = true;

pkgs/servers/web-apps/wallabag/wallabag-data.patch

@@ -1,9 +1,9 @@
 diff --git a/app/AppKernel.php b/app/AppKernel.php
-index 347197e..902b558 100644
+index 61b734e06..d25d1aaa3 100644
 --- a/app/AppKernel.php
 +++ b/app/AppKernel.php
-@@ -69,19 +69,24 @@ class AppKernel extends Kernel
-         return __DIR__;
+@@ -62,14 +62,19 @@ class AppKernel extends Kernel
+         return $bundles;
      }
  
 +    public function getProjectDir()
@@ -24,9 +24,3 @@ index 347197e..902b558 100644
      }
  
      public function registerContainerConfiguration(LoaderInterface $loader)
-     {
--        $loader->load($this->getRootDir() . '/config/config_' . $this->getEnvironment() . '.yml');
-+        $loader->load($this->getProjectDir() . '/app/config/config_' . $this->getEnvironment() . '.yml');
- 
-         $loader->load(function ($container) {
-             if ($container->getParameter('use_webpack_dev_server')) {

pkgs/tools/misc/clubhouse-cli/default.nix

@@ -0,0 +1,27 @@
+{ lib
+, buildNpmPackage
+, fetchFromGitHub
+}:
+
+buildNpmPackage rec {
+  pname = "clubhouse-cli";
+  version = "2.7.0";
+
+  src = fetchFromGitHub {
+    owner = "andjosh";
+    repo = "clubhouse-cli";
+    rev = "v${version}";
+    hash = "sha256-OGUEPWKL3GBIQHEDljX1gXMRDEztIrJT5ivAIcyW91k=";
+  };
+
+  npmDepsHash = "sha256-QlCLEvmqLVkWwgTVlToYD6bptLp/MVfQ10Wdfr3PIr4=";
+
+  meta = {
+    description = "A command line tool for viewing, creating and updating clubhouse.io stories";
+    homepage = "https://github.com/andjosh/clubhouse-cli";
+    changelog = "https://github.com/andjosh/clubhouse-cli/blob/${src.rev}/CHANGELOG.md";
+    license = lib.licenses.mit;
+    mainProgram = "club";
+    maintainers = with lib.maintainers; [ tobim ];
+  };
+}

pkgs/tools/misc/sharedown/default.nix

@@ -12,6 +12,7 @@
 , makeDesktopItem
 , copyDesktopItems
 , yarn2nix-moretea
+, fetchYarnDeps
 , chromium
 }:
 
@@ -51,7 +52,7 @@ stdenvNoCC.mkDerivation rec {
         yt-dlp
       ]);
 
-      modules = yarn2nix-moretea.mkYarnModules {
+      modules = yarn2nix-moretea.mkYarnModules rec {
         name = "${pname}-modules-${version}";
         inherit pname version;
 
@@ -87,7 +88,11 @@ stdenvNoCC.mkDerivation rec {
 
         packageJSON = "${src}/package.json";
         yarnLock = ./yarn.lock;
-        yarnNix = ./yarndeps.nix;
+
+        offlineCache = fetchYarnDeps {
+          inherit yarnLock;
+          hash = "sha256-NzWzkZbf5R1R72K7KVJbZUCzso1UZ0p3+lRYZE2M/dI=";
+        };
       };
     in
     ''

pkgs/tools/security/sudo-rs/default.nix

@@ -3,6 +3,7 @@
 , fetchFromGitHub
 , fetchpatch
 , installShellFiles
+, nix-update-script
 , pam
 , pandoc
 , rustPlatform
@@ -72,6 +73,8 @@ rustPlatform.buildRustPackage rec {
     "su::context::tests::invalid_shell"
   ];
 
+  passthru.updateScript = nix-update-script { };
+
   meta = with lib; {
     description = "A memory safe implementation of sudo and su.";
     homepage = "https://github.com/memorysafety/sudo-rs";

pkgs/tools/security/trueseeing/default.nix

@@ -5,14 +5,14 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "trueseeing";
-  version = "2.1.5";
+  version = "2.1.7";
   format = "flit";
 
   src = fetchFromGitHub {
     owner = "alterakey";
     repo = pname;
-    rev = "v${version}";
-    hash = "sha256-7iQOQ81k2bPBber4ewyvDy82s26j4P3Vv8MzSs04KAw=";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-pnIn+Rqun5J3F9cgeBUBX4e9WP5fgbm+vwN3Wqh/yEc=";
   };
 
   nativeBuildInputs = with python3.pkgs; [
@@ -45,6 +45,7 @@ python3.pkgs.buildPythonApplication rec {
   meta = with lib; {
     description = "Non-decompiling Android vulnerability scanner";
     homepage = "https://github.com/alterakey/trueseeing";
+    changelog = "https://github.com/alterakey/trueseeing/releases/tag/v${version}";
     license = with licenses; [ gpl3Plus ];
     maintainers = with maintainers; [ fab ];
   };

pkgs/top-level/all-packages.nix

@@ -1707,6 +1707,8 @@ with pkgs;
 
   clematis = callPackage ../tools/misc/clematis { };
 
+  clubhouse-cli = callPackage ../tools/misc/clubhouse-cli { };
+
   colorless = callPackage ../tools/misc/colorless { };
 
   configurable-http-proxy = callPackage ../tools/networking/configurable-http-proxy { };

pkgs/top-level/ocaml-packages.nix

@@ -1927,6 +1927,8 @@ in let inherit (pkgs) callPackage; in rec
 
   ocamlPackages_5_0 = mkOcamlPackages (callPackage ../development/compilers/ocaml/5.0.nix { });
 
+  ocamlPackages_5_1 = mkOcamlPackages (callPackage ../development/compilers/ocaml/5.1.nix { });
+
   ocamlPackages_latest = ocamlPackages_5_0;
 
   ocamlPackages = ocamlPackages_4_14;

pkgs/top-level/python-packages.nix

@@ -512,6 +512,8 @@ self: super: with self; {
 
   androguard = callPackage ../development/python-modules/androguard { };
 
+  anel-pwrctrl-homeassistant = callPackage ../development/python-modules/anel-pwrctrl-homeassistant { };
+
   angr = callPackage ../development/python-modules/angr { };
 
   angrcli = callPackage ../development/python-modules/angrcli {
@@ -1348,9 +1350,7 @@ self: super: with self; {
 
   beautiful-date = callPackage ../development/python-modules/beautiful-date { };
 
-  beautifulsoup4 = callPackage ../development/python-modules/beautifulsoup4 {
-    inherit (python.pythonForBuild.pkgs) sphinxHook; # hook splicing broken since #194205
-  };
+  beautifulsoup4 = callPackage ../development/python-modules/beautifulsoup4 { };
 
   beautifultable = callPackage ../development/python-modules/beautifultable { };
 
@@ -3701,6 +3701,8 @@ self: super: with self; {
 
   fastecdsa = callPackage ../development/python-modules/fastecdsa { };
 
+  fastembed = callPackage ../development/python-modules/fastembed { };
+
   fasteners = callPackage ../development/python-modules/fasteners { };
 
   fastentrypoints = callPackage ../development/python-modules/fastentrypoints { };