Merge master into staging-next

maintainers/maintainer-list.nix

@@ -21514,6 +21514,13 @@
     githubId = 12422133;
     name = "Chromo-residuum-opec";
   };
+  uku3lig = {
+    name = "uku";
+    email = "hi@uku.moe";
+    matrix = "@uku:m.uku.moe";
+    github = "uku3lig";
+    githubId = 61147779;
+  };
   ulrikstrid = {
     email = "ulrik.strid@outlook.com";
     github = "ulrikstrid";

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -34,9 +34,6 @@
   Users that want to keep PulseAudio will want to set `services.pipewire.enable = false;` and `hardware.pulseaudio.enable = true;`.
   There is currently no plan to fully deprecate and remove PulseAudio, however, PipeWire should generally be preferred for new installs.
 
-- Support for mounting filesystems from block devices protected with [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html)
-  was added through the `boot.initrd.systemd.dmVerity` option.
-
 ## New Modules {#sec-release-24.11-new-modules}
 
 - [TaskChampion Sync-Server](https://github.com/GothenburgBitFactory/taskchampion-sync-server), a [Taskwariror 3](https://taskwarrior.org/docs/upgrade-3/) sync server, replacing Taskwarrior 2's sync server named [`taskserver`](https://github.com/GothenburgBitFactory/taskserver).
@@ -412,6 +409,8 @@
 
 - The `openlens` package got removed, suggested replacment `lens-desktop`
 
+- The NixOS installation media no longer support the ReiserFS or JFS file systems by default.
+
 ## Other Notable Changes {#sec-release-24.11-notable-changes}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

nixos/modules/module-list.nix

@@ -1622,7 +1622,6 @@
   ./system/boot/stage-2.nix
   ./system/boot/systemd.nix
   ./system/boot/systemd/coredump.nix
-  ./system/boot/systemd/dm-verity.nix
   ./system/boot/systemd/initrd-secrets.nix
   ./system/boot/systemd/initrd.nix
   ./system/boot/systemd/journald.nix

nixos/modules/profiles/base.nix

@@ -50,7 +50,7 @@
 
   # Include support for various filesystems and tools to create / manipulate them.
   boot.supportedFilesystems =
-    [ "btrfs" "cifs" "f2fs" "jfs" "ntfs" "reiserfs" "vfat" "xfs" ] ++
+    [ "btrfs" "cifs" "f2fs" "ntfs" "vfat" "xfs" ] ++
     lib.optional (lib.meta.availableOn pkgs.stdenv.hostPlatform config.boot.zfs.package) "zfs";
 
   # Configure host id for ZFS to work

nixos/modules/security/acme/default.nix

@@ -1,5 +1,4 @@
 { config, lib, pkgs, options, ... }:
-with lib;
 let
 
 
@@ -8,11 +7,11 @@ let
   user = if cfg.useRoot then "root" else "acme";
 
   # Used to calculate timer accuracy for coalescing
-  numCerts = length (builtins.attrNames cfg.certs);
+  numCerts = lib.length (builtins.attrNames cfg.certs);
   _24hSecs = 60 * 60 * 24;
 
   # Used to make unique paths for each cert/account config set
-  mkHash = with builtins; val: substring 0 20 (hashString "sha256" val);
+  mkHash = with builtins; val: lib.substring 0 20 (hashString "sha256" val);
   mkAccountHash = acmeServer: data: mkHash "${toString acmeServer} ${data.keyType} ${data.email}";
   accountDirRoot = "/var/lib/acme/.lego/accounts/";
 
@@ -29,7 +28,7 @@ let
     else
       [{ fst = head workingBaseList; snd = head needAssignmentList;}] ++
       _rrCycler origBaseList (if (tail workingBaseList == []) then origBaseList else tail workingBaseList) (tail needAssignmentList);
-  attrsToList = mapAttrsToList (attrname: attrval: {name = attrname; value = attrval;});
+  attrsToList = lib.mapAttrsToList (attrname: attrval: {name = attrname; value = attrval;});
   # for an AttrSet `funcsAttrs` having functions as values, apply single arguments from
   # `argsList` to them in a round-robin manner.
   # Returns an attribute set with the applied functions as values.
@@ -57,7 +56,7 @@ let
   commonServiceConfig = {
     Type = "oneshot";
     User = user;
-    Group = mkDefault "acme";
+    Group = lib.mkDefault "acme";
     UMask = "0022";
     StateDirectoryMode = "750";
     ProtectSystem = "strict";
@@ -136,8 +135,8 @@ let
   userMigrationService = let
     script = with builtins; ''
       chown -R ${user} .lego/accounts
-    '' + (concatStringsSep "\n" (mapAttrsToList (cert: data: ''
+    '' + (lib.concatStringsSep "\n" (lib.mapAttrsToList (cert: data: ''
-      for fixpath in ${escapeShellArg cert} .lego/${escapeShellArg cert}; do
+      for fixpath in ${lib.escapeShellArg cert} .lego/${lib.escapeShellArg cert}; do
         if [ -d "$fixpath" ]; then
           chmod -R u=rwX,g=rX,o= "$fixpath"
           chown -R ${user}:${data.group} "$fixpath"
@@ -166,7 +165,7 @@ let
 
     # ensure all required lock files exist, but none more
     script = ''
-      GLOBIGNORE="${concatStringsSep ":" concurrencyLockfiles}"
+      GLOBIGNORE="${lib.concatStringsSep ":" concurrencyLockfiles}"
       rm -f *
       unset GLOBIGNORE
 
@@ -186,7 +185,7 @@ let
     useDns = data.dnsProvider != null;
     useDnsOrS3 = useDns || data.s3Bucket != null;
     destPath = "/var/lib/acme/${cert}";
-    selfsignedDeps = optionals (cfg.preliminarySelfsigned) [ "acme-selfsigned-${cert}.service" ];
+    selfsignedDeps = lib.optionals (cfg.preliminarySelfsigned) [ "acme-selfsigned-${cert}.service" ];
 
     # Minica and lego have a "feature" which replaces * with _. We need
     # to make this substitution to reference the output files from both programs.
@@ -196,7 +195,7 @@ let
     # FIXME when mkChangedOptionModule supports submodules, change to that.
     # This is a workaround
     extraDomains = data.extraDomainNames ++ (
-      optionals
+      lib.optionals
       (data.extraDomains != "_mkMergedOptionModule")
       (builtins.attrNames data.extraDomains)
     );
@@ -204,22 +203,22 @@ let
     # Create hashes for cert data directories based on configuration
     # Flags are separated to avoid collisions
     hashData = with builtins; ''
-      ${concatStringsSep " " data.extraLegoFlags} -
+      ${lib.concatStringsSep " " data.extraLegoFlags} -
-      ${concatStringsSep " " data.extraLegoRunFlags} -
+      ${lib.concatStringsSep " " data.extraLegoRunFlags} -
-      ${concatStringsSep " " data.extraLegoRenewFlags} -
+      ${lib.concatStringsSep " " data.extraLegoRenewFlags} -
       ${toString acmeServer} ${toString data.dnsProvider}
       ${toString data.ocspMustStaple} ${data.keyType}
     '';
     certDir = mkHash hashData;
     # TODO remove domainHash usage entirely. Waiting on go-acme/lego#1532
-    domainHash = mkHash "${concatStringsSep " " extraDomains} ${data.domain}";
+    domainHash = mkHash "${lib.concatStringsSep " " extraDomains} ${data.domain}";
     accountHash = (mkAccountHash acmeServer data);
     accountDir = accountDirRoot + accountHash;
 
     protocolOpts = if useDns then (
       [ "--dns" data.dnsProvider ]
-      ++ optionals (!data.dnsPropagationCheck) [ "--dns.disable-cp" ]
+      ++ lib.optionals (!data.dnsPropagationCheck) [ "--dns.disable-cp" ]
-      ++ optionals (data.dnsResolver != null) [ "--dns.resolvers" data.dnsResolver ]
+      ++ lib.optionals (data.dnsResolver != null) [ "--dns.resolvers" data.dnsResolver ]
     ) else if data.s3Bucket != null then [ "--http" "--http.s3-bucket" data.s3Bucket ]
     else if data.listenHTTP != null then [ "--http" "--http.port" data.listenHTTP ]
     else [ "--http" "--http.webroot" data.webroot ];
@@ -231,22 +230,22 @@ let
       "--email" data.email
       "--key-type" data.keyType
     ] ++ protocolOpts
-      ++ optionals (acmeServer != null) [ "--server" acmeServer ]
+      ++ lib.optionals (acmeServer != null) [ "--server" acmeServer ]
-      ++ concatMap (name: [ "-d" name ]) extraDomains
+      ++ lib.concatMap (name: [ "-d" name ]) extraDomains
       ++ data.extraLegoFlags;
 
     # Although --must-staple is common to both modes, it is not declared as a
     # mode-agnostic argument in lego and thus must come after the mode.
-    runOpts = escapeShellArgs (
+    runOpts = lib.escapeShellArgs (
       commonOpts
       ++ [ "run" ]
-      ++ optionals data.ocspMustStaple [ "--must-staple" ]
+      ++ lib.optionals data.ocspMustStaple [ "--must-staple" ]
       ++ data.extraLegoRunFlags
     );
-    renewOpts = escapeShellArgs (
+    renewOpts = lib.escapeShellArgs (
       commonOpts
       ++ [ "renew" "--no-random-sleep" ]
-      ++ optionals data.ocspMustStaple [ "--must-staple" ]
+      ++ lib.optionals data.ocspMustStaple [ "--must-staple" ]
       ++ data.extraLegoRenewFlags
     );
 
@@ -286,8 +285,8 @@ let
 
     selfsignService = lockfileName: {
       description = "Generate self-signed certificate for ${cert}";
-      after = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ] ++ optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service";
+      after = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ] ++ lib.optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service";
-      requires = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ] ++ optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service";
+      requires = [ "acme-selfsigned-ca.service" "acme-fixperms.service" ] ++ lib.optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service";
 
       path = with pkgs; [ minica ];
 
@@ -315,7 +314,7 @@ let
         minica \
           --ca-key ca/key.pem \
           --ca-cert ca/cert.pem \
-          --domains ${escapeShellArg (builtins.concatStringsSep "," ([ data.domain ] ++ extraDomains))}
+          --domains ${lib.escapeShellArg (builtins.concatStringsSep "," ([ data.domain ] ++ extraDomains))}
 
         # Create files to match directory layout for real certificates
         cd '${keyName}'
@@ -334,11 +333,11 @@ let
 
     renewService = lockfileName: {
       description = "Renew ACME certificate for ${cert}";
-      after = [ "network.target" "network-online.target" "acme-fixperms.service" "nss-lookup.target" ] ++ selfsignedDeps ++ optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service";
+      after = [ "network.target" "network-online.target" "acme-fixperms.service" "nss-lookup.target" ] ++ selfsignedDeps ++ lib.optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service";
-      wants = [ "network-online.target" "acme-fixperms.service" ] ++ selfsignedDeps ++ optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service";
+      wants = [ "network-online.target" "acme-fixperms.service" ] ++ selfsignedDeps ++ lib.optional (cfg.maxConcurrentRenewals > 0) "acme-lockfiles.service";
 
       # https://github.com/NixOS/nixpkgs/pull/81371#issuecomment-605526099
-      wantedBy = optionals (!config.boot.isContainer) [ "multi-user.target" ];
+      wantedBy = lib.optionals (!config.boot.isContainer) [ "multi-user.target" ];
 
       path = with pkgs; [ lego coreutils diffutils openssl ];
 
@@ -368,33 +367,33 @@ let
           "/var/lib/acme/.lego/${cert}/${certDir}:/tmp/certificates"
         ];
 
-        EnvironmentFile = mkIf useDnsOrS3 data.environmentFile;
+        EnvironmentFile = lib.mkIf useDnsOrS3 data.environmentFile;
 
-        Environment = mkIf useDnsOrS3
+        Environment = lib.mkIf useDnsOrS3
-          (mapAttrsToList (k: v: ''"${k}=%d/${k}"'') data.credentialFiles);
+          (lib.mapAttrsToList (k: v: ''"${k}=%d/${k}"'') data.credentialFiles);
 
-        LoadCredential = mkIf useDnsOrS3
+        LoadCredential = lib.mkIf useDnsOrS3
-          (mapAttrsToList (k: v: "${k}:${v}") data.credentialFiles);
+          (lib.mapAttrsToList (k: v: "${k}:${v}") data.credentialFiles);
 
         # Run as root (Prefixed with +)
         ExecStartPost = "+" + (pkgs.writeShellScript "acme-postrun" ''
-          cd /var/lib/acme/${escapeShellArg cert}
+          cd /var/lib/acme/${lib.escapeShellArg cert}
           if [ -e renewed ]; then
             rm renewed
             ${data.postRun}
-            ${optionalString (data.reloadServices != [])
+            ${lib.optionalString (data.reloadServices != [])
-                "systemctl --no-block try-reload-or-restart ${escapeShellArgs data.reloadServices}"
+                "systemctl --no-block try-reload-or-restart ${lib.escapeShellArgs data.reloadServices}"
             }
           fi
         '');
-      } // optionalAttrs (data.listenHTTP != null && toInt (last (splitString ":" data.listenHTTP)) < 1024) {
+      } // lib.optionalAttrs (data.listenHTTP != null && lib.toInt (lib.last (lib.splitString ":" data.listenHTTP)) < 1024) {
         CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
         AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
       };
 
       # Working directory will be /tmp
       script = (if (lockfileName == null) then lib.id else wrapInFlock "${lockdir}${lockfileName}") ''
-        ${optionalString data.enableDebugLogs "set -x"}
+        ${lib.optionalString data.enableDebugLogs "set -x"}
         set -euo pipefail
 
         # This reimplements the expiration date check, but without querying
@@ -425,7 +424,7 @@ let
           [[ $expiration_days -gt ${toString data.validMinDays} ]]
         }
 
-        ${optionalString (data.webroot != null) ''
+        ${lib.optionalString (data.webroot != null) ''
           # Ensure the webroot exists. Fixing group is required in case configuration was changed between runs.
           # Lego will fail if the webroot does not exist at all.
           (
@@ -461,7 +460,7 @@ let
           # Produce a nice error for those doing their first nixos-rebuild with these certs
           echo Failed to fetch certificates. \
             This may mean your DNS records are set up incorrectly. \
-            ${optionalString (cfg.preliminarySelfsigned) "Selfsigned certs are in place and dependant services will still start."}
+            ${lib.optionalString (cfg.preliminarySelfsigned) "Selfsigned certs are in place and dependant services will still start."}
           # Exit 10 so that users can potentially amend SuccessExitStatus to ignore this error.
           # High number to avoid Systemd reserved codes.
           exit 10
@@ -490,7 +489,7 @@ let
     };
   };
 
-  certConfigs = mapAttrs certToConfig cfg.certs;
+  certConfigs = lib.mapAttrs certToConfig cfg.certs;
 
   # These options can be specified within
   # security.acme.defaults or security.acme.certs.<name>
@@ -504,22 +503,22 @@ let
       # stay constant. Though notably it wouldn't matter much, because to get
       # the option information, a submodule with name `<name>` is evaluated
       # without any definitions.
-      defaultText = if isDefaults then default else literalExpression "config.security.acme.defaults.${name}";
+      defaultText = if isDefaults then default else lib.literalExpression "config.security.acme.defaults.${name}";
     };
   in {
     imports = [
-      (mkRenamedOptionModule [ "credentialsFile" ] [ "environmentFile" ])
+      (lib.mkRenamedOptionModule [ "credentialsFile" ] [ "environmentFile" ])
     ];
 
     options = {
-      validMinDays = mkOption {
+      validMinDays = lib.mkOption {
-        type = types.int;
+        type = lib.types.int;
         inherit (defaultAndText "validMinDays" 30) default defaultText;
         description = "Minimum remaining validity before renewal in days.";
       };
 
-      renewInterval = mkOption {
+      renewInterval = lib.mkOption {
-        type = types.str;
+        type = lib.types.str;
         inherit (defaultAndText "renewInterval" "daily") default defaultText;
         description = ''
           Systemd calendar expression when to check for renewal. See
@@ -527,12 +526,12 @@ let
         '';
       };
 
-      enableDebugLogs = mkEnableOption "debug logging for this certificate" // {
+      enableDebugLogs = lib.mkEnableOption "debug logging for this certificate" // {
         inherit (defaultAndText "enableDebugLogs" true) default defaultText;
       };
 
-      webroot = mkOption {
+      webroot = lib.mkOption {
-        type = types.nullOr types.str;
+        type = lib.types.nullOr lib.types.str;
         inherit (defaultAndText "webroot" null) default defaultText;
         example = "/var/lib/acme/acme-challenge";
         description = ''
@@ -544,8 +543,8 @@ let
         '';
       };
 
-      server = mkOption {
+      server = lib.mkOption {
-        type = types.nullOr types.str;
+        type = lib.types.nullOr lib.types.str;
         inherit (defaultAndText "server" "https://acme-v02.api.letsencrypt.org/directory") default defaultText;
         example = "https://acme-staging-v02.api.letsencrypt.org/directory";
         description = ''
@@ -556,8 +555,8 @@ let
         '';
       };
 
-      email = mkOption {
+      email = lib.mkOption {
-        type = types.nullOr types.str;
+        type = lib.types.nullOr lib.types.str;
         inherit (defaultAndText "email" null) default defaultText;
         description = ''
           Email address for account creation and correspondence from the CA.
@@ -566,14 +565,14 @@ let
         '';
       };
 
-      group = mkOption {
+      group = lib.mkOption {
-        type = types.str;
+        type = lib.types.str;
         inherit (defaultAndText "group" "acme") default defaultText;
         description = "Group running the ACME client.";
       };
 
-      reloadServices = mkOption {
+      reloadServices = lib.mkOption {
-        type = types.listOf types.str;
+        type = lib.types.listOf lib.types.str;
         inherit (defaultAndText "reloadServices" []) default defaultText;
         description = ''
           The list of systemd services to call `systemctl try-reload-or-restart`
@@ -581,8 +580,8 @@ let
         '';
       };
 
-      postRun = mkOption {
+      postRun = lib.mkOption {
-        type = types.lines;
+        type = lib.types.lines;
         inherit (defaultAndText "postRun" "") default defaultText;
         example = "cp full.pem backup.pem";
         description = ''
@@ -593,8 +592,8 @@ let
         '';
       };
 
-      keyType = mkOption {
+      keyType = lib.mkOption {
-        type = types.str;
+        type = lib.types.str;
         inherit (defaultAndText "keyType" "ec256") default defaultText;
         description = ''
           Key type to use for private keys.
@@ -603,8 +602,8 @@ let
         '';
       };
 
-      dnsProvider = mkOption {
+      dnsProvider = lib.mkOption {
-        type = types.nullOr types.str;
+        type = lib.types.nullOr lib.types.str;
         inherit (defaultAndText "dnsProvider" null) default defaultText;
         example = "route53";
         description = ''
@@ -613,8 +612,8 @@ let
         '';
       };
 
-      dnsResolver = mkOption {
+      dnsResolver = lib.mkOption {
-        type = types.nullOr types.str;
+        type = lib.types.nullOr lib.types.str;
         inherit (defaultAndText "dnsResolver" null) default defaultText;
         example = "1.1.1.1:53";
         description = ''
@@ -624,8 +623,8 @@ let
         '';
       };
 
-      environmentFile = mkOption {
+      environmentFile = lib.mkOption {
-        type = types.nullOr types.path;
+        type = lib.types.nullOr lib.types.path;
         inherit (defaultAndText "environmentFile" null) default defaultText;
         description = ''
           Path to an EnvironmentFile for the cert's service containing any required and
@@ -636,8 +635,8 @@ let
         example = "/var/src/secrets/example.org-route53-api-token";
       };
 
-      credentialFiles = mkOption {
+      credentialFiles = lib.mkOption {
-        type = types.attrsOf (types.path);
+        type = lib.types.attrsOf (lib.types.path);
         inherit (defaultAndText "credentialFiles" {}) default defaultText;
         description = ''
           Environment variables suffixed by "_FILE" to set for the cert's service
@@ -647,15 +646,15 @@ let
           This allows to securely pass credential files to lego by leveraging systemd
           credentials.
         '';
-        example = literalExpression ''
+        example = lib.literalExpression ''
           {
             "RFC2136_TSIG_SECRET_FILE" = "/run/secrets/tsig-secret-example.org";
           }
         '';
       };
 
-      dnsPropagationCheck = mkOption {
+      dnsPropagationCheck = lib.mkOption {
-        type = types.bool;
+        type = lib.types.bool;
         inherit (defaultAndText "dnsPropagationCheck" true) default defaultText;
         description = ''
           Toggles lego DNS propagation check, which is used alongside DNS-01
@@ -663,8 +662,8 @@ let
         '';
       };
 
-      ocspMustStaple = mkOption {
+      ocspMustStaple = lib.mkOption {
-        type = types.bool;
+        type = lib.types.bool;
         inherit (defaultAndText "ocspMustStaple" false) default defaultText;
         description = ''
           Turns on the OCSP Must-Staple TLS extension.
@@ -675,24 +674,24 @@ let
         '';
       };
 
-      extraLegoFlags = mkOption {
+      extraLegoFlags = lib.mkOption {
-        type = types.listOf types.str;
+        type = lib.types.listOf lib.types.str;
         inherit (defaultAndText "extraLegoFlags" []) default defaultText;
         description = ''
           Additional global flags to pass to all lego commands.
         '';
       };
 
-      extraLegoRenewFlags = mkOption {
+      extraLegoRenewFlags = lib.mkOption {
-        type = types.listOf types.str;
+        type = lib.types.listOf lib.types.str;
         inherit (defaultAndText "extraLegoRenewFlags" []) default defaultText;
         description = ''
           Additional flags to pass to lego renew.
         '';
       };
 
-      extraLegoRunFlags = mkOption {
+      extraLegoRunFlags = lib.mkOption {
-        type = types.listOf types.str;
+        type = lib.types.listOf lib.types.str;
         inherit (defaultAndText "extraLegoRunFlags" []) default defaultText;
         description = ''
           Additional flags to pass to lego run.
@@ -704,40 +703,40 @@ let
   certOpts = { name, config, ... }: {
     options = {
       # user option has been removed
-      user = mkOption {
+      user = lib.mkOption {
         visible = false;
         default = "_mkRemovedOptionModule";
       };
 
       # allowKeysForGroup option has been removed
-      allowKeysForGroup = mkOption {
+      allowKeysForGroup = lib.mkOption {
         visible = false;
         default = "_mkRemovedOptionModule";
       };
 
       # extraDomains was replaced with extraDomainNames
-      extraDomains = mkOption {
+      extraDomains = lib.mkOption {
         visible = false;
         default = "_mkMergedOptionModule";
       };
 
-      directory = mkOption {
+      directory = lib.mkOption {
-        type = types.str;
+        type = lib.types.str;
         readOnly = true;
         default = "/var/lib/acme/${name}";
         description = "Directory where certificate and other state is stored.";
       };
 
-      domain = mkOption {
+      domain = lib.mkOption {
-        type = types.str;
+        type = lib.types.str;
         default = name;
         description = "Domain to fetch certificate for (defaults to the entry name).";
       };
 
-      extraDomainNames = mkOption {
+      extraDomainNames = lib.mkOption {
-        type = types.listOf types.str;
+        type = lib.types.listOf lib.types.str;
         default = [];
-        example = literalExpression ''
+        example = lib.literalExpression ''
           [
             "example.org"
             "mydomain.org"
@@ -751,8 +750,8 @@ let
       # This setting must be different for each configured certificate, otherwise
       # two or more renewals may fail to bind to the address. Hence, it is not in
       # the inheritableOpts.
-      listenHTTP = mkOption {
+      listenHTTP = lib.mkOption {
-        type = types.nullOr types.str;
+        type = lib.types.nullOr lib.types.str;
         default = null;
         example = ":1360";
         description = ''
@@ -762,8 +761,8 @@ let
         '';
       };
 
-      s3Bucket = mkOption {
+      s3Bucket = lib.mkOption {
-        type = types.nullOr types.str;
+        type = lib.types.nullOr lib.types.str;
         default = null;
         example = "acme";
         description = ''
@@ -771,7 +770,7 @@ let
         '';
       };
 
-      inheritDefaults = mkOption {
+      inheritDefaults = lib.mkOption {
         default = true;
         example = true;
         description = "Whether to inherit values set in `security.acme.defaults` or not.";
@@ -784,8 +783,8 @@ in {
 
   options = {
     security.acme = {
-      preliminarySelfsigned = mkOption {
+      preliminarySelfsigned = lib.mkOption {
-        type = types.bool;
+        type = lib.types.bool;
         default = true;
         description = ''
           Whether a preliminary self-signed certificate should be generated before
@@ -797,8 +796,8 @@ in {
         '';
       };
 
-      acceptTerms = mkOption {
+      acceptTerms = lib.mkOption {
-        type = types.bool;
+        type = lib.types.bool;
         default = false;
         description = ''
           Accept the CA's terms of service. The default provider is Let's Encrypt,
@@ -806,8 +805,8 @@ in {
         '';
       };
 
-      useRoot = mkOption {
+      useRoot = lib.mkOption {
-        type = types.bool;
+        type = lib.types.bool;
         default = false;
         description = ''
           Whether to use the root user when generating certs. This is not recommended
@@ -818,8 +817,8 @@ in {
         '';
       };
 
-      defaults = mkOption {
+      defaults = lib.mkOption {
-        type = types.submodule (inheritableModule true);
+        type = lib.types.submodule (inheritableModule true);
         description = ''
           Default values inheritable by all configured certs. You can
           use this to define options shared by all your certs. These defaults
@@ -828,9 +827,9 @@ in {
         '';
       };
 
-      certs = mkOption {
+      certs = lib.mkOption {
         default = { };
-        type = with types; attrsOf (submodule [ (inheritableModule false) certOpts ]);
+        type = with lib.types; attrsOf (submodule [ (inheritableModule false) certOpts ]);
         description = ''
           Attribute set of certificates to get signed and renewed. Creates
           `acme-''${cert}.{service,timer}` systemd units for
@@ -838,7 +837,7 @@ in {
           to those units if they rely on the certificates being present,
           or trigger restarts of the service if certificates get renewed.
         '';
-        example = literalExpression ''
+        example = lib.literalExpression ''
           {
             "example.com" = {
               webroot = "/var/lib/acme/acme-challenge/";
@@ -852,9 +851,9 @@ in {
           }
         '';
       };
-      maxConcurrentRenewals = mkOption {
+      maxConcurrentRenewals = lib.mkOption {
         default = 5;
-        type = types.int;
+        type = lib.types.int;
         description = ''
           Maximum number of concurrent certificate generation or renewal jobs. All other
           jobs will queue and wait running jobs to finish. Reduces the system load of
@@ -867,39 +866,39 @@ in {
   };
 
   imports = [
-    (mkRemovedOptionModule [ "security" "acme" "production" ] ''
+    (lib.mkRemovedOptionModule [ "security" "acme" "production" ] ''
       Use security.acme.server to define your staging ACME server URL instead.
 
       To use the let's encrypt staging server, use security.acme.server =
       "https://acme-staging-v02.api.letsencrypt.org/directory".
     '')
-    (mkRemovedOptionModule [ "security" "acme" "directory" ] "ACME Directory is now hardcoded to /var/lib/acme and its permissions are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")
+    (lib.mkRemovedOptionModule [ "security" "acme" "directory" ] "ACME Directory is now hardcoded to /var/lib/acme and its permissions are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")
-    (mkRemovedOptionModule [ "security" "acme" "preDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
+    (lib.mkRemovedOptionModule [ "security" "acme" "preDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
-    (mkRemovedOptionModule [ "security" "acme" "activationDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
+    (lib.mkRemovedOptionModule [ "security" "acme" "activationDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
-    (mkChangedOptionModule [ "security" "acme" "validMin" ] [ "security" "acme" "defaults" "validMinDays" ] (config: config.security.acme.validMin / (24 * 3600)))
+    (lib.mkChangedOptionModule [ "security" "acme" "validMin" ] [ "security" "acme" "defaults" "validMinDays" ] (config: config.security.acme.validMin / (24 * 3600)))
-    (mkChangedOptionModule [ "security" "acme" "validMinDays" ] [ "security" "acme" "defaults" "validMinDays" ] (config: config.security.acme.validMinDays))
+    (lib.mkChangedOptionModule [ "security" "acme" "validMinDays" ] [ "security" "acme" "defaults" "validMinDays" ] (config: config.security.acme.validMinDays))
-    (mkChangedOptionModule [ "security" "acme" "renewInterval" ] [ "security" "acme" "defaults" "renewInterval" ] (config: config.security.acme.renewInterval))
+    (lib.mkChangedOptionModule [ "security" "acme" "renewInterval" ] [ "security" "acme" "defaults" "renewInterval" ] (config: config.security.acme.renewInterval))
-    (mkChangedOptionModule [ "security" "acme" "email" ] [ "security" "acme" "defaults" "email" ] (config: config.security.acme.email))
+    (lib.mkChangedOptionModule [ "security" "acme" "email" ] [ "security" "acme" "defaults" "email" ] (config: config.security.acme.email))
-    (mkChangedOptionModule [ "security" "acme" "server" ] [ "security" "acme" "defaults" "server" ] (config: config.security.acme.server))
+    (lib.mkChangedOptionModule [ "security" "acme" "server" ] [ "security" "acme" "defaults" "server" ] (config: config.security.acme.server))
-    (mkChangedOptionModule [ "security" "acme" "enableDebugLogs" ] [ "security" "acme" "defaults" "enableDebugLogs" ] (config: config.security.acme.enableDebugLogs))
+    (lib.mkChangedOptionModule [ "security" "acme" "enableDebugLogs" ] [ "security" "acme" "defaults" "enableDebugLogs" ] (config: config.security.acme.enableDebugLogs))
   ];
 
-  config = mkMerge [
+  config = lib.mkMerge [
-    (mkIf (cfg.certs != { }) {
+    (lib.mkIf (cfg.certs != { }) {
 
       # FIXME Most of these custom warnings and filters for security.acme.certs.* are required
       # because using mkRemovedOptionModule/mkChangedOptionModule with attrsets isn't possible.
-      warnings = filter (w: w != "") (mapAttrsToList (cert: data: optionalString (data.extraDomains != "_mkMergedOptionModule") ''
+      warnings = lib.filter (w: w != "") (lib.mapAttrsToList (cert: data: lib.optionalString (data.extraDomains != "_mkMergedOptionModule") ''
         The option definition `security.acme.certs.${cert}.extraDomains` has changed
         to `security.acme.certs.${cert}.extraDomainNames` and is now a list of strings.
         Setting a custom webroot for extra domains is not possible, instead use separate certs.
       '') cfg.certs);
 
       assertions = let
-        certs = attrValues cfg.certs;
+        certs = lib.attrValues cfg.certs;
       in [
         {
-          assertion = cfg.defaults.email != null || all (certOpts: certOpts.email != null) certs;
+          assertion = cfg.defaults.email != null || lib.all (certOpts: certOpts.email != null) certs;
           message = ''
             You must define `security.acme.certs.<name>.email` or
             `security.acme.defaults.email` to register with the CA. Note that using
@@ -914,7 +913,7 @@ in {
             to `true`. For Let's Encrypt's ToS see https://letsencrypt.org/repository/
           '';
         }
-      ] ++ (builtins.concatLists (mapAttrsToList (cert: data: [
+      ] ++ (builtins.concatLists (lib.mapAttrsToList (cert: data: [
         {
           assertion = data.user == "_mkRemovedOptionModule";
           message = ''
@@ -936,7 +935,7 @@ in {
         # referencing them as a user quite weird too. Best practice is to use
         # the domain option.
         {
-          assertion = ! hasInfix "*" cert;
+          assertion = ! lib.hasInfix "*" cert;
           message = ''
             The cert option path `security.acme.certs.${cert}.dnsProvider`
             cannot contain a * character.
@@ -959,7 +958,7 @@ in {
           '';
         })
         {
-          assertion = all (hasSuffix "_FILE") (attrNames data.credentialFiles);
+          assertion = lib.all (lib.hasSuffix "_FILE") (lib.attrNames data.credentialFiles);
           message = ''
             Option `security.acme.certs.${cert}.credentialFiles` can only be
             used for variables suffixed by "_FILE".
@@ -982,27 +981,27 @@ in {
       ];
 
       systemd.services = let
-        renewServiceFunctions = mapAttrs' (cert: conf: nameValuePair "acme-${cert}" conf.renewService) certConfigs;
+        renewServiceFunctions = lib.mapAttrs' (cert: conf: lib.nameValuePair "acme-${cert}" conf.renewService) certConfigs;
         renewServices =  if cfg.maxConcurrentRenewals > 0
           then roundRobinApplyAttrs renewServiceFunctions concurrencyLockfiles
-          else mapAttrs (_: f: f null) renewServiceFunctions;
+          else lib.mapAttrs (_: f: f null) renewServiceFunctions;
-        selfsignServiceFunctions = mapAttrs' (cert: conf: nameValuePair "acme-selfsigned-${cert}" conf.selfsignService) certConfigs;
+        selfsignServiceFunctions = lib.mapAttrs' (cert: conf: lib.nameValuePair "acme-selfsigned-${cert}" conf.selfsignService) certConfigs;
         selfsignServices = if cfg.maxConcurrentRenewals > 0
           then roundRobinApplyAttrs selfsignServiceFunctions concurrencyLockfiles
-          else mapAttrs (_: f: f null) selfsignServiceFunctions;
+          else lib.mapAttrs (_: f: f null) selfsignServiceFunctions;
         in
         { "acme-fixperms" = userMigrationService; }
-        // (optionalAttrs (cfg.maxConcurrentRenewals > 0) {"acme-lockfiles" = lockfilePrepareService; })
+        // (lib.optionalAttrs (cfg.maxConcurrentRenewals > 0) {"acme-lockfiles" = lockfilePrepareService; })
         // renewServices
-        // (optionalAttrs (cfg.preliminarySelfsigned) ({
+        // (lib.optionalAttrs (cfg.preliminarySelfsigned) ({
         "acme-selfsigned-ca" = selfsignCAService;
       } // selfsignServices));
 
-      systemd.timers = mapAttrs' (cert: conf: nameValuePair "acme-${cert}" conf.renewTimer) certConfigs;
+      systemd.timers = lib.mapAttrs' (cert: conf: lib.nameValuePair "acme-${cert}" conf.renewTimer) certConfigs;
 
       systemd.targets = let
         # Create some targets which can be depended on to be "active" after cert renewals
-        finishedTargets = mapAttrs' (cert: conf: nameValuePair "acme-finished-${cert}" {
+        finishedTargets = lib.mapAttrs' (cert: conf: lib.nameValuePair "acme-finished-${cert}" {
           wantedBy = [ "default.target" ];
           requires = [ "acme-${cert}.service" ];
           after = [ "acme-${cert}.service" ];
@@ -1017,15 +1016,15 @@ in {
         # Using a target here is fine - account creation is a one time event. Even if
         # systemd clean --what=state is used to delete the account, so long as the user
         # then runs one of the cert services, there won't be any issues.
-        accountTargets = mapAttrs' (hash: confs: let
+        accountTargets = lib.mapAttrs' (hash: confs: let
           leader = "acme-${(builtins.head confs).cert}.service";
           dependantServices = map (conf: "acme-${conf.cert}.service") (builtins.tail confs);
-        in nameValuePair "acme-account-${hash}" {
+        in lib.nameValuePair "acme-account-${hash}" {
           requiredBy = dependantServices;
           before = dependantServices;
           requires = [ leader ];
           after = [ leader ];
-        }) (groupBy (conf: conf.accountHash) (attrValues certConfigs));
+        }) (lib.groupBy (conf: conf.accountHash) (lib.attrValues certConfigs));
       in finishedTargets // accountTargets;
     })
   ];

nixos/modules/services/matrix/appservice-irc.nix

@@ -137,6 +137,37 @@ in {
                   type = submodule { freeformType = jsonType; };
                   description = "IRC servers to connect to";
                 };
+
+                mediaProxy = {
+                  signingKeyPath = lib.mkOption {
+                    type = path;
+                    default = "/var/lib/matrix-appservice-irc/media-signingkey.jwk";
+                    description = ''
+                      Path to the signing key file for authenticated media.
+                    '';
+                  };
+                  ttlSeconds = lib.mkOption {
+                    type = ints.positive;
+                    default = 3600;
+                    description = ''
+                      Lifetime in seconds, that generated URLs stay valid.
+                    '';
+                  };
+                  bindPort = lib.mkOption {
+                    type = port;
+                    default = 11111;
+                    description = ''
+                      Port that the media proxy binds to.
+                    '';
+                  };
+                  publicUrl = lib.mkOption {
+                    type = str;
+                    example = "https://matrix.example.com/media";
+                    description = ''
+                      URL under which the media proxy is publicly acccessible.
+                    '';
+                  };
+                };
               };
             };
           };
@@ -144,6 +175,7 @@ in {
       };
     };
   };
+
   config = lib.mkIf cfg.enable {
     systemd.services.matrix-appservice-irc = {
       description = "Matrix-IRC bridge";
@@ -181,6 +213,9 @@ in {
           sed -i "s/^hs_token:.*$/$hs_token/g" ${registrationFile}
           sed -i "s/^as_token:.*$/$as_token/g" ${registrationFile}
         fi
+        if ! [ -f "${cfg.settings.ircService.mediaProxy.signingKeyPath}"]; then
+          ${lib.getExe pkgs.nodejs} ${pkg}/lib/generate-signing-key.js > "${cfg.settings.ircService.mediaProxy.signingKeyPath}"
+        fi
         # Allow synapse access to the registration
         if ${pkgs.getent}/bin/getent group matrix-synapse > /dev/null; then
           chgrp matrix-synapse ${registrationFile}

nixos/modules/services/matrix/synapse.md

@@ -188,7 +188,7 @@ or [OpenID](https://element-hq.github.io/synapse/latest/openid.html).
 
 ## Element (formerly known as Riot) Web Client {#module-services-matrix-element-web}
 
-[Element Web](https://github.com/vector-im/riot-web/) is
+[Element Web](https://github.com/element-hq/element-web) is
 the reference web client for Matrix and developed by the core team at
 matrix.org. Element was formerly known as Riot.im, see the
 [Element introductory blog post](https://element.io/blog/welcome-to-element/)
@@ -228,6 +228,6 @@ the example, this means that you should not reuse the
 `myhostname.example.org` virtualHost to also serve Element,
 but instead serve it on a different subdomain, like
 `element.example.org` in the example. See the
-[Element Important Security Notes](https://github.com/vector-im/element-web/tree/v1.10.0#important-security-notes)
+[Element Important Security Notes](https://github.com/element-hq/element-web/tree/v1.10.0#important-security-notes)
 for more information on this subject.
 :::

nixos/modules/system/boot/resolved.nix

@@ -205,11 +205,12 @@ in
 
       boot.initrd.systemd = {
         contents = {
-          "/etc/tmpfiles.d/resolv.conf".text =
-            "L /etc/resolv.conf - - - - /run/systemd/resolve/stub-resolv.conf";
           "/etc/systemd/resolved.conf".text = resolvedConf;
         };
 
+        tmpfiles.settings.systemd-resolved-stub."/etc/resolv.conf".L.argument =
+          "/run/systemd/resolve/stub-resolv.conf";
+
         additionalUpstreamUnits = ["systemd-resolved.service"];
         users.systemd-resolve = {};
         groups.systemd-resolve = {};

nixos/modules/system/boot/systemd/dm-verity.nix

@@ -1,65 +0,0 @@
-{ config, lib, ... }:
-
-let
-  cfg = config.boot.initrd.systemd.dmVerity;
-in
-{
-  options = {
-    boot.initrd.systemd.dmVerity = {
-      enable = lib.mkEnableOption "dm-verity" // {
-        description = ''
-          Mount verity-protected block devices in the initrd.
-
-          Enabling this option allows to use `systemd-veritysetup` and
-          `systemd-veritysetup-generator` in the initrd.
-        '';
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    assertions = [
-      {
-        assertion = cfg.enable -> config.boot.initrd.systemd.enable;
-        message = ''
-          'boot.initrd.systemd.dmVerity.enable' requires 'boot.initrd.systemd.enable' to be enabled.
-        '';
-      }
-    ];
-
-    boot.initrd = {
-      availableKernelModules = [
-        # For documentation, see https://docs.kernel.org/admin-guide/device-mapper/dm-init.html
-        "dm_mod"
-        # For documentation, see:
-        # - https://docs.kernel.org/admin-guide/device-mapper/verity.html
-        # - https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMVerity
-        "dm_verity"
-      ];
-
-      # dm-verity needs additional udev rules from LVM to work.
-      services.lvm.enable = true;
-
-      # The additional targets and store paths allow users to integrate verity-protected devices
-      # through the systemd tooling.
-      systemd = {
-        additionalUpstreamUnits = [
-          # https://github.com/systemd/systemd/blob/main/units/veritysetup-pre.target
-          "veritysetup-pre.target"
-          # https://github.com/systemd/systemd/blob/main/units/veritysetup.target
-          "veritysetup.target"
-          # https://github.com/systemd/systemd/blob/main/units/remote-veritysetup.target
-          "remote-veritysetup.target"
-        ];
-
-        storePaths = [
-          # These are the two binaries mentioned in https://github.com/systemd/systemd/blob/main/src/veritysetup/meson.build; there are no others.
-          "${config.boot.initrd.systemd.package}/lib/systemd/systemd-veritysetup"
-          "${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-veritysetup-generator"
-        ];
-      };
-    };
-  };
-
-  meta.maintainers = [ lib.maintainers.msanft ];
-}

nixos/modules/system/boot/systemd/initrd.nix

@@ -218,7 +218,7 @@ in {
     };
 
     root = lib.mkOption {
-      type = lib.types.nullOr (lib.types.enum [ "fstab" "gpt-auto" ]);
+      type = lib.types.enum [ "fstab" "gpt-auto" ];
       default = "fstab";
       example = "gpt-auto";
       description = ''
@@ -227,9 +227,6 @@ in {
         allow specifying the root file system itself this
         way. Instead, the `fstab` value is used in order to interpret
         the root file system specified with the `fileSystems` option.
-
-        If the root FS is mounted by other means, such as systemd generators other than
-        `fstab`, `gpt-auto` or a custom generator, set this to `null`.
       '';
     };
 
@@ -401,9 +398,9 @@ in {
     ++ lib.optional (cfg.enableTpm2 && !(pkgs.stdenv.hostPlatform.isRiscV64 || pkgs.stdenv.hostPlatform.isArmv7)) "tpm-crb"
     ++ lib.optional cfg.package.withEfi "efivarfs";
 
-    boot.kernelParams =
+    boot.kernelParams = [
-      lib.optional (config.boot.initrd.systemd.root != null) "root=${config.boot.initrd.systemd.root}"
+      "root=${config.boot.initrd.systemd.root}"
-      ++ lib.optional (config.boot.resumeDevice != "") "resume=${config.boot.resumeDevice}"
+    ] ++ lib.optional (config.boot.resumeDevice != "") "resume=${config.boot.resumeDevice}"
       # `systemd` mounts root in initrd as read-only unless "rw" is on the kernel command line.
       # For NixOS activation to succeed, we need to have root writable in initrd.
       ++ lib.optional (config.boot.initrd.systemd.root == "gpt-auto") "rw";

nixos/modules/system/boot/systemd/tmpfiles.nix

@@ -163,6 +163,20 @@ in
   };
 
   config = {
+    warnings =
+      let
+        paths = lib.filter (path:
+          path != null && lib.hasPrefix "/etc/tmpfiles.d/" path
+        ) (map (path: path.target) config.boot.initrd.systemd.storePaths);
+      in
+      lib.optional (lib.length paths > 0) (lib.concatStringsSep " " [
+        "Files inside /etc/tmpfiles.d in the initrd need to be created with"
+        "boot.initrd.systemd.tmpfiles.settings."
+        "Creating them by hand using boot.initrd.systemd.contents or"
+        "boot.initrd.systemd.storePaths will lead to errors in the future."
+        "Found these problematic files: ${lib.concatStringsSep ", " paths}"
+      ]);
+
     systemd.additionalUpstreamSystemUnits = [
       "systemd-tmpfiles-clean.service"
       "systemd-tmpfiles-clean.timer"

nixos/tests/all-tests.nix

@@ -259,7 +259,6 @@ in {
   dhparams = handleTest ./dhparams.nix {};
   disable-installer-tools = handleTest ./disable-installer-tools.nix {};
   discourse = handleTest ./discourse.nix {};
-  dm-verity = runTest ./dm-verity.nix;
   dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {};
   dnscrypt-wrapper = runTestOn ["x86_64-linux"] ./dnscrypt-wrapper;
   dnsdist = import ./dnsdist.nix { inherit pkgs runTest; };
@@ -571,7 +570,7 @@ in {
   mate-wayland = handleTest ./mate-wayland.nix {};
   matter-server = handleTest ./matter-server.nix {};
   matomo = handleTest ./matomo.nix {};
-  matrix-appservice-irc = handleTest ./matrix/appservice-irc.nix {};
+  matrix-appservice-irc = runTest ./matrix/appservice-irc.nix;
   matrix-conduit = handleTest ./matrix/conduit.nix {};
   matrix-synapse = handleTest ./matrix/synapse.nix {};
   matrix-synapse-workers = handleTest ./matrix/synapse-workers.nix {};

nixos/tests/dm-verity.nix

@@ -1,245 +0,0 @@
-# Tests a NixOS system with a read-only root filesystem that's integrity-protected
-# through DM-verity. The root filesystem is mounted read-only, and for NixOS activation
-# to succeed, an overlay `tmpfs` is mounted on top of it.
-# This test uses systemd-repart to create a bootable disk image, as it supplies handy
-# utilities for creating verity partitions, but it can also be setup manually through
-# `systemd-veritysetup`.
-
-{ lib, pkgs, ... }:
-
-let
-  imageId = "verity-root-image";
-  imageVersion = "1-rc1";
-
-  # Use a random, but fixed root hash placeholder to allow us specifying the "real" root hash
-  # after the image is first built.
-  roothashPlaceholder = "61fe0f0c98eff2a595dd2f63a5e481a0a25387261fa9e34c37e3a4910edf32b8";
-in
-{
-  name = "verity-root";
-
-  meta.maintainers = with lib.maintainers; [ msanft ];
-
-  nodes.machine =
-    {
-      lib,
-      pkgs,
-      config,
-      modulesPath,
-      ...
-    }:
-    {
-
-      imports = [ "${modulesPath}/image/repart.nix" ];
-
-      virtualisation.directBoot.enable = false;
-      virtualisation.mountHostNixStore = false;
-      virtualisation.useEFIBoot = true;
-
-      # Disable boot loaders, as a UKI is used, which contains systemd-stub.
-      # TODO(raitobezarius): revisit this when #244907 lands
-      boot.loader.grub.enable = false;
-
-      system.image.id = imageId;
-      system.image.version = imageVersion;
-
-      # systemd-veritysetup-generator takes care of setting up the root filesystem.
-      fileSystems = lib.mkForce { };
-      virtualisation.fileSystems = lib.mkForce { };
-
-      # Provides 'veritysetup' to check if the verity-protected device
-      # has been mapped correctly.
-      environment.systemPackages = with pkgs; [ cryptsetup ];
-
-      boot.initrd = {
-        kernelModules = [ "overlay" ];
-        supportedFilesystems = [ "erofs" ];
-
-        systemd = {
-          enable = true;
-          dmVerity.enable = true;
-          root = null; # systemd-veritysetup-generator takes care of mounting /
-
-          tmpfiles.settings = {
-            "10-mountpoints" =
-              let
-                conf = {
-                  mode = "0755";
-                  user = "root";
-                  group = "root";
-                };
-              in
-              {
-                "/run/etc/upper".d = conf;
-                "/run/etc/work".d = conf;
-                "/run/var/upper".d = conf;
-                "/run/var/work".d = conf;
-                "/run/tmp/upper".d = conf;
-                "/run/tmp/work".d = conf;
-              };
-          };
-
-          # We directly define the mount units here, as we need to specify dependencies very
-          # granularly, and systemd-fstab-generator doesn't give us that flexibility.
-          mounts = [
-            {
-              where = "/sysroot/etc";
-              what = "overlay";
-              type = "overlay";
-              options = "lowerdir=/sysroot${config.system.build.etc}/etc,upperdir=/run/etc/upper,workdir=/run/etc/work";
-              wantedBy = [
-                "initrd-fs.target"
-                "initrd-switch-root.target"
-                "default.target"
-              ];
-              before = [ "initrd-fs.target" ];
-              after = [ "systemd-tmpfiles-setup.service" ];
-              unitConfig.RequiresMountsFor = "/sysroot/nix/store";
-              unitConfig.DefaultDependencies = false;
-            }
-            {
-              where = "/sysroot/var";
-              what = "overlay";
-              type = "overlay";
-              options = "lowerdir=/sysroot/var,upperdir=/run/var/upper,workdir=/run/var/work";
-              wantedBy = [
-                "initrd-fs.target"
-                "initrd-switch-root.target"
-                "default.target"
-              ];
-              before = [ "initrd-fs.target" ];
-              after = [ "systemd-tmpfiles-setup.service" ];
-              unitConfig.RequiresMountsFor = "/sysroot/nix/store";
-              unitConfig.DefaultDependencies = false;
-            }
-            {
-              where = "/sysroot/tmp";
-              what = "overlay";
-              type = "overlay";
-              options = "lowerdir=/sysroot/tmp,upperdir=/run/tmp/upper,workdir=/run/tmp/work";
-              wantedBy = [
-                "initrd-fs.target"
-                "initrd-switch-root.target"
-                "default.target"
-              ];
-              before = [ "initrd-fs.target" ];
-              after = [ "systemd-tmpfiles-setup.service" ];
-              unitConfig.RequiresMountsFor = "/sysroot/nix/store";
-              unitConfig.DefaultDependencies = false;
-            }
-          ];
-        };
-      };
-
-      boot.kernelParams = [
-        "systemd.verity=yes"
-        "roothash=${roothashPlaceholder}"
-      ];
-
-      image.repart = {
-        name = imageId;
-        # OVMF does not work with the default repart sector size of 4096
-        sectorSize = 512;
-        partitions = {
-          # ESP
-          "00-esp" = {
-            contents =
-              let
-                efiArch = config.nixpkgs.hostPlatform.efiArch;
-              in
-              {
-                "/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
-
-                "/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
-              };
-            repartConfig = {
-              Type = "esp";
-              Format = "vfat";
-              # Minimize = "guess" seems to not work very well for vfat
-              # partitions. It's better to set a sensible default instead. The
-              # aarch64 kernel seems to generally be a little bigger than the
-              # x86_64 kernel. To stay on the safe side, leave some more slack
-              # for every platform other than x86_64.
-              SizeMinBytes = if config.nixpkgs.hostPlatform.isx86_64 then "64M" else "96M";
-            };
-          };
-
-          # Root Partition
-          "10-root" = {
-            storePaths = [ config.system.build.toplevel ];
-            repartConfig = {
-              Type = "root";
-              Format = "erofs";
-              Label = "root";
-              Verity = "data";
-              VerityMatchKey = "root";
-              Minimize = "best";
-              # We need to ensure that mountpoints are available.
-              MakeDirectories = "/bin /boot /dev /etc /home /lib /lib64 /mnt /nix /opt /proc /root /run /srv /sys /tmp /usr /var";
-            };
-          };
-
-          # Verity hashtree for the root partition
-          "20-root-verity" = {
-            repartConfig = {
-              Type = "root-verity";
-              Label = "root-verity";
-              Verity = "hash";
-              VerityMatchKey = "root";
-              Minimize = "best";
-            };
-          };
-        };
-      };
-    };
-
-  testScript =
-    let
-      # We override the build of the image by extending it with code to replace the placeholder with the real root hash.
-      # This way, we can build the image first and then set the root hash afterwards in a single derivation.
-      buildOverride = oldAttrs: {
-        nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ pkgs.jq ];
-        postInstall = ''
-          # Replace the placeholder with the real root hash.
-          realRoothash=$(${pkgs.jq}/bin/jq -r "[.[] | select(.roothash != null)] | .[0].roothash" $out/repart-output.json)
-          sed -i "0,/${roothashPlaceholder}/ s/${roothashPlaceholder}/$realRoothash/" $out/${oldAttrs.pname}_${oldAttrs.version}.raw
-        '';
-      };
-    in
-    { nodes, ... }:
-    ''
-      import os, subprocess, tempfile
-
-      tmp_disk_image = tempfile.NamedTemporaryFile()
-
-      subprocess.run([
-        "${nodes.machine.virtualisation.qemu.package}/bin/qemu-img",
-        "create",
-        "-f",
-        "qcow2",
-        "-b",
-        "${nodes.machine.system.build.image.overrideAttrs buildOverride}/${nodes.machine.image.repart.imageFile}",
-        "-F",
-        "raw",
-        tmp_disk_image.name,
-      ])
-
-      # Set NIX_DISK_IMAGE so that the qemu script finds the right disk image.
-      os.environ['NIX_DISK_IMAGE'] = tmp_disk_image.name
-
-      os_release = machine.succeed("cat /etc/os-release")
-      assert 'IMAGE_ID="${imageId}"' in os_release
-      assert 'IMAGE_VERSION="${imageVersion}"' in os_release
-
-      bootctl_status = machine.succeed("bootctl status")
-      assert "Boot Loader Specification Type #2 (.efi)" in bootctl_status
-
-      verity_status = machine.succeed("veritysetup status root")
-      assert "type:        VERITY" in verity_status
-      assert "status:      verified" in verity_status
-
-      commandline = machine.succeed("cat /proc/cmdline")
-      roothash = commandline.split("roothash=")[1].split(" ")[0]
-      assert roothash in verity_status
-    '';
-}

nixos/tests/matrix/appservice-irc.nix

@@ -1,4 +1,4 @@
-import ../make-test-python.nix ({ pkgs, ... }:
+{ pkgs, ... }:
   let
     homeserverUrl = "http://homeserver:8008";
   in
@@ -9,7 +9,7 @@ import ../make-test-python.nix ({ pkgs, ... }:
     };
 
     nodes = {
-      homeserver = { pkgs, ... }: {
+      homeserver = {
         # We'll switch to this once the config is copied into place
         specialisation.running.configuration = {
           services.matrix-synapse = {
@@ -46,7 +46,7 @@ import ../make-test-python.nix ({ pkgs, ... }:
         };
       };
 
-      ircd = { pkgs, ... }: {
+      ircd = {
         services.ngircd = {
           enable = true;
           config = ''
@@ -75,13 +75,16 @@ import ../make-test-python.nix ({ pkgs, ... }:
             homeserver.url = homeserverUrl;
             homeserver.domain = "homeserver";
 
-            ircService.servers."ircd" = {
+            ircService = {
-              name = "IRCd";
+              servers."ircd" = {
-              port = 6667;
+                name = "IRCd";
-              dynamicChannels = {
+                port = 6667;
-                enabled = true;
+                dynamicChannels = {
-                aliasTemplate = "#irc_$CHANNEL";
+                  enabled = true;
+                  aliasTemplate = "#irc_$CHANNEL";
+                };
               };
+              mediaProxy.publicUrl = "http://localhost:11111/media";
             };
           };
         };
@@ -203,6 +206,8 @@ import ../make-test-python.nix ({ pkgs, ... }:
       with subtest("start the appservice"):
           appservice.wait_for_unit("matrix-appservice-irc.service")
           appservice.wait_for_open_port(8009)
+          appservice.wait_for_file("/var/lib/matrix-appservice-irc/media-signingkey.jwk")
+          appservice.wait_for_open_port(11111)
 
       with subtest("copy the registration file"):
           appservice.copy_from_vm("/var/lib/matrix-appservice-irc/registration.yml")
@@ -222,4 +227,4 @@ import ../make-test-python.nix ({ pkgs, ... }:
       with subtest("ensure messages can be exchanged"):
           client.succeed("do_test ${homeserverUrl} >&2")
     '';
-  })
+  }

pkgs/applications/audio/picard/default.nix

@@ -21,14 +21,14 @@ in
 pythonPackages.buildPythonApplication rec {
   pname = "picard";
   # nix-update --commit picard --version-regex 'release-(.*)'
-  version = "2.12.2";
+  version = "2.12.3";
   format = "setuptools";
 
   src = fetchFromGitHub {
     owner = "metabrainz";
     repo = "picard";
     rev = "refs/tags/release-${version}";
-    hash = "sha256-m0cFJKkYNH01YzcRrbKgkXpjlZ9ZEymwGDnOFQfZKv0=";
+    hash = "sha256-ysHOiX8b9tlUaQDGl4qHUVLrLUF9MUDc4+vOQB76cj4=";
   };
 
   nativeBuildInputs = [

pkgs/applications/graphics/ImageMagick/default.nix

@@ -133,7 +133,7 @@ stdenv.mkDerivation (finalAttrs: {
     version = testers.testVersion { package = finalAttrs.finalPackage; };
     inherit nixos-icons;
     inherit (perlPackages) ImageMagick;
-    inherit (python3.pkgs) img2pdf;
+    inherit (python3.pkgs) img2pdf willow;
     pkg-config = testers.hasPkgConfigModules {
       package = finalAttrs.finalPackage;
       version = lib.head (lib.splitString "-" finalAttrs.version);

pkgs/applications/networking/cluster/k3s/1_28/images-versions.json

@@ -1,18 +1,18 @@
 {
   "airgap-images-amd64": {
-    "url": "https://github.com/k3s-io/k3s/releases/download/v1.28.12%2Bk3s1/k3s-airgap-images-amd64.tar.zst",
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.28.13%2Bk3s1/k3s-airgap-images-amd64.tar.zst",
-    "sha256": "0dhzkn5y3ng7blyxj4bwrhbq5qvl3hq1hzg0h9633h8swv0xbsss"
+    "sha256": "1v3vyrb86xijyvljs0s0skhxpjbarjqg2sx9m40332dfq9din7xq"
   },
   "airgap-images-arm": {
-    "url": "https://github.com/k3s-io/k3s/releases/download/v1.28.12%2Bk3s1/k3s-airgap-images-arm.tar.zst",
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.28.13%2Bk3s1/k3s-airgap-images-arm.tar.zst",
-    "sha256": "1225nqsfg7p6iq7a7qibzf3d0r7iwn53hnd9w6l189dxqna97015"
+    "sha256": "0yifpx6vix5bjzkz81i5rsn89hkpp0rhk77ndl1lgy66pq4csbmm"
   },
   "airgap-images-arm64": {
-    "url": "https://github.com/k3s-io/k3s/releases/download/v1.28.12%2Bk3s1/k3s-airgap-images-arm64.tar.zst",
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.28.13%2Bk3s1/k3s-airgap-images-arm64.tar.zst",
-    "sha256": "1lic564naj9323dkkq0z0y10n3j3yfmhixargqqs60syanfvj2p7"
+    "sha256": "1p8zf47pghhjqhrcvmzdbcfxxy78pjpqwvmhm3wdidsa8xyy375a"
   },
   "images-list": {
-    "url": "https://github.com/k3s-io/k3s/releases/download/v1.28.12%2Bk3s1/k3s-images.txt",
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.28.13%2Bk3s1/k3s-images.txt",
-    "sha256": "1my3lfs5rfazcnnpsc9dj84dfnxx88xydrl86z6yw5n5p84x4nif"
+    "sha256": "1f1d33jn4g5b6zmzdzzm4ffwfrmjwh60v9gnph0ysxjwsq1k0pxp"
   }
 }

pkgs/applications/networking/cluster/k3s/1_28/versions.nix

@@ -1,15 +1,15 @@
 {
-  k3sVersion = "1.28.12+k3s1";
+  k3sVersion = "1.28.13+k3s1";
-  k3sCommit = "4717e2a58e04f0ba3d9f43d574a7eff01dea9146";
+  k3sCommit = "47737e1c4c941325574e8aa14e4a3af2e596f696";
-  k3sRepoSha256 = "02wywlqqna0dj9cam6q3ykb3p5mi96f6lclrg5yhjky7jdvkffds";
+  k3sRepoSha256 = "1x66n36lxcvi5d9bdz0f1w2p24493rh3vbk1pskqd1f3v3fbv7kn";
-  k3sVendorHash = "sha256-RyUlaGQnfrCm4cB5FRs9IAeF+zn4LzAXmIViU3o30Z4=";
+  k3sVendorHash = "sha256-/knBr0l7dZ6lX9QpohyPNrFEi4WQpNM01zOE5bCIB2E=";
   chartVersions = import ./chart-versions.nix;
   imagesVersions = builtins.fromJSON (builtins.readFile ./images-versions.json);
   k3sRootVersion = "0.14.0";
   k3sRootSha256 = "15cs9faw3jishsb5nhgmb5ldjc47hkwf7hz2126fp8ahf80m0fcl";
   k3sCNIVersion = "1.4.0-k3s2";
   k3sCNISha256 = "17dg6jgjx18nrlyfmkv14dhzxsljz4774zgwz5dchxcf38bvarqa";
-  containerdVersion = "1.7.17-k3s1.28";
+  containerdVersion = "1.7.20-k3s2.28";
-  containerdSha256 = "0nhhx932j551ran3kkvyp4nmsg5c71mq0g6jrcbs2j4nn7yqdkhm";
+  containerdSha256 = "0jqqa9202d94qd7g8d5zy161snlsc42cdjpmp50w4j3pnp2i1cki";
   criCtlVersion = "1.26.0-rc.0-k3s1";
 }

pkgs/applications/networking/cluster/k3s/1_29/images-versions.json

@@ -1,18 +1,18 @@
 {
   "airgap-images-amd64": {
-    "url": "https://github.com/k3s-io/k3s/releases/download/v1.29.7%2Bk3s1/k3s-airgap-images-amd64.tar.zst",
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.29.8%2Bk3s1/k3s-airgap-images-amd64.tar.zst",
-    "sha256": "1dyh107ygnlv9gyq2f9jdgrwjiyg25a61id69z48vc60gq480888"
+    "sha256": "1v3vyrb86xijyvljs0s0skhxpjbarjqg2sx9m40332dfq9din7xq"
   },
   "airgap-images-arm": {
-    "url": "https://github.com/k3s-io/k3s/releases/download/v1.29.7%2Bk3s1/k3s-airgap-images-arm.tar.zst",
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.29.8%2Bk3s1/k3s-airgap-images-arm.tar.zst",
-    "sha256": "16l6d1ix3ri1l2wr2k5brg11a1snbkqhqasrk69wrix6diddklrn"
+    "sha256": "0yifpx6vix5bjzkz81i5rsn89hkpp0rhk77ndl1lgy66pq4csbmm"
   },
   "airgap-images-arm64": {
-    "url": "https://github.com/k3s-io/k3s/releases/download/v1.29.7%2Bk3s1/k3s-airgap-images-arm64.tar.zst",
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.29.8%2Bk3s1/k3s-airgap-images-arm64.tar.zst",
-    "sha256": "0pg4nzh1rf28003yxhl3jklxs41vjjgldviybvnqqp146ib6hy0r"
+    "sha256": "1p8zf47pghhjqhrcvmzdbcfxxy78pjpqwvmhm3wdidsa8xyy375a"
   },
   "images-list": {
-    "url": "https://github.com/k3s-io/k3s/releases/download/v1.29.7%2Bk3s1/k3s-images.txt",
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.29.8%2Bk3s1/k3s-images.txt",
-    "sha256": "1my3lfs5rfazcnnpsc9dj84dfnxx88xydrl86z6yw5n5p84x4nif"
+    "sha256": "1f1d33jn4g5b6zmzdzzm4ffwfrmjwh60v9gnph0ysxjwsq1k0pxp"
   }
 }

pkgs/applications/networking/cluster/k3s/1_29/versions.nix

@@ -1,15 +1,15 @@
 {
-  k3sVersion = "1.29.7+k3s1";
+  k3sVersion = "1.29.8+k3s1";
-  k3sCommit = "f246bbc390a05f45431e49617b58013fe06a460d";
+  k3sCommit = "33fdc35dd67cf6c07989327e992fd26ed89b2449";
-  k3sRepoSha256 = "0fv628rxxavqmb2gv0ncsx4m8ghn3v6ddn2n06x8q4ar27d9gijg";
+  k3sRepoSha256 = "0ky5f039nkhdj6y5v9yr6lk875l29c67j6kqc2dzdb3iqbwskcbr";
-  k3sVendorHash = "sha256-pAOyGgEaO6ewNv+6yhDt83NZl95rmLseFUs4vlXNH6Q=";
+  k3sVendorHash = "sha256-VxVGBvpeKf/nuw09Llf85d4P8oCD2GvD1f0Mxt6fMj8=";
   chartVersions = import ./chart-versions.nix;
   imagesVersions = builtins.fromJSON (builtins.readFile ./images-versions.json);
   k3sRootVersion = "0.14.0";
   k3sRootSha256 = "15cs9faw3jishsb5nhgmb5ldjc47hkwf7hz2126fp8ahf80m0fcl";
   k3sCNIVersion = "1.4.0-k3s2";
   k3sCNISha256 = "17dg6jgjx18nrlyfmkv14dhzxsljz4774zgwz5dchxcf38bvarqa";
-  containerdVersion = "1.7.17-k3s1";
+  containerdVersion = "1.7.20-k3s1";
-  containerdSha256 = "1j61mbgx346ydvnjd8b07wf7nmvvplx28wi5jjdzi1k688r2hxpf";
+  containerdSha256 = "12ihr3z8vcglv5b0v9ris29zkkkdvjbcp3bf7ym71a0xdbg83s8i";
   criCtlVersion = "1.29.0-k3s1";
 }

pkgs/applications/networking/cluster/k3s/1_30/images-versions.json

@@ -1,18 +1,18 @@
 {
   "airgap-images-amd64": {
-    "url": "https://github.com/k3s-io/k3s/releases/download/v1.30.3%2Bk3s1/k3s-airgap-images-amd64.tar.zst",
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.30.4%2Bk3s1/k3s-airgap-images-amd64.tar.zst",
-    "sha256": "1ym7cdm3a2f05wgh4vba2g7q1zihrfvvm2zngcs0gm8djj7hy4d9"
+    "sha256": "145sj4gpwdjvfv3bphpdg6db1d83bbwl0shbnsqpjizsm3ifvmm9"
   },
   "airgap-images-arm": {
-    "url": "https://github.com/k3s-io/k3s/releases/download/v1.30.3%2Bk3s1/k3s-airgap-images-arm.tar.zst",
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.30.4%2Bk3s1/k3s-airgap-images-arm.tar.zst",
-    "sha256": "15mj949msrd30xhqryhpsvx1bi3pywm1z5bmi0h40qyzc1mcfvjk"
+    "sha256": "0sdkfsjxxi5sq0nxjw7g7r1p7711l74r39y5ss12q85q4sla0m7l"
   },
   "airgap-images-arm64": {
-    "url": "https://github.com/k3s-io/k3s/releases/download/v1.30.3%2Bk3s1/k3s-airgap-images-arm64.tar.zst",
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.30.4%2Bk3s1/k3s-airgap-images-arm64.tar.zst",
-    "sha256": "1k2q6rzczajnrkj57p97fdr7lgmrfv7x54by2syngfwb5in8fhd5"
+    "sha256": "1kw85g79rywk6n3wda7ffvjhf030wwj8g3x8n73rgiprvksw4p7j"
   },
   "images-list": {
-    "url": "https://github.com/k3s-io/k3s/releases/download/v1.30.3%2Bk3s1/k3s-images.txt",
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.30.4%2Bk3s1/k3s-images.txt",
-    "sha256": "1my3lfs5rfazcnnpsc9dj84dfnxx88xydrl86z6yw5n5p84x4nif"
+    "sha256": "1f1d33jn4g5b6zmzdzzm4ffwfrmjwh60v9gnph0ysxjwsq1k0pxp"
   }
 }

pkgs/applications/networking/cluster/k3s/1_30/versions.nix

@@ -1,15 +1,15 @@
 {
-  k3sVersion = "1.30.3+k3s1";
+  k3sVersion = "1.30.4+k3s1";
-  k3sCommit = "f646604010affc6a1d3233a8a0870bca46bf80cf";
+  k3sCommit = "98262b5dee29fe5ac849a0cef90b5d50292b020b";
-  k3sRepoSha256 = "1sqa4cx5rihrqcnriq7if7sm4hx73ma975yyr5k9nvhg71dvlig3";
+  k3sRepoSha256 = "1iwg7j0divbh41dx40kz69qkvscvppqb37dqvxayw3ha1yja4sq6";
-  k3sVendorHash = "sha256-HMlYdWDUoELpwsfCtyCxVIcFULdvu5gna83lc79AUWc=";
+  k3sVendorHash = "sha256-EovTZ3DvDqWFR9vxhtjgcZcPXVk1C0PYNCxEV5XA6wg=";
   chartVersions = import ./chart-versions.nix;
   imagesVersions = builtins.fromJSON (builtins.readFile ./images-versions.json);
   k3sRootVersion = "0.14.0";
   k3sRootSha256 = "15cs9faw3jishsb5nhgmb5ldjc47hkwf7hz2126fp8ahf80m0fcl";
   k3sCNIVersion = "1.4.0-k3s2";
   k3sCNISha256 = "17dg6jgjx18nrlyfmkv14dhzxsljz4774zgwz5dchxcf38bvarqa";
-  containerdVersion = "1.7.17-k3s1";
+  containerdVersion = "1.7.20-k3s1";
-  containerdSha256 = "1j61mbgx346ydvnjd8b07wf7nmvvplx28wi5jjdzi1k688r2hxpf";
+  containerdSha256 = "12ihr3z8vcglv5b0v9ris29zkkkdvjbcp3bf7ym71a0xdbg83s8i";
   criCtlVersion = "1.29.0-k3s1";
 }

pkgs/applications/networking/cluster/k3s/1_31/chart-versions.nix

@@ -0,0 +1,10 @@
+{
+  traefik-crd = {
+    url = "https://k3s.io/k3s-charts/assets/traefik-crd/traefik-crd-25.0.3+up25.0.0.tgz";
+    sha256 = "1z693i4kd3jyf26ccnb0sxjyxadipl6k13n7jyg5v4y93fv1rpdw";
+  };
+  traefik = {
+    url = "https://k3s.io/k3s-charts/assets/traefik/traefik-25.0.3+up25.0.0.tgz";
+    sha256 = "1a24qlp7c6iri72ka1i37l1lzn13xibrd26dy295z2wzr55gg7if";
+  };
+}

pkgs/applications/networking/cluster/k3s/1_31/images-versions.json

@@ -0,0 +1,18 @@
+{
+  "airgap-images-amd64": {
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.31.0%2Bk3s1/k3s-airgap-images-amd64.tar.zst",
+    "sha256": "13pakr8nxlbqhqcz40gyjncw4bghk7x7ryb2ynmr5airspqcdrl6"
+  },
+  "airgap-images-arm": {
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.31.0%2Bk3s1/k3s-airgap-images-arm.tar.zst",
+    "sha256": "0vc2v89qy9gbzfbmfrdb0l5yzyprk7yma5ps0yfj60jd9av07qvh"
+  },
+  "airgap-images-arm64": {
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.31.0%2Bk3s1/k3s-airgap-images-arm64.tar.zst",
+    "sha256": "10ffa45pm1scavcd5cimdaw29rlc55c9i40qzh3n3451g1yqlmmk"
+  },
+  "images-list": {
+    "url": "https://github.com/k3s-io/k3s/releases/download/v1.31.0%2Bk3s1/k3s-images.txt",
+    "sha256": "0y4x02fj1iysghq6s88wsiqfpsajrrwrg89m59qk431cii23nrza"
+  }
+}

pkgs/applications/networking/cluster/k3s/1_31/versions.nix

@@ -0,0 +1,15 @@
+{
+  k3sVersion = "1.31.0+k3s1";
+  k3sCommit = "34be6d96d17d8d65fda86272b62b752cb0e9c45e";
+  k3sRepoSha256 = "16yzsx56jmca07jdnzjvy4pcfrvvibv987l1mzdaws1vkm3xqfnw";
+  k3sVendorHash = "sha256-1uYlvGkW6n4aiUVX/2OjppczdobY/fk1ZaK6j3AEwvM=";
+  chartVersions = import ./chart-versions.nix;
+  imagesVersions = builtins.fromJSON (builtins.readFile ./images-versions.json);
+  k3sRootVersion = "0.14.0";
+  k3sRootSha256 = "15cs9faw3jishsb5nhgmb5ldjc47hkwf7hz2126fp8ahf80m0fcl";
+  k3sCNIVersion = "1.4.0-k3s2";
+  k3sCNISha256 = "17dg6jgjx18nrlyfmkv14dhzxsljz4774zgwz5dchxcf38bvarqa";
+  containerdVersion = "1.7.20-k3s1";
+  containerdSha256 = "12ihr3z8vcglv5b0v9ris29zkkkdvjbcp3bf7ym71a0xdbg83s8i";
+  criCtlVersion = "1.31.0-k3s2";
+}

pkgs/applications/networking/cluster/k3s/builder.nix

@@ -211,7 +211,7 @@ let
     sed --quiet '/# --- run the install process --/q;p' ${k3sRepo}/install.sh > install.sh
 
     # Let killall expect "containerd-shim" in the Nix store
-    to_replace="k3s/data/\[\^/\]\*/bin/containerd-shim"
+    to_replace="/data/\[\^/\]\*/bin/containerd-shim"
     replacement="/nix/store/.*k3s-containerd.*/bin/containerd-shim"
     changes=$(sed -i "s|$to_replace|$replacement| w /dev/stdout" install.sh)
     if [ -z "$changes" ]; then

pkgs/applications/networking/cluster/k3s/default.nix

@@ -43,4 +43,14 @@ in
       ];
     }
   ) extraArgs;
+
+  k3s_1_31 = common (
+    (import ./1_31/versions.nix)
+    // {
+      updateScript = [
+        ./update-script.sh
+        "31"
+      ];
+    }
+  ) extraArgs;
 }

pkgs/applications/networking/cluster/k3s/update-script.sh

@@ -107,7 +107,13 @@ CONTAINERD_VERSION=$(grep github.com/containerd/containerd ${FILE_GO_MOD} \
 CONTAINERD_SHA256=$(nix-prefetch-url --quiet --unpack \
     "https://github.com/k3s-io/containerd/archive/refs/tags/v${CONTAINERD_VERSION}.tar.gz")
 
-CRI_CTL_VERSION=$(grep github.com/kubernetes-sigs/cri-tools ${FILE_GO_MOD} \
+# The repository of "cri-tools" changes for 1.31.x, this can likely be removed in future releases
+if [ "$MINOR_VERSION" -gt 30 ]; then
+    CRI_CTL_REPO=sigs.k8s.io
+else
+    CRI_CTL_REPO=github.com/kubernetes-sigs
+fi
+CRI_CTL_VERSION=$(grep "$CRI_CTL_REPO/cri-tools" ${FILE_GO_MOD} \
     | head -n1 | awk '{print $4}' | sed -e 's/"//g' -e 's/^v//')
 
 setKV () {

pkgs/applications/networking/cluster/kubectl-view-allocations/default.nix

@@ -2,7 +2,6 @@
 , stdenv
 , rustPlatform
 , fetchFromGitHub
-, perl
 , Security ? null
 }:
 
@@ -25,7 +24,6 @@ rustPlatform.buildRustPackage rec {
     lockFile = ./Cargo.lock;
   };
 
-  nativeBuildInputs = [ perl ];
   buildInputs = lib.optionals stdenv.isDarwin [ Security ];
 
   meta = with lib; {

pkgs/applications/networking/cluster/kubergrunt/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "kubergrunt";
-  version = "0.15.0";
+  version = "0.16.0";
 
   src = fetchFromGitHub {
     owner = "gruntwork-io";
     repo = "kubergrunt";
     rev = "v${version}";
-    sha256 = "sha256-yN5tpe3ayQPhTlBvxlt7CD6mSURCB4lxGatEK9OThzs=";
+    sha256 = "sha256-FOXnerB6qmUUotWLlTTsR5x0+A0Q9D8PVDTMG8j8b9o=";
   };
 
-  vendorHash = "sha256-VJkqg2cnpYHuEYOv5+spoyRWFAdFWE7YIVYaN9OmIZM=";
+  vendorHash = "sha256-rgU6Yv+gmKShWfpPaWtK2VIBPgFSsPVOnUzIp2+V7oI=";
 
   # Disable tests since it requires network access and relies on the
   # presence of certain AWS infrastructure

pkgs/applications/networking/cluster/kuttl/default.nix

@@ -2,17 +2,17 @@
 
 buildGoModule rec {
   pname = "kuttl";
-  version = "0.18.0";
+  version = "0.19.0";
   cli = "kubectl-kuttl";
 
   src = fetchFromGitHub {
     owner = "kudobuilder";
     repo = "kuttl";
     rev = "v${version}";
-    sha256 = "sha256-wTnBMNgwHqK8PdpEa3RAsVJemnGw/ymn6GJciPFsYrU=";
+    sha256 = "sha256-7fcVmLvRbKYuWuqwqZWlQf08YEyowcTxrp5RteV8qyU=";
   };
 
-  vendorHash = "sha256-RKQM1JxyZA1HwqRjCULY4X3jZK9SgclW55/qXp395cQ=";
+  vendorHash = "sha256-E6gzr9gCLbRaoJU/pYA2cAy0rv5SUVmwf0m34lchF+M=";
 
   subPackages = [ "cmd/kubectl-kuttl" ];
 

pkgs/applications/networking/instant-messengers/element/element-desktop.nix

@@ -30,7 +30,7 @@ stdenv.mkDerivation (finalAttrs: builtins.removeAttrs pinData [ "hashes" ] // {
   pname = "element-desktop";
   name = "${finalAttrs.pname}-${finalAttrs.version}";
   src = fetchFromGitHub {
-    owner = "vector-im";
+    owner = "element-hq";
     repo = "element-desktop";
     rev = "v${finalAttrs.version}";
     hash = desktopSrcHash;
@@ -112,7 +112,7 @@ stdenv.mkDerivation (finalAttrs: builtins.removeAttrs pinData [ "hashes" ] // {
   '';
 
   # The desktop item properties should be kept in sync with data from upstream:
-  # https://github.com/vector-im/element-desktop/blob/develop/package.json
+  # https://github.com/element-hq/element-desktop/blob/develop/package.json
   desktopItem = makeDesktopItem {
     name = "element-desktop";
     exec = "${executableName} %u";
@@ -147,7 +147,7 @@ stdenv.mkDerivation (finalAttrs: builtins.removeAttrs pinData [ "hashes" ] // {
   meta = with lib; {
     description = "A feature-rich client for Matrix.org";
     homepage = "https://element.io/";
-    changelog = "https://github.com/vector-im/element-desktop/blob/v${finalAttrs.version}/CHANGELOG.md";
+    changelog = "https://github.com/element-hq/element-desktop/blob/v${finalAttrs.version}/CHANGELOG.md";
     license = licenses.asl20;
     maintainers = teams.matrix.members;
     inherit (electron.meta) platforms;

pkgs/applications/networking/instant-messengers/element/element-web.nix

@@ -20,7 +20,7 @@ stdenv.mkDerivation (finalAttrs: builtins.removeAttrs pinData [ "hashes" ] // {
   pname = "element-web";
 
   src = fetchFromGitHub {
-    owner = "vector-im";
+    owner = "element-hq";
     repo = "element-web";
     rev = "v${finalAttrs.version}";
     hash = webSrcHash;
@@ -51,7 +51,7 @@ stdenv.mkDerivation (finalAttrs: builtins.removeAttrs pinData [ "hashes" ] // {
     # with the update of openssl3, some key ciphers are not supported anymore
     # this flag will allow those codecs again as a workaround
     # see https://medium.com/the-node-js-collection/node-js-17-is-here-8dba1e14e382#5f07
-    # and https://github.com/vector-im/element-web/issues/21043
+    # and https://github.com/element-hq/element-web/issues/21043
     export NODE_OPTIONS=--openssl-legacy-provider
     mkdir -p $HOME
 
@@ -77,7 +77,7 @@ stdenv.mkDerivation (finalAttrs: builtins.removeAttrs pinData [ "hashes" ] // {
   meta = {
     description = "Glossy Matrix collaboration client for the web";
     homepage = "https://element.io/";
-    changelog = "https://github.com/vector-im/element-web/blob/v${finalAttrs.version}/CHANGELOG.md";
+    changelog = "https://github.com/element-hq/element-web/blob/v${finalAttrs.version}/CHANGELOG.md";
     maintainers = lib.teams.matrix.members;
     license = lib.licenses.asl20;
     platforms = lib.platforms.all;

pkgs/applications/networking/instant-messengers/element/update.sh

@@ -12,15 +12,15 @@ version="$1"
 set -euo pipefail
 
 if [ -z "$version" ]; then
-  version="$(wget -q -O- "https://api.github.com/repos/vector-im/element-desktop/releases?per_page=1" | jq -r '.[0].tag_name')"
+  version="$(wget -q -O- "https://api.github.com/repos/element-hq/element-desktop/releases?per_page=1" | jq -r '.[0].tag_name')"
 fi
 
 # strip leading "v"
 version="${version#v}"
 
 # Element Web
-web_src="https://raw.githubusercontent.com/vector-im/element-web/v$version"
+web_src="https://raw.githubusercontent.com/element-hq/element-web/v$version"
-web_src_hash=$(nix-prefetch-github vector-im element-web --rev v${version} | jq -r .hash)
+web_src_hash=$(nix-prefetch-github element-hq element-web --rev v${version} | jq -r .hash)
 
 web_tmpdir=$(mktemp -d)
 trap 'rm -rf "$web_tmpdir"' EXIT
@@ -31,8 +31,8 @@ web_yarn_hash=$(prefetch-yarn-deps yarn.lock)
 popd
 
 # Element Desktop
-desktop_src="https://raw.githubusercontent.com/vector-im/element-desktop/v$version"
+desktop_src="https://raw.githubusercontent.com/element-hq/element-desktop/v$version"
-desktop_src_hash=$(nix-prefetch-github vector-im element-desktop --rev v${version} | jq -r .hash)
+desktop_src_hash=$(nix-prefetch-github element-hq element-desktop --rev v${version} | jq -r .hash)
 
 desktop_tmpdir=$(mktemp -d)
 trap 'rm -rf "$desktop_tmpdir"' EXIT

pkgs/applications/networking/instant-messengers/hydrogen-web/unwrapped.nix

@@ -12,7 +12,7 @@ stdenv.mkDerivation (finalAttrs: {
   version = "0.4.0";
 
   src = fetchFromGitHub {
-    owner = "vector-im";
+    owner = "element-hq";
     repo = "hydrogen-web";
     rev = "v${finalAttrs.version}";
     hash = "sha256-u8Yex3r7EZH+JztQHJbfncYeyyl6hgb1ZNFIg//wcb0=";
@@ -57,7 +57,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   meta = {
     description = "Lightweight matrix client with legacy and mobile browser support";
-    homepage = "https://github.com/vector-im/hydrogen-web";
+    homepage = "https://github.com/element-hq/hydrogen-web";
     maintainers = lib.teams.matrix.members;
     license = lib.licenses.asl20;
     platforms = lib.platforms.all;

pkgs/applications/networking/xpipe/default.nix

@@ -33,14 +33,14 @@ let
   }.${system} or throwSystem;
 
   hash = {
-    x86_64-linux = "sha256-l67oq9Jj2mmxcLsEMI4t+85cKD65xxMNkTNJrrRrwJQ=";
+    x86_64-linux = "sha256-DoN6I1lk4WpOZ+jC+od7jum3lxBHFppea5QFTuqY5nk=";
   }.${system} or throwSystem;
 
   displayname = "XPipe";
 
 in stdenvNoCC.mkDerivation rec {
   pname = "xpipe";
-  version = "11.0";
+  version = "11.1";
 
   src = fetchzip {
     url = "https://github.com/xpipe-io/xpipe/releases/download/${version}/xpipe-portable-linux-${arch}.tar.gz";

pkgs/applications/office/appflowy/default.nix

@@ -17,11 +17,11 @@ let
     rec {
       x86_64-linux = {
         urlSuffix = "linux-x86_64.tar.gz";
-        hash = "sha256-2v7LF53UmVxFzoNHwv+B2zN7I6pSP66x32OplcIR7Fk=";
+        hash = "sha256-sQ3dxwPWHLUoWgnR9+oHaFoDzXxtwKRiBvz2wkFB01g=";
       };
       x86_64-darwin = {
         urlSuffix = "macos-universal.zip";
-        hash = "sha256-73Do2Jhso6GJsyDiSz3ACN8pEmZbuPNW3vjW3BFLhY4=";
+        hash = "sha256-4bU/qecZBrTr34SZAjDDgwpXAAHDITz6lV6mJGjElko=";
       };
       aarch64-darwin = x86_64-darwin;
     }
@@ -29,7 +29,7 @@ let
 in
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "appflowy";
-  version = "0.6.6";
+  version = "0.6.8";
 
   src = fetchzip {
     url = "https://github.com/AppFlowy-IO/appflowy/releases/download/${finalAttrs.version}/AppFlowy-${finalAttrs.version}-${dist.urlSuffix}";

pkgs/applications/science/robotics/qgroundcontrol/default.nix

@@ -4,7 +4,7 @@
 
 stdenv.mkDerivation rec {
   pname = "qgroundcontrol";
-  version = "4.4.1";
+  version = "4.4.2";
 
   propagatedBuildInputs = [
     qtbase qtcharts qtlocation qtserialport qtsvg qtquickcontrols2
@@ -67,7 +67,7 @@ stdenv.mkDerivation rec {
     owner = "mavlink";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-FdF9QQYCF7HbmjvUQgV6HytJo2Aje2OEDPO2GSl1dqE=";
+    hash = "sha256-2Bc4uC/2e+PTsvFZ4RjnTzkOiBO9vsYHeLPkcwpDRrg=";
     fetchSubmodules = true;
   };
 

pkgs/applications/system/qjournalctl/default.nix

@@ -40,6 +40,6 @@ stdenv.mkDerivation rec {
     homepage = "https://github.com/pentix/qjournalctl";
     license = licenses.gpl3Only;
     platforms = platforms.all;
-    maintainers = with maintainers; [ srgom romildo ];
+    maintainers = with maintainers; [ romildo ];
   };
 }

pkgs/applications/version-management/sublime-merge/default.nix

@@ -11,9 +11,9 @@ in
   } { };
 
   sublime-merge-dev = common {
-    buildVersion = "2095";
+    buildVersion = "2099";
     dev = true;
-    aarch64sha256 = "FmXz8VAWS7e0bB9NeXbihnhdhWMyNJJs6PNt+K2G0Bk=";
+    aarch64sha256 = "6rfUwzSBCJ3CRrL5E4+wBQ3FuB3PaAUCwh5pDtAbNKE=";
-    x64sha256 = "83Hw27RgGPgugpf4eMuWT6/MSQ2Q2VBCbaXoSGFtTPI=";
+    x64sha256 = "qIXDlsdaxY8wvky/ClwhZykZTVrUShsV56utb6BRCWQ=";
   } { };
 }

pkgs/by-name/ag/age-plugin-fido2-hmac/package.nix

@@ -1,10 +1,27 @@
-{ lib
+{
-, buildGoModule
+  lib,
-, fetchFromGitHub
+  buildGoModule,
-, libfido2
+  fetchFromGitHub,
-, stdenv
+  stdenv,
+  libfido2,
+  openssl,
+  libcbor
 }:
+let
+  darwin_arch = if stdenv.hostPlatform.system == "aarch64-darwin" then "arm64" else "amd64";
+  darwin_configure = ''
+    chmod -R +w vendor/github.com/keys-pub/go-libfido2
+    cat << EOF > vendor/github.com/keys-pub/go-libfido2/fido2_static_${darwin_arch}.go
+    package libfido2
 
+    /*
+    #cgo darwin LDFLAGS: -framework CoreFoundation -framework IOKit -L${lib.getLib openssl}/lib -L${lib.getLib libcbor}/lib -lfido2
+    #cgo darwin CFLAGS: -I${libfido2.dev}/include -I${openssl.dev}/include
+    */
+    import "C"
+    EOF
+  '';
+in
 buildGoModule rec {
   pname = "age-plugin-fido2-hmac";
   version = "0.2.3";
@@ -18,11 +35,11 @@ buildGoModule rec {
 
   vendorHash = "sha256-h4/tyq9oZt41IfRJmmsLHUpJiPJ7YuFu59ccM7jHsFo=";
 
-  ldflags = [ "-s" "-w" ];
+  ldflags = [ "-s" "-w" "-X main.version=v${version}" ];
 
-  buildInputs = [
+  buildInputs = [ libfido2 ];
-    libfido2
+
-  ];
+  postConfigure = lib.optional stdenv.isDarwin darwin_configure;
 
   meta = with lib; {
     description = "Age plugin to encrypt files with fido2 tokens using the hmac-secret extension and non-discoverable credentials";
@@ -30,6 +47,5 @@ buildGoModule rec {
     license = licenses.mit;
     maintainers = with maintainers; [ matthewcroughan ];
     mainProgram = "age-plugin-fido2-hmac";
-    broken = stdenv.isDarwin;
   };
 }

pkgs/by-name/an/anytype/package.nix

@@ -2,11 +2,11 @@
 
 let
   pname = "anytype";
-  version = "0.42.5";
+  version = "0.42.6";
   name = "Anytype-${version}";
   src = fetchurl {
     url = "https://github.com/anyproto/anytype-ts/releases/download/v${version}/${name}.AppImage";
-    hash = "sha256-43g/CdmmQTSxk7OTZMPIiWIYJjCG2zJNM9kaAq1jOqE=";
+    hash = "sha256-ubYk3CsdaUW4AtMYskmFunznUAVcBdbJh4dyGgSs1Io=";
   };
   appimageContents = appimageTools.extractType2 { inherit pname version src; };
 in appimageTools.wrapType2 {

pkgs/by-name/at/atlauncher/package.nix

@@ -21,13 +21,13 @@
 
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "atlauncher";
-  version = "3.4.36.10";
+  version = "3.4.37.2";
 
   src = fetchFromGitHub {
     owner = "ATLauncher";
     repo = "ATLauncher";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-EMV/M5W/acJaQJsi4COoRQC2YVfuJG9HGcwvGfakoNo=";
+    hash = "sha256-1sIzQBJWbkGk8VrZdRi3eIHBAfiu90lodEZVouZNzVM=";
   };
 
   postPatch = ''

pkgs/by-name/ci/civo/package.nix

@@ -7,16 +7,16 @@
 
 buildGoModule rec {
   pname = "civo";
-  version = "1.0.89";
+  version = "1.0.90";
 
   src = fetchFromGitHub {
     owner = "civo";
     repo = "cli";
     rev = "v${version}";
-    sha256 = "sha256-hX/tmeQYcTDs3JZSFhvzCrcbqvfa78MXtTo8VcuAqxY=";
+    sha256 = "sha256-2UWEQZRbtPArYK7Kr0eHtF8+XWXl06v86nAb8nka50g=";
   };
 
-  vendorHash = "sha256-bwmJnKxdvVskrrTCa0cdpiYeFVZWTYyaFNEbeymT7P0=";
+  vendorHash = "sha256-ZnomzHbsNKWwAsRjOjESKSdR+KgSiMMlG0xq33qpzX0=";
 
   nativeBuildInputs = [ installShellFiles ];
 

pkgs/by-name/fa/fast-float/package.nix

@@ -7,13 +7,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "fast-float";
-  version = "6.1.4";
+  version = "6.1.5";
 
   src = fetchFromGitHub {
     owner = "fastfloat";
     repo = "fast_float";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-0eVovauN7SnO3nSIWBRWAJ4dR7q5beZrIGUZ18M2pao=";
+    hash = "sha256-tFHrvwZKZkNkJM5VEpWRPD+yDMH1seuNDR/Rd9pCqBg=";
   };
 
   nativeBuildInputs = [ cmake ];

pkgs/by-name/la/lazysql/package.nix

@@ -8,13 +8,13 @@
 
 buildGoModule rec {
   pname = "lazysql";
-  version = "0.2.5";
+  version = "0.2.9";
 
   src = fetchFromGitHub {
     owner = "jorgerojas26";
     repo = "lazysql";
     rev = "v${version}";
-    hash = "sha256-QzvaQMSr0PjeAGJr5ThAQ/U0dRMa17E5hiPnc2ViUNo=";
+    hash = "sha256-6aJrLkmebOhLrnVhl9cnbW1ZBt0vq8lR7Lhz9nPFr8Q=";
   };
 
   vendorHash = "sha256-celee8uyoirX+vtAww2iQJtRwJEHyfHL2mZA2muSRiQ=";

pkgs/by-name/le/leetgo/package.nix

@@ -6,16 +6,16 @@
 
 buildGoModule rec {
   pname = "leetgo";
-  version = "1.4.8";
+  version = "1.4.9";
 
   src = fetchFromGitHub {
     owner = "j178";
     repo = "leetgo";
     rev = "v${version}";
-    hash = "sha256-4Y/NwgLNBdd2uL7oiIdM1I08ZnLjreHf397s/vhS+Ac=";
+    hash = "sha256-FlQYTNz1Fh0igwnufjVXN4bsUYBB1kls19D+/v7Ztps=";
   };
 
-  vendorHash = "sha256-zpS+6Z31m6g67we4JaQ0sPodqC315lgftqGzZkelDCU=";
+  vendorHash = "sha256-DdAe9yyusA6Ac8ioKqLiM5lcOt9Xy7F77gMG6yBTl7Q=";
 
   nativeBuildInputs = [ installShellFiles ];
 

pkgs/by-name/si/sink-rotate/package.nix

@@ -21,7 +21,7 @@ rustPlatform.buildRustPackage {
 
   cargoHash = "sha256-MPeyPTkxpi6iw/BT5m4S7jVBD0c2zG2rsv+UZWQxpUU=";
 
-  buildInputs = [ makeWrapper ];
+  nativeBuildInputs = [ makeWrapper ];
 
   postFixup = ''
     wrapProgram $out/bin/sink-rotate \

pkgs/by-name/un/unrar-free/package.nix

@@ -34,7 +34,7 @@ stdenv.mkDerivation (finalAttrs: {
     '';
     homepage = "https://gitlab.com/bgermann/unrar-free";
     license = lib.licenses.gpl2Plus;
-    mainProgram = "unrar";
+    mainProgram = "unrar-free";
     maintainers = with lib.maintainers; [ thiagokokada ];
     platforms = lib.platforms.unix;
     broken = stdenv.isDarwin;

pkgs/by-name/vc/vcpkg/package.nix

@@ -8,13 +8,13 @@
 
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "vcpkg";
-  version = "2024.07.12";
+  version = "2024.08.23";
 
   src = fetchFromGitHub {
     owner = "microsoft";
     repo = "vcpkg";
     rev = finalAttrs.version;
-    hash = "sha256-WE+BeF9BYR9/Gmi60g6ApXsWQ2vch2N6XhH1A9HAHsc=";
+    hash = "sha256-cJOy7DG5Ea5cpnHvUiv70FV2ULrevs64Bu5eBJi9BLs=";
     leaveDotGit = true;
     postFetch = ''
       cd "$out"

pkgs/by-name/vp/vpsfree-client/Gemfile

@@ -2,4 +2,4 @@
 
 source "https://rubygems.org"
 
-gem "vpsfree-client", "0.18.0"
+gem "vpsfree-client"

pkgs/by-name/vp/vpsfree-client/Gemfile.lock

@@ -1,45 +1,48 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.1.3.2)
+    activesupport (7.2.1)
       base64
       bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+      concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
       minitest (>= 5.1)
-      mutex_m
+      securerandom (>= 0.3)
-      tzinfo (~> 2.0)
+      tzinfo (~> 2.0, >= 2.0.5)
     base64 (0.2.0)
-    bigdecimal (3.1.6)
+    bigdecimal (3.1.8)
-    concurrent-ruby (1.2.3)
+    concurrent-ruby (1.3.4)
     connection_pool (2.4.1)
-    curses (1.4.4)
+    curses (1.4.6)
     domain_name (0.6.20240107)
     drb (2.2.1)
-    haveapi-client (0.19.3)
+    haveapi-client (0.23.7)
       activesupport (>= 7.0)
-      highline (~> 2.1.0)
+      highline (~> 3.1)
       json
       require_all (~> 2.0.0)
       rest-client (~> 2.1.0)
       ruby-progressbar (~> 1.13.0)
-    highline (2.1.0)
+    highline (3.1.1)
+      reline
     http-accept (1.7.0)
-    http-cookie (1.0.5)
+    http-cookie (1.0.7)
       domain_name (~> 0.5)
-    i18n (1.14.3)
+    i18n (1.14.5)
       concurrent-ruby (~> 1.0)
-      racc (~> 1.7)
+    io-console (0.7.2)
-    json (2.7.1)
+    json (2.7.2)
+    logger (1.6.1)
     mime-types (3.5.2)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2024.0305)
+    mime-types-data (3.2024.0903)
-    minitest (5.22.2)
+    minitest (5.25.1)
-    mutex_m (0.2.0)
     netrc (0.11.0)
-    racc (1.7.3)
+    reline (0.5.10)
+      io-console (~> 0.5)
     require_all (2.0.0)
     rest-client (2.1.0)
       http-accept (>= 1.7.0, < 2.0)
@@ -47,20 +50,21 @@ GEM
       mime-types (>= 1.16, < 4.0)
       netrc (~> 0.8)
     ruby-progressbar (1.13.0)
+    securerandom (0.3.1)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    vpsadmin-client (3.0.0.master.20231229.pre.0.51d41b07)
+    vpsadmin-client (4.0.0)
       curses
-      haveapi-client (~> 0.19.0)
+      haveapi-client (~> 0.23.6)
       json
-    vpsfree-client (0.18.0)
+    vpsfree-client (0.19.0)
-      vpsadmin-client (= 3.0.0.master.20231229.pre.0.51d41b07)
+      vpsadmin-client (~> 4.0)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  vpsfree-client (= 0.18.0)
+  vpsfree-client
 
 BUNDLED WITH
-   2.4.22
+   2.5.9

pkgs/by-name/vp/vpsfree-client/gemset.nix

@@ -1,14 +1,14 @@
 {
   activesupport = {
-    dependencies = ["base64" "bigdecimal" "concurrent-ruby" "connection_pool" "drb" "i18n" "minitest" "mutex_m" "tzinfo"];
+    dependencies = ["base64" "bigdecimal" "concurrent-ruby" "connection_pool" "drb" "i18n" "logger" "minitest" "securerandom" "tzinfo"];
     groups = ["default"];
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "0blbbf2x7dn7ar4g9aij403582zb6zscbj48bz63lvaamsvlb15d";
+      sha256 = "094cv9kxa8hwlsw3c0njkvvayd0wszcz9b6xywv4yajrg83zlmvm";
       type = "gem";
     };
-    version = "7.1.3.2";
+    version = "7.2.1";
   };
   base64 = {
     groups = ["default"];
@@ -25,20 +25,20 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "00db5v09k1z3539g1zrk7vkjrln9967k08adh6qx33ng97a2gg5w";
+      sha256 = "1gi7zqgmqwi5lizggs1jhc3zlwaqayy9rx2ah80sxy24bbnng558";
       type = "gem";
     };
-    version = "3.1.6";
+    version = "3.1.8";
   };
   concurrent-ruby = {
     groups = ["default"];
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "1qh1b14jwbbj242klkyz5fc7npd4j0mvndz62gajhvl1l3wd7zc2";
+      sha256 = "0chwfdq2a6kbj6xz9l6zrdfnyghnh32si82la1dnpa5h75ir5anl";
       type = "gem";
     };
-    version = "1.2.3";
+    version = "1.3.4";
   };
   connection_pool = {
     groups = ["default"];
@@ -55,10 +55,10 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "00y9g79lzfffxarj3rmhnkblsnyx7izx91mh8c1sdcs9y2pdfq53";
+      sha256 = "15pj04v9m06lj7xcq5xjk6b0nqfpq3kiaisjmh2pysmi6nvsg9ly";
       type = "gem";
     };
-    version = "1.4.4";
+    version = "1.4.6";
   };
   domain_name = {
     groups = ["default"];
@@ -86,20 +86,21 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "0yjcf6yf90sqjsywlcxzfrfrl835ndw96x6bh4grvc75zbb5ijki";
+      sha256 = "1a6k0milq4rfybf1pc8gzikpr18dmnzpz1wi2avzdkp0dpqkvaw3";
       type = "gem";
     };
-    version = "0.19.3";
+    version = "0.23.7";
   };
   highline = {
+    dependencies = ["reline"];
     groups = ["default"];
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "1f8cr014j7mdqpdb9q17fp5vb5b8n1pswqaif91s3ylg5x3pygfn";
+      sha256 = "1q0f7izfi542sp93gl276spm0xyws1kpqxm0alrwwmz06mz4i0ks";
       type = "gem";
     };
-    version = "2.1.0";
+    version = "3.1.1";
   };
   http-accept = {
     groups = ["default"];
@@ -117,31 +118,51 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "13rilvlv8kwbzqfb644qp6hrbsj82cbqmnzcvqip1p6vqx36sxbk";
+      sha256 = "0lr2yk5g5vvf9nzlmkn3p7mhh9mn55gpdc7kl2w21xs46fgkjynb";
       type = "gem";
     };
-    version = "1.0.5";
+    version = "1.0.7";
   };
   i18n = {
-    dependencies = ["concurrent-ruby" "racc"];
+    dependencies = ["concurrent-ruby"];
     groups = ["default"];
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "1j9zl6ssshkdjdn21lckdhsfkkw1n4wcynqp8n67afa5qps2gmds";
+      sha256 = "1ffix518y7976qih9k1lgnc17i3v6yrlh0a3mckpxdb4wc2vrp16";
       type = "gem";
     };
-    version = "1.14.3";
+    version = "1.14.5";
+  };
+  io-console = {
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "08d2lx42pa8jjav0lcjbzfzmw61b8imxr9041pva8xzqabrczp7h";
+      type = "gem";
+    };
+    version = "0.7.2";
   };
   json = {
     groups = ["default"];
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "0r9jmjhg2ly3l736flk7r2al47b5c8cayh0gqkq0yhjqzc9a6zhq";
+      sha256 = "0b4qsi8gay7ncmigr0pnbxyb17y3h8kavdyhsh7nrlqwr35vb60q";
       type = "gem";
     };
-    version = "2.7.1";
+    version = "2.7.2";
+  };
+  logger = {
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "0lwncq2rf8gm79g2rcnnyzs26ma1f4wnfjm6gs4zf2wlsdz5in9s";
+      type = "gem";
+    };
+    version = "1.6.1";
   };
   mime-types = {
     dependencies = ["mime-types-data"];
@@ -159,30 +180,20 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "00x7w5xqsj9m33v3vkmy23wipkkysafksib53ypzn27p5g81w455";
+      sha256 = "0d5bmxcq87nj6h5rx6b1fkdzq8256yba97s2vlkszpwhc47m9rfs";
       type = "gem";
     };
-    version = "3.2024.0305";
+    version = "3.2024.0903";
   };
   minitest = {
     groups = ["default"];
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "0667vf0zglacry87nkcl3ns8421aydvz71vfa3g3yjhiq8zh19f5";
+      sha256 = "1n1akmc6bibkbxkzm1p1wmfb4n9vv397knkgz0ffykb3h1d7kdix";
       type = "gem";
     };
-    version = "5.22.2";
+    version = "5.25.1";
-  };
-  mutex_m = {
-    groups = ["default"];
-    platforms = [];
-    source = {
-      remotes = ["https://rubygems.org"];
-      sha256 = "1ma093ayps1m92q845hmpk0dmadicvifkbf05rpq9pifhin0rvxn";
-      type = "gem";
-    };
-    version = "0.2.0";
   };
   netrc = {
     groups = ["default"];
@@ -194,15 +205,16 @@
     };
     version = "0.11.0";
   };
-  racc = {
+  reline = {
+    dependencies = ["io-console"];
     groups = ["default"];
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "01b9662zd2x9bp4rdjfid07h09zxj7kvn7f5fghbqhzc625ap1dp";
+      sha256 = "0rl1jmxs7pay58l7lkxkrn6nkdpk52k8rvnfwqsd1swjlxlwjq0n";
       type = "gem";
     };
-    version = "1.7.3";
+    version = "0.5.10";
   };
   require_all = {
     groups = ["default"];
@@ -235,6 +247,16 @@
     };
     version = "1.13.0";
   };
+  securerandom = {
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "1phv6kh417vkanhssbjr960c0gfqvf8z7d3d9fd2yvd41q64bw4q";
+      type = "gem";
+    };
+    version = "0.3.1";
+  };
   tzinfo = {
     dependencies = ["concurrent-ruby"];
     groups = ["default"];
@@ -252,10 +274,10 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "0d1bdyda8l42x8csf4ri2cqcr3xf6pcnv7s1k859rb8ysj7y8aqx";
+      sha256 = "1qy0l0gyhsyz9hdbqdb324l4zlgs78hml1cnp3gx1jl5ndj62znc";
       type = "gem";
     };
-    version = "3.0.0.master.20231229.pre.0.51d41b07";
+    version = "4.0.0";
   };
   vpsfree-client = {
     dependencies = ["vpsadmin-client"];
@@ -263,9 +285,9 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "038a57avnp4wmfqdya5a6r4a135nh6crzs6nf0khnhdhb9kkjfjg";
+      sha256 = "0cl6r20r7hksd3g6sjqrgi9x21ykbvv170vszf2l06a8ifrrqlk7";
       type = "gem";
     };
-    version = "0.18.0";
+    version = "0.19.0";
   };
 }

pkgs/by-name/vs/vsce/package.nix

@@ -12,16 +12,16 @@
 
 buildNpmPackage rec {
   pname = "vsce";
-  version = "3.0.0";
+  version = "3.1.0";
 
   src = fetchFromGitHub {
     owner = "microsoft";
     repo = "vscode-vsce";
     rev = "v${version}";
-    hash = "sha256-FoJfpzrbui+tKCEq15wGC0o44iLCBAuVYBISiy+zOmE=";
+    hash = "sha256-k2jeYeDLpSVw3puiOqlrtQ1a156OV1Er/TqdJuJ+578=";
   };
 
-  npmDepsHash = "sha256-TTFolysg+La605EoS87gmhEjlzwNUVYmnXKr49De7fk=";
+  npmDepsHash = "sha256-k6LdGCpVoBNpHe4z7NrS0T/gcB1EQBvBxGAM3zo+AAo=";
 
   postPatch = ''
     substituteInPlace package.json --replace '"version": "0.0.0"' '"version": "${version}"'

pkgs/by-name/we/weblate/package.nix

@@ -28,7 +28,7 @@ let
 in
 python.pkgs.buildPythonApplication rec {
   pname = "weblate";
-  version = "5.7.1";
+  version = "5.7.2";
 
   pyproject = true;
 
@@ -41,7 +41,7 @@ python.pkgs.buildPythonApplication rec {
     owner = "WeblateOrg";
     repo = "weblate";
     rev = "refs/tags/weblate-${version}";
-    hash = "sha256-h5+0lOMD+H0ehtZ0bngA9bI5va1I5KjZH9boaEtXJPo=";
+    hash = "sha256-cIwCNYXbg7l6z9OAkMAGJ783QI/nCOyrhLPURDcDv+Y=";
   };
 
   patches = [

pkgs/by-name/wi/wine-discord-ipc-bridge/package.nix

@@ -0,0 +1,38 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+}:
+
+stdenv.mkDerivation {
+  pname = "wine-discord-ipc-bridge";
+  version = "unstable-2023-08-09";
+
+  src = fetchFromGitHub {
+    owner = "0e4ef622";
+    repo = "wine-discord-ipc-bridge";
+    rev = "f8198c9d52e708143301017a296f7557c4387127";
+    hash = "sha256-tAknITFlG63+gI5cN9SfUIUZkbIq/MgOPoGIcvoNo4Q=";
+  };
+
+  postPatch = ''
+    patchShebangs winediscordipcbridge-steam.sh
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/bin
+    cp winediscordipcbridge.exe $out/bin
+    cp winediscordipcbridge-steam.sh $out/bin
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Enable games running under wine to use Discord Rich Presence";
+    homepage = "https://github.com/0e4ef622/wine-discord-ipc-bridge";
+    license = licenses.mit;
+    maintainers = [ maintainers.uku3lig ];
+    mainProgram = "winediscordipcbridge";
+    platforms = [ "mingw32" ];
+  };
+}

pkgs/by-name/ya/yarg/package.nix

@@ -0,0 +1,126 @@
+{
+  lib,
+  stdenv,
+  fetchzip,
+  autoPatchelfHook,
+  alsa-lib,
+  gtk3,
+  zlib,
+  dbus,
+  hidapi,
+  libGL,
+  libXcursor,
+  libXext,
+  libXi,
+  libXinerama,
+  libxkbcommon,
+  libXrandr,
+  libXScrnSaver,
+  libXxf86vm,
+  udev,
+  vulkan-loader,
+  wayland, # (not used by default, enable with SDL_VIDEODRIVER=wayland - doesn't support HiDPI)
+  makeDesktopItem,
+  nix-update-script,
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "yarg";
+  version = "0.12.6";
+
+  src = fetchzip {
+    url = "https://github.com/YARC-Official/YARG/releases/download/v${finalAttrs.version}/YARG_v${finalAttrs.version}-Linux-x86_64.zip";
+    stripRoot = false;
+    hash = "sha256-Za+CnuSTfJZVdW0pWvGDnKcbhZsgtNPRWYj1qOA8+Zs=";
+  };
+
+  nativeBuildInputs = [ autoPatchelfHook ];
+
+  buildInputs = [
+    # Load-time libraries (loaded from DT_NEEDED section in ELF binary)
+    alsa-lib
+    gtk3
+    stdenv.cc.cc.lib
+    zlib
+
+    # Run-time libraries (loaded with dlopen)
+    dbus
+    hidapi
+    libGL
+    libXcursor
+    libXext
+    libXi
+    libXinerama
+    libxkbcommon
+    libXrandr
+    libXScrnSaver
+    libXxf86vm
+    udev
+    vulkan-loader
+    wayland
+  ];
+
+  desktopItem = makeDesktopItem {
+    name = "yarg";
+    desktopName = "YARG";
+    comment = finalAttrs.meta.description;
+    icon = "yarg";
+    exec = "yarg";
+    categories = [ "Game" ];
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    install -Dm755 YARG "$out/bin/yarg"
+    install -Dm644 UnityPlayer.so "$out/libexec/yarg/UnityPlayer.so"
+
+    mkdir -p "$out/share/pixmaps"
+    cp -r YARG_Data "$out/share/yarg"
+    ln -s "$out/share/yarg" "$out/bin/yarg_Data"
+    ln -s "$out/share/yarg/Resources/UnityPlayer.png" "$out/share/pixmaps/yarg.png"
+    install -Dm644 "$desktopItem/share/applications/yarg.desktop" "$out/share/applications/yarg.desktop"
+
+    runHook postInstall
+  '';
+
+  # Patch required run-time libraries as load-time libraries
+  #
+  # Libraries found with:
+  # > strings UnityPlayer.so | grep '\.so'
+  # and:
+  # > LD_DEBUG=libs yarg
+  postFixup = ''
+    patchelf \
+      --add-needed libasound.so.2 \
+      --add-needed libdbus-1.so.3 \
+      --add-needed libGL.so.1 \
+      --add-needed libhidapi-hidraw.so.0 \
+      --add-needed libpthread.so.0 \
+      --add-needed libudev.so.1 \
+      --add-needed libvulkan.so.1 \
+      --add-needed libwayland-client.so.0 \
+      --add-needed libwayland-cursor.so.0 \
+      --add-needed libwayland-egl.so.1 \
+      --add-needed libX11.so.6 \
+      --add-needed libXcursor.so.1 \
+      --add-needed libXext.so.6 \
+      --add-needed libXi.so.6 \
+      --add-needed libXinerama.so.1 \
+      --add-needed libxkbcommon.so.0 \
+      --add-needed libXrandr.so.2 \
+      --add-needed libXss.so.1 \
+      --add-needed libXxf86vm.so.1 \
+      "$out/libexec/yarg/UnityPlayer.so"
+  '';
+
+  passthru.updateScript = nix-update-script { };
+
+  meta = with lib; {
+    description = "Free, open-source, plastic guitar game";
+    homepage = "https://yarg.in";
+    license = licenses.lgpl3Plus;
+    maintainers = with maintainers; [ kira-bruneau ];
+    platforms = [ "x86_64-linux" ];
+  };
+})

pkgs/development/compilers/idris2/idris2-lsp.nix

@@ -35,7 +35,7 @@ let
     };
     idrisLibraries = [idris2Api lspLib];
 
-    buildInputs = [makeWrapper];
+    nativeBuildInputs = [ makeWrapper ];
     postInstall = ''
       wrapProgram $out/bin/idris2-lsp \
         --suffix IDRIS2_PACKAGE_PATH ':' "${globalLibrariesPath}"

pkgs/development/lisp-modules/packages.nix

@@ -104,7 +104,6 @@ let
     nativeBuildInputs = [ pkgs.allegro5 ];
     nativeLibs = [ pkgs.allegro5 ];
     lispLibs = super.cl-liballegro-nuklear.lispLibs ++ [ self.cl-liballegro ];
-    patches = [ ./patches/cl-liballegro-nuklear-missing-dll.patch ];
   };
 
   lessp = build-asdf-system {

pkgs/development/lisp-modules/patches/cl-liballegro-nuklear-missing-dll.patch

@@ -1,17 +0,0 @@
-Fix system not loading due to:
-
-Unhandled CFFI:LOAD-FOREIGN-LIBRARY-ERROR 
-  Unable to load foreign library (LIBALLEGRO-NUKLEAR).
-  Error opening shared object "/build/source/src/liballegro_nuklear.so":
-  /build/source/src/liballegro_nuklear.so: undefined symbol: al_draw_ellipse.
---- a/cl-liballegro-nuklear.asd
-+++ b/cl-liballegro-nuklear.asd
-@@ -12,7 +12,7 @@
-   :description "CFFI wrapper for the Nuklear IM GUI library with liballegro backend, to be used with cl-liballegro."
-   :author "Andrew Kravchuk <awkravchuk@gmail.com>"
-   :license "MIT"
--  :depends-on (:cffi :cffi-libffi :trivial-features)
-+  :depends-on (:cl-liballegro :cffi :cffi-libffi :trivial-features)
-   :pathname "src"
-   :serial t
-   :components ((:makefile "Makefile")

pkgs/development/python-modules/ansible-runner/default.nix

@@ -35,7 +35,7 @@ buildPythonPackage rec {
 
   postPatch = ''
     substituteInPlace pyproject.toml \
-      --replace '"setuptools>=45, <=69.0.2", "setuptools-scm[toml]>=6.2, <=8.0.4"' '"setuptools", "setuptools-scm"'
+      --replace-fail '"setuptools>=45, <=69.0.2", "setuptools-scm[toml]>=6.2, <=8.0.4"' '"setuptools", "setuptools-scm"'
   '';
 
   build-system = [
@@ -69,13 +69,18 @@ buildPythonPackage rec {
   '';
 
   disabledTests = [
-    # Requires network access
+    # Tests require network access
     "test_callback_plugin_task_args_leak"
     "test_env_accuracy"
     # Times out on slower hardware
     "test_large_stdout_blob"
     # Failed: DID NOT RAISE <class 'RuntimeError'>
     "test_validate_pattern"
+    # Assertion error
+    "test_get_role_list"
+    "test_include_role_from_collection_events"
+    "test_resolved_actions"
+    "test_callback_plugin_censoring_does_not_overwrite"
   ];
 
   disabledTestPaths =
@@ -95,9 +100,10 @@ buildPythonPackage rec {
 
   meta = with lib; {
     description = "Helps when interfacing with Ansible";
-    mainProgram = "ansible-runner";
     homepage = "https://github.com/ansible/ansible-runner";
+    changelog = "https://github.com/ansible/ansible-runner/releases/tag/${version}";
     license = licenses.asl20;
     maintainers = [ ];
+    mainProgram = "ansible-runner";
   };
 }

pkgs/development/python-modules/asyncssh/default.nix

@@ -21,14 +21,14 @@
 
 buildPythonPackage rec {
   pname = "asyncssh";
-  version = "2.15.0";
+  version = "2.17.0";
   pyproject = true;
 
   disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-ChOkOBb0bPCEZX+wVZaCO5PVtI5173djyKdW7BIXg3o=";
+    hash = "sha256-OxWcEFqjiMHiJFxPr0g/VArajK2ZQCKBEZEAFm5e2zw=";
   };
 
   build-system = [ setuptools ];

pkgs/development/python-modules/azure-appconfiguration/default.nix

@@ -10,14 +10,14 @@
 
 buildPythonPackage rec {
   pname = "azure-appconfiguration";
-  version = "1.6.0";
+  version = "1.7.1";
   pyporject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-z2KKPh6mZDR5ZDzSRt2kZO3Eq3hXQzOaao/oCbwTf+w=";
+    hash = "sha256-Pr5B6b4/SubKYeXbxCxLfMAHoBBUqFBlAaJt/Bmf0+w=";
   };
 
   build-system = [ setuptools ];

pkgs/development/python-modules/azure-mgmt-appcontainers/default.nix

@@ -11,14 +11,14 @@
 
 buildPythonPackage rec {
   pname = "azure-mgmt-appcontainers";
-  version = "3.0.0";
+  version = "3.1.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-oqKPEOnZaIU7IMzDqT552IBJr9RtWt3vFO3SlG8igs0=";
+    hash = "sha256-PHlDnxK8788UCvjG572LUWJOlx/ZH1rOmKzAc8Lm+uw=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/azure-mgmt-datafactory/default.nix

@@ -11,14 +11,14 @@
 
 buildPythonPackage rec {
   pname = "azure-mgmt-datafactory";
-  version = "8.0.0";
+  version = "9.0.0";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-CL1Z50yjbEkncmKT4FhJ7UaOiUtw1CD85TVEJ7KHjQ4=";
+    hash = "sha256-j1TMe2/jkSVa7p4Ar9HmZjh56GNqtkHP+QbSuyTDT04=";
   };
 
   nativeBuildInputs = [ setuptools ];

pkgs/development/python-modules/azure-mgmt-netapp/default.nix

@@ -11,14 +11,14 @@
 
 buildPythonPackage rec {
   pname = "azure-mgmt-netapp";
-  version = "13.1.0";
+  version = "13.2.0";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-8JzJFZTplNGo74wBelP8Geo7+FQ7WYmAOAef4jv533M=";
+    hash = "sha256-31wzzDeQrs04AL8Qsz050RY/AllvXwy+8Ng+QbUihjo=";
   };
 
   build-system = [ setuptools ];

pkgs/development/python-modules/azure-mgmt-network/default.nix

@@ -11,14 +11,14 @@
 
 buildPythonPackage rec {
   pname = "azure-mgmt-network";
-  version = "25.4.0";
+  version = "26.0.0";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-ozjmLYH9vwUPgCFDwoy5ZbB+3UOADvBQTN+muIVNdVQ=";
+    hash = "sha256-TeZ2GEGVBT/bEGpuoQQqiU5wxzGm08imM9UvUin07hs=";
   };
 
   nativeBuildInputs = [ setuptools ];

pkgs/development/python-modules/azure-mgmt-web/default.nix

@@ -10,14 +10,14 @@
 
 buildPythonPackage rec {
   pname = "azure-mgmt-web";
-  version = "7.3.0";
+  version = "7.3.1";
   format = "setuptools";
 
   disabled = pythonOlder "3.8";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-IDK/TVDfC7uCLqAMrDv74OZ0h9LJzBGCwIWPgxSc3qk=";
+    hash = "sha256-h7dxQ2vJmnqN9Z0K0YW5aHmgbc4UdkoGs/w9r6j8tWs=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/blis/default.nix

@@ -3,33 +3,41 @@
   buildPythonPackage,
   fetchFromGitHub,
   setuptools,
-  cython_0,
+  cython,
   hypothesis,
   numpy,
   pytestCheckHook,
   pythonOlder,
+  blis,
+  numpy_2,
   gitUpdater,
 }:
 
 buildPythonPackage rec {
   pname = "blis";
-  version = "0.7.11";
+  version = "1.0.0";
   pyproject = true;
 
-  disabled = pythonOlder "3.7";
+  disabled = pythonOlder "3.9";
 
   src = fetchFromGitHub {
     owner = "explosion";
     repo = "cython-blis";
-    rev = "refs/tags/v${version}";
+    rev = "refs/tags/release-v${version}";
-    hash = "sha256-p8pzGZc5OiiGTvXULDgzsBC3jIhovTKUq3RtPnQ/+to=";
+    hash = "sha256-XS6h2c+8BJ9pAvIX8340C4vRZEBRmEZc6/6tH7ooqNU=";
   };
 
   postPatch = ''
+    # The commit pinning numpy to version 2 doesn't have any functional changes:
+    # https://github.com/explosion/cython-blis/pull/108
+    # BLIS should thus work with numpy and numpy_2.
+    substituteInPlace pyproject.toml setup.py \
+      --replace-fail "numpy>=2.0.0,<3.0.0" numpy
+
     # See https://github.com/numpy/numpy/issues/21079
     # has no functional difference as the name is only used in log output
     substituteInPlace blis/benchmark.py \
-      --replace 'numpy.__config__.blas_ilp64_opt_info["libraries"]' '["dummy"]'
+      --replace-fail 'numpy.__config__.blas_ilp64_opt_info["libraries"]' '["dummy"]'
   '';
 
   preCheck = ''
@@ -37,12 +45,13 @@ buildPythonPackage rec {
     rm -rf ./blis
   '';
 
-  nativeBuildInputs = [
+  build-system = [
     setuptools
-    cython_0
+    cython
+    numpy
   ];
 
-  propagatedBuildInputs = [ numpy ];
+  dependencies = [ numpy ];
 
   nativeCheckInputs = [
     hypothesis
@@ -52,16 +61,18 @@ buildPythonPackage rec {
   pythonImportsCheck = [ "blis" ];
 
   passthru = {
-    # Do not update to BLIS 0.9.x until the following issue is resolved:
+    tests = {
-    # https://github.com/explosion/thinc/issues/771#issuecomment-1255825935
+      numpy_2 = blis.overridePythonAttrs (old: {
-    skipBulkUpdate = true;
+        numpy = numpy_2;
+      });
+    };
     updateScript = gitUpdater {
-      rev-prefix = "v";
+      rev-prefix = "release-v";
-      ignoredVersions = "0\.9\..*";
     };
   };
 
   meta = with lib; {
+    changelog = "https://github.com/explosion/cython-blis/releases/tag/release-v${version}";
     description = "BLAS-like linear algebra library";
     homepage = "https://github.com/explosion/cython-blis";
     license = licenses.bsd3;

pkgs/development/python-modules/blocksat-cli/default.nix

@@ -5,6 +5,7 @@
   fetchFromGitHub,
   pyasyncore,
   pysnmp,
+  pysnmplib,
   pytestCheckHook,
   python-gnupg,
   pythonAtLeast,
@@ -16,7 +17,7 @@
 
 buildPythonPackage rec {
   pname = "blocksat-cli";
-  version = "2.4.6";
+  version = "2.4.7";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -25,14 +26,17 @@ buildPythonPackage rec {
     owner = "Blockstream";
     repo = "satellite";
     rev = "refs/tags/v${version}";
-    hash = "sha256-1gz2lAS/AHeY54AaVXGeofLC68KjAP7POsIaBL3v2EY=";
+    hash = "sha256-OmIQUrUH3kWgf+v+9Hl2OgDdGPwb3guNY0+H64CWkeg=";
   };
 
-  nativeBuildInputs = [ setuptools ];
+  pythonRelaxDeps = [ "pyasyncore" ];
 
-  propagatedBuildInputs = [
+  build-system = [ setuptools ];
+
+  dependencies = [
     distro
     pysnmp
+    pysnmplib
     python-gnupg
     qrcode
     requests
@@ -50,10 +54,10 @@ buildPythonPackage rec {
 
   meta = with lib; {
     description = "Blockstream Satellite CLI";
-    mainProgram = "blocksat-cli";
     homepage = "https://github.com/Blockstream/satellite";
     changelog = "https://github.com/Blockstream/satellite/releases/tag/v${version}";
     license = licenses.gpl3Only;
     maintainers = with maintainers; [ prusnak ];
+    mainProgram = "blocksat-cli";
   };
 }

pkgs/development/python-modules/catppuccin/default.nix

@@ -12,7 +12,7 @@
 
 buildPythonPackage rec {
   pname = "catppuccin";
-  version = "2.3.0";
+  version = "2.3.1";
 
   pyproject = true;
 
@@ -20,7 +20,7 @@ buildPythonPackage rec {
     owner = "catppuccin";
     repo = "python";
     rev = "refs/tags/v${version}";
-    hash = "sha256-1CPNs+n9S7fV+EvhFWBwnv6/N3UWQ/jiyRcn4XKzmd8=";
+    hash = "sha256-MIxhl9D6nur26ZrbcXAwH8xO9YZlBvVKlB82qKX3Tx0=";
   };
 
   build-system = [

pkgs/development/python-modules/ctypesgen/default.nix

@@ -0,0 +1,46 @@
+{
+  lib,
+  buildPythonPackage,
+  fetchFromGitHub,
+  unittestCheckHook,
+  pythonOlder,
+  setuptools-scm,
+  setuptools,
+  toml,
+  wheel,
+}:
+
+buildPythonPackage rec {
+  pname = "ctypesgen";
+  version = "1.1.1";
+  pyproject = true;
+
+  disabled = pythonOlder "3.11";
+
+  src = fetchFromGitHub {
+    owner = "ctypesgen";
+    repo = "ctypesgen";
+    rev = "refs/tags/${version}";
+    hash = "sha256-TwIWPellmjMpTGQ+adJBLNMdAqB0kLOMl4YAubvXKqo=";
+  };
+
+  build-system = [
+    setuptools
+    setuptools-scm
+    toml
+    wheel
+  ];
+
+  # Various compiler errors
+  doCheck = false;
+
+  pythonImportsCheck = [ "ctypesgen" ];
+
+  meta = with lib; {
+    description = "Pure-python wrapper generator for ctypes";
+    homepage = "https://github.com/ctypesgen/ctypesgen";
+    changelog = "https://github.com/ctypesgen/ctypesgen/blob/${src.rev}/CHANGELOG.md";
+    license = licenses.bsd2;
+    maintainers = with maintainers; [ fab ];
+  };
+}

pkgs/development/python-modules/django-modeltranslation/default.nix

@@ -13,7 +13,7 @@
 let
   # 0.18.12 was yanked from PyPI, it refers to this issue:
   # https://github.com/deschler/django-modeltranslation/issues/701
-  version = "0.19.7";
+  version = "0.19.8";
 in
 buildPythonPackage {
   pname = "django-modeltranslation";
@@ -23,7 +23,7 @@ buildPythonPackage {
     owner = "deschler";
     repo = "django-modeltranslation";
     rev = "refs/tags/v${version}";
-    hash = "sha256-jZm51HmK4pgEPeDirMkbLdLJQONspjuqSc2HgiSCtOY=";
+    hash = "sha256-23htGjPtupmg/oSO/5SuxOfbDmRQKrqx2/lvfqYp7dA=";
   };
 
   disabled = pythonOlder "3.6";

pkgs/development/python-modules/exchangelib/default.nix

@@ -29,7 +29,7 @@
 
 buildPythonPackage rec {
   pname = "exchangelib";
-  version = "5.4.2";
+  version = "5.4.3";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -38,7 +38,7 @@ buildPythonPackage rec {
     owner = "ecederstrand";
     repo = "exchangelib";
     rev = "refs/tags/v${version}";
-    hash = "sha256-UAc8Aju2+AM7m8XbWliVNzfWlL5fdPDa2q6Fsw04nHQ=";
+    hash = "sha256-SX5F0OXKdxA2HoDwvCe4M7RftdjUEdQuFbxRyuABC4E=";
   };
 
   pythonRelaxDeps = [ "defusedxml" ];

pkgs/development/python-modules/fastcore/default.nix

@@ -9,7 +9,7 @@
 
 buildPythonPackage rec {
   pname = "fastcore";
-  version = "1.7.2";
+  version = "1.7.4";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -18,7 +18,7 @@ buildPythonPackage rec {
     owner = "fastai";
     repo = "fastcore";
     rev = "refs/tags/${version}";
-    hash = "sha256-3BOsOd3g+SepFUH2czywyaBnA88qLVyu/8eyHGkuEPY=";
+    hash = "sha256-pm/8YRefobh7urVWiAlb05COQbaBrXB70buDmuKY/qc=";
   };
 
   build-system = [ setuptools ];

pkgs/development/python-modules/fickling/default.nix

@@ -0,0 +1,55 @@
+{
+  lib,
+  astunparse,
+  buildPythonPackage,
+  distutils,
+  fetchFromGitHub,
+  fickling,
+  flit-core,
+  numpy,
+  pytestCheckHook,
+  pythonOlder,
+  torch,
+  torchvision,
+}:
+
+buildPythonPackage rec {
+  pname = "fickling";
+  version = "0.1.3";
+  pyproject = true;
+
+  disabled = pythonOlder "3.8";
+
+  src = fetchFromGitHub {
+    owner = "trailofbits";
+    repo = "fickling";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-/cV1XhJ8KMFby9nZ/qXEYxf+P6352Q2DZOLuvebyuHQ=";
+  };
+
+  build-system = [
+    distutils
+    flit-core
+  ];
+
+  dependencies = [ astunparse ];
+
+  optional-dependencies = {
+    torch = [
+      torch
+      torchvision
+    ];
+  };
+
+  nativeCheckInputs = [ pytestCheckHook ] ++ lib.flatten (builtins.attrValues optional-dependencies);
+
+  pythonImportsCheck = [ "fickling" ];
+
+  meta = with lib; {
+    description = "A Python pickling decompiler and static analyzer";
+    homepage = "https://github.com/trailofbits/fickling";
+    changelog = "https://github.com/trailofbits/fickling/releases/tag/v${version}";
+    license = licenses.lgpl3Plus;
+    maintainers = with maintainers; [ ];
+  };
+}

pkgs/development/python-modules/flipr-api/default.nix

@@ -13,7 +13,7 @@
 
 buildPythonPackage rec {
   pname = "flipr-api";
-  version = "1.6.0";
+  version = "1.6.1";
   pyproject = true;
 
   disabled = pythonOlder "3.9";
@@ -22,7 +22,7 @@ buildPythonPackage rec {
     owner = "cnico";
     repo = "flipr-api";
     rev = "refs/tags/${version}";
-    hash = "sha256-sFCeWfu5rwImIizzik9RzfCWaEHiqhsQrapfuCXHr+4=";
+    hash = "sha256-/px8NuBwukAPMxdXvHdyfO/j/a9UatKbdrjDNuT0f4k=";
   };
 
   build-system = [ poetry-core ];

pkgs/development/python-modules/graphtage/default.nix

@@ -1,14 +1,17 @@
 {
   lib,
   buildPythonPackage,
-  fetchFromGitHub,
-  pytestCheckHook,
-  pythonOlder,
   colorama,
+  distutils,
+  fetchFromGitHub,
+  fickling,
   intervaltree,
   json5,
+  pytestCheckHook,
+  pythonOlder,
   pyyaml,
   scipy,
+  setuptools,
   tqdm,
   typing-extensions,
 }:
@@ -16,24 +19,27 @@
 buildPythonPackage rec {
   pname = "graphtage";
   version = "0.3.1";
-  format = "setuptools";
+  pyproject = true;
 
-  disabled = pythonOlder "3.6";
+  disabled = pythonOlder "3.8";
 
   src = fetchFromGitHub {
     owner = "trailofbits";
-    repo = pname;
+    repo = "graphtage";
     rev = "refs/tags/v${version}";
     hash = "sha256-Bz2T8tVdVOdXt23yPITkDNL46Y5LZPhY3SXZ5bF3CHw=";
   };
 
-  postPatch = ''
+  pythonRelaxDeps = [ "json5" ];
-    substituteInPlace setup.py \
-      --replace "json5==0.9.5" "json5>=0.9.5"
-  '';
 
-  propagatedBuildInputs = [
+  build-system = [
+    distutils
+    setuptools
+  ];
+
+  dependencies = [
     colorama
+    fickling
     intervaltree
     json5
     pyyaml
@@ -48,10 +54,10 @@ buildPythonPackage rec {
 
   meta = with lib; {
     description = "Utility to diff tree-like files such as JSON and XML";
-    mainProgram = "graphtage";
     homepage = "https://github.com/trailofbits/graphtage";
     changelog = "https://github.com/trailofbits/graphtage/releases/tag/v${version}";
     license = licenses.lgpl3Plus;
     maintainers = with maintainers; [ veehaitch ];
+    mainProgram = "graphtage";
   };
 }

pkgs/development/python-modules/jaxlib/bin.nix

@@ -181,7 +181,7 @@ buildPythonPackage {
         or (throw "jaxlib-bin is not supported on ${stdenv.hostPlatform.system}")
       )
     else
-      gpuSrcs."${gpuSrcVersionString}";
+      gpuSrcs."${gpuSrcVersionString}" or (throw "jaxlib-bin: No gpuSrc for ${gpuSrcVersionString}");
 
   # Prebuilt wheels are dynamically linked against things that nix can't find.
   # Run `autoPatchelfHook` to automagically fix them.

pkgs/development/python-modules/mizani/default.nix

@@ -19,7 +19,7 @@
 
 buildPythonPackage rec {
   pname = "mizani";
-  version = "0.12.1";
+  version = "0.12.2";
   pyproject = true;
 
   disabled = pythonOlder "3.10";
@@ -28,7 +28,7 @@ buildPythonPackage rec {
     owner = "has2k1";
     repo = "mizani";
     rev = "refs/tags/v${version}";
-    hash = "sha256-a/+yZ7oUZG0fKgBUMwIf3XHUjac8Gsh3AosDVuUVoJU=";
+    hash = "sha256-aTc8LC/2zLrrTfOXABWs049m752PctpvlguA6qhyhp8=";
   };
 
   build-system = [ setuptools-scm ];

pkgs/development/python-modules/msoffcrypto-tool/default.nix

@@ -12,7 +12,7 @@
 
 buildPythonPackage rec {
   pname = "msoffcrypto-tool";
-  version = "5.4.1";
+  version = "5.4.2";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -21,7 +21,7 @@ buildPythonPackage rec {
     owner = "nolze";
     repo = "msoffcrypto-tool";
     rev = "refs/tags/v${version}";
-    hash = "sha256-BVm4hMKvvNI3bJ82t4NIRcx8o8mgQgoulIerDwoVIT0=";
+    hash = "sha256-nwCjgcZqD0hptHC0WqIodHC5m/JHYyUdfEngIoXzNqA=";
   };
 
   build-system = [ poetry-core ];

pkgs/development/python-modules/nomadnet/default.nix

@@ -12,7 +12,7 @@
 
 buildPythonPackage rec {
   pname = "nomadnet";
-  version = "0.4.9";
+  version = "0.5.0";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
@@ -21,7 +21,7 @@ buildPythonPackage rec {
     owner = "markqvist";
     repo = "NomadNet";
     rev = "refs/tags/${version}";
-    hash = "sha256-Ut/YifODoiHCo3bhN8nV5ZPNIr70FM6MjlZCrUuNaFc=";
+    hash = "sha256-pYlEstApB0SYnkEfQ0kZl53xtbvTkRV+930TrCMqhbA=";
   };
 
   build-system = [ setuptools ];

pkgs/development/python-modules/numpy/2.nix

@@ -58,7 +58,7 @@ let
 in
 buildPythonPackage rec {
   pname = "numpy";
-  version = "2.1.0";
+  version = "2.1.1";
   pyproject = true;
 
   disabled = pythonOlder "3.10";
@@ -66,7 +66,7 @@ buildPythonPackage rec {
   src = fetchPypi {
     inherit pname version;
     extension = "tar.gz";
-    hash = "sha256-fckNoAgffh2knsTjmO3mqOnMT16+X54GtEPtiJ7pqqI=";
+    hash = "sha256-0M99VbEFE4eAdAWziY76+oYpl7TLqKpdvmV755Sv6v0=";
   };
 
   patches = lib.optionals python.hasDistutilsCxxPatch [
@@ -176,5 +176,6 @@ buildPythonPackage rec {
     description = "Scientific tools for Python";
     homepage = "https://numpy.org/";
     license = lib.licenses.bsd3;
+    maintainers = with lib.maintainers; [ doronbehar ];
   };
 }

pkgs/development/python-modules/pykdtree/default.nix

@@ -17,12 +17,12 @@
 
 buildPythonPackage rec {
   pname = "pykdtree";
-  version = "1.3.12";
+  version = "1.3.13";
   pyproject = true;
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-zCCypnxkBWSFoxTSwrbbo1SvfuHI+42uG+byk2o3Q0E=";
+    hash = "sha256-Osz4UulGZT45nD1Nu+EZ28bT9yz9LVqVyr8L8Mf5JP4=";
   };
 
   postPatch = ''

pkgs/development/python-modules/pynslookup/default.nix

@@ -0,0 +1,39 @@
+{
+  lib,
+  buildPythonPackage,
+  fetchFromGitHub,
+  setuptools,
+  dnspython,
+  pythonOlder,
+}:
+
+buildPythonPackage rec {
+  pname = "pynslookup";
+  version = "1.8.1";
+  pyproject = true;
+
+  disabled = pythonOlder "3.8";
+
+  src = fetchFromGitHub {
+    owner = "wesinator";
+    repo = "pynslookup";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-cb8oyI8D8SzBP+tm1jGPPshJYhPegYOH0RwIH03/K/A=";
+  };
+
+  build-system = [ setuptools ];
+
+  dependencies = [ dnspython ];
+
+  # Module has no tests
+  doCheck = false;
+
+  pythonImportsCheck = [ "nslookup" ];
+
+  meta = with lib; {
+    description = "Module to do DNS lookups";
+    homepage = "https://github.com/wesinator/pynslookup";
+    license = licenses.mpl20;
+    maintainers = with maintainers; [ fab ];
+  };
+}

pkgs/development/python-modules/spacy/default.nix

@@ -10,13 +10,11 @@
   fetchPypi,
   hypothesis,
   jinja2,
-  jsonschema,
   langcodes,
   mock,
   murmurhash,
   numpy,
   packaging,
-  pathy,
   preshed,
   pydantic,
   pytestCheckHook,
@@ -29,7 +27,6 @@
   thinc,
   tqdm,
   typer,
-  typing-extensions,
   wasabi,
   weasel,
   writeScript,
@@ -40,36 +37,39 @@
 
 buildPythonPackage rec {
   pname = "spacy";
-  version = "3.7.5";
+  version = "3.7.6";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-pkjGy/Ksx6Vaae6ef6TyK99pqoKKWHobxc//CM88LdM=";
+    hash = "sha256-9AZcCqxcSLv7L/4ZHVXMszv7AFN2r71MzW1ek0FRTjQ=";
   };
 
-  pythonRelaxDeps = [
+  postPatch = ''
-    "smart-open"
+    # thinc version 8.3.0 had no functional changes
-    "typer"
+    # also see https://github.com/explosion/spaCy/issues/13607
-  ];
+    substituteInPlace pyproject.toml setup.cfg \
+      --replace-fail "thinc>=8.2.2,<8.3.0" "thinc>=8.2.2,<8.4.0"
+  '';
 
-  nativeBuildInputs = [
+  build-system = [
+    cymem
     cython_0
+    murmurhash
+    numpy
+    thinc
   ];
 
-  propagatedBuildInputs = [
+  dependencies = [
-    blis
     catalogue
     cymem
     jinja2
-    jsonschema
     langcodes
     murmurhash
     numpy
     packaging
-    pathy
     preshed
     pydantic
     requests
@@ -82,7 +82,7 @@ buildPythonPackage rec {
     typer
     wasabi
     weasel
-  ] ++ lib.optionals (pythonOlder "3.8") [ typing-extensions ];
+  ];
 
   nativeCheckInputs = [
     pytestCheckHook
@@ -90,8 +90,6 @@ buildPythonPackage rec {
     mock
   ];
 
-  doCheck = true;
-
   # Fixes ModuleNotFoundError when running tests on Cythonized code. See #255262
   preCheck = ''
     cd $out
@@ -132,7 +130,7 @@ buildPythonPackage rec {
     description = "Industrial-strength Natural Language Processing (NLP)";
     mainProgram = "spacy";
     homepage = "https://github.com/explosion/spaCy";
-    changelog = "https://github.com/explosion/spaCy/releases/tag/v${version}";
+    changelog = "https://github.com/explosion/spaCy/releases/tag/release-v${version}";
     license = licenses.mit;
     maintainers = [ ];
   };

pkgs/development/python-modules/sshfs/default.nix

@@ -54,10 +54,15 @@ buildPythonPackage rec {
     pytestCheckHook
   ];
 
-  disabledTests = lib.optionals stdenv.isDarwin [
+  disabledTests =
-    # test fails with sandbox enabled
+    [
-    "test_checksum"
+      # Test requires network access
-  ];
+      "test_config_expansions"
+    ]
+    ++ lib.optionals stdenv.isDarwin [
+      # Test fails with sandbox enabled
+      "test_checksum"
+    ];
 
   pythonImportsCheck = [ "sshfs" ];
 

pkgs/development/python-modules/tencentcloud-sdk-python/default.nix

@@ -10,7 +10,7 @@
 
 buildPythonPackage rec {
   pname = "tencentcloud-sdk-python";
-  version = "3.0.1224";
+  version = "3.0.1225";
   pyproject = true;
 
   disabled = pythonOlder "3.9";
@@ -19,7 +19,7 @@ buildPythonPackage rec {
     owner = "TencentCloud";
     repo = "tencentcloud-sdk-python";
     rev = "refs/tags/${version}";
-    hash = "sha256-HO4W3EevyPC1nmPsTOVAFyc18CTKAE3cKYnQ7onlLPg=";
+    hash = "sha256-Fckkv5Oq8JqTqAqw4aOYqxELfk3+TMVOF5eTsGIRjLY=";
   };
 
   build-system = [ setuptools ];

pkgs/development/python-modules/thinc/default.nix

@@ -16,7 +16,6 @@
   mock,
   murmurhash,
   numpy,
-  plac,
   preshed,
   pydantic,
   pytestCheckHook,
@@ -24,51 +23,59 @@
   pythonOlder,
   setuptools,
   srsly,
-  tqdm,
   typing-extensions,
   wasabi,
 }:
 
 buildPythonPackage rec {
   pname = "thinc";
-  version = "8.2.3";
+  version = "8.3.0";
-  format = "setuptools";
+  pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-9a/FIikSqAvai9zslYNiorpTjXAn3I22FUhF0oWdynY=";
+    hash = "sha256-6zvtVPXADsmt2qogjFHM+gWUg9cxQM1RWqMzc3Fcblk=";
   };
 
   postPatch = ''
+    # As per https://github.com/explosion/thinc/releases/tag/release-v8.3.0 no
+    # code changes were required for NumPy 2.0. Thus Thinc should be compatible
+    # with NumPy 1.0 and 2.0.
+    substituteInPlace pyproject.toml setup.cfg \
+      --replace-fail "numpy>=2.0.0,<2.1.0" numpy
     substituteInPlace setup.cfg \
-      --replace "preshed>=3.0.2,<3.1.0" "preshed"
+      --replace-fail "numpy>=2.0.1,<2.1.0" numpy
   '';
 
-  nativeBuildInputs = [ setuptools ];
+  build-system = [
+    blis
+    cymem
+    cython_0
+    murmurhash
+    numpy
+    preshed
+    setuptools
+  ];
 
-  buildInputs =
+  buildInputs = lib.optionals stdenv.isDarwin [
-    [ cython_0 ]
+    Accelerate
-    ++ lib.optionals stdenv.isDarwin [
+    CoreFoundation
-      Accelerate
+    CoreGraphics
-      CoreFoundation
+    CoreVideo
-      CoreGraphics
+  ];
-      CoreVideo
-    ];
 
-  propagatedBuildInputs = [
+  dependencies = [
     blis
     catalogue
     confection
     cymem
     murmurhash
     numpy
-    plac
     preshed
     pydantic
     srsly
-    tqdm
     wasabi
   ] ++ lib.optionals (pythonOlder "3.8") [ typing-extensions ];
 
@@ -78,10 +85,7 @@ buildPythonPackage rec {
     pytestCheckHook
   ];
 
-  # Add native extensions.
   preCheck = ''
-    export PYTHONPATH=$out/${python.sitePackages}:$PYTHONPATH
-
     # avoid local paths, relative imports wont resolve correctly
     mv thinc/tests tests
     rm -r thinc

pkgs/development/python-modules/twilio/default.nix

@@ -20,7 +20,7 @@
 
 buildPythonPackage rec {
   pname = "twilio";
-  version = "9.2.4";
+  version = "9.3.0";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
@@ -29,7 +29,7 @@ buildPythonPackage rec {
     owner = "twilio";
     repo = "twilio-python";
     rev = "refs/tags/${version}";
-    hash = "sha256-5HHHSAvyUxR5myKucWpjkF7NQv/b1pViij606TZGzTY=";
+    hash = "sha256-v+Xq2t9eaKHLQFypNUTzLVBLo+3m0bKkjI09jwD3ieQ=";
   };
 
   build-system = [ setuptools ];

pkgs/development/tools/analysis/checkov/default.nix

@@ -6,14 +6,14 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "checkov";
-  version = "3.2.243";
+  version = "3.2.246";
   pyproject = true;
 
   src = fetchFromGitHub {
     owner = "bridgecrewio";
     repo = "checkov";
     rev = "refs/tags/${version}";
-    hash = "sha256-cOBbfBCpF+//f+lB65XjQqUarZDepkuvh6OvJz7xSdA=";
+    hash = "sha256-oEAu/GDW7u/jPCGLkvazmFJ5c73gAMDWwRu/AkVLDpk=";
   };
 
   patches = [ ./flake8-compat-5.x.patch ];

pkgs/development/tools/azure-static-sites-client/versions.json

@@ -1,25 +1,44 @@
 [
   {
     "version": "latest",
-    "buildId": "1.0.026911",
+    "buildId": "19449a00c0269fefc8f29a6d01801c4b19308181",
-    "publishDate": "2024-05-15T19:23:23.3973684Z",
+    "publishDate": "2024-08-06T04:39:59.0569065Z",
     "files": {
       "linux-x64": {
-        "url": "https://swalocaldeploy.azureedge.net/downloads/1.0.026911/linux/StaticSitesClient",
+        "url": "https://swalocaldeploy.azureedge.net/downloads/19449a00c0269fefc8f29a6d01801c4b19308181/linux/StaticSitesClient",
-        "sha": "e1d9e033c973a35f64b7e41b6a114bd8e48022c9c3f7676e79047e87245a874d"
+        "sha": "87b0852f6a839fcf8e7d76df78aea1d36b803bb4cc4610fa9cd9531ff53175f0"
       },
       "win-x64": {
-        "url": "https://swalocaldeploy.azureedge.net/downloads/1.0.026911/windows/StaticSitesClient.exe",
+        "url": "https://swalocaldeploy.azureedge.net/downloads/19449a00c0269fefc8f29a6d01801c4b19308181/windows/StaticSitesClient.exe",
-        "sha": "c67e5eed2b28fcf5c98348732653d1e2b37d842e6dde9a6b30322832c5d86fc7"
+        "sha": "8d21e065a68a9aa983fdf95f6965b76f19286dba3dcc159d9af212b3fea31126"
       },
       "osx-x64": {
-        "url": "https://swalocaldeploy.azureedge.net/downloads/1.0.026911/macOS/StaticSitesClient",
+        "url": "https://swalocaldeploy.azureedge.net/downloads/19449a00c0269fefc8f29a6d01801c4b19308181/macOS/StaticSitesClient",
-        "sha": "18ca42a1b13db9b8b6db6bd8c77e65def56fa7bf3ce3fb1184e890d8cd7dd033"
+        "sha": "a8d40d343d4135ccca4ebfd754d0e5c0d71821786a4d7c1b0d42c1b2679c80c1"
       }
     }
   },
   {
     "version": "stable",
+    "buildId": "19449a00c0269fefc8f29a6d01801c4b19308181",
+    "publishDate": "2024-08-06T04:39:59.0569065Z",
+    "files": {
+      "linux-x64": {
+        "url": "https://swalocaldeploy.azureedge.net/downloads/19449a00c0269fefc8f29a6d01801c4b19308181/linux/StaticSitesClient",
+        "sha": "87b0852f6a839fcf8e7d76df78aea1d36b803bb4cc4610fa9cd9531ff53175f0"
+      },
+      "win-x64": {
+        "url": "https://swalocaldeploy.azureedge.net/downloads/19449a00c0269fefc8f29a6d01801c4b19308181/windows/StaticSitesClient.exe",
+        "sha": "8d21e065a68a9aa983fdf95f6965b76f19286dba3dcc159d9af212b3fea31126"
+      },
+      "osx-x64": {
+        "url": "https://swalocaldeploy.azureedge.net/downloads/19449a00c0269fefc8f29a6d01801c4b19308181/macOS/StaticSitesClient",
+        "sha": "a8d40d343d4135ccca4ebfd754d0e5c0d71821786a4d7c1b0d42c1b2679c80c1"
+      }
+    }
+  },
+  {
+    "version": "backup",
     "buildId": "1.0.026911",
     "publishDate": "2024-05-15T19:23:23.3973684Z",
     "files": {
@@ -36,24 +55,5 @@
         "sha": "18ca42a1b13db9b8b6db6bd8c77e65def56fa7bf3ce3fb1184e890d8cd7dd033"
       }
     }
-  },
-  {
-    "version": "backup",
-    "buildId": "1.0.026792",
-    "publishDate": "2024-05-03T18:31:36.0288058Z",
-    "files": {
-      "linux-x64": {
-        "url": "https://swalocaldeploy.azureedge.net/downloads/1.0.026792/linux/StaticSitesClient",
-        "sha": "a9dcd998d22a3476fb97fe1c446e83cc7f060a3a36cdb6757b828d0facc42347"
-      },
-      "win-x64": {
-        "url": "https://swalocaldeploy.azureedge.net/downloads/1.0.026792/windows/StaticSitesClient.exe",
-        "sha": "15f03e3f91208db2ea4015c4fce0623a692da1a289f23a782578ab7bc8a810e2"
-      },
-      "osx-x64": {
-        "url": "https://swalocaldeploy.azureedge.net/downloads/1.0.026792/macOS/StaticSitesClient",
-        "sha": "454b10f0351694ec3475a3d85b8746356932b2061a5be7e7fc093a6509cf000c"
-      }
-    }
   }
 ]

pkgs/development/tools/build-managers/moon/default.nix

@@ -9,16 +9,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "moon";
-  version = "1.27.6";
+  version = "1.27.10";
 
   src = fetchFromGitHub {
     owner = "moonrepo";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-oadbF1bXDaJPp6R7C6Ozm5NgFPmvPwgiPIDuRiNrWg8=";
+    hash = "sha256-RAOPF47uUgF8ORECr04YcngWacaKQrMlQaG9YnECVdc=";
   };
 
-  cargoHash = "sha256-p3CBjdWOutEWIQMWS5nAYAsE9BQf2MViyoLIOD1OE/s=";
+  cargoHash = "sha256-pQvto1G0XptEaAStbOKd2q4nlt4sKpIYu7K9lqakkTk=";
 
   env = {
     RUSTFLAGS = "-C strip=symbols";

pkgs/development/tools/circup/default.nix

@@ -1,56 +1,55 @@
-{ lib
+{
-, fetchFromGitHub
+  lib,
-, python3
+  fetchFromGitHub,
+  python3,
 }:
 
 python3.pkgs.buildPythonApplication rec {
   pname = "circup";
-  version = "1.4.0";
+  version = "2.0.4";
-  format = "setuptools";
+  pyproject = true;
 
   src = fetchFromGitHub {
     owner = "adafruit";
-    repo = pname;
+    repo = "circup";
     rev = "refs/tags/${version}";
-    hash = "sha256-kax4gnvRkHSqj0Y6Rk8eyPpT7Wia2QngCQtxpqWSl9s=";
+    hash = "sha256-Iid6IwPoj7F9X6Yb0ESsuvD9/tZdRQyCceGOVt2R1qw=";
   };
 
-  pythonRelaxDeps = [
+  pythonRelaxDeps = [ "semver" ];
-    "semver"
-  ];
 
-  nativeBuildInputs = with python3.pkgs; [
+  build-system = with python3.pkgs; [ setuptools-scm ];
-    setuptools-scm
-  ];
 
-  propagatedBuildInputs = with python3.pkgs; [
+  dependencies = with python3.pkgs; [
     appdirs
     click
     findimports
     requests
     semver
     setuptools
+    toml
     update-checker
   ];
 
-  nativeCheckInputs = with python3.pkgs; [
+  nativeCheckInputs = with python3.pkgs; [ pytestCheckHook ];
-    pytestCheckHook
-  ];
 
   postBuild = ''
     export HOME=$(mktemp -d);
   '';
 
-  pythonImportsCheck = [
+  pythonImportsCheck = [ "circup" ];
-    "circup"
+
+  disabledTests = [
+    # Test requires network access
+    "test_libraries_from_imports_bad"
   ];
 
   meta = with lib; {
     description = "CircuitPython library updater";
-    mainProgram = "circup";
     homepage = "https://github.com/adafruit/circup";
     changelog = "https://github.com/adafruit/circup/releases/tag/${version}";
     license = with licenses; [ mit ];
     maintainers = with maintainers; [ fab ];
+    mainProgram = "circup";
   };
 }

pkgs/development/tools/json2hcl/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "json2hcl";
-  version = "0.1.1";
+  version = "0.2.0";
 
   src = fetchFromGitHub {
     owner = "kvz";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-0ku8sON4fzWAirqY+dhYAks2LSyC7OH/LKI0kb+QhpM=";
+    sha256 = "sha256-h7DudYVWvDRCbjoIgOoCIudf7ZfUfWXp5OJ4ni0nm6c=";
   };
 
   vendorHash = "sha256-GxYuFak+5CJyHgC1/RsS0ub84bgmgL+bI4YKFTb+vIY=";

pkgs/development/tools/misc/terraform-ls/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "terraform-ls";
-  version = "0.34.2";
+  version = "0.34.3";
 
   src = fetchFromGitHub {
     owner = "hashicorp";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-4k9ro5XfcZs68p4QmvO+SBxfgBFf2Z8yrXiWmkbOj1c=";
+    hash = "sha256-fN/C7H0s7ZhXSg8pLn9iex6WglMKsx6hA8OK/HYqbRU=";
   };
 
-  vendorHash = "sha256-znBfzX6oS19auL1ptcVXM0l2Thpnb7DrciYs5Z2XVJY=";
+  vendorHash = "sha256-NL5pqcQTjauxLschhj3kCiZLBLagABSCU/zHLcG2anM=";
 
   ldflags = [ "-s" "-w" ];
 

pkgs/development/tools/rust/rust-analyzer/default.nix

@@ -13,14 +13,14 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "rust-analyzer-unwrapped";
-  version = "2024-08-27";
+  version = "2024-09-02";
-  cargoHash = "sha256-zYKBNByyHjLbShhmoVTvqWe30EKVf3XBKzktZzGjifo=";
+  cargoHash = "sha256-t45RzYkuywGByGWwUON3dW0aKjLYcFXB8uy4CybPuf4=";
 
   src = fetchFromGitHub {
     owner = "rust-lang";
     repo = "rust-analyzer";
     rev = version;
-    hash = "sha256-tRaJTAfFpV2y+kqf8ZzX74waPpkZ0r2EB4WIKLQAsrw=";
+    hash = "sha256-YH0kH5CSOnAuPUB1BUzUqvnKiv5SgDhfMNjrkki9Ahk=";
   };
 
   cargoBuildFlags = [ "--bin" "rust-analyzer" "--bin" "rust-analyzer-proc-macro-srv" ];

pkgs/servers/matrix-synapse/matrix-appservice-irc/default.nix

@@ -13,19 +13,19 @@
 
 let
   pname = "matrix-appservice-irc";
-  version = "2.0.1";
+  version = "3.0.0";
 
   src = fetchFromGitHub {
     owner = "matrix-org";
     repo = pname;
     rev = "refs/tags/${version}";
-    hash = "sha256-ue3fOkrEBRI/NRE+uKFR+NaqP8QvzVVeX3LUh4aZYJA=";
+    hash = "sha256-ZT8ugev+Tgu47KLuVVo5sFfiGtWLDc6JW5NZvsQ1mA8=";
   };
 
   yarnOfflineCache = fetchYarnDeps {
     name = "${pname}-${version}-offline-cache";
     yarnLock = "${src}/yarn.lock";
-    hash = "sha256-hapEbdjvvzeZHfrpYRW9W3vXkQVNyGZ0qydO34+mQqQ=";
+    hash = "sha256-13OUcxZOlW1pp4uB1aRmqlzKf6rTgyP/nMnLmksXV3w=";
   };
 
 in

pkgs/servers/spicedb/zed.nix

@@ -5,16 +5,16 @@
 
 buildGoModule rec {
   pname = "zed";
-  version = "0.21.0";
+  version = "0.21.1";
 
   src = fetchFromGitHub {
     owner = "authzed";
     repo = "zed";
     rev = "v${version}";
-    hash = "sha256-jHKugGQ3tta9vGjMtVEyTrLrmivLc41VFYVqAjH/IGQ=";
+    hash = "sha256-X8kZjPjFGMUfSQLdS6/XA1eNRQH6n/FffgbC19r1WRU=";
   };
 
-  vendorHash = "sha256-nYf/ruU1IPDOcumhQz6LGEpKLyAxgASgxjPT7qz0N8c=";
+  vendorHash = "sha256-Q8OW9aBs1fcUdKin6uX1s6oD289eCUffmAK5nr3xn0s=";
 
   ldflags = [
     "-X 'github.com/jzelinskie/cobrautil/v2.Version=${src.rev}'"