Merge remote-tracking branch 'origin/staging-next' into staging

2024-07-31 08:57:17 +03:00 · 2024-07-31 08:57:17 +03:00 · 4f29b5a16b
commit 4f29b5a16b
parent 2c0bb9fe8a 1d8103b2a4
2562 changed files with 41797 additions and 26007 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -44,6 +44,10 @@ indent_size = 4
 indent_size = 2
 indent_style = space
 # Match package.json, which are generally pulled from upstream and accept them as they are
 [package.json]
 indent_style = unset
 # Disable file types or individual files
 # some of these files may be auto-generated and/or require significant changes
--- a/doc/build-helpers/dev-shell-tools.chapter.md
+++ b/doc/build-helpers/dev-shell-tools.chapter.md
@ -27,3 +27,49 @@ devShellTools.valueToString (builtins.toFile "foo" "bar")
 devShellTools.valueToString false
 => ""
 ```
 :::
 ## `devShellTools.unstructuredDerivationInputEnv` {#sec-devShellTools-unstructuredDerivationInputEnv}
 Convert a set of derivation attributes (as would be passed to [`derivation`]) to a set of environment variables that can be used in a shell script.
 This function does not support `__structuredAttrs`, but does support `passAsFile`.
 :::{.example}
 ## `unstructuredDerivationInputEnv` usage example
 ```nix
 devShellTools.unstructuredDerivationInputEnv {
  drvAttrs = {
    name = "foo";
    buildInputs = [ hello figlet ];
    builder = bash;
    args = [ "-c" "${./builder.sh}" ];
  };
 }
 => {
  name = "foo";
  buildInputs = "/nix/store/...-hello /nix/store/...-figlet";
  builder = "/nix/store/...-bash";
 }
 ```
 Note that `args` is not included, because Nix does not added it to the builder process environment.
 :::
 ## `devShellTools.derivationOutputEnv` {#sec-devShellTools-derivationOutputEnv}
 Takes the relevant parts of a derivation and returns a set of environment variables, that would be present in the derivation.
 :::{.example}
 ## `derivationOutputEnv` usage example
 ```nix
 let
  pkg = hello;
 in
 devShellTools.derivationOutputEnv { outputList = pkg.outputs; outputMap = pkg; }
 ```
 :::
--- a/doc/doc-support/package.nix
+++ b/doc/doc-support/package.nix
@ -60,7 +60,7 @@ stdenvNoCC.mkDerivation (
      nixos-render-docs manual html \
        --manpage-urls ./manpage-urls.json \
-        --revision ${lib.trivial.revisionWithDefault (nixpkgs.rev or "master")} \
+        --revision ${nixpkgs.rev or "master"} \
        --stylesheet style.css \
        --stylesheet highlightjs/mono-blue.css \
        --script ./highlightjs/highlight.pack.js \
--- a/doc/interoperability.md
+++ b/doc/interoperability.md
@ -0,0 +1,5 @@
 # Interoperability Standards {#part-interoperability}
 ```{=include=} chapters
 interoperability/cyclonedx.md
 ```
--- a/doc/interoperability/cyclonedx.md
+++ b/doc/interoperability/cyclonedx.md
@ -0,0 +1,79 @@
 # CycloneDX {#chap-interop-cyclonedx}
 [OWASP](https://owasp.org/) [CycloneDX](https://cyclonedx.org/) is a Software [Bill of Materials](https://en.wikipedia.org/wiki/Bill_of_materials) (SBOM) standard.
 The standards described here are for including Nix specific information within SBOMs in a way that is interoperable with external SBOM tooling.
 ## `nix` Namespace Property Taxonomy  {#sec-interop.cylonedx-nix}
 The following tables describe namespaces for [properties](https://cyclonedx.org/docs/1.6/json/#components_items_properties) that may be attached to components within SBOMs.
 Component properties are lists of name-value-pairs where values must be strings.
 Properties with the same name may appear more than once.
 Names and values are case-sensitive.
 | Property         | Description |
 |------------------|-------------|
 | `nix:store_path` | A Nix store path for the given component. This property should be contextualized by additional properties that describe the production of the store path, such as those from the `nix:narinfo:` and `nix:fod` namespaces. |
 | Namespace     | Description |
 |---------------|-------------|
 | [`nix:narinfo`](#sec-interop.cylonedx-narinfo) | Namespace for properties that are specific to how a component is stored as a [Nix archive](https://nixos.org/manual/nix/stable/glossary#gloss-nar) (NAR) in a [binary cache](https://nixos.org/manual/nix/stable/glossary#gloss-binary-cache). |
 | [`nix:fod`](#sec-interop.cylonedx-fod) | Namespace for properties that describe a [fixed-output derivation](https://nixos.org/manual/nix/stable/glossary#gloss-fixed-output-derivation). |
 ### `nix:narinfo` {#sec-interop.cylonedx-narinfo}
 Narinfo properties describe component archives that may be available from binary caches.
 The `nix:narinfo` properties should be accompanied by a `nix:store_path` property within the same property list.
 | Property                  | Description |
 |---------------------------|-------------|
 | `nix:narinfo:store_path`  | Store path for the given store component. |
 | `nix:narinfo:url`         | URL path component. |
 | `nix:narinfo:nar_hash`    | Hash of the file system object part of the component when serialized as a Nix Archive. |
 | `nix:narinfo:nar_size`    | Size of the component when serialized as a Nix Archive. |
 | `nix:narinfo:compression` | The compression format that component archive is in. |
 | `nix:narinfo:file_hash`   | A digest for the compressed component archive itself, as opposed to the data contained within. |
 | `nix:narinfo:file_size`   | The size of the compressed component archive itself. |
 | `nix:narinfo:deriver`     | The path to the derivation from which this component is produced. |
 | `nix:narinfo:system`      | The hardware and software platform on which this component is produced. |
 | `nix:narinfo:sig`         | Signatures claiming that this component is what it claims to be. |
 | `nix:narinfo:ca`          | Content address of this store object's file system object, used to compute its store path. |
 | `nix:narinfo:references`  | A whitespace separated array of store paths that this component references. |
 ### `nix:fod` {#sec-interop.cylonedx-fod}
 FOD properties describe a [fixed-output derivation](https://nixos.org/manual/nix/stable/glossary#gloss-fixed-output-derivation).
 The `nix:fod:method` property is required and must be accompanied by a `nix:store_path` property within the same property list.
 All other properties in this namespace are method-specific.
 To reproduce the build of a component the `nix:fod:method` value is resolved to an [appropriate function](#chap-pkgs-fetchers) within Nixpkgs whose arguments intersect with the given properties.
 When generating `nix:fod` properties the method selected should be a stable function with a minimal number arguments.
 For example, the `fetchFromGitHub` is commonly used within Nixpkgs but should be reduced to a call to the function by which it is implemented, `fetchzip`.
 | Property         | Description |
 |------------------|-------------|
 | `nix:fod:method` | Nixpkg function that produces this FOD. Required. Examples: `"fetchzip"`, `"fetchgit"` |
 | `nix:fod:name`   | Derivation name, present when method is `"fetchzip"` |
 | `nix:fod:ref`    | [Git ref](https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefrefaref), present when method is `"fetchgit"` |
 | `nix:fod:rev`    | [Git rev](https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefrevisionarevision), present when method is `"fetchgit"` |
 | `nix:fod:sha256` | FOD hash |
 | `nix:fod:url`    | URL to fetch |
 `nix:fod` properties may be extracted and evaluated to a derivation using code similar to the following, assuming a fictitious function `filterPropertiesToAttrs`:
 ```nix
 { pkgs, filterPropertiesToAttrs, properties }:
 let
  fodProps = filterPropertiesToAttrs "nix:fod:" properties;
  methods = {
    fetchzip =
      { name, url, sha256, ... }:
      pkgs.fetchzip {
        inherit name url sha256;
      };
  };
 in methods.${fodProps.method} fodProps
 ```
--- a/doc/languages-frameworks/python.section.md
+++ b/doc/languages-frameworks/python.section.md
@ -162,7 +162,8 @@ following are specific to `buildPythonPackage`:
 * `dontWrapPythonPrograms ? false`: Skip wrapping of Python programs.
 * `permitUserSite ? false`: Skip setting the `PYTHONNOUSERSITE` environment
  variable in wrapped programs.
-* `pyproject`: Whether the pyproject format should be used. When set to `true`,
+* `pyproject`: Whether the pyproject format should be used. As all other formats
  are deprecated, you are recommended to set this to `true`. When you do so,
  `pypaBuildHook` will be used, and you can add the required build dependencies
  from `build-system.requires` to `build-system`. Note that the pyproject
  format falls back to using `setuptools`, so you can use `pyproject = true`
--- a/doc/languages-frameworks/rust.section.md
+++ b/doc/languages-frameworks/rust.section.md
@ -41,7 +41,7 @@ rustPlatform.buildRustPackage rec {
    description = "Fast line-oriented regex search tool, similar to ag and ack";
    homepage = "https://github.com/BurntSushi/ripgrep";
    license = lib.licenses.unlicense;
-    maintainers = [];
+    maintainers = [ ];
  };
 }
 ```
@ -642,6 +642,7 @@ builds the `retworkx` Python package. `fetchCargoTarball` and
 buildPythonPackage rec {
  pname = "retworkx";
  version = "0.6.0";
  pyproject = true;
  src = fetchFromGitHub {
    owner = "Qiskit";
@ -656,8 +657,6 @@ buildPythonPackage rec {
    hash = "sha256-heOBK8qi2nuc/Ib+I/vLzZ1fUUD/G/KTw9d7M4Hz5O0=";
  };
  format = "pyproject";
  nativeBuildInputs = with rustPlatform; [ cargoSetupHook maturinBuildHook ];
  # ...
--- a/doc/manual.md.in
+++ b/doc/manual.md.in
@ -12,4 +12,5 @@ stdenv.md
 build-helpers.md
 development.md
 contributing.md
 interoperability.md
 ```
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@ -15060,6 +15060,12 @@
    githubId = 158758;
    name = "Oliver Dunkl";
  };
  odygrd = {
    email = "odysseas.georgoudis@gmail.com";
    github = "odygrd";
    githubId = 7397786;
    name = "Odysseas Georgoudis";
  };
  ofek = {
    email = "oss@ofek.dev";
    github = "ofek";
--- a/maintainers/scripts/convert-to-import-cargo-lock/shell.nix
+++ b/maintainers/scripts/convert-to-import-cargo-lock/shell.nix
@ -1,5 +1,17 @@
-with import ../../../. { };
+{
-
+  pkgs ? import ../../.. { },
 }:
 let
  inherit (pkgs) lib stdenv mkShell;
 in
 mkShell {
-  packages = [ rustc cargo clippy rustfmt ] ++ lib.optional stdenv.isDarwin libiconv;
+  packages =
    with pkgs;
    [
      rustc
      cargo
      clippy
      rustfmt
    ]
    ++ lib.optional stdenv.isDarwin pkgs.libiconv;
 }
--- a/maintainers/scripts/luarocks-packages.csv
+++ b/maintainers/scripts/luarocks-packages.csv
@ -35,6 +35,7 @@ ldoc,,,,,,
 lgi,,,,,,
 linenoise,https://raw.githubusercontent.com/hoelzro/lua-linenoise/master/linenoise-0.9-1.rockspec,,,,,
 ljsyscall,,,,,5.1,lblasc
 llscheck,,,,,,mrcjkb
 lmathx,,,,,5.3,alexshpilkin
 lmpfrlib,,,,,5.3,alexshpilkin
 loadkit,,,,,,alerque
--- a/maintainers/team-list.nix
+++ b/maintainers/team-list.nix
@ -1019,10 +1019,7 @@ with lib.maintainers;
  };
  zig = {
-    members = [
+    members = [ figsoda ];
      AndersonTorres
      figsoda
    ];
    scope = "Maintain the Zig compiler toolchain and nixpkgs integration.";
    shortName = "Zig";
    enableFeatureFreezePing = true;
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -231,6 +231,8 @@
  Explicitly set `kubelet.hostname` to `networking.fqdnOrHostName` to get back
  the old default behavior.
 - Docker now defaults to 27.x, because version 24.x stopped receiving security updates and bug fixes after [February 1, 2024](https://github.com/moby/moby/pull/46772#discussion_r1686464084).
 - `keycloak` was updated to version 25, which introduces new hostname related options.
  See [Upgrading Guide](https://www.keycloak.org/docs/25.0.1/upgrading/#migrating-to-25-0-0) for instructions.
@ -304,6 +306,8 @@
 - The `shadowstack` hardening flag has been added, though disabled by default.
 - `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep).
 - Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872)
  in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners
  should be changed to using *runner authentication tokens* by configuring
--- a/nixos/lib/test-driver/shell.nix
+++ b/nixos/lib/test-driver/shell.nix
@ -1,2 +1,4 @@
-with import ../../.. {};
+{
-pkgs.callPackage ./default.nix {}
+  pkgs ? import ../../.. { },
 }:
 pkgs.callPackage ./default.nix { }
--- a/nixos/maintainers/scripts/azure-new/shell.nix
+++ b/nixos/maintainers/scripts/azure-new/shell.nix
@ -1,13 +1,16 @@
-with (import ../../../../default.nix {});
+{
-stdenv.mkDerivation {
+  pkgs ? import ../../../../default.nix { },
 }:
 pkgs.stdenv.mkDerivation {
  name = "nixcfg-azure-devenv";
-  nativeBuildInputs = [
+  nativeBuildInputs = with pkgs; [
    azure-cli
    bash
    cacert
    azure-storage-azcopy
  ];
-  AZURE_CONFIG_DIR="/tmp/azure-cli/.azure";
+  AZURE_CONFIG_DIR = "/tmp/azure-cli/.azure";
 }
--- a/nixos/modules/hardware/ckb-next.nix
+++ b/nixos/modules/hardware/ckb-next.nix
@ -41,6 +41,6 @@ in
    };
    meta = {
-      maintainers = with lib.maintainers; [ ];
+      maintainers = [ ];
    };
  }
--- a/nixos/modules/hardware/raid/hpsa.nix
+++ b/nixos/modules/hardware/raid/hpsa.nix
@ -40,7 +40,7 @@ let
      homepage = "https://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/";
      license = licenses.unfreeRedistributable;
      platforms = [ "x86_64-linux" ];
-      maintainers = with maintainers; [ ];
+      maintainers = [ ];
    };
  };
 in {
--- a/nixos/modules/hardware/video/nvidia.nix
+++ b/nixos/modules/hardware/video/nvidia.nix
@ -256,7 +256,9 @@ in
      open = lib.mkEnableOption ''
        the open source NVIDIA kernel module
-      '';
+      '' // {
        defaultText = lib.literalExpression ''lib.versionAtLeast config.hardware.nvidia.package.version "560"'';
      };
    };
  };
@ -305,6 +307,8 @@ in
            extraPackages32 = [ nvidia_x11.lib32 ];
          };
          environment.systemPackages = [ nvidia_x11.bin ];
          hardware.nvidia.open = lib.mkDefault (lib.versionAtLeast nvidia_x11.version "560");
        })
        # X11
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -304,6 +304,7 @@
  ./programs/wayland/hyprlock.nix
  ./programs/wayland/hyprland.nix
  ./programs/wayland/labwc.nix
  ./programs/wayland/miracle-wm.nix
  ./programs/wayland/river.nix
  ./programs/wayland/sway.nix
  ./programs/wayland/waybar.nix
--- a/nixos/modules/programs/dmrconfig.nix
+++ b/nixos/modules/programs/dmrconfig.nix
@ -4,7 +4,7 @@ let
  cfg = config.programs.dmrconfig;
 in {
-  meta.maintainers = with lib.maintainers; [ ];
+  meta.maintainers = [ ];
  ###### interface
  options = {
--- a/nixos/modules/programs/wayland/miracle-wm.nix
+++ b/nixos/modules/programs/wayland/miracle-wm.nix
@ -0,0 +1,43 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.programs.wayland.miracle-wm;
 in
 {
  options.programs.wayland.miracle-wm = {
    enable = lib.mkEnableOption ''
      miracle-wm, a tiling Mir based Wayland compositor. You can manually launch miracle-wm by
      executing "exec miracle-wm" on a TTY, or launch it from a display manager.
      Consult the USERGUIDE.md at <https://github.com/mattkae/miracle-wm> for information on
      how to use & configure it
    '';
  };
  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      {
        environment = {
          systemPackages = [ pkgs.miracle-wm ];
        };
        # To make the miracle-wm session available if a display manager like SDDM is enabled:
        services.displayManager.sessionPackages = [ pkgs.miracle-wm ];
      }
      (import ./wayland-session.nix {
        inherit lib pkgs;
        # Hardcoded path in Mir, not really possible to disable
        enableXWayland = true;
        # No portal support yet: https://github.com/mattkae/miracle-wm/issues/164
        enableWlrPortal = false;
      })
    ]
  );
  meta.maintainers = with lib.maintainers; [ OPNA2608 ];
 }
--- a/nixos/modules/programs/wayland/wayfire.nix
+++ b/nixos/modules/programs/wayland/wayfire.nix
@ -1,4 +1,9 @@
-{ config, lib, pkgs, ...}:
+{
  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.programs.wayfire;
 in
@ -12,7 +17,10 @@ in
    plugins = lib.mkOption {
      type = lib.types.listOf lib.types.package;
-      default = with pkgs.wayfirePlugins; [ wcm wf-shell ];
+      default = with pkgs.wayfirePlugins; [
        wcm
        wf-shell
      ];
      defaultText = lib.literalExpression "with pkgs.wayfirePlugins; [ wcm wf-shell ]";
      example = lib.literalExpression ''
        with pkgs.wayfirePlugins; [
@ -25,26 +33,39 @@ in
        Additional plugins to use with the wayfire window manager.
      '';
    };
-  };
+    xwayland.enable = lib.mkEnableOption "XWayland" // {
-
+      default = true;
  config = let
    finalPackage = pkgs.wayfire-with-plugins.override {
      wayfire = cfg.package;
      plugins = cfg.plugins;
    };
  in
  lib.mkIf cfg.enable {
    environment.systemPackages = [
      finalPackage
    ];
    services.displayManager.sessionPackages = [ finalPackage ];
    xdg.portal = {
      enable = lib.mkDefault true;
      wlr.enable = lib.mkDefault true;
      # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050914
      config.wayfire.default = lib.mkDefault [ "wlr" "gtk" ];
    };
  };
  config =
    let
      finalPackage = pkgs.wayfire-with-plugins.override {
        wayfire = cfg.package;
        plugins = cfg.plugins;
      };
    in
    lib.mkIf cfg.enable (
      lib.mkMerge [
        {
          environment.systemPackages = [ finalPackage ];
          services.displayManager.sessionPackages = [ finalPackage ];
          xdg.portal = {
            enable = lib.mkDefault true;
            wlr.enable = lib.mkDefault true;
            # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050914
            config.wayfire.default = lib.mkDefault [
              "wlr"
              "gtk"
            ];
          };
        }
        (import ./wayland-session.nix {
          inherit lib pkgs;
          enableXWayland = cfg.xwayland.enable;
        })
      ]
    );
 }
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -99,6 +99,7 @@ let
    }));
  };
  package = config.security.pam.package;
  parentConfig = config;
  pamOpts = { config, name, ... }: let cfg = config; in let config = parentConfig; in {
@ -648,16 +649,16 @@ let
          # The required pam_unix.so module has to come after all the sufficient modules
          # because otherwise, the account lookup will fail if the user does not exist
          # locally, for example with MySQL- or LDAP-auth.
-          { name = "unix"; control = "required"; modulePath = "pam_unix.so"; }
+          { name = "unix"; control = "required"; modulePath = "${package}/lib/security/pam_unix.so"; }
        ];
        auth = autoOrderRules ([
          { name = "oslogin_login"; enable = cfg.googleOsLoginAuthentication; control = "[success=done perm_denied=die default=ignore]"; modulePath = "${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so"; }
-          { name = "rootok"; enable = cfg.rootOK; control = "sufficient"; modulePath = "pam_rootok.so"; }
+          { name = "rootok"; enable = cfg.rootOK; control = "sufficient"; modulePath = "${package}/lib/security/pam_rootok.so"; }
-          { name = "wheel"; enable = cfg.requireWheel; control = "required"; modulePath = "pam_wheel.so"; settings = {
+          { name = "wheel"; enable = cfg.requireWheel; control = "required"; modulePath = "${package}/lib/security/pam_wheel.so"; settings = {
            use_uid = true;
          }; }
-          { name = "faillock"; enable = cfg.logFailures; control = "required"; modulePath = "pam_faillock.so"; }
+          { name = "faillock"; enable = cfg.logFailures; control = "required"; modulePath = "${package}/lib/security/pam_faillock.so"; }
          { name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = {
            config_file = "/etc/security/pam_mysql.conf";
          }; }
@ -710,7 +711,7 @@ let
              || cfg.zfs))
            [
              { name = "systemd_home-early"; enable = config.services.homed.enable; control = "optional"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; }
-              { name = "unix-early"; enable = cfg.unixAuth; control = "optional"; modulePath = "pam_unix.so"; settings = {
+              { name = "unix-early"; enable = cfg.unixAuth; control = "optional"; modulePath = "${package}/lib/security/pam_unix.so"; settings = {
                nullok = cfg.allowNullPassword;
                inherit (cfg) nodelay;
                likeauth = true;
@ -731,7 +732,7 @@ let
              { name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; settings = {
                store-only = cfg.gnupg.storeOnly;
              }; }
-              { name = "faildelay"; enable = cfg.failDelay.enable; control = "optional"; modulePath = "${pkgs.pam}/lib/security/pam_faildelay.so"; settings = {
+              { name = "faildelay"; enable = cfg.failDelay.enable; control = "optional"; modulePath = "${package}/lib/security/pam_faildelay.so"; settings = {
                inherit (cfg.failDelay) delay;
              }; }
              { name = "google_authenticator"; enable = cfg.googleAuthenticator.enable; control = "required"; modulePath = "${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so"; settings = {
@ -740,7 +741,7 @@ let
              { name = "duo"; enable = cfg.duoSecurity.enable; control = "required"; modulePath = "${pkgs.duo-unix}/lib/security/pam_duo.so"; }
            ]) ++ [
          { name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; }
-          { name = "unix"; enable = cfg.unixAuth; control = "sufficient"; modulePath = "pam_unix.so"; settings = {
+          { name = "unix"; enable = cfg.unixAuth; control = "sufficient"; modulePath = "${package}/lib/security/pam_unix.so"; settings = {
            nullok = cfg.allowNullPassword;
            inherit (cfg) nodelay;
            likeauth = true;
@ -768,12 +769,12 @@ let
            action = "store";
            use_first_pass = true;
          }; }
-          { name = "deny"; control = "required"; modulePath = "pam_deny.so"; }
+          { name = "deny"; control = "required"; modulePath = "${package}/lib/security/pam_deny.so"; }
        ]);
        password = autoOrderRules [
          { name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; }
-          { name = "unix"; control = "sufficient"; modulePath = "pam_unix.so"; settings = {
+          { name = "unix"; control = "sufficient"; modulePath = "${package}/lib/security/pam_unix.so"; settings = {
            nullok = true;
            yescrypt = true;
          }; }
@ -798,24 +799,24 @@ let
        ];
        session = autoOrderRules [
-          { name = "env"; enable = cfg.setEnvironment; control = "required"; modulePath = "pam_env.so"; settings = {
+          { name = "env"; enable = cfg.setEnvironment; control = "required"; modulePath = "${package}/lib/security/pam_env.so"; settings = {
            conffile = "/etc/pam/environment";
            readenv = 0;
          }; }
-          { name = "unix"; control = "required"; modulePath = "pam_unix.so"; }
+          { name = "unix"; control = "required"; modulePath = "${package}/lib/security/pam_unix.so"; }
-          { name = "loginuid"; enable = cfg.setLoginUid; control = if config.boot.isContainer then "optional" else "required"; modulePath = "pam_loginuid.so"; }
+          { name = "loginuid"; enable = cfg.setLoginUid; control = if config.boot.isContainer then "optional" else "required"; modulePath = "${package}/lib/security/pam_loginuid.so"; }
-          { name = "tty_audit"; enable = cfg.ttyAudit.enable; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_tty_audit.so"; settings = {
+          { name = "tty_audit"; enable = cfg.ttyAudit.enable; control = "required"; modulePath = "${package}/lib/security/pam_tty_audit.so"; settings = {
            open_only = cfg.ttyAudit.openOnly;
            enable = cfg.ttyAudit.enablePattern;
            disable = cfg.ttyAudit.disablePattern;
          }; }
          { name = "systemd_home"; enable = config.services.homed.enable; control = "required"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; }
-          { name = "mkhomedir"; enable = cfg.makeHomeDir; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_mkhomedir.so"; settings = {
+          { name = "mkhomedir"; enable = cfg.makeHomeDir; control = "required"; modulePath = "${package}/lib/security/pam_mkhomedir.so"; settings = {
            silent = true;
            skel = config.security.pam.makeHomeDir.skelDirectory;
            inherit (config.security.pam.makeHomeDir) umask;
          }; }
-          { name = "lastlog"; enable = cfg.updateWtmp; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_lastlog.so"; settings = {
+          { name = "lastlog"; enable = cfg.updateWtmp; control = "required"; modulePath = "${package}/lib/security/pam_lastlog.so"; settings = {
            silent = true;
          }; }
          { name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; }
@ -823,11 +824,11 @@ let
          # Skips the pam_fscrypt module for systemd-user sessions which do not have a password
          # anyways.
          # See also https://github.com/google/fscrypt/issues/95
-          { name = "fscrypt-skip-systemd"; enable = config.security.pam.enableFscrypt; control = "[success=1 default=ignore]"; modulePath = "pam_succeed_if.so"; args = [
+          { name = "fscrypt-skip-systemd"; enable = config.security.pam.enableFscrypt; control = "[success=1 default=ignore]"; modulePath = "${package}/lib/security/pam_succeed_if.so"; args = [
            "service" "=" "systemd-user"
          ]; }
          { name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; modulePath = "${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"; }
-          { name = "zfs_key-skip-systemd"; enable = cfg.zfs; control = "[success=1 default=ignore]"; modulePath = "pam_succeed_if.so"; args = [
+          { name = "zfs_key-skip-systemd"; enable = cfg.zfs; control = "[success=1 default=ignore]"; modulePath = "${package}/lib/security/pam_succeed_if.so"; args = [
            "service" "=" "systemd-user"
          ]; }
          { name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; settings = {
@ -846,14 +847,14 @@ let
          { name = "krb5"; enable = config.security.pam.krb5.enable; control = "optional"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; }
          { name = "otpw"; enable = cfg.otpwAuth; control = "optional"; modulePath = "${pkgs.otpw}/lib/security/pam_otpw.so"; }
          { name = "systemd"; enable = cfg.startSession; control = "optional"; modulePath = "${config.systemd.package}/lib/security/pam_systemd.so"; }
-          { name = "xauth"; enable = cfg.forwardXAuth; control = "optional"; modulePath = "pam_xauth.so"; settings = {
+          { name = "xauth"; enable = cfg.forwardXAuth; control = "optional"; modulePath = "${package}/lib/security/pam_xauth.so"; settings = {
            xauthpath = "${pkgs.xorg.xauth}/bin/xauth";
            systemuser = 99;
          }; }
-          { name = "limits"; enable = cfg.limits != []; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_limits.so"; settings = {
+          { name = "limits"; enable = cfg.limits != []; control = "required"; modulePath = "${package}/lib/security/pam_limits.so"; settings = {
            conf = "${makeLimitsConf cfg.limits}";
          }; }
-          { name = "motd"; enable = cfg.showMotd && (config.users.motd != null || config.users.motdFile != null); control = "optional"; modulePath = "${pkgs.pam}/lib/security/pam_motd.so"; settings = {
+          { name = "motd"; enable = cfg.showMotd && (config.users.motd != null || config.users.motdFile != null); control = "optional"; modulePath = "${package}/lib/security/pam_motd.so"; settings = {
            inherit motd;
          }; }
          { name = "apparmor"; enable = cfg.enableAppArmor && config.security.apparmor.enable; control = "optional"; modulePath = "${pkgs.apparmor-pam}/lib/security/pam_apparmor.so"; settings = {
@ -967,6 +968,8 @@ in
  options = {
    security.pam.package = mkPackageOption pkgs "pam" { };
    security.pam.loginLimits = mkOption {
      default = [];
      type = limitsType;
@ -1515,7 +1518,7 @@ in
    environment.systemPackages =
      # Include the PAM modules in the system path mostly for the manpages.
-      [ pkgs.pam ]
+      [ package ]
      ++ optional config.users.ldap.enable pam_ldap
      ++ optional config.services.kanidm.enablePam config.services.kanidm.package
      ++ optional config.services.sssd.enable pkgs.sssd
@ -1533,7 +1536,7 @@ in
        setuid = true;
        owner = "root";
        group = "root";
-        source = "${pkgs.pam}/bin/unix_chkpwd";
+        source = "${package}/bin/unix_chkpwd";
      };
    };
@ -1574,11 +1577,6 @@ in
      lib.concatMapStrings
        (name: "r ${config.environment.etc."pam.d/${name}".source},\n")
        (attrNames config.security.pam.services) +
      ''
      mr ${getLib pkgs.pam}/lib/security/pam_filter/*,
      mr ${getLib pkgs.pam}/lib/security/pam_*.so,
      r ${getLib pkgs.pam}/lib/security/,
      '' +
      (with lib; pipe config.security.pam.services [
        attrValues
        (catAttrs "rules")
@ -1586,6 +1584,12 @@ in
        (concatMap attrValues)
        (filter (rule: rule.enable))
        (catAttrs "modulePath")
        # TODO(@uninsane): replace this warning + filter with just an assertion
        (map (modulePath: lib.warnIfNot
          (hasPrefix "/" modulePath)
          ''non-absolute PAM modulePath "${modulePath}" is unsupported by apparmor and will be treated as an error by future versions of nixpkgs; see <https://github.com/NixOS/nixpkgs/pull/314791>''
          modulePath
        ))
        (filter (hasPrefix "/"))
        unique
        (map (module: "mr ${module},"))
--- a/nixos/modules/services/audio/jmusicbot.nix
+++ b/nixos/modules/services/audio/jmusicbot.nix
@ -40,5 +40,5 @@ in
    };
  };
-  meta.maintainers = with maintainers; [ ];
+  meta.maintainers = [ ];
 }
--- a/nixos/modules/services/backup/restic.nix
+++ b/nixos/modules/services/backup/restic.nix
@ -83,6 +83,15 @@ in
          '';
        };
        inhibitsSleep = mkOption {
          default = false;
          type = types.bool;
          example = true;
          description = ''
            Prevents the system from sleeping while backing up.
          '';
        };
        repository = mkOption {
          type = with types; nullOr str;
          default = null;
@ -299,7 +308,14 @@ in
        (name: backup:
          let
            extraOptions = concatMapStrings (arg: " -o ${arg}") backup.extraOptions;
-            resticCmd = "${backup.package}/bin/restic${extraOptions}";
+            inhibitCmd = concatStringsSep " " [
              "${pkgs.systemd}/bin/systemd-inhibit"
              "--mode='block'"
              "--who='restic'"
              "--what='sleep'"
              "--why=${escapeShellArg "Scheduled backup ${name}"} "
            ];
            resticCmd = "${optionalString backup.inhibitsSleep inhibitCmd}${backup.package}/bin/restic${extraOptions}";
            excludeFlags = optional (backup.exclude != []) "--exclude-file=${pkgs.writeText "exclude-patterns" (concatStringsSep "\n" backup.exclude)}";
            filesFromTmpFile = "/run/restic-backups-${name}/includes";
            doBackup = (backup.dynamicFilesFrom != null) || (backup.paths != null && backup.paths != []);
--- a/nixos/modules/services/hardware/openrgb.nix
+++ b/nixos/modules/services/hardware/openrgb.nix
@ -51,5 +51,5 @@ in {
    };
  };
-  meta.maintainers = with lib.maintainers; [ ];
+  meta.maintainers = [ ];
 }
--- a/nixos/modules/services/misc/fstrim.nix
+++ b/nixos/modules/services/misc/fstrim.nix
@ -41,5 +41,5 @@ in {
  };
-  meta.maintainers = with maintainers; [ ];
+  meta.maintainers = [ ];
 }
--- a/nixos/modules/services/misc/gitweb.nix
+++ b/nixos/modules/services/misc/gitweb.nix
@ -55,6 +55,6 @@ in
  };
-  meta.maintainers = with maintainers; [ ];
+  meta.maintainers = [ ];
 }
--- a/nixos/modules/services/misc/mame.nix
+++ b/nixos/modules/services/misc/mame.nix
@ -65,5 +65,5 @@ in
    };
  };
-  meta.maintainers = with lib.maintainers; [ ];
+  meta.maintainers = [ ];
 }
--- a/nixos/modules/services/misc/ollama.nix
+++ b/nixos/modules/services/misc/ollama.nix
@ -215,6 +215,7 @@ in
            # https://docs.nvidia.com/dgx/pdf/dgx-os-5-user-guide.pdf
            "char-nvidiactl"
            "char-nvidia-caps"
            "char-nvidia-frontend"
            "char-nvidia-uvm"
            # ROCm
            "char-drm"
--- a/nixos/modules/services/misc/private-gpt.nix
+++ b/nixos/modules/services/misc/private-gpt.nix
@ -117,5 +117,5 @@ in
    };
  };
-  meta.maintainers = with lib.maintainers; [ ];
+  meta.maintainers = [ ];
 }
--- a/nixos/modules/services/misc/rkvm.nix
+++ b/nixos/modules/services/misc/rkvm.nix
@ -7,7 +7,7 @@ let
  toml = pkgs.formats.toml { };
 in
 {
-  meta.maintainers = with maintainers; [ ];
+  meta.maintainers = [ ];
  options.services.rkvm = {
    enable = mkOption {
--- a/nixos/modules/services/misc/zoneminder.nix
+++ b/nixos/modules/services/misc/zoneminder.nix
@ -372,5 +372,5 @@ in {
    };
  };
-  meta.maintainers = with lib.maintainers; [ ];
+  meta.maintainers = [ ];
 }
--- a/nixos/modules/services/networking/bee.nix
+++ b/nixos/modules/services/networking/bee.nix
@ -8,7 +8,7 @@ let
 in {
  meta = {
    # doc = ./bee.xml;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
  };
  ### interface
--- a/nixos/modules/services/networking/eternal-terminal.nix
+++ b/nixos/modules/services/networking/eternal-terminal.nix
@ -90,6 +90,6 @@ in
  };
  meta = {
-    maintainers = with lib.maintainers; [ ];
+    maintainers = [ ];
  };
 }
--- a/nixos/modules/services/networking/firefox-syncserver.nix
+++ b/nixos/modules/services/networking/firefox-syncserver.nix
@ -316,7 +316,7 @@ in
  };
  meta = {
-    maintainers = with lib.maintainers; [ ];
+    maintainers = [ ];
    doc = ./firefox-syncserver.md;
  };
 }
--- a/nixos/modules/services/networking/hans.nix
+++ b/nixos/modules/services/networking/hans.nix
@ -141,5 +141,5 @@ in
    };
  };
-  meta.maintainers = with maintainers; [ ];
+  meta.maintainers = [ ];
 }
--- a/nixos/modules/services/networking/i2pd.nix
+++ b/nixos/modules/services/networking/i2pd.nix
@ -183,37 +183,45 @@ let
  in
    pkgs.writeText "i2pd.conf" (concatStringsSep "\n" opts);
-  tunnelConf = let opts = [
+  tunnelConf = let
-    notice
+    mkOutTunnel = tun:
-    (flip map
+      let
-      (collect (tun: tun ? port && tun ? destination) cfg.outTunnels)
+        outTunOpts = [
-      (tun: let outTunOpts = [
+          (sec tun.name)
-        (sec tun.name)
+          "type = client"
-        "type = client"
+          (intOpt "port" tun.port)
-        (intOpt "port" tun.port)
+          (strOpt "destination" tun.destination)
        (strOpt "destination" tun.destination)
        ] ++ (optionals (tun ? destinationPort) (optionalNullInt "destinationport" tun.destinationPort))
-        ++ (optionals (tun ? keys) (optionalNullString "keys" tun.keys))
+          ++ (optionals (tun ? keys) (optionalNullString "keys" tun.keys))
-        ++ (optionals (tun ? address) (optionalNullString "address" tun.address))
+          ++ (optionals (tun ? address) (optionalNullString "address" tun.address))
-        ++ (optionals (tun ? inbound.length) (optionalNullInt "inbound.length" tun.inbound.length))
+          ++ (optionals (tun ? inbound.length) (optionalNullInt "inbound.length" tun.inbound.length))
-        ++ (optionals (tun ? inbound.quantity) (optionalNullInt "inbound.quantity" tun.inbound.quantity))
+          ++ (optionals (tun ? inbound.quantity) (optionalNullInt "inbound.quantity" tun.inbound.quantity))
-        ++ (optionals (tun ? outbound.length) (optionalNullInt "outbound.length" tun.outbound.length))
+          ++ (optionals (tun ? outbound.length) (optionalNullInt "outbound.length" tun.outbound.length))
-        ++ (optionals (tun ? outbound.quantity) (optionalNullInt "outbound.quantity" tun.outbound.quantity))
+          ++ (optionals (tun ? outbound.quantity) (optionalNullInt "outbound.quantity" tun.outbound.quantity))
-        ++ (optionals (tun ? crypto.tagsToSend) (optionalNullInt "crypto.tagstosend" tun.crypto.tagsToSend));
+          ++ (optionals (tun ? crypto.tagsToSend) (optionalNullInt "crypto.tagstosend" tun.crypto.tagsToSend));
-        in concatStringsSep "\n" outTunOpts))
+      in
-    (flip map
+        concatStringsSep "\n" outTunOpts;
-      (collect (tun: tun ? port && tun ? address) cfg.inTunnels)
+
-      (tun: let inTunOpts = [
+    mkInTunnel = tun:
-        (sec tun.name)
+      let
-        "type = server"
+        inTunOpts = [
-        (intOpt "port" tun.port)
+          (sec tun.name)
-        (strOpt "host" tun.address)
+          "type = server"
-      ] ++ (optionals (tun ? destination) (optionalNullString "destination" tun.destination))
+          (intOpt "port" tun.port)
-        ++ (optionals (tun ? keys) (optionalNullString "keys" tun.keys))
+          (strOpt "host" tun.address)
-        ++ (optionals (tun ? inPort) (optionalNullInt "inport" tun.inPort))
+        ] ++ (optionals (tun ? destination) (optionalNullString "destination" tun.destination))
-        ++ (optionals (tun ? accessList) (optionalEmptyList "accesslist" tun.accessList));
+          ++ (optionals (tun ? keys) (optionalNullString "keys" tun.keys))
-        in concatStringsSep "\n" inTunOpts))];
+          ++ (optionals (tun ? inPort) (optionalNullInt "inport" tun.inPort))
-    in pkgs.writeText "i2pd-tunnels.conf" opts;
+          ++ (optionals (tun ? accessList) (optionalEmptyList "accesslist" tun.accessList));
      in
        concatStringsSep "\n" inTunOpts;
    allOutTunnels = collect (tun: tun ? port && tun ? destination) cfg.outTunnels;
    allInTunnels = collect (tun: tun ? port && tun ? address) cfg.inTunnels;
    opts = [ notice ] ++ (map mkOutTunnel allOutTunnels) ++ (map mkInTunnel allInTunnels);
  in
    pkgs.writeText "i2pd-tunnels.conf" (concatStringsSep "\n" opts);
  i2pdFlags = concatStringsSep " " (
    optional (cfg.address != null) ("--host=" + cfg.address) ++ [
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@ -721,7 +721,7 @@ in
  };
  meta = {
-    maintainers = with lib.maintainers; [ ];
+    maintainers = [ ];
    doc = ./mosquitto.md;
  };
 }
--- a/nixos/modules/services/networking/pppd.nix
+++ b/nixos/modules/services/networking/pppd.nix
@ -7,7 +7,7 @@ let
 in
 {
  meta = {
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
  };
  options = {
--- a/nixos/modules/services/networking/resilio.nix
+++ b/nixos/modules/services/networking/resilio.nix
@ -291,5 +291,5 @@ in
    };
  };
-  meta.maintainers = with maintainers; [ ];
+  meta.maintainers = [ ];
 }
--- a/nixos/modules/services/security/hologram-agent.nix
+++ b/nixos/modules/services/security/hologram-agent.nix
@ -54,5 +54,5 @@ in {
  };
-  meta.maintainers = with lib.maintainers; [ ];
+  meta.maintainers = [ ];
 }
--- a/nixos/modules/services/security/shibboleth-sp.nix
+++ b/nixos/modules/services/security/shibboleth-sp.nix
@ -70,5 +70,5 @@ in {
    };
  };
-  meta.maintainers = with lib.maintainers; [ ];
+  meta.maintainers = [ ];
 }
--- a/nixos/modules/services/security/step-ca.nix
+++ b/nixos/modules/services/security/step-ca.nix
@ -4,7 +4,7 @@ let
  settingsFormat = (pkgs.formats.json { });
 in
 {
-  meta.maintainers = with lib.maintainers; [ ];
+  meta.maintainers = [ ];
  options = {
    services.step-ca = {
--- a/nixos/modules/services/web-servers/nginx/gitweb.nix
+++ b/nixos/modules/services/web-servers/nginx/gitweb.nix
@ -89,6 +89,6 @@ in
  };
-  meta.maintainers = with maintainers; [ ];
+  meta.maintainers = [ ];
 }
--- a/nixos/modules/system/boot/plymouth.nix
+++ b/nixos/modules/system/boot/plymouth.nix
@ -219,7 +219,7 @@ in
        # Fonts
        "/etc/plymouth/fonts".source = pkgs.runCommand "plymouth-initrd-fonts" {} ''
          mkdir -p $out
-          cp ${cfg.font} $out
+          cp ${escapeShellArg cfg.font} $out
        '';
        "/etc/fonts/fonts.conf".text = ''
          <?xml version="1.0"?>
--- a/nixos/modules/virtualisation/ec2-data.nix
+++ b/nixos/modules/virtualisation/ec2-data.nix
@ -79,7 +79,7 @@ with lib;
            # ec2-get-console-output.
            echo "-----BEGIN SSH HOST KEY FINGERPRINTS-----" > /dev/console
            for i in /etc/ssh/ssh_host_*_key.pub; do
-                ${config.programs.ssh.package}/bin/ssh-keygen -l -f $i > /dev/console
+                ${config.programs.ssh.package}/bin/ssh-keygen -l -f $i || true > /dev/console
            done
            echo "-----END SSH HOST KEY FINGERPRINTS-----" > /dev/console
          '';
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -264,6 +264,7 @@ in {
  docker-rootless = handleTestOn ["aarch64-linux" "x86_64-linux"] ./docker-rootless.nix {};
  docker-registry = handleTest ./docker-registry.nix {};
  docker-tools = handleTestOn ["x86_64-linux"] ./docker-tools.nix {};
  docker-tools-nix-shell = runTest ./docker-tools-nix-shell.nix;
  docker-tools-cross = handleTestOn ["x86_64-linux" "aarch64-linux"] ./docker-tools-cross.nix {};
  docker-tools-overlay = handleTestOn ["x86_64-linux"] ./docker-tools-overlay.nix {};
  documize = handleTest ./documize.nix {};
@ -578,6 +579,7 @@ in {
  minidlna = handleTest ./minidlna.nix {};
  miniflux = handleTest ./miniflux.nix {};
  minio = handleTest ./minio.nix {};
  miracle-wm = runTest ./miracle-wm.nix;
  miriway = handleTest ./miriway.nix {};
  misc = handleTest ./misc.nix {};
  mjolnir = handleTest ./matrix/mjolnir.nix {};
--- a/nixos/tests/armagetronad.nix
+++ b/nixos/tests/armagetronad.nix
@ -13,7 +13,7 @@ let
    { imports = [ ./common/user-account.nix ./common/x11.nix ];
      hardware.graphics.enable = true;
-      virtualisation.memorySize = 256;
+      virtualisation.memorySize = 384;
      environment = {
        systemPackages = [ pkgs.armagetronad ];
        variables.XAUTHORITY = "/home/${user}/.Xauthority";
@ -208,7 +208,7 @@ makeTest {
        barrier.wait()
      # Get to the Server Bookmarks screen on both clients. This takes a while so do it asynchronously.
-      barrier = threading.Barrier(3, timeout=120)
+      barrier = threading.Barrier(len(clients) + 1, timeout=240)
      for client in clients:
        threading.Thread(target=client_setup, args=(client, servers, barrier)).start()
      barrier.wait()
--- a/nixos/tests/crabfit.nix
+++ b/nixos/tests/crabfit.nix
@ -4,7 +4,7 @@ import ./make-test-python.nix (
  {
    name = "crabfit";
-    meta.maintainers = with lib.maintainers; [ ];
+    meta.maintainers = [ ];
    nodes = {
      machine =
--- a/nixos/tests/docker-tools-nix-shell.nix
+++ b/nixos/tests/docker-tools-nix-shell.nix
@ -0,0 +1,95 @@
 # nix-build -A nixosTests.docker-tools-nix-shell
 { config, lib, ... }:
 let
  inherit (config.node.pkgs.dockerTools) examples;
 in
 {
  name = "docker-tools-nix-shell";
  meta = with lib.maintainers; {
    maintainers = [
      infinisil
      roberth
    ];
  };
  nodes = {
    docker =
      { ... }:
      {
        virtualisation = {
          diskSize = 3072;
          docker.enable = true;
        };
      };
  };
  testScript = ''
    docker.wait_for_unit("sockets.target")
    with subtest("buildImageWithNixDB: Has a nix database"):
        docker.succeed(
            "docker load --input='${examples.nix}'",
            "docker run --rm ${examples.nix.imageName} nix-store -q --references /bin/bash"
        )
    with subtest("buildNixShellImage: Can build a basic derivation"):
        docker.succeed(
            "${examples.nix-shell-basic} | docker load",
            "docker run --rm nix-shell-basic bash -c 'buildDerivation && $out/bin/hello' | grep '^Hello, world!$'"
        )
    with subtest("buildNixShellImage: Runs the shell hook"):
        docker.succeed(
            "${examples.nix-shell-hook} | docker load",
            "docker run --rm -it nix-shell-hook | grep 'This is the shell hook!'"
        )
    with subtest("buildNixShellImage: Sources stdenv, making build inputs available"):
        docker.succeed(
            "${examples.nix-shell-inputs} | docker load",
            "docker run --rm -it nix-shell-inputs | grep 'Hello, world!'"
        )
    with subtest("buildNixShellImage: passAsFile works"):
        docker.succeed(
            "${examples.nix-shell-pass-as-file} | docker load",
            "docker run --rm -it nix-shell-pass-as-file | grep 'this is a string'"
        )
    with subtest("buildNixShellImage: run argument works"):
        docker.succeed(
            "${examples.nix-shell-run} | docker load",
            "docker run --rm -it nix-shell-run | grep 'This shell is not interactive'"
        )
    with subtest("buildNixShellImage: command argument works"):
        docker.succeed(
            "${examples.nix-shell-command} | docker load",
            "docker run --rm -it nix-shell-command | grep 'This shell is interactive'"
        )
    with subtest("buildNixShellImage: home directory is writable by default"):
        docker.succeed(
            "${examples.nix-shell-writable-home} | docker load",
            "docker run --rm -it nix-shell-writable-home"
        )
    with subtest("buildNixShellImage: home directory can be made non-existent"):
        docker.succeed(
            "${examples.nix-shell-nonexistent-home} | docker load",
            "docker run --rm -it nix-shell-nonexistent-home"
        )
    with subtest("buildNixShellImage: can build derivations"):
        docker.succeed(
            "${examples.nix-shell-build-derivation} | docker load",
            "docker run --rm -it nix-shell-build-derivation"
        )
    with subtest("streamLayeredImage: with nix db"):
        docker.succeed(
            "${examples.nix-layered} | docker load",
            "docker run --rm ${examples.nix-layered.imageName} nix-store -q --references /bin/bash"
        )
  '';
 }
--- a/nixos/tests/docker-tools.nix
+++ b/nixos/tests/docker-tools.nix
@ -60,7 +60,7 @@ let
    };
  nonRootTestImage =
-    pkgs.dockerTools.streamLayeredImage rec {
+    pkgs.dockerTools.streamLayeredImage {
      name = "non-root-test";
      tag = "latest";
      uid = 1000;
@ -567,66 +567,6 @@ in {
        docker.succeed("docker run --rm image-with-certs:latest test -r /etc/pki/tls/certs/ca-bundle.crt")
        docker.succeed("docker image rm image-with-certs:latest")
    with subtest("buildImageWithNixDB: Has a nix database"):
        docker.succeed(
            "docker load --input='${examples.nix}'",
            "docker run --rm ${examples.nix.imageName} nix-store -q --references /bin/bash"
        )
    with subtest("buildNixShellImage: Can build a basic derivation"):
        docker.succeed(
            "${examples.nix-shell-basic} | docker load",
            "docker run --rm nix-shell-basic bash -c 'buildDerivation && $out/bin/hello' | grep '^Hello, world!$'"
        )
    with subtest("buildNixShellImage: Runs the shell hook"):
        docker.succeed(
            "${examples.nix-shell-hook} | docker load",
            "docker run --rm -it nix-shell-hook | grep 'This is the shell hook!'"
        )
    with subtest("buildNixShellImage: Sources stdenv, making build inputs available"):
        docker.succeed(
            "${examples.nix-shell-inputs} | docker load",
            "docker run --rm -it nix-shell-inputs | grep 'Hello, world!'"
        )
    with subtest("buildNixShellImage: passAsFile works"):
        docker.succeed(
            "${examples.nix-shell-pass-as-file} | docker load",
            "docker run --rm -it nix-shell-pass-as-file | grep 'this is a string'"
        )
    with subtest("buildNixShellImage: run argument works"):
        docker.succeed(
            "${examples.nix-shell-run} | docker load",
            "docker run --rm -it nix-shell-run | grep 'This shell is not interactive'"
        )
    with subtest("buildNixShellImage: command argument works"):
        docker.succeed(
            "${examples.nix-shell-command} | docker load",
            "docker run --rm -it nix-shell-command | grep 'This shell is interactive'"
        )
    with subtest("buildNixShellImage: home directory is writable by default"):
        docker.succeed(
            "${examples.nix-shell-writable-home} | docker load",
            "docker run --rm -it nix-shell-writable-home"
        )
    with subtest("buildNixShellImage: home directory can be made non-existent"):
        docker.succeed(
            "${examples.nix-shell-nonexistent-home} | docker load",
            "docker run --rm -it nix-shell-nonexistent-home"
        )
    with subtest("buildNixShellImage: can build derivations"):
        docker.succeed(
            "${examples.nix-shell-build-derivation} | docker load",
            "docker run --rm -it nix-shell-build-derivation"
        )
    with subtest("streamLayeredImage: chown is persistent in fakeRootCommands"):
        docker.succeed(
            "${chownTestImage} | docker load",
@ -638,11 +578,5 @@ in {
            "${nonRootTestImage} | docker load",
            "docker run --rm ${chownTestImage.imageName} | diff /dev/stdin <(echo 12345:12345)"
        )
    with subtest("streamLayeredImage: with nix db"):
        docker.succeed(
            "${examples.nix-layered} | docker load",
            "docker run --rm ${examples.nix-layered.imageName} nix-store -q --references /bin/bash"
        )
  '';
 })
--- a/nixos/tests/graylog.nix
+++ b/nixos/tests/graylog.nix
@ -1,6 +1,6 @@
 import ./make-test-python.nix ({ pkgs, lib, ... }: {
  name = "graylog";
-  meta.maintainers = with lib.maintainers; [ ];
+  meta.maintainers = [ ];
  nodes.machine = { pkgs, ... }: {
    virtualisation.memorySize = 4096;
--- a/nixos/tests/miracle-wm.nix
+++ b/nixos/tests/miracle-wm.nix
@ -0,0 +1,131 @@
 { pkgs, lib, ... }:
 {
  name = "miracle-wm";
  meta = {
    maintainers = with lib.maintainers; [ OPNA2608 ];
  };
  nodes.machine =
    { config, ... }:
    {
      imports = [
        ./common/auto.nix
        ./common/user-account.nix
      ];
      # Seems to very rarely get interrupted by oom-killer
      virtualisation.memorySize = 2047;
      test-support.displayManager.auto = {
        enable = true;
        user = "alice";
      };
      services.xserver.enable = true;
      services.displayManager.defaultSession = lib.mkForce "miracle-wm";
      programs.wayland.miracle-wm.enable = true;
      # To ensure a specific config for the tests
      systemd.tmpfiles.rules =
        let
          testConfig = (pkgs.formats.yaml { }).generate "miracle-wm.yaml" {
            terminal = "env WINIT_UNIX_BACKEND=x11 WAYLAND_DISPLAY= alacritty";
            startup_apps = [
              {
                command = "foot";
                restart_on_death = false;
              }
            ];
          };
        in
        [
          "d ${config.users.users.alice.home}/.config 0700 alice users - -"
          "L ${config.users.users.alice.home}/.config/miracle-wm.yaml - - - - ${testConfig}"
        ];
      environment = {
        shellAliases = {
          test-wayland = "wayland-info | tee /tmp/test-wayland.out && touch /tmp/test-wayland-exit-ok";
          test-x11 = "glinfo | tee /tmp/test-x11.out && touch /tmp/test-x11-exit-ok";
        };
        systemPackages = with pkgs; [
          mesa-demos
          wayland-utils
          foot
          alacritty
        ];
        # To help with OCR
        etc."xdg/foot/foot.ini".text = lib.generators.toINI { } {
          main = {
            font = "inconsolata:size=16";
          };
          colors = rec {
            foreground = "000000";
            background = "ffffff";
            regular2 = foreground;
          };
        };
        etc."xdg/alacritty/alacritty.yml".text = lib.generators.toYAML { } {
          font = rec {
            normal.family = "Inconsolata";
            bold.family = normal.family;
            italic.family = normal.family;
            bold_italic.family = normal.family;
            size = 16;
          };
          colors = rec {
            primary = {
              foreground = "0x000000";
              background = "0xffffff";
            };
            normal = {
              green = primary.foreground;
            };
          };
        };
      };
      fonts.packages = [ pkgs.inconsolata ];
    };
  enableOCR = true;
  testScript =
    { ... }:
    ''
      start_all()
      machine.wait_for_unit("multi-user.target")
      # Wait for Miriway to complete startup
      machine.wait_for_file("/run/user/1000/wayland-0")
      machine.succeed("pgrep miracle-wm")
      machine.screenshot("miracle-wm_launched")
      # Test Wayland
      with subtest("wayland client works"):
          # We let miracle-wm start the first terminal, as we might get stuck if it's not ready to process the first keybind
          # machine.send_key("ctrl-alt-t")
          machine.wait_for_text("alice@machine")
          machine.send_chars("test-wayland\n")
          machine.wait_for_file("/tmp/test-wayland-exit-ok")
          machine.copy_from_vm("/tmp/test-wayland.out")
          machine.screenshot("foot_wayland_info")
          machine.send_chars("exit\n")
          machine.wait_until_fails("pgrep foot")
      # Test XWayland
      with subtest("x11 client works"):
          machine.send_key("meta_l-ret")
          machine.wait_for_text("alice@machine")
          machine.send_chars("test-x11\n")
          machine.wait_for_file("/tmp/test-x11-exit-ok")
          machine.copy_from_vm("/tmp/test-x11.out")
          machine.screenshot("alacritty_glinfo")
          machine.send_chars("exit\n")
          machine.wait_until_fails("pgrep alacritty")
    '';
 }
--- a/nixos/tests/networking-proxy.nix
+++ b/nixos/tests/networking-proxy.nix
@ -12,7 +12,7 @@ let default-config = {
 in import ./make-test-python.nix ({ pkgs, ...} : {
  name = "networking-proxy";
  meta = with pkgs.lib.maintainers; {
-    maintainers = [  ];
+    maintainers = [ ];
  };
  nodes = {
--- a/nixos/tests/networking/networkmanager.nix
+++ b/nixos/tests/networking/networkmanager.nix
@ -166,7 +166,7 @@ let
 in lib.mapAttrs (lib.const (attrs: makeTest (attrs // {
  name = "${attrs.name}-Networking-NetworkManager";
  meta = {
-    maintainers = with lib.maintainers; [ ];
+    maintainers = [ ];
  };
 }))) testCases
--- a/nixos/tests/restic.nix
+++ b/nixos/tests/restic.nix
@ -4,6 +4,7 @@ import ./make-test-python.nix (
  let
    remoteRepository = "/root/restic-backup";
    remoteFromFileRepository = "/root/restic-backup-from-file";
    remoteInhibitTestRepository = "/root/restic-backup-inhibit-test";
    remoteNoInitRepository = "/root/restic-backup-no-init";
    rcloneRepository = "rclone:local:/root/restic-rclone-backup";
@ -66,6 +67,12 @@ import ./make-test-python.nix (
                find /opt -mindepth 1 -maxdepth 1 ! -name a_dir # all files in /opt except for a_dir
              '';
            };
            inhibit-test = {
              inherit passwordFile paths exclude pruneOpts;
              repository = remoteInhibitTestRepository;
              initialize = true;
              inhibitsSleep = true;
            };
            remote-noinit-backup = {
              inherit passwordFile exclude pruneOpts paths;
              initialize = false;
@ -190,6 +197,13 @@ import ./make-test-python.nix (
          'restic-remotebackup snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"',
      )
      # test that the inhibit option is working
      server.systemctl("start --no-block restic-backups-inhibit-test.service")
      server.wait_until_succeeds(
          "systemd-inhibit --no-legend --no-pager | grep -q restic",
          5
      )
    '';
  }
 )
--- a/nixos/tests/sogo.nix
+++ b/nixos/tests/sogo.nix
@ -1,7 +1,7 @@
 import ./make-test-python.nix ({ pkgs, ... }: {
  name = "sogo";
  meta = with pkgs.lib.maintainers; {
-    maintainers = [];
+    maintainers = [ ];
  };
  nodes = {
--- a/nixos/tests/soju.nix
+++ b/nixos/tests/soju.nix
@ -8,7 +8,7 @@ let
 in
 {
  name = "soju";
-  meta.maintainers = with lib.maintainers; [ ];
+  meta.maintainers = [ ];
  nodes.machine = { ... }: {
    services.soju = {
--- a/nixos/tests/vector/syslog-quickwit.nix
+++ b/nixos/tests/vector/syslog-quickwit.nix
@ -61,6 +61,7 @@ import ../make-test-python.nix ({ lib, pkgs, ... }:
                }
                .scope_name = structured.msgid
                del(.message)
                del(.host)
                del(.timestamp)
                del(.service)
                del(.source_type)
--- a/nixos/tests/vscode-remote-ssh.nix
+++ b/nixos/tests/vscode-remote-ssh.nix
@ -14,7 +14,7 @@ import ./make-test-python.nix ({ lib, ... }@args: let
  inherit (pkgs.vscode.passthru) rev vscodeServer;
 in {
  name = "vscode-remote-ssh";
-  meta.maintainers = with lib.maintainers; [ ];
+  meta.maintainers = [ ];
  nodes = let
    serverAddress = "192.168.0.2";
--- a/pkgs/applications/audio/ashuffle/default.nix
+++ b/pkgs/applications/audio/ashuffle/default.nix
@ -12,13 +12,13 @@
 stdenv.mkDerivation rec {
  pname = "ashuffle";
-  version = "3.14.7";
+  version = "3.14.8";
  src = fetchFromGitHub {
    owner = "joshkunz";
    repo = "ashuffle";
    rev = "v${version}";
-    hash = "sha256-id55Ss/7PLBPn55RikAlqr3VkNzgm8NiL/ruFGAmH30=";
+    hash = "sha256-XnibLlwUspI2aveWfMg/TOe59vK6Z2WEnF7gafUmx6E=";
    fetchSubmodules = true;
  };
--- a/pkgs/applications/audio/aumix/default.nix
+++ b/pkgs/applications/audio/aumix/default.nix
@ -43,7 +43,7 @@ stdenv.mkDerivation rec {
    '';
    homepage = "http://www.jpj.net/~trevor/aumix.html";
    license = licenses.gpl2Plus;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
    platforms = platforms.linux;
  };
 }
--- a/pkgs/applications/audio/gmpc/default.nix
+++ b/pkgs/applications/audio/gmpc/default.nix
@ -60,7 +60,7 @@ stdenv.mkDerivation rec {
    homepage = "https://gmpclient.org";
    description = "GTK2 frontend for Music Player Daemon";
    license = licenses.gpl2;
-    maintainers = [];
+    maintainers = [ ];
    platforms = platforms.linux;
  };
 }
--- a/pkgs/applications/audio/in-formant/default.nix
+++ b/pkgs/applications/audio/in-formant/default.nix
@ -66,6 +66,6 @@ stdenv.mkDerivation rec {
    license = licenses.asl20;
    # currently broken on i686-linux and aarch64-linux due to other nixpkgs dependencies
    platforms = [ "x86_64-linux" ];
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
  };
 }
--- a/pkgs/applications/audio/jmusicbot/default.nix
+++ b/pkgs/applications/audio/jmusicbot/default.nix
@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
    homepage = "https://github.com/jagrosh/MusicBot";
    sourceProvenance = with sourceTypes; [ binaryBytecode ];
    license = licenses.asl20;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
    inherit (jre_headless.meta) platforms;
    mainProgram = "JMusicBot";
  };
--- a/pkgs/applications/audio/mikmod/default.nix
+++ b/pkgs/applications/audio/mikmod/default.nix
@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
    description = "Tracker music player for the terminal";
    homepage = "http://mikmod.shlomifish.org/";
    license = lib.licenses.gpl2Plus;
-    maintainers = with lib.maintainers; [ ];
+    maintainers = [ ];
    platforms = with lib.platforms; linux;
    mainProgram = "mikmod";
  };
--- a/pkgs/applications/audio/mopidy/moped.nix
+++ b/pkgs/applications/audio/mopidy/moped.nix
@ -20,7 +20,7 @@ pythonPackages.buildPythonApplication rec {
    homepage = "https://github.com/martijnboland/moped";
    description = "Web client for Mopidy";
    license = licenses.mit;
-    maintainers = [];
+    maintainers = [ ];
    hydraPlatforms = [];
  };
 }
--- a/pkgs/applications/audio/mopidy/muse.nix
+++ b/pkgs/applications/audio/mopidy/muse.nix
@ -24,6 +24,6 @@ pythonPackages.buildPythonApplication rec {
    description = "Mopidy web client with Snapcast support";
    homepage = "https://github.com/cristianpb/muse";
    license = licenses.asl20;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
  };
 }
--- a/pkgs/applications/audio/mopidy/musicbox-webclient.nix
+++ b/pkgs/applications/audio/mopidy/musicbox-webclient.nix
@ -26,6 +26,6 @@ pythonPackages.buildPythonApplication rec {
    homepage = "https://github.com/pimusicbox/mopidy-musicbox-webclient";
    changelog = "https://github.com/pimusicbox/mopidy-musicbox-webclient/blob/v${version}/CHANGELOG.rst";
    license = licenses.asl20;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
  };
 }
--- a/pkgs/applications/audio/mopidy/notify.nix
+++ b/pkgs/applications/audio/mopidy/notify.nix
@ -24,6 +24,6 @@ pythonPackages.buildPythonApplication rec {
    homepage = "https://github.com/phijor/mopidy-notify";
    description = "Mopidy extension for showing desktop notifications on track change";
    license = licenses.asl20;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
  };
 }
--- a/pkgs/applications/audio/mopidy/tunein.nix
+++ b/pkgs/applications/audio/mopidy/tunein.nix
@ -20,6 +20,6 @@ python3Packages.buildPythonApplication rec {
    description = "Mopidy extension for playing music from tunein";
    homepage = "https://github.com/kingosticks/mopidy-tunein";
    license = licenses.asl20;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
  };
 }
--- a/pkgs/applications/audio/mopidy/youtube.nix
+++ b/pkgs/applications/audio/mopidy/youtube.nix
@ -67,6 +67,6 @@ python3.pkgs.buildPythonApplication rec {
    description = "Mopidy extension for playing music from YouTube";
    homepage = "https://github.com/natumbri/mopidy-youtube";
    license = licenses.asl20;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
  };
 }
--- a/pkgs/applications/audio/open-stage-control/default.nix
+++ b/pkgs/applications/audio/open-stage-control/default.nix
@ -88,7 +88,7 @@ buildNpmPackage rec {
    description = "Libre and modular OSC / MIDI controller";
    homepage = "https://openstagecontrol.ammd.net/";
    license = licenses.gpl3Only;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
    platforms = platforms.linux;
    mainProgram = "open-stage-control";
  };
--- a/pkgs/applications/audio/openutau/default.nix
+++ b/pkgs/applications/audio/openutau/default.nix
@ -83,7 +83,7 @@ buildDotnetModule rec {
      # worldline resampler binary - no source is available (hence "unfree") but usage of the binary is MIT
      unfreeRedistributable
    ];
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
    platforms = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
    mainProgram = "OpenUtau";
  };
--- a/pkgs/applications/audio/opus-tools/default.nix
+++ b/pkgs/applications/audio/opus-tools/default.nix
@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
    description = "Tools to work with opus encoded audio streams";
    homepage = "https://www.opus-codec.org/";
    license = lib.licenses.bsd2;
-    maintainers = with lib.maintainers; [ ];
+    maintainers = [ ];
    platforms = with lib.platforms; unix;
  };
 }
--- a/pkgs/applications/audio/pavucontrol/default.nix
+++ b/pkgs/applications/audio/pavucontrol/default.nix
@ -1,56 +1,72 @@
-{ fetchurl
+{
-, lib
+  fetchFromGitLab,
-, stdenv
+  lib,
-, pkg-config
+  stdenv,
-, intltool
+  pkg-config,
-, libpulseaudio
+  intltool,
-, gtkmm3
+  libpulseaudio,
-, libsigcxx
+  gtkmm4,
-, libcanberra-gtk3
+  libsigcxx,
-, json-glib
+  # Since version 6.0, libcanberra is optional
-, adwaita-icon-theme
+  withLibcanberra ? true,
-, wrapGAppsHook3
+  libcanberra-gtk3,
  json-glib,
  adwaita-icon-theme,
  wrapGAppsHook4,
  meson,
  ninja,
  libpressureaudio,
 }:
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
  pname = "pavucontrol";
-  version = "5.0";
+  version = "6.0";
-  src = fetchurl {
+  src = fetchFromGitLab {
-    url = "https://freedesktop.org/software/pulseaudio/${pname}/${pname}-${version}.tar.xz";
+    domain = "gitlab.freedesktop.org";
-    sha256 = "sha256-zityw7XxpwrQ3xndgXUPlFW9IIcNHTo20gU2ry6PTno=";
+    owner = "pulseaudio";
    repo = "pavucontrol";
    rev = "refs/tags/v${finalAttrs.version}";
    hash = "sha256-nxzFvD/KUevIJOw9jgcr0Hfvg7KiSOmTBfKN3jLu3Cg=";
  };
  buildInputs = [
    libpulseaudio
-    gtkmm3
+    gtkmm4
    libsigcxx
-    libcanberra-gtk3
+    (lib.optionals withLibcanberra libcanberra-gtk3)
    json-glib
    adwaita-icon-theme
    libpressureaudio
  ];
-  nativeBuildInputs = [ pkg-config intltool wrapGAppsHook3 ];
+  nativeBuildInputs = [
    pkg-config
    intltool
    wrapGAppsHook4
    meson
    ninja
  ];
-  configureFlags = [ "--disable-lynx" ];
+  mesonFlags = [
    "--prefix=${placeholder "out"}"
    (lib.mesonBool "lynx" false)
  ];
  enableParallelBuilding = true;
-  meta = with lib; {
+  meta = {
    changelog = "https://freedesktop.org/software/pulseaudio/pavucontrol/#news";
    description = "PulseAudio Volume Control";
-
+    homepage = "http://freedesktop.org/software/pulseaudio/pavucontrol/";
    license = lib.licenses.gpl2Plus;
    longDescription = ''
      PulseAudio Volume Control (pavucontrol) provides a GTK
      graphical user interface to connect to a PulseAudio server and
      easily control the volume of all clients, sinks, etc.
    '';
    homepage = "http://freedesktop.org/software/pulseaudio/pavucontrol/";
    license = lib.licenses.gpl2Plus;
    maintainers = with maintainers; [ abbradar ];
    platforms = platforms.linux;
    mainProgram = "pavucontrol";
    maintainers = with lib.maintainers; [ abbradar ];
    platforms = lib.platforms.linux;
  };
-}
+})
--- a/pkgs/applications/audio/pmidi/default.nix
+++ b/pkgs/applications/audio/pmidi/default.nix
@ -16,7 +16,7 @@ stdenv.mkDerivation {
  meta = with lib; {
    homepage = "https://www.parabola.me.uk/alsa/pmidi.html";
    description = "Straightforward command line program to play midi files through the ALSA sequencer";
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
    license = licenses.gpl2;
    mainProgram = "pmidi";
  };
--- a/pkgs/applications/audio/projectm/default.nix
+++ b/pkgs/applications/audio/projectm/default.nix
@ -56,7 +56,7 @@ mkDerivation rec {
    description = "Cross-platform Milkdrop-compatible music visualizer";
    license = lib.licenses.lgpl21;
    platforms = lib.platforms.unix;
-    maintainers = with lib.maintainers; [ ];
+    maintainers = [ ];
    longDescription = ''
      The open-source project that reimplements the esteemed Winamp Milkdrop by Geiss in a more modern, cross-platform reusable library.
      Read an audio input and produces mesmerizing visuals, detecting tempo, and rendering advanced equations into a limitless array of user-contributed visualizations.
--- a/pkgs/applications/audio/pulseeffects-legacy/default.nix
+++ b/pkgs/applications/audio/pulseeffects-legacy/default.nix
@ -104,7 +104,7 @@ in stdenv.mkDerivation rec {
    mainProgram = "pulseeffects";
    homepage = "https://github.com/wwmm/pulseeffects";
    license = licenses.gpl3Plus;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
    platforms = platforms.linux;
  };
 }
--- a/pkgs/applications/audio/pwvucontrol/Cargo.lock
+++ b/pkgs/applications/audio/pwvucontrol/Cargo.lock
--- a/pkgs/applications/audio/pwvucontrol/default.nix
+++ b/pkgs/applications/audio/pwvucontrol/default.nix
@ -32,21 +32,21 @@ let
    };
  });
 in
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
  pname = "pwvucontrol";
-  version = "0.4.2";
+  version = "0.4.5";
  src = fetchFromGitHub {
    owner = "saivert";
    repo = "pwvucontrol";
-    rev = version;
+    rev = "refs/tags/${finalAttrs.version}";
-    hash = "sha256-cWNWdCMk9hF8Nzq2UFBEKSx1zS8JlplMG7B5gv7BaZA=";
+    hash = "sha256-s4sop1qmqPVOGX7erRfClUUcixNhi+wUY5MXSmv+zVk=";
  };
  cargoDeps = rustPlatform.importCargoLock {
    lockFile = ./Cargo.lock;
    outputHashes = {
-      "wireplumber-0.1.0" = "sha256-r3p4OpmMgiFgjn1Fj4LeMOhx6R2UWollIdJRy/0kiNM=";
+      "wireplumber-0.1.0" = "sha256-ocagwmjyhfx6n/9xKxF2vhylqy2HunKQRx3eMo6m/l4=";
    };
  };
@ -73,12 +73,16 @@ stdenv.mkDerivation rec {
    wireplumber_0_4
  ];
-  meta = with lib; {
+  meta = {
    description = "Pipewire Volume Control";
    homepage = "https://github.com/saivert/pwvucontrol";
-    license = licenses.gpl3Plus;
+    license = lib.licenses.gpl3Plus;
-    maintainers = with maintainers; [ figsoda Guanran928 ];
+    maintainers = with lib.maintainers; [
      figsoda
      Guanran928
      johnrtitor
    ];
    mainProgram = "pwvucontrol";
-    platforms = platforms.linux;
+    platforms = lib.platforms.linux;
  };
-}
+})
--- a/pkgs/applications/audio/radiotray-ng/default.nix
+++ b/pkgs/applications/audio/radiotray-ng/default.nix
@ -105,7 +105,7 @@ stdenv.mkDerivation rec {
    description = "Internet radio player for linux";
    homepage = "https://github.com/ebruck/radiotray-ng";
    license = licenses.gpl3;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
    platforms = platforms.linux;
  };
 }
--- a/pkgs/applications/audio/snd/default.nix
+++ b/pkgs/applications/audio/snd/default.nix
@ -28,7 +28,7 @@ stdenv.mkDerivation rec {
    homepage = "https://ccrma.stanford.edu/software/snd/";
    platforms = platforms.unix;
    license = licenses.free;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
    mainProgram = "snd";
  };
 }
--- a/pkgs/applications/audio/touchosc/default.nix
+++ b/pkgs/applications/audio/touchosc/default.nix
@ -101,7 +101,7 @@ stdenv.mkDerivation rec {
    description = "Next generation modular control surface";
    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
    license = licenses.unfree;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
    platforms = [ "aarch64-linux" "armv7l-linux" "x86_64-linux" ];
    mainProgram = "TouchOSC";
  };
--- a/pkgs/applications/backup/restic-integrity/default.nix
+++ b/pkgs/applications/backup/restic-integrity/default.nix
@ -5,23 +5,23 @@
 rustPlatform.buildRustPackage rec {
  pname = "restic-integrity";
-  version = "1.2.2";
+  version = "1.3.0";
  src = fetchFromGitea {
    domain = "git.nwex.de";
    owner = "networkException";
    repo = "restic-integrity";
    rev = version;
-    hash = "sha256-QiISJCxxJH8wQeH/klB48POn6W9juQmIMCLGzGSyl6w=";
+    hash = "sha256-mryHePqfEawW/vLgxfm+eh4oSbcALhxvRid4kF9klTs=";
  };
-  cargoHash = "sha256-GxehJjDd0AHbEc8kPWyLXAOPbrPCT59LddAL1ydnT5g=";
+  cargoHash = "sha256-0BvB1ijsppblEC2PNLfVt+sgM4wTdSLZ/RoDH4JrQy4=";
  meta = with lib; {
    description = "CLI tool to check the integrity of a restic repository without unlocking it";
    homepage = "https://git.nwex.de/networkException/restic-integrity";
    license = with licenses; [ bsd2 ];
-    maintainers = with maintainers; [ ];
+    maintainers = with maintainers; [ networkexception ];
    mainProgram = "restic-integrity";
  };
 }
--- a/pkgs/applications/blockchains/dcrctl/default.nix
+++ b/pkgs/applications/blockchains/dcrctl/default.nix
@ -19,7 +19,7 @@ buildGoModule rec {
    homepage = "https://decred.org";
    description = "Secure Decred wallet daemon written in Go (golang)";
    license = with lib.licenses; [ isc ];
-    maintainers = with lib.maintainers; [ ];
+    maintainers = [ ];
    mainProgram = "dcrctl";
  };
 }
--- a/pkgs/applications/blockchains/namecoin/default.nix
+++ b/pkgs/applications/blockchains/namecoin/default.nix
@ -44,7 +44,7 @@ stdenv.mkDerivation rec {
    description = "Decentralized open source information registration and transfer system based on the Bitcoin cryptocurrency";
    homepage = "https://namecoin.org";
    license = licenses.mit;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
    platforms = platforms.linux;
  };
 }
--- a/pkgs/applications/blockchains/wownero/default.nix
+++ b/pkgs/applications/blockchains/wownero/default.nix
@ -101,7 +101,7 @@ stdenv.mkDerivation rec {
    '';
    homepage = "https://wownero.org/";
    license = licenses.bsd3;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
    platforms = platforms.unix;
  };
 }
--- a/pkgs/applications/editors/bviplus/default.nix
+++ b/pkgs/applications/editors/bviplus/default.nix
@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
    homepage = "https://bviplus.sourceforge.net";
    license = licenses.gpl3;
    platforms = platforms.linux;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
    mainProgram = "bviplus";
  };
 }
--- a/pkgs/applications/editors/emacs/elisp-packages/elpa-devel-generated.nix
+++ b/pkgs/applications/editors/emacs/elisp-packages/elpa-devel-generated.nix
--- a/pkgs/applications/editors/emacs/elisp-packages/elpa-devel-packages.nix
+++ b/pkgs/applications/editors/emacs/elisp-packages/elpa-devel-packages.nix
@ -22,7 +22,7 @@ formats commits for you.
 */
-{ lib, stdenv, texinfo, writeText, gcc, pkgs, buildPackages }:
+{ lib, pkgs, buildPackages }:
 self: let
@ -32,11 +32,6 @@ self: let
    });
  };
  elpaBuild = import ../build-support/elpa.nix {
    inherit lib stdenv texinfo writeText gcc;
    inherit (self) emacs;
  };
  # Use custom elpa url fetcher with fallback/uncompress
  fetchurl = buildPackages.callPackage ./fetchelpa.nix { };
@ -99,6 +94,6 @@ self: let
    elpaDevelPackages = super // overrides;
-  in elpaDevelPackages // { inherit elpaBuild; });
+  in elpaDevelPackages);
 in generateElpa { }
--- a/pkgs/applications/editors/emacs/elisp-packages/elpa-generated.nix
+++ b/pkgs/applications/editors/emacs/elisp-packages/elpa-generated.nix
--- a/pkgs/applications/editors/emacs/elisp-packages/elpa-packages.nix
+++ b/pkgs/applications/editors/emacs/elisp-packages/elpa-packages.nix
@ -22,7 +22,7 @@ formats commits for you.
 */
-{ lib, stdenv, texinfo, writeText, gcc, pkgs, buildPackages }:
+{ lib, pkgs, buildPackages }:
 self: let
@ -32,11 +32,6 @@ self: let
    });
  };
  elpaBuild = import ../build-support/elpa.nix {
    inherit lib stdenv texinfo writeText gcc;
    inherit (self) emacs;
  };
  # Use custom elpa url fetcher with fallback/uncompress
  fetchurl = buildPackages.callPackage ./fetchelpa.nix { };
@ -188,7 +183,7 @@ self: let
    elpaPackages = super // overrides;
-  in elpaPackages // { inherit elpaBuild; });
+  in elpaPackages);
 in
 generateElpa { }
--- a/pkgs/applications/editors/emacs/elisp-packages/emacs2nix.nix
+++ b/pkgs/applications/editors/emacs/elisp-packages/emacs2nix.nix
@ -4,8 +4,8 @@ let
  src = pkgs.fetchFromGitHub {
    owner = "nix-community";
    repo = "emacs2nix";
-    rev = "e5389c3d7be9c3af135f022d86c61767d41c364f";
+    rev = "cf706a3e7a4c56be2d4dc83cc453810dfa023967";
-    sha256 = "sha256-mueyrGXgbjvmXQqPRuLUJdJuB5dqiGGdzCQ74Ud+Z9Y=";
+    hash = "sha256-jVbRcjNNKfuOIz76EMbrQxnKCN9d9C+szrk0zC8DaNE=";
    fetchSubmodules = true;
  };
 in
@ -13,6 +13,7 @@ pkgs.mkShell {
  packages = [
    pkgs.bash
    pkgs.nixfmt-rfc-style
  ];
  EMACS2NIX = src;
--- a/pkgs/applications/editors/emacs/elisp-packages/libgenerated.nix
+++ b/pkgs/applications/editors/emacs/elisp-packages/libgenerated.nix
@ -1,63 +1,111 @@
 lib: self:
 let
  inherit (lib) elemAt;
-    fetcherGenerators = { repo ? null
+  matchForgeRepo = builtins.match "(.+)/(.+)";
-                        , url ? null
+
-                        , ... }:
+  fetchers = lib.mapAttrs (_: fetcher: self.callPackage fetcher { }) {
-                        { sha256
+    github =
-                        , commit
+      { fetchFromGitHub }:
-                        , ...}: {
+      {
-      github = self.callPackage ({ fetchFromGitHub }:
+        repo ? null,
-        fetchFromGitHub {
+        ...
-          owner = lib.head (lib.splitString "/" repo);
+      }:
-          repo = lib.head (lib.tail (lib.splitString "/" repo));
+      { sha256, commit, ... }:
-          rev = commit;
+      let
-          inherit sha256;
+        m = matchForgeRepo repo;
-        }
+      in
-      ) {};
+      assert m != null;
-      gitlab = self.callPackage ({ fetchFromGitLab }:
+      fetchFromGitHub {
-        fetchFromGitLab {
+        owner = elemAt m 0;
-          owner = lib.head (lib.splitString "/" repo);
+        repo = elemAt m 1;
-          repo = lib.head (lib.tail (lib.splitString "/" repo));
+        rev = commit;
-          rev = commit;
+        inherit sha256;
-          inherit sha256;
+      };
-        }
+
-      ) {};
+    gitlab =
-      git = self.callPackage ({ fetchgit }:
+      { fetchFromGitLab }:
-        (fetchgit {
+      {
-          rev = commit;
+        repo ? null,
-          inherit sha256 url;
+        ...
-        }).overrideAttrs(_: {
+      }:
-          GIT_SSL_NO_VERIFY = true;
+      { sha256, commit, ... }:
-        })
+      let
-      ) {};
+        m = matchForgeRepo repo;
-      bitbucket = self.callPackage ({ fetchhg }:
+      in
-        fetchhg {
+      assert m != null;
-          rev = commit;
+      fetchFromGitLab {
-          url = "https://bitbucket.com/${repo}";
+        owner = elemAt m 0;
-          inherit sha256;
+        repo = elemAt m 1;
-        }
+        rev = commit;
-      ) {};
+        inherit sha256;
-      hg = self.callPackage ({ fetchhg }:
+      };
-        fetchhg {
+
-          rev = commit;
+    git = (
-          inherit sha256 url;
+      { fetchgit }:
-        }
+      {
-      ) {};
+        url ? null,
-      sourcehut = self.callPackage ({ fetchzip }:
+        ...
-        fetchzip {
+      }:
-          url = "https://git.sr.ht/~${repo}/archive/${commit}.tar.gz";
+      { sha256, commit, ... }:
-          inherit sha256;
+      (fetchgit {
-        }
+        rev = commit;
-      ) {};
+        inherit sha256 url;
-      codeberg = self.callPackage ({ fetchzip }:
+      }).overrideAttrs(_: {
-        fetchzip {
+        GIT_SSL_NO_VERIFY = true;
-          url = "https://codeberg.org/${repo}/archive/${commit}.tar.gz";
+      })
-          inherit sha256;
+    );
-        }
+
-      ) {};
+    bitbucket =
-    };
+      { fetchhg }:
      {
        repo ? null,
        ...
      }:
      { sha256, commit, ... }:
      fetchhg {
        rev = commit;
        url = "https://bitbucket.com/${repo}";
        inherit sha256;
      };
    hg =
      { fetchhg }:
      {
        url ? null,
        ...
      }:
      { sha256, commit, ... }:
      fetchhg {
        rev = commit;
        inherit sha256 url;
      };
    sourcehut =
      { fetchzip }:
      {
        repo ? null,
        ...
      }:
      { sha256, commit, ... }:
      fetchzip {
        url = "https://git.sr.ht/~${repo}/archive/${commit}.tar.gz";
        inherit sha256;
      };
    codeberg =
      { fetchzip }:
      {
        repo ? null,
        ...
      }:
      { sha256, commit, ... }:
      fetchzip {
        url = "https://codeberg.org/${repo}/archive/${commit}.tar.gz";
        inherit sha256;
      };
  };
 in {
@ -88,7 +136,7 @@ in {
                (builtins.filter (n: n >= 0) version)));
            # TODO: Broken should not result in src being null (hack to avoid eval errors)
            src = if (sha256 == null || broken) then null else
-              lib.getAttr fetcher (fetcherGenerators args sourceArgs);
+              fetchers.${fetcher} args sourceArgs;
            recipe = if commit == null then null else
              fetchurl {
                name = pname + "-recipe";
--- a/pkgs/applications/editors/emacs/elisp-packages/manual-packages/copilot/package.nix
+++ b/pkgs/applications/editors/emacs/elisp-packages/manual-packages/copilot/package.nix
@ -36,6 +36,7 @@ melpaBuild {
    license = lib.licenses.mit;
    maintainers = with lib.maintainers; [ bbigras ];
    platforms = [
      "aarch64-darwin"
      "x86_64-darwin"
      "x86_64-linux"
      "x86_64-windows"
--- a/pkgs/applications/editors/emacs/elisp-packages/manual-packages/ligo-mode/package.nix
+++ b/pkgs/applications/editors/emacs/elisp-packages/manual-packages/ligo-mode/package.nix
@ -24,6 +24,6 @@ melpaBuild {
    description = "Major mode for editing LIGO source code";
    homepage = "https://gitlab.com/ligolang/ligo";
    license = lib.licenses.mit;
-    maintainers = with lib.maintainers; [ ];
+    maintainers = [ ];
  };
 }
--- a/pkgs/applications/editors/emacs/elisp-packages/manual-packages/lsp-bridge/default.nix
+++ b/pkgs/applications/editors/emacs/elisp-packages/manual-packages/lsp-bridge/default.nix
@ -29,13 +29,13 @@ let
 in
 melpaBuild {
  pname = "lsp-bridge";
-  version = "0-unstable-2024-07-14";
+  version = "0-unstable-2024-07-27";
  src = fetchFromGitHub {
    owner = "manateelazycat";
    repo = "lsp-bridge";
-    rev = "023924926ae6adfbcf5458c350b90dea7c05d51b";
+    rev = "92d58ff0fb938ced513d690e0daadef74737e5d4";
-    hash = "sha256-59bl4YbKS3HgrGJlUfM3LPabxKuuE+dT7CnVUJIl05k=";
+    hash = "sha256-qeoKPwK3qKcvUFchaQYCCQmSlXgN+Tt2kU+lXqiUwaw=";
  };
  patches = [
--- a/pkgs/applications/editors/emacs/elisp-packages/manual-packages/session-management-for-emacs/package.nix
+++ b/pkgs/applications/editors/emacs/elisp-packages/manual-packages/session-management-for-emacs/package.nix
@ -24,6 +24,6 @@ stdenv.mkDerivation rec {
    description = "Small session management for emacs";
    homepage = "https://emacs-session.sourceforge.net/";
    license = licenses.gpl2;
-    maintainers = with maintainers; [ ];
+    maintainers = [ ];
  };
 }
--- a/Show More
+++ b/Show More