Merge master into haskell-updates

doc/languages-frameworks/haskell.section.md

@@ -1,4 +1,4 @@
-# Haskell {#sec-haskell}
+# Haskell {#haskell}
 
 The Haskell infrastructure in nixpkgs has two main purposes: The primary purpose
 is to provide a Haskell compiler and build tools as well as infrastructure for
@@ -7,19 +7,10 @@ packaging Haskell-based packages.
 The secondary purpose is to provide support for Haskell development environment
 including prebuilt Haskell libraries. However, in this area sacrifices have been
 made due to self-imposed restrictions in nixpkgs, to lessen the maintenance
-effort and improve performance. Therefore, it may be advantageous to use an
+effort and improve performance. (More details in the subsection
-alternative to the Haskell infrastructure in nixpkgs for development
+[Limitations.](#haskell-limitations))
-environments in some cases. The main limitations are that we only provide
-first-class support for the default compiler (currently GHC 9.2.4) and usually
-only provide a default and (if different) the latest version of a haskell
-package.
 
-<!-- TODO(@sternensemann): Fix duplication w.r.t. package set generations
+## Available packages {#haskell-available-packages}
-and package set rationale from a maintenance perspective. Probably just add
-a dedicated section for this…
--->
-
-## Available packages {#sec-haskell-available-packages}
 
 The compiler and most build tools are exposed at the top level:
 
@@ -30,11 +21,12 @@ Many “normal” user facing packages written in Haskell, like `niv` or `cachix
 are also exposed at the top level, so there is nothing haskell specific to
 installing and using them.
 
-All of these packages originally lived in the `haskellPackages` package set and
+All of these packages originally are defined in the `haskellPackages` package
-are re-exposed with a reduced dependency closure for convenience.
+set and are re-exposed with a reduced dependency closure for convenience.
+(see `justStaticExecutables` below)
 
 The `haskellPackages` set includes at least one version of every package from
-hackage as well as some manually injected packages. This amounts to a lot of
+Hackage as well as some manually injected packages. This amounts to a lot of
 packages, so it is hidden from `nix-env -qa` by default for performance reasons.
 You can still list all packages in the set like this, though:
 
@@ -47,24 +39,17 @@ haskellPackages.abacate                                                     abac
 haskellPackages.abc-puzzle                                                  abc-puzzle-0.2.1
 …
 ```
+Also the default set `haskellPackages` is included on [search.nixos.org].
 
 The attribute names in `haskellPackages` always correspond with their name on
-hackage. Since hackage allows names that are not valid nix without extra
+Hackage. Since Hackage allows names that are not valid Nix without extra
 escaping, you sometimes need to extra care when handling attribute names like
 `3dmodels`.
 
 For packages that are part of [Stackage], we use the version prescribed by a
 Stackage solver (usually the current LTS one) as the default version. For all
-other packages we use the latest version from Hackage. Sometimes alternative
+other packages we use the latest version from Hackage. See
-versions of packages are provided whose attribute names are their normal name
+[below](#haskell-available-versions) to learn which versions exactly are provided.
-with their version appended after an underscore, e.g. `Cabal_3_8_1_0`.
-
-<!--
-TODO(@sternenseemann):
-If you are interested in details how the package set is
-populated, read the section [Package set
-generation](#sec-haskell-package-set-generation).
--->
 
 Roughly half of the 16K packages contained in `haskellPackages` don't actually
 build and are marked as broken semi-automatically. Most of those packages are
@@ -74,7 +59,7 @@ Very often fixing them is not a lot of work.
 <!--
 TODO(@sternenseemann):
 How you can help with that is
-described in [Fixing a broken package](#sec-haskell-fixing-a-broken-package).
+described in [Fixing a broken package](#haskell-fixing-a-broken-package).
 -->
 
 `haskellPackages` is built with our default compiler, but we also provide other
@@ -134,6 +119,91 @@ haskell.packages.ghc924.abc-puzzle
 
 Every package set also re-exposes the GHC used to build its packages as `haskell.packages.*.ghc`.
 
+### Available package versions {#haskell-available-versions}
+
+We aim for a “blessed” package set which only contains one version of each
+package, like Stackage (and based on it) but with more packages. Normally in
+nixpkgs the number of building Haskell packages is roughly two to three times
+the size of Stackage. For choosing the version to use for a certain package we
+use the following rules:
+
+1. By default, for every package `haskellPackages.foo` is the newest version
+found on Hackage (at the time of the last update of our package set).
+2. If the Stackage snapshot that we use (usually the newest LTS snapshot)
+contains a package, we use the Stackage version as default version for that
+package.
+3. For some packages, which are not on Stackage, we have manual overrides to
+set the default version to a version older than the newest on Hackage. We do
+this to get them or their reverse dependencies to compile in our package set.
+4. For all packages, for which the newest Hackage version is not the default
+version, there will also be a `haskellPackages.foo_x_y_z` package with the
+newest version.
+5. For some packages, we also manually add other `haskellPackages.foo_x_y_z`
+versions, if they are required for a certain build.
+
+Relying on `haskellPackages.foo_x_y_z` attributes in derivations outside
+nixpkgs is discouraged because they may change or disappear with every package
+set update.
+<!-- TODO(@maralorn) We should add a link to callHackage, etc. once we added
+them to the docs. -->
+
+All `haskell.packages.*` package sets use the same package descriptions and the same sets
+of versions by default. There are however GHC version specific override `.nix`
+files to loosen this a bit.
+
+### Dependency resolution
+
+Normally when you build Haskell packages with `cabal-install`, `cabal-install`
+does dependency resolution. It will look at all Haskell package versions known
+on Hackage and tries to pick for every (transitive) dependency of your build
+exactly one version. Those versions need to satisfy all the version constraints
+given in the `.cabal` file of your package and all its dependencies.
+
+The [Haskell builder in nixpkgs](#haskell-mkderivation) does no such thing.
+It will simply take as input packages with names off the desired dependencies
+and just check whether they fulfill the version bounds and (by default, see
+`jailbreak`) fail if they don’t.
+
+The package resolution is done by the `haskellPackages.callPackage` function
+which will, e.g., use `haskellPackages.aeson` for a package input of name
+`aeson`.
+While this is the default behavior, it is possible to override the dependencies
+for a specific package, see
+[`override` and `overrideScope`](#haskell-overriding-haskell-packages).
+
+### Limitations {#haskell-limitations}
+
+Our main objective with `haskellPackages` is to package Haskell software in
+nixpkgs. This entails some limitations, partially due to self-imposed
+restrictions of nixpkgs, partially in the name of maintainability:
+
+* Only the packages built with the default compiler see extensive testing of the
+  whole package set. For other GHC versions only a few essential packages are
+  tested and cached.
+* As described above we only build one version of most packages.
+
+The experience using an older or newer packaged compiler or using different
+versions may be worse, because builds will not be cached on `cache.nixos.org`
+or may fail.
+
+Thus, to get the best experience, make sure that your project can be compiled
+using the default compiler of nixpkgs and recent versions of its dependencies.
+
+A result of this setup is, that getting a valid build plan for a given
+package can sometimes be quite painful, and in fact this is where most of the
+maintenance work for `haskellPackages` is required. Besides that, it is not
+possible to get the dependencies of a legacy project from nixpkgs or to use a
+specific stack solver for compiling a project.
+
+Even though we couldn‘t use them directly in nixpkgs, it would be desirable
+to have tooling to generate working Nix package sets from build plans generated
+by `cabal-install` or a specific Stackage snapshot via import-from-derivation.
+Sadly we currently don’t have tooling for this. For this you might be
+interested in the alternative [haskell.nix] framework, which, be warned, is
+completely incompatible with packages from `haskellPackages`.
+
+<!-- TODO(@maralorn) Link to package set generation docs in the contributers guide below. -->
+
 ## `haskellPackages.mkDerivation` {#haskell-mkderivation}
 
 Every haskell package set has its own haskell-aware `mkDerivation` which is used
@@ -141,7 +211,7 @@ to build its packages. Generally you won't have to interact with this builder
 since [cabal2nix][cabal2nix] can generate packages
 using it for an arbitrary cabal package definition. Still it is useful to know
 the parameters it takes when you need to
-[override](#sec-haskell-overriding-haskell-packages) a generated nix expression.
+[override](#haskell-overriding-haskell-packages) a generated Nix expression.
 
 `haskellPackages.mkDerivation` is a wrapper around `stdenv.mkDerivation` which
 re-defines the default phases to be haskell aware and handles dependency
@@ -152,20 +222,20 @@ but uses the underlying `Cabal` library instead.
 ### General arguments
 
 `pname`
-: Package name, assumed to be the same as on hackage (if applicable)
+: Package name, assumed to be the same as on Hackage (if applicable)
 
 `version`
-: Packaged version, assumed to be the same as on hackage (if applicable)
+: Packaged version, assumed to be the same as on Hackage (if applicable)
 
 `src`
 : Source of the package. If omitted, fetch package corresponding to `pname`
-and `version` from hackage.
+and `version` from Hackage.
 
 `sha256`
 : Hash to use for the default case of `src`.
 
 `revision`
-: Revision number of the updated cabal file to fetch from hackage.
+: Revision number of the updated cabal file to fetch from Hackage.
 If `null` (which is the default value), the one included in `src` is used.
 
 `editedCabalFile`
@@ -221,7 +291,7 @@ package. Disabled by default.
 Enabled by default if supported.
 
 `enableHsc2hsViaAsm`
-: Whether to pass `--via-asm` to `hsc2hs`.
+: Whether to pass `--via-asm` to `hsc2hs`. Enabled by default only on Windows.
 
 `hyperlinkSource`
 : Whether to render the source as well as part of the haddock documentation
@@ -237,7 +307,7 @@ Defaults to `true`.
 `jailbreak`
 : Whether to execute [jailbreak-cabal][jailbreak-cabal] before `configurePhase`
 to lift any version constraints in the cabal file. Note that this can't
-lift version bounds if they are conditional, e.g. if a dependency is hidden
+lift version bounds if they are conditional, i.e. if a dependency is hidden
 behind a flag.
 
 `enableParallelBuilding`
@@ -245,7 +315,7 @@ behind a flag.
 
 `maxBuildCores`
 : Upper limit of jobs to use in parallel for compilation regardless of
-`$NIX_BUILD_CORES`. Defaults to 16 as haskell compilation with GHC currently
+`$NIX_BUILD_CORES`. Defaults to 16 as Haskell compilation with GHC currently
 sees a [performance regression](https://gitlab.haskell.org/ghc/ghc/-/issues/9221)
 if too many parallel jobs are used.
 
@@ -254,7 +324,7 @@ if too many parallel jobs are used.
 Defaults to `false`.
 
 `doHaddock`
-: Wether to build (HTML) documentation using [haddock][haddock].
+: Whether to build (HTML) documentation using [haddock][haddock].
 Defaults to `true` if supported.
 
 `testTarget`
@@ -291,8 +361,9 @@ Defaults to `false`.
 Is automatically enabled if `doHaddock` is `true`.
 
 `allowInconsistentDependencies`
-: If enabled, allow multiple versions of the same package at configure time.
+: If enabled, allow multiple versions of the same Haskell package in the
-Usually in such a situation compilation would later fail. Defaults to `false`.
+dependency tree at configure time. Often in such a situation compilation would
+later fail because of type mismatches. Defaults to `false`.
 
 `enableLibraryForGhci`
 : Build and install a special object file for GHCi. This improves performance
@@ -303,7 +374,7 @@ disk space. Defaults to `false`.
 : Name of the executable or library to build and install.
 If unset, all available targets are built and installed.
 
-### Specifying dependencies
+### Specifying dependencies {#haskell-derivation-deps}
 
 Since `haskellPackages.mkDerivation` is intended to be generated from cabal
 files, it reflects cabal's way of specifying dependencies. For one, dependencies
@@ -393,7 +464,7 @@ That only leaves the following extra ways for specifying dependencies:
 : Deprecated, use either `benchmarkHaskellDepends` or `benchmarkSystemDepends`.
 
 The dependency specification methods in this list which are unconditional
-are especially useful when writing [overrides](#sec-haskell-overriding-haskell-packages)
+are especially useful when writing [overrides](#haskell-overriding-haskell-packages)
 when you want to make sure that they are definitely included. However, it is
 recommended to use the more accurate ones listed above when possible.
 
@@ -404,7 +475,7 @@ arguments which are transparently set in `meta` of the resulting derivation. See
 the [Meta-attributes section](#chap-meta) for their documentation.
 
 * These attributes are populated with a default value if omitted:
-    * `homepage`: defaults to the hackage page for `pname`.
+    * `homepage`: defaults to the Hackage page for `pname`.
     * `platforms`: defaults to `lib.platforms.all` (since GHC can cross-compile)
 * These attributes are only set if given:
     * `description`
@@ -414,41 +485,24 @@ the [Meta-attributes section](#chap-meta) for their documentation.
     * `broken`
     * `hydraPlatforms`
 
-## Development environments {#sec-haskell-development-environments}
+## Development environments {#haskell-development-environments}
 
 In addition to building and installing Haskell software, nixpkgs can also
 provide development environments for Haskell projects. This has the obvious
 advantage that you benefit from `cache.nixos.org` and no longer need to compile
-all project dependencies yourself.
+all project dependencies yourself. While it is often very useful, this is not
+the primary use case of our package set. Have a look at the section
+[available package versions](#haskell-available-versions) to learn which
+versions of packages we provide and the section
+[limitations](#haskell-limitations), to judge whether a `haskellPackages`
+based development environment for your project is feasible.
 
-Our main objective with `haskellPackages` is to package Haskell software in
+By default, every derivation built using
-nixpkgs. This entails some limitations, partially due to self-imposed
+[`haskellPackages.mkDerivation`](#haskell-mkderivation) exposes an environment
-restrictions of nixpkgs, partially in the name of maintainability:
+suitable for building it interactively as the `env` attribute. For example, if
-
+you have a local checkout of `random`, you can enter a development environment
-* Only the packages built with the default compiler see extensive testing of the
+for it like this (if the dependencies in the development and packaged version
-  whole package set. The experience using an older or newer packaged compiler
+match):
-  may be worse.
-
-* We aim for a “blessed” package set which only contains one version of each
-  package.
-
-Thus, to get the best experience, make sure that your project can be compiled
-using the default compiler of nixpkgs and recent versions of its dependencies.
-“Recent” can either mean the version contained in a certain [Stackage] snapshot
-(usually the latest LTS or nightly one) <!-- TODO(@sternenseemann): document our use of solvers -->
-or the latest version from Hackage. Similarly to Stackage, we sometimes
-intervene and downgrade packages to ensure as many packages as possible can
-be compiled together.
-
-In particular, it is not possible to get the dependencies of a legacy project
-from nixpkgs or to use a specific stack solver for compiling a project.
-
-Now for the actual development environments: By default every derivation built
-using [`haskellPackages.mkDerivation`](#haskell-mkderivation) exposes an
-environment suitable for building it interactively as the `env` attribute. For
-example, if you have a local checkout of `random`, you can enter a development
-environment for it like this (if the dependencies in the development and
-packaged version match):
 
 ```console
 $ cd ~/src/random
@@ -469,27 +523,26 @@ dependencies of `random`. Note that this environment does not mirror
 the environment used to build the package, but is intended as a convenient
 tool for development and simple debugging. `env` relies on the `ghcWithPackages`
 wrapper which automatically injects a pre-populated package-db into every
-GHC invocation. When building the derivation, the appropriate flags would always
+GHC invocation. In contrast, using `nix-shell -A haskellPackages.random` will
-be passed explicitly.
+not result in an environment in which the dependencies are in GHCs package
+database. Instead, the Haskell builder will pass in all dependencies explicitly
+via configure flags.
 
 `env` mirrors the normal derivation environment in one aspect: It does not include
 familiar development tools like `cabal-install`, since we rely on plain `Setup.hs`
 to build all packages. However, `cabal-install` will work as expected if in
 `PATH` (e.g. when installed globally and using a `nix-shell` without `--pure`).
 A declarative and pure way of adding arbitrary development tools is provided
-via [`shellFor`](#ssec-haskell-shellFor).
+via [`shellFor`](#haskell-shellFor).
 
-<!-- TODO(@sternenseemann): this doesn't work in practice (anymore?)
+When using `cabal-install` for dependency resolution you need to be a bit
-This topic needs to be investigated again; Deleting the local hackage db is
+careful to achieve build purity. `cabal-install` will find and use all
-an easy workaround (ty @maralorn), but some useful features of cabal2nix
+dependencies installed from the packages `env` via Nix, but it will also
-depend on it (i.e. cabal2nix cabal://pkg-version).
+consult Hackage to potentially download and compile dependencies if it can‘t
-
+find a valid build plan locally. To prevent this you can either never run
-You can make sure that `cabal-install` doesn't download or build any packages
+`cabal update`, remove the cabal database from your `~/.cabal` folder or run
-not provided using Nix by passing `--offline`. There is of course a better way
+`cabal` with `--offline`. Note though, that for some usecases `cabal2nix` needs
-to add any number of development tools to your `nix-shell` which we'll discuss
+the local Hackage db.
-later.
-
--->
 
 Often you won't work on a package that is already part of `haskellPackages` or
 Hackage, so we first need to write a Nix expression to obtain the development
@@ -502,7 +555,7 @@ my-project.cabal src …
 $ cabal2nix ./. > my-project.nix
 ```
 
-The generated nix expression evaluates to a function ready to be
+The generated Nix expression evaluates to a function ready to be
 `callPackage`-ed. For now, we can add a minimal `default.nix` which does just
 that:
 
@@ -519,7 +572,7 @@ enter a shell with all the package's dependencies available using `nix-shell
 -A env default.nix`. If you have `cabal-install` installed globally, it'll work
 inside the shell as expected.
 
-### shellFor {#ssec-haskell-shellFor}
+### shellFor {#haskell-shellFor}
 
 Having to install tools globally is obviously not great, especially if you want
 to provide a batteries-included `shell.nix` with your project. Luckily there's a
@@ -533,8 +586,8 @@ development environment inside `nix-shell`:
 development environment. This should be a function which takes a haskell package
 set and returns a list of packages. `shellFor` will pass the used package set to
 this function and include all dependencies of the returned package in the build
-environment. This means you can reuse nix expressions of packages included in
+environment. This means you can reuse Nix expressions of packages included in
-nixpkgs, but also use local nix expressions like this: `hpkgs: [
+nixpkgs, but also use local Nix expressions like this: `hpkgs: [
 (hpkgs.callPackage ./my-project.nix { }) ]`.
 
 `nativeBuildInputs`
@@ -545,9 +598,8 @@ Defaults to `[]`.
 `buildInputs`
 : Expects a list of derivations to add as library dependencies, like `openssl`.
 This is rarely necessary as the haskell package expressions usually track system
-dependencies as well. Defaults to `[]`.
+dependencies as well. Defaults to `[]`. (see also
-
+[derivation dependencies](#haskell-derivation-deps))
-<!-- TODO link specifying deps section here -->
 
 `withHoogle`
 : If this is true, `hoogle` will be added to `nativeBuildInputs`.
@@ -579,7 +631,7 @@ pkgs.haskellPackages.shellFor {
   packages = hpkgs: [
     # reuse the nixpkgs for this package
     hpkgs.distribution-nixpkgs
-    # call our generated nix expression manually
+    # call our generated Nix expression manually
     (hpkgs.callPackage ./my-project/my-project.nix { })
   ];
 
@@ -602,7 +654,54 @@ pkgs.haskellPackages.shellFor {
 
 <!-- TODO(@sternenseemann): deps are not included if not selected -->
 
-## Overriding haskell packages {#sec-haskell-overriding-haskell-packages}
+### haskell-language-server {#haskell-language-server}
+
+To use HLS in short: Install `pkgs.haskell-language-server` e.g. in
+`nativeBuildInputs` in `shellFor` and use the `haskell-language-server-wrapper`
+command to run it. See the [HLS user guide] on how to configure your text
+editor to use HLS and how to test your setup.
+
+HLS needs to be compiled with the GHC version of the project you use it
+on.
+
+``pkgs.haskell-language-server`` provides
+``haskell-language-server-wrapper``, ``haskell-language-server``
+and ``haskell-language-server-x.x.x``
+binaries, where ``x.x.x`` is the GHC version for which it is compiled. By
+default, it only includes binaries for the current GHC version, to reduce
+closure size. The closure size is large, because HLS needs to be dynamically
+linked to work reliably. You can override the list of supported GHC versions
+with e.g.
+
+```nix
+pkgs.haskell-language-server.override { supportedGhcVersions = [ "90" "94" ]; }
+```
+Where all strings `version` are allowed such that
+`haskell.packages.ghc${version}` is an existing package set.
+
+When you run `haskell-language-server-wrapper` it will detect the GHC
+version used by the project you are working on (by asking e.g. cabal or
+stack) and pick the appropriate versioned binary from your path.
+
+Be careful when installing HLS globally and using a pinned nixpkgs for a
+Haskell project in a `nix-shell`. If the nixpkgs versions deviate to much
+(e.g., use different `glibc` versions) the `haskell-language-server-?.?.?`
+executable will try to detect these situations and refuse to start. It is
+recommended to obtain HLS via `nix-shell` from the nixpkgs version pinned in
+there instead.
+
+The top level `pkgs.haskell-language-server` attribute is just a convenience
+wrapper to make it possible to install HLS for multiple GHC versions at the
+same time. If you know, that you only use one GHC version, e.g., in a project
+specific `nix-shell` you can simply use
+`pkgs.haskellPackages.haskell-language-server` or
+`pkgs.haskell.packages.*.haskell-language-server` from the package set you use.
+
+If you use `nix-shell` for your development environments remember to start your
+editor in that environment. You may want to use something like `direnv` and/or an
+editor plugin to achieve this.
+
+## Overriding Haskell packages {#haskell-overriding-haskell-packages}
 
 ### Overriding a single package
 
@@ -644,7 +743,7 @@ haskellPackages.haskell-ci.overrideScope (self: super: {
 
 The custom interface comes into play when you want to override the arguments
 passed to `haskellPackages.mkDerivation`. For this, the function `overrideCabal`
-from `haskell.lib.compose` is used. E.g. if you want to install a man page
+from `haskell.lib.compose` is used. E.g., if you want to install a man page
 that is distributed with the package, you can do something like this:
 
 ```nix
@@ -900,10 +999,10 @@ you are working with or – even better – from the `self`/`final` fix point of
 Note: Some functions like `shellFor` that are not intended for overriding per se, are omitted
 in this section. <!-- TODO(@sternenseemann): note about ifd section -->
 
-`cabalSdist { src, name }`
+`cabalSdist { src, name ? ... }`
 : Generates the Cabal sdist tarball for `src`, suitable for uploading to Hackage.
 Contrary to `haskell.lib.compose.sdistTarball`, it uses `cabal-install` over `Setup.hs`,
-so it is usually faster: No build dependencies need to be downloaded and we can
+so it is usually faster: No build dependencies need to be downloaded, and we can
 skip compiling `Setup.hs`.
 
 `buildFromCabalSdist drv`
@@ -929,15 +1028,15 @@ TODO(@NixOS/haskell): finish these planned sections
 * `callHackage`, `callHackageDirect`
 * `developPackage`
 
-## Contributing {#sec-haskell-contributing}
+## Contributing {#haskell-contributing}
 
-### Fixing a broken package {#sec-haskell-fixing-a-broken-package}
+### Fixing a broken package {#haskell-fixing-a-broken-package}
 
-### Package set generation {#sec-haskell-package-set-generation}
+### Package set generation {#haskell-package-set-generation}
 
 ### Packaging a Haskell project
 
-### Backporting {#sec-haskell-backporting}
+### Backporting {#haskell-backporting}
 
 Backporting changes to a stable NixOS version in general is covered
 in nixpkgs' `CONTRIBUTING.md` in general. In particular refer to the
@@ -950,7 +1049,7 @@ it does for the unstable branches.
 
 -->
 
-## F.A.Q. {#sec-haskell-faq}
+## F.A.Q. {#haskell-faq}
 
 ### Why is topic X not covered in this section? Why is section Y missing?
 
@@ -963,15 +1062,18 @@ If you feel any important topic is not documented at all, feel free to comment
 on the issue linked above.
 
 [Stackage]: https://www.stackage.org
+[cabal-project-files]: https://cabal.readthedocs.io/en/latest/cabal-project.html
 [cabal2nix]: https://github.com/nixos/cabal2nix
-[hoogle]: https://wiki.haskell.org/Hoogle
+[cpphs]: https://Hackage.haskell.org/package/cpphs
-[haddock]: https://www.haskell.org/haddock/
 [haddock-hoogle-option]: https://haskell-haddock.readthedocs.io/en/latest/invoking.html#cmdoption-hoogle
 [haddock-hyperlinked-source-option]: https://haskell-haddock.readthedocs.io/en/latest/invoking.html#cmdoption-hyperlinked-source
-[profiling]: https://downloads.haskell.org/~ghc/latest/docs/html/users_guide/profiling.html
+[haddock]: https://www.haskell.org/haddock/
 [haskell-program-coverage]: https://downloads.haskell.org/~ghc/latest/docs/html/users_guide/profiling.html#observing-code-coverage
-[profiling-detail]: https://cabal.readthedocs.io/en/latest/cabal-project.html#cfg-field-profiling-detail
+[haskell.nix]: https://input-output-hk.github.io/haskell.nix/index.html
+[HLS user guide]: https://haskell-language-server.readthedocs.io/en/latest/configuration.html#configuring-your-editor
+[hoogle]: https://wiki.haskell.org/Hoogle
 [jailbreak-cabal]: https://github.com/NixOS/jailbreak-cabal/
-[cpphs]: https://hackage.haskell.org/package/cpphs
-[cabal-project-files]: https://cabal.readthedocs.io/en/latest/cabal-project.html
 [optparse-applicative-completions]: https://github.com/pcapriotti/optparse-applicative/blob/7726b63796aa5d0df82e926d467f039b78ca09e2/README.md#bash-zsh-and-fish-completions
+[profiling-detail]: https://cabal.readthedocs.io/en/latest/cabal-project.html#cfg-field-profiling-detail
+[profiling]: https://downloads.haskell.org/~ghc/latest/docs/html/users_guide/profiling.html
+[search.nixos.org]: https://search.nixos.org

maintainers/maintainer-list.nix

@@ -6876,6 +6876,12 @@
     githubId = 310981;
     name = "Joel Burget";
   };
+  joelkoen = {
+    email = "mail@joelkoen.com";
+    github = "joelkoen";
+    githubId = 122502655;
+    name = "Joel Koen";
+  };
   joelmo = {
     email = "joel.moberg@gmail.com";
     github = "joelmo";
@@ -7266,12 +7272,6 @@
     githubId = 20658981;
     name = "Jarosław Wygoda";
   };
-  jyooru = {
-    email = "joel@joel.tokyo";
-    github = "jyooru";
-    githubId = 63786778;
-    name = "Joel";
-  };
   jyp = {
     email = "jeanphilippe.bernardy@gmail.com";
     github = "jyp";
@@ -14420,6 +14420,12 @@
     githubId = 52011418;
     name = "Travis Davis";
   };
+  traxys = {
+    email = "quentin+dev@familleboyer.net";
+    github = "traxys";
+    githubId = 5623227;
+    name = "Quentin Boyer";
+  };
   TredwellGit = {
     email = "tredwell@tutanota.com";
     github = "TredwellGit";
@@ -16319,4 +16325,10 @@
     github = "RossComputerGuy";
     githubId = 19699320;
   };
+  franzmondlichtmann = {
+    name = "Franz Schroepf";
+    email = "franz-schroepf@t-online.de";
+    github = "franzmondlichtmann";
+    githubId = 105480088;
+  };
 }

nixos/doc/manual/configuration/ssh.section.md

@@ -8,7 +8,7 @@ services.openssh.enable = true;
 
 By default, root logins using a password are disallowed. They can be
 disabled entirely by setting
-[](#opt-services.openssh.permitRootLogin) to `"no"`.
+[](#opt-services.openssh.settings.PermitRootLogin) to `"no"`.
 
 You can declaratively specify authorised RSA/DSA public keys for a user
 as follows:

nixos/doc/manual/from_md/configuration/ssh.section.xml

@@ -9,7 +9,7 @@ services.openssh.enable = true;
   <para>
     By default, root logins using a password are disallowed. They can be
     disabled entirely by setting
-    <xref linkend="opt-services.openssh.permitRootLogin" /> to
+    <xref linkend="opt-services.openssh.settings.PermitRootLogin" /> to
     <literal>&quot;no&quot;</literal>.
   </para>
   <para>

nixos/doc/manual/from_md/release-notes/rl-2305.section.xml

@@ -10,7 +10,7 @@
       In addition to numerous new and upgraded packages, this release
       has the following highlights:
     </para>
-    <itemizedlist spacing="compact">
+    <itemizedlist>
       <listitem>
         <para>
           Cinnamon has been updated to 5.6, see
@@ -18,6 +18,14 @@
           pull request</link> for what is changed.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <literal>nixos-rebuild</literal> now supports an extra
+          <literal>--specialisation</literal> option that can be used to
+          change specialisation for <literal>switch</literal> and
+          <literal>test</literal> commands.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-23.05-new-services">
@@ -99,6 +107,14 @@
           <link xlink:href="options.html#opt-services.ulogd.enable">services.ulogd</link>.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://photoprism.app/">photoprism</link>,
+          a AI-Powered Photos App for the Decentralized Web. Available
+          as
+          <link xlink:href="options.html#opt-services.photoprism.enable">services.photoprism</link>.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-23.05-incompatibilities">
@@ -324,6 +340,24 @@
           <link linkend="opt-services.usbmuxd.package">services.usbmuxd.package</link>
         </para>
       </listitem>
+      <listitem>
+        <para>
+          A few openssh options have been moved from extraConfig to the
+          new freeform option <literal>settings</literal> and renamed as
+          follow:
+          <literal>services.openssh.kbdInteractiveAuthentication</literal>
+          to
+          <literal>services.openssh.settings.KbdInteractiveAuthentication</literal>,
+          <literal>services.openssh.passwordAuthentication</literal> to
+          <literal>services.openssh.settings.PasswordAuthentication</literal>,
+          <literal>services.openssh.useDns</literal> to
+          <literal>services.openssh.settings.UseDns</literal>,
+          <literal>services.openssh.permitRootLogin</literal> to
+          <literal>services.openssh.settings.PermitRootLogin</literal>,
+          <literal>services.openssh.logLevel</literal> to
+          <literal>services.openssh.settings.LogLevel</literal>.
+        </para>
+      </listitem>
       <listitem>
         <para>
           <literal>services.mastodon</literal> gained a tootctl wrapped

nixos/doc/manual/man-nixos-rebuild.xml

@@ -113,6 +113,18 @@
      </group> <replaceable>name</replaceable>
    </arg>
 
+   <arg>
+    <group choice='req'>
+    <arg choice='plain'>
+     <option>--specialisation</option>
+    </arg>
+
+    <arg choice='plain'>
+     <option>-c</option>
+    </arg>
+     </group> <replaceable>name</replaceable>
+   </arg>
+
    <sbr />
 
    <arg>
@@ -204,6 +216,20 @@
        <command>nixos-rebuild switch</command> or <command>nixos-rebuild
        boot</command> remain available in the GRUB menu.
       </para>
+      <para>
+        Note that if you are using specializations, running just
+        <command>nixos-rebuild switch</command> will switch you back to the
+        unspecialized, base system - in that case, you might want to use this
+        instead:
+<screen>
+<prompt>$ </prompt>nixos-rebuild switch --specialisation your-specialisation-name
+</screen>
+        This command will build all specialisations and make them bootable just
+        like regular <command>nixos-rebuild switch</command> does - the only
+        thing different is that it will switch to given specialisation instead
+        of the base system; it can be also used to switch from the base system
+        into a specialised one, or to switch between specialisations.
+      </para>
      </listitem>
     </varlistentry>
 
@@ -233,6 +259,16 @@
        configuration resulting from the last call to <command>nixos-rebuild
        switch</command> or <command>nixos-rebuild boot</command>).
       </para>
+      <para>
+        Note that if you are using specialisations, running just
+        <command>nixos-rebuild test</command> will activate the unspecialised,
+        base system - in that case, you might want to use this instead:
+<screen>
+<prompt>$ </prompt>nixos-rebuild test --specialisation your-specialisation-name
+</screen>
+        This command can be also used to switch from the base system into a
+        specialised one, or to switch between specialisations.
+      </para>
      </listitem>
     </varlistentry>
 
@@ -499,6 +535,21 @@
     </listitem>
    </varlistentry>
 
+   <varlistentry>
+    <term>
+     <option>--specialisation</option>
+    </term>
+    <term>
+     <option>-c</option>
+    </term>
+    <listitem>
+     <para>
+      Activates given specialisation; when not specified, switching and testing
+      will activate the base, unspecialised system.
+     </para>
+    </listitem>
+   </varlistentry>
+
    <varlistentry>
     <term>
      <option>--build-host</option>

nixos/doc/manual/release-notes/rl-2305.section.md

@@ -10,6 +10,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - Cinnamon has been updated to 5.6, see [the pull request](https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204) for what is changed.
 
+- `nixos-rebuild` now supports an extra `--specialisation` option that can be used to change specialisation for `switch` and `test` commands.
+
 ## New Services {#sec-release-23.05-new-services}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -34,6 +36,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [ulogd](https://www.netfilter.org/projects/ulogd/index.html), a userspace logging daemon for netfilter/iptables related logging. Available as [services.ulogd](options.html#opt-services.ulogd.enable).
 
+- [photoprism](https://photoprism.app/), a AI-Powered Photos App for the Decentralized Web. Available as [services.photoprism](options.html#opt-services.photoprism.enable).
+
 ## Backward Incompatibilities {#sec-release-23.05-incompatibilities}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -85,6 +89,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package)
 
+- A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follow: `services.openssh.kbdInteractiveAuthentication` to `services.openssh.settings.KbdInteractiveAuthentication`, `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`, `services.openssh.useDns` to `services.openssh.settings.UseDns`, `services.openssh.permitRootLogin` to `services.openssh.settings.PermitRootLogin`, `services.openssh.logLevel` to `services.openssh.settings.LogLevel`.
+
 - `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.
 
 - The `dnsmasq` service now takes configuration via the

nixos/modules/installer/cd-dvd/iso-image.nix

@@ -52,7 +52,7 @@ let
   buildMenuAdditionalParamsGrub2 = additional:
   let
     finalCfg = {
-      name = "NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel}";
+      name = "${config.system.nixos.distroName} ${config.system.nixos.label}${config.isoImage.appendToMenuLabel}";
       params = "init=${config.system.build.toplevel}/init ${additional} ${toString config.boot.kernelParams}";
       image = "/boot/${config.system.boot.loader.kernelFile}";
       initrd = "/boot/initrd";
@@ -109,35 +109,35 @@ let
     DEFAULT boot
 
     LABEL boot
-    MENU LABEL NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel}
+    MENU LABEL ${config.system.nixos.distroName} ${config.system.nixos.label}${config.isoImage.appendToMenuLabel}
     LINUX /boot/${config.system.boot.loader.kernelFile}
     APPEND init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}
     INITRD /boot/${config.system.boot.loader.initrdFile}
 
     # A variant to boot with 'nomodeset'
     LABEL boot-nomodeset
-    MENU LABEL NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} (nomodeset)
+    MENU LABEL ${config.system.nixos.distroName} ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} (nomodeset)
     LINUX /boot/${config.system.boot.loader.kernelFile}
     APPEND init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} nomodeset
     INITRD /boot/${config.system.boot.loader.initrdFile}
 
     # A variant to boot with 'copytoram'
     LABEL boot-copytoram
-    MENU LABEL NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} (copytoram)
+    MENU LABEL ${config.system.nixos.distroName} ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} (copytoram)
     LINUX /boot/${config.system.boot.loader.kernelFile}
     APPEND init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} copytoram
     INITRD /boot/${config.system.boot.loader.initrdFile}
 
     # A variant to boot with verbose logging to the console
     LABEL boot-debug
-    MENU LABEL NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} (debug)
+    MENU LABEL ${config.system.nixos.distroName} ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} (debug)
     LINUX /boot/${config.system.boot.loader.kernelFile}
     APPEND init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} loglevel=7
     INITRD /boot/${config.system.boot.loader.initrdFile}
 
     # A variant to boot with a serial console enabled
     LABEL boot-serial
-    MENU LABEL NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} (serial console=ttyS0,115200n8)
+    MENU LABEL ${config.system.nixos.distroName} ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} (serial console=ttyS0,115200n8)
     LINUX /boot/${config.system.boot.loader.kernelFile}
     APPEND init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} console=ttyS0,115200n8
     INITRD /boot/${config.system.boot.loader.initrdFile}
@@ -458,7 +458,7 @@ in
     };
 
     isoImage.isoBaseName = mkOption {
-      default = "nixos";
+      default = config.system.nixos.distroId;
       description = lib.mdDoc ''
         Prefix of the name of the generated ISO image file.
       '';
@@ -579,7 +579,7 @@ in
 
     isoImage.syslinuxTheme = mkOption {
       default = ''
-        MENU TITLE NixOS
+        MENU TITLE ${config.system.nixos.distroName}
         MENU RESOLUTION 800 600
         MENU CLEAR
         MENU ROWS 6

nixos/modules/misc/version.nix

@@ -16,18 +16,18 @@ let
     ) + "\n";
 
   osReleaseContents = {
-    NAME = "NixOS";
+    NAME = "${cfg.distroName}";
-    ID = "nixos";
+    ID = "${cfg.distroId}";
     VERSION = "${cfg.release} (${cfg.codeName})";
     VERSION_CODENAME = toLower cfg.codeName;
     VERSION_ID = cfg.release;
     BUILD_ID = cfg.version;
-    PRETTY_NAME = "NixOS ${cfg.release} (${cfg.codeName})";
+    PRETTY_NAME = "${cfg.distroName} ${cfg.release} (${cfg.codeName})";
     LOGO = "nix-snowflake";
-    HOME_URL = "https://nixos.org/";
+    HOME_URL = lib.optionalString (cfg.distroId == "nixos") "https://nixos.org/";
-    DOCUMENTATION_URL = "https://nixos.org/learn.html";
+    DOCUMENTATION_URL = lib.optionalString (cfg.distroId == "nixos") "https://nixos.org/learn.html";
-    SUPPORT_URL = "https://nixos.org/community.html";
+    SUPPORT_URL = lib.optionalString (cfg.distroId == "nixos") "https://nixos.org/community.html";
-    BUG_REPORT_URL = "https://github.com/NixOS/nixpkgs/issues";
+    BUG_REPORT_URL = lib.optionalString (cfg.distroId == "nixos") "https://github.com/NixOS/nixpkgs/issues";
   } // lib.optionalAttrs (cfg.variant_id != null) {
     VARIANT_ID = cfg.variant_id;
   };
@@ -89,6 +89,20 @@ in
       description = lib.mdDoc "The NixOS release code name (e.g. `Emu`).";
     };
 
+    nixos.distroId = mkOption {
+      internal = true;
+      type = types.str;
+      default = "nixos";
+      description = lib.mdDoc "The id of the operating system";
+    };
+
+    nixos.distroName = mkOption {
+      internal = true;
+      type = types.str;
+      default = "NixOS";
+      description = lib.mdDoc "The name of the operating system";
+    };
+
     nixos.variant_id = mkOption {
       type = types.nullOr (types.strMatching "^[a-z0-9._-]+$");
       default = null;
@@ -155,10 +169,10 @@ in
     environment.etc = {
       "lsb-release".text = attrsToText {
         LSB_VERSION = "${cfg.release} (${cfg.codeName})";
-        DISTRIB_ID = "nixos";
+        DISTRIB_ID = "${cfg.distroId}";
         DISTRIB_RELEASE = cfg.release;
         DISTRIB_CODENAME = toLower cfg.codeName;
-        DISTRIB_DESCRIPTION = "NixOS ${cfg.release} (${cfg.codeName})";
+        DISTRIB_DESCRIPTION = "${cfg.distroName} ${cfg.release} (${cfg.codeName})";
       };
 
       "os-release".text = attrsToText osReleaseContents;

nixos/modules/module-list.nix

@@ -1165,6 +1165,7 @@
   ./services/web-apps/peertube.nix
   ./services/web-apps/pgpkeyserver-lite.nix
   ./services/web-apps/phylactery.nix
+  ./services/web-apps/photoprism.nix
   ./services/web-apps/pict-rs.nix
   ./services/web-apps/plantuml-server.nix
   ./services/web-apps/plausible.nix

nixos/modules/profiles/installation-device.nix

@@ -72,7 +72,7 @@ with lib;
     # mounting the storage in a different system.
     services.openssh = {
       enable = true;
-      permitRootLogin = "yes";
+      settings.PermitRootLogin = "yes";
     };
 
     # Enable wpa_supplicant, but don't start it by default.

nixos/modules/services/misc/autorandr.nix

@@ -254,6 +254,12 @@ in {
         '';
       };
 
+      ignoreLid = mkOption {
+        default = false;
+        type = types.bool;
+        description = lib.mdDoc "Treat outputs as connected even if their lids are closed";
+      };
+
       hooks = mkOption {
         type = hooksModule;
         description = lib.mdDoc "Global hook scripts";
@@ -340,7 +346,13 @@ in {
       startLimitIntervalSec = 5;
       startLimitBurst = 1;
       serviceConfig = {
-        ExecStart = "${pkgs.autorandr}/bin/autorandr --batch --change --default ${cfg.defaultTarget}";
+        ExecStart = ''
+          ${pkgs.autorandr}/bin/autorandr \
+            --batch \
+            --change \
+            --default ${cfg.defaultTarget} \
+            ${optionalString cfg.ignoreLid "--ignore-lid"}
+        '';
         Type = "oneshot";
         RemainAfterExit = false;
         KillMode = "process";

nixos/modules/services/misc/gitea.nix

@@ -468,12 +468,14 @@ in
       "d '${cfg.stateDir}/conf' 0750 ${cfg.user} gitea - -"
       "d '${cfg.stateDir}/custom' 0750 ${cfg.user} gitea - -"
       "d '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} gitea - -"
+      "d '${cfg.stateDir}/data' 0750 ${cfg.user} gitea - -"
       "d '${cfg.stateDir}/log' 0750 ${cfg.user} gitea - -"
       "z '${cfg.stateDir}' 0750 ${cfg.user} gitea - -"
       "z '${cfg.stateDir}/.ssh' 0700 ${cfg.user} gitea - -"
       "z '${cfg.stateDir}/conf' 0750 ${cfg.user} gitea - -"
       "z '${cfg.stateDir}/custom' 0750 ${cfg.user} gitea - -"
       "z '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} gitea - -"
+      "z '${cfg.stateDir}/data' 0750 ${cfg.user} gitea - -"
       "z '${cfg.stateDir}/log' 0750 ${cfg.user} gitea - -"
       "Z '${cfg.stateDir}' - ${cfg.user} gitea - -"
 
@@ -633,7 +635,6 @@ in
     systemd.services.gitea-dump = mkIf cfg.dump.enable {
        description = "gitea dump";
        after = [ "gitea.service" ];
-       wantedBy = [ "default.target" ];
        path = [ gitea ];
 
        environment = {

nixos/modules/services/misc/ntfy-sh.nix

@@ -59,6 +59,10 @@ in
         systemPackages = [ cfg.package ];
       };
 
+      services.ntfy-sh.settings = {
+        auth-file = mkDefault "/var/lib/ntfy-sh/user.db";
+      };
+
       systemd.services.ntfy-sh = {
         description = "Push notifications server";
 
@@ -68,6 +72,7 @@ in
         serviceConfig = {
           ExecStart = "${cfg.package}/bin/ntfy serve -c ${configuration}";
           User = cfg.user;
+          StateDirectory = "ntfy-sh";
 
           AmbientCapabilities = "CAP_NET_BIND_SERVICE";
           PrivateTmp = true;

nixos/modules/services/monitoring/prometheus/exporters/rspamd.nix

@@ -9,7 +9,7 @@ let
     pkgs.writeText "rspamd-exporter-config.yml" (builtins.toJSON conf);
 
   generateConfig = extraLabels: {
-    metrics = (map (path: {
+    modules.default.metrics = (map (path: {
       name = "rspamd_${replaceStrings [ "[" "." " " "]" "\\" "'" ] [ "_" "_" "_" "" "" "" ] path}";
       path = "{ .${path} }";
       labels = extraLabels;

nixos/modules/services/monitoring/uptime-kuma.nix

@@ -18,9 +18,10 @@ in
         description = lib.mdDoc "Uptime Kuma package to use.";
       };
 
+      appriseSupport = mkEnableOption (mdDoc "apprise support for notifications.");
+
       settings = lib.mkOption {
-        type =
+        type = lib.types.submodule { freeformType = with lib.types; attrsOf str; };
-          lib.types.submodule { freeformType = with lib.types; attrsOf str; };
         default = { };
         example = {
           PORT = "4000";
@@ -47,6 +48,7 @@ in
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       environment = cfg.settings;
+      path = lib.mkIf cfg.appriseSupport (with pkgs; [ apprise ]);
       serviceConfig = {
         Type = "simple";
         StateDirectory = "uptime-kuma";

nixos/modules/services/networking/hostapd.nix

@@ -94,7 +94,8 @@ in
       };
 
       ssid = mkOption {
-        default = "nixos";
+        default = config.system.nixos.distroId;
+        defaultText = literalExpression "config.system.nixos.distroId";
         example = "mySpecialSSID";
         type = types.str;
         description = lib.mdDoc "SSID to be used in IEEE 802.11 management frames.";

nixos/modules/services/networking/ssh/sshd.nix

@@ -12,8 +12,23 @@ let
     then cfgc.package
     else pkgs.buildPackages.openssh;
 
+  # reports boolean as yes / no
+  mkValueStringSshd = v:
+        if isInt           v then toString v
+        else if isString   v then v
+        else if true  ==   v then "yes"
+        else if false ==   v then "no"
+        else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";
+
+  # dont use the "=" operator
+  settingsFormat = (pkgs.formats.keyValue {
+      mkKeyValue = lib.generators.mkKeyValueDefault {
+      mkValueString = mkValueStringSshd;
+    } " ";});
+
+  configFile = settingsFormat.generate "config" cfg.settings;
   sshconf = pkgs.runCommand "sshd.conf-validated" { nativeBuildInputs = [ validationPackage ]; } ''
-    cat >$out <<EOL
+    cat ${configFile} - >$out <<EOL
     ${cfg.extraConfig}
     EOL
 
@@ -24,6 +39,7 @@ let
   cfg  = config.services.openssh;
   cfgc = config.programs.ssh;
 
+
   nssModulesPath = config.system.nssModules.path;
 
   userOptions = {
@@ -82,6 +98,12 @@ in
     (mkAliasOptionModuleMD [ "services" "sshd" "enable" ] [ "services" "openssh" "enable" ])
     (mkAliasOptionModuleMD [ "services" "openssh" "knownHosts" ] [ "programs" "ssh" "knownHosts" ])
     (mkRenamedOptionModule [ "services" "openssh" "challengeResponseAuthentication" ] [ "services" "openssh" "kbdInteractiveAuthentication" ])
+
+    (mkRenamedOptionModule [ "services" "openssh" "kbdInteractiveAuthentication" ] [  "services" "openssh" "settings" "KbdInteractiveAuthentication" ])
+    (mkRenamedOptionModule [ "services" "openssh" "passwordAuthentication" ] [  "services" "openssh" "settings" "PasswordAuthentication" ])
+    (mkRenamedOptionModule [ "services" "openssh" "useDns" ] [  "services" "openssh" "settings" "UseDns" ])
+    (mkRenamedOptionModule [ "services" "openssh" "permitRootLogin" ] [  "services" "openssh" "settings" "PermitRootLogin" ])
+    (mkRenamedOptionModule [ "services" "openssh" "logLevel" ] [  "services" "openssh" "settings" "LogLevel" ])
   ];
 
   ###### interface
@@ -145,14 +167,6 @@ in
         '';
       };
 
-      permitRootLogin = mkOption {
-        default = "prohibit-password";
-        type = types.enum ["yes" "without-password" "prohibit-password" "forced-commands-only" "no"];
-        description = lib.mdDoc ''
-          Whether the root user can login using ssh.
-        '';
-      };
-
       gatewayPorts = mkOption {
         type = types.str;
         default = "no";
@@ -210,22 +224,6 @@ in
         '';
       };
 
-      passwordAuthentication = mkOption {
-        type = types.bool;
-        default = true;
-        description = lib.mdDoc ''
-          Specifies whether password authentication is allowed.
-        '';
-      };
-
-      kbdInteractiveAuthentication = mkOption {
-        type = types.bool;
-        default = true;
-        description = lib.mdDoc ''
-          Specifies whether keyboard-interactive authentication is allowed.
-        '';
-      };
-
       hostKeys = mkOption {
         type = types.listOf types.attrs;
         default =
@@ -346,19 +344,26 @@ in
         '';
       };
 
-      logLevel = mkOption {
+
+      settings = mkOption {
+        description = lib.mdDoc "Verbatim contents of {file}`sshd_config`.";
+        example = literalExpression ''{
+          UseDns true;
+        }'';
+        type = types.submodule ({name, ...}: {
+          freeformType = settingsFormat.type;
+          options = {
+            LogLevel = mkOption {
               type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ];
               default = "INFO"; # upstream default
               description = lib.mdDoc ''
-          Gives the verbosity level that is used when logging messages from sshd(8). The possible values are:
+                Gives the verbosity level that is used when logging messages from sshd(8). Logging with a DEBUG level
-          QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1
-          are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level
                 violates the privacy of users and is not recommended.
               '';
             };
-
+            UseDns = mkOption {
-      useDns = mkOption {
               type = types.bool;
+              # apply if cfg.useDns then "yes" else "no"
               default = false;
               description = lib.mdDoc ''
                 Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for
@@ -368,6 +373,31 @@ in
               '';
             };
 
+            PasswordAuthentication = mkOption {
+              type = types.bool;
+              default = true;
+              description = lib.mdDoc ''
+                Specifies whether password authentication is allowed.
+              '';
+            };
+            PermitRootLogin = mkOption {
+              default = "prohibit-password";
+              type = types.enum ["yes" "without-password" "prohibit-password" "forced-commands-only" "no"];
+              description = lib.mdDoc ''
+                Whether the root user can login using ssh.
+              '';
+            };
+            KbdInteractiveAuthentication = mkOption {
+              type = types.bool;
+              default = true;
+              description = lib.mdDoc ''
+                Specifies whether keyboard-interactive authentication is allowed.
+              '';
+            };
+          };
+        });
+      };
+
       extraConfig = mkOption {
         type = types.lines;
         default = "";
@@ -496,7 +526,7 @@ in
     security.pam.services.sshd =
       { startSession = true;
         showMotd = true;
-        unixAuth = cfg.passwordAuthentication;
+        unixAuth = cfg.settings.PasswordAuthentication;
       };
 
     # These values are merged with the ones defined externally, see:
@@ -530,10 +560,7 @@ in
           Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags}
         ''}
 
-        PermitRootLogin ${cfg.permitRootLogin}
         GatewayPorts ${cfg.gatewayPorts}
-        PasswordAuthentication ${if cfg.passwordAuthentication then "yes" else "no"}
-        KbdInteractiveAuthentication ${if cfg.kbdInteractiveAuthentication then "yes" else "no"}
 
         PrintMotd no # handled by pam_motd
 
@@ -550,11 +577,6 @@ in
         KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}
         Ciphers ${concatStringsSep "," cfg.ciphers}
         MACs ${concatStringsSep "," cfg.macs}
-
-        LogLevel ${cfg.logLevel}
-
-        UseDNS ${if cfg.useDns then "yes" else "no"}
-
       '';
 
     assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;

nixos/modules/services/security/fail2ban.nix

@@ -339,7 +339,7 @@ in
     # Block SSH if there are too many failing connection attempts.
     # Benefits from verbose sshd logging to observe failed login attempts,
     # so we set that here unless the user overrode it.
-    services.openssh.logLevel = lib.mkDefault "VERBOSE";
+    services.openssh.settings.LogLevel = lib.mkDefault "VERBOSE";
     services.fail2ban.jails.sshd = mkDefault ''
       enabled = true
       port    = ${concatMapStringsSep "," (p: toString p) config.services.openssh.ports}

nixos/modules/services/web-apps/photoprism.nix

@@ -0,0 +1,155 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.photoprism;
+
+  env = {
+    PHOTOPRISM_ORIGINALS_PATH = cfg.originalsPath;
+    PHOTOPRISM_STORAGE_PATH = cfg.storagePath;
+    PHOTOPRISM_IMPORT_PATH = cfg.importPath;
+    PHOTOPRISM_HTTP_HOST = cfg.address;
+    PHOTOPRISM_HTTP_PORT = toString cfg.port;
+  } // (
+    lib.mapAttrs (_: toString) cfg.settings
+  );
+
+  manage =
+    let
+      setupEnv = lib.concatStringsSep "\n" (lib.mapAttrsToList (name: val: "export ${name}=${lib.escapeShellArg val}") env);
+    in
+    pkgs.writeShellScript "manage" ''
+      ${setupEnv}
+      exec ${cfg.package}/bin/photoprism "$@"
+    '';
+in
+{
+  meta.maintainers = with lib.maintainers; [ stunkymonkey ];
+
+  options.services.photoprism = {
+
+    enable = lib.mkEnableOption (lib.mdDoc "Photoprism web server");
+
+    passwordFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      description = lib.mdDoc ''
+        Admin password file.
+      '';
+    };
+
+    address = lib.mkOption {
+      type = lib.types.str;
+      default = "localhost";
+      description = lib.mdDoc ''
+        Web interface address.
+      '';
+    };
+
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 2342;
+      description = lib.mdDoc ''
+        Web interface port.
+      '';
+    };
+
+    originalsPath = lib.mkOption {
+      type = lib.types.path;
+      default = null;
+      example = "/data/photos";
+      description = lib.mdDoc ''
+        Storage path of your original media files (photos and videos).
+      '';
+    };
+
+    importPath = lib.mkOption {
+      type = lib.types.str;
+      default = "import";
+      description = lib.mdDoc ''
+        Relative or absolute to the `originalsPath` from where the files should be imported.
+      '';
+    };
+
+    storagePath = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/photoprism";
+      description = lib.mdDoc ''
+        Location for sidecar, cache, and database files.
+      '';
+    };
+
+    package = lib.mkPackageOptionMD pkgs "photoprism" { };
+
+    settings = lib.mkOption {
+      type = lib.types.attrsOf lib.types.str;
+      default = { };
+      description = lib.mdDoc ''
+        See [the getting-started guide](https://docs.photoprism.app/getting-started/config-options/) for available options.
+      '';
+      example = {
+        PHOTOPRISM_DEFAULT_LOCALE = "de";
+        PHOTOPRISM_ADMIN_USER = "root";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.photoprism = {
+      description = "Photoprism server";
+
+      serviceConfig = {
+        Restart = "on-failure";
+        User = "photoprism";
+        Group = "photoprism";
+        DynamicUser = true;
+        StateDirectory = "photoprism";
+        WorkingDirectory = "/var/lib/photoprism";
+        RuntimeDirectory = "photoprism";
+
+        LoadCredential = lib.optionalString (cfg.passwordFile != null)
+          "PHOTOPRISM_ADMIN_PASSWORD:${cfg.passwordFile}";
+
+        CapabilityBoundingSet = "";
+        LockPersonality = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [ "@system-service" "~@privileged @setuid @keyring" ];
+        UMask = "0066";
+      } // lib.optionalAttrs (cfg.port < 1024) {
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+      };
+
+      wantedBy = [ "multi-user.target" ];
+      environment = env;
+
+      # reminder: easier password configuration will come in https://github.com/photoprism/photoprism/pull/2302
+      preStart = ''
+        ln -sf ${manage} photoprism-manage
+
+        ${lib.optionalString (cfg.passwordFile != null) ''
+          export PHOTOPRISM_ADMIN_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/PHOTOPRISM_ADMIN_PASSWORD")
+        ''}
+        exec ${cfg.package}/bin/photoprism migrations run -f
+      '';
+
+      script = ''
+        ${lib.optionalString (cfg.passwordFile != null) ''
+          export PHOTOPRISM_ADMIN_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/PHOTOPRISM_ADMIN_PASSWORD")
+        ''}
+        exec ${cfg.package}/bin/photoprism start
+      '';
+    };
+  };
+}
+

nixos/modules/system/activation/bootspec.nix

@@ -22,7 +22,7 @@ let
               system = config.boot.kernelPackages.stdenv.hostPlatform.system;
               kernel = "${config.boot.kernelPackages.kernel}/${config.system.boot.loader.kernelFile}";
               kernelParams = config.boot.kernelParams;
-              label = "NixOS ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})";
+              label = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})";
 
               inherit (cfg) extensions;
             } // lib.optionalAttrs config.boot.initrd.enable {

nixos/modules/system/activation/switch-to-configuration.pl

@@ -84,7 +84,7 @@ EOF
 
 # This is a NixOS installation if it has /etc/NIXOS or a proper
 # /etc/os-release.
-if (!-f "/etc/NIXOS" && (read_file("/etc/os-release", err_mode => "quiet") // "") !~ /^ID="?nixos"?/msx) {
+if (!-f "/etc/NIXOS" && (read_file("/etc/os-release", err_mode => "quiet") // "") !~ /^ID="?@distroId@"?/msx) {
     die("This is not a NixOS installation!\n");
 }
 

nixos/modules/system/activation/top-level.nix

@@ -65,6 +65,7 @@ let
 
       mkdir $out/bin
       export localeArchive="${config.i18n.glibcLocales}/lib/locale/locale-archive"
+      export distroId=${config.system.nixos.distroId};
       substituteAll ${./switch-to-configuration.pl} $out/bin/switch-to-configuration
       chmod +x $out/bin/switch-to-configuration
       ${optionalString (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) ''

nixos/modules/system/boot/loader/grub/grub.nix

@@ -55,7 +55,7 @@ let
       grubTargetEfi = if cfg.efiSupport && (cfg.version == 2) then f (grubEfi.grubTarget or "") else "";
       bootPath = args.path;
       storePath = config.boot.loader.grub.storePath;
-      bootloaderId = if args.efiBootloaderId == null then "NixOS${efiSysMountPoint'}" else args.efiBootloaderId;
+      bootloaderId = if args.efiBootloaderId == null then "${config.system.nixos.distroName}${efiSysMountPoint'}" else args.efiBootloaderId;
       timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout;
       users = if cfg.users == {} || cfg.version != 1 then cfg.users else throw "GRUB version 1 does not support user accounts.";
       theme = f cfg.theme;
@@ -759,6 +759,7 @@ in
             src = ./install-grub.pl;
             utillinux = pkgs.util-linux;
             btrfsprogs = pkgs.btrfs-progs;
+            inherit (config.system.nixos) distroName;
           };
           perl = pkgs.perl.withPackages (p: with p; [
             FileSlurp FileCopyRecursive

nixos/modules/system/boot/loader/grub/install-grub.pl

@@ -511,7 +511,7 @@ sub addEntry {
 # Add default entries.
 $conf .= "$extraEntries\n" if $extraEntriesBeforeNixOS;
 
-addEntry("NixOS - Default", $defaultConfig, $entryOptions);
+addEntry("@distroName@ - Default", $defaultConfig, $entryOptions);
 
 $conf .= "$extraEntries\n" unless $extraEntriesBeforeNixOS;
 
@@ -536,7 +536,7 @@ foreach my $link (@links) {
         my $linkname = basename($link);
         $entryName = "($linkname - $date - $version)";
     }
-    addEntry("NixOS - $entryName", $link);
+    addEntry("@distroName@ - $entryName", $link);
 }
 
 my $grubBootPath = $grubBoot->path;
@@ -568,19 +568,19 @@ sub addProfile {
             -e "$link/nixos-version"
             ? readFile("$link/nixos-version")
             : basename((glob(dirname(Cwd::abs_path("$link/kernel")) . "/lib/modules/*"))[0]);
-        addEntry("NixOS - Configuration " . nrFromGen($link) . " ($date - $version)", $link, $subEntryOptions);
+        addEntry("@distroName@ - Configuration " . nrFromGen($link) . " ($date - $version)", $link, $subEntryOptions);
     }
 
     $conf .= "}\n" if $grubVersion == 2;
 }
 
-addProfile "/nix/var/nix/profiles/system", "NixOS - All configurations";
+addProfile "/nix/var/nix/profiles/system", "@distroName@ - All configurations";
 
 if ($grubVersion == 2) {
     for my $profile (glob "/nix/var/nix/profiles/system-profiles/*") {
         my $name = basename($profile);
         next unless $name =~ /^\w+$/;
-        addProfile $profile, "NixOS - Profile '$name'";
+        addProfile $profile, "@distroName@ - Profile '$name'";
     }
 }
 

nixos/modules/system/boot/loader/init-script/init-script-builder.sh

@@ -64,13 +64,13 @@ addEntry() {
 
 mkdir -p /boot /sbin
 
-addEntry "NixOS - Default" $defaultConfig ""
+addEntry "@distroName@ - Default" $defaultConfig ""
 
 # Add all generations of the system profile to the menu, in reverse
 # (most recent to least recent) order.
 for link in $((ls -d $defaultConfig/specialisation/* ) | sort -n); do
     date=$(stat --printf="%y\n" $link | sed 's/\..*//')
-    addEntry "NixOS - variation" $link ""
+    addEntry "@distroName@ - variation" $link ""
 done
 
 for generation in $(
@@ -85,7 +85,7 @@ for generation in $(
     else
       suffix="($date)"
     fi
-    addEntry "NixOS - Configuration $generation $suffix" $link "$generation ($date)"
+    addEntry "@distroName@ - Configuration $generation $suffix" $link "$generation ($date)"
 done
 
 mv $tmpOther $targetOther

nixos/modules/system/boot/loader/init-script/init-script.nix

@@ -8,6 +8,7 @@ let
     src = ./init-script-builder.sh;
     isExecutable = true;
     inherit (pkgs) bash;
+    inherit (config.nixos.system) distroName;
     path = [pkgs.coreutils pkgs.gnused pkgs.gnugrep];
   };
 

nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py

@@ -42,7 +42,7 @@ def system_dir(profile: Optional[str], generation: int, specialisation: Optional
     else:
         return d
 
-BOOT_ENTRY = """title NixOS{profile}{specialisation}
+BOOT_ENTRY = """title @distroName@{profile}{specialisation}
 version Generation {generation} {description}
 linux {kernel}
 initrd {initrd}
@@ -99,7 +99,7 @@ def describe_generation(generation_dir: str) -> str:
     build_time = int(os.path.getctime(generation_dir))
     build_date = datetime.datetime.fromtimestamp(build_time).strftime('%F')
 
-    description = "NixOS {}, Linux Kernel {}, Built on {}".format(
+    description = "@distroName@ {}, Linux Kernel {}, Built on {}".format(
         nixos_version, kernel_version, build_date
     )
 
@@ -206,8 +206,8 @@ def get_profiles() -> List[str]:
         return []
 
 def main() -> None:
-    parser = argparse.ArgumentParser(description='Update NixOS-related systemd-boot files')
+    parser = argparse.ArgumentParser(description='Update @distroName@-related systemd-boot files')
-    parser.add_argument('default_config', metavar='DEFAULT-CONFIG', help='The default NixOS config to boot')
+    parser.add_argument('default_config', metavar='DEFAULT-CONFIG', help='The default @distroName@ config to boot')
     args = parser.parse_args()
 
     try:

nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix

@@ -30,6 +30,8 @@ let
 
     inherit (efi) efiSysMountPoint canTouchEfiVariables;
 
+    inherit (config.system.nixos) distroName;
+
     memtest86 = if cfg.memtest86.enable then pkgs.memtest86-efi else "";
 
     netbootxyz = if cfg.netbootxyz.enable then pkgs.netbootxyz-efi else "";

nixos/modules/system/boot/stage-1-init.sh

@@ -73,7 +73,7 @@ trap 'fail' 0
 
 # Print a greeting.
 info
-info "<<< NixOS Stage 1 >>>"
+info "<<< @distroName@ Stage 1 >>>"
 info
 
 # Make several required directories.
@@ -234,8 +234,7 @@ done
 mkdir -p /lib
 ln -s @modulesClosure@/lib/modules /lib/modules
 ln -s @modulesClosure@/lib/firmware /lib/firmware
-# see comment in stage-1.nix for explanation
+echo @extraUtils@/bin/modprobe > /proc/sys/kernel/modprobe
-echo @extraUtils@/bin/modprobe-kernel > /proc/sys/kernel/modprobe
 for i in @kernelModules@; do
     info "loading module $(basename $i)..."
     modprobe $i
@@ -422,7 +421,7 @@ lustrateRoot () {
     local root="$1"
 
     echo
-    echo -e "\e[1;33m<<< NixOS is now lustrating the root filesystem (cruft goes to /old-root) >>>\e[0m"
+    echo -e "\e[1;33m<<< @distroName@ is now lustrating the root filesystem (cruft goes to /old-root) >>>\e[0m"
     echo
 
     mkdir -m 0755 -p "$root/old-root.tmp"

nixos/modules/system/boot/stage-1.nix

@@ -150,26 +150,6 @@ let
       copy_bin_and_libs ${pkgs.kmod}/bin/kmod
       ln -sf kmod $out/bin/modprobe
 
-      # Dirty hack to make sure the kernel properly loads modules
-      # such as ext4 on demand (e.g. on a `mount(2)` syscall). This is necessary
-      # because `kmod` isn't linked against `libpthread.so.0` anymore (since
-      # it was merged into `libc.so.6` since version `2.34`), but still needs
-      # to access it for some reason. This is not an issue in stage-1 itself
-      # because of the `LD_LIBRARY_PATH`-variable and anytime later because the rpath of
-      # kmod/modprobe points to glibc's `$out/lib` where `libpthread.so.6` exists.
-      # However, this is a problem when the kernel calls `modprobe` inside
-      # the initial ramdisk because it doesn't know about the
-      # `LD_LIBRARY_PATH` and the rpath was nuked.
-      #
-      # Also, we can't use `makeWrapper` here because `kmod` only does
-      # `modprobe` functionality if `argv[0] == "modprobe"`.
-      cat >$out/bin/modprobe-kernel <<EOF
-      #!$out/bin/ash
-      export LD_LIBRARY_PATH=$out/lib
-      exec $out/bin/modprobe "\$@"
-      EOF
-      chmod +x $out/bin/modprobe-kernel
-
       # Copy resize2fs if any ext* filesystems are to be resized
       ${optionalString (any (fs: fs.autoResize && (lib.hasPrefix "ext" fs.fsType)) fileSystems) ''
         # We need mke2fs in the initrd.
@@ -342,6 +322,8 @@ let
 
     inherit (config.boot) resumeDevice;
 
+    inherit (config.system.nixos) distroName;
+
     inherit (config.system.build) earlyMountScript;
 
     inherit (config.boot.initrd) checkJournalingFS verbose

nixos/modules/system/boot/stage-2-init.sh

@@ -19,7 +19,7 @@ if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" != true ]; then
 
     # Print a greeting.
     echo
-    echo -e "\e[1;32m<<< NixOS Stage 2 >>>\e[0m"
+    echo -e "\e[1;32m<<< @distroName@ Stage 2 >>>\e[0m"
     echo
 
 

nixos/modules/system/boot/stage-2.nix

@@ -11,6 +11,7 @@ let
     shellDebug = "${pkgs.bashInteractive}/bin/bash";
     shell = "${pkgs.bash}/bin/bash";
     inherit (config.boot) readOnlyNixStore systemdExecutable extraSystemdUnitPaths;
+    inherit (config.system.nixos) distroName;
     isExecutable = true;
     inherit useHostResolvConf;
     inherit (config.system.build) earlyMountScript;

nixos/modules/tasks/network-interfaces.nix

@@ -434,7 +434,8 @@ in
   options = {
 
     networking.hostName = mkOption {
-      default = "nixos";
+      default = config.system.nixos.distroId;
+      defaultText = literalExpression "config.system.nixos.distroId";
       # Only allow hostnames without the domain name part (i.e. no FQDNs, see
       # e.g. "man 5 hostname") and require valid DNS labels (recommended
       # syntax). Note: We also allow underscores for compatibility/legacy

nixos/modules/virtualisation/amazon-image.nix

@@ -85,7 +85,7 @@ in
     # Allow root logins only using the SSH key that the user specified
     # at instance creation time.
     services.openssh.enable = true;
-    services.openssh.permitRootLogin = "prohibit-password";
+    services.openssh.settings.PermitRootLogin = "prohibit-password";
 
     # Enable the serial console on ttyS0
     systemd.services."serial-getty@ttyS0".enable = true;

nixos/modules/virtualisation/azure-common.nix

@@ -30,10 +30,8 @@ with lib;
   # Allow root logins only using the SSH key that the user specified
   # at instance creation time, ping client connections to avoid timeouts
   services.openssh.enable = true;
-  services.openssh.permitRootLogin = "prohibit-password";
+  services.openssh.settings.PermitRootLogin = "prohibit-password";
-  services.openssh.extraConfig = ''
+  services.openssh.settings.ClientAliveInterval = 180;
-    ClientAliveInterval 180
-  '';
 
   # Force getting the hostname from Azure
   networking.hostName = mkDefault "";

nixos/modules/virtualisation/brightbox-image.nix

@@ -103,7 +103,7 @@ in
   # Allow root logins only using the SSH key that the user specified
   # at instance creation time.
   services.openssh.enable = true;
-  services.openssh.permitRootLogin = "prohibit-password";
+  services.openssh.settings.PermitRootLogin = "prohibit-password";
 
   # Force getting the hostname from Google Compute.
   networking.hostName = mkDefault "";

nixos/modules/virtualisation/cloudstack-config.nix

@@ -21,7 +21,7 @@ with lib;
     # Allow root logins
     services.openssh = {
       enable = true;
-      permitRootLogin = "prohibit-password";
+      settings.PermitRootLogin = "prohibit-password";
     };
 
     # Cloud-init configuration.

nixos/modules/virtualisation/digital-ocean-config.nix

@@ -49,7 +49,7 @@ with lib;
       };
       services.openssh = {
         enable = mkDefault true;
-        passwordAuthentication = mkDefault false;
+        settings.PasswordAuthentication = mkDefault false;
       };
       services.do-agent.enable = mkDefault true;
       networking = {

nixos/modules/virtualisation/google-compute-config.nix

@@ -29,8 +29,8 @@ with lib;
   # Allow root logins only using SSH keys
   # and disable password authentication in general
   services.openssh.enable = true;
-  services.openssh.permitRootLogin = "prohibit-password";
+  services.openssh.settings.PermitRootLogin = "prohibit-password";
-  services.openssh.passwordAuthentication = mkDefault false;
+  services.openssh.settings.PasswordAuthentication = mkDefault false;
 
   # enable OS Login. This also requires setting enable-oslogin=TRUE metadata on
   # instance or project level

nixos/modules/virtualisation/lxc-container.nix

@@ -123,8 +123,8 @@ in
             architecture = builtins.elemAt (builtins.match "^([a-z0-9_]+).+" (toString pkgs.system)) 0;
             creation_date = 1;
             properties = {
-              description = "NixOS ${config.system.nixos.codeName} ${config.system.nixos.label} ${pkgs.system}";
+              description = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} ${pkgs.system}";
-              os = "nixos";
+              os = "${config.system.nixos.distroId}";
               release = "${config.system.nixos.codeName}";
             };
             templates = templates.properties;

nixos/modules/virtualisation/openstack-config.nix

@@ -59,8 +59,8 @@ in
     # Allow root logins
     services.openssh = {
       enable = true;
-      permitRootLogin = "prohibit-password";
+      settings.PermitRootLogin = "prohibit-password";
-      passwordAuthentication = mkDefault false;
+      settings.PasswordAuthentication = mkDefault false;
     };
 
     users.users.root.initialPassword = "foobar";

nixos/modules/virtualisation/virtualbox-image.nix

@@ -41,7 +41,7 @@ in {
       };
       vmName = mkOption {
         type = types.str;
-        default = "NixOS ${config.system.nixos.label} (${pkgs.stdenv.hostPlatform.system})";
+        default = "${config.system.nixos.distroName} ${config.system.nixos.label} (${pkgs.stdenv.hostPlatform.system})";
         description = lib.mdDoc ''
           The name of the VirtualBox appliance.
         '';

nixos/tests/all-tests.nix

@@ -436,7 +436,6 @@ in {
   netdata = handleTest ./netdata.nix {};
   networking.networkd = handleTest ./networking.nix { networkd = true; };
   networking.scripted = handleTest ./networking.nix { networkd = false; };
-  specialisation = handleTest ./specialisation.nix {};
   netbox = handleTest ./web-apps/netbox.nix {};
   # TODO: put in networking.nix after the test becomes more complete
   networkingProxy = handleTest ./networking-proxy.nix {};
@@ -464,6 +463,7 @@ in {
   nix-serve-ssh = handleTest ./nix-serve-ssh.nix {};
   nixops = handleTest ./nixops/default.nix {};
   nixos-generate-config = handleTest ./nixos-generate-config.nix {};
+  nixos-rebuild-specialisations = handleTest ./nixos-rebuild-specialisations.nix {};
   nixpkgs = pkgs.callPackage ../modules/misc/nixpkgs/test.nix { inherit evalMinimalConfig; };
   node-red = handleTest ./node-red.nix {};
   nomad = handleTest ./nomad.nix {};
@@ -513,6 +513,7 @@ in {
   pgjwt = handleTest ./pgjwt.nix {};
   pgmanage = handleTest ./pgmanage.nix {};
   phosh = handleTest ./phosh.nix {};
+  photoprism = handleTest ./photoprism.nix {};
   php = handleTest ./php {};
   php80 = handleTest ./php { php = pkgs.php80; };
   php81 = handleTest ./php { php = pkgs.php81; };

nixos/tests/borgbackup.nix

@@ -117,8 +117,10 @@ in {
     server = { ... }: {
       services.openssh = {
         enable = true;
-        passwordAuthentication = false;
+        settings = {
-        kbdInteractiveAuthentication = false;
+          PasswordAuthentication = false;
+          KbdInteractiveAuthentication = false;
+        };
       };
 
       services.borgbackup.repos.repo1 = {

nixos/tests/btrbk.nix

@@ -52,8 +52,10 @@ import ./make-test-python.nix ({ pkgs, ... }:
         environment.systemPackages = with pkgs; [ btrfs-progs ];
         services.openssh = {
           enable = true;
-          passwordAuthentication = false;
+          settings = {
-          kbdInteractiveAuthentication = false;
+            KbdInteractiveAuthentication = false;
+            PasswordAuthentication = false;
+          };
         };
         services.btrbk = {
           extraPackages = [ pkgs.lz4 ];

nixos/tests/google-oslogin/server.nix

@@ -17,8 +17,8 @@ in {
   };
 
   services.openssh.enable = true;
-  services.openssh.kbdInteractiveAuthentication = false;
+  services.openssh.settings.KbdInteractiveAuthentication = false;
-  services.openssh.passwordAuthentication = false;
+  services.openssh.settings.PasswordAuthentication = false;
 
   security.googleOsLogin.enable = true;
 

nixos/tests/installer.nix

@@ -21,6 +21,8 @@ let
             <nixpkgs/nixos/modules/testing/test-instrumentation.nix>
           ];
 
+        documentation.enable = false;
+
         # To ensure that we can rebuild the grub configuration on the nixos-rebuild
         system.extraDependencies = with pkgs; [ stdenvNoCC ];
 
@@ -307,7 +309,7 @@ let
           # builds stuff in the VM, needs more juice
           virtualisation.diskSize = 8 * 1024;
           virtualisation.cores = 8;
-          virtualisation.memorySize = 1536;
+          virtualisation.memorySize = 2047;
 
           boot.initrd.systemd.enable = systemdStage1;
 

nixos/tests/kernel-generic.nix

@@ -31,6 +31,7 @@ let
       linux_5_10_hardened
       linux_5_15_hardened
       linux_6_0_hardened
+      linux_6_1_hardened
 
       linux_testing;
   };

nixos/tests/nixos-rebuild-specialisations.nix

@@ -0,0 +1,131 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+  name = "nixos-rebuild-specialisations";
+
+  nodes = {
+    machine = { lib, pkgs, ... }: {
+      imports = [
+        ../modules/profiles/installation-device.nix
+        ../modules/profiles/base.nix
+      ];
+
+      nix.settings = {
+        substituters = lib.mkForce [ ];
+        hashed-mirrors = null;
+        connect-timeout = 1;
+      };
+
+      system.extraDependencies = with pkgs; [
+        curl
+        desktop-file-utils
+        docbook5
+        docbook_xsl_ns
+        grub2
+        kmod.dev
+        libarchive
+        libarchive.dev
+        libxml2.bin
+        libxslt.bin
+        python3Minimal
+        shared-mime-info
+        stdenv
+        sudo
+        xorg.lndir
+      ];
+
+      virtualisation = {
+        cores = 2;
+        memorySize = 2048;
+      };
+    };
+  };
+
+  testScript =
+    let
+      configFile = pkgs.writeText "configuration.nix" ''
+        { lib, pkgs, ... }: {
+          imports = [
+            ./hardware-configuration.nix
+            <nixpkgs/nixos/modules/testing/test-instrumentation.nix>
+          ];
+
+          boot.loader.grub = {
+            enable = true;
+            device = "/dev/vda";
+            forceInstall = true;
+          };
+
+          documentation.enable = false;
+
+          environment.systemPackages = [
+            (pkgs.writeShellScriptBin "parent" "")
+          ];
+
+          specialisation.foo = {
+            inheritParentConfig = true;
+
+            configuration = { ... }: {
+              environment.systemPackages = [
+                (pkgs.writeShellScriptBin "foo" "")
+              ];
+            };
+          };
+
+          specialisation.bar = {
+            inheritParentConfig = true;
+
+            configuration = { ... }: {
+              environment.systemPackages = [
+                (pkgs.writeShellScriptBin "bar" "")
+              ];
+            };
+          };
+        }
+      '';
+
+    in
+    ''
+      machine.start()
+      machine.succeed("udevadm settle")
+      machine.wait_for_unit("multi-user.target")
+
+      machine.succeed("nixos-generate-config")
+      machine.copy_from_host(
+          "${configFile}",
+          "/etc/nixos/configuration.nix",
+      )
+
+      with subtest("Switch to the base system"):
+          machine.succeed("nixos-rebuild switch")
+          machine.succeed("parent")
+          machine.fail("foo")
+          machine.fail("bar")
+
+      with subtest("Switch from base system into a specialization"):
+          machine.succeed("nixos-rebuild switch --specialisation foo")
+          machine.succeed("parent")
+          machine.succeed("foo")
+          machine.fail("bar")
+
+      with subtest("Switch from specialization into another specialization"):
+          machine.succeed("nixos-rebuild switch -c bar")
+          machine.succeed("parent")
+          machine.fail("foo")
+          machine.succeed("bar")
+
+      with subtest("Switch from specialization into the base system"):
+          machine.succeed("nixos-rebuild switch")
+          machine.succeed("parent")
+          machine.fail("foo")
+          machine.fail("bar")
+
+      with subtest("Switch into specialization using `nixos-rebuild test`"):
+          machine.succeed("nixos-rebuild test --specialisation foo")
+          machine.succeed("parent")
+          machine.succeed("foo")
+          machine.fail("bar")
+
+      with subtest("Make sure nonsense command combinations are forbidden"):
+          machine.fail("nixos-rebuild boot --specialisation foo")
+          machine.fail("nixos-rebuild boot -c foo")
+    '';
+})

nixos/tests/ntfy-sh.nix

@@ -12,6 +12,8 @@ import ./make-test-python.nix {
 
     machine.wait_for_unit("multi-user.target")
 
+    machine.wait_for_open_port(80)
+
     machine.succeed(f"curl -d '{msg}' localhost:80/test")
 
     notif = json.loads(machine.succeed("curl -s localhost:80/test/json?poll=1"))

nixos/tests/photoprism.nix

@@ -0,0 +1,23 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
+  name = "photoprism";
+  meta.maintainers = with lib.maintainers; [ stunkymonkey ];
+
+  nodes.machine = { pkgs, ... }: {
+    services.photoprism = {
+      enable = true;
+      port = 8080;
+      originalsPath = "/media/photos/";
+      passwordFile = pkgs.writeText "password" "secret";
+    };
+    environment.extraInit = ''
+      mkdir -p /media/photos
+    '';
+  };
+
+  testScript = ''
+    machine.wait_for_unit("multi-user.target")
+    machine.wait_for_open_port(8080)
+    response = machine.succeed("curl -vvv -s -H 'Host: photoprism' http://127.0.0.1:8080/library/login")
+    assert '<title>PhotoPrism</title>' in response, "Login page didn't load successfully"
+  '';
+})

nixos/tests/sourcehut.nix

@@ -18,8 +18,10 @@ let
           # passwordless ssh server
           services.openssh = {
             enable = true;
-            permitRootLogin = "yes";
+            settings = {
-            extraConfig = "PermitEmptyPasswords yes";
+              PermitRootLogin = "yes";
+              PermitEmptyPasswords = true;
+            };
           };
 
           users = {

nixos/tests/specialisation.nix

@@ -1,43 +0,0 @@
-import ./make-test-python.nix {
-  name = "specialisation";
-  nodes =  {
-    inheritconf = { pkgs, ... }: {
-      environment.systemPackages = [ pkgs.cowsay ];
-      specialisation.inheritconf.configuration = { pkgs, ... }: {
-        environment.systemPackages = [ pkgs.hello ];
-      };
-    };
-    noinheritconf = { pkgs, ... }: {
-      environment.systemPackages = [ pkgs.cowsay ];
-      specialisation.noinheritconf = {
-        inheritParentConfig = false;
-        configuration = { pkgs, ... }: {
-          environment.systemPackages = [ pkgs.hello ];
-        };
-      };
-    };
-  };
-  testScript = ''
-    inheritconf.wait_for_unit("default.target")
-    inheritconf.succeed("cowsay hey")
-    inheritconf.fail("hello")
-
-    with subtest("Nested clones do inherit from parent"):
-        inheritconf.succeed(
-            "/run/current-system/specialisation/inheritconf/bin/switch-to-configuration test"
-        )
-        inheritconf.succeed("cowsay hey")
-        inheritconf.succeed("hello")
-
-        noinheritconf.wait_for_unit("default.target")
-        noinheritconf.succeed("cowsay hey")
-        noinheritconf.fail("hello")
-
-    with subtest("Nested children do not inherit from parent"):
-        noinheritconf.succeed(
-            "/run/current-system/specialisation/noinheritconf/bin/switch-to-configuration test"
-        )
-        noinheritconf.fail("cowsay hey")
-        noinheritconf.succeed("hello")
-  '';
-}

nixos/tests/turbovnc-headless-server.nix

@@ -26,7 +26,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
     # So that we can ssh into the VM, see e.g.
     # http://blog.patapon.info/nixos-local-vm/#accessing-the-vm-with-ssh
     services.openssh.enable = true;
-    services.openssh.permitRootLogin = "yes";
+    services.openssh.settings.PermitRootLogin = "yes";
     users.extraUsers.root.password = "";
     users.mutableUsers = false;
   };

pkgs/applications/audio/strawberry/default.nix

@@ -42,13 +42,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "strawberry";
-  version = "1.0.12";
+  version = "1.0.13";
 
   src = fetchFromGitHub {
     owner = "jonaski";
     repo = pname;
     rev = version;
-    hash = "sha256-XJCU9cGhmwJ6f79y3tAW1qfJKO7YESVpHY/1FmPQ/Mo=";
+    hash = "sha256-szvCI1olC7GccJUGwR2Cx+FNGvfxeESsiSwWPTXWbc0=";
   };
 
   # the big strawberry shown in the context menu is *very* much in your face, so use the grey version instead

pkgs/applications/editors/eclipse/build-eclipse.nix

@@ -2,7 +2,7 @@
 , zlib, jdk, glib, glib-networking, gtk, libXtst, libsecret, gsettings-desktop-schemas, webkitgtk
 , makeWrapper, perl, ... }:
 
-{ name, src ? builtins.getAttr stdenv.hostPlatform.system sources, sources ? null, description, productVersion }:
+{ name, src ? builtins.getAttr stdenv.hostPlatform.system sources, sources ? null, description }:
 
 stdenv.mkDerivation rec {
   inherit name src;
@@ -38,13 +38,14 @@ stdenv.mkDerivation rec {
     # settings in ~/.eclipse/org.eclipse.platform_<version> rather
     # than ~/.eclipse/org.eclipse.platform_<version>_<number>.
     productId=$(sed 's/id=//; t; d' $out/eclipse/.eclipseproduct)
+    productVersion=$(sed 's/version=//; t; d' $out/eclipse/.eclipseproduct)
 
     makeWrapper $out/eclipse/eclipse $out/bin/eclipse \
       --prefix PATH : ${jdk}/bin \
       --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath ([ glib gtk libXtst libsecret ] ++ lib.optional (webkitgtk != null) webkitgtk)} \
       --prefix GIO_EXTRA_MODULES : "${glib-networking}/lib/gio/modules" \
       --prefix XDG_DATA_DIRS : "$GSETTINGS_SCHEMAS_PATH" \
-      --add-flags "-configuration \$HOME/.eclipse/''${productId}_${productVersion}/configuration"
+      --add-flags "-configuration \$HOME/.eclipse/''${productId}_$productVersion/configuration"
 
     # Create desktop item.
     mkdir -p $out/share/applications

pkgs/applications/editors/eclipse/default.nix

@@ -14,21 +14,19 @@
 
 let
   platform_major = "4";
-  platform_minor = "25";
+  platform_minor = "26";
   year = "2022";
-  month = "09"; #release month
+  month = "12"; #release month
-  buildmonth = "08"; #sometimes differs from release month
+  buildmonth = "11"; #sometimes differs from release month
-  timestamp = "${year}${buildmonth}311800";
+  timestamp = "${year}${buildmonth}231800";
   gtk = gtk3;
 in rec {
 
-  # work around https://bugs.eclipse.org/bugs/show_bug.cgi?id=476075#c3
+  buildEclipse = callPackage ./build-eclipse.nix {
-  buildEclipseUnversioned = callPackage ./build-eclipse.nix {
     inherit stdenv makeDesktopItem freetype fontconfig libX11 libXrender zlib
             jdk glib gtk libXtst gsettings-desktop-schemas webkitgtk
             makeWrapper;
   };
-  buildEclipse = eclipseData: buildEclipseUnversioned (eclipseData // { productVersion = "${platform_major}.${platform_minor}"; });
 
   ### Eclipse CPP
 
@@ -38,7 +36,7 @@ in rec {
     src =
       fetchurl {
         url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/${year}-${month}/R/eclipse-cpp-${year}-${month}-R-linux-gtk-x86_64.tar.gz";
-        hash = "sha512-1sUQ/jDOQMqnKLKY6oh28STvS5pbH89+2zs+H77euiJOsBgB+yEkEntnhI39O67qmOK/EkQ3y3NkQcumbax56A==";
+        hash = "sha512-nqqY4dewq1bjeNoZdWvOez+cBti+f9qXshx1eqJ2lB7sGJva5mcR9e+CZTVD0+EtVJ/U+8viJ+E1Veht1ZnqOw==";
       };
   };
 
@@ -50,7 +48,7 @@ in rec {
     src =
       fetchurl {
         url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/${year}-${month}/R/eclipse-modeling-${year}-${month}-R-linux-gtk-x86_64.tar.gz";
-        hash = "sha512-Qb2BmfXtmVeTLIZZav91hayPkwSGYMAG3fod3BmyJdo1DPas6VC+MzBwklAjpC1wqLTzKCAKzVZtdtPYC9QCqw==";
+        hash = "sha512-WU2BJt6GL3ug3yOUOd5y6/AbGLcr2MkCg+QJiNIMkSXvoU9TF6R6oimoGVc3kPZmazRy6WYoes55T3bWrHnO8Q==";
       };
   };
 
@@ -62,17 +60,16 @@ in rec {
     src =
       fetchurl {
         url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops${platform_major}/R-${platform_major}.${platform_minor}-${timestamp}/eclipse-platform-${platform_major}.${platform_minor}-linux-gtk-x86_64.tar.gz";
-        hash = "sha512-RW+5H82AcH/U9XUzIlUCU5heN9qQAlMl3rmxsKnTYxVWdIjSN461Nf71F6jPhL/Q+VCAMesguOEF0AqyhnH0nw==";
+        hash = "sha512-hmdWGteMDt4HhYq+k9twuftalpTzHtGnVVLphZcpJcw+6vJfersciDMaeLRqbCAeFbzJdgzjYo76bpP6FubySw==";
       };
   };
 
   ### Eclipse Scala SDK
 
   eclipse-scala-sdk =
-    buildEclipseUnversioned.override { jdk = jdk8; gtk = gtk2; } {
+    buildEclipse.override { jdk = jdk8; gtk = gtk2; } {
       name = "eclipse-scala-sdk-4.7.0";
       description = "Eclipse IDE for Scala Developers";
-      productVersion = "4.7";
       src =
         fetchurl {
           url = "https://downloads.typesafe.com/scalaide-pack/4.7.0-vfinal-oxygen-212-20170929/scala-SDK-4.7.0-vfinal-2.12-linux.gtk.x86_64.tar.gz";
@@ -88,7 +85,7 @@ in rec {
     src =
       fetchurl {
         url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops${platform_major}/R-${platform_major}.${platform_minor}-${timestamp}/eclipse-SDK-${platform_major}.${platform_minor}-linux-gtk-x86_64.tar.gz";
-        hash = "sha512-1wjKNBl6A2XENRVZNtDelPSMAYtc4wRXdQ4CJX/1YcFUPEzbPsX7plO2uJXmDpZcjw3wkQNxqy4bmZF6YnXy/Q==";
+        hash = "sha512-yH4/K9sBLCUc2EVYwPL0dLql/S3AfaV6fFh7ewAuIb7yHtcsOWMqy/h1hZUlFFg2ykfwDWDDHEK7qfTI0hM7BQ==";
       };
   };
 
@@ -100,7 +97,7 @@ in rec {
     src =
       fetchurl {
         url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/${year}-${month}/R/eclipse-java-${year}-${month}-R-linux-gtk-x86_64.tar.gz";
-        hash = "sha512-UejE0pzgwBYpmNbdGEegMM5iEOMYP+VvebU17YQeJUzh/qYr0B6sfXwJ+cdTCavKCNGLMMDenJMYk9V/6DSZHw==";
+        hash = "sha512-71mXYVLVnyDjYZbJGBKc0aDPq8sbTxlVZRQq7GlSUDv2fsoNYWYgqYfK7RSED5yoasCfs3HUYr7QowRAKJOnfQ==";
       };
   };
 
@@ -112,7 +109,7 @@ in rec {
     src =
       fetchurl {
         url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/${year}-${month}/R/eclipse-jee-${year}-${month}-R-linux-gtk-x86_64.tar.gz";
-        hash = "sha512-9E0Zwv64qRwVdPouhmIYT6SkbTkd3zLnfkHduHy2VXvmqW7xaOfmplvxpr+V1RDpnfDfw4RouU+WQdhFqBqcWg==";
+        hash = "sha512-55i9YVOa+vKHt72vHIqy9BmKMkg1KaLqMStjTtfaLTH5yP0ei+NTP2XL8IBHOgu0hCEJqYXTq+3I3RQy476etQ==";
       };
   };
 
@@ -124,7 +121,7 @@ in rec {
     src =
       fetchurl {
         url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/${year}-${month}/R/eclipse-committers-${year}-${month}-R-linux-gtk-x86_64.tar.gz";
-        hash = "sha512-V7GmvqQVZnTkkhKmuGyMiZlFlRpFbXM7r6w9yS0FxBOHNHIzkX4pJ6sgn+ww1lvwsdPqBFYtbWUiuKo73eTKzg==";
+        hash = "sha512-zGeynifM0dn1214HEVS7OVtv7xa8asjLzOXh5riJK8c/DWvNrRduHn6o6PGnxYOYVIfC9BzNRAjG1STkWu9j+Q==";
       };
   };
 
@@ -136,7 +133,7 @@ in rec {
     src =
       fetchurl {
         url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/${year}-${month}/R/eclipse-rcp-${year}-${month}-R-linux-gtk-x86_64.tar.gz";
-        hash = "sha256-8qQWwUiNemJLTAncZwO14fBfr7kTmmXPSeqBLfV8wTw=";
+        hash = "sha256-ml76ix0fHuR0KqYWQuTftEBAgq7iaOIyvr8V6WhuzeU=";
       };
   };
 

pkgs/applications/editors/eclipse/plugins.nix

@@ -255,12 +255,12 @@ rec {
   cdt = buildEclipseUpdateSite rec {
     name = "cdt-${version}";
     # find current version at https://www.eclipse.org/cdt/downloads.php
-    version = "10.7.0";
+    version = "11.0.0";
 
     src = fetchzip {
       stripRoot = false;
       url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/tools/cdt/releases/${lib.versions.majorMinor version}/${name}/${name}.zip";
-      hash = "sha256-/lQ3TLFQ1IgwYM540gxAFiEGOfHQIQQMf/pqCZ29ztQ=";
+      hash = "sha256-2rt9crMqNFevIHFIdOGWDq+j0ZJPVt1a9Z7P9HG58Ks=";
     };
 
     meta = with lib; {

pkgs/applications/editors/sublime/4/common.nix

@@ -3,6 +3,7 @@
 { fetchurl, stdenv, lib, xorg, glib, libglvnd, glibcLocales, gtk3, cairo, pango, makeWrapper, wrapGAppsHook
 , writeShellScript, common-updater-scripts, curl
 , openssl_1_1, bzip2, bash, unzip, zip
+, sqlite
 }:
 
 let
@@ -15,7 +16,19 @@ let
   versionUrl = "https://download.sublimetext.com/latest/${if dev then "dev" else "stable"}";
   versionFile = builtins.toString ./packages.nix;
 
-  libPath = lib.makeLibraryPath [ xorg.libX11 xorg.libXtst glib libglvnd openssl_1_1 gtk3 cairo pango curl ];
+  neededLibraries = [
+    xorg.libX11
+    xorg.libXtst
+    glib
+    libglvnd
+    openssl_1_1
+    gtk3
+    cairo
+    pango
+    curl
+  ] ++ lib.optionals (lib.versionAtLeast buildVersion "4145") [
+    sqlite
+  ];
 in let
   binaryPackage = stdenv.mkDerivation rec {
     pname = "${pnameBase}-bin";
@@ -52,7 +65,7 @@ in let
       for binary in ${ builtins.concatStringsSep " " binaries }; do
         patchelf \
           --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
-          --set-rpath ${libPath}:${stdenv.cc.cc.lib}/lib${lib.optionalString stdenv.is64bit "64"} \
+          --set-rpath ${lib.makeLibraryPath neededLibraries}:${stdenv.cc.cc.lib}/lib${lib.optionalString stdenv.is64bit "64"} \
           $binary
       done
 
@@ -67,6 +80,7 @@ in let
 
       # No need to patch these libraries, it works well with our own
       rm libcrypto.so.1.1 libssl.so.1.1
+      ${lib.optionalString (lib.versionAtLeast buildVersion "4145") "rm libsqlite3.so"}
 
       mkdir -p $out
       cp -r * $out/

pkgs/applications/editors/sublime/4/packages.nix

@@ -11,9 +11,9 @@ in
     } {};
 
     sublime4-dev = common {
-      buildVersion = "4141";
+      buildVersion = "4147";
       dev = true;
-      x64sha256 = "eFo9v4hSrp1gV56adVyFB9sOApOXlKNvVBW0wbFYG4g=";
+      x64sha256 = "9zs+2cp+pid0y/v5tHJN4jp7sM1oGB5EgGzMASL3y4o=";
-      aarch64sha256 = "MmwSptvSH507+X9GT8GC4tzZFzEfT2pKc+/Qu5SbMkM=";
+      aarch64sha256 = "KyvHJPqBEfeQQJnuyWZA7vGhWkYFqMaTMx+uy+3cZ30=";
     } {};
   }

pkgs/applications/editors/vscode/extensions/default.nix

@@ -2229,8 +2229,8 @@ let
         mktplcRef = {
           name = "adwaita-theme";
           publisher = "piousdeer";
-          version = "1.0.8";
+          version = "1.1.0";
-          sha256 = "XyzxiwKQGDUIXp6rnt1BmPzfpd1WrG8HnEqYEOJV6P8=";
+          sha256 = "sha256-tKpKLUcc33YrgDS95PJu22ngxhwjqeVMC1Mhhy+IPGE=";
         };
         meta = with lib; {
           description = "Theme for the GNOME desktop";

pkgs/applications/misc/dasel/default.nix

@@ -5,16 +5,16 @@
 
 buildGoModule rec {
   pname = "dasel";
-  version = "2.0.2";
+  version = "2.1.0";
 
   src = fetchFromGitHub {
     owner = "TomWright";
     repo = "dasel";
     rev = "v${version}";
-    sha256 = "sha256-VdOXmhfgDzMyspoCFQl64obpQph14XZxR0Nas+crelA=";
+    sha256 = "sha256-7JGafJE9nwZ95bOWUyVw2uWA2LltE9HxolHGYU079to=";
   };
 
-  vendorSha256 = "sha256-GO5Vg8zsXfjMBzRDC1/s/SYpviKUf59JB14vauKVFcE=";
+  vendorHash = "sha256-GO5Vg8zsXfjMBzRDC1/s/SYpviKUf59JB14vauKVFcE=";
 
   ldflags = [
     "-s" "-w" "-X github.com/tomwright/dasel/internal.Version=${version}"

pkgs/applications/misc/process-viewer/default.nix

@@ -4,28 +4,24 @@
 , pkg-config
 , gtk4
 , stdenv
-, DiskArbitration
+, darwin
-, Foundation
-, IOKit
 }:
 
 rustPlatform.buildRustPackage rec {
   pname = "process-viewer";
-  version = "0.5.5";
+  version = "0.5.6";
 
   src = fetchCrate {
     inherit pname version;
-    sha256 = "sha256-MHVKjbD1/h7G94x6dpyRT/BPWQVUFurW7EvAUJ2xZeU=";
+    sha256 = "sha256-ELASfcXNhUCE/mhPKBHA78liFMbcT9RB/aoLt4ZRPa0=";
   };
 
-  cargoSha256 = "sha256-NkJjwB4rBV4hFRwYHILMET8o4x1+95sVsFqNaVN8tMg=";
+  cargoSha256 = "sha256-K2kyZwKRALh9ImPngijgpoHyLS+c5sDYviN74JxhJLM=";
 
   nativeBuildInputs = [ pkg-config ];
 
   buildInputs = [ gtk4 ] ++ lib.optionals stdenv.isDarwin [
-    DiskArbitration
+    darwin.apple_sdk_11_0.frameworks.Foundation
-    Foundation
-    IOKit
   ];
 
   postInstall = ''

pkgs/applications/misc/thedesk/default.nix

@@ -3,11 +3,11 @@
 
 stdenv.mkDerivation rec {
   pname = "thedesk";
-  version = "23.0.3";
+  version = "23.0.5";
 
   src = fetchurl {
     url = "https://github.com/cutls/TheDesk/releases/download/v${version}/${pname}_${version}_amd64.deb";
-    sha256 = "sha256-X1WNfpsHRkk2UNTExn338r4pWhtC1osrCo6V8g7Pxcc=";
+    sha256 = "sha256-6pXbHkLdJw0+G9lep/tGkbSGAf8AobkQQgvw6gPYlro=";
   };
 
   nativeBuildInputs = [

pkgs/applications/networking/browsers/chromium/upstream-info.json

@@ -19,22 +19,22 @@
     }
   },
   "beta": {
-    "version": "109.0.5414.74",
+    "version": "110.0.5481.30",
-    "sha256": "0pcfaj3n3rjk4va9g0ajlsv1719kdhqcnjdd4piinqxb4qy27vgd",
+    "sha256": "03r2mpnrw9p188lajf69lpd94rcgj5a9hs2nlf01f0czl6nij0bx",
-    "sha256bin64": "1ihjjf8x5080p9bizhqrrr0rcjf0l1nps9xq9naa2f48y5zfshkd",
+    "sha256bin64": "0bpv4qgbbi8651x5mp8qyqxlxqm5x9csml1yi3789f7d40hs4vj9",
     "deps": {
       "gn": {
-        "version": "2022-11-10",
+        "version": "2022-12-12",
         "url": "https://gn.googlesource.com/gn",
-        "rev": "1c4151ff5c1d6fbf7fa800b8d4bb34d3abc03a41",
+        "rev": "5e19d2fb166fbd4f6f32147fbb2f497091a54ad8",
-        "sha256": "02621c9nqpr4pwcapy31x36l5kbyd0vdgd0wdaxj5p8hrxk67d6b"
+        "sha256": "1b5fwldfmkkbpp5x63n1dxv0nc965hphc8rm8ah7zg44zscm9z30"
       }
     }
   },
   "dev": {
-    "version": "110.0.5481.24",
+    "version": "111.0.5532.2",
-    "sha256": "1656qjbrrv276xxdlw0iv635sgm89r7nx32780zglm0lag3jx6ai",
+    "sha256": "0aaxfi4f88s1cfzyhngmsmb84awy85xjy6a8pk3bfamssgxj0981",
-    "sha256bin64": "0pzd441qghdhibcnh1f2fldsx5ddjjwfrjv1nwi15pf3cabymz5g",
+    "sha256bin64": "1jjmqi27qwbnmcfq043gxws31v47yfkzs7jk7mxzzxbaqj7v3wf6",
     "deps": {
       "gn": {
         "version": "2022-12-12",

pkgs/applications/networking/browsers/firefox/common.nix

@@ -471,6 +471,8 @@ buildStdenv.mkDerivation ({
   separateDebugInfo = enableDebugSymbols;
   enableParallelBuilding = true;
 
+  NIX_LDFLAGS = if (with stdenv; isAarch64 && isLinux) then [ "-lgcc" ] else null;
+
   # tests were disabled in configureFlags
   doCheck = false;
 

pkgs/applications/networking/browsers/vivaldi/default.nix

@@ -21,11 +21,11 @@ let
   vivaldiName = if isSnapshot then "vivaldi-snapshot" else "vivaldi";
 in stdenv.mkDerivation rec {
   pname = "vivaldi";
-  version = "5.6.2867.36";
+  version = "5.6.2867.58";
 
   src = fetchurl {
     url = "https://downloads.vivaldi.com/${branch}/vivaldi-${branch}_${version}-1_amd64.deb";
-    sha256 = "sha256-dTXppRn/bl+HYVzqyrKBXb2YAaw0lRJkwAeukalv3a4=d";
+    sha256 = "sha256-eRHQaKztf66o9FoCNSRyXS5Ht6d51GTilNO5DxItUCw=";
   };
 
   unpackPhase = ''

pkgs/applications/networking/cluster/calico/default.nix

@@ -2,16 +2,16 @@
 
 builtins.mapAttrs (pname: { doCheck ? true, mainProgram ? pname, subPackages }: buildGoModule rec {
   inherit pname;
-  version = "3.24.5";
+  version = "3.25.0";
 
   src = fetchFromGitHub {
     owner = "projectcalico";
     repo = "calico";
     rev = "v${version}";
-    hash = "sha256-fB9FHiIqVieVkPfHmBvcaUmUqkT1ZbDT26+DUE9lbdc=";
+    hash = "sha256-sD79WiGKfwjtoiYlLow4h58skbHpuZyzMQ0VOyBKRnk=";
   };
 
-  vendorHash = "sha256-ogQ/REf5cngoGAFIBN++txew6UqOw1hqCVsixyuGtug=";
+  vendorHash = "sha256-p4Ve6qWnYyHUUyKmLfbaZIGGfleLuzz+MZgGRSsBoWM=";
 
   inherit doCheck subPackages;
 

pkgs/applications/networking/cluster/cmctl/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "cmctl";
-  version = "1.10.1";
+  version = "1.11.0";
 
   src = fetchFromGitHub {
     owner = "cert-manager";
     repo = "cert-manager";
-    rev = "a96bae172ddb1fcd4b57f1859ab9d1a9e94f7451";
+    rev = "2a0ef53b06e183356d922cd58af2510d8885bef5";
-    sha256 = "0wj2fshkfdrqrjyq3khzpdjiw5x3djjw9x7qq8mdgzyj84cmz11w";
+    sha256 = "0cvsmc06gg8w5j2k1zj4i8qpqlvpjfa6d7wn24v0hs1a1qk8c7a8";
   };
 
-  vendorSha256 = "sha256-WPFteR3t9qQiuBcCLqvp8GterqcD2SxJi59Wb7BvDT4=";
+  vendorSha256 = "sha256-aLEQoNt/5ikMw+wExSUITey/68Gk4+dsRbSydsiEiEg=";
 
   subPackages = [ "cmd/ctl" ];
 

pkgs/applications/networking/instant-messengers/SkypeExport/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, cmake, boost166 }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, cmake, boost }:
 
 stdenv.mkDerivation rec {
   pname = "SkypeExport";
@@ -11,8 +11,16 @@ stdenv.mkDerivation rec {
     sha256 = "1ilkh0s3dz5cp83wwgmscnfmnyck5qcwqg1yxp9zv6s356dxnbak";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "boost167.patch";
+      url = "https://github.com/Temptin/SkypeExport/commit/ef60f2e4fc9e4a5764c8d083a73b585457bc10b1.patch";
+      sha256 = "sha256-t+/v7c66OULmQCD/sNt+iDJeQ/6UG0CJ8uQY2PVSFQo=";
+    })
+  ];
+
   nativeBuildInputs = [ cmake ];
-  buildInputs = [ boost166 ];
+  buildInputs = [ boost ];
 
   preConfigure = "cd src/SkypeExport/_gccbuild/linux";
   installPhase = "install -Dt $out/bin SkypeExport";
@@ -21,7 +29,7 @@ stdenv.mkDerivation rec {
     description = "Export Skype history to HTML";
     homepage = "https://github.com/Temptin/SkypeExport";
     license = licenses.gpl2;
-    platforms = platforms.linux;
+    platforms = platforms.unix;
     maintainers = with maintainers; [ yana ];
   };
 }

pkgs/applications/networking/instant-messengers/cinny/default.nix

@@ -4,11 +4,11 @@ let
   configOverrides = writeText "cinny-config-overrides.json" (builtins.toJSON conf);
 in stdenv.mkDerivation rec {
   pname = "cinny";
-  version = "2.2.2";
+  version = "2.2.3";
 
   src = fetchurl {
     url = "https://github.com/ajbura/cinny/releases/download/v${version}/cinny-v${version}.tar.gz";
-    sha256 = "sha256-MNmU6MvDwGbFNQt7qe08klXjy1n2LiABlPkARGvjVJU=";
+    hash = "sha256-Q6f24LRYCxdgAguUVl7jf7srkd2L1IptiBgHJQq2dHE=";
   };
 
   installPhase = ''

pkgs/applications/networking/instant-messengers/discord/default.nix

@@ -1,7 +1,7 @@
 { branch ? "stable", callPackage, fetchurl, lib, stdenv }:
 let
   versions = if stdenv.isLinux then {
-    stable = "0.0.22";
+    stable = "0.0.24";
     ptb = "0.0.38";
     canary = "0.0.145";
   } else {
@@ -14,7 +14,7 @@ let
     x86_64-linux = {
       stable = fetchurl {
         url = "https://dl.discordapp.net/apps/linux/${version}/discord-${version}.tar.gz";
-        sha256 = "sha256-F1xzdx4Em6Ref7HTe9EH7whx49iFc0DFpaQKdFquq6c=";
+        sha256 = "sha256-SG+34ft0mTqtg9rFiI60N6JIONyqF8c8SlnRcn5a4Xc=";
       };
       ptb = fetchurl {
         url = "https://dl-ptb.discordapp.net/apps/linux/${version}/discord-ptb-${version}.tar.gz";

pkgs/applications/office/paperless-ngx/default.nix

@@ -81,12 +81,12 @@ let
 in
 python.pkgs.pythonPackages.buildPythonApplication rec {
   pname = "paperless-ngx";
-  version = "1.10.2";
+  version = "1.11.3";
 
   # Fetch the release tarball instead of a git ref because it contains the prebuilt frontend
   src = fetchurl {
     url = "https://github.com/paperless-ngx/paperless-ngx/releases/download/v${version}/${pname}-v${version}.tar.xz";
-    hash = "sha256-uOrRHHNqIYsDbzKcA7EsYZjadpLyAB4Ks+PU+BNsTWE=";
+    hash = "sha256-wGNkdczgV+UDd9ZO+BXMSWotpetE/+c/jJAAH+6SXps=";
   };
 
   format = "other";
@@ -99,6 +99,7 @@ python.pkgs.pythonPackages.buildPythonApplication rec {
     attrs
     autobahn
     automat
+    bleach
     blessed
     celery
     certifi
@@ -128,6 +129,7 @@ python.pkgs.pythonPackages.buildPythonApplication rec {
     httptools
     humanfriendly
     hyperlink
+    imagehash
     idna
     imap-tools
     img2pdf
@@ -138,6 +140,7 @@ python.pkgs.pythonPackages.buildPythonApplication rec {
     langdetect
     lxml
     msgpack
+    nltk
     numpy
     ocrmypdf
     pathvalidate

pkgs/applications/science/astronomy/stellarium/default.nix

@@ -69,6 +69,6 @@ stdenv.mkDerivation rec {
     homepage = "https://stellarium.org/";
     license = licenses.gpl2Plus;
     platforms = platforms.unix;
-    maintainers = with maintainers; [ ma27 ];
+    maintainers = with maintainers; [ ];
   };
 }

pkgs/applications/science/electronics/dsview/default.nix

@@ -6,13 +6,13 @@
 mkDerivation rec {
   pname = "dsview";
 
-  version = "1.2.1";
+  version = "1.2.2";
 
   src = fetchFromGitHub {
       owner = "DreamSourceLab";
       repo = "DSView";
       rev = "v${version}";
-      sha256 = "sha256-TE2yfzv2h77GLMkmoVGXmzs7J0l/N+n1eYxyrtnrnGU=";
+      sha256 = "sha256-QaCVu/n9PDbAiJgPDVN6SJMILeUO/KRkKcHYAstm86Q=";
   };
 
   patches = [

pkgs/applications/science/math/wxmaxima/default.nix

@@ -7,17 +7,18 @@
 , maxima
 , wxGTK
 , gnome
+, glib
 }:
 
 stdenv.mkDerivation rec {
   pname = "wxmaxima";
-  version = "22.05.0";
+  version = "22.12.0";
 
   src = fetchFromGitHub {
     owner = "wxMaxima-developers";
     repo = "wxmaxima";
     rev = "Version-${version}";
-    sha256 = "sha256-pcKnEjJmvMXCBpjtOSLyl4I0x3fjh0os9Sdp39I2Re0=";
+    sha256 = "sha256-RT6y4M6LQD1fXJcjtdSXnDmoJvv160g2asdV4WtTcok=";
   };
 
   buildInputs = [
@@ -25,6 +26,8 @@ stdenv.mkDerivation rec {
     maxima
     # So it won't embed svg files into headers.
     gnome.adwaita-icon-theme
+    # So it won't crash under Sway.
+    glib
   ];
 
   nativeBuildInputs = [
@@ -33,6 +36,10 @@ stdenv.mkDerivation rec {
     gettext
   ];
 
+  cmakeFlags = [
+    "-DwxWidgets_LIBRARIES=${wxGTK}/lib"
+  ];
+
   preConfigure = ''
     gappsWrapperArgs+=(--prefix PATH ":" ${maxima}/bin)
   '';

pkgs/applications/science/misc/megam/default.nix

@@ -12,11 +12,16 @@ stdenv.mkDerivation {
 
   patches = [ ./ocaml-includes.patch ./ocaml-3.12.patch ];
 
-  buildInputs = [ ocaml ncurses ];
+  strictDeps = true;
 
-  nativeBuildInputs = [ makeWrapper ];
+  nativeBuildInputs = [ makeWrapper ocaml ];
 
-  makeFlags = [ "CAML_INCLUDES=${ocaml}/lib/ocaml/caml" ];
+  buildInputs = [ ncurses ];
+
+  makeFlags = [
+    "CAML_INCLUDES=${ocaml}/lib/ocaml/caml"
+    "WITHBIGARRAY=bigarray.cma"
+  ];
 
   # see https://bugzilla.redhat.com/show_bug.cgi?id=435559
   dontStrip = true;
@@ -42,6 +47,6 @@ stdenv.mkDerivation {
     license = "non-commercial";
 
     maintainers = [ ];
-    platforms = lib.platforms.gnu ++ lib.platforms.linux;  # arbitrary choice
+    platforms = lib.platforms.unix;
   };
 }

pkgs/applications/version-management/delta/default.nix

@@ -7,6 +7,7 @@
 , Foundation
 , libiconv
 , Security
+, git
 }:
 
 rustPlatform.buildRustPackage rec {
@@ -26,12 +27,18 @@ rustPlatform.buildRustPackage rec {
 
   buildInputs = lib.optionals stdenv.isDarwin [ DiskArbitration Foundation libiconv Security ];
 
+  checkInputs = [ git ];
+
   postInstall = ''
     installShellCompletion --bash --name delta.bash etc/completion/completion.bash
     installShellCompletion --zsh --name _delta etc/completion/completion.zsh
     installShellCompletion --fish --name delta.fish etc/completion/completion.fish
   '';
 
+  checkFlags = lib.optionals stdenv.isDarwin [
+    "--skip=test_diff_same_non_empty_file"
+  ];
+
   meta = with lib; {
     homepage = "https://github.com/dandavison/delta";
     description = "A syntax-highlighting pager for git";

pkgs/applications/version-management/git-machete/default.nix

@@ -12,13 +12,13 @@
 
 buildPythonApplication rec {
   pname = "git-machete";
-  version = "3.14.0";
+  version = "3.14.2";
 
   src = fetchFromGitHub {
     owner = "virtuslab";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-UgWPm4IxzydO1qqhjbodUIAmqIhTIITYARMvw+F9T7E=";
+    hash = "sha256-uIVt7pneJq7l/kMSa7VqhcQgXhHCrpBGEqE7QZaDyQQ=";
   };
 
   nativeBuildInputs = [ installShellFiles ];

pkgs/applications/version-management/github-desktop/default.nix

@@ -15,15 +15,16 @@
 , cups
 , mesa
 , systemd
+, openssl
 }:
 
 stdenv.mkDerivation rec {
   pname = "github-desktop";
-  version = "3.0.6";
+  version = "3.1.1";
 
   src = fetchurl {
     url = "https://github.com/shiftkey/desktop/releases/download/release-${version}-linux1/GitHubDesktop-linux-${version}-linux1.deb";
-    hash = "sha256-UQsMT4/D571xgrU8C4HBoRO+qf08GCGerA4Y5gHcjRc=";
+    hash = "sha256-R8t0y7b2upMOsWebIBr9+qT2GqQ/ahzWLcFIWwK4JTs=";
   };
 
   nativeBuildInputs = [
@@ -44,6 +45,7 @@ stdenv.mkDerivation rec {
     alsa-lib
     cups
     mesa
+    openssl
   ];
 
   unpackPhase = ''

pkgs/applications/version-management/sapling/default.nix

@@ -1,6 +1,6 @@
 { lib
 , stdenv
-, python38Packages
+, python3Packages
 , fetchFromGitHub
 , fetchurl
 , sd
@@ -90,11 +90,7 @@ let
   };
 
   # Builds the main `sl` binary and its Python extensions
-  #
+  sapling = python3Packages.buildPythonPackage {
-  # FIXME(lf-): when next updating this package, delete the python 3.8 override
-  # here, since the fix for https://github.com/facebook/sapling/issues/279 that
-  # required it will be in the next release.
-  sapling = python38Packages.buildPythonPackage {
     pname = "sapling-main";
     inherit src version;
 
@@ -135,7 +131,7 @@ let
     #    so that 'sl web' always works
     # 4) 'sl web' will still work if 'nodejs' is in $PATH, just not OOTB
     preFixup = ''
-      sitepackages=$out/lib/${python38Packages.python.libPrefix}/site-packages
+      sitepackages=$out/lib/${python3Packages.python.libPrefix}/site-packages
       chmod +w $sitepackages
       cp -r ${isl} $sitepackages/edenscm-isl
     '' + lib.optionalString (!enableMinimal) ''

pkgs/applications/video/aegisub/default.nix

@@ -25,6 +25,7 @@
 , pcre
 , pkg-config
 , which
+, wrapGAppsHook
 , wxGTK
 , zlib
 
@@ -75,6 +76,7 @@ stdenv.mkDerivation rec {
     pkg-config
     which
     cmake
+    wrapGAppsHook
   ];
 
   buildInputs = [

pkgs/applications/video/kodi/unwrapped.nix

@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchFromGitHub, autoconf, automake, libtool, makeWrapper
+{ stdenv, lib, fetchFromGitHub, fetchpatch, autoconf, automake, libtool, makeWrapper
 , pkg-config, cmake, yasm, python3Packages
 , libxcrypt, libgcrypt, libgpg-error, libunistring
 , boost, avahi, lame
@@ -107,13 +107,20 @@ in stdenv.mkDerivation {
 
     src = kodi_src;
 
+    patches = [
       # This is a backport of
       # https://github.com/xbmc/xbmc/commit/a6dedce7ba1f03bdd83b019941d1e369a06f7888
       # to Kodi 19.4 Matrix.
-    # This can be removed once a new release of Kodi comes out and we upgrade
+      # This can be removed once a new major release of Kodi comes out and we upgrade
       # to it.
-    patches = [
       ./add-KODI_WEBSERVER_EXTRA_WHITELIST.patch
+
+      # A patch to fix build until the next major release of Kodi comes out and we upgrade
+      # https://github.com/xbmc/xbmc/pull/22291
+      (fetchpatch {
+        url = "https://github.com/xbmc/xbmc/commit/5449652abf0bb9dddd0d796de4120e60f19f89a5.patch";
+        sha256 = "sha256-vqX08dTSPhIur4aVu2BzXEpAxMOjaadwRNI43GSV9Og=";
+      })
     ];
 
     buildInputs = [

pkgs/applications/window-managers/i3/status-rust.nix

@@ -57,7 +57,7 @@ rustPlatform.buildRustPackage rec {
     description = "Very resource-friendly and feature-rich replacement for i3status";
     homepage = "https://github.com/greshake/i3status-rust";
     license = licenses.gpl3Only;
-    maintainers = with maintainers; [ backuitist globin ma27 ];
+    maintainers = with maintainers; [ backuitist globin ];
     platforms = platforms.linux;
   };
 }

pkgs/applications/window-managers/sway/lock-effects.nix

@@ -48,6 +48,6 @@ stdenv.mkDerivation rec {
     inherit (src.meta) homepage;
     license = licenses.mit;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ gnxlxnxx ma27 ];
+    maintainers = with maintainers; [ gnxlxnxx ];
   };
 }

pkgs/data/fonts/hannom/default.nix

@@ -1,27 +1,28 @@
-{ lib, fetchzip }:
+{ lib, stdenvNoCC, fetchzip }:
 
-let
+stdenvNoCC.mkDerivation rec {
+  pname = "hannom";
   version = "2005";
-in fetchzip {
-  name = "hannom-${version}";
 
+  src = fetchzip {
     url = "mirror://sourceforge/vietunicode/hannom/hannom%20v${version}/hannomH.zip";
-
     stripRoot = false;
+    hash = "sha256-Oh8V72tYvVA6Sk0f9UTIkRQYjdUbEB/fmCSaRYfyoP8=";
+  };
+
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
 
-  postFetch = ''
     mkdir -p $out/share/fonts/truetype
-    mv $out/*.ttf -t $out/share/fonts/truetype
+    mv *.ttf -t $out/share/fonts/truetype
-    shopt -s extglob dotglob
-    rm -rf $out/!(share)
-    shopt -u extglob dotglob
-  '';
 
-  sha256 = "sha256-zOYJxEHl4KM0ncVQDBs9+e3z8DxzF2ef3pRj0OVSuUo=";
+    runHook postInstall
+  '';
 
   meta = with lib; {
     description = "UNICODE Han Nom Font Set";
-    homepage = "http://vietunicode.sourceforge.net/fonts/fonts_hannom.html";
     longDescription = ''
       The true type fonts HAN NOM A and HAN NOM B have been developed by Chan
       Nguyen Do Quoc Bao (Germany), To Minh Tam (USA) and Ni sinh Thien Vien Vien
@@ -31,6 +32,7 @@ in fetchzip {
       code points by the Unicode Standard. Two sets of true type fonts are
       available with high and low resolutions.
     '';
+    homepage = "https://vietunicode.sourceforge.net/fonts/fonts_hannom.html";
     license = licenses.unfree;
     maintainers = with maintainers; [ wegank ];
     platforms = platforms.all;

pkgs/data/misc/dtv-scan-tables/default.nix

@@ -1,32 +0,0 @@
-{ lib
-, stdenv
-, fetchFromGitHub
-, v4l-utils
-}:
-
-stdenv.mkDerivation rec {
-  pname = "dtv-scan-tables";
-  version = "20221027";
-
-  src = fetchFromGitHub {
-    owner = "tvheadend";
-    repo = "dtv-scan-tables";
-    rev = "2a3dbfbab129c00d3f131c9c2f06b2be4c06fec6";
-    hash = "sha256-bJ+naUs3TDFul4PmpnWYld3j1Se+1X6U9jnECe3sno0=";
-  };
-
-  nativeBuildInputs = [
-    v4l-utils
-  ];
-
-  installFlags = [
-    "DATADIR=$(out)"
-  ];
-
-  meta = with lib; {
-    description = "Digital TV scan tables";
-    homepage = "https://github.com/tvheadend/dtv-scan-tables";
-    license = with licenses; [ gpl2Only lgpl21Only ];
-    maintainers = with maintainers; [ ];
-  };
-}

pkgs/data/misc/dtv-scan-tables/linuxtv.nix

@@ -0,0 +1,54 @@
+{ lib
+, stdenv
+, fetchurl
+, v4l-utils
+}:
+
+let
+
+  version_ = "2022-04-30-57ed29822750";
+
+in
+
+stdenv.mkDerivation rec {
+  pname = "dtv-scan-tables";
+  version = "${version_}-linuxtv";
+
+  src = fetchurl {
+    url = "https://linuxtv.org/downloads/${pname}/${pname}-${version_}.tar.bz2";
+    hash = "sha256-amJoqjkkWTePo6E5IvwBWj+mP/gi9LDWTTPXE1Cm7J4=";
+  };
+
+  nativeBuildInputs = [
+    v4l-utils
+  ];
+
+  sourceRoot = "usr/share/dvb";
+
+  makeFlags = [
+    "PREFIX=$(out)"
+  ];
+
+  allowedReferences = [ ];
+
+  meta = with lib; {
+    # git repo with current revision is here:
+    #downloadPage = "https://git.linuxtv.org/dtv-scan-tables.git";
+    # Weekly releases are supposed to be here
+    downloadPage = "https://linuxtv.org/downloads/dtv-scan-tables/";
+    # but sometimes they lag behind several weeks or even months.
+    description = "Digital TV (DVB) channel/transponder scan tables";
+    homepage = "https://www.linuxtv.org/wiki/index.php/Dtv-scan-tables";
+    license = with licenses; [ gpl2Only lgpl21Only ];
+    longDescription = ''
+      When scanning for dvb channels,
+      most applications require an initial set of
+      transponder coordinates (frequencies etc.).
+      These coordinates differ, depending of the
+      receiver's location or on the satellite.
+      The package delivers a collection of transponder
+      tables ready to be used by software like "dvbv5-scan".
+    '';
+    maintainers = with maintainers; [ yarny ];
+  };
+}

pkgs/data/misc/dtv-scan-tables/tvheadend.nix

@@ -0,0 +1,45 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, v4l-utils
+}:
+
+stdenv.mkDerivation rec {
+  pname = "dtv-scan-tables";
+  version = "20221027-tvheadend";
+
+  src = fetchFromGitHub {
+    owner = "tvheadend";
+    repo = "dtv-scan-tables";
+    rev = "2a3dbfbab129c00d3f131c9c2f06b2be4c06fec6";
+    hash = "sha256-bJ+naUs3TDFul4PmpnWYld3j1Se+1X6U9jnECe3sno0=";
+  };
+
+  nativeBuildInputs = [
+    v4l-utils
+  ];
+
+  makeFlags = [
+    "PREFIX=$(out)"
+  ];
+
+  allowedReferences = [ ];
+
+  meta = with lib; {
+    description = "Digital TV (DVB) channel/transponder scan tables";
+    homepage = "https://github.com/tvheadend/dtv-scan-tables";
+    license = with licenses; [ gpl2Only lgpl21Only ];
+    longDescription = ''
+      When scanning for dvb channels,
+      most applications require an initial set of
+      transponder coordinates (frequencies etc.).
+      These coordinates differ, depending of the
+      receiver's location or on the satellite.
+      The package delivers a collection of transponder
+      tables ready to be used by software like "dvbv5-scan".
+      The package at hand is maintained and used by tvheadend,
+      it is a fork of the original one hosted by linuxtv.org.
+    '';
+    maintainers = with maintainers; [ ];
+  };
+}

pkgs/desktops/gnome-2/bindings/gnome-python-desktop/default.nix

@@ -1,32 +0,0 @@
-{ lib, stdenv, fetchurl, gnome_python, librsvg, libwnck2, libgtop, pkg-config, python2, gtk2 }:
-
-let
-  inherit (python2.pkgs) python pygtk;
-in stdenv.mkDerivation rec {
-  ver_maj = "2.32";
-  ver_min = "0";
-  version = "${ver_maj}.${ver_min}";
-  pname = "gnome-python-desktop";
-
-  src = fetchurl {
-    url = "mirror://gnome/sources/gnome-python-desktop/${ver_maj}/gnome-python-desktop-${version}.tar.bz2";
-    sha256 = "1s8f9rns9v7qlwjv9qh9lr8crp88dpzfm45hj47zc3ivpy0dbnq9";
-  };
-
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ gtk2 librsvg libwnck2 libgtop python ];
-  propagatedBuildInputs = [ gnome_python pygtk ];
-
-  # gnome-python-desktop expects that .pth file is already installed by PyGTK
-  # in the same directory. This is not the case for Nix.
-  postInstall = ''
-    echo "gtk-2.0" > $out/${python2.sitePackages}/${pname}-${version}.pth
-  '';
-
-  meta = with lib; {
-    homepage = "http://www.pygtk.org";
-    description = "Python bindings for GNOME desktop packages";
-    license = licenses.lgpl21;
-    maintainers = [ maintainers.goibhniu ];
-  };
-}

pkgs/desktops/gnome-2/bindings/gnome-python/default.nix

@@ -1,33 +0,0 @@
-{ lib, stdenv, fetchurl, python2, pkg-config, libgnome, GConf, glib, gtk2, gnome_vfs }:
-
-with lib;
-
-let
-  inherit (python2.pkgs) python pygobject2 pygtk dbus-python;
-in stdenv.mkDerivation rec {
-  pname = "gnome-python";
-  version = "2.28.1";
-
-  src = fetchurl {
-    url = "mirror://gnome/sources/gnome-python/${lib.versions.majorMinor version}/gnome-python-${version}.tar.bz2";
-    sha256 = "759ce9344cbf89cf7f8449d945822a0c9f317a494f56787782a901e4119b96d8";
-  };
-
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ python glib gtk2 GConf libgnome gnome_vfs ];
-  propagatedBuildInputs = [ pygobject2 pygtk dbus-python ];
-
-  # gnome-python expects that .pth file is already installed by PyGTK in the
-  # same directory. This is not the case for Nix.
-  postInstall = ''
-    echo "gtk-2.0" > $out/${python2.sitePackages}/gnome-python-${version}.pth
-  '';
-
-  meta = with lib; {
-    homepage = "http://pygtk.org/";
-    description = "Python wrapper for GNOME libraries";
-    platforms = platforms.linux;
-    license = licenses.lgpl2;
-    maintainers = with maintainers; [ qknight ];
-  };
-}

pkgs/desktops/gnome-2/default.nix

@@ -33,10 +33,6 @@ lib.makeScope pkgs.newScope (self: with self; {
 
   gnome_mime_data = callPackage ./platform/gnome-mime-data { };
 
-  gnome_python = callPackage ./bindings/gnome-python { };
-
-  gnome_python_desktop = callPackage ./bindings/gnome-python-desktop { };
-
   gnome_vfs = callPackage ./platform/gnome-vfs { };
 
   libgnome = callPackage ./platform/libgnome { };
@@ -72,7 +68,6 @@ lib.makeScope pkgs.newScope (self: with self; {
 
   gtk = pkgs.gtk2;
   gtkmm = pkgs.gtkmm2;
-  python_rsvg = self.gnome_python_desktop;
 
   gtkdoc = pkgs.gtk-doc;
   startup_notification = pkgs.libstartup_notification;
@@ -82,5 +77,8 @@ lib.makeScope pkgs.newScope (self: with self; {
   gnome_icon_theme = self.gnome-icon-theme;
   gnomeicontheme = self.gnome-icon-theme;
   gnome_common = gnome-common;
-  libglademm = throw "libglademm has been removed"; # 2022-01-15
+  gnome_python = throw "gnome2.gnome_python has been removed"; # 2023-01-14
+  gnome_python_desktop = throw "gnome2.gnome_python_desktop has been removed"; # 2023-01-14
+  libglademm = throw "gnome2.libglademm has been removed"; # 2022-01-15
+  python_rsvg = throw "gnome2.python_rsvg has been removed"; # 2023-01-14
 })

pkgs/desktops/gnome-2/desktop/mail-notification/patches/mail-notification-dont-link-against-bsd-compat.patch

@@ -1,10 +0,0 @@
---- jbsrc/jb.c.orig	2014-01-19 20:06:48.525462981 +0100
-+++ jbsrc/jb.c	2014-01-19 20:07:36.087934897 +0100
-@@ -425,7 +425,6 @@
-        */
-       jb_compile_options_add_cflags(object->compile_options, "-std=c99");
-       jb_compile_options_add_cppflags(object->compile_options, "-D_BSD_SOURCE -D_POSIX_C_SOURCE=199309L");
--      jb_compile_options_add_libs(object->compile_options, "-lbsd-compat");
-     }
- 
-   jb_compile_options_add_string_defines(object->compile_options,

pkgs/desktops/gnome/apps/gnome-boxes/default.nix

@@ -51,11 +51,11 @@
 
 stdenv.mkDerivation rec {
   pname = "gnome-boxes";
-  version = "43.1";
+  version = "43.2";
 
   src = fetchurl {
     url = "mirror://gnome/sources/${pname}/${lib.versions.major version}/${pname}-${version}.tar.xz";
-    sha256 = "NB5qXO1RrVAPwd00ZZ1YhsP3YEViS1POZBv/Y8WwimE=";
+    sha256 = "nD4OlDPBhTqZ7VLt7BMmP0Q/hW28o7IWXC46cLhjKzA=";
   };
 
   patches = [

pkgs/desktops/gnome/apps/gnome-maps/default.nix

@@ -28,11 +28,11 @@
 
 stdenv.mkDerivation rec {
   pname = "gnome-maps";
-  version = "43.2";
+  version = "43.3";
 
   src = fetchurl {
     url = "mirror://gnome/sources/${pname}/${lib.versions.major version}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-wCIdJQvkXqNulxrmO/3pcaRhRclnscZZ6WxbBypxVR0=";
+    sha256 = "sha256-iVUelLEnEwXP/yBLRMGDZyZ3gaV9LMt7b3u6Yo4JxRE=";
   };
 
   doCheck = true;

pkgs/desktops/gnome/apps/gnome-text-editor/default.nix

@@ -24,11 +24,11 @@
 
 stdenv.mkDerivation rec {
   pname = "gnome-text-editor";
-  version = "43.1";
+  version = "43.2";
 
   src = fetchurl {
     url = "mirror://gnome/sources/gnome-text-editor/${lib.versions.major version}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-lzpLDeto+fkaVKTdQVtq/em1rj7mhLx2FHH5QpD59ss=";
+    sha256 = "sha256-MwRcehI/qife5+ubqabybxsXGMWg52M30Hmg1MkA4UY=";
   };
 
   nativeBuildInputs = [

pkgs/desktops/gnome/core/eog/default.nix

@@ -30,13 +30,13 @@
 
 stdenv.mkDerivation rec {
   pname = "eog";
-  version = "43.1";
+  version = "43.2";
 
   outputs = [ "out" "dev" "devdoc" ];
 
   src = fetchurl {
     url = "mirror://gnome/sources/${pname}/${lib.versions.major version}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-/tef88oZusYvJxVcm91p7vh1hwuXHm3LCqOMCT0TGXE=";
+    sha256 = "sha256-nc/c5VhakOK7HPV+N3yx6xLUG9m8ubus31BrwbE1Tvk=";
   };
 
   patches = [

pkgs/desktops/gnome/core/gnome-remote-desktop/default.nix

@@ -30,11 +30,11 @@
 
 stdenv.mkDerivation rec {
   pname = "gnome-remote-desktop";
-  version = "43.2";
+  version = "43.3";
 
   src = fetchurl {
     url = "mirror://gnome/sources/${pname}/${lib.versions.major version}/${pname}-${version}.tar.xz";
-    hash = "sha256-hKn9Zam62M73NIL9otIKzRIvC4Uhsd6GyUE4ibn6l3E=";
+    hash = "sha256-EdRR0f3kTxgJ6/Ya/0vqX570/cAjWaiWR/bp59RUKaw=";
   };
 
   nativeBuildInputs = [

pkgs/desktops/gnome/core/gnome-software/default.nix

@@ -45,11 +45,11 @@ in
 
 stdenv.mkDerivation rec {
   pname = "gnome-software";
-  version = "43.2";
+  version = "43.3";
 
   src = fetchurl {
     url = "mirror://gnome/sources/gnome-software/${lib.versions.major version}/${pname}-${version}.tar.xz";
-    sha256 = "Iqp/CjF8dw9ouJfp5RKyy+2xgbaV/9sLZY2Zu9ZPNo0=";
+    sha256 = "k+6AdHl4rSzALlrnPQo9Psgu6hNPx3niqpFpAbu1gJA=";
   };
 
   patches = [