Release NixOS 25.05

nixosTests.lomiri-filemanager-app: Fix OCR
(cherry picked from commit 66301f51a3)
2026-06-06 05:13:37 +00:00 · 2025-05-23 20:56:20 +02:00 · 2025-05-23 23:25:53 +05:30 · 2025-05-23 23:25:53 +05:30 · 2025-05-23 18:47:35 +01:00 · 2025-05-23 17:39:28 +00:00
544 changed files with 10977 additions and 24923 deletions
--- a/.github/workflows/check-format.yml
+++ b/.github/workflows/check-format.yml
@@ -5,7 +5,6 @@ on:
    paths:
      - .github/workflows/check-format.yml
  pull_request_target:
-    types: [opened, synchronize, reopened, edited]

 permissions: {}

--- a/.github/workflows/codeowners-v2.yml
+++ b/.github/workflows/codeowners-v2.yml
@@ -27,7 +27,7 @@ on:
    paths:
      - .github/workflows/codeowners-v2.yml
  pull_request_target:
-    types: [opened, ready_for_review, synchronize, reopened, edited]
+    types: [opened, ready_for_review, synchronize, reopened]

 permissions: {}

--- a/.github/workflows/edited.yml
+++ b/.github/workflows/edited.yml
@@ -0,0 +1,49 @@
+# Some workflows depend on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
+# Instead it causes an `edited` event.
+# Since `edited` is also triggered when PR title/body is changed, we use this wrapper workflow, to run the other workflows conditionally only.
+# There are already feature requests for adding a `base_changed` event:
+# - https://github.com/orgs/community/discussions/35058
+# - https://github.com/orgs/community/discussions/64119
+#
+# Instead of adding this to each workflow's pull_request_target event, we trigger this in a separate workflow.
+# This has the advantage, that we can actually skip running those jobs for simple edits like changing the title or description.
+# The actual trigger happens by closing and re-opening the pull request, which triggers the default pull_request_target events.
+# This is much simpler and reliable than other approaches.
+
+name: "Edited base branch"
+
+on:
+  pull_request_target:
+    types: [edited]
+
+permissions: {}
+
+jobs:
+  base:
+    name: Trigger jobs
+    runs-on: ubuntu-24.04
+    if: github.event.changes.base.ref.from && github.event.changes.base.ref.from != github.event.pull_request.base.ref
+    steps:
+      # Use a GitHub App to create the PR so that CI gets triggered
+      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
+      # We only need Pull Requests: write here, but the app is also used for backports.
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        id: app-token
+        with:
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
+          permission-pull-requests: write
+
+      - env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          REPOSITORY: ${{ github.repository }}
+          NUMBER: ${{ github.event.number }}
+        run: |
+          gh api \
+            --method PATCH \
+            /repos/"$REPOSITORY"/pulls/"$NUMBER" \
+            -f "state=closed"
+          gh api \
+            --method PATCH \
+            /repos/"$REPOSITORY"/pulls/"$NUMBER" \
+            -f "state=open"
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@@ -154,9 +154,12 @@ jobs:
            --arg beforeResultDir ./targetResult \
            --arg afterResultDir "$(realpath prResult)" \
            --arg touchedFilesJson ./touched-files.json \
+            --argstr githubAuthorId "$AUTHOR_ID" \
            -o comparison

          cat comparison/step-summary.md >> "$GITHUB_STEP_SUMMARY"
+        env:
+          AUTHOR_ID: ${{ github.event.pull_request.user.id }}

      - name: Upload the combined results
        if: steps.targetRunId.outputs.targetRunId
@@ -211,10 +214,10 @@ jobs:
      - name: Labelling pull request
        if: ${{ github.event_name == 'pull_request_target' && github.repository_owner == 'NixOS' }}
        run: |
-          # Get all currently set rebuild labels
+          # Get all currently set labels that we manage
          gh api \
            /repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
-            --jq '.[].name | select(startswith("10.rebuild"))' \
+            --jq '.[].name | select(startswith("10.rebuild") or . == "11.by: package-maintainer")' \
            | sort > before

          # And the labels that should be there
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -7,7 +7,6 @@ name: "Label PR"

 on:
  pull_request_target:
-    types: [edited, opened, synchronize, reopened]

 permissions:
  contents: read
--- a/.github/workflows/nixpkgs-vet.yml
+++ b/.github/workflows/nixpkgs-vet.yml
@@ -10,11 +10,6 @@ on:
    paths:
      - .github/workflows/nixpkgs-vet.yml
  pull_request_target:
-    # This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
-    # Instead it causes an `edited` event, so we need to add it explicitly here.
-    # While `edited` is also triggered when the PR title/body is changed, this PR action is fairly quick, and PRs don't get edited **that** often, so it shouldn't be a problem.
-    # There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058
-    types: [opened, synchronize, reopened, edited]

 permissions: {}

--- a/.github/workflows/no-channel.yml
+++ b/.github/workflows/no-channel.yml
@@ -5,8 +5,6 @@ on:
    paths:
      - .github/workflows/no-channel.yml
  pull_request_target:
-    # Re-run should be triggered when the base branch is updated, instead of silently failing
-    types: [opened, synchronize, reopened, edited]

 permissions: {}

--- a/.github/workflows/periodic-merge-24h.yml
+++ b/.github/workflows/periodic-merge-24h.yml
@@ -35,10 +35,12 @@ jobs:
            into: staging-next-25.05
          - from: staging-next-25.05
            into: staging-25.05
-          - from: master staging
+          - name: merge-base(master,staging) → haskell-updates
+            from: master staging
            into: haskell-updates
    uses: ./.github/workflows/periodic-merge.yml
    with:
      from: ${{ matrix.pairs.from }}
      into: ${{ matrix.pairs.into }}
+    name: ${{ matrix.pairs.name || format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
    secrets: inherit
--- a/.github/workflows/periodic-merge-6h.yml
+++ b/.github/workflows/periodic-merge-6h.yml
@@ -35,4 +35,5 @@ jobs:
    with:
      from: ${{ matrix.pairs.from }}
      into: ${{ matrix.pairs.into }}
+    name: ${{ format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
    secrets: inherit
--- a/.github/workflows/periodic-merge.yml
+++ b/.github/workflows/periodic-merge.yml
@@ -15,7 +15,6 @@ on:
 jobs:
  merge:
    runs-on: ubuntu-24.04-arm
-    name: ${{ inputs.from }} → ${{ inputs.into }}
    steps:
      # Use a GitHub App to create the PR so that CI gets triggered
      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
--- a/ci/OWNERS
+++ b/ci/OWNERS
@@ -471,7 +471,7 @@ pkgs/development/interpreters/lfe/      @NixOS/beam
 pkgs/by-name/oc/octodns/ @anthonyroussel

 # Teleport
-pkgs/servers/teleport   @arianvp @justinas @sigma @tomberek @freezeboy @techknowlogick @JuliusFreudenberger
+pkgs/by-name/te/teleport*   @arianvp @justinas @sigma @tomberek @freezeboy @techknowlogick @JuliusFreudenberger

 # Warp-terminal
 pkgs/by-name/wa/warp-terminal/  @emilytrau @imadnyc @donteatoreo @johnrtitor
--- a/ci/eval/compare/default.nix
+++ b/ci/eval/compare/default.nix
@@ -10,6 +10,7 @@
  beforeResultDir,
  afterResultDir,
  touchedFilesJson,
+  githubAuthorId,
  byName ? false,
 }:
 let
@@ -114,7 +115,15 @@ let
          # Adds "10.rebuild-*-stdenv" label if the "stdenv" attribute was changed
          ++ lib.mapAttrsToList (kernel: _: "10.rebuild-${kernel}-stdenv") (
            lib.filterAttrs (_: kernelRebuilds: kernelRebuilds ? "stdenv") rebuildsByKernel
-          );
+          )
+          # Adds the "11.by: package-maintainer" label if all of the packages directly
+          # changed are maintained by the PR's author. (https://github.com/NixOS/ofborg/blob/df400f44502d4a4a80fa283d33f2e55a4e43ee90/ofborg/src/tagger.rs#L83-L88)
+          ++ lib.optional (
+            maintainers ? ${githubAuthorId}
+            && lib.all (lib.flip lib.elem maintainers.${githubAuthorId}) (
+              lib.flatten (lib.attrValues maintainers)
+            )
+          ) "11.by: package-maintainer";
      }
    );

--- a/ci/eval/default.nix
+++ b/ci/eval/default.nix
@@ -8,7 +8,6 @@
  procps,
  nixVersions,
  jq,
-  sta,
  python3,
 }:

@@ -31,11 +30,14 @@ let
      );
    };

-  nix = nixVersions.nix_2_24;
+  nix = nixVersions.latest;

  supportedSystems = builtins.fromJSON (builtins.readFile ../supportedSystems.json);

  attrpathsSuperset =
+    {
+      evalSystem,
+    }:
    runCommand "attrpaths-superset.json"
      {
        src = nixpkgs;
@@ -55,6 +57,7 @@ let
            -I "$src" \
            --option restrict-eval true \
            --option allow-import-from-derivation false \
+            --option eval-system "${evalSystem}" \
            --arg enableWarnings false > $out/paths.json
      '';

@@ -65,7 +68,7 @@ let
      # because `--argstr system` would only be passed to the ci/default.nix file!
      evalSystem,
      # The path to the `paths.json` file from `attrpathsSuperset`
-      attrpathFile ? "${attrpathsSuperset}/paths.json",
+      attrpathFile ? "${attrpathsSuperset { inherit evalSystem; }}/paths.json",
      # The number of attributes per chunk, see ./README.md for more info.
      chunkSize,
      checkMeta ? true,
@@ -184,10 +187,7 @@ let
          rm "$chunkOutputDir"/stats/"$seq_end"
        fi

-        # Make sure the glob doesn't break when there's no files
-        shopt -s nullglob
        cat "$chunkOutputDir"/result/* > $out/paths
-        cat "$chunkOutputDir"/stats/* > $out/stats.jsonstream
      '';

  combine =
@@ -198,7 +198,6 @@ let
      {
        nativeBuildInputs = [
          jq
-          sta
        ];
      }
      ''
@@ -221,39 +220,6 @@ let
            ) | from_entries
          ' > $out/outpaths.json

-        # Computes min, mean, error, etc. for a list of values and outputs a JSON from that
-        statistics() {
-          local stat=$1
-          sta --transpose |
-            jq --raw-input --argjson stat "$stat" -n '
-              [
-                inputs |
-                  split("\t") |
-                  { key: .[0], value: (.[1] | fromjson) }
-              ] |
-                from_entries |
-                {
-                  key: ($stat | join(".")),
-                  value: .
-                }'
-        }
-
-        # Gets all available number stats (without .sizes because those are constant and not interesting)
-        readarray -t stats < <(jq -cs '.[0] | del(.sizes) | paths(type == "number")' ${resultsDir}/*/stats.jsonstream)
-
-        # Combines the statistics from all evaluations
-        {
-          echo "{ \"key\": \"minAvailMemory\", \"value\": $(cat ${resultsDir}/*/min-avail-memory | sta --brief --min) }"
-          echo "{ \"key\": \"minFreeSwap\", \"value\": $(cat ${resultsDir}/*/min-free-swap | sta --brief --min) }"
-          cat ${resultsDir}/*/total-time | statistics '["totalTime"]'
-          for stat in "''${stats[@]}"; do
-            cat ${resultsDir}/*/stats.jsonstream |
-              jq --argjson stat "$stat" 'getpath($stat)' |
-              statistics "$stat"
-          done
-        } |
-          jq -s from_entries > $out/stats.json
-
        mkdir -p $out/stats

        for d in ${resultsDir}/*; do
--- a/doc/hooks/tauri.section.md
+++ b/doc/hooks/tauri.section.md
@@ -30,8 +30,8 @@ rustPlatform.buildRustPackage (finalAttrs: {

  # Assuming our app's frontend uses `npm` as a package manager
  npmDeps = fetchNpmDeps {
-    name = "${finalAttrs.pname}-npm-deps-${finalAttrs.version}";
-    inherit src;
+    name = "${finalAttrs.pname}-${finalAttrs.version}-npm-deps";
+    inherit (finalAttrs) src;
    hash = "...";
  };

@@ -51,17 +51,16 @@ rustPlatform.buildRustPackage (finalAttrs: {
      wrapGAppsHook4
    ];

-  buildInputs =
-    [ openssl ]
-    ++ lib.optionals stdenv.hostPlatform.isLinux [
-      glib-networking # Most Tauri apps need networking
-      webkitgtk_4_1
-    ];
+  buildInputs = lib.optionals stdenv.hostPlatform.isLinux [
+    glib-networking # Most Tauri apps need networking
+    openssl
+    webkitgtk_4_1
+  ];

  # Set our Tauri source directory
  cargoRoot = "src-tauri";
  # And make sure we build there too
-  buildAndTestSubdir = cargoRoot;
+  buildAndTestSubdir = finalAttrs.cargoRoot;

  # ...
 })
--- a/doc/redirects.json
+++ b/doc/redirects.json
@@ -133,7 +133,8 @@
    "release-notes.html#sec-nixpkgs-release-25.05-highlights"
  ],
  "sec-nixpkgs-release-25.05-incompatibilities": [
-    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities"
+    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities",
+    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded"
  ],
  "sec-nixpkgs-release-25.05-incompatibilities-titanium-removed": [
    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities-titanium-removed",
@@ -141,9 +142,6 @@
    "index.html#building-a-titanium-app",
    "index.html#emulating-or-simulating-the-app"
  ],
-  "sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded": [
-    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded"
-  ],
  "sec-nixpkgs-release-25.05-lib": [
    "release-notes.html#sec-nixpkgs-release-25.05-lib"
  ],
--- a/doc/release-notes/rl-2505.section.md
+++ b/doc/release-notes/rl-2505.section.md
@@ -1,4 +1,4 @@
-# Nixpkgs 25.05 (2025.05/??) {#sec-nixpkgs-release-25.05}
+# Nixpkgs 25.05 (2025.05/23) {#sec-nixpkgs-release-25.05}

 ## Highlights {#sec-nixpkgs-release-25.05-highlights}

@@ -17,17 +17,26 @@

 - The default GHC version has been updated from 9.6 to 9.8.
  `haskellPackages` also uses Stackage LTS 23 (instead of LTS 22) as a baseline.
+  We aim to remove the old GHC versions 8.10, 9.0 and 9.2 in the next release in accordance with [the new GHC deprecation policy](https://discourse.nixos.org/t/nixpkgs-ghc-deprecation-policy-user-feedback-necessary/64153).

 - LLVM has been updated from LLVM 16 (on Darwin) and LLVM 18 (on other platforms) to LLVM 19.
  This introduces some backwards‐incompatible changes; see the [upstream release notes](https://releases.llvm.org/) for details.

 - The Factor programming language packages were reworked. `factor-lang-scope` is now named `factorPackages` and provides a `buildFactorApplication` function to deploy Factor programs as binaries. It has also received proper documentation in the Nixpkgs manual.

+- The packaging of Mesa graphics drivers has been significantly reworked, in particular:
+  - Applications linked against different Mesa versions than installed on the system should now work correctly going forward (however, applications against older Mesa, e.g. from Nixpkgs releases before 25.05, remain broken)
+  - Packages that used to depend on Mesa for libgbm or libdri should use `libgbm` or `dri-pkgconfig-stub` as inputs, respectively
+
+- OpenSSH has been updated from 9.9p2 to 10.0p2, dropping support for DSA keys and adding a new `ssh-auth` binary to handle user authentication in a different address space from unauthenticated sessions. Additionally, we now enable a configure option by default that attempts to lock sshd into RAM to prevent it from being swapped out, which may improve performance if the system is under memory pressure. See the [full changelog](https://www.openwall.com/lists/oss-security/2025/04/09/1) for more details.
+
 - Emacs has been updated to 30.1.
  This introduces some backwards‐incompatible changes; see the NEWS for details.
  NEWS can been viewed from Emacs by typing `C-h n`, or by clicking `Help->Emacs News` from the menu bar.
  It can also be browsed [online](https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30).

+- The `intel` video driver for X.org (from the xf86-video-intel package, which was previously removed because it was non-functional) has been fixed and the driver has been re-introduced.
+
 - The default openexr version has been updated to 3.2.4.

 - The default PHP version has been updated to 8.4.
@@ -36,8 +45,6 @@

 - The default Elixir version has been updated to 1.18.

- `buildPythonPackage`, `buildPythonApplication` and the Python building setup hooks now support both `__structuredAttrs = true` and `__structuredAttrs = false`.
-
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

 ## Backward Incompatibilities {#sec-nixpkgs-release-25.05-incompatibilities}
@@ -57,6 +64,8 @@
  The hook can be disabled by providing `dontCheckForBrokenSymlinks = true;` as an argument to `mkDerivation`.
  For more information, [check the docs](https://nixos.org/manual/nixpkgs/unstable/#no-broken-symlinks.sh) or [see this PR](https://github.com/NixOS/nixpkgs/pull/370750).

+- `gkraken` has been removed. The recommended alternative is `coolercontrol`.
+
 - `opensmtpd-extras` has been deprecated by upstream and is not compatible with
  OpenSMTPD 7.6.0 or later. The package has been removed in favor of a set of new
  `opensmtpd-table-*` packages.
@@ -65,20 +74,42 @@
  configuration settings. Notably, it now defaults to listening on a socket
  rather than a port. See [Migrating from version 1.x](https://github.com/roehling/postsrsd/blob/2.0.10/README.rst#migrating-from-version-1x) and [Postfix Setup](https://github.com/roehling/postsrsd?tab=readme-ov-file#postfix-setup) for details.

+- `renovate` was updated to v39. See the [upstream release notes](https://docs.renovatebot.com/release-notes-for-major-versions/#version-39) for breaking changes.
+  Like upstream's docker images, renovate now runs on NodeJS 22.
+
 - The hand written `perlPackages.SearchXapian` bindings have been dropped in favor of the (mostly compatible)
  `perlPackages.Xapian`.

+- `varnish` was updated from 7.5.0 to 7.7.0, see [Varnish 7.6.0 upgrade guide](https://varnish-cache.org/docs/7.6/whats-new/upgrading-7.6.html) and
+[Varnish 7.7.0 upgrade guide](https://varnish-cache.org/docs/7.7/whats-new/upgrading-7.7.html#whatsnew-upgrading-7-7).
+
 - The `config` triple for `aarch64-darwin` has been changed from `aarch64-apple-darwin` to `arm64-apple-darwin` to match the Apple toolchain and LLVM’s expectations.

 - The `electron` packages will now provide their headers (available via `electron.headers`) in extracted form instead of in a tarball.

+- The udev rules of the `libjaylink` package require users to be in the `jlink` instead of `plugdev` group now, since the `plugdev` group is very uncommon for NixOS. Alternatively, access is granted to seat sessions.
+
 - The `ephemeral` package was removed due to upstream archival in early 2022.

+- The `gotenberg` package has been updated to 8.16.0, which brings breaking changes to the configuration from version 8.13.0. See the [upstream release notes](https://github.com/gotenberg/gotenberg/releases/tag/v8.13.0) for that release to get all the details.
+
+- `zammad` has had its support for MySQL removed, since it was never working correctly and is now deprecated upstream. Check the [migration guide](https://docs.zammad.org/en/latest/appendix/migrate-to-postgresql.html) for how to convert your database to PostgreSQL.
+
 - The `vocal` package was removed due to upstream archival. The upstream developer suggests using `gnome-podcasts` or `kasts` instead.

+- `timescaledb` requires manual upgrade steps.
+    After you run ALTER EXTENSION, you must run [this SQL script](https://github.com/timescale/timescaledb-extras/blob/master/utils/2.15.X-fix_hypertable_foreign_keys.sql). For more details, see the following pull requests [#6797](https://github.com/timescale/timescaledb/pull/6797).
+    PostgreSQL 13 is no longer supported in TimescaleDB v2.16.
+
+- `paperless-ngx` has been updated to minor version 2.15 which switched the web server from Gunicorn to Granian. If you set Gunicorn specific envs (usually contain GUNICORN) they must be updated.
+
 - [testers.shellcheck](https://nixos.org/manual/nixpkgs/unstable/#tester-shellcheck) now warns when `name` is not provided.
  The `name` argument will become mandatory in a future release.

+- `tauon` 7.9.0+ when launched for the first time, migrates its database to a new schema that is not backwards compatible. Older versions will refuse to start at all with that database afterwards. If you need to still use older tauon versions, make sure to back up `~/.local/share/TauonMusicBox`.
+
+- `aws-workspaces` has dropped support for PCoiP networking.
+
 - [GIMP 3.0](https://www.gimp.org/news/2025/03/16/gimp-3-0-released/) available as `gimp3`.

 - `grafana-agent` and `services.grafana-agent` have been removed in favor of
@@ -87,10 +118,35 @@
  Grafana recommends migrating to `grafana-alloy` (`services.alloy`).
  See https://grafana.com/docs/alloy/latest/set-up/migrate/ for details.

+- `slskd` has been updated to v0.22.3, which includes breaking changes to `script` integrations. Please review the [changelog](https://github.com/slskd/slskd/releases/tag/0.22.3)
+  and the accompanying [pull request](https://github.com/slskd/slskd/pull/1292).
+
+- `forgejo` and `forgejo-lts` have been updated to v11.
+  See upstreams [release blog post](https://forgejo.org/2025-04-release-v11-0/) for more information.
+
+- `unifi` has been updated to v9.1.
+  This version should be backward compatible with v8.x, however as a result, `unifi8` package has been removed.
+
 - `xdragon` package has been renamed to `dragon-drop`.
  `xdragon` is an alias to `dragon-drop` and the package still provides `bin/xdragon`.
  `bin/dragon` is no longer supplied.

+- `python3Packages.bpycv` has been removed due to being incompatible with Blender 4 and unmaintained.
+
+- `python3Packages.jaeger-client` was removed because it was deprecated upstream. [OpenTelemetry](https://opentelemetry.io) is the recommended replacement.
+
+- `rocmPackages_6` has been updated to ROCm 6.3.
+
+- `rocmPackages_5` has been removed.
+
+- `rocmPackages.rocm-thunk` has been removed and its functionality has been integrated with the ROCm CLR. Use `rocmPackages.clr` instead.
+
+- `rocmPackages.clang-ocl` has been removed. [It was deprecated by AMD in 2023.](https://github.com/ROCm/clang-ocl)
+
+- `nodePackages.meshcommander` has been removed, as the package was deprecated by Intel.
+
+- The default version of `z3` has been updated from 4.8 to 4.13. There are still a few packages that need specific older versions; those will continue to be maintained as long as other packages depend on them but may be removed in the future.
+
 - The `nixLog*` family of functions made available through the standard environment have been rewritten to prefix messages with both the debug level and the function name of the caller.
  The `nixLog` function, which logs unconditionally, was also re-introduced and modified to prefix messages with the function name of the caller.
  For more information, [see this PR](https://github.com/NixOS/nixpkgs/pull/370742).
@@ -113,6 +169,10 @@
  and the [4.2 release](https://github.com/netbox-community/netbox/releases/tag/v4.2.0),
  make the required changes to your database, if needed, then upgrade by setting `services.netbox.package = pkgs.netbox_4_2;` in your configuration.

+- `nodePackages.expo-cli` has been removed, as it was deprecated by upstream. The suggested replacement is the `npx expo` command.
+
+- The `conduwuit` matrix server implementation has officially been discontinued by upstream and the package has thus been marked as vulnerable, as it is a security-sensitive package that has reached EOL.
+
 - NetBox version 4.0.X available as `netbox_4_0` was removed. Please upgrade to `4.2`.

 - `golangci-lint` has reached `v2`. Please read the changes and view the migration guide [here](https://golangci-lint.run/product/changelog/#200).
@@ -127,6 +187,8 @@

 - Default ICU version updated from 74 to 76

+- The packages `signald`, `signaldctl` and `purple-signald` have been dropped as they are unmaintained upstream and have been incompatible with the official Signal servers for a long while.
+
 - Apache Kafka was updated to `>= 4.0.0`. Please note that this is the first release which operates
  entirely without Apache ZooKeeper support, and all clusters need to be migrated to KRaft mode. See
  the [release announcement](https://kafka.apache.org/blog#apache_kafka_400_release_announcement)
@@ -232,6 +294,8 @@

 - `dwarf-fortress-packages` now only contains one minor version for each major version since version 0.44. Saves should still be compatible, but you may have to change which minor version you were using if it was one other than the newest.

+- `tpm2-pkcs11` now is compiled without abrmd (Access Broker and Resource Manager Daemon) support by default, preferring the kernel resource manager. Use `tpm2-pkcs11.abrmd` if you would like a version with abrmd support. Note that the NixOS module picks the correct one automatically based on `security.tpm2.abrmd`.
+
 - `zig_0_9` and `zig_0_10` have been removed, you should upgrade to `zig_0_13` (also available as just `zig`), `zig_0_12` or `zig_0_11` instead.

 - `webpack-cli` was updated to major version 6, which has breaking changes from the previous version 5.1.4. See the [upstream release notes](https://github.com/webpack/webpack-cli/releases/tag/webpack-cli%406.0.0) for details on these changes.
@@ -270,7 +334,7 @@

 - `nodePackages.meshcommander` has been removed, as the package was deprecated by Intel.

- The default version of `z3` has been updated from 4.8 to 4.14, and all old versions have been dropped. Note that `fstar` still depends on specific versions, and maintains them as overrides.
+- The default version of `z3` has been updated from 4.8 to 4.15, and all old versions have been dropped. Note that `fstar` still depends on specific versions, and maintains them as overrides.

 - `prometheus` has been updated from 2.55.0 to 3.1.0.
  Read the [release blog post](https://prometheus.io/blog/2024/11/14/prometheus-3-0/) and
@@ -328,12 +392,22 @@
 - `docker_24` has been removed, as it was EOL with vulnerabilities since June 08, 2024.

 - Emacs 28 and 29 have been removed.
+
 - Emacs 28 Macport has been removed, while CVEs of Emacs 29 Macport are patched.

 - `containerd` has been updated to v2, which contains breaking changes. See the [containerd
  2.0](https://github.com/containerd/containerd/blob/main/docs/containerd-2.0.md) documentation for more
  details.

+- The `tinycc` package now has the `dev`, `doc` and `lib` outputs, thus,
+`tinycc.out` may now only provide the tcc and cross compilers binaries.
+
+- The `testTarget` argument of `haskellPackages.mkDerivation` has been deprecated in favour of `testTargets`.
+  `testTarget` took a space separated string of targets, whereas the new `testTargets` argument takes a list of targets.
+  For instance, `testTarget = "foo bar baz"` should become `testTargets = [ "foo" "bar" "baz" ]`.
+
+- `rustPlatform.buildRustPackage` stops handling the deprecated argument `cargoSha256`. Out-of-tree packages that haven't migrated from `cargoSha256` to `cargoHash` now receive errors.
+
 - `nodePackages.stackdriver-statsd-backend` has been removed, as the StackDriver service has been discontinued by Google, and therefore the package no longer works.

 - `python3Packages.opentracing` has been removed due to being unmaintained upstream. [OpenTelemetry](https://opentelemetry.io/) is the recommended replacement.
@@ -374,9 +448,16 @@
  - `i18n.extraLocales` should now be the preferred way to install additional locales.
  - `i18n.supportedLocales` is now considered an implementation detail and will be hidden from the documentation. But the option will still continue to work.
  - `i18n.supportedLocales` will now trigger a warning when it omits any locale set in `i18n.defaultLocale`, `i18n.extraLocales` or `i18n.extraLocaleSettings`.
+  - The options `i18n.defaultCharset` & `i18n.localeCharsets` were added, and they complement `i18n.defaultLocale` & `i18n.extraLocaleSettings` respectively - allowing to control the character set used per locale setting.
+
+- Plasma 5 and Qt 5 based versions of associated software are deprecated in NixOS 25.05, and will be removed in NixOS 25.11. Users are encouraged to upgrade to Plasma 6.

 - `titaniumenv`, `titanium`, and `titanium-alloy` have been removed due to lack of maintenance in Nixpkgs []{#sec-nixpkgs-release-25.05-incompatibilities-titanium-removed}.

+- [Cursor](https://cursor.com/) — a vscode-based editor that uses AI to help you write code faster — has been packaged as `cursor`.
+
+- `octave` (and `octaveFull`) was updated to version `10.x`. The update broke a few `octavePackages`, and `librsb`. See [the PR's commits](https://github.com/NixOS/nixpkgs/pull/394495/commits) for more details.
+
 - androidenv has been improved:
  - All versions specified in composeAndroidPackages now track the latest. Android packages are automatically updated on unstable, and run the androidenv test suite on every update.
  - Many androidenv packages are now searchable on [search.nixos.org](https://search.nixos.org).
@@ -386,26 +467,79 @@

 - `gerbera` now has wavpack support.

+- `buildPythonPackage`, `buildPythonApplication` and the Python building setup hooks now support both `__structuredAttrs = true` and `__structuredAttrs = false`.
+
+- `buildGoModule` now supports a self-referencing `finalAttrs:` parameter
+  containing the final arguments including overrides.
+  This allows packaging configuration to be overridden in a consistent manner by
+  providing an alternative to `rec {}` syntax.
+
+- Caddy can now be built with plugins by using `caddy.withPlugins`, a `passthru` function that accepts an attribute set as a parameter. The `plugins` argument represents a list of Caddy plugins, with each Caddy plugin being a versioned module. The `hash` argument represents the `vendorHash` of the resulting Caddy source code with the plugins added.
+
+  Example:
+  ```nix
+  let
+    pkgs = import <nixpkgs> { };
+  in
+
+  pkgs.caddy.withPlugins {
+    plugins = [
+      # tagged upstream
+      "github.com/caddy-dns/powerdns@v1.0.1"
+      # pseudo-version number generated by Go
+      "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"
+      "github.com/mholt/caddy-webdav@v0.0.0-20241008162340-42168ba04c9d"
+    ];
+    hash = "sha256-wqXSd1Ep9TVpQi570TTb96LwzNYvWL5EBJXMJfYWCAk=";
+  }
+  ```
+
+  To get the necessary hash of the vendored dependencies, omit `hash`. The build will fail and tell you the correct value.
+
+  Note that all provided plugins must have versions/tags (string after `@`), even if upstream repo does not tag each release. For untagged plugins, you can either create an empty Go project and run `go get <plugin>` and see changes in `go.mod` to get the pseudo-version number, or provide a commit hash in place of version/tag for the first run, and update the plugin string based on the error output.
+
+- The `godot-export-templates` package now has its content at `share/godot/export_templates/$version` instead of the output root. This makes it more convenient for for symlinking into `~/.local`, but scripts expecting the old layout will need to be changed.
+
 - GOverlay has been updated to 1.2, please check the [upstream changelog](https://github.com/benjamimgois/goverlay/releases) for more details.

 - `tpm2-pkcs11` now has the variant `tpm2-pkcs11-fapi`, which has been patched to default to the Feature API backend. It has also been split into `tpm2-pkcs11-esapi`, which _only_ supports the older Enhanced System API backend. Note the [differences](https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.1/docs/FAPI.md), and that `tpm2-pkcs11` itself still needs `TPM2_PKCS11_BACKEND=fapi` exported in order to use the Feature API, whereas `tpm2-pkcs11-fapi` does not, and `tpm2-pkcs11-esapi` just does not support fapi entirely.

 - For matrix homeserver Synapse we are now following the upstream recommendation to enable jemalloc as the memory allocator by default.

+- Mattermost, a self-hosted chat collaboration platform supporting calls, playbooks, and boards, has been updated. It now has multiple versions, disabled telemetry, and a native frontend build in nixpkgs, removing all upstream prebuilt blobs.
+  - A new `pkgs.mattermost.buildPlugin` function has been added, which allows plugins to be built from source, including webapp frontends with a supported package-lock.json. See the Mattermost NixOS test and [manual](https://nixos.org/manual/nixos/unstable#sec-mattermost-plugins-build) for an example.
+  - The Mattermost frontend is now built from source and can be overridden. Note that the Mattermost derivation containing both the webapp and server is now wrapped to allow them to be built independently, so overrides to both webapp and server look like `mattermost.overrideAttrs (prev: { webapp = prev.webapp.override { ... }; server = prev.server.override { ... }; })` now.
+  - `pkgs.mattermost` has been updated from 9.11 to 10.5 to track the latest extended support release, since 9.11 will become end-of-life during the lifetime of NixOS 25.05.
+  - `pkgs.mattermostLatest` is now an option to track the latest (non-prerelease) Mattermost release. We test upgrade migrations from ESR releases (`pkgs.mattermost`) to `pkgs.mattermostLatest`.
+
+- A new hardening flag, `nostrictaliasing` was made available, corresponding to the gcc/clang option `-fno-strict-aliasing`.
+
+- The `stackclashprotection` hardening flag has been enabled by default on compilers that support it.
+
 - In `dovecot` package removed hard coding path to module directory.

+- `authelia` version 4.39.0 has made some changes which deprecate older configurations.
+  They are still expected to be working until future version 5.0.0, but will generate warnings in logs.
+  Read the [release notes](https://www.authelia.com/blog/4.39-release-notes/) for human readable summaries of the changes.
+
+- `hddfancontrol` has been updated to major release 2. See the [migration guide](https://github.com/desbma/hddfancontrol/tree/master?tab=readme-ov-file#migrating-from-v1x), as there are breaking changes.
+
+- `nextcloud-news-updater` is unmaintained and was removed from nixpkgs.
+
+- KDE Partition Manager `partitionmanager`'s support for ReiserFS is removed.
+  ReiserFS has not been actively maintained for many years. It has been marked as obsolete since Linux 6.6, and
+  [is removed](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c01f664e4ca210823b7594b50669bbd9b0a3c3b0)
+  in Linux 6.13.
+
+- `gerbera` now has wavpack support.
+
 - `signal-desktop` has been migrated to a from source build. No state migration is necessary. In case there's no working source build available (like on Darwin), the the binary build is still available at `signal-desktop-bin`.

 - `ddclient` was updated from 3.11.2 to 4.0.0 [Release notes](https://github.com/ddclient/ddclient/releases/tag/v4.0.0)

-### NexusMods.App upgraded {#sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded}
-
 - `nexusmods-app` has been upgraded from version 0.6.3 to 0.10.2.
-
  - Before upgrading, you **must reset all app state** (mods, games, settings, etc). NexusMods.App will crash if any state from a version older than 0.7.0 is still present.
-
  - Typically, you can can reset to a clean state by running `NexusMods.App uninstall-app`. See Nexus Mod's [how to uninstall the app](https://nexus-mods.github.io/NexusMods.App/users/Uninstall) documentation for more detail and alternative methods.
-
  - This should not be necessary going forward, because loading app state from 0.7.0 or newer is now supported. This is documented in the [0.7.1 changelog](https://github.com/Nexus-Mods/NexusMods.App/releases/tag/v0.7.1).

 ## Nixpkgs Library {#sec-nixpkgs-release-25.05-lib}
@@ -416,15 +550,7 @@
  - [`lib.types.enum`](https://nixos.org/manual/nixos/unstable/#sec-option-types-basic): Previously the `functor.payload` was the list of enum values directly. Now it is an attribute set containing the values in the `values` attribute.
  - [`lib.types.separatedString`](https://nixos.org/manual/nixos/unstable/#sec-option-types-string): Previously the `functor.payload` was the separator directly. Now it is an attribute set containing the separator in the `sep` attribute.

- The `tinycc` package now has the `dev`, `doc` and `lib` outputs, thus,
-`tinycc.out` may now only provide the tcc and cross compilers binaries.
-
- The `virtualisation.hypervGuest.videoMode` option has been removed. Standard tooling can now be used to configure display modes for Hyper-V VMs.
-
- [`lib.packagesFromDirectoryRecursive`] now rejects unknown arguments.
-  [`lib.packagesFromDirectoryRecursive`]: https://nixos.org/manual/nixpkgs/stable/#function-library-lib.filesystem.packagesFromDirectoryRecursive
-
- The `godot-export-templates` package now has its content at `share/godot/export_templates/$version` instead of the output root. This makes it more convenient for for symlinking into `~/.local`, but scripts expecting the old layout will need to be changed.
+- [`lib.packagesFromDirectoryRecursive`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.filesystem.packagesFromDirectoryRecursive) now rejects unknown arguments.

 ### Deprecations {#sec-nixpkgs-release-25.05-lib-deprecations}

@@ -438,14 +564,6 @@
    - `lib.types.coercedTo`
    - `lib.types.either`

- The `testTarget` argument of `haskellPackages.mkDerivation` has been deprecated in favour of `testTargets`.
-  `testTarget` took a space separated string of targets, whereas the new `testTargets` argument takes a list of targets.
-  For instance, `testTarget = "foo bar baz"` should become `testTargets = [ "foo" "bar" "baz" ]`.
-
- Plasma 5 and Qt 5 based versions of associated software are deprecated in NixOS 25.05, and will be removed in NixOS 25.11. Users are encouraged to upgrade to Plasma 6.
-
- `rustPlatform.buildRustPackage` stops handling the deprecated argument `cargoSha256`. Out-of-tree packages that haven't migrated from `cargoSha256` to `cargoHash` now receive errors.
-
 ### Additions and Improvements {#sec-nixpkgs-release-25.05-lib-additions-improvements}

- [`lib.packagesFromDirectoryRecursive`] can now construct nested scopes matching the directory tree passed as input.
+- [`lib.packagesFromDirectoryRecursive`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.filesystem.packagesFromDirectoryRecursive) can now construct nested scopes matching the directory tree passed as input.
--- a/lib/meta.nix
+++ b/lib/meta.nix
@@ -289,8 +289,7 @@ rec {
  */
  availableOn =
    platform: pkg:
-    pkg != null
-    && ((!pkg ? meta.platforms) || any (platformMatch platform) pkg.meta.platforms)
+    ((!pkg ? meta.platforms) || any (platformMatch platform) pkg.meta.platforms)
    && all (elem: !platformMatch platform elem) (pkg.meta.badPlatforms or [ ]);

  /**
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -7195,7 +7195,6 @@
    email = "fedi.jamoussi@protonmail.ch";
    github = "eljamm";
    githubId = 83901271;
-    keys = [ { fingerprint = "FF59 E027 4EE2 E792 512B  BDC8 7630 FDF7 C8FB 1F3F"; } ];
  };
  elkowar = {
    email = "thereal.elkowar@gmail.com";
@@ -7423,6 +7422,11 @@
    githubId = 5085029;
    name = "Emanuele Peruffo";
  };
+  epireyn = {
+    github = "epireyn";
+    githubId = 48213068;
+    name = "Edgar Pireyn";
+  };
  equirosa = {
    email = "eduardo@eduardoquiros.com";
    github = "equirosa";
@@ -18218,10 +18222,11 @@
    name = "Dakota";
  };
  ohheyrj = {
-    email = "richard+nix@ohheyrj.co.uk";
+    email = "richard@ohheyrj.co.uk";
    github = "ohheyrj";
    name = "ohheyrj";
    githubId = 5339261;
+    keys = [ { fingerprint = "4258 3FE7 12E9 6071 E84D  53C7 6E1D A270 0B72 746D"; } ];
  };
  oida = {
    email = "oida@posteo.de";
@@ -20967,6 +20972,12 @@
    githubId = 807447;
    name = "Robert Scott";
  };
+  Rishabh5321 = {
+    name = "Rishabh Singh";
+    email = "rishabh98818@gmail.com";
+    github = "Rishabh5321";
+    githubId = 40533251;
+  };
  Rishik-Y = {
    name = "Rishik Yalamanchili";
    email = "202301258@daiict.ac.in";
@@ -24569,6 +24580,12 @@
    githubId = 6579555;
    name = "Jeroen Jetten";
  };
+  thetaoofsu = {
+    email = "TheTaoOfSu@protonmail.com";
+    github = "TheTaoOfSu";
+    githubId = 45526311;
+    name = "TheTaoOfSu";
+  };
  theuni = {
    email = "ct@flyingcircus.io";
    github = "ctheune";
@@ -25084,6 +25101,12 @@
    github = "totoroot";
    githubId = 39650930;
  };
+  tournev = {
+    name = "Vincent Tourneur";
+    email = "vincent@pimoid.fr";
+    github = "vtourneur";
+    githubId = 48284424;
+  };
  ToxicFrog = {
    email = "toxicfrog@ancilla.ca";
    github = "ToxicFrog";
--- a/nixos/doc/manual/installation/upgrading.chapter.md
+++ b/nixos/doc/manual/installation/upgrading.chapter.md
@@ -6,7 +6,7 @@ expressions and associated binaries. The NixOS channels are updated
 automatically from NixOS's Git repository after certain tests have
 passed and all packages have been built. These channels are:

-   *Stable channels*, such as [`nixos-24.11`](https://channels.nixos.org/nixos-24.11).
+-   *Stable channels*, such as [`nixos-25.05`](https://channels.nixos.org/nixos-25.05).
    These only get conservative bug fixes and package upgrades. For
    instance, a channel update may cause the Linux kernel on your system
    to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not
@@ -19,7 +19,7 @@ passed and all packages have been built. These channels are:
    radical changes between channel updates. It's not recommended for
    production systems.

-   *Small channels*, such as [`nixos-24.11-small`](https://channels.nixos.org/nixos-24.11-small)
+-   *Small channels*, such as [`nixos-25.05-small`](https://channels.nixos.org/nixos-25.05-small)
    or [`nixos-unstable-small`](https://channels.nixos.org/nixos-unstable-small).
    These are identical to the stable and unstable channels described above,
    except that they contain fewer binary packages. This means they get updated
@@ -38,8 +38,8 @@ supported stable release.

 When you first install NixOS, you're automatically subscribed to the
 NixOS channel that corresponds to your installation source. For
-instance, if you installed from a 24.11 ISO, you will be subscribed to
-the `nixos-24.11` channel. To see which NixOS channel you're subscribed
+instance, if you installed from a 25.05 ISO, you will be subscribed to
+the `nixos-25.05` channel. To see which NixOS channel you're subscribed
 to, run the following as root:

 ```ShellSession
@@ -54,16 +54,16 @@ To switch to a different NixOS channel, do
 ```

 (Be sure to include the `nixos` parameter at the end.) For instance, to
-use the NixOS 24.11 stable channel:
+use the NixOS 25.05 stable channel:

 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-24.11 nixos
+# nix-channel --add https://channels.nixos.org/nixos-25.05 nixos
 ```

 If you have a server, you may want to use the "small" channel instead:

 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-24.11-small nixos
+# nix-channel --add https://channels.nixos.org/nixos-25.05-small nixos
 ```

 And if you want to live on the bleeding edge:
@@ -117,6 +117,6 @@ modules. You can also specify a channel explicitly, e.g.

 ```nix
 {
-  system.autoUpgrade.channel = "https://channels.nixos.org/nixos-24.11";
+  system.autoUpgrade.channel = "https://channels.nixos.org/nixos-25.05";
 }
 ```
--- a/nixos/doc/manual/redirects.json
+++ b/nixos/doc/manual/redirects.json
@@ -2001,7 +2001,8 @@
    "release-notes.html#sec-nixpkgs-release-25.05"
  ],
  "sec-nixpkgs-release-25.05-incompatibilities": [
-    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities"
+    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities",
+    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded"
  ],
  "sec-nixpkgs-release-25.05-incompatibilities-titanium-removed": [
    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities-titanium-removed",
@@ -2009,9 +2010,6 @@
    "index.html#building-a-titanium-app",
    "index.html#emulating-or-simulating-the-app"
  ],
-  "sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded": [
-    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded"
-  ],
  "sec-nixpkgs-release-25.05-lib": [
    "release-notes.html#sec-nixpkgs-release-25.05-lib"
  ],
--- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -1,26 +1,21 @@
-# Nixos 25.05 (“Warbler”, 2025.05/??) {#sec-release-25.05}
+# Release 25.05 (“Warbler”, 2025.05/23) {#sec-release-25.05}

 ## Highlights {#sec-release-25.05-highlights}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

+Alongside many enhancements to NixOS modules and general system improvements, this release features the following highlights:
+
 - NixOS now has initial support for the [**COSMIC DE**](https://system76.com/cosmic) which is currently at **Alpha 7**. COSMIC is a Rust-based Desktop Environment by System76, makers of Pop!_OS. You can use COSMIC by enabling the greeter (login manager) with [](#opt-services.displayManager.cosmic-greeter.enable), and the DE itself by enabling [](#opt-services.desktopManager.cosmic.enable). The support in NixOS/Nixpkgs is stable but still considered experimental because of the recent the addition. The COSMIC maintainers will be waiting for one more release of NixOS to determine if the experimental tag should be removed or not. Until then, please report any issues to the [COSMIC DE tracker in Nixpkgs](https://github.com/NixOS/nixpkgs/issues/259641) instead of upstream.

 - `nixos-rebuild-ng`, a full rewrite of `nixos-rebuild` in Python, is available for testing. You can enable it by setting [](#opt-system.rebuild.enableNg) in your configuration (this will replace the old `nixos-rebuild`), or by adding `nixos-rebuild-ng` to your `environment.systemPackages` (in this case, it will live side-by-side with `nixos-rebuild` as `nixos-rebuild-ng`). It is expected that the next major version of NixOS (25.11) will enable `system.rebuild.enableNg` by default.

- The `nixos-generate-config` command now supports a optional `--flake` option, which will generate a flake.nix file alongside the `configuration.nix` and `hardware-configuration.nix`, providing an easy introduction into flake-based system configurations.
-
 - A `nixos-rebuild build-image` sub-command has been added.
  It allows users to build platform-specific (disk) images from their NixOS configurations. `nixos-rebuild build-image` works similar to the popular [nix-community/nixos-generators](https://github.com/nix-community/nixos-generators) project. See new [section on image building in the NixOS manual](#sec-image-nixos-rebuild-build-image). It is also available for `nixos-rebuild-ng`.

 - `nixos-option` has been rewritten to a Nix expression called by a simple bash script. This lowers our maintenance threshold, makes eval errors less verbose, adds support for flake-based configurations, descending into `attrsOf` and `listOf` submodule options, and `--show-trace`.

- The packaging of Mesa graphics drivers has been significantly reworked, in particular:
-  - Applications linked against different Mesa versions than installed on the system should now work correctly going forward (however, applications against older Mesa, e.g. from Nixpkgs releases before 25.05, remain broken)
-  - The global Mesa version can now be managed without a mass rebuild by setting [](#opt-hardware.graphics.package)
-  - Packages that used to depend on Mesa for libgbm or libdri should use `libgbm` or `dri-pkgconfig-stub` as inputs, respectively
-
- OpenSSH has been updated from 9.9p2 to 10.0p2, dropping support for DSA keys and adding a new `ssh-auth` binary to handle user authentication in a different address space from unauthenticated sessions. Additionally, we now enable a configure option by default that attempts to lock sshd into RAM to prevent it from being swapped out, which may improve performance if the system is under memory pressure. See the [full changelog](https://www.openwall.com/lists/oss-security/2025/04/09/1) for more details.
+- The global Mesa version can now be managed without a mass rebuild by setting [](#opt-hardware.graphics.package).

 - GNOME has been updated to version 48.

@@ -32,7 +27,10 @@

  Refer to the [GNOME release notes](https://release.gnome.org/48/) for more details.

- The `intel` video driver for X.org (from the xf86-video-intel package, which was previously removed because it was non-functional) has been fixed and the driver has been re-introduced.
+- [channels.nixos.org](https://channels.nixos.org) now supports the Lockable HTTP Tarball Protocol. This allows using the channel `nixexprs.tar` as Nix Flake input, e.g.:
+  ```
+  inputs.nixpkgs.url = "https://channels.nixos.org/nixos-25.05/nixexprs.tar.xz";
+  ```

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

@@ -44,8 +42,7 @@
  - [programs.amnezia-vpn](#opt-programs.amnezia-vpn.enable): a GUI client which can also deploy a VPN endpoint to a remote server
  - {option}`networking.wireguard` adds support for the [AmneziaWG](https://docs.amnezia.org/documentation/amnezia-wg/) variant of the protocol, featuring better masking against Deep Packet Inspection. The variant to be used is set per interface as `networking.wireguard.interfaces.<name>.type`, defaulting to wireguard.

-
- [Bazecor](https://github.com/Dygmalab/Bazecor), the graphical configurator for Dygma Products.
+- [Bazecor](https://github.com/Dygmalab/Bazecor), the graphical configurator for Dygma Products. Available as [programs.bazecor](#opt-programs.bazecor.enable).

 - [Bonsai](https://git.sr.ht/~stacyharper/bonsai), a general-purpose event mapper/state machine primarily used to create complex key shortcuts, and as part of the [SXMO](https://sxmo.org/) desktop environment. Available as [services.bonsaid](#opt-services.bonsaid.enable).

@@ -53,9 +50,9 @@

 - [Kimai](https://www.kimai.org/), a web-based multi-user time-tracking application. Available as [services.kimai](options.html#opt-services.kimai).

- [Kismet](https://www.kismetwireless.net/), a Wi-Fi, Bluetooth, and RF monitoring application supporting a wide range of hardware. Available as {option}`services.kismet`.
+- [Kismet](https://www.kismetwireless.net/), a Wi-Fi, Bluetooth, and RF monitoring application supporting a wide range of hardware. Available as [services.kismet](#opt-services.kismet.enable).

- [vwifi](https://github.com/Raizo62/vwifi), a Wi-Fi simulator daemon leveraging the `mac80211_hwsim` and `vhost_vsock` kernel modules for efficient simulation of multi-node Wi-Fi networks. Available as {option}`services.vwifi`.
+- [vwifi](https://github.com/Raizo62/vwifi), a Wi-Fi simulator daemon leveraging the `mac80211_hwsim` and `vhost_vsock` kernel modules for efficient simulation of multi-node Wi-Fi networks. Available as [services.vwifi](#opt-services.vwifi.client.enable).

 - [Oncall](https://oncall.tools), a web-based calendar tool designed for scheduling and managing on-call shifts. Available as [services.oncall](options.html#opt-services.oncall).

@@ -65,18 +62,20 @@

 - [Omnom](https://github.com/asciimoo/omnom), a webpage bookmarking and snapshotting service. Available as [services.omnom](options.html#opt-services.omnom.enable).

- [Yggdrasil-Jumper](https://github.com/one-d-wide/yggdrasil-jumper) is an independent project that aims to transparently reduce latency of a connection over Yggdrasil network, utilizing NAT traversal to automatically bypass intermediary nodes.
+- [Yggdrasil-Jumper](https://github.com/one-d-wide/yggdrasil-jumper), an independent project that aims to transparently reduce latency of a connection over Yggdrasil network, utilizing NAT traversal to automatically bypass intermediary nodes. Available as [services.yggdrasil-jumper](#opt-services.yggdrasil-jumper.enable).

- [xpad-noone](https://github.com/medusalix/xpad-noone) is the original upstream xpad driver from the Linux kernel with support for Xbox One controllers removed， especially useful for people who want to use an XBox One controller under the xone driver and an Xbox 360 controller under the xpad driver at the same time. Available as [hardware.xpad-noone](options.html#hardware.xpad-noone).
+- [xpad-noone](https://github.com/medusalix/xpad-noone) is the original upstream xpad driver from the Linux kernel with support for Xbox One controllers removed — especially useful for people who want to use an XBox One controller under the `xone` driver and an Xbox 360 controller under the `xpad` driver at the same time. Available as [hardware.xpad-noone](options.html#hardware.xpad-noone).

 - [uMurmur](https://umurmur.net), minimalistic Mumble server primarily targeted to run on embedded computers. Available as [services.umurmur](options.html#opt-services.umurmur).

- [Zenoh](https://zenoh.io/), a pub/sub/query protocol with low overhead. The Zenoh router daemon is available as [services.zenohd](options.html#opt-services.zenohd.enable)
+- [Zenoh](https://zenoh.io/), a pub/sub/query protocol with low overhead. The Zenoh router daemon is available as [services.zenohd](options.html#opt-services.zenohd.enable).

 - [ytdl-sub](https://github.com/jmbannon/ytdl-sub), a tool that downloads media via yt-dlp and prepares it for your favorite media player, including Kodi, Jellyfin, Plex, Emby, and modern music players. Available as [services.ytdl-sub](options.html#opt-services.ytdl-sub.instances).

 - [MaryTTS](https://github.com/marytts/marytts), an open-source, multilingual text-to-speech synthesis system written in pure Java. Available as [services.marytts](options.html#opt-services.marytts).

+- [Continuwuity](https://continuwuity.org/), a federated chat server implementing the Matrix protocol, forked from Conduwuit. Available as [services.matrix-continuwuity](#opt-services.matrix-continuwuity.enable).
+
 - [Reposilite](https://reposilite.com), a lightweight and easy-to-use repository manager for Maven-based artifacts in the JVM ecosystem. Available as [services.reposilite](options.html#opt-services.reposilite).

 - [networking.modemmanager](options.html#opt-networking.modemmanager) has been split out of [networking.networkmanager](options.html#opt-networking.networkmanager). NetworkManager still enables ModemManager by default, but options exist now to run NetworkManager without ModemManager.
@@ -97,6 +96,8 @@

 - [crab-hole](https://github.com/LuckyTurtleDev/crab-hole), a cross platform Pi-hole clone written in Rust using hickory-dns/trust-dns. Available as [services.crab-hole](#opt-services.crab-hole.enable).

+- [agnos](https://github.com/krtab/agnos), a program that obtains TLS certificates from an ACME provider via the DNS-01 challenge without using third-party DNS provider APIs. Available as [security.agnos](#opt-security.agnos.enable).
+
 - [zwave-js-ui](https://zwave-js.github.io/zwave-js-ui/), a full featured Z-Wave Control Panel and MQTT Gateway. Available as [services.zwave-js-ui](#opt-services.zwave-js-ui.enable).

 - [Pinchflat](https://github.com/kieraneglin/pinchflat), a selfhosted YouTube media manager used to track channels and download videos on release. Available as [services.pinchflat](#opt-services.pinchflat.enable).
@@ -125,7 +126,7 @@

 - [agorakit](https://github.com/agorakit/agorakit), an organization tool for citizens' collectives. Available with [services.agorakit](options.html#opt-services.agorakit.enable).

- [vivid](https://github.com/sharkdp/vivid), a generator for LS_COLOR. Available as [programs.vivid](#opt-programs.vivid.enable).
+- [vivid](https://github.com/sharkdp/vivid), a generator for `LS_COLOR`. Available as [programs.vivid](#opt-programs.vivid.enable).

 - [matrix-alertmanager](https://github.com/jaywink/matrix-alertmanager), a bot to receive Alertmanager webhook events and forward them to chosen Matrix rooms. Available as [services.matrix-alertmanager](options.html#opt-services.matrix-alertmanager.enable).

@@ -135,13 +136,13 @@

 - [grav](https://getgrav.org/), a modern flat-file CMS. Available with [services.grav](options.html#opt-services.grav.enable).

- [duckdns](https://www.duckdns.org), free dynamic DNS. Available with [services.duckdns](options.html#opt-services.duckdns.enable)
+- [duckdns](https://www.duckdns.org), free dynamic DNS. Available with [services.duckdns](options.html#opt-services.duckdns.enable).

- [Zoxide](https://github.com/ajeetdsouza/zoxide), a smarter cd command, inspired by z and autojump. Available as [programs.zoxide](options.html#opt-programs.zoxide.enable)
+- [Zoxide](https://github.com/ajeetdsouza/zoxide), a smarter cd command, inspired by z and autojump. Available as [programs.zoxide](options.html#opt-programs.zoxide.enable).

- [victorialogs](https://docs.victoriametrics.com/victorialogs/), log database from VictoriaMetrics. Available as [services.victorialogs](#opt-services.victorialogs.enable)
+- [victorialogs](https://docs.victoriametrics.com/victorialogs/), log database from VictoriaMetrics. Available as [services.victorialogs](#opt-services.victorialogs.enable).

- [gokapi](https://github.com/Forceu/Gokapi), Lightweight selfhosted Firefox Send alternative without public upload. AWS S3 supported. Available with [services.gokapi](options.html#opt-services.gokapi.enable)
+- [gokapi](https://github.com/Forceu/Gokapi), Lightweight selfhosted Firefox Send alternative without public upload. AWS S3 supported. Available with [services.gokapi](options.html#opt-services.gokapi.enable).

 - [nostr-rs-relay](https://git.sr.ht/~gheartsfield/nostr-rs-relay/), This is a nostr relay, written in Rust. Available as [services.nostr-rs-relay](options.html#opt-services.nostr-rs-relay.enable).

@@ -149,7 +150,7 @@

 - [strfry](https://github.com/hoytech/strfry), a relay for the nostr protocol. Available as [services.strfry](options.html#opt-services.strfry.enable).

- [Prometheus Node Cert Exporter](https://github.com/amimof/node-cert-exporter), a prometheus exporter to check for SSL cert expiry. Available under [services.prometheus.exporters.node-cert](#opt-services.prometheus.exporters.node-cert.enable).
+- [Prometheus Node Cert Exporter](https://github.com/amimof/node-cert-exporter), a prometheus exporter to check for SSL cert expiry. Available as [services.prometheus.exporters.node-cert](#opt-services.prometheus.exporters.node-cert.enable).

 - [Actual Budget](https://actualbudget.org/), a local-first personal finance app. Available as [services.actual](#opt-services.actual.enable).

@@ -165,7 +166,7 @@

 - [alertmanager-ntfy](https://github.com/alexbakker/alertmanager-ntfy), forwards Prometheus Alertmanager notifications to ntfy.sh. Available as [services.prometheus.alertmanager-ntfy](#opt-services.prometheus.alertmanager-ntfy.enable).

- [Stash](https://github.com/stashapp/stash), An organizer for your adult videos/images, written in Go. Available as [services.stash](#opt-services.stash.enable).
+- [Stash](https://github.com/stashapp/stash), an organizer for your adult videos/images, written in Go. Available as [services.stash](#opt-services.stash.enable).

 - [vsmartcard-vpcd](https://frankmorgner.github.io/vsmartcard/virtualsmartcard/README.html), a virtual smart card driver. Available as [services.vsmartcard-vpcd](#opt-services.vsmartcard-vpcd.enable).

@@ -205,7 +206,7 @@

 - [KanBoard](https://github.com/kanboard/kanboard), a project management tool that focuses on the Kanban methodology. Available as [services.kanboard](#opt-services.kanboard.enable).

- [git-worktree-switcher](https://github.com/mateusauler/git-worktree-switcher), switch between git worktrees with speed. Available as [programs.git-worktree-switcher](#opt-programs.git-worktree-switcher.enable)
+- [git-worktree-switcher](https://github.com/mateusauler/git-worktree-switcher), switch between git worktrees with speed. Available as [programs.git-worktree-switcher](#opt-programs.git-worktree-switcher.enable).

 - [GLPI-Agent](https://github.com/glpi-project/glpi-agent), GLPI Agent. Available as [services.glpiAgent](options.html#opt-services.glpiAgent.enable).

@@ -215,25 +216,23 @@

 - [Rebuilderd](https://github.com/kpcyrd/rebuilderd) an independent verification of binary packages - Reproducible Builds. Available as [services.rebuilderd](#opt-services.rebuilderd.enable).

- [Limine](https://github.com/limine-bootloader/limine) a modern, advanced, portable, multiprotocol bootloader and boot manager. Available as [boot.loader.limine](#opt-boot.loader.limine.enable)
+- [Limine](https://github.com/limine-bootloader/limine) a modern, advanced, portable, multiprotocol bootloader and boot manager. Available as [boot.loader.limine](#opt-boot.loader.limine.enable).

 - [Orthanc](https://orthanc.uclouvain.be/) a lightweight, RESTful DICOM server for healthcare and medical research. Available as [services.orthanc](#opt-services.orthanc.enable).

 - [Docling Serve](https://github.com/docling-project/docling-serve) running [Docling](https://github.com/docling-project/docling) as an API service. Available as [services.docling-serve](#opt-services.docling-serve.enable).

- [Pareto Security](https://paretosecurity.com/) is an alternative to corporate compliance solutions for companies that care about security but know it doesn't have to be invasive. Available as [services.paretosecurity](#opt-services.paretosecurity.enable)
-
- [Cursor](https://cursor.com/) is a vscode-based editor that uses AI to help you write code faster.
+- [Pareto Security](https://paretosecurity.com/) is an alternative to corporate compliance solutions for companies that care about security but know it doesn't have to be invasive. Available as [services.paretosecurity](#opt-services.paretosecurity.enable).

 - [GNU Rush](https://gnu.org/software/rush/) is a Restricted User Shell, designed for systems providing limited remote access to their resources. Available as [programs.rush](#opt-programs.rush.enable).

- [ipfs-cluster](https://ipfscluster.io/), Pinset orchestration for IPFS. Available as [services.ipfs-cluster](#opt-services.ipfs-cluster.enable)
+- [ipfs-cluster](https://ipfscluster.io/), Pinset orchestration for IPFS. Available as [services.ipfs-cluster](#opt-services.ipfs-cluster.enable).

 - [bitbox-bridge](https://github.com/BitBoxSwiss/bitbox-bridge), a bridge software that connects BitBox hardware wallets to computers & web wallets like [Rabby](https://rabby.io/). Allows one to interact & transact with smart contracts, Web3 websites & financial services without storing private keys anywhere other than the hardware wallet. Available as [services.bitbox-bridge](#opt-services.bitbox-bridge.enable).

 - [GoDNS](https://github.com/TimothyYe/godns), a dynamic DNS client written in Go, which supports multiple DNS providers. Available as [services.godns](option.html#opt-services.godns.enable).

- [CookCLI](https://cooklang.org/cli/) Server, a web UI for cooklang recipes.
+- [CookCLI](https://cooklang.org/cli/) Server, a web UI for cooklang recipes. Available as [services.cook-cli](#opt-services.cook-cli.enable).

 - [Prometheus eBPF Exporter](https://github.com/cloudflare/ebpf_exporter),
  Prometheus exporter for custom eBPF metrics. Available as
@@ -253,8 +252,6 @@
  and error starting 25.05 with instructions the following instructions:
  The canonical source for NixOS AMIs is the AWS API. Please see https://nixos.org/download/#nixos-amazon or  https://nixos.github.io/amis/ for instructions.

- The udev rules of the libjaylink package require users to be in the `jlink` instead of `plugdev` group now, since the `plugdev` group is very uncommon for NixOS. Alternatively, access is granted to seat sessions.
-
 - The latest available version of Nextcloud is v31 (available as `pkgs.nextcloud31`). The installation logic is as follows:
  - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
  - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.11, `pkgs.nextcloud30` will be installed by default.
@@ -268,11 +265,20 @@
  [not recommended by upstream](https://docs.nextcloud.com/server/30/admin_manual/installation/system_requirements.html)
  and thus doesn't qualify as default.

+- PowerDNS Recursor has been updated to version 5.1.2, which comes with a new YAML configuration format (`recursor.yml`)
+  and deprecates the previous format (`recursor.conf`). Accordingly, the NixOS option `services.pdns-recursor.settings`
+  has been renamed to [old-settings](#opt-services.pdns-recursor.old-settings) and will be provided for backward compatibility
+  until the next NixOS release. Users are asked to migrate their settings to the new [yaml-settings](#opt-services.pdns-recursor.old-settings)
+  option following this [guide](https://doc.powerdns.com/recursor/appendices/yamlconversion.html).
+  Note that options other than `services.pdns-recursor.settings` are unaffacted by this change.
+
+- The `virtualisation.hypervGuest.videoMode` option has been removed. Standard tooling can now be used to configure display modes for Hyper-V VMs.
+
 - Nextcloud's default FPM pool settings have been increased according to upstream recommentations. It's advised
  to review the new defaults and description of
  [](#opt-services.nextcloud.poolSettings).

- In `users.users` allocation on systems with multiple users it could happen that collided with others. Now these users get new subuid ranges assigned. When this happens, a warning is issued on the first activation. If the subuids were used (e.g. with rootless container managers like podman), please change the ownership of affected files accordingly.
+- In `users.users` subuid allocation on systems with multiple users it could happen that some users' allocated subuid ranges collided with others. Now these users get new subuid ranges assigned. When this happens, a warning is issued on the first activation. If the subuids were used (e.g. with rootless container managers like podman), please change the ownership of affected files accordingly.

 - The `services.locate` module does no longer support findutil's `locate` due to its inferior performance compared to `mlocate` and `plocate`. The new default is `plocate`.
  As the `service.locate.localuser` option only applied when using findutil's `locate`, it has also been removed.
@@ -280,12 +286,6 @@
 - `services.paperless` now installs `paperless-manage` as a normal system package instead of creating a symlink in `/var/lib/paperless`.
  `paperless-manage` now also changes to the appropriate user when being executed.

- The `gotenberg` package has been updated to 8.16.0, which brings breaking changes to the configuration from version 8.13.0. See the [upstream release notes](https://github.com/gotenberg/gotenberg/releases/tag/v8.13.0)
-  for that release to get all the details. The `services.gotenberg` module has been updated appropriately to ensure your configuration is valid with this new release.
-
- `varnish` was updated from 7.5.0 to 7.7.0, see [Varnish 7.6.0 upgrade guide](https://varnish-cache.org/docs/7.6/whats-new/upgrading-7.6.html) and
-[Varnish 7.7.0 upgrade guide](https://varnish-cache.org/docs/7.7/whats-new/upgrading-7.7.html#whatsnew-upgrading-7-7).
-
 - `asusd` has been upgraded to version 6 which supports multiple aura devices. To account for this, the single `auraConfig` configuration option has been replaced with `auraConfigs` which is an attribute set of config options per each device. The config files may also be now specified as either source files or text strings; to account for this you will need to specify that `text` is used for your existing configs, e.g.:
  ```diff
  -services.asusd.asusdConfig = '''file contents'''
@@ -294,21 +294,13 @@

 - `linuxPackages.nvidiaPackages.stable` now defaults to the `production` variant instead of `latest`.

- `paperless-ngx` has been updated to minor version 2.15 which switched the web server from Gunicorn to Granian. If you set Gunicorn specific envs (usually contain GUNICORN) they must be updated. Also `services.paperless.address` no longer accepts a domain name and Granian also does not support listening on unix domain sockets.
-
- `timescaledb` requires manual upgrade steps.
-    After you run ALTER EXTENSION, you must run [this SQL script](https://github.com/timescale/timescaledb-extras/blob/master/utils/2.15.X-fix_hypertable_foreign_keys.sql). For more details, see the following pull requests [#6797](https://github.com/timescale/timescaledb/pull/6797).
-    PostgreSQL 13 is no longer supported in TimescaleDB v2.16.
+- `services.paperless.address` no longer accepts a domain name or Unix domain socket.

 - `networking.wireguard.enable = true` does not always add `wireguard-tools` to system packages anymore. Only when wireguard interfaces are configured, the backing implementation packages are added to system PATH.

 - `virtualisation/azure-common.nix`'s filesystem and grub configurations have been moved to `virtualisation/azure-image.nix`. This makes `azure-common.nix` more generic so it could be used for users who generate Azure image using other methods (e.g. nixos-generators and disko). For existing users depending on these configurations, please also import `azure-image.nix`.

- `zammad` has had its support for MySQL removed, since it was never working correctly and is now deprecated upstream. Check the [migration guide](https://docs.zammad.org/en/latest/appendix/migrate-to-postgresql.html) for how to convert your database to PostgreSQL.
-
- `tauon` 7.9.0+ when launched for the first time, migrates its database to a new schema that is not backwards compatible. Older versions will refuse to start at all with that database afterwards. If you need to still use older tauon versions, make sure to back up `~/.local/share/TauonMusicBox`.
-
- `aws-workspaces` has dropped support for PCoiP networking.
+- `services.signald` has been removed as `signald` is unmaintained upstream and has been incompatible to official Signal servers for a long while.

 - The `earlyoom` service is now using upstream systemd service, which enables
  hardening and filesystem isolation by default. If you need filesystem write
@@ -329,58 +321,18 @@

 - `services.bird2` has been renamed to `services.bird` and the default bird package has been switched to `bird3`. `bird2` can still be chosen via the `services.bird.package` option.

- `renovate` was updated to v39. See the [upstream release notes](https://docs.renovatebot.com/release-notes-for-major-versions/#version-39) for breaking changes.
-  Like upstream's docker images, renovate now runs on NodeJS 22.
-
 - The behavior of the `networking.nat.externalIP` and `networking.nat.externalIPv6` options has been changed. `networking.nat.forwardPorts` now only forwards packets destined for the specified IP addresses.

+- `gitlab` has been updated from 17.x to 18.x and requires `postgresql` >= 16, as stated in the [documentation](https://docs.gitlab.com/18.0/install/requirements/#postgresql). Check the [upgrade guide](#module-services-postgres-upgrading) in the NixOS manual on how to upgrade your PostgreSQL installation.
+
 - `services.gitlab` now requires the setting of `activeRecordPrimaryKeyFile`, `activeRecordDeterministicKeyFile`, `activeRecordSaltFile` as GitLab introduced Rails ActiveRecord encryption.

- `python3Packages.bpycv` has been removed due to being incompatible with Blender 4 and unmaintained.
-
- `python3Packages.jaeger-client` was removed because it was deprecated upstream. [OpenTelemetry](https://opentelemetry.io) is the recommended replacement.
-
- `rocmPackages_6` has been updated to ROCm 6.3.
-
- `rocmPackages_5` has been removed.
-
- `rocmPackages.rocm-thunk` has been removed and its functionality has been integrated with the ROCm CLR. Use `rocmPackages.clr` instead.
-
- `rocmPackages.clang-ocl` has been removed. [It was deprecated by AMD in 2023.](https://github.com/ROCm/clang-ocl)
-
- `nodePackages.meshcommander` has been removed, as the package was deprecated by Intel.
-
- The default version of `z3` has been updated from 4.8 to 4.13. There are still a few packages that need specific older versions; those will continue to be maintained as long as other packages depend on them but may be removed in the future.
-
- `prometheus` has been updated from 2.55.0 to 3.1.0.
-  Read the [release blog post](https://prometheus.io/blog/2024/11/14/prometheus-3-0/) and
-  [migration guide](https://prometheus.io/docs/prometheus/3.1/migration/).
-
 - The Mattermost module ([`services.mattermost`](#opt-services.mattermost.enable)) and packages (`mattermost` and `mmctl`) have been substantially updated:
  - `services.mattermost.listenAddress` has been split into [](#opt-services.mattermost.host) and [](#opt-services.mattermost.port). If your `listenAddress` contained a port, you will need to edit your configuration. This will be the only truly breaking change in this release for most configurations.
  - [](#opt-services.mattermost.preferNixConfig) now defaults to true if you advance [](#opt-system.stateVersion) to 25.05. This means that if you have [](#opt-services.mattermost.mutableConfig) set, NixOS will override settings set in the Admin Console to those that you define in the module configuration. It is recommended to leave this at the default, even if you used a fully mutable configuration before, because it will ensure that your Mattermost data directories are correct. If you moved your data directories, you may want to review the module changes before upgrading.
  - Mattermost now supports peer authentication on both MySQL and Postgres database backends. Updating [](#opt-system.stateVersion) to 25.05 or later will result in peer authentication being used by default if the Mattermost server would otherwise be connecting to localhost. This is the recommended configuration.
  - Note that the Mattermost module will create an account _without_ a well-known UID if the username differs from the default (`mattermost`). If you used Mattermost with a nonstandard username, you may want to review the module changes before upgrading.

- `kanata` was updated to v1.8.0, which introduces several breaking changes.
-  See the release notes of
-  [v1.7.0](https://github.com/jtroo/kanata/releases/tag/v1.7.0) and
-  [v1.8.0](https://github.com/jtroo/kanata/releases/tag/v1.8.0)
-  for more information.
-
- `authelia` version 4.39.0 has made changes on the default claims for ID Tokens, to mirror the standard claims from the specification.
-  This change may affect some clients in unexpected ways, so manual intervention may be required.
-  Read the [release notes](https://www.authelia.com/blog/4.39-release-notes/), along with [the guide](https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter) to work around issues that may be encountered.
-
- `ags` was updated to v2, which is just a CLI for Astal now. Components are available as a different package set `astal.*`.
-  If you want to use v1, it is available as `ags_1` package.
-
-  See the release notes of
-  [v2.0.0](https://github.com/Aylur/ags/releases/tag/v2.0.0)
-  for more information.
-
- `nodePackages.expo-cli` has been removed, as it was deprecated by upstream. The suggested replacement is the `npx expo` command.
-
 - DokuWiki with the Caddy webserver (`services.dokuwiki.webserver = "caddy"`) now sets up sites with Caddy's automatic HTTPS instead of HTTP-only.
  To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`.
  If you set custom Caddy options for a DokuWiki site, migrate these options by removing `http://` from `services.caddy.virtualHosts."http://example.com"`.
@@ -389,21 +341,10 @@
  Given a site example.com, http://example.com now 301 redirects to https://example.com.
  To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`.

- `slskd` has been updated to v0.22.3, which includes breaking changes to `script` integrations. Please review the [changelog](https://github.com/slskd/slskd/releases/tag/0.22.3)
-  and the accompanying [pull request](https://github.com/slskd/slskd/pull/1292).
-
- `forgejo` and `forgejo-lts` have been updated to v11.
-  See upstreams [release blog post](https://forgejo.org/2025-04-release-v11-0/) for more information.
-
- `unifi` has been updated to v9.1.
-  This version should be backward compatible with v8.x, however as a result, `unifi8` package has been removed.
-
 - The behavior of `services.hostapd.radios.<name>.networks.<name>.authentication.enableRecommendedPairwiseCiphers` was changed to not include `CCMP-256` anymore.
  Since all configured pairwise ciphers have to be supported by the radio, this caused startup failures on many devices which is hard to debug in hostapd.

- The `conduwuit` matrix server implementation has officially been discontinued by upstream and the package has thus been marked as vulnerable, as it is a security-sensitive package that has reached EOL.
-
- `gkraken` software and `hardware.gkraken.enable` option have been removed, use `coolercontrol` via `programs.coolercontrol.enable` option instead.
+- The `hardware.gkraken` module has been removed. The recommended alternative is [`programs.coolercontrol`](#opt-programs.coolercontrol.enable).

 - To avoid delaying user logins unnecessarily the `multi-user.target` is no longer ordered after `network-online.target`.
  System services requiring a connection to start correctly must explicitly state so, i.e.
@@ -434,7 +375,7 @@
  Names are now known at evaluation time and customizable via the new options `image.baseName`, `image.extension`, `image.fileName` and `image.filePath` with the latter returning a path relative to the derivations out path (e.g. `iso/${image.fileName` for iso images).

  | `system.build` Option    | Old Filename                                               | New Filename                                                    |
-  |--------------------------+------------------------------------------------------------+-----------------------------------------------------------------|
+  | ------------------------ | ---------------------------------------------------------- | ----------------------------------------------------------------|
  | amazonImage              | nixos-amazon-image-25.05pre-git-x86_64-linux.vhd           | nixos-image-amazon-25.05pre-git-x86_64-linux.vhd                |
  | azureImage               | disk.vhd                                                   | nixos-image-azure-25.05pre-git-x86_64-linux.vhd                 |
  | digitalOceanImage        | nixos.qcow2.gz                                             | nixos-image-digital-ocean-25.05pre-git-x86_64-linux.qcow2.gz    |
@@ -457,10 +398,10 @@

 - `security.apparmor.policies.<name>.enforce` and `security.apparmor.policies.<name>.enable` were removed.
  Configuring the state of apparmor policies must now be done using `security.apparmor.policies.<name>.state` tristate option.
+
 - `services.graylog.package` now defaults to `graylog-6_0` as previous default `graylog-5_1` is EOL and therefore removed.
  Check the migration guides on [5.1→5.2](https://go2docs.graylog.org/5-2/upgrading_graylog/upgrading_to_graylog_5.2.x.htm) and [5.2→6.0](https://go2docs.graylog.org/6-0/upgrading_graylog/upgrading_to_graylog_6.0.x.html) for breaking changes.

-
 - `programs.clash-verge.tunMode` was deprecated and removed because now service mode is necessary to start program. Without `programs.clash-verge.enable`, clash-verge-rev will refuse to start.
 - `services.discourse` now requires PostgreSQL 15 per default. Please update before upgrading.

@@ -499,6 +440,8 @@

 - PAM services for `i3lock`/`i3lock-color`, `vlock`, `xlock`, and `xscreensaver` now default to disabled unless other corresponding NixOS options are set (`programs.i3lock.enable`, `console.enable`, `services.xserver.enable`, and `services.xscreensaver.enable`, respectively). If for some reason you want one of them back without setting the corresponding option, set, e.g., `security.pam.services.xlock.enable = true`.

+- The `nixos-generate-config` command now supports a optional `--flake` option, which will generate a flake.nix file alongside the `configuration.nix` and `hardware-configuration.nix`, providing an easy introduction into flake-based system configurations.
+
 - [`system.stateVersion`](#opt-system.stateVersion) is now validated and must be in the `"YY.MM"` format, ideally corresponding to a prior NixOS release.

 - [`hardware.xone`](options.html#opt-hardware.xone.enable) will also enable [`hardware.xpad-noone`](options.html#opt-hardware.xpad-noone.enable) to provide Xbox 360 driver by default.
@@ -542,21 +485,15 @@

 - `networking.wireguard` now has an optional networkd backend. It is enabled by default when `networking.useNetworkd` is enabled, and it can be enabled alongside scripted networking with `networking.wireguard.useNetworkd`. Some `networking.wireguard` options have slightly different behavior with the networkd and script-based backends, documented in each option.

- The `stackclashprotection` hardening flag has been enabled by default on compilers that support it.
-
 - `services.rss-bridge` now has a `package` option as well as support for `caddy` as reverse proxy.

 - `services.avahi.ipv6` now defaults to true.

- A new hardening flag, `nostrictaliasing` was made available, corresponding to the gcc/clang option `-fno-strict-aliasing`.
-
 - In the `services.xserver.displayManager.startx` module, two new options [generateScript](#opt-services.xserver.displayManager.startx.generateScript) and [extraCommands](#opt-services.xserver.displayManager.startx.extraCommands) have been added to to declaratively configure the .xinitrc script.

 - All services that require a root certificate bundle now use the value of a new read-only option, `security.pki.caBundle`.

- hddfancontrol has been updated to major release 2. See the [migration guide](https://github.com/desbma/hddfancontrol/tree/master?tab=readme-ov-file#migrating-from-v1x), as there are breaking changes. The settings options have been modified to use an attrset, enabling configurations with multiple instances of the daemon running at once, eg, for two separate drive bays.
-
- `nextcloud-news-updater` is unmaintained and was removed from nixpkgs.
+- [`services.hddfancontrol`](#opt-services.hddfancontrol.enable) has been modified to use an attribute set for settings, enabling configurations with multiple instances of the daemon running at once (e.g., for two separate drive bays).

 - `services.cloudflared` now uses a dynamic user, and its `user` and `group` options have been removed. If the user or group is still necessary, they can be created manually.

@@ -580,68 +517,26 @@

 - There is a new set of NixOS test tools for testing virtual Wi-Fi networks in many different topologies. See the {option}`services.vwifi` module, {option}`services.kismet` NixOS test, and [manual](https://nixos.org/manual/nixpkgs/unstable/#sec-nixos-test-wifi) for documentation and examples.

- The paperless module now has an option for regular automatic export of
-  documents data using the integrated document exporter.
+- The paperless module now has an option for regular automatic export of documents data using the integrated document exporter.
+
+- Exposed the `paperless-manage` script package via the `services.paperless.manage` read-only option.

 - New options for the declarative configuration of the user space part of ALSA have been introduced under [hardware.alsa](options.html#opt-hardware.alsa.enable), including setting the default capture and playback device, defining sound card aliases and volume controls.
  Note: these are intended for users not running a sound server like PulseAudio or PipeWire, but having ALSA as their only sound system.

 - `services.k3s` now provides the `autoDeployCharts` option that allows to automatically deploy Helm charts via the k3s Helm controller.

- Caddy can now be built with plugins by using `caddy.withPlugins`, a `passthru` function that accepts an attribute set as a parameter. The `plugins` argument represents a list of Caddy plugins, with each Caddy plugin being a versioned module. The `hash` argument represents the `vendorHash` of the resulting Caddy source code with the plugins added.
-
-  Example:
-  ```nix
-  services.caddy = {
-    enable = true;
-    package = pkgs.caddy.withPlugins {
-      plugins = [
-        # tagged upstream
-        "github.com/caddy-dns/powerdns@v1.0.1"
-        # pseudo-version number generated by Go
-        "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"
-        "github.com/mholt/caddy-webdav@v0.0.0-20241008162340-42168ba04c9d"
-      ];
-      hash = "sha256-wqXSd1Ep9TVpQi570TTb96LwzNYvWL5EBJXMJfYWCAk=";
-    };
-  };
-  ```
-
-  To get the necessary hash of the vendored dependencies, omit `hash`. The build will fail and tell you the correct value.
-
-  Note that all provided plugins must have versions/tags (string after `@`), even if upstream repo does not tag each release. For untagged plugins, you can either create an empty Go project and run `go get <plugin>` and see changes in `go.mod` to get the pseudo-version number, or provide a commit hash in place of version/tag for the first run, and update the plugin string based on the error output.
-
- `buildGoModule` now supports a self-referencing `finalAttrs:` parameter
-  containing the final arguments including overrides.
-  This allows packaging configuration to be overridden in a consistent manner by
-  providing an alternative to `rec {}` syntax.
-
 - [Mattermost](#opt-services.mattermost.enable), a self-hosted chat collaboration platform supporting calls, playbooks, and boards, has been updated. It now has multiple versions, disabled telemetry, and a native frontend build in nixpkgs, removing all upstream prebuilt blobs.
-  - A new `pkgs.mattermost.buildPlugin` function has been added, which allows plugins to be built from source, including webapp frontends with a supported package-lock.json. See the Mattermost NixOS test and [manual](https://nixos.org/manual/nixpkgs/unstable/#sec-mattermost-plugins-build) for an example.
  - Mattermost telemetry reporting is now disabled by default, though security update notifications are enabled. Look at [`services.mattermost.telemetry`](#opt-services.mattermost.telemetry.enableDiagnostics) for options to control this behavior.
-  - The Mattermost frontend is now built from source and can be overridden. Note that the Mattermost derivation containing both the webapp and server is now wrapped to allow them to be built independently, so overrides to both webapp and server look like `mattermost.overrideAttrs (prev: { webapp = prev.webapp.override { ... }; server = prev.server.override { ... }; })` now.
-  - `pkgs.mattermost` has been updated from 9.11 to 10.5 to track the latest extended support release, since 9.11 will become end-of-life during the lifetime of NixOS 25.05.
-  - `pkgs.mattermostLatest` is now an option to track the latest (non-prerelease) Mattermost release. We test upgrade migrations from ESR releases (`pkgs.mattermost`) to `pkgs.mattermostLatest`.
  - The Mattermost module will produce eval warnings if a database password would end up in the Nix store, and recommend alternatives such as peer authentication or using the environment file.
  - We now support `mmctl` for Mattermost administration if both [](#opt-services.mattermost.socket.enable) and [](#opt-services.mattermost.socket.export) are set, which export the Mattermost control socket path into the system environment.

- KDE Partition Manager `partitionmanager`'s support for ReiserFS is removed.
-  ReiserFS has not been actively maintained for many years. It has been marked as obsolete since Linux 6.6, and
-  [is removed](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c01f664e4ca210823b7594b50669bbd9b0a3c3b0)
-  in Linux 6.13.
-
 - `services.geoclue2` now uses [beaconDB](https://beacondb.net/) as a default geolocation service, replacing Mozilla Location Services which was [retired in June 2024](https://github.com/mozilla/ichnaea/issues/2065).

- `authelia` version 4.39.0 has made some changes which deprecate older configurations.
-  They are still expected to be working until future version 5.0.0, but will generate warnings in logs.
-  Read the [release notes](https://www.authelia.com/blog/4.39-release-notes/) for human readable summaries of the changes.
+- `security.acme` now supports renewal using CSRs (Certificate Signing Request) through the options `security.acme.*.csr` and `security.acme.*.csrKey`.

 - `programs.fzf.keybindings` now supports the fish shell.

- `gerbera` now has wavpack support.
-
- `octave` (and `octaveFull`) was updated to version `10.x`. The update broke a few `octavePackages`, and `librsb`. See [the PR's commits](https://github.com/NixOS/nixpkgs/pull/394495/commits) for more details.
-
 - A toggle has been added under `users.users.<name>.enable` to allow toggling individual users conditionally. If set to false, the user account will not be created.

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -10,7 +10,7 @@

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- Create the first release note entry in this section!
+- [gtklock](https://github.com/jovanlanik/gtklock), a GTK-based lockscreen for Wayland. Available as [programs.gtklock](#opt-programs.gtklock.enable).

 ## Backward Incompatibilities {#sec-release-25.11-incompatibilities}

--- a/nixos/maintainers/scripts/ec2/amazon-image.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-image.nix
@@ -83,7 +83,7 @@ in

  # Use a priority just below mkOptionDefault (1500) instead of lib.mkDefault
  # to avoid breaking existing configs using that.
-  config.virtualisation.diskSize = lib.mkOverride 1490 (3 * 1024);
+  config.virtualisation.diskSize = lib.mkOverride 1490 (4 * 1024);
  config.virtualisation.diskSizeAutoSupported = !config.ec2.zfs.enable;

  config.system.nixos.tags = [ "amazon" ];
@@ -140,7 +140,7 @@ in
           echo "file ${cfg.format} $rootDisk" >> $out/nix-support/hydra-build-products

          ${pkgs.jq}/bin/jq -n \
-            --arg system_label ${lib.escapeShellArg config.system.nixos.label} \
+            --arg system_version ${lib.escapeShellArg config.system.nixos.version} \
            --arg system ${lib.escapeShellArg pkgs.stdenv.hostPlatform.system} \
            --arg root_logical_bytes "$(${pkgs.qemu_kvm}/bin/qemu-img info --output json "$rootDisk" | ${pkgs.jq}/bin/jq '."virtual-size"')" \
            --arg boot_logical_bytes "$(${pkgs.qemu_kvm}/bin/qemu-img info --output json "$bootDisk" | ${pkgs.jq}/bin/jq '."virtual-size"')" \
@@ -148,7 +148,7 @@ in
            --arg root "$rootDisk" \
            --arg boot "$bootDisk" \
           '{}
-             | .label = $system_label
+             | .label = $system_version
             | .boot_mode = $boot_mode
             | .system = $system
             | .disks.boot.logical_bytes = $boot_logical_bytes
@@ -181,13 +181,13 @@ in
           echo "file ${cfg.format} $diskImage" >> $out/nix-support/hydra-build-products

          ${pkgs.jq}/bin/jq -n \
-            --arg system_label ${lib.escapeShellArg config.system.nixos.label} \
+            --arg system_version ${lib.escapeShellArg config.system.nixos.version} \
            --arg system ${lib.escapeShellArg pkgs.stdenv.hostPlatform.system} \
            --arg logical_bytes "$(${pkgs.qemu_kvm}/bin/qemu-img info --output json "$diskImage" | ${pkgs.jq}/bin/jq '."virtual-size"')" \
            --arg boot_mode "${amiBootMode}" \
            --arg file "$diskImage" \
             '{}
-             | .label = $system_label
+             | .label = $system_version
             | .boot_mode = $boot_mode
             | .system = $system
             | .logical_bytes = $logical_bytes
--- a/nixos/modules/config/i18n.nix
+++ b/nixos/modules/config/i18n.nix
@@ -5,15 +5,21 @@
  ...
 }:
 let
+  sanitizeUTF8Capitalization =
+    lang: (lib.replaceStrings [ "utf8" "utf-8" "UTF8" ] [ "UTF-8" "UTF-8" "UTF-8" ] lang);
  aggregatedLocales =
-    (builtins.map
-      (l: (lib.replaceStrings [ "utf8" "utf-8" "UTF8" ] [ "UTF-8" "UTF-8" "UTF-8" ] l) + "/UTF-8")
-      (
-        [ config.i18n.defaultLocale ]
-        ++ (lib.optionals (builtins.isList config.i18n.extraLocales) config.i18n.extraLocales)
-        ++ (lib.attrValues (lib.filterAttrs (n: v: n != "LANGUAGE") config.i18n.extraLocaleSettings))
-      )
-    )
+    [
+      "${config.i18n.defaultLocale}/${config.i18n.defaultCharset}"
+    ]
+    ++ lib.pipe config.i18n.extraLocaleSettings [
+      # See description of extraLocaleSettings for why is this ignored here.
+      (lib.filterAttrs (n: v: n != "LANGUAGE"))
+      (lib.mapAttrs (n: v: (sanitizeUTF8Capitalization v)))
+      (lib.mapAttrsToList (LCRole: lang: lang + "/" + (config.i18n.localeCharsets.${LCRole} or "UTF-8")))
+    ]
+    ++ (builtins.map sanitizeUTF8Capitalization (
+      lib.optionals (builtins.isList config.i18n.extraLocales) config.i18n.extraLocales
+    ))
    ++ (lib.optional (builtins.isString config.i18n.extraLocales) config.i18n.extraLocales);
 in
 {
@@ -48,16 +54,24 @@ in
        default = "en_US.UTF-8";
        example = "nl_NL.UTF-8";
        description = ''
-          The default locale.  It determines the language for program
-          messages, the format for dates and times, sort order, and so on.
-          It also determines the character set, such as UTF-8.
+          The default locale. It determines the language for program messages,
+          the format for dates and times, sort order, and so on. Setting the
+          default character set is done via {option}`i18n.defaultCharset`.
+        '';
+      };
+      defaultCharset = lib.mkOption {
+        type = lib.types.str;
+        default = "UTF-8";
+        example = "ISO-8859-8";
+        description = ''
+          The default locale character set.
        '';
      };

      extraLocales = lib.mkOption {
        type = lib.types.either (lib.types.listOf lib.types.str) (lib.types.enum [ "all" ]);
        default = [ ];
-        example = [ "nl_NL.UTF-8" ];
+        example = [ "nl_NL.UTF-8/UTF-8" ];
        description = ''
          Additional locales that the system should support, besides the ones
          configured with {option}`i18n.defaultLocale` and
@@ -74,9 +88,30 @@ in
          LC_TIME = "de_DE.UTF-8";
        };
        description = ''
-          A set of additional system-wide locale settings other than
-          `LANG` which can be configured with
-          {option}`i18n.defaultLocale`.
+          A set of additional system-wide locale settings other than `LANG`
+          which can be configured with {option}`i18n.defaultLocale`. Note that
+          the `/UTF-8` suffix used in {option}`i18n.extraLocales` indicates a
+          character set, and it must not be added manually here. To use a
+          non-`UTF-8` character set such as ISO-XXXX-8, the
+          {option}`i18n.localeCharsets` can be used.
+
+          Note that if the [`LANGUAGE`
+          key](https://www.gnu.org/software/gettext/manual/html_node/The-LANGUAGE-variable.html)
+          is used in this option, it is ignored when computing the locales
+          required to be installed, because the possible values of this key are
+          more diverse and flexible then the others.
+        '';
+      };
+      localeCharsets = lib.mkOption {
+        type = lib.types.attrsOf lib.types.str;
+        default = { };
+        example = {
+          LC_MESSAGES = "ISO-8859-15";
+          LC_TIME = "ISO-8859-1";
+        };
+        description = ''
+          Per each {option}`i18n.extraLocaleSettings`, choose the character set
+          to use for it. Essentially defaults to UTF-8 for all of them.
        '';
      };

--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -331,6 +331,7 @@
  ./programs/vivid.nix
  ./programs/wavemon.nix
  ./programs/wayland/cardboard.nix
+  ./programs/wayland/gtklock.nix
  ./programs/wayland/hyprland.nix
  ./programs/wayland/hyprlock.nix
  ./programs/wayland/labwc.nix
@@ -603,7 +604,6 @@
  ./services/games/archisteamfarm.nix
  ./services/games/armagetronad.nix
  ./services/games/crossfire-server.nix
-  ./services/games/deliantra-server.nix
  ./services/games/factorio.nix
  ./services/games/freeciv.nix
  ./services/games/mchprs.nix
@@ -752,6 +752,7 @@
  ./services/matrix/appservice-discord.nix
  ./services/matrix/appservice-irc.nix
  ./services/matrix/conduit.nix
+  ./services/matrix/continuwuity.nix
  ./services/matrix/dendrite.nix
  ./services/matrix/hebbot.nix
  ./services/matrix/hookshot.nix
@@ -903,7 +904,6 @@
  ./services/misc/servarr/whisparr.nix
  ./services/misc/serviio.nix
  ./services/misc/sickbeard.nix
-  ./services/misc/signald.nix
  ./services/misc/siproxd.nix
  ./services/misc/snapper.nix
  ./services/misc/soft-serve.nix
--- a/nixos/modules/profiles/nix-builder-vm.nix
+++ b/nixos/modules/profiles/nix-builder-vm.nix
@@ -126,6 +126,20 @@ in
    # TODO system.switch.enable = false;?
    system.disableInstallerTools = true;

+    # Allow the system derivation to be substituted, so that
+    # users are less likely to run into a state where they need
+    # the builder running to build the builder if they just want
+    # to make a tweak that only affects the macOS side of things,
+    # like changing the QEMU args.
+    #
+    # TODO(winter): Move to qemu-vm? Trying it here for now as a
+    # low impact change that'll probably improve people's experience.
+    #
+    # (I have no clue what is going on in https://github.com/nix-darwin/nix-darwin/issues/1081
+    # though, as this fix would only apply to one person in that thread... hopefully someone
+    # comes across with a reproducer if this doesn't do it.)
+    system.systemBuilderArgs.allowSubstitutes = true;
+
    nix.settings = {
      min-free = cfg.min-free;

--- a/nixos/modules/programs/foot/zshrc
+++ b/nixos/modules/programs/foot/zshrc
@@ -8,7 +8,6 @@ function osc7-pwd() {
 function chpwd-osc7-pwd() {
    (( ZSH_SUBSHELL )) || osc7-pwd
 }
-add-zsh-hook -Uz chpwd chpwd-osc7-pwd

 precmd() {
    print -Pn "\e]133;A\e\\"
@@ -23,3 +22,6 @@ function precmd {
 function preexec {
    print -n "\e]133;C\e\\"
 }
+
+autoload -U add-zsh-hook
+add-zsh-hook -Uz chpwd chpwd-osc7-pwd
--- a/nixos/modules/programs/wayland/gtklock.nix
+++ b/nixos/modules/programs/wayland/gtklock.nix
@@ -0,0 +1,78 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.programs.gtklock;
+  configFormat = pkgs.formats.ini {
+    listToValue = builtins.concatStringsSep ";";
+  };
+
+  inherit (lib)
+    types
+    mkOption
+    mkEnableOption
+    mkPackageOption
+    ;
+in
+{
+  options.programs.gtklock = {
+    enable = mkEnableOption "gtklock, a GTK-based lockscreen for Wayland";
+
+    package = mkPackageOption pkgs "gtklock" { };
+
+    config = mkOption {
+      type = configFormat.type;
+      example = lib.literalExpression ''
+        {
+          main = {
+            idle-hide = true;
+            idle-timeout = 10;
+          };
+        }'';
+      description = ''
+        Configuration for gtklock.
+        See [`gtklock(1)`](https://github.com/jovanlanik/gtklock/blob/master/man/gtklock.1.scd) man page for details.
+      '';
+    };
+
+    style = mkOption {
+      type = with types; nullOr str;
+      default = null;
+      description = ''
+        CSS Stylesheet for gtklock.
+        See [gtklock's wiki](https://github.com/jovanlanik/gtklock/wiki#Styling) for details.
+      '';
+    };
+
+    modules = mkOption {
+      type = with types; listOf package;
+      default = [ ];
+      example = lib.literalExpression ''
+        with pkgs; [
+          gtklock-playerctl-module
+          gtklock-powerbar-module
+          gtklock-userinfo-module
+        ]'';
+      description = "gtklock modules to load.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    programs.gtklock.config.main = {
+      style = lib.mkIf (cfg.style != null) "${pkgs.writeText "style.css" cfg.style}";
+
+      modules = lib.mkIf (cfg.modules != [ ]) (
+        map (pkg: "${pkg}/lib/gtklock/${lib.removePrefix "gtklock-" pkg.pname}.so") cfg.modules
+      );
+    };
+
+    environment.etc."xdg/gtklock/config.ini".source = configFormat.generate "config.ini" cfg.config;
+
+    environment.systemPackages = [ cfg.package ];
+
+    security.pam.services.gtklock = { };
+  };
+}
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -318,6 +318,10 @@ in
      The conduwuit project has been discontinued by upstream.
      See https://github.com/NixOS/nixpkgs/pull/397902 for more information.
    '')
+    (mkRemovedOptionModule [ "services" "signald" ] ''
+      The signald project is unmaintained and has long been incompatible with the
+      official Signal servers.
+    '')

    # Do NOT add any option renames here, see top of the file
  ];
--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -236,13 +236,16 @@ let

      # Create hashes for cert data directories based on configuration
      # Flags are separated to avoid collisions
-      hashData = with builtins; ''
-        ${lib.concatStringsSep " " data.extraLegoFlags} -
-        ${lib.concatStringsSep " " data.extraLegoRunFlags} -
-        ${lib.concatStringsSep " " data.extraLegoRenewFlags} -
-        ${toString acmeServer} ${toString data.dnsProvider}
-        ${toString data.ocspMustStaple} ${data.keyType}
-      '';
+      hashData =
+        with builtins;
+        ''
+          ${lib.concatStringsSep " " data.extraLegoFlags} -
+          ${lib.concatStringsSep " " data.extraLegoRunFlags} -
+          ${lib.concatStringsSep " " data.extraLegoRenewFlags} -
+          ${toString acmeServer} ${toString data.dnsProvider}
+          ${toString data.ocspMustStaple} ${data.keyType}
+        ''
+        + (lib.optionalString (data.csr != null) (" - " + data.csr));
      certDir = mkHash hashData;
      # TODO remove domainHash usage entirely. Waiting on go-acme/lego#1532
      domainHash = mkHash "${lib.concatStringsSep " " extraDomains} ${data.domain}";
@@ -286,18 +289,24 @@ let
          "--accept-tos" # Checking the option is covered by the assertions
          "--path"
          "."
-          "-d"
-          data.domain
          "--email"
          data.email
-          "--key-type"
-          data.keyType
        ]
        ++ protocolOpts
        ++ lib.optionals (acmeServer != null) [
          "--server"
          acmeServer
        ]
+        ++ lib.optionals (data.csr != null) [
+          "--csr"
+          data.csr
+        ]
+        ++ lib.optionals (data.csr == null) [
+          "--key-type"
+          data.keyType
+          "-d"
+          data.domain
+        ]
        ++ lib.concatMap (name: [
          "-d"
          name
@@ -327,6 +336,8 @@ let
      webroots = lib.remove null (
        lib.unique (builtins.map (certAttrs: certAttrs.webroot) (lib.attrValues config.security.acme.certs))
      );
+
+      certificateKey = if data.csrKey != null then "${data.csrKey}" else "certificates/${keyName}.key";
    in
    {
      inherit accountHash cert selfsignedDeps;
@@ -529,7 +540,7 @@ let
          # Check if we can renew.
          # We can only renew if the list of domains has not changed.
          # We also need an account key. Avoids #190493
-          if cmp -s domainhash.txt certificates/domainhash.txt && [ -e 'certificates/${keyName}.key' ] && [ -e 'certificates/${keyName}.crt' ] && [ -n "$(find accounts -name '${data.email}.key')" ]; then
+          if cmp -s domainhash.txt certificates/domainhash.txt && [ -e '${certificateKey}' ] && [ -e 'certificates/${keyName}.crt' ] && [ -n "$(find accounts -name '${data.email}.key')" ]; then

            # Even if a cert is not expired, it may be revoked by the CA.
            # Try to renew, and silently fail if the cert is not expired.
@@ -564,7 +575,7 @@ let
            touch out/renewed
            echo Installing new certificate
            cp -vp 'certificates/${keyName}.crt' out/fullchain.pem
-            cp -vp 'certificates/${keyName}.key' out/key.pem
+            cp -vp '${certificateKey}' out/key.pem
            cp -vp 'certificates/${keyName}.issuer.crt' out/chain.pem
            ln -sf fullchain.pem out/cert.pem
            cat out/key.pem out/fullchain.pem > out/full.pem
@@ -845,6 +856,18 @@ let
          description = "Domain to fetch certificate for (defaults to the entry name).";
        };

+        csr = lib.mkOption {
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+          description = "Path to a certificate signing request to apply when fetching the certificate.";
+        };
+
+        csrKey = lib.mkOption {
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+          description = "Path to the private key to the matching certificate signing request.";
+        };
+
        extraDomainNames = lib.mkOption {
          type = lib.types.listOf lib.types.str;
          default = [ ];
@@ -1113,6 +1136,17 @@ in
                used for variables suffixed by "_FILE".
              '';
            }
+
+            {
+              assertion = lib.all (
+                certOpts:
+                (certOpts.csr == null && certOpts.csrKey == null)
+                || (certOpts.csr != null && certOpts.csrKey != null)
+              ) certs;
+              message = ''
+                When passing a certificate signing request both `security.acme.certs.${cert}.csr` and `security.acme.certs.${cert}.csrKey` need to be set.
+              '';
+            }
          ]) cfg.certs
        ));

--- a/nixos/modules/security/tpm2.nix
+++ b/nixos/modules/security/tpm2.nix
@@ -75,8 +75,8 @@ in
      package = lib.mkOption {
        description = "tpm2-pkcs11 package to use";
        type = lib.types.package;
-        default = pkgs.tpm2-pkcs11;
-        defaultText = lib.literalExpression "pkgs.tpm2-pkcs11";
+        default = if cfg.abrmd.enable then pkgs.tpm2-pkcs11.abrmd else pkgs.tpm2-pkcs11;
+        defaultText = lib.literalExpression "if config.security.tpm2.abrmd.enable then pkgs.tpm2-pkcs11.abrmd else pkgs.tpm2-pkcs11";
      };
    };

--- a/nixos/modules/services/accessibility/orca.nix
+++ b/nixos/modules/services/accessibility/orca.nix
@@ -20,6 +20,7 @@ in

  config = mkIf cfg.enable {
    environment.systemPackages = [ cfg.package ];
+    systemd.services.display-manager.path = [ cfg.package ];
    services.speechd.enable = true;
  };
 }
--- a/nixos/modules/services/audio/spotifyd.nix
+++ b/nixos/modules/services/audio/spotifyd.nix
@@ -28,7 +28,7 @@ in
        type = lib.types.lines;
        description = ''
          (Deprecated) Configuration for Spotifyd. For syntax and directives, see
-          <https://docs.spotifyd.rs/config/File.html>.
+          <https://docs.spotifyd.rs/configuration/index.html#config-file>.
        '';
      };

@@ -40,7 +40,7 @@ in
        };
        description = ''
          Configuration for Spotifyd. For syntax and directives, see
-          <https://docs.spotifyd.rs/config/File.html>.
+          <https://docs.spotifyd.rs/configuration/index.html#config-file>.
        '';
      };
    };
--- a/nixos/modules/services/games/deliantra-server.nix
+++ b/nixos/modules/services/games/deliantra-server.nix
@@ -1,182 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  cfg = config.services.deliantra-server;
-  serverPort = 13327;
-in
-{
-  options.services.deliantra-server = {
-    enable = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-      description = ''
-        If enabled, the Deliantra game server will be started at boot.
-      '';
-    };
-
-    package = lib.mkPackageOption pkgs "deliantra-server" {
-      extraDescription = ''
-        ::: {.note}
-        This will also be used for map/arch data, if you don't change {option}`dataDir`
-        :::
-      '';
-    };
-
-    dataDir = lib.mkOption {
-      type = lib.types.str;
-      default = "${pkgs.deliantra-data}";
-      defaultText = lib.literalExpression ''"''${pkgs.deliantra-data}"'';
-      description = ''
-        Where to store readonly data (maps, archetypes, sprites, etc).
-        Note that if you plan to use the live map editor (rather than editing
-        the maps offline and then nixos-rebuilding), THIS MUST BE WRITEABLE --
-        copy the deliantra-data someplace writeable (say,
-        /var/lib/deliantra/data) and update this option accordingly.
-      '';
-    };
-
-    stateDir = lib.mkOption {
-      type = lib.types.str;
-      default = "/var/lib/deliantra";
-      description = ''
-        Where to store runtime data (save files, persistent items, etc).
-
-        If left at the default, this will be automatically created on server
-        startup if it does not already exist. If changed, it is the admin's
-        responsibility to make sure that the directory exists and is writeable
-        by the `crossfire` user.
-      '';
-    };
-
-    openFirewall = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-      description = ''
-        Whether to open ports in the firewall for the server.
-      '';
-    };
-
-    configFiles = lib.mkOption {
-      type = lib.types.attrsOf lib.types.str;
-      description = ''
-        Contents of the server configuration files. These will be appended to
-        the example configurations the server comes with and overwrite any
-        default settings defined therein.
-
-        The example here is not comprehensive. See the files in
-        /etc/deliantra-server after enabling this module for full documentation.
-      '';
-      example = lib.literalExpression ''
-        {
-          dm_file = '''
-            admin:secret_password:localhost
-            alice:xyzzy:*
-          ''';
-          motd = "Welcome to Deliantra!";
-          settings = '''
-            # Settings for game mechanics.
-            stat_loss_on_death true
-            armor_max_enchant 7
-          ''';
-          config = '''
-            # Settings for the server daemon.
-            hiscore_url https://deliantra.example.net/scores/
-            max_map_reset 86400
-          ''';
-        }
-      '';
-      default = {
-        motd = "";
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    users.users.deliantra = {
-      description = "Deliantra server daemon user";
-      home = cfg.stateDir;
-      createHome = false;
-      isSystemUser = true;
-      group = "deliantra";
-    };
-    users.groups.deliantra = { };
-
-    # Merge the cfg.configFiles setting with the default files shipped with
-    # Deliantra.
-    # For most files this consists of reading
-    # ${deliantra}/etc/deliantra-server/${name} and appending the user setting
-    # to it.
-    environment.etc =
-      lib.attrsets.mapAttrs'
-        (
-          name: value:
-          lib.attrsets.nameValuePair "deliantra-server/${name}" {
-            mode = "0644";
-            text =
-              # Deliantra doesn't come with a motd file, but respects it if present
-              # in /etc.
-              (lib.optionalString (name != "motd") (
-                lib.fileContents "${cfg.package}/etc/deliantra-server/${name}"
-              ))
-              + "\n${value}";
-          }
-        )
-        (
-          {
-            motd = "";
-            settings = "";
-            config = "";
-            dm_file = "";
-          }
-          // cfg.configFiles
-        );
-
-    systemd.services.deliantra-server = {
-      description = "Deliantra Server Daemon";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-
-      environment = {
-        DELIANTRA_DATADIR = "${cfg.dataDir}";
-        DELIANTRA_LOCALDIR = "${cfg.stateDir}";
-        DELIANTRA_CONFDIR = "/etc/deliantra-server";
-      };
-
-      serviceConfig = lib.mkMerge [
-        {
-          ExecStart = "${cfg.package}/bin/deliantra-server";
-          Restart = "always";
-          User = "deliantra";
-          Group = "deliantra";
-          WorkingDirectory = cfg.stateDir;
-        }
-        (lib.mkIf (cfg.stateDir == "/var/lib/deliantra") {
-          StateDirectory = "deliantra";
-        })
-      ];
-
-      # The deliantra server needs access to a bunch of files at runtime that
-      # are not created automatically at server startup; they're meant to be
-      # installed in $PREFIX/var/deliantra-server by `make install`. And those
-      # files need to be writeable, so we can't just point at the ones in the
-      # nix store. Instead we take the approach of copying them out of the store
-      # on first run. If `bookarch` already exists, we assume the rest of the
-      # files do as well, and copy nothing -- otherwise we risk ovewriting
-      # server state information every time the server is upgraded.
-      preStart = ''
-        if [ ! -e "${cfg.stateDir}"/bookarch ]; then
-          ${pkgs.rsync}/bin/rsync -a --chmod=u=rwX,go=rX \
-            "${cfg.package}/var/deliantra-server/" "${cfg.stateDir}/"
-        fi
-      '';
-    };
-
-    networking.firewall = lib.mkIf cfg.openFirewall {
-      allowedTCPPorts = [ serverPort ];
-    };
-  };
-}
--- a/nixos/modules/services/matrix/continuwuity.nix
+++ b/nixos/modules/services/matrix/continuwuity.nix
@@ -0,0 +1,268 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.matrix-continuwuity;
+  defaultUser = "continuwuity";
+  defaultGroup = "continuwuity";
+
+  format = pkgs.formats.toml { };
+  configFile = format.generate "continuwuity.toml" cfg.settings;
+in
+{
+  meta.maintainers = with lib.maintainers; [
+    nyabinary
+    snaki
+  ];
+  options.services.matrix-continuwuity = {
+    enable = lib.mkEnableOption "continuwuity";
+
+    user = lib.mkOption {
+      type = lib.types.nonEmptyStr;
+      description = ''
+        The user {command}`continuwuity` is run as.
+      '';
+      default = defaultUser;
+    };
+
+    group = lib.mkOption {
+      type = lib.types.nonEmptyStr;
+      description = ''
+        The group {command}`continuwuity` is run as.
+      '';
+      default = defaultGroup;
+    };
+
+    extraEnvironment = lib.mkOption {
+      type = lib.types.attrsOf lib.types.str;
+      description = "Extra Environment variables to pass to the continuwuity server.";
+      default = { };
+      example = {
+        RUST_BACKTRACE = "yes";
+      };
+    };
+
+    package = lib.mkPackageOption pkgs "matrix-continuwuity" { };
+
+    settings = lib.mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          global.server_name = lib.mkOption {
+            type = lib.types.nonEmptyStr;
+            example = "example.com";
+            description = "The server_name is the name of this server. It is used as a suffix for user and room ids.";
+          };
+          global.address = lib.mkOption {
+            type = lib.types.nullOr (lib.types.listOf lib.types.nonEmptyStr);
+            default = null;
+            example = [
+              "127.0.0.1"
+              "::1"
+            ];
+            description = ''
+              Addresses (IPv4 or IPv6) to listen on for connections by the reverse proxy/tls terminator.
+              If set to `null`, continuwuity will listen on IPv4 and IPv6 localhost.
+              Must be `null` if `unix_socket_path` is set.
+            '';
+          };
+          global.port = lib.mkOption {
+            type = lib.types.listOf lib.types.port;
+            default = [ 6167 ];
+            description = ''
+              The port(s) continuwuity will be running on.
+              You need to set up a reverse proxy in your web server (e.g. apache or nginx),
+              so all requests to /_matrix on port 443 and 8448 will be forwarded to the continuwuity
+              instance running on this port.
+            '';
+          };
+          global.unix_socket_path = lib.mkOption {
+            type = lib.types.nullOr lib.types.path;
+            default = null;
+            description = ''
+              Listen on a UNIX socket at the specified path. If listening on a UNIX socket,
+              listening on an address will be disabled. The `address` option must be set to
+              `null` (the default value). The option {option}`services.continuwuity.group` must
+              be set to a group your reverse proxy is part of.
+
+              This will automatically add a system user "continuwuity" to your system if
+              {option}`services.continuwuity.user` is left at the default, and a "continuwuity"
+              group if {option}`services.continuwuity.group` is left at the default.
+            '';
+          };
+          global.unix_socket_perms = lib.mkOption {
+            type = lib.types.ints.positive;
+            default = 660;
+            description = "The default permissions (in octal) to create the UNIX socket with.";
+          };
+          global.max_request_size = lib.mkOption {
+            type = lib.types.ints.positive;
+            default = 20000000;
+            description = "Max request size in bytes. Don't forget to also change it in the proxy.";
+          };
+          global.allow_registration = lib.mkOption {
+            type = lib.types.bool;
+            default = false;
+            description = ''
+              Whether new users can register on this server.
+
+              Registration with token requires `registration_token` or `registration_token_file` to be set.
+
+              If set to true without a token configured, and
+              `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
+              is set to true, users can freely register.
+            '';
+          };
+          global.allow_encryption = lib.mkOption {
+            type = lib.types.bool;
+            default = true;
+            description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work.";
+          };
+          global.allow_federation = lib.mkOption {
+            type = lib.types.bool;
+            default = true;
+            description = ''
+              Whether this server federates with other servers.
+            '';
+          };
+          global.trusted_servers = lib.mkOption {
+            type = lib.types.listOf lib.types.nonEmptyStr;
+            default = [ "matrix.org" ];
+            description = ''
+              Servers listed here will be used to gather public keys of other servers
+              (notary trusted key servers).
+
+              Currently, continuwuity doesn't support inbound batched key requests, so
+              this list should only contain other Synapse servers.
+
+              Example: `[ "matrix.org" "constellatory.net" "tchncs.de" ]`
+            '';
+          };
+          global.database_path = lib.mkOption {
+            readOnly = true;
+            type = lib.types.path;
+            default = "/var/lib/continuwuity/";
+            description = ''
+              Path to the continuwuity database, the directory where continuwuity will save its data.
+              Note that database_path cannot be edited because of the service's reliance on systemd StateDir.
+            '';
+          };
+          global.allow_announcements_check = lib.mkOption {
+            type = lib.types.bool;
+            default = true;
+            description = ''
+              If enabled, continuwuity will send a simple GET request periodically to
+              <https://continuwuity.org/.well-known/continuwuity/announcements> for any new announcements made.
+            '';
+          };
+        };
+      };
+      default = { };
+      # TOML does not allow null values, so we use null to omit those fields
+      apply = lib.filterAttrsRecursive (_: v: v != null);
+      description = ''
+        Generates the continuwuity.toml configuration file. Refer to
+        <https://continuwuity.org/configuration.html>
+        for details on supported values.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = !(cfg.settings ? global.unix_socket_path) || !(cfg.settings ? global.address);
+        message = ''
+          In `services.continuwuity.settings.global`, `unix_socket_path` and `address` cannot be set at the
+          same time.
+          Leave one of the two options unset or explicitly set them to `null`.
+        '';
+      }
+      {
+        assertion = cfg.user != defaultUser -> config ? users.users.${cfg.user};
+        message = "If `services.continuwuity.user` is changed, the configured user must already exist.";
+      }
+      {
+        assertion = cfg.group != defaultGroup -> config ? users.groups.${cfg.group};
+        message = "If `services.continuwuity.group` is changed, the configured group must already exist.";
+      }
+    ];
+
+    users.users = lib.mkIf (cfg.user == defaultUser) {
+      ${defaultUser} = {
+        group = cfg.group;
+        home = cfg.settings.global.database_path;
+        isSystemUser = true;
+      };
+    };
+
+    users.groups = lib.mkIf (cfg.group == defaultGroup) {
+      ${defaultGroup} = { };
+    };
+
+    systemd.services.continuwuity = {
+      description = "Continuwuity Matrix Server";
+      documentation = [ "https://continuwuity.org/" ];
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+      environment = lib.mkMerge [
+        { CONDUWUIT_CONFIG = configFile; }
+        cfg.extraEnvironment
+      ];
+      startLimitBurst = 5;
+      startLimitIntervalSec = 60;
+      serviceConfig = {
+        DynamicUser = true;
+        User = cfg.user;
+        Group = cfg.group;
+
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        PrivateIPC = true;
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service @resources"
+          "~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc"
+        ];
+        SystemCallErrorNumber = "EPERM";
+
+        StateDirectory = "continuwuity";
+        StateDirectoryMode = "0700";
+        RuntimeDirectory = "continuwuity";
+        RuntimeDirectoryMode = "0750";
+
+        ExecStart = lib.getExe cfg.package;
+        Restart = "on-failure";
+        RestartSec = 10;
+      };
+    };
+  };
+}
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -1237,8 +1237,8 @@ in
        message = "services.gitlab.secrets.activeRecordSaltFile must be set!";
      }
      {
-        assertion = versionAtLeast postgresqlPackage.version "14.9";
-        message = "PostgreSQL >= 14.9 is required to run GitLab 17. Follow the instructions in the manual section for upgrading PostgreSQL here: https://nixos.org/manual/nixos/stable/index.html#module-services-postgres-upgrading";
+        assertion = versionAtLeast postgresqlPackage.version "16";
+        message = "PostgreSQL >= 16 is required to run GitLab 18. Follow the instructions in the manual section for upgrading PostgreSQL here: https://nixos.org/manual/nixos/stable/index.html#module-services-postgres-upgrading";
      }
    ];

--- a/nixos/modules/services/misc/paperless.nix
+++ b/nixos/modules/services/misc/paperless.nix
@@ -366,11 +366,21 @@ in
        Whether to configure Tika and Gotenberg to process Office and e-mail files with OCR.
      '';
    };
+
+    manage = lib.mkOption {
+      type = lib.types.package;
+      readOnly = true;
+      description = ''
+        The package derivation for the `paperless-manage` wrapper script.
+        Useful for other modules that need to add this specific script to a service's PATH.
+      '';
+    };
  };

  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      {
+        services.paperless.manage = manage;
        environment.systemPackages = [ manage ];

        services.redis.servers.paperless.enable = lib.mkIf enableRedis true;
--- a/nixos/modules/services/misc/signald.nix
+++ b/nixos/modules/services/misc/signald.nix
@@ -1,116 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  cfg = config.services.signald;
-  dataDir = "/var/lib/signald";
-  defaultUser = "signald";
-in
-{
-  options.services.signald = {
-    enable = lib.mkEnableOption "signald, the unofficial daemon for interacting with Signal";
-
-    user = lib.mkOption {
-      type = lib.types.str;
-      default = defaultUser;
-      description = "User under which signald runs.";
-    };
-
-    group = lib.mkOption {
-      type = lib.types.str;
-      default = defaultUser;
-      description = "Group under which signald runs.";
-    };
-
-    socketPath = lib.mkOption {
-      type = lib.types.str;
-      default = "/run/signald/signald.sock";
-      description = "Path to the signald socket";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    users.users = lib.optionalAttrs (cfg.user == defaultUser) {
-      ${defaultUser} = {
-        group = cfg.group;
-        isSystemUser = true;
-      };
-    };
-
-    users.groups = lib.optionalAttrs (cfg.group == defaultUser) {
-      ${defaultUser} = { };
-    };
-
-    systemd.services.signald = {
-      description = "A daemon for interacting with the Signal Private Messenger";
-      wants = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-
-      serviceConfig = {
-        User = cfg.user;
-        Group = cfg.group;
-        ExecStart = "${pkgs.signald}/bin/signald -d ${dataDir} -s ${cfg.socketPath}";
-        ExecStartPre = "${pkgs.signald}/bin/signald -d ${dataDir} -s ${cfg.socketPath} --migrate-data";
-        Restart = "on-failure";
-        StateDirectory = "signald";
-        RuntimeDirectory = "signald";
-        StateDirectoryMode = "0750";
-        RuntimeDirectoryMode = "0750";
-
-        BindReadOnlyPaths = [
-          "/nix/store"
-          "-/etc/resolv.conf"
-          "-/etc/nsswitch.conf"
-          "-/etc/hosts"
-          "-/etc/localtime"
-        ];
-        CapabilityBoundingSet = "";
-        # ProtectClock= adds DeviceAllow=char-rtc r
-        DeviceAllow = "";
-        # Use a static user so other applications can access the files
-        #DynamicUser = true;
-        LockPersonality = true;
-        # Needed for java
-        #MemoryDenyWriteExecute = true;
-        NoNewPrivileges = true;
-        PrivateDevices = true;
-        PrivateMounts = true;
-        # Needs network access
-        #PrivateNetwork = true;
-        PrivateTmp = true;
-        PrivateUsers = true;
-        ProcSubset = "pid";
-        ProtectClock = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        # Would re-mount paths ignored by temporary root
-        #ProtectSystem = "strict";
-        ProtectControlGroups = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-          "AF_UNIX"
-        ];
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        SystemCallArchitectures = "native";
-        SystemCallFilter = [
-          "@system-service"
-          "~@privileged @resources @setuid @keyring"
-        ];
-        TemporaryFileSystem = "/:ro";
-        # Does not work well with the temporary root
-        #UMask = "0066";
-      };
-    };
-  };
-}
--- a/nixos/modules/services/misc/sourcehut/default.nix
+++ b/nixos/modules/services/misc/sourcehut/default.nix
@@ -97,13 +97,14 @@ let
                # Those paths are mounted using BindPaths= or BindReadOnlyPaths=
                # for services needing access to them.
                "builds.sr.ht::worker".buildlogs = "/var/log/sourcehut/buildsrht-worker";
-                "git.sr.ht".post-update-script = "/usr/bin/gitsrht-update-hook";
+                "git.sr.ht".post-update-script = "/usr/bin/git.sr.ht-update-hook";
                "git.sr.ht".repos = cfg.settings."git.sr.ht".repos;
-                "hg.sr.ht".changegroup-script = "/usr/bin/hgsrht-hook-changegroup";
+                "hg.sr.ht".changegroup-script = "/usr/bin/hg.sr.ht-hook-changegroup";
                "hg.sr.ht".repos = cfg.settings."hg.sr.ht".repos;
                # Making this a per service option despite being in a global section,
                # so that it uses the redis-server used by the service.
                "sr.ht".redis-host = cfg.${srv}.redis.host;
+                "sr.ht".assets = "${cfg.${srv}.package}/share/sourcehut";
              }
            )
        )
@@ -376,7 +377,7 @@ in
          redis = mkOption {
            description = "The Redis connection used for the Celery worker.";
            type = types.str;
-            default = "redis+socket:///run/redis-sourcehut-buildsrht/redis.sock?virtual_host=2";
+            default = "redis+socket:///run/redis-sourcehut-builds.sr.ht/redis.sock?virtual_host=2";
          };
          shell = mkOption {
            description = ''
@@ -436,8 +437,8 @@ in
              This setting is propagated to newer and existing repositories.
            '';
            type = types.path;
-            default = "${pkgs.sourcehut.gitsrht}/bin/gitsrht-update-hook";
-            defaultText = "\${pkgs.sourcehut.gitsrht}/bin/gitsrht-update-hook";
+            default = "${cfg.git.package}/bin/git.sr.ht-update-hook";
+            defaultText = "\${pkgs.sourcehut.gitsrht}/bin/git.sr.ht-update-hook";
          };
          repos = mkOption {
            description = ''
@@ -446,12 +447,12 @@ in
              the gitsrht's user as read and write access to it.
            '';
            type = types.str;
-            default = "/var/lib/sourcehut/gitsrht/repos";
+            default = "/var/lib/sourcehut/git.sr.ht/repos";
          };
          webhooks = mkOption {
            description = "The Redis connection used for the webhooks worker.";
            type = types.str;
-            default = "redis+socket:///run/redis-sourcehut-gitsrht/redis.sock?virtual_host=1";
+            default = "redis+socket:///run/redis-sourcehut-git.sr.ht/redis.sock?virtual_host=1";
          };
        };
        options."git.sr.ht::api" = {
@@ -477,8 +478,8 @@ in
              This setting is propagated to newer and existing repositories.
            '';
            type = types.str;
-            default = "${pkgs.sourcehut.hgsrht}/bin/hgsrht-hook-changegroup";
-            defaultText = "\${pkgs.sourcehut.hgsrht}/bin/hgsrht-hook-changegroup";
+            default = "${cfg.hg.package}/bin/hg.sr.ht-hook-changegroup";
+            defaultText = "\${pkgs.sourcehut.hgsrht}/bin/hg.sr.ht-hook-changegroup";
          };
          repos = mkOption {
            description = ''
@@ -487,7 +488,7 @@ in
              the hgsrht's user as read and write access to it.
            '';
            type = types.str;
-            default = "/var/lib/sourcehut/hgsrht/repos";
+            default = "/var/lib/sourcehut/hg.sr.ht/repos";
          };
          srhtext = mkOptionNullOrStr ''
            Path to the srht mercurial extension
@@ -507,7 +508,7 @@ in
          webhooks = mkOption {
            description = "The Redis connection used for the webhooks worker.";
            type = types.str;
-            default = "redis+socket:///run/redis-sourcehut-hgsrht/redis.sock?virtual_host=1";
+            default = "redis+socket:///run/redis-sourcehut-hg.sr.ht/redis.sock?virtual_host=1";
          };
        };

@@ -529,12 +530,12 @@ in
          redis = mkOption {
            description = "The Redis connection used for the Celery worker.";
            type = types.str;
-            default = "redis+socket:///run/redis-sourcehut-listssrht/redis.sock?virtual_host=2";
+            default = "redis+socket:///run/redis-sourcehut-lists.sr.ht/redis.sock?virtual_host=2";
          };
          webhooks = mkOption {
            description = "The Redis connection used for the webhooks worker.";
            type = types.str;
-            default = "redis+socket:///run/redis-sourcehut-listssrht/redis.sock?virtual_host=1";
+            default = "redis+socket:///run/redis-sourcehut-lists.sr.ht/redis.sock?virtual_host=1";
          };
        };
        options."lists.sr.ht::worker" = {
@@ -584,7 +585,7 @@ in
            webhooks = mkOption {
              description = "The Redis connection used for the webhooks worker.";
              type = types.str;
-              default = "redis+socket:///run/redis-sourcehut-metasrht/redis.sock?virtual_host=1";
+              default = "redis+socket:///run/redis-sourcehut-meta.sr.ht/redis.sock?virtual_host=1";
            };
            welcome-emails = mkEnableOption "sending stock sourcehut welcome emails after signup";
          };
@@ -691,7 +692,7 @@ in
          webhooks = mkOption {
            description = "The Redis connection used for the webhooks worker.";
            type = types.str;
-            default = "redis+socket:///run/redis-sourcehut-todosrht/redis.sock?virtual_host=1";
+            default = "redis+socket:///run/redis-sourcehut-todo.sr.ht/redis.sock?virtual_host=1";
          };
        };
        options."todo.sr.ht::mail" = {
@@ -763,7 +764,7 @@ in
    };

    git = {
-      package = mkPackageOption pkgs "git" {
+      gitPackage = mkPackageOption pkgs "git" {
        example = "gitFull";
      };
      fcgiwrap.preforkProcess = mkOption {
@@ -774,7 +775,7 @@ in
    };

    hg = {
-      package = mkPackageOption pkgs "mercurial" { };
+      mercurialPackage = mkPackageOption pkgs "mercurial" { };
      cloneBundles = mkOption {
        type = types.bool;
        default = false;
@@ -806,6 +807,7 @@ in

  config = mkIf cfg.enable (mkMerge [
    {
+      # TODO: make configurable
      environment.systemPackages = [ pkgs.sourcehut.coresrht ];

      services.sourcehut.settings = {
@@ -875,14 +877,14 @@ in
          set -e
          set -x
          cd /etc/ssh/sourcehut/subdir
-          ${pkgs.sourcehut.gitsrht}/bin/gitsrht-dispatch "$@"
+          ${cfg.git.package}/bin/git.sr.ht-dispatch "$@"
        '';
      };
      systemd.tmpfiles.settings."10-sourcehut-gitsrht" = mkIf cfg.git.enable (mkMerge [
        (builtins.listToAttrs (
          map
            (name: {
-              name = "/var/log/sourcehut/gitsrht-${name}";
+              name = "/var/log/sourcehut/git.sr.ht-${name}";
              value.f = {
                inherit (cfg.git) user group;
                mode = "0644";
@@ -903,7 +905,7 @@ in
      ]);
      systemd.services.sshd = {
        preStart = mkIf cfg.hg.enable ''
-          chown ${cfg.hg.user}:${cfg.hg.group} /var/log/sourcehut/hgsrht-keys
+          chown ${cfg.hg.user}:${cfg.hg.group} /var/log/sourcehut/hg.sr.ht-keys
        '';
        serviceConfig = {
          LogsDirectory = "sourcehut";
@@ -919,62 +921,62 @@ in
              "${pkgs.writeShellScript "buildsrht-keys-wrapper" ''
                set -e
                cd /run/sourcehut/buildsrht/subdir
-                exec -a "$0" ${pkgs.sourcehut.buildsrht}/bin/buildsrht-keys "$@"
+                exec -a "$0" ${cfg.builds.package}/bin/builds.sr.ht-keys "$@"
              ''}:/usr/bin/buildsrht-keys"
-              "${pkgs.sourcehut.buildsrht}/bin/master-shell:/usr/bin/master-shell"
-              "${pkgs.sourcehut.buildsrht}/bin/runner-shell:/usr/bin/runner-shell"
+              "${cfg.builds.package}/bin/master-shell:/usr/bin/master-shell"
+              "${cfg.builds.package}/bin/runner-shell:/usr/bin/runner-shell"
            ]
            ++ optionals cfg.git.enable [
              # /path/to/gitsrht-keys calls /path/to/gitsrht-shell,
              # or [git.sr.ht] shell= if set.
              "${pkgs.writeShellScript "gitsrht-keys-wrapper" ''
                set -e
-                cd /run/sourcehut/gitsrht/subdir
-                exec -a "$0" ${pkgs.sourcehut.gitsrht}/bin/gitsrht-keys "$@"
-              ''}:/usr/bin/gitsrht-keys"
+                cd /run/sourcehut/git.sr.ht/subdir
+                exec -a "$0" ${cfg.git.package}/bin/git.sr.ht-keys "$@"
+              ''}:/usr/bin/git.sr.ht-keys"
              "${pkgs.writeShellScript "gitsrht-shell-wrapper" ''
                set -e
-                cd /run/sourcehut/gitsrht/subdir
-                export PATH="${cfg.git.package}/bin:$PATH"
-                export SRHT_CONFIG=/run/sourcehut/gitsrht/config.ini
-                exec -a "$0" ${pkgs.sourcehut.gitsrht}/bin/gitsrht-shell "$@"
-              ''}:/usr/bin/gitsrht-shell"
+                cd /run/sourcehut/git.sr.ht/subdir
+                export PATH="${cfg.git.gitPackage}/bin:$PATH"
+                export SRHT_CONFIG=/run/sourcehut/git.sr.ht/config.ini
+                exec -a "$0" ${cfg.git.package}/bin/git.sr.ht-shell "$@"
+              ''}:/usr/bin/git.sr.ht-shell"
              "${pkgs.writeShellScript "gitsrht-update-hook" ''
                set -e
-                export SRHT_CONFIG=/run/sourcehut/gitsrht/config.ini
+                export SRHT_CONFIG=/run/sourcehut/git.sr.ht/config.ini
                # hooks/post-update calls /usr/bin/gitsrht-update-hook as hooks/stage-3
                # but this wrapper being a bash script, it overrides $0 with /usr/bin/gitsrht-update-hook
                # hence this hack to put hooks/stage-3 back into gitsrht-update-hook's $0
                if test "''${STAGE3:+set}"
                then
-                  exec -a hooks/stage-3 ${pkgs.sourcehut.gitsrht}/bin/gitsrht-update-hook "$@"
+                  exec -a hooks/stage-3 ${cfg.git.package}/bin/git.sr.ht-update-hook "$@"
                else
                  export STAGE3=set
-                  exec -a "$0" ${pkgs.sourcehut.gitsrht}/bin/gitsrht-update-hook "$@"
+                  exec -a "$0" ${cfg.git.package}/bin/git.sr.ht-update-hook "$@"
                fi
-              ''}:/usr/bin/gitsrht-update-hook"
+              ''}:/usr/bin/git.sr.ht-update-hook"
            ]
            ++ optionals cfg.hg.enable [
              # /path/to/hgsrht-keys calls /path/to/hgsrht-shell,
              # or [hg.sr.ht] shell= if set.
              "${pkgs.writeShellScript "hgsrht-keys-wrapper" ''
                set -e
-                cd /run/sourcehut/hgsrht/subdir
-                exec -a "$0" ${pkgs.sourcehut.hgsrht}/bin/hgsrht-keys "$@"
-              ''}:/usr/bin/hgsrht-keys"
-              "${pkgs.writeShellScript "hgsrht-shell-wrapper" ''
+                cd /run/sourcehut/hg.sr.ht/subdir
+                exec -a "$0" ${cfg.hg.package}/bin/hg.sr.ht-keys "$@"
+              ''}:/usr/bin/hg.sr.ht-keys"
+              "${pkgs.writeShellScript "hg.sr.ht-shell-wrapper" ''
                set -e
-                cd /run/sourcehut/hgsrht/subdir
-                exec -a "$0" ${pkgs.sourcehut.hgsrht}/bin/hgsrht-shell "$@"
-              ''}:/usr/bin/hgsrht-shell"
+                cd /run/sourcehut/hg.sr.ht/subdir
+                exec -a "$0" ${cfg.hg.package}/bin/hg.sr.ht-shell "$@"
+              ''}:/usr/bin/hg.sr.ht-shell"
              # Mercurial's changegroup hooks are run relative to their repository's directory,
              # but hgsrht-hook-changegroup looks up ./config.ini
              "${pkgs.writeShellScript "hgsrht-hook-changegroup" ''
                set -e
                test -e "''$PWD"/config.ini ||
-                ln -s /run/sourcehut/hgsrht/config.ini "''$PWD"/config.ini
-                exec -a "$0" ${pkgs.sourcehut.hgsrht}/bin/hgsrht-hook-changegroup "$@"
-              ''}:/usr/bin/hgsrht-hook-changegroup"
+                ln -s /run/sourcehut/hg.sr.ht/config.ini "''$PWD"/config.ini
+                exec -a "$0" ${cfg.hg.package}/bin/hg.sr.ht-hook-changegroup "$@"
+              ''}:/usr/bin/hg.sr.ht-hook-changegroup"
            ];
        };
      };
@@ -985,17 +987,17 @@ in

    (import ./service.nix "builds" {
      inherit configIniOfService;
-      srvsrht = "buildsrht";
+      pkgname = "buildsrht";
      port = 5002;
-      extraServices.buildsrht-api = {
+      extraServices."build.sr.ht-api" = {
        serviceConfig.Restart = "always";
        serviceConfig.RestartSec = "5s";
-        serviceConfig.ExecStart = "${pkgs.sourcehut.buildsrht}/bin/buildsrht-api -b ${cfg.listenAddress}:${
+        serviceConfig.ExecStart = "${cfg.builds.package}/bin/builds.sr.ht-api -b ${cfg.listenAddress}:${
          toString (cfg.builds.port + 100)
        }";
      };
      # TODO: a celery worker on the master and worker are apparently needed
-      extraServices.buildsrht-worker =
+      extraServices."build.sr.ht-worker" =
        let
          qemuPackage = pkgs.qemu_kvm;
          serviceName = "buildsrht-worker";
@@ -1024,7 +1026,7 @@ in
            fi
          '';
          serviceConfig = {
-            ExecStart = "${pkgs.sourcehut.buildsrht}/bin/buildsrht-worker";
+            ExecStart = "${cfg.builds.package}/bin/builds.sr.ht-worker";
            BindPaths = [ cfg.settings."builds.sr.ht::worker".buildlogs ];
            LogsDirectory = [ "sourcehut/${serviceName}" ];
            RuntimeDirectory = [ "sourcehut/${serviceName}/subdir" ];
@@ -1055,7 +1057,7 @@ in
            name = "buildsrht-worker-images-pre";
            paths = image_dirs;
            # FIXME: not working, apparently because ubuntu/latest is a broken link
-            # ++ [ "${pkgs.sourcehut.buildsrht}/lib/images" ];
+            # ++ [ "${cfg.builds.package}/lib/images" ];
          };
          image_dir = pkgs.runCommand "buildsrht-worker-images" { } ''
            mkdir -p $out/images
@@ -1072,7 +1074,7 @@ in
              {
                # Note that git.sr.ht::dispatch is not a typo,
                # gitsrht-dispatch always use this section
-                "git.sr.ht::dispatch"."/usr/bin/buildsrht-keys" =
+                "git.sr.ht::dispatch"."/usr/bin/builds.sr.ht-keys" =
                  mkDefault "${cfg.builds.user}:${cfg.builds.group}";
              }
              (mkIf cfg.builds.enableWorker {
@@ -1113,8 +1115,10 @@ in
    (import ./service.nix "git" (
      let
        baseService = {
-          path = [ cfg.git.package ];
-          serviceConfig.BindPaths = [ "${cfg.settings."git.sr.ht".repos}:/var/lib/sourcehut/gitsrht/repos" ];
+          path = [ cfg.git.gitPackage ];
+          serviceConfig.BindPaths = [
+            "${cfg.settings."git.sr.ht".repos}:/var/lib/sourcehut/git.sr.ht/repos"
+          ];
        };
      in
      {
@@ -1123,23 +1127,23 @@ in
          baseService
          {
            serviceConfig.StateDirectory = [
-              "sourcehut/gitsrht"
-              "sourcehut/gitsrht/repos"
+              "sourcehut/git.sr.ht"
+              "sourcehut/git.sr.ht/repos"
            ];
            preStart = mkIf (versionOlder config.system.stateVersion "22.05") (mkBefore ''
              # Fix Git hooks of repositories pre-dating https://github.com/NixOS/nixpkgs/pull/133984
              (
              set +f
              shopt -s nullglob
-              for h in /var/lib/sourcehut/gitsrht/repos/~*/*/hooks/{pre-receive,update,post-update}
-              do ln -fnsv /usr/bin/gitsrht-update-hook "$h"; done
+              for h in /var/lib/sourcehut/git.sr.ht/repos/~*/*/hooks/{pre-receive,update,post-update}
+              do ln -fnsv /usr/bin/git.sr.ht-update-hook "$h"; done
              )
            '');
          }
        ];
        port = 5001;
        webhooks = true;
-        extraTimers.gitsrht-periodic = {
+        extraTimers."git.sr.ht-periodic" = {
          service = baseService;
          timerConfig.OnCalendar = [ "*:0/20" ];
        };
@@ -1149,7 +1153,7 @@ in
            # Probably could use gitsrht-shell if output is restricted to just parameters...
            users.users.${cfg.git.user}.shell = pkgs.bash;
            services.sourcehut.settings = {
-              "git.sr.ht::dispatch"."/usr/bin/gitsrht-keys" = mkDefault "${cfg.git.user}:${cfg.git.group}";
+              "git.sr.ht::dispatch"."/usr/bin/git.sr.ht-keys" = mkDefault "${cfg.git.user}:${cfg.git.group}";
            };
            systemd.services.sshd = baseService;
          }
@@ -1164,49 +1168,50 @@ in
                '';
              };
              locations."~ ^/([^/]+)/([^/]+)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$" = {
-                root = "/var/lib/sourcehut/gitsrht/repos";
+                root = "/var/lib/sourcehut/git.sr.ht/repos";
                fastcgiParams = {
                  GIT_HTTP_EXPORT_ALL = "";
                  GIT_PROJECT_ROOT = "$document_root";
                  PATH_INFO = "$uri";
-                  SCRIPT_FILENAME = "${cfg.git.package}/bin/git-http-backend";
+                  SCRIPT_FILENAME = "${cfg.git.gitPackage}/bin/git-http-backend";
                };
                extraConfig = ''
                  auth_request /authorize;
                  fastcgi_read_timeout 500s;
-                  fastcgi_pass unix:/run/gitsrht-fcgiwrap.sock;
+                  fastcgi_pass unix:/run/git.sr.ht-fcgiwrap.sock;
                  gzip off;
                '';
              };
            };
-            systemd.sockets.gitsrht-fcgiwrap = {
+            systemd.sockets."git.sr.ht-fcgiwrap" = {
              before = [ "nginx.service" ];
              wantedBy = [
                "sockets.target"
-                "gitsrht.service"
+                "git.sr.ht.service"
              ];
              # This path remains accessible to nginx.service, which has no RootDirectory=
-              socketConfig.ListenStream = "/run/gitsrht-fcgiwrap.sock";
+              socketConfig.ListenStream = "/run/git.sr.ht-fcgiwrap.sock";
              socketConfig.SocketUser = nginx.user;
              socketConfig.SocketMode = "600";
            };
          })
        ];
-        extraServices.gitsrht-api.serviceConfig = {
+        extraServices."git.sr.ht-api".serviceConfig = {
          Restart = "always";
          RestartSec = "5s";
-          ExecStart = "${pkgs.sourcehut.gitsrht}/bin/gitsrht-api -b ${cfg.listenAddress}:${toString (cfg.git.port + 100)}";
-          BindPaths = [ "${cfg.settings."git.sr.ht".repos}:/var/lib/sourcehut/gitsrht/repos" ];
+          ExecStart = "${cfg.git.package}/bin/git.sr.ht-api -b ${cfg.listenAddress}:${toString (cfg.git.port + 100)}";
+          BindPaths = [ "${cfg.settings."git.sr.ht".repos}:/var/lib/sourcehut/git.sr.ht/repos" ];
        };
-        extraServices.gitsrht-fcgiwrap = mkIf cfg.nginx.enable {
+        extraServices."git.sr.ht-fcgiwrap" = mkIf cfg.nginx.enable {
          serviceConfig = {
            # Socket is passed by gitsrht-fcgiwrap.socket
-            ExecStart = "${pkgs.fcgiwrap}/sbin/fcgiwrap -c ${toString cfg.git.fcgiwrap.preforkProcess}";
+            ExecStart = "${pkgs.fcgiwrap}/bin/fcgiwrap -c ${toString cfg.git.fcgiwrap.preforkProcess}";
            # No need for config.ini
            ExecStartPre = mkForce [ ];
-            User = null;
-            DynamicUser = true;
-            BindReadOnlyPaths = [ "${cfg.settings."git.sr.ht".repos}:/var/lib/sourcehut/gitsrht/repos" ];
+            # FIXME: Fails to start with dynamic user
+            # User = null;
+            # DynamicUser = true;
+            BindReadOnlyPaths = [ "${cfg.settings."git.sr.ht".repos}:/var/lib/sourcehut/git.sr.ht/repos" ];
            IPAddressDeny = "any";
            InaccessiblePaths = [
              "-+/run/postgresql"
@@ -1232,8 +1237,8 @@ in
    (import ./service.nix "hg" (
      let
        baseService = {
-          path = [ cfg.hg.package ];
-          serviceConfig.BindPaths = [ "${cfg.settings."hg.sr.ht".repos}:/var/lib/sourcehut/hgsrht/repos" ];
+          path = [ cfg.hg.mercurialPackage ];
+          serviceConfig.BindPaths = [ "${cfg.settings."hg.sr.ht".repos}:/var/lib/sourcehut/hg.sr.ht/repos" ];
        };
      in
      {
@@ -1242,26 +1247,26 @@ in
          baseService
          {
            serviceConfig.StateDirectory = [
-              "sourcehut/hgsrht"
-              "sourcehut/hgsrht/repos"
+              "sourcehut/hg.sr.ht"
+              "sourcehut/hg.sr.ht/repos"
            ];
          }
        ];
        port = 5010;
        webhooks = true;
-        extraTimers.hgsrht-periodic = {
+        extraTimers."hg.sr.ht-periodic" = {
          service = baseService;
          timerConfig.OnCalendar = [ "*:0/20" ];
        };
-        extraTimers.hgsrht-clonebundles = mkIf cfg.hg.cloneBundles {
+        extraTimers."hg.sr.ht-clonebundles" = mkIf cfg.hg.cloneBundles {
          service = baseService;
          timerConfig.OnCalendar = [ "daily" ];
          timerConfig.AccuracySec = "1h";
        };
-        extraServices.hgsrht-api = {
+        extraServices."hg.sr.ht-api" = {
          serviceConfig.Restart = "always";
          serviceConfig.RestartSec = "5s";
-          serviceConfig.ExecStart = "${pkgs.sourcehut.hgsrht}/bin/hgsrht-api -b ${cfg.listenAddress}:${toString (cfg.hg.port + 100)}";
+          serviceConfig.ExecStart = "${cfg.hgsrht.package}/bin/hg.sr.ht-api -b ${cfg.listenAddress}:${toString (cfg.hg.port + 100)}";
        };
        extraConfig = mkMerge [
          {
@@ -1269,7 +1274,7 @@ in
            services.sourcehut.settings = {
              # Note that git.sr.ht::dispatch is not a typo,
              # gitsrht-dispatch always uses this section.
-              "git.sr.ht::dispatch"."/usr/bin/hgsrht-keys" = mkDefault "${cfg.hg.user}:${cfg.hg.group}";
+              "git.sr.ht::dispatch"."/usr/bin/hg.sr.ht-keys" = mkDefault "${cfg.hg.user}:${cfg.hg.group}";
            };
            systemd.services.sshd = baseService;
          }
@@ -1290,7 +1295,7 @@ in
              # so someone would need to know or guess a SHA value to download anything.
              # TODO: proxyPass to an hg serve service?
              locations."~ ^/[~^][a-z0-9_]+/[a-zA-Z0-9_.-]+/\\.hg/bundles/.*$" = {
-                root = "/var/lib/nginx/hgsrht/repos";
+                root = "/var/lib/nginx/hg.sr.ht/repos";
                extraConfig = ''
                  auth_request /authorize;
                  gzip off;
@@ -1299,7 +1304,7 @@ in
            };
            systemd.services.nginx = {
              serviceConfig.BindReadOnlyPaths = [
-                "${cfg.settings."hg.sr.ht".repos}:/var/lib/nginx/hgsrht/repos"
+                "${cfg.settings."hg.sr.ht".repos}:/var/lib/nginx/hg.sr.ht/repos"
              ];
            };
          })
@@ -1330,23 +1335,23 @@ in
        inherit configIniOfService;
        port = 5006;
        webhooks = true;
-        extraServices.listssrht-api = {
+        extraServices."lists.sr.ht-api" = {
          serviceConfig.Restart = "always";
          serviceConfig.RestartSec = "5s";
-          serviceConfig.ExecStart = "${pkgs.sourcehut.listssrht}/bin/listssrht-api -b ${cfg.listenAddress}:${
+          serviceConfig.ExecStart = "${cfg.lists.package}/bin/lists.sr.ht-api -b ${cfg.listenAddress}:${
            toString (cfg.lists.port + 100)
          }";
        };
        # Receive the mail from Postfix and enqueue them into Redis and PostgreSQL
-        extraServices.listssrht-lmtp = {
+        extraServices."lists.sr.ht-lmtp" = {
          wants = [ "postfix.service" ];
          unitConfig.JoinsNamespaceOf = optional cfg.postfix.enable "postfix.service";
-          serviceConfig.ExecStart = "${pkgs.sourcehut.listssrht}/bin/listssrht-lmtp";
+          serviceConfig.ExecStart = "${cfg.lists.package}/bin/lists.sr.ht-lmtp";
          # Avoid crashing: os.chown(sock, os.getuid(), sock_gid)
          serviceConfig.PrivateUsers = mkForce false;
        };
        # Dequeue the mails from Redis and dispatch them
-        extraServices.listssrht-process = {
+        extraServices."lists.sr.ht-process" = {
          serviceConfig = {
            preStart = ''
              cp ${pkgs.writeText "${srvsrht}-webhooks-celeryconfig.py" cfg.lists.process.celeryConfig} \
@@ -1392,7 +1397,7 @@ in
        OnCalendar = [ "daily" ];
        AccuracySec = "1h";
      };
-      extraServices.metasrht-api = {
+      extraServices."meta.sr.ht-api" = {
        serviceConfig.Restart = "always";
        serviceConfig.RestartSec = "5s";
        preStart =
@@ -1414,7 +1419,7 @@ in
              ) cfg.settings
            )
          );
-        serviceConfig.ExecStart = "${pkgs.sourcehut.metasrht}/bin/metasrht-api -b ${cfg.listenAddress}:${toString (cfg.meta.port + 100)}";
+        serviceConfig.ExecStart = "${cfg.meta.package}/bin/meta.sr.ht-api -b ${cfg.listenAddress}:${toString (cfg.meta.port + 100)}";
      };
      extraConfig = {
        assertions = [
@@ -1428,14 +1433,14 @@ in
          }
        ];
        environment.systemPackages = optional cfg.meta.enable (
-          pkgs.writeShellScriptBin "metasrht-manageuser" ''
+          pkgs.writeShellScriptBin "meta.sr.ht-manageuser" ''
            set -eux
            if test "$(${pkgs.coreutils}/bin/id -n -u)" != '${cfg.meta.user}'
            then exec sudo -u '${cfg.meta.user}' "$0" "$@"
            else
              # In order to load config.ini
-              if cd /run/sourcehut/metasrht
-              then exec ${pkgs.sourcehut.metasrht}/bin/metasrht-manageuser "$@"
+              if cd /run/sourcehut/meta.sr.ht
+              then exec ${cfg.meta.package}/bin/meta.sr.ht-manageuser "$@"
              else cat <<EOF
                Please run: sudo systemctl start metasrht
            EOF
@@ -1452,8 +1457,9 @@ in
      port = 5112;
      mainService =
        let
+          package = cfg.pages.package;
          srvsrht = "pagessrht";
-          version = pkgs.sourcehut.${srvsrht}.version;
+          version = package.version;
          stateDir = "/var/lib/sourcehut/${srvsrht}";
          iniKey = "pages.sr.ht";
        in
@@ -1467,13 +1473,13 @@ in
            if test ! -e ${stateDir}/db; then
              ${postgresql.package}/bin/psql '${
                cfg.settings.${iniKey}.connection-string
-              }' -f ${pkgs.sourcehut.pagessrht}/share/sql/schema.sql
+              }' -f ${cfg.pages.package}/share/sql/schema.sql
              echo ${version} >${stateDir}/db
            fi

            ${optionalString cfg.settings.${iniKey}.migrate-on-upgrade ''
              # Just try all the migrations because they're not linked to the version
-              for sql in ${pkgs.sourcehut.pagessrht}/share/sql/migrations/*.sql; do
+              for sql in ${package}/share/sql/migrations/*.sql; do
                ${postgresql.package}/bin/psql '${cfg.settings.${iniKey}.connection-string}' -f "$sql" || true
              done
            ''}
@@ -1482,7 +1488,7 @@ in
            touch ${stateDir}/webhook
          '';
          serviceConfig = {
-            ExecStart = mkForce "${pkgs.sourcehut.pagessrht}/bin/pages.sr.ht -b ${cfg.listenAddress}:${toString cfg.pages.port}";
+            ExecStart = mkForce "${cfg.pages.package}/bin/pages.sr.ht -b ${cfg.listenAddress}:${toString cfg.pages.port}";
          };
        };
    })
@@ -1490,10 +1496,10 @@ in
    (import ./service.nix "paste" {
      inherit configIniOfService;
      port = 5011;
-      extraServices.pastesrht-api = {
+      extraServices."paste.sr.ht-api" = {
        serviceConfig.Restart = "always";
        serviceConfig.RestartSec = "5s";
-        serviceConfig.ExecStart = "${pkgs.sourcehut.pastesrht}/bin/pastesrht-api -b ${cfg.listenAddress}:${
+        serviceConfig.ExecStart = "${cfg.paste.package}/bin/paste.sr.ht-api -b ${cfg.listenAddress}:${
          toString (cfg.paste.port + 100)
        }";
      };
@@ -1503,15 +1509,15 @@ in
      inherit configIniOfService;
      port = 5003;
      webhooks = true;
-      extraServices.todosrht-api = {
+      extraServices."todo.sr.ht-api" = {
        serviceConfig.Restart = "always";
        serviceConfig.RestartSec = "5s";
-        serviceConfig.ExecStart = "${pkgs.sourcehut.todosrht}/bin/todosrht-api -b ${cfg.listenAddress}:${toString (cfg.todo.port + 100)}";
+        serviceConfig.ExecStart = "${cfg.todo.package}/bin/todo.sr.ht-api -b ${cfg.listenAddress}:${toString (cfg.todo.port + 100)}";
      };
-      extraServices.todosrht-lmtp = {
+      extraServices."todo.sr.ht-lmtp" = {
        wants = [ "postfix.service" ];
        unitConfig.JoinsNamespaceOf = optional cfg.postfix.enable "postfix.service";
-        serviceConfig.ExecStart = "${pkgs.sourcehut.todosrht}/bin/todosrht-lmtp";
+        serviceConfig.ExecStart = "${cfg.todo.package}/bin/todo.sr.ht-lmtp";
        # Avoid crashing: os.chown(sock, os.getuid(), sock_gid)
        serviceConfig.PrivateUsers = mkForce false;
      };
--- a/nixos/modules/services/misc/sourcehut/service.nix
+++ b/nixos/modules/services/misc/sourcehut/service.nix
@@ -1,7 +1,8 @@
 srv:
 {
  configIniOfService,
-  srvsrht ? "${srv}srht", # Because "buildsrht" does not follow that pattern (missing an "s").
+  pkgname ? "${srv}srht", # Because "buildsrht" does not follow that pattern (missing an "s").
+  srvsrht ? "${srv}.sr.ht",
  iniKey ? "${srv}.sr.ht",
  webhooks ? false,
  extraTimers ? { },
@@ -28,7 +29,7 @@ let
    mkIf
    mkMerge
    ;
-  inherit (lib.options) mkEnableOption mkOption;
+  inherit (lib.options) mkEnableOption mkOption mkPackageOption;
  inherit (lib.strings) concatStringsSep hasSuffix optionalString;
  inherit (config.services) postgresql;
  redis = config.services.redis.servers."sourcehut-${srvsrht}";
@@ -162,6 +163,8 @@ in
    {
      enable = mkEnableOption "${srv} service";

+      package = mkPackageOption pkgs [ "sourcehut" pkgname ] { };
+
      user = mkOption {
        type = types.str;
        default = srvsrht;
@@ -276,7 +279,7 @@ in
            forceSSL = mkDefault true;
            locations."/".proxyPass = "http://${cfg.listenAddress}:${toString srvCfg.port}";
            locations."/static" = {
-              root = "${pkgs.sourcehut.${srvsrht}}/${pkgs.sourcehut.python.sitePackages}/${srvsrht}";
+              root = "${srvCfg.package}/${pkgs.sourcehut.python.sitePackages}/${srvsrht}";
              extraConfig = mkDefault ''
                expires 30d;
              '';
@@ -367,12 +370,12 @@ in
                StateDirectory = [ "sourcehut/${srvsrht}" ];
                StateDirectoryMode = "2750";
                ExecStart =
-                  "${cfg.python}/bin/gunicorn ${srvsrht}.app:app --name ${srvsrht} --bind ${cfg.listenAddress}:${toString srvCfg.port} "
+                  "${cfg.python}/bin/gunicorn ${pkgname}.app:app --name ${srvsrht} --bind ${cfg.listenAddress}:${toString srvCfg.port} "
                  + concatStringsSep " " srvCfg.gunicorn.extraArgs;
              };
              preStart =
                let
-                  package = pkgs.sourcehut.${srvsrht};
+                  package = srvCfg.package;
                  version = package.version;
                  stateDir = "/var/lib/sourcehut/${srvsrht}";
                in
@@ -385,7 +388,7 @@ in
                  if test ! -e ${stateDir}/db; then
                    # Setup the initial database.
                    # Note that it stamps the alembic head afterward
-                    ${package}/bin/${srvsrht}-initdb
+                    ${postgresql.package}/bin/psql -d ${srvsrht} -f ${package}/share/sourcehut/${srvsrht}-schema.sql
                    echo ${version} >${stateDir}/db
                  fi

@@ -401,7 +404,7 @@ in
                  # See https://lists.sr.ht/~sircmpwn/sr.ht-admins/<20190302181207.GA13778%40cirno.my.domain>
                  if test ! -e ${stateDir}/webhook; then
                    # Update ${iniKey}'s users' profile copy to the latest
-                    ${cfg.python}/bin/srht-update-profiles ${iniKey}
+                    ${cfg.python}/bin/sr.ht-update-profiles ${iniKey}
                    touch ${stateDir}/webhook
                  fi
                '';
@@ -424,7 +427,7 @@ in
              Type = "simple";
              Restart = "always";
              ExecStart =
-                "${cfg.python}/bin/celery --app ${srvsrht}.webhooks worker --hostname ${srvsrht}-webhooks@%%h "
+                "${cfg.python}/bin/celery --app ${pkgname}.webhooks worker --hostname ${srvsrht}-webhooks@%%h "
                + concatStringsSep " " srvCfg.webhooks.extraArgs;
              # Avoid crashing: os.getloadavg()
              ProcSubset = mkForce "all";
@@ -443,7 +446,7 @@ in
              ];
              serviceConfig = {
                Type = "oneshot";
-                ExecStart = "${pkgs.sourcehut.${srvsrht}}/bin/${timerName}";
+                ExecStart = "${srvCfg.package}/bin/${timerName}";
              };
            }
            (timer.service or { })
--- a/nixos/modules/services/networking/netbird/dashboard.nix
+++ b/nixos/modules/services/networking/netbird/dashboard.nix
@@ -87,7 +87,7 @@ in
    assertions = [
      {
        assertion = hasAttr "AUTH_AUTHORITY" cfg.settings;
-        message = "The setting AUTH_AUTHORITY is required for the dasboard to function.";
+        message = "The setting AUTH_AUTHORITY is required for the dashboard to function.";
      }
    ];

--- a/nixos/modules/services/networking/pdns-recursor.nix
+++ b/nixos/modules/services/networking/pdns-recursor.nix
@@ -38,12 +38,34 @@ let
    else
      "";

-  configDir = pkgs.writeTextDir "recursor.conf" (
-    concatStringsSep "\n" (flip mapAttrsToList cfg.settings (name: val: "${name}=${serialize val}"))
-  );
+  settingsFormat = pkgs.formats.yaml { };

  mkDefaultAttrs = mapAttrs (n: v: mkDefault v);

+  mkForwardZone = mapAttrsToList (
+    zone: uri: {
+      inherit zone;
+      forwarders = [ uri ];
+    }
+  );
+
+  configFile =
+    if cfg.old-settings != { } then
+      # Convert recursor.conf to recursor.yml and merge it
+      let
+        conf = pkgs.writeText "recursor.conf" (
+          concatStringsSep "\n" (mapAttrsToList (name: val: "${name}=${serialize val}") cfg.old-settings)
+        );
+
+        yaml = settingsFormat.generate "recursor.yml" cfg.yaml-settings;
+      in
+      pkgs.runCommand "recursor-merged.yml" { } ''
+        ${pkgs.pdns-recursor}/bin/rec_control show-yaml --config ${conf} > override.yml
+        ${pkgs.yq-go}/bin/yq '. *= load("override.yml")' ${yaml} > $out
+      ''
+    else
+      settingsFormat.generate "recursor.yml" cfg.yaml-settings;
+
 in
 {
  options.services.pdns-recursor = {
@@ -175,7 +197,7 @@ in
      '';
    };

-    settings = mkOption {
+    old-settings = mkOption {
      type = configType;
      default = { };
      example = literalExpression ''
@@ -184,11 +206,34 @@ in
          log-common-errors = true;
        }
      '';
+      description = ''
+        Older PowerDNS Recursor settings. Use this option to configure
+        Recursor settings not exposed in a NixOS option or to bypass one.
+        See the full documentation at
+        <https://doc.powerdns.com/recursor/settings.html>
+        for the available options.
+
+        ::: {.warning}
+        This option is provided for backward compatibility only
+        and will be removed in the next release of NixOS.
+        :::
+      '';
+    };
+
+    yaml-settings = mkOption {
+      type = settingsFormat.type;
+      default = { };
+      example = literalExpression ''
+        {
+          loglevel = 8;
+          log-common-errors = true;
+        }
+      '';
      description = ''
        PowerDNS Recursor settings. Use this option to configure Recursor
        settings not exposed in a NixOS option or to bypass one.
        See the full documentation at
-        <https://doc.powerdns.com/recursor/settings.html>
+        <https://doc.powerdns.com/recursor/yamlsettings.html>
        for the available options.
      '';
    };
@@ -205,42 +250,44 @@ in

  config = mkIf cfg.enable {

-    environment.etc."pdns-recursor".source = configDir;
+    environment.etc."/pdns-recursor/recursor.yml".source = configFile;

-    services.pdns-recursor.settings = mkDefaultAttrs {
-      local-address = cfg.dns.address;
-      local-port = cfg.dns.port;
-      allow-from = cfg.dns.allowFrom;
+    services.pdns-recursor.yaml-settings = {
+      incoming = mkDefaultAttrs {
+        listen = cfg.dns.address;
+        port = cfg.dns.port;
+        allow_from = cfg.dns.allowFrom;
+      };

-      webserver-address = cfg.api.address;
-      webserver-port = cfg.api.port;
-      webserver-allow-from = cfg.api.allowFrom;
+      webservice = mkDefaultAttrs {
+        address = cfg.api.address;
+        port = cfg.api.port;
+        allow_from = cfg.api.allowFrom;
+      };

-      forward-zones = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZones;
-      forward-zones-recurse = mapAttrsToList (zone: uri: "${zone}.=${uri}") cfg.forwardZonesRecurse;
-      export-etc-hosts = cfg.exportHosts;
-      dnssec = cfg.dnssecValidation;
-      serve-rfc1918 = cfg.serveRFC1918;
-      lua-config-file = pkgs.writeText "recursor.lua" cfg.luaConfig;
+      recursor = mkDefaultAttrs {
+        forward_zones = mkForwardZone cfg.forwardZones;
+        forward_zones_recurse = mkForwardZone cfg.forwardZonesRecurse;
+        export_etc_hosts = cfg.exportHosts;
+        serve_rfc1918 = cfg.serveRFC1918;
+        lua_config_file = pkgs.writeText "recursor.lua" cfg.luaConfig;
+        daemon = false;
+        write_pid = false;
+      };

-      daemon = false;
-      write-pid = false;
-      log-timestamp = false;
-      disable-syslog = true;
+      dnssec = mkDefaultAttrs {
+        validation = cfg.dnssecValidation;
+      };
+
+      logging = mkDefaultAttrs {
+        timestamp = false;
+        disable_syslog = true;
+      };
    };

    systemd.packages = [ pkgs.pdns-recursor ];

-    systemd.services.pdns-recursor = {
-      wantedBy = [ "multi-user.target" ];
-
-      serviceConfig = {
-        ExecStart = [
-          ""
-          "${pkgs.pdns-recursor}/bin/pdns_recursor --config-dir=${configDir}"
-        ];
-      };
-    };
+    systemd.services.pdns-recursor.wantedBy = [ "multi-user.target" ];

    users.users.pdns-recursor = {
      isSystemUser = true;
@@ -250,6 +297,15 @@ in

    users.groups.pdns-recursor = { };

+    warnings = lib.optional (cfg.old-settings != { }) ''
+      pdns-recursor has changed its configuration file format from pdns-recursor.conf
+      (mapped to `services.pdns-recursor.old-settings`) to the newer pdns-recursor.yml
+      (mapped to `services.pdns-recursor.yaml-settings`).
+
+      Support for the older format will be removed in a future version, so please migrate
+      your settings over. See <https://doc.powerdns.com/recursor/yamlsettings.html>.
+    '';
+
  };

  imports = [
@@ -258,6 +314,19 @@ in
      "pdns-recursor"
      "extraConfig"
    ] "To change extra Recursor settings use services.pdns-recursor.settings instead.")
+
+    (mkRenamedOptionModule
+      [
+        "services"
+        "pdns-recursor"
+        "settings"
+      ]
+      [
+        "services"
+        "pdns-recursor"
+        "old-settings"
+      ]
+    )
  ];

  meta.maintainers = with lib.maintainers; [ rnhmjoj ];
--- a/nixos/modules/services/search/meilisearch.nix
+++ b/nixos/modules/services/search/meilisearch.nix
@@ -129,6 +129,22 @@ in

  config = lib.mkIf cfg.enable {

+    warnings = lib.optional (lib.versionOlder cfg.package.version "1.12") ''
+      Meilisearch 1.11 will be removed in NixOS 25.11. As it was the last
+      version not to support dumpless upgrades, you will have to manually
+      migrate your data before that. Instructions can be found at
+      https://www.meilisearch.com/docs/learn/update_and_migration/updating#using-a-dump
+      and afterwards, you can set `services.meilisearch.package = pkgs.meilisearch;`
+      to use the latest version.
+    '';
+
+    services.meilisearch.package = lib.mkDefault (
+      if lib.versionAtLeast config.system.stateVersion "25.05" then
+        pkgs.meilisearch
+      else
+        pkgs.meilisearch_1_11
+    );
+
    # used to restore dumps
    environment.systemPackages = [ cfg.package ];

--- a/nixos/modules/system/activation/specialisation.nix
+++ b/nixos/modules/system/activation/specialisation.nix
@@ -10,6 +10,8 @@
 let
  inherit (lib)
    concatStringsSep
+    escapeShellArg
+    hasInfix
    mapAttrs
    mapAttrsToList
    mkOption
@@ -84,10 +86,18 @@ in
  };

  config = {
+    assertions = mapAttrsToList (name: _: {
+      assertion = !hasInfix "/" name;
+      message = ''
+        Specialisation names must not contain forward slashes.
+        Invalid specialisation name: ${name}
+      '';
+    }) config.specialisation;
+
    system.systemBuilderCommands = ''
      mkdir $out/specialisation
      ${concatStringsSep "\n" (
-        mapAttrsToList (name: path: "ln -s ${path} $out/specialisation/${name}") children
+        mapAttrsToList (name: path: "ln -s ${path} $out/specialisation/${escapeShellArg name}") children
      )}
    '';
  };
--- a/nixos/modules/system/boot/loader/limine/limine-install.py
+++ b/nixos/modules/system/boot/loader/limine/limine-install.py
@@ -74,6 +74,7 @@ def is_encrypted(device: str) -> bool:
 def is_fs_type_supported(fs_type: str) -> bool:
    return fs_type.startswith('vfat')

+paths = {}

 def get_copied_path_uri(path: str, target: str) -> str:
    result = ''
@@ -85,6 +86,8 @@ def get_copied_path_uri(path: str, target: str) -> str:

    if not os.path.exists(dest_path):
        copy_file(path, dest_path)
+    else:
+        paths[dest_path] = True

    path_with_prefix = os.path.join('/limine', target, dest_file)
    result = f'boot():{path_with_prefix}'
@@ -165,14 +168,29 @@ def config_entry(levels: int, bootspec: BootSpec, label: str, time: str) -> str:
    return entry


-def generate_config_entry(profile: str, gen: str) -> str:
+def generate_config_entry(profile: str, gen: str, special: bool) -> str:
    time = datetime.datetime.fromtimestamp(os.stat(get_system_path(profile,gen), follow_symlinks=False).st_mtime).strftime("%F %H:%M:%S")
    boot_json = json.load(open(os.path.join(get_system_path(profile, gen), 'boot.json'), 'r'))
    boot_spec = bootjson_to_bootspec(boot_json)

-    entry = config_entry(2, boot_spec, f'Generation {gen}', time)
-    for spec, spec_boot_spec in boot_spec.specialisations.items():
-        entry += config_entry(2, spec_boot_spec, f'Generation {gen}, Specialisation {spec}', str(time))
+    specialisation_list = boot_spec.specialisations.items()
+    depth = 2
+    entry = ""
+
+    if len(specialisation_list) > 0:
+        depth += 1
+        entry += '/' * (depth-1)
+
+        if special:
+            entry += '+'
+
+        entry += f'Generation {gen}' + '\n'
+        entry += config_entry(depth, boot_spec, f'Default', str(time))
+    else:
+        entry += config_entry(depth, boot_spec, f'Generation {gen}', str(time))
+
+    for spec, spec_boot_spec in specialisation_list:
+        entry += config_entry(depth, spec_boot_spec, f'{spec}', str(time))
    return entry


@@ -203,7 +221,10 @@ def copy_file(from_path: str, to_path: str):
    if not os.path.exists(dirname):
        os.makedirs(dirname)

-    shutil.copyfile(from_path, to_path)
+    shutil.copyfile(from_path, to_path + ".tmp")
+    os.rename(to_path + ".tmp", to_path)
+
+    paths[to_path] = True

 def option_from_config(name: str, config_path: List[str], conversion: Callable[[str], str] | None = None) -> str:
    if config(*config_path):
@@ -245,12 +266,10 @@ def main():

    if not os.path.exists(limine_dir):
        os.makedirs(limine_dir)
-
-    if os.path.exists(os.path.join(limine_dir, 'kernels')):
-        print(f'nuking {os.path.join(limine_dir, "kernels")}')
-        shutil.rmtree(os.path.join(limine_dir, 'kernels'))
-
-    os.makedirs(os.path.join(limine_dir, "kernels"))
+    else:
+        for dir, dirs, files in os.walk(limine_dir, topdown=True):
+            for file in files:
+                paths[os.path.join(dir, file)] = False

    profiles = [('system', get_gens())]

@@ -261,22 +280,19 @@ def main():
    editor_enabled = 'yes' if config('enableEditor') else 'no'
    hash_mismatch_panic = 'yes' if config('panicOnChecksumMismatch') else 'no'

+    last_gen = get_gens()[-1]
+    last_gen_json = json.load(open(os.path.join(get_system_path('system', last_gen), 'boot.json'), 'r'))
+    last_gen_boot_spec = bootjson_to_bootspec(last_gen_json)
+
    config_file = config('extraConfig') + '\n'
    config_file += textwrap.dedent(f'''
        timeout: {timeout}
        editor_enabled: {editor_enabled}
        hash_mismatch_panic: {hash_mismatch_panic}
        graphics: yes
-        default_entry: 2
+        default_entry: {3 if len(last_gen_boot_spec.specialisations.items()) > 0 else 2}
    ''')

-    if os.path.exists(os.path.join(limine_dir, 'wallpapers')):
-        print(f'nuking {os.path.join(limine_dir, "wallpapers")}')
-        shutil.rmtree(os.path.join(limine_dir, 'wallpapers'))
-
-    if len(config('style', 'wallpapers')) > 0:
-        os.makedirs(os.path.join(limine_dir, 'wallpapers'))
-
    for wallpaper in config('style', 'wallpapers'):
        config_file += f'''wallpaper: {get_copied_path_uri(wallpaper, 'wallpapers')}\n'''

@@ -306,8 +322,11 @@ def main():
        group_name = 'default profile' if profile == 'system' else f"profile '{profile}'"
        config_file += f'/+NixOS {group_name}\n'

+        isFirst = True
+
        for gen in sorted(gens, key=lambda x: x, reverse=True):
-            config_file += generate_config_entry(profile, gen)
+            config_file += generate_config_entry(profile, gen, isFirst)
+            isFirst = False

    config_file_path = os.path.join(limine_dir, 'limine.conf')
    config_file += '\n# NixOS boot entries end here\n\n'
@@ -318,6 +337,8 @@ def main():
        file.truncate()
        file.write(config_file.strip())

+    paths[config_file_path] = True
+
    for dest_path, source_path in config('additionalFiles').items():
        dest_path = os.path.join(limine_dir, dest_path)

@@ -363,9 +384,16 @@ def main():
                efibootmgr = os.path.join(config('efiBootMgrPath'), 'bin', 'efibootmgr')
                efi_partition = find_mounted_device(config('efiMountPoint'))
                efi_disk = find_disk_device(efi_partition)
+
+                efibootmgr_output = subprocess.check_output([efibootmgr], stderr=subprocess.STDOUT, universal_newlines=True)
+                create_flag = '-c'
+                # Check the output of `efibootmgr` to find if limine is already installed and present in the boot record
+                if matches := re.findall(r'Boot[0-9a-fA-F]{4}\*? Limine', efibootmgr_output):
+                    create_flag = '-C' # if present, keep the same boot order
+
                efibootmgr_output = subprocess.check_output([
                    efibootmgr,
-                    '-c',
+                    create_flag,
                    '-d', efi_disk,
                    '-p', efi_partition.removeprefix(efi_disk).removeprefix('p'),
                    '-l', f'\\efi\\limine\\{boot_file}',
@@ -409,4 +437,9 @@ def main():
                'Failed to deploy BIOS stage 1 Limine bootloader!\n' +
                'You might want to try enabling the `boot.loader.limine.forceMbr` option.')

+    print("removing unused boot files...")
+    for path in paths:
+        if not paths[path]:
+            os.remove(path)
+
 main()
--- a/nixos/modules/system/boot/systemd/journald.nix
+++ b/nixos/modules/system/boot/systemd/journald.nix
@@ -116,22 +116,19 @@ in
  };

  config = {
-    systemd.additionalUpstreamSystemUnits =
-      [
-        "systemd-journald.socket"
-        "systemd-journald@.socket"
-        "systemd-journald-varlink@.socket"
-        "systemd-journald.service"
-        "systemd-journald@.service"
-        "systemd-journal-flush.service"
-        "systemd-journal-catalog-update.service"
-        "systemd-journald-sync@.service"
-      ]
-      ++ (lib.optional (!config.boot.isContainer) "systemd-journald-audit.socket")
-      ++ [
-        "systemd-journald-dev-log.socket"
-        "syslog.socket"
-      ];
+    systemd.additionalUpstreamSystemUnits = [
+      "systemd-journald.socket"
+      "systemd-journald@.socket"
+      "systemd-journald-varlink@.socket"
+      "systemd-journald.service"
+      "systemd-journald@.service"
+      "systemd-journal-flush.service"
+      "systemd-journal-catalog-update.service"
+      "systemd-journald-sync@.service"
+      "systemd-journald-audit.socket"
+      "systemd-journald-dev-log.socket"
+      "syslog.socket"
+    ];

    systemd.sockets.systemd-journald-audit.wantedBy = [
      "systemd-journald.service"
--- a/nixos/tests/acme/http01-builtin.nix
+++ b/nixos/tests/acme/http01-builtin.nix
@@ -99,6 +99,45 @@ in
              "builtin-3.${domain}".listenHTTP = ":80";
            };
          };
+
+          csr.configuration =
+            let
+              conf = pkgs.writeText "openssl.csr.conf" ''
+                [req]
+                default_bits = 2048
+                prompt = no
+                default_md = sha256
+                req_extensions = req_ext
+                distinguished_name = dn
+
+                [ dn ]
+                CN = ${config.networking.fqdn}
+
+                [ req_ext ]
+                subjectAltName = @alt_names
+
+                [ alt_names ]
+                DNS.1 = ${config.networking.fqdn}
+              '';
+              csrData =
+                pkgs.runCommandNoCC "csr-and-key"
+                  {
+                    buildInputs = [ pkgs.openssl ];
+                  }
+                  ''
+                    mkdir -p $out
+                    openssl req -new -newkey rsa:2048 -nodes \
+                      -keyout $out/key.pem \
+                      -out $out/request.csr \
+                      -config ${conf}
+                  '';
+            in
+            {
+              security.acme.certs."${config.networking.fqdn}" = {
+                csr = "${csrData}/request.csr";
+                csrKey = "${csrData}/key.pem";
+              };
+            };
        };
      };
  };
@@ -211,5 +250,10 @@ in

      with subtest("Validate permissions (self-signed)"):
          check_permissions(builtin, cert, "acme")
+
+      with subtest("Can renew using a CSR"):
+          builtin.succeed(f"systemctl clean acme-{cert}.service --what=state")
+          switch_to(builtin, "csr")
+          check_issuer(builtin, cert, "pebble")
    '';
 }
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -781,6 +781,7 @@ in
  matrix-alertmanager = runTest ./matrix/matrix-alertmanager.nix;
  matrix-appservice-irc = runTest ./matrix/appservice-irc.nix;
  matrix-conduit = handleTest ./matrix/conduit.nix { };
+  matrix-continuwuity = runTest ./matrix/continuwuity.nix;
  matrix-synapse = handleTest ./matrix/synapse.nix { };
  matrix-synapse-workers = handleTest ./matrix/synapse-workers.nix { };
  mautrix-meta-postgres = handleTest ./matrix/mautrix-meta-postgres.nix { };
@@ -993,6 +994,7 @@ in
  orthanc = runTest ./orthanc.nix;
  owncast = handleTest ./owncast.nix { };
  outline = handleTest ./outline.nix { };
+  i18n = runTest ./i18n.nix;
  image-contents = handleTest ./image-contents.nix { };
  openvscode-server = handleTest ./openvscode-server.nix { };
  open-webui = runTest ./open-webui.nix;
@@ -1018,7 +1020,7 @@ in
  paperless = handleTest ./paperless.nix { };
  parsedmarc = handleTest ./parsedmarc { };
  password-option-override-ordering = handleTest ./password-option-override-ordering.nix { };
-  pdns-recursor = handleTest ./pdns-recursor.nix { };
+  pdns-recursor = runTest ./pdns-recursor.nix;
  pds = handleTest ./pds.nix { };
  peerflix = handleTest ./peerflix.nix { };
  peering-manager = handleTest ./web-apps/peering-manager.nix { };
--- a/nixos/tests/bitbox-bridge.nix
+++ b/nixos/tests/bitbox-bridge.nix
@@ -5,13 +5,10 @@ let
 in
 {
  name = "bitbox-bridge";
-  meta = {
-    platforms = lib.platforms.linux;
-    maintainers = with lib.maintainers; [
-      izelnakri
-      tensor5
-    ];
-  };
+  meta.maintainers = with lib.maintainers; [
+    izelnakri
+    tensor5
+  ];

  nodes.machine = {
    services.bitbox-bridge = {
--- a/nixos/tests/brscan5.nix
+++ b/nixos/tests/brscan5.nix
@@ -48,6 +48,10 @@ import ./make-test-python.nix (
      print(scanimage)
      assert """device `brother5:net1;dev0' is a Brother b ADS-1200""" in scanimage
      assert """device `brother5:net1;dev1' is a Brother a ADS-1200""" in scanimage
+
+      # Confirm systemd-udevd no longer logs errors about SYSFS
+      logs = machine.succeed('journalctl --unit systemd-udevd')
+      assert "Invalid key 'SYSFS'" not in logs
    '';
  }
 )
--- a/nixos/tests/common/x11.nix
+++ b/nixos/tests/common/x11.nix
@@ -14,4 +14,9 @@
  # Don't use a desktop manager.
  services.displayManager.defaultSession = lib.mkDefault "none+icewm";
  services.xserver.windowManager.icewm.enable = true;
+
+  # Help with OCR
+  environment.etc."icewm/theme".text = ''
+    Theme="gtk2/default.theme"
+  '';
 }
--- a/nixos/tests/cosmic.nix
+++ b/nixos/tests/cosmic.nix
@@ -10,10 +10,7 @@
 {
  name = testName;

-  meta = {
-    platforms = lib.platforms.linux;
-    maintainers = lib.teams.cosmic.members;
-  };
+  meta.maintainers = lib.teams.cosmic.members;

  nodes.machine = {
    imports = [ ./common/user-account.nix ];
--- a/nixos/tests/curl-impersonate.nix
+++ b/nixos/tests/curl-impersonate.nix
@@ -19,6 +19,9 @@
      We do that by creating a trusted CA and issuing a cert that includes
      all of the test domains as subject-alternative names and then spoofs the
      hostnames in /etc/hosts.
+    - We started skipping the test_http2_headers test due to log format differences
+      between the nghttpd2 version in nixpkgs and the outdated one curl-impersonate
+      uses upstream for its tests.
 */

 import ./make-test-python.nix (
@@ -125,7 +128,7 @@ import ./make-test-python.nix (

        # Run tests
        cd tests
-        pytest . --install-dir ../usr --capture-interface eth1
+        pytest . --install-dir ../usr --capture-interface eth1 --exitfirst -k 'not test_http2_headers'
      '';
  in
  {
--- a/nixos/tests/custom-ca.nix
+++ b/nixos/tests/custom-ca.nix
@@ -1,6 +1,6 @@
 # Checks that `security.pki` options are working in curl and the main browser
-# engines: Gecko (via Firefox), Chromium, QtWebEngine (via qutebrowser) and
-# WebKitGTK (via Midori). The test checks that certificates issued by a custom
+# engines: Gecko (via Firefox), Chromium, QtWebEngine (via qutebrowser).
+# The test checks that certificates issued by a custom
 # trusted CA are accepted but those from an unknown CA are rejected.

 {
@@ -210,8 +210,4 @@ in
    args = "-T";
    error = "Certificate error";
  };
-  midori = {
-    args = "-p";
-    error = "Security";
-  };
 }
--- a/nixos/tests/i18n.nix
+++ b/nixos/tests/i18n.nix
@@ -0,0 +1,43 @@
+{ lib, ... }:
+{
+  name = "glibLocales-custom-builds";
+  meta.maintainers = with lib.maintainers; [ doronbehar ];
+
+  nodes = {
+    nonUTF8Charset = {
+      i18n = {
+        defaultLocale = "en_US";
+        defaultCharset = "ISO-8859-1";
+      };
+    };
+    extraLocales1 = {
+      i18n = {
+        defaultLocale = "en_US.UTF-8";
+        extraLocales = [
+          "nl_NL.UTF-8/UTF-8"
+        ];
+      };
+    };
+    extraLocaleSettings = {
+      i18n = {
+        defaultLocale = "en_US.UTF-8";
+        extraLocaleSettings = {
+          LC_MESSAGES = "en_US.UTF-8";
+          LC_TIME = "de_DE.UTF-8";
+        };
+      };
+    };
+    localeCharsets = {
+      i18n = {
+        defaultLocale = "en_US.UTF-8";
+        extraLocaleSettings = {
+          LC_TIME = "de_DE";
+        };
+        localeCharsets = {
+          LC_TIME = "ISO-8859-1";
+        };
+      };
+    };
+  };
+  testScript = { nodes, ... }: "";
+}
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@@ -651,14 +651,11 @@ let
        # put global maintainers here, individuals go into makeInstallerTest fkt call
        maintainers = (meta.maintainers or [ ]);
        # non-EFI tests can only run on x86
-        platforms =
-          if isEfi then
-            platforms.linux
-          else
-            [
-              "x86_64-linux"
-              "i686-linux"
-            ];
+        platforms = mkIf (!isEfi) [
+          "x86_64-linux"
+          "x86_64-darwin"
+          "i686-linux"
+        ];
      };
      nodes =
        let
--- a/nixos/tests/k3s/default.nix
+++ b/nixos/tests/k3s/default.nix
@@ -4,9 +4,11 @@
  lib ? pkgs.lib,
 }:
 let
-  allK3s = lib.filterAttrs (n: _: lib.strings.hasPrefix "k3s_" n) pkgs;
+  allK3s = lib.filterAttrs (
+    n: _: lib.strings.hasPrefix "k3s_" n && (builtins.tryEval pkgs.${n}).success
+  ) pkgs;
 in
-{
+lib.recurseIntoAttrs {
  airgap-images = lib.mapAttrs (
    _: k3s: import ./airgap-images.nix { inherit system pkgs k3s; }
  ) allK3s;
--- a/nixos/tests/kanidm-provisioning.nix
+++ b/nixos/tests/kanidm-provisioning.nix
@@ -23,7 +23,7 @@ import ./make-test-python.nix (
      { pkgs, lib, ... }:
      {
        services.kanidm = {
-          package = pkgs.kanidmWithSecretProvisioning;
+          package = pkgs.kanidmWithSecretProvisioning_1_6;
          enableServer = true;
          serverSettings = {
            origin = "https://${serverDomain}";
--- a/nixos/tests/kanidm.nix
+++ b/nixos/tests/kanidm.nix
@@ -26,6 +26,7 @@ import ./make-test-python.nix (
      { pkgs, ... }:
      {
        services.kanidm = {
+          package = pkgs.kanidm_1_6;
          enableServer = true;
          serverSettings = {
            origin = "https://${serverDomain}";
@@ -55,6 +56,7 @@ import ./make-test-python.nix (
      { nodes, ... }:
      {
        services.kanidm = {
+          package = pkgs.kanidm_1_6;
          enableClient = true;
          clientSettings = {
            uri = "https://${serverDomain}";
--- a/nixos/tests/kernel-generic.nix
+++ b/nixos/tests/kernel-generic.nix
@@ -42,6 +42,7 @@ let
      linux_6_6_hardened
      linux_6_12_hardened
      linux_6_13_hardened
+      linux_6_14_hardened
      linux_rt_5_4
      linux_rt_5_10
      linux_rt_5_15
--- a/nixos/tests/limine/checksum.nix
+++ b/nixos/tests/limine/checksum.nix
@@ -6,11 +6,6 @@
    phip1611
    programmerlexi
  ];
-  meta.platforms = [
-    "aarch64-linux"
-    "i686-linux"
-    "x86_64-linux"
-  ];
  nodes.machine =
    { ... }:
    {
--- a/nixos/tests/limine/uefi.nix
+++ b/nixos/tests/limine/uefi.nix
@@ -6,11 +6,6 @@
    phip1611
    programmerlexi
  ];
-  meta.platforms = [
-    "aarch64-linux"
-    "i686-linux"
-    "x86_64-linux"
-  ];
  nodes.machine =
    { ... }:
    {
--- a/nixos/tests/lomiri-calendar-app.nix
+++ b/nixos/tests/lomiri-calendar-app.nix
@@ -1,11 +1,7 @@
 { pkgs, lib, ... }:
 {
  name = "lomiri-calendar-app-standalone";
-  meta = {
-    maintainers = lib.teams.lomiri.members;
-    # This needs a Linux VM
-    platforms = lib.platforms.linux;
-  };
+  meta.maintainers = lib.teams.lomiri.members;

  nodes.machine =
    { config, pkgs, ... }:
--- a/nixos/tests/lomiri-filemanager-app.nix
+++ b/nixos/tests/lomiri-filemanager-app.nix
@@ -34,14 +34,22 @@
    machine.wait_for_x()

    with subtest("lomiri filemanager launches"):
-        machine.execute("lomiri-filemanager-app >&2 &")
+        machine.succeed("lomiri-filemanager-app >&2 &")
+        machine.wait_for_console_text("QFSFileEngine::open: No file name specified")
+        machine.sleep(10)
+        machine.send_key("alt-f10")
+        machine.sleep(5)
        machine.wait_for_text(r"(filemanager.ubports|alice|items|directories|files|folder)")
        machine.screenshot("lomiri-filemanager_open")

    machine.succeed("pkill -f lomiri-filemanager-app")

    with subtest("lomiri filemanager localisation works"):
-        machine.execute("env LANG=de_DE.UTF-8 lomiri-filemanager-app >&2 &")
+        machine.succeed("env LANG=de_DE.UTF-8 lomiri-filemanager-app >&2 &")
+        machine.wait_for_console_text("QFSFileEngine::open: No file name specified")
+        machine.sleep(10)
+        machine.send_key("alt-f10")
+        machine.sleep(5)
        machine.wait_for_text(r"(Elemente|Verzeichnisse|Dateien|Ordner)")
        machine.screenshot("lomiri-filemanager_localised")
  '';
--- a/nixos/tests/lomiri-music-app.nix
+++ b/nixos/tests/lomiri-music-app.nix
@@ -8,11 +8,7 @@ let
 in
 {
  name = "lomiri-music-app-standalone";
-  meta = {
-    maintainers = lib.teams.lomiri.members;
-    # This needs a Linux VM
-    platforms = lib.platforms.linux;
-  };
+  meta.maintainers = lib.teams.lomiri.members;

  nodes.machine =
    { config, pkgs, ... }:
--- a/nixos/tests/matrix/continuwuity.nix
+++ b/nixos/tests/matrix/continuwuity.nix
@@ -0,0 +1,104 @@
+{ lib, ... }:
+let
+  name = "continuwuity";
+in
+{
+  inherit name;
+
+  nodes = {
+    continuwuity = {
+      services.matrix-continuwuity = {
+        enable = true;
+        settings.global = {
+          server_name = name;
+          address = [ "0.0.0.0" ];
+          allow_registration = true;
+          yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true;
+        };
+        extraEnvironment.RUST_BACKTRACE = "yes";
+      };
+      networking.firewall.allowedTCPPorts = [ 6167 ];
+    };
+    client =
+      { pkgs, ... }:
+      {
+        environment.systemPackages = [
+          (pkgs.writers.writePython3Bin "do_test" { libraries = [ pkgs.python3Packages.matrix-nio ]; } ''
+            import asyncio
+            import nio
+
+
+            async def main() -> None:
+                # Connect to continuwuity
+                client = nio.AsyncClient("http://continuwuity:6167", "alice")
+
+                # Register as user alice
+                response = await client.register("alice", "my-secret-password")
+
+                # Log in as user alice
+                response = await client.login("my-secret-password")
+
+                # Create a new room
+                response = await client.room_create(federate=False)
+                print("Matrix room create response:", response)
+                assert isinstance(response, nio.RoomCreateResponse)
+                room_id = response.room_id
+
+                # Join the room
+                response = await client.join(room_id)
+                print("Matrix join response:", response)
+                assert isinstance(response, nio.JoinResponse)
+
+                # Send a message to the room
+                response = await client.room_send(
+                    room_id=room_id,
+                    message_type="m.room.message",
+                    content={
+                        "msgtype": "m.text",
+                        "body": "Hello continuwuity!"
+                    }
+                )
+                print("Matrix room send response:", response)
+                assert isinstance(response, nio.RoomSendResponse)
+
+                # Sync responses
+                response = await client.sync(timeout=30000)
+                print("Matrix sync response:", response)
+                assert isinstance(response, nio.SyncResponse)
+
+                # Check the message was received by continuwuity
+                last_message = response.rooms.join[room_id].timeline.events[-1].body
+                assert last_message == "Hello continuwuity!"
+
+                # Leave the room
+                response = await client.room_leave(room_id)
+                print("Matrix room leave response:", response)
+                assert isinstance(response, nio.RoomLeaveResponse)
+
+                # Close the client
+                await client.close()
+
+
+            if __name__ == "__main__":
+                asyncio.run(main())
+          '')
+        ];
+      };
+  };
+
+  testScript = ''
+    start_all()
+
+    with subtest("start continuwuity"):
+          continuwuity.wait_for_unit("continuwuity.service")
+          continuwuity.wait_for_open_port(6167)
+
+    with subtest("ensure messages can be exchanged"):
+          client.succeed("do_test >&2")
+  '';
+
+  meta.maintainers = with lib.maintainers; [
+    nyabinary
+    snaki
+  ];
+}
--- a/nixos/tests/pdns-recursor.nix
+++ b/nixos/tests/pdns-recursor.nix
@@ -1,20 +1,25 @@
-import ./make-test-python.nix (
-  { pkgs, ... }:
-  {
-    name = "powerdns-recursor";
+{ lib, pkgs, ... }:

-    nodes.server =
-      { ... }:
-      {
-        services.pdns-recursor.enable = true;
-        services.pdns-recursor.exportHosts = true;
-        networking.hosts."192.0.2.1" = [ "example.com" ];
-      };
+{
+  name = "powerdns-recursor";
+  meta.maintainers = with lib.maintainers; [ rnhmjoj ];

-    testScript = ''
+  nodes.server = {
+    services.pdns-recursor.enable = true;
+    services.pdns-recursor.exportHosts = true;
+    services.pdns-recursor.old-settings.dnssec-log-bogus = true;
+    networking.hosts."192.0.2.1" = [ "example.com" ];
+  };
+
+  testScript = ''
+    with subtest("pdns-recursor is running"):
      server.wait_for_unit("pdns-recursor")
      server.wait_for_open_port(53)
+
+    with subtest("can resolve names"):
      assert "192.0.2.1" in server.succeed("host example.com localhost")
-    '';
-  }
-)
+
+    with subtest("old-settings have been merged in"):
+      server.succeed("${lib.getExe pkgs.yq-go} -e .dnssec.log_bogus /etc/pdns-recursor/recursor.yml")
+  '';
+}
--- a/nixos/tests/shadps4.nix
+++ b/nixos/tests/shadps4.nix
@@ -3,7 +3,6 @@
  name = "shadps4-openorbis-example";
  meta = {
    inherit (pkgs.shadps4.meta) maintainers;
-    platforms = lib.intersectLists lib.platforms.linux pkgs.shadps4.meta.platforms;
  };

  nodes.machine =
--- a/nixos/tests/sourcehut/builds.nix
+++ b/nixos/tests/sourcehut/builds.nix
@@ -49,15 +49,15 @@ import ../make-test-python.nix (
      machine.wait_for_unit("multi-user.target")

      with subtest("Check whether meta comes up"):
-           machine.wait_for_unit("metasrht-api.service")
-           machine.wait_for_unit("metasrht.service")
-           machine.wait_for_unit("metasrht-webhooks.service")
+           machine.wait_for_unit("meta.sr.ht-api.service")
+           machine.wait_for_unit("meta.sr.ht.service")
+           machine.wait_for_unit("meta.sr.ht-webhooks.service")
           machine.wait_for_open_port(5000)
           machine.succeed("curl -sL http://localhost:5000 | grep meta.${domain}")
           machine.succeed("curl -sL http://meta.${domain} | grep meta.${domain}")

      with subtest("Check whether builds comes up"):
-           machine.wait_for_unit("buildsrht.service")
+           machine.wait_for_unit("builds.sr.ht.service")
           machine.wait_for_open_port(5002)
           machine.succeed("curl -sL http://localhost:5002 | grep builds.${domain}")
           #machine.wait_for_unit("buildsrht-worker.service")
--- a/nixos/tests/sourcehut/git.nix
+++ b/nixos/tests/sourcehut/git.nix
@@ -63,25 +63,26 @@ import ../make-test-python.nix (
        machine.wait_for_unit("sshd.service")

        with subtest("Check whether meta comes up"):
-             machine.wait_for_unit("metasrht-api.service")
-             machine.wait_for_unit("metasrht.service")
-             machine.wait_for_unit("metasrht-webhooks.service")
+             machine.wait_for_unit("meta.sr.ht-api.service")
+             machine.wait_for_unit("meta.sr.ht.service")
+             machine.wait_for_unit("meta.sr.ht-webhooks.service")
             machine.wait_for_open_port(5000)
             machine.succeed("curl -sL http://localhost:5000 | grep meta.${domain}")
             machine.succeed("curl -sL http://meta.${domain} | grep meta.${domain}")

        with subtest("Create a new user account and OAuth access key"):
-             machine.succeed("echo ${userPass} | metasrht-manageuser -ps -e ${userName}@${domain}\
-                              -t active_paying ${userName}");
+             machine.succeed("echo ${userPass} | meta.sr.ht-manageuser -ps -e ${userName}@${domain}\
+                              -t USER ${userName}");
+             cmd = "srht-gen-oauth-tok -i ${domain} -q ${userName} ${userPass}"
             (_, token) = machine.execute("srht-gen-oauth-tok -i ${domain} -q ${userName} ${userPass}")
             token = token.strip().replace("/", r"\\/") # Escape slashes in token before passing it to sed
             machine.execute("mkdir -p ~/.config/hut/")
             machine.execute("sed s/OAUTH-TOKEN/" + token + "/ ${hutConfig} > ~/.config/hut/config")

        with subtest("Check whether git comes up"):
-             machine.wait_for_unit("gitsrht-api.service")
-             machine.wait_for_unit("gitsrht.service")
-             machine.wait_for_unit("gitsrht-webhooks.service")
+             machine.wait_for_unit("git.sr.ht-api.service")
+             machine.wait_for_unit("git.sr.ht.service")
+             machine.wait_for_unit("git.sr.ht-webhooks.service")
             machine.succeed("curl -sL http://git.${domain} | grep git.${domain}")

        with subtest("Add an SSH key for Git access"):
@@ -95,7 +96,7 @@ import ../make-test-python.nix (
             machine.execute("cd test && git add .")
             machine.execute("cd test && git commit -m \"Initial commit\"")
             machine.execute("cd test && git tag v0.1")
-             machine.succeed("cd test && git remote add origin gitsrht@git.${domain}:~${userName}/test")
+             machine.succeed("cd test && git remote add origin git.sr.ht@git.${domain}:~${userName}/test")
             machine.execute("( echo -n 'git.${domain} '; cat /etc/ssh/ssh_host_ed25519_key.pub ) > ~/.ssh/known_hosts")
             machine.succeed("hut git create test")
             machine.succeed("cd test && git push --tags --set-upstream origin master")
--- a/nixos/tests/systemd-journal.nix
+++ b/nixos/tests/systemd-journal.nix
@@ -12,11 +12,23 @@ import ./make-test-python.nix (
    };
    nodes.auditd = {
      security.auditd.enable = true;
+      security.audit.enable = true;
      environment.systemPackages = [ pkgs.audit ];
+      boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
+      boot.kernelParams = [ "audit_backlog_limit=8192" ];
    };
    nodes.journaldAudit = {
      services.journald.audit = true;
+      security.audit.enable = true;
      environment.systemPackages = [ pkgs.audit ];
+      boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
+      boot.kernelParams = [ "audit_backlog_limit=8192" ];
+    };
+    nodes.containerCheck = {
+      containers.c1 = {
+        autoStart = true;
+        config = { };
+      };
    };

    testScript = ''
@@ -50,6 +62,16 @@ import ./make-test-python.nix (
        # logs ideally should NOT end up in kmesg, but they do due to
        # https://github.com/systemd/systemd/issues/15324
        journaldAudit.succeed("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'")
+
+
+      with subtest("container systemd-journald-audit not running"):
+        containerCheck.wait_for_unit("multi-user.target");
+        containerCheck.wait_until_succeeds("systemctl -M c1 is-active default.target");
+
+        # systemd-journald-audit.socket should exist but not run due to the upstream unit's `Condition*` settings
+        (status, output) = containerCheck.execute("systemctl -M c1 is-active systemd-journald-audit.socket")
+        containerCheck.log(output)
+        assert status == 3 and output == "inactive\n", f"systemd-journald-audit.socket should exist in a container but remain inactive, was {output}"
    '';
  }
 )
--- a/nixos/tests/vaultwarden.nix
+++ b/nixos/tests/vaultwarden.nix
@@ -36,6 +36,17 @@ let
              from selenium.webdriver.firefox.options import Options
              from selenium.webdriver.support.ui import WebDriverWait
              from selenium.webdriver.support import expected_conditions as EC
+              from selenium.common.exceptions import ElementClickInterceptedException
+
+
+              def click_when_unobstructed(mark):
+                  while True:
+                      try:
+                          wait.until(EC.element_to_be_clickable(mark)).click()
+                          break
+                      except ElementClickInterceptedException:
+                          continue
+

              options = Options()
              options.add_argument('--headless')
@@ -74,7 +85,7 @@ let
              )
              driver.find_element(By.XPATH, "//button[contains(., 'Log in with master password')]").click()

-              wait.until(EC.presence_of_element_located((By.CSS_SELECTOR, 'button#newItemDropdown'))).click()
+              click_when_unobstructed((By.CSS_SELECTOR, 'button#newItemDropdown'))
              driver.find_element(By.XPATH, "//button[contains(., 'Item')]").click()

              driver.find_element(By.CSS_SELECTOR, 'input#name').send_keys(
@@ -178,6 +189,8 @@ let
            testScript
          else
            ''
+              import json
+
              start_all()
              server.wait_for_unit("vaultwarden.service")
              server.wait_for_open_port(8080)
@@ -202,11 +215,9 @@ let
                  client.succeed(f"bw --nointeraction --raw --session {key} sync -f")

              with subtest("get the password with the cli"):
-                  password = client.wait_until_succeeds(
-                      f"bw --nointeraction --raw --session {key} list items | ${pkgs.jq}/bin/jq -r .[].login.password",
-                      timeout=60
-                  )
-                  assert password.strip() == "${storedPassword}"
+                  output = json.loads(client.succeed(f"bw --nointeraction --raw --session {key} list items"))
+
+                  assert output[0]['login']['password'] == "${storedPassword}"

              with subtest("Check systemd unit hardening"):
                  server.log(server.succeed("systemd-analyze security vaultwarden.service | grep -v ✓"))
--- a/nixos/tests/velocity.nix
+++ b/nixos/tests/velocity.nix
@@ -1,13 +1,7 @@
 { lib, pkgs, ... }:
 {
  name = "velocity";
-  meta = {
-    platforms = [
-      "x86_64-linux"
-      "aarch64-linux"
-    ];
-    maintainers = [ lib.maintainers.Tert0 ];
-  };
+  meta.maintainers = [ lib.maintainers.Tert0 ];

  nodes.server =
    { ... }:
--- a/nixos/tests/web-apps/oncall.nix
+++ b/nixos/tests/web-apps/oncall.nix
@@ -45,7 +45,7 @@ in
              username = "uid";
              full_name = "cn";
              email = "mail";
-              mobile = "telephoneNumber";
+              call = "telephoneNumber";
              sms = "mobile";
            };
          };
--- a/nixos/tests/wstunnel.nix
+++ b/nixos/tests/wstunnel.nix
@@ -8,8 +8,6 @@ in
 {
  name = "wstunnel";

-  meta.platforms = lib.platforms.linux;
-
  nodes = {
    server = {
      virtualisation.vlans = [ 1 ];
--- a/pkgs/applications/audio/plexamp/default.nix
+++ b/pkgs/applications/audio/plexamp/default.nix
@@ -7,12 +7,12 @@

 let
  pname = "plexamp";
-  version = "4.12.2";
+  version = "4.12.3";

  src = fetchurl {
    url = "https://plexamp.plex.tv/plexamp.plex.tv/desktop/Plexamp-${version}.AppImage";
    name = "${pname}-${version}.AppImage";
-    hash = "sha512-qsuJv5rnw8Gprlfb3pNChMTCXDYuCd1B5Kz+TWsbjbOw8+u2mieh4gGIiPLIy2jhFBjtZUacqM6eibXL+wHGEg==";
+    hash = "sha512-gjOjk/JtHbhEDGzWH/bBtNd7qsYS97hBlPbRw7uWH/PCXD4urUWBrlihNWAOgYClVwl7nbrx/y7mhCrI2N6c1w==";
  };

  appimageContents = appimageTools.extractType2 {
@@ -38,7 +38,7 @@ appimageTools.wrapType2 {
  meta = with lib; {
    description = "Beautiful Plex music player for audiophiles, curators, and hipsters";
    homepage = "https://plexamp.com/";
-    changelog = "https://forums.plex.tv/t/plexamp-release-notes/221280/79";
+    changelog = "https://forums.plex.tv/t/plexamp-release-notes/221280/80";
    license = licenses.unfree;
    maintainers = with maintainers; [
      killercup
--- a/pkgs/applications/audio/qpwgraph/default.nix
+++ b/pkgs/applications/audio/qpwgraph/default.nix
@@ -14,14 +14,14 @@

 stdenv.mkDerivation (finalAttrs: {
  pname = "qpwgraph";
-  version = "0.9.0";
+  version = "0.9.2";

  src = fetchFromGitLab {
    domain = "gitlab.freedesktop.org";
    owner = "rncbc";
    repo = "qpwgraph";
    rev = "v${finalAttrs.version}";
-    sha256 = "sha256-KNYP/290UdgjuduOnRfI71VSHIuO+7kTeCJo+Qs8Nks=";
+    sha256 = "sha256-SCco66Czu8dW7iSSX/exhIlOXS+ayCwGUuCfJuUCRjM=";
  };

  nativeBuildInputs = [
--- a/pkgs/applications/audio/vorbis-tools/default.nix
+++ b/pkgs/applications/audio/vorbis-tools/default.nix
@@ -22,13 +22,6 @@ stdenv.mkDerivation rec {
    hash = "sha256-of493Gd3vc6/a3l+ft/gQ3lUskdW/8yMa4FrY+BGDd4=";
  };

-  # ld64 on darwin doesn't support nested archives and as the nested lib
-  # (libbase64.a) is not required to build so leave it out
-  postPatch = lib.optionalString stdenv.hostPlatform.isDarwin ''
-    substituteInPlace share/Makefile.am \
-      --replace-fail libpicture_a_LIBADD '#libpicture_a_LIBADD'
-  '';
-
  nativeBuildInputs = [
    autoreconfHook
    pkg-config
--- a/pkgs/applications/editors/geany/with-vte.nix
+++ b/pkgs/applications/editors/geany/with-vte.nix
@@ -24,5 +24,15 @@ symlinkJoin {
      --prefix LD_LIBRARY_PATH : ${vte}/lib
  '';

-  inherit (geany.meta) ;
+  meta = {
+    inherit (geany.meta)
+      description
+      longDescription
+      homepage
+      license
+      maintainers
+      platforms
+      mainProgram
+      ;
+  };
 }
--- a/pkgs/applications/editors/leo-editor/default.nix
+++ b/pkgs/applications/editors/leo-editor/default.nix
@@ -99,7 +99,7 @@ mkDerivation rec {
  '';

  meta = with lib; {
-    homepage = "http://leoeditor.com";
+    homepage = "https://leo-editor.github.io/leo-editor/";
    description = "A powerful folding editor";
    longDescription = "Leo is a PIM, IDE and outliner that accelerates the work flow of programmers, authors and web designers.";
    license = licenses.mit;
--- a/pkgs/applications/graphics/yacreader/darwin-unarr-use-pkg-config.patch
+++ b/pkgs/applications/graphics/yacreader/darwin-unarr-use-pkg-config.patch
@@ -0,0 +1,13 @@
+diff --git a/compressed_archive/unarr/unarr-wrapper.pri b/compressed_archive/unarr/unarr-wrapper.pri
+index 0115267..5d3d6f5 100644
+--- a/compressed_archive/unarr/unarr-wrapper.pri
+++ b/compressed_archive/unarr/unarr-wrapper.pri
+@@ -6,7 +6,7 @@ HEADERS += $$PWD/extract_delegate.h \
+ 
+ SOURCES += $$PWD/compressed_archive.cpp
+ 
+-if(mingw|unix):!macx:!contains(QT_CONFIG, no-pkg-config):packagesExist(libunarr) {
+if(mingw|unix):!contains(QT_CONFIG, no-pkg-config):packagesExist(libunarr) {
+   message(Using system provided unarr installation found by pkg-config.)
+   CONFIG += link_pkgconfig
+   PKGCONFIG += libunarr
--- a/pkgs/applications/graphics/yacreader/default.nix
+++ b/pkgs/applications/graphics/yacreader/default.nix
@@ -2,11 +2,10 @@
  lib,
  stdenv,
  fetchFromGitHub,
-  libsForQt5,
-  poppler,
-  pkg-config,
-  libunarr,
  libGLU,
+  libunarr,
+  libsForQt5,
+  pkg-config,
 }:

 stdenv.mkDerivation rec {
@@ -15,28 +14,63 @@ stdenv.mkDerivation rec {

  src = fetchFromGitHub {
    owner = "YACReader";
-    repo = pname;
-    rev = version;
-    sha256 = "sha256-5vCjr8WRwa7Q/84Itgg07K1CJKGnWA1z53et2IxxReE=";
+    repo = "yacreader";
+    tag = version;
+    hash = "sha256-5vCjr8WRwa7Q/84Itgg07K1CJKGnWA1z53et2IxxReE=";
  };

+  patches = [
+    # make the unarr backend logic use pkg-config even on Darwin
+    ./darwin-unarr-use-pkg-config.patch
+  ];
+
+  qmakeFlags = [
+    # force unarr backend on all platforms
+    "CONFIG+=unarr"
+  ];
+
  nativeBuildInputs = [
    libsForQt5.qmake
-    pkg-config
+    libsForQt5.qttools # for translations
    libsForQt5.wrapQtAppsHook
+    pkg-config
  ];
-  buildInputs = [
-    libunarr
-    libGLU
-    libsForQt5.poppler
-    libsForQt5.qtmultimedia
-    libsForQt5.qtscript
-  ];
-  propagatedBuildInputs = [
-    libsForQt5.qtquickcontrols2
-    libsForQt5.qtgraphicaleffects
-    libsForQt5.qtdeclarative
-  ];
+
+  buildInputs =
+    [
+      libGLU
+      libsForQt5.poppler
+      libsForQt5.qtgraphicaleffects # imported, but not declared as a dependency
+      libsForQt5.qtmultimedia
+      libsForQt5.qtquickcontrols2
+      libunarr
+    ]
+    ++ lib.optionals stdenv.hostPlatform.isDarwin [
+      libsForQt5.qtmacextras # can be removed when using qt6
+    ];
+
+  # custom Darwin install instructions taken from the upsteam compileOSX.sh script
+  installPhase = lib.optionalString stdenv.hostPlatform.isDarwin ''
+    runHook preInstall
+
+    mkdir -p "$out"/Applications
+
+    cp -r YACReader/YACReader.app "$out"/Applications/
+    cp -r YACReaderLibrary/YACReaderLibrary.app "$out"/Applications/
+    cp -r YACReaderLibraryServer/YACReaderLibraryServer.app "$out"/Applications/
+
+    cp -r release/server "$out"/Applications/YACReaderLibrary.app/Contents/MacOS/
+    cp -r release/server "$out"/Applications/YACReaderLibraryServer.app/Contents/MacOS/
+    cp -r release/languages "$out"/Applications/YACReader.app/Contents/MacOS/
+    cp -r release/languages "$out"/Applications/YACReaderLibrary.app/Contents/MacOS/
+    cp -r release/languages "$out"/Applications/YACReaderLibraryServer.app/Contents/MacOS/
+
+    makeWrapper "$out"/Applications/YACReader.app/Contents/MacOS/YACReader "$out/bin/YACReader"
+    makeWrapper "$out"/Applications/YACReaderLibrary.app/Contents/MacOS/YACReaderLibrary "$out/bin/YACReaderLibrary"
+    makeWrapper "$out"/Applications/YACReaderLibraryServer.app/Contents/MacOS/YACReaderLibraryServer "$out/bin/YACReaderLibraryServer"
+
+    runHook postInstall
+  '';

  meta = {
    description = "Comic reader for cross-platform reading and managing your digital comic collection";
--- a/pkgs/applications/misc/lutris/default.nix
+++ b/pkgs/applications/misc/lutris/default.nix
@@ -6,6 +6,7 @@
  # build inputs
  atk,
  file,
+  glib,
  gdk-pixbuf,
  glib-networking,
  gnome-desktop,
@@ -16,6 +17,8 @@
  pango,
  webkitgtk_4_1,
  wrapGAppsHook3,
+  meson,
+  ninja,

  # check inputs
  xvfb-run,
@@ -45,11 +48,15 @@
  pulseaudio,
  p7zip,
  xgamma,
+  gettext,
  libstrangle,
  fluidsynth,
  xorgserver,
  xorg,
  util-linux,
+  pkg-config,
+  desktop-file-utils,
+  appstream-glib,
 }:

 let
@@ -83,9 +90,18 @@ buildPythonApplication rec {
    hash = "sha256-CAXKnx5+60MITRM8enkYgFl5ZKM6HCXhCYNyG7kHhuQ=";
  };

+  format = "other";
+
  nativeBuildInputs = [
-    wrapGAppsHook3
+    appstream-glib
+    desktop-file-utils
+    gettext
+    glib
    gobject-introspection
+    meson
+    ninja
+    wrapGAppsHook3
+    pkg-config
  ];
  buildInputs =
    [
@@ -128,20 +144,6 @@ buildPythonApplication rec {
      --replace '"libmagic.so.1"' "'${lib.getLib file}/lib/libmagic.so.1'"
  '';

-  nativeCheckInputs = [
-    xvfb-run
-    nose2
-    flake8
-  ] ++ requiredTools;
-  checkPhase = ''
-    runHook preCheck
-
-    export HOME=$PWD
-    xvfb-run -s '-screen 0 800x600x24' make test
-
-    runHook postCheck
-  '';
-
  # avoid double wrapping
  dontWrapGApps = true;
  makeWrapperArgs = [
--- a/pkgs/applications/misc/organicmaps/default.nix
+++ b/pkgs/applications/misc/organicmaps/default.nix
@@ -19,6 +19,7 @@
  icu,
  freetype,
  pugixml,
+  xorg,
  nix-update-script,
 }:

@@ -32,13 +33,13 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
  pname = "organicmaps";
-  version = "2025.03.02-7";
+  version = "2025.05.20-5";

  src = fetchFromGitHub {
    owner = "organicmaps";
    repo = "organicmaps";
    tag = "${finalAttrs.version}-android";
-    hash = "sha256-5WX+YDgu8Ll5+rZWWxfbNW0pBFz+2XWkw/ahM14Ml08=";
+    hash = "sha256-cqcFI5cXREOeHusPkXsMwdCopzpea50mZQ/+ogLlemk=";
    fetchSubmodules = true;
  };

@@ -78,6 +79,9 @@ stdenv.mkDerivation (finalAttrs: {
    icu
    freetype
    pugixml
+    xorg.libXrandr
+    xorg.libXinerama
+    xorg.libXcursor
  ];

  # Yes, this is PRE configure. The configure phase uses cmake
@@ -94,14 +98,14 @@ stdenv.mkDerivation (finalAttrs: {
    };
  };

-  meta = with lib; {
+  meta = {
    # darwin: "invalid application of 'sizeof' to a function type"
    broken = stdenv.hostPlatform.isDarwin;
    homepage = "https://organicmaps.app/";
    description = "Detailed Offline Maps for Travellers, Tourists, Hikers and Cyclists";
-    license = licenses.asl20;
-    maintainers = with maintainers; [ fgaz ];
-    platforms = platforms.all;
+    license = lib.licenses.asl20;
+    maintainers = with lib.maintainers; [ fgaz ];
+    platforms = lib.platforms.all;
    mainProgram = "OMaps";
  };
 })
--- a/pkgs/applications/networking/browsers/firefox-bin/release_sources.nix
+++ b/pkgs/applications/networking/browsers/firefox-bin/release_sources.nix
--- a/pkgs/applications/networking/browsers/firefox/common.nix
+++ b/pkgs/applications/networking/browsers/firefox/common.nix
@@ -76,7 +76,7 @@ in
  gnum4,
  gtk3,
  icu73,
-  icu77,
+  icu77, # if you fiddle with the icu parameters, please check Thunderbird's overrides
  libGL,
  libGLU,
  libevent,
--- a/pkgs/applications/networking/browsers/firefox/packages/firefox-esr-128.nix
+++ b/pkgs/applications/networking/browsers/firefox/packages/firefox-esr-128.nix
@@ -9,11 +9,11 @@

 buildMozillaMach rec {
  pname = "firefox";
-  version = "128.10.0esr";
+  version = "128.10.1esr";
  applicationName = "Firefox ESR";
  src = fetchurl {
    url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-    sha512 = "c0f349cba626e6ec16ff0b52b7d21e05681acd1377fd1111992860f8079373f631ff997d833a3596c72a6d8c6e4f1d051927fa719f1d37a72553dcbd5348659c";
+    sha512 = "6e7363d8cbecda1cedaf534ac10dc046b5f515399ec754492357e8a558c61ee3389f7bb90aa929dbcb4d6eba041ae1e778a0a8f90aa1e1f939eea517333b6c45";
  };

  meta = {
--- a/pkgs/applications/networking/browsers/firefox/packages/firefox.nix
+++ b/pkgs/applications/networking/browsers/firefox/packages/firefox.nix
@@ -9,10 +9,10 @@

 buildMozillaMach rec {
  pname = "firefox";
-  version = "138.0.3";
+  version = "138.0.4";
  src = fetchurl {
    url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-    sha512 = "0f1c8ee05bec465b55429c18d788856574c5b2e31d911f15f76d31c00de84d8b8681961799c4101cd1540bd228afd201a4b59fd7c9a88918695040965b9dc0f1";
+    sha512 = "64d80456da8df27d7eeed7eb20c35fcf213bc948eb48739b6101e2c476ea9a9133da928477a79683c96c160f8d53bed52be487f01a8d29e38d39071f12676806";
  };

  meta = {
--- a/pkgs/applications/networking/browsers/floorp/default.nix
+++ b/pkgs/applications/networking/browsers/floorp/default.nix
@@ -9,7 +9,7 @@
 (
  (buildMozillaMach rec {
    pname = "floorp";
-    packageVersion = "11.26.1";
+    packageVersion = "11.26.2";
    applicationName = "Floorp";
    binaryName = "floorp";
    branding = "browser/branding/official";
@@ -17,14 +17,14 @@
    allowAddonSideload = true;

    # Must match the contents of `browser/config/version.txt` in the source tree
-    version = "128.10.0";
+    version = "128.11.0";

    src = fetchFromGitHub {
      owner = "Floorp-Projects";
      repo = "Floorp";
      fetchSubmodules = true;
      rev = "v${packageVersion}";
-      hash = "sha256-WX7I81Rjv/6+L+HCN6j/HvLOPJk0vyiLpUmxoK+FDn8=";
+      hash = "sha256-tbdEiCFwMkeBB5n82TycyZ0wwE2+cCgLmjROl9kTHS8=";
    };

    extraConfigureFlags = [
--- a/pkgs/applications/networking/browsers/librewolf/src.json
+++ b/pkgs/applications/networking/browsers/librewolf/src.json
@@ -1,11 +1,11 @@
 {
-  "packageVersion": "138.0.1-2",
+  "packageVersion": "138.0.4-1",
  "source": {
-    "rev": "138.0.1-2",
-    "hash": "sha256-H4GvKTrx0+GdUFOjW+E53VwZcZnrrBiXiMvR6aCEKDE="
+    "rev": "138.0.4-1",
+    "hash": "sha256-KR8ZiueaEOXt2dw8T6ZvrQURV49Xu4cYe0XE8tEUmbw="
  },
  "firefox": {
-    "version": "138.0.1",
-    "hash": "sha512-vFqNZYFAxMPbKdURNMlxBaAiVWfVzhR1f2lZQGa/akShPgYmzr3it6B4usEooUaQ7gYIPQMG13id4qXp2DlLIw=="
+    "version": "138.0.4",
+    "hash": "sha512-ZNgEVtqN8n1+7tfrIMNfzyE7yUjrSHObYQHixHbqmpEz2pKEd6eWg8lsFg+NU77VK+SH8BqNKeONOQcfEmdoBg=="
  }
 }
--- a/pkgs/applications/networking/browsers/vivaldi/default.nix
+++ b/pkgs/applications/networking/browsers/vivaldi/default.nix
@@ -71,7 +71,7 @@ let
 in
 stdenv.mkDerivation rec {
  pname = "vivaldi";
-  version = "7.3.3635.11";
+  version = "7.3.3635.12";

  suffix =
    {
@@ -84,8 +84,8 @@ stdenv.mkDerivation rec {
    url = "https://downloads.vivaldi.com/${branch}/vivaldi-${branch}_${version}-1_${suffix}.deb";
    hash =
      {
-        aarch64-linux = "sha256-w1/wWP3lZUQ5tBvv6XOCkoR1OCoByURBEvaaemsY19U=";
-        x86_64-linux = "sha256-kJNFPXiZekjofGtKFbGc85c8yQymhntkCBuhylwQBpE=";
+        aarch64-linux = "sha256-Gplg0QD7DcibaOv1Q8RUnefACZdNnM8yKYYiP1dpY58=";
+        x86_64-linux = "sha256-qcV4n9/nAbb0Gw8azorDSjpjy4cXe2XlR94WwuwUEyc=";
      }
      .${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
  };
--- a/pkgs/applications/networking/cluster/helmfile/default.nix
+++ b/pkgs/applications/networking/cluster/helmfile/default.nix
@@ -9,16 +9,16 @@

 buildGoModule rec {
  pname = "helmfile";
-  version = "1.0.0";
+  version = "1.1.0";

  src = fetchFromGitHub {
    owner = "helmfile";
    repo = "helmfile";
    rev = "v${version}";
-    hash = "sha256-JvjReRKFTwKku7DXjS8zq/KFdbPU9B9EccYUmTMLV6E=";
+    hash = "sha256-xLVUyzRl6Q9GJOoYJCo1pbYxheVjEvnQIa4BMJVR9PY=";
  };

-  vendorHash = "sha256-SWvRnoqxNJMRdAomvkIxGOdyeqVWblM9LaQ4wF2g6ms=";
+  vendorHash = "sha256-biFRdHnOvxd2hgTGPotZtlmbyqNrkW8f158kjAuLkuA=";

  proxyVendor = true; # darwin/linux hash mismatch

--- a/pkgs/applications/networking/cluster/k3s/builder.nix
+++ b/pkgs/applications/networking/cluster/k3s/builder.nix
@@ -41,6 +41,7 @@ lib:
  ethtool,
  fetchFromGitHub,
  fetchgit,
+  fetchpatch,
  fetchurl,
  fetchzip,
  findutils,
@@ -69,7 +70,7 @@ lib:
  sqlite,
  stdenv,
  systemd,
-  util-linux,
+  util-linuxMinimal,
  yq-go,
  zstd,
 }:
@@ -331,6 +332,17 @@ let
      ldflags = versionldflags;
    }).overrideAttrs
      overrideContainerdAttrs;
+
+  # TODO (#405952): remove this patch. We had to add it to avoid a mass rebuild
+  # for the 25.05 release. Once the above PR is merged, switch back to plain util-linuxMinimal.
+  k3sUtilLinux = util-linuxMinimal.overrideAttrs (prev: {
+    patches =
+      prev.patches or [ ]
+      ++ lib.singleton (fetchpatch {
+        url = "https://github.com/util-linux/util-linux/commit/7dbfe31a83f45d5aef2b508697e9511c569ffbc8.patch";
+        hash = "sha256-bJqpZiPli5Pm/XpDA445Ab5jesXrlcnaO6e4V0B3rSw=";
+      });
+  });
 in
 buildGoModule rec {
  pname = "k3s";
@@ -377,7 +389,7 @@ buildGoModule rec {
    ipset
    bridge-utils
    ethtool
-    util-linux # kubelet wants 'nsenter' from util-linux: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-705994388
+    k3sUtilLinux # kubelet wants 'nsenter' and 'mount' from util-linux: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-705994388
    conntrack-tools
    runc
    bash
--- a/pkgs/applications/networking/instant-messengers/discord/default.nix
+++ b/pkgs/applications/networking/instant-messengers/discord/default.nix
@@ -10,16 +10,16 @@ let
    if stdenv.hostPlatform.isLinux then
      {
        stable = "0.0.94";
-        ptb = "0.0.141";
-        canary = "0.0.668";
-        development = "0.0.74";
+        ptb = "0.0.143";
+        canary = "0.0.678";
+        development = "0.0.75";
      }
    else
      {
-        stable = "0.0.344";
-        ptb = "0.0.171";
-        canary = "0.0.774";
-        development = "0.0.87";
+        stable = "0.0.345";
+        ptb = "0.0.173";
+        canary = "0.0.784";
+        development = "0.0.88";
      };
  version = versions.${branch};
  srcs = rec {
@@ -30,33 +30,33 @@ let
      };
      ptb = fetchurl {
        url = "https://ptb.dl2.discordapp.net/apps/linux/${version}/discord-ptb-${version}.tar.gz";
-        hash = "sha256-0teCE1yQLikK2MkyT8rQL1riaE9i/YGbCXw37RaRB3I=";
+        hash = "sha256-Ki6+o+8/yQjc6kxKS7Re2gBbpfMi3m02L69muqsNm04=";
      };
      canary = fetchurl {
        url = "https://canary.dl2.discordapp.net/apps/linux/${version}/discord-canary-${version}.tar.gz";
-        hash = "sha256-1nY/g0g5C/xETO6mjaPRjjOHtVJrfcfRemAXH1KedGE=";
+        hash = "sha256-Z+pTuR5xZfbmucdx9aBti5diNp5oCpP1mu60mq7oPB8=";
      };
      development = fetchurl {
        url = "https://development.dl2.discordapp.net/apps/linux/${version}/discord-development-${version}.tar.gz";
-        hash = "sha256-tF3Evi9SiGuBWJa+O9O6TpSJXiBgioZe6nmdjwcahwY=";
+        hash = "sha256-wxbmdEzJu66CqJ87cdOKH5fhWKFvD/FBaeJVFxRCvlQ=";
      };
    };
    x86_64-darwin = {
      stable = fetchurl {
        url = "https://stable.dl2.discordapp.net/apps/osx/${version}/Discord.dmg";
-        hash = "sha256-uKP7XSlDkK88mBUfI6Oq7PYlWqi933A99c1VqHf/ruE=";
+        hash = "sha256-uyMcHV8dbCwKFQWy/s77KfEHKc+NiAq1X9Q0ih1ELLk=";
      };
      ptb = fetchurl {
        url = "https://ptb.dl2.discordapp.net/apps/osx/${version}/DiscordPTB.dmg";
-        hash = "sha256-TMd586LFm8B0TxxlM50MaeAtsWLuV1nlCHyYYb0sBOo=";
+        hash = "sha256-Fmh3EGjF3Xb2Vv39WEchrseo2t+4y1k+nLdb43GhJXI=";
      };
      canary = fetchurl {
        url = "https://canary.dl2.discordapp.net/apps/osx/${version}/DiscordCanary.dmg";
-        hash = "sha256-1/1cPuz/nkxEosFNsJ557f7WiJhnOv9cFTbpSKjNtJY=";
+        hash = "sha256-N3OdQZiLpkkaxr4yTfszHPj9/zfeVlUup5r2GB8OCMg=";
      };
      development = fetchurl {
        url = "https://development.dl2.discordapp.net/apps/osx/${version}/DiscordDevelopment.dmg";
-        hash = "sha256-XPHAVJjEOx+2qv+xxOCbVutrbZdPLvoTUMvRDK4nEL8=";
+        hash = "sha256-vjpbLg1YIXOSCwnuMwlXo7Sj8B28i812lJ3yV2NLMrE=";
      };
    };
    aarch64-darwin = x86_64-darwin;
--- a/pkgs/applications/networking/instant-messengers/pidgin/pidgin-plugins/default.nix
+++ b/pkgs/applications/networking/instant-messengers/pidgin/pidgin-plugins/default.nix
@@ -63,8 +63,6 @@ lib.makeScope newScope (

    purple-plugin-pack = callPackage ./purple-plugin-pack { };

-    purple-signald = callPackage ./purple-signald { };
-
    purple-slack = callPackage ./purple-slack { };

    purple-vk-plugin = callPackage ./purple-vk-plugin { };
--- a/pkgs/applications/networking/instant-messengers/pidgin/pidgin-plugins/purple-signald/default.nix
+++ b/pkgs/applications/networking/instant-messengers/pidgin/pidgin-plugins/purple-signald/default.nix
@@ -1,39 +0,0 @@
-{
-  lib,
-  stdenv,
-  fetchFromGitHub,
-  pidgin,
-  json-glib,
-  signald,
-}:
-
-stdenv.mkDerivation rec {
-  pname = "purple-signald";
-  version = "0.11.0";
-
-  src = fetchFromGitHub {
-    owner = "hoehermann";
-    repo = "libpurple-signald";
-    rev = "v${version}";
-    hash = "sha256-2LiHjVRBwdPbfravIVM+gvsh3Gq4bhjtRD6eWAbkWmc=";
-    fetchSubmodules = true;
-  };
-
-  buildInputs = [
-    pidgin
-    json-glib
-    signald
-  ];
-
-  PKG_CONFIG_PURPLE_PLUGINDIR = "${placeholder "out"}/lib/purple-2";
-  PKG_CONFIG_PURPLE_DATADIR = "${placeholder "out"}/share";
-  PKG_CONFIG_PIDGIN_DATADIR = "${placeholder "out"}/share";
-
-  meta = with lib; {
-    homepage = "https://github.com/hoehermann/libpurple-signald";
-    description = "Signal support for Pidgin / libpurple";
-    license = licenses.gpl3Only;
-    platforms = platforms.linux;
-    maintainers = with maintainers; [ hufman ];
-  };
-}
--- a/pkgs/applications/networking/mailreaders/thunderbird-bin/release_esr_sources.nix
+++ b/pkgs/applications/networking/mailreaders/thunderbird-bin/release_esr_sources.nix
--- a/pkgs/applications/networking/mailreaders/thunderbird-bin/release_sources.nix
+++ b/pkgs/applications/networking/mailreaders/thunderbird-bin/release_sources.nix
--- a/pkgs/applications/networking/mailreaders/thunderbird/packages.nix
+++ b/pkgs/applications/networking/mailreaders/thunderbird/packages.nix
@@ -5,23 +5,28 @@
  callPackage,
  fetchurl,
  icu73,
+  icu77,
  fetchpatch2,
  config,
 }:

 let
-  icu73' = icu73.overrideAttrs (attrs: {
-    # standardize vtzone output
-    # Work around ICU-22132 https://unicode-org.atlassian.net/browse/ICU-22132
-    # https://bugzilla.mozilla.org/show_bug.cgi?id=1790071
-    patches = attrs.patches ++ [
-      (fetchpatch2 {
-        url = "https://hg.mozilla.org/mozilla-central/raw-file/fb8582f80c558000436922fb37572adcd4efeafc/intl/icu-patches/bug-1790071-ICU-22132-standardize-vtzone-output.diff";
-        stripLen = 3;
-        hash = "sha256-MGNnWix+kDNtLuACrrONDNcFxzjlUcLhesxwVZFzPAM=";
-      })
-    ];
-  });
+  patchICU =
+    icu:
+    icu.overrideAttrs (attrs: {
+      # standardize vtzone output
+      # Work around ICU-22132 https://unicode-org.atlassian.net/browse/ICU-22132
+      # https://bugzilla.mozilla.org/show_bug.cgi?id=1790071
+      patches = attrs.patches ++ [
+        (fetchpatch2 {
+          url = "https://hg.mozilla.org/mozilla-central/raw-file/fb8582f80c558000436922fb37572adcd4efeafc/intl/icu-patches/bug-1790071-ICU-22132-standardize-vtzone-output.diff";
+          stripLen = 3;
+          hash = "sha256-MGNnWix+kDNtLuACrrONDNcFxzjlUcLhesxwVZFzPAM=";
+        })
+      ];
+    });
+  icu73' = patchICU icu73;
+  icu77' = patchICU icu77;

  common =
    {
@@ -52,6 +57,7 @@ let

      extraPassthru = {
        icu73 = icu73';
+        icu77 = icu77';
      };

      meta = with lib; {
@@ -78,6 +84,7 @@ let
        pgoSupport = false; # console.warn: feeds: "downloadFeed: network connection unavailable"

        icu73 = icu73';
+        icu77 = icu77';
      };

 in
@@ -85,8 +92,8 @@ rec {
  thunderbird = thunderbird-latest;

  thunderbird-latest = common {
-    version = "138.0";
-    sha512 = "923d76cf0a14f29146e5dcfc75dd9522d465512f6c604de6e0acc0812d4240331c170913a821fc0aa03d5945019577f996053498c9a7c691b21a2678a622ac02";
+    version = "138.0.1";
+    sha512 = "2e71ee537292ec1a49237e93c43ed4c1a9eae58becfc7fa9ca0daf1e982c38704cb6d44e92b1bf7b45c5b8c27b23eb3aa7f48b375580f49ee60884dadc5d85b5";

    updateScript = callPackage ./update.nix {
      attrPath = "thunderbirdPackages.thunderbird-latest";
@@ -99,8 +106,8 @@ rec {
  thunderbird-128 = common {
    applicationName = "Thunderbird ESR";

-    version = "128.10.0esr";
-    sha512 = "b02582ea4fa0297a06d30eda1555bbf3ed79ae7a35a8993f2a70b0ec84af28a4d084cd7ebe1c73676e689ff9366e779cc5ef67a197638949bf232a40b740d1b6";
+    version = "128.10.1esr";
+    sha512 = "09b54450928c6e0d948cd79a56c28bdb5fe5a81d7c710470a1ec195dd295c433b872682102c74930f19b1184391c30115293dadcd7dc8a08ae8baeb12770ef9c";

    updateScript = callPackage ./update.nix {
      attrPath = "thunderbirdPackages.thunderbird-128";
--- a/pkgs/applications/networking/mumble/default.nix
+++ b/pkgs/applications/networking/mumble/default.nix
@@ -62,6 +62,7 @@ let
        cmakeFlags = [
          "-D g15=OFF"
          "-D CMAKE_CXX_STANDARD=17" # protobuf >22 requires C++ 17
+          "-D BUILD_NUMBER=${lib.versions.patch source.version}"
        ] ++ (overrides.configureFlags or [ ]);

        preConfigure = ''
--- a/Show More
+++ b/Show More