Release NixOS 23.11

(cherry picked from commit 04220ed676)

.editorconfig

@@ -17,10 +17,6 @@ end_of_line = unset
 insert_final_newline = unset
 trim_trailing_whitespace = unset
 
-# We want readFile .version to return the version without a newline.
-[.version]
-insert_final_newline = false
-
 # see https://nixos.org/nixpkgs/manual/#chap-conventions
 
 # Match json/lockfiles/markdown/nix/perl/python/ruby/shell/docbook files, set indent to spaces
@@ -94,9 +90,6 @@ insert_final_newline = unset
 indent_style = unset
 trim_trailing_whitespace = unset
 
-[pkgs/misc/documentation-highlighter/**]
-insert_final_newline = unset
-
 [pkgs/servers/dict/wordnet_structures.py]
 trim_trailing_whitespace = unset
 
@@ -112,7 +105,3 @@ charset = unset
 [lib/tests/*.plist]
 indent_style = tab
 insert_final_newline = unset
-
-[pkgs/kde/generated/**]
-insert_final_newline = unset
-end_of_line = unset

.git-blame-ignore-revs

@@ -96,63 +96,3 @@ fb0e5be84331188a69b3edd31679ca6576edb75a
 
 # nixos/*: add trivial defaultText for options with simple defaults
 25124556397ba17bfd70297000270de1e6523b0a
-
-# systemd: rewrite comments
-92dfeb7b3dab820ae307c56c216d175c69ee93cd
-
-# systemd: break too long lines of Nix code
-67643f8ec84bef1482204709073e417c9f07eb87
-
-# {pkgs/development/cuda-modules,pkgs/test/cuda,pkgs/top-level/cuda-packages.nix}: reformat all CUDA files with nixfmt-rfc-style 2023-03-01
-802a1b4d3338f24cbc4efd704616654456d75a94
-
-# postgresql: move packages.nix to ext/default.nix
-719034f6f6749d624faa28dff259309fc0e3e730
-
-# php ecosystem: reformat with nixfmt-rfc-style
-75ae7621330ff8db944ce4dff4374e182d5d151f
-c759efa5e7f825913f9a69ef20f025f50f56dc4d
-
-# pkgs/os-specific/bsd: Reformat with nixfmt-rfc-style 2024-03-01
-3fe3b055adfc020e6a923c466b6bcd978a13069a
-
-# k3s: format with nixfmt-rfc-style
-6cfcd3c75428ede517bc6b15a353d704837a2830
-
-# python3Packages: format with nixfmt
-59b1aef59071cae6e87859dc65de973d2cc595c0
-
-# treewide description changes (#317959)
-bf995e3641950f4183c1dd9010349263dfa0123b
-755b915a158c9d588f08e9b08da9f7f3422070cc
-f8c4a98e8e138e21353a2c33b90db3359f539b37
-
-# vscode-extensions.*: format with nixfmt (RFC 166)
-7bf9febfa6271012b1ef86647a3a06f06875fdcf
-
-# remove uses of mdDoc (#303841)
-1a24330f792c8625746d07d842290e6fd95ae6f9
-acd0e3898feb321cb9a71a0fd376f1157d0f4553
-1b28414d2886c57343864326dbb745a634d3e37d
-6afb255d976f85f3359e4929abd6f5149c323a02
-
-# azure-cli: move to by-name, nixfmt #325950
-96cd538b68bd1d0a0a37979356d669abbba32ebc
-
-# poptracker: format with nixfmt-rfc-style (#326697)
-ff5c8f6cc3d1f2e017e86d50965c14b71f00567b
-
-# mangal: format with nixfmt-rfc-style #328284
-3bb5e993cac3a6e1c3056d2bc9bf43eb2c7a5951
-
-# pico-sdk: switch to finalAttrs (#329438)
-8946018b0391ae594d167f1e58497b18de068968
-
-# ollama: format with nixfmt-rfc-style (#329353)
-bdfde18037f8d9f9b641a4016c8ada4dc4cbf856
-
-# nixos/ollama: format with nixfmt-rfc-style (#329561)
-246d1ee533810ac1946d863bbd9de9b525818d56
-
-# nixos/nvidia: apply nixfmt-rfc-style (#313440)
-fbdcdde04a7caa007e825a8b822c75fab9adb2d6

.github/CODEOWNERS

@@ -11,30 +11,22 @@
 # This also holds true for GitHub teams. Since almost none of our teams have write
 # permissions, you need to list all members of the team with commit access individually.
 
-# CI
+# GitHub actions
 /.github/workflows @NixOS/Security @Mic92 @zowoq
-/.github/workflows/check-nix-format.yml @infinisil
-/ci @infinisil @NixOS/Security
+/.github/workflows/merge-staging @FRidh
 
-# Develompent support
+# EditorConfig
 /.editorconfig @Mic92 @zowoq
-/shell.nix @infinisil @NixOS/Security
 
 # Libraries
 /lib                        @infinisil
-/lib/systems                @alyssais @ericson2314
+/lib/systems                @alyssais @ericson2314 @amjoseph-nixpkgs
 /lib/generators.nix         @infinisil @Profpatsch
 /lib/cli.nix                @infinisil @Profpatsch
 /lib/debug.nix              @infinisil @Profpatsch
 /lib/asserts.nix            @infinisil @Profpatsch
-/lib/path.*                 @infinisil
+/lib/path.*                 @infinisil @fricklerhandwerk
 /lib/fileset                @infinisil
-## Libraries / Module system
-/lib/modules.nix            @infinisil @roberth
-/lib/types.nix              @infinisil @roberth
-/lib/options.nix            @infinisil @roberth
-/lib/tests/modules.sh       @infinisil @roberth
-/lib/tests/modules          @infinisil @roberth
 
 # Nixpkgs Internals
 /default.nix                                     @Ericson2314
@@ -43,21 +35,20 @@
 /pkgs/top-level/stage.nix                        @Ericson2314
 /pkgs/top-level/splice.nix                       @Ericson2314
 /pkgs/top-level/release-cross.nix                @Ericson2314
-/pkgs/stdenv/generic                             @Ericson2314
-/pkgs/stdenv/generic/check-meta.nix              @Ericson2314
-/pkgs/stdenv/cross                               @Ericson2314
-/pkgs/build-support/cc-wrapper                   @Ericson2314
+/pkgs/stdenv/generic                             @Ericson2314 @amjoseph-nixpkgs
+/pkgs/stdenv/generic/check-meta.nix              @Ericson2314 @piegamesde
+/pkgs/stdenv/cross                               @Ericson2314 @amjoseph-nixpkgs
+/pkgs/build-support/cc-wrapper                   @Ericson2314 @amjoseph-nixpkgs
 /pkgs/build-support/bintools-wrapper             @Ericson2314
 /pkgs/build-support/setup-hooks                  @Ericson2314
 /pkgs/build-support/setup-hooks/auto-patchelf.sh @layus
 /pkgs/build-support/setup-hooks/auto-patchelf.py @layus
 /pkgs/pkgs-lib                                   @infinisil
 ## Format generators/serializers
-/pkgs/pkgs-lib/formats/libconfig                 @h7x4
-/pkgs/pkgs-lib/formats/hocon                     @h7x4
+/pkgs/pkgs-lib/formats/libconfig                 @ckiee
 
 # pkgs/by-name
-/pkgs/test/check-by-name @infinisil
+/pkgs/test/nixpkgs-check-by-name @infinisil
 /pkgs/by-name/README.md @infinisil
 /pkgs/top-level/by-name-overlay.nix @infinisil
 /.github/workflows/check-by-name.yml @infinisil
@@ -69,13 +60,6 @@
 /doc/build-helpers/images/makediskimage.section.md  @raitobezarius
 /nixos/lib/make-disk-image.nix                 @raitobezarius
 
-# Nix, the package manager
-# @raitobezarius is not "code owner", but is listed here to be notified of changes
-# pertaining to the Nix package manager.
-# i.e. no authority over those files.
-pkgs/tools/package-management/nix/                    @raitobezarius
-nixos/modules/installer/tools/nix-fallback-paths.nix  @raitobezarius
-
 # Nixpkgs documentation
 /maintainers/scripts/db-to-md.sh @jtojnar @ryantm
 /maintainers/scripts/doc @jtojnar @ryantm
@@ -83,8 +67,8 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @raitobezarius
 # Contributor documentation
 /CONTRIBUTING.md @infinisil
 /.github/PULL_REQUEST_TEMPLATE.md @infinisil
-/doc/contributing/ @infinisil
-/doc/contributing/contributing-to-documentation.chapter.md @jtojnar @infinisil
+/doc/contributing/ @fricklerhandwerk @infinisil
+/doc/contributing/contributing-to-documentation.chapter.md @jtojnar @fricklerhandwerk @infinisil
 /lib/README.md @infinisil
 /doc/README.md @infinisil
 /nixos/README.md @infinisil
@@ -99,6 +83,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @raitobezarius
 /nixos/default.nix                                    @infinisil
 /nixos/lib/from-env.nix                               @infinisil
 /nixos/lib/eval-config.nix                            @infinisil
+/nixos/modules/system                                 @dasJ
 /nixos/modules/system/activation/bootspec.nix         @grahamc @cole-h @raitobezarius
 /nixos/modules/system/activation/bootspec.cue         @grahamc @cole-h @raitobezarius
 
@@ -108,21 +93,15 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @raitobezarius
 # NixOS QEMU virtualisation
 /nixos/virtualisation/qemu-vm.nix           @raitobezarius
 
-# ACME
-/nixos/modules/security/acme                @arianvp @flokli @aanderse # no merge permission: @m1cr0man @emilazy
-
 # Systemd
 /nixos/modules/system/boot/systemd.nix      @NixOS/systemd
 /nixos/modules/system/boot/systemd          @NixOS/systemd
 /nixos/lib/systemd-*.nix                    @NixOS/systemd
 /pkgs/os-specific/linux/systemd             @NixOS/systemd
 
-# Systemd-boot
-/nixos/modules/system/boot/loader/systemd-boot      @JulienMalka
-
 # Images and installer media
-/nixos/modules/installer/cd-dvd/
-/nixos/modules/installer/sd-card/
+/nixos/modules/installer/cd-dvd/            @samueldr
+/nixos/modules/installer/sd-card/           @samueldr
 
 # Updaters
 ## update.nix
@@ -132,38 +111,41 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @raitobezarius
 /pkgs/common-updater/scripts/update-source-version    @jtojnar
 
 # Python-related code and docs
-/doc/languages-frameworks/python.section.md   @mweinelt @natsukium
-/maintainers/scripts/update-python-libraries            @natsukium
-/pkgs/development/interpreters/python                   @natsukium
-/pkgs/top-level/python-packages.nix                     @natsukium
-/pkgs/top-level/release-python.nix                      @natsukium
+/maintainers/scripts/update-python-libraries	              @FRidh
+/pkgs/development/interpreters/python                       @FRidh
+/doc/languages-frameworks/python.section.md                 @FRidh @mweinelt
+/pkgs/development/interpreters/python/hooks                 @FRidh @jonringer
 
 # Haskell
-/doc/languages-frameworks/haskell.section.md  @sternenseemann @maralorn @ncfavier
-/maintainers/scripts/haskell                  @sternenseemann @maralorn @ncfavier
-/pkgs/development/compilers/ghc               @sternenseemann @maralorn @ncfavier
-/pkgs/development/haskell-modules             @sternenseemann @maralorn @ncfavier
-/pkgs/test/haskell                            @sternenseemann @maralorn @ncfavier
-/pkgs/top-level/release-haskell.nix           @sternenseemann @maralorn @ncfavier
-/pkgs/top-level/haskell-packages.nix          @sternenseemann @maralorn @ncfavier
+/doc/languages-frameworks/haskell.section.md  @cdepillabout @sternenseemann @maralorn @ncfavier
+/maintainers/scripts/haskell                  @cdepillabout @sternenseemann @maralorn @ncfavier
+/pkgs/development/compilers/ghc               @cdepillabout @sternenseemann @maralorn @ncfavier
+/pkgs/development/haskell-modules             @cdepillabout @sternenseemann @maralorn @ncfavier
+/pkgs/test/haskell                            @cdepillabout @sternenseemann @maralorn @ncfavier
+/pkgs/top-level/release-haskell.nix           @cdepillabout @sternenseemann @maralorn @ncfavier
+/pkgs/top-level/haskell-packages.nix          @cdepillabout @sternenseemann @maralorn @ncfavier
 
 # Perl
-/pkgs/development/interpreters/perl @stigtsp @zakame @marcusramberg
-/pkgs/top-level/perl-packages.nix   @stigtsp @zakame @marcusramberg
-/pkgs/development/perl-modules      @stigtsp @zakame @marcusramberg
+/pkgs/development/interpreters/perl @stigtsp @zakame @dasJ
+/pkgs/top-level/perl-packages.nix   @stigtsp @zakame @dasJ
+/pkgs/development/perl-modules      @stigtsp @zakame @dasJ
 
 # R
 /pkgs/applications/science/math/R   @jbedo
 /pkgs/development/r-modules         @jbedo
 
+# Ruby
+/pkgs/development/interpreters/ruby @marsam
+/pkgs/development/ruby-modules      @marsam
+
 # Rust
 /pkgs/development/compilers/rust @Mic92 @zowoq @winterqt @figsoda
 /pkgs/build-support/rust @zowoq @winterqt @figsoda
 /doc/languages-frameworks/rust.section.md @zowoq @winterqt @figsoda
 
 # C compilers
-/pkgs/development/compilers/gcc
-/pkgs/development/compilers/llvm @RossComputerGuy
+/pkgs/development/compilers/gcc @amjoseph-nixpkgs
+/pkgs/development/compilers/llvm @RaitoBezarius
 /pkgs/development/compilers/emscripten @raitobezarius
 /doc/languages-frameworks/emscripten.section.md @raitobezarius
 
@@ -175,8 +157,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @raitobezarius
 
 # Browsers
 /pkgs/applications/networking/browsers/firefox @mweinelt
-/pkgs/applications/networking/browsers/chromium @emilylange
-/nixos/tests/chromium.nix @emilylange
 
 # Certificate Authorities
 pkgs/data/misc/cacert/ @ajs124 @lukegb @mweinelt
@@ -189,21 +169,14 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 # Licenses
 /lib/licenses.nix @alyssais
 
-# Qt
-/pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
-/pkgs/development/libraries/qt-6 @K900 @NickCao @SuperSandro2000 @ttuegel
-
-# KDE / Plasma 5
-/pkgs/applications/kde @K900 @NickCao @SuperSandro2000 @ttuegel
-/pkgs/desktops/plasma-5 @K900 @NickCao @SuperSandro2000 @ttuegel
-/pkgs/development/libraries/kde-frameworks @K900 @NickCao @SuperSandro2000 @ttuegel
-
-# KDE / Plasma 6
-/pkgs/kde @K900 @NickCao @SuperSandro2000 @ttuegel
-/maintainers/scripts/kde @K900 @NickCao @SuperSandro2000 @ttuegel
+# Qt / KDE
+/pkgs/applications/kde @ttuegel
+/pkgs/desktops/plasma-5 @ttuegel
+/pkgs/development/libraries/kde-frameworks @ttuegel
+/pkgs/development/libraries/qt-5 @ttuegel
 
 # PostgreSQL and related stuff
-/pkgs/servers/sql/postgresql @thoughtpolice
+/pkgs/servers/sql/postgresql @thoughtpolice @marsam
 /nixos/modules/services/databases/postgresql.xml @thoughtpolice
 /nixos/modules/services/databases/postgresql.nix @thoughtpolice
 /nixos/tests/postgresql.nix @thoughtpolice
@@ -268,22 +241,29 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/top-level/emacs-packages.nix              @adisbladis
 
 # Neovim
-/pkgs/applications/editors/neovim      @figsoda @teto
+/pkgs/applications/editors/neovim      @figsoda @jonringer @teto
 
 # VimPlugins
-/pkgs/applications/editors/vim/plugins         @figsoda
+/pkgs/applications/editors/vim/plugins         @figsoda @jonringer
 
 # VsCode Extensions
-/pkgs/applications/editors/vscode/extensions
+/pkgs/applications/editors/vscode/extensions   @jonringer
 
 # PHP interpreter, packages, extensions, tests and documentation
-/doc/languages-frameworks/php.section.md          @aanderse @drupol @globin @ma27 @talyz
-/nixos/tests/php                                  @aanderse @drupol @globin @ma27 @talyz
-/pkgs/build-support/php/build-pecl.nix            @aanderse @drupol @globin @ma27 @talyz
-/pkgs/build-support/php                                     @drupol
-/pkgs/development/interpreters/php       @jtojnar @aanderse @drupol @globin @ma27 @talyz
-/pkgs/development/php-packages                    @aanderse @drupol @globin @ma27 @talyz
-/pkgs/top-level/php-packages.nix         @jtojnar @aanderse @drupol @globin @ma27 @talyz
+/doc/languages-frameworks/php.section.md          @aanderse @drupol @etu @globin @ma27 @talyz
+/nixos/tests/php                                  @aanderse @drupol @etu @globin @ma27 @talyz
+/pkgs/build-support/php/build-pecl.nix            @aanderse @drupol @etu @globin @ma27 @talyz
+/pkgs/build-support/php                                     @drupol @etu
+/pkgs/development/interpreters/php       @jtojnar @aanderse @drupol @etu @globin @ma27 @talyz
+/pkgs/development/php-packages                    @aanderse @drupol @etu @globin @ma27 @talyz
+/pkgs/top-level/php-packages.nix         @jtojnar @aanderse @drupol @etu @globin @ma27 @talyz
+
+# Podman, CRI-O modules and related
+/nixos/modules/virtualisation/containers.nix @adisbladis
+/nixos/modules/virtualisation/cri-o.nix      @adisbladis
+/nixos/modules/virtualisation/podman         @adisbladis
+/nixos/tests/cri-o.nix                       @adisbladis
+/nixos/tests/podman                          @adisbladis
 
 # Docker tools
 /pkgs/build-support/docker                   @roberth
@@ -294,21 +274,17 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/applications/blockchains  @mmahut @RaghavSood
 
 # Go
-/doc/languages-frameworks/go.section.md @kalbasit @katexochen @Mic92 @zowoq
-/pkgs/build-support/go @kalbasit @katexochen @Mic92 @zowoq
-/pkgs/development/compilers/go @kalbasit @katexochen @Mic92 @zowoq
+/doc/languages-frameworks/go.section.md @kalbasit @Mic92 @zowoq
+/pkgs/build-support/go @kalbasit @Mic92 @zowoq
+/pkgs/development/compilers/go @kalbasit @Mic92 @zowoq
 
 # GNOME
 /pkgs/desktops/gnome                              @jtojnar
-/pkgs/desktops/gnome/extensions                   @jtojnar
+/pkgs/desktops/gnome/extensions       @piegamesde @jtojnar
 /pkgs/build-support/make-hardcode-gsettings-patch @jtojnar
 
 # Cinnamon
-/pkgs/by-name/ci/cinnamon-*    @mkg20001
-/pkgs/by-name/cj/cjs           @mkg20001
-/pkgs/by-name/mu/muffin        @mkg20001
-/pkgs/by-name/ne/nemo          @mkg20001
-/pkgs/by-name/ne/nemo-*        @mkg20001
+/pkgs/desktops/cinnamon @mkg20001
 
 # nim
 /pkgs/development/compilers/nim   @ehmry
@@ -318,23 +294,27 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 # terraform providers
 /pkgs/applications/networking/cluster/terraform-providers @zowoq
 
+# Matrix
+/pkgs/servers/heisenbridge                                 @piegamesde
+/pkgs/servers/matrix-conduit                               @piegamesde
+/nixos/modules/services/misc/heisenbridge.nix              @piegamesde
+/nixos/modules/services/misc/matrix-conduit.nix            @piegamesde
+/nixos/tests/matrix-conduit.nix                            @piegamesde
+
 # Forgejo
-nixos/modules/services/misc/forgejo.nix @adamcstephens @bendlas @emilylange
-pkgs/by-name/fo/forgejo/package.nix     @adamcstephens @bendlas @emilylange
+nixos/modules/services/misc/forgejo.nix      @bendlas @emilylange
+pkgs/applications/version-management/forgejo @bendlas @emilylange
 
 # Dotnet
-/pkgs/build-support/dotnet                  @corngood
-/pkgs/development/compilers/dotnet          @corngood
-/pkgs/test/dotnet                           @corngood
-/doc/languages-frameworks/dotnet.section.md @corngood
+/pkgs/build-support/dotnet                  @IvarWithoutBones
+/pkgs/development/compilers/dotnet          @IvarWithoutBones
+/pkgs/test/dotnet                           @IvarWithoutBones
+/doc/languages-frameworks/dotnet.section.md @IvarWithoutBones
 
 # Node.js
-/pkgs/build-support/node/build-npm-package      @winterqt
-/pkgs/build-support/node/fetch-npm-deps         @winterqt
-/doc/languages-frameworks/javascript.section.md @winterqt
-
-# environment.noXlibs option aka NoX
-/nixos/modules/config/no-x-libs.nix  @SuperSandro2000
+/pkgs/build-support/node/build-npm-package      @lilyinstarlight @winterqt
+/pkgs/build-support/node/fetch-npm-deps         @lilyinstarlight @winterqt
+/doc/languages-frameworks/javascript.section.md @lilyinstarlight @winterqt
 
 # OCaml
 /pkgs/build-support/ocaml           @ulrikstrid
@@ -342,48 +322,15 @@ pkgs/by-name/fo/forgejo/package.nix     @adamcstephens @bendlas @emilylange
 /pkgs/development/ocaml-modules     @ulrikstrid
 
 # ZFS
-pkgs/os-specific/linux/zfs/2_1.nix        @raitobezarius
-pkgs/os-specific/linux/zfs/generic.nix    @raitobezarius
+pkgs/os-specific/linux/zfs                @raitobezarius
+nixos/lib/make-single-disk-zfs-image.nix  @raitobezarius
+nixos/lib/make-multi-disk-zfs-image.nix   @raitobezarius
 nixos/modules/tasks/filesystems/zfs.nix   @raitobezarius
 nixos/tests/zfs.nix                       @raitobezarius
 
 # Zig
-/pkgs/development/compilers/zig @figsoda
-/doc/hooks/zig.section.md       @figsoda
+/pkgs/development/compilers/zig @AndersonTorres @figsoda
+/doc/hooks/zig.section.md @AndersonTorres @figsoda
 
-# Buildbot
-nixos/modules/services/continuous-integration/buildbot @Mic92 @zowoq
-nixos/tests/buildbot.nix                               @Mic92 @zowoq
-pkgs/development/tools/continuous-integration/buildbot @Mic92 @zowoq
-
-# Pretix
-pkgs/by-name/pr/pretix/ @mweinelt
-pkgs/by-name/pr/pretalx/ @mweinelt
-nixos/modules/services/web-apps/pretix.nix @mweinelt
-nixos/modules/services/web-apps/pretalx.nix @mweinelt
-nixos/tests/web-apps/pretix.nix @mweinelt
-nixos/tests/web-apps/pretalx.nix @mweinelt
-
-# incus/lxc/lxd
-nixos/maintainers/scripts/lxd/          @adamcstephens
-nixos/modules/virtualisation/incus.nix  @adamcstephens
-nixos/modules/virtualisation/lxc*       @adamcstephens
-nixos/modules/virtualisation/lxd*       @adamcstephens
-nixos/tests/incus/                      @adamcstephens
-nixos/tests/lxd/                        @adamcstephens
-pkgs/by-name/in/incus/                  @adamcstephens
-pkgs/by-name/lx/lxc*                    @adamcstephens
-pkgs/by-name/lx/lxd*                    @adamcstephens
-
-# ExpidusOS, Flutter
-/pkgs/development/compilers/flutter @RossComputerGuy
-/pkgs/desktops/expidus              @RossComputerGuy
-
-# GNU Tar & Zip
-/pkgs/tools/archivers/gnutar        @RossComputerGuy
-/pkgs/tools/archivers/zip           @RossComputerGuy
-
-# SELinux
-/pkgs/os-specific/linux/checkpolicy @RossComputerGuy
-/pkgs/os-specific/linux/libselinux  @RossComputerGuy
-/pkgs/os-specific/linux/libsepol    @RossComputerGuy
+# Linux Kernel
+pkgs/os-specific/linux/kernel/manual-config.nix   @amjoseph-nixpkgs

.github/ISSUE_TEMPLATE/bug_report.md

@@ -40,7 +40,7 @@ Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.
 output here
 ```
 
----
+### Priorities
 
 Add a :+1: [reaction] to [issues you find important].
 

.github/ISSUE_TEMPLATE/build_failure.md

@@ -38,7 +38,7 @@ Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.
 output here
 ```
 
----
+### Priorities
 
 Add a :+1: [reaction] to [issues you find important].
 

.github/ISSUE_TEMPLATE/missing_documentation.md

@@ -30,7 +30,7 @@ assignees: ''
 [open documentation issues]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+documentation%22
 [open documentation pull requests]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+documentation%22%2C%226.topic%3A+documentation%22
 
----
+### Priorities
 
 Add a :+1: [reaction] to [issues you find important].
 

.github/ISSUE_TEMPLATE/out_of_date_package_report.md

@@ -27,7 +27,7 @@ There's a high chance that you'll have the new version right away while helping
 
 Note for maintainers: Please tag this issue in your PR.
 
----
+**Priorities**
 
 Add a :+1: [reaction] to [issues you find important].
 

.github/ISSUE_TEMPLATE/packaging_request.md

@@ -18,7 +18,7 @@ assignees: ''
 * license: mit, bsd, gpl2+ , ...
 * platforms: unix, linux, darwin, ...
 
----
+**Priorities**
 
 Add a :+1: [reaction] to [issues you find important].
 

.github/ISSUE_TEMPLATE/unreproducible_package.md

@@ -86,7 +86,7 @@ nix log $(nix path-info --derivation nixpkgs#<package>)
 (please share the relevant fragment of the diffoscope output here, and any
 additional analysis you may have done)
 
----
+### Priorities
 
 Add a :+1: [reaction] to [issues you find important].
 

.github/PULL_REQUEST_TEMPLATE.md

@@ -19,12 +19,12 @@ For new packages please briefly describe the package or provide a link to its ho
   - [ ] `sandbox = true`
 - [ ] Tested, as applicable:
   - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
-  - and/or [package tests](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests)
+  - and/or [package tests](https://nixos.org/manual/nixpkgs/unstable/#sec-package-tests)
   - or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test)
   - made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages
 - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
 - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
-- [24.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) (or backporting [23.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2311.section.md) and [24.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2405.section.md) Release notes)
+- [23.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2311.section.md) (or backporting [23.05 Release notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2305.section.md))
   - [ ] (Package updates) Added a release notes entry if the change is major or breaking
   - [ ] (Module updates) Added a release notes entry if the change is significant
   - [ ] (Module addition) Added a release notes entry if adding a new NixOS module
@@ -38,10 +38,10 @@ Reviewing helps to reduce the average time-to-merge for everyone.
 Thanks a lot if you do!
 
 List of open PRs: https://github.com/NixOS/nixpkgs/pulls
-Reviewing guidelines: https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#reviewing-contributions
+Reviewing guidelines: https://nixos.org/manual/nixpkgs/unstable/#chap-reviewing-contributions
 -->
 
----
+### Priorities
 
 Add a :+1: [reaction] to [pull requests you find important].
 

.github/labeler.yml

@@ -1,415 +1,209 @@
 "6.topic: agda":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/agda.section.md
-        - nixos/tests/agda.nix
-        - pkgs/build-support/agda/**/*
-        - pkgs/development/libraries/agda/**/*
-        - pkgs/top-level/agda-packages.nix
+  - doc/languages-frameworks/agda.section.md
+  - nixos/tests/agda.nix
+  - pkgs/build-support/agda/**/*
+  - pkgs/development/libraries/agda/**/*
+  - pkgs/top-level/agda-packages.nix
 
 "6.topic: cinnamon":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/services/x11/desktop-managers/cinnamon.nix
-        - nixos/tests/cinnamon.nix
-        - nixos/tests/cinnamon-wayland.nix
-        - pkgs/by-name/ci/cinnamon-*/**/*
-        - pkgs/by-name/cj/cjs/**/*
-        - pkgs/by-name/mu/muffin/**/*
-        - pkgs/by-name/ne/nemo/**/*
-        - pkgs/by-name/ne/nemo-*/**/*
-
-"6.topic: dotnet":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/dotnet.section.md
-        - maintainers/scripts/update-dotnet-lockfiles.nix
-        - pkgs/build-support/dotnet/**/*
-        - pkgs/development/compilers/dotnet/**/*
-        - pkgs/test/dotnet/**/*
-        - pkgs/top-level/dotnet-packages.nix
+  - pkgs/desktops/cinnamon/**/*
+  - nixos/modules/services/x11/desktop-managers/cinnamon.nix
+  - nixos/tests/cinnamon.nix
 
 "6.topic: emacs":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/services/editors/emacs.nix
-        - nixos/modules/services/editors/emacs.xml
-        - nixos/tests/emacs-daemon.nix
-        - pkgs/applications/editors/emacs/build-support/**/*
-        - pkgs/applications/editors/emacs/elisp-packages/**/*
-        - pkgs/applications/editors/emacs/**/*
-        - pkgs/top-level/emacs-packages.nix
+  - nixos/modules/services/editors/emacs.nix
+  - nixos/modules/services/editors/emacs.xml
+  - nixos/tests/emacs-daemon.nix
+  - pkgs/applications/editors/emacs/elisp-packages/**/*
+  - pkgs/applications/editors/emacs/**/*
+  - pkgs/build-support/emacs/**/*
+  - pkgs/top-level/emacs-packages.nix
 
 "6.topic: Enlightenment DE":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/services/x11/desktop-managers/enlightenment.nix
-        - pkgs/desktops/enlightenment/**/*
-        - pkgs/development/python-modules/python-efl/*
+  - nixos/modules/services/x11/desktop-managers/enlightenment.nix
+  - pkgs/desktops/enlightenment/**/*
+  - pkgs/development/python-modules/python-efl/*
 
 "6.topic: erlang":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/beam.section.md
-        - pkgs/development/beam-modules/**/*
-        - pkgs/development/interpreters/elixir/**/*
-        - pkgs/development/interpreters/erlang/**/*
-        - pkgs/development/tools/build-managers/rebar/**/*
-        - pkgs/development/tools/build-managers/rebar3/**/*
-        - pkgs/development/tools/erlang/**/*
-        - pkgs/top-level/beam-packages.nix
+  - doc/languages-frameworks/beam.section.md
+  - pkgs/development/beam-modules/**/*
+  - pkgs/development/interpreters/elixir/**/*
+  - pkgs/development/interpreters/erlang/**/*
+  - pkgs/development/tools/build-managers/rebar/**/*
+  - pkgs/development/tools/build-managers/rebar3/**/*
+  - pkgs/development/tools/erlang/**/*
+  - pkgs/top-level/beam-packages.nix
 
 "6.topic: fetch":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/build-support/fetch*/**/*
+  - pkgs/build-support/fetch*/**/*
 
 "6.topic: flakes":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - '**/flake.nix'
-        - lib/systems/flake-systems.nix
-        - nixos/modules/config/nix-flakes.nix
-
-"6.topic: flutter":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/build-support/flutter/*.nix
-        - pkgs/development/compilers/flutter/**/*.nix
+  - '**/flake.nix'
+  - lib/systems/flake-systems.nix
+  - nixos/modules/config/nix-flakes.nix
 
 "6.topic: GNOME":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/gnome.section.md
-        - nixos/modules/services/desktops/gnome/**/*
-        - nixos/modules/services/x11/desktop-managers/gnome.nix
-        - nixos/tests/gnome-xorg.nix
-        - nixos/tests/gnome.nix
-        - pkgs/desktops/gnome/**/*
+  - doc/languages-frameworks/gnome.section.md
+  - nixos/modules/services/desktops/gnome/**/*
+  - nixos/modules/services/x11/desktop-managers/gnome.nix
+  - nixos/tests/gnome-xorg.nix
+  - nixos/tests/gnome.nix
+  - pkgs/desktops/gnome/**/*
 
 "6.topic: golang":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/go.section.md
-        - pkgs/build-support/go/**/*
-        - pkgs/development/compilers/go/**/*
+  - doc/languages-frameworks/go.section.md
+  - pkgs/build-support/go/**/*
+  - pkgs/development/compilers/go/**/*
 
 "6.topic: haskell":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/haskell.section.md
-        - maintainers/scripts/haskell/**/*
-        - pkgs/development/compilers/ghc/**/*
-        - pkgs/development/haskell-modules/**/*
-        - pkgs/development/tools/haskell/**/*
-        - pkgs/test/haskell/**/*
-        - pkgs/top-level/haskell-packages.nix
-        - pkgs/top-level/release-haskell.nix
-
-"6.topic: julia":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/julia.section.md
-        - pkgs/development/compilers/julia/**/*
-        - pkgs/development/julia-modules/**/*
-
-"6.topic: jupyter":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/development/python-modules/jupyter*/**/*
-        - pkgs/development/python-modules/mkdocs-jupyter/*
-        - nixos/modules/services/development/jupyter/**/*
-        - pkgs/applications/editors/jupyter-kernels/**/*
-        - pkgs/applications/editors/jupyter/**/*
-
-"6.topic: k3s":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/services/cluster/k3s/**/*
-        - nixos/tests/k3s/**/*
-        - pkgs/applications/networking/cluster/k3s/**/*
+  - doc/languages-frameworks/haskell.section.md
+  - maintainers/scripts/haskell/**/*
+  - pkgs/development/compilers/ghc/**/*
+  - pkgs/development/haskell-modules/**/*
+  - pkgs/development/tools/haskell/**/*
+  - pkgs/test/haskell/**/*
+  - pkgs/top-level/haskell-packages.nix
+  - pkgs/top-level/release-haskell.nix
 
 "6.topic: kernel":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/build-support/kernel/**/*
-        - pkgs/os-specific/linux/kernel/**/*
+  - pkgs/build-support/kernel/**/*
+  - pkgs/os-specific/linux/kernel/**/*
 
 "6.topic: lib":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - lib/**
-
-"6.topic: llvm/clang":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/development/compilers/llvm/**/*
+  - lib/**
 
 "6.topic: lua":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/development/tools/misc/luarocks/*
-        - pkgs/development/interpreters/lua-5/**/*
-        - pkgs/development/interpreters/luajit/**/*
-        - pkgs/development/lua-modules/**/*
-        - pkgs/top-level/lua-packages.nix
+  - pkgs/development/interpreters/lua-5/**/*
+  - pkgs/development/interpreters/luajit/**/*
+  - pkgs/development/lua-modules/**/*
+  - pkgs/top-level/lua-packages.nix
 
 "6.topic: Lumina DE":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/services/x11/desktop-managers/lumina.nix
-        - pkgs/desktops/lumina/**/*
+  - nixos/modules/services/x11/desktop-managers/lumina.nix
+  - pkgs/desktops/lumina/**/*
 
 "6.topic: LXQt":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/services/x11/desktop-managers/lxqt.nix
-        - pkgs/desktops/lxqt/**/*
+  - nixos/modules/services/x11/desktop-managers/lxqt.nix
+  - pkgs/desktops/lxqt/**/*
 
 "6.topic: mate":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/services/x11/desktop-managers/mate.nix
-        - nixos/tests/mate.nix
-        - pkgs/desktops/mate/**/*
+  - nixos/modules/services/x11/desktop-managers/mate.nix
+  - nixos/tests/mate.nix
+  - pkgs/desktops/mate/**/*
 
 "6.topic: module system":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - lib/modules.nix
-        - lib/types.nix
-        - lib/options.nix
-        - lib/tests/modules.sh
-        - lib/tests/modules/**
+  - lib/modules.nix
+  - lib/types.nix
+  - lib/options.nix
+  - lib/tests/modules.sh
+  - lib/tests/modules/**
 
 "6.topic: nixos":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/**/*
-        - pkgs/os-specific/linux/nixos-rebuild/**/*
+  - nixos/**/*
+  - pkgs/os-specific/linux/nixos-rebuild/**/*
 
 "6.topic: nim":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/nim.section.md
-        - pkgs/development/compilers/nim/*
-        - pkgs/development/nim-packages/**/*
-        - pkgs/top-level/nim-packages.nix
+  - doc/languages-frameworks/nim.section.md
+  - pkgs/development/compilers/nim/*
+  - pkgs/development/nim-packages/**/*
+  - pkgs/top-level/nim-packages.nix
 
 "6.topic: nodejs":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/javascript.section.md
-        - pkgs/build-support/node/**/*
-        - pkgs/development/node-packages/**/*
-        - pkgs/development/tools/yarn/*
-        - pkgs/development/tools/yarn2nix-moretea/**/*
-        - pkgs/development/tools/pnpm/**/*
-        - pkgs/development/web/nodejs/*
+  - doc/languages-frameworks/javascript.section.md
+  - pkgs/build-support/node/**/*
+  - pkgs/development/node-packages/**/*
+  - pkgs/development/tools/yarn/*
+  - pkgs/development/tools/yarn2nix-moretea/**/*
+  - pkgs/development/web/nodejs/*
 
 "6.topic: ocaml":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/ocaml.section.md
-        - pkgs/development/compilers/ocaml/**/*
-        - pkgs/development/compilers/reason/**/*
-        - pkgs/development/ocaml-modules/**/*
-        - pkgs/development/tools/ocaml/**/*
-        - pkgs/top-level/ocaml-packages.nix
+  - doc/languages-frameworks/ocaml.section.md
+  - pkgs/development/compilers/ocaml/**/*
+  - pkgs/development/compilers/reason/**/*
+  - pkgs/development/ocaml-modules/**/*
+  - pkgs/development/tools/ocaml/**/*
+  - pkgs/top-level/ocaml-packages.nix
 
 "6.topic: pantheon":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/services/desktops/pantheon/**/*
-        - nixos/modules/services/x11/desktop-managers/pantheon.nix
-        - nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix
-        - nixos/tests/pantheon.nix
-        - pkgs/desktops/pantheon/**/*
-
-"6.topic: php":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/php.section.md
-        - pkgs/build-support/php/**/*
-        - pkgs/development/interpreters/php/*
-        - pkgs/development/php-packages/**/*
-        - pkgs/test/php/default.nix
-        - pkgs/top-level/php-packages.nix
+  - nixos/modules/services/desktops/pantheon/**/*
+  - nixos/modules/services/x11/desktop-managers/pantheon.nix
+  - nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix
+  - nixos/tests/pantheon.nix
+  - pkgs/desktops/pantheon/**/*
 
 "6.topic: policy discussion":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - .github/**/*
+  - .github/**/*
 
 "6.topic: printing":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/services/printing/cupsd.nix
-        - pkgs/misc/cups/**/*
+  - nixos/modules/services/printing/cupsd.nix
+  - pkgs/misc/cups/**/*
 
 "6.topic: python":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/python.section.md
-        - pkgs/development/interpreters/python/**/*
-        - pkgs/development/python-modules/**/*
-        - pkgs/top-level/python-packages.nix
+  - doc/languages-frameworks/python.section.md
+  - pkgs/development/interpreters/python/**/*
+  - pkgs/development/python-modules/**/*
+  - pkgs/top-level/python-packages.nix
 
 "6.topic: qt/kde":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/qt.section.md
-        - nixos/modules/services/x11/desktop-managers/plasma5.nix
-        - nixos/tests/plasma5.nix
-        - pkgs/applications/kde/**/*
-        - pkgs/desktops/plasma-5/**/*
-        - pkgs/development/libraries/kde-frameworks/**/*
-        - pkgs/development/libraries/qt-5/**/*
+  - doc/languages-frameworks/qt.section.md
+  - nixos/modules/services/x11/desktop-managers/plasma5.nix
+  - nixos/tests/plasma5.nix
+  - pkgs/applications/kde/**/*
+  - pkgs/desktops/plasma-5/**/*
+  - pkgs/development/libraries/kde-frameworks/**/*
+  - pkgs/development/libraries/qt-5/**/*
 
 "6.topic: ruby":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/ruby.section.md
-        - pkgs/development/interpreters/ruby/**/*
-        - pkgs/development/ruby-modules/**/*
+  - doc/languages-frameworks/ruby.section.md
+  - pkgs/development/interpreters/ruby/**/*
+  - pkgs/development/ruby-modules/**/*
 
 "6.topic: rust":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/rust.section.md
-        - pkgs/build-support/rust/**/*
-        - pkgs/development/compilers/rust/**/*
+  - doc/languages-frameworks/rust.section.md
+  - pkgs/build-support/rust/**/*
+  - pkgs/development/compilers/rust/**/*
 
 "6.topic: stdenv":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/stdenv/**/*
+  - pkgs/stdenv/**/*
 
 "6.topic: steam":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/games/steam/**/*
+  - pkgs/games/steam/**/*
 
 "6.topic: systemd":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/os-specific/linux/systemd/**/*
-        - nixos/modules/system/boot/systemd*/**/*
+  - pkgs/os-specific/linux/systemd/**/*
+  - nixos/modules/system/boot/systemd*/**/*
 
 "6.topic: TeX":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/texlive.section.md
-        - pkgs/test/texlive/**
-        - pkgs/tools/typesetting/tex/**/*
-
-"6.topic: testing":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        # NOTE: Let's keep the scope limited to test frameworks that are
-        #       *developed in this repo*;
-        #       - not individual tests
-        #       - not packages for test frameworks
-        - pkgs/build-support/testers/**
-        - nixos/lib/testing/**
-        - nixos/lib/test-driver/**
-        - nixos/tests/nixos-test-driver/**
-        - nixos/lib/testing-python.nix      # legacy
-        - nixos/tests/make-test-python.nix  # legacy
-        # lib/debug.nix has a test framework (runTests) but it's not the main focus
+  - doc/languages-frameworks/texlive.section.md
+  - pkgs/test/texlive/**
+  - pkgs/tools/typesetting/tex/**/*
 
 "6.topic: vim":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/languages-frameworks/vim.section.md
-        - pkgs/applications/editors/vim/**/*
-        - pkgs/applications/editors/vim/plugins/**/*
-        - nixos/modules/programs/neovim.nix
-        - pkgs/applications/editors/neovim/**/*
+  - doc/languages-frameworks/vim.section.md
+  - pkgs/applications/editors/vim/**/*
+  - pkgs/applications/editors/vim/plugins/**/*
+  - nixos/modules/programs/neovim.nix
+  - pkgs/applications/editors/neovim/**/*
 
 "6.topic: vscode":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/applications/editors/vscode/**/*
+  - pkgs/applications/editors/vscode/**/*
 
 "6.topic: xfce":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/doc/manual/configuration/xfce.xml
-        - nixos/modules/services/x11/desktop-managers/xfce.nix
-        - nixos/tests/xfce.nix
-        - pkgs/desktops/xfce/**/*
+  - nixos/doc/manual/configuration/xfce.xml
+  - nixos/modules/services/x11/desktop-managers/xfce.nix
+  - nixos/tests/xfce.nix
+  - pkgs/desktops/xfce/**/*
 
 "6.topic: zig":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - pkgs/development/compilers/zig/**/*
-        - doc/hooks/zig.section.md
+  - pkgs/development/compilers/zig/**/*
+  - doc/hooks/zig.section.md
 
 "8.has: changelog":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/doc/manual/release-notes/**/*
+  - nixos/doc/manual/release-notes/**/*
 
 "8.has: documentation":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - doc/**/*
-        - nixos/doc/**/*
+  - doc/**/*
+  - nixos/doc/**/*
 
 "8.has: module (update)":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - nixos/modules/**/*
-"8.has: maintainer-list (update)":
-  - any:
-    - changed-files:
-      - any-glob-to-any-file:
-        - maintainers/maintainer-list.nix
+  - nixos/modules/**/*

.github/workflows/backport.yml

@@ -20,11 +20,11 @@ jobs:
     if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Create backport PRs
-        uses: korthout/backport-action@bd410d37cdcae80be6d969823ff5a225fe5c833f # v3.0.2
+        uses: korthout/backport-action@v2.1.1
         with:
           # Config README: https://github.com/korthout/backport-action#backport-action
           copy_labels_pattern: 'severity:\ssecurity'

.github/workflows/basic-eval.yml

@@ -18,12 +18,12 @@ jobs:
     runs-on: ubuntu-latest
     # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
     steps:
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-    - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
-    - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
+    - uses: actions/checkout@v4
+    - uses: cachix/install-nix-action@v23
+    - uses: cachix/cachix-action@v12
       with:
         # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
         name: nixpkgs-ci
         signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
     # explicit list of supportedSystems is needed until aarch64-darwin becomes part of the trunk jobset
-    - run: nix-build pkgs/top-level/release.nix -A release-checks --arg supportedSystems '[ "aarch64-darwin" "aarch64-linux" "x86_64-linux" "x86_64-darwin"  ]'
+    - run: nix-build pkgs/top-level/release.nix -A tarball.nixpkgs-basic-release-checks --arg supportedSystems '[ "aarch64-darwin" "aarch64-linux" "x86_64-linux" "x86_64-darwin"  ]'

.github/workflows/check-by-name.yml

@@ -1,52 +1,28 @@
 # Checks pkgs/by-name (see pkgs/by-name/README.md)
-# using the nixpkgs-check-by-name tool (see https://github.com/NixOS/nixpkgs-check-by-name)
-#
-# When you make changes to this workflow, also update pkgs/test/check-by-name/run-local.sh adequately
+# using the nixpkgs-check-by-name tool (see pkgs/test/nixpkgs-check-by-name)
 name: Check pkgs/by-name
 
+# The pre-built tool is fetched from a channel,
+# making it work predictable on all PRs.
 on:
   # Using pull_request_target instead of pull_request avoids having to approve first time contributors
-  pull_request_target:
-    # This workflow depends on the base branch of the PR,
-    # but changing the base branch is not included in the default trigger events,
-    # which would be `opened`, `synchronize` or `reopened`.
-    # Instead it causes an `edited` event, so we need to add it explicitly here
-    # While `edited` is also triggered when the PR title/body is changed,
-    # this PR action is fairly quick, and PR's don't get edited that often,
-    # so it shouldn't be a problem
-    # There is a feature request for adding a `base_changed` event:
-    # https://github.com/orgs/community/discussions/35058
-    types: [opened, synchronize, reopened, edited]
+  pull_request_target
 
+# The tool doesn't need any permissions, it only outputs success or not based on the checkout
 permissions: {}
 
-# We don't use a concurrency group here, because the action is triggered quite often (due to the PR edit
-# trigger), and contributers would get notified on any canceled run.
-# There is a feature request for supressing notifications on concurrency-canceled runs:
-# https://github.com/orgs/community/discussions/13015
-
 jobs:
   check:
-    # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases
+    # This is x86_64-linux, for which the tool is always prebuilt on the nixos-* channels,
+    # as specified in nixos/release-combined.nix
     runs-on: ubuntu-latest
-    # This should take 1 minute at most, but let's be generous.
-    # The default of 6 hours is definitely too long
-    timeout-minutes: 10
     steps:
-      # This step has to be in this file,
-      # because it's needed to determine which revision of the repository to fetch,
-      # and we can only use other files from the repository once it's fetched.
       - name: Resolving the merge commit
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
           # This checks for mergeability of a pull request as recommended in
           # https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests
-
-          # Retry the API query this many times
-          retryCount=5
-          # Start with 5 seconds, but double every retry
-          retryInterval=5
           while true; do
             echo "Checking whether the pull request can be merged"
             prInfo=$(gh api \
@@ -57,19 +33,10 @@ jobs:
             mergedSha=$(jq -r .merge_commit_sha <<< "$prInfo")
 
             if [[ "$mergeable" == "null" ]]; then
-              if (( retryCount == 0 )); then
-                echo "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"
-                exit 1
-              else
-                (( retryCount -= 1 )) || true
-
-                # null indicates that GitHub is still computing whether it's mergeable
-                # Wait a couple seconds before trying again
-                echo "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)"
-                sleep "$retryInterval"
-
-                (( retryInterval *= 2 )) || true
-              fi
+              # null indicates that GitHub is still computing whether it's mergeable
+              # Wait a couple seconds before trying again
+              echo "GitHub is still computing whether this PR can be merged, waiting 5 seconds before trying again"
+              sleep 5
             else
               break
             fi
@@ -77,47 +44,136 @@ jobs:
 
           if [[ "$mergeable" == "true" ]]; then
             echo "The PR can be merged, checking the merge commit $mergedSha"
-            echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"
           else
-            echo "The PR cannot be merged, it has a merge conflict, skipping the rest.."
+            echo "The PR cannot be merged, it has a merge conflict"
+            exit 1
           fi
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        if: env.mergedSha
+          echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"
+      - uses: actions/checkout@v4
         with:
           # pull_request_target checks out the base branch by default
           ref: ${{ env.mergedSha }}
           # Fetches the merge commit and its parents
           fetch-depth: 2
-      - name: Checking out base branch
-        if: env.mergedSha
+      - name: Determining PR git hashes
         run: |
-          base=$(mktemp -d)
-          git worktree add "$base" "$(git rev-parse HEAD^1)"
-          echo "base=$base" >> "$GITHUB_ENV"
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
-        if: env.mergedSha
-      - name: Fetching the pinned tool
-        if: env.mergedSha
-        # Update the pinned version using pkgs/test/check-by-name/update-pinned-tool.sh
+          # For pull_request_target this is the same as $GITHUB_SHA
+          echo "baseSha=$(git rev-parse HEAD^1)" >> "$GITHUB_ENV"
+
+          echo "headSha=$(git rev-parse HEAD^2)" >> "$GITHUB_ENV"
+      - uses: cachix/install-nix-action@v23
+      - name: Determining channel to use for dependencies
         run: |
-          # The pinned version of the tooling to use
-          toolVersion=$(<pkgs/test/check-by-name/pinned-version.txt)
-          # Fetch the x86_64-linux-specific release artifact containing the Gzipped NAR of the pre-built tool
-          toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-check-by-name/releases/download/"$toolVersion"/x86_64-linux.nar.gz \
-            | gzip -cd | nix-store --import | tail -1)
-          # Adds a result symlink as a GC root
-          nix-store --realise "$toolPath" --add-root result
-      - name: Running nixpkgs-check-by-name
-        if: env.mergedSha
-        env:
-          # Force terminal colors to be enabled. The library that
-          # nixpkgs-check-by-name uses respects: https://bixense.com/clicolors/
-          CLICOLOR_FORCE: 1
-        run: |
-          if result/bin/nixpkgs-check-by-name --base "$base" .; then
-            exit 0
+          echo "Determining the preferred channel to use for PR base branch $GITHUB_BASE_REF"
+          if [[ "$GITHUB_BASE_REF" =~ ^(release|staging|staging-next)-([0-9][0-9]\.[0-9][0-9])$ ]]; then
+              # Use the release channel for all PRs to release-XX.YY, staging-XX.YY and staging-next-XX.YY
+              channel=nixos-${BASH_REMATCH[2]}
+              echo "PR is for a release branch, preferred channel is $channel"
           else
-            exitCode=$?
-            echo "To run locally: ./maintainers/scripts/check-by-name.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
-            exit "$exitCode"
+              # Use the nixos-unstable channel for all other PRs
+              channel=nixos-unstable
+              echo "PR is for a non-release branch, preferred channel is $channel"
           fi
+          # Check that the channel exists. It doesn't exist for fresh release branches
+          if ! curl -fSs "https://channels.nixos.org/$channel"; then
+            # Fall back to nixos-unstable, makes sense for fresh release branches
+            echo "Preferred channel $channel could not be fetched, falling back to nixos-unstable"
+            channel=nixos-unstable
+          fi
+          echo "channel=$channel" >> "$GITHUB_ENV"
+      - name: Fetching latest version of channel
+        run: |
+          echo "Fetching latest version of channel $channel"
+          # This is probably the easiest way to get Nix to output the path to a downloaded channel!
+          nixpkgs=$(nix-instantiate --find-file nixpkgs -I nixpkgs=channel:"$channel")
+          # This file only exists in channels
+          rev=$(<"$nixpkgs"/.git-revision)
+          echo "Channel $channel is at revision $rev"
+          echo "nixpkgs=$nixpkgs" >> "$GITHUB_ENV"
+          echo "rev=$rev" >> "$GITHUB_ENV"
+      - name: Fetching pre-built nixpkgs-check-by-name from the channel
+        run: |
+          echo "Fetching pre-built nixpkgs-check-by-name from channel $channel at revision $rev"
+          # Passing --max-jobs 0 makes sure that we won't build anything
+          nix-build "$nixpkgs" -A tests.nixpkgs-check-by-name --max-jobs 0
+      - name: Running nixpkgs-check-by-name
+        run: |
+          echo "Checking whether the check succeeds on the base branch $GITHUB_BASE_REF"
+          git checkout -q "$baseSha"
+          if baseOutput=$(result/bin/nixpkgs-check-by-name . 2>&1); then
+            baseSuccess=1
+          else
+            baseSuccess=
+          fi
+          printf "%s\n" "$baseOutput"
+
+          echo "Checking whether the check would succeed after merging this pull request"
+          git checkout -q "$mergedSha"
+          if mergedOutput=$(result/bin/nixpkgs-check-by-name . 2>&1); then
+            mergedSuccess=1
+            exitCode=0
+          else
+            mergedSuccess=
+            exitCode=1
+          fi
+          printf "%s\n" "$mergedOutput"
+
+          resultToEmoji() {
+            if [[ -n "$1" ]]; then
+              echo ":heavy_check_mark:"
+            else
+              echo ":x:"
+            fi
+          }
+
+          # Print a markdown summary in GitHub actions
+          {
+            echo "| Nixpkgs version | Check result |"
+            echo "| --- | --- |"
+            echo "| Latest base commit | $(resultToEmoji "$baseSuccess") |"
+            echo "| After merging this PR | $(resultToEmoji "$mergedSuccess") |"
+            echo ""
+
+            if [[ -n "$baseSuccess" ]]; then
+              if [[ -n "$mergedSuccess" ]]; then
+                echo "The check succeeds on both the base branch and after merging this PR"
+              else
+                echo "The check succeeds on the base branch, but would fail after merging this PR:"
+                echo "\`\`\`"
+                echo "$mergedOutput"
+                echo "\`\`\`"
+                echo ""
+              fi
+            else
+              if [[ -n "$mergedSuccess" ]]; then
+                echo "The check fails on the base branch, but this PR fixes it, nicely done!"
+              else
+                echo "The check fails on both the base branch and after merging this PR, unknown if only this PRs changes would satisfy the check, the base branch needs to be fixed first."
+                echo ""
+                echo "Failure on the base branch:"
+                echo "\`\`\`"
+                echo "$baseOutput"
+                echo "\`\`\`"
+                echo ""
+                echo "Failure after merging this PR:"
+                echo "\`\`\`"
+                echo "$mergedOutput"
+                echo "\`\`\`"
+                echo ""
+              fi
+            fi
+
+            echo "### Details"
+            echo "- nixpkgs-check-by-name tool:"
+            echo "  - Channel: $channel"
+            echo "  - Nixpkgs commit: [$rev](https://github.com/${GITHUB_REPOSITORY}/commit/$rev)"
+            echo "  - Store path: \`$(realpath result)\`"
+            echo "- Tested Nixpkgs:"
+            echo "  - Base branch: $GITHUB_BASE_REF"
+            echo "  - Latest base branch commit: [$baseSha](https://github.com/${GITHUB_REPOSITORY}/commit/$baseSha)"
+            echo "  - Latest PR commit: [$headSha](https://github.com/${GITHUB_REPOSITORY}/commit/$headSha)"
+            echo "  - Merge commit: [$mergedSha](https://github.com/${GITHUB_REPOSITORY}/commit/$mergedSha)"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          exit "$exitCode"
+

.github/workflows/check-cherry-picks.yml

@@ -1,25 +0,0 @@
-name: "Check cherry-picks"
-on:
-  pull_request_target:
-    branches:
-     - 'release-**'
-     - 'staging-**'
-     - '!staging-next'
-
-permissions: {}
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-    if: github.repository_owner == 'NixOS'
-    steps:
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      with:
-        fetch-depth: 0
-        filter: blob:none
-    - name: Check cherry-picks
-      env:
-        BASE_SHA: ${{ github.event.pull_request.base.sha }}
-        HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-      run: |
-        ./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA"

.github/workflows/check-maintainers-sorted.yaml

@@ -12,15 +12,11 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'NixOS'
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v4
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-          # Only these directories to perform the check
-          sparse-checkout: |
-            lib
-            maintainers
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: cachix/install-nix-action@v23
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true

.github/workflows/check-nix-format.yml

@@ -1,88 +0,0 @@
-# This file was copied mostly from check-maintainers-sorted.yaml.
-# NOTE: Formatting with the RFC-style nixfmt command is not yet stable. See
-# https://github.com/NixOS/rfcs/pull/166.
-# Because of this, this action is not yet enabled for all files -- only for
-# those who have opted in.
-name: Check that Nix files are formatted
-
-on:
-  pull_request_target:
-    # See the comment at the same location in ./check-by-name.yml
-    types: [opened, synchronize, reopened, edited]
-permissions:
-  contents: read
-
-jobs:
-  nixos:
-    runs-on: ubuntu-latest
-    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          # pull_request_target checks out the base branch by default
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
-          # Fetches the merge commit and its parents
-          fetch-depth: 2
-      - name: Checking out base branch
-        run: |
-          base=$(mktemp -d)
-          baseRev=$(git rev-parse HEAD^1)
-          git worktree add "$base" "$baseRev"
-          echo "baseRev=$baseRev" >> "$GITHUB_ENV"
-          echo "base=$base" >> "$GITHUB_ENV"
-      - name: Get Nixpkgs revision for nixfmt
-        run: |
-          # pin to a commit from nixpkgs-unstable to avoid e.g. building nixfmt
-          # from staging
-          # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
-          rev=$(jq -r .rev ci/pinned-nixpkgs.json)
-          echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
-        with:
-          # explicitly enable sandbox
-          extra_nix_config: sandbox = true
-          nix_path: nixpkgs=${{ env.url }}
-      - name: Install nixfmt
-        run: "nix-env -f '<nixpkgs>' -iAP nixfmt-rfc-style"
-      - name: Check that Nix files are formatted according to the RFC style
-        run: |
-          unformattedFiles=()
-
-          # TODO: Make this more parallel
-
-          # Loop through all Nix files touched by the PR
-          while readarray -d '' -n 2 entry && (( ${#entry[@]} != 0 )); do
-            type=${entry[0]}
-            file=${entry[1]}
-            case $type in
-              A*)
-                source=""
-                dest=$file
-                ;;
-              M*)
-                source=$file
-                dest=$file
-                ;;
-              C*|R*)
-                source=$file
-                read -r -d '' dest
-                ;;
-              *)
-                echo "Ignoring file $file with type $type"
-                continue
-            esac
-
-            # Ignore files that weren't already formatted
-            if [[ -n "$source" ]] && ! nixfmt --check ${{ env.base }}/"$source" 2>/dev/null; then
-              echo "Ignoring file $file because it's not formatted in the base commit"
-            elif ! nixfmt --check "$dest"; then
-              unformattedFiles+=("$dest")
-            fi
-          done < <(git diff -z --name-status ${{ env.baseRev }} -- '*.nix')
-
-          if (( "${#unformattedFiles[@]}" > 0 )); then
-            echo "Some new/changed Nix files are not properly formatted"
-            echo "Please run the following in \`nix-shell\`:"
-            echo "nixfmt ${unformattedFiles[*]@Q}"
-            exit 1
-          fi

.github/workflows/check-nixf-tidy.yml

@@ -1,128 +0,0 @@
-name: Check changed Nix files with nixf-tidy (experimental)
-
-on:
-  pull_request_target:
-    types: [opened, synchronize, reopened, edited]
-permissions:
-  contents: read
-
-jobs:
-  nixos:
-    runs-on: ubuntu-latest
-    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          # pull_request_target checks out the base branch by default
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
-          # Fetches the merge commit and its parents
-          fetch-depth: 2
-      - name: Checking out base branch
-        run: |
-          base=$(mktemp -d)
-          baseRev=$(git rev-parse HEAD^1)
-          git worktree add "$base" "$baseRev"
-          echo "baseRev=$baseRev" >> "$GITHUB_ENV"
-          echo "base=$base" >> "$GITHUB_ENV"
-      - name: Get Nixpkgs revision for nixf
-        run: |
-          # pin to a commit from nixpkgs-unstable to avoid e.g. building nixf
-          # from staging
-          # This should not be a URL, because it would allow PRs to run arbitrary code in CI!
-          rev=$(jq -r .rev ci/pinned-nixpkgs.json)
-          echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
-        with:
-          # explicitly enable sandbox
-          extra_nix_config: sandbox = true
-          nix_path: nixpkgs=${{ env.url }}
-      - name: Install nixf and jq
-        # provided jq is incompatible with our expression
-        run: "nix-env -f '<nixpkgs>' -iAP nixf jq"
-      - name: Check that Nix files pass nixf-tidy
-        run: |
-          # Filtering error messages we don't like
-          nixf_wrapper(){
-            nixf-tidy --variable-lookup < "$1" | jq -r '
-              [
-                "sema-escaping-with"
-              ]
-              as $ignored_errors|[.[]|select(.sname as $s|$ignored_errors|index($s)|not)]
-            '
-          }
-
-          failedFiles=()
-
-          # Don't report errors to file overview
-          # to avoid duplicates when editing title and description
-          if [[ "${{ github.event.action }}" == 'edited' ]] && [[ -z "${{ github.event.edited.changes.base }}" ]]; then
-            DONT_REPORT_ERROR=1
-          else
-            DONT_REPORT_ERROR=
-          fi
-          # TODO: Make this more parallel
-
-          # Loop through all Nix files touched by the PR
-          while readarray -d '' -n 2 entry && (( ${#entry[@]} != 0 )); do
-            type=${entry[0]}
-            file=${entry[1]}
-            case $type in
-              A*)
-                source=""
-                dest=$file
-                ;;
-              M*)
-                source=$file
-                dest=$file
-                ;;
-              C*|R*)
-                source=$file
-                read -r -d '' dest
-                ;;
-              *)
-                echo "Ignoring file $file with type $type"
-                continue
-            esac
-
-            if [[ -n "$source" ]] && [[ "$(nixf_wrapper ${{ env.base }}/"$source")" != '[]' ]] 2>/dev/null; then
-              echo "Ignoring file $file because it doesn't pass nixf-tidy in the base commit"
-              echo # insert blank line
-            else
-              nixf_report="$(nixf_wrapper "$dest")"
-              if [[ "$nixf_report" != '[]' ]]; then
-                echo "$dest doesn't pass nixf-tidy. Reported by nixf-tidy:"
-                errors=$(echo "$nixf_report" | jq -r --arg dest "$dest" '
-                  def getLCur: "line=" + (.line+1|tostring) + ",col=" + (.column|tostring);
-                  def getRCur: "endLine=" + (.line+1|tostring) + ",endColumn=" + (.column|tostring);
-                  def getRange: "file=\($dest)," + (.lCur|getLCur) + "," + (.rCur|getRCur);
-                  def getBody: . as $top|(.range|getRange) + ",title="+ .sname + "::" +
-                    (.message|sub("{}" ; ($top.args.[]|tostring)));
-                  def getNote: "\n::notice " + (.|getBody);
-                  def getMessage: "::error " + (.|getBody) + (if (.notes|length)>0 then
-                    ([.notes.[]|getNote]|add) else "" end);
-                  .[]|getMessage
-                ')
-                if [[ -z "$DONT_REPORT_ERROR" ]]; then
-                  echo "$errors"
-                else
-                  # just print in plain text
-                  echo "$errors" | sed 's/^:://'
-                  echo # add one empty line
-                fi
-                failedFiles+=("$dest")
-              fi
-            fi
-          done < <(git diff -z --name-status ${{ env.baseRev }} -- '*.nix')
-
-          if [[ -n "$DONT_REPORT_ERROR" ]]; then
-            echo "Edited the PR but didn't change the base branch, only the description/title."
-            echo "Not reporting errors again to avoid duplication."
-            echo # add one empty line
-          fi
-
-          if (( "${#failedFiles[@]}" > 0 )); then
-            echo "Some new/changed Nix files don't pass nixf-tidy."
-            echo "See ${{ github.event.pull_request.html_url }}/files for reported errors."
-            echo "If you believe this is a false positive, ping @Aleksanaa and @inclyc in this PR."
-            exit 1
-          fi

.github/workflows/check-shell.yml

@@ -1,29 +0,0 @@
-name: "Check shell"
-
-on:
-  pull_request_target:
-
-permissions: {}
-
-jobs:
-  x86_64-linux:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          # pull_request_target checks out the base branch by default
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
-      - name: Build shell
-        run: nix-build shell.nix
-
-  aarch64-darwin:
-    runs-on: macos-latest
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          # pull_request_target checks out the base branch by default
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
-      - name: Build shell
-        run: nix-build shell.nix

.github/workflows/editorconfig.yml

@@ -24,11 +24,11 @@ jobs:
     - name: print list of changed files
       run: |
         cat "$HOME/changed_files"
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - uses: actions/checkout@v4
       with:
         # pull_request_target checks out the base branch by default
         ref: refs/pull/${{ github.event.pull_request.number }}/merge
-    - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+    - uses: cachix/install-nix-action@v23
       with:
         # nixpkgs commit is pinned so that it doesn't break
         # editorconfig-checker 2.4.0

.github/workflows/labels.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
-    - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
+    - uses: actions/labeler@v4
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         sync-labels: true

.github/workflows/manual-nixos.yml

@@ -14,18 +14,18 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'NixOS'
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v4
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: cachix/install-nix-action@v23
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
-      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
+      - uses: cachix/cachix-action@v12
         with:
           # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
           name: nixpkgs-ci
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
       - name: Building NixOS manual
         run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux

.github/workflows/manual-nixpkgs.yml

@@ -9,25 +9,24 @@ on:
     paths:
       - 'doc/**'
       - 'lib/**'
-      - 'pkgs/tools/nix/nixdoc/**'
 
 jobs:
   nixpkgs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'NixOS'
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v4
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: cachix/install-nix-action@v23
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
-      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
+      - uses: cachix/cachix-action@v12
         with:
           # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
           name: nixpkgs-ci
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
       - name: Building Nixpkgs manual
-        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual -A manual.tests
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual

.github/workflows/nix-parse.yml

@@ -1,42 +0,0 @@
-name: "Check whether nix files are parseable"
-
-permissions: read-all
-
-on:
-  # avoids approving first time contributors
-  pull_request_target:
-    branches-ignore:
-      - 'release-**'
-
-jobs:
-  tests:
-    runs-on: ubuntu-latest
-    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
-    steps:
-    - name: Get list of changed files from PR
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-        gh api \
-          repos/NixOS/nixpkgs/pulls/${{github.event.number}}/files --paginate \
-          | jq --raw-output '.[] | select(.status != "removed" and (.filename | endswith(".nix"))) | .filename' \
-          > "$HOME/changed_files"
-        if [[ -s "$HOME/changed_files" ]]; then
-          echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV"
-        fi
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      with:
-        # pull_request_target checks out the base branch by default
-        ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}
-    - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
-      with:
-        nix_path: nixpkgs=channel:nixpkgs-unstable
-    - name: Parse all changed or added nix files
-      run: |
-        ret=0
-        while IFS= read -r file; do
-          out="$(nix-instantiate --parse "$file")" || { echo "$out" && ret=1; }
-        done < "$HOME/changed_files"
-        exit "$ret"
-      if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}

.github/workflows/periodic-merge-24h.yml

@@ -13,7 +13,6 @@ on:
     # * is a special character in YAML so you have to quote this string
     # Merge every 24 hours
     - cron:  '0 0 * * *'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -35,16 +34,16 @@ jobs:
         pairs:
           - from: master
             into: haskell-updates
-          - from: release-24.05
-            into: staging-next-24.05
-          - from: staging-next-24.05
-            into: staging-24.05
+          - from: release-23.05
+            into: staging-next-23.05
+          - from: staging-next-23.05
+            into: staging-23.05
     name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v4
 
       - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
-        uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0
+        uses: devmasx/merge-branch@1.4.0
         with:
           type: now
           from_branch: ${{ matrix.pairs.from }}
@@ -52,7 +51,7 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Comment on failure
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        uses: peter-evans/create-or-update-comment@v3
         if: ${{ failure() }}
         with:
           issue-number: 105153

.github/workflows/periodic-merge-6h.yml

@@ -13,7 +13,6 @@ on:
     # * is a special character in YAML so you have to quote this string
     # Merge every 6 hours
     - cron:  '0 */6 * * *'
-  workflow_dispatch:
 
 permissions:
   contents: read
@@ -39,10 +38,10 @@ jobs:
             into: staging
     name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@v4
 
       - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
-        uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0
+        uses: devmasx/merge-branch@1.4.0
         with:
           type: now
           from_branch: ${{ matrix.pairs.from }}
@@ -50,7 +49,7 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Comment on failure
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        uses: peter-evans/create-or-update-comment@v3
         if: ${{ failure() }}
         with:
           issue-number: 105153

.github/workflows/update-terraform-providers.yml

@@ -16,8 +16,8 @@ jobs:
     if: github.repository_owner == 'NixOS' && github.ref == 'refs/heads/master' # ensure workflow_dispatch only runs on master
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      - uses: actions/checkout@v4
+      - uses: cachix/install-nix-action@v23
         with:
           nix_path: nixpkgs=channel:nixpkgs-unstable
       - name: setup
@@ -46,7 +46,7 @@ jobs:
         run: |
           git clean -f
       - name: create PR
-        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
+        uses: peter-evans/create-pull-request@v5
         with:
           body: |
             Automatic update by [update-terraform-providers](https://github.com/NixOS/nixpkgs/blob/master/.github/workflows/update-terraform-providers.yml) action.
@@ -60,7 +60,7 @@ jobs:
 
             Check that all providers build with:
             ```
-            @ofborg build opentofu.full
+            @ofborg build terraform.full
             ```
             If there is more than ten commits in the PR `ofborg` won't build it automatically and you will need to use the above command.
           branch: terraform-providers-update

.gitignore

@@ -7,21 +7,18 @@
 .idea/
 .nixos-test-history
 .vscode/
-.helix/
 outputs/
 result-*
 result
 repl-result-*
-tags
 !pkgs/development/python-modules/result
 /doc/NEWS.html
 /doc/NEWS.txt
 /doc/manual.html
 /doc/manual.pdf
+/result
 /source/
 .version-suffix
-.direnv
-.envrc
 
 .DS_Store
 .mypy_cache

.mailmap

@@ -10,8 +10,5 @@ Robert Hensing <robert@roberthensing.nl> <roberth@users.noreply.github.com>
 Sandro Jäckel <sandro.jaeckel@gmail.com>
 Sandro Jäckel <sandro.jaeckel@gmail.com> <sandro.jaeckel@sap.com>
 superherointj <5861043+superherointj@users.noreply.github.com>
-Tomodachi94 <tomodachi94@protonmail.com> Tomo <68489118+Tomodachi94@users.noreply.github.com>
 Vladimír Čunát <v@cunat.cz> <vcunat@gmail.com>
 Vladimír Čunát <v@cunat.cz> <vladimir.cunat@nic.cz>
-Yifei Sun <ysun@hey.com> StepBroBD <Hi@StepBroBD.com>
-Yifei Sun <ysun@hey.com> <ysun+git@stepbrobd.com>

.version

@@ -1 +0,0 @@
-lib/.version

.version

@@ -0,0 +1 @@
+23.11

CONTRIBUTING.md

@@ -26,7 +26,7 @@ This file contains general contributing information, but individual parts also h
 
 This section describes in some detail how changes can be made and proposed with pull requests.
 
-> [!Note]
+> **Note**
 > Be aware that contributing implies licensing those contributions under the terms of [COPYING](./COPYING), an MIT-like license.
 
 0. Set up a local version of Nixpkgs to work with using GitHub and Git
@@ -129,17 +129,19 @@ When a PR is created, it will be pre-populated with some checkboxes detailed bel
 
 #### Tested using sandboxing
 
-When sandbox builds are enabled, Nix will set up an isolated environment for each build process.
-It is used to remove further hidden dependencies set by the build environment to improve reproducibility.
-This includes access to the network during the build outside of `fetch*` functions and files outside the Nix store.
-Depending on the operating system, access to other resources is blocked as well (e.g., inter-process communication is isolated on Linux); see [sandbox](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-sandbox) in the Nix manual for details.
+When sandbox builds are enabled, Nix will setup an isolated environment for each build process. It is used to remove further hidden dependencies set by the build environment to improve reproducibility. This includes access to the network during the build outside of `fetch*` functions and files outside the Nix store. Depending on the operating system access to other resources are blocked as well (ex. inter process communication is isolated on Linux); see [sandbox](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-sandbox) in the Nix manual for details.
 
-In pull requests for [nixpkgs](https://github.com/NixOS/nixpkgs/) people are asked to test builds with sandboxing enabled (see `Tested using sandboxing` in the pull request template) because in [Hydra](https://nixos.org/hydra/) sandboxing is also used.
+Sandboxing is not enabled by default in Nix due to a small performance hit on each build. In pull requests for [nixpkgs](https://github.com/NixOS/nixpkgs/) people are asked to test builds with sandboxing enabled (see `Tested using sandboxing` in the pull request template) because in [Hydra](https://nixos.org/hydra/) sandboxing is also used.
 
-If you are on Linux, sandboxing is enabled by default.
-On other platforms, sandboxing is disabled by default due to a small performance hit on each build.
+Depending if you use NixOS or other platforms you can use one of the following methods to enable sandboxing **before** building the package:
 
-Please enable sandboxing **before** building the package by adding the following to: `/etc/nix/nix.conf`:
+- **Globally enable sandboxing on NixOS**: add the following to `configuration.nix`
+
+  ```nix
+  nix.settings.sandbox = true;
+  ```
+
+- **Globally enable sandboxing on non-NixOS platforms**: add the following to: `/etc/nix/nix.conf`
 
   ```ini
   sandbox = true
@@ -271,7 +273,7 @@ Once a pull request has been merged into `master`, a backport pull request to th
 
 ### Automatically backporting changes
 
-> [!Note]
+> **Note**
 > You have to be a [Nixpkgs maintainer](./maintainers) to automatically create a backport pull request.
 
 Add the [`backport release-YY.MM` label](https://github.com/NixOS/nixpkgs/labels?q=backport) to the pull request on the `master` branch.
@@ -283,17 +285,16 @@ This can be done on both open or already merged pull requests.
 To manually create a backport pull request, follow [the standard pull request process][pr-create], with these notable differences:
 
 - Use `release-YY.MM` for the base branch, both for the local branch and the pull request.
-
-> [!Warning]
-> Do not use the `nixos-YY.MM` branch, that is a branch pointing to the tested release channel commit
+  > **Warning**
+  > Do not use the `nixos-YY.MM` branch, that is a branch pointing to the tested release channel commit
 
 - Instead of manually making and committing the changes, use [`git cherry-pick -x`](https://git-scm.com/docs/git-cherry-pick) for each commit from the pull request you'd like to backport.
   Either `git cherry-pick -x <commit>` when the reason for the backport is obvious (such as minor versions, fixes, etc.), otherwise use `git cherry-pick -xe <commit>` to add a reason for the backport to the commit message.
   Here is [an example](https://github.com/nixos/nixpkgs/commit/5688c39af5a6c5f3d646343443683da880eaefb8) of this.
 
-> [!Warning]
-> Ensure the commits exists on the master branch.
-> In the case of squashed or rebased merges, the commit hash will change and the new commits can be found in the merge message at the bottom of the master pull request.
+  > **Warning**
+  > Ensure the commits exists on the master branch.
+  > In the case of squashed or rebased merges, the commit hash will change and the new commits can be found in the merge message at the bottom of the master pull request.
 
 - In the pull request description, link to the original pull request to `master`.
   The pull request title should include `[YY.MM]` matching the release you're backporting to.
@@ -304,7 +305,7 @@ To manually create a backport pull request, follow [the standard pull request pr
 ## How to review pull requests
 [pr-review]: #how-to-review-pull-requests
 
-> [!Warning]
+> **Warning**
 > The following section is a draft, and the policy for reviewing is still being discussed in issues such as [#11166](https://github.com/NixOS/nixpkgs/issues/11166) and [#20836](https://github.com/NixOS/nixpkgs/issues/20836).
 
 The Nixpkgs project receives a fairly high number of contributions via GitHub pull requests. Reviewing and approving these is an important task and a way to contribute to the project.
@@ -321,7 +322,7 @@ All the review template samples provided in this section are generic and meant a
 
 To get more information about how to review specific parts of Nixpkgs, refer to the documents linked to in the [overview section][overview].
 
-If a pull request contains documentation changes that might require feedback from the documentation team, ping [@NixOS/documentation-team](https://github.com/orgs/nixos/teams/documentation-team) on the pull request.
+If a pull request contains documentation changes that might require feedback from the documentation team, ping @NixOS/documentation-team on the pull request.
 
 If you consider having enough knowledge and experience in a topic and would like to be a long-term reviewer for related submissions, please contact the current reviewers for that topic. They will give you information about the reviewing process. The main reviewers for a topic can be hard to find as there is no list, but checking past pull requests to see who reviewed or git-blaming the code to see who committed to that topic can give some hints.
 
@@ -330,14 +331,7 @@ Container system, boot system and library changes are some examples of the pull
 ## How to merge pull requests
 [pr-merge]: #how-to-merge-pull-requests
 
-To streamline automated updates, leverage the nixpkgs-merge-bot by simply commenting `@NixOS/nixpkgs-merge-bot merge`. The bot will verify if the following conditions are met, refusing to merge otherwise:
-
-- the commenter that issued the command should be among the package maintainers;
-- the package should reside in `pkgs/by-name`.
-
-Further, nixpkgs-merge-bot will ensure all ofBorg checks (except the Darwin-related ones) are successfully completed before merging the pull request. Should the checks still be underway, the bot patiently waits for ofBorg to finish before attempting the merge again.
-
-For other pull requests, the *Nixpkgs committers* are people who have been given
+The *Nixpkgs committers* are people who have been given
 permission to merge.
 
 It is possible for community members that have enough knowledge and experience on a special topic to contribute by merging pull requests.
@@ -366,7 +360,7 @@ See [Nix Channel Status](https://status.nixos.org/) for the current channels and
 Here's a brief overview of the main Git branches and what channels they're used for:
 
 - `master`: The main branch, used for the unstable channels such as `nixpkgs-unstable`, `nixos-unstable` and `nixos-unstable-small`.
-- `release-YY.MM` (e.g. `release-24.05`): The NixOS release branches, used for the stable channels such as `nixos-24.05`, `nixos-24.05-small` and `nixpkgs-24.05-darwin`.
+- `release-YY.MM` (e.g. `release-23.05`): The NixOS release branches, used for the stable channels such as `nixos-23.05`, `nixos-23.05-small` and `nixpkgs-23.05-darwin`.
 
 When a channel is updated, a corresponding Git branch is also updated to point to the corresponding commit.
 So e.g. the [`nixpkgs-unstable` branch](https://github.com/nixos/nixpkgs/tree/nixpkgs-unstable) corresponds to the Git commit from the [`nixpkgs-unstable` channel](https://channels.nixos.org/nixpkgs-unstable).
@@ -379,20 +373,18 @@ See [this section][branch] to know when to use the release branches.
 [staging]: #staging
 
 The staging workflow exists to batch Hydra builds of many packages together.
-It is coordinated in the [Staging room](https://matrix.to/#/#staging:nixos.org) on Matrix.
 
 It works by directing commits that cause [mass rebuilds][mass-rebuild] to a separate `staging` branch that isn't directly built by Hydra.
 Regularly, the `staging` branch is _manually_ merged into a `staging-next` branch to be built by Hydra using the [`nixpkgs:staging-next` jobset](https://hydra.nixos.org/jobset/nixpkgs/staging-next).
-The `staging-next` branch should then only receive changes that fix Hydra builds;
-**for anything else, ask the [Staging room](https://matrix.to/#/#staging:nixos.org) first**.
-Once it is verified that there are no major regressions, it is merged into `master` using [a pull request](https://github.com/NixOS/nixpkgs/pulls?q=head%3Astaging-next).
+The `staging-next` branch should then only receive direct commits in order to fix Hydra builds.
+Once it is verified that there are no major regressions, it is merged into `master` using [a pull requests](https://github.com/NixOS/nixpkgs/pulls?q=head%3Astaging-next).
 This is done manually in order to ensure it's a good use of Hydra's computing resources.
 By keeping the `staging-next` branch separate from `staging`, this batching does not block developers from merging changes into `staging`.
 
 In order for the `staging` and `staging-next` branches to be up-to-date with the latest commits on `master`, there are regular _automated_ merges from `master` into `staging-next` and `staging`.
 This is implemented using GitHub workflows [here](.github/workflows/periodic-merge-6h.yml) and [here](.github/workflows/periodic-merge-24h.yml).
 
-> [!Note]
+> **Note**
 > Changes must be sufficiently tested before being merged into any branch.
 > Hydra builds should not be used as testing platform.
 
@@ -448,14 +440,14 @@ gitGraph
 
 Here's an overview of the different branches:
 
-| branch | `master` | `staging-next` | `staging` |
+| branch | `master` | `staging` | `staging-next` |
 | --- | --- | --- | --- |
-| Used for development | ✔️ | ❌ | ✔️ |
-| Built by Hydra | ✔️ | ✔️ | ❌ |
-| [Mass rebuilds][mass-rebuild] | ❌ | ⚠️  Only to fix Hydra builds | ✔️ |
-| Critical security fixes | ✔️ for non-mass-rebuilds | ✔️ for mass-rebuilds | ❌ |
-| Automatically merged into | `staging-next` | `staging` | - |
-| Manually merged into | - | `master` | `staging-next` |
+| Used for development | ✔️ | ✔️ | ❌ |
+| Built by Hydra | ✔️ | ❌ | ✔️ |
+| [Mass rebuilds][mass-rebuild] | ❌ | ✔️ | ⚠️  Only to fix Hydra builds |
+| Critical security fixes | ✔️ for non-mass-rebuilds | ❌ | ✔️ for mass-rebuilds |
+| Automatically merged into | `staging-next` | - | `staging` |
+| Manually merged into | - | `staging-next` | `master` |
 
 The staging workflow is used for all main branches, `master` and `release-YY.MM`, with corresponding names:
 - `master`/`release-YY.MM`
@@ -521,7 +513,6 @@ To get a sense for what changes are considered mass rebuilds, see [previously me
 - Check for unnecessary whitespace with `git diff --check` before committing.
 
 - If you have commits `pkg-name: oh, forgot to insert whitespace`: squash commits in this case. Use `git rebase -i`.
-  See [Squashing Commits](https://git-scm.com/book/en/v2/Git-Tools-Rewriting-History#_squashing) for additional information.
 
 - For consistency, there should not be a period at the end of the commit message's summary line (the first line of the commit message).
 
@@ -557,28 +548,151 @@ Names of files and directories should be in lowercase, with dashes between words
 
 ### Syntax
 
-- Set up [editorconfig](https://editorconfig.org/) for your editor, such that [the settings](./.editorconfig) are automatically applied.
+- Use 2 spaces of indentation per indentation level in Nix expressions, 4 spaces in shell scripts.
+
+- Do not use tab characters, i.e. configure your editor to use soft tabs. For instance, use `(setq-default indent-tabs-mode nil)` in Emacs. Everybody has different tab settings so it’s asking for trouble.
 
 - Use `lowerCamelCase` for variable names, not `UpperCamelCase`. Note, this rule does not apply to package attribute names, which instead follow the rules in [package naming](./pkgs/README.md#package-naming).
 
-- New files must be formatted by entering the `nix-shell` from the repository root and running `nixfmt`.
-
-- Functions should list their expected arguments as precisely as possible. That is, write
+- Function calls with attribute set arguments are written as
 
   ```nix
-  { stdenv, fetchurl, perl }: <...>
+  foo {
+    arg = ...;
+  }
   ```
 
-  instead of
+  not
 
   ```nix
-  args: with args; <...>
+  foo
+  {
+    arg = ...;
+  }
+  ```
+
+  Also fine is
+
+  ```nix
+  foo { arg = ...; }
+  ```
+
+  if it's a short call.
+
+- In attribute sets or lists that span multiple lines, the attribute names or list elements should be aligned:
+
+  ```nix
+  # A long list.
+  list = [
+    elem1
+    elem2
+    elem3
+  ];
+
+  # A long attribute set.
+  attrs = {
+    attr1 = short_expr;
+    attr2 =
+      if true then big_expr else big_expr;
+  };
+
+  # Combined
+  listOfAttrs = [
+    {
+      attr1 = 3;
+      attr2 = "fff";
+    }
+    {
+      attr1 = 5;
+      attr2 = "ggg";
+    }
+  ];
+  ```
+
+- Short lists or attribute sets can be written on one line:
+
+  ```nix
+  # A short list.
+  list = [ elem1 elem2 elem3 ];
+
+  # A short set.
+  attrs = { x = 1280; y = 1024; };
+  ```
+
+- Breaking in the middle of a function argument can give hard-to-read code, like
+
+  ```nix
+  someFunction { x = 1280;
+    y = 1024; } otherArg
+    yetAnotherArg
+  ```
+
+  (especially if the argument is very large, spanning multiple lines).
+
+  Better:
+
+  ```nix
+  someFunction
+    { x = 1280; y = 1024; }
+    otherArg
+    yetAnotherArg
   ```
 
   or
 
   ```nix
-  { stdenv, fetchurl, perl, ... }: <...>
+  let res = { x = 1280; y = 1024; };
+  in someFunction res otherArg yetAnotherArg
+  ```
+
+- The bodies of functions, asserts, and withs are not indented to prevent a lot of superfluous indentation levels, i.e.
+
+  ```nix
+  { arg1, arg2 }:
+  assert system == "i686-linux";
+  stdenv.mkDerivation { ...
+  ```
+
+  not
+
+  ```nix
+  { arg1, arg2 }:
+    assert system == "i686-linux";
+      stdenv.mkDerivation { ...
+  ```
+
+- Function formal arguments are written as:
+
+  ```nix
+  { arg1, arg2, arg3 }:
+  ```
+
+  but if they don't fit on one line they're written as:
+
+  ```nix
+  { arg1, arg2, arg3
+  , arg4, ...
+  , # Some comment...
+    argN
+  }:
+  ```
+
+- Functions should list their expected arguments as precisely as possible. That is, write
+
+  ```nix
+  { stdenv, fetchurl, perl }: ...
+  ```
+
+  instead of
+
+  ```nix
+  args: with args; ...
+  ```
+
+  or
+
+  ```nix
+  { stdenv, fetchurl, perl, ... }: ...
   ```
 
   For functions that are truly generic in the number of arguments (such as wrappers around `mkDerivation`) that have some required arguments, you should write them using an `@`-pattern:
@@ -587,7 +701,7 @@ Names of files and directories should be in lowercase, with dashes between words
   { stdenv, doCoverageAnalysis ? false, ... } @ args:
 
   stdenv.mkDerivation (args // {
-    foo = if doCoverageAnalysis then "bla" else "";
+    ... if doCoverageAnalysis then "bla" else "" ...
   })
   ```
 
@@ -597,40 +711,32 @@ Names of files and directories should be in lowercase, with dashes between words
   args:
 
   args.stdenv.mkDerivation (args // {
-    foo = if args ? doCoverageAnalysis && args.doCoverageAnalysis then "bla" else "";
+    ... if args ? doCoverageAnalysis && args.doCoverageAnalysis then "bla" else "" ...
   })
   ```
 
 - Unnecessary string conversions should be avoided. Do
 
   ```nix
-  {
-    rev = version;
-  }
+  rev = version;
   ```
 
   instead of
 
   ```nix
-  {
-    rev = "${version}";
-  }
+  rev = "${version}";
   ```
 
 - Building lists conditionally _should_ be done with `lib.optional(s)` instead of using `if cond then [ ... ] else null` or `if cond then [ ... ] else [ ]`.
 
   ```nix
-  {
-    buildInputs = lib.optional stdenv.isDarwin iconv;
-  }
+  buildInputs = lib.optional stdenv.isDarwin iconv;
   ```
 
   instead of
 
   ```nix
-  {
-    buildInputs = if stdenv.isDarwin then [ iconv ] else null;
-  }
+  buildInputs = if stdenv.isDarwin then [ iconv ] else null;
   ```
 
   As an exception, an explicit conditional expression with null can be used when fixing a important bug without triggering a mass rebuild.

COPYING

@@ -1,4 +1,4 @@
-Copyright (c) 2003-2024 Eelco Dolstra and the Nixpkgs/NixOS contributors
+Copyright (c) 2003-2023 Eelco Dolstra and the Nixpkgs/NixOS contributors
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

README.md

@@ -1,10 +1,9 @@
 <p align="center">
-  <a href="https://nixos.org">
-    <picture>
-      <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png">
-      <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-      <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/main/public/logo/nixos-hires.png" width="500px" alt="NixOS logo">
-    </picture>
+  <a href="https://nixos.org#gh-light-mode-only">
+    <img src="https://raw.githubusercontent.com/NixOS/nixos-homepage/master/logo/nixos-hires.png" width="500px" alt="NixOS logo"/>
+  </a>
+  <a href="https://nixos.org#gh-dark-mode-only">
+    <img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png" width="500px" alt="NixOS logo"/>
   </a>
 </p>
 
@@ -14,7 +13,7 @@
 </p>
 
 [Nixpkgs](https://github.com/nixos/nixpkgs) is a collection of over
-100,000 software packages that can be installed with the
+80,000 software packages that can be installed with the
 [Nix](https://nixos.org/nix/) package manager. It also implements
 [NixOS](https://nixos.org/nixos/), a purely-functional Linux distribution.
 
@@ -29,8 +28,8 @@
 * [Discourse Forum](https://discourse.nixos.org/)
 * [Matrix Chat](https://matrix.to/#/#community:nixos.org)
 * [NixOS Weekly](https://weekly.nixos.org/)
-* [Official wiki](https://wiki.nixos.org/)
-* [Community-maintained list of ways to get in touch](https://wiki.nixos.org/wiki/Get_In_Touch#Chat) (Discord, Telegram, IRC, etc.)
+* [Community-maintained wiki](https://nixos.wiki/)
+* [Community-maintained list of ways to get in touch](https://nixos.wiki/wiki/Get_In_Touch#Chat) (Discord, Telegram, IRC, etc.)
 
 # Other Project Repositories
 
@@ -52,9 +51,9 @@ Nixpkgs and NixOS are built and tested by our continuous integration
 system, [Hydra](https://hydra.nixos.org/).
 
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for the NixOS 24.05 release](https://hydra.nixos.org/jobset/nixos/release-24.05)
+* [Continuous package builds for the NixOS 23.11 release](https://hydra.nixos.org/jobset/nixos/release-23.11)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for the NixOS 24.05 release](https://hydra.nixos.org/job/nixos/release-24.05/tested#tabs-constituents)
+* [Tests for the NixOS 23.11 release](https://hydra.nixos.org/job/nixos/release-23.11/tested#tabs-constituents)
 
 Artifacts successfully built with Hydra are published to cache at
 https://cache.nixos.org/. When successful build and test criteria are

ci/README.md

@@ -1,12 +0,0 @@
-# CI support files
-
-This directory contains files to support CI, such as [GitHub Actions](https://github.com/NixOS/nixpkgs/tree/master/.github/workflows) and [Ofborg](https://github.com/nixos/ofborg).
-This is in contrast with [`maintainers/scripts`](`../maintainers/scripts`) which is for human use instead.
-
-## Pinned Nixpkgs
-
-CI may need certain packages from Nixpkgs.
-In order to ensure that the needed packages are generally available without building,
-[`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra.
-
-Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it.

ci/pinned-nixpkgs.json

@@ -1,4 +0,0 @@
-{
-  "rev": "521d48afa9ae596930a95325529df27fa7135ff5",
-  "sha256": "0a1pa5azw990narsfipdli1wng4nc3vhvrp00hb8v1qfchcq7dc9"
-}

ci/update-pinned-nixpkgs.sh

@@ -1,17 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p jq
-
-set -euo pipefail
-
-# https://stackoverflow.com/a/246128
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-
-repo=https://github.com/nixos/nixpkgs
-branch=nixpkgs-unstable
-file=$SCRIPT_DIR/pinned-nixpkgs.json
-
-defaultRev=$(git ls-remote "$repo" refs/heads/"$branch" | cut -f1)
-rev=${1:-$defaultRev}
-sha256=$(nix-prefetch-url --unpack "$repo/archive/$rev.tar.gz" --name source)
-
-jq -n --arg rev "$rev" --arg sha256 "$sha256" '$ARGS.named' | tee /dev/stderr > $file

doc/README.md

@@ -1,18 +1,14 @@
-# Contributing to the Nixpkgs reference manual
+# Contributing to the Nixpkgs manual
 
-This directory houses the sources files for the Nixpkgs reference manual.
-
-Going forward, it should only contain [reference](https://nix.dev/contributing/documentation/diataxis#reference) documentation.
-For tutorials, guides and explanations, contribute to <https://nix.dev/> instead.
-
-For documentation only relevant for contributors, use Markdown files and code comments in the source code.
-
-Rendered documentation:
-- [Unstable (from master)](https://nixos.org/manual/nixpkgs/unstable/)
-- [Stable (from latest release)](https://nixos.org/manual/nixpkgs/stable/)
+This directory houses the sources files for the Nixpkgs manual.
 
+You can find the [rendered documentation for Nixpkgs `unstable` on nixos.org](https://nixos.org/manual/nixpkgs/unstable/).
 The rendering tool is [nixos-render-docs](../pkgs/tools/nix/nixos-render-docs/src/nixos_render_docs), sometimes abbreviated `nrd`.
 
+[Docs for Nixpkgs stable](https://nixos.org/manual/nixpkgs/stable/) are also available.
+
+If you're only getting started with Nix, go to [nixos.org/learn](https://nixos.org/learn).
+
 ## Contributing to this documentation
 
 You can quickly check your edits with `nix-build`:
@@ -52,7 +48,7 @@ It uses the widely compatible [header attributes](https://github.com/jgm/commonm
 ## Syntax {#sec-contributing-markup}
 ```
 
-> [!Note]
+> **Note**
 > NixOS option documentation does not support headings in general.
 
 #### Inline Anchors
@@ -62,7 +58,7 @@ Allow linking arbitrary place in the text (e.g. individual list items, sentences
 They are defined using a hybrid of the link syntax with the attributes syntax known from headings, called [bracketed spans](https://github.com/jgm/commonmark-hs/blob/master/commonmark-extensions/test/bracketed_spans.md):
 
 ```markdown
-- []{#ssec-gnome-hooks-glib} `glib` setup hook will populate `GSETTINGS_SCHEMAS_PATH` and then `wrapGApps*` hook will prepend it to `XDG_DATA_DIRS`.
+- []{#ssec-gnome-hooks-glib} `glib` setup hook will populate `GSETTINGS_SCHEMAS_PATH` and then `wrapGAppsHook` will prepend it to `XDG_DATA_DIRS`.
 ```
 
 #### Automatic links
@@ -71,11 +67,6 @@ If you **omit a link text** for a link pointing to a section, the text will be s
 
 This syntax is taken from [MyST](https://myst-parser.readthedocs.io/en/latest/using/syntax.html#targets-and-cross-referencing).
 
-
-#### HTML
-
-Inlining HTML is not allowed. Parts of the documentation gets rendered to various non-HTML formats, such as man pages in the case of NixOS manual.
-
 #### Roles
 
 If you want to link to a man page, you can use `` {manpage}`nix.conf(5)` ``. The references will turn into links when a mapping exists in [`doc/manpage-urls.json`](./manpage-urls.json).
@@ -106,24 +97,11 @@ This is a warning
 
 The following are supported:
 
-- `caution`
-- `important`
-- `note`
-- `tip`
-- `warning`
-- `example`
-
-Example admonitions require a title to work.
-If you don't provide one, the manual won't be built.
-
-```markdown
-::: {.example #ex-showing-an-example}
-
-# Title for this example
-
-Text for the example.
-:::
-```
+- [`caution`](https://tdg.docbook.org/tdg/5.0/caution.html)
+- [`important`](https://tdg.docbook.org/tdg/5.0/important.html)
+- [`note`](https://tdg.docbook.org/tdg/5.0/note.html)
+- [`tip`](https://tdg.docbook.org/tdg/5.0/tip.html)
+- [`warning`](https://tdg.docbook.org/tdg/5.0/warning.html)
 
 #### [Definition lists](https://github.com/jgm/commonmark-hs/blob/master/commonmark-extensions/test/definition_lists.md)
 
@@ -157,192 +135,3 @@ watermelon
     Closes #216321.
 
 - If the commit contains more than just documentation changes, follow the commit message format relevant for the rest of the changes.
-
-## Documentation conventions
-
-In an effort to keep the Nixpkgs manual in a consistent style, please follow the conventions below, unless they prevent you from properly documenting something.
-In that case, please open an issue about the particular documentation convention and tag it with a "needs: documentation" label.
-When needed, each convention explain why it exists, so you can make a decision whether to follow it or not based on your particular case.
-Note that these conventions are about the **structure** of the manual (and its source files), not about the content that goes in it.
-You, as the writer of documentation, are still in charge of its content.
-
-- Put each sentence in its own line.
-  This makes reviews and suggestions much easier, since GitHub's review system is based on lines.
-  It also helps identifying long sentences at a glance.
-
-- Use the [admonition syntax](#admonitions) for callouts and examples.
-
-- Provide at least one example per function, and make examples self-contained.
-  This is easier to understand for beginners.
-  It also helps with testing that it actually works – especially once we introduce automation.
-
-  Example code should be such that it can be passed to `pkgs.callPackage`.
-  Instead of something like:
-
-  ```nix
-  pkgs.dockerTools.buildLayeredImage {
-    name = "hello";
-    contents = [ pkgs.hello ];
-  }
-  ```
-
-  Write something like:
-
-  ```nix
-  { dockerTools, hello }:
-  dockerTools.buildLayeredImage {
-    name = "hello";
-    contents = [ hello ];
-  }
-  ```
-
-- When showing inputs/outputs of any [REPL](https://en.wikipedia.org/wiki/Read%E2%80%93eval%E2%80%93print_loop), such as a shell or the Nix REPL, use a format as you'd see in the REPL, while trying to visually separate inputs from outputs.
-  This means that for a shell, you should use a format like the following:
-  ```shell
-  $ nix-build -A hello '<nixpkgs>' \
-    --option require-sigs false \
-    --option trusted-substituters file:///tmp/hello-cache \
-    --option substituters file:///tmp/hello-cache
-  /nix/store/zhl06z4lrfrkw5rp0hnjjfrgsclzvxpm-hello-2.12.1
-  ```
-  Note how the input is preceded by `$` on the first line and indented on subsequent lines, and how the output is provided as you'd see on the shell.
-
-  For the Nix REPL, you should use a format like the following:
-  ```shell
-  nix-repl> builtins.attrNames { a = 1; b = 2; }
-  [ "a" "b" ]
-  ```
-  Note how the input is preceded by `nix-repl>` and the output is provided as you'd see on the Nix REPL.
-
-- When documenting functions or anything that has inputs/outputs and example usage, use nested headings to clearly separate inputs, outputs, and examples.
-  Keep examples as the last nested heading, and link to the examples wherever applicable in the documentation.
-
-  The purpose of this convention is to provide a familiar structure for navigating the manual, so any reader can expect to find content related to inputs in an "inputs" heading, examples in an "examples" heading, and so on.
-  An example:
-  ```
-  ## buildImage
-
-  Some explanation about the function here.
-  Describe a particular scenario, and point to [](#ex-dockerTools-buildImage), which is an example demonstrating it.
-
-  ### Inputs
-
-  Documentation for the inputs of `buildImage`.
-  Perhaps even point to [](#ex-dockerTools-buildImage) again when talking about something specifically linked to it.
-
-  ### Passthru outputs
-
-  Documentation for any passthru outputs of `buildImage`.
-
-  ### Examples
-
-  Note that this is the last nested heading in the `buildImage` section.
-
-  :::{.example #ex-dockerTools-buildImage}
-
-  # Using `buildImage`
-
-  Example of how to use `buildImage` goes here.
-
-  :::
-  ```
-
-- Use [definition lists](#definition-lists) to document function arguments, and the attributes of such arguments as well as their [types](https://nixos.org/manual/nix/stable/language/values).
-  For example:
-
-  ```markdown
-  # pkgs.coolFunction
-
-  Description of what `coolFunction` does.
-
-  ## Inputs
-
-  `coolFunction` expects a single argument which should be an attribute set, with the following possible attributes:
-
-  `name` (String)
-
-  : The name of the resulting image.
-
-  `tag` (String; _optional_)
-
-  : Tag of the generated image.
-
-    _Default:_ the output path's hash.
-  ```
-
-#### Examples
-
-To define a referenceable figure use the following fencing:
-
-```markdown
-:::{.example #an-attribute-set-example}
-# An attribute set example
-
-You can add text before
-
-    ```nix
-    { a = 1; b = 2;}
-    ```
-
-and after code fencing
-:::
-```
-
-Defining examples through the `example` fencing class adds them to a "List of Examples" section after the Table of Contents.
-Though this is not shown in the rendered documentation on nixos.org.
-
-#### Figures
-
-To define a referenceable figure use the following fencing:
-
-```markdown
-::: {.figure #nixos-logo}
-# NixOS Logo
-![NixOS logo](./nixos_logo.png)
-:::
-```
-
-Defining figures through the `figure` fencing class adds them to a `List  of Figures` after the `Table of Contents`.
-Though this is not shown in the rendered documentation on nixos.org.
-
-#### Footnotes
-
-To add a foonote explanation, use the following syntax:
-
-```markdown
-Sometimes it's better to add context [^context] in a footnote.
-
-[^context]: This explanation will be rendered at the end of the chapter.
-```
-
-#### Inline comments
-
-Inline comments are supported with following syntax:
-
-```markdown
-<!-- This is an inline comment -->
-```
-
-The comments will not be rendered in the rendered HTML.
-
-#### Link reference definitions
-
-Links can reference a label, for example, to make the link target reusable:
-
-```markdown
-::: {.note}
-Reference links can also be used to [shorten URLs][url-id] and keep the markdown readable.
-:::
-
-[url-id]: https://github.com/NixOS/nixpkgs/blob/19d4f7dc485f74109bd66ef74231285ff797a823/doc/README.md
-```
-
-This syntax is taken from [CommonMark](https://spec.commonmark.org/0.30/#link-reference-definitions).
-
-#### Typographic replacements
-
-Typographic replacements are enabled. Check the [list of possible replacement patterns check](https://github.com/executablebooks/markdown-it-py/blob/3613e8016ecafe21709471ee0032a90a4157c2d1/markdown_it/rules_core/replacements.py#L1-L15).
-
-## Getting help
-
-If you need documentation-specific help or reviews, ping [@NixOS/documentation-team](https://github.com/orgs/nixos/teams/documentation-team) on your pull request.

doc/anchor-use.js

@@ -1,3 +0,0 @@
-document.addEventListener('DOMContentLoaded', function(event) {
-  anchors.add('h1[id]:not(div.note h1, div.warning h1, div.tip h1, div.caution h1, div.important h1), h2[id]:not(div.note h2, div.warning h2, div.tip h2, div.caution h2, div.important h2), h3[id]:not(div.note h3, div.warning h3, div.tip h3, div.caution h3, div.important h3), h4[id]:not(div.note h4, div.warning h4, div.tip h4, div.caution h4, div.important h4), h5[id]:not(div.note h5, div.warning h5, div.tip h5, div.caution h5, div.important h5), h6[id]:not(div.note h6, div.warning h6, div.tip h6, div.caution h6, div.important h6)');
-});

doc/build-helpers.md

@@ -20,7 +20,6 @@ There is no uniform interface for build helpers.
 build-helpers/fetchers.chapter.md
 build-helpers/trivial-build-helpers.chapter.md
 build-helpers/testers.chapter.md
-build-helpers/dev-shell-tools.chapter.md
 build-helpers/special.md
 build-helpers/images.md
 hooks/index.md

doc/build-helpers/dev-shell-tools.chapter.md

@@ -1,75 +0,0 @@
-# Development Shell helpers {#chap-devShellTools}
-
-The `nix-shell` command has popularized the concept of transient shell environments for development or testing purposes.
-<!--
-  We should try to document the product, not its development process in the Nixpkgs reference manual,
-  but *something* needs to be said to provide context for this library.
-  This is the most future proof sentence I could come up with while Nix itself does yet make use of this.
-  Relevant is the current status of the devShell attribute "project": https://github.com/NixOS/nix/issues/7501
-  -->
-However, `nix-shell` is not the only way to create such environments, and even `nix-shell` itself can indirectly benefit from this library.
-
-This library provides a set of functions that help create such environments.
-
-## `devShellTools.valueToString` {#sec-devShellTools-valueToString}
-
-Converts Nix values to strings in the way the [`derivation` built-in function](https://nix.dev/manual/nix/2.23/language/derivations) does.
-
-:::{.example}
-## `valueToString` usage examples
-
-```nix
-devShellTools.valueToString (builtins.toFile "foo" "bar")
-=> "/nix/store/...-foo"
-```
-
-```nix
-devShellTools.valueToString false
-=> ""
-```
-
-:::
-
-## `devShellTools.unstructuredDerivationInputEnv` {#sec-devShellTools-unstructuredDerivationInputEnv}
-
-Convert a set of derivation attributes (as would be passed to [`derivation`]) to a set of environment variables that can be used in a shell script.
-This function does not support `__structuredAttrs`, but does support `passAsFile`.
-
-:::{.example}
-## `unstructuredDerivationInputEnv` usage example
-
-```nix
-devShellTools.unstructuredDerivationInputEnv {
-  drvAttrs = {
-    name = "foo";
-    buildInputs = [ hello figlet ];
-    builder = bash;
-    args = [ "-c" "${./builder.sh}" ];
-  };
-}
-=> {
-  name = "foo";
-  buildInputs = "/nix/store/...-hello /nix/store/...-figlet";
-  builder = "/nix/store/...-bash";
-}
-```
-
-Note that `args` is not included, because Nix does not added it to the builder process environment.
-
-:::
-
-## `devShellTools.derivationOutputEnv` {#sec-devShellTools-derivationOutputEnv}
-
-Takes the relevant parts of a derivation and returns a set of environment variables, that would be present in the derivation.
-
-:::{.example}
-## `derivationOutputEnv` usage example
-
-```nix
-let
-  pkg = hello;
-in
-devShellTools.derivationOutputEnv { outputList = pkg.outputs; outputMap = pkg; }
-```
-
-:::

doc/build-helpers/fetchers.chapter.md

@@ -1,681 +1,84 @@
 # Fetchers {#chap-pkgs-fetchers}
 
 Building software with Nix often requires downloading source code and other files from the internet.
-To this end, we use functions that we call _fetchers_, which obtain remote sources via various protocols and services.
-
-Nix provides built-in fetchers such as [`builtins.fetchTarball`](https://nixos.org/manual/nix/stable/language/builtins.html#builtins-fetchTarball).
-Nixpkgs provides its own fetchers, which work differently:
+To this end, Nixpkgs provides *fetchers*: functions to obtain remote sources via various protocols and services.
 
+Nixpkgs fetchers differ from built-in fetchers such as [`builtins.fetchTarball`](https://nixos.org/manual/nix/stable/language/builtins.html#builtins-fetchTarball):
 - A built-in fetcher will download and cache files at evaluation time and produce a [store path](https://nixos.org/manual/nix/stable/glossary#gloss-store-path).
-  A Nixpkgs fetcher will create a ([fixed-output](https://nixos.org/manual/nix/stable/glossary#gloss-fixed-output-derivation)) [derivation](https://nixos.org/manual/nix/stable/glossary#gloss-derivation), and files are downloaded at build time.
+  A Nixpkgs fetcher will create a ([fixed-output](https://nixos.org/manual/nix/stable/glossary#gloss-fixed-output-derivation)) [derivation](https://nixos.org/manual/nix/stable/language/derivations), and files are downloaded at build time.
 - Built-in fetchers will invalidate their cache after [`tarball-ttl`](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-tarball-ttl) expires, and will require network activity to check if the cache entry is up to date.
-  Nixpkgs fetchers only re-download if the specified hash changes or the store object is not available.
+  Nixpkgs fetchers only re-download if the specified hash changes or the store object is not otherwise available.
 - Built-in fetchers do not use [substituters](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-substituters).
   Derivations produced by Nixpkgs fetchers will use any configured binary cache transparently.
 
-This significantly reduces the time needed to evaluate Nixpkgs, and allows [Hydra](https://nixos.org/hydra) to retain and re-distribute sources used by Nixpkgs in the [public binary cache](https://cache.nixos.org).
-For these reasons, Nix's built-in fetchers are not allowed in Nixpkgs.
+This significantly reduces the time needed to evaluate the entirety of Nixpkgs, and allows [Hydra](https://nixos.org/hydra) to retain and re-distribute sources used by Nixpkgs in the [public binary cache](https://cache.nixos.org).
+For these reasons, built-in fetchers are not allowed in Nixpkgs source code.
 
-The following table summarises the differences:
+The following table shows an overview of the differences:
 
 | Fetchers | Download | Output | Cache | Re-download when |
 |-|-|-|-|-|
 | `builtins.fetch*` | evaluation time | store path | `/nix/store`, `~/.cache/nix` | `tarball-ttl` expires, cache miss in `~/.cache/nix`, output store object not in local store |
 | `pkgs.fetch*` | build time | derivation | `/nix/store`, substituters | output store object not available |
 
-:::{.tip}
-`pkgs.fetchFrom*` helpers retrieve _snapshots_ of version-controlled sources, as opposed to the entire version history, which is more efficient.
-`pkgs.fetchgit` by default also has the same behaviour, but can be changed through specific attributes given to it.
-:::
-
 ## Caveats {#chap-pkgs-fetchers-caveats}
 
-Because Nixpkgs fetchers are fixed-output derivations, an [output hash](https://nixos.org/manual/nix/stable/language/advanced-attributes#adv-attr-outputHash) has to be specified, usually indirectly through a `hash` attribute.
-This hash refers to the derivation output, which can be different from the remote source itself!
-
-This has the following implications that you should be aware of:
-
-- Use Nix (or Nix-aware) tooling to produce the output hash.
-
-- When changing any fetcher parameters, always update the output hash.
-  Use one of the methods from [](#sec-pkgs-fetchers-updating-source-hashes).
-  Otherwise, existing store objects that match the output hash will be re-used rather than fetching new content.
-
-  :::{.note}
-  A similar problem arises while testing changes to a fetcher's implementation.
-  If the output of the derivation already exists in the Nix store, test failures can go undetected.
-  The [`invalidateFetcherByDrvHash`](#tester-invalidateFetcherByDrvHash) function helps prevent reusing cached derivations.
-  :::
-
-## Updating source hashes {#sec-pkgs-fetchers-updating-source-hashes}
-
-There are several ways to obtain the hash corresponding to a remote source.
-Unless you understand how the fetcher you're using calculates the hash from the downloaded contents, you should use [the fake hash method](#sec-pkgs-fetchers-updating-source-hashes-fakehash-method).
-
-1. []{#sec-pkgs-fetchers-updating-source-hashes-fakehash-method} The fake hash method: In your package recipe, set the hash to one of
-
-   - `""`
-   - `lib.fakeHash`
-   - `lib.fakeSha256`
-   - `lib.fakeSha512`
-
-   Attempt to build, extract the calculated hashes from error messages, and put them into the recipe.
-
-   :::{.warning}
-   You must use one of these four fake hashes and not some arbitrarily-chosen hash.
-   See [](#sec-pkgs-fetchers-secure-hashes) for details.
-   :::
-
-   :::{.example #ex-fetchers-update-fod-hash}
-   # Update source hash with the fake hash method
-
-   Consider the following recipe that produces a plain file:
-
-   ```nix
-   { fetchurl }:
-   fetchurl {
-     url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.05/.version";
-     hash = "sha256-ZHl1emidXVojm83LCVrwULpwIzKE/mYwfztVkvpruOM=";
-   }
-   ```
-
-   A common mistake is to update a fetcher parameter, such as `url`, without updating the hash:
-
-   ```nix
-   { fetchurl }:
-   fetchurl {
-     url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version";
-     hash = "sha256-ZHl1emidXVojm83LCVrwULpwIzKE/mYwfztVkvpruOM=";
-   }
-   ```
-
-   **This will produce the same output as before!**
-   Set the hash to an empty string:
-
-   ```nix
-   { fetchurl }:
-   fetchurl {
-     url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version";
-     hash = "";
-   }
-   ```
-
-   When building the package, use the error message to determine the correct hash:
-
-   ```shell
-   $ nix-build
-   (some output removed for clarity)
-   error: hash mismatch in fixed-output derivation '/nix/store/7yynn53jpc93l76z9zdjj4xdxgynawcw-version.drv':
-           specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-               got:    sha256-BZqI7r0MNP29yGH5+yW2tjU9OOpOCEvwWKrWCv5CQ0I=
-   error: build of '/nix/store/bqdjcw5ij5ymfbm41dq230chk9hdhqff-version.drv' failed
-   ```
-   :::
-
-2. Prefetch the source with [`nix-prefetch-<type> <URL>`](https://search.nixos.org/packages?buckets={%22package_attr_set%22%3A[%22No%20package%20set%22]%2C%22package_license_set%22%3A[]%2C%22package_maintainers_set%22%3A[]%2C%22package_platforms%22%3A[]}&query=nix-prefetch), where `<type>` is one of
-
-   - `url`
-   - `git`
-   - `hg`
-   - `cvs`
-   - `bzr`
-   - `svn`
-
-   The hash is printed to stdout.
-
-3. Prefetch by package source (with `nix-prefetch-url '<nixpkgs>' -A <package>.src`, where `<package>` is package attribute name).
-   The hash is printed to stdout.
-
-   This works well when you've upgraded the existing package version and want to find out new hash, but is useless if the package can't be accessed by attribute or the package has multiple sources (`.srcs`, architecture-dependent sources, etc).
-
-4. Upstream hash: use it when upstream provides `sha256` or `sha512`.
-   Don't use it when upstream provides `md5`, compute `sha256` instead.
-
-   A little nuance is that `nix-prefetch-*` tools produce hashes with the `nix32` encoding (a Nix-specific base32 adaptation), but upstream usually provides hexadecimal (`base16`) encoding.
-   Fetchers understand both formats.
-   Nixpkgs does not standardise on any one format.
-
-   You can convert between hash formats with [`nix-hash`](https://nixos.org/manual/nix/stable/command-ref/nix-hash).
-
-5. Extract the hash from a local source archive with `sha256sum`.
-   Use `nix-prefetch-url file:///path/to/archive` if you want the custom Nix `base32` hash.
-
-## Obtaining hashes securely {#sec-pkgs-fetchers-secure-hashes}
-
-It's always a good idea to avoid Man-in-the-Middle (MITM) attacks when downloading source contents.
-Otherwise, you could unknowingly download malware instead of the intended source, and instead of the actual source hash, you'll end up using the hash of malware.
-Here are security considerations for this scenario:
-
-- `http://` URLs are not secure to prefetch hashes.
-
-- Upstream hashes should be obtained via a secure protocol.
-
-- `https://` URLs give you more protections when using `nix-prefetch-*` or for upstream hashes.
-
-- `https://` URLs are secure when using the [fake hash method](#sec-pkgs-fetchers-updating-source-hashes-fakehash-method) *only if* you use one of the listed fake hashes.
-  If you use any other hash, the download will be exposed to MITM attacks even if you use HTTPS URLs.
-
-  In more concrete terms, if you use any other hash, the [`--insecure` flag](https://curl.se/docs/manpage.html#-k) will be passed to the underlying call to `curl` when downloading content.
-
-[]{#fetchurl}
-## `fetchurl` {#sec-pkgs-fetchers-fetchurl}
-
-`fetchurl` returns a [fixed-output derivation](https://nixos.org/manual/nix/stable/glossary.html#gloss-fixed-output-derivation) which downloads content from a given URL and stores the unaltered contents within the Nix store.
-
-It uses {manpage}`curl(1)` internally, and allows its behaviour to be modified by specifying a few attributes in the argument to `fetchurl` (see the documentation for attributes `curlOpts`, `curlOptsList`, and `netrcPhase`).
-
-The resulting [store path](https://nixos.org/manual/nix/stable/store/store-path) is determined by the hash given to `fetchurl`, and also the `name` (or `pname` and `version`) values.
-
-If neither `name` nor `pname` and `version` are specified when calling `fetchurl`, it will default to using the [basename](https://nixos.org/manual/nix/stable/language/builtins.html#builtins-baseNameOf) of `url` or the first element of `urls`.
-If `pname` and `version` are specified, `fetchurl` will use those values and will ignore `name`, even if it is also specified.
-
-### Inputs {#sec-pkgs-fetchers-fetchurl-inputs}
-
-`fetchurl` requires an attribute set with the following attributes:
-
-`url` (String; _optional_)
-: The URL to download from.
-
-  :::{.note}
-  Either `url` or `urls` must be specified, but not both.
-  :::
-
-  All URLs of the format [specified here](https://curl.se/docs/url-syntax.html#rfc-3986-plus) are supported.
-
-  _Default value:_ `""`.
-
-`urls` (List of String; _optional_)
-: A list of URLs, specifying download locations for the same content.
-  Each URL will be tried in order until one of them succeeds with some content or all of them fail.
-  See [](#ex-fetchers-fetchurl-nixpkgs-version-multiple-urls) to understand how this attribute affects the behaviour of `fetchurl`.
-
-  :::{.note}
-  Either `url` or `urls` must be specified, but not both.
-  :::
-
-  _Default value:_ `[]`.
-
-`hash` (String; _optional_)
-: Hash of the derivation output of `fetchurl`, following the format for integrity metadata as defined by [SRI](https://www.w3.org/TR/SRI/).
-  For more information, see [](#chap-pkgs-fetchers-caveats).
-
-  :::{.note}
-  It is recommended that you use the `hash` attribute instead of the other hash-specific attributes that exist for backwards compatibility.
-
-  If `hash` is not specified, you must specify `outputHash` and `outputHashAlgo`, or one of `sha512`, `sha256`, or `sha1`.
-  :::
-
-  _Default value:_ `""`.
-
-`outputHash` (String; _optional_)
-: Hash of the derivation output of `fetchurl` in the format expected by Nix.
-  See [the documentation on the Nix manual](https://nixos.org/manual/nix/stable/language/advanced-attributes.html#adv-attr-outputHash) for more information about its format.
-
-  :::{.note}
-  It is recommended that you use the `hash` attribute instead.
-
-  If `outputHash` is specified, you must also specify `outputHashAlgo`.
-  :::
-
-  _Default value:_ `""`.
-
-`outputHashAlgo` (String; _optional_)
-: Algorithm used to generate the value specified in `outputHash`.
-  See [the documentation on the Nix manual](https://nixos.org/manual/nix/stable/language/advanced-attributes.html#adv-attr-outputHashAlgo) for more information about the values it supports.
-
-  :::{.note}
-  It is recommended that you use the `hash` attribute instead.
-
-  The value specified in `outputHashAlgo` will be ignored if `outputHash` isn't also specified.
-  :::
-
-  _Default value:_ `""`.
-
-`sha1` (String; _optional_)
-: SHA-1 hash of the derivation output of `fetchurl` in the format expected by Nix.
-  See [the documentation on the Nix manual](https://nixos.org/manual/nix/stable/language/advanced-attributes.html#adv-attr-outputHash) for more information about its format.
-
-  :::{.note}
-  It is recommended that you use the `hash` attribute instead.
-  :::
-
-  _Default value:_ `""`.
-
-`sha256` (String; _optional_)
-: SHA-256 hash of the derivation output of `fetchurl` in the format expected by Nix.
-  See [the documentation on the Nix manual](https://nixos.org/manual/nix/stable/language/advanced-attributes.html#adv-attr-outputHash) for more information about its format.
-
-  :::{.note}
-  It is recommended that you use the `hash` attribute instead.
-  :::
-
-  _Default value:_ `""`.
-
-`sha512` (String; _optional_)
-: SHA-512 hash of the derivation output of `fetchurl` in the format expected by Nix.
-  See [the documentation on the Nix manual](https://nixos.org/manual/nix/stable/language/advanced-attributes.html#adv-attr-outputHash) for more information about its format.
-
-  :::{.note}
-  It is recommended that you use the `hash` attribute instead.
-  :::
-
-  _Default value:_ `""`.
-
-`name` (String; _optional_)
-: The symbolic name of the downloaded file when saved in the Nix store.
-  See [the `fetchurl` overview](#sec-pkgs-fetchers-fetchurl) for details on how the name of the file is decided.
-
-  _Default value:_ `""`.
-
-`pname` (String; _optional_)
-: A base name, which will be combined with `version` to form the symbolic name of the downloaded file when saved in the Nix store.
-  See [the `fetchurl` overview](#sec-pkgs-fetchers-fetchurl) for details on how the name of the file is decided.
-
-  :::{.note}
-  If `pname` is specified, you must also specify `version`, otherwise `fetchurl` will ignore the value of `pname`.
-  :::
-
-  _Default value:_ `""`.
-
-`version` (String; _optional_)
-: A version, which will be combined with `pname` to form the symbolic name of the downloaded file when saved in the Nix store.
-  See [the `fetchurl` overview](#sec-pkgs-fetchers-fetchurl) for details on how the name of the file is decided.
-
-  _Default value:_ `""`.
-
-`recursiveHash` (Boolean; _optional_) []{#sec-pkgs-fetchers-fetchurl-inputs-recursiveHash}
-: If set to `true`, will signal to Nix that the hash given to `fetchurl` was calculated using the `"recursive"` mode.
-  See [the documentation on the Nix manual](https://nixos.org/manual/nix/stable/language/advanced-attributes.html#adv-attr-outputHashMode) for more information about the existing modes.
-
-  By default, `fetchurl` uses `"recursive"` mode when the `executable` attribute is set to `true`, so you don't need to specify `recursiveHash` in this case.
-
-  _Default value:_ `false`.
-
-`executable` (Boolean; _optional_)
-: If `true`, sets the executable bit on the downloaded file.
-
-  _Default value_: `false`.
-
-`downloadToTemp` (Boolean; _optional_) []{#sec-pkgs-fetchers-fetchurl-inputs-downloadToTemp}
-: If `true`, saves the downloaded file to a temporary location instead of the expected Nix store location.
-  This is useful when used in conjunction with `postFetch` attribute, otherwise `fetchurl` will not produce any meaningful output.
-
-  The location of the downloaded file will be set in the `$downloadedFile` variable, which should be used by the script in the `postFetch` attribute.
-  See [](#ex-fetchers-fetchurl-nixpkgs-version-postfetch) to understand how to work with this attribute.
-
-  _Default value:_ `false`.
-
-`postFetch` (String; _optional_)
-: Script executed after the file has been downloaded successfully, and before `fetchurl` finishes running.
-  Useful for post-processing, to check or transform the file in some way.
-  See [](#ex-fetchers-fetchurl-nixpkgs-version-postfetch) to understand how to work with this attribute.
-
-  _Default value:_ `""`.
-
-`netrcPhase` (String or Null; _optional_)
-: Script executed to create a {manpage}`netrc(5)` file to be used with {manpage}`curl(1)`.
-  The script should create the `netrc` file (note that it does not begin with a ".") in the directory it's currently running in (`$PWD`).
-
-  The script is executed during the setup done by `fetchurl` before it runs any of its code to download the specified content.
-
-  :::{.note}
-  If specified, `fetchurl` will automatically alter its invocation of {manpage}`curl(1)` to use the `netrc` file, so you don't need to add anything to `curlOpts` or `curlOptsList`.
-  :::
-
-  :::{.caution}
-  Since `netrcPhase` needs to be specified in your source Nix code, any secrets that you put directly in it will be world-readable by design (both in your source code, and when the derivation gets created in the Nix store).
-
-  If you want to avoid this behaviour, see the documentation of `netrcImpureEnvVars` for an alternative way of dealing with these secrets.
-  :::
-
-  _Default value_: `null`.
-
-`netrcImpureEnvVars` (List of String; _optional_)
-: If specified, `fetchurl` will add these environment variable names to the list of [impure environment variables](https://nixos.org/manual/nix/stable/language/advanced-attributes.html#adv-attr-impureEnvVars), which will be passed from the environment of the calling user to the builder running the `fetchurl` code.
-
-  This is useful when used with `netrcPhase` to hide any secrets that are used in it, because the script in `netrcPhase` only needs to reference the environment variables with the secrets in them instead.
-  However, note that these are called _impure_ variables for a reason:
-  the environment that starts the build needs to have these variables declared for everything to work properly, which means that additional setup is required outside what Nix controls.
-
-  _Default value:_ `[]`.
-
-`curlOpts` (String; _optional_)
-: If specified, this value will be appended to the invocation of {manpage}`curl(1)` when downloading the URL(s) given to `fetchurl`.
-  Multiple arguments can be separated by spaces normally, but values with whitespaces will be interpreted as multiple arguments (instead of a single value), even if the value is escaped.
-  See `curlOptsList` for a way to pass values with whitespaces in them.
-
-  _Default value:_ `""`.
-
-`curlOptsList` (List of String; _optional_)
-: If specified, each element of this list will be passed as an argument to the invocation of {manpage}`curl(1)` when downloading the URL(s) given to `fetchurl`.
-  This allows passing values that contain spaces, with no escaping needed.
-
-  _Default value:_ `[]`.
-
-`showURLs` (Boolean; _optional_)
-: If set to `true`, this will stop `fetchurl` from downloading anything at all.
-  Instead, it will output a list of all the URLs it would've used to download the content (after resolving `mirror://` URLs, for example).
-  This is useful for debugging.
-
-  _Default value:_ `false`.
-
-`meta` (Attribute Set; _optional_)
-: Specifies any [meta-attributes](#chap-meta) for the derivation returned by `fetchurl`.
-
-  _Default value:_ `{}`.
-
-`passthru` (Attribute Set; _optional_)
-: Specifies any extra [`passthru`](#chap-passthru) attributes for the derivation returned by `fetchurl`.
-  Note that `fetchurl` defines [`passthru` attributes of its own](#ssec-pkgs-fetchers-fetchurl-passthru-outputs).
-  Attributes specified in `passthru` can override the default attributes returned by `fetchurl`.
-
-  _Default value:_ `{}`.
-
-`preferLocalBuild` (Boolean; _optional_)
-: This is the same attribute as [defined in the Nix manual](https://nixos.org/manual/nix/stable/language/advanced-attributes.html#adv-attr-preferLocalBuild).
-  It is `true` by default because making a remote machine download the content just duplicates network traffic (since the local machine might download the results from the derivation anyway), but this could be useful in cases where network access is restricted on local machines.
-
-  _Default value:_ `true`.
-
-`nativeBuildInputs` (List of Attribute Set; _optional_)
-: Additional packages needed to download the content.
-  This is useful if you need extra packages for `postFetch` or `netrcPhase`, for example.
-  Has the same semantics as in [](#var-stdenv-nativeBuildInputs).
-  See [](#ex-fetchers-fetchurl-nixpkgs-version-postfetch) to understand how this can be used with `postFetch`.
-
-  _Default value:_ `[]`.
-
-### Passthru outputs {#ssec-pkgs-fetchers-fetchurl-passthru-outputs}
-
-`fetchurl` also defines its own [`passthru`](#chap-passthru) attributes:
-
-`url` (String)
-
-: The same `url` attribute passed in the argument to `fetchurl`.
-
-### Examples {#ssec-pkgs-fetchers-fetchurl-examples}
-
-:::{.example #ex-fetchers-fetchurl-nixpkgs-version}
-# Using `fetchurl` to download a file
-
-The following package downloads a small file from a URL and shows the most common way to use `fetchurl`:
+The fact that the hash belongs to the Nix derivation output and not the file itself can lead to confusion.
+For example, consider the following fetcher:
 
 ```nix
-{ fetchurl }:
 fetchurl {
-  url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version";
-  hash = "sha256-BZqI7r0MNP29yGH5+yW2tjU9OOpOCEvwWKrWCv5CQ0I=";
-}
+  url = "http://www.example.org/hello-1.0.tar.gz";
+  hash = "sha256-lTeyxzJNQeMdu1IVdovNMtgn77jRIhSybLdMbTkf2Ww=";
+};
 ```
 
-After building the package, the file will be downloaded and place into the Nix store:
-
-```shell
-$ nix-build
-(output removed for clarity)
-/nix/store/4g9y3x851wqrvim4zcz5x2v3zivmsq8n-version
-
-$ cat /nix/store/4g9y3x851wqrvim4zcz5x2v3zivmsq8n-version
-23.11
-```
-:::
-
-:::{.example #ex-fetchers-fetchurl-nixpkgs-version-multiple-urls}
-# Using `fetchurl` to download a file with multiple possible URLs
-
-The following package adapts [](#ex-fetchers-fetchurl-nixpkgs-version) to use multiple URLs.
-The first URL was crafted to intentionally return an error to illustrate how `fetchurl` will try multiple URLs until it finds one that works (or all URLs fail).
+A common mistake is to update a fetcher’s URL, or a version parameter, without updating the hash.
 
 ```nix
-{ fetchurl }:
 fetchurl {
-  urls = [
-    "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/does-not-exist"
-    "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version"
-  ];
-  hash = "sha256-BZqI7r0MNP29yGH5+yW2tjU9OOpOCEvwWKrWCv5CQ0I=";
-}
+  url = "http://www.example.org/hello-1.1.tar.gz";
+  hash = "sha256-lTeyxzJNQeMdu1IVdovNMtgn77jRIhSybLdMbTkf2Ww=";
+};
 ```
 
-After building the package, both URLs will be used to download the file:
-
-```shell
-$ nix-build
-(some output removed for clarity)
-trying https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/does-not-exist
-(some output removed for clarity)
-curl: (22) The requested URL returned error: 404
-
-trying https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version
-(some output removed for clarity)
-/nix/store/n9asny31z32q7sdw6a8r1gllrsfy53kl-does-not-exist
-
-$ cat /nix/store/n9asny31z32q7sdw6a8r1gllrsfy53kl-does-not-exist
-23.11
-```
-
-However, note that the name of the file was derived from the first URL (this is further explained in [the `fetchurl` overview](#sec-pkgs-fetchers-fetchurl)).
-To ensure the result will have the same name regardless of which URLs are used, we can modify the package:
+**This will reuse the old contents**.
+Remember to invalidate the hash argument, in this case by setting the `hash` attribute to an empty string.
 
 ```nix
-{ fetchurl }:
 fetchurl {
-  name = "nixpkgs-version";
-  urls = [
-    "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/does-not-exist"
-    "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version"
-  ];
-  hash = "sha256-BZqI7r0MNP29yGH5+yW2tjU9OOpOCEvwWKrWCv5CQ0I=";
-}
+  url = "http://www.example.org/hello-1.1.tar.gz";
+  hash = "";
+};
 ```
 
-After building the package, the result will have the name we specified:
+Use the resulting error message to determine the correct hash.
 
-```shell
-$ nix-build
-(output removed for clarity)
-/nix/store/zczb6wl3al6jm9sm5h3pr6nqn0i5ji9z-nixpkgs-version
 ```
-:::
+error: hash mismatch in fixed-output derivation '/path/to/my.drv':
+         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+            got:    sha256-lTeyxzJNQeMdu1IVdovNMtgn77jRIhSybLdMbTkf2Ww=
+```
 
-:::{.example #ex-fetchers-fetchurl-nixpkgs-version-postfetch}
-# Manipulating the content downloaded by `fetchurl`
+A similar problem arises while testing changes to a fetcher's implementation. If the output of the derivation already exists in the Nix store, test failures can go undetected. The [`invalidateFetcherByDrvHash`](#tester-invalidateFetcherByDrvHash) function helps prevent reusing cached derivations.
 
-It might be useful to manipulate the content downloaded by `fetchurl` directly in its derivation.
-In this example, we'll adapt [](#ex-fetchers-fetchurl-nixpkgs-version) to append the result of running the `hello` package to the contents we download, purely to illustrate how to manipulate the content.
+## `fetchurl` and `fetchzip` {#fetchurl}
+
+Two basic fetchers are `fetchurl` and `fetchzip`. Both of these have two required arguments, a URL and a hash. The hash is typically `hash`, although many more hash algorithms are supported. Nixpkgs contributors are currently recommended to use `hash`. This hash will be used by Nix to identify your source. A typical usage of `fetchurl` is provided below.
 
 ```nix
-{ fetchurl, hello, lib }:
-fetchurl {
-  url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version";
+{ stdenv, fetchurl }:
 
-  nativeBuildInputs = [ hello ];
-
-  downloadToTemp = true;
-  postFetch = ''
-    ${lib.getExe hello} >> $downloadedFile
-    mv $downloadedFile $out
-  '';
-
-  hash = "sha256-ceooQQYmDx5+0nfg40uU3NNI2yKrixP7HZ/xLZUNv+w=";
+stdenv.mkDerivation {
+  name = "hello";
+  src = fetchurl {
+    url = "http://www.example.org/hello.tar.gz";
+    hash = "sha256-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";
+  };
 }
 ```
 
-After building the package, the resulting file will have "Hello, world!" appended to it:
-
-```shell
-$ nix-build
-(output removed for clarity)
-/nix/store/ifi6pp7q0ag5h7c5v9h1c1c7bhd10c7f-version
-
-$ cat /nix/store/ifi6pp7q0ag5h7c5v9h1c1c7bhd10c7f-version
-23.11
-Hello, world!
-```
-
-Note that the `hash` specified in the package is different than the hash specified in [](#ex-fetchers-fetchurl-nixpkgs-version), because the contents of the output have changed (even though the actual file that was downloaded is the same).
-See [](#chap-pkgs-fetchers-caveats) for more details on how to work with the `hash` attribute when the output changes.
-:::
-
-## `fetchzip` {#sec-pkgs-fetchers-fetchzip}
-
-Returns a [fixed-output derivation](https://nixos.org/manual/nix/stable/glossary.html#gloss-fixed-output-derivation) which downloads an archive from a given URL and decompresses it.
-
-Despite its name, `fetchzip` is not limited to `.zip` files but can also be used with [various compressed tarball formats](#tar-files) by default.
-This can extended by specifying additional attributes, see [](#ex-fetchers-fetchzip-rar-archive) to understand how to do that.
-
-### Inputs {#sec-pkgs-fetchers-fetchzip-inputs}
-
-`fetchzip` requires an attribute set, and most attributes are passed to the underlying call to [`fetchurl`](#sec-pkgs-fetchers-fetchurl).
-
-The attributes below are treated differently by `fetchzip` when compared to what `fetchurl` expects:
-
-`name` (String; _optional_)
-: Works as defined in `fetchurl`, but has a different default value than `fetchurl`.
-
-  _Default value:_ `"source"`.
-
-`nativeBuildInputs` (List of Attribute Set; _optional_)
-: Works as defined in `fetchurl`, but it is also augmented by `fetchzip` to include packages to deal with additional archives (such as `.zip`).
-
-  _Default value:_ `[]`.
-
-`postFetch` (String; _optional_)
-: Works as defined in `fetchurl`, but it is also augmented with the code needed to make `fetchzip` work.
-
-  :::{.caution}
-  It is only safe to modify files in `$out` in `postFetch`.
-  Consult the implementation of `fetchzip` for anything more involved.
-  :::
-
-  _Default value:_ `""`.
-
-`stripRoot` (Boolean; _optional_)
-: If `true`, the decompressed contents are moved one level up the directory tree.
-
-  This is useful for archives that decompress into a single directory which commonly includes some values that change with time, such as version numbers.
-  When this is the case (and `stripRoot` is `true`), `fetchzip` will remove this directory and make the decompressed contents available in the top-level directory.
-
-  [](#ex-fetchers-fetchzip-simple-striproot) shows what this attribute does.
-
-  This attribute is **not** passed through to `fetchurl`.
-
-  _Default value:_ `true`.
-
-`extension` (String or Null; _optional_)
-: If set, the archive downloaded by `fetchzip` will be renamed to a filename with the extension specified in this attribute.
-
-  This is useful when making `fetchzip` support additional types of archives, because the implementation may use the extension of an archive to determine whether they can decompress it.
-  If the URL you're using to download the contents doesn't end with the extension associated with the archive, use this attribute to fix the filename of the archive.
-
-  This attribute is **not** passed through to `fetchurl`.
-
-  _Default value:_ `null`.
-
-`recursiveHash` (Boolean; _optional_)
-: Works [as defined in `fetchurl`](#sec-pkgs-fetchers-fetchurl-inputs-recursiveHash), but its default value is different than for `fetchurl`.
-
-  _Default value:_ `true`.
-
-`downloadToTemp` (Boolean; _optional_)
-: Works [as defined in `fetchurl`](#sec-pkgs-fetchers-fetchurl-inputs-downloadToTemp), but its default value is different than for `fetchurl`.
-
-  _Default value:_ `true`.
-
-`extraPostFetch` **DEPRECATED**
-: This attribute is deprecated.
-  Please use `postFetch` instead.
-
-  This attribute is **not** passed through to `fetchurl`.
-
-### Examples {#sec-pkgs-fetchers-fetchzip-examples}
-
-::::{.example #ex-fetchers-fetchzip-simple-striproot}
-# Using `fetchzip` to output contents directly
-
-The following recipe shows how to use `fetchzip` to decompress a `.tar.gz` archive:
-
-```nix
-{ fetchzip }:
-fetchzip {
-  url = "https://github.com/NixOS/patchelf/releases/download/0.18.0/patchelf-0.18.0.tar.gz";
-  hash = "sha256-3ABYlME9R8klcpJ7MQpyFEFwHmxDDEzIYBqu/CpDYmg=";
-}
-```
-
-This archive has all its contents in a directory named `patchelf-0.18.0`.
-This means that after decompressing, you'd have to enter this directory to see the contents of the archive.
-However, `fetchzip` makes this easier through the attribute `stripRoot` (enabled by default).
-
-After building the recipe, the derivation output will show all the files in the archive at the top level:
-
-```shell
-$ nix-build
-(output removed for clarity)
-/nix/store/1b7h3fvmgrcddvs0m299hnqxlgli1yjw-source
-
-$ ls /nix/store/1b7h3fvmgrcddvs0m299hnqxlgli1yjw-source
-aclocal.m4  completions  configure.ac  m4           Makefile.in  patchelf.spec     README.md  tests
-build-aux   configure    COPYING       Makefile.am  patchelf.1   patchelf.spec.in  src        version
-```
-
-If `stripRoot` is set to `false`, the derivation output will be the decompressed archive as-is:
-
-```nix
-{ fetchzip }:
-fetchzip {
-  url = "https://github.com/NixOS/patchelf/releases/download/0.18.0/patchelf-0.18.0.tar.gz";
-  hash = "sha256-uv3FuKE4DqpHT3yfE0qcnq0gYjDNQNKZEZt2+PUAneg=";
-  stripRoot = false;
-}
-```
-
-:::{.caution}
-The hash changed!
-Whenever changing attributes of a Nixpkgs fetcher, [remember to invalidate the hash](#chap-pkgs-fetchers-caveats), otherwise you won't get the results you're expecting!
-:::
-
-After building the recipe:
-
-```shell
-$ nix-build
-(output removed for clarity)
-/nix/store/2hy5bxw7xgbgxkn0i4x6hjr8w3dbx16c-source
-
-$ ls /nix/store/2hy5bxw7xgbgxkn0i4x6hjr8w3dbx16c-source
-patchelf-0.18.0
-```
-::::
-
-::::{.example #ex-fetchers-fetchzip-rar-archive}
-# Using `fetchzip` to decompress a `.rar` file
-
-The `unrar` package provides a [setup hook](#ssec-setup-hooks) to decompress `.rar` archives during the [unpack phase](#ssec-unpack-phase), which can be used with `fetchzip` to decompress those archives:
-
-```nix
-{ fetchzip, unrar }:
-fetchzip {
-  url = "https://archive.org/download/SpaceCadet_Plus95/Space_Cadet.rar";
-  hash = "sha256-fC+zsR8BY6vXpUkVd6i1jF0IZZxVKVvNi6VWCKT+pA4=";
-  stripRoot = false;
-  nativeBuildInputs = [ unrar ];
-}
-```
-
-Since this particular `.rar` file doesn't put its contents in a directory inside the archive, `stripRoot` must be set to `false`.
-
-After building the recipe, the derivation output will show the decompressed files:
-
-```shell
-$ nix-build
-(output removed for clarity)
-/nix/store/zpn7knxfva6rfjja2gbb4p3l9w1f0d36-source
-
-$ ls /nix/store/zpn7knxfva6rfjja2gbb4p3l9w1f0d36-source
-FONT.DAT      PINBALL.DAT  PINBALL.EXE	PINBALL2.MID  TABLE.BMP    WMCONFIG.EXE
-MSCREATE.DIR  PINBALL.DOC  PINBALL.MID	Sounds	     WAVEMIX.INF
-```
-::::
+The main difference between `fetchurl` and `fetchzip` is in how they store the contents. `fetchurl` will store the unaltered contents of the URL within the Nix store. `fetchzip` on the other hand, will decompress the archive for you, making files and directories directly accessible in the future. `fetchzip` can only be used with archives. Despite the name, `fetchzip` is not limited to .zip files and can also be used with any tarball.
 
 ## `fetchpatch` {#fetchpatch}
 
@@ -716,7 +119,7 @@ Here is an example of `fetchDebianPatch` in action:
 buildPythonPackage rec {
   pname = "pysimplesoap";
   version = "1.16.2";
-  src = <...>;
+  src = ...;
 
   patches = [
     (fetchDebianPatch {
@@ -727,7 +130,7 @@ buildPythonPackage rec {
     })
   ];
 
-  # ...
+  ...
 }
 ```
 
@@ -836,7 +239,7 @@ This is a useful last-resort workaround for license restrictions that prohibit r
 If the requested file is present in the Nix store, the resulting derivation will not be built, because its expected output is already available.
 Otherwise, the builder will run, but fail with a message explaining to the user how to provide the file. The following code, for example:
 
-```nix
+```
 requireFile {
   name = "jdk-${version}_linux-x64_bin.tar.gz";
   url = "https://www.oracle.com/java/technologies/javase-jdk11-downloads.html";
@@ -855,21 +258,17 @@ or
 
 ***
 ```
-
-This function should only be used by non-redistributable software with an unfree license that we need to require the user to download manually.
-It produces packages that cannot be built automatically.
-
 ## `fetchtorrent` {#fetchtorrent}
 
 `fetchtorrent` expects two arguments. `url` which can either be a Magnet URI (Magnet Link) such as `magnet:?xt=urn:btih:dd8255ecdc7ca55fb0bbf81323d87062db1f6d1c` or an HTTP URL pointing to a `.torrent` file. It can also take a `config` argument which will craft a `settings.json` configuration file and give it to `transmission`, the underlying program that is performing the fetch. The available config options for `transmission` can be found [here](https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md#options)
 
-```nix
+```
 { fetchtorrent }:
 
 fetchtorrent {
   config = { peer-limit-global = 100; };
   url = "magnet:?xt=urn:btih:dd8255ecdc7ca55fb0bbf81323d87062db1f6d1c";
-  hash = "";
+  sha256 = "";
 }
 ```
 

doc/build-helpers/images.md

@@ -6,6 +6,7 @@ This chapter describes tools for creating various types of images.
 images/appimagetools.section.md
 images/dockertools.section.md
 images/ocitools.section.md
+images/snaptools.section.md
 images/portableservice.section.md
 images/makediskimage.section.md
 images/binarycache.section.md

doc/build-helpers/images/appimagetools.section.md

@@ -1,167 +1,48 @@
 # pkgs.appimageTools {#sec-pkgs-appimageTools}
 
-`pkgs.appimageTools` is a set of functions for extracting and wrapping [AppImage](https://appimage.org/) files.
-They are meant to be used if traditional packaging from source is infeasible, or if it would take too long.
-To quickly run an AppImage file, `pkgs.appimage-run` can be used as well.
+`pkgs.appimageTools` is a set of functions for extracting and wrapping [AppImage](https://appimage.org/) files. They are meant to be used if traditional packaging from source is infeasible, or it would take too long. To quickly run an AppImage file, `pkgs.appimage-run` can be used as well.
 
 ::: {.warning}
 The `appimageTools` API is unstable and may be subject to backwards-incompatible changes in the future.
 :::
 
+## AppImage formats {#ssec-pkgs-appimageTools-formats}
+
+There are different formats for AppImages, see [the specification](https://github.com/AppImage/AppImageSpec/blob/74ad9ca2f94bf864a4a0dac1f369dd4f00bd1c28/draft.md#image-format) for details.
+
+- Type 1 images are ISO 9660 files that are also ELF executables.
+- Type 2 images are ELF executables with an appended filesystem.
+
+They can be told apart with `file -k`:
+
+```ShellSession
+$ file -k type1.AppImage
+type1.AppImage: ELF 64-bit LSB executable, x86-64, version 1 (SYSV) ISO 9660 CD-ROM filesystem data 'AppImage' (Lepton 3.x), scale 0-0,
+spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 0.000000, dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=d629f6099d2344ad82818172add1d38c5e11bc6d, stripped\012- data
+
+$ file -k type2.AppImage
+type2.AppImage: ELF 64-bit LSB executable, x86-64, version 1 (SYSV) (Lepton 3.x), scale 232-60668, spot sensor temperature -4.187500, color scheme 15, show scale bar, calibration: offset -0.000000, slope 0.000000 (Lepton 2.x), scale 4111-45000, spot sensor temperature 412442.250000, color scheme 3, minimum point enabled, calibration: offset -75402534979642766821519867692934234112.000000, slope 5815371847733706829839455140374904832.000000, dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=79dcc4e55a61c293c5e19edbd8d65b202842579f, stripped\012- data
+```
+
+Note how the type 1 AppImage is described as an `ISO 9660 CD-ROM filesystem`, and the type 2 AppImage is not.
+
 ## Wrapping {#ssec-pkgs-appimageTools-wrapping}
 
-Use `wrapType2` to wrap any AppImage.
-This will create a FHS environment with many packages [expected to exist](https://github.com/AppImage/pkg2appimage/blob/master/excludelist) for the AppImage to work.
-`wrapType2` expects an argument with the `src` attribute, and either a `name` attribute or `pname` and `version` attributes.
-
-It will eventually call into [`buildFHSEnv`](#sec-fhs-environments), and any extra attributes in the argument to `wrapType2` will be passed through to it.
-This means that you can pass the `extraInstallCommands` attribute, for example, and it will have the same effect as described in [`buildFHSEnv`](#sec-fhs-environments).
-
-::: {.note}
-In the past, `appimageTools` provided both `wrapType1` and `wrapType2`, to be used depending on the type of AppImage that was being wrapped.
-However, [those were unified early 2020](https://github.com/NixOS/nixpkgs/pull/81833), meaning that both `wrapType1` and `wrapType2` have the same behaviour now.
-:::
-
-:::{.example #ex-wrapping-appimage-from-github}
-
-# Wrapping an AppImage from GitHub
+Depending on the type of AppImage you're wrapping, you'll have to use `wrapType1` or `wrapType2`.
 
 ```nix
-{ appimageTools, fetchurl }:
-let
-  pname = "nuclear";
-  version = "0.6.30";
-
+appimageTools.wrapType2 { # or wrapType1
+  name = "patchwork";
   src = fetchurl {
-    url = "https://github.com/nukeop/nuclear/releases/download/v${version}/${pname}-v${version}.AppImage";
-    hash = "sha256-he1uGC1M/nFcKpMM9JKY4oeexJcnzV0ZRxhTjtJz6xw=";
+    url = "https://github.com/ssbc/patchwork/releases/download/v3.11.4/Patchwork-3.11.4-linux-x86_64.AppImage";
+    hash = "sha256-OqTitCeZ6xmWbqYTXp8sDrmVgTNjPZNW0hzUPW++mq4=";
   };
-in
-appimageTools.wrapType2 {
-  inherit pname version src;
+  extraPkgs = pkgs: with pkgs; [ ];
 }
 ```
 
-:::
-
-The argument passed to `wrapType2` can also contain an `extraPkgs` attribute, which allows you to include additional packages inside the FHS environment your AppImage is going to run in.
-`extraPkgs` must be a function that returns a list of packages.
-There are a few ways to learn which dependencies an application needs:
-
-  - Looking through the extracted AppImage files, reading its scripts and running `patchelf` and `ldd` on its executables.
-    This can also be done in `appimage-run`, by setting `APPIMAGE_DEBUG_EXEC=bash`.
+- `name` specifies the name of the resulting image.
+- `src` specifies the AppImage file to extract.
+- `extraPkgs` allows you to pass a function to include additional packages inside the FHS environment your AppImage is going to run in. There are a few ways to learn which dependencies an application needs:
+  - Looking through the extracted AppImage files, reading its scripts and running `patchelf` and `ldd` on its executables. This can also be done in `appimage-run`, by setting `APPIMAGE_DEBUG_EXEC=bash`.
   - Running `strace -vfefile` on the wrapped executable, looking for libraries that can't be found.
-
-:::{.example #ex-wrapping-appimage-with-extrapkgs}
-
-# Wrapping an AppImage with extra packages
-
-```nix
-{ appimageTools, fetchurl }:
-let
-  pname = "irccloud";
-  version = "0.16.0";
-
-  src = fetchurl {
-    url = "https://github.com/irccloud/irccloud-desktop/releases/download/v${version}/IRCCloud-${version}-linux-x86_64.AppImage";
-    sha256 = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
-  };
-in appimageTools.wrapType2 {
-  inherit pname version src;
-  extraPkgs = pkgs: [ pkgs.at-spi2-core ];
-}
-```
-
-:::
-
-## Extracting {#ssec-pkgs-appimageTools-extracting}
-
-Use `extract` if you need to extract the contents of an AppImage.
-This is usually used in Nixpkgs to install extra files in addition to [wrapping](#ssec-pkgs-appimageTools-wrapping) the AppImage.
-`extract` expects an argument with the `src` attribute, and either a `name` attribute or `pname` and `version` attributes.
-
-::: {.note}
-In the past, `appimageTools` provided both `extractType1` and `extractType2`, to be used depending on the type of AppImage that was being extracted.
-However, [those were unified early 2020](https://github.com/NixOS/nixpkgs/pull/81572), meaning that both `extractType1` and `extractType2` have the same behaviour as `extract` now.
-:::
-
-:::{.example #ex-extracting-appimage}
-
-# Extracting an AppImage to install extra files
-
-This example was adapted from a real package in Nixpkgs to show how `extract` is usually used in combination with `wrapType2`.
-Note how `appimageContents` is used in `extraInstallCommands` to install additional files that were extracted from the AppImage.
-
-```nix
-{ appimageTools, fetchurl }:
-let
-  pname = "irccloud";
-  version = "0.16.0";
-
-  src = fetchurl {
-    url = "https://github.com/irccloud/irccloud-desktop/releases/download/v${version}/IRCCloud-${version}-linux-x86_64.AppImage";
-    sha256 = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
-  };
-
-  appimageContents = appimageTools.extract {
-    inherit pname version src;
-  };
-in appimageTools.wrapType2 {
-  inherit pname version src;
-
-  extraPkgs = pkgs: [ pkgs.at-spi2-core ];
-
-  extraInstallCommands = ''
-    mv $out/bin/${pname}-${version} $out/bin/${pname}
-    install -m 444 -D ${appimageContents}/irccloud.desktop $out/share/applications/irccloud.desktop
-    install -m 444 -D ${appimageContents}/usr/share/icons/hicolor/512x512/apps/irccloud.png \
-      $out/share/icons/hicolor/512x512/apps/irccloud.png
-    substituteInPlace $out/share/applications/irccloud.desktop \
-      --replace 'Exec=AppRun' 'Exec=${pname}'
-  '';
-}
-```
-
-:::
-
-The argument passed to `extract` can also contain a `postExtract` attribute, which allows you to execute additional commands after the files are extracted from the AppImage.
-`postExtract` must be a string with commands to run.
-
-:::{.example #ex-extracting-appimage-with-postextract}
-
-# Extracting an AppImage to install extra files, using `postExtract`
-
-This is a rewrite of [](#ex-extracting-appimage) to use `postExtract`.
-
-```nix
-{ appimageTools, fetchurl }:
-let
-  pname = "irccloud";
-  version = "0.16.0";
-
-  src = fetchurl {
-    url = "https://github.com/irccloud/irccloud-desktop/releases/download/v${version}/IRCCloud-${version}-linux-x86_64.AppImage";
-    sha256 = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
-  };
-
-  appimageContents = appimageTools.extract {
-    inherit pname version src;
-    postExtract = ''
-      substituteInPlace $out/irccloud.desktop --replace 'Exec=AppRun' 'Exec=${pname}'
-    '';
-  };
-in appimageTools.wrapType2 {
-  inherit pname version src;
-
-  extraPkgs = pkgs: [ pkgs.at-spi2-core ];
-
-  extraInstallCommands = ''
-    mv $out/bin/${pname}-${version} $out/bin/${pname}
-    install -m 444 -D ${appimageContents}/irccloud.desktop $out/share/applications/irccloud.desktop
-    install -m 444 -D ${appimageContents}/usr/share/icons/hicolor/512x512/apps/irccloud.png \
-      $out/share/icons/hicolor/512x512/apps/irccloud.png
-  '';
-}
-```
-
-:::

doc/build-helpers/images/binarycache.section.md

@@ -1,58 +1,49 @@
 # pkgs.mkBinaryCache {#sec-pkgs-binary-cache}
 
-`pkgs.mkBinaryCache` is a function for creating Nix flat-file binary caches.
-Such a cache exists as a directory on disk, and can be used as a Nix substituter by passing `--substituter file:///path/to/cache` to Nix commands.
+`pkgs.mkBinaryCache` is a function for creating Nix flat-file binary caches. Such a cache exists as a directory on disk, and can be used as a Nix substituter by passing `--substituter file:///path/to/cache` to Nix commands.
 
-Nix packages are most commonly shared between machines using [HTTP, SSH, or S3](https://nixos.org/manual/nix/stable/package-management/sharing-packages.html), but a flat-file binary cache can still be useful in some situations.
-For example, you can copy it directly to another machine, or make it available on a network file system.
-It can also be a convenient way to make some Nix packages available inside a container via bind-mounting.
+Nix packages are most commonly shared between machines using [HTTP, SSH, or S3](https://nixos.org/manual/nix/stable/package-management/sharing-packages.html), but a flat-file binary cache can still be useful in some situations. For example, you can copy it directly to another machine, or make it available on a network file system. It can also be a convenient way to make some Nix packages available inside a container via bind-mounting.
 
-`mkBinaryCache` expects an argument with the `rootPaths` attribute.
-`rootPaths` must be a list of derivations.
-The transitive closure of these derivations' outputs will be copied into the cache.
+Note that this function is meant for advanced use-cases. The more idiomatic way to work with flat-file binary caches is via the [nix-copy-closure](https://nixos.org/manual/nix/stable/command-ref/nix-copy-closure.html) command. You may also want to consider [dockerTools](#sec-pkgs-dockerTools) for your containerization needs.
 
-::: {.note}
-This function is meant for advanced use cases.
-The more idiomatic way to work with flat-file binary caches is via the [nix-copy-closure](https://nixos.org/manual/nix/stable/command-ref/nix-copy-closure.html) command.
-You may also want to consider [dockerTools](#sec-pkgs-dockerTools) for your containerization needs.
-:::
-
-[]{#sec-pkgs-binary-cache-example}
-:::{.example #ex-mkbinarycache-copying-package-closure}
-
-# Copying a package and its closure to another machine with `mkBinaryCache`
+## Example {#sec-pkgs-binary-cache-example}
 
 The following derivation will construct a flat-file binary cache containing the closure of `hello`.
 
 ```nix
-{ mkBinaryCache, hello }:
 mkBinaryCache {
   rootPaths = [hello];
 }
 ```
 
-Build the cache on a machine.
-Note that the command still builds the exact nix package above, but adds some boilerplate to build it directly from an expression.
+- `rootPaths` specifies a list of root derivations. The transitive closure of these derivations' outputs will be copied into the cache.
+
+Here's an example of building and using the cache.
+
+Build the cache on one machine, `host1`:
 
 ```shellSession
-$ nix-build -E 'let pkgs = import <nixpkgs> {}; in pkgs.callPackage ({ mkBinaryCache, hello }: mkBinaryCache { rootPaths = [hello]; }) {}'
-/nix/store/azf7xay5xxdnia4h9fyjiv59wsjdxl0g-binary-cache
+nix-build -E 'with import <nixpkgs> {}; mkBinaryCache { rootPaths = [hello]; }'
 ```
 
-Copy the resulting directory to another machine, which we'll call `host2`:
-
 ```shellSession
-$ scp result host2:/tmp/hello-cache
+/nix/store/cc0562q828rnjqjyfj23d5q162gb424g-binary-cache
 ```
 
-At this point, the cache can be used as a substituter when building derivations on `host2`:
+Copy the resulting directory to the other machine, `host2`:
 
 ```shellSession
-$ nix-build -A hello '<nixpkgs>' \
+scp result host2:/tmp/hello-cache
+```
+
+Substitute the derivation using the flat-file binary cache on the other machine, `host2`:
+```shellSession
+nix-build -A hello '<nixpkgs>' \
   --option require-sigs false \
   --option trusted-substituters file:///tmp/hello-cache \
   --option substituters file:///tmp/hello-cache
-/nix/store/zhl06z4lrfrkw5rp0hnjjfrgsclzvxpm-hello-2.12.1
 ```
 
-:::
+```shellSession
+/nix/store/gl5a41azbpsadfkfmbilh9yk40dh5dl0-hello-2.12.1
+```

doc/build-helpers/images/makediskimage.section.md

@@ -85,14 +85,14 @@ let
 in
   make-disk-image {
     inherit pkgs lib;
-    inherit (evalConfig {
+    config = evalConfig {
       modules = [
         {
           fileSystems."/" = { device = "/dev/vda"; fsType = "ext4"; autoFormat = true; };
           boot.grub.device = "/dev/vda";
         }
       ];
-    }) config;
+    };
     format = "qcow2";
     onlyNixStore = false;
     partitionTableType = "legacy+gpt";
@@ -104,3 +104,5 @@ in
     memSize = 2048; # Qemu VM memory size in megabytes. Defaults to 1024M.
   }
 ```
+
+

doc/build-helpers/images/ocitools.section.md

@@ -1,104 +1,37 @@
 # pkgs.ociTools {#sec-pkgs-ociTools}
 
-`pkgs.ociTools` is a set of functions for creating runtime container bundles according to the [OCI runtime specification v1.0.0](https://github.com/opencontainers/runtime-spec/blob/v1.0.0/spec.md).
-It makes no assumptions about the container runner you choose to use to run the created container.
-
-The set of functions in `pkgs.ociTools` currently does not handle the [OCI image specification](https://github.com/opencontainers/image-spec).
-
-At a high-level an OCI implementation would download an OCI Image then unpack that image into an OCI Runtime filesystem bundle.
-At this point the OCI Runtime Bundle would be run by an OCI Runtime.
-`pkgs.ociTools` provides utilities to create OCI Runtime bundles.
+`pkgs.ociTools` is a set of functions for creating containers according to the [OCI container specification v1.0.0](https://github.com/opencontainers/runtime-spec). Beyond that, it makes no assumptions about the container runner you choose to use to run the created container.
 
 ## buildContainer {#ssec-pkgs-ociTools-buildContainer}
 
-This function creates an OCI runtime container (consisting of a `config.json` and a root filesystem directory) that runs a single command inside of it.
-The nix store of the container will contain all referenced dependencies of the given command.
+This function creates a simple OCI container that runs a single command inside of it. An OCI container consists of a `config.json` and a rootfs directory. The nix store of the container will contain all referenced dependencies of the given command.
 
-This function has an assumption that the container will run on POSIX platforms, and sets configurations (such as the user running the process or certain mounts) according to this assumption.
-Because of this, a container built with `buildContainer` will not work on Windows or other non-POSIX platforms without modifications to the container configuration.
-These modifications aren't supported by `buildContainer`.
-
-For `linux` platforms, `buildContainer` also configures the following namespaces (see {manpage}`unshare(1)`) to isolate the OCI container from the global namespace:
-PID, network, mount, IPC, and UTS.
-
-Note that no user namespace is created, which means that you won't be able to run the container unless you are the `root` user.
-
-### Inputs {#ssec-pkgs-ociTools-buildContainer-inputs}
-
-`buildContainer` expects an argument with the following attributes:
-
-`args` (List of String)
-
-: Specifies a set of arguments to run inside the container.
-  Any packages referenced by `args` will be made available inside the container.
-
-`mounts` (Attribute Set; _optional_)
-
-: Would specify additional mounts that the runtime must make available to the container.
-
-  :::{.warning}
-  As explained in [issue #290879](https://github.com/NixOS/nixpkgs/issues/290879), this attribute is currently ignored.
-  :::
-
-  :::{.note}
-  `buildContainer` includes a minimal set of necessary filesystems to be mounted into the container, and this set can't be changed with the `mounts` attribute.
-  :::
-
-  _Default value:_ `{}`.
-
-`readonly` (Boolean; _optional_)
-
-: If `true`, sets the container's root filesystem as read-only.
-
-  _Default value:_ `false`.
-
-`os` **DEPRECATED**
-
-: Specifies the operating system on which the container filesystem is based on.
-  If specified, its value should follow the [OCI Image Configuration Specification](https://github.com/opencontainers/image-spec/blob/main/config.md#properties).
-  According to the linked specification, all possible values for `$GOOS` in [the Go docs](https://go.dev/doc/install/source#environment) should be valid, but will commonly be one of `darwin` or `linux`.
-
-  _Default value:_ `"linux"`.
-
-`arch` **DEPRECATED**
-
-: Used to specify the architecture for which the binaries in the container filesystem have been compiled.
-  If specified, its value should follow the [OCI Image Configuration Specification](https://github.com/opencontainers/image-spec/blob/main/config.md#properties).
-  According to the linked specification, all possible values for `$GOARCH` in [the Go docs](https://go.dev/doc/install/source#environment) should be valid, but will commonly be one of `386`, `amd64`, `arm`, or `arm64`.
-
-  _Default value:_ `x86_64`.
-
-### Examples {#ssec-pkgs-ociTools-buildContainer-examples}
-
-::: {.example #ex-ociTools-buildContainer-bash}
-# Creating an OCI runtime container that runs `bash`
-
-This example uses `ociTools.buildContainer` to create a simple container that runs `bash`.
+The parameters of `buildContainer` with an example value are described below:
 
 ```nix
-{ ociTools, lib, bash }:
-ociTools.buildContainer {
+buildContainer {
   args = [
-    (lib.getExe bash)
+    (with pkgs;
+      writeScript "run.sh" ''
+        #!${bash}/bin/bash
+        exec ${bash}/bin/bash
+      '').outPath
   ];
 
+  mounts = {
+    "/data" = {
+      type = "none";
+      source = "/var/lib/mydata";
+      options = [ "bind" ];
+    };
+  };
+
   readonly = false;
 }
 ```
 
-As an example of how to run the container generated by this package, we'll use `runc` to start the container.
-Any other tool that supports OCI containers could be used instead.
+- `args` specifies a set of arguments to run inside the container. This is the only required argument for `buildContainer`. All referenced packages inside the derivation will be made available inside the container.
 
-```shell
-$ nix-build
-(some output removed for clarity)
-/nix/store/7f9hgx0arvhzp2a3qphp28rxbn748l25-join
+- `mounts` specifies additional mount points chosen by the user. By default only a minimal set of necessary filesystems are mounted into the container (e.g procfs, cgroupfs)
 
-$ cd /nix/store/7f9hgx0arvhzp2a3qphp28rxbn748l25-join
-$ nix-shell -p runc
-[nix-shell:/nix/store/7f9hgx0arvhzp2a3qphp28rxbn748l25-join]$ sudo runc run ocitools-example
-help
-GNU bash, version 5.2.26(1)-release (x86_64-pc-linux-gnu)
-(some output removed for clarity)
-```
-:::
+- `readonly` makes the container's rootfs read-only if it is set to true. The default value is false `false`.

doc/build-helpers/images/portableservice.section.md

@@ -1,174 +1,81 @@
 # pkgs.portableService {#sec-pkgs-portableService}
 
-`pkgs.portableService` is a function to create [Portable Services](https://systemd.io/PORTABLE_SERVICES/) in a read-only, immutable, `squashfs` raw disk image.
-This lets you use Nix to build images which can be run on many recent Linux distributions.
+`pkgs.portableService` is a function to create _portable service images_,
+as read-only, immutable, `squashfs` archives.
+
+systemd supports a concept of [Portable Services](https://systemd.io/PORTABLE_SERVICES/).
+Portable Services are a delivery method for system services that uses two specific features of container management:
+
+* Applications are bundled. I.e. multiple services, their binaries and
+  all their dependencies are packaged in an image, and are run directly from it.
+* Stricter default security policies, i.e. sandboxing of applications.
+
+This allows using Nix to build images which can be run on many recent Linux distributions.
+
+The primary tool for interacting with Portable Services is `portablectl`,
+and they are managed by the `systemd-portabled` system service.
 
 ::: {.note}
 Portable services are supported starting with systemd 239 (released on 2018-06-22).
 :::
 
-The generated image will contain the file system structure as required by the Portable Services specification, along with the packages given to `portableService` and all of their dependencies.
-When generated, the image will exist in the Nix store with the `.raw` file extension, as required by the specification.
-See [](#ex-portableService-hello) to understand how to use the output of `portableService`.
-
-## Inputs {#ssec-pkgs-portableService-inputs}
-
-`portableService` expects one argument with the following attributes:
-
-`pname` (String)
-
-: The name of the portable service.
-  The generated image will be named according to the template `$pname_$version.raw`, which is supported by the Portable Services specification.
-
-`version` (String)
-
-: The version of the portable service.
-  The generated image will be named according to the template `$pname_$version.raw`, which is supported by the Portable Services specification.
-
-`units` (List of Attribute Set)
-
-: A list of derivations for systemd unit files.
-  Each derivation must produce a single file, and must have a name that starts with the value of `pname` and ends with the suffix of the unit type (e.g. ".service", ".socket", ".timer", and so on).
-  See [](#ex-portableService-hello) to better understand this naming constraint.
-
-`description` (String or Null; _optional_)
-
-: If specified, the value is added as `PORTABLE_PRETTY_NAME` to the `/etc/os-release` file in the generated image.
-  This could be used to provide more information to anyone inspecting the image.
-
-  _Default value:_ `null`.
-
-`homepage` (String or Null; _optional_)
-
-: If specified, the value is added as `HOME_URL` to the `/etc/os-release` file in the generated image.
-  This could be used to provide more information to anyone inspecting the image.
-
-  _Default value:_ `null`.
-
-`symlinks` (List of Attribute Set; _optional_)
-
-: A list of attribute sets in the format `{object, symlink}`.
-  For each item in the list, `portableService` will create a symlink in the path specified by `symlink` (relative to the root of the image) that points to `object`.
-
-  All packages that `object` depends on and their dependencies are automatically copied into the image.
-
-  This can be used to create symlinks for applications that assume some files to exist globally (`/etc/ssl` or `/bin/bash`, for example).
-  See [](#ex-portableService-symlinks) to understand how to do that.
-
-  _Default value:_ `[]`.
-
-`contents` (List of Attribute Set; _optional_)
-
-: A list of additional derivations to be included as-is in the image.
-  These derivations will be included directly in a `/nix/store` directory inside the image.
-
-  _Default value:_ `[]`.
-
-`squashfsTools` (Attribute Set; _optional_)
-
-: Allows you to override the package that provides {manpage}`mksquashfs(1)`, which is used internally by `portableService`.
-
-  _Default value:_ `pkgs.squashfsTools`.
-
-`squash-compression` (String; _optional_)
-
-: Passed as the compression option to {manpage}`mksquashfs(1)`, which is used internally by `portableService`.
-
-  _Default value:_ `"xz -Xdict-size 100%"`.
-
-`squash-block-size` (String; _optional_)
-
-: Passed as the block size option to {manpage}`mksquashfs(1)`, which is used internally by `portableService`.
-
-  _Default value:_ `"1M"`.
-
-## Examples {#ssec-pkgs-portableService-examples}
+A very simple example of using `portableService` is described below:
 
 []{#ex-pkgs-portableService}
-:::{.example #ex-portableService-hello}
-# Building a Portable Service image
-
-The following example builds a Portable Service image with the `hello` package, along with a service unit that runs it.
 
 ```nix
-{ lib, writeText, portableService, hello }:
-let
-  hello-service = writeText "hello.service" ''
-    [Unit]
-    Description=Hello world service
-
-    [Service]
-    Type=oneshot
-    ExecStart=${lib.getExe hello}
-  '';
-in
-portableService {
-  pname = "hello";
-  inherit (hello) version;
-  units = [ hello-service ];
+pkgs.portableService {
+  pname = "demo";
+  version = "1.0";
+  units = [ demo-service demo-socket ];
 }
 ```
 
-After building the package, the generated image can be loaded into a system through {manpage}`portablectl(1)`:
+The above example will build an squashfs archive image in `result/$pname_$version.raw`. The image will contain the
+file system structure as required by the portable service specification, and a subset of the Nix store with all the
+dependencies of the two derivations in the `units` list.
+`units` must be a list of derivations, and their names must be prefixed with the service name (`"demo"` in this case).
+Otherwise `systemd-portabled` will ignore them.
 
-```shell
-$ nix-build
-(some output removed for clarity)
-/nix/store/8c20z1vh7z8w8dwagl8w87b45dn5k6iq-hello-img-2.12.1
-
-$ portablectl attach /nix/store/8c20z1vh7z8w8dwagl8w87b45dn5k6iq-hello-img-2.12.1/hello_2.12.1.raw
-Created directory /etc/systemd/system.attached.
-Created directory /etc/systemd/system.attached/hello.service.d.
-Written /etc/systemd/system.attached/hello.service.d/20-portable.conf.
-Created symlink /etc/systemd/system.attached/hello.service.d/10-profile.conf → /usr/lib/systemd/portable/profile/default/service.conf.
-Copied /etc/systemd/system.attached/hello.service.
-Created symlink /etc/portables/hello_2.12.1.raw → /nix/store/8c20z1vh7z8w8dwagl8w87b45dn5k6iq-hello-img-2.12.1/hello_2.12.1.raw.
-
-$ systemctl start hello
-$ journalctl -u hello
-Feb 28 22:39:16 hostname systemd[1]: Starting Hello world service...
-Feb 28 22:39:16 hostname hello[102887]: Hello, world!
-Feb 28 22:39:16 hostname systemd[1]: hello.service: Deactivated successfully.
-Feb 28 22:39:16 hostname systemd[1]: Finished Hello world service.
-
-$ portablectl detach hello_2.12.1
-Removed /etc/systemd/system.attached/hello.service.
-Removed /etc/systemd/system.attached/hello.service.d/10-profile.conf.
-Removed /etc/systemd/system.attached/hello.service.d/20-portable.conf.
-Removed /etc/systemd/system.attached/hello.service.d.
-Removed /etc/portables/hello_2.12.1.raw.
-Removed /etc/systemd/system.attached.
-```
+::: {.note}
+The `.raw` file extension of the image is required by the portable services specification.
 :::
 
-:::{.example #ex-portableService-symlinks}
-# Specifying symlinks when building a Portable Service image
+Some other options available are:
+- `description`, `homepage`
 
-Some services may expect files or directories to be available globally.
-An example is a service which expects all trusted SSL certificates to exist in a specific location by default.
+  Are added to the `/etc/os-release` in the image and are shown by the portable services tooling.
+  Default to empty values, not added to os-release.
+- `symlinks`
 
-To make things available globally, you must specify the `symlinks` attribute when using `portableService`.
-The following package builds on the package from [](#ex-portableService-hello) to make `/etc/ssl` available globally (this is only for illustrative purposes, because `hello` doesn't use `/etc/ssl`).
+  A list of attribute sets {object, symlink}. Symlinks will be created  in the root filesystem of the image to
+  objects in the Nix store. Defaults to an empty list.
+- `contents`
 
+  A list of additional derivations to be included in the image Nix store, as-is. Defaults to an empty list.
+- `squashfsTools`
+
+  Defaults to `pkgs.squashfsTools`, allows you to override the package that provides `mksquashfs`.
+- `squash-compression`, `squash-block-size`
+
+  Options to `mksquashfs`. Default to `"xz -Xdict-size 100%"` and `"1M"` respectively.
+
+A typical usage of `symlinks` would be:
 ```nix
-{ lib, writeText, portableService, hello, cacert }:
-let
-  hello-service = writeText "hello.service" ''
-    [Unit]
-    Description=Hello world service
-
-    [Service]
-    Type=oneshot
-    ExecStart=${lib.getExe hello}
-  '';
-in
-portableService {
-  pname = "hello";
-  inherit (hello) version;
-  units = [ hello-service ];
   symlinks = [
-    { object = "${cacert}/etc/ssl"; symlink = "/etc/ssl"; }
+    { object = "${pkgs.cacert}/etc/ssl"; symlink = "/etc/ssl"; }
+    { object = "${pkgs.bash}/bin/bash"; symlink = "/bin/sh"; }
+    { object = "${pkgs.php}/bin/php"; symlink = "/usr/bin/php"; }
   ];
-}
 ```
+to create these symlinks for legacy applications that assume them existing globally.
+
+Once the image is created, and deployed on a host in `/var/lib/portables/`, you can attach the image and run the service. As root run:
+```console
+portablectl attach demo_1.0.raw
+systemctl enable --now demo.socket
+systemctl enable --now demo.service
+```
+::: {.note}
+See the [man page](https://www.freedesktop.org/software/systemd/man/portablectl.html) of `portablectl` for more info on its usage.
 :::

doc/build-helpers/images/snaptools.section.md

@@ -0,0 +1,71 @@
+# pkgs.snapTools {#sec-pkgs-snapTools}
+
+`pkgs.snapTools` is a set of functions for creating Snapcraft images. Snap and Snapcraft is not used to perform these operations.
+
+## The makeSnap Function {#ssec-pkgs-snapTools-makeSnap-signature}
+
+`makeSnap` takes a single named argument, `meta`. This argument mirrors [the upstream `snap.yaml` format](https://docs.snapcraft.io/snap-format) exactly.
+
+The `base` should not be specified, as `makeSnap` will force set it.
+
+Currently, `makeSnap` does not support creating GUI stubs.
+
+## Build a Hello World Snap {#ssec-pkgs-snapTools-build-a-snap-hello}
+
+The following expression packages GNU Hello as a Snapcraft snap.
+
+``` {#ex-snapTools-buildSnap-hello .nix}
+let
+  inherit (import <nixpkgs> { }) snapTools hello;
+in snapTools.makeSnap {
+  meta = {
+    name = "hello";
+    summary = hello.meta.description;
+    description = hello.meta.longDescription;
+    architectures = [ "amd64" ];
+    confinement = "strict";
+    apps.hello.command = "${hello}/bin/hello";
+  };
+}
+```
+
+`nix-build` this expression and install it with `snap install ./result --dangerous`. `hello` will now be the Snapcraft version of the package.
+
+## Build a Graphical Snap {#ssec-pkgs-snapTools-build-a-snap-firefox}
+
+Graphical programs require many more integrations with the host. This example uses Firefox as an example because it is one of the most complicated programs we could package.
+
+``` {#ex-snapTools-buildSnap-firefox .nix}
+let
+  inherit (import <nixpkgs> { }) snapTools firefox;
+in snapTools.makeSnap {
+  meta = {
+    name = "nix-example-firefox";
+    summary = firefox.meta.description;
+    architectures = [ "amd64" ];
+    apps.nix-example-firefox = {
+      command = "${firefox}/bin/firefox";
+      plugs = [
+        "pulseaudio"
+        "camera"
+        "browser-support"
+        "avahi-observe"
+        "cups-control"
+        "desktop"
+        "desktop-legacy"
+        "gsettings"
+        "home"
+        "network"
+        "mount-observe"
+        "removable-media"
+        "x11"
+      ];
+    };
+    confinement = "strict";
+  };
+}
+```
+
+`nix-build` this expression and install it with `snap install ./result --dangerous`. `nix-example-firefox` will now be the Snapcraft version of the Firefox package.
+
+The specific meaning behind plugs can be looked up in the [Snapcraft interface documentation](https://docs.snapcraft.io/supported-interfaces).

doc/build-helpers/special.md

@@ -3,10 +3,8 @@
 This chapter describes several special build helpers.
 
 ```{=include=} sections
-special/fakenss.section.md
 special/fhs-environments.section.md
 special/makesetuphook.section.md
 special/mkshell.section.md
 special/vm-tools.section.md
-special/checkpoint-build.section.md
 ```

doc/build-helpers/special/checkpoint-build.section.md

@@ -1,43 +0,0 @@
-# pkgs.checkpointBuildTools  {#sec-checkpoint-build}
-
-`pkgs.checkpointBuildTools` provides a way to build derivations incrementally. It consists of two functions to make checkpoint builds using Nix possible.
-
-For hermeticity, Nix derivations do not allow any state to be carried over between builds, making a transparent incremental build within a derivation impossible.
-
-However, we can tell Nix explicitly what the previous build state was, by representing that previous state as a derivation output. This allows the passed build state to be used for an incremental build.
-
-To change a normal derivation to a checkpoint based build, these steps must be taken:
-  - apply `prepareCheckpointBuild` on the desired derivation, e.g.
-```nix
-{
-  checkpointArtifacts = (pkgs.checkpointBuildTools.prepareCheckpointBuild pkgs.virtualbox);
-}
-```
-  - change something you want in the sources of the package, e.g. use a source override:
-```nix
-{
-  changedVBox = pkgs.virtualbox.overrideAttrs (old: {
-    src = path/to/vbox/sources;
-  });
-}
-```
-  - use `mkCheckpointBuild changedVBox checkpointArtifacts`
-  - enjoy shorter build times
-
-## Example {#sec-checkpoint-build-example}
-```nix
-{ pkgs ? import <nixpkgs> {} }:
-let
-  inherit (pkgs.checkpointBuildTools)
-    prepareCheckpointBuild
-    mkCheckpointBuild
-    ;
-  helloCheckpoint = prepareCheckpointBuild pkgs.hello;
-  changedHello = pkgs.hello.overrideAttrs (_: {
-    doCheck = false;
-    patchPhase = ''
-      sed -i 's/Hello, world!/Hello, Nix!/g' src/hello.c
-    '';
-  });
-in mkCheckpointBuild changedHello helloCheckpoint
-```

doc/build-helpers/special/fakenss.section.md

@@ -1,77 +0,0 @@
-# fakeNss {#sec-fakeNss}
-
-Provides `/etc/passwd` and `/etc/group` files that contain `root` and `nobody`, allowing user/group lookups to work in binaries that insist on doing those.
-This might be a better choice than a custom script running `useradd` and related utilities if you only need those files to exist with some entries.
-
-`fakeNss` also provides `/etc/nsswitch.conf`, configuring NSS host resolution to first check `/etc/hosts` before checking DNS, since the default in the absence of a config file (`dns [!UNAVAIL=return] files`) is quite unexpected.
-
-It also creates an empty directory at `/var/empty` because it uses that as the home directory for the `root` and `nobody` users.
-The `/var/empty` directory can also be used as a `chroot` target to prevent file access in processes that do not need to access files, if your container runs such processes.
-
-The user entries created by `fakeNss` use the `/bin/sh` shell, which is not provided by `fakeNss` because in most cases it won't be used.
-If you need that to be available, see [`dockerTools.binSh`](#sssec-pkgs-dockerTools-helpers-binSh) or provide your own.
-
-## Inputs {#sec-fakeNss-inputs}
-
-`fakeNss` is made available in Nixpkgs as a package rather than a function, but it has two attributes that can be overridden and might be useful in particular cases.
-For more details on how overriding works, see [](#ex-fakeNss-overriding) and [](#sec-pkg-override).
-
-`extraPasswdLines` (List of Strings; _optional_)
-
-: A list of lines that will be added to `/etc/passwd`.
-  Useful if extra users need to exist in the output of `fakeNss`.
-  If `extraPasswdLines` is specified, it will **not** override the `root` and `nobody` entries created by `fakeNss`.
-  Those entries will always exist.
-
-  Lines specified here must follow the format in {manpage}`passwd(5)`.
-
-  _Default value:_ `[]`.
-
-`extraGroupLines` (List of Strings; _optional_)
-
-: A list of lines that will be added to `/etc/group`.
-  Useful if extra groups need to exist in the output of `fakeNss`.
-  If `extraGroupLines` is specified, it will **not** override the `root` and `nobody` entries created by `fakeNss`.
-  Those entries will always exist.
-
-  Lines specified here must follow the format in {manpage}`group(5)`.
-
-  _Default value:_ `[]`.
-
-## Examples {#sec-fakeNss-examples}
-
-:::{.example #ex-fakeNss-dockerTools-buildImage}
-# Using `fakeNss` with `dockerTools.buildImage`
-
-This example shows how to use `fakeNss` as-is.
-It is useful with functions in `dockerTools` to allow building Docker images that have the `/etc/passwd` and `/etc/group` files.
-This example includes the `hello` binary in the image so it can do something besides just have the extra files.
-
-```nix
-{ dockerTools, fakeNss, hello }:
-dockerTools.buildImage {
-  name = "image-with-passwd";
-  tag = "latest";
-
-  copyToRoot = [ fakeNss hello ];
-
-  config = {
-    Cmd = [ "/bin/hello" ];
-  };
-}
-```
-:::
-
-:::{.example #ex-fakeNss-overriding}
-# Using `fakeNss` with an override to add extra lines
-
-The following code uses `override` to add extra lines to `/etc/passwd` and `/etc/group` to create another user and group entry.
-
-```nix
-{ fakeNss }:
-fakeNss.override {
-  extraPasswdLines = ["newuser:x:9001:9001:new user:/var/empty:/bin/sh"];
-  extraGroupLines = ["newuser:x:9001:"];
-}
-```
-:::

doc/build-helpers/special/fhs-environments.section.md

@@ -6,11 +6,7 @@ It uses Linux' namespaces feature to create temporary lightweight environments w
 Accepted arguments are:
 
 - `name`
-        The name of the environment, and the wrapper executable if `pname` is unset.
-- `pname`
-        The pname of the environment and the wrapper executable.
-- `version`
-        The version of the environment.
+        The name of the environment and the wrapper executable.
 - `targetPkgs`
         Packages to be installed for the main host's architecture (i.e. x86_64 on x86_64 installations). Along with libraries binaries are also installed.
 - `multiPkgs`
@@ -57,4 +53,4 @@ You can create a simple environment using a `shell.nix` like this:
 Running `nix-shell` on it would drop you into a shell inside an FHS env where those libraries and binaries are available in FHS-compliant paths. Applications that expect an FHS structure (i.e. proprietary binaries) can run inside this environment without modification.
 You can build a wrapper by running your binary in `runScript`, e.g. `./bin/start.sh`. Relative paths work as expected.
 
-Additionally, the FHS builder links all relocated gsettings-schemas (the glib setup-hook moves them to `share/gsettings-schemas/${name}/glib-2.0/schemas`) to their standard FHS location. This means you don't need to wrap binaries with `wrapGApps*` hook.
+Additionally, the FHS builder links all relocated gsettings-schemas (the glib setup-hook moves them to `share/gsettings-schemas/${name}/glib-2.0/schemas`) to their standard FHS location. This means you don't need to wrap binaries with `wrapGAppsHook`.

doc/build-helpers/special/makesetuphook.section.md

@@ -9,40 +9,22 @@ pkgs.makeSetupHook {
   name = "something-hook";
   propagatedBuildInputs = [ pkgs.commandsomething ];
   depsTargetTargetPropagated = [ pkgs.libsomething ];
-} ./script.sh;
+} ./script.sh
 ```
 
 ### setup hook that depends on the hello package and runs hello and @shell@ is substituted with path to bash {#sec-pkgs.makeSetupHook-usage-example}
 
 ```nix
-pkgs.makeSetupHook
-  {
+pkgs.makeSetupHook {
     name = "run-hello-hook";
-    # Put dependencies here if they have hooks or necessary dependencies propagated
-    # otherwise prefer direct paths to executables.
-    propagatedBuildInputs = [
-      pkgs.hello
-      pkgs.cowsay
-    ];
-    substitutions = {
-      shell = "${pkgs.bash}/bin/bash";
-      cowsay = "${pkgs.cowsay}/bin/cowsay";
-    };
-  }
-  (
-    writeScript "run-hello-hook.sh" ''
-      #!@shell@
-      # the direct path to the executable has to be here because
-      # this will be run when the file is sourced
-      # at which point '$PATH' has not yet been populated with inputs
-      @cowsay@ cow
-
-      _printHelloHook() {
-        hello
-      }
-      preConfigureHooks+=(_printHelloHook)
-    ''
-  );
+    propagatedBuildInputs = [ pkgs.hello ];
+    substitutions = { shell = "${pkgs.bash}/bin/bash"; };
+    passthru.tests.greeting = callPackage ./test { };
+    meta.platforms = lib.platforms.linux;
+} (writeScript "run-hello-hook.sh" ''
+    #!@shell@
+    hello
+'')
 ```
 
 ## Attributes {#sec-pkgs.makeSetupHook-attributes}

doc/build-helpers/special/mkshell.section.md

@@ -29,10 +29,6 @@ pkgs.mkShell {
 
 ... all the attributes of `stdenv.mkDerivation`.
 
-## Variants {#sec-pkgs-mkShell-variants}
-
-`pkgs.mkShellNoCC` is a variant that uses `stdenvNoCC` instead of `stdenv` as base environment. This is useful if no C compiler is needed in the shell environment.
-
 ## Building the shell {#sec-pkgs-mkShell-building}
 
 This derivation output will contain a text file that contains a reference to

doc/build-helpers/testers.chapter.md

@@ -1,5 +1,4 @@
 # Testers {#chap-testers}
-
 This chapter describes several testing builders which are available in the `testers` namespace.
 
 ## `hasPkgConfigModules` {#tester-hasPkgConfigModules}
@@ -7,214 +6,62 @@ This chapter describes several testing builders which are available in the `test
 <!-- Old anchor name so links still work -->
 []{#tester-hasPkgConfigModule}
 Checks whether a package exposes a given list of `pkg-config` modules.
-If the `moduleNames` argument is omitted, `hasPkgConfigModules` will use `meta.pkgConfigModules`.
+If the `moduleNames` argument is omitted, `hasPkgConfigModules` will
+use `meta.pkgConfigModules`.
 
-:::{.example #ex-haspkgconfigmodules-defaultvalues}
-
-# Check that `pkg-config` modules are exposed using default values
+Example:
 
 ```nix
-{
-  passthru.tests.pkg-config = testers.hasPkgConfigModules {
-    package = finalAttrs.finalPackage;
-  };
-
-  meta.pkgConfigModules = [ "libfoo" ];
-}
+passthru.tests.pkg-config = testers.hasPkgConfigModules {
+  package = finalAttrs.finalPackage;
+  moduleNames = [ "libfoo" ];
+};
 ```
 
-:::
-
-:::{.example #ex-haspkgconfigmodules-explicitmodules}
-
-# Check that `pkg-config` modules are exposed using explicit module names
+If the package in question has `meta.pkgConfigModules` set, it is even simpler:
 
 ```nix
-{
-  passthru.tests.pkg-config = testers.hasPkgConfigModules {
-    package = finalAttrs.finalPackage;
-    moduleNames = [ "libfoo" ];
-  };
-}
+passthru.tests.pkg-config = testers.hasPkgConfigModules {
+  package = finalAttrs.finalPackage;
+};
+
+meta.pkgConfigModules = [ "libfoo" ];
 ```
 
-:::
-
-## `lycheeLinkCheck` {#tester-lycheeLinkCheck}
-
-Check a packaged static site's links with the [`lychee` package](https://search.nixos.org/packages?show=lychee&type=packages&query=lychee).
-
-You may use Nix to reproducibly build static websites, such as for software documentation.
-Some packages will install documentation in their `out` or `doc` outputs, or maybe you have dedicated package where you've made your static site reproducible by running a generator, such as [Hugo](https://gohugo.io/) or [mdBook](https://rust-lang.github.io/mdBook/), in a derivation.
-
-If you have a static site that can be built with Nix, you can use `lycheeLinkCheck` to check that the hyperlinks in your site are correct, and do so as part of your Nix workflow and CI.
-
-:::{.example #ex-lycheelinkcheck}
-
-# Check hyperlinks in the `nix` documentation
-
-```nix
-testers.lycheeLinkCheck {
-  site = nix.doc + "/share/doc/nix/manual";
-}
-```
-
-:::
-
-### Return value {#tester-lycheeLinkCheck-return}
-
-This tester produces a package that does not produce useful outputs, but only succeeds if the hyperlinks in your site are correct. The build log will list the broken links.
-
-It has two modes:
-
-- Build the returned derivation; its build process will check that internal hyperlinks are correct. This runs in the sandbox, so it will not check external hyperlinks, but it is quick and reliable.
-
-- Invoke the `.online` attribute with [`nix run`](https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-run) ([experimental](https://nixos.org/manual/nix/stable/contributing/experimental-features#xp-feature-nix-command)). This runs outside the sandbox, and checks that both internal and external hyperlinks are correct.
-  Example:
-
-  ```shell
-  nix run nixpkgs#lychee.tests.ok.online
-  ```
-
-### Inputs {#tester-lycheeLinkCheck-inputs}
-
-`site` (path or derivation) {#tester-lycheeLinkCheck-param-site}
-
-: The path to the files to check.
-
-`remap` (attribe set, optional) {#tester-lycheeLinkCheck-param-remap}
-
-: An attribute set where the attribute names are regular expressions.
-  The values should be strings, derivations, or path values.
-
-  In the returned check's default configuration, external URLs are only checked when you run the `.online` attribute.
-
-  By adding remappings, you can check offline that URLs to external resources are correct, by providing a stand-in from the file system.
-
-  Before checking the existence of a URL, the regular expressions are matched and replaced by their corresponding values.
-
-  Example:
-
-  ```nix
-  {
-    "https://nix\\.dev/manual/nix/[a-z0-9.-]*" = "${nix.doc}/share/doc/nix/manual";
-    "https://nixos\\.org/manual/nix/(un)?stable" = "${emptyDirectory}/placeholder-to-disallow-old-nix-docs-urls";
-  }
-  ```
-
-  Store paths in the attribute values are automatically prefixed with `file://`, because lychee requires this for paths in the file system.
-  If this is a problem, or if you need to control the order in which replacements are performed, use `extraConfig.remap` instead.
-
-`extraConfig` (attribute set) {#tester-lycheeLinkCheck-param-extraConfig}
-
-: Extra configuration to pass to `lychee` in its [configuration file](https://github.com/lycheeverse/lychee/blob/master/lychee.example.toml).
-  It is automatically [translated](https://nixos.org/manual/nixos/stable/index.html#sec-settings-nix-representable) to TOML.
-
-  Example: `{ "include_verbatim" = true; }`
-
-`lychee` (derivation, optional) {#tester-lycheeLinkCheck-param-lychee}
-
-: The `lychee` package to use.
-
-## `shellcheck` {#tester-shellcheck}
-
-Runs files through `shellcheck`, a static analysis tool for shell scripts.
-
-:::{.example #ex-shellcheck}
-# Run `testers.shellcheck`
-
-A single script
-
-```nix
-testers.shellcheck {
-  name = "shellcheck";
-  src = ./script.sh;
-}
-```
-
-Multiple files
-
-```nix
-let
-  inherit (lib) fileset;
-in
-testers.shellcheck {
-  name = "shellcheck";
-  src = fileset.toSource {
-    root = ./.;
-    fileset = fileset.unions [
-      ./lib.sh
-      ./nixbsd-activate
-    ];
-  };
-}
-```
-
-:::
-
-### Inputs {#tester-shellcheck-inputs}
-
-[`src` (path or string)]{#tester-shellcheck-param-src}
-
-: The path to the shell script(s) to check.
-  This can be a single file or a directory containing shell files.
-  All files in `src` will be checked, so you may want to provide `fileset`-based source instead of a whole directory.
-
-### Return value {#tester-shellcheck-return}
-
-A derivation that runs `shellcheck` on the given script(s).
-The build will fail if `shellcheck` finds any issues.
-
 ## `testVersion` {#tester-testVersion}
 
-Checks that the output from running a command contains the specified version string in it as a whole word.
+Checks the command output contains the specified version
 
-NOTE: In most cases, [`versionCheckHook`](#versioncheckhook) should be preferred, but this function is provided and documented here anyway. The motivation for adding either tests would be:
+Although simplistic, this test assures that the main program
+can run. While there's no substitute for a real test case,
+it does catch dynamic linking errors and such. It also provides
+some protection against accidentally building the wrong version,
+for example when using an 'old' hash in a fixed-output derivation.
 
-- Catch dynamic linking errors and such and missing environment variables that should be added by wrapping.
-- Probable protection against accidentally building the wrong version, for example when using an "old" hash in a fixed-output derivation.
-
-By default, the command to be run will be inferred from the given `package` attribute:
-it will check `meta.mainProgram` first, and fall back to `pname` or `name`.
-The default argument to the command is `--version`, and the version to be checked will be inferred from the given `package` attribute as well.
-
-:::{.example #ex-testversion-hello}
-
-# Check a program version using all the default values
-
-This example will run the command `hello --version`, and then check that the version of the `hello` package is in the output of the command.
+Examples:
 
 ```nix
-{
-  passthru.tests.version = testers.testVersion { package = hello; };
-}
+passthru.tests.version = testers.testVersion { package = hello; };
+
+passthru.tests.version = testers.testVersion {
+  package = seaweedfs;
+  command = "weed version";
+};
+
+passthru.tests.version = testers.testVersion {
+  package = key;
+  command = "KeY --help";
+  # Wrong '2.5' version in the code. Drop on next version.
+  version = "2.5";
+};
+
+passthru.tests.version = testers.testVersion {
+  package = ghr;
+  # The output needs to contain the 'version' string without any prefix or suffix.
+  version = "v${version}";
+};
 ```
 
-:::
-
-:::{.example #ex-testversion-different-commandversion}
-
-# Check the program version using a specified command and expected version string
-
-This example will run the command `leetcode -V`, and then check that `leetcode 0.4.2` is in the output of the command as a whole word (separated by whitespaces).
-This means that an output like "leetcode 0.4.21" would fail the tests, and an output like "You're running leetcode 0.4.2" would pass the tests.
-
-A common usage of the `version` attribute is to specify `version = "v${version}"`.
-
-```nix
-{
-  version = "0.4.2";
-
-  passthru.tests.version = testers.testVersion {
-    package = leetcode-cli;
-    command = "leetcode -V";
-    version = "leetcode ${version}";
-  };
-}
-```
-
-:::
-
 ## `testBuildFailure` {#tester-testBuildFailure}
 
 Make sure that a build does not succeed. This is useful for testing testers.
@@ -225,18 +72,7 @@ This returns a derivation with an override on the builder, with the following ef
  - Move `$out` to `$out/result`, if it exists (assuming `out` is the default output)
  - Save the build log to `$out/testBuildFailure.log` (same)
 
-While `testBuildFailure` is designed to keep changes to the original builder's environment to a minimum, some small changes are inevitable:
-
- - The file `$TMPDIR/testBuildFailure.log` is present. It should not be deleted.
- - `stdout` and `stderr` are a pipe instead of a tty. This could be improved.
- - One or two extra processes are present in the sandbox during the original builder's execution.
- - The derivation and output hashes are different, but not unusual.
- - The derivation includes a dependency on `buildPackages.bash` and `expect-failure.sh`, which is built to include a transitive dependency on `buildPackages.coreutils` and possibly more.
-   These are not added to `PATH` or any other environment variable, so they should be hard to observe.
-
-:::{.example #ex-testBuildFailure-showingenvironmentchanges}
-
-# Check that a build fails, and verify the changes made during build
+Example:
 
 ```nix
 runCommand "example" {
@@ -250,18 +86,27 @@ runCommand "example" {
   grep -F 'failing though' $failed/testBuildFailure.log
   [[ 3 = $(cat $failed/testBuildFailure.exit) ]]
   touch $out
-''
+'';
 ```
 
-:::
+While `testBuildFailure` is designed to keep changes to the original builder's
+environment to a minimum, some small changes are inevitable.
 
-## `testEqualContents` {#tester-testEqualContents}
+ - The file `$TMPDIR/testBuildFailure.log` is present. It should not be deleted.
+ - `stdout` and `stderr` are a pipe instead of a tty. This could be improved.
+ - One or two extra processes are present in the sandbox during the original
+   builder's execution.
+ - The derivation and output hashes are different, but not unusual.
+ - The derivation includes a dependency on `buildPackages.bash` and
+   `expect-failure.sh`, which is built to include a transitive dependency on
+   `buildPackages.coreutils` and possibly more. These are not added to `PATH`
+   or any other environment variable, so they should be hard to observe.
+
+## `testEqualContents` {#tester-equalContents}
 
 Check that two paths have the same contents.
 
-:::{.example #ex-testEqualContents-toyexample}
-
-# Check that two paths have the same contents
+Example:
 
 ```nix
 testers.testEqualContents {
@@ -281,20 +126,17 @@ testers.testEqualContents {
 }
 ```
 
-:::
-
 ## `testEqualDerivation` {#tester-testEqualDerivation}
 
 Checks that two packages produce the exact same build instructions.
 
-This can be used to make sure that a certain difference of configuration, such as the presence of an overlay does not cause a cache miss.
+This can be used to make sure that a certain difference of configuration,
+such as the presence of an overlay does not cause a cache miss.
 
 When the derivations are equal, the return value is an empty file.
 Otherwise, the build log explains the difference via `nix-diff`.
 
-:::{.example #ex-testEqualDerivation-hello}
-
-# Check that two packages produce the same derivation
+Example:
 
 ```nix
 testers.testEqualDerivation
@@ -303,51 +145,46 @@ testers.testEqualDerivation
   (hello.overrideAttrs(o: { doCheck = true; }))
 ```
 
-:::
-
 ## `invalidateFetcherByDrvHash` {#tester-invalidateFetcherByDrvHash}
 
 Use the derivation hash to invalidate the output via name, for testing.
 
 Type: `(a@{ name, ... } -> Derivation) -> a -> Derivation`
 
-Normally, fixed output derivations can and should be cached by their output hash only, but for testing we want to re-fetch everytime the fetcher changes.
+Normally, fixed output derivations can and should be cached by their output
+hash only, but for testing we want to re-fetch everytime the fetcher changes.
 
-Changes to the fetcher become apparent in the drvPath, which is a hash of how to fetch, rather than a fixed store path.
-By inserting this hash into the name, we can make sure to re-run the fetcher every time the fetcher changes.
+Changes to the fetcher become apparent in the drvPath, which is a hash of
+how to fetch, rather than a fixed store path.
+By inserting this hash into the name, we can make sure to re-run the fetcher
+every time the fetcher changes.
 
-This relies on the assumption that Nix isn't clever enough to reuse its database of local store contents to optimize fetching.
+This relies on the assumption that Nix isn't clever enough to reuse its
+database of local store contents to optimize fetching.
 
-You might notice that the "salted" name derives from the normal invocation, not the final derivation.
-`invalidateFetcherByDrvHash` has to invoke the fetcher function twice:
-once to get a derivation hash, and again to produce the final fixed output derivation.
+You might notice that the "salted" name derives from the normal invocation,
+not the final derivation. `invalidateFetcherByDrvHash` has to invoke the fetcher
+function twice: once to get a derivation hash, and again to produce the final
+fixed output derivation.
 
-:::{.example #ex-invalidateFetcherByDrvHash-nix}
-
-# Prevent nix from reusing the output of a fetcher
+Example:
 
 ```nix
-{
-  tests.fetchgit = testers.invalidateFetcherByDrvHash fetchgit {
-    name = "nix-source";
-    url = "https://github.com/NixOS/nix";
-    rev = "9d9dbe6ed05854e03811c361a3380e09183f4f4a";
-    hash = "sha256-7DszvbCNTjpzGRmpIVAWXk20P0/XTrWZ79KSOGLrUWY=";
-  };
-}
+tests.fetchgit = testers.invalidateFetcherByDrvHash fetchgit {
+  name = "nix-source";
+  url = "https://github.com/NixOS/nix";
+  rev = "9d9dbe6ed05854e03811c361a3380e09183f4f4a";
+  hash = "sha256-7DszvbCNTjpzGRmpIVAWXk20P0/XTrWZ79KSOGLrUWY=";
+};
 ```
 
-:::
-
 ## `runNixOSTest` {#tester-runNixOSTest}
 
 A helper function that behaves exactly like the NixOS `runTest`, except it also assigns this Nixpkgs package set as the `pkgs` of the test and makes the `nixpkgs.*` options read-only.
 
 If your test is part of the Nixpkgs repository, or if you need a more general entrypoint, see ["Calling a test" in the NixOS manual](https://nixos.org/manual/nixos/stable/index.html#sec-calling-nixos-tests).
 
-:::{.example #ex-runNixOSTest-hello}
-
-# Run a NixOS test using `runNixOSTest`
+Example:
 
 ```nix
 pkgs.testers.runNixOSTest ({ lib, ... }: {
@@ -361,17 +198,19 @@ pkgs.testers.runNixOSTest ({ lib, ... }: {
 })
 ```
 
-:::
-
 ## `nixosTest` {#tester-nixosTest}
 
 Run a NixOS VM network test using this evaluation of Nixpkgs.
 
 NOTE: This function is primarily for external use. NixOS itself uses `make-test-python.nix` directly. Packages defined in Nixpkgs [reuse NixOS tests via `nixosTests`, plural](#ssec-nixos-tests-linking).
 
-It is mostly equivalent to the function `import ./make-test-python.nix` from the [NixOS manual](https://nixos.org/nixos/manual/index.html#sec-nixos-tests), except that the current application of Nixpkgs (`pkgs`) will be used, instead of letting NixOS invoke Nixpkgs anew.
+It is mostly equivalent to the function `import ./make-test-python.nix` from the
+[NixOS manual](https://nixos.org/nixos/manual/index.html#sec-nixos-tests),
+except that the current application of Nixpkgs (`pkgs`) will be used, instead of
+letting NixOS invoke Nixpkgs anew.
 
-If a test machine needs to set NixOS options under `nixpkgs`, it must set only the `nixpkgs.pkgs` option.
+If a test machine needs to set NixOS options under `nixpkgs`, it must set only the
+`nixpkgs.pkgs` option.
 
 ### Parameter {#tester-nixosTest-parameter}
 

doc/build-helpers/trivial-build-helpers.chapter.md

@@ -1,15 +1,12 @@
 # Trivial build helpers {#chap-trivial-builders}
 
-Nixpkgs provides a variety of wrapper functions that help build commonly useful derivations.
-Like [`stdenv.mkDerivation`](#sec-using-stdenv), each of these build helpers creates a derivation, but the arguments passed are different (usually simpler) from those required by `stdenv.mkDerivation`.
+Nixpkgs provides a couple of functions that help with building derivations. The most important one, `stdenv.mkDerivation`, has already been documented above. The following functions wrap `stdenv.mkDerivation`, making it easier to use in certain cases.
 
 ## `runCommand` {#trivial-builder-runCommand}
 
 `runCommand :: String -> AttrSet -> String -> Derivation`
 
-The result of `runCommand name drvAttrs buildCommand` is a derivation that is built by running the specified shell commands.
-
-By default `runCommand` runs in a stdenv with no compiler environment, whereas [`runCommandCC`](#trivial-builder-runCommandCC) uses the default stdenv, `pkgs.stdenv`.
+`runCommand name drvAttrs buildCommand` returns a derivation that is built by running the specified shell commands.
 
 `name :: String`
 :   The name that Nix will append to the store path in the same way that `stdenv.mkDerivation` uses its `name` attribute.
@@ -61,525 +58,63 @@ Variant of `runCommand` that forces the derivation to be built locally, it is no
 This sets [`allowSubstitutes` to `false`](https://nixos.org/nix/manual/#adv-attr-allowSubstitutes), so only use `runCommandLocal` if you are certain the user will always have a builder for the `system` of the derivation. This should be true for most trivial use cases (e.g., just copying some files to a different location or adding symlinks) because there the `system` is usually the same as `builtins.currentSystem`.
 :::
 
-## Writing text files {#trivial-builder-text-writing}
+## `writeTextFile`, `writeText`, `writeTextDir`, `writeScript`, `writeScriptBin` {#trivial-builder-writeText}
 
-Nixpkgs provides the following functions for producing derivations which write text files or executable scripts into the Nix store.
-They are useful for creating files from Nix expression, and are all implemented as convenience wrappers around `writeTextFile`.
+These functions write `text` to the Nix store. This is useful for creating scripts from Nix expressions. `writeTextFile` takes an attribute set and expects two arguments, `name` and `text`. `name` corresponds to the name used in the Nix store path. `text` will be the contents of the file. You can also set `executable` to true to make this file have the executable bit set.
 
-Each of these functions will cause a derivation to be produced.
-When you coerce the result of each of these functions to a string with [string interpolation](https://nixos.org/manual/nix/stable/language/string-interpolation) or [`builtins.toString`](https://nixos.org/manual/nix/stable/language/builtins#builtins-toString), it will evaluate to the [store path](https://nixos.org/manual/nix/stable/store/store-path) of this derivation.
-
-:::: {.note}
-Some of these functions will put the resulting files within a directory inside the [derivation output](https://nixos.org/manual/nix/stable/language/derivations#attr-outputs).
-If you need to refer to the resulting files somewhere else in a Nix expression, append their path to the derivation's store path.
-
-For example, if the file destination is a directory:
-
-```nix
-{
-  my-file = writeTextFile {
-    name = "my-file";
-    text = ''
-      Contents of File
-    '';
-    destination = "/share/my-file";
-  };
-}
-```
-
-Remember to append "/share/my-file" to the resulting store path when using it elsewhere:
-
-```nix
-writeShellScript "evaluate-my-file.sh" ''
-  cat ${my-file}/share/my-file
-''
-```
-::::
-
-### `makeDesktopItem` {#trivial-builder-makeDesktopItem}
-
-Write an [XDG desktop file](https://specifications.freedesktop.org/desktop-entry-spec/1.4/) to the Nix store.
-
-This function is usually used to add desktop items to a package through the `copyDesktopItems` hook.
-
-`makeDesktopItem` adheres to version 1.4 of the specification.
-
-#### Inputs {#trivial-builder-makeDesktopItem-inputs}
-
-`makeDesktopItem` takes an attribute set that accepts most values from the [XDG specification](https://specifications.freedesktop.org/desktop-entry-spec/1.4/ar01s06.html).
-
-All recognised keys from the specification are supported with the exception of the "Hidden" field. The keys are converted into camelCase format, but correspond 1:1 to their equivalent in the specification: `genericName`, `noDisplay`, `comment`, `icon`, `onlyShowIn`, `notShowIn`, `dbusActivatable`, `tryExec`, `exec`, `path`, `terminal`, `mimeTypes`, `categories`, `implements`, `keywords`, `startupNotify`, `startupWMClass`, `url`, `prefersNonDefaultGPU`.
-
-The "Version" field is hardcoded to the version `makeDesktopItem` currently adheres to.
-
-The following fields are either required, are of a different type than in the specification, carry specific default values, or are additional fields supported by `makeDesktopItem`:
-
-`name` (String)
-
-: The name of the desktop file in the Nix store.
-
-`type` (String; _optional_)
-
-: Default value: `"Application"`
-
-`desktopName` (String)
-
-: Corresponds to the "Name" field of the specification.
-
-`actions` (List of Attribute set; _optional_)
-
-: A list of attribute sets {name, exec?, icon?}
-
-`extraConfig` (Attribute set; _optional_)
-
-: Additional key/value pairs to be added verbatim to the desktop file. Attributes need to be prefixed with 'X-'.
-
-#### Examples {#trivial-builder-makeDesktopItem-examples}
-
-::: {.example #ex-makeDesktopItem}
-# Usage 1 of `makeDesktopItem`
-
-Write a desktop file `/nix/store/<store path>/my-program.desktop` to the Nix store.
-
-```nix
-{makeDesktopItem}:
-makeDesktopItem {
-  name = "my-program";
-  desktopName = "My Program";
-  genericName = "Video Player";
-  noDisplay = false;
-  comment = "Cool video player";
-  icon = "/path/to/icon";
-  onlyShowIn = [ "KDE" ];
-  dbusActivatable = true;
-  tryExec = "my-program";
-  exec = "my-program --someflag";
-  path = "/some/working/path";
-  terminal = false;
-  actions.example = {
-    name = "New Window";
-    exec = "my-program --new-window";
-    icon = "/some/icon";
-  };
-  mimeTypes = [ "video/mp4" ];
-  categories = [ "Utility" ];
-  implements = [ "org.my-program" ];
-  keywords = [ "Video" "Player" ];
-  startupNotify = false;
-  startupWMClass = "MyProgram";
-  prefersNonDefaultGPU = false;
-  extraConfig.X-SomeExtension = "somevalue";
-}
-```
-
-:::
-
-::: {.example #ex2-makeDesktopItem}
-# Usage 2 of `makeDesktopItem`
-
-Override the `hello` package to add a desktop item.
-
-```nix
-{ copyDesktopItems
-, hello
-, makeDesktopItem }:
-
-hello.overrideAttrs {
-  nativeBuildInputs = [ copyDesktopItems ];
-
-  desktopItems = [(makeDesktopItem {
-    name = "hello";
-    desktopName = "Hello";
-    exec = "hello";
-  })];
-}
-```
-
-:::
-
-### `writeTextFile` {#trivial-builder-writeTextFile}
-
-Write a text file to the Nix store.
-
-`writeTextFile` takes an attribute set with the following possible attributes:
-
-`name` (String)
-
-: Corresponds to the name used in the Nix store path identifier.
-
-`text` (String)
-
-: The contents of the file.
-
-`executable` (Bool, _optional_)
-
-: Make this file have the executable bit set.
-
-  Default: `false`
-
-`destination` (String, _optional_)
-
-: A subpath under the derivation's output path into which to put the file.
-  Subdirectories are created automatically when the derivation is realised.
-
-  By default, the store path itself will be a file containing the text contents.
-
-  Default: `""`
-
-`checkPhase` (String, _optional_)
-
-: Commands to run after generating the file.
-
-  Default: `""`
-
-`meta` (Attribute set, _optional_)
-
-: Additional metadata for the derivation.
-
-  Default: `{}`
-
-`allowSubstitutes` (Bool, _optional_)
-
-: Whether to allow substituting from a binary cache.
-  Passed through to [`allowSubstitutes`](https://nixos.org/manual/nix/stable/language/advanced-attributes#adv-attr-allowSubstitutes) of the underlying call to `builtins.derivation`.
-
-  It defaults to `false`, as running the derivation's simple `builder` executable locally is assumed to be faster than network operations.
-  Set it to true if the `checkPhase` step is expensive.
-
-  Default: `false`
-
-`preferLocalBuild` (Bool, _optional_)
-
-: Whether to prefer building locally, even if faster [remote build machines](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-substituters) are available.
-
-  Passed through to [`preferLocalBuild`](https://nixos.org/manual/nix/stable/language/advanced-attributes#adv-attr-preferLocalBuild) of the underlying call to `builtins.derivation`.
-
-  It defaults to `true` for the same reason `allowSubstitutes` defaults to `false`.
-
-  Default: `true`
-
-`derivationArgs` (Attribute set, _optional_)
-
-: Extra arguments to pass to the underlying call to `stdenv.mkDerivation`.
-
-  Default: `{}`
-
-The resulting store path will include some variation of the name, and it will be a file unless `destination` is used, in which case it will be a directory.
-
-::: {.example #ex-writeTextFile}
-# Usage 1 of `writeTextFile`
-
-Write `my-file` to `/nix/store/<store path>/some/subpath/my-cool-script`, making it executable.
-Also run a check on the resulting file in a `checkPhase`, and supply values for the less-used options.
-
-```nix
-writeTextFile {
-  name = "my-cool-script";
-  text = ''
-    #!/bin/sh
-    echo "This is my cool script!"
-  '';
-  executable = true;
-  destination = "/some/subpath/my-cool-script";
-  checkPhase = ''
-    ${pkgs.shellcheck}/bin/shellcheck $out/some/subpath/my-cool-script
-  '';
-  meta = {
-    license = pkgs.lib.licenses.cc0;
-  };
-  allowSubstitutes = true;
-  preferLocalBuild = false;
-}
-```
-:::
-
-::: {.example #ex2-writeTextFile}
-# Usage 2 of `writeTextFile`
-
-Write the string `Contents of File` to `/nix/store/<store path>`.
-See also the [](#trivial-builder-writeText) helper function.
+Many more commands wrap `writeTextFile` including `writeText`, `writeTextDir`, `writeScript`, and `writeScriptBin`. These are convenience functions over `writeTextFile`.
 
+Here are a few examples:
 ```nix
+# Writes my-file to /nix/store/<store path>
 writeTextFile {
   name = "my-file";
   text = ''
     Contents of File
   '';
 }
-```
-:::
+# See also the `writeText` helper function below.
 
-::: {.example #ex3-writeTextFile}
-# Usage 3 of `writeTextFile`
-
-Write an executable script `my-script` to `/nix/store/<store path>/bin/my-script`.
-See also the [](#trivial-builder-writeScriptBin) helper function.
-
-```nix
+# Writes executable my-file to /nix/store/<store path>/bin/my-file
 writeTextFile {
-  name = "my-script";
+  name = "my-file";
   text = ''
-    echo "hi"
+    Contents of File
   '';
   executable = true;
-  destination = "/bin/my-script";
+  destination = "/bin/my-file";
 }
-```
-:::
-
-### `writeText` {#trivial-builder-writeText}
-
-Write a text file to the Nix store
-
-`writeText` takes the following arguments:
-a string.
-
-`name` (String)
-
-: The name used in the Nix store path.
-
-`text` (String)
-
-: The contents of the file.
-
-The store path will include the name, and it will be a file.
-
-::: {.example #ex-writeText}
-# Usage of `writeText`
-
-Write the string `Contents of File` to `/nix/store/<store path>`:
-
-```nix
+# Writes contents of file to /nix/store/<store path>
 writeText "my-file"
   ''
   Contents of File
-  ''
-```
-:::
-
-This is equivalent to:
-
-```nix
-writeTextFile {
-  name = "my-file";
-  text = ''
-    Contents of File
   '';
-}
-```
-
-### `writeTextDir` {#trivial-builder-writeTextDir}
-
-Write a text file within a subdirectory of the Nix store.
-
-`writeTextDir` takes the following arguments:
-
-`path` (String)
-
-: The destination within the Nix store path under which to create the file.
-
-`text` (String)
-
-: The contents of the file.
-
-The store path will be a directory.
-
-::: {.example #ex-writeTextDir}
-# Usage of `writeTextDir`
-
-Write the string `Contents of File` to `/nix/store/<store path>/share/my-file`:
-
-```nix
+# Writes contents of file to /nix/store/<store path>/share/my-file
 writeTextDir "share/my-file"
   ''
   Contents of File
-  ''
-```
-:::
-
-This is equivalent to:
-
-```nix
-writeTextFile {
-  name = "my-file";
-  text = ''
-    Contents of File
   '';
-  destination = "share/my-file";
-}
-```
-
-### `writeScript` {#trivial-builder-writeScript}
-
-Write an executable script file to the Nix store.
-
-`writeScript` takes the following arguments:
-
-`name` (String)
-
-: The name used in the Nix store path.
-
-`text` (String)
-
-: The contents of the file.
-
-The created file is marked as executable.
-The store path will include the name, and it will be a file.
-
-::: {.example #ex-writeScript}
-# Usage of `writeScript`
-
-Write the string `Contents of File` to `/nix/store/<store path>` and make the file executable.
-
-```nix
+# Writes my-file to /nix/store/<store path> and makes executable
 writeScript "my-file"
   ''
   Contents of File
-  ''
-```
-:::
-
-This is equivalent to:
-
-```nix
-writeTextFile {
-  name = "my-file";
-  text = ''
-    Contents of File
   '';
-  executable = true;
-}
-```
-
-### `writeScriptBin` {#trivial-builder-writeScriptBin}
-
-Write a script within a `bin` subdirectory of a directory in the Nix store.
-This is for consistency with the convention of software packages placing executables under `bin`.
-
-`writeScriptBin` takes the following arguments:
-
-`name` (String)
-
-: The name used in the Nix store path and within the file created under the store path.
-
-`text` (String)
-
-: The contents of the file.
-
-The created file is marked as executable.
-The file's contents will be put into `/nix/store/<store path>/bin/<name>`.
-The store path will include the name, and it will be a directory.
-
-::: {.example #ex-writeScriptBin}
-# Usage of `writeScriptBin`
-
-```nix
-writeScriptBin "my-script"
+# Writes my-file to /nix/store/<store path>/bin/my-file and makes executable.
+writeScriptBin "my-file"
   ''
-  echo "hi"
-  ''
-```
-:::
-
-This is equivalent to:
-
-```nix
-writeTextFile {
-  name = "my-script";
-  text = ''
-    echo "hi"
+  Contents of File
   '';
-  executable = true;
-  destination = "bin/my-script";
-}
-```
-
-### `writeShellScript` {#trivial-builder-writeShellScript}
-
-Write a Bash script to the store.
-
-`writeShellScript` takes the following arguments:
-
-`name` (String)
-
-: The name used in the Nix store path.
-
-`text` (String)
-
-: The contents of the file.
-
-The created file is marked as executable.
-The store path will include the name, and it will be a file.
-
-This function is almost exactly like [](#trivial-builder-writeScript), except that it prepends to the file a [shebang](https://en.wikipedia.org/wiki/Shebang_%28Unix%29) line that points to the version of Bash used in Nixpkgs.
-<!-- this cannot be changed in practice, so there is no point pretending it's somehow generic -->
-
-::: {.example #ex-writeShellScript}
-# Usage of `writeShellScript`
-
-```nix
-writeShellScript "my-script"
+# Writes my-file to /nix/store/<store path> and makes executable.
+writeShellScript "my-file"
   ''
-  echo "hi"
-  ''
-```
-:::
-
-This is equivalent to:
-
-```nix
-writeTextFile {
-  name = "my-script";
-  text = ''
-    #! ${pkgs.runtimeShell}
-    echo "hi"
+  Contents of File
   '';
-  executable = true;
-}
-```
-
-### `writeShellScriptBin` {#trivial-builder-writeShellScriptBin}
-
-Write a Bash script to a "bin" subdirectory of a directory in the Nix store.
-
-`writeShellScriptBin` takes the following arguments:
-
-`name` (String)
-
-: The name used in the Nix store path and within the file generated under the store path.
-
-`text` (String)
-
-: The contents of the file.
-
-The file's contents will be put into `/nix/store/<store path>/bin/<name>`.
-The store path will include the the name, and it will be a directory.
-
-This function is a combination of [](#trivial-builder-writeShellScript) and [](#trivial-builder-writeScriptBin).
-
-::: {.example #ex-writeShellScriptBin}
-# Usage of `writeShellScriptBin`
-
-```nix
-writeShellScriptBin "my-script"
+# Writes my-file to /nix/store/<store path>/bin/my-file and makes executable.
+writeShellScriptBin "my-file"
   ''
-  echo "hi"
-  ''
-```
-:::
-
-This is equivalent to:
-
-```nix
-writeTextFile {
-  name = "my-script";
-  text = ''
-    #! ${pkgs.runtimeShell}
-    echo "hi"
+  Contents of File
   '';
-  executable = true;
-  destination = "bin/my-script";
-}
+
 ```
 
 ## `concatTextFile`, `concatText`, `concatScript` {#trivial-builder-concatText}
@@ -613,14 +148,9 @@ concatScript "my-file" [ file1 file2 ]
 
 ## `writeShellApplication` {#trivial-builder-writeShellApplication}
 
-`writeShellApplication` is similar to `writeShellScriptBin` and `writeScriptBin` but supports runtime dependencies with `runtimeInputs`.
-Writes an executable shell script to `/nix/store/<store path>/bin/<name>` and checks its syntax with [`shellcheck`](https://github.com/koalaman/shellcheck) and the `bash`'s `-n` option.
-Some basic Bash options are set by default (`errexit`, `nounset`, and `pipefail`), but can be overridden with `bashOptions`.
+This can be used to easily produce a shell script that has some dependencies (`runtimeInputs`). It automatically sets the `PATH` of the script to contain all of the listed inputs, sets some sanity shellopts (`errexit`, `nounset`, `pipefail`), and checks the resulting script with [`shellcheck`](https://github.com/koalaman/shellcheck).
 
-Extra arguments may be passed to `stdenv.mkDerivation` by setting `derivationArgs`; note that variables set in this manner will be set when the shell script is _built,_ not when it's run.
-Runtime environment variables can be set with the `runtimeEnv` argument.
-
-For example, the following shell application can refer to `curl` directly, rather than needing to write `${curl}/bin/curl`:
+For example, look at the following code:
 
 ```nix
 writeShellApplication {
@@ -634,6 +164,10 @@ writeShellApplication {
 }
 ```
 
+Unlike with normal `writeShellScriptBin`, there is no need to manually write out `${curl}/bin/curl`, setting the PATH
+was handled by `writeShellApplication`. Moreover, the script is being checked with `shellcheck` for more strict
+validation.
+
 ## `symlinkJoin` {#trivial-builder-symlinkJoin}
 
 This can be used to put many derivations into the same directory structure. It works by creating a new derivation and adding symlinks to each of the paths listed. It expects two arguments, `name`, and `paths`. `name` is the name used in the Nix store path for the created derivation. `paths` is a list of paths that will be symlinked. These paths can be to Nix store derivations or any other subdirectory contained within.
@@ -660,23 +194,19 @@ This creates a derivation with a directory structure like the following:
 
 ## `writeReferencesToFile` {#trivial-builder-writeReferencesToFile}
 
-Deprecated. Use [`writeClosure`](#trivial-builder-writeClosure) instead.
+Writes the closure of transitive dependencies to a file.
 
-## `writeClosure` {#trivial-builder-writeClosure}
-
-Given a list of [store paths](https://nixos.org/manual/nix/stable/glossary#gloss-store-path) (or string-like expressions coercible to store paths), write their collective [closure](https://nixos.org/manual/nix/stable/glossary#gloss-closure) to a text file.
-
-The result is equivalent to the output of `nix-store -q --requisites`.
+This produces the equivalent of `nix-store -q --requisites`.
 
 For example,
 
 ```nix
-writeClosure [ (writeScriptBin "hi" ''${hello}/bin/hello'') ]
+writeReferencesToFile (writeScriptBin "hi" ''${hello}/bin/hello'')
 ```
 
 produces an output path `/nix/store/<hash>-runtime-deps` containing
 
-```
+```nix
 /nix/store/<hash>-hello-2.10
 /nix/store/<hash>-hi
 /nix/store/<hash>-libidn2-2.3.0
@@ -702,7 +232,7 @@ writeDirectReferencesToFile (writeScriptBin "hi" ''${hello}/bin/hello'')
 
 produces an output path `/nix/store/<hash>-runtime-references` containing
 
-```
+```nix
 /nix/store/<hash>-hello-2.10
 ```
 

doc/common.nix

@@ -0,0 +1,4 @@
+{
+  outputPath = "share/doc/nixpkgs";
+  indexPath = "manual.html";
+}

doc/default.nix

@@ -1,6 +1,152 @@
-{
-  pkgs ? (import ./.. { }),
-  nixpkgs ? { },
-}:
+{ pkgs ? (import ./.. { }), nixpkgs ? { }}:
+let
+  inherit (pkgs) lib;
+  inherit (lib) hasPrefix removePrefix;
 
-pkgs.nixpkgs-manual.override { inherit nixpkgs; }
+  common = import ./common.nix;
+
+  lib-docs = import ./doc-support/lib-function-docs.nix {
+    inherit pkgs nixpkgs;
+    libsets = [
+      { name = "asserts"; description = "assertion functions"; }
+      { name = "attrsets"; description = "attribute set functions"; }
+      { name = "strings"; description = "string manipulation functions"; }
+      { name = "versions"; description = "version string functions"; }
+      { name = "trivial"; description = "miscellaneous functions"; }
+      { name = "fixedPoints"; baseName = "fixed-points"; description = "explicit recursion functions"; }
+      { name = "lists"; description = "list manipulation functions"; }
+      { name = "debug"; description = "debugging functions"; }
+      { name = "options"; description = "NixOS / nixpkgs option handling"; }
+      { name = "path"; description = "path functions"; }
+      { name = "filesystem"; description = "filesystem functions"; }
+      { name = "fileset"; description = "file set functions"; }
+      { name = "sources"; description = "source filtering functions"; }
+      { name = "cli"; description = "command-line serialization functions"; }
+      { name = "gvariant"; description = "GVariant formatted string serialization functions"; }
+      { name = "customisation"; description = "Functions to customise (derivation-related) functions, derivatons, or attribute sets"; }
+      { name = "meta"; description = "functions for derivation metadata"; }
+    ];
+  };
+
+  epub = pkgs.runCommand "manual.epub" {
+    nativeBuildInputs = with pkgs; [ libxslt zip ];
+
+    epub = ''
+      <book xmlns="http://docbook.org/ns/docbook"
+            xmlns:xlink="http://www.w3.org/1999/xlink"
+            version="5.0"
+            xml:id="nixpkgs-manual">
+        <info>
+          <title>Nixpkgs Manual</title>
+          <subtitle>Version ${pkgs.lib.version}</subtitle>
+        </info>
+        <chapter>
+          <title>Temporarily unavailable</title>
+          <para>
+            The Nixpkgs manual is currently not available in EPUB format,
+            please use the <link xlink:href="https://nixos.org/nixpkgs/manual">HTML manual</link>
+            instead.
+          </para>
+          <para>
+            If you've used the EPUB manual in the past and it has been useful to you, please
+            <link xlink:href="https://github.com/NixOS/nixpkgs/issues/237234">let us know</link>.
+          </para>
+        </chapter>
+      </book>
+    '';
+
+    passAsFile = [ "epub" ];
+  } ''
+    mkdir scratch
+    xsltproc \
+      --param chapter.autolabel 0 \
+      --nonet \
+      --output scratch/ \
+      ${pkgs.docbook_xsl_ns}/xml/xsl/docbook/epub/docbook.xsl \
+      $epubPath
+
+    echo "application/epub+zip" > mimetype
+    zip -0Xq "$out" mimetype
+    cd scratch && zip -Xr9D "$out" *
+  '';
+
+  # NB: This file describes the Nixpkgs manual, which happens to use module
+  #     docs infra originally developed for NixOS.
+  optionsDoc = pkgs.nixosOptionsDoc {
+    inherit (pkgs.lib.evalModules {
+      modules = [ ../pkgs/top-level/config.nix ];
+      class = "nixpkgsConfig";
+    }) options;
+    documentType = "none";
+    transformOptions = opt:
+      opt // {
+        declarations =
+          map
+            (decl:
+              if hasPrefix (toString ../..) (toString decl)
+              then
+                let subpath = removePrefix "/" (removePrefix (toString ../.) (toString decl));
+                in { url = "https://github.com/NixOS/nixpkgs/blob/master/${subpath}"; name = subpath; }
+              else decl)
+            opt.declarations;
+        };
+  };
+in pkgs.stdenv.mkDerivation {
+  name = "nixpkgs-manual";
+
+  nativeBuildInputs = with pkgs; [
+    nixos-render-docs
+  ];
+
+  src = ./.;
+
+  postPatch = ''
+    ln -s ${optionsDoc.optionsJSON}/share/doc/nixos/options.json ./config-options.json
+  '';
+
+  buildPhase = ''
+    cat \
+      ./functions/library.md.in \
+      ${lib-docs}/index.md \
+      > ./functions/library.md
+    substitute ./manual.md.in ./manual.md \
+      --replace '@MANUAL_VERSION@' '${pkgs.lib.version}'
+
+    mkdir -p out/media
+
+    mkdir -p out/highlightjs
+    cp -t out/highlightjs \
+      ${pkgs.documentation-highlighter}/highlight.pack.js \
+      ${pkgs.documentation-highlighter}/LICENSE \
+      ${pkgs.documentation-highlighter}/mono-blue.css \
+      ${pkgs.documentation-highlighter}/loader.js
+
+    cp -t out ./overrides.css ./style.css
+
+    nixos-render-docs manual html \
+      --manpage-urls ./manpage-urls.json \
+      --revision ${pkgs.lib.trivial.revisionWithDefault (pkgs.rev or "master")} \
+      --stylesheet style.css \
+      --stylesheet overrides.css \
+      --stylesheet highlightjs/mono-blue.css \
+      --script ./highlightjs/highlight.pack.js \
+      --script ./highlightjs/loader.js \
+      --toc-depth 1 \
+      --section-toc-depth 1 \
+      manual.md \
+      out/index.html
+  '';
+
+  installPhase = ''
+    dest="$out/${common.outputPath}"
+    mkdir -p "$(dirname "$dest")"
+    mv out "$dest"
+    mv "$dest/index.html" "$dest/${common.indexPath}"
+
+    cp ${epub} "$dest/nixpkgs-manual.epub"
+
+    mkdir -p $out/nix-support/
+    echo "doc manual $dest ${common.indexPath}" >> $out/nix-support/hydra-build-products
+    echo "doc manual $dest nixpkgs-manual.epub" >> $out/nix-support/hydra-build-products
+  '';
+}

doc/doc-support/epub.nix

@@ -1,54 +0,0 @@
-# To build this derivation, run `nix-build -A nixpkgs-manual.epub`
-{
-  lib,
-  runCommand,
-  docbook_xsl_ns,
-  libxslt,
-  zip,
-}:
-runCommand "manual.epub"
-  {
-    nativeBuildInputs = [
-      libxslt
-      zip
-    ];
-
-    epub = ''
-      <book xmlns="http://docbook.org/ns/docbook"
-            xmlns:xlink="http://www.w3.org/1999/xlink"
-            version="5.0"
-            xml:id="nixpkgs-manual">
-        <info>
-          <title>Nixpkgs Manual</title>
-          <subtitle>Version ${lib.version}</subtitle>
-        </info>
-        <chapter>
-          <title>Temporarily unavailable</title>
-          <para>
-            The Nixpkgs manual is currently not available in EPUB format,
-            please use the <link xlink:href="https://nixos.org/nixpkgs/manual">HTML manual</link>
-            instead.
-          </para>
-          <para>
-            If you've used the EPUB manual in the past and it has been useful to you, please
-            <link xlink:href="https://github.com/NixOS/nixpkgs/issues/237234">let us know</link>.
-          </para>
-        </chapter>
-      </book>
-    '';
-
-    passAsFile = [ "epub" ];
-  }
-  ''
-    mkdir scratch
-    xsltproc \
-      --param chapter.autolabel 0 \
-      --nonet \
-      --output scratch/ \
-      ${docbook_xsl_ns}/xml/xsl/docbook/epub/docbook.xsl \
-      $epubPath
-
-    echo "application/epub+zip" > mimetype
-    zip -0Xq -b "$TMPDIR" "$out" mimetype
-    cd scratch && zip -Xr9D -b "$TMPDIR" "$out" *
-  ''

doc/doc-support/lib-function-docs.nix

@@ -1,122 +1,27 @@
 # Generates the documentation for library functions via nixdoc.
-# To build this derivation, run `nix-build -A nixpkgs-manual.lib-docs`
-{
-  lib,
-  stdenvNoCC,
-  nixdoc,
-  nix,
-  nixpkgs ? { },
-  libsets ? [
-    {
-      name = "asserts";
-      description = "assertion functions";
-    }
-    {
-      name = "attrsets";
-      description = "attribute set functions";
-    }
-    {
-      name = "strings";
-      description = "string manipulation functions";
-    }
-    {
-      name = "versions";
-      description = "version string functions";
-    }
-    {
-      name = "trivial";
-      description = "miscellaneous functions";
-    }
-    {
-      name = "fixedPoints";
-      baseName = "fixed-points";
-      description = "explicit recursion functions";
-    }
-    {
-      name = "lists";
-      description = "list manipulation functions";
-    }
-    {
-      name = "debug";
-      description = "debugging functions";
-    }
-    {
-      name = "options";
-      description = "NixOS / nixpkgs option handling";
-    }
-    {
-      name = "path";
-      description = "path functions";
-    }
-    {
-      name = "filesystem";
-      description = "filesystem functions";
-    }
-    {
-      name = "fileset";
-      description = "file set functions";
-    }
-    {
-      name = "sources";
-      description = "source filtering functions";
-    }
-    {
-      name = "cli";
-      description = "command-line serialization functions";
-    }
-    {
-      name = "generators";
-      description = "functions that create file formats from nix data structures";
-    }
-    {
-      name = "gvariant";
-      description = "GVariant formatted string serialization functions";
-    }
-    {
-      name = "customisation";
-      description = "Functions to customise (derivation-related) functions, derivatons, or attribute sets";
-    }
-    {
-      name = "meta";
-      description = "functions for derivation metadata";
-    }
-    {
-      name = "derivations";
-      description = "miscellaneous derivation-specific functions";
-    }
-  ],
-}:
 
-stdenvNoCC.mkDerivation {
+{ pkgs, nixpkgs, libsets }:
+
+with pkgs;
+
+let
+  locationsJSON = import ./lib-function-locations.nix { inherit pkgs nixpkgs libsets; };
+in
+stdenv.mkDerivation {
   name = "nixpkgs-lib-docs";
+  src = ../../lib;
 
-  src = lib.fileset.toSource {
-    root = ../..;
-    fileset = ../../lib;
-  };
-
-  buildInputs = [
-    nixdoc
-    nix
-  ];
-
+  buildInputs = [ nixdoc ];
   installPhase = ''
-    export NIX_STATE_DIR=$(mktemp -d)
-    nix-instantiate --eval --strict --json ${./lib-function-locations.nix} \
-      --arg nixpkgsPath "./." \
-      --argstr revision ${nixpkgs.rev or "master"} \
-      --argstr libsetsJSON ${lib.escapeShellArg (builtins.toJSON libsets)} \
-      > locations.json
-
     function docgen {
       name=$1
       baseName=$2
       description=$3
       # TODO: wrap lib.$name in <literal>, make nixdoc not escape it
-      if [[ -e "lib/$baseName.nix" ]]; then
-        nixdoc -c "$name" -d "lib.$name: $description" -l locations.json -f "lib/$baseName.nix" > "$out/$name.md"
+      if [[ -e "../lib/$baseName.nix" ]]; then
+        nixdoc -c "$name" -d "lib.$name: $description" -l ${locationsJSON} -f "$baseName.nix" > "$out/$name.md"
       else
-        nixdoc -c "$name" -d "lib.$name: $description" -l locations.json -f "lib/$baseName/default.nix" > "$out/$name.md"
+        nixdoc -c "$name" -d "lib.$name: $description" -l ${locationsJSON} -f "$baseName/default.nix" > "$out/$name.md"
       fi
       echo "$out/$name.md" >> "$out/index.md"
     }
@@ -124,19 +29,12 @@ stdenvNoCC.mkDerivation {
     mkdir -p "$out"
 
     cat > "$out/index.md" << 'EOF'
-    ```{=include=} sections auto-id-prefix=auto-generated
+    ```{=include=} sections
     EOF
 
-    ${lib.concatMapStrings (
-      {
-        name,
-        baseName ? name,
-        description,
-      }:
-      ''
-        docgen ${name} ${baseName} ${lib.escapeShellArg description}
-      ''
-    ) libsets}
+    ${lib.concatMapStrings ({ name, baseName ? name, description }: ''
+      docgen ${name} ${baseName} ${lib.escapeShellArg description}
+    '') libsets}
 
     echo '```' >> "$out/index.md"
   '';

doc/doc-support/lib-function-locations.nix

@@ -1,14 +1,13 @@
-{ nixpkgsPath, revision, libsetsJSON }:
+{ pkgs, nixpkgs ? { }, libsets }:
 let
-  lib = import (nixpkgsPath + "/lib");
-  libsets = builtins.fromJSON libsetsJSON;
+  revision = pkgs.lib.trivial.revisionWithDefault (nixpkgs.rev or "master");
 
   libDefPos = prefix: set:
     builtins.concatMap
       (name: [{
         name = builtins.concatStringsSep "." (prefix ++ [name]);
         location = builtins.unsafeGetAttrPos name set;
-      }] ++ lib.optionals
+      }] ++ nixpkgsLib.optionals
         (builtins.length prefix == 0 && builtins.isAttrs set.${name})
         (libDefPos (prefix ++ [name]) set.${name})
       ) (builtins.attrNames set);
@@ -21,6 +20,8 @@ let
       })
       (builtins.map (x: x.name) libsets);
 
+  nixpkgsLib = pkgs.lib;
+
   flattenedLibSubset = { subsetname, functions }:
   builtins.map
     (fn: {
@@ -37,13 +38,13 @@ let
       substr = builtins.substring prefixLen filenameLen filename;
       in substr;
 
-  removeNixpkgs = removeFilenamePrefix (builtins.toString nixpkgsPath);
+  removeNixpkgs = removeFilenamePrefix (builtins.toString pkgs.path);
 
   liblocations =
     builtins.filter
       (elem: elem.value != null)
-      (lib.lists.flatten
-        (locatedlibsets lib));
+      (nixpkgsLib.lists.flatten
+        (locatedlibsets nixpkgsLib));
 
   fnLocationRelative = { name, value }:
     {
@@ -71,4 +72,4 @@ let
     relativeLocs);
 
 in
-jsonLocs
+pkgs.writeText "locations.json" (builtins.toJSON jsonLocs)

doc/doc-support/options-doc.nix

@@ -1,28 +0,0 @@
-# To build this derivation, run `nix-build -A nixpkgs-manual.optionsDoc`
-{ lib, nixosOptionsDoc }:
-
-let
-  modules = lib.evalModules {
-    modules = [ ../../pkgs/top-level/config.nix ];
-    class = "nixpkgsConfig";
-  };
-
-  root = toString ../..;
-
-  transformDeclaration =
-    decl:
-    let
-      declStr = toString decl;
-      subpath = lib.removePrefix "/" (lib.removePrefix root declStr);
-    in
-    assert lib.hasPrefix root declStr;
-    {
-      url = "https://github.com/NixOS/nixpkgs/blob/master/${subpath}";
-      name = subpath;
-    };
-in
-nixosOptionsDoc {
-  inherit (modules) options;
-  documentType = "none";
-  transformOptions = opt: opt // { declarations = map transformDeclaration opt.declarations; };
-}

doc/doc-support/package.nix

@@ -1,106 +0,0 @@
-# This file describes the Nixpkgs manual, which happens to use module docs infra originally
-# developed for NixOS. To build this derivation, run `nix-build -A nixpkgs-manual`.
-#
-{
-  lib,
-  stdenvNoCC,
-  callPackage,
-  documentation-highlighter,
-  nixos-render-docs,
-  nixpkgs ? { },
-}:
-
-stdenvNoCC.mkDerivation (
-  finalAttrs:
-  let
-    inherit (finalAttrs.finalPackage.optionsDoc) optionsJSON;
-    inherit (finalAttrs.finalPackage) epub lib-docs pythonInterpreterTable;
-  in
-  {
-    name = "nixpkgs-manual";
-
-    nativeBuildInputs = [ nixos-render-docs ];
-
-    src = lib.fileset.toSource {
-      root = ../.;
-      fileset = lib.fileset.unions [
-        (lib.fileset.fileFilter (file: file.hasExt "md" || file.hasExt "md.in") ../.)
-        ../style.css
-        ../anchor-use.js
-        ../anchor.min.js
-        ../manpage-urls.json
-      ];
-    };
-
-    postPatch = ''
-      ln -s ${optionsJSON}/share/doc/nixos/options.json ./config-options.json
-    '';
-
-    buildPhase = ''
-      substituteInPlace ./languages-frameworks/python.section.md \
-        --subst-var-by python-interpreter-table "$(<"${pythonInterpreterTable}")"
-
-      cat \
-        ./functions/library.md.in \
-        ${lib-docs}/index.md \
-        > ./functions/library.md
-      substitute ./manual.md.in ./manual.md \
-        --replace-fail '@MANUAL_VERSION@' '${lib.version}'
-
-      mkdir -p out/media
-
-      mkdir -p out/highlightjs
-      cp -t out/highlightjs \
-        ${documentation-highlighter}/highlight.pack.js \
-        ${documentation-highlighter}/LICENSE \
-        ${documentation-highlighter}/mono-blue.css \
-        ${documentation-highlighter}/loader.js
-
-      cp -t out ./style.css ./anchor.min.js ./anchor-use.js
-
-      nixos-render-docs manual html \
-        --manpage-urls ./manpage-urls.json \
-        --revision ${lib.trivial.revisionWithDefault (nixpkgs.rev or "master")} \
-        --stylesheet style.css \
-        --stylesheet highlightjs/mono-blue.css \
-        --script ./highlightjs/highlight.pack.js \
-        --script ./highlightjs/loader.js \
-        --script ./anchor.min.js \
-        --script ./anchor-use.js \
-        --toc-depth 1 \
-        --section-toc-depth 1 \
-        manual.md \
-        out/index.html
-    '';
-
-    installPhase = ''
-      dest="$out/share/doc/nixpkgs"
-      mkdir -p "$(dirname "$dest")"
-      mv out "$dest"
-      mv "$dest/index.html" "$dest/manual.html"
-
-      cp ${epub} "$dest/nixpkgs-manual.epub"
-
-      mkdir -p $out/nix-support/
-      echo "doc manual $dest manual.html" >> $out/nix-support/hydra-build-products
-      echo "doc manual $dest nixpkgs-manual.epub" >> $out/nix-support/hydra-build-products
-    '';
-
-    passthru = {
-      lib-docs = callPackage ./lib-function-docs.nix { inherit nixpkgs; };
-
-      epub = callPackage ./epub.nix { };
-
-      optionsDoc = callPackage ./options-doc.nix { };
-
-      pythonInterpreterTable = callPackage ./python-interpreter-table.nix { };
-
-      shell = callPackage ../../pkgs/tools/nix/web-devmode.nix {
-        buildArgs = "./.";
-        open = "/share/doc/nixpkgs/manual.html";
-      };
-
-      tests.manpage-urls = callPackage ../tests/manpage-urls.nix { };
-    };
-  }
-)

doc/doc-support/python-interpreter-table.nix

@@ -1,64 +0,0 @@
-# To build this derivation, run `nix-build -A nixpkgs-manual.pythonInterpreterTable`
-{
-  lib,
-  writeText,
-  pkgs,
-  pythonInterpreters,
-}:
-let
-  isPythonInterpreter =
-    name:
-    /*
-      NB: Package names that don't follow the regular expression:
-      - `python-cosmopolitan` is not part of `pkgs.pythonInterpreters`.
-      - `_prebuilt` interpreters are used for bootstrapping internally.
-      - `python3Minimal` contains python packages, left behind conservatively.
-      - `rustpython` lacks `pythonVersion` and `implementation`.
-    */
-    (lib.strings.match "(pypy|python)([[:digit:]]*)" name) != null;
-
-  interpreterName =
-    pname:
-    let
-      cuteName = {
-        cpython = "CPython";
-        pypy = "PyPy";
-      };
-      interpreter = pkgs.${pname};
-    in
-    "${cuteName.${interpreter.implementation}} ${interpreter.pythonVersion}";
-
-  interpreters = lib.reverseList (
-    lib.naturalSort (lib.filter isPythonInterpreter (lib.attrNames pythonInterpreters))
-  );
-
-  aliases =
-    pname:
-    lib.attrNames (
-      lib.filterAttrs (
-        name: value:
-        isPythonInterpreter name && name != pname && interpreterName name == interpreterName pname
-      ) pkgs
-    );
-
-  result = map (pname: {
-    inherit pname;
-    aliases = aliases pname;
-    interpreter = interpreterName pname;
-  }) interpreters;
-
-  toMarkdown =
-    data:
-    let
-      line = package: ''
-        | ${package.pname} | ${lib.concatStringsSep ", " package.aliases or [ ]} | ${package.interpreter} |
-      '';
-    in
-    lib.concatStringsSep "" (map line data);
-
-in
-writeText "python-interpreter-table.md" ''
-  | Package | Aliases | Interpeter |
-  |---------|---------|------------|
-  ${toMarkdown result}
-''

doc/functions/generators.section.md

@@ -6,9 +6,8 @@ All generators follow a similar call interface: `generatorName configFunctions d
 Generators can be fine-tuned to produce exactly the file format required by your application/service. One example is an INI-file format which uses `: ` as separator, the strings `"yes"`/`"no"` as boolean values and requires all string values to be quoted:
 
 ```nix
+with lib;
 let
-  inherit (lib) generators isString;
-
   customToINI = generators.toINI {
     # specifies how to format a key/value pair
     mkKeyValue = generators.mkKeyValueDefault {
@@ -54,4 +53,4 @@ merge:"diff3"
 Nix store paths can be converted to strings by enclosing a derivation attribute like so: `"${drv}"`.
 :::
 
-Detailed documentation for each generator can be found [here](#sec-functions-library-generators)
+Detailed documentation for each generator can be found in `lib/generators.nix`.

doc/functions/nix-gitignore.section.md

@@ -7,30 +7,27 @@
 `pkgs.nix-gitignore` exports a number of functions, but you'll most likely need either `gitignoreSource` or `gitignoreSourcePure`. As their first argument, they both accept either 1. a file with gitignore lines or 2. a string with gitignore lines, or 3. a list of either of the two. They will be concatenated into a single big string.
 
 ```nix
-{ pkgs ? import <nixpkgs> {} }: {
+{ pkgs ? import <nixpkgs> {} }:
 
- src = nix-gitignore.gitignoreSource [] ./source;
+ nix-gitignore.gitignoreSource [] ./source
      # Simplest version
 
- src = nix-gitignore.gitignoreSource "supplemental-ignores\n" ./source;
+ nix-gitignore.gitignoreSource "supplemental-ignores\n" ./source
      # This one reads the ./source/.gitignore and concats the auxiliary ignores
 
- src = nix-gitignore.gitignoreSourcePure "ignore-this\nignore-that\n" ./source;
+ nix-gitignore.gitignoreSourcePure "ignore-this\nignore-that\n" ./source
      # Use this string as gitignore, don't read ./source/.gitignore.
 
- src = nix-gitignore.gitignoreSourcePure ["ignore-this\nignore-that\n" ~/.gitignore] ./source;
+ nix-gitignore.gitignoreSourcePure ["ignore-this\nignore-that\n", ~/.gitignore] ./source
      # It also accepts a list (of strings and paths) that will be concatenated
      # once the paths are turned to strings via readFile.
-}
 ```
 
 These functions are derived from the `Filter` functions by setting the first filter argument to `(_: _: true)`:
 
 ```nix
-{
-  gitignoreSourcePure = gitignoreFilterSourcePure (_: _: true);
-  gitignoreSource = gitignoreFilterSource (_: _: true);
-}
+gitignoreSourcePure = gitignoreFilterSourcePure (_: _: true);
+gitignoreSource = gitignoreFilterSource (_: _: true);
 ```
 
 Those filter functions accept the same arguments the `builtins.filterSource` function would pass to its filters, thus `fn: gitignoreFilterSourcePure fn ""` should be extensionally equivalent to `filterSource`. The file is blacklisted if it's blacklisted by either your filter or the gitignoreFilter.
@@ -38,9 +35,7 @@ Those filter functions accept the same arguments the `builtins.filterSource` fun
 If you want to make your own filter from scratch, you may use
 
 ```nix
-{
-  gitignoreFilter = ign: root: filterPattern (gitignoreToPatterns ign) root;
-}
+gitignoreFilter = ign: root: filterPattern (gitignoreToPatterns ign) root;
 ```
 
 ## gitignore files in subdirectories {#sec-pkgs-nix-gitignore-usage-recursive}
@@ -48,9 +43,7 @@ If you want to make your own filter from scratch, you may use
 If you wish to use a filter that would search for .gitignore files in subdirectories, just like git does by default, use this function:
 
 ```nix
-{
-  # gitignoreFilterRecursiveSource = filter: patterns: root:
-  # OR
-  gitignoreRecursiveSource = gitignoreFilterSourcePure (_: _: true);
-}
+gitignoreFilterRecursiveSource = filter: patterns: root:
+# OR
+gitignoreRecursiveSource = gitignoreFilterSourcePure (_: _: true);
 ```

doc/hooks/breakpoint.section.md

@@ -3,9 +3,7 @@
 This hook will make a build pause instead of stopping when a failure happens. It prevents nix from cleaning up the build environment immediately and allows the user to attach to a build environment using the `cntr` command. Upon build error it will print instructions on how to use `cntr`, which can be used to enter the environment for debugging. Installing cntr and running the command will provide shell access to the build sandbox of failed build. At `/var/lib/cntr` the sandboxed filesystem is mounted. All commands and files of the system are still accessible within the shell. To execute commands from the sandbox use the cntr exec subcommand. `cntr` is only supported on Linux-based platforms. To use it first add `cntr` to your `environment.systemPackages` on NixOS or alternatively to the root user on non-NixOS systems. Then in the package that is supposed to be inspected, add `breakpointHook` to `nativeBuildInputs`.
 
 ```nix
-{
-  nativeBuildInputs = [ breakpointHook ];
-}
+nativeBuildInputs = [ breakpointHook ];
 ```
 
 When a build failure happens there will be an instruction printed that shows how to attach with `cntr` to the build sandbox.

doc/hooks/index.md

@@ -29,7 +29,6 @@ scons.section.md
 tetex-tex-live.section.md
 unzip.section.md
 validatePkgConfig.section.md
-versionCheckHook.section.md
 waf.section.md
 zig.section.md
 xcbuild.section.md

doc/hooks/installShellFiles.section.md

@@ -2,38 +2,24 @@
 
 This hook helps with installing manpages and shell completion files. It exposes 2 shell functions `installManPage` and `installShellCompletion` that can be used from your `postInstall` hook.
 
-The `installManPage` function takes one or more paths to manpages to install. The manpages must have a section suffix, and may optionally be compressed (with `.gz` suffix). This function will place them into the correct `share/man/man<section>/` directory, in [`outputMan`](#outputman).
+The `installManPage` function takes one or more paths to manpages to install. The manpages must have a section suffix, and may optionally be compressed (with `.gz` suffix). This function will place them into the correct directory.
 
-The `installShellCompletion` function takes one or more paths to shell completion files. By default it will autodetect the shell type from the completion file extension, but you may also specify it by passing one of `--bash`, `--fish`, or `--zsh`. These flags apply to all paths listed after them (up until another shell flag is given). Each path may also have a custom installation name provided by providing a flag `--name NAME` before the path. If this flag is not provided, zsh completions will be renamed automatically such that `foobar.zsh` becomes `_foobar`. A root name may be provided for all paths using the flag `--cmd NAME`; this synthesizes the appropriate name depending on the shell (e.g. `--cmd foo` will synthesize the name `foo.bash` for bash and `_foo` for zsh).
+The `installShellCompletion` function takes one or more paths to shell completion files. By default it will autodetect the shell type from the completion file extension, but you may also specify it by passing one of `--bash`, `--fish`, or `--zsh`. These flags apply to all paths listed after them (up until another shell flag is given). Each path may also have a custom installation name provided by providing a flag `--name NAME` before the path. If this flag is not provided, zsh completions will be renamed automatically such that `foobar.zsh` becomes `_foobar`. A root name may be provided for all paths using the flag `--cmd NAME`; this synthesizes the appropriate name depending on the shell (e.g. `--cmd foo` will synthesize the name `foo.bash` for bash and `_foo` for zsh). The path may also be a fifo or named fd (such as produced by `<(cmd)`), in which case the shell and name must be provided.
 
 ```nix
-{
-  nativeBuildInputs = [ installShellFiles ];
-  postInstall = ''
-    installManPage doc/foobar.1 doc/barfoo.3
-    # explicit behavior
-    installShellCompletion --bash --name foobar.bash share/completions.bash
-    installShellCompletion --fish --name foobar.fish share/completions.fish
-    installShellCompletion --zsh --name _foobar share/completions.zsh
-    # implicit behavior
-    installShellCompletion share/completions/foobar.{bash,fish,zsh}
-  '';
-}
-```
-
-The path may also be a fifo or named fd (such as produced by `<(cmd)`), in which case the shell and name must be provided (see below).
-
-If the destination shell completion file is not actually present or consists of zero bytes after calling `installShellCompletion` this is treated as a build failure. In particular, if completion files are not vendored but are generated by running an executable, this is likely to fail in cross compilation scenarios. The result will be a zero byte completion file and hence a build failure. To prevent this, guard the completion commands against this, e.g.
-
-```nix
-{
-  nativeBuildInputs = [ installShellFiles ];
-  postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
-    # using named fd
-    installShellCompletion --cmd foobar \
-      --bash <($out/bin/foobar --bash-completion) \
-      --fish <($out/bin/foobar --fish-completion) \
-      --zsh <($out/bin/foobar --zsh-completion)
-  '';
-}
+nativeBuildInputs = [ installShellFiles ];
+postInstall = ''
+  installManPage doc/foobar.1 doc/barfoo.3
+  # explicit behavior
+  installShellCompletion --bash --name foobar.bash share/completions.bash
+  installShellCompletion --fish --name foobar.fish share/completions.fish
+  installShellCompletion --zsh --name _foobar share/completions.zsh
+  # implicit behavior
+  installShellCompletion share/completions/foobar.{bash,fish,zsh}
+  # using named fd
+  installShellCompletion --cmd foobar \
+    --bash <($out/bin/foobar --bash-completion) \
+    --fish <($out/bin/foobar --fish-completion) \
+    --zsh <($out/bin/foobar --zsh-completion)
+'';
 ```

doc/hooks/mpi-check-hook.section.md

@@ -12,14 +12,13 @@ Example:
 
 ```nix
   { mpiCheckPhaseHook, mpi, ... }:
-  {
-    # ...
 
-    nativeCheckInputs = [
-      openssh
-      mpiCheckPhaseHook
-    ];
-  }
+  ...
+
+  nativeCheckInputs = [
+    openssh
+    mpiCheckPhaseHook
+  ];
 ```
 
 

doc/hooks/postgresql-test-hook.section.md

@@ -45,7 +45,6 @@ Bash-only variables:
  - `postgresqlTestSetupCommands`: bash commands to run after database start, defaults to running `$postgresqlTestSetupSQL` as database administrator.
  - `postgresqlEnableTCP`: set to `1` to enable TCP listening. Flaky; not recommended.
  - `postgresqlStartCommands`: defaults to `pg_ctl start`.
- - `postgresqlExtraSettings`: Additional configuration to add to `postgresql.conf`
 
 ## Hooks {#sec-postgresqlTestHook-hooks}
 

doc/hooks/python.section.md

@@ -1,3 +1,3 @@
 # Python {#setup-hook-python}
 
-Adds the `python.sitePackages` subdirectory (i.e. `lib/pythonX.Y/site-packages`) of each build input to the `PYTHONPATH` environment variable.
+Adds the `lib/${python.libPrefix}/site-packages` subdirectory of each build input to the `PYTHONPATH` environment variable.

doc/hooks/versionCheckHook.section.md

@@ -1,35 +0,0 @@
-# versionCheckHook {#versioncheckhook}
-
-This hook adds a `versionCheckPhase` to the [`preInstallCheckHooks`](#ssec-installCheck-phase) that runs the main program of the derivation with a `--help` or `--version` argument, and checks that the `${version}` string is found in that output. You use it like this:
-
-```nix
-{
-  lib,
-  stdenv,
-  versionCheckHook,
-  # ...
-}:
-
-stdenv.mkDerivation (finalAttrs: {
-  # ...
-
-  nativeInstallCheckInputs = [
-    versionCheckHook
-  ];
-  doInstallCheck = true;
-
-  # ...
-})
-```
-
-Note that for [`buildPythonPackage`](#buildpythonpackage-function) and [`buildPythonApplication`](#buildpythonapplication-function), `doInstallCheck` is enabled by default.
-
-It does so in a clean environment (using `env --ignore-environment`), and it checks for the `${version}` string in both the `stdout` and the `stderr` of the command. It will report to you in the build log the output it received and it will fail the build if it failed to find `${version}`.
-
-The variables that this phase control are:
-
-- `dontVersionCheck`: Disable adding this hook to the [`preDistPhases`](#var-stdenv-preDist). Useful if you do want to load the bash functions of the hook, but run them differently.
-- `versionCheckProgram`: The full path to the program that should print the `${version}` string. Defaults roughly to `${placeholder "out"}/bin/${pname}`. Using `$out` in the value of this variable won't work, as environment variables from this variable are not expanded by the hook. Hence using `placeholder` is unavoidable.
-- `versionCheckProgramArg`: The argument that needs to be passed to `versionCheckProgram`. If undefined the hook tries first `--help` and then `--version`. Examples: `version`, `-V`, `-v`.
-- `preVersionCheck`: A hook to run before the check is done.
-- `postVersionCheck`: A hook to run after the check is done.

doc/hooks/waf.section.md

@@ -20,6 +20,10 @@ If `wafPath` doesn't exist, then `wafHook` will copy the `waf` provided from Nix
 
 Controls the flags passed to waf tool during build and install phases. For settings specific to build or install phases, use `wafBuildFlags` or `wafInstallFlags` respectively.
 
+#### `dontAddWafCrossFlags` {#dont-add-waf-cross-flags}
+
+When set to `true`, don't add cross compilation flags during configure phase.
+
 #### `dontUseWafConfigure` {#dont-use-waf-configure}
 
 When set to true, don't use the predefined `wafConfigurePhase`.

doc/hooks/zig.section.md

@@ -9,14 +9,14 @@ In Nixpkgs, `zig.hook` overrides the default build, check and install phases.
 ```nix
 { lib
 , stdenv
-, zig
+, zig_0_11
 }:
 
 stdenv.mkDerivation {
   # . . .
 
   nativeBuildInputs = [
-    zig.hook
+    zig_0_11.hook
   ];
 
   zigBuildFlags = [ "-Dman-pages=true" ];

doc/interoperability.md

@@ -1,5 +0,0 @@
-# Interoperability Standards {#part-interoperability}
-
-```{=include=} chapters
-interoperability/cyclonedx.md
-```

doc/interoperability/cyclonedx.md

@@ -1,79 +0,0 @@
-# CycloneDX {#chap-interop-cyclonedx}
-
-[OWASP](https://owasp.org/) [CycloneDX](https://cyclonedx.org/) is a Software [Bill of Materials](https://en.wikipedia.org/wiki/Bill_of_materials) (SBOM) standard.
-The standards described here are for including Nix specific information within SBOMs in a way that is interoperable with external SBOM tooling.
-
-## `nix` Namespace Property Taxonomy  {#sec-interop.cylonedx-nix}
-
-The following tables describe namespaces for [properties](https://cyclonedx.org/docs/1.6/json/#components_items_properties) that may be attached to components within SBOMs.
-Component properties are lists of name-value-pairs where values must be strings.
-Properties with the same name may appear more than once.
-Names and values are case-sensitive.
-
-| Property         | Description |
-|------------------|-------------|
-| `nix:store_path` | A Nix store path for the given component. This property should be contextualized by additional properties that describe the production of the store path, such as those from the `nix:narinfo:` and `nix:fod` namespaces. |
-
-
-| Namespace     | Description |
-|---------------|-------------|
-| [`nix:narinfo`](#sec-interop.cylonedx-narinfo) | Namespace for properties that are specific to how a component is stored as a [Nix archive](https://nixos.org/manual/nix/stable/glossary#gloss-nar) (NAR) in a [binary cache](https://nixos.org/manual/nix/stable/glossary#gloss-binary-cache). |
-| [`nix:fod`](#sec-interop.cylonedx-fod) | Namespace for properties that describe a [fixed-output derivation](https://nixos.org/manual/nix/stable/glossary#gloss-fixed-output-derivation). |
-
-
-### `nix:narinfo` {#sec-interop.cylonedx-narinfo}
-
-Narinfo properties describe component archives that may be available from binary caches.
-The `nix:narinfo` properties should be accompanied by a `nix:store_path` property within the same property list.
-
-| Property                  | Description |
-|---------------------------|-------------|
-| `nix:narinfo:store_path`  | Store path for the given store component. |
-| `nix:narinfo:url`         | URL path component. |
-| `nix:narinfo:nar_hash`    | Hash of the file system object part of the component when serialized as a Nix Archive. |
-| `nix:narinfo:nar_size`    | Size of the component when serialized as a Nix Archive. |
-| `nix:narinfo:compression` | The compression format that component archive is in. |
-| `nix:narinfo:file_hash`   | A digest for the compressed component archive itself, as opposed to the data contained within. |
-| `nix:narinfo:file_size`   | The size of the compressed component archive itself. |
-| `nix:narinfo:deriver`     | The path to the derivation from which this component is produced. |
-| `nix:narinfo:system`      | The hardware and software platform on which this component is produced. |
-| `nix:narinfo:sig`         | Signatures claiming that this component is what it claims to be. |
-| `nix:narinfo:ca`          | Content address of this store object's file system object, used to compute its store path. |
-| `nix:narinfo:references`  | A whitespace separated array of store paths that this component references. |
-
-### `nix:fod` {#sec-interop.cylonedx-fod}
-
-FOD properties describe a [fixed-output derivation](https://nixos.org/manual/nix/stable/glossary#gloss-fixed-output-derivation).
-The `nix:fod:method` property is required and must be accompanied by a `nix:store_path` property within the same property list.
-All other properties in this namespace are method-specific.
-To reproduce the build of a component the `nix:fod:method` value is resolved to an [appropriate function](#chap-pkgs-fetchers) within Nixpkgs whose arguments intersect with the given properties.
-When generating `nix:fod` properties the method selected should be a stable function with a minimal number arguments.
-For example, the `fetchFromGitHub` is commonly used within Nixpkgs but should be reduced to a call to the function by which it is implemented, `fetchzip`.
-
-| Property         | Description |
-|------------------|-------------|
-| `nix:fod:method` | Nixpkg function that produces this FOD. Required. Examples: `"fetchzip"`, `"fetchgit"` |
-| `nix:fod:name`   | Derivation name, present when method is `"fetchzip"` |
-| `nix:fod:ref`    | [Git ref](https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefrefaref), present when method is `"fetchgit"` |
-| `nix:fod:rev`    | [Git rev](https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefrevisionarevision), present when method is `"fetchgit"` |
-| `nix:fod:sha256` | FOD hash |
-| `nix:fod:url`    | URL to fetch |
-
-
-`nix:fod` properties may be extracted and evaluated to a derivation using code similar to the following, assuming a fictitious function `filterPropertiesToAttrs`:
-
-```nix
-{ pkgs, filterPropertiesToAttrs, properties }:
-let
-  fodProps = filterPropertiesToAttrs "nix:fod:" properties;
-
-  methods = {
-    fetchzip =
-      { name, url, sha256, ... }:
-      pkgs.fetchzip {
-        inherit name url sha256;
-      };
-  };
-
-in methods.${fodProps.method} fodProps
-```

doc/languages-frameworks/agda.section.md

@@ -114,7 +114,7 @@ This can be overridden by a different version of `ghc` as follows:
 
 ```nix
 agda.withPackages {
-  pkgs = [ /* ... */ ];
+  pkgs = [ ... ];
   ghc = haskell.compiler.ghcHEAD;
 }
 ```
@@ -180,7 +180,6 @@ To add an Agda package to `nixpkgs`, the derivation should be written to `pkgs/d
 
 ```nix
 { mkDerivation, standard-library, fetchFromGitHub }:
-{}
 ```
 
 Note that the derivation function is called with `mkDerivation` set to `agdaPackages.mkDerivation`, therefore you
@@ -194,7 +193,7 @@ mkDerivation {
   version = "1.5.0";
   pname = "iowa-stdlib";
 
-  src = <...>;
+  src = ...
 
   libraryFile = "";
   libraryName = "IAL-1.3";

doc/languages-frameworks/android.section.md

@@ -3,36 +3,10 @@
 The Android build environment provides three major features and a number of
 supporting features.
 
-## Using androidenv with Android Studio {#using-androidenv-with-android-studio}
-
-Use the `android-studio-full` attribute for a very complete Android SDK, including system images:
-
-```nix
-buildInputs = [ android-studio-full ];
-```
-
-This is identical to:
-
-```nix
-buildInputs = [ androidStudioPackages.stable.full ];
-```
-
-Alternatively, you can pass composeAndroidPackages to the `withSdk` passthru:
-
-```nix
-buildInputs = [
-  (android-studio.withSdk (androidenv.composeAndroidPackages {
-    includeNDK = true;
-  }).androidsdk)
-];
-```
-
-These will export ANDROID_SDK_ROOT and ANDROID_NDK_ROOT to the SDK and NDK directories
-in the specified Android build environment.
-
 ## Deploying an Android SDK installation with plugins {#deploying-an-android-sdk-installation-with-plugins}
 
-Alternatively, you can deploy the SDK separately with a desired set of plugins, or subsets of an SDK.
+The first use case is deploying the SDK with a desired set of plugins or subsets
+of an SDK.
 
 ```nix
 with import <nixpkgs> {};
@@ -130,20 +104,18 @@ pull from:
   repo.json to the Nix store based on the given repository XMLs.
 
 ```nix
-{
-  repoXmls = {
-    packages = [ ./xml/repository2-1.xml ];
-    images = [
-      ./xml/android-sys-img2-1.xml
-      ./xml/android-tv-sys-img2-1.xml
-      ./xml/android-wear-sys-img2-1.xml
-      ./xml/android-wear-cn-sys-img2-1.xml
-      ./xml/google_apis-sys-img2-1.xml
-      ./xml/google_apis_playstore-sys-img2-1.xml
-    ];
-    addons = [ ./xml/addon2-1.xml ];
-  };
-}
+repoXmls = {
+  packages = [ ./xml/repository2-1.xml ];
+  images = [
+    ./xml/android-sys-img2-1.xml
+    ./xml/android-tv-sys-img2-1.xml
+    ./xml/android-wear-sys-img2-1.xml
+    ./xml/android-wear-cn-sys-img2-1.xml
+    ./xml/google_apis-sys-img2-1.xml
+    ./xml/google_apis_playstore-sys-img2-1.xml
+  ];
+  addons = [ ./xml/addon2-1.xml ];
+};
 ```
 
 When building the above expression with:
@@ -171,14 +143,16 @@ androidComposition.platform-tools
 ## Using predefined Android package compositions {#using-predefined-android-package-compositions}
 
 In addition to composing an Android package set manually, it is also possible
-to use a predefined composition that contains a fairly complete set of Android packages:
+to use a predefined composition that contains all basic packages for a specific
+Android version, such as version 9.0 (API-level 28).
 
-The following Nix expression can be used to deploy the entire SDK:
+The following Nix expression can be used to deploy the entire SDK with all basic
+plugins:
 
 ```nix
 with import <nixpkgs> {};
 
-androidenv.androidPkgs.androidsdk
+androidenv.androidPkgs_9_0.androidsdk
 ```
 
 It is also possible to use one plugin only:
@@ -186,9 +160,50 @@ It is also possible to use one plugin only:
 ```nix
 with import <nixpkgs> {};
 
-androidenv.androidPkgs.platform-tools
+androidenv.androidPkgs_9_0.platform-tools
 ```
 
+## Building an Android application {#building-an-android-application}
+
+In addition to the SDK, it is also possible to build an Ant-based Android
+project and automatically deploy all the Android plugins that a project
+requires.
+
+
+```nix
+with import <nixpkgs> {};
+
+androidenv.buildApp {
+  name = "MyAndroidApp";
+  src = ./myappsources;
+  release = true;
+
+  # If release is set to true, you need to specify the following parameters
+  keyStore = ./keystore;
+  keyAlias = "myfirstapp";
+  keyStorePassword = "mykeystore";
+  keyAliasPassword = "myfirstapp";
+
+  # Any Android SDK parameters that install all the relevant plugins that a
+  # build requires
+  platformVersions = [ "24" ];
+
+  # When we include the NDK, then ndk-build is invoked before Ant gets invoked
+  includeNDK = true;
+}
+```
+
+Aside from the app-specific build parameters (`name`, `src`, `release` and
+keystore parameters), the `buildApp {}` function supports all the function
+parameters that the SDK composition function (the function shown in the
+previous section) supports.
+
+This build function is particularly useful when it is desired to use
+[Hydra](https://nixos.org/hydra): the Nix-based continuous integration solution
+to build Android apps. An Android APK gets exposed as a build product and can be
+installed on any Android device with a web browser by navigating to the build
+result page.
+
 ## Spawning emulator instances {#spawning-emulator-instances}
 
 For testing purposes, it can also be quite convenient to automatically generate
@@ -232,11 +247,11 @@ In addition to prebuilt APKs, you can also bind the APK parameter to a
 
 ## Notes on environment variables in Android projects {#notes-on-environment-variables-in-android-projects}
 
-* `ANDROID_HOME` should point to the Android SDK. In your Nix expressions, this should be
-  `${androidComposition.androidsdk}/libexec/android-sdk`. Note that `ANDROID_SDK_ROOT` is deprecated,
+* `ANDROID_SDK_ROOT` should point to the Android SDK. In your Nix expressions, this should be
+  `${androidComposition.androidsdk}/libexec/android-sdk`. Note that `ANDROID_HOME` is deprecated,
   but if you rely on tools that need it, you can export it too.
 * `ANDROID_NDK_ROOT` should point to the Android NDK, if you're doing NDK development.
-  In your Nix expressions, this should be `${ANDROID_HOME}/ndk-bundle`.
+  In your Nix expressions, this should be `${ANDROID_SDK_ROOT}/ndk-bundle`.
 
 If you are running the Android Gradle plugin, you need to export GRADLE_OPTS to override aapt2
 to point to the aapt2 binary in the Nix store as well, or use a FHS environment so the packaged
@@ -250,11 +265,11 @@ let
   androidComposition = <...>;
 in
 pkgs.mkShell rec {
-  ANDROID_HOME = "${androidComposition.androidsdk}/libexec/android-sdk";
-  ANDROID_NDK_ROOT = "${ANDROID_HOME}/ndk-bundle";
+  ANDROID_SDK_ROOT = "${androidComposition.androidsdk}/libexec/android-sdk";
+  ANDROID_NDK_ROOT = "${ANDROID_SDK_ROOT}/ndk-bundle";
 
   # Use the same buildToolsVersion here
-  GRADLE_OPTS = "-Dorg.gradle.project.android.aapt2FromMavenOverride=${ANDROID_HOME}/build-tools/${buildToolsVersion}/aapt2";
+  GRADLE_OPTS = "-Dorg.gradle.project.android.aapt2FromMavenOverride=${ANDROID_SDK_ROOT}/build-tools/${buildToolsVersion}/aapt2";
 }
 ```
 
@@ -270,18 +285,18 @@ let
   androidComposition = <...>;
 in
 pkgs.mkShell rec {
-  ANDROID_HOME = "${androidComposition.androidsdk}/libexec/android-sdk";
-  ANDROID_NDK_ROOT = "${ANDROID_HOME}/ndk-bundle";
+  ANDROID_SDK_ROOT = "${androidComposition.androidsdk}/libexec/android-sdk";
+  ANDROID_NDK_ROOT = "${ANDROID_SDK_ROOT}/ndk-bundle";
 
   # Use the same cmakeVersion here
   shellHook = ''
-    export PATH="$(echo "$ANDROID_HOME/cmake/${cmakeVersion}".*/bin):$PATH"
+    export PATH="$(echo "$ANDROID_SDK_ROOT/cmake/${cmakeVersion}".*/bin):$PATH"
   '';
 }
 ```
 
-Note that running Android Studio with ANDROID_HOME set will automatically write a
-`local.properties` file with `sdk.dir` set to $ANDROID_HOME if one does not already
+Note that running Android Studio with ANDROID_SDK_ROOT set will automatically write a
+`local.properties` file with `sdk.dir` set to $ANDROID_SDK_ROOT if one does not already
 exist. If you are using the NDK as well, you may have to add `ndk.dir` to this file.
 
 An example shell.nix that does all this for you is provided in examples/shell.nix.
@@ -332,44 +347,3 @@ To update the expressions run the `generate.sh` script that is stored in the
 ```bash
 ./generate.sh
 ```
-
-## Building an Android application with Ant {#building-an-android-application-with-ant}
-
-In addition to the SDK, it is also possible to build an Ant-based Android
-project and automatically deploy all the Android plugins that a project
-requires. Most newer Android projects use Gradle, and this is included for historical
-purposes.
-
-```nix
-with import <nixpkgs> {};
-
-androidenv.buildApp {
-  name = "MyAndroidApp";
-  src = ./myappsources;
-  release = true;
-
-  # If release is set to true, you need to specify the following parameters
-  keyStore = ./keystore;
-  keyAlias = "myfirstapp";
-  keyStorePassword = "mykeystore";
-  keyAliasPassword = "myfirstapp";
-
-  # Any Android SDK parameters that install all the relevant plugins that a
-  # build requires
-  platformVersions = [ "24" ];
-
-  # When we include the NDK, then ndk-build is invoked before Ant gets invoked
-  includeNDK = true;
-}
-```
-
-Aside from the app-specific build parameters (`name`, `src`, `release` and
-keystore parameters), the `buildApp {}` function supports all the function
-parameters that the SDK composition function (the function shown in the
-previous section) supports.
-
-This build function is particularly useful when it is desired to use
-[Hydra](https://nixos.org/hydra): the Nix-based continuous integration solution
-to build Android apps. An Android APK gets exposed as a build product and can be
-installed on any Android device with a web browser by navigating to the build
-result page.

doc/languages-frameworks/beam.section.md

@@ -117,7 +117,6 @@ If there are git dependencies.
 - From the mix_deps.nix file, remove the dependencies that had git versions and pass them as an override to the import function.
 
 ```nix
-{
   mixNixDeps = import ./mix.nix {
     inherit beamPackages lib;
     overrides = (final: prev: {
@@ -139,9 +138,8 @@ If there are git dependencies.
         # you can re-use the same beamDeps argument as generated
         beamDeps = with final; [ prometheus ];
       };
-    });
-  };
-}
+  });
+};
 ```
 
 You will need to run the build process once to fix the hash to correspond to your new git src.
@@ -155,13 +153,11 @@ Practical steps
 - start with the following argument to mixRelease
 
 ```nix
-{
   mixFodDeps = fetchMixDeps {
     pname = "mix-deps-${pname}";
     inherit src version;
     hash = lib.fakeHash;
   };
-}
 ```
 
 The first build will complain about the hash value, you can replace with the suggested value after that.
@@ -220,7 +216,7 @@ in packages.mixRelease {
 Setup will require the following steps:
 
 - Move your secrets to runtime environment variables. For more information refer to the [runtime.exs docs](https://hexdocs.pm/mix/Mix.Tasks.Release.html#module-runtime-configuration). On a fresh Phoenix build that would mean that both `DATABASE_URL` and `SECRET_KEY` need to be moved to `runtime.exs`.
-- `cd assets` and `nix-shell -p node2nix --run "node2nix --development"` will generate a Nix expression containing your frontend dependencies
+- `cd assets` and `nix-shell -p node2nix --run node2nix --development` will generate a Nix expression containing your frontend dependencies
 - commit and push those changes
 - you can now `nix-build .`
 - To run the release, set the `RELEASE_TMP` environment variable to a directory that your program has write access to. It will be used to store the BEAM settings.

doc/languages-frameworks/bower.section.md

@@ -28,7 +28,7 @@ buildEnv { name = "bower-env"; ignoreCollisions = true; paths = [
   (fetchbower "angular" "1.5.3" "~1.5.0" "1749xb0firxdra4rzadm4q9x90v6pzkbd7xmcyjk6qfza09ykk9y")
   (fetchbower "bootstrap" "3.3.6" "~3.3.6" "1vvqlpbfcy0k5pncfjaiskj3y6scwifxygfqnw393sjfxiviwmbv")
   (fetchbower "jquery" "2.2.2" "1.9.1 - 2" "10sp5h98sqwk90y4k6hbdviwqzvzwqf47r3r51pakch5ii2y7js1")
-]; }
+];
 ```
 
 Using the `bower2nix` command line arguments, the output can be redirected to a file. A name like `bower-packages.nix` would be fine.
@@ -42,13 +42,11 @@ The function is implemented in [pkgs/development/bower-modules/generic/default.n
 ### Example buildBowerComponents {#ex-buildBowerComponents}
 
 ```nix
-{
-  bowerComponents = buildBowerComponents {
-    name = "my-web-app";
-    generated = ./bower-packages.nix; # note 1
-    src = myWebApp; # note 2
-  };
-}
+bowerComponents = buildBowerComponents {
+  name = "my-web-app";
+  generated = ./bower-packages.nix; # note 1
+  src = myWebApp; # note 2
+};
 ```
 
 In ["buildBowerComponents" example](#ex-buildBowerComponents) the following arguments are of special significance to the function:

doc/languages-frameworks/chicken.section.md

@@ -13,12 +13,10 @@ done in the typical Nix fashion. For example, to include support for [SRFI
 might write:
 
 ```nix
-{
   buildInputs = [
     chicken
     chickenPackages.chickenEggs.srfi-189
   ];
-}
 ```
 
 Both `chicken` and its eggs have a setup hook which configures the environment
@@ -69,12 +67,12 @@ let
       chickenEggs = super.chickenEggs.overrideScope' (eggself: eggsuper: {
         srfi-180 = eggsuper.srfi-180.overrideAttrs {
           # path to a local copy of srfi-180
-          src = <...>;
+          src = ...
         };
       });
   });
 in
 # Here, `myChickenPackages.chickenEggs.json-rpc`, which depends on `srfi-180` will use
 # the local copy of `srfi-180`.
-<...>
+# ...
 ```

doc/languages-frameworks/coq.section.md

@@ -55,18 +55,17 @@ Here is a simple package example. It is a pure Coq library, thus it depends on C
 ```nix
 { lib, mkCoqDerivation, version ? null
 , coq, mathcomp, mathcomp-finmap, mathcomp-bigenough }:
-
-mkCoqDerivation {
+with lib; mkCoqDerivation {
   /* namePrefix leads to e.g. `name = coq8.11-mathcomp1.11-multinomials-1.5.2` */
   namePrefix = [ "coq" "mathcomp" ];
   pname = "multinomials";
   owner = "math-comp";
   inherit version;
-  defaultVersion = with lib.versions; lib.switch [ coq.version mathcomp.version ] [
-      { cases = [ (range "8.7" "8.12") (isEq "1.11") ];        out = "1.5.2"; }
-      { cases = [ (range "8.7" "8.11") (range "1.8" "1.10") ]; out = "1.5.0"; }
-      { cases = [ (range "8.7" "8.10") (range "1.8" "1.10") ]; out = "1.4"; }
-      { cases = [ (isEq "8.6")         (range "1.6" "1.7") ];  out = "1.1"; }
+  defaultVersion =  with versions; switch [ coq.version mathcomp.version ] [
+      { cases = [ (range "8.7" "8.12")  "1.11.0" ];             out = "1.5.2"; }
+      { cases = [ (range "8.7" "8.11")  (range "1.8" "1.10") ]; out = "1.5.0"; }
+      { cases = [ (range "8.7" "8.10")  (range "1.8" "1.10") ]; out = "1.4"; }
+      { cases = [ "8.6"                 (range "1.6" "1.7") ];  out = "1.1"; }
     ] null;
   release = {
     "1.5.2".sha256 = "15aspf3jfykp1xgsxf8knqkxv8aav2p39c2fyirw7pwsfbsv2c4s";
@@ -84,8 +83,8 @@ mkCoqDerivation {
     [ mathcomp.ssreflect mathcomp.algebra mathcomp-finmap mathcomp-bigenough ];
 
   meta = {
-    description = "Coq/SSReflect Library for Monoidal Rings and Multinomials";
-    license = lib.licenses.cecill-c;
+    description = "A Coq/SSReflect Library for Monoidal Rings and Multinomials";
+    license = licenses.cecill-c;
   };
 }
 ```

doc/languages-frameworks/crystal.section.md

@@ -33,26 +33,22 @@ crystal.buildCrystalPackage rec {
   # Insert the path to your shards.nix file here
   shardsFile = ./shards.nix;
 
-  # ...
+  ...
 }
 ```
 
 This won't build anything yet, because we haven't told it what files build. We can specify a mapping from binary names to source files with the `crystalBinaries` attribute. The project's compilation instructions should show this. For Mint, the binary is called "mint", which is compiled from the source file `src/mint.cr`, so we'll specify this as follows:
 
 ```nix
-{
   crystalBinaries.mint.src = "src/mint.cr";
 
   # ...
-}
 ```
 
 Additionally you can override the default `crystal build` options (which are currently `--release --progress --no-debug --verbose`) with
 
 ```nix
-{
   crystalBinaries.mint.options = [ "--release" "--verbose" ];
-}
 ```
 
 Depending on the project, you might need additional steps to get it to compile successfully. In Mint's case, we need to link against openssl, so in the end the Nix file looks as follows:

doc/languages-frameworks/cuda.section.md

@@ -16,28 +16,24 @@ To use one or more CUDA packages in an expression, give the expression a `cudaPa
 , cudaSupport ? config.cudaSupport
 , cudaPackages ? { }
 , ...
-}: {}
+}:
 ```
 
 When using `callPackage`, you can choose to pass in a different variant, e.g.
 when a different version of the toolkit suffices
 ```nix
-{
-  mypkg = callPackage { cudaPackages = cudaPackages_11_5; };
-}
+mypkg = callPackage { cudaPackages = cudaPackages_11_5; }
 ```
 
 If another version of say `cudnn` or `cutensor` is needed, you can override the
 package set to make it the default. This guarantees you get a consistent package
 set.
 ```nix
-{
-  mypkg = let
-    cudaPackages = cudaPackages_11_5.overrideScope (final: prev: {
-      cudnn = prev.cudnn_8_3;
-    });
-  in callPackage { inherit cudaPackages; };
-}
+mypkg = let
+  cudaPackages = cudaPackages_11_5.overrideScope (final: prev: {
+    cudnn = prev.cudnn_8_3;
+  }});
+in callPackage { inherit cudaPackages; };
 ```
 
 The CUDA NVCC compiler requires flags to determine which hardware you
@@ -72,45 +68,16 @@ All new projects should use the CUDA redistributables available in [`cudaPackage
 ### Updating CUDA redistributables {#updating-cuda-redistributables}
 
 1. Go to NVIDIA's index of CUDA redistributables: <https://developer.download.nvidia.com/compute/cuda/redist/>
-2. Make a note of the new version of CUDA available.
-3. Run
+2. Copy the `redistrib_*.json` corresponding to the release to `pkgs/development/compilers/cudatoolkit/redist/manifests`.
+3. Generate the `redistrib_features_*.json` file by running:
 
-   ```bash
-   nix run github:connorbaker/cuda-redist-find-features -- \
-      download-manifests \
-      --log-level DEBUG \
-      --version <newest CUDA version> \
-      https://developer.download.nvidia.com/compute/cuda/redist \
-      ./pkgs/development/cuda-modules/cuda/manifests
-   ```
+    ```bash
+    nix run github:ConnorBaker/cuda-redist-find-features -- <path to manifest>
+    ```
 
-   This will download a copy of the manifest for the new version of CUDA.
-4. Run
+    That command will generate the `redistrib_features_*.json` file in the same directory as the manifest.
 
-   ```bash
-   nix run github:connorbaker/cuda-redist-find-features -- \
-      process-manifests \
-      --log-level DEBUG \
-      --version <newest CUDA version> \
-      https://developer.download.nvidia.com/compute/cuda/redist \
-      ./pkgs/development/cuda-modules/cuda/manifests
-   ```
-
-   This will generate a `redistrib_features_<newest CUDA version>.json` file in the same directory as the manifest.
-5. Update the `cudaVersionMap` attribute set in `pkgs/development/cuda-modules/cuda/extension.nix`.
-
-### Updating cuTensor {#updating-cutensor}
-
-1. Repeat the steps present in [Updating CUDA redistributables](#updating-cuda-redistributables) with the following changes:
-   - Use the index of cuTensor redistributables: <https://developer.download.nvidia.com/compute/cutensor/redist>
-   - Use the newest version of cuTensor available instead of the newest version of CUDA.
-   - Use `pkgs/development/cuda-modules/cutensor/manifests` instead of `pkgs/development/cuda-modules/cuda/manifests`.
-   - Skip the step of updating `cudaVersionMap` in `pkgs/development/cuda-modules/cuda/extension.nix`.
-
-### Updating supported compilers and GPUs {#updating-supported-compilers-and-gpus}
-
-1. Update `nvcc-compatibilities.nix` in `pkgs/development/cuda-modules/` to include the newest release of NVCC, as well as any newly supported host compilers.
-2. Update `gpus.nix` in `pkgs/development/cuda-modules/` to include any new GPUs supported by the new release of CUDA.
+4. Include the path to the new manifest in `pkgs/development/compilers/cudatoolkit/redist/extension.nix`.
 
 ### Updating the CUDA Toolkit runfile installer {#updating-the-cuda-toolkit}
 
@@ -132,7 +99,7 @@ All new projects should use the CUDA redistributables available in [`cudaPackage
    nix store prefetch-file --hash-type sha256 <link>
    ```
 
-4. Update `pkgs/development/cuda-modules/cudatoolkit/releases.nix` to include the release.
+4. Update `pkgs/development/compilers/cudatoolkit/versions.toml` to include the release.
 
 ### Updating the CUDA package set {#updating-the-cuda-package-set}
 
@@ -140,7 +107,7 @@ All new projects should use the CUDA redistributables available in [`cudaPackage
 
    - NOTE: Changing the default CUDA package set should occur in a separate PR, allowing time for additional testing.
 
-2. Successfully build the closure of the new package set, updating `pkgs/development/cuda-modules/cuda/overrides.nix` as needed. Below are some common failures:
+2. Successfully build the closure of the new package set, updating `pkgs/development/compilers/cudatoolkit/redist/overrides.nix` as needed. Below are some common failures:
 
 | Unable to ... | During ... | Reason | Solution | Note |
 | --- | --- | --- | --- | --- |
@@ -148,4 +115,4 @@ All new projects should use the CUDA redistributables available in [`cudaPackage
 | Find libraries | `configurePhase` | Missing dependency on a `dev` output | Add the missing dependency | The `dev` output typically contain CMake configuration files |
 | Find libraries | `buildPhase` or `patchelf` | Missing dependency on a `lib` or `static` output | Add the missing dependency | The `lib` or `static` output typically contain the libraries |
 
-In the scenario you are unable to run the resulting binary: this is arguably the most complicated as it could be any combination of the previous reasons. This type of failure typically occurs when a library attempts to load or open a library it depends on that it does not declare in its `DT_NEEDED` section. As a first step, ensure that dependencies are patched with [`autoAddDriverRunpath`](https://search.nixos.org/packages?channel=unstable&type=packages&query=autoAddDriverRunpath). Failing that, try running the application with [`nixGL`](https://github.com/guibou/nixGL) or a similar wrapper tool. If that works, it likely means that the application is attempting to load a library that is not in the `RPATH` or `RUNPATH` of the binary.
+In the scenario you are unable to run the resulting binary: this is arguably the most complicated as it could be any combination of the previous reasons. This type of failure typically occurs when a library attempts to load or open a library it depends on that it does not declare in its `DT_NEEDED` section. As a first step, ensure that dependencies are patched with [`cudaPackages.autoAddOpenGLRunpath`](https://search.nixos.org/packages?channel=unstable&type=packages&query=cudaPackages.autoAddOpenGLRunpath). Failing that, try running the application with [`nixGL`](https://github.com/guibou/nixGL) or a similar wrapper tool. If that works, it likely means that the application is attempting to load a library that is not in the `RPATH` or `RUNPATH` of the binary.

doc/languages-frameworks/cuelang.section.md

@@ -26,7 +26,7 @@ Cuelang schemas are similar to JSON, here is a quick cheatsheet:
 Nixpkgs provides a `pkgs.writeCueValidator` helper, which will write a validation script based on the provided Cuelang schema.
 
 Here is an example:
-```nix
+```
 pkgs.writeCueValidator
   (pkgs.writeText "schema.cue" ''
     #Def1: {
@@ -42,7 +42,7 @@ pkgs.writeCueValidator
 `document` : match your input data against this fragment of structure or definition, e.g. you may use the same schema file but different documents based on the data you are validating.
 
 Another example, given the following `validator.nix` :
-```nix
+```
 { pkgs ? import <nixpkgs> {} }:
 let
   genericValidator = version:

doc/languages-frameworks/dart.section.md

@@ -4,33 +4,22 @@
 
 The function `buildDartApplication` builds Dart applications managed with pub.
 
-It fetches its Dart dependencies automatically through `pub2nix`, and (through a series of hooks) builds and installs the executables specified in the pubspec file. The hooks can be used in other derivations, if needed. The phases can also be overridden to do something different from installing binaries.
+It fetches its Dart dependencies automatically through `fetchDartDeps`, and (through a series of hooks) builds and installs the executables specified in the pubspec file. The hooks can be used in other derivations, if needed. The phases can also be overridden to do something different from installing binaries.
 
 If you are packaging a Flutter desktop application, use [`buildFlutterApplication`](#ssec-dart-flutter) instead.
 
-`pubspecLock` is the parsed pubspec.lock file. pub2nix uses this to download required packages.
-This can be converted to JSON from YAML with something like `yq . pubspec.lock`, and then read by Nix.
+`vendorHash`: is the hash of the output of the dependency fetcher derivation. To obtain it, set it to `lib.fakeHash` (or omit it) and run the build ([more details here](#sec-source-hashes)).
 
-Alternatively, `autoPubspecLock` can be used instead, and set to a path to a regular `pubspec.lock` file. This relies on import-from-derivation, and is not permitted in Nixpkgs, but can be useful at other times.
+If the upstream source is missing a `pubspec.lock` file, you'll have to vendor one and specify it using `pubspecLockFile`. If it is needed, one will be generated for you and printed when attempting to build the derivation.
 
-::: {.warning}
-When using `autoPubspecLock` with a local source directory, make sure to use a
-concatenation operator (e.g. `autoPubspecLock = src + "/pubspec.lock";`), and
-not string interpolation.
-
-String interpolation will copy your entire source directory to the Nix store and
-use its store path, meaning that unrelated changes to your source tree will
-cause the generated `pubspec.lock` derivation to rebuild!
-:::
-
-If the package has Git package dependencies, the hashes must be provided in the `gitHashes` set. If a hash is missing, an error message prompting you to add it will be shown.
+The `depsListFile` must always be provided when packaging in Nixpkgs. It will be generated and printed if the derivation is attempted to be built without one. Alternatively, `autoDepsList` may be set to `true` only when outside of Nixpkgs, as it relies on import-from-derivation.
 
 The `dart` commands run can be overridden through `pubGetScript` and `dartCompileCommand`, you can also add flags using `dartCompileFlags` or `dartJitFlags`.
 
 Dart supports multiple [outputs types](https://dart.dev/tools/dart-compile#types-of-output), you can choose between them using `dartOutputType` (defaults to `exe`). If you want to override the binaries path or the source path they come from, you can use `dartEntryPoints`. Outputs that require a runtime will automatically be wrapped with the relevant runtime (`dartaotruntime` for `aot-snapshot`, `dart run` for `jit-snapshot` and `kernel`, `node` for `js`), this can be overridden through `dartRuntimeCommand`.
 
 ```nix
-{ lib, buildDartApplication, fetchFromGitHub }:
+{ buildDartApplication, fetchFromGitHub }:
 
 buildDartApplication rec {
   pname = "dart-sass";
@@ -43,96 +32,35 @@ buildDartApplication rec {
     hash = "sha256-U6enz8yJcc4Wf8m54eYIAnVg/jsGi247Wy8lp1r1wg4=";
   };
 
-  pubspecLock = lib.importJSON ./pubspec.lock.json;
+  pubspecLockFile = ./pubspec.lock;
+  depsListFile = ./deps.json;
+  vendorHash = "sha256-Atm7zfnDambN/BmmUf4BG0yUz/y6xWzf0reDw3Ad41s=";
 }
 ```
 
-### Patching dependencies {#ssec-dart-applications-patching-dependencies}
-
-Some Dart packages require patches or build environment changes. Package derivations can be customised with the `customSourceBuilders` argument.
-
-A collection of such customisations can be found in Nixpkgs, in the `development/compilers/dart/package-source-builders` directory.
-
-This allows fixes for packages to be shared between all applications that use them. It is strongly recommended to add to this collection instead of including fixes in your application derivation itself.
-
-### Running executables from dev_dependencies {#ssec-dart-applications-build-tools}
-
-Many Dart applications require executables from the `dev_dependencies` section in `pubspec.yaml` to be run before building them.
-
-This can be done in `preBuild`, in one of two ways:
-
-1. Packaging the tool with `buildDartApplication`, adding it to Nixpkgs, and running it like any other application
-2. Running the tool from the package cache
-
-Of these methods, the first is recommended when using a tool that does not need
-to be of a specific version.
-
-For the second method, the `packageRun` function from the `dartConfigHook` can be used.
-This is an alternative to `dart run` that does not rely on Pub.
-
-e.g., for `build_runner`:
-
-```bash
-packageRun build_runner build
-```
-
-Do _not_ use `dart run <package_name>`, as this will attempt to download dependencies with Pub.
-
-### Usage with nix-shell {#ssec-dart-applications-nix-shell}
-
-#### Using dependencies from the Nix store {#ssec-dart-applications-nix-shell-deps}
-
-As `buildDartApplication` provides dependencies instead of `pub get`, Dart needs to be explicitly told where to find them.
-
-Run the following commands in the source directory to configure Dart appropriately.
-Do not use `pub` after doing so; it will download the dependencies itself and overwrite these changes.
-
-```bash
-cp --no-preserve=all "$pubspecLockFilePath" pubspec.lock
-mkdir -p .dart_tool && cp --no-preserve=all "$packageConfig" .dart_tool/package_config.json
-```
-
 ## Flutter applications {#ssec-dart-flutter}
 
 The function `buildFlutterApplication` builds Flutter applications.
 
 See the [Dart documentation](#ssec-dart-applications) for more details on required files and arguments.
 
-`flutter` in Nixpkgs always points to `flutterPackages.stable`, which is the latest packaged version. To avoid unforeseen breakage during upgrade, packages in Nixpkgs should use a specific flutter version, such as `flutter319` and `flutter322`, instead of using `flutter` directly.
-
 ```nix
-{  flutter322, fetchFromGitHub }:
+{  flutter, fetchFromGitHub }:
 
-flutter322.buildFlutterApplication {
+flutter.buildFlutterApplication {
   pname = "firmware-updater";
-  version = "0-unstable-2023-04-30";
-
-  # To build for the Web, use the targetFlutterPlatform argument.
-  # targetFlutterPlatform = "web";
+  version = "unstable-2023-04-30";
 
   src = fetchFromGitHub {
     owner = "canonical";
     repo = "firmware-updater";
     rev = "6e7dbdb64e344633ea62874b54ff3990bd3b8440";
-    hash = "sha256-s5mwtr5MSPqLMN+k851+pFIFFPa0N1hqz97ys050tFA=";
+    sha256 = "sha256-s5mwtr5MSPqLMN+k851+pFIFFPa0N1hqz97ys050tFA=";
     fetchSubmodules = true;
   };
 
-  pubspecLock = lib.importJSON ./pubspec.lock.json;
+  pubspecLockFile = ./pubspec.lock;
+  depsListFile = ./deps.json;
+  vendorHash = "sha256-cdMO+tr6kYiN5xKXa+uTMAcFf2C75F3wVPrn21G4QPQ=";
 }
 ```
-
-### Usage with nix-shell {#ssec-dart-flutter-nix-shell}
-
-Flutter-specific `nix-shell` usage notes are included here. See the [Dart documentation](#ssec-dart-applications-nix-shell) for general `nix-shell` instructions.
-
-#### Entering the shell {#ssec-dart-flutter-nix-shell-enter}
-
-By default, dependencies for only the `targetFlutterPlatform` are available in the
-build environment. This is useful for keeping closures small, but be problematic
-during development. It's common, for example, to build Web apps for Linux during
-development to take advantage of native features such as stateful hot reload.
-
-To enter a shell with all the usual target platforms available, use the `multiShell` attribute.
-
-e.g. `nix-shell '<nixpkgs>' -A fluffychat-web.multiShell`.

doc/languages-frameworks/dhall.section.md

@@ -187,7 +187,6 @@ wish to specify `source = true` for all Dhall packages, then you can amend the
 Dhall overlay like this:
 
 ```nix
-{
   dhallOverrides = self: super: {
     # Enable source for all Dhall packages
     buildDhallPackage =
@@ -195,7 +194,6 @@ Dhall overlay like this:
 
     true = self.callPackage ./true.nix { };
   };
-}
 ```
 
 … and now the Prelude will contain the fully decoded result of interpreting
@@ -431,26 +429,22 @@ $ dhall-to-nixpkgs github https://github.com/dhall-lang/dhall-lang.git \
 the Prelude globally for all packages, like this:
 
 ```nix
-{
   dhallOverrides = self: super: {
     true = self.callPackage ./true.nix { };
 
     Prelude = self.callPackage ./Prelude.nix { };
   };
-}
 ```
 
 … or selectively overriding the Prelude dependency for just the `true` package,
 like this:
 
 ```nix
-{
   dhallOverrides = self: super: {
     true = self.callPackage ./true.nix {
       Prelude = self.callPackage ./Prelude.nix { };
     };
   };
-}
 ```
 
 ## Overrides {#ssec-dhall-overrides}
@@ -460,13 +454,11 @@ You can override any of the arguments to `buildDhallGitHubPackage` or
 For example, suppose we wanted to selectively enable `source = true` just for the Prelude.  We can do that like this:
 
 ```nix
-{
   dhallOverrides = self: super: {
     Prelude = super.Prelude.overridePackage { source = true; };
 
-    # ...
+    …
   };
-}
 ```
 
 [semantic-integrity-checks]: https://docs.dhall-lang.org/tutorials/Language-Tour.html#installing-packages

doc/languages-frameworks/dlang.section.md

@@ -1,69 +0,0 @@
-# D (Dlang) {#dlang}
-
-Nixpkgs provides multiple D compilers such as `ldc`, `dmd` and `gdc`.
-These can be used like any other package during build time.
-
-However, Nixpkgs provides a build helper for compiling packages using the `dub` package manager.
-
-Here's an example:
-```nix
-{
-  lib,
-  buildDubPackage,
-  fetchFromGitHub,
-  ncurses,
-  zlib,
-}:
-
-buildDubPackage rec {
-  pname = "btdu";
-  version = "0.5.1";
-
-  src = fetchFromGitHub {
-    owner = "CyberShadow";
-    repo = "btdu";
-    rev = "v${version}";
-    hash = "sha256-3sSZq+5UJH02IO0Y1yL3BLHDb4lk8k6awb5ZysBQciE=";
-  };
-
-  # generated by dub-to-nix, see below
-  dubLock = ./dub-lock.json;
-
-  buildInputs = [
-    ncurses
-    zlib
-  ];
-
-  installPhase = ''
-    runHook preInstall
-    install -Dm755 btdu -t $out/bin
-    runHook postInstall
-  '';
-}
-```
-
-Note that you need to define `installPhase` because `dub` doesn't know where files should go in `$out`.
-
-Also note that running `dub test` is disabled by default. You can enable it by setting `doCheck = true`.
-
-## Lockfiles {#dub-lockfiles}
-Nixpkgs has its own lockfile format for `dub` dependencies, because `dub`'s official "lockfile" format (`dub.selections.json`) is not hash based.
-
-A lockfile can be generated using the `dub-to-nix` helper package.
-* Firstly, install `dub-to-nix` into your shell session by running `nix-shell -p dub-to-nix`
-* Then navigate to the root of the source of the program you want to package
-* Finally, run `dub-to-nix` and it will print the lockfile to stdout. You could pipe stdout into a text file or just copy the output manually into a file.
-
-## `buildDubPackage` parameters {#builddubpackage-parameters}
-
-The `buildDubPackage` function takes an attrset of parameters that are passed on to `stdenv.mkDerivation`.
-
-The following parameters are specific to `buildDubPackage`:
-
-* `dubLock`: A lockfile generated by `dub-to-nix` from the source of the package. Can be either a path to the file, or an attrset already parsed with `lib.importJSON`.
-  The latter useful if the package uses `dub` dependencies not already in the lockfile. (e.g. if the package calls `dub run some-dub-package` manually)
-* `dubBuildType ? "release"`: The build type to pass to `dub build` as a value for the `--build=` flag.
-* `dubFlags ? []`: The flags to pass to `dub build` and `dub test`.
-* `dubBuildFlags ? []`: The flags to pass to `dub build`.
-* `dubTestFlags ? []`: The flags to pass to `dub test`.
-* `compiler ? ldc`: The D compiler to be used by `dub`.

doc/languages-frameworks/dotnet.section.md

@@ -93,11 +93,7 @@ The `dotnetCorePackages.sdk` contains both a runtime and the full sdk of a given
 To package Dotnet applications, you can use `buildDotnetModule`. This has similar arguments to `stdenv.mkDerivation`, with the following additions:
 
 * `projectFile` is used for specifying the dotnet project file, relative to the source root. These have `.sln` (entire solution) or `.csproj` (single project) file extensions. This can be a list of multiple projects as well. When omitted, will attempt to find and build the solution (`.sln`). If running into problems, make sure to set it to a file (or a list of files) with the `.csproj` extension - building applications as entire solutions is not fully supported by the .NET CLI.
-* `nugetDeps` takes either a path to a `deps.nix` file, or a derivation. The `deps.nix` file can be generated using the script attached to `passthru.fetch-deps`. If the argument is a derivation, it will be used directly and assume it has the same output as `mkNugetDeps`.
-::: {.note}
-For more detail about managing the `deps.nix` file, see [Generating and updating NuGet dependencies](#generating-and-updating-nuget-dependencies)
-:::
-
+* `nugetDeps` takes either a path to a `deps.nix` file, or a derivation. The `deps.nix` file can be generated using the script attached to `passthru.fetch-deps`. This file can also be generated manually using `nuget-to-nix` tool, which is available in nixpkgs. If the argument is a derivation, it will be used directly and assume it has the same output as `mkNugetDeps`.
 * `packNupkg` is used to pack project as a `nupkg`, and installs it to `$out/share`. If set to `true`, the derivation can be used as a dependency for another dotnet project by adding it to `projectReferences`.
 * `projectReferences` can be used to resolve `ProjectReference` project items. Referenced projects can be packed with `buildDotnetModule` by setting the `packNupkg = true` attribute and passing a list of derivations to `projectReferences`. Since we are sharing referenced projects as NuGets they must be added to csproj/fsproj files as `PackageReference` as well.
  For example, your project has a local dependency:
@@ -117,6 +113,7 @@ For more detail about managing the `deps.nix` file, see [Generating and updating
 * `useDotnetFromEnv` will change the binary wrapper so that it uses the .NET from the environment. The runtime specified by `dotnet-runtime` is given as a fallback in case no .NET is installed in the user's environment. This is most useful for .NET global tools and LSP servers, which often extend the .NET CLI and their runtime should match the users' .NET runtime.
 * `dotnet-sdk` is useful in cases where you need to change what dotnet SDK is being used. You can also set this to the result of `dotnetSdkPackages.combinePackages`, if the project uses multiple SDKs to build.
 * `dotnet-runtime` is useful in cases where you need to change what dotnet runtime is being used. This can be either a regular dotnet runtime, or an aspnetcore.
+* `dotnet-test-sdk` is useful in cases where unit tests expect a different dotnet SDK. By default, this is set to the `dotnet-sdk` attribute.
 * `testProjectFile` is useful in cases where the regular project file does not contain the unit tests. It gets restored and build, but not installed. You may need to regenerate your nuget lockfile after setting this. Note that if set, only tests from this project are executed.
 * `disabledTests` is used to disable running specific unit tests. This gets passed as: `dotnet test --filter "FullyQualifiedName!={}"`, to ensure compatibility with all unit test frameworks.
 * `dotnetRestoreFlags` can be used to pass flags to `dotnet restore`.
@@ -133,7 +130,7 @@ Here is an example `default.nix`, using some of the previously discussed argumen
 { lib, buildDotnetModule, dotnetCorePackages, ffmpeg }:
 
 let
-  referencedProject = import ../../bar { /* ... */ };
+  referencedProject = import ../../bar { ... };
 in buildDotnetModule rec {
   pname = "someDotnetApplication";
   version = "0.1";
@@ -141,11 +138,13 @@ in buildDotnetModule rec {
   src = ./.;
 
   projectFile = "src/project.sln";
-  nugetDeps = ./deps.nix; # see "Generating and updating NuGet dependencies" section for details
+  # File generated with `nix-build -A package.passthru.fetch-deps`.
+  # To run fetch-deps when this file does not yet exist, set nugetDeps to null
+  nugetDeps = ./deps.nix;
 
   projectReferences = [ referencedProject ]; # `referencedProject` must contain `nupkg` in the folder structure.
 
-  dotnet-sdk = dotnetCorePackages.sdk_6_0;
+  dotnet-sdk = dotnetCorePackages.sdk_6.0;
   dotnet-runtime = dotnetCorePackages.runtime_6_0;
 
   executables = [ "foo" ]; # This wraps "$out/lib/$pname/foo" to `$out/bin/foo`.
@@ -157,8 +156,6 @@ in buildDotnetModule rec {
 }
 ```
 
-Keep in mind that you can tag the [`@NixOS/dotnet`](https://github.com/orgs/nixos/teams/dotnet) team for help and code review.
-
 ## Dotnet global tools {#dotnet-global-tools}
 
 [.NET Global tools](https://learn.microsoft.com/en-us/dotnet/core/tools/global-tools) are a mechanism provided by the dotnet CLI to install .NET binaries from Nuget packages.
@@ -194,7 +191,7 @@ This helper has the same arguments as `buildDotnetModule`, with a few difference
 
 * `pname` and `version` are required, and will be used to find the NuGet package of the tool
 * `nugetName` can be used to override the NuGet package name that will be downloaded, if it's different from `pname`
-* `nugetHash` is the hash of the fetched NuGet package. `nugetSha256` is also supported, but not recommended. Set this to `lib.fakeHash` for the first build, and it will error out, giving you the proper hash. Also remember to update it during version updates (it will not error out if you just change the version while having a fetched package in `/nix/store`)
+* `nugetSha256` is the hash of the fetched NuGet package. Set this to `lib.fakeHash256` for the first build, and it will error out, giving you the proper hash. Also remember to update it during version updates (it will not error out if you just change the version while having a fetched package in `/nix/store`)
 * `dotnet-runtime` is set to `dotnet-sdk` by default. When changing this, remember that .NET tools fetched from NuGet require an SDK.
 
 Here is an example of packaging `pbm`, an unfree binary without source available:
@@ -205,58 +202,15 @@ buildDotnetGlobalTool {
   pname = "pbm";
   version = "1.3.1";
 
-  nugetHash = "sha256-ZG2HFyKYhVNVYd2kRlkbAjZJq88OADe3yjxmLuxXDUo=";
+  nugetSha256 = "sha256-ZG2HFyKYhVNVYd2kRlkbAjZJq88OADe3yjxmLuxXDUo=";
 
-  meta = {
+  meta = with lib; {
     homepage = "https://cmd.petabridge.com/index.html";
     changelog = "https://cmd.petabridge.com/articles/RELEASE_NOTES.html";
-    license = lib.licenses.unfree;
-    platforms = lib.platforms.linux;
+    license = licenses.unfree;
+    platforms = platforms.linux;
   };
 }
 ```
-## Generating and updating NuGet dependencies {#generating-and-updating-nuget-dependencies}
 
-When writing a new expression, you can use the generated `fetch-deps` script to initialise the lockfile.
-After creating a blank `deps.nix` and pointing `nugetDeps` to it,
-build the script with `nix-build -A package.fetch-deps` and then run the result.
-(When the root attr is your package, it's simply `nix-build -A fetch-deps`.)
-
-There is also a manual method:
-First, restore the packages to the `out` directory, ensure you have cloned
-the upstream repository and you are inside it.
-
-```bash
-$ dotnet restore --packages out
-  Determining projects to restore...
-  Restored /home/lychee/Celeste64/Celeste64.csproj (in 1.21 sec).
-```
-
-Next, use `nuget-to-nix` tool provided in nixpkgs to generate a lockfile to `deps.nix` from
-the packages inside the `out` directory.
-
-```bash
-$ nuget-to-nix out > deps.nix
-```
-Which `nuget-to-nix` will generate an output similar to below
-```nix
-{ fetchNuGet }: [
-  (fetchNuGet { pname = "FosterFramework"; version = "0.1.15-alpha"; hash = "sha256-lM6eYgOGjl1fx6WFD7rnRi/YAQieM0mx60h0p5dr+l8="; })
-  (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-x64"; version = "8.0.1"; hash = "sha256-QbUQXjCzr8j8u/5X0af9jE++EugdoxMhT08F49MZX74="; })
-  (fetchNuGet { pname = "Microsoft.NET.ILLink.Tasks"; version = "8.0.1"; hash = "sha256-SopZpGaZ48/8dpUwDFDM3ix+g1rP4Yqs1PGuzRp+K7c="; })
-  (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-x64"; version = "8.0.1"; hash = "sha256-jajBI5GqG2IIcsIMgxTHfXbMapoXrZGl/EEhShwYq7w="; })
-  (fetchNuGet { pname = "SharpGLTF.Core"; version = "1.0.0-alpha0031"; hash = "sha256-Bs4baD5wNIH6wAbGK4Xaem0i3luQkOQs37izBWdFx1I="; })
-  (fetchNuGet { pname = "SharpGLTF.Runtime"; version = "1.0.0-alpha0031"; hash = "sha256-TwJO6b8ubmwBQh6NyHha8+JT5zHDJ4dROBbsEbUaa1M="; })
-  (fetchNuGet { pname = "Sledge.Formats"; version = "1.2.2"; hash = "sha256-0Ddhuwpu3wwIzA4NuPaEVdMkx6tUukh8uKD6nKoxFPg="; })
-  (fetchNuGet { pname = "Sledge.Formats.Map"; version = "1.1.5"; hash = "sha256-hkYJ2iWIz7vhPWlDOw2fvTenlh+4/D/37Z71tCEwnK8="; })
-  (fetchNuGet { pname = "System.Numerics.Vectors"; version = "4.5.0"; hash = "sha256-qdSTIFgf2htPS+YhLGjAGiLN8igCYJnCCo6r78+Q+c8="; })
-]
-```
-
-Finally, you move the `deps.nix` file to the appropriate location to be used by `nugetDeps`, then you're all set!
-
-If you ever need to update the dependencies of a package, you instead do
-
-* `nix-build -A package.fetch-deps` to generate the update script for `package`
-* Run `./result` to regenerate the lockfile to the path passed for `nugetDeps` (keep in mind if it can't be resolved to a local path, the script will write to `$1` or a temporary path instead)
-* Finally, ensure the correct file was written and the derivation can be built.
+When packaging a new .NET application in nixpkgs, you can tag the [`@NixOS/dotnet`](https://github.com/orgs/nixos/teams/dotnet) team for help and code review.

doc/languages-frameworks/emscripten.section.md

@@ -86,9 +86,9 @@ One advantage is that when `pkgs.zlib` is updated, it will automatically update
 
   postPatch = pkgs.lib.optionalString pkgs.stdenv.isDarwin ''
     substituteInPlace configure \
-      --replace-fail '/usr/bin/libtool' 'ar' \
-      --replace-fail 'AR="libtool"' 'AR="ar"' \
-      --replace-fail 'ARFLAGS="-o"' 'ARFLAGS="-r"'
+      --replace '/usr/bin/libtool' 'ar' \
+      --replace 'AR="libtool"' 'AR="ar"' \
+      --replace 'ARFLAGS="-o"' 'ARFLAGS="-r"'
   '';
 })
 ```

doc/languages-frameworks/gnome.section.md

@@ -8,7 +8,7 @@ Programs in the GNOME universe are written in various languages but they all use
 
 [GSettings](https://developer.gnome.org/gio/stable/GSettings.html) API is often used for storing settings. GSettings schemas are required, to know the type and other metadata of the stored values. GLib looks for `glib-2.0/schemas/gschemas.compiled` files inside the directories of `XDG_DATA_DIRS`.
 
-On Linux, GSettings API is implemented using [dconf](https://gitlab.gnome.org/GNOME/dconf) backend. You will need to add `dconf` [GIO module](#ssec-gnome-gio-modules) to `GIO_EXTRA_MODULES` variable, otherwise the `memory` backend will be used and the saved settings will not be persistent.
+On Linux, GSettings API is implemented using [dconf](https://wiki.gnome.org/Projects/dconf) backend. You will need to add `dconf` [GIO module](#ssec-gnome-gio-modules) to `GIO_EXTRA_MODULES` variable, otherwise the `memory` backend will be used and the saved settings will not be persistent.
 
 Last you will need the dconf database D-Bus service itself. You can enable it using `programs.dconf.enable`.
 
@@ -47,7 +47,6 @@ When an application uses icons, an icon theme should be available in `XDG_DATA_D
 In the rare case you need to use icons from dependencies (e.g. when an app forces an icon theme), you can use the following to pick them up:
 
 ```nix
-{
   buildInputs = [
     pantheon.elementary-icon-theme
   ];
@@ -57,7 +56,6 @@ In the rare case you need to use icons from dependencies (e.g. when an app force
       --prefix XDG_DATA_DIRS : "$XDG_ICON_DIRS"
     )
   '';
-}
 ```
 
 To avoid costly file system access when locating icons, GTK, [as well as Qt](https://woboq.com/blog/qicon-reads-gtk-icon-cache-in-qt57.html), can rely on `icon-theme.cache` files from the themes' top-level directories. These files are generated using `gtk-update-icon-cache`, which is expected to be run whenever an icon is added or removed to an icon theme (typically an application icon into `hicolor` theme) and some programs do indeed run this after icon installation. However, since packages are installed into their own prefix by Nix, this would lead to conflicts. For that reason, `gtk3` provides a [setup hook](#ssec-gnome-hooks-gtk-drop-icon-theme-cache) that will clean the file from installation. Since most applications only ship their own icon that will be loaded on start-up, it should not affect them too much. On the other hand, icon themes are much larger and more widely used so we need to cache them. Because we recommend installing icon themes globally, we will generate the cache files from all packages in a profile using a NixOS module. You can enable the cache generation using `gtk.iconCache.enable` option if your desktop environment does not already do that.
@@ -76,88 +74,80 @@ Previously, a GTK theme needed to be in `XDG_DATA_DIRS`. This is no longer neces
 
 ### GObject introspection typelibs {#ssec-gnome-typelibs}
 
-[GObject introspection](https://gitlab.gnome.org/GNOME/gobject-introspection) allows applications to use C libraries in other languages easily. It does this through `typelib` files searched in `GI_TYPELIB_PATH`.
+[GObject introspection](https://wiki.gnome.org/Projects/GObjectIntrospection) allows applications to use C libraries in other languages easily. It does this through `typelib` files searched in `GI_TYPELIB_PATH`.
 
 ### Various plug-ins {#ssec-gnome-plugins}
 
-If your application uses [GStreamer](https://gstreamer.freedesktop.org/) or [Grilo](https://gitlab.gnome.org/GNOME/grilo), you should set `GST_PLUGIN_SYSTEM_PATH_1_0` and `GRL_PLUGIN_PATH`, respectively.
+If your application uses [GStreamer](https://gstreamer.freedesktop.org/) or [Grilo](https://wiki.gnome.org/Projects/Grilo), you should set `GST_PLUGIN_SYSTEM_PATH_1_0` and `GRL_PLUGIN_PATH`, respectively.
 
-## Onto `wrapGApps*` hooks {#ssec-gnome-hooks}
+## Onto `wrapGAppsHook` {#ssec-gnome-hooks}
 
 Given the requirements above, the package expression would become messy quickly:
 
 ```nix
-{
-  preFixup = ''
-    for f in $(find $out/bin/ $out/libexec/ -type f -executable); do
-      wrapProgram "$f" \
-        --prefix GIO_EXTRA_MODULES : "${getLib dconf}/lib/gio/modules" \
-        --prefix XDG_DATA_DIRS : "$out/share" \
-        --prefix XDG_DATA_DIRS : "$out/share/gsettings-schemas/${name}" \
-        --prefix XDG_DATA_DIRS : "${gsettings-desktop-schemas}/share/gsettings-schemas/${gsettings-desktop-schemas.name}" \
-        --prefix XDG_DATA_DIRS : "${hicolor-icon-theme}/share" \
-        --prefix GI_TYPELIB_PATH : "${lib.makeSearchPath "lib/girepository-1.0" [ pango json-glib ]}"
-    done
-  '';
-}
+preFixup = ''
+  for f in $(find $out/bin/ $out/libexec/ -type f -executable); do
+    wrapProgram "$f" \
+      --prefix GIO_EXTRA_MODULES : "${getLib dconf}/lib/gio/modules" \
+      --prefix XDG_DATA_DIRS : "$out/share" \
+      --prefix XDG_DATA_DIRS : "$out/share/gsettings-schemas/${name}" \
+      --prefix XDG_DATA_DIRS : "${gsettings-desktop-schemas}/share/gsettings-schemas/${gsettings-desktop-schemas.name}" \
+      --prefix XDG_DATA_DIRS : "${hicolor-icon-theme}/share" \
+      --prefix GI_TYPELIB_PATH : "${lib.makeSearchPath "lib/girepository-1.0" [ pango json-glib ]}"
+  done
+'';
 ```
 
-Fortunately, we have a [family of hooks]{#ssec-gnome-hooks-wrapgappshook} that automate this. They work in conjunction with other setup hooks that populate environment variables, and will then wrap all executables in `bin` and `libexec` directories using said variables.
+Fortunately, there is [`wrapGAppsHook`]{#ssec-gnome-hooks-wrapgappshook}. It works in conjunction with other setup hooks that populate environment variables, and it will then wrap all executables in `bin` and `libexec` directories using said variables.
 
-- [`wrapGAppsHook3`]{#ssec-gnome-hooks-wrapgappshook3} for GTK 3 apps. For convenience, it also adds `dconf.lib` for a GIO module implementing a GSettings backend using `dconf`, `gtk3` for GSettings schemas, and `librsvg` for GdkPixbuf loader to the closure.
-- [`wrapGAppsHook4`]{#ssec-gnome-hooks-wrapgappshook4} for GTK 4 apps. Same as `wrapGAppsHook3` but replaces `gtk3` with `gtk4`.
-- [`wrapGAppsNoGuiHook`]{#ssec-gnome-hooks-wrapgappsnoguihook} for programs without a graphical interface. Same as the above but does not bring `gtk3` and `librsvg` into the closure.
+For convenience, it also adds `dconf.lib` for a GIO module implementing a GSettings backend using `dconf`, `gtk3` for GSettings schemas, and `librsvg` for GdkPixbuf loader to the closure. There is also [`wrapGAppsHook4`]{#ssec-gnome-hooks-wrapgappshook4}, which replaces GTK 3 with GTK 4. And in case you are packaging a program without a graphical interface, you might want to use [`wrapGAppsNoGuiHook`]{#ssec-gnome-hooks-wrapgappsnoguihook}, which runs the same script as `wrapGAppsHook` but does not bring `gtk3` and `librsvg` into the closure.
 
-The hooks do the the following:
+- `wrapGAppsHook` itself will add the package’s `share` directory to `XDG_DATA_DIRS`.
 
-- `wrapGApps*` hook itself will add the package’s `share` directory to `XDG_DATA_DIRS`.
+- []{#ssec-gnome-hooks-glib} `glib` setup hook will populate `GSETTINGS_SCHEMAS_PATH` and then `wrapGAppsHook` will prepend it to `XDG_DATA_DIRS`.
 
-- []{#ssec-gnome-hooks-glib} `glib` setup hook will populate `GSETTINGS_SCHEMAS_PATH` and then `wrapGApps*` hook will prepend it to `XDG_DATA_DIRS`.
-
-- []{#ssec-gnome-hooks-gdk-pixbuf} `gdk-pixbuf` setup hook will populate `GDK_PIXBUF_MODULE_FILE` with the path to biggest `loaders.cache` file from the dependencies containing [GdkPixbuf loaders](#ssec-gnome-gdk-pixbuf-loaders). This works fine when there are only two packages containing loaders (`gdk-pixbuf` and e.g. `librsvg`) – it will choose the second one, reasonably expecting that it will be bigger since it describes extra loader in addition to the default ones. But when there are more than two loader packages, this logic will break. One possible solution would be constructing a custom cache file for each package containing a program like `services/x11/gdk-pixbuf.nix` NixOS module does. `wrapGApps*` hook copies the `GDK_PIXBUF_MODULE_FILE` environment variable into the produced wrapper.
+- []{#ssec-gnome-hooks-gdk-pixbuf} `gdk-pixbuf` setup hook will populate `GDK_PIXBUF_MODULE_FILE` with the path to biggest `loaders.cache` file from the dependencies containing [GdkPixbuf loaders](#ssec-gnome-gdk-pixbuf-loaders). This works fine when there are only two packages containing loaders (`gdk-pixbuf` and e.g. `librsvg`) – it will choose the second one, reasonably expecting that it will be bigger since it describes extra loader in addition to the default ones. But when there are more than two loader packages, this logic will break. One possible solution would be constructing a custom cache file for each package containing a program like `services/x11/gdk-pixbuf.nix` NixOS module does. `wrapGAppsHook` copies the `GDK_PIXBUF_MODULE_FILE` environment variable into the produced wrapper.
 
 - []{#ssec-gnome-hooks-gtk-drop-icon-theme-cache} One of `gtk3`’s setup hooks will remove `icon-theme.cache` files from package’s icon theme directories to avoid conflicts. Icon theme packages should prevent this with `dontDropIconThemeCache = true;`.
 
-- []{#ssec-gnome-hooks-dconf} `dconf.lib` is a dependency of `wrapGApps*` hook, which then also adds it to the `GIO_EXTRA_MODULES` variable.
+- []{#ssec-gnome-hooks-dconf} `dconf.lib` is a dependency of `wrapGAppsHook`, which then also adds it to the `GIO_EXTRA_MODULES` variable.
 
 - []{#ssec-gnome-hooks-hicolor-icon-theme} `hicolor-icon-theme`’s setup hook will add icon themes to `XDG_ICON_DIRS`.
 
-- []{#ssec-gnome-hooks-gobject-introspection} `gobject-introspection` setup hook populates `GI_TYPELIB_PATH` variable with `lib/girepository-1.0` directories of dependencies, which is then added to wrapper by `wrapGApps*` hook. It also adds `share` directories of dependencies to `XDG_DATA_DIRS`, which is intended to promote GIR files but it also [pollutes the closures](https://github.com/NixOS/nixpkgs/issues/32790) of packages using `wrapGApps*` hook.
+- []{#ssec-gnome-hooks-gobject-introspection} `gobject-introspection` setup hook populates `GI_TYPELIB_PATH` variable with `lib/girepository-1.0` directories of dependencies, which is then added to wrapper by `wrapGAppsHook`. It also adds `share` directories of dependencies to `XDG_DATA_DIRS`, which is intended to promote GIR files but it also [pollutes the closures](https://github.com/NixOS/nixpkgs/issues/32790) of packages using `wrapGAppsHook`.
 
-- []{#ssec-gnome-hooks-gst-grl-plugins} Setup hooks of `gst_all_1.gstreamer` and `grilo` will populate the `GST_PLUGIN_SYSTEM_PATH_1_0` and `GRL_PLUGIN_PATH` variables, respectively, which will then be added to the wrapper by `wrapGApps*` hook.
+- []{#ssec-gnome-hooks-gst-grl-plugins} Setup hooks of `gst_all_1.gstreamer` and `grilo` will populate the `GST_PLUGIN_SYSTEM_PATH_1_0` and `GRL_PLUGIN_PATH` variables, respectively, which will then be added to the wrapper by `wrapGAppsHook`.
 
 You can also pass additional arguments to `makeWrapper` using `gappsWrapperArgs` in `preFixup` hook:
 
 ```nix
-{
-  preFixup = ''
-    gappsWrapperArgs+=(
-      # Thumbnailers
-      --prefix XDG_DATA_DIRS : "${gdk-pixbuf}/share"
-      --prefix XDG_DATA_DIRS : "${librsvg}/share"
-      --prefix XDG_DATA_DIRS : "${shared-mime-info}/share"
-    )
-  '';
-}
+preFixup = ''
+  gappsWrapperArgs+=(
+    # Thumbnailers
+    --prefix XDG_DATA_DIRS : "${gdk-pixbuf}/share"
+    --prefix XDG_DATA_DIRS : "${librsvg}/share"
+    --prefix XDG_DATA_DIRS : "${shared-mime-info}/share"
+  )
+'';
 ```
 
 ## Updating GNOME packages {#ssec-gnome-updating}
 
-Most GNOME package offer [`updateScript`](#var-passthru-updateScript), it is therefore possible to update to latest source tarball by running `nix-shell maintainers/scripts/update.nix --argstr package nautilus` or even en masse with `nix-shell maintainers/scripts/update.nix --argstr path gnome`. Read the package’s `NEWS` file to see what changed.
+Most GNOME package offer [`updateScript`](#var-passthru-updateScript), it is therefore possible to update to latest source tarball by running `nix-shell maintainers/scripts/update.nix --argstr package gnome.nautilus` or even en masse with `nix-shell maintainers/scripts/update.nix --argstr path gnome`. Read the package’s `NEWS` file to see what changed.
 
 ## Frequently encountered issues {#ssec-gnome-common-issues}
 
 ### `GLib-GIO-ERROR **: 06:04:50.903: No GSettings schemas are installed on the system` {#ssec-gnome-common-issues-no-schemas}
 
-There are no schemas available in `XDG_DATA_DIRS`. Temporarily add a random package containing schemas like `gsettings-desktop-schemas` to `buildInputs`. [`glib`](#ssec-gnome-hooks-glib) and [`wrapGApps*`](#ssec-gnome-hooks-wrapgappshook) setup hooks will take care of making the schemas available to application and you will see the actual missing schemas with the [next error](#ssec-gnome-common-issues-missing-schema). Or you can try looking through the source code for the actual schemas used.
+There are no schemas available in `XDG_DATA_DIRS`. Temporarily add a random package containing schemas like `gsettings-desktop-schemas` to `buildInputs`. [`glib`](#ssec-gnome-hooks-glib) and [`wrapGAppsHook`](#ssec-gnome-hooks-wrapgappshook) setup hooks will take care of making the schemas available to application and you will see the actual missing schemas with the [next error](#ssec-gnome-common-issues-missing-schema). Or you can try looking through the source code for the actual schemas used.
 
 ### `GLib-GIO-ERROR **: 06:04:50.903: Settings schema ‘org.gnome.foo’ is not installed` {#ssec-gnome-common-issues-missing-schema}
 
 Package is missing some GSettings schemas. You can find out the package containing the schema with `nix-locate org.gnome.foo.gschema.xml` and let the hooks handle the wrapping as [above](#ssec-gnome-common-issues-no-schemas).
 
-### When using `wrapGApps*` hook with special derivers you can end up with double wrapped binaries. {#ssec-gnome-common-issues-double-wrapped}
+### When using `wrapGAppsHook` with special derivers you can end up with double wrapped binaries. {#ssec-gnome-common-issues-double-wrapped}
 
-This is because derivers like `python.pkgs.buildPythonApplication` or `qt5.mkDerivation` have setup-hooks automatically added that produce wrappers with makeWrapper. The simplest way to workaround that is to disable the `wrapGApps*` hook automatic wrapping with `dontWrapGApps = true;` and pass the arguments it intended to pass to makeWrapper to another.
+This is because derivers like `python.pkgs.buildPythonApplication` or `qt5.mkDerivation` have setup-hooks automatically added that produce wrappers with makeWrapper. The simplest way to workaround that is to disable the `wrapGAppsHook` automatic wrapping with `dontWrapGApps = true;` and pass the arguments it intended to pass to makeWrapper to another.
 
 In the case of a Python application it could look like:
 
@@ -167,9 +157,9 @@ python3.pkgs.buildPythonApplication {
   version = "3.32.2";
 
   nativeBuildInputs = [
-    wrapGAppsHook3
+    wrapGAppsHook
     gobject-introspection
-    # ...
+    ...
   ];
 
   dontWrapGApps = true;
@@ -189,9 +179,9 @@ mkDerivation {
   version = "3.47.0";
 
   nativeBuildInputs = [
-    wrapGAppsHook3
+    wrapGAppsHook
     qmake
-    # ...
+    ...
   ];
 
   dontWrapGApps = true;

doc/languages-frameworks/go.section.md

@@ -1,63 +1,46 @@
 # Go {#sec-language-go}
 
-## Building Go modules with `buildGoModule` {#ssec-language-go}
+## Go modules {#ssec-language-go}
 
-The function `buildGoModule` builds Go programs managed with Go modules. It builds [Go Modules](https://go.dev/wiki/Modules) through a two phase build:
+The function `buildGoModule` builds Go programs managed with Go modules. It builds a [Go Modules](https://github.com/golang/go/wiki/Modules) through a two phase build:
 
-- An intermediate fetcher derivation called `goModules`. This derivation will be used to fetch all the dependencies of the Go module.
+- An intermediate fetcher derivation. This derivation will be used to fetch all of the dependencies of the Go module.
 - A final derivation will use the output of the intermediate derivation to build the binaries and produce the final output.
 
-### Attributes of `buildGoModule` {#buildgomodule-parameters}
-
-The `buildGoModule` function accepts the following parameters in addition to the [attributes accepted by both Go builders](#ssec-go-common-attributes):
-
-- `vendorHash`: is the hash of the output of the intermediate fetcher derivation (the dependencies of the Go modules).
-
-  `vendorHash` can be set to `null`.
-  In that case, rather than fetching the dependencies, the dependencies already vendored in the `vendor` directory of the source repo will be used.
-
-  To avoid updating this field when dependencies change, run `go mod vendor` in your source repo and set `vendorHash = null;`.
-  You can read more about [vendoring in the Go documentation](https://go.dev/ref/mod#vendoring).
-
-  To obtain the actual hash, set `vendorHash = lib.fakeHash;` and run the build ([more details here](#sec-source-hashes)).
-- `proxyVendor`: If `true`, the intermediate fetcher downloads dependencies from the
-  [Go module proxy](https://go.dev/ref/mod#module-proxy) (using `go mod download`) instead of vendoring them. The resulting
-  [module cache](https://go.dev/ref/mod#module-cache) is then passed to the final derivation.
-
-  This is useful if your code depends on C code and `go mod tidy` does not include the needed sources to build or
-  if any dependency has case-insensitive conflicts which will produce platform-dependent `vendorHash` checksums.
-
-  Defaults to `false`.
-- `modPostBuild`: Shell commands to run after the build of the goModules executes `go mod vendor`, and before calculating fixed output derivation's `vendorHash`.
-  Note that if you change this attribute, you need to update `vendorHash` attribute.
-- `modRoot`: The root directory of the Go module that contains the `go.mod` file.
-  Defaults to `./`, which is the root of `src`.
-
 ### Example for `buildGoModule` {#ex-buildGoModule}
 
-The following is an example expression using `buildGoModule`:
+In the following is an example expression using `buildGoModule`, the following arguments are of special significance to the function:
+
+- `vendorHash`: is the hash of the output of the intermediate fetcher derivation.
+
+  `vendorHash` can also be set to `null`.
+  In that case, rather than fetching the dependencies and vendoring them, the dependencies vendored in the source repo will be used.
+
+  To avoid updating this field when dependencies change, run `go mod vendor` in your source repo and set `vendorHash = null;`
+
+  To obtain the actual hash, set `vendorHash = lib.fakeHash;` and run the build ([more details here](#sec-source-hashes)).
+- `proxyVendor`: Fetches (go mod download) and proxies the vendor directory. This is useful if your code depends on c code and go mod tidy does not include the needed sources to build or if any dependency has case-insensitive conflicts which will produce platform-dependent `vendorHash` checksums.
+- `modPostBuild`: Shell commands to run after the build of the goModules executes `go mod vendor`, and before calculating fixed output derivation's `vendorHash`. Note that if you change this attribute, you need to update `vendorHash` attribute.
 
 ```nix
-{
-  pet = buildGoModule rec {
-    pname = "pet";
-    version = "0.3.4";
+pet = buildGoModule rec {
+  pname = "pet";
+  version = "0.3.4";
 
-    src = fetchFromGitHub {
-      owner = "knqyf263";
-      repo = "pet";
-      rev = "v${version}";
-      hash = "sha256-Gjw1dRrgM8D3G7v6WIM2+50r4HmTXvx0Xxme2fH9TlQ=";
-    };
+  src = fetchFromGitHub {
+    owner = "knqyf263";
+    repo = "pet";
+    rev = "v${version}";
+    hash = "sha256-Gjw1dRrgM8D3G7v6WIM2+50r4HmTXvx0Xxme2fH9TlQ=";
+  };
 
-    vendorHash = "sha256-ciBIR+a1oaYH+H1PcC8cD8ncfJczk1IiJ8iYNM+R6aA=";
+  vendorHash = "sha256-ciBIR+a1oaYH+H1PcC8cD8ncfJczk1IiJ8iYNM+R6aA=";
 
-    meta = {
-      description = "Simple command-line snippet manager, written in Go";
-      homepage = "https://github.com/knqyf263/pet";
-      license = lib.licenses.mit;
-      maintainers = with lib.maintainers; [ kalbasit ];
-    };
+  meta = with lib; {
+    description = "Simple command-line snippet manager, written in Go";
+    homepage = "https://github.com/knqyf263/pet";
+    license = licenses.mit;
+    maintainers = with maintainers; [ kalbasit ];
   };
 }
 ```
@@ -66,49 +49,28 @@ The following is an example expression using `buildGoModule`:
 
 The function `buildGoPackage` builds legacy Go programs, not supporting Go modules.
 
-::: {.warning}
-`buildGoPackage` is deprecated and will be removed for the 25.05 release.
-:::
-
-### Migrating from `buildGoPackage` to `buildGoModule` {#buildGoPackage-migration}
-
-Go modules, released 6y ago, are now widely adopted in the ecosystem.
-Most upstream projects are using Go modules, and the tooling previously used for dependency management in Go is mostly deprecated, archived or at least unmaintained at this point.
-
-In case a project doesn't have external dependencies or dependencies are vendored in a way understood by `go mod init`, migration can be done with a few changes in the package.
-
-- Switch the builder from `buildGoPackage` to `buildGoModule`
-- Remove `goPackagePath` and other attributes specific to `buildGoPackage`
-- Set `vendorHash = null;`
-- Run `go mod init <module name>` in `postPatch`
-
-In case the package has external dependencies that aren't vendored or the build setup is more complex the upstream source might need to be patched.
-Examples for the migration can be found in the [issue tracking migration withing nixpkgs](https://github.com/NixOS/nixpkgs/issues/318069).
-
 ### Example for `buildGoPackage` {#example-for-buildgopackage}
 
-In the following is an example expression using `buildGoPackage`, the following arguments are of special significance to the function:
+In the following is an example expression using buildGoPackage, the following arguments are of special significance to the function:
 
 - `goPackagePath` specifies the package's canonical Go import path.
 - `goDeps` is where the Go dependencies of a Go program are listed as a list of package source identified by Go import path. It could be imported as a separate `deps.nix` file for readability. The dependency data structure is described below.
 
 ```nix
-{
-  deis = buildGoPackage rec {
-    pname = "deis";
-    version = "1.13.0";
+deis = buildGoPackage rec {
+  pname = "deis";
+  version = "1.13.0";
 
-    goPackagePath = "github.com/deis/deis";
+  goPackagePath = "github.com/deis/deis";
 
-    src = fetchFromGitHub {
-      owner = "deis";
-      repo = "deis";
-      rev = "v${version}";
-      hash = "sha256-XCPD4LNWtAd8uz7zyCLRfT8rzxycIUmTACjU03GnaeM=";
-    };
-
-    goDeps = ./deps.nix;
+  src = fetchFromGitHub {
+    owner = "deis";
+    repo = "deis";
+    rev = "v${version}";
+    hash = "sha256-XCPD4LNWtAd8uz7zyCLRfT8rzxycIUmTACjU03GnaeM=";
   };
+
+  goDeps = ./deps.nix;
 }
 ```
 
@@ -141,7 +103,7 @@ The `goDeps` attribute can be imported from a separate `nix` file that defines w
 ]
 ```
 
-To extract dependency information from a Go package in automated way use [go2nix (deprecated)](https://github.com/kamilchm/go2nix). It can produce complete derivation and `goDeps` file for Go programs.
+To extract dependency information from a Go package in automated way use [go2nix](https://github.com/kamilchm/go2nix). It can produce complete derivation and `goDeps` file for Go programs.
 
 You may use Go packages installed into the active Nix profiles by adding the following to your ~/.bashrc:
 
@@ -151,7 +113,7 @@ for p in $NIX_PROFILES; do
 done
 ```
 
-## Attributes used by both builders {#ssec-go-common-attributes}
+## Attributes used by the builders {#ssec-go-common-attributes}
 
 Many attributes [controlling the build phase](#variables-controlling-the-build-phase) are respected by both `buildGoModule` and `buildGoPackage`. Note that `buildGoModule` reads the following attributes also when building the `vendor/` goModules fixed output derivation as well:
 
@@ -161,148 +123,44 @@ Many attributes [controlling the build phase](#variables-controlling-the-build-p
 - [`patchFlags`](#var-stdenv-patchFlags)
 - [`postPatch`](#var-stdenv-postPatch)
 - [`preBuild`](#var-stdenv-preBuild)
-- `env`: useful for passing down variables such as `GOWORK`.
-
-To control test execution of the build derivation, the following attributes are of interest:
-
-- [`checkInputs`](#var-stdenv-checkInputs)
-- [`preCheck`](#var-stdenv-preCheck)
-- [`checkFlags`](#var-stdenv-checkFlags)
 
 In addition to the above attributes, and the many more variables respected also by `stdenv.mkDerivation`, both `buildGoModule` and `buildGoPackage` respect Go-specific attributes that tweak them to behave slightly differently:
 
 ### `ldflags` {#var-go-ldflags}
 
-A string list of flags to pass to the Go linker tool via the `-ldflags` argument of `go build`. Possible values can be retrieved by running `go tool link --help`.
-The most common use case for this argument is to make the resulting executable aware of its own version by injecting the value of string variable using the `-X` flag. For example:
+Arguments to pass to the Go linker tool via the `-ldflags` argument of `go build`. The most common use case for this argument is to make the resulting executable aware of its own version. For example:
 
 ```nix
-{
   ldflags = [
+    "-s" "-w"
     "-X main.Version=${version}"
     "-X main.Commit=${version}"
   ];
-}
 ```
 
 ### `tags` {#var-go-tags}
 
-A string list of [Go build tags (also called build constraints)](https://pkg.go.dev/cmd/go#hdr-Build_constraints) that are passed via the `-tags` argument of `go build`.  These constraints control whether Go files from the source should be included in the build. For example:
+Arguments to pass to the Go via the `-tags` argument of `go build`. For example:
 
 ```nix
-{
   tags = [
     "production"
     "sqlite"
   ];
-}
 ```
 
-Tags can also be set conditionally:
-
 ```nix
-{
   tags = [ "production" ] ++ lib.optionals withSqlite [ "sqlite" ];
-}
 ```
 
 ### `deleteVendor` {#var-go-deleteVendor}
 
-If set to `true`, removes the pre-existing vendor directory. This should only be used if the dependencies included in the vendor folder are broken or incomplete.
+Removes the pre-existing vendor directory. This should only be used if the dependencies included in the vendor folder are broken or incomplete.
 
 ### `subPackages` {#var-go-subPackages}
 
 Specified as a string or list of strings. Limits the builder from building child packages that have not been listed. If `subPackages` is not specified, all child packages will be built.
 
-Many Go projects keep the main package in a `cmd` directory.
-Following example could be used to only build the example-cli and example-server binaries:
-
-```nix
-{
-  subPackages = [
-    "cmd/example-cli"
-    "cmd/example-server"
-  ];
-}
-```
-
 ### `excludedPackages` {#var-go-excludedPackages}
 
-Specified as a string or list of strings. Causes the builder to skip building child packages that match any of the provided values.
-
-### `CGO_ENABLED` {#var-go-CGO_ENABLED}
-
-When set to `0`, the [cgo](https://pkg.go.dev/cmd/cgo) command is disabled. As consequence, the build
-program can't link against C libraries anymore, and the resulting binary is statically linked.
-
-When building with CGO enabled, Go will likely link some packages from the Go standard library against C libraries,
-even when the target code does not explicitly call into C dependencies. With `CGO_ENABLED = 0;`, Go
-will always use the Go native implementation of these internal packages. For reference see
-[net](https://pkg.go.dev/net#hdr-Name_Resolution) and [os/user](https://pkg.go.dev/os/user#pkg-overview) packages.
-Notice that the decision whether these packages should use native Go implementation or not can also be controlled
-on a per package level using build tags (`tags`). In case CGO is disabled, these tags have no additional effect.
-
-When a Go program depends on C libraries, place those dependencies in `buildInputs`:
-
-```nix
-{
-  buildInputs = [
-    libvirt
-    libxml2
-  ];
-}
-```
-
-`CGO_ENABLED` defaults to `1`.
-
-### `enableParallelBuilding` {#var-go-enableParallelBuilding}
-
-Whether builds and tests should run in parallel.
-
-Defaults to `true`.
-
-### `allowGoReference` {#var-go-allowGoReference}
-
-Whether the build result should be allowed to contain references to the Go tool chain. This might be needed for programs that are coupled with the compiler, but shouldn't be set without a good reason.
-
-Defaults to `false`
-
-## Controlling the Go environment {#ssec-go-environment}
-
-The Go build can be further tweaked by setting environment variables. In most cases, this isn't needed. Possible values can be found in the [Go documentation of accepted environment variables](https://pkg.go.dev/cmd/go#hdr-Environment_variables). Notice that some of these flags are set by the builder itself and should not be set explicitly. If in doubt, grep the implementation of the builder.
-
-## Skipping tests {#ssec-skip-go-tests}
-
-`buildGoModule` runs tests by default. Failing tests can be disabled using the `checkFlags` parameter.
-This is done with the [`-skip` or `-run`](https://pkg.go.dev/cmd/go#hdr-Testing_flags) flags of the `go test` command.
-
-For example, only a selection of tests could be run with:
-
-```nix
-{
-  # -run and -skip accept regular expressions
-  checkFlags = [
-    "-run=^Test(Simple|Fast)$"
-  ];
-}
-```
-
-If a larger amount of tests should be skipped, the following pattern can be used:
-
-```nix
-{
-  checkFlags =
-    let
-      # Skip tests that require network access
-      skippedTests = [
-        "TestNetwork"
-        "TestDatabase/with_mysql" # exclude only the subtest
-        "TestIntegration"
-      ];
-    in
-    [ "-skip=^${builtins.concatStringsSep "$|^" skippedTests}$" ];
-}
-```
-
-To disable tests altogether, set `doCheck = false;`.
-`buildGoPackage` does not execute tests by default.
+Specified as a string or list of strings. Causes the builder to skip building child packages that match any of the provided values. If `excludedPackages` is not specified, all child packages will be built.

doc/languages-frameworks/gradle.section.md

@@ -1,189 +0,0 @@
-# Gradle {#gradle}
-
-Gradle is a popular build tool for Java/Kotlin. Gradle itself doesn't
-currently provide tools to make dependency resolution reproducible, so
-nixpkgs has a proxy designed for intercepting Gradle web requests to
-record dependencies so they can be restored in a reproducible fashion.
-
-## Building a Gradle package {#building-a-gradle-package}
-
-Here's how a typical derivation will look like:
-
-```nix
-stdenv.mkDerivation (finalAttrs: {
-  pname = "pdftk";
-  version = "3.3.3";
-
-  src = fetchFromGitLab {
-    owner = "pdftk-java";
-    repo = "pdftk";
-    rev = "v${finalAttrs.version}";
-    hash = "sha256-ciKotTHSEcITfQYKFZ6sY2LZnXGChBJy0+eno8B3YHY=";
-  };
-
-  nativeBuildInputs = [ gradle ];
-
-  # if the package has dependencies, mitmCache must be set
-  mitmCache = gradle.fetchDeps {
-    inherit (finalAttrs) pname;
-    data = ./deps.json;
-  };
-
-  # this is required for using mitm-cache on Darwin
-  __darwinAllowLocalNetworking = true;
-
-  gradleFlags = [ "-Dfile.encoding=utf-8" ];
-
-  # defaults to "assemble"
-  gradleBuildTask = "shadowJar";
-
-  # will run the gradleCheckTask (defaults to "test")
-  doCheck = true;
-
-  installPhase = ''
-    mkdir -p $out/{bin,share/pdftk}
-    cp build/libs/pdftk-all.jar $out/share/pdftk
-
-    makeWrapper ${jre}/bin/java $out/bin/pdftk \
-      --add-flags "-jar $out/share/pdftk/pdftk-all.jar"
-
-    cp ${finalAttrs.src}/pdftk.1 $out/share/man/man1
-  '';
-
-  meta.sourceProvenance = with lib.sourceTypes; [
-    fromSource
-    binaryBytecode # mitm cache
-  ];
-})
-```
-
-To update (or initialize) dependencies, run the update script via
-something like `$(nix-build -A <pname>.mitmCache.updateScript)`
-(`nix-build` builds the `updateScript`, `$(...)` runs the script at the
-path printed by `nix-build`).
-
-If your package can't be evaluated using a simple `pkgs.<pname>`
-expression (for example, if your package isn't located in nixpkgs, or if
-you want to override some of its attributes), you will usually have to
-pass `pkg` instead of `pname` to `gradle.fetchDeps`. There are two ways
-of doing it.
-
-The first is to add the derivation arguments required for getting the
-package. Using the pdftk example above:
-
-```nix
-{ lib
-, stdenv
-# ...
-, pdftk
-}:
-
-stdenv.mkDerivation (finalAttrs: {
-  # ...
-  mitmCache = gradle.fetchDeps {
-    pkg = pdftk;
-    data = ./deps.json;
-  };
-})
-```
-
-This allows you to `override` any arguments of the `pkg` used for
-the update script (for example, `pkg = pdftk.override { enableSomeFlag =
-true };`), so this is the preferred way.
-
-The second is to create a `let` binding for the package, like this:
-
-```nix
-let self = stdenv.mkDerivation {
-  # ...
-  mitmCache = gradle.fetchDeps {
-    pkg = self;
-    data = ./deps.json;
-  };
-}; in self
-```
-
-This is useful if you can't easily pass the derivation as its own
-argument, or if your `mkDerivation` call is responsible for building
-multiple packages.
-
-In the former case, the update script will stay the same even if the
-derivation is called with different arguments. In the latter case, the
-update script will change depending on the derivation arguments. It's up
-to you to decide which one would work best for your derivation.
-
-## Update Script {#gradle-update-script}
-
-The update script does the following:
-
-- Build the derivation's source via `pkgs.srcOnly`
-- Enter a `nix-shell` for the derivation in a `bwrap` sandbox (the
-  sandbox is only used on Linux)
-- Set the `IN_GRADLE_UPDATE_DEPS` environment variable to `1`
-- Run the derivation's `unpackPhase`, `patchPhase`, `configurePhase`
-- Run the derivation's `gradleUpdateScript` (the Gradle setup hook sets
-  a default value for it, which runs `preBuild`, `preGradleUpdate`
-  hooks, fetches the dependencies using `gradleUpdateTask`, and finally
-  runs the `postGradleUpdate` hook)
-- Finally, store all of the fetched files' hashes in the lockfile. They
-  may be `.jar`/`.pom` files from Maven repositories, or they may be
-  files otherwise used for building the package.
-
-`fetchDeps` takes the following arguments:
-
-- `attrPath` - the path to the package in nixpkgs (for example,
-  `"javaPackages.openjfx22"`). Used for update script metadata.
-- `pname` - an alias for `attrPath` for convenience. This is what you
-  will generally use instead of `pkg` or `attrPath`.
-- `pkg` - the package to be used for fetching the dependencies. Defaults
-  to `getAttrFromPath (splitString "." attrPath) pkgs`.
-- `bwrapFlags` - allows you to override bwrap flags (only relevant for
-  downstream, non-nixpkgs projects)
-- `data` - path to the dependencies lockfile (can be relative to the
-  package, can be absolute). In nixpkgs, it's discouraged to have the
-  lockfiles be named anything other `deps.json`, consider creating
-  subdirectories if your package requires multiple `deps.json` files.
-
-## Environment {#gradle-environment}
-
-The Gradle setup hook accepts the following environment variables:
-
-- `mitmCache` - the MITM proxy cache imported using `gradle.fetchDeps`
-- `gradleFlags` - command-line flags to be used for every Gradle
-  invocation (this simply registers a function that uses the necessary
-  flags).
-  - You can't use `gradleFlags` for flags that contain spaces, in that
-    case you must add `gradleFlagsArray+=("-flag with spaces")` to the
-    derivation's bash code instead.
-  - If you want to build the package using a specific Java version, you
-    can pass `"-Dorg.gradle.java.home=${jdk}"` as one of the flags.
-- `gradleBuildTask` - the Gradle task (or tasks) to be used for building
-  the package. Defaults to `assemble`.
-- `gradleCheckTask` - the Gradle task (or tasks) to be used for checking
-  the package if `doCheck` is set to `true`. Defaults to `test`.
-- `gradleUpdateTask` - the Gradle task (or tasks) to be used for
-  fetching all of the package's dependencies in
-  `mitmCache.updateScript`. Defaults to `nixDownloadDeps`.
-- `gradleUpdateScript` - the code to run for fetching all of the
-  package's dependencies in `mitmCache.updateScript`. Defaults to
-  running the `preBuild` and `preGradleUpdate` hooks, running the
-  `gradleUpdateTask`, and finally running the `postGradleUpdate` hook.
-- `gradleInitScript` - path to the `--init-script` to pass to Gradle. By
-  default, a simple init script that enables reproducible archive
-  creation is used.
-  - Note that reproducible archives might break some builds. One example
-    of an error caused by it is `Could not create task ':jar'. Replacing
-    an existing task that may have already been used by other plugins is
-    not supported`. If you get such an error, the easiest "fix" is
-    disabling reproducible archives altogether by setting
-    `gradleInitScript` to something like `writeText
-    "empty-init-script.gradle" ""`
-- `enableParallelBuilding` / `enableParallelChecking` /
-  `enableParallelUpdating` - pass `--parallel` to Gradle in the
-  build/check phase or in the update script. Defaults to true. If the
-  build fails for mysterious reasons, consider setting this to false.
-- `dontUseGradleConfigure` / `dontUseGradleBuild` / `dontUseGradleCheck`
-  \- force disable the Gradle setup hook for certain phases.
-  - Note that if you disable the configure hook, you may face issues
-    such as `Failed to load native library 'libnative-platform.so'`,
-    because the configure hook is responsible for initializing Gradle.

doc/languages-frameworks/hare.section.md

@@ -1,53 +0,0 @@
-# Hare {#sec-language-hare}
-
-## Building Hare programs with `hareHook` {#ssec-language-hare}
-
-The `hareHook` package sets up the environment for building Hare programs by
-doing the following:
-
-1. Setting the `HARECACHE`, `HAREPATH` and `NIX_HAREFLAGS` environment variables;
-1. Propagating `harec`, `qbe` and two wrapper scripts  for the hare binary.
-
-It is not a function as is the case for some other languages --- *e. g.*, Go or
-Rust ---, but a package to be added to `nativeBuildInputs`.
-
-## Attributes of `hareHook` {#hareHook-attributes}
-
-The following attributes are accepted by `hareHook`:
-
-1. `hareBuildType`: Either `release` (default) or `debug`. It controls if the
-   `-R` flag is added to `NIX_HAREFLAGS`.
-
-## Example for `hareHook` {#ex-hareHook}
-
-```nix
-{
-  hareHook,
-  lib,
-  stdenv,
-}: stdenv.mkDerivation {
-  pname = "<name>";
-  version = "<version>";
-  src = "<src>";
-
-  nativeBuildInputs = [ hareHook ];
-
-  meta = {
-    description = "<description>";
-    inherit (hareHook) badPlatforms platforms;
-  };
-}
-```
-
-## Cross Compilation {#hareHook-cross-compilation}
-
-`hareHook` should handle cross compilation out of the box. This is the main
-purpose of `NIX_HAREFLAGS`: In it, the `-a` flag is passed with the architecture
-of the `hostPlatform`.
-
-However, manual intervention may be needed when a binary compiled by the build
-process must be run for the build to complete --- *e. g.*, when using Hare's
-`hare` module for code generation.
-
-In those cases, `hareHook` provides the `hare-native` script, which is a wrapper
-around the hare binary for using the native (`buildPlatform`) toolchain.

doc/languages-frameworks/haskell.section.md

@@ -21,14 +21,25 @@ Many “normal” user facing packages written in Haskell, like `niv` or `cachix
 are also exposed at the top level, and there is nothing Haskell specific to
 installing and using them.
 
-All of these packages are originally defined in the `haskellPackages` package set.
-The same packages are re-exposed with a reduced dependency closure for convenience (see `justStaticExecutables` or `separateBinOutput` below).
+All of these packages are originally defined in the `haskellPackages` package
+set and are re-exposed with a reduced dependency closure for convenience.
+(see `justStaticExecutables` or `separateBinOutput` below)
 
-:::{.note}
-See [](#chap-language-support) for techniques to explore package sets.
-:::
+The `haskellPackages` set includes at least one version of every package from
+Hackage as well as some manually injected packages. This amounts to a lot of
+packages, so it is hidden from `nix-env -qa` by default for performance reasons.
+You can still list all packages in the set like this:
 
-The `haskellPackages` set includes at least one version of every package from [Hackage](https://hackage.haskell.org/) as well as some manually injected packages.
+```console
+$ nix-env -f '<nixpkgs>' -qaP -A haskellPackages
+haskellPackages.a50                                                         a50-0.5
+haskellPackages.AAI                                                         AAI-0.2.0.1
+haskellPackages.aasam                                                       aasam-0.2.0.0
+haskellPackages.abacate                                                     abacate-0.0.0.0
+haskellPackages.abc-puzzle                                                  abc-puzzle-0.2.1
+…
+```
+Also, the `haskellPackages` set is included on [search.nixos.org].
 
 The attribute names in `haskellPackages` always correspond with their name on
 Hackage. Since Hackage allows names that are not valid Nix without escaping,
@@ -38,7 +49,8 @@ For packages that are part of [Stackage] (a curated set of known to be
 compatible packages), we use the version prescribed by a Stackage snapshot
 (usually the current LTS one) as the default version. For all other packages we
 use the latest version from [Hackage](https://hackage.org) (the repository of
-basically all open source Haskell packages). See [below](#haskell-available-versions) for a few more details on this.
+basically all open source Haskell packages). See [below](#haskell-available-
+versions) for a few more details on this.
 
 Roughly half of the 16K packages contained in `haskellPackages` don’t actually
 build and are [marked as broken semi-automatically](https://github.com/NixOS/nixpkgs/blob/haskell-updates/pkgs/development/haskell-modules/configuration-hackage2nix/broken.yaml).
@@ -51,14 +63,64 @@ How you can help with that is
 described in [Fixing a broken package](#haskell-fixing-a-broken-package).
 -->
 
-`haskellPackages` is built with our default compiler, but we also provide other releases of GHC and package sets built with them.
-Available compilers are collected under `haskell.compiler`.
+`haskellPackages` is built with our default compiler, but we also provide other
+releases of GHC and package sets built with them. You can list all available
+compilers like this:
 
-Each of those compiler versions has a corresponding attribute set `packages` built with
+```console
+$ nix-env -f '<nixpkgs>' -qaP -A haskell.compiler
+haskell.compiler.ghc810                  ghc-8.10.7
+haskell.compiler.ghc88                   ghc-8.8.4
+haskell.compiler.ghc90                   ghc-9.0.2
+haskell.compiler.ghc924                  ghc-9.2.4
+haskell.compiler.ghc925                  ghc-9.2.5
+haskell.compiler.ghc926                  ghc-9.2.6
+haskell.compiler.ghc92                   ghc-9.2.7
+haskell.compiler.ghc942                  ghc-9.4.2
+haskell.compiler.ghc943                  ghc-9.4.3
+haskell.compiler.ghc94                   ghc-9.4.4
+haskell.compiler.ghcHEAD                 ghc-9.7.20221224
+haskell.compiler.ghc8102Binary           ghc-binary-8.10.2
+haskell.compiler.ghc8102BinaryMinimal    ghc-binary-8.10.2
+haskell.compiler.ghc8107BinaryMinimal    ghc-binary-8.10.7
+haskell.compiler.ghc8107Binary           ghc-binary-8.10.7
+haskell.compiler.ghc865Binary            ghc-binary-8.6.5
+haskell.compiler.ghc924Binary            ghc-binary-9.2.4
+haskell.compiler.ghc924BinaryMinimal     ghc-binary-9.2.4
+haskell.compiler.integer-simple.ghc810   ghc-integer-simple-8.10.7
+haskell.compiler.integer-simple.ghc8107  ghc-integer-simple-8.10.7
+haskell.compiler.integer-simple.ghc88    ghc-integer-simple-8.8.4
+haskell.compiler.integer-simple.ghc884   ghc-integer-simple-8.8.4
+haskell.compiler.native-bignum.ghc90     ghc-native-bignum-9.0.2
+haskell.compiler.native-bignum.ghc902    ghc-native-bignum-9.0.2
+haskell.compiler.native-bignum.ghc924    ghc-native-bignum-9.2.4
+haskell.compiler.native-bignum.ghc925    ghc-native-bignum-9.2.5
+haskell.compiler.native-bignum.ghc926    ghc-native-bignum-9.2.6
+haskell.compiler.native-bignum.ghc92     ghc-native-bignum-9.2.7
+haskell.compiler.native-bignum.ghc927    ghc-native-bignum-9.2.7
+haskell.compiler.native-bignum.ghc942    ghc-native-bignum-9.4.2
+haskell.compiler.native-bignum.ghc943    ghc-native-bignum-9.4.3
+haskell.compiler.native-bignum.ghc94     ghc-native-bignum-9.4.4
+haskell.compiler.native-bignum.ghc944    ghc-native-bignum-9.4.4
+haskell.compiler.native-bignum.ghcHEAD   ghc-native-bignum-9.7.20221224
+haskell.compiler.ghcjs                   ghcjs-8.10.7
+```
+
+Each of those compiler versions has a corresponding attribute set built using
 it. However, the non-standard package sets are not tested regularly and, as a
 result, contain fewer working packages. The corresponding package set for GHC
 9.4.5 is `haskell.packages.ghc945`. In fact `haskellPackages` is just an alias
-for `haskell.packages.ghc964`:
+for `haskell.packages.ghc927`:
+
+```console
+$ nix-env -f '<nixpkgs>' -qaP -A haskell.packages.ghc927
+haskell.packages.ghc927.a50                                                         a50-0.5
+haskell.packages.ghc927.AAI                                                         AAI-0.2.0.1
+haskell.packages.ghc927.aasam                                                       aasam-0.2.0.0
+haskell.packages.ghc927.abacate                                                     abacate-0.0.0.0
+haskell.packages.ghc927.abc-puzzle                                                  abc-puzzle-0.2.1
+…
+```
 
 Every package set also re-exposes the GHC used to build its packages as `haskell.packages.*.ghc`.
 
@@ -165,7 +227,7 @@ completely incompatible with packages from `haskellPackages`.
 
 Every haskell package set has its own haskell-aware `mkDerivation` which is used
 to build its packages. Generally you won't have to interact with this builder
-since [cabal2nix](#haskell-cabal2nix) can generate packages
+since [cabal2nix][cabal2nix] can generate packages
 using it for an arbitrary cabal package definition. Still it is useful to know
 the parameters it takes when you need to
 [override](#haskell-overriding-haskell-packages) a generated Nix expression.
@@ -858,61 +920,14 @@ for this to work.
 
 `justStaticExecutables drv`
 : Only build and install the executables produced by `drv`, removing everything
-  that may refer to other Haskell packages' store paths (like libraries and
-  documentation). This dramatically reduces the closure size of the resulting
-  derivation. Note that the executables are only statically linked against their
-  Haskell dependencies, but will still link dynamically against libc, GMP and
-  other system library dependencies.
-
-  If a library or its dependencies use their Cabal-generated
-  `Paths_*` module, this may not work as well if GHC's dead code elimination is
-  unable to remove the references to the dependency's store path that module
-  contains.
-  As a consequence, an unused reference may be created from the static binary to such a _library_ store path.
-  (See [nixpkgs#164630][164630] for more information.)
-
-  Importing the `Paths_*` module may cause builds to fail with this message:
-
-  ```
-  error: output '/nix/store/64k8iw0ryz76qpijsnl9v87fb26v28z8-my-haskell-package-1.0.0.0' is not allowed to refer to the following paths:
-           /nix/store/5q5s4a07gaz50h04zpfbda8xjs8wrnhg-ghc-9.6.3
-  ```
-
-  If that happens, first disable the check for GHC references and rebuild the
-  derivation:
-
-  ```nix
-  pkgs.haskell.lib.overrideCabal
-    (pkgs.haskell.lib.justStaticExecutables my-haskell-package)
-    (drv: {
-      disallowGhcReference = false;
-    })
-  ```
-
-  Then use `strings` to determine which libraries are responsible:
-
-  ```
-  $ nix-build ...
-  $ strings result/bin/my-haskell-binary | grep /nix/store/
-  ...
-  /nix/store/n7ciwdlg8yyxdhbrgd6yc2d8ypnwpmgq-hs-opentelemetry-sdk-0.0.3.6/bin
-  ...
-  ```
-
-  Finally, use `remove-references-to` to delete those store paths from the produced output:
-
-  ```nix
-  pkgs.haskell.lib.overrideCabal
-    (pkgs.haskell.lib.justStaticExecutables my-haskell-package)
-    (drv: {
-      postInstall = ''
-        ${drv.postInstall or ""}
-        remove-references-to -t ${pkgs.haskellPackages.hs-opentelemetry-sdk}
-      '';
-    })
-  ```
-
-[164630]: https://github.com/NixOS/nixpkgs/issues/164630
+that may refer to other Haskell packages' store paths (like libraries and
+documentation). This dramatically reduces the closure size of the resulting
+derivation. Note that the executables are only statically linked against their
+Haskell dependencies, but will still link dynamically against libc, GMP and
+other system library dependencies. If dependencies use their Cabal-generated
+`Paths_*` module, this may not work as well if GHC's dead code elimination
+is unable to remove the references to the dependency's store path that module
+contains.
 
 `enableSeparateBinOutput drv`
 : Install executables produced by `drv` to a separate `bin` output. This
@@ -1002,11 +1017,6 @@ failing because of e.g. a syntax error in the Haddock documentation.
 : Sets `doCheck` to `false` for `drv`. Useful if a package has a broken,
 flaky or otherwise problematic test suite breaking the build.
 
-`dontCheckIf condition drv`
-: Sets `doCheck` to `false` for `drv`, but only if `condition` applies.
-Otherwise it's a no-op. Useful to conditionally disable tests for a package
-without interfering with previous overrides or default values.
-
 <!-- Purposefully omitting the non-list variants here. They are a bit
 ugly, and we may want to deprecate them at some point. -->
 
@@ -1105,75 +1115,18 @@ for [this to work][optparse-applicative-completions].
 Note that this feature is automatically disabled when cross-compiling, since it
 requires executing the binaries in question.
 
-## Import-from-Derivation helpers {#haskell-import-from-derivation}
-
-### cabal2nix {#haskell-cabal2nix}
-
-[`cabal2nix`][cabal2nix] can generate Nix package definitions for arbitrary
-Haskell packages using [import from derivation][import-from-derivation].
-`cabal2nix` will generate Nix expressions that look like this:
-
-```nix
-# cabal get mtl-2.2.1 && cd mtl-2.2.1 && cabal2nix .
-{ mkDerivation, base, lib, transformers }:
-mkDerivation {
-  pname = "mtl";
-  version = "2.2.1";
-  src = ./.;
-  libraryHaskellDepends = [ base transformers ];
-  homepage = "http://github.com/ekmett/mtl";
-  description = "Monad classes, using functional dependencies";
-  license = lib.licenses.bsd3;
-}
-```
-
-This expression should be called with `haskellPackages.callPackage`, which will
-supply [`haskellPackages.mkDerivation`](#haskell-mkderivation) and the Haskell
-dependencies as arguments.
-
-`callCabal2nix name src args`
-: Create a package named `name` from the source derivation `src` using
-  `cabal2nix`.
-
-  `args` are extra arguments provided to `haskellPackages.callPackage`.
-
-`callCabal2nixWithOptions name src opts args`
-: Create a package named `name` from the source derivation `src` using
-  `cabal2nix`.
-
-  `opts` are extra options for calling `cabal2nix`. If `opts` is a string, it
-  will be used as extra command line arguments for `cabal2nix`, e.g. `--subpath
-  path/to/dir/containing/cabal-file`. Otherwise, `opts` should be an AttrSet
-  which can contain the following attributes:
-
-  `extraCabal2nixOptions`
-  : Extra command line arguments for `cabal2nix`.
-
-  `srcModifier`
-  : A function which is used to modify the given `src` instead of the default
-    filter.
-
-    The default source filter will remove all files from `src` except for
-    `.cabal` files and `package.yaml` files.
-
-<!--
-
-`callHackage`
-: TODO
-
-`callHackageDirect`
-: TODO
-
-`developPackage`
-: TODO
-
--->
-
 <!--
 
 TODO(@NixOS/haskell): finish these planned sections
 ### Overriding the entire package set
 
+
+## Import-from-Derivation helpers
+
+* `callCabal2nix`
+* `callHackage`, `callHackageDirect`
+* `developPackage`
+
 ## Contributing {#haskell-contributing}
 
 ### Fixing a broken package {#haskell-fixing-a-broken-package}
@@ -1273,12 +1226,10 @@ in
   in
 
   {
-    haskell = prev.haskell // {
-      compiler = prev.haskell.compiler // {
-        ${ghcName} = prev.haskell.compiler.${ghcName}.override {
-          # Unfortunately, the GHC setting is named differently for historical reasons
-          enableProfiledLibs = enableProfiling;
-        };
+    haskell = lib.recursiveUpdate prev.haskell {
+      compiler.${ghcName} = prev.haskell.compiler.${ghcName}.override {
+        # Unfortunately, the GHC setting is named differently for historical reasons
+        enableProfiledLibs = enableProfiling;
       };
     };
   })
@@ -1290,33 +1241,31 @@ in
   in
 
   {
-    haskell = prev.haskell // {
-      packages = prev.haskell.packages // {
-        ${ghcName} = prev.haskell.packages.${ghcName}.override {
-          overrides = hfinal: hprev: {
-            mkDerivation = args: hprev.mkDerivation (args // {
-              # Since we are forcing our ideas upon mkDerivation, this change will
-              # affect every package in the package set.
-              enableLibraryProfiling = enableProfiling;
+    haskell = lib.recursiveUpdate prev.haskell {
+      packages.${ghcName} = prev.haskell.packages.${ghcName}.override {
+        overrides = hfinal: hprev: {
+          mkDerivation = args: hprev.mkDerivation (args // {
+            # Since we are forcing our ideas upon mkDerivation, this change will
+            # affect every package in the package set.
+            enableLibraryProfiling = enableProfiling;
 
-              # To actually use profiling on an executable, executable profiling
-              # needs to be enabled for the executable you want to profile. You
-              # can either do this globally or…
-              enableExecutableProfiling = enableProfiling;
-            });
+            # To actually use profiling on an executable, executable profiling
+            # needs to be enabled for the executable you want to profile. You
+            # can either do this globally or…
+            enableExecutableProfiling = enableProfiling;
+          });
 
-            # …only for the package that contains an executable you want to profile.
-            # That saves on unnecessary rebuilds for packages that you only depend
-            # on for their library, but also contain executables (e.g. pandoc).
-            my-executable = haskellLib.enableExecutableProfiling hprev.my-executable;
+          # …only for the package that contains an executable you want to profile.
+          # That saves on unnecessary rebuilds for packages that you only depend
+          # on for their library, but also contain executables (e.g. pandoc).
+          my-executable = haskellLib.enableExecutableProfiling hprev.my-executable;
 
-            # If you are disabling profiling to save on build time, but want to
-            # retain the ability to substitute from the binary cache. Drop the
-            # override for mkDerivation above and instead have an override like
-            # this for the specific packages you are building locally and want
-            # to make cheaper to build.
-            my-library = haskellLib.disableLibraryProfiling hprev.my-library;
-          };
+          # If you are disabling profiling to save on build time, but want to
+          # retain the ability to substitute from the binary cache. Drop the
+          # override for mkDerivation above and instead have an override like
+          # this for the specific packages you are building locally and want
+          # to make cheaper to build.
+          my-library = haskellLib.disableLibraryProfiling hprev.my-library;
         };
       };
     };
@@ -1348,4 +1297,3 @@ relevant.
 [profiling]: https://downloads.haskell.org/~ghc/latest/docs/html/users_guide/profiling.html
 [search.nixos.org]: https://search.nixos.org
 [turtle]: https://hackage.haskell.org/package/turtle
-[import-from-derivation]: https://nixos.org/manual/nix/stable/language/import-from-derivation