Release NixOS 25.05

nixosTests.lomiri-filemanager-app: Fix OCR
(cherry picked from commit 66301f51a3)
2026-06-06 13:23:41 +00:00 · 2025-05-23 20:56:20 +02:00 · 2025-05-23 23:25:53 +05:30 · 2025-05-23 23:25:53 +05:30 · 2025-05-23 18:47:35 +01:00 · 2025-05-23 17:39:28 +00:00
5247 changed files with 119896 additions and 104242 deletions
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -266,6 +266,3 @@ a034fb50f79816c6738fb48b48503b09ea3b0132

 # treewide: switch instances of lib.teams.*.members to the new meta.teams attribute
 05580f4b4433fda48fff30f60dfd303d6ee05d21
-
-# nixos/redmine: Get rid of global lib expansions
-d7f1102f04c58b2edfc74c9a1d577e3aebfca775
--- a/.github/ISSUE_TEMPLATE/01_bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/01_bug_report.yml
@@ -34,9 +34,9 @@ body:
        > If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml
+++ b/.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml
@@ -34,9 +34,9 @@ body:
        > If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml
+++ b/.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml
@@ -34,9 +34,9 @@ body:
        > If you are using an older version, please [update to the latest stable version](https://nixos.org/download) and check if the issue persists before continuing this bug report.
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/04_build_failure.yml
+++ b/.github/ISSUE_TEMPLATE/04_build_failure.yml
@@ -35,9 +35,9 @@ body:
        > If you are purposefully trying to build an ancient version of a package in an older Nixpkgs, please coordinate with the [NixOS Archivists](https://matrix.to/#/#archivists:nixos.org).
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/05_update_request.yml
+++ b/.github/ISSUE_TEMPLATE/05_update_request.yml
@@ -35,9 +35,9 @@ body:
        > If the package has been updated in unstable, but you believe the update should be backported to the stable release of Nixpkgs, please file the '**Request: backport to stable**' form instead.
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/06_module_request.yml
+++ b/.github/ISSUE_TEMPLATE/06_module_request.yml
@@ -34,9 +34,9 @@ body:
        > If you are using an older or stable version, please update to the latest **unstable** version and check if the module still does not exist before continuing this request.
      options:
        - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
      default: 0
    validations:
      required: true
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -25,9 +25,8 @@ For new packages please briefly describe the package or provide a link to its ho
  - made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages
 - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
 - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
- [Nixpkgs 25.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/doc/release-notes/rl-2511.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/doc/manual/release-notes/rl-2505.section.md) Nixpkgs Release notes)
+- [25.05 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) Release notes)
  - [ ] (Package updates) Added a release notes entry if the change is major or breaking
- [NixOS 25.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2511.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) NixOS Release notes)
  - [ ] (Module updates) Added a release notes entry if the change is significant
  - [ ] (Module addition) Added a release notes entry if adding a new NixOS module
 - [ ] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).
--- a/.github/actions/get-merge-commit/action.yml
+++ b/.github/actions/get-merge-commit/action.yml
@@ -1,88 +0,0 @@
-name: Get merge commit
-
-description: 'Checks whether the Pull Request is mergeable and checks out the repo at up to two commits: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.'
-
-inputs:
-  merged-as-untrusted:
-    description: "Whether to checkout the merge commit in the ./untrusted folder."
-    type: boolean
-  target-as-trusted:
-    description: "Whether to checkout the target commit in the ./trusted folder."
-    type: boolean
-
-outputs:
-  mergedSha:
-    description: "The merge commit SHA"
-    value: ${{ steps.commits.outputs.mergedSha }}
-  targetSha:
-    description: "The target commit SHA"
-    value: ${{ steps.commits.outputs.targetSha }}
-
-runs:
-  using: composite
-  steps:
-    - id: commits
-      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-      with:
-        script: |
-          if (context.eventName == 'push') return core.setOutput('mergedSha', context.sha)
-
-          for (const retryInterval of [5, 10, 20, 40, 80]) {
-            console.log("Checking whether the pull request can be merged...")
-            const prInfo = (await github.rest.pulls.get({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.payload.pull_request.number
-            })).data
-
-            if (prInfo.state != 'open') throw new Error ("PR is not open anymore.")
-
-            if (prInfo.mergeable == null) {
-              console.log(`GitHub is still computing whether this PR can be merged, waiting ${retryInterval} seconds before trying again...`)
-              await new Promise(resolve => setTimeout(resolve, retryInterval * 1000))
-              continue
-            }
-
-            let mergedSha, targetSha
-
-            if (prInfo.mergeable) {
-              console.log("The PR can be merged.")
-
-              mergedSha = prInfo.merge_commit_sha
-              targetSha = (await github.rest.repos.getCommit({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                ref: prInfo.merge_commit_sha
-              })).data.parents[0].sha
-            } else {
-              console.log("The PR has a merge conflict.")
-
-              mergedSha = prInfo.head.sha
-              targetSha = (await github.rest.repos.compareCommitsWithBasehead({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                basehead: `${prInfo.base.sha}...${prInfo.head.sha}`
-              })).data.merge_base_commit.sha
-            }
-
-            console.log(`Checking the commits:\nmerged:${mergedSha}\ntarget:${targetSha}`)
-            core.setOutput('mergedSha', mergedSha)
-            core.setOutput('targetSha', targetSha)
-            return
-          }
-          throw new Error("Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com.")
-
-      # Would be great to do the checkouts in git worktrees of the existing spare checkout instead,
-      # but Nix is broken with them:
-      # https://github.com/NixOS/nix/issues/6073
-    - if: inputs.merged-as-untrusted && steps.commits.outputs.mergedSha
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        ref: ${{ steps.commits.outputs.mergedSha }}
-        path: untrusted
-
-    - if: inputs.target-as-trusted && steps.commits.outputs.targetSha
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        ref: ${{ steps.commits.outputs.targetSha }}
-        path: trusted
--- a/.github/labeler-no-sync.yml
+++ b/.github/labeler-no-sync.yml
@@ -22,7 +22,7 @@
        - doc/**/*
        - nixos/doc/**/*

-"backport release-25.05":
+"backport release-24.11":
  - any:
    - changed-files:
      - any-glob-to-any-file:
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -162,7 +162,7 @@
      - any-glob-to-any-file:
        - doc/languages-frameworks/gnome.section.md
        - nixos/modules/services/desktops/gnome/**/*
-        - nixos/modules/services/desktop-managers/gnome.nix
+        - nixos/modules/services/x11/desktop-managers/gnome.nix
        - nixos/tests/gnome-xorg.nix
        - nixos/tests/gnome.nix
        - pkgs/desktops/gnome/**/*
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -9,9 +9,7 @@ on:
  pull_request_target:
    types: [closed, labeled]

-permissions:
-  contents: read
-  pull-requests: write
+permissions: {}

 jobs:
  backport:
@@ -50,8 +48,7 @@ jobs:
      - name: "Add 'has: port to stable' label"
        if: steps.backport.outputs.created_pull_numbers != ''
        env:
-          # Not the app on purpose to avoid triggering another workflow run after adding this label
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          REPOSITORY: ${{ github.repository }}
          NUMBER: ${{ github.event.number }}
        run: |
--- a/.github/workflows/check-cherry-picks.yml
+++ b/.github/workflows/check-cherry-picks.yml
@@ -20,12 +20,11 @@ jobs:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
-          filter: tree:0
-          path: trusted
+          filter: blob:none

      - name: Check cherry-picks
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
-          ./trusted/ci/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA"
+          ./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA"
--- a/.github/workflows/check-format.yml
+++ b/.github/workflows/check-format.yml
@@ -9,17 +9,18 @@ on:
 permissions: {}

 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
  nixos:
    name: fmt-check
    runs-on: ubuntu-24.04-arm
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
@@ -30,7 +31,7 @@ jobs:
          # Note that it's fine to run this on untrusted code because:
          # - There's no secrets accessible here
          # - The build is sandboxed
-          if ! nix-build untrusted/ci -A fmt.check; then
+          if ! nix-build ci -A fmt.check; then
            echo "Some files are not properly formatted"
            echo "Please format them by going to the Nixpkgs root directory and running one of:"
            echo "  nix-shell --run treefmt"
--- a/.github/workflows/check-shell.yml
+++ b/.github/workflows/check-shell.yml
@@ -32,13 +32,9 @@ jobs:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31

      - name: Build shell
-        run: nix-build untrusted/ci -A shell
+        run: nix-build ci -A shell
--- a/.github/workflows/codeowners-v2.yml
+++ b/.github/workflows/codeowners-v2.yml
@@ -37,21 +37,17 @@ env:
  DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

 jobs:
+  get-merge-commit:
+    if: github.repository_owner == 'NixOS'
+    uses: ./.github/workflows/get-merge-commit.yml
+
  # Check that code owners is valid
  check:
    name: Check
    runs-on: ubuntu-24.04-arm
-    if: github.repository_owner == 'NixOS'
+    needs: get-merge-commit
+    if: github.repository_owner == 'NixOS' && needs.get-merge-commit.outputs.mergedSha
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge and target commits
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-          target-as-trusted: true
-
      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31

      - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
@@ -60,8 +56,15 @@ jobs:
          name: nixpkgs-ci
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

+      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
+      # We later build and run code from the base branch with access to secrets,
+      # so it's important this is not the PRs code.
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          path: base
+
      - name: Build codeowners validator
-        run: nix-build trusted/ci -A codeownersValidator
+        run: nix-build base/ci -A codeownersValidator

      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        if: vars.OWNER_RO_APP_ID
@@ -72,16 +75,21 @@ jobs:
          permission-administration: read
          permission-members: read

+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: pr
+
      - name: Validate codeowners
        if: steps.app-token.outputs.token
+        run: result/bin/codeowners-validator
        env:
-          OWNERS_FILE: untrusted/${{ env.OWNERS_FILE }}
+          OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
          GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
-          REPOSITORY_PATH: untrusted
+          REPOSITORY_PATH: pr
          OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
          # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
          EXPERIMENTAL_CHECKS: "avoid-shadowing"
-        run: result/bin/codeowners-validator

  # Request reviews from code owners
  request:
@@ -94,8 +102,6 @@ jobs:
      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
      # This is intentional, because we need to request the review of owners as declared in the base branch.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: trusted

      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        if: vars.OWNER_APP_ID
@@ -108,10 +114,10 @@ jobs:
          permission-pull-requests: write

      - name: Build review request package
-        run: nix-build trusted/ci -A requestReviews
+        run: nix-build ci -A requestReviews

      - name: Request reviews
        if: steps.app-token.outputs.token
+        run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
--- a/.github/workflows/eval-aliases.yml
+++ b/.github/workflows/eval-aliases.yml
@@ -9,17 +9,19 @@ on:
 permissions: {}

 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
  eval-aliases:
    name: Eval nixpkgs with aliases enabled
    runs-on: ubuntu-24.04-arm
+    needs: [ get-merge-commit ]
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Check out the PR at the test merge commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: nixpkgs

      - name: Install Nix
        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
@@ -27,8 +29,8 @@ jobs:
          extra_nix_config: sandbox = true

      - name: Ensure flake outputs on all systems still evaluate
-        run: nix flake check --all-systems --no-build ./untrusted
+        run: nix flake check --all-systems --no-build ./nixpkgs

      - name: Query nixpkgs with aliases enabled to check for basic syntax errors
        run: |
-          time nix-env -I ./untrusted -f ./untrusted -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null
+          time nix-env -I ./nixpkgs -f ./nixpkgs -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@@ -4,8 +4,8 @@ on:
  pull_request:
    paths:
      - .github/workflows/eval.yml
-      - .github/workflows/reviews.yml # needs eval results from the same event type
  pull_request_target:
+    types: [opened, ready_for_review, synchronize, reopened]
  push:
    # Keep this synced with ci/request-reviews/dev-branches.txt
    branches:
@@ -19,36 +19,17 @@ on:
 permissions: {}

 jobs:
-  prepare:
-    name: Prepare
-    runs-on: ubuntu-24.04-arm
-    outputs:
-      mergedSha: ${{ steps.get-merge-commit.outputs.mergedSha }}
-      targetSha: ${{ steps.get-merge-commit.outputs.targetSha }}
-      systems: ${{ steps.systems.outputs.systems }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: |
-            .github/actions
-            ci/supportedSystems.json
-      - name: Check if the PR can be merged and get the test merge commit
-        uses: ./.github/actions/get-merge-commit
-        id: get-merge-commit
-
-      - name: Load supported systems
-        id: systems
-        run: |
-          echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml

  outpaths:
    name: Outpaths
    runs-on: ubuntu-24.04-arm
-    needs: [ prepare ]
+    needs: [ get-merge-commit ]
    strategy:
      fail-fast: false
      matrix:
-        system: ${{ fromJSON(needs.prepare.outputs.systems) }}
+        system: ${{ fromJSON(needs.get-merge-commit.outputs.systems) }}
    steps:
      - name: Enable swap
        run: |
@@ -60,8 +41,8 @@ jobs:
      - name: Check out the PR at the test merge commit
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{ needs.prepare.outputs.mergedSha }}
-          path: untrusted
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: nixpkgs

      - name: Install Nix
        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
@@ -72,26 +53,57 @@ jobs:
        env:
          MATRIX_SYSTEM: ${{ matrix.system }}
        run: |
-          nix-build untrusted/ci -A eval.singleSystem \
+          nix-build nixpkgs/ci -A eval.singleSystem \
            --argstr evalSystem "$MATRIX_SYSTEM" \
-            --arg chunkSize 10000 \
-            --out-link merged
+            --arg chunkSize 10000
          # If it uses too much memory, slightly decrease chunkSize

      - name: Upload the output paths and eval stats
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
-          name: merged-${{ matrix.system }}
-          path: merged/*
+          name: intermediate-${{ matrix.system }}
+          path: result/*
+
+  process:
+    name: Process
+    runs-on: ubuntu-24.04-arm
+    needs: [ outpaths, get-merge-commit ]
+    outputs:
+      targetRunId: ${{ steps.targetRunId.outputs.targetRunId }}
+    steps:
+      - name: Download output paths and eval stats for all systems
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          pattern: intermediate-*
+          path: intermediate
+
+      - name: Check out the PR at the test merge commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          fetch-depth: 2
+          path: nixpkgs
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+        with:
+          extra_nix_config: sandbox = true
+
+      - name: Combine all output paths and eval stats
+        run: |
+          nix-build nixpkgs/ci -A eval.combine \
+            --arg resultsDir ./intermediate \
+            -o prResult
+
+      - name: Upload the combined results
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: result
+          path: prResult/*

      - name: Get target run id
-        if: needs.prepare.outputs.targetSha
+        if: needs.get-merge-commit.outputs.targetSha
        id: targetRunId
-        env:
-          GH_TOKEN: ${{ github.token }}
-          MATRIX_SYSTEM: ${{ matrix.system }}
-          REPOSITORY: ${{ github.repository }}
-          TARGET_SHA: ${{ needs.prepare.outputs.targetSha }}
        run: |
          # Get the latest eval.yml workflow run for the PR's target commit
          if ! run=$(gh api --method GET /repos/"$REPOSITORY"/actions/workflows/eval.yml/runs \
@@ -103,119 +115,104 @@ jobs:
          fi
          echo "Comparing against $(jq .html_url <<< "$run")"
          runId=$(jq .id <<< "$run")
-
-          if ! job=$(gh api --method GET /repos/"$REPOSITORY"/actions/runs/"$runId"/jobs \
-            --jq ".jobs[] | select (.name == \"Outpaths ($MATRIX_SYSTEM)\")") \
-            || [[ -z "$job" ]]; then
-            echo "Could not find the Outpaths ($MATRIX_SYSTEM) job for workflow run $runId, cannot make comparison"
-            exit 1
-          fi
-          jobId=$(jq .id <<< "$job")
-          conclusion=$(jq -r .conclusion <<< "$job")
+          conclusion=$(jq -r .conclusion <<< "$run")

          while [[ "$conclusion" == null || "$conclusion" == "" ]]; do
-            echo "Job not done, waiting 10 seconds before checking again"
+            echo "Workflow not done, waiting 10 seconds before checking again"
            sleep 10
-            conclusion=$(gh api /repos/"$REPOSITORY"/actions/jobs/"$jobId" --jq '.conclusion')
+            conclusion=$(gh api /repos/"$REPOSITORY"/actions/runs/"$runId" --jq '.conclusion')
          done

          if [[ "$conclusion" != "success" ]]; then
-            echo "Job was not successful (conclusion: $conclusion), cannot make comparison"
+            echo "Workflow was not successful (conclusion: $conclusion), cannot make comparison"
            exit 1
          fi

          echo "targetRunId=$runId" >> "$GITHUB_OUTPUT"
+        env:
+          REPOSITORY: ${{ github.repository }}
+          TARGET_SHA: ${{ needs.get-merge-commit.outputs.targetSha }}
+          GH_TOKEN: ${{ github.token }}

      - uses: actions/download-artifact@v4
        if: steps.targetRunId.outputs.targetRunId
        with:
-          run-id: ${{ steps.targetRunId.outputs.targetRunId }}
-          name: merged-${{ matrix.system }}
-          path: target
+          name: result
+          path: targetResult
          github-token: ${{ github.token }}
-          merge-multiple: true
-
-      - name: Compare outpaths against the target branch
-        if: steps.targetRunId.outputs.targetRunId
-        env:
-          MATRIX_SYSTEM: ${{ matrix.system }}
-        run: |
-          nix-build untrusted/ci -A eval.diff \
-            --arg beforeDir ./target \
-            --arg afterDir "$(readlink ./merged)" \
-            --argstr evalSystem "$MATRIX_SYSTEM" \
-            --out-link diff
-
-      - name: Upload outpaths diff and stats
-        if: steps.targetRunId.outputs.targetRunId
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: diff-${{ matrix.system }}
-          path: diff/*
-
-  compare:
-    name: Comparison
-    runs-on: ubuntu-24.04-arm
-    needs: [ prepare, outpaths ]
-    if: needs.prepare.outputs.targetSha
-    permissions:
-      issues: write # needed to create *new* labels
-      pull-requests: write
-      statuses: write
-    steps:
-      - name: Download output paths and eval stats for all systems
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          pattern: diff-*
-          path: diff
-          merge-multiple: true
-
-      - name: Check out the PR at the target commit
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ needs.prepare.outputs.targetSha }}
-          path: trusted
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Combine all output paths and eval stats
-        run: |
-          nix-build trusted/ci -A eval.combine \
-            --arg diffDir ./diff \
-            --out-link combined
+          run-id: ${{ steps.targetRunId.outputs.targetRunId }}

      - name: Compare against the target branch
-        env:
-          AUTHOR_ID: ${{ github.event.pull_request.user.id }}
+        if: steps.targetRunId.outputs.targetRunId
        run: |
-          git -C trusted fetch --depth 1 origin ${{ needs.prepare.outputs.mergedSha }}
-          git -C trusted diff --name-only ${{ needs.prepare.outputs.mergedSha }} \
+          git -C nixpkgs worktree add ../target ${{ needs.get-merge-commit.outputs.targetSha }}
+          git -C nixpkgs diff --name-only ${{ needs.get-merge-commit.outputs.targetSha }} \
            | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json

          # Use the target branch to get accurate maintainer info
-          nix-build trusted/ci -A eval.compare \
-            --arg combinedDir "$(realpath ./combined)" \
+          nix-build target/ci -A eval.compare \
+            --arg beforeResultDir ./targetResult \
+            --arg afterResultDir "$(realpath prResult)" \
            --arg touchedFilesJson ./touched-files.json \
            --argstr githubAuthorId "$AUTHOR_ID" \
-            --out-link comparison
+            -o comparison

          cat comparison/step-summary.md >> "$GITHUB_STEP_SUMMARY"
+        env:
+          AUTHOR_ID: ${{ github.event.pull_request.user.id }}

-      - name: Upload the comparison results
+      - name: Upload the combined results
+        if: steps.targetRunId.outputs.targetRunId
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: comparison
          path: comparison/*

+  # Separate job to have a very tightly scoped PR write token
+  tag:
+    name: Tag
+    runs-on: ubuntu-24.04-arm
+    needs: [ get-merge-commit, process ]
+    if: needs.process.outputs.targetRunId
+    permissions:
+      pull-requests: write
+      statuses: write
+    steps:
+      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
+      # Can't use the token received from permissions above, because it can't get enough permissions
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        if: vars.OWNER_APP_ID
+        id: app-token
+        with:
+          app-id: ${{ vars.OWNER_APP_ID }}
+          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+          permission-administration: read
+          permission-members: read
+          permission-pull-requests: write
+
+      - name: Download process result
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: comparison
+          path: comparison
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+
+      # Important: This workflow job runs with extra permissions,
+      # so we need to make sure to not run untrusted code from PRs
+      - name: Check out Nixpkgs at the base commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.targetSha }}
+          path: base
+          sparse-checkout: ci
+
+      - name: Build the requestReviews derivation
+        run: nix-build base/ci -A requestReviews
+
      - name: Labelling pull request
-        if: ${{ github.event_name == 'pull_request_target' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
+        if: ${{ github.event_name == 'pull_request_target' && github.repository_owner == 'NixOS' }}
        run: |
          # Get all currently set labels that we manage
          gh api \
@@ -244,12 +241,13 @@ jobs:
              -f "labels[]=$toAdd"
          done < <(comm -13 before after)

-      - name: Add eval summary to commit statuses
-        if: ${{ github.event_name == 'pull_request_target' }}
        env:
          GH_TOKEN: ${{ github.token }}
-          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          REPOSITORY: ${{ github.repository }}
          NUMBER: ${{ github.event.number }}
+
+      - name: Add eval summary to commit statuses
+        if: ${{ github.event_name == 'pull_request_target' && github.repository_owner == 'NixOS' }}
        run: |
          description=$(jq -r '
          "Package: added " + (.attrdiff.added | length | tostring) +
@@ -263,13 +261,24 @@ jobs:
            -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
            "/repos/$GITHUB_REPOSITORY/statuses/$PR_HEAD_SHA" \
            -f "context=Eval / Summary" -f "state=success" -f "description=$description" -f "target_url=$target_url"
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          NUMBER: ${{ github.event.number }}

-  reviewers:
-    name: Reviewers
-    # No dependency on "compare", so that it can start at the same time.
-    # We only wait for the "comparison" artifact to be available, which makes the start-to-finish time
-    # for the eval workflow considerably faster.
-    needs: [ prepare, outpaths ]
-    if: needs.prepare.outputs.targetSha
-    uses: ./.github/workflows/reviewers.yml
-    secrets: inherit
+      - name: Requesting maintainer reviews
+        if: ${{ steps.app-token.outputs.token && github.repository_owner == 'NixOS' }}
+        run: |
+          # maintainers.json contains GitHub IDs. Look up handles to request reviews from.
+          # There appears to be no API to request reviews based on GitHub IDs
+          jq -r 'keys[]' comparison/maintainers.json \
+            | while read -r id; do gh api /user/"$id" --jq .login; done \
+            | GH_TOKEN=${{ steps.app-token.outputs.token }} result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"
+
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REPOSITORY: ${{ github.repository }}
+          NUMBER: ${{ github.event.number }}
+          AUTHOR: ${{ github.event.pull_request.user.login }}
+          # Don't request reviewers on draft PRs
+          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
--- a/.github/workflows/get-merge-commit.yml
+++ b/.github/workflows/get-merge-commit.yml
@@ -0,0 +1,58 @@
+name: Get merge commit
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/get-merge-commit.yml
+  workflow_call:
+    outputs:
+      mergedSha:
+        description: "The merge commit SHA"
+        value: ${{ jobs.resolve-merge-commit.outputs.mergedSha }}
+      targetSha:
+        description: "The target commit SHA"
+        value: ${{ jobs.resolve-merge-commit.outputs.targetSha }}
+      systems:
+        description: "The supported systems"
+        value: ${{ jobs.resolve-merge-commit.outputs.systems }}
+
+permissions: {}
+
+jobs:
+  resolve-merge-commit:
+    runs-on: ubuntu-24.04-arm
+    outputs:
+      mergedSha: ${{ steps.merged.outputs.mergedSha }}
+      targetSha: ${{ steps.merged.outputs.targetSha }}
+      systems: ${{ steps.systems.outputs.systems }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          path: base
+          sparse-checkout: ci
+
+      - name: Check if the PR can be merged and get the test merge commit
+        id: merged
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_EVENT: ${{ github.event_name }}
+        run: |
+          case "$GH_EVENT" in
+            push)
+              echo "mergedSha=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+              ;;
+            pull_request*)
+              if commits=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
+                echo -e "Checking the commits:\n$commits"
+                echo "$commits" >> "$GITHUB_OUTPUT"
+              else
+                # Skipping so that no notifications are sent
+                echo "Skipping the rest..."
+              fi
+              ;;
+          esac
+
+      - name: Load supported systems
+        id: systems
+        run: |
+          echo "systems=$(jq -c <base/ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -10,14 +10,13 @@ on:

 permissions:
  contents: read
-  issues: write # needed to create *new* labels
  pull-requests: write

 jobs:
  labels:
    name: label-pr
    runs-on: ubuntu-24.04-arm
-    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
+    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
    steps:
      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
        if: |
--- a/.github/workflows/lib-tests.yml
+++ b/.github/workflows/lib-tests.yml
@@ -12,17 +12,18 @@ on:
 permissions: {}

 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
  nixpkgs-lib-tests:
    name: nixpkgs-lib-tests
    runs-on: ubuntu-24.04
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
@@ -30,4 +31,4 @@ jobs:

      - name: Building Nixpkgs lib-tests
        run: |
-          nix-build untrusted/ci -A lib-tests
+          nix-build ci -A lib-tests
--- a/.github/workflows/manual-nixos-v2.yml
+++ b/.github/workflows/manual-nixos-v2.yml
@@ -34,11 +34,7 @@ jobs:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
@@ -52,7 +48,7 @@ jobs:

      - name: Build NixOS manual
        id: build-manual
-        run: NIX_PATH=nixpkgs=$(pwd)/untrusted nix-build --option restrict-eval true untrusted/ci -A manual-nixos --argstr system ${{ matrix.system }}
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true ci -A manual-nixos --argstr system ${{ matrix.system }}

      - name: Upload NixOS manual
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
--- a/.github/workflows/manual-nixpkgs-v2.yml
+++ b/.github/workflows/manual-nixpkgs-v2.yml
@@ -5,6 +5,8 @@ on:
    paths:
      - .github/workflows/manual-nixpkgs-v2.yml
  pull_request_target:
+    branches:
+      - master
    paths:
      - 'doc/**'
      - 'lib/**'
@@ -19,11 +21,7 @@ jobs:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
@@ -36,4 +34,4 @@ jobs:
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      - name: Building Nixpkgs manual
-        run: nix-build untrusted/ci -A manual-nixpkgs -A manual-nixpkgs-tests
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true ci -A manual-nixpkgs -A manual-nixpkgs-tests
--- a/.github/workflows/nix-parse-v2.yml
+++ b/.github/workflows/nix-parse-v2.yml
@@ -9,18 +9,18 @@ on:
 permissions: {}

 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
  tests:
    name: nix-files-parseable-check
    runs-on: ubuntu-24.04-arm
-    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
+    needs: get-merge-commit
+    if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
        with:
@@ -30,4 +30,4 @@ jobs:
      - name: Parse all nix files
        run: |
          # Tests multiple versions at once, let's make sure all of them run, so keep-going.
-          nix-build untrusted/ci -A parse --keep-going
+          nix-build ci -A parse --keep-going
--- a/.github/workflows/nixpkgs-vet.yml
+++ b/.github/workflows/nixpkgs-vet.yml
@@ -17,29 +17,51 @@ permissions: {}
 # There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015

 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
  check:
    name: nixpkgs-vet
-    runs-on: ubuntu-24.04-arm
+    # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases.
+    runs-on: ubuntu-24.04
    # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
    timeout-minutes: 10
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout merged and target commits
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-          target-as-trusted: true
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          # Fetches the merge commit and its parents
+          fetch-depth: 2
+
+      - name: Checking out target branch
+        run: |
+          target=$(mktemp -d)
+          git worktree add "$target" "$(git rev-parse HEAD^1)"
+          echo "target=$target" >> "$GITHUB_ENV"

      - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31

+      - name: Fetching the pinned tool
+        # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh
+        run: |
+          # The pinned version of the tooling to use.
+          toolVersion=$(<ci/nixpkgs-vet/pinned-version.txt)
+
+          # Fetch the x86_64-linux-specific release artifact containing the gzipped NAR of the pre-built tool.
+          toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-vet/releases/download/"$toolVersion"/x86_64-linux.nar.gz \
+            | gzip -cd | nix-store --import | tail -1)
+
+          # Adds a result symlink as a GC root.
+          nix-store --realise "$toolPath" --add-root result
+
      - name: Running nixpkgs-vet
        env:
          # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
          CLICOLOR_FORCE: 1
        run: |
-          if nix-build untrusted/ci -A nixpkgs-vet --arg base "./trusted" --arg head "./untrusted"; then
+          if result/bin/nixpkgs-vet --base "$target" .; then
            exit 0
          else
            exitCode=$?
--- a/.github/workflows/periodic-merge-24h.yml
+++ b/.github/workflows/periodic-merge-24h.yml
@@ -31,7 +31,7 @@ jobs:
            into: staging-next-24.11
          - from: staging-next-24.11
            into: staging-24.11
-          - from: release-25.05
+          - from: master
            into: staging-next-25.05
          - from: staging-next-25.05
            into: staging-25.05
--- a/.github/workflows/reviewers.yml
+++ b/.github/workflows/reviewers.yml
@@ -1,98 +0,0 @@
-# This workflow will request reviews from the maintainers of each package
-# listed in the PR's most recent eval comparison artifact.
-
-name: Reviewers
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/reviewers.yml
-  pull_request_target:
-    types: [ready_for_review]
-  workflow_call:
-
-permissions: {}
-
-jobs:
-  request:
-    name: Request
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - name: Check out the PR at the base commit
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: trusted
-          sparse-checkout: ci
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Build the requestReviews derivation
-        run: nix-build trusted/ci -A requestReviews
-
-      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
-      # Can't use the token received from permissions above, because it can't get enough permissions
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: vars.OWNER_APP_ID
-        id: app-token
-        with:
-          app-id: ${{ vars.OWNER_APP_ID }}
-          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
-          permission-administration: read
-          permission-members: read
-          permission-pull-requests: write
-
-
-      # In the regular case, this workflow is called via workflow_call from the eval workflow directly.
-      # In the more special case, when a PR is undrafted an eval run will have started already.
-      - name: Wait for comparison to be done
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          script: |
-            const run_id = (await github.rest.actions.listWorkflowRuns({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              workflow_id: 'eval.yml',
-              event: context.eventName,
-              head_sha: context.payload.pull_request.head.sha
-            })).data.workflow_runs[0].id
-
-            // Waiting 120 * 5 sec = 10 min. max.
-            // The extreme case is an Eval run that just started when the PR is undrafted.
-            // Eval takes max 5-6 minutes, normally.
-            for (let i = 0; i < 120; i++) {
-              const result = await github.rest.actions.listWorkflowRunArtifacts({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                run_id,
-                name: 'comparison'
-              })
-              if (result.data.total_count > 0) return
-              await new Promise(resolve => setTimeout(resolve, 5000))
-            }
-            throw new Error("No comparison artifact found.")
-
-      - name: Download the comparison results
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          pattern: comparison
-          path: comparison
-          merge-multiple: true
-
-      - name: Requesting maintainer reviews
-        if: ${{ steps.app-token.outputs.token }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
-          AUTHOR: ${{ github.event.pull_request.user.login }}
-          # Don't request reviewers on draft PRs
-          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
-        run: |
-          # maintainers.json contains GitHub IDs. Look up handles to request reviews from.
-          # There appears to be no API to request reviews based on GitHub IDs
-          jq -r 'keys[]' comparison/maintainers.json \
-            | while read -r id; do gh api /user/"$id" --jq .login; done \
-            | GH_TOKEN=${{ steps.app-token.outputs.token }} result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -345,7 +345,7 @@ See [Nix Channel Status](https://status.nixos.org/) for the current channels and
 Here's a brief overview of the main Git branches and what channels they're used for:

 - `master`: The main branch, used for the unstable channels such as `nixpkgs-unstable`, `nixos-unstable` and `nixos-unstable-small`.
- `release-YY.MM` (e.g. `release-25.11`): The NixOS release branches, used for the stable channels such as `nixos-25.11`, `nixos-25.11-small` and `nixpkgs-25.11-darwin`.
+- `release-YY.MM` (e.g. `release-25.05`): The NixOS release branches, used for the stable channels such as `nixos-25.05`, `nixos-25.05-small` and `nixpkgs-25.05-darwin`.

 When a channel is updated, a corresponding Git branch is also updated to point to the corresponding commit.
 So e.g. the [`nixpkgs-unstable` branch](https://github.com/nixos/nixpkgs/tree/nixpkgs-unstable) corresponds to the Git commit from the [`nixpkgs-unstable` channel](https://channels.nixos.org/nixpkgs-unstable).
@@ -533,7 +533,7 @@ Names of files and directories should be in lowercase, with dashes between words

 ### Formatting

-CI [enforces](./.github/workflows/check-format.yml) all Nix files to be
+CI [enforces](./.github/workflows/check-nix-format.yml) all Nix files to be
 formatted using the [official Nix formatter](https://github.com/NixOS/nixfmt).

 You can ensure this locally using either of these commands:
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
 <p align="center">
  <a href="https://nixos.org">
    <picture>
-      <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos.svg">
+      <source media="(prefers-color-scheme: light)" srcset="https://nixos.org/logo/nixos-hires.png">
      <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-      <img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos.svg" width="500px" alt="NixOS logo">
+      <img src="https://nixos.org/logo/nixos-hires.png" width="500px" alt="NixOS logo">
    </picture>
  </a>
 </p>
--- a/ci/OWNERS
+++ b/ci/OWNERS
@@ -15,7 +15,6 @@

 # CI
 /.github/*_TEMPLATE*                    @SigmaSquadron
-/.github/actions                        @NixOS/Security @Mic92 @zowoq @infinisil @azuwis @wolfgangwalther
 /.github/workflows                      @NixOS/Security @Mic92 @zowoq @infinisil @azuwis @wolfgangwalther
 /.github/workflows/check-format.yml     @infinisil @wolfgangwalther
 /.github/workflows/codeowners-v2.yml    @infinisil @wolfgangwalther
@@ -131,8 +130,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /nixos/modules/system/boot/loader/systemd-boot      @JulienMalka

 # Limine
-/nixos/modules/system/boot/loader/limine        @lzcunt @phip1611 @programmerlexi @johnrtitor
-/nixos/tests/limine                             @johnrtitor
+/nixos/modules/system/boot/loader/limine        @lzcunt @phip1611 @programmerlexi

 # Images and installer media
 /nixos/modules/profiles/installation-device.nix @ElvishJerricco
@@ -165,13 +163,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 ## common-updater-scripts
 /pkgs/common-updater/scripts/update-source-version    @jtojnar

-# Android tools, libraries, and environments
-/pkgs/development/android*                    @NixOS/android
-/pkgs/development/mobile/android*             @NixOS/android
-/pkgs/applications/editors/android-studio*    @NixOS/android
-/doc/languages-frameworks/android*            @NixOS/android
-/pkgs/by-name/an/android*                     @NixOS/android
-
 # Python-related code and docs
 /doc/languages-frameworks/python.section.md   @mweinelt @natsukium
 /maintainers/scripts/update-python-libraries  @mweinelt @natsukium
@@ -220,7 +211,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /pkgs/development/compilers/gcc
 /pkgs/development/compilers/llvm @alyssais @RossComputerGuy @NixOS/llvm
 /pkgs/development/compilers/emscripten @raitobezarius
-/doc/toolchains/llvm.chapter.md @alyssais @RossComputerGuy @NixOS/llvm
 /doc/languages-frameworks/emscripten.section.md @raitobezarius

 # Audio
@@ -250,7 +240,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/applications/editors/jetbrains @edwtjo @leona-ya @theCapypara

 # Licenses
-/lib/licenses.nix @alyssais @emilazy
+/lib/licenses.nix @alyssais

 # Qt
 /pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
@@ -477,9 +467,6 @@ pkgs/development/interpreters/erlang/   @NixOS/beam
 pkgs/development/interpreters/elixir/   @NixOS/beam
 pkgs/development/interpreters/lfe/      @NixOS/beam

-# Authelia
-pkgs/servers/authelia/ @06kellyjac @dit7ya @nicomem
-
 # OctoDNS
 pkgs/by-name/oc/octodns/ @anthonyroussel

--- a/ci/README.md
+++ b/ci/README.md
@@ -40,3 +40,46 @@ Why not just build the tooling right from the PRs Nixpkgs version?
 - Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
 - Because it improves security, since we don't have to build potentially untrusted code from PRs.
  The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).
+
+## `get-merge-commit.sh GITHUB_REPO PR_NUMBER`
+
+Check whether a PR is mergeable and return the test merge commit as
+[computed by GitHub](https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests) and its parent.
+
+Arguments:
+- `GITHUB_REPO`: The repository of the PR, e.g. `NixOS/nixpkgs`
+- `PR_NUMBER`: The PR number, e.g. `1234`
+
+Exit codes:
+- 0: The PR can be merged, the hashes of the test merge commit and the target commit are returned on stdout
+- 1: The PR cannot be merged because it's not open anymore
+- 2: The PR cannot be merged because it has a merge conflict
+- 3: The merge commit isn't being computed, GitHub is likely having internal issues, unknown if the PR is mergeable
+
+### Usage
+
+This script is implemented as a reusable GitHub Actions workflow, and can be used as follows:
+
+```yaml
+on: pull_request_target
+
+# We need a token to query the API, but it doesn't need any special permissions
+permissions: {}
+
+jobs:
+  get-merge-commit:
+    # use the relative path of the get-merge-commit workflow yaml here
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  build:
+    name: Build
+    runs-on: ubuntu-24.04
+    needs: get-merge-commit
+    steps:
+      - uses: actions/checkout@<VERSION>
+        # Add this to _all_ subsequent steps to skip them
+        if: needs.get-merge-commit.outputs.mergedSha
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+      - ...
+```
--- a/ci/default.nix
+++ b/ci/default.nix
@@ -82,9 +82,8 @@ in
  # CI jobs
  lib-tests = import ../lib/tests/release.nix { inherit pkgs; };
  manual-nixos = (import ../nixos/release.nix { }).manual.${system} or null;
-  manual-nixpkgs = (import ../doc { });
-  manual-nixpkgs-tests = (import ../doc { }).tests;
-  nixpkgs-vet = pkgs.callPackage ./nixpkgs-vet.nix { };
+  manual-nixpkgs = (import ../pkgs/top-level/release.nix { }).manual;
+  manual-nixpkgs-tests = (import ../pkgs/top-level/release.nix { }).manual.tests;
  parse = pkgs.lib.recurseIntoAttrs {
    latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; };
    lix = pkgs.callPackage ./parse.nix { nix = pkgs.lix; };
--- a/ci/eval/compare/default.nix
+++ b/ci/eval/compare/default.nix
@@ -1,13 +1,14 @@
 {
-  callPackage,
  lib,
  jq,
  runCommand,
  writeText,
  python3,
+  ...
 }:
 {
-  combinedDir,
+  beforeResultDir,
+  afterResultDir,
  touchedFilesJson,
  githubAuthorId,
  byName ? false,
@@ -19,7 +20,7 @@ let

    ---
    Inputs:
-    - beforeDir, afterDir: The evaluation result from before and after the change.
+    - beforeResultDir, afterResultDir: The evaluation result from before and after the change.
      They can be obtained by running `nix-build -A ci.eval.full` on both revisions.

    ---
@@ -65,6 +66,7 @@ let
      Example: { name = "python312Packages.numpy"; platform = "x86_64-linux"; }
  */
  inherit (import ./utils.nix { inherit lib; })
+    diff
    groupByKernel
    convertToPackagePlatformAttrs
    groupByPlatform
@@ -72,10 +74,22 @@ let
    getLabels
    ;

+  getAttrs =
+    dir:
+    let
+      raw = builtins.readFile "${dir}/outpaths.json";
+      # The file contains Nix paths; we need to ignore them for evaluation purposes,
+      # else there will be a "is not allowed to refer to a store path" error.
+      data = builtins.unsafeDiscardStringContext raw;
+    in
+    builtins.fromJSON data;
+  beforeAttrs = getAttrs beforeResultDir;
+  afterAttrs = getAttrs afterResultDir;
+
  # Attrs
  # - keys: "added", "changed" and "removed"
  # - values: lists of `packagePlatformPath`s
-  diffAttrs = builtins.fromJSON (builtins.readFile "${combinedDir}/combined-diff.json");
+  diffAttrs = diff beforeAttrs afterAttrs;

  rebuilds = diffAttrs.added ++ diffAttrs.changed;
  rebuildsPackagePlatformAttrs = convertToPackagePlatformAttrs rebuilds;
@@ -113,7 +127,7 @@ let
      }
    );

-  maintainers = callPackage ./maintainers.nix { } {
+  maintainers = import ./maintainers.nix {
    changedattrs = lib.attrNames (lib.groupBy (a: a.name) rebuildsPackagePlatformAttrs);
    changedpathsjson = touchedFilesJson;
    inherit byName;
@@ -135,8 +149,8 @@ runCommand "compare"
    maintainers = builtins.toJSON maintainers;
    passAsFile = [ "maintainers" ];
    env = {
-      BEFORE_DIR = "${combinedDir}/before";
-      AFTER_DIR = "${combinedDir}/after";
+      BEFORE_DIR = "${beforeResultDir}";
+      AFTER_DIR = "${afterResultDir}";
    };
  }
  ''
--- a/ci/eval/compare/maintainers.nix
+++ b/ci/eval/compare/maintainers.nix
@@ -1,6 +1,3 @@
-{
-  lib,
-}:
 # Almost directly vendored from https://github.com/NixOS/ofborg/blob/5a4e743f192fb151915fcbe8789922fa401ecf48/ofborg/src/maintainers.nix
 {
  changedattrs,
@@ -13,6 +10,7 @@ let
    config = { };
    overlays = [ ];
  };
+  inherit (pkgs) lib;

  changedpaths = builtins.fromJSON (builtins.readFile changedpathsjson);

--- a/ci/eval/compare/utils.nix
+++ b/ci/eval/compare/utils.nix
@@ -93,6 +93,32 @@ rec {
    in
    uniqueStrings (builtins.map (p: p.name) packagePlatformAttrs);

+  /*
+    Computes the key difference between two attrs
+
+    {
+      added: [ <keys only in the second object> ],
+      removed: [ <keys only in the first object> ],
+      changed: [ <keys with different values between the two objects> ],
+    }
+  */
+  diff =
+    let
+      filterKeys = cond: attrs: lib.attrNames (lib.filterAttrs cond attrs);
+    in
+    old: new: {
+      added = filterKeys (n: _: !(old ? ${n})) new;
+      removed = filterKeys (n: _: !(new ? ${n})) old;
+      changed = filterKeys (
+        n: v:
+        # Filter out attributes that don't exist anymore
+        (new ? ${n})
+
+        # Filter out attributes that are the same as the new value
+        && (v != (new.${n}))
+      ) old;
+    };
+
  /*
    Group a list of `packagePlatformAttr`s by platforms

--- a/ci/eval/default.nix
+++ b/ci/eval/default.nix
@@ -1,10 +1,9 @@
 {
-  callPackage,
  lib,
  runCommand,
  writeShellScript,
  writeText,
-  symlinkJoin,
+  linkFarm,
  time,
  procps,
  nixVersions,
@@ -73,9 +72,7 @@ let
      # The number of attributes per chunk, see ./README.md for more info.
      chunkSize,
      checkMeta ? true,
-
-      # Don't try to eval packages marked as broken.
-      includeBroken ? false,
+      includeBroken ? true,
      # Whether to just evaluate a single chunk for quick testing
      quickTest ? false,
    }:
@@ -98,7 +95,7 @@ let
          --option restrict-eval true \
          --option allow-import-from-derivation false \
          --query --available \
-          --out-path --json \
+          --no-name --attr-path --out-path \
          --show-trace \
          --arg chunkSize "$chunkSize" \
          --arg myChunk "$myChunk" \
@@ -150,7 +147,7 @@ let
        chunkCount=$(( (attrCount - 1) / chunkSize + 1 ))
        echo "Chunk count: $chunkCount"

-        mkdir -p $out/${evalSystem}
+        mkdir $out

        # Record and print stats on free memory and swap in the background
        (
@@ -159,11 +156,11 @@ let
            freeSwap=$(free -b | grep Swap | awk '{print $4}')
            echo "Available memory: $(( availMemory / 1024 / 1024 )) MiB, free swap: $(( freeSwap / 1024 / 1024 )) MiB"

-            if [[ ! -f "$out/${evalSystem}/min-avail-memory" ]] || (( availMemory < $(<$out/${evalSystem}/min-avail-memory) )); then
-              echo "$availMemory" > $out/${evalSystem}/min-avail-memory
+            if [[ ! -f "$out/min-avail-memory" ]] || (( availMemory < $(<$out/min-avail-memory) )); then
+              echo "$availMemory" > $out/min-avail-memory
            fi
-            if [[ ! -f $out/${evalSystem}/min-free-swap ]] || (( availMemory < $(<$out/${evalSystem}/min-free-swap) )); then
-              echo "$freeSwap" > $out/${evalSystem}/min-free-swap
+            if [[ ! -f $out/min-free-swap ]] || (( availMemory < $(<$out/min-free-swap) )); then
+              echo "$freeSwap" > $out/min-free-swap
            fi
            sleep 4
          done
@@ -179,27 +176,25 @@ let
        mkdir "$chunkOutputDir"/{result,stats,timestats,stderr}

        seq -w 0 "$seq_end" |
-          command time -f "%e" -o "$out/${evalSystem}/total-time" \
+          command time -f "%e" -o "$out/total-time" \
          xargs -I{} -P"$cores" \
          ${singleChunk} "$chunkSize" {} "$evalSystem" "$chunkOutputDir"

-        cp -r "$chunkOutputDir"/stats $out/${evalSystem}/stats-by-chunk
+        cp -r "$chunkOutputDir"/stats $out/stats-by-chunk

        if (( chunkSize * chunkCount != attrCount )); then
          # A final incomplete chunk would mess up the stats, don't include it
          rm "$chunkOutputDir"/stats/"$seq_end"
        fi

-        cat "$chunkOutputDir"/result/* | jq -s 'add | map_values(.outputs)' > $out/${evalSystem}/paths.json
+        cat "$chunkOutputDir"/result/* > $out/paths
      '';

-  diff = callPackage ./diff.nix { };
-
  combine =
    {
-      diffDir,
+      resultsDir,
    }:
-    runCommand "combined-eval"
+    runCommand "combined-result"
      {
        nativeBuildInputs = [
          jq
@@ -208,27 +203,40 @@ let
      ''
        mkdir -p $out

-        # Combine output paths from all systems
-        cat ${diffDir}/*/diff.json | jq -s '
-          reduce .[] as $item ({}; {
-            added: (.added + $item.added),
-            changed: (.changed + $item.changed),
-            removed: (.removed + $item.removed)
-          })
-        ' > $out/combined-diff.json
+        # Transform output paths to JSON
+        cat ${resultsDir}/*/paths |
+          jq --sort-keys --raw-input --slurp '
+            split("\n") |
+            map(select(. != "") | split(" ") | map(select(. != ""))) |
+            map(
+              {
+                key: .[0],
+                value: .[1] | split(";") | map(split("=") |
+                  if length == 1 then
+                    { key: "out", value: .[0] }
+                  else
+                    { key: .[0], value: .[1] }
+                  end) | from_entries}
+            ) | from_entries
+          ' > $out/outpaths.json

-        mkdir -p $out/before/stats
-        for d in ${diffDir}/before/*; do
-          cp -r "$d"/stats-by-chunk $out/before/stats/$(basename "$d")
-        done
+        mkdir -p $out/stats

-        mkdir -p $out/after/stats
-        for d in ${diffDir}/after/*; do
-          cp -r "$d"/stats-by-chunk $out/after/stats/$(basename "$d")
+        for d in ${resultsDir}/*; do
+          cp -r "$d"/stats-by-chunk $out/stats/$(basename "$d")
        done
      '';

-  compare = callPackage ./compare { };
+  compare = import ./compare {
+    inherit
+      lib
+      jq
+      runCommand
+      writeText
+      supportedSystems
+      python3
+      ;
+  };

  full =
    {
@@ -239,26 +247,17 @@ let
      quickTest ? false,
    }:
    let
-      diffs = symlinkJoin {
-        name = "diffs";
-        paths = map (
-          evalSystem:
-          let
-            eval = singleSystem {
-              inherit quickTest evalSystem chunkSize;
-            };
-          in
-          diff {
-            inherit evalSystem;
-            # Local "full" evaluation doesn't do a real diff.
-            beforeDir = eval;
-            afterDir = eval;
-          }
-        ) evalSystems;
-      };
+      results = linkFarm "results" (
+        map (evalSystem: {
+          name = evalSystem;
+          path = singleSystem {
+            inherit quickTest evalSystem chunkSize;
+          };
+        }) evalSystems
+      );
    in
    combine {
-      diffDir = diffs;
+      resultsDir = results;
    };

 in
@@ -266,7 +265,6 @@ in
  inherit
    attrpathsSuperset
    singleSystem
-    diff
    combine
    compare
    # The above three are used by separate VMs in a GitHub workflow,
--- a/ci/eval/diff.nix
+++ b/ci/eval/diff.nix
@@ -1,61 +0,0 @@
-{
-  lib,
-  runCommand,
-  writeText,
-}:
-
-{
-  beforeDir,
-  afterDir,
-  evalSystem,
-}:
-
-let
-  /*
-    Computes the key difference between two attrs
-
-    {
-      added: [ <keys only in the second object> ],
-      removed: [ <keys only in the first object> ],
-      changed: [ <keys with different values between the two objects> ],
-    }
-  */
-  diff =
-    let
-      filterKeys = cond: attrs: lib.attrNames (lib.filterAttrs cond attrs);
-    in
-    old: new: {
-      added = filterKeys (n: _: !(old ? ${n})) new;
-      removed = filterKeys (n: _: !(new ? ${n})) old;
-      changed = filterKeys (
-        n: v:
-        # Filter out attributes that don't exist anymore
-        (new ? ${n})
-
-        # Filter out attributes that are the same as the new value
-        && (v != (new.${n}))
-      ) old;
-    };
-
-  getAttrs =
-    dir:
-    let
-      raw = builtins.readFile "${dir}/${evalSystem}/paths.json";
-      # The file contains Nix paths; we need to ignore them for evaluation purposes,
-      # else there will be a "is not allowed to refer to a store path" error.
-      data = builtins.unsafeDiscardStringContext raw;
-    in
-    builtins.fromJSON data;
-
-  beforeAttrs = getAttrs beforeDir;
-  afterAttrs = getAttrs afterDir;
-  diffAttrs = diff beforeAttrs afterAttrs;
-  diffJson = writeText "diff.json" (builtins.toJSON diffAttrs);
-in
-runCommand "diff" { } ''
-  mkdir -p $out/${evalSystem}
-
-  cp -r ${beforeDir} $out/before
-  cp -r ${afterDir} $out/after
-  cp ${diffJson} $out/${evalSystem}/diff.json
-''
--- a/ci/get-merge-commit.sh
+++ b/ci/get-merge-commit.sh
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# See ./README.md for docs
+
+set -euo pipefail
+
+log() {
+    echo "$@" >&2
+}
+
+if (( $# < 2 )); then
+    log "Usage: $0 GITHUB_REPO PR_NUMBER"
+    exit 99
+fi
+repo=$1
+prNumber=$2
+
+# Retry the API query this many times
+retryCount=5
+# Start with 5 seconds, but double every retry
+retryInterval=5
+
+while true; do
+    log "Checking whether the pull request can be merged"
+    prInfo=$(gh api \
+        -H "Accept: application/vnd.github+json" \
+        -H "X-GitHub-Api-Version: 2022-11-28" \
+        "/repos/$repo/pulls/$prNumber")
+
+    # Non-open PRs won't have their mergeability computed no matter what
+    state=$(jq -r .state <<< "$prInfo")
+    if [[ "$state" != open ]]; then
+        log "PR is not open anymore"
+        exit 1
+    fi
+
+    mergeable=$(jq -r .mergeable <<< "$prInfo")
+    if [[ "$mergeable" == "null" ]]; then
+        if (( retryCount == 0 )); then
+            log "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"
+            exit 3
+        else
+            (( retryCount -= 1 )) || true
+
+            # null indicates that GitHub is still computing whether it's mergeable
+            # Wait a couple seconds before trying again
+            log "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)"
+            sleep "$retryInterval"
+
+            (( retryInterval *= 2 )) || true
+        fi
+    else
+        break
+    fi
+done
+
+if [[ "$mergeable" == "true" ]]; then
+    log "The PR can be merged"
+    mergedSha="$(jq -r .merge_commit_sha <<< "$prInfo")"
+    echo "mergedSha=$mergedSha"
+    targetSha="$(gh api "/repos/$repo/commits/$mergedSha" --jq '.parents[0].sha')"
+    echo "targetSha=$targetSha"
+else
+    log "The PR has a merge conflict"
+    exit 2
+fi
--- a/ci/nixpkgs-vet.nix
+++ b/ci/nixpkgs-vet.nix
@@ -1,31 +0,0 @@
-{
-  lib,
-  nix,
-  nixpkgs-vet,
-  runCommand,
-}:
-{
-  base ? ../.,
-  head ? ../.,
-}:
-let
-  filtered =
-    with lib.fileset;
-    path:
-    toSource {
-      fileset = (gitTracked path);
-      root = path;
-    };
-in
-runCommand "nixpkgs-vet"
-  {
-    nativeBuildInputs = [
-      nixpkgs-vet
-    ];
-    env.NIXPKGS_VET_NIX_PACKAGE = nix;
-  }
-  ''
-    nixpkgs-vet --base ${filtered base} ${filtered head}
-
-    touch $out
-  ''
--- a/ci/nixpkgs-vet.sh
+++ b/ci/nixpkgs-vet.sh
@@ -65,5 +65,7 @@ trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "
 toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")
 trace -e "\e[34m$toolVersion\e[0m"

+trace -n "Building tool.. "
+nix-build https://github.com/NixOS/nixpkgs-vet/tarball/"$toolVersion" -o "$tmp/tool" -A build
 trace "Running nixpkgs-vet.."
-nix-build ci -A nixpkgs-vet --argstr base "$tmp/base" --argstr head "$tmp/merged"
+"$tmp/tool/bin/nixpkgs-vet" --base "$tmp/base" "$tmp/merged"
--- a/ci/pinned-nixpkgs.json
+++ b/ci/pinned-nixpkgs.json
@@ -1,4 +1,4 @@
 {
-  "rev": "3d1f29646e4b57ed468d60f9d286cde23a8d1707",
-  "sha256": "1wzvc9h9a6l9wyhzh892xb5x88kxmbzxb1k8s7fizyyw2q4nqw07"
+  "rev": "eaeed9530c76ce5f1d2d8232e08bec5e26f18ec1",
+  "sha256": "132nimgi1g88fbhddk4b8b1qk68jly494x2mnphyk3xa1d2wy9q7"
 }
--- a/doc/README.md
+++ b/doc/README.md
@@ -34,27 +34,7 @@ $ nix-build doc

 If the build succeeds, the manual will be in `./result/share/doc/nixpkgs/manual.html`.

-### Development environment
-
-In order to reduce repetition, consider using tools from the provided development environment:
-
-Load it from the Nixpkgs documentation directory with
-
-```ShellSession
-$ cd /path/to/nixpkgs/doc
-$ nix-shell
-```
-
-To load the development utilities automatically when entering that directory, [set up `nix-direnv`](https://nix.dev/guides/recipes/direnv).
-
-Make sure that your local files aren't added to Git history by adding the following lines to `.git/info/exclude` at the root of the Nixpkgs repository:
-
-```
-/**/.envrc
-/**/.direnv
-```
-
-#### `devmode`
+### devmode

 The shell in the manual source directory makes available a command, `devmode`.
 It is a daemon, that:
--- a/doc/build-helpers/fetchers.chapter.md
+++ b/doc/build-helpers/fetchers.chapter.md
@@ -795,10 +795,6 @@ Additionally, the following optional arguments can be given:
 : Clone the entire repository as opposing to just creating a shallow clone.
  This implies `leaveDotGit`.

-*`fetchTags`* (Boolean)
-
-: Whether to fetch all tags from the remote repository. This is useful when the build process needs to run `git describe` or other commands that require tag information to be available. This parameter implies `leaveDotGit`, as tags are stored in the `.git` directory.
-
 *`sparseCheckout`* (List of String)

 : Prevent git from fetching unnecessary blobs from server.
--- a/doc/build-helpers/special/checkpoint-build.section.md
+++ b/doc/build-helpers/special/checkpoint-build.section.md
@@ -37,7 +37,7 @@ let
  helloCheckpoint = prepareCheckpointBuild pkgs.hello;
  changedHello = pkgs.hello.overrideAttrs (_: {
    doCheck = false;
-    postPatch = ''
+    patchPhase = ''
      sed -i 's/Hello, world!/Hello, Nix!/g' src/hello.c
    '';
  });
--- a/doc/default.nix
+++ b/doc/default.nix
@@ -1,6 +1,6 @@
 {
-  pkgs ? (import ../ci { }).pkgs,
+  pkgs ? (import ./.. { }),
  nixpkgs ? { },
 }:

-pkgs.callPackage ./doc-support/package.nix { inherit nixpkgs; }
+pkgs.nixpkgs-manual.override { inherit nixpkgs; }
--- a/doc/doc-support/lib-function-docs.nix
+++ b/doc/doc-support/lib-function-docs.nix
@@ -102,8 +102,6 @@ stdenvNoCC.mkDerivation {
  ];

  installPhase = ''
-    runHook preInstall
-
    cd ..

    export NIX_STATE_DIR=$(mktemp -d)
@@ -145,7 +143,5 @@ stdenvNoCC.mkDerivation {
    ) libsets}

    echo '```' >> "$out/index.md"
-
-    runHook postInstall
  '';
 }
--- a/doc/doc-support/package.nix
+++ b/doc/doc-support/package.nix
@@ -14,8 +14,8 @@
  nixpkgs ? { },
  markdown-code-runner,
  roboto,
-  treefmt,
 }:
+
 stdenvNoCC.mkDerivation (
  finalAttrs:
  let
@@ -47,8 +47,6 @@ stdenvNoCC.mkDerivation (

    postPatch = ''
      ln -s ${optionsJSON}/share/doc/nixos/options.json ./config-options.json
-      ln -s ${treefmt.functionsDoc.markdown} ./packages/treefmt-functions.section.md
-      ln -s ${treefmt.optionsDoc.optionsJSON}/share/doc/nixos/options.json ./treefmt-options.json
    '';

    buildPhase = ''
@@ -99,14 +97,14 @@ stdenvNoCC.mkDerivation (
      dest="$out/share/doc/nixpkgs"
      mkdir -p "$(dirname "$dest")"
      mv out "$dest"
-      cp "$dest/index.html" "$dest/manual.html"
+      mv "$dest/index.html" "$dest/manual.html"

      cp ${roboto.src}/web/Roboto\[ital\,wdth\,wght\].ttf "$dest/Roboto.ttf"

      cp ${epub} "$dest/nixpkgs-manual.epub"

      mkdir -p $out/nix-support/
-      echo "doc manual $dest index.html" >> $out/nix-support/hydra-build-products
+      echo "doc manual $dest manual.html" >> $out/nix-support/hydra-build-products
      echo "doc manual $dest nixpkgs-manual.epub" >> $out/nix-support/hydra-build-products

      runHook postInstall
@@ -125,7 +123,7 @@ stdenvNoCC.mkDerivation (
        let
          devmode' = devmode.override {
            buildArgs = toString ../.;
-            open = "/share/doc/nixpkgs/index.html";
+            open = "/share/doc/nixpkgs/manual.html";
          };
          nixos-render-docs-redirects' = writeShellScriptBin "redirects" "${lib.getExe nixos-render-docs-redirects} --file ${toString ../redirects.json} $@";
        in
--- a/doc/languages-frameworks/agda.section.md
+++ b/doc/languages-frameworks/agda.section.md
@@ -121,8 +121,6 @@ agda.withPackages {
 }
 ```

-To install Agda without GHC, use `ghc = null;`.
-
 ## Writing Agda packages {#writing-agda-packages}

 To write a nix derivation for an Agda library, first check that the library has a `*.agda-lib` file.
--- a/doc/languages-frameworks/bower.section.md
+++ b/doc/languages-frameworks/bower.section.md
@@ -118,13 +118,7 @@ pkgs.stdenv.mkDerivation {
    runHook postBuild
  '';

-  installPhase = ''
-    runHook preInstall
-
-    mv gulpdist $out
-
-    runHook postInstall
-  '';
+  installPhase = "mv gulpdist $out";
 }
 ```

--- a/doc/languages-frameworks/cuda.section.md
+++ b/doc/languages-frameworks/cuda.section.md
@@ -115,8 +115,8 @@ All new projects should use the CUDA redistributables available in [`cudaPackage

 ### Updating supported compilers and GPUs {#updating-supported-compilers-and-gpus}

-1. Update `nvccCompatibilities` in `pkgs/development/cuda-modules/_cuda/data/nvcc.nix` to include the newest release of NVCC, as well as any newly supported host compilers.
-2. Update `cudaCapabilityToInfo` in `pkgs/development/cuda-modules/_cuda/data/cuda.nix` to include any new GPUs supported by the new release of CUDA.
+1. Update `nvcc-compatibilities.nix` in `pkgs/development/cuda-modules/` to include the newest release of NVCC, as well as any newly supported host compilers.
+2. Update `gpus.nix` in `pkgs/development/cuda-modules/` to include any new GPUs supported by the new release of CUDA.

 ### Updating the CUDA Toolkit runfile installer {#updating-the-cuda-toolkit}

--- a/doc/languages-frameworks/emscripten.section.md
+++ b/doc/languages-frameworks/emscripten.section.md
@@ -192,7 +192,6 @@ pkgs.buildEmscriptenPackage {
    cp *.json $out/share
    cp *.rng $out/share
    cp README.md $doc/share/${name}
-
    runHook postInstall
  '';

--- a/doc/languages-frameworks/java.section.md
+++ b/doc/languages-frameworks/java.section.md
@@ -69,13 +69,9 @@ script to run it using a JRE. You can use `makeWrapper` for this:
  nativeBuildInputs = [ makeWrapper ];

  installPhase = ''
-    runHook preInstall
-
    mkdir -p $out/bin
    makeWrapper ${jre}/bin/java $out/bin/foo \
      --add-flags "-cp $out/share/java/foo.jar org.foo.Main"
-
-    runHook postInstall
  '';
 }
 ```
--- a/doc/languages-frameworks/javascript.section.md
+++ b/doc/languages-frameworks/javascript.section.md
@@ -690,11 +690,7 @@ The configure phase can sometimes fail because it makes many assumptions which m
 ```nix
 {
  configurePhase = ''
-    runHook preConfigure
-
    ln -s $node_modules node_modules
-
-    runHook postConfigure
  '';
 }
 ```
@@ -704,12 +700,8 @@ or if you need a writeable node_modules directory:
 ```nix
 {
  configurePhase = ''
-    runHook preConfigure
-
    cp -r $node_modules node_modules
    chmod +w node_modules
-
-    runHook postConfigure
  '';
 }
 ```
--- a/doc/languages-frameworks/lisp.section.md
+++ b/doc/languages-frameworks/lisp.section.md
@@ -59,11 +59,7 @@ Such a Lisp can be now used e.g. to compile your sources:
 ```nix
 {
  buildPhase = ''
-    runHook preBuild
-
    ${sbcl'}/bin/sbcl --load my-build-file.lisp
-
-    runHook postBuild
  '';
 }
 ```
--- a/doc/languages-frameworks/neovim.section.md
+++ b/doc/languages-frameworks/neovim.section.md
@@ -59,7 +59,7 @@ For instance, `sqlite-lua` needs `g:sqlite_clib_path` to be set to work. Nixpkgs
 - `neovimRcContent`: Extra vimL code sourced by the generated `init.lua`.
 - `wrapperArgs`: Extra arguments forwarded to the `makeWrapper` call.
 - `wrapRc`: Nix, not being able to write in your `$HOME`, loads the
-  generated Neovim configuration via the `$VIMINIT` environment variable, i.e. : `export VIMINIT='lua dofile("/nix/store/…-init.lua")'`. This has side effects like preventing Neovim from sourcing your `init.lua` in `$XDG_CONFIG_HOME/nvim` (see bullet 7 of [`:help startup`](https://neovim.io/doc/user/starting.html#startup) in Neovim). Disable it if you want to generate your own wrapper. You can still reuse the generated vimscript init code via `neovim.passthru.initRc`.
+  generated Neovim configuration via its  `-u` argument, i.e. : `-u /nix/store/...generatedInit.lua`. This has side effects like preventing Neovim from reading your config in `$XDG_CONFIG_HOME` (see bullet 7 of [`:help startup`](https://neovim.io/doc/user/starting.html#_initialization) in Neovim). Disable it if you want to generate your own wrapper. You can still reuse while reusing the logic of the nixpkgs wrapper and access the generated config via `neovim.passthru.initRc`.
 - `plugins`: A list of plugins to add to the wrapper.

 ```
--- a/doc/languages-frameworks/swift.section.md
+++ b/doc/languages-frameworks/swift.section.md
@@ -103,13 +103,7 @@ stdenv.mkDerivation (finalAttrs: {

  # The helper provides a configure snippet that will prepare all dependencies
  # in the correct place, where SwiftPM expects them.
-  configurePhase = ''
-    runHook preConfigure
-
-    ${generated.configure}
-
-    runHook postConfigure
-  '';
+  configurePhase = generated.configure;

  installPhase = ''
    runHook preInstall
@@ -174,17 +168,11 @@ with a writable copy:

 ```nix
 {
-  configurePhase = ''
-    runHook preConfigure
-
-    ${generated.configure}
-
+  configurePhase = generated.configure ++ ''
    # Replace the dependency symlink with a writable copy.
    swiftpmMakeMutable swift-crypto
    # Now apply a patch.
    patch -p1 -d .build/checkouts/swift-crypto -i ${./some-fix.patch}
-
-    runHook postConfigure
  '';
 }
 ```
--- a/doc/languages-frameworks/vim.section.md
+++ b/doc/languages-frameworks/vim.section.md
@@ -177,7 +177,7 @@ Finally, there are some plugins that are also packaged in nodePackages because t
 Run the update script with a GitHub API token that has at least `public_repo` access. Running the script without the token is likely to result in rate-limiting (429 errors). For steps on creating an API token, please refer to [GitHub's token documentation](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token).

 ```sh
-nix-shell -p vimPluginsUpdater --run 'vim-plugins-updater --github-token=mytoken' # or set GITHUB_TOKEN environment variable
+nix-shell -p vimPluginsUpdater --run 'vim-plugins-updater --github-token=mytoken' # or set GITHUB_API_TOKEN environment variable
 ```

 Alternatively, set the number of processes to a lower count to avoid rate-limiting.
--- a/doc/manual.md.in
+++ b/doc/manual.md.in
@@ -9,7 +9,6 @@ preface.chapter.md
 using-nixpkgs.md
 lib.md
 stdenv.md
-toolchains.md
 build-helpers.md
 development.md
 contributing.md
--- a/doc/packages/index.md
+++ b/doc/packages/index.md
@@ -25,7 +25,6 @@ nginx.section.md
 opengl.section.md
 shell-helpers.section.md
 python-tree-sitter.section.md
-treefmt.section.md
 steam.section.md
 cataclysm-dda.section.md
 urxvt.section.md
--- a/doc/packages/treefmt.section.md
+++ b/doc/packages/treefmt.section.md
@@ -1,23 +0,0 @@
-# treefmt {#treefmt}
-
-[treefmt](https://github.com/numtide/treefmt) streamlines the process of applying formatters to your project, making it a breeze with just one command line.
-
-The [`treefmt` package](https://search.nixos.org/packages?channel=unstable&show=treefmt)
-provides functions for configuring treefmt using the module system, which are [documented below](#sec-functions-library-treefmt), along with [their options](#sec-treefmt-options-reference).
-
-Alternatively, treefmt can be configured using [treefmt-nix](https://github.com/numtide/treefmt-nix).
-
-```{=include=} sections auto-id-prefix=auto-generated-treefmt-functions
-treefmt-functions.section.md
-```
-
-## Options Reference {#sec-treefmt-options-reference}
-
-The following attributes can be passed to [`withConfig`](#pkgs.treefmt.withConfig) or [`evalConfig`](#pkgs.treefmt.evalConfig):
-
-```{=include=} options
-id-prefix: opt-treefmt-
-list-id: configuration-variable-list
-source: ../treefmt-options.json
-```
-
--- a/doc/packages/weechat.section.md
+++ b/doc/packages/weechat.section.md
@@ -113,13 +113,9 @@ stdenv.mkDerivation {
    "bar.lua"
  ];
  installPhase = ''
-    runHook preInstall
-
    mkdir $out/share
    cp foo.py $out/share
    cp bar.lua $out/share
-
-    runHook postInstall
  '';
 }
 ```
--- a/doc/redirects.json
+++ b/doc/redirects.json
@@ -5,9 +5,6 @@
  "chap-release-notes": [
    "release-notes.html#chap-release-notes"
  ],
-  "chap-toolchains": [
-    "index.html#chap-toolchains"
-  ],
  "cmake-ctest": [
    "index.html#cmake-ctest"
  ],
@@ -69,18 +66,6 @@
  "pkgs-replacevarswith": [
    "index.html#pkgs-replacevarswith"
  ],
-  "part-toolchains": [
-    "index.html#part-toolchains"
-  ],
-  "pkgs.treefmt.buildConfig": [
-    "index.html#pkgs.treefmt.buildConfig"
-  ],
-  "pkgs.treefmt.evalConfig": [
-    "index.html#pkgs.treefmt.evalConfig"
-  ],
-  "pkgs.treefmt.withConfig": [
-    "index.html#pkgs.treefmt.withConfig"
-  ],
  "preface": [
    "index.html#preface"
  ],
@@ -114,15 +99,6 @@
  "sec-build-helper-extendMkDerivation": [
    "index.html#sec-build-helper-extendMkDerivation"
  ],
-  "sec-building-packages-with-llvm": [
-    "index.html#sec-building-packages-with-llvm"
-  ],
-  "sec-building-packages-with-llvm-using-clang-stdenv": [
-    "index.html#sec-building-packages-with-llvm-using-clang-stdenv"
-  ],
-  "sec-functions-library-treefmt": [
-    "index.html#sec-functions-library-treefmt"
-  ],
  "sec-inkscape": [
    "index.html#sec-inkscape"
  ],
@@ -150,30 +126,6 @@
  "chap-overlays": [
    "index.html#chap-overlays"
  ],
-  "sec-nixpkgs-release-25.11": [
-    "release-notes.html#sec-nixpkgs-release-25.11"
-  ],
-  "sec-nixpkgs-release-25.11-highlights": [
-    "release-notes.html#sec-nixpkgs-release-25.11-highlights"
-  ],
-  "sec-nixpkgs-release-25.11-incompatibilities": [
-    "release-notes.html#sec-nixpkgs-release-25.11-incompatibilities"
-  ],
-  "sec-nixpkgs-release-25.11-lib": [
-    "release-notes.html#sec-nixpkgs-release-25.11-lib"
-  ],
-  "sec-nixpkgs-release-25.11-lib-breaking": [
-    "release-notes.html#sec-nixpkgs-release-25.11-lib-breaking"
-  ],
-  "sec-nixpkgs-release-25.11-lib-deprecations": [
-    "release-notes.html#sec-nixpkgs-release-25.11-lib-deprecations"
-  ],
-  "sec-nixpkgs-release-25.11-lib-additions-improvements": [
-    "release-notes.html#sec-nixpkgs-release-25.11-lib-additions-improvements"
-  ],
-  "sec-nixpkgs-release-25.11-notable-changes": [
-    "release-notes.html#sec-nixpkgs-release-25.11-notable-changes"
-  ],
  "sec-nixpkgs-release-25.05": [
    "release-notes.html#sec-nixpkgs-release-25.05"
  ],
@@ -406,9 +358,6 @@
  "chap-stdenv": [
    "index.html#chap-stdenv"
  ],
-  "sec-using-llvm": [
-    "index.html#sec-using-llvm"
-  ],
  "sec-using-stdenv": [
    "index.html#sec-using-stdenv"
  ],
@@ -418,9 +367,6 @@
  "sec-tools-of-stdenv": [
    "index.html#sec-tools-of-stdenv"
  ],
-  "sec-treefmt-options-reference": [
-    "index.html#sec-treefmt-options-reference"
-  ],
  "ssec-cosmic-common-issues": [
    "index.html#ssec-cosmic-common-issues"
  ],
@@ -496,9 +442,6 @@
  "tester-testEqualArrayOrMap-return": [
    "index.html#tester-testEqualArrayOrMap-return"
  ],
-  "treefmt": [
-    "index.html#treefmt"
-  ],
  "typst": [
    "index.html#typst",
    "doc/languages-frameworks/typst.section.md#typst"
--- a/doc/release-notes/release-notes.md
+++ b/doc/release-notes/release-notes.md
@@ -3,6 +3,5 @@
 This section lists the release notes for each stable version of Nixpkgs and current unstable revision.

 ```{=include=} sections
-rl-2511.section.md
 rl-2505.section.md
 ```
--- a/doc/release-notes/rl-2505.section.md
+++ b/doc/release-notes/rl-2505.section.md
@@ -28,7 +28,7 @@
  - Applications linked against different Mesa versions than installed on the system should now work correctly going forward (however, applications against older Mesa, e.g. from Nixpkgs releases before 25.05, remain broken)
  - Packages that used to depend on Mesa for libgbm or libdri should use `libgbm` or `dri-pkgconfig-stub` as inputs, respectively

- OpenSSH has been updated from 9.9p2 to 10.0p2, dropping support for DSA keys and adding a new `ssh-auth` binary to handle user authentication in a different address space from unauthenticated sessions. See the [full changelog](https://www.openwall.com/lists/oss-security/2025/04/09/1) for more details.
+- OpenSSH has been updated from 9.9p2 to 10.0p2, dropping support for DSA keys and adding a new `ssh-auth` binary to handle user authentication in a different address space from unauthenticated sessions. Additionally, we now enable a configure option by default that attempts to lock sshd into RAM to prevent it from being swapped out, which may improve performance if the system is under memory pressure. See the [full changelog](https://www.openwall.com/lists/oss-security/2025/04/09/1) for more details.

 - Emacs has been updated to 30.1.
  This introduces some backwards‐incompatible changes; see the NEWS for details.
@@ -74,7 +74,7 @@
  configuration settings. Notably, it now defaults to listening on a socket
  rather than a port. See [Migrating from version 1.x](https://github.com/roehling/postsrsd/blob/2.0.10/README.rst#migrating-from-version-1x) and [Postfix Setup](https://github.com/roehling/postsrsd?tab=readme-ov-file#postfix-setup) for details.

- `renovate` was updated to v39. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/39.0.0) for breaking changes.
+- `renovate` was updated to v39. See the [upstream release notes](https://docs.renovatebot.com/release-notes-for-major-versions/#version-39) for breaking changes.
  Like upstream's docker images, renovate now runs on NodeJS 22.

 - The hand written `perlPackages.SearchXapian` bindings have been dropped in favor of the (mostly compatible)
@@ -247,10 +247,6 @@
 - `strawberry` has been updated to 1.2, which drops support for the VLC backend and Qt 5. The `strawberry-qt5` package
  and `withGstreamer`/`withVlc` override options have been removed due to this.

- `nexusmods-app` has been upgraded from version 0.6.3. If you were running a version older than 0.7.0, then before upgrading, you **must reset all app state** (mods, games, settings, etc). Otherwise, NexusMods.App will crash due to app state files incompatibility.
-  - Typically, you can can reset to a clean state by running `NexusMods.App uninstall-app`. See Nexus Mod's [how to uninstall the app](https://nexus-mods.github.io/NexusMods.App/users/Uninstall) documentation for more detail and alternative methods.
-  - This should not be necessary going forward, because loading app state from 0.7.0 or newer is now supported. This is documented in the [0.7.1 changelog](https://github.com/Nexus-Mods/NexusMods.App/releases/tag/v0.7.1).
-
 - `nezha` and its agent `nezha-agent` have been updated to v1, which contains breaking changes. See the [official wiki](https://nezha.wiki/en_US/) for more details.

 - `ps3-disc-dumper` was updated to 4.2.5, which removed the CLI project and now exclusively offers the GUI
@@ -327,6 +323,9 @@

 - `tldr` now uses [`tldr-python-client`](https://github.com/tldr-pages/tldr-python-client) instead of [`tldr-c-client`](https://github.com/tldr-pages/tldr-c-client) which is unmaintained.

+- `renovate` was updated to v39. See the [upstream release notes](https://docs.renovatebot.com/release-notes-for-major-versions/#version-39) for breaking changes.
+  Like upstream's docker images, renovate now runs on NodeJS 22.
+
 - The behavior of the `networking.nat.externalIP` and `networking.nat.externalIPv6` options has been changed. `networking.nat.forwardPorts` now only forwards packets destined for the specified IP addresses.

 - `python3Packages.bpycv` has been removed due to being incompatible with Blender 4 and unmaintained.
@@ -441,10 +440,6 @@
  There is also a breaking change in the handling of CUDA. Instead of using a CUDA compatible jaxlib
  as before, you can use plugins like `python3Packages.jax-cuda12-plugin`.

- Added `allowVariants` to gate availability of package sets like `pkgsLLVM`, `pkgsMusl`, `pkgsZig`, etc. This was done in an effort to
-  decrease evaluation times by limiting the number of instances of nixpkgs to evaluate. The option will be removed in the future as a
-  new mechanism is in the works for handling cross compilation.
-
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

 ## Other Notable Changes {#sec-nixpkgs-release-25.05-notable-changes}
@@ -542,6 +537,11 @@

 - `ddclient` was updated from 3.11.2 to 4.0.0 [Release notes](https://github.com/ddclient/ddclient/releases/tag/v4.0.0)

+- `nexusmods-app` has been upgraded from version 0.6.3 to 0.10.2.
+  - Before upgrading, you **must reset all app state** (mods, games, settings, etc). NexusMods.App will crash if any state from a version older than 0.7.0 is still present.
+  - Typically, you can can reset to a clean state by running `NexusMods.App uninstall-app`. See Nexus Mod's [how to uninstall the app](https://nexus-mods.github.io/NexusMods.App/users/Uninstall) documentation for more detail and alternative methods.
+  - This should not be necessary going forward, because loading app state from 0.7.0 or newer is now supported. This is documented in the [0.7.1 changelog](https://github.com/Nexus-Mods/NexusMods.App/releases/tag/v0.7.1).
+
 ## Nixpkgs Library {#sec-nixpkgs-release-25.05-lib}

 ### Breaking changes {#sec-nixpkgs-release-25.05-lib-breaking}
--- a/doc/release-notes/rl-2511.section.md
+++ b/doc/release-notes/rl-2511.section.md
@@ -1,13 +1,9 @@
-# Nixpkgs 25.11 ("Xantusia", 2025.11/??) {#sec-nixpkgs-release-25.11}
+# Nixpkgs 25.11 (2025.11/??) {#sec-nixpkgs-release-25.11}

 ## Highlights {#sec-nixpkgs-release-25.11-highlights}
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- The initial work to support native compilation on LoongArch64 has completed, with further changes currently
-  in preparation. In accordance with the [Software Development and Build Convention for LoongArch Architectures](https://github.com/loongson/la-softdev-convention),
-  this release sets the default march level to `la64v1.0`, covering the desktop and server processors of 3X5000
-  and newer series. However, embedded chips without LSX (Loongson SIMD eXtension), such as 2K0300 SoC, are not
-  supported. `pkgsCross.loongarch64-linux-embedded` can be used to build software and systems for these platforms.
+- Create the first release note entry in this section!

 ## Backward Incompatibilities {#sec-nixpkgs-release-25.11-incompatibilities}

@@ -37,6 +33,5 @@

 ### Additions and Improvements {#sec-nixpkgs-release-25.11-lib-additions-improvements}

- `neovim`: Added support for the `vim.o.exrc` option, the `VIMINIT` environment variable, and sourcing of `sysinit.vim`.
+- Create the first release note entry in this section!

-  See the neovim help page [`:help startup`](https://neovim.io/doc/user/starting.html#startup) for more information, as well as [the nixpkgs neovim wrapper documentation](#neovim-custom-configuration).
--- a/doc/shell.nix
+++ b/doc/shell.nix
@@ -1 +1,7 @@
-(import ./default.nix { }).shell
+let
+  pkgs = import ../. {
+    config = { };
+    overlays = [ ];
+  };
+in
+pkgs.nixpkgs-manual.shell
--- a/doc/stdenv/stdenv.chapter.md
+++ b/doc/stdenv/stdenv.chapter.md
@@ -261,7 +261,7 @@ stdenv.mkDerivation (finalAttrs: {
    util-linux
    qemu
  ];
-  # `checkPhase` elided
+  checkPhase = ''[elided]'';
 })
 ```

--- a/doc/toolchains.md
+++ b/doc/toolchains.md
@@ -1,5 +0,0 @@
-# Toolchains {#part-toolchains}
-
-```{=include=} chapters
-toolchains/llvm.chapter.md
-```
--- a/doc/toolchains/llvm.chapter.md
+++ b/doc/toolchains/llvm.chapter.md
@@ -1,35 +0,0 @@
-# The LLVM Toolchain {#chap-toolchains}
-
-LLVM is a target-independent optimizer and code generator and serves as the basis for many compilers such as Haskell's GHC, rustc, Zig, and many others. It forms the base tools for Apple's Darwin platform.
-
-## Using LLVM {#sec-using-llvm}
-
-LLVM has two ways of being used. One is by using it across all of Nixpkgs and the other is to compile and build individual packages.
-
-### Building packages with LLVM {#sec-building-packages-with-llvm}
-
-Nixpkgs supports two methods of compiling the world with LLVM. One is via setting `useLLVM` in `crossSystem` while importing. This is the recommended way when cross compiling as it is more expressive. An example of doing `aarch64-linux` cross compilation from `x86_64-linux` with LLVM on the target is the following:
-
-```nix
-import <nixpkgs> {
-  localSystem = {
-    system = "x86_64-linux";
-  };
-  crossSystem = {
-    useLLVM = true;
-    linker = "lld";
-  };
-}
-```
-
-Note that we set `linker` to `lld`. This is because LLVM has its own linker called "lld". By setting it, we utilize Clang and lld within this new instance of Nixpkgs. There is a shorthand method for building everything with LLVM: `pkgsLLVM`. This is easier to use with `nix-build` (or `nix build`):
-
-```bash
-nix-build -A pkgsLLVM.hello
-```
-
-This will compile the GNU hello package with LLVM and the lld linker like previously mentioned.
-
-#### Using `clangStdenv` {#sec-building-packages-with-llvm-using-clang-stdenv}
-
-Another simple way is to override the stdenv with `clangStdenv`. This causes a single package to be built with Clang. However, this `stdenv` does not override platform defaults to use compiler-rt, libc++, and libunwind. This is the preferred way to make a single package in Nixpkgs build with Clang. There are cases where just Clang isn't enough. For these situations, there is `libcxxStdenv`, which uses Clang with libc++ and compiler-rt.
--- a/flake.nix
+++ b/flake.nix
@@ -20,24 +20,6 @@
      );
    in
    {
-      /**
-        The Nixpkgs repository/flake houses multiple components that provide functions.
-
-        These include the Nixpkgs `lib` library, with a larger number of functions for various purposes, as well as the `nixpkgs` (TBD) and `nixos` libraries whose main purpose is to provide configurability for those respective components.
-       */
-      # This attribute set is intentionally not extensible. Its purpose is not dependency injection.
-      libs = {
-        /**
-          [The Nixpkgs library](https://nixos.org/manual/nixpkgs/unstable/#id-1.4)
-         */
-        lib = import ./lib;
-
-        /**
-          Entrypoints into [NixOS](https://nixos.org/manual/nixos/unstable/), including [`runTest`](https://nixos.org/manual/nixos/unstable/#sec-call-nixos-test-outside-nixos).
-        */
-        nixos = import ./nixos/lib { };
-      };
-
      /**
        `nixpkgs.lib` is a combination of the [Nixpkgs library](https://nixos.org/manual/nixpkgs/unstable/#id-1.4), and other attributes
        that are _not_ part of the Nixpkgs library, but part of the Nixpkgs flake:
--- a/lib/.version
+++ b/lib/.version
@@ -1 +1 @@
-25.11
+25.05
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -309,7 +309,6 @@ let
        stringLength
        substring
        isString
-        replaceString
        replaceStrings
        intersperse
        concatStringsSep
@@ -346,7 +345,6 @@ let
        upperChars
        toLower
        toUpper
-        toCamelCase
        toSentenceCase
        addContextFrom
        splitString
--- a/lib/fileset/default.nix
+++ b/lib/fileset/default.nix
@@ -703,7 +703,7 @@ in
    # Type

    ```
-    difference :: FileSet -> FileSet -> FileSet
+    union :: FileSet -> FileSet -> FileSet
    ```

    # Examples
--- a/lib/gvariant.nix
+++ b/lib/gvariant.nix
@@ -18,7 +18,7 @@ let
    concatStrings
    escape
    head
-    replaceString
+    replaceStrings
    ;

  mkPrimitive = t: v: {
@@ -451,7 +451,7 @@ rec {
  mkString =
    v:
    let
-      sanitize = s: replaceString "\n" "\\n" (escape [ "'" "\\" ] s);
+      sanitize = s: replaceStrings [ "\n" ] [ "\\n" ] (escape [ "'" "\\" ] s);
    in
    mkPrimitive type.string v
    // {
--- a/lib/strings.nix
+++ b/lib/strings.nix
@@ -332,41 +332,6 @@ rec {
  */
  concatLines = concatMapStrings (s: s + "\n");

-  /**
-    Given string `s`, replace every occurrence of the string `from` with the string `to`.
-
-    # Inputs
-
-    `from`
-    : The string to be replaced
-
-    `to`
-    : The string to replace with
-
-    `s`
-    : The original string where replacements will be made
-
-    # Type
-
-    ```
-    replaceString :: string -> string -> string -> string
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.strings.replaceString` usage example
-
-    ```nix
-    replaceString "world" "Nix" "Hello, world!"
-    => "Hello, Nix!"
-    replaceString "." "_" "v1.2.3"
-    => "v1_2_3"
-    ```
-
-    :::
-  */
-  replaceString = from: to: replaceStrings [ from ] [ to ];
-
  /**
    Repeat a string `n` times,
    and concatenate the parts into a new string.
@@ -1173,7 +1138,7 @@ rec {
      string = toString arg;
    in
    if match "[[:alnum:],._+:@%/-]+" string == null then
-      "'${replaceString "'" "'\\''" string}'"
+      "'${replaceStrings [ "'" ] [ "'\\''" ] string}'"
    else
      string;

@@ -1535,63 +1500,6 @@ rec {
        addContextFrom str (toUpper firstChar + toLower rest)
      );

-  /**
-    Converts a string to camelCase. Handles snake_case, PascalCase,
-    kebab-case strings as well as strings delimited by spaces.
-
-    # Inputs
-
-    `string`
-    : The string to convert to camelCase
-
-    # Type
-
-    ```
-    toCamelCase :: string -> string
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.strings.toCamelCase` usage example
-
-    ```nix
-    toCamelCase "hello-world"
-    => "helloWorld"
-    toCamelCase "hello_world"
-    => "helloWorld"
-    toCamelCase "hello world"
-    => "helloWorld"
-    toCamelCase "HelloWorld"
-    => "helloWorld"
-    ```
-
-    :::
-  */
-  toCamelCase =
-    str:
-    lib.throwIfNot (isString str) "toCamelCase does only accepts string values, but got ${typeOf str}" (
-      let
-        separators = splitStringBy (
-          prev: curr:
-          elem curr [
-            "-"
-            "_"
-            " "
-          ]
-        ) false str;
-
-        parts = lib.flatten (
-          map (splitStringBy (
-            prev: curr: match "[a-z]" prev != null && match "[A-Z]" curr != null
-          ) true) separators
-        );
-
-        first = if length parts > 0 then toLower (head parts) else "";
-        rest = if length parts > 1 then map toSentenceCase (tail parts) else [ ];
-      in
-      concatStrings (map (addContextFrom str) ([ first ] ++ rest))
-    );
-
  /**
    Appends string context from string like object `src` to `target`.

--- a/lib/systems/architectures.nix
+++ b/lib/systems/architectures.nix
@@ -329,39 +329,6 @@ rec {
      "avx512"
      "fma"
    ];
-    # LoongArch64
-    # https://github.com/loongson/la-toolchain-conventions
-    loongarch64 = [
-      "fpu64"
-    ];
-    la464 = [
-      "fpu64"
-      "lsx"
-      "lasx"
-    ];
-    la664 = [
-      "fpu64"
-      "lsx"
-      "lasx"
-      "div32"
-      "frecipe"
-      "lam-bh"
-      "lamcas"
-      "ld-seq-sa"
-    ];
-    "la64v1.0" = [
-      "fpu64"
-      "lsx"
-    ];
-    "la64v1.1" = [
-      "fpu64"
-      "lsx"
-      "div32"
-      "frecipe"
-      "lam-bh"
-      "lamcas"
-      "ld-seq-sa"
-    ];
    # other
    armv5te = [ ];
    armv6 = [ ];
@@ -519,16 +486,6 @@ rec {
      ampere1a = [ "ampere1" ] ++ inferiors.ampere1;
      ampere1b = [ "ampere1a" ] ++ inferiors.ampere1a;

-      # LoongArch64
-      loongarch64 = [ ];
-      "la64v1.0" = [ "loongarch64" ];
-      la464 = [ "la64v1.0" ] ++ inferiors."la64v1.0";
-      "la64v1.1" = [ "la64v1.0" ] ++ inferiors."la64v1.0";
-      la664 = withInferiors [
-        "la464"
-        "la64v1.1"
-      ];
-
      # other
      armv5te = [ ];
      armv6 = [ ];
@@ -537,70 +494,6 @@ rec {
      loongson2f = [ ];
    };

-  /**
-    Check whether one GCC architecture has the the other inferior architecture.
-
-    # Inputs
-
-    `arch1`
-    : GCC architecture in string
-
-    `arch2`
-    : GCC architecture in string
-
-    # Type
-
-    ```
-    hasInferior :: string -> string -> bool
-    ```
-
-    # Examples
-    ::: {.example}
-    ## `lib.systems.architectures.hasInferior` usage example
-
-    ```nix
-    hasInferior "x86-64-v3" "x86-64"
-    => true
-    hasInferior "x86-64" "x86-64-v3"
-    => false
-    hasInferior "x86-64" "x86-64"
-    => false
-    ```
-  */
-  hasInferior = arch1: arch2: inferiors ? ${arch1} && lib.elem arch2 inferiors.${arch1};
-
-  /**
-    Check whether one GCC architecture can execute the other.
-
-    # Inputs
-
-    `arch1`
-    : GCC architecture in string
-
-    `arch2`
-    : GCC architecture in string
-
-    # Type
-
-    ```
-    canExecute :: string -> string -> bool
-    ```
-
-    # Examples
-    ::: {.example}
-    ## `lib.systems.architectures.canExecute` usage example
-
-    ```nix
-    canExecute "x86-64" "x86-64-v3"
-    => false
-    canExecute "x86-64-v3" "x86-64"
-    => true
-    canExecute "x86-64" "x86-64"
-    => true
-    ```
-  */
-  canExecute = arch1: arch2: arch1 == arch2 || hasInferior arch1 arch2;
-
  predicates =
    let
      featureSupport = feature: x: builtins.elem feature features.${x} or [ ];
@@ -617,7 +510,5 @@ rec {
      aesSupport = featureSupport "aes";
      fmaSupport = featureSupport "fma";
      fma4Support = featureSupport "fma4";
-      lsxSupport = featureSupport "lsx";
-      lasxSupport = featureSupport "lasx";
    };
 }
--- a/lib/systems/default.nix
+++ b/lib/systems/default.nix
@@ -14,7 +14,7 @@ let
    optionalAttrs
    optionalString
    removeSuffix
-    replaceString
+    replaceStrings
    toUpper
    ;

@@ -97,21 +97,7 @@ let
            platform:
            final.isAndroid == platform.isAndroid
            && parse.isCompatible final.parsed.cpu platform.parsed.cpu
-            && final.parsed.kernel == platform.parsed.kernel
-            && (
-              # Only perform this check when cpus have the same type;
-              # assume compatible cpu have all the instructions included
-              final.parsed.cpu == platform.parsed.cpu
-              ->
-                # if both have gcc.arch defined, check whether final can execute the given platform
-                (
-                  (final ? gcc.arch && platform ? gcc.arch)
-                  -> architectures.canExecute final.gcc.arch platform.gcc.arch
-                )
-                # if platform has gcc.arch defined but final doesn't, don't assume it can be executed
-                || (platform ? gcc.arch -> !(final ? gcc.arch))
-            );
-
+            && final.parsed.kernel == platform.parsed.kernel;
          isCompatible =
            _:
            throw "2022-05-23: isCompatible has been removed in favor of canExecute, refer to the 22.11 changelog for details";
@@ -522,7 +508,7 @@ let
            #
            # https://github.com/rust-lang/cargo/pull/9169
            # https://github.com/rust-lang/cargo/issues/8285#issuecomment-634202431
-            cargoEnvVarTarget = replaceString "-" "_" (toUpper final.rust.cargoShortTarget);
+            cargoEnvVarTarget = replaceStrings [ "-" ] [ "_" ] (toUpper final.rust.cargoShortTarget);

            # True if the target is no_std
            # https://github.com/rust-lang/rust/blob/2e44c17c12cec45b6a682b1e53a04ac5b5fcc9d2/src/bootstrap/config.rs#L415-L421
@@ -556,7 +542,7 @@ let
                "x86_64" = "amd64";
                "wasm32" = "wasm";
              }
-              .${final.parsed.cpu.name} or null;
+              .${final.parsed.cpu.name} or (throw "Unknown CPU variant ${final.parsed.cpu.name} by Go");
            GOOS = if final.isWasi then "wasip1" else final.parsed.kernel.name;

            # See https://go.dev/wiki/GoArm
--- a/lib/systems/examples.nix
+++ b/lib/systems/examples.nix
@@ -170,17 +170,9 @@ rec {
    libc = "newlib";
  };

-  # https://github.com/loongson/la-softdev-convention/blob/master/la-softdev-convention.adoc#10-operating-system-package-build-requirements
-  loongarch64-linux = lib.recursiveUpdate platforms.loongarch64-multiplatform {
+  loongarch64-linux = {
    config = "loongarch64-unknown-linux-gnu";
  };
-  loongarch64-linux-embedded = lib.recursiveUpdate platforms.loongarch64-multiplatform {
-    config = "loongarch64-unknown-linux-gnu";
-    gcc = {
-      arch = "loongarch64";
-      strict-align = true;
-    };
-  };

  mmix = {
    config = "mmix-unknown-mmixware";
--- a/lib/systems/platforms.nix
+++ b/lib/systems/platforms.nix
@@ -572,27 +572,6 @@ rec {
    };
  };

-  loongarch64-multiplatform = {
-    gcc = {
-      # https://github.com/loongson/la-softdev-convention/blob/master/la-softdev-convention.adoc#10-operating-system-package-build-requirements
-      arch = "la64v1.0";
-      strict-align = false;
-      # Avoid text sections of large apps exceeding default code model
-      # Will be default behavior in LLVM 21 and hopefully GCC16
-      # https://github.com/loongson-community/discussions/issues/43
-      # https://github.com/llvm/llvm-project/pull/132173
-      cmodel = "medium";
-    };
-    linux-kernel = {
-      name = "loongarch-multiplatform";
-      target = "vmlinuz.efi";
-      autoModules = true;
-      preferBuiltin = true;
-      baseConfig = "defconfig";
-      DTB = true;
-    };
-  };
-
  # This function takes a minimally-valid "platform" and returns an
  # attrset containing zero or more additional attrs which should be
  # included in the platform in order to further elaborate it.
@@ -619,9 +598,6 @@ rec {
    else if platform.isAarch64 then
      if platform.isDarwin then apple-m1 else aarch64-multiplatform

-    else if platform.isLoongArch64 then
-      loongarch64-multiplatform
-
    else if platform.isRiscV then
      riscv-multiplatform

@@ -631,8 +607,6 @@ rec {
    else if platform.parsed.cpu == lib.systems.parse.cpuTypes.powerpc64le then
      powernv

-    else if platform.isLoongArch64 then
-      loongarch64-multiplatform
    else
      { };
 }
--- a/lib/tests/maintainers.nix
+++ b/lib/tests/maintainers.nix
@@ -1,6 +1,6 @@
 # to run these tests (and the others)
 # nix-build nixpkgs/lib/tests/release.nix
-# These tests should stay in sync with the comment in maintainers/maintainer-list.nix
+# These tests should stay in sync with the comment in maintainers/maintainers-list.nix
 {
  # The pkgs used for dependencies for the testing itself
  pkgs ? import ../.. { },
--- a/lib/tests/misc.nix
+++ b/lib/tests/misc.nix
@@ -91,7 +91,6 @@ let
    range
    recursiveUpdateUntil
    removePrefix
-    replaceString
    replicate
    runTests
    setFunctionArgs
@@ -498,11 +497,6 @@ runTests {
    expected = "/usr/include:/usr/local/include";
  };

-  testReplaceStringString = {
-    expr = strings.replaceString "." "_" "v1.2.3";
-    expected = "v1_2_3";
-  };
-
  testReplicateString = {
    expr = strings.replicate 5 "hello";
    expected = "hellohellohellohellohello";
@@ -975,28 +969,6 @@ runTests {

  testToSentenceCasePath = testingThrow (strings.toSentenceCase ./.);

-  testToCamelCase = {
-    expr = strings.toCamelCase "hello world";
-    expected = "helloWorld";
-  };
-
-  testToCamelCaseFromKebab = {
-    expr = strings.toCamelCase "hello-world";
-    expected = "helloWorld";
-  };
-
-  testToCamelCaseFromSnake = {
-    expr = strings.toCamelCase "hello_world";
-    expected = "helloWorld";
-  };
-
-  testToCamelCaseFromPascal = {
-    expr = strings.toCamelCase "HelloWorld";
-    expected = "helloWorld";
-  };
-
-  testToCamelCasePath = testingThrow (strings.toCamelCase ./.);
-
  testToInt = testAllTrue [
    # Naive
    (123 == toInt "123")
@@ -1734,11 +1706,6 @@ runTests {
    ];
  };

-  testReplaceString = {
-    expr = replaceString "world" "Nix" "Hello, world!";
-    expected = "Hello, Nix!";
-  };
-
  testReplicate = {
    expr = replicate 3 "a";
    expected = [
--- a/lib/trivial.nix
+++ b/lib/trivial.nix
@@ -439,7 +439,7 @@ in
    On each release the first letter is bumped and a new animal is chosen
    starting with that new letter.
  */
-  codeName = "Xantusia";
+  codeName = "Warbler";

  /**
    Returns the current nixpkgs version suffix as string.
--- a/maintainers/README.md
+++ b/maintainers/README.md
@@ -40,10 +40,6 @@ In order to do so, add yourself to the
 [`maintainer-list.nix`](./maintainer-list.nix), and then to the desired
 package's `meta.maintainers` list, and send a PR with the changes.

-If you're adding yourself as a maintainer as part of another PR (in which
-you become a maintainer of a package, for example), make your change to
-`maintainer-list.nix` in a separate commit.
-
 ### How to lose maintainer status

 Maintainers who have become inactive on a given package can be removed. This
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -2135,11 +2135,6 @@
    githubId = 56650223;
    name = "Artturi N";
  };
-  artur-sannikov = {
-    name = "Artur Sannikov";
-    github = "artur-sannikov";
-    githubId = 40318410;
-  };
  arturcygan = {
    email = "arczicygan@gmail.com";
    github = "arcz";
@@ -2343,10 +2338,11 @@
    githubId = 11548989;
  };
  atalii = {
-    email = "me@tali.network";
+    email = "taliauster@gmail.com";
    github = "atalii";
    githubId = 120901234;
-    name = "Tali Auster";
+    name = "tali auster";
+    matrix = "@atalii:matrix.org";
  };
  atar13 = {
    name = "Anthony Tarbinian";
@@ -3059,12 +3055,6 @@
    github = "benhiemer";
    githubId = 16649926;
  };
-  benjajaja = {
-    name = "Benjamin Große";
-    email = "ste3ls@gmail.com";
-    github = "benjajaja";
-    githubId = 310215;
-  };
  benjaminedwardwebb = {
    name = "Ben Webb";
    email = "benjaminedwardwebb@gmail.com";
@@ -3486,11 +3476,6 @@
    githubId = 50839;
    name = "Brian Jones";
  };
-  bokicoder = {
-    github = "bokicoder";
-    githubId = 193465580;
-    name = "bokicoder";
-  };
  boldikoller = {
    email = "boldi.koller@wtss.eu";
    github = "boldikoller";
@@ -4011,18 +3996,6 @@
    githubId = 141733;
    name = "Andrew Bruce";
  };
-  Cameo007 = {
-    name = "Pascal Dietrich";
-    email = "pascal.1.dietrich@hotmail.com";
-    matrix = "@cameo007:mintux.de";
-    github = "Cameo007";
-    githubId = 80521473;
-    keys = [
-      {
-        fingerprint = "2D62 24B9 1250 86AF E318 12A0 F1D1 5228 0511 FB91";
-      }
-    ];
-  };
  camerondugan = {
    email = "cameron.dugan@protonmail.com";
    github = "camerondugan";
@@ -4438,13 +4411,6 @@
    githubId = 631802;
    keys = [ { fingerprint = "099E 3F97 FA08 3D47 8C75  EBEC E0EB AD78 F019 0BD9"; } ];
  };
-  chillcicada = {
-    email = "2210227279@qq.com";
-    name = "chillcicada";
-    github = "chillcicada";
-    githubId = 116548943;
-    keys = [ { fingerprint = "734C 20B3 33C4 FAB3 0BD0  743A 34C2 1231 0A99 754B"; } ];
-  };
  chiroptical = {
    email = "chiroptical@gmail.com";
    github = "chiroptical";
@@ -5674,12 +5640,6 @@
    githubId = 4971975;
    name = "Janne Heß";
  };
-  dashietm = {
-    email = "fabio.lenherr@gmail.com";
-    github = "DashieTM";
-    githubId = 72016555;
-    name = "Fabio Lenherr";
-  };
  dasisdormax = {
    email = "dasisdormax@mailbox.org";
    github = "dasisdormax";
@@ -6519,12 +6479,6 @@
    githubId = 131907205;
    name = "David Thievon";
  };
-  dolphindalt = {
-    email = "dolphindalt@gmail.com";
-    github = "dolphindalt";
-    githubId = 13937320;
-    name = "Dalton Caron";
-  };
  domenkozar = {
    email = "domen@dev.si";
    github = "domenkozar";
@@ -6554,7 +6508,7 @@
    name = "DontEatOreo";
    github = "DontEatOreo";
    githubId = 57304299;
-    matrix = "@donteatoreo:matrix.org";
+    keys = [ { fingerprint = "33CD 5C0A 673C C54D 661E  5E4C 0DB5 361B EEE5 30AB"; } ];
  };
  dopplerian = {
    name = "Dopplerian";
@@ -6606,12 +6560,6 @@
    github = "dottybot";
    githubId = 12519979;
  };
-  douzebis = {
-    email = "fred@atlant.is";
-    github = "douzebis";
-    githubId = 61088438;
-    name = "Frédéric Ruget";
-  };
  dpaetzel = {
    email = "david.paetzel@posteo.de";
    github = "dpaetzel";
@@ -7881,12 +7829,6 @@
    github = "hatch01";
    githubId = 42416805;
  };
-  ezrizhu = {
-    name = "Ezri Zhu";
-    email = "me@ezrizhu.com";
-    github = "ezrizhu";
-    githubId = 44515009;
-  };
  f--t = {
    email = "git@f-t.me";
    github = "f--t";
@@ -8156,12 +8098,6 @@
    githubId = 8182846;
    name = "Francesco Gazzetta";
  };
-  fgrcl = {
-    email = "fgrclaberge@gmail.com";
-    github = "FGRCL";
-    githubId = 35940434;
-    name = "Francois LaBerge";
-  };
  fidgetingbits = {
    name = "fidgetingbits";
    email = "nixpkgs.xe7au@passmail.net";
@@ -10130,12 +10066,6 @@
    githubId = 130903;
    name = "Ana Hobden";
  };
-  hpfr = {
-    email = "liam@hpfr.net";
-    github = "hpfr";
-    githubId = 44043764;
-    name = "Liam Hupfer";
-  };
  hqurve = {
    email = "hqurve@outlook.com";
    github = "hqurve";
@@ -11200,7 +11130,6 @@
    name = "Jappie Klooster";
  };
  jappie3 = {
-    email = "jappie3+git@jappie.dev";
    name = "Jappie3";
    matrix = "@jappie:jappie.dev";
    github = "Jappie3";
@@ -11531,12 +11460,6 @@
    githubId = 30251156;
    name = "Jesse Moore";
  };
-  jethair = {
-    email = "jethair@duck.com";
-    github = "JetHair";
-    githubId = 106916147;
-    name = "JetHair";
-  };
  jethro = {
    email = "jethrokuan95@gmail.com";
    github = "jethrokuan";
@@ -13037,6 +12960,12 @@
    githubId = 843652;
    name = "Kim Burgess";
  };
+  kindrowboat = {
+    email = "hello@kindrobot.ca";
+    github = "kindrowboat";
+    githubId = 777773;
+    name = "Stef Dunlap";
+  };
  kini = {
    email = "keshav.kini@gmail.com";
    github = "kini";
@@ -13643,12 +13572,6 @@
    github = "L0L1P0P1";
    githubId = 73695812;
  };
-  l0r3v = {
-    email = "l0r3v@pasqui.casa";
-    github = "l0r3v";
-    githubId = 27364685;
-    name = "Lorenzo Pasqui";
-  };
  l1npengtul = {
    email = "l1npengtul@l1npengtul.lol";
    github = "l1npengtul";
@@ -14028,12 +13951,6 @@
    github = "LogicalOverflow";
    githubId = 5919957;
  };
-  lheintzmann1 = {
-    email = "lheintzmann1@disroot.org";
-    github = "lheintzmann1";
-    githubId = 141759313;
-    name = "Lucas Heintzmann";
-  };
  lhvwb = {
    email = "nathaniel.baxter@gmail.com";
    github = "nathanielbaxter";
@@ -15720,16 +15637,6 @@
    name = "John McParland";
    keys = [ { fingerprint = "39D2 171D D733 C718 DD21  285E B326 E14B 05D8 7A4E"; } ];
  };
-  MCSeekeri = {
-    email = "mcseekeri@outlook.com";
-    github = "mcseekeri";
-    githubId = 20928094;
-    name = "MCSeekeri";
-    keys = [
-      { fingerprint = "5922 79AB D9D6 85EB 9D16  754C ECDC AD89 5A38 4A12"; }
-      { fingerprint = "0762 A387 F160 76F1 116C  BF13 3276 6666 6666 6666"; }
-    ];
-  };
  McSinyx = {
    email = "cnx@loang.net";
    github = "McSinyx";
@@ -16174,12 +16081,6 @@
    githubId = 978196;
    name = "Michaël Faille";
  };
-  mikehorn = {
-    email = "mikehornproton@proton.me";
-    github = "MikeHorn-git";
-    githubId = 123373126;
-    name = "Mike Horn";
-  };
  mikesperber = {
    email = "sperber@deinprogramm.de";
    github = "mikesperber";
@@ -16608,10 +16509,8 @@
  moraxyc = {
    name = "Moraxyc Xu";
    email = "i@qaq.li";
-    matrix = "@moraxyc:qaq.li";
    github = "Moraxyc";
    githubId = 69713071;
-    keys = [ { fingerprint = "7DD1 A4DF 7DD6 AEEB F07B  1108 8296 4F3A B1D9 DE79"; } ];
  };
  moredread = {
    email = "code@apb.name";
@@ -16836,12 +16735,6 @@
    githubId = 7026881;
    name = "Jarosław Jedynak";
  };
-  msoos = {
-    email = "soos.mate@gmail.com";
-    github = "msoos";
-    githubId = 1334841;
-    name = "Mate Soos";
-  };
  mstarzyk = {
    email = "mstarzyk@gmail.com";
    github = "mstarzyk";
@@ -16891,6 +16784,12 @@
    githubId = 72663763;
    keys = [ { fingerprint = "DB3E A12D B291 594A 79C5 F6B3 10AB 6868 37F6 FA3F"; } ];
  };
+  mtreca = {
+    email = "maxime.treca@gmail.com";
+    github = "mtreca";
+    githubId = 16440823;
+    name = "Maxime Tréca";
+  };
  mtreskin = {
    email = "zerthurd@gmail.com";
    github = "Zert";
@@ -17615,7 +17514,7 @@
  };
  nicoo = {
    email = "nicoo@debian.org";
-    github = "nicoonoclaste";
+    github = "nbraud";
    githubId = 1155801;
    name = "nicoo";
    keys = [ { fingerprint = "E44E 9EA5 4B8E 256A FB73 49D3 EC9D 3708 72BC 7A8C"; } ];
@@ -18746,12 +18645,6 @@
    name = "Philipp Rintz";
    matrix = "@philipp:srv.icu";
  };
-  p0lyw0lf = {
-    email = "p0lyw0lf@protonmail.com";
-    name = "PolyWolf";
-    github = "p0lyw0lf";
-    githubId = 31190026;
-  };
  p3psi = {
    name = "Elliot Boo";
    email = "p3psi.boo@gmail.com";
@@ -20881,12 +20774,6 @@
    githubId = 3302;
    name = "Renzo Carbonara";
  };
-  repparw = {
-    email = "ubritos@gmail.com";
-    github = "repparw";
-    githubId = 45952970;
-    name = "repparw";
-  };
  reputable2772 = {
    name = "Reputable2772";
    github = "Reputable2772";
@@ -21778,12 +21665,6 @@
    githubId = 7309170;
    name = "Ryota Kameoka";
  };
-  ryota2357 = {
-    email = "contact@ryota2357.com";
-    github = "ryota2357";
-    githubId = 61523777;
-    name = "Ryota Otsuki";
-  };
  rypervenche = {
    email = "git@ryper.org";
    github = "rypervenche";
@@ -22936,11 +22817,6 @@
    matrix = "@c3n21:matrix.org";
    githubId = 37077738;
  };
-  sinjin2300 = {
-    name = "Sinjin";
-    github = "Sinjin2300";
-    githubId = 35543336;
-  };
  sioodmy = {
    name = "Antoni Sokołowski";
    github = "sioodmy";
@@ -23454,13 +23330,6 @@
    githubId = 16364318;
    name = "Jeffrey Harmon";
  };
-  squat = {
-    matrix = "@squat:beeper.com";
-    name = "squat";
-    github = "squat";
-    githubId = 20484159;
-    keys = [ { fingerprint = "F246 425A 7650 6F37 0552  BA8D DEA9 C405 09D9 65F5"; } ];
-  };
  srghma = {
    email = "srghma@gmail.com";
    github = "srghma";
@@ -24083,12 +23952,6 @@
    githubId = 40228615;
    name = "Taha Yassine";
  };
-  tahlonbrahic = {
-    email = "tahlonbrahic@proton.me";
-    github = "tahlonbrahic";
-    githubId = 104690672;
-    name = "Tahlon Brahic";
-  };
  taikx4 = {
    email = "taikx4@taikx4szlaj2rsdupcwabg35inbny4jk322ngeb7qwbbhd5i55nf5yyd.onion";
    github = "taikx4";
@@ -24729,20 +24592,6 @@
    githubId = 1220572;
    name = "Christian Theune";
  };
-  thevar1able = {
-    email = "var1able+nixpkgs@var1able.network";
-    github = "thevar1able";
-    githubId = 875885;
-    name = "Konstantin Bogdanov";
-    keys = [
-      { fingerprint = "3221 7A73 EB95 0E9E E550  36A3 DB39 9448 D9FE 52F1"; }
-    ];
-  };
-  theverygaming = {
-    name = "theverygaming";
-    github = "theverygaming";
-    githubId = 18639279;
-  };
  thiagokokada = {
    email = "thiagokokada@gmail.com";
    github = "thiagokokada";
@@ -25802,11 +25651,6 @@
    github = "deviant";
    githubId = 68829907;
  };
-  vaavaav = {
-    name = "Pedro Peixoto";
-    github = "vaavaav";
-    githubId = 56087034;
-  };
  vaci = {
    email = "vaci@vaci.org";
    github = "vaci";
@@ -26396,12 +26240,6 @@
    github = "waynr";
    githubId = 1441126;
  };
-  wcarlsen = {
-    name = "Willi Carlsen";
-    email = "carlsenwilli@gmail.com";
-    github = "wcarlsen";
-    githubId = 17003032;
-  };
  wchresta = {
    email = "wchresta.nix@chrummibei.ch";
    github = "wchresta";
@@ -26741,12 +26579,6 @@
    githubId = 9132420;
    keys = [ { fingerprint = "F943 A0BC 720C 5BEF 73CD E02D B398 93FA 5F65 CAE1"; } ];
  };
-  womeier = {
-    name = "Wolfgang Meier";
-    email = "womeier@posteo.de";
-    github = "womeier";
-    githubId = 55190123;
-  };
  womfoo = {
    email = "kranium@gikos.net";
    github = "womfoo";
--- a/maintainers/scripts/README.md
+++ b/maintainers/scripts/README.md
@@ -16,7 +16,7 @@ a given nixpkgs maintainer, equivalent to `lib.maintainers.${x} // { handle = x;

 This allows looking up a maintainer's attrset (including GitHub and Matrix
 handles, email address etc.) based on any of their handles, more correctly and
-robustly than text search through `maintainer-list.nix`.
+robustly than text search through `maintainers-list.nix`.

 ```
 ❯ ./get-maintainer.sh nicoo
--- a/maintainers/scripts/check-cherry-picks.sh
+++ b/maintainers/scripts/check-cherry-picks.sh
@@ -1,25 +1,17 @@
 #!/usr/bin/env bash
 # Find alleged cherry-picks

-set -eo pipefail
+set -e

 if [ $# != "2" ] ; then
  echo "usage: check-cherry-picks.sh base_rev head_rev"
  exit 2
 fi

-# Make sure we are inside the nixpkgs repo, even when called from outside
-cd "$(dirname "${BASH_SOURCE[0]}")"
-
-PICKABLE_BRANCHES="master staging release-??.?? staging-??.?? haskell-updates python-updates staging-next staging-next-??.??"
+PICKABLE_BRANCHES=${PICKABLE_BRANCHES:-master staging release-??.?? staging-??.??}
 problem=0

-# Not everyone calls their remote "origin"
-remote="$(git remote -v | grep -i 'NixOS/nixpkgs' | head -n1 | cut -f1 || true)"
-
-commits="$(git rev-list --reverse "$1..$2")"
-
-while read -r new_commit_sha ; do
+while read new_commit_sha ; do
  if [ -z "$new_commit_sha" ] ; then
    continue  # skip empty lines
  fi
@@ -34,47 +26,30 @@ while read -r new_commit_sha ; do
  original_commit_sha=$(
    git rev-list --max-count=1 --format=format:%B "$new_commit_sha" \
    | grep -Ei -m1 "cherry.*[0-9a-f]{40}" \
-    | grep -Eoi -m1 '[0-9a-f]{40}' || true
+    | grep -Eoi -m1 '[0-9a-f]{40}'
  )
-  if [ -z "$original_commit_sha" ] ; then
-    if [ "$GITHUB_ACTIONS" = 'true' ] ; then
-      echo ::endgroup::
-      echo -n "::error ::"
-    else
-      echo -n "  ✘ "
-    fi
-    echo "Couldn't locate original commit hash in message"
-    echo "Note this should not necessarily be treated as a hard fail, but a reviewer's attention should" \
-      "be drawn to it and github actions have no way of doing that but to raise a 'failure'"
-    problem=1
+  if [ "$?" != "0" ] ; then
+    echo "  ? Couldn't locate original commit hash in message"
+    [ "$GITHUB_ACTIONS" = 'true' ] && echo ::endgroup::
    continue
  fi

  set -f # prevent pathname expansion of patterns
-  for pattern in $PICKABLE_BRANCHES ; do
+  for branch_pattern in $PICKABLE_BRANCHES ; do
    set +f # re-enable pathname expansion

-    # Reverse sorting by refname and taking one match only means we can only backport
-    # from unstable and the latest stable. That makes sense, because even right after
-    # branch-off, when we have two supported stable branches, we only ever want to cherry-pick
-    # **to** the older one, but never **from** it.
-    # This makes the job significantly faster in the case when commits can't be found,
-    # because it doesn't need to iterate through 20+ branches, which all need to be fetched.
-    branches="$(git for-each-ref --sort=-refname --format="%(refname)" \
-      "refs/remotes/${remote:-origin}/$pattern" | head -n1)"
-
    while read -r picked_branch ; do
      if git merge-base --is-ancestor "$original_commit_sha" "$picked_branch" ; then
        echo "  ✔ $original_commit_sha present in branch $picked_branch"

-        range_diff_common='git --no-pager range-diff
+        range_diff_common='git range-diff
          --no-notes
          --creation-factor=100
          '"$original_commit_sha~..$original_commit_sha"'
          '"$new_commit_sha~..$new_commit_sha"'
        '

-        if $range_diff_common --no-color 2> /dev/null | grep -E '^ {4}[+-]{2}' > /dev/null ; then
+        if $range_diff_common --no-color | grep -E '^ {4}[+-]{2}' > /dev/null ; then
          if [ "$GITHUB_ACTIONS" = 'true' ] ; then
            echo ::endgroup::
            echo -n "::warning ::"
@@ -97,7 +72,11 @@ while read -r new_commit_sha ; do
        # move on to next commit
        continue 3
      fi
-    done <<< "$branches"
+    done <<< "$(
+      git for-each-ref \
+      --format="%(refname)" \
+      "refs/remotes/origin/$branch_pattern"
+    )"
  done

  if [ "$GITHUB_ACTIONS" = 'true' ] ; then
@@ -109,6 +88,10 @@ while read -r new_commit_sha ; do
  echo "$original_commit_sha not found in any pickable branch"

  problem=1
-done <<< "$commits"
+done <<< "$(
+  git rev-list \
+    -E -i --grep="cherry.*[0-9a-f]{40}" --reverse \
+    "$1..$2"
+)"

 exit $problem
--- a/maintainers/scripts/pluginupdate-py/pluginupdate.py
+++ b/maintainers/scripts/pluginupdate-py/pluginupdate.py
@@ -558,16 +558,7 @@ class Editor:
        }

        for plugin_desc, plugin, redirect in fetched:
-            # Check if plugin is a Plugin object and has normalized_name attribute
-            if isinstance(plugin, Plugin) and hasattr(plugin, 'normalized_name'):
-                result[plugin.normalized_name] = (plugin_desc, plugin, redirect)
-            elif isinstance(plugin, Exception):
-                # For exceptions, we can't determine the normalized_name
-                # Just log the error and continue
-                log.error(f"Error fetching plugin {plugin_desc.name}: {plugin!r}")
-            else:
-                # For unexpected types, log the issue
-                log.error(f"Unexpected plugin type for {plugin_desc.name}: {type(plugin)}")
+            result[plugin.normalized_name] = (plugin_desc, plugin, redirect)

        return list(result.values())

@@ -624,9 +615,9 @@ class Editor:
            "--github-token",
            "-t",
            type=str,
-            default=os.getenv("GITHUB_TOKEN"),
+            default=os.getenv("GITHUB_API_TOKEN"),
            help="""Allows to set --proc to higher values.
-            Uses GITHUB_TOKEN environment variables as the default value.""",
+            Uses GITHUB_API_TOKEN environment variables as the default value.""",
        )
        common.add_argument(
            "--no-commit",
--- a/maintainers/team-list.nix
+++ b/maintainers/team-list.nix
@@ -63,6 +63,7 @@ with lib.maintainers;
    shortName = "apm employees";
    # Edits to this list should only be done by an already existing member.
    members = [
+      wolfgangwalther
      DutchGerman
    ];
  };
@@ -1191,12 +1192,7 @@ with lib.maintainers;
  };

  systemd = {
-    members = [
-      flokli
-      arianvp
-      elvishjerricco
-      aanderse
-    ];
+    members = [ ];
    githubTeams = [ "systemd" ];
    scope = "Maintain systemd for NixOS.";
    shortName = "systemd";
--- a/nixos/doc/manual/configuration/x-windows.chapter.md
+++ b/nixos/doc/manual/configuration/x-windows.chapter.md
@@ -29,7 +29,7 @@ Thus you should pick one or more of the following lines:
 {
  services.xserver.desktopManager.plasma5.enable = true;
  services.xserver.desktopManager.xfce.enable = true;
-  services.desktopManager.gnome.enable = true;
+  services.xserver.desktopManager.gnome.enable = true;
  services.xserver.desktopManager.mate.enable = true;
  services.xserver.windowManager.xmonad.enable = true;
  services.xserver.windowManager.twm.enable = true;
@@ -46,7 +46,7 @@ alternative one by picking one of the following lines:
 ```nix
 {
  services.displayManager.sddm.enable = true;
-  services.displayManager.gdm.enable = true;
+  services.xserver.displayManager.gdm.enable = true;
 }
 ```

--- a/nixos/doc/manual/contributing-to-this-manual.chapter.md
+++ b/nixos/doc/manual/contributing-to-this-manual.chapter.md
@@ -17,28 +17,6 @@ There's also [a convenient development daemon](https://nixos.org/manual/nixpkgs/

 The above instructions don't deal with the appendix of available `configuration.nix` options, and the manual pages related to NixOS. These are built, and written in a different location and in a different format, as explained in the next sections.

-## Development environment {#sec-contributing-development-env}
-
-In order to reduce repetition, consider using tools from the provided development environment:
-
-Load it from the NixOS documentation directory with
-
-```ShellSession
-$ cd /path/to/nixpkgs/nixos/doc/manual
-$ nix-shell
-```
-
-To load the development utilities automatically when entering that directory, [set up `nix-direnv`](https://nix.dev/guides/recipes/direnv).
-
-Make sure that your local files aren't added to Git history by adding the following lines to `.git/info/exclude` at the root of the Nixpkgs repository:
-
-```
-/**/.envrc
-/**/.direnv
-```
-
-You might want to also use [`devmode`](https://github.com/NixOS/nixpkgs/blob/master/doc/README.md#devmode) while editing the manual.
-
 ## Testing redirects {#sec-contributing-redirects}

 Once you have a successful build, you can open the relevant HTML (path mentioned above) in a browser along with the anchor, and observe the redirection.
--- a/nixos/doc/manual/installation/upgrading.chapter.md
+++ b/nixos/doc/manual/installation/upgrading.chapter.md
@@ -4,9 +4,7 @@ The best way to keep your NixOS installation up to date is to use one of
 the NixOS *channels*. A channel is a Nix mechanism for distributing Nix
 expressions and associated binaries. The NixOS channels are updated
 automatically from NixOS's Git repository after certain tests have
-passed and a selection of packages has been built successfully
-(see `nixos/release-combined.nix` and `nixos/release-small.nix`).
-These channels are:
+passed and all packages have been built. These channels are:

 -   *Stable channels*, such as [`nixos-25.05`](https://channels.nixos.org/nixos-25.05).
    These only get conservative bug fixes and package upgrades. For
--- a/nixos/doc/manual/redirects.json
+++ b/nixos/doc/manual/redirects.json
@@ -50,12 +50,6 @@
  "module-services-crab-hole-upstream-options": [
    "index.html#module-services-crab-hole-upstream-options"
  ],
-  "module-services-opencloud": [
-    "index.html#module-services-opencloud"
-  ],
-  "module-services-opencloud-basic-usage": [
-    "index.html#module-services-opencloud-basic-usage"
-  ],
  "module-services-strfry": [
    "index.html#module-services-strfry"
  ],
@@ -77,9 +71,6 @@
  "ch-installation": [
    "index.html#ch-installation"
  ],
-  "sec-contributing-development-env": [
-    "index.html#sec-contributing-development-env"
-  ],
  "sec-mattermost": [
    "index.html#sec-mattermost"
  ],
@@ -1988,21 +1979,6 @@
  "ch-release-notes": [
    "release-notes.html#ch-release-notes"
  ],
-  "sec-release-25.11": [
-    "release-notes.html#sec-release-25.11"
-  ],
-  "sec-release-25.11-highlights": [
-    "release-notes.html#sec-release-25.11-highlights"
-  ],
-  "sec-release-25.11-new-modules": [
-    "release-notes.html#sec-release-25.11-new-modules"
-  ],
-  "sec-release-25.11-incompatibilities": [
-    "release-notes.html#sec-release-25.11-incompatibilities"
-  ],
-  "sec-release-25.11-notable-changes": [
-    "release-notes.html#sec-release-25.11-notable-changes"
-  ],
  "sec-release-25.05": [
    "release-notes.html#sec-release-25.05"
  ],
--- a/nixos/doc/manual/release-notes/release-notes.md
+++ b/nixos/doc/manual/release-notes/release-notes.md
@@ -3,7 +3,6 @@
 This section lists the release notes for each stable version of NixOS and current unstable revision.

 ```{=include=} sections
-rl-2511.section.md
 rl-2505.section.md
 rl-2411.section.md
 rl-2405.section.md
--- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -20,7 +20,7 @@ Alongside many enhancements to NixOS modules and general system improvements, th
 - GNOME has been updated to version 48.

  - `decibels` music player is now installed by default. You can disable it using [](#opt-environment.gnome.excludePackages).
-  - `gnome-shell-extensions` extension collection (which included GNOME Classic extensions, Apps Menu, and User Themes, among others) are no longer installed by default. You can install them again with {option}`services.xserver.desktopManager.gnome.sessionPath`.
+  - `gnome-shell-extensions` extension collection (which included GNOME Classic extensions, Apps Menu, and User Themes, among others) are no longer installed by default. You can install them again with [](#opt-services.xserver.desktopManager.gnome.sessionPath).
  - Option [](#opt-services.gnome.core-developer-tools.enable) now also installs `sysprof` and `d-spy`.
  - Option `services.gnome.core-utilities.enable` has been renamed to [](#opt-services.gnome.core-apps.enable).
  - `cantarell-fonts`, `source-code-pro` and `source-sans` fonts are no longer installed by default. They have been replaced by `adwaita-fonts`.
@@ -48,43 +48,43 @@ Alongside many enhancements to NixOS modules and general system improvements, th

 - [scanservjs](https://github.com/sbs20/scanservjs/), a web UI for SANE scanners. Available at [services.scanservjs](#opt-services.scanservjs.enable).

- [Kimai](https://www.kimai.org/), a web-based multi-user time-tracking application. Available as [services.kimai](#opt-services.kimai.sites).
+- [Kimai](https://www.kimai.org/), a web-based multi-user time-tracking application. Available as [services.kimai](options.html#opt-services.kimai).

 - [Kismet](https://www.kismetwireless.net/), a Wi-Fi, Bluetooth, and RF monitoring application supporting a wide range of hardware. Available as [services.kismet](#opt-services.kismet.enable).

 - [vwifi](https://github.com/Raizo62/vwifi), a Wi-Fi simulator daemon leveraging the `mac80211_hwsim` and `vhost_vsock` kernel modules for efficient simulation of multi-node Wi-Fi networks. Available as [services.vwifi](#opt-services.vwifi.client.enable).

- [Oncall](https://oncall.tools), a web-based calendar tool designed for scheduling and managing on-call shifts. Available as [services.oncall](#opt-services.oncall.enable).
+- [Oncall](https://oncall.tools), a web-based calendar tool designed for scheduling and managing on-call shifts. Available as [services.oncall](options.html#opt-services.oncall).

- [Homer](https://homer-demo.netlify.app/), a very simple static homepage for your server. Available as [services.homer](#opt-services.homer.enable).
+- [Homer](https://homer-demo.netlify.app/), a very simple static homepage for your server. Available as [services.homer](options.html#opt-services.homer).

- [Ghidra](https://ghidra-sre.org/), a software reverse engineering (SRE) suite of tools. Available as [programs.ghidra](#opt-programs.ghidra.enable).
+- [Ghidra](https://ghidra-sre.org/), a software reverse engineering (SRE) suite of tools. Available as [programs.ghidra](options.html#opt-programs.ghidra).

- [Omnom](https://github.com/asciimoo/omnom), a webpage bookmarking and snapshotting service. Available as [services.omnom](#opt-services.omnom.enable).
+- [Omnom](https://github.com/asciimoo/omnom), a webpage bookmarking and snapshotting service. Available as [services.omnom](options.html#opt-services.omnom.enable).

 - [Yggdrasil-Jumper](https://github.com/one-d-wide/yggdrasil-jumper), an independent project that aims to transparently reduce latency of a connection over Yggdrasil network, utilizing NAT traversal to automatically bypass intermediary nodes. Available as [services.yggdrasil-jumper](#opt-services.yggdrasil-jumper.enable).

- [xpad-noone](https://github.com/medusalix/xpad-noone) is the original upstream xpad driver from the Linux kernel with support for Xbox One controllers removed — especially useful for people who want to use an XBox One controller under the `xone` driver and an Xbox 360 controller under the `xpad` driver at the same time. Available as [hardware.xpad-noone](#opt-hardware.xpad-noone.enable).
+- [xpad-noone](https://github.com/medusalix/xpad-noone) is the original upstream xpad driver from the Linux kernel with support for Xbox One controllers removed — especially useful for people who want to use an XBox One controller under the `xone` driver and an Xbox 360 controller under the `xpad` driver at the same time. Available as [hardware.xpad-noone](options.html#hardware.xpad-noone).

- [uMurmur](https://umurmur.net), minimalistic Mumble server primarily targeted to run on embedded computers. Available as [services.umurmur](#opt-services.umurmur.enable).
+- [uMurmur](https://umurmur.net), minimalistic Mumble server primarily targeted to run on embedded computers. Available as [services.umurmur](options.html#opt-services.umurmur).

- [Zenoh](https://zenoh.io/), a pub/sub/query protocol with low overhead. The Zenoh router daemon is available as [services.zenohd](#opt-services.zenohd.enable).
+- [Zenoh](https://zenoh.io/), a pub/sub/query protocol with low overhead. The Zenoh router daemon is available as [services.zenohd](options.html#opt-services.zenohd.enable).

- [ytdl-sub](https://github.com/jmbannon/ytdl-sub), a tool that downloads media via yt-dlp and prepares it for your favorite media player, including Kodi, Jellyfin, Plex, Emby, and modern music players. Available as [services.ytdl-sub](#opt-services.ytdl-sub.instances).
+- [ytdl-sub](https://github.com/jmbannon/ytdl-sub), a tool that downloads media via yt-dlp and prepares it for your favorite media player, including Kodi, Jellyfin, Plex, Emby, and modern music players. Available as [services.ytdl-sub](options.html#opt-services.ytdl-sub.instances).

- [MaryTTS](https://github.com/marytts/marytts), an open-source, multilingual text-to-speech synthesis system written in pure Java. Available as [services.marytts](#opt-services.marytts.enable).
+- [MaryTTS](https://github.com/marytts/marytts), an open-source, multilingual text-to-speech synthesis system written in pure Java. Available as [services.marytts](options.html#opt-services.marytts).

 - [Continuwuity](https://continuwuity.org/), a federated chat server implementing the Matrix protocol, forked from Conduwuit. Available as [services.matrix-continuwuity](#opt-services.matrix-continuwuity.enable).

- [Reposilite](https://reposilite.com), a lightweight and easy-to-use repository manager for Maven-based artifacts in the JVM ecosystem. Available as [services.reposilite](#opt-services.reposilite.enable).
+- [Reposilite](https://reposilite.com), a lightweight and easy-to-use repository manager for Maven-based artifacts in the JVM ecosystem. Available as [services.reposilite](options.html#opt-services.reposilite).

- [networking.modemmanager](#opt-networking.modemmanager.enable) has been split out of [networking.networkmanager](#opt-networking.networkmanager.enable). NetworkManager still enables ModemManager by default, but options exist now to run NetworkManager without ModemManager.
+- [networking.modemmanager](options.html#opt-networking.modemmanager) has been split out of [networking.networkmanager](options.html#opt-networking.networkmanager). NetworkManager still enables ModemManager by default, but options exist now to run NetworkManager without ModemManager.

- [Routinator 3000](https://nlnetlabs.nl/projects/routing/routinator/), a full-featured RPKI Relying Party software package that runs as a service which periodically downloads and verifies RPKI data. Available as [services.routinator](#opt-services.routinator.enable).
+- [Routinator 3000](https://nlnetlabs.nl/projects/routing/routinator/), a full-featured RPKI Relying Party software package that runs as a service which periodically downloads and verifies RPKI data.

- [doh-server](https://github.com/m13253/dns-over-https), a high performance DNS over HTTPS server. Available as [services.doh-server](#opt-services.doh-server.enable).
+- [doh-server](https://github.com/m13253/dns-over-https), a high performance DNS over HTTPS server. Available as [services.doh-server](options.html#opt-services.doh-server.enable).

- [ncps](https://github.com/kalbasit/ncps), a Nix binary cache proxy service implemented in Go using [go-nix](https://github.com/nix-community/go-nix). Available as [services.ncps](#opt-services.ncps.enable).
+- [ncps](https://github.com/kalbasit/ncps), a Nix binary cache proxy service implemented in Go using [go-nix](https://github.com/nix-community/go-nix). Available as [services.ncps](options.html#opt-services.ncps.enable).

 - [Readeck](https://readeck.org/), a read-it later web-application. Available as [services.readeck](#opt-services.readeck.enable).

@@ -102,21 +102,21 @@ Alongside many enhancements to NixOS modules and general system improvements, th

 - [Pinchflat](https://github.com/kieraneglin/pinchflat), a selfhosted YouTube media manager used to track channels and download videos on release. Available as [services.pinchflat](#opt-services.pinchflat.enable).

- [Amazon CloudWatch Agent](https://github.com/aws/amazon-cloudwatch-agent), the official telemetry collector for AWS CloudWatch and AWS X-Ray. Available as [services.amazon-cloudwatch-agent](#opt-services.amazon-cloudwatch-agent.enable).
+- [Amazon CloudWatch Agent](https://github.com/aws/amazon-cloudwatch-agent), the official telemetry collector for AWS CloudWatch and AWS X-Ray. Available as [services.amazon-cloudwatch-agent](options.html#opt-services.amazon-cloudwatch-agent.enable).

 - [Fluent Bit](https://github.com/fluent/fluent-bit), a fast Log, Metrics and Traces Processor and Forwarder. Available as [services.fluent-bit](#opt-services.fluent-bit.enable).

- [Bat](https://github.com/sharkdp/bat), a {manpage}`cat(1)` clone with wings. Available as [programs.bat](#opt-programs.bat.enable).
+- [Bat](https://github.com/sharkdp/bat), a {manpage}`cat(1)` clone with wings. Available as [programs.bat](options.html#opt-programs.bat).

- [Autotier](https://github.com/45Drives/autotier), a passthrough FUSE filesystem. Available as [services.autotierfs](#opt-services.autotierfs.enable).
+- [Autotier](https://github.com/45Drives/autotier), a passthrough FUSE filesystem. Available as [services.autotierfs](options.html#opt-services.autotierfs.enable).

- [PostgREST](https://postgrest.org), a standalone web server that turns your PostgreSQL database directly into a RESTful API. Available as [services.postgrest](#opt-services.postgrest.enable).
+- [PostgREST](https://postgrest.org), a standalone web server that turns your PostgreSQL database directly into a RESTful API. Available as [services.postgrest](options.html#opt-services.postgrest.enable).

- [postgres-websockets](https://github.com/diogob/postgres-websockets), a middleware that adds websockets capabilities on top of PostgreSQL's asynchronous notifications using LISTEN and NOTIFY commands. Available as [services.postgres-websockets](#opt-services.postgres-websockets.enable).
+- [postgres-websockets](https://github.com/diogob/postgres-websockets), a middleware that adds websockets capabilities on top of PostgreSQL's asynchronous notifications using LISTEN and NOTIFY commands. Available as [services.postgres-websockets](options.html#opt-services.postgres-websockets.enable).

- [µStreamer](https://github.com/pikvm/ustreamer), a lightweight MJPEG-HTTP streamer. Available as [services.ustreamer](#opt-services.ustreamer.enable).
+- [µStreamer](https://github.com/pikvm/ustreamer), a lightweight MJPEG-HTTP streamer. Available as [services.ustreamer](options.html#opt-services.ustreamer).

- [Whoogle Search](https://github.com/benbusby/whoogle-search), a self-hosted, ad-free, privacy-respecting metasearch engine. Available as [services.whoogle-search](#opt-services.whoogle-search.enable).
+- [Whoogle Search](https://github.com/benbusby/whoogle-search), a self-hosted, ad-free, privacy-respecting metasearch engine. Available as [services.whoogle-search](options.html#opt-services.whoogle-search.enable).

 - [autobrr](https://autobrr.com), a modern download automation tool for torrents and usenets. Available as [services.autobrr](#opt-services.autobrr.enable).

@@ -124,31 +124,31 @@ Alongside many enhancements to NixOS modules and general system improvements, th

 - [Froide-Govplan](https://github.com/okfde/froide-govplan), a web application government planer. Available as [services.froide-govplan](#opt-services.froide-govplan.enable).

- [agorakit](https://github.com/agorakit/agorakit), an organization tool for citizens' collectives. Available with [services.agorakit](#opt-services.agorakit.enable).
+- [agorakit](https://github.com/agorakit/agorakit), an organization tool for citizens' collectives. Available with [services.agorakit](options.html#opt-services.agorakit.enable).

 - [vivid](https://github.com/sharkdp/vivid), a generator for `LS_COLOR`. Available as [programs.vivid](#opt-programs.vivid.enable).

- [matrix-alertmanager](https://github.com/jaywink/matrix-alertmanager), a bot to receive Alertmanager webhook events and forward them to chosen Matrix rooms. Available as [services.matrix-alertmanager](#opt-services.matrix-alertmanager.enable).
+- [matrix-alertmanager](https://github.com/jaywink/matrix-alertmanager), a bot to receive Alertmanager webhook events and forward them to chosen Matrix rooms. Available as [services.matrix-alertmanager](options.html#opt-services.matrix-alertmanager.enable).

- [waagent](https://github.com/Azure/WALinuxAgent), the Microsoft Azure Linux Agent (waagent) manages Linux provisioning and VM interaction with the Azure Fabric Controller. Available with [services.waagent](#opt-services.waagent.enable).
+- [waagent](https://github.com/Azure/WALinuxAgent), the Microsoft Azure Linux Agent (waagent) manages Linux provisioning and VM interaction with the Azure Fabric Controller. Available with [services.waagent](options.html#opt-services.waagent.enable).

 - [nfc-nci](https://github.com/StarGate01/ifdnfc-nci), an alternative NFC stack and PC/SC driver for the NXP PN54x chipset, commonly found in Lenovo systems as NXP1001 (NPC300). Available as [hardware.nfc-nci](#opt-hardware.nfc-nci.enable).

- [grav](https://getgrav.org/), a modern flat-file CMS. Available with [services.grav](#opt-services.grav.enable).
+- [grav](https://getgrav.org/), a modern flat-file CMS. Available with [services.grav](options.html#opt-services.grav.enable).

- [duckdns](https://www.duckdns.org), free dynamic DNS. Available with [services.duckdns](#opt-services.duckdns.enable).
+- [duckdns](https://www.duckdns.org), free dynamic DNS. Available with [services.duckdns](options.html#opt-services.duckdns.enable).

- [Zoxide](https://github.com/ajeetdsouza/zoxide), a smarter cd command, inspired by z and autojump. Available as [programs.zoxide](#opt-programs.zoxide.enable).
+- [Zoxide](https://github.com/ajeetdsouza/zoxide), a smarter cd command, inspired by z and autojump. Available as [programs.zoxide](options.html#opt-programs.zoxide.enable).

 - [victorialogs](https://docs.victoriametrics.com/victorialogs/), log database from VictoriaMetrics. Available as [services.victorialogs](#opt-services.victorialogs.enable).

- [gokapi](https://github.com/Forceu/Gokapi), Lightweight selfhosted Firefox Send alternative without public upload. AWS S3 supported. Available with [services.gokapi](#opt-services.gokapi.enable).
+- [gokapi](https://github.com/Forceu/Gokapi), Lightweight selfhosted Firefox Send alternative without public upload. AWS S3 supported. Available with [services.gokapi](options.html#opt-services.gokapi.enable).

- [nostr-rs-relay](https://git.sr.ht/~gheartsfield/nostr-rs-relay/), This is a nostr relay, written in Rust. Available as [services.nostr-rs-relay](#opt-services.nostr-rs-relay.enable).
+- [nostr-rs-relay](https://git.sr.ht/~gheartsfield/nostr-rs-relay/), This is a nostr relay, written in Rust. Available as [services.nostr-rs-relay](options.html#opt-services.nostr-rs-relay.enable).

- [haven](https://github.com/bitvora/haven), is a high availability vault for events on nostr. Available as [services.haven](#opt-services.haven.enable).
+- [haven](https://github.com/bitvora/haven), is a high availability vault for events on nostr. Available as [services.haven](options.html#opt-services.haven.enable).

- [strfry](https://github.com/hoytech/strfry), a relay for the nostr protocol. Available as [services.strfry](#opt-services.strfry.enable).
+- [strfry](https://github.com/hoytech/strfry), a relay for the nostr protocol. Available as [services.strfry](options.html#opt-services.strfry.enable).

 - [Prometheus Node Cert Exporter](https://github.com/amimof/node-cert-exporter), a prometheus exporter to check for SSL cert expiry. Available as [services.prometheus.exporters.node-cert](#opt-services.prometheus.exporters.node-cert.enable).

@@ -172,9 +172,9 @@ Alongside many enhancements to NixOS modules and general system improvements, th

 - [Fider](https://fider.io/), an open platform to collect and prioritize feedback. Available as [services.fider](#opt-services.fider.enable).

- [PDS](https://github.com/bluesky-social/pds), Personal Data Server for [bsky](https://bsky.social/). Available as [services.pds](#opt-services.pds.enable).
+- [PDS](https://github.com/bluesky-social/pds), Personal Data Server for [bsky](https://bsky.social/). Available as [services.pds](option.html#opt-services.pds).

- [Anubis](https://github.com/TecharoHQ/anubis), a scraper defense software. Available as [services.anubis](#opt-services.anubis.defaultOptions).
+- [Anubis](https://github.com/TecharoHQ/anubis), a scraper defense software. Available as [services.anubis](options.html#opt-services.anubis).

 - [synapse-auto-compressor](https://github.com/matrix-org/rust-synapse-compress-state?tab=readme-ov-file#automated-tool-synapse_auto_compressor), a rust-based matrix-synapse state compressor for postgresql. Available as [services.synapse-auto-compressor](#opt-services.synapse-auto-compressor.enable).

@@ -196,23 +196,21 @@ Alongside many enhancements to NixOS modules and general system improvements, th

 - [`g3proxy`](https://github.com/bytedance/g3), an open source enterprise forward proxy from ByteDance, similar to Squid or tinyproxy. Available as [services.g3proxy](#opt-services.g3proxy.enable).

- [OpenCloud](https://opencloud.eu/), an open-source, modern file-sync and sharing platform. It is a fork of oCIS, a ground-up rewrite of the well-known PHP-based NextCloud server. Available as [services.opencloud](#opt-services.opencloud.enable).
-
 - [echoip](https://github.com/mpolden/echoip), a simple service for looking up your IP address. Available as [services.echoip](#opt-services.echoip.enable).

 - [whoami](https://github.com/traefik/whoami), a tiny Go server that prints OS information and HTTP request to output. Available as [services.whoami](#opt-services.whoami.enable).

 - [LiteLLM](https://github.com/BerriAI/litellm), a LLM Gateway to provide model access, fallbacks and spend tracking across 100+ LLMs. All in the OpenAI format. Available as [services.litellm](#opt-services.litellm.enable).

- [Buffyboard](https://gitlab.postmarketos.org/postmarketOS/buffybox/-/tree/master/buffyboard), a framebuffer on-screen keyboard. Available as [services.buffyboard](#opt-services.buffyboard.enable).
+- [Buffyboard](https://gitlab.postmarketos.org/postmarketOS/buffybox/-/tree/master/buffyboard), a framebuffer on-screen keyboard. Available as [services.buffyboard](option.html#opt-services.buffyboard).

 - [KanBoard](https://github.com/kanboard/kanboard), a project management tool that focuses on the Kanban methodology. Available as [services.kanboard](#opt-services.kanboard.enable).

 - [git-worktree-switcher](https://github.com/mateusauler/git-worktree-switcher), switch between git worktrees with speed. Available as [programs.git-worktree-switcher](#opt-programs.git-worktree-switcher.enable).

- [GLPI-Agent](https://github.com/glpi-project/glpi-agent), GLPI Agent. Available as [services.glpiAgent](#opt-services.glpiAgent.enable).
+- [GLPI-Agent](https://github.com/glpi-project/glpi-agent), GLPI Agent. Available as [services.glpiAgent](options.html#opt-services.glpiAgent.enable).

- [pgBackRest](https://pgbackrest.org), a reliable backup and restore solution for PostgreSQL. Available as [services.pgbackrest](#opt-services.pgbackrest.enable).
+- [pgBackRest](https://pgbackrest.org), a reliable backup and restore solution for PostgreSQL. Available as [services.pgbackrest](options.html#opt-services.pgbackrest.enable).

 - [Recyclarr](https://github.com/recyclarr/recyclarr) a TRaSH Guides synchronizer for Sonarr and Radarr. Available as [services.recyclarr](#opt-services.recyclarr.enable).

@@ -232,7 +230,7 @@ Alongside many enhancements to NixOS modules and general system improvements, th

 - [bitbox-bridge](https://github.com/BitBoxSwiss/bitbox-bridge), a bridge software that connects BitBox hardware wallets to computers & web wallets like [Rabby](https://rabby.io/). Allows one to interact & transact with smart contracts, Web3 websites & financial services without storing private keys anywhere other than the hardware wallet. Available as [services.bitbox-bridge](#opt-services.bitbox-bridge.enable).

- [GoDNS](https://github.com/TimothyYe/godns), a dynamic DNS client written in Go, which supports multiple DNS providers. Available as [services.godns](#opt-services.godns.enable).
+- [GoDNS](https://github.com/TimothyYe/godns), a dynamic DNS client written in Go, which supports multiple DNS providers. Available as [services.godns](option.html#opt-services.godns.enable).

 - [CookCLI](https://cooklang.org/cli/) Server, a web UI for cooklang recipes. Available as [services.cook-cli](#opt-services.cook-cli.enable).

@@ -258,7 +256,7 @@ Alongside many enhancements to NixOS modules and general system improvements, th
  - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
  - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.11, `pkgs.nextcloud30` will be installed by default.
  - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.05, `pkgs.nextcloud31` will be installed by default.
-  - Please note that an upgrade from v29 (or older) to v31 directly is not possible. Please upgrade to `nextcloud30` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud30;`](#opt-services.nextcloud.package).
+  - Please note that an upgrade from v29 (or older) to v31 directly is not possible. Please upgrade to `nextcloud30` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud30;`](options.html#opt-services.nextcloud.package).

 - `services.cloudflare-dyndns.apiTokenFile` now must be just your Cloudflare api token. Previously it was supposed to be a file of the form `CLOUDFLARE_API_TOKEN=...`.

@@ -446,7 +444,7 @@ Alongside many enhancements to NixOS modules and general system improvements, th

 - [`system.stateVersion`](#opt-system.stateVersion) is now validated and must be in the `"YY.MM"` format, ideally corresponding to a prior NixOS release.

- [`hardware.xone`](#opt-hardware.xone.enable) will also enable [`hardware.xpad-noone`](#opt-hardware.xpad-noone.enable) to provide Xbox 360 driver by default.
+- [`hardware.xone`](options.html#opt-hardware.xone.enable) will also enable [`hardware.xpad-noone`](options.html#opt-hardware.xpad-noone.enable) to provide Xbox 360 driver by default.

 - `services.mysql` now supports easy cluster setup via [`services.mysql.galeraCluster`](#opt-services.mysql.galeraCluster.enable) option.

@@ -515,8 +513,6 @@ Alongside many enhancements to NixOS modules and general system improvements, th

 - `bind.cacheNetworks` now only controls access for recursive queries, where it previously controlled access for all queries.

- The [Starship](https://starship.rs) module now automatically loads the starship prompt when using [`xonsh`](https://xon.sh).
-
 - [`services.mongodb.enableAuth`](#opt-services.mongodb.enableAuth) now uses the newer [mongosh](https://github.com/mongodb-js/mongosh) shell instead of the legacy shell to configure the initial superuser. You can configure the mongosh package to use through the [`services.mongodb.mongoshPackage`](#opt-services.mongodb.mongoshPackage) option.

 - There is a new set of NixOS test tools for testing virtual Wi-Fi networks in many different topologies. See the {option}`services.vwifi` module, {option}`services.kismet` NixOS test, and [manual](https://nixos.org/manual/nixpkgs/unstable/#sec-nixos-test-wifi) for documentation and examples.
@@ -525,7 +521,7 @@ Alongside many enhancements to NixOS modules and general system improvements, th

 - Exposed the `paperless-manage` script package via the `services.paperless.manage` read-only option.

- New options for the declarative configuration of the user space part of ALSA have been introduced under [hardware.alsa](#opt-hardware.alsa.enable), including setting the default capture and playback device, defining sound card aliases and volume controls.
+- New options for the declarative configuration of the user space part of ALSA have been introduced under [hardware.alsa](options.html#opt-hardware.alsa.enable), including setting the default capture and playback device, defining sound card aliases and volume controls.
  Note: these are intended for users not running a sound server like PulseAudio or PipeWire, but having ALSA as their only sound system.

 - `services.k3s` now provides the `autoDeployCharts` option that allows to automatically deploy Helm charts via the k3s Helm controller.
@@ -543,11 +539,6 @@ Alongside many enhancements to NixOS modules and general system improvements, th

 - A toggle has been added under `users.users.<name>.enable` to allow toggling individual users conditionally. If set to false, the user account will not be created.

- New hooks were added:
-  - `writableTmpDirAsHomeHook`: This setup hook ensures that the directory specified by the `HOME` environment variable is writable.
-  - `addBinToPathHook`: This setup hook checks if the `bin/` directory exists in the `$out` output path and, if so, adds it to the `PATH` environment variable.
-  - `gitSetupHook`: This setup hook sets up a valid Git configuration, including the `user.name` and `user.email` fields.
-
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

 ## NixOS Wiki {#sec-release-25.05-wiki}
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -1,10 +1,10 @@
-# Release 25.11 ("Xantusia", 2025.11/??) {#sec-release-25.11}
+# Release 25.11 (2025.11/??) {#sec-release-25.11}

 ## Highlights {#sec-release-25.11-highlights}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- Secure boot support can now be enabled for the Limine bootloader through {option}`boot.loader.limine.secureBoot.enable`. Bootloader install script signs the bootloader, then kernels are hashed during system rebuild and written to a config. This allows Limine to boot only the kernels installed through NixOS system.
+- Create the first release note entry in this section!

 ## New Modules {#sec-release-25.11-new-modules}

@@ -12,28 +12,14 @@

 - [gtklock](https://github.com/jovanlanik/gtklock), a GTK-based lockscreen for Wayland. Available as [programs.gtklock](#opt-programs.gtklock.enable).

- [FileBrowser](https://filebrowser.org/), a web application for managing and sharing files. Available as [services.filebrowser](#opt-services.filebrowser.enable).
-
- [LACT](https://github.com/ilya-zlobintsev/LACT), a GPU monitoring and configuration tool, can now be enabled through [services.lact.enable](#opt-services.lact.enable).
-  Note that for LACT to work properly on AMD GPU systems, you need to enable [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable).
-
- [SuiteNumérique Docs](https://github.com/suitenumerique/docs), a collaborative note taking, wiki and documentation web platform and alternative to Notion or Outline. Available as [services.lasuite-docs](#opt-services.lasuite-docs.enable).
-
 ## Backward Incompatibilities {#sec-release-25.11-incompatibilities}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- The `services.polipo` module has been removed as `polipo` is unmaintained and archived upstream.
-
- The Pocket ID module ([`services.pocket-id`][#opt-services.pocket-id.enable]) and package (`pocket-id`) has been updated to 1.0.0. Some environment variables have been changed or removed, see the [migration guide](https://pocket-id.org/docs/setup/migrate-to-v1/).
-
- `renovate` was updated to v40. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/40.0.0) for breaking changes.
+- Create the first release note entry in this section!

 ## Other Notable Changes {#sec-release-25.11-notable-changes}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- `services.clamsmtp` is unmaintained and was removed from Nixpkgs.
-
- `amdgpu` kernel driver overdrive mode can now be enabled by setting [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable) and customized through [hardware.amdgpu.overdrive.ppfeaturemask](#opt-hardware.amdgpu.overdrive.ppfeaturemask).
-  This allows for fine-grained control over the GPU's performance and maybe required by overclocking softwares like Corectrl and Lact. These new options replace old options such as {option}`programs.corectrl.gpuOverclock.enable` and {option}`programs.tuxclocker.enableAMD`.
+- Create the first release note entry in this section!
--- a/nixos/lib/make-disk-image.nix
+++ b/nixos/lib/make-disk-image.nix
@@ -39,14 +39,6 @@

  This partition layout is unsuitable for UEFI.

-  #### `legacy+boot`
-
-  The image is partitioned using MBR and:
-  - creates a FAT32 BOOT partition from 1MiB to specified `bootSize` parameter (256MiB by default), set it bootable ;
-  - creates a primary ext4 partition starting after the boot partition and extending to the full disk image
-
-  This partition layout is unsuitable for UEFI.
-
  #### `legacy+gpt`

  This partition table type uses GPT and:
@@ -114,7 +106,7 @@
  additionalSpace ? "512M",

  # size of the boot partition, is only used if partitionTableType is
-  # either "efi", "hybrid", or "legacy+boot"
+  # either "efi" or "hybrid"
  # This will be undersized slightly, as this is actually the offset of
  # the end of the partition. Generally it will be 1MiB smaller.
  bootSize ? "256M",
@@ -205,7 +197,6 @@
 assert (
  lib.assertOneOf "partitionTableType" partitionTableType [
    "legacy"
-    "legacy+boot"
    "legacy+gpt"
    "efi"
    "efixbootldr"
@@ -269,7 +260,6 @@ let
    {
      # switch-case
      legacy = "1";
-      "legacy+boot" = "2";
      "legacy+gpt" = "2";
      efi = "2";
      efixbootldr = "3";
@@ -286,14 +276,6 @@ let
          mkpart primary ext4 1MiB 100% \
          print
      '';
-      "legacy+boot" = ''
-        parted --script $diskImage -- \
-          mklabel msdos \
-          mkpart primary fat32 1MiB $bootSizeMiB \
-          set 1 boot on \
-          mkpart primary ext4 $bootSizeMiB 100% \
-          print
-      '';
      "legacy+gpt" = ''
        parted --script $diskImage -- \
          mklabel gpt \
@@ -558,12 +540,6 @@ let
                # Add the 1MiB aligned reserved space (includes MBR)
                reservedSpace=$(( mebibyte ))
              ''
-            else if partitionTableType == "legacy+boot" then
-              ''
-                # The explanation from the above "efi" case applies here too,
-                # but gptSpace is not needed without a GPT.
-                reservedSpace=$(( bootSize ))
-              ''
            else
              ''
                reservedSpace=0
@@ -718,11 +694,6 @@ let

          ${lib.optionalString touchEFIVars "mount -t efivarfs efivarfs /sys/firmware/efi/efivars"}
        ''}
-        ${lib.optionalString (partitionTableType == "legacy+boot") ''
-          mkdir -p /mnt/boot
-          mkfs.vfat -n BOOT /dev/vda1
-          mount /dev/vda1 /mnt/boot
-        ''}

        # Install a configuration.nix
        mkdir -p /mnt/etc/nixos
@@ -731,28 +702,19 @@ let
        ''}

        ${lib.optionalString installBootLoader ''
-          # In this throwaway resource, we only have /dev/vda, but the actual VM may refer to another disk for bootloader, e.g. /dev/vdb
-          # Use this option to create a symlink from vda to any arbitrary device you want.
-          ${lib.optionalString (config.boot.loader.grub.enable) (
-            lib.concatMapStringsSep " " (
-              device:
-              lib.optionalString (device != "/dev/vda") ''
-                mkdir -p "$(dirname ${device})"
-                ln -s /dev/vda ${device}
-              ''
-            ) config.boot.loader.grub.devices
-          )}
-          ${
-            let
-              limine = config.boot.loader.limine;
-            in
-            lib.optionalString (limine.enable && limine.biosSupport && limine.biosDevice != "/dev/vda") ''
-              mkdir -p "$(dirname ${limine.biosDevice})"
-              ln -s /dev/vda ${limine.biosDevice}
-            ''
-          }
+            # In this throwaway resource, we only have /dev/vda, but the actual VM may refer to another disk for bootloader, e.g. /dev/vdb
+            # Use this option to create a symlink from vda to any arbitrary device you want.
+            ${lib.optionalString (config.boot.loader.grub.enable) (
+              lib.concatMapStringsSep " " (
+                device:
+                lib.optionalString (device != "/dev/vda") ''
+                  mkdir -p "$(dirname ${device})"
+                  ln -s /dev/vda ${device}
+                ''
+              ) config.boot.loader.grub.devices
+            )}

-          # Set up core system link, bootloader (sd-boot, GRUB, uboot, etc.), etc.
+            # Set up core system link, bootloader (sd-boot, GRUB, uboot, etc.), etc.

          # NOTE: systemd-boot-builder.py calls nix-env --list-generations which
          # clobbers $HOME/.nix-defexpr/channels/nixos This would cause a  folder
--- a/nixos/lib/make-squashfs.nix
+++ b/nixos/lib/make-squashfs.nix
@@ -55,8 +55,7 @@ stdenv.mkDerivation {
    + ''

      # Generate the squashfs image.
-      # We have to set SOURCE_DATE_EPOCH to 0 here for reproducibility (https://github.com/NixOS/nixpkgs/issues/390696)
-      SOURCE_DATE_EPOCH=0 mksquashfs nix-path-registration $(cat $closureInfo/store-paths) $imgPath ${pseudoFilesArgs} \
+      mksquashfs nix-path-registration $(cat $closureInfo/store-paths) $imgPath ${pseudoFilesArgs} \
        -no-hardlinks ${lib.optionalString noStrip "-no-strip"} -keep-as-directory -all-root -b 1048576 ${compFlag} \
        -processors $NIX_BUILD_CORES -root-mode 0755
    ''
--- a/nixos/modules/config/nix-channel.nix
+++ b/nixos/modules/config/nix-channel.nix
@@ -71,7 +71,7 @@ in
      defaultChannel = mkOption {
        internal = true;
        type = types.str;
-        default = "https://nixos.org/channels/nixos-unstable";
+        default = "https://nixos.org/channels/nixos-25.05";
        description = "Default NixOS channel to which the root user is subscribed.";
      };
    };
--- a/nixos/modules/config/swap.nix
+++ b/nixos/modules/config/swap.nix
@@ -277,7 +277,6 @@ in
            # avoid this race condition.
            after = [ "systemd-modules-load.service" ];
            wantedBy = [ "${realDevice'}.swap" ];
-            requiredBy = lib.optionals sw.randomEncryption.enable [ "${realDevice'}.swap" ];
            before = [
              "${realDevice'}.swap"
              "shutdown.target"
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -477,7 +477,7 @@ let
        (mkIf config.isNormalUser {
          group = mkDefault "users";
          createHome = mkDefault true;
-          home = mkDefault "${cfg.defaultUserHome}/${config.name}";
+          home = mkDefault "/home/${config.name}";
          homeMode = mkDefault "700";
          useDefaultShell = mkDefault true;
          isSystemUser = mkDefault false;
@@ -753,14 +753,6 @@ in
      '';
    };

-    users.defaultUserHome = mkOption {
-      type = types.str;
-      default = "/home";
-      description = ''
-        The default home directory for normal users.
-      '';
-    };
-
    # systemd initrd
    boot.initrd.systemd.users = mkOption {
      description = ''
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .11
 .05