netboot: add bootloader-related stuff only if they are available on host platform

.github/CODEOWNERS

@@ -58,9 +58,13 @@
 /maintainers/scripts/db-to-md.sh @jtojnar @ryantm
 /maintainers/scripts/doc @jtojnar @ryantm
 
+/doc/* @fricklerhandwerk
 /doc/build-aux/pandoc-filters @jtojnar
+/doc/builders/trivial-builders.chapter.md @fricklerhandwerk
 /doc/contributing/ @fricklerhandwerk
 /doc/contributing/contributing-to-documentation.chapter.md @jtojnar @fricklerhandwerk
+/doc/stdenv @fricklerhandwerk
+/doc/using @fricklerhandwerk
 
 # NixOS Internals
 /nixos/default.nix                                    @infinisil
@@ -298,9 +302,9 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /doc/languages-frameworks/javascript.section.md @winterqt
 
 # OCaml
-/pkgs/build-support/ocaml           @ulrikstrid
-/pkgs/development/compilers/ocaml   @ulrikstrid
-/pkgs/development/ocaml-modules     @ulrikstrid
+/pkgs/build-support/ocaml           @romildo @ulrikstrid
+/pkgs/development/compilers/ocaml   @romildo @ulrikstrid
+/pkgs/development/ocaml-modules     @romildo @ulrikstrid
 
 # ZFS
 pkgs/os-specific/linux/zfs                @raitobezarius

CONTRIBUTING.md

@@ -66,12 +66,9 @@ Useful git commands that can help a lot with this are `git commit --patch --amen
 From time to time, changes between branches must be rebased, for example, if the
 number of new rebuilds they would cause is too large for the target branch. When
 rebasing, care must be taken to include only the intended changes, otherwise
-many CODEOWNERS will be inadvertently requested for review. To achieve this,
+many CODEOWNERS will be inadvertently requested for review.  To achieve this,
 rebasing should not be performed directly on the target branch, but on the merge
-base between the current and target branch. As an additional precautionary measure,
-you should temporarily mark the PR as draft for the duration of the operation.
-This reduces the probability of mass-pinging people. (OfBorg might still
-request a couple of persons for reviews though.)
+base between the current and target branch.
 
 In the following example, we assume that the current branch, called `feature`,
 is based on `master`, and we rebase it onto the merge base between
@@ -105,36 +102,6 @@ git status
 git push origin feature --force-with-lease
 ```
 
-### Something went wrong and a lot of people were pinged
-
-It happens. Remember to be kind, especially to new contributors.
-There is no way back, so the pull request should be closed and locked
-(if possible). The changes should be re-submitted in a new PR, in which the people
-originally involved in the conversation need to manually be pinged again.
-No further discussion should happen on the original PR, as a lot of people
-are now subscribed to it.
-
-The following message (or a version thereof) might be left when closing to
-describe the situation, since closing and locking without any explanation
-is kind of rude:
-
-```markdown
-It looks like you accidentally mass-pinged a bunch of people, which are now subscribed
-and getting notifications for everything in this pull request. Unfortunately, they
-cannot be automatically unsubscribed from the issue (removing review request does not
-unsubscribe), therefore development cannot continue in this pull request anymore.
-
-Please open a new pull request with your changes, link back to this one and ping the
-people actually involved in here over there.
-
-In order to avoid this in the future, there are instructions for how to properly
-rebase between branches in our [contribution guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#rebasing-between-branches-ie-from-master-to-staging).
-Setting your pull request to draft prior to rebasing is strongly recommended.
-In draft status, you can preview the list of people that are about to be requested
-for review, which allows you to sidestep this issue.
-This is not a bulletproof method though, as OfBorg still does review requests even on draft PRs.
-```
-
 ## Backporting changes
 
 Follow these steps to backport a change into a release branch in compliance with the [commit policy](https://nixos.org/nixpkgs/manual/#submitting-changes-stable-release-branches).

doc/Makefile

@@ -66,13 +66,18 @@ out/html/index.html: doc-support/result manual-full.xml style.css highlightjs
 	cp doc-support/result/xsl/docbook/images/callouts/*.svg out/html/images/callouts/
 	chmod u+w -R out/html/
 
-out/epub/manual.epub: epub.xml
+out/epub/manual.epub: manual-full.xml
 	mkdir -p out/epub/scratch
 	xsltproc --nonet \
 		--output out/epub/scratch/ \
 		doc-support/result/epub.xsl \
-		./epub.xml
+		./manual-full.xml
 
+	cp -r $(pandoc_media_dir) out/epub/scratch/OEBPS
+	cp ./overrides.css out/epub/scratch/OEBPS
+	cp ./style.css out/epub/scratch/OEBPS
+	mkdir -p out/epub/scratch/OEBPS/images/callouts/
+	cp doc-support/result/xsl/docbook/images/callouts/*.svg out/epub/scratch/OEBPS/images/callouts/
 	echo "application/epub+zip" > mimetype
 	zip -0Xq "out/epub/manual.epub" mimetype
 	rm mimetype

doc/builders/fetchers.chapter.md

@@ -132,16 +132,11 @@ A number of fetcher functions wrap part of `fetchurl` and `fetchzip`. They are m
 
 `fetchFromGitHub` expects four arguments. `owner` is a string corresponding to the GitHub user or organization that controls this repository. `repo` corresponds to the name of the software repository. These are located at the top of every GitHub HTML page as `owner`/`repo`. `rev` corresponds to the Git commit hash or tag (e.g `v1.0`) that will be downloaded from Git. Finally, `hash` corresponds to the hash of the extracted directory. Again, other hash algorithms are also available, but `hash` is currently preferred.
 
-To use a different GitHub instance, use `githubBase` (defaults to `"github.com"`).
-
 `fetchFromGitHub` uses `fetchzip` to download the source archive generated by GitHub for the specified revision. If `leaveDotGit`, `deepClone` or `fetchSubmodules` are set to `true`, `fetchFromGitHub` will use `fetchgit` instead. Refer to its section for documentation of these options.
 
 ## `fetchFromGitLab` {#fetchfromgitlab}
 
-This is used with GitLab repositories. It behaves similarly to `fetchFromGitHub`, and expects `owner`, `repo`, `rev`, and `hash`.
-
-To use a specific GitLab instance, use `domain` (defaults to `"gitlab.com"`).
-
+This is used with GitLab repositories. The arguments expected are very similar to `fetchFromGitHub` above.
 
 ## `fetchFromGitiles` {#fetchfromgitiles}
 
@@ -149,7 +144,7 @@ This is used with Gitiles repositories. The arguments expected are similar to `f
 
 ## `fetchFromBitbucket` {#fetchfrombitbucket}
 
-This is used with BitBucket repositories. The arguments expected are very similar to `fetchFromGitHub` above.
+This is used with BitBucket repositories. The arguments expected are very similar to fetchFromGitHub above.
 
 ## `fetchFromSavannah` {#fetchfromsavannah}
 

doc/builders/special/darwin-builder.section.md

@@ -62,7 +62,7 @@ builders-use-substitutes = true
 $ sudo launchctl kickstart -k system/org.nixos.nix-daemon
 ```
 
-## Example flake usage {#sec-darwin-builder-example-flake}
+## Example flake usage
 
 ```
 {
@@ -120,7 +120,7 @@ $ sudo launchctl kickstart -k system/org.nixos.nix-daemon
 }
 ```
 
-## Reconfiguring the builder {#sec-darwin-builder-reconfiguring}
+## Reconfiguring the builder
 
 Initially you should not change the builder configuration else you will not be
 able to use the binary cache. However, after you have the builder running locally

doc/builders/special/makesetuphook.section.md

@@ -12,7 +12,7 @@ pkgs.makeSetupHook {
 } ./script.sh
 ```
 
-### setup hook that depends on the hello package and runs hello and @shell@ is substituted with path to bash {#sec-pkgs.makeSetupHook-usage-example}
+#### setup hook that depends on the hello package and runs hello and @shell@ is substituted with path to bash {#sec-pkgs.makeSetupHook-usage-example}
 
 ```nix
 pkgs.makeSetupHook {

doc/builders/special/vm-tools.section.md

@@ -6,7 +6,7 @@ A set of VM related utilities, that help in building some packages in more advan
 
 A bash script fragment that produces a disk image at `destination`.
 
-### Attributes {#vm-tools-createEmptyImage-attributes}
+### Attributes
 
 * `size`. The disk size, in MiB.
 * `fullName`. Name that will be written to `${destination}/nix-support/full-name`.
@@ -20,14 +20,14 @@ Thus, any pure Nix derivation should run unmodified.
 
 If the build fails and Nix is run with the `-K/--keep-failed` option, a script `run-vm` will be left behind in the temporary build directory that allows you to boot into the VM and debug it interactively.
 
-### Attributes {#vm-tools-runInLinuxVM-attributes}
+### Attributes
 
 * `preVM` (optional). Shell command to be evaluated *before* the VM is started (i.e., on the host).
 * `memSize` (optional, default `512`). The memory size of the VM in MiB.
 * `diskImage` (optional). A file system image to be attached to `/dev/sda`.
   Note that currently we expect the image to contain a filesystem, not a full disk image with a partition table etc.
 
-### Examples {#vm-tools-runInLinuxVM-examples}
+### Examples
 
 Build the derivation hello inside a VM:
 ```nix
@@ -56,13 +56,13 @@ runInLinuxVM (hello.overrideAttrs (_: {
 
 Takes a file, such as an ISO, and extracts its contents into the store.
 
-### Attributes {#vm-tools-extractFs-attributes}
+### Attributes
 
 * `file`. Path to the file to be extracted.
   Note that currently we expect the image to contain a filesystem, not a full disk image with a partition table etc.
 * `fs` (optional). Filesystem of the contents of the file.
 
-### Examples {#vm-tools-extractFs-examples}
+### Examples
 
 Extract the contents of an ISO file:
 ```nix
@@ -82,7 +82,7 @@ Like [](#vm-tools-runInLinuxVM), but instead of using `stdenv` from the Nix stor
 
 Generate a script that can be used to run an interactive session in the given image.
 
-### Examples {#vm-tools-makeImageTestScript-examples}
+### Examples
 
 Create a script for running a Fedora 27 VM:
 ```nix
@@ -100,7 +100,7 @@ makeImageTestScript diskImages.ubuntu2004x86_64
 
 A set of functions that build a predefined set of minimal Linux distributions images.
 
-### Images {#vm-tools-diskImageFuns-images}
+### Images
 
 * Fedora
   * `fedora26x86_64`
@@ -126,12 +126,12 @@ A set of functions that build a predefined set of minimal Linux distributions im
   * `debian11i386`
   * `debian11x86_64`
 
-### Attributes {#vm-tools-diskImageFuns-attributes}
+### Attributes
 
 * `size` (optional, defaults to `4096`). The size of the image, in MiB.
 * `extraPackages` (optional). A list names of additional packages from the distribution that should be included in the image.
 
-### Examples {#vm-tools-diskImageFuns-examples}
+### Examples
 
 8GiB image containing Firefox in addition to the default packages:
 ```nix

doc/builders/testers.chapter.md

@@ -1,5 +1,5 @@
 # Testers {#chap-testers}
-This chapter describes several testing builders which are available in the `testers` namespace.
+This chapter describes several testing builders which are available in the <literal>testers</literal> namespace.
 
 ## `hasPkgConfigModule` {#tester-hasPkgConfigModule}
 

doc/contributing/coding-conventions.chapter.md

@@ -220,9 +220,7 @@ There are a few naming guidelines:
 
 - The `version` attribute _must_ start with a digit e.g`"0.3.1rc2".
 
-- If a package is a commit from a repository without a version assigned, then the `version` attribute _should_ be the latest upstream version preceding that commit, followed by `-unstable-` and the date of the (fetched) commit. The date _must_ be in `"YYYY-MM-DD"` format.
-
-Example: Given a project had its latest releases `2.2` in November 2021, and `3.0` in January 2022, a commit authored on March 15, 2022 for an upcoming bugfix release `2.2.1` would have `version = "2.2-unstable-2022-03-15"`.
+- If a package is not a release but a commit from a repository, then the `version` attribute _must_ be the date of that (fetched) commit. The date _must_ be in `"unstable-YYYY-MM-DD"` format.
 
 - Dashes in the package `pname` _should_ be preserved in new variable names, rather than converted to underscores or camel cased — e.g., `http-parser` instead of `http_parser` or `httpParser`. The hyphenated style is preferred in all three package names.
 

doc/contributing/reviewing-contributions.chapter.md

@@ -12,7 +12,7 @@ When reviewing a pull request, please always be nice and polite. Controversial c
 
 GitHub provides reactions as a simple and quick way to provide feedback to pull requests or any comments. The thumb-down reaction should be used with care and if possible accompanied with some explanation so the submitter has directions to improve their contribution.
 
-Pull request reviews should include a list of what has been reviewed in a comment, so other reviewers and mergers can know the state of the review.
+pull request reviews should include a list of what has been reviewed in a comment, so other reviewers and mergers can know the state of the review.
 
 All the review template samples provided in this section are generic and meant as examples. Their usage is optional and the reviewer is free to adapt them to their liking.
 
@@ -201,7 +201,7 @@ checks should be performed:
     them to either recommit using that key or to remove their key
     information.
 
-    Given a maintainer entry like this:
+    Given a maintainter entry like this:
 
     ``` nix
     {

doc/default.nix

@@ -20,33 +20,7 @@ in pkgs.stdenv.mkDerivation {
     ln -s ${doc-support} ./doc-support/result
   '';
 
-  epub = ''
-    <book xmlns="http://docbook.org/ns/docbook"
-          xmlns:xlink="http://www.w3.org/1999/xlink"
-          version="5.0"
-          xml:id="nixpkgs-manual">
-      <info>
-        <title>Nixpkgs Manual</title>
-        <subtitle>Version ${pkgs.lib.version}</subtitle>
-      </info>
-      <chapter>
-        <title>Temporarily unavailable</title>
-        <para>
-          The Nixpkgs manual is currently not available in EPUB format,
-          please use the <link xlink:href="https://nixos.org/nixpkgs/manual">HTML manual</link>
-          instead.
-        </para>
-        <para>
-          If you've used the EPUB manual in the past and it has been useful to you, please
-          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/237234">let us know</link>.
-        </para>
-      </chapter>
-    </book>
-  '';
-  passAsFile = [ "epub" ];
-
   preBuild = ''
-    cp $epubPath epub.xml
     make -j$NIX_BUILD_CORES render-md
   '';
 

doc/functions/generators.section.md

@@ -16,7 +16,7 @@ let
              if v == true then ''"yes"''
         else if v == false then ''"no"''
         else if isString v then ''"${v}"''
-        # and delegates all other values to the default generator
+        # and delegats all other values to the default generator
         else generators.mkValueStringDefault {} v;
     } ":";
   };

doc/hooks/autoconf.section.md

@@ -1,3 +1,4 @@
-# Autoconf {#setup-hook-autoconf}
+
+### Autoconf {#setup-hook-autoconf}
 
 The `autoreconfHook` derivation adds `autoreconfPhase`, which runs autoreconf, libtoolize and automake, essentially preparing the configure script in autotools-based builds. Most autotools-based packages come with the configure script pre-generated, but this hook is necessary for a few packages and when you need to patch the package’s configure scripts.

doc/hooks/automake.section.md

@@ -1,3 +1,4 @@
-# Automake {#setup-hook-automake}
+
+### Automake {#setup-hook-automake}
 
 Adds the `share/aclocal` subdirectory of each build input to the `ACLOCAL_PATH` environment variable.

doc/hooks/autopatchelf.section.md

@@ -1,4 +1,5 @@
-# autoPatchelfHook {#setup-hook-autopatchelfhook}
+
+### autoPatchelfHook {#setup-hook-autopatchelfhook}
 
 This is a special setup hook which helps in packaging proprietary software in that it automatically tries to find missing shared library dependencies of ELF files based on the given `buildInputs` and `nativeBuildInputs`.
 

doc/hooks/breakpoint.section.md

@@ -1,4 +1,5 @@
-# breakpointHook {#breakpointhook}
+
+### breakpointHook {#breakpointhook}
 
 This hook will make a build pause instead of stopping when a failure happens. It prevents nix from cleaning up the build environment immediately and allows the user to attach to a build environment using the `cntr` command. Upon build error it will print instructions on how to use `cntr`, which can be used to enter the environment for debugging. Installing cntr and running the command will provide shell access to the build sandbox of failed build. At `/var/lib/cntr` the sandboxed filesystem is mounted. All commands and files of the system are still accessible within the shell. To execute commands from the sandbox use the cntr exec subcommand. `cntr` is only supported on Linux-based platforms. To use it first add `cntr` to your `environment.systemPackages` on NixOS or alternatively to the root user on non-NixOS systems. Then in the package that is supposed to be inspected, add `breakpointHook` to `nativeBuildInputs`.
 

doc/hooks/cmake.section.md

@@ -1,3 +1,4 @@
-# cmake {#cmake}
+
+### cmake {#cmake}
 
 Overrides the default configure phase to run the CMake command. By default, we use the Make generator of CMake. In addition, dependencies are added automatically to `CMAKE_PREFIX_PATH` so that packages are correctly detected by CMake. Some additional flags are passed in to give similar behavior to configure-based packages. You can disable this hook’s behavior by setting `configurePhase` to a custom value, or by setting `dontUseCmakeConfigure`. `cmakeFlags` controls flags passed only to CMake. By default, parallel building is enabled as CMake supports parallel building almost everywhere. When Ninja is also in use, CMake will detect that and use the ninja generator.

doc/hooks/gdk-pixbuf.section.md

@@ -1,3 +1,4 @@
-# gdk-pixbuf {#setup-hook-gdk-pixbuf}
+
+### gdk-pixbuf {#setup-hook-gdk-pixbuf}
 
 Exports `GDK_PIXBUF_MODULE_FILE` environment variable to the builder. Add librsvg package to `buildInputs` to get svg support. See also the [setup hook description in GNOME platform docs](#ssec-gnome-hooks-gdk-pixbuf).

doc/hooks/ghc.section.md

@@ -1,3 +1,4 @@
-# GHC {#ghc}
+
+### GHC {#ghc}
 
 Creates a temporary package database and registers every Haskell build input in it (TODO: how?).

doc/hooks/gnome.section.md

@@ -1,3 +1,4 @@
-# GNOME platform {#gnome-platform}
+
+### GNOME platform {#gnome-platform}
 
 Hooks related to GNOME platform and related libraries like GLib, GTK and GStreamer are described in [](#sec-language-gnome).

doc/hooks/installShellFiles.section.md

@@ -1,4 +1,5 @@
-# `installShellFiles` {#installshellfiles}
+
+### `installShellFiles` {#installshellfiles}
 
 This hook helps with installing manpages and shell completion files. It exposes 2 shell functions `installManPage` and `installShellCompletion` that can be used from your `postInstall` hook.
 

doc/hooks/libiconv.section.md

@@ -1,3 +1,4 @@
-# libiconv, libintl {#libiconv-libintl}
+
+### libiconv, libintl {#libiconv-libintl}
 
 A few libraries automatically add to `NIX_LDFLAGS` their library, making their symbols automatically available to the linker. This includes libiconv and libintl (gettext). This is done to provide compatibility between GNU Linux, where libiconv and libintl are bundled in, and other systems where that might not be the case. Sometimes, this behavior is not desired. To disable this behavior, set `dontAddExtraLibs`.

doc/hooks/libxml2.section.md

@@ -1,3 +1,4 @@
-# libxml2 {#setup-hook-libxml2}
+
+### libxml2 {#setup-hook-libxml2}
 
 Adds every file named `catalog.xml` found under the `xml/dtd` and `xml/xsl` subdirectories of each build input to the `XML_CATALOG_FILES` environment variable.

doc/hooks/meson.section.md

@@ -1,25 +1,26 @@
-# Meson {#meson}
+
+### Meson {#meson}
 
 Overrides the configure phase to run meson to generate Ninja files. To run these files, you should accompany Meson with ninja. By default, `enableParallelBuilding` is enabled as Meson supports parallel building almost everywhere.
 
-## Variables controlling Meson {#variables-controlling-meson}
+#### Variables controlling Meson {#variables-controlling-meson}
 
-### `mesonFlags` {#mesonflags}
+##### `mesonFlags` {#mesonflags}
 
 Controls the flags passed to meson.
 
-### `mesonBuildType` {#mesonbuildtype}
+##### `mesonBuildType` {#mesonbuildtype}
 
 Which [`--buildtype`](https://mesonbuild.com/Builtin-options.html#core-options) to pass to Meson. We default to `plain`.
 
-### `mesonAutoFeatures` {#mesonautofeatures}
+##### `mesonAutoFeatures` {#mesonautofeatures}
 
 What value to set [`-Dauto_features=`](https://mesonbuild.com/Builtin-options.html#core-options) to. We default to `enabled`.
 
-### `mesonWrapMode` {#mesonwrapmode}
+##### `mesonWrapMode` {#mesonwrapmode}
 
 What value to set [`-Dwrap_mode=`](https://mesonbuild.com/Builtin-options.html#core-options) to. We default to `nodownload` as we disallow network access.
 
-### `dontUseMesonConfigure` {#dontusemesonconfigure}
+##### `dontUseMesonConfigure` {#dontusemesonconfigure}
 
 Disables using Meson’s `configurePhase`.

doc/hooks/ninja.section.md

@@ -1,3 +1,4 @@
-# ninja {#ninja}
+
+### ninja {#ninja}
 
 Overrides the build, install, and check phase to run ninja instead of make. You can disable this behavior with the `dontUseNinjaBuild`, `dontUseNinjaInstall`, and `dontUseNinjaCheck`, respectively. Parallel building is enabled by default in Ninja.

doc/hooks/perl.section.md

@@ -1,3 +1,4 @@
-# Perl {#setup-hook-perl}
+
+### Perl {#setup-hook-perl}
 
 Adds the `lib/site_perl` subdirectory of each build input to the `PERL5LIB` environment variable. For instance, if `buildInputs` contains Perl, then the `lib/site_perl` subdirectory of each input is added to the `PERL5LIB` environment variable.

doc/hooks/pkg-config.section.md

@@ -1,3 +1,4 @@
-# pkg-config {#setup-hook-pkg-config}
+
+### pkg-config {#setup-hook-pkg-config}
 
 Adds the `lib/pkgconfig` and `share/pkgconfig` subdirectories of each build input to the `PKG_CONFIG_PATH` environment variable.

doc/hooks/python.section.md

@@ -1,3 +1,4 @@
-# Python {#setup-hook-python}
+
+### Python {#setup-hook-python}
 
 Adds the `lib/${python.libPrefix}/site-packages` subdirectory of each build input to the `PYTHONPATH` environment variable.

doc/hooks/qt-4.section.md

@@ -1,3 +1,4 @@
-# Qt 4 {#qt-4}
+
+### Qt 4 {#qt-4}
 
 Sets the `QTDIR` environment variable to Qt’s path.

doc/hooks/scons.section.md

@@ -1,3 +1,4 @@
-# scons {#scons}
+
+### scons {#scons}
 
 Overrides the build, install, and check phases. This uses the scons build system as a replacement for make. scons does not provide a configure phase, so everything is managed at build and install time.

doc/hooks/tetex-tex-live.section.md

@@ -1,3 +1,4 @@
-# teTeX / TeX Live {#tetex-tex-live}
+
+### teTeX / TeX Live {#tetex-tex-live}
 
 Adds the `share/texmf-nix` subdirectory of each build input to the `TEXINPUTS` environment variable.

doc/hooks/unzip.section.md

@@ -1,3 +1,4 @@
-# unzip {#unzip}
+
+### unzip {#unzip}
 
 This setup hook will allow you to unzip .zip files specified in `$src`. There are many similar packages like `unrar`, `undmg`, etc.

doc/hooks/validatePkgConfig.section.md

@@ -1,3 +1,4 @@
-# validatePkgConfig {#validatepkgconfig}
+
+### validatePkgConfig {#validatepkgconfig}
 
 The `validatePkgConfig` hook validates all pkg-config (`.pc`) files in a package. This helps catching some common errors in pkg-config files, such as undefined variables.

doc/hooks/waf.section.md

@@ -1,3 +1,4 @@
-# wafHook {#wafhook}
+
+### wafHook {#wafhook}
 
 Overrides the configure, build, and install phases. This will run the “waf” script used by many projects. If `wafPath` (default `./waf`) doesn’t exist, it will copy the version of waf available in Nixpkgs. `wafFlags` can be used to pass flags to the waf script.

doc/hooks/xcbuild.section.md

@@ -1,3 +1,4 @@
-# xcbuildHook {#xcbuildhook}
+
+### xcbuildHook {#xcbuildhook}
 
 Overrides the build and install phases to run the "xcbuild" command. This hook is needed when a project only comes with build files for the XCode build system. You can disable this behavior by setting buildPhase and configurePhase to a custom value. xcbuildFlags controls flags passed only to xcbuild.

doc/languages-frameworks/bower.section.md

@@ -1,6 +1,6 @@
 # Bower {#sec-bower}
 
-[Bower](https://bower.io) is a package manager for web site front-end components. Bower packages (comprising of build artifacts and sometimes sources) are stored in `git` repositories, typically on Github. The package registry is run by the Bower team with package metadata coming from the `bower.json` file within each package.
+[Bower](https://bower.io) is a package manager for web site front-end components. Bower packages (comprising of build artefacts and sometimes sources) are stored in `git` repositories, typically on Github. The package registry is run by the Bower team with package metadata coming from the `bower.json` file within each package.
 
 The end result of running Bower is a `bower_components` directory which can be included in the web app's build process.
 
@@ -41,18 +41,32 @@ The function is implemented in [pkgs/development/bower-modules/generic/default.n
 
 ### Example buildBowerComponents {#ex-buildBowerComponents}
 
-```nix
+```{=docbook}
+<programlisting language="nix">
 bowerComponents = buildBowerComponents {
   name = "my-web-app";
-  generated = ./bower-packages.nix; # note 1
-  src = myWebApp; # note 2
+  generated = ./bower-packages.nix; <co xml:id="ex-buildBowerComponents-1" />
+  src = myWebApp; <co xml:id="ex-buildBowerComponents-2" />
 };
+</programlisting>
 ```
 
 In ["buildBowerComponents" example](#ex-buildBowerComponents) the following arguments are of special significance to the function:
 
-1. `generated` specifies the file which was created by {command}`bower2nix`.
-2. `src` is your project's sources. It needs to contain a {file}`bower.json` file.
+```{=docbook}
+<calloutlist>
+  <callout arearefs="ex-buildBowerComponents-1">
+    <para>
+      <varname>generated</varname> specifies the file which was created by <command>bower2nix</command>.
+    </para>
+    </callout>
+      <callout arearefs="ex-buildBowerComponents-2">
+    <para>
+      <varname>src</varname> is your project's sources. It needs to contain a <filename>bower.json</filename> file.
+    </para>
+  </callout>
+</calloutlist>
+```
 
 `buildBowerComponents` will run Bower to link together the output of `bower2nix`, resulting in a `bower_components` directory which can be used.
 
@@ -77,9 +91,10 @@ gulp.task('build', [], function () {
 
 ### Example Full example — default.nix {#ex-buildBowerComponentsDefaultNix}
 
-```nix
+```{=docbook}
+<programlisting language="nix">
 { myWebApp ? { outPath = ./.; name = "myWebApp"; }
-, pkgs ? import <nixpkgs> {}
+, pkgs ? import &lt;nixpkgs&gt; {}
 }:
 
 pkgs.stdenv.mkDerivation {
@@ -88,29 +103,49 @@ pkgs.stdenv.mkDerivation {
 
   buildInputs = [ pkgs.nodePackages.gulp ];
 
-  bowerComponents = pkgs.buildBowerComponents { # note 1
+  bowerComponents = pkgs.buildBowerComponents { <co xml:id="ex-buildBowerComponentsDefault-1" />
     name = "my-web-app";
     generated = ./bower-packages.nix;
     src = myWebApp;
   };
 
   buildPhase = ''
-    cp --reflink=auto --no-preserve=mode -R $bowerComponents/bower_components . # note 2
-    export HOME=$PWD # note 3
-    ${pkgs.nodePackages.gulp}/bin/gulp build # note 4
+    cp --reflink=auto --no-preserve=mode -R $bowerComponents/bower_components . <co xml:id="ex-buildBowerComponentsDefault-2" />
+    export HOME=$PWD <co xml:id="ex-buildBowerComponentsDefault-3" />
+    ${pkgs.nodePackages.gulp}/bin/gulp build <co xml:id="ex-buildBowerComponentsDefault-4" />
   '';
 
   installPhase = "mv gulpdist $out";
 }
+</programlisting>
 ```
 
 A few notes about [Full example — `default.nix`](#ex-buildBowerComponentsDefaultNix):
 
-1. The result of `buildBowerComponents` is an input to the frontend build.
-2. Whether to symlink or copy the {file}`bower_components` directory depends on the build tool in use.
-   In this case a copy is used to avoid {command}`gulp` silliness with permissions.
-3. {command}`gulp` requires `HOME` to refer to a writeable directory.
-4. The actual build command in this example is {command}`gulp`. Other tools could be used instead.
+```{=docbook}
+<calloutlist>
+  <callout arearefs="ex-buildBowerComponentsDefault-1">
+    <para>
+      The result of <varname>buildBowerComponents</varname> is an input to the frontend build.
+    </para>
+  </callout>
+  <callout arearefs="ex-buildBowerComponentsDefault-2">
+    <para>
+      Whether to symlink or copy the <filename>bower_components</filename> directory depends on the build tool in use. In this case a copy is used to avoid <command>gulp</command> silliness with permissions.
+    </para>
+  </callout>
+  <callout arearefs="ex-buildBowerComponentsDefault-3">
+    <para>
+      <command>gulp</command> requires <varname>HOME</varname> to refer to a writeable directory.
+    </para>
+  </callout>
+  <callout arearefs="ex-buildBowerComponentsDefault-4">
+    <para>
+      The actual build command. Other tools could be used.
+    </para>
+  </callout>
+</calloutlist>
+```
 
 ## Troubleshooting {#ssec-bower2nix-troubleshooting}
 

doc/languages-frameworks/gnome.section.md

@@ -27,7 +27,7 @@ The modules are typically installed to `lib/gio/modules/` directory of a package
 
 In particular, we recommend:
 
-* adding `dconf.lib` for any software on Linux that reads [GSettings](#ssec-gnome-settings) (even transitively through e.g. GTK’s file manager)
+* adding `dconf.lib` for any software on Linux that reads [GSettings](#ssec-gnome-settings) (even transitivily through e.g. GTK’s file manager)
 * adding `glib-networking` for any software that accesses network using GIO or libsoup – glib-networking contains a module that implements TLS support and loads system-wide proxy settings
 
 To allow software to use various virtual file systems, `gvfs` package can be also added. But that is usually an optional feature so we typically use `gvfs` from the system (e.g. installed globally using NixOS module).
@@ -137,15 +137,15 @@ Most GNOME package offer [`updateScript`](#var-passthru-updateScript), it is the
 
 ## Frequently encountered issues {#ssec-gnome-common-issues}
 
-### `GLib-GIO-ERROR **: 06:04:50.903: No GSettings schemas are installed on the system` {#ssec-gnome-common-issues-no-schemas}
+#### `GLib-GIO-ERROR **: 06:04:50.903: No GSettings schemas are installed on the system` {#ssec-gnome-common-issues-no-schemas}
 
 There are no schemas available in `XDG_DATA_DIRS`. Temporarily add a random package containing schemas like `gsettings-desktop-schemas` to `buildInputs`. [`glib`](#ssec-gnome-hooks-glib) and [`wrapGAppsHook`](#ssec-gnome-hooks-wrapgappshook) setup hooks will take care of making the schemas available to application and you will see the actual missing schemas with the [next error](#ssec-gnome-common-issues-missing-schema). Or you can try looking through the source code for the actual schemas used.
 
-### `GLib-GIO-ERROR **: 06:04:50.903: Settings schema ‘org.gnome.foo’ is not installed` {#ssec-gnome-common-issues-missing-schema}
+#### `GLib-GIO-ERROR **: 06:04:50.903: Settings schema ‘org.gnome.foo’ is not installed` {#ssec-gnome-common-issues-missing-schema}
 
 Package is missing some GSettings schemas. You can find out the package containing the schema with `nix-locate org.gnome.foo.gschema.xml` and let the hooks handle the wrapping as [above](#ssec-gnome-common-issues-no-schemas).
 
-### When using `wrapGAppsHook` with special derivers you can end up with double wrapped binaries. {#ssec-gnome-common-issues-double-wrapped}
+#### When using `wrapGAppsHook` with special derivers you can end up with double wrapped binaries. {#ssec-gnome-common-issues-double-wrapped}
 
 This is because derivers like `python.pkgs.buildPythonApplication` or `qt5.mkDerivation` have setup-hooks automatically added that produce wrappers with makeWrapper. The simplest way to workaround that is to disable the `wrapGAppsHook` automatic wrapping with `dontWrapGApps = true;` and pass the arguments it intended to pass to makeWrapper to another.
 
@@ -193,7 +193,7 @@ mkDerivation {
 }
 ```
 
-### I am packaging a project that cannot be wrapped, like a library or GNOME Shell extension. {#ssec-gnome-common-issues-unwrappable-package}
+#### I am packaging a project that cannot be wrapped, like a library or GNOME Shell extension. {#ssec-gnome-common-issues-unwrappable-package}
 
 You can rely on applications depending on the library setting the necessary environment variables but that is often easy to miss. Instead we recommend to patch the paths in the source code whenever possible. Here are some examples:
 
@@ -209,6 +209,6 @@ You can rely on applications depending on the library setting the necessary envi
 
   []{#ssec-gnome-common-issues-unwrappable-package-gsettings-c} [Hard-coding GSettings schema path in C library](https://github.com/NixOS/nixpkgs/blob/29c120c065d03b000224872251bed93932d42412/pkgs/development/libraries/glib-networking/default.nix#L31-L34) – nothing special other than using [Coccinelle patch](https://github.com/NixOS/nixpkgs/pull/67957#issuecomment-527717467) to generate the patch itself.
 
-### I need to wrap a binary outside `bin` and `libexec` directories. {#ssec-gnome-common-issues-weird-location}
+#### I need to wrap a binary outside `bin` and `libexec` directories. {#ssec-gnome-common-issues-weird-location}
 
 You can manually trigger the wrapping with `wrapGApp` in `preFixup` phase. It takes a path to a program as a first argument; the remaining arguments are passed directly to [`wrapProgram`](#fun-wrapProgram) function.

doc/languages-frameworks/haskell.section.md

@@ -1057,7 +1057,7 @@ benchmark component.
 `dontBenchmark drv`
 : Set `doBenchmark` to `false` for `drv`.
 
-`setBuildTargets drv list`
+`setBuildTargets list drv`
 : Sets the `buildTarget` argument for `drv` so that the targets specified in `list` are built.
 
 `doCoverage drv`

doc/languages-frameworks/ios.section.md

@@ -104,7 +104,7 @@ The above function takes a variety of parameters:
   and the location where the source code resides
 * `sdkVersion` specifies which version of the iOS SDK to use.
 
-It also possible to adjust the `xcodebuild` parameters. This is only needed in
+It also possile to adjust the `xcodebuild` parameters. This is only needed in
 rare circumstances. In most cases the default values should suffice:
 
 * Specifies which `xcodebuild` target to build. By default it takes the target
@@ -130,7 +130,7 @@ In addition, you need to set the following parameters:
   store certificates.
 * `generateIPA` specifies that we want to produce an IPA file (this is probably
   what you want)
-* `generateXCArchive` specifies that we want to produce an xcarchive file.
+* `generateXCArchive` specifies thet we want to produce an xcarchive file.
 
 When building IPA files on Hydra and when it is desired to allow iOS devices to
 install IPAs by browsing to the Hydra build products page, you can enable the

doc/languages-frameworks/javascript.section.md

@@ -143,7 +143,7 @@ To update NPM packages in nixpkgs, run the same `generate.sh` script:
 #### Git protocol error {#javascript-git-error}
 
 Some packages may have Git dependencies from GitHub specified with `git://`.
-GitHub has [disabled unencrypted Git connections](https://github.blog/2021-09-01-improving-git-protocol-security-github/#no-more-unauthenticated-git), so you may see the following error when running the generate script:
+GitHub has [disabled unecrypted Git connections](https://github.blog/2021-09-01-improving-git-protocol-security-github/#no-more-unauthenticated-git), so you may see the following error when running the generate script:
 
 ```
 The unauthenticated git protocol on port 9418 is no longer supported

doc/languages-frameworks/python.section.md

@@ -995,7 +995,7 @@ and in this case the `python3` interpreter is automatically used.
 ### Interpreters {#interpreters}
 
 Versions 2.7, 3.8, 3.9, 3.10 and 3.11 of the CPython interpreter are available
-as respectively `python27`, `python38`, `python39`, `python310` and `python311`.
+as respectively `python27`, python38`, `python39`, `python310` and `python311`.
 The aliases `python2` and `python3` correspond to respectively `python27` and
 `python310`. The attribute `python` maps to `python2`. The PyPy interpreters
 compatible with Python 2.7 and 3 are available as `pypy27` and `pypy3`, with

doc/languages-frameworks/qt.section.md

@@ -10,22 +10,37 @@ pure and explicit at build-time, at the cost of introducing an extra indirection
 
 ## Nix expression for a Qt package (default.nix) {#qt-default-nix}
 
-```nix
-{ stdenv, lib, qtbase, wrapQtAppsHook }:
+```{=docbook}
+<programlisting>
+{ stdenv, lib, qtbase, wrapQtAppsHook }: <co xml:id='qt-default-nix-co-1' />
 
 stdenv.mkDerivation {
   pname = "myapp";
   version = "1.0";
 
   buildInputs = [ qtbase ];
-  nativeBuildInputs = [ wrapQtAppsHook ];
+  nativeBuildInputs = [ wrapQtAppsHook ]; <co xml:id='qt-default-nix-co-2' />
 }
+</programlisting>
+
+ <calloutlist>
+  <callout arearefs='qt-default-nix-co-1'>
+   <para>
+    Import Qt modules directly, that is: <literal>qtbase</literal>, <literal>qtdeclarative</literal>, etc.
+    <emphasis>Do not</emphasis> import Qt package sets such as <literal>qt5</literal>
+    because the Qt versions of dependencies may not be coherent, causing build and runtime failures.
+   </para>
+  </callout>
+  <callout arearefs='qt-default-nix-co-2'>
+    <para>
+      All Qt packages must include <literal>wrapQtAppsHook</literal> in
+      <literal>nativeBuildInputs</literal>, or you must explicitly set
+      <literal>dontWrapQtApps</literal>.
+    </para>
+  </callout>
+ </calloutlist>
 ```
 
-It is important to import Qt modules directly, that is: `qtbase`, `qtdeclarative`, etc. *Do not* import Qt package sets such as `qt5` because the Qt versions of dependencies may not be coherent, causing build and runtime failures.
-
-Additionally all Qt packages must include `wrapQtAppsHook` in `nativeBuildInputs`, or you must explicitly set `dontWrapQtApps`.
-
 ## Locating runtime dependencies {#qt-runtime-dependencies}
 
 Qt applications must be wrapped to find runtime dependencies.

doc/stdenv/meta.chapter.md

@@ -70,7 +70,7 @@ A list of the maintainers of this Nix expression. Maintainers are defined in [`n
 
 ### `mainProgram` {#var-meta-mainProgram}
 
-The name of the main binary for the package. This affects the binary `nix run` executes and falls back to the name of the package. Example: `"rg"`
+The name of the main binary for the package. This effects the binary `nix run` executes and falls back to the name of the package. Example: `"rg"`
 
 ### `priority` {#var-meta-priority}
 
@@ -128,7 +128,7 @@ Prefer `passthru.tests` for tests that are introduced in nixpkgs because:
 * we can run `passthru.tests` independently
 * `installCheckPhase` adds overhead to each build
 
-For more on how to write and run package tests, see [](#sec-package-tests).
+For more on how to write and run package tests, see <xref linkend="sec-package-tests"/>.
 
 #### NixOS tests {#var-meta-tests-nixos}
 

doc/stdenv/stdenv.chapter.md

@@ -286,7 +286,7 @@ This is where “sum-like” comes in from above: We can just sum all of the hos
 
 Because of the bounds checks, the uncommon cases are `h = t` and `h + 2 = t`. In the former case, the motivation for `mapOffset` is that since its host and target platforms are the same, no transitive dependency of it should be able to “discover” an offset greater than its reduced target offsets. `mapOffset` effectively “squashes” all its transitive dependencies’ offsets so that none will ever be greater than the target offset of the original `h = t` package. In the other case, `h + 1` is skipped over between the host and target offsets. Instead of squashing the offsets, we need to “rip” them apart so no transitive dependencies’ offset is that one.
 
-Overall, the unifying theme here is that propagation shouldn’t be introducing transitive dependencies involving platforms the depending package is unaware of. \[One can imagine the depending package asking for dependencies with the platforms it knows about; other platforms it doesn’t know how to ask for. The platform description in that scenario is a kind of unforgeable capability.\] The offset bounds checking and definition of `mapOffset` together ensure that this is the case. Discovering a new offset is discovering a new platform, and since those platforms weren’t in the derivation “spec” of the needing package, they cannot be relevant. From a capability perspective, we can imagine that the host and target platforms of a package are the capabilities a package requires, and the depending package must provide the capability to the dependency.
+Overall, the unifying theme here is that propagation shouldn’t be introducing transitive dependencies involving platforms the depending package is unaware of. \[One can imagine the dependending package asking for dependencies with the platforms it knows about; other platforms it doesn’t know how to ask for. The platform description in that scenario is a kind of unforagable capability.\] The offset bounds checking and definition of `mapOffset` together ensure that this is the case. Discovering a new offset is discovering a new platform, and since those platforms weren’t in the derivation “spec” of the needing package, they cannot be relevant. From a capability perspective, we can imagine that the host and target platforms of a package are the capabilities a package requires, and the depending package must provide the capability to the dependency.
 
 #### Variables specifying dependencies {#variables-specifying-dependencies}
 
@@ -971,8 +971,7 @@ to `~/.gdbinit`. GDB will then be able to find debug information installed via `
 
 The installCheck phase checks whether the package was installed correctly by running its test suite against the installed directories. The default `installCheck` calls `make installcheck`.
 
-It is often better to add tests that are not part of the source distribution to `passthru.tests` (see
-[](#var-meta-tests)). This avoids adding overhead to every build and enables us to run them independently.
+It is often better to add tests that are not part of the source distribution to `passthru.tests` (see <xref linkend="var-meta-tests"/>). This avoids adding overhead to every build and enables us to run them independently.
 
 #### Variables controlling the installCheck phase {#variables-controlling-the-installcheck-phase}
 
@@ -1235,7 +1234,7 @@ This runs the strip command on installed binaries and libraries. This removes un
 
 This setup hook patches installed scripts to add Nix store paths to their shebang interpreter as found in the build environment. The [shebang](https://en.wikipedia.org/wiki/Shebang_(Unix)) line tells a Unix-like operating system which interpreter to use to execute the script's contents.
 
-::: {.note}
+::: note
 The [generic builder][generic-builder] populates `PATH` from inputs of the derivation.
 :::
 
@@ -1273,7 +1272,7 @@ patchShebangs --build configure
 
 Interpreter paths that point to a valid Nix store location are not changed.
 
-::: {.note}
+::: note
 A script file must be marked as executable, otherwise it will not be
 considered.
 :::

lib/licenses.nix

@@ -215,12 +215,6 @@ in mkLicense lset) ({
     url = "https://opensource.org/licenses/CAL-1.0";
   };
 
-  caldera = {
-    spdxId = "Caldera";
-    fullName = "Caldera License";
-    url = "http://www.lemis.com/grog/UNIX/ancient-source-all.pdf";
-  };
-
   capec = {
     fullName = "Common Attack Pattern Enumeration and Classification";
     url = "https://capec.mitre.org/about/termsofuse.html";
@@ -562,12 +556,6 @@ in mkLicense lset) ({
     fullName = "Imlib2 License";
   };
 
-  info-zip = {
-    spdxId = "Info-ZIP";
-    fullName = "Info-ZIP License";
-    url = "http://www.info-zip.org/pub/infozip/license.html";
-  };
-
   inria-compcert = {
     fullName  = "INRIA Non-Commercial License Agreement for the CompCert verified compiler";
     url       = "https://compcert.org/doc/LICENSE.txt";

lib/lists.nix

@@ -198,38 +198,8 @@ rec {
     default:
     # Input list
     list:
-    let
-      # A naive recursive implementation would be much simpler, but
-      # would also overflow the evaluator stack. We use `foldl'` as a workaround
-      # because it reuses the same stack space, evaluating the function for one
-      # element after another. We can't return early, so this means that we
-      # sacrifice early cutoff, but that appears to be an acceptable cost. A
-      # clever scheme with "exponential search" is possible, but appears over-
-      # engineered for now. See https://github.com/NixOS/nixpkgs/pull/235267
-
-      # Invariant:
-      # - if index < 0 then el == elemAt list (- index - 1) and all elements before el didn't satisfy pred
-      # - if index >= 0 then pred (elemAt list index) and all elements before (elemAt list index) didn't satisfy pred
-      #
-      # We start with index -1 and the 0'th element of the list, which satisfies the invariant
-      resultIndex = foldl' (index: el:
-        if index < 0 then
-          # No match yet before the current index, we need to check the element
-          if pred el then
-            # We have a match! Turn it into the actual index to prevent future iterations from modifying it
-            - index - 1
-          else
-            # Still no match, update the index to the next element (we're counting down, so minus one)
-            index - 1
-        else
-          # There's already a match, propagate the index without evaluating anything
-          index
-      ) (-1) list;
-    in
-    if resultIndex < 0 then
-      default
-    else
-      elemAt list resultIndex;
+    let found = filter pred list;
+    in if found == [] then default else head found;
 
   /* Return true if function `pred` returns true for at least one
      element of `list`.

lib/tests/misc.nix

@@ -518,46 +518,6 @@ runTests {
     expected = false;
   };
 
-  testFindFirstExample1 = {
-    expr = findFirst (x: x > 3) 7 [ 1 6 4 ];
-    expected = 6;
-  };
-
-  testFindFirstExample2 = {
-    expr = findFirst (x: x > 9) 7 [ 1 6 4 ];
-    expected = 7;
-  };
-
-  testFindFirstEmpty = {
-    expr = findFirst (abort "when the list is empty, the predicate is not needed") null [];
-    expected = null;
-  };
-
-  testFindFirstSingleMatch = {
-    expr = findFirst (x: x == 5) null [ 5 ];
-    expected = 5;
-  };
-
-  testFindFirstSingleDefault = {
-    expr = findFirst (x: false) null [ (abort "if the predicate doesn't access the value, it must not be evaluated") ];
-    expected = null;
-  };
-
-  testFindFirstNone = {
-    expr = builtins.tryEval (findFirst (x: x == 2) null [ 1 (throw "the last element must be evaluated when there's no match") ]);
-    expected = { success = false; value = false; };
-  };
-
-  # Makes sure that the implementation doesn't cause a stack overflow
-  testFindFirstBig = {
-    expr = findFirst (x: x == 1000000) null (range 0 1000000);
-    expected = 1000000;
-  };
-
-  testFindFirstLazy = {
-    expr = findFirst (x: x == 1) 7 [ 1 (abort "list elements after the match must not be evaluated") ];
-    expected = 1;
-  };
 
 # ATTRSETS
 

maintainers/maintainer-list.nix

@@ -64,12 +64,6 @@
     githubId = 64707304;
     name = "Dmitry Kulikov";
   };
-  _0x120581f = {
-    email = "nixpkgs@0x120581f.dev";
-    name = "0x120581f";
-    github = "0x120581f";
-    githubId = 130835755;
-  };
   _0x4A6F = {
     email = "mail-maintainer@0x4A6F.dev";
     matrix = "@0x4a6f:matrix.org";
@@ -315,12 +309,6 @@
     githubId = 2321000;
     name = "Ruslan Babayev";
   };
-  abustany = {
-    email = "adrien@bustany.org";
-    github = "abustany";
-    githubId = 2526296;
-    name = "Adrien Bustany";
-  };
   acairncross = {
     email = "acairncross@gmail.com";
     github = "acairncross";
@@ -2222,13 +2210,6 @@
     githubId = 68566724;
     name = "bootstrap-prime";
   };
-  boozedog = {
-    email = "code@booze.dog";
-    github = "boozedog";
-    githubId = 1410808;
-    matrix = "@boozedog:matrix.org";
-    name = "David A. Buser";
-  };
   borisbabic = {
     email = "boris.ivan.babic@gmail.com";
     github = "borisbabic";
@@ -2962,7 +2943,7 @@
   };
   citadelcore = {
     email = "alex@arctarus.co.uk";
-    github = "VertexA115";
+    github = "CitadelCore";
     githubId = 5567402;
     name = "Alex Zero";
     keys = [{
@@ -3567,12 +3548,6 @@
       fingerprint = "4779 D1D5 3C97 2EAE 34A5  ED3D D8AF C4BF 0567 0F9D";
     }];
   };
-  dariof4 = {
-    name = "dariof4";
-    email = "dazedtank@gmail.com";
-    github = "dariof4";
-    githubId = 9992814;
-  };
   darkonion0 = {
     name = "Alexandre Peruggia";
     email = "darkgenius1@protonmail.com";
@@ -4959,12 +4934,6 @@
     githubId = 1847524;
     name = "Evan Stoll";
   };
-  evanrichter = {
-    email = "evanjrichter@gmail.com";
-    github = "evanrichter";
-    githubId = 330292;
-    name = "Evan Richter";
-  };
   evax = {
     email = "nixos@evax.fr";
     github = "evax";
@@ -4983,12 +4952,6 @@
     githubId = 2512008;
     name = "Even Brenden";
   };
-  evilmav = {
-    email = "elenskiy.ilya@gmail.com";
-    github = "evilmav";
-    githubId = 6803717;
-    name = "Ilya Elenskiy";
-  };
   evils = {
     email = "evils.devils@protonmail.com";
     matrix = "@evils:nixos.dev";
@@ -5459,7 +5422,7 @@
     githubId = 7551358;
     name = "Frede Emil";
   };
-  Freed-Wu = {
+ Freed-Wu = {
     email = "wuzhenyu@ustc.edu";
     github = "Freed-Wu";
     githubId = 32936898;
@@ -5568,7 +5531,7 @@
   };
   fuzen = {
     email = "me@fuzen.cafe";
-    github = "LovingMelody";
+    github = "Fuzen-py";
     githubId = 17859309;
     name = "Fuzen";
   };
@@ -5768,12 +5731,6 @@
     githubId = 10353047;
     name = "Tobias Happ";
   };
-  getchoo = {
-    email = "getchoo@tuta.io";
-    github = "getchoo";
-    githubId = 48872998;
-    name = "Seth";
-  };
   gfrascadorio = {
     email = "gfrascadorio@tutanota.com";
     github = "gfrascadorio";
@@ -5928,6 +5885,15 @@
     githubId = 1621335;
     name = "Andrew Trachenko";
   };
+  gordias = {
+    name = "Gordias";
+    email = "gordias@disroot.org";
+    github = "gordiasdot";
+    githubId = 94724133;
+    keys = [{
+      fingerprint = "C006 B8A0 0618 F3B6 E0E4  2ECD 5D47 2848 30FA A4FA";
+    }];
+  };
   gotcha = {
     email = "gotcha@bubblenet.be";
     github = "gotcha";
@@ -6802,7 +6768,7 @@
   };
   ilya-kolpakov = {
     email = "ilya.kolpakov@gmail.com";
-    github = "1pakch";
+    github = "ilya-kolpakov";
     githubId = 592849;
     name = "Ilya Kolpakov";
   };
@@ -7204,7 +7170,7 @@
   jayesh-bhoot = {
     name = "Jayesh Bhoot";
     email = "jb@jayeshbhoot.com";
-    github = "bhootjb";
+    github = "jayeshbhoot";
     githubId = 1915507;
   };
   jayman2000 = {
@@ -7689,10 +7655,10 @@
     name = "Jocelyn Thode";
   };
   joedevivo = {
-    github = "joedevivo";
-    githubId = 55951;
-    name = "Joe DeVivo";
-  };
+     github = "joedevivo";
+     githubId = 55951;
+     name = "Joe DeVivo";
+   };
   joelancaster = {
     email = "joe.a.lancas@gmail.com";
     github = "JoeLancaster";
@@ -8022,7 +7988,7 @@
   };
   juaningan = {
     email = "juaningan@gmail.com";
-    github = "oneingan";
+    github = "uningan";
     githubId = 810075;
     name = "Juan Rodal";
   };
@@ -8985,7 +8951,7 @@
     github = "leifhelm";
     githubId = 31693262;
     name = "Jakob Leifhelm";
-    keys = [{
+    keys =[{
       fingerprint = "4A82 F68D AC07 9FFD 8BF0  89C4 6817 AA02 3810 0822";
     }];
   };
@@ -9227,12 +9193,6 @@
       fingerprint = "74F5 E5CC 19D3 B5CB 608F  6124 68FF 81E6 A785 0F49";
     }];
   };
-  liyangau = {
-    email = "d@aufomm.com";
-    github = "liyangau";
-    githubId = 71299093;
-    name = "Li Yang";
-  };
   lizelive = {
     email = "nixpkgs@lize.live";
     github = "lizelive";
@@ -9427,12 +9387,6 @@
     githubId = 59375051;
     name = "Lucas Ransan";
   };
-  LucaGuerra = {
-    email = "luca@guerra.sh";
-    github = "LucaGuerra";
-    githubId = 35580196;
-    name = "Luca Guerra";
-  };
   lucasew = {
     email = "lucas59356@gmail.com";
     github = "lucasew";
@@ -9512,12 +9466,6 @@
       fingerprint = "97A0 AE5E 03F3 499B 7D7A  65C6 76A4 1432 37EF 5817";
     }];
   };
-  lukaswrz = {
-    email = "lukas@wrz.one";
-    github = "lukaswrz";
-    githubId = 84395723;
-    name = "Lukas Wurzinger";
-  };
   lukeadams = {
     email = "luke.adams@belljar.io";
     github = "lukeadams";
@@ -10060,7 +10008,7 @@
     githubId = 95194;
     name = "Mauricio Scheffer";
   };
-  maxbrunet = {
+   maxbrunet = {
     email = "max@brnt.mx";
     github = "maxbrunet";
     githubId = 32458727;
@@ -10432,7 +10380,7 @@
     name = "Michael Pacheco";
     github = "MichaelPachec0";
     githubId = 48970112;
-    keys = [{
+    keys = [ {
       fingerprint = "8D12 991F 5558 C501 70B2  779C 7811 46B0 B5F9 5F64";
     }];
   };
@@ -10818,12 +10766,6 @@
       fingerprint = "6460 4147 C434 F65E C306  A21F 135E EDD0 F719 34F3";
     }];
   };
-  moody = {
-    email = "moody@posixcafe.org";
-    github = "majiru";
-    githubId = 3579600;
-    name = "Jacob Moody";
-  };
   moosingin3space = {
     email = "moosingin3space@gmail.com";
     github = "moosingin3space";
@@ -11519,12 +11461,6 @@
       fingerprint = "E576 BFB2 CF6E B13D F571  33B9 E315 A758 4613 1564";
     }];
   };
-  nielsegberts = {
-    email = "nix@nielsegberts.nl";
-    github = "nielsegberts";
-    githubId = 368712;
-    name = "Niels Egberts";
-  };
   nigelgbanks = {
     name = "Nigel Banks";
     email = "nigel.g.banks@gmail.com";
@@ -12041,15 +11977,6 @@
     github = "ony";
     githubId = 11265;
   };
-  ooliver1 = {
-    name = "Oliver Wilkes";
-    email = "oliverwilkes2006@icloud.com";
-    github = "ooliver1";
-    githubId = 34910574;
-    keys = [{
-      fingerprint = "D055 8A23 3947 B7A0 F966  B07F 0B41 0348 9833 7273";
-    }];
-  };
   opeik = {
     email = "sandro@stikic.com";
     github = "opeik";
@@ -16194,12 +16121,6 @@
     githubId = 3159881;
     name = "Tobias Markus";
   };
-  tm-drtina = {
-    email = "tm.drtina@gmail.com";
-    github = "tm-drtina";
-    githubId = 26902865;
-    name = "Tomas Drtina";
-  };
   tmountain = {
     email = "tinymountain@gmail.com";
     github = "tmountain";
@@ -16556,15 +16477,6 @@
       fingerprint = "EE59 5E29 BB5B F2B3 5ED2  3F1C D276 FF74 6700 7335";
     }];
   };
-  undefined-moe = {
-    name = "undefined";
-    email = "i@undefined.moe";
-    github = "undefined-moe";
-    githubId = 29992205;
-    keys = [{
-      fingerprint = "6684 4E7D D213 C75D 8828  6215 C714 A58B 6C1E 0F52";
-    }];
-  };
   unhammer = {
     email = "unhammer@fsfe.org";
     github = "unhammer";
@@ -16805,12 +16717,6 @@
     github = "vdot0x23";
     githubId = 40716069;
   };
-  vector1dev = {
-    name = "vector1dev";
-    matrix = "@vector1dev:vector1.dev";
-    github = "vector1dev";
-    githubId = 127302590;
-  };
   veehaitch = {
     name = "Vincent Haupert";
     email = "mail@vincent-haupert.de";
@@ -17094,6 +17000,16 @@
     github = "wdavidw";
     githubId = 46896;
   };
+  WeebSorceress = {
+    name = "WeebSorceress";
+    email = "hello@weebsorceress.anonaddy.me";
+    matrix = "@weebsorceress:matrix.org";
+    github = "WeebSorceress";
+    githubId = 106774777;
+    keys = [{
+      fingerprint = "659A 9BC3 F904 EC24 1461  2EFE 7F57 3443 17F0 FA43";
+    }];
+  };
   wegank = {
     name = "Weijia Wang";
     email = "contact@weijia.wang";
@@ -17872,12 +17788,6 @@
     githubId = 2189609;
     name = "Zhaofeng Li";
   };
-  zi3m5f = {
-    name = "zi3m5f";
-    email = "k7n3o3a6f@mozmail.com";
-    github = "zi3m5f";
-    githubId = 113244000;
-  };
   ziguana = {
     name = "Zig Uana";
     email = "git@ziguana.dev";

maintainers/scripts/fix-maintainers.pl

@@ -42,7 +42,7 @@ while(my($k, $v) = each %$maintainers_json) {
     }
     my $resp_json = from_json($resp->content);
     my $api_user = %$resp_json{"login"};
-    if (lc($current_user) ne lc($api_user)) {
+    if ($current_user ne $api_user) {
         print $current_user . " is now known on github as " . $api_user . ". Editing maintainer-list.nix…\n";
         my $file = path($maintainers_list_nix);
         my $data = $file->slurp_utf8;

maintainers/team-list.nix

@@ -538,6 +538,7 @@ with lib.maintainers; {
       ma27
       fadenb
       mguentner
+      ekleog
       ralith
       dandellion
       sumnerevans

nixos/doc/manual/configuration/customizing-packages.section.md

@@ -12,29 +12,6 @@ Unfortunately, Nixpkgs currently lacks a way to query available
 configuration options.
 :::
 
-::: {.note}
-Alternatively, many packages come with extensions one might add.
-Examples include:
-- [`passExtensions.pass-otp`](https://search.nixos.org/packages/query=passExtensions.pass-otp)
-- [`python310Packages.requests`](https://search.nixos.org/packages/query=python310Packages.requests)
-
-You can use them like this:
-```nix
-environment.systemPackages = with pkgs; [
-  sl
-  (pass.withExtensions (subpkgs: with subpkgs; [
-    pass-audit
-    pass-otp
-    pass-genphrase
-  ]))
-  (python3.withPackages (subpkgs: with subpkgs; [
-      requests
-  ]))
-  cowsay
-];
-```
-:::
-
 Apart from high-level options, it's possible to tweak a package in
 almost arbitrary ways, such as changing or disabling dependencies of a
 package. For instance, the Emacs package in Nixpkgs by default has a

nixos/doc/manual/default.nix

@@ -267,41 +267,19 @@ in rec {
 
   manualEpub = runCommand "nixos-manual-epub"
     { nativeBuildInputs = [ buildPackages.libxml2.bin buildPackages.libxslt.bin buildPackages.zip ];
-      doc = ''
-        <book xmlns="http://docbook.org/ns/docbook"
-              xmlns:xlink="http://www.w3.org/1999/xlink"
-              version="5.0"
-              xml:id="book-nixos-manual">
-          <info>
-            <title>NixOS Manual</title>
-            <subtitle>Version ${lib.version}</subtitle>
-          </info>
-          <chapter>
-            <title>Temporarily unavailable</title>
-            <para>
-              The NixOS manual is currently not available in EPUB format,
-              please use the <link xlink:href="https://nixos.org/nixos/manual">HTML manual</link>
-              instead.
-            </para>
-            <para>
-              If you've used the EPUB manual in the past and it has been useful to you, please
-              <link xlink:href="https://github.com/NixOS/nixpkgs/issues/237234">let us know</link>.
-            </para>
-          </chapter>
-        </book>
-      '';
-      passAsFile = [ "doc" ];
     }
     ''
       # Generate the epub manual.
       dst=$out/share/doc/nixos
 
       xsltproc \
-        --param chapter.autolabel 0 \
+        ${manualXsltprocOptions} \
         --nonet --xinclude --output $dst/epub/ \
         ${docbook_xsl_ns}/xml/xsl/docbook/epub/docbook.xsl \
-        $docPath
+        ${manual-combined}/manual-combined.xml
 
+      mkdir -p $dst/epub/OEBPS/images/callouts
+      cp -r ${docbook_xsl_ns}/xml/xsl/docbook/images/callouts/*.svg $dst/epub/OEBPS/images/callouts # */
       echo "application/epub+zip" > mimetype
       manual="$dst/nixos-manual.epub"
       zip -0Xq "$manual" mimetype

nixos/doc/manual/release-notes/rl-2305.section.md

@@ -42,9 +42,6 @@ In addition to numerous new and updated packages, this release has the following
 
 - [KDE Plasma](https://kde.org/de/plasma-desktop/) has been updated to version 5.27, see [the release notes](https://kde.org/announcements/plasma/5/5.27.0/) for what was changed.
 
-- `openra` was updated to `20230225`. Due to large scope of the update, currently only `openraPackages.engines.release` and `openraPackages.engines.latest` packages are available.
-  If you want to use the old engine versions or mods, they were moved to the `openraPackages_2019` namespace.
-
 ## New Services {#sec-release-23.05-new-services}
 
 - [Akkoma](https://akkoma.social), an ActivityPub microblogging server. Available as [services.akkoma](options.html#opt-services.akkoma.enable).
@@ -201,7 +198,7 @@ In addition to numerous new and updated packages, this release has the following
 
 - `graylog` has been updated to version 5, which can not be updated directly from the previously packaged version 3.3. If you had installed the previously packaged version 3.3, please follow the [upgrade path](https://go2docs.graylog.org/5-0/upgrading_graylog/upgrade_path.htm) from 3.3 to 4.0 to 4.3 to 5.0.
 
-- `buildFHSUserEnv` is now called `buildFHSEnv` and uses FlatPak's Bubblewrap sandboxing tool rather than Nixpkgs' own chrootenv. The old chrootenv-based implemenation is still available via `buildFHSEnvChroot` but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs.
+- `buildFHSUserEnv` is now called `buildFHSEnv` and uses FlatPak's Bubblewrap sandboxing tool rather than Nixpkgs' own chrootenv. The old chrootenv-based implemenation is still available via `buildFHSEnvChrootenv` but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs.
 
 - `nushell` has been updated to at least version 0.77.0, which includes potential breaking changes in aliases. The old aliases are now available as `old-alias` but it is recommended you migrate to the new format. See [Reworked aliases](https://www.nushell.sh/blog/2023-03-14-nushell_0_77.html#reworked-aliases-breaking-changes-kubouch).
 
@@ -359,8 +356,6 @@ In addition to numerous new and updated packages, this release has the following
 
 - Only `k3s` version 1.26 is included. Users of the `k3s_1_24` or `k3s_1_25` packages should upgrade to use the `1.26` version of the package.
 
-- The `nerdfonts` package has been updated to major version 3, which includes potential [breaking changes](https://github.com/ryanoasis/nerd-fonts/releases/tag/v3.0.0).
-
 ## Other Notable Changes {#sec-release-23.05-notable-changes}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -525,7 +520,7 @@ In addition to numerous new and updated packages, this release has the following
 
 - The new option `services.tailscale.useRoutingFeatures` controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to `server`, otherwise if you wish to use an exit node you can set this setting to `client`. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting.
 
-- `openjdk` from version 11 and above is not build with `openjfx` (i.e.: JavaFX) support by default anymore. You can re-enable it by overriding, e.g.: `openjdk11.override { enableJavaFX = true; };`.
+- `openjdk` from versioggn 11 and above is not build with `openjfx` (i.e.: JavaFX) support by default anymore. You can re-enable it by overriding, e.g.: `openjdk11.override { enableJavaFX = true; };`.
 
 - [Xastir](https://xastir.org/index.php/Main_Page) can now access AX.25 interfaces via the `libax25` package.
 

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -14,32 +14,18 @@
 
 - [river](https://github.com/riverwm/river), A dynamic tiling wayland compositor. Available as [programs.river](#opt-programs.river.enable).
 
-- [GoToSocial](https://gotosocial.org/), an ActivityPub social network server, written in Golang. Available as [services.gotosocial](#opt-services.gotosocial.enable).
-
 - [sitespeed-io](https://sitespeed.io), a tool that can generate metrics (timings, diagnostics) for websites. Available as [services.sitespeed-io](#opt-services.sitespeed-io.enable).
 
 ## Backward Incompatibilities {#sec-release-23.11-incompatibilities}
 
-- `writeTextFile` now requires `executable` to be boolean, values like `null` or `""` will now fail to evaluate.
-
 - The latest version of `clonehero` now stores custom content in `~/.clonehero`. See the [migration instructions](https://clonehero.net/2022/11/29/v23-to-v1-migration-instructions.html). Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in `~/.config/unity3d/srylain Inc_/Clone Hero`.
 
 - `python3.pkgs.fetchPypi` (and `python3Packages.fetchPypi`) has been deprecated in favor of top-level `fetchPypi`.
 
-- `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning the default version was upgraded from 10.6.x to 10.11.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for potential issues.
-
 - `etcd` has been updated to 3.5, you will want to read the [3.3 to 3.4](https://etcd.io/docs/v3.5/upgrades/upgrade_3_4/) and [3.4 to 3.5](https://etcd.io/docs/v3.5/upgrades/upgrade_3_5/) upgrade guides
 
-- `himalaya` has been updated to `0.8.0`, which drops the native TLS support (in favor of Rustls) and add OAuth 2.0 support. See the [release note](https://github.com/soywod/himalaya/releases/tag/v0.8.0) for more details.
-
-- The [services.caddy.acmeCA](#opt-services.caddy.acmeCA) option now defaults to `null` instead of `"https://acme-v02.api.letsencrypt.org/directory"`, to use all of Caddy's default ACME CAs and enable Caddy's automatic issuer fallback feature by default, as recommended by upstream.
-
 - `util-linux` is now supported on Darwin and is no longer an alias to `unixtools`. Use the `unixtools.util-linux` package for access to the Apple variants of the utilities.
 
-- `fileSystems.<name>.autoFormat` now uses `systemd-makefs`, which does not accept formatting options. Therefore, `fileSystems.<name>.formatOptions` has been removed.
-
-- `fileSystems.<name>.autoResize` now uses `systemd-growfs` to resize the file system online in stage 2. This means that `f2fs` and `ext2` can no longer be auto resized, while `xfs` and `btrfs` now can be.
-
 ## Other Notable Changes {#sec-release-23.11-notable-changes}
 
 - The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration.

nixos/maintainers/scripts/ec2/amazon-image.nix

@@ -43,7 +43,7 @@ in {
 
     sizeMB = mkOption {
       type = with types; either (enum [ "auto" ]) int;
-      default = 3072;
+      default = 2048;
       example = 8192;
       description = lib.mdDoc "The size in MB of the image";
     };

nixos/modules/config/no-x-libs.nix

@@ -38,7 +38,6 @@ with lib;
       gpsd = super.gpsd.override { guiSupport = false; };
       graphviz = super.graphviz-nox;
       gst_all_1 = super.gst_all_1 // {
-        gst-plugins-bad = super.gst_all_1.gst-plugins-bad.override { guiSupport = false; };
         gst-plugins-base = super.gst_all_1.gst-plugins-base.override { enableX11 = false; };
       };
       imagemagick = super.imagemagick.override { libX11Support = false; libXtSupport = false; };

nixos/modules/config/qt.nix

@@ -20,7 +20,7 @@ let
       pkgs.adwaita-qt6
     ]
     else if isQtStyle then [ pkgs.libsForQt5.qtstyleplugins ]
-    else if isQt5ct then [ pkgs.libsForQt5.qt5ct pkgs.qt6Packages.qt6ct ]
+    else if isQt5ct then [ pkgs.libsForQt5.qt5ct ]
     else if isLxqt then [ pkgs.lxqt.lxqt-qtplugin pkgs.lxqt.lxqt-config ]
     else if isKde then [ pkgs.libsForQt5.plasma-integration pkgs.libsForQt5.systemsettings ]
     else throw "`qt.platformTheme` ${cfg.platformTheme} and `qt.style` ${cfg.style} are not compatible.";

nixos/modules/config/users-groups.nix

@@ -652,7 +652,7 @@ in {
       deps = [ "users" ];
       text = ''
         users=()
-        while IFS=: read -r user hash _; do
+        while IFS=: read -r user hash tail; do
           if [[ "$hash" = "$"* && ! "$hash" =~ ^\''$${cryptSchemeIdPatternGroup}\$ ]]; then
             users+=("$user")
           fi

nixos/modules/hardware/i2c.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 
 with lib;
 
@@ -31,14 +31,10 @@ in
       i2c = { };
     };
 
-    services.udev.packages = lib.singleton (pkgs.writeTextFile
-      { name = "i2c-udev-rules";
-        text = ''
-          # allow group ${cfg.group} and users with a seat use of i2c devices
-          ACTION=="add", KERNEL=="i2c-[0-9]*", TAG+="uaccess", GROUP="${cfg.group}", MODE="660"
-        '';
-        destination = "/etc/udev/rules.d/70-i2c.rules";
-      });
+    services.udev.extraRules = ''
+      # allow group ${cfg.group} and users with a seat use of i2c devices
+      ACTION=="add", KERNEL=="i2c-[0-9]*", TAG+="uaccess", GROUP="${cfg.group}", MODE="660"
+    '';
 
   };
 

nixos/modules/installer/netboot/netboot.nix

@@ -38,10 +38,7 @@ with lib;
     boot.loader.grub.enable = false;
 
     # !!! Hack - attributes expected by other modules.
-    environment.systemPackages = [ pkgs.grub2_efi ]
-      ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux"
-          then []
-          else [ pkgs.grub2 pkgs.syslinux ]);
+    environment.systemPackages = lib.filter (lib.meta.availableOn pkgs.stdenv.hostPlatform) [ pkgs.grub2_efi pkgs.grub2 pkgs.syslinux ];
 
     fileSystems."/" = mkImageMediaOverride
       { fsType = "tmpfs";

nixos/modules/installer/tools/nix-fallback-paths.nix

@@ -1,7 +1,7 @@
 {
-  x86_64-linux = "/nix/store/ny9r65799s7xhp605bc2753sjvzkxrrs-nix-2.15.1";
-  i686-linux = "/nix/store/ck55dz5klc7szi8rx9ghhm8gi2b5q5bw-nix-2.15.1";
-  aarch64-linux = "/nix/store/cl0a02vr28913dgw98hrm45a4baqr3z1-nix-2.15.1";
-  x86_64-darwin = "/nix/store/wq228jdbz16pp2lnxf32n8dv27pw53p8-nix-2.15.1";
-  aarch64-darwin = "/nix/store/x11cpsjg4q236msfz5scc325pfp9xy64-nix-2.15.1";
+  x86_64-linux = "/nix/store/mc43d38fibi94pp5crfwacl5gbslccd0-nix-2.13.3";
+  i686-linux = "/nix/store/09m966pj26cgd4ihlg8ihl1106j3vih8-nix-2.13.3";
+  aarch64-linux = "/nix/store/7f191d125akld27gc6jl0r13l8pl7x0h-nix-2.13.3";
+  x86_64-darwin = "/nix/store/1wn9jkvi2zqfjnjgg7lnp30r2q2y8whd-nix-2.13.3";
+  aarch64-darwin = "/nix/store/8w0v2mffa10chrf1h66cbvbpw86qmh85-nix-2.13.3";
 }

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -85,7 +85,7 @@ sub debug {
 
 
 # nixpkgs.system
-push @attrs, "nixpkgs.hostPlatform = lib.mkDefault \"@hostPlatformSystem@\";";
+push @attrs, "nixpkgs.hostPlatform = lib.mkDefault \"@system@\";";
 
 
 my $cpuinfo = read_file "/proc/cpuinfo";

nixos/modules/installer/tools/tools.nix

@@ -35,7 +35,7 @@ let
     name = "nixos-generate-config";
     src = ./nixos-generate-config.pl;
     perl = "${pkgs.perl.withPackages (p: [ p.FileSlurp ])}/bin/perl";
-    hostPlatformSystem = pkgs.stdenv.hostPlatform.system;
+    system = pkgs.stdenv.hostPlatform.system;
     detectvirt = "${config.systemd.package}/bin/systemd-detect-virt";
     btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
     inherit (config.system.nixos-generate-config) configuration desktopConfiguration;

nixos/modules/module-list.nix

@@ -328,8 +328,6 @@
   ./services/audio/spotifyd.nix
   ./services/audio/squeezelite.nix
   ./services/audio/tts.nix
-  ./services/audio/wyoming/faster-whisper.nix
-  ./services/audio/wyoming/piper.nix
   ./services/audio/ympd.nix
   ./services/backup/automysqlbackup.nix
   ./services/backup/bacula.nix
@@ -1190,7 +1188,6 @@
   ./services/web-apps/galene.nix
   ./services/web-apps/gerrit.nix
   ./services/web-apps/gotify-server.nix
-  ./services/web-apps/gotosocial.nix
   ./services/web-apps/grocy.nix
   ./services/web-apps/pixelfed.nix
   ./services/web-apps/healthchecks.nix

nixos/modules/programs/nano.nix

@@ -35,17 +35,8 @@ in
   ###### implementation
 
   config = lib.mkIf (cfg.nanorc != "" || cfg.syntaxHighlight) {
-    environment.etc.nanorc.text = lib.concatStringsSep LF (
-      ( lib.optionals cfg.syntaxHighlight [
-          "# The line below is added because value of programs.nano.syntaxHighlight is set to true"
-          ''include "${pkgs.nano}/share/nano/*.nanorc"''
-          ""
-      ])
-      ++ ( lib.optionals (cfg.nanorc != "") [
-        "# The lines below have been set from value of programs.nano.nanorc"
-        cfg.nanorc
-      ])
-    );
+    environment.etc.nanorc.text = lib.concatStrings [ cfg.nanorc
+      (lib.optionalString cfg.syntaxHighlight ''${LF}include "${pkgs.nano}/share/nano/*.nanorc"'') ];
   };
 
 }

nixos/modules/security/pam.nix

@@ -484,9 +484,6 @@ let
           optionalString cfg.mysqlAuth ''
             account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
           '' +
-          optionalString (config.services.kanidm.enablePam) ''
-            account sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user
-          '' +
           optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) ''
             account sufficient ${pkgs.sssd}/lib/security/pam_sss.so
           '' +
@@ -620,9 +617,6 @@ let
           optionalString use_ldap ''
             auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass
           '' +
-          optionalString config.services.kanidm.enablePam ''
-            auth sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user use_first_pass
-          '' +
           optionalString config.services.sssd.enable ''
             auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass
           '' +
@@ -659,9 +653,6 @@ let
           optionalString cfg.mysqlAuth ''
             password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
           '' +
-          optionalString config.services.kanidm.enablePam ''
-            password sufficient ${pkgs.kanidm}/lib/pam_kanidm.so
-          '' +
           optionalString config.services.sssd.enable ''
             password sufficient ${pkgs.sssd}/lib/security/pam_sss.so
           '' +
@@ -723,9 +714,6 @@ let
           optionalString cfg.mysqlAuth ''
             session optional ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
           '' +
-          optionalString config.services.kanidm.enablePam ''
-            session optional ${pkgs.kanidm}/lib/pam_kanidm.so
-          '' +
           optionalString config.services.sssd.enable ''
             session optional ${pkgs.sssd}/lib/security/pam_sss.so
           '' +
@@ -1310,7 +1298,6 @@ in
       # Include the PAM modules in the system path mostly for the manpages.
       [ pkgs.pam ]
       ++ optional config.users.ldap.enable pam_ldap
-      ++ optional config.services.kanidm.enablePam pkgs.kanidm
       ++ optional config.services.sssd.enable pkgs.sssd
       ++ optionals config.security.pam.krb5.enable [pam_krb5 pam_ccreds]
       ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
@@ -1377,9 +1364,6 @@ in
       optionalString use_ldap ''
          mr ${pam_ldap}/lib/security/pam_ldap.so,
       '' +
-      optionalString config.services.kanidm.enablePam ''
-        mr ${pkgs.kanidm}/lib/pam_kanidm.so,
-      '' +
       optionalString config.services.sssd.enable ''
         mr ${pkgs.sssd}/lib/security/pam_sss.so,
       '' +

nixos/modules/services/audio/wyoming/faster-whisper.nix

@@ -1,186 +0,0 @@
-{ config
-, lib
-, pkgs
-, ...
-}:
-
-let
-  cfg = config.services.wyoming.faster-whisper;
-
-  inherit (lib)
-    escapeShellArgs
-    mkOption
-    mdDoc
-    mkEnableOption
-    mkPackageOptionMD
-    types
-    ;
-
-  inherit (builtins)
-    toString
-    ;
-
-in
-
-{
-  options.services.wyoming.faster-whisper = with types; {
-    package = mkPackageOptionMD pkgs "wyoming-faster-whisper" { };
-
-    servers = mkOption {
-      default = {};
-      description = mdDoc ''
-        Attribute set of faster-whisper instances to spawn.
-      '';
-      type = types.attrsOf (types.submodule (
-        { ... }: {
-          options = {
-            enable = mkEnableOption (mdDoc "Wyoming faster-whisper server");
-
-            model = mkOption {
-              type = enum [
-                "tiny"
-                "tiny-int8"
-                "base"
-                "base-int8"
-                "small"
-                "small-int8"
-                "medium"
-                "medium-int8"
-              ];
-              default = "tiny-int8";
-              example = "medium-int8";
-              description = mdDoc ''
-                Name of the voice model to use.
-              '';
-            };
-
-            uri = mkOption {
-              type = strMatching "^(tcp|unix)://.*$";
-              example = "tcp://0.0.0.0:10300";
-              description = mdDoc ''
-                URI to bind the wyoming server to.
-              '';
-            };
-
-            device = mkOption {
-              # https://opennmt.net/CTranslate2/python/ctranslate2.models.Whisper.html#
-              type = types.enum [
-                "cpu"
-                "cuda"
-                "auto"
-              ];
-              default = "cpu";
-              description = mdDoc ''
-                Id of a speaker in a multi-speaker model.
-              '';
-            };
-
-            language = mkOption {
-              type = enum [
-                # https://github.com/home-assistant/addons/blob/master/whisper/config.yaml#L20
-                "auto" "af" "am" "ar" "as" "az" "ba" "be" "bg" "bn" "bo" "br" "bs" "ca" "cs" "cy" "da" "de" "el" "en" "es" "et" "eu" "fa" "fi" "fo" "fr" "gl" "gu" "ha" "haw" "he" "hi" "hr" "ht" "hu" "hy" "id" "is" "it" "ja" "jw" "ka" "kk" "km" "kn" "ko" "la" "lb" "ln" "lo" "lt" "lv" "mg" "mi" "mk" "ml" "mn" "mr" "ms" "mt" "my" "ne" "nl" "nn" "no" "oc" "pa" "pl" "ps" "pt" "ro" "ru" "sa" "sd" "si" "sk" "sl" "sn" "so" "sq" "sr" "su" "sv" "sw" "ta" "te" "tg" "th" "tk" "tl" "tr" "tt" "uk" "ur" "uz" "vi" "yi" "yo" "zh"
-              ];
-              example = "en";
-              description = mdDoc ''
-                The language used to to parse words and sentences.
-              '';
-            };
-
-            beamSize = mkOption {
-              type = ints.unsigned;
-              default = 1;
-              example = 5;
-              description = mdDoc ''
-                The number of beams to use in beam search.
-              '';
-              apply = toString;
-            };
-
-            extraArgs = mkOption {
-              type = listOf str;
-              default = [ ];
-              description = mdDoc ''
-                Extra arguments to pass to the server commandline.
-              '';
-              apply = escapeShellArgs;
-            };
-          };
-        }
-      ));
-    };
-  };
-
-  config = let
-    inherit (lib)
-      mapAttrs'
-      mkIf
-      nameValuePair
-    ;
-  in mkIf (cfg.servers != {}) {
-    systemd.services = mapAttrs' (server: options:
-      nameValuePair "wyoming-faster-whisper-${server}" {
-        description = "Wyoming faster-whisper server instance ${server}";
-        after = [
-          "network-online.target"
-        ];
-        wantedBy = [
-          "multi-user.target"
-        ];
-        serviceConfig = {
-          DynamicUser = true;
-          User = "wyoming-faster-whisper";
-          StateDirectory = "wyoming/faster-whisper";
-          # https://github.com/home-assistant/addons/blob/master/whisper/rootfs/etc/s6-overlay/s6-rc.d/whisper/run
-          ExecStart = ''
-            ${cfg.package}/bin/wyoming-faster-whisper \
-              --data-dir $STATE_DIRECTORY \
-              --download-dir $STATE_DIRECTORY \
-              --uri ${options.uri} \
-              --model ${options.model} \
-              --language ${options.language} \
-              --beam-size ${options.beamSize} ${options.extraArgs}
-          '';
-          CapabilityBoundingSet = "";
-          DeviceAllow = if builtins.elem options.device [ "cuda" "auto" ] then [
-            # https://docs.nvidia.com/dgx/pdf/dgx-os-5-user-guide.pdf
-            "/dev/nvidia1"
-            "/dev/nvidia2"
-            "/dev/nvidia3"
-            "/dev/nvidia4"
-            "/dev/nvidia-caps/nvidia-cap1"
-            "/dev/nvidia-caps/nvidia-cap2"
-            "/dev/nvidiactl"
-            "/dev/nvidia-modeset"
-            "/dev/nvidia-uvm"
-            "/dev/nvidia-uvm-tools"
-          ] else "";
-          DevicePolicy = "closed";
-          LockPersonality = true;
-          MemoryDenyWriteExecute = true;
-          PrivateDevices = true;
-          PrivateUsers = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectControlGroups = true;
-          ProtectProc = "invisible";
-          ProcSubset = "pid";
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-            "AF_UNIX"
-          ];
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          SystemCallArchitectures = "native";
-          SystemCallFilter = [
-            "@system-service"
-            "~@privileged"
-          ];
-          UMask = "0077";
-        };
-      }) cfg.servers;
-  };
-}

nixos/modules/services/audio/wyoming/piper.nix

@@ -1,174 +0,0 @@
-{ config
-, lib
-, pkgs
-, ...
-}:
-
-let
-  cfg = config.services.wyoming.piper;
-
-  inherit (lib)
-    escapeShellArgs
-    mkOption
-    mdDoc
-    mkEnableOption
-    mkPackageOptionMD
-    types
-    ;
-
-  inherit (builtins)
-    toString
-    ;
-
-in
-
-{
-  meta.buildDocsInSandbox = false;
-
-  options.services.wyoming.piper = with types; {
-    package = mkPackageOptionMD pkgs "wyoming-piper" { };
-
-    servers = mkOption {
-      default = {};
-      description = mdDoc ''
-        Attribute set of piper instances to spawn.
-      '';
-      type = types.attrsOf (types.submodule (
-        { ... }: {
-          options = {
-            enable = mkEnableOption (mdDoc "Wyoming Piper server");
-
-            piper = mkPackageOptionMD pkgs "piper-tts" { };
-
-            voice = mkOption {
-              type = str;
-              example = "en-us-ryan-medium";
-              description = mdDoc ''
-                Name of the voice model to use. See the following website for samples:
-                https://rhasspy.github.io/piper-samples/
-              '';
-            };
-
-            uri = mkOption {
-              type = strMatching "^(tcp|unix)://.*$";
-              example = "tcp://0.0.0.0:10200";
-              description = mdDoc ''
-                URI to bind the wyoming server to.
-              '';
-            };
-
-            speaker = mkOption {
-              type = ints.unsigned;
-              default = 0;
-              description = mdDoc ''
-                ID of a specific speaker in a multi-speaker model.
-              '';
-              apply = toString;
-            };
-
-            noiseScale = mkOption {
-              type = float;
-              default = 0.667;
-              description = mdDoc ''
-                Generator noise value.
-              '';
-              apply = toString;
-            };
-
-            noiseWidth = mkOption {
-              type = float;
-              default = 0.333;
-              description = mdDoc ''
-                Phoneme width noise value.
-              '';
-              apply = toString;
-            };
-
-            lengthScale = mkOption {
-              type = float;
-              default = 1.0;
-              description = mdDoc ''
-                Phoneme length value.
-              '';
-              apply = toString;
-            };
-
-            extraArgs = mkOption {
-              type = listOf str;
-              default = [ ];
-              description = mdDoc ''
-                Extra arguments to pass to the server commandline.
-              '';
-              apply = escapeShellArgs;
-            };
-          };
-        }
-      ));
-    };
-  };
-
-  config = let
-    inherit (lib)
-      mapAttrs'
-      mkIf
-      nameValuePair
-    ;
-  in mkIf (cfg.servers != {}) {
-    systemd.services = mapAttrs' (server: options:
-      nameValuePair "wyoming-piper-${server}" {
-        description = "Wyoming Piper server instance ${server}";
-        after = [
-          "network-online.target"
-        ];
-        wantedBy = [
-          "multi-user.target"
-        ];
-        serviceConfig = {
-          DynamicUser = true;
-          User = "wyoming-piper";
-          StateDirectory = "wyoming/piper";
-          # https://github.com/home-assistant/addons/blob/master/piper/rootfs/etc/s6-overlay/s6-rc.d/piper/run
-          ExecStart = ''
-            ${cfg.package}/bin/wyoming-piper \
-              --data-dir $STATE_DIRECTORY \
-              --download-dir $STATE_DIRECTORY \
-              --uri ${options.uri} \
-              --piper ${options.piper}/bin/piper \
-              --voice ${options.voice} \
-              --speaker ${options.speaker} \
-              --length-scale ${options.lengthScale} \
-              --noise-scale ${options.noiseScale} \
-              --noise-w ${options.noiseWidth} ${options.extraArgs}
-          '';
-          CapabilityBoundingSet = "";
-          DeviceAllow = "";
-          DevicePolicy = "closed";
-          LockPersonality = true;
-          MemoryDenyWriteExecute = true;
-          PrivateDevices = true;
-          PrivateUsers = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectControlGroups = true;
-          ProtectProc = "invisible";
-          ProcSubset = "pid";
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-            "AF_UNIX"
-          ];
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          SystemCallArchitectures = "native";
-          SystemCallFilter = [
-            "@system-service"
-            "~@privileged"
-          ];
-          UMask = "0077";
-        };
-      }) cfg.servers;
-  };
-}

nixos/modules/services/continuous-integration/buildkite-agents.nix

@@ -11,7 +11,7 @@ let
       default = null;
       description = lib.mdDoc description;
       type = types.nullOr types.lines;
-    } // (lib.optionalAttrs (example != null) { inherit example; });
+    } // (if example == null then {} else { inherit example; });
   };
   mkHookOptions = hooks: listToAttrs (map mkHookOption hooks);
 

nixos/modules/services/continuous-integration/github-runner.nix

@@ -21,5 +21,5 @@ in
     services.github-runners.${cfg.name} = cfg;
   };
 
-  meta.maintainers = with maintainers; [ veehaitch newam thomasjm ];
+  meta.maintainers = with maintainers; [ veehaitch newam ];
 }

nixos/modules/services/databases/foundationdb.md

@@ -6,7 +6,7 @@
 
 *Maintainer:* Austin Seipp
 
-*Available version(s):* 7.1.x
+*Available version(s):* 5.1.x, 5.2.x, 6.0.x
 
 FoundationDB (or "FDB") is an open source, distributed, transactional
 key-value store.
@@ -17,7 +17,7 @@ To enable FoundationDB, add the following to your
 {file}`configuration.nix`:
 ```
 services.foundationdb.enable = true;
-services.foundationdb.package = pkgs.foundationdb71; # FoundationDB 7.1.x
+services.foundationdb.package = pkgs.foundationdb52; # FoundationDB 5.2.x
 ```
 
 The {option}`services.foundationdb.package` option is required, and
@@ -66,7 +66,7 @@ necessary Python modules).
 ```ShellSession
 a@link> cat fdb-status.py
 #! /usr/bin/env nix-shell
-#! nix-shell -i python -p python pythonPackages.foundationdb71
+#! nix-shell -i python -p python pythonPackages.foundationdb52
 
 import fdb
 import json

nixos/modules/services/mail/exim.nix

@@ -116,8 +116,8 @@ in
       wantedBy = [ "multi-user.target" ];
       restartTriggers = [ config.environment.etc."exim.conf".source ];
       serviceConfig = {
-        ExecStart   = "!${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}";
-        ExecReload  = "!${coreutils}/bin/kill -HUP $MAINPID";
+        ExecStart   = "+${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}";
+        ExecReload  = "+${coreutils}/bin/kill -HUP $MAINPID";
         User        = cfg.user;
       };
       preStart = ''

nixos/modules/services/mail/public-inbox.nix

@@ -275,8 +275,9 @@ in
           default = {};
           description = lib.mdDoc "public inboxes";
           type = types.submodule {
-            # Support both global options like `services.public-inbox.settings.publicinbox.imapserver`
-            # and inbox specific options like `services.public-inbox.settings.publicinbox.foo.address`.
+            # Keeping in line with the tradition of unnecessarily specific types, allow users to set
+            # freeform settings either globally under the `publicinbox` section, or for specific
+            # inboxes through additional nesting.
             freeformType = with types; attrsOf (oneOf [ iniAtom (attrsOf iniAtom) ]);
 
             options.css = mkOption {
@@ -284,24 +285,12 @@ in
               default = [];
               description = lib.mdDoc "The local path name of a CSS file for the PSGI web interface.";
             };
-            options.imapserver = mkOption {
-              type = with types; listOf str;
-              default = [];
-              example = [ "imap.public-inbox.org" ];
-              description = lib.mdDoc "IMAP URLs to this public-inbox instance";
-            };
             options.nntpserver = mkOption {
               type = with types; listOf str;
               default = [];
               example = [ "nntp://news.public-inbox.org" "nntps://news.public-inbox.org" ];
               description = lib.mdDoc "NNTP URLs to this public-inbox instance";
             };
-            options.pop3server = mkOption {
-              type = with types; listOf str;
-              default = [];
-              example = [ "pop.public-inbox.org" ];
-              description = lib.mdDoc "POP3 URLs to this public-inbox instance";
-            };
             options.wwwlisting = mkOption {
               type = with types; enum [ "all" "404" "match=domain" ];
               default = "404";

nixos/modules/services/mail/rspamd.nix

@@ -215,7 +215,7 @@ let
       text = v.extraConfig;
     })
     (filterAttrs (n: v: v.extraConfig != "") cfg.workers))
-    // (lib.optionalAttrs (cfg.extraConfig != "") {
+    // (if cfg.extraConfig == "" then {} else {
       "extra-config.inc".text = cfg.extraConfig;
     });
 in

nixos/modules/services/misc/atuin.nix

@@ -46,13 +46,6 @@ in
         description = mdDoc "Open ports in the firewall for the atuin server.";
       };
 
-      database = {
-        createLocally = mkOption {
-          type = types.bool;
-          default = true;
-          description = lib.mdDoc "Create the database and database user locally.";
-        };
-      };
     };
   };
 
@@ -72,8 +65,7 @@ in
 
     systemd.services.atuin = {
       description = "atuin server";
-      requires = lib.optionals cfg.database.createLocally [ "postgresql.service" ];
-      after = [ "network.target" ] ++ lib.optionals cfg.database.createLocally [ "postgresql.service" ] ;
+      after = [ "network.target" "postgresql.service" ];
       wantedBy = [ "multi-user.target" ];
 
       serviceConfig = {
@@ -88,7 +80,7 @@ in
         ATUIN_PORT = toString cfg.port;
         ATUIN_MAX_HISTORY_LENGTH = toString cfg.maxHistoryLength;
         ATUIN_OPEN_REGISTRATION = boolToString cfg.openRegistration;
-        ATUIN_DB_URI =  mkIf cfg.database.createLocally "postgresql:///atuin";
+        ATUIN_DB_URI = "postgresql:///atuin";
         ATUIN_PATH = cfg.path;
         ATUIN_CONFIG_DIR = "/run/atuin"; # required to start, but not used as configuration is via environment variables
       };

nixos/modules/services/misc/gitlab.nix

@@ -1231,7 +1231,7 @@ in {
     services.dockerRegistry = optionalAttrs cfg.registry.enable {
       enable = true;
       enableDelete = true; # This must be true, otherwise GitLab won't manage it correctly
-      package = cfg.registry.package;
+      package = cfg.package;
       extraConfig = {
         auth.token = {
           realm = "http${optionalString (cfg.https == true) "s"}://${cfg.host}/jwt/auth";

nixos/modules/services/misc/nix-daemon.nix

@@ -520,17 +520,10 @@ in
                 will set up automatically for each build. This prevents impurities
                 in builds by disallowing access to dependencies outside of the Nix
                 store by using network and mount namespaces in a chroot environment.
-
                 This is enabled by default even though it has a possible performance
                 impact due to the initial setup time of a sandbox for each build. It
                 doesn't affect derivation hashes, so changing this option will not
                 trigger a rebuild of packages.
-
-                When set to "relaxed", this option permits derivations that set
-                `__noChroot = true;` to run outside of the sandboxed environment.
-                Exercise caution when using this mode of operation! It is intended to
-                be a quick hack when building with packages that are not easily setup
-                to be built reproducibly.
               '';
             };
 
@@ -648,7 +641,7 @@ in
         '';
         description = lib.mdDoc ''
           Configuration for Nix, see
-          <https://nixos.org/manual/nix/stable/command-ref/conf-file.html> or
+          <https://nixos.org/manual/nix/stable/#sec-conf-file> or
           {manpage}`nix.conf(5)` for available options.
           The value declared here will be translated directly to the key-value pairs Nix expects.
 

nixos/modules/services/monitoring/grafana.nix

@@ -121,11 +121,6 @@ let
         default = false;
         description = lib.mdDoc "Allow users to edit datasources from the UI.";
       };
-      jsonData = mkOption {
-        type = types.nullOr types.attrs;
-        default = null;
-        description = lib.mdDoc "Extra data for datasource plugins.";
-      };
       secureJsonData = mkOption {
         type = types.nullOr types.attrs;
         default = null;

nixos/modules/services/monitoring/prometheus/exporters.nix

@@ -40,7 +40,6 @@ let
     "ipmi"
     "json"
     "jitsi"
-    "junos-czerwonk"
     "kea"
     "keylight"
     "knot"

nixos/modules/services/monitoring/prometheus/exporters/junos-czerwonk.nix

@@ -1,72 +0,0 @@
-{ config, lib, pkgs, options }:
-
-with lib;
-
-let
-  cfg = config.services.prometheus.exporters.junos-czerwonk;
-
-  configFile = if cfg.configuration != null then configurationFile else (escapeShellArg cfg.configurationFile);
-
-  configurationFile = pkgs.writeText "prometheus-junos-czerwonk-exporter.conf" (builtins.toJSON (cfg.configuration));
-in
-{
-  port = 9326;
-  extraOpts = {
-    environmentFile = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-      description = lib.mdDoc ''
-        File containing env-vars to be substituted into the exporter's config.
-      '';
-    };
-    configurationFile = mkOption {
-      type = types.nullOr types.path;
-      default = null;
-      description = lib.mdDoc ''
-        Specify the JunOS exporter configuration file to use.
-      '';
-    };
-    configuration = mkOption {
-      type = types.nullOr types.attrs;
-      default = null;
-      description = lib.mdDoc ''
-        JunOS exporter configuration as nix attribute set. Mutually exclusive with the `configurationFile` option.
-      '';
-      example = {
-        devices = [
-          {
-            host = "router1";
-            key_file = "/path/to/key";
-          }
-        ];
-      };
-    };
-    telemetryPath = mkOption {
-      type = types.str;
-      default = "/metrics";
-      description = lib.mdDoc ''
-        Path under which to expose metrics.
-      '';
-    };
-  };
-  serviceOpts = {
-    serviceConfig = {
-      DynamicUser = false;
-      EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
-      RuntimeDirectory = "prometheus-junos-czerwonk-exporter";
-      ExecStartPre = [
-        "${pkgs.writeShellScript "subst-secrets-junos-czerwonk-exporter" ''
-          umask 0077
-          ${pkgs.envsubst}/bin/envsubst -i ${configFile} -o ''${RUNTIME_DIRECTORY}/junos-exporter.json
-        ''}"
-      ];
-      ExecStart = ''
-        ${pkgs.prometheus-junos-czerwonk-exporter}/bin/junos_exporter \
-          -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
-          -web.telemetry-path ${cfg.telemetryPath} \
-          -config.file ''${RUNTIME_DIRECTORY}/junos-exporter.json \
-          ${concatStringsSep " \\\n  " cfg.extraFlags}
-      '';
-    };
-  };
-}

nixos/modules/services/networking/gnunet.nix

@@ -155,7 +155,7 @@ in
       description = "GNUnet";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      restartTriggers = [ config.environment.etc."gnunet.conf".source ];
+      restartTriggers = [ configFile ];
       path = [ cfg.package pkgs.miniupnpc ];
       serviceConfig.ExecStart = "${cfg.package}/lib/gnunet/libexec/gnunet-service-arm -c /etc/gnunet.conf";
       serviceConfig.User = "gnunet";

nixos/modules/services/networking/smokeping.nix

@@ -8,36 +8,36 @@ let
   smokepingPidDir = "/run";
   configFile =
     if cfg.config == null
-    then
-      ''
-        *** General ***
-        cgiurl   = ${cfg.cgiUrl}
-        contact = ${cfg.ownerEmail}
-        datadir  = ${smokepingHome}/data
-        imgcache = ${smokepingHome}/cache
-        imgurl   = ${cfg.imgUrl}
-        linkstyle = ${cfg.linkStyle}
-        ${lib.optionalString (cfg.mailHost != "") "mailhost = ${cfg.mailHost}"}
-        owner = ${cfg.owner}
-        pagedir = ${smokepingHome}/cache
-        piddir  = ${smokepingPidDir}
-        ${lib.optionalString (cfg.sendmail != null) "sendmail = ${cfg.sendmail}"}
-        smokemail = ${cfg.smokeMailTemplate}
-        *** Presentation ***
-        template = ${cfg.presentationTemplate}
-        ${cfg.presentationConfig}
-        *** Alerts ***
-        ${cfg.alertConfig}
-        *** Database ***
-        ${cfg.databaseConfig}
-        *** Probes ***
-        ${cfg.probeConfig}
-        *** Targets ***
-        ${cfg.targetConfig}
-        ${cfg.extraConfig}
-      ''
-    else
-      cfg.config;
+      then
+        ''
+          *** General ***
+          cgiurl   = ${cfg.cgiUrl}
+          contact = ${cfg.ownerEmail}
+          datadir  = ${smokepingHome}/data
+          imgcache = ${smokepingHome}/cache
+          imgurl   = ${cfg.imgUrl}
+          linkstyle = ${cfg.linkStyle}
+          ${lib.optionalString (cfg.mailHost != "") "mailhost = ${cfg.mailHost}"}
+          owner = ${cfg.owner}
+          pagedir = ${smokepingHome}/cache
+          piddir  = ${smokepingPidDir}
+          ${lib.optionalString (cfg.sendmail != null) "sendmail = ${cfg.sendmail}"}
+          smokemail = ${cfg.smokeMailTemplate}
+          *** Presentation ***
+          template = ${cfg.presentationTemplate}
+          ${cfg.presentationConfig}
+          *** Alerts ***
+          ${cfg.alertConfig}
+          *** Database ***
+          ${cfg.databaseConfig}
+          *** Probes ***
+          ${cfg.probeConfig}
+          *** Targets ***
+          ${cfg.targetConfig}
+          ${cfg.extraConfig}
+        ''
+      else
+        cfg.config;
 
   configPath = pkgs.writeText "smokeping.conf" configFile;
   cgiHome = pkgs.writeScript "smokeping.fcgi" ''
@@ -141,7 +141,7 @@ in
         '';
       };
       linkStyle = mkOption {
-        type = types.enum [ "original" "absolute" "relative" ];
+        type = types.enum ["original" "absolute" "relative"];
         default = "relative";
         example = "absolute";
         description = lib.mdDoc "DNS name for the urls generated in the cgi.";
@@ -301,8 +301,7 @@ in
     ];
     security.wrappers = {
       fping =
-        {
-          setuid = true;
+        { setuid = true;
           owner = "root";
           group = "root";
           source = "${pkgs.fping}/bin/fping";
@@ -340,16 +339,16 @@ in
       };
       preStart = ''
         mkdir -m 0755 -p ${smokepingHome}/cache ${smokepingHome}/data
-        ln -snf ${cfg.package}/htdocs/css ${smokepingHome}/css
-        ln -snf ${cfg.package}/htdocs/js ${smokepingHome}/js
-        ln -snf ${cgiHome} ${smokepingHome}/smokeping.fcgi
+        ln -sf ${cfg.package}/htdocs/css ${smokepingHome}/css
+        ln -sf ${cfg.package}/htdocs/js ${smokepingHome}/js
+        ln -sf ${cgiHome} ${smokepingHome}/smokeping.fcgi
         ${cfg.package}/bin/smokeping --check --config=${configPath}
         ${cfg.package}/bin/smokeping --static --config=${configPath}
       '';
     };
     systemd.services.thttpd = mkIf cfg.webService {
-      requiredBy = [ "multi-user.target" ];
-      requires = [ "smokeping.service" ];
+      requiredBy = [ "multi-user.target"];
+      requires = [ "smokeping.service"];
       path = with pkgs; [ bash rrdtool smokeping thttpd ];
       serviceConfig = {
         Restart = "always";

nixos/modules/services/networking/ssh/sshd.nix

@@ -375,13 +375,6 @@ in
                 <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
               '';
             };
-            StrictModes = mkOption {
-              type = types.bool;
-              default = true;
-              description = lib.mdDoc ''
-                Whether sshd should check file modes and ownership of directories
-              '';
-            };
             Ciphers = mkOption {
               type = types.listOf types.str;
               default = [

nixos/modules/services/networking/unifi.nix

@@ -42,10 +42,10 @@ in
 
     services.unifi.mongodbPackage = mkOption {
       type = types.package;
-      default = pkgs.mongodb-4_4;
+      default = pkgs.mongodb-4_2;
       defaultText = literalExpression "pkgs.mongodb";
       description = lib.mdDoc ''
-        The mongodb package to use. Please note: unifi7 officially only supports mongodb up until 3.6 but works with 4.4.
+        The mongodb package to use. Please note: unifi7 officially only supports mongodb up until 3.6 but works with 4.2.
       '';
     };
 
@@ -193,4 +193,6 @@ in
     (mkRemovedOptionModule [ "services" "unifi" "dataDir" ] "You should move contents of dataDir to /var/lib/unifi/data" )
     (mkRenamedOptionModule [ "services" "unifi" "openPorts" ] [ "services" "unifi" "openFirewall" ])
   ];
+
+  meta.maintainers = with lib.maintainers; [ pennae ];
 }

nixos/modules/services/networking/xray.nix

@@ -90,9 +90,6 @@ with lib;
       serviceConfig = {
         DynamicUser = true;
         ExecStart = "${cfg.package}/bin/xray -config ${settingsFile}";
-        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
-        AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
-        NoNewPrivileges = true;
       };
     };
   };

nixos/modules/services/security/kanidm.nix

@@ -320,7 +320,6 @@ in
         ProtectHome = false;
         RestrictAddressFamilies = [ "AF_UNIX" ];
         TemporaryFileSystem = "/:ro";
-        Restart = "on-failure";
       };
       environment.RUST_LOG = "info";
     };

nixos/modules/services/system/self-deploy.nix

@@ -125,15 +125,13 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    systemd.services.self-deploy = rec {
+    systemd.services.self-deploy = {
       inherit (cfg) startAt;
 
-      serviceConfig.Type = "oneshot";
+      wantedBy = [ "multi-user.target" ];
 
       requires = lib.mkIf (!(isPathType cfg.repository)) [ "network-online.target" ];
 
-      after = requires;
-
       environment.GIT_SSH_COMMAND = lib.mkIf (cfg.sshKeyFile != null)
         "${pkgs.openssh}/bin/ssh -i ${lib.escapeShellArg cfg.sshKeyFile}";
 

nixos/modules/services/video/go2rtc/default.nix

@@ -103,10 +103,6 @@ in
       serviceConfig = {
         DynamicUser = true;
         User = "go2rtc";
-        SupplementaryGroups = [
-          # for v4l2 devices
-          "video"
-        ];
         StateDirectory = "go2rtc";
         ExecStart = "${cfg.package}/bin/go2rtc -config ${configFile}";
       };

nixos/modules/services/video/unifi-video.nix

@@ -123,7 +123,7 @@ in
 
     mongodbPackage = mkOption {
       type = types.package;
-      default = pkgs.mongodb-4_4;
+      default = pkgs.mongodb-4_2;
       defaultText = literalExpression "pkgs.mongodb";
       description = lib.mdDoc ''
         The mongodb package to use.

nixos/modules/services/web-apps/gotosocial.md

@@ -1,64 +0,0 @@
-# GoToSocial {#module-services-gotosocial}
-
-[GoToSocial](https://gotosocial.org/) is an ActivityPub social network server, written in Golang.
-
-## Service configuration {#modules-services-gotosocial-service-configuration}
-
-The following configuration sets up the PostgreSQL as database backend and binds
-GoToSocial to `127.0.0.1:8080`, expecting to be run behind a HTTP proxy on `gotosocial.example.com`.
-
-```nix
-services.gotosocial = {
-  enable = true;
-  setupPostgresqlDB = true;
-  settings = {
-    application-name = "My GoToSocial";
-    host = "gotosocial.example.com";
-    protocol = "https";
-    bind-address = "127.0.0.1";
-    port = 8080;
-  };
-};
-```
-
-Please refer to the [GoToSocial Documentation](https://docs.gotosocial.org/en/latest/configuration/general/)
-for additional configuration options.
-
-## Proxy configuration {#modules-services-gotosocial-proxy-configuration}
-
-Although it is possible to expose GoToSocial directly, it is common practice to operate it behind an
-HTTP reverse proxy such as nginx.
-
-```nix
-networking.firewall.allowedTCPPorts = [ 80 443 ];
-services.nginx = {
-  enable = true;
-  clientMaxBodySize = "40M";
-  virtualHosts = with config.services.gotosocial.settings; {
-    "${host}" = {
-      enableACME = true;
-      forceSSL = true;
-      locations = {
-        "/" = {
-          recommendedProxySettings = true;
-          proxyWebsockets = true;
-          proxyPass = "http://${bind-address}:${toString port}";
-        };
-      };
-    };
-  };
-};
-```
-
-Please refer to [](#module-security-acme) for details on how to provision an SSL/TLS certificate.
-
-## User management {#modules-services-gotosocial-user-management}
-
-After the GoToSocial service is running, the `gotosocial-admin` utility can be used to manage users. In particular an
-administrative user can be created with
-
-```ShellSession
-$ sudo gotosocial-admin account create --username <nickname> --email <email> --password <password>
-$ sudo gotosocial-admin account confirm --username <nickname>
-$ sudo gotosocial-admin account promote --username <nickname>
-```

nixos/modules/services/web-apps/gotosocial.nix

@@ -1,173 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.services.gotosocial;
-  settingsFormat = pkgs.formats.yaml { };
-  configFile = settingsFormat.generate "config.yml" cfg.settings;
-  defaultSettings = {
-    application-name = "gotosocial";
-
-    protocol = "https";
-
-    bind-address = "127.0.0.1";
-    port = 8080;
-
-    storage-local-base-path = "/var/lib/gotosocial/storage";
-
-    db-type = "sqlite";
-    db-address = "/var/lib/gotosocial/database.sqlite";
-  };
-  gotosocial-admin = pkgs.writeShellScriptBin "gotosocial-admin" ''
-    exec systemd-run \
-      -u gotosocial-admin.service \
-      -p Group=gotosocial \
-      -p User=gotosocial \
-      -q -t -G --wait --service-type=exec \
-      ${cfg.package}/bin/gotosocial --config-path ${configFile} admin "$@"
-  '';
-in
-{
-  meta.doc = ./gotosocial.md;
-  meta.maintainers = with lib.maintainers; [ misuzu ];
-
-  options.services.gotosocial = {
-    enable = lib.mkEnableOption (lib.mdDoc "ActivityPub social network server");
-
-    package = lib.mkPackageOptionMD pkgs "gotosocial" { };
-
-    openFirewall = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-      description = lib.mdDoc ''
-        Open the configured port in the firewall.
-        Using a reverse proxy instead is highly recommended.
-      '';
-    };
-
-    setupPostgresqlDB = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-      description = lib.mdDoc ''
-        Whether to setup a local postgres database and populate the
-        `db-type` fields in `services.gotosocial.settings`.
-      '';
-    };
-
-    settings = lib.mkOption {
-      type = settingsFormat.type;
-      default = defaultSettings;
-      example = {
-        application-name = "My GoToSocial";
-        host = "gotosocial.example.com";
-      };
-      description = lib.mdDoc ''
-        Contents of the GoToSocial YAML config.
-
-        Please refer to the
-        [documentation](https://docs.gotosocial.org/en/latest/configuration/)
-        and
-        [example config](https://github.com/superseriousbusiness/gotosocial/blob/main/example/config.yaml).
-
-        Please note that the `host` option cannot be changed later so it is important to configure this correctly before you start GoToSocial.
-      '';
-    };
-
-    environmentFile = lib.mkOption {
-      type = lib.types.nullOr lib.types.path;
-      description = lib.mdDoc ''
-        File path containing environment variables for configuring the GoToSocial service
-        in the format of an EnvironmentFile as described by systemd.exec(5).
-
-        This option could be used to pass sensitive configuration to the GoToSocial daemon.
-
-        Please refer to the Environment Variables section in the
-        [documentation](https://docs.gotosocial.org/en/latest/configuration/).
-      '';
-      default = null;
-      example = "/root/nixos/secrets/gotosocial.env";
-    };
-
-  };
-
-  config = lib.mkIf cfg.enable {
-    assertions = [
-      {
-        assertion = cfg.settings.host or null != null;
-        message = ''
-          You have to define a hostname for GoToSocial (`services.gotosocial.settings.host`), it cannot be changed later without starting over!
-        '';
-      }
-    ];
-
-    services.gotosocial.settings = (lib.mapAttrs (name: lib.mkDefault) (
-      defaultSettings // {
-        web-asset-base-dir = "${cfg.package}/share/gotosocial/web/assets/";
-        web-template-base-dir = "${cfg.package}/share/gotosocial/web/template/";
-      }
-    )) // (lib.optionalAttrs cfg.setupPostgresqlDB {
-      db-type = "postgres";
-      db-address = "/run/postgresql";
-      db-database = "gotosocial";
-      db-user = "gotosocial";
-    });
-
-    environment.systemPackages = [ gotosocial-admin ];
-
-    users.groups.gotosocial = { };
-    users.users.gotosocial = {
-      group = "gotosocial";
-      isSystemUser = true;
-    };
-
-    networking.firewall = lib.mkIf cfg.openFirewall {
-      allowedTCPPorts = [ cfg.settings.port ];
-    };
-
-    services.postgresql = lib.mkIf cfg.setupPostgresqlDB {
-      enable = true;
-      ensureDatabases = [ "gotosocial" ];
-      ensureUsers = [
-        {
-          name = "gotosocial";
-          ensurePermissions = {
-            "DATABASE gotosocial" = "ALL PRIVILEGES";
-          };
-        }
-      ];
-    };
-
-    systemd.services.gotosocial = {
-      description = "ActivityPub social network server";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ]
-        ++ lib.optional cfg.setupPostgresqlDB "postgresql.service";
-      requires = lib.optional cfg.setupPostgresqlDB "postgresql.service";
-      restartTriggers = [ configFile ];
-
-      serviceConfig = {
-        EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
-        ExecStart = "${cfg.package}/bin/gotosocial --config-path ${configFile} server start";
-        Restart = "on-failure";
-        Group = "gotosocial";
-        User = "gotosocial";
-        StateDirectory = "gotosocial";
-        WorkingDirectory = "/var/lib/gotosocial";
-
-        # Security options:
-        # Based on https://github.com/superseriousbusiness/gotosocial/blob/v0.8.1/example/gotosocial.service
-        AmbientCapabilities = lib.optional (cfg.settings.port < 1024) "CAP_NET_BIND_SERVICE";
-        NoNewPrivileges = true;
-        PrivateTmp = true;
-        PrivateDevices = true;
-        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        DevicePolicy = "closed";
-        ProtectSystem = "full";
-        ProtectControlGroups = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        LockPersonality = true;
-      };
-    };
-  };
-}

nixos/modules/services/web-apps/hedgedoc.nix

@@ -624,8 +624,7 @@ in
               '';
             };
             clientSecret = mkOption {
-              type = with types; nullOr str;
-              default = null;
+              type = types.str;
               description = lib.mdDoc ''
                 Specify the OAuth client secret.
               '';

nixos/modules/services/web-apps/lemmy.nix

@@ -25,7 +25,6 @@ in
     };
 
     caddy.enable = mkEnableOption (lib.mdDoc "exposing lemmy with the caddy reverse proxy");
-    nginx.enable = mkEnableOption (lib.mdDoc "exposing lemmy with the nginx reverse proxy");
 
     database.createLocally = mkEnableOption (lib.mdDoc "creation of database on the instance");
 
@@ -141,41 +140,6 @@ in
         };
       };
 
-      services.nginx = mkIf cfg.nginx.enable {
-        enable = mkDefault true;
-        virtualHosts."${cfg.settings.hostname}".locations = let
-          ui = "http://127.0.0.1:${toString cfg.ui.port}";
-          backend = "http://127.0.0.1:${toString cfg.settings.port}";
-        in {
-          "~ ^/(api|pictrs|feeds|nodeinfo|.well-known)" = {
-            # backend requests
-            proxyPass = backend;
-            proxyWebsockets = true;
-            recommendedProxySettings = true;
-          };
-          "/" = {
-            # mixed frontend and backend requests, based on the request headers
-            proxyPass = "$proxpass";
-            recommendedProxySettings = true;
-            extraConfig = ''
-              set $proxpass "${ui}";
-              if ($http_accept = "application/activity+json") {
-                set $proxpass "${backend}";
-              }
-              if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
-                set $proxpass "${backend}";
-              }
-              if ($request_method = POST) {
-                set $proxpass "${backend}";
-              }
-
-              # Cuts off the trailing slash on URLs to make them valid
-              rewrite ^(.+)/+$ $1 permanent;
-            '';
-          };
-        };
-      };
-
       assertions = [{
         assertion = cfg.database.createLocally -> cfg.settings.database.host == "localhost" || cfg.settings.database.host == "/run/postgresql";
         message = "if you want to create the database locally, you need to use a local database";

nixos/modules/services/web-apps/mattermost.nix

@@ -86,7 +86,8 @@ let
   mattermostConf = recursiveUpdate
     mattermostConfWithoutPlugins
     (
-      lib.optionalAttrs (mattermostPlugins != null) {
+      if mattermostPlugins == null then {}
+      else {
         PluginSettings = {
           Enable = true;
         };

nixos/modules/services/web-apps/mediawiki.nix

@@ -8,7 +8,7 @@ let
   cfg = config.services.mediawiki;
   fpm = config.services.phpfpm.pools.mediawiki;
   user = "mediawiki";
-  group = if cfg.webserver == "apache" then config.services.httpd.group else "mediawiki";
+  group = if cfg.webserver == "apache" then "apache" else "mediawiki";
 
   cacheDir = "/var/cache/mediawiki";
   stateDir = "/var/lib/mediawiki";

nixos/modules/services/web-apps/openvscode-server.nix

@@ -4,8 +4,7 @@ let
   cfg = config.services.openvscode-server;
   defaultUser = "openvscode-server";
   defaultGroup = defaultUser;
-in
-{
+in {
   options = {
     services.openvscode-server = {
       enable = lib.mkEnableOption (lib.mdDoc "openvscode-server");
@@ -127,12 +126,12 @@ in
       };
 
       telemetryLevel = lib.mkOption {
-        default = null;
+        default = "off";
         example = "crash";
         description = lib.mdDoc ''
           Sets the initial telemetry level. Valid levels are: 'off', 'crash', 'error' and 'all'.
         '';
-        type = lib.types.nullOr (lib.types.enum [ "off" "crash" "error" "all" ]);
+        type = lib.types.str;
       };
 
       connectionToken = lib.mkOption {
@@ -168,23 +167,23 @@ in
             --accept-server-license-terms \
             --host=${cfg.host} \
             --port=${toString cfg.port} \
-        '' + lib.optionalString (cfg.telemetryLevel != null) ''
-          --telemetry-level=${cfg.telemetryLevel} \
-        '' + lib.optionalString (cfg.withoutConnectionToken) ''
-          --without-connection-token \
-        '' + lib.optionalString (cfg.socketPath != null) ''
-          --socket-path=${cfg.socketPath} \
-        '' + lib.optionalString (cfg.userDataDir != null) ''
-          --user-data-dir=${cfg.userDataDir} \
-        '' + lib.optionalString (cfg.serverDataDir != null) ''
-          --server-data-dir=${cfg.serverDataDir} \
-        '' + lib.optionalString (cfg.extensionsDir != null) ''
-          --extensions-dir=${cfg.extensionsDir} \
-        '' + lib.optionalString (cfg.connectionToken != null) ''
-          --connection-token=${cfg.connectionToken} \
-        '' + lib.optionalString (cfg.connectionTokenFile != null) ''
-          --connection-token-file=${cfg.connectionTokenFile} \
-        '' + lib.escapeShellArgs cfg.extraArguments;
+          '' + lib.optionalString (cfg.telemetryLevel == true) ''
+            --telemetry-level=${cfg.telemetryLevel} \
+          '' + lib.optionalString (cfg.withoutConnectionToken == true) ''
+            --without-connection-token \
+          '' + lib.optionalString (cfg.socketPath != null) ''
+            --socket-path=${cfg.socketPath} \
+          '' + lib.optionalString (cfg.userDataDir != null) ''
+            --user-data-dir=${cfg.userDataDir} \
+          '' + lib.optionalString (cfg.serverDataDir != null) ''
+            --server-data-dir=${cfg.serverDataDir} \
+          '' + lib.optionalString (cfg.extensionsDir != null) ''
+            --extensions-dir=${cfg.extensionsDir} \
+          '' + lib.optionalString (cfg.connectionToken != null) ''
+            --connection-token=${cfg.connectionToken} \
+          '' + lib.optionalString (cfg.connectionTokenFile != null) ''
+            --connection-token-file=${cfg.connectionTokenFile} \
+          '' + lib.escapeShellArgs cfg.extraArguments;
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
         RuntimeDirectory = cfg.user;
         User = cfg.user;

nixos/modules/services/web-apps/pixelfed.nix

@@ -356,8 +356,7 @@ in {
         ExecStart = "${pixelfed-manage}/bin/pixelfed-manage schedule:run";
         User = user;
         Group = group;
-        StateDirectory =
-          lib.mkIf (cfg.dataDir == "/var/lib/pixelfed") "pixelfed";
+        StateDirectory = cfg.dataDir;
       };
     };
 
@@ -392,9 +391,6 @@ in {
         rsync -av --no-perms ${pixelfed}/storage-static/ ${cfg.dataDir}/storage
         chmod -R +w ${cfg.dataDir}/storage
 
-        chmod g+x ${cfg.dataDir}/storage ${cfg.dataDir}/storage/app
-        chmod -R g+rX ${cfg.dataDir}/storage/app/public
-
         # Link the app.php in the runtime folder.
         # We cannot link the cache folder only because bootstrap folder needs to be writeable.
         ln -sf ${pixelfed}/bootstrap-static/app.php ${cfg.runtimeDir}/app.php
@@ -445,7 +441,7 @@ in {
     ];
 
     # Enable NGINX to access our phpfpm-socket.
-    users.users."${config.services.nginx.user}".extraGroups = [ cfg.group ];
+    users.users."${config.services.nginx.group}".extraGroups = [ cfg.group ];
     services.nginx = mkIf (cfg.nginx != null) {
       enable = true;
       virtualHosts."${cfg.domain}" = mkMerge [

nixos/modules/services/web-servers/caddy/default.nix

@@ -14,7 +14,7 @@ let
     in
       ''
         ${hostOpts.hostName} ${concatStringsSep " " hostOpts.serverAliases} {
-          ${optionalString (hostOpts.listenAddresses != [ ]) "bind ${concatStringsSep " " hostOpts.listenAddresses}"}
+          bind ${concatStringsSep " " hostOpts.listenAddresses}
           ${optionalString (hostOpts.useACMEHost != null) "tls ${sslCertDir}/cert.pem ${sslCertDir}/key.pem"}
           log {
             ${hostOpts.logFormat}
@@ -245,23 +245,15 @@ in
     };
 
     acmeCA = mkOption {
-      default = null;
-      example = "https://acme-v02.api.letsencrypt.org/directory";
+      default = "https://acme-v02.api.letsencrypt.org/directory";
+      example = "https://acme-staging-v02.api.letsencrypt.org/directory";
       type = with types; nullOr str;
       description = lib.mdDoc ''
-        ::: {.note}
-        Sets the [`acme_ca` option](https://caddyserver.com/docs/caddyfile/options#acme-ca)
-        in the global options block of the resulting Caddyfile.
-        :::
-
         The URL to the ACME CA's directory. It is strongly recommended to set
-        this to `https://acme-staging-v02.api.letsencrypt.org/directory` for
-        Let's Encrypt's [staging endpoint](https://letsencrypt.org/docs/staging-environment/)
-        while testing or in development.
+        this to Let's Encrypt's staging endpoint for testing or development.
 
-        Value `null` should be prefered for production setups,
-        as it omits the `acme_ca` option to enable
-        [automatic issuer fallback](https://caddyserver.com/docs/automatic-https#issuer-fallback).
+        Set it to `null` if you want to write a more
+        fine-grained configuration manually.
       '';
     };
 

nixos/modules/services/web-servers/nginx/default.nix

@@ -713,7 +713,7 @@ in
           Configuration lines appended to the generated Nginx
           configuration file. Commonly used by different modules
           providing http snippets. {option}`appendConfig`
-          can be specified more than once and its value will be
+          can be specified more than once and it's value will be
           concatenated (contrary to {option}`config` which
           can be set only once).
         '';

nixos/modules/services/web-servers/traefik.nix

@@ -48,11 +48,6 @@ let
     ''
   else
     cfg.staticConfigFile;
-
-  finalStaticConfigFile =
-    if cfg.environmentFiles == []
-    then staticConfigFile
-    else "/run/traefik/config.toml";
 in {
   options.services.traefik = {
     enable = mkEnableOption (lib.mdDoc "Traefik web server");
@@ -132,16 +127,6 @@ in {
       type = types.package;
       description = lib.mdDoc "Traefik package to use.";
     };
-
-    environmentFiles = mkOption {
-      default = [];
-      type = types.listOf types.path;
-      example = [ "/run/secrets/traefik.env" ];
-      description = lib.mdDoc ''
-        Files to load as environment file. Environment variables from this file
-        will be substituted into the static configuration file using envsubst.
-      '';
-    };
   };
 
   config = mkIf cfg.enable {
@@ -154,13 +139,8 @@ in {
       startLimitIntervalSec = 86400;
       startLimitBurst = 5;
       serviceConfig = {
-        EnvironmentFile = cfg.environmentFiles;
-        ExecStartPre = lib.optional (cfg.environmentFiles != [])
-          (pkgs.writeShellScript "pre-start" ''
-            umask 077
-            ${pkgs.envsubst}/bin/envsubst -i "${staticConfigFile}" > "${finalStaticConfigFile}"
-          '');
-        ExecStart = "${cfg.package}/bin/traefik --configfile=${finalStaticConfigFile}";
+        ExecStart =
+          "${cfg.package}/bin/traefik --configfile=${staticConfigFile}";
         Type = "simple";
         User = "traefik";
         Group = cfg.group;
@@ -175,7 +155,6 @@ in {
         ProtectHome = true;
         ProtectSystem = "full";
         ReadWriteDirectories = cfg.dataDir;
-        RuntimeDirectory = "traefik";
       };
     };