nixos/public-inbox: use DynamicUser for readers

public-inbox-{http,nntp,imap}d only need to be able to read the
repositories, so they don't need to run as the public-inbox user,
which has write permission for /var/lib/public-inbox.

Annoyingly, confinement is currently not compatible with DynamicUser,
so we can't enable both at the same time.

.github/CODEOWNERS

@@ -58,9 +58,13 @@
 /maintainers/scripts/db-to-md.sh @jtojnar @ryantm
 /maintainers/scripts/doc @jtojnar @ryantm
 
+/doc/* @fricklerhandwerk
 /doc/build-aux/pandoc-filters @jtojnar
+/doc/builders/trivial-builders.chapter.md @fricklerhandwerk
 /doc/contributing/ @fricklerhandwerk
 /doc/contributing/contributing-to-documentation.chapter.md @jtojnar @fricklerhandwerk
+/doc/stdenv @fricklerhandwerk
+/doc/using @fricklerhandwerk
 
 # NixOS Internals
 /nixos/default.nix                                    @infinisil
@@ -298,13 +302,6 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /doc/languages-frameworks/javascript.section.md @winterqt
 
 # OCaml
-/pkgs/build-support/ocaml           @ulrikstrid
-/pkgs/development/compilers/ocaml   @ulrikstrid
-/pkgs/development/ocaml-modules     @ulrikstrid
-
-# ZFS
-pkgs/os-specific/linux/zfs                @raitobezarius
-nixos/lib/make-single-disk-zfs-image.nix  @raitobezarius
-nixos/lib/make-multi-disk-zfs-image.nix   @raitobezarius
-nixos/modules/tasks/filesystems/zfs.nix   @raitobezarius
-nixos/tests/zfs.nix                       @raitobezarius
+/pkgs/build-support/ocaml           @romildo @ulrikstrid
+/pkgs/development/compilers/ocaml   @romildo @ulrikstrid
+/pkgs/development/ocaml-modules     @romildo @ulrikstrid

.github/PULL_REQUEST_TEMPLATE.md

@@ -22,7 +22,7 @@ For new packages please briefly describe the package or provide a link to its ho
   - made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages
 - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
 - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
-- [23.11 Release Notes (or backporting 23.05 Release notes)](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#generating-2305-release-notes)
+- [23.05 Release Notes (or backporting 22.11 Release notes)](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#generating-2305-release-notes)
   - [ ] (Package updates) Added a release notes entry if the change is major or breaking
   - [ ] (Module updates) Added a release notes entry if the change is significant
   - [ ] (Module addition) Added a release notes entry if adding a new NixOS module

.github/workflows/basic-eval.yml

@@ -19,7 +19,7 @@ jobs:
     # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
     steps:
     - uses: actions/checkout@v3
-    - uses: cachix/install-nix-action@v21
+    - uses: cachix/install-nix-action@v20
     - uses: cachix/cachix-action@v12
       with:
         # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.

.github/workflows/check-maintainers-sorted.yaml

@@ -16,7 +16,7 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v20
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true

.github/workflows/editorconfig.yml

@@ -28,7 +28,7 @@ jobs:
       with:
         # pull_request_target checks out the base branch by default
         ref: refs/pull/${{ github.event.pull_request.number }}/merge
-    - uses: cachix/install-nix-action@v21
+    - uses: cachix/install-nix-action@v20
       with:
         # nixpkgs commit is pinned so that it doesn't break
         # editorconfig-checker 2.4.0

.github/workflows/manual-nixos.yml

@@ -18,7 +18,7 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v20
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true

.github/workflows/manual-nixpkgs.yml

@@ -19,7 +19,7 @@ jobs:
         with:
           # pull_request_target checks out the base branch by default
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v20
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true

.github/workflows/manual-rendering.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v20
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true

.github/workflows/update-terraform-providers.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v21
+      - uses: cachix/install-nix-action@v20
         with:
           nix_path: nixpkgs=channel:nixpkgs-unstable
       - name: setup

CONTRIBUTING.md

@@ -66,12 +66,9 @@ Useful git commands that can help a lot with this are `git commit --patch --amen
 From time to time, changes between branches must be rebased, for example, if the
 number of new rebuilds they would cause is too large for the target branch. When
 rebasing, care must be taken to include only the intended changes, otherwise
-many CODEOWNERS will be inadvertently requested for review. To achieve this,
+many CODEOWNERS will be inadvertently requested for review.  To achieve this,
 rebasing should not be performed directly on the target branch, but on the merge
-base between the current and target branch. As an additional precautionary measure,
-you should temporarily mark the PR as draft for the duration of the operation.
-This reduces the probability of mass-pinging people. (OfBorg might still
-request a couple of persons for reviews though.)
+base between the current and target branch.
 
 In the following example, we assume that the current branch, called `feature`,
 is based on `master`, and we rebase it onto the merge base between
@@ -105,51 +102,21 @@ git status
 git push origin feature --force-with-lease
 ```
 
-### Something went wrong and a lot of people were pinged
-
-It happens. Remember to be kind, especially to new contributors.
-There is no way back, so the pull request should be closed and locked
-(if possible). The changes should be re-submitted in a new PR, in which the people
-originally involved in the conversation need to manually be pinged again.
-No further discussion should happen on the original PR, as a lot of people
-are now subscribed to it.
-
-The following message (or a version thereof) might be left when closing to
-describe the situation, since closing and locking without any explanation
-is kind of rude:
-
-```markdown
-It looks like you accidentally mass-pinged a bunch of people, which are now subscribed
-and getting notifications for everything in this pull request. Unfortunately, they
-cannot be automatically unsubscribed from the issue (removing review request does not
-unsubscribe), therefore development cannot continue in this pull request anymore.
-
-Please open a new pull request with your changes, link back to this one and ping the
-people actually involved in here over there.
-
-In order to avoid this in the future, there are instructions for how to properly
-rebase between branches in our [contribution guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#rebasing-between-branches-ie-from-master-to-staging).
-Setting your pull request to draft prior to rebasing is strongly recommended.
-In draft status, you can preview the list of people that are about to be requested
-for review, which allows you to sidestep this issue.
-This is not a bulletproof method though, as OfBorg still does review requests even on draft PRs.
-```
-
 ## Backporting changes
 
 Follow these steps to backport a change into a release branch in compliance with the [commit policy](https://nixos.org/nixpkgs/manual/#submitting-changes-stable-release-branches).
 
-You can add a label such as `backport release-23.05` to a PR, so that merging it will
+You can add a label such as `backport release-22.11` to a PR, so that merging it will
 automatically create a backport (via [a GitHub Action](.github/workflows/backport.yml)).
-This also works for pull requests that have already been merged, and might take a couple of minutes to trigger.
+This also works for PR's that have already been merged, and might take a couple of minutes to trigger.
 
 You can also create the backport manually:
 
 1. Take note of the commits in which the change was introduced into `master` branch.
-2. Check out the target _release branch_, e.g. `release-23.05`. Do not use a _channel branch_ like `nixos-23.05` or `nixpkgs-23.05-darwin`.
+2. Check out the target _release branch_, e.g. `release-22.11`. Do not use a _channel branch_ like `nixos-22.11` or `nixpkgs-22.11-darwin`.
 3. Create a branch for your change, e.g. `git checkout -b backport`.
 4. When the reason to backport is not obvious from the original commit message, use `git cherry-pick -xe <original commit>` and add a reason. Otherwise use `git cherry-pick -x <original commit>`. That's fine for minor version updates that only include security and bug fixes, commits that fixes an otherwise broken package or similar. Please also ensure the commits exists on the master branch; in the case of squashed or rebased merges, the commit hash will change and the new commits can be found in the merge message at the bottom of the master pull request.
-5. Push to GitHub and open a backport pull request. Make sure to select the release branch (e.g. `release-23.05`) as the target branch of the pull request, and link to the pull request in which the original change was committed to `master`. The pull request title should be the commit title with the release version as prefix, e.g. `[23.05]`.
+5. Push to GitHub and open a backport pull request. Make sure to select the release branch (e.g. `release-22.11`) as the target branch of the pull request, and link to the pull request in which the original change was committed to `master`. The pull request title should be the commit title with the release version as prefix, e.g. `[22.11]`.
 6. When the backport pull request is merged and you have the necessary privileges you can also replace the label `9.needs: port to stable` with `8.has: port to stable` on the original pull request. This way maintainers can keep track of missing backports easier.
 
 ## Criteria for Backporting changes
@@ -161,7 +128,7 @@ Anything that does not cause user or downstream dependency regressions can be ba
 - Services which require a client to be up-to-date regardless. (E.g. `spotify`, `steam`, or `discord`)
 - Security critical applications (E.g. `firefox`)
 
-## Generating 23.11 Release Notes
+## Generating 23.05 Release Notes
 <!--
 note: title unchanged even though we don't need regeneration because extant
 PRs will link here. definitely change the title for 23.11 though.
@@ -169,10 +136,10 @@ PRs will link here. definitely change the title for 23.11 though.
 
 Documentation in nixpkgs is transitioning to a markdown-centric workflow. In the past release notes required a translation step to convert from markdown to a compatible docbook document, but this is no longer necessary.
 
-Steps for updating 23.11 Release notes:
+Steps for updating 23.05 Release notes:
 
-1. Edit `nixos/doc/manual/release-notes/rl-2311.section.md` with the desired changes
-2. Commit changes to `rl-2311.section.md`.
+1. Edit `nixos/doc/manual/release-notes/rl-2305.section.md` with the desired changes
+2. Commit changes to `rl-2305.section.md`.
 
 ## Reviewing contributions
 

README.md

@@ -51,9 +51,9 @@ Nixpkgs and NixOS are built and tested by our continuous integration
 system, [Hydra](https://hydra.nixos.org/).
 
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for the NixOS 23.05 release](https://hydra.nixos.org/jobset/nixos/release-23.05)
+* [Continuous package builds for the NixOS 22.11 release](https://hydra.nixos.org/jobset/nixos/release-22.11)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for the NixOS 23.05 release](https://hydra.nixos.org/job/nixos/release-23.05/tested#tabs-constituents)
+* [Tests for the NixOS 22.11 release](https://hydra.nixos.org/job/nixos/release-22.11/tested#tabs-constituents)
 
 Artifacts successfully built with Hydra are published to cache at
 https://cache.nixos.org/. When successful build and test criteria are

doc/Makefile

@@ -66,13 +66,18 @@ out/html/index.html: doc-support/result manual-full.xml style.css highlightjs
 	cp doc-support/result/xsl/docbook/images/callouts/*.svg out/html/images/callouts/
 	chmod u+w -R out/html/
 
-out/epub/manual.epub: epub.xml
+out/epub/manual.epub: manual-full.xml
 	mkdir -p out/epub/scratch
 	xsltproc --nonet \
 		--output out/epub/scratch/ \
 		doc-support/result/epub.xsl \
-		./epub.xml
+		./manual-full.xml
 
+	cp -r $(pandoc_media_dir) out/epub/scratch/OEBPS
+	cp ./overrides.css out/epub/scratch/OEBPS
+	cp ./style.css out/epub/scratch/OEBPS
+	mkdir -p out/epub/scratch/OEBPS/images/callouts/
+	cp doc-support/result/xsl/docbook/images/callouts/*.svg out/epub/scratch/OEBPS/images/callouts/
 	echo "application/epub+zip" > mimetype
 	zip -0Xq "out/epub/manual.epub" mimetype
 	rm mimetype

doc/builders/fetchers.chapter.md

@@ -132,16 +132,11 @@ A number of fetcher functions wrap part of `fetchurl` and `fetchzip`. They are m
 
 `fetchFromGitHub` expects four arguments. `owner` is a string corresponding to the GitHub user or organization that controls this repository. `repo` corresponds to the name of the software repository. These are located at the top of every GitHub HTML page as `owner`/`repo`. `rev` corresponds to the Git commit hash or tag (e.g `v1.0`) that will be downloaded from Git. Finally, `hash` corresponds to the hash of the extracted directory. Again, other hash algorithms are also available, but `hash` is currently preferred.
 
-To use a different GitHub instance, use `githubBase` (defaults to `"github.com"`).
-
 `fetchFromGitHub` uses `fetchzip` to download the source archive generated by GitHub for the specified revision. If `leaveDotGit`, `deepClone` or `fetchSubmodules` are set to `true`, `fetchFromGitHub` will use `fetchgit` instead. Refer to its section for documentation of these options.
 
 ## `fetchFromGitLab` {#fetchfromgitlab}
 
-This is used with GitLab repositories. It behaves similarly to `fetchFromGitHub`, and expects `owner`, `repo`, `rev`, and `hash`.
-
-To use a specific GitLab instance, use `domain` (defaults to `"gitlab.com"`).
-
+This is used with GitLab repositories. The arguments expected are very similar to `fetchFromGitHub` above.
 
 ## `fetchFromGitiles` {#fetchfromgitiles}
 
@@ -149,7 +144,7 @@ This is used with Gitiles repositories. The arguments expected are similar to `f
 
 ## `fetchFromBitbucket` {#fetchfrombitbucket}
 
-This is used with BitBucket repositories. The arguments expected are very similar to `fetchFromGitHub` above.
+This is used with BitBucket repositories. The arguments expected are very similar to fetchFromGitHub above.
 
 ## `fetchFromSavannah` {#fetchfromsavannah}
 

doc/builders/special/darwin-builder.section.md

@@ -62,7 +62,7 @@ builders-use-substitutes = true
 $ sudo launchctl kickstart -k system/org.nixos.nix-daemon
 ```
 
-## Example flake usage {#sec-darwin-builder-example-flake}
+## Example flake usage
 
 ```
 {
@@ -120,7 +120,7 @@ $ sudo launchctl kickstart -k system/org.nixos.nix-daemon
 }
 ```
 
-## Reconfiguring the builder {#sec-darwin-builder-reconfiguring}
+## Reconfiguring the builder
 
 Initially you should not change the builder configuration else you will not be
 able to use the binary cache. However, after you have the builder running locally

doc/builders/special/makesetuphook.section.md

@@ -12,7 +12,7 @@ pkgs.makeSetupHook {
 } ./script.sh
 ```
 
-### setup hook that depends on the hello package and runs hello and @shell@ is substituted with path to bash {#sec-pkgs.makeSetupHook-usage-example}
+#### setup hook that depends on the hello package and runs hello and @shell@ is substituted with path to bash {#sec-pkgs.makeSetupHook-usage-example}
 
 ```nix
 pkgs.makeSetupHook {

doc/builders/special/vm-tools.section.md

@@ -6,7 +6,7 @@ A set of VM related utilities, that help in building some packages in more advan
 
 A bash script fragment that produces a disk image at `destination`.
 
-### Attributes {#vm-tools-createEmptyImage-attributes}
+### Attributes
 
 * `size`. The disk size, in MiB.
 * `fullName`. Name that will be written to `${destination}/nix-support/full-name`.
@@ -20,14 +20,14 @@ Thus, any pure Nix derivation should run unmodified.
 
 If the build fails and Nix is run with the `-K/--keep-failed` option, a script `run-vm` will be left behind in the temporary build directory that allows you to boot into the VM and debug it interactively.
 
-### Attributes {#vm-tools-runInLinuxVM-attributes}
+### Attributes
 
 * `preVM` (optional). Shell command to be evaluated *before* the VM is started (i.e., on the host).
 * `memSize` (optional, default `512`). The memory size of the VM in MiB.
 * `diskImage` (optional). A file system image to be attached to `/dev/sda`.
   Note that currently we expect the image to contain a filesystem, not a full disk image with a partition table etc.
 
-### Examples {#vm-tools-runInLinuxVM-examples}
+### Examples
 
 Build the derivation hello inside a VM:
 ```nix
@@ -56,13 +56,13 @@ runInLinuxVM (hello.overrideAttrs (_: {
 
 Takes a file, such as an ISO, and extracts its contents into the store.
 
-### Attributes {#vm-tools-extractFs-attributes}
+### Attributes
 
 * `file`. Path to the file to be extracted.
   Note that currently we expect the image to contain a filesystem, not a full disk image with a partition table etc.
 * `fs` (optional). Filesystem of the contents of the file.
 
-### Examples {#vm-tools-extractFs-examples}
+### Examples
 
 Extract the contents of an ISO file:
 ```nix
@@ -82,7 +82,7 @@ Like [](#vm-tools-runInLinuxVM), but instead of using `stdenv` from the Nix stor
 
 Generate a script that can be used to run an interactive session in the given image.
 
-### Examples {#vm-tools-makeImageTestScript-examples}
+### Examples
 
 Create a script for running a Fedora 27 VM:
 ```nix
@@ -100,7 +100,7 @@ makeImageTestScript diskImages.ubuntu2004x86_64
 
 A set of functions that build a predefined set of minimal Linux distributions images.
 
-### Images {#vm-tools-diskImageFuns-images}
+### Images
 
 * Fedora
   * `fedora26x86_64`
@@ -126,12 +126,12 @@ A set of functions that build a predefined set of minimal Linux distributions im
   * `debian11i386`
   * `debian11x86_64`
 
-### Attributes {#vm-tools-diskImageFuns-attributes}
+### Attributes
 
 * `size` (optional, defaults to `4096`). The size of the image, in MiB.
 * `extraPackages` (optional). A list names of additional packages from the distribution that should be included in the image.
 
-### Examples {#vm-tools-diskImageFuns-examples}
+### Examples
 
 8GiB image containing Firefox in addition to the default packages:
 ```nix

doc/builders/testers.chapter.md

@@ -1,5 +1,5 @@
 # Testers {#chap-testers}
-This chapter describes several testing builders which are available in the `testers` namespace.
+This chapter describes several testing builders which are available in the <literal>testers</literal> namespace.
 
 ## `hasPkgConfigModule` {#tester-hasPkgConfigModule}
 

doc/contributing/coding-conventions.chapter.md

@@ -220,9 +220,7 @@ There are a few naming guidelines:
 
 - The `version` attribute _must_ start with a digit e.g`"0.3.1rc2".
 
-- If a package is a commit from a repository without a version assigned, then the `version` attribute _should_ be the latest upstream version preceding that commit, followed by `-unstable-` and the date of the (fetched) commit. The date _must_ be in `"YYYY-MM-DD"` format.
-
-Example: Given a project had its latest releases `2.2` in November 2021, and `3.0` in January 2022, a commit authored on March 15, 2022 for an upcoming bugfix release `2.2.1` would have `version = "2.2-unstable-2022-03-15"`.
+- If a package is not a release but a commit from a repository, then the `version` attribute _must_ be the date of that (fetched) commit. The date _must_ be in `"unstable-YYYY-MM-DD"` format.
 
 - Dashes in the package `pname` _should_ be preserved in new variable names, rather than converted to underscores or camel cased — e.g., `http-parser` instead of `http_parser` or `httpParser`. The hyphenated style is preferred in all three package names.
 

doc/contributing/reviewing-contributions.chapter.md

@@ -12,7 +12,7 @@ When reviewing a pull request, please always be nice and polite. Controversial c
 
 GitHub provides reactions as a simple and quick way to provide feedback to pull requests or any comments. The thumb-down reaction should be used with care and if possible accompanied with some explanation so the submitter has directions to improve their contribution.
 
-Pull request reviews should include a list of what has been reviewed in a comment, so other reviewers and mergers can know the state of the review.
+pull request reviews should include a list of what has been reviewed in a comment, so other reviewers and mergers can know the state of the review.
 
 All the review template samples provided in this section are generic and meant as examples. Their usage is optional and the reviewer is free to adapt them to their liking.
 
@@ -201,7 +201,7 @@ checks should be performed:
     them to either recommit using that key or to remove their key
     information.
 
-    Given a maintainer entry like this:
+    Given a maintainter entry like this:
 
     ``` nix
     {

doc/default.nix

@@ -20,33 +20,7 @@ in pkgs.stdenv.mkDerivation {
     ln -s ${doc-support} ./doc-support/result
   '';
 
-  epub = ''
-    <book xmlns="http://docbook.org/ns/docbook"
-          xmlns:xlink="http://www.w3.org/1999/xlink"
-          version="5.0"
-          xml:id="nixpkgs-manual">
-      <info>
-        <title>Nixpkgs Manual</title>
-        <subtitle>Version ${pkgs.lib.version}</subtitle>
-      </info>
-      <chapter>
-        <title>Temporarily unavailable</title>
-        <para>
-          The Nixpkgs manual is currently not available in EPUB format,
-          please use the <link xlink:href="https://nixos.org/nixpkgs/manual">HTML manual</link>
-          instead.
-        </para>
-        <para>
-          If you've used the EPUB manual in the past and it has been useful to you, please
-          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/237234">let us know</link>.
-        </para>
-      </chapter>
-    </book>
-  '';
-  passAsFile = [ "epub" ];
-
   preBuild = ''
-    cp $epubPath epub.xml
     make -j$NIX_BUILD_CORES render-md
   '';
 

doc/functions/generators.section.md

@@ -16,7 +16,7 @@ let
              if v == true then ''"yes"''
         else if v == false then ''"no"''
         else if isString v then ''"${v}"''
-        # and delegates all other values to the default generator
+        # and delegats all other values to the default generator
         else generators.mkValueStringDefault {} v;
     } ":";
   };

doc/hooks/autoconf.section.md

@@ -1,3 +1,4 @@
-# Autoconf {#setup-hook-autoconf}
+
+### Autoconf {#setup-hook-autoconf}
 
 The `autoreconfHook` derivation adds `autoreconfPhase`, which runs autoreconf, libtoolize and automake, essentially preparing the configure script in autotools-based builds. Most autotools-based packages come with the configure script pre-generated, but this hook is necessary for a few packages and when you need to patch the package’s configure scripts.

doc/hooks/automake.section.md

@@ -1,3 +1,4 @@
-# Automake {#setup-hook-automake}
+
+### Automake {#setup-hook-automake}
 
 Adds the `share/aclocal` subdirectory of each build input to the `ACLOCAL_PATH` environment variable.

doc/hooks/autopatchelf.section.md

@@ -1,4 +1,5 @@
-# autoPatchelfHook {#setup-hook-autopatchelfhook}
+
+### autoPatchelfHook {#setup-hook-autopatchelfhook}
 
 This is a special setup hook which helps in packaging proprietary software in that it automatically tries to find missing shared library dependencies of ELF files based on the given `buildInputs` and `nativeBuildInputs`.
 

doc/hooks/breakpoint.section.md

@@ -1,4 +1,5 @@
-# breakpointHook {#breakpointhook}
+
+### breakpointHook {#breakpointhook}
 
 This hook will make a build pause instead of stopping when a failure happens. It prevents nix from cleaning up the build environment immediately and allows the user to attach to a build environment using the `cntr` command. Upon build error it will print instructions on how to use `cntr`, which can be used to enter the environment for debugging. Installing cntr and running the command will provide shell access to the build sandbox of failed build. At `/var/lib/cntr` the sandboxed filesystem is mounted. All commands and files of the system are still accessible within the shell. To execute commands from the sandbox use the cntr exec subcommand. `cntr` is only supported on Linux-based platforms. To use it first add `cntr` to your `environment.systemPackages` on NixOS or alternatively to the root user on non-NixOS systems. Then in the package that is supposed to be inspected, add `breakpointHook` to `nativeBuildInputs`.
 

doc/hooks/cmake.section.md

@@ -1,3 +1,4 @@
-# cmake {#cmake}
+
+### cmake {#cmake}
 
 Overrides the default configure phase to run the CMake command. By default, we use the Make generator of CMake. In addition, dependencies are added automatically to `CMAKE_PREFIX_PATH` so that packages are correctly detected by CMake. Some additional flags are passed in to give similar behavior to configure-based packages. You can disable this hook’s behavior by setting `configurePhase` to a custom value, or by setting `dontUseCmakeConfigure`. `cmakeFlags` controls flags passed only to CMake. By default, parallel building is enabled as CMake supports parallel building almost everywhere. When Ninja is also in use, CMake will detect that and use the ninja generator.

doc/hooks/gdk-pixbuf.section.md

@@ -1,3 +1,4 @@
-# gdk-pixbuf {#setup-hook-gdk-pixbuf}
+
+### gdk-pixbuf {#setup-hook-gdk-pixbuf}
 
 Exports `GDK_PIXBUF_MODULE_FILE` environment variable to the builder. Add librsvg package to `buildInputs` to get svg support. See also the [setup hook description in GNOME platform docs](#ssec-gnome-hooks-gdk-pixbuf).

doc/hooks/ghc.section.md

@@ -1,3 +1,4 @@
-# GHC {#ghc}
+
+### GHC {#ghc}
 
 Creates a temporary package database and registers every Haskell build input in it (TODO: how?).

doc/hooks/gnome.section.md

@@ -1,3 +1,4 @@
-# GNOME platform {#gnome-platform}
+
+### GNOME platform {#gnome-platform}
 
 Hooks related to GNOME platform and related libraries like GLib, GTK and GStreamer are described in [](#sec-language-gnome).

doc/hooks/installShellFiles.section.md

@@ -1,4 +1,5 @@
-# `installShellFiles` {#installshellfiles}
+
+### `installShellFiles` {#installshellfiles}
 
 This hook helps with installing manpages and shell completion files. It exposes 2 shell functions `installManPage` and `installShellCompletion` that can be used from your `postInstall` hook.
 

doc/hooks/libiconv.section.md

@@ -1,3 +1,4 @@
-# libiconv, libintl {#libiconv-libintl}
+
+### libiconv, libintl {#libiconv-libintl}
 
 A few libraries automatically add to `NIX_LDFLAGS` their library, making their symbols automatically available to the linker. This includes libiconv and libintl (gettext). This is done to provide compatibility between GNU Linux, where libiconv and libintl are bundled in, and other systems where that might not be the case. Sometimes, this behavior is not desired. To disable this behavior, set `dontAddExtraLibs`.

doc/hooks/libxml2.section.md

@@ -1,3 +1,4 @@
-# libxml2 {#setup-hook-libxml2}
+
+### libxml2 {#setup-hook-libxml2}
 
 Adds every file named `catalog.xml` found under the `xml/dtd` and `xml/xsl` subdirectories of each build input to the `XML_CATALOG_FILES` environment variable.

doc/hooks/meson.section.md

@@ -1,25 +1,26 @@
-# Meson {#meson}
+
+### Meson {#meson}
 
 Overrides the configure phase to run meson to generate Ninja files. To run these files, you should accompany Meson with ninja. By default, `enableParallelBuilding` is enabled as Meson supports parallel building almost everywhere.
 
-## Variables controlling Meson {#variables-controlling-meson}
+#### Variables controlling Meson {#variables-controlling-meson}
 
-### `mesonFlags` {#mesonflags}
+##### `mesonFlags` {#mesonflags}
 
 Controls the flags passed to meson.
 
-### `mesonBuildType` {#mesonbuildtype}
+##### `mesonBuildType` {#mesonbuildtype}
 
 Which [`--buildtype`](https://mesonbuild.com/Builtin-options.html#core-options) to pass to Meson. We default to `plain`.
 
-### `mesonAutoFeatures` {#mesonautofeatures}
+##### `mesonAutoFeatures` {#mesonautofeatures}
 
 What value to set [`-Dauto_features=`](https://mesonbuild.com/Builtin-options.html#core-options) to. We default to `enabled`.
 
-### `mesonWrapMode` {#mesonwrapmode}
+##### `mesonWrapMode` {#mesonwrapmode}
 
 What value to set [`-Dwrap_mode=`](https://mesonbuild.com/Builtin-options.html#core-options) to. We default to `nodownload` as we disallow network access.
 
-### `dontUseMesonConfigure` {#dontusemesonconfigure}
+##### `dontUseMesonConfigure` {#dontusemesonconfigure}
 
 Disables using Meson’s `configurePhase`.

doc/hooks/ninja.section.md

@@ -1,3 +1,4 @@
-# ninja {#ninja}
+
+### ninja {#ninja}
 
 Overrides the build, install, and check phase to run ninja instead of make. You can disable this behavior with the `dontUseNinjaBuild`, `dontUseNinjaInstall`, and `dontUseNinjaCheck`, respectively. Parallel building is enabled by default in Ninja.

doc/hooks/perl.section.md

@@ -1,3 +1,4 @@
-# Perl {#setup-hook-perl}
+
+### Perl {#setup-hook-perl}
 
 Adds the `lib/site_perl` subdirectory of each build input to the `PERL5LIB` environment variable. For instance, if `buildInputs` contains Perl, then the `lib/site_perl` subdirectory of each input is added to the `PERL5LIB` environment variable.

doc/hooks/pkg-config.section.md

@@ -1,3 +1,4 @@
-# pkg-config {#setup-hook-pkg-config}
+
+### pkg-config {#setup-hook-pkg-config}
 
 Adds the `lib/pkgconfig` and `share/pkgconfig` subdirectories of each build input to the `PKG_CONFIG_PATH` environment variable.

doc/hooks/python.section.md

@@ -1,3 +1,4 @@
-# Python {#setup-hook-python}
+
+### Python {#setup-hook-python}
 
 Adds the `lib/${python.libPrefix}/site-packages` subdirectory of each build input to the `PYTHONPATH` environment variable.

doc/hooks/qt-4.section.md

@@ -1,3 +1,4 @@
-# Qt 4 {#qt-4}
+
+### Qt 4 {#qt-4}
 
 Sets the `QTDIR` environment variable to Qt’s path.

doc/hooks/scons.section.md

@@ -1,3 +1,4 @@
-# scons {#scons}
+
+### scons {#scons}
 
 Overrides the build, install, and check phases. This uses the scons build system as a replacement for make. scons does not provide a configure phase, so everything is managed at build and install time.

doc/hooks/tetex-tex-live.section.md

@@ -1,3 +1,4 @@
-# teTeX / TeX Live {#tetex-tex-live}
+
+### teTeX / TeX Live {#tetex-tex-live}
 
 Adds the `share/texmf-nix` subdirectory of each build input to the `TEXINPUTS` environment variable.

doc/hooks/unzip.section.md

@@ -1,3 +1,4 @@
-# unzip {#unzip}
+
+### unzip {#unzip}
 
 This setup hook will allow you to unzip .zip files specified in `$src`. There are many similar packages like `unrar`, `undmg`, etc.

doc/hooks/validatePkgConfig.section.md

@@ -1,3 +1,4 @@
-# validatePkgConfig {#validatepkgconfig}
+
+### validatePkgConfig {#validatepkgconfig}
 
 The `validatePkgConfig` hook validates all pkg-config (`.pc`) files in a package. This helps catching some common errors in pkg-config files, such as undefined variables.

doc/hooks/waf.section.md

@@ -1,3 +1,4 @@
-# wafHook {#wafhook}
+
+### wafHook {#wafhook}
 
 Overrides the configure, build, and install phases. This will run the “waf” script used by many projects. If `wafPath` (default `./waf`) doesn’t exist, it will copy the version of waf available in Nixpkgs. `wafFlags` can be used to pass flags to the waf script.

doc/hooks/xcbuild.section.md

@@ -1,3 +1,4 @@
-# xcbuildHook {#xcbuildhook}
+
+### xcbuildHook {#xcbuildhook}
 
 Overrides the build and install phases to run the "xcbuild" command. This hook is needed when a project only comes with build files for the XCode build system. You can disable this behavior by setting buildPhase and configurePhase to a custom value. xcbuildFlags controls flags passed only to xcbuild.

doc/languages-frameworks/bower.section.md

@@ -1,6 +1,6 @@
 # Bower {#sec-bower}
 
-[Bower](https://bower.io) is a package manager for web site front-end components. Bower packages (comprising of build artifacts and sometimes sources) are stored in `git` repositories, typically on Github. The package registry is run by the Bower team with package metadata coming from the `bower.json` file within each package.
+[Bower](https://bower.io) is a package manager for web site front-end components. Bower packages (comprising of build artefacts and sometimes sources) are stored in `git` repositories, typically on Github. The package registry is run by the Bower team with package metadata coming from the `bower.json` file within each package.
 
 The end result of running Bower is a `bower_components` directory which can be included in the web app's build process.
 
@@ -41,18 +41,32 @@ The function is implemented in [pkgs/development/bower-modules/generic/default.n
 
 ### Example buildBowerComponents {#ex-buildBowerComponents}
 
-```nix
+```{=docbook}
+<programlisting language="nix">
 bowerComponents = buildBowerComponents {
   name = "my-web-app";
-  generated = ./bower-packages.nix; # note 1
-  src = myWebApp; # note 2
+  generated = ./bower-packages.nix; <co xml:id="ex-buildBowerComponents-1" />
+  src = myWebApp; <co xml:id="ex-buildBowerComponents-2" />
 };
+</programlisting>
 ```
 
 In ["buildBowerComponents" example](#ex-buildBowerComponents) the following arguments are of special significance to the function:
 
-1. `generated` specifies the file which was created by {command}`bower2nix`.
-2. `src` is your project's sources. It needs to contain a {file}`bower.json` file.
+```{=docbook}
+<calloutlist>
+  <callout arearefs="ex-buildBowerComponents-1">
+    <para>
+      <varname>generated</varname> specifies the file which was created by <command>bower2nix</command>.
+    </para>
+    </callout>
+      <callout arearefs="ex-buildBowerComponents-2">
+    <para>
+      <varname>src</varname> is your project's sources. It needs to contain a <filename>bower.json</filename> file.
+    </para>
+  </callout>
+</calloutlist>
+```
 
 `buildBowerComponents` will run Bower to link together the output of `bower2nix`, resulting in a `bower_components` directory which can be used.
 
@@ -77,9 +91,10 @@ gulp.task('build', [], function () {
 
 ### Example Full example — default.nix {#ex-buildBowerComponentsDefaultNix}
 
-```nix
+```{=docbook}
+<programlisting language="nix">
 { myWebApp ? { outPath = ./.; name = "myWebApp"; }
-, pkgs ? import <nixpkgs> {}
+, pkgs ? import &lt;nixpkgs&gt; {}
 }:
 
 pkgs.stdenv.mkDerivation {
@@ -88,29 +103,49 @@ pkgs.stdenv.mkDerivation {
 
   buildInputs = [ pkgs.nodePackages.gulp ];
 
-  bowerComponents = pkgs.buildBowerComponents { # note 1
+  bowerComponents = pkgs.buildBowerComponents { <co xml:id="ex-buildBowerComponentsDefault-1" />
     name = "my-web-app";
     generated = ./bower-packages.nix;
     src = myWebApp;
   };
 
   buildPhase = ''
-    cp --reflink=auto --no-preserve=mode -R $bowerComponents/bower_components . # note 2
-    export HOME=$PWD # note 3
-    ${pkgs.nodePackages.gulp}/bin/gulp build # note 4
+    cp --reflink=auto --no-preserve=mode -R $bowerComponents/bower_components . <co xml:id="ex-buildBowerComponentsDefault-2" />
+    export HOME=$PWD <co xml:id="ex-buildBowerComponentsDefault-3" />
+    ${pkgs.nodePackages.gulp}/bin/gulp build <co xml:id="ex-buildBowerComponentsDefault-4" />
   '';
 
   installPhase = "mv gulpdist $out";
 }
+</programlisting>
 ```
 
 A few notes about [Full example — `default.nix`](#ex-buildBowerComponentsDefaultNix):
 
-1. The result of `buildBowerComponents` is an input to the frontend build.
-2. Whether to symlink or copy the {file}`bower_components` directory depends on the build tool in use.
-   In this case a copy is used to avoid {command}`gulp` silliness with permissions.
-3. {command}`gulp` requires `HOME` to refer to a writeable directory.
-4. The actual build command in this example is {command}`gulp`. Other tools could be used instead.
+```{=docbook}
+<calloutlist>
+  <callout arearefs="ex-buildBowerComponentsDefault-1">
+    <para>
+      The result of <varname>buildBowerComponents</varname> is an input to the frontend build.
+    </para>
+  </callout>
+  <callout arearefs="ex-buildBowerComponentsDefault-2">
+    <para>
+      Whether to symlink or copy the <filename>bower_components</filename> directory depends on the build tool in use. In this case a copy is used to avoid <command>gulp</command> silliness with permissions.
+    </para>
+  </callout>
+  <callout arearefs="ex-buildBowerComponentsDefault-3">
+    <para>
+      <command>gulp</command> requires <varname>HOME</varname> to refer to a writeable directory.
+    </para>
+  </callout>
+  <callout arearefs="ex-buildBowerComponentsDefault-4">
+    <para>
+      The actual build command. Other tools could be used.
+    </para>
+  </callout>
+</calloutlist>
+```
 
 ## Troubleshooting {#ssec-bower2nix-troubleshooting}
 

doc/languages-frameworks/dhall.section.md

@@ -307,12 +307,12 @@ $ nix-env --install --attr haskellPackages.dhall-nixpkgs
 
 $ nix-env --install --attr nix-prefetch-git  # Used by dhall-to-nixpkgs
 
-$ dhall-to-nixpkgs github https://github.com/Gabriella439/dhall-semver.git
+$ dhall-to-nixpkgs github https://github.com/Gabriel439/dhall-semver.git
 { buildDhallGitHubPackage, Prelude }:
   buildDhallGitHubPackage {
     name = "dhall-semver";
     githubBase = "github.com";
-    owner = "Gabriella439";
+    owner = "Gabriel439";
     repo = "dhall-semver";
     rev = "2d44ae605302ce5dc6c657a1216887fbb96392a4";
     fetchSubmodules = false;

doc/languages-frameworks/gnome.section.md

@@ -27,7 +27,7 @@ The modules are typically installed to `lib/gio/modules/` directory of a package
 
 In particular, we recommend:
 
-* adding `dconf.lib` for any software on Linux that reads [GSettings](#ssec-gnome-settings) (even transitively through e.g. GTK’s file manager)
+* adding `dconf.lib` for any software on Linux that reads [GSettings](#ssec-gnome-settings) (even transitivily through e.g. GTK’s file manager)
 * adding `glib-networking` for any software that accesses network using GIO or libsoup – glib-networking contains a module that implements TLS support and loads system-wide proxy settings
 
 To allow software to use various virtual file systems, `gvfs` package can be also added. But that is usually an optional feature so we typically use `gvfs` from the system (e.g. installed globally using NixOS module).
@@ -137,15 +137,15 @@ Most GNOME package offer [`updateScript`](#var-passthru-updateScript), it is the
 
 ## Frequently encountered issues {#ssec-gnome-common-issues}
 
-### `GLib-GIO-ERROR **: 06:04:50.903: No GSettings schemas are installed on the system` {#ssec-gnome-common-issues-no-schemas}
+#### `GLib-GIO-ERROR **: 06:04:50.903: No GSettings schemas are installed on the system` {#ssec-gnome-common-issues-no-schemas}
 
 There are no schemas available in `XDG_DATA_DIRS`. Temporarily add a random package containing schemas like `gsettings-desktop-schemas` to `buildInputs`. [`glib`](#ssec-gnome-hooks-glib) and [`wrapGAppsHook`](#ssec-gnome-hooks-wrapgappshook) setup hooks will take care of making the schemas available to application and you will see the actual missing schemas with the [next error](#ssec-gnome-common-issues-missing-schema). Or you can try looking through the source code for the actual schemas used.
 
-### `GLib-GIO-ERROR **: 06:04:50.903: Settings schema ‘org.gnome.foo’ is not installed` {#ssec-gnome-common-issues-missing-schema}
+#### `GLib-GIO-ERROR **: 06:04:50.903: Settings schema ‘org.gnome.foo’ is not installed` {#ssec-gnome-common-issues-missing-schema}
 
 Package is missing some GSettings schemas. You can find out the package containing the schema with `nix-locate org.gnome.foo.gschema.xml` and let the hooks handle the wrapping as [above](#ssec-gnome-common-issues-no-schemas).
 
-### When using `wrapGAppsHook` with special derivers you can end up with double wrapped binaries. {#ssec-gnome-common-issues-double-wrapped}
+#### When using `wrapGAppsHook` with special derivers you can end up with double wrapped binaries. {#ssec-gnome-common-issues-double-wrapped}
 
 This is because derivers like `python.pkgs.buildPythonApplication` or `qt5.mkDerivation` have setup-hooks automatically added that produce wrappers with makeWrapper. The simplest way to workaround that is to disable the `wrapGAppsHook` automatic wrapping with `dontWrapGApps = true;` and pass the arguments it intended to pass to makeWrapper to another.
 
@@ -193,7 +193,7 @@ mkDerivation {
 }
 ```
 
-### I am packaging a project that cannot be wrapped, like a library or GNOME Shell extension. {#ssec-gnome-common-issues-unwrappable-package}
+#### I am packaging a project that cannot be wrapped, like a library or GNOME Shell extension. {#ssec-gnome-common-issues-unwrappable-package}
 
 You can rely on applications depending on the library setting the necessary environment variables but that is often easy to miss. Instead we recommend to patch the paths in the source code whenever possible. Here are some examples:
 
@@ -209,6 +209,6 @@ You can rely on applications depending on the library setting the necessary envi
 
   []{#ssec-gnome-common-issues-unwrappable-package-gsettings-c} [Hard-coding GSettings schema path in C library](https://github.com/NixOS/nixpkgs/blob/29c120c065d03b000224872251bed93932d42412/pkgs/development/libraries/glib-networking/default.nix#L31-L34) – nothing special other than using [Coccinelle patch](https://github.com/NixOS/nixpkgs/pull/67957#issuecomment-527717467) to generate the patch itself.
 
-### I need to wrap a binary outside `bin` and `libexec` directories. {#ssec-gnome-common-issues-weird-location}
+#### I need to wrap a binary outside `bin` and `libexec` directories. {#ssec-gnome-common-issues-weird-location}
 
 You can manually trigger the wrapping with `wrapGApp` in `preFixup` phase. It takes a path to a program as a first argument; the remaining arguments are passed directly to [`wrapProgram`](#fun-wrapProgram) function.

doc/languages-frameworks/haskell.section.md

@@ -276,15 +276,6 @@ Defaults to `true`.
 : Whether to generate an index for interactive navigation of the HTML documentation.
 Defaults to `true` if supported.
 
-`doInstallIntermediates`
-: Whether to install intermediate build products (files written to `dist/build`
-by GHC during the build process). With `enableSeparateIntermediatesOutput`,
-these files are instead installed to [a separate `intermediates`
-output.][multiple-outputs] The output can then be passed into a future build of
-the same package with the `previousIntermediates` argument to support
-incremental builds. See [“Incremental builds”](#haskell-incremental-builds) for
-more information. Defaults to `false`.
-
 `enableLibraryProfiling`
 : Whether to enable [profiling][profiling] for libraries contained in the
 package. Enabled by default if supported.
@@ -380,12 +371,6 @@ Defaults to `false`.
 : Whether to install documentation to a separate `doc` output.
 Is automatically enabled if `doHaddock` is `true`.
 
-`enableSeparateIntermediatesOutput`
-: When `doInstallIntermediates` is true, whether to install intermediate build
-products to a separate `intermediates` output. See [“Incremental
-builds”](#haskell-incremental-builds) for more information. Defaults to
-`false`.
-
 `allowInconsistentDependencies`
 : If enabled, allow multiple versions of the same Haskell package in the
 dependency tree at configure time. Often in such a situation compilation would
@@ -396,11 +381,6 @@ later fail because of type mismatches. Defaults to `false`.
 when loading the library in the REPL, but requires extra build time and
 disk space. Defaults to `false`.
 
-`previousIntermediates`
-: If non-null, intermediate build artifacts are copied from this input to
-`dist/build` before performing compiling. See [“Incremental
-builds”](#haskell-incremental-builds) for more information. Defaults to `null`.
-
 `buildTarget`
 : Name of the executable or library to build and install.
 If unset, all available targets are built and installed.
@@ -516,54 +496,6 @@ the [Meta-attributes section](#chap-meta) for their documentation.
     * `broken`
     * `hydraPlatforms`
 
-### Incremental builds {#haskell-incremental-builds}
-
-`haskellPackages.mkDerivation` supports incremental builds for GHC 9.4 and
-newer with the `doInstallIntermediates`, `enableSeparateIntermediatesOutput`,
-and `previousIntermediates` arguments.
-
-The basic idea is to first perform a full build of the package in question,
-save its intermediate build products for later, and then copy those build
-products into the build directory of an incremental build performed later.
-Then, GHC will use those build artifacts to avoid recompiling unchanged
-modules.
-
-For more detail on how to store and use incremental build products, see
-[Gabriella Gonzalez’ blog post “Nixpkgs support for incremental Haskell
-builds”.][incremental-builds] motivation behind this feature.
-
-An incremental build for [the `turtle` package][turtle] can be performed like
-so:
-
-```nix
-let
-  pkgs = import <nixpkgs> {};
-  inherit (pkgs) haskell;
-  inherit (haskell.lib.compose) overrideCabal;
-
-  # Incremental builds work with GHC >=9.4.
-  turtle = haskell.packages.ghc944.turtle;
-
-  # This will do a full build of `turtle`, while writing the intermediate build products
-  # (compiled modules, etc.) to the `intermediates` output.
-  turtle-full-build-with-incremental-output = overrideCabal (drv: {
-    doInstallIntermediates = true;
-    enableSeparateIntermediatesOutput = true;
-  }) turtle;
-
-  # This will do an incremental build of `turtle` by copying the previously
-  # compiled modules and intermediate build products into the source tree
-  # before running the build.
-  #
-  # GHC will then naturally pick up and reuse these products, making this build
-  # complete much more quickly than the previous one.
-  turtle-incremental-build = overrideCabal (drv: {
-    previousIntermediates = turtle-full-build-with-incremental-output.intermediates;
-  }) turtle;
-in
-  turtle-incremental-build
-```
-
 ## Development environments {#haskell-development-environments}
 
 In addition to building and installing Haskell software, nixpkgs can also
@@ -1057,7 +989,7 @@ benchmark component.
 `dontBenchmark drv`
 : Set `doBenchmark` to `false` for `drv`.
 
-`setBuildTargets drv list`
+`setBuildTargets list drv`
 : Sets the `buildTarget` argument for `drv` so that the targets specified in `list` are built.
 
 `doCoverage drv`
@@ -1151,11 +1083,8 @@ on the issue linked above.
 [haskell.nix]: https://input-output-hk.github.io/haskell.nix/index.html
 [HLS user guide]: https://haskell-language-server.readthedocs.io/en/latest/configuration.html#configuring-your-editor
 [hoogle]: https://wiki.haskell.org/Hoogle
-[incremental-builds]: https://www.haskellforall.com/2022/12/nixpkgs-support-for-incremental-haskell.html
 [jailbreak-cabal]: https://github.com/NixOS/jailbreak-cabal/
-[multiple-outputs]: https://nixos.org/manual/nixpkgs/stable/#chap-multiple-output
 [optparse-applicative-completions]: https://github.com/pcapriotti/optparse-applicative/blob/7726b63796aa5d0df82e926d467f039b78ca09e2/README.md#bash-zsh-and-fish-completions
 [profiling-detail]: https://cabal.readthedocs.io/en/latest/cabal-project.html#cfg-field-profiling-detail
 [profiling]: https://downloads.haskell.org/~ghc/latest/docs/html/users_guide/profiling.html
 [search.nixos.org]: https://search.nixos.org
-[turtle]: https://hackage.haskell.org/package/turtle

doc/languages-frameworks/ios.section.md

@@ -104,7 +104,7 @@ The above function takes a variety of parameters:
   and the location where the source code resides
 * `sdkVersion` specifies which version of the iOS SDK to use.
 
-It also possible to adjust the `xcodebuild` parameters. This is only needed in
+It also possile to adjust the `xcodebuild` parameters. This is only needed in
 rare circumstances. In most cases the default values should suffice:
 
 * Specifies which `xcodebuild` target to build. By default it takes the target
@@ -130,7 +130,7 @@ In addition, you need to set the following parameters:
   store certificates.
 * `generateIPA` specifies that we want to produce an IPA file (this is probably
   what you want)
-* `generateXCArchive` specifies that we want to produce an xcarchive file.
+* `generateXCArchive` specifies thet we want to produce an xcarchive file.
 
 When building IPA files on Hydra and when it is desired to allow iOS devices to
 install IPAs by browsing to the Hydra build products page, you can enable the

doc/languages-frameworks/javascript.section.md

@@ -143,7 +143,7 @@ To update NPM packages in nixpkgs, run the same `generate.sh` script:
 #### Git protocol error {#javascript-git-error}
 
 Some packages may have Git dependencies from GitHub specified with `git://`.
-GitHub has [disabled unencrypted Git connections](https://github.blog/2021-09-01-improving-git-protocol-security-github/#no-more-unauthenticated-git), so you may see the following error when running the generate script:
+GitHub has [disabled unecrypted Git connections](https://github.blog/2021-09-01-improving-git-protocol-security-github/#no-more-unauthenticated-git), so you may see the following error when running the generate script:
 
 ```
 The unauthenticated git protocol on port 9418 is no longer supported

doc/languages-frameworks/python.section.md

@@ -995,7 +995,7 @@ and in this case the `python3` interpreter is automatically used.
 ### Interpreters {#interpreters}
 
 Versions 2.7, 3.8, 3.9, 3.10 and 3.11 of the CPython interpreter are available
-as respectively `python27`, `python38`, `python39`, `python310` and `python311`.
+as respectively `python27`, python38`, `python39`, `python310` and `python311`.
 The aliases `python2` and `python3` correspond to respectively `python27` and
 `python310`. The attribute `python` maps to `python2`. The PyPy interpreters
 compatible with Python 2.7 and 3 are available as `pypy27` and `pypy3`, with
@@ -1514,6 +1514,10 @@ Note: There is a boolean value `lib.inNixShell` set to `true` if nix-shell is in
 Packages inside nixpkgs are written by hand. However many tools exist in
 community to help save time. No tool is preferred at the moment.
 
+- [pypi2nix](https://github.com/nix-community/pypi2nix): Generate Nix
+  expressions for your Python project. Note that [sharing derivations from
+  pypi2nix with nixpkgs is possible but not
+  encouraged](https://github.com/nix-community/pypi2nix/issues/222#issuecomment-443497376).
 - [nixpkgs-pytools](https://github.com/nix-community/nixpkgs-pytools)
 - [poetry2nix](https://github.com/nix-community/poetry2nix)
 

doc/languages-frameworks/qt.section.md

@@ -10,22 +10,37 @@ pure and explicit at build-time, at the cost of introducing an extra indirection
 
 ## Nix expression for a Qt package (default.nix) {#qt-default-nix}
 
-```nix
-{ stdenv, lib, qtbase, wrapQtAppsHook }:
+```{=docbook}
+<programlisting>
+{ stdenv, lib, qtbase, wrapQtAppsHook }: <co xml:id='qt-default-nix-co-1' />
 
 stdenv.mkDerivation {
   pname = "myapp";
   version = "1.0";
 
   buildInputs = [ qtbase ];
-  nativeBuildInputs = [ wrapQtAppsHook ];
+  nativeBuildInputs = [ wrapQtAppsHook ]; <co xml:id='qt-default-nix-co-2' />
 }
+</programlisting>
+
+ <calloutlist>
+  <callout arearefs='qt-default-nix-co-1'>
+   <para>
+    Import Qt modules directly, that is: <literal>qtbase</literal>, <literal>qtdeclarative</literal>, etc.
+    <emphasis>Do not</emphasis> import Qt package sets such as <literal>qt5</literal>
+    because the Qt versions of dependencies may not be coherent, causing build and runtime failures.
+   </para>
+  </callout>
+  <callout arearefs='qt-default-nix-co-2'>
+    <para>
+      All Qt packages must include <literal>wrapQtAppsHook</literal> in
+      <literal>nativeBuildInputs</literal>, or you must explicitly set
+      <literal>dontWrapQtApps</literal>.
+    </para>
+  </callout>
+ </calloutlist>
 ```
 
-It is important to import Qt modules directly, that is: `qtbase`, `qtdeclarative`, etc. *Do not* import Qt package sets such as `qt5` because the Qt versions of dependencies may not be coherent, causing build and runtime failures.
-
-Additionally all Qt packages must include `wrapQtAppsHook` in `nativeBuildInputs`, or you must explicitly set `dontWrapQtApps`.
-
 ## Locating runtime dependencies {#qt-runtime-dependencies}
 
 Qt applications must be wrapped to find runtime dependencies.

doc/stdenv/meta.chapter.md

@@ -70,7 +70,7 @@ A list of the maintainers of this Nix expression. Maintainers are defined in [`n
 
 ### `mainProgram` {#var-meta-mainProgram}
 
-The name of the main binary for the package. This affects the binary `nix run` executes and falls back to the name of the package. Example: `"rg"`
+The name of the main binary for the package. This effects the binary `nix run` executes and falls back to the name of the package. Example: `"rg"`
 
 ### `priority` {#var-meta-priority}
 
@@ -128,7 +128,7 @@ Prefer `passthru.tests` for tests that are introduced in nixpkgs because:
 * we can run `passthru.tests` independently
 * `installCheckPhase` adds overhead to each build
 
-For more on how to write and run package tests, see [](#sec-package-tests).
+For more on how to write and run package tests, see <xref linkend="sec-package-tests"/>.
 
 #### NixOS tests {#var-meta-tests-nixos}
 
@@ -182,7 +182,7 @@ runCommand "my-package-test" {
 
 ### `timeout` {#var-meta-timeout}
 
-A timeout (in seconds) for building the derivation. If the derivation takes longer than this time to build, Hydra will fail it due to breaking the timeout. However, all computers do not have the same computing power, hence some builders may decide to apply a multiplicative factor to this value. When filling this value in, try to keep it approximately consistent with other values already present in `nixpkgs`.
+A timeout (in seconds) for building the derivation. If the derivation takes longer than this time to build, it can fail due to breaking the timeout. However, all computers do not have the same computing power, hence some builders may decide to apply a multiplicative factor to this value. When filling this value in, try to keep it approximately consistent with other values already present in `nixpkgs`.
 
 `meta` attributes are not stored in the instantiated derivation.
 Therefore, this setting may be lost when the package is used as a dependency.

doc/stdenv/stdenv.chapter.md

@@ -286,7 +286,7 @@ This is where “sum-like” comes in from above: We can just sum all of the hos
 
 Because of the bounds checks, the uncommon cases are `h = t` and `h + 2 = t`. In the former case, the motivation for `mapOffset` is that since its host and target platforms are the same, no transitive dependency of it should be able to “discover” an offset greater than its reduced target offsets. `mapOffset` effectively “squashes” all its transitive dependencies’ offsets so that none will ever be greater than the target offset of the original `h = t` package. In the other case, `h + 1` is skipped over between the host and target offsets. Instead of squashing the offsets, we need to “rip” them apart so no transitive dependencies’ offset is that one.
 
-Overall, the unifying theme here is that propagation shouldn’t be introducing transitive dependencies involving platforms the depending package is unaware of. \[One can imagine the depending package asking for dependencies with the platforms it knows about; other platforms it doesn’t know how to ask for. The platform description in that scenario is a kind of unforgeable capability.\] The offset bounds checking and definition of `mapOffset` together ensure that this is the case. Discovering a new offset is discovering a new platform, and since those platforms weren’t in the derivation “spec” of the needing package, they cannot be relevant. From a capability perspective, we can imagine that the host and target platforms of a package are the capabilities a package requires, and the depending package must provide the capability to the dependency.
+Overall, the unifying theme here is that propagation shouldn’t be introducing transitive dependencies involving platforms the depending package is unaware of. \[One can imagine the dependending package asking for dependencies with the platforms it knows about; other platforms it doesn’t know how to ask for. The platform description in that scenario is a kind of unforagable capability.\] The offset bounds checking and definition of `mapOffset` together ensure that this is the case. Discovering a new offset is discovering a new platform, and since those platforms weren’t in the derivation “spec” of the needing package, they cannot be relevant. From a capability perspective, we can imagine that the host and target platforms of a package are the capabilities a package requires, and the depending package must provide the capability to the dependency.
 
 #### Variables specifying dependencies {#variables-specifying-dependencies}
 
@@ -971,8 +971,7 @@ to `~/.gdbinit`. GDB will then be able to find debug information installed via `
 
 The installCheck phase checks whether the package was installed correctly by running its test suite against the installed directories. The default `installCheck` calls `make installcheck`.
 
-It is often better to add tests that are not part of the source distribution to `passthru.tests` (see
-[](#var-meta-tests)). This avoids adding overhead to every build and enables us to run them independently.
+It is often better to add tests that are not part of the source distribution to `passthru.tests` (see <xref linkend="var-meta-tests"/>). This avoids adding overhead to every build and enables us to run them independently.
 
 #### Variables controlling the installCheck phase {#variables-controlling-the-installcheck-phase}
 
@@ -1235,7 +1234,7 @@ This runs the strip command on installed binaries and libraries. This removes un
 
 This setup hook patches installed scripts to add Nix store paths to their shebang interpreter as found in the build environment. The [shebang](https://en.wikipedia.org/wiki/Shebang_(Unix)) line tells a Unix-like operating system which interpreter to use to execute the script's contents.
 
-::: {.note}
+::: note
 The [generic builder][generic-builder] populates `PATH` from inputs of the derivation.
 :::
 
@@ -1273,7 +1272,7 @@ patchShebangs --build configure
 
 Interpreter paths that point to a valid Nix store location are not changed.
 
-::: {.note}
+::: note
 A script file must be marked as executable, otherwise it will not be
 considered.
 :::

lib/attrsets.nix

@@ -123,11 +123,7 @@ rec {
          { x = "a"; y = "b"; }
        => { x = "a"; xa = "a"; y = "b"; yb = "b"; }
   */
-  concatMapAttrs = f: v:
-    foldl' mergeAttrs { }
-      (attrValues
-        (mapAttrs f v)
-      );
+  concatMapAttrs = f: flip pipe [ (mapAttrs f) attrValues (foldl' mergeAttrs { }) ];
 
 
   /* Update or set specific paths of an attribute set.

lib/derivations.nix

@@ -31,7 +31,7 @@ in
 
         (lazyDerivation { inherit derivation; meta.foo = true; }).meta
 
-    In these expressions, `derivation` _will_ be evaluated:
+    In these expressions, it `derivation` _will_ be evaluated:
 
         "${lazyDerivation { inherit derivation }}"
 

lib/licenses.nix

@@ -215,12 +215,6 @@ in mkLicense lset) ({
     url = "https://opensource.org/licenses/CAL-1.0";
   };
 
-  caldera = {
-    spdxId = "Caldera";
-    fullName = "Caldera License";
-    url = "http://www.lemis.com/grog/UNIX/ancient-source-all.pdf";
-  };
-
   capec = {
     fullName = "Common Attack Pattern Enumeration and Classification";
     url = "https://capec.mitre.org/about/termsofuse.html";
@@ -562,12 +556,6 @@ in mkLicense lset) ({
     fullName = "Imlib2 License";
   };
 
-  info-zip = {
-    spdxId = "Info-ZIP";
-    fullName = "Info-ZIP License";
-    url = "http://www.info-zip.org/pub/infozip/license.html";
-  };
-
   inria-compcert = {
     fullName  = "INRIA Non-Commercial License Agreement for the CompCert verified compiler";
     url       = "https://compcert.org/doc/LICENSE.txt";

lib/lists.nix

@@ -198,38 +198,8 @@ rec {
     default:
     # Input list
     list:
-    let
-      # A naive recursive implementation would be much simpler, but
-      # would also overflow the evaluator stack. We use `foldl'` as a workaround
-      # because it reuses the same stack space, evaluating the function for one
-      # element after another. We can't return early, so this means that we
-      # sacrifice early cutoff, but that appears to be an acceptable cost. A
-      # clever scheme with "exponential search" is possible, but appears over-
-      # engineered for now. See https://github.com/NixOS/nixpkgs/pull/235267
-
-      # Invariant:
-      # - if index < 0 then el == elemAt list (- index - 1) and all elements before el didn't satisfy pred
-      # - if index >= 0 then pred (elemAt list index) and all elements before (elemAt list index) didn't satisfy pred
-      #
-      # We start with index -1 and the 0'th element of the list, which satisfies the invariant
-      resultIndex = foldl' (index: el:
-        if index < 0 then
-          # No match yet before the current index, we need to check the element
-          if pred el then
-            # We have a match! Turn it into the actual index to prevent future iterations from modifying it
-            - index - 1
-          else
-            # Still no match, update the index to the next element (we're counting down, so minus one)
-            index - 1
-        else
-          # There's already a match, propagate the index without evaluating anything
-          index
-      ) (-1) list;
-    in
-    if resultIndex < 0 then
-      default
-    else
-      elemAt list resultIndex;
+    let found = filter pred list;
+    in if found == [] then default else head found;
 
   /* Return true if function `pred` returns true for at least one
      element of `list`.

lib/systems/doubles.nix

@@ -27,9 +27,9 @@ let
     # Linux
     "aarch64-linux" "armv5tel-linux" "armv6l-linux" "armv7a-linux"
     "armv7l-linux" "i686-linux" "loongarch64-linux" "m68k-linux" "microblaze-linux"
-    "microblazeel-linux" "mips-linux" "mips64-linux" "mips64el-linux"
-    "mipsel-linux" "powerpc64-linux" "powerpc64le-linux" "riscv32-linux"
-    "riscv64-linux" "s390-linux" "s390x-linux" "x86_64-linux"
+    "microblazeel-linux" "mipsel-linux" "mips64el-linux" "powerpc64-linux"
+    "powerpc64le-linux" "riscv32-linux" "riscv64-linux" "s390-linux"
+    "s390x-linux" "x86_64-linux"
 
     # MMIXware
     "mmix-mmixware"

lib/systems/examples.nix

@@ -91,16 +91,22 @@ rec {
   } // platforms.fuloong2f_n32;
 
   # can execute on 32bit chip
-  mips-linux-gnu           = { config = "mips-unknown-linux-gnu";           } // platforms.gcc_mips32r2_o32;
-  mipsel-linux-gnu         = { config = "mipsel-unknown-linux-gnu";         } // platforms.gcc_mips32r2_o32;
+  mips-linux-gnu                = { config = "mips-unknown-linux-gnu";                } // platforms.gcc_mips32r2_o32;
+  mipsel-linux-gnu              = { config = "mipsel-unknown-linux-gnu";              } // platforms.gcc_mips32r2_o32;
+  mipsisa32r6-linux-gnu         = { config = "mipsisa32r6-unknown-linux-gnu";         } // platforms.gcc_mips32r6_o32;
+  mipsisa32r6el-linux-gnu       = { config = "mipsisa32r6el-unknown-linux-gnu";       } // platforms.gcc_mips32r6_o32;
 
   # require 64bit chip (for more registers, 64-bit floating point, 64-bit "long long") but use 32bit pointers
-  mips64-linux-gnuabin32   = { config = "mips64-unknown-linux-gnuabin32";   } // platforms.gcc_mips64r2_n32;
-  mips64el-linux-gnuabin32 = { config = "mips64el-unknown-linux-gnuabin32"; } // platforms.gcc_mips64r2_n32;
+  mips64-linux-gnuabin32        = { config = "mips64-unknown-linux-gnuabin32";        } // platforms.gcc_mips64r2_n32;
+  mips64el-linux-gnuabin32      = { config = "mips64el-unknown-linux-gnuabin32";      } // platforms.gcc_mips64r2_n32;
+  mipsisa64r6-linux-gnuabin32   = { config = "mipsisa64r6-unknown-linux-gnuabin32";   } // platforms.gcc_mips64r6_n32;
+  mipsisa64r6el-linux-gnuabin32 = { config = "mipsisa64r6el-unknown-linux-gnuabin32"; } // platforms.gcc_mips64r6_n32;
 
   # 64bit pointers
-  mips64-linux-gnuabi64    = { config = "mips64-unknown-linux-gnuabi64";    } // platforms.gcc_mips64r2_64;
-  mips64el-linux-gnuabi64  = { config = "mips64el-unknown-linux-gnuabi64";  } // platforms.gcc_mips64r2_64;
+  mips64-linux-gnuabi64         = { config = "mips64-unknown-linux-gnuabi64";         } // platforms.gcc_mips64r2_64;
+  mips64el-linux-gnuabi64       = { config = "mips64el-unknown-linux-gnuabi64";       } // platforms.gcc_mips64r2_64;
+  mipsisa64r6-linux-gnuabi64    = { config = "mipsisa64r6-unknown-linux-gnuabi64";    } // platforms.gcc_mips64r6_64;
+  mipsisa64r6el-linux-gnuabi64  = { config = "mipsisa64r6el-unknown-linux-gnuabi64";  } // platforms.gcc_mips64r6_64;
 
   muslpi = raspberryPi // {
     config = "armv6l-unknown-linux-musleabihf";

lib/systems/parse.nix

@@ -91,10 +91,14 @@ rec {
     microblaze   = { bits = 32; significantByte = bigEndian;    family = "microblaze"; };
     microblazeel = { bits = 32; significantByte = littleEndian; family = "microblaze"; };
 
-    mips     = { bits = 32; significantByte = bigEndian;    family = "mips"; };
-    mipsel   = { bits = 32; significantByte = littleEndian; family = "mips"; };
-    mips64   = { bits = 64; significantByte = bigEndian;    family = "mips"; };
-    mips64el = { bits = 64; significantByte = littleEndian; family = "mips"; };
+    mips          = { bits = 32; significantByte = bigEndian;    family = "mips"; };
+    mipsel        = { bits = 32; significantByte = littleEndian; family = "mips"; };
+    mipsisa32r6   = { bits = 32; significantByte = bigEndian;    family = "mips"; };
+    mipsisa32r6el = { bits = 32; significantByte = littleEndian; family = "mips"; };
+    mips64        = { bits = 64; significantByte = bigEndian;    family = "mips"; };
+    mips64el      = { bits = 64; significantByte = littleEndian; family = "mips"; };
+    mipsisa64r6   = { bits = 64; significantByte = bigEndian;    family = "mips"; };
+    mipsisa64r6el = { bits = 64; significantByte = littleEndian; family = "mips"; };
 
     mmix     = { bits = 64; significantByte = bigEndian;    family = "mmix"; };
 

lib/tests/filesystem.sh

@@ -35,50 +35,58 @@ touch regular
 ln -s target symlink
 mkfifo fifo
 
-expectSuccess() {
-    local expr=$1
-    local expectedResultRegex=$2
-    if ! result=$(nix-instantiate --eval --strict --json \
-        --expr "with (import <nixpkgs/lib>).filesystem; $expr"); then
-        die "$expr failed to evaluate, but it was expected to succeed"
-    fi
-    if [[ ! "$result" =~ $expectedResultRegex ]]; then
-        die "$expr == $result, but $expectedResultRegex was expected"
+checkPathType() {
+    local path=$1
+    local expectedPathType=$2
+    local actualPathType=$(nix-instantiate --eval --strict --json 2>&1 \
+        -E '{ path }: let lib = import <nixpkgs/lib>; in lib.filesystem.pathType path' \
+        --argstr path "$path")
+    if [[ "$actualPathType" != "$expectedPathType" ]]; then
+        die "lib.filesystem.pathType \"$path\" == $actualPathType, but $expectedPathType was expected"
     fi
 }
 
-expectFailure() {
-    local expr=$1
-    local expectedErrorRegex=$2
-    if result=$(nix-instantiate --eval --strict --json 2>"$work/stderr" \
-        --expr "with (import <nixpkgs/lib>).filesystem; $expr"); then
-        die "$expr evaluated successfully to $result, but it was expected to fail"
-    fi
-    if [[ ! "$(<"$work/stderr")" =~ $expectedErrorRegex ]]; then
-        die "Error was $(<"$work/stderr"), but $expectedErrorRegex was expected"
+checkPathType "/" '"directory"'
+checkPathType "$PWD/directory" '"directory"'
+checkPathType "$PWD/regular" '"regular"'
+checkPathType "$PWD/symlink" '"symlink"'
+checkPathType "$PWD/fifo" '"unknown"'
+checkPathType "$PWD/non-existent" "error: evaluation aborted with the following error message: 'lib.filesystem.pathType: Path $PWD/non-existent does not exist.'"
+
+checkPathIsDirectory() {
+    local path=$1
+    local expectedIsDirectory=$2
+    local actualIsDirectory=$(nix-instantiate --eval --strict --json 2>&1 \
+        -E '{ path }: let lib = import <nixpkgs/lib>; in lib.filesystem.pathIsDirectory path' \
+        --argstr path "$path")
+    if [[ "$actualIsDirectory" != "$expectedIsDirectory" ]]; then
+        die "lib.filesystem.pathIsDirectory \"$path\" == $actualIsDirectory, but $expectedIsDirectory was expected"
     fi
 }
 
-expectSuccess "pathType /." '"directory"'
-expectSuccess "pathType $PWD/directory" '"directory"'
-expectSuccess "pathType $PWD/regular" '"regular"'
-expectSuccess "pathType $PWD/symlink" '"symlink"'
-expectSuccess "pathType $PWD/fifo" '"unknown"'
-# Different errors depending on whether the builtins.readFilePath primop is available or not
-expectFailure "pathType $PWD/non-existent" "error: (evaluation aborted with the following error message: 'lib.filesystem.pathType: Path $PWD/non-existent does not exist.'|getting status of '$PWD/non-existent': No such file or directory)"
+checkPathIsDirectory "/" "true"
+checkPathIsDirectory "$PWD/directory" "true"
+checkPathIsDirectory "$PWD/regular" "false"
+checkPathIsDirectory "$PWD/symlink" "false"
+checkPathIsDirectory "$PWD/fifo" "false"
+checkPathIsDirectory "$PWD/non-existent" "false"
 
-expectSuccess "pathIsDirectory /." "true"
-expectSuccess "pathIsDirectory $PWD/directory" "true"
-expectSuccess "pathIsDirectory $PWD/regular" "false"
-expectSuccess "pathIsDirectory $PWD/symlink" "false"
-expectSuccess "pathIsDirectory $PWD/fifo" "false"
-expectSuccess "pathIsDirectory $PWD/non-existent" "false"
+checkPathIsRegularFile() {
+    local path=$1
+    local expectedIsRegularFile=$2
+    local actualIsRegularFile=$(nix-instantiate --eval --strict --json 2>&1 \
+        -E '{ path }: let lib = import <nixpkgs/lib>; in lib.filesystem.pathIsRegularFile path' \
+        --argstr path "$path")
+    if [[ "$actualIsRegularFile" != "$expectedIsRegularFile" ]]; then
+        die "lib.filesystem.pathIsRegularFile \"$path\" == $actualIsRegularFile, but $expectedIsRegularFile was expected"
+    fi
+}
 
-expectSuccess "pathIsRegularFile /." "false"
-expectSuccess "pathIsRegularFile $PWD/directory" "false"
-expectSuccess "pathIsRegularFile $PWD/regular" "true"
-expectSuccess "pathIsRegularFile $PWD/symlink" "false"
-expectSuccess "pathIsRegularFile $PWD/fifo" "false"
-expectSuccess "pathIsRegularFile $PWD/non-existent" "false"
+checkPathIsRegularFile "/" "false"
+checkPathIsRegularFile "$PWD/directory" "false"
+checkPathIsRegularFile "$PWD/regular" "true"
+checkPathIsRegularFile "$PWD/symlink" "false"
+checkPathIsRegularFile "$PWD/fifo" "false"
+checkPathIsRegularFile "$PWD/non-existent" "false"
 
 echo >&2 tests ok

lib/tests/misc.nix

@@ -518,46 +518,6 @@ runTests {
     expected = false;
   };
 
-  testFindFirstExample1 = {
-    expr = findFirst (x: x > 3) 7 [ 1 6 4 ];
-    expected = 6;
-  };
-
-  testFindFirstExample2 = {
-    expr = findFirst (x: x > 9) 7 [ 1 6 4 ];
-    expected = 7;
-  };
-
-  testFindFirstEmpty = {
-    expr = findFirst (abort "when the list is empty, the predicate is not needed") null [];
-    expected = null;
-  };
-
-  testFindFirstSingleMatch = {
-    expr = findFirst (x: x == 5) null [ 5 ];
-    expected = 5;
-  };
-
-  testFindFirstSingleDefault = {
-    expr = findFirst (x: false) null [ (abort "if the predicate doesn't access the value, it must not be evaluated") ];
-    expected = null;
-  };
-
-  testFindFirstNone = {
-    expr = builtins.tryEval (findFirst (x: x == 2) null [ 1 (throw "the last element must be evaluated when there's no match") ]);
-    expected = { success = false; value = false; };
-  };
-
-  # Makes sure that the implementation doesn't cause a stack overflow
-  testFindFirstBig = {
-    expr = findFirst (x: x == 1000000) null (range 0 1000000);
-    expected = 1000000;
-  };
-
-  testFindFirstLazy = {
-    expr = findFirst (x: x == 1) 7 [ 1 (abort "list elements after the match must not be evaluated") ];
-    expected = 1;
-  };
 
 # ATTRSETS
 

lib/tests/modules.sh

@@ -378,7 +378,7 @@ checkConfigOutput '^{ }$' config.sub.nixosOk ./class-check.nix
 checkConfigError 'The module .*/module-class-is-darwin.nix was imported into nixos instead of darwin.' config.sub.nixosFail.config ./class-check.nix
 
 # submoduleWith type merge with different class
-checkConfigError 'A submoduleWith option is declared multiple times with conflicting class values "darwin" and "nixos".' config.sub.mergeFail.config ./class-check.nix
+checkConfigError 'error: A submoduleWith option is declared multiple times with conflicting class values "darwin" and "nixos".' config.sub.mergeFail.config ./class-check.nix
 
 # _type check
 checkConfigError 'Could not load a value as a module, because it is of type "flake", in file .*/module-imports-_type-check.nix' config.ok.config ./module-imports-_type-check.nix

lib/tests/release.nix

@@ -2,63 +2,53 @@
   # Don't test properties of pkgs.lib, but rather the lib in the parent directory
   pkgs ? import ../.. {} // { lib = throw "pkgs.lib accessed, but the lib tests should use nixpkgs' lib path directly!"; },
   nix ? pkgs.nix,
-  nixVersions ? [ pkgs.nixVersions.minimum nix pkgs.nixVersions.unstable ],
 }:
 
-let
-  testWithNix = nix:
-    pkgs.runCommand "nixpkgs-lib-tests-nix-${nix.version}" {
-      buildInputs = [
-        (import ./check-eval.nix)
-        (import ./maintainers.nix {
-          inherit pkgs;
-          lib = import ../.;
-        })
-        (import ./teams.nix {
-          inherit pkgs;
-          lib = import ../.;
-        })
-        (import ../path/tests {
-          inherit pkgs;
-        })
-      ];
-      nativeBuildInputs = [
-        nix
-      ];
-      strictDeps = true;
-    } ''
-      datadir="${nix}/share"
-      export TEST_ROOT=$(pwd)/test-tmp
-      export NIX_BUILD_HOOK=
-      export NIX_CONF_DIR=$TEST_ROOT/etc
-      export NIX_LOCALSTATE_DIR=$TEST_ROOT/var
-      export NIX_LOG_DIR=$TEST_ROOT/var/log/nix
-      export NIX_STATE_DIR=$TEST_ROOT/var/nix
-      export NIX_STORE_DIR=$TEST_ROOT/store
-      export PAGER=cat
-      cacheDir=$TEST_ROOT/binary-cache
+pkgs.runCommand "nixpkgs-lib-tests" {
+  buildInputs = [
+    (import ./check-eval.nix)
+    (import ./maintainers.nix {
+      inherit pkgs;
+      lib = import ../.;
+    })
+    (import ./teams.nix {
+      inherit pkgs;
+      lib = import ../.;
+    })
+    (import ../path/tests {
+      inherit pkgs;
+    })
+  ];
+  nativeBuildInputs = [
+    nix
+  ];
+  strictDeps = true;
+} ''
+    datadir="${nix}/share"
+    export TEST_ROOT=$(pwd)/test-tmp
+    export NIX_BUILD_HOOK=
+    export NIX_CONF_DIR=$TEST_ROOT/etc
+    export NIX_LOCALSTATE_DIR=$TEST_ROOT/var
+    export NIX_LOG_DIR=$TEST_ROOT/var/log/nix
+    export NIX_STATE_DIR=$TEST_ROOT/var/nix
+    export NIX_STORE_DIR=$TEST_ROOT/store
+    export PAGER=cat
+    cacheDir=$TEST_ROOT/binary-cache
 
-      mkdir -p $NIX_CONF_DIR
-      echo "experimental-features = nix-command" >> $NIX_CONF_DIR/nix.conf
+    mkdir -p $NIX_CONF_DIR
+    echo "experimental-features = nix-command" >> $NIX_CONF_DIR/nix.conf
 
-      nix-store --init
+    nix-store --init
 
-      cp -r ${../.} lib
-      echo "Running lib/tests/modules.sh"
-      bash lib/tests/modules.sh
+    cp -r ${../.} lib
+    echo "Running lib/tests/modules.sh"
+    bash lib/tests/modules.sh
 
-      echo "Running lib/tests/filesystem.sh"
-      TEST_LIB=$PWD/lib bash lib/tests/filesystem.sh
+    echo "Running lib/tests/filesystem.sh"
+    TEST_LIB=$PWD/lib bash lib/tests/filesystem.sh
 
-      echo "Running lib/tests/sources.sh"
-      TEST_LIB=$PWD/lib bash lib/tests/sources.sh
+    echo "Running lib/tests/sources.sh"
+    TEST_LIB=$PWD/lib bash lib/tests/sources.sh
 
-      mkdir $out
-      echo success > $out/${nix.version}
-    '';
-
-in
-  pkgs.symlinkJoin {
-    name = "nixpkgs-lib-tests";
-    paths = map testWithNix nixVersions;
-  }
+    touch $out
+''

lib/tests/sources.sh

@@ -23,19 +23,14 @@ clean_up() {
 trap clean_up EXIT
 cd "$work"
 
-# Crudely unquotes a JSON string by just taking everything between the first and the second quote.
-# We're only using this for resulting /nix/store paths, which can't contain " anyways,
-# nor can they contain any other characters that would need to be escaped specially in JSON
-# This way we don't need to add a dependency on e.g. jq
-crudeUnquoteJSON() {
-    cut -d \" -f2
-}
-
 touch {README.md,module.o,foo.bar}
 
-dir="$(nix-instantiate --eval --strict --read-write-mode --json --expr '(with import <nixpkgs/lib>; "${
+# nix-instantiate doesn't write out the source, only computing the hash, so
+# this uses the experimental nix command instead.
+
+dir="$(nix eval --impure --raw --expr '(with import <nixpkgs/lib>; "${
   cleanSource ./.
-}")' | crudeUnquoteJSON)"
+}")')"
 (cd "$dir"; find) | sort -f | diff -U10 - <(cat <<EOF
 .
 ./foo.bar
@@ -44,9 +39,9 @@ EOF
 ) || die "cleanSource 1"
 
 
-dir="$(nix-instantiate --eval --strict --read-write-mode --json --expr '(with import <nixpkgs/lib>; "${
+dir="$(nix eval --impure --raw --expr '(with import <nixpkgs/lib>; "${
   cleanSourceWith { src = '"$work"'; filter = path: type: ! hasSuffix ".bar" path; }
-}")' | crudeUnquoteJSON)"
+}")')"
 (cd "$dir"; find) | sort -f | diff -U10 - <(cat <<EOF
 .
 ./module.o
@@ -54,9 +49,9 @@ dir="$(nix-instantiate --eval --strict --read-write-mode --json --expr '(with im
 EOF
 ) || die "cleanSourceWith 1"
 
-dir="$(nix-instantiate --eval --strict --read-write-mode --json --expr '(with import <nixpkgs/lib>; "${
+dir="$(nix eval --impure --raw --expr '(with import <nixpkgs/lib>; "${
   cleanSourceWith { src = cleanSource '"$work"'; filter = path: type: ! hasSuffix ".bar" path; }
-}")' | crudeUnquoteJSON)"
+}")')"
 (cd "$dir"; find) | sort -f | diff -U10 - <(cat <<EOF
 .
 ./README.md

lib/tests/systems.nix

@@ -18,7 +18,7 @@ with lib.systems.doubles; lib.runTests {
   testarm = mseteq arm [ "armv5tel-linux" "armv6l-linux" "armv6l-netbsd" "armv6l-none" "armv7a-linux" "armv7a-netbsd" "armv7l-linux" "armv7l-netbsd" "arm-none" "armv7a-darwin" ];
   testarmv7 = mseteq armv7 [ "armv7a-darwin" "armv7a-linux" "armv7l-linux" "armv7a-netbsd" "armv7l-netbsd" ];
   testi686 = mseteq i686 [ "i686-linux" "i686-freebsd13" "i686-genode" "i686-netbsd" "i686-openbsd" "i686-cygwin" "i686-windows" "i686-none" "i686-darwin" ];
-  testmips = mseteq mips [ "mips-linux" "mips64-linux" "mips64el-linux" "mipsel-linux" "mipsel-netbsd" ];
+  testmips = mseteq mips [ "mips64el-linux" "mipsel-linux" "mipsel-netbsd" ];
   testmmix = mseteq mmix [ "mmix-mmixware" ];
   testpower = mseteq power [ "powerpc-netbsd" "powerpc-none" "powerpc64-linux" "powerpc64le-linux" "powerpcle-none" ];
   testriscv = mseteq riscv [ "riscv32-linux" "riscv64-linux" "riscv32-netbsd" "riscv64-netbsd" "riscv32-none" "riscv64-none" ];
@@ -34,7 +34,7 @@ with lib.systems.doubles; lib.runTests {
   testredox = mseteq redox [ "x86_64-redox" ];
   testgnu = mseteq gnu (linux /* ++ kfreebsd ++ ... */);
   testillumos = mseteq illumos [ "x86_64-solaris" ];
-  testlinux = mseteq linux [ "aarch64-linux" "armv5tel-linux" "armv6l-linux" "armv7a-linux" "armv7l-linux" "i686-linux" "loongarch64-linux" "m68k-linux" "microblaze-linux" "microblazeel-linux" "mips-linux" "mips64-linux" "mips64el-linux" "mipsel-linux" "powerpc64-linux" "powerpc64le-linux" "riscv32-linux" "riscv64-linux" "s390-linux" "s390x-linux" "x86_64-linux" ];
+  testlinux = mseteq linux [ "aarch64-linux" "armv5tel-linux" "armv6l-linux" "armv7a-linux" "armv7l-linux" "i686-linux" "mips64el-linux" "mipsel-linux" "riscv32-linux" "riscv64-linux" "x86_64-linux" "powerpc64-linux" "powerpc64le-linux" "m68k-linux" "s390-linux" "s390x-linux" "microblaze-linux" "microblazeel-linux" "loongarch64-linux" ];
   testnetbsd = mseteq netbsd [ "aarch64-netbsd" "armv6l-netbsd" "armv7a-netbsd" "armv7l-netbsd" "i686-netbsd" "m68k-netbsd" "mipsel-netbsd" "powerpc-netbsd" "riscv32-netbsd" "riscv64-netbsd" "x86_64-netbsd" ];
   testopenbsd = mseteq openbsd [ "i686-openbsd" "x86_64-openbsd" ];
   testwindows = mseteq windows [ "i686-cygwin" "x86_64-cygwin" "i686-windows" "x86_64-windows" ];

maintainers/maintainer-list.nix

@@ -64,12 +64,6 @@
     githubId = 64707304;
     name = "Dmitry Kulikov";
   };
-  _0x120581f = {
-    email = "nixpkgs@0x120581f.dev";
-    name = "0x120581f";
-    github = "0x120581f";
-    githubId = 130835755;
-  };
   _0x4A6F = {
     email = "mail-maintainer@0x4A6F.dev";
     matrix = "@0x4a6f:matrix.org";
@@ -183,12 +177,6 @@
     githubId = 12578560;
     name = "Quinn Bohner";
   };
-  _8-bit-fox = {
-    email = "sebastian@markwaerter.de";
-    github = "8-bit-fox";
-    githubId = 43320117;
-    name = "Sebastian Marquardt";
-  };
   _9999years = {
     email = "rbt@fastmail.com";
     github = "9999years";
@@ -315,12 +303,6 @@
     githubId = 2321000;
     name = "Ruslan Babayev";
   };
-  abustany = {
-    email = "adrien@bustany.org";
-    github = "abustany";
-    githubId = 2526296;
-    name = "Adrien Bustany";
-  };
   acairncross = {
     email = "acairncross@gmail.com";
     github = "acairncross";
@@ -949,12 +931,6 @@
     githubId = 123550;
     name = "André Silva";
   };
-  andresnav = {
-    email = "nix@andresnav.com";
-    github = "andres-nav";
-    githubId = 118762770;
-    name = "Andres Navarro";
-  };
   andrestylianos = {
     email = "andre.stylianos@gmail.com";
     github = "andrestylianos";
@@ -1651,12 +1627,6 @@
       fingerprint = "2688 0377 C31D 9E81 9BDF  83A8 C8C6 BDDB 3847 F72B";
     }];
   };
-  azd325 = {
-    email = "tim.kleinschmidt@gmail.com";
-    github = "Azd325";
-    githubId = 426541;
-    name = "Tim Kleinschmidt";
-  };
   azuwis = {
     email = "azuwis@gmail.com";
     github = "azuwis";
@@ -2222,13 +2192,6 @@
     githubId = 68566724;
     name = "bootstrap-prime";
   };
-  boozedog = {
-    email = "code@booze.dog";
-    github = "boozedog";
-    githubId = 1410808;
-    matrix = "@boozedog:matrix.org";
-    name = "David A. Buser";
-  };
   borisbabic = {
     email = "boris.ivan.babic@gmail.com";
     github = "borisbabic";
@@ -2962,7 +2925,7 @@
   };
   citadelcore = {
     email = "alex@arctarus.co.uk";
-    github = "VertexA115";
+    github = "CitadelCore";
     githubId = 5567402;
     name = "Alex Zero";
     keys = [{
@@ -3567,12 +3530,6 @@
       fingerprint = "4779 D1D5 3C97 2EAE 34A5  ED3D D8AF C4BF 0567 0F9D";
     }];
   };
-  dariof4 = {
-    name = "dariof4";
-    email = "dazedtank@gmail.com";
-    github = "dariof4";
-    githubId = 9992814;
-  };
   darkonion0 = {
     name = "Alexandre Peruggia";
     email = "darkgenius1@protonmail.com";
@@ -4959,12 +4916,6 @@
     githubId = 1847524;
     name = "Evan Stoll";
   };
-  evanrichter = {
-    email = "evanjrichter@gmail.com";
-    github = "evanrichter";
-    githubId = 330292;
-    name = "Evan Richter";
-  };
   evax = {
     email = "nixos@evax.fr";
     github = "evax";
@@ -4983,12 +4934,6 @@
     githubId = 2512008;
     name = "Even Brenden";
   };
-  evilmav = {
-    email = "elenskiy.ilya@gmail.com";
-    github = "evilmav";
-    githubId = 6803717;
-    name = "Ilya Elenskiy";
-  };
   evils = {
     email = "evils.devils@protonmail.com";
     matrix = "@evils:nixos.dev";
@@ -5302,12 +5247,6 @@
     githubId = 2489598;
     name = "Felix Breidenstein";
   };
-  flemzord = {
-    email = "maxence@maireaux.fr";
-    github = "flemzord";
-    githubId = 1952914;
-    name = "Maxence Maireaux";
-  };
   flexagoon = {
     email = "flexagoon@pm.me";
     github = "flexagoon";
@@ -5459,12 +5398,6 @@
     githubId = 7551358;
     name = "Frede Emil";
   };
-  Freed-Wu = {
-    email = "wuzhenyu@ustc.edu";
-    github = "Freed-Wu";
-    githubId = 32936898;
-    name = "Wu Zhenyu";
-  };
   freezeboy = {
     github = "freezeboy";
     githubId = 13279982;
@@ -5568,7 +5501,7 @@
   };
   fuzen = {
     email = "me@fuzen.cafe";
-    github = "LovingMelody";
+    github = "Fuzen-py";
     githubId = 17859309;
     name = "Fuzen";
   };
@@ -5597,18 +5530,18 @@
     githubId = 606000;
     name = "Gabriel Adomnicai";
   };
+  Gabriel439 = {
+    email = "Gabriel439@gmail.com";
+    github = "Gabriella439";
+    githubId = 1313787;
+    name = "Gabriel Gonzalez";
+  };
   GabrielDougherty = {
     email = "contact@gabrieldougherty.com";
     github = "GabrielDougherty";
     githubId = 10541219;
     name = "Gabriel Dougherty";
   };
-  Gabriella439 = {
-    email = "GenuineGabriella@gmail.com";
-    github = "Gabriella439";
-    githubId = 1313787;
-    name = "Gabriella Gonzalez";
-  };
   gador = {
     email = "florian.brandes@posteo.de";
     github = "gador";
@@ -5768,12 +5701,6 @@
     githubId = 10353047;
     name = "Tobias Happ";
   };
-  getchoo = {
-    email = "getchoo@tuta.io";
-    github = "getchoo";
-    githubId = 48872998;
-    name = "Seth";
-  };
   gfrascadorio = {
     email = "gfrascadorio@tutanota.com";
     github = "gfrascadorio";
@@ -5928,6 +5855,15 @@
     githubId = 1621335;
     name = "Andrew Trachenko";
   };
+  gordias = {
+    name = "Gordias";
+    email = "gordias@disroot.org";
+    github = "gordiasdot";
+    githubId = 94724133;
+    keys = [{
+      fingerprint = "C006 B8A0 0618 F3B6 E0E4  2ECD 5D47 2848 30FA A4FA";
+    }];
+  };
   gotcha = {
     email = "gotcha@bubblenet.be";
     github = "gotcha";
@@ -6428,12 +6364,6 @@
       fingerprint = "45A9 9917 578C D629 9F5F  B5B4 C22D 4DE4 D7B3 2D19";
     }];
   };
-  hitsmaxft = {
-    name = "Bhe Hongtyu";
-    email = "mfthits@gmail.com";
-    github = "hitsmaxft";
-    githubId = 352727;
-  };
   hjones2199 = {
     email = "hjones2199@gmail.com";
     github = "hjones2199";
@@ -6467,15 +6397,6 @@
     githubId = 6074754;
     name = "Hlodver Sigurdsson";
   };
-  hmajid2301 = {
-    name = "Haseeb Majid";
-    email = "hello@haseebmajid.dev";
-    github = "hmajid2301";
-    githubId = 998807;
-    keys = [{
-      fingerprint = "A236 785D 59F1 9076 1E9C E8EC 7828 3DB3 D233 E1F9";
-    }];
-  };
   hmenke = {
     name = "Henri Menke";
     email = "henri@henrimenke.de";
@@ -6802,7 +6723,7 @@
   };
   ilya-kolpakov = {
     email = "ilya.kolpakov@gmail.com";
-    github = "1pakch";
+    github = "ilya-kolpakov";
     githubId = 592849;
     name = "Ilya Kolpakov";
   };
@@ -6959,12 +6880,6 @@
     githubId = 137306;
     name = "Michele Catalano";
   };
-  isaozler = {
-    email = "isaozler@gmail.com";
-    github = "isaozler";
-    githubId = 1378630;
-    name = "Isa Ozler";
-  };
   isgy = {
     name = "isgy";
     email = "isgy@teiyg.com";
@@ -7204,7 +7119,7 @@
   jayesh-bhoot = {
     name = "Jayesh Bhoot";
     email = "jb@jayeshbhoot.com";
-    github = "bhootjb";
+    github = "jayeshbhoot";
     githubId = 1915507;
   };
   jayman2000 = {
@@ -7612,12 +7527,6 @@
     githubId = 8900;
     name = "Johan Magnus Jonsson";
   };
-  jmbaur = {
-    email = "jaredbaur@fastmail.com";
-    github = "jmbaur";
-    githubId = 45740526;
-    name = "Jared Baur";
-  };
   jmc-figueira = {
     email = "business+nixos@jmc-figueira.dev";
     github = "jmc-figueira";
@@ -7689,10 +7598,10 @@
     name = "Jocelyn Thode";
   };
   joedevivo = {
-    github = "joedevivo";
-    githubId = 55951;
-    name = "Joe DeVivo";
-  };
+     github = "joedevivo";
+     githubId = 55951;
+     name = "Joe DeVivo";
+   };
   joelancaster = {
     email = "joe.a.lancas@gmail.com";
     github = "JoeLancaster";
@@ -8022,7 +7931,7 @@
   };
   juaningan = {
     email = "juaningan@gmail.com";
-    github = "oneingan";
+    github = "uningan";
     githubId = 810075;
     name = "Juan Rodal";
   };
@@ -8985,7 +8894,7 @@
     github = "leifhelm";
     githubId = 31693262;
     name = "Jakob Leifhelm";
-    keys = [{
+    keys =[{
       fingerprint = "4A82 F68D AC07 9FFD 8BF0  89C4 6817 AA02 3810 0822";
     }];
   };
@@ -9227,12 +9136,6 @@
       fingerprint = "74F5 E5CC 19D3 B5CB 608F  6124 68FF 81E6 A785 0F49";
     }];
   };
-  liyangau = {
-    email = "d@aufomm.com";
-    github = "liyangau";
-    githubId = 71299093;
-    name = "Li Yang";
-  };
   lizelive = {
     email = "nixpkgs@lize.live";
     github = "lizelive";
@@ -9427,12 +9330,6 @@
     githubId = 59375051;
     name = "Lucas Ransan";
   };
-  LucaGuerra = {
-    email = "luca@guerra.sh";
-    github = "LucaGuerra";
-    githubId = 35580196;
-    name = "Luca Guerra";
-  };
   lucasew = {
     email = "lucas59356@gmail.com";
     github = "lucasew";
@@ -9512,12 +9409,6 @@
       fingerprint = "97A0 AE5E 03F3 499B 7D7A  65C6 76A4 1432 37EF 5817";
     }];
   };
-  lukaswrz = {
-    email = "lukas@wrz.one";
-    github = "lukaswrz";
-    githubId = 84395723;
-    name = "Lukas Wurzinger";
-  };
   lukeadams = {
     email = "luke.adams@belljar.io";
     github = "lukeadams";
@@ -10060,7 +9951,7 @@
     githubId = 95194;
     name = "Mauricio Scheffer";
   };
-  maxbrunet = {
+   maxbrunet = {
     email = "max@brnt.mx";
     github = "maxbrunet";
     githubId = 32458727;
@@ -10432,7 +10323,7 @@
     name = "Michael Pacheco";
     github = "MichaelPachec0";
     githubId = 48970112;
-    keys = [{
+    keys = [ {
       fingerprint = "8D12 991F 5558 C501 70B2  779C 7811 46B0 B5F9 5F64";
     }];
   };
@@ -10744,12 +10635,6 @@
     githubId = 708570;
     name = "Manuel Mendez";
   };
-  mmusnjak = {
-    email = "marko.musnjak@gmail.com";
-    github = "mmusnjak";
-    githubId = 668956;
-    name = "Marko Mušnjak";
-  };
   mnacamura = {
     email = "m.nacamura@gmail.com";
     github = "mnacamura";
@@ -10818,12 +10703,6 @@
       fingerprint = "6460 4147 C434 F65E C306  A21F 135E EDD0 F719 34F3";
     }];
   };
-  moody = {
-    email = "moody@posixcafe.org";
-    github = "majiru";
-    githubId = 3579600;
-    name = "Jacob Moody";
-  };
   moosingin3space = {
     email = "moosingin3space@gmail.com";
     github = "moosingin3space";
@@ -11519,12 +11398,6 @@
       fingerprint = "E576 BFB2 CF6E B13D F571  33B9 E315 A758 4613 1564";
     }];
   };
-  nielsegberts = {
-    email = "nix@nielsegberts.nl";
-    github = "nielsegberts";
-    githubId = 368712;
-    name = "Niels Egberts";
-  };
   nigelgbanks = {
     name = "Nigel Banks";
     email = "nigel.g.banks@gmail.com";
@@ -11567,16 +11440,6 @@
     githubId = 26231126;
     name = "Nils ANDRÉ-CHANG";
   };
-  nim65s = {
-    email = "guilhem.saurel@laas.fr";
-    matrix = "@gsaurel:laas.fr";
-    github = "nim65s";
-    githubId = 131929;
-    name = "Guilhem Saurel";
-    keys = [{
-      fingerprint = "9B1A 7906 5D2F 2B80 6C8A  5A1C 7D2A CDAF 4653 CF28";
-    }];
-  };
   ninjatrappeur = {
     email = "felix@alternativebit.fr";
     matrix = "@ninjatrappeur:matrix.org";
@@ -11877,12 +11740,6 @@
     githubId = 30825096;
     name = "Ning Zhang";
   };
-  oaksoaj = {
-    email = "oaksoaj@riseup.net";
-    name = "Oaksoaj";
-    github = "oaksoaj";
-    githubId = 103952141;
-  };
   obadz = {
     email = "obadz-nixos@obadz.com";
     github = "obadz";
@@ -12041,15 +11898,6 @@
     github = "ony";
     githubId = 11265;
   };
-  ooliver1 = {
-    name = "Oliver Wilkes";
-    email = "oliverwilkes2006@icloud.com";
-    github = "ooliver1";
-    githubId = 34910574;
-    keys = [{
-      fingerprint = "D055 8A23 3947 B7A0 F966  B07F 0B41 0348 9833 7273";
-    }];
-  };
   opeik = {
     email = "sandro@stikic.com";
     github = "opeik";
@@ -15317,12 +15165,6 @@
     githubId = 38893265;
     name = "StrikerLulu";
   };
-  stteague = {
-    email = "stteague505@yahoo.com";
-    github = "stteague";
-    githubId = 77596767;
-    name = "Scott Teague";
-  };
   stumoss = {
     email = "samoss@gmail.com";
     github = "stumoss";
@@ -16090,12 +15932,6 @@
     github = "TilCreator";
     githubId = 18621411;
   };
-  tillkruss = {
-    name = "Till Krüss";
-    email = "till@kruss.io";
-    github = "tillkruss";
-    githubId = 665029;
-  };
   tilpner = {
     name = "Till Höppner";
     email = "nixpkgs@tilpner.com";
@@ -16194,12 +16030,6 @@
     githubId = 3159881;
     name = "Tobias Markus";
   };
-  tm-drtina = {
-    email = "tm.drtina@gmail.com";
-    github = "tm-drtina";
-    githubId = 26902865;
-    name = "Tomas Drtina";
-  };
   tmountain = {
     email = "tinymountain@gmail.com";
     github = "tmountain";
@@ -16556,15 +16386,6 @@
       fingerprint = "EE59 5E29 BB5B F2B3 5ED2  3F1C D276 FF74 6700 7335";
     }];
   };
-  undefined-moe = {
-    name = "undefined";
-    email = "i@undefined.moe";
-    github = "undefined-moe";
-    githubId = 29992205;
-    keys = [{
-      fingerprint = "6684 4E7D D213 C75D 8828  6215 C714 A58B 6C1E 0F52";
-    }];
-  };
   unhammer = {
     email = "unhammer@fsfe.org";
     github = "unhammer";
@@ -16805,12 +16626,6 @@
     github = "vdot0x23";
     githubId = 40716069;
   };
-  vector1dev = {
-    name = "vector1dev";
-    matrix = "@vector1dev:vector1.dev";
-    github = "vector1dev";
-    githubId = 127302590;
-  };
   veehaitch = {
     name = "Vincent Haupert";
     email = "mail@vincent-haupert.de";
@@ -17094,6 +16909,16 @@
     github = "wdavidw";
     githubId = 46896;
   };
+  WeebSorceress = {
+    name = "WeebSorceress";
+    email = "hello@weebsorceress.anonaddy.me";
+    matrix = "@weebsorceress:matrix.org";
+    github = "WeebSorceress";
+    githubId = 106774777;
+    keys = [{
+      fingerprint = "659A 9BC3 F904 EC24 1461  2EFE 7F57 3443 17F0 FA43";
+    }];
+  };
   wegank = {
     name = "Weijia Wang";
     email = "contact@weijia.wang";
@@ -17872,12 +17697,6 @@
     githubId = 2189609;
     name = "Zhaofeng Li";
   };
-  zi3m5f = {
-    name = "zi3m5f";
-    email = "k7n3o3a6f@mozmail.com";
-    github = "zi3m5f";
-    githubId = 113244000;
-  };
   ziguana = {
     name = "Zig Uana";
     email = "git@ziguana.dev";

maintainers/scripts/fix-maintainers.pl

@@ -42,7 +42,7 @@ while(my($k, $v) = each %$maintainers_json) {
     }
     my $resp_json = from_json($resp->content);
     my $api_user = %$resp_json{"login"};
-    if (lc($current_user) ne lc($api_user)) {
+    if ($current_user ne $api_user) {
         print $current_user . " is now known on github as " . $api_user . ". Editing maintainer-list.nix…\n";
         my $file = path($maintainers_list_nix);
         my $data = $file->slurp_utf8;

maintainers/team-list.nix

@@ -213,7 +213,7 @@ with lib.maintainers; {
 
   dhall = {
     members = [
-      Gabriella439
+      Gabriel439
       ehmry
     ];
     scope = "Maintain Dhall and related packages.";
@@ -292,8 +292,6 @@ with lib.maintainers; {
     members = [
       imincik
       sikmir
-      nh2
-      willcohen
     ];
     scope = "Maintain geospatial packages.";
     shortName = "Geospatial";
@@ -538,6 +536,7 @@ with lib.maintainers; {
       ma27
       fadenb
       mguentner
+      ekleog
       ralith
       dandellion
       sumnerevans
@@ -557,15 +556,6 @@ with lib.maintainers; {
     shortName = "Minimal Bootstrap";
   };
 
-  mercury = {
-    members = [
-      _9999years
-      Gabriella439
-    ];
-    scope = "Group registry for packages maintained by Mercury";
-    shortName = "Mercury Employees";
-  };
-
   mobile = {
     members = [
       samueldr

nixos/doc/manual/configuration/customizing-packages.section.md

@@ -12,29 +12,6 @@ Unfortunately, Nixpkgs currently lacks a way to query available
 configuration options.
 :::
 
-::: {.note}
-Alternatively, many packages come with extensions one might add.
-Examples include:
-- [`passExtensions.pass-otp`](https://search.nixos.org/packages/query=passExtensions.pass-otp)
-- [`python310Packages.requests`](https://search.nixos.org/packages/query=python310Packages.requests)
-
-You can use them like this:
-```nix
-environment.systemPackages = with pkgs; [
-  sl
-  (pass.withExtensions (subpkgs: with subpkgs; [
-    pass-audit
-    pass-otp
-    pass-genphrase
-  ]))
-  (python3.withPackages (subpkgs: with subpkgs; [
-      requests
-  ]))
-  cowsay
-];
-```
-:::
-
 Apart from high-level options, it's possible to tweak a package in
 almost arbitrary ways, such as changing or disabling dependencies of a
 package. For instance, the Emacs package in Nixpkgs by default has a

nixos/doc/manual/default.nix

@@ -267,41 +267,19 @@ in rec {
 
   manualEpub = runCommand "nixos-manual-epub"
     { nativeBuildInputs = [ buildPackages.libxml2.bin buildPackages.libxslt.bin buildPackages.zip ];
-      doc = ''
-        <book xmlns="http://docbook.org/ns/docbook"
-              xmlns:xlink="http://www.w3.org/1999/xlink"
-              version="5.0"
-              xml:id="book-nixos-manual">
-          <info>
-            <title>NixOS Manual</title>
-            <subtitle>Version ${lib.version}</subtitle>
-          </info>
-          <chapter>
-            <title>Temporarily unavailable</title>
-            <para>
-              The NixOS manual is currently not available in EPUB format,
-              please use the <link xlink:href="https://nixos.org/nixos/manual">HTML manual</link>
-              instead.
-            </para>
-            <para>
-              If you've used the EPUB manual in the past and it has been useful to you, please
-              <link xlink:href="https://github.com/NixOS/nixpkgs/issues/237234">let us know</link>.
-            </para>
-          </chapter>
-        </book>
-      '';
-      passAsFile = [ "doc" ];
     }
     ''
       # Generate the epub manual.
       dst=$out/share/doc/nixos
 
       xsltproc \
-        --param chapter.autolabel 0 \
+        ${manualXsltprocOptions} \
         --nonet --xinclude --output $dst/epub/ \
         ${docbook_xsl_ns}/xml/xsl/docbook/epub/docbook.xsl \
-        $docPath
+        ${manual-combined}/manual-combined.xml
 
+      mkdir -p $dst/epub/OEBPS/images/callouts
+      cp -r ${docbook_xsl_ns}/xml/xsl/docbook/images/callouts/*.svg $dst/epub/OEBPS/images/callouts # */
       echo "application/epub+zip" > mimetype
       manual="$dst/nixos-manual.epub"
       zip -0Xq "$manual" mimetype

nixos/doc/manual/installation/upgrading.chapter.md

@@ -6,7 +6,7 @@ expressions and associated binaries. The NixOS channels are updated
 automatically from NixOS's Git repository after certain tests have
 passed and all packages have been built. These channels are:
 
--   *Stable channels*, such as [`nixos-23.05`](https://channels.nixos.org/nixos-23.05).
+-   *Stable channels*, such as [`nixos-22.11`](https://nixos.org/channels/nixos-22.11).
     These only get conservative bug fixes and package upgrades. For
     instance, a channel update may cause the Linux kernel on your system
     to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not
@@ -14,13 +14,13 @@ passed and all packages have been built. These channels are:
     Stable channels are generally maintained until the next stable
     branch is created.
 
--   The *unstable channel*, [`nixos-unstable`](https://channels.nixos.org/nixos-unstable).
+-   The *unstable channel*, [`nixos-unstable`](https://nixos.org/channels/nixos-unstable).
     This corresponds to NixOS's main development branch, and may thus see
     radical changes between channel updates. It's not recommended for
     production systems.
 
--   *Small channels*, such as [`nixos-23.05-small`](https://channels.nixos.org/nixos-23.05-small)
-    or [`nixos-unstable-small`](https://channels.nixos.org/nixos-unstable-small).
+-   *Small channels*, such as [`nixos-22.11-small`](https://nixos.org/channels/nixos-22.11-small)
+    or [`nixos-unstable-small`](https://nixos.org/channels/nixos-unstable-small).
     These are identical to the stable and unstable channels described above,
     except that they contain fewer binary packages. This means they get updated
     faster than the regular channels (for instance, when a critical security patch
@@ -28,7 +28,7 @@ passed and all packages have been built. These channels are:
     built from source than usual. They're mostly intended for server environments
     and as such contain few GUI applications.
 
-To see what channels are available, go to <https://channels.nixos.org>.
+To see what channels are available, go to <https://nixos.org/channels>.
 (Note that the URIs of the various channels redirect to a directory that
 contains the channel's latest version and includes ISO images and
 VirtualBox appliances.) Please note that during the release process,
@@ -38,38 +38,38 @@ newest supported stable release.
 
 When you first install NixOS, you're automatically subscribed to the
 NixOS channel that corresponds to your installation source. For
-instance, if you installed from a 23.05 ISO, you will be subscribed to
-the `nixos-23.05` channel. To see which NixOS channel you're subscribed
+instance, if you installed from a 22.11 ISO, you will be subscribed to
+the `nixos-22.11` channel. To see which NixOS channel you're subscribed
 to, run the following as root:
 
 ```ShellSession
 # nix-channel --list | grep nixos
-nixos https://channels.nixos.org/nixos-unstable
+nixos https://nixos.org/channels/nixos-unstable
 ```
 
 To switch to a different NixOS channel, do
 
 ```ShellSession
-# nix-channel --add https://channels.nixos.org/channel-name nixos
+# nix-channel --add https://nixos.org/channels/channel-name nixos
 ```
 
 (Be sure to include the `nixos` parameter at the end.) For instance, to
-use the NixOS 23.05 stable channel:
+use the NixOS 22.11 stable channel:
 
 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-23.05 nixos
+# nix-channel --add https://nixos.org/channels/nixos-22.11 nixos
 ```
 
 If you have a server, you may want to use the "small" channel instead:
 
 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-23.05-small nixos
+# nix-channel --add https://nixos.org/channels/nixos-22.11-small nixos
 ```
 
 And if you want to live on the bleeding edge:
 
 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-unstable nixos
+# nix-channel --add https://nixos.org/channels/nixos-unstable nixos
 ```
 
 You can then upgrade NixOS to the latest version in your chosen channel
@@ -114,5 +114,5 @@ the new generation contains a different kernel, initrd or kernel
 modules. You can also specify a channel explicitly, e.g.
 
 ```nix
-system.autoUpgrade.channel = "https://channels.nixos.org/nixos-23.05";
+system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.11;
 ```

nixos/doc/manual/release-notes/rl-2305.section.md

@@ -1,84 +1,65 @@
-# Release 23.05 (“Stoat”, 2023.05/31) {#sec-release-23.05}
+# Release 23.05 (“Stoat”, 2023.05/??) {#sec-release-23.05}
 
-The NixOS release team is happy to announce a new version of NixOS. The release is called NixOS 23.05 ("Stoat").
-
-NixOS is a Linux distribution, whose set of packages can also be used on other Linux systems and macOS.
-
-Support is planned until the end of December 2023, handing over to NixOS 23.11.
-
-To upgrade to the latest release, follow the [upgrade chapter](https://nixos.org/manual/nixos/stable/index.html#sec-upgrading).
+Support is planned until the end of December 2023, handing over to 23.11.
 
 ## Highlights {#sec-release-23.05-highlights}
 
-In addition to numerous new and updated packages, this release has the following highlights:
+In addition to numerous new and upgraded packages, this release has the following highlights:
 
-- The default [Nix](https://github.com/NixOS/nix) version was updated from 2.11 to 2.13. In particular, this includes a [small language alteration](https://github.com/NixOS/nix/issues/8259) in the way floats are represented in `builtins.toJSON`. See the release notes for [2.12](https://nixos.org/manual/nix/stable/release-notes/rl-2.12.html) and [2.13](https://nixos.org/manual/nix/unstable/release-notes/rl-2.13.html) for more information.
+<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- The default [Linux Kernel](https://kernel.org/) was updated from version 5.15 to 6.1, see [Kernelnewbies](https://kernelnewbies.org/Linux_6.1) for what has changed. All Kernels currently shown on [kernel.org](https://kernel.org/) are available.
+- Core version changes:
 
-- [systemd](https://systemd.io) has been updated from v252 to v253, see [the release notes](https://github.com/systemd/systemd/blob/v253/NEWS#L3-L659) for more information on the changes.
-    - Updating with `nixos-rebuild boot` and rebooting is recommended, since in some rare cases the `nixos-rebuild switch` into the new generation on a live system might fail due to missing mount units.
+  - default linux: 5.15 -\> 6.1, all supported kernels available
 
-- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.35 to 2.37, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.37) for what was changed.
+  - systemd has been updated to v253.1, see [the pull request](https://github.com/NixOS/nixpkgs/pull/216826) for more info.
+    It's recommended to use `nixos-rebuild boot` and `reboot`, rather than `nixos-rebuild switch` - since in some rare cases
+    the switch of a live system might fail.
 
-- [libxcrypt](https://github.com/besser82/libxcrypt), the library providing the `crypt(3)` password hashing function, is now built without support for algorithms not flagged [`strong`](https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf#L48). This affects the availability of password hashing algorithms used for system login (`login(1)`, `passwd(1)`), but also Apache2 Basic-Auth, Samba, OpenLDAP, Dovecot, and [many other packages](https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/NixOS/nixpkgs%24+libxcrypt&patternType=standard&sm=1&groupBy=path).
+  - glibc: 2.35 -\> 2.37
 
-- NixOS now defaults to using [nsncd](https://github.com/twosigma/nsncd), a non-caching reimplementation of nscd in Rust, as its NSS lookup dispatcher. This replaces the buggy and deprecated nscd implementation provided through glibc. When you find problems, you can switch back by disabling it:
-  ```nix
-  services.nscd.enableNsncd = false;
-  ```
+- Cinnamon has been updated to 5.6, see [the pull request](https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204) for what is changed.
 
-- The internal option `boot.bootspec.enable` is now enabled by default because [RFC 0125](https://github.com/NixOS/rfcs/pull/125) was merged. This means you will have a bootspec document called `boot.json` generated for each system and specialisation in the top-level. This is useful to enable advanced boot use cases in NixOS, such as Secure Boot.
+- GNOME has been upgraded to version 44. Please see the [release notes](https://release.gnome.org/44/) for details.
 
-- Two changes to `nixos-rebuild` are important to highlight as well.
-    - Support for an extra `--specialisation` option was added that can be used to change specialisation for `switch` and `test` commands.
-    - The `--target-host` and `--build-host` options no longer treat the `localhost` value specially – to build on resp. deploy to a local machine, omit the relevant flag.
+- KDE Plasma has been updated to v5.27, see [the release notes](https://kde.org/announcements/plasma/5/5.27.0/) for what is changed.
 
-- [Python](https://www.python.org) implements [PEP 668](https://peps.python.org/pep-0668/), providing better feedback to users that try to run `pip install` for system-wide or user home installations.
+- Python implements [PEP 668](https://peps.python.org/pep-0668/), providing better feedback to users that try to run `pip install` system-wide.
 
-- [Cinnamon](https://github.com/linuxmint/Cinnamon) has been updated to version 5.6, see [the pull request](https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204) for what was changed.
+- `nixos-rebuild` now supports an extra `--specialisation` option that can be used to change specialisation for `switch` and `test` commands.
 
-- [GNOME](https://www.gnome.org) has been updated to version 44, see the [the release notes](https://release.gnome.org/44/) for details.
+- `libxcrypt`, the library providing the `crypt(3)` password hashing function, is now built without support for algorithms not flagged [`strong`](https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf#L48). This affects the availability of password hashing algorithms used for system login (`login(1)`, `passwd(1)`), but also Apache2 Basic-Auth, Samba, OpenLDAP, Dovecot, and [many other packages](https://github.com/search?q=repo%3ANixOS%2Fnixpkgs%20libxcrypt&type=code).
 
-- [KDE Plasma](https://kde.org/de/plasma-desktop/) has been updated to version 5.27, see [the release notes](https://kde.org/announcements/plasma/5/5.27.0/) for what was changed.
-
-- `openra` was updated to `20230225`. Due to large scope of the update, currently only `openraPackages.engines.release` and `openraPackages.engines.latest` packages are available.
-  If you want to use the old engine versions or mods, they were moved to the `openraPackages_2019` namespace.
+- `boot.bootspec.enable` (internal option) is now enabled by default because [RFC-0125](https://github.com/NixOS/rfcs/pull/125) was merged. This means you will have a bootspec document called `boot.json` generated for each system and specialisation in the top-level. This is useful to enable advanced boot usecases in NixOS such as SecureBoot.
 
 ## New Services {#sec-release-23.05-new-services}
 
+<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+
 - [Akkoma](https://akkoma.social), an ActivityPub microblogging server. Available as [services.akkoma](options.html#opt-services.akkoma.enable).
 
-- [alertmanager-irc-relay](https://github.com/google/alertmanager-irc-relay), a Prometheus Alertmanager IRC Relay. Available as [services.prometheus.alertmanagerIrcRelay](options.html#opt-services.prometheus.alertmanagerIrcRelay.enable).
-
-- [alice-lg](github.com/alice-lg/alice-lg), a looking-glass for BGP sessions. Available as [services.alice-lg](#opt-services.alice-lg.enable).
-
-- [atuin](https://github.com/ellie/atuin), a sync server for shell history. Available as [services.atuin](#opt-services.atuin.enable).
-
-- [authelia](https://www.authelia.com/), an open-source authentication and authorization server. Available as [services.authelia](options.html#opt-services.authelia.enable).
-
-- [birdwatcher](github.com/alice-lg/birdwatcher), a small HTTP server meant to provide an API defined by Barry O'Donovan's birds-eye to the BIRD internet routing daemon. Available as [services.birdwatcher](#opt-services.birdwatcher.enable).
+- [Pixelfed](https://pixelfed.org/), an Instagram-like ActivityPub server. Available as [services.pixelfed](options.html#opt-services.pixelfed.enable).
 
 - [blesh](https://github.com/akinomyoga/ble.sh), a line editor written in pure bash. Available as [programs.bash.blesh](#opt-programs.bash.blesh.enable).
 
-- [Budgie Desktop](https://github.com/BuddiesOfBudgie/budgie-desktop), a familiar, modern desktop environment. Available as [services.xserver.desktopManager.budgie](options.html#opt-services.xserver.desktopManager.budgie).
+- [webhook](https://github.com/adnanh/webhook), a lightweight webhook server. Available as [services.webhook](#opt-services.webhook.enable).
 
-- [clash-verge](https://github.com/zzzgydi/clash-verge), a Clash GUI based on tauri. Available as [programs.clash-verge](#opt-programs.clash-verge.enable).
+- [cups-pdf-to-pdf](https://github.com/alexivkin/CUPS-PDF-to-PDF), a pdf-generating cups backend based on [cups-pdf](https://www.cups-pdf.de/). Available as [services.printing.cups-pdf](#opt-services.printing.cups-pdf.enable).
+
+- [clash-verge](https://github.com/zzzgydi/clash-verge), A Clash GUI based on tauri. Available as [programs.clash-verge](#opt-programs.clash-verge.enable).
 
 - [Cloudlog](https://www.magicbug.co.uk/cloudlog/), a web-based Amateur Radio logging application. Available as [services.cloudlog](#opt-services.cloudlog.enable).
 
-- [consul-template](https://github.com/hashicorp/consul-template/), a template renderer, notifier, and supervisor for HashiCorp Consul and Vault data. Available as [services.consul-template](#opt-services.consul-template.instances).
-
-- [cups-pdf-to-pdf](https://github.com/alexivkin/CUPS-PDF-to-PDF), a PDF-generating CUPS backend based on [cups-pdf](https://www.cups-pdf.de/). Available as [services.printing.cups-pdf](#opt-services.printing.cups-pdf.enable).
-
 - [Deepin Desktop Environment](https://github.com/linuxdeepin/dde), an elegant, easy to use and reliable desktop environment. Available as [services.xserver.desktopManager.deepin](options.html#opt-services.xserver.desktopManager.deepin).
 
-- [esphome](https://esphome.io), a dashboard to configure ESP8266/ESP32 devices for use with Home Automation systems. Available as [services.esphome](#opt-services.esphome.enable).
+- [system-repart](https://www.freedesktop.org/software/systemd/man/systemd-repart.service.html), grow and add partitions to a partition table. Available as [systemd.repart](options.html#opt-systemd.repart) and [boot.initrd.systemd.repart](options.html#opt-boot.initrd.systemd.repart)
 
 - [frigate](https://frigate.video), an open source NVR built around real-time AI object detection. Available as [services.frigate](#opt-services.frigate.enable).
 
 - [fzf](https://github.com/junegunn/fzf), a command line fuzzyfinder. Available as [programs.fzf](#opt-programs.fzf.fuzzyCompletion).
 
+- [readarr](https://github.com/Readarr/Readarr), Book Manager and Automation (Sonarr for Ebooks). Available as [services.readarr](options.html#opt-services.readarr.enable).
+
 - [gemstash](https://github.com/rubygems/gemstash), a RubyGems.org cache and private gem server. Available as [services.gemstash](#opt-services.gemstash.enable).
 
 - [gitea-actions-runner](https://gitea.com/gitea/act_runner), a CI runner for Gitea/Forgejo Actions. Available as [services.gitea-actions-runner](#opt-services.gitea-actions-runner.instances).
@@ -87,121 +68,131 @@ In addition to numerous new and updated packages, this release has the following
 
 - [go2rtc](https://github.com/AlexxIT/go2rtc), a camera streaming appliation with support for RTSP, WebRTC, HomeKit, FFMPEG, RTMP and other protocols. Available as [services.go2rtc](options.html#opt-services.go2rtc.enable).
 
-- [goeland](https://github.com/slurdge/goeland), an alternative to rss2email written in Golang with many filters. Available as [services.goeland](#opt-services.goeland.enable).
-
-- [gonic](https://github.com/sentriz/gonic), a Subsonic music streaming server. Available as [services.gonic](#opt-services.gonic.enable).
-
-- [hardware.ipu6](#opt-hardware.ipu6.enable), drivers for IPU6 based webcams on Intel Tiger Lake and Alder Lake.
-
-- [harmonia](https://github.com/nix-community/harmonia/), a Nix binary cache implemented in Rust using [libnixstore](https://docs.rs/libnixstore/latest/libnixstore/). Available as [services.harmonia](options.html#opt-services.harmonia.enable).
+- [harmonia](https://github.com/nix-community/harmonia/), Nix binary cache implemented in rust using libnix-store. Available as [services.harmonia](options.html#opt-services.harmonia.enable).
 
 - [hyprland](https://github.com/hyprwm/hyprland), a dynamic tiling Wayland compositor that doesn't sacrifice on its looks. Available as [programs.hyprland](#opt-programs.hyprland.enable).
 
-- [imaginary](https://github.com/h2non/imaginary), a microservice for high-level image processing that Nextcloud can use to generate previews. Available as [services.imaginary](#opt-services.imaginary.enable).
-
-- [ivpn](https://www.ivpn.net/), a secure, private VPN with fast WireGuard connections. Available as [services.ivpn](#opt-services.ivpn.enable).
-
-- [vmalert](https://victoriametrics.com/), an alerting engine for VictoriaMetrics. Available as [services.vmalert](#opt-services.vmalert.enable).
-
-- [jellyseerr](https://github.com/Fallenbagel/jellyseerr), a web-based requests manager for Jellyfin, forked from Overseerr. Available as [services.jellyseerr](#opt-services.jellyseerr.enable).
-
-- [kavita](https://kavitareader.com), a self-hosted digital library. Available as [services.kavita](options.html#opt-services.kavita.enable).
-
-- [keyd](https://github.com/rvaiya/keyd), a key remapping daemon for Linux. Available as [services.keyd](#opt-services.keyd.enable).
-
-- [lldap](https://github.com/lldap/lldap), a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication. Available as [services.lldap](#opt-services.lldap.enable).
-
 - [minipro](https://gitlab.com/DavidGriffith/minipro/), an open source program for controlling the MiniPRO TL866xx series of chip programmers. Available as [programs.minipro](options.html#opt-programs.minipro.enable).
 
-- [mmsd](https://gitlab.com/kop316/mmsd), a lower level daemon that transmits and receives MMSes. Available as [services.mmsd](#opt-services.mmsd.enable).
+- [stevenblack-blocklist](https://github.com/StevenBlack/hosts), A unified hosts file with base extensions for blocking unwanted websites. Available as [networking.stevenblack](options.html#opt-networking.stevenblack.enable).
 
-- [monica](https://www.monicahq.com), an open source personal CRM. Available as [services.monica](options.html#opt-services.monica.enable).
+- [Budgie Desktop](https://github.com/BuddiesOfBudgie/budgie-desktop), a familiar, modern desktop environment. Available as [services.xserver.desktopManager.budgie](options.html#opt-services.xserver.desktopManager.budgie).
 
-- [networkd-dispatcher](https://gitlab.com/craftyguy/networkd-dispatcher), a dispatcher service for systemd-networkd connection status changes. Available as [services.networkd-dispatcher](#opt-services.networkd-dispatcher.enable).
-
-- [nimdow](https://github.com/avahe-kellenberger/nimdow), a window manager written in Nim, inspired by dwm. Available as [services.xserver.windowManager.nimdow.enable](options.html#opt-services.xserver.windowManager.nimdow.enable).
+- [imaginary](https://github.com/h2non/imaginary), a microservice for high-level image processing that Nextcloud can use to generate previews. Available as [services.imaginary](#opt-services.imaginary.enable).
 
 - [opensearch](https://opensearch.org), a search server alternative to Elasticsearch. Available as [services.opensearch](options.html#opt-services.opensearch.enable).
 
-- [openvscode-server](https://github.com/gitpod-io/openvscode-server), run VS Code on a remote machine with access through a modern web browser from any device, anywhere. Available as [services.openvscode-server](#opt-services.openvscode-server.enable).
+- [kavita](https://kavitareader.com), a self-hosted digital library. Available as [services.kavita](options.html#opt-services.kavita.enable).
 
-- [peroxide](https://github.com/ljanyst/peroxide), a fork of the official [ProtonMail bridge](https://github.com/ProtonMail/proton-bridge) that aims to be similar to [Hydroxide](https://github.com/emersion/hydroxide). Available as [services.peroxide](#opt-services.peroxide.enable).
+- [monica](https://www.monicahq.com), an open source personal CRM. Available as [services.monica](options.html#opt-services.monica.enable).
 
-- [photoprism](https://photoprism.app/), a AI-powered photos app for the decentralized web. Available as [services.photoprism](options.html#opt-services.photoprism.enable).
+- [authelia](https://www.authelia.com/), is an open-source authentication and authorization server. Available under [services.authelia](options.html#opt-services.authelia.enable).
 
-- [Pixelfed](https://pixelfed.org/), an Instagram-like ActivityPub server. Available as [services.pixelfed](options.html#opt-services.pixelfed.enable).
+- [goeland](https://github.com/slurdge/goeland), an alternative to rss2email written in golang with many filters. Available as [services.goeland](#opt-services.goeland.enable).
 
-- [PufferPanel](https://pufferpanel.com), a game server management panel designed to be easy to use. Available as [services.pufferpanel](#opt-services.pufferpanel.enable).
-
-- [QDMR](https://dm3mat.darc.de/qdmr/), a GUI application and command line tool for programming DMR radios [programs.qdmr](#opt-programs.qdmr.enable).
-
-- [readarr](https://github.com/Readarr/Readarr), book manager and automation (Sonarr for ebooks). Available as [services.readarr](options.html#opt-services.readarr.enable).
-
-- [ReGreet](https://github.com/rharish101/ReGreet), a clean and customizable greeter for greetd. Available as [programs.regreet](#opt-programs.regreet.enable).
-
-- [rshim](https://github.com/Mellanox/rshim-user-space), the user-space rshim driver for the BlueField SoC. Available as [services.rshim](options.html#opt-services.rshim.enable).
-
-- [SFTPGo](https://github.com/drakkan/sftpgo), a fully featured and highly configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. Available as [services.sftpgo](options.html#opt-services.sftpgo.enable).
-
-- [sharing](https://github.com/parvardegr/sharing), a command-line tool to share directories and files from the CLI to iOS and Android devices without the need of an extra client app. Available as [programs.sharing](#opt-programs.sharing.enable).
-
-- [sniffnet](https://github.com/GyulyVGC/sniffnet), an application to monitor your network traffic. Available as [programs.sniffnet](#opt-programs.sniffnet.enable).
-
-- [stargazer](https://sr.ht/~zethra/stargazer/), a fast and easy to use Gemini server. Available as [services.stargazer](#opt-services.stargazer.enable).
-
-- [stevenblack-blocklist](https://github.com/StevenBlack/hosts), a unified hosts file with base extensions for blocking unwanted websites. Available as [networking.stevenblack](options.html#opt-networking.stevenblack.enable).
-
-- [systemd-repart](https://www.freedesktop.org/software/systemd/man/systemd-repart.service.html), grow and add partitions to a partition table. Available as [systemd.repart](options.html#opt-systemd.repart) and [boot.initrd.systemd.repart](options.html#opt-boot.initrd.systemd.repart)
-
-- [trippy](https://github.com/fujiapple852/trippy), a network diagnostic tool. Available as [programs.trippy](#opt-programs.trippy.enable).
+- [alertmanager-irc-relay](https://github.com/google/alertmanager-irc-relay), a Prometheus Alertmanager IRC Relay. Available as [services.prometheus.alertmanagerIrcRelay](options.html#opt-services.prometheus.alertmanagerIrcRelay.enable).
 
 - [tts](https://github.com/coqui-ai/TTS), a battle-tested deep learning toolkit for Text-to-Speech. Multiple servers may be configured below [services.tts.servers](#opt-services.tts.servers).
 
-- [ulogd](https://www.netfilter.org/projects/ulogd/index.html), a userspace logging daemon for netfilter/iptables related logging. Available as [services.ulogd](options.html#opt-services.ulogd.enable).
+- [atuin](https://github.com/ellie/atuin), a sync server for shell history. Available as [services.atuin](#opt-services.atuin.enable).
+
+- [SFTPGo](https://github.com/drakkan/sftpgo), a fully featured and highly configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. Available as [services.sftpgo](options.html#opt-services.sftpgo.enable).
+
+- [esphome](https://esphome.io), a dashboard to configure ESP8266/ESP32 devices for use with Home Automation systems. Available as [services.esphome](#opt-services.esphome.enable).
+
+- [networkd-dispatcher](https://gitlab.com/craftyguy/networkd-dispatcher), a dispatcher service for systemd-networkd connection status changes. Available as [services.networkd-dispatcher](#opt-services.networkd-dispatcher.enable).
+
+- [gonic](https://github.com/sentriz/gonic), a Subsonic music streaming server. Available as [services.gonic](#opt-services.gonic.enable).
+
+- [mmsd](https://gitlab.com/kop316/mmsd), a lower level daemon that transmits and receives MMSes. Available as [services.mmsd](#opt-services.mmsd.enable).
+
+- [QDMR](https://dm3mat.darc.de/qdmr/), a GUI application and command line tool for programming DMR radios [programs.qdmr](#opt-programs.qdmr.enable)
+
+- [keyd](https://github.com/rvaiya/keyd), a key remapping daemon for linux. Available as [services.keyd](#opt-services.keyd.enable).
+
+- [consul-template](https://github.com/hashicorp/consul-template/), a template rendering, notifier, and supervisor for HashiCorp Consul and Vault data. Available as [services.consul-template](#opt-services.consul-template.instances).
+
+- [vault-agent](https://developer.hashicorp.com/vault/docs/agent), a template rendering and API auth proxy for HashiCorp Vault, similar to `consul-template`. Available as [services.vault-agent](#opt-services.vault-agent.instances).
+
+- [trippy](https://github.com/fujiapple852/trippy), a network diagnostic tool. Available as [programs.trippy](#opt-programs.trippy.enable).
 
 - [v2rayA](https://v2raya.org), a Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel. Available as [services.v2raya](options.html#opt-services.v2raya.enable).
 
-- [v4l2-relayd](https://git.launchpad.net/v4l2-relayd), a streaming relay for v4l2loopback using gstreamer. Available as [services.v4l2-relayd](#opt-services.v4l2-relayd.instances._name_.enable).
+- [rshim](https://github.com/Mellanox/rshim-user-space), the user-space rshim driver for the BlueField SoC. Available as [services.rshim](options.html#opt-services.rshim.enable).
 
-- [vault-agent](https://developer.hashicorp.com/vault/docs/agent), a template renderer and API auth proxy for HashiCorp Vault, similar to `consul-template`. Available as [services.vault-agent](#opt-services.vault-agent.instances).
+- [wstunnel](https://github.com/erebe/wstunnel), a proxy tunnelling arbitrary TCP or UDP traffic through a WebSocket connection. Instances may be configured via [services.wstunnel](options.html#opt-services.wstunnel.enable).
 
-- [webhook](https://github.com/adnanh/webhook), a lightweight webhook server. Available as [services.webhook](#opt-services.webhook.enable).
+- [ulogd](https://www.netfilter.org/projects/ulogd/index.html), a userspace logging daemon for netfilter/iptables related logging. Available as [services.ulogd](options.html#opt-services.ulogd.enable).
+
+- [PufferPanel](https://pufferpanel.com), game server management panel designed to be easy to use. Available as [services.pufferpanel](#opt-services.pufferpanel.enable).
+
+- [jellyseerr](https://github.com/Fallenbagel/jellyseerr), a web-based requests manager for Jellyfin, forked from Overseerr. Available as [services.jellyseerr](#opt-services.jellyseerr.enable).
+
+- [stargazer](https://sr.ht/~zethra/stargazer/), a fast and easy to use Gemini server. Available as [services.stargazer](#opt-services.stargazer.enable).
+
+- [sniffnet](https://github.com/GyulyVGC/sniffnet), an application to monitor your network traffic. Available as [programs.sniffnet](#opt-programs.sniffnet.enable).
+
+- [photoprism](https://photoprism.app/), a AI-Powered Photos App for the Decentralized Web. Available as [services.photoprism](options.html#opt-services.photoprism.enable).
+
+- [alice-lg](github.com/alice-lg/alice-lg), a looking-glass for BGP sessions. Available as [services.alice-lg](#opt-services.alice-lg.enable).
+
+- [birdwatcher](github.com/alice-lg/birdwatcher), a small HTTP server meant to provide an API defined by Barry O'Donovan's birds-eye to the BIRD internet routing daemon. Available as [services.birdwatcher](#opt-services.birdwatcher.enable).
+
+- [peroxide](https://github.com/ljanyst/peroxide), a fork of the official [ProtonMail bridge](https://github.com/ProtonMail/proton-bridge) that aims to be similar to [Hydroxide](https://github.com/emersion/hydroxide). Available as [services.peroxide](#opt-services.peroxide.enable).
+
+- [autosuspend](https://github.com/languitar/autosuspend), a python daemon that suspends a system if certain conditions are met, or not met.
+
+- [sharing](https://github.com/parvardegr/sharing), a command-line tool to share directories and files from the CLI to iOS and Android devices without the need of an extra client app. Available as [programs.sharing](#opt-programs.sharing.enable).
+
+- [nimdow](https://github.com/avahe-kellenberger/nimdow), a window manager written in Nim, inspired by dwm.
+
+- [trurl](https://github.com/curl/trurl), a command line tool for URL parsing and manipulation.
 
 - [wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh), a simple utility to help connect wireguard nodes together in a full mesh topology. Available as [services.wgautomesh](options.html#opt-services.wgautomesh.enable).
 
-- [woodpecker](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-server](#opt-services.woodpecker-server.enable) and [services.woodpecker-agents](#opt-services.woodpecker-agents.agents._name_.enable).
+- [woodpecker-agents](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-agents](#opt-services.woodpecker-agents.agents._name_.enable).
 
-- [wstunnel](https://github.com/erebe/wstunnel), a proxy tunnelling arbitrary TCP or UDP traffic through a WebSocket connection. Available as [services.wstunnel](options.html#opt-services.wstunnel.enable).
+- [woodpecker-server](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-server](#opt-services.woodpecker-server.enable).
+
+- [lldap](https://github.com/lldap/lldap), a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication. Available as [services.lldap](#opt-services.lldap.enable).
+
+- [ReGreet](https://github.com/rharish101/ReGreet), a clean and customizable greeter for greetd. Available as [programs.regreet](#opt-programs.regreet.enable).
+
+- [v4l2-relayd](https://git.launchpad.net/v4l2-relayd), a streaming relay for v4l2loopback using gstreamer. Available as [services.v4l2-relayd](#opt-services.v4l2-relayd.instances._name_.enable).
+
+- [hardware.ipu6](#opt-hardware.ipu6.enable) adds support for ipu6 based webcams on intel tiger lake and alder lake.
+
+- [ivpn](https://www.ivpn.net/), a secure, private VPN with fast WireGuard connections. Available as [services.ivpn](#opt-services.ivpn.enable).
+
+- [openvscode-server](https://github.com/gitpod-io/openvscode-server), run VS Code on a remote machine with access through a modern web browser from any device, anywhere. Available as [services.openvscode-server](#opt-services.openvscode-server.enable).
 
 ## Backward Incompatibilities {#sec-release-23.05-incompatibilities}
 
+<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+
+- `carnix` and `cratesIO` has been removed due to being unmaintained, use alternatives such as [naersk](https://github.com/nix-community/naersk) and [crate2nix](https://github.com/kolloch/crate2nix) instead.
+
 - `services.asusd` configuration now uses strings instead of structured configuration, as upstream switched to the [RON](https://github.com/ron-rs/ron) configuration format. Support for structured configuration may return when [RON](https://github.com/ron-rs/ron) generation is implemented in nixpkgs.
 
+- `checkInputs` have been renamed to `nativeCheckInputs`, because they behave the same as `nativeBuildInputs` when `doCheck` is set. `checkInputs` now denote a new type of dependencies, added to `buildInputs` when `doCheck` is set. As a rule of thumb, `nativeCheckInputs` are tools on `$PATH` used during the tests, and `checkInputs` are libraries which are linked to executables built as part of the tests. Similarly, `installCheckInputs` are renamed to `nativeInstallCheckInputs`, corresponding to `nativeBuildInputs`, and `installCheckInputs` are a new type of dependencies added to `buildInputs` when `doInstallCheck` is set. (Note that this change will not cause breakage to derivations with `strictDeps` unset, which are most packages except python, rust, ocaml and go packages).
+
+- `buildDunePackage` now defaults to `strictDeps = true` which means that any library should go into `buildInputs` or `checkInputs`. Any executable that is run on the building machine should go into `nativeBuildInputs` or `nativeCheckInputs` respectively. Example of executables are `ocaml`, `findlib` and `menhir`. PPXs are libraries which are built by dune and should therefore not go into `nativeBuildInputs`.
+
 - `borgbackup` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as [`services.borgbackup.jobs.<name>.inhibitsSleep`](#opt-services.borgbackup.jobs._name_.inhibitsSleep).
 
-- The `openssh` client now comes with the `~C` escape sequence disabled by default. It can be re-enabled by setting `EnableEscapeCommandline yes`
+- The `ssh` client tool now disables the `~C` escape sequence by default. This can be re-enabled by setting `EnableEscapeCommandline yes`
 
-- The `programs.ssh` client module does not read `/etc/ssh/ssh_known_hosts2` anymore, since this location is [deprecated since 2001](https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2).
+- Many `services.syncthing` options have been moved to `services.syncthing.settings`, as part of [RFC 42](https://github.com/NixOS/rfcs/pull/42)'s implementation, see [#226088](https://github.com/NixOS/nixpkgs/pull/226088).
 
-- The `services.openssh` server module does not read `~/.ssh/authorized_keys2` anymore, since this location is [deprecated since 2001](https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2).
+- The `ssh` module does not read `/etc/ssh/ssh_known_hosts2` anymore since this location is [deprecated since 2001](https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2).
 
-- MAC-then-encrypt algorithms were removed from the default selection of `services.openssh.settings.Macs`. If you still require these [MACs](https://en.wikipedia.org/wiki/Message_authentication_code), for example when you are relying on libssh2 (e.g. VLC) or the SSH library shipped on the iPhone, you can re-add them like this:
-
-  ```nix
-  services.openssh.settings.Macs = [
-    "hmac-sha2-512"
-    "hmac-sha2-256"
-    "umac-128@openssh.com"
-  };
-  ```
+- The openssh module does not read `~/.ssh/authorized_keys2` anymore since this location is [deprecated since 2001](https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2).
 
 - `podman` now uses the `netavark` network stack. Users will need to delete all of their local containers, images, volumes, etc, by running `podman system reset --force` once before upgrading their systems.
 
 - `git-bug` has been updated to at least version 0.8.0, which includes backwards incompatible changes. The `git-bug-migration` package can be used to upgrade existing repositories.
 
-- `graylog` has been updated to version 5, which can not be updated directly from the previously packaged version 3.3. If you had installed the previously packaged version 3.3, please follow the [upgrade path](https://go2docs.graylog.org/5-0/upgrading_graylog/upgrade_path.htm) from 3.3 to 4.0 to 4.3 to 5.0.
-
-- `buildFHSUserEnv` is now called `buildFHSEnv` and uses FlatPak's Bubblewrap sandboxing tool rather than Nixpkgs' own chrootenv. The old chrootenv-based implemenation is still available via `buildFHSEnvChroot` but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs.
+- `graylog` has been updated to version 5, which can not be upgraded directly from the previously packaged version 3.3. If you had installed the previously packaged version 3.3, please follow the [upgrade path](https://go2docs.graylog.org/5-0/upgrading_graylog/upgrade_path.htm) from 3.3 to 4.0 to 4.3 to 5.0.
 
 - `nushell` has been updated to at least version 0.77.0, which includes potential breaking changes in aliases. The old aliases are now available as `old-alias` but it is recommended you migrate to the new format. See [Reworked aliases](https://www.nushell.sh/blog/2023-03-14-nushell_0_77.html#reworked-aliases-breaking-changes-kubouch).
 
@@ -209,16 +200,16 @@ In addition to numerous new and updated packages, this release has the following
 
 - `keepassx` and `keepassx2` have been removed, due to upstream [stopping development](https://www.keepassx.org/index.html%3Fp=636.html). Consider [KeePassXC](https://keepassxc.org) as a maintained alternative.
 
-- The [services.kubo.settings](#opt-services.kubo.settings) option is now no longer stateful. If you changed any of the options in [services.kubo.settings](#opt-services.kubo.settings) in the past and then removed them from your NixOS configuration again, those changes are still in your Kubo configuration file but will now be reset to the default. If you're unsure, you may want to make a backup of your configuration file (probably `/var/lib/ipfs/config`) and compare after the update.
+- The [services.kubo.settings](#opt-services.kubo.settings) option is now no longer stateful. If you changed any of the options in [services.kubo.settings](#opt-services.kubo.settings) in the past and then removed them from your NixOS configuration again, those changes are still in your Kubo configuration file but will now be reset to the default. If you're unsure, you may want to make a backup of your configuration file (probably /var/lib/ipfs/config) and compare after the update.
 
 - The Kubo HTTP API will no longer listen on localhost and will instead only listen on a Unix domain socket by default. Read the [services.kubo.settings.Addresses.API](#opt-services.kubo.settings.Addresses.API) option description for more information.
 
 - The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services.
   This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from `/etc/ec2-metadata` should now have an `after` dependency on `fetch-ec2-metadata.service`
 
-- The mailman service now defaults to using a randomly generated REST API password instead of a hard-coded one.
+- The mailman service now defaults to using a randomly generated REST API password instead of a hardcoded one.
 
-- `minio` removed support for its legacy filesystem backend in [RELEASE.2022-10-29T06-21-33Z](https://github.com/minio/minio/releases/tag/RELEASE.2022-10-29T06-21-33Z). This means if your storage was created with the old format, minio will no longer start. Unfortunately, minio doesn't provide an automatic migration, they only provide [instructions how to manually convert the node](https://min.io/docs/minio/windows/operations/install-deploy-manage/migrate-fs-gateway.html). To facilitate this migration, we keep around the last version that still supports the old filesystem backend as `minio_legacy_fs`. Use it via `services.minio.package = minio_legacy_fs;` to export your data before switching to the new version. See the corresponding [issue](https://github.com/NixOS/nixpkgs/issues/199318) for more details.
+- `minio` removed support for its legacy filesystem backend in [RELEASE.2022-10-29T06-21-33Z](https://github.com/minio/minio/releases/tag/RELEASE.2022-10-29T06-21-33Z). This means if your storage was created with the old format, minio will no longer start. Unfortunately minio doesn't provide a an automatic migration, they only provide [instructions how to manually convert the node](https://min.io/docs/minio/windows/operations/install-deploy-manage/migrate-fs-gateway.html). To facilitate this migration we keep around the last version that still supports the old filesystem backend as `minio_legacy_fs`. Use it via `services.minio.package = minio_legacy_fs;` to export your data before switching to the new version. See the corresponding [issue](https://github.com/NixOS/nixpkgs/issues/199318) for more details.
 
 - `services.sourcehut.dispatch` and the corresponding package (`sourcehut.dispatchsrht`) have been removed due to [upstream deprecation](https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/).
 
@@ -242,20 +233,15 @@ In addition to numerous new and updated packages, this release has the following
   };
   ```
 
-- The default module options for [services.snapserver.openFirewall](#opt-services.snapserver.openFirewall), [services.tmate-ssh-server.openFirewall](#opt-services.tmate-ssh-server.openFirewall) and [services.unifi-video.openFirewall](#opt-services.unifi-video.openFirewall) have been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
+- The [services.snapserver.openFirewall](#opt-services.snapserver.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
 
-- The option `i18n.inputMethod.fcitx5.enableRimeData` has been removed. Default RIME data is now included in `fcitx5-rime` by default, and can be customized using
+- The [services.tmate-ssh-server.openFirewall](#opt-services.tmate-ssh-server.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
 
-  ```nix
-  fcitx5-rime.override {
-    rimeDataPkgs = [
-      pkgs.rime-data
-      # ...
-    ];
-  }
-  ```
+- The [services.unifi-video.openFirewall](#opt-services.unifi-video.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
 
-- The `udev` hwdb.bin file is now built with systemd-hwdb rather than the [deprecated "udevadm hwdb"](https://github.com/systemd/systemd/pull/25714). This may impact mappings where the same key is defined in multiple matching entries. The updated behavior will select the latest definition in case of conflict. In general, this should be a positive change, as the hwdb source files are designed with this ordering in mind. As an example, the mapping of the HP Dev One keyboard scan code for "mute mic" is corrected by this update. This change may impact users who have worked-around previously incorrect mappings.
+- The option `i18n.inputMethod.fcitx5.enableRimeData` has been removed. Default RIME data is now included in `fcitx5-rime` by default, and can be customized using `fcitx5-rime.override { rimeDataPkgs = [ pkgs.rime-data, package2, ... ]; }`
+
+- The udev hwdb.bin file is now built with systemd-hwdb rather than the [deprecated "udevadm hwdb"](https://github.com/systemd/systemd/pull/25714). This may impact mappings where the same key is defined in multiple matching entries. The updated behavior will select the latest definition in case of conflict. In general, this should be a positive change, as the hwdb source files are designed with this ordering in mind. As an example, the mapping of the HP Dev One keyboard scan code for "mute mic" is corrected by this update. This change may impact users who have worked-around previously incorrect mappings.
 
 - Kime has been updated from 2.5.6 to 3.0.2 and the `i18n.inputMethod.kime.config` option has been removed. Users should use `daemonModules`, `iconColor`, and `extraConfig` options under `i18n.inputMethod.kime` instead.
 
@@ -263,26 +249,28 @@ In addition to numerous new and updated packages, this release has the following
 
 - `i3status-rust` has been updated from 0.22.0 to 0.30.5, and this brings many changes to its configuration format. Additional information can be found [here](https://github.com/greshake/i3status-rust/blob/v0.30.0/NEWS.md).
 
-- The `wordpress` derivation no longer contains any built-in plugins or themes. If you need them, you have to add them back to prevent your site from breaking. You can find them in `wordpressPackages.{plugins,themes}`.
+- The `wordpress` derivation no longer contains any builtin plugins or themes. If you need them you have to add them back to prevent your site from breaking. You can find them in `wordpressPackages.{plugins,themes}`.
 
 - `llvmPackages_rocm.llvm` will not contain `clang` or `compiler-rt`. `llvmPackages_rocm.clang` will not contain `llvm`. `llvmPackages_rocm.clangNoCompilerRt` has been removed in favor of using `llvmPackages_rocm.clang-unwrapped`.
 
-- `services.xserver.desktopManager.plasma5.excludePackages` has been moved to `environment.plasma5.excludePackages`, for consistency with other Desktop Environments.
-
-- `teleport` has been updated from major version 10 to major version 12. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and release notes for versions [11](https://goteleport.com/docs/changelog/#1100) and [12](https://goteleport.com/docs/changelog/#1201). Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 11.x version by setting `services.teleport.package = pkgs.teleport_11`. Afterwards, this option can be removed to upgrade to the default version (12).
+- `services.xserver.desktopManager.plasma5.excludePackages` has been moved to `environment.plasma5.excludePackages`, for consistency with other Desktop Environments
 
 - The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.
 
+- `teleport` has been upgraded from major version 10 to major version 12. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and release notes for versions [11](https://goteleport.com/docs/changelog/#1100) and [12](https://goteleport.com/docs/changelog/#1201). Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 11.x version by setting `services.teleport.package = pkgs.teleport_11`. Afterwards, this option can be removed to upgrade to the default version (12).
+
 - The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.
 
-- `gitlab` has been upgraded from major version 15 to major version 16 and requires at least PostgreSQL 13.6. Check the [upgrade guide](#module-services-postgres-upgrading) in the NixOS manual on how to upgrade your PostgreSQL installation.
-
-- `gitlab` 16 deprecates the use of external container registries, in our case `pkgs.docker-distribution`. Module users who have [`services.gitlab.registry.enable`](#opt-services.gitlab.registry.enable) set to `true` are advised to back up their state and switch to gitlab's fork by setting [`services.gitlab.registry.package`](#opt-services.gitlab.registry.package) to `pkgs.gitlab-container-registry`.
-
 - `fail2ban` has been updated to 1.0.2, which has a few breaking changes compared to 0.11.2 ([changelog for 1.0.1](https://github.com/fail2ban/fail2ban/blob/1.0.1/ChangeLog), [changelog for 1.0.2](https://github.com/fail2ban/fail2ban/blob/1.0.2/ChangeLog))
 
 - `albert` has been updated from 0.17.6 to 0.20.13, and 0.18.0 changed the config format and many plugins ([changelog for 0.18.0](https://github.com/albertlauncher/albert/blob/v0.18.0/CHANGELOG.md))
 
+- Calling `makeSetupHook` without passing a `name` argument is deprecated.
+
+- Top-level buildPlatform,hostPlatform,targetPlatform have been deprecated, use stdenv.X instead.
+
+- `lib.systems.examples.ghcjs` and consequently `pkgsCross.ghcjs` now use the target triplet `javascript-unknown-ghcjs` instead of `js-unknown-ghcjs`. This has been done to match an [upstream decision](https://gitlab.haskell.org/ghc/ghc/-/commit/6636b670233522f01d002c9b97827d00289dbf5c) to follow Cabal's platform naming more closely. Nixpkgs will also reject `js` as an architecture name.
+
 - `dokuwiki` has been updated from 2023-07-31a (Igor) to 2023-04-04 (Jack Jackrum), which has [completely removed](https://www.dokuwiki.org/changes#release_2023-04-04_jack_jackrum) the options to embed HTML and PHP for security reasons. The [htmlok plugin](https://www.dokuwiki.org/plugin:htmlok) can be used to regain this functionality.
 
 - The old unsupported version 6.x of the ELK-stack and Elastic beats have been removed. Use OpenSearch instead.
@@ -293,6 +281,10 @@ In addition to numerous new and updated packages, this release has the following
 
 - The [services.wordpress.sites.&lt;name&gt;.plugins](#opt-services.wordpress.sites._name_.plugins) and [services.wordpress.sites.&lt;name&gt;.themes](#opt-services.wordpress.sites._name_.themes) options have been converted from sets to attribute sets to allow for consumers to specify explicit install paths via attribute name.
 
+- [`services.nextcloud.database.createLocally`](#opt-services.nextcloud.database.createLocally) now uses socket authentication and is no longer compatible with password authentication.
+  - If you want the module to manage the database for you, unset [`services.nextcloud.config.dbpassFile`](#opt-services.nextcloud.config.dbpassFile) (and [`services.nextcloud.config.dbhost`](#opt-services.nextcloud.config.dbhost), if it's set).
+  - If you want to use password authentication **and** create the database locally, you will have to use [`services.mysql`](#opt-services.mysql.enable) to set it up.
+
 - `protonmail-bridge` package has been updated to major version 3.
 
 - Nebula now runs as a system user and group created for each nebula network, using the `CAP_NET_ADMIN` ambient capability on launch rather than starting as root. Ensure that any files each Nebula instance needs to access are owned by the correct user and group, by default `nebula-${networkName}`.
@@ -301,20 +293,26 @@ In addition to numerous new and updated packages, this release has the following
 
 - In `mastodon` it is now necessary to specify location of file with `PostgreSQL` database password. In `services.mastodon.database.passwordFile` parameter default value `/var/lib/mastodon/secrets/db-password` has been changed to `null`.
 
+- The `--target-host` and `--build-host` options of `nixos-rebuild` no longer treat the `localhost` value specially – to build on/deploy to local machine, omit the relevant flag.
+
 - The `nix.readOnlyStore` option has been renamed to `boot.readOnlyNixStore` to clarify that it configures the NixOS boot process, not the Nix daemon.
 
+- Deprecated `xlibsWrapper` transitional package has been removed in favour of direct use of its constituents: `xorg.libX11`, `freetype` and others.
+
 - The latest available version of Nextcloud is v26 (available as `pkgs.nextcloud26`) which uses PHP 8.2 as interpreter by default. The installation logic is as follows:
   - If `system.stateVersion` is >=23.05, `pkgs.nextcloud26` will be installed by default.
   - If `system.stateVersion` is >=22.11, `pkgs.nextcloud25` will be installed by default.
   - Please note that an upgrade from v24 (or older) to v26 directly is not possible. Please upgrade to `nextcloud25` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud25;`](options.html#opt-services.nextcloud.package).
   - It's recommended to use the latest version available (i.e. v26) and to specify that using `services.nextcloud.package`.
 
-- .NET 5.0 and .NET 3.1 were removed due to being end-of-life, use a newer, supported .NET version. Visit the  [Support Policy](https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core) for more information.
+- .NET 5.0 and .NET 3.1 were removed due to being end-of-life, use a newer, supported .NET version - https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core
 
 - The iputils package, which is installed by default, no longer provides the
-  `ninfod`, `rarpd` and `rdisc` tools. See [upstream's release notes](https://github.com/iputils/iputils/releases/tag/20221126) for more details and available replacements.
+  `ninfod`, `rarpd` and `rdisc` tools. See
+  [upstream's release notes](https://github.com/iputils/iputils/releases/tag/20221126)
+  for more details and available replacements.
 
-- The ppp plugin `rp-pppoe.so` has been renamed to `pppoe.so` in ppp 2.4.9. Starting from ppp 2.5.0, there is no longer an alias for backwards compatibility. Configurations that use this plugin must be updated accordingly from `plugin rp-pppoe.so` to `plugin pppoe.so`. See [upstream change](https://github.com/ppp-project/ppp/commit/610a7bd76eb1f99f22317541b35001b1e24877ed).
+- The ppp plugin `rp-pppoe.so` has been renamed to `pppoe.so` in ppp 2.4.9. Starting from ppp 2.5.0, there is no longer a alias for backwards compatibility. Configurations that use this plugin must be updated accordingly from `plugin rp-pppoe.so` to `plugin pppoe.so`. See [upstream change](https://github.com/ppp-project/ppp/commit/610a7bd76eb1f99f22317541b35001b1e24877ed).
 
 - [services.xserver.videoDrivers](options.html#opt-services.xserver.videoDrivers) now defaults to the `modesetting` driver over device-specific ones. The `radeon`, `amdgpu` and `nouveau` drivers are still available, but effectively unmaintained and not recommended for use.
 
@@ -324,7 +322,7 @@ In addition to numerous new and updated packages, this release has the following
 
 - In `services.fail2ban`, `bantime-increment.<name>` options now default to `null` (except `bantime-increment.enable`) and are used to set the corresponding option in `jail.local` only if not `null`. Also, enforce that `bantime-increment.formula` and `bantime-increment.multipliers` are not both specified.
 
-- The default `asterisk` package was changed to v20 from v19. Asterisk versions 16 and 19 have been dropped due to being EOL. You may need to update /var/lib/asterisk to match the template files in `${asterisk-20}/var/lib/asterisk`.
+- The default Asterisk package was changed to v20 from v19. Asterisk versions 16 and 19 have been dropped due to being EOL. You may need to update /var/lib/asterisk to match the template files in `${asterisk-20}/var/lib/asterisk`.
 
 - conntrack helper autodetection has been removed from kernels 6.0 and up upstream, and an assertion was added to ensure things don't silently stop working. Migrate your configuration to assign helpers explicitly or use an older LTS kernel branch as a temporary workaround.
 
@@ -342,7 +340,7 @@ In addition to numerous new and updated packages, this release has the following
 
 - The `qlandkartegt` and `garmindev` packages were removed due to being unmaintained and insecure.
 
-- The `go-ethereum` package has been updated to v1.11.5 and the `puppeth` command is no longer available as of v1.11.0.
+- `go-ethereum` package has been updated to v1.11.5 and the `puppeth` command is no longer available as of v1.11.0.
 
 - The `pnpm` package has be updated to from version 7.29.1 to version 8.1.1 and Node.js 14 support has been discontinued (though, there are workarounds if Node.js 14 is still required)
   - Migration instructions: ["Before updating pnpm to v8 in your CI, regenerate your pnpm-lock.yaml. To upgrade your lockfile, run pnpm install and commit the changes. Existing dependencies will not be updated; however, due to configuration changes in pnpm v8, some missing peer dependencies may be added to the lockfile and some packages may get deduplicated. You can commit the new lockfile even before upgrading Node.js in the CI, as pnpm v7 already supports the new lockfile format."](https://github.com/pnpm/pnpm/releases/tag/v8.0.0)
@@ -351,21 +349,21 @@ In addition to numerous new and updated packages, this release has the following
 
 - The `pict-rs` package was updated from an 0.3 alpha release to 0.3 stable, and related environment variables now require two underscores instead of one.
 
-- The `shattered-pixel-dungeon` game was updated from 1.1.2 to 2.0.2.
-  - The location of game data has changed. To migrate it, run `mv ~/.shatteredpixel ~/.local/share/.shatteredpixel`
-  - The update will delete all your in-progress games.
-
 - `espanso` has been updated to major version 2. Therefore, migration steps may need to be performed. See [the official migration instructions](https://espanso.org/docs/migration/overview/) for how to perform these migrations. Further, `espanso-wayland` can now be used for Wayland support.
 
-- Only `k3s` version 1.26 is included. Users of the `k3s_1_24` or `k3s_1_25` packages should upgrade to use the `1.26` version of the package.
-
-- The `nerdfonts` package has been updated to major version 3, which includes potential [breaking changes](https://github.com/ryanoasis/nerd-fonts/releases/tag/v3.0.0).
-
 ## Other Notable Changes {#sec-release-23.05-notable-changes}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- To follow [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) a few options of `openssh` have been moved from `extraConfig` to the new freeform option `settings` and renamed, e.g.:
+- `vim_configurable` has been renamed to `vim-full` to avoid confusion: `vim-full`'s build-time features are configurable, but both `vim` and `vim-full` are _customizable_ (in the sense of user configuration, like vimrc).
+
+- Pantheon now defaults to Mutter 43 and GNOME settings daemon 43, all Pantheon packages are now tracking elementary OS 7 updates.
+
+- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)
+
+- The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package)
+
+- A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follows:
   - `services.openssh.forwardX11` to `services.openssh.settings.X11Forwarding`
   - `services.openssh.kbdInteractiveAuthentication` -> `services.openssh.settings.KbdInteractiveAuthentication`
   - `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`
@@ -377,21 +375,18 @@ In addition to numerous new and updated packages, this release has the following
   - `services.openssh.ciphers` to `services.openssh.settings.Ciphers`
   - `services.openssh.gatewayPorts` to `services.openssh.settings.GatewayPorts`
 
-
-- `vim_configurable` has been renamed to `vim-full` to avoid confusion: `vim-full`'s build-time features are configurable, but both `vim` and `vim-full` are _customizable_ (in the sense of user configuration, like vimrc).
-
-- Pantheon now defaults to Mutter 43 and GNOME settings daemon 43, all Pantheon packages are now tracking elementary OS 7 updates.
-
-- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)
-
-- The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package)
-
 - `netbox` was updated to 3.5. NixOS' `services.netbox.package` still defaults to 3.3 if `stateVersion` is earlier than 23.05. Please review upstream's breaking changes [for 3.4.0](https://github.com/netbox-community/netbox/releases/tag/v3.4.0) and [for 3.5.0](https://github.com/netbox-community/netbox/releases/tag/v3.5.0), and upgrade NetBox by changing `services.netbox.package`. Database migrations will be run automatically.
 
 - `services.netbox` now support RFC42-style options, through `services.netbox.settings`.
 
 - `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.
 
+- DocBook option documentation, which has been deprecated since 22.11, will now cause a warning when documentation is built. Out-of-tree modules should migrate to using CommonMark documentation as outlined in [](#sec-option-declarations) to silence this warning.
+
+  DocBook option documentation support will be removed in the next release and CommonMark will become the default. DocBook option documentation that has not been migrated until then will no longer render properly or cause errors.
+
+- NixOS now defaults to using nsncd (a non-caching reimplementation in Rust) as NSS lookup dispatcher, instead of the buggy and deprecated glibc-provided nscd. If you need to switch back, set `services.nscd.enableNsncd = false`, but please open an issue in nixpkgs so your issue can be fixed.
+
 - `services.borgmatic` now allows for multiple configurations, placed in `/etc/borgmatic.d/`, you can define them with `services.borgmatic.configurations`.
 
 - `service.openafsServer` features a new backup server `pkgs.fabs` as a
@@ -409,6 +404,8 @@ In addition to numerous new and updated packages, this release has the following
   `services.dnsmasq.extraConfig` will be deprecated when NixOS 22.11 reaches
   end of life.
 
+- `kube3d` has now been renamed to `k3d` since the 3d editor that originally took that name has been dropped from nixpkgs. `kube3d` will continue to work as an alias for now.
+
 - The `dokuwiki` service is now configured via `services.dokuwiki.sites.<name>.settings` attribute set; `extraConfig` has been removed.
   The `{aclUse,superUser,disableActions}` attributes have been renamed accordingly. `pluginsConfig` now only accepts an attribute set of booleans.
   Passing plain PHP is no longer possible.
@@ -431,84 +428,106 @@ In addition to numerous new and updated packages, this release has the following
   If undesired, the old behavior can be restored by overriding the builders with
   `{ installDocumentation = false; }`.
 
-- The nftables module now validates its ruleset at build time. The new `networking.nftables.checkRuleset` option allows disabling this check, which may fail when rules have very specific requirements, that the sandbox environment, by default, will not cover. The `networking.nftables.preCheckRuleset` option can be used to prepare the environment before the checks are run.
+- The new option `networking.nftables.checkRuleset` controls whether the ruleset is checked for syntax or not during build.  It is `true` by default.  The check might fail because it is in a sandbox environment.  To circumvent this, the ruleset file can be edited using the `networking.nftables.preCheckRuleset` option.
 
-- The `services.mastodon` module now supports connection to a remote `PostgreSQL` database.
+- `mastodon` now supports connection to a remote `PostgreSQL` database.
 
-- [`services.nextcloud.database.createLocally`](#opt-services.nextcloud.database.createLocally) now uses socket authentication and is no longer compatible with password authentication.
-  - If you want the module to manage the database for you, unset [`services.nextcloud.config.dbpassFile`](#opt-services.nextcloud.config.dbpassFile) (and [`services.nextcloud.config.dbhost`](#opt-services.nextcloud.config.dbhost), if it's set).
-  - If you want to use password authentication **and** create the database locally, you will have to use [`services.mysql`](#opt-services.mysql.enable) to set it up.
+- `nextcloud` has an option to enable SSE-C in S3.
 
-- [`services.nextcloud.config.objectstore.s3.sseCKeyFile`](#opt-services.nextcloud.config.objectstore.s3.sseCKeyFile) is a new option to enable server-side encryption with customer provided keys (SSE-C) for your S3 in Nextcloud.
-
-- NixOS swap partitions with random encryption can now control the sector size, cipher, and key size used to set up the plain encryption device over the underlying block device rather than allowing them to be determined by `cryptsetup(8)`. One can use these features like so:
+- NixOS swap partitions with random encryption can now control the sector size, cipher, and key size used to setup the plain encryption device over the
+  underlying block device rather than allowing them to be determined by `cryptsetup(8)`. One can use these features like so:
 
   ```nix
-  swapDevices = [ {
-    device = "/dev/disk/by-partlabel/swapspace";
-    randomEncryption = {
-      enable = true;
-      cipher = "aes-xts-plain64";
-      keySize = 512;
-      sectorSize = 4096;
-    };
-  } ];
+  {
+    swapDevices = [
+      {
+        device = "/dev/disk/by-partlabel/swapspace";
+
+        randomEncryption = {
+          enable = true;
+          cipher = "aes-xts-plain64";
+          keySize = 512;
+          sectorSize = 4096;
+        };
+      }
+    ];
+  }
   ```
 
 - New option `security.pam.zfs` to enable unlocking and mounting of encrypted ZFS home dataset at login.
 
-- `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`.  Before upgrading, check the release notes for [PeerTube v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0).And backup your data.
+- `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`.
+  Before upgrading, read the release notes for PeerTube:
+    - [Release v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0)
+
+  And backup your data.
 
 - `services.chronyd` is now started with additional systemd sandbox/hardening options for better security.
 
-- PostgreSQL has added opt-in support for [JIT compilation](https://www.postgresql.org/docs/current/jit-reason.html). It can be enabled like this:
+- PostgreSQL has opt-in support for [JIT compilation](https://www.postgresql.org/docs/current/jit-reason.html). It can be enabled like this:
   ```nix
-  services.postgresql.enableJIT = true;
+  {
+    services.postgresql = {
+      enable = true;
+      enableJIT = true;
+    };
+  }
   ```
 
-- `services.netdata` offers a [`services.netdata.deadlineBeforeStopSec`](#opt-services.netdata.deadlineBeforeStopSec) option which will control the deadline (in seconds) after which systemd will consider your netdata instance as dead if it didn't start in the elapsed time. It is helpful when your netdata instance takes longer to start because of a large amount of state or upgrades.
+- `services.netdata` offers a `deadlineBeforeStopSec` option which enable users who have netdata instance that takes time to initialize to not have systemd kill them for no reason.
 
-- `services.dhcpcd` service stopped soliciting or accepting IPv6 Router Advertisements on interfaces that use static IPv6 addresses.
-  If your network provides both IPv6 unique local addresses (ULA) and globally unique addresses (GUA) through autoconfiguration with SLAAC, you must add the parameter `networking.dhcpcd.IPv6rs = true;`.
+- `services.dhcpcd` service now don't solicit or accept IPv6 Router Advertisements on interfaces that use static IPv6 addresses.
+  If network uses both IPv6 Unique local addresses (ULA) and global IPv6 address auto-configuration with SLAAC, must add the parameter `networking.dhcpcd.IPv6rs = true;`.
 
 - The module `services.headscale` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed:
 
-  - Most settings have been migrated below [services.headscale.settings](#opt-services.headscale.settings) which is a freeform attribute-set that will be converted into headscale's YAML config format. This means that the configuration from [headscale's example configuration](https://github.com/juanfont/headscale/blob/main/config-example.yaml) can be directly written as attribute-set in Nix within this option.
+  - Most settings has been migrated under [services.headscale.settings](#opt-services.headscale.settings) which is an attribute-set that
+    will be converted into headscale's YAML config format. This means that the configuration from
+    [headscale's example configuration](https://github.com/juanfont/headscale/blob/main/config-example.yaml)
+    can be directly written as attribute-set in Nix within this option.
 
 - `services.kubo` now unmounts `ipfsMountDir` and `ipnsMountDir` even if it is killed unexpectedly when `autoMount` is enabled.
 
-- `services.grafana` listens only on localhost by default again. This was changed to the upstream default of `0.0.0.0` by accident in the freeform setting conversion.
+- `nixos/lib/make-disk-image.nix` can now mutate EFI variables, run user-provided EFI firmware or variable templates. This is now extensively documented in the NixOS manual.
+
+- `services.grafana` listens only on localhost by default again. This was changed to upstreams default of `0.0.0.0` by accident in the freeform setting conversion.
 
 - Grafana Tempo has been updated to version 2.0. See the [upstream upgrade guide](https://grafana.com/docs/tempo/latest/release-notes/v2-0/#upgrade-considerations) for migration instructions.
 
-- A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple Silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=23.05&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm).
+- A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm).
 
 - The new option `users.motdFile` allows configuring a Message Of The Day that can be updated dynamically.
 
 - The `root` package is now built with the `"-Dgnuinstall=ON"` CMake flag, making the output conform the `bin` `lib` `share` layout. In this layout, `tutorials` is under `share/doc/ROOT/`; `cmake`, `font`, `icons`, `js` and `macro` under `share/root`; `Makefile.comp` and `Makefile.config` under `etc/root`.
 
-- There are various new options in the `services.nginx` module:
-    - Enabling global redirect in `services.nginx.virtualHosts` now allows one to add exceptions with the `locations` option.
-    - The `proxyCachePath` option has been added to `services.nginx`. It allows configuring the [`proxy_cache_path`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path), that configures the storage path and various other settings for the cache.
-    - A new option `recommendedBrotliSettings` has been added to `services.nginx`. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md).
-    - `services.nginx.recommendedProxySettings` now removes the `Connection` header preventing clients from closing backend connections.
+- Enabling global redirect in `services.nginx.virtualHosts` now allows one to add exceptions with the `locations` option.
 
-- The nginx module also received an update to `services.nginx.recommendedGzipSettings`:
+- A new option `proxyCachePath` has been added to `services.nginx`. Learn more about proxy_cache_path: <https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path>.
+
+- A new option `recommendedBrotliSettings` has been added to `services.nginx`. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md).
+
+- Updated recommended settings in `services.nginx.recommendedGzipSettings`:
   - Enables gzip compression for only certain proxied requests.
   - Allow checking and loading of precompressed files.
   - Updated gzip mime-types.
   - Increased the minimum length of a response that will be gzipped.
 
-- [Garage](https://garagehq.deuxfleurs.fr/) version is based on [system.stateVersion](options.html#opt-system.stateVersion), existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow [upstream instructions](https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/) and configure [services.garage.package](options.html#opt-services.garage.package).
+- [Garage](https://garagehq.deuxfleurs.fr/) version is based on [system.stateVersion](options.html#opt-system.stateVersion), existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow [upstream instructions](https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/) and force [services.garage.package](options.html#opt-services.garage.package) or upgrade accordingly [system.stateVersion](options.html#opt-system.stateVersion).
 
 - Nebula now supports the `services.nebula.networks.<name>.isRelay` and `services.nebula.networks.<name>.relays` configuration options for setting up or allowing traffic relaying. See the [announcement](https://www.defined.net/blog/announcing-relay-support-in-nebula/) for more details about relays.
 
+- `hip` has been separated into `hip`, `hip-common` and `hipcc`.
+
+- `services.nginx.recommendedProxySettings` now removes the `Connection` header preventing clients from closing backend connections.
+
 - Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.
 
-- The `firewall` and `nat` modules can now optionally rely on an nftables based implementation. Enable `networking.nftables` to use it.
+- The `firewall` and `nat` module now has a nftables based implementation. Enable `networking.nftables` to use it.
 
 - The `services.fwupd` module now allows arbitrary daemon settings to be configured in a structured manner ([`services.fwupd.daemonSettings`](#opt-services.fwupd.daemonSettings)).
 
+- Nixpkgs now uses [IEEE-standard floating point arithmetic](https://github.com/NixOS/nixpkgs/pull/170215) on `powerpc64le-linux`.
+
 - `services.xserver.desktopManager.plasma5.phononBackend` now defaults to vlc according to [upstrean recommendation](https://community.kde.org/Distributions/Packaging_Recommendations#Non-Plasma_packages)
 
 - The `zramSwap` is now implemented with `zram-generator`, and the option `zramSwap.numDevices` for using ZRAM devices as general purpose ephemeral block devices has been removed.
@@ -519,10 +538,16 @@ In addition to numerous new and updated packages, this release has the following
   * `apptainer`: From `github.com/apptainer/apptainer`, which is the new repo after renaming.
   * `singularity`: From `github.com/sylabs/singularity`, which is the fork by Sylabs Inc..
 
+  `programs.singularity` got a new `package` option to specify which package to use.
+
   `singularity-tools.buildImage` got a new input argument `singularity` to specify which package to use.
 
 - The new option `programs.singularity.enableFakeroot`, if set to `true`, provides `--fakeroot` support for `apptainer` and `singularity`.
 
+- The `unifi-poller` package and corresponding NixOS module have been renamed to `unpoller` to match upstream.
+
+- The `rtsp-simple-server` package and corresponding NixOS module have been renamed to `mediamtx` to match upstream.
+
 - The new option `services.tailscale.useRoutingFeatures` controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to `server`, otherwise if you wish to use an exit node you can set this setting to `client`. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting.
 
 - `openjdk` from version 11 and above is not build with `openjfx` (i.e.: JavaFX) support by default anymore. You can re-enable it by overriding, e.g.: `openjdk11.override { enableJavaFX = true; };`.
@@ -535,49 +560,24 @@ In addition to numerous new and updated packages, this release has the following
 
 - The option `services.prometheus.exporters.pihole.interval` does not exist anymore and has been removed.
 
-- The option `services.gpsd.device` has been replaced with  `services.gpsd.devices`, which supports multiple devices.
+- The option `services.gpsd.device` has been replaced with
+  `services.gpsd.devices`, which supports multiple devices.
 
-- `k3s` can now be configured with an `EnvironmentFile` for its systemd service, allowing secrets to be provided without ending up in the Nix Store.
+- `k3s` can now be configured with an EnvironmentFile for its systemd service, allowing secrets to be provided without ending up in the Nix Store.
 
-- The `gitea` module options have been moved into a freeform attribute set below `services.gitea.settings`.
+- `gitea` module options have been changed to be RFC042 conforming (i.e. some options were moved to be located under `services.gitea.settings`)
 
-- `boot.initrd.luks.device.<name>` has a new `tryEmptyPassphrase` option, this is useful for OEMs who need to install an encrypted disk with a future settable passphrase
+- `boot.initrd.luks.device.<name>` has a new `tryEmptyPassphrase` option, this is useful for OEM's who need to install an encrypted disk with a future settable passphrase
 
-- The `bind` module now allows the per-zone `allow-query` setting to be configured (previously it was hard-coded to `any`; it still defaults to `any` to retain compatibility).
-
-- The option `services.jitsi-videobridge.apis` has been renamed to `colibriRestApi` and turned into a boolean. Setting it to `true` will enable the private rest API, useful for monitoring using `services.prometheus.exporters.jitsi.enable`. Learn more about the API: "[The COLIBRI control interface (/colibri/)](https://github.com/jitsi/jitsi-videobridge/blob/v2.3/doc/rest.md)".
-
-- Booting from a volume managed by the Stratis storage management daemon is now supported. Use `fileSystems.<name>.stratis.poolUuid` to configure the pool containing the fs.
-
-## Nixpkgs internals {#sec-release-23.05-nixpkgs-internals}
-
-- `buildDunePackage` now defaults to `strictDeps = true` which means that any library should go into `buildInputs` or `checkInputs`. Any executable that is run on the building machine should go into `nativeBuildInputs` or `nativeCheckInputs` respectively. Example of executables are `ocaml`, `findlib` and `menhir`. PPXs are libraries which are built by dune and should therefore not go into `nativeBuildInputs`.
-
-- `buildFHSUserEnv` is now called `buildFHSEnv` and uses FlatPak's Bubblewrap sandboxing tool rather than Nixpkgs' own chrootenv. The old chrootenv-based implemenation is still available via `buildFHSEnvChrootenv` but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs.
-
-- Top-level `buildPlatform`, `hostPlatform`, `targetPlatform` have been deprecated, use `stdenv.X` instead.
-
-- `carnix` and `cratesIO` has been removed due to being unmaintained, use alternatives such as [naersk](https://github.com/nix-community/naersk) and [crate2nix](https://github.com/kolloch/crate2nix) instead.
-
-- `checkInputs` have been renamed to `nativeCheckInputs`, because they behave the same as `nativeBuildInputs` when `doCheck` is set. `checkInputs` now denote a new type of dependencies, added to `buildInputs` when `doCheck` is set. As a rule of thumb, `nativeCheckInputs` are tools on `$PATH` used during the tests, and `checkInputs` are libraries which are linked to executables built as part of the tests. Similarly, `installCheckInputs` are renamed to `nativeInstallCheckInputs`, corresponding to `nativeBuildInputs`, and `installCheckInputs` are a new type of dependencies added to `buildInputs` when `doInstallCheck` is set. (Note that this change will not cause breakage to derivations with `strictDeps` unset, which are most packages except python, rust, ocaml and go packages).
-
-- DocBook option documentation, which has been deprecated since 22.11, will now cause a warning when documentation is built. Out-of-tree modules should migrate to using CommonMark documentation as outlined in [](#sec-option-declarations) to silence this warning.
-
-  DocBook option documentation support will be removed in the next release and CommonMark will become the default. DocBook option documentation that has not been migrated until then will no longer render properly or cause errors.
-
-- `lib.systems.examples.ghcjs` and consequently `pkgsCross.ghcjs` now use the target triplet `javascript-unknown-ghcjs` instead of `js-unknown-ghcjs`. This has been done to match an [upstream decision](https://gitlab.haskell.org/ghc/ghc/-/commit/6636b670233522f01d002c9b97827d00289dbf5c) to follow Cabal's platform naming more closely. Nixpkgs will also reject `js` as an architecture name.
+- there is a new `boot/stratisroot.nix` module that enables booting from a volume managed by the Stratis storage management daemon. Use `fileSystems.<name>.stratis.poolUuid` to configure the pool containing the fs.
 
 - Lisp gained a [manual section](https://nixos.org/manual/nixpkgs/stable/#lisp), documenting a new and backwards incompatible interface. The previous interface will be removed in a future release.
 
-- Calling `makeSetupHook` without passing a `name` argument is deprecated.
+- The `bind` module now allows the per-zone `allow-query` setting to be configured (previously it was hard-coded to `any`; it still defaults to `any` to retain compatibility).
 
-- `nixos/lib/make-disk-image.nix` handles `contents` arguments that are directories better, fixing a bug where it used to put them in a subdirectory of the intended `target`.
+- `make-disk-image` handles `contents` arguments that are directories better, fixing a bug where it used to put them in a subdirectory of the intended `target`.
 
-- `nixos/lib/make-disk-image.nix` can now mutate EFI variables, run user-provided EFI firmware or variable templates. This is now extensively documented in the NixOS manual.
-
-- Nixpkgs now uses [IEEE-standard floating point arithmetic](https://github.com/NixOS/nixpkgs/pull/170215) on `powerpc64le-linux`.
-
-- Deprecated `xlibsWrapper` transitional package has been removed in favour of direct use of its constituents: `xorg.libX11`, `freetype` and others.
+- The option `services.jitsi-videobridge.apis` has been renamed to `colibriRestApi` and turned into a boolean. Setting it to `true` will enable the private rest API, useful for monitoring using `services.prometheus.exporters.jitsi.enable`. Learn more about the API: "[The COLIBRI control interface (/colibri/)](https://github.com/jitsi/jitsi-videobridge/blob/v2.3/doc/rest.md)".
 
 ## Detailed migration information {#sec-release-23.05-migration}
 

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -8,38 +8,16 @@
 
 - Create the first release note entry in this section!
 
-- [acme-dns](https://github.com/joohoi/acme-dns), a limited DNS server to handle ACME DNS challenges easily and securely. Available as [services.acme-dns](#opt-services.acme-dns.enable).
-
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 - [river](https://github.com/riverwm/river), A dynamic tiling wayland compositor. Available as [programs.river](#opt-programs.river.enable).
 
-- [GoToSocial](https://gotosocial.org/), an ActivityPub social network server, written in Golang. Available as [services.gotosocial](#opt-services.gotosocial.enable).
-
-- [sitespeed-io](https://sitespeed.io), a tool that can generate metrics (timings, diagnostics) for websites. Available as [services.sitespeed-io](#opt-services.sitespeed-io.enable).
-
 ## Backward Incompatibilities {#sec-release-23.11-incompatibilities}
 
-- `writeTextFile` now requires `executable` to be boolean, values like `null` or `""` will now fail to evaluate.
-
 - The latest version of `clonehero` now stores custom content in `~/.clonehero`. See the [migration instructions](https://clonehero.net/2022/11/29/v23-to-v1-migration-instructions.html). Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in `~/.config/unity3d/srylain Inc_/Clone Hero`.
 
-- `python3.pkgs.fetchPypi` (and `python3Packages.fetchPypi`) has been deprecated in favor of top-level `fetchPypi`.
-
-- `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning the default version was upgraded from 10.6.x to 10.11.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for potential issues.
-
 - `etcd` has been updated to 3.5, you will want to read the [3.3 to 3.4](https://etcd.io/docs/v3.5/upgrades/upgrade_3_4/) and [3.4 to 3.5](https://etcd.io/docs/v3.5/upgrades/upgrade_3_5/) upgrade guides
 
-- `himalaya` has been updated to `0.8.0`, which drops the native TLS support (in favor of Rustls) and add OAuth 2.0 support. See the [release note](https://github.com/soywod/himalaya/releases/tag/v0.8.0) for more details.
-
-- The [services.caddy.acmeCA](#opt-services.caddy.acmeCA) option now defaults to `null` instead of `"https://acme-v02.api.letsencrypt.org/directory"`, to use all of Caddy's default ACME CAs and enable Caddy's automatic issuer fallback feature by default, as recommended by upstream.
-
-- `util-linux` is now supported on Darwin and is no longer an alias to `unixtools`. Use the `unixtools.util-linux` package for access to the Apple variants of the utilities.
-
-- `fileSystems.<name>.autoFormat` now uses `systemd-makefs`, which does not accept formatting options. Therefore, `fileSystems.<name>.formatOptions` has been removed.
-
-- `fileSystems.<name>.autoResize` now uses `systemd-growfs` to resize the file system online in stage 2. This means that `f2fs` and `ext2` can no longer be auto resized, while `xfs` and `btrfs` now can be.
-
 ## Other Notable Changes {#sec-release-23.11-notable-changes}
 
 - The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration.

nixos/maintainers/scripts/ec2/amazon-image.nix

@@ -43,7 +43,7 @@ in {
 
     sizeMB = mkOption {
       type = with types; either (enum [ "auto" ]) int;
-      default = 3072;
+      default = 2048;
       example = 8192;
       description = lib.mdDoc "The size in MB of the image";
     };

nixos/modules/config/no-x-libs.nix

@@ -38,7 +38,6 @@ with lib;
       gpsd = super.gpsd.override { guiSupport = false; };
       graphviz = super.graphviz-nox;
       gst_all_1 = super.gst_all_1 // {
-        gst-plugins-bad = super.gst_all_1.gst-plugins-bad.override { guiSupport = false; };
         gst-plugins-base = super.gst_all_1.gst-plugins-base.override { enableX11 = false; };
       };
       imagemagick = super.imagemagick.override { libX11Support = false; libXtSupport = false; };

nixos/modules/config/qt.nix

@@ -20,7 +20,7 @@ let
       pkgs.adwaita-qt6
     ]
     else if isQtStyle then [ pkgs.libsForQt5.qtstyleplugins ]
-    else if isQt5ct then [ pkgs.libsForQt5.qt5ct pkgs.qt6Packages.qt6ct ]
+    else if isQt5ct then [ pkgs.libsForQt5.qt5ct ]
     else if isLxqt then [ pkgs.lxqt.lxqt-qtplugin pkgs.lxqt.lxqt-config ]
     else if isKde then [ pkgs.libsForQt5.plasma-integration pkgs.libsForQt5.systemsettings ]
     else throw "`qt.platformTheme` ${cfg.platformTheme} and `qt.style` ${cfg.style} are not compatible.";

nixos/modules/config/users-groups.nix

@@ -652,7 +652,7 @@ in {
       deps = [ "users" ];
       text = ''
         users=()
-        while IFS=: read -r user hash _; do
+        while IFS=: read -r user hash tail; do
           if [[ "$hash" = "$"* && ! "$hash" =~ ^\''$${cryptSchemeIdPatternGroup}\$ ]]; then
             users+=("$user")
           fi

nixos/modules/hardware/i2c.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 
 with lib;
 
@@ -31,14 +31,10 @@ in
       i2c = { };
     };
 
-    services.udev.packages = lib.singleton (pkgs.writeTextFile
-      { name = "i2c-udev-rules";
-        text = ''
-          # allow group ${cfg.group} and users with a seat use of i2c devices
-          ACTION=="add", KERNEL=="i2c-[0-9]*", TAG+="uaccess", GROUP="${cfg.group}", MODE="660"
-        '';
-        destination = "/etc/udev/rules.d/70-i2c.rules";
-      });
+    services.udev.extraRules = ''
+      # allow group ${cfg.group} and users with a seat use of i2c devices
+      ACTION=="add", KERNEL=="i2c-[0-9]*", TAG+="uaccess", GROUP="${cfg.group}", MODE="660"
+    '';
 
   };
 

nixos/modules/installer/tools/nix-fallback-paths.nix

@@ -1,7 +1,7 @@
 {
-  x86_64-linux = "/nix/store/ny9r65799s7xhp605bc2753sjvzkxrrs-nix-2.15.1";
-  i686-linux = "/nix/store/ck55dz5klc7szi8rx9ghhm8gi2b5q5bw-nix-2.15.1";
-  aarch64-linux = "/nix/store/cl0a02vr28913dgw98hrm45a4baqr3z1-nix-2.15.1";
-  x86_64-darwin = "/nix/store/wq228jdbz16pp2lnxf32n8dv27pw53p8-nix-2.15.1";
-  aarch64-darwin = "/nix/store/x11cpsjg4q236msfz5scc325pfp9xy64-nix-2.15.1";
+  x86_64-linux = "/nix/store/mc43d38fibi94pp5crfwacl5gbslccd0-nix-2.13.3";
+  i686-linux = "/nix/store/09m966pj26cgd4ihlg8ihl1106j3vih8-nix-2.13.3";
+  aarch64-linux = "/nix/store/7f191d125akld27gc6jl0r13l8pl7x0h-nix-2.13.3";
+  x86_64-darwin = "/nix/store/1wn9jkvi2zqfjnjgg7lnp30r2q2y8whd-nix-2.13.3";
+  aarch64-darwin = "/nix/store/8w0v2mffa10chrf1h66cbvbpw86qmh85-nix-2.13.3";
 }

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -85,7 +85,7 @@ sub debug {
 
 
 # nixpkgs.system
-push @attrs, "nixpkgs.hostPlatform = lib.mkDefault \"@hostPlatformSystem@\";";
+push @attrs, "nixpkgs.hostPlatform = lib.mkDefault \"@system@\";";
 
 
 my $cpuinfo = read_file "/proc/cpuinfo";

nixos/modules/installer/tools/tools.nix

@@ -35,7 +35,7 @@ let
     name = "nixos-generate-config";
     src = ./nixos-generate-config.pl;
     perl = "${pkgs.perl.withPackages (p: [ p.FileSlurp ])}/bin/perl";
-    hostPlatformSystem = pkgs.stdenv.hostPlatform.system;
+    system = pkgs.stdenv.hostPlatform.system;
     detectvirt = "${config.systemd.package}/bin/systemd-detect-virt";
     btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
     inherit (config.system.nixos-generate-config) configuration desktopConfiguration;

nixos/modules/module-list.nix

@@ -328,8 +328,6 @@
   ./services/audio/spotifyd.nix
   ./services/audio/squeezelite.nix
   ./services/audio/tts.nix
-  ./services/audio/wyoming/faster-whisper.nix
-  ./services/audio/wyoming/piper.nix
   ./services/audio/ympd.nix
   ./services/backup/automysqlbackup.nix
   ./services/backup/bacula.nix
@@ -779,7 +777,6 @@
   ./services/monitoring/uptime-kuma.nix
   ./services/monitoring/uptime.nix
   ./services/monitoring/vmagent.nix
-  ./services/monitoring/vmalert.nix
   ./services/monitoring/vnstat.nix
   ./services/monitoring/zabbix-agent.nix
   ./services/monitoring/zabbix-proxy.nix
@@ -810,7 +807,6 @@
   ./services/network-filesystems/xtreemfs.nix
   ./services/network-filesystems/yandex-disk.nix
   ./services/networking/3proxy.nix
-  ./services/networking/acme-dns.nix
   ./services/networking/adguardhome.nix
   ./services/networking/alice-lg.nix
   ./services/networking/amuled.nix
@@ -1012,7 +1008,6 @@
   ./services/networking/shorewall.nix
   ./services/networking/shorewall6.nix
   ./services/networking/shout.nix
-  ./services/networking/sitespeed-io.nix
   ./services/networking/skydns.nix
   ./services/networking/smartdns.nix
   ./services/networking/smokeping.nix
@@ -1190,7 +1185,6 @@
   ./services/web-apps/galene.nix
   ./services/web-apps/gerrit.nix
   ./services/web-apps/gotify-server.nix
-  ./services/web-apps/gotosocial.nix
   ./services/web-apps/grocy.nix
   ./services/web-apps/pixelfed.nix
   ./services/web-apps/healthchecks.nix

nixos/modules/programs/nano.nix

@@ -35,17 +35,8 @@ in
   ###### implementation
 
   config = lib.mkIf (cfg.nanorc != "" || cfg.syntaxHighlight) {
-    environment.etc.nanorc.text = lib.concatStringsSep LF (
-      ( lib.optionals cfg.syntaxHighlight [
-          "# The line below is added because value of programs.nano.syntaxHighlight is set to true"
-          ''include "${pkgs.nano}/share/nano/*.nanorc"''
-          ""
-      ])
-      ++ ( lib.optionals (cfg.nanorc != "") [
-        "# The lines below have been set from value of programs.nano.nanorc"
-        cfg.nanorc
-      ])
-    );
+    environment.etc.nanorc.text = lib.concatStrings [ cfg.nanorc
+      (lib.optionalString cfg.syntaxHighlight ''${LF}include "${pkgs.nano}/share/nano/*.nanorc"'') ];
   };
 
 }

nixos/modules/programs/wayland/river.nix

@@ -50,7 +50,7 @@ in {
         environment.systemPackages = optional (cfg.package != null) cfg.package ++ cfg.extraPackages;
 
         # To make a river session available if a display manager like SDDM is enabled:
-        services.xserver.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ];
+        programs.xwayland.enable = mkDefault true;
       }
       (import ./wayland-session.nix { inherit lib pkgs; })
     ]);

nixos/modules/programs/wayland/sway.nix

@@ -49,7 +49,7 @@ in {
       description = lib.mdDoc ''
         Sway package to use. Will override the options
         'wrapperFeatures', 'extraSessionCommands', and 'extraOptions'.
-        Set to `null` to not add any Sway package to your
+        Set to <code>null</code> to not add any Sway package to your
         path. This should be done if you want to use the Home Manager Sway
         module to install Sway.
       '';

nixos/modules/security/pam.nix

@@ -484,9 +484,6 @@ let
           optionalString cfg.mysqlAuth ''
             account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
           '' +
-          optionalString (config.services.kanidm.enablePam) ''
-            account sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user
-          '' +
           optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) ''
             account sufficient ${pkgs.sssd}/lib/security/pam_sss.so
           '' +
@@ -620,9 +617,6 @@ let
           optionalString use_ldap ''
             auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass
           '' +
-          optionalString config.services.kanidm.enablePam ''
-            auth sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user use_first_pass
-          '' +
           optionalString config.services.sssd.enable ''
             auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass
           '' +
@@ -659,9 +653,6 @@ let
           optionalString cfg.mysqlAuth ''
             password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
           '' +
-          optionalString config.services.kanidm.enablePam ''
-            password sufficient ${pkgs.kanidm}/lib/pam_kanidm.so
-          '' +
           optionalString config.services.sssd.enable ''
             password sufficient ${pkgs.sssd}/lib/security/pam_sss.so
           '' +
@@ -723,9 +714,6 @@ let
           optionalString cfg.mysqlAuth ''
             session optional ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
           '' +
-          optionalString config.services.kanidm.enablePam ''
-            session optional ${pkgs.kanidm}/lib/pam_kanidm.so
-          '' +
           optionalString config.services.sssd.enable ''
             session optional ${pkgs.sssd}/lib/security/pam_sss.so
           '' +
@@ -1310,7 +1298,6 @@ in
       # Include the PAM modules in the system path mostly for the manpages.
       [ pkgs.pam ]
       ++ optional config.users.ldap.enable pam_ldap
-      ++ optional config.services.kanidm.enablePam pkgs.kanidm
       ++ optional config.services.sssd.enable pkgs.sssd
       ++ optionals config.security.pam.krb5.enable [pam_krb5 pam_ccreds]
       ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
@@ -1377,9 +1364,6 @@ in
       optionalString use_ldap ''
          mr ${pam_ldap}/lib/security/pam_ldap.so,
       '' +
-      optionalString config.services.kanidm.enablePam ''
-        mr ${pkgs.kanidm}/lib/pam_kanidm.so,
-      '' +
       optionalString config.services.sssd.enable ''
         mr ${pkgs.sssd}/lib/security/pam_sss.so,
       '' +

nixos/modules/services/audio/wyoming/faster-whisper.nix

@@ -1,186 +0,0 @@
-{ config
-, lib
-, pkgs
-, ...
-}:
-
-let
-  cfg = config.services.wyoming.faster-whisper;
-
-  inherit (lib)
-    escapeShellArgs
-    mkOption
-    mdDoc
-    mkEnableOption
-    mkPackageOptionMD
-    types
-    ;
-
-  inherit (builtins)
-    toString
-    ;
-
-in
-
-{
-  options.services.wyoming.faster-whisper = with types; {
-    package = mkPackageOptionMD pkgs "wyoming-faster-whisper" { };
-
-    servers = mkOption {
-      default = {};
-      description = mdDoc ''
-        Attribute set of faster-whisper instances to spawn.
-      '';
-      type = types.attrsOf (types.submodule (
-        { ... }: {
-          options = {
-            enable = mkEnableOption (mdDoc "Wyoming faster-whisper server");
-
-            model = mkOption {
-              type = enum [
-                "tiny"
-                "tiny-int8"
-                "base"
-                "base-int8"
-                "small"
-                "small-int8"
-                "medium"
-                "medium-int8"
-              ];
-              default = "tiny-int8";
-              example = "medium-int8";
-              description = mdDoc ''
-                Name of the voice model to use.
-              '';
-            };
-
-            uri = mkOption {
-              type = strMatching "^(tcp|unix)://.*$";
-              example = "tcp://0.0.0.0:10300";
-              description = mdDoc ''
-                URI to bind the wyoming server to.
-              '';
-            };
-
-            device = mkOption {
-              # https://opennmt.net/CTranslate2/python/ctranslate2.models.Whisper.html#
-              type = types.enum [
-                "cpu"
-                "cuda"
-                "auto"
-              ];
-              default = "cpu";
-              description = mdDoc ''
-                Id of a speaker in a multi-speaker model.
-              '';
-            };
-
-            language = mkOption {
-              type = enum [
-                # https://github.com/home-assistant/addons/blob/master/whisper/config.yaml#L20
-                "auto" "af" "am" "ar" "as" "az" "ba" "be" "bg" "bn" "bo" "br" "bs" "ca" "cs" "cy" "da" "de" "el" "en" "es" "et" "eu" "fa" "fi" "fo" "fr" "gl" "gu" "ha" "haw" "he" "hi" "hr" "ht" "hu" "hy" "id" "is" "it" "ja" "jw" "ka" "kk" "km" "kn" "ko" "la" "lb" "ln" "lo" "lt" "lv" "mg" "mi" "mk" "ml" "mn" "mr" "ms" "mt" "my" "ne" "nl" "nn" "no" "oc" "pa" "pl" "ps" "pt" "ro" "ru" "sa" "sd" "si" "sk" "sl" "sn" "so" "sq" "sr" "su" "sv" "sw" "ta" "te" "tg" "th" "tk" "tl" "tr" "tt" "uk" "ur" "uz" "vi" "yi" "yo" "zh"
-              ];
-              example = "en";
-              description = mdDoc ''
-                The language used to to parse words and sentences.
-              '';
-            };
-
-            beamSize = mkOption {
-              type = ints.unsigned;
-              default = 1;
-              example = 5;
-              description = mdDoc ''
-                The number of beams to use in beam search.
-              '';
-              apply = toString;
-            };
-
-            extraArgs = mkOption {
-              type = listOf str;
-              default = [ ];
-              description = mdDoc ''
-                Extra arguments to pass to the server commandline.
-              '';
-              apply = escapeShellArgs;
-            };
-          };
-        }
-      ));
-    };
-  };
-
-  config = let
-    inherit (lib)
-      mapAttrs'
-      mkIf
-      nameValuePair
-    ;
-  in mkIf (cfg.servers != {}) {
-    systemd.services = mapAttrs' (server: options:
-      nameValuePair "wyoming-faster-whisper-${server}" {
-        description = "Wyoming faster-whisper server instance ${server}";
-        after = [
-          "network-online.target"
-        ];
-        wantedBy = [
-          "multi-user.target"
-        ];
-        serviceConfig = {
-          DynamicUser = true;
-          User = "wyoming-faster-whisper";
-          StateDirectory = "wyoming/faster-whisper";
-          # https://github.com/home-assistant/addons/blob/master/whisper/rootfs/etc/s6-overlay/s6-rc.d/whisper/run
-          ExecStart = ''
-            ${cfg.package}/bin/wyoming-faster-whisper \
-              --data-dir $STATE_DIRECTORY \
-              --download-dir $STATE_DIRECTORY \
-              --uri ${options.uri} \
-              --model ${options.model} \
-              --language ${options.language} \
-              --beam-size ${options.beamSize} ${options.extraArgs}
-          '';
-          CapabilityBoundingSet = "";
-          DeviceAllow = if builtins.elem options.device [ "cuda" "auto" ] then [
-            # https://docs.nvidia.com/dgx/pdf/dgx-os-5-user-guide.pdf
-            "/dev/nvidia1"
-            "/dev/nvidia2"
-            "/dev/nvidia3"
-            "/dev/nvidia4"
-            "/dev/nvidia-caps/nvidia-cap1"
-            "/dev/nvidia-caps/nvidia-cap2"
-            "/dev/nvidiactl"
-            "/dev/nvidia-modeset"
-            "/dev/nvidia-uvm"
-            "/dev/nvidia-uvm-tools"
-          ] else "";
-          DevicePolicy = "closed";
-          LockPersonality = true;
-          MemoryDenyWriteExecute = true;
-          PrivateDevices = true;
-          PrivateUsers = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectControlGroups = true;
-          ProtectProc = "invisible";
-          ProcSubset = "pid";
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-            "AF_UNIX"
-          ];
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          SystemCallArchitectures = "native";
-          SystemCallFilter = [
-            "@system-service"
-            "~@privileged"
-          ];
-          UMask = "0077";
-        };
-      }) cfg.servers;
-  };
-}

nixos/modules/services/audio/wyoming/piper.nix

@@ -1,174 +0,0 @@
-{ config
-, lib
-, pkgs
-, ...
-}:
-
-let
-  cfg = config.services.wyoming.piper;
-
-  inherit (lib)
-    escapeShellArgs
-    mkOption
-    mdDoc
-    mkEnableOption
-    mkPackageOptionMD
-    types
-    ;
-
-  inherit (builtins)
-    toString
-    ;
-
-in
-
-{
-  meta.buildDocsInSandbox = false;
-
-  options.services.wyoming.piper = with types; {
-    package = mkPackageOptionMD pkgs "wyoming-piper" { };
-
-    servers = mkOption {
-      default = {};
-      description = mdDoc ''
-        Attribute set of piper instances to spawn.
-      '';
-      type = types.attrsOf (types.submodule (
-        { ... }: {
-          options = {
-            enable = mkEnableOption (mdDoc "Wyoming Piper server");
-
-            piper = mkPackageOptionMD pkgs "piper-tts" { };
-
-            voice = mkOption {
-              type = str;
-              example = "en-us-ryan-medium";
-              description = mdDoc ''
-                Name of the voice model to use. See the following website for samples:
-                https://rhasspy.github.io/piper-samples/
-              '';
-            };
-
-            uri = mkOption {
-              type = strMatching "^(tcp|unix)://.*$";
-              example = "tcp://0.0.0.0:10200";
-              description = mdDoc ''
-                URI to bind the wyoming server to.
-              '';
-            };
-
-            speaker = mkOption {
-              type = ints.unsigned;
-              default = 0;
-              description = mdDoc ''
-                ID of a specific speaker in a multi-speaker model.
-              '';
-              apply = toString;
-            };
-
-            noiseScale = mkOption {
-              type = float;
-              default = 0.667;
-              description = mdDoc ''
-                Generator noise value.
-              '';
-              apply = toString;
-            };
-
-            noiseWidth = mkOption {
-              type = float;
-              default = 0.333;
-              description = mdDoc ''
-                Phoneme width noise value.
-              '';
-              apply = toString;
-            };
-
-            lengthScale = mkOption {
-              type = float;
-              default = 1.0;
-              description = mdDoc ''
-                Phoneme length value.
-              '';
-              apply = toString;
-            };
-
-            extraArgs = mkOption {
-              type = listOf str;
-              default = [ ];
-              description = mdDoc ''
-                Extra arguments to pass to the server commandline.
-              '';
-              apply = escapeShellArgs;
-            };
-          };
-        }
-      ));
-    };
-  };
-
-  config = let
-    inherit (lib)
-      mapAttrs'
-      mkIf
-      nameValuePair
-    ;
-  in mkIf (cfg.servers != {}) {
-    systemd.services = mapAttrs' (server: options:
-      nameValuePair "wyoming-piper-${server}" {
-        description = "Wyoming Piper server instance ${server}";
-        after = [
-          "network-online.target"
-        ];
-        wantedBy = [
-          "multi-user.target"
-        ];
-        serviceConfig = {
-          DynamicUser = true;
-          User = "wyoming-piper";
-          StateDirectory = "wyoming/piper";
-          # https://github.com/home-assistant/addons/blob/master/piper/rootfs/etc/s6-overlay/s6-rc.d/piper/run
-          ExecStart = ''
-            ${cfg.package}/bin/wyoming-piper \
-              --data-dir $STATE_DIRECTORY \
-              --download-dir $STATE_DIRECTORY \
-              --uri ${options.uri} \
-              --piper ${options.piper}/bin/piper \
-              --voice ${options.voice} \
-              --speaker ${options.speaker} \
-              --length-scale ${options.lengthScale} \
-              --noise-scale ${options.noiseScale} \
-              --noise-w ${options.noiseWidth} ${options.extraArgs}
-          '';
-          CapabilityBoundingSet = "";
-          DeviceAllow = "";
-          DevicePolicy = "closed";
-          LockPersonality = true;
-          MemoryDenyWriteExecute = true;
-          PrivateDevices = true;
-          PrivateUsers = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectControlGroups = true;
-          ProtectProc = "invisible";
-          ProcSubset = "pid";
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-            "AF_UNIX"
-          ];
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          SystemCallArchitectures = "native";
-          SystemCallFilter = [
-            "@system-service"
-            "~@privileged"
-          ];
-          UMask = "0077";
-        };
-      }) cfg.servers;
-  };
-}

nixos/modules/services/continuous-integration/buildkite-agents.nix

@@ -11,7 +11,7 @@ let
       default = null;
       description = lib.mdDoc description;
       type = types.nullOr types.lines;
-    } // (lib.optionalAttrs (example != null) { inherit example; });
+    } // (if example == null then {} else { inherit example; });
   };
   mkHookOptions = hooks: listToAttrs (map mkHookOption hooks);
 

nixos/modules/services/continuous-integration/github-runner.nix

@@ -21,5 +21,5 @@ in
     services.github-runners.${cfg.name} = cfg;
   };
 
-  meta.maintainers = with maintainers; [ veehaitch newam thomasjm ];
+  meta.maintainers = with maintainers; [ veehaitch newam ];
 }

nixos/modules/services/databases/foundationdb.md

@@ -6,7 +6,7 @@
 
 *Maintainer:* Austin Seipp
 
-*Available version(s):* 7.1.x
+*Available version(s):* 5.1.x, 5.2.x, 6.0.x
 
 FoundationDB (or "FDB") is an open source, distributed, transactional
 key-value store.
@@ -17,7 +17,7 @@ To enable FoundationDB, add the following to your
 {file}`configuration.nix`:
 ```
 services.foundationdb.enable = true;
-services.foundationdb.package = pkgs.foundationdb71; # FoundationDB 7.1.x
+services.foundationdb.package = pkgs.foundationdb52; # FoundationDB 5.2.x
 ```
 
 The {option}`services.foundationdb.package` option is required, and
@@ -66,7 +66,7 @@ necessary Python modules).
 ```ShellSession
 a@link> cat fdb-status.py
 #! /usr/bin/env nix-shell
-#! nix-shell -i python -p python pythonPackages.foundationdb71
+#! nix-shell -i python -p python pythonPackages.foundationdb52
 
 import fdb
 import json

nixos/modules/services/mail/exim.nix

@@ -116,8 +116,8 @@ in
       wantedBy = [ "multi-user.target" ];
       restartTriggers = [ config.environment.etc."exim.conf".source ];
       serviceConfig = {
-        ExecStart   = "!${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}";
-        ExecReload  = "!${coreutils}/bin/kill -HUP $MAINPID";
+        ExecStart   = "+${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}";
+        ExecReload  = "+${coreutils}/bin/kill -HUP $MAINPID";
         User        = cfg.user;
       };
       preStart = ''

nixos/modules/services/mail/maddy.nix

@@ -335,13 +335,12 @@ in {
       };
 
       secrets = lib.mkOption {
-        type = with types; listOf path;
+        type = lib.types.path;
         description = lib.mdDoc ''
-          A list of files containing the various secrets. Should be in the format
+          A file containing the various secrets. Should be in the format
           expected by systemd's `EnvironmentFile` directory. Secrets can be
           referenced in the format `{env:VAR}`.
         '';
-        default = [ ];
       };
 
     };
@@ -380,7 +379,7 @@ in {
             User = cfg.user;
             Group = cfg.group;
             StateDirectory = [ "maddy" ];
-            EnvironmentFile = cfg.secrets;
+            EnvironmentFile = lib.mkIf (cfg.secrets != null) "${cfg.secrets}";
           };
           restartTriggers = [ config.environment.etc."maddy/maddy.conf".source ];
           wantedBy = [ "multi-user.target" ];

nixos/modules/services/mail/public-inbox.nix

@@ -53,7 +53,9 @@ let
       # if running simultaneous services.
       NonBlocking = true;
       #LimitNOFILE = 30000;
-      User = config.users.users."public-inbox".name;
+      User =
+        lib.mkIf config.systemd.services."public-inbox-${srv}".confinement.enable
+          config.users.users."public-inbox".name;
       Group = config.users.groups."public-inbox".name;
       RuntimeDirectory = [
           "public-inbox-${srv}/perl-inline"
@@ -61,9 +63,7 @@ let
       RuntimeDirectoryMode = "700";
       # This is for BindPaths= and BindReadOnlyPaths=
       # to allow traversal of directories they create inside RootDirectory=
-      UMask = "0066";
-      StateDirectory = ["public-inbox"];
-      StateDirectoryMode = "0750";
+      UMask = "0026";
       WorkingDirectory = stateDir;
       BindReadOnlyPaths = [
           "/etc"
@@ -109,7 +109,6 @@ let
       SystemCallArchitectures = "native";
 
       # The following options are redundant when confinement is enabled
-      RootDirectory = "/var/empty";
       TemporaryFileSystem = "/";
       PrivateMounts = true;
       MountAPIVFS = true;
@@ -275,8 +274,9 @@ in
           default = {};
           description = lib.mdDoc "public inboxes";
           type = types.submodule {
-            # Support both global options like `services.public-inbox.settings.publicinbox.imapserver`
-            # and inbox specific options like `services.public-inbox.settings.publicinbox.foo.address`.
+            # Keeping in line with the tradition of unnecessarily specific types, allow users to set
+            # freeform settings either globally under the `publicinbox` section, or for specific
+            # inboxes through additional nesting.
             freeformType = with types; attrsOf (oneOf [ iniAtom (attrsOf iniAtom) ]);
 
             options.css = mkOption {
@@ -284,24 +284,12 @@ in
               default = [];
               description = lib.mdDoc "The local path name of a CSS file for the PSGI web interface.";
             };
-            options.imapserver = mkOption {
-              type = with types; listOf str;
-              default = [];
-              example = [ "imap.public-inbox.org" ];
-              description = lib.mdDoc "IMAP URLs to this public-inbox instance";
-            };
             options.nntpserver = mkOption {
               type = with types; listOf str;
               default = [];
               example = [ "nntp://news.public-inbox.org" "nntps://news.public-inbox.org" ];
               description = lib.mdDoc "NNTP URLs to this public-inbox instance";
             };
-            options.pop3server = mkOption {
-              type = with types; listOf str;
-              default = [];
-              example = [ "pop.public-inbox.org" ];
-              description = lib.mdDoc "POP3 URLs to this public-inbox instance";
-            };
             options.wwwlisting = mkOption {
               type = with types; enum [ "all" "404" "match=domain" ];
               default = "404";
@@ -445,8 +433,10 @@ in
       (mkIf cfg.imap.enable
         { public-inbox-imapd = mkMerge [(serviceConfig "imapd") {
           after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
+          environment.PI_DIR = "/var/lib/public-inbox/.public-inbox";
           requires = [ "public-inbox-init.service" ];
           serviceConfig = {
+            DynamicUser = !config.systemd.services."public-inbox-imapd".confinement.enable;
             ExecStart = escapeShellArgs (
               [ "${cfg.package}/bin/public-inbox-imapd" ] ++
               cfg.imap.args ++
@@ -459,8 +449,10 @@ in
       (mkIf cfg.http.enable
         { public-inbox-httpd = mkMerge [(serviceConfig "httpd") {
           after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
+          environment.PI_DIR = "/var/lib/public-inbox/.public-inbox";
           requires = [ "public-inbox-init.service" ];
           serviceConfig = {
+            DynamicUser = !config.systemd.services."public-inbox-httpd".confinement.enable;
             ExecStart = escapeShellArgs (
               [ "${cfg.package}/bin/public-inbox-httpd" ] ++
               cfg.http.args ++
@@ -498,8 +490,10 @@ in
       (mkIf cfg.nntp.enable
         { public-inbox-nntpd = mkMerge [(serviceConfig "nntpd") {
           after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
+          environment.PI_DIR = "/var/lib/public-inbox/.public-inbox";
           requires = [ "public-inbox-init.service" ];
           serviceConfig = {
+            DynamicUser = !config.systemd.services."public-inbox-nntpd".confinement.enable;
             ExecStart = escapeShellArgs (
               [ "${cfg.package}/bin/public-inbox-nntpd" ] ++
               cfg.nntp.args ++
@@ -520,6 +514,10 @@ in
           serviceConfig = {
             ExecStart = "${cfg.package}/bin/public-inbox-watch";
             ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+            StateDirectory = ["public-inbox"];
+            StateDirectoryMode = "0750";
+            User = config.users.users."public-inbox".name;
+            Group = config.users.groups."public-inbox".name;
           };
         }];
       })
@@ -573,15 +571,22 @@ in
               ls -1 "$inbox" | grep -q '^xap' ||
               ${cfg.package}/bin/public-inbox-index "$inbox"
             done
+
+            # Older versions of the module did not make inboxes group-readable.
+            # chmod -R g+r ${stateDir}/inboxes
           '';
           serviceConfig = {
             Type = "oneshot";
             RemainAfterExit = true;
             StateDirectory = [
+              "public-inbox"
               "public-inbox/.public-inbox"
               "public-inbox/.public-inbox/emergency"
               "public-inbox/inboxes"
             ];
+            StateDirectoryMode = "0750";
+            User = config.users.users."public-inbox".name;
+            Group = config.users.groups."public-inbox".name;
           };
         }];
       })

nixos/modules/services/mail/rspamd.nix

@@ -215,7 +215,7 @@ let
       text = v.extraConfig;
     })
     (filterAttrs (n: v: v.extraConfig != "") cfg.workers))
-    // (lib.optionalAttrs (cfg.extraConfig != "") {
+    // (if cfg.extraConfig == "" then {} else {
       "extra-config.inc".text = cfg.extraConfig;
     });
 in

nixos/modules/services/misc/atuin.nix

@@ -46,13 +46,6 @@ in
         description = mdDoc "Open ports in the firewall for the atuin server.";
       };
 
-      database = {
-        createLocally = mkOption {
-          type = types.bool;
-          default = true;
-          description = lib.mdDoc "Create the database and database user locally.";
-        };
-      };
     };
   };
 
@@ -72,8 +65,7 @@ in
 
     systemd.services.atuin = {
       description = "atuin server";
-      requires = lib.optionals cfg.database.createLocally [ "postgresql.service" ];
-      after = [ "network.target" ] ++ lib.optionals cfg.database.createLocally [ "postgresql.service" ] ;
+      after = [ "network.target" "postgresql.service" ];
       wantedBy = [ "multi-user.target" ];
 
       serviceConfig = {
@@ -88,7 +80,7 @@ in
         ATUIN_PORT = toString cfg.port;
         ATUIN_MAX_HISTORY_LENGTH = toString cfg.maxHistoryLength;
         ATUIN_OPEN_REGISTRATION = boolToString cfg.openRegistration;
-        ATUIN_DB_URI =  mkIf cfg.database.createLocally "postgresql:///atuin";
+        ATUIN_DB_URI = "postgresql:///atuin";
         ATUIN_PATH = cfg.path;
         ATUIN_CONFIG_DIR = "/run/atuin"; # required to start, but not used as configuration is via environment variables
       };

nixos/modules/services/misc/docker-registry.nix

@@ -49,14 +49,6 @@ in {
   options.services.dockerRegistry = {
     enable = mkEnableOption (lib.mdDoc "Docker Registry");
 
-    package = mkOption {
-      type = types.package;
-      description = mdDoc "Which Docker registry package to use.";
-      default = pkgs.docker-distribution;
-      defaultText = literalExpression "pkgs.docker-distribution";
-      example = literalExpression "pkgs.gitlab-container-registry";
-    };
-
     listenAddress = mkOption {
       description = lib.mdDoc "Docker registry host or ip to bind to.";
       default = "127.0.0.1";
@@ -125,7 +117,7 @@ in {
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
       script = ''
-        ${cfg.package}/bin/registry serve ${configFile}
+        ${pkgs.docker-distribution}/bin/registry serve ${configFile}
       '';
 
       serviceConfig = {
@@ -144,7 +136,7 @@ in {
       serviceConfig.Type = "oneshot";
 
       script = ''
-        ${cfg.package}/bin/registry garbage-collect ${configFile}
+        ${pkgs.docker-distribution}/bin/registry garbage-collect ${configFile}
         /run/current-system/systemd/bin/systemctl restart docker-registry.service
       '';
 

nixos/modules/services/misc/gitea.nix

@@ -498,8 +498,7 @@ in
 
     systemd.services.gitea = {
       description = "gitea";
-      after = [ "network.target" ] ++ optional usePostgresql "postgresql.service" ++ optional useMysql "mysql.service";
-      requires = optional usePostgresql "postgresql.service" ++ optional useMysql "mysql.service";
+      after = [ "network.target" ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service";
       wantedBy = [ "multi-user.target" ];
       path = [ cfg.package pkgs.git pkgs.gnupg ];