python3Packages.dramatiq: 2.0.1 -> 2.1.0

https://github.com/Bogdanp/dramatiq/compare/v2.0.1...v2.1.0
python3Packages.dramatiq: pin to setuptools 80
2026-06-06 13:23:41 +00:00 · 2026-05-30 03:53:23 +02:00 · 2026-05-30 03:53:23 +02:00 · 2026-05-30 03:53:23 +02:00 · 2026-05-30 03:53:22 +02:00 · 2026-05-30 03:53:22 +02:00
994 changed files with 17087 additions and 14819 deletions
--- a/.github/ISSUE_TEMPLATE/01_bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/01_bug_report.yml
@@ -36,7 +36,8 @@ body:
      options:
        - "Please select a version."
        - "- Unstable (26.11)"
-        - "- Stable (26.05)"
+        - "- Beta (26.05)"
+        - "- Stable (25.11)"
      default: 0
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml
+++ b/.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml
@@ -36,7 +36,8 @@ body:
      options:
        - "Please select a version."
        - "- Unstable (26.11)"
-        - "- Stable (26.05)"
+        - "- Beta (26.05)"
+        - "- Stable (25.11)"
      default: 0
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml
+++ b/.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml
@@ -36,7 +36,8 @@ body:
      options:
        - "Please select a version."
        - "- Unstable (26.11)"
-        - "- Stable (26.05)"
+        - "- Beta (26.05)"
+        - "- Stable (25.11)"
      default: 0
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/04_build_failure.yml
+++ b/.github/ISSUE_TEMPLATE/04_build_failure.yml
@@ -38,7 +38,8 @@ body:
      options:
        - "Please select a version."
        - "- Unstable (26.11)"
-        - "- Stable (26.05)"
+        - "- Beta (26.05)"
+        - "- Stable (25.11)"
      default: 0
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/05_update_request.yml
+++ b/.github/ISSUE_TEMPLATE/05_update_request.yml
@@ -38,7 +38,8 @@ body:
      options:
        - "Please select a version."
        - "- Unstable (26.11)"
-        - "- Stable (26.05)"
+        - "- Beta (26.05)"
+        - "- Stable (25.11)"
      default: 0
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/06_module_request.yml
+++ b/.github/ISSUE_TEMPLATE/06_module_request.yml
@@ -36,7 +36,8 @@ body:
      options:
        - "Please select a version."
        - "- Unstable (26.11)"
-        - "- Stable (26.05)"
+        - "- Beta (26.05)"
+        - "- Stable (25.11)"
      default: 0
    validations:
      required: true
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -9,7 +9,6 @@
          - '^release-'
          - '^staging-\d'
          - '^staging-next-\d'
-          - '^staging-nixos-\d'

 # NOTE: bsd, darwin and cross-compilation labels are handled by ofborg
 "6.topic: agda":
--- a/ci/OWNERS
+++ b/ci/OWNERS
@@ -56,12 +56,6 @@
 /pkgs/top-level/splice.nix                       @Ericson2314
 /pkgs/top-level/release-cross.nix                @Ericson2314
 /pkgs/top-level/by-name-overlay.nix              @infinisil @philiptaron
-/pkgs/top-level/config.nix                       @jopejoe1
-/pkgs/top-level/make-tarball.nix                 @jopejoe1
-/pkgs/top-level/packages-config.nix              @jopejoe1
-/pkgs/top-level/packages-info.nix                @jopejoe1
-/pkgs/top-level/release-lib.nix                  @jopejoe1
-/pkgs/top-level/release.nix                      @jopejoe1
 /pkgs/stdenv                                     @philiptaron @NixOS/stdenv
 /pkgs/stdenv/generic                             @Ericson2314 @NixOS/stdenv
 /pkgs/stdenv/generic/problems.nix                @infinisil
@@ -79,7 +73,6 @@

 ## Format generators/serializers
 /pkgs/pkgs-lib                                   @Stunkymonkey @h7x4
-/pkgs/pkgs-lib/formats/json2x                    @Stunkymonkey @h7x4 @figsoda

 # Nixpkgs build-support
 /pkgs/build-support/writers @lassulus
@@ -196,6 +189,8 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @Artturin @Ericson2314 @lo
 /maintainers/scripts/update-python-libraries  @mweinelt @natsukium
 /pkgs/by-name/up/update-python-libraries      @mweinelt @natsukium
 /pkgs/development/interpreters/python         @mweinelt @natsukium
+/pkgs/top-level/python-packages.nix                     @natsukium
+/pkgs/top-level/release-python.nix                      @natsukium

 # CUDA
 /pkgs/top-level/cuda-packages.nix             @NixOS/cuda-maintainers
--- a/doc/languages-frameworks/python.section.md
+++ b/doc/languages-frameworks/python.section.md
@@ -48,6 +48,7 @@ Based on the packages defined in `pkgs/top-level/python-packages.nix` an
 attribute set is created for each available Python interpreter. The available
 sets are

+* `pkgs.python27Packages`
 * `pkgs.python3Packages`
 * `pkgs.python311Packages`
 * `pkgs.python312Packages`
@@ -59,7 +60,9 @@ sets are

 and the aliases

+* `pkgs.python2Packages` pointing to `pkgs.python27Packages`
 * `pkgs.python3Packages` pointing to `pkgs.python313Packages`
+* `pkgs.pythonPackages` pointing to `pkgs.python2Packages`
 * `pkgs.pypy2Packages` pointing to `pkgs.pypy27Packages`
 * `pkgs.pypy3Packages` pointing to `pkgs.pypy310Packages`
 * `pkgs.pypyPackages` pointing to `pkgs.pypy2Packages`
@@ -284,27 +287,29 @@ because their behaviour is different:
 The `buildPythonPackage` function has a `overridePythonAttrs` method that can be
 used to override the package. In the following example we create an environment
 where we have the `blaze` package using an older version of `pandas`. We
-first override the Python package set, then instantiate an interpreter with
-that package set.
+override first the Python interpreter and pass `packageOverrides` which contains
+the overrides for packages in the package set.

 ```nix
 with import <nixpkgs> { };

 let
-  pythonPackages = python3Packages.overrideScope (
-    final: prev: {
-      pandas = prev.pandas.overridePythonAttrs (old: rec {
-        version = "0.19.1";
-        src = fetchPypi {
-          pname = "pandas";
-          inherit version;
-          hash = "sha256-JQn+rtpy/OA2deLszSKEuxyttqBzcAil50H+JDHUdCE=";
-        };
-      });
-    }
-  );
+  python = pkgs.python3.override {
+    packageOverrides = self: super: {
+      pandas = super.pandas.overridePythonAttrs (
+        finalAttrs: prevAttrs: {
+          version = "0.19.1";
+          src = fetchPypi {
+            pname = "pandas";
+            inherit (finalAttrs) version;
+            hash = "sha256-JQn+rtpy/OA2deLszSKEuxyttqBzcAil50H+JDHUdCE=";
+          };
+        }
+      );
+    };
+  };
 in
-(pythonPackages.python.withPackages (ps: [ ps.blaze ])).env
+(python.withPackages (ps: [ ps.blaze ])).env
 ```

 The next example shows a non trivial overriding of the `blas` implementation to
@@ -312,16 +317,15 @@ be used through out all of the Python package set:

 ```nix
 {
-  python3PackagesWithBlas = python3Packages.overrideScope (
-    final: prev: {
+  python3MyBlas = pkgs.python3.override {
+    packageOverrides = self: super: {
      # We need toPythonModule for the package set to evaluate this
-      blas = final.toPythonModule (prev.blas.override { blasProvider = final.mkl; });
-      lapack = final.toPythonModule (prev.lapack.override { lapackProvider = final.mkl; });
-    }
-  );
+      blas = super.toPythonModule (super.pkgs.blas.override { blasProvider = super.pkgs.mkl; });
+      lapack = super.toPythonModule (super.pkgs.lapack.override { lapackProvider = super.pkgs.mkl; });
+    };
+  };
 }
 ```
-This will create a new Python package set with the blas and lapack implementation set to Intel MKL.

 This is particularly useful for numpy and scipy users who want to gain speed with other blas implementations.
 Note that using `scipy = super.scipy.override { blas = super.pkgs.mkl; };` will likely result in
@@ -453,10 +457,11 @@ Note that overriding packages deeper in the dependency graph _can_ work, but it'
 let
  pyproject = pkgs.lib.importTOML ./pyproject.toml;

-  myPython3Packages = pkgs.python3Packages.overrideScope (
-    final: _: {
+  myPython = pkgs.python.override {
+    self = myPython;
+    packageOverrides = pyfinal: pyprev: {
      # An editable package with a script that loads our mutable location
-      my-editable = final.mkPythonEditablePackage {
+      my-editable = pyfinal.mkPythonEditablePackage {
        # Inherit project metadata from pyproject.toml
        pname = pyproject.project.name;
        inherit (pyproject.project) version;
@@ -467,10 +472,10 @@ let
        # Inject a script (other PEP-621 entrypoints are also accepted)
        inherit (pyproject.project) scripts;
      };
-    }
-  );
+    };
+  };

-  pythonEnv = myPython3Packages.python.withPackages (ps: [ ps.my-editable ]);
+  pythonEnv = myPython.withPackages (ps: [ ps.my-editable ]);

 in
 pkgs.mkShell { packages = [ pythonEnv ]; }
@@ -570,6 +575,9 @@ In contrast to [`python.buildEnv`](#python.buildenv-function), [`python.withPack
 more advanced options such as `ignoreCollisions = true` or `postBuild`. If you
 need them, you have to use [`python.buildEnv`](#python.buildenv-function).

+Python 2 namespace packages may provide `__init__.py` that collide. In that case
+[`python.buildEnv`](#python.buildenv-function) should be used with `ignoreCollisions = true`.
+
 #### Setup hooks {#setup-hooks}

 The following are setup hooks specifically for Python packages. Most of these
@@ -621,9 +629,10 @@ buildPythonPackage.override { stdenv = customStdenv; } {

 Several versions of the Python interpreter are available on Nix, as well as a
 high amount of packages. The attribute `python3` refers to the default
-interpreter, which is currently CPython 3.13. It is also possible to refer to
-specific versions, e.g., `python313` refers to CPython 3.13, and `pypy` refers
-to the default PyPy interpreter.
+interpreter, which is currently CPython 3.13. The attribute `python` refers to
+CPython 2.7 for backwards compatibility. It is also possible to refer to
+specific versions, e.g., `python313` refers to CPython 3.13, and `pypy` refers to
+the default PyPy interpreter.

 Python is used a lot, and in different ways. This affects also how it is
 packaged. In the case of Python on Nix, an important distinction is made between
@@ -635,6 +644,14 @@ In the Nixpkgs tree Python applications can be found throughout, depending on
 what they do, and are called from the main package set. Python libraries,
 however, are in separate sets, with one set per interpreter version.

+The interpreters have several common attributes. One of these attributes is
+`pkgs`, which is a package set of Python libraries for this specific
+interpreter. E.g., the `toolz` package corresponding to the default interpreter
+is `python3.pkgs.toolz`, and the CPython 3.13 version is `python313.pkgs.toolz`.
+The main package set contains aliases to these package sets, e.g.
+`pythonPackages` refers to `python.pkgs` and `python313Packages` to
+`python313.pkgs`.
+
 #### Installing Python and packages {#installing-python-and-packages}

 The Nix and NixOS manuals explain how packages are generally installed. In the
@@ -1004,7 +1021,7 @@ information. The output of the function is a derivation.

 An expression for `toolz` can be found in the Nixpkgs repository. As explained
 in the introduction of this Python section, a derivation of `toolz` is available
-for each interpreter version, e.g. `python313Packages.toolz` refers to the `toolz`
+for each interpreter version, e.g. `python313.pkgs.toolz` refers to the `toolz`
 derivation corresponding to the CPython 3.13 interpreter.

 The above example works when you're directly working on
@@ -1019,7 +1036,7 @@ with import <nixpkgs> { };

 (
  let
-    my_toolz = python313Packages.buildPythonPackage (finalAttrs: {
+    my_toolz = python313.pkgs.buildPythonPackage (finalAttrs: {
      pname = "toolz";
      version = "0.10.0";
      pyproject = true;
@@ -1029,7 +1046,7 @@ with import <nixpkgs> { };
        hash = "sha256-CP3V73yWSArRHBLUct4hrNMjWZlvaaUlkpm1QP66RWA=";
      };

-      build-system = [ python313Packages.setuptools ];
+      build-system = [ python313.pkgs.setuptools ];

      # has no tests
      doCheck = false;
@@ -1042,7 +1059,7 @@ with import <nixpkgs> { };
    });

  in
-  python313Packages.python.withPackages (
+  python313.withPackages (
    ps: with ps; [
      numpy
      my_toolz
@@ -1063,11 +1080,6 @@ of [`withPackages`](#python.withpackages-function) we used a `let` expression. Y
 `toolz` from the Nixpkgs package set this time, but instead took our own version
 that we introduced with the `let` expression.

-There is also a legacy API that can be accessed via `python3.pkgs`, which will also give access to
-the Python package set for a given interpreter. This API is not recommended to be used anymore
-because the package set at `python3.pkgs` is not spliced, while the package set at `python3Packages`
-is. This can lead to strange errors during cross-compilation, or if Python is used at build time.
-
 #### Handling dependencies {#handling-dependencies}

 Our example, `toolz`, does not have any dependencies on other Python packages or system libraries.
@@ -1705,22 +1717,27 @@ should also be done when packaging `A`.

 ### How to override a Python package? {#how-to-override-a-python-package}

-We can override the Python package set, then instantiate an interpreter with it.
-In the following example we rename the `pandas` package and build it.
+We can override the interpreter and pass `packageOverrides`. In the following
+example we rename the `pandas` package and build it.

 ```nix
 with import <nixpkgs> { };

-let
-  pythonPackages = python3Packages.overrideScope (
-    final: prev: {
-      pandas = prev.pandas.overridePythonAttrs {
-        name = "foo";
-      };
-    }
-  );
-in
-(pythonPackages.python.withPackages (ps: [ ps.pandas ])).env
+(
+  let
+    python =
+      let
+        packageOverrides = self: super: {
+          pandas = super.pandas.overridePythonAttrs (old: {
+            name = "foo";
+          });
+        };
+      in
+      pkgs.python313.override { inherit packageOverrides; };
+
+  in
+  python.withPackages (ps: [ ps.pandas ])
+).env
 ```

 Using `nix-build` on this expression will build an environment that contains the
@@ -1736,10 +1753,12 @@ the updated `scipy` version.
 ```nix
 with import <nixpkgs> { };

-let
-  pythonPackages = python313Packages.overrideScope (_: prev: { scipy = prev.scipy_0_17; });
-in
-(pythonPackages.python.withPackages (ps: [ ps.blaze ])).env
+(
+  let
+    packageOverrides = self: super: { scipy = super.scipy_0_17; };
+  in
+  (pkgs.python313.override { inherit packageOverrides; }).withPackages (ps: [ ps.blaze ])
+).env
 ```

 The requested package `blaze` depends on `pandas` which itself depends on `scipy`.
@@ -1753,16 +1772,14 @@ let
  pkgs = import <nixpkgs> { };
  newpkgs = import pkgs.path {
    overlays = [
-      (_: prev: {
+      (self: super: {
        python313 =
          let
-            pythonPackages = prev.python313Packages.overrideScope (
-              _: prev: {
-                numpy = prev.numpy_1_18;
-              }
-            );
+            packageOverrides = python-self: python-super: {
+              numpy = python-super.numpy_1_18;
+            };
          in
-          pythonPackages.python3;
+          super.python313.override { inherit packageOverrides; };
      })
    ];
  };
@@ -1903,8 +1920,9 @@ pkgs.mkShell rec {
 }
 ```

-In case the supplied venvShellHook is insufficient, you can define your own
-shell hook and adapt to your needs like in the following example:
+In case the supplied venvShellHook is insufficient, or when Python 2 support is
+needed, you can define your own shell hook and adapt to your needs like in the
+following example:

 ```nix
 with import <nixpkgs> { };
@@ -1917,6 +1935,8 @@ pkgs.mkShell rec {
  name = "impurePythonEnv";
  buildInputs = [
    pythonPackages.python
+    # Needed when using python 2.7
+    # pythonPackages.virtualenv
    # ...
  ];

@@ -1929,6 +1949,8 @@ pkgs.mkShell rec {
      echo "Skipping venv creation, '${venvDir}' already exists"
    else
      echo "Creating new venv environment in path: '${venvDir}'"
+      # Note that the module venv was only introduced in python 3, so for 2.7
+      # this needs to be replaced with a call to virtualenv
      ${pythonPackages.python.interpreter} -m venv "${venvDir}"
    fi

@@ -1955,17 +1977,19 @@ If you need to change a package's attribute(s) from `configuration.nix` you coul

 ```nix
 {
-  nixpkgs.config.packageOverrides = final: _: {
-    python3Packages = super.python3Packages.overrideScope (pySuper: {
-      twisted = pySuper.twisted.overridePythonAttrs {
-        src = final.fetchPypi {
-          pname = "Twisted";
-          version = "19.10.0";
-          hash = "sha256-c5S6fycq5yKnTz2Wnc9Zm8TvCTvDkgOHSKSQ8XJKUV0=";
-          extension = "tar.bz2";
-        };
+  nixpkgs.config.packageOverrides = super: {
+    python3 = super.python3.override {
+      packageOverrides = python-self: python-super: {
+        twisted = python-super.twisted.overridePythonAttrs (oldAttrs: {
+          src = super.fetchPypi {
+            pname = "Twisted";
+            version = "19.10.0";
+            hash = "sha256-c5S6fycq5yKnTz2Wnc9Zm8TvCTvDkgOHSKSQ8XJKUV0=";
+            extension = "tar.bz2";
+          };
+        });
      };
-    });
+    };
  };
 }
 ```
@@ -1981,7 +2005,7 @@ this snippet:

 ```nix
 {
-  myPythonPackages = python3Packages.overrideScope (final: super: { twisted = <...>; });
+  myPythonPackages = python3Packages.override { overrides = self: super: { twisted = <...>; }; };
 }
 ```

@@ -1990,17 +2014,19 @@ this snippet:
 Use the following overlay template:

 ```nix
-self: _: {
-  python3Packages = super.python3Packages.overrideScope (pySuper: {
-    twisted = pySuper.twisted.overrideAttrs {
-      src = final.fetchPypi {
-        pname = "Twisted";
-        version = "19.10.0";
-        hash = "sha256-c5S6fycq5yKnTz2Wnc9Zm8TvCTvDkgOHSKSQ8XJKUV0=";
-        extension = "tar.bz2";
-      };
+self: super: {
+  python = super.python.override {
+    packageOverrides = python-self: python-super: {
+      twisted = python-super.twisted.overrideAttrs (oldAttrs: {
+        src = super.fetchPypi {
+          pname = "Twisted";
+          version = "19.10.0";
+          hash = "sha256-c5S6fycq5yKnTz2Wnc9Zm8TvCTvDkgOHSKSQ8XJKUV0=";
+          extension = "tar.bz2";
+        };
+      });
    };
-  });
+  };
 }
 ```

--- a/doc/release-notes/rl-2605.section.md
+++ b/doc/release-notes/rl-2605.section.md
@@ -1,4 +1,4 @@
-# Nixpkgs 26.05 ("Yarara", 2026.05/30) {#sec-nixpkgs-release-26.05}
+# Nixpkgs 26.05 ("Yarara", 2026.05/??) {#sec-nixpkgs-release-26.05}

 ## Highlights {#sec-nixpkgs-release-26.05-highlights}
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -6,44 +6,6 @@
 - GCC has been updated from GCC 14 to GCC 15.
  This introduces some backwards incompatible changes; Refer to the [upstream porting guide](https://gcc.gnu.org/gcc-15/porting_to.html) for details.

- `glibc` has been updated to version 2.42.
-
-  This version no longer makes the stack executable when a shared library requires this. A symptom
-  is an error like
-
-  > cannot enable executable stack as shared object requires: Invalid argument
-
-  This is usually a bug. Please consider reporting it to the software maintainers.
-
-  In a lot of cases, the library requires the execstack by mistake only. The following workarounds exist:
-
-  * When building the shared library in question from source, use the following linker flags to force turning off the
-    executable flag:
-
-    ```nix
-    mkDerivation {
-      # …
-
-      env.NIX_LDFLAGS = "-z,noexecstack";
-    }
-    ```
-
-  * If the sources are not available, the execstack-flag can be cleared with `patchelf`:
-
-    ```
-    patchelf --clear-execstack binary-only.so
-    ```
-
-  * If the shared library to be loaded actually requires an executable stack and it isn't turned
-    on by the application loading it, you may force allowing that behavior by setting the
-    following environment variable:
-
-    ```
-    GLIBC_TUNABLES=glibc.rtld.execstack=2
-    ```
-
-    **Do not set this globally!** This makes your setup inherently less secure.
-
 - Node.js default version has been updated from 22 LTS to 24 LTS.
  This introduces some breaking changes; Refer to the [upstream migration article](https://nodejs.org/en/blog/migrations/v22-to-v24) for details.

@@ -112,8 +74,6 @@

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- `mdbook-linkcheck` has been removed as it is unmaintained and incompatible with the latest version of `mdbook`. Users can instead migrate to `mdbook-linkcheck2`.
-
 - The `nodePackages` package set has been removed entirely from nixpkgs. This package set was created to ease the maintenance burden of maintaining lots of
  NodeJS-based packages within nixpkgs, but became a burden itself. Over the past several releases, there has been a focus on removing it in favor of the more modern nixpkgs packaging strategies.
  After a long time, this package set has been deprecated and removed. If you are using its package set in your own config, please use the top-level packages instead.(i.e `pkgs.package-name` instead of `pkgs.nodePackages.package-name`).
@@ -151,23 +111,6 @@

 - `nodePackages.wavedrom-cli` has been removed, as it was unmaintained within nixpkgs.

- MATE packages have been moved to top level (e.g. if you previously added `pkgs.mate.caja` to `environment.systemPackages`, you will need to change it to `pkgs.caja`).
-
- `kratos` has been updated from 1.3.1 to [25.4.0](https://github.com/ory/kratos/releases/tag/v25.4.0). Upstream switched to a new versioning scheme (year.major.minor). Notable breaking changes:
-
-  - The `migrate sql` CLI command is now `migrate sql up`
-  - OIDC registration validation errors are now placed in the `default` node group instead of `oidc`
-  - Failed OIDC account linking returns HTTP 400 instead of 200
-
- `pdns` has been updated to version [v5.0.x](https://doc.powerdns.com/authoritative/changelog/5.0.html), which introduces breaking changes. Check out the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-5-0-0) for details.
-
- `geph` package's built-in GUI `geph5-client-gui` has been [removed](https://github.com/geph-official/geph5/commit/f2221fb8386312daf2cef05483ebb353ff48bdb4) by the upstream. All users who wish to continue using the GUI should install the `gephgui-wry`, which is consistent with the official release version.
-
- `xfsprogs` was updated to version 6.18.0, which enables parent pointers and exchange-range by default. Upstream recommends not to use these features with kernels older than 6.18.
-   GRUB2 is likely unable to boot from filesystems with these features enabled.
-
- `lunarvim` package has been removed, as it was abandoned upstream and relied on an old version of `neovim` to work properly.
-
 - `requireFile` now treats any `message` or `url` argument as a literal string, rather than subjecting it to Bash here-doc expansion.  This allows including strings like `$PWD` in the message without needing to know about and handle the undocumented Bash expansion.

 - `nodePackages.browserify` has been removed, as it was unmaintained within nixpkgs.
@@ -183,6 +126,8 @@
 - `kanata` now requires `karabiner-dk` version 6.0+ or later.
  The package has been updated to use the new `karabiner-dk` package and the `darwinDriver` output stays at the version defined in the package.

+- Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.
+
 - Keycloak has been updated to 26.6.X, bringing a lot of new features like federated client authentication, JWT authorization grants, workflows and the ability to do
  zero-downtime patch releases. Read more about [all the exciting new capabilities in keycloak 26.6 here](https://github.com/keycloak/keycloak/releases/tag/26.6.0)
  and [consult the migration guide to 26.6](https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-26-6-0) to find out whether this is a breaking
@@ -232,7 +177,7 @@

 - `iroh` has been removed and split up into `iroh-dns-server` and `iroh-relay`.

- The `xorg` package set has been deprecated, packages have moved to the top level.
+- the `xorg` package set has been deprecated, packages have moved to the top level.

 - `python3Packages.buildPythonPackage` and `python3Packages.buildPythonApplication` now throw errors in the presence of `pytestFlagsArray`.
  Please use [`pytestFlags` and `(enabled|disabled)(TestPaths|Tests|TestMarks)`](#using-pytestcheckhook) instead.
@@ -269,12 +214,23 @@
 - `jetbrains.plugins.addPlugins` no longer supports plugin names or ID strings.
  You can still use `addPlugins` with plugin derivations, such as plugins packaged outside of Nixpkgs.

+- The `programs.captive-browser` module no longer falls back on a setcap wrapper around udhcpc to discover your network's DNS server due to [GHSA-wc3r-c66x-8xmc](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc) (CVE-2026-25740). If you're using this module, you must either configure `programs.captive-browser.dhcp-dns` manually or enable one of NetworkManager, dhcpcd, or systemd-networkd.
+
 - NetBox was updated to `>= 4.5.5`. Have a look at the breaking changes
  of the [4.5 release](https://github.com/netbox-community/netbox/releases/tag/v4.5.0),
  make the required changes to your database, if needed, then upgrade by setting `services.netbox.package = pkgs.netbox_4_5;` in your configuration.

+- The `services.yggdrasil` module has been refactored with the following breaking changes:
+  - The `services.yggdrasil.configFile` option has been removed. Configuration should now be specified directly via `services.yggdrasil.settings`.
+  - The `services.yggdrasil.persistentKeys` option has been removed. To maintain persistent keys and IPv6 addresses across reboots, use `services.yggdrasil.settings.PrivateKeyPath` to securely load your private key from a file via systemd credentials. The private key must be in PEM format (PKCS #8).
+  - Storing `PrivateKey` directly in `settings` is now explicitly forbidden to prevent keys from being stored world-readable in the Nix store.
+  - If you previously used `configFile`, migrate your configuration to the `settings` option and extract the private key to a separate file referenced by `PrivateKeyPath`.
+  - If you previously used `persistentKeys`, convert your keys to PEM format and store them in a secure location accessible only to root, then reference them via `PrivateKeyPath`.
+
 - `pocket-id` has been updated to version 2 that contains [breaking changes](https://pocket-id.org/docs/setup/major-releases/migrate-v2).

+- `services.xserver` will now throw an error if an X11 driver specified in  `videoDriver(s)` cannot be found. Previously, unknown drivers would be silently ignored.
+
 - `asio` (standalone version of `boost::asio`) has been updated from 1.24.0 to 1.36.0. Some breaking changes were introduced between these
  two versions, and the one affected most was the removal of `asio::io_service` in favor of `asio::io_context` in 1.33.0. `asio_1_32_0` is
  retained for packages that have not completed migration. `asio_1_10` has been removed as no packages depend on it anymore.
@@ -297,6 +253,8 @@

 - Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.

+- The `services.avahi.wideArea` option now defaults to `false` as a mitigation against [`CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`](https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g).
+
 - `coreth` has been removed, as upstream has moved it into `avalanchego`.

 - `nodePackages.prebuild-install` was removed because it appeared to be unmaintained upstream.
@@ -326,6 +284,8 @@

 - `shisho` has been removed because it's archived. `semgrep`, `opengrep`, and `ast-grep` provide similar functionality.

+- `services.openssh.settings.AcceptEnv` is now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.
+
 - All Xfce packages have been moved to top level (e.g. if you previously added `pkgs.xfce.xfce4-whiskermenu-plugin` to `environment.systemPackages`, you will need to change it to `pkgs.xfce4-whiskermenu-plugin`). The `xfce` scope will be removed in NixOS 26.11.

 - The Dovecot IMAP server has been updated to version 2.4, with the `dovecot` attribute now referring to this backwards-incompatible version. The attribute `dovecot_2_3` refers to the previous version. The Pigeonhole plugin has been similarly updated to 2.4, with the version compatible with Dovecot 2.3 being at `dovecot_pigeonhole_0_5`. See <https://doc.dovecot.org/latest/installation/upgrade/2.3-to-2.4.html> for more information on how to upgrade.
@@ -336,8 +296,12 @@

 - `vimPlugins.nvim-treesitter` has been updated to `main` branch, which is a full and incompatible rewrite. If you can't or don't want to update, you should use `vimPlugins.nvim-treesitter-legacy`.

+- `services.taskchampion-sync-server` module has had an option `services.taskchampion-sync-server.dynamicUser` added to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.
+
 - Package `jellyseerr` has been renamed to `seerr` following the upstream rename.

+- The default packages in `services.jenkins.packages` have been dropped, since not every Jenkins installation needs any package at all. It's more reasonable to leave it empty and let users configure what they need.
+
 - The `pie` hardening flag has been removed and will now error, after being deprecated in 25.11. Compilers are expected to enable PIE by default, as has been common practice since 2016 outside of Nixpkgs. If a package needs `pie` disabled pass `-no-pie` in `CFLAGS`. It is unlikely this will be necessary in many cases; due to the prevalence of default PIE toolchains, most packages incompatible with PIE already pass `-no-pie`.

 - `pqos-wrapper` was removed as it has been unmaintained since 2022 and not widely used.
@@ -350,8 +314,6 @@

 - `linuxPackages.nvidiaPackages` now follows NVIDIA's official release branches by exposing `production`, `new_feature`, and `beta`. The convenience aliases `latest` (newer of `production` and `new_feature`) and `bleeding_edge` (newer of `latest` and `beta`) are provided; note that `beta` now refers strictly to the beta branch.

- `stestrCheckHook` was added: This test hook runs `stestr run`. You can disable tests with `disabledTests` and `disabledTestsRegex`.
-
 - `balatro` now supports the Google Play and Xbox PC versions of the game.  Pass the `apk` or `Assets.zip` as `balatro.override { src = "…" }`.

 - `uptime-kuma` has been updated to v2, which requires an automated migration that can take a few hours. **A backup is highly recommended.**
@@ -362,22 +324,16 @@

 - The `libcxxhardeningextensive` hardening flag has been **disabled** by default. Enabling it by default in 25.11 was unintentional and may have had a negative effect on performance in some cases. `libcxxhardeningfast` remains enabled by default.

- Wine has been updated to the 11.0 branch. Please check the [upstream announcement](https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0) for more details.
-
- Cinnamon has been updated to 6.6, please check the [upstream announcement](https://www.linuxmint.com/rel_zena_whatsnew.php) for more details.
-
- `rspamd` has been updated to 4.0. Please check the upstream [migration](https://docs.rspamd.com/tutorials/migration/#migration-to-rspamd-400) documentation, especially if you run a sharded Redis deployment.
-
- `hyphen` now supports over 40 language variants through `hyphenDicts` and now allows to enable all supported languages through `hyphenDicts.all`.
-
- `budgie` has been updated to 10.10, please check the [upstream announcement](https://buddiesofbudgie.org/blog/budgie-10-10-released) for more details.
-
 - The packages `ibtool`, `actool` and `re-plistbuddy` have been added, providing reimplementations of the corresponding proprietary Apple tools. They are more compatible with the originals than the previously existing `xcbuild` package, and should enable more darwin software to be built from source.

+- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows avoiding switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.
+
 - GNU Taler has been updated to version 1.3.
  This release focuses on getting everything ready for a deployment of GNU Taler by Magnet bank.
  For more details, see the [upstream release notes](https://www.taler.net/en/news/2025-13.html).

+- The `services.nextcloud-spreed-signaling` NixOS module has been added to facilitate declarative management of a standalone Spreed signaling server ("High Performance Backend" for Nextcloud Talk).
+
 - `collabora-desktop` The desktop version of Collabora Office is now available, package version `25.05.9.2-2`.

 - `fetchPnpmDeps` and `pnpmConfigHook` were added as top-level attributes, replacing the now deprecated `pnpm.fetchDeps` and `pnpm.configHook` attributes.
@@ -412,6 +368,8 @@

 - Updated `gonic` to 0.21.0. A full ("slow") scan is recommended after upgrading to v0.21.0 to pick up the newly scanned fields (contributors, ISRCs, record labels, per-track years, ARTIST_CREDIT).

+- the `autossh-ng` NixOS module was introduced as a simpler alternative to the existing `autossh` module.
+
 - Added `haskell.packages.microhs`, a set of Haskell packages built with MicroHs.

 - `gnuradio`: Overriding the `.pkgs` package set is now possible with a `packageOverrides` function, like with `python.pkgs` and other language-specific package sets.
@@ -430,6 +388,8 @@ gnuradioMinimal.override {
 }
 ```

+- Added `headplane` and `headplane-agent` packages, and `services.headplane` service.
+
 ## Nixpkgs Library {#sec-nixpkgs-release-26.05-lib}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -462,3 +422,4 @@ gnuradioMinimal.override {

 - The builder `php.buildComposerProject2` for PHP applications has been improved for better reliability and stability.

+- The `services.drupal` module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config yamls onto NixOS, and some new settings for managing variable content and filepaths.
--- a/doc/release-notes/rl-2611.section.md
+++ b/doc/release-notes/rl-2611.section.md
@@ -13,14 +13,8 @@
 - `hurl` has been updated to `8.x.x` which has some breaking changes. See [upstream changelog](https://github.com/Orange-OpenSource/hurl/releases/tag/8.0.0) for details.
 - `python3Packages.django-health-check` has been updated to major version 4. See its [migration guide](https://codingjoe.dev/django-health-check/migrate-to-v4/) and [changelog](https://github.com/codingjoe/django-health-check/releases/tag/4.0.0) for breaking changes.

- `libgdata` has been removed, as it was archived upstream and relied on the insecure libsoup 2.4.
-
- `uhttpmock` providing 0.0 ABI was removed. `uhttpmock_1_0` providing 1.0 ABI was renamed to `uhttpmock` and `uhttpmock_1_0` was kept as an alias.
-
 - `requireFile` now sets `meta.license = lib.licenses.unfree` by default. Users of `requireFile`-based derivations that preserve this default will need to explicitly allow their evaluation as described in [](#sec-allow-unfree).

- `librest` providing 0.7 ABI was removed. `librest_1_0` providing 1.0 ABI was renamed to `librest` and `librest_1_0` was kept as an alias.
-
 ## Other Notable Changes {#sec-nixpkgs-release-26.11-notable-changes}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
--- a/maintainers/github-teams.json
+++ b/maintainers/github-teams.json
@@ -309,7 +309,8 @@
    "members": {
      "AndersonTorres": 5954806,
      "adisbladis": 63286,
-      "panchoh": 471059
+      "panchoh": 471059,
+      "ttuegel": 563054
    },
    "name": "emacs"
  },
@@ -406,13 +407,12 @@
  "gnome": {
    "description": "Maintain GNOME desktop environment and platform.",
    "id": 3806133,
-    "maintainers": {
-      "jtojnar": 705123
-    },
+    "maintainers": {},
    "members": {
      "bobby285271": 20080233,
      "dasj19": 7589338,
-      "hedning": 71978
+      "hedning": 71978,
+      "jtojnar": 705123
    },
    "name": "GNOME"
  },
@@ -702,7 +702,6 @@
      "Mic92": 96200,
      "Radvendii": 1239929,
      "edolstra": 1148549,
-      "lisanna-dettwyler": 72424138,
      "lovesegfault": 7243783,
      "xokdvium": 145775305
    },
@@ -820,13 +819,14 @@
    "description": "Maintain the Qt framework, KDE application suite, Plasma desktop environment and related projects",
    "id": 4341481,
    "maintainers": {
-      "K900": 386765,
-      "NickCao": 15247171,
-      "SuperSandro2000": 7258858
+      "ttuegel": 563054
    },
    "members": {
      "FRidh": 2129135,
+      "K900": 386765,
      "LunNova": 782440,
+      "NickCao": 15247171,
+      "SuperSandro2000": 7258858,
      "bkchr": 5718007,
      "ilya-fedin": 17829319,
      "mjm": 1181,
@@ -896,7 +896,8 @@
    "id": 7304571,
    "maintainers": {
      "Mic92": 96200,
-      "winterqt": 78392041
+      "winterqt": 78392041,
+      "zowoq": 59103226
    },
    "members": {},
    "name": "rust"
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -4567,12 +4567,6 @@
    githubId = 53847249;
    name = "Casey Avila";
  };
-  castorNova2 = {
-    email = "solemnsquire@gmail.com";
-    github = "castorNova2";
-    githubId = 84083897;
-    name = "Nidhish Chauhan";
-  };
  catap = {
    email = "kirill@korins.ky";
    github = "catap";
@@ -11717,12 +11711,6 @@
    githubId = 7348004;
    name = "Benjamin Levy";
  };
-  iogamaster = {
-    email = "iogamastercode+nixpkgs@gmail.com";
-    name = "IogaMaster";
-    github = "IogaMaster";
-    githubId = 67164465;
-  };
  ionutnechita = {
    email = "ionut_n2001@yahoo.com";
    github = "ionutnechita";
@@ -14386,6 +14374,12 @@
    githubId = 451835;
    name = "Kirill Elagin";
  };
+  kirikaza = {
+    email = "k@kirikaza.ru";
+    github = "kirikaza";
+    githubId = 804677;
+    name = "Kirill Kazakov";
+  };
  kirillrdy = {
    email = "kirillrdy@gmail.com";
    github = "kirillrdy";
@@ -16483,12 +16477,6 @@
    githubId = 8094643;
    keys = [ { fingerprint = "BAA9 7711 58CA D457 B4AE  8B06 8188 423D 2FA2 0A65"; } ];
  };
-  m4r1vs = {
-    email = "marius.niveri@gmail.com";
-    name = "Marius Niveri";
-    github = "m4r1vs";
-    githubId = 26097311;
-  };
  m7medvision = {
    name = "Mohammed";
    github = "m7medVision";
@@ -18739,10 +18727,10 @@
    keys = [ { fingerprint = "3B66 ACFA D10F 02AA B1D5  2CB1 8DD0 D81D 7D1F C61A"; } ];
  };
  mshnwq = {
-    email = "hmachnouk@proton.me";
+    email = "mshnwq.com@gmail.com";
    github = "mshnwq";
    githubId = 68467027;
-    name = "Mshnwq";
+    name = "Hayan Al-Machnouk";
  };
  msiedlarek = {
    email = "mikolaj@siedlarek.pl";
@@ -19411,11 +19399,6 @@
    githubId = 79978224;
    name = "winston";
  };
-  nelind = {
-    name = "Nel";
-    github = "nelind3";
-    githubId = 57587152;
-  };
  nelsonjeppesen = {
    email = "nix@jeppesen.io";
    github = "NelsonJeppesen";
@@ -23387,6 +23370,12 @@
    githubId = 6047658;
    name = "Ryan Horiguchi";
  };
+  rht = {
+    email = "rhtbot@protonmail.com";
+    github = "rht";
+    githubId = 395821;
+    name = "rht";
+  };
  rhydianjenkins = {
    name = "Rhydian Jenkins";
    github = "RhydianJenkins";
@@ -23422,13 +23411,6 @@
    githubId = 61013287;
    name = "Ricardo Steijn";
  };
-  ricardomaps = {
-    email = "ricardomapurungajunior@gmail.com";
-    github = "ricardomaps";
-    githubId = 49507078;
-    name = "Ricardo Mapurunga Junior";
-    matrix = "@ricmaps:matrix.org";
-  };
  richar = {
    github = "ri-char";
    githubId = 17962023;
@@ -26137,12 +26119,6 @@
    name = "sportshead";
    keys = [ { fingerprint = "A6B6 D031 782E BDF7 631A  8E7E A874 DB2C BFD3 CFD0"; } ];
  };
-  spotdemo4 = {
-    email = "me@trev.xyz";
-    github = "spotdemo4";
-    githubId = 3732640;
-    name = "spotdemo4";
-  };
  spreetin = {
    email = "spreetin@protonmail.com";
    name = "David Falk";
@@ -29677,11 +29653,6 @@
      }
    ];
  };
-  wilaz = {
-    name = "Wilaz";
-    github = "Wilaz";
-    githubId = 98198668;
-  };
  wildsebastian = {
    name = "Sebastian Wild";
    email = "sebastian@wild-siena.com";
--- a/maintainers/team-list.nix
+++ b/maintainers/team-list.nix
@@ -662,6 +662,7 @@ with lib.maintainers;
  python = {
    members = [
      hexa
+      natsukium
    ];
    scope = "Maintain the Python interpreter and related packages.";
    shortName = "Python";
--- a/nixos/doc/manual/release-notes/rl-2605.section.md
+++ b/nixos/doc/manual/release-notes/rl-2605.section.md
@@ -1,4 +1,4 @@
-# Release 26.05 ("Yarara", 2026.05/30) {#sec-release-26.05}
+# Release 26.05 ("Yarara", 2026.05/??) {#sec-release-26.05}

 ## Highlights {#sec-release-26.05-highlights}

@@ -60,10 +60,6 @@

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- [](#opt-services.autossh-ng.sessions) NixOS module was introduced as a simpler alternative to the existing [](#opt-services.autossh.sessions) module.
-
- [services.nextcloud-spreed-signaling](#opt-services.nextcloud-spreed-signaling.enable) NixOS module has been added to facilitate declarative management of a standalone Spreed signaling server ("High Performance Backend" for Nextcloud Talk).
-
 - [OpenThread Border Router](https://openthread.io/), a Thread border router for POSIX-based platforms that bridges Thread mesh networks to IP networks. Available as [services.openthread-border-router](#opt-services.openthread-border-router.enable).

 - [Atuin](https://atuin.sh), magical shell history — sync, search and backup your terminal history. Available as [programs.atuin](#opt-programs.atuin.enable).
@@ -73,9 +69,9 @@

 - [Goupile](https://goupile.org/en), an open-source design tool for secure forms including Clinical Report Forms (eCRF). Available as [services.goupile](#opt-services.goupile.enable).

- [knot-resolver](https://www.knot-resolver.cz/), in version 6. Available as [services.knot-resolver](#opt-services.knot-resolver.enable). A module for knot-resolver 5 was already available as [services.kresd](#opt-services.kresd.enable).
+- [knot-resolver](https://www.knot-resolver.cz/), in version 6. Available as `services.knot-resolver`. A module for knot-resolver 5 was already available as `services.kresd`.

- [ImmichFrame](https://immichframe.dev/), display your photos from Immich as a digital photo frame. Available as [services.immichframe](#opt-services.immichframe.enable).
+- [ImmichFrame](https://immichframe.dev/), display your photos from Immich as a digital photo frame. Available as `services.immichframe`.

 - [PdfDing](https://www.pdfding.com/), manage, view and edit your PDFs seamlessly on all your devices wherever you are. Available as [services.pdfding](#opt-services.pdfding.enable).

@@ -83,7 +79,7 @@

 - [reaction](https://reaction.ppom.me/), a daemon that scans program outputs for repeated patterns, and takes action. A common usage is to scan ssh and webserver logs, and to ban hosts that cause multiple authentication errors. A modern alternative to fail2ban. Available as [services.reaction](#opt-services.reaction.enable).

- [vinyl-cache](https://vinyl-cache.org) as the Varnish Cache project renamed itself. Available as [services.vinyl-cache](#opt-services.vinyl-cache.enable). To aid the migration, the old [services.varnish](#opt-services.varnish.enable) module is still available.
+- [vinyl-cache](https://vinyl-cache.org) as the Varnish Cache project renamed itself. Available as [services.vinyl-cache](#opt-services.vinyl-cache.enable). To aid the migration, the old `services.varnish` module is still available.

 - [papra](https://papra.app/), an open-source document management platform designed to help you organize, secure, and archive your files effortlessly. Available as [services.papra](#opt-services.papra.enable).

@@ -107,7 +103,7 @@

 - [bentopdf](https://github.com/alam00000/bentopdf), a privacy-first PDF toolkit running completely in-browser. Available as [services.bentopdf](#opt-services.bentopdf.enable).

- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as [services.hyprwhspr-rs](#opt-services.hyprwhspr-rs.enable).
+- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as `services.hyprwhspr-rs`.

 - [DankMaterialShell](https://danklinux.com), a complete desktop shell for Wayland compositors built with Quickshell. Available as [programs.dms-shell](#opt-programs.dms-shell.enable).

@@ -135,19 +131,19 @@

 - [Dawarich](https://dawarich.app/), a self-hostable location history tracker. Available as [services.dawarich](#opt-services.dawarich.enable).

- [Howdy](https://github.com/boltgolt/howdy), a Windows Hello™ style facial authentication program for Linux. Available as [services.howdy](#opt-services.howdy.enable)
+- [Howdy](https://github.com/boltgolt/howdy), a Windows Hello™ style facial authentication program for Linux.

- [SuiteNumérique Drive](https://github.com/suitenumerique/drive), a collaborative file sharing and document management platform that scales. Built with Django and React. Open source alternative to Sharepoint or Google Drive. Available as [services.lasuite-drive](#opt-services.lasuite-drive.enable).
+- [SuiteNumérique Drive](https://github.com/suitenumerique/drive), a collaborative file sharing and document management platform that scales. Built with Django and React. Open source alternative to Sharepoint or Google Drive.

- [linux-enable-ir-emitter](https://github.com/EmixamPP/linux-enable-ir-emitter), a tool used to set up IR cameras, used with Howdy. Available as [services.linux-enable-ir-emitter](#opt-services.linux-enable-ir-emitter.enable).
+- [linux-enable-ir-emitter](https://github.com/EmixamPP/linux-enable-ir-emitter), a tool used to set up IR cameras, used with Howdy.

- [udp-over-tcp](https://github.com/mullvad/udp-over-tcp), a tunnel for proxying UDP traffic over a TCP stream. Available as [](#opt-services.udp-over-tcp.udp2tcp) and [](#opt-services.udp-over-tcp.tcp2udp).
+- [udp-over-tcp](https://github.com/mullvad/udp-over-tcp), a tunnel for proxying UDP traffic over a TCP stream. Available as `services.udp-over-tcp`.

 - [turborepo-remote-cache](https://ducktors.github.io/turborepo-remote-cache/), an open-source implementation of the [Turborepo custom remote cache server](https://turbo.build/repo/docs/core-concepts/remote-caching#self-hosting). Available as [services.turborepo-remote-cache](#opt-services.turborepo-remote-cache.enable).

- [RSSHub](https://github.com/DIYgod/RSSHub), a service to convert many sources into rss. Available as [services.rsshub](#opt-services.rsshub.enable).
+- [RSSHub](https://github.com/DIYgod/RSSHub), a service to convert many sources into rss. Available as `services.rsshub`.

- [ReFrame](https://github.com/AlynxZhou/reframe), a DRM/KMS based remote desktop for Linux that supports Wayland/NVIDIA/headless/login. Available as [services.reframe](#opt-services.reframe.enable)
+- [ReFrame](https://github.com/AlynxZhou/reframe), a DRM/KMS based remote desktop for Linux that supports Wayland/NVIDIA/headless/login.

 - [Komodo Periphery](https://github.com/moghtech/komodo), a multi-server Docker and Git deployment agent by Komodo. Available as [services.komodo-periphery](#opt-services.komodo-periphery.enable).

@@ -163,7 +159,7 @@

 - [Headplane](https://headplane.net), a feature-complete Web UI for Headscale. Available as [services.headplane](#opt-services.headplane.enable).

- [whois](https://packages.qa.debian.org/w/whois.html), an intelligent WHOIS client. Available as [programs.whois](#opt-programs.whois.enable).
+- [whois](https://packages.qa.debian.org/w/whois.html), an intelligent WHOIS client. Available as `programs.whois`.

 - [porxie](https://codeberg.org/Blooym/porxie), a correct and efficient ATProto blob proxy for secure content delivery. Available as [services.porxie](#opt-services.porxie.enable).

@@ -173,25 +169,6 @@

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- [](#opt-services.openssh.settings.AcceptEnv) is now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.
-
- The default packages in [](#opt-services.jenkins.packages) have been dropped, since not every Jenkins installation needs any package at all. It's more reasonable to leave it empty and let users configure what they need.
-
- [services.taskchampion-sync-server](#opt-services.taskchampion-sync-server.enable) module has had an option [](#opt-services.taskchampion-sync-server.dynamicUser) added to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.
-
- The [programs.captive-browser](#opt-programs.captive-browser.enable) module no longer falls back on a setcap wrapper around udhcpc to discover your network's DNS server due to [GHSA-wc3r-c66x-8xmc](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc) (CVE-2026-25740). If you're using this module, you must either configure [](#opt-programs.captive-browser.dhcp-dns) manually or enable one of NetworkManager, dhcpcd, or systemd-networkd.
-
- The [services.yggdrasil](#opt-services.yggdrasil.enable) module has been refactored with the following breaking changes:
-  - The `services.yggdrasil.configFile` option has been removed. Configuration should now be specified directly via [](#opt-services.yggdrasil.settings).
-  - The `services.yggdrasil.persistentKeys` option has been removed. To maintain persistent keys and IPv6 addresses across reboots, use [](#opt-services.yggdrasil.settings.PrivateKeyPath) to securely load your private key from a file via systemd credentials. The private key must be in PEM format (PKCS #8).
-  - Storing `PrivateKey` directly in `settings` is now explicitly forbidden to prevent keys from being stored world-readable in the Nix store.
-  - If you previously used `configFile`, migrate your configuration to the `settings` option and extract the private key to a separate file referenced by `PrivateKeyPath`.
-  - If you previously used `persistentKeys`, convert your keys to PEM format and store them in a secure location accessible only to root, then reference them via `PrivateKeyPath`.
-
- [services.xserver](#opt-services.xserver.enable) will now throw an error if an X11 driver specified in  `videoDriver(s)` cannot be found. Previously, unknown drivers would be silently ignored.
-
- The [](#opt-services.avahi.wideArea) option now defaults to `false` as a mitigation against [`CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`](https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g).
-
 - `systemd.coredump.extraConfig` has been removed in favor of the structured [](#opt-systemd.coredump.settings.Coredump) option. Use `systemd.coredump.settings.Coredump` to set any `coredump.conf(5)` option directly. For example, replace `systemd.coredump.extraConfig = "Storage=journal";` with `systemd.coredump.settings.Coredump.Storage = "journal";`.

 - `services.home-assistant.config.lovelace.mode` has been renamed to `lovelace.dashboards` and `lovelace.resource_mode` to match the [configuration format](https://www.home-assistant.io/dashboards/dashboards/) required by Home Assistant 2026.8. Users who explicitly set `lovelace.mode` should remove it; the module generates the correct entries automatically.
@@ -209,9 +186,9 @@

 - `services.crabfit` was removed because its upstream packages are unmaintained and insecure.

- [services.opensnitch.settings.Rules.Path](#opt-services.opensnitch.settings.Rules.Path) now defaults to `/var/lib/opensnitch/rules` instead of the previous `/etc/opensnitchd/rules` because it contains mutable data.
+- `services.opensnitch.settings.Rules.Path` now defaults to `/var/lib/opensnitch/rules` instead of the previous `/etc/opensnitchd/rules` because it contains mutable data.

- [services.mosquitto](#opt-services.mosquitto.enable) now generates per-listener authentication and access control via the upstream `password-file` and `acl-file` plugins instead of the deprecated `password_file` and `acl_file` options. The plugins contain the same code, so behaviour is unchanged, but [](#opt-services.mosquitto.package) must now be at least version 2.1.
+- `services.mosquitto` now generates per-listener authentication and access control via the upstream `password-file` and `acl-file` plugins instead of the deprecated `password_file` and `acl_file` options. The plugins contain the same code, so behaviour is unchanged, but [](#opt-services.mosquitto.package) must now be at least version 2.1.

 - `sing-box` has been updated to 1.13.0, which has removed some deprecated options.  See [upstream documentation](https://sing-box.sagernet.org/configuration/) for details and migration options.

@@ -232,7 +209,7 @@

 - `linux_hardened` kernel has been removed due to a lack of maintenance.

- [services.tandoor-recipes](#opt-services.tandoor-recipes.enable) now uses a sub-directory for media files by default starting with `26.05`. Existing setups should move media files out of the data directory and adjust `services.tandoor-recipes.extraConfig.MEDIA_ROOT` accordingly. See [Migrating media files for pre 26.05 installations](#module-services-tandoor-recipes-migrating-media).
+- `services.tandoor-recipes` now uses a sub-directory for media files by default starting with `26.05`. Existing setups should move media files out of the data directory and adjust `services.tandoor-recipes.extraConfig.MEDIA_ROOT` accordingly. See [Migrating media files for pre 26.05 installations](#module-services-tandoor-recipes-migrating-media).

 - `linux-rt` kernel has been removed due to a lack of maintenance.

@@ -244,10 +221,10 @@

 - `services.uptime` has been removed because the package it relies on does not exist anymore in nixpkgs.

- [services.mattermost](#opt-services.mattermost.enable) now defaults to version 11, which has dropped support for MySQL in favor of Postgres. As a result, all support for MySQL has been removed from the module.
+- `services.mattermost` now defaults to version 11, which has dropped support for MySQL in favor of Postgres. As a result, all support for MySQL has been removed from the module.
  See the [migration steps](https://docs.mattermost.com/deployment-guide/manual-postgres-migration.html) if you were not running Postgres.
  Note that version 11 also restricts the user limit to 250 [by default](https://forum.mattermost.com/t/clarification-request-on-user-limits-max-250-user-server-v-11/25309);
-  see the `pkgs.mattermost` removeUserLimit and removeFreeBadge options combined with [](#opt-services.mattermost.package) to change this behavior. For example:
+  see the `pkgs.mattermost` removeUserLimit and removeFreeBadge options combined with `services.mattermost.package` to change this behavior. For example:

 ```nix
 {
@@ -260,10 +237,10 @@

 - `post-resume.target` has been removed. See {manpage}`systemd.special(7)` about `sleep.target` for instructions on ordering a process after resume with `ExecStop=`.

- [services.vsftpd](#opt-services.vsftpd.enable) no longer automatically configures a PAM module.  This means configurations using [](#opt-services.vsftpd.localUsers) will no longer work unless [](#opt-services.vsftpd.enableVirtualUsers) and [](#opt-services.vsftpd.userDbPath) are also configured.  The old behaviour can be restored by setting `security.pam.services.vsftpd.enable = true`, although this only ever worked by accident and may not be secure.
+- `services.vsftpd` no longer automatically configures a PAM module.  This means configurations using `services.vsftpd.localUsers` will no longer work unless `services.vsftpd.enableVirtualUsers` and `services.vsftpd.userDbPath` are also configured.  The old behaviour can be restored by setting `security.pam.services.vsftpd.enable = true`, although this only ever worked by accident and may not be secure.

- `services.kubernetes.addons.dns.coredns` has been renamed to [](#opt-services.kubernetes.addons.dns.corednsImage) and now expects a
-package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with `dockerTools.buildImage` is used, instead
+- `services.kubernetes.addons.dns.coredns` has been renamed to `services.kubernetes.addons.dns.corednsImage` and now expects a
+package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with dockerTools.buildImage is used, instead
 of pulling the upstream container image from Docker Hub. If you want the old behavior, you can set:

 ```nix
@@ -277,7 +254,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
 }
 ```

- `services.stalwart-mail` has been renamed to [`services.stalwart`](#opt-services.stalwart.enable) to align with upstream re-brand as an e-mail and collaboration server. Other notable breaking changes to module:
+- `services.stalwart-mail` has been renamed to `services.stalwart` to align with upstream re-brand as an e-mail and collaboration server. Other notable breaking changes to module:

  - Addition of module-specific `stateVersion` option, which on existing installations of Stalwart must be set to the same as `system.stateVersion`.

@@ -287,9 +264,9 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
  - Default value for `services.stalwart.dataDir` has changed to `/var/lib/stalwart`. If `stateVersion` is older than `26.05`, will fallback to legacy value of `/var/lib/stalwart-mail`.
  - Default tracer name and type have changed to `journal`. If `stateVersion` is older than `26.05`, will fallback to legacy value of `stdout`.

- `services.eintopf` has been renamed to [services.lauti](#opt-services.lauti.enable) to align with upstream re-brand as a community online calendar.
+- `services.eintopf` has been renamed to `services.lauti` to align with upstream re-brand as a community online calendar.

- `services.oauth2-proxy.clientSecret` and `services.oauth2-proxy.cookie.secret` have been replaced with [](#opt-services.oauth2-proxy.clientSecretFile) and [](#opt-services.oauth2-proxy.cookie.secretFile) respectively. This was done to ensure secrets don't get made world-readable.
+- `services.oauth2-proxy.clientSecret` and `services.oauth2-proxy.cookie.secret` have been replaced with `services.oauth2-proxy.clientSecretFile` and `services.oauth2-proxy.cookie.secretFile` respectively. This was done to ensure secrets don't get made world-readable.

 - [`services.grafana.settings.security.secret_key`](#opt-services.grafana.settings.security.secret_key) doesn't have a
  default value anymore. Please generate your own key or hard-code the old one ("SW2YcwTIb9zpOOhoPsMm") explicitly.
@@ -309,11 +286,18 @@ of pulling the upstream container image from Docker Hub. If you want the old beh

 - Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.

- [services.immich](#opt-services.immich.enable) no longer supports pgvecto.rs since the package has been removed from nixpkgs.
+- `services.headplane` has been updated to 0.6.2, which introduces several changes to the configuration schema:
+  - `services.headplane.settings.oidc.redirect_uri` is deprecated. Use `services.headplane.settings.server.base_url` instead; the OIDC redirect URI is now automatically derived from it. Ensure `base_url` is the bare host URL without the `/admin` suffix.
+  - `services.headplane.settings.oidc.user_storage_file` is deprecated. Headplane 0.6.2 still accepts it to migrate the old JSON user database into the new internal SQL database.
+  - `services.headplane.settings.oidc.strict_validation` is deprecated and has no effect.
+  - `services.headplane.settings.oidc.token_endpoint_auth_method` now defaults to `null` (auto-detection), which typically falls back to `client_secret_basic`. Previous versions defaulted to `client_secret_post`.
+  - `services.headplane.settings.integration.agent.cache_ttl` is deprecated and has no effect in 0.6.2.
+
+- `services.immich` no longer supports pgvecto.rs since the package has been removed from nixpkgs.
  As a result, options `services.immich.database.enableVectors` and `services.immich.database.enableVectorchord` have been removed, and VectorChord is now always used.
  If you have not completed the migration yet, ensure you completely remove the extension from your database before upgrading by following the [migration guide](https://github.com/NixOS/nixpkgs/blob/nixos-25.11/nixos/modules/services/web-apps/immich.md#migrating-from-pgvecto-rs-to-vectorchord-pre-2511-installations-module-services-immich-vectorchord-migration).

- [](#opt-services.cgit) before always had the git-http-backend and its "export all" setting enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disable `opt-services.cgit.<name>.gitHttpBackend.checkExportOkFiles` (or disable the git-http-backend).
+- `services.cgit` before always had the git-http-backend and its "export all" setting enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disable `services.cgit.gitHttpBackend.checkExportOkFiles` (or disable the git-http-backend).

 - `rocmPackages_6` has been removed. `rocmPackages` has been updated to ROCm 7.x. Out of tree packages may rely on obsolete hipblas APIs or compile time constant warp size and need to be updated.

@@ -323,7 +307,9 @@ of pulling the upstream container image from Docker Hub. If you want the old beh

 - The Bash implementation of the `nixos-rebuild` program is removed. All switchable systems now use the Python rewrite. Any prior usage of `system.rebuild.enableNg` must now be removed. If you have any outstanding issues with the new implementation, please open an issue on GitHub.

- [services.desktopManager.gnome](#opt-services.desktopManager.gnome.enable) no longer installs the Geary e-mail client since it is not part of the GNOME [core applications](https://apps.gnome.org/) list. Geary's position in the default favorite apps section has been replaced by GNOME Text Editor. To keep it installed, add `programs.geary.enable = true;` to your configuration.
+- `services.desktopManager.gnome` no longer installs the Geary e-mail client since it is not part of the GNOME [core applications](https://apps.gnome.org/) list. Geary's position in the default favorite apps section has been replaced by GNOME Text Editor. To keep it installed, add `programs.geary.enable = true;` to your configuration.
+
+- MATE packages have been moved to top level (e.g. if you previously added `pkgs.mate.caja` to `environment.systemPackages`, you will need to change it to `pkgs.caja`).

 - `walker` has been updated to 2.0.0+, which is a complete rewrite in rust.

@@ -335,7 +321,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh

 - Support for `reiserfs` in nixpkgs has been removed, following the removal in Linux 6.13.

- [services.tor](#opt-services.tor.enable) no longer bind mounts Unix sockets of onion services into its chroot
+- `services.tor` no longer bind mounts Unix sockets of onion services into its chroot
 because it was not reliable. Users should do it themselves using either `JoinsNamespaceOf=` and Unix sockets in `/tmp`
 or `BindPaths=` from a persistent parent directory of each Unix socket.
 See <https://github.com/NixOS/nixpkgs/issues/481673>.
@@ -344,14 +330,14 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.

 - `services.xserver.cmt` has been removed as the `xf86-input-cmt` package was broken and unmaintained upstream.

- `programs.light` was removed from nixpkgs due to the corresponding package being unmaintained upstream. `brightnessctl` and [hardware.acpilight](#opt-hardware.acpilight.enable) offer replacements.
+- `programs.light` was removed from nixpkgs due to the corresponding package being unmaintained upstream. `brightnessctl` and `programs.acpilight` offer replacements.

 - `ceph` has been upgraded to v20. See the [Ceph "tentacle" release notes](https://docs.ceph.com/en/latest/releases/tentacle/#v20-2-0-tentacle) for details and recommended upgrade procedure.
  Note that **upgrades of server-side components are one-way**, and downgrading e.g. an OSD from *Tentacle* to *Squid* is not just not supported but is known to break.

- [](#opt-services.unifi.jrePackage) now defaults to `jdk25_headless` instead of `jdk17_headless`, in order to be compatible with new versions of `unifi`.
+- `services.unifi`'s `jrePackage` option now defaults to `jdk25_headless` instead of `jdk17_headless`, in order to be compatible with new versions of `unifi`.

- The [networking.wireless](#opt-networking.wireless.enable) module has been security hardened by default: the `wpa_supplicant` daemon now runs under an unprivileged user with restricted access to the system.
+- The `networking.wireless` module has been security hardened by default: the `wpa_supplicant` daemon now runs under an unprivileged user with restricted access to the system.

  As part of these changes, `/etc/wpa_supplicant.conf` has been deprecated: the NixOS-generated configuration file is now linked to `/etc/wpa_supplicant/nixos.conf` and `/etc/wpa_supplicant/imperative.conf` has been added for imperatively configuring `wpa_supplicant` or when using [allowAuxiliaryImperativeNetworks](#opt-networking.wireless.allowAuxiliaryImperativeNetworks).

@@ -371,20 +357,30 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
  - In both "networkd" and "scripted" backends, the configuration of name servers is now part of `network-local-commands.service` (fixes issue [#445496](https://github.com/NixOS/nixpkgs/issues/445496)).
  - The issue that resulted in a completely unconfigured network if both `resolvconf` was disabled and no default gateway configured, has also been fixed.

+- `kratos` has been updated from 1.3.1 to [25.4.0](https://github.com/ory/kratos/releases/tag/v25.4.0). Upstream switched to a new versioning scheme (year.major.minor). Notable breaking changes:
+
+  - The `migrate sql` CLI command is now `migrate sql up`
+  - OIDC registration validation errors are now placed in the `default` node group instead of `oidc`
+  - Failed OIDC account linking returns HTTP 400 instead of 200
+
+- `pdns` has been updated to version [v5.0.x](https://doc.powerdns.com/authoritative/changelog/5.0.html), which introduces breaking changes. Check out the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-5-0-0) for details.
+
 - In the PowerDNS Recursor module, following the deprecation period started with NixOS 25.05, the option {option}`services.pdns-recursor.old-settings` has been removed and {option}`services.pdns-recursor.yaml-settings` consequently renamed to [](#opt-services.pdns-recursor.settings).

- [services.angrr](#opt-services.angrr.enable) now uses TOML for configuration. Define policies with [](#opt-services.angrr.settings) (generate TOML file) or point to a file using [](#opt-services.angrr.configFile). The legacy options `services.angrr.period`, `services.angrr.ownedOnly`, and `services.angrr.removeRoot` have been removed. See `man 5 angrr` and the description of [](#opt-services.angrr.settings) options for examples and details.
+- `services.angrr` now uses TOML for configuration. Define policies with `services.angrr.settings` (generate TOML file) or point to a file using `services.angrr.configFile`. The legacy options `services.angrr.period`, `services.angrr.ownedOnly`, and `services.angrr.removeRoot` have been removed. See `man 5 angrr` and the description of `services.angrr.settings` options for examples and details.

- `services.homepage-dashboard.environmentFile` has been renamed to [](#opt-services.homepage-dashboard.environmentFiles), and now expects a list of strings.
+- `services.homepage-dashboard.environmentFile` has been renamed to `services.homepage-dashboard.environmentFiles`, and now expects a list of strings.

 - `services.pingvin-share` has been removed as the `pingvin-share.backend` package was broken and the project was archived upstream.

- `services.jellyseerr` has been renamed to [services.seerr](#opt-services.seerr.enable) following the upstream changes. Notable breaking changes:
+- `geph` package's built-in GUI `geph5-client-gui` has been [removed](https://github.com/geph-official/geph5/commit/f2221fb8386312daf2cef05483ebb353ff48bdb4) by the upstream. All users who wish to continue using the GUI should install the `gephgui-wry`, which is consistent with the official release version.
+
+- `services.jellyseerr` has been renamed to `services.seerr` following the upstream changes. Notable breaking changes:
  - systemd service name changed accordingly.
  - Default config directory moved from `/var/lib/jellyseerr/config` to `/var/lib/seerr/`.
    - If `stateVersion` is older than `26.05`, the module fall backs to the legacy path value.

- [services.vikunja](#opt-services.vikunja.enable) has been updated to Vikunja [v1.0.0](https://vikunja.io/changelog/whats-new-in-vikunja-1.0.0/), which introduces multiple breaking changes.
+- `services.vikunja` has been updated to Vikunja [v1.0.0](https://vikunja.io/changelog/whats-new-in-vikunja-1.0.0/), which introduces multiple breaking changes.
  Notable breaking changes:
  - CORS is enabled by default. The module now sets
    `services.vikunja.settings.service.publicurl` by default. Custom overrides must ensure it is
@@ -395,11 +391,16 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
  - SQLite paths are now relative to `service.rootpath` unless absolute. Startup now validates file
    storage and OAuth providers.

+- `xfsprogs` was updated to version 6.18.0, which enables parent pointers and exchange-range by default. Upstream recommends not to use these features with kernels older than 6.18.
+   GRUB2 is likely unable to boot from filesystems with these features enabled.
+
 - `services.xtreemfs` has been removed as the `xtreemfs` package was broken and unmaintained upstream.

+- `lunarvim` package has been removed, as it was abandoned upstream and relied on an old version of `neovim` to work properly.
+
 - `opengfw` package and `services.opengfw` module have been removed as the upstream GitHub repository and website have been shut down.

- [services.esphome](#opt-services.esphome.enable) no longer uses `DynamicUser`. The service now runs as a static `esphome` system user. systemd handles the migration from `/var/lib/private/esphome` automatically, but users with [impermanence](https://github.com/nix-community/impermanence) setups should ensure `/var/lib/esphome` is persisted.
+- `services.esphome` no longer uses `DynamicUser`. The service now runs as a static `esphome` system user. systemd handles the migration from `/var/lib/private/esphome` automatically, but users with [impermanence](https://github.com/nix-community/impermanence) setups should ensure `/var/lib/esphome` is persisted.

 - `programs.pqos-wrapper` module has been deleted as the corresponding package has been dropped from nixpkgs.

@@ -409,10 +410,6 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.
-
- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows avoiding switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.
-
 - `switch-to-configuration` now reloads a service instead of restarting it when the only change to its unit is `ExecReload=`, and takes no action when `ExecReload=` is removed. Previously both cases triggered a restart.

 - [`hardware.nvidia.branch`](#opt-hardware.nvidia.branch) was added to select the NVIDIA driver branch; setting [`hardware.nvidia.package`](#opt-hardware.nvidia.package) overrides this.
@@ -421,10 +418,12 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.

 - `nixos/nvidia` now uses EGL external platform ICD libraries built from source (`egl-gbm`, `egl-wayland`, `egl-wayland2`, `egl-x11`) instead of relying on vendor-provided binaries for these components.

- [](#opt-hardware.nvidia.moduleParams) was added to configure NVIDIA kernel module parameters declaratively. These parameters are now written to `modprobe` configuration instead of being passed through global kernel command-line parameters.
+- `hardware.nvidia.moduleParams` was added to configure NVIDIA kernel module parameters declaratively. These parameters are now written to `modprobe` configuration instead of being passed through global kernel command-line parameters.

 - [hardware.xpadneo](#opt-hardware.xpadneo.enable) now supports configuring kernel module parameters via a freeform [settings](#opt-hardware.xpadneo.settings) option, with convenience options for [rumble attenuation](#opt-hardware.xpadneo.rumbleAttenuation) and [controller quirks](#opt-hardware.xpadneo.quirks).

+- Wine has been updated to the 11.0 branch. Please check the [upstream announcement](https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0) for more details.
+
 - `security.acme` now defaults to a dynamic renewal duration, if
  [security.acme.defaults.validMinDays](#opt-security.acme.defaults.validMinDays)
  remains unset. This accommodates certificates with different ACME profile:
@@ -434,37 +433,44 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
    - For shortlived certificates with a total validity below 10 days renewal
      will happen after half of the total lifetime has passed

- The module for the Dovecot IMAP server, [services.dovecot2](#opt-services.dovecot2.enable), now uses RFC-42-style settings, exposing a structured interface to write the configuration file.
+- The module for the Dovecot IMAP server, *services.dovecot*, now uses RFC-42-style settings, exposing a structured interface to write the configuration file.

  Also see the list of available settings for [Dovecot 2.3](https://doc.dovecot.org/2.3/settings/core/) or [2.4](https://doc.dovecot.org/2.4.2/core/summaries/settings.html).

- [](#opt-fonts.fontconfig.useEmbeddedBitmaps) is now set to `true` by default.
+- Cinnamon has been updated to 6.6, please check the [upstream announcement](https://www.linuxmint.com/rel_zena_whatsnew.php) for more details.

- [services.frp](#opt-services.frp.instances) now supports multiple instances through [](#opt-services.frp.instances) to make it possible to run multiple frp clients or servers at the same time.
+- Rspamd has been updated to 4.0. Please check the upstream [migration](https://docs.rspamd.com/tutorials/migration/#migration-to-rspamd-400) documentation, especially if you run a sharded Redis deployment.
+
+- Budgie has been updated to 10.10, please check the [upstream announcement](https://buddiesofbudgie.org/blog/budgie-10-10-released) for more details.
+
+- `fonts.fontconfig.useEmbeddedBitmaps` is now set to `true` by default.
+
+- `stestrCheckHook` was added: This test hook runs `stestr run`. You can disable tests with `disabledTests` and `disabledTestsRegex`.
+
+- `services.frp` now supports multiple instances through `services.frp.instances` to make it possible to run multiple frp clients or servers at the same time.
+
+- `hyphen` now supports over 40 language variants through `hyphenDicts` and now allows to enable all supported languages through `hyphenDicts.all`.

 - [services.resolved](#opt-services.resolved.enable) module was converted to RFC42-style settings. The moved options have also been renamed to match the upstream names. Aliases mean current configs will continue to function, but users should move to the new options as convenient.

- `systemd.sleep.extraConfig` was replaced by [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md)-compliant [](#opt-systemd.sleep.settings.Sleep), which is used to generate the `sleep.conf` configuration file. See {manpage}`sleep.conf.d(5)` for available options.
+- `systemd.sleep.extraConfig` was replaced by [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md)-compliant `systemd.sleep.settings.Sleep`, which is used to generate the `sleep.conf` configuration file. See {manpage}`sleep.conf.d(5)` for available options.

- Support for Bluetooth audio based on `bluez-alsa` has been added to the [hardware.alsa](#opt-hardware.alsa.enable) module. It can be enabled with the new [enableBluetooth](#opt-hardware.alsa.enableBluetooth) option.
-
- [services.atuin](#opt-services.atuin.enable) now has an `environmentFile` option to safely allow configuring secrets, such as an `ATUIN_DB_URI` containing a Postgres password.
+- Support for Bluetooth audio based on `bluez-alsa` has been added to the `hardware.alsa` module. It can be enabled with the new [enableBluetooth](#opt-hardware.alsa.enableBluetooth) option.
+- `services.atuin` now has an `environmentFile` option to safely allow configuring secrets, such as an `ATUIN_DB_URI` containing a Postgres password.

 - `systemd.network.*` has been updated to support all configuration options from upstream `networkd` version 259.

- [](#opt-networking.resolvconf.enable) now defaults to `true` unconditionally instead of `!(config.environment.etc ? "resolv.conf")`. If you set `environment.etc."resolv.conf"` yourself, then you should also set `networking.resolvconf.enable = false`.
+- `networking.resolvconf.enable` now defaults to `true` unconditionally instead of `!(config.environment.etc ? "resolv.conf")`. If you set `environment.etc."resolv.conf"` yourself, then you should also set `networking.resolvconf.enable = false`.

- The [services.drupal](#opt-services.drupal.enable) module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config yamls onto NixOS, and some new settings for managing variable content and filepaths.
+- `services.openssh` now supports generating host SSH keys by setting `services.openssh.generateHostKeys = true` while leaving `services.openssh.enable` disabled.  This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.

- [services.openssh](#opt-services.openssh.enable) now supports generating host SSH keys by setting `services.openssh.generateHostKeys = true` while leaving [](#opt-services.openssh.enable) disabled.  This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.
+- `services.openssh.enableRecommendedAlgorithms` has been added to allow users to opt out of NixOS's curated set of recommended algorithms. This set to true by default, and thus is not a breaking change. Users may want to set this to false if they prefer upstream's default algorithms. See <https://github.com/NixOS/nixpkgs/pull/471330>.

- [](#opt-services.openssh.enableRecommendedAlgorithms) has been added to allow users to opt out of NixOS's curated set of recommended algorithms. This set to true by default, and thus is not a breaking change. Users may want to set this to false if they prefer upstream's default algorithms. See <https://github.com/NixOS/nixpkgs/pull/471330>.
+- `services.openssh.banner` has been removed. Use `services.openssh.settings.Banner` instead.

- `services.openssh.banner` has been removed. Use [](#opt-services.openssh.settings.Banner) instead.
+- IPVLAN interfaces can now be configured through the `networking.ipvlans` option in the networking module.

- IPVLAN interfaces can now be configured through the [](#opt-networking.ipvlans) option in the networking module.
-
- [services.caddy](#opt-services.caddy.enable) now supports setting [](#opt-services.caddy.httpPort) and [](#opt-services.caddy.httpsPort) and opening them in the firewall via [](#opt-services.caddy.openFirewall).
+- `services.caddy` now supports setting `httpPort` and `httpsPort` and opening them in the firewall via `openFirewall`.

 - The latest available version of Nextcloud is v33 (available as `pkgs.nextcloud33`). The installation logic is as follows:
  - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
@@ -477,19 +483,59 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
  To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`.
  If you set custom Caddy options for a InvoicePlane site, migrate these options by removing `http://` from `services.caddy.virtualHosts."http://example.com"`.

- `services.slurm` now supports slurmrestd usage through the [](#opt-services.slurm.rest.enable) NixOS options.
+- `services.slurm` now supports slurmrestd usage through the `services.slurm.rest` NixOS options.

- The [](#opt-networking.firewall.logRefusedConnections) option now defaults to
+- The `networking.firewall.logRefusedConnections` option now defaults to
  `false`.  Logging of refused or dropped incoming connections can generate a
  very high volume of kernel log messages on internet-facing systems, causing
  the kernel ring buffer (dmesg) to rotate quickly and potentially discard more
  relevant diagnostic information.

- The [services.calibre-web](#opt-services.calibre-web.enable) systemd service has been hardened with additional sandboxing restrictions.
+- The `services.calibre-web` systemd service has been hardened with additional sandboxing restrictions.

 - `services.kanidm` options for server, client and unix were moved under dedicated namespaces.
  For each component `enableComponent` and `componentSettings` are now `component.enable` and
  `component.settings`. The unix module now supports using SSH keys from Kanidm via
  `services.kanidm.unix.sshIntegration = true`.

- [services.radicle](#opt-services.radicle.enable) now supports importing the private key and passphrase as systemd creds.
+- `mdbook-linkcheck` has been removed as it is unmaintained and incompatible with the latest version of `mdbook`. Users can instead migrate to `mdbook-linkcheck2`.
+
+- `glibc` has been updated to version 2.42.
+
+  This version no longer makes the stack executable when a shared library requires this. A symptom
+  is an error like
+
+  > cannot enable executable stack as shared object requires: Invalid argument
+
+  This is usually a bug. Please consider reporting it to the software maintainers.
+
+  In a lot of cases, the library requires the execstack by mistake only. The following workarounds exist:
+
+  * When building the shared library in question from source, use the following linker flags to force turning off the
+    executable flag:
+
+    ```nix
+    mkDerivation {
+      # …
+
+      env.NIX_LDFLAGS = "-z,noexecstack";
+    }
+    ```
+
+  * If the sources are not available, the execstack-flag can be cleared with `patchelf`:
+
+    ```
+    patchelf --clear-execstack binary-only.so
+    ```
+
+  * If the shared library to be loaded actually requires an executable stack and it isn't turned
+    on by the application loading it, you may force allowing that behavior by setting the
+    following environment variable:
+
+    ```
+    GLIBC_TUNABLES=glibc.rtld.execstack=2
+    ```
+
+    **Do not set this globally!** This makes your setup inherently less secure.
+
+- `services.radicle` now supports importing the private key and passphrase as systemd creds.
--- a/nixos/doc/manual/release-notes/rl-2611.section.md
+++ b/nixos/doc/manual/release-notes/rl-2611.section.md
@@ -10,7 +10,7 @@

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- [tranquil](https://tangled.org/tranquil.farm/tranquil-pds) is an ATProto PDS (personal data server) implementation in Rust. A featureful, spec conscious and community driven alternative to the Bluesky reference implementation PDS. Available as [services.tranquil-pds](#opt-services.tranquil-pds.enable).
+- Create the first release note entry in this section!

 ## Backward Incompatibilities {#sec-release-26.11-incompatibilities}

@@ -18,8 +18,6 @@

 - `boot.vesa` has been removed. It was deprecated in 2020 because Xorg now works better with kernel modesetting. If you still need the legacy VESA 800x600 fallback, set `boot.kernelParams = [ "vga=0x317" "nomodeset" ];` directly.

- Python 2 has been removed from the top-level package set, as it is long past end-of-life. The `python2`, `python27`, `python2Full`, `python27Full`, `python2Packages`, and `python27Packages` attributes, along with the legacy `python`, `pythonFull`, and `pythonPackages` aliases, now throw an error directing you to `python3`. The `isPy2` and `isPy27` package flags have been removed accordingly. The only remaining Python 2 interpreter is vendored inside the `resholve` package for its `oil` dependency and is not exposed for general use.
-
 ## Other Notable Changes {#sec-release-26.11-notable-changes}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
--- a/nixos/lib/systemd-lib.nix
+++ b/nixos/lib/systemd-lib.nix
@@ -78,16 +78,13 @@ rec {
        {
          preferLocalBuild = true;
          allowSubstitutes = false;
-          # unit.text can be null. But variables that are null listed in
-          # passAsFile are ignored by nix, resulting in no file being created,
-          # making the mv operation fail.
-          text = optionalString (unit.text != null) unit.text;
-          passAsFile = [ "text" ];
+          text = unit.text or "";
+          __structuredAttrs = true;
        }
        ''
          name=${shellEscape name}
          mkdir -p "$out/$(dirname -- "$name")"
-          mv "$textPath" "$out/$name"
+          printf "%s" "$text" > "$out/$name"
        ''
    else
      pkgs.runCommand "unit-${mkPathSafeName name}-disabled"
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -505,7 +505,7 @@ EOF
    # This should work for single and multi-device systems.
    # still needs subvolume support
    if ($fsType eq "bcachefs") {
-        my ($status, @info) = runCommand("bcachefs fs usage $rootDir$mountPoint");
+        my ($status, @info) = runCommand("@bcachefs@ fs usage $rootDir$mountPoint");
        my $UUID = $info[0];

        if ($status == 0 && $UUID =~ /^Filesystem:[ \t\n]*([0-9a-z-]+)/) {
--- a/nixos/modules/installer/tools/tools.nix
+++ b/nixos/modules/installer/tools/tools.nix
@@ -30,15 +30,20 @@ let
    name = "nixos-generate-config";
    src = ./nixos-generate-config.pl;
    replacements = {
-      perl = "${
+      perl = lib.getExe (
        pkgs.perl.withPackages (p: [
          p.FileSlurp
          p.ConfigIniFiles
        ])
-      }/bin/perl";
+      );
      hostPlatformSystem = pkgs.stdenv.hostPlatform.system;
-      detectvirt = "${config.systemd.package}/bin/systemd-detect-virt";
-      btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
+      detectvirt = lib.getExe' config.systemd.package "systemd-detect-virt";
+      bcachefs =
+        if pkgs.bcachefs-tools.meta.broken then
+          lib.getExe' pkgs.coreutils "false"
+        else
+          lib.getExe pkgs.bcachefs-tools;
+      btrfs = lib.getExe pkgs.btrfs-progs;
      inherit (config.system.nixos-generate-config) configuration desktopConfiguration flake;
      xserverEnabled = config.services.xserver.enable;
    };
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -394,6 +394,7 @@
  ./security/ca.nix
  ./security/chromium-suid-sandbox.nix
  ./security/default.nix
+  ./security/dhparams.nix
  ./security/doas.nix
  ./security/duosec.nix
  ./security/google_oslogin.nix
@@ -1792,7 +1793,6 @@
  ./services/web-apps/suwayomi-server.nix
  ./services/web-apps/szurubooru.nix
  ./services/web-apps/tabbyapi.nix
-  ./services/web-apps/tranquil-pds.nix
  ./services/web-apps/trilium.nix
  ./services/web-apps/tt-rss.nix
  ./services/web-apps/tuliprox.nix
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -125,9 +125,6 @@ in
    (mkRemovedOptionModule [ "programs" "yabar" ]
      "programs.yabar has been removed from NixOS. This is because the yabar repository has been archived upstream."
    )
-    (mkRemovedOptionModule [ "security" "dhparams" ] ''
-      The security.dhparams module has been removed as RFC 7919 has shown that generating your own params is problematic.
-    '')
    (mkRemovedOptionModule [ "security" "hideProcessInformation" ] ''
      The hidepid module was removed, since the underlying machinery
      is broken when using cgroups-v2.
--- a/nixos/modules/security/dhparams.nix
+++ b/nixos/modules/security/dhparams.nix
@@ -0,0 +1,223 @@
+{
+  config,
+  lib,
+  options,
+  pkgs,
+  ...
+}:
+
+let
+  inherit (lib) literalExpression mkOption types;
+  cfg = config.security.dhparams;
+  opt = options.security.dhparams;
+
+  bitType = types.addCheck types.int (b: b >= 16) // {
+    name = "bits";
+    description = "integer of at least 16 bits";
+  };
+
+  paramsSubmodule =
+    { name, config, ... }:
+    {
+      options.bits = mkOption {
+        type = bitType;
+        default = cfg.defaultBitSize;
+        defaultText = literalExpression "config.${opt.defaultBitSize}";
+        description = ''
+          The bit size for the prime that is used during a Diffie-Hellman
+          key exchange.
+        '';
+      };
+
+      options.path = mkOption {
+        type = types.path;
+        readOnly = true;
+        description = ''
+          The resulting path of the generated Diffie-Hellman parameters
+          file for other services to reference. This could be either a
+          store path or a file inside the directory specified by
+          {option}`security.dhparams.path`.
+        '';
+      };
+
+      config.path =
+        let
+          generated = pkgs.runCommand "dhparams-${name}.pem" {
+            nativeBuildInputs = [ pkgs.openssl ];
+          } "openssl dhparam -out \"$out\" ${toString config.bits}";
+        in
+        if cfg.stateful then "${cfg.path}/${name}.pem" else generated;
+    };
+
+in
+{
+  options = {
+    security.dhparams = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to generate new DH params and clean up old DH params.
+        '';
+      };
+
+      params = mkOption {
+        type =
+          with types;
+          let
+            coerce = bits: { inherit bits; };
+          in
+          attrsOf (coercedTo int coerce (submodule paramsSubmodule));
+        default = { };
+        example = lib.literalExpression "{ nginx.bits = 3072; }";
+        description = ''
+          Diffie-Hellman parameters to generate.
+
+          The value is the size (in bits) of the DH params to generate. The
+          generated DH params path can be found in
+          `config.security.dhparams.params.«name».path`.
+
+          ::: {.note}
+          The name of the DH params is taken as being the name of
+          the service it serves and the params will be generated before the
+          said service is started.
+          :::
+
+          ::: {.warning}
+          If you are removing all dhparams from this list, you
+          have to leave {option}`security.dhparams.enable` for at
+          least one activation in order to have them be cleaned up. This also
+          means if you rollback to a version without any dhparams the
+          existing ones won't be cleaned up. Of course this only applies if
+          {option}`security.dhparams.stateful` is
+          `true`.
+          :::
+
+          ::: {.note}
+          **For module implementers:** It's recommended
+          to not set a specific bit size here, so that users can easily
+          override this by setting
+          {option}`security.dhparams.defaultBitSize`.
+          :::
+        '';
+      };
+
+      stateful = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether generation of Diffie-Hellman parameters should be stateful or
+          not. If this is enabled, PEM-encoded files for Diffie-Hellman
+          parameters are placed in the directory specified by
+          {option}`security.dhparams.path`. Otherwise the files are
+          created within the Nix store.
+
+          ::: {.note}
+          If this is `false` the resulting store
+          path will be non-deterministic and will be rebuilt every time the
+          `openssl` package changes.
+          :::
+        '';
+      };
+
+      defaultBitSize = mkOption {
+        type = bitType;
+        default = 2048;
+        description = ''
+          This allows to override the default bit size for all of the
+          Diffie-Hellman parameters set in
+          {option}`security.dhparams.params`.
+        '';
+      };
+
+      path = mkOption {
+        type = types.str;
+        default = "/var/lib/dhparams";
+        description = ''
+          Path to the directory in which Diffie-Hellman parameters will be
+          stored. This only is relevant if
+          {option}`security.dhparams.stateful` is
+          `true`.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
+      warnings = [
+        ''
+          The `security.dhparams` module is deprecated and scheduled for removal in NixOS 26.11.
+          Generating your own params has been shown to be problematic in RFC 7919 (2016).
+
+          Remove any uses of DHE and migrate to ECDHE (RFC 8422, 2018) and
+          Hybrid PQ (draft-ietf-tls-ecdhe-mlkem, 2026) key exchange algorithms.
+        ''
+      ];
+    })
+    (lib.mkIf (cfg.enable && cfg.stateful) {
+      systemd.services = {
+        dhparams-init = {
+          description = "Clean Up Old Diffie-Hellman Parameters";
+
+          # Clean up even when no DH params is set
+          wantedBy = [ "multi-user.target" ];
+
+          serviceConfig.RemainAfterExit = true;
+          serviceConfig.Type = "oneshot";
+
+          script = ''
+            if [ ! -d ${cfg.path} ]; then
+              mkdir -p ${cfg.path}
+            fi
+
+            # Remove old dhparams
+            for file in ${cfg.path}/*; do
+              if [ ! -f "$file" ]; then
+                continue
+              fi
+              ${lib.concatStrings (
+                lib.mapAttrsToList (
+                  name:
+                  { bits, path, ... }:
+                  ''
+                    if [ "$file" = ${lib.escapeShellArg path} ] && \
+                       ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text \
+                       | head -n 1 | grep "(${toString bits} bit)" > /dev/null; then
+                      continue
+                    fi
+                  ''
+                ) cfg.params
+              )}
+              rm "$file"
+            done
+
+            # TODO: Ideally this would be removing the *former* cfg.path, though
+            # this does not seem really important as changes to it are quite
+            # unlikely
+            rmdir --ignore-fail-on-non-empty ${cfg.path}
+          '';
+        };
+      }
+      // lib.mapAttrs' (
+        name:
+        { bits, path, ... }:
+        lib.nameValuePair "dhparams-gen-${name}" {
+          description = "Generate Diffie-Hellman Parameters for ${name}";
+          after = [ "dhparams-init.service" ];
+          before = [ "${name}.service" ];
+          requiredBy = [ "${name}.service" ];
+          wantedBy = [ "multi-user.target" ];
+          unitConfig.ConditionPathExists = "!${path}";
+          serviceConfig.Type = "oneshot";
+          script = ''
+            mkdir -p ${lib.escapeShellArg cfg.path}
+            ${pkgs.openssl}/bin/openssl dhparam -out ${lib.escapeShellArg path} \
+              ${toString bits}
+          '';
+        }
+      ) cfg.params;
+    })
+  ];
+
+}
--- a/nixos/modules/services/development/gemstash.nix
+++ b/nixos/modules/services/development/gemstash.nix
@@ -36,8 +36,6 @@ in
      '';
    };

-    package = lib.mkPackageOption pkgs "gemstash" { };
-
    settings = lib.mkOption {
      default = { };
      description = ''
@@ -98,7 +96,7 @@ in
      after = [ "network.target" ];
      serviceConfig = lib.mkMerge [
        {
-          ExecStart = "${lib.getExe cfg.package} start --no-daemonize --config-file ${settingsFormat.generate "gemstash.yaml" (prefixColon cfg.settings)}";
+          ExecStart = "${pkgs.gemstash}/bin/gemstash start --no-daemonize --config-file ${settingsFormat.generate "gemstash.yaml" (prefixColon cfg.settings)}";
          NoNewPrivileges = true;
          User = "gemstash";
          Group = "gemstash";
--- a/nixos/modules/services/home-automation/home-assistant.nix
+++ b/nixos/modules/services/home-automation/home-assistant.nix
@@ -30,6 +30,7 @@ let
    mapAttrsToList
    mergeAttrsList
    mkEnableOption
+    mkDefault
    mkIf
    mkMerge
    mkOption
@@ -776,25 +777,7 @@ in
    openFirewall = mkOption {
      default = false;
      type = types.bool;
-      description = ''
-        Whether to open the firewall for the specified frontend port
-
-        :::{.note}
-        For components specific ports see {option}`services.home-assistant.openFirewallForComponents`.
-        :::
-      '';
-    };
-
-    openFirewallForComponents = mkOption {
-      default = false;
-      type = types.bool;
-      description = ''
-        Whether to open required firewall ports for enabled components.
-
-        :::{.note}
-        For the frontend see {option}`services.home-assistant.openFirewall`.
-        :::
-      '';
+      description = "Whether to open the firewall for the specified port.";
    };

    blueprints = mergeAttrsList (
@@ -862,13 +845,7 @@ in
      }
    ];

-    networking.firewall.allowedTCPPorts = mkMerge [
-      (mkIf cfg.openFirewall [ cfg.config.http.server_port ])
-      (mkIf cfg.openFirewallForComponents
-        # https://www.home-assistant.io/integrations/sonos/#network-requirements
-        (optionals (useComponent "sonos") [ 1400 ])
-      )
-    ];
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.config.http.server_port ];

    # symlink the configuration to /etc/home-assistant
    environment.etc = mkMerge [
--- a/nixos/modules/services/logging/logrotate.nix
+++ b/nixos/modules/services/logging/logrotate.nix
@@ -91,9 +91,9 @@ let
      # files required to exist also won't be present, so missingok is forced.
      user=$(${pkgs.buildPackages.coreutils}/bin/id -un)
      group=$(${pkgs.buildPackages.coreutils}/bin/id -gn)
-      sed -E -e "s/\bsu\s.*/su $user $group/" \
-             -e "s/\b((create|createolddir)\b(\s+[0-9]+)?).*/\1 $user $group/" \
-             -e "1imissingok" -e "s/\bnomissingok\b//" \
+      sed -e "s/\bsu\s.*/su $user $group/" \
+          -e "s/\b\(create\s\+[0-9]*\s*\|createolddir\s\+[0-9]*\s\+\).*/\1$user $group/" \
+          -e "1imissingok" -e "s/\bnomissingok\b//" \
          $out > logrotate.conf
      # Since this makes for very verbose builds only show real error.
      # There is no way to control log level, but logrotate hardcodes
--- a/nixos/modules/services/mail/stalwart.nix
+++ b/nixos/modules/services/mail/stalwart.nix
@@ -273,7 +273,6 @@ in
          RestrictAddressFamilies = [
            "AF_INET"
            "AF_INET6"
-            "AF_UNIX"
          ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
--- a/nixos/modules/services/networking/pangolin.nix
+++ b/nixos/modules/services/networking/pangolin.nix
@@ -9,7 +9,7 @@
 let
  cfg = config.services.pangolin;
  format = pkgs.formats.yaml { };
-  finalSettings = lib.attrsets.recursiveUpdate options.services.pangolin.settings.default cfg.settings;
+  finalSettings = lib.attrsets.recursiveUpdate pangolinConf cfg.settings;
  cfgFile = format.generate "config.yml" finalSettings;
  # override the type to allow for optionality
  nullOrOpt = t: lib.types.nullOr t // { _optional = true; };
@@ -33,6 +33,25 @@ let
      fi
    '';
  };
+
+  pangolinConf = {
+    app.dashboard_url = "https://${cfg.dashboardDomain}";
+    domains.domain1 = {
+      base_domain = cfg.baseDomain;
+      prefer_wildcard_cert = false;
+    };
+    server = {
+      external_port = 3000;
+      internal_port = 3001;
+      next_port = 3002;
+      integration_port = 3003;
+      # needs to be set, otherwise this fails silently
+      # see https://github.com/fosrl/newt/issues/37
+      internal_hostname = "localhost";
+    };
+    gerbil.base_endpoint = cfg.dashboardDomain;
+    flags.enable_integration_api = false;
+  };
 in
 {
  options.services = {
@@ -42,50 +61,7 @@ in

      settings = lib.mkOption {
        inherit (format) type;
-        default = {
-          app.dashboard_url = "https://${cfg.dashboardDomain}";
-          domains.domain1 = {
-            base_domain = cfg.baseDomain;
-            prefer_wildcard_cert = false;
-          };
-          server = {
-            external_port = 3000;
-            internal_port = 3001;
-            next_port = 3002;
-            integration_port = 3003;
-            # needs to be set, otherwise this fails silently
-            # see https://github.com/fosrl/newt/issues/37
-            internal_hostname = "localhost";
-          };
-          gerbil.base_endpoint = cfg.dashboardDomain;
-          flags = {
-            disable_signup_without_invite = true;
-            enable_integration_api = false;
-          };
-        };
-        defaultText = lib.literalExpression ''
-          {
-            app.dashboard_url = "https://''${config.services.pangolin.dashboardDomain}";
-            domains.domain1 = {
-              base_domain = cfg.baseDomain;
-              prefer_wildcard_cert = false;
-            };
-            server = {
-              external_port = 3000;
-              internal_port = 3001;
-              next_port = 3002;
-              integration_port = 3003;
-              # needs to be set, otherwise this fails silently
-              # see https://github.com/fosrl/newt/issues/37
-              internal_hostname = "localhost";
-            };
-            gerbil.base_endpoint = config.services.pangolin.dashboardDomain;
-            flags = {
-              disable_signup_without_invite = true;
-              enable_integration_api = false;
-            };
-          }
-        '';
+        default = { };
        description = ''
          Additional attributes to be merged with the configuration options and written to Pangolin's {file}`config.yml` file.
        '';
--- a/nixos/modules/services/ttys/kmscon.nix
+++ b/nixos/modules/services/ttys/kmscon.nix
@@ -2,7 +2,6 @@
  config,
  pkgs,
  lib,
-  utils,
  ...
 }:
 let
@@ -11,6 +10,8 @@ let
    mkEnableOption
    mkOption
    mkPackageOption
+    optional
+    optionals
    types
    ;

@@ -21,12 +22,7 @@ let
  configDir = pkgs.writeTextFile {
    name = "kmscon-config";
    destination = "/kmscon.conf";
-    text =
-      let
-        mkKeyValue =
-          k: v: if lib.isBool v then (lib.optionalString (!v) "no-") + k else "${k}=${toString v}";
-      in
-      lib.generators.toKeyValue { inherit mkKeyValue; } (lib.filterAttrs (_: v: v != null) cfg.config);
+    text = cfg.extraConfig;
  };

  baseLoginOptions = "-p";
@@ -59,68 +55,58 @@ in

      Check `services.getty.autologinUser` instead.
    '')
-    (lib.mkRemovedOptionModule [ "services" "kmscon" "fonts" ] ''
-      `services.kmscon.fonts` is removed.
-
-      Add your font to `fonts.packages` and configure it with
-      `services.kmscon.config.font-name` instead.
-    '')
-    (lib.mkRemovedOptionModule [ "services" "kmscon" "extraConfig" ] ''
-      `services.kmscon.extraConfig` is removed.
-
-      Add your configurations to the new `services.kmscon.config` instead.
-    '')
-    (lib.mkRenamedOptionModule [ "services" "kmscon" "term" ] [ "services" "kmscon" "config" "term" ])
-    (lib.mkRenamedOptionModule
-      [ "services" "kmscon" "hwRender" ]
-      [ "services" "kmscon" "config" "hwaccel" ]
-    )
  ];

  options = {
    services.kmscon = {
      enable = mkEnableOption ''
-        use kmscon instead of autovt.
+        Use kmscon instead of autovt.

        Kmscon is a simple terminal emulator based on linux kernel mode setting (KMS).
-        It is an attempt to replace the in-kernel VT implementation with a userspace console
+        It is an attempt to replace the in-kernel VT implementation with a userspace console.
      '';

      package = mkPackageOption pkgs "kmscon" { };

-      useXkbConfig = mkEnableOption ''
-        configure keymap from xserver keyboard settings.
+      hwRender = mkEnableOption "3D hardware acceleration to render the console";

-        If enabled, configurations under `services.xserver.xkb` will be injected into kmscon's configuration
-      '';
-
-      config = mkOption {
-        description = ''
-          Configuration for kmscon. See {manpage}`kmscon.conf(5)`
-          for available options.
-        '';
-        default = { };
-        type = types.submodule {
-          freeformType =
-            with types;
-            attrsOf (oneOf [
-              bool
-              int
-              str
-            ]);
-          options = {
-            hwaccel = mkEnableOption "use hardware acceleration for rendering";
-            libseat = mkOption {
-              type = types.bool;
-              default = true;
-              description = ''
-                Whether to use libseat for session management.
-                This is the default for kmscon newer than 10.0.0 and prevents
-                launching another GUI from kmscon by `kmscon-launch-gui`.
-              '';
+      fonts = mkOption {
+        description = "Fonts used by kmscon, in order of priority.";
+        default = null;
+        example = lib.literalExpression ''[ { name = "Source Code Pro"; package = pkgs.source-code-pro; } ]'';
+        type =
+          with types;
+          let
+            fontType = submodule {
+              options = {
+                name = mkOption {
+                  type = str;
+                  description = "Font name, as used by fontconfig.";
+                };
+                package = mkOption {
+                  type = package;
+                  description = "Package providing the font.";
+                };
+              };
            };
-          };
-        };
+          in
+          nullOr (nonEmptyListOf fontType);
+      };
+
+      useXkbConfig = mkEnableOption "configure keymap from xserver keyboard settings.";
+
+      term = mkOption {
+        description = "Value for the TERM environment variable.";
+        type = types.nullOr types.str;
+        default = null;
+        example = "xterm-256color";
+      };
+
+      extraConfig = mkOption {
+        description = "Extra contents of the kmscon.conf file.";
+        type = types.lines;
+        default = "";
+        example = "font-size=14";
      };

      extraOptions = mkOption {
@@ -138,54 +124,30 @@ in
        assertion = gettyCfg.loginOptions == null;
        message = "services.getty.loginOptions is not supported when services.kmscon is enabled.";
      }
-      {
-        assertion = (cfg.config ? font-name) -> config.fonts.fontconfig.enable;
-        message = "Font configuration for kmscon requires fontconfig to be enabled.";
-      }
-      {
-        assertion = cfg.config.hwaccel -> config.hardware.graphics.enable;
-        message = "Hardware acceleration for kmscon requires `hardware.graphics.enable` to be true.";
-      }
    ];

-    services.kmscon.config = lib.mkIf cfg.useXkbConfig (
-      lib.mapAttrs (_: lib.mkDefault) (
-        lib.filterAttrs (_: v: v != "") {
-          xkb-layout = config.services.xserver.xkb.layout;
-          xkb-model = config.services.xserver.xkb.model;
-          xkb-options = config.services.xserver.xkb.options;
-          xkb-variant = config.services.xserver.xkb.variant;
-        }
-      )
-    );
-
    environment.systemPackages = [ cfg.package ];
    systemd.packages = [ cfg.package ];

    systemd.services."kmsconvt@" = {
-      serviceConfig = {
-        User = lib.mkIf (!cfg.config.libseat) "";
-        PAMName = lib.mkIf (!cfg.config.libseat) "";
-        Environment = [ "XKB_CONFIG_ROOT=${config.services.xserver.xkb.dir}" ];
-        ExecStart = [
-          "" # override upstream default with an empty ExecStart
-          (builtins.concatStringsSep " " (
-            [
-              "${cfg.package}/bin/kmscon"
-              "--configdir"
-              configDir
-              "--vt=%I"
-              "--no-switchvt"
-              "--login"
-            ]
-            ++ lib.optional (cfg.extraOptions != "") cfg.extraOptions
-            ++ [
-              "--"
-              loginScript
-            ]
-          ))
-        ];
-      };
+      serviceConfig.ExecStart = [
+        "" # override upstream default with an empty ExecStart
+        (builtins.concatStringsSep " " (
+          [
+            "${cfg.package}/bin/kmscon"
+            "--configdir"
+            configDir
+            "--vt=%I"
+            "--no-switchvt"
+            "--login"
+          ]
+          ++ lib.optional (cfg.extraOptions != "") cfg.extraOptions
+          ++ [
+            "--"
+            loginScript
+          ]
+        ))
+      ];

      restartIfChanged = false;
      # logind spawns autovt@ttyN.service on VT switch; point it at kmscon
@@ -194,55 +156,40 @@ in

    # tty1 is special: logind does not spawn autovt@tty1, it expects a static
    # pull-in via getty.target. With getty@ suppressed, we must replace it.
-    systemd.targets.getty.wants = lib.mkIf (!config.services.displayManager.enable) [
+    systemd.services."getty.target".wants = lib.mkIf (!config.services.displayManager.enable) [
      "kmsconvt@tty1.service"
    ];

    systemd.suppressedSystemUnits = [ "getty@.service" ];

-    security.pam.services.kmscon = lib.mkIf cfg.config.libseat {
-      useDefaultRules = false;
-      rules = {
-        auth = utils.pam.autoOrderRules [
-          {
-            name = "permit";
-            control = "required";
-            modulePath = "${config.security.pam.package}/lib/security/pam_permit.so";
-          }
-        ];
-        account = utils.pam.autoOrderRules [
-          {
-            name = "unix";
-            control = "required";
-            modulePath = "${config.security.pam.package}/lib/security/pam_unix.so";
-          }
-        ];
-        session = utils.pam.autoOrderRules [
-          {
-            name = "env";
-            control = "required";
-            modulePath = "${config.security.pam.package}/lib/security/pam_env.so";
-            settings = {
-              conffile = "/etc/pam/environment";
-              readenv = 0;
-            };
-          }
-          {
-            name = "unix";
-            control = "required";
-            modulePath = "${config.security.pam.package}/lib/security/pam_unix.so";
-          }
-          {
-            name = "systemd";
-            control = "optional";
-            modulePath = "${config.systemd.package}/lib/security/pam_systemd.so";
-            settings = {
-              type = "tty";
-              class = "greeter";
-            };
-          }
-        ];
-      };
+    services.kmscon.extraConfig = lib.concatLines (
+      optionals cfg.useXkbConfig (
+        lib.mapAttrsToList (n: v: "xkb-${n}=${v}") (
+          lib.filterAttrs (
+            n: v:
+            builtins.elem n [
+              "layout"
+              "model"
+              "options"
+              "variant"
+            ]
+            && v != ""
+          ) config.services.xserver.xkb
+        )
+      )
+      ++ optionals cfg.hwRender [
+        "drm"
+        "hwaccel"
+      ]
+      ++ optional (cfg.fonts != null) "font-name=${lib.concatMapStringsSep ", " (f: f.name) cfg.fonts}"
+      ++ optional (cfg.term != null) "term=${cfg.term}"
+    );
+
+    hardware.graphics.enable = mkIf cfg.hwRender true;
+
+    fonts = mkIf (cfg.fonts != null) {
+      fontconfig.enable = true;
+      packages = map (f: f.package) cfg.fonts;
    };
  };

--- a/nixos/modules/services/web-apps/immich.nix
+++ b/nixos/modules/services/web-apps/immich.nix
@@ -380,6 +380,8 @@ in
      MACHINE_LEARNING_WORKERS = "1";
      MACHINE_LEARNING_WORKER_TIMEOUT = "120";
      MACHINE_LEARNING_CACHE_FOLDER = "/var/cache/immich";
+      # TODO: drop when insightface no longer unconditionally imports matplotlib
+      MPLCONFIGDIR = "/var/cache/immich";
      XDG_CACHE_HOME = "/var/cache/immich";
      IMMICH_HOST = "localhost";
      IMMICH_PORT = "3003";
--- a/nixos/modules/services/web-apps/tranquil-pds.nix
+++ b/nixos/modules/services/web-apps/tranquil-pds.nix
@@ -1,251 +0,0 @@
-{
-  lib,
-  pkgs,
-  config,
-  ...
-}:
-let
-  cfg = config.services.tranquil-pds;
-
-  inherit (lib) types mkPackageOption mkOption;
-
-  settingsFormat = pkgs.formats.toml { };
-in
-{
-  options.services.tranquil-pds = {
-    enable = lib.mkEnableOption "tranquil-pds AT Protocol personal data server";
-
-    package = mkPackageOption pkgs "tranquil-pds" { };
-
-    user = mkOption {
-      type = types.str;
-      default = "tranquil-pds";
-      description = "User under which tranquil-pds runs";
-    };
-
-    group = mkOption {
-      type = types.str;
-      default = "tranquil-pds";
-      description = "Group under which tranquil-pds runs";
-    };
-
-    dataDir = mkOption {
-      type = types.str;
-      default = "/var/lib/tranquil-pds";
-      description = "Working directory for tranquil-pds. Also expected to be used for data (blobs)";
-    };
-
-    environmentFiles = mkOption {
-      type = types.listOf types.path;
-      default = [ ];
-      description = ''
-        File to load environment variables from. Loaded variables override
-        values set in {option}`environment`.
-
-        Use it to set values of `JWT_SECRET`, `DPOP_SECRET` and `MASTER_KEY`.
-
-        Generate these with:
-        ```
-        openssl rand -base64 48
-        ```
-      '';
-    };
-
-    database.createLocally = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Create the postgres database and user on the local host.
-      '';
-    };
-
-    settings = mkOption {
-      type = types.submodule {
-        freeformType = settingsFormat.type;
-
-        options = {
-          server = {
-            host = mkOption {
-              type = types.str;
-              default = "127.0.0.1";
-              description = "Host for tranquil-pds to listen on";
-            };
-
-            port = mkOption {
-              type = types.int;
-              default = 3000;
-              description = "Port for tranquil-pds to listen on";
-            };
-
-            hostname = mkOption {
-              type = types.str;
-              default = "";
-              example = "pds.example.com";
-              description = "The public-facing hostname of the PDS";
-            };
-
-            max_blob_size = mkOption {
-              type = types.int;
-              default = 10737418240; # 10 GiB
-              description = "Maximum allowed blob size in bytes.";
-            };
-          };
-
-          frontend = {
-            enabled =
-              lib.mkEnableOption "serving the frontend from the backend. Disable to serve the frontend manually"
-              // {
-                default = true;
-              };
-
-            dir = mkPackageOption pkgs "tranquil-pds-frontend" { };
-          };
-
-          storage = {
-            path = mkOption {
-              type = types.path;
-              default = "${cfg.dataDir}/blobs";
-              defaultText = "\${cfg.dataDir}/blobs";
-              description = "Directory for storing blobs";
-            };
-          };
-          tranquil_store = {
-            data_dir = mkOption {
-              type = types.path;
-              default = "${cfg.dataDir}/store";
-              defaultText = "\${cfg.dataDir}/store";
-              description = "Directory for tranquil-store files";
-            };
-          };
-        };
-      };
-
-      description = ''
-        Configuration options to set for the service. Secrets should be
-        specified using {option}`environmentFile`.
-
-        Refer to <https://tangled.org/tranquil.farm/tranquil-pds/blob/main/example.toml>
-        for available configuration options.
-      '';
-    };
-  };
-
-  config = lib.mkIf cfg.enable (
-    lib.mkMerge [
-      (lib.mkIf cfg.database.createLocally {
-        services.postgresql = {
-          enable = true;
-          ensureDatabases = [ cfg.user ];
-          ensureUsers = [
-            {
-              name = cfg.user;
-              ensureDBOwnership = true;
-            }
-          ];
-        };
-
-        services.tranquil-pds.settings.database.url =
-          lib.mkDefault "postgresql:///${cfg.user}?host=/run/postgresql";
-
-        systemd.services.tranquil-pds = {
-          requires = [ "postgresql.service" ];
-          after = [ "postgresql.service" ];
-        };
-      })
-
-      {
-        users.users.${cfg.user} = {
-          isSystemUser = true;
-          inherit (cfg) group;
-          home = cfg.dataDir;
-        };
-
-        users.groups.${cfg.group} = { };
-
-        systemd.tmpfiles.settings."tranquil-pds" =
-          lib.genAttrs
-            [
-              cfg.dataDir
-              cfg.settings.storage.path
-              cfg.settings.tranquil_store.data_dir
-            ]
-            (_: {
-              d = {
-                mode = "0750";
-                inherit (cfg) user group;
-              };
-            });
-
-        environment.etc = {
-          "tranquil-pds/config.toml".source =
-            let
-              conf = settingsFormat.generate "tranquil-pds.toml" cfg.settings;
-            in
-            pkgs.runCommandLocal "validated-tranquil-config" { nativeBuildInputs = [ cfg.package ]; } ''
-              tranquil-server --config ${conf} validate --ignore-secrets
-              ln -s ${conf} $out
-            '';
-        };
-
-        systemd.services.tranquil-pds = {
-          description = "Tranquil PDS - ATProtocol Personal Data Server";
-          after = [ "network-online.target" ];
-          wants = [ "network-online.target" ];
-          wantedBy = [ "multi-user.target" ];
-
-          serviceConfig = {
-            User = cfg.user;
-            Group = cfg.group;
-            UMask = "0077";
-            ExecStart = lib.getExe cfg.package;
-            Restart = "on-failure";
-            RestartSec = 5;
-
-            WorkingDirectory = cfg.dataDir;
-            StateDirectory = "tranquil-pds";
-            ReadWritePaths = [
-              cfg.settings.storage.path
-            ];
-
-            EnvironmentFile = cfg.environmentFiles;
-
-            CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-            ProtectProc = "invisible";
-            ProcSubset = "pid";
-            NoNewPrivileges = true;
-            ProtectSystem = "strict";
-            ProtectHome = true;
-            PrivateTmp = true;
-            PrivateDevices = true;
-            PrivateUsers = true;
-            ProtectHostname = true;
-            ProtectClock = true;
-            ProtectKernelTunables = true;
-            ProtectKernelModules = true;
-            ProtectKernelLogs = true;
-            ProtectControlGroups = true;
-            RestrictAddressFamilies = [
-              "AF_INET"
-              "AF_INET6"
-              "AF_UNIX"
-            ];
-            RestrictNamespaces = true;
-            LockPersonality = true;
-            MemoryDenyWriteExecute = true;
-            RestrictRealtime = true;
-            RestrictSUIDSGID = true;
-            RemoveIPC = true;
-            PrivateMounts = true;
-            SystemCallFilter = [
-              "@system-service"
-              "~@privileged @resources"
-            ];
-            SystemCallArchitectures = "native";
-          };
-        };
-      }
-    ]
-  );
-
-  meta.maintainers = with lib.maintainers; [ nelind ];
-}
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -455,6 +455,7 @@ in
  dependency-track = runTest ./dependency-track.nix;
  devpi-server = runTest ./devpi-server.nix;
  dex-oidc = runTest ./dex-oidc.nix;
+  dhparams = runTest ./dhparams.nix;
  dictd = runTest ./dictd.nix;
  disable-installer-tools = runTest ./disable-installer-tools.nix;
  discourse = runTest {
@@ -494,7 +495,6 @@ in
  drupal = runTest ./drupal.nix;
  dublin-traceroute = runTest ./dublin-traceroute.nix;
  dwl = runTestOn [ "x86_64-linux" "aarch64-linux" ] ./dwl.nix;
-  e57inspector = runTest ./e57inspector.nix;
  early-mount-options = runTest ./early-mount-options.nix;
  earlyoom = runTestOn [ "x86_64-linux" ] ./earlyoom.nix;
  easytier = runTest ./easytier.nix;
@@ -1708,7 +1708,6 @@ in
  tracee = handleTestOn [ "x86_64-linux" ] ./tracee.nix { };
  traefik = runTestOn [ "aarch64-linux" "x86_64-linux" ] ./traefik.nix;
  trafficserver = runTest ./trafficserver.nix;
-  tranquil-pds = runTest ./tranquil-pds.nix;
  transfer-sh = runTest ./transfer-sh.nix;
  transmission_4 = runTest ./transmission.nix;
  trezord = runTest ./trezord.nix;
--- a/nixos/tests/dhparams.nix
+++ b/nixos/tests/dhparams.nix
@@ -0,0 +1,143 @@
+{
+  name = "dhparams";
+
+  nodes.machine =
+    { pkgs, ... }:
+    {
+      security.dhparams.enable = true;
+      environment.systemPackages = [ pkgs.openssl ];
+
+      specialisation = {
+        gen1.configuration =
+          { config, ... }:
+          {
+            security.dhparams.params = {
+              # Use low values here because we don't want the test to run for ages.
+              foo.bits = 1024;
+              # Also use the old format to make sure the type is coerced in the right
+              # way.
+              bar = 1025;
+            };
+
+            systemd.services.foo = {
+              description = "Check systemd Ordering";
+              wantedBy = [ "multi-user.target" ];
+              before = [ "shutdown.target" ];
+              conflicts = [ "shutdown.target" ];
+              unitConfig = {
+                # This is to make sure that the dhparams generation of foo occurs
+                # before this service so we need this service to start as early as
+                # possible to provoke a race condition.
+                DefaultDependencies = false;
+
+                # We check later whether the service has been started or not.
+                ConditionPathExists = config.security.dhparams.params.foo.path;
+              };
+              serviceConfig.Type = "oneshot";
+              serviceConfig.RemainAfterExit = true;
+              # The reason we only provide an ExecStop here is to ensure that we don't
+              # accidentally trigger an error because a file system is not yet ready
+              # during very early startup (we might not even have the Nix store
+              # available, for example if future changes in NixOS use systemd mount
+              # units to do early file system initialisation).
+              serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true";
+            };
+          };
+        gen2.configuration = {
+          security.dhparams.params.foo.bits = 1026;
+        };
+        gen3.configuration = { };
+        gen4.configuration = {
+          security.dhparams.stateful = false;
+          security.dhparams.params.foo2.bits = 1027;
+          security.dhparams.params.bar2.bits = 1028;
+        };
+        gen5.configuration = {
+          security.dhparams.defaultBitSize = 1029;
+          security.dhparams.params.foo3 = { };
+          security.dhparams.params.bar3 = { };
+        };
+      };
+    };
+
+  testScript =
+    { nodes, ... }:
+    let
+      getParamPath =
+        gen: name:
+        let
+          node = "gen${toString gen}";
+        in
+        nodes.machine.config.specialisation.${node}.configuration.security.dhparams.params.${name}.path;
+
+      switchToGeneration =
+        gen:
+        let
+          switchCmd = "${nodes.machine.config.system.build.toplevel}/specialisation/gen${toString gen}/bin/switch-to-configuration test";
+        in
+        ''
+          with machine.nested("switch to generation ${toString gen}"):
+            machine.succeed("${switchCmd}")
+        '';
+
+    in
+    ''
+      import re
+
+
+      def assert_param_bits(path, bits):
+          with machine.nested(f"check bit size of {path}"):
+              output = machine.succeed(f"openssl dhparam -in {path} -text")
+              pattern = re.compile(r"^\s*DH Parameters:\s+\((\d+)\s+bit\)\s*$", re.M)
+              match = pattern.match(output)
+              if match is None:
+                  raise Exception("bla")
+              if match[1] != str(bits):
+                  raise Exception(f"bit size should be {bits} but it is {match[1]} instead.")
+
+      machine.wait_for_unit("multi-user.target")
+      ${switchToGeneration 1}
+
+      with subtest("verify startup order"):
+          machine.succeed("systemctl is-active foo.service")
+
+      with subtest("check bit sizes of dhparam files"):
+          assert_param_bits("${getParamPath 1 "foo"}", 1024)
+          assert_param_bits("${getParamPath 1 "bar"}", 1025)
+
+      ${switchToGeneration 2}
+
+      with subtest("check whether bit size has changed"):
+          assert_param_bits("${getParamPath 2 "foo"}", 1026)
+
+      with subtest("ensure that dhparams file for 'bar' was deleted"):
+          machine.fail("test -e ${getParamPath 1 "bar"}")
+
+      ${switchToGeneration 3}
+
+      with subtest("ensure that 'security.dhparams.path' has been deleted"):
+          machine.fail("test -e ${nodes.machine.config.specialisation.gen3.configuration.security.dhparams.path}")
+
+      ${switchToGeneration 4}
+
+      with subtest("check bit sizes dhparam files"):
+          assert_param_bits(
+              "${getParamPath 4 "foo2"}", 1027
+          )
+          assert_param_bits(
+              "${getParamPath 4 "bar2"}", 1028
+          )
+
+      with subtest("check whether dhparam files are in the Nix store"):
+          machine.succeed(
+              "expr match ${getParamPath 4 "foo2"} ${builtins.storeDir}",
+              "expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}",
+          )
+
+      ${switchToGeneration 5}
+
+      with subtest("check whether defaultBitSize works as intended"):
+          assert_param_bits("${getParamPath 5 "foo3"}", 1029)
+          assert_param_bits("${getParamPath 5 "bar3"}", 1029)
+    '';
+}
--- a/nixos/tests/e57inspector.nix
+++ b/nixos/tests/e57inspector.nix
@@ -1,38 +0,0 @@
-{ pkgs, ... }:
-{
-  name = "e57inspector";
-  meta.maintainers = with pkgs.lib.maintainers; [
-    nh2
-    chpatrick
-  ];
-
-  nodes.machine =
-    { ... }:
-    {
-      imports = [
-        ./common/x11.nix
-      ];
-
-      services.xserver.enable = true;
-      environment.systemPackages = [
-        pkgs.e57inspector
-        pkgs.xdotool
-      ];
-    };
-
-  testScript =
-    let
-      testFile = pkgs.fetchurl {
-        url = "https://raw.githubusercontent.com/asmaloney/libE57Format-test-data/bbcacec05d60f923869545c5eab33d94c390d50e/self/ColouredCubeFloat.e57";
-        hash = "sha256-bb95crNYvX3Qhkx4k6Sqe2GjOf1u4nxxswMfdjyXfTM=";
-      };
-    in
-    ''
-      start_all()
-      machine.wait_for_x()
-
-      machine.execute("e57inspector ${testFile} >&2 &")
-      machine.wait_until_succeeds("xdotool search --pid $(pidof .e57inspector-wrapped)")
-      machine.screenshot("screen")
-    '';
-}
--- a/nixos/tests/installed-tests/default.nix
+++ b/nixos/tests/installed-tests/default.nix
@@ -107,6 +107,7 @@ in
  gsconnect = callInstalledTest ./gsconnect.nix { };
  json-glib = callInstalledTest ./json-glib.nix { };
  ibus = callInstalledTest ./ibus.nix { };
+  libgdata = callInstalledTest ./libgdata.nix { };
  glib-testing = callInstalledTest ./glib-testing.nix { };
  libjcat = callInstalledTest ./libjcat.nix { };
  libxmlb = callInstalledTest ./libxmlb.nix { };
--- a/nixos/tests/installed-tests/libgdata.nix
+++ b/nixos/tests/installed-tests/libgdata.nix
@@ -0,0 +1,11 @@
+{ pkgs, makeInstalledTest, ... }:
+
+makeInstalledTest {
+  tested = pkgs.libgdata;
+
+  testConfig = {
+    # # GLib-GIO-DEBUG: _g_io_module_get_default: Found default implementation dummy (GDummyTlsBackend) for ‘gio-tls-backend’
+    # Bail out! libgdata:ERROR:../gdata/tests/common.c:134:gdata_test_init: assertion failed (child_error == NULL): TLS support is not available (g-tls-error-quark, 0)
+    services.gnome.glib-networking.enable = true;
+  };
+}
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@@ -1118,7 +1118,6 @@ let
        enableOCR = fallback;
        extraInstallerConfig = {
          boot.supportedFilesystems = [ "zfs" ];
-          networking.hostId = "00000000";
          environment.systemPackages = with pkgs; [ clevis ];
        };
        createPartitions = ''
--- a/nixos/tests/kmscon.nix
+++ b/nixos/tests/kmscon.nix
@@ -14,21 +14,17 @@

      services.getty.autologinUser = "alice";

-      hardware.graphics.enable = true;
-
-      fonts = {
-        fontconfig.enable = true;
-        packages = [ pkgs.nerd-fonts.jetbrains-mono ];
-      };
-
      services.kmscon = {
        enable = true;
+        hwRender = true;
+        fonts = [
+          {
+            name = "JetBrainsMono Nerd Font";
+            package = pkgs.nerd-fonts.jetbrains-mono;
+          }
+        ];
+        term = "xterm-256color";
        package = pkgs.kmscon;
-        config = {
-          font-name = "JetBrainsMono Nerd Font";
-          hwaccel = true;
-          term = "kmscon";
-        };
      };
    };

@@ -43,7 +39,7 @@
      machine.send_chars("echo $TERM | tee /tmp/term.txt\n")
      machine.wait_until_succeeds("test -s /tmp/term.txt")
      term = machine.succeed("cat /tmp/term.txt").strip()
-      assert term == "kmscon", f"Unexpected TERM value: {term!r}"
+      assert term == "xterm-256color", f"Unexpected TERM value: {term!r}"

      machine.screenshot("tty.png")
  '';
--- a/nixos/tests/logrotate.nix
+++ b/nixos/tests/logrotate.nix
@@ -66,10 +66,8 @@ in
            checkConf = {
              su = "root utmp";
              createolddir = "0750 root utmp";
-              "createolddir " = "0750";
              create = "root utmp";
              "create " = "0750 root utmp";
-              "create  " = "0750";
            };
            # multiple paths should be aggregated
            multipath = {
--- a/nixos/tests/rancher/auto-deploy.nix
+++ b/nixos/tests/rancher/auto-deploy.nix
@@ -275,16 +275,9 @@ in
            k3s = ''
              machine.wait_until_succeeds("kubectl -n kube-system rollout status deployment traefik")
            '';
-            rke2 =
-              # Starting from v1.36, RKE2 also uses traefik as default load balancer
-              if lib.versionAtLeast rancherPackage.version "1.36" then
-                ''
-                  machine.wait_until_succeeds("kubectl -n kube-system rollout status daemonset rke2-traefik")
-                ''
-              else
-                ''
-                  machine.wait_until_succeeds("kubectl -n kube-system rollout status daemonset rke2-ingress-nginx-controller")
-                '';
+            rke2 = ''
+              machine.wait_until_succeeds("kubectl -n kube-system rollout status daemonset rke2-ingress-nginx-controller")
+            '';
          }
          .${rancherDistro}
        }
--- a/nixos/tests/tranquil-pds.nix
+++ b/nixos/tests/tranquil-pds.nix
@@ -1,35 +0,0 @@
-{ lib, ... }:
-{
-  name = "tranquil-pds";
-
-  nodes.machine =
-    { pkgs, ... }:
-    {
-      services.tranquil-pds = {
-        enable = true;
-        database.createLocally = true;
-
-        settings = {
-          server = {
-            hostname = "pds";
-            port = 8080;
-          };
-
-          secrets = {
-            allow_insecure = true;
-            jwt_secret = "test-jwt-secret-must-be-32-chars-long";
-            dpop_secret = "test-dpop-secret-must-be-32-chars-long";
-            master_key = "test-master-key-must-be-32-chars-long";
-          };
-        };
-      };
-    };
-
-  testScript = ''
-    machine.wait_for_unit("tranquil-pds.service")
-    machine.wait_for_open_port(8080)
-    machine.succeed("curl --fail http://localhost:8080")
-  '';
-
-  meta.maintainers = with lib.maintainers; [ nelind ];
-}
--- a/pkgs/applications/audio/ladspa-plugins/default.nix
+++ b/pkgs/applications/audio/ladspa-plugins/default.nix
@@ -4,7 +4,7 @@
  fetchFromGitHub,
  autoreconfHook,
  automake,
-  fftwSinglePrec,
+  fftw,
  ladspa-header,
  libxml2,
  pkg-config,
@@ -39,9 +39,8 @@ stdenv.mkDerivation (finalAttrs: {
    perlPackages.perl
    perlPackages.XMLParser
  ];
-
  buildInputs = [
-    fftwSinglePrec
+    fftw
    ladspa-header
    libxml2
  ];
--- a/pkgs/applications/audio/mpg123/default.nix
+++ b/pkgs/applications/audio/mpg123/default.nix
@@ -21,11 +21,11 @@ assert withConplay -> !libOnly;

 stdenv.mkDerivation (finalAttrs: {
  pname = "${lib.optionalString libOnly "lib"}mpg123";
-  version = "1.33.4";
+  version = "1.33.5";

  src = fetchurl {
    url = "mirror://sourceforge/mpg123/mpg123-${finalAttrs.version}.tar.bz2";
-    hash = "sha256-OujJ/4Cpe/wOIuifvNdGh+yk/B2zFbEmB/J/ActaR9k=";
+    hash = "sha256-DX68jaCv88o4PIxrWmrb5ALuW7JWaFuMVJnzpzn51t0=";
  };

  outputs = [
--- a/pkgs/applications/audio/snapcast/default.nix
+++ b/pkgs/applications/audio/snapcast/default.nix
@@ -16,8 +16,7 @@
  soxr,
  aixlog,
  popl,
-  config,
-  pulseaudioSupport ? config.pulseaudio or stdenv.hostPlatform.isLinux,
+  pulseaudioSupport ? false,
  pipewireSupport ? stdenv.hostPlatform.isLinux,
  libpulseaudio,
  pipewire,
--- a/pkgs/applications/editors/vim/common.nix
+++ b/pkgs/applications/editors/vim/common.nix
@@ -4,7 +4,7 @@
  stdenv,
 }:
 rec {
-  version = "9.2.0389";
+  version = "9.2.0541";

  outputs = [
    "out"
@@ -15,7 +15,7 @@ rec {
    owner = "vim";
    repo = "vim";
    rev = "v${version}";
-    hash = "sha256-shhdJn1bPJ/68a54UZMn1fla7P4tjVUN4DGLbx3ohOg=";
+    hash = "sha256-M2vdIAM3P2MZdcMvFX/3/fixliTosR06nvPIX7NXFNo=";
  };

  enableParallelBuilding = true;
--- a/pkgs/applications/editors/vim/plugins/generated.nix
+++ b/pkgs/applications/editors/vim/plugins/generated.nix
@@ -15358,20 +15358,6 @@ final: prev: {
    meta.hydraPlatforms = [ ];
  };

-  reactive-nvim = buildVimPlugin {
-    pname = "reactive.nvim";
-    version = "1.2.1";
-    src = fetchFromGitHub {
-      owner = "rasulomaroff";
-      repo = "reactive.nvim";
-      tag = "v1.2.1";
-      hash = "sha256-LZCCboM/fw+Kw6wVskrPs6nr4SFLoD0pi6EMxSIGelw=";
-    };
-    meta.homepage = "https://github.com/rasulomaroff/reactive.nvim/";
-    meta.license = getLicenseFromSpdxId "Apache-2.0";
-    meta.hydraPlatforms = [ ];
-  };
-
  readline-vim = buildVimPlugin {
    pname = "readline.vim";
    version = "0-unstable-2023-03-09";
--- a/pkgs/applications/editors/vim/plugins/non-generated/fff-nvim/default.nix
+++ b/pkgs/applications/editors/vim/plugins/non-generated/fff-nvim/default.nix
@@ -13,18 +13,18 @@
  writableTmpDirAsHomeHook,
 }:
 let
-  version = "0.8.4";
+  version = "0.8.0";
  src = fetchFromGitHub {
    owner = "dmtrKovalenko";
    repo = "fff.nvim";
    tag = "v${version}";
-    hash = "sha256-w88NovzYVTiUVZmgvvmRvRq1didlbxMJYtKj1A3VB/Y=";
+    hash = "sha256-JbV2dTQhTyZgDZYvFoR1mz9CeM2IPv59Qmp2iiJC8a0=";
  };
  fff-nvim-lib = rustPlatform.buildRustPackage {
    pname = "fff-nvim-lib";
    inherit version src;

-    cargoHash = "sha256-2LGrohseOYdroUFY3cHy57HzgfS34CBuIbN1AFuYTUg=";
+    cargoHash = "sha256-L/Ens/wzw/jKaa1T3A2pLIBKs09saPEk/0bRhgRezPQ=";

    cargoBuildFlags = [
      "-p"
@@ -65,12 +65,9 @@ let
      openssl
    ];

+    # This test requires curl and GitHub access
    checkFlags = [
-      # This test requires curl and GitHub access
      "--skip=update_check::tests::test_update_check_end_to_end"
-
-      # This test depends on catching a race window and is not deterministic
-      "--skip=drop_during_post_scan_does_not_crash"
    ];

    env = {
--- a/pkgs/applications/editors/vim/plugins/overrides.nix
+++ b/pkgs/applications/editors/vim/plugins/overrides.nix
@@ -5791,12 +5791,6 @@ assertNoAdditions {
  vim-tabby = super.vim-tabby.overrideAttrs {
  };

-  vim-table-mode = super.vim-table-mode.overrideAttrs (old: {
-    meta = old.meta // {
-      license = lib.licenses.mit;
-    };
-  });
-
  vim-tabpagecd = super.vim-tabpagecd.overrideAttrs (old: {
    meta = old.meta // {
      license = lib.licenses.mit;
--- a/pkgs/applications/editors/vim/plugins/vim-plugin-names
+++ b/pkgs/applications/editors/vim/plugins/vim-plugin-names
@@ -1095,7 +1095,6 @@ https://github.com/winston0410/range-highlight.nvim/,,
 https://github.com/kelly-lin/ranger.nvim/,,
 https://github.com/rafaqz/ranger.vim/,,
 https://github.com/vim-scripts/rcshell.vim/,,
-https://github.com/rasulomaroff/reactive.nvim/,,
 https://github.com/ryvnf/readline.vim/,,
 https://github.com/theprimeagen/refactoring.nvim/,,
 https://github.com/mawkler/refjump.nvim/,,
--- a/pkgs/applications/editors/vscode/extensions/anthropic.claude-code/default.nix
+++ b/pkgs/applications/editors/vscode/extensions/anthropic.claude-code/default.nix
@@ -21,26 +21,26 @@ vscode-utils.buildVscodeMarketplaceExtension (finalAttrs: {
      sources = {
        "x86_64-linux" = {
          arch = "linux-x64";
-          hash = "sha256-fiPj/rkwNevJC2bTjRBkuhwdI3Sqgj3xsQB1yp6KxEM=";
+          hash = "sha256-cKQwDXdsaUI4pFF/DMa/8qLs9q3C1WwI47/otxKS+Ww=";
        };
        "aarch64-linux" = {
          arch = "linux-arm64";
-          hash = "sha256-NZy2I3cNZBM2oXUJ/mf56QW1edvcKu0HICAZq6VVF6U=";
+          hash = "sha256-2hOK3Hl5GDspu0oU0w2kqH324nOafRsKEoRCk2N6Nmw=";
        };
        "x86_64-darwin" = {
          arch = "darwin-x64";
-          hash = "sha256-admTed1OpngSd2BY368AkOQGWnVLX7KM4icgx2uNJYE=";
+          hash = "sha256-fw/WkYTeB7uh9ggEASmZIz636iuy0nDsIt/oU2DBfGo=";
        };
        "aarch64-darwin" = {
          arch = "darwin-arm64";
-          hash = "sha256-l39oH4LOgFrZ5598+YWvArIHrZHSz0NU9wOAMop7kNw=";
+          hash = "sha256-YwUoK12QEMasKl7GOTfHOnDgkg/NNBZMA29sx674XBc=";
        };
      };
    in
    {
      name = "claude-code";
      publisher = "anthropic";
-      version = "2.1.158";
+      version = "2.1.156";
    }
    // sources.${stdenvNoCC.hostPlatform.system}
      or (throw "Unsupported system ${stdenvNoCC.hostPlatform.system}");
--- a/pkgs/applications/editors/vscode/extensions/default.nix
+++ b/pkgs/applications/editors/vscode/extensions/default.nix
@@ -1007,8 +1007,8 @@ let
        mktplcRef = {
          name = "coder-remote";
          publisher = "coder";
-          version = "1.14.6";
-          hash = "sha256-dABM44pSD0srzNl6J+1OsqugWb++soVFmtEIzliByDs=";
+          version = "1.14.5";
+          hash = "sha256-08GsGOtgLhq5vLpQ9VDdVk/q5VSW6d7cXXflNQOpB50=";
        };
        meta = {
          description = "Extension for Visual Studio Code to open any Coder workspace in VS Code with a single click";
--- a/pkgs/applications/emulators/libretro/cores/gambatte.nix
+++ b/pkgs/applications/emulators/libretro/cores/gambatte.nix
@@ -5,13 +5,13 @@
 }:
 mkLibretroCore {
  core = "gambatte";
-  version = "0-unstable-2026-05-29";
+  version = "0-unstable-2026-05-15";

  src = fetchFromGitHub {
    owner = "libretro";
    repo = "gambatte-libretro";
-    rev = "589c29a07cd773315b6d5d350c3e050cbda7cd9d";
-    hash = "sha256-DEivvVqWMh/G9aqub3TzOjwcLcpNyEQzH9EZ29y3NIM=";
+    rev = "3262c2aa4adae8dba4f6d51cdd931c15cb11569f";
+    hash = "sha256-JPnpY/43XbT9QnvzrYPkZLCcM3hN+SoQTFZ8J/Dj+Oc=";
  };

  meta = {
--- a/pkgs/applications/emulators/libretro/cores/mame2010.nix
+++ b/pkgs/applications/emulators/libretro/cores/mame2010.nix
@@ -6,13 +6,13 @@
 }:
 mkLibretroCore {
  core = "mame2010";
-  version = "0-unstable-2026-05-23";
+  version = "0-unstable-2026-04-20";

  src = fetchFromGitHub {
    owner = "libretro";
    repo = "mame2010-libretro";
-    rev = "4679ae591ce39f3c0af492acd4a5b7319e9c2be5";
-    hash = "sha256-ZG1p0bcnt9Xv6dKLSDh49KTxA4ZmwO+s4hEVuozg1ak=";
+    rev = "cc63285e2109263da4eca0911ba07aec60b8109b";
+    hash = "sha256-vyOJNOnk74pvsfPq0Kg9ovQ/bS8R2ByA8SVMqixaueQ=";
  };

  makefile = "Makefile";
--- a/pkgs/applications/emulators/libretro/cores/opera.nix
+++ b/pkgs/applications/emulators/libretro/cores/opera.nix
@@ -6,13 +6,13 @@
 }:
 mkLibretroCore {
  core = "opera";
-  version = "0-unstable-2026-05-30";
+  version = "0-unstable-2026-04-10";

  src = fetchFromGitHub {
    owner = "libretro";
    repo = "opera-libretro";
-    rev = "d0a3b910f8bef6b8d48fb5eec4ad72ea5f022394";
-    hash = "sha256-OH9gkbMC4PJnpboiYrKV+XkQqq5ldq5tneyVJHfDzsM=";
+    rev = "4c4ca6bf741c40715723a8b8dae4b6187ff6ac30";
+    hash = "sha256-AcuqEuK3bz+WJ0r723+w6Y9WGuNs04zUOWlQ3aMXk/U=";
  };

  makefile = "Makefile";
--- a/pkgs/applications/emulators/libretro/cores/pcsx2.nix
+++ b/pkgs/applications/emulators/libretro/cores/pcsx2.nix
@@ -11,13 +11,13 @@
 }:
 mkLibretroCore {
  core = "pcsx2";
-  version = "0-unstable-2026-05-30";
+  version = "0-unstable-2026-05-13";

  src = fetchFromGitHub {
    owner = "libretro";
    repo = "ps2";
-    rev = "a1b104679bcf6a6cf943f1e9daee0e98515944c2";
-    hash = "sha256-NmVjqct6DaYdeAt/aMoHg0t5rs1k8srZ9JW6H5bGw5Y=";
+    rev = "2b9768b58e743b2e7586051e28896c98dc05fa4e";
+    hash = "sha256-Du+Z0gF5y5a91/bCfSY7ohubSn4JaaWxB3fkO4aE6e8=";
    fetchSubmodules = true;
  };

--- a/pkgs/applications/emulators/libretro/cores/play.nix
+++ b/pkgs/applications/emulators/libretro/cores/play.nix
@@ -14,13 +14,13 @@
 }:
 mkLibretroCore {
  core = "play";
-  version = "0-unstable-2026-05-28";
+  version = "0-unstable-2026-05-16";

  src = fetchFromGitHub {
    owner = "jpd002";
    repo = "Play-";
-    rev = "a14967a615ee278191a6a8c1f4f5171b660a170c";
-    hash = "sha256-gGCcr5yOnoP9EdP4fDM12dyEvNOPisBI+r+tGvezXi0=";
+    rev = "e62ea293ba347dc1fd9d387458d8262bc122053f";
+    hash = "sha256-V0ItXRD1YO7jq/SNoXOh7ZhpWwx9oFs3muIUkzj8FHE=";
    fetchSubmodules = true;
  };

--- a/pkgs/applications/graphics/gimp/2.0/default.nix
+++ b/pkgs/applications/graphics/gimp/2.0/default.nix
@@ -264,16 +264,9 @@ stdenv.mkDerivation (finalAttrs: {
  passthru = {
    # The declarations for `gimp-with-plugins` wrapper,
    # used for determining plug-in installation paths
-    apiVersion = "${
-      toString (
-        lib.toInt (lib.versions.major finalAttrs.version)
-        + (if lib.versions.minor finalAttrs.version == "99" then 1 else 0)
-      )
-    }.0";
-    appVersion = lib.versions.majorMinor finalAttrs.version;
-    majorVersion = lib.warn "gimp2.majorVersion is deprecated in favour of gimp2.apiVersion and gimp2.appVersion" finalAttrs.passthru.apiVersion;
-    targetLibDir = "lib/gimp/${finalAttrs.passthru.apiVersion}";
-    targetDataDir = "share/gimp/${finalAttrs.passthru.apiVersion}";
+    majorVersion = "${lib.versions.major finalAttrs.version}.0";
+    targetLibDir = "lib/gimp/${finalAttrs.passthru.majorVersion}";
+    targetDataDir = "share/gimp/${finalAttrs.passthru.majorVersion}";
    targetPluginDir = "${finalAttrs.passthru.targetLibDir}/plug-ins";
    targetScriptDir = "${finalAttrs.passthru.targetDataDir}/scripts";

--- a/pkgs/applications/graphics/gimp/default.nix
+++ b/pkgs/applications/graphics/gimp/default.nix
@@ -60,7 +60,7 @@
  gexiv2,
  harfbuzz,
  makeFontsConf,
-  mypaint-brushes,
+  mypaint-brushes1,
  libwebp,
  libheif,
  gjs,
@@ -71,6 +71,7 @@
  adwaita-icon-theme,
  alsa-lib,
  desktopToDarwinBundle,
+  fetchpatch,
  qoi,
 }:

@@ -83,7 +84,7 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
  pname = "gimp";
-  version = "3.2.4";
+  version = "3.0.8";

  outputs = [
    "out"
@@ -94,7 +95,7 @@ stdenv.mkDerivation (finalAttrs: {

  src = fetchurl {
    url = "https://download.gimp.org/gimp/v${lib.versions.majorMinor finalAttrs.version}/gimp-${finalAttrs.version}.tar.xz";
-    hash = "sha256-cxK8U+nG0tAFbKe5PxxrmHB5Rt2TT3FMIbh0bstgFYg=";
+    hash = "sha256-/rSYrMAbJoJ8/x/5Wqj7gs3Wpg16v3c8/NGavq/KM4Y=";
  };

  patches = [
@@ -117,6 +118,31 @@ stdenv.mkDerivation (finalAttrs: {
    (replaceVars ./tests-dbus-conf.patch {
      session_conf = "${dbus.out}/share/dbus-1/session.conf";
    })
+
+    # Allow calling tests from other directories.
+    # Required for the next patch.
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/GNOME/gimp/-/commit/fd58ab3bee7a79cb0a7870c6858f3b64c84a7917.patch";
+      hash = "sha256-fpysKWwt5rilqp7ukdWx7kutkDquL/6YhYjR1zQfu/Q=";
+    })
+
+    # Do not go through ui for save-and-export test.
+    # https://gitlab.gnome.org/GNOME/gimp/-/issues/15763
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/GNOME/gimp/-/commit/608ad0a528b5b31101c021d96aeb95558d207497.patch";
+      hash = "sha256-0oA5u+uAT0l3WT90fy0RGOR8xy/fGIHevBb69oUzfGs=";
+      excludes = [
+        # Other changes would prevent deletion, removing it from build is sufficient.
+        "app/tests/test-save-and-export.c"
+      ];
+    })
+
+    # Disable broken UI tests.
+    # https://gitlab.gnome.org/GNOME/gimp/-/issues/15763
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/GNOME/gimp/-/commit/c34fe3e94f1019eafcb38edf1c07bff12a57431e.patch";
+      hash = "sha256-yVauEpoGEOIfCXnGnWMGWjXbIDizDhJ3hipeCy3XSBM=";
+    })
  ];

  nativeBuildInputs = [
@@ -190,7 +216,7 @@ stdenv.mkDerivation (finalAttrs: {
    libxmu
    glib-networking
    libmypaint
-    mypaint-brushes
+    mypaint-brushes1
    qoi

    # New file dialogue crashes with “Icon 'image-missing' not present in theme Symbolic” without an icon theme.
@@ -259,9 +285,19 @@ stdenv.mkDerivation (finalAttrs: {

    # GIMP is executed at build time so we need to fix this.
    # TODO: Look into if we can fix the interp thing.
-    chmod +x plug-ins/python/{colorxhtml,file-openraster,foggify,gradients-save-as-css,histogram-export,palette-export-as-kpl,palette-offset,palette-sort,palette-to-gradient,python-eval,spyro-plus}.py
+    chmod +x plug-ins/python/{colorxhtml,file-openraster,foggify,gradients-save-as-css,histogram-export,palette-offset,palette-sort,palette-to-gradient,python-eval,spyro-plus}.py
    patchShebangs \
-      plug-ins/python/{colorxhtml,file-openraster,foggify,gradients-save-as-css,histogram-export,palette-export-as-kpl,palette-offset,palette-sort,palette-to-gradient,python-eval,spyro-plus}.py
+      plug-ins/python/{colorxhtml,file-openraster,foggify,gradients-save-as-css,histogram-export,palette-offset,palette-sort,palette-to-gradient,python-eval,spyro-plus}.py
+
+    # Use Python from environment not from Meson.
+    # https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2607
+    substituteInPlace meson.build \
+      --replace-fail "import('python').find_installation()" "import('python').find_installation('python3')"
+
+    # Broken test
+    # https://github.com/NixOS/nixpkgs/pull/484971#issuecomment-3846759517
+    substituteInPlace app/tests/meson.build \
+      --replace-fail "{${"\n"}    'name': 'save-and-export',${"\n"}  }${"\n"}" ""
  '';

  preBuild =
@@ -318,16 +354,9 @@ stdenv.mkDerivation (finalAttrs: {
  passthru = {
    # The declarations for `gimp-with-plugins` wrapper,
    # used for determining plug-in installation paths
-    apiVersion = "${
-      toString (
-        lib.toInt (lib.versions.major finalAttrs.version)
-        + (if lib.versions.minor finalAttrs.version == "99" then 1 else 0)
-      )
-    }.0";
-    appVersion = lib.versions.majorMinor finalAttrs.version;
-    majorVersion = lib.warn "gimp.majorVersion is deprecated in favour of gimp.apiVersion and gimp.appVersion" finalAttrs.passthru.apiVersion;
-    targetLibDir = "lib/gimp/${finalAttrs.passthru.apiVersion}";
-    targetDataDir = "share/gimp/${finalAttrs.passthru.apiVersion}";
+    majorVersion = "${lib.versions.major finalAttrs.version}.0";
+    targetLibDir = "lib/gimp/${finalAttrs.passthru.majorVersion}";
+    targetDataDir = "share/gimp/${finalAttrs.passthru.majorVersion}";
    targetPluginDir = "${finalAttrs.passthru.targetLibDir}/plug-ins";
    targetScriptDir = "${finalAttrs.passthru.targetDataDir}/scripts";

@@ -339,10 +368,7 @@ stdenv.mkDerivation (finalAttrs: {
    description = "GNU Image Manipulation Program";
    homepage = "https://www.gimp.org/";
    donationPage = "https://www.gimp.org/donating/";
-    maintainers = with lib.maintainers; [
-      jtojnar
-      bddvlpr
-    ];
+    maintainers = with lib.maintainers; [ jtojnar ];
    license = lib.licenses.gpl3Plus;
    platforms = lib.platforms.linux;
    # Build invokes built binary to convert assets, binary hangs during plugin loading on big-endian platforms (s390x, ppc64)
--- a/pkgs/applications/graphics/gimp/plugins/default.nix
+++ b/pkgs/applications/graphics/gimp/plugins/default.nix
@@ -13,10 +13,12 @@ let
    stdenv
    fetchurl
    fetchpatch
+    fetchpatch2
    pkg-config
    intltool
    glib
    fetchFromGitHub
+    fetchFromGitLab
    ;

  # We cannot use gimp from the arguments directly, or it would be shadowed by the one
@@ -142,7 +144,7 @@ lib.makeScope pkgs.newScope (
      installTargets = [ "install-admin" ];

      meta = {
-        broken = gimp.apiVersion != "2.0";
+        broken = gimp.majorVersion != "2.0";
        description = "Batch Image Manipulation Plugin for GIMP";
        homepage = "https://github.com/alessandrofrancesconi/gimp-plugin-bimp";
        license = lib.licenses.gpl2Plus;
@@ -166,7 +168,7 @@ lib.makeScope pkgs.newScope (
      '';

      meta = {
-        broken = gimp.apiVersion != "2.0";
+        broken = gimp.majorVersion != "2.0";
        description = "Gimp plug-in for the farbfeld image format";
        homepage = "https://github.com/ids1024/gimp-farbfeld";
        license = lib.licenses.mit;
@@ -206,7 +208,7 @@ lib.makeScope pkgs.newScope (
      '';

      meta = {
-        broken = gimp.apiVersion != "2.0";
+        broken = gimp.majorVersion != "2.0";
        description = "GIMP plug-in to do the fourier transform";
        homepage = "https://people.via.ecp.fr/~remi/soft/gimp/gimp_plugin_en.php3#fourier";
        license = with lib.licenses; [ gpl3Plus ];
@@ -263,7 +265,7 @@ lib.makeScope pkgs.newScope (
      ];

      meta = {
-        broken = gimp.apiVersion != "2.0";
+        broken = gimp.majorVersion != "2.0";
      };
    };

@@ -291,7 +293,7 @@ lib.makeScope pkgs.newScope (
      installPhase = "installPlugin src/wavelet-sharpen"; # TODO translations are not copied .. How to do this on nix?

      meta = {
-        broken = gimp.apiVersion != "2.0";
+        broken = gimp.majorVersion != "2.0";
      };
    };

@@ -320,7 +322,7 @@ lib.makeScope pkgs.newScope (
      ];

      meta = {
-        broken = gimp.apiVersion != "2.0";
+        broken = gimp.majorVersion != "2.0";
      };
    };

@@ -354,7 +356,7 @@ lib.makeScope pkgs.newScope (
    ";

      meta = {
-        broken = gimp.apiVersion != "2.0";
+        broken = gimp.majorVersion != "2.0";
        description = "GIMP plugin to correct lens distortion using the lensfun library and database";

        homepage = "http://lensfun.sebastiankraft.net/";
--- a/pkgs/applications/graphics/gimp/wrapper.nix
+++ b/pkgs/applications/graphics/gimp/wrapper.nix
@@ -15,9 +15,11 @@ let
  selectedPlugins = lib.filter (pkg: pkg != gimp) (if plugins == null then allPlugins else plugins);
  extraArgs =
    map (x: x.wrapArgs or "") selectedPlugins
-    ++ lib.optionals (gimp.apiVersion == "2.0") [
+    ++ lib.optionals (gimp.majorVersion == "2.0") [
      ''--prefix GTK_PATH : "${gnome-themes-extra}/lib/gtk-2.0"''
    ];
+  exeVersion =
+    if gimp.majorVersion == "2.0" then lib.versions.majorMinor gimp.version else gimp.majorVersion;
  majorVersion = lib.versions.major gimp.version;

 in
@@ -35,7 +37,7 @@ symlinkJoin {
  nativeBuildInputs = [ makeWrapper ];

  postBuild = ''
-    for each in gimp-${gimp.appVersion} gimp-console-${gimp.appVersion}; do
+    for each in gimp-${exeVersion} gimp-console-${exeVersion}; do
      wrapProgram $out/bin/$each \
        --set GIMP${majorVersion}_PLUGINDIR "$out/${gimp.targetLibDir}" \
        --set GIMP${majorVersion}_DATADIR "$out/${gimp.targetDataDir}" \
@@ -43,7 +45,7 @@ symlinkJoin {
    done
    set +x
    for each in gimp gimp-console; do
-      ln -sf "$each-${gimp.appVersion}" $out/bin/$each
+      ln -sf "$each-${exeVersion}" $out/bin/$each
    done

    ln -s ${gimp.man} $man
--- a/pkgs/applications/misc/cambrinary/default.nix
+++ b/pkgs/applications/misc/cambrinary/default.nix
@@ -1,10 +1,13 @@
 {
  lib,
-  python3Packages,
+  buildPythonApplication,
  fetchFromGitHub,
+  flit,
+  aiohttp,
+  beautifulsoup4,
 }:

-python3Packages.buildPythonApplication {
+buildPythonApplication {
  pname = "cambrinary";
  version = "unstable-2023-07-16";
  pyproject = true;
@@ -16,11 +19,11 @@ python3Packages.buildPythonApplication {
    hash = "sha256-wDcvpKAY/6lBjO5h3qKH3+Y2G2gm7spcKCXFMt/bAtE=";
  };

-  build-system = with python3Packages; [
+  nativeBuildInputs = [
    flit
  ];

-  dependencies = with python3Packages; [
+  propagatedBuildInputs = [
    aiohttp
    beautifulsoup4
  ];
--- a/pkgs/applications/misc/johnny-reborn/default.nix
+++ b/pkgs/applications/misc/johnny-reborn/default.nix
--- a/pkgs/applications/misc/johnny-reborn/with-data.nix
+++ b/pkgs/applications/misc/johnny-reborn/with-data.nix
--- a/pkgs/applications/misc/ola/default.nix
+++ b/pkgs/applications/misc/ola/default.nix
@@ -9,7 +9,7 @@
  libftdi1,
  libuuid,
  cppunit,
-  protobuf_21,
+  protobuf,
  zlib,
  avahi,
  libmicrohttpd,
@@ -18,14 +18,14 @@
  fetchpatch,
 }:

-stdenv.mkDerivation (finalAttrs: {
+stdenv.mkDerivation rec {
  pname = "ola";
  version = "0.10.9";

  src = fetchFromGitHub {
    owner = "OpenLightingProject";
    repo = "ola";
-    tag = finalAttrs.version;
+    tag = version;
    hash = "sha256-8w8ZT3D/+8Pxl9z2KTXeydVxE5xiPjxZevgmMFgrblU=";
  };
  patches = [
@@ -47,14 +47,14 @@ stdenv.mkDerivation (finalAttrs: {
    libftdi1
    libuuid
    cppunit
-    protobuf_21
+    protobuf
    zlib
    avahi
    libmicrohttpd
    python3
  ];
  propagatedBuildInputs = [
-    (python3.pkgs.protobuf4.override { protobuf = protobuf_21; })
+    (python3.pkgs.protobuf4.override { protobuf = protobuf; })
    python3.pkgs.numpy
  ];

@@ -73,4 +73,4 @@ stdenv.mkDerivation (finalAttrs: {
    ];
    platforms = lib.platforms.all;
  };
-})
+}
--- a/pkgs/applications/misc/twitch-chat-downloader/default.nix
+++ b/pkgs/applications/misc/twitch-chat-downloader/default.nix
@@ -1,13 +1,16 @@
 {
  lib,
-  python3Packages,
+  buildPythonApplication,
  fetchFromGitHub,
+  iso8601,
+  progressbar2,
+  requests,
 }:

-python3Packages.buildPythonApplication (finalAttrs: {
+buildPythonApplication rec {
  pname = "twitch-chat-downloader";
  version = "2.5.5";
-  pyproject = true;
+  format = "setuptools";

  # NOTE: Using maintained fork because upstream has stopped working, and it has
  # not been updated in a while.
@@ -15,12 +18,10 @@ python3Packages.buildPythonApplication (finalAttrs: {
  src = fetchFromGitHub {
    owner = "TheDrHax";
    repo = "twitch-chat-downloader";
-    rev = finalAttrs.version;
+    rev = version;
    hash = "sha256-9wIp0uttVBOdexOMb8VvpUEEdZ97SGSlZcFQ4jM/tqM=";
  };

-  build-system = [ python3Packages.setuptools ];
-
  postPatch = ''
    # Update client ID for Twitch changes
    # See: <https://github.com/TheDrHax/Twitch-Chat-Downloader/pull/16>
@@ -28,7 +29,7 @@ python3Packages.buildPythonApplication (finalAttrs: {
      --replace-fail jzkbprff40iqj646a697cyrvl0zt2m6 kd1unb4b3q4t58fwlpcbzcbnm76a8fp
  '';

-  dependencies = with python3Packages; [
+  propagatedBuildInputs = [
    iso8601
    progressbar2
    requests
@@ -45,4 +46,4 @@ python3Packages.buildPythonApplication (finalAttrs: {
    license = lib.licenses.mit;
    maintainers = with lib.maintainers; [ assistant ];
  };
-})
+}
--- a/pkgs/applications/misc/zathura/core/default.nix
+++ b/pkgs/applications/misc/zathura/core/default.nix
@@ -28,16 +28,12 @@
  librsvg,
  gtk-mac-integration,
  webp-pixbuf-loader,
-  versionCheckHook,
 }:

 stdenv.mkDerivation (finalAttrs: {
  pname = "zathura";
  version = "2026.05.20";

-  strictDeps = true;
-  __structuredAttrs = true;
-
  src = fetchFromGitHub {
    owner = "pwmt";
    repo = "zathura";
@@ -106,9 +102,6 @@ stdenv.mkDerivation (finalAttrs: {

  doCheck = !stdenv.hostPlatform.isDarwin;

-  nativeInstallCheckInputs = [ versionCheckHook ];
-  doInstallCheck = true;
-
  passthru.updateScript = gitUpdater { };

  meta = {
@@ -117,6 +110,5 @@ stdenv.mkDerivation (finalAttrs: {
    license = lib.licenses.zlib;
    platforms = lib.platforms.unix;
    maintainers = with lib.maintainers; [ mithicspirit ];
-    mainProgram = "zathura";
  };
 })
--- a/pkgs/applications/networking/browsers/firefox/wrapper.nix
+++ b/pkgs/applications/networking/browsers/firefox/wrapper.nix
@@ -228,7 +228,7 @@ let
          terminal = false;
        }
        // (
-          if lib.strings.hasPrefix "thunderbird" libName then
+          if libName == "thunderbird" then
            {
              genericName = "Email Client";
              comment = "Read and write e-mails or RSS feeds, or manage tasks on calendars.";
@@ -413,7 +413,7 @@ let
          done

          # Disable update checks
-          touch "$out/${libDir}/is-packaged-app"
+          touch $out/${libDir}/is-packaged-app

          cd "$out"

--- a/pkgs/applications/networking/cluster/rke2/1_36/images-versions.json
+++ b/pkgs/applications/networking/cluster/rke2/1_36/images-versions.json
@@ -1,138 +0,0 @@
-{
-  "images-calico-linux-amd64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-calico.linux-amd64.tar.gz",
-    "sha256": "bc9fb1ba72af6185de90e4e0f8a384993657c4b0fdedbb14e7ca5cf93bf2303d"
-  },
-  "images-calico-linux-amd64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-calico.linux-amd64.tar.zst",
-    "sha256": "38fc5ecd017e9a66e3831ece42efedcfedaafc000759eaa4fb9f19a68122ec51"
-  },
-  "images-calico-linux-arm64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-calico.linux-arm64.tar.gz",
-    "sha256": "e86ac7f4cf14e4f02fcdd0e3d74e832fa43654f592068c2b5d8c044c69e2b749"
-  },
-  "images-calico-linux-arm64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-calico.linux-arm64.tar.zst",
-    "sha256": "03df93db61bc54f351bb6131c632279c265d4b71af0a90e2a6898f9b99b453f4"
-  },
-  "images-canal-linux-amd64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-canal.linux-amd64.tar.gz",
-    "sha256": "5cce5314ed6ff237c646723456c81876e89517b9164368728a9df00697655858"
-  },
-  "images-canal-linux-amd64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-canal.linux-amd64.tar.zst",
-    "sha256": "3a7828ce0143c3eb91cae940cebdfa0145960e91be056e88a8b077ee39ccc54d"
-  },
-  "images-canal-linux-arm64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-canal.linux-arm64.tar.gz",
-    "sha256": "e8346348137747fbd626846e5b71d182c49e8a1dcb997ea9e91f50e7bd907129"
-  },
-  "images-canal-linux-arm64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-canal.linux-arm64.tar.zst",
-    "sha256": "ede6d29451a99d7f4663b6a2b8eb0cfa093f83b7b025fd5c4899fb02edac703d"
-  },
-  "images-cilium-linux-amd64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-cilium.linux-amd64.tar.gz",
-    "sha256": "8c52261340b4af54186f83d2913c676a2dcef820f25a1b42b8c51cfef1dcdbc6"
-  },
-  "images-cilium-linux-amd64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-cilium.linux-amd64.tar.zst",
-    "sha256": "865913456dc55b2ba4748b0fe76489e4960a60990f207341c66bcbf9e93e95b3"
-  },
-  "images-cilium-linux-arm64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-cilium.linux-arm64.tar.gz",
-    "sha256": "4170bfc7d0ebf9167a94d24e393fbff0fc7dce4da1443257709fdbe603ffc579"
-  },
-  "images-cilium-linux-arm64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-cilium.linux-arm64.tar.zst",
-    "sha256": "016caf748e5c39460b9618d998d261c7db8fe8348f9fa43d35693a47d4913b86"
-  },
-  "images-core-linux-amd64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-core.linux-amd64.tar.gz",
-    "sha256": "03a72f2c228131b7cb616c5b7758cd1c00b7f3e7d589573c5faf837e4e2ab764"
-  },
-  "images-core-linux-amd64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-core.linux-amd64.tar.zst",
-    "sha256": "37acd15d183693fb0bb465840590593ed78d72415752a052d282a418fdb905cf"
-  },
-  "images-core-linux-arm64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-core.linux-arm64.tar.gz",
-    "sha256": "4798bf3293e7b5b62e694bee8a811c3ace86bb5c7516c9f196a4ba48dc947c3f"
-  },
-  "images-core-linux-arm64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-core.linux-arm64.tar.zst",
-    "sha256": "ff8c770fa2b17151e333a0a4449bc4dc3cd5c65662ec88b2ffc31fde6a40d0ed"
-  },
-  "images-flannel-linux-amd64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-flannel.linux-amd64.tar.gz",
-    "sha256": "0e5c71c9ecd89f11bb1cc0ea72a0297090e7a44395efe5fd74e14af3db3581a8"
-  },
-  "images-flannel-linux-amd64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-flannel.linux-amd64.tar.zst",
-    "sha256": "23695fd8c2a77f043a089c44437d12b5bde88422dbcd1d70edcda7a78f651137"
-  },
-  "images-flannel-linux-arm64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-flannel.linux-arm64.tar.gz",
-    "sha256": "d9f75aaace63bcba2cbaeba2662d9877d39ec822621fd96824e9ec3fbe62a79c"
-  },
-  "images-flannel-linux-arm64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-flannel.linux-arm64.tar.zst",
-    "sha256": "8aa8e19b739bc3fd897115f92d54acd081453441ee4dae8ca694ec47662838a7"
-  },
-  "images-harvester-linux-amd64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-harvester.linux-amd64.tar.gz",
-    "sha256": "c9442d489c4170fc515d04c2c5c7c76ff3ca2fb4093a94aea0d0a6fb1719c5d3"
-  },
-  "images-harvester-linux-amd64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-harvester.linux-amd64.tar.zst",
-    "sha256": "9551558d7baba1a78de7954f4801cf4329b5fb5ffd0cc3566b9fa32732ff950c"
-  },
-  "images-harvester-linux-arm64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-harvester.linux-arm64.tar.gz",
-    "sha256": "11ea150625fc1a4700cec2859367692d533f7f9288f7196b331a77682766d742"
-  },
-  "images-harvester-linux-arm64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-harvester.linux-arm64.tar.zst",
-    "sha256": "045db3938a0a11f6d5b4936f63471fec48fd76d29ef85e9cfe6bae5bddd8525e"
-  },
-  "images-ingress-nginx-linux-amd64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-ingress-nginx.linux-amd64.tar.gz",
-    "sha256": "0af77531d170d30b844518bb4665b29f3f386cf160f7c2b955467516f4d04dc3"
-  },
-  "images-ingress-nginx-linux-amd64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-ingress-nginx.linux-amd64.tar.zst",
-    "sha256": "d5b7d3f12de0799cebf84fc6260fc4f093f2837c5fef6fc84849d8f1da5cbc22"
-  },
-  "images-ingress-nginx-linux-arm64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-ingress-nginx.linux-arm64.tar.gz",
-    "sha256": "8c5d5eea216102e5dd07621671f2e462dfade184f20c81adb8facbaa58e59c2c"
-  },
-  "images-ingress-nginx-linux-arm64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-ingress-nginx.linux-arm64.tar.zst",
-    "sha256": "363f42d83118e3398e72996f6b42477230000ffd50d93fdda570140ea020539b"
-  },
-  "images-multus-linux-amd64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-multus.linux-amd64.tar.gz",
-    "sha256": "ec3d8557e36db43acd9a76c38242de6feea354e41ae3ff8b9ab55de82ee19026"
-  },
-  "images-multus-linux-amd64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-multus.linux-amd64.tar.zst",
-    "sha256": "8be7075092a5e179e50fb526ea730018103d9f8a609f22f0d1431482690a9d7f"
-  },
-  "images-multus-linux-arm64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-multus.linux-arm64.tar.gz",
-    "sha256": "caebabf77d9d3190d76156990d8eaa0c2df5cb563a8447f1e506b50f4104e1a0"
-  },
-  "images-multus-linux-arm64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-multus.linux-arm64.tar.zst",
-    "sha256": "39bd89d250894254f7c1f9b061401a574716574ab3f51cc3a82c03eb4e804825"
-  },
-  "images-vsphere-linux-amd64-tar-gz": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-vsphere.linux-amd64.tar.gz",
-    "sha256": "d07ed8b72db67fae9024540fca3eed7990b4a4b3a7ba6eef78a2eae8e6b3b4d3"
-  },
-  "images-vsphere-linux-amd64-tar-zst": {
-    "url": "https://github.com/rancher/rke2/releases/download/v1.36.1%2Brke2r1/rke2-images-vsphere.linux-amd64.tar.zst",
-    "sha256": "4cd43197b21bd1344c0a7e87a7f28c8766b3edfab8e2fb2bb6954d144f3b44a7"
-  }
-}
--- a/pkgs/applications/networking/cluster/rke2/1_36/versions.nix
+++ b/pkgs/applications/networking/cluster/rke2/1_36/versions.nix
@@ -1,13 +0,0 @@
-{
-  rke2Version = "1.36.1+rke2r1";
-  rke2Commit = "b4a8e78038f35eb282a8d6e3c29797a1181fa961";
-  rke2TarballHash = "sha256-SD7+lNYu6/5iMxEmHEpkD8g9UCgN6gjkFsGdQn9o1Cc=";
-  rke2VendorHash = "sha256-gUgRAC9yKDa8JYb/jdCxZdP6500XxjqHprmYlPv5A8c=";
-  k8sImageTag = "v1.36.1-rke2r1-build20260512";
-  etcdVersion = "v3.6.7-k3s1-build20260512";
-  pauseVersion = "3.6";
-  ccmVersion = "v1.36.0-rc2.0.20260427154526-d239025e2a23-build20260429";
-  dockerizedVersion = "v1.36.1-rke2r1";
-  helmJobVersion = "v0.10.0-build20260513";
-  imagesVersions = with builtins; fromJSON (readFile ./images-versions.json);
-}
--- a/pkgs/applications/networking/cluster/rke2/builder.nix
+++ b/pkgs/applications/networking/cluster/rke2/builder.nix
@@ -46,7 +46,6 @@ lib:
  nixosTests,
 }:
 buildGoModule (finalAttrs: {
-  __structuredAttrs = true;
  pname = "rke2";
  version = rke2Version;

--- a/pkgs/applications/networking/cluster/rke2/default.nix
+++ b/pkgs/applications/networking/cluster/rke2/default.nix
@@ -11,9 +11,7 @@ rec {

  rke2_1_35 = common (import ./1_35/versions.nix) extraArgs;

-  rke2_1_36 = common (import ./1_36/versions.nix) extraArgs;
-
  # Automatically set by update script, changes shouldn't be backported
  rke2_stable = rke2_1_35;
-  rke2_latest = rke2_1_36;
+  rke2_latest = rke2_1_35;
 }
--- a/pkgs/applications/networking/cluster/terraform-providers/providers.json
+++ b/pkgs/applications/networking/cluster/terraform-providers/providers.json
@@ -292,11 +292,11 @@
    "vendorHash": "sha256-tgo9FxqMZOZw4ZKULOz6CbZ8oJfEFfjdFffiWjjkc0Y="
  },
  "datadrivers_nexus": {
-    "hash": "sha256-gwExaFhOoJFrAhH91oZEp1AFvI7kgWekp655zd4tyd8=",
+    "hash": "sha256-yfxlDln4brI8QTFnhVsNOO3vRiqft3YWytvy2GMNBdY=",
    "homepage": "https://registry.terraform.io/providers/datadrivers/nexus",
    "owner": "datadrivers",
    "repo": "terraform-provider-nexus",
-    "rev": "v2.8.0",
+    "rev": "v2.7.1",
    "spdx": "MPL-2.0",
    "vendorHash": "sha256-2nNvLu2jicDUxiIi53qxtc6rvZQ+IEtW+LbRPYChfQE="
  },
@@ -373,13 +373,13 @@
    "vendorHash": "sha256-RtS88NqkO1nG/8znM0sQqsAIfDc+sOMy8N4T4hmvaVA="
  },
  "e-breuninger_netbox": {
-    "hash": "sha256-04k9lKwoczptgoMW5C8EitP/u/Joi4/OCd3+I+nr5pc=",
+    "hash": "sha256-hY3XZFMP1qT4mHJpxsVSGsyd025NOeJogbh2m9hk7qE=",
    "homepage": "https://registry.terraform.io/providers/e-breuninger/netbox",
    "owner": "e-breuninger",
    "repo": "terraform-provider-netbox",
-    "rev": "v5.4.0",
+    "rev": "v5.3.0",
    "spdx": "MPL-2.0",
-    "vendorHash": "sha256-RWoe4QQE55lW+B20uDJt0qX3Om/oc3em3LXhN+cBoUY="
+    "vendorHash": "sha256-5IZeoZpZj4vgAlyxbycs+IPeOEBS1tw3tM/7zoT4DCg="
  },
  "equinix_equinix": {
    "hash": "sha256-Tn8CnLx2ibkj7qlzpYCX7Cm+yoTcZujVELMJSbG+/ec=",
@@ -508,13 +508,13 @@
    "vendorHash": "sha256-ikBqIxD5aTOcwNHCMN6EaOwSHCAP5n/SULuqQXPLpOc="
  },
  "hashicorp_aws": {
-    "hash": "sha256-fjQPwnZeqYyP9Dh4QtnzFl6wNmuj/33nZAKPPpyQBcg=",
+    "hash": "sha256-dC3oeVzd8H7Ni9NvApkjmDpVWdx/XgirhI7Rf5ECGBE=",
    "homepage": "https://registry.terraform.io/providers/hashicorp/aws",
    "owner": "hashicorp",
    "repo": "terraform-provider-aws",
-    "rev": "v6.47.0",
+    "rev": "v6.46.0",
    "spdx": "MPL-2.0",
-    "vendorHash": "sha256-XnVGjEz4mxqkNFrvgpRQ4W9s+j03mk0NTgEx4p5Z6qk="
+    "vendorHash": "sha256-ieYDog2HS8OwfKvzPIsXZcSAsT7D9qzXPXuHhtfthV0="
  },
  "hashicorp_awscc": {
    "hash": "sha256-kpLC5NdlpBNXj2V0hR8ZvsJjyVgKCXFt7xK8Z7AOyoQ=",
@@ -715,13 +715,13 @@
    "vendorHash": null
  },
  "hetznercloud_hcloud": {
-    "hash": "sha256-yIzI1p4U8klNqqFqiMuKhVb8njoslJ+vDXFOv+9EmFw=",
+    "hash": "sha256-oU5XdhAl8/YEIEOF6TxpNEyffLYMrOgWv1D6oJNzJ8Q=",
    "homepage": "https://registry.terraform.io/providers/hetznercloud/hcloud",
    "owner": "hetznercloud",
    "repo": "terraform-provider-hcloud",
-    "rev": "v1.64.0",
+    "rev": "v1.63.0",
    "spdx": "MPL-2.0",
-    "vendorHash": "sha256-f49amYWzWSG9tzY6wvpxtTFiyJ8zC/Lc1hIQtzdgJRs="
+    "vendorHash": "sha256-L+T14UUCEUDbpd8UzKAsDzhpXKTmeUwC1XMnwWK4Z8Y="
  },
  "huaweicloud_huaweicloud": {
    "hash": "sha256-CtqPtXccE6I+yDj/7XbjbACMwCGMv+pSEIa5DVh+AGo=",
@@ -1013,13 +1013,13 @@
    "vendorHash": "sha256-/4mktOn7qjWIkpyqeEW4vzY0w0pG+0qx7KRYBkE1IkQ="
  },
  "okta_okta": {
-    "hash": "sha256-3zuD+R1fUAFJ3pvzzHmN92RGGiWLYpnGOJXSsv89Les=",
+    "hash": "sha256-Skp7GSfQSTBLOFoGlU3/TmzMqyZ8j7qYzlyuBYzBiB4=",
    "homepage": "https://registry.terraform.io/providers/okta/okta",
    "owner": "okta",
    "repo": "terraform-provider-okta",
-    "rev": "v6.11.0",
+    "rev": "v6.10.0",
    "spdx": "MPL-2.0",
-    "vendorHash": "sha256-/IbzilmyVTZh7qWogtXd+/Y7UJdjsQaf7Yjhi1fU1Vc="
+    "vendorHash": "sha256-0NaqVCibwiK7WY6hIFGd2kB/okyh6ZsZ+BAe5mGP38A="
  },
  "oktadeveloper_oktaasa": {
    "hash": "sha256-2LhxgowqKvDDDOwdznusL52p2DKP+UiXALHcs9ZQd0U=",
@@ -1319,11 +1319,11 @@
    "vendorHash": "sha256-omxEb+ntQuHDfS2Rmt0rj0BF0Q2T8DLhobLua2uU/0o="
  },
  "tencentcloudstack_tencentcloud": {
-    "hash": "sha256-hBKPD0hQ9kjypeG8Q8xLD2pKGnyWjKAKGnImYG9hsq8=",
+    "hash": "sha256-sjqbMCwj2lEdrGEeRRml/lpf795jDgPlMWBMn1MkAWI=",
    "homepage": "https://registry.terraform.io/providers/tencentcloudstack/tencentcloud",
    "owner": "tencentcloudstack",
    "repo": "terraform-provider-tencentcloud",
-    "rev": "v1.82.98",
+    "rev": "v1.82.95",
    "spdx": "MPL-2.0",
    "vendorHash": null
  },
@@ -1508,12 +1508,12 @@
    "vendorHash": "sha256-Z4DfoG4ApXbPNXZs9YvBWQj1bH7moLNI6P+nKDHt/Jc="
  },
  "yandex-cloud_yandex": {
-    "hash": "sha256-JSF1Q0wNRg2oavZ1+67QfCxNz+JOHrG+rfKn/1T9cgc=",
+    "hash": "sha256-j2JFdTXcry5VHEKBK7VHIjAdmPePF9fnJ4fW5dXglaY=",
    "homepage": "https://registry.terraform.io/providers/yandex-cloud/yandex",
    "owner": "yandex-cloud",
    "repo": "terraform-provider-yandex",
-    "rev": "v0.206.0",
+    "rev": "v0.204.0",
    "spdx": "MPL-2.0",
-    "vendorHash": "sha256-SpJ6wuzBzfI46C7MbNxs0gQpG62ODmB0WIZ8UpJjuPU="
+    "vendorHash": "sha256-ikUGcbJ1j/QrpPF5qn+ag2e7i1gxAK74h3nrUqR+azo="
  }
 }
--- a/pkgs/applications/networking/firehol/default.nix
+++ b/pkgs/applications/networking/firehol/default.nix
--- a/pkgs/applications/networking/firehol/firehol-ping6.patch
+++ b/pkgs/applications/networking/firehol/firehol-ping6.patch
--- a/pkgs/applications/networking/firehol/firehol-sysconfdir.patch
+++ b/pkgs/applications/networking/firehol/firehol-sysconfdir.patch
--- a/pkgs/applications/networking/firehol/firehol-uname-command.patch
+++ b/pkgs/applications/networking/firehol/firehol-uname-command.patch
--- a/pkgs/applications/networking/firehol/iprange.nix
+++ b/pkgs/applications/networking/firehol/iprange.nix
--- a/pkgs/applications/networking/mailreaders/thunderbird-bin/release_esr_sources.nix
+++ b/pkgs/applications/networking/mailreaders/thunderbird-bin/release_esr_sources.nix
--- a/pkgs/applications/networking/p2p/transmission/4.nix
+++ b/pkgs/applications/networking/p2p/transmission/4.nix
@@ -11,6 +11,7 @@
  inotify-tools,
  systemd,
  zlib,
+  pcre,
  rapidjson,
  small,
  libb64,
@@ -23,6 +24,7 @@
  miniupnpc,
  dht,
  libnatpmp,
+  libiconv,
  # Build options
  enableGTK3 ? false,
  gtkmm3,
@@ -52,6 +54,7 @@ let
      libpsl
      miniupnpc
      openssl
+      pcre
      zlib
    ]
    ++ optionals enableSystemd [ systemd ]
@@ -133,6 +136,7 @@ stdenv.mkDerivation (finalAttrs: {
    libutp
    miniupnpc
    openssl
+    pcre
    rapidjson
    small
    utf8cpp
--- a/pkgs/applications/networking/sync/lsyncd/default.nix
+++ b/pkgs/applications/networking/sync/lsyncd/default.nix
@@ -2,12 +2,10 @@
  lib,
  stdenv,
  fetchFromGitHub,
-
  cmake,
+  lua,
  pkg-config,
-
  rsync,
-  lua5_2_compat,
  asciidoc,
  libxml2,
  docbook_xml_dtd_45,
@@ -19,14 +17,14 @@
 let
  xnu = darwin.sourceRelease "xnu";
 in
-stdenv.mkDerivation (finalAttrs: {
+stdenv.mkDerivation rec {
  pname = "lsyncd";
  version = "2.3.1";

  src = fetchFromGitHub {
-    owner = "lsyncd";
+    owner = "axkibe";
    repo = "lsyncd";
-    tag = "v${finalAttrs.version}";
+    rev = "release-${version}";
    hash = "sha256-QBmvS1HGF3VWS+5aLgDr9AmUfEsuSz+DTFIeql2XHH4=";
  };

@@ -36,7 +34,7 @@ stdenv.mkDerivation (finalAttrs: {
  '';

  # Special flags needed on Darwin:
-  # https://github.com/lsyncd/lsyncd/blob/42413cabbedca429d55a5378f6e830f191f3cc86/INSTALL#L51
+  # https://github.com/axkibe/lsyncd/blob/42413cabbedca429d55a5378f6e830f191f3cc86/INSTALL#L51
  cmakeFlags = lib.optionals stdenv.hostPlatform.isDarwin [
    "-DWITH_INOTIFY=OFF"
    "-DWITH_FSEVENTS=ON"
@@ -49,10 +47,9 @@ stdenv.mkDerivation (finalAttrs: {
    cmake
    pkg-config
  ];
-
  buildInputs = [
    rsync
-    lua5_2_compat
+    lua
    asciidoc
    libxml2
    docbook_xml_dtd_45
@@ -61,11 +58,11 @@ stdenv.mkDerivation (finalAttrs: {
  ];

  meta = {
-    homepage = "https://github.com/lsyncd/lsyncd";
+    homepage = "https://github.com/axkibe/lsyncd";
    description = "Utility that synchronizes local directories with remote targets";
    mainProgram = "lsyncd";
    license = lib.licenses.gpl2Plus;
    platforms = lib.platforms.all;
    maintainers = with lib.maintainers; [ bobvanderlinden ];
  };
-})
+}
--- a/pkgs/applications/networking/sync/rsync/default.nix
+++ b/pkgs/applications/networking/sync/rsync/default.nix
@@ -1,51 +1,39 @@
 {
  lib,
  stdenv,
-  fetchpatch,
  fetchurl,
-
  updateAutotoolsGnuConfigScriptsHook,
  perl,
-
+  python3,
  libiconv,
  zlib,
  popt,
-
-  config,
-
-  enableACLs ? config.rsync.enableACLs or (lib.meta.availableOn stdenv.hostPlatform acl),
+  enableACLs ? lib.meta.availableOn stdenv.hostPlatform acl,
  acl,
-  enableLZ4 ? config.rsync.enableLZ4 or true,
+  enableLZ4 ? true,
  lz4,
-  enableOpenSSL ? config.rsync.enableOpenSSL or true,
+  enableOpenSSL ? true,
  openssl,
-  enableXXHash ? config.rsync.enableXXHash or true,
+  enableXXHash ? true,
  xxhash,
-  enableZstd ? config.rsync.enableZstd or true,
+  enableZstd ? true,
  zstd,
-
  nixosTests,
 }:

-stdenv.mkDerivation (finalAttrs: {
+stdenv.mkDerivation rec {
  pname = "rsync";
-  version = "3.4.1";
+  version = "3.4.3";

  src = fetchurl {
    # signed with key 9FEF 112D CE19 A0DC 7E88  2CB8 1BB2 4997 A853 5F6F
-    url = "mirror://samba/rsync/src/rsync-${finalAttrs.version}.tar.gz";
-    hash = "sha256-KSS8s6Hti1UfwQH3QLnw/gogKxFQJ2R89phQ1l/YjFI=";
+    url = "mirror://samba/rsync/src/rsync-${version}.tar.gz";
+    hash = "sha256-xy5jyjAhy8gLqG7DAQJ3P0xWMfvEkrUudzs5WPgqU9M=";
  };

-  patches = [
-    # See: <https://github.com/RsyncProject/rsync/pull/790>
-    ./fix-tests-in-darwin-sandbox.patch
-    # fix compilation with gcc15
-    (fetchpatch {
-      url = "https://github.com/RsyncProject/rsync/commit/a4b926dcdce96b0f2cc0dc7744e95747b233500a.patch";
-      hash = "sha256-UiEQJ+p2gtIDYNJqnxx4qKgItKIZzCpkHnvsgoxBmSE=";
-    })
-  ];
+  preBuild = ''
+    patchShebangs ./runtests.py
+  '';

  nativeBuildInputs = [
    updateAutotoolsGnuConfigScriptsHook
@@ -86,6 +74,15 @@ stdenv.mkDerivation (finalAttrs: {

  passthru.tests = { inherit (nixosTests) rsyncd; };

+  nativeCheckInputs = [
+    python3
+  ];
+
+  # Test fails when built in a chroot store
+  preCheck = ''
+    rm testsuite/chgrp.test
+  '';
+
  doCheck = true;

  __darwinAllowLocalNetworking = true;
@@ -101,8 +98,8 @@ stdenv.mkDerivation (finalAttrs: {
    platforms = lib.platforms.unix;
    identifiers.cpeParts = {
      vendor = "samba";
-      inherit (finalAttrs) version;
+      inherit version;
      update = "-";
    };
  };
-})
+}
--- a/pkgs/applications/networking/sync/rsync/rrsync.nix
+++ b/pkgs/applications/networking/sync/rsync/rrsync.nix
--- a/pkgs/applications/networking/syncthing/default.nix
+++ b/pkgs/applications/networking/syncthing/default.nix
@@ -0,0 +1,151 @@
+{
+  pkgsBuildBuild,
+  go,
+  buildGoModule,
+  stdenv,
+  lib,
+  fetchFromGitHub,
+  nixosTests,
+  autoSignDarwinBinariesHook,
+  nix-update-script,
+}:
+
+let
+  common =
+    {
+      stname,
+      target,
+      postInstall ? "",
+    }:
+    buildGoModule rec {
+      pname = stname;
+      version = "2.0.15";
+
+      src = fetchFromGitHub {
+        owner = "syncthing";
+        repo = "syncthing";
+        tag = "v${version}";
+        hash = "sha256-v77ovjV+UoCRA1GteP+HDqC8dsRvtOhFX/IkSgSIf8Y=";
+      };
+
+      vendorHash = "sha256-boYTLgvH+iWlh3y3Z0LPvSVGEget3X94AthtJKphhCw=";
+
+      nativeBuildInputs = lib.optionals stdenv.hostPlatform.isDarwin [
+        # Recent versions of macOS seem to require binaries to be signed when
+        # run from Launch Agents/Daemons, even on x86 devices where it has a
+        # more lax code signing policy compared to Apple Silicon. So just sign
+        # the binaries on both architectures to make it possible for launchd to
+        # auto-start Syncthing at login.
+        autoSignDarwinBinariesHook
+      ];
+
+      doCheck = false;
+
+      env = {
+        BUILD_USER = "nix";
+        BUILD_HOST = "nix";
+      };
+
+      buildPhase = ''
+        runHook preBuild
+        (
+          export GOOS="${pkgsBuildBuild.go.GOOS}" GOARCH="${pkgsBuildBuild.go.GOARCH}" CC=$CC_FOR_BUILD
+          go build build.go
+          go generate github.com/syncthing/syncthing/lib/api/auto github.com/syncthing/syncthing/cmd/infra/strelaypoolsrv/auto
+        )
+        ./build -goos ${go.GOOS} -goarch ${go.GOARCH} -no-upgrade -version v${version} build ${target}
+        runHook postBuild
+      '';
+
+      installPhase = ''
+        runHook preInstall
+        install -Dm755 ${target} $out/bin/${target}
+        runHook postInstall
+      '';
+
+      inherit postInstall;
+
+      passthru = {
+        tests = {
+          inherit (nixosTests)
+            syncthing
+            syncthing-folders
+            syncthing-guiPassword
+            syncthing-guiPasswordFile
+            syncthing-init
+            syncthing-no-settings
+            syncthing-relay
+            ;
+        };
+        updateScript = nix-update-script { };
+      };
+
+      meta = {
+        homepage = "https://syncthing.net/";
+        description = "Open Source Continuous File Synchronization";
+        changelog = "https://github.com/syncthing/syncthing/releases/tag/v${version}";
+        license = lib.licenses.mpl20;
+        maintainers = with lib.maintainers; [
+          joko
+          peterhoeg
+        ];
+        mainProgram = target;
+        platforms = lib.platforms.unix;
+      };
+    };
+
+in
+{
+  syncthing = common {
+    stname = "syncthing";
+    target = "syncthing";
+
+    postInstall = ''
+      # This installs man pages in the correct directory according to the suffix
+      # on the filename
+      for mf in man/*.[1-9]; do
+        mantype="$(echo "$mf" | awk -F"." '{print $NF}')"
+        mandir="$out/share/man/man$mantype"
+        install -Dm644 "$mf" "$mandir/$(basename "$mf")"
+      done
+
+      install -Dm644 etc/linux-desktop/syncthing-ui.desktop $out/share/applications/syncthing-ui.desktop
+      install -Dm644 assets/logo-32.png   $out/share/icons/hicolor/32x32/apps/syncthing.png
+      install -Dm644 assets/logo-64.png   $out/share/icons/hicolor/64x64/apps/syncthing.png
+      install -Dm644 assets/logo-128.png  $out/share/icons/hicolor/128x128/apps/syncthing.png
+      install -Dm644 assets/logo-256.png  $out/share/icons/hicolor/256x256/apps/syncthing.png
+      install -Dm644 assets/logo-512.png  $out/share/icons/hicolor/512x512/apps/syncthing.png
+      install -Dm644 assets/logo-only.svg $out/share/icons/hicolor/scalable/apps/syncthing.svg
+
+    ''
+    + lib.optionalString (stdenv.hostPlatform.isLinux) ''
+      mkdir -p $out/lib/systemd/{system,user}
+
+      substitute etc/linux-systemd/system/syncthing@.service \
+                 $out/lib/systemd/system/syncthing@.service \
+                 --replace-fail /usr/bin/syncthing $out/bin/syncthing
+
+      substitute etc/linux-systemd/user/syncthing.service \
+                 $out/lib/systemd/user/syncthing.service \
+                 --replace-fail /usr/bin/syncthing $out/bin/syncthing
+    '';
+  };
+
+  syncthing-discovery = common {
+    stname = "syncthing-discovery";
+    target = "stdiscosrv";
+  };
+
+  syncthing-relay = common {
+    stname = "syncthing-relay";
+    target = "strelaysrv";
+
+    postInstall = lib.optionalString (stdenv.hostPlatform.isLinux) ''
+      mkdir -p $out/lib/systemd/system
+
+      substitute cmd/strelaysrv/etc/linux-systemd/strelaysrv.service \
+                 $out/lib/systemd/system/strelaysrv.service \
+                 --replace-fail /usr/bin/strelaysrv $out/bin/strelaysrv
+    '';
+  };
+}
--- a/pkgs/applications/office/mendeley/default.nix
+++ b/pkgs/applications/office/mendeley/default.nix
@@ -2,6 +2,7 @@
  lib,
  fetchurl,
  appimageTools,
+  gconf,
  imagemagick,
 }:

--- a/pkgs/applications/science/chemistry/autodock-vina/default.nix
+++ b/pkgs/applications/science/chemistry/autodock-vina/default.nix
--- a/pkgs/applications/science/chemistry/autodock-vina/python-bindings.nix
+++ b/pkgs/applications/science/chemistry/autodock-vina/python-bindings.nix
--- a/pkgs/applications/terminal-emulators/rxvt-unicode/default.nix
+++ b/pkgs/applications/terminal-emulators/rxvt-unicode/default.nix
--- a/pkgs/applications/terminal-emulators/rxvt-unicode/patches/256-color-resources.patch
+++ b/pkgs/applications/terminal-emulators/rxvt-unicode/patches/256-color-resources.patch
--- a/pkgs/applications/terminal-emulators/rxvt-unicode/patches/9.06-font-width.patch
+++ b/pkgs/applications/terminal-emulators/rxvt-unicode/patches/9.06-font-width.patch
--- a/pkgs/applications/terminal-emulators/rxvt-unicode/patches/makefile-phony.patch
+++ b/pkgs/applications/terminal-emulators/rxvt-unicode/patches/makefile-phony.patch
--- a/pkgs/applications/terminal-emulators/rxvt-unicode/wrapper.nix
+++ b/pkgs/applications/terminal-emulators/rxvt-unicode/wrapper.nix
--- a/pkgs/applications/video/mplayer/default.nix
+++ b/pkgs/applications/video/mplayer/default.nix
@@ -66,7 +66,6 @@
  libjpeg,
  useUnfreeCodecs ? false,
  buildPackages,
-  versionCheckHook,
 }:

 assert xineramaSupport -> x11Support;
@@ -118,7 +117,7 @@ let

 in

-stdenv.mkDerivation (finalAttrs: {
+stdenv.mkDerivation {
  pname = "mplayer";
  version = "1.5-unstable-2024-12-21";

@@ -129,7 +128,6 @@ stdenv.mkDerivation (finalAttrs: {
  };

  prePatch = ''
-    echo "${finalAttrs.version}" > VERSION
    sed -i /^_install_strip/d configure

    rm -rf ffmpeg
@@ -139,9 +137,6 @@ stdenv.mkDerivation (finalAttrs: {
  nativeBuildInputs = [
    pkg-config
    yasm
-  ]
-  ++ lib.optionals cacaSupport [
-    libcaca # caca-config
  ];
  buildInputs = [
    freetype
@@ -181,46 +176,46 @@ stdenv.mkDerivation (finalAttrs: {
  ++ lib.optional bs2bSupport libbs2b
  ++ lib.optional v4lSupport libv4l;

-  strictDeps = true;
-
  configurePlatforms = [ ];
  configureFlags = [
-    (lib.enableFeature true "freetype")
-    (lib.enableFeature fontconfigSupport "fontconfig")
-    (lib.enableFeature x11Support "x11")
-    (lib.enableFeature x11Support "gl")
-    (lib.enableFeature xineramaSupport "xinerama")
-    (lib.enableFeature xvSupport "xv")
-    (lib.enableFeature alsaSupport "alsa")
-    (lib.enableFeature screenSaverSupport "xss")
-    (lib.enableFeature vdpauSupport "vdpau")
-    (lib.enableFeature cddaSupport "cdparanoia")
-    (lib.enableFeature dvdnavSupport "dvdnav")
-    (lib.enableFeature bluraySupport "bluray")
-    (lib.enableFeature amrSupport "libopencore_amrnb")
-    (lib.enableFeature cacaSupport "caca")
-    (lib.enableFeature lameSupport "mp3lame")
-    (lib.enableFeature (!lameSupport) "mp3lame-lavc")
-    (lib.enableFeature speexSupport "speex")
-    (lib.enableFeature theoraSupport "theora")
-    (lib.enableFeature x264Support "x264")
-    (lib.enableFeature (!x264Support) "x264-lavc")
-    (lib.enableFeature pulseSupport "pulse")
-    (lib.enableFeature v4lSupport "v4l2")
-    (lib.enableFeature v4lSupport "tv-v4l2")
-    (lib.enableFeature v4lSupport "radio")
-    (lib.enableFeature v4lSupport "radio-v4l2")
-    (lib.enableFeature v4lSupport "radio-capture")
-    (lib.enableFeature false "xanim")
-    (lib.enableFeature false "xvid")
-    (lib.enableFeature false "xvid-lavc")
-    (lib.enableFeature false "ossaudio")
-    (lib.enableFeature false "ffmpeg_a")
+    "--enable-freetype"
+    (if fontconfigSupport then "--enable-fontconfig" else "--disable-fontconfig")
+    (if x11Support then "--enable-x11 --enable-gl" else "--disable-x11 --disable-gl")
+    (if xineramaSupport then "--enable-xinerama" else "--disable-xinerama")
+    (if xvSupport then "--enable-xv" else "--disable-xv")
+    (if alsaSupport then "--enable-alsa" else "--disable-alsa")
+    (if screenSaverSupport then "--enable-xss" else "--disable-xss")
+    (if vdpauSupport then "--enable-vdpau" else "--disable-vdpau")
+    (if cddaSupport then "--enable-cdparanoia" else "--disable-cdparanoia")
+    (if dvdnavSupport then "--enable-dvdnav" else "--disable-dvdnav")
+    (if bluraySupport then "--enable-bluray" else "--disable-bluray")
+    (if amrSupport then "--enable-libopencore_amrnb" else "--disable-libopencore_amrnb")
+    (if cacaSupport then "--enable-caca" else "--disable-caca")
+    (
+      if lameSupport then
+        "--enable-mp3lame --disable-mp3lame-lavc"
+      else
+        "--disable-mp3lame --enable-mp3lame-lavc"
+    )
+    (if speexSupport then "--enable-speex" else "--disable-speex")
+    (if theoraSupport then "--enable-theora" else "--disable-theora")
+    (if x264Support then "--enable-x264 --disable-x264-lavc" else "--disable-x264 --enable-x264-lavc")
+    (if jackaudioSupport then "" else "--disable-jack")
+    (if pulseSupport then "--enable-pulse" else "--disable-pulse")
+    (
+      if v4lSupport then
+        "--enable-v4l2 --enable-tv-v4l2 --enable-radio --enable-radio-v4l2 --enable-radio-capture"
+      else
+        "--disable-v4l2 --disable-tv-v4l2 --disable-radio --disable-radio-v4l2 --disable-radio-capture"
+    )
+    "--disable-xanim"
+    "--disable-xvid --disable-xvid-lavc"
+    "--disable-ossaudio"
+    "--disable-ffmpeg_a"
    "--yasm=${buildPackages.yasm}/bin/yasm"
    # Note, the `target` vs `host` confusion is intentional.
    "--target=${stdenv.hostPlatform.config}"
  ]
-  ++ lib.optional (!jackaudioSupport) "--disable-jack"
  ++ lib.optional (useUnfreeCodecs && codecs != null && !crossBuild) "--codecsdir=${codecs}"
  ++ lib.optional (stdenv.hostPlatform.isx86 && !crossBuild) "--enable-runtime-cpudetection"
  ++ lib.optional fribidiSupport "--enable-fribidi"
@@ -285,12 +280,6 @@ stdenv.mkDerivation (finalAttrs: {
    fi
  '';

-  nativeInstallCheckInputs = [ versionCheckHook ];
-  versionCheckProgramArg = "--help";
-  doInstallCheck = true;
-
-  __structuredAttrs = true;
-
  meta = {
    description = "Movie player that supports many video formats";
    homepage = "http://mplayerhq.hu";
@@ -305,4 +294,4 @@ stdenv.mkDerivation (finalAttrs: {
      "aarch64-linux"
    ];
  };
-})
+}
--- a/pkgs/applications/video/vdr/epgsearch/default.nix
+++ b/pkgs/applications/video/vdr/epgsearch/default.nix
@@ -6,7 +6,7 @@
  util-linux,
  groff,
  perl,
-  pcre2,
+  pcre,
 }:
 stdenv.mkDerivation rec {
  pname = "vdr-epgsearch";
@@ -33,11 +33,12 @@ stdenv.mkDerivation rec {

  buildInputs = [
    vdr
-    pcre2
+    pcre
  ];

  buildFlags = [
    "SENDMAIL="
+    "REGEXLIB=pcre"
  ];

  installFlags = [
--- a/pkgs/applications/virtualization/docker/sbom.nix
+++ b/pkgs/applications/virtualization/docker/sbom.nix
@@ -7,13 +7,13 @@

 buildGoModule rec {
  pname = "docker-sbom";
-  version = "0.7.0";
+  version = "0.6.1";

  src = fetchFromGitHub {
    owner = "docker";
    repo = "sbom-cli-plugin";
    rev = "tags/v${version}";
-    hash = "sha256-aKEew/5T4cIc3KiWaBxqFqTki/QSnfSAroZ9iO+orUA=";
+    hash = "sha256-i3gIogHb0oW/VDuZUo6LGBmvqs/XfMXjpvTTYeGCK7Q=";
  };

  patches = [
--- a/pkgs/applications/virtualization/sail-riscv/default.nix
+++ b/pkgs/applications/virtualization/sail-riscv/default.nix
@@ -1,25 +1,23 @@
 {
-  lib,
  stdenv,
  fetchFromGitHub,
-
-  z3,
+  lib,
  cmake,
-  ninja,
-  pkg-config,
-  ocamlPackages,
-
  gmp,
+  pkg-config,
+  sail,
+  ninja,
+  z3,
 }:

-stdenv.mkDerivation (finalAttrs: {
+stdenv.mkDerivation rec {
  pname = "sail-riscv";
  version = "0.8";

  src = fetchFromGitHub {
    owner = "riscv";
    repo = "sail-riscv";
-    rev = finalAttrs.version;
+    rev = version;
    hash = "sha256-50ATe3DQcdyNOqP85mEMyEwxzpBOplzRN9ulaJNo9zo=";
  };

@@ -28,7 +26,7 @@ stdenv.mkDerivation (finalAttrs: {
    cmake
    pkg-config
    ninja
-    ocamlPackages.sail
+    sail
  ];
  buildInputs = [
    gmp
@@ -44,4 +42,4 @@ stdenv.mkDerivation (finalAttrs: {
    maintainers = [ ];
    license = lib.licenses.bsd2;
  };
-})
+}
--- a/pkgs/applications/window-managers/lemonbar/default.nix
+++ b/pkgs/applications/window-managers/lemonbar/default.nix
--- a/pkgs/applications/window-managers/lemonbar/xft.nix
+++ b/pkgs/applications/window-managers/lemonbar/xft.nix
--- a/pkgs/build-support/bintools-wrapper/setup-hook.sh
+++ b/pkgs/build-support/bintools-wrapper/setup-hook.sh
@@ -60,7 +60,8 @@ do
    if
        PATH=$_PATH type -p "@targetPrefix@${cmd}" > /dev/null
    then
-        export "${cmd^^}${role_post}=@targetPrefix@${cmd}";
+        upper_case="$(echo "$cmd" | tr "a-z" "A-Z")"
+        export "${upper_case}${role_post}=@targetPrefix@${cmd}";
    fi
 done

--- a/pkgs/build-support/build-mozilla-mach/default.nix
+++ b/pkgs/build-support/build-mozilla-mach/default.nix
@@ -58,6 +58,7 @@ in
  pkg-config,
  pkgsCross, # wasm32 rlbox
  python3,
+  python313,
  runCommand,
  rustc,
  rust-cbindgen,
@@ -364,7 +365,7 @@ buildStdenv.mkDerivation {
    makeBinaryWrapper
    nodejs
    perl
-    python3
+    (if lib.versionAtLeast version "143.0" then python3 else python313)
    rust-cbindgen
    rustPlatform.bindgenHook
    rustc
--- a/pkgs/build-support/cc-wrapper/add-clang-cc-cflags-before.sh
+++ b/pkgs/build-support/cc-wrapper/add-clang-cc-cflags-before.sh
@@ -36,6 +36,6 @@ elif [[ $0 != *cpp ]]; then
    fi
 fi

-if [[ "@darwinMinVersion@" ]]; then
+if [[ "@darwinMinVersion@" ]] && [ "@isFlang@" != 1 ]; then
    extraBefore+=(-Werror=unguarded-availability)
 fi
--- a/pkgs/build-support/cc-wrapper/add-flags.sh
+++ b/pkgs/build-support/cc-wrapper/add-flags.sh
@@ -11,6 +11,8 @@ var_templates_list=(
    NIX_CXXSTDLIB_COMPILE
    NIX_CXXSTDLIB_LINK
    NIX_GNATFLAGS_COMPILE
+    NIX_FFLAGS_COMPILE
+    NIX_FFLAGS_COMPILE_BEFORE
 )
 var_templates_bool=(
    NIX_ENFORCE_NO_NATIVE
--- a/Show More
+++ b/Show More