python3Packages.dramatiq: 2.0.1 -> 2.1.0

https://github.com/Bogdanp/dramatiq/compare/v2.0.1...v2.1.0

.github/ISSUE_TEMPLATE/01_bug_report.yml

@@ -36,7 +36,8 @@ body:
       options:
         - "Please select a version."
         - "- Unstable (26.11)"
-        - "- Stable (26.05)"
+        - "- Beta (26.05)"
+        - "- Stable (25.11)"
       default: 0
     validations:
       required: true

.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml

@@ -36,7 +36,8 @@ body:
       options:
         - "Please select a version."
         - "- Unstable (26.11)"
-        - "- Stable (26.05)"
+        - "- Beta (26.05)"
+        - "- Stable (25.11)"
       default: 0
     validations:
       required: true

.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml

@@ -36,7 +36,8 @@ body:
       options:
         - "Please select a version."
         - "- Unstable (26.11)"
-        - "- Stable (26.05)"
+        - "- Beta (26.05)"
+        - "- Stable (25.11)"
       default: 0
     validations:
       required: true

.github/ISSUE_TEMPLATE/04_build_failure.yml

@@ -38,7 +38,8 @@ body:
       options:
         - "Please select a version."
         - "- Unstable (26.11)"
-        - "- Stable (26.05)"
+        - "- Beta (26.05)"
+        - "- Stable (25.11)"
       default: 0
     validations:
       required: true

.github/ISSUE_TEMPLATE/05_update_request.yml

@@ -38,7 +38,8 @@ body:
       options:
         - "Please select a version."
         - "- Unstable (26.11)"
-        - "- Stable (26.05)"
+        - "- Beta (26.05)"
+        - "- Stable (25.11)"
       default: 0
     validations:
       required: true

.github/ISSUE_TEMPLATE/06_module_request.yml

@@ -36,7 +36,8 @@ body:
       options:
         - "Please select a version."
         - "- Unstable (26.11)"
-        - "- Stable (26.05)"
+        - "- Beta (26.05)"
+        - "- Stable (25.11)"
       default: 0
     validations:
       required: true

.github/labeler.yml

@@ -9,7 +9,6 @@
           - '^release-'
           - '^staging-\d'
           - '^staging-next-\d'
-          - '^staging-nixos-\d'
 
 # NOTE: bsd, darwin and cross-compilation labels are handled by ofborg
 "6.topic: agda":

.github/workflows/backport.yml

@@ -36,7 +36,7 @@ jobs:
           permission-pull-requests: write
           permission-workflows: write
 
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           token: ${{ steps.app-token.outputs.token }}

.github/workflows/bot.yml

@@ -46,7 +46,7 @@ jobs:
       # https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
       FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: |

.github/workflows/build.yml

@@ -52,7 +52,7 @@ jobs:
     runs-on: ${{ matrix.runner }}
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: .github/actions

.github/workflows/check.yml

@@ -43,7 +43,7 @@ jobs:
     runs-on: ubuntu-slim
     timeout-minutes: 3
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           path: trusted
@@ -95,7 +95,7 @@ jobs:
     runs-on: ubuntu-slim
     timeout-minutes: 3
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           path: trusted
@@ -137,7 +137,7 @@ jobs:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: .github/actions

.github/workflows/comment.yml

@@ -23,7 +23,7 @@ jobs:
     timeout-minutes: 2
     if: contains(github.event.comment.body, '@NixOS/nixpkgs-merge-bot merge')
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: |

.github/workflows/eval.yml

@@ -47,7 +47,7 @@ jobs:
       ciPinBumpCommit: ${{ steps.find-pinned-commit.outputs.ciPinBumpCommit }}
       ciPinBumpCommitShort: ${{ steps.find-pinned-commit.outputs.ciPinBumpCommitShort }}
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           path: trusted
@@ -55,7 +55,7 @@ jobs:
             ci/supportedVersions.nix
 
       - name: Check out the PR at the test merge commit
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           ref: ${{ inputs.mergedSha }}
@@ -171,7 +171,7 @@ jobs:
           sudo mkswap /swap
           sudo swapon /swap
 
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: .github/actions
@@ -256,7 +256,7 @@ jobs:
       statuses: write # creating 'Eval Summary' commit statuses
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: .github/actions
@@ -471,7 +471,7 @@ jobs:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: .github/actions

.github/workflows/lint.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: .github/actions
@@ -61,7 +61,7 @@ jobs:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: .github/actions
@@ -90,7 +90,7 @@ jobs:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: .github/actions
@@ -134,7 +134,7 @@ jobs:
     runs-on: ubuntu-slim
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: true # Needed to run git fetch for large PRs.
           path: trusted

.github/workflows/merge-group.yml

@@ -25,7 +25,7 @@ jobs:
       targetSha: ${{ steps.prepare.outputs.targetSha }}
       systems: ${{ steps.prepare.outputs.systems }}
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: |

.github/workflows/periodic-merge.yml

@@ -34,7 +34,7 @@ jobs:
           permission-contents: write
           permission-pull-requests: write
 
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 

.github/workflows/pull-request-target.yml

@@ -36,7 +36,7 @@ jobs:
       systems: ${{ steps.prepare.outputs.systems }}
       touched: ${{ steps.prepare.outputs.touched }}
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout-cone-mode: true # default, for clarity

.github/workflows/review.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-slim
     timeout-minutes: 2
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: |

.github/workflows/teams.yml

@@ -30,7 +30,7 @@ jobs:
           permission-pull-requests: write
 
       - name: Fetch source
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: |

.github/workflows/test.yml

@@ -19,7 +19,7 @@ jobs:
       push: ${{ steps.files.outputs.push }}
       targetSha: ${{ steps.prepare.outputs.targetSha }}
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout-cone-mode: true # default, for clarity

README.md

@@ -13,7 +13,7 @@
   <a href="https://opencollective.com/nixos"><img src="https://opencollective.com/nixos/tiers/supporter/badge.svg?label=supporters&color=brightgreen" alt="Open Collective supporters" /></a>
 </p>
 
-[Nixpkgs](https://github.com/nixos/nixpkgs) is a collection of over 140,000 software packages that can be installed with the [Nix](https://nixos.org/nix/) package manager.
+[Nixpkgs](https://github.com/nixos/nixpkgs) is a collection of over 120,000 software packages that can be installed with the [Nix](https://nixos.org/nix/) package manager.
 It also implements [NixOS](https://nixos.org/nixos/), a purely-functional Linux distribution.
 
 # Manuals
@@ -47,9 +47,9 @@ Here are some of the main ones:
 Nixpkgs and NixOS are built and tested by our continuous integration system, [Hydra](https://hydra.nixos.org/).
 
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for the NixOS 26.05 release](https://hydra.nixos.org/jobset/nixos/release-26.05)
+* [Continuous package builds for the NixOS 25.11 release](https://hydra.nixos.org/jobset/nixos/release-25.11)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for the NixOS 26.05 release](https://hydra.nixos.org/job/nixos/release-26.05/tested#tabs-constituents)
+* [Tests for the NixOS 25.11 release](https://hydra.nixos.org/job/nixos/release-25.11/tested#tabs-constituents)
 
 Artifacts successfully built with Hydra are published to cache at https://cache.nixos.org/.
 When successful build and test criteria are met, the Nixpkgs expressions are distributed via [Nix channels](https://nix.dev/manual/nix/stable/command-ref/nix-channel.html).

ci/OWNERS

@@ -56,12 +56,6 @@
 /pkgs/top-level/splice.nix                       @Ericson2314
 /pkgs/top-level/release-cross.nix                @Ericson2314
 /pkgs/top-level/by-name-overlay.nix              @infinisil @philiptaron
-/pkgs/top-level/config.nix                       @jopejoe1
-/pkgs/top-level/make-tarball.nix                 @jopejoe1
-/pkgs/top-level/packages-config.nix              @jopejoe1
-/pkgs/top-level/packages-info.nix                @jopejoe1
-/pkgs/top-level/release-lib.nix                  @jopejoe1
-/pkgs/top-level/release.nix                      @jopejoe1
 /pkgs/stdenv                                     @philiptaron @NixOS/stdenv
 /pkgs/stdenv/generic                             @Ericson2314 @NixOS/stdenv
 /pkgs/stdenv/generic/problems.nix                @infinisil
@@ -79,7 +73,6 @@
 
 ## Format generators/serializers
 /pkgs/pkgs-lib                                   @Stunkymonkey @h7x4
-/pkgs/pkgs-lib/formats/json2x                    @Stunkymonkey @h7x4 @figsoda
 
 # Nixpkgs build-support
 /pkgs/build-support/writers @lassulus
@@ -196,6 +189,8 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @Artturin @Ericson2314 @lo
 /maintainers/scripts/update-python-libraries  @mweinelt @natsukium
 /pkgs/by-name/up/update-python-libraries      @mweinelt @natsukium
 /pkgs/development/interpreters/python         @mweinelt @natsukium
+/pkgs/top-level/python-packages.nix                     @natsukium
+/pkgs/top-level/release-python.nix                      @natsukium
 
 # CUDA
 /pkgs/top-level/cuda-packages.nix             @NixOS/cuda-maintainers
@@ -277,15 +272,15 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /lib/licenses @alyssais @emilazy @jopejoe1
 
 # Qt
-/pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000
-/pkgs/development/libraries/qt-6 @K900 @NickCao @SuperSandro2000
+/pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
+/pkgs/development/libraries/qt-6 @K900 @NickCao @SuperSandro2000 @ttuegel
 
 # KDE Frameworks 5
-/pkgs/development/libraries/kde-frameworks @K900 @NickCao @SuperSandro2000
+/pkgs/development/libraries/kde-frameworks @K900 @NickCao @SuperSandro2000 @ttuegel
 
 # KDE / Plasma 6
-/pkgs/kde @K900 @NickCao @SuperSandro2000
-/maintainers/scripts/kde @K900 @NickCao @SuperSandro2000
+/pkgs/kde @K900 @NickCao @SuperSandro2000 @ttuegel
+/maintainers/scripts/kde @K900 @NickCao @SuperSandro2000 @ttuegel
 
 # PostgreSQL and related stuff
 /pkgs/by-name/po/postgresqlTestHook @NixOS/postgres
@@ -445,7 +440,6 @@ nixos/tests/forgejo.nix               @adamcstephens @bendlas @christoph-heiss @
 /doc/languages-frameworks/javascript.section.md @winterqt
 /pkgs/development/tools/pnpm                    @Scrumplex @gepbird
 /pkgs/build-support/node/fetch-pnpm-deps        @Scrumplex @gepbird
-/pkgs/test/pnpm                                 @Scrumplex @gepbird
 
 # OCaml
 /pkgs/build-support/ocaml           @ulrikstrid

doc/README.md

@@ -207,8 +207,6 @@ When needed, each convention explains why it exists, so you can make a decision
 Note that these conventions are about the **structure** of the manual (and its source files), not about the content that goes in it.
 You, as the writer of documentation, are still in charge of its content.
 
-**For prose style, see the [documentation styleguide](./styleguide.md).**
-
 ### One sentence per line
 
 Put each sentence in its own line.
@@ -221,16 +219,17 @@ When changing existing content, update formatting if possible, but avoid excessi
 
 ### Examples first
 
-Put examples before detailed explanations (see the [styleguide](./styleguide.md) for the rationale).
+Readers look at examples first: an example communicates what something does faster than a description.
+Put examples before detailed explanations.
 
-Use this structure for each documented item:
+Prefer this structure for each documented item:
 
 1. Title
-2. Abstract (optional, one sentence max)
+2. Abstract (optional, one sentence max, the example often speaks for itself)
 3. Example
 4. Explanation (details, edge cases, types, defaults)
 
-Rendered example:
+For instance:
 
 ````markdown
 ## `lib.toUpper`
@@ -282,9 +281,11 @@ Returns the difference as a number.
 
 Use the [admonition syntax](#admonitions) for callouts and examples.
 
-### `callPackage`-compatible examples
+### Provide self-contained examples
 
-Provide at least one example per function.
+Provide at least one example per function, and make examples self-contained.
+This is easier to understand for beginners.
+It also helps with testing that it actually works – especially once we introduce automation.
 
 Example code should be such that it can be passed to `pkgs.callPackage`.
 Instead of something like:

doc/hooks/index.md

@@ -37,7 +37,6 @@ npm-install-hook.section.md
 patch-rc-path-hooks.section.md
 perl.section.md
 pkg-config.section.md
-pnpm.section.md
 postgresql-test-hook.section.md
 premake.section.md
 python.section.md

doc/hooks/pnpm.section.md

@@ -1,142 +0,0 @@
-# pnpmBuildHook {#pnpm-build-hook}
-
-[pnpm](https://pnpm.io/) is a an NPM-compatible package manager focused on increasing managment speeds, and reducing disk space.
-
-The `pnpmBuildHook` in Nixpkgs overrides the default build phase for building packages that use pnpm.
-
-:::{.example #ex-pnpm-build-hook}
-## pnpmBuildHook example code snippet {#pnpm-build-hook-code-snippet}
-
-```
-{
-  lib,
-  stdenv,
-  fetchFromGitHub,
-  fetchPnpmDeps,
-  pnpmConfigHook,
-  pnpmBuildHook,
-  makeBinaryWrapper,
-  pnpm_10,
-}:
-let
-  pnpm = pnpm_10;
-in
-stdenv.mkDerivation (finalAttrs: {
-  pname = "coolPackages";
-  version = "1.0";
-
-  src = fetchFromGitHub {
-    owner = "JaneCool";
-    repo = "coolpackage";
-    tag = finalAttrs.version;
-    hash = lib.fakeHash;
-  };
-
-  __structuredAttrs = true;
-  strictDeps = true;
-
-  pnpmDeps = fetchPnpmDeps {
-    inherit (finalAttrs) pname version src;
-    inherit pnpm;
-    fetcherversion = 4;
-    hash = lib.fakeHash;
-  };
-
-  nativeBuildInputs = [
-    pnpmConfigHook
-    pnpmBuildHook
-    makeBinaryWrapper
-  ];
-
-  pnpmBuildScript = "build";
-  pnpmBuildFlags = [
-    "--mode"
-    "production"
-  ];
-  pnpmWorkspaces = [
-    "test"
-  ];
-
-  installPhase = ''
-    runHook preInstall
-
-    mkdir "$out"
-    cp -r dist/. "$out"
-
-    runHook postInstall
-  '';
-
-  meta = {
-    description = "very cool package that does cool things";
-    mainProgram = "cool";
-  };
-})
-```
-:::
-
-## Variables controlling pnpmBuildHook {#pnpm-build-hook-variables}
-
-### pnpm Exclusive Variables {#pnpm-build-hook-exclusive-variables}
-
-#### `pnpmBuildScript` {#pnpm-build-hook-script}
-
-Controls the script ran to build the package, by default the script is `build`.
-
-#### `pnpmFlags` {#pnpm-build-hook-flags}
-
-Controls flags used for all invocations of pnpm across all hooks local to this derivation.
-
-#### `pnpmBuildFlags` {#pnpm-build-hook-build-flags}
-
-Controls the flags pass only to the pnpm build script invocation.
-
-#### `dontPnpmBuild` {#pnpm-build-hook-dont}
-
-Disables automatically running `pnpmBuildHook`. The build can still be run manually if needed, for example:
-
-```
-{
-  lib,
-  rustPlatform,
-  pnpmBuildHook,
-  pnpmConfigHook,
-  fetchPnpmDeps,
-  emptyDirectory,
-  pnpm_10,
-}:
-let
-  pnpm = pnpm_10;
-in
-rustPlatform.buildRustPackage (finalAttrs: {
-  pname = "super-fast-application";
-  version = "1.0";
-
-  src = emptyDirectory;
-
-  cargoHash = lib.fakeHash;
-
-  nativeBuildInputs = [
-    pnpmBuildHook
-    pnpmConfigHook
-  ];
-
-  pnpmDeps = fetchPnpmDeps {
-    inherit (finalAttrs) pname version src;
-    inherit pnpm;
-    fetcherversion = 3;
-    hash = lib.fakeHash;
-  }
-
-  dontPnpmBuild = true;
-  postBuild = ''
-    pnpmBuildHook
-  '';
-})
-```
-
-### Honored Variables {#pnpm-build-hook-honored-variables}
-
-The following variables are honored by `pnpmBuildHook`.
-
-* [`pnpmRoot`](#javascript-pnpm-sourceRoot)
-* [`pnpmWorkspaces`](#javascript-pnpm-workspaces)

doc/languages-frameworks/javascript.section.md

@@ -309,8 +309,6 @@ pnpm is available as the top-level package `pnpm`. Additionally, there are varia
 
 When packaging an application that includes a `pnpm-lock.yaml`, you need to fetch the pnpm store for that project using a fixed-output-derivation. The function `fetchPnpmDeps` can create this pnpm store derivation. In conjunction, the setup hook `pnpmConfigHook` will prepare the build environment to install the pre-fetched dependencies store. Here is an example for a package that contains `package.json` and a `pnpm-lock.yaml` files using the fetcher and setup hook above:
 
-There is also the [`pnpmBuildHook`](#pnpm-build-hook) for building packages with `pnpm`, as seen in [](#ex-pnpm-build-hook).
-
 ```nix
 {
   fetchPnpmDeps,
@@ -513,10 +511,10 @@ Changes can include workarounds or bug fixes to existing PNPM issues.
 
 ##### Version history {#javascript-pnpm-fetcherVersion-versionHistory}
 
-Version 3 is the minimum supported value. Versions 1 and 2 were removed in the 26.11 release; packages that still use them fail to evaluate and must migrate to `fetcherVersion = 3` (or later) and regenerate their hashes.
+Version 3 is the recommended value for new packages. Versions 1 and 2 are deprecated and scheduled for removal in the 26.11 release; existing packages must migrate.
 
-- 1: Initial version, nothing special. (removed in 26.11)
-- 2: [Ensure consistent permissions](https://github.com/NixOS/nixpkgs/pull/422975) (removed in 26.11)
+- 1: Initial version, nothing special.
+- 2: [Ensure consistent permissions](https://github.com/NixOS/nixpkgs/pull/422975)
 - 3: [Build a reproducible tarball](https://github.com/NixOS/nixpkgs/pull/469950)
 - 4: [Dump SQLite database to an SQL file](https://github.com/NixOS/nixpkgs/pull/522703)
 

doc/languages-frameworks/python.section.md

@@ -48,6 +48,7 @@ Based on the packages defined in `pkgs/top-level/python-packages.nix` an
 attribute set is created for each available Python interpreter. The available
 sets are
 
+* `pkgs.python27Packages`
 * `pkgs.python3Packages`
 * `pkgs.python311Packages`
 * `pkgs.python312Packages`
@@ -59,7 +60,9 @@ sets are
 
 and the aliases
 
+* `pkgs.python2Packages` pointing to `pkgs.python27Packages`
 * `pkgs.python3Packages` pointing to `pkgs.python313Packages`
+* `pkgs.pythonPackages` pointing to `pkgs.python2Packages`
 * `pkgs.pypy2Packages` pointing to `pkgs.pypy27Packages`
 * `pkgs.pypy3Packages` pointing to `pkgs.pypy310Packages`
 * `pkgs.pypyPackages` pointing to `pkgs.pypy2Packages`
@@ -284,27 +287,29 @@ because their behaviour is different:
 The `buildPythonPackage` function has a `overridePythonAttrs` method that can be
 used to override the package. In the following example we create an environment
 where we have the `blaze` package using an older version of `pandas`. We
-first override the Python package set, then instantiate an interpreter with
-that package set.
+override first the Python interpreter and pass `packageOverrides` which contains
+the overrides for packages in the package set.
 
 ```nix
 with import <nixpkgs> { };
 
 let
-  pythonPackages = python3Packages.overrideScope (
-    final: prev: {
-      pandas = prev.pandas.overridePythonAttrs (old: rec {
-        version = "0.19.1";
-        src = fetchPypi {
-          pname = "pandas";
-          inherit version;
-          hash = "sha256-JQn+rtpy/OA2deLszSKEuxyttqBzcAil50H+JDHUdCE=";
-        };
-      });
-    }
-  );
+  python = pkgs.python3.override {
+    packageOverrides = self: super: {
+      pandas = super.pandas.overridePythonAttrs (
+        finalAttrs: prevAttrs: {
+          version = "0.19.1";
+          src = fetchPypi {
+            pname = "pandas";
+            inherit (finalAttrs) version;
+            hash = "sha256-JQn+rtpy/OA2deLszSKEuxyttqBzcAil50H+JDHUdCE=";
+          };
+        }
+      );
+    };
+  };
 in
-(pythonPackages.python.withPackages (ps: [ ps.blaze ])).env
+(python.withPackages (ps: [ ps.blaze ])).env
 ```
 
 The next example shows a non trivial overriding of the `blas` implementation to
@@ -312,16 +317,15 @@ be used through out all of the Python package set:
 
 ```nix
 {
-  python3PackagesWithBlas = python3Packages.overrideScope (
-    final: prev: {
+  python3MyBlas = pkgs.python3.override {
+    packageOverrides = self: super: {
       # We need toPythonModule for the package set to evaluate this
-      blas = final.toPythonModule (prev.blas.override { blasProvider = final.mkl; });
-      lapack = final.toPythonModule (prev.lapack.override { lapackProvider = final.mkl; });
-    }
-  );
+      blas = super.toPythonModule (super.pkgs.blas.override { blasProvider = super.pkgs.mkl; });
+      lapack = super.toPythonModule (super.pkgs.lapack.override { lapackProvider = super.pkgs.mkl; });
+    };
+  };
 }
 ```
-This will create a new Python package set with the blas and lapack implementation set to Intel MKL.
 
 This is particularly useful for numpy and scipy users who want to gain speed with other blas implementations.
 Note that using `scipy = super.scipy.override { blas = super.pkgs.mkl; };` will likely result in
@@ -453,10 +457,11 @@ Note that overriding packages deeper in the dependency graph _can_ work, but it'
 let
   pyproject = pkgs.lib.importTOML ./pyproject.toml;
 
-  myPython3Packages = pkgs.python3Packages.overrideScope (
-    final: _: {
+  myPython = pkgs.python.override {
+    self = myPython;
+    packageOverrides = pyfinal: pyprev: {
       # An editable package with a script that loads our mutable location
-      my-editable = final.mkPythonEditablePackage {
+      my-editable = pyfinal.mkPythonEditablePackage {
         # Inherit project metadata from pyproject.toml
         pname = pyproject.project.name;
         inherit (pyproject.project) version;
@@ -467,10 +472,10 @@ let
         # Inject a script (other PEP-621 entrypoints are also accepted)
         inherit (pyproject.project) scripts;
       };
-    }
-  );
+    };
+  };
 
-  pythonEnv = myPython3Packages.python.withPackages (ps: [ ps.my-editable ]);
+  pythonEnv = myPython.withPackages (ps: [ ps.my-editable ]);
 
 in
 pkgs.mkShell { packages = [ pythonEnv ]; }
@@ -570,6 +575,9 @@ In contrast to [`python.buildEnv`](#python.buildenv-function), [`python.withPack
 more advanced options such as `ignoreCollisions = true` or `postBuild`. If you
 need them, you have to use [`python.buildEnv`](#python.buildenv-function).
 
+Python 2 namespace packages may provide `__init__.py` that collide. In that case
+[`python.buildEnv`](#python.buildenv-function) should be used with `ignoreCollisions = true`.
+
 #### Setup hooks {#setup-hooks}
 
 The following are setup hooks specifically for Python packages. Most of these
@@ -621,9 +629,10 @@ buildPythonPackage.override { stdenv = customStdenv; } {
 
 Several versions of the Python interpreter are available on Nix, as well as a
 high amount of packages. The attribute `python3` refers to the default
-interpreter, which is currently CPython 3.13. It is also possible to refer to
-specific versions, e.g., `python313` refers to CPython 3.13, and `pypy` refers
-to the default PyPy interpreter.
+interpreter, which is currently CPython 3.13. The attribute `python` refers to
+CPython 2.7 for backwards compatibility. It is also possible to refer to
+specific versions, e.g., `python313` refers to CPython 3.13, and `pypy` refers to
+the default PyPy interpreter.
 
 Python is used a lot, and in different ways. This affects also how it is
 packaged. In the case of Python on Nix, an important distinction is made between
@@ -635,6 +644,14 @@ In the Nixpkgs tree Python applications can be found throughout, depending on
 what they do, and are called from the main package set. Python libraries,
 however, are in separate sets, with one set per interpreter version.
 
+The interpreters have several common attributes. One of these attributes is
+`pkgs`, which is a package set of Python libraries for this specific
+interpreter. E.g., the `toolz` package corresponding to the default interpreter
+is `python3.pkgs.toolz`, and the CPython 3.13 version is `python313.pkgs.toolz`.
+The main package set contains aliases to these package sets, e.g.
+`pythonPackages` refers to `python.pkgs` and `python313Packages` to
+`python313.pkgs`.
+
 #### Installing Python and packages {#installing-python-and-packages}
 
 The Nix and NixOS manuals explain how packages are generally installed. In the
@@ -1004,7 +1021,7 @@ information. The output of the function is a derivation.
 
 An expression for `toolz` can be found in the Nixpkgs repository. As explained
 in the introduction of this Python section, a derivation of `toolz` is available
-for each interpreter version, e.g. `python313Packages.toolz` refers to the `toolz`
+for each interpreter version, e.g. `python313.pkgs.toolz` refers to the `toolz`
 derivation corresponding to the CPython 3.13 interpreter.
 
 The above example works when you're directly working on
@@ -1019,7 +1036,7 @@ with import <nixpkgs> { };
 
 (
   let
-    my_toolz = python313Packages.buildPythonPackage (finalAttrs: {
+    my_toolz = python313.pkgs.buildPythonPackage (finalAttrs: {
       pname = "toolz";
       version = "0.10.0";
       pyproject = true;
@@ -1029,7 +1046,7 @@ with import <nixpkgs> { };
         hash = "sha256-CP3V73yWSArRHBLUct4hrNMjWZlvaaUlkpm1QP66RWA=";
       };
 
-      build-system = [ python313Packages.setuptools ];
+      build-system = [ python313.pkgs.setuptools ];
 
       # has no tests
       doCheck = false;
@@ -1042,7 +1059,7 @@ with import <nixpkgs> { };
     });
 
   in
-  python313Packages.python.withPackages (
+  python313.withPackages (
     ps: with ps; [
       numpy
       my_toolz
@@ -1063,11 +1080,6 @@ of [`withPackages`](#python.withpackages-function) we used a `let` expression. Y
 `toolz` from the Nixpkgs package set this time, but instead took our own version
 that we introduced with the `let` expression.
 
-There is also a legacy API that can be accessed via `python3.pkgs`, which will also give access to
-the Python package set for a given interpreter. This API is not recommended to be used anymore
-because the package set at `python3.pkgs` is not spliced, while the package set at `python3Packages`
-is. This can lead to strange errors during cross-compilation, or if Python is used at build time.
-
 #### Handling dependencies {#handling-dependencies}
 
 Our example, `toolz`, does not have any dependencies on other Python packages or system libraries.
@@ -1705,22 +1717,27 @@ should also be done when packaging `A`.
 
 ### How to override a Python package? {#how-to-override-a-python-package}
 
-We can override the Python package set, then instantiate an interpreter with it.
-In the following example we rename the `pandas` package and build it.
+We can override the interpreter and pass `packageOverrides`. In the following
+example we rename the `pandas` package and build it.
 
 ```nix
 with import <nixpkgs> { };
 
-let
-  pythonPackages = python3Packages.overrideScope (
-    final: prev: {
-      pandas = prev.pandas.overridePythonAttrs {
-        name = "foo";
-      };
-    }
-  );
-in
-(pythonPackages.python.withPackages (ps: [ ps.pandas ])).env
+(
+  let
+    python =
+      let
+        packageOverrides = self: super: {
+          pandas = super.pandas.overridePythonAttrs (old: {
+            name = "foo";
+          });
+        };
+      in
+      pkgs.python313.override { inherit packageOverrides; };
+
+  in
+  python.withPackages (ps: [ ps.pandas ])
+).env
 ```
 
 Using `nix-build` on this expression will build an environment that contains the
@@ -1736,10 +1753,12 @@ the updated `scipy` version.
 ```nix
 with import <nixpkgs> { };
 
-let
-  pythonPackages = python313Packages.overrideScope (_: prev: { scipy = prev.scipy_0_17; });
-in
-(pythonPackages.python.withPackages (ps: [ ps.blaze ])).env
+(
+  let
+    packageOverrides = self: super: { scipy = super.scipy_0_17; };
+  in
+  (pkgs.python313.override { inherit packageOverrides; }).withPackages (ps: [ ps.blaze ])
+).env
 ```
 
 The requested package `blaze` depends on `pandas` which itself depends on `scipy`.
@@ -1753,16 +1772,14 @@ let
   pkgs = import <nixpkgs> { };
   newpkgs = import pkgs.path {
     overlays = [
-      (_: prev: {
+      (self: super: {
         python313 =
           let
-            pythonPackages = prev.python313Packages.overrideScope (
-              _: prev: {
-                numpy = prev.numpy_1_18;
-              }
-            );
+            packageOverrides = python-self: python-super: {
+              numpy = python-super.numpy_1_18;
+            };
           in
-          pythonPackages.python3;
+          super.python313.override { inherit packageOverrides; };
       })
     ];
   };
@@ -1903,8 +1920,9 @@ pkgs.mkShell rec {
 }
 ```
 
-In case the supplied venvShellHook is insufficient, you can define your own
-shell hook and adapt to your needs like in the following example:
+In case the supplied venvShellHook is insufficient, or when Python 2 support is
+needed, you can define your own shell hook and adapt to your needs like in the
+following example:
 
 ```nix
 with import <nixpkgs> { };
@@ -1917,6 +1935,8 @@ pkgs.mkShell rec {
   name = "impurePythonEnv";
   buildInputs = [
     pythonPackages.python
+    # Needed when using python 2.7
+    # pythonPackages.virtualenv
     # ...
   ];
 
@@ -1929,6 +1949,8 @@ pkgs.mkShell rec {
       echo "Skipping venv creation, '${venvDir}' already exists"
     else
       echo "Creating new venv environment in path: '${venvDir}'"
+      # Note that the module venv was only introduced in python 3, so for 2.7
+      # this needs to be replaced with a call to virtualenv
       ${pythonPackages.python.interpreter} -m venv "${venvDir}"
     fi
 
@@ -1955,17 +1977,19 @@ If you need to change a package's attribute(s) from `configuration.nix` you coul
 
 ```nix
 {
-  nixpkgs.config.packageOverrides = final: _: {
-    python3Packages = super.python3Packages.overrideScope (pySuper: {
-      twisted = pySuper.twisted.overridePythonAttrs {
-        src = final.fetchPypi {
-          pname = "Twisted";
-          version = "19.10.0";
-          hash = "sha256-c5S6fycq5yKnTz2Wnc9Zm8TvCTvDkgOHSKSQ8XJKUV0=";
-          extension = "tar.bz2";
-        };
+  nixpkgs.config.packageOverrides = super: {
+    python3 = super.python3.override {
+      packageOverrides = python-self: python-super: {
+        twisted = python-super.twisted.overridePythonAttrs (oldAttrs: {
+          src = super.fetchPypi {
+            pname = "Twisted";
+            version = "19.10.0";
+            hash = "sha256-c5S6fycq5yKnTz2Wnc9Zm8TvCTvDkgOHSKSQ8XJKUV0=";
+            extension = "tar.bz2";
+          };
+        });
       };
-    });
+    };
   };
 }
 ```
@@ -1981,7 +2005,7 @@ this snippet:
 
 ```nix
 {
-  myPythonPackages = python3Packages.overrideScope (final: super: { twisted = <...>; });
+  myPythonPackages = python3Packages.override { overrides = self: super: { twisted = <...>; }; };
 }
 ```
 
@@ -1990,17 +2014,19 @@ this snippet:
 Use the following overlay template:
 
 ```nix
-self: _: {
-  python3Packages = super.python3Packages.overrideScope (pySuper: {
-    twisted = pySuper.twisted.overrideAttrs {
-      src = final.fetchPypi {
-        pname = "Twisted";
-        version = "19.10.0";
-        hash = "sha256-c5S6fycq5yKnTz2Wnc9Zm8TvCTvDkgOHSKSQ8XJKUV0=";
-        extension = "tar.bz2";
-      };
+self: super: {
+  python = super.python.override {
+    packageOverrides = python-self: python-super: {
+      twisted = python-super.twisted.overrideAttrs (oldAttrs: {
+        src = super.fetchPypi {
+          pname = "Twisted";
+          version = "19.10.0";
+          hash = "sha256-c5S6fycq5yKnTz2Wnc9Zm8TvCTvDkgOHSKSQ8XJKUV0=";
+          extension = "tar.bz2";
+        };
+      });
     };
-  });
+  };
 }
 ```
 

doc/redirects.json

@@ -113,9 +113,6 @@
   "ex-pkgs-replace-vars-with": [
     "index.html#ex-pkgs-replace-vars-with"
   ],
-  "ex-pnpm-build-hook": [
-    "index.html#ex-pnpm-build-hook"
-  ],
   "ex-shfmt": [
     "index.html#ex-shfmt"
   ],
@@ -349,33 +346,6 @@
   "pkgs.treefmt.withConfig": [
     "index.html#pkgs.treefmt.withConfig"
   ],
-  "pnpm-build-hook": [
-    "index.html#pnpm-build-hook"
-  ],
-  "pnpm-build-hook-build-flags": [
-    "index.html#pnpm-build-hook-build-flags"
-  ],
-  "pnpm-build-hook-code-snippet": [
-    "index.html#pnpm-build-hook-code-snippet"
-  ],
-  "pnpm-build-hook-dont": [
-    "index.html#pnpm-build-hook-dont"
-  ],
-  "pnpm-build-hook-exclusive-variables": [
-    "index.html#pnpm-build-hook-exclusive-variables"
-  ],
-  "pnpm-build-hook-flags": [
-    "index.html#pnpm-build-hook-flags"
-  ],
-  "pnpm-build-hook-script": [
-    "index.html#pnpm-build-hook-script"
-  ],
-  "pnpm-build-hook-variables": [
-    "index.html#pnpm-build-hook-variables"
-  ],
-  "pnpm-build-hook-honored-variables": [
-    "index.html#pnpm-build-hook-honored-variables"
-  ],
   "preface": [
     "index.html#preface"
   ],

doc/release-notes/rl-2605.section.md

@@ -1,4 +1,4 @@
-# Nixpkgs 26.05 ("Yarara", 2026.05/30) {#sec-nixpkgs-release-26.05}
+# Nixpkgs 26.05 ("Yarara", 2026.05/??) {#sec-nixpkgs-release-26.05}
 
 ## Highlights {#sec-nixpkgs-release-26.05-highlights}
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -6,44 +6,6 @@
 - GCC has been updated from GCC 14 to GCC 15.
   This introduces some backwards incompatible changes; Refer to the [upstream porting guide](https://gcc.gnu.org/gcc-15/porting_to.html) for details.
 
-- `glibc` has been updated to version 2.42.
-
-  This version no longer makes the stack executable when a shared library requires this. A symptom
-  is an error like
-
-  > cannot enable executable stack as shared object requires: Invalid argument
-
-  This is usually a bug. Please consider reporting it to the software maintainers.
-
-  In a lot of cases, the library requires the execstack by mistake only. The following workarounds exist:
-
-  * When building the shared library in question from source, use the following linker flags to force turning off the
-    executable flag:
-
-    ```nix
-    mkDerivation {
-      # …
-
-      env.NIX_LDFLAGS = "-z,noexecstack";
-    }
-    ```
-
-  * If the sources are not available, the execstack-flag can be cleared with `patchelf`:
-
-    ```
-    patchelf --clear-execstack binary-only.so
-    ```
-
-  * If the shared library to be loaded actually requires an executable stack and it isn't turned
-    on by the application loading it, you may force allowing that behavior by setting the
-    following environment variable:
-
-    ```
-    GLIBC_TUNABLES=glibc.rtld.execstack=2
-    ```
-
-    **Do not set this globally!** This makes your setup inherently less secure.
-
 - Node.js default version has been updated from 22 LTS to 24 LTS.
   This introduces some breaking changes; Refer to the [upstream migration article](https://nodejs.org/en/blog/migrations/v22-to-v24) for details.
 
@@ -112,8 +74,6 @@
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- `mdbook-linkcheck` has been removed as it is unmaintained and incompatible with the latest version of `mdbook`. Users can instead migrate to `mdbook-linkcheck2`.
-
 - The `nodePackages` package set has been removed entirely from nixpkgs. This package set was created to ease the maintenance burden of maintaining lots of
   NodeJS-based packages within nixpkgs, but became a burden itself. Over the past several releases, there has been a focus on removing it in favor of the more modern nixpkgs packaging strategies.
   After a long time, this package set has been deprecated and removed. If you are using its package set in your own config, please use the top-level packages instead.(i.e `pkgs.package-name` instead of `pkgs.nodePackages.package-name`).
@@ -151,23 +111,6 @@
 
 - `nodePackages.wavedrom-cli` has been removed, as it was unmaintained within nixpkgs.
 
-- MATE packages have been moved to top level (e.g. if you previously added `pkgs.mate.caja` to `environment.systemPackages`, you will need to change it to `pkgs.caja`).
-
-- `kratos` has been updated from 1.3.1 to [25.4.0](https://github.com/ory/kratos/releases/tag/v25.4.0). Upstream switched to a new versioning scheme (year.major.minor). Notable breaking changes:
-
-  - The `migrate sql` CLI command is now `migrate sql up`
-  - OIDC registration validation errors are now placed in the `default` node group instead of `oidc`
-  - Failed OIDC account linking returns HTTP 400 instead of 200
-
-- `pdns` has been updated to version [v5.0.x](https://doc.powerdns.com/authoritative/changelog/5.0.html), which introduces breaking changes. Check out the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-5-0-0) for details.
-
-- `geph` package's built-in GUI `geph5-client-gui` has been [removed](https://github.com/geph-official/geph5/commit/f2221fb8386312daf2cef05483ebb353ff48bdb4) by the upstream. All users who wish to continue using the GUI should install the `gephgui-wry`, which is consistent with the official release version.
-
-- `xfsprogs` was updated to version 6.18.0, which enables parent pointers and exchange-range by default. Upstream recommends not to use these features with kernels older than 6.18.
-   GRUB2 is likely unable to boot from filesystems with these features enabled.
-
-- `lunarvim` package has been removed, as it was abandoned upstream and relied on an old version of `neovim` to work properly.
-
 - `requireFile` now treats any `message` or `url` argument as a literal string, rather than subjecting it to Bash here-doc expansion.  This allows including strings like `$PWD` in the message without needing to know about and handle the undocumented Bash expansion.
 
 - `nodePackages.browserify` has been removed, as it was unmaintained within nixpkgs.
@@ -183,6 +126,8 @@
 - `kanata` now requires `karabiner-dk` version 6.0+ or later.
   The package has been updated to use the new `karabiner-dk` package and the `darwinDriver` output stays at the version defined in the package.
 
+- Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.
+
 - Keycloak has been updated to 26.6.X, bringing a lot of new features like federated client authentication, JWT authorization grants, workflows and the ability to do
   zero-downtime patch releases. Read more about [all the exciting new capabilities in keycloak 26.6 here](https://github.com/keycloak/keycloak/releases/tag/26.6.0)
   and [consult the migration guide to 26.6](https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-26-6-0) to find out whether this is a breaking
@@ -232,7 +177,7 @@
 
 - `iroh` has been removed and split up into `iroh-dns-server` and `iroh-relay`.
 
-- The `xorg` package set has been deprecated, packages have moved to the top level.
+- the `xorg` package set has been deprecated, packages have moved to the top level.
 
 - `python3Packages.buildPythonPackage` and `python3Packages.buildPythonApplication` now throw errors in the presence of `pytestFlagsArray`.
   Please use [`pytestFlags` and `(enabled|disabled)(TestPaths|Tests|TestMarks)`](#using-pytestcheckhook) instead.
@@ -269,12 +214,23 @@
 - `jetbrains.plugins.addPlugins` no longer supports plugin names or ID strings.
   You can still use `addPlugins` with plugin derivations, such as plugins packaged outside of Nixpkgs.
 
+- The `programs.captive-browser` module no longer falls back on a setcap wrapper around udhcpc to discover your network's DNS server due to [GHSA-wc3r-c66x-8xmc](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc) (CVE-2026-25740). If you're using this module, you must either configure `programs.captive-browser.dhcp-dns` manually or enable one of NetworkManager, dhcpcd, or systemd-networkd.
+
 - NetBox was updated to `>= 4.5.5`. Have a look at the breaking changes
   of the [4.5 release](https://github.com/netbox-community/netbox/releases/tag/v4.5.0),
   make the required changes to your database, if needed, then upgrade by setting `services.netbox.package = pkgs.netbox_4_5;` in your configuration.
 
+- The `services.yggdrasil` module has been refactored with the following breaking changes:
+  - The `services.yggdrasil.configFile` option has been removed. Configuration should now be specified directly via `services.yggdrasil.settings`.
+  - The `services.yggdrasil.persistentKeys` option has been removed. To maintain persistent keys and IPv6 addresses across reboots, use `services.yggdrasil.settings.PrivateKeyPath` to securely load your private key from a file via systemd credentials. The private key must be in PEM format (PKCS #8).
+  - Storing `PrivateKey` directly in `settings` is now explicitly forbidden to prevent keys from being stored world-readable in the Nix store.
+  - If you previously used `configFile`, migrate your configuration to the `settings` option and extract the private key to a separate file referenced by `PrivateKeyPath`.
+  - If you previously used `persistentKeys`, convert your keys to PEM format and store them in a secure location accessible only to root, then reference them via `PrivateKeyPath`.
+
 - `pocket-id` has been updated to version 2 that contains [breaking changes](https://pocket-id.org/docs/setup/major-releases/migrate-v2).
 
+- `services.xserver` will now throw an error if an X11 driver specified in  `videoDriver(s)` cannot be found. Previously, unknown drivers would be silently ignored.
+
 - `asio` (standalone version of `boost::asio`) has been updated from 1.24.0 to 1.36.0. Some breaking changes were introduced between these
   two versions, and the one affected most was the removal of `asio::io_service` in favor of `asio::io_context` in 1.33.0. `asio_1_32_0` is
   retained for packages that have not completed migration. `asio_1_10` has been removed as no packages depend on it anymore.
@@ -297,6 +253,8 @@
 
 - Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.
 
+- The `services.avahi.wideArea` option now defaults to `false` as a mitigation against [`CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`](https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g).
+
 - `coreth` has been removed, as upstream has moved it into `avalanchego`.
 
 - `nodePackages.prebuild-install` was removed because it appeared to be unmaintained upstream.
@@ -326,6 +284,8 @@
 
 - `shisho` has been removed because it's archived. `semgrep`, `opengrep`, and `ast-grep` provide similar functionality.
 
+- `services.openssh.settings.AcceptEnv` is now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.
+
 - All Xfce packages have been moved to top level (e.g. if you previously added `pkgs.xfce.xfce4-whiskermenu-plugin` to `environment.systemPackages`, you will need to change it to `pkgs.xfce4-whiskermenu-plugin`). The `xfce` scope will be removed in NixOS 26.11.
 
 - The Dovecot IMAP server has been updated to version 2.4, with the `dovecot` attribute now referring to this backwards-incompatible version. The attribute `dovecot_2_3` refers to the previous version. The Pigeonhole plugin has been similarly updated to 2.4, with the version compatible with Dovecot 2.3 being at `dovecot_pigeonhole_0_5`. See <https://doc.dovecot.org/latest/installation/upgrade/2.3-to-2.4.html> for more information on how to upgrade.
@@ -336,8 +296,12 @@
 
 - `vimPlugins.nvim-treesitter` has been updated to `main` branch, which is a full and incompatible rewrite. If you can't or don't want to update, you should use `vimPlugins.nvim-treesitter-legacy`.
 
+- `services.taskchampion-sync-server` module has had an option `services.taskchampion-sync-server.dynamicUser` added to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.
+
 - Package `jellyseerr` has been renamed to `seerr` following the upstream rename.
 
+- The default packages in `services.jenkins.packages` have been dropped, since not every Jenkins installation needs any package at all. It's more reasonable to leave it empty and let users configure what they need.
+
 - The `pie` hardening flag has been removed and will now error, after being deprecated in 25.11. Compilers are expected to enable PIE by default, as has been common practice since 2016 outside of Nixpkgs. If a package needs `pie` disabled pass `-no-pie` in `CFLAGS`. It is unlikely this will be necessary in many cases; due to the prevalence of default PIE toolchains, most packages incompatible with PIE already pass `-no-pie`.
 
 - `pqos-wrapper` was removed as it has been unmaintained since 2022 and not widely used.
@@ -350,8 +314,6 @@
 
 - `linuxPackages.nvidiaPackages` now follows NVIDIA's official release branches by exposing `production`, `new_feature`, and `beta`. The convenience aliases `latest` (newer of `production` and `new_feature`) and `bleeding_edge` (newer of `latest` and `beta`) are provided; note that `beta` now refers strictly to the beta branch.
 
-- `stestrCheckHook` was added: This test hook runs `stestr run`. You can disable tests with `disabledTests` and `disabledTestsRegex`.
-
 - `balatro` now supports the Google Play and Xbox PC versions of the game.  Pass the `apk` or `Assets.zip` as `balatro.override { src = "…" }`.
 
 - `uptime-kuma` has been updated to v2, which requires an automated migration that can take a few hours. **A backup is highly recommended.**
@@ -362,22 +324,16 @@
 
 - The `libcxxhardeningextensive` hardening flag has been **disabled** by default. Enabling it by default in 25.11 was unintentional and may have had a negative effect on performance in some cases. `libcxxhardeningfast` remains enabled by default.
 
-- Wine has been updated to the 11.0 branch. Please check the [upstream announcement](https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0) for more details.
-
-- Cinnamon has been updated to 6.6, please check the [upstream announcement](https://www.linuxmint.com/rel_zena_whatsnew.php) for more details.
-
-- `rspamd` has been updated to 4.0. Please check the upstream [migration](https://docs.rspamd.com/tutorials/migration/#migration-to-rspamd-400) documentation, especially if you run a sharded Redis deployment.
-
-- `hyphen` now supports over 40 language variants through `hyphenDicts` and now allows to enable all supported languages through `hyphenDicts.all`.
-
-- `budgie` has been updated to 10.10, please check the [upstream announcement](https://buddiesofbudgie.org/blog/budgie-10-10-released) for more details.
-
 - The packages `ibtool`, `actool` and `re-plistbuddy` have been added, providing reimplementations of the corresponding proprietary Apple tools. They are more compatible with the originals than the previously existing `xcbuild` package, and should enable more darwin software to be built from source.
 
+- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows avoiding switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.
+
 - GNU Taler has been updated to version 1.3.
   This release focuses on getting everything ready for a deployment of GNU Taler by Magnet bank.
   For more details, see the [upstream release notes](https://www.taler.net/en/news/2025-13.html).
 
+- The `services.nextcloud-spreed-signaling` NixOS module has been added to facilitate declarative management of a standalone Spreed signaling server ("High Performance Backend" for Nextcloud Talk).
+
 - `collabora-desktop` The desktop version of Collabora Office is now available, package version `25.05.9.2-2`.
 
 - `fetchPnpmDeps` and `pnpmConfigHook` were added as top-level attributes, replacing the now deprecated `pnpm.fetchDeps` and `pnpm.configHook` attributes.
@@ -412,6 +368,8 @@
 
 - Updated `gonic` to 0.21.0. A full ("slow") scan is recommended after upgrading to v0.21.0 to pick up the newly scanned fields (contributors, ISRCs, record labels, per-track years, ARTIST_CREDIT).
 
+- the `autossh-ng` NixOS module was introduced as a simpler alternative to the existing `autossh` module.
+
 - Added `haskell.packages.microhs`, a set of Haskell packages built with MicroHs.
 
 - `gnuradio`: Overriding the `.pkgs` package set is now possible with a `packageOverrides` function, like with `python.pkgs` and other language-specific package sets.
@@ -430,6 +388,8 @@ gnuradioMinimal.override {
 }
 ```
 
+- Added `headplane` and `headplane-agent` packages, and `services.headplane` service.
+
 ## Nixpkgs Library {#sec-nixpkgs-release-26.05-lib}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -462,3 +422,4 @@ gnuradioMinimal.override {
 
 - The builder `php.buildComposerProject2` for PHP applications has been improved for better reliability and stability.
 
+- The `services.drupal` module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config yamls onto NixOS, and some new settings for managing variable content and filepaths.

doc/release-notes/rl-2611.section.md

@@ -10,32 +10,11 @@
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- `databricks-cli` has been updated from `0.290.2` to `1.x.x`, the first major release. OAuth tokens for interactive logins (`auth_type = databricks-cli`) are now stored in the OS-native secure store by default (Secret Service on Linux) instead of `~/.databricks/token-cache.json`; cached tokens from older versions are not migrated, so run `databricks auth login` once per profile after upgrading. To keep the previous file-backed storage, set `DATABRICKS_AUTH_STORAGE=plaintext` or add `auth_storage = plaintext` under `[__settings__]` in `~/.databrickscfg`. Additionally, the `vector_search_endpoints` DABs resource renamed `min_qps` to `target_qps` (and the `vector-search-endpoints` command renamed `--min-qps` to `--target-qps`). See the [upstream changelog](https://github.com/databricks/cli/blob/main/CHANGELOG.md) for details.
-
 - `hurl` has been updated to `8.x.x` which has some breaking changes. See [upstream changelog](https://github.com/Orange-OpenSource/hurl/releases/tag/8.0.0) for details.
 - `python3Packages.django-health-check` has been updated to major version 4. See its [migration guide](https://codingjoe.dev/django-health-check/migrate-to-v4/) and [changelog](https://github.com/codingjoe/django-health-check/releases/tag/4.0.0) for breaking changes.
 
-- `libgdata` has been removed, as it was archived upstream and relied on the insecure libsoup 2.4.
-
-- `uhttpmock` providing 0.0 ABI was removed. `uhttpmock_1_0` providing 1.0 ABI was renamed to `uhttpmock` and `uhttpmock_1_0` was kept as an alias.
-
-- The ARMv5 Linux kernel build now uses a standard configuration and generates a standard compressed image instead of the deprecated legacy U‐Boot image format.
-  `lib.systems.{examples,platforms}.{sheevaplug,pogoplug4}` have been unified into `lib.systems.examples.armv5tel-multiplatform`.
-  Note that there is no official support for ARMv5 and it is not possible to build even a simple NixOS configuration out of the box.
-
-- Support for the legacy U‐Boot image format has been removed from the Linux kernel builders, as it is deprecated upstream and no longer used by any platform in Nixpkgs.
-
 - `requireFile` now sets `meta.license = lib.licenses.unfree` by default. Users of `requireFile`-based derivations that preserve this default will need to explicitly allow their evaluation as described in [](#sec-allow-unfree).
 
-- `librest` providing 0.7 ABI was removed. `librest_1_0` providing 1.0 ABI was renamed to `librest` and `librest_1_0` was kept as an alias.
-
-- `fetchPnpmDeps`' `fetcherVersion = 1` and `fetcherVersion = 2` have been
-  removed, as announced in the 26.05 release. Packages still using them now
-  throw an evaluation error and must migrate to `fetcherVersion = 3` (or later)
-  and regenerate their hashes. See the
-  [pnpm `fetcherVersion` section](#javascript-pnpm-fetcherVersion) of the manual
-  for details.
-
 ## Other Notable Changes {#sec-nixpkgs-release-26.11-notable-changes}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

doc/styleguide.md

@@ -1,420 +0,0 @@
-# Styleguide
-
-## Writing Principles
-
-A consistent style greatly increases the usability of all documentation and communication.
-
-Use this page as a reference and style guide for our internal and external documentation.
-
-### Knowledge Expectations
-
-**Assume competence, not familiarity.**
-
-Write for someone who knows a great deal — up to but not including this project.
-
-**What readers know:**
-
-- Basic computer operation
-- Command line familiarity
-- General interest in systems configuration
-
-**What readers don't know:**
-
-- NixOS-specific concepts
-- NixOS ecosystem details or grammar
-- NixOS workflows
-
-If specific knowledge is required, mention it at the start of the page.
-
-#### Show, Don't Tell
-
-The fastest path to understanding is a working example.
-People learn by doing, not by reading about doing.
-
-**Recommended structure:**
-
-- Start with the minimal working code or command
-- Briefly explain what it does
-- Cover edge cases or variations
-- Link to further information instead of including it
-
-#### Grammar and Style
-
-**Sentence structure:**
-
-- Use simple, direct sentences
-- Break complex ideas into multiple short sentences
-- Avoid nested clauses
-
-**Bad:**
-
-> The following command, which utilizes nixos-generate-config to produce a comprehensive hardware configuration, will write the results back into the respective configuration directory located on your local machine.
-
-What the user does is hidden in the middle.
-`nixos-generate-config` is a leaked implementation detail.
-Users care about *detecting hardware*, not *the tool that does it*.
-
-**Good:**
-
-> This command detects your hardware and saves the configuration.
-
-#### Content Organization
-
-Lead with value. State what the reader will accomplish before explaining how.
-
-**Bad:**
-
-> To create a new NixOS configuration that you can later use as a webserver, first navigate to your project directory, then add a new host configuration file with the desired machine name.
-
-**Good:**
-
-Add a webserver configuration to your NixOS setup:
-
-```nix
-# hosts/webserver/configuration.nix
-{ ... }:
-{
-  services.nginx.enable = true;
-}
-```
-
-Use **progressive disclosure**. Introduce concepts only when needed.
-
-**Recommended structure:**
-
-1. State the goal (one sentence)
-2. Show the simplest working example
-3. Explain concepts if needed
-4. Provide advanced options separately or link to the reference
-
-#### No Meta-commentary
-
-Don't describe what the documentation does. Just do it.
-
-**Don't:**
-
-> This section explains how to configure networking.
-> The following guide walks you through setting up a web server.
-
-**Do:**
-
-> Configure networking by setting:
-> Set up a web server:
-
-#### Code Examples
-
-**Keep examples focused:**
-
-- Show one concept at a time
-- Use realistic but simple scenarios
-- Avoid dependencies on other examples
-
-**Minimal comments**
-
-Let the code speak for itself.
-Paste code examples directly and without further alteration.
-
-**Bad:**
-
-```nix
-# This sets the hostname for the machine
-{
-  networking.hostName = "webserver"; # Change this to your machine's hostname
-  # This enables SSH access
-  services.openssh.enable = true; # Required for remote deployment
-}
-```
-
-**Good:**
-
-```nix
-{
-  networking.hostName = "webserver";
-  services.openssh.enable = true;
-}
-```
-
-#### Lead with Practical Examples
-
-Don't front-load theory. Readers want to accomplish something first, then understand why it works.
-
-- Show configuration as *what you want*, not *how the module system works*
-- Introduce Nix-specific concepts only when they are needed to complete the task
-- Defer language mechanics to reference pages or `nix.dev`
-
-**Bad:**
-
-> Before adding a service, you need to understand the NixOS module system and attribute set merging.
-
-**Good:**
-
-Enable nginx:
-
-```nix
-{ services.nginx.enable = true; }
-```
-
-This adds nginx to your system configuration. Rebuild to apply:
-
-```bash
-sudo nixos-rebuild switch
-```
-
-#### Teach Nix through examples, not theory
-
-
-Users learn the NixOS module system by seeing patterns first.
-
-- Start with a working example
-- Explanation follows the code
-- Link deeper concepts instead of inlining them
-- Link to `nix.dev` for optional learning
-
-#### General Rules
-
-- Abbreviate keys like `ssh-ed25519 AAAAC3NzaC…`
-- Abbreviate IP addresses like `192.168.XXX.XXX`
-- Variables are capitalized and start with `$`, e.g. `$YOUR_HOSTNAME`
-- Variables should be directly usable during copy-paste
-- Do **not** describe missing code parts (`#elided`, `#omitted`)
-- **Machine vs Host**: use "machine" for the NixOS system identity, "host" for the physical or virtual hardware
-
-#### Capitalization
-
-- GB / RAM / HDD
-- bootable USB drive
-- Wi-Fi / DHCP / DNS
-- macOS / NixOS / Nix / Linux
-- Flakes
-- git
-
-#### Headings
-
-Use sentence case. A reader scanning only headings should understand the page.
-
-**Don't:**
-
-> Getting Started
-> Overview
-> Configure The Database
-
-**Do:**
-
-> Set up a PostgreSQL database
-> Configure networking
-> Add a user to the system
-
-#### Imperative Mood, Voice, and Person
-
-Use imperative mood for instructions. Address the reader as "you", not "the user". Use active voice; in other words, make the subject do the action.
-
-**Don't:**
-
-> The user should run the following command.
-> The configuration will need to be updated.
-> The key is generated by the system.
-
-**Do:**
-
-> Run the command.
-> Update the configuration.
-> The system generates the key.
-
-#### Tense
-
-Use present tense for descriptions. Future tense makes documentation feel tentative.
-
-**Don't:**
-
-> This will create a new folder.
-> Running this command will install the package.
-
-**Do:**
-
-> This creates a new folder.
-> Running this command installs the package.
-
-#### Be Confident
-
-State facts. Don't hedge with "should," "might," "typically," or "usually" unless the behavior genuinely varies.
-
-**Don't:**
-
-> This should create the configuration file.
-> The service will usually start automatically.
-
-**Do:**
-
-> This creates the configuration file.
-> The service starts automatically.
-
-#### Avoid Nominalizations
-
-A nominalization is a verb turned into a noun, often by adding *-tion*, *-meant*, or *-ance* (e.g. "explanation", "selection"). The fix: find the hidden verb and use it directly.
-
-**Don't:**
-
-> Make a selection from the list.
-> Provide an explanation of the error.
-
-**Do:**
-
-> Select from the list.
-> Explain the error.
-
-#### Plain Words
-
-Technical precision for technical terms; plain language for everything else.
-
-- "use" not "utilize"
-- "start" not "initiate"
-- "end" not "terminate"
-- "help" not "facilitate"
-- "send" not "transmit"
-- "set up" not "establish"
-- "find out" not "ascertain"
-
-#### Filler Words and Weak Phrases
-
-Cut words and phrases that add length without meaning.
-
-Delete on sight:
-
-- "simply", "just", "easily", "basically", "obviously"
-- "in order to" → use "to"
-- "allows you to" → use the verb directly
-- "it's worth noting that" → just say the thing
-- no exclamation marks in technical prose
-
-**Don't:**
-
-> Simply run `nixos-rebuild switch`.
-> In order to deploy, you first need to run the command, which allows you to push the config.
-> It's worth noting that this requires root access.
-
-**Do:**
-
-> Run `nixos-rebuild switch`.
-> To deploy, run:
-> This requires root access.
-
-Every word must earn its place.
-
-#### Writing Procedures
-
-One instruction per sentence. Don't pack multiple actions into one sentence.
-
-**Don't:**
-
-> Navigate to your project directory and run the command, then check the output.
-
-**Do:**
-
-1. Navigate to your project directory.
-2. Run the command.
-3. Check the output.
-
-Don't bury the negative. Key limitations should be prominent, not a footnote after a positive description.
-
-**Don't:**
-
-> This service supports multiple roles, integrates with existing modules, and works great for most setups (note that multiple instances are not supported).
-
-**Do:**
-
-> This service does not support multiple instances.
-
-#### Consistent Terminology
-
-Pick a term and stick to it. Don't swap synonyms to avoid repetition. In technical documentation, repetition is clarity.
-
-**Don't:**
-
-> Create a machine... configure the host... deploy the node.
-
-**Do:**
-
-> Create a machine... configure the machine... deploy the machine.
-
-#### Links
-
-Use descriptive link text. Never use "click here" or "this link."
-
-**Don't:**
-
-> For more information, see `[this page](url)`.
-> Click `[here](url)` to read the reference.
-
-**Do:**
-
-> See the `[NixOS options reference](url)` for details.
-> Read the `[NixOS module system guide](url)`.
-
-Only link when the destination is directly relevant, not for generic background context (sometimes known as "Wikipedia-style links"). Readers feel obligated to click links, fearing they'll miss something important. Don't send them to a generic article about a technology when they're looking for how *your* system uses it.
-
-**Don't:**
-
-> Our software uses [SQLite](https://sqlite.org/) for storage.
-> *(Reader clicks expecting schema details — finds a generic product page instead.)*
-
-(Note that in the above example, the SQLite link is the SQLite home page, which is likely not pertinent.)
-
-**Do:**
-
-> See `[database schema](url)` for the full table structure.
-
-#### UI Language
-
-Match UI element names exactly: wording, casing, and spacing (even if a label seems oddly worded).
-
-**Don't:**
-
-> Click the generator button.
-> Select the save option.
-
-**Do:**
-
-> Click **Generate a Key**.
-> Click **Save Changes**.
-
-Someone will go looking for a button labeled "generator." They will not find it. They will be frustrated.
-
-Consistency between documentation and interface builds confidence. Words are part of the interface.
-
-:::{.tip}
-This can be tricky as UI changes; we don't yet have a policy in place for how to handle this. We welcome comments and suggestions.
-:::
-
-#### Clean system discipline
-
-Your machine has things new users don't: cached credentials, installed tools, environment variables, existing configuration. When writing or updating documentation:
-
-**Don't:**
-
-> Write steps from memory on your development machine, assuming what works there will work everywhere.
-
-**Do:**
-
-> - Start on a clean system — a fresh VM or new user account
-> - Take notes in real time as you work through the steps
-> - Document every warning, prompt, or unexpected output the system shows
-
-Also think in combinations: WSL vs native Linux, with and without existing keys. You don't need to test every matrix square — but you need to know which ones diverge.
-
-#### Never type code — always copy-paste
-
-Always copy commands and code from a terminal where you just ran them successfully. Never retype from memory.
-
-**Don't:**
-
-> Retype a command from memory into the documentation.
-> Retype code into a code-block from memory
-
-**Do:**
-
-> Paste commands directly from the shell or IDE.
-> Paste code that has been successfully validated with nix-instantiate or nix-build
-
-Replace sensitive values with placeholders: `<YOUR-KEY>`, `<YOUR-HOST>`, `<YOUR-TOKEN>`.
-
-Typed-from-memory commands introduce subtle errors. Even the most experienced software developers have occasional typos.

lib/systems/examples.nix

@@ -40,9 +40,10 @@ rec {
     rust.rustcTarget = "powerpc-unknown-linux-gnu";
   };
 
-  armv5tel-multiplatform = {
+  sheevaplug = {
     config = "armv5tel-unknown-linux-gnueabi";
-  };
+  }
+  // platforms.sheevaplug;
 
   raspberryPi = {
     config = "armv6l-unknown-linux-gnueabihf";
@@ -98,6 +99,11 @@ rec {
     useLLVM = true;
   };
 
+  pogoplug4 = {
+    config = "armv5tel-unknown-linux-gnueabi";
+  }
+  // platforms.pogoplug4;
+
   ben-nanonote = {
     config = "mipsel-unknown-linux-uclibc";
   }
@@ -149,6 +155,7 @@ rec {
   gnu64 = {
     config = "x86_64-unknown-linux-gnu";
   };
+  gnu64_simplekernel = gnu64 // platforms.pc_simplekernel; # see test/cross/default.nix
   gnu32 = {
     config = "i686-unknown-linux-gnu";
   };

lib/systems/platforms.nix

@@ -18,6 +18,10 @@ rec {
     };
   };
 
+  pc_simplekernel = lib.recursiveUpdate pc {
+    linux-kernel.autoModules = false;
+  };
+
   ##
   ## POWER
   ##
@@ -46,15 +50,138 @@ rec {
   ## ARM
   ##
 
-  armv5tel-multiplatform = {
+  pogoplug4 = {
     linux-kernel = {
-      name = "armv5tel-multiplatform";
+      name = "pogoplug4";
 
       baseConfig = "multi_v5_defconfig";
-      DTB = true;
-      autoModules = true;
-      preferBuiltin = true;
-      target = "zImage";
+      autoModules = false;
+      extraConfig = ''
+        # Ubi for the mtd
+        MTD_UBI y
+        UBIFS_FS y
+        UBIFS_FS_XATTR y
+        UBIFS_FS_ADVANCED_COMPR y
+        UBIFS_FS_LZO y
+        UBIFS_FS_ZLIB y
+        UBIFS_FS_DEBUG n
+      '';
+      makeFlags = [ "LOADADDR=0x8000" ];
+      target = "uImage";
+      # TODO reenable once manual-config's config actually builds a .dtb and this is checked to be working
+      #DTB = true;
+    };
+    gcc = {
+      arch = "armv5te";
+    };
+  };
+
+  sheevaplug = {
+    linux-kernel = {
+      name = "sheevaplug";
+
+      baseConfig = "multi_v5_defconfig";
+      autoModules = false;
+      extraConfig = ''
+        BLK_DEV_RAM y
+        BLK_DEV_INITRD y
+        BLK_DEV_CRYPTOLOOP m
+        BLK_DEV_DM m
+        DM_CRYPT m
+        MD y
+        BTRFS_FS m
+        XFS_FS m
+        JFS_FS m
+        EXT4_FS m
+        USB_STORAGE_CYPRESS_ATACB m
+
+        # mv cesa requires this sw fallback, for mv-sha1
+        CRYPTO_SHA1 y
+        # Fast crypto
+        CRYPTO_TWOFISH y
+        CRYPTO_TWOFISH_COMMON y
+        CRYPTO_BLOWFISH y
+        CRYPTO_BLOWFISH_COMMON y
+
+        IP_PNP y
+        IP_PNP_DHCP y
+        NFS_FS y
+        ROOT_NFS y
+        TUN m
+        NFS_V4 y
+        NFS_V4_1 y
+        NFS_FSCACHE y
+        NFSD m
+        NFSD_V2_ACL y
+        NFSD_V3 y
+        NFSD_V3_ACL y
+        NFSD_V4 y
+        NETFILTER y
+        IP_NF_IPTABLES y
+        IP_NF_FILTER y
+        IP_NF_MATCH_ADDRTYPE y
+        IP_NF_TARGET_LOG y
+        IP_NF_MANGLE y
+        IPV6 m
+        VLAN_8021Q m
+
+        CIFS y
+        CIFS_XATTR y
+        CIFS_POSIX y
+        CIFS_FSCACHE y
+        CIFS_ACL y
+
+        WATCHDOG y
+        WATCHDOG_CORE y
+        ORION_WATCHDOG m
+
+        ZRAM m
+        NETCONSOLE m
+
+        # Disable OABI to have seccomp_filter (required for systemd)
+        # https://github.com/raspberrypi/firmware/issues/651
+        OABI_COMPAT n
+
+        # Fail to build
+        DRM n
+        SCSI_ADVANSYS n
+        USB_ISP1362_HCD n
+        SND_SOC n
+        SND_ALI5451 n
+        FB_SAVAGE n
+        SCSI_NSP32 n
+        ATA_SFF n
+        SUNGEM n
+        IRDA n
+        ATM_HE n
+        SCSI_ACARD n
+        BLK_DEV_CMD640_ENHANCED n
+
+        FUSE_FS m
+
+        # systemd uses cgroups
+        CGROUPS y
+
+        # Latencytop
+        LATENCYTOP y
+
+        # Ubi for the mtd
+        MTD_UBI y
+        UBIFS_FS y
+        UBIFS_FS_XATTR y
+        UBIFS_FS_ADVANCED_COMPR y
+        UBIFS_FS_LZO y
+        UBIFS_FS_ZLIB y
+        UBIFS_FS_DEBUG n
+
+        # Kdb, for kernel troubles
+        KGDB y
+        KGDB_SERIAL_CONSOLE y
+        KGDB_KDB y
+      '';
+      makeFlags = [ "LOADADDR=0x0200000" ];
+      target = "uImage";
+      DTB = true; # Beyond 3.10
     };
     gcc = {
       arch = "armv5te";
@@ -69,6 +196,11 @@ rec {
       DTB = true;
       autoModules = true;
       preferBuiltin = true;
+      extraConfig = ''
+        # Disable OABI to have seccomp_filter (required for systemd)
+        # https://github.com/raspberrypi/firmware/issues/651
+        OABI_COMPAT n
+      '';
       target = "zImage";
     };
     gcc = {
@@ -89,6 +221,15 @@ rec {
   };
 
   zero-gravitas = {
+    linux-kernel = {
+      name = "zero-gravitas";
+
+      baseConfig = "zero-gravitas_defconfig";
+      # Target verified by checking /boot on reMarkable 1 device
+      target = "zImage";
+      autoModules = false;
+      DTB = true;
+    };
     gcc = {
       fpu = "neon";
       cpu = "cortex-a9";
@@ -96,6 +237,15 @@ rec {
   };
 
   zero-sugar = {
+    linux-kernel = {
+      name = "zero-sugar";
+
+      baseConfig = "zero-sugar_defconfig";
+      DTB = true;
+      autoModules = false;
+      preferBuiltin = true;
+      target = "zImage";
+    };
     gcc = {
       cpu = "cortex-a7";
       fpu = "neon-vfpv4";
@@ -103,6 +253,49 @@ rec {
     };
   };
 
+  utilite = {
+    linux-kernel = {
+      name = "utilite";
+      maseConfig = "multi_v7_defconfig";
+      autoModules = false;
+      extraConfig = ''
+        # Ubi for the mtd
+        MTD_UBI y
+        UBIFS_FS y
+        UBIFS_FS_XATTR y
+        UBIFS_FS_ADVANCED_COMPR y
+        UBIFS_FS_LZO y
+        UBIFS_FS_ZLIB y
+        UBIFS_FS_DEBUG n
+      '';
+      makeFlags = [ "LOADADDR=0x10800000" ];
+      target = "uImage";
+      DTB = true;
+    };
+    gcc = {
+      cpu = "cortex-a9";
+      fpu = "neon";
+    };
+  };
+
+  guruplug = lib.recursiveUpdate sheevaplug {
+    # Define `CONFIG_MACH_GURUPLUG' (see
+    # <http://kerneltrap.org/mailarchive/git-commits-head/2010/5/19/33618>)
+    # and other GuruPlug-specific things.  Requires the `guruplug-defconfig'
+    # patch.
+    linux-kernel.baseConfig = "guruplug_defconfig";
+  };
+
+  beaglebone = lib.recursiveUpdate armv7l-hf-multiplatform {
+    linux-kernel = {
+      name = "beaglebone";
+      baseConfig = "bb.org_defconfig";
+      autoModules = false;
+      extraConfig = ""; # TBD kernel config
+      target = "zImage";
+    };
+  };
+
   # https://developer.android.com/ndk/guides/abis#v7a
   armv7a-android = {
     linux-kernel.name = "armeabi-v7a";
@@ -116,11 +309,32 @@ rec {
   armv7l-hf-multiplatform = {
     linux-kernel = {
       name = "armv7l-hf-multiplatform";
-      baseConfig = "defconfig";
+      Major = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
+      baseConfig = "multi_v7_defconfig";
       DTB = true;
       autoModules = true;
       preferBuiltin = true;
       target = "zImage";
+      extraConfig = ''
+        # Serial port for Raspberry Pi 3. Wasn't included in ARMv7 defconfig
+        # until 4.17.
+        SERIAL_8250_BCM2835AUX y
+        SERIAL_8250_EXTENDED y
+        SERIAL_8250_SHARE_IRQ y
+
+        # Hangs ODROID-XU4
+        ARM_BIG_LITTLE_CPUIDLE n
+
+        # Disable OABI to have seccomp_filter (required for systemd)
+        # https://github.com/raspberrypi/firmware/issues/651
+        OABI_COMPAT n
+
+        # >=5.12 fails with:
+        # drivers/net/ethernet/micrel/ks8851_common.o: in function `ks8851_probe_common':
+        # ks8851_common.c:(.text+0x179c): undefined reference to `__this_module'
+        # See: https://lore.kernel.org/netdev/20210116164828.40545-1-marex@denx.de/T/
+        KS8851_MLL y
+      '';
     };
     gcc = {
       # Some table about fpu flags:
@@ -153,6 +367,22 @@ rec {
       autoModules = true;
       preferBuiltin = true;
       extraConfig = ''
+        # Raspberry Pi 3 stuff. Not needed for   s >= 4.10.
+        ARCH_BCM2835 y
+        BCM2835_MBOX y
+        BCM2835_WDT y
+        RASPBERRYPI_FIRMWARE y
+        RASPBERRYPI_POWER y
+        SERIAL_8250_BCM2835AUX y
+        SERIAL_8250_EXTENDED y
+        SERIAL_8250_SHARE_IRQ y
+
+        # Cavium ThunderX stuff.
+        PCI_HOST_THUNDER_ECAM y
+
+        # Nvidia Tegra stuff.
+        PCI_TEGRA y
+
         # The default (=y) forces us to have the XHCI firmware available in initrd,
         # which our initrd builder can't currently do easily.
         USB_XHCI_TEGRA m
@@ -186,6 +416,74 @@ rec {
   };
 
   fuloong2f_n32 = {
+    linux-kernel = {
+      name = "fuloong2f_n32";
+      baseConfig = "lemote2f_defconfig";
+      autoModules = false;
+      extraConfig = ''
+        MIGRATION n
+        COMPACTION n
+
+        # nixos mounts some cgroup
+        CGROUPS y
+
+        BLK_DEV_RAM y
+        BLK_DEV_INITRD y
+        BLK_DEV_CRYPTOLOOP m
+        BLK_DEV_DM m
+        DM_CRYPT m
+        MD y
+        EXT4_FS m
+        USB_STORAGE_CYPRESS_ATACB m
+
+        IP_PNP y
+        IP_PNP_DHCP y
+        IP_PNP_BOOTP y
+        NFS_FS y
+        ROOT_NFS y
+        TUN m
+        NFS_V4 y
+        NFS_V4_1 y
+        NFS_FSCACHE y
+        NFSD m
+        NFSD_V2_ACL y
+        NFSD_V3 y
+        NFSD_V3_ACL y
+        NFSD_V4 y
+
+        # Fail to build
+        DRM n
+        SCSI_ADVANSYS n
+        USB_ISP1362_HCD n
+        SND_SOC n
+        SND_ALI5451 n
+        FB_SAVAGE n
+        SCSI_NSP32 n
+        ATA_SFF n
+        SUNGEM n
+        IRDA n
+        ATM_HE n
+        SCSI_ACARD n
+        BLK_DEV_CMD640_ENHANCED n
+
+        FUSE_FS m
+
+        # Needed for udev >= 150
+        SYSFS_DEPRECATED_V2 n
+
+        VGA_CONSOLE n
+        VT_HW_CONSOLE_BINDING y
+        SERIAL_8250_CONSOLE y
+        FRAMEBUFFER_CONSOLE y
+        EXT2_FS y
+        EXT3_FS y
+        MAGIC_SYSRQ y
+
+        # The kernel doesn't boot at all, with FTRACE
+        FTRACE n
+      '';
+      target = "vmlinux";
+    };
     gcc = {
       arch = "loongson2f";
       float = "hard";
@@ -231,6 +529,35 @@ rec {
     };
   };
 
+  # based on:
+  #   https://www.mail-archive.com/qemu-discuss@nongnu.org/msg05179.html
+  #   https://gmplib.org/~tege/qemu.html#mips64-debian
+  mips64el-qemu-linux-gnuabi64 = {
+    linux-kernel = {
+      name = "mips64el";
+      baseConfig = "64r2el_defconfig";
+      target = "vmlinuz";
+      autoModules = false;
+      DTB = true;
+      # for qemu 9p passthrough filesystem
+      extraConfig = ''
+        MIPS_MALTA y
+        PAGE_SIZE_4KB y
+        CPU_LITTLE_ENDIAN y
+        CPU_MIPS64_R2 y
+        64BIT y
+        CPU_MIPS64_R2 y
+
+        NET_9P y
+        NET_9P_VIRTIO y
+        9P_FS y
+        9P_FS_POSIX_ACL y
+        PCI y
+        VIRTIO_PCI y
+      '';
+    };
+  };
+
   ##
   ## Other
   ##
@@ -284,7 +611,7 @@ rec {
       if version == null then
         pc
       else if lib.versionOlder version "6" then
-        armv5tel-multiplatform
+        sheevaplug
       else if lib.versionOlder version "7" then
         raspberrypi
       else

maintainers/github-teams.json

@@ -309,7 +309,8 @@
     "members": {
       "AndersonTorres": 5954806,
       "adisbladis": 63286,
-      "panchoh": 471059
+      "panchoh": 471059,
+      "ttuegel": 563054
     },
     "name": "emacs"
   },
@@ -406,13 +407,12 @@
   "gnome": {
     "description": "Maintain GNOME desktop environment and platform.",
     "id": 3806133,
-    "maintainers": {
-      "jtojnar": 705123
-    },
+    "maintainers": {},
     "members": {
       "bobby285271": 20080233,
       "dasj19": 7589338,
-      "hedning": 71978
+      "hedning": 71978,
+      "jtojnar": 705123
     },
     "name": "GNOME"
   },
@@ -702,7 +702,6 @@
       "Mic92": 96200,
       "Radvendii": 1239929,
       "edolstra": 1148549,
-      "lisanna-dettwyler": 72424138,
       "lovesegfault": 7243783,
       "xokdvium": 145775305
     },
@@ -820,13 +819,14 @@
     "description": "Maintain the Qt framework, KDE application suite, Plasma desktop environment and related projects",
     "id": 4341481,
     "maintainers": {
-      "K900": 386765,
-      "NickCao": 15247171,
-      "SuperSandro2000": 7258858
+      "ttuegel": 563054
     },
     "members": {
       "FRidh": 2129135,
+      "K900": 386765,
       "LunNova": 782440,
+      "NickCao": 15247171,
+      "SuperSandro2000": 7258858,
       "bkchr": 5718007,
       "ilya-fedin": 17829319,
       "mjm": 1181,
@@ -896,7 +896,8 @@
     "id": 7304571,
     "maintainers": {
       "Mic92": 96200,
-      "winterqt": 78392041
+      "winterqt": 78392041,
+      "zowoq": 59103226
     },
     "members": {},
     "name": "rust"
@@ -935,7 +936,6 @@
       "infinisil": 20525370
     },
     "members": {
-      "andir": 638836,
       "pyrox0": 35778371
     },
     "name": "Security review"

maintainers/maintainer-list.nix

@@ -118,6 +118,13 @@
     github = "0xB10C";
     githubId = 19157360;
   };
+  _0xbe7a = {
+    email = "nix@be7a.de";
+    name = "Bela Stoyan";
+    github = "0xbe7a";
+    githubId = 6232980;
+    keys = [ { fingerprint = "2536 9E86 1AA5 9EB7 4C47  B138 6510 870A 77F4 9A99"; } ];
+  };
   _0xC45 = {
     email = "jason@0xc45.com";
     name = "Jason Vigil";
@@ -1875,10 +1882,7 @@
     github = "ap-1";
     githubId = 67872951;
     name = "Anish Pallati";
-    keys = [
-      { fingerprint = "2A0A 16F5 E026 BE3B A47F B7A6 841A FB68 9A5B ACCB"; }
-      { fingerprint = "B89E A3F3 16A7 411C B5B2 8A14 B1CA 8321 35A8 C503"; }
-    ];
+    keys = [ { fingerprint = "2A0A 16F5 E026 BE3B A47F B7A6 841A FB68 9A5B ACCB"; } ];
   };
   ankhers = {
     email = "me@ankhers.dev";
@@ -4370,6 +4374,12 @@
     githubId = 1516457;
     name = "Christian Albrecht";
   };
+  callahad = {
+    email = "dan.callahan@gmail.com";
+    github = "callahad";
+    githubId = 24193;
+    name = "Dan Callahan";
+  };
   callumio = {
     email = "git@cleslie.uk";
     github = "callumio";
@@ -4557,12 +4567,6 @@
     githubId = 53847249;
     name = "Casey Avila";
   };
-  castorNova2 = {
-    email = "solemnsquire@gmail.com";
-    github = "castorNova2";
-    githubId = 84083897;
-    name = "Nidhish Chauhan";
-  };
   catap = {
     email = "kirill@korins.ky";
     github = "catap";
@@ -9249,12 +9253,6 @@
     githubId = 119691;
     name = "Michael Gough";
   };
-  fraggerfox = {
-    email = "santhosh.raju@gmail.com";
-    github = "fraggerfox";
-    githubId = 189939;
-    name = "Santhosh Raju";
-  };
   fraioveio = {
     email = "francesco@vecchia.lol";
     github = "FraioVeio";
@@ -9365,6 +9363,14 @@
     githubId = 1943632;
     name = "fro_ozen";
   };
+  frogamic = {
+    email = "frogamic@protonmail.com";
+    github = "frogamic";
+    githubId = 10263813;
+    name = "Dominic Shelton";
+    matrix = "@frogamic:beeper.com";
+    keys = [ { fingerprint = "779A 7CA8 D51C C53A 9C51  43F7 AAE0 70F0 67EC 00A5"; } ];
+  };
   frontear = {
     name = "Ali Rizvi";
     email = "perm-iterate-0b@icloud.com";
@@ -11705,12 +11711,6 @@
     githubId = 7348004;
     name = "Benjamin Levy";
   };
-  iogamaster = {
-    email = "iogamastercode+nixpkgs@gmail.com";
-    name = "IogaMaster";
-    github = "IogaMaster";
-    githubId = 67164465;
-  };
   ionutnechita = {
     email = "ionut_n2001@yahoo.com";
     github = "ionutnechita";
@@ -12612,12 +12612,6 @@
     githubId = 30251156;
     name = "Jesse Moore";
   };
-  jesssullivan = {
-    email = "jess@sulliwood.org";
-    github = "Jesssullivan";
-    githubId = 37297218;
-    name = "Jess Sullivan";
-  };
   jethair = {
     email = "jethair@duck.com";
     github = "JetHair";
@@ -14380,6 +14374,12 @@
     githubId = 451835;
     name = "Kirill Elagin";
   };
+  kirikaza = {
+    email = "k@kirikaza.ru";
+    github = "kirikaza";
+    githubId = 804677;
+    name = "Kirill Kazakov";
+  };
   kirillrdy = {
     email = "kirillrdy@gmail.com";
     github = "kirillrdy";
@@ -16477,12 +16477,6 @@
     githubId = 8094643;
     keys = [ { fingerprint = "BAA9 7711 58CA D457 B4AE  8B06 8188 423D 2FA2 0A65"; } ];
   };
-  m4r1vs = {
-    email = "marius.niveri@gmail.com";
-    name = "Marius Niveri";
-    github = "m4r1vs";
-    githubId = 26097311;
-  };
   m7medvision = {
     name = "Mohammed";
     github = "m7medVision";
@@ -18294,6 +18288,13 @@
     githubId = 52108954;
     name = "Matias Zwinger";
   };
+  mkf = {
+    email = "m@mikf.pl";
+    github = "mkf";
+    githubId = 7753506;
+    name = "Michał Krzysztof Feiler";
+    keys = [ { fingerprint = "1E36 9940 CC7E 01C4 CFE8  F20A E35C 2D7C 2C6A C724"; } ];
+  };
   mkg = {
     email = "mkg@vt.edu";
     github = "mkgvt";
@@ -18726,10 +18727,10 @@
     keys = [ { fingerprint = "3B66 ACFA D10F 02AA B1D5  2CB1 8DD0 D81D 7D1F C61A"; } ];
   };
   mshnwq = {
-    email = "hmachnouk@proton.me";
+    email = "mshnwq.com@gmail.com";
     github = "mshnwq";
     githubId = 68467027;
-    name = "Mshnwq";
+    name = "Hayan Al-Machnouk";
   };
   msiedlarek = {
     email = "mikolaj@siedlarek.pl";
@@ -19398,11 +19399,6 @@
     githubId = 79978224;
     name = "winston";
   };
-  nelind = {
-    name = "Nel";
-    github = "nelind3";
-    githubId = 57587152;
-  };
   nelsonjeppesen = {
     email = "nix@jeppesen.io";
     github = "NelsonJeppesen";
@@ -19501,12 +19497,6 @@
     githubId = 1488603;
     name = "François Espinet";
   };
-  netpleb = {
-    email = "netpleb@proton.me";
-    github = "netpleb";
-    githubId = 130105838;
-    name = "netpleb";
-  };
   netthier = {
     email = "netthier@proton.me";
     name = "nett_hier";
@@ -20398,12 +20388,6 @@
     email = "nyu@nyuku.ru";
     githubId = 97425873;
   };
-  nyxar77 = {
-    name = "nyxar77";
-    github = "nyxar77";
-    email = "dev@nyxar.space";
-    githubId = 153492661;
-  };
   nyxonios = {
     name = "nyxonios";
     github = "Nyxonios";
@@ -21437,12 +21421,6 @@
     githubId = 7420227;
     name = "Peter Tri Ho";
   };
-  peterwaller-arm = {
-    email = "peter.waller@arm.com";
-    github = "peterwaller-arm";
-    githubId = 52030119;
-    name = "Peter Waller";
-  };
   peterwilli = {
     email = "peter@codebuffet.co";
     github = "peterwilli";
@@ -22158,12 +22136,6 @@
     githubId = 246631;
     keys = [ { fingerprint = "3E46 7EF1 54AA A1D0 C7DF  A694 E45C B17F 1940 CA52"; } ];
   };
-  pretentiousUsername = {
-    name = "Ian Mitchell";
-    email = "mitchell.ian.2001@gmail.com";
-    github = "pretentiousUsername";
-    githubId = 94192644;
-  };
   priegger = {
     email = "philipp@riegger.name";
     github = "priegger";
@@ -23398,6 +23370,12 @@
     githubId = 6047658;
     name = "Ryan Horiguchi";
   };
+  rht = {
+    email = "rhtbot@protonmail.com";
+    github = "rht";
+    githubId = 395821;
+    name = "rht";
+  };
   rhydianjenkins = {
     name = "Rhydian Jenkins";
     github = "RhydianJenkins";
@@ -23433,13 +23411,6 @@
     githubId = 61013287;
     name = "Ricardo Steijn";
   };
-  ricardomaps = {
-    email = "ricardomapurungajunior@gmail.com";
-    github = "ricardomaps";
-    githubId = 49507078;
-    name = "Ricardo Mapurunga Junior";
-    matrix = "@ricmaps:matrix.org";
-  };
   richar = {
     github = "ri-char";
     githubId = 17962023;
@@ -25089,12 +25060,6 @@
     githubId = 2049686;
     name = "Sebastián Estrella";
   };
-  seudonym = {
-    name = "Wahid Khan";
-    email = "wk170179+nixpkgs@gmail.com";
-    github = "seudonym";
-    githubId = 80459261;
-  };
   seven_bear = {
     name = "Edmond Freeman";
     email = "edmondfreeman7@gmail.com";
@@ -25367,6 +25332,12 @@
     githubId = 487050;
     name = "Shea Levy";
   };
+  shlok = {
+    email = "sd-nix-maintainer@quant.is";
+    github = "shlok";
+    githubId = 3000933;
+    name = "Shlok Datye";
+  };
   shmish111 = {
     email = "shmish111@gmail.com";
     github = "shmish111";
@@ -25751,7 +25722,6 @@
   };
   skyesoss = {
     name = "Skye Soss";
-    email = "skye@soss.website";
     matrix = "@skyesoss:matrix.org";
     github = "Skyb0rg007";
     githubId = 30806179;
@@ -26149,12 +26119,6 @@
     name = "sportshead";
     keys = [ { fingerprint = "A6B6 D031 782E BDF7 631A  8E7E A874 DB2C BFD3 CFD0"; } ];
   };
-  spotdemo4 = {
-    email = "me@trev.xyz";
-    github = "spotdemo4";
-    githubId = 3732640;
-    name = "spotdemo4";
-  };
   spreetin = {
     email = "spreetin@protonmail.com";
     name = "David Falk";
@@ -28400,6 +28364,12 @@
     githubId = 77488956;
     name = "Timothy Tschnitzel";
   };
+  ttuegel = {
+    email = "ttuegel@mailbox.org";
+    github = "ttuegel";
+    githubId = 563054;
+    name = "Thomas Tuegel";
+  };
   tu-maurice = {
     email = "valentin.gehrke+nixpkgs@zom.bi";
     github = "tu-maurice";
@@ -29683,11 +29653,6 @@
       }
     ];
   };
-  wilaz = {
-    name = "Wilaz";
-    github = "Wilaz";
-    githubId = 98198668;
-  };
   wildsebastian = {
     name = "Sebastian Wild";
     email = "sebastian@wild-siena.com";

maintainers/scripts/luarocks-packages.csv

@@ -176,7 +176,6 @@ tree-sitter-norg-meta,,,,,,
 tree-sitter-orgmode,,,,,5.1,
 utf8,,,,,,
 tree-sitter-teal,,,,,,
-vicious,,,,,,
 vstruct,,,,,,
 vusted,,,,,,
 xml2lua,,,,,,teto

maintainers/team-list.nix

@@ -662,6 +662,7 @@ with lib.maintainers;
   python = {
     members = [
       hexa
+      natsukium
     ];
     scope = "Maintain the Python interpreter and related packages.";
     shortName = "Python";

nixos/doc/manual/release-notes/rl-2605.section.md

@@ -1,4 +1,4 @@
-# Release 26.05 ("Yarara", 2026.05/30) {#sec-release-26.05}
+# Release 26.05 ("Yarara", 2026.05/??) {#sec-release-26.05}
 
 ## Highlights {#sec-release-26.05-highlights}
 
@@ -13,7 +13,6 @@
   - If you use LUKS disk encryption, ensure that `fileSystems."/".device` is set to `"/dev/mapper/<name>"`, where `<name>` matches the name in your `boot.initrd.luks.devices.<name>` definition, to avoid systemd timing out while prompting for a passphrase. If you have a more complex setup, e.g. with LVM on top of LUKS, you may need to add `"x-systemd.device-timeout=infinity"` to `fileSystems."/".options` instead. If you need to disable the timeout before you can boot into the system, pass `systemd.default_device_timeout_sec=infinity` on the kernel command line.
   - The `cryptsetup-askpass` program is not available; use `systemctl default` instead, which will prompt for passphrases as necessary. If you pipe password responses into SSH over stdin, use `ssh -o RequestTTY=force` to ensure `systemctl default` gets a TTY to prompt on.
   - Many kernel parameters have been replaced with native systemd versions; see [](#sec-boot-problems).
-  - `/dev/root` is not available with the systemd stage 1. In the old scripted stage 1, `/dev/root` was a symlink created by the init script from the `root=` kernel command line. With systemd stage 1, this symlink is not provided. If your configuration uses `/dev/root` in `fileSystems`, replace it with a stable device path such as `/dev/disk/by-label/...`, `/dev/disk/by-uuid/...`, or the appropriate `/dev/mapper/...` path.
 
 - The system.nix file has been added as an alternative entry point to configuration.nix (and flake.nix) that allows configuring NixOS without using `nix-channel`.
   This file must evaluate to a NixOS system derivation or an attribute set of such derivations, in which case the attribute to build has to be selected with the `--attr` option of `nixos-rebuild` or `nixos-install`.
@@ -61,10 +60,6 @@
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- [](#opt-services.autossh-ng.sessions) NixOS module was introduced as a simpler alternative to the existing [](#opt-services.autossh.sessions) module.
-
-- [services.nextcloud-spreed-signaling](#opt-services.nextcloud-spreed-signaling.enable) NixOS module has been added to facilitate declarative management of a standalone Spreed signaling server ("High Performance Backend" for Nextcloud Talk).
-
 - [OpenThread Border Router](https://openthread.io/), a Thread border router for POSIX-based platforms that bridges Thread mesh networks to IP networks. Available as [services.openthread-border-router](#opt-services.openthread-border-router.enable).
 
 - [Atuin](https://atuin.sh), magical shell history — sync, search and backup your terminal history. Available as [programs.atuin](#opt-programs.atuin.enable).
@@ -74,9 +69,9 @@
 
 - [Goupile](https://goupile.org/en), an open-source design tool for secure forms including Clinical Report Forms (eCRF). Available as [services.goupile](#opt-services.goupile.enable).
 
-- [knot-resolver](https://www.knot-resolver.cz/), in version 6. Available as [services.knot-resolver](#opt-services.knot-resolver.enable). A module for knot-resolver 5 was already available as [services.kresd](#opt-services.kresd.enable).
+- [knot-resolver](https://www.knot-resolver.cz/), in version 6. Available as `services.knot-resolver`. A module for knot-resolver 5 was already available as `services.kresd`.
 
-- [ImmichFrame](https://immichframe.dev/), display your photos from Immich as a digital photo frame. Available as [services.immichframe](#opt-services.immichframe.enable).
+- [ImmichFrame](https://immichframe.dev/), display your photos from Immich as a digital photo frame. Available as `services.immichframe`.
 
 - [PdfDing](https://www.pdfding.com/), manage, view and edit your PDFs seamlessly on all your devices wherever you are. Available as [services.pdfding](#opt-services.pdfding.enable).
 
@@ -84,7 +79,7 @@
 
 - [reaction](https://reaction.ppom.me/), a daemon that scans program outputs for repeated patterns, and takes action. A common usage is to scan ssh and webserver logs, and to ban hosts that cause multiple authentication errors. A modern alternative to fail2ban. Available as [services.reaction](#opt-services.reaction.enable).
 
-- [vinyl-cache](https://vinyl-cache.org) as the Varnish Cache project renamed itself. Available as [services.vinyl-cache](#opt-services.vinyl-cache.enable). To aid the migration, the old [services.varnish](#opt-services.varnish.enable) module is still available.
+- [vinyl-cache](https://vinyl-cache.org) as the Varnish Cache project renamed itself. Available as [services.vinyl-cache](#opt-services.vinyl-cache.enable). To aid the migration, the old `services.varnish` module is still available.
 
 - [papra](https://papra.app/), an open-source document management platform designed to help you organize, secure, and archive your files effortlessly. Available as [services.papra](#opt-services.papra.enable).
 
@@ -108,7 +103,7 @@
 
 - [bentopdf](https://github.com/alam00000/bentopdf), a privacy-first PDF toolkit running completely in-browser. Available as [services.bentopdf](#opt-services.bentopdf.enable).
 
-- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as [services.hyprwhspr-rs](#opt-services.hyprwhspr-rs.enable).
+- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as `services.hyprwhspr-rs`.
 
 - [DankMaterialShell](https://danklinux.com), a complete desktop shell for Wayland compositors built with Quickshell. Available as [programs.dms-shell](#opt-programs.dms-shell.enable).
 
@@ -136,19 +131,19 @@
 
 - [Dawarich](https://dawarich.app/), a self-hostable location history tracker. Available as [services.dawarich](#opt-services.dawarich.enable).
 
-- [Howdy](https://github.com/boltgolt/howdy), a Windows Hello™ style facial authentication program for Linux. Available as [services.howdy](#opt-services.howdy.enable)
+- [Howdy](https://github.com/boltgolt/howdy), a Windows Hello™ style facial authentication program for Linux.
 
-- [SuiteNumérique Drive](https://github.com/suitenumerique/drive), a collaborative file sharing and document management platform that scales. Built with Django and React. Open source alternative to Sharepoint or Google Drive. Available as [services.lasuite-drive](#opt-services.lasuite-drive.enable).
+- [SuiteNumérique Drive](https://github.com/suitenumerique/drive), a collaborative file sharing and document management platform that scales. Built with Django and React. Open source alternative to Sharepoint or Google Drive.
 
-- [linux-enable-ir-emitter](https://github.com/EmixamPP/linux-enable-ir-emitter), a tool used to set up IR cameras, used with Howdy. Available as [services.linux-enable-ir-emitter](#opt-services.linux-enable-ir-emitter.enable).
+- [linux-enable-ir-emitter](https://github.com/EmixamPP/linux-enable-ir-emitter), a tool used to set up IR cameras, used with Howdy.
 
-- [udp-over-tcp](https://github.com/mullvad/udp-over-tcp), a tunnel for proxying UDP traffic over a TCP stream. Available as [](#opt-services.udp-over-tcp.udp2tcp) and [](#opt-services.udp-over-tcp.tcp2udp).
+- [udp-over-tcp](https://github.com/mullvad/udp-over-tcp), a tunnel for proxying UDP traffic over a TCP stream. Available as `services.udp-over-tcp`.
 
 - [turborepo-remote-cache](https://ducktors.github.io/turborepo-remote-cache/), an open-source implementation of the [Turborepo custom remote cache server](https://turbo.build/repo/docs/core-concepts/remote-caching#self-hosting). Available as [services.turborepo-remote-cache](#opt-services.turborepo-remote-cache.enable).
 
-- [RSSHub](https://github.com/DIYgod/RSSHub), a service to convert many sources into rss. Available as [services.rsshub](#opt-services.rsshub.enable).
+- [RSSHub](https://github.com/DIYgod/RSSHub), a service to convert many sources into rss. Available as `services.rsshub`.
 
-- [ReFrame](https://github.com/AlynxZhou/reframe), a DRM/KMS based remote desktop for Linux that supports Wayland/NVIDIA/headless/login. Available as [services.reframe](#opt-services.reframe.enable)
+- [ReFrame](https://github.com/AlynxZhou/reframe), a DRM/KMS based remote desktop for Linux that supports Wayland/NVIDIA/headless/login.
 
 - [Komodo Periphery](https://github.com/moghtech/komodo), a multi-server Docker and Git deployment agent by Komodo. Available as [services.komodo-periphery](#opt-services.komodo-periphery.enable).
 
@@ -164,7 +159,7 @@
 
 - [Headplane](https://headplane.net), a feature-complete Web UI for Headscale. Available as [services.headplane](#opt-services.headplane.enable).
 
-- [whois](https://packages.qa.debian.org/w/whois.html), an intelligent WHOIS client. Available as [programs.whois](#opt-programs.whois.enable).
+- [whois](https://packages.qa.debian.org/w/whois.html), an intelligent WHOIS client. Available as `programs.whois`.
 
 - [porxie](https://codeberg.org/Blooym/porxie), a correct and efficient ATProto blob proxy for secure content delivery. Available as [services.porxie](#opt-services.porxie.enable).
 
@@ -174,25 +169,6 @@
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- [](#opt-services.openssh.settings.AcceptEnv) is now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.
-
-- The default packages in [](#opt-services.jenkins.packages) have been dropped, since not every Jenkins installation needs any package at all. It's more reasonable to leave it empty and let users configure what they need.
-
-- [services.taskchampion-sync-server](#opt-services.taskchampion-sync-server.enable) module has had an option [](#opt-services.taskchampion-sync-server.dynamicUser) added to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.
-
-- The [programs.captive-browser](#opt-programs.captive-browser.enable) module no longer falls back on a setcap wrapper around udhcpc to discover your network's DNS server due to [GHSA-wc3r-c66x-8xmc](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc) (CVE-2026-25740). If you're using this module, you must either configure [](#opt-programs.captive-browser.dhcp-dns) manually or enable one of NetworkManager, dhcpcd, or systemd-networkd.
-
-- The [services.yggdrasil](#opt-services.yggdrasil.enable) module has been refactored with the following breaking changes:
-  - The `services.yggdrasil.configFile` option has been removed. Configuration should now be specified directly via [](#opt-services.yggdrasil.settings).
-  - The `services.yggdrasil.persistentKeys` option has been removed. To maintain persistent keys and IPv6 addresses across reboots, use [](#opt-services.yggdrasil.settings.PrivateKeyPath) to securely load your private key from a file via systemd credentials. The private key must be in PEM format (PKCS #8).
-  - Storing `PrivateKey` directly in `settings` is now explicitly forbidden to prevent keys from being stored world-readable in the Nix store.
-  - If you previously used `configFile`, migrate your configuration to the `settings` option and extract the private key to a separate file referenced by `PrivateKeyPath`.
-  - If you previously used `persistentKeys`, convert your keys to PEM format and store them in a secure location accessible only to root, then reference them via `PrivateKeyPath`.
-
-- [services.xserver](#opt-services.xserver.enable) will now throw an error if an X11 driver specified in  `videoDriver(s)` cannot be found. Previously, unknown drivers would be silently ignored.
-
-- The [](#opt-services.avahi.wideArea) option now defaults to `false` as a mitigation against [`CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`](https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g).
-
 - `systemd.coredump.extraConfig` has been removed in favor of the structured [](#opt-systemd.coredump.settings.Coredump) option. Use `systemd.coredump.settings.Coredump` to set any `coredump.conf(5)` option directly. For example, replace `systemd.coredump.extraConfig = "Storage=journal";` with `systemd.coredump.settings.Coredump.Storage = "journal";`.
 
 - `services.home-assistant.config.lovelace.mode` has been renamed to `lovelace.dashboards` and `lovelace.resource_mode` to match the [configuration format](https://www.home-assistant.io/dashboards/dashboards/) required by Home Assistant 2026.8. Users who explicitly set `lovelace.mode` should remove it; the module generates the correct entries automatically.
@@ -210,9 +186,9 @@
 
 - `services.crabfit` was removed because its upstream packages are unmaintained and insecure.
 
-- [services.opensnitch.settings.Rules.Path](#opt-services.opensnitch.settings.Rules.Path) now defaults to `/var/lib/opensnitch/rules` instead of the previous `/etc/opensnitchd/rules` because it contains mutable data.
+- `services.opensnitch.settings.Rules.Path` now defaults to `/var/lib/opensnitch/rules` instead of the previous `/etc/opensnitchd/rules` because it contains mutable data.
 
-- [services.mosquitto](#opt-services.mosquitto.enable) now generates per-listener authentication and access control via the upstream `password-file` and `acl-file` plugins instead of the deprecated `password_file` and `acl_file` options. The plugins contain the same code, so behaviour is unchanged, but [](#opt-services.mosquitto.package) must now be at least version 2.1.
+- `services.mosquitto` now generates per-listener authentication and access control via the upstream `password-file` and `acl-file` plugins instead of the deprecated `password_file` and `acl_file` options. The plugins contain the same code, so behaviour is unchanged, but [](#opt-services.mosquitto.package) must now be at least version 2.1.
 
 - `sing-box` has been updated to 1.13.0, which has removed some deprecated options.  See [upstream documentation](https://sing-box.sagernet.org/configuration/) for details and migration options.
 
@@ -233,7 +209,7 @@
 
 - `linux_hardened` kernel has been removed due to a lack of maintenance.
 
-- [services.tandoor-recipes](#opt-services.tandoor-recipes.enable) now uses a sub-directory for media files by default starting with `26.05`. Existing setups should move media files out of the data directory and adjust `services.tandoor-recipes.extraConfig.MEDIA_ROOT` accordingly. See [Migrating media files for pre 26.05 installations](#module-services-tandoor-recipes-migrating-media).
+- `services.tandoor-recipes` now uses a sub-directory for media files by default starting with `26.05`. Existing setups should move media files out of the data directory and adjust `services.tandoor-recipes.extraConfig.MEDIA_ROOT` accordingly. See [Migrating media files for pre 26.05 installations](#module-services-tandoor-recipes-migrating-media).
 
 - `linux-rt` kernel has been removed due to a lack of maintenance.
 
@@ -245,10 +221,10 @@
 
 - `services.uptime` has been removed because the package it relies on does not exist anymore in nixpkgs.
 
-- [services.mattermost](#opt-services.mattermost.enable) now defaults to version 11, which has dropped support for MySQL in favor of Postgres. As a result, all support for MySQL has been removed from the module.
+- `services.mattermost` now defaults to version 11, which has dropped support for MySQL in favor of Postgres. As a result, all support for MySQL has been removed from the module.
   See the [migration steps](https://docs.mattermost.com/deployment-guide/manual-postgres-migration.html) if you were not running Postgres.
   Note that version 11 also restricts the user limit to 250 [by default](https://forum.mattermost.com/t/clarification-request-on-user-limits-max-250-user-server-v-11/25309);
-  see the `pkgs.mattermost` removeUserLimit and removeFreeBadge options combined with [](#opt-services.mattermost.package) to change this behavior. For example:
+  see the `pkgs.mattermost` removeUserLimit and removeFreeBadge options combined with `services.mattermost.package` to change this behavior. For example:
 
 ```nix
 {
@@ -261,10 +237,10 @@
 
 - `post-resume.target` has been removed. See {manpage}`systemd.special(7)` about `sleep.target` for instructions on ordering a process after resume with `ExecStop=`.
 
-- [services.vsftpd](#opt-services.vsftpd.enable) no longer automatically configures a PAM module.  This means configurations using [](#opt-services.vsftpd.localUsers) will no longer work unless [](#opt-services.vsftpd.enableVirtualUsers) and [](#opt-services.vsftpd.userDbPath) are also configured.  The old behaviour can be restored by setting `security.pam.services.vsftpd.enable = true`, although this only ever worked by accident and may not be secure.
+- `services.vsftpd` no longer automatically configures a PAM module.  This means configurations using `services.vsftpd.localUsers` will no longer work unless `services.vsftpd.enableVirtualUsers` and `services.vsftpd.userDbPath` are also configured.  The old behaviour can be restored by setting `security.pam.services.vsftpd.enable = true`, although this only ever worked by accident and may not be secure.
 
-- `services.kubernetes.addons.dns.coredns` has been renamed to [](#opt-services.kubernetes.addons.dns.corednsImage) and now expects a
-package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with `dockerTools.buildImage` is used, instead
+- `services.kubernetes.addons.dns.coredns` has been renamed to `services.kubernetes.addons.dns.corednsImage` and now expects a
+package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with dockerTools.buildImage is used, instead
 of pulling the upstream container image from Docker Hub. If you want the old behavior, you can set:
 
 ```nix
@@ -278,7 +254,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
 }
 ```
 
-- `services.stalwart-mail` has been renamed to [`services.stalwart`](#opt-services.stalwart.enable) to align with upstream re-brand as an e-mail and collaboration server. Other notable breaking changes to module:
+- `services.stalwart-mail` has been renamed to `services.stalwart` to align with upstream re-brand as an e-mail and collaboration server. Other notable breaking changes to module:
 
   - Addition of module-specific `stateVersion` option, which on existing installations of Stalwart must be set to the same as `system.stateVersion`.
 
@@ -288,9 +264,9 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
   - Default value for `services.stalwart.dataDir` has changed to `/var/lib/stalwart`. If `stateVersion` is older than `26.05`, will fallback to legacy value of `/var/lib/stalwart-mail`.
   - Default tracer name and type have changed to `journal`. If `stateVersion` is older than `26.05`, will fallback to legacy value of `stdout`.
 
-- `services.eintopf` has been renamed to [services.lauti](#opt-services.lauti.enable) to align with upstream re-brand as a community online calendar.
+- `services.eintopf` has been renamed to `services.lauti` to align with upstream re-brand as a community online calendar.
 
-- `services.oauth2-proxy.clientSecret` and `services.oauth2-proxy.cookie.secret` have been replaced with [](#opt-services.oauth2-proxy.clientSecretFile) and [](#opt-services.oauth2-proxy.cookie.secretFile) respectively. This was done to ensure secrets don't get made world-readable.
+- `services.oauth2-proxy.clientSecret` and `services.oauth2-proxy.cookie.secret` have been replaced with `services.oauth2-proxy.clientSecretFile` and `services.oauth2-proxy.cookie.secretFile` respectively. This was done to ensure secrets don't get made world-readable.
 
 - [`services.grafana.settings.security.secret_key`](#opt-services.grafana.settings.security.secret_key) doesn't have a
   default value anymore. Please generate your own key or hard-code the old one ("SW2YcwTIb9zpOOhoPsMm") explicitly.
@@ -310,11 +286,18 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
 
 - Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.
 
-- [services.immich](#opt-services.immich.enable) no longer supports pgvecto.rs since the package has been removed from nixpkgs.
+- `services.headplane` has been updated to 0.6.2, which introduces several changes to the configuration schema:
+  - `services.headplane.settings.oidc.redirect_uri` is deprecated. Use `services.headplane.settings.server.base_url` instead; the OIDC redirect URI is now automatically derived from it. Ensure `base_url` is the bare host URL without the `/admin` suffix.
+  - `services.headplane.settings.oidc.user_storage_file` is deprecated. Headplane 0.6.2 still accepts it to migrate the old JSON user database into the new internal SQL database.
+  - `services.headplane.settings.oidc.strict_validation` is deprecated and has no effect.
+  - `services.headplane.settings.oidc.token_endpoint_auth_method` now defaults to `null` (auto-detection), which typically falls back to `client_secret_basic`. Previous versions defaulted to `client_secret_post`.
+  - `services.headplane.settings.integration.agent.cache_ttl` is deprecated and has no effect in 0.6.2.
+
+- `services.immich` no longer supports pgvecto.rs since the package has been removed from nixpkgs.
   As a result, options `services.immich.database.enableVectors` and `services.immich.database.enableVectorchord` have been removed, and VectorChord is now always used.
   If you have not completed the migration yet, ensure you completely remove the extension from your database before upgrading by following the [migration guide](https://github.com/NixOS/nixpkgs/blob/nixos-25.11/nixos/modules/services/web-apps/immich.md#migrating-from-pgvecto-rs-to-vectorchord-pre-2511-installations-module-services-immich-vectorchord-migration).
 
-- [](#opt-services.cgit) before always had the git-http-backend and its "export all" setting enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disable `opt-services.cgit.<name>.gitHttpBackend.checkExportOkFiles` (or disable the git-http-backend).
+- `services.cgit` before always had the git-http-backend and its "export all" setting enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disable `services.cgit.gitHttpBackend.checkExportOkFiles` (or disable the git-http-backend).
 
 - `rocmPackages_6` has been removed. `rocmPackages` has been updated to ROCm 7.x. Out of tree packages may rely on obsolete hipblas APIs or compile time constant warp size and need to be updated.
 
@@ -324,7 +307,9 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
 
 - The Bash implementation of the `nixos-rebuild` program is removed. All switchable systems now use the Python rewrite. Any prior usage of `system.rebuild.enableNg` must now be removed. If you have any outstanding issues with the new implementation, please open an issue on GitHub.
 
-- [services.desktopManager.gnome](#opt-services.desktopManager.gnome.enable) no longer installs the Geary e-mail client since it is not part of the GNOME [core applications](https://apps.gnome.org/) list. Geary's position in the default favorite apps section has been replaced by GNOME Text Editor. To keep it installed, add `programs.geary.enable = true;` to your configuration.
+- `services.desktopManager.gnome` no longer installs the Geary e-mail client since it is not part of the GNOME [core applications](https://apps.gnome.org/) list. Geary's position in the default favorite apps section has been replaced by GNOME Text Editor. To keep it installed, add `programs.geary.enable = true;` to your configuration.
+
+- MATE packages have been moved to top level (e.g. if you previously added `pkgs.mate.caja` to `environment.systemPackages`, you will need to change it to `pkgs.caja`).
 
 - `walker` has been updated to 2.0.0+, which is a complete rewrite in rust.
 
@@ -336,7 +321,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
 
 - Support for `reiserfs` in nixpkgs has been removed, following the removal in Linux 6.13.
 
-- [services.tor](#opt-services.tor.enable) no longer bind mounts Unix sockets of onion services into its chroot
+- `services.tor` no longer bind mounts Unix sockets of onion services into its chroot
 because it was not reliable. Users should do it themselves using either `JoinsNamespaceOf=` and Unix sockets in `/tmp`
 or `BindPaths=` from a persistent parent directory of each Unix socket.
 See <https://github.com/NixOS/nixpkgs/issues/481673>.
@@ -345,14 +330,14 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
 
 - `services.xserver.cmt` has been removed as the `xf86-input-cmt` package was broken and unmaintained upstream.
 
-- `programs.light` was removed from nixpkgs due to the corresponding package being unmaintained upstream. `brightnessctl` and [hardware.acpilight](#opt-hardware.acpilight.enable) offer replacements.
+- `programs.light` was removed from nixpkgs due to the corresponding package being unmaintained upstream. `brightnessctl` and `programs.acpilight` offer replacements.
 
 - `ceph` has been upgraded to v20. See the [Ceph "tentacle" release notes](https://docs.ceph.com/en/latest/releases/tentacle/#v20-2-0-tentacle) for details and recommended upgrade procedure.
   Note that **upgrades of server-side components are one-way**, and downgrading e.g. an OSD from *Tentacle* to *Squid* is not just not supported but is known to break.
 
-- [](#opt-services.unifi.jrePackage) now defaults to `jdk25_headless` instead of `jdk17_headless`, in order to be compatible with new versions of `unifi`.
+- `services.unifi`'s `jrePackage` option now defaults to `jdk25_headless` instead of `jdk17_headless`, in order to be compatible with new versions of `unifi`.
 
-- The [networking.wireless](#opt-networking.wireless.enable) module has been security hardened by default: the `wpa_supplicant` daemon now runs under an unprivileged user with restricted access to the system.
+- The `networking.wireless` module has been security hardened by default: the `wpa_supplicant` daemon now runs under an unprivileged user with restricted access to the system.
 
   As part of these changes, `/etc/wpa_supplicant.conf` has been deprecated: the NixOS-generated configuration file is now linked to `/etc/wpa_supplicant/nixos.conf` and `/etc/wpa_supplicant/imperative.conf` has been added for imperatively configuring `wpa_supplicant` or when using [allowAuxiliaryImperativeNetworks](#opt-networking.wireless.allowAuxiliaryImperativeNetworks).
 
@@ -372,20 +357,30 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
   - In both "networkd" and "scripted" backends, the configuration of name servers is now part of `network-local-commands.service` (fixes issue [#445496](https://github.com/NixOS/nixpkgs/issues/445496)).
   - The issue that resulted in a completely unconfigured network if both `resolvconf` was disabled and no default gateway configured, has also been fixed.
 
+- `kratos` has been updated from 1.3.1 to [25.4.0](https://github.com/ory/kratos/releases/tag/v25.4.0). Upstream switched to a new versioning scheme (year.major.minor). Notable breaking changes:
+
+  - The `migrate sql` CLI command is now `migrate sql up`
+  - OIDC registration validation errors are now placed in the `default` node group instead of `oidc`
+  - Failed OIDC account linking returns HTTP 400 instead of 200
+
+- `pdns` has been updated to version [v5.0.x](https://doc.powerdns.com/authoritative/changelog/5.0.html), which introduces breaking changes. Check out the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-5-0-0) for details.
+
 - In the PowerDNS Recursor module, following the deprecation period started with NixOS 25.05, the option {option}`services.pdns-recursor.old-settings` has been removed and {option}`services.pdns-recursor.yaml-settings` consequently renamed to [](#opt-services.pdns-recursor.settings).
 
-- [services.angrr](#opt-services.angrr.enable) now uses TOML for configuration. Define policies with [](#opt-services.angrr.settings) (generate TOML file) or point to a file using [](#opt-services.angrr.configFile). The legacy options `services.angrr.period`, `services.angrr.ownedOnly`, and `services.angrr.removeRoot` have been removed. See `man 5 angrr` and the description of [](#opt-services.angrr.settings) options for examples and details.
+- `services.angrr` now uses TOML for configuration. Define policies with `services.angrr.settings` (generate TOML file) or point to a file using `services.angrr.configFile`. The legacy options `services.angrr.period`, `services.angrr.ownedOnly`, and `services.angrr.removeRoot` have been removed. See `man 5 angrr` and the description of `services.angrr.settings` options for examples and details.
 
-- `services.homepage-dashboard.environmentFile` has been renamed to [](#opt-services.homepage-dashboard.environmentFiles), and now expects a list of strings.
+- `services.homepage-dashboard.environmentFile` has been renamed to `services.homepage-dashboard.environmentFiles`, and now expects a list of strings.
 
 - `services.pingvin-share` has been removed as the `pingvin-share.backend` package was broken and the project was archived upstream.
 
-- `services.jellyseerr` has been renamed to [services.seerr](#opt-services.seerr.enable) following the upstream changes. Notable breaking changes:
+- `geph` package's built-in GUI `geph5-client-gui` has been [removed](https://github.com/geph-official/geph5/commit/f2221fb8386312daf2cef05483ebb353ff48bdb4) by the upstream. All users who wish to continue using the GUI should install the `gephgui-wry`, which is consistent with the official release version.
+
+- `services.jellyseerr` has been renamed to `services.seerr` following the upstream changes. Notable breaking changes:
   - systemd service name changed accordingly.
   - Default config directory moved from `/var/lib/jellyseerr/config` to `/var/lib/seerr/`.
     - If `stateVersion` is older than `26.05`, the module fall backs to the legacy path value.
 
-- [services.vikunja](#opt-services.vikunja.enable) has been updated to Vikunja [v1.0.0](https://vikunja.io/changelog/whats-new-in-vikunja-1.0.0/), which introduces multiple breaking changes.
+- `services.vikunja` has been updated to Vikunja [v1.0.0](https://vikunja.io/changelog/whats-new-in-vikunja-1.0.0/), which introduces multiple breaking changes.
   Notable breaking changes:
   - CORS is enabled by default. The module now sets
     `services.vikunja.settings.service.publicurl` by default. Custom overrides must ensure it is
@@ -396,11 +391,16 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
   - SQLite paths are now relative to `service.rootpath` unless absolute. Startup now validates file
     storage and OAuth providers.
 
+- `xfsprogs` was updated to version 6.18.0, which enables parent pointers and exchange-range by default. Upstream recommends not to use these features with kernels older than 6.18.
+   GRUB2 is likely unable to boot from filesystems with these features enabled.
+
 - `services.xtreemfs` has been removed as the `xtreemfs` package was broken and unmaintained upstream.
 
+- `lunarvim` package has been removed, as it was abandoned upstream and relied on an old version of `neovim` to work properly.
+
 - `opengfw` package and `services.opengfw` module have been removed as the upstream GitHub repository and website have been shut down.
 
-- [services.esphome](#opt-services.esphome.enable) no longer uses `DynamicUser`. The service now runs as a static `esphome` system user. systemd handles the migration from `/var/lib/private/esphome` automatically, but users with [impermanence](https://github.com/nix-community/impermanence) setups should ensure `/var/lib/esphome` is persisted.
+- `services.esphome` no longer uses `DynamicUser`. The service now runs as a static `esphome` system user. systemd handles the migration from `/var/lib/private/esphome` automatically, but users with [impermanence](https://github.com/nix-community/impermanence) setups should ensure `/var/lib/esphome` is persisted.
 
 - `programs.pqos-wrapper` module has been deleted as the corresponding package has been dropped from nixpkgs.
 
@@ -410,10 +410,6 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.
-
-- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows avoiding switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.
-
 - `switch-to-configuration` now reloads a service instead of restarting it when the only change to its unit is `ExecReload=`, and takes no action when `ExecReload=` is removed. Previously both cases triggered a restart.
 
 - [`hardware.nvidia.branch`](#opt-hardware.nvidia.branch) was added to select the NVIDIA driver branch; setting [`hardware.nvidia.package`](#opt-hardware.nvidia.package) overrides this.
@@ -422,10 +418,12 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
 
 - `nixos/nvidia` now uses EGL external platform ICD libraries built from source (`egl-gbm`, `egl-wayland`, `egl-wayland2`, `egl-x11`) instead of relying on vendor-provided binaries for these components.
 
-- [](#opt-hardware.nvidia.moduleParams) was added to configure NVIDIA kernel module parameters declaratively. These parameters are now written to `modprobe` configuration instead of being passed through global kernel command-line parameters.
+- `hardware.nvidia.moduleParams` was added to configure NVIDIA kernel module parameters declaratively. These parameters are now written to `modprobe` configuration instead of being passed through global kernel command-line parameters.
 
 - [hardware.xpadneo](#opt-hardware.xpadneo.enable) now supports configuring kernel module parameters via a freeform [settings](#opt-hardware.xpadneo.settings) option, with convenience options for [rumble attenuation](#opt-hardware.xpadneo.rumbleAttenuation) and [controller quirks](#opt-hardware.xpadneo.quirks).
 
+- Wine has been updated to the 11.0 branch. Please check the [upstream announcement](https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0) for more details.
+
 - `security.acme` now defaults to a dynamic renewal duration, if
   [security.acme.defaults.validMinDays](#opt-security.acme.defaults.validMinDays)
   remains unset. This accommodates certificates with different ACME profile:
@@ -435,37 +433,44 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
     - For shortlived certificates with a total validity below 10 days renewal
       will happen after half of the total lifetime has passed
 
-- The module for the Dovecot IMAP server, [services.dovecot2](#opt-services.dovecot2.enable), now uses RFC-42-style settings, exposing a structured interface to write the configuration file.
+- The module for the Dovecot IMAP server, *services.dovecot*, now uses RFC-42-style settings, exposing a structured interface to write the configuration file.
 
   Also see the list of available settings for [Dovecot 2.3](https://doc.dovecot.org/2.3/settings/core/) or [2.4](https://doc.dovecot.org/2.4.2/core/summaries/settings.html).
 
-- [](#opt-fonts.fontconfig.useEmbeddedBitmaps) is now set to `true` by default.
+- Cinnamon has been updated to 6.6, please check the [upstream announcement](https://www.linuxmint.com/rel_zena_whatsnew.php) for more details.
 
-- [services.frp](#opt-services.frp.instances) now supports multiple instances through [](#opt-services.frp.instances) to make it possible to run multiple frp clients or servers at the same time.
+- Rspamd has been updated to 4.0. Please check the upstream [migration](https://docs.rspamd.com/tutorials/migration/#migration-to-rspamd-400) documentation, especially if you run a sharded Redis deployment.
+
+- Budgie has been updated to 10.10, please check the [upstream announcement](https://buddiesofbudgie.org/blog/budgie-10-10-released) for more details.
+
+- `fonts.fontconfig.useEmbeddedBitmaps` is now set to `true` by default.
+
+- `stestrCheckHook` was added: This test hook runs `stestr run`. You can disable tests with `disabledTests` and `disabledTestsRegex`.
+
+- `services.frp` now supports multiple instances through `services.frp.instances` to make it possible to run multiple frp clients or servers at the same time.
+
+- `hyphen` now supports over 40 language variants through `hyphenDicts` and now allows to enable all supported languages through `hyphenDicts.all`.
 
 - [services.resolved](#opt-services.resolved.enable) module was converted to RFC42-style settings. The moved options have also been renamed to match the upstream names. Aliases mean current configs will continue to function, but users should move to the new options as convenient.
 
-- `systemd.sleep.extraConfig` was replaced by [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md)-compliant [](#opt-systemd.sleep.settings.Sleep), which is used to generate the `sleep.conf` configuration file. See {manpage}`sleep.conf.d(5)` for available options.
+- `systemd.sleep.extraConfig` was replaced by [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md)-compliant `systemd.sleep.settings.Sleep`, which is used to generate the `sleep.conf` configuration file. See {manpage}`sleep.conf.d(5)` for available options.
 
-- Support for Bluetooth audio based on `bluez-alsa` has been added to the [hardware.alsa](#opt-hardware.alsa.enable) module. It can be enabled with the new [enableBluetooth](#opt-hardware.alsa.enableBluetooth) option.
-
-- [services.atuin](#opt-services.atuin.enable) now has an `environmentFile` option to safely allow configuring secrets, such as an `ATUIN_DB_URI` containing a Postgres password.
+- Support for Bluetooth audio based on `bluez-alsa` has been added to the `hardware.alsa` module. It can be enabled with the new [enableBluetooth](#opt-hardware.alsa.enableBluetooth) option.
+- `services.atuin` now has an `environmentFile` option to safely allow configuring secrets, such as an `ATUIN_DB_URI` containing a Postgres password.
 
 - `systemd.network.*` has been updated to support all configuration options from upstream `networkd` version 259.
 
-- [](#opt-networking.resolvconf.enable) now defaults to `true` unconditionally instead of `!(config.environment.etc ? "resolv.conf")`. If you set `environment.etc."resolv.conf"` yourself, then you should also set `networking.resolvconf.enable = false`.
+- `networking.resolvconf.enable` now defaults to `true` unconditionally instead of `!(config.environment.etc ? "resolv.conf")`. If you set `environment.etc."resolv.conf"` yourself, then you should also set `networking.resolvconf.enable = false`.
 
-- The [services.drupal](#opt-services.drupal.enable) module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config yamls onto NixOS, and some new settings for managing variable content and filepaths.
+- `services.openssh` now supports generating host SSH keys by setting `services.openssh.generateHostKeys = true` while leaving `services.openssh.enable` disabled.  This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.
 
-- [services.openssh](#opt-services.openssh.enable) now supports generating host SSH keys by setting `services.openssh.generateHostKeys = true` while leaving [](#opt-services.openssh.enable) disabled.  This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.
+- `services.openssh.enableRecommendedAlgorithms` has been added to allow users to opt out of NixOS's curated set of recommended algorithms. This set to true by default, and thus is not a breaking change. Users may want to set this to false if they prefer upstream's default algorithms. See <https://github.com/NixOS/nixpkgs/pull/471330>.
 
-- [](#opt-services.openssh.enableRecommendedAlgorithms) has been added to allow users to opt out of NixOS's curated set of recommended algorithms. This set to true by default, and thus is not a breaking change. Users may want to set this to false if they prefer upstream's default algorithms. See <https://github.com/NixOS/nixpkgs/pull/471330>.
+- `services.openssh.banner` has been removed. Use `services.openssh.settings.Banner` instead.
 
-- `services.openssh.banner` has been removed. Use [](#opt-services.openssh.settings.Banner) instead.
+- IPVLAN interfaces can now be configured through the `networking.ipvlans` option in the networking module.
 
-- IPVLAN interfaces can now be configured through the [](#opt-networking.ipvlans) option in the networking module.
-
-- [services.caddy](#opt-services.caddy.enable) now supports setting [](#opt-services.caddy.httpPort) and [](#opt-services.caddy.httpsPort) and opening them in the firewall via [](#opt-services.caddy.openFirewall).
+- `services.caddy` now supports setting `httpPort` and `httpsPort` and opening them in the firewall via `openFirewall`.
 
 - The latest available version of Nextcloud is v33 (available as `pkgs.nextcloud33`). The installation logic is as follows:
   - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
@@ -478,19 +483,59 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
   To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`.
   If you set custom Caddy options for a InvoicePlane site, migrate these options by removing `http://` from `services.caddy.virtualHosts."http://example.com"`.
 
-- `services.slurm` now supports slurmrestd usage through the [](#opt-services.slurm.rest.enable) NixOS options.
+- `services.slurm` now supports slurmrestd usage through the `services.slurm.rest` NixOS options.
 
-- The [](#opt-networking.firewall.logRefusedConnections) option now defaults to
+- The `networking.firewall.logRefusedConnections` option now defaults to
   `false`.  Logging of refused or dropped incoming connections can generate a
   very high volume of kernel log messages on internet-facing systems, causing
   the kernel ring buffer (dmesg) to rotate quickly and potentially discard more
   relevant diagnostic information.
 
-- The [services.calibre-web](#opt-services.calibre-web.enable) systemd service has been hardened with additional sandboxing restrictions.
+- The `services.calibre-web` systemd service has been hardened with additional sandboxing restrictions.
 
 - `services.kanidm` options for server, client and unix were moved under dedicated namespaces.
   For each component `enableComponent` and `componentSettings` are now `component.enable` and
   `component.settings`. The unix module now supports using SSH keys from Kanidm via
   `services.kanidm.unix.sshIntegration = true`.
 
-- [services.radicle](#opt-services.radicle.enable) now supports importing the private key and passphrase as systemd creds.
+- `mdbook-linkcheck` has been removed as it is unmaintained and incompatible with the latest version of `mdbook`. Users can instead migrate to `mdbook-linkcheck2`.
+
+- `glibc` has been updated to version 2.42.
+
+  This version no longer makes the stack executable when a shared library requires this. A symptom
+  is an error like
+
+  > cannot enable executable stack as shared object requires: Invalid argument
+
+  This is usually a bug. Please consider reporting it to the software maintainers.
+
+  In a lot of cases, the library requires the execstack by mistake only. The following workarounds exist:
+
+  * When building the shared library in question from source, use the following linker flags to force turning off the
+    executable flag:
+
+    ```nix
+    mkDerivation {
+      # …
+
+      env.NIX_LDFLAGS = "-z,noexecstack";
+    }
+    ```
+
+  * If the sources are not available, the execstack-flag can be cleared with `patchelf`:
+
+    ```
+    patchelf --clear-execstack binary-only.so
+    ```
+
+  * If the shared library to be loaded actually requires an executable stack and it isn't turned
+    on by the application loading it, you may force allowing that behavior by setting the
+    following environment variable:
+
+    ```
+    GLIBC_TUNABLES=glibc.rtld.execstack=2
+    ```
+
+    **Do not set this globally!** This makes your setup inherently less secure.
+
+- `services.radicle` now supports importing the private key and passphrase as systemd creds.

nixos/doc/manual/release-notes/rl-2611.section.md

@@ -10,9 +10,7 @@
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- [tranquil](https://tangled.org/tranquil.farm/tranquil-pds) is an ATProto PDS (personal data server) implementation in Rust. A featureful, spec conscious and community driven alternative to the Bluesky reference implementation PDS. Available as [services.tranquil-pds](#opt-services.tranquil-pds.enable).
-
-- [FlapAlerted](https://github.com/Kioubit/FlapAlerted), detects BGP flapping events and provides statistics based on BGP update messages. Available as [services.flap-alerted](#opt-services.flap-alerted.enable).
+- Create the first release note entry in this section!
 
 ## Backward Incompatibilities {#sec-release-26.11-incompatibilities}
 
@@ -20,16 +18,8 @@
 
 - `boot.vesa` has been removed. It was deprecated in 2020 because Xorg now works better with kernel modesetting. If you still need the legacy VESA 800x600 fallback, set `boot.kernelParams = [ "vga=0x317" "nomodeset" ];` directly.
 
-- Support for the legacy U‐Boot image format has been removed from the initrd generators, as it is deprecated upstream and no longer used by any platform in Nixpkgs.
-
-- Python 2 has been removed from the top-level package set, as it is long past end-of-life. The `python2`, `python27`, `python2Full`, `python27Full`, `python2Packages`, and `python27Packages` attributes, along with the legacy `python`, `pythonFull`, and `pythonPackages` aliases, now throw an error directing you to `python3`. The `isPy2` and `isPy27` package flags have been removed accordingly. The only remaining Python 2 interpreter is vendored inside the `resholve` package for its `oil` dependency and is not exposed for general use.
-
-- `services.timesyncd.extraConfig` has been removed in favor of the structured [](#opt-services.timesyncd.settings.Time) option. Use `services.timesyncd.settings.Time` to set any `timesyncd.conf(5)` option directly. For example, replace `services.timesyncd.extraConfig = "PollIntervalMaxSec=180";` with `services.timesyncd.settings.Time.PollIntervalMaxSec = 180;`.
-
 ## Other Notable Changes {#sec-release-26.11-notable-changes}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- `boot.loader.systemd-boot` gained support for [Automatic Boot Assessment](https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT/) via the new [`boot.loader.systemd-boot.bootCounting`](#opt-boot.loader.systemd-boot.bootCounting.enable) options, allowing automatic detection of and recovery from bad NixOS generations. As part of this change, boot loader entries on the ESP/XBOOTLDR partition are now named `nixos-<content-hash>.conf` instead of `nixos-generation-<n>.conf`; existing entries are migrated automatically on the next `nixos-rebuild boot`/`switch`.
-
-- The `newuidmap` and `newgidmap` security wrappers are now installed with `cap_setuid`/`cap_setgid` file capabilities instead of the setuid-root bit, matching shadow's `--with-fcaps` install mode and other major distributions. Rootless containers (podman, docker-rootless, unprivileged user namespaces) are unaffected. The only behavioural change is that mapping host uid 0 via `/etc/subuid` (which NixOS never configures by default) additionally requires `cap_setfcap`; users who explicitly grant uid 0 in a subuid range can restore the previous behaviour with `security.wrappers.newuidmap.capabilities = lib.mkForce "cap_setuid,cap_setfcap+ep";`.
+- Create the first release note entry in this section!

nixos/lib/systemd-lib.nix

@@ -78,16 +78,13 @@ rec {
         {
           preferLocalBuild = true;
           allowSubstitutes = false;
-          # unit.text can be null. But variables that are null listed in
-          # passAsFile are ignored by nix, resulting in no file being created,
-          # making the mv operation fail.
-          text = optionalString (unit.text != null) unit.text;
-          passAsFile = [ "text" ];
+          text = unit.text or "";
+          __structuredAttrs = true;
         }
         ''
           name=${shellEscape name}
           mkdir -p "$out/$(dirname -- "$name")"
-          mv "$textPath" "$out/$name"
+          printf "%s" "$text" > "$out/$name"
         ''
     else
       pkgs.runCommand "unit-${mkPathSafeName name}-disabled"

nixos/lib/test-driver/src/test_driver/machine/__init__.py

@@ -1031,7 +1031,6 @@ class QemuMachine(BaseMachine):
             As soon as we read some data from the socket here, we assume that
             our root shell is operational.
             """
-            assert self.shell
             (ready, _, _) = select.select([self.shell], [], [], timeout_secs)
             return bool(ready)
 

nixos/lib/testing/driver.nix

@@ -5,12 +5,7 @@
   ...
 }:
 let
-  inherit (lib)
-    mkOption
-    types
-    literalExpression
-    literalMD
-    ;
+  inherit (lib) mkOption types literalMD;
 
   inherit (config) sshBackdoor;
 
@@ -122,10 +117,9 @@ in
 {
   options = {
     pythonTestDriverPackage = mkOption {
-      description = "Package containing the python NixOS test driver implementation";
+      description = "Package containing the python NixOS test driver implemetnation";
       type = types.package;
       default = hostPkgs.nixos-test-driver;
-      defaultText = literalExpression "hostPkgs.nixos-test-driver";
       readOnly = true;
     };
 

nixos/modules/config/fonts/packages.nix

@@ -47,8 +47,6 @@ in
         gyre-fonts # TrueType substitutes for standard PostScript fonts
         liberation_ttf
         unifont
-        noto-fonts-cjk-sans
-        noto-fonts-cjk-serif
         noto-fonts-color-emoji
       ]
     );

nixos/modules/config/nix-channel.nix

@@ -6,16 +6,12 @@
   - ./nix.nix
   - ./nix-flakes.nix
 */
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
+{ config, lib, ... }:
 let
   inherit (lib)
     mkIf
     mkOption
+    stringAfter
     types
     ;
 
@@ -102,10 +98,8 @@ in
       ''f /root/.nix-channels - - - - ${config.system.defaultChannel} nixos\n''
     ];
 
-    system.preSwitchChecks.no-nix-channel = mkIf (!cfg.channel.enable) (
-      lib.replaceStrings [ "@getent@" ] [ (lib.getExe pkgs.getent) ] (
-        builtins.readFile ./nix-channel/pre-switch-check.sh
-      )
+    system.activationScripts.no-nix-channel = mkIf (!cfg.channel.enable) (
+      stringAfter [ "etc" "users" ] (builtins.readFile ./nix-channel/activation-check.sh)
     );
   };
 }

nixos/modules/config/nix-channel/activation-check.sh

@@ -1,6 +1,4 @@
-warn() {
-    printf "\033[1;35mwarning:\033[0m %s\n" "$*" >&2
-}
+# shellcheck shell=bash
 
 explainChannelWarning=0
 if [[ -e "/root/.nix-defexpr/channels" ]]; then
@@ -13,13 +11,11 @@ if [[ -e "/nix/var/nix/profiles/per-user/root/channels" ]]; then
 fi
 while IFS=: read -r _ _ _ _ _ home _ ; do
     if [[ -n  "$home" && -e "$home/.nix-defexpr/channels" ]]; then
-        warn "$home/.nix-defexpr/channels exists, but channels have been disabled."
+        warn "$home/.nix-defexpr/channels exists, but channels have been disabled." 1>&2
         explainChannelWarning=1
     fi
-done < <(@getent@ passwd)
+done < <(getent passwd)
 if [[ $explainChannelWarning -eq 1 ]]; then
-    echo "Due to https://github.com/NixOS/nix/issues/9574, Nix may still use these channels when NIX_PATH is unset." >&2
-    echo "Delete the above directory or directories to prevent this." >&2
+    echo "Due to https://github.com/NixOS/nix/issues/9574, Nix may still use these channels when NIX_PATH is unset." 1>&2
+    echo "Delete the above directory or directories to prevent this." 1>&2
 fi
-# This check is informational only and must never block a switch.
-true

nixos/modules/config/nix-channel/test.nix

@@ -0,0 +1,20 @@
+# Run:
+#   nix-build -A nixosTests.nix-channel
+{ lib, testers }:
+let
+  inherit (lib) fileset;
+
+  runShellcheck = testers.shellcheck {
+    name = "activation-check";
+    src = fileset.toSource {
+      root = ./.;
+      fileset = fileset.unions [
+        ./activation-check.sh
+      ];
+    };
+  };
+
+in
+lib.recurseIntoAttrs {
+  inherit runShellcheck;
+}

nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma6.nix

@@ -36,22 +36,25 @@
   # Avoid bundling an entire MariaDB installation on the ISO.
   programs.kde-pim.enable = false;
 
-  systemd.tmpfiles.settings."10-installer-desktop" =
+  system.activationScripts.installerDesktop =
     let
+
       # Comes from documentation.nix when xserver and nixos.enable are true.
       manualDesktopFile = "/run/current-system/sw/share/applications/nixos-manual.desktop";
+
+      homeDir = "/home/nixos/";
+      desktopDir = homeDir + "Desktop/";
+
     in
-    {
-      "/home/nixos/Desktop".d = {
-        user = "nixos";
-        group = "users";
-        mode = "0755";
-      };
-      "/home/nixos/Desktop/nixos-manual.desktop"."L+".argument = manualDesktopFile;
-      "/home/nixos/Desktop/gparted.desktop"."L+".argument =
-        "${pkgs.gparted}/share/applications/gparted.desktop";
-      "/home/nixos/Desktop/calamares.desktop"."L+".argument =
-        "${pkgs.calamares-nixos}/share/applications/calamares.desktop";
-    };
+    ''
+      mkdir -p ${desktopDir}
+      chown nixos ${homeDir} ${desktopDir}
+
+      ln -sfT ${manualDesktopFile} ${desktopDir + "nixos-manual.desktop"}
+      ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop ${desktopDir + "gparted.desktop"}
+      ln -sfT ${pkgs.calamares-nixos}/share/applications/calamares.desktop ${
+        desktopDir + "calamares.desktop"
+      }
+    '';
 
 }

nixos/modules/installer/cd-dvd/iso-image.nix

@@ -787,10 +787,9 @@ in
       options = [ "mode=0755" ];
     };
 
-    # With systemd stage 1, the ISO is identified by its volume label.
-    # With the scripted stage 1, /dev/root is a symlink to the actual
-    # root device specified on the kernel command line, created by the
-    # stage 1 init script.
+    # Note that /dev/root is a symlink to the actual root device
+    # specified on the kernel command line, created in the stage 1
+    # init script.
     "/iso" = lib.mkImageMediaOverride {
       device =
         if config.boot.initrd.systemd.enable then

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -505,7 +505,7 @@ EOF
     # This should work for single and multi-device systems.
     # still needs subvolume support
     if ($fsType eq "bcachefs") {
-        my ($status, @info) = runCommand("bcachefs fs usage $rootDir$mountPoint");
+        my ($status, @info) = runCommand("@bcachefs@ fs usage $rootDir$mountPoint");
         my $UUID = $info[0];
 
         if ($status == 0 && $UUID =~ /^Filesystem:[ \t\n]*([0-9a-z-]+)/) {

nixos/modules/installer/tools/tools.nix

@@ -30,15 +30,20 @@ let
     name = "nixos-generate-config";
     src = ./nixos-generate-config.pl;
     replacements = {
-      perl = "${
+      perl = lib.getExe (
         pkgs.perl.withPackages (p: [
           p.FileSlurp
           p.ConfigIniFiles
         ])
-      }/bin/perl";
+      );
       hostPlatformSystem = pkgs.stdenv.hostPlatform.system;
-      detectvirt = "${config.systemd.package}/bin/systemd-detect-virt";
-      btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
+      detectvirt = lib.getExe' config.systemd.package "systemd-detect-virt";
+      bcachefs =
+        if pkgs.bcachefs-tools.meta.broken then
+          lib.getExe' pkgs.coreutils "false"
+        else
+          lib.getExe pkgs.bcachefs-tools;
+      btrfs = lib.getExe pkgs.btrfs-progs;
       inherit (config.system.nixos-generate-config) configuration desktopConfiguration flake;
       xserverEnabled = config.services.xserver.enable;
     };
@@ -314,27 +319,6 @@ in
         name = "nixos-rebuild";
         package = config.system.build.nixos-rebuild;
       })
-      (
-        { config, ... }:
-        {
-          options.system.tools.nixos-rebuild.enableRun0Elevation = lib.mkEnableOption ''
-            support for being targeted by `nixos-rebuild --elevate=run0
-            --ask-elevate-password`.
-
-            This enables polkit and adds {command}`polkit-stdin-agent` to
-            {option}`environment.systemPackages` so that a deploying host
-            can find a target-architecture agent at
-            {file}`<toplevel>/sw/bin/polkit-stdin-agent` after copying the
-            closure (which is required for cross-architecture deploys and
-            mismatched nixpkgs revisions to work).
-          '';
-
-          config = lib.mkIf config.system.tools.nixos-rebuild.enableRun0Elevation {
-            security.polkit.enable = lib.mkDefault true;
-            environment.systemPackages = [ pkgs.polkit-stdin-agent ];
-          };
-        }
-      )
       (mkToolModule {
         name = "nixos-version";
         package = nixos-version;

nixos/modules/module-list.nix

@@ -394,6 +394,7 @@
   ./security/ca.nix
   ./security/chromium-suid-sandbox.nix
   ./security/default.nix
+  ./security/dhparams.nix
   ./security/doas.nix
   ./security/duosec.nix
   ./security/google_oslogin.nix
@@ -887,7 +888,6 @@
   ./services/misc/ihaskell.nix
   ./services/misc/iio-niri.nix
   ./services/misc/input-remapper.nix
-  ./services/misc/inventree.nix
   ./services/misc/invidious-router.nix
   ./services/misc/irkerd.nix
   ./services/misc/jackett.nix
@@ -1018,7 +1018,6 @@
   ./services/monitoring/das_watchdog.nix
   ./services/monitoring/datadog-agent.nix
   ./services/monitoring/do-agent.nix
-  ./services/monitoring/flap-alerted.nix
   ./services/monitoring/fluent-bit.nix
   ./services/monitoring/fusion-inventory.nix
   ./services/monitoring/gatus.nix
@@ -1794,7 +1793,6 @@
   ./services/web-apps/suwayomi-server.nix
   ./services/web-apps/szurubooru.nix
   ./services/web-apps/tabbyapi.nix
-  ./services/web-apps/tranquil-pds.nix
   ./services/web-apps/trilium.nix
   ./services/web-apps/tt-rss.nix
   ./services/web-apps/tuliprox.nix

nixos/modules/programs/shadow.nix

@@ -267,22 +267,13 @@ in
             group = "root";
             inherit source;
           };
-          mkCapRoot = capabilities: source: {
-            inherit capabilities source;
-            owner = "root";
-            group = "root";
-          };
         in
         {
           su = mkSetuidRoot "${config.security.shadow.su.package}/bin/su";
           sg = mkSetuidRoot "${cfg.package.out}/bin/sg";
           newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp";
-          # File capabilities instead of setuid root, mirroring shadow's
-          # own --with-fcaps install mode and what Arch/Fedora/Debian ship.
-          # The kernel only requires CAP_SETUID/CAP_SETGID over the parent
-          # userns to write a multi-line /proc/<pid>/[ug]id_map.
-          newuidmap = mkCapRoot "cap_setuid+ep" "${cfg.package.out}/bin/newuidmap";
-          newgidmap = mkCapRoot "cap_setgid+ep" "${cfg.package.out}/bin/newgidmap";
+          newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap";
+          newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap";
         }
         // lib.optionalAttrs config.users.mutableUsers {
           chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh";

nixos/modules/rename.nix

@@ -125,9 +125,6 @@ in
     (mkRemovedOptionModule [ "programs" "yabar" ]
       "programs.yabar has been removed from NixOS. This is because the yabar repository has been archived upstream."
     )
-    (mkRemovedOptionModule [ "security" "dhparams" ] ''
-      The security.dhparams module has been removed as RFC 7919 has shown that generating your own params is problematic.
-    '')
     (mkRemovedOptionModule [ "security" "hideProcessInformation" ] ''
       The hidepid module was removed, since the underlying machinery
       is broken when using cgroups-v2.

nixos/modules/security/dhparams.nix

@@ -0,0 +1,223 @@
+{
+  config,
+  lib,
+  options,
+  pkgs,
+  ...
+}:
+
+let
+  inherit (lib) literalExpression mkOption types;
+  cfg = config.security.dhparams;
+  opt = options.security.dhparams;
+
+  bitType = types.addCheck types.int (b: b >= 16) // {
+    name = "bits";
+    description = "integer of at least 16 bits";
+  };
+
+  paramsSubmodule =
+    { name, config, ... }:
+    {
+      options.bits = mkOption {
+        type = bitType;
+        default = cfg.defaultBitSize;
+        defaultText = literalExpression "config.${opt.defaultBitSize}";
+        description = ''
+          The bit size for the prime that is used during a Diffie-Hellman
+          key exchange.
+        '';
+      };
+
+      options.path = mkOption {
+        type = types.path;
+        readOnly = true;
+        description = ''
+          The resulting path of the generated Diffie-Hellman parameters
+          file for other services to reference. This could be either a
+          store path or a file inside the directory specified by
+          {option}`security.dhparams.path`.
+        '';
+      };
+
+      config.path =
+        let
+          generated = pkgs.runCommand "dhparams-${name}.pem" {
+            nativeBuildInputs = [ pkgs.openssl ];
+          } "openssl dhparam -out \"$out\" ${toString config.bits}";
+        in
+        if cfg.stateful then "${cfg.path}/${name}.pem" else generated;
+    };
+
+in
+{
+  options = {
+    security.dhparams = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to generate new DH params and clean up old DH params.
+        '';
+      };
+
+      params = mkOption {
+        type =
+          with types;
+          let
+            coerce = bits: { inherit bits; };
+          in
+          attrsOf (coercedTo int coerce (submodule paramsSubmodule));
+        default = { };
+        example = lib.literalExpression "{ nginx.bits = 3072; }";
+        description = ''
+          Diffie-Hellman parameters to generate.
+
+          The value is the size (in bits) of the DH params to generate. The
+          generated DH params path can be found in
+          `config.security.dhparams.params.«name».path`.
+
+          ::: {.note}
+          The name of the DH params is taken as being the name of
+          the service it serves and the params will be generated before the
+          said service is started.
+          :::
+
+          ::: {.warning}
+          If you are removing all dhparams from this list, you
+          have to leave {option}`security.dhparams.enable` for at
+          least one activation in order to have them be cleaned up. This also
+          means if you rollback to a version without any dhparams the
+          existing ones won't be cleaned up. Of course this only applies if
+          {option}`security.dhparams.stateful` is
+          `true`.
+          :::
+
+          ::: {.note}
+          **For module implementers:** It's recommended
+          to not set a specific bit size here, so that users can easily
+          override this by setting
+          {option}`security.dhparams.defaultBitSize`.
+          :::
+        '';
+      };
+
+      stateful = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether generation of Diffie-Hellman parameters should be stateful or
+          not. If this is enabled, PEM-encoded files for Diffie-Hellman
+          parameters are placed in the directory specified by
+          {option}`security.dhparams.path`. Otherwise the files are
+          created within the Nix store.
+
+          ::: {.note}
+          If this is `false` the resulting store
+          path will be non-deterministic and will be rebuilt every time the
+          `openssl` package changes.
+          :::
+        '';
+      };
+
+      defaultBitSize = mkOption {
+        type = bitType;
+        default = 2048;
+        description = ''
+          This allows to override the default bit size for all of the
+          Diffie-Hellman parameters set in
+          {option}`security.dhparams.params`.
+        '';
+      };
+
+      path = mkOption {
+        type = types.str;
+        default = "/var/lib/dhparams";
+        description = ''
+          Path to the directory in which Diffie-Hellman parameters will be
+          stored. This only is relevant if
+          {option}`security.dhparams.stateful` is
+          `true`.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
+      warnings = [
+        ''
+          The `security.dhparams` module is deprecated and scheduled for removal in NixOS 26.11.
+          Generating your own params has been shown to be problematic in RFC 7919 (2016).
+
+          Remove any uses of DHE and migrate to ECDHE (RFC 8422, 2018) and
+          Hybrid PQ (draft-ietf-tls-ecdhe-mlkem, 2026) key exchange algorithms.
+        ''
+      ];
+    })
+    (lib.mkIf (cfg.enable && cfg.stateful) {
+      systemd.services = {
+        dhparams-init = {
+          description = "Clean Up Old Diffie-Hellman Parameters";
+
+          # Clean up even when no DH params is set
+          wantedBy = [ "multi-user.target" ];
+
+          serviceConfig.RemainAfterExit = true;
+          serviceConfig.Type = "oneshot";
+
+          script = ''
+            if [ ! -d ${cfg.path} ]; then
+              mkdir -p ${cfg.path}
+            fi
+
+            # Remove old dhparams
+            for file in ${cfg.path}/*; do
+              if [ ! -f "$file" ]; then
+                continue
+              fi
+              ${lib.concatStrings (
+                lib.mapAttrsToList (
+                  name:
+                  { bits, path, ... }:
+                  ''
+                    if [ "$file" = ${lib.escapeShellArg path} ] && \
+                       ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text \
+                       | head -n 1 | grep "(${toString bits} bit)" > /dev/null; then
+                      continue
+                    fi
+                  ''
+                ) cfg.params
+              )}
+              rm "$file"
+            done
+
+            # TODO: Ideally this would be removing the *former* cfg.path, though
+            # this does not seem really important as changes to it are quite
+            # unlikely
+            rmdir --ignore-fail-on-non-empty ${cfg.path}
+          '';
+        };
+      }
+      // lib.mapAttrs' (
+        name:
+        { bits, path, ... }:
+        lib.nameValuePair "dhparams-gen-${name}" {
+          description = "Generate Diffie-Hellman Parameters for ${name}";
+          after = [ "dhparams-init.service" ];
+          before = [ "${name}.service" ];
+          requiredBy = [ "${name}.service" ];
+          wantedBy = [ "multi-user.target" ];
+          unitConfig.ConditionPathExists = "!${path}";
+          serviceConfig.Type = "oneshot";
+          script = ''
+            mkdir -p ${lib.escapeShellArg cfg.path}
+            ${pkgs.openssl}/bin/openssl dhparam -out ${lib.escapeShellArg path} \
+              ${toString bits}
+          '';
+        }
+      ) cfg.params;
+    })
+  ];
+
+}

nixos/modules/security/pam_mount.nix

@@ -179,10 +179,10 @@ in
           }" />
           <!-- specify the binaries to be called -->
           <!-- the comma in front of the options is necessary for empty options -->
-          <fusemount>${pkgs.fuse3}/bin/mount.fuse3 %(VOLUME) %(MNTPT) -o ,${
+          <fusemount>${pkgs.fuse}/bin/mount.fuse %(VOLUME) %(MNTPT) -o ,${
             lib.concatStringsSep "," (cfg.fuseMountOptions ++ [ "%(OPTIONS)" ])
           }'</fusemount>
-          <fuseumount>${pkgs.fuse3}/bin/fusermount3 -u %(MNTPT)</fuseumount>
+          <fuseumount>${pkgs.fuse}/bin/fusermount -u %(MNTPT)</fuseumount>
           <!-- the comma in front of the options is necessary for empty options -->
           <cryptmount>${pkgs.pam_mount}/bin/mount.crypt -o ,${
             lib.concatStringsSep "," (cfg.cryptMountOptions ++ [ "%(OPTIONS)" ])

nixos/modules/security/wrappers/default.nix

@@ -181,23 +181,8 @@ in
   ###### interface
 
   options = {
-    security.enableWrappers = lib.mkEnableOption "" // {
+    security.enableWrappers = lib.mkEnableOption "SUID/SGID wrappers" // {
       default = true;
-      description = ''
-        Whether to enable SUID/SGID wrappers.
-
-        ::: {.warning}
-        ONLY DISABLE THIS OPTION IF YOU KNOW WHAT YOU'RE DOING.
-        :::
-
-        A normal interactive NixOS system requires SUID/SGID wrappers (e.g. for
-        PAM and sudo). Disabling them, thus will lock you out from your system.
-
-        Disabling the SUID/SGID binaries is useful for non-interactive systems
-        (like a firewall appliance) to minimize the attack surface. In the
-        future, this might become available for interactive systems as well
-        (e.g. with systemd's [run0](https://www.freedesktop.org/software/systemd/man/latest/run0)).
-      '';
     };
 
     security.wrappers = lib.mkOption {

nixos/modules/services/continuous-integration/gitlab-runner/runner.nix

@@ -189,15 +189,11 @@ let
                         [ "--docker-image ${service.dockerImage}" ]
                         ++ optional service.dockerDisableCache "--docker-disable-cache"
                         ++ optional service.dockerPrivileged "--docker-privileged"
-                        ++ optional service.dockerServicesPrivileged "--docker-services_privileged true"
                         ++ optional (service.dockerPullPolicy != null) "--docker-pull-policy ${service.dockerPullPolicy}"
                         ++ map (v: "--docker-volumes ${escapeShellArg v}") service.dockerVolumes
                         ++ map (v: "--docker-extra-hosts ${escapeShellArg v}") service.dockerExtraHosts
                         ++ map (v: "--docker-allowed-images ${escapeShellArg v}") service.dockerAllowedImages
                         ++ map (v: "--docker-allowed-services ${escapeShellArg v}") service.dockerAllowedServices
-                        ++ map (
-                          v: "--docker-allowed-privileged-services ${escapeShellArg v}"
-                        ) service.dockerAllowedPrivilegedServices
                       )
                     )
                   )
@@ -525,13 +521,6 @@ in
                 Give extended privileges to container.
               '';
             };
-            dockerServicesPrivileged = mkOption {
-              type = types.bool;
-              default = false;
-              description = ''
-                Give extended privileges to services.
-              '';
-            };
             dockerExtraHosts = mkOption {
               type = types.listOf types.str;
               default = [ ];
@@ -565,19 +554,6 @@ in
                 Whitelist allowed services.
               '';
             };
-            dockerAllowedPrivilegedServices = mkOption {
-              type = types.listOf types.str;
-              default = [ ];
-              example = [
-                "docker.io/library/docker:*-dind-rootless"
-                "docker.io/library/docker:dind-rootless"
-                "docker:*-dind-rootless"
-                "docker:dind-rootless"
-              ];
-              description = ''
-                Whitelist allowed privileged services.
-              '';
-            };
             preGetSourcesScript = mkOption {
               type = types.nullOr (types.either types.str types.path);
               default = null;

nixos/modules/services/development/gemstash.nix

@@ -36,8 +36,6 @@ in
       '';
     };
 
-    package = lib.mkPackageOption pkgs "gemstash" { };
-
     settings = lib.mkOption {
       default = { };
       description = ''
@@ -98,7 +96,7 @@ in
       after = [ "network.target" ];
       serviceConfig = lib.mkMerge [
         {
-          ExecStart = "${lib.getExe cfg.package} start --no-daemonize --config-file ${settingsFormat.generate "gemstash.yaml" (prefixColon cfg.settings)}";
+          ExecStart = "${pkgs.gemstash}/bin/gemstash start --no-daemonize --config-file ${settingsFormat.generate "gemstash.yaml" (prefixColon cfg.settings)}";
           NoNewPrivileges = true;
           User = "gemstash";
           Group = "gemstash";

nixos/modules/services/display-managers/default.nix

@@ -1,6 +1,5 @@
 {
   config,
-  options,
   lib,
   pkgs,
   ...
@@ -8,9 +7,6 @@
 
 let
   cfg = config.services.displayManager;
-  opts = options.services.displayManager;
-
-  toPretty = lib.generators.toPretty { };
 
   installedSessions =
     pkgs.runCommand "desktops"
@@ -83,7 +79,7 @@ in
                 default = config.user != null;
                 defaultText = lib.literalExpression "config.${options.user} != null";
                 description = ''
-                  Automatically log in as {option}`${options.user}`.
+                  Automatically log in as {option}`autoLogin.user`.
                 '';
               };
 
@@ -105,7 +101,16 @@ in
       };
 
       defaultSession = lib.mkOption {
-        type = lib.types.nullOr (lib.types.str // { description = "session name"; });
+        type = lib.types.nullOr lib.types.str // {
+          description = "session name";
+          check =
+            d:
+            lib.assertMsg (d != null -> (lib.types.str.check d && lib.elem d cfg.sessionData.sessionNames)) ''
+              Default graphical session, '${d}', not found.
+              Valid names for 'services.displayManager.defaultSession' are:
+                ${lib.concatStringsSep "\n  " cfg.sessionData.sessionNames}
+            '';
+        };
         default = null;
         example = "gnome";
         description = ''
@@ -125,12 +130,26 @@ in
 
       sessionPackages = lib.mkOption {
         type = lib.types.listOf (
-          lib.types.addCheck lib.types.package (
-            p: p ? providedSessions && p.providedSessions != [ ] && lib.all lib.isString p.providedSessions
-          )
+          lib.types.package
           // {
             description = "package with provided sessions";
-            descriptionClass = "composite";
+            check =
+              p:
+              lib.assertMsg
+                (
+                  lib.types.package.check p
+                  && p ? providedSessions
+                  && p.providedSessions != [ ]
+                  && lib.all lib.isString p.providedSessions
+                )
+                ''
+                  Package, '${p.name}', did not specify any session names, as strings, in
+                  'passthru.providedSessions'. This is required when used as a session package.
+
+                  The session names can be looked up in:
+                    ${p}/share/xsessions
+                    ${p}/share/wayland-sessions
+                '';
           }
         );
         default = [ ];
@@ -189,15 +208,7 @@ in
       {
         assertion = cfg.autoLogin.enable -> cfg.autoLogin.user != null;
         message = ''
-          `${opts.autoLogin}.enable` requires `${opts.autoLogin}.user` to be set
-        '';
-      }
-      {
-        assertion = cfg.defaultSession == null || lib.elem cfg.defaultSession cfg.sessionData.sessionNames;
-        message = ''
-          Default graphical session, ${toPretty cfg.defaultSession}, not found. Definitions:${lib.options.showDefs opts.defaultSession.definitionsWithLocations}.
-          Valid names for `${opts.defaultSession}` are:
-              ${lib.concatMapStringsSep "\n    " toPretty cfg.sessionData.sessionNames}
+          services.displayManager.autoLogin.enable requires services.displayManager.autoLogin.user to be set
         '';
       }
     ];

nixos/modules/services/display-managers/gdm.nix

@@ -455,22 +455,6 @@ in
               settings.conffile = "/etc/pam/environment";
               settings.readenv = 0;
             }
-            # make sure the spawned session has the same variables as `display-manager.service`
-            # https://github.com/NixOS/nixpkgs/issues/523332
-            {
-              name = "env-greeter";
-              control = "required";
-              modulePath = "${config.security.pam.package}/lib/security/pam_env.so";
-              settings.conffile =
-                let
-                  env = config.services.displayManager.generic.environment;
-                in
-                pkgs.writeText "gdm-launch-environment-env-conf" ''
-                  PATH          DEFAULT="''${PATH}:${pkgs.gnome-session}/bin"
-                  XDG_DATA_DIRS DEFAULT="''${XDG_DATA_DIRS}:${env.XDG_DATA_DIRS}"
-                '';
-              settings.readenv = 0;
-            }
             {
               name = "systemd";
               control = "optional";

nixos/modules/services/home-automation/home-assistant.nix

@@ -30,6 +30,7 @@ let
     mapAttrsToList
     mergeAttrsList
     mkEnableOption
+    mkDefault
     mkIf
     mkMerge
     mkOption
@@ -776,25 +777,7 @@ in
     openFirewall = mkOption {
       default = false;
       type = types.bool;
-      description = ''
-        Whether to open the firewall for the specified frontend port
-
-        :::{.note}
-        For components specific ports see {option}`services.home-assistant.openFirewallForComponents`.
-        :::
-      '';
-    };
-
-    openFirewallForComponents = mkOption {
-      default = false;
-      type = types.bool;
-      description = ''
-        Whether to open required firewall ports for enabled components.
-
-        :::{.note}
-        For the frontend see {option}`services.home-assistant.openFirewall`.
-        :::
-      '';
+      description = "Whether to open the firewall for the specified port.";
     };
 
     blueprints = mergeAttrsList (
@@ -862,13 +845,7 @@ in
       }
     ];
 
-    networking.firewall.allowedTCPPorts = mkMerge [
-      (mkIf cfg.openFirewall [ cfg.config.http.server_port ])
-      (mkIf cfg.openFirewallForComponents
-        # https://www.home-assistant.io/integrations/sonos/#network-requirements
-        (optionals (useComponent "sonos") [ 1400 ])
-      )
-    ];
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.config.http.server_port ];
 
     # symlink the configuration to /etc/home-assistant
     environment.etc = mkMerge [

nixos/modules/services/logging/logrotate.nix

@@ -91,9 +91,9 @@ let
       # files required to exist also won't be present, so missingok is forced.
       user=$(${pkgs.buildPackages.coreutils}/bin/id -un)
       group=$(${pkgs.buildPackages.coreutils}/bin/id -gn)
-      sed -E -e "s/\bsu\s.*/su $user $group/" \
-             -e "s/\b((create|createolddir)\b(\s+[0-9]+)?).*/\1 $user $group/" \
-             -e "1imissingok" -e "s/\bnomissingok\b//" \
+      sed -e "s/\bsu\s.*/su $user $group/" \
+          -e "s/\b\(create\s\+[0-9]*\s*\|createolddir\s\+[0-9]*\s\+\).*/\1$user $group/" \
+          -e "1imissingok" -e "s/\bnomissingok\b//" \
           $out > logrotate.conf
       # Since this makes for very verbose builds only show real error.
       # There is no way to control log level, but logrotate hardcodes

nixos/modules/services/mail/stalwart.nix

@@ -273,7 +273,6 @@ in
           RestrictAddressFamilies = [
             "AF_INET"
             "AF_INET6"
-            "AF_UNIX"
           ];
           RestrictNamespaces = true;
           RestrictRealtime = true;

nixos/modules/services/misc/inventree.nix

@@ -1,411 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  cfg = config.services.inventree;
-  pkg = cfg.package;
-
-  mysqlLocal = cfg.database.createLocally && cfg.database.dbtype == "mysql";
-  pgsqlLocal = cfg.database.createLocally && cfg.database.dbtype == "postgresql";
-
-  manage = pkgs.writeShellScriptBin "inventree-manage" ''
-    set -a
-    ${lib.toShellVars cfg.settings}
-    ${lib.optionalString (
-      cfg.database.passwordFile != null
-    ) ''INVENTREE_DB_PASSWORD="$(<${lib.escapeShellArg cfg.database.passwordFile})"''}
-    set +a
-
-    pushd ${lib.escapeShellArg cfg.dataDir}
-    expectedUser=${lib.escapeShellArg cfg.user}
-    sudo=()
-    if [[ "$USER" != "$expectedUser" ]]; then
-      ${
-        if config.security.sudo.enable then
-          ''sudo+=(${config.security.wrapperDir}/sudo -u "$expectedUser" -E)''
-        else
-          ''printf 'Aborting, inventree-manage must be run as user %s\n!' "$expectedUser" >&2; exit 2''
-      }
-    fi
-    exec "''${sudo[@]}" ${cfg.package}/bin/inventree "$@"
-  '';
-
-in
-{
-  meta.buildDocsInSandbox = false;
-
-  meta.maintainers = with lib.maintainers; [
-    kurogeek
-  ];
-
-  options.services.inventree = {
-    enable = lib.mkEnableOption "inventree";
-
-    dataDir = lib.mkOption {
-      type = lib.types.str;
-      default = "/var/lib/inventree";
-      description = "Inventree's data storage path.  Will be `/var/lib/inventree` by default.";
-    };
-
-    package = lib.mkOption {
-      type = lib.types.package;
-      description = "Which package to use for the InvenTree instance.";
-      default = pkgs.inventree;
-      defaultText = lib.literalExpression "pkgs.inventree";
-    };
-
-    adminPasswordFile = lib.mkOption {
-      type = lib.types.nullOr lib.types.path;
-      default = null;
-      example = "/run/keys/inventree-password";
-      description = "Path to a file containing admin password";
-    };
-
-    secretKeyFile = lib.mkOption {
-      type = lib.types.path;
-      default = "${cfg.dataDir}/secret_key.txt";
-      defaultText = lib.literalExpression ''"''${cfg.dataDir}/secret_key.txt"'';
-      example = "/run/keys/inventree-secret-key";
-      description = ''
-        Path to a file containing the secret key
-      '';
-    };
-
-    database = {
-      dbtype = lib.mkOption {
-        type = lib.types.nullOr (
-          lib.types.enum [
-            "postgresql"
-            "mysql"
-          ]
-        );
-        default = "postgresql";
-        description = "Database type.";
-      };
-      dbhost = lib.mkOption {
-        type = lib.types.nullOr lib.types.str;
-        default = null;
-        example = "localhost";
-        description = "Database host or socket path.";
-      };
-      dbport = lib.mkOption {
-        type = lib.types.nullOr lib.types.port;
-        default = null;
-        example = 5432;
-        description = "Database host port.";
-      };
-      dbname = lib.mkOption {
-        type = lib.types.str;
-        default = "inventree";
-        description = "Database name.";
-      };
-      dbuser = lib.mkOption {
-        type = lib.types.str;
-        default = "inventree";
-        description = "Database username.";
-      };
-      passwordFile = lib.mkOption {
-        type = with lib.types; nullOr path;
-        default = null;
-        example = "/run/keys/inventree-dbpassword";
-        description = ''
-          A file containing the password corresponding to
-          <option>database.dbuser</option>.
-        '';
-      };
-      createLocally = lib.mkOption {
-        type = lib.types.bool;
-        default = true;
-        description = "Create the database and database user locally.";
-      };
-    };
-
-    domain = lib.mkOption {
-      type = lib.types.str;
-      default = "localhost";
-      example = "inventree.example.com";
-      description = ''
-        The INVENTREE_SITE_URL option defines the base URL for the
-        InvenTree server. This is a critical setting, and it is required
-        for correct operation of the server. If not specified, the
-        server will attempt to determine the site URL automatically -
-        but this may not always be correct!
-
-        The site URL is the URL that users will use to access the
-        InvenTree server. For example, if the server is accessible at
-        `https://inventree.example.com`, the site URL should be set to
-        `https://inventree.example.com`. Note that this is not
-        necessarily the same as the internal URL that the server is
-        running on - the internal URL will depend entirely on your
-        server configuration and may be obscured by a reverse proxy or
-        other such setup.
-      '';
-    };
-
-    user = lib.mkOption {
-      type = lib.types.str;
-      default = "inventree";
-      description = "User under which InvenTree runs.";
-    };
-
-    group = lib.mkOption {
-      type = lib.types.str;
-      default = "inventree";
-      description = "Group under which InvenTree runs.";
-    };
-
-    settings = lib.mkOption {
-      type =
-        with lib.types;
-        attrsOf (
-          nullOr (oneOf [
-            path
-            str
-          ])
-        );
-      default = { };
-      description = ''
-        InvenTree config options.
-
-        See [the documentation](https://docs.inventree.org/en/stable/start/config/) for available options.
-      '';
-      example = {
-        INVENTREE_CACHE_ENABLED = true;
-        INVENTREE_CACHE_HOST = "localhost";
-
-        INVENTREE_EMAIL_HOST = "smtp.example.com";
-        INVENTREE_EMAIL_PORT = 25;
-      };
-    };
-
-  };
-
-  config = lib.mkIf cfg.enable (
-    lib.mkMerge [
-      {
-        services.inventree.settings = {
-          INVENTREE_DB_ENGINE = cfg.database.dbtype;
-          INVENTREE_DB_NAME = cfg.database.dbname;
-          INVENTREE_DB_HOST = cfg.database.dbhost;
-          INVENTREE_DB_USER = cfg.database.dbuser;
-          INVENTREE_DB_PORT = if cfg.database.dbport != null then toString cfg.database.dbport else null;
-
-          INVENTREE_CONFIG_FILE = lib.mkDefault "${cfg.dataDir}/config/config.yaml";
-          INVENTREE_OIDC_PRIVATE_KEY_FILE = lib.mkDefault "${cfg.dataDir}/config/oidc_private_key.txt";
-          INVENTREE_STATIC_ROOT = lib.mkDefault "${cfg.package}/lib/inventree/static";
-          INVENTREE_MEDIA_ROOT = lib.mkDefault "${cfg.dataDir}/data/media";
-          INVENTREE_BACKUP_DIR = lib.mkDefault "${cfg.dataDir}/data/backups";
-          INVENTREE_SITE_URL = lib.mkDefault "http://${cfg.domain}";
-          INVENTREE_PLUGIN_FILE = lib.mkDefault "${cfg.dataDir}/data/plugins/plugins.txt";
-          INVENTREE_PLUGIN_DIR = lib.mkDefault "${cfg.dataDir}/data/plugins";
-          INVENTREE_ADMIN_USER = lib.mkDefault "admin";
-          INVENTREE_ADMIN_EMAIL = lib.mkDefault "admin@${cfg.domain}";
-          INVENTREE_ADMIN_PASSWORD_FILE = lib.mkDefault cfg.adminPasswordFile;
-          INVENTREE_SECRET_KEY_FILE = lib.mkDefault cfg.secretKeyFile;
-          INVENTREE_AUTO_UPDATE = lib.mkDefault "false";
-        };
-        environment.systemPackages = [ manage ];
-        systemd.tmpfiles.rules = (
-          map (dir: "d ${dir} 0755 inventree inventree") [
-            "${cfg.dataDir}"
-            "${cfg.dataDir}/config"
-            "${cfg.dataDir}/data"
-            "${cfg.dataDir}/data/media"
-            "${cfg.dataDir}/data/backups"
-            "${cfg.dataDir}/data/plugins"
-          ]
-        );
-
-        services.postgresql = lib.mkIf pgsqlLocal {
-          enable = true;
-          ensureDatabases = [ cfg.database.dbname ];
-          ensureUsers = [
-            {
-              name = cfg.database.dbuser;
-              ensureDBOwnership = true;
-            }
-          ];
-        };
-
-        services.mysql = lib.mkIf mysqlLocal {
-          enable = true;
-          package = lib.mkDefault pkgs.mariadb;
-          ensureDatabases = [ cfg.database.dbname ];
-          ensureUsers = [
-            {
-              name = cfg.database.dbuser;
-              ensurePermissions = {
-                "${cfg.database.dbname}.*" = "ALL PRIVILEGES";
-              };
-            }
-          ];
-        };
-
-        services.nginx.enable = true;
-        services.nginx.virtualHosts.${cfg.domain} = {
-          locations =
-            let
-              unixPath = config.systemd.sockets.inventree-server.socketConfig.ListenStream;
-            in
-            {
-              "/" = {
-                extraConfig = ''
-                  proxy_set_header Host $host;
-                  proxy_set_header X-Forwarded-By $server_addr:$server_port;
-                  proxy_set_header X-Forwarded-For $remote_addr;
-                  proxy_set_header X-Forwarded-Proto $scheme;
-                  proxy_set_header X-Real-IP $remote_addr;
-                  proxy_set_header CLIENT_IP $remote_addr;
-
-                  proxy_pass_request_headers on;
-
-                  proxy_redirect off;
-
-                  client_max_body_size 100M;
-
-                  proxy_buffering off;
-                  proxy_request_buffering off;
-                '';
-                proxyPass = "http://unix:${unixPath}";
-              };
-              "/auth" = {
-                extraConfig = ''
-                  internal;
-                  proxy_pass_request_body off;
-                  proxy_set_header Content-Length "";
-                  proxy_set_header X-Original-URI $request_uri;
-                '';
-                proxyPass = "http://unix:${unixPath}:/auth/";
-              };
-              "/static/" = {
-                alias = "${cfg.settings.INVENTREE_STATIC_ROOT}/";
-                extraConfig = ''
-                  autoindex on;
-
-                  # Caching settings
-                  expires 30d;
-                  add_header Pragma public;
-                  add_header Cache-Control "public";
-                '';
-              };
-              "/media/" = {
-                alias = "${cfg.settings.INVENTREE_MEDIA_ROOT}/";
-                extraConfig = ''
-                  auth_request /auth;
-                  add_header Content-disposition "attachment";
-                '';
-              };
-            };
-        };
-
-        systemd.services.inventree-setup = {
-          description = "Inventree setup";
-          wantedBy = [ "inventree.target" ];
-          partOf = [ "inventree.target" ];
-          after = lib.optional mysqlLocal "mysql.service" ++ lib.optional pgsqlLocal "postgresql.target";
-          requires = lib.optional mysqlLocal "mysql.service" ++ lib.optional pgsqlLocal "postgresql.target";
-          before = [
-            "inventree-server.service"
-            "inventree-qcluster.service"
-          ];
-          serviceConfig = {
-            Type = "oneshot";
-            User = cfg.user;
-            Group = cfg.group;
-            RemainAfterExit = true;
-            PrivateTmp = true;
-          }
-          // lib.optionalAttrs (cfg.database.passwordFile != null) {
-            LoadCredential = "db_password:${cfg.database.passwordFile}";
-          };
-          environment = cfg.settings;
-          script = ''
-            set -euo pipefail
-            umask u=rwx,g=,o=
-
-            ${
-              lib.optionalString (cfg.database.passwordFile != null) ''
-                INVENTREE_DB_PASSWORD=$(<"$CREDENTIALS_DIRECTORY/db_password")
-              ''
-            } \
-            exec ${pkg}/bin/inventree migrate
-          '';
-        };
-
-        systemd.services.inventree-server = {
-          description = "Inventree Gunicorn service";
-          requiredBy = [ "inventree.target" ];
-          partOf = [ "inventree.target" ];
-          environment = cfg.settings;
-          serviceConfig = {
-            User = cfg.user;
-            Group = cfg.group;
-            StateDirectory = "inventree";
-            PrivateTmp = true;
-          }
-          // lib.optionalAttrs (cfg.database.passwordFile != null) {
-            LoadCredential = "db_password:${cfg.database.passwordFile}";
-          };
-          script = ''
-            ${
-              lib.optionalString (cfg.database.passwordFile != null) ''
-                INVENTREE_DB_PASSWORD=$(<"$CREDENTIALS_DIRECTORY/db_password")
-              ''
-            } \
-            exec ${pkg}/bin/gunicorn InvenTree.wsgi
-          '';
-        };
-
-        systemd.sockets.inventree-server = {
-          wantedBy = [ "sockets.target" ];
-          partOf = [ "inventree.target" ];
-          socketConfig.ListenStream = "/run/inventree/gunicorn.socket";
-        };
-
-        systemd.services.inventree-qcluster = {
-          description = "InvenTree qcluster server";
-          requiredBy = [ "inventree.target" ];
-          wantedBy = [ "inventree.target" ];
-          partOf = [ "inventree.target" ];
-          environment = cfg.settings;
-          serviceConfig = {
-            User = cfg.user;
-            Group = cfg.group;
-            StateDirectory = "inventree";
-            PrivateTmp = true;
-          }
-          // lib.optionalAttrs (cfg.database.passwordFile != null) {
-            LoadCredential = "db_password:${cfg.database.passwordFile}";
-          };
-          script = ''
-            ${
-              lib.optionalString (cfg.database.passwordFile != null) ''
-                INVENTREE_DB_PASSWORD=$(<"$CREDENTIALS_DIRECTORY/db_password")
-              ''
-            } \
-            exec ${pkg}/bin/inventree qcluster
-          '';
-        };
-
-        systemd.targets.inventree = {
-          description = "Target for all InvenTree services";
-          wantedBy = [ "multi-user.target" ];
-          wants = [ "network-online.target" ];
-          after = [ "network-online.target" ];
-        };
-
-        users = lib.optionalAttrs (cfg.user == cfg.user) {
-          users.${cfg.user} = {
-            group = cfg.group;
-            isSystemUser = true;
-            home = cfg.dataDir;
-          };
-          groups.${cfg.group}.members = [ cfg.user ];
-        };
-      }
-    ]
-  );
-}

nixos/modules/services/misc/klipper.nix

@@ -40,27 +40,11 @@ let
         '';
         serial = lib.mkOption {
           type = lib.types.nullOr lib.types.path;
-          description = "Path to serial port this mcu is connected to. Derived from `service.klipper.settings` by default.";
+          description = "Path to serial port this printer is connected to. Derived from `service.klipper.settings` by default.";
           defaultText = lib.literalExpression "config.services.klipper.settings.<name>.serial";
           default =
             if lib.hasAttrByPath [ "${mcu}" "serial" ] cfg.settings then cfg.settings."${mcu}".serial else null;
         };
-        canbus_uuid = lib.mkOption {
-          type = lib.types.nullOr lib.types.str;
-          description = "CAN bus uuid of this mcu. Derived from `service.klipper.settings` by default.";
-          defaultText = lib.literalExpression "config.services.klipper.settings.<name>.canbus_uuid";
-          default =
-            if lib.hasAttrByPath [ "${mcu}" "canbus_uuid" ] cfg.settings then
-              cfg.settings."${mcu}".canbus_uuid
-            else
-              null;
-        };
-        canbusNetwork = lib.mkOption {
-          type = lib.types.nullOr lib.types.str;
-          description = "CAN bus network this mcu is connected to. Defaults to can0 if canbus_uuid is set.";
-          defaultText = lib.literalExpression ''if canbus_uuid != null then "can0" else null'';
-          default = if subcfg.canbus_uuid != null then "can0" else null;
-        };
         configFile = lib.mkOption {
           type = lib.types.path;
           description = "Path to firmware config which is generated using `klipper-genconf`";
@@ -94,8 +78,6 @@ let
               klipper-firmware = subcfg.package;
               mcu = lib.strings.sanitizeDerivationName mcu;
               flashDevice = subcfg.serial;
-              canbusDevice = subcfg.canbus_uuid;
-              canbusNetwork = subcfg.canbusNetwork;
               firmwareConfig = subcfg.configFile;
             }
           else
@@ -242,15 +224,12 @@ in
       }
     ]
     ++ lib.mapAttrsToList (mcu: firmware: {
-      assertion =
-        firmware.enableKlipperFlash -> (firmware.serial != null || firmware.canbus_uuid != null);
+      assertion = firmware.enableKlipperFlash -> firmware.serial != null;
       message = ''
-        Unable to determine the serial or canbus connection for services.klipper.firmwares."${mcu}". Please set one of the following:
+        Unable to determine the serial connection for services.klipper.firmwares."${mcu}". Please set one of the following:
 
           - services.klipper.firmwares."${mcu}".serial
-          - services.klipper.firmwares."${mcu}".canbus_uuid
           - services.klipper.settings."${mcu}".serial
-          - services.klipper.settings."${mcu}".canbus_uuid
       '';
     }) cfg.firmwares;
 
@@ -329,6 +308,7 @@ in
 
     environment.systemPackages =
       let
+        default = a: b: if a != null then a else b;
         genconf = pkgs.klipper-genconf.override {
           klipper = cfg.package;
         };

nixos/modules/services/monitoring/flap-alerted.nix

@@ -1,147 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
-let
-  cfg = config.services.flap-alerted;
-
-  settingsArgs = lib.pipe cfg.settings [
-    (lib.mapAttrsToList (
-      name: value:
-      if value == null || value == false then
-        [ ]
-      else if value == true then
-        [ "-${name}" ]
-      else
-        [
-          "-${name}"
-          (toString value)
-        ]
-    ))
-    lib.concatLists
-  ];
-in
-
-{
-  meta.maintainers = with lib.maintainers; [ defelo ];
-
-  options.services.flap-alerted = {
-    enable = lib.mkEnableOption "FlapAlerted";
-
-    package = lib.mkPackageOption pkgs "flap-alerted" { };
-
-    environmentFiles = lib.mkOption {
-      type = lib.types.listOf lib.types.path;
-      default = [ ];
-      example = [ "/run/secrets/flap-alerted.env" ];
-      description = ''
-        Files to load environment variables from.
-        This is useful to avoid putting secrets into the nix store.
-        See <https://github.com/Kioubit/FlapAlerted> for a list of options.
-      '';
-    };
-
-    extraArgs = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      description = ''
-        Extra command line arguments to pass to FlapAlerted.
-        See <https://github.com/Kioubit/FlapAlerted> for a list of options.
-      '';
-      default = [ ];
-    };
-
-    settings = lib.mkOption {
-      description = ''
-        Configuration of FlapAlerted.
-        See <https://github.com/Kioubit/FlapAlerted> for a list of options.
-      '';
-      default = { };
-
-      type = lib.types.submodule {
-        freeformType = lib.types.attrsOf (
-          lib.types.nullOr (
-            lib.types.oneOf [
-              lib.types.str
-              lib.types.int
-              lib.types.bool
-            ]
-          )
-        );
-
-        options = {
-          asn = lib.mkOption {
-            type = lib.types.ints.u32;
-            description = "Your ASN number";
-          };
-
-          bgpListenAddress = lib.mkOption {
-            type = lib.types.str;
-            description = "Address to listen on for incoming BGP connections";
-            default = ":1790";
-          };
-
-          debug = lib.mkOption {
-            type = lib.types.bool;
-            description = "Enable debug mode (produces a lot of output)";
-            default = false;
-          };
-        };
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    systemd.services.flap-alerted = {
-      wantedBy = [ "multi-user.target" ];
-
-      wants = [ "network-online.target" ];
-      after = [ "network-online.target" ];
-
-      serviceConfig = {
-        User = "flap-alerted";
-        Group = "flap-alerted";
-        DynamicUser = true;
-
-        EnvironmentFile = cfg.environmentFiles;
-
-        ExecStart = lib.escapeShellArgs ([ (lib.getExe cfg.package) ] ++ settingsArgs ++ cfg.extraArgs);
-
-        # Hardening
-        AmbientCapabilities = "";
-        CapabilityBoundingSet = [ "" ];
-        DevicePolicy = "closed";
-        LockPersonality = true;
-        MemoryDenyWriteExecute = true;
-        NoNewPrivileges = true;
-        PrivateDevices = true;
-        PrivateTmp = true;
-        PrivateUsers = true;
-        ProcSubset = "pid";
-        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        ProtectSystem = "strict";
-        RemoveIPC = true;
-        RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        SystemCallArchitectures = "native";
-        SystemCallFilter = [
-          "@system-service"
-          "~@privileged"
-          "~@resources"
-        ];
-        UMask = "0077";
-      };
-    };
-  };
-}

nixos/modules/services/networking/firewalld/default.nix

@@ -57,19 +57,7 @@ in
     systemd.services.firewalld = {
       aliases = [ "dbus-org.fedoraproject.FirewallD1.service" ];
       wantedBy = [ "multi-user.target" ];
-      serviceConfig.ExecReload = [
-        ""
-        "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID"
-      ];
-      reloadTriggers = [
-        config.environment.etc."firewalld/firewalld.conf".source
-      ]
-      ++ lib.mapAttrsToList (
-        name: _: config.environment.etc."firewalld/zones/${name}.xml".source
-      ) config.services.firewalld.zones
-      ++ lib.mapAttrsToList (
-        name: _: config.environment.etc."firewalld/services/${name}.xml".source
-      ) config.services.firewalld.services;
+      serviceConfig.ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -HUP $MAINPID";
       environment.NIX_FIREWALLD_CONFIG_PATH = "${paths}/lib/firewalld";
     };
   };

nixos/modules/services/networking/pangolin.nix

@@ -9,7 +9,7 @@
 let
   cfg = config.services.pangolin;
   format = pkgs.formats.yaml { };
-  finalSettings = lib.attrsets.recursiveUpdate options.services.pangolin.settings.default cfg.settings;
+  finalSettings = lib.attrsets.recursiveUpdate pangolinConf cfg.settings;
   cfgFile = format.generate "config.yml" finalSettings;
   # override the type to allow for optionality
   nullOrOpt = t: lib.types.nullOr t // { _optional = true; };
@@ -33,6 +33,25 @@ let
       fi
     '';
   };
+
+  pangolinConf = {
+    app.dashboard_url = "https://${cfg.dashboardDomain}";
+    domains.domain1 = {
+      base_domain = cfg.baseDomain;
+      prefer_wildcard_cert = false;
+    };
+    server = {
+      external_port = 3000;
+      internal_port = 3001;
+      next_port = 3002;
+      integration_port = 3003;
+      # needs to be set, otherwise this fails silently
+      # see https://github.com/fosrl/newt/issues/37
+      internal_hostname = "localhost";
+    };
+    gerbil.base_endpoint = cfg.dashboardDomain;
+    flags.enable_integration_api = false;
+  };
 in
 {
   options.services = {
@@ -42,50 +61,7 @@ in
 
       settings = lib.mkOption {
         inherit (format) type;
-        default = {
-          app.dashboard_url = "https://${cfg.dashboardDomain}";
-          domains.domain1 = {
-            base_domain = cfg.baseDomain;
-            prefer_wildcard_cert = false;
-          };
-          server = {
-            external_port = 3000;
-            internal_port = 3001;
-            next_port = 3002;
-            integration_port = 3003;
-            # needs to be set, otherwise this fails silently
-            # see https://github.com/fosrl/newt/issues/37
-            internal_hostname = "localhost";
-          };
-          gerbil.base_endpoint = cfg.dashboardDomain;
-          flags = {
-            disable_signup_without_invite = true;
-            enable_integration_api = false;
-          };
-        };
-        defaultText = lib.literalExpression ''
-          {
-            app.dashboard_url = "https://''${config.services.pangolin.dashboardDomain}";
-            domains.domain1 = {
-              base_domain = cfg.baseDomain;
-              prefer_wildcard_cert = false;
-            };
-            server = {
-              external_port = 3000;
-              internal_port = 3001;
-              next_port = 3002;
-              integration_port = 3003;
-              # needs to be set, otherwise this fails silently
-              # see https://github.com/fosrl/newt/issues/37
-              internal_hostname = "localhost";
-            };
-            gerbil.base_endpoint = config.services.pangolin.dashboardDomain;
-            flags = {
-              disable_signup_without_invite = true;
-              enable_integration_api = false;
-            };
-          }
-        '';
+        default = { };
         description = ''
           Additional attributes to be merged with the configuration options and written to Pangolin's {file}`config.yml` file.
         '';

nixos/modules/services/networking/wpa_supplicant.nix

@@ -123,8 +123,7 @@ let
             # set up imperative config file
             "+${pkgs.coreutils}/bin/touch /etc/wpa_supplicant/imperative.conf"
             "+${pkgs.coreutils}/bin/chmod 664 /etc/wpa_supplicant/imperative.conf"
-            "+${pkgs.coreutils}/bin/chown wpa_supplicant:wpa_supplicant /etc/wpa_supplicant"
-            "+${pkgs.coreutils}/bin/chown wpa_supplicant:wpa_supplicant /etc/wpa_supplicant/imperative.conf"
+            "+${pkgs.coreutils}/bin/chown -R wpa_supplicant:wpa_supplicant /etc/wpa_supplicant"
           ]
           ++ lib.optionals cfg.userControlled [
             # set up client sockets directory

nixos/modules/services/security/jitterentropy-rngd.nix

@@ -26,11 +26,6 @@ in
       default = false;
       description = "Force SP800-90B mode for entropy reading";
     };
-    memlockLimit = lib.mkOption {
-      type = lib.types.str;
-      default = "2M";
-      description = "Set limit for lockable memory with mlock";
-    };
     verbose = lib.mkOption {
       type = lib.types.bool;
       default = false;
@@ -61,12 +56,6 @@ in
           # use service from package with our configured args
           "${cfg.package}/bin/jitterentropy-rngd ${args}"
         ];
-        LimitMEMLOCK = [
-          # clear old setting from built-in service file
-          ""
-          # use service from package with our configured limit
-          "${cfg.memlockLimit}"
-        ];
       };
     };
 

nixos/modules/services/security/opensnitch.nix

@@ -207,7 +207,6 @@ in
       };
       tmpfiles.rules = [
         "d ${cfg.settings.Rules.Path} 0750 root root - -"
-        "L+ /etc/opensnitchd/network_aliases.json - - - - ${cfg.package}/etc/opensnitchd/network_aliases.json"
         "L+ /etc/opensnitchd/system-fw.json - - - - ${cfg.package}/etc/opensnitchd/system-fw.json"
       ];
     };

nixos/modules/services/torrent/bitmagnet.nix

@@ -14,7 +14,6 @@ let
     optional
     ;
   inherit (lib.types)
-    nullOr
     bool
     port
     str
@@ -44,10 +43,10 @@ in
             type = submodule {
               inherit freeformType;
               options = {
-                local_address = mkOption {
+                port = mkOption {
                   type = str;
                   default = ":3333";
-                  description = "HTTP server listen address";
+                  description = "HTTP server listen port";
                 };
               };
             };
@@ -95,20 +94,6 @@ in
               };
             };
           };
-          tmdb = mkOption {
-            default = { };
-            description = "TMDB api settings";
-            type = submodule {
-              inherit freeformType;
-              options = {
-                api_key = mkOption {
-                  type = nullOr str;
-                  default = null;
-                  description = "TMDB api key, to avoid api limits. Leave null to use the default shared key.";
-                };
-              };
-            };
-          };
         };
       };
     };
@@ -144,7 +129,6 @@ in
       ]
       ++ optional cfg.useLocalPostgresDB "postgresql.target";
       requires = optional cfg.useLocalPostgresDB "postgresql.target";
-      restartTriggers = [ config.environment.etc."xdg/bitmagnet/config.yml".source ];
       serviceConfig = {
         Type = "simple";
         DynamicUser = true;
@@ -154,7 +138,6 @@ in
         Restart = "on-failure";
         WorkingDirectory = "/var/lib/bitmagnet";
         StateDirectory = "bitmagnet";
-        BindReadOnlyPaths = [ "/etc/xdg/bitmagnet/config.yml" ];
 
         # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
         ProtectSystem = "strict";

nixos/modules/services/torrent/transmission.nix

@@ -238,10 +238,10 @@ in
         default = null;
         example = "770";
         description = ''
-          If not `null`, is used as the permissions set by
-          `transmission-setup.service` on the directories
-          [](#opt-services.transmission.settings.download-dir),
-          [](#opt-services.transmission.settings.incomplete-dir)
+          If not `null`, is used as the permissions
+          set by `system.activationScripts.transmission-daemon`
+          on the directories [](#opt-services.transmission.settings.download-dir),
+          [](#opt-services.transmission.settings.incomplete-dir).
           and [](#opt-services.transmission.settings.watch-dir).
           Note that you may also want to change
           [](#opt-services.transmission.settings.umask).

nixos/modules/services/ttys/kmscon.nix

@@ -2,7 +2,6 @@
   config,
   pkgs,
   lib,
-  utils,
   ...
 }:
 let
@@ -11,6 +10,8 @@ let
     mkEnableOption
     mkOption
     mkPackageOption
+    optional
+    optionals
     types
     ;
 
@@ -21,12 +22,7 @@ let
   configDir = pkgs.writeTextFile {
     name = "kmscon-config";
     destination = "/kmscon.conf";
-    text =
-      let
-        mkKeyValue =
-          k: v: if lib.isBool v then (lib.optionalString (!v) "no-") + k else "${k}=${toString v}";
-      in
-      lib.generators.toKeyValue { inherit mkKeyValue; } (lib.filterAttrs (_: v: v != null) cfg.config);
+    text = cfg.extraConfig;
   };
 
   baseLoginOptions = "-p";
@@ -59,68 +55,58 @@ in
 
       Check `services.getty.autologinUser` instead.
     '')
-    (lib.mkRemovedOptionModule [ "services" "kmscon" "fonts" ] ''
-      `services.kmscon.fonts` is removed.
-
-      Add your font to `fonts.packages` and configure it with
-      `services.kmscon.config.font-name` instead.
-    '')
-    (lib.mkRemovedOptionModule [ "services" "kmscon" "extraConfig" ] ''
-      `services.kmscon.extraConfig` is removed.
-
-      Add your configurations to the new `services.kmscon.config` instead.
-    '')
-    (lib.mkRenamedOptionModule [ "services" "kmscon" "term" ] [ "services" "kmscon" "config" "term" ])
-    (lib.mkRenamedOptionModule
-      [ "services" "kmscon" "hwRender" ]
-      [ "services" "kmscon" "config" "hwaccel" ]
-    )
   ];
 
   options = {
     services.kmscon = {
       enable = mkEnableOption ''
-        use kmscon instead of autovt.
+        Use kmscon instead of autovt.
 
         Kmscon is a simple terminal emulator based on linux kernel mode setting (KMS).
-        It is an attempt to replace the in-kernel VT implementation with a userspace console
+        It is an attempt to replace the in-kernel VT implementation with a userspace console.
       '';
 
       package = mkPackageOption pkgs "kmscon" { };
 
-      useXkbConfig = mkEnableOption ''
-        configure keymap from xserver keyboard settings.
+      hwRender = mkEnableOption "3D hardware acceleration to render the console";
 
-        If enabled, configurations under `services.xserver.xkb` will be injected into kmscon's configuration
-      '';
-
-      config = mkOption {
-        description = ''
-          Configuration for kmscon. See {manpage}`kmscon.conf(5)`
-          for available options.
-        '';
-        default = { };
-        type = types.submodule {
-          freeformType =
-            with types;
-            attrsOf (oneOf [
-              bool
-              int
-              str
-            ]);
-          options = {
-            hwaccel = mkEnableOption "use hardware acceleration for rendering";
-            libseat = mkOption {
-              type = types.bool;
-              default = true;
-              description = ''
-                Whether to use libseat for session management.
-                This is the default for kmscon newer than 10.0.0 and prevents
-                launching another GUI from kmscon by `kmscon-launch-gui`.
-              '';
+      fonts = mkOption {
+        description = "Fonts used by kmscon, in order of priority.";
+        default = null;
+        example = lib.literalExpression ''[ { name = "Source Code Pro"; package = pkgs.source-code-pro; } ]'';
+        type =
+          with types;
+          let
+            fontType = submodule {
+              options = {
+                name = mkOption {
+                  type = str;
+                  description = "Font name, as used by fontconfig.";
+                };
+                package = mkOption {
+                  type = package;
+                  description = "Package providing the font.";
+                };
+              };
             };
-          };
-        };
+          in
+          nullOr (nonEmptyListOf fontType);
+      };
+
+      useXkbConfig = mkEnableOption "configure keymap from xserver keyboard settings.";
+
+      term = mkOption {
+        description = "Value for the TERM environment variable.";
+        type = types.nullOr types.str;
+        default = null;
+        example = "xterm-256color";
+      };
+
+      extraConfig = mkOption {
+        description = "Extra contents of the kmscon.conf file.";
+        type = types.lines;
+        default = "";
+        example = "font-size=14";
       };
 
       extraOptions = mkOption {
@@ -138,54 +124,30 @@ in
         assertion = gettyCfg.loginOptions == null;
         message = "services.getty.loginOptions is not supported when services.kmscon is enabled.";
       }
-      {
-        assertion = (cfg.config ? font-name) -> config.fonts.fontconfig.enable;
-        message = "Font configuration for kmscon requires fontconfig to be enabled.";
-      }
-      {
-        assertion = cfg.config.hwaccel -> config.hardware.graphics.enable;
-        message = "Hardware acceleration for kmscon requires `hardware.graphics.enable` to be true.";
-      }
     ];
 
-    services.kmscon.config = lib.mkIf cfg.useXkbConfig (
-      lib.mapAttrs (_: lib.mkDefault) (
-        lib.filterAttrs (_: v: v != "") {
-          xkb-layout = config.services.xserver.xkb.layout;
-          xkb-model = config.services.xserver.xkb.model;
-          xkb-options = config.services.xserver.xkb.options;
-          xkb-variant = config.services.xserver.xkb.variant;
-        }
-      )
-    );
-
     environment.systemPackages = [ cfg.package ];
     systemd.packages = [ cfg.package ];
 
     systemd.services."kmsconvt@" = {
-      serviceConfig = {
-        User = lib.mkIf (!cfg.config.libseat) "";
-        PAMName = lib.mkIf (!cfg.config.libseat) "";
-        Environment = [ "XKB_CONFIG_ROOT=${config.services.xserver.xkb.dir}" ];
-        ExecStart = [
-          "" # override upstream default with an empty ExecStart
-          (builtins.concatStringsSep " " (
-            [
-              "${cfg.package}/bin/kmscon"
-              "--configdir"
-              configDir
-              "--vt=%I"
-              "--no-switchvt"
-              "--login"
-            ]
-            ++ lib.optional (cfg.extraOptions != "") cfg.extraOptions
-            ++ [
-              "--"
-              loginScript
-            ]
-          ))
-        ];
-      };
+      serviceConfig.ExecStart = [
+        "" # override upstream default with an empty ExecStart
+        (builtins.concatStringsSep " " (
+          [
+            "${cfg.package}/bin/kmscon"
+            "--configdir"
+            configDir
+            "--vt=%I"
+            "--no-switchvt"
+            "--login"
+          ]
+          ++ lib.optional (cfg.extraOptions != "") cfg.extraOptions
+          ++ [
+            "--"
+            loginScript
+          ]
+        ))
+      ];
 
       restartIfChanged = false;
       # logind spawns autovt@ttyN.service on VT switch; point it at kmscon
@@ -194,55 +156,40 @@ in
 
     # tty1 is special: logind does not spawn autovt@tty1, it expects a static
     # pull-in via getty.target. With getty@ suppressed, we must replace it.
-    systemd.targets.getty.wants = lib.mkIf (!config.services.displayManager.enable) [
+    systemd.services."getty.target".wants = lib.mkIf (!config.services.displayManager.enable) [
       "kmsconvt@tty1.service"
     ];
 
     systemd.suppressedSystemUnits = [ "getty@.service" ];
 
-    security.pam.services.kmscon = lib.mkIf cfg.config.libseat {
-      useDefaultRules = false;
-      rules = {
-        auth = utils.pam.autoOrderRules [
-          {
-            name = "permit";
-            control = "required";
-            modulePath = "${config.security.pam.package}/lib/security/pam_permit.so";
-          }
-        ];
-        account = utils.pam.autoOrderRules [
-          {
-            name = "unix";
-            control = "required";
-            modulePath = "${config.security.pam.package}/lib/security/pam_unix.so";
-          }
-        ];
-        session = utils.pam.autoOrderRules [
-          {
-            name = "env";
-            control = "required";
-            modulePath = "${config.security.pam.package}/lib/security/pam_env.so";
-            settings = {
-              conffile = "/etc/pam/environment";
-              readenv = 0;
-            };
-          }
-          {
-            name = "unix";
-            control = "required";
-            modulePath = "${config.security.pam.package}/lib/security/pam_unix.so";
-          }
-          {
-            name = "systemd";
-            control = "optional";
-            modulePath = "${config.systemd.package}/lib/security/pam_systemd.so";
-            settings = {
-              type = "tty";
-              class = "greeter";
-            };
-          }
-        ];
-      };
+    services.kmscon.extraConfig = lib.concatLines (
+      optionals cfg.useXkbConfig (
+        lib.mapAttrsToList (n: v: "xkb-${n}=${v}") (
+          lib.filterAttrs (
+            n: v:
+            builtins.elem n [
+              "layout"
+              "model"
+              "options"
+              "variant"
+            ]
+            && v != ""
+          ) config.services.xserver.xkb
+        )
+      )
+      ++ optionals cfg.hwRender [
+        "drm"
+        "hwaccel"
+      ]
+      ++ optional (cfg.fonts != null) "font-name=${lib.concatMapStringsSep ", " (f: f.name) cfg.fonts}"
+      ++ optional (cfg.term != null) "term=${cfg.term}"
+    );
+
+    hardware.graphics.enable = mkIf cfg.hwRender true;
+
+    fonts = mkIf (cfg.fonts != null) {
+      fontconfig.enable = true;
+      packages = map (f: f.package) cfg.fonts;
     };
   };
 

nixos/modules/services/web-apps/docuseal.nix

@@ -56,8 +56,6 @@ in
       default = { };
       description = ''
         Extra environment variables to pass to DocuSeal services.
-
-        Refer to <https://www.docuseal.com/docs/configuring-docuseal-via-environment-variables>.
       '';
     };
 

nixos/modules/services/web-apps/immich.nix

@@ -380,6 +380,8 @@ in
       MACHINE_LEARNING_WORKERS = "1";
       MACHINE_LEARNING_WORKER_TIMEOUT = "120";
       MACHINE_LEARNING_CACHE_FOLDER = "/var/cache/immich";
+      # TODO: drop when insightface no longer unconditionally imports matplotlib
+      MPLCONFIGDIR = "/var/cache/immich";
       XDG_CACHE_HOME = "/var/cache/immich";
       IMMICH_HOST = "localhost";
       IMMICH_PORT = "3003";

nixos/modules/services/web-apps/strichliste.nix

@@ -246,16 +246,6 @@ in
               };
             };
 
-            splitInvoice = {
-              enabled = mkOption {
-                type = types.bool;
-                default = true;
-                description = ''
-                  Whether to allow splitting invoices.
-                '';
-              };
-            };
-
             transaction = {
               enabled = mkOption {
                 type = types.bool;
@@ -474,22 +464,26 @@ in
         wants = unitDependencies;
         after = unitDependencies;
         inherit (cfg) environment;
+        preStart = ''
+          set -ex
+          if [ ! -e "/var/lib/strichliste/.db-init" ]; then
+            ${lib.optionalString (lib.hasInfix "sqlite" cfg.environment.DATABASE_URL) ''
+              ${lib.getExe cfg.packages.backend} doctrine:database:create
+            ''}
+            ${lib.getExe cfg.packages.backend} doctrine:schema:create
+            touch "/var/lib/strichliste/.db-init"
+          fi
+        '';
         serviceConfig = {
-          Type = "oneshot";
+          Type = "exec";
           User = "strichliste";
           Group = "strichliste";
           EnvironmentFile = cfg.environmentFiles;
-          ExecStart = map toString [
-            [
-              (lib.getExe cfg.packages.backend)
-              "cache:clear"
-            ]
-            [
-              (lib.getExe cfg.packages.backend)
-              "doctrine:migrations:migrate"
-              "--allow-no-migration"
-              "--no-interaction"
-            ]
+          ExecStart = toString [
+            (lib.getExe cfg.packages.backend)
+            "doctrine:migrations:migrate"
+            "--allow-no-migration"
+            "--no-interaction"
           ];
         };
       };

nixos/modules/services/web-apps/tranquil-pds.nix

@@ -1,251 +0,0 @@
-{
-  lib,
-  pkgs,
-  config,
-  ...
-}:
-let
-  cfg = config.services.tranquil-pds;
-
-  inherit (lib) types mkPackageOption mkOption;
-
-  settingsFormat = pkgs.formats.toml { };
-in
-{
-  options.services.tranquil-pds = {
-    enable = lib.mkEnableOption "tranquil-pds AT Protocol personal data server";
-
-    package = mkPackageOption pkgs "tranquil-pds" { };
-
-    user = mkOption {
-      type = types.str;
-      default = "tranquil-pds";
-      description = "User under which tranquil-pds runs";
-    };
-
-    group = mkOption {
-      type = types.str;
-      default = "tranquil-pds";
-      description = "Group under which tranquil-pds runs";
-    };
-
-    dataDir = mkOption {
-      type = types.str;
-      default = "/var/lib/tranquil-pds";
-      description = "Working directory for tranquil-pds. Also expected to be used for data (blobs)";
-    };
-
-    environmentFiles = mkOption {
-      type = types.listOf types.path;
-      default = [ ];
-      description = ''
-        File to load environment variables from. Loaded variables override
-        values set in {option}`environment`.
-
-        Use it to set values of `JWT_SECRET`, `DPOP_SECRET` and `MASTER_KEY`.
-
-        Generate these with:
-        ```
-        openssl rand -base64 48
-        ```
-      '';
-    };
-
-    database.createLocally = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Create the postgres database and user on the local host.
-      '';
-    };
-
-    settings = mkOption {
-      type = types.submodule {
-        freeformType = settingsFormat.type;
-
-        options = {
-          server = {
-            host = mkOption {
-              type = types.str;
-              default = "127.0.0.1";
-              description = "Host for tranquil-pds to listen on";
-            };
-
-            port = mkOption {
-              type = types.int;
-              default = 3000;
-              description = "Port for tranquil-pds to listen on";
-            };
-
-            hostname = mkOption {
-              type = types.str;
-              default = "";
-              example = "pds.example.com";
-              description = "The public-facing hostname of the PDS";
-            };
-
-            max_blob_size = mkOption {
-              type = types.int;
-              default = 10737418240; # 10 GiB
-              description = "Maximum allowed blob size in bytes.";
-            };
-          };
-
-          frontend = {
-            enabled =
-              lib.mkEnableOption "serving the frontend from the backend. Disable to serve the frontend manually"
-              // {
-                default = true;
-              };
-
-            dir = mkPackageOption pkgs "tranquil-pds-frontend" { };
-          };
-
-          storage = {
-            path = mkOption {
-              type = types.path;
-              default = "${cfg.dataDir}/blobs";
-              defaultText = "\${cfg.dataDir}/blobs";
-              description = "Directory for storing blobs";
-            };
-          };
-          tranquil_store = {
-            data_dir = mkOption {
-              type = types.path;
-              default = "${cfg.dataDir}/store";
-              defaultText = "\${cfg.dataDir}/store";
-              description = "Directory for tranquil-store files";
-            };
-          };
-        };
-      };
-
-      description = ''
-        Configuration options to set for the service. Secrets should be
-        specified using {option}`environmentFile`.
-
-        Refer to <https://tangled.org/tranquil.farm/tranquil-pds/blob/main/example.toml>
-        for available configuration options.
-      '';
-    };
-  };
-
-  config = lib.mkIf cfg.enable (
-    lib.mkMerge [
-      (lib.mkIf cfg.database.createLocally {
-        services.postgresql = {
-          enable = true;
-          ensureDatabases = [ cfg.user ];
-          ensureUsers = [
-            {
-              name = cfg.user;
-              ensureDBOwnership = true;
-            }
-          ];
-        };
-
-        services.tranquil-pds.settings.database.url =
-          lib.mkDefault "postgresql:///${cfg.user}?host=/run/postgresql";
-
-        systemd.services.tranquil-pds = {
-          requires = [ "postgresql.service" ];
-          after = [ "postgresql.service" ];
-        };
-      })
-
-      {
-        users.users.${cfg.user} = {
-          isSystemUser = true;
-          inherit (cfg) group;
-          home = cfg.dataDir;
-        };
-
-        users.groups.${cfg.group} = { };
-
-        systemd.tmpfiles.settings."tranquil-pds" =
-          lib.genAttrs
-            [
-              cfg.dataDir
-              cfg.settings.storage.path
-              cfg.settings.tranquil_store.data_dir
-            ]
-            (_: {
-              d = {
-                mode = "0750";
-                inherit (cfg) user group;
-              };
-            });
-
-        environment.etc = {
-          "tranquil-pds/config.toml".source =
-            let
-              conf = settingsFormat.generate "tranquil-pds.toml" cfg.settings;
-            in
-            pkgs.runCommandLocal "validated-tranquil-config" { nativeBuildInputs = [ cfg.package ]; } ''
-              tranquil-server --config ${conf} validate --ignore-secrets
-              ln -s ${conf} $out
-            '';
-        };
-
-        systemd.services.tranquil-pds = {
-          description = "Tranquil PDS - ATProtocol Personal Data Server";
-          after = [ "network-online.target" ];
-          wants = [ "network-online.target" ];
-          wantedBy = [ "multi-user.target" ];
-
-          serviceConfig = {
-            User = cfg.user;
-            Group = cfg.group;
-            UMask = "0077";
-            ExecStart = lib.getExe cfg.package;
-            Restart = "on-failure";
-            RestartSec = 5;
-
-            WorkingDirectory = cfg.dataDir;
-            StateDirectory = "tranquil-pds";
-            ReadWritePaths = [
-              cfg.settings.storage.path
-            ];
-
-            EnvironmentFile = cfg.environmentFiles;
-
-            CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-            ProtectProc = "invisible";
-            ProcSubset = "pid";
-            NoNewPrivileges = true;
-            ProtectSystem = "strict";
-            ProtectHome = true;
-            PrivateTmp = true;
-            PrivateDevices = true;
-            PrivateUsers = true;
-            ProtectHostname = true;
-            ProtectClock = true;
-            ProtectKernelTunables = true;
-            ProtectKernelModules = true;
-            ProtectKernelLogs = true;
-            ProtectControlGroups = true;
-            RestrictAddressFamilies = [
-              "AF_INET"
-              "AF_INET6"
-              "AF_UNIX"
-            ];
-            RestrictNamespaces = true;
-            LockPersonality = true;
-            MemoryDenyWriteExecute = true;
-            RestrictRealtime = true;
-            RestrictSUIDSGID = true;
-            RemoveIPC = true;
-            PrivateMounts = true;
-            SystemCallFilter = [
-              "@system-service"
-              "~@privileged @resources"
-            ];
-            SystemCallArchitectures = "native";
-          };
-        };
-      }
-    ]
-  );
-
-  meta.maintainers = with lib.maintainers; [ nelind ];
-}

nixos/modules/services/web-apps/weblate.nix

@@ -9,7 +9,6 @@ let
   cfg = config.services.weblate;
 
   dataDir = "/var/lib/weblate";
-  cacheDir = "${dataDir}/cache";
   settingsDir = "${dataDir}/settings";
 
   finalPackage = cfg.package.overridePythonAttrs (old: {
@@ -363,18 +362,6 @@ in
       ];
       inherit environment;
       path = weblatePath;
-      # Weblate generates SSH wrappers with some preset options that use the
-      # absolute paths of the ssh and scp binaries internally.
-      # As the wrapper is only regenerated when the generator itself is changed,
-      # this absolute nix store path becomes unusable once ssh is updated and
-      # the path is garbage collected.
-      # As generating the wrappers is a quick operation, simply deleting the
-      # wrapper directory before service start ensures they are up to date.
-      preStart = ''
-        if [ -d "${cacheDir}/ssh" ]; then
-          rm -r "${cacheDir}/ssh"
-        fi
-      '';
       serviceConfig = {
         Type = "notify";
         NotifyAccess = "all";

nixos/modules/services/web-servers/varnish/default.nix

@@ -21,9 +21,20 @@ let
   # Varnish has very strong opinions and very complicated code around handling
   # the stateDir. After a lot of back and forth, we decided that we a)
   # do not want a configurable option here, as most of the handling depends
-  # on the compile time options. Putting everything into /var/run (RAM backed)
-  # is absolutely recommended by Varnish anyways.
-  stateDir = "/var/run/varnishd";
+  # on the version and the compile time options. Putting everything into
+  # /var/run (RAM backed) is absolutely recommended by Varnish anyways.
+  # We do need to pay attention to the version-dependend variations, though!
+  stateDir =
+    if
+      (lib.versionOlder cfg.package.version "7")
+    # Remove after Varnish 6.0 is gone. In 6.0 varnishadm always appends the
+    # hostname (by default) and can't be nudged to not use any name. This has
+    # long changed by 7.5 and can be used without the host name.
+    then
+      "/var/run/varnish/${config.networking.hostName}"
+    # Newer varnish uses this:
+    else
+      "/var/run/varnishd";
 
   # from --help:
   #   -a [<name>=]address[:port][,proto] # HTTP listen address and port

nixos/modules/system/activation/activation-script.nix

@@ -322,9 +322,6 @@ in
         description = "Run user-specific NixOS activation";
         script = config.system.userActivationScripts.script;
         unitConfig.ConditionUser = "!@system";
-        # switch-to-configuration restarts this explicitly on every switch.
-        restartIfChanged = false;
-        serviceConfig.RemainAfterExit = true;
         serviceConfig.Type = "oneshot";
         wantedBy = [ "default.target" ];
       };

nixos/modules/system/activation/pre-switch-check.nix

@@ -8,18 +8,9 @@ let
   preSwitchCheckScript = lib.concatLines (
     lib.mapAttrsToList (name: text: ''
       # pre-switch check ${name}
-      #
-      # Run with errexit in a subshell that is not part of an `if`/`||`
-      # condition, so that `set -e` is actually honoured inside the
-      # check body.
-      set +e
-      (
-        set -e
+      if ! (
         ${text}
-      ) >&2
-      _rc=$?
-      set -e
-      if [ "$_rc" -ne 0 ]; then
+      ) >&2 ; then
         echo "Pre-switch check '${name}' failed" >&2
         exit 1
       fi

nixos/modules/system/boot/kernel_config.nix

@@ -29,7 +29,9 @@ let
       };
 
       freeform = mkOption {
-        type = types.nullOr types.str;
+        type = types.nullOr types.str // {
+          merge = mergeEqualOption;
+        };
         default = null;
         example = ''MMC_BLOCK_MINORS.freeform = "32";'';
         description = ''

nixos/modules/system/boot/loader/limine/limine.nix

@@ -29,7 +29,7 @@ let
       resolution = cfg.resolution;
       maxGenerations = if cfg.maxGenerations == null then 0 else cfg.maxGenerations;
       hostArchitecture = pkgs.stdenv.hostPlatform.parsed.cpu;
-      timeout = if config.boot.loader.timeout == null then "no" else config.boot.loader.timeout;
+      timeout = if config.boot.loader.timeout != null then config.boot.loader.timeout else 10;
       enableEditor = cfg.enableEditor;
       extraConfig = cfg.extraConfig;
       extraEntries = cfg.extraEntries;

nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py

@@ -3,8 +3,6 @@ import argparse
 import ctypes
 import datetime
 import errno
-import functools
-import hashlib
 import os
 import re
 import shutil
@@ -13,7 +11,7 @@ import sys
 import tempfile
 import warnings
 import json
-from typing import NamedTuple, Any, Protocol, Sequence
+from typing import NamedTuple, Any, Sequence
 from dataclasses import dataclass
 from pathlib import Path
 
@@ -21,11 +19,9 @@ from pathlib import Path
 EFI_SYS_MOUNT_POINT = Path("@efiSysMountPoint@")
 BOOT_MOUNT_POINT = Path("@bootMountPoint@")
 LOADER_CONF = EFI_SYS_MOUNT_POINT / "loader/loader.conf"  # Always stored on the ESP
-NIXOS_DIR = Path(
-    "@nixosDir@".strip("/")
-)  # Path relative to the XBOOTLDR or ESP mount point
+NIXOS_DIR = Path("@nixosDir@".strip("/")) # Path relative to the XBOOTLDR or ESP mount point
 TIMEOUT = "@timeout@"
-EDITOR = "@editor@" == "1"  # noqa: PLR0133
+EDITOR = "@editor@" == "1" # noqa: PLR0133
 CONSOLE_MODE = "@consoleMode@"
 BOOTSPEC_TOOLS = "@bootspecTools@"
 DISTRO_NAME = "@distroName@"
@@ -33,16 +29,13 @@ NIX = "@nix@"
 SYSTEMD = "@systemd@"
 CONFIGURATION_LIMIT = int("@configurationLimit@")
 REBOOT_FOR_BITLOCKER = bool("@rebootForBitlocker@")
-CAN_TOUCH_EFI_VARIABLES = "@canTouchEfiVariables@" == "1"
-GRACEFUL = "@graceful@" == "1"
+CAN_TOUCH_EFI_VARIABLES = "@canTouchEfiVariables@"
+GRACEFUL = "@graceful@"
 COPY_EXTRA_FILES = "@copyExtraFiles@"
 CHECK_MOUNTPOINTS = "@checkMountpoints@"
 STORE_DIR = "@storeDir@"
-BOOT_COUNTING_TRIES = "@bootCountingTries@"
-BOOT_COUNTING = "@bootCounting@" == "True"
 
-
-@dataclass(frozen=True)
+@dataclass
 class BootSpec:
     init: Path
     initrd: Path
@@ -57,98 +50,12 @@ class BootSpec:
     initrdSecrets: str | None = None  # noqa: N815
 
 
-class WriteBootFile(Protocol):
-    def write_boot_file(self, path: Path, *, critical: bool) -> None: ...
+libc = ctypes.CDLL("libc.so.6")
 
+FILE = None | int
 
-@dataclass
-class CopyWriter:
-    source: Path
-
-    def write_boot_file(self, path: Path, *, critical: bool) -> None:
-        if path.exists():
-            return
-        with tempfile.NamedTemporaryFile(
-            mode="wb",
-            dir=path.parent,
-            delete=False,
-            prefix=path.name,
-            suffix=".tmp",
-        ) as tmp:
-            with open(self.source, mode="rb") as source_file:
-                shutil.copyfileobj(source_file, tmp)
-            tmp.flush()
-            os.fsync(tmp.fileno())
-            tmp.close()
-            os.rename(tmp.name, path)
-
-
-@dataclass
-class InitrdWithSecretsWriter:
-    source: Path
-    initrd_secrets: Path
-    generation: int
-
-    def write_boot_file(self, path: Path, *, critical: bool) -> None:
-        # Secrets can change between rebuilds, so always rebuild from the
-        # pristine initrd into a temp file and rename into place.
-        with tempfile.NamedTemporaryFile(
-            mode="wb",
-            dir=path.parent,
-            delete=False,
-            prefix=path.name,
-            suffix=".tmp",
-        ) as tmp:
-            try:
-                with open(self.source, mode="rb") as source_file:
-                    shutil.copyfileobj(source_file, tmp)
-                tmp.flush()
-                run([self.initrd_secrets, tmp.name])
-                os.fsync(tmp.fileno())
-            except subprocess.CalledProcessError:
-                os.unlink(tmp.name)
-                if critical:
-                    print("failed to create initrd secrets!", file=sys.stderr)
-                    sys.exit(1)
-                # Keep the entry bootable by leaving at least a pristine
-                # initrd in place. CopyWriter is a no-op if one already
-                # exists.
-                CopyWriter(source=self.source).write_boot_file(path, critical=False)
-                print(
-                    "warning: failed to update initrd secrets for an older "
-                    f"generation ({self.generation}). The previous secrets "
-                    "in this initrd will continue to be used. To silence "
-                    "this warning, restore the secret files to their "
-                    "original locations or delete this generation.",
-                    file=sys.stderr,
-                )
-                return
-            except BaseException:
-                os.unlink(tmp.name)
-                raise
-            os.rename(tmp.name, path)
-
-
-@dataclass
-class ContentsWriter:
-    contents: bytes
-
-    def write_boot_file(self, path: Path, *, critical: bool) -> None:
-        if path.exists():
-            return
-        with tempfile.NamedTemporaryFile(
-            mode="wb",
-            dir=path.parent,
-            delete=False,
-            prefix=path.name,
-            suffix=".tmp",
-        ) as tmp:
-            tmp.write(self.contents)
-            tmp.flush()
-            os.fsync(tmp.fileno())
-            tmp.close()
-            os.rename(tmp.name, path)
-
+def run(cmd: Sequence[str | Path], stdout: FILE = None) -> subprocess.CompletedProcess[str]:
+    return subprocess.run(cmd, check=True, text=True, stdout=stdout)
 
 class SystemIdentifier(NamedTuple):
     profile: str | None
@@ -156,131 +63,51 @@ class SystemIdentifier(NamedTuple):
     specialisation: str | None
 
 
-@dataclass
-class BootFile:
-    path: Path
-    writer: WriteBootFile
-
-    @staticmethod
-    def from_source(source: Path) -> "BootFile":
-        return BootFile(
-            path=boot_path(source),
-            writer=CopyWriter(source=source),
-        )
-
-    @staticmethod
-    def from_initrd(
-        generation: int,
-        source: Path,
-        initrd_secrets: Path | None,
-    ) -> "BootFile":
-        if initrd_secrets is None:
-            return BootFile.from_source(source)
-        else:
-            # We're trying to calculate a canonical path unique to
-            # this initrd and secret-appender. The boot_path is the
-            # canonical path for files that don't need modifications,
-            # so it serves as a perfect proxy for the unique
-            # information to combine for a combined unique path. The
-            # original paths themselves would have also been fine, but
-            # boot_path is more semantically representative, since
-            # it's the actual path whose uniqueness we're trying to
-            # ensure for other things.
-            combined = "\n".join(
-                [str(boot_path(source)), str(boot_path(initrd_secrets))]
-            )
-            combined_hash = hashlib.sha256(combined.encode("utf-8")).hexdigest()
-            return BootFile(
-                path=NIXOS_DIR / f"{combined_hash}-initrd.efi",
-                writer=InitrdWithSecretsWriter(
-                    source=source,
-                    initrd_secrets=initrd_secrets,
-                    generation=generation,
-                ),
-            )
-
-    @staticmethod
-    def from_entry(contents: bytes) -> tuple["BootFile", str]:
-        contents_hash = hashlib.sha256(contents).hexdigest()
-        path_prefix = f"nixos-{contents_hash}"
-        pat = re.compile(rf"{re.escape(path_prefix)}(\+[0-9]+(-[0-9]+)?)?\.conf")
-        path = None
-        for e in os.scandir(path=BOOT_MOUNT_POINT / "loader" / "entries"):
-            if pat.fullmatch(e.name) is None:
-                continue
-            # Ignore files whose content does not match the hash in their
-            # name so GC removes them and a fresh entry is written.
-            if hashlib.sha256(Path(e.path).read_bytes()).hexdigest() != contents_hash:
-                continue
-            path = Path("loader/entries") / e.name
-            break
-        if path is None:
-            counters = f"+{BOOT_COUNTING_TRIES}" if BOOT_COUNTING else ""
-            path = Path(f"loader/entries/{path_prefix}{counters}.conf")
-        return (
-            BootFile(
-                path=path,
-                writer=ContentsWriter(contents=contents),
-            ),
-            f"{path_prefix}.conf",
-        )
-
-
-# This gets its own type alias to document that the order is very
-# important. The order ensures that entry files are written after
-# their respective kernel / initrd / etc.
-type BootFileList = list[BootFile]
-
-
-libc = ctypes.CDLL("libc.so.6")
-
-FILE = None | int
-
-
-def run(
-    cmd: Sequence[str | Path], stdout: FILE = None
-) -> subprocess.CompletedProcess[str]:
-    return subprocess.run(cmd, check=True, text=True, stdout=stdout, stderr=sys.stderr)
+def copy_if_not_exists(source: Path, dest: Path) -> None:
+    if not dest.exists():
+        tmpfd, tmppath = tempfile.mkstemp(dir=dest.parent, prefix=dest.name, suffix='.tmp.')
+        shutil.copyfile(source, tmppath)
+        os.fsync(tmpfd)
+        shutil.move(tmppath, dest)
 
 
 def generation_dir(profile: str | None, generation: int) -> Path:
     if profile:
-        return Path(
-            f"/nix/var/nix/profiles/system-profiles/{profile}-{generation}-link"
-        )
+        return Path(f"/nix/var/nix/profiles/system-profiles/{profile}-{generation}-link")
     else:
         return Path(f"/nix/var/nix/profiles/system-{generation}-link")
 
-
-def system_dir(
-    profile: str | None, generation: int, specialisation: str | None
-) -> Path:
+def system_dir(profile: str | None, generation: int, specialisation: str | None) -> Path:
     d = generation_dir(profile, generation)
     if specialisation:
         return d / "specialisation" / specialisation
     else:
         return d
 
+BOOT_ENTRY = """title {title}
+sort-key {sort_key}
+version Generation {generation} {description}
+linux {kernel}
+initrd {initrd}
+options {kernel_params}
+"""
 
-def write_loader_conf(default_entry_id: str | None) -> None:
+def generation_conf_filename(profile: str | None, generation: int, specialisation: str | None) -> str:
+    pieces = [
+        "nixos",
+        profile or None,
+        "generation",
+        str(generation),
+        f"specialisation-{specialisation}" if specialisation else None,
+    ]
+    return "-".join(p for p in pieces if p) + ".conf"
+
+
+def write_loader_conf(profile: str | None, generation: int, specialisation: str | None) -> None:
     tmp = LOADER_CONF.with_suffix(".tmp")
-    with tmp.open("x") as f:
+    with tmp.open('x') as f:
         f.write(f"timeout {TIMEOUT}\n")
-        if default_entry_id is None:
-            # No generation matched the requested default config; fall back to
-            # the newest entry as determined by Boot Loader Spec sorting.
-            f.write("default nixos-*\n")
-        elif BOOT_COUNTING:
-            # `preferred` (systemd-boot >= 260) honours boot assessment, so a
-            # generation that exhausted its boot counter is skipped and we fall
-            # through to `default`. systemd-boot sorts entries with
-            # tries_left == 0 to the end of the list and resolves the `default`
-            # glob against that order, so `nixos-*` yields the newest entry that
-            # is not bad, or a bad one only if every nixos entry is bad.
-            f.write(f"preferred {default_entry_id}\n")
-            f.write("default nixos-*\n")
-        else:
-            f.write(f"default {default_entry_id}\n")
+        f.write("default %s\n" % generation_conf_filename(profile, generation, specialisation))
         if not EDITOR:
             f.write("editor 0\n")
         if REBOOT_FOR_BITLOCKER:
@@ -300,9 +127,7 @@ def get_bootspec(profile: str | None, generation: int) -> BootSpec:
             try:
                 bootspec_json = json.load(f)
             except ValueError as e:
-                print(
-                    f"error: Malformed Json: {e}, in {boot_json_path}", file=sys.stderr
-                )
+                print(f"error: Malformed Json: {e}, in {boot_json_path}", file=sys.stderr)
                 sys.exit(1)
     else:
         boot_json_str = run(
@@ -318,18 +143,17 @@ def get_bootspec(profile: str | None, generation: int) -> BootSpec:
         bootspec_json = json.loads(boot_json_str)
     return bootspec_from_json(bootspec_json)
 
-
 def bootspec_from_json(bootspec_json: dict[str, Any]) -> BootSpec:
-    specialisations = bootspec_json["org.nixos.specialisation.v1"]
+    specialisations = bootspec_json['org.nixos.specialisation.v1']
     specialisations = {k: bootspec_from_json(v) for k, v in specialisations.items()}
-    systemdBootExtension = bootspec_json.get("org.nixos.systemd-boot", {})
-    sortKey = systemdBootExtension.get("sortKey", "nixos")
-    devicetree = systemdBootExtension.get("devicetree")
+    systemdBootExtension = bootspec_json.get('org.nixos.systemd-boot', {})
+    sortKey = systemdBootExtension.get('sortKey', 'nixos')
+    devicetree = systemdBootExtension.get('devicetree')
 
     if devicetree:
         devicetree = Path(devicetree)
 
-    main_json = bootspec_json["org.nixos.bootspec.v1"]
+    main_json = bootspec_json['org.nixos.bootspec.v1']
     for attr in ("kernel", "initrd", "toplevel"):
         if attr in main_json:
             main_json[attr] = Path(main_json[attr])
@@ -341,58 +165,67 @@ def bootspec_from_json(bootspec_json: dict[str, Any]) -> BootSpec:
     )
 
 
-@functools.lru_cache(maxsize=None)
-def boot_path(file: Path) -> Path:
+def copy_from_file(file: Path, dry_run: bool = False) -> Path:
+    """
+    Copy a file to the boot filesystem (XBOOTLDR if in use, otherwise ESP), basing the destination filename on the store path that's being copied from. Return the destination path, relative to the boot filesystem mountpoint.
+    """
     store_file_path = file.resolve()
     suffix = store_file_path.name
     store_subdir = store_file_path.relative_to(STORE_DIR).parts[0]
-    return NIXOS_DIR / (
-        f"{suffix}.efi" if suffix == store_subdir else f"{store_subdir}-{suffix}.efi"
-    )
+    efi_file_path = NIXOS_DIR / (f"{suffix}.efi" if suffix == store_subdir else f"{store_subdir}-{suffix}.efi")
+    if not dry_run:
+        copy_if_not_exists(store_file_path, BOOT_MOUNT_POINT / efi_file_path)
+    return efi_file_path
 
 
-def boot_file(
-    profile: str | None,
-    generation: int,
-    specialisation: str | None,
-    machine_id: str | None,
-    bootspec: BootSpec,
-) -> tuple[BootFileList, str]:
+def write_entry(profile: str | None, generation: int, specialisation: str | None,
+                machine_id: str | None, bootspec: BootSpec, current: bool) -> None:
     if specialisation:
         bootspec = bootspec.specialisations[specialisation]
-    kernel = BootFile.from_source(bootspec.kernel)
-    initrd = BootFile.from_initrd(
-        generation,
-        bootspec.initrd,
-        Path(bootspec.initrdSecrets) if bootspec.initrdSecrets is not None else None,
-    )
-    devicetree = None
-    if bootspec.devicetree is not None:
-        devicetree = BootFile.from_source(bootspec.devicetree)
-
-    kernel_params = " ".join([f"init={bootspec.init}"] + bootspec.kernelParams)
-    build_time = int(system_dir(profile, generation, specialisation).stat().st_ctime)
-    build_date = datetime.datetime.fromtimestamp(build_time).strftime("%F")
+    kernel = copy_from_file(bootspec.kernel)
+    initrd = copy_from_file(bootspec.initrd)
+    devicetree = copy_from_file(bootspec.devicetree) if bootspec.devicetree is not None else None
 
     title = "{name}{profile}{specialisation}".format(
         name=DISTRO_NAME,
         profile=" [" + profile + "]" if profile else "",
-        specialisation=" (%s)" % specialisation if specialisation else "",
-    )
-    description = f"Generation {generation} {bootspec.label}, built on {build_date}"
-    boot_entry = [
-        f"title {title}",
-        f"version {description}",
-        f"linux /{str(kernel.path)}",
-        f"initrd /{str(initrd.path)}",
-        f"options {kernel_params}",
-        f"machine-id {machine_id}" if machine_id is not None else None,
-        f"devicetree /{str(devicetree.path)}" if devicetree is not None else None,
-        f"sort-key {bootspec.sortKey}",
-    ]
-    contents = "\n".join(filter(None, boot_entry))
-    entry, bootctl_id = BootFile.from_entry(contents.encode("utf-8"))
-    return (list(filter(None, [kernel, initrd, devicetree, entry])), bootctl_id)
+        specialisation=" (%s)" % specialisation if specialisation else "")
+
+    try:
+        if bootspec.initrdSecrets is not None:
+            run([bootspec.initrdSecrets, BOOT_MOUNT_POINT / initrd])
+    except subprocess.CalledProcessError:
+        if current:
+            print("failed to create initrd secrets!", file=sys.stderr)
+            sys.exit(1)
+        else:
+            print("warning: failed to create initrd secrets "
+                  f'for "{title} - Configuration {generation}", an older generation', file=sys.stderr)
+            print("note: this is normal after having removed "
+                  "or renamed a file in `boot.initrd.secrets`", file=sys.stderr)
+    entry_file = BOOT_MOUNT_POINT / "loader/entries" / generation_conf_filename(profile, generation, specialisation)
+    tmp_path = entry_file.with_suffix(".tmp")
+    kernel_params = "init=%s " % bootspec.init
+
+    kernel_params = kernel_params + " ".join(bootspec.kernelParams)
+    build_time = int(system_dir(profile, generation, specialisation).stat().st_ctime)
+    build_date = datetime.datetime.fromtimestamp(build_time).strftime('%F')
+
+    with tmp_path.open("w") as f:
+        f.write(BOOT_ENTRY.format(title=title,
+                    sort_key=bootspec.sortKey,
+                    generation=generation,
+                    kernel=f"/{kernel}",
+                    initrd=f"/{initrd}",
+                    kernel_params=kernel_params,
+                    description=f"{bootspec.label}, built on {build_date}"))
+        if machine_id is not None:
+            f.write("machine-id %s\n" % machine_id)
+        if devicetree is not None:
+            f.write(f"devicetree /{devicetree}\n")
+        f.flush()
+        os.fsync(f.fileno())
+    tmp_path.rename(entry_file)
 
 
 def get_generations(profile: str | None = None) -> list[SystemIdentifier]:
@@ -412,15 +245,43 @@ def get_generations(profile: str | None = None) -> list[SystemIdentifier]:
     configurationLimit = CONFIGURATION_LIMIT
     configurations = [
         SystemIdentifier(
-            profile=profile, generation=int(line.split()[0]), specialisation=None
+            profile=profile,
+            generation=int(line.split()[0]),
+            specialisation=None
         )
         for line in gen_lines
     ]
     return configurations[-configurationLimit:]
 
 
+def remove_old_entries(gens: list[SystemIdentifier]) -> None:
+    rex_profile = re.compile(r"^nixos-(.*)-generation-.*\.conf$")
+    rex_generation = re.compile(r"^nixos.*-generation-([0-9]+)(-specialisation-.*)?\.conf$")
+    known_paths = []
+    for gen in gens:
+        bootspec = get_bootspec(gen.profile, gen.generation)
+        known_paths.append(copy_from_file(bootspec.kernel, True).name)
+        known_paths.append(copy_from_file(bootspec.initrd, True).name)
+        if bootspec.devicetree is not None:
+            known_paths.append(copy_from_file(bootspec.devicetree, True).name)
+    for path in (BOOT_MOUNT_POINT / "loader/entries").glob("nixos*-generation-[1-9]*.conf", case_sensitive=False):
+        if rex_profile.match(path.name):
+            prof = rex_profile.sub(r"\1", path.name)
+        else:
+            prof = None
+        try:
+            gen_number = int(rex_generation.sub(r"\1", path.name))
+        except ValueError:
+            continue
+        if (prof, gen_number, None) not in gens:
+            path.unlink()
+    for path in (BOOT_MOUNT_POINT / NIXOS_DIR).iterdir():
+        if path.name not in known_paths and not path.is_dir():
+            path.unlink()
+
+
 def cleanup_esp() -> None:
-    for path in (EFI_SYS_MOUNT_POINT / "loader" / "entries").glob("nixos*"):
+    for path in (EFI_SYS_MOUNT_POINT / "loader/entries").glob("nixos*"):
         path.unlink()
     nixos_dir = EFI_SYS_MOUNT_POINT / NIXOS_DIR
     if nixos_dir.is_dir():
@@ -430,13 +291,12 @@ def cleanup_esp() -> None:
 def get_profiles() -> list[str]:
     system_profiles = Path("/nix/var/nix/profiles/system-profiles/")
     if system_profiles.is_dir():
-        return [
-            x.name for x in system_profiles.iterdir() if not x.name.endswith("-link")
-        ]
+        return [x.name
+            for x in system_profiles.iterdir()
+            if not x.name.endswith("-link")]
     else:
         return []
 
-
 def install_bootloader(args: argparse.Namespace) -> None:
     try:
         with open("/etc/machine-id") as machine_file:
@@ -447,10 +307,7 @@ def install_bootloader(args: argparse.Namespace) -> None:
         machine_id = None
 
     if os.getenv("NIXOS_INSTALL_GRUB") == "1":
-        warnings.warn(
-            "NIXOS_INSTALL_GRUB env var deprecated, use NIXOS_INSTALL_BOOTLOADER",
-            DeprecationWarning,
-        )
+        warnings.warn("NIXOS_INSTALL_GRUB env var deprecated, use NIXOS_INSTALL_BOOTLOADER", DeprecationWarning)
         os.environ["NIXOS_INSTALL_BOOTLOADER"] = "1"
 
     # flags to pass to bootctl install/update
@@ -459,10 +316,10 @@ def install_bootloader(args: argparse.Namespace) -> None:
     if BOOT_MOUNT_POINT != EFI_SYS_MOUNT_POINT:
         bootctl_flags.append(f"--boot-path={BOOT_MOUNT_POINT}")
 
-    if not CAN_TOUCH_EFI_VARIABLES:
+    if CAN_TOUCH_EFI_VARIABLES != "1":
         bootctl_flags.append("--no-variables")
 
-    if GRACEFUL:
+    if GRACEFUL == "1":
         bootctl_flags.append("--graceful")
 
     if os.getenv("NIXOS_INSTALL_BOOTLOADER") == "1":
@@ -494,18 +351,13 @@ def install_bootloader(args: argparse.Namespace) -> None:
         #  ESP: /boot (/dev/disk/by-partuuid/9b39b4c4-c48b-4ebf-bfea-a56b2395b7e0)
         # File: ├─/EFI/systemd/HashTool.efi
         #       └─/EFI/systemd/systemd-bootx64.efi (systemd-boot 255.2)
-        installed_match = re.search(
-            r"^\W+.*/EFI/(?:BOOT|systemd)/.*\.efi \(systemd-boot ([\d.]+[^)]*)\)$",
-            installed_out,
-            re.IGNORECASE | re.MULTILINE,
-        )
+        installed_match = re.search(r"^\W+.*/EFI/(?:BOOT|systemd)/.*\.efi \(systemd-boot ([\d.]+[^)]*)\)$",
+                      installed_out, re.IGNORECASE | re.MULTILINE)
 
         available_match = re.search(r"^\((.*)\)$", available_out)
 
         if installed_match is None:
-            raise Exception(
-                "Could not find any previously installed systemd-boot. If you are switching to systemd-boot from a different bootloader, you need to run `nixos-rebuild switch --install-bootloader`"
-            )
+            raise Exception("Could not find any previously installed systemd-boot. If you are switching to systemd-boot from a different bootloader, you need to run `nixos-rebuild switch --install-bootloader`")
 
         if available_match is None:
             raise Exception("could not determine systemd-boot version")
@@ -514,11 +366,7 @@ def install_bootloader(args: argparse.Namespace) -> None:
         available_version = available_match.group(1)
 
         if installed_version < available_version:
-            print(
-                "updating systemd-boot from %s to %s"
-                % (installed_version, available_version),
-                file=sys.stderr,
-            )
+            print("updating systemd-boot from %s to %s" % (installed_version, available_version), file=sys.stderr)
             run(
                 [f"{SYSTEMD}/bin/bootctl", f"--esp-path={EFI_SYS_MOUNT_POINT}"]
                 + bootctl_flags
@@ -532,45 +380,24 @@ def install_bootloader(args: argparse.Namespace) -> None:
     for profile in get_profiles():
         gens += get_generations(profile)
 
-    boot_files: BootFileList = []
-    critical_paths: set[Path] = set()
-
-    default_config = Path(args.default_config)
-    default_entry_id: str | None = None
+    remove_old_entries(gens)
 
     for gen in gens:
-        bootspec = get_bootspec(gen.profile, gen.generation)
-        is_default = Path(bootspec.init).parent == default_config
-        new_boot_files, new_bootctl_id = boot_file(*gen, machine_id, bootspec)
-        boot_files.extend(new_boot_files)
-        if is_default:
-            default_entry_id = new_bootctl_id
-            critical_paths.update(bf.path for bf in new_boot_files)
-        for specialisation_name, specialisation in bootspec.specialisations.items():
-            is_default = Path(specialisation.init).parent == default_config
-            new_boot_files, new_bootctl_id = boot_file(
-                gen.profile,
-                gen.generation,
-                specialisation_name,
-                machine_id,
-                bootspec,
-            )
-            boot_files.extend(new_boot_files)
+        try:
+            bootspec = get_bootspec(gen.profile, gen.generation)
+            is_default = Path(bootspec.init).parent == Path(args.default_config)
+            write_entry(*gen, machine_id, bootspec, current=is_default)
+            for specialisation in bootspec.specialisations.keys():
+                write_entry(gen.profile, gen.generation, specialisation, machine_id, bootspec, current=is_default)
             if is_default:
-                default_entry_id = new_bootctl_id
-                critical_paths.update(bf.path for bf in new_boot_files)
-
-    # Garbage-collect stale kernels/initrds/entries before re-populating extra
-    # files, so that user-supplied extraEntries (which may also live under
-    # loader/entries and start with `nixos-`) are not removed again.
-    garbage_collect(boot_files)
-
-    write_boot_files(boot_files, critical_paths)
-
-    write_loader_conf(default_entry_id)
-
-    remove_extra_files()
-    run([COPY_EXTRA_FILES])
+                write_loader_conf(*gen)
+        except OSError as e:
+            # See https://github.com/NixOS/nixpkgs/issues/114552
+            if e.errno == errno.EINVAL:
+                profile = f"profile '{gen.profile}'" if gen.profile else "default profile"
+                print("ignoring {} in the list of boot entries because of the following error:\n{}".format(profile, e), file=sys.stderr)
+            else:
+                raise e
 
     if BOOT_MOUNT_POINT != EFI_SYS_MOUNT_POINT:
         # Cleanup any entries in ESP if xbootldrMountPoint is set.
@@ -578,8 +405,6 @@ def install_bootloader(args: argparse.Namespace) -> None:
         # automatically, as we don't have information about the mount point anymore.
         cleanup_esp()
 
-
-def remove_extra_files() -> None:
     extra_files_dir = BOOT_MOUNT_POINT / NIXOS_DIR / ".extra-files"
     for root, _, files in extra_files_dir.walk(top_down=False):
         relative_root = root.relative_to(extra_files_dir)
@@ -596,45 +421,12 @@ def remove_extra_files() -> None:
 
     extra_files_dir.mkdir(parents=True, exist_ok=True)
 
-
-def garbage_collect(gc_roots: BootFileList) -> None:
-    keep = {BOOT_MOUNT_POINT / gc_root.path for gc_root in gc_roots}
-
-    def delete_path(e: os.DirEntry) -> None:
-        if e.is_file(follow_symlinks=True) and Path(e.path) not in keep:
-            os.remove(e.path)
-
-    for e in os.scandir(BOOT_MOUNT_POINT / NIXOS_DIR):
-        delete_path(e)
-
-    for e in os.scandir(BOOT_MOUNT_POINT / "loader" / "entries"):
-        match = re.fullmatch(r"nixos-.+\.conf", e.name)
-        if match:
-            delete_path(e)
-
-
-def write_boot_files(boot_files: BootFileList, critical_paths: set[Path]) -> None:
-    # Deduplicate by destination path so shared files are written once.
-    seen: set[Path] = set()
-    for boot_file in boot_files:
-        if boot_file.path in seen:
-            continue
-        seen.add(boot_file.path)
-        boot_file.writer.write_boot_file(
-            BOOT_MOUNT_POINT / boot_file.path,
-            critical=boot_file.path in critical_paths,
-        )
+    run([COPY_EXTRA_FILES])
 
 
 def main() -> None:
-    parser = argparse.ArgumentParser(
-        description=f"Update {DISTRO_NAME}-related systemd-boot files"
-    )
-    parser.add_argument(
-        "default_config",
-        metavar="DEFAULT-CONFIG",
-        help=f"The default {DISTRO_NAME} config to boot",
-    )
+    parser = argparse.ArgumentParser(description=f"Update {DISTRO_NAME}-related systemd-boot files")
+    parser.add_argument('default_config', metavar='DEFAULT-CONFIG', help=f"The default {DISTRO_NAME} config to boot")
     args = parser.parse_args()
 
     run([CHECK_MOUNTPOINTS])
@@ -648,18 +440,13 @@ def main() -> None:
         # event sync the efi filesystem after each update.
         rc = libc.syncfs(os.open(f"{BOOT_MOUNT_POINT}", os.O_RDONLY))
         if rc != 0:
-            print(
-                f"could not sync {BOOT_MOUNT_POINT}: {os.strerror(rc)}", file=sys.stderr
-            )
+            print(f"could not sync {BOOT_MOUNT_POINT}: {os.strerror(rc)}", file=sys.stderr)
 
         if BOOT_MOUNT_POINT != EFI_SYS_MOUNT_POINT:
             rc = libc.syncfs(os.open(EFI_SYS_MOUNT_POINT, os.O_RDONLY))
             if rc != 0:
-                print(
-                    f"could not sync {EFI_SYS_MOUNT_POINT}: {os.strerror(rc)}",
-                    file=sys.stderr,
-                )
+                print(f"could not sync {EFI_SYS_MOUNT_POINT}: {os.strerror(rc)}", file=sys.stderr)
 
 
-if __name__ == "__main__":
+if __name__ == '__main__':
     main()

nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix

@@ -97,9 +97,6 @@ let
           '') cfg.extraEntries
         )}
       '';
-
-      bootCountingTries = cfg.bootCounting.tries;
-      bootCounting = if cfg.bootCounting.enable then "True" else "False";
     };
   };
 
@@ -420,26 +417,6 @@ in
       '';
     };
 
-    bootCounting = {
-      enable = mkEnableOption ''
-        [Automatic Boot Assessment](https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT/).
-
-        New boot entries are written with a boot counter in the file name. On
-        each boot, systemd-boot decrements the counter; once the booted system
-        reaches `boot-complete.target`, `systemd-bless-boot.service` removes the
-        counter and marks the entry as good. An entry whose counter reaches zero
-        is considered bad and will be skipped in favour of an older generation
-      '';
-      tries = mkOption {
-        default = 3;
-        type = types.ints.positive;
-        description = ''
-          Number of boot attempts a freshly written entry is given before it is
-          considered bad.
-        '';
-      };
-    };
-
     rebootForBitlocker = mkOption {
       default = false;
 

nixos/modules/system/boot/timesyncd.nix

@@ -1,37 +1,26 @@
-{
-  config,
-  lib,
-  utils,
-  ...
-}:
+{ config, lib, ... }:
+
+with lib;
 
 let
   cfg = config.services.timesyncd;
 in
 {
 
-  imports = [
-    (lib.mkRemovedOptionModule [
-      "services"
-      "timesyncd"
-      "extraConfig"
-    ] "Use services.timesyncd.settings.Time instead.")
-  ];
-
   options = {
 
-    services.timesyncd = {
-      enable = lib.mkOption {
+    services.timesyncd = with types; {
+      enable = mkOption {
         default = !config.boot.isContainer;
-        defaultText = lib.literalExpression "!config.boot.isContainer";
-        type = lib.types.bool;
+        defaultText = literalExpression "!config.boot.isContainer";
+        type = bool;
         description = ''
           Enables the systemd NTP client daemon.
         '';
       };
-      servers = lib.mkOption {
+      servers = mkOption {
         default = null;
-        type = lib.types.nullOr (lib.types.listOf lib.types.str);
+        type = nullOr (listOf str);
         description = ''
           The set of NTP servers from which to synchronise.
 
@@ -42,10 +31,10 @@ in
           See {manpage}`timesyncd.conf(5)` for details.
         '';
       };
-      fallbackServers = lib.mkOption {
+      fallbackServers = mkOption {
         default = config.networking.timeServers;
-        defaultText = lib.literalExpression "config.networking.timeServers";
-        type = lib.types.nullOr (lib.types.listOf lib.types.str);
+        defaultText = literalExpression "config.networking.timeServers";
+        type = nullOr (listOf str);
         description = ''
           The set of fallback NTP servers from which to synchronise.
 
@@ -56,23 +45,21 @@ in
           See {manpage}`timesyncd.conf(5)` for details.
         '';
       };
-      settings.Time = lib.mkOption {
-        default = { };
-        type = lib.types.submodule {
-          freeformType = lib.types.attrsOf utils.systemdUtils.unitOptions.unitOption;
-        };
-        example = {
-          PollIntervalMaxSec = 180;
-        };
+      extraConfig = mkOption {
+        default = "";
+        type = lines;
+        example = ''
+          PollIntervalMaxSec=180
+        '';
         description = ''
-          Settings for systemd-timesyncd. See {manpage}`timesyncd.conf(5)` for
-          available options.
+          Extra config options for systemd-timesyncd. See
+          {manpage}`timesyncd.conf(5)` for available options.
         '';
       };
     };
   };
 
-  config = lib.mkIf cfg.enable {
+  config = mkIf cfg.enable {
 
     systemd.additionalUpstreamSystemUnits = [ "systemd-timesyncd.service" ];
 
@@ -89,17 +76,16 @@ in
       environment.LD_LIBRARY_PATH = config.system.nssModules.path;
     };
 
-    services.timesyncd.settings.Time = lib.mkMerge [
-      (lib.mkIf (cfg.servers != null) {
-        NTP = lib.mkDefault (lib.concatStringsSep " " cfg.servers);
-      })
-      (lib.mkIf (cfg.fallbackServers != null) {
-        FallbackNTP = lib.mkDefault (lib.concatStringsSep " " cfg.fallbackServers);
-      })
-    ];
-
-    environment.etc."systemd/timesyncd.conf".text =
-      utils.systemdUtils.lib.settingsToSections cfg.settings;
+    environment.etc."systemd/timesyncd.conf".text = ''
+      [Time]
+    ''
+    + optionalString (cfg.servers != null) ''
+      NTP=${concatStringsSep " " cfg.servers}
+    ''
+    + optionalString (cfg.fallbackServers != null) ''
+      FallbackNTP=${concatStringsSep " " cfg.fallbackServers}
+    ''
+    + cfg.extraConfig;
 
     users.users.systemd-timesync = {
       uid = config.ids.uids.systemd-timesync;

nixos/modules/system/etc/etc-activation.nix

@@ -173,18 +173,5 @@
 
     })
 
-    (lib.mkIf (config.system.etc.overlay.enable && !config.system.etc.overlay.mutable) {
-      # Systemd requires /etc/machine-id exists or can be initialized on first
-      # boot. This file should not be part of an image or system config because
-      # it is unique to the machine, so it is initialized at first boot and
-      # persisted in the system state directory, /var/lib/nixos.
-      environment.etc."machine-id".source = lib.mkDefault "/var/lib/nixos/machine-id";
-      boot.initrd.systemd.tmpfiles.settings.machine-id."/sysroot/var/lib/nixos/machine-id".f =
-        lib.mkDefault
-          {
-            argument = "uninitialized";
-          };
-    })
-
   ];
 }

nixos/modules/tasks/network-interfaces-scripted.nix

@@ -430,9 +430,8 @@ let
                 rm -f /run/${n}.interfaces
               '';
               reload = ''
-                # shellcheck disable=SC2013
                 # Un-enslave child interfaces (old list of interfaces)
-                for interface in $(cat /run/${n}.interfaces); do
+                for interface in `cat /run/${n}.interfaces`; do
                   ip link set dev "$interface" nomaster up
                 done
 

nixos/modules/virtualisation/lxcfs.nix

@@ -41,7 +41,7 @@ in
       serviceConfig = {
         ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/lxcfs";
         ExecStart = "${pkgs.lxcfs}/bin/lxcfs /var/lib/lxcfs";
-        ExecStopPost = "-${pkgs.fuse3}/bin/fusermount3 -u /var/lib/lxcfs";
+        ExecStopPost = "-${pkgs.fuse}/bin/fusermount -u /var/lib/lxcfs";
         KillMode = "process";
         Restart = "on-failure";
       };

nixos/modules/virtualisation/nspawn-container/run-nspawn/package.nix

@@ -3,10 +3,10 @@
   e2fsprogs,
   iproute2,
   lib,
+  mypy,
   ruff,
   setuptools,
   systemd,
-  ty,
 }:
 
 buildPythonApplication {
@@ -35,13 +35,13 @@ buildPythonApplication {
   doCheck = true;
 
   nativeCheckInputs = [
+    mypy
     ruff
-    ty
   ];
 
   checkPhase = ''
-    echo -e "\x1b[32m## run ty\x1b[0m"
-    ty check --error-on-warning run_nspawn
+    echo -e "\x1b[32m## run mypy\x1b[0m"
+    mypy run_nspawn
     echo -e "\x1b[32m## run ruff check\x1b[0m"
     ruff check .
     echo -e "\x1b[32m## run ruff format\x1b[0m"

nixos/modules/virtualisation/qemu-vm.nix

@@ -551,7 +551,7 @@ in
         y = 768;
       };
       description = ''
-        The resolution of the virtual machine display (relevant only if virtualised machine uses grub bootloader).
+        The resolution of the virtual machine display.
       '';
     };
 

nixos/tests/all-tests.nix

@@ -153,7 +153,6 @@ in
     console-log = runTest ./nixos-test-driver/console-log.nix;
     containers = runTest ./nixos-test-driver/containers.nix;
     skip-typecheck = runTest ./nixos-test-driver/skip-typecheck.nix;
-    options-doc-regression = import ./nixos-test-driver/options-doc-regression.nix { inherit pkgs; };
     driver-timeout =
       pkgs.runCommand "ensure-timeout-induced-failure"
         {
@@ -456,6 +455,7 @@ in
   dependency-track = runTest ./dependency-track.nix;
   devpi-server = runTest ./devpi-server.nix;
   dex-oidc = runTest ./dex-oidc.nix;
+  dhparams = runTest ./dhparams.nix;
   dictd = runTest ./dictd.nix;
   disable-installer-tools = runTest ./disable-installer-tools.nix;
   discourse = runTest {
@@ -495,7 +495,6 @@ in
   drupal = runTest ./drupal.nix;
   dublin-traceroute = runTest ./dublin-traceroute.nix;
   dwl = runTestOn [ "x86_64-linux" "aarch64-linux" ] ./dwl.nix;
-  e57inspector = runTest ./e57inspector.nix;
   early-mount-options = runTest ./early-mount-options.nix;
   earlyoom = runTestOn [ "x86_64-linux" ] ./earlyoom.nix;
   easytier = runTest ./easytier.nix;
@@ -597,7 +596,6 @@ in
   firezone = runTest ./firezone/firezone.nix;
   fish = runTest ./fish.nix;
   flannel = runTestOn [ "x86_64-linux" ] ./flannel.nix;
-  flap-alerted = runTest ./flap-alerted.nix;
   flaresolverr = runTest ./flaresolverr.nix;
   flood = runTest ./flood.nix;
   fluent-bit = runTest ./fluent-bit.nix;
@@ -675,7 +673,6 @@ in
   gobgpd = runTest ./gobgpd.nix;
   gocd-agent = runTest ./gocd-agent.nix;
   gocd-server = runTest ./gocd-server.nix;
-  gocryptfs = runTest ./gocryptfs.nix;
   gokapi = runTest ./gokapi.nix;
   gollum = runTest ./gollum.nix;
   gonic = runTest ./gonic.nix;
@@ -802,7 +799,6 @@ in
   installer = handleTest ./installer.nix { systemdStage1 = false; };
   installer-systemd-stage-1 = handleTest ./installer.nix { systemdStage1 = true; };
   intune = runTest ./intune.nix;
-  inventree = runTest ./inventree.nix;
   invidious = runTest ./invidious.nix;
   invoiceplane = runTest ./invoiceplane.nix;
   iodine = runTest ./iodine.nix;
@@ -1123,6 +1119,7 @@ in
   nimdow = runTest ./nimdow.nix;
   nipap = runTest ./web-apps/nipap.nix;
   nitter = runTest ./nitter.nix;
+  nix-channel = pkgs.callPackage ../modules/config/nix-channel/test.nix { };
   nix-config = runTest ./nix-config.nix;
   nix-daemon-firewall = runTest ./nix-daemon-firewall.nix;
   nix-daemon-unprivileged = runTest ./nix-daemon-unprivileged.nix;
@@ -1594,10 +1591,7 @@ in
   systemd = runTest ./systemd.nix;
   systemd-analyze = runTest ./systemd-analyze.nix;
   systemd-binfmt = handleTestOn [ "x86_64-linux" ] ./systemd-binfmt.nix { };
-  systemd-boot = import ./systemd-boot.nix {
-    inherit runTest runTestOn;
-    inherit (pkgs) lib;
-  };
+  systemd-boot = import ./systemd-boot.nix { inherit runTest runTestOn; };
   systemd-bpf = runTest ./systemd-bpf.nix;
   systemd-capsules = runTest ./systemd-capsules.nix;
   systemd-confinement = handleTest ./systemd-confinement { };
@@ -1666,7 +1660,6 @@ in
   systemd-sysusers-immutable = runTest ./systemd-sysusers-immutable.nix;
   systemd-sysusers-mutable = runTest ./systemd-sysusers-mutable.nix;
   systemd-sysusers-password-option-override-ordering = runTest ./systemd-sysusers-password-option-override-ordering.nix;
-  systemd-timesyncd = runTest ./systemd-timesyncd.nix;
   systemd-timesyncd-nscd-dnssec = runTest ./systemd-timesyncd-nscd-dnssec.nix;
   systemd-user-linger = runTest ./systemd-user-linger.nix;
   systemd-user-linger-purge = runTest ./systemd-user-linger-purge.nix;
@@ -1715,7 +1708,6 @@ in
   tracee = handleTestOn [ "x86_64-linux" ] ./tracee.nix { };
   traefik = runTestOn [ "aarch64-linux" "x86_64-linux" ] ./traefik.nix;
   trafficserver = runTest ./trafficserver.nix;
-  tranquil-pds = runTest ./tranquil-pds.nix;
   transfer-sh = runTest ./transfer-sh.nix;
   transmission_4 = runTest ./transmission.nix;
   trezord = runTest ./trezord.nix;
@@ -1766,6 +1758,10 @@ in
   utils = import ./utils { inherit runTest; };
   uwsgi = runTest ./uwsgi.nix;
   v2ray = runTest ./v2ray.nix;
+  varnish60 = runTest {
+    imports = [ ./varnish.nix ];
+    _module.args.package = pkgs.varnish60;
+  };
   varnish80 = runTest {
     imports = [ ./varnish.nix ];
     _module.args.package = pkgs.varnish80;

nixos/tests/caddy.nix

@@ -73,7 +73,7 @@
           services.caddy = {
             package = pkgs.caddy.withPlugins {
               plugins = [ "github.com/caddyserver/replace-response@v0.0.0-20250618171559-80962887e4c6" ];
-              hash = "sha256-0N/bQAM5yT6g9UAteWsfxofGcelmU/NDTroS2oL43Gs=";
+              hash = "sha256-kKWXpxEAn23yud8tcgw7FFOaxLjoodZ/cuM1239TRoY=";
             };
             configFile = pkgs.writeText "Caddyfile" ''
               {

nixos/tests/dhparams.nix

@@ -0,0 +1,143 @@
+{
+  name = "dhparams";
+
+  nodes.machine =
+    { pkgs, ... }:
+    {
+      security.dhparams.enable = true;
+      environment.systemPackages = [ pkgs.openssl ];
+
+      specialisation = {
+        gen1.configuration =
+          { config, ... }:
+          {
+            security.dhparams.params = {
+              # Use low values here because we don't want the test to run for ages.
+              foo.bits = 1024;
+              # Also use the old format to make sure the type is coerced in the right
+              # way.
+              bar = 1025;
+            };
+
+            systemd.services.foo = {
+              description = "Check systemd Ordering";
+              wantedBy = [ "multi-user.target" ];
+              before = [ "shutdown.target" ];
+              conflicts = [ "shutdown.target" ];
+              unitConfig = {
+                # This is to make sure that the dhparams generation of foo occurs
+                # before this service so we need this service to start as early as
+                # possible to provoke a race condition.
+                DefaultDependencies = false;
+
+                # We check later whether the service has been started or not.
+                ConditionPathExists = config.security.dhparams.params.foo.path;
+              };
+              serviceConfig.Type = "oneshot";
+              serviceConfig.RemainAfterExit = true;
+              # The reason we only provide an ExecStop here is to ensure that we don't
+              # accidentally trigger an error because a file system is not yet ready
+              # during very early startup (we might not even have the Nix store
+              # available, for example if future changes in NixOS use systemd mount
+              # units to do early file system initialisation).
+              serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true";
+            };
+          };
+        gen2.configuration = {
+          security.dhparams.params.foo.bits = 1026;
+        };
+        gen3.configuration = { };
+        gen4.configuration = {
+          security.dhparams.stateful = false;
+          security.dhparams.params.foo2.bits = 1027;
+          security.dhparams.params.bar2.bits = 1028;
+        };
+        gen5.configuration = {
+          security.dhparams.defaultBitSize = 1029;
+          security.dhparams.params.foo3 = { };
+          security.dhparams.params.bar3 = { };
+        };
+      };
+    };
+
+  testScript =
+    { nodes, ... }:
+    let
+      getParamPath =
+        gen: name:
+        let
+          node = "gen${toString gen}";
+        in
+        nodes.machine.config.specialisation.${node}.configuration.security.dhparams.params.${name}.path;
+
+      switchToGeneration =
+        gen:
+        let
+          switchCmd = "${nodes.machine.config.system.build.toplevel}/specialisation/gen${toString gen}/bin/switch-to-configuration test";
+        in
+        ''
+          with machine.nested("switch to generation ${toString gen}"):
+            machine.succeed("${switchCmd}")
+        '';
+
+    in
+    ''
+      import re
+
+
+      def assert_param_bits(path, bits):
+          with machine.nested(f"check bit size of {path}"):
+              output = machine.succeed(f"openssl dhparam -in {path} -text")
+              pattern = re.compile(r"^\s*DH Parameters:\s+\((\d+)\s+bit\)\s*$", re.M)
+              match = pattern.match(output)
+              if match is None:
+                  raise Exception("bla")
+              if match[1] != str(bits):
+                  raise Exception(f"bit size should be {bits} but it is {match[1]} instead.")
+
+      machine.wait_for_unit("multi-user.target")
+      ${switchToGeneration 1}
+
+      with subtest("verify startup order"):
+          machine.succeed("systemctl is-active foo.service")
+
+      with subtest("check bit sizes of dhparam files"):
+          assert_param_bits("${getParamPath 1 "foo"}", 1024)
+          assert_param_bits("${getParamPath 1 "bar"}", 1025)
+
+      ${switchToGeneration 2}
+
+      with subtest("check whether bit size has changed"):
+          assert_param_bits("${getParamPath 2 "foo"}", 1026)
+
+      with subtest("ensure that dhparams file for 'bar' was deleted"):
+          machine.fail("test -e ${getParamPath 1 "bar"}")
+
+      ${switchToGeneration 3}
+
+      with subtest("ensure that 'security.dhparams.path' has been deleted"):
+          machine.fail("test -e ${nodes.machine.config.specialisation.gen3.configuration.security.dhparams.path}")
+
+      ${switchToGeneration 4}
+
+      with subtest("check bit sizes dhparam files"):
+          assert_param_bits(
+              "${getParamPath 4 "foo2"}", 1027
+          )
+          assert_param_bits(
+              "${getParamPath 4 "bar2"}", 1028
+          )
+
+      with subtest("check whether dhparam files are in the Nix store"):
+          machine.succeed(
+              "expr match ${getParamPath 4 "foo2"} ${builtins.storeDir}",
+              "expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}",
+          )
+
+      ${switchToGeneration 5}
+
+      with subtest("check whether defaultBitSize works as intended"):
+          assert_param_bits("${getParamPath 5 "foo3"}", 1029)
+          assert_param_bits("${getParamPath 5 "bar3"}", 1029)
+    '';
+}

nixos/tests/e57inspector.nix

@@ -1,38 +0,0 @@
-{ pkgs, ... }:
-{
-  name = "e57inspector";
-  meta.maintainers = with pkgs.lib.maintainers; [
-    nh2
-    chpatrick
-  ];
-
-  nodes.machine =
-    { ... }:
-    {
-      imports = [
-        ./common/x11.nix
-      ];
-
-      services.xserver.enable = true;
-      environment.systemPackages = [
-        pkgs.e57inspector
-        pkgs.xdotool
-      ];
-    };
-
-  testScript =
-    let
-      testFile = pkgs.fetchurl {
-        url = "https://raw.githubusercontent.com/asmaloney/libE57Format-test-data/bbcacec05d60f923869545c5eab33d94c390d50e/self/ColouredCubeFloat.e57";
-        hash = "sha256-bb95crNYvX3Qhkx4k6Sqe2GjOf1u4nxxswMfdjyXfTM=";
-      };
-    in
-    ''
-      start_all()
-      machine.wait_for_x()
-
-      machine.execute("e57inspector ${testFile} >&2 &")
-      machine.wait_until_succeeds("xdotool search --pid $(pidof .e57inspector-wrapped)")
-      machine.screenshot("screen")
-    '';
-}

nixos/tests/flap-alerted.nix

@@ -1,128 +0,0 @@
-{ config, lib, ... }:
-
-{
-  name = "flap-alerted";
-  meta.maintainers = with lib.maintainers; [ defelo ];
-
-  nodes.machine = {
-    services.flap-alerted = {
-      enable = true;
-      settings = {
-        asn = 4213370001;
-        bgpListenAddress = ":1790";
-        routeChangeCounter = 5;
-        overThresholdTarget = 1;
-      };
-    };
-
-    services.bird = {
-      enable = true;
-      preCheckConfig = ''
-        mkdir -p /tmp/bird
-        touch /tmp/bird/routes.conf
-      '';
-      config = ''
-        router id 192.168.1.1;
-
-        protocol device { }
-
-        protocol bgp flapalerted {
-          local 2001:db8:1::1 as 4213370001;
-          neighbor ::1 as 4213370001 port 1790;
-
-          ipv4 {
-            add paths on;
-            export all;
-            import none;
-            extended next hop on;
-          };
-
-          ipv6 {
-            add paths on;
-            export all;
-            import none;
-          };
-        }
-
-        protocol static {
-          include "/tmp/bird/routes.conf";
-
-          ipv4 {
-            import all;
-            export none;
-          };
-        }
-      '';
-    };
-
-    systemd.services.bird.serviceConfig.BindReadOnlyPaths = [ "/tmp/bird" ];
-
-    systemd.tmpfiles.settings.bird-static-routes."/tmp/bird/routes.conf".f = { };
-  };
-
-  interactive.sshBackdoor.enable = true;
-  interactive.defaults.virtualisation.graphics = false;
-
-  interactive.nodes.machine = {
-    services.flap-alerted.settings.httpAPIListenAddress = ":8699";
-    networking.firewall.allowedTCPPorts = [ 8699 ];
-    virtualisation.forwardPorts = [
-      {
-        from = "host";
-        host.port = 8699;
-        guest.port = 8699;
-      }
-    ];
-  };
-
-  testScript = ''
-    import json
-    import random
-    import time
-
-    machine.log(machine.succeed("systemd-analyze security flap-alerted.service --threshold=11 --no-pager"))
-
-    machine.wait_for_unit("bird.service")
-    machine.wait_for_unit("flap-alerted.service")
-    machine.wait_for_open_port(1790)
-    machine.wait_for_open_port(8699)
-
-    resp = json.loads(machine.succeed("curl localhost:8699/capabilities"))
-    expected_version = "v${config.nodes.machine.services.flap-alerted.package.version}"
-    assert resp["Version"] == expected_version
-
-    for _ in range(10):
-      resp = json.loads(machine.succeed("curl localhost:8699/sessions"))
-      if len(resp) == 1: break
-      time.sleep(1)
-    else:
-      assert False, "failed to establish bgp session"
-    assert resp[0]["RouterID"] == "192.168.1.1"
-
-    resp = json.loads(machine.succeed("curl localhost:8699/flaps/active/compact"))
-    assert resp == []
-
-    def flap():
-      route = lambda idx, gw: f"""
-        route 10.0.{idx}.0/24 via 10.254.254.{gw} dev \"eth0\" onlink {{
-          bgp_path.prepend(4213370002);
-          bgp_path.prepend({4213370002 + gw});
-        }};
-      """
-      with open("routes.conf", "w") as f:
-        for i in range(1, 4): # stable routes
-          f.write(route(i, i))
-        for i in range(4, 7): # flappy routes
-          f.write(route(i, random.randint(1, 254)))
-      machine.copy_from_host("routes.conf", "/tmp/bird/routes.conf")
-      machine.succeed("birdc configure")
-
-    t = time.time()
-    while time.time() - t < 70:
-      flap()
-      time.sleep(1)
-
-    resp = json.loads(machine.succeed("curl localhost:8699/flaps/active/compact"))
-    assert sorted(x["Prefix"] for x in resp) == ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
-  '';
-}

nixos/tests/gocryptfs.nix

@@ -1,51 +0,0 @@
-{
-  name = "gocryptfs";
-  meta = {
-    maintainers = [ ];
-  };
-
-  nodes.machine =
-    { pkgs, ... }:
-    {
-
-      environment.systemPackages = [
-        pkgs.gocryptfs
-        pkgs.openssl
-      ];
-
-      specialisation.fstab-test.configuration = {
-        # This can't be fileSytems, as the qemu machinery doesn't honor it.
-        virtualisation.fileSystems."/plain" = {
-          device = "/encrypted";
-          fsType = "fuse.gocryptfs";
-          options = [
-            "nofail"
-            "allow_other"
-            "passfile=/tmp/password.txt"
-          ];
-        };
-      };
-    };
-
-  testScript = ''
-    # Initialize a gocryptfs filesystem and mount it
-    machine.succeed("openssl rand -base64 32 > /tmp/password.txt")
-    machine.succeed("mkdir -p /encrypted /plain")
-    machine.succeed("gocryptfs -init /encrypted  -passfile /tmp/password.txt -quiet")
-    machine.succeed("gocryptfs /encrypted /plain  -passfile /tmp/password.txt -quiet")
-
-    # Drop a canary file and unmount
-    machine.succeed("echo success > /plain/data.txt")
-    machine.succeed("fusermount -u /plain")
-
-    # Switch to a specialisation that has this in /etc/fstab
-    machine.succeed("/run/current-system/specialisation/fstab-test/bin/switch-to-configuration switch")
-
-    # Wait for mounts
-    machine.wait_for_unit("local-fs.target")
-
-    # Ensure the canary is alive
-    machine.succeed("grep -q success /plain/data.txt")
-
-  '';
-}

nixos/tests/incus/incus-tests-module.nix

@@ -1,12 +1,10 @@
 {
-  config,
   lib,
   pkgs,
   ...
 }:
 let
   jsonFormat = pkgs.formats.json { };
-  cfg = config.tests.incus;
 in
 {
   options.tests.incus = {
@@ -76,11 +74,7 @@ in
             config =
               let
                 releases = import ../../release.nix {
-                  configuration = lib.recursiveUpdate config.nixosConfig {
-                    virtualisation.incus = {
-                      inherit (cfg) package;
-                    };
-                  };
+                  configuration = config.nixosConfig;
                 };
 
                 images = {

nixos/tests/installed-tests/default.nix

@@ -107,6 +107,7 @@ in
   gsconnect = callInstalledTest ./gsconnect.nix { };
   json-glib = callInstalledTest ./json-glib.nix { };
   ibus = callInstalledTest ./ibus.nix { };
+  libgdata = callInstalledTest ./libgdata.nix { };
   glib-testing = callInstalledTest ./glib-testing.nix { };
   libjcat = callInstalledTest ./libjcat.nix { };
   libxmlb = callInstalledTest ./libxmlb.nix { };