makehuman: mark broken

Signed-off-by: phanirithvij <phanirithvij2000@gmail.com> (cherry picked from commit ebb943a800)
various: use finalAttrs
2026-06-06 05:13:37 +00:00 · 2026-05-30 13:30:30 +00:00 · 2026-05-30 13:30:30 +00:00 · 2026-05-30 13:30:30 +00:00 · 2026-05-30 13:30:30 +00:00 · 2026-05-30 13:30:29 +00:00
469 changed files with 15603 additions and 8187 deletions
--- a/.github/labeler-no-sync.yml
+++ b/.github/labeler-no-sync.yml
@@ -33,4 +33,15 @@
              - maintainers/github-teams.json
      - base-branch: ['master']

+"backport release-26.05":
+  - all:
+      - changed-files:
+          - any-glob-to-any-file:
+              - .github/actions/**/*
+              - .github/workflows/*
+              - .github/labeler*.yml
+              - ci/**/*.*
+              - maintainers/github-teams.json
+      - base-branch: ['master']
+
 # keep-sorted end
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -9,6 +9,7 @@
          - '^release-'
          - '^staging-\d'
          - '^staging-next-\d'
+          - '^staging-nixos-\d'

 # NOTE: bsd, darwin and cross-compilation labels are handled by ofborg
 "6.topic: agda":
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -21,7 +21,7 @@ defaults:
 jobs:
  backport:
    name: Backport Pull Request
-    if: vars.NIXPKGS_CI_APP_ID && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
+    if: vars.NIXPKGS_CI_CLIENT_ID && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
    runs-on: ubuntu-slim
    timeout-minutes: 3
    steps:
@@ -30,7 +30,7 @@ jobs:
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-contents: write
          permission-pull-requests: write
--- a/.github/workflows/bot.yml
+++ b/.github/workflows/bot.yml
@@ -57,10 +57,10 @@ jobs:

      # Use a GitHub App, because it has much higher rate limits: 12,500 instead of 5,000 req / hour.
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_CLIENT_ID
        id: app-token
        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-contents: write
--- a/.github/workflows/comment.yml
+++ b/.github/workflows/comment.yml
@@ -31,10 +31,10 @@ jobs:

      # Use the GitHub App to make sure the reaction happens with the same user who will later merge.
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_CLIENT_ID
        id: app-token
        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-pull-requests: write

--- a/.github/workflows/edited.yml
+++ b/.github/workflows/edited.yml
@@ -39,7 +39,7 @@ jobs:
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-pull-requests: write

--- a/.github/workflows/periodic-merge-24h.yml
+++ b/.github/workflows/periodic-merge-24h.yml
@@ -22,7 +22,7 @@ defaults:

 jobs:
  periodic-merge:
-    if: github.repository_owner == 'NixOS'
+    if: github.repository_owner == 'NixOS' || github.event_name == 'workflow_dispatch'
    strategy:
      # don't fail fast, so that all pairs are tried
      fail-fast: false
@@ -35,10 +35,14 @@ jobs:
            into: staging-next-25.11
          - from: staging-next-25.11
            into: staging-25.11
-          - from: master
+          - from: release-25.11
+            into: staging-nixos-25.11
+          - from: release-26.05
            into: staging-next-26.05
          - from: staging-next-26.05
            into: staging-26.05
+          - from: release-26.05
+            into: staging-nixos-26.05
          - name: merge-base(master,staging) → haskell-updates
            from: master staging
            into: haskell-updates
@@ -49,3 +53,34 @@ jobs:
    name: ${{ matrix.pairs.name || format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
    secrets:
      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
+
+  # Resets the target branch of the current haskell-updates PR.
+  # This makes GitHub hide all the commits that are already part of staging and gives us a much clearer PR view.
+  haskell-updates:
+    needs: periodic-merge
+    runs-on: ubuntu-slim
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Find PR and update target branch
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          script: |
+            // There will at most be a single haskell-updates PR anyway, so no need to paginate.
+            await Promise.all(
+              (
+                await github.rest.pulls.list({
+                  ...context.repo,
+                  state: 'open',
+                  head: `${context.repo.owner}:haskell-updates`,
+                })
+              ).data.map((pr) =>
+                github.rest.pulls.update({
+                  ...context.repo,
+                  pull_number: pr.number,
+                  // Just updating to the same branch to trigger a UI update.
+                  // This is staging most of the time, but could be staging-next in rare cases.
+                  base: pr.base.ref,
+                }),
+              ),
+            )
--- a/.github/workflows/periodic-merge-6h.yml
+++ b/.github/workflows/periodic-merge-6h.yml
@@ -22,7 +22,7 @@ defaults:

 jobs:
  periodic-merge:
-    if: github.repository_owner == 'NixOS'
+    if: github.repository_owner == 'NixOS' || github.event_name == 'workflow_dispatch'
    strategy:
      # don't fail fast, so that all pairs are tried
      fail-fast: false
--- a/.github/workflows/periodic-merge.yml
+++ b/.github/workflows/periodic-merge.yml
@@ -29,7 +29,7 @@ jobs:
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-contents: write
          permission-pull-requests: write
--- a/.github/workflows/review.yml
+++ b/.github/workflows/review.yml
@@ -28,10 +28,10 @@ jobs:

      # Use the GitHub App to make sure the reaction happens with the same user who will later merge.
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_CLIENT_ID
        id: app-token
        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-pull-requests: write

--- a/.github/workflows/teams.yml
+++ b/.github/workflows/teams.yml
@@ -22,7 +22,7 @@ jobs:
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
+          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-contents: write
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -442,6 +442,7 @@ The staging workflow is used for all stable branches with corresponding names:
 - `master`/`release-YY.MM`
 - `staging`/`staging-YY.MM`
 - `staging-next`/`staging-next-YY.MM`
+- `staging-nixos`/`staging-nixos-YY.MM`

 [^1]: Except changes that cause no more rebuilds than kernel updates

@@ -505,7 +506,7 @@ These PRs go to `staging-nixos`, see [the next section for more context](#change
 Changes causing a rebuild of all NixOS tests get a special [`10.rebuild-nixos-tests`](https://github.com/NixOS/nixpkgs/issues?q=state%3Aopen%20label%3A10.rebuild-nixos-tests) label.
 These changes pose a significant impact on the build infrastructure.

-Hence, these PRs should either target a `staging`-branch or `staging-nixos`, provided one of following conditions applies:
+Hence, these PRs should either target a `staging`-branch or `staging-nixos`-branch, provided one of following conditions applies:

 * The label `10.rebuild-nixos-tests` is set, or
 * The PR is a change affecting the Linux kernel.
--- a/ci/OWNERS
+++ b/ci/OWNERS
@@ -188,8 +188,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @Artturin @Ericson2314 @lo
 /maintainers/scripts/update-python-libraries  @mweinelt @natsukium
 /pkgs/by-name/up/update-python-libraries      @mweinelt @natsukium
 /pkgs/development/interpreters/python         @mweinelt @natsukium
-/pkgs/top-level/python-packages.nix                     @natsukium
-/pkgs/top-level/release-python.nix                      @natsukium

 # CUDA
 /pkgs/top-level/cuda-packages.nix             @NixOS/cuda-maintainers
--- a/ci/github-script/check-target-branch.js
+++ b/ci/github-script/check-target-branch.js
@@ -102,9 +102,8 @@ async function checkTargetBranch({ github, context, core, dry }) {
    changed.attrdiff.changed.includes('nixosTests.simple-container') ||
    changed.attrdiff.changed.includes('nixosTests.simple-vm')

-  // https://github.com/NixOS/nixpkgs/pull/481205#issuecomment-3790123921
-  // These should go to staging-nixos instead of master,
-  // but release-xx.xx (not staging-xx.xx) when backported
+  // https://github.com/NixOS/nixpkgs/pull/521157
+  // These should go to master and release-xx.xx when backported
  let isExemptKernelUpdate = false
  if (prInfo.changed_files === 1) {
    const changedFiles = (
@@ -115,11 +114,8 @@ async function checkTargetBranch({ github, context, core, dry }) {
    ).data
    isExemptKernelUpdate =
      changedFiles.length === 1 &&
-      (changedFiles[0].filename ===
-        'pkgs/os-specific/linux/kernel/xanmod-kernels.nix' ||
-        (base.startsWith('release-') &&
-          changedFiles[0].filename ===
-            'pkgs/os-specific/linux/kernel/kernels-org.json'))
+      changedFiles[0].filename ===
+        'pkgs/os-specific/linux/kernel/xanmod-kernels.nix'
  }

  // https://github.com/NixOS/nixpkgs/pull/483194#issuecomment-3793393218
@@ -164,8 +160,10 @@ async function checkTargetBranch({ github, context, core, dry }) {
      branchText = '(probably either `staging-nixos` or `staging`)'
    } else if (base === 'master') {
      branchText = '(probably `staging-nixos`)'
+    } else if (maxRebuildCount >= 500) {
+      branchText = `(probably either \`staging-nixos-${split(base).version}\` or \`staging-${split(base).version}\`)`
    } else {
-      branchText = `(probably \`staging-${split(base).version}\`)`
+      branchText = `(probably \`staging-nixos-${split(base).version}\`)`
    }
    const body = [
      `The PR's base branch is set to \`${base}\`, but this PR rebuilds all NixOS tests.`,
--- a/doc/languages-frameworks/beam.section.md
+++ b/doc/languages-frameworks/beam.section.md
@@ -6,46 +6,68 @@ In this document and related Nix expressions, we use the term, _BEAM_, to descri

 ## Available versions and deprecations schedule {#available-versions-and-deprecations-schedule}

+### Erlang OTP {#erlang}
+
+Nixpkgs follows upstream Erlang in their [support lifecycle](https://erlang.org/download/otp_versions_tree.html) and keeps up to the last 3 released versions of Erlang available. Due to upstream and NixOS release timings, this may mean removal of the oldest release prior to upstream fully dropping support.
+
 ### Elixir {#elixir}

-Nixpkgs follows the [official elixir deprecation schedule](https://hexdocs.pm/elixir/compatibility-and-deprecations.html) and keeps the last 5 released versions of Elixir available.
+Nixpkgs follows the [official elixir deprecation schedule](https://hexdocs.pm/elixir/compatibility-and-deprecations.html) and keeps up to the last 5 released versions of Elixir available.

 ## Structure {#beam-structure}

-All BEAM-related expressions are available via the top-level `beam` attribute, which includes:
+All BEAM-related expressions are available via top-level package sets. It is recommended to work with a single package set to ensure consistent versions.

- `interpreters`: a set of compilers running on the BEAM, including multiple Erlang/OTP versions (`beam.interpreters.erlang_22`, etc), Elixir (`beam.interpreters.elixir`) and LFE (Lisp Flavoured Erlang) (`beam.interpreters.lfe`).
+- `beamPackages` - default OTP version
+- `beamMinimalPackages` - default OTP version, without wxwidgets, which saves ~1GB in closure size

- `packages`: a set of package builders (Mix and rebar3), each compiled with a specific Erlang/OTP version, e.g. `beam.packages.erlang22`.
+There are also OTP version specific package sets, e.g. for OTP 28:

-The default Erlang compiler, defined by `beam.interpreters.erlang`, is aliased as `erlang`. The default BEAM package set is defined by `beam.packages.erlang` and aliased at the top level as `beamPackages`.
+- `beam28Packages`
+- `beamMinimal28Packages`

-To create a package builder built with a custom Erlang version, use the lambda, `beam.packagesWith`, which accepts an Erlang/OTP derivation and produces a package builder similar to `beam.packages.erlang`.
+Inside each package set are:

-Many Erlang/OTP distributions available in `beam.interpreters` have versions with ODBC and/or Java enabled or without wx (no observer support). For example, there's `beam.interpreters.erlang_22_odbc_javac`, which corresponds to `beam.interpreters.erlang_22` and `beam.interpreters.erlang_22_nox`, which corresponds to `beam.interpreters.erlang_22`.
+- erlang itself (version comes from package set)
+- interpreters: elixir (multiple versions, e.g. elixir_1_18) and lfe
+- packages: rebar3, hex, etc
+- builders: mixRelease, buildRebar3, etc
+- hooks: for composing builders and packages

-## Build Tools {#build-tools}
+To use a non-default Elixir it's important to keep the rest of the package set consistent, so it's recommended to use `.extend`. This ensures that builders like `mixRelease`, `fetchMixDeps`, and `buildMix` all pick up the overridden Elixir:

-### Rebar3 {#build-tools-rebar3}
+```nix
+let
+  beamPackages = beam27Packages.extend (self: super: { elixir = self.elixir_1_18; });
+in
+beamPackages.mixRelease {
+  # ...
+}
+```

-We provide a version of Rebar3, under `rebar3`. We also provide a helper to fetch Rebar3 dependencies from a lockfile under `fetchRebar3Deps`.
+## Build Tools {#beam-build-tools}

-We also provide a version on Rebar3 with plugins included, under `rebar3WithPlugins`. This package is a function which takes two arguments: `plugins`, a list of nix derivations to include as plugins (loaded only when specified in `rebar.config`), and `globalPlugins`, which should always be loaded by rebar3. Example: `rebar3WithPlugins { globalPlugins = [beamPackages.pc]; }`.
+### Rebar3 {#beam-build-tools-rebar3}
+
+We provide a version of Rebar3, under `beamPackages.rebar3`. We also provide a helper to fetch Rebar3 dependencies from a lockfile under `beamPackages.fetchRebar3Deps`.
+
+We also provide a version on Rebar3 with plugins included, under `beamPackages.rebar3WithPlugins`. This package is a function which takes two arguments: `plugins`, a list of nix derivations to include as plugins (loaded only when specified in `rebar.config`), and `globalPlugins`, which should always be loaded by rebar3. Example: `beamPackages.rebar3WithPlugins { globalPlugins = [beamPackages.pc]; }`.

 When adding a new plugin it is important that the `name` attribute is the same as the atom used by rebar3 to refer to the plugin.

-### Mix & Erlang.mk {#build-tools-other}
+### Erlang.mk {#beam-build-tools-erlangmk}

 Erlang.mk works exactly as expected. There is a bootstrap process that needs to be run, which is supported by the `buildErlangMk` derivation.

-For Elixir applications use `mixRelease` to make a release. See examples for more details.
+### Mix {#beam-build-tools-mix}

-There is also a `buildMix` helper, whose behavior is closer to that of `buildErlangMk` and `buildRebar3`. The primary difference is that mixRelease makes a release, while buildMix only builds the package, making it useful for libraries and other dependencies.
+For Elixir applications that use [mix release](https://hexdocs.pm/mix/Mix.Release.html), use the `mixRelease` builder to make a release. See examples for more details.
+
+There is also a `buildMix` helper, whose behavior is closer to that of `buildErlangMk` and `buildRebar3`. The primary difference is that `mixRelease` makes a release, while `buildMix` only builds the package, which is more useful for libraries and other dependencies.

 ## How to Install BEAM Packages {#how-to-install-beam-packages}

-BEAM builders are not registered at the top level, because they are not relevant to the vast majority of Nix users.
-To use any of those builders into your environment, refer to them by their attribute path under `beamPackages`, e.g. `beamPackages.rebar3`:
+To use any of these builders in your environment, refer to them by their attribute path under `beamPackages` (or another BEAM package set), e.g. `beamPackages.rebar3`:

 ::: {.example #ex-beam-ephemeral-shell}
 # Ephemeral shell
@@ -75,35 +97,39 @@ pkgs.mkShell { packages = [ pkgs.beamPackages.rebar3 ]; }

 #### Rebar3 Packages {#rebar3-packages}

-The Nix function, `buildRebar3`, defined in `beam.packages.erlang.buildRebar3` and aliased at the top level, can be used to build a derivation that understands how to build a Rebar3 project.
-
-If a package needs to compile native code via Rebar3's port compilation mechanism, add `compilePort = true;` to the derivation.
+The builder `beamPackages.buildRebar3` can be used to build a derivation that understands how to build a Rebar3 project.

 #### Erlang.mk Packages {#erlang-mk-packages}

-Erlang.mk functions similarly to Rebar3, except we use `buildErlangMk` instead of `buildRebar3`.
+Erlang.mk functions similarly to Rebar3, except we use `beamPackages.buildErlangMk` instead of `beamPackages.buildRebar3`.
+
+If a package needs to compile native code via Erlang.mk's port compilation mechanism, add `compilePorts = true;` to the derivation.
+
+### Elixir Applications {#packaging-elixir-applications}

 #### Mix Packages {#mix-packages}

-`mixRelease` is used to make a release in the mix sense. Dependencies will need to be fetched with `fetchMixDeps` and passed to it.
+`beamPackages.mixRelease` is used to make a release in the mix sense. Dependencies will need to be fetched with `beamPackages.fetchMixDeps` and passed to it.

 #### mixRelease - Elixir Phoenix example {#mix-release-elixir-phoenix-example}

-there are 3 steps: frontend dependencies (javascript), backend dependencies (elixir), and the final derivation that puts both of those together
+There are 3 steps: frontend dependencies (javascript), backend dependencies (elixir), and the final derivation that puts both of those together.

 ##### mixRelease - Frontend dependencies (javascript) {#mix-release-javascript-deps}

-For phoenix projects, inside of Nixpkgs you can either use `fetchYarnDeps` or `buildNpmPackage`. An example with `fetchYarnDeps` can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pl/plausible/package.nix). An example with `fetchYarnDeps` will follow. To package something outside of nixpkgs, you have alternatives like [npmlock2nix](https://github.com/nix-community/npmlock2nix) or [nix-npm-buildpackage](https://github.com/serokell/nix-npm-buildpackage)
+For phoenix projects, inside of Nixpkgs you can either use `fetchYarnDeps` or `buildNpmPackage`. An example with `buildNpmPackage` can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pl/plausible/package.nix), and an example with `fetchYarnDeps` can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pi/pinchflat/package.nix).

 ##### mixRelease - backend dependencies (mix) {#mix-release-mix-deps}

-There are 2 ways to package backend dependencies. With mix2nix and with a fixed-output-derivation (FOD).
+There are 2 ways to package backend dependencies: either per-dependency mix2nix or with a fixed-output-derivation (FOD).
+
+When writing an elixir project targeting `mixRelease`, you can also consider using [deps_nix](https://github.com/code-supply/deps_nix) with `mixNixDeps`. `deps_nix` supports git dependencies, but is intended to be added to the project's `mix.exs` directly.

 ###### mix2nix {#mix2nix}

 `mix2nix` is a cli tool available in Nixpkgs. It will generate a Nix expression from a `mix.lock` file. It is quite standard in the 2nix tool series.

-Note that currently mix2nix can't handle git dependencies inside the mix.lock file. If you have git dependencies, you can either add them manually (see [example](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/pleroma/default.nix#L20)) or use the FOD method.
+Note that currently mix2nix can't handle git dependencies inside the mix.lock file. If you have git dependencies, you can either add them manually (see [example](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pl/pleroma/package.nix)) or use the FOD method.

 The advantage of using mix2nix is that nix will know your whole dependency graph. On a dependency update, this won't trigger a full rebuild and download of all the dependencies, where FOD will do so.

@@ -151,7 +177,7 @@ You will need to run the build process once to fix the hash to correspond to you

 ###### FOD {#fixed-output-derivation}

-A fixed output derivation will download mix dependencies from the internet. To ensure reproducibility, a hash will be supplied. Note that mix is relatively reproducible. An FOD generating a different hash on each run hasn't been observed (as opposed to npm where the chances are relatively high). See [elixir-ls](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/beam-modules/elixir-ls/default.nix) for a usage example of FOD.
+A fixed output derivation will download mix dependencies from the internet. To ensure reproducibility, a hash will be supplied. Note that mix is relatively reproducible. An FOD generating a different hash on each run hasn't been observed (as opposed to npm where the chances are relatively high). See [akkoma](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/ak/akkoma/package.nix) for a usage example of FOD.

 Practical steps

@@ -176,12 +202,11 @@ Note that if after you've replaced the value, nix suggests another hash, then mi
 Here is how your `default.nix` file would look for a Phoenix project.

 ```nix
-with import <nixpkgs> { };
-
+{
+  # beam27Packages or beam29Packages is available if you need a particular version
+  beamPackages,
+}:
 let
-  # beam.interpreters.erlang_26 is available if you need a particular version
-  packages = beam.packagesWith beam.interpreters.erlang;
-
  pname = "your_project";
  version = "0.0.1";

@@ -191,7 +216,7 @@ let
  };

  # if using mix2nix you can use the mixNixDeps attribute
-  mixFodDeps = packages.fetchMixDeps {
+  mixFodDeps = beamPackages.fetchMixDeps {
    pname = "mix-deps-${pname}";
    inherit src version;
    # nix will complain and tell you the right value to replace this with
@@ -200,11 +225,8 @@ let
    # if you have build time environment variables add them here
    MY_ENV_VAR = "my_value";
  };
-
-  nodeDependencies = (pkgs.callPackage ./assets/default.nix { }).shell.nodeDependencies;
-
 in
-packages.mixRelease {
+beamPackages.mixRelease {
  inherit
    src
    pname
@@ -215,9 +237,6 @@ packages.mixRelease {
  MY_ENV_VAR = "my_value";

  postBuild = ''
-    ln -sf ${nodeDependencies}/lib/node_modules assets/node_modules
-    npm run deploy --prefix ./assets
-
    # for external task you need a workaround for the no deps check flag
    # https://github.com/phoenixframework/phoenix/issues/2690
    mix do deps.loadpaths --no-deps-check, phx.digest
@@ -229,7 +248,7 @@ packages.mixRelease {
 Setup will require the following steps:

 - Move your secrets to runtime environment variables. For more information refer to the [runtime.exs docs](https://hexdocs.pm/mix/Mix.Tasks.Release.html#module-runtime-configuration). On a fresh Phoenix build that would mean that both `DATABASE_URL` and `SECRET_KEY` need to be moved to `runtime.exs`.
- `cd assets` and `nix-shell -p node2nix --run "node2nix --development"` will generate a Nix expression containing your frontend dependencies
+- Generate a Nix expression for your frontend dependencies using `fetchNpmDeps`/`buildNpmPackage` or `fetchYarnDeps`, depending on whether the project uses npm or yarn
 - commit and push those changes
 - you can now `nix-build .`
 - To run the release, set the `RELEASE_TMP` environment variable to a directory that your program has write access to. It will be used to store the BEAM settings.
@@ -248,7 +267,7 @@ in your project with the following
 }:

 let
-  release = pkgs.callPackage ./default.nix;
+  release = pkgs.callPackage ./default.nix { };
  release_name = "app";
  working_directory = "/home/app";
 in
@@ -320,9 +339,10 @@ Usually, we need to create a `shell.nix` file and do our development inside the

 with pkgs;
 let
-  elixir = beam.packages.erlang_27.elixir_1_18;
+  # pin OTP via beam27Packages/beam28Packages/... and Elixir via .extend
+  beamPackages = beam27Packages.extend (self: super: { elixir = self.elixir_1_18; });
 in
-mkShell { buildInputs = [ elixir ]; }
+mkShell { buildInputs = [ beamPackages.elixir ]; }
 ```

 ### Using an overlay {#beam-using-overlays}
@@ -337,7 +357,7 @@ let
    self: super: {
      elixir_1_18 = super.elixir_1_18.override {
        version = "1.18.1";
-        sha256 = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+        hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
      };
    }
  );
@@ -355,18 +375,17 @@ Here is an example `shell.nix`.
 with import <nixpkgs> { };

 let
+  # pin OTP via beam27Packages/beam28Packages/... and Elixir via .extend
+  beamPackages = beam27Packages.extend (self: super: { elixir = self.elixir_1_18; });
+
  # define packages to install
  basePackages = [
    git
-    # replace with beam.packages.erlang.elixir_1_18 if you need
-    beam.packages.erlang.elixir
+    beamPackages.elixir
    nodejs
    postgresql_14
-    # only used for frontend dependencies
-    # you are free to use yarn2nix as well
-    nodePackages.node2nix
    # formatting js file
-    nodePackages.prettier
+    prettier
  ];

  inputs = basePackages ++ lib.optionals stdenv.hostPlatform.isLinux [ inotify-tools ];
@@ -379,13 +398,13 @@ let
    export HEX_HOME=$PWD/.nix-mix
    # make hex from Nixpkgs available
    # `mix local.hex` will install hex into MIX_HOME and should take precedence
-    export MIX_PATH="${beam.packages.erlang.hex}/lib/erlang/lib/hex/ebin"
+    export MIX_PATH="${beamPackages.hex}/lib/erlang/lib/hex/ebin"
    export PATH=$MIX_HOME/bin:$HEX_HOME/bin:$PATH
    export LANG=C.UTF-8
    # keep your shell history in iex
    export ERL_AFLAGS="-kernel shell_history enabled"

-    # postges related
+    # postgres related
    # keep all your db data in a folder inside the project
    export PGDATA="$PWD/db"

--- a/doc/languages-frameworks/texlive.section.md
+++ b/doc/languages-frameworks/texlive.section.md
@@ -2,9 +2,7 @@

 There is a TeX Live packaging that lives entirely under attribute `texlive`.

-## User's guide (experimental new interface) {#sec-language-texlive-user-guide-experimental}
-
-Release 23.11 ships with a new interface that will eventually replace `texlive.combine`.
+## User's guide {#sec-language-texlive-user-guide}

 - For basic usage, use some of the prebuilt environments available at the top level, such as `texliveBasic`, `texliveSmall`. For the full list of prebuilt environments, inspect `texlive.schemes`.

@@ -24,7 +22,7 @@ Release 23.11 ships with a new interface that will eventually replace `texlive.c

 - `texlive.withPackages` uses the same logic as `buildEnv`. Only parts of a package are installed in an environment: its 'runtime' files (`tex` output), binaries (`out` output), and support files (`tlpkg` output). Moreover, man and info pages are assembled into separate `man` and `info` outputs. To add only the TeX files of a package, or its documentation (`texdoc` output), just specify the outputs:
  ```nix
-  texlive.withPackages (
+  texliveBasic.withPackages (
    ps: with ps; [
      texdoc # recommended package to navigate the documentation
      perlPackages.LaTeXML.tex # tex files of LaTeXML, omit binaries
@@ -34,64 +32,19 @@ Release 23.11 ships with a new interface that will eventually replace `texlive.c
  )
  ```

+- To add the documentation for all packages in the environment, use
+  ```nix
+  texliveSmall.overrideAttrs { withDocs = true; }
+  ```
+  This can be applied before or after calling `withPackages`. The parameter `withSources` adds all source containers.
+
 - All packages distributed by TeX Live, which contains most of CTAN, are available and can be found under `texlive.pkgs`:
  ```ShellSession
  $ nix repl
  nix-repl> :l <nixpkgs>
  nix-repl> texlive.pkgs.[TAB]
  ```
-  Note that the packages in `texlive.pkgs` are only provided for search purposes and must not be used directly.
-
- **Experimental and subject to change without notice:** to add the documentation for all packages in the environment, use
-  ```nix
-  texliveSmall.__overrideTeXConfig { withDocs = true; }
-  ```
-  This can be applied before or after calling `withPackages`.
-
-  The function currently supports the parameters `withDocs`, `withSources`, and `requireTeXPackages`.
-
-## User's guide {#sec-language-texlive-user-guide}
-
- For basic usage just pull `texlive.combined.scheme-basic` for an environment with basic LaTeX support.
-
- It typically won't work to use separately installed packages together. Instead, you can build a custom set of packages like this. Most CTAN packages should be available:
-
-  ```nix
-  texlive.combine {
-    inherit (texlive)
-      scheme-small
-      collection-langkorean
-      algorithms
-      cm-super
-      ;
-  }
-  ```
-
- There are all the schemes, collections and a few thousand packages, as defined upstream (perhaps with tiny differences).
-
- By default you only get executables and files needed during runtime, and a little documentation for the core packages. To change that, you need to add `pkgFilter` function to `combine`.
-
-  ```nix
-  texlive.combine {
-    # inherit (texlive) whatever-you-want;
-    pkgFilter =
-      pkg: pkg.tlType == "run" || pkg.tlType == "bin" || pkg.hasManpages || pkg.pname == "cm-super";
-    # elem tlType [ "run" "bin" "doc" "source" ]
-    # there are also other attributes: version, name
-  }
-  ```
-
- You can list packages e.g. by `nix repl`.
-
-  ```ShellSession
-  $ nix repl
-  nix-repl> :l <nixpkgs>
-  nix-repl> texlive.collection-[TAB]
-  ```
-
- Note that the wrapper assumes that the result has a chance to be useful. For example, the core executables should be present, as well as some core data files. The supported way of ensuring this is by including some scheme, for example, `scheme-basic`, into the combination.
-
- TeX Live packages are also available under `texlive.pkgs` as derivations with outputs `out`, `tex`, `texdoc`, `texsource`, `tlpkg`, `man`, `info`. They cannot be installed outside of `texlive.combine` but are available for other uses. To repackage a font, for instance, use
+  These are derivations with outputs `out`, `tex`, `texdoc`, `texsource`, `tlpkg`, `man`, `info`. They cannot be installed outside of `texlive.withPackages` but are available for other uses. To repackage a font, for instance, use

  ```nix
  stdenvNoCC.mkDerivation (finalAttrs: {
@@ -112,9 +65,9 @@ Release 23.11 ships with a new interface that will eventually replace `texlive.c

 ## Custom packages {#sec-language-texlive-custom-packages}

-You may find that you need to use an external TeX package. A derivation for such package has to provide the contents of the "texmf" directory in its `"tex"` output, according to the [TeX Directory Structure](https://tug.ctan.org/tds/tds.html). Dependencies on other TeX packages can be listed in the attribute `tlDeps`.
+You may find that you need to use an external TeX package. A derivation for such package has to provide the contents of the "texmf" directory in its `"tex"` output, according to the [TeX Directory Structure](https://tug.ctan.org/tds/tds.html). Dependencies on other TeX packages can be listed in the attribute `passthru.tlDeps`, which is a function taking a package set and returning a list of packages.

-The functions `texlive.combine` and `texlive.withPackages` recognise the following outputs:
+The function `texlive.withPackages` recognise the following outputs:

 - `"out"`: contents are linked in the TeX Live environment, and binaries in the `$out/bin` folder are wrapped;
 - `"tex"`: linked in `$TEXMFDIST`; files should follow the TDS (for instance `$tex/tex/latex/foiltex/foiltex.cls`);
@@ -122,8 +75,6 @@ The functions `texlive.combine` and `texlive.withPackages` recognise the followi
 - `"tlpkg"`: linked in `$TEXMFROOT/tlpkg`;
 - `"man"`, `"info"`, ...: the other outputs are combined into separate outputs.

-When using `pkgFilter`, `texlive.combine` will assign `tlType` respectively `"bin"`, `"run"`, `"doc"`, `"source"`, `"tlpkg"` to the above outputs.
-
 Here is a (very verbose) example. See also the packages `auctex`, `eukleides`, `mftrace` for more examples.

 ```nix
@@ -138,7 +89,7 @@ let
      "tex"
      "texdoc"
    ];
-    passthru.tlDeps = with texlive; [ latex ];
+    passthru.tlDeps = ps: [ ps.latex ];

    srcs = [
      (fetchurl {
@@ -169,13 +120,14 @@ let
          latexmk
        ]
      ))
-      # multiple-outputs.sh fails if $out is not defined
-      (writeShellScript "force-tex-output.sh" ''
-        out="''${tex-}"
-      '')
      writableTmpDirAsHomeHook # Need a writable $HOME for latexmk
    ];

+    # multiple-outputs.sh fails if $out is not defined
+    preHook = ''
+      out="''${tex-}"
+    '';
+
    dontConfigure = true;

    buildPhase = ''
--- a/doc/packages/linux.section.md
+++ b/doc/packages/linux.section.md
@@ -119,11 +119,10 @@ $ pkgs/os-specific/linux/kernel/update.sh
 The change gets submitted like this:

 * File a PR against `staging-nixos`.
-  * Add a `backport release-XX.XX` label for an automated backport.
-    We don't expect many other changes on that branch to require a backport, hence there's no such branch for stable.
+  * Add a `backport staging-nixos-XX.XX` label for an automated backport.
    By using an additional PR, we get the automatic backport against stable without manual cherry-picks.
-* Merge into `staging-nixos`.
-* File as PR from `staging-nixos` against `master`.
+* Merge into `staging-nixos` or `staging-nixos-XX.XX`.
+* File as PR from `staging-nixos` against `master` or `staging-nixos-XX.XX` against `release-xx.xx`.
 * When all status checks are green, merge.

 ### Add a new (major) version of the Linux kernel {#sec-linux-add-new-kernel-version}
--- a/doc/redirects.json
+++ b/doc/redirects.json
@@ -899,6 +899,9 @@
  "var-go-buildTestBinaries": [
    "index.html#var-go-buildTestBinaries"
  ],
+  "var-meta-donationPage": [
+    "index.html#var-meta-donationPage"
+  ],
  "var-meta-identifiers-cpe": [
    "index.html#var-meta-identifiers-cpe"
  ],
@@ -3049,19 +3052,28 @@
  "available-versions-and-deprecations-schedule": [
    "index.html#available-versions-and-deprecations-schedule"
  ],
+  "erlang": [
+    "index.html#erlang"
+  ],
  "elixir": [
    "index.html#elixir"
  ],
  "beam-structure": [
    "index.html#beam-structure"
  ],
-  "build-tools": [
+  "beam-build-tools": [
+    "index.html#beam-build-tools",
    "index.html#build-tools"
  ],
-  "build-tools-rebar3": [
+  "beam-build-tools-rebar3": [
+    "index.html#beam-build-tools-rebar3",
    "index.html#build-tools-rebar3"
  ],
-  "build-tools-other": [
+  "beam-build-tools-erlangmk": [
+    "index.html#beam-build-tools-erlangmk"
+  ],
+  "beam-build-tools-mix": [
+    "index.html#beam-build-tools-mix",
    "index.html#build-tools-other"
  ],
  "how-to-install-beam-packages": [
@@ -3079,6 +3091,9 @@
  "packaging-erlang-applications": [
    "index.html#packaging-erlang-applications"
  ],
+  "packaging-elixir-applications": [
+    "index.html#packaging-elixir-applications"
+  ],
  "rebar3-packages": [
    "index.html#rebar3-packages"
  ],
@@ -4428,11 +4443,9 @@
  "sec-language-texlive": [
    "index.html#sec-language-texlive"
  ],
-  "sec-language-texlive-user-guide-experimental": [
-    "index.html#sec-language-texlive-user-guide-experimental"
-  ],
  "sec-language-texlive-user-guide": [
-    "index.html#sec-language-texlive-user-guide"
+    "index.html#sec-language-texlive-user-guide",
+    "index.html#sec-language-texlive-user-guide-experimental"
  ],
  "sec-language-texlive-custom-packages": [
    "index.html#sec-language-texlive-custom-packages"
--- a/doc/release-notes/rl-2511.section.md
+++ b/doc/release-notes/rl-2511.section.md
@@ -44,7 +44,7 @@

 - `base16-builder` node package has been removed due to lack of upstream maintenance.

- `budgie-desktop` has been updated [10.9.4](https://github.com/BuddiesOfBudgie/budgie-desktop/releases/tag/v10.9.4). This changes `XDG_CURRENT_DESKTOP` from `Budgie:GNOME` to `Budgie` and contains ABI bumps for libpeas2 migration.
+- `budgie-desktop` has been updated to [10.9.4](https://github.com/BuddiesOfBudgie/budgie-desktop/releases/tag/v10.9.4). This changes `XDG_CURRENT_DESKTOP` from `Budgie:GNOME` to `Budgie` and contains ABI bumps for libpeas2 migration.

 - `buildGoModule` removes the compatibility layer of `CGO_ENABLED` not specified via `env`.
  Specifying `CGO_ENABLED` directly now results in an error.
@@ -53,7 +53,7 @@

 - `cardboard` has been removed due to the package having been broken since at least November 2024.

- `carla` no longer support `gtk2` override.
+- `carla` no longer supports `gtk2` override.

 - `chatgpt-retrieval-plugin` has been removed due to the package having been broken since at least November 2024.

@@ -135,7 +135,7 @@

 - `linux` and all other Linux kernel packages have moved all in-tree kernel modules into a new `modules` output.

- `lxde` scope has been removed, and its packages have been moved the top-level.
+- `lxde` scope has been removed, and its packages have been moved to the top-level.

 - `mariadb` now defaults to `mariadb_114` instead of `mariadb_1011`, meaning the default version was upgraded from 10.11.x to 11.4.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-4/) for potential issues.

@@ -183,7 +183,7 @@
 - `pcp` has been removed because the upstream repo was archived and it hasn't been updated since 2021.

 - `podofo` has been updated from `0.9.8` to `1.0.0`. These releases are by nature very incompatible due to major API changes. The legacy versions can be found under `podofo_0_10` and `podofo_0_9`.
-  Changelog: https://github.com/podofo/podofo/blob/1.0.0/CHANGELOG.md, API-Migration-Guide: https://github.com/podofo/podofo/blob/1.0.0/API-MIGRATION.md.
+  Changelog: <https://github.com/podofo/podofo/blob/1.0.0/CHANGELOG.md>, API-Migration-Guide: <https://github.com/podofo/podofo/blob/1.0.0/API-MIGRATION.md>.

 - `privatebin` has been updated to `2.0.0`. This release changes configuration defaults including switching the template and removing legacy features. See the [v2.0.0 changelog entry](https://github.com/PrivateBin/PrivateBin/releases/tag/2.0.0) for details on how to upgrade.

@@ -246,7 +246,7 @@

 - `sublime-music` has been removed because upstream has announced it is no longer maintained. Upstream suggests using `supersonic` instead.

- Support for bootstrapping native GHC compilers on 32‐bit ARM and little‐endian 64‐bit PowerPC has been dropped.
+- Support for bootstrapping native GHC compilers on 32‐bit ARM and little‐endian 64-bit PowerPC has been dropped.
  The latter was probably broken anyway.
  If there is interest in restoring support for these architectures, it should be possible to cross‐compile a bootstrap GHC binary.

@@ -359,7 +359,7 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

 - `ffmpeg_8`, `ffmpeg_8-headless`, and `ffmpeg_8-full` have been added. The default version of FFmpeg is now `ffmpeg_8`. You can install previous versions from package attributes such as `ffmpeg_7`.

- `forgejo-runner` upgrading to version 11 brings a license change from MIT to GPLv3-or-later.
+- `forgejo-runner` has been upgraded to version 11, which brings a license change from MIT to GPLv3-or-later.

 - GIMP now defaults to version 3. Use `gimp2` for the old version.

@@ -405,8 +405,6 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

 - `prl-tools` has been moved out of `linuxPackages` because Parallels Guest Tools become driverless since 26.1.0.

- `searx` was updated to use `envsubst` instead of `sed` for parsing secrets from environment variables.
-
 - `sftpman` has been updated to version 2, a rewrite in Rust which is mostly backward compatible but does include some changes to the CLI.
  For more information, [check the project's README](https://github.com/spantaleev/sftpman-rs#is-sftpman-v2-compatible-with-sftpman-v1).

@@ -431,7 +429,7 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

 - The `dockerTools.streamLayeredImage` builder now uses a better algorithm for generating layered docker images, such that much more sharing is possible when the number of store paths exceeds the layer limit. It gives each of the largest store paths its own layer and adds dependencies to those layers when they aren't used elsewhere.

- The `open-webui` package's postgres support have been moved to optional dependencies to comply with upstream changes in 0.6.26.
+- The `open-webui` package's postgres support has been moved to optional dependencies to comply with upstream changes in 0.6.26.

 - The systemd initrd will now respect `x-systemd.wants` and `x-systemd.requires` for reliably unlocking multi-disk bcachefs volumes.

@@ -440,6 +438,8 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).
 - Packages using `versionCheckHook` that previously relied solely on `pname` to locate the program used to version check, but have a differing `meta.mainProgram` entry, might now fail.

 - `waydroid-nftables` is a new variant of `waydroid` that supports nftables instead of iptables.
+
+- `searx` was updated to use `envsubst` instead of `sed` for parsing secrets from environment variables.
  If your previous configuration included a secret reference like `server.secret_key = "@SEARX_SECRET_KEY@"`, you must migrate to the new envsubst syntax: `server.secret_key = "$SEARX_SECRET_KEY"`.

 ## Nixpkgs Library {#sec-nixpkgs-release-25.11-lib}
@@ -470,7 +470,7 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

 - `lib.sources.pathType`, `lib.sources.pathIsDirectory` and `lib.sources.pathIsRegularFile` have been replaced by `lib.filesystem.pathType`, `lib.filesystem.pathIsDirectory` and `lib.filesystem.pathIsRegularFile` respectively.

- `lib.strings.isCoercibleToString` has been in favor of either `lib.strings.isStringLike` or `lib.strings.isConvertibleWithToString`. Only use the latter if it needs to return true for null, numbers, booleans, or a list of those.
+- `lib.strings.isCoercibleToString` has been replaced in favor of either `lib.strings.isStringLike` or `lib.strings.isConvertibleWithToString`. Only use the latter if it needs to return true for null, numbers, booleans, or a list of those.

 - `lib.types.string` has been removed. See [this pull request](https://github.com/NixOS/nixpkgs/pull/66346) for better alternative types like `lib.types.str`.

--- a/doc/release-notes/rl-2605.section.md
+++ b/doc/release-notes/rl-2605.section.md
@@ -1,4 +1,4 @@
-# Nixpkgs 26.05 ("Yarara", 2026.05/??) {#sec-nixpkgs-release-26.05}
+# Nixpkgs 26.05 ("Yarara", 2026.05/30) {#sec-nixpkgs-release-26.05}

 ## Highlights {#sec-nixpkgs-release-26.05-highlights}
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -6,6 +6,44 @@
 - GCC has been updated from GCC 14 to GCC 15.
  This introduces some backwards incompatible changes; Refer to the [upstream porting guide](https://gcc.gnu.org/gcc-15/porting_to.html) for details.

+- `glibc` has been updated to version 2.42.
+
+  This version no longer makes the stack executable when a shared library requires this. A symptom
+  is an error like
+
+  > cannot enable executable stack as shared object requires: Invalid argument
+
+  This is usually a bug. Please consider reporting it to the software maintainers.
+
+  In a lot of cases, the library requires the execstack by mistake only. The following workarounds exist:
+
+  * When building the shared library in question from source, use the following linker flags to force turning off the
+    executable flag:
+
+    ```nix
+    mkDerivation {
+      # …
+
+      env.NIX_LDFLAGS = "-z,noexecstack";
+    }
+    ```
+
+  * If the sources are not available, the execstack-flag can be cleared with `patchelf`:
+
+    ```
+    patchelf --clear-execstack binary-only.so
+    ```
+
+  * If the shared library to be loaded actually requires an executable stack and it isn't turned
+    on by the application loading it, you may force allowing that behavior by setting the
+    following environment variable:
+
+    ```
+    GLIBC_TUNABLES=glibc.rtld.execstack=2
+    ```
+
+    **Do not set this globally!** This makes your setup inherently less secure.
+
 - Node.js default version has been updated from 22 LTS to 24 LTS.
  This introduces some breaking changes; Refer to the [upstream migration article](https://nodejs.org/en/blog/migrations/v22-to-v24) for details.

@@ -74,6 +112,8 @@

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

+- `mdbook-linkcheck` has been removed as it is unmaintained and incompatible with the latest version of `mdbook`. Users can instead migrate to `mdbook-linkcheck2`.
+
 - The `nodePackages` package set has been removed entirely from nixpkgs. This package set was created to ease the maintenance burden of maintaining lots of
  NodeJS-based packages within nixpkgs, but became a burden itself. Over the past several releases, there has been a focus on removing it in favor of the more modern nixpkgs packaging strategies.
  After a long time, this package set has been deprecated and removed. If you are using its package set in your own config, please use the top-level packages instead.(i.e `pkgs.package-name` instead of `pkgs.nodePackages.package-name`).
@@ -89,7 +129,7 @@

 - `yarn2nix`/`yarn2nix-moretea` and its tooling(`mkYarnPackage`, `mkYarnModules`, and `fixup_yarn_lock`) have been removed as they were unmaintainable in nixpkgs. If you want to build with Yarn V1 going forward, use the hooks instead(`yarnBuildHook`, `yarnConfigHook`, and `yarnInstallHook`). See the yarn v1 documentation in the nixpkgs manual for more details.

- `albert` has been updated to the version 34.0.5. This release redesigns the query system to support stateful asynchronous handlers and infinite scrolling, and adds internationalized tokenization.
+- `albert` has been updated to version 34.0.5. This release redesigns the query system to support stateful asynchronous handlers and infinite scrolling, and adds internationalized tokenization.
  This update introduces several breaking changes: the Python plugin interface is now v5.0, the `PATH` plugin has been renamed to `Commandline`, and the QStylesheets-based widgets box model frontend has been removed.
  For more information read the [changelog for 34.0.0](https://albertlauncher.github.io/2026/01/19/albert-v34.0.0-released/).

@@ -105,17 +145,34 @@

 - `spoof` has been removed, as there are many issues upstream with it working on modern OS versions, and it appears to be unmaintained.

- `duckstation` package has been removed, as it was requested by upstream and build source were changed to be incompatible with NixOS.
+- `duckstation` package has been removed, as it was requested by upstream and build sources were changed to be incompatible with NixOS.

 - `nodePackages.coc-go` and `nodePackages.coc-tsserver`, along with their vim plugins, have been removed from nixpkgs due to being unmaintained.

 - `nodePackages.wavedrom-cli` has been removed, as it was unmaintained within nixpkgs.

+- MATE packages have been moved to top level (e.g. if you previously added `pkgs.mate.caja` to `environment.systemPackages`, you will need to change it to `pkgs.caja`).
+
+- `kratos` has been updated from 1.3.1 to [25.4.0](https://github.com/ory/kratos/releases/tag/v25.4.0). Upstream switched to a new versioning scheme (year.major.minor). Notable breaking changes:
+
+  - The `migrate sql` CLI command is now `migrate sql up`
+  - OIDC registration validation errors are now placed in the `default` node group instead of `oidc`
+  - Failed OIDC account linking returns HTTP 400 instead of 200
+
+- `pdns` has been updated to version [v5.0.x](https://doc.powerdns.com/authoritative/changelog/5.0.html), which introduces breaking changes. Check out the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-5-0-0) for details.
+
+- `geph` package's built-in GUI `geph5-client-gui` has been [removed](https://github.com/geph-official/geph5/commit/f2221fb8386312daf2cef05483ebb353ff48bdb4) by the upstream. All users who wish to continue using the GUI should install the `gephgui-wry`, which is consistent with the official release version.
+
+- `xfsprogs` was updated to version 6.18.0, which enables parent pointers and exchange-range by default. Upstream recommends not to use these features with kernels older than 6.18.
+   GRUB2 is likely unable to boot from filesystems with these features enabled.
+
+- `lunarvim` package has been removed, as it was abandoned upstream and relied on an old version of `neovim` to work properly.
+
 - `requireFile` now treats any `message` or `url` argument as a literal string, rather than subjecting it to Bash here-doc expansion.  This allows including strings like `$PWD` in the message without needing to know about and handle the undocumented Bash expansion.

 - `nodePackages.browserify` has been removed, as it was unmaintained within nixpkgs.

- `command-not-found` package will be enabled by default if the source of nixpkgs contains the file `programs.sqlite`. This is the case if a nixpkgs tarball from https://channels.nixos.org is used. This usage will also make the database of `command-not-found` stateless.
+- `command-not-found` package will be enabled by default if the source of nixpkgs contains the file `programs.sqlite`. This is the case if a nixpkgs tarball from <https://channels.nixos.org> is used. This usage will also make the database of `command-not-found` stateless.

 - `nodePackages.sass` has been removed, as it was unmaintained within nixpkgs.

@@ -126,9 +183,7 @@
 - `kanata` now requires `karabiner-dk` version 6.0+ or later.
  The package has been updated to use the new `karabiner-dk` package and the `darwinDriver` output stays at the version defined in the package.

- Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.
-
- Keycloak has been updated to 26.6.X, bringing a lot new features like federated client authentication, JWT authorization grants, workflows and the ability to do
+- Keycloak has been updated to 26.6.X, bringing a lot of new features like federated client authentication, JWT authorization grants, workflows and the ability to do
  zero-downtime patch releases. Read more about [all the exciting new capabilities in keycloak 26.6 here](https://github.com/keycloak/keycloak/releases/tag/26.6.0)
  and [consult the migration guide to 26.6](https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-26-6-0) to find out whether this is a breaking
  change for your keycloak instance.
@@ -157,21 +212,19 @@
  This release contains breaking changes, see [Upgrading to Vinyl Cache 9.0](https://vinyl-cache.org/docs/9.0/whats-new/upgrading-9.0.html).
  The `varnish-modules` project is currently not packaged for Vinyl Cache, as it is incompatible.

- `eslint` has been updated from version 9 to version 10. Please see https://eslint.org/blog/2026/02/eslint-v10.0.0-released/ for details about the breaking changes included in the update.
+- `eslint` has been updated from version 9 to version 10. Please see <https://eslint.org/blog/2026/02/eslint-v10.0.0-released/> for details about the breaking changes included in the update.

- `minio` has been abandoned by upstream and security issues won't be fixed. It is scheduled to be removed for 26.11. Users should migrate to alternatives such as Garage, SeaweedFS, or Ceph. S3-compatible clients such as rclone can be used to move data.
+- `minio` has been abandoned by upstream and security issues won't be fixed. `minio_legacy_fs` has also been removed. Both are scheduled for full removal in 26.11. Users should migrate to alternatives such as Garage, SeaweedFS, or Ceph. S3-compatible clients such as rclone can be used to move data.

-`minio_legacy_fs` has been removed. Users should migrate to alternatives such as Garage, SeaweedFS, or Ceph. S3-compatible clients such as rclone can be used to move data.
+- `mercure` has been updated to `0.21.4` (or later). Version [0.21.0](https://github.com/dunglas/mercure/releases/v0.21.0) and [0.21.2](https://github.com/dunglas/mercure/releases/tag/v0.21.2) introduce breaking changes to the package.

- `mercure` has been update to `0.21.4` (or later). Version [0.21.0](https://github.com/dunglas/mercure/releases/v0.21.0) and [0.21.2](https://github.com/dunglas/mercure/releases/tag/v0.21.2) introduce breaking changes to the package.
-
- `mozc` and `mozc-ut` no longer contains the IBus front-end, which are now provided by `ibus-engines.mozc` and `ibus-engines.mozc-ut`.
+- `mozc` and `mozc-ut` no longer contain the IBus front-end, which is now provided by `ibus-engines.mozc` and `ibus-engines.mozc-ut`.

 - `nemorosa` has been updated from `0.4.3` to `0.5.0`. Version [0.5.0](https://github.com/KyokoMiki/nemorosa/releases/tag/0.5.0) introduced breaking changes to the package configuration.

- `n8n` has been updated to version 2. You can find the breaking changes here: https://docs.n8n.io/2-0-breaking-changes/.
+- `n8n` has been updated to version 2. You can find the breaking changes here: <https://docs.n8n.io/2-0-breaking-changes/>.

- `nomad` has been updated to v1.11. Refer to the [release note](https://developer.hashicorp.com/nomad/docs/release-notes/nomad/v1-11-x) for more details. Once a new Nomad version has started and upgraded it's data directory, it generally cannot be downgraded to the previous version.
+- `nomad` has been updated to v1.11. Refer to the [release note](https://developer.hashicorp.com/nomad/docs/release-notes/nomad/v1-11-x) for more details. Once a new Nomad version has started and upgraded its data directory, it generally cannot be downgraded to the previous version.

 - The default NVIDIA drivers no longer support Maxwell (GTX 1xxx) or older GPUs. Pin the nvidia package to ` config.boot.kernelPackages.nvidiaPackages.legacy_580` for continued support.

@@ -179,24 +232,26 @@

 - `iroh` has been removed and split up into `iroh-dns-server` and `iroh-relay`.

- the `xorg` package set has been deprecated, packages have moved to the top level.
+- The `xorg` package set has been deprecated, packages have moved to the top level.

 - `python3Packages.buildPythonPackage` and `python3Packages.buildPythonApplication` now throw errors in the presence of `pytestFlagsArray`.
  Please use [`pytestFlags` and `(enabled|disabled)(TestPaths|Tests|TestMarks)`](#using-pytestcheckhook) instead.
  If modifying the Nix expression is not feasible, users can remediate the error by overriding `pytestFlagsArray` with `null` or `[ ]`.

- `python3Packages.pygame` has been been renamed to `python3Packages.pygame-original`, the attribute `python3Packages.pygame` will from python 3.14 default to the more actively maintained `python3Packages.pygame-ce`
+- `python3Packages.pygame` has been renamed to `python3Packages.pygame-original`, the attribute `python3Packages.pygame` will from python 3.14 default to the more actively maintained `python3Packages.pygame-ce`.

- `fastly` has been updated to major version 14. For more information, you can check the [release notes](https://github.com/fastly/cli/releases/tag/v14.0.0)
+- `fastly` has been updated to major version 14. For more information, you can check the [release notes](https://github.com/fastly/cli/releases/tag/v14.0.0).

 - `peertube` has been updated from `7.3.0` to `8.0.2`, introducing several breaking changes.
  Some notable new features include channel collaboration and video player redesign with a new theme.
  For details on how to upgrade, see the `IMPORTANT NOTES` section of the [v8.0.0 CHANGELOG entry](https://docs.joinpeertube.org/CHANGELOG#v8-0-0).

- `python3Packages.gradio` has been updated to version 6. See upstream's migration guide at https://www.gradio.app/main/guides/gradio-6-migration-guide.
+- `python3Packages.gradio` has been updated to version 6. See upstream's migration guide at <https://www.gradio.app/main/guides/gradio-6-migration-guide>.

 - `python3Packages.pikepdf` no longer builds with mupdf support by default, which may be nice in Jupyter and iPython. Build with `withMupdf = true` if this is required.

+- `olive-editor` has been dropped as upstream development ceased and no longer builds.
+
 - `python3Packages.django-mdeditor` has been removed, as it was unmaintained upstream and the latest release was vulnerable to a [critical security vulnerability](https://github.com/NixOS/nixpkgs/issues/515462).

 - `vicinae` has been updated to v0.20. This includes, among several other breaking changes, a complete overhaul of the configuration system. For update instructions, see the [upstream configuration documentation](https://docs.vicinae.com/config#migration-from-v0-16-x-to-v0-17-x).
@@ -214,23 +269,12 @@
 - `jetbrains.plugins.addPlugins` no longer supports plugin names or ID strings.
  You can still use `addPlugins` with plugin derivations, such as plugins packaged outside of Nixpkgs.

- The `programs.captive-browser` module no longer falls back on a setcap wrapper around udhcpc to discover your network's DNS server due to [GHSA-wc3r-c66x-8xmc](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc) (CVE-2026-25740). If you're using this module, you must either configure `programs.captive-browser.dhcp-dns` manually or enable one of NetworkManager, dhcpcd, or systemd-networkd.
-
 - NetBox was updated to `>= 4.5.5`. Have a look at the breaking changes
  of the [4.5 release](https://github.com/netbox-community/netbox/releases/tag/v4.5.0),
  make the required changes to your database, if needed, then upgrade by setting `services.netbox.package = pkgs.netbox_4_5;` in your configuration.

- The `services.yggdrasil` module has been refactored with the following breaking changes:
-  - The `services.yggdrasil.configFile` option has been removed. Configuration should now be specified directly via `services.yggdrasil.settings`.
-  - The `services.yggdrasil.persistentKeys` option has been removed. To maintain persistent keys and IPv6 addresses across reboots, use `services.yggdrasil.settings.PrivateKeyPath` to securely load your private key from a file via systemd credentials. The private key must be in PEM format (PKCS #8).
-  - Storing `PrivateKey` directly in `settings` is now explicitly forbidden to prevent keys from being stored world-readable in the Nix store.
-  - If you previously used `configFile`, migrate your configuration to the `settings` option and extract the private key to a separate file referenced by `PrivateKeyPath`.
-  - If you previously used `persistentKeys`, convert your keys to PEM format and store them in a secure location accessible only to root, then reference them via `PrivateKeyPath`.
-
 - `pocket-id` has been updated to version 2 that contains [breaking changes](https://pocket-id.org/docs/setup/major-releases/migrate-v2).

- `services.xserver` will now throw an error if an X11 driver specified in  `videoDriver(s)` cannot be found. Previously, unknown drivers would be silently ignored.
-
 - `asio` (standalone version of `boost::asio`) has been updated from 1.24.0 to 1.36.0. Some breaking changes were introduced between these
  two versions, and the one affected most was the removal of `asio::io_service` in favor of `asio::io_context` in 1.33.0. `asio_1_32_0` is
  retained for packages that have not completed migration. `asio_1_10` has been removed as no packages depend on it anymore.
@@ -253,8 +297,6 @@

 - Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.

- The `services.avahi.wideArea` option now defaults to `false` as a mitigation against [`CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`](https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g).
-
 - `coreth` has been removed, as upstream has moved it into `avalanchego`.

 - `nodePackages.prebuild-install` was removed because it appeared to be unmaintained upstream.
@@ -272,7 +314,7 @@
    IMAP_CERTIFICATE_VALIDATION=false
    ```

- `python3packages.pillow-avif-plugin` has been removed as the functionality is included in `python3packages.pillow` directly since version 11.3.
+- `python3Packages.pillow-avif-plugin` has been removed as the functionality is included in `python3Packages.pillow` directly since version 11.3.

 - `wasistlos` (previously known as `whatsapp-for-linux`) has been removed because it was unmaintained and archived upstream.
  Multiple alternatives exist: `karere`, `whatsie` and `zapzap` among others.
@@ -284,8 +326,6 @@

 - `shisho` has been removed because it's archived. `semgrep`, `opengrep`, and `ast-grep` provide similar functionality.

- `services.openssh.settings.AcceptEnv` now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.
-
 - All Xfce packages have been moved to top level (e.g. if you previously added `pkgs.xfce.xfce4-whiskermenu-plugin` to `environment.systemPackages`, you will need to change it to `pkgs.xfce4-whiskermenu-plugin`). The `xfce` scope will be removed in NixOS 26.11.

 - The Dovecot IMAP server has been updated to version 2.4, with the `dovecot` attribute now referring to this backwards-incompatible version. The attribute `dovecot_2_3` refers to the previous version. The Pigeonhole plugin has been similarly updated to 2.4, with the version compatible with Dovecot 2.3 being at `dovecot_pigeonhole_0_5`. See <https://doc.dovecot.org/latest/installation/upgrade/2.3-to-2.4.html> for more information on how to upgrade.
@@ -296,12 +336,8 @@

 - `vimPlugins.nvim-treesitter` has been updated to `main` branch, which is a full and incompatible rewrite. If you can't or don't want to update, you should use `vimPlugins.nvim-treesitter-legacy`.

- `services.taskchampion-sync-server` module have been added an option `services.taskchampion-sync-server.dynamicUser` to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.
-
 - Package `jellyseerr` has been renamed to `seerr` following the upstream rename.

- The default packages in `services.jenkins.packages` have been dropped, since not every Jenkins installation needs any package at all. It's more reasonable to leave it empty and let users configure what they need.
-
 - The `pie` hardening flag has been removed and will now error, after being deprecated in 25.11. Compilers are expected to enable PIE by default, as has been common practice since 2016 outside of Nixpkgs. If a package needs `pie` disabled pass `-no-pie` in `CFLAGS`. It is unlikely this will be necessary in many cases; due to the prevalence of default PIE toolchains, most packages incompatible with PIE already pass `-no-pie`.

 - `pqos-wrapper` was removed as it has been unmaintained since 2022 and not widely used.
@@ -314,6 +350,8 @@

 - `linuxPackages.nvidiaPackages` now follows NVIDIA's official release branches by exposing `production`, `new_feature`, and `beta`. The convenience aliases `latest` (newer of `production` and `new_feature`) and `bleeding_edge` (newer of `latest` and `beta`) are provided; note that `beta` now refers strictly to the beta branch.

+- `stestrCheckHook` was added: This test hook runs `stestr run`. You can disable tests with `disabledTests` and `disabledTestsRegex`.
+
 - `balatro` now supports the Google Play and Xbox PC versions of the game.  Pass the `apk` or `Assets.zip` as `balatro.override { src = "…" }`.

 - `uptime-kuma` has been updated to v2, which requires an automated migration that can take a few hours. **A backup is highly recommended.**
@@ -324,16 +362,22 @@

 - The `libcxxhardeningextensive` hardening flag has been **disabled** by default. Enabling it by default in 25.11 was unintentional and may have had a negative effect on performance in some cases. `libcxxhardeningfast` remains enabled by default.

- The packages `ibtool`, `actool` and `re-plistbuddy` have been added, providing reimplementations of the corresponding proprietary Apple tools. They are more compatible with the originals than the previously existing `xcbuild` package, and should enable more darwin software to be built from source.
+- Wine has been updated to the 11.0 branch. Please check the [upstream announcement](https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0) for more details.

- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows to avoid switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.
+- Cinnamon has been updated to 6.6, please check the [upstream announcement](https://www.linuxmint.com/rel_zena_whatsnew.php) for more details.
+
+- `rspamd` has been updated to 4.0. Please check the upstream [migration](https://docs.rspamd.com/tutorials/migration/#migration-to-rspamd-400) documentation, especially if you run a sharded Redis deployment.
+
+- `hyphen` now supports over 40 language variants through `hyphenDicts` and now allows to enable all supported languages through `hyphenDicts.all`.
+
+- `budgie` has been updated to 10.10, please check the [upstream announcement](https://buddiesofbudgie.org/blog/budgie-10-10-released) for more details.
+
+- The packages `ibtool`, `actool` and `re-plistbuddy` have been added, providing reimplementations of the corresponding proprietary Apple tools. They are more compatible with the originals than the previously existing `xcbuild` package, and should enable more darwin software to be built from source.

 - GNU Taler has been updated to version 1.3.
  This release focuses on getting everything ready for a deployment of GNU Taler by Magnet bank.
  For more details, see the [upstream release notes](https://www.taler.net/en/news/2025-13.html).

- The `services.nextcloud-spreed-signaling` NixOS module has been added to facilitate declarative management of a standalone Spreed signaling server ("High Performance Backend" for Nextcloud Talk).
-
 - `collabora-desktop` The desktop version of Collabora Office is now available, package version `25.05.9.2-2`.

 - `fetchPnpmDeps` and `pnpmConfigHook` were added as top-level attributes, replacing the now deprecated `pnpm.fetchDeps` and `pnpm.configHook` attributes.
@@ -349,7 +393,7 @@

 - Added `dell-bios-fan-control` package and service.

- Added `lovr` package, a LUA-based game engine for VR and XR applications.
+- Added `lovr` package, a Lua-based game engine for VR and XR applications.

 - Updated `wsjtx` from 2.7.0 to 3.0.0 for amateur radio hobbyists who use FT8 and other related digital modes.
  See the [release notes](https://wsjt.sourceforge.io/Release_Notes.txt) for the changelog.
@@ -359,14 +403,14 @@

 - `wrapNeovimUnstable` now sets provider-related configuration in its generated config rather than as wrapper arguments. It should not affect configuration unless you set `wrapRc` to false or are using the `legacyWrapper`.

- neovim lua dependencies are now set in the generated init.lua instead of
+- Neovim Lua dependencies are now set in the generated init.lua instead of
  modifying LUA_PATH in the wrapper. Commands run pre-vimrc via `nvim --cmd
  "require'LUA_MODULE'"` may
  not find their lua dependencies anymore. Use `nvim -c "lua require'LUA_MODULE'"` instead to run these commands after loading `init.lua`. If you use `wrapNeovim` with `wrapRc` set to `false`, you may lose the lua dependencies if you are not loading the generated `init.lua`.

 - We now use the upstream wrapper script for Gradle, supporting both the `JAVA_HOME` and `GRADLE_OPTS` environment variables.

- the `autossh-ng` NixOS module was introduced as a simpler alternative to the existing `autossh` module.
+- Updated `gonic` to 0.21.0. A full ("slow") scan is recommended after upgrading to v0.21.0 to pick up the newly scanned fields (contributors, ISRCs, record labels, per-track years, ARTIST_CREDIT).

 - Added `haskell.packages.microhs`, a set of Haskell packages built with MicroHs.

@@ -386,8 +430,6 @@ gnuradioMinimal.override {
 }
 ```

- Added `headplane` and `headplane-agent` packages, and `services.headplane` service.
-
 ## Nixpkgs Library {#sec-nixpkgs-release-26.05-lib}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -400,7 +442,7 @@ gnuradioMinimal.override {

 - `nodejs` is now a simple wrapper for `nodejs-slim`+`nodejs-slim.npm`+`nodejs-slim.corepack`, meaning it is no longer possible to reference or override its attributes or outputs (e.g. `nodejs.libv8` must be replaced with `nodejs-slim.libv8`, `nodejs.nativeBuildInputs` with `nodejs-slim.nativeBuildInputs`, etc.).

- `navidrome` has removed the built-in Spotify integration https://github.com/navidrome/navidrome/releases/tag/v0.61.0 has details on optional replacements
+- `navidrome` has removed the built-in Spotify integration. See [v0.61.0](https://github.com/navidrome/navidrome/releases/tag/v0.61.0) for details on optional replacements.

 - `mold` is now wrapped by default.

@@ -420,4 +462,3 @@ gnuradioMinimal.override {

 - The builder `php.buildComposerProject2` for PHP applications has been improved for better reliability and stability.

- The `services.drupal` module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config yamls onto NixOS, and a some new settings for managing variable content and filepaths.
--- a/doc/stdenv/meta.chapter.md
+++ b/doc/stdenv/meta.chapter.md
@@ -61,6 +61,12 @@ Release branch. Used to specify that a package is not going to receive updates t

 The package’s homepage. Example: `https://www.gnu.org/software/hello/manual/`

+### `donationPage` {#var-meta-donationPage}
+
+The package or project's donation page, if it exists. Example: `https://neovim.io/sponsors/`
+
+Authoritative project URLs are preferred.
+
 ### `downloadPage` {#var-meta-downloadPage}

 The page where a link to the current version can be found. Example: `https://ftp.gnu.org/gnu/hello/`
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -5058,12 +5058,6 @@
    github = "cigrainger";
    githubId = 3984794;
  };
-  ciil = {
-    email = "simon@lackerbauer.com";
-    github = "ciil";
-    githubId = 3956062;
-    name = "Simon Lackerbauer";
-  };
  cilki = {
    github = "cilki";
    githubId = 10459406;
@@ -7360,12 +7354,6 @@
    github = "DSeeLP";
    githubId = 46624152;
  };
-  dsferruzza = {
-    email = "david.sferruzza@gmail.com";
-    github = "dsferruzza";
-    githubId = 1931963;
-    name = "David Sferruzza";
-  };
  dsluijk = {
    name = "Dany Sluijk";
    email = "nix@dany.dev";
@@ -18260,6 +18248,12 @@
    githubId = 16974598;
    name = "Mike Playle";
  };
+  mkannwischer = {
+    email = "matthias@kannwischer.eu";
+    github = "mkannwischer";
+    githubId = 3984960;
+    name = "Matthias Kannwischer";
+  };
  mkez = {
    email = "matias+nix@zwinger.fi";
    github = "mk3z";
@@ -19250,6 +19244,12 @@
    name = "Naufal Fikri";
    keys = [ { fingerprint = "1575 D651 E31EC 6117A CF0AA C1A3B 8BBC A515 8835"; } ];
  };
+  naurissteins = {
+    name = "Nauris Steins";
+    email = "me@naurissteins.com";
+    github = "naurissteins";
+    githubId = 5653746;
+  };
  naxdy = {
    name = "Naxdy";
    email = "naxdy@naxdy.org";
--- a/maintainers/team-list.nix
+++ b/maintainers/team-list.nix
@@ -662,7 +662,6 @@ with lib.maintainers;
  python = {
    members = [
      hexa
-      natsukium
    ];
    scope = "Maintain the Python interpreter and related packages.";
    shortName = "Python";
--- a/nixos/doc/manual/installation/upgrading.chapter.md
+++ b/nixos/doc/manual/installation/upgrading.chapter.md
@@ -8,7 +8,7 @@ passed and a selection of packages has been built successfully
 (see `nixos/release-combined.nix` and `nixos/release-small.nix`).
 These channels are:

-   *Stable channels*, such as [`nixos-25.11`](https://channels.nixos.org/nixos-25.11).
+-   *Stable channels*, such as [`nixos-26.05`](https://channels.nixos.org/nixos-26.05).
    These only get conservative bug fixes and package upgrades. For
    instance, a channel update may cause the Linux kernel on your system
    to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not
@@ -21,7 +21,7 @@ These channels are:
    radical changes between channel updates. It's not recommended for
    production systems.

-   *Small channels*, such as [`nixos-25.11-small`](https://channels.nixos.org/nixos-25.11-small)
+-   *Small channels*, such as [`nixos-26.05-small`](https://channels.nixos.org/nixos-26.05-small)
    or [`nixos-unstable-small`](https://channels.nixos.org/nixos-unstable-small).
    These are identical to the stable and unstable channels described above,
    except that they contain fewer binary packages. This means they get updated
@@ -40,8 +40,8 @@ supported stable release.

 When you first install NixOS, you're automatically subscribed to the
 NixOS channel that corresponds to your installation source. For
-instance, if you installed from a 25.11 ISO, you will be subscribed to
-the `nixos-25.11` channel. To see which NixOS channel you're subscribed
+instance, if you installed from a 26.05 ISO, you will be subscribed to
+the `nixos-26.05` channel. To see which NixOS channel you're subscribed
 to, run the following as root:

 ```ShellSession
@@ -56,16 +56,16 @@ To switch to a different NixOS channel, do
 ```

 (Be sure to include the `nixos` parameter at the end.) For instance, to
-use the NixOS 25.11 stable channel:
+use the NixOS 26.05 stable channel:

 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-25.11 nixos
+# nix-channel --add https://channels.nixos.org/nixos-26.05 nixos
 ```

 If you have a server, you may want to use the "small" channel instead:

 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-25.11-small nixos
+# nix-channel --add https://channels.nixos.org/nixos-26.05-small nixos
 ```

 And if you want to live on the bleeding edge:
@@ -118,5 +118,5 @@ the new generation contains a different kernel, initrd or kernel
 modules. You can also specify a channel explicitly, e.g.

 ```nix
-{ system.autoUpgrade.channel = "https://channels.nixos.org/nixos-25.11"; }
+{ system.autoUpgrade.channel = "https://channels.nixos.org/nixos-26.05"; }
 ```
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -4,7 +4,7 @@

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- Added `nixos-init`, a Rust-based bashless initialization system for systemd initrd. This allows to build NixOS systems without any interpreter. Enable via `system.nixos-init.enable = true;`.
+- Added `nixos-init`, a Rust-based bashless initialization system for systemd initrd.

 - COSMIC DE has been updated to the beta version, bringing it closer to its first stable release. This includes updates to its core components, applications, and overall stability.

@@ -41,17 +41,19 @@

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- Added `nixos-init`, a Rust-based bashless initialization system for systemd initrd. This allows to build NixOS systems without any interpreter. Enable via `system.nixos-init.enable = true;`.
+- Added `nixos-init`, a Rust-based bashless initialization system for systemd initrd. This allows building NixOS systems without any interpreter. Enable via `system.nixos-init.enable = true;`.

 - [angrr](https://github.com/linyinfeng/angrr), a service that automatically cleans up old auto GC roots. Available as [services.angrr](#opt-services.angrr.enable).

 - Auto-scrub support for Bcachefs filesystems can now be enabled through [services.bcachefs.autoScrub.enable](#opt-services.bcachefs.autoScrub.enable) to periodically check for data corruption. If there's a correct copy available, it will automatically repair corrupted blocks.

- [Beszel](https://beszel.dev), a lightweight server monitoring hub with historical data, docker stats, and alerts. Available as [`services.beszel.agent`](options.html#opt-services.beszel.agent.enable) and [`services.beszel.hub`](options.html#opt-services.beszel.hub.enable).
+- [Beszel](https://beszel.dev), a lightweight server monitoring hub with historical data, docker stats, and alerts. Available as [`services.beszel.agent`](#opt-services.beszel.agent.enable) and [`services.beszel.hub`](#opt-services.beszel.hub.enable).

- [boot.kernel.sysfs](options.html#opt-boot.kernel.sysfs), a new way to set of sysfs attributes.
+- [boot.kernel.sysfs](#opt-boot.kernel.sysfs), a new way to set sysfs attributes.

- [Broadcast Box](https://github.com/Glimesh/broadcast-box), a WebRTC broadcast server. Available as [services.broadcast-box](options.html#opt-services.broadcast-box.enable).
+- [Broadcast Box](https://github.com/Glimesh/broadcast-box), a WebRTC broadcast server. Available as [services.broadcast-box](#opt-services.broadcast-box.enable).
+
+- Drivers and utilities for [Tenstorrent](https://tenstorrent.com) have been added. Available as [hardware.tenstorrent](#opt-hardware.tenstorrent.enable).

 - [byedpi](https://github.com/hufrea/byedpi), a DPI bypass service. Available as [services.byedpi](#opt-services.byedpi.enable).

@@ -67,9 +69,7 @@

 - [crowdsec-firewall-bouncer](https://www.crowdsec.net/), the CrowdSec Remediation Component for fetching new and old decisions from a CrowdSec API and adding them to a blocklist used by supported firewalls. Available as [services.crowdsec-firewall-bouncer](#opt-services.crowdsec-firewall-bouncer.enable).

- Docker now defaults to 28.x, because version 27.x stopped receiving security updates and bug fixes after [May 2, 2025](https://github.com/moby/moby/pull/49910).
-
- [docuseal](https://github.com/docusealco/docuseal), a DocuSign alternative. Create, fill, and sign digital documents. Available at [services.docuseal](#opt-services.docuseal.enable).
+- [docuseal](https://github.com/docusealco/docuseal), a DocuSign alternative. Create, fill, and sign digital documents. Available as [services.docuseal](#opt-services.docuseal.enable).

 - [Draupnir](https://github.com/the-draupnir-project/draupnir), a Matrix moderation bot. Available as [services.draupnir](#opt-services.draupnir.enable).

@@ -93,14 +93,14 @@

 - [Homebridge](https://github.com/homebridge/homebridge), a lightweight Node.js server you can run on your home network that emulates the iOS HomeKit API. Available as [services.homebridge](#opt-services.homebridge.enable).

- [IfState](https://ifstate.net), manage host interface settings in a declarative manner. Available as [networking.ifstate](options.html#opt-networking.ifstate.enable) and [boot.initrd.network.ifstate](options.html#opt-boot.initrd.network.ifstate.enable).
+- [IfState](https://ifstate.net), manage host interface settings in a declarative manner. Available as [networking.ifstate](#opt-networking.ifstate.enable) and [boot.initrd.network.ifstate](#opt-boot.initrd.network.ifstate.enable).

 - [KMinion](https://github.com/redpanda-data/kminion), feature-rich Prometheus exporter for Apache Kafka. Available as [services.prometheus.exporters.kafka](options.html#opt-services.prometheus.exporters.kafka).

 - [LACT](https://github.com/ilya-zlobintsev/LACT), a GPU monitoring and configuration tool, can now be enabled through [services.lact.enable](#opt-services.lact.enable).
  Note that for LACT to work properly on AMD GPU systems, you need to enable [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable).

- [lemurs](https://github.com/coastalwhite/lemurs), a customizable TUI display/login manager. Available at [services.displayManager.lemurs](#opt-services.displayManager.lemurs.enable).
+- [lemurs](https://github.com/coastalwhite/lemurs), a customizable TUI display/login manager. Available as [services.displayManager.lemurs](#opt-services.displayManager.lemurs.enable).

 - [LibreTranslate](https://libretranslate.com), a free and open source machine translation API. Available as [services.libretranslate](#opt-services.libretranslate.enable).

@@ -121,11 +121,11 @@

 - [nebula-lighthouse-service](https://github.com/manuels/nebula-lighthouse-service), a public Nebula VPN lighthouse service. Available as [services.nebula-lighthouse-service](#opt-services.nebula-lighthouse-service.enable).

- [Newt](https://github.com/fosrl/newt), a fully user space WireGuard tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. Available as [services.newt](options.html#opt-services.newt.enable).
+- [Newt](https://github.com/fosrl/newt), a fully user space WireGuard tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. Available as [services.newt](#opt-services.newt.enable).

 - [nixbit](https://github.com/pbek/nixbit), a GUI application for updating your NixOS system from a Nix Flakes Git repository. Available as [programs.nixbit](#opt-programs.nixbit.enable).

- [nix-store-veritysetup](https://github.com/nikstur/nix-store-veritysetup-generator), a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as [boot.initrd.nix-store-veritysetup](options.html#opt-boot.initrd.nix-store-veritysetup.enable).
+- [nix-store-veritysetup](https://github.com/nikstur/nix-store-veritysetup-generator), a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as [boot.initrd.nix-store-veritysetup](#opt-boot.initrd.nix-store-veritysetup.enable).

 - [nvme-rs](https://github.com/liberodark/nvme-rs), NVMe monitoring [services.nvme-rs](#opt-services.nvme-rs.enable).

@@ -139,7 +139,7 @@

 - [Pi-hole](https://pi-hole.net/), a DNS sinkhole for advertisements based on Dnsmasq. Available as [services.pihole-ftl](#opt-services.pihole-ftl.enable), and [services.pihole-web](#opt-services.pihole-web.enable) for the web GUI and API.

- [pmount](https://salsa.debian.org/debian/pmount), a tool that allows normal users to mount removable devices without requiring root privileges Available at [programs.pmount](#opt-programs.pmount.enable).
+- [pmount](https://salsa.debian.org/debian/pmount), a tool that allows normal users to mount removable devices without requiring root privileges Available as [programs.pmount](#opt-programs.pmount.enable).

 - [postfix-tlspol](https://github.com/Zuplu/postfix-tlspol), a MTA-STS and DANE resolver and TLS policy server for Postfix. Available as [services.postfix-tlspol](#opt-services.postfix-tlspol.enable).

@@ -153,7 +153,7 @@

 - [radicle-native-ci](https://radicle.network/nodes/seed.radicle.dev/rad:z3qg5TKmN83afz2fj9z3fQjU8vaYE), an adapter for the [Radicle CI broker](https://radicle.network/nodes/seed.radicle.dev/rad:zwTxygwuz5LDGBq255RA2CbNGrz8), for performing CI runs locally. Available as [services.radicle.ci.adapters.native](#opt-services.radicle.ci.adapters.native.instances).

- [rauc](https://rauc.io/) (the Robust Auto-Update Controller), a daemon that allows reliable and secure software updates in embedded Linux systems. Available at [services.rauc](#opt-services.rauc.enable).
+- [rauc](https://rauc.io/) (the Robust Auto-Update Controller), a daemon that allows reliable and secure software updates in embedded Linux systems. Available as [services.rauc](#opt-services.rauc.enable).

 - [ringboard](https://github.com/SUPERCILEX/clipboard-history), a fast, efficient, and composable clipboard manager for Linux. Available for x11 as [services.ringboard](#opt-services.ringboard.x11.enable) and for Wayland as [services.ringboard](#opt-services.ringboard.wayland.enable).

@@ -189,7 +189,7 @@

 - [tuwunel](https://matrix-construct.github.io/tuwunel/), a federated chat server implementing the Matrix protocol, forked from Conduwuit. Available as [services.matrix-tuwunel](#opt-services.matrix-tuwunel.enable).

- [umami](https://github.com/umami-software/umami), a simple, fast, privacy-focused alternative to Google Analytics. Available with [services.umami](#opt-services.umami.enable).
+- [umami](https://github.com/umami-software/umami), a simple, fast, privacy-focused alternative to Google Analytics. Available as [services.umami](#opt-services.umami.enable).

 - [wayvnc](https://github.com/any1/wayvnc), a VNC server for wlroots based Wayland compositors. Available as [programs.wayvnc](#opt-programs.wayvnc.enable).

@@ -222,7 +222,7 @@

 - `miniflux` no longer uses the hstore PostgreSQL extension. Having the extension would prevent Miniflux from starting. In case you are managing your `miniflux` PostgreSQL database externally, disable the extension with `DROP EXTENSION IF EXISTS hstore;`.

- `netbox-manage` script created by the `netbox` module no longer uses `sudo -u netbox` internally. It can be run as root and will change it's user to `netbox` using `runuser`.
+- `netbox-manage` script created by the `netbox` module no longer uses `sudo -u netbox` internally. It can be run as root and will change its user to `netbox` using `runuser`.

 - NixOS display manager modules now strictly use tty1, where many of them previously used tty7. Options to configure display managers' VT have been dropped. A configuration with a display manager enabled will not start `getty@tty1.service`, even if the system is forced to boot into `multi-user.target` instead of `graphical.target`.

@@ -254,7 +254,7 @@

 - `services.nextcloud.notify_push.enable` now installs the notify_push app. Therefore the appstore is now disabled when using `notify_push`. See `services.nextcloud.appstoreEnable`.

- `services.nixseparatedebuginfod.enable = true;` has been replaced by `services.nixseparatedebuginfod2.enable = true`. If you only use the official binary cache `https://cache.nixos.org` then no further configuration should be needed. If you have other https substituters, you can add them to `services.nixseparatedebuginfod2.subsituters`. SSH substituters are not supported by nixseparatedebuginfod2. Consider running nixseparatedebuginfod2 on the substituter instead, and pointing to it with the new option `environment.debuginfodServers`.
+- `services.nixseparatedebuginfod.enable = true;` has been replaced by `services.nixseparatedebuginfod2.enable = true`. If you only use the official binary cache `https://cache.nixos.org` then no further configuration should be needed. If you have other https substituters, you can add them to `services.nixseparatedebuginfod2.substituters`. SSH substituters are not supported by nixseparatedebuginfod2. Consider running nixseparatedebuginfod2 on the substituter instead, and pointing to it with the new option `environment.debuginfodServers`.

 - `services.parsoid` and the `nodePackages.parsoid` package have been removed, as the JavaScript-based version this module uses is not compatible with modern MediaWiki versions.

@@ -373,7 +373,7 @@

 - `boot.plymouth` now has a [`package`](#opt-boot.plymouth.package) option to specify the package used in the module.

- Drivers and utilities for [Tenstorrent](https://tenstorrent.com) have been added. Available as [hardware.tenstorrent](#opt-hardware.tenstorrent.enable).
+- Docker now defaults to 28.x, because version 27.x stopped receiving security updates and bug fixes after [May 2, 2025](https://github.com/moby/moby/pull/49910).

 - Due to [deprecation of gnome-session X11 support](https://blogs.gnome.org/alatiera/2025/06/08/the-x11-session-removal/), `services.desktopManager.pantheon` now defaults to pantheon-wayland session. The X11 session has been removed, see [this issue](https://github.com/elementary/session-settings/issues/91) for details.

@@ -436,9 +436,9 @@
 - `services.k3s` now shares most of its code with `services.rke2`. The merge resulted in both modules providing more options, with `services.rke2` receiving the most improvements.
  Existing configurations for either module should not be affected.

- [services.libvirtd.autoSnapshot](options.html#opt-services.libvirtd.autoSnapshot.enable) has been added as a backup service for libvirt managed VMs.
+- [services.libvirtd.autoSnapshot](#opt-services.libvirtd.autoSnapshot.enable) has been added as a backup service for libvirt managed VMs.

- `services.limesurvey` now supports nginx as reverse-proxy. Available through [services.limesurvey.webserver](#opt-services.limesurvey.webserver).
+- `services.limesurvey` now supports nginx as reverse-proxy. Available as [services.limesurvey.webserver](#opt-services.limesurvey.webserver).

 - `services.mattermost` has been updated to use the 10.11 ESR instead of 10.5. While this shouldn't break anyone, we also now package Mattermost 11 as mattermostLatest. Note that Mattermost 11 drops support for MySQL. The Mattermost module will assertion fail if you try to use MySQL with Mattermost 11; support for using MySQL with Mattermost will fully be removed in NixOS 26.

--- a/nixos/doc/manual/release-notes/rl-2605.section.md
+++ b/nixos/doc/manual/release-notes/rl-2605.section.md
@@ -1,4 +1,4 @@
-# Release 26.05 ("Yarara", 2026.05/??) {#sec-release-26.05}
+# Release 26.05 ("Yarara", 2026.05/30) {#sec-release-26.05}

 ## Highlights {#sec-release-26.05-highlights}

@@ -14,7 +14,7 @@
  - The `cryptsetup-askpass` program is not available; use `systemctl default` instead, which will prompt for passphrases as necessary. If you pipe password responses into SSH over stdin, use `ssh -o RequestTTY=force` to ensure `systemctl default` gets a TTY to prompt on.
  - Many kernel parameters have been replaced with native systemd versions; see [](#sec-boot-problems).

- The system.nix file has been added as an alternative entry point to configuration.nix (and flake.nix) that allows to configure NixOS without using `nix-channel`.
+- The system.nix file has been added as an alternative entry point to configuration.nix (and flake.nix) that allows configuring NixOS without using `nix-channel`.
  This file must evaluate to a NixOS system derivation or an attribute set of such derivations, in which case the attribute to build has to be selected with the `--attr` option of `nixos-rebuild` or `nixos-install`.
  For example,
  ```nix
@@ -60,19 +60,22 @@

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

+- [](#opt-services.autossh-ng.sessions) NixOS module was introduced as a simpler alternative to the existing [](#opt-services.autossh.sessions) module.
+
+- [services.nextcloud-spreed-signaling](#opt-services.nextcloud-spreed-signaling.enable) NixOS module has been added to facilitate declarative management of a standalone Spreed signaling server ("High Performance Backend" for Nextcloud Talk).
+
 - [OpenThread Border Router](https://openthread.io/), a Thread border router for POSIX-based platforms that bridges Thread mesh networks to IP networks. Available as [services.openthread-border-router](#opt-services.openthread-border-router.enable).

 - [Atuin](https://atuin.sh), magical shell history — sync, search and backup your terminal history. Available as [programs.atuin](#opt-programs.atuin.enable).

 - [Meshtastic](https://meshtastic.org), an open-source, off-grid, decentralised mesh network
-  designed to run on affordable, low-power devices. Available as [services.meshtasticd]
-  (#opt-services.meshtasticd.enable).
+  designed to run on affordable, low-power devices. Available as [services.meshtasticd](#opt-services.meshtasticd.enable).

 - [Goupile](https://goupile.org/en), an open-source design tool for secure forms including Clinical Report Forms (eCRF). Available as [services.goupile](#opt-services.goupile.enable).

- [knot-resolver](https://www.knot-resolver.cz/) in version 6. Available as `services.knot-resolver`. A module for knot-resolver 5 was already available as `services.kresd`.
+- [knot-resolver](https://www.knot-resolver.cz/), in version 6. Available as [services.knot-resolver](#opt-services.knot-resolver.enable). A module for knot-resolver 5 was already available as [services.kresd](#opt-services.kresd.enable).

- [ImmichFrame](https://immichframe.dev/), display your photos from Immich as a digital photo frame. Available as `services.immichframe`.
+- [ImmichFrame](https://immichframe.dev/), display your photos from Immich as a digital photo frame. Available as [services.immichframe](#opt-services.immichframe.enable).

 - [PdfDing](https://www.pdfding.com/), manage, view and edit your PDFs seamlessly on all your devices wherever you are. Available as [services.pdfding](#opt-services.pdfding.enable).

@@ -80,7 +83,7 @@

 - [reaction](https://reaction.ppom.me/), a daemon that scans program outputs for repeated patterns, and takes action. A common usage is to scan ssh and webserver logs, and to ban hosts that cause multiple authentication errors. A modern alternative to fail2ban. Available as [services.reaction](#opt-services.reaction.enable).

- [vinyl-cache] as the Varnish Cache project renamed itself. Available as [services.vinyl-cache](#opt-services.vinyl-cache.enable). To aid the migration, the old `services.varnish` module is still available.
+- [vinyl-cache](https://vinyl-cache.org) as the Varnish Cache project renamed itself. Available as [services.vinyl-cache](#opt-services.vinyl-cache.enable). To aid the migration, the old [services.varnish](#opt-services.varnish.enable) module is still available.

 - [papra](https://papra.app/), an open-source document management platform designed to help you organize, secure, and archive your files effortlessly. Available as [services.papra](#opt-services.papra.enable).

@@ -96,29 +99,29 @@

 - [LibreChat](https://www.librechat.ai/), open-source self-hostable ChatGPT clone with Agents and RAG APIs. Available as [services.librechat](#opt-services.librechat.enable).

- [nohang](https://github.com/hakavlad/nohang), a daemon for Linux that prevents out of memory (OOM) situations from affecting system responsiveness. Available as [services.nohang](#opt-services.nohang.enable)
+- [nohang](https://github.com/hakavlad/nohang), a daemon for Linux that prevents out of memory (OOM) situations from affecting system responsiveness. Available as [services.nohang](#opt-services.nohang.enable).

 - [clevis-luks-askpass](https://github.com/latchset/clevis), automatic LUKS unlocking in initrd using clevis token bindings stored in LUKS headers. Available as [boot.initrd.clevisLuksAskpass](#opt-boot.initrd.clevisLuksAskpass.enable).

 - [bentopdf](https://github.com/alam00000/bentopdf), a privacy-first PDF toolkit running completely in-browser. Available as [services.bentopdf](#opt-services.bentopdf.enable).

- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as `services.hyprwhspr-rs`
+- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as [services.hyprwhspr-rs](#opt-services.hyprwhspr-rs.enable).

 - [DankMaterialShell](https://danklinux.com), a complete desktop shell for Wayland compositors built with Quickshell. Available as [programs.dms-shell](#opt-programs.dms-shell.enable).

- [pyroscope](https://github.com/grafana/pyroscope), a continuous profiling platform. that allows for performance debugging. Available as [services.pyroscope](#opt-services.pyroscope.enable)
+- [pyroscope](https://github.com/grafana/pyroscope), a continuous profiling platform that allows for performance debugging. Available as [services.pyroscope](#opt-services.pyroscope.enable).

 - [dms-greeter](https://danklinux.com), a modern display manager greeter for DankMaterialShell that works with greetd and supports multiple Wayland compositors. Available as [services.displayManager.dms-greeter](#opt-services.displayManager.dms-greeter.enable).

 - [dsearch](https://github.com/AvengeMedia/danksearch), a fast filesystem search service with fuzzy matching. Available as [programs.dsearch](#opt-programs.dsearch.enable).

- [Rustical](https://github.com/lennart-k/rustical), a CalDav/CardDav server aiming to be simple, fast and passwordless. Available as [services.rustical](options.html#opt-services.rustical.enable).
+- [Rustical](https://github.com/lennart-k/rustical), a CalDav/CardDav server aiming to be simple, fast and passwordless. Available as [services.rustical](#opt-services.rustical.enable).

 - [Elephant](https://github.com/abenz1267/elephant), a data provider service and backend for building custom application launchers. Available as [services.elephant](#opt-services.elephant.enable).

 - [Dunst](https://github.com/dunst-project/dunst), a lightweight and customizable notification daemon. Available as [services.dunst](#opt-services.dunst.enable).

- [cocoon](https://github.com/haileyok/cocoon), is a PDS (personal data server) that is a alternative to the bluesky pds. Available as [services.cocoon](#opt-services.cocoon.enable).
+- [cocoon](https://github.com/haileyok/cocoon), a PDS (personal data server) that is an alternative to the Bluesky PDS. Available as [services.cocoon](#opt-services.cocoon.enable).

 - [Ente Auth](https://ente.io/auth/), an open source 2FA authenticator, with end-to-end encrypted backups. Available as [programs.ente-auth](#opt-programs.ente-auth.enable).

@@ -130,19 +133,19 @@

 - [Dawarich](https://dawarich.app/), a self-hostable location history tracker. Available as [services.dawarich](#opt-services.dawarich.enable).

- [Howdy](https://github.com/boltgolt/howdy), a Windows Hello™ style facial authentication program for Linux.
+- [Howdy](https://github.com/boltgolt/howdy), a Windows Hello™ style facial authentication program for Linux. Available as [services.howdy](#opt-services.howdy.enable)

- [SuiteNumérique Drive](https://github.com/suitenumerique/drive), a collaborative file sharing and document management platform that scales. Built with Django and React. Open source alternative to Sharepoint or Google Drive.
+- [SuiteNumérique Drive](https://github.com/suitenumerique/drive), a collaborative file sharing and document management platform that scales. Built with Django and React. Open source alternative to Sharepoint or Google Drive. Available as [services.lasuite-drive](#opt-services.lasuite-drive.enable).

- [linux-enable-ir-emitter](https://github.com/EmixamPP/linux-enable-ir-emitter), a tool used to set up IR cameras, used with Howdy.
+- [linux-enable-ir-emitter](https://github.com/EmixamPP/linux-enable-ir-emitter), a tool used to set up IR cameras, used with Howdy. Available as [services.linux-enable-ir-emitter](#opt-services.linux-enable-ir-emitter.enable).

- [udp-over-tcp](https://github.com/mullvad/udp-over-tcp), a tunnel for proxying UDP traffic over a TCP stream. Available as `services.udp-over-tcp`.
+- [udp-over-tcp](https://github.com/mullvad/udp-over-tcp), a tunnel for proxying UDP traffic over a TCP stream. Available as [](#opt-services.udp-over-tcp.udp2tcp) and [](#opt-services.udp-over-tcp.tcp2udp).

- [turborepo-remote-cache](https://ducktors.github.io/turborepo-remote-cache/), an open-source implementation of the [Turborepo custom remote cache server](https://turbo.build/repo/docs/core-concepts/remote-caching#self-hosting). Available as [services.turborepo-remote-cache](options.html#opt-services.turborepo-remote-cache).
+- [turborepo-remote-cache](https://ducktors.github.io/turborepo-remote-cache/), an open-source implementation of the [Turborepo custom remote cache server](https://turbo.build/repo/docs/core-concepts/remote-caching#self-hosting). Available as [services.turborepo-remote-cache](#opt-services.turborepo-remote-cache.enable).

- [RSSHub](https://github.com/DIYgod/RSSHub), a service to convert many sources into rss. Available as `services.rsshub`.
+- [RSSHub](https://github.com/DIYgod/RSSHub), a service to convert many sources into rss. Available as [services.rsshub](#opt-services.rsshub.enable).

- [ReFrame](https://github.com/AlynxZhou/reframe), a DRM/KMS based remote desktop for Linux that supports Wayland/NVIDIA/headless/login.
+- [ReFrame](https://github.com/AlynxZhou/reframe), a DRM/KMS based remote desktop for Linux that supports Wayland/NVIDIA/headless/login. Available as [services.reframe](#opt-services.reframe.enable)

 - [Komodo Periphery](https://github.com/moghtech/komodo), a multi-server Docker and Git deployment agent by Komodo. Available as [services.komodo-periphery](#opt-services.komodo-periphery.enable).

@@ -158,16 +161,35 @@

 - [Headplane](https://headplane.net), a feature-complete Web UI for Headscale. Available as [services.headplane](#opt-services.headplane.enable).

- [whois](https://packages.qa.debian.org/w/whois.html), an intelligent WHOIS client. Available as `programs.whois`.
+- [whois](https://packages.qa.debian.org/w/whois.html), an intelligent WHOIS client. Available as [programs.whois](#opt-programs.whois.enable).

 - [porxie](https://codeberg.org/Blooym/porxie), a correct and efficient ATProto blob proxy for secure content delivery. Available as [services.porxie](#opt-services.porxie.enable).

- [LogiOps](https://github.com/PixlOne/logiops), a unofficial userspace driver for HID++ Logitech devices. Available as [services.logiops](#opt-services.logiops.enable).
+- [LogiOps](https://github.com/PixlOne/logiops), an unofficial userspace driver for HID++ Logitech devices. Available as [services.logiops](#opt-services.logiops.enable).

 ## Backward Incompatibilities {#sec-release-26.05-incompatibilities}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

+- [](#opt-services.openssh.settings.AcceptEnv) is now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.
+
+- The default packages in [](#opt-services.jenkins.packages) have been dropped, since not every Jenkins installation needs any package at all. It's more reasonable to leave it empty and let users configure what they need.
+
+- [services.taskchampion-sync-server](#opt-services.taskchampion-sync-server.enable) module has had an option [](#opt-services.taskchampion-sync-server.dynamicUser) added to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.
+
+- The [programs.captive-browser](#opt-programs.captive-browser.enable) module no longer falls back on a setcap wrapper around udhcpc to discover your network's DNS server due to [GHSA-wc3r-c66x-8xmc](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc) (CVE-2026-25740). If you're using this module, you must either configure [](#opt-programs.captive-browser.dhcp-dns) manually or enable one of NetworkManager, dhcpcd, or systemd-networkd.
+
+- The [services.yggdrasil](#opt-services.yggdrasil.enable) module has been refactored with the following breaking changes:
+  - The `services.yggdrasil.configFile` option has been removed. Configuration should now be specified directly via [](#opt-services.yggdrasil.settings).
+  - The `services.yggdrasil.persistentKeys` option has been removed. To maintain persistent keys and IPv6 addresses across reboots, use [](#opt-services.yggdrasil.settings.PrivateKeyPath) to securely load your private key from a file via systemd credentials. The private key must be in PEM format (PKCS #8).
+  - Storing `PrivateKey` directly in `settings` is now explicitly forbidden to prevent keys from being stored world-readable in the Nix store.
+  - If you previously used `configFile`, migrate your configuration to the `settings` option and extract the private key to a separate file referenced by `PrivateKeyPath`.
+  - If you previously used `persistentKeys`, convert your keys to PEM format and store them in a secure location accessible only to root, then reference them via `PrivateKeyPath`.
+
+- [services.xserver](#opt-services.xserver.enable) will now throw an error if an X11 driver specified in  `videoDriver(s)` cannot be found. Previously, unknown drivers would be silently ignored.
+
+- The [](#opt-services.avahi.wideArea) option now defaults to `false` as a mitigation against [`CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`](https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g).
+
 - `systemd.coredump.extraConfig` has been removed in favor of the structured [](#opt-systemd.coredump.settings.Coredump) option. Use `systemd.coredump.settings.Coredump` to set any `coredump.conf(5)` option directly. For example, replace `systemd.coredump.extraConfig = "Storage=journal";` with `systemd.coredump.settings.Coredump.Storage = "journal";`.

 - `services.home-assistant.config.lovelace.mode` has been renamed to `lovelace.dashboards` and `lovelace.resource_mode` to match the [configuration format](https://www.home-assistant.io/dashboards/dashboards/) required by Home Assistant 2026.8. Users who explicitly set `lovelace.mode` should remove it; the module generates the correct entries automatically.
@@ -183,9 +205,9 @@

 - `services.crabfit` was removed because its upstream packages are unmaintained and insecure.

- `services.opensnitch.settings.Rules.Path` now defaults to `/var/lib/opensnitch/rules` instead of the previous `/etc/opensnitchd/rules` because it contains mutable data.
+- [services.opensnitch.settings.Rules.Path](#opt-services.opensnitch.settings.Rules.Path) now defaults to `/var/lib/opensnitch/rules` instead of the previous `/etc/opensnitchd/rules` because it contains mutable data.

- `services.mosquitto` now generates per-listener authentication and access control via the upstream `password-file` and `acl-file` plugins instead of the deprecated `password_file` and `acl_file` options. The plugins contain the same code, so behaviour is unchanged, but [](#opt-services.mosquitto.package) must now be at least version 2.1.
+- [services.mosquitto](#opt-services.mosquitto.enable) now generates per-listener authentication and access control via the upstream `password-file` and `acl-file` plugins instead of the deprecated `password_file` and `acl_file` options. The plugins contain the same code, so behaviour is unchanged, but [](#opt-services.mosquitto.package) must now be at least version 2.1.

 - `sing-box` has been updated to 1.13.0, which has removed some deprecated options.  See [upstream documentation](https://sing-box.sagernet.org/configuration/) for details and migration options.

@@ -206,7 +228,7 @@

 - `linux_hardened` kernel has been removed due to a lack of maintenance.

- `services.tandoor-recipes` now uses a sub-directory for media files by default starting with `26.05`. Existing setups should move media files out of the data directory and adjust `services.tandoor-recipes.extraConfig.MEDIA_ROOT` accordingly. See [Migrating media files for pre 26.05 installations](#module-services-tandoor-recipes-migrating-media).
+- [services.tandoor-recipes](#opt-services.tandoor-recipes.enable) now uses a sub-directory for media files by default starting with `26.05`. Existing setups should move media files out of the data directory and adjust `services.tandoor-recipes.extraConfig.MEDIA_ROOT` accordingly. See [Migrating media files for pre 26.05 installations](#module-services-tandoor-recipes-migrating-media).

 - `linux-rt` kernel has been removed due to a lack of maintenance.

@@ -218,13 +240,26 @@

 - `services.uptime` has been removed because the package it relies on does not exist anymore in nixpkgs.

- `services.mattermost` now defaults to version 11, which has dropped support for MySQL in favor of Postgres. As a result, all support for MySQL has been removed from the module.
+- [services.mattermost](#opt-services.mattermost.enable) now defaults to version 11, which has dropped support for MySQL in favor of Postgres. As a result, all support for MySQL has been removed from the module.
  See the [migration steps](https://docs.mattermost.com/deployment-guide/manual-postgres-migration.html) if you were not running Postgres.
+  Note that version 11 also restricts the user limit to 250 [by default](https://forum.mattermost.com/t/clarification-request-on-user-limits-max-250-user-server-v-11/25309);
+  see the `pkgs.mattermost` removeUserLimit and removeFreeBadge options combined with [](#opt-services.mattermost.package) to change this behavior. For example:
+
+```nix
+{
+  services.mattermost.package = pkgs.mattermost.override {
+    removeUserLimit = true;
+    removeFreeBadge = true;
+  };
+}
+```

 - `post-resume.target` has been removed. See {manpage}`systemd.special(7)` about `sleep.target` for instructions on ordering a process after resume with `ExecStop=`.

- `services.kubernetes.addons.dns.coredns` has been renamed to `services.kubernetes.addons.dns.corednsImage` and now expects a
-package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with dockerTools.buildImage is used, instead
+- [services.vsftpd](#opt-services.vsftpd.enable) no longer automatically configures a PAM module.  This means configurations using [](#opt-services.vsftpd.localUsers) will no longer work unless [](#opt-services.vsftpd.enableVirtualUsers) and [](#opt-services.vsftpd.userDbPath) are also configured.  The old behaviour can be restored by setting `security.pam.services.vsftpd.enable = true`, although this only ever worked by accident and may not be secure.
+
+- `services.kubernetes.addons.dns.coredns` has been renamed to [](#opt-services.kubernetes.addons.dns.corednsImage) and now expects a
+package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with `dockerTools.buildImage` is used, instead
 of pulling the upstream container image from Docker Hub. If you want the old behavior, you can set:

 ```nix
@@ -238,7 +273,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
 }
 ```

- `services.stalwart-mail` has been renamed to `services.stalwart` to align with upstream re-brand as an e-mail and collaboration server. Other notable breaking changes to module:
+- `services.stalwart-mail` has been renamed to [`services.stalwart`](#opt-services.stalwart.enable) to align with upstream re-brand as an e-mail and collaboration server. Other notable breaking changes to module:

  - Addition of module-specific `stateVersion` option, which on existing installations of Stalwart must be set to the same as `system.stateVersion`.

@@ -248,9 +283,9 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
  - Default value for `services.stalwart.dataDir` has changed to `/var/lib/stalwart`. If `stateVersion` is older than `26.05`, will fallback to legacy value of `/var/lib/stalwart-mail`.
  - Default tracer name and type have changed to `journal`. If `stateVersion` is older than `26.05`, will fallback to legacy value of `stdout`.

- `services.eintopf` has been renamed to `services.lauti` to align with upstream re-brand as a community online calendar.
+- `services.eintopf` has been renamed to [services.lauti](#opt-services.lauti.enable) to align with upstream re-brand as a community online calendar.

- `services.oauth2-proxy.clientSecret` and `services.oauth2-proxy.cookie.secret` have been replaced with `services.oauth2-proxy.clientSecretFile` and `services.oauth2-proxy.cookie.secretFile` respectively. This was done to ensure secrets don't get made world-readable.
+- `services.oauth2-proxy.clientSecret` and `services.oauth2-proxy.cookie.secret` have been replaced with [](#opt-services.oauth2-proxy.clientSecretFile) and [](#opt-services.oauth2-proxy.cookie.secretFile) respectively. This was done to ensure secrets don't get made world-readable.

 - [`services.grafana.settings.security.secret_key`](#opt-services.grafana.settings.security.secret_key) doesn't have a
  default value anymore. Please generate your own key or hard-code the old one ("SW2YcwTIb9zpOOhoPsMm") explicitly.
@@ -259,7 +294,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
  for further information.

  Please do note that there's no official way to rotate. On a single-node instance with the database and the secret-key being
-  on the same filesystem with the same permissions for Grafana only to read it's most likely OK to keep using the old key.
+  on the same filesystem with the same permissions for Grafana only to read, it is most likely OK to keep using the old key.

  If you need to rotate, a [3rd-party tool, `grafana-secretkey-rotation-tool`](https://github.com/erooke/grafana-secretkey-rotation-tool/tree/d9dc788902fa5185e15cb15ce6129f7237ab6138) is a tested option.
  When using a secret for this value, make sure to use [Grafana's variable expansion to inject secrets](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion).
@@ -270,18 +305,11 @@ of pulling the upstream container image from Docker Hub. If you want the old beh

 - Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.

- `services.headplane` has been updated to 0.6.2, which introduces several changes to the configuration schema:
-  - `services.headplane.settings.oidc.redirect_uri` is deprecated. Use `services.headplane.settings.server.base_url` instead; the OIDC redirect URI is now automatically derived from it. Ensure `base_url` is the bare host URL without the `/admin` suffix.
-  - `services.headplane.settings.oidc.user_storage_file` is deprecated. Headplane 0.6.2 still accepts it to migrate the old JSON user database into the new internal SQL database.
-  - `services.headplane.settings.oidc.strict_validation` is deprecated and has no effect.
-  - `services.headplane.settings.oidc.token_endpoint_auth_method` now defaults to `null` (auto-detection), which typically falls back to `client_secret_basic`. Previous versions defaulted to `client_secret_post`.
-  - `services.headplane.settings.integration.agent.cache_ttl` is deprecated and has no effect in 0.6.2.
-
- `services.immich` no longer supports pgvecto.rs since the package has been removed from nixpkgs.
+- [services.immich](#opt-services.immich.enable) no longer supports pgvecto.rs since the package has been removed from nixpkgs.
  As a result, options `services.immich.database.enableVectors` and `services.immich.database.enableVectorchord` have been removed, and VectorChord is now always used.
  If you have not completed the migration yet, ensure you completely remove the extension from your database before upgrading by following the [migration guide](https://github.com/NixOS/nixpkgs/blob/nixos-25.11/nixos/modules/services/web-apps/immich.md#migrating-from-pgvecto-rs-to-vectorchord-pre-2511-installations-module-services-immich-vectorchord-migration).

- `services.cgit` before always had the git-http-backend and its "export all" setting enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disable `services.cgit.gitHttpBackend.checkExportOkFiles` (or disable the git-http-backend).
+- [](#opt-services.cgit) before always had the git-http-backend and its "export all" setting enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disable `opt-services.cgit.<name>.gitHttpBackend.checkExportOkFiles` (or disable the git-http-backend).

 - `rocmPackages_6` has been removed. `rocmPackages` has been updated to ROCm 7.x. Out of tree packages may rely on obsolete hipblas APIs or compile time constant warp size and need to be updated.

@@ -291,13 +319,11 @@ of pulling the upstream container image from Docker Hub. If you want the old beh

 - The Bash implementation of the `nixos-rebuild` program is removed. All switchable systems now use the Python rewrite. Any prior usage of `system.rebuild.enableNg` must now be removed. If you have any outstanding issues with the new implementation, please open an issue on GitHub.

- `services.desktopManager.gnome` no longer installs the Geary e-mail client since it is not part of the GNOME [core applications](https://apps.gnome.org/) list. Geary's position in the default favorite apps section has been replaced by GNOME Text Editor. To keep it installed, add `programs.geary.enable = true;` to your configuration.
-
- MATE packages have been moved to top level (e.g. if you previously added `pkgs.mate.caja` to `environment.systemPackages`, you will need to change it to `pkgs.caja`).
+- [services.desktopManager.gnome](#opt-services.desktopManager.gnome.enable) no longer installs the Geary e-mail client since it is not part of the GNOME [core applications](https://apps.gnome.org/) list. Geary's position in the default favorite apps section has been replaced by GNOME Text Editor. To keep it installed, add `programs.geary.enable = true;` to your configuration.

 - `walker` has been updated to 2.0.0+, which is a complete rewrite in rust.

-  It now requires a running `elephant` application launcher backend service, which can be enabled using the new `services.elephpant.enable`.
+  It now requires a running `elephant` application launcher backend service, which can be enabled using the new `services.elephant.enable`.

  The way keybinds and actions are handled have been completely revamped. Please refer to the [default config](https://raw.githubusercontent.com/abenz1267/walker/refs/heads/master/resources/config.toml).

@@ -305,7 +331,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh

 - Support for `reiserfs` in nixpkgs has been removed, following the removal in Linux 6.13.

- `services.tor` no longer bind mounts Unix sockets of onion services into its chroot
+- [services.tor](#opt-services.tor.enable) no longer bind mounts Unix sockets of onion services into its chroot
 because it was not reliable. Users should do it themselves using either `JoinsNamespaceOf=` and Unix sockets in `/tmp`
 or `BindPaths=` from a persistent parent directory of each Unix socket.
 See <https://github.com/NixOS/nixpkgs/issues/481673>.
@@ -314,14 +340,14 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.

 - `services.xserver.cmt` has been removed as the `xf86-input-cmt` package was broken and unmaintained upstream.

- `programs.light` was removed from nixpkgs due to the corresponding package being unmaintained upstream. `brightnessctl` and `programs.acpilight` offer replacements.
+- `programs.light` was removed from nixpkgs due to the corresponding package being unmaintained upstream. `brightnessctl` and [hardware.acpilight](#opt-hardware.acpilight.enable) offer replacements.

 - `ceph` has been upgraded to v20. See the [Ceph "tentacle" release notes](https://docs.ceph.com/en/latest/releases/tentacle/#v20-2-0-tentacle) for details and recommended upgrade procedure.
  Note that **upgrades of server-side components are one-way**, and downgrading e.g. an OSD from *Tentacle* to *Squid* is not just not supported but is known to break.

- `services.unifi`'s `jrePackage` option now defaults to `jdk25_headless` instead of `jdk17_headless`, in order to be compatible with new versions of `unifi`.
+- [](#opt-services.unifi.jrePackage) now defaults to `jdk25_headless` instead of `jdk17_headless`, in order to be compatible with new versions of `unifi`.

- The `networking.wireless` module has been security hardened by default: the `wpa_supplicant` daemon now runs under an unprivileged user with restricted access to the system.
+- The [networking.wireless](#opt-networking.wireless.enable) module has been security hardened by default: the `wpa_supplicant` daemon now runs under an unprivileged user with restricted access to the system.

  As part of these changes, `/etc/wpa_supplicant.conf` has been deprecated: the NixOS-generated configuration file is now linked to `/etc/wpa_supplicant/nixos.conf` and `/etc/wpa_supplicant/imperative.conf` has been added for imperatively configuring `wpa_supplicant` or when using [allowAuxiliaryImperativeNetworks](#opt-networking.wireless.allowAuxiliaryImperativeNetworks).

@@ -341,30 +367,20 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
  - In both "networkd" and "scripted" backends, the configuration of name servers is now part of `network-local-commands.service` (fixes issue [#445496](https://github.com/NixOS/nixpkgs/issues/445496)).
  - The issue that resulted in a completely unconfigured network if both `resolvconf` was disabled and no default gateway configured, has also been fixed.

- `kratos` has been updated from 1.3.1 to [25.4.0](https://github.com/ory/kratos/releases/tag/v25.4.0). Upstream switched to a new versioning scheme (year.major.minor). Notable breaking changes:
-
-  - The `migrate sql` CLI command is now `migrate sql up`
-  - OIDC registration validation errors are now placed in the `default` node group instead of `oidc`
-  - Failed OIDC account linking returns HTTP 400 instead of 200
-
- `pdns` has been updated to version [v5.0.x](https://doc.powerdns.com/authoritative/changelog/5.0.html), which introduces breaking changes. Check out the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-5-0-0) for details.
-
 - In the PowerDNS Recursor module, following the deprecation period started with NixOS 25.05, the option {option}`services.pdns-recursor.old-settings` has been removed and {option}`services.pdns-recursor.yaml-settings` consequently renamed to [](#opt-services.pdns-recursor.settings).

- `services.angrr` now uses TOML for configuration. Define policies with `services.angrr.settings` (generate TOML file) or point to a file using `services.angrr.configFile`. The legacy options `services.angrr.period`, `services.angrr.ownedOnly`, and `services.angrr.removeRoot` have been removed. See `man 5 angrr` and the description of `services.angrr.settings` options for examples and details.
+- [services.angrr](#opt-services.angrr.enable) now uses TOML for configuration. Define policies with [](#opt-services.angrr.settings) (generate TOML file) or point to a file using [](#opt-services.angrr.configFile). The legacy options `services.angrr.period`, `services.angrr.ownedOnly`, and `services.angrr.removeRoot` have been removed. See `man 5 angrr` and the description of [](#opt-services.angrr.settings) options for examples and details.

- `services.homepage-dashboard.environmentFile` has been renamed to `services.homepage-dashboard.environmentFiles`, and now expects a list of strings.
+- `services.homepage-dashboard.environmentFile` has been renamed to [](#opt-services.homepage-dashboard.environmentFiles), and now expects a list of strings.

 - `services.pingvin-share` has been removed as the `pingvin-share.backend` package was broken and the project was archived upstream.

- `geph` package's built-in GUI `geph5-client-gui` has been [removed](https://github.com/geph-official/geph5/commit/f2221fb8386312daf2cef05483ebb353ff48bdb4) by the upstream. All users who wish to continue using the GUI should install the `gephgui-wry`, which is consistent with the official release version.
-
- `services.jellyseerr` has been renamed to `services.seerr` following the upstream changes. Notable breaking changes:
+- `services.jellyseerr` has been renamed to [services.seerr](#opt-services.seerr.enable) following the upstream changes. Notable breaking changes:
  - systemd service name changed accordingly.
  - Default config directory moved from `/var/lib/jellyseerr/config` to `/var/lib/seerr/`.
    - If `stateVersion` is older than `26.05`, the module fall backs to the legacy path value.

- `services.vikunja` has been updated to Vikunja [v1.0.0](https://vikunja.io/changelog/whats-new-in-vikunja-1.0.0/), which introduces multiple breaking changes.
+- [services.vikunja](#opt-services.vikunja.enable) has been updated to Vikunja [v1.0.0](https://vikunja.io/changelog/whats-new-in-vikunja-1.0.0/), which introduces multiple breaking changes.
  Notable breaking changes:
  - CORS is enabled by default. The module now sets
    `services.vikunja.settings.service.publicurl` by default. Custom overrides must ensure it is
@@ -375,16 +391,11 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
  - SQLite paths are now relative to `service.rootpath` unless absolute. Startup now validates file
    storage and OAuth providers.

- `xfsprogs` was updated to version 6.18.0, which enables parent pointers and exchange-range by default. Upstream recommends not to use these features with kernels older than 6.18.
-   GRUB2 is likely unable to boot from filesystems with these features enabled.
-
 - `services.xtreemfs` has been removed as the `xtreemfs` package was broken and unmaintained upstream.

- `lunarvim` package has been removed, as it was abandoned upstream and relied on an old version of `neovim` to work properly.
-
 - `opengfw` package and `services.opengfw` module have been removed as the upstream GitHub repository and website have been shut down.

- `services.esphome` no longer uses `DynamicUser`. The service now runs as a static `esphome` system user. systemd handles the migration from `/var/lib/private/esphome` automatically, but users with [impermanence](https://github.com/nix-community/impermanence) setups should ensure `/var/lib/esphome` is persisted.
+- [services.esphome](#opt-services.esphome.enable) no longer uses `DynamicUser`. The service now runs as a static `esphome` system user. systemd handles the migration from `/var/lib/private/esphome` automatically, but users with [impermanence](https://github.com/nix-community/impermanence) setups should ensure `/var/lib/esphome` is persisted.

 - `programs.pqos-wrapper` module has been deleted as the corresponding package has been dropped from nixpkgs.

@@ -394,6 +405,10 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

+- Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.
+
+- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows avoiding switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.
+
 - `switch-to-configuration` now reloads a service instead of restarting it when the only change to its unit is `ExecReload=`, and takes no action when `ExecReload=` is removed. Previously both cases triggered a restart.

 - [`hardware.nvidia.branch`](#opt-hardware.nvidia.branch) was added to select the NVIDIA driver branch; setting [`hardware.nvidia.package`](#opt-hardware.nvidia.package) overrides this.
@@ -402,12 +417,10 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.

 - `nixos/nvidia` now uses EGL external platform ICD libraries built from source (`egl-gbm`, `egl-wayland`, `egl-wayland2`, `egl-x11`) instead of relying on vendor-provided binaries for these components.

- `hardware.nvidia.moduleParams` was added to configure NVIDIA kernel module parameters declaratively. These parameters are now written to `modprobe` configuration instead of being passed through global kernel command-line parameters.
+- [](#opt-hardware.nvidia.moduleParams) was added to configure NVIDIA kernel module parameters declaratively. These parameters are now written to `modprobe` configuration instead of being passed through global kernel command-line parameters.

 - [hardware.xpadneo](#opt-hardware.xpadneo.enable) now supports configuring kernel module parameters via a freeform [settings](#opt-hardware.xpadneo.settings) option, with convenience options for [rumble attenuation](#opt-hardware.xpadneo.rumbleAttenuation) and [controller quirks](#opt-hardware.xpadneo.quirks).

- Wine has been updated to the 11.0 branch. Please check the [upstream announcement](https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0) for more details.
-
 - `security.acme` now defaults to a dynamic renewal duration, if
  [security.acme.defaults.validMinDays](#opt-security.acme.defaults.validMinDays)
  remains unset. This accommodates certificates with different ACME profile:
@@ -417,44 +430,37 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
    - For shortlived certificates with a total validity below 10 days renewal
      will happen after half of the total lifetime has passed

- The module for the Dovecot IMAP server, *services.dovecot*, now uses RFC-42-style settings, exposing a structured interface to write the configuration file.
+- The module for the Dovecot IMAP server, [services.dovecot2](#opt-services.dovecot2.enable), now uses RFC-42-style settings, exposing a structured interface to write the configuration file.

  Also see the list of available settings for [Dovecot 2.3](https://doc.dovecot.org/2.3/settings/core/) or [2.4](https://doc.dovecot.org/2.4.2/core/summaries/settings.html).

- Cinnamon has been updated to 6.6, please check the [upstream announcement](https://www.linuxmint.com/rel_zena_whatsnew.php) for more details.
+- [](#opt-fonts.fontconfig.useEmbeddedBitmaps) is now set to `true` by default.

- Rspamd has been updated to 4.0. Please check the upstream [migration](https://docs.rspamd.com/tutorials/migration/#migration-to-rspamd-400) documentation, especially if you run a sharded Redis deployment.
-
- Budgie has been updated to 10.10, please check the [upstream announcement](https://buddiesofbudgie.org/blog/budgie-10-10-released) for more details.
-
- `fonts.fontconfig.useEmbeddedBitmaps` is now set to `true` by default.
-
- `stestrCheckHook` was added: This test hook runs `stestr run`. You can disable tests with `disabledTests` and `disabledTestsRegex`.
-
- `services.frp` now supports multiple instances through `services.frp.instances` to make it possible to run multiple frp clients or servers at the same time.
-
- `hyphen` now supports over 40 language variants through `hyphenDicts` and now allows to enable all supported languages through `hyphenDicts.all`.
+- [services.frp](#opt-services.frp.instances) now supports multiple instances through [](#opt-services.frp.instances) to make it possible to run multiple frp clients or servers at the same time.

 - [services.resolved](#opt-services.resolved.enable) module was converted to RFC42-style settings. The moved options have also been renamed to match the upstream names. Aliases mean current configs will continue to function, but users should move to the new options as convenient.

- `systemd.sleep.extraConfig` was replaced by [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md)-compliant `systemd.sleep.settings.Sleep`, which is used to generate the `sleep.conf` configuration file. See {manpage}`sleep.conf.d(5)` for available options.
+- `systemd.sleep.extraConfig` was replaced by [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md)-compliant [](#opt-systemd.sleep.settings.Sleep), which is used to generate the `sleep.conf` configuration file. See {manpage}`sleep.conf.d(5)` for available options.

- Support for Bluetooth audio based on `bluez-alsa` has been added to the `hardware.alsa` module. It can be enabled with the new [enableBluetooth](#opt-hardware.alsa.enableBluetooth) option.
- `services.atuin` now has an `environmentFile` option to safely allow configuring secrets, such as an `ATUIN_DB_URI` containing a Postgres password.
+- Support for Bluetooth audio based on `bluez-alsa` has been added to the [hardware.alsa](#opt-hardware.alsa.enable) module. It can be enabled with the new [enableBluetooth](#opt-hardware.alsa.enableBluetooth) option.
+
+- [services.atuin](#opt-services.atuin.enable) now has an `environmentFile` option to safely allow configuring secrets, such as an `ATUIN_DB_URI` containing a Postgres password.

 - `systemd.network.*` has been updated to support all configuration options from upstream `networkd` version 259.

- `networking.resolvconf.enable` now defaults to `true` unconditionally instead of `!(config.environment.etc ? "resolv.conf")`.If you set `environment.etc."resolv.conf"` yourself, then you should also set `networking.resolvconf.enable = false`.
+- [](#opt-networking.resolvconf.enable) now defaults to `true` unconditionally instead of `!(config.environment.etc ? "resolv.conf")`. If you set `environment.etc."resolv.conf"` yourself, then you should also set `networking.resolvconf.enable = false`.

- `services.openssh` now supports generating host SSH keys by setting `services.openssh.generateHostKeys = true` while leaving `services.openssh.enable` disabled.  This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.
+- The [services.drupal](#opt-services.drupal.enable) module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config yamls onto NixOS, and some new settings for managing variable content and filepaths.

- `services.openssh.enableRecommendedAlgorithms` has been added to allow users to opt out of NixOS's curated set of recommended algorithms. This set to true by default, and thus is not a breaking change. Users may want to set this to false if they prefer upstream's default algorithms. See <https://github.com/NixOS/nixpkgs/pull/471330>.
+- [services.openssh](#opt-services.openssh.enable) now supports generating host SSH keys by setting `services.openssh.generateHostKeys = true` while leaving [](#opt-services.openssh.enable) disabled.  This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.

- `services.openssh.banner` has been removed. Use `services.openssh.settings.Banner` instead.
+- [](#opt-services.openssh.enableRecommendedAlgorithms) has been added to allow users to opt out of NixOS's curated set of recommended algorithms. This set to true by default, and thus is not a breaking change. Users may want to set this to false if they prefer upstream's default algorithms. See <https://github.com/NixOS/nixpkgs/pull/471330>.

- IPVLAN interfaces can now be configured through the `networking.ipvlans` option in the networking module.
+- `services.openssh.banner` has been removed. Use [](#opt-services.openssh.settings.Banner) instead.

- `services.caddy` now supports setting `httpPort` and `httpsPort` and opening them in the firewall via `openFirewall`.
+- IPVLAN interfaces can now be configured through the [](#opt-networking.ipvlans) option in the networking module.
+
+- [services.caddy](#opt-services.caddy.enable) now supports setting [](#opt-services.caddy.httpPort) and [](#opt-services.caddy.httpsPort) and opening them in the firewall via [](#opt-services.caddy.openFirewall).

 - The latest available version of Nextcloud is v33 (available as `pkgs.nextcloud33`). The installation logic is as follows:
  - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
@@ -467,59 +473,19 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
  To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`.
  If you set custom Caddy options for a InvoicePlane site, migrate these options by removing `http://` from `services.caddy.virtualHosts."http://example.com"`.

- `services.slurm` now supports slurmrestd usage through the `services.slurm.rest` NixOS options.
+- `services.slurm` now supports slurmrestd usage through the [](#opt-services.slurm.rest.enable) NixOS options.

- The `networking.firewall.logRefusedConnections` option now defaults to
+- The [](#opt-networking.firewall.logRefusedConnections) option now defaults to
  `false`.  Logging of refused or dropped incoming connections can generate a
  very high volume of kernel log messages on internet-facing systems, causing
  the kernel ring buffer (dmesg) to rotate quickly and potentially discard more
  relevant diagnostic information.

- The `services.calibre-web` systemd service has been hardened with additional sandboxing restrictions.
+- The [services.calibre-web](#opt-services.calibre-web.enable) systemd service has been hardened with additional sandboxing restrictions.

 - `services.kanidm` options for server, client and unix were moved under dedicated namespaces.
  For each component `enableComponent` and `componentSettings` are now `component.enable` and
  `component.settings`. The unix module now supports using SSH keys from Kanidm via
  `services.kanidm.unix.sshIntegration = true`.

- `mdbook-linkcheck` has been removed as it is unmaintained and incompatible with the latest version of `mdbook`. Users can instead migrate to `mdbook-linkcheck2`.
-
- `glibc` has been updated to version 2.42.
-
-  This version no longer makes the stack executable when a shared library requires this. A symptom
-  is an error like
-
-  > cannot enable executable stack as shared object requires: Invalid argument
-
-  This is usually a bug. Please consider reporting it to the software maintainers.
-
-  In a lot of cases, the library requires the execstack by mistake only. The following workarounds exist:
-
-  * When building the shared library in question from source, use the following linker flags to force turning off the
-    executable flag:
-
-    ```nix
-    mkDerivation {
-      # …
-
-      env.NIX_LDFLAGS = "-z,noexecstack";
-    }
-    ```
-
-  * If the sources are not available, the execstack-flag can be cleared with `patchelf`:
-
-    ```
-    patchelf --clear-execstack binary-only.so
-    ```
-
-  * If the shared library to be loaded actually requires an executable stack and it isn't turned
-    on by the application loading it, you may force allowing that behavior by setting the
-    following environment variable:
-
-    ```
-    GLIBC_TUNABLES=glibc.rtld.execstack=2
-    ```
-
-    **Do not set this globally!** This makes your setup inherently less secure.
-
- `services.radicle` now supports importing the private key and passphrase as systemd creds.
+- [services.radicle](#opt-services.radicle.enable) now supports importing the private key and passphrase as systemd creds.
--- a/nixos/modules/config/nix-channel.nix
+++ b/nixos/modules/config/nix-channel.nix
@@ -70,7 +70,7 @@ in
      defaultChannel = mkOption {
        internal = true;
        type = types.str;
-        default = "https://channels.nixos.org/nixos-unstable";
+        default = "https://channels.nixos.org/nixos-26.05";
        description = "Default NixOS channel to which the root user is subscribed.";
      };
    };
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -51,6 +51,7 @@ let
      VENDOR_URL = optionalString isNixos "https://nixos.org/";
      DOCUMENTATION_URL = optionalString isNixos "https://nixos.org/learn.html";
      SUPPORT_URL = optionalString isNixos "https://nixos.org/community.html";
+      SUPPORT_END = "2026-12-31";
      BUG_REPORT_URL = optionalString isNixos "https://github.com/NixOS/nixpkgs/issues";
      ANSI_COLOR = optionalString isNixos "0;38;2;126;186;228";
      IMAGE_ID = optionalString (config.system.image.id != null) config.system.image.id;
--- a/nixos/modules/programs/command-not-found/command-not-found.nix
+++ b/nixos/modules/programs/command-not-found/command-not-found.nix
@@ -33,7 +33,10 @@ in

    enable = lib.mkOption {
      type = lib.types.bool;
-      default = false;
+      default = builtins.pathExists config.programs.command-not-found.dbPath;
+      defaultText = lib.literalExpression ''
+        builtins.pathExists config.programs.command-not-found.dbPath
+      '';
      description = ''
        Whether interactive shells should show which Nix package (if
        any) provides a missing command.
@@ -45,6 +48,11 @@ in
    };

    dbPath = lib.mkOption {
+      type = lib.types.path;
+      default = pkgs.path + "/programs.sqlite";
+      defaultText = lib.literalExpression ''
+        pkgs.path + "/programs.sqlite"
+      '';
      description = ''
        Absolute path to `programs.sqlite`, which contains mappings from binary names to package names.

@@ -54,39 +62,29 @@ in
        `/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite`.
        If you do so, you can update it with `sudo nix-channels --update`.
      '';
-      type = lib.types.path;
    };
  };

-  config = lib.mkMerge [
-    {
-      programs.command-not-found = {
-        enable = lib.mkDefault (builtins.pathExists cfg.dbPath);
-        dbPath = pkgs.path + "/programs.sqlite";
-      };
-    }
+  config = lib.mkIf cfg.enable {
+    programs.bash.interactiveShellInit = ''
+      command_not_found_handle() {
+        '${commandNotFound}/bin/command-not-found' "$@"
+      }
+    '';

-    (lib.mkIf cfg.enable {
-      programs.bash.interactiveShellInit = ''
-        command_not_found_handle() {
-          '${commandNotFound}/bin/command-not-found' "$@"
-        }
-      '';
+    programs.zsh.interactiveShellInit = ''
+      command_not_found_handler() {
+        '${commandNotFound}/bin/command-not-found' "$@"
+      }
+    '';

-      programs.zsh.interactiveShellInit = ''
-        command_not_found_handler() {
-          '${commandNotFound}/bin/command-not-found' "$@"
-        }
-      '';
+    # NOTE: Fish by itself checks for nixos command-not-found, let's instead makes it explicit.
+    programs.fish.interactiveShellInit = ''
+      function fish_command_not_found
+         "${commandNotFound}/bin/command-not-found" $argv
+      end
+    '';

-      # NOTE: Fish by itself checks for nixos command-not-found, let's instead makes it explicit.
-      programs.fish.interactiveShellInit = ''
-        function fish_command_not_found
-           "${commandNotFound}/bin/command-not-found" $argv
-        end
-      '';
-
-      environment.systemPackages = [ commandNotFound ];
-    })
-  ];
+    environment.systemPackages = [ commandNotFound ];
+  };
 }
--- a/nixos/modules/programs/lix.nix
+++ b/nixos/modules/programs/lix.nix
@@ -47,6 +47,9 @@ in

 {
  config = lib.mkIf (cfg.enable && nixPackage.pname == "lix") {
+    # Require the tun kernel module for pasta, can be disabled if pasta is not used.
+    boot.kernelModules.tun = lib.mkDefault true;
+
    environment.systemPackages = [
      nixPackage
      pkgs.nix-info
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -245,156 +245,134 @@ in
  };

  ###### implementation
-  config = lib.mkMerge [
-    {
-      warnings = lib.optional (wrappers != { } && !config.security.enableWrappers) ''
-        security.enableWrappers is set to false, but the following wrappers are still enabled and will be silently ignored: ${lib.concatStringsSep ", " (lib.attrNames wrappers)}. This might prevent fundamental functionalities, like PAM authentication. To avoid this warning, either set security.enableWrappers = true, or explicitly disable each wrapper with `enable = false`.
-      '';
-      assertions = [
-        {
-          assertion =
-            !(
-              !config.security.enableWrappers && lib.any (u: u.isNormalUser) (lib.attrValues config.users.users)
-            );
-          message = ''
-            security.enableWrappers is disabled but normal users are defined
-            (${
-              lib.concatStringsSep ", " (
-                lib.mapAttrsToList (n: _: n) (lib.filterAttrs (_: u: u.isNormalUser) config.users.users)
-              )
-            }). Without SUID wrappers, users cannot login. Either enable wrappers or remove all normal user accounts.
-          '';
-        }
-      ];
-    }
-    (lib.mkIf config.security.enableWrappers {
-      assertions = lib.mapAttrsToList (name: opts: {
-        assertion = opts.setuid || opts.setgid -> opts.capabilities == "";
-        message = ''
-          The security.wrappers.${name} wrapper is not valid:
-              setuid/setgid and capabilities are mutually exclusive.
-        '';
-      }) wrappers;
+  config = lib.mkIf config.security.enableWrappers {

-      security.wrappers =
-        let
-          mkSetuidRoot = source: {
-            setuid = true;
-            owner = "root";
-            group = "root";
-            inherit source;
-          };
-        in
-        {
-          # These are mount related wrappers that require the +s permission.
-          mount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount";
-          umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";
+    assertions = lib.mapAttrsToList (name: opts: {
+      assertion = opts.setuid || opts.setgid -> opts.capabilities == "";
+      message = ''
+        The security.wrappers.${name} wrapper is not valid:
+            setuid/setgid and capabilities are mutually exclusive.
+      '';
+    }) wrappers;
+
+    security.wrappers =
+      let
+        mkSetuidRoot = source: {
+          setuid = true;
+          owner = "root";
+          group = "root";
+          inherit source;
        };
-
-      # Make sure our wrapperDir exports to the PATH env variable when
-      # initializing the shell
-      environment.extraInit = ''
-        # Wrappers override other bin directories.
-        export PATH="${wrapperDir}:$PATH"
-      '';
-
-      security.apparmor.includes = lib.mapAttrs' (
-        wrapName: wrap:
-        lib.nameValuePair "nixos/security.wrappers/${wrapName}" ''
-          include "${
-            pkgs.apparmorRulesFromClosure { name = "security.wrappers.${wrapName}"; } [
-              (securityWrapper wrap.source)
-            ]
-          }"
-          mrpx ${wrap.source},
-        ''
-      ) wrappers;
-
-      systemd.mounts = [
-        {
-          where = parentWrapperDir;
-          what = "tmpfs";
-          type = "tmpfs";
-          options = lib.concatStringsSep "," [
-            "nodev"
-            "mode=755"
-            "size=${config.security.wrapperDirSize}"
-          ];
-        }
-      ];
-
-      systemd.services.suid-sgid-wrappers = {
-        description = "Create SUID/SGID Wrappers";
-        wantedBy = [ "sysinit.target" ];
-        before = [
-          "sysinit.target"
-          "shutdown.target"
-        ];
-        conflicts = [ "shutdown.target" ];
-        after = [ "systemd-sysusers.service" ];
-        unitConfig.DefaultDependencies = false;
-        unitConfig.RequiresMountsFor = [
-          "/nix/store"
-          "/run/wrappers"
-        ];
-        serviceConfig.RestrictSUIDSGID = false;
-        serviceConfig.Type = "oneshot";
-        script = ''
-          chmod 755 "${parentWrapperDir}"
-
-          # We want to place the tmpdirs for the wrappers to the parent dir.
-          wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
-          chmod a+rx "$wrapperDir"
-
-          ${lib.concatStringsSep "\n" mkWrappedPrograms}
-
-          if [ -L ${wrapperDir} ]; then
-            # Atomically replace the symlink
-            # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
-            old=$(readlink -f ${wrapperDir})
-            if [ -e "${wrapperDir}-tmp" ]; then
-              rm --force --recursive "${wrapperDir}-tmp"
-            fi
-            ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp"
-            mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}"
-            rm --force --recursive "$old"
-          else
-            # For initial setup
-            ln --symbolic "$wrapperDir" "${wrapperDir}"
-          fi
-        '';
+      in
+      {
+        # These are mount related wrappers that require the +s permission.
+        mount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount";
+        umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";
      };

-      ###### wrappers consistency checks
-      system.checks = lib.singleton (
-        pkgs.runCommand "ensure-all-wrappers-paths-exist"
-          {
-            preferLocalBuild = true;
-          }
-          ''
-            # make sure we produce output
-            mkdir -p $out
+    # Make sure our wrapperDir exports to the PATH env variable when
+    # initializing the shell
+    environment.extraInit = ''
+      # Wrappers override other bin directories.
+      export PATH="${wrapperDir}:$PATH"
+    '';

-            echo -n "Checking that Nix store paths of all wrapped programs exist... "
+    security.apparmor.includes = lib.mapAttrs' (
+      wrapName: wrap:
+      lib.nameValuePair "nixos/security.wrappers/${wrapName}" ''
+        include "${
+          pkgs.apparmorRulesFromClosure { name = "security.wrappers.${wrapName}"; } [
+            (securityWrapper wrap.source)
+          ]
+        }"
+        mrpx ${wrap.source},
+      ''
+    ) wrappers;

-            declare -A wrappers
-            ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: "wrappers['${n}']='${v.source}'") wrappers)}
+    systemd.mounts = [
+      {
+        where = parentWrapperDir;
+        what = "tmpfs";
+        type = "tmpfs";
+        options = lib.concatStringsSep "," [
+          "nodev"
+          "mode=755"
+          "size=${config.security.wrapperDirSize}"
+        ];
+      }
+    ];

-            for name in "''${!wrappers[@]}"; do
-              path="''${wrappers[$name]}"
-              if [[ "$path" =~ /nix/store ]] && [ ! -e "$path" ]; then
-                test -t 1 && echo -ne '\033[1;31m'
-                echo "FAIL"
-                echo "The path $path does not exist!"
-                echo 'Please, check the value of `security.wrappers."'$name'".source`.'
-                test -t 1 && echo -ne '\033[0m'
-                exit 1
-              fi
-            done
+    systemd.services.suid-sgid-wrappers = {
+      description = "Create SUID/SGID Wrappers";
+      wantedBy = [ "sysinit.target" ];
+      before = [
+        "sysinit.target"
+        "shutdown.target"
+      ];
+      conflicts = [ "shutdown.target" ];
+      after = [ "systemd-sysusers.service" ];
+      unitConfig.DefaultDependencies = false;
+      unitConfig.RequiresMountsFor = [
+        "/nix/store"
+        "/run/wrappers"
+      ];
+      serviceConfig.RestrictSUIDSGID = false;
+      serviceConfig.Type = "oneshot";
+      script = ''
+        chmod 755 "${parentWrapperDir}"

-            echo "OK"
-          ''
-      );
-    })
-  ];
+        # We want to place the tmpdirs for the wrappers to the parent dir.
+        wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
+        chmod a+rx "$wrapperDir"
+
+        ${lib.concatStringsSep "\n" mkWrappedPrograms}
+
+        if [ -L ${wrapperDir} ]; then
+          # Atomically replace the symlink
+          # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
+          old=$(readlink -f ${wrapperDir})
+          if [ -e "${wrapperDir}-tmp" ]; then
+            rm --force --recursive "${wrapperDir}-tmp"
+          fi
+          ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp"
+          mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}"
+          rm --force --recursive "$old"
+        else
+          # For initial setup
+          ln --symbolic "$wrapperDir" "${wrapperDir}"
+        fi
+      '';
+    };
+
+    ###### wrappers consistency checks
+    system.checks = lib.singleton (
+      pkgs.runCommand "ensure-all-wrappers-paths-exist"
+        {
+          preferLocalBuild = true;
+        }
+        ''
+          # make sure we produce output
+          mkdir -p $out
+
+          echo -n "Checking that Nix store paths of all wrapped programs exist... "
+
+          declare -A wrappers
+          ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: "wrappers['${n}']='${v.source}'") wrappers)}
+
+          for name in "''${!wrappers[@]}"; do
+            path="''${wrappers[$name]}"
+            if [[ "$path" =~ /nix/store ]] && [ ! -e "$path" ]; then
+              test -t 1 && echo -ne '\033[1;31m'
+              echo "FAIL"
+              echo "The path $path does not exist!"
+              echo 'Please, check the value of `security.wrappers."'$name'".source`.'
+              test -t 1 && echo -ne '\033[0m'
+              exit 1
+            fi
+          done
+
+          echo "OK"
+        ''
+    );
+  };
 }
--- a/nixos/modules/services/audio/music-assistant.nix
+++ b/nixos/modules/services/audio/music-assistant.nix
@@ -155,7 +155,8 @@ in
        CapabilityBoundingSet = [ "" ];
        DevicePolicy = "closed";
        LockPersonality = true;
-        MemoryDenyWriteExecute = !useYTMusic;
+        # breaks pyopenssl's cffi calls, used in remote access feature
+        MemoryDenyWriteExecute = false;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
--- a/nixos/modules/services/continuous-integration/github-runner/options.nix
+++ b/nixos/modules/services/continuous-integration/github-runner/options.nix
@@ -289,7 +289,6 @@
                  "node24"
                ]);
              default = [
-                "node20"
                "node24"
              ];
              description = ''
--- a/nixos/modules/services/desktops/seatd.nix
+++ b/nixos/modules/services/desktops/seatd.nix
@@ -40,6 +40,7 @@ in
  config = lib.mkIf cfg.enable {
    environment.systemPackages = with pkgs; [
      seatd
+      sdnotify-wrapper
    ];
    users.groups.seat = lib.mkIf (cfg.group == "seat") { };

@@ -54,7 +55,7 @@ in
        Type = "notify";
        NotifyAccess = "all";
        SyslogIdentifier = "seatd";
-        ExecStart = "${lib.getExe' pkgs.s6 "s6-notify-socket-from-fd"} ${pkgs.seatd.bin}/bin/seatd -n 1 -u ${cfg.user} -g ${cfg.group} -l ${cfg.logLevel}";
+        ExecStart = "${pkgs.sdnotify-wrapper}/bin/sdnotify-wrapper ${pkgs.seatd.bin}/bin/seatd -n 1 -u ${cfg.user} -g ${cfg.group} -l ${cfg.logLevel}";
        RestartSec = 1;
        Restart = "always";
      };
--- a/nixos/modules/services/mail/stalwart.nix
+++ b/nixos/modules/services/mail/stalwart.nix
@@ -273,6 +273,7 @@ in
          RestrictAddressFamilies = [
            "AF_INET"
            "AF_INET6"
+            "AF_UNIX"
          ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
--- a/nixos/modules/services/networking/fastnetmon-advanced.nix
+++ b/nixos/modules/services/networking/fastnetmon-advanced.nix
@@ -207,6 +207,10 @@ in
          AmbientCapabilities = "cap_net_bind_service";
        };
      };
+
+      services.fastnetmon-advanced.hostgroups = {
+        global = { };
+      };
    })

    (lib.mkIf (cfg.enable && cfg.enableAdvancedTrafficPersistence) {
--- a/nixos/modules/services/networking/porxie.nix
+++ b/nixos/modules/services/networking/porxie.nix
@@ -62,10 +62,10 @@ in
            description = ''
              Admin password for authenticating privileged requests.

-              When unset, all authenticated endpoints will reject requests with HTTP 401.
-
              Authenticated requests always expect the username `admin` as per specification.

+              When not set, authenticated endpoints will be unavailable.
+
              Should be set via {option}`environmentFiles` rather than directly.
            '';
          };
@@ -90,20 +90,17 @@ in
            description = ''
              Maximum blob size that can be served.

-              Blobs that exceed this limit will return HTTP 413.
-
-              The minimum value is 512kb and the maximum is the system's total memory.
+              This value cannot be set higher than the system's total memory.
            '';
          };
          PORXIE_BLOB_CACHE_HEADER = lib.mkOption {
            type = lib.types.nullOr lib.types.str;
            default = null;
            description = ''
-              The `Cache-Control` header value to send alongside blob responses.
+              The Cache-Control header value to send alongside blob responses.

-              This does not affect internal cache lifetimes, only how downstream clients such as
-              CDNs and browsers are instructed to cache responses. Intermediary caches may need
-              to be cleared manually for changes to take effect quickly.
+              This does not affect internal cache lifetimes, only how downstream clients such as CDNs
+              and browsers are instructed to cache responses.
            '';
          };
          PORXIE_BLOB_PROCESSING_TIMEOUT = lib.mkOption {
@@ -116,39 +113,12 @@ in
            default = null;
            description = "Maximum duration before blob fetch requests are timed out.";
          };
-          PORXIE_BLOB_HTTP_CONNECT_TIMEOUT = lib.mkOption {
-            type = lib.types.nullOr lib.types.str;
-            default = null;
-            description = ''
-              Maximum duration before an attempted connection to a blob upstream is aborted.
-
-              This value should be lower than {option}`settings.PORXIE_BLOB_HTTP_TIMEOUT`.
-            '';
-          };

          # Identity.
          PORXIE_IDENTITY_PLC_URL = lib.mkOption {
            type = lib.types.nullOr lib.types.str;
            default = null;
-            description = ''
-              URL of the PLC instance used for `did:plc` lookups.
-
-              Can typically be left as default unless using a custom or local development setup.
-            '';
-          };
-          PORXIE_IDENTITY_HTTP_TIMEOUT = lib.mkOption {
-            type = lib.types.nullOr lib.types.str;
-            default = null;
-            description = "Maximum duration before identity resolution requests are timed out.";
-          };
-          PORXIE_IDENTITY_HTTP_CONNECT_TIMEOUT = lib.mkOption {
-            type = lib.types.nullOr lib.types.str;
-            default = null;
-            description = ''
-              Maximum duration before a connection attempt to an identity upstream is aborted.
-
-              This value should be lower than {option}`settings.PORXIE_IDENTITY_HTTP_TIMEOUT`.
-            '';
+            description = "URL of the PLC instance used for `did:plc` lookups.";
          };

          # Cache.
@@ -158,8 +128,7 @@ in
            description = ''
              Total memory allocation for the internal cache.

-              Blobs are cached using an LFU policy. The most frequently requested blobs are kept
-              longest when the cache approaches its limit.
+              Blobs are cached using an LFU policy. The most frequently requested blobs are kept longest when the cache reaches maximum size.

              For production deployments, a CDN or caching layer in front of this server is
              recommended for lower latency and better global availability.
@@ -195,7 +164,7 @@ in
            description = ''
              Policy service URL that DID+CID pairs will be checked against.

-              Requests are sent via XRPC to `<url>/xrpc/dev.blooym.porxie.getBlobPolicy?did=<did>&cid=<cid>`.
+              Requests are sent via XRPC to `<url>/xrpc/dev.blooym.porxie.getBlobPolicy`.
            '';
          };
          PORXIE_POLICY_REQUEST_HEADERS = lib.mkOption {
@@ -203,10 +172,11 @@ in
            default = null;
            apply = v: if v != null then lib.concatStringsSep "|" v else null;
            description = ''
-              Headers sent alongside all requests to the policy service.
+              Headers sent alongside requests to the policy service.
+
              Each header must be in the format `Name: value`.

-              As pipes are used as a delimiter, they cannot be contained in header values.
+              As pipes are used as a delimiter, they cannot be contained in headers.

              Should be set via {option}`environmentFiles` for sensitive values such as API keys.
            '';
@@ -216,24 +186,10 @@ in
            default = null;
            apply = v: if v != null then lib.boolToString v else null;
            description = ''
-              Allow requests to proceed if the policy service is unavailable.
+              Allow requests to proceed even if the policy service is unavailable.

-              Warning: enabling this means restricted blobs may be served when the policy
-              service is unreachable.
-            '';
-          };
-          PORXIE_POLICY_HTTP_TIMEOUT = lib.mkOption {
-            type = lib.types.nullOr lib.types.str;
-            default = null;
-            description = "Maximum duration before policy service requests are timed out.";
-          };
-          PORXIE_POLICY_HTTP_CONNECT_TIMEOUT = lib.mkOption {
-            type = lib.types.nullOr lib.types.str;
-            default = null;
-            description = ''
-              Maximum duration before an attempted connection to the policy service is aborted.
-
-              This value should be lower than {option}`settings.PORXIE_POLICY_HTTP_TIMEOUT`.
+              Warning: enabling this means restricted blobs may be served when the policy service
+              is unavailable.
            '';
          };
        };
--- a/nixos/modules/services/search/nominatim.nix
+++ b/nixos/modules/services/search/nominatim.nix
@@ -50,6 +50,10 @@ in
    };

    ui = {
+      enable = lib.mkEnableOption "Nominatim UI" // {
+        default = true;
+      };
+
      package = lib.mkPackageOption pkgs "nominatim-ui" { };

      config = lib.mkOption {
@@ -277,7 +281,7 @@ in

      services.nginx = {
        enable = true;
-        appendHttpConfig = ''
+        appendHttpConfig = lib.mkIf cfg.ui.enable ''
          map $args $format {
              default                  default;
              ~(^|&)format=html(&|$)   html;
@@ -304,19 +308,19 @@ in
            enableACME = lib.mkDefault true;
            locations = {
              "= /" = {
-                extraConfig = ''
+                extraConfig = lib.mkIf cfg.ui.enable ''
                  return 301 $scheme://$http_host/ui/search.html;
                '';
              };
              "/" = {
                proxyPass = "http://nominatim";
-                extraConfig = ''
+                extraConfig = lib.mkIf cfg.ui.enable ''
                  if ($forward_to_ui) {
                      rewrite ^(/[^/.]*) /ui$1.html redirect;
                  }
                '';
              };
-              "/ui/" = {
+              "/ui/" = lib.mkIf cfg.ui.enable {
                alias = "${uiPackage}/";
              };
            };
--- a/nixos/modules/services/web-apps/immich.nix
+++ b/nixos/modules/services/web-apps/immich.nix
@@ -380,6 +380,8 @@ in
      MACHINE_LEARNING_WORKERS = "1";
      MACHINE_LEARNING_WORKER_TIMEOUT = "120";
      MACHINE_LEARNING_CACHE_FOLDER = "/var/cache/immich";
+      # TODO: drop when insightface no longer unconditionally imports matplotlib
+      MPLCONFIGDIR = "/var/cache/immich";
      XDG_CACHE_HOME = "/var/cache/immich";
      IMMICH_HOST = "localhost";
      IMMICH_PORT = "3003";
--- a/nixos/modules/virtualisation/nixos-containers.nix
+++ b/nixos/modules/virtualisation/nixos-containers.nix
@@ -607,14 +607,16 @@ in
                                boot.isNspawnContainer = true;
                                networking.hostName = mkDefault name;
                                networking.useDHCP = false;
-                                networking.interfaces = lib.mkIf config.privateNetwork {
-                                  eth0.ipv4.addresses = lib.optional (config.localAddress != null) (
-                                    ipv4FromString config.localAddress
-                                  );
-                                  eth0.ipv6.addresses = lib.optional (config.localAddress6 != null) (
-                                    lib.network.ipv6.fromString config.localAddress6
-                                  );
-                                };
+                                networking.interfaces = lib.mkIf config.privateNetwork (
+                                  lib.mkMerge [
+                                    (lib.mkIf (config.localAddress != null) {
+                                      eth0.ipv4.addresses = [ (ipv4FromString config.localAddress) ];
+                                    })
+                                    (lib.mkIf (config.localAddress6 != null) {
+                                      eth0.ipv6.addresses = [ (lib.network.ipv6.fromString config.localAddress6) ];
+                                    })
+                                  ]
+                                );
                                assertions = [
                                  {
                                    assertion =
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -30,7 +30,8 @@ let

  version = fileContents ../.version;
  versionSuffix =
-    (if stableBranch then "." else "pre") + "${toString nixpkgs.revCount}.${nixpkgs.shortRev}";
+    (if stableBranch then "." else "beta")
+    + "${toString (nixpkgs.revCount - 1004291)}.${nixpkgs.shortRev}";

  # Run the tests for each platform.  You can run a test by doing
  # e.g. ‘nix-build release.nix -A tests.login.x86_64-linux’,
--- a/nixos/tests/evcc.nix
+++ b/nixos/tests/evcc.nix
@@ -7,7 +7,7 @@ in
  name = "evcc";
  meta.maintainers = with lib.maintainers; [ hexa ];

-  nodes = {
+  containers = {
    machine = {
      services.evcc = {
        enable = true;
--- a/nixos/tests/fastnetmon-advanced.nix
+++ b/nixos/tests/fastnetmon-advanced.nix
@@ -62,7 +62,7 @@
      bird.wait_for_unit("bird.service")

      fnm.wait_until_succeeds('journalctl -eu fastnetmon.service | grep "BGP daemon restarted correctly"')
-      fnm.wait_until_succeeds("journalctl -eu gobgp.service | grep BGP_FSM_OPENCONFIRM")
+      fnm.wait_until_succeeds('journalctl -eu gobgp.service | grep "Peer Up"')
      bird.wait_until_succeeds("birdc show protocol fnm | grep Estab")
      fnm.wait_until_succeeds('journalctl -eu fastnetmon.service | grep "API server listening"')
      fnm.succeed("fcli set blackhole 172.23.42.123")
--- a/nixos/tests/mattermost/default.nix
+++ b/nixos/tests/mattermost/default.nix
@@ -58,11 +58,20 @@ import ../make-test-python.nix (
                  UserNoticesEnabled = false;
                };
              };
+              package = pkgs.mattermost.override {
+                removeFreeBadge = true;
+                removeUserLimit = true;
+              };
            } mattermostConfig;

            # Upgrade to the latest Mattermost.
            specialisation.latest.configuration = {
-              services.mattermost.package = lib.mkForce pkgs.mattermostLatest;
+              services.mattermost.package = lib.mkForce (
+                pkgs.mattermostLatest.override {
+                  removeFreeBadge = true;
+                  removeUserLimit = true;
+                }
+              );
              system.stateVersion = lib.mkVMOverride (lib.versions.majorMinor lib.version);
            };
          }
--- a/nixos/tests/pam/zfs-key.nix
+++ b/nixos/tests/pam/zfs-key.nix
@@ -11,6 +11,7 @@ in
    { ... }:
    {
      boot.supportedFilesystems = [ "zfs" ];
+      boot.zfs.forceImportRoot = false;

      networking.hostId = "12345678";

@@ -42,10 +43,10 @@ in
        machine.succeed("truncate -s 64M /testpool.img")
        machine.succeed("zpool create -O canmount=off '${pool}' /testpool.img")
        machine.succeed("zfs create -o canmount=off -p '${homes}'")
-        machine.succeed("echo ${userPassword} | zfs create -o canmount=noauto -o encryption=on -o keyformat=passphrase '${homes}/alice'")
-        machine.succeed("zfs unload-key '${homes}/alice'")
-        machine.succeed("echo ${mismatchPass} | zfs create -o canmount=noauto -o encryption=on -o keyformat=passphrase '${homes}/bob'")
-        machine.succeed("zfs unload-key '${homes}/bob'")
+        machine.succeed("echo ${userPassword} | zfs create -o encryption=on -o keyformat=passphrase '${homes}/alice'")
+        machine.succeed("zfs unmount '${homes}/alice' && zfs unload-key '${homes}/alice'")
+        machine.succeed("echo ${mismatchPass} | zfs create -o encryption=on -o keyformat=passphrase '${homes}/bob'")
+        machine.succeed("zfs unmount '${homes}/bob' && zfs unload-key '${homes}/bob'")

      with subtest("Switch to tty2"):
        machine.fail("pgrep -f 'agetty.*tty2'")
--- a/nixos/tests/pinnwand.nix
+++ b/nixos/tests/pinnwand.nix
@@ -12,7 +12,7 @@ in
    maintainers = [ hexa ];
  };

-  nodes = {
+  containers = {
    server =
      { config, ... }:
      {
--- a/nixos/tests/postfix-tlspol.nix
+++ b/nixos/tests/postfix-tlspol.nix
@@ -7,7 +7,7 @@

  meta.maintainers = with lib.maintainers; [ hexa ];

-  nodes.machine = {
+  containers.machine = {
    services.postfix.enable = true;
    services.postfix-tlspol.enable = true;

--- a/nixos/tests/vsftpd.nix
+++ b/nixos/tests/vsftpd.nix
@@ -4,6 +4,8 @@

  nodes = {
    server = {
+      security.pam.services.vsftpd.enable = true;
+
      services.vsftpd = {
        enable = true;
        userlistDeny = false;
--- a/nixos/tests/zigbee2mqtt.nix
+++ b/nixos/tests/zigbee2mqtt.nix
@@ -6,7 +6,7 @@

 {
  name = "zigbee2mqtt";
-  nodes.machine = {
+  containers.machine = {
    systemd.services.dummy-serial = {
      wantedBy = [
        "multi-user.target"
--- a/pkgs/applications/editors/android-studio/default.nix
+++ b/pkgs/applications/editors/android-studio/default.nix
@@ -21,14 +21,14 @@ let
    url = "https://edgedl.me.gvt1.com/android/studio/ide-zips/2025.3.4.7/android-studio-panda4-patch1-linux.tar.gz";
  };
  betaVersion = {
-    version = "2025.3.4.5"; # "Android Studio Panda 4 | 2025.3.4 RC 1"
-    sha256Hash = "sha256-NiNq1j+rzPU4KsLKYymfi5/Vx2Bn3hK8I3OVIUFloX0=";
-    url = "https://edgedl.me.gvt1.com/android/studio/ide-zips/2025.3.4.5/android-studio-panda4-rc1-linux.tar.gz";
+    version = "2026.1.1.6"; # "Android Studio Quail 1 | 2026.1.1 RC 1"
+    sha256Hash = "sha256-b6PVgBTTjIgm6BI171RL7T6GJD9ApnTWGOTqvt703PQ=";
+    url = "https://edgedl.me.gvt1.com/android/studio/ide-zips/2026.1.1.6/android-studio-quail1-rc1-linux.tar.gz";
  };
  latestVersion = {
-    version = "2026.1.1.5"; # "Android Studio Quail 1 | 2026.1.1 Canary 5"
-    sha256Hash = "sha256-k4rM0MyTh0wnpsK8m6Hs1nSdwYpqUiQ+z7oiO6hn9YQ=";
-    url = "https://edgedl.me.gvt1.com/android/studio/ide-zips/2026.1.1.5/android-studio-quail1-canary5-linux.tar.gz";
+    version = "2026.1.2.2"; # "Android Studio Quail 2 | 2026.1.2 Canary 2"
+    sha256Hash = "sha256-+FmW72k48GF71yzCdpIAl//qi6w26Qg8gZUW5/Nuh58=";
+    url = "https://edgedl.me.gvt1.com/android/studio/ide-zips/2026.1.2.2/android-studio-quail2-canary2-linux.tar.gz";
  };
 in
 {
--- a/pkgs/applications/editors/vim/plugins/non-generated/blink-pairs/default.nix
+++ b/pkgs/applications/editors/vim/plugins/non-generated/blink-pairs/default.nix
@@ -8,13 +8,13 @@
  nix-update-script,
 }:
 let
-  version = "0.4.1";
+  version = "0.5.0";

  src = fetchFromGitHub {
    owner = "Saghen";
    repo = "blink.pairs";
    tag = "v${version}";
-    hash = "sha256-IfnFSusQMm6LujE1AmihK9wEF2RSGfKYwpV2fedg0fc=";
+    hash = "sha256-PTbj6jlXNRUOmwFSplvRDDiyyGqkBzUKtuBrvZm9kzM=";
  };

  blink-pairs-lib = rustPlatform.buildRustPackage {
@@ -51,6 +51,12 @@ vimUtils.buildVimPlugin {
      ln -s ${blink-pairs-lib}/lib/libblink_pairs${ext} target/release/
    '';

+  nvimSkipModules = [
+    # a module to quickly setup a minimal reproduction environment for testing
+    # bugs. therefore mostly useless from a consumer side
+    "repro"
+  ];
+
  passthru = {
    updateScript = nix-update-script {
      attrPath = "vimPlugins.blink-pairs.blink-pairs-lib";
--- a/pkgs/applications/editors/vim/plugins/overrides.nix
+++ b/pkgs/applications/editors/vim/plugins/overrides.nix
--- a/pkgs/applications/misc/cura/plugins.nix
+++ b/pkgs/applications/misc/cura/plugins.nix
@@ -1,84 +0,0 @@
-{
-  lib,
-  stdenv,
-  fetchFromGitHub,
-  python3Packages,
-  libspnav,
-  jq,
-}:
-
-let
-
-  self = {
-
-    octoprint = stdenv.mkDerivation {
-      pname = "Cura-OctoPrintPlugin";
-      version = "3.5.18";
-
-      src = fetchFromGitHub {
-        owner = "fieldOfView";
-        repo = "Cura-OctoPrintPlugin";
-        rev = "7bd73946fbf22d18337dc900a81a011ece26bee0";
-        sha256 = "057b2f5f49p96lkh2wsr9w6yh2003x4a85irqsgbzp6igmk8imdn";
-      };
-
-      propagatedBuildInputs = with python3Packages; [
-        netifaces
-      ];
-
-      installPhase = ''
-        mkdir -p $out/lib/cura/plugins/OctoPrintPlugin
-        cp -rv . $out/lib/cura/plugins/OctoPrintPlugin/
-      '';
-
-      meta = {
-        description = "Enables printing directly to OctoPrint and monitoring the process";
-        homepage = "https://github.com/fieldOfView/Cura-OctoPrintPlugin";
-        license = lib.licenses.agpl3Plus;
-        maintainers = [ ];
-      };
-    };
-
-    rawmouse = stdenv.mkDerivation rec {
-      pname = "RawMouse";
-      version = "1.1.0";
-
-      src = fetchFromGitHub {
-        owner = "smartavionics";
-        repo = "RawMouse";
-        rev = version;
-        sha256 = "0hvi7qwd4xfnqnhbj9dgfjmvv9df7s42asf3fdfxv43n6nx74scw";
-      };
-
-      nativeBuildInputs = [ jq ];
-
-      propagatedBuildInputs = with python3Packages; [
-        hidapi
-      ];
-
-      buildPhase = ''
-        jq 'del(.devices) | .libspnav="${libspnav}/lib/libspnav.so"' \
-          <RawMouse/config.json >RawMouse/config.json.new
-        mv RawMouse/config.json.new RawMouse/config.json
-
-        # remove prebuilt binaries
-        rm -r RawMouse/hidapi
-      '';
-
-      installPhase = ''
-        mkdir -p $out/lib/cura/plugins/RawMouse
-        cp -rv . $out/lib/cura/plugins/RawMouse/
-      '';
-
-      meta = {
-        description = "Cura plugin for HID mice such as 3Dconnexion spacemouse";
-        homepage = "https://github.com/smartavionics/RawMouse";
-        license = lib.licenses.agpl3Plus;
-        maintainers = [ ];
-      };
-    };
-
-  };
-
-in
-self
--- a/pkgs/applications/misc/curaengine/default.nix
+++ b/pkgs/applications/misc/curaengine/default.nix
@@ -1,49 +0,0 @@
-{
-  lib,
-  stdenv,
-  fetchFromGitHub,
-  cmake,
-  libarcus,
-  stb,
-  protobuf,
-  fetchpatch,
-}:
-
-stdenv.mkDerivation (finalAttrs: {
-  pname = "curaengine";
-  version = "4.13.1";
-
-  src = fetchFromGitHub {
-    owner = "Ultimaker";
-    repo = "CuraEngine";
-    rev = finalAttrs.version;
-    sha256 = "sha256-dx0Q6cuA66lG4nwR7quW5Tvs9sdxjdV4gtpxXirI4nY=";
-  };
-
-  nativeBuildInputs = [ cmake ];
-  buildInputs = [
-    libarcus
-    stb
-    protobuf
-  ];
-
-  cmakeFlags = [ "-DCURA_ENGINE_VERSION=${finalAttrs.version}" ];
-
-  # TODO already fixed in master, remove in next release
-  patches = [
-    (fetchpatch {
-      url = "https://github.com/Ultimaker/CuraEngine/commit/de60e86a6ea11cb7d121471b5dd192e5deac0f3d.patch";
-      hash = "sha256-/gT9yErIDDYAXvZ6vX5TGlwljy31K563+sqkm1UGljQ=";
-      includes = [ "src/utils/math.h" ];
-    })
-  ];
-
-  meta = {
-    description = "Powerful, fast and robust engine for processing 3D models into 3D printing instruction";
-    homepage = "https://github.com/Ultimaker/CuraEngine";
-    license = lib.licenses.agpl3Only;
-    platforms = lib.platforms.linux;
-    maintainers = [ ];
-    mainProgram = "CuraEngine";
-  };
-})
--- a/pkgs/applications/networking/browsers/chromium/info.json
+++ b/pkgs/applications/networking/browsers/chromium/info.json
@@ -1,10 +1,10 @@
 {
  "chromium": {
-    "version": "148.0.7778.178",
+    "version": "148.0.7778.215",
    "chromedriver": {
-      "version": "148.0.7778.179",
-      "hash_darwin": "sha256-jDw+ON0X8rePW1HLBZ5FVKMibImBuW/Tp0EDZ/UjJlw=",
-      "hash_darwin_aarch64": "sha256-hNaaKMVy8sKNU444Uf78YI3ayUATrTBAr6/7Z3jewv0="
+      "version": "148.0.7778.216",
+      "hash_darwin": "sha256-gsK7Q3rwfQQ0iE5e/st/3gGtU+D8dGsTycffpEejmhw=",
+      "hash_darwin_aarch64": "sha256-zHASbRPnYf2q1qq8FsKnYrLwPjzoGk0tzLxB9SdTXFw="
    },
    "deps": {
      "depot_tools": {
@@ -21,8 +21,8 @@
    "DEPS": {
      "src": {
        "url": "https://chromium.googlesource.com/chromium/src.git",
-        "rev": "d096af1c9e98c45c3596e59620622b1a049bfecb",
-        "hash": "sha256-XRalekzeALnDh9KiGqhYdhXvkGkjO3TOIZeqwpPLO+U=",
+        "rev": "7c855c70efe3f6ade6663c1520913fa7f63a0b2b",
+        "hash": "sha256-uDVYgSjxQ+xw8DHVd5UNkqnUrJ6P5ZWxL2tZToBhgQg=",
        "recompress": true
      },
      "src/third_party/clang-format/script": {
@@ -92,8 +92,8 @@
      },
      "src/third_party/angle": {
        "url": "https://chromium.googlesource.com/angle/angle.git",
-        "rev": "50fd896fb21cca91f325812d01d1e971593efc73",
-        "hash": "sha256-HcfKm7UQmg3wMDOytmaYzm7Z7gRdOrRoqAKaE0ZdI4E="
+        "rev": "a101e2d1db6da927325273566fe8f5404fa3a9bd",
+        "hash": "sha256-uIqodvHxEY9xNse2IHNns2Mz9zLAUZSSIN7pAXB8cPs="
      },
      "src/third_party/angle/third_party/glmark2/src": {
        "url": "https://chromium.googlesource.com/external/github.com/glmark2/glmark2",
@@ -132,8 +132,8 @@
      },
      "src/third_party/dawn": {
        "url": "https://dawn.googlesource.com/dawn.git",
-        "rev": "19696dd088b8ed5804e2f02a8f83f5afdb3e99e3",
-        "hash": "sha256-ihnVPCk9412UzCmoABWVUhiGaIdIYxiYMkk43KDqpg8="
+        "rev": "78a9030d63048d832c4b822839bffe38ad4f20e5",
+        "hash": "sha256-ZknkLN64TYAN5j9WsgtKlRBrAc3iCM084zpc8Zui8Ts="
      },
      "src/third_party/dawn/third_party/glfw3/src": {
        "url": "https://chromium.googlesource.com/external/github.com/glfw/glfw",
@@ -267,8 +267,8 @@
      },
      "src/third_party/devtools-frontend/src": {
        "url": "https://chromium.googlesource.com/devtools/devtools-frontend",
-        "rev": "6efd6eb1d85fd67fdcc2385c54fa56c524bec3f7",
-        "hash": "sha256-1pr3+RK519m+wtcacJB3PcDTL+qSHlOn1ctxpoLzTf8="
+        "rev": "1fb83ff123c44ab59a480056c8c1ba3d33c2caf0",
+        "hash": "sha256-S6agM7HMZ2g2W6e9tYdLSXr0Lc6zeQF9hAYLIeImAYQ="
      },
      "src/third_party/dom_distiller_js/dist": {
        "url": "https://chromium.googlesource.com/chromium/dom-distiller/dist.git",
@@ -332,8 +332,8 @@
      },
      "src/third_party/freetype/src": {
        "url": "https://chromium.googlesource.com/chromium/src/third_party/freetype2.git",
-        "rev": "99b479dc34728936b006679a31e12b8cf432fc55",
-        "hash": "sha256-H5RzBFYWIp/QYKyeBM2wfuX7FvXHPbhCAp7qne5Zvhw="
+        "rev": "6d9fc45fc4bca8aef0b8f65592520673638c3334",
+        "hash": "sha256-A21ONLz8HxoBkOL/jHfs5YwePmOnFyNdlNYSJa9wers="
      },
      "src/third_party/fxdiv/src": {
        "url": "https://chromium.googlesource.com/external/github.com/Maratyszcza/FXdiv.git",
@@ -342,8 +342,8 @@
      },
      "src/third_party/harfbuzz/src": {
        "url": "https://chromium.googlesource.com/external/github.com/harfbuzz/harfbuzz.git",
-        "rev": "f027b8e9039f73bf803eae684fee2eb2d30e4180",
-        "hash": "sha256-HWb3QbPl+RE2oI/Jwv5BjKwv9UnJ8VcJvk+uGy9cAqM="
+        "rev": "67bb413f586f36ba44d740319cb7a28b3d283ea6",
+        "hash": "sha256-WCPEkbiiU8dENM+ik0KokW9Uxmz0xlsRFVVPPOEOZXw="
      },
      "src/third_party/ink/src": {
        "url": "https://chromium.googlesource.com/external/github.com/google/ink.git",
@@ -432,8 +432,8 @@
      },
      "src/third_party/libaom/source/libaom": {
        "url": "https://aomedia.googlesource.com/aom.git",
-        "rev": "b63f30b6d30028a3d7d9c5223def8f3ad97dcc4c",
-        "hash": "sha256-LaBEcVcSB8WB9ZNRgPSiGaKdQL5f3wll2sPb9OhN5SE="
+        "rev": "343cee0a952f8c7d329e59ff3ac2c8bdbe70ec6a",
+        "hash": "sha256-H8Eu3BiUIiZcyReGDyFq9UvjdMJOX00ERjru8+I0zL8="
      },
      "src/third_party/crabbyavif/src": {
        "url": "https://chromium.googlesource.com/external/github.com/webmproject/CrabbyAvif.git",
@@ -612,8 +612,8 @@
      },
      "src/third_party/pdfium": {
        "url": "https://pdfium.googlesource.com/pdfium.git",
-        "rev": "a78c62d93a8f514ea2cd98a70bd1d21226be9d93",
-        "hash": "sha256-qd3Oa/JFzoI5hKDY2/OQAzdr2z9srUj0H6oKz0R516U="
+        "rev": "72ea487e4399c44c3a53a48b104f9612ca772008",
+        "hash": "sha256-0VgmDPyF5k81nBXdo88CcIIbz6XRhaiADnG8gwDGZZk="
      },
      "src/third_party/perfetto": {
        "url": "https://chromium.googlesource.com/external/github.com/google/perfetto.git",
@@ -662,8 +662,8 @@
      },
      "src/third_party/skia": {
        "url": "https://skia.googlesource.com/skia.git",
-        "rev": "a2888b27a98e4ff30085d4d2dba8a1a99baf6dfb",
-        "hash": "sha256-eOjFuMmXr9YtZ0e4yDB8JMjTrNWEg5OlTkAMGuHZIWE="
+        "rev": "03c3234e64f9fbbbcf6a7b9c79e94059df49dbfe",
+        "hash": "sha256-e0MSCbqv4u4995nowzipKorkn6mPpO7tf8+ygj3/nFY="
      },
      "src/third_party/smhasher/src": {
        "url": "https://chromium.googlesource.com/external/smhasher.git",
@@ -797,8 +797,8 @@
      },
      "src/third_party/webrtc": {
        "url": "https://webrtc.googlesource.com/src.git",
-        "rev": "9a7f650bcd14f241d20f88f4e1ea3b7300de72ac",
-        "hash": "sha256-k5cHE4XURJQrPURmXk4MMNV5k8+ryKfjmsVTzARRro4="
+        "rev": "e3ee86921c57b9f8921045e77f098604803cb66c",
+        "hash": "sha256-n39HENOXmatsZLF6jdYRsb+wl2cM0i6ngT4Zbyu5ayE="
      },
      "src/third_party/wuffs/src": {
        "url": "https://skia.googlesource.com/external/github.com/google/wuffs-mirror-release-c.git",
@@ -822,13 +822,13 @@
      },
      "src/v8": {
        "url": "https://chromium.googlesource.com/v8/v8.git",
-        "rev": "ad6e4525c418a92147c8247ef9d144ce4c242a38",
-        "hash": "sha256-+cQdsWTgIohd3yOCsNCprSr4Ctes77fWGdmPxN2tQlM="
+        "rev": "5e24a1fd6ffb840b93ee90a800897fcb4d60eeab",
+        "hash": "sha256-JcBGaXhqNRIA4NPPV4eANVM93wsQ9QxSLO/Ecz3wklU="
      }
    }
  },
  "ungoogled-chromium": {
-    "version": "148.0.7778.178",
+    "version": "148.0.7778.215",
    "deps": {
      "depot_tools": {
        "rev": "41c40cfaec7ee3bf0423c59925d8b23982a601f1",
@@ -840,16 +840,16 @@
        "hash": "sha256-BTPD8WM1pVAMkFDlHekMdWFGyf63KdhKkKwsqikqoBQ="
      },
      "ungoogled-patches": {
-        "rev": "148.0.7778.178-1",
-        "hash": "sha256-s4zTU4rQUcrfpg7CWFdvEn3JYNqhHGsAFcYmQGS64fc="
+        "rev": "148.0.7778.215-1",
+        "hash": "sha256-Rp+PuyOQ26Cqiu+8sNlJkjp/3bO968NYNX1AgHOyYOA="
      },
      "npmHash": "sha256-JuVcY8iFRDWcPcP4Pg+qm5rnTXkiVfNsqSkXbDWqsE8="
    },
    "DEPS": {
      "src": {
        "url": "https://chromium.googlesource.com/chromium/src.git",
-        "rev": "d096af1c9e98c45c3596e59620622b1a049bfecb",
-        "hash": "sha256-XRalekzeALnDh9KiGqhYdhXvkGkjO3TOIZeqwpPLO+U=",
+        "rev": "7c855c70efe3f6ade6663c1520913fa7f63a0b2b",
+        "hash": "sha256-uDVYgSjxQ+xw8DHVd5UNkqnUrJ6P5ZWxL2tZToBhgQg=",
        "recompress": true
      },
      "src/third_party/clang-format/script": {
@@ -919,8 +919,8 @@
      },
      "src/third_party/angle": {
        "url": "https://chromium.googlesource.com/angle/angle.git",
-        "rev": "50fd896fb21cca91f325812d01d1e971593efc73",
-        "hash": "sha256-HcfKm7UQmg3wMDOytmaYzm7Z7gRdOrRoqAKaE0ZdI4E="
+        "rev": "a101e2d1db6da927325273566fe8f5404fa3a9bd",
+        "hash": "sha256-uIqodvHxEY9xNse2IHNns2Mz9zLAUZSSIN7pAXB8cPs="
      },
      "src/third_party/angle/third_party/glmark2/src": {
        "url": "https://chromium.googlesource.com/external/github.com/glmark2/glmark2",
@@ -959,8 +959,8 @@
      },
      "src/third_party/dawn": {
        "url": "https://dawn.googlesource.com/dawn.git",
-        "rev": "19696dd088b8ed5804e2f02a8f83f5afdb3e99e3",
-        "hash": "sha256-ihnVPCk9412UzCmoABWVUhiGaIdIYxiYMkk43KDqpg8="
+        "rev": "78a9030d63048d832c4b822839bffe38ad4f20e5",
+        "hash": "sha256-ZknkLN64TYAN5j9WsgtKlRBrAc3iCM084zpc8Zui8Ts="
      },
      "src/third_party/dawn/third_party/glfw3/src": {
        "url": "https://chromium.googlesource.com/external/github.com/glfw/glfw",
@@ -1094,8 +1094,8 @@
      },
      "src/third_party/devtools-frontend/src": {
        "url": "https://chromium.googlesource.com/devtools/devtools-frontend",
-        "rev": "6efd6eb1d85fd67fdcc2385c54fa56c524bec3f7",
-        "hash": "sha256-1pr3+RK519m+wtcacJB3PcDTL+qSHlOn1ctxpoLzTf8="
+        "rev": "1fb83ff123c44ab59a480056c8c1ba3d33c2caf0",
+        "hash": "sha256-S6agM7HMZ2g2W6e9tYdLSXr0Lc6zeQF9hAYLIeImAYQ="
      },
      "src/third_party/dom_distiller_js/dist": {
        "url": "https://chromium.googlesource.com/chromium/dom-distiller/dist.git",
@@ -1159,8 +1159,8 @@
      },
      "src/third_party/freetype/src": {
        "url": "https://chromium.googlesource.com/chromium/src/third_party/freetype2.git",
-        "rev": "99b479dc34728936b006679a31e12b8cf432fc55",
-        "hash": "sha256-H5RzBFYWIp/QYKyeBM2wfuX7FvXHPbhCAp7qne5Zvhw="
+        "rev": "6d9fc45fc4bca8aef0b8f65592520673638c3334",
+        "hash": "sha256-A21ONLz8HxoBkOL/jHfs5YwePmOnFyNdlNYSJa9wers="
      },
      "src/third_party/fxdiv/src": {
        "url": "https://chromium.googlesource.com/external/github.com/Maratyszcza/FXdiv.git",
@@ -1169,8 +1169,8 @@
      },
      "src/third_party/harfbuzz/src": {
        "url": "https://chromium.googlesource.com/external/github.com/harfbuzz/harfbuzz.git",
-        "rev": "f027b8e9039f73bf803eae684fee2eb2d30e4180",
-        "hash": "sha256-HWb3QbPl+RE2oI/Jwv5BjKwv9UnJ8VcJvk+uGy9cAqM="
+        "rev": "67bb413f586f36ba44d740319cb7a28b3d283ea6",
+        "hash": "sha256-WCPEkbiiU8dENM+ik0KokW9Uxmz0xlsRFVVPPOEOZXw="
      },
      "src/third_party/ink/src": {
        "url": "https://chromium.googlesource.com/external/github.com/google/ink.git",
@@ -1259,8 +1259,8 @@
      },
      "src/third_party/libaom/source/libaom": {
        "url": "https://aomedia.googlesource.com/aom.git",
-        "rev": "b63f30b6d30028a3d7d9c5223def8f3ad97dcc4c",
-        "hash": "sha256-LaBEcVcSB8WB9ZNRgPSiGaKdQL5f3wll2sPb9OhN5SE="
+        "rev": "343cee0a952f8c7d329e59ff3ac2c8bdbe70ec6a",
+        "hash": "sha256-H8Eu3BiUIiZcyReGDyFq9UvjdMJOX00ERjru8+I0zL8="
      },
      "src/third_party/crabbyavif/src": {
        "url": "https://chromium.googlesource.com/external/github.com/webmproject/CrabbyAvif.git",
@@ -1439,8 +1439,8 @@
      },
      "src/third_party/pdfium": {
        "url": "https://pdfium.googlesource.com/pdfium.git",
-        "rev": "a78c62d93a8f514ea2cd98a70bd1d21226be9d93",
-        "hash": "sha256-qd3Oa/JFzoI5hKDY2/OQAzdr2z9srUj0H6oKz0R516U="
+        "rev": "72ea487e4399c44c3a53a48b104f9612ca772008",
+        "hash": "sha256-0VgmDPyF5k81nBXdo88CcIIbz6XRhaiADnG8gwDGZZk="
      },
      "src/third_party/perfetto": {
        "url": "https://chromium.googlesource.com/external/github.com/google/perfetto.git",
@@ -1489,8 +1489,8 @@
      },
      "src/third_party/skia": {
        "url": "https://skia.googlesource.com/skia.git",
-        "rev": "a2888b27a98e4ff30085d4d2dba8a1a99baf6dfb",
-        "hash": "sha256-eOjFuMmXr9YtZ0e4yDB8JMjTrNWEg5OlTkAMGuHZIWE="
+        "rev": "03c3234e64f9fbbbcf6a7b9c79e94059df49dbfe",
+        "hash": "sha256-e0MSCbqv4u4995nowzipKorkn6mPpO7tf8+ygj3/nFY="
      },
      "src/third_party/smhasher/src": {
        "url": "https://chromium.googlesource.com/external/smhasher.git",
@@ -1624,8 +1624,8 @@
      },
      "src/third_party/webrtc": {
        "url": "https://webrtc.googlesource.com/src.git",
-        "rev": "9a7f650bcd14f241d20f88f4e1ea3b7300de72ac",
-        "hash": "sha256-k5cHE4XURJQrPURmXk4MMNV5k8+ryKfjmsVTzARRro4="
+        "rev": "e3ee86921c57b9f8921045e77f098604803cb66c",
+        "hash": "sha256-n39HENOXmatsZLF6jdYRsb+wl2cM0i6ngT4Zbyu5ayE="
      },
      "src/third_party/wuffs/src": {
        "url": "https://skia.googlesource.com/external/github.com/google/wuffs-mirror-release-c.git",
@@ -1649,8 +1649,8 @@
      },
      "src/v8": {
        "url": "https://chromium.googlesource.com/v8/v8.git",
-        "rev": "ad6e4525c418a92147c8247ef9d144ce4c242a38",
-        "hash": "sha256-+cQdsWTgIohd3yOCsNCprSr4Ctes77fWGdmPxN2tQlM="
+        "rev": "5e24a1fd6ffb840b93ee90a800897fcb4d60eeab",
+        "hash": "sha256-JcBGaXhqNRIA4NPPV4eANVM93wsQ9QxSLO/Ecz3wklU="
      }
    }
  }
--- a/pkgs/applications/networking/browsers/firefox-bin/release_sources.nix
+++ b/pkgs/applications/networking/browsers/firefox-bin/release_sources.nix
--- a/pkgs/applications/networking/browsers/firefox/packages/firefox.nix
+++ b/pkgs/applications/networking/browsers/firefox/packages/firefox.nix
@@ -9,10 +9,10 @@

 buildMozillaMach rec {
  pname = "firefox";
-  version = "151.0.1";
+  version = "151.0.2";
  src = fetchurl {
    url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-    sha512 = "8492a1bb956b38373153938bd18b0e18e3a4ad0d2abc2017b45e02bc2768c8f468d5c06329a32485a03a67bb9c22102e6abff1e73080c77764735d430dc77277";
+    sha512 = "87308953ed354a2799a9a45be40033bf9ff8d80fa220f034aacfbd6e754716901d4164c37fa56032c659b259116603e0ba2b566c1f3651ab9cc0835d502cd739";
  };

  meta = {
--- a/pkgs/applications/networking/browsers/firefox/wrapper.nix
+++ b/pkgs/applications/networking/browsers/firefox/wrapper.nix
@@ -166,36 +166,34 @@ let
          ) (lib.optionals usesNixExtensions nixExtensions);

      enterprisePolicies = {
-        policies = {
-          DisableAppUpdate = true;
-        }
-        // lib.optionalAttrs usesNixExtensions {
-          ExtensionSettings = {
-            "*" = {
-              blocked_install_message = "You can't have manual extension mixed with nix extensions";
-              installation_mode = "blocked";
-            };
-          }
-          // lib.foldr (
-            e: ret:
-            ret
-            // {
-              "${e.extid}" = {
-                installation_mode = "allowed";
+        policies =
+          lib.optionalAttrs usesNixExtensions {
+            ExtensionSettings = {
+              "*" = {
+                blocked_install_message = "You can't have manual extension mixed with nix extensions";
+                installation_mode = "blocked";
              };
            }
-          ) { } extensions;
+            // lib.foldr (
+              e: ret:
+              ret
+              // {
+                "${e.extid}" = {
+                  installation_mode = "allowed";
+                };
+              }
+            ) { } extensions;

-          Extensions = {
-            Install = lib.foldr (e: ret: ret ++ [ "${e.outPath}/${e.extid}.xpi" ]) [ ] extensions;
-          };
-        }
-        // lib.optionalAttrs smartcardSupport {
-          SecurityDevices = {
-            "OpenSC PKCS#11 Module" = "opensc-pkcs11.so";
-          };
-        }
-        // extraPolicies;
+            Extensions = {
+              Install = lib.foldr (e: ret: ret ++ [ "${e.outPath}/${e.extid}.xpi" ]) [ ] extensions;
+            };
+          }
+          // lib.optionalAttrs smartcardSupport {
+            SecurityDevices = {
+              "OpenSC PKCS#11 Module" = "opensc-pkcs11.so";
+            };
+          }
+          // extraPolicies;
      };

      mozillaCfg = ''
@@ -414,6 +412,9 @@ let
            ln -sfT "$target" "$out/$l"
          done

+          # Disable update checks
+          touch $out/${libDir}/is-packaged-app
+
          cd "$out"

        ''
--- a/pkgs/applications/networking/instant-messengers/gajim/default.nix
+++ b/pkgs/applications/networking/instant-messengers/gajim/default.nix
@@ -31,7 +31,7 @@
  enableRST ? true,
  docutils,
  enableSpelling ? true,
-  gspell,
+  libspelling,
  enableUPnP ? true,
  gupnp-igd,
  enableAppIndicator ? true,
@@ -70,7 +70,7 @@ python3.pkgs.buildPythonApplication rec {
    libnice
  ]
  ++ lib.optional enableSecrets libsecret
-  ++ lib.optional enableSpelling gspell
+  ++ lib.optional enableSpelling libspelling
  ++ lib.optional enableUPnP gupnp-igd
  ++ lib.optional enableAppIndicator libappindicator-gtk3
  ++ lib.optional enableSoundNotifications gsound;
--- a/pkgs/applications/networking/mailreaders/thunderbird/packages.nix
+++ b/pkgs/applications/networking/mailreaders/thunderbird/packages.nix
@@ -30,12 +30,16 @@ let
        (if lib.versionOlder version "140" then ./no-buildconfig.patch else ./no-buildconfig-tb140.patch)
      ];
      # FIXME: let's hope that upstream will fix this soon and we can drop this hack again.
-      # https://bugzilla.mozilla.org/show_bug.cgi?id=2006630
+      # https://bugzilla.mozilla.org/show_bug.cgi?id=2040877
      extraPostPatch =
-        lib.optionalString (lib.versionAtLeast version "147" && lib.versionOlder version "149")
-          ''
-            find . -name .cargo-checksum.json | xargs sed 's/"[^"]*\.gitmodules":"[a-z0-9]*",//g' -i
-          '';
+        lib.optionalString (lib.versionAtLeast version "151" && lib.versionOlder version "152") ''
+          echo https://hg.mozilla.org/releases/comm-release/rev/becfb8fb2c70f1603882a2787e2170d5d8013949 >> sourcestamp.txt
+          echo https://hg.mozilla.org/releases/mozilla-release/rev/fc12dc911f904307729760a817deb829cbf8feb4 >> sourcestamp.txt
+        ''
+        # https://bugzilla.mozilla.org/show_bug.cgi?id=2006630
+        + lib.optionalString (lib.versionAtLeast version "140.8" && lib.versionOlder version "151") ''
+          find . -name .cargo-checksum.json | xargs sed 's/"[^"]*\.gitmodules":"[a-z0-9]*",//g' -i
+        '';

      meta = {
        changelog = "https://www.thunderbird.net/en-US/thunderbird/${version}/releasenotes/";
@@ -73,8 +77,8 @@ rec {
  thunderbird = thunderbird-latest;

  thunderbird-latest = common {
-    version = "150.0.2";
-    sha512 = "3e52220ff34aa6cd1bf46a910dba1f30d0abf7d19ed7f501ffeeb8f5901b8d97fdc0adb0cceb434ef8e83c7f7b83f28024b872280237af72ff2da9d89fafe065";
+    version = "151.0.1";
+    sha512 = "a09c1e18faa8d7fdccf39e905542c21e817230e68c7cc6050beec048d0fec0f8eb92e51278d2ccd8d8cfa842762662235517e20238b555a4ad48ee5648dc3589";

    updateScript = callPackage ./update.nix {
      attrPath = "thunderbirdPackages.thunderbird-latest";
@@ -87,8 +91,8 @@ rec {
  thunderbird-140 = common {
    applicationName = "Thunderbird ESR";

-    version = "140.7.2esr";
-    sha512 = "513bcaa496f987d0f3906aeb6fe3ea651331470646b0c58479c91bb2c8eb52e389bc8aa646437a03b611ab78bda1df7252545960ffe38086d1fc462e65421819";
+    version = "140.11.1esr";
+    sha512 = "93dfdd26e6f4c7dd2f7dcc2e4994980d017868341c60c93775721467abd9192b815f2de63928e7d10c965fc045ed72ca5b49ed6502a61e50104ee5cd00941d1e";

    updateScript = callPackage ./update.nix {
      attrPath = "thunderbirdPackages.thunderbird-140";
--- a/pkgs/applications/networking/remote/putty/default.nix
+++ b/pkgs/applications/networking/remote/putty/default.nix
@@ -12,7 +12,7 @@
 }:

 stdenv.mkDerivation rec {
-  version = "0.83";
+  version = "0.84";
  pname = "putty";

  src = fetchurl {
@@ -20,15 +20,9 @@ stdenv.mkDerivation rec {
      "https://the.earth.li/~sgtatham/putty/${version}/${pname}-${version}.tar.gz"
      "ftp://ftp.wayne.edu/putty/putty-website-mirror/${version}/${pname}-${version}.tar.gz"
    ];
-    hash = "sha256-cYd3wT1j0N/5H+AxYrwqBbTfyLCCdjTNYLUc79/2McY=";
+    hash = "sha256-BgV4Yq4Zjx29IZ0MdJMIDVn2BhlLtQVsVJ40KqAbaf4=";
  };

-  patches = [
-    # Fix EdDSA signature verification accepting out-of-range s values
-    # https://git.tartarus.org/?p=simon/putty.git;a=commit;h=af996b5ec27ab79bae3882071b9d6acf16044549
-    ./eddsa-verify-check-out-of-range-s.patch
-  ];
-
  nativeBuildInputs = [
    cmake
    perl
--- a/pkgs/applications/networking/remote/putty/eddsa-verify-check-out-of-range-s.patch
+++ b/pkgs/applications/networking/remote/putty/eddsa-verify-check-out-of-range-s.patch
@@ -1,87 +0,0 @@
-From af996b5ec27ab79bae3882071b9d6acf16044549 Mon Sep 17 00:00:00 2001
-From: Simon Tatham <anakin@pobox.com>
-Date: Wed, 25 Feb 2026 08:29:58 +0000
-Subject: [PATCH] eddsa_verify: add check for out-of-range s.
-
-The integer s in an EdDSA signature is treated as an exponent: the
-curve's base point is raised to that power. (OK, multiplied by it, if
-you use the elliptic curve notational convention rather than the
-general group convention.) Therefore, in principle, it doesn't make
-any difference if s varies by a multiple of the base point's
-order (which is around 2^252, therefore a larger s still fits easily
-within the 256-bit space for it in the signature encoding). However,
-RFC 8032 requires s to be strictly less than that order, so that
-there's a single canonical encoding for any given signature.
-
-I'm not treating this as a vulnerability because I don't believe
-there's any situation in SSH where canonicality of signatures is
-important. But it should be fixed, nonetheless.
-
-In the fix, it's OK to use an ordinary if statement to check the bound
-on s, because they're visible to everybody anyway: the integer s is
-encoded directly in the signature, and the bound we're checking it
-against is a well-known public integer, so nothing new is revealed by
-any timing side channel proving that that was the reason for the
-rejection. (Not even if the message being signed were secret, which it
-is in SSH: the validation of s doesn't depend on the message.)
-
-Thanks to Yujie Zhu for the report.
---
- crypto/ecc-ssh.c   |  5 +++++
- test/cryptsuite.py | 18 ++++++++++++++++++
- 2 files changed, 23 insertions(+)
-
-diff --git a/crypto/ecc-ssh.c b/crypto/ecc-ssh.c
-index e524dfc4..fcde908d 100644
--- a/crypto/ecc-ssh.c
-+++ b/crypto/ecc-ssh.c
-@@ -1091,6 +1091,11 @@ static bool eddsa_verify(ssh_key *key, ptrlen sig, ptrlen data)
-     if (!r)
-         return false;
-     mp_int *s = mp_from_bytes_le(sstr);
-+    if (mp_cmp_hs(s, ek->curve->e.G_order)) {
-+        ecc_edwards_point_free(r);
-+        mp_free(s);
-+        return false;
-+    }
- 
-     mp_int *H = eddsa_signing_exponent_from_data(ek, extra, rstr, data);
- 
-diff --git a/test/cryptsuite.py b/test/cryptsuite.py
-index 1ee283c2..30c4ebeb 100755
--- a/test/cryptsuite.py
-+++ b/test/cryptsuite.py
-@@ -93,6 +93,9 @@ def le_integer(x, nbits):
- def be_integer(x, nbits):
-     return bytes(reversed(le_integer(x, nbits)))
- 
-+def decode_le_integer(s):
-+    return sum(byte << (8*i) for i,byte in enumerate(s))
-+
- @contextlib.contextmanager
- def queued_random_data(nbytes, seed):
-     hashsize = 512 // 8
-@@ -3518,6 +3521,21 @@ LzN/Ly+uECsga2hoc+P/ZHMULMZkCfrOyWdeXz7BR/acLZJoT579
-                 self.assertEqual(
-                     mlkem_decaps(params, bytes(dk_bytes), c), fail)
- 
-+    def testEd25519Overflow(self):
-+        test_key = ssh_key_new_priv('ed25519', b64('AAAAC3NzaC1lZDI1NTE5AAAAIMt0/CMBL+64GQ/r/JyGxo6oHs86i9bOHhMJYbDbxEJf'), b64('AAAAIB38jy02ZWYb4EXrJG9RIljEhqidrG5DdhZvMvoeOTZs'))
-+        test_string = b'hello, world'
-+        good_sig = test_key.sign(test_string, 0)
-+        self.assertTrue(test_key.verify(good_sig, test_string))
-+        prefixlen = 4 + len('ssh-ed25519') + 4
-+        self.assertEqual(len(good_sig), prefixlen + 64)
-+        good_sstr = good_sig[prefixlen+32:]
-+        good_s = decode_le_integer(good_sstr)
-+        bad_s = good_s + ed25519.G_order
-+        bad_sstr = le_integer(bad_s, 256)
-+        bad_sig = good_sig[:prefixlen+32] + bad_sstr
-+        self.assertEqual(len(bad_sig), len(good_sig))
-+        self.assertFalse(test_key.verify(bad_sig, test_string))
-+
- class standard_test_vectors(MyTestBase):
-     def testAES(self):
-         def vector(cipher, key, plaintext, ciphertext):
-- 
-2.30.2
--- a/pkgs/applications/networking/syncthing/default.nix
+++ b/pkgs/applications/networking/syncthing/default.nix
@@ -1,151 +0,0 @@
-{
-  pkgsBuildBuild,
-  go,
-  buildGoModule,
-  stdenv,
-  lib,
-  fetchFromGitHub,
-  nixosTests,
-  autoSignDarwinBinariesHook,
-  nix-update-script,
-}:
-
-let
-  common =
-    {
-      stname,
-      target,
-      postInstall ? "",
-    }:
-    buildGoModule rec {
-      pname = stname;
-      version = "2.0.15";
-
-      src = fetchFromGitHub {
-        owner = "syncthing";
-        repo = "syncthing";
-        tag = "v${version}";
-        hash = "sha256-v77ovjV+UoCRA1GteP+HDqC8dsRvtOhFX/IkSgSIf8Y=";
-      };
-
-      vendorHash = "sha256-boYTLgvH+iWlh3y3Z0LPvSVGEget3X94AthtJKphhCw=";
-
-      nativeBuildInputs = lib.optionals stdenv.hostPlatform.isDarwin [
-        # Recent versions of macOS seem to require binaries to be signed when
-        # run from Launch Agents/Daemons, even on x86 devices where it has a
-        # more lax code signing policy compared to Apple Silicon. So just sign
-        # the binaries on both architectures to make it possible for launchd to
-        # auto-start Syncthing at login.
-        autoSignDarwinBinariesHook
-      ];
-
-      doCheck = false;
-
-      env = {
-        BUILD_USER = "nix";
-        BUILD_HOST = "nix";
-      };
-
-      buildPhase = ''
-        runHook preBuild
-        (
-          export GOOS="${pkgsBuildBuild.go.GOOS}" GOARCH="${pkgsBuildBuild.go.GOARCH}" CC=$CC_FOR_BUILD
-          go build build.go
-          go generate github.com/syncthing/syncthing/lib/api/auto github.com/syncthing/syncthing/cmd/infra/strelaypoolsrv/auto
-        )
-        ./build -goos ${go.GOOS} -goarch ${go.GOARCH} -no-upgrade -version v${version} build ${target}
-        runHook postBuild
-      '';
-
-      installPhase = ''
-        runHook preInstall
-        install -Dm755 ${target} $out/bin/${target}
-        runHook postInstall
-      '';
-
-      inherit postInstall;
-
-      passthru = {
-        tests = {
-          inherit (nixosTests)
-            syncthing
-            syncthing-folders
-            syncthing-guiPassword
-            syncthing-guiPasswordFile
-            syncthing-init
-            syncthing-no-settings
-            syncthing-relay
-            ;
-        };
-        updateScript = nix-update-script { };
-      };
-
-      meta = {
-        homepage = "https://syncthing.net/";
-        description = "Open Source Continuous File Synchronization";
-        changelog = "https://github.com/syncthing/syncthing/releases/tag/v${version}";
-        license = lib.licenses.mpl20;
-        maintainers = with lib.maintainers; [
-          joko
-          peterhoeg
-        ];
-        mainProgram = target;
-        platforms = lib.platforms.unix;
-      };
-    };
-
-in
-{
-  syncthing = common {
-    stname = "syncthing";
-    target = "syncthing";
-
-    postInstall = ''
-      # This installs man pages in the correct directory according to the suffix
-      # on the filename
-      for mf in man/*.[1-9]; do
-        mantype="$(echo "$mf" | awk -F"." '{print $NF}')"
-        mandir="$out/share/man/man$mantype"
-        install -Dm644 "$mf" "$mandir/$(basename "$mf")"
-      done
-
-      install -Dm644 etc/linux-desktop/syncthing-ui.desktop $out/share/applications/syncthing-ui.desktop
-      install -Dm644 assets/logo-32.png   $out/share/icons/hicolor/32x32/apps/syncthing.png
-      install -Dm644 assets/logo-64.png   $out/share/icons/hicolor/64x64/apps/syncthing.png
-      install -Dm644 assets/logo-128.png  $out/share/icons/hicolor/128x128/apps/syncthing.png
-      install -Dm644 assets/logo-256.png  $out/share/icons/hicolor/256x256/apps/syncthing.png
-      install -Dm644 assets/logo-512.png  $out/share/icons/hicolor/512x512/apps/syncthing.png
-      install -Dm644 assets/logo-only.svg $out/share/icons/hicolor/scalable/apps/syncthing.svg
-
-    ''
-    + lib.optionalString (stdenv.hostPlatform.isLinux) ''
-      mkdir -p $out/lib/systemd/{system,user}
-
-      substitute etc/linux-systemd/system/syncthing@.service \
-                 $out/lib/systemd/system/syncthing@.service \
-                 --replace-fail /usr/bin/syncthing $out/bin/syncthing
-
-      substitute etc/linux-systemd/user/syncthing.service \
-                 $out/lib/systemd/user/syncthing.service \
-                 --replace-fail /usr/bin/syncthing $out/bin/syncthing
-    '';
-  };
-
-  syncthing-discovery = common {
-    stname = "syncthing-discovery";
-    target = "stdiscosrv";
-  };
-
-  syncthing-relay = common {
-    stname = "syncthing-relay";
-    target = "strelaysrv";
-
-    postInstall = lib.optionalString (stdenv.hostPlatform.isLinux) ''
-      mkdir -p $out/lib/systemd/system
-
-      substitute cmd/strelaysrv/etc/linux-systemd/strelaysrv.service \
-                 $out/lib/systemd/system/strelaysrv.service \
-                 --replace-fail /usr/bin/strelaysrv $out/bin/strelaysrv
-    '';
-  };
-}
--- a/pkgs/applications/office/activitywatch/aw-notify-desktop-notifier-6.patch
+++ b/pkgs/applications/office/activitywatch/aw-notify-desktop-notifier-6.patch
@@ -0,0 +1,72 @@
+diff --git a/aw_notify/main.py b/aw_notify/main.py
+index c749725..44dce5a 100644
+--- a/aw_notify/main.py
+++ b/aw_notify/main.py
+@@ -3,6 +3,7 @@
+ and send notifications to the user on predefined conditions.
+ """
+ 
+import asyncio
+ import logging
+ import sys
+ import threading
+@@ -23,7 +24,7 @@
+ import aw_client.queries
+ import click
+ from aw_core.log import setup_logging
+-from desktop_notifier import DesktopNotifier
+from desktop_notifier import DesktopNotifier, Icon
+ from typing_extensions import TypeAlias
+ 
+ logger = logging.getLogger(__name__)
+@@ -149,11 +150,20 @@ def notify(title: str, msg: str):
+     if notifier is None:
+         notifier = DesktopNotifier(
+             app_name="AW",
+-            app_icon=f"file://{icon_path}",
+            app_icon=Icon(uri=f"file://{icon_path}"),
+             notification_limit=10,
+         )
+ 
+     logger.info(f'Showing: "{title} - {msg}"')
+-    notifier.send_sync(title=title, message=msg)
+
+    # Get or create event loop
+    try:
+        loop = asyncio.get_running_loop()
+    except RuntimeError:
+        loop = asyncio.new_event_loop()
+        asyncio.set_event_loop(loop)
+
+    # Send notification
+    loop.run_until_complete(notifier.send(title=title, message=msg))
+ 
+ 
+ class CategoryAlert:
+diff --git a/pyproject.toml b/pyproject.toml
+index 314fe2f..0d6d5a9 100644
+--- a/pyproject.toml
+++ b/pyproject.toml
+@@ -13,15 +13,15 @@ packages = [{include = "aw_notify"}]
+ aw-notify = "aw_notify.main:main"
+ 
+ [tool.poetry.dependencies]
+-python = "^3.9,<3.12"
+-aw-client = "^0.5.13"
+-desktop-notifier = "^3.4.2"
+-rubicon-objc = { version = "^0.4.0", platform = "darwin" }
+python = ">=3.9,<3.14"
+aw-client = "^0.5.15"
+desktop-notifier = "^6.0.0"
+rubicon-objc = { version = "^0.5.0", platform = "darwin" }
+ 
+ [tool.poetry.group.dev.dependencies]
+ black = "*"
+ mypy = "*"
+-pyinstaller = "^6.6"
+-pytest = "^7.4"
+pyinstaller = "^6.12.0"
+pytest = "*"
+ 
+ [build-system]
+ requires = ["poetry-core"]
--- a/pkgs/applications/office/activitywatch/default.nix
+++ b/pkgs/applications/office/activitywatch/default.nix
@@ -14,6 +14,7 @@
  qtsvg,
  xdg-utils,
  replaceVars,
+  nodejs_22,
  buildNpmPackage,
 }:

@@ -159,6 +160,12 @@ rec {
    pyproject = true;
    build-system = [ python3Packages.poetry-core ];

+    patches = [
+      # Backport desktop-notifier 6 / rubicon-objc 0.5 support.
+      # https://github.com/ActivityWatch/aw-notify/pull/10
+      ./aw-notify-desktop-notifier-6.patch
+    ];
+
    dependencies = with python3Packages; [
      aw-client
      desktop-notifier
@@ -228,6 +235,7 @@ rec {

    src = "${sources}/aw-server-rust/aw-webui";

+    nodejs = nodejs_22;
    npmDepsHash = "sha256-fPk7UpKuO3nEN1w+cf9DIZIG1+XRUk6PJfVmtpC30XE=";

    makeCacheWritable = true;
--- a/pkgs/applications/science/logic/abella/default.nix
+++ b/pkgs/applications/science/logic/abella/default.nix
@@ -54,10 +54,7 @@ stdenv.mkDerivation (finalAttrs: {
    '';
    homepage = "https://abella-prover.org";
    license = lib.licenses.gpl3;
-    maintainers = with lib.maintainers; [
-      bcdarwin
-      ciil
-    ];
+    maintainers = [ lib.maintainers.bcdarwin ];
    platforms = lib.platforms.unix;
  };
 })
--- a/pkgs/applications/science/logic/hol_light/default.nix
+++ b/pkgs/applications/science/logic/hol_light/default.nix
@@ -9,6 +9,7 @@
  zarith,
  camlp5,
  camlp-streams,
+  pcre2,
  bash,
 }:

@@ -19,6 +20,7 @@ let
      ''
        -I ${zarith}/lib/ocaml/${ocaml.version}/site-lib/zarith \
        -I ${zarith}/lib/ocaml/${ocaml.version}/site-lib/stublibs \
+        -I ${pcre2}/lib/ocaml/${ocaml.version}/site-lib/stublibs \
      ''
    else
      lib.optionalString (num != null) ''
@@ -64,6 +66,7 @@ stdenv.mkDerivation {
  ];
  propagatedBuildInputs = [
    camlp-streams
+    pcre2
    (if use_zarith then zarith else num)
  ];

--- a/pkgs/applications/science/math/R/default.nix
+++ b/pkgs/applications/science/math/R/default.nix
@@ -16,7 +16,6 @@
  perl,
  readline,
  tcl,
-  texlive,
  texliveSmall,
  tk,
  xz,
@@ -198,23 +197,20 @@ stdenv.mkDerivation (finalAttrs: {

  passthru.tests.pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;

-  # make tex output available to texlive.combine
-  passthru.pkgs = [ finalAttrs.finalPackage.tex ];
-  passthru.tlType = "run";
  # dependencies (based on \RequirePackage in jss.cls, Rd.sty, Sweave.sty)
-  passthru.tlDeps = with texlive; [
-    amsfonts
-    amsmath
-    fancyvrb
-    graphics
-    hyperref
-    iftex
-    jknapltx
-    latex
-    lm
-    tools
-    upquote
-    url
+  passthru.tlDeps = ps: [
+    ps.amsfonts
+    ps.amsmath
+    ps.fancyvrb
+    ps.graphics
+    ps.hyperref
+    ps.iftex
+    ps.jknapltx
+    ps.latex
+    ps.lm
+    ps.tools
+    ps.upquote
+    ps.url
  ];

  meta = {
--- a/pkgs/applications/video/qmediathekview/default.nix
+++ b/pkgs/applications/video/qmediathekview/default.nix
@@ -10,14 +10,14 @@
  wrapQtAppsHook,
 }:

-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
  pname = "QMediathekView";
  version = "0.2.1";

  src = fetchFromGitHub {
    owner = "adamreichold";
    repo = "QMediathekView";
-    rev = "v${version}";
+    tag = "v${finalAttrs.version}";
    sha256 = "0i9hac9alaajbra3lx23m0iiq6ww4is00lpbzg5x70agjrwj0nd6";
  };

@@ -42,11 +42,11 @@ stdenv.mkDerivation rec {

  meta = {
    description = "Alternative Qt-based front-end for the database maintained by the MediathekView project";
-    inherit (src.meta) homepage;
+    inherit (finalAttrs.src.meta) homepage;
    license = lib.licenses.gpl3Plus;
    platforms = lib.platforms.linux;
    maintainers = with lib.maintainers; [ dotlambda ];
    broken = stdenv.hostPlatform.isAarch64;
    mainProgram = "QMediathekView";
  };
-}
+})
--- a/pkgs/applications/virtualization/docker/default.nix
+++ b/pkgs/applications/virtualization/docker/default.nix
@@ -400,7 +400,7 @@ in
  # https://github.com/moby/moby/tree/${mobyRev}/Dockerfile
  docker_25 =
    let
-      version = "25.0.13";
+      version = "25.0.16";
    in
    callPackage dockerGen {
      inherit version;
@@ -409,7 +409,7 @@ in
      cliRev = "43987fca488a535d810c429f75743d8c7b63bf4f";
      cliHash = "sha256-OwufdfuUPbPtgqfPeiKrQVkOOacU2g4ommHb770gV40=";
      mobyRev = "v${version}";
-      mobyHash = "sha256-X+1QG/toJt+VNLktR5vun8sG3PRoTVBAcekFXxocJdU=";
+      mobyHash = "sha256-St5yLoxo8QUTu7PjNcblS/EzZm98T189RPl1y+pAyHA=";
      runcRev = "v1.2.5";
      runcHash = "sha256-J/QmOZxYnMPpzm87HhPTkYdt+fN+yeSUu2sv6aUeTY4=";
      containerdRev = "v1.7.27";
@@ -420,14 +420,14 @@ in

  docker_29 =
    let
-      version = "29.5.1";
+      version = "29.5.2";
    in
    callPackage dockerGen {
      inherit version;
      cliRev = "v${version}";
-      cliHash = "sha256-oobGr0UaeJL800hHx3K0tQs50HZbOn559WcLnSRiRhU=";
+      cliHash = "sha256-kHgDZVr6mAyCtZ6bSG9FWV0GhWDfXLXzHYFrmjFzO9w=";
      mobyRev = "docker-v${version}";
-      mobyHash = "sha256-ghYEOWr5RUDm0YLyupaDSpLd+8gFqxp3VjCt+3lztcA=";
+      mobyHash = "sha256-lux7tTyF6vm5wuIXs+z3Ygd2v4JjgHbRvOXNA4kjNtg=";
      runcRev = "v1.3.5";
      runcHash = "sha256-Swphxbu/OLkUrfRjLMZIVGwYb7AN0xHdyxm0ysAVam0=";
      containerdRev = "v2.2.3";
--- a/pkgs/build-support/build-mozilla-mach/140-bindgen-string-view.patch
+++ b/pkgs/build-support/build-mozilla-mach/140-bindgen-string-view.patch
@@ -0,0 +1,15 @@
+diff --git a/tools/profiler/rust-api/build.rs b/tools/profiler/rust-api/build.rs
+index 9bb27eb83e5e..3f09f7f01bcb 100644
+--- a/tools/profiler/rust-api/build.rs
+++ b/tools/profiler/rust-api/build.rs
+@@ -88,6 +88,10 @@ fn generate_bindings() {
+         // successfully. Otherwise, it fails to build because MarkerSchema has
+         // some std::strings as its fields.
+         .opaque_type("std::string")
+        .blocklist_type(".*basic_string_view.*")
+        .opaque_type(".*basic_string_view.*")
+        .blocklist_type(".*basic_string___self_view.*")
+        .opaque_type(".*basic_string___self_view.*")
+         // std::vector needs to be converted to an opaque type because, if it's
+         // not an opaque type, bindgen can't find its size properly and
+         // MarkerSchema's total size reduces. That causes a heap buffer overflow.
--- a/pkgs/build-support/build-mozilla-mach/default.nix
+++ b/pkgs/build-support/build-mozilla-mach/default.nix
@@ -332,6 +332,14 @@ buildStdenv.mkDerivation {
      # https://hg-edge.mozilla.org/mozilla-central/rev/aa8a29bd1fb9
      ./139-wayland-drag-animation.patch
    ]
+    ++ lib.optionals (lib.versionAtLeast version "140" && lib.versionOlder version "144") [
+      # Versions before 144 vendor bindgen 0.69. On Darwin, libc++ 21 changed
+      # basic_string::__self_view from a typedef to an attributed using alias;
+      # bindgen then emits it without its template parameter, producing invalid
+      # Rust. Vendored bindgen was updated in:
+      # https://bugzilla.mozilla.org/show_bug.cgi?id=1985509
+      ./140-bindgen-string-view.patch
+    ]
    ++ extraPatches;

  postPatch = ''
@@ -587,7 +595,7 @@ buildStdenv.mkDerivation {

  profilingPhase = lib.optionalString pgoSupport ''
    # Avoid compressing the instrumented build with high levels of compression
-    export MOZ_PKG_FORMAT=tar
+    export MOZ_PKG_FORMAT=TAR

    # Package up Firefox for profiling
    ./mach package
--- a/pkgs/build-support/fetchgit/nix-prefetch-git
+++ b/pkgs/build-support/fetchgit/nix-prefetch-git
@@ -123,6 +123,10 @@ fi
 init_remote(){
    local url=$1
    clean_git init --initial-branch=master
+    # Disable maintenance: it's not useful for a short-lived clone, and
+    # background maintenance causes non-deterministic builds.
+    # https://github.com/NixOS/nixpkgs/issues/524215
+    clean_git config maintenance.auto false
    clean_git remote add origin "$url"
    if [ -n "$sparseCheckout" ]; then
        git config remote.origin.partialclonefilter "blob:none"
--- a/pkgs/build-support/node/fetch-pnpm-deps/default.nix
+++ b/pkgs/build-support/node/fetch-pnpm-deps/default.nix
@@ -146,6 +146,10 @@ in
              # Run any additional pnpm configuration commands that users provide.
              ${prePnpmInstall}

+              echo "Final pnpm config:"
+              pnpm config list
+              echo
+
              # pnpm is going to warn us about using --force
              # --force allows us to fetch all dependencies including ones that aren't meant for our host platform
              pnpm install \
--- a/pkgs/build-support/node/fetch-pnpm-deps/pnpm-config-hook.sh
+++ b/pkgs/build-support/node/fetch-pnpm-deps/pnpm-config-hook.sh
@@ -28,6 +28,11 @@ pnpmConfigHook() {
    if versionAtLeast "$pnpmVersion" "11"; then
      # pnpm 11 uses a different mechanism to manage package manager versions
      export pnpm_config_pm_on_fail=ignore
+
+      # Disable lockfile verification against supply-chain policies. This is
+      # already done in fetchPnpmDeps, so if these checks failed there, we
+      # wouldn't be here in the first place
+      export pnpm_config_trust_lockfile=true
    else
      pnpm config set manage-package-manager-versions false
    fi
@@ -84,6 +89,10 @@ pnpmConfigHook() {

    runHook prePnpmInstall

+    echo "Final pnpm config:"
+    pnpm config list
+    echo
+
    if ! pnpm install \
        --offline \
        --ignore-scripts \
--- a/pkgs/build-support/rust/import-cargo-lock.nix
+++ b/pkgs/build-support/rust/import-cargo-lock.nix
@@ -130,7 +130,10 @@ let
    };

  registries = {
-    "https://github.com/rust-lang/crates.io-index" = "https://crates.io/api/v1/crates";
+    # Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec
+    # rate limit on the API servers, which currently returns intermittent 403s.
+    # See https://github.com/rust-lang/crates.io/issues/13482
+    "https://github.com/rust-lang/crates.io-index" = "https://static.crates.io/crates";
  }
  // extraRegistries;

--- a/pkgs/by-name/ac/acl2/0002-sbcl-fp-trap-fallback.patch
+++ b/pkgs/by-name/ac/acl2/0002-sbcl-fp-trap-fallback.patch
@@ -0,0 +1,53 @@
+diff --git a/acl2.lisp b/acl2.lisp
+index 036657d902..c2b7e4fad9 100644
+--- a/acl2.lisp
+++ b/acl2.lisp
+@@ -1963,11 +1963,7 @@ ACL2 from scratch.")
+                (* *my-most-positive-double-float*
+                   *my-most-positive-double-float*)
+                (error () 0.0d0))
+-              'double-float))
+-     #+sbcl
+-     (member :overflow
+-             (cadr (member :traps
+-                           (sb-int:get-floating-point-modes)))))
+              'double-float)))
+   (error "This Lisp is unsuitable for ACL2, because it failed ~%a check that ~
+           floating-point overflow causes an error."))
+ 
+diff --git a/float-raw.lisp b/float-raw.lisp
+index 1364491fdf..e6d0417971 100644
+--- a/float-raw.lisp
+++ b/float-raw.lisp
+@@ -46,13 +46,13 @@
+ ; #.*infinity-double* and #.*negative-infinity-double*), so we do so, but we
+ ; don't bother testing for Nan in LispWorks.
+ 
+-; We return form unchanged in other than Allegro CL and LispWorks, because we
+; We return form unchanged in other than Allegro CL, LispWorks, and SBCL, because we
+ ; already know that an error is signalled on overflow for other Lisps that host
+ ; ACL2; see break-on-overflow-and-nan.
+ 
+-  #-(or allegro lispworks)
+  #-(or allegro lispworks sbcl)
+   (declare (ignore op))
+-  #-(or allegro lispworks)
+  #-(or allegro lispworks sbcl)
+   form
+   #+allegro
+   `(let ((result ,form))
+@@ -65,6 +65,14 @@
+      (when (or (= result +1D++0) (= result -1D++0))
+        (error "Floating-point overflow for a call of ~s"
+               ',op))
+     result)
+  #+sbcl
+  `(let ((result ,form))
+     (when (or (sb-ext:float-nan-p result)
+               (= result sb-ext:double-float-positive-infinity)
+               (= result sb-ext:double-float-negative-infinity))
+       (error "Floating-point exception for a call of ~s"
+              ',op))
+      result))
+ 
+ (defmacro defun-df-binary (name op)
--- a/pkgs/by-name/ac/acl2/package.nix
+++ b/pkgs/by-name/ac/acl2/package.nix
@@ -62,6 +62,13 @@ stdenv.mkDerivation rec {
      libssl = "${lib.getLib openssl}/lib/libssl${stdenv.hostPlatform.extensions.sharedLibrary}";
      libcrypto = "${lib.getLib openssl}/lib/libcrypto${stdenv.hostPlatform.extensions.sharedLibrary}";
    })
+  ]
+  ++ lib.optionals (stdenv.hostPlatform.system == "aarch64-linux") [
+    # ACL2 8.6 assumes SBCL can enable floating-point traps. On
+    # aarch64-linux, SBCL can leave :TRAPS NIL after enabling them, so use
+    # ACL2's existing exceptional-float checking path instead. See:
+    # https://github.com/acl2-devel/acl2-devel/commit/0632b37adffb6b5fd71d8438d519133281f837ec
+    ./0002-sbcl-fp-trap-fallback.patch
  ];

  # We need the timestamps on the source tree to be stable for certification to
--- a/pkgs/by-name/ad/adguardhome/package.nix
+++ b/pkgs/by-name/ad/adguardhome/package.nix
@@ -9,15 +9,15 @@

 buildGoModule (finalAttrs: {
  pname = "adguardhome";
-  version = "0.107.74";
+  version = "0.107.76";
  src = fetchFromGitHub {
    owner = "AdguardTeam";
    repo = "AdGuardHome";
    tag = "v${finalAttrs.version}";
-    hash = "sha256-cAuthACY/rBVRTSv/UIarhScm+EoTUhnkQ0RUtvhAFg=";
+    hash = "sha256-CF1Ieu7oCnzvXwoHzX5126gQGcgXL+giMtUciKBZ2ZU=";
  };

-  vendorHash = "sha256-o4hpiqQEt8gkYFeAkxPDisvLWbi7WOBZ7xMXrPt6Cdo=";
+  vendorHash = "sha256-tHabP5I7PZtDkVucF95StRyXGEsfbuc6Z3AhQZ/g2f8=";

  dashboard = buildNpmPackage {
    inherit (finalAttrs) src version;
@@ -25,7 +25,7 @@ buildGoModule (finalAttrs: {
    postPatch = ''
      cd client
    '';
-    npmDepsHash = "sha256-SOHmXvGLpjs8h0X+AJ6/jAYpxzoizhwRjIzx4SqJOCo=";
+    npmDepsHash = "sha256-Yyv8dTKhZ9IlIW/x/57cl/+cpvjjycaFLSyOR0IiIPk=";
    npmBuildScript = "build-prod";
    postBuild = ''
      mkdir -p $out/build/
--- a/pkgs/by-name/ag/age-plugin-fido2prf/package.nix
+++ b/pkgs/by-name/ag/age-plugin-fido2prf/package.nix
@@ -1,5 +1,6 @@
 {
  lib,
+  stdenv,
  buildGoModule,
  fetchFromGitHub,
  libfido2,
@@ -26,6 +27,24 @@ buildGoModule (finalAttrs: {

  buildInputs = [ libfido2 ];

+  postConfigure = lib.optionalString stdenv.hostPlatform.isDarwin ''
+    chmod -R +w vendor/github.com/keys-pub/go-libfido2
+    substituteInPlace vendor/github.com/keys-pub/go-libfido2/fido2_static_arm64.go \
+      --replace-fail \
+        '/opt/homebrew/opt/libfido2/lib/libfido2.a /opt/homebrew/opt/openssl@3/lib/libcrypto.a ''${SRCDIR}/darwin/arm64/lib/libcbor.a' \
+        '-lfido2' \
+      --replace-fail \
+        '-I/opt/homebrew/opt/libfido2/include -I/opt/homebrew/opt/openssl@3/include' \
+        '-I${libfido2.dev}/include'
+    substituteInPlace vendor/github.com/keys-pub/go-libfido2/fido2_static_amd64.go \
+      --replace-fail \
+        '/usr/local/lib/libfido2.a /usr/local/opt/openssl@3/lib/libcrypto.a ''${SRCDIR}/darwin/amd64/lib/libcbor.a' \
+        '-lfido2' \
+      --replace-fail \
+        '-I/usr/local/opt/libfido2/include -I/usr/local/opt/openssl@3/include' \
+        '-I${libfido2.dev}/include'
+  '';
+
  meta = {
    description = "Age plugin to encrypt files with FIDO2 tokens in a way compatible to typage";
    homepage = "https://github.com/FiloSottile/typage/";
--- a/pkgs/by-name/ak/akkoma-admin-fe/package.nix
+++ b/pkgs/by-name/ak/akkoma-admin-fe/package.nix
@@ -2,6 +2,7 @@
  lib,
  stdenv,
  fetchFromGitea,
+  cctools,
  yarn-berry_3,
  nodejs,
  python311,
@@ -42,7 +43,10 @@ stdenv.mkDerivation (finalAttrs: {
    python311
    libsass
  ]
-  ++ lib.optional stdenv.hostPlatform.isDarwin xcbuild;
+  ++ lib.optionals stdenv.hostPlatform.isDarwin [
+    xcbuild
+    cctools.libtool
+  ];

  buildPhase = ''
    runHook preBuild
--- a/pkgs/by-name/al/alire/package.nix
+++ b/pkgs/by-name/al/alire/package.nix
@@ -8,13 +8,13 @@

 stdenv.mkDerivation (finalAttrs: {
  pname = "alire";
-  version = "2.1.0";
+  version = "2.1.1";

  src = fetchFromGitHub {
    owner = "alire-project";
    repo = "alire";
    tag = "v${finalAttrs.version}";
-    hash = "sha256-DfzCQu9xOe9JgX6RTrYOGTIS6EcPimLnd5pfXMtfRss=";
+    hash = "sha256-YOUFTKbqbFfdYNWcGCvtFCDCW2tH8E3YuRQrV522Px4=";

    fetchSubmodules = true;
  };
--- a/pkgs/by-name/al/alliance/package.nix
+++ b/pkgs/by-name/al/alliance/package.nix
@@ -48,7 +48,7 @@ stdenv.mkDerivation (finalAttrs: {
  ];

  # To avoid compiler error in LoadDataBase.c:366:27
-  env.NIX_CFLAGS_COMPILE = "-Wno-incompatible-pointer-types";
+  env.NIX_CFLAGS_COMPILE = "-std=gnu99 -Wno-incompatible-pointer-types";

  postPatch = ''
    # texlive for docs seems extreme
@@ -77,6 +77,5 @@ stdenv.mkDerivation (finalAttrs: {
    license = with lib.licenses; gpl2Plus;
    maintainers = [ ];
    platforms = with lib.platforms; linux;
-    broken = true;
  };
 })
--- a/pkgs/by-name/an/antimicrox/package.nix
+++ b/pkgs/by-name/an/antimicrox/package.nix
@@ -12,14 +12,14 @@
  fetchFromGitHub,
 }:

-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
  pname = "antimicrox";
  version = "3.5.1";

  src = fetchFromGitHub {
    owner = "AntiMicroX";
-    repo = pname;
-    rev = version;
+    repo = "antimicrox";
+    rev = finalAttrs.version;
    sha256 = "sha256-ZIHhgyOpabWkdFZoha/Hj/1d8/b6qVolE6dn0xAFZVw=";
  };

@@ -31,6 +31,7 @@ stdenv.mkDerivation rec {
    udevCheckHook
    libsForQt5.wrapQtAppsHook
  ];
+
  buildInputs = [
    SDL2
    libsForQt5.qttools
@@ -46,10 +47,10 @@ stdenv.mkDerivation rec {

  meta = {
    description = "GUI for mapping keyboard and mouse controls to a gamepad";
-    inherit (src.meta) homepage;
+    inherit (finalAttrs.src.meta) homepage;
    maintainers = [ ];
    license = lib.licenses.gpl3Plus;
    platforms = with lib.platforms; linux;
    mainProgram = "antimicrox";
  };
-}
+})
--- a/pkgs/by-name/ap/applgrid/TFileStringLinkDef.h
+++ b/pkgs/by-name/ap/applgrid/TFileStringLinkDef.h
@@ -0,0 +1,6 @@
+#ifdef __CLING__
+#pragma link off all globals;
+#pragma link off all classes;
+#pragma link off all functions;
+#pragma link C++ class TFileString+;
+#endif
--- a/pkgs/by-name/ap/applgrid/TFileVectorLinkDef.h
+++ b/pkgs/by-name/ap/applgrid/TFileVectorLinkDef.h
@@ -0,0 +1,6 @@
+#ifdef __CLING__
+#pragma link off all globals;
+#pragma link off all classes;
+#pragma link off all functions;
+#pragma link C++ class TFileVector+;
+#endif
--- a/pkgs/by-name/ap/applgrid/no-m64.patch
+++ b/pkgs/by-name/ap/applgrid/no-m64.patch
@@ -0,0 +1,10 @@
+--- a/configure
+++ b/configure
+@@ -16130,7 +16130,6 @@
+ $as_echo "$as_me: WARNING: ****************************************************************" >&2;}
+ fi
+ 
+-( echo $CXXFLAGS | grep -q "m64" ) || CXXFLAGS+=" -m64 "
+ 
+ 
+ 
--- a/pkgs/by-name/ap/applgrid/package.nix
+++ b/pkgs/by-name/ap/applgrid/package.nix
@@ -18,7 +18,26 @@ stdenv.mkDerivation (finalAttrs: {
    hash = "sha256-h+ZNGj33FIwg4fOCyfGJrUKM2vDDQl76JcLhtboAOtc=";
  };

+  patches = [
+    # Upstream's configure unconditionally injects `-m64` into CXXFLAGS, which is
+    # invalid on aarch64 (and redundant on x86_64). The line was added in r1946
+    # for applgrid 1.6.17 with the commit message "add default m64 compilation".
+    # There is no public bug tracker upstream, and the line is still present in
+    # trunk. We patch only the generated `configure` (not `configure.ac`) so
+    # that make doesn't try to re-run autotools during the build.
+    ./no-m64.patch
+
+    # ROOT 6.40 made rootcling fail when no selection rules are provided
+    # (https://root.cern/doc/v640/release-notes.html#core-libraries). The patch
+    # appends $*LinkDef.h to the dictionary pattern rule so rootcint picks up
+    # the LinkDef.h files we drop into src/ in postPatch.
+    ./rootcling-linkdef.patch
+  ];
+
  postPatch = ''
+    cp ${./TFileStringLinkDef.h} src/TFileStringLinkDef.h
+    cp ${./TFileVectorLinkDef.h} src/TFileVectorLinkDef.h
+
    sed -i appl_grid/serialise_base.h -e '1i#include <cstdint>'
  '';

--- a/pkgs/by-name/ap/applgrid/rootcling-linkdef.patch
+++ b/pkgs/by-name/ap/applgrid/rootcling-linkdef.patch
@@ -0,0 +1,11 @@
+--- a/src/Makefile.in
+++ b/src/Makefile.in
+@@ -1027,7 +1027,7 @@
+ 	$(CC) $(AM_CFLAGS) -c $<
+ 
+ @USE_ROOT_TRUE@%Dict.cxx : %.h %.cxx
+-@USE_ROOT_TRUE@	$(CINT) -f $@ -c $< -I.. 
+@USE_ROOT_TRUE@	$(CINT) -f $@ -c $< -I.. $*LinkDef.h
+ 
+ #../appl_grid/$*LinkDef.h
+ 
--- a/pkgs/by-name/as/asciinema-agg/package.nix
+++ b/pkgs/by-name/as/asciinema-agg/package.nix
@@ -8,18 +8,18 @@

 rustPlatform.buildRustPackage (finalAttrs: {
  pname = "agg";
-  version = "1.8.1";
+  version = "1.9.0";

  src = fetchFromGitHub {
    owner = "asciinema";
    repo = "agg";
    tag = "v${finalAttrs.version}";
-    hash = "sha256-64VyCTGjzey6AHEAfk5V/Qoffe5+sDaDNve54M7tmf4=";
+    hash = "sha256-XuAVckgTsKvngrR/blgpLgONaWxfrn8o7hCKqCGPNeM=";
  };

  strictDeps = true;

-  cargoHash = "sha256-/WS5nAFKnP/CsU5+Pf5rtNN4LWaXVjlidLzH7DWYds0=";
+  cargoHash = "sha256-VcdHlQOplki31uLOutVx7HH7rjH9a5fEZhlxtLvuS9E=";

  __impureHostDeps = lib.optionals stdenv.hostPlatform.isDarwin [
    "/System/Library/Fonts"
--- a/pkgs/by-name/au/auctex/package.nix
+++ b/pkgs/by-name/au/auctex/package.nix
@@ -7,50 +7,43 @@
  ghostscript,
 }:

-let
-  auctex = stdenv.mkDerivation rec {
-    # Make this a valid tex(live-new) package;
-    # the pkgs attribute is provided with a hack below.
-    pname = "auctex";
-    version = "13.2";
-    tlType = "run";
+stdenv.mkDerivation rec {
+  pname = "auctex";
+  version = "13.2";

-    outputs = [
-      "out"
-      "tex"
-    ];
+  outputs = [
+    "out"
+    "tex"
+  ];

-    src = fetchurl {
-      url = "mirror://gnu/auctex/auctex-${version}.tar.gz";
-      hash = "sha256-Hn5AKrz4RmlOuncZklvwlcI+8zpeZgIgHHS2ymCUQDU=";
-    };
-
-    buildInputs = [
-      emacs
-      ghostscript
-      (texliveBasic.withPackages (ps: [
-        ps.etoolbox
-        ps.hypdoc
-      ]))
-    ];
-
-    preConfigure = ''
-      mkdir -p "$tex"
-      export HOME=$(mktemp -d)
-    '';
-
-    configureFlags = [
-      "--with-lispdir=\${out}/share/emacs/site-lisp"
-      "--with-texmf-dir=\${tex}"
-    ];
-
-    meta = {
-      homepage = "https://www.gnu.org/software/auctex";
-      description = "Extensible package for writing and formatting TeX files in GNU Emacs and XEmacs";
-      license = lib.licenses.gpl3Plus;
-      platforms = lib.platforms.unix;
-    };
+  src = fetchurl {
+    url = "mirror://gnu/auctex/auctex-${version}.tar.gz";
+    hash = "sha256-Hn5AKrz4RmlOuncZklvwlcI+8zpeZgIgHHS2ymCUQDU=";
  };

-in
-auctex // { pkgs = [ auctex.tex ]; }
+  buildInputs = [
+    emacs
+    ghostscript
+    (texliveBasic.withPackages (ps: [
+      ps.etoolbox
+      ps.hypdoc
+    ]))
+  ];
+
+  preConfigure = ''
+    mkdir -p "$tex"
+    export HOME=$(mktemp -d)
+  '';
+
+  configureFlags = [
+    "--with-lispdir=\${out}/share/emacs/site-lisp"
+    "--with-texmf-dir=\${tex}"
+  ];
+
+  meta = {
+    homepage = "https://www.gnu.org/software/auctex";
+    description = "Extensible package for writing and formatting TeX files in GNU Emacs and XEmacs";
+    license = lib.licenses.gpl3Plus;
+    platforms = lib.platforms.unix;
+  };
+}
--- a/pkgs/by-name/au/audiobookshelf/package.nix
+++ b/pkgs/by-name/au/audiobookshelf/package.nix
@@ -15,10 +15,10 @@

 let
  source = {
-    version = "2.35.0";
-    hash = "sha256-KJ+/p6Szblof7fPeHkikOVK10xvcyVgpeFMx6cOOEgc=";
-    npmDepsHash = "sha256-iqH32SWpoILLb9JQjgF+lrkZXHlbXTi3XFsvNKup934=";
-    clientNpmDepsHash = "sha256-jSjw/Y+1VYlG8pKqOzNzrZRTUeIyBPdOAhZqEbC2qiA=";
+    version = "2.35.1";
+    hash = "sha256-31cKSjSTJyUetjCSOCDY2wnTFV+Z52LcvGrh7Emc0cM=";
+    npmDepsHash = "sha256-wmbzbMQHrbHcL9JSpPXpc+vjjj5LTNN8e6Ug3ZRQ7mo=";
+    clientNpmDepsHash = "sha256-wJdCvUVLZzCY3iW/Q7QVuRu96s49TehnuQNqbImbe0g=";
  };

  src = fetchFromGitHub {
--- a/pkgs/by-name/au/authelia/package.nix
+++ b/pkgs/by-name/au/authelia/package.nix
@@ -4,9 +4,9 @@
  nodejs,
  fetchPnpmDeps,
  pnpmConfigHook,
-  pnpm_10,
+  pnpm_11,
  fetchFromGitHub,
-  buildGo125Module,
+  buildGo126Module,
  installShellFiles,
  callPackage,
  nixosTests,
@@ -15,16 +15,16 @@
      nodejs
      fetchPnpmDeps
      pnpmConfigHook
-      pnpm_10
+      pnpm_11
      fetchFromGitHub
      ;
  },
 }:

 let
-  pnpm = pnpm_10;
+  pnpm = pnpm_11;

-  buildGoModule = buildGo125Module;
+  buildGoModule = buildGo126Module;

  inherit (import ./sources.nix { inherit fetchFromGitHub; })
    pname
@@ -66,11 +66,6 @@ buildGoModule (finalAttrs: {
      "-X ${p}.BuildExtra=nixpkgs"
    ];

-  # It is required to set this to avoid a change in the
-  # handling of sync map in go 1.24+
-  # Upstream issue: https://github.com/authelia/authelia/issues/8980
-  env.GOEXPERIMENT = "nosynchashtriemap";
-
  # several tests with networking and several that want chromium
  doCheck = false;

--- a/pkgs/by-name/au/authelia/sources.nix
+++ b/pkgs/by-name/au/authelia/sources.nix
@@ -1,14 +1,14 @@
 { fetchFromGitHub }:
 rec {
  pname = "authelia";
-  version = "4.39.19";
+  version = "4.39.20";

  src = fetchFromGitHub {
    owner = "authelia";
    repo = "authelia";
    rev = "v${version}";
-    hash = "sha256-wMOurdgdjykFekn0Pej3meM6WSzq9tJ+kZV9sVDvRwM=";
+    hash = "sha256-JjpfNQsqtmSKXj14fQUJsiTgfkAlSHDfqUC/x+bE+fc=";
  };
-  vendorHash = "sha256-ZDsLRMip2B8PPZu8VxW+91FVvwC2rXzohhAZFifT26g=";
-  pnpmDepsHash = "sha256-HMrC5V+Ak2dF1uPtbh8kgFc8kZI2FPMmZHJciWRYx9w=";
+  vendorHash = "sha256-dZjsYqw/ABEn1y6tZgSjbmqamO4U20Ljj/dQMFruVjU=";
+  pnpmDepsHash = "sha256-syfPg62JrTh496xi39xW/CnIwpJYo+iU5sCPP3bD2Ys=";
 }
--- a/pkgs/by-name/au/authelia/web.nix
+++ b/pkgs/by-name/au/authelia/web.nix
@@ -3,12 +3,12 @@
  nodejs,
  fetchPnpmDeps,
  pnpmConfigHook,
-  pnpm_10,
+  pnpm_11,
  fetchFromGitHub,
 }:

 let
-  pnpm = pnpm_10;
+  pnpm = pnpm_11;

  inherit (import ./sources.nix { inherit fetchFromGitHub; })
    pname
--- a/pkgs/by-name/au/authentik/package.nix
+++ b/pkgs/by-name/au/authentik/package.nix
@@ -20,13 +20,13 @@
 let
  nodejs = nodejs_24;

-  version = "2025.12.4";
+  version = "2025.12.5";

  src = fetchFromGitHub {
    owner = "goauthentik";
    repo = "authentik";
    tag = "version/${version}";
-    hash = "sha256-alTyrMBbjZbw4jhEna8saabf93sqSrZCu+Z5xH3pZ7M=";
+    hash = "sha256-LPGAhbtmuztDQ4CVhUXb+vBU5HjvNZ7JicI5r3lr1QQ=";
  };

  meta = {
@@ -52,7 +52,7 @@ let
    src = fetchFromGitHub {
      owner = "goauthentik";
      repo = "client-go";
-      tag = "v3.${version}";
+      tag = "v3.2025.12.4";
      hash = "sha256-+/CfOE2HkBU+ZddvdXGenB/z8xNFk8cujpZpMXyh3cY=";
    };

@@ -137,8 +137,8 @@ let

    outputHash =
      {
-        "aarch64-linux" = "sha256-GL5FPIBnoEXYtw8DPJpRPe3tT3qioN4AdoeOmCoiYsM=";
-        "x86_64-linux" = "sha256-AnceTipq6uUvTbOAZanVshAbAJ9LS1kwImbttTOcWxc=";
+        "aarch64-linux" = "sha256-smm9x29z7gOI7Wq0NvP45KHtBbT6p1lH6IjEf9LRuGs=";
+        "x86_64-linux" = "sha256-K86wnn50svP+QG3i0mggH8RQgfoIqEmyQTouz35xzw8=";
      }
      .${stdenvNoCC.hostPlatform.system} or (throw "authentik-website-deps: unsupported host platform");

@@ -208,8 +208,8 @@ let

    outputHash =
      {
-        "aarch64-linux" = "sha256-eZZ5Ynj81KwFsU5emPtYZ2CxO8MFvWbJnCHs+L88KQQ=";
-        "x86_64-linux" = "sha256-yUAyyO1NFav1EptrRYGSzC8dxCxYVj0FmzHk8IckFZM=";
+        "aarch64-linux" = "sha256-J9wGQe7iMfKznNk3woqi0VNVNA/dE6TGi2f44DOlG1c=";
+        "x86_64-linux" = "sha256-9Q590Rw0mk3q5osxOKGWU7+XtKwkTyA+CLC2LxAA/3g=";
      }
      .${stdenvNoCC.hostPlatform.system} or (throw "authentik-webui-deps: unsupported host platform");
    outputHashMode = "recursive";
--- a/pkgs/by-name/au/auto-multiple-choice/package.nix
+++ b/pkgs/by-name/au/auto-multiple-choice/package.nix
@@ -145,11 +145,6 @@ stdenv.mkDerivation (finalAttrs: {
    perlWithPackages
  ];

-  passthru = {
-    tlType = "run";
-    pkgs = [ finalAttrs.finalPackage ];
-  };
-
  meta = {
    description = "Create and manage multiple choice questionnaires with automated marking";
    mainProgram = "auto-multiple-choice";
--- a/pkgs/by-name/ba/bambu-studio/package.nix
+++ b/pkgs/by-name/ba/bambu-studio/package.nix
@@ -1,13 +1,13 @@
 {
  stdenv,
  lib,
-  binutils,
  fetchFromGitHub,
  cmake,
  ninja,
  pkg-config,
  wrapGAppsHook3,
  boost183,
+  cacert,
  cereal,
  cgal_5,
  curl,
@@ -15,7 +15,6 @@
  eigen,
  expat,
  ffmpeg,
-  gcc-unwrapped,
  glew,
  glfw,
  glib,
@@ -26,19 +25,24 @@
  gtk3,
  hicolor-icon-theme,
  libpng,
+  libsecret,
+  makeFontsConf,
  mpfr,
+  nanum,
  nlopt,
  opencascade-occt_7_6,
  openvdb,
  openexr,
  opencv,
-  pcre,
  systemd,
  onetbb,
  webkitgtk_4_1,
  wxwidgets_3_1,
  libx11,
  withSystemd ? stdenv.hostPlatform.isLinux,
+  # 3D viewport blank on NVIDIA proprietary GL; routes through Mesa + zink.
+  # https://github.com/NixOS/nixpkgs/issues/498311
+  withNvidiaGLWorkaround ? false,
 }:
 let
  wxGTK' =
@@ -48,11 +52,17 @@ let
      withWebKit = true;
    }).overrideAttrs
      (old: {
+        buildInputs = old.buildInputs ++ [ libsecret ];
        configureFlags = old.configureFlags ++ [
          # Disable noisy debug dialogs
          "--enable-debug=no"
+          "--enable-secretstore"
        ];
      });
+
+  fontsConf = makeFontsConf { fontDirectories = [ nanum ]; };
+
+  caBundle = "${cacert}/etc/ssl/certs/ca-bundle.crt";
 in
 stdenv.mkDerivation (finalAttrs: {
  pname = "bambu-studio";
@@ -73,7 +83,6 @@ stdenv.mkDerivation (finalAttrs: {
  ];

  buildInputs = [
-    binutils
    boost183
    cereal
    cgal_5
@@ -82,7 +91,6 @@ stdenv.mkDerivation (finalAttrs: {
    eigen
    expat
    ffmpeg
-    gcc-unwrapped
    glew
    glfw
    glib
@@ -95,12 +103,12 @@ stdenv.mkDerivation (finalAttrs: {
    gtk3
    hicolor-icon-theme
    libpng
+    libsecret
    mpfr
    nlopt
    opencascade-occt_7_6
    openexr
    openvdb
-    pcre
    onetbb
    webkitgtk_4_1
    wxGTK'
@@ -156,19 +164,19 @@ stdenv.mkDerivation (finalAttrs: {
  '';

  cmakeFlags = [
-    "-DSLIC3R_STATIC=0"
-    "-DSLIC3R_FHS=1"
-    "-DSLIC3R_GTK=3"
+    (lib.cmakeBool "SLIC3R_STATIC" false)
+    (lib.cmakeBool "SLIC3R_FHS" true)
+    (lib.cmakeFeature "SLIC3R_GTK" "3")

    # Skips installing ffmpeg, since we BYO.
-    "-DFLATPAK=1"
+    (lib.cmakeBool "FLATPAK" true)

-    # BambuStudio-specific
-    "-DBBL_RELEASE_TO_PUBLIC=1"
-    "-DBBL_INTERNAL_TESTING=0"
-    "-DDEP_WX_GTK3=ON"
-    "-DSLIC3R_BUILD_TESTS=0"
-    "-DCMAKE_CXX_FLAGS=-DBOOST_LOG_DYN_LINK"
+    # Substituted into `#define BBL_x @value@`; must be integer literals.
+    (lib.cmakeFeature "BBL_RELEASE_TO_PUBLIC" "1")
+    (lib.cmakeFeature "BBL_INTERNAL_TESTING" "0")
+    (lib.cmakeBool "DEP_WX_GTK3" true)
+    (lib.cmakeBool "SLIC3R_BUILD_TESTS" false)
+    (lib.cmakeFeature "CMAKE_CXX_FLAGS" "-DBOOST_LOG_DYN_LINK")
  ];

  preFixup = ''
@@ -178,6 +186,25 @@ stdenv.mkDerivation (finalAttrs: {
      # Fixes intermittent crash
      # The upstream setup links in glew statically
      --prefix LD_PRELOAD : "${glew.out}/lib/libGLEW.so"
+
+      # plugin libcurl + main HTTPS need explicit CA bundle.
+      # https://github.com/NixOS/nixpkgs/issues/498307
+      --set-default SSL_CERT_FILE ${caBundle}
+      --set-default CURL_CA_BUNDLE ${caBundle}
+
+      # WebKit OAuth callback fails with DMA-BUF compositing.
+      # https://github.com/NixOS/nixpkgs/issues/498307
+      --set WEBKIT_DISABLE_COMPOSITING_MODE 1
+      --set WEBKIT_DISABLE_DMABUF_RENDERER 1
+
+      --set FONTCONFIG_FILE "${fontsConf}"
+
+      ${lib.optionalString withNvidiaGLWorkaround ''
+        --set __GLX_VENDOR_LIBRARY_NAME mesa
+        --set __EGL_VENDOR_LIBRARY_FILENAMES /run/opengl-driver/share/glvnd/egl_vendor.d/50_mesa.json
+        --set MESA_LOADER_DRIVER_OVERRIDE zink
+        --set GALLIUM_DRIVER zink
+      ''}
    )
  '';

@@ -192,7 +219,15 @@ stdenv.mkDerivation (finalAttrs: {
    description = "PC Software for BambuLab's 3D printers";
    homepage = "https://github.com/bambulab/BambuStudio";
    changelog = "https://github.com/bambulab/BambuStudio/releases/tag/v${finalAttrs.version}";
-    license = lib.licenses.agpl3Plus;
+    license = with lib.licenses; [
+      agpl3Plus
+      # Bambu Studio downloads and dlopens a proprietary networking library
+      # at first launch whose corresponding source is not provided. SFC ruled
+      # this an ongoing AGPLv3 violation; see:
+      # https://github.com/NixOS/nixpkgs/issues/415821
+      # https://sfconservancy.org/news/2026/may/18/bambu-studio-3d-printer-agpl-violation-response/
+      unfree
+    ];
    maintainers = with lib.maintainers; [
      zhaofengli
      dsluijk
--- a/pkgs/by-name/bi/bird2/package.nix
+++ b/pkgs/by-name/bi/bird2/package.nix
@@ -12,14 +12,14 @@

 stdenv.mkDerivation (finalAttrs: {
  pname = "bird";
-  version = "2.18.1";
+  version = "2.19.0";

  src = fetchFromGitLab {
    domain = "gitlab.nic.cz";
    owner = "labs";
    repo = "bird";
    tag = "v${finalAttrs.version}";
-    hash = "sha256-tYICTipTzugtb7kv/zwsChM8v+zJ2TVsotEkJDcZCto=";
+    hash = "sha256-xk3z5kkjnInmIwtE6Q7kCJ5P5Njt/Oz1+HPO0vcr93E=";
  };

  nativeBuildInputs = [
--- a/pkgs/by-name/bi/bird3/package.nix
+++ b/pkgs/by-name/bi/bird3/package.nix
@@ -12,14 +12,14 @@

 stdenv.mkDerivation (finalAttrs: {
  pname = "bird";
-  version = "3.2.1";
+  version = "3.3.0";

  src = fetchFromGitLab {
    domain = "gitlab.nic.cz";
    owner = "labs";
    repo = "bird";
    tag = "v${finalAttrs.version}";
-    hash = "sha256-FkrVrjT4Q9zLeauP2GOX38a7a4q7h2aQbEe/kmfKB3A=";
+    hash = "sha256-mH9CM9Emie2B9c5PeW4DKUQUzvgxTExPBGG06YbWqGo=";
  };

  nativeBuildInputs = [
--- a/Show More
+++ b/Show More