shadps4-qtlauncher: init at 224

(cherry picked from commit 8de3589aa7)
shadps4: 0.13.0 -> 0.15.0
2026-06-06 05:13:37 +00:00 · 2026-05-25 21:43:54 +00:00 · 2026-05-25 21:43:54 +00:00 · 2026-05-25 21:14:36 +00:00 · 2026-05-25 20:41:49 +00:00 · 2026-05-25 20:31:49 +00:00
2085 changed files with 18570 additions and 30727 deletions
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -0,0 +1,6 @@
+<!--
+    Please note: This blank issue template is meant for extraordinary issues
+    that do not fit the templates. Unless you know your issue is relevant to
+    Nixpkgs and requires the free-form blank issue, please use the issue
+    templates instead.
+-->
--- a/.github/ISSUE_TEMPLATE/01_bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/01_bug_report.yml
@@ -35,8 +35,7 @@ body:
        If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
      options:
        - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
        - "- Stable (25.11)"
      default: 0
    validations:
--- a/.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml
+++ b/.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml
@@ -35,8 +35,7 @@ body:
        If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
      options:
        - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
        - "- Stable (25.11)"
      default: 0
    validations:
@@ -100,7 +99,7 @@ body:
    attributes:
      label: "Are you using nix-darwin?"
      description: |
-        [`nix-darwin`](https://github.com/nix-darwin/nix-darwin) is a set of NixOS-like modules for macOS systems. Depending on your issue, this information may be relevant.
+        [`nix-darwin`](https://github.com/LnL7/nix-darwin) is a set of NixOS-like modules for macOS systems. Depending on your issue, this information may be relevant.
      options:
        - "Yes, I am using nix-darwin."
        - "No, I am not using nix-darwin."
--- a/.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml
+++ b/.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml
@@ -35,8 +35,7 @@ body:
        If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
      options:
        - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
        - "- Stable (25.11)"
      default: 0
    validations:
--- a/.github/ISSUE_TEMPLATE/04_build_failure.yml
+++ b/.github/ISSUE_TEMPLATE/04_build_failure.yml
@@ -37,8 +37,7 @@ body:
        If you are purposefully trying to build an ancient version of a package in an older Nixpkgs, please coordinate with the [NixOS Archivists](https://matrix.to/#/#archivists:nixos.org).
      options:
        - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
        - "- Stable (25.11)"
      default: 0
    validations:
--- a/.github/ISSUE_TEMPLATE/05_update_request.yml
+++ b/.github/ISSUE_TEMPLATE/05_update_request.yml
@@ -37,8 +37,7 @@ body:
        If the package has been updated in unstable, but you believe the update should be backported to the stable release of Nixpkgs, please file the '**Request: backport to stable**' form instead.
      options:
        - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
        - "- Stable (25.11)"
      default: 0
    validations:
--- a/.github/ISSUE_TEMPLATE/06_module_request.yml
+++ b/.github/ISSUE_TEMPLATE/06_module_request.yml
@@ -35,8 +35,7 @@ body:
        If you are using an older or stable version, please update to the latest **unstable** version and check if the module still does not exist before continuing this request.
      options:
        - "Please select a version."
-        - "- Unstable (26.11)"
-        - "- Beta (26.05)"
+        - "- Unstable (26.05)"
        - "- Stable (25.11)"
      default: 0
    validations:
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -21,7 +21,7 @@ defaults:
 jobs:
  backport:
    name: Backport Pull Request
-    if: vars.NIXPKGS_CI_CLIENT_ID && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
+    if: vars.NIXPKGS_CI_APP_ID && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
    runs-on: ubuntu-slim
    timeout-minutes: 3
    steps:
@@ -30,7 +30,7 @@ jobs:
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-contents: write
          permission-pull-requests: write
--- a/.github/workflows/bot.yml
+++ b/.github/workflows/bot.yml
@@ -57,10 +57,10 @@ jobs:

      # Use a GitHub App, because it has much higher rate limits: 12,500 instead of 5,000 req / hour.
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_CLIENT_ID
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
        id: app-token
        with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-contents: write
--- a/.github/workflows/comment.yml
+++ b/.github/workflows/comment.yml
@@ -31,10 +31,10 @@ jobs:

      # Use the GitHub App to make sure the reaction happens with the same user who will later merge.
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_CLIENT_ID
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
        id: app-token
        with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-pull-requests: write

--- a/.github/workflows/edited.yml
+++ b/.github/workflows/edited.yml
@@ -39,7 +39,7 @@ jobs:
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-pull-requests: write

--- a/.github/workflows/periodic-merge-24h.yml
+++ b/.github/workflows/periodic-merge-24h.yml
@@ -35,14 +35,10 @@ jobs:
            into: staging-next-25.11
          - from: staging-next-25.11
            into: staging-25.11
-          - from: release-25.11
-            into: staging-nixos-25.11
          - from: release-26.05
            into: staging-next-26.05
          - from: staging-next-26.05
            into: staging-26.05
-          - from: release-26.05
-            into: staging-nixos-26.05
          - name: merge-base(master,staging) → haskell-updates
            from: master staging
            into: haskell-updates
--- a/.github/workflows/periodic-merge.yml
+++ b/.github/workflows/periodic-merge.yml
@@ -29,7 +29,7 @@ jobs:
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-contents: write
          permission-pull-requests: write
--- a/.github/workflows/review.yml
+++ b/.github/workflows/review.yml
@@ -28,10 +28,10 @@ jobs:

      # Use the GitHub App to make sure the reaction happens with the same user who will later merge.
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_CLIENT_ID
+        if: github.event_name != 'pull_request' && vars.NIXPKGS_CI_APP_ID
        id: app-token
        with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-pull-requests: write

--- a/.github/workflows/teams.yml
+++ b/.github/workflows/teams.yml
@@ -22,7 +22,7 @@ jobs:
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
-          client-id: ${{ vars.NIXPKGS_CI_CLIENT_ID }}
+          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
          permission-administration: read
          permission-contents: write
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -442,7 +442,6 @@ The staging workflow is used for all stable branches with corresponding names:
 - `master`/`release-YY.MM`
 - `staging`/`staging-YY.MM`
 - `staging-next`/`staging-next-YY.MM`
- `staging-nixos`/`staging-nixos-YY.MM`

 [^1]: Except changes that cause no more rebuilds than kernel updates

@@ -506,7 +505,7 @@ These PRs go to `staging-nixos`, see [the next section for more context](#change
 Changes causing a rebuild of all NixOS tests get a special [`10.rebuild-nixos-tests`](https://github.com/NixOS/nixpkgs/issues?q=state%3Aopen%20label%3A10.rebuild-nixos-tests) label.
 These changes pose a significant impact on the build infrastructure.

-Hence, these PRs should either target a `staging`-branch or `staging-nixos`-branch, provided one of following conditions applies:
+Hence, these PRs should either target a `staging`-branch or `staging-nixos`, provided one of following conditions applies:

 * The label `10.rebuild-nixos-tests` is set, or
 * The PR is a change affecting the Linux kernel.
--- a/ci/OWNERS
+++ b/ci/OWNERS
@@ -124,7 +124,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @Artturin @Ericson2314 @lo

 # NixOS integration test driver
 /nixos/lib/test-driver  @tfc
-/nixos/lib/testing      @tfc

 # NixOS QEMU virtualisation
 /nixos/modules/virtualisation/qemu-vm.nix                 @raitobezarius
@@ -527,6 +526,3 @@ pkgs/by-name/wa/warp-terminal/  @emilytrau @imadnyc @FlameFlag @johnrtitor
 # Radicle
 /pkgs/build-support/fetchradicle/      @NixOS/radicle
 /pkgs/build-support/fetchradiclepatch/ @NixOS/radicle
-
-# Zellij plugins
-/pkgs/by-name/ze/zellij/plugins/   @PerchunPak
--- a/ci/github-script/check-target-branch.js
+++ b/ci/github-script/check-target-branch.js
@@ -102,8 +102,9 @@ async function checkTargetBranch({ github, context, core, dry }) {
    changed.attrdiff.changed.includes('nixosTests.simple-container') ||
    changed.attrdiff.changed.includes('nixosTests.simple-vm')

-  // https://github.com/NixOS/nixpkgs/pull/521157
-  // These should go to master and release-xx.xx when backported
+  // https://github.com/NixOS/nixpkgs/pull/481205#issuecomment-3790123921
+  // These should go to staging-nixos instead of master,
+  // but release-xx.xx (not staging-xx.xx) when backported
  let isExemptKernelUpdate = false
  if (prInfo.changed_files === 1) {
    const changedFiles = (
@@ -114,8 +115,11 @@ async function checkTargetBranch({ github, context, core, dry }) {
    ).data
    isExemptKernelUpdate =
      changedFiles.length === 1 &&
-      changedFiles[0].filename ===
-        'pkgs/os-specific/linux/kernel/xanmod-kernels.nix'
+      (changedFiles[0].filename ===
+        'pkgs/os-specific/linux/kernel/xanmod-kernels.nix' ||
+        (base.startsWith('release-') &&
+          changedFiles[0].filename ===
+            'pkgs/os-specific/linux/kernel/kernels-org.json'))
  }

  // https://github.com/NixOS/nixpkgs/pull/483194#issuecomment-3793393218
@@ -160,10 +164,8 @@ async function checkTargetBranch({ github, context, core, dry }) {
      branchText = '(probably either `staging-nixos` or `staging`)'
    } else if (base === 'master') {
      branchText = '(probably `staging-nixos`)'
-    } else if (maxRebuildCount >= 500) {
-      branchText = `(probably either \`staging-nixos-${split(base).version}\` or \`staging-${split(base).version}\`)`
    } else {
-      branchText = `(probably \`staging-nixos-${split(base).version}\`)`
+      branchText = `(probably \`staging-${split(base).version}\`)`
    }
    const body = [
      `The PR's base branch is set to \`${base}\`, but this PR rebuilds all NixOS tests.`,
--- a/doc/hooks/index.md
+++ b/doc/hooks/index.md
@@ -48,7 +48,6 @@ unzip.section.md
 validatePkgConfig.section.md
 versionCheckHook.section.md
 waf.section.md
-writable-tmpdir-as-home-hook.section.md
 zig.section.md
 xcbuild.section.md
 xfce4-dev-tools.section.md
--- a/doc/hooks/writable-tmpdir-as-home-hook.section.md
+++ b/doc/hooks/writable-tmpdir-as-home-hook.section.md
@@ -1,5 +0,0 @@
-# writableTmpDirAsHomeHook {#writableTmpDirAsHomeHook}
-
-This setup hook provides a writable home directory for packages that require it.
-
-To use, just add the hook to the `nativeBuildInputs` of the package.
--- a/doc/languages-frameworks/beam.section.md
+++ b/doc/languages-frameworks/beam.section.md
@@ -6,68 +6,46 @@ In this document and related Nix expressions, we use the term, _BEAM_, to descri

 ## Available versions and deprecations schedule {#available-versions-and-deprecations-schedule}

-### Erlang OTP {#erlang}
-
-Nixpkgs follows upstream Erlang in their [support lifecycle](https://erlang.org/download/otp_versions_tree.html) and keeps up to the last 3 released versions of Erlang available. Due to upstream and NixOS release timings, this may mean removal of the oldest release prior to upstream fully dropping support.
-
 ### Elixir {#elixir}

-Nixpkgs follows the [official elixir deprecation schedule](https://hexdocs.pm/elixir/compatibility-and-deprecations.html) and keeps up to the last 5 released versions of Elixir available.
+Nixpkgs follows the [official elixir deprecation schedule](https://hexdocs.pm/elixir/compatibility-and-deprecations.html) and keeps the last 5 released versions of Elixir available.

 ## Structure {#beam-structure}

-All BEAM-related expressions are available via top-level package sets. It is recommended to work with a single package set to ensure consistent versions.
+All BEAM-related expressions are available via the top-level `beam` attribute, which includes:

- `beamPackages` - default OTP version
- `beamMinimalPackages` - default OTP version, without wxwidgets, which saves ~1GB in closure size
+- `interpreters`: a set of compilers running on the BEAM, including multiple Erlang/OTP versions (`beam.interpreters.erlang_22`, etc), Elixir (`beam.interpreters.elixir`) and LFE (Lisp Flavoured Erlang) (`beam.interpreters.lfe`).

-There are also OTP version specific package sets, e.g. for OTP 28:
+- `packages`: a set of package builders (Mix and rebar3), each compiled with a specific Erlang/OTP version, e.g. `beam.packages.erlang22`.

- `beam28Packages`
- `beamMinimal28Packages`
+The default Erlang compiler, defined by `beam.interpreters.erlang`, is aliased as `erlang`. The default BEAM package set is defined by `beam.packages.erlang` and aliased at the top level as `beamPackages`.

-Inside each package set are:
+To create a package builder built with a custom Erlang version, use the lambda, `beam.packagesWith`, which accepts an Erlang/OTP derivation and produces a package builder similar to `beam.packages.erlang`.

- erlang itself (version comes from package set)
- interpreters: elixir (multiple versions, e.g. elixir_1_18) and lfe
- packages: rebar3, hex, etc
- builders: mixRelease, buildRebar3, etc
- hooks: for composing builders and packages
+Many Erlang/OTP distributions available in `beam.interpreters` have versions with ODBC and/or Java enabled or without wx (no observer support). For example, there's `beam.interpreters.erlang_22_odbc_javac`, which corresponds to `beam.interpreters.erlang_22` and `beam.interpreters.erlang_22_nox`, which corresponds to `beam.interpreters.erlang_22`.

-To use a non-default Elixir it's important to keep the rest of the package set consistent, so it's recommended to use `.extend`. This ensures that builders like `mixRelease`, `fetchMixDeps`, and `buildMix` all pick up the overridden Elixir:
+## Build Tools {#build-tools}

-```nix
-let
-  beamPackages = beam27Packages.extend (self: super: { elixir = self.elixir_1_18; });
-in
-beamPackages.mixRelease {
-  # ...
-}
-```
+### Rebar3 {#build-tools-rebar3}

-## Build Tools {#beam-build-tools}
+We provide a version of Rebar3, under `rebar3`. We also provide a helper to fetch Rebar3 dependencies from a lockfile under `fetchRebar3Deps`.

-### Rebar3 {#beam-build-tools-rebar3}
-
-We provide a version of Rebar3, under `beamPackages.rebar3`. We also provide a helper to fetch Rebar3 dependencies from a lockfile under `beamPackages.fetchRebar3Deps`.
-
-We also provide a version on Rebar3 with plugins included, under `beamPackages.rebar3WithPlugins`. This package is a function which takes two arguments: `plugins`, a list of nix derivations to include as plugins (loaded only when specified in `rebar.config`), and `globalPlugins`, which should always be loaded by rebar3. Example: `beamPackages.rebar3WithPlugins { globalPlugins = [beamPackages.pc]; }`.
+We also provide a version on Rebar3 with plugins included, under `rebar3WithPlugins`. This package is a function which takes two arguments: `plugins`, a list of nix derivations to include as plugins (loaded only when specified in `rebar.config`), and `globalPlugins`, which should always be loaded by rebar3. Example: `rebar3WithPlugins { globalPlugins = [beamPackages.pc]; }`.

 When adding a new plugin it is important that the `name` attribute is the same as the atom used by rebar3 to refer to the plugin.

-### Erlang.mk {#beam-build-tools-erlangmk}
+### Mix & Erlang.mk {#build-tools-other}

 Erlang.mk works exactly as expected. There is a bootstrap process that needs to be run, which is supported by the `buildErlangMk` derivation.

-### Mix {#beam-build-tools-mix}
+For Elixir applications use `mixRelease` to make a release. See examples for more details.

-For Elixir applications that use [mix release](https://hexdocs.pm/mix/Mix.Release.html), use the `mixRelease` builder to make a release. See examples for more details.
-
-There is also a `buildMix` helper, whose behavior is closer to that of `buildErlangMk` and `buildRebar3`. The primary difference is that `mixRelease` makes a release, while `buildMix` only builds the package, which is more useful for libraries and other dependencies.
+There is also a `buildMix` helper, whose behavior is closer to that of `buildErlangMk` and `buildRebar3`. The primary difference is that mixRelease makes a release, while buildMix only builds the package, making it useful for libraries and other dependencies.

 ## How to Install BEAM Packages {#how-to-install-beam-packages}

-To use any of these builders in your environment, refer to them by their attribute path under `beamPackages` (or another BEAM package set), e.g. `beamPackages.rebar3`:
+BEAM builders are not registered at the top level, because they are not relevant to the vast majority of Nix users.
+To use any of those builders into your environment, refer to them by their attribute path under `beamPackages`, e.g. `beamPackages.rebar3`:

 ::: {.example #ex-beam-ephemeral-shell}
 # Ephemeral shell
@@ -97,39 +75,35 @@ pkgs.mkShell { packages = [ pkgs.beamPackages.rebar3 ]; }

 #### Rebar3 Packages {#rebar3-packages}

-The builder `beamPackages.buildRebar3` can be used to build a derivation that understands how to build a Rebar3 project.
+The Nix function, `buildRebar3`, defined in `beam.packages.erlang.buildRebar3` and aliased at the top level, can be used to build a derivation that understands how to build a Rebar3 project.
+
+If a package needs to compile native code via Rebar3's port compilation mechanism, add `compilePort = true;` to the derivation.

 #### Erlang.mk Packages {#erlang-mk-packages}

-Erlang.mk functions similarly to Rebar3, except we use `beamPackages.buildErlangMk` instead of `beamPackages.buildRebar3`.
-
-If a package needs to compile native code via Erlang.mk's port compilation mechanism, add `compilePorts = true;` to the derivation.
-
-### Elixir Applications {#packaging-elixir-applications}
+Erlang.mk functions similarly to Rebar3, except we use `buildErlangMk` instead of `buildRebar3`.

 #### Mix Packages {#mix-packages}

-`beamPackages.mixRelease` is used to make a release in the mix sense. Dependencies will need to be fetched with `beamPackages.fetchMixDeps` and passed to it.
+`mixRelease` is used to make a release in the mix sense. Dependencies will need to be fetched with `fetchMixDeps` and passed to it.

 #### mixRelease - Elixir Phoenix example {#mix-release-elixir-phoenix-example}

-There are 3 steps: frontend dependencies (javascript), backend dependencies (elixir), and the final derivation that puts both of those together.
+there are 3 steps: frontend dependencies (javascript), backend dependencies (elixir), and the final derivation that puts both of those together

 ##### mixRelease - Frontend dependencies (javascript) {#mix-release-javascript-deps}

-For phoenix projects, inside of Nixpkgs you can either use `fetchYarnDeps` or `buildNpmPackage`. An example with `buildNpmPackage` can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pl/plausible/package.nix), and an example with `fetchYarnDeps` can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pi/pinchflat/package.nix).
+For phoenix projects, inside of Nixpkgs you can either use `fetchYarnDeps` or `buildNpmPackage`. An example with `fetchYarnDeps` can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pl/plausible/package.nix). An example with `fetchYarnDeps` will follow. To package something outside of nixpkgs, you have alternatives like [npmlock2nix](https://github.com/nix-community/npmlock2nix) or [nix-npm-buildpackage](https://github.com/serokell/nix-npm-buildpackage)

 ##### mixRelease - backend dependencies (mix) {#mix-release-mix-deps}

-There are 2 ways to package backend dependencies: either per-dependency mix2nix or with a fixed-output-derivation (FOD).
-
-When writing an elixir project targeting `mixRelease`, you can also consider using [deps_nix](https://github.com/code-supply/deps_nix) with `mixNixDeps`. `deps_nix` supports git dependencies, but is intended to be added to the project's `mix.exs` directly.
+There are 2 ways to package backend dependencies. With mix2nix and with a fixed-output-derivation (FOD).

 ###### mix2nix {#mix2nix}

 `mix2nix` is a cli tool available in Nixpkgs. It will generate a Nix expression from a `mix.lock` file. It is quite standard in the 2nix tool series.

-Note that currently mix2nix can't handle git dependencies inside the mix.lock file. If you have git dependencies, you can either add them manually (see [example](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/pl/pleroma/package.nix)) or use the FOD method.
+Note that currently mix2nix can't handle git dependencies inside the mix.lock file. If you have git dependencies, you can either add them manually (see [example](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/pleroma/default.nix#L20)) or use the FOD method.

 The advantage of using mix2nix is that nix will know your whole dependency graph. On a dependency update, this won't trigger a full rebuild and download of all the dependencies, where FOD will do so.

@@ -177,7 +151,7 @@ You will need to run the build process once to fix the hash to correspond to you

 ###### FOD {#fixed-output-derivation}

-A fixed output derivation will download mix dependencies from the internet. To ensure reproducibility, a hash will be supplied. Note that mix is relatively reproducible. An FOD generating a different hash on each run hasn't been observed (as opposed to npm where the chances are relatively high). See [akkoma](https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/ak/akkoma/package.nix) for a usage example of FOD.
+A fixed output derivation will download mix dependencies from the internet. To ensure reproducibility, a hash will be supplied. Note that mix is relatively reproducible. An FOD generating a different hash on each run hasn't been observed (as opposed to npm where the chances are relatively high). See [elixir-ls](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/beam-modules/elixir-ls/default.nix) for a usage example of FOD.

 Practical steps

@@ -202,11 +176,12 @@ Note that if after you've replaced the value, nix suggests another hash, then mi
 Here is how your `default.nix` file would look for a Phoenix project.

 ```nix
-{
-  # beam27Packages or beam29Packages is available if you need a particular version
-  beamPackages,
-}:
+with import <nixpkgs> { };
+
 let
+  # beam.interpreters.erlang_26 is available if you need a particular version
+  packages = beam.packagesWith beam.interpreters.erlang;
+
  pname = "your_project";
  version = "0.0.1";

@@ -216,7 +191,7 @@ let
  };

  # if using mix2nix you can use the mixNixDeps attribute
-  mixFodDeps = beamPackages.fetchMixDeps {
+  mixFodDeps = packages.fetchMixDeps {
    pname = "mix-deps-${pname}";
    inherit src version;
    # nix will complain and tell you the right value to replace this with
@@ -225,8 +200,11 @@ let
    # if you have build time environment variables add them here
    MY_ENV_VAR = "my_value";
  };
+
+  nodeDependencies = (pkgs.callPackage ./assets/default.nix { }).shell.nodeDependencies;
+
 in
-beamPackages.mixRelease {
+packages.mixRelease {
  inherit
    src
    pname
@@ -237,6 +215,9 @@ beamPackages.mixRelease {
  MY_ENV_VAR = "my_value";

  postBuild = ''
+    ln -sf ${nodeDependencies}/lib/node_modules assets/node_modules
+    npm run deploy --prefix ./assets
+
    # for external task you need a workaround for the no deps check flag
    # https://github.com/phoenixframework/phoenix/issues/2690
    mix do deps.loadpaths --no-deps-check, phx.digest
@@ -248,7 +229,7 @@ beamPackages.mixRelease {
 Setup will require the following steps:

 - Move your secrets to runtime environment variables. For more information refer to the [runtime.exs docs](https://hexdocs.pm/mix/Mix.Tasks.Release.html#module-runtime-configuration). On a fresh Phoenix build that would mean that both `DATABASE_URL` and `SECRET_KEY` need to be moved to `runtime.exs`.
- Generate a Nix expression for your frontend dependencies using `fetchNpmDeps`/`buildNpmPackage` or `fetchYarnDeps`, depending on whether the project uses npm or yarn
+- `cd assets` and `nix-shell -p node2nix --run "node2nix --development"` will generate a Nix expression containing your frontend dependencies
 - commit and push those changes
 - you can now `nix-build .`
 - To run the release, set the `RELEASE_TMP` environment variable to a directory that your program has write access to. It will be used to store the BEAM settings.
@@ -267,7 +248,7 @@ in your project with the following
 }:

 let
-  release = pkgs.callPackage ./default.nix { };
+  release = pkgs.callPackage ./default.nix;
  release_name = "app";
  working_directory = "/home/app";
 in
@@ -339,10 +320,9 @@ Usually, we need to create a `shell.nix` file and do our development inside the

 with pkgs;
 let
-  # pin OTP via beam27Packages/beam28Packages/... and Elixir via .extend
-  beamPackages = beam27Packages.extend (self: super: { elixir = self.elixir_1_18; });
+  elixir = beam.packages.erlang_27.elixir_1_18;
 in
-mkShell { buildInputs = [ beamPackages.elixir ]; }
+mkShell { buildInputs = [ elixir ]; }
 ```

 ### Using an overlay {#beam-using-overlays}
@@ -357,7 +337,7 @@ let
    self: super: {
      elixir_1_18 = super.elixir_1_18.override {
        version = "1.18.1";
-        hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+        sha256 = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
      };
    }
  );
@@ -375,17 +355,18 @@ Here is an example `shell.nix`.
 with import <nixpkgs> { };

 let
-  # pin OTP via beam27Packages/beam28Packages/... and Elixir via .extend
-  beamPackages = beam27Packages.extend (self: super: { elixir = self.elixir_1_18; });
-
  # define packages to install
  basePackages = [
    git
-    beamPackages.elixir
+    # replace with beam.packages.erlang.elixir_1_18 if you need
+    beam.packages.erlang.elixir
    nodejs
    postgresql_14
+    # only used for frontend dependencies
+    # you are free to use yarn2nix as well
+    nodePackages.node2nix
    # formatting js file
-    prettier
+    nodePackages.prettier
  ];

  inputs = basePackages ++ lib.optionals stdenv.hostPlatform.isLinux [ inotify-tools ];
@@ -398,13 +379,13 @@ let
    export HEX_HOME=$PWD/.nix-mix
    # make hex from Nixpkgs available
    # `mix local.hex` will install hex into MIX_HOME and should take precedence
-    export MIX_PATH="${beamPackages.hex}/lib/erlang/lib/hex/ebin"
+    export MIX_PATH="${beam.packages.erlang.hex}/lib/erlang/lib/hex/ebin"
    export PATH=$MIX_HOME/bin:$HEX_HOME/bin:$PATH
    export LANG=C.UTF-8
    # keep your shell history in iex
    export ERL_AFLAGS="-kernel shell_history enabled"

-    # postgres related
+    # postges related
    # keep all your db data in a folder inside the project
    export PGDATA="$PWD/db"

--- a/doc/languages-frameworks/lua.section.md
+++ b/doc/languages-frameworks/lua.section.md
@@ -232,7 +232,7 @@ The following is an example:
        vyp
        lblasc
      ];
-      license = lib.licenses.mit;
+      license.fullName = "MIT/X11";
    };
  };
 }
--- a/doc/packages/darwin-builder.section.md
+++ b/doc/packages/darwin-builder.section.md
@@ -89,7 +89,7 @@ Note that if the builder is running and you have created the above ssh conf file
 {
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-22.11-darwin";
-    darwin.url = "github:nix-darwin/nix-darwin/master";
+    darwin.url = "github:lnl7/nix-darwin/master";
    darwin.inputs.nixpkgs.follows = "nixpkgs";
  };

--- a/doc/packages/linux.section.md
+++ b/doc/packages/linux.section.md
@@ -119,10 +119,11 @@ $ pkgs/os-specific/linux/kernel/update.sh
 The change gets submitted like this:

 * File a PR against `staging-nixos`.
-  * Add a `backport staging-nixos-XX.XX` label for an automated backport.
+  * Add a `backport release-XX.XX` label for an automated backport.
+    We don't expect many other changes on that branch to require a backport, hence there's no such branch for stable.
    By using an additional PR, we get the automatic backport against stable without manual cherry-picks.
-* Merge into `staging-nixos` or `staging-nixos-XX.XX`.
-* File as PR from `staging-nixos` against `master` or `staging-nixos-XX.XX` against `release-xx.xx`.
+* Merge into `staging-nixos`.
+* File as PR from `staging-nixos` against `master`.
 * When all status checks are green, merge.

 ### Add a new (major) version of the Linux kernel {#sec-linux-add-new-kernel-version}
--- a/doc/redirects.json
+++ b/doc/redirects.json
@@ -412,9 +412,6 @@
  "sec-meta-identifiers-cpe": [
    "index.html#sec-meta-identifiers-cpe"
  ],
-  "sec-meta-identifiers-purl": [
-    "index.html#sec-meta-identifiers-purl"
-  ],
  "sec-modify-via-packageOverrides": [
    "index.html#sec-modify-via-packageOverrides"
  ],
@@ -436,30 +433,6 @@
  "chap-overlays": [
    "index.html#chap-overlays"
  ],
-  "sec-nixpkgs-release-26.11": [
-    "release-notes.html#sec-nixpkgs-release-26.11"
-  ],
-  "sec-nixpkgs-release-26.11-highlights": [
-    "release-notes.html#sec-nixpkgs-release-26.11-highlights"
-  ],
-  "sec-nixpkgs-release-26.11-incompatibilities": [
-    "release-notes.html#sec-nixpkgs-release-26.11-incompatibilities"
-  ],
-  "sec-nixpkgs-release-26.11-lib": [
-    "release-notes.html#sec-nixpkgs-release-26.11-lib"
-  ],
-  "sec-nixpkgs-release-26.11-lib-breaking": [
-    "release-notes.html#sec-nixpkgs-release-26.11-lib-breaking"
-  ],
-  "sec-nixpkgs-release-26.11-lib-deprecations": [
-    "release-notes.html#sec-nixpkgs-release-26.11-lib-deprecations"
-  ],
-  "sec-nixpkgs-release-26.11-lib-additions-improvements": [
-    "release-notes.html#sec-nixpkgs-release-26.11-lib-additions-improvements"
-  ],
-  "sec-nixpkgs-release-26.11-notable-changes": [
-    "release-notes.html#sec-nixpkgs-release-26.11-notable-changes"
-  ],
  "sec-nixpkgs-release-26.05": [
    "release-notes.html#sec-nixpkgs-release-26.05"
  ],
@@ -926,9 +899,6 @@
  "var-go-buildTestBinaries": [
    "index.html#var-go-buildTestBinaries"
  ],
-  "var-meta-donationPage": [
-    "index.html#var-meta-donationPage"
-  ],
  "var-meta-identifiers-cpe": [
    "index.html#var-meta-identifiers-cpe"
  ],
@@ -938,15 +908,6 @@
  "var-meta-identifiers-possibleCPEs": [
    "index.html#var-meta-identifiers-possibleCPEs"
  ],
-  "var-meta-identifiers-purl": [
-    "index.html#var-meta-identifiers-purl"
-  ],
-  "var-meta-identifiers-purlParts": [
-    "index.html#var-meta-identifiers-purlParts"
-  ],
-  "var-meta-identifiers-purls": [
-    "index.html#var-meta-identifiers-purls"
-  ],
  "var-meta-teams": [
    "index.html#var-meta-teams"
  ],
@@ -1055,9 +1016,6 @@
  "tar-files": [
    "index.html#tar-files"
  ],
-  "writableTmpDirAsHomeHook": [
-    "index.html#writableTmpDirAsHomeHook"
-  ],
  "x86_64-darwin-26.05": [
    "release-notes.html#x86_64-darwin-26.05"
  ],
@@ -3091,28 +3049,19 @@
  "available-versions-and-deprecations-schedule": [
    "index.html#available-versions-and-deprecations-schedule"
  ],
-  "erlang": [
-    "index.html#erlang"
-  ],
  "elixir": [
    "index.html#elixir"
  ],
  "beam-structure": [
    "index.html#beam-structure"
  ],
-  "beam-build-tools": [
-    "index.html#beam-build-tools",
+  "build-tools": [
    "index.html#build-tools"
  ],
-  "beam-build-tools-rebar3": [
-    "index.html#beam-build-tools-rebar3",
+  "build-tools-rebar3": [
    "index.html#build-tools-rebar3"
  ],
-  "beam-build-tools-erlangmk": [
-    "index.html#beam-build-tools-erlangmk"
-  ],
-  "beam-build-tools-mix": [
-    "index.html#beam-build-tools-mix",
+  "build-tools-other": [
    "index.html#build-tools-other"
  ],
  "how-to-install-beam-packages": [
@@ -3130,9 +3079,6 @@
  "packaging-erlang-applications": [
    "index.html#packaging-erlang-applications"
  ],
-  "packaging-elixir-applications": [
-    "index.html#packaging-elixir-applications"
-  ],
  "rebar3-packages": [
    "index.html#rebar3-packages"
  ],
--- a/doc/release-notes/release-notes.md
+++ b/doc/release-notes/release-notes.md
@@ -3,7 +3,6 @@
 This section lists the release notes for each stable version of Nixpkgs and the current unstable revision.

 ```{=include=} sections
-rl-2611.section.md
 rl-2605.section.md
 rl-2511.section.md
 rl-2505.section.md
--- a/doc/release-notes/rl-2511.section.md
+++ b/doc/release-notes/rl-2511.section.md
@@ -44,7 +44,7 @@

 - `base16-builder` node package has been removed due to lack of upstream maintenance.

- `budgie-desktop` has been updated to [10.9.4](https://github.com/BuddiesOfBudgie/budgie-desktop/releases/tag/v10.9.4). This changes `XDG_CURRENT_DESKTOP` from `Budgie:GNOME` to `Budgie` and contains ABI bumps for libpeas2 migration.
+- `budgie-desktop` has been updated [10.9.4](https://github.com/BuddiesOfBudgie/budgie-desktop/releases/tag/v10.9.4). This changes `XDG_CURRENT_DESKTOP` from `Budgie:GNOME` to `Budgie` and contains ABI bumps for libpeas2 migration.

 - `buildGoModule` removes the compatibility layer of `CGO_ENABLED` not specified via `env`.
  Specifying `CGO_ENABLED` directly now results in an error.
@@ -53,7 +53,7 @@

 - `cardboard` has been removed due to the package having been broken since at least November 2024.

- `carla` no longer supports `gtk2` override.
+- `carla` no longer support `gtk2` override.

 - `chatgpt-retrieval-plugin` has been removed due to the package having been broken since at least November 2024.

@@ -135,7 +135,7 @@

 - `linux` and all other Linux kernel packages have moved all in-tree kernel modules into a new `modules` output.

- `lxde` scope has been removed, and its packages have been moved to the top-level.
+- `lxde` scope has been removed, and its packages have been moved the top-level.

 - `mariadb` now defaults to `mariadb_114` instead of `mariadb_1011`, meaning the default version was upgraded from 10.11.x to 11.4.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-4/) for potential issues.

@@ -183,7 +183,7 @@
 - `pcp` has been removed because the upstream repo was archived and it hasn't been updated since 2021.

 - `podofo` has been updated from `0.9.8` to `1.0.0`. These releases are by nature very incompatible due to major API changes. The legacy versions can be found under `podofo_0_10` and `podofo_0_9`.
-  Changelog: <https://github.com/podofo/podofo/blob/1.0.0/CHANGELOG.md>, API-Migration-Guide: <https://github.com/podofo/podofo/blob/1.0.0/API-MIGRATION.md>.
+  Changelog: https://github.com/podofo/podofo/blob/1.0.0/CHANGELOG.md, API-Migration-Guide: https://github.com/podofo/podofo/blob/1.0.0/API-MIGRATION.md.

 - `privatebin` has been updated to `2.0.0`. This release changes configuration defaults including switching the template and removing legacy features. See the [v2.0.0 changelog entry](https://github.com/PrivateBin/PrivateBin/releases/tag/2.0.0) for details on how to upgrade.

@@ -246,7 +246,7 @@

 - `sublime-music` has been removed because upstream has announced it is no longer maintained. Upstream suggests using `supersonic` instead.

- Support for bootstrapping native GHC compilers on 32‐bit ARM and little‐endian 64-bit PowerPC has been dropped.
+- Support for bootstrapping native GHC compilers on 32‐bit ARM and little‐endian 64‐bit PowerPC has been dropped.
  The latter was probably broken anyway.
  If there is interest in restoring support for these architectures, it should be possible to cross‐compile a bootstrap GHC binary.

@@ -359,7 +359,7 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

 - `ffmpeg_8`, `ffmpeg_8-headless`, and `ffmpeg_8-full` have been added. The default version of FFmpeg is now `ffmpeg_8`. You can install previous versions from package attributes such as `ffmpeg_7`.

- `forgejo-runner` has been upgraded to version 11, which brings a license change from MIT to GPLv3-or-later.
+- `forgejo-runner` upgrading to version 11 brings a license change from MIT to GPLv3-or-later.

 - GIMP now defaults to version 3. Use `gimp2` for the old version.

@@ -405,6 +405,8 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

 - `prl-tools` has been moved out of `linuxPackages` because Parallels Guest Tools become driverless since 26.1.0.

+- `searx` was updated to use `envsubst` instead of `sed` for parsing secrets from environment variables.
+
 - `sftpman` has been updated to version 2, a rewrite in Rust which is mostly backward compatible but does include some changes to the CLI.
  For more information, [check the project's README](https://github.com/spantaleev/sftpman-rs#is-sftpman-v2-compatible-with-sftpman-v1).

@@ -429,7 +431,7 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

 - The `dockerTools.streamLayeredImage` builder now uses a better algorithm for generating layered docker images, such that much more sharing is possible when the number of store paths exceeds the layer limit. It gives each of the largest store paths its own layer and adds dependencies to those layers when they aren't used elsewhere.

- The `open-webui` package's postgres support has been moved to optional dependencies to comply with upstream changes in 0.6.26.
+- The `open-webui` package's postgres support have been moved to optional dependencies to comply with upstream changes in 0.6.26.

 - The systemd initrd will now respect `x-systemd.wants` and `x-systemd.requires` for reliably unlocking multi-disk bcachefs volumes.

@@ -438,8 +440,6 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).
 - Packages using `versionCheckHook` that previously relied solely on `pname` to locate the program used to version check, but have a differing `meta.mainProgram` entry, might now fail.

 - `waydroid-nftables` is a new variant of `waydroid` that supports nftables instead of iptables.
-
- `searx` was updated to use `envsubst` instead of `sed` for parsing secrets from environment variables.
  If your previous configuration included a secret reference like `server.secret_key = "@SEARX_SECRET_KEY@"`, you must migrate to the new envsubst syntax: `server.secret_key = "$SEARX_SECRET_KEY"`.

 ## Nixpkgs Library {#sec-nixpkgs-release-25.11-lib}
@@ -470,7 +470,7 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

 - `lib.sources.pathType`, `lib.sources.pathIsDirectory` and `lib.sources.pathIsRegularFile` have been replaced by `lib.filesystem.pathType`, `lib.filesystem.pathIsDirectory` and `lib.filesystem.pathIsRegularFile` respectively.

- `lib.strings.isCoercibleToString` has been replaced in favor of either `lib.strings.isStringLike` or `lib.strings.isConvertibleWithToString`. Only use the latter if it needs to return true for null, numbers, booleans, or a list of those.
+- `lib.strings.isCoercibleToString` has been in favor of either `lib.strings.isStringLike` or `lib.strings.isConvertibleWithToString`. Only use the latter if it needs to return true for null, numbers, booleans, or a list of those.

 - `lib.types.string` has been removed. See [this pull request](https://github.com/NixOS/nixpkgs/pull/66346) for better alternative types like `lib.types.str`.

--- a/doc/release-notes/rl-2605.section.md
+++ b/doc/release-notes/rl-2605.section.md
@@ -89,7 +89,7 @@

 - `yarn2nix`/`yarn2nix-moretea` and its tooling(`mkYarnPackage`, `mkYarnModules`, and `fixup_yarn_lock`) have been removed as they were unmaintainable in nixpkgs. If you want to build with Yarn V1 going forward, use the hooks instead(`yarnBuildHook`, `yarnConfigHook`, and `yarnInstallHook`). See the yarn v1 documentation in the nixpkgs manual for more details.

- `albert` has been updated to version 34.0.5. This release redesigns the query system to support stateful asynchronous handlers and infinite scrolling, and adds internationalized tokenization.
+- `albert` has been updated to the version 34.0.5. This release redesigns the query system to support stateful asynchronous handlers and infinite scrolling, and adds internationalized tokenization.
  This update introduces several breaking changes: the Python plugin interface is now v5.0, the `PATH` plugin has been renamed to `Commandline`, and the QStylesheets-based widgets box model frontend has been removed.
  For more information read the [changelog for 34.0.0](https://albertlauncher.github.io/2026/01/19/albert-v34.0.0-released/).

@@ -105,7 +105,7 @@

 - `spoof` has been removed, as there are many issues upstream with it working on modern OS versions, and it appears to be unmaintained.

- `duckstation` package has been removed, as it was requested by upstream and build sources were changed to be incompatible with NixOS.
+- `duckstation` package has been removed, as it was requested by upstream and build source were changed to be incompatible with NixOS.

 - `nodePackages.coc-go` and `nodePackages.coc-tsserver`, along with their vim plugins, have been removed from nixpkgs due to being unmaintained.

@@ -115,7 +115,7 @@

 - `nodePackages.browserify` has been removed, as it was unmaintained within nixpkgs.

- `command-not-found` package will be enabled by default if the source of nixpkgs contains the file `programs.sqlite`. This is the case if a nixpkgs tarball from <https://channels.nixos.org> is used. This usage will also make the database of `command-not-found` stateless.
+- `command-not-found` package will be enabled by default if the source of nixpkgs contains the file `programs.sqlite`. This is the case if a nixpkgs tarball from https://channels.nixos.org is used. This usage will also make the database of `command-not-found` stateless.

 - `nodePackages.sass` has been removed, as it was unmaintained within nixpkgs.

@@ -128,7 +128,7 @@

 - Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.

- Keycloak has been updated to 26.6.X, bringing a lot of new features like federated client authentication, JWT authorization grants, workflows and the ability to do
+- Keycloak has been updated to 26.6.X, bringing a lot new features like federated client authentication, JWT authorization grants, workflows and the ability to do
  zero-downtime patch releases. Read more about [all the exciting new capabilities in keycloak 26.6 here](https://github.com/keycloak/keycloak/releases/tag/26.6.0)
  and [consult the migration guide to 26.6](https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-26-6-0) to find out whether this is a breaking
  change for your keycloak instance.
@@ -157,19 +157,21 @@
  This release contains breaking changes, see [Upgrading to Vinyl Cache 9.0](https://vinyl-cache.org/docs/9.0/whats-new/upgrading-9.0.html).
  The `varnish-modules` project is currently not packaged for Vinyl Cache, as it is incompatible.

- `eslint` has been updated from version 9 to version 10. Please see <https://eslint.org/blog/2026/02/eslint-v10.0.0-released/> for details about the breaking changes included in the update.
+- `eslint` has been updated from version 9 to version 10. Please see https://eslint.org/blog/2026/02/eslint-v10.0.0-released/ for details about the breaking changes included in the update.

- `minio` has been abandoned by upstream and security issues won't be fixed. `minio_legacy_fs` has also been removed. Both are scheduled for full removal in 26.11. Users should migrate to alternatives such as Garage, SeaweedFS, or Ceph. S3-compatible clients such as rclone can be used to move data.
+- `minio` has been abandoned by upstream and security issues won't be fixed. It is scheduled to be removed for 26.11. Users should migrate to alternatives such as Garage, SeaweedFS, or Ceph. S3-compatible clients such as rclone can be used to move data.

- `mercure` has been updated to `0.21.4` (or later). Version [0.21.0](https://github.com/dunglas/mercure/releases/v0.21.0) and [0.21.2](https://github.com/dunglas/mercure/releases/tag/v0.21.2) introduce breaking changes to the package.
+`minio_legacy_fs` has been removed. Users should migrate to alternatives such as Garage, SeaweedFS, or Ceph. S3-compatible clients such as rclone can be used to move data.

- `mozc` and `mozc-ut` no longer contain the IBus front-end, which is now provided by `ibus-engines.mozc` and `ibus-engines.mozc-ut`.
+- `mercure` has been update to `0.21.4` (or later). Version [0.21.0](https://github.com/dunglas/mercure/releases/v0.21.0) and [0.21.2](https://github.com/dunglas/mercure/releases/tag/v0.21.2) introduce breaking changes to the package.
+
+- `mozc` and `mozc-ut` no longer contains the IBus front-end, which are now provided by `ibus-engines.mozc` and `ibus-engines.mozc-ut`.

 - `nemorosa` has been updated from `0.4.3` to `0.5.0`. Version [0.5.0](https://github.com/KyokoMiki/nemorosa/releases/tag/0.5.0) introduced breaking changes to the package configuration.

- `n8n` has been updated to version 2. You can find the breaking changes here: <https://docs.n8n.io/2-0-breaking-changes/>.
+- `n8n` has been updated to version 2. You can find the breaking changes here: https://docs.n8n.io/2-0-breaking-changes/.

- `nomad` has been updated to v1.11. Refer to the [release note](https://developer.hashicorp.com/nomad/docs/release-notes/nomad/v1-11-x) for more details. Once a new Nomad version has started and upgraded its data directory, it generally cannot be downgraded to the previous version.
+- `nomad` has been updated to v1.11. Refer to the [release note](https://developer.hashicorp.com/nomad/docs/release-notes/nomad/v1-11-x) for more details. Once a new Nomad version has started and upgraded it's data directory, it generally cannot be downgraded to the previous version.

 - The default NVIDIA drivers no longer support Maxwell (GTX 1xxx) or older GPUs. Pin the nvidia package to ` config.boot.kernelPackages.nvidiaPackages.legacy_580` for continued support.

@@ -183,20 +185,18 @@
  Please use [`pytestFlags` and `(enabled|disabled)(TestPaths|Tests|TestMarks)`](#using-pytestcheckhook) instead.
  If modifying the Nix expression is not feasible, users can remediate the error by overriding `pytestFlagsArray` with `null` or `[ ]`.

- `python3Packages.pygame` has been renamed to `python3Packages.pygame-original`, the attribute `python3Packages.pygame` will from python 3.14 default to the more actively maintained `python3Packages.pygame-ce`.
+- `python3Packages.pygame` has been been renamed to `python3Packages.pygame-original`, the attribute `python3Packages.pygame` will from python 3.14 default to the more actively maintained `python3Packages.pygame-ce`

- `fastly` has been updated to major version 14. For more information, you can check the [release notes](https://github.com/fastly/cli/releases/tag/v14.0.0).
+- `fastly` has been updated to major version 14. For more information, you can check the [release notes](https://github.com/fastly/cli/releases/tag/v14.0.0)

 - `peertube` has been updated from `7.3.0` to `8.0.2`, introducing several breaking changes.
  Some notable new features include channel collaboration and video player redesign with a new theme.
  For details on how to upgrade, see the `IMPORTANT NOTES` section of the [v8.0.0 CHANGELOG entry](https://docs.joinpeertube.org/CHANGELOG#v8-0-0).

- `python3Packages.gradio` has been updated to version 6. See upstream's migration guide at <https://www.gradio.app/main/guides/gradio-6-migration-guide>.
+- `python3Packages.gradio` has been updated to version 6. See upstream's migration guide at https://www.gradio.app/main/guides/gradio-6-migration-guide.

 - `python3Packages.pikepdf` no longer builds with mupdf support by default, which may be nice in Jupyter and iPython. Build with `withMupdf = true` if this is required.

- `olive-editor` has been dropped as upstream development ceased and no longer builds.
-
 - `python3Packages.django-mdeditor` has been removed, as it was unmaintained upstream and the latest release was vulnerable to a [critical security vulnerability](https://github.com/NixOS/nixpkgs/issues/515462).

 - `vicinae` has been updated to v0.20. This includes, among several other breaking changes, a complete overhaul of the configuration system. For update instructions, see the [upstream configuration documentation](https://docs.vicinae.com/config#migration-from-v0-16-x-to-v0-17-x).
@@ -272,7 +272,7 @@
    IMAP_CERTIFICATE_VALIDATION=false
    ```

- `python3Packages.pillow-avif-plugin` has been removed as the functionality is included in `python3Packages.pillow` directly since version 11.3.
+- `python3packages.pillow-avif-plugin` has been removed as the functionality is included in `python3packages.pillow` directly since version 11.3.

 - `wasistlos` (previously known as `whatsapp-for-linux`) has been removed because it was unmaintained and archived upstream.
  Multiple alternatives exist: `karere`, `whatsie` and `zapzap` among others.
@@ -284,7 +284,7 @@

 - `shisho` has been removed because it's archived. `semgrep`, `opengrep`, and `ast-grep` provide similar functionality.

- `services.openssh.settings.AcceptEnv` is now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.
+- `services.openssh.settings.AcceptEnv` now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.

 - All Xfce packages have been moved to top level (e.g. if you previously added `pkgs.xfce.xfce4-whiskermenu-plugin` to `environment.systemPackages`, you will need to change it to `pkgs.xfce4-whiskermenu-plugin`). The `xfce` scope will be removed in NixOS 26.11.

@@ -296,7 +296,7 @@

 - `vimPlugins.nvim-treesitter` has been updated to `main` branch, which is a full and incompatible rewrite. If you can't or don't want to update, you should use `vimPlugins.nvim-treesitter-legacy`.

- `services.taskchampion-sync-server` module has had an option `services.taskchampion-sync-server.dynamicUser` added to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.
+- `services.taskchampion-sync-server` module have been added an option `services.taskchampion-sync-server.dynamicUser` to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.

 - Package `jellyseerr` has been renamed to `seerr` following the upstream rename.

@@ -326,7 +326,7 @@

 - The packages `ibtool`, `actool` and `re-plistbuddy` have been added, providing reimplementations of the corresponding proprietary Apple tools. They are more compatible with the originals than the previously existing `xcbuild` package, and should enable more darwin software to be built from source.

- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows avoiding switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.
+- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows to avoid switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.

 - GNU Taler has been updated to version 1.3.
  This release focuses on getting everything ready for a deployment of GNU Taler by Magnet bank.
@@ -349,7 +349,7 @@

 - Added `dell-bios-fan-control` package and service.

- Added `lovr` package, a Lua-based game engine for VR and XR applications.
+- Added `lovr` package, a LUA-based game engine for VR and XR applications.

 - Updated `wsjtx` from 2.7.0 to 3.0.0 for amateur radio hobbyists who use FT8 and other related digital modes.
  See the [release notes](https://wsjt.sourceforge.io/Release_Notes.txt) for the changelog.
@@ -359,15 +359,13 @@

 - `wrapNeovimUnstable` now sets provider-related configuration in its generated config rather than as wrapper arguments. It should not affect configuration unless you set `wrapRc` to false or are using the `legacyWrapper`.

- Neovim Lua dependencies are now set in the generated init.lua instead of
+- neovim lua dependencies are now set in the generated init.lua instead of
  modifying LUA_PATH in the wrapper. Commands run pre-vimrc via `nvim --cmd
  "require'LUA_MODULE'"` may
  not find their lua dependencies anymore. Use `nvim -c "lua require'LUA_MODULE'"` instead to run these commands after loading `init.lua`. If you use `wrapNeovim` with `wrapRc` set to `false`, you may lose the lua dependencies if you are not loading the generated `init.lua`.

 - We now use the upstream wrapper script for Gradle, supporting both the `JAVA_HOME` and `GRADLE_OPTS` environment variables.

- Updated `gonic` to 0.21.0. A full ("slow") scan is recommended after upgrading to v0.21.0 to pick up the newly scanned fields (contributors, ISRCs, record labels, per-track years, ARTIST_CREDIT).
-
 - the `autossh-ng` NixOS module was introduced as a simpler alternative to the existing `autossh` module.

 - Added `haskell.packages.microhs`, a set of Haskell packages built with MicroHs.
@@ -402,7 +400,7 @@ gnuradioMinimal.override {

 - `nodejs` is now a simple wrapper for `nodejs-slim`+`nodejs-slim.npm`+`nodejs-slim.corepack`, meaning it is no longer possible to reference or override its attributes or outputs (e.g. `nodejs.libv8` must be replaced with `nodejs-slim.libv8`, `nodejs.nativeBuildInputs` with `nodejs-slim.nativeBuildInputs`, etc.).

- `navidrome` has removed the built-in Spotify integration. See [v0.61.0](https://github.com/navidrome/navidrome/releases/tag/v0.61.0) for details on optional replacements.
+- `navidrome` has removed the built-in Spotify integration https://github.com/navidrome/navidrome/releases/tag/v0.61.0 has details on optional replacements

 - `mold` is now wrapped by default.

@@ -422,4 +420,4 @@ gnuradioMinimal.override {

 - The builder `php.buildComposerProject2` for PHP applications has been improved for better reliability and stability.

- The `services.drupal` module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config yamls onto NixOS, and some new settings for managing variable content and filepaths.
+- The `services.drupal` module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config yamls onto NixOS, and a some new settings for managing variable content and filepaths.
--- a/doc/release-notes/rl-2611.section.md
+++ b/doc/release-notes/rl-2611.section.md
@@ -1,4 +1,4 @@
-# Nixpkgs 26.11 ("Zokor", 2026.11/??) {#sec-nixpkgs-release-26.11}
+# Nixpkgs 26.11 (2026.11/??) {#sec-nixpkgs-release-26.11}

 ## Highlights {#sec-nixpkgs-release-26.11-highlights}

@@ -10,20 +10,13 @@

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- `hurl` has been updated to `8.x.x` which has some breaking changes. See [upstream changelog](https://github.com/Orange-OpenSource/hurl/releases/tag/8.0.0) for details.
- `python3Packages.django-health-check` has been updated to major version 4. See its [migration guide](https://codingjoe.dev/django-health-check/migrate-to-v4/) and [changelog](https://github.com/codingjoe/django-health-check/releases/tag/4.0.0) for breaking changes.
-
- `requireFile` now sets `meta.license = lib.licenses.unfree` by default. Users of `requireFile`-based derivations that preserve this default will need to explicitly allow their evaluation as described in [](#sec-allow-unfree).
+- Create the first release note entry in this section!

 ## Other Notable Changes {#sec-nixpkgs-release-26.11-notable-changes}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- Package-URL (PURL, https://github.com/package-url/purl-spec) metadata identifier has been added for `fetchgit`, `fetchpypi` and `fetchFromGithub` fetchers.
-  `mkDerivation` has been adjusted to reuse this information.
-  Package-URLs allow reliably identifying and locating software packages.
-  Maintainers of derivations using the adapted fetchers should rely on the `drv.src.meta.identifiers.v1.purl` default identifier and can enhance their `drv.meta.identifiers.v1.purls` list once they would like to have additional identifiers.
-  Maintainers using `fetchurl` for `drv.src` are urged to adapt their `drv.meta.identifiers.purlParts` for proper identification.
+- Create the first release note entry in this section!

 ## Nixpkgs Library {#sec-nixpkgs-release-26.11-lib}

--- a/doc/stdenv/meta.chapter.md
+++ b/doc/stdenv/meta.chapter.md
@@ -61,12 +61,6 @@ Release branch. Used to specify that a package is not going to receive updates t

 The package’s homepage. Example: `https://www.gnu.org/software/hello/manual/`

-### `donationPage` {#var-meta-donationPage}
-
-The package or project's donation page, if it exists. Example: `https://neovim.io/sponsors/`
-
-Authoritative project URLs are preferred.
-
 ### `downloadPage` {#var-meta-downloadPage}

 The page where a link to the current version can be found. Example: `https://ftp.gnu.org/gnu/hello/`
@@ -157,8 +151,6 @@ The list of Nix platform types for which the [Hydra](https://github.com/nixos/hy
 }
 ```

-Note that this does not affect whether reverse dependencies of the package are built on Hydra.
-
 ### `broken` {#var-meta-broken}

 If set to `true`, the package is marked as "broken", meaning that it won’t show up in [search.nixos.org](https://search.nixos.org/packages), and cannot be built or installed unless [explicitly allowed](#sec-allow-broken).
@@ -342,30 +334,3 @@ A readonly attribute that concatenates all CPE parts in one string.
 #### `meta.identifiers.possibleCPEs` {#var-meta-identifiers-possibleCPEs}

 A readonly attribute containing the list of guesses for what CPE for this package can look like. It includes all variants of version handling mentioned above. Each item is an attrset with attributes `cpeParts` and `cpe` for each guess.
-
-### Package URL {#sec-meta-identifiers-purl}
-
-[Package-URL](https://github.com/package-url/purl-spec) (PURL) is a specification to reliably identify and locate software packages.
-Through identification of software packages, additional (non-major) use cases are e.g. software license cross-verification via third party databases or initial vulnerability response management.
-Package-URLs shall default to the `mkDerivation.src`, as the original consumed software package is the single source of truth.
-
-#### `meta.identifiers.purlParts` {#var-meta-identifiers-purlParts}
-
-This attribute contains an attribute set of all parts of the PURL for this package.
-
-* `type` mandatory [type](https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/docs/standard/summary.md) which needs to be provided
-* `spec` specify the PURL in accordance with the [purl-spec](https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/purl-specification.md)
-
-#### `meta.identifiers.purl` {#var-meta-identifiers-purl}
-
-An extendable attribute which is built based on `purlParts`.
-This is the main identifier of the software package.
-For handling edge cases, consider using the list interface [`meta.identifiers.purls`](#var-meta-identifiers-purls).
-
-#### `meta.identifiers.purls` {#var-meta-identifiers-purls}
-
-An extendable list attribute which defaults to a single element equal to [`meta.identifiers.purl`](#var-meta-identifiers-purl).
-It provides an interface for additional identifiers of `mkDerivation.src` or for identifiers of vendored dependencies inside `mkDerivation.src`, which maintainers may carefully consider to specify as well.
-
-Additional identifiers are generally not recommended, as they might cause maintenance overhead or diverge.
-For example, a source distribution `pkg:github` may be hard to keep correctly aligned with the corresponding binary distribution `pkg:pypi`.
--- a/lib/.version
+++ b/lib/.version
@@ -1 +1 @@
-26.11
+26.05
--- a/lib/customisation.nix
+++ b/lib/customisation.nix
@@ -400,25 +400,7 @@ rec {
    condition: passthru: drv:
    let
      commonAttrs =
-        drv
-        // listToAttrs (
-          outputsList
-          ++ [
-            {
-              name = "all";
-              value = map (x: x.value) outputsList;
-            }
-          ]
-        )
-        // passthru
-        // {
-          drvPath =
-            assert condition;
-            drv.drvPath;
-          outPath =
-            assert condition;
-            drv.outPath;
-        };
+        drv // (listToAttrs outputsList) // { all = map (x: x.value) outputsList; } // passthru;

      outputsList = map (outputName: {
        name = outputName;
@@ -440,7 +422,15 @@ rec {
        };
      }) (drv.outputs or [ "out" ]);
    in
-    commonAttrs;
+    commonAttrs
+    // {
+      drvPath =
+        assert condition;
+        drv.drvPath;
+      outPath =
+        assert condition;
+        drv.outPath;
+    };

  /**
    Strip a derivation of all non-essential attributes, returning
--- a/lib/generators.nix
+++ b/lib/generators.nix
@@ -23,12 +23,9 @@
 let
  inherit (lib)
    addErrorContext
-    any
    assertMsg
    attrNames
-    attrValues
    concatLists
-    concatMap
    concatMapStringsSep
    concatStrings
    concatStringsSep
@@ -55,7 +52,6 @@ let
    isString
    last
    length
-    genAttrs
    mapAttrs
    mapAttrsToList
    optionals
@@ -383,69 +379,55 @@ rec {
      See the [git-config documentation](https://git-scm.com/docs/git-config#_variables) for possible values.
  */
  toGitINI =
+    attrs:
    let
      mkSectionName =
-        let
-          containsQuote = hasInfix ''"'';
-        in
        name:
        let
+          containsQuote = hasInfix ''"'' name;
          sections = splitString "." name;
+          section = head sections;
+          subsections = tail sections;
+          subsection = concatStringsSep "." subsections;
        in
-        if containsQuote name || length sections == 1 then
-          name
-        else
-          ''${head sections} "${concatStringsSep "." (tail sections)}"'';
+        if containsQuote || subsections == [ ] then name else ''${section} "${subsection}"'';

      mkValueString =
+        v:
        let
-          escape = replaceStrings [ "\n" "	" ''"'' "\\" ] [ "\\n" "\\t" ''\"'' "\\\\" ];
+          escapedV = ''"${replaceStrings [ "\n" "	" ''"'' "\\" ] [ "\\n" "\\t" ''\"'' "\\\\" ] v}"'';
        in
-        v: mkValueStringDefault { } (if isString v then ''"${escape v}"'' else v);
+        mkValueStringDefault { } (if isString v then escapedV else v);

      # generation for multiple ini values
      mkKeyValue =
+        k: v:
        let
-          mkKeyValue = mkKeyValueDefault { inherit mkValueString; } " = ";
-          attrToString = k: v: "\t" + mkKeyValue k v;
+          mkKeyValue = mkKeyValueDefault { inherit mkValueString; } " = " k;
        in
-        k: v: if isList v then concatStringsSep "\n" (map (attrToString k) v) else attrToString k v;
+        concatStringsSep "\n" (map (kv: "\t" + mkKeyValue kv) (toList v));

      # converts { a.b.c = 5; } to { "a.b".c = 5; } for toINI
      gitFlattenAttrs =
        let
-          isNonDrvAttrs = value: isAttrs value && !isDerivation value;
          recurse =
            path: value:
-            if isNonDrvAttrs value then
-              concatMap (name: recurse ([ name ] ++ path) value.${name}) (attrNames value)
+            if isAttrs value && !isDerivation value then
+              mapAttrsToList (name: value: recurse ([ name ] ++ path) value) value
            else if length path > 1 then
-              [
-                {
-                  ${concatStringsSep "." (reverseList (tail path))}.${head path} = value;
-                }
-              ]
+              {
+                ${concatStringsSep "." (reverseList (tail path))}.${head path} = value;
+              }
            else
-              [
-                {
-                  ${head path} = value;
-                }
-              ];
+              {
+                ${head path} = value;
+              };
        in
-        attrs:
-        let
-          # Filter the names for any that contain nested attrsets. attrs that
-          # don't contain nested attrsets can stay the same =
-          namesToRewrite = filter (
-            name: isAttrs attrs.${name} && any isNonDrvAttrs (attrValues attrs.${name})
-          ) (attrNames attrs);
-          attrsToRewrite = genAttrs namesToRewrite (name: attrs.${name});
-        in
-        removeAttrs attrs namesToRewrite // foldl recursiveUpdate { } (recurse [ ] attrsToRewrite);
+        attrs: foldl recursiveUpdate { } (flatten (recurse [ ] attrs));

      toINI_ = toINI { inherit mkKeyValue mkSectionName; };
    in
-    attrs: toINI_ (gitFlattenAttrs attrs);
+    toINI_ (gitFlattenAttrs attrs);

  /**
    `mkKeyValueDefault` wrapper that handles dconf INI quirks.
--- a/lib/licenses/licenses.nix
+++ b/lib/licenses/licenses.nix
@@ -575,13 +575,6 @@ lib.mapAttrs mkLicense (
      free = false;
    };

-    enpl = {
-      fullName = "Emmi AI Non-Production License";
-      url = "https://github.com/Emmi-AI/noether/blob/main/LICENSE.txt";
-      free = false;
-      redistributable = true;
-    };
-
    epl10 = {
      spdxId = "EPL-1.0";
      fullName = "Eclipse Public License 1.0";
@@ -1157,12 +1150,6 @@ lib.mapAttrs mkLicense (
      redistributable = true; # Only if used in Netdata products.
    };

-    netboxLimitedUse = {
-      fullName = "NetBox Limited Use License 1.0";
-      free = false;
-      url = "https://github.com/netboxlabs/netbox-branching/blob/8465b9aee69ded23930cfe1a522695bfb8955a5a/LICENSE.md";
-    };
-
    ngpl = {
      spdxId = "NGPL";
      fullName = "Nethack General Public License";
--- a/lib/modules.nix
+++ b/lib/modules.nix
@@ -1158,10 +1158,8 @@ let
      value = if opt ? apply then opt.apply res.mergedValue else res.mergedValue;

      warnDeprecation =
-        if (opt.type.deprecationMessage != null) then
-          warn "The type `types.${opt.type.name}' of option `${showOption loc}' defined in ${showFiles opt.declarations} is deprecated. ${opt.type.deprecationMessage}"
-        else
-          x: x;
+        warnIf (opt.type.deprecationMessage != null)
+          "The type `types.${opt.type.name}' of option `${showOption loc}' defined in ${showFiles opt.declarations} is deprecated. ${opt.type.deprecationMessage}";

    in
    warnDeprecation opt
@@ -1600,28 +1598,6 @@ let
    inherit priority content;
  };

-  /**
-    Applies a function to the value inside a definition,
-    preserving all surrounding properties (`mkForce`, `mkOrder`, `mkIf`, etc.).
-  */
-  mapDefinitionValue =
-    f: def:
-    if def ? _type then
-      if def._type == "merge" then
-        def // { contents = map (mapDefinitionValue f) def.contents; }
-      else if def._type == "if" then
-        def // { content = mapDefinitionValue f def.content; }
-      else if def._type == "override" then
-        def // { content = mapDefinitionValue f def.content; }
-      else if def._type == "order" then
-        def // { content = mapDefinitionValue f def.content; }
-      else if def._type == "definition" then
-        def // { value = mapDefinitionValue f def.value; }
-      else
-        f def
-    else
-      f def;
-
  mkBefore = mkOrder 500;
  defaultOrderPriority = 1000;
  mkAfter = mkOrder 1500;
@@ -2326,7 +2302,6 @@ private
    importApply
    importJSON
    importTOML
-    mapDefinitionValue
    mergeDefinitions
    mergeAttrDefinitionsWithPrio
    mergeOptionDecls # should be private?
--- a/lib/sources.nix
+++ b/lib/sources.nix
@@ -7,19 +7,12 @@ let
    match
    split
    storeDir
-    escapeRegex
-    removePrefix
    ;
  inherit (lib)
    boolToString
    filter
    isString
    readFile
-    concatStrings
-    length
-    elemAt
-    isList
-    any
    ;
  inherit (lib.filesystem)
    pathIsRegularFile
@@ -520,113 +513,6 @@ let
    else
      throw "repoRevToName: invalid kind";

-  /**
-    Filter a source tree by a list of doublestar-style glob patterns,
-    returning a source that only contains paths matching at least one
-    pattern. `*` matches a single path component, and `**` matches any
-    number of components.
-
-    # Inputs
-
-    `src`
-
-    : The source tree to filter.
-
-    `patterns`
-
-    : List of glob patterns to include, e.g. `[ "*.py" "src/**" ]`.
-      A leading `**` (e.g. `**\/*.py` for all `.py` files at any depth)
-      is also supported; the `\` here is just a Nix string escape used
-      to avoid closing this comment.
-
-    # Examples
-    :::{.example}
-    ## `sourceByGlobs` usage example
-
-    - Include everything under a subdirectory
-    ```nix
-    src = sourceByGlobs ./. [ "src/**" "tests/**" ]
-    ```
-
-    - Include all .py files in root directory only
-    ```nix
-    src = sourceByGlobs ./. [ "*.py" ]
-    ```
-
-    :::
-  */
-  sourceByGlobs =
-    let
-      splitPath = path: filter isString (split "/" path);
-      # Make component regex
-      mkRe =
-        s:
-        if s == "**" then
-          ".*" # Has special handling below
-        else
-          concatStrings (map (tok: if isList tok then "[^/]*" else escapeRegex tok) (split "\\*+" s));
-
-      # Make a source filter function from pattern
-      mkMatcher =
-        pat:
-        let
-          globs = map mkRe (splitPath pat);
-          glen = length globs;
-        in
-        path: type:
-        let
-          path' = splitPath path;
-          plen = length path';
-
-          recurse =
-            gi: pi:
-            let
-              g = elemAt globs gi;
-              p = elemAt path' pi;
-              m = match g p != null;
-            in
-            if pi >= plen then # Reached end of path
-              gi >= glen || (type == "directory" || type == "symlink") # Only allow partial matches for directories
-            else if gi >= glen then # Reached end of globs
-              false
-            else if g == ".*" then # Special handling for **
-              (
-                # Lookahead for next glob match
-                if (gi + 1) == glen then
-                  true
-                else if (match (elemAt globs (gi + 1)) p != null) then
-                  recurse (gi + 1) pi
-                else if m then
-                  recurse gi (pi + 1)
-                else
-                  false
-              )
-            else if m then
-              recurse (gi + 1) (pi + 1)
-            else
-              false;
-
-        in
-        recurse 0 0;
-
-      mkSourceFilter =
-        root: patterns:
-        let
-          root' = "${toString root}/";
-          matchers = map mkMatcher patterns;
-        in
-        name: type:
-        let
-          name' = removePrefix root' name;
-        in
-        any (m: m name' type) matchers;
-
-    in
-    src: patterns:
-    lib.cleanSourceWith {
-      filter = mkSourceFilter src patterns;
-      inherit src;
-    };
 in
 {
  inherit
@@ -646,7 +532,6 @@ in

    sourceByRegex
    sourceFilesBySuffices
-    sourceByGlobs

    trace
    ;
--- a/lib/tests/misc.nix
+++ b/lib/tests/misc.nix
@@ -5114,96 +5114,4 @@ runTests {
    );
    expected = false;
  };
-
-  # mapDefinitionValue
-
-  testMapDefinitionValuePlain = {
-    expr = lib.modules.mapDefinitionValue (x: x + 1) 5;
-    expected = 6;
-  };
-
-  testMapDefinitionValueMkForce = {
-    expr = lib.modules.mapDefinitionValue (x: x + 1) (lib.mkForce 5);
-    expected = lib.mkForce 6;
-  };
-
-  testMapDefinitionValueMkDefault = {
-    expr = lib.modules.mapDefinitionValue (x: x + 1) (lib.mkDefault 5);
-    expected = lib.mkDefault 6;
-  };
-
-  testMapDefinitionValueMkOrder = {
-    expr = lib.modules.mapDefinitionValue (x: x + 1) (lib.mkOrder 500 5);
-    expected = lib.mkOrder 500 6;
-  };
-
-  testMapDefinitionValueMkOverrideNested = {
-    expr = lib.modules.mapDefinitionValue (x: x + 1) (lib.mkForce (lib.mkOrder 500 5));
-    expected = lib.mkForce (lib.mkOrder 500 6);
-  };
-
-  testMapDefinitionValueMkIf = {
-    expr = lib.modules.mapDefinitionValue (x: x + 1) (lib.mkIf true 5);
-    expected = lib.mkIf true 6;
-  };
-
-  testMapDefinitionValueMkMerge = {
-    expr = lib.modules.mapDefinitionValue (x: x + 1) (
-      lib.mkMerge [
-        5
-        10
-      ]
-    );
-    expected = lib.mkMerge [
-      6
-      11
-    ];
-  };
-
-  testMapDefinitionValueMkDefinition = {
-    expr = lib.modules.mapDefinitionValue (x: x + 1) (
-      lib.mkDefinition {
-        file = "test";
-        value = 5;
-      }
-    );
-    expected = lib.mkDefinition {
-      file = "test";
-      value = 6;
-    };
-  };
-
-  testMapDefinitionValueDeep = {
-    expr = lib.modules.mapDefinitionValue (x: x + 1) (lib.mkIf true (lib.mkForce (lib.mkOrder 500 5)));
-    expected = lib.mkIf true (lib.mkForce (lib.mkOrder 500 6));
-  };
-
-  testMapDefinitionValueAllNested = {
-    expr = lib.modules.mapDefinitionValue (x: x + 1) (
-      lib.mkMerge [
-        (lib.mkIf true (
-          lib.mkForce (
-            lib.mkOrder 500 (
-              lib.mkDefinition {
-                file = "test";
-                value = lib.mkBefore 5;
-              }
-            )
-          )
-        ))
-      ]
-    );
-    expected = lib.mkMerge [
-      (lib.mkIf true (
-        lib.mkForce (
-          lib.mkOrder 500 (
-            lib.mkDefinition {
-              file = "test";
-              value = lib.mkBefore 6;
-            }
-          )
-        )
-      ))
-    ];
-  };
 }
--- a/lib/tests/modules.sh
+++ b/lib/tests/modules.sh
@@ -899,19 +899,6 @@ checkConfigError 'Did you mean .enable., .ebe. or .enabled.\?' config ./error-ty
 checkConfigError 'Did you mean .services\.myservice\.port. or .services\.myservice\.enable.\?' config.services.myservice ./error-typo-submodule.nix
 checkConfigError 'Did you mean .services\.nginx\.virtualHosts\."example\.com"\.ssl\.certificate. or .services\.nginx\.virtualHosts\."example\.com"\.ssl\.certificateKey.\?' config.services.nginx.virtualHosts.\"example.com\" ./error-typo-deeply-nested.nix

-# types.attrListOf
-checkConfigOutput '"ok"' config.assertions ./declare-attrList.nix
-checkConfigError 'A definition for option .attrListInt.badValue.a. is not of type .signed integer.. Definition values:' config.attrListIntStrict.badValue ./declare-attrList.nix
-checkConfigError 'A definition for option .attrList.badListElem. is not of type .attribute list of string.. Each list element must be a single-key attribute set, but got 2 keys' config.attrListStrict.badListElem ./declare-attrList.nix
-checkConfigError 'A definition for option .attrList.badString. is not of type .attribute list of string.. TypeError: Definition values:' config.attrListStrict.badString ./declare-attrList.nix
-checkConfigError 'A definition for option .attrList.badListString. is not of type .attribute list of string.. Each list element must be an attribute set, but got string' config.attrListStrict.badListString ./declare-attrList.nix
-
-# attrListWith valueMeta.definitions: file propagation
-checkConfigError 'the-defs-file\.nix' config.argv ./attrList-valueMeta-definitions-file-diagnostic-forwarding.nix
-
-# attrListOf does not support type merging
-checkConfigError 'The option .merged. in .*/declare-attrList-type-merge.nix. is already declared in .*/declare-attrList-type-merge.nix' config.merged ./declare-attrList-type-merge.nix
-
 cat <<EOF
 ====== module tests ======
 $pass Pass
--- a/lib/tests/modules/attrList-valueMeta-definitions-file-diagnostic-forwarding.nix
+++ b/lib/tests/modules/attrList-valueMeta-definitions-file-diagnostic-forwarding.nix
@@ -1,25 +0,0 @@
-{ lib, options, ... }:
-let
-  inherit (lib) mkOption mkMerge types;
-in
-{
-  imports = [
-    {
-      _file = "the-defs-file.nix";
-      config.flags.my-flag = 3.14;
-    }
-  ];
-
-  options.flags = mkOption {
-    type = types.attrListWith {
-      elemType = types.anything;
-      asAttrs = true;
-      mergeAttrValues = _name: vs: lib.head vs;
-    };
-  };
-  options.argv = mkOption { type = types.listOf types.str; };
-
-  # Feed definitions into argv; the float from the-defs-file.nix should cause
-  # a type error mentioning that file
-  config.argv = mkMerge options.flags.valueMeta.definitions;
-}
--- a/lib/tests/modules/declare-attrList-type-merge.nix
+++ b/lib/tests/modules/declare-attrList-type-merge.nix
@@ -1,12 +0,0 @@
-# Test that attrListOf does not support type merging:
-# two declarations of the same option should fail.
-{ lib, ... }:
-let
-  inherit (lib) mkOption types;
-in
-{
-  imports = [
-    { options.merged = mkOption { type = types.attrListOf types.str; }; }
-    { options.merged = mkOption { type = types.attrListOf types.str; }; }
-  ];
-}
--- a/lib/tests/modules/declare-attrList.nix
+++ b/lib/tests/modules/declare-attrList.nix
@@ -1,925 +0,0 @@
-# Run with:
-#   cd nixpkgs
-#   ./lib/tests/modules.sh
-{ lib, config, ... }:
-let
-  inherit (lib)
-    mkOption
-    mkOrder
-    mkMerge
-    mkBefore
-    mkAfter
-    mkIf
-    mkOverride
-    mkDefault
-    mkForce
-    types
-    ;
-in
-{
-  options = {
-    attrList = mkOption {
-      type = types.lazyAttrsOf (types.attrListOf types.str);
-    };
-
-    attrListInt = mkOption {
-      type = types.lazyAttrsOf (types.attrListOf types.int);
-    };
-
-    attrListSubmodule = mkOption {
-      type = types.attrListOf (
-        types.submodule {
-          options.port = mkOption {
-            type = types.int;
-            description = "Port number";
-          };
-          options.host = mkOption {
-            type = types.str;
-            default = "localhost";
-            description = "Hostname";
-          };
-        }
-      );
-    };
-
-    # asAttrs: value is a merged attrset, ordered list in valueMeta
-    asAttrs = mkOption {
-      type = types.lazyAttrsOf (
-        types.attrListWith {
-          elemType = types.str;
-          asAttrs = true;
-          mergeAttrValues = _name: values: lib.last values;
-        }
-      );
-    };
-
-    # asAttrs with default mergeAttrValues: duplicates collected into lists
-    asAttrsDefault = mkOption {
-      type = types.lazyAttrsOf (
-        types.attrListWith {
-          elemType = types.int;
-          asAttrs = true;
-        }
-      );
-    };
-
-    # Strict wrappers that force deep evaluation, for testing error cases
-    attrListStrict = mkOption {
-      type = types.lazyAttrsOf types.raw;
-    };
-
-    attrListIntStrict = mkOption {
-      type = types.lazyAttrsOf types.raw;
-    };
-
-    # either picks attrList when input is list/attrset, int when input is int
-    eitherAttrListOrInt = mkOption {
-      type = types.either (types.attrListOf types.str) types.int;
-    };
-
-    eitherAttrListOrIntFallback = mkOption {
-      type = types.either (types.attrListOf types.str) types.int;
-    };
-
-    eitherIntOrAttrList = mkOption {
-      type = types.either types.int (types.attrListOf types.str);
-    };
-
-    eitherIntOrAttrListFallback = mkOption {
-      type = types.either types.int (types.attrListOf types.str);
-    };
-
-    assertions = mkOption { };
-  };
-
-  imports = [
-    # Second module contributing to multiModule
-    {
-      attrListInt.multiModule = [
-        { b = 2; }
-      ];
-    }
-  ];
-
-  config = {
-
-    # List input: pass-through
-    attrList.listInput = [
-      { a = "alpha"; }
-      { b = "beta"; }
-    ];
-
-    # Attrset input with explicit ordering
-    attrList.attrsetOrdered = {
-      x = mkOrder 200 "x-val";
-      y = mkOrder 100 "y-val";
-    };
-
-    # Mixed: list elements at default priority, attrset with mkOrder
-    attrList.mixed = mkMerge [
-      [
-        { m = "from-list"; }
-      ]
-      {
-        n = mkOrder 50 "from-attrset";
-      }
-    ];
-
-    # Multiple list definitions from separate modules
-    attrListInt.multiModule = [
-      { a = 1; }
-    ];
-
-    # Attrset without mkOrder uses default priority
-    attrList.attrsetNoOrder = {
-      foo = "bar";
-      baz = "qux";
-    };
-
-    # Empty list
-    attrList.empty = [ ];
-
-    # Ordering test: lower priority first
-    attrList.ordering = mkMerge [
-      {
-        last = mkOrder 1500 "last";
-      }
-      {
-        first = mkOrder 500 "first";
-      }
-      [
-        { middle = "middle"; }
-      ]
-    ];
-
-    # List elements support mkOrder/mkBefore/mkAfter
-    attrList.listOrdering = [
-      (mkAfter { z = "after"; })
-      { m = "default"; }
-      (mkBefore { a = "before"; })
-    ];
-
-    # Plain list entries land at default priority (1000):
-    # they appear after mkOrder 999 and before mkOrder 1001.
-    attrList.listDefaultPrio = mkMerge [
-      { after = mkOrder 1001 "after"; }
-      [
-        { mid = "list-entry"; }
-      ]
-      { before = mkOrder 999 "before"; }
-    ];
-
-    # mkBefore and mkAfter
-    attrList.beforeAfter = mkMerge [
-      {
-        z = mkAfter "after";
-      }
-      {
-        a = mkBefore "before";
-      }
-      [
-        { m = "default"; }
-      ]
-    ];
-
-    # mkIf: conditional definition
-    attrList.withMkIf = mkMerge [
-      (mkIf true [
-        { yes = "included"; }
-      ])
-      (mkIf false [
-        { no = "excluded"; }
-      ])
-    ];
-
-    # mkOverride: higher priority override wins
-    attrList.withOverride = mkMerge [
-      (mkOverride 100 [
-        { replaced = "gone"; }
-      ])
-      (mkOverride 50 [
-        { winner = "wins"; }
-      ])
-    ];
-
-    # mkDefault: lower priority than normal
-    attrList.withDefault = mkMerge [
-      (mkDefault [
-        { default = "overridden"; }
-      ])
-      [
-        { normal = "wins"; }
-      ]
-    ];
-
-    # mkForce on the whole option (should discard other defs)
-    attrList.withForce = mkMerge [
-      [
-        { discarded = "gone"; }
-      ]
-      (mkForce [
-        { forced = "wins"; }
-      ])
-    ];
-
-    # mkForce with mkOrder inside
-    attrList.forceWithOrder = mkForce [
-      (mkAfter { second = "after"; })
-      (mkBefore { first = "before"; })
-    ];
-
-    # mkForce on individual element values; non-forced entries are discarded.
-    # Discarded values use a mix of: plain value, mkDefault(abort ...), mkOverride 100 (abort ...).
-    # The abort variants verify laziness: peelProperties sees the wrapper without forcing the content.
-    attrListInt.forceElementValue = [
-      { a = mkDefault (abort "overridden by mkForce; laziness guarantee: MUST NOT be evaluated"); }
-      { a = mkForce 42; }
-      { a = mkOverride 100 (abort "overridden by mkForce; laziness guarantee: MUST NOT be evaluated"); }
-      { b = 2; }
-    ];
-
-    # mkForce on attrset format
-    attrList.forceAttrset = mkMerge [
-      [
-        { discarded = "gone"; }
-      ]
-      (mkForce {
-        x = mkOrder 200 "x-val";
-        y = mkOrder 100 "y-val";
-      })
-    ];
-
-    # mkForce on repeated key: forced entries override non-forced
-    attrList.forceRepeatedKey = [
-      { x = mkOverride 100 (abort "overridden by mkForce; laziness guarantee: MUST NOT be evaluated"); }
-      { x = mkForce "wins"; }
-      { x = mkForce "wins 2"; }
-    ];
-
-    # mkForce on repeated key across mkMerge
-    attrList.forceRepeatedKeyMerge = mkMerge [
-      [
-        { x = "unused: overridden by mkForce"; }
-        { x = mkDefault (abort "overridden by mkForce; laziness guarantee: MUST NOT be evaluated"); }
-      ]
-      [
-        { x = mkOverride 100 (abort "overridden by mkForce; laziness guarantee: MUST NOT be evaluated"); }
-      ]
-      [
-        { x = mkForce "forced"; }
-      ]
-    ];
-
-    # mkForce on repeated key in attrset format across mkMerge
-    attrList.forceRepeatedKeyAttrs = mkMerge [
-      {
-        x = mkDefault (abort "overridden by mkForce; laziness guarantee: MUST NOT be evaluated");
-        y = "kept";
-      }
-      { x = mkForce "forced"; }
-    ];
-
-    # mkForce only affects the key it's on, other keys survive
-    attrList.forcePartialAttrs = mkMerge [
-      {
-        x = "unused: overridden by mkForce";
-        y = "normal y";
-      }
-      { x = mkForce "forced x"; }
-    ];
-
-    # mkForce in attrset format overrides same key from list format
-    attrList.forceMixedFormats = mkMerge [
-      [
-        { x = mkOverride 100 (abort "overridden by mkForce; laziness guarantee: MUST NOT be evaluated"); }
-        { y = "list y"; }
-      ]
-      { x = mkForce "attrset forced x"; }
-    ];
-
-    # Nesting: list format, mkOrder on element + mkForce on value
-    attrList.nestListOrderForce = mkMerge [
-      [
-        { x = mkDefault (abort "overridden by mkForce; laziness guarantee: MUST NOT be evaluated"); }
-        (mkOrder 500 { x = mkForce "forced-early"; })
-        (mkOrder 1500 { y = "late"; })
-      ]
-      [
-        (mkOrder 100 { z = "earliest"; })
-      ]
-    ];
-
-    # Nesting: list format, mkOrder(mkForce(val)) on value
-    attrList.nestListOrderOfForce = mkMerge [
-      [
-        { x = mkOverride 100 (abort "overridden by mkForce; laziness guarantee: MUST NOT be evaluated"); }
-        { y = "plain-early"; }
-      ]
-      [
-        { x = mkOrder 1500 (mkForce "forced-late"); }
-        { z = mkOrder 500 "earliest"; }
-      ]
-      [
-        { x = "unused: overridden by mkForce"; }
-        { w = mkOrder 1200 "mid"; }
-      ]
-    ];
-
-    # Nesting: list format, mkForce(mkOrder(val)) on value
-    attrList.nestListForceOfOrder = mkMerge [
-      [
-        { x = "unused: overridden by mkForce"; }
-        { y = "plain-early"; }
-      ]
-      [
-        { x = mkForce (mkOrder 1500 "forced-late"); }
-        { z = mkOrder 500 "earliest"; }
-      ]
-      [
-        { x = mkDefault (abort "overridden by mkForce; laziness guarantee: MUST NOT be evaluated"); }
-        { w = mkOrder 1200 "mid"; }
-      ]
-    ];
-
-    # Nesting: attrset format, mkOrder wrapping mkForce
-    attrList.nestAttrsOrderOfForce = mkMerge [
-      {
-        x = mkOverride 100 (abort "overridden by mkForce; laziness guarantee: MUST NOT be evaluated");
-        y = "plain-early";
-      }
-      {
-        x = mkOrder 1500 (mkForce "forced-late");
-        z = mkOrder 500 "earliest";
-      }
-      {
-        x = "unused: overridden by mkForce";
-        w = mkOrder 1200 "mid";
-      }
-    ];
-
-    # Nesting: attrset format, mkForce wrapping mkOrder
-    attrList.nestAttrsForceOfOrder = mkMerge [
-      {
-        x = "unused: overridden by mkForce";
-        y = "plain-early";
-      }
-      {
-        x = mkForce (mkOrder 1500 "forced-late");
-        z = mkOrder 500 "earliest";
-      }
-      {
-        x = mkDefault (abort "overridden by mkForce; laziness guarantee: MUST NOT be evaluated");
-        w = mkOrder 1200 "mid";
-      }
-    ];
-
-    # mkIf false on individual element value filters it out (list format)
-    attrListInt.optionalValueList = [
-      { a = mkIf true 1; }
-      { b = mkIf false 2; }
-      { c = 3; }
-    ];
-
-    # mkIf false on individual element value filters it out (attrset format)
-    attrListInt.optionalValueAttrs = {
-      a = mkIf true 1;
-      b = mkIf false 2;
-      c = 3;
-    };
-
-    # submodule elemType: produces real valueMeta
-    attrListSubmodule = [
-      {
-        web = {
-          port = 80;
-        };
-      }
-      {
-        db = {
-          port = 5432;
-          host = "dbhost";
-        };
-      }
-    ];
-
-    # asAttrs: unique keys — value is a plain attrset
-    asAttrs.unique = [
-      { a = "alpha"; }
-      { b = "beta"; }
-    ];
-
-    # asAttrs: duplicate keys — last in order wins
-    asAttrs.duplicateKeys = mkMerge [
-      { x = mkOrder 500 "first"; }
-      { x = mkOrder 1500 "last"; }
-      { y = "only"; }
-    ];
-
-    # asAttrs: with ordering — value is attrset, ordered list in valueMeta
-    asAttrs.ordered = {
-      z = mkOrder 200 "z-val";
-      a = mkOrder 100 "a-val";
-    };
-
-    # asAttrs: with mkForce — forced key overrides
-    asAttrs.withForce = mkMerge [
-      { x = "unused: overridden by mkForce"; }
-      {
-        x = mkForce "forced";
-        y = "kept";
-      }
-    ];
-
-    # asAttrs: empty
-    asAttrs.empty = [ ];
-
-    # asAttrsDefault: unique keys
-    asAttrsDefault.unique = [
-      { a = 1; }
-      { b = 2; }
-    ];
-
-    # asAttrsDefault: duplicate keys — default collects into lists
-    asAttrsDefault.duplicates = mkMerge [
-      { x = mkOrder 500 10; }
-      { x = mkOrder 1500 30; }
-      { y = 99; }
-      [
-        { x = 20; }
-      ]
-    ];
-
-    # either: attrList branch matches for list input
-    eitherAttrListOrInt = [
-      { a = "hello"; }
-      { b = "world"; }
-    ];
-
-    # either: int input falls through to int branch
-    eitherAttrListOrIntFallback = 42;
-
-    # either (swapped): int first, attrList second — int input matches int
-    eitherIntOrAttrList = 42;
-
-    # either (swapped): list input falls through to attrList branch
-    eitherIntOrAttrListFallback = [
-      { a = "hello"; }
-    ];
-
-    # Bad: string where int expected
-    attrListInt.badValue = [
-      { a = "not-an-int"; }
-    ];
-
-    # Bad: list element with multiple keys
-    attrList.badListElem = [
-      {
-        a = "ok";
-        b = "extra";
-      }
-    ];
-
-    # Bad: plain string instead of list or attrset
-    attrList.badString = "not-a-container";
-
-    # Bad: list element is a bare string, not a singleton attrset
-    attrList.badListString = [
-      "not a singleton attribute"
-    ];
-
-    attrListStrict = builtins.mapAttrs (k: v: builtins.deepSeq v v) config.attrList;
-    attrListIntStrict = builtins.mapAttrs (k: v: builtins.deepSeq v v) config.attrListInt;
-
-    assertions =
-      let
-        c = lib.evalModules {
-          modules = [ ./declare-attrList.nix ];
-        };
-        cfg = c.config;
-      in
-
-      # List input preserves elements
-      assert
-        cfg.attrList.listInput == [
-          { a = "alpha"; }
-          { b = "beta"; }
-        ];
-
-      # Attrset input with mkOrder: lower priority comes first
-      assert
-        cfg.attrList.attrsetOrdered == [
-          { y = "y-val"; }
-          { x = "x-val"; }
-        ];
-
-      # Mixed input: mkOrder 50 < default 1000
-      assert
-        cfg.attrList.mixed == [
-          { n = "from-attrset"; }
-          { m = "from-list"; }
-        ];
-
-      # Multiple definitions from separate modules concatenate
-      # (import module's definition comes before this module's)
-      assert
-        cfg.attrListInt.multiModule == [
-          { b = 2; }
-          { a = 1; }
-        ];
-
-      # Attrset without mkOrder: all at default priority
-      assert builtins.length cfg.attrList.attrsetNoOrder == 2;
-
-      # Empty list stays empty
-      assert cfg.attrList.empty == [ ];
-
-      # List elements support mkOrder/mkBefore/mkAfter
-      assert
-        cfg.attrList.listOrdering == [
-          { a = "before"; }
-          { m = "default"; }
-          { z = "after"; }
-        ];
-
-      # Plain list entries are at default priority (1000)
-      assert
-        cfg.attrList.listDefaultPrio == [
-          { before = "before"; }
-          { mid = "list-entry"; }
-          { after = "after"; }
-        ];
-
-      # Ordering: 500 < 1000 (default) < 1500
-      assert
-        cfg.attrList.ordering == [
-          { first = "first"; }
-          { middle = "middle"; }
-          { last = "last"; }
-        ];
-
-      # mkBefore (500) < default (1000) < mkAfter (1500)
-      assert
-        cfg.attrList.beforeAfter == [
-          { a = "before"; }
-          { m = "default"; }
-          { z = "after"; }
-        ];
-
-      # mkIf true includes, mkIf false excludes
-      assert
-        cfg.attrList.withMkIf == [
-          { yes = "included"; }
-        ];
-
-      # mkOverride: only lowest priority override survives
-      assert
-        cfg.attrList.withOverride == [
-          { winner = "wins"; }
-        ];
-
-      # mkDefault is overridden by normal definitions
-      assert
-        cfg.attrList.withDefault == [
-          { normal = "wins"; }
-        ];
-
-      # mkForce discards other definitions
-      assert
-        cfg.attrList.withForce == [
-          { forced = "wins"; }
-        ];
-
-      # mkForce with mkOrder inside: ordering still works
-      assert
-        cfg.attrList.forceWithOrder == [
-          { first = "before"; }
-          { second = "after"; }
-        ];
-
-      # mkForce on individual element values passes through
-      assert
-        cfg.attrListInt.forceElementValue == [
-          { a = 42; }
-          { b = 2; }
-        ];
-
-      # mkForce on attrset format: discards other defs, ordering preserved
-      assert
-        cfg.attrList.forceAttrset == [
-          { y = "y-val"; }
-          { x = "x-val"; }
-        ];
-
-      # mkForce on repeated key: forced entries override non-forced
-      assert
-        cfg.attrList.forceRepeatedKey == [
-          { x = "wins"; }
-          { x = "wins 2"; }
-        ];
-
-      # mkForce on repeated key across mkMerge: forced wins
-      assert
-        cfg.attrList.forceRepeatedKeyMerge == [
-          { x = "forced"; }
-        ];
-
-      # mkForce on repeated key in attrset format: discards other x, keeps y
-      assert
-        cfg.attrList.forceRepeatedKeyAttrs == [
-          { y = "kept"; }
-          { x = "forced"; }
-        ];
-
-      # mkForce only affects its own key
-      assert
-        cfg.attrList.forcePartialAttrs == [
-          { y = "normal y"; }
-          { x = "forced x"; }
-        ];
-
-      # mkForce in attrset format overrides same key from list format
-      assert
-        cfg.attrList.forceMixedFormats == [
-          { y = "list y"; }
-          { x = "attrset forced x"; }
-        ];
-
-      # Nesting: list format, mkOrder on element + mkForce on value
-      # z(100) < x-forced(500) < y(1500); x-discarded filtered by mkForce
-      assert
-        cfg.attrList.nestListOrderForce == [
-          { z = "earliest"; }
-          { x = "forced-early"; }
-          { y = "late"; }
-        ];
-
-      # Nesting: list format, mkOrder(mkForce(val)) on value
-      # z(500) < y(1000) < w(1200) < x-forced(1500); x-discarded entries filtered
-      assert
-        cfg.attrList.nestListOrderOfForce == [
-          { z = "earliest"; }
-          { y = "plain-early"; }
-          { w = "mid"; }
-          { x = "forced-late"; }
-        ];
-
-      # Nesting: list format, mkForce(mkOrder(val)) on value
-      # z(500) < y(1000) < w(1200) < x-forced(1500); x-discarded entries filtered
-      assert
-        cfg.attrList.nestListForceOfOrder == [
-          { z = "earliest"; }
-          { y = "plain-early"; }
-          { w = "mid"; }
-          { x = "forced-late"; }
-        ];
-
-      # Nesting: attrset format, mkOrder(mkForce(val))
-      # z(500) < y(1000) < w(1200) < x-forced(1500); x-discarded entries filtered
-      assert
-        cfg.attrList.nestAttrsOrderOfForce == [
-          { z = "earliest"; }
-          { y = "plain-early"; }
-          { w = "mid"; }
-          { x = "forced-late"; }
-        ];
-
-      # Nesting: attrset format, mkForce(mkOrder(val))
-      # z(500) < y(1000) < w(1200) < x-forced(1500); x-discarded entries filtered
-      assert
-        cfg.attrList.nestAttrsForceOfOrder == [
-          { z = "earliest"; }
-          { y = "plain-early"; }
-          { w = "mid"; }
-          { x = "forced-late"; }
-        ];
-
-      # mkIf false on individual element value filters it out (list format)
-      assert
-        cfg.attrListInt.optionalValueList == [
-          { a = 1; }
-          { c = 3; }
-        ];
-
-      # mkIf false on individual element value filters it out (attrset format)
-      assert
-        cfg.attrListInt.optionalValueAttrs == [
-          { a = 1; }
-          { c = 3; }
-        ];
-
-      # submodule: value, option descriptions, and valueMeta with real configuration metadata
-      assert
-        cfg.attrListSubmodule == [
-          {
-            web = {
-              host = "localhost";
-              port = 80;
-            };
-          }
-          {
-            db = {
-              host = "dbhost";
-              port = 5432;
-            };
-          }
-        ];
-      assert
-        builtins.map (m: m.configuration.config) c.options.attrListSubmodule.valueMeta.attrList == [
-          {
-            host = "localhost";
-            port = 80;
-          }
-          {
-            host = "dbhost";
-            port = 5432;
-          }
-        ];
-      assert
-        builtins.map (
-          m:
-          builtins.mapAttrs (n: o: o.description) (builtins.removeAttrs m.configuration.options [ "_module" ])
-        ) c.options.attrListSubmodule.valueMeta.attrList == [
-          {
-            host = "Hostname";
-            port = "Port number";
-          }
-          {
-            host = "Hostname";
-            port = "Port number";
-          }
-        ];
-
-      # valueMeta.attrList has one entry per (non-filtered) element
-      assert
-        c.options.attrList.valueMeta.attrs.listInput.attrList == [
-          { }
-          { }
-        ];
-      assert
-        c.options.attrList.valueMeta.attrs.attrsetOrdered.attrList == [
-          { }
-          { }
-        ];
-      assert
-        c.options.attrList.valueMeta.attrs.mixed.attrList == [
-          { }
-          { }
-        ];
-      assert c.options.attrList.valueMeta.attrs.empty.attrList == [ ];
-      assert
-        c.options.attrListInt.valueMeta.attrs.optionalValueList.attrList == [
-          { }
-          { }
-        ];
-
-      # either: headError is null for valid attrList input, so attrList branch is picked
-      assert
-        cfg.eitherAttrListOrInt == [
-          { a = "hello"; }
-          { b = "world"; }
-        ];
-
-      # either: headError is non-null for int input, so int branch is picked
-      assert cfg.eitherAttrListOrIntFallback == 42;
-
-      # either (swapped): int first — int input matches
-      assert cfg.eitherIntOrAttrList == 42;
-
-      # either (swapped): list input falls through to attrList branch
-      assert
-        cfg.eitherIntOrAttrListFallback == [
-          { a = "hello"; }
-        ];
-
-      # asAttrs: unique keys — value is a plain attrset
-      assert
-        cfg.asAttrs.unique == {
-          a = "alpha";
-          b = "beta";
-        };
-      # ordered list preserved in valueMeta
-      assert
-        c.options.asAttrs.valueMeta.attrs.unique.attrListValue == [
-          { a = "alpha"; }
-          { b = "beta"; }
-        ];
-
-      # asAttrs: duplicate keys — last in order wins
-      assert
-        cfg.asAttrs.duplicateKeys == {
-          x = "last";
-          y = "only";
-        };
-      assert
-        c.options.asAttrs.valueMeta.attrs.duplicateKeys.attrListValue == [
-          { x = "first"; }
-          { y = "only"; }
-          { x = "last"; }
-        ];
-
-      # asAttrs: ordered — value is attrset (unordered), list in valueMeta preserves order
-      assert
-        cfg.asAttrs.ordered == {
-          a = "a-val";
-          z = "z-val";
-        };
-      assert
-        c.options.asAttrs.valueMeta.attrs.ordered.attrListValue == [
-          { a = "a-val"; }
-          { z = "z-val"; }
-        ];
-
-      # asAttrs: mkForce — forced key overrides, value is attrset
-      assert
-        cfg.asAttrs.withForce == {
-          x = "forced";
-          y = "kept";
-        };
-
-      # asAttrs: empty — value is empty attrset
-      assert cfg.asAttrs.empty == { };
-
-      # asAttrsDefault: unique keys — each value wrapped in singleton list
-      assert
-        cfg.asAttrsDefault.unique == {
-          a = [ 1 ];
-          b = [ 2 ];
-        };
-
-      # asAttrsDefault: duplicate keys — values collected into list in order
-      assert
-        cfg.asAttrsDefault.duplicates == {
-          x = [
-            10
-            20
-            30
-          ];
-          y = [ 99 ];
-        };
-      assert
-        c.options.asAttrsDefault.valueMeta.attrs.duplicates.attrListValue == [
-          { x = 10; }
-          { y = 99; }
-          { x = 20; }
-          { x = 30; }
-        ];
-
-      # valueMeta.definitions: mkDefinition records with mkOrder-wrapped single-key attrsets
-      # Use duplicateKeys which has mixed priorities and repeated keys
-      assert
-        let
-          defs = c.options.asAttrs.valueMeta.attrs.duplicateKeys.definitions;
-          extract = d: {
-            prio = d.value.priority;
-            value = d.value.content;
-          };
-        in
-        map extract defs == [
-          {
-            prio = 500;
-            value = {
-              x = "first";
-            };
-          }
-          {
-            prio = 1000;
-            value = {
-              y = "only";
-            };
-          }
-          {
-            prio = 1500;
-            value = {
-              x = "last";
-            };
-          }
-        ];
-
-      # Round-trip: feed definitions through mapDefinitionValue + mkMerge into a listOf option
-      assert
-        let
-          rendered = lib.modules.mapDefinitionValue (attr: lib.cli.toCommandLineGNU { } attr) (
-            mkMerge c.options.asAttrs.valueMeta.attrs.duplicateKeys.definitions
-          );
-          result =
-            (lib.evalModules {
-              modules = [
-                { options.out = mkOption { type = types.listOf types.str; }; }
-                { config.out = rendered; }
-                # Interleave: mkOrder 800 lands between x(500) and y(1000)
-                { config.out = mkOrder 800 [ "--interleaved" ]; }
-              ];
-            }).config.out;
-        in
-        result == [
-          "-xfirst"
-          "--interleaved"
-          "-yonly"
-          "-xlast"
-        ];
-
-      # Error cases are tested via checkConfigError in modules.sh
-
-      "ok";
-  };
-}
--- a/lib/tests/modules/types.nix
+++ b/lib/tests/modules/types.nix
@@ -167,28 +167,6 @@ in
          elemType = str;
          lazy = false;
        }).description == "attribute set of string";
-      assert (attrListOf str).description == "attribute list of string";
-      assert (attrListOf int).description == "attribute list of signed integer";
-      assert (attrListOf bool).description == "attribute list of boolean";
-      assert (attrListOf (either int str)).description == "attribute list of (signed integer or string)";
-      assert (attrListOf (nullOr str)).description == "attribute list of (null or string)";
-      assert (attrListOf (listOf str)).description == "attribute list of list of string";
-      assert
-        (attrListOf (attrsOf int)).description == "attribute list of attribute set of signed integer";
-      assert (attrListOf (attrListOf str)).description == "attribute list of attribute list of string";
-      assert (attrListOf ints.positive).description == "attribute list of (positive integer, meaning >0)";
-      assert
-        (attrListOf (enum [
-          "a"
-          "b"
-        ])).description == "attribute list of (one of \"a\", \"b\")";
-      assert
-        (attrListOf (strMatching "[0-9]+")).description
-        == "attribute list of string matching the pattern [0-9]+";
-      assert
-        (attrListOf (nonEmptyListOf str)).description == "attribute list of non-empty (list of string)";
-      assert (attrListOf (submodule { })).description == "attribute list of (submodule)";
-
      assert (coercedTo str abort int).description == "signed integer or string convertible to it";
      assert (coercedTo int abort str).description == "string or signed integer convertible to it";
      assert (coercedTo bool abort str).description == "string or boolean convertible to it";
--- a/lib/tests/sources.sh
+++ b/lib/tests/sources.sh
@@ -70,16 +70,4 @@ dir="$(nix-instantiate --eval --strict --read-write-mode --json --expr '(with im
 EOF
 ) || die "cleanSourceWith + cleanSource"

-
-dir="$(nix-instantiate --eval --strict --read-write-mode --json --expr '(with import <nixpkgs/lib>; "${
-  sources.sourceByGlobs '"$work"' [ "*.md" "**/*.o" ]
-}")' | crudeUnquoteJSON)"
-(cd "$dir"; find) | sort -f | diff -U10 - <(cat <<EOF
-.
-./module.o
-./README.md
-EOF
-) || die "sourceByGlobs 1"
-
-
 echo >&2 tests ok
--- a/lib/trivial.nix
+++ b/lib/trivial.nix
@@ -504,7 +504,7 @@ in
    On each release the first letter is bumped and a new animal is chosen
    starting with that new letter.
  */
-  codeName = "Zokor";
+  codeName = "Yarara";

  /**
    Returns the current nixpkgs version suffix as string.
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -20,7 +20,6 @@ let
    isStorePath
    isString
    substring
-    sort
    throwIf
    toDerivation
    toList
@@ -28,7 +27,6 @@ let
    ;
  inherit (lib.lists)
    concatLists
-    concatMap
    elemAt
    filter
    foldl'
@@ -72,11 +70,6 @@ let
    mergeDefinitions
    fixupOptionType
    mergeOptionDecls
-    defaultOrderPriority
-    defaultOverridePriority
-    mkDefinition
-    mkOrder
-    mkOverride
    ;
  inherit (lib.fileset)
    isFileset
@@ -812,179 +805,6 @@ rec {
      substSubModules = m: nonEmptyListOf (elemType.substSubModules m);
    };

-  attrListOf = elemType: attrListWith { inherit elemType; };
-
-  attrListWith =
-    {
-      elemType,
-      asAttrs ? false,
-      mergeAttrValues ? _name: values: values,
-    }:
-    mkOptionType rec {
-      name = "attrListOf";
-      description = "attribute list of ${
-        optionDescriptionPhrase (class: class == "noun" || class == "composite") elemType
-      }";
-      descriptionClass = "composite";
-      check = {
-        __functor = _self: x: isList x || isAttrs x;
-        isV2MergeCoherent = true;
-      };
-      merge = {
-        __functor =
-          self: loc: defs:
-          (self.v2 { inherit loc defs; }).value;
-        v2 =
-          { loc, defs }:
-          let
-            # Peel order and override properties from a value in any nesting order.
-            # Returns { value, prio, overridePrio }.
-            # mkOrder is stripped (we consume it for sorting).
-            # mkOverride is preserved in value (mergeDefinitions strips it).
-            peelProperties =
-              value:
-              let
-                type = value._type or null;
-              in
-              if type == "order" then
-                let
-                  inner = peelProperties value.content;
-                in
-                {
-                  inherit (inner) value overridePrio;
-                  prio = value.priority;
-                }
-              else if type == "override" then
-                let
-                  inner = peelProperties value.content;
-                in
-                {
-                  inherit (inner) prio;
-                  overridePrio = value.priority;
-                  # Re-wrap mkOverride around the inner value (with mkOrder stripped)
-                  value = mkOverride value.priority inner.value;
-                }
-              else
-                {
-                  inherit value;
-                  prio = defaultOrderPriority;
-                  overridePrio = defaultOverridePriority;
-                };
-
-            # Extract { file, key, value, prio, overridePrio } from a single-key attrset,
-            # optionally wrapped in mkOrder at the element level (list format).
-            extractItem =
-              file: raw:
-              let
-                hasOrder = isType "order" raw;
-                item = if hasOrder then raw.content else raw;
-                key = head (attrNames item);
-                peeled = peelProperties item.${key};
-              in
-              if isAttrs item && length (attrNames item) == 1 then
-                peeled
-                // {
-                  inherit file key;
-                  prio = if hasOrder then raw.priority else peeled.prio;
-                }
-              else
-                throw "A definition for option `${showOption loc}' is not of type `${description}'. ${
-                  if !isAttrs item then
-                    "Each list element must be an attribute set, but got ${builtins.typeOf item}"
-                  else
-                    "Each list element must be a single-key attribute set, but got ${toString (length (attrNames item))} keys"
-                }.${
-                  showDefs [
-                    {
-                      inherit file;
-                      value = raw;
-                    }
-                  ]
-                }";
-
-            # Convert a definition to a flat list of { file, key, value, prio, overridePrio }
-            defToItems =
-              def:
-              if isList def.value then
-                map (extractItem def.file) def.value
-              else
-                # isAttrs: properties are on the values directly
-                map (
-                  key:
-                  peelProperties def.value.${key}
-                  // {
-                    inherit (def) file;
-                    inherit key;
-                  }
-                ) (attrNames def.value);
-
-            allItems = concatMap defToItems defs;
-
-            # Per key, find the highest override priority (lowest number)
-            winningOverridePrio = foldl' (
-              acc: item:
-              let
-                prev = acc.${item.key} or defaultOverridePriority;
-              in
-              if item.overridePrio < prev then
-                acc // { ${item.key} = item.overridePrio; }
-              else
-                # minimize `//` operations
-                acc
-            ) { } allItems;
-
-            # Keep only items at the winning override priority for their key
-            items = sort (a: b: a.prio < b.prio) (
-              filter (
-                item: item.overridePrio == winningOverridePrio.${item.key} or defaultOverridePriority
-              ) allItems
-            );
-
-            evals = filter (e: e.eval.optionalValue ? value) (
-              map (item: {
-                inherit (item) key file prio;
-                eval = mergeDefinitions (loc ++ [ item.key ]) elemType [
-                  {
-                    inherit (item) file value;
-                  }
-                ];
-              }) items
-            );
-
-            attrListValue = map (e: { ${e.key} = e.eval.optionalValue.value or e.eval.mergedValue; }) evals;
-          in
-          {
-            headError = checkDefsForError check loc defs;
-            value = if asAttrs then zipAttrsWith mergeAttrValues attrListValue else attrListValue;
-            valueMeta.attrList = map (e: e.eval.checkedAndMerged.valueMeta) evals;
-            /**
-              The ordered list representation, especially useful when asAttrs is set.
-            */
-            valueMeta.attrListValue = attrListValue;
-            valueMeta.definitions = map (
-              e:
-              mkDefinition {
-                inherit (e) file;
-                value = mkOrder e.prio { ${e.key} = e.eval.optionalValue.value or e.eval.mergedValue; };
-              }
-            ) evals;
-          };
-      };
-      emptyValue = {
-        value = if asAttrs then { } else [ ];
-      };
-      getSubOptions = prefix: elemType.getSubOptions (prefix ++ [ "*" ]);
-      getSubModules = elemType.getSubModules;
-      substSubModules =
-        m:
-        attrListWith {
-          inherit asAttrs mergeAttrValues;
-          elemType = elemType.substSubModules m;
-        };
-      typeMerge = t: null; # Disable type merging
-      nestedTypes.elemType = elemType;
-    };
-
  attrsOf = elemType: attrsWith { inherit elemType; };

  # A version of attrsOf that's lazy in its values at the expense of
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -710,12 +710,6 @@
    githubId = 25004152;
    name = "Adrian Gunnar Lauterer";
  };
-  adrielvelazquez = {
-    email = "AdrielVelazquez@gmail.com";
-    github = "AdrielVelazquez";
-    githubId = 3443378;
-    name = "Adriel Velazquez";
-  };
  AdrienLemaire = {
    email = "lemaire.adrien@gmail.com";
    github = "AdrienLemaire";
@@ -4288,12 +4282,6 @@
      { fingerprint = "D088 A5AF C45B 78D1 CD4F  457C 6957 B3B6 46F2 BB4E"; }
    ];
  };
-  c6rg0 = {
-    email = "c6rg0@protonmail.com";
-    github = "c6rg0";
-    githubId = 64259221;
-    name = "c6rg0";
-  };
  caarlos0 = {
    name = "Carlos A Becker";
    email = "carlos@becker.software";
@@ -5070,6 +5058,12 @@
    github = "cigrainger";
    githubId = 3984794;
  };
+  ciil = {
+    email = "simon@lackerbauer.com";
+    github = "ciil";
+    githubId = 3956062;
+    name = "Simon Lackerbauer";
+  };
  cilki = {
    github = "cilki";
    githubId = 10459406;
@@ -7366,6 +7360,12 @@
    github = "DSeeLP";
    githubId = 46624152;
  };
+  dsferruzza = {
+    email = "david.sferruzza@gmail.com";
+    github = "dsferruzza";
+    githubId = 1931963;
+    name = "David Sferruzza";
+  };
  dsluijk = {
    name = "Dany Sluijk";
    email = "nix@dany.dev";
@@ -7616,11 +7616,6 @@
    githubId = 54573;
    name = "Edward Amsden";
  };
-  eana = {
-    github = "eana";
-    githubId = 18534280;
-    name = "Jonas Eana";
-  };
  earldouglas = {
    email = "james@earldouglas.com";
    github = "earldouglas";
@@ -7657,12 +7652,6 @@
    github = "eclairevoyant";
    name = "éclairevoyant";
  };
-  eConnah = {
-    email = "git@econnah.uk";
-    github = "eConnah";
-    githubId = 63052937;
-    name = "Connor Alecks";
-  };
  edanaher = {
    email = "nixos@edanaher.net";
    github = "edanaher";
@@ -8319,11 +8308,6 @@
    githubId = 5427394;
    name = "Ersin Akinci";
  };
-  es-sai-fi = {
-    name = "es-sai-fi";
-    github = "es-sai-fi";
-    githubId = 96452903;
-  };
  esau79p = {
    github = "EsAu79p";
    githubId = 21313906;
@@ -8680,13 +8664,6 @@
    githubId = 88741530;
    name = "Fabian Rigoll";
  };
-  fabiob = {
-    email = "fabio@atelie.dev.br";
-    github = "fabiob";
-    githubId = 140875;
-    name = "Fábio Batista";
-    keys = [ { fingerprint = "D2D8 69D8 5EEC 30AD D327  B4A5 6CD5 5257 DB01 8B72"; } ];
-  };
  fallenbagel = {
    name = "fallenbagel";
    github = "fallenbagel";
@@ -10159,12 +10136,6 @@
    githubId = 6893840;
    name = "Yacine Hmito";
  };
-  gquetel = {
-    email = "gregor.quetel@telecom-paris.fr";
-    github = "gquetel";
-    githubId = 48437427;
-    name = "Grégor Quetel";
-  };
  gracicot = {
    email = "dev@gracicot.com";
    matrix = "@gracicot-59e8f173d73408ce4f7ac803:gitter.im";
@@ -15624,6 +15595,12 @@
    githubId = 4312404;
    name = "Chris Rendle-Short";
  };
+  lightdiscord = {
+    email = "root@arnaud.sh";
+    github = "lightdiscord";
+    githubId = 24509182;
+    name = "Arnaud Pascal";
+  };
  lightquantum = {
    email = "self@lightquantum.me";
    github = "PhotonQuantum";
@@ -15830,6 +15807,12 @@
    githubId = 23727619;
    name = "Luca Ruperto";
  };
+  lnl7 = {
+    email = "daiderd@gmail.com";
+    github = "LnL7";
+    githubId = 689294;
+    name = "Daiderd Jordan";
+  };
  lo1tuma = {
    email = "schreck.mathias@gmail.com";
    github = "lo1tuma";
@@ -16294,11 +16277,6 @@
    githubId = 26020062;
    name = "lumi";
  };
-  luminarleaf = {
-    github = "LuminarLeaf";
-    githubId = 80571430;
-    name = "Luminar Leaf";
-  };
  luna_1024 = {
    email = "contact@luna.computer";
    github = "luna-1024";
@@ -17415,6 +17393,12 @@
    githubId = 613740;
    name = "Martin Baillie";
  };
+  mbbx6spp = {
+    email = "me@susanpotter.net";
+    github = "mbbx6spp";
+    githubId = 564;
+    name = "Susan Potter";
+  };
  mbe = {
    email = "brandonedens@gmail.com";
    github = "brandonedens";
@@ -18276,12 +18260,6 @@
    githubId = 16974598;
    name = "Mike Playle";
  };
-  mkannwischer = {
-    email = "matthias@kannwischer.eu";
-    github = "mkannwischer";
-    githubId = 3984960;
-    name = "Matthias Kannwischer";
-  };
  mkez = {
    email = "matias+nix@zwinger.fi";
    github = "mk3z";
@@ -19272,12 +19250,6 @@
    name = "Naufal Fikri";
    keys = [ { fingerprint = "1575 D651 E31EC 6117A CF0AA C1A3B 8BBC A515 8835"; } ];
  };
-  naurissteins = {
-    name = "Nauris Steins";
-    email = "me@naurissteins.com";
-    github = "naurissteins";
-    githubId = 5653746;
-  };
  naxdy = {
    name = "Naxdy";
    email = "naxdy@naxdy.org";
@@ -19427,12 +19399,6 @@
    name = "neo";
    email = "chojs990222@gmail.com";
  };
-  neonvoid = {
-    email = "me@neonvoid.dev";
-    github = "neonvoidx";
-    githubId = 25580051;
-    name = "neonvoid";
-  };
  neosimsim = {
    email = "me@abn.sh";
    github = "neosimsim";
@@ -25680,6 +25646,12 @@
    githubId = 216167;
    name = "Steve Jones";
  };
+  sjmackenzie = {
+    email = "setori88@gmail.com";
+    github = "sjmackenzie";
+    githubId = 158321;
+    name = "Stewart Mackenzie";
+  };
  skaphi = {
    name = "Oskar Philipsson";
    email = "oskar.philipsson@gmail.com";
@@ -28556,12 +28528,6 @@
    githubId = 30677291;
    name = "u2x1";
  };
-  u3kkasha = {
-    email = "fida.waseque@gmail.com";
-    github = "u3kkasha";
-    githubId = 146055002;
-    name = "Fida Waseque Choudhury";
-  };
  uakci = {
    name = "uakci";
    email = "git@uakci.space";
@@ -29461,12 +29427,6 @@
    github = "wdavidw";
    githubId = 46896;
  };
-  wduo87391 = {
-    name = "wduo87391";
-    email = "wduo87391@gmail.com";
-    github = "wduo87391";
-    githubId = 197874825;
-  };
  weathercold = {
    name = "Weathercold";
    email = "weathercold.scr@proton.me";
--- a/maintainers/scripts/luarocks-packages.csv
+++ b/maintainers/scripts/luarocks-packages.csv
@@ -49,7 +49,6 @@ lpeglabel,,,,1.6.0,,
 lrexlib-gnu,,,,,,
 lrexlib-oniguruma,,,,,,junestepp
 lrexlib-pcre,,,,,,
-lrexlib-pcre2,,,,,,wishstudio
 lrexlib-posix,,,,,,
 lsp-progress.nvim,,,,,5.1,gepbird
 lsqlite3,,,,,,
@@ -168,7 +167,6 @@ telescope.nvim,,,,,5.1,
 tiktoken_core,,,,,,natsukium
 tl,,,,,,mephistophiles
 toml-edit,,,,,5.1,mrcjkb
-tomlua,,,,,,birdee
 tree-sitter-cli,,,,,,
 tree-sitter-http,,,,0.0.33-1,,
 tree-sitter-norg,,,,,5.1,mrcjkb
--- a/nixos/doc/manual/configuration/profiles/headless.section.md
+++ b/nixos/doc/manual/configuration/profiles/headless.section.md
@@ -2,7 +2,7 @@

 Common configuration for headless machines (e.g., Amazon EC2 instances).

-Disables serial consoles,
+Disables [vesa](#opt-boot.vesa), serial consoles,
 [emergency mode](#opt-systemd.enableEmergencyMode),
 [grub splash images](#opt-boot.loader.grub.splashImage)
 and configures the kernel to reboot automatically on panic.
--- a/nixos/doc/manual/development/modular-services.md
+++ b/nixos/doc/manual/development/modular-services.md
@@ -6,7 +6,7 @@ Status: in development. This functionality is new in NixOS 25.11, and significan
 Traditionally, NixOS services were defined using sets of options *in* modules, not *as* modules. This made them non-modular, resulting in problems with composability, reuse, and portability.

 A configuration management framework is an application of `evalModules` with the `class` and `specialArgs` input attribute set to particular values.
-NixOS is such a configuration management framework, and so are [Home Manager](https://github.com/nix-community/home-manager) and [`nix-darwin`](https://github.com/nix-darwin/nix-darwin).
+NixOS is such a configuration management framework, and so are [Home Manager](https://github.com/nix-community/home-manager) and [`nix-darwin`](https://github.com/lnl7/nix-darwin).

 The service management component of a configuration management framework is the set of module options that connects Nix expressions with the underlying service (or process) manager.
 For NixOS this is the module wrapping [`systemd`](https://systemd.io/), on `nix-darwin` this is the module wrapping [`launchd`](https://en.wikipedia.org/wiki/Launchd).
--- a/nixos/doc/manual/development/option-types.section.md
+++ b/nixos/doc/manual/development/option-types.section.md
@@ -494,47 +494,6 @@ Composed types are types that take a type as parameter. `listOf

      Displays the option as `foo.<id>` in the manual.

-`types.attrListOf` *`t`*
-
-:   An ordered list of single-attribute attribute sets, where each value is of *`t`* type.
-    The output is always `[ { name1 = value1; } { name2 = value2; } ... ]`.
-
-    Definitions can be provided in two formats, which may be mixed via `lib.mkMerge`, `imports`, etc:
-
-    - **List format**: `[ { a = 1; } { b = 2; } ]` — each element must be a single-attribute attribute set.
-      Elements may be wrapped in `lib.mkOrder` (or `lib.mkBefore`/`lib.mkAfter`) to control ordering;
-      unwrapped elements use the default order priority.
-
-    - **Attribute set format**: `{ a = lib.mkOrder 100 1; b = 2; }` — each name-value pair becomes a single-attribute attribute set in the output.
-      Values may be wrapped in `lib.mkOrder` (or `lib.mkBefore`/`lib.mkAfter`) to control ordering.
-      Values without `lib.mkOrder` use the default priority.
-
-    Multiple definitions of the same option are concatenated and then sorted by priority.
-    Entries at the same priority level preserve their definition order.
-
-`types.attrListWith` { *`elemType`*, *`asAttrs`* ? false, *`mergeAttrValues`* ? _name: values: values }
-
-:   An ordered list of single-attribute attribute sets, where each value is of *`elemType`* type.
-
-    **Parameters**
-
-    `elemType` (Required)
-    : Specifies the type of each value in the attribute list.
-
-    `asAttrs`
-    : When `true`, the option value is an attribute set instead of a list.
-      Duplicate keys are merged using `mergeAttrValues`.
-      The ordered list is always available via `valueMeta.attrListValue`.
-
-    `mergeAttrValues`
-    : A function `name: values: mergedValue` that controls how duplicate keys
-      are combined when `asAttrs = true`. This is passed as the callback to
-      `lib.zipAttrsWith`. The `values` list is in order of priority.
-      By default, all values are collected into a list.
-
-    **Behavior**
-
-    - `attrListWith { elemType = t; }` is equivalent to `attrListOf t`

 `types.uniq` *`t`*

--- a/nixos/doc/manual/installation/upgrading.chapter.md
+++ b/nixos/doc/manual/installation/upgrading.chapter.md
@@ -8,7 +8,7 @@ passed and a selection of packages has been built successfully
 (see `nixos/release-combined.nix` and `nixos/release-small.nix`).
 These channels are:

-   *Stable channels*, such as [`nixos-26.05`](https://channels.nixos.org/nixos-26.05).
+-   *Stable channels*, such as [`nixos-25.11`](https://channels.nixos.org/nixos-25.11).
    These only get conservative bug fixes and package upgrades. For
    instance, a channel update may cause the Linux kernel on your system
    to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not
@@ -21,7 +21,7 @@ These channels are:
    radical changes between channel updates. It's not recommended for
    production systems.

-   *Small channels*, such as [`nixos-26.05-small`](https://channels.nixos.org/nixos-26.05-small)
+-   *Small channels*, such as [`nixos-25.11-small`](https://channels.nixos.org/nixos-25.11-small)
    or [`nixos-unstable-small`](https://channels.nixos.org/nixos-unstable-small).
    These are identical to the stable and unstable channels described above,
    except that they contain fewer binary packages. This means they get updated
@@ -40,8 +40,8 @@ supported stable release.

 When you first install NixOS, you're automatically subscribed to the
 NixOS channel that corresponds to your installation source. For
-instance, if you installed from a 26.05 ISO, you will be subscribed to
-the `nixos-26.05` channel. To see which NixOS channel you're subscribed
+instance, if you installed from a 25.11 ISO, you will be subscribed to
+the `nixos-25.11` channel. To see which NixOS channel you're subscribed
 to, run the following as root:

 ```ShellSession
@@ -56,16 +56,16 @@ To switch to a different NixOS channel, do
 ```

 (Be sure to include the `nixos` parameter at the end.) For instance, to
-use the NixOS 26.05 stable channel:
+use the NixOS 25.11 stable channel:

 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-26.05 nixos
+# nix-channel --add https://channels.nixos.org/nixos-25.11 nixos
 ```

 If you have a server, you may want to use the "small" channel instead:

 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-26.05-small nixos
+# nix-channel --add https://channels.nixos.org/nixos-25.11-small nixos
 ```

 And if you want to live on the bleeding edge:
@@ -118,5 +118,5 @@ the new generation contains a different kernel, initrd or kernel
 modules. You can also specify a channel explicitly, e.g.

 ```nix
-{ system.autoUpgrade.channel = "https://channels.nixos.org/nixos-26.05"; }
+{ system.autoUpgrade.channel = "https://channels.nixos.org/nixos-25.11"; }
 ```
--- a/nixos/doc/manual/redirects.json
+++ b/nixos/doc/manual/redirects.json
@@ -2363,21 +2363,6 @@
  "ch-release-notes": [
    "release-notes.html#ch-release-notes"
  ],
-  "sec-release-26.11": [
-    "release-notes.html#sec-release-26.11"
-  ],
-  "sec-release-26.11-highlights": [
-    "release-notes.html#sec-release-26.11-highlights"
-  ],
-  "sec-release-26.11-new-modules": [
-    "release-notes.html#sec-release-26.11-new-modules"
-  ],
-  "sec-release-26.11-incompatibilities": [
-    "release-notes.html#sec-release-26.11-incompatibilities"
-  ],
-  "sec-release-26.11-notable-changes": [
-    "release-notes.html#sec-release-26.11-notable-changes"
-  ],
  "sec-release-26.05": [
    "release-notes.html#sec-release-26.05"
  ],
--- a/nixos/doc/manual/release-notes/release-notes.md
+++ b/nixos/doc/manual/release-notes/release-notes.md
@@ -3,7 +3,6 @@
 This section lists the release notes for each stable version of NixOS and current unstable revision.

 ```{=include=} sections
-rl-2611.section.md
 rl-2605.section.md
 rl-2511.section.md
 rl-2505.section.md
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -4,7 +4,7 @@

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- Added `nixos-init`, a Rust-based bashless initialization system for systemd initrd.
+- Added `nixos-init`, a Rust-based bashless initialization system for systemd initrd. This allows to build NixOS systems without any interpreter. Enable via `system.nixos-init.enable = true;`.

 - COSMIC DE has been updated to the beta version, bringing it closer to its first stable release. This includes updates to its core components, applications, and overall stability.

@@ -41,19 +41,17 @@

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- Added `nixos-init`, a Rust-based bashless initialization system for systemd initrd. This allows building NixOS systems without any interpreter. Enable via `system.nixos-init.enable = true;`.
+- Added `nixos-init`, a Rust-based bashless initialization system for systemd initrd. This allows to build NixOS systems without any interpreter. Enable via `system.nixos-init.enable = true;`.

 - [angrr](https://github.com/linyinfeng/angrr), a service that automatically cleans up old auto GC roots. Available as [services.angrr](#opt-services.angrr.enable).

 - Auto-scrub support for Bcachefs filesystems can now be enabled through [services.bcachefs.autoScrub.enable](#opt-services.bcachefs.autoScrub.enable) to periodically check for data corruption. If there's a correct copy available, it will automatically repair corrupted blocks.

- [Beszel](https://beszel.dev), a lightweight server monitoring hub with historical data, docker stats, and alerts. Available as [`services.beszel.agent`](#opt-services.beszel.agent.enable) and [`services.beszel.hub`](#opt-services.beszel.hub.enable).
+- [Beszel](https://beszel.dev), a lightweight server monitoring hub with historical data, docker stats, and alerts. Available as [`services.beszel.agent`](options.html#opt-services.beszel.agent.enable) and [`services.beszel.hub`](options.html#opt-services.beszel.hub.enable).

- [boot.kernel.sysfs](#opt-boot.kernel.sysfs), a new way to set sysfs attributes.
+- [boot.kernel.sysfs](options.html#opt-boot.kernel.sysfs), a new way to set of sysfs attributes.

- [Broadcast Box](https://github.com/Glimesh/broadcast-box), a WebRTC broadcast server. Available as [services.broadcast-box](#opt-services.broadcast-box.enable).
-
- Drivers and utilities for [Tenstorrent](https://tenstorrent.com) have been added. Available as [hardware.tenstorrent](#opt-hardware.tenstorrent.enable).
+- [Broadcast Box](https://github.com/Glimesh/broadcast-box), a WebRTC broadcast server. Available as [services.broadcast-box](options.html#opt-services.broadcast-box.enable).

 - [byedpi](https://github.com/hufrea/byedpi), a DPI bypass service. Available as [services.byedpi](#opt-services.byedpi.enable).

@@ -69,7 +67,9 @@

 - [crowdsec-firewall-bouncer](https://www.crowdsec.net/), the CrowdSec Remediation Component for fetching new and old decisions from a CrowdSec API and adding them to a blocklist used by supported firewalls. Available as [services.crowdsec-firewall-bouncer](#opt-services.crowdsec-firewall-bouncer.enable).

- [docuseal](https://github.com/docusealco/docuseal), a DocuSign alternative. Create, fill, and sign digital documents. Available as [services.docuseal](#opt-services.docuseal.enable).
+- Docker now defaults to 28.x, because version 27.x stopped receiving security updates and bug fixes after [May 2, 2025](https://github.com/moby/moby/pull/49910).
+
+- [docuseal](https://github.com/docusealco/docuseal), a DocuSign alternative. Create, fill, and sign digital documents. Available at [services.docuseal](#opt-services.docuseal.enable).

 - [Draupnir](https://github.com/the-draupnir-project/draupnir), a Matrix moderation bot. Available as [services.draupnir](#opt-services.draupnir.enable).

@@ -93,14 +93,14 @@

 - [Homebridge](https://github.com/homebridge/homebridge), a lightweight Node.js server you can run on your home network that emulates the iOS HomeKit API. Available as [services.homebridge](#opt-services.homebridge.enable).

- [IfState](https://ifstate.net), manage host interface settings in a declarative manner. Available as [networking.ifstate](#opt-networking.ifstate.enable) and [boot.initrd.network.ifstate](#opt-boot.initrd.network.ifstate.enable).
+- [IfState](https://ifstate.net), manage host interface settings in a declarative manner. Available as [networking.ifstate](options.html#opt-networking.ifstate.enable) and [boot.initrd.network.ifstate](options.html#opt-boot.initrd.network.ifstate.enable).

 - [KMinion](https://github.com/redpanda-data/kminion), feature-rich Prometheus exporter for Apache Kafka. Available as [services.prometheus.exporters.kafka](options.html#opt-services.prometheus.exporters.kafka).

 - [LACT](https://github.com/ilya-zlobintsev/LACT), a GPU monitoring and configuration tool, can now be enabled through [services.lact.enable](#opt-services.lact.enable).
  Note that for LACT to work properly on AMD GPU systems, you need to enable [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable).

- [lemurs](https://github.com/coastalwhite/lemurs), a customizable TUI display/login manager. Available as [services.displayManager.lemurs](#opt-services.displayManager.lemurs.enable).
+- [lemurs](https://github.com/coastalwhite/lemurs), a customizable TUI display/login manager. Available at [services.displayManager.lemurs](#opt-services.displayManager.lemurs.enable).

 - [LibreTranslate](https://libretranslate.com), a free and open source machine translation API. Available as [services.libretranslate](#opt-services.libretranslate.enable).

@@ -121,11 +121,11 @@

 - [nebula-lighthouse-service](https://github.com/manuels/nebula-lighthouse-service), a public Nebula VPN lighthouse service. Available as [services.nebula-lighthouse-service](#opt-services.nebula-lighthouse-service.enable).

- [Newt](https://github.com/fosrl/newt), a fully user space WireGuard tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. Available as [services.newt](#opt-services.newt.enable).
+- [Newt](https://github.com/fosrl/newt), a fully user space WireGuard tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. Available as [services.newt](options.html#opt-services.newt.enable).

 - [nixbit](https://github.com/pbek/nixbit), a GUI application for updating your NixOS system from a Nix Flakes Git repository. Available as [programs.nixbit](#opt-programs.nixbit.enable).

- [nix-store-veritysetup](https://github.com/nikstur/nix-store-veritysetup-generator), a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as [boot.initrd.nix-store-veritysetup](#opt-boot.initrd.nix-store-veritysetup.enable).
+- [nix-store-veritysetup](https://github.com/nikstur/nix-store-veritysetup-generator), a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as [boot.initrd.nix-store-veritysetup](options.html#opt-boot.initrd.nix-store-veritysetup.enable).

 - [nvme-rs](https://github.com/liberodark/nvme-rs), NVMe monitoring [services.nvme-rs](#opt-services.nvme-rs.enable).

@@ -139,7 +139,7 @@

 - [Pi-hole](https://pi-hole.net/), a DNS sinkhole for advertisements based on Dnsmasq. Available as [services.pihole-ftl](#opt-services.pihole-ftl.enable), and [services.pihole-web](#opt-services.pihole-web.enable) for the web GUI and API.

- [pmount](https://salsa.debian.org/debian/pmount), a tool that allows normal users to mount removable devices without requiring root privileges Available as [programs.pmount](#opt-programs.pmount.enable).
+- [pmount](https://salsa.debian.org/debian/pmount), a tool that allows normal users to mount removable devices without requiring root privileges Available at [programs.pmount](#opt-programs.pmount.enable).

 - [postfix-tlspol](https://github.com/Zuplu/postfix-tlspol), a MTA-STS and DANE resolver and TLS policy server for Postfix. Available as [services.postfix-tlspol](#opt-services.postfix-tlspol.enable).

@@ -153,7 +153,7 @@

 - [radicle-native-ci](https://radicle.network/nodes/seed.radicle.dev/rad:z3qg5TKmN83afz2fj9z3fQjU8vaYE), an adapter for the [Radicle CI broker](https://radicle.network/nodes/seed.radicle.dev/rad:zwTxygwuz5LDGBq255RA2CbNGrz8), for performing CI runs locally. Available as [services.radicle.ci.adapters.native](#opt-services.radicle.ci.adapters.native.instances).

- [rauc](https://rauc.io/) (the Robust Auto-Update Controller), a daemon that allows reliable and secure software updates in embedded Linux systems. Available as [services.rauc](#opt-services.rauc.enable).
+- [rauc](https://rauc.io/) (the Robust Auto-Update Controller), a daemon that allows reliable and secure software updates in embedded Linux systems. Available at [services.rauc](#opt-services.rauc.enable).

 - [ringboard](https://github.com/SUPERCILEX/clipboard-history), a fast, efficient, and composable clipboard manager for Linux. Available for x11 as [services.ringboard](#opt-services.ringboard.x11.enable) and for Wayland as [services.ringboard](#opt-services.ringboard.wayland.enable).

@@ -189,7 +189,7 @@

 - [tuwunel](https://matrix-construct.github.io/tuwunel/), a federated chat server implementing the Matrix protocol, forked from Conduwuit. Available as [services.matrix-tuwunel](#opt-services.matrix-tuwunel.enable).

- [umami](https://github.com/umami-software/umami), a simple, fast, privacy-focused alternative to Google Analytics. Available as [services.umami](#opt-services.umami.enable).
+- [umami](https://github.com/umami-software/umami), a simple, fast, privacy-focused alternative to Google Analytics. Available with [services.umami](#opt-services.umami.enable).

 - [wayvnc](https://github.com/any1/wayvnc), a VNC server for wlroots based Wayland compositors. Available as [programs.wayvnc](#opt-programs.wayvnc.enable).

@@ -222,7 +222,7 @@

 - `miniflux` no longer uses the hstore PostgreSQL extension. Having the extension would prevent Miniflux from starting. In case you are managing your `miniflux` PostgreSQL database externally, disable the extension with `DROP EXTENSION IF EXISTS hstore;`.

- `netbox-manage` script created by the `netbox` module no longer uses `sudo -u netbox` internally. It can be run as root and will change its user to `netbox` using `runuser`.
+- `netbox-manage` script created by the `netbox` module no longer uses `sudo -u netbox` internally. It can be run as root and will change it's user to `netbox` using `runuser`.

 - NixOS display manager modules now strictly use tty1, where many of them previously used tty7. Options to configure display managers' VT have been dropped. A configuration with a display manager enabled will not start `getty@tty1.service`, even if the system is forced to boot into `multi-user.target` instead of `graphical.target`.

@@ -254,7 +254,7 @@

 - `services.nextcloud.notify_push.enable` now installs the notify_push app. Therefore the appstore is now disabled when using `notify_push`. See `services.nextcloud.appstoreEnable`.

- `services.nixseparatedebuginfod.enable = true;` has been replaced by `services.nixseparatedebuginfod2.enable = true`. If you only use the official binary cache `https://cache.nixos.org` then no further configuration should be needed. If you have other https substituters, you can add them to `services.nixseparatedebuginfod2.substituters`. SSH substituters are not supported by nixseparatedebuginfod2. Consider running nixseparatedebuginfod2 on the substituter instead, and pointing to it with the new option `environment.debuginfodServers`.
+- `services.nixseparatedebuginfod.enable = true;` has been replaced by `services.nixseparatedebuginfod2.enable = true`. If you only use the official binary cache `https://cache.nixos.org` then no further configuration should be needed. If you have other https substituters, you can add them to `services.nixseparatedebuginfod2.subsituters`. SSH substituters are not supported by nixseparatedebuginfod2. Consider running nixseparatedebuginfod2 on the substituter instead, and pointing to it with the new option `environment.debuginfodServers`.

 - `services.parsoid` and the `nodePackages.parsoid` package have been removed, as the JavaScript-based version this module uses is not compatible with modern MediaWiki versions.

@@ -373,7 +373,7 @@

 - `boot.plymouth` now has a [`package`](#opt-boot.plymouth.package) option to specify the package used in the module.

- Docker now defaults to 28.x, because version 27.x stopped receiving security updates and bug fixes after [May 2, 2025](https://github.com/moby/moby/pull/49910).
+- Drivers and utilities for [Tenstorrent](https://tenstorrent.com) have been added. Available as [hardware.tenstorrent](#opt-hardware.tenstorrent.enable).

 - Due to [deprecation of gnome-session X11 support](https://blogs.gnome.org/alatiera/2025/06/08/the-x11-session-removal/), `services.desktopManager.pantheon` now defaults to pantheon-wayland session. The X11 session has been removed, see [this issue](https://github.com/elementary/session-settings/issues/91) for details.

@@ -436,9 +436,9 @@
 - `services.k3s` now shares most of its code with `services.rke2`. The merge resulted in both modules providing more options, with `services.rke2` receiving the most improvements.
  Existing configurations for either module should not be affected.

- [services.libvirtd.autoSnapshot](#opt-services.libvirtd.autoSnapshot.enable) has been added as a backup service for libvirt managed VMs.
+- [services.libvirtd.autoSnapshot](options.html#opt-services.libvirtd.autoSnapshot.enable) has been added as a backup service for libvirt managed VMs.

- `services.limesurvey` now supports nginx as reverse-proxy. Available as [services.limesurvey.webserver](#opt-services.limesurvey.webserver).
+- `services.limesurvey` now supports nginx as reverse-proxy. Available through [services.limesurvey.webserver](#opt-services.limesurvey.webserver).

 - `services.mattermost` has been updated to use the 10.11 ESR instead of 10.5. While this shouldn't break anyone, we also now package Mattermost 11 as mattermostLatest. Note that Mattermost 11 drops support for MySQL. The Mattermost module will assertion fail if you try to use MySQL with Mattermost 11; support for using MySQL with Mattermost will fully be removed in NixOS 26.

--- a/nixos/doc/manual/release-notes/rl-2605.section.md
+++ b/nixos/doc/manual/release-notes/rl-2605.section.md
@@ -14,7 +14,7 @@
  - The `cryptsetup-askpass` program is not available; use `systemctl default` instead, which will prompt for passphrases as necessary. If you pipe password responses into SSH over stdin, use `ssh -o RequestTTY=force` to ensure `systemctl default` gets a TTY to prompt on.
  - Many kernel parameters have been replaced with native systemd versions; see [](#sec-boot-problems).

- The system.nix file has been added as an alternative entry point to configuration.nix (and flake.nix) that allows configuring NixOS without using `nix-channel`.
+- The system.nix file has been added as an alternative entry point to configuration.nix (and flake.nix) that allows to configure NixOS without using `nix-channel`.
  This file must evaluate to a NixOS system derivation or an attribute set of such derivations, in which case the attribute to build has to be selected with the `--attr` option of `nixos-rebuild` or `nixos-install`.
  For example,
  ```nix
@@ -65,11 +65,12 @@
 - [Atuin](https://atuin.sh), magical shell history — sync, search and backup your terminal history. Available as [programs.atuin](#opt-programs.atuin.enable).

 - [Meshtastic](https://meshtastic.org), an open-source, off-grid, decentralised mesh network
-  designed to run on affordable, low-power devices. Available as [services.meshtasticd](#opt-services.meshtasticd.enable).
+  designed to run on affordable, low-power devices. Available as [services.meshtasticd]
+  (#opt-services.meshtasticd.enable).

 - [Goupile](https://goupile.org/en), an open-source design tool for secure forms including Clinical Report Forms (eCRF). Available as [services.goupile](#opt-services.goupile.enable).

- [knot-resolver](https://www.knot-resolver.cz/), in version 6. Available as `services.knot-resolver`. A module for knot-resolver 5 was already available as `services.kresd`.
+- [knot-resolver](https://www.knot-resolver.cz/) in version 6. Available as `services.knot-resolver`. A module for knot-resolver 5 was already available as `services.kresd`.

 - [ImmichFrame](https://immichframe.dev/), display your photos from Immich as a digital photo frame. Available as `services.immichframe`.

@@ -79,7 +80,7 @@

 - [reaction](https://reaction.ppom.me/), a daemon that scans program outputs for repeated patterns, and takes action. A common usage is to scan ssh and webserver logs, and to ban hosts that cause multiple authentication errors. A modern alternative to fail2ban. Available as [services.reaction](#opt-services.reaction.enable).

- [vinyl-cache](https://vinyl-cache.org) as the Varnish Cache project renamed itself. Available as [services.vinyl-cache](#opt-services.vinyl-cache.enable). To aid the migration, the old `services.varnish` module is still available.
+- [vinyl-cache] as the Varnish Cache project renamed itself. Available as [services.vinyl-cache](#opt-services.vinyl-cache.enable). To aid the migration, the old `services.varnish` module is still available.

 - [papra](https://papra.app/), an open-source document management platform designed to help you organize, secure, and archive your files effortlessly. Available as [services.papra](#opt-services.papra.enable).

@@ -91,35 +92,33 @@

 - [kiwix-serve](https://wiki.kiwix.org/wiki/Kiwix-serve), a service that serves ZIM files (such as Wikipedia archives) over HTTP. Available as [services.kiwix-serve](#opt-services.kiwix-serve.enable).

- [matterjs-server](https://github.com/matter-js/matterjs-server), a Matter controller with a Home Assistant compatible WebSocket API. Available as [services.matterjs-server](#opt-services.matterjs-server.enable).
-
 - [Remark42](https://remark42.com/), a self-hosted comment engine. Available as [services.remark42](#opt-services.remark42.enable).

 - [LibreChat](https://www.librechat.ai/), open-source self-hostable ChatGPT clone with Agents and RAG APIs. Available as [services.librechat](#opt-services.librechat.enable).

- [nohang](https://github.com/hakavlad/nohang), a daemon for Linux that prevents out of memory (OOM) situations from affecting system responsiveness. Available as [services.nohang](#opt-services.nohang.enable).
+- [nohang](https://github.com/hakavlad/nohang), a daemon for Linux that prevents out of memory (OOM) situations from affecting system responsiveness. Available as [services.nohang](#opt-services.nohang.enable)

 - [clevis-luks-askpass](https://github.com/latchset/clevis), automatic LUKS unlocking in initrd using clevis token bindings stored in LUKS headers. Available as [boot.initrd.clevisLuksAskpass](#opt-boot.initrd.clevisLuksAskpass.enable).

 - [bentopdf](https://github.com/alam00000/bentopdf), a privacy-first PDF toolkit running completely in-browser. Available as [services.bentopdf](#opt-services.bentopdf.enable).

- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as `services.hyprwhspr-rs`.
+- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as `services.hyprwhspr-rs`

 - [DankMaterialShell](https://danklinux.com), a complete desktop shell for Wayland compositors built with Quickshell. Available as [programs.dms-shell](#opt-programs.dms-shell.enable).

- [pyroscope](https://github.com/grafana/pyroscope), a continuous profiling platform that allows for performance debugging. Available as [services.pyroscope](#opt-services.pyroscope.enable).
+- [pyroscope](https://github.com/grafana/pyroscope), a continuous profiling platform. that allows for performance debugging. Available as [services.pyroscope](#opt-services.pyroscope.enable)

 - [dms-greeter](https://danklinux.com), a modern display manager greeter for DankMaterialShell that works with greetd and supports multiple Wayland compositors. Available as [services.displayManager.dms-greeter](#opt-services.displayManager.dms-greeter.enable).

 - [dsearch](https://github.com/AvengeMedia/danksearch), a fast filesystem search service with fuzzy matching. Available as [programs.dsearch](#opt-programs.dsearch.enable).

- [Rustical](https://github.com/lennart-k/rustical), a CalDav/CardDav server aiming to be simple, fast and passwordless. Available as [services.rustical](#opt-services.rustical.enable).
+- [Rustical](https://github.com/lennart-k/rustical), a CalDav/CardDav server aiming to be simple, fast and passwordless. Available as [services.rustical](options.html#opt-services.rustical.enable).

 - [Elephant](https://github.com/abenz1267/elephant), a data provider service and backend for building custom application launchers. Available as [services.elephant](#opt-services.elephant.enable).

 - [Dunst](https://github.com/dunst-project/dunst), a lightweight and customizable notification daemon. Available as [services.dunst](#opt-services.dunst.enable).

- [cocoon](https://github.com/haileyok/cocoon), a PDS (personal data server) that is an alternative to the Bluesky PDS. Available as [services.cocoon](#opt-services.cocoon.enable).
+- [cocoon](https://github.com/haileyok/cocoon), is a PDS (personal data server) that is a alternative to the bluesky pds. Available as [services.cocoon](#opt-services.cocoon.enable).

 - [Ente Auth](https://ente.io/auth/), an open source 2FA authenticator, with end-to-end encrypted backups. Available as [programs.ente-auth](#opt-programs.ente-auth.enable).

@@ -139,7 +138,7 @@

 - [udp-over-tcp](https://github.com/mullvad/udp-over-tcp), a tunnel for proxying UDP traffic over a TCP stream. Available as `services.udp-over-tcp`.

- [turborepo-remote-cache](https://ducktors.github.io/turborepo-remote-cache/), an open-source implementation of the [Turborepo custom remote cache server](https://turbo.build/repo/docs/core-concepts/remote-caching#self-hosting). Available as [services.turborepo-remote-cache](#opt-services.turborepo-remote-cache.enable).
+- [turborepo-remote-cache](https://ducktors.github.io/turborepo-remote-cache/), an open-source implementation of the [Turborepo custom remote cache server](https://turbo.build/repo/docs/core-concepts/remote-caching#self-hosting). Available as [services.turborepo-remote-cache](options.html#opt-services.turborepo-remote-cache).

 - [RSSHub](https://github.com/DIYgod/RSSHub), a service to convert many sources into rss. Available as `services.rsshub`.

@@ -163,7 +162,7 @@

 - [porxie](https://codeberg.org/Blooym/porxie), a correct and efficient ATProto blob proxy for secure content delivery. Available as [services.porxie](#opt-services.porxie.enable).

- [LogiOps](https://github.com/PixlOne/logiops), an unofficial userspace driver for HID++ Logitech devices. Available as [services.logiops](#opt-services.logiops.enable).
+- [LogiOps](https://github.com/PixlOne/logiops), a unofficial userspace driver for HID++ Logitech devices. Available as [services.logiops](#opt-services.logiops.enable).

 ## Backward Incompatibilities {#sec-release-26.05-incompatibilities}

@@ -173,8 +172,6 @@

 - `services.home-assistant.config.lovelace.mode` has been renamed to `lovelace.dashboards` and `lovelace.resource_mode` to match the [configuration format](https://www.home-assistant.io/dashboards/dashboards/) required by Home Assistant 2026.8. Users who explicitly set `lovelace.mode` should remove it; the module generates the correct entries automatically.

- `fulcrum` has been updated to 2.x. If run against an existing v1.x database without the `--db-upgrade` flag it refuses to start; the upgrade takes around an hour on Bitcoin mainnet.
-
 - `opentrack`, `slushload`, `synthesia`, `vtfedit`, `winbox`, `wineasio`, and `yabridge` use wineWow64Packages instead of wineWowPackages as wine versions >= 11.0 have deprecated wineWowPackages. As such, the prefixes for these packages are NOT backwards compatible and need to be regenerated with potential for data loss.

 - []{#sec-release-26.05-incompatibilities-profiles-hardened-removed} `profiles/hardened` has been removed, because:
@@ -223,17 +220,6 @@

 - `services.mattermost` now defaults to version 11, which has dropped support for MySQL in favor of Postgres. As a result, all support for MySQL has been removed from the module.
  See the [migration steps](https://docs.mattermost.com/deployment-guide/manual-postgres-migration.html) if you were not running Postgres.
-  Note that version 11 also restricts the user limit to 250 [by default](https://forum.mattermost.com/t/clarification-request-on-user-limits-max-250-user-server-v-11/25309);
-  see the `pkgs.mattermost` removeUserLimit and removeFreeBadge options combined with `services.mattermost.package` to change this behavior. For example:
-
-```nix
-{
-  services.mattermost.package = pkgs.mattermost.override {
-    removeUserLimit = true;
-    removeFreeBadge = true;
-  };
-}
-```

 - `post-resume.target` has been removed. See {manpage}`systemd.special(7)` about `sleep.target` for instructions on ordering a process after resume with `ExecStop=`.

@@ -275,7 +261,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
  for further information.

  Please do note that there's no official way to rotate. On a single-node instance with the database and the secret-key being
-  on the same filesystem with the same permissions for Grafana only to read, it is most likely OK to keep using the old key.
+  on the same filesystem with the same permissions for Grafana only to read it's most likely OK to keep using the old key.

  If you need to rotate, a [3rd-party tool, `grafana-secretkey-rotation-tool`](https://github.com/erooke/grafana-secretkey-rotation-tool/tree/d9dc788902fa5185e15cb15ce6129f7237ab6138) is a tested option.
  When using a secret for this value, make sure to use [Grafana's variable expansion to inject secrets](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion).
@@ -313,7 +299,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh

 - `walker` has been updated to 2.0.0+, which is a complete rewrite in rust.

-  It now requires a running `elephant` application launcher backend service, which can be enabled using the new `services.elephant.enable`.
+  It now requires a running `elephant` application launcher backend service, which can be enabled using the new `services.elephpant.enable`.

  The way keybinds and actions are handled have been completely revamped. Please refer to the [default config](https://raw.githubusercontent.com/abenz1267/walker/refs/heads/master/resources/config.toml).

@@ -460,7 +446,7 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.

 - `systemd.network.*` has been updated to support all configuration options from upstream `networkd` version 259.

- `networking.resolvconf.enable` now defaults to `true` unconditionally instead of `!(config.environment.etc ? "resolv.conf")`. If you set `environment.etc."resolv.conf"` yourself, then you should also set `networking.resolvconf.enable = false`.
+- `networking.resolvconf.enable` now defaults to `true` unconditionally instead of `!(config.environment.etc ? "resolv.conf")`.If you set `environment.etc."resolv.conf"` yourself, then you should also set `networking.resolvconf.enable = false`.

 - `services.openssh` now supports generating host SSH keys by setting `services.openssh.generateHostKeys = true` while leaving `services.openssh.enable` disabled.  This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.

--- a/nixos/doc/manual/release-notes/rl-2611.section.md
+++ b/nixos/doc/manual/release-notes/rl-2611.section.md
@@ -1,4 +1,4 @@
-# Release 26.11 ("Zokor", 2026.11/??) {#sec-release-26.11}
+# Release 26.11 (2026.11/??) {#sec-release-26.11}

 ## Highlights {#sec-release-26.11-highlights}

@@ -16,7 +16,7 @@

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- `boot.vesa` has been removed. It was deprecated in 2020 because Xorg now works better with kernel modesetting. If you still need the legacy VESA 800x600 fallback, set `boot.kernelParams = [ "vga=0x317" "nomodeset" ];` directly.
+- Create the first release note entry in this section!

 ## Other Notable Changes {#sec-release-26.11-notable-changes}

--- a/nixos/lib/systemd-lib.nix
+++ b/nixos/lib/systemd-lib.nix
@@ -78,13 +78,16 @@ rec {
        {
          preferLocalBuild = true;
          allowSubstitutes = false;
-          text = unit.text or "";
-          __structuredAttrs = true;
+          # unit.text can be null. But variables that are null listed in
+          # passAsFile are ignored by nix, resulting in no file being created,
+          # making the mv operation fail.
+          text = optionalString (unit.text != null) unit.text;
+          passAsFile = [ "text" ];
        }
        ''
          name=${shellEscape name}
          mkdir -p "$out/$(dirname -- "$name")"
-          printf "%s" "$text" > "$out/$name"
+          mv "$textPath" "$out/$name"
        ''
    else
      pkgs.runCommand "unit-${mkPathSafeName name}-disabled"
--- a/nixos/modules/config/console.nix
+++ b/nixos/modules/config/console.nix
@@ -217,7 +217,7 @@ in
          # When imperative, seed /etc/vconsole.conf on first boot from declared
          # defaults so the keymap isn't lost before localectl is ever used
          systemd.tmpfiles.rules = lib.mkIf i18nCfg.imperativeLocale [
-            "C /etc/vconsole.conf - - - - ${vconsoleConf true}"
+            "C /etc/vconsole.conf - - - - ${vconsoleConf}"
          ];

          systemd.services.reload-systemd-vconsole-setup = {
--- a/nixos/modules/config/nix-channel.nix
+++ b/nixos/modules/config/nix-channel.nix
@@ -70,7 +70,7 @@ in
      defaultChannel = mkOption {
        internal = true;
        type = types.str;
-        default = "https://channels.nixos.org/nixos-unstable";
+        default = "https://channels.nixos.org/nixos-26.05";
        description = "Default NixOS channel to which the root user is subscribed.";
      };
    };
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -505,7 +505,7 @@ EOF
    # This should work for single and multi-device systems.
    # still needs subvolume support
    if ($fsType eq "bcachefs") {
-        my ($status, @info) = runCommand("@bcachefs@ fs usage $rootDir$mountPoint");
+        my ($status, @info) = runCommand("bcachefs fs usage $rootDir$mountPoint");
        my $UUID = $info[0];

        if ($status == 0 && $UUID =~ /^Filesystem:[ \t\n]*([0-9a-z-]+)/) {
--- a/nixos/modules/installer/tools/tools.nix
+++ b/nixos/modules/installer/tools/tools.nix
@@ -30,20 +30,15 @@ let
    name = "nixos-generate-config";
    src = ./nixos-generate-config.pl;
    replacements = {
-      perl = lib.getExe (
+      perl = "${
        pkgs.perl.withPackages (p: [
          p.FileSlurp
          p.ConfigIniFiles
        ])
-      );
+      }/bin/perl";
      hostPlatformSystem = pkgs.stdenv.hostPlatform.system;
-      detectvirt = lib.getExe' config.systemd.package "systemd-detect-virt";
-      bcachefs =
-        if pkgs.bcachefs-tools.meta.broken then
-          lib.getExe' pkgs.coreutils "false"
-        else
-          lib.getExe pkgs.bcachefs-tools;
-      btrfs = lib.getExe pkgs.btrfs-progs;
+      detectvirt = "${config.systemd.package}/bin/systemd-detect-virt";
+      btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
      inherit (config.system.nixos-generate-config) configuration desktopConfiguration flake;
      xserverEnabled = config.services.xserver.enable;
    };
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -51,6 +51,7 @@ let
      VENDOR_URL = optionalString isNixos "https://nixos.org/";
      DOCUMENTATION_URL = optionalString isNixos "https://nixos.org/learn.html";
      SUPPORT_URL = optionalString isNixos "https://nixos.org/community.html";
+      SUPPORT_END = "2026-12-31";
      BUG_REPORT_URL = optionalString isNixos "https://github.com/NixOS/nixpkgs/issues";
      ANSI_COLOR = optionalString isNixos "0;38;2;126;186;228";
      IMAGE_ID = optionalString (config.system.image.id != null) config.system.image.id;
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -733,7 +733,6 @@
  ./services/home-automation/home-assistant.nix
  ./services/home-automation/homebridge.nix
  ./services/home-automation/matter-server.nix
-  ./services/home-automation/matterjs-server.nix
  ./services/home-automation/openthread-border-router.nix
  ./services/home-automation/wyoming/faster-whisper.nix
  ./services/home-automation/wyoming/openwakeword.nix
--- a/nixos/modules/programs/command-not-found/command-not-found.nix
+++ b/nixos/modules/programs/command-not-found/command-not-found.nix
@@ -33,10 +33,7 @@ in

    enable = lib.mkOption {
      type = lib.types.bool;
-      default = builtins.pathExists config.programs.command-not-found.dbPath;
-      defaultText = lib.literalExpression ''
-        builtins.pathExists config.programs.command-not-found.dbPath
-      '';
+      default = false;
      description = ''
        Whether interactive shells should show which Nix package (if
        any) provides a missing command.
@@ -48,11 +45,6 @@ in
    };

    dbPath = lib.mkOption {
-      type = lib.types.path;
-      default = pkgs.path + "/programs.sqlite";
-      defaultText = lib.literalExpression ''
-        pkgs.path + "/programs.sqlite"
-      '';
      description = ''
        Absolute path to `programs.sqlite`, which contains mappings from binary names to package names.

@@ -62,29 +54,39 @@ in
        `/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite`.
        If you do so, you can update it with `sudo nix-channels --update`.
      '';
+      type = lib.types.path;
    };
  };

-  config = lib.mkIf cfg.enable {
-    programs.bash.interactiveShellInit = ''
-      command_not_found_handle() {
-        '${commandNotFound}/bin/command-not-found' "$@"
-      }
-    '';
+  config = lib.mkMerge [
+    {
+      programs.command-not-found = {
+        enable = lib.mkDefault (builtins.pathExists cfg.dbPath);
+        dbPath = pkgs.path + "/programs.sqlite";
+      };
+    }

-    programs.zsh.interactiveShellInit = ''
-      command_not_found_handler() {
-        '${commandNotFound}/bin/command-not-found' "$@"
-      }
-    '';
+    (lib.mkIf cfg.enable {
+      programs.bash.interactiveShellInit = ''
+        command_not_found_handle() {
+          '${commandNotFound}/bin/command-not-found' "$@"
+        }
+      '';

-    # NOTE: Fish by itself checks for nixos command-not-found, let's instead makes it explicit.
-    programs.fish.interactiveShellInit = ''
-      function fish_command_not_found
-         "${commandNotFound}/bin/command-not-found" $argv
-      end
-    '';
+      programs.zsh.interactiveShellInit = ''
+        command_not_found_handler() {
+          '${commandNotFound}/bin/command-not-found' "$@"
+        }
+      '';

-    environment.systemPackages = [ commandNotFound ];
-  };
+      # NOTE: Fish by itself checks for nixos command-not-found, let's instead makes it explicit.
+      programs.fish.interactiveShellInit = ''
+        function fish_command_not_found
+           "${commandNotFound}/bin/command-not-found" $argv
+        end
+      '';
+
+      environment.systemPackages = [ commandNotFound ];
+    })
+  ];
 }
--- a/nixos/modules/programs/gamemode.nix
+++ b/nixos/modules/programs/gamemode.nix
@@ -15,8 +15,6 @@ in
    programs.gamemode = {
      enable = lib.mkEnableOption "GameMode to optimise system performance on demand";

-      package = lib.mkPackageOption pkgs "gamemode" { };
-
      enableRenice =
        lib.mkEnableOption "CAP_SYS_NICE on gamemoded to support lowering process niceness"
        // {
@@ -55,7 +53,7 @@ in

  config = lib.mkIf cfg.enable {
    environment = {
-      systemPackages = [ cfg.package ];
+      systemPackages = [ pkgs.gamemode ];
      etc."gamemode.ini".source = configFile;
    };

@@ -65,14 +63,14 @@ in
        gamemoded = {
          owner = "root";
          group = "root";
-          source = "${cfg.package}/bin/gamemoded";
+          source = "${pkgs.gamemode}/bin/gamemoded";
          capabilities = "cap_sys_nice+ep";
        };
      };
    };

    systemd = {
-      packages = [ cfg.package ];
+      packages = [ pkgs.gamemode ];
      user.services.gamemoded = {
        # Use pkexec from the security wrappers to allow users to
        # run libexec/cpugovctl & libexec/gpuclockctl as root with
--- a/nixos/modules/programs/gamescope.nix
+++ b/nixos/modules/programs/gamescope.nix
@@ -26,8 +26,6 @@ in

    package = lib.mkPackageOption pkgs "gamescope" { };

-    enableWsi = lib.mkEnableOption "gamescope-wsi, the Vulkan WSI layer, alongside gamescope";
-
    capSysNice = lib.mkOption {
      type = lib.types.bool;
      default = false;
@@ -78,11 +76,6 @@ in
    };

    environment.systemPackages = lib.mkIf (!cfg.capSysNice) [ gamescope ];
-
-    hardware.graphics = lib.optionalAttrs cfg.enableWsi {
-      extraPackages = with pkgs; [ gamescope-wsi ];
-      extraPackages32 = with pkgs; [ pkgsi686Linux.gamescope-wsi ];
-    };
  };

  meta.maintainers = [ ];
--- a/nixos/modules/programs/lix.nix
+++ b/nixos/modules/programs/lix.nix
@@ -47,9 +47,6 @@ in

 {
  config = lib.mkIf (cfg.enable && nixPackage.pname == "lix") {
-    # Require the tun kernel module for pasta, can be disabled if pasta is not used.
-    boot.kernelModules.tun = lib.mkDefault true;
-
    environment.systemPackages = [
      nixPackage
      pkgs.nix-info
--- a/nixos/modules/programs/steam.nix
+++ b/nixos/modules/programs/steam.nix
@@ -56,29 +56,38 @@ in
      '';
      apply =
        steam:
-        steam.override (prev: {
-          extraEnv =
-            (lib.optionalAttrs (cfg.extraCompatPackages != [ ]) {
-              STEAM_EXTRA_COMPAT_TOOLS_PATHS = extraCompatPaths;
-            })
-            // (lib.optionalAttrs cfg.extest.enable {
-              LD_PRELOAD = "${pkgs.pkgsi686Linux.extest}/lib/libextest.so";
-            })
-            // (prev.extraEnv or { });
-          extraLibraries =
-            pkgs:
-            let
-              prevLibs = if prev ? extraLibraries then prev.extraLibraries pkgs else [ ];
-              additionalLibs =
-                with config.hardware.graphics;
-                if pkgs.stdenv.hostPlatform.is64bit then
-                  [ package ] ++ extraPackages
-                else
-                  [ package32 ] ++ extraPackages32;
-            in
-            prevLibs ++ additionalLibs;
-          extraPkgs = p: (cfg.extraPackages ++ lib.optionals (prev ? extraPkgs) (prev.extraPkgs p));
-        });
+        steam.override (
+          prev:
+          {
+            extraEnv =
+              (lib.optionalAttrs (cfg.extraCompatPackages != [ ]) {
+                STEAM_EXTRA_COMPAT_TOOLS_PATHS = extraCompatPaths;
+              })
+              // (lib.optionalAttrs cfg.extest.enable {
+                LD_PRELOAD = "${pkgs.pkgsi686Linux.extest}/lib/libextest.so";
+              })
+              // (prev.extraEnv or { });
+            extraLibraries =
+              pkgs:
+              let
+                prevLibs = if prev ? extraLibraries then prev.extraLibraries pkgs else [ ];
+                additionalLibs =
+                  with config.hardware.graphics;
+                  if pkgs.stdenv.hostPlatform.is64bit then
+                    [ package ] ++ extraPackages
+                  else
+                    [ package32 ] ++ extraPackages32;
+              in
+              prevLibs ++ additionalLibs;
+            extraPkgs = p: (cfg.extraPackages ++ lib.optionals (prev ? extraPkgs) (prev.extraPkgs p));
+          }
+          // lib.optionalAttrs (cfg.gamescopeSession.enable && gamescopeCfg.capSysNice) {
+            buildFHSEnv = pkgs.buildFHSEnv.override {
+              # use the setuid wrapped bubblewrap
+              bubblewrap = "${config.security.wrapperDir}/..";
+            };
+          }
+        );
      description = ''
        The Steam package to use. Additional libraries are added from the system
        configuration to ensure graphics work properly.
@@ -209,6 +218,16 @@ in
      enable32Bit = true;
    };

+    security.wrappers = lib.mkIf (cfg.gamescopeSession.enable && gamescopeCfg.capSysNice) {
+      # needed or steam fails
+      bwrap = {
+        owner = "root";
+        group = "root";
+        source = "${pkgs.bubblewrap}/bin/bwrap";
+        setuid = true;
+      };
+    };
+
    programs.steam.extraPackages = cfg.fontPackages;

    programs.gamescope.enable = lib.mkDefault cfg.gamescopeSession.enable;
--- a/nixos/modules/programs/throne.nix
+++ b/nixos/modules/programs/throne.nix
@@ -23,7 +23,7 @@ in
        enable = lib.mkEnableOption "TUN mode of Throne";

        setuid = lib.mkEnableOption ''
-          setting suid bit for ThroneCore to run as root, which is less
+          setting suid bit for throne-core to run as root, which is less
          secure than default setcap method but closer to upstream assumptions.
          Enable this if you find the default setcap method configured in
          this module doesn't work for you
@@ -36,8 +36,8 @@ in

    environment.systemPackages = [ cfg.package ];

-    security.wrappers."ThroneCore" = lib.mkIf cfg.tunMode.enable {
-      source = "${cfg.package}/share/throne/ThroneCore";
+    security.wrappers.throne-core = lib.mkIf cfg.tunMode.enable {
+      source = "${cfg.package}/share/throne/Core";
      owner = "root";
      group = "root";
      setuid = lib.mkIf cfg.tunMode.setuid true;
@@ -49,7 +49,7 @@ in

    # avoid resolvectl password prompt popping up three times
    # https://github.com/SagerNet/sing-tun/blob/0686f8c4f210f4e7039c352d42d762252f9d9cf5/tun_linux.go#L1062
-    # We use a hack here to determine whether the requested process is ThroneCore
+    # We use a hack here to determine whether the requested process is throne-core
    # Detect whether its capabilities contain at least `net_admin` and `net_raw`.
    # This does not reduce security, as we can already bypass `resolved` with them.
    # Alternatives to consider:
@@ -61,7 +61,7 @@ in
    #    change its own cmdline. `/proc/<pid>/exe` is reliable but kernel forbids
    #    checking that entry of process from different users, and polkit runs `spawn`
    #    as an unprivileged user.
-    # 3. Put ThroneCore into a systemd service, and let polkit check service name.
+    # 3. Put throne-core into a systemd service, and let polkit check service name.
    #    This is the most secure and convenient way but requires heavy modification
    #    to Throne source code. Would be good to let upstream support that eventually.
    security.polkit.extraConfig =
@@ -69,7 +69,6 @@ in
        ''
          polkit.addRule(function(action, subject) {
            const allowedActionIds = [
-              "org.freedesktop.resolve1.revert",
              "org.freedesktop.resolve1.set-domains",
              "org.freedesktop.resolve1.set-default-route",
              "org.freedesktop.resolve1.set-dns-servers"
--- a/nixos/modules/programs/zsh/zsh.nix
+++ b/nixos/modules/programs/zsh/zsh.nix
@@ -249,8 +249,8 @@ in
        setopt ${builtins.concatStringsSep " " cfg.setOptions}
      ''}

-      # Determine current fqdn hostname
-      HOST=$(hostname --fqdn)
+      # Alternative method of determining short and full hostname.
+      HOST=${config.networking.fqdnOrHostName}

      # Setup command line history.
      # Don't export these, otherwise other shells (bash) will try to use same HISTFILE.
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -8,21 +8,6 @@
  ...
 }:
 let
-  inherit (lib)
-    attrNames
-    catAttrs
-    concatLines
-    concatMap
-    filter
-    unique
-    flip
-    elem
-    attrValues
-    concatMapStrings
-    hasPrefix
-    concatStringsSep
-    sort
-    ;

  moduleSettingsType =
    with lib.types;
@@ -896,30 +881,41 @@ let

        text =
          let
+            ensureUniqueOrder =
+              type: rules:
+              let
+                checkPair =
+                  a: b:
+                  assert lib.assertMsg (a.order != b.order)
+                    "security.pam.services.${name}.rules.${type}: rules '${a.name}' and '${b.name}' cannot have the same order value (${toString a.order})";
+                  b;
+                checked = lib.zipListsWith checkPair rules (lib.drop 1 rules);
+              in
+              lib.take 1 rules ++ checked;
            # Formats a string for use in `module-arguments`. See `man pam.conf`.
            formatModuleArgument =
              token: if lib.hasInfix " " token then "[${lib.replaceStrings [ "]" ] [ "\\]" ] token}]" else token;
-
            formatRules =
              type:
-              concatStringsSep "\n" (
-                map
-                  (
-                    rule:
-                    "${type} ${rule.control} ${rule.modulePath}${
-                      if rule.args == [ ] then "" else " " + concatStringsSep " " (map formatModuleArgument rule.args)
-                    } # ${rule.name} (order ${toString rule.order})"
+              lib.pipe cfg.rules.${type} [
+                lib.attrValues
+                (lib.filter (rule: rule.enable))
+                (lib.sort (a: b: a.order < b.order))
+                (ensureUniqueOrder type)
+                (map (
+                  rule:
+                  lib.concatStringsSep " " (
+                    [
+                      type
+                      rule.control
+                      rule.modulePath
+                    ]
+                    ++ map formatModuleArgument rule.args
+                    ++ [ "# ${rule.name} (order ${toString rule.order})" ]
                  )
-                  (
-                    sort (
-                      a: b:
-                      if a.order != b.order then
-                        a.order < b.order
-                      else
-                        throw "security.pam.services.${name}.rules.${type}: rules '${a.name}' and '${b.name}' cannot have the same order value (${toString a.order})"
-                    ) (filter (rule: rule.enable) (attrValues cfg.rules.${type}))
-                  )
-              );
+                ))
+                (lib.concatStringsSep "\n")
+              ];
          in
          lib.mkDefault ''
            # Account management.
@@ -2641,29 +2637,35 @@ in
    };

    security.apparmor.includes."abstractions/pam" =
-      concatMapStrings (name: "r ${config.environment.etc."pam.d/${name}".source},\n") (
-        attrNames enabledServices
+      lib.concatMapStrings (name: "r ${config.environment.etc."pam.d/${name}".source},\n") (
+        lib.attrNames enabledServices
      )
      + (
-        let
-          types = concatMap attrValues (catAttrs "rules" (attrValues enabledServices));
-          rules = concatMap attrValues types;
-
-          isDirect = flip elem [
-            "include"
-            "substack"
-          ];
-          activeRules = filter (rule: rule.enable && !isDirect rule.control) rules;
-
-          modulePaths = concatMap (
+        with lib;
+        pipe enabledServices [
+          lib.attrValues
+          (catAttrs "rules")
+          (lib.concatMap lib.attrValues)
+          (lib.concatMap lib.attrValues)
+          (lib.filter (rule: rule.enable))
+          (lib.filter (
            rule:
-            if (!hasPrefix "/" rule.modulePath) then
-              throw ''non-absolute PAM modulePath "${rule.modulePath}" is unsupported by apparmor''
-            else
-              [ rule.modulePath ]
-          ) activeRules;
-        in
-        concatLines (map (module: "mr ${module},") (unique modulePaths))
+            !builtins.elem rule.control [
+              "include"
+              "substack"
+            ]
+          ))
+          (lib.catAttrs "modulePath")
+          (map (
+            modulePath:
+            lib.throwIfNot (lib.hasPrefix "/" modulePath)
+              ''non-absolute PAM modulePath "${modulePath}" is unsupported by apparmor''
+              modulePath
+          ))
+          lib.unique
+          (map (module: "mr ${module},"))
+          concatLines
+        ]
      );

    security.sudo.extraConfig = optionalSudoConfigForSSHAgentAuth;
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -245,134 +245,156 @@ in
  };

  ###### implementation
-  config = lib.mkIf config.security.enableWrappers {
-
-    assertions = lib.mapAttrsToList (name: opts: {
-      assertion = opts.setuid || opts.setgid -> opts.capabilities == "";
-      message = ''
-        The security.wrappers.${name} wrapper is not valid:
-            setuid/setgid and capabilities are mutually exclusive.
+  config = lib.mkMerge [
+    {
+      warnings = lib.optional (wrappers != { } && !config.security.enableWrappers) ''
+        security.enableWrappers is set to false, but the following wrappers are still enabled and will be silently ignored: ${lib.concatStringsSep ", " (lib.attrNames wrappers)}. This might prevent fundamental functionalities, like PAM authentication. To avoid this warning, either set security.enableWrappers = true, or explicitly disable each wrapper with `enable = false`.
      '';
-    }) wrappers;
+      assertions = [
+        {
+          assertion =
+            !(
+              !config.security.enableWrappers && lib.any (u: u.isNormalUser) (lib.attrValues config.users.users)
+            );
+          message = ''
+            security.enableWrappers is disabled but normal users are defined
+            (${
+              lib.concatStringsSep ", " (
+                lib.mapAttrsToList (n: _: n) (lib.filterAttrs (_: u: u.isNormalUser) config.users.users)
+              )
+            }). Without SUID wrappers, users cannot login. Either enable wrappers or remove all normal user accounts.
+          '';
+        }
+      ];
+    }
+    (lib.mkIf config.security.enableWrappers {
+      assertions = lib.mapAttrsToList (name: opts: {
+        assertion = opts.setuid || opts.setgid -> opts.capabilities == "";
+        message = ''
+          The security.wrappers.${name} wrapper is not valid:
+              setuid/setgid and capabilities are mutually exclusive.
+        '';
+      }) wrappers;

-    security.wrappers =
-      let
-        mkSetuidRoot = source: {
-          setuid = true;
-          owner = "root";
-          group = "root";
-          inherit source;
+      security.wrappers =
+        let
+          mkSetuidRoot = source: {
+            setuid = true;
+            owner = "root";
+            group = "root";
+            inherit source;
+          };
+        in
+        {
+          # These are mount related wrappers that require the +s permission.
+          mount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount";
+          umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";
        };
-      in
-      {
-        # These are mount related wrappers that require the +s permission.
-        mount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount";
-        umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";
+
+      # Make sure our wrapperDir exports to the PATH env variable when
+      # initializing the shell
+      environment.extraInit = ''
+        # Wrappers override other bin directories.
+        export PATH="${wrapperDir}:$PATH"
+      '';
+
+      security.apparmor.includes = lib.mapAttrs' (
+        wrapName: wrap:
+        lib.nameValuePair "nixos/security.wrappers/${wrapName}" ''
+          include "${
+            pkgs.apparmorRulesFromClosure { name = "security.wrappers.${wrapName}"; } [
+              (securityWrapper wrap.source)
+            ]
+          }"
+          mrpx ${wrap.source},
+        ''
+      ) wrappers;
+
+      systemd.mounts = [
+        {
+          where = parentWrapperDir;
+          what = "tmpfs";
+          type = "tmpfs";
+          options = lib.concatStringsSep "," [
+            "nodev"
+            "mode=755"
+            "size=${config.security.wrapperDirSize}"
+          ];
+        }
+      ];
+
+      systemd.services.suid-sgid-wrappers = {
+        description = "Create SUID/SGID Wrappers";
+        wantedBy = [ "sysinit.target" ];
+        before = [
+          "sysinit.target"
+          "shutdown.target"
+        ];
+        conflicts = [ "shutdown.target" ];
+        after = [ "systemd-sysusers.service" ];
+        unitConfig.DefaultDependencies = false;
+        unitConfig.RequiresMountsFor = [
+          "/nix/store"
+          "/run/wrappers"
+        ];
+        serviceConfig.RestrictSUIDSGID = false;
+        serviceConfig.Type = "oneshot";
+        script = ''
+          chmod 755 "${parentWrapperDir}"
+
+          # We want to place the tmpdirs for the wrappers to the parent dir.
+          wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
+          chmod a+rx "$wrapperDir"
+
+          ${lib.concatStringsSep "\n" mkWrappedPrograms}
+
+          if [ -L ${wrapperDir} ]; then
+            # Atomically replace the symlink
+            # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
+            old=$(readlink -f ${wrapperDir})
+            if [ -e "${wrapperDir}-tmp" ]; then
+              rm --force --recursive "${wrapperDir}-tmp"
+            fi
+            ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp"
+            mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}"
+            rm --force --recursive "$old"
+          else
+            # For initial setup
+            ln --symbolic "$wrapperDir" "${wrapperDir}"
+          fi
+        '';
      };

-    # Make sure our wrapperDir exports to the PATH env variable when
-    # initializing the shell
-    environment.extraInit = ''
-      # Wrappers override other bin directories.
-      export PATH="${wrapperDir}:$PATH"
-    '';
+      ###### wrappers consistency checks
+      system.checks = lib.singleton (
+        pkgs.runCommand "ensure-all-wrappers-paths-exist"
+          {
+            preferLocalBuild = true;
+          }
+          ''
+            # make sure we produce output
+            mkdir -p $out

-    security.apparmor.includes = lib.mapAttrs' (
-      wrapName: wrap:
-      lib.nameValuePair "nixos/security.wrappers/${wrapName}" ''
-        include "${
-          pkgs.apparmorRulesFromClosure { name = "security.wrappers.${wrapName}"; } [
-            (securityWrapper wrap.source)
-          ]
-        }"
-        mrpx ${wrap.source},
-      ''
-    ) wrappers;
+            echo -n "Checking that Nix store paths of all wrapped programs exist... "

-    systemd.mounts = [
-      {
-        where = parentWrapperDir;
-        what = "tmpfs";
-        type = "tmpfs";
-        options = lib.concatStringsSep "," [
-          "nodev"
-          "mode=755"
-          "size=${config.security.wrapperDirSize}"
-        ];
-      }
-    ];
+            declare -A wrappers
+            ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: "wrappers['${n}']='${v.source}'") wrappers)}

-    systemd.services.suid-sgid-wrappers = {
-      description = "Create SUID/SGID Wrappers";
-      wantedBy = [ "sysinit.target" ];
-      before = [
-        "sysinit.target"
-        "shutdown.target"
-      ];
-      conflicts = [ "shutdown.target" ];
-      after = [ "systemd-sysusers.service" ];
-      unitConfig.DefaultDependencies = false;
-      unitConfig.RequiresMountsFor = [
-        "/nix/store"
-        "/run/wrappers"
-      ];
-      serviceConfig.RestrictSUIDSGID = false;
-      serviceConfig.Type = "oneshot";
-      script = ''
-        chmod 755 "${parentWrapperDir}"
+            for name in "''${!wrappers[@]}"; do
+              path="''${wrappers[$name]}"
+              if [[ "$path" =~ /nix/store ]] && [ ! -e "$path" ]; then
+                test -t 1 && echo -ne '\033[1;31m'
+                echo "FAIL"
+                echo "The path $path does not exist!"
+                echo 'Please, check the value of `security.wrappers."'$name'".source`.'
+                test -t 1 && echo -ne '\033[0m'
+                exit 1
+              fi
+            done

-        # We want to place the tmpdirs for the wrappers to the parent dir.
-        wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
-        chmod a+rx "$wrapperDir"
-
-        ${lib.concatStringsSep "\n" mkWrappedPrograms}
-
-        if [ -L ${wrapperDir} ]; then
-          # Atomically replace the symlink
-          # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
-          old=$(readlink -f ${wrapperDir})
-          if [ -e "${wrapperDir}-tmp" ]; then
-            rm --force --recursive "${wrapperDir}-tmp"
-          fi
-          ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp"
-          mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}"
-          rm --force --recursive "$old"
-        else
-          # For initial setup
-          ln --symbolic "$wrapperDir" "${wrapperDir}"
-        fi
-      '';
-    };
-
-    ###### wrappers consistency checks
-    system.checks = lib.singleton (
-      pkgs.runCommand "ensure-all-wrappers-paths-exist"
-        {
-          preferLocalBuild = true;
-        }
-        ''
-          # make sure we produce output
-          mkdir -p $out
-
-          echo -n "Checking that Nix store paths of all wrapped programs exist... "
-
-          declare -A wrappers
-          ${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: "wrappers['${n}']='${v.source}'") wrappers)}
-
-          for name in "''${!wrappers[@]}"; do
-            path="''${wrappers[$name]}"
-            if [[ "$path" =~ /nix/store ]] && [ ! -e "$path" ]; then
-              test -t 1 && echo -ne '\033[1;31m'
-              echo "FAIL"
-              echo "The path $path does not exist!"
-              echo 'Please, check the value of `security.wrappers."'$name'".source`.'
-              test -t 1 && echo -ne '\033[0m'
-              exit 1
-            fi
-          done
-
-          echo "OK"
-        ''
-    );
-  };
+            echo "OK"
+          ''
+      );
+    })
+  ];
 }
--- a/nixos/modules/services/continuous-integration/github-runner/options.nix
+++ b/nixos/modules/services/continuous-integration/github-runner/options.nix
@@ -289,6 +289,7 @@
                  "node24"
                ]);
              default = [
+                "node20"
                "node24"
              ];
              description = ''
--- a/nixos/modules/services/desktops/seatd.nix
+++ b/nixos/modules/services/desktops/seatd.nix
@@ -40,7 +40,6 @@ in
  config = lib.mkIf cfg.enable {
    environment.systemPackages = with pkgs; [
      seatd
-      sdnotify-wrapper
    ];
    users.groups.seat = lib.mkIf (cfg.group == "seat") { };

@@ -55,7 +54,7 @@ in
        Type = "notify";
        NotifyAccess = "all";
        SyslogIdentifier = "seatd";
-        ExecStart = "${pkgs.sdnotify-wrapper}/bin/sdnotify-wrapper ${pkgs.seatd.bin}/bin/seatd -n 1 -u ${cfg.user} -g ${cfg.group} -l ${cfg.logLevel}";
+        ExecStart = "${lib.getExe' pkgs.s6 "s6-notify-socket-from-fd"} ${pkgs.seatd.bin}/bin/seatd -n 1 -u ${cfg.user} -g ${cfg.group} -l ${cfg.logLevel}";
        RestartSec = 1;
        Restart = "always";
      };
--- a/nixos/modules/services/display-managers/cosmic-greeter.nix
+++ b/nixos/modules/services/display-managers/cosmic-greeter.nix
@@ -26,7 +26,6 @@ in
  config = lib.mkIf cfg.enable {
    environment.systemPackages = [
      pkgs.cosmic-comp
-      pkgs.cosmic-icons
      cfg.package
    ];

--- a/nixos/modules/services/home-automation/matterjs-server.nix
+++ b/nixos/modules/services/home-automation/matterjs-server.nix
@@ -1,127 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  cfg = config.services.matterjs-server;
-in
-{
-  options.services.matterjs-server = {
-    enable = lib.mkEnableOption "matterjs-server, a Matter Controller WebSocket server based on Matter.js";
-
-    package = lib.mkPackageOption pkgs "matterjs-server" { };
-
-    listenAddress = lib.mkOption {
-      type = lib.types.str;
-      default = "127.0.0.1";
-      description = "IP address the WebSocket API binds to.";
-    };
-
-    port = lib.mkOption {
-      type = lib.types.port;
-      default = 5580;
-      description = "TCP port the WebSocket API listens on.";
-    };
-
-    openFirewall = lib.mkEnableOption null // {
-      description = "Whether to open the WebSocket API port in the firewall.";
-    };
-
-    bluetoothSupport = lib.mkEnableOption ''
-      BLE (Bluetooth Low Energy) commissioning support. Select an adapter with
-      `--bluetooth-adapter=<id>` in
-      {option}`services.matterjs-server.extraArgs`
-    '';
-
-    extraArgs = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      default = [ ];
-      example = [
-        "--primary-interface=enp11s0"
-        "--log-level=debug"
-      ];
-      description = ''
-        Additional command-line arguments passed to `matterjs-server`. See
-        `matterjs-server --help` for the full list of options.
-      '';
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    networking.firewall = lib.mkIf cfg.openFirewall {
-      allowedTCPPorts = [ cfg.port ];
-    };
-
-    systemd.services.matterjs-server = {
-      description = "Matter Controller WebSocket server based on Matter.js";
-      documentation = [ "https://github.com/matter-js/matterjs-server" ];
-
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network-online.target" ];
-      wants = [ "network-online.target" ];
-
-      serviceConfig =
-        let
-          bluetoothCaps = [
-            "CAP_NET_RAW"
-            "CAP_NET_ADMIN"
-          ];
-        in
-        {
-          ExecStart = lib.escapeShellArgs (
-            [
-              (lib.getExe cfg.package)
-              "--storage-path=%S/matterjs-server"
-              "--listen-address=${cfg.listenAddress}"
-              "--port=${toString cfg.port}"
-              "--production-mode"
-            ]
-            ++ cfg.extraArgs
-          );
-
-          StateDirectory = "matterjs-server";
-          StateDirectoryMode = "0700";
-
-          DynamicUser = true;
-
-          # Required for interaction with hci devices and bluetooth sockets
-          AmbientCapabilities = lib.optionals cfg.bluetoothSupport bluetoothCaps;
-          CapabilityBoundingSet = lib.optionals cfg.bluetoothSupport bluetoothCaps;
-          LockPersonality = true;
-          NoNewPrivileges = true;
-          PrivateTmp = true;
-          PrivateUsers = !cfg.bluetoothSupport; # Prevents gaining capabilities in the host namespace
-          ProcSubset = "pid";
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectProc = "invisible";
-          ProtectSystem = "strict";
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-            "AF_NETLINK"
-            "AF_UNIX"
-          ]
-          ++ lib.optional cfg.bluetoothSupport "AF_BLUETOOTH";
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          SystemCallArchitectures = "native";
-          SystemCallFilter = [
-            "@system-service"
-            "~@privileged"
-          ];
-          UMask = "0077";
-        };
-    };
-  };
-
-  meta.maintainers = with lib.maintainers; [ kranzes ];
-}
--- a/nixos/modules/services/misc/klipper.nix
+++ b/nixos/modules/services/misc/klipper.nix
@@ -14,14 +14,7 @@ let
        lib.generators.mkValueStringDefault { } (lib.head l)
      else
        lib.concatMapStrings (s: "\n  ${lib.generators.mkValueStringDefault { } s}") l;
-    mkKeyValue =
-      key: value:
-      lib.generators.mkKeyValueDefault { } ":" key (
-        if builtins.isString value && lib.hasInfix "\n" value then
-          "\n  ${lib.replaceString "\n" "\n  " value}"
-        else
-          value
-      );
+    mkKeyValue = lib.generators.mkKeyValueDefault { } ":";
  };
  firmwareSubmodule = lib.types.submodule (
    { name, ... }@local:
--- a/nixos/modules/services/networking/bird.nix
+++ b/nixos/modules/services/networking/bird.nix
@@ -93,7 +93,6 @@ in
    systemd.services.bird = {
      description = "BIRD Internet Routing Daemon";
      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
      reloadTriggers = lib.optional cfg.autoReload config.environment.etc."bird/bird.conf".source;
      serviceConfig = {
        Type = "forking";
--- a/nixos/modules/services/networking/fastnetmon-advanced.nix
+++ b/nixos/modules/services/networking/fastnetmon-advanced.nix
@@ -207,10 +207,6 @@ in
          AmbientCapabilities = "cap_net_bind_service";
        };
      };
-
-      services.fastnetmon-advanced.hostgroups = {
-        global = { };
-      };
    })

    (lib.mkIf (cfg.enable && cfg.enableAdvancedTrafficPersistence) {
--- a/nixos/modules/services/networking/llama-swap.nix
+++ b/nixos/modules/services/networking/llama-swap.nix
@@ -166,6 +166,7 @@ in
        SystemCallErrorNumber = "EPERM";
        ProtectProc = "invisible";
        ProtectHostname = true;
+        ProcSubset = "pid";
        WorkingDirectory = "/tmp";
      };
    };
--- a/nixos/modules/services/networking/porxie.nix
+++ b/nixos/modules/services/networking/porxie.nix
@@ -62,9 +62,9 @@ in
            description = ''
              Admin password for authenticating privileged requests.

-              Authenticated requests always expect the username `admin` as per specification.
+              When unset, all authenticated endpoints will reject requests with HTTP 401.

-              When not set, authenticated endpoints will be unavailable.
+              Authenticated requests always expect the username `admin` as per specification.

              Should be set via {option}`environmentFiles` rather than directly.
            '';
@@ -90,17 +90,20 @@ in
            description = ''
              Maximum blob size that can be served.

-              This value cannot be set higher than the system's total memory.
+              Blobs that exceed this limit will return HTTP 413.
+
+              The minimum value is 512kb and the maximum is the system's total memory.
            '';
          };
          PORXIE_BLOB_CACHE_HEADER = lib.mkOption {
            type = lib.types.nullOr lib.types.str;
            default = null;
            description = ''
-              The Cache-Control header value to send alongside blob responses.
+              The `Cache-Control` header value to send alongside blob responses.

-              This does not affect internal cache lifetimes, only how downstream clients such as CDNs
-              and browsers are instructed to cache responses.
+              This does not affect internal cache lifetimes, only how downstream clients such as
+              CDNs and browsers are instructed to cache responses. Intermediary caches may need
+              to be cleared manually for changes to take effect quickly.
            '';
          };
          PORXIE_BLOB_PROCESSING_TIMEOUT = lib.mkOption {
@@ -113,12 +116,39 @@ in
            default = null;
            description = "Maximum duration before blob fetch requests are timed out.";
          };
+          PORXIE_BLOB_HTTP_CONNECT_TIMEOUT = lib.mkOption {
+            type = lib.types.nullOr lib.types.str;
+            default = null;
+            description = ''
+              Maximum duration before an attempted connection to a blob upstream is aborted.
+
+              This value should be lower than {option}`settings.PORXIE_BLOB_HTTP_TIMEOUT`.
+            '';
+          };

          # Identity.
          PORXIE_IDENTITY_PLC_URL = lib.mkOption {
            type = lib.types.nullOr lib.types.str;
            default = null;
-            description = "URL of the PLC instance used for `did:plc` lookups.";
+            description = ''
+              URL of the PLC instance used for `did:plc` lookups.
+
+              Can typically be left as default unless using a custom or local development setup.
+            '';
+          };
+          PORXIE_IDENTITY_HTTP_TIMEOUT = lib.mkOption {
+            type = lib.types.nullOr lib.types.str;
+            default = null;
+            description = "Maximum duration before identity resolution requests are timed out.";
+          };
+          PORXIE_IDENTITY_HTTP_CONNECT_TIMEOUT = lib.mkOption {
+            type = lib.types.nullOr lib.types.str;
+            default = null;
+            description = ''
+              Maximum duration before a connection attempt to an identity upstream is aborted.
+
+              This value should be lower than {option}`settings.PORXIE_IDENTITY_HTTP_TIMEOUT`.
+            '';
          };

          # Cache.
@@ -128,7 +158,8 @@ in
            description = ''
              Total memory allocation for the internal cache.

-              Blobs are cached using an LFU policy. The most frequently requested blobs are kept longest when the cache reaches maximum size.
+              Blobs are cached using an LFU policy. The most frequently requested blobs are kept
+              longest when the cache approaches its limit.

              For production deployments, a CDN or caching layer in front of this server is
              recommended for lower latency and better global availability.
@@ -164,7 +195,7 @@ in
            description = ''
              Policy service URL that DID+CID pairs will be checked against.

-              Requests are sent via XRPC to `<url>/xrpc/dev.blooym.porxie.getBlobPolicy`.
+              Requests are sent via XRPC to `<url>/xrpc/dev.blooym.porxie.getBlobPolicy?did=<did>&cid=<cid>`.
            '';
          };
          PORXIE_POLICY_REQUEST_HEADERS = lib.mkOption {
@@ -172,11 +203,10 @@ in
            default = null;
            apply = v: if v != null then lib.concatStringsSep "|" v else null;
            description = ''
-              Headers sent alongside requests to the policy service.
-
+              Headers sent alongside all requests to the policy service.
              Each header must be in the format `Name: value`.

-              As pipes are used as a delimiter, they cannot be contained in headers.
+              As pipes are used as a delimiter, they cannot be contained in header values.

              Should be set via {option}`environmentFiles` for sensitive values such as API keys.
            '';
@@ -186,10 +216,24 @@ in
            default = null;
            apply = v: if v != null then lib.boolToString v else null;
            description = ''
-              Allow requests to proceed even if the policy service is unavailable.
+              Allow requests to proceed if the policy service is unavailable.

-              Warning: enabling this means restricted blobs may be served when the policy service
-              is unavailable.
+              Warning: enabling this means restricted blobs may be served when the policy
+              service is unreachable.
+            '';
+          };
+          PORXIE_POLICY_HTTP_TIMEOUT = lib.mkOption {
+            type = lib.types.nullOr lib.types.str;
+            default = null;
+            description = "Maximum duration before policy service requests are timed out.";
+          };
+          PORXIE_POLICY_HTTP_CONNECT_TIMEOUT = lib.mkOption {
+            type = lib.types.nullOr lib.types.str;
+            default = null;
+            description = ''
+              Maximum duration before an attempted connection to the policy service is aborted.
+
+              This value should be lower than {option}`settings.PORXIE_POLICY_HTTP_TIMEOUT`.
            '';
          };
        };
--- a/nixos/modules/services/search/nominatim.nix
+++ b/nixos/modules/services/search/nominatim.nix
@@ -50,10 +50,6 @@ in
    };

    ui = {
-      enable = lib.mkEnableOption "Nominatim UI" // {
-        default = true;
-      };
-
      package = lib.mkPackageOption pkgs "nominatim-ui" { };

      config = lib.mkOption {
@@ -281,7 +277,7 @@ in

      services.nginx = {
        enable = true;
-        appendHttpConfig = lib.mkIf cfg.ui.enable ''
+        appendHttpConfig = ''
          map $args $format {
              default                  default;
              ~(^|&)format=html(&|$)   html;
@@ -308,19 +304,19 @@ in
            enableACME = lib.mkDefault true;
            locations = {
              "= /" = {
-                extraConfig = lib.mkIf cfg.ui.enable ''
+                extraConfig = ''
                  return 301 $scheme://$http_host/ui/search.html;
                '';
              };
              "/" = {
                proxyPass = "http://nominatim";
-                extraConfig = lib.mkIf cfg.ui.enable ''
+                extraConfig = ''
                  if ($forward_to_ui) {
                      rewrite ^(/[^/.]*) /ui$1.html redirect;
                  }
                '';
              };
-              "/ui/" = lib.mkIf cfg.ui.enable {
+              "/ui/" = {
                alias = "${uiPackage}/";
              };
            };
--- a/nixos/modules/services/web-apps/immich.nix
+++ b/nixos/modules/services/web-apps/immich.nix
@@ -380,8 +380,6 @@ in
      MACHINE_LEARNING_WORKERS = "1";
      MACHINE_LEARNING_WORKER_TIMEOUT = "120";
      MACHINE_LEARNING_CACHE_FOLDER = "/var/cache/immich";
-      # TODO: drop when insightface no longer unconditionally imports matplotlib
-      MPLCONFIGDIR = "/var/cache/immich";
      XDG_CACHE_HOME = "/var/cache/immich";
      IMMICH_HOST = "localhost";
      IMMICH_PORT = "3003";
--- a/nixos/modules/services/web-apps/rsshub.nix
+++ b/nixos/modules/services/web-apps/rsshub.nix
@@ -49,7 +49,7 @@ in
        {
          REQUEST_TIMEOUT = "3000";
          REQUEST_RETRY = "10";
-          CHROMIUM_EXECUTABLE_PATH = lib.getExe pkgs.chromium;
+          PUPPETEER_EXECUTABLE_PATH = lib.getExe pkgs.chromium";
        }
      '';
      description = ''
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -206,6 +206,11 @@ let
                if lib.isList cfg.sslCiphers then (lib.concatStringsSep ":" cfg.sslCiphers) else cfg.sslCiphers
              };"
            }
+            ${optionalString (cfg.sslDhparam != false)
+              "ssl_dhparam ${
+                if cfg.sslDhparam == true then config.security.dhparams.params.nginx.path else cfg.sslDhparam
+              };"
+            }

            ${optionalString cfg.recommendedTlsSettings ''
              # Consider https://ssl-config.mozilla.org/#server=nginx&config=intermediate as the lower bound
@@ -976,6 +981,9 @@ in
          "ECDHE-RSA-AES256-GCM-SHA384"
          "ECDHE-ECDSA-CHACHA20-POLY1305"
          "ECDHE-RSA-CHACHA20-POLY1305"
+          "DHE-RSA-AES128-GCM-SHA256"
+          "DHE-RSA-AES256-GCM-SHA384"
+          "DHE-RSA-CHACHA20-POLY1305"
        ];
        description = ''
          List of available cipher suites to choose from when negotiating TLS sessions.
@@ -994,6 +1002,13 @@ in
        description = "Allowed TLS protocol versions.";
      };

+      sslDhparam = mkOption {
+        type = types.either types.path types.bool;
+        default = false;
+        example = "/path/to/dhparams.pem";
+        description = "Path to DH parameters file, or `true` to generate with `security.dhparms.params.nginx`.";
+      };
+
      proxyResolveWhileRunning = mkOption {
        type = types.bool;
        default = false;
@@ -1293,13 +1308,6 @@ in
  };

  imports = [
-    (mkRemovedOptionModule [ "services" "nginx" "sslDhparam" ] ''
-      DHE cipher suites have been removed from the default nginx cipher list.
-
-      No additional configuration is required as ECDHE is used by default already.
-
-      If you wish to use Hybrid PQ key exchange, you can set services.nginx.recommendedTlsSettings = true.
-    '')
    (mkRemovedOptionModule [ "services" "nginx" "stateDir" ] ''
      The Nginx log directory has been moved to /var/log/nginx, the cache directory
      to /var/cache/nginx. The option services.nginx.stateDir has been removed.
@@ -1670,6 +1678,8 @@ in
      in
      listToAttrs acmePairs;

+    security.dhparams.params.nginx = lib.mkIf (cfg.sslDhparam == true) { };
+
    users.users = optionalAttrs (cfg.user == "nginx") {
      nginx = {
        group = cfg.group;
--- a/nixos/modules/system/boot/kernel.nix
+++ b/nixos/modules/system/boot/kernel.nix
@@ -35,15 +35,6 @@ in

 {

-  imports = [
-    (mkRemovedOptionModule [ "boot" "vesa" ] ''
-      The `boot.vesa` option has been removed. It was deprecated in 2020
-      because Xorg now works better with kernel modesetting. If you still
-      need the legacy VESA 800x600 fallback, set
-      `boot.kernelParams = [ "vga=0x317" "nomodeset" ];` directly.
-    '')
-  ];
-
  ###### interface

  options = {
@@ -190,6 +181,19 @@ in
      '';
    };

+    boot.vesa = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        (Deprecated) This option, if set, activates the VESA 800x600 video
+        mode on boot and disables kernel modesetting. It is equivalent to
+        specifying `[ "vga=0x317" "nomodeset" ]` in the
+        {option}`boot.kernelParams` option. This option is
+        deprecated as of 2020: Xorg now works better with modesetting, and
+        you might want a different VESA vga setting, anyway.
+      '';
+    };
+
    boot.extraModulePackages = mkOption {
      type = types.listOf types.package;
      default = [ ];
@@ -423,6 +427,10 @@ in
      # (so you don't need to reboot to have changes take effect).
      boot.kernelParams = [
        "loglevel=${toString config.boot.consoleLogLevel}"
+      ]
+      ++ optionals config.boot.vesa [
+        "vga=0x317"
+        "nomodeset"
      ];

      boot.kernel.sysctl."kernel.printk" = mkDefault config.boot.consoleLogLevel;
--- a/nixos/modules/virtualisation/nixos-containers.nix
+++ b/nixos/modules/virtualisation/nixos-containers.nix
@@ -607,16 +607,14 @@ in
                                boot.isNspawnContainer = true;
                                networking.hostName = mkDefault name;
                                networking.useDHCP = false;
-                                networking.interfaces = lib.mkIf config.privateNetwork (
-                                  lib.mkMerge [
-                                    (lib.mkIf (config.localAddress != null) {
-                                      eth0.ipv4.addresses = [ (ipv4FromString config.localAddress) ];
-                                    })
-                                    (lib.mkIf (config.localAddress6 != null) {
-                                      eth0.ipv6.addresses = [ (lib.network.ipv6.fromString config.localAddress6) ];
-                                    })
-                                  ]
-                                );
+                                networking.interfaces = lib.mkIf config.privateNetwork {
+                                  eth0.ipv4.addresses = lib.optional (config.localAddress != null) (
+                                    ipv4FromString config.localAddress
+                                  );
+                                  eth0.ipv6.addresses = lib.optional (config.localAddress6 != null) (
+                                    lib.network.ipv6.fromString config.localAddress6
+                                  );
+                                };
                                assertions = [
                                  {
                                    assertion =
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -30,7 +30,8 @@ let

  version = fileContents ../.version;
  versionSuffix =
-    (if stableBranch then "." else "pre") + "${toString nixpkgs.revCount}.${nixpkgs.shortRev}";
+    (if stableBranch then "." else "beta")
+    + "${toString (nixpkgs.revCount - 1004291)}.${nixpkgs.shortRev}";

  # Run the tests for each platform.  You can run a test by doing
  # e.g. ‘nix-build release.nix -A tests.login.x86_64-linux’,
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -966,7 +966,6 @@ in
  matrix-synapse-workers = runTest ./matrix/synapse-workers.nix;
  matrix-tuwunel = runTest ./matrix/tuwunel.nix;
  matter-server = runTest ./matter-server.nix;
-  matterjs-server = runTest ./matterjs-server.nix;
  mattermost = handleTest ./mattermost { };
  mautrix-discord = runTest ./matrix/mautrix-discord.nix;
  mautrix-meta-postgres = runTest ./matrix/mautrix-meta-postgres.nix;
--- a/nixos/tests/clatd.nix
+++ b/nixos/tests/clatd.nix
@@ -13,8 +13,8 @@
 #        +--|---
 #        | eth2    Address: 2001:db8::1/64
 # Router |
-#        | nat64   Address: fde7:6c52:047e::1/128
-#        |         Route:   fde7:6c52:047e::/96
+#        | nat64   Address: 64:ff9b::1/128
+#        |         Route:   64:ff9b::/96
 #        |         Address: 192.0.2.0/32
 #        |         Route:   192.0.2.0/24
 #        |
@@ -37,7 +37,11 @@
  ];

  nodes = {
-    # The server is configured with static IPv4 addresses.
+    # The server is configured with static IPv4 addresses. RFC 6052 Section 3.1
+    # disallows the mapping of non-global IPv4 addresses like RFC 1918 into the
+    # Well-Known Prefix 64:ff9b::/96. TAYGA also does not allow the mapping of
+    # documentation space (RFC 5737). To circumvent this, 100.64.0.2/24 from
+    # RFC 6589 (Carrier Grade NAT) is used here.
    # To reach the IPv4 address pool of the NAT64 gateway, there is a static
    # route configured. In normal cases, where the router would also source NAT
    # the pool addresses to one IPv4 addresses, this would not be needed.
@@ -69,7 +73,7 @@
    # The router is configured with static IPv4 addresses towards the server
    # and IPv6 addresses towards the client. DNS64 is exposed towards the
    # client so clatd is able to auto-discover the PLAT prefix. For NAT64, the
-    # ULA prefix fde7:6c52:047e::/96 is used. NAT64 is done with TAYGA which
+    # Well-Known prefix 64:ff9b::/96 is used. NAT64 is done with TAYGA which
    # provides the tun-interface nat64 and does the translation over it. The
    # IPv6 packets are sent to this interfaces and received as IPv4 packets and
    # vice versa. As TAYGA only translates IPv6 addresses to dedicated IPv4
@@ -117,7 +121,7 @@
      systemd.network.networks."40-eth2" = {
        networkConfig.IPv6SendRA = true;
        ipv6Prefixes = [ { Prefix = "2001:db8::/64"; } ];
-        ipv6PREF64Prefixes = [ { Prefix = "fde7:6c52:047e::/96"; } ];
+        ipv6PREF64Prefixes = [ { Prefix = "64:ff9b::/96"; } ];
        ipv6SendRAConfig = {
          EmitDNS = true;
          DNS = "_link_local";
@@ -137,7 +141,7 @@
          .:53 {
            bind ::
            hosts /etc/hosts
-            dns64 fde7:6c52:047e::/96
+            dns64 64:ff9b::/96
          }
        '';
      };
@@ -157,10 +161,10 @@
        ipv6 = {
          address = "2001:db8::1";
          router = {
-            address = "fde7:6c52:047e::1";
+            address = "64:ff9b::1";
          };
          pool = {
-            address = "fde7:6c52:047e::";
+            address = "64:ff9b::";
            prefixLength = 96;
          };
        };
@@ -217,7 +221,7 @@
    with subtest("networkd exports PREF64 prefix"):
      assert json.loads(client.succeed("networkctl status eth1 --json=short"))[
          "NDisc"
-      ]["PREF64"][0]["Prefix"] == [0xfd, 0xe7, 0x6c, 0x52, 0x04, 0x7e] + ([0] * 10)
+      ]["PREF64"][0]["Prefix"] == [0x0, 0x64, 0xFF, 0x9B] + ([0] * 12)

    with subtest("Test ICMP"):
      client.wait_until_succeeds("ping -c3 100.64.0.2 >&2")
--- a/nixos/tests/docker-tools-overlay.nix
+++ b/nixos/tests/docker-tools-overlay.nix
@@ -4,6 +4,7 @@
  name = "docker-tools-overlay";
  meta = with pkgs.lib.maintainers; {
    maintainers = [
+      lnl7
      roberth
    ];
  };
--- a/nixos/tests/docker-tools.nix
+++ b/nixos/tests/docker-tools.nix
@@ -91,6 +91,7 @@ in
  name = "docker-tools";
  meta = with pkgs.lib.maintainers; {
    maintainers = [
+      lnl7
      roberth
    ];
  };
--- a/nixos/tests/fastnetmon-advanced.nix
+++ b/nixos/tests/fastnetmon-advanced.nix
@@ -62,7 +62,7 @@
      bird.wait_for_unit("bird.service")

      fnm.wait_until_succeeds('journalctl -eu fastnetmon.service | grep "BGP daemon restarted correctly"')
-      fnm.wait_until_succeeds('journalctl -eu gobgp.service | grep "Peer Up"')
+      fnm.wait_until_succeeds("journalctl -eu gobgp.service | grep BGP_FSM_OPENCONFIRM")
      bird.wait_until_succeeds("birdc show protocol fnm | grep Estab")
      fnm.wait_until_succeeds('journalctl -eu fastnetmon.service | grep "API server listening"')
      fnm.succeed("fcli set blackhole 172.23.42.123")
--- a/nixos/tests/frigate.nix
+++ b/nixos/tests/frigate.nix
@@ -8,7 +8,7 @@
  name = "frigate";
  meta = { inherit (pkgs.frigate.meta) maintainers; };

-  containers = {
+  nodes = {
    machine = {
      services.frigate = {
        enable = true;
@@ -67,13 +67,13 @@
    password = machine.execute("journalctl -u frigate.service -o cat | grep -oP '([a-f0-9]{32})'")[1]

    # login and store session
-    machine.log(machine.succeed(f"http --ignore-stdin --check-status --session=frigate post http://localhost/api/login user=admin password={password}"))
+    machine.log(machine.succeed(f"http --check-status --session=frigate post http://localhost/api/login user=admin password={password}"))

    # make authenticated api request
-    machine.log(machine.succeed("http --ignore-stdin --check-status --session=frigate get http://localhost/api/version"))
+    machine.log(machine.succeed("http --check-status --session=frigate get http://localhost/api/version"))

    # make unauthenticated api request
-    machine.log(machine.succeed("http --ignore-stdin --check-status get http://localhost:5000/api/version"))
+    machine.log(machine.succeed("http --check-status get http://localhost:5000/api/version"))

    # wait for a recording to appear
    machine.wait_for_file("/var/cache/frigate/test@*.mp4")
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@@ -1276,7 +1276,6 @@ in
  separateBootZfs = makeInstallerTest "separateBootZfs" {
    extraInstallerConfig = {
      boot.supportedFilesystems = [ "zfs" ];
-      networking.hostId = "00000000";
    };

    extraConfig = ''
@@ -1349,7 +1348,6 @@ in
  zfsroot = makeInstallerTest "zfs-root" {
    extraInstallerConfig = {
      boot.supportedFilesystems = [ "zfs" ];
-      networking.hostId = "00000000";
    };

    extraConfig = ''
--- a/nixos/tests/kaidan/default.nix
+++ b/nixos/tests/kaidan/default.nix
@@ -34,7 +34,7 @@
  };

  enableOCR = true;
-  interactive.sshBackdoor.enable = true;
+  interactive.sshBackdoor.enable = true; # ssh -o User=root vsock/3

  testScript =
    { nodes, ... }:
--- a/nixos/tests/matterjs-server.nix
+++ b/nixos/tests/matterjs-server.nix
@@ -1,23 +0,0 @@
-{ lib, ... }:
-
-{
-  name = "matterjs-server";
-  meta.maintainers = with lib.maintainers; [ kranzes ];
-
-  nodes.machine.services.matterjs-server.enable = true;
-
-  testScript =
-    { nodes, ... }:
-    let
-      inherit (nodes.machine.services.matterjs-server) listenAddress port package;
-    in
-    ''
-      import json
-
-      machine.wait_for_unit("matterjs-server.service")
-      machine.wait_for_open_port(${toString port})
-
-      health = json.loads(machine.succeed("curl -fsS http://${listenAddress}:${toString port}/health"))
-      assert health["version"] == "${package.version}"
-    '';
-}
--- a/nixos/tests/mattermost/default.nix
+++ b/nixos/tests/mattermost/default.nix
@@ -58,20 +58,11 @@ import ../make-test-python.nix (
                  UserNoticesEnabled = false;
                };
              };
-              package = pkgs.mattermost.override {
-                removeFreeBadge = true;
-                removeUserLimit = true;
-              };
            } mattermostConfig;

            # Upgrade to the latest Mattermost.
            specialisation.latest.configuration = {
-              services.mattermost.package = lib.mkForce (
-                pkgs.mattermostLatest.override {
-                  removeFreeBadge = true;
-                  removeUserLimit = true;
-                }
-              );
+              services.mattermost.package = lib.mkForce pkgs.mattermostLatest;
              system.stateVersion = lib.mkVMOverride (lib.versions.majorMinor lib.version);
            };
          }
--- a/nixos/tests/nginx.nix
+++ b/nixos/tests/nginx.nix
@@ -4,11 +4,13 @@
 #   2. whether the ETag header is properly generated whenever we're serving
 #      files in Nix store paths
 #   3. nginx doesn't restart on configuration changes (only reloads)
-{ ... }:
+{ pkgs, ... }:
 {
  name = "nginx";
-  meta = {
-    maintainers = [ ];
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [
+      mbbx6spp
+    ];
  };

  nodes = {
--- a/nixos/tests/nixos-test-driver/containers.nix
+++ b/nixos/tests/nixos-test-driver/containers.nix
@@ -2,12 +2,7 @@
 {
  name = "containers";
  meta.maintainers = with pkgs.lib.maintainers; [ jfly ];
-  # Relies upon /dev/net/tun, which is currently disabled in hydra due to
-  # security concerns [0].
-  # There is a PR [1] that will remove the requirement on /dev/net/tun. When/if
-  # that lands, we can run this test in hydra.
-  # [0]: https://github.com/NixOS/infra/issues/987#issuecomment-4261612652
-  # [1]: https://github.com/NixOS/nixpkgs/pull/512268
+  # https://github.com/NixOS/infra/issues/987
  meta.hydraPlatforms = [ ];

  nodes = {
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .11
 .05