Release NixOS 23.05

(cherry picked from commit 2c6ae7132c)
Merge pull request #235217 from NixOS/backport-235199-to-release-23.05
2026-06-06 05:13:37 +00:00 · 2023-05-31 22:57:43 +02:00 · 2023-05-31 21:34:25 +02:00 · 2023-05-31 21:28:55 +02:00 · 2023-05-31 15:19:22 +00:00 · 2023-05-31 15:19:04 +02:00
275 changed files with 11698 additions and 27047 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -22,7 +22,7 @@ For new packages please briefly describe the package or provide a link to its ho
  - made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages
 - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
 - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
- [23.05 Release Notes (or backporting 22.11 Release notes)](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#generating-2305-release-notes)
+- [23.11 Release Notes (or backporting 23.05 Release notes)](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#generating-2305-release-notes)
  - [ ] (Package updates) Added a release notes entry if the change is major or breaking
  - [ ] (Module updates) Added a release notes entry if the change is significant
  - [ ] (Module addition) Added a release notes entry if adding a new NixOS module
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -106,17 +106,17 @@ git push origin feature --force-with-lease

 Follow these steps to backport a change into a release branch in compliance with the [commit policy](https://nixos.org/nixpkgs/manual/#submitting-changes-stable-release-branches).

-You can add a label such as `backport release-22.11` to a PR, so that merging it will
+You can add a label such as `backport release-23.05` to a PR, so that merging it will
 automatically create a backport (via [a GitHub Action](.github/workflows/backport.yml)).
-This also works for PR's that have already been merged, and might take a couple of minutes to trigger.
+This also works for pull requests that have already been merged, and might take a couple of minutes to trigger.

 You can also create the backport manually:

 1. Take note of the commits in which the change was introduced into `master` branch.
-2. Check out the target _release branch_, e.g. `release-22.11`. Do not use a _channel branch_ like `nixos-22.11` or `nixpkgs-22.11-darwin`.
+2. Check out the target _release branch_, e.g. `release-23.05`. Do not use a _channel branch_ like `nixos-23.05` or `nixpkgs-23.05-darwin`.
 3. Create a branch for your change, e.g. `git checkout -b backport`.
 4. When the reason to backport is not obvious from the original commit message, use `git cherry-pick -xe <original commit>` and add a reason. Otherwise use `git cherry-pick -x <original commit>`. That's fine for minor version updates that only include security and bug fixes, commits that fixes an otherwise broken package or similar. Please also ensure the commits exists on the master branch; in the case of squashed or rebased merges, the commit hash will change and the new commits can be found in the merge message at the bottom of the master pull request.
-5. Push to GitHub and open a backport pull request. Make sure to select the release branch (e.g. `release-22.11`) as the target branch of the pull request, and link to the pull request in which the original change was committed to `master`. The pull request title should be the commit title with the release version as prefix, e.g. `[22.11]`.
+5. Push to GitHub and open a backport pull request. Make sure to select the release branch (e.g. `release-23.05`) as the target branch of the pull request, and link to the pull request in which the original change was committed to `master`. The pull request title should be the commit title with the release version as prefix, e.g. `[23.05]`.
 6. When the backport pull request is merged and you have the necessary privileges you can also replace the label `9.needs: port to stable` with `8.has: port to stable` on the original pull request. This way maintainers can keep track of missing backports easier.

 ## Criteria for Backporting changes
@@ -128,7 +128,7 @@ Anything that does not cause user or downstream dependency regressions can be ba
 - Services which require a client to be up-to-date regardless. (E.g. `spotify`, `steam`, or `discord`)
 - Security critical applications (E.g. `firefox`)

-## Generating 23.05 Release Notes
+## Generating 23.11 Release Notes
 <!--
 note: title unchanged even though we don't need regeneration because extant
 PRs will link here. definitely change the title for 23.11 though.
@@ -136,10 +136,10 @@ PRs will link here. definitely change the title for 23.11 though.

 Documentation in nixpkgs is transitioning to a markdown-centric workflow. In the past release notes required a translation step to convert from markdown to a compatible docbook document, but this is no longer necessary.

-Steps for updating 23.05 Release notes:
+Steps for updating 23.11 Release notes:

-1. Edit `nixos/doc/manual/release-notes/rl-2305.section.md` with the desired changes
-2. Commit changes to `rl-2305.section.md`.
+1. Edit `nixos/doc/manual/release-notes/rl-2311.section.md` with the desired changes
+2. Commit changes to `rl-2311.section.md`.

 ## Reviewing contributions

--- a/README.md
+++ b/README.md
@@ -51,9 +51,9 @@ Nixpkgs and NixOS are built and tested by our continuous integration
 system, [Hydra](https://hydra.nixos.org/).

 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for the NixOS 22.11 release](https://hydra.nixos.org/jobset/nixos/release-22.11)
+* [Continuous package builds for the NixOS 23.05 release](https://hydra.nixos.org/jobset/nixos/release-23.05)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for the NixOS 22.11 release](https://hydra.nixos.org/job/nixos/release-22.11/tested#tabs-constituents)
+* [Tests for the NixOS 23.05 release](https://hydra.nixos.org/job/nixos/release-23.05/tested#tabs-constituents)

 Artifacts successfully built with Hydra are published to cache at
 https://cache.nixos.org/. When successful build and test criteria are
--- a/doc/stdenv/meta.chapter.md
+++ b/doc/stdenv/meta.chapter.md
@@ -182,7 +182,7 @@ runCommand "my-package-test" {

 ### `timeout` {#var-meta-timeout}

-A timeout (in seconds) for building the derivation. If the derivation takes longer than this time to build, it can fail due to breaking the timeout. However, all computers do not have the same computing power, hence some builders may decide to apply a multiplicative factor to this value. When filling this value in, try to keep it approximately consistent with other values already present in `nixpkgs`.
+A timeout (in seconds) for building the derivation. If the derivation takes longer than this time to build, Hydra will fail it due to breaking the timeout. However, all computers do not have the same computing power, hence some builders may decide to apply a multiplicative factor to this value. When filling this value in, try to keep it approximately consistent with other values already present in `nixpkgs`.

 `meta` attributes are not stored in the instantiated derivation.
 Therefore, this setting may be lost when the package is used as a dependency.
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -117,10 +117,11 @@ let
    inherit (self.meta) addMetaAttrs dontDistribute setName updateName
      appendToName mapDerivationAttrset setPrio lowPrio lowPrioSet hiPrio
      hiPrioSet getLicenseFromSpdxId getExe;
-    inherit (self.sources) pathType pathIsDirectory cleanSourceFilter
+    inherit (self.filesystem) pathType pathIsDirectory pathIsRegularFile;
+    inherit (self.sources) cleanSourceFilter
      cleanSource sourceByRegex sourceFilesBySuffices
      commitIdFromGitRepo cleanSourceWith pathHasContext
-      canCleanSource pathIsRegularFile pathIsGitRepo;
+      canCleanSource pathIsGitRepo;
    inherit (self.modules) evalModules setDefaultModuleLocation
      unifyModuleSyntax applyModuleArgsIfFunction mergeModules
      mergeModules' mergeOptionDecls evalOptionValue mergeDefinitions
--- a/lib/filesystem.nix
+++ b/lib/filesystem.nix
@@ -1,13 +1,93 @@
-# Functions for copying sources to the Nix store.
+# Functions for querying information about the filesystem
+# without copying any files to the Nix store.
 { lib }:

+# Tested in lib/tests/filesystem.sh
 let
+  inherit (builtins)
+    readDir
+    pathExists
+    ;
+
  inherit (lib.strings)
    hasPrefix
    ;
+
+  inherit (lib.filesystem)
+    pathType
+    ;
 in

 {
+
+  /*
+    The type of a path. The path needs to exist and be accessible.
+    The result is either "directory" for a directory, "regular" for a regular file, "symlink" for a symlink, or "unknown" for anything else.
+
+    Type:
+      pathType :: Path -> String
+
+    Example:
+      pathType /.
+      => "directory"
+
+      pathType /some/file.nix
+      => "regular"
+  */
+  pathType =
+    builtins.readFileType or
+    # Nix <2.14 compatibility shim
+    (path:
+      if ! pathExists path
+      # Fail irrecoverably to mimic the historic behavior of this function and
+      # the new builtins.readFileType
+      then abort "lib.filesystem.pathType: Path ${toString path} does not exist."
+      # The filesystem root is the only path where `dirOf / == /` and
+      # `baseNameOf /` is not valid. We can detect this and directly return
+      # "directory", since we know the filesystem root can't be anything else.
+      else if dirOf path == path
+      then "directory"
+      else (readDir (dirOf path)).${baseNameOf path}
+    );
+
+  /*
+    Whether a path exists and is a directory.
+
+    Type:
+      pathIsDirectory :: Path -> Bool
+
+    Example:
+      pathIsDirectory /.
+      => true
+
+      pathIsDirectory /this/does/not/exist
+      => false
+
+      pathIsDirectory /some/file.nix
+      => false
+  */
+  pathIsDirectory = path:
+    pathExists path && pathType path == "directory";
+
+  /*
+    Whether a path exists and is a regular file, meaning not a symlink or any other special file type.
+
+    Type:
+      pathIsRegularFile :: Path -> Bool
+
+    Example:
+      pathIsRegularFile /.
+      => false
+
+      pathIsRegularFile /this/does/not/exist
+      => false
+
+      pathIsRegularFile /some/file.nix
+      => true
+  */
+  pathIsRegularFile = path:
+    pathExists path && pathType path == "regular";
+
  /*
    A map of all haskell packages defined in the given path,
    identified by having a cabal file with the same name as the
--- a/lib/sources.nix
+++ b/lib/sources.nix
@@ -18,21 +18,11 @@ let
    pathExists
    readFile
    ;
-
-  /*
-    Returns the type of a path: regular (for file), symlink, or directory.
-  */
-  pathType = path: getAttr (baseNameOf path) (readDir (dirOf path));
-
-  /*
-    Returns true if the path exists and is a directory, false otherwise.
-  */
-  pathIsDirectory = path: if pathExists path then (pathType path) == "directory" else false;
-
-  /*
-    Returns true if the path exists and is a regular file, false otherwise.
-  */
-  pathIsRegularFile = path: if pathExists path then (pathType path) == "regular" else false;
+  inherit (lib.filesystem)
+    pathType
+    pathIsDirectory
+    pathIsRegularFile
+    ;

  /*
    A basic filter for `cleanSourceWith` that removes
@@ -271,11 +261,20 @@ let
    };

 in {
-  inherit
-    pathType
-    pathIsDirectory
-    pathIsRegularFile

+  pathType = lib.warnIf (lib.isInOldestRelease 2305)
+    "lib.sources.pathType has been moved to lib.filesystem.pathType."
+    lib.filesystem.pathType;
+
+  pathIsDirectory = lib.warnIf (lib.isInOldestRelease 2305)
+    "lib.sources.pathIsDirectory has been moved to lib.filesystem.pathIsDirectory."
+    lib.filesystem.pathIsDirectory;
+
+  pathIsRegularFile = lib.warnIf (lib.isInOldestRelease 2305)
+    "lib.sources.pathIsRegularFile has been moved to lib.filesystem.pathIsRegularFile."
+    lib.filesystem.pathIsRegularFile;
+
+  inherit
    pathIsGitRepo
    commitIdFromGitRepo

--- a/lib/tests/filesystem.sh
+++ b/lib/tests/filesystem.sh
@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+
+# Tests lib/filesystem.nix
+# Run:
+# [nixpkgs]$ lib/tests/filesystem.sh
+# or:
+# [nixpkgs]$ nix-build lib/tests/release.nix
+
+set -euo pipefail
+shopt -s inherit_errexit
+
+# Use
+#     || die
+die() {
+  echo >&2 "test case failed: " "$@"
+  exit 1
+}
+
+if test -n "${TEST_LIB:-}"; then
+  NIX_PATH=nixpkgs="$(dirname "$TEST_LIB")"
+else
+  NIX_PATH=nixpkgs="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.."; pwd)"
+fi
+export NIX_PATH
+
+work="$(mktemp -d)"
+clean_up() {
+  rm -rf "$work"
+}
+trap clean_up EXIT
+cd "$work"
+
+mkdir directory
+touch regular
+ln -s target symlink
+mkfifo fifo
+
+checkPathType() {
+    local path=$1
+    local expectedPathType=$2
+    local actualPathType=$(nix-instantiate --eval --strict --json 2>&1 \
+        -E '{ path }: let lib = import <nixpkgs/lib>; in lib.filesystem.pathType path' \
+        --argstr path "$path")
+    if [[ "$actualPathType" != "$expectedPathType" ]]; then
+        die "lib.filesystem.pathType \"$path\" == $actualPathType, but $expectedPathType was expected"
+    fi
+}
+
+checkPathType "/" '"directory"'
+checkPathType "$PWD/directory" '"directory"'
+checkPathType "$PWD/regular" '"regular"'
+checkPathType "$PWD/symlink" '"symlink"'
+checkPathType "$PWD/fifo" '"unknown"'
+checkPathType "$PWD/non-existent" "error: evaluation aborted with the following error message: 'lib.filesystem.pathType: Path $PWD/non-existent does not exist.'"
+
+checkPathIsDirectory() {
+    local path=$1
+    local expectedIsDirectory=$2
+    local actualIsDirectory=$(nix-instantiate --eval --strict --json 2>&1 \
+        -E '{ path }: let lib = import <nixpkgs/lib>; in lib.filesystem.pathIsDirectory path' \
+        --argstr path "$path")
+    if [[ "$actualIsDirectory" != "$expectedIsDirectory" ]]; then
+        die "lib.filesystem.pathIsDirectory \"$path\" == $actualIsDirectory, but $expectedIsDirectory was expected"
+    fi
+}
+
+checkPathIsDirectory "/" "true"
+checkPathIsDirectory "$PWD/directory" "true"
+checkPathIsDirectory "$PWD/regular" "false"
+checkPathIsDirectory "$PWD/symlink" "false"
+checkPathIsDirectory "$PWD/fifo" "false"
+checkPathIsDirectory "$PWD/non-existent" "false"
+
+checkPathIsRegularFile() {
+    local path=$1
+    local expectedIsRegularFile=$2
+    local actualIsRegularFile=$(nix-instantiate --eval --strict --json 2>&1 \
+        -E '{ path }: let lib = import <nixpkgs/lib>; in lib.filesystem.pathIsRegularFile path' \
+        --argstr path "$path")
+    if [[ "$actualIsRegularFile" != "$expectedIsRegularFile" ]]; then
+        die "lib.filesystem.pathIsRegularFile \"$path\" == $actualIsRegularFile, but $expectedIsRegularFile was expected"
+    fi
+}
+
+checkPathIsRegularFile "/" "false"
+checkPathIsRegularFile "$PWD/directory" "false"
+checkPathIsRegularFile "$PWD/regular" "true"
+checkPathIsRegularFile "$PWD/symlink" "false"
+checkPathIsRegularFile "$PWD/fifo" "false"
+checkPathIsRegularFile "$PWD/non-existent" "false"
+
+echo >&2 tests ok
--- a/lib/tests/release.nix
+++ b/lib/tests/release.nix
@@ -44,6 +44,9 @@ pkgs.runCommand "nixpkgs-lib-tests" {
    echo "Running lib/tests/modules.sh"
    bash lib/tests/modules.sh

+    echo "Running lib/tests/filesystem.sh"
+    TEST_LIB=$PWD/lib bash lib/tests/filesystem.sh
+
    echo "Running lib/tests/sources.sh"
    TEST_LIB=$PWD/lib bash lib/tests/sources.sh

--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -931,6 +931,12 @@
    githubId = 123550;
    name = "André Silva";
  };
+  andresnav = {
+    email = "nix@andresnav.com";
+    github = "andres-nav";
+    githubId = 118762770;
+    name = "Andres Navarro";
+  };
  andrestylianos = {
    email = "andre.stylianos@gmail.com";
    github = "andrestylianos";
@@ -9652,6 +9658,12 @@
    githubId = 346094;
    name = "Michael Alyn Miller";
  };
+  mangoiv = {
+    email = "contact@mangoiv.com";
+    github = "mangoiv";
+    githubId = 40720523;
+    name = "MangoIV";
+  };
  manojkarthick = {
    email = "smanojkarthick@gmail.com";
    github = "manojkarthick";
--- a/nixos/doc/manual/installation/upgrading.chapter.md
+++ b/nixos/doc/manual/installation/upgrading.chapter.md
@@ -6,7 +6,7 @@ expressions and associated binaries. The NixOS channels are updated
 automatically from NixOS's Git repository after certain tests have
 passed and all packages have been built. These channels are:

-   *Stable channels*, such as [`nixos-22.11`](https://nixos.org/channels/nixos-22.11).
+-   *Stable channels*, such as [`nixos-23.05`](https://channels.nixos.org/nixos-23.05).
    These only get conservative bug fixes and package upgrades. For
    instance, a channel update may cause the Linux kernel on your system
    to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not
@@ -14,13 +14,13 @@ passed and all packages have been built. These channels are:
    Stable channels are generally maintained until the next stable
    branch is created.

-   The *unstable channel*, [`nixos-unstable`](https://nixos.org/channels/nixos-unstable).
+-   The *unstable channel*, [`nixos-unstable`](https://channels.nixos.org/nixos-unstable).
    This corresponds to NixOS's main development branch, and may thus see
    radical changes between channel updates. It's not recommended for
    production systems.

-   *Small channels*, such as [`nixos-22.11-small`](https://nixos.org/channels/nixos-22.11-small)
-    or [`nixos-unstable-small`](https://nixos.org/channels/nixos-unstable-small).
+-   *Small channels*, such as [`nixos-23.05-small`](https://channels.nixos.org/nixos-23.05-small)
+    or [`nixos-unstable-small`](https://channels.nixos.org/nixos-unstable-small).
    These are identical to the stable and unstable channels described above,
    except that they contain fewer binary packages. This means they get updated
    faster than the regular channels (for instance, when a critical security patch
@@ -28,7 +28,7 @@ passed and all packages have been built. These channels are:
    built from source than usual. They're mostly intended for server environments
    and as such contain few GUI applications.

-To see what channels are available, go to <https://nixos.org/channels>.
+To see what channels are available, go to <https://channels.nixos.org>.
 (Note that the URIs of the various channels redirect to a directory that
 contains the channel's latest version and includes ISO images and
 VirtualBox appliances.) Please note that during the release process,
@@ -38,38 +38,38 @@ newest supported stable release.

 When you first install NixOS, you're automatically subscribed to the
 NixOS channel that corresponds to your installation source. For
-instance, if you installed from a 22.11 ISO, you will be subscribed to
-the `nixos-22.11` channel. To see which NixOS channel you're subscribed
+instance, if you installed from a 23.05 ISO, you will be subscribed to
+the `nixos-23.05` channel. To see which NixOS channel you're subscribed
 to, run the following as root:

 ```ShellSession
 # nix-channel --list | grep nixos
-nixos https://nixos.org/channels/nixos-unstable
+nixos https://channels.nixos.org/nixos-unstable
 ```

 To switch to a different NixOS channel, do

 ```ShellSession
-# nix-channel --add https://nixos.org/channels/channel-name nixos
+# nix-channel --add https://channels.nixos.org/channel-name nixos
 ```

 (Be sure to include the `nixos` parameter at the end.) For instance, to
-use the NixOS 22.11 stable channel:
+use the NixOS 23.05 stable channel:

 ```ShellSession
-# nix-channel --add https://nixos.org/channels/nixos-22.11 nixos
+# nix-channel --add https://channels.nixos.org/nixos-23.05 nixos
 ```

 If you have a server, you may want to use the "small" channel instead:

 ```ShellSession
-# nix-channel --add https://nixos.org/channels/nixos-22.11-small nixos
+# nix-channel --add https://channels.nixos.org/nixos-23.05-small nixos
 ```

 And if you want to live on the bleeding edge:

 ```ShellSession
-# nix-channel --add https://nixos.org/channels/nixos-unstable nixos
+# nix-channel --add https://channels.nixos.org/nixos-unstable nixos
 ```

 You can then upgrade NixOS to the latest version in your chosen channel
@@ -114,5 +114,5 @@ the new generation contains a different kernel, initrd or kernel
 modules. You can also specify a channel explicitly, e.g.

 ```nix
-system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.11;
+system.autoUpgrade.channel = "https://channels.nixos.org/nixos-23.05";
 ```
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -1,65 +1,81 @@
-# Release 23.05 (“Stoat”, 2023.05/??) {#sec-release-23.05}
+# Release 23.05 (“Stoat”, 2023.05/31) {#sec-release-23.05}

-Support is planned until the end of December 2023, handing over to 23.11.
+The NixOS release team is happy to announce a new version of NixOS. The release is called NixOS 23.05 ("Stoat").
+
+NixOS is a Linux distribution, whose set of packages can also be used on other Linux systems and macOS.
+
+Support is planned until the end of December 2023, handing over to NixOS 23.11.
+
+To upgrade to the latest release, follow the [upgrade chapter](https://nixos.org/manual/nixos/stable/index.html#sec-upgrading).

 ## Highlights {#sec-release-23.05-highlights}

-In addition to numerous new and upgraded packages, this release has the following highlights:
+In addition to numerous new and updated packages, this release has the following highlights:

-<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+- The default [Nix](https://github.com/NixOS/nix) version was updated from 2.11 to 2.13. In particular, this includes a [small language alteration](https://github.com/NixOS/nix/issues/8259) in the way floats are represented in `builtins.toJSON`. See the release notes for [2.13](https://nixos.org/manual/nix/stable/release-notes/rl-2.13.html) and [2.14](https://nixos.org/manual/nix/unstable/release-notes/rl-2.14.html) for more information.

- Core version changes:
+- The default [Linux Kernel](https://kernel.org/) was updated from version 5.15 to 6.1, see [Kernelnewbies](https://kernelnewbies.org/Linux_6.1) for what has changed. All currently shown Kernels shown on [kernel.org](https://kernel.org/) are available.

-  - default linux: 5.15 -\> 6.1, all supported kernels available
+- [systemd](https://systemd.io) has been updated from v252 to v253, see [the release notes](https://github.com/systemd/systemd/blob/main/NEWS#L21-L677) for more information on the changes.
+    - Updating with `nixos-rebuild boot` and rebooting is recommended, since in some rare cases the `nixos-rebuild switch` into the new generation on a live system might fail due to missing mount units.

-  - systemd has been updated to v253.1, see [the pull request](https://github.com/NixOS/nixpkgs/pull/216826) for more info.
-    It's recommended to use `nixos-rebuild boot` and `reboot`, rather than `nixos-rebuild switch` - since in some rare cases
-    the switch of a live system might fail.
+- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.35 to 2.37, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.37) for what was changed.

-  - glibc: 2.35 -\> 2.37
+- [libxcrypt](https://github.com/besser82/libxcrypt), the library providing the `crypt(3)` password hashing function, is now built without support for algorithms not flagged [`strong`](https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf#L48). This affects the availability of password hashing algorithms used for system login (`login(1)`, `passwd(1)`), but also Apache2 Basic-Auth, Samba, OpenLDAP, Dovecot, and [many other packages](https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/NixOS/nixpkgs%24+libxcrypt&patternType=standard&sm=1&groupBy=path).

- Cinnamon has been updated to 5.6, see [the pull request](https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204) for what is changed.
+- NixOS now defaults to using [nsncd](https://github.com/twosigma/nsncd), a non-caching reimplementation of nscd in Rust, as its NSS lookup dispatcher. This replaces the buggy and deprecated nscd implementation provided through glibc. When you find problems, you can switch back by disabling it:
+  ```nix
+  services.nscd.enableNsncd = false;
+  ```

- GNOME has been upgraded to version 44. Please see the [release notes](https://release.gnome.org/44/) for details.
+- The internal option `boot.bootspec.enable` is now enabled by default because [RFC 0125](https://github.com/NixOS/rfcs/pull/125) was merged. This means you will have a bootspec document called `boot.json` generated for each system and specialisation in the top-level. This is useful to enable advanced boot use cases in NixOS, such as Secure Boot.

- KDE Plasma has been updated to v5.27, see [the release notes](https://kde.org/announcements/plasma/5/5.27.0/) for what is changed.
+- Two changes to `nixos-rebuild` are important to highlight as well.
+    - Support for an extra `--specialisation` option was added that can be used to change specialisation for `switch` and `test` commands.
+    - The `--target-host` and `--build-host` options no longer treat the `localhost` value specially – to build on resp. deploy to a local machine, omit the relevant flag.

- Python implements [PEP 668](https://peps.python.org/pep-0668/), providing better feedback to users that try to run `pip install` system-wide.
+- [Python](https://www.python.org) implements [PEP 668](https://peps.python.org/pep-0668/), providing better feedback to users that try to run `pip install` for system-wide or user home installations.

- `nixos-rebuild` now supports an extra `--specialisation` option that can be used to change specialisation for `switch` and `test` commands.
+- [Cinnamon](https://github.com/linuxmint/Cinnamon) has been updated to version 5.6, see [the pull request](https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204) for what was changed.

- `libxcrypt`, the library providing the `crypt(3)` password hashing function, is now built without support for algorithms not flagged [`strong`](https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf#L48). This affects the availability of password hashing algorithms used for system login (`login(1)`, `passwd(1)`), but also Apache2 Basic-Auth, Samba, OpenLDAP, Dovecot, and [many other packages](https://github.com/search?q=repo%3ANixOS%2Fnixpkgs%20libxcrypt&type=code).
+- [GNOME](https://www.gnome.org) has been updated to version 44, see the [the release notes](https://release.gnome.org/44/) for details.

- `boot.bootspec.enable` (internal option) is now enabled by default because [RFC-0125](https://github.com/NixOS/rfcs/pull/125) was merged. This means you will have a bootspec document called `boot.json` generated for each system and specialisation in the top-level. This is useful to enable advanced boot usecases in NixOS such as SecureBoot.
+- [KDE Plasma](https://kde.org/de/plasma-desktop/) has been updated to version 5.27, see [the release notes](https://kde.org/announcements/plasma/5/5.27.0/) for what was changed.

 ## New Services {#sec-release-23.05-new-services}

-<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-
 - [Akkoma](https://akkoma.social), an ActivityPub microblogging server. Available as [services.akkoma](options.html#opt-services.akkoma.enable).

- [Pixelfed](https://pixelfed.org/), an Instagram-like ActivityPub server. Available as [services.pixelfed](options.html#opt-services.pixelfed.enable).
+- [alertmanager-irc-relay](https://github.com/google/alertmanager-irc-relay), a Prometheus Alertmanager IRC Relay. Available as [services.prometheus.alertmanagerIrcRelay](options.html#opt-services.prometheus.alertmanagerIrcRelay.enable).
+
+- [alice-lg](github.com/alice-lg/alice-lg), a looking-glass for BGP sessions. Available as [services.alice-lg](#opt-services.alice-lg.enable).
+
+- [atuin](https://github.com/ellie/atuin), a sync server for shell history. Available as [services.atuin](#opt-services.atuin.enable).
+
+- [authelia](https://www.authelia.com/), an open-source authentication and authorization server. Available as [services.authelia](options.html#opt-services.authelia.enable).
+
+- [birdwatcher](github.com/alice-lg/birdwatcher), a small HTTP server meant to provide an API defined by Barry O'Donovan's birds-eye to the BIRD internet routing daemon. Available as [services.birdwatcher](#opt-services.birdwatcher.enable).

 - [blesh](https://github.com/akinomyoga/ble.sh), a line editor written in pure bash. Available as [programs.bash.blesh](#opt-programs.bash.blesh.enable).

- [webhook](https://github.com/adnanh/webhook), a lightweight webhook server. Available as [services.webhook](#opt-services.webhook.enable).
+- [Budgie Desktop](https://github.com/BuddiesOfBudgie/budgie-desktop), a familiar, modern desktop environment. Available as [services.xserver.desktopManager.budgie](options.html#opt-services.xserver.desktopManager.budgie).

- [cups-pdf-to-pdf](https://github.com/alexivkin/CUPS-PDF-to-PDF), a pdf-generating cups backend based on [cups-pdf](https://www.cups-pdf.de/). Available as [services.printing.cups-pdf](#opt-services.printing.cups-pdf.enable).
-
- [clash-verge](https://github.com/zzzgydi/clash-verge), A Clash GUI based on tauri. Available as [programs.clash-verge](#opt-programs.clash-verge.enable).
+- [clash-verge](https://github.com/zzzgydi/clash-verge), a Clash GUI based on tauri. Available as [programs.clash-verge](#opt-programs.clash-verge.enable).

 - [Cloudlog](https://www.magicbug.co.uk/cloudlog/), a web-based Amateur Radio logging application. Available as [services.cloudlog](#opt-services.cloudlog.enable).

+- [consul-template](https://github.com/hashicorp/consul-template/), a template renderer, notifier, and supervisor for HashiCorp Consul and Vault data. Available as [services.consul-template](#opt-services.consul-template.instances).
+
+- [cups-pdf-to-pdf](https://github.com/alexivkin/CUPS-PDF-to-PDF), a PDF-generating CUPS backend based on [cups-pdf](https://www.cups-pdf.de/). Available as [services.printing.cups-pdf](#opt-services.printing.cups-pdf.enable).
+
 - [Deepin Desktop Environment](https://github.com/linuxdeepin/dde), an elegant, easy to use and reliable desktop environment. Available as [services.xserver.desktopManager.deepin](options.html#opt-services.xserver.desktopManager.deepin).

- [system-repart](https://www.freedesktop.org/software/systemd/man/systemd-repart.service.html), grow and add partitions to a partition table. Available as [systemd.repart](options.html#opt-systemd.repart) and [boot.initrd.systemd.repart](options.html#opt-boot.initrd.systemd.repart)
+- [esphome](https://esphome.io), a dashboard to configure ESP8266/ESP32 devices for use with Home Automation systems. Available as [services.esphome](#opt-services.esphome.enable).

 - [frigate](https://frigate.video), an open source NVR built around real-time AI object detection. Available as [services.frigate](#opt-services.frigate.enable).

 - [fzf](https://github.com/junegunn/fzf), a command line fuzzyfinder. Available as [programs.fzf](#opt-programs.fzf.fuzzyCompletion).

- [readarr](https://github.com/Readarr/Readarr), Book Manager and Automation (Sonarr for Ebooks). Available as [services.readarr](options.html#opt-services.readarr.enable).
-
 - [gemstash](https://github.com/rubygems/gemstash), a RubyGems.org cache and private gem server. Available as [services.gemstash](#opt-services.gemstash.enable).

 - [gitea-actions-runner](https://gitea.com/gitea/act_runner), a CI runner for Gitea/Forgejo Actions. Available as [services.gitea-actions-runner](#opt-services.gitea-actions-runner.instances).
@@ -68,129 +84,126 @@ In addition to numerous new and upgraded packages, this release has the followin

 - [go2rtc](https://github.com/AlexxIT/go2rtc), a camera streaming appliation with support for RTSP, WebRTC, HomeKit, FFMPEG, RTMP and other protocols. Available as [services.go2rtc](options.html#opt-services.go2rtc.enable).

- [harmonia](https://github.com/nix-community/harmonia/), Nix binary cache implemented in rust using libnix-store. Available as [services.harmonia](options.html#opt-services.harmonia.enable).
-
- [hyprland](https://github.com/hyprwm/hyprland), a dynamic tiling Wayland compositor that doesn't sacrifice on its looks. Available as [programs.hyprland](#opt-programs.hyprland.enable).
-
- [minipro](https://gitlab.com/DavidGriffith/minipro/), an open source program for controlling the MiniPRO TL866xx series of chip programmers. Available as [programs.minipro](options.html#opt-programs.minipro.enable).
-
- [stevenblack-blocklist](https://github.com/StevenBlack/hosts), A unified hosts file with base extensions for blocking unwanted websites. Available as [networking.stevenblack](options.html#opt-networking.stevenblack.enable).
-
- [Budgie Desktop](https://github.com/BuddiesOfBudgie/budgie-desktop), a familiar, modern desktop environment. Available as [services.xserver.desktopManager.budgie](options.html#opt-services.xserver.desktopManager.budgie).
-
- [imaginary](https://github.com/h2non/imaginary), a microservice for high-level image processing that Nextcloud can use to generate previews. Available as [services.imaginary](#opt-services.imaginary.enable).
-
- [opensearch](https://opensearch.org), a search server alternative to Elasticsearch. Available as [services.opensearch](options.html#opt-services.opensearch.enable).
-
- [kavita](https://kavitareader.com), a self-hosted digital library. Available as [services.kavita](options.html#opt-services.kavita.enable).
-
- [monica](https://www.monicahq.com), an open source personal CRM. Available as [services.monica](options.html#opt-services.monica.enable).
-
- [authelia](https://www.authelia.com/), is an open-source authentication and authorization server. Available under [services.authelia](options.html#opt-services.authelia.enable).
-
- [goeland](https://github.com/slurdge/goeland), an alternative to rss2email written in golang with many filters. Available as [services.goeland](#opt-services.goeland.enable).
-
- [alertmanager-irc-relay](https://github.com/google/alertmanager-irc-relay), a Prometheus Alertmanager IRC Relay. Available as [services.prometheus.alertmanagerIrcRelay](options.html#opt-services.prometheus.alertmanagerIrcRelay.enable).
-
- [tts](https://github.com/coqui-ai/TTS), a battle-tested deep learning toolkit for Text-to-Speech. Multiple servers may be configured below [services.tts.servers](#opt-services.tts.servers).
-
- [atuin](https://github.com/ellie/atuin), a sync server for shell history. Available as [services.atuin](#opt-services.atuin.enable).
-
- [esphome](https://esphome.io), a dashboard to configure ESP8266/ESP32 devices for use with Home Automation systems. Available as [services.esphome](#opt-services.esphome.enable).
-
- [networkd-dispatcher](https://gitlab.com/craftyguy/networkd-dispatcher), a dispatcher service for systemd-networkd connection status changes. Available as [services.networkd-dispatcher](#opt-services.networkd-dispatcher.enable).
+- [goeland](https://github.com/slurdge/goeland), an alternative to rss2email written in Golang with many filters. Available as [services.goeland](#opt-services.goeland.enable).

 - [gonic](https://github.com/sentriz/gonic), a Subsonic music streaming server. Available as [services.gonic](#opt-services.gonic.enable).

- [mmsd](https://gitlab.com/kop316/mmsd), a lower level daemon that transmits and receives MMSes. Available as [services.mmsd](#opt-services.mmsd.enable).
+- [hardware.ipu6](#opt-hardware.ipu6.enable), drivers for IPU6 based webcams on Intel Tiger Lake and Alder Lake.

- [QDMR](https://dm3mat.darc.de/qdmr/), a GUI application and command line tool for programming DMR radios [programs.qdmr](#opt-programs.qdmr.enable)
+- [harmonia](https://github.com/nix-community/harmonia/), a Nix binary cache implemented in Rust using [libnixstore](https://docs.rs/libnixstore/latest/libnixstore/). Available as [services.harmonia](options.html#opt-services.harmonia.enable).

- [keyd](https://github.com/rvaiya/keyd), a key remapping daemon for linux. Available as [services.keyd](#opt-services.keyd.enable).
+- [hyprland](https://github.com/hyprwm/hyprland), a dynamic tiling Wayland compositor that doesn't sacrifice on its looks. Available as [programs.hyprland](#opt-programs.hyprland.enable).

- [consul-template](https://github.com/hashicorp/consul-template/), a template rendering, notifier, and supervisor for HashiCorp Consul and Vault data. Available as [services.consul-template](#opt-services.consul-template.instances).
-
- [vault-agent](https://developer.hashicorp.com/vault/docs/agent), a template rendering and API auth proxy for HashiCorp Vault, similar to `consul-template`. Available as [services.vault-agent](#opt-services.vault-agent.instances).
-
- [trippy](https://github.com/fujiapple852/trippy), a network diagnostic tool. Available as [programs.trippy](#opt-programs.trippy.enable).
-
- [v2rayA](https://v2raya.org), a Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel. Available as [services.v2raya](options.html#opt-services.v2raya.enable).
-
- [rshim](https://github.com/Mellanox/rshim-user-space), the user-space rshim driver for the BlueField SoC. Available as [services.rshim](options.html#opt-services.rshim.enable).
-
- [wstunnel](https://github.com/erebe/wstunnel), a proxy tunnelling arbitrary TCP or UDP traffic through a WebSocket connection. Instances may be configured via [services.wstunnel](options.html#opt-services.wstunnel.enable).
-
- [ulogd](https://www.netfilter.org/projects/ulogd/index.html), a userspace logging daemon for netfilter/iptables related logging. Available as [services.ulogd](options.html#opt-services.ulogd.enable).
-
- [PufferPanel](https://pufferpanel.com), game server management panel designed to be easy to use. Available as [services.pufferpanel](#opt-services.pufferpanel.enable).
-
- [jellyseerr](https://github.com/Fallenbagel/jellyseerr), a web-based requests manager for Jellyfin, forked from Overseerr. Available as [services.jellyseerr](#opt-services.jellyseerr.enable).
-
- [stargazer](https://sr.ht/~zethra/stargazer/), a fast and easy to use Gemini server. Available as [services.stargazer](#opt-services.stargazer.enable).
-
- [sniffnet](https://github.com/GyulyVGC/sniffnet), an application to monitor your network traffic. Available as [programs.sniffnet](#opt-programs.sniffnet.enable).
-
- [photoprism](https://photoprism.app/), a AI-Powered Photos App for the Decentralized Web. Available as [services.photoprism](options.html#opt-services.photoprism.enable).
-
- [alice-lg](github.com/alice-lg/alice-lg), a looking-glass for BGP sessions. Available as [services.alice-lg](#opt-services.alice-lg.enable).
-
- [birdwatcher](github.com/alice-lg/birdwatcher), a small HTTP server meant to provide an API defined by Barry O'Donovan's birds-eye to the BIRD internet routing daemon. Available as [services.birdwatcher](#opt-services.birdwatcher.enable).
-
- [peroxide](https://github.com/ljanyst/peroxide), a fork of the official [ProtonMail bridge](https://github.com/ProtonMail/proton-bridge) that aims to be similar to [Hydroxide](https://github.com/emersion/hydroxide). Available as [services.peroxide](#opt-services.peroxide.enable).
-
- [autosuspend](https://github.com/languitar/autosuspend), a python daemon that suspends a system if certain conditions are met, or not met.
-
- [sharing](https://github.com/parvardegr/sharing), a command-line tool to share directories and files from the CLI to iOS and Android devices without the need of an extra client app. Available as [programs.sharing](#opt-programs.sharing.enable).
-
- [nimdow](https://github.com/avahe-kellenberger/nimdow), a window manager written in Nim, inspired by dwm.
-
- [trurl](https://github.com/curl/trurl), a command line tool for URL parsing and manipulation.
-
- [wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh), a simple utility to help connect wireguard nodes together in a full mesh topology. Available as [services.wgautomesh](options.html#opt-services.wgautomesh.enable).
-
- [woodpecker-agents](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-agents](#opt-services.woodpecker-agents.agents._name_.enable).
-
- [woodpecker-server](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-server](#opt-services.woodpecker-server.enable).
-
- [lldap](https://github.com/lldap/lldap), a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication. Available as [services.lldap](#opt-services.lldap.enable).
-
- [ReGreet](https://github.com/rharish101/ReGreet), a clean and customizable greeter for greetd. Available as [programs.regreet](#opt-programs.regreet.enable).
-
- [v4l2-relayd](https://git.launchpad.net/v4l2-relayd), a streaming relay for v4l2loopback using gstreamer. Available as [services.v4l2-relayd](#opt-services.v4l2-relayd.instances._name_.enable).
-
- [hardware.ipu6](#opt-hardware.ipu6.enable) adds support for ipu6 based webcams on intel tiger lake and alder lake.
+- [imaginary](https://github.com/h2non/imaginary), a microservice for high-level image processing that Nextcloud can use to generate previews. Available as [services.imaginary](#opt-services.imaginary.enable).

 - [ivpn](https://www.ivpn.net/), a secure, private VPN with fast WireGuard connections. Available as [services.ivpn](#opt-services.ivpn.enable).

+- [vmalert](https://victoriametrics.com/), an alerting engine for VictoriaMetrics. Available as [services.vmalert](#opt-services.vmalert.enable).
+
+- [jellyseerr](https://github.com/Fallenbagel/jellyseerr), a web-based requests manager for Jellyfin, forked from Overseerr. Available as [services.jellyseerr](#opt-services.jellyseerr.enable).
+
+- [kavita](https://kavitareader.com), a self-hosted digital library. Available as [services.kavita](options.html#opt-services.kavita.enable).
+
+- [keyd](https://github.com/rvaiya/keyd), a key remapping daemon for Linux. Available as [services.keyd](#opt-services.keyd.enable).
+
+- [lldap](https://github.com/lldap/lldap), a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication. Available as [services.lldap](#opt-services.lldap.enable).
+
+- [minipro](https://gitlab.com/DavidGriffith/minipro/), an open source program for controlling the MiniPRO TL866xx series of chip programmers. Available as [programs.minipro](options.html#opt-programs.minipro.enable).
+
+- [mmsd](https://gitlab.com/kop316/mmsd), a lower level daemon that transmits and receives MMSes. Available as [services.mmsd](#opt-services.mmsd.enable).
+
+- [monica](https://www.monicahq.com), an open source personal CRM. Available as [services.monica](options.html#opt-services.monica.enable).
+
+- [networkd-dispatcher](https://gitlab.com/craftyguy/networkd-dispatcher), a dispatcher service for systemd-networkd connection status changes. Available as [services.networkd-dispatcher](#opt-services.networkd-dispatcher.enable).
+
+- [nimdow](https://github.com/avahe-kellenberger/nimdow), a window manager written in Nim, inspired by dwm. Available as [services.xserver.windowManager.nimdow.enable](options.html#opt-services.xserver.windowManager.nimdow.enable).
+
+- [opensearch](https://opensearch.org), a search server alternative to Elasticsearch. Available as [services.opensearch](options.html#opt-services.opensearch.enable).
+
 - [openvscode-server](https://github.com/gitpod-io/openvscode-server), run VS Code on a remote machine with access through a modern web browser from any device, anywhere. Available as [services.openvscode-server](#opt-services.openvscode-server.enable).

+- [peroxide](https://github.com/ljanyst/peroxide), a fork of the official [ProtonMail bridge](https://github.com/ProtonMail/proton-bridge) that aims to be similar to [Hydroxide](https://github.com/emersion/hydroxide). Available as [services.peroxide](#opt-services.peroxide.enable).
+
+- [photoprism](https://photoprism.app/), a AI-powered photos app for the decentralized web. Available as [services.photoprism](options.html#opt-services.photoprism.enable).
+
+- [Pixelfed](https://pixelfed.org/), an Instagram-like ActivityPub server. Available as [services.pixelfed](options.html#opt-services.pixelfed.enable).
+
+- [PufferPanel](https://pufferpanel.com), a game server management panel designed to be easy to use. Available as [services.pufferpanel](#opt-services.pufferpanel.enable).
+
+- [QDMR](https://dm3mat.darc.de/qdmr/), a GUI application and command line tool for programming DMR radios [programs.qdmr](#opt-programs.qdmr.enable).
+
+- [readarr](https://github.com/Readarr/Readarr), book manager and automation (Sonarr for ebooks). Available as [services.readarr](options.html#opt-services.readarr.enable).
+
+- [ReGreet](https://github.com/rharish101/ReGreet), a clean and customizable greeter for greetd. Available as [programs.regreet](#opt-programs.regreet.enable).
+
+- [rshim](https://github.com/Mellanox/rshim-user-space), the user-space rshim driver for the BlueField SoC. Available as [services.rshim](options.html#opt-services.rshim.enable).
+
+- [SFTPGo](https://github.com/drakkan/sftpgo), a fully featured and highly configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. Available as [services.sftpgo](options.html#opt-services.sftpgo.enable).
+
+- [sharing](https://github.com/parvardegr/sharing), a command-line tool to share directories and files from the CLI to iOS and Android devices without the need of an extra client app. Available as [programs.sharing](#opt-programs.sharing.enable).
+
+- [sniffnet](https://github.com/GyulyVGC/sniffnet), an application to monitor your network traffic. Available as [programs.sniffnet](#opt-programs.sniffnet.enable).
+
+- [stargazer](https://sr.ht/~zethra/stargazer/), a fast and easy to use Gemini server. Available as [services.stargazer](#opt-services.stargazer.enable).
+
+- [stevenblack-blocklist](https://github.com/StevenBlack/hosts), a unified hosts file with base extensions for blocking unwanted websites. Available as [networking.stevenblack](options.html#opt-networking.stevenblack.enable).
+
+- [systemd-repart](https://www.freedesktop.org/software/systemd/man/systemd-repart.service.html), grow and add partitions to a partition table. Available as [systemd.repart](options.html#opt-systemd.repart) and [boot.initrd.systemd.repart](options.html#opt-boot.initrd.systemd.repart)
+
+- [trippy](https://github.com/fujiapple852/trippy), a network diagnostic tool. Available as [programs.trippy](#opt-programs.trippy.enable).
+
+- [tts](https://github.com/coqui-ai/TTS), a battle-tested deep learning toolkit for Text-to-Speech. Multiple servers may be configured below [services.tts.servers](#opt-services.tts.servers).
+
+- [ulogd](https://www.netfilter.org/projects/ulogd/index.html), a userspace logging daemon for netfilter/iptables related logging. Available as [services.ulogd](options.html#opt-services.ulogd.enable).
+
+- [v2rayA](https://v2raya.org), a Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel. Available as [services.v2raya](options.html#opt-services.v2raya.enable).
+
+- [v4l2-relayd](https://git.launchpad.net/v4l2-relayd), a streaming relay for v4l2loopback using gstreamer. Available as [services.v4l2-relayd](#opt-services.v4l2-relayd.instances._name_.enable).
+
+- [vault-agent](https://developer.hashicorp.com/vault/docs/agent), a template renderer and API auth proxy for HashiCorp Vault, similar to `consul-template`. Available as [services.vault-agent](#opt-services.vault-agent.instances).
+
+- [webhook](https://github.com/adnanh/webhook), a lightweight webhook server. Available as [services.webhook](#opt-services.webhook.enable).
+
+- [wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh), a simple utility to help connect wireguard nodes together in a full mesh topology. Available as [services.wgautomesh](options.html#opt-services.wgautomesh.enable).
+
+- [woodpecker](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-server](#opt-services.woodpecker-server.enable) and [services.woodpecker-agents](#opt-services.woodpecker-agents.agents._name_.enable).
+
+- [wstunnel](https://github.com/erebe/wstunnel), a proxy tunnelling arbitrary TCP or UDP traffic through a WebSocket connection. Available as [services.wstunnel](options.html#opt-services.wstunnel.enable).
+
 ## Backward Incompatibilities {#sec-release-23.05-incompatibilities}

-<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-
- `carnix` and `cratesIO` has been removed due to being unmaintained, use alternatives such as [naersk](https://github.com/nix-community/naersk) and [crate2nix](https://github.com/kolloch/crate2nix) instead.
-
 - `services.asusd` configuration now uses strings instead of structured configuration, as upstream switched to the [RON](https://github.com/ron-rs/ron) configuration format. Support for structured configuration may return when [RON](https://github.com/ron-rs/ron) generation is implemented in nixpkgs.

- `checkInputs` have been renamed to `nativeCheckInputs`, because they behave the same as `nativeBuildInputs` when `doCheck` is set. `checkInputs` now denote a new type of dependencies, added to `buildInputs` when `doCheck` is set. As a rule of thumb, `nativeCheckInputs` are tools on `$PATH` used during the tests, and `checkInputs` are libraries which are linked to executables built as part of the tests. Similarly, `installCheckInputs` are renamed to `nativeInstallCheckInputs`, corresponding to `nativeBuildInputs`, and `installCheckInputs` are a new type of dependencies added to `buildInputs` when `doInstallCheck` is set. (Note that this change will not cause breakage to derivations with `strictDeps` unset, which are most packages except python, rust, ocaml and go packages).
-
- `buildDunePackage` now defaults to `strictDeps = true` which means that any library should go into `buildInputs` or `checkInputs`. Any executable that is run on the building machine should go into `nativeBuildInputs` or `nativeCheckInputs` respectively. Example of executables are `ocaml`, `findlib` and `menhir`. PPXs are libraries which are built by dune and should therefore not go into `nativeBuildInputs`.
-
 - `borgbackup` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as [`services.borgbackup.jobs.<name>.inhibitsSleep`](#opt-services.borgbackup.jobs._name_.inhibitsSleep).

- The `ssh` client tool now disables the `~C` escape sequence by default. This can be re-enabled by setting `EnableEscapeCommandline yes`
+- The `openssh` client now comes with the `~C` escape sequence disabled by default. It can be re-enabled by setting `EnableEscapeCommandline yes`
+
+- The `programs.ssh` client module does not read `/etc/ssh/ssh_known_hosts2` anymore, since this location is [deprecated since 2001](https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2).
+
+- The `services.openssh` server module does not read `~/.ssh/authorized_keys2` anymore, since this location is [deprecated since 2001](https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2).
+
+- MAC-then-encrypt algorithms were removed from the default selection of `services.openssh.settings.Macs`. If you still require these [MACs](https://en.wikipedia.org/wiki/Message_authentication_code), for example when you are relying on libssh2 (e.g. VLC) or the SSH library shipped on the iPhone, you can re-add them like this:
+
+  ```nix
+  services.openssh.settings.Macs = [
+    "hmac-sha2-512"
+    "hmac-sha2-256"
+    "umac-128@openssh.com"
+  };
+  ```

 - Many `services.syncthing` options have been moved to `services.syncthing.settings`, as part of [RFC 42](https://github.com/NixOS/rfcs/pull/42)'s implementation, see [#226088](https://github.com/NixOS/nixpkgs/pull/226088).

- The `ssh` module does not read `/etc/ssh/ssh_known_hosts2` anymore since this location is [deprecated since 2001](https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2).
-
- The openssh module does not read `~/.ssh/authorized_keys2` anymore since this location is [deprecated since 2001](https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2).
-
 - `podman` now uses the `netavark` network stack. Users will need to delete all of their local containers, images, volumes, etc, by running `podman system reset --force` once before upgrading their systems.

 - `git-bug` has been updated to at least version 0.8.0, which includes backwards incompatible changes. The `git-bug-migration` package can be used to upgrade existing repositories.

- `graylog` has been updated to version 5, which can not be upgraded directly from the previously packaged version 3.3. If you had installed the previously packaged version 3.3, please follow the [upgrade path](https://go2docs.graylog.org/5-0/upgrading_graylog/upgrade_path.htm) from 3.3 to 4.0 to 4.3 to 5.0.
+- `graylog` has been updated to version 5, which can not be updated directly from the previously packaged version 3.3. If you had installed the previously packaged version 3.3, please follow the [upgrade path](https://go2docs.graylog.org/5-0/upgrading_graylog/upgrade_path.htm) from 3.3 to 4.0 to 4.3 to 5.0.
+
+- `buildFHSUserEnv` is now called `buildFHSEnv` and uses FlatPak's Bubblewrap sandboxing tool rather than Nixpkgs' own chrootenv. The old chrootenv-based implemenation is still available via `buildFHSEnvChrootenv` but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs.
+
+
+- `buildFHSUserEnv` is now called `buildFHSEnv` and uses FlatPak's Bubblewrap sandboxing tool rather than Nixpkgs' own chrootenv. The old chrootenv-based implemenation is still available via `buildFHSEnvChrootenv` but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs.

 - `nushell` has been updated to at least version 0.77.0, which includes potential breaking changes in aliases. The old aliases are now available as `old-alias` but it is recommended you migrate to the new format. See [Reworked aliases](https://www.nushell.sh/blog/2023-03-14-nushell_0_77.html#reworked-aliases-breaking-changes-kubouch).

@@ -198,16 +211,16 @@ In addition to numerous new and upgraded packages, this release has the followin

 - `keepassx` and `keepassx2` have been removed, due to upstream [stopping development](https://www.keepassx.org/index.html%3Fp=636.html). Consider [KeePassXC](https://keepassxc.org) as a maintained alternative.

- The [services.kubo.settings](#opt-services.kubo.settings) option is now no longer stateful. If you changed any of the options in [services.kubo.settings](#opt-services.kubo.settings) in the past and then removed them from your NixOS configuration again, those changes are still in your Kubo configuration file but will now be reset to the default. If you're unsure, you may want to make a backup of your configuration file (probably /var/lib/ipfs/config) and compare after the update.
+- The [services.kubo.settings](#opt-services.kubo.settings) option is now no longer stateful. If you changed any of the options in [services.kubo.settings](#opt-services.kubo.settings) in the past and then removed them from your NixOS configuration again, those changes are still in your Kubo configuration file but will now be reset to the default. If you're unsure, you may want to make a backup of your configuration file (probably `/var/lib/ipfs/config`) and compare after the update.

 - The Kubo HTTP API will no longer listen on localhost and will instead only listen on a Unix domain socket by default. Read the [services.kubo.settings.Addresses.API](#opt-services.kubo.settings.Addresses.API) option description for more information.

 - The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services.
  This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from `/etc/ec2-metadata` should now have an `after` dependency on `fetch-ec2-metadata.service`

- The mailman service now defaults to using a randomly generated REST API password instead of a hardcoded one.
+- The mailman service now defaults to using a randomly generated REST API password instead of a hard-coded one.

- `minio` removed support for its legacy filesystem backend in [RELEASE.2022-10-29T06-21-33Z](https://github.com/minio/minio/releases/tag/RELEASE.2022-10-29T06-21-33Z). This means if your storage was created with the old format, minio will no longer start. Unfortunately minio doesn't provide a an automatic migration, they only provide [instructions how to manually convert the node](https://min.io/docs/minio/windows/operations/install-deploy-manage/migrate-fs-gateway.html). To facilitate this migration we keep around the last version that still supports the old filesystem backend as `minio_legacy_fs`. Use it via `services.minio.package = minio_legacy_fs;` to export your data before switching to the new version. See the corresponding [issue](https://github.com/NixOS/nixpkgs/issues/199318) for more details.
+- `minio` removed support for its legacy filesystem backend in [RELEASE.2022-10-29T06-21-33Z](https://github.com/minio/minio/releases/tag/RELEASE.2022-10-29T06-21-33Z). This means if your storage was created with the old format, minio will no longer start. Unfortunately, minio doesn't provide an automatic migration, they only provide [instructions how to manually convert the node](https://min.io/docs/minio/windows/operations/install-deploy-manage/migrate-fs-gateway.html). To facilitate this migration, we keep around the last version that still supports the old filesystem backend as `minio_legacy_fs`. Use it via `services.minio.package = minio_legacy_fs;` to export your data before switching to the new version. See the corresponding [issue](https://github.com/NixOS/nixpkgs/issues/199318) for more details.

 - `services.sourcehut.dispatch` and the corresponding package (`sourcehut.dispatchsrht`) have been removed due to [upstream deprecation](https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/).

@@ -231,15 +244,20 @@ In addition to numerous new and upgraded packages, this release has the followin
  };
  ```

- The [services.snapserver.openFirewall](#opt-services.snapserver.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
+- The default module options for [services.snapserver.openFirewall](#opt-services.snapserver.openFirewall), [services.tmate-ssh-server.openFirewall](#opt-services.tmate-ssh-server.openFirewall) and [services.unifi-video.openFirewall](#opt-services.unifi-video.openFirewall) have been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.

- The [services.tmate-ssh-server.openFirewall](#opt-services.tmate-ssh-server.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
+- The option `i18n.inputMethod.fcitx5.enableRimeData` has been removed. Default RIME data is now included in `fcitx5-rime` by default, and can be customized using

- The [services.unifi-video.openFirewall](#opt-services.unifi-video.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
+  ```nix
+  fcitx5-rime.override {
+    rimeDataPkgs = [
+      pkgs.rime-data
+      # ...
+    ];
+  }
+  ```

- The option `i18n.inputMethod.fcitx5.enableRimeData` has been removed. Default RIME data is now included in `fcitx5-rime` by default, and can be customized using `fcitx5-rime.override { rimeDataPkgs = [ pkgs.rime-data, package2, ... ]; }`
-
- The udev hwdb.bin file is now built with systemd-hwdb rather than the [deprecated "udevadm hwdb"](https://github.com/systemd/systemd/pull/25714). This may impact mappings where the same key is defined in multiple matching entries. The updated behavior will select the latest definition in case of conflict. In general, this should be a positive change, as the hwdb source files are designed with this ordering in mind. As an example, the mapping of the HP Dev One keyboard scan code for "mute mic" is corrected by this update. This change may impact users who have worked-around previously incorrect mappings.
+- The `udev` hwdb.bin file is now built with systemd-hwdb rather than the [deprecated "udevadm hwdb"](https://github.com/systemd/systemd/pull/25714). This may impact mappings where the same key is defined in multiple matching entries. The updated behavior will select the latest definition in case of conflict. In general, this should be a positive change, as the hwdb source files are designed with this ordering in mind. As an example, the mapping of the HP Dev One keyboard scan code for "mute mic" is corrected by this update. This change may impact users who have worked-around previously incorrect mappings.

 - Kime has been updated from 2.5.6 to 3.0.2 and the `i18n.inputMethod.kime.config` option has been removed. Users should use `daemonModules`, `iconColor`, and `extraConfig` options under `i18n.inputMethod.kime` instead.

@@ -247,28 +265,22 @@ In addition to numerous new and upgraded packages, this release has the followin

 - `i3status-rust` has been updated from 0.22.0 to 0.30.5, and this brings many changes to its configuration format. Additional information can be found [here](https://github.com/greshake/i3status-rust/blob/v0.30.0/NEWS.md).

- The `wordpress` derivation no longer contains any builtin plugins or themes. If you need them you have to add them back to prevent your site from breaking. You can find them in `wordpressPackages.{plugins,themes}`.
+- The `wordpress` derivation no longer contains any built-in plugins or themes. If you need them, you have to add them back to prevent your site from breaking. You can find them in `wordpressPackages.{plugins,themes}`.

 - `llvmPackages_rocm.llvm` will not contain `clang` or `compiler-rt`. `llvmPackages_rocm.clang` will not contain `llvm`. `llvmPackages_rocm.clangNoCompilerRt` has been removed in favor of using `llvmPackages_rocm.clang-unwrapped`.

- `services.xserver.desktopManager.plasma5.excludePackages` has been moved to `environment.plasma5.excludePackages`, for consistency with other Desktop Environments
+- `services.xserver.desktopManager.plasma5.excludePackages` has been moved to `environment.plasma5.excludePackages`, for consistency with other Desktop Environments.
+
+- `teleport` has been updated from major version 10 to major version 12. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and release notes for versions [11](https://goteleport.com/docs/changelog/#1100) and [12](https://goteleport.com/docs/changelog/#1201). Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 11.x version by setting `services.teleport.package = pkgs.teleport_11`. Afterwards, this option can be removed to upgrade to the default version (12).

 - The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.

- `teleport` has been upgraded from major version 10 to major version 12. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and release notes for versions [11](https://goteleport.com/docs/changelog/#1100) and [12](https://goteleport.com/docs/changelog/#1201). Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 11.x version by setting `services.teleport.package = pkgs.teleport_11`. Afterwards, this option can be removed to upgrade to the default version (12).
-
 - The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.

 - `fail2ban` has been updated to 1.0.2, which has a few breaking changes compared to 0.11.2 ([changelog for 1.0.1](https://github.com/fail2ban/fail2ban/blob/1.0.1/ChangeLog), [changelog for 1.0.2](https://github.com/fail2ban/fail2ban/blob/1.0.2/ChangeLog))

 - `albert` has been updated from 0.17.6 to 0.20.13, and 0.18.0 changed the config format and many plugins ([changelog for 0.18.0](https://github.com/albertlauncher/albert/blob/v0.18.0/CHANGELOG.md))

- Calling `makeSetupHook` without passing a `name` argument is deprecated.
-
- Top-level buildPlatform,hostPlatform,targetPlatform have been deprecated, use stdenv.X instead.
-
- `lib.systems.examples.ghcjs` and consequently `pkgsCross.ghcjs` now use the target triplet `javascript-unknown-ghcjs` instead of `js-unknown-ghcjs`. This has been done to match an [upstream decision](https://gitlab.haskell.org/ghc/ghc/-/commit/6636b670233522f01d002c9b97827d00289dbf5c) to follow Cabal's platform naming more closely. Nixpkgs will also reject `js` as an architecture name.
-
 - `dokuwiki` has been updated from 2023-07-31a (Igor) to 2023-04-04 (Jack Jackrum), which has [completely removed](https://www.dokuwiki.org/changes#release_2023-04-04_jack_jackrum) the options to embed HTML and PHP for security reasons. The [htmlok plugin](https://www.dokuwiki.org/plugin:htmlok) can be used to regain this functionality.

 - The old unsupported version 6.x of the ELK-stack and Elastic beats have been removed. Use OpenSearch instead.
@@ -279,10 +291,6 @@ In addition to numerous new and upgraded packages, this release has the followin

 - The [services.wordpress.sites.&lt;name&gt;.plugins](#opt-services.wordpress.sites._name_.plugins) and [services.wordpress.sites.&lt;name&gt;.themes](#opt-services.wordpress.sites._name_.themes) options have been converted from sets to attribute sets to allow for consumers to specify explicit install paths via attribute name.

- [`services.nextcloud.database.createLocally`](#opt-services.nextcloud.database.createLocally) now uses socket authentication and is no longer compatible with password authentication.
-  - If you want the module to manage the database for you, unset [`services.nextcloud.config.dbpassFile`](#opt-services.nextcloud.config.dbpassFile) (and [`services.nextcloud.config.dbhost`](#opt-services.nextcloud.config.dbhost), if it's set).
-  - If you want to use password authentication **and** create the database locally, you will have to use [`services.mysql`](#opt-services.mysql.enable) to set it up.
-
 - `protonmail-bridge` package has been updated to major version 3.

 - Nebula now runs as a system user and group created for each nebula network, using the `CAP_NET_ADMIN` ambient capability on launch rather than starting as root. Ensure that any files each Nebula instance needs to access are owned by the correct user and group, by default `nebula-${networkName}`.
@@ -291,26 +299,20 @@ In addition to numerous new and upgraded packages, this release has the followin

 - In `mastodon` it is now necessary to specify location of file with `PostgreSQL` database password. In `services.mastodon.database.passwordFile` parameter default value `/var/lib/mastodon/secrets/db-password` has been changed to `null`.

- The `--target-host` and `--build-host` options of `nixos-rebuild` no longer treat the `localhost` value specially – to build on/deploy to local machine, omit the relevant flag.
-
 - The `nix.readOnlyStore` option has been renamed to `boot.readOnlyNixStore` to clarify that it configures the NixOS boot process, not the Nix daemon.

- Deprecated `xlibsWrapper` transitional package has been removed in favour of direct use of its constituents: `xorg.libX11`, `freetype` and others.
-
 - The latest available version of Nextcloud is v26 (available as `pkgs.nextcloud26`) which uses PHP 8.2 as interpreter by default. The installation logic is as follows:
  - If `system.stateVersion` is >=23.05, `pkgs.nextcloud26` will be installed by default.
  - If `system.stateVersion` is >=22.11, `pkgs.nextcloud25` will be installed by default.
  - Please note that an upgrade from v24 (or older) to v26 directly is not possible. Please upgrade to `nextcloud25` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud25;`](options.html#opt-services.nextcloud.package).
  - It's recommended to use the latest version available (i.e. v26) and to specify that using `services.nextcloud.package`.

- .NET 5.0 and .NET 3.1 were removed due to being end-of-life, use a newer, supported .NET version - https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core
+- .NET 5.0 and .NET 3.1 were removed due to being end-of-life, use a newer, supported .NET version. Visit the  [Support Policy](https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core) for more information.

 - The iputils package, which is installed by default, no longer provides the
-  `ninfod`, `rarpd` and `rdisc` tools. See
-  [upstream's release notes](https://github.com/iputils/iputils/releases/tag/20221126)
-  for more details and available replacements.
+  `ninfod`, `rarpd` and `rdisc` tools. See [upstream's release notes](https://github.com/iputils/iputils/releases/tag/20221126) for more details and available replacements.

- The ppp plugin `rp-pppoe.so` has been renamed to `pppoe.so` in ppp 2.4.9. Starting from ppp 2.5.0, there is no longer a alias for backwards compatibility. Configurations that use this plugin must be updated accordingly from `plugin rp-pppoe.so` to `plugin pppoe.so`. See [upstream change](https://github.com/ppp-project/ppp/commit/610a7bd76eb1f99f22317541b35001b1e24877ed).
+- The ppp plugin `rp-pppoe.so` has been renamed to `pppoe.so` in ppp 2.4.9. Starting from ppp 2.5.0, there is no longer an alias for backwards compatibility. Configurations that use this plugin must be updated accordingly from `plugin rp-pppoe.so` to `plugin pppoe.so`. See [upstream change](https://github.com/ppp-project/ppp/commit/610a7bd76eb1f99f22317541b35001b1e24877ed).

 - [services.xserver.videoDrivers](options.html#opt-services.xserver.videoDrivers) now defaults to the `modesetting` driver over device-specific ones. The `radeon`, `amdgpu` and `nouveau` drivers are still available, but effectively unmaintained and not recommended for use.

@@ -320,7 +322,7 @@ In addition to numerous new and upgraded packages, this release has the followin

 - In `services.fail2ban`, `bantime-increment.<name>` options now default to `null` (except `bantime-increment.enable`) and are used to set the corresponding option in `jail.local` only if not `null`. Also, enforce that `bantime-increment.formula` and `bantime-increment.multipliers` are not both specified.

- The default Asterisk package was changed to v20 from v19. Asterisk versions 16 and 19 have been dropped due to being EOL. You may need to update /var/lib/asterisk to match the template files in `${asterisk-20}/var/lib/asterisk`.
+- The default `asterisk` package was changed to v20 from v19. Asterisk versions 16 and 19 have been dropped due to being EOL. You may need to update /var/lib/asterisk to match the template files in `${asterisk-20}/var/lib/asterisk`.

 - conntrack helper autodetection has been removed from kernels 6.0 and up upstream, and an assertion was added to ensure things don't silently stop working. Migrate your configuration to assign helpers explicitly or use an older LTS kernel branch as a temporary workaround.

@@ -338,7 +340,7 @@ In addition to numerous new and upgraded packages, this release has the followin

 - The `qlandkartegt` and `garmindev` packages were removed due to being unmaintained and insecure.

- `go-ethereum` package has been updated to v1.11.5 and the `puppeth` command is no longer available as of v1.11.0.
+- The `go-ethereum` package has been updated to v1.11.5 and the `puppeth` command is no longer available as of v1.11.0.

 - The `pnpm` package has be updated to from version 7.29.1 to version 8.1.1 and Node.js 14 support has been discontinued (though, there are workarounds if Node.js 14 is still required)
  - Migration instructions: ["Before updating pnpm to v8 in your CI, regenerate your pnpm-lock.yaml. To upgrade your lockfile, run pnpm install and commit the changes. Existing dependencies will not be updated; however, due to configuration changes in pnpm v8, some missing peer dependencies may be added to the lockfile and some packages may get deduplicated. You can commit the new lockfile even before upgrading Node.js in the CI, as pnpm v7 already supports the new lockfile format."](https://github.com/pnpm/pnpm/releases/tag/v8.0.0)
@@ -347,21 +349,19 @@ In addition to numerous new and upgraded packages, this release has the followin

 - The `pict-rs` package was updated from an 0.3 alpha release to 0.3 stable, and related environment variables now require two underscores instead of one.

+- The `shattered-pixel-dungeon` game was updated from 1.1.2 to 2.0.2.
+  - The location of game data has changed. To migrate it, run `mv ~/.shatteredpixel ~/.local/share/.shatteredpixel`
+  - The update will delete all your in-progress games.
+
 - `espanso` has been updated to major version 2. Therefore, migration steps may need to be performed. See [the official migration instructions](https://espanso.org/docs/migration/overview/) for how to perform these migrations. Further, `espanso-wayland` can now be used for Wayland support.

+- Only `k3s` version 1.26 is included. Users of the `k3s_1_24` or `k3s_1_25` packages should upgrade to use the `1.26` version of the package.
+
 ## Other Notable Changes {#sec-release-23.05-notable-changes}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- `vim_configurable` has been renamed to `vim-full` to avoid confusion: `vim-full`'s build-time features are configurable, but both `vim` and `vim-full` are _customizable_ (in the sense of user configuration, like vimrc).
-
- Pantheon now defaults to Mutter 43 and GNOME settings daemon 43, all Pantheon packages are now tracking elementary OS 7 updates.
-
- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)
-
- The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package)
-
- A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follows:
+- To follow [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) a few options of `openssh` have been moved from `extraConfig` to the new freeform option `settings` and renamed, e.g.:
  - `services.openssh.forwardX11` to `services.openssh.settings.X11Forwarding`
  - `services.openssh.kbdInteractiveAuthentication` -> `services.openssh.settings.KbdInteractiveAuthentication`
  - `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`
@@ -373,18 +373,21 @@ In addition to numerous new and upgraded packages, this release has the followin
  - `services.openssh.ciphers` to `services.openssh.settings.Ciphers`
  - `services.openssh.gatewayPorts` to `services.openssh.settings.GatewayPorts`

+
+- `vim_configurable` has been renamed to `vim-full` to avoid confusion: `vim-full`'s build-time features are configurable, but both `vim` and `vim-full` are _customizable_ (in the sense of user configuration, like vimrc).
+
+- Pantheon now defaults to Mutter 43 and GNOME settings daemon 43, all Pantheon packages are now tracking elementary OS 7 updates.
+
+- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)
+
+- The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package)
+
 - `netbox` was updated to 3.5. NixOS' `services.netbox.package` still defaults to 3.3 if `stateVersion` is earlier than 23.05. Please review upstream's breaking changes [for 3.4.0](https://github.com/netbox-community/netbox/releases/tag/v3.4.0) and [for 3.5.0](https://github.com/netbox-community/netbox/releases/tag/v3.5.0), and upgrade NetBox by changing `services.netbox.package`. Database migrations will be run automatically.

 - `services.netbox` now support RFC42-style options, through `services.netbox.settings`.

 - `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.

- DocBook option documentation, which has been deprecated since 22.11, will now cause a warning when documentation is built. Out-of-tree modules should migrate to using CommonMark documentation as outlined in [](#sec-option-declarations) to silence this warning.
-
-  DocBook option documentation support will be removed in the next release and CommonMark will become the default. DocBook option documentation that has not been migrated until then will no longer render properly or cause errors.
-
- NixOS now defaults to using nsncd (a non-caching reimplementation in Rust) as NSS lookup dispatcher, instead of the buggy and deprecated glibc-provided nscd. If you need to switch back, set `services.nscd.enableNsncd = false`, but please open an issue in nixpkgs so your issue can be fixed.
-
 - `services.borgmatic` now allows for multiple configurations, placed in `/etc/borgmatic.d/`, you can define them with `services.borgmatic.configurations`.

 - `service.openafsServer` features a new backup server `pkgs.fabs` as a
@@ -402,8 +405,6 @@ In addition to numerous new and upgraded packages, this release has the followin
  `services.dnsmasq.extraConfig` will be deprecated when NixOS 22.11 reaches
  end of life.

- `kube3d` has now been renamed to `k3d` since the 3d editor that originally took that name has been dropped from nixpkgs. `kube3d` will continue to work as an alias for now.
-
 - The `dokuwiki` service is now configured via `services.dokuwiki.sites.<name>.settings` attribute set; `extraConfig` has been removed.
  The `{aclUse,superUser,disableActions}` attributes have been renamed accordingly. `pluginsConfig` now only accepts an attribute set of booleans.
  Passing plain PHP is no longer possible.
@@ -419,106 +420,88 @@ In addition to numerous new and upgraded packages, this release has the followin

 - The minimal ISO image now uses the `nixos/modules/profiles/minimal.nix` profile.

+- NixOS installer ISOs can now be built for `powerpc64le-linux`; see `nixos/modules/installer/sd-card/sd-image-powerpc64le.nix` and [PR 192672](https://github.com/NixOS/nixpkgs/pull/192672).  Hydra does not support this platform, so you must build the binaries yourself.
+
 - The `ghcWithPackages` and `ghcWithHoogle` wrappers will now also symlink GHC's
  and all included libraries' documentation to `$out/share/doc` for convenience.
  If undesired, the old behavior can be restored by overriding the builders with
  `{ installDocumentation = false; }`.

- The new option `networking.nftables.checkRuleset` controls whether the ruleset is checked for syntax or not during build.  It is `true` by default.  The check might fail because it is in a sandbox environment.  To circumvent this, the ruleset file can be edited using the `networking.nftables.preCheckRuleset` option.
+- The nftables module now validates its ruleset at build time. The new `networking.nftables.checkRuleset` option allows disabling this check, which may fail when rules have very specific requirements, that the sandbox environment, by default, will not cover. The `networking.nftables.preCheckRuleset` option can be used to prepare the environment before the checks are run.

- `mastodon` now supports connection to a remote `PostgreSQL` database.
+- The `services.mastodon` module now supports connection to a remote `PostgreSQL` database.

- `nextcloud` has an option to enable SSE-C in S3.
+- [`services.nextcloud.database.createLocally`](#opt-services.nextcloud.database.createLocally) now uses socket authentication and is no longer compatible with password authentication.
+  - If you want the module to manage the database for you, unset [`services.nextcloud.config.dbpassFile`](#opt-services.nextcloud.config.dbpassFile) (and [`services.nextcloud.config.dbhost`](#opt-services.nextcloud.config.dbhost), if it's set).
+  - If you want to use password authentication **and** create the database locally, you will have to use [`services.mysql`](#opt-services.mysql.enable) to set it up.

- NixOS swap partitions with random encryption can now control the sector size, cipher, and key size used to setup the plain encryption device over the
-  underlying block device rather than allowing them to be determined by `cryptsetup(8)`. One can use these features like so:
+- [`services.nextcloud.config.objectstore.s3.sseCKeyFile`](#opt-services.nextcloud.config.objectstore.s3.sseCKeyFile) is a new option to enable server-side encryption with customer provided keys (SSE-C) for your S3 in Nextcloud.
+
+- NixOS swap partitions with random encryption can now control the sector size, cipher, and key size used to set up the plain encryption device over the underlying block device rather than allowing them to be determined by `cryptsetup(8)`. One can use these features like so:

  ```nix
-  {
-    swapDevices = [
-      {
-        device = "/dev/disk/by-partlabel/swapspace";
-
-        randomEncryption = {
-          enable = true;
-          cipher = "aes-xts-plain64";
-          keySize = 512;
-          sectorSize = 4096;
-        };
-      }
-    ];
-  }
+  swapDevices = [ {
+    device = "/dev/disk/by-partlabel/swapspace";
+    randomEncryption = {
+      enable = true;
+      cipher = "aes-xts-plain64";
+      keySize = 512;
+      sectorSize = 4096;
+    };
+  } ];
  ```

 - New option `security.pam.zfs` to enable unlocking and mounting of encrypted ZFS home dataset at login.

- `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`.
-  Before upgrading, read the release notes for PeerTube:
-    - [Release v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0)
-
-  And backup your data.
+- `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`.  Before upgrading, check the release notes for [PeerTube v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0).And backup your data.

 - `services.chronyd` is now started with additional systemd sandbox/hardening options for better security.

- PostgreSQL has opt-in support for [JIT compilation](https://www.postgresql.org/docs/current/jit-reason.html). It can be enabled like this:
+- PostgreSQL has added opt-in support for [JIT compilation](https://www.postgresql.org/docs/current/jit-reason.html). It can be enabled like this:
  ```nix
-  {
-    services.postgresql = {
-      enable = true;
-      enableJIT = true;
-    };
-  }
+  services.postgresql.enableJIT = true;
  ```

- `services.netdata` offers a `deadlineBeforeStopSec` option which enable users who have netdata instance that takes time to initialize to not have systemd kill them for no reason.
+- `services.netdata` offers a [`services.netdata.deadlineBeforeStopSec`](#opt-services.netdata.deadlineBeforeStopSec) option which will control the deadline (in seconds) after which systemd will consider your netdata instance as dead if it didn't start in the elapsed time. It is helpful when your netdata instance takes longer to start because of a large amount of state or upgrades.

- `services.dhcpcd` service now don't solicit or accept IPv6 Router Advertisements on interfaces that use static IPv6 addresses.
-  If network uses both IPv6 Unique local addresses (ULA) and global IPv6 address auto-configuration with SLAAC, must add the parameter `networking.dhcpcd.IPv6rs = true;`.
+- `services.dhcpcd` service stopped soliciting or accepting IPv6 Router Advertisements on interfaces that use static IPv6 addresses.
+  If your network provides both IPv6 unique local addresses (ULA) and globally unique addresses (GUA) through autoconfiguration with SLAAC, you must add the parameter `networking.dhcpcd.IPv6rs = true;`.

 - The module `services.headscale` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed:

-  - Most settings has been migrated under [services.headscale.settings](#opt-services.headscale.settings) which is an attribute-set that
-    will be converted into headscale's YAML config format. This means that the configuration from
-    [headscale's example configuration](https://github.com/juanfont/headscale/blob/main/config-example.yaml)
-    can be directly written as attribute-set in Nix within this option.
+  - Most settings have been migrated below [services.headscale.settings](#opt-services.headscale.settings) which is a freeform attribute-set that will be converted into headscale's YAML config format. This means that the configuration from [headscale's example configuration](https://github.com/juanfont/headscale/blob/main/config-example.yaml) can be directly written as attribute-set in Nix within this option.

 - `services.kubo` now unmounts `ipfsMountDir` and `ipnsMountDir` even if it is killed unexpectedly when `autoMount` is enabled.

- `nixos/lib/make-disk-image.nix` can now mutate EFI variables, run user-provided EFI firmware or variable templates. This is now extensively documented in the NixOS manual.
-
- `services.grafana` listens only on localhost by default again. This was changed to upstreams default of `0.0.0.0` by accident in the freeform setting conversion.
+- `services.grafana` listens only on localhost by default again. This was changed to the upstream default of `0.0.0.0` by accident in the freeform setting conversion.

 - Grafana Tempo has been updated to version 2.0. See the [upstream upgrade guide](https://grafana.com/docs/tempo/latest/release-notes/v2-0/#upgrade-considerations) for migration instructions.

- A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm).
+- A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple Silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=23.05&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm).

 - The new option `users.motdFile` allows configuring a Message Of The Day that can be updated dynamically.

 - The `root` package is now built with the `"-Dgnuinstall=ON"` CMake flag, making the output conform the `bin` `lib` `share` layout. In this layout, `tutorials` is under `share/doc/ROOT/`; `cmake`, `font`, `icons`, `js` and `macro` under `share/root`; `Makefile.comp` and `Makefile.config` under `etc/root`.

- Enabling global redirect in `services.nginx.virtualHosts` now allows one to add exceptions with the `locations` option.
+- There are various new options in the `services.nginx` module:
+    - Enabling global redirect in `services.nginx.virtualHosts` now allows one to add exceptions with the `locations` option.
+    - The `proxyCachePath` option has been added to `services.nginx`. It allows configuring the [`proxy_cache_path`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path), that configures the storage path and various other settings for the cache.
+    - A new option `recommendedBrotliSettings` has been added to `services.nginx`. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md).
+    - `services.nginx.recommendedProxySettings` now removes the `Connection` header preventing clients from closing backend connections.

- A new option `proxyCachePath` has been added to `services.nginx`. Learn more about proxy_cache_path: <https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path>.
-
- A new option `recommendedBrotliSettings` has been added to `services.nginx`. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md).
-
- Updated recommended settings in `services.nginx.recommendedGzipSettings`:
+- The nginx module also received an update to `services.nginx.recommendedGzipSettings`:
  - Enables gzip compression for only certain proxied requests.
  - Allow checking and loading of precompressed files.
  - Updated gzip mime-types.
  - Increased the minimum length of a response that will be gzipped.

- [Garage](https://garagehq.deuxfleurs.fr/) version is based on [system.stateVersion](options.html#opt-system.stateVersion), existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow [upstream instructions](https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/) and force [services.garage.package](options.html#opt-services.garage.package) or upgrade accordingly [system.stateVersion](options.html#opt-system.stateVersion).
+- [Garage](https://garagehq.deuxfleurs.fr/) version is based on [system.stateVersion](options.html#opt-system.stateVersion), existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow [upstream instructions](https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/) and configure [services.garage.package](options.html#opt-services.garage.package).

 - Nebula now supports the `services.nebula.networks.<name>.isRelay` and `services.nebula.networks.<name>.relays` configuration options for setting up or allowing traffic relaying. See the [announcement](https://www.defined.net/blog/announcing-relay-support-in-nebula/) for more details about relays.

- `hip` has been separated into `hip`, `hip-common` and `hipcc`.
-
- `services.nginx.recommendedProxySettings` now removes the `Connection` header preventing clients from closing backend connections.
-
 - Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.

- The `firewall` and `nat` module now has a nftables based implementation. Enable `networking.nftables` to use it.
+- The `firewall` and `nat` modules can now optionally rely on an nftables based implementation. Enable `networking.nftables` to use it.

 - The `services.fwupd` module now allows arbitrary daemon settings to be configured in a structured manner ([`services.fwupd.daemonSettings`](#opt-services.fwupd.daemonSettings)).

@@ -532,19 +515,13 @@ In addition to numerous new and upgraded packages, this release has the followin
  * `apptainer`: From `github.com/apptainer/apptainer`, which is the new repo after renaming.
  * `singularity`: From `github.com/sylabs/singularity`, which is the fork by Sylabs Inc..

-  `programs.singularity` got a new `package` option to specify which package to use.
-
  `singularity-tools.buildImage` got a new input argument `singularity` to specify which package to use.

 - The new option `programs.singularity.enableFakeroot`, if set to `true`, provides `--fakeroot` support for `apptainer` and `singularity`.

- The `unifi-poller` package and corresponding NixOS module have been renamed to `unpoller` to match upstream.
-
- The `rtsp-simple-server` package and corresponding NixOS module have been renamed to `mediamtx` to match upstream.
-
 - The new option `services.tailscale.useRoutingFeatures` controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to `server`, otherwise if you wish to use an exit node you can set this setting to `client`. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting.

- `openjdk` from version 11 and above is not build with `openjfx` (i.e.: JavaFX) support by default anymore. You can re-enable it by overriding, e.g.: `openjdk11.override { enableJavaFX = true; };`.
+- `openjdk` from versioggn 11 and above is not build with `openjfx` (i.e.: JavaFX) support by default anymore. You can re-enable it by overriding, e.g.: `openjdk11.override { enableJavaFX = true; };`.

 - [Xastir](https://xastir.org/index.php/Main_Page) can now access AX.25 interfaces via the `libax25` package.

@@ -554,23 +531,52 @@ In addition to numerous new and upgraded packages, this release has the followin

 - The option `services.prometheus.exporters.pihole.interval` does not exist anymore and has been removed.

- The option `services.gpsd.device` has been replaced with
-  `services.gpsd.devices`, which supports multiple devices.
+- The option `services.gpsd.device` has been replaced with  `services.gpsd.devices`, which supports multiple devices.

- `k3s` can now be configured with an EnvironmentFile for its systemd service, allowing secrets to be provided without ending up in the Nix Store.
+- `k3s` can now be configured with an `EnvironmentFile` for its systemd service, allowing secrets to be provided without ending up in the Nix Store.

- `gitea` module options have been changed to be RFC042 conforming (i.e. some options were moved to be located under `services.gitea.settings`)
+- The `gitea` module options have been moved into a freeform attribute set below `services.gitea.settings`.

- `boot.initrd.luks.device.<name>` has a new `tryEmptyPassphrase` option, this is useful for OEM's who need to install an encrypted disk with a future settable passphrase
-
- Lisp gained a [manual section](https://nixos.org/manual/nixpkgs/stable/#lisp), documenting a new and backwards incompatible interface. The previous interface will be removed in a future release.
+- `boot.initrd.luks.device.<name>` has a new `tryEmptyPassphrase` option, this is useful for OEMs who need to install an encrypted disk with a future settable passphrase

 - The `bind` module now allows the per-zone `allow-query` setting to be configured (previously it was hard-coded to `any`; it still defaults to `any` to retain compatibility).

- `make-disk-image` handles `contents` arguments that are directories better, fixing a bug where it used to put them in a subdirectory of the intended `target`.
-
 - The option `services.jitsi-videobridge.apis` has been renamed to `colibriRestApi` and turned into a boolean. Setting it to `true` will enable the private rest API, useful for monitoring using `services.prometheus.exporters.jitsi.enable`. Learn more about the API: "[The COLIBRI control interface (/colibri/)](https://github.com/jitsi/jitsi-videobridge/blob/v2.3/doc/rest.md)".

+- Booting from a volume managed by the Stratis storage management daemon is now supported. Use `fileSystems.<name>.stratis.poolUuid` to configure the pool containing the fs.
+
+- Only `k3s` version 1.26 is included. Users of the `k3s_1_24` or `k3s_1_25` packages should upgrade to use the version 1.26 of the package.
+
+## Nixpkgs internals {#sec-release-23.05-nixpkgs-internals}
+
+- `buildDunePackage` now defaults to `strictDeps = true` which means that any library should go into `buildInputs` or `checkInputs`. Any executable that is run on the building machine should go into `nativeBuildInputs` or `nativeCheckInputs` respectively. Example of executables are `ocaml`, `findlib` and `menhir`. PPXs are libraries which are built by dune and should therefore not go into `nativeBuildInputs`.
+
+- `buildFHSUserEnv` is now called `buildFHSEnv` and uses FlatPak's Bubblewrap sandboxing tool rather than Nixpkgs' own chrootenv. The old chrootenv-based implemenation is still available via `buildFHSEnvChrootenv` but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs.
+
+- Top-level `buildPlatform`, `hostPlatform`, `targetPlatform` have been deprecated, use `stdenv.X` instead.
+
+- `carnix` and `cratesIO` has been removed due to being unmaintained, use alternatives such as [naersk](https://github.com/nix-community/naersk) and [crate2nix](https://github.com/kolloch/crate2nix) instead.
+
+- `checkInputs` have been renamed to `nativeCheckInputs`, because they behave the same as `nativeBuildInputs` when `doCheck` is set. `checkInputs` now denote a new type of dependencies, added to `buildInputs` when `doCheck` is set. As a rule of thumb, `nativeCheckInputs` are tools on `$PATH` used during the tests, and `checkInputs` are libraries which are linked to executables built as part of the tests. Similarly, `installCheckInputs` are renamed to `nativeInstallCheckInputs`, corresponding to `nativeBuildInputs`, and `installCheckInputs` are a new type of dependencies added to `buildInputs` when `doInstallCheck` is set. (Note that this change will not cause breakage to derivations with `strictDeps` unset, which are most packages except python, rust, ocaml and go packages).
+
+- DocBook option documentation, which has been deprecated since 22.11, will now cause a warning when documentation is built. Out-of-tree modules should migrate to using CommonMark documentation as outlined in [](#sec-option-declarations) to silence this warning.
+
+  DocBook option documentation support will be removed in the next release and CommonMark will become the default. DocBook option documentation that has not been migrated until then will no longer render properly or cause errors.
+
+- `lib.systems.examples.ghcjs` and consequently `pkgsCross.ghcjs` now use the target triplet `javascript-unknown-ghcjs` instead of `js-unknown-ghcjs`. This has been done to match an [upstream decision](https://gitlab.haskell.org/ghc/ghc/-/commit/6636b670233522f01d002c9b97827d00289dbf5c) to follow Cabal's platform naming more closely. Nixpkgs will also reject `js` as an architecture name.
+
+- Lisp gained a [manual section](https://nixos.org/manual/nixpkgs/stable/#lisp), documenting a new and backwards incompatible interface. The previous interface will be removed in a future release.
+
+- Calling `makeSetupHook` without passing a `name` argument is deprecated.
+
+- `nixos/lib/make-disk-image.nix` handles `contents` arguments that are directories better, fixing a bug where it used to put them in a subdirectory of the intended `target`.
+
+- `nixos/lib/make-disk-image.nix` can now mutate EFI variables, run user-provided EFI firmware or variable templates. This is now extensively documented in the NixOS manual.
+
+- Nixpkgs now uses [IEEE-standard floating point arithmetic](https://github.com/NixOS/nixpkgs/pull/170215) on `powerpc64le-linux`.
+
+- Deprecated `xlibsWrapper` transitional package has been removed in favour of direct use of its constituents: `xorg.libX11`, `freetype` and others.
+
 ## Detailed migration information {#sec-release-23.05-migration}

 ### Pipewire configuration overrides {#sec-release-23.05-migration-pipewire}
--- a/nixos/lib/test-driver/test_driver/driver.py
+++ b/nixos/lib/test-driver/test_driver/driver.py
@@ -163,11 +163,6 @@ class Driver:
                machine.wait_for_shutdown()

    def create_machine(self, args: Dict[str, Any]) -> Machine:
-        rootlog.warning(
-            "Using legacy create_machine(), please instantiate the"
-            "Machine class directly, instead"
-        )
-
        tmp_dir = get_tmp_dir()

        if args.get("startCommand"):
--- a/nixos/lib/test-driver/test_driver/machine.py
+++ b/nixos/lib/test-driver/test_driver/machine.py
@@ -369,8 +369,8 @@ class Machine:
    @staticmethod
    def create_startcommand(args: Dict[str, str]) -> StartCommand:
        rootlog.warning(
-            "Using legacy create_startcommand(),"
-            "please use proper nix test vm instrumentation, instead"
+            "Using legacy create_startcommand(), "
+            "please use proper nix test vm instrumentation, instead "
            "to generate the appropriate nixos test vm qemu startup script"
        )
        hda = None
--- a/nixos/modules/installer/cd-dvd/installation-cd-base.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-base.nix
@@ -21,9 +21,6 @@ with lib;
  # ISO naming.
  isoImage.isoName = "${config.isoImage.isoBaseName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.iso";

-  # BIOS booting
-  isoImage.makeBiosBootable = true;
-
  # EFI booting
  isoImage.makeEfiBootable = true;

--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@@ -442,9 +442,6 @@ let
      fsck.vfat -vn "$out"
    ''; # */

-  # Syslinux (and isolinux) only supports x86-based architectures.
-  canx86BiosBoot = pkgs.stdenv.hostPlatform.isx86;
-
 in

 {
@@ -543,7 +540,17 @@ in
    };

    isoImage.makeBiosBootable = mkOption {
-      default = false;
+      # Before this option was introduced, images were BIOS-bootable if the
+      # hostPlatform was x86-based. This option is enabled by default for
+      # backwards compatibility.
+      #
+      # Also note that syslinux package currently cannot be cross-compiled from
+      # non-x86 platforms, so the default is false on non-x86 build platforms.
+      default = pkgs.stdenv.buildPlatform.isx86 && pkgs.stdenv.hostPlatform.isx86;
+      defaultText = lib.literalMD ''
+        `true` if both build and host platforms are x86-based architectures,
+        e.g. i686 and x86_64.
+      '';
      type = lib.types.bool;
      description = lib.mdDoc ''
        Whether the ISO image should be a BIOS-bootable disk.
@@ -704,6 +711,11 @@ in

  config = {
    assertions = [
+      {
+        # Syslinux (and isolinux) only supports x86-based architectures.
+        assertion = config.isoImage.makeBiosBootable -> pkgs.stdenv.hostPlatform.isx86;
+        message = "BIOS boot is only supported on x86-based architectures.";
+      }
      {
        assertion = !(stringLength config.isoImage.volumeID > 32);
        # https://wiki.osdev.org/ISO_9660#The_Primary_Volume_Descriptor
@@ -722,7 +734,7 @@ in
    boot.loader.grub.enable = false;

    environment.systemPackages =  [ grubPkgs.grub2 grubPkgs.grub2_efi ]
-      ++ optional (config.isoImage.makeBiosBootable && canx86BiosBoot) pkgs.syslinux
+      ++ optional (config.isoImage.makeBiosBootable) pkgs.syslinux
    ;

    # In stage 1 of the boot, mount the CD as the root FS by label so
@@ -773,7 +785,7 @@ in
        { source = pkgs.writeText "version" config.system.nixos.label;
          target = "/version.txt";
        }
-      ] ++ optionals (config.isoImage.makeBiosBootable && canx86BiosBoot) [
+      ] ++ optionals (config.isoImage.makeBiosBootable) [
        { source = config.isoImage.splashImage;
          target = "/isolinux/background.png";
        }
@@ -800,7 +812,7 @@ in
        { source = config.isoImage.efiSplashImage;
          target = "/EFI/boot/efi-background.png";
        }
-      ] ++ optionals (config.boot.loader.grub.memtest86.enable && config.isoImage.makeBiosBootable && canx86BiosBoot) [
+      ] ++ optionals (config.boot.loader.grub.memtest86.enable && config.isoImage.makeBiosBootable) [
        { source = "${pkgs.memtest86plus}/memtest.bin";
          target = "/boot/memtest.bin";
        }
@@ -815,10 +827,10 @@ in
    # Create the ISO image.
    system.build.isoImage = pkgs.callPackage ../../../lib/make-iso9660-image.nix ({
      inherit (config.isoImage) isoName compressImage volumeID contents;
-      bootable = config.isoImage.makeBiosBootable && canx86BiosBoot;
+      bootable = config.isoImage.makeBiosBootable;
      bootImage = "/isolinux/isolinux.bin";
-      syslinux = if config.isoImage.makeBiosBootable && canx86BiosBoot then pkgs.syslinux else null;
-    } // optionalAttrs (config.isoImage.makeUsbBootable && config.isoImage.makeBiosBootable && canx86BiosBoot) {
+      syslinux = if config.isoImage.makeBiosBootable then pkgs.syslinux else null;
+    } // optionalAttrs (config.isoImage.makeUsbBootable && config.isoImage.makeBiosBootable) {
      usbBootable = true;
      isohybridMbrImage = "${pkgs.syslinux}/share/syslinux/isohdpfx.bin";
    } // optionalAttrs config.isoImage.makeEfiBootable {
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -28,6 +28,7 @@ let
    DOCUMENTATION_URL = lib.optionalString (cfg.distroId == "nixos") "https://nixos.org/learn.html";
    SUPPORT_URL = lib.optionalString (cfg.distroId == "nixos") "https://nixos.org/community.html";
    BUG_REPORT_URL = lib.optionalString (cfg.distroId == "nixos") "https://github.com/NixOS/nixpkgs/issues";
+    SUPPORT_END = "2023-12-31";
  } // lib.optionalAttrs (cfg.variant_id != null) {
    VARIANT_ID = cfg.variant_id;
  };
@@ -143,7 +144,7 @@ in
    defaultChannel = mkOption {
      internal = true;
      type = types.str;
-      default = "https://nixos.org/channels/nixos-unstable";
+      default = "https://nixos.org/channels/nixos-23.05";
      description = lib.mdDoc "Default NixOS channel to which the root user is subscribed.";
    };

--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -776,6 +776,7 @@
  ./services/monitoring/uptime-kuma.nix
  ./services/monitoring/uptime.nix
  ./services/monitoring/vmagent.nix
+  ./services/monitoring/vmalert.nix
  ./services/monitoring/vnstat.nix
  ./services/monitoring/zabbix-agent.nix
  ./services/monitoring/zabbix-proxy.nix
@@ -1230,6 +1231,7 @@
  ./services/web-apps/powerdns-admin.nix
  ./services/web-apps/prosody-filer.nix
  ./services/web-apps/restya-board.nix
+  ./services/web-apps/sftpgo.nix
  ./services/web-apps/rss-bridge.nix
  ./services/web-apps/selfoss.nix
  ./services/web-apps/shiori.nix
--- a/nixos/modules/security/pam_mount.nix
+++ b/nixos/modules/security/pam_mount.nix
@@ -167,9 +167,11 @@ in
          <!-- create mount point if not present -->
          <mkmountpoint enable="${if cfg.createMountPoints then "1" else "0"}" remove="${if cfg.removeCreatedMountPoints then "true" else "false"}" />
          <!-- specify the binaries to be called -->
-          <fusemount>${pkgs.fuse}/bin/mount.fuse %(VOLUME) %(MNTPT) -o ${concatStringsSep "," (cfg.fuseMountOptions ++ [ "%(OPTIONS)" ])}</fusemount>
+          <!-- the comma in front of the options is necessary for empty options -->
+          <fusemount>${pkgs.fuse}/bin/mount.fuse %(VOLUME) %(MNTPT) -o ,${concatStringsSep "," (cfg.fuseMountOptions ++ [ "%(OPTIONS)" ])}'</fusemount>
          <fuseumount>${pkgs.fuse}/bin/fusermount -u %(MNTPT)</fuseumount>
-          <cryptmount>${pkgs.pam_mount}/bin/mount.crypt -o ${concatStringsSep "," (cfg.cryptMountOptions ++ [ "%(OPTIONS)" ])} %(VOLUME) %(MNTPT)</cryptmount>
+          <!-- the comma in front of the options is necessary for empty options -->
+          <cryptmount>${pkgs.pam_mount}/bin/mount.crypt -o ,${concatStringsSep "," (cfg.cryptMountOptions ++ [ "%(OPTIONS)" ])} %(VOLUME) %(MNTPT)</cryptmount>
          <cryptumount>${pkgs.pam_mount}/bin/umount.crypt %(MNTPT)</cryptumount>
          <pmvarrun>${pkgs.pam_mount}/bin/pmvarrun -u %(USER) -o %(OPERATION)</pmvarrun>
          ${optionalString oflRequired "<ofl>${fake_ofl}/bin/fake_ofl %(SIGNAL) %(MNTPT)</ofl>"}
--- a/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix
+++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix
@@ -10,171 +10,18 @@
 let
  inherit (lib)
    filterAttrs
-    literalMD
    literalExpression
    mkIf
    mkOption
    mkRemovedOptionModule
    mkRenamedOptionModule
    types
+
    ;

-  cfg =
-    config.services.hercules-ci-agent;
+  cfg = config.services.hercules-ci-agent;

-  format = pkgs.formats.toml { };
-
-  settingsModule = { config, ... }: {
-    freeformType = format.type;
-    options = {
-      apiBaseUrl = mkOption {
-        description = lib.mdDoc ''
-          API base URL that the agent will connect to.
-
-          When using Hercules CI Enterprise, set this to the URL where your
-          Hercules CI server is reachable.
-        '';
-        type = types.str;
-        default = "https://hercules-ci.com";
-      };
-      baseDirectory = mkOption {
-        type = types.path;
-        default = "/var/lib/hercules-ci-agent";
-        description = lib.mdDoc ''
-          State directory (secrets, work directory, etc) for agent
-        '';
-      };
-      concurrentTasks = mkOption {
-        description = lib.mdDoc ''
-          Number of tasks to perform simultaneously.
-
-          A task is a single derivation build, an evaluation or an effect run.
-          At minimum, you need 2 concurrent tasks for `x86_64-linux`
-          in your cluster, to allow for import from derivation.
-
-          `concurrentTasks` can be around the CPU core count or lower if memory is
-          the bottleneck.
-
-          The optimal value depends on the resource consumption characteristics of your workload,
-          including memory usage and in-task parallelism. This is typically determined empirically.
-
-          When scaling, it is generally better to have a double-size machine than two machines,
-          because each split of resources causes inefficiencies; particularly with regards
-          to build latency because of extra downloads.
-        '';
-        type = types.either types.ints.positive (types.enum [ "auto" ]);
-        default = "auto";
-      };
-      labels = mkOption {
-        description = lib.mdDoc ''
-          A key-value map of user data.
-
-          This data will be available to organization members in the dashboard and API.
-
-          The values can be of any TOML type that corresponds to a JSON type, but arrays
-          can not contain tables/objects due to limitations of the TOML library. Values
-          involving arrays of non-primitive types may not be representable currently.
-        '';
-        type = format.type;
-        defaultText = literalExpression ''
-          {
-            agent.source = "..."; # One of "nixpkgs", "flake", "override"
-            lib.version = "...";
-            pkgs.version = "...";
-          }
-        '';
-      };
-      workDirectory = mkOption {
-        description = lib.mdDoc ''
-          The directory in which temporary subdirectories are created for task state. This includes sources for Nix evaluation.
-        '';
-        type = types.path;
-        default = config.baseDirectory + "/work";
-        defaultText = literalExpression ''baseDirectory + "/work"'';
-      };
-      staticSecretsDirectory = mkOption {
-        description = lib.mdDoc ''
-          This is the default directory to look for statically configured secrets like `cluster-join-token.key`.
-
-          See also `clusterJoinTokenPath` and `binaryCachesPath` for fine-grained configuration.
-        '';
-        type = types.path;
-        default = config.baseDirectory + "/secrets";
-        defaultText = literalExpression ''baseDirectory + "/secrets"'';
-      };
-      clusterJoinTokenPath = mkOption {
-        description = lib.mdDoc ''
-          Location of the cluster-join-token.key file.
-
-          You can retrieve the contents of the file when creating a new agent via
-          <https://hercules-ci.com/dashboard>.
-
-          As this value is confidential, it should not be in the store, but
-          installed using other means, such as agenix, NixOps
-          `deployment.keys`, or manual installation.
-
-          The contents of the file are used for authentication between the agent and the API.
-        '';
-        type = types.path;
-        default = config.staticSecretsDirectory + "/cluster-join-token.key";
-        defaultText = literalExpression ''staticSecretsDirectory + "/cluster-join-token.key"'';
-      };
-      binaryCachesPath = mkOption {
-        description = lib.mdDoc ''
-          Path to a JSON file containing binary cache secret keys.
-
-          As these values are confidential, they should not be in the store, but
-          copied over using other means, such as agenix, NixOps
-          `deployment.keys`, or manual installation.
-
-          The format is described on <https://docs.hercules-ci.com/hercules-ci-agent/binary-caches-json/>.
-        '';
-        type = types.path;
-        default = config.staticSecretsDirectory + "/binary-caches.json";
-        defaultText = literalExpression ''staticSecretsDirectory + "/binary-caches.json"'';
-      };
-      secretsJsonPath = mkOption {
-        description = lib.mdDoc ''
-          Path to a JSON file containing secrets for effects.
-
-          As these values are confidential, they should not be in the store, but
-          copied over using other means, such as agenix, NixOps
-          `deployment.keys`, or manual installation.
-
-          The format is described on <https://docs.hercules-ci.com/hercules-ci-agent/secrets-json/>.
-        '';
-        type = types.path;
-        default = config.staticSecretsDirectory + "/secrets.json";
-        defaultText = literalExpression ''staticSecretsDirectory + "/secrets.json"'';
-      };
-    };
-  };
-
-  # TODO (roberth, >=2022) remove
-  checkNix =
-    if !cfg.checkNix
-    then ""
-    else if lib.versionAtLeast config.nix.package.version "2.3.10"
-    then ""
-    else
-      pkgs.stdenv.mkDerivation {
-        name = "hercules-ci-check-system-nix-src";
-        inherit (config.nix.package) src patches;
-        dontConfigure = true;
-        buildPhase = ''
-          echo "Checking in-memory pathInfoCache expiry"
-          if ! grep 'PathInfoCacheValue' src/libstore/store-api.hh >/dev/null; then
-            cat 1>&2 <<EOF
-
-            You are deploying Hercules CI Agent on a system with an incompatible
-            nix-daemon. Please make sure nix.package is set to a Nix version of at
-            least 2.3.10 or a master version more recent than Mar 12, 2020.
-          EOF
-            exit 1
-          fi
-        '';
-        installPhase = "touch $out";
-      };
+  inherit (import ./settings.nix { inherit pkgs lib; }) format settingsModule;

 in
 {
@@ -198,15 +45,6 @@ in
        Support is available at [help@hercules-ci.com](mailto:help@hercules-ci.com).
      '';
    };
-    checkNix = mkOption {
-      type = types.bool;
-      default = true;
-      description = lib.mdDoc ''
-        Whether to make sure that the system's Nix (nix-daemon) is compatible.
-
-        If you set this to false, please keep up with the change log.
-      '';
-    };
    package = mkOption {
      description = lib.mdDoc ''
        Package containing the bin/hercules-ci-agent executable.
@@ -235,7 +73,7 @@ in
    tomlFile = mkOption {
      type = types.path;
      internal = true;
-      defaultText = literalMD "generated `hercules-ci-agent.toml`";
+      defaultText = lib.literalMD "generated `hercules-ci-agent.toml`";
      description = lib.mdDoc ''
        The fully assembled config file.
      '';
@@ -243,7 +81,27 @@ in
  };

  config = mkIf cfg.enable {
-    nix.extraOptions = lib.addContextFrom checkNix ''
+    # Make sure that nix.extraOptions does not override trusted-users
+    assertions = [
+      {
+        assertion =
+          (cfg.settings.nixUserIsTrusted or false) ->
+          builtins.match ".*(^|\n)[ \t]*trusted-users[ \t]*=.*" config.nix.extraOptions == null;
+        message = ''
+          hercules-ci-agent: Please do not set `trusted-users` in `nix.extraOptions`.
+
+          The hercules-ci-agent module by default relies on `nix.settings.trusted-users`
+          to be effectful, but a line like `trusted-users = ...` in `nix.extraOptions`
+          will override the value set in `nix.settings.trusted-users`.
+
+          Instead of setting `trusted-users` in the `nix.extraOptions` string, you should
+          set an option with additive semantics, such as
+           - the NixOS option `nix.settings.trusted-users`, or
+           - the Nix option in the `extraOptions` string, `extra-trusted-users`
+        '';
+      }
+    ];
+    nix.extraOptions = ''
      # A store path that was missing at first may well have finished building,
      # even shortly after the previous lookup. This *also* applies to the daemon.
      narinfo-cache-negative-ttl = 0
@@ -251,14 +109,9 @@ in
    services.hercules-ci-agent = {
      tomlFile =
        format.generate "hercules-ci-agent.toml" cfg.settings;
-
-      settings.labels = {
-        agent.source =
-          if options.services.hercules-ci-agent.package.highestPrio == (lib.modules.mkOptionDefault { }).priority
-          then "nixpkgs"
-          else lib.mkOptionDefault "override";
-        pkgs.version = pkgs.lib.version;
-        lib.version = lib.version;
+      settings.config._module.args = {
+        packageOption = options.services.hercules-ci-agent.package;
+        inherit pkgs;
      };
    };
  };
--- a/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix
+++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/default.nix
@@ -36,8 +36,14 @@ in
        Restart = "on-failure";
        RestartSec = 120;

-        LimitSTACK = 256 * 1024 * 1024;
+        # If a worker goes OOM, don't kill the main process. It needs to
+        # report the failure and it's unlikely to be part of the problem.
        OOMPolicy = "continue";
+
+        # Work around excessive stack use by libstdc++ regex
+        # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86164
+        # A 256 MiB stack allows between 400 KiB and 1.5 MiB file to be matched by ".*".
+        LimitSTACK = 256 * 1024 * 1024;
      };
    };

--- a/nixos/modules/services/continuous-integration/hercules-ci-agent/settings.nix
+++ b/nixos/modules/services/continuous-integration/hercules-ci-agent/settings.nix
@@ -0,0 +1,153 @@
+# Not a module
+{ pkgs, lib }:
+let
+  inherit (lib)
+    types
+    literalExpression
+    mkOption
+    ;
+
+  format = pkgs.formats.toml { };
+
+  settingsModule = { config, packageOption, pkgs, ... }: {
+    freeformType = format.type;
+    options = {
+      apiBaseUrl = mkOption {
+        description = lib.mdDoc ''
+          API base URL that the agent will connect to.
+
+          When using Hercules CI Enterprise, set this to the URL where your
+          Hercules CI server is reachable.
+        '';
+        type = types.str;
+        default = "https://hercules-ci.com";
+      };
+      baseDirectory = mkOption {
+        type = types.path;
+        default = "/var/lib/hercules-ci-agent";
+        description = lib.mdDoc ''
+          State directory (secrets, work directory, etc) for agent
+        '';
+      };
+      concurrentTasks = mkOption {
+        description = lib.mdDoc ''
+          Number of tasks to perform simultaneously.
+
+          A task is a single derivation build, an evaluation or an effect run.
+          At minimum, you need 2 concurrent tasks for `x86_64-linux`
+          in your cluster, to allow for import from derivation.
+
+          `concurrentTasks` can be around the CPU core count or lower if memory is
+          the bottleneck.
+
+          The optimal value depends on the resource consumption characteristics of your workload,
+          including memory usage and in-task parallelism. This is typically determined empirically.
+
+          When scaling, it is generally better to have a double-size machine than two machines,
+          because each split of resources causes inefficiencies; particularly with regards
+          to build latency because of extra downloads.
+        '';
+        type = types.either types.ints.positive (types.enum [ "auto" ]);
+        default = "auto";
+        defaultText = lib.literalMD ''
+          `"auto"`, meaning equal to the number of CPU cores.
+        '';
+      };
+      labels = mkOption {
+        description = lib.mdDoc ''
+          A key-value map of user data.
+
+          This data will be available to organization members in the dashboard and API.
+
+          The values can be of any TOML type that corresponds to a JSON type, but arrays
+          can not contain tables/objects due to limitations of the TOML library. Values
+          involving arrays of non-primitive types may not be representable currently.
+        '';
+        type = format.type;
+        defaultText = literalExpression ''
+          {
+            agent.source = "..."; # One of "nixpkgs", "flake", "override"
+            lib.version = "...";
+            pkgs.version = "...";
+          }
+        '';
+      };
+      workDirectory = mkOption {
+        description = lib.mdDoc ''
+          The directory in which temporary subdirectories are created for task state. This includes sources for Nix evaluation.
+        '';
+        type = types.path;
+        default = config.baseDirectory + "/work";
+        defaultText = literalExpression ''baseDirectory + "/work"'';
+      };
+      staticSecretsDirectory = mkOption {
+        description = lib.mdDoc ''
+          This is the default directory to look for statically configured secrets like `cluster-join-token.key`.
+
+          See also `clusterJoinTokenPath` and `binaryCachesPath` for fine-grained configuration.
+        '';
+        type = types.path;
+        default = config.baseDirectory + "/secrets";
+        defaultText = literalExpression ''baseDirectory + "/secrets"'';
+      };
+      clusterJoinTokenPath = mkOption {
+        description = lib.mdDoc ''
+          Location of the cluster-join-token.key file.
+
+          You can retrieve the contents of the file when creating a new agent via
+          <https://hercules-ci.com/dashboard>.
+
+          As this value is confidential, it should not be in the store, but
+          installed using other means, such as agenix, NixOps
+          `deployment.keys`, or manual installation.
+
+          The contents of the file are used for authentication between the agent and the API.
+        '';
+        type = types.path;
+        default = config.staticSecretsDirectory + "/cluster-join-token.key";
+        defaultText = literalExpression ''staticSecretsDirectory + "/cluster-join-token.key"'';
+      };
+      binaryCachesPath = mkOption {
+        description = lib.mdDoc ''
+          Path to a JSON file containing binary cache secret keys.
+
+          As these values are confidential, they should not be in the store, but
+          copied over using other means, such as agenix, NixOps
+          `deployment.keys`, or manual installation.
+
+          The format is described on <https://docs.hercules-ci.com/hercules-ci-agent/binary-caches-json/>.
+        '';
+        type = types.path;
+        default = config.staticSecretsDirectory + "/binary-caches.json";
+        defaultText = literalExpression ''staticSecretsDirectory + "/binary-caches.json"'';
+      };
+      secretsJsonPath = mkOption {
+        description = lib.mdDoc ''
+          Path to a JSON file containing secrets for effects.
+
+          As these values are confidential, they should not be in the store, but
+          copied over using other means, such as agenix, NixOps
+          `deployment.keys`, or manual installation.
+
+          The format is described on <https://docs.hercules-ci.com/hercules-ci-agent/secrets-json/>.
+        '';
+        type = types.path;
+        default = config.staticSecretsDirectory + "/secrets.json";
+        defaultText = literalExpression ''staticSecretsDirectory + "/secrets.json"'';
+      };
+    };
+    config = {
+      labels = {
+        agent.source =
+          if packageOption.highestPrio == (lib.modules.mkOptionDefault { }).priority
+          then "nixpkgs"
+          else lib.mkOptionDefault "override";
+        pkgs.version = pkgs.lib.version;
+        lib.version = lib.version;
+      };
+    };
+  };
+in
+{
+  inherit format settingsModule;
+}
--- a/nixos/modules/services/mail/maddy.nix
+++ b/nixos/modules/services/mail/maddy.nix
@@ -335,12 +335,13 @@ in {
      };

      secrets = lib.mkOption {
-        type = lib.types.path;
+        type = with types; listOf path;
        description = lib.mdDoc ''
-          A file containing the various secrets. Should be in the format
+          A list of files containing the various secrets. Should be in the format
          expected by systemd's `EnvironmentFile` directory. Secrets can be
          referenced in the format `{env:VAR}`.
        '';
+        default = [ ];
      };

    };
@@ -379,7 +380,7 @@ in {
            User = cfg.user;
            Group = cfg.group;
            StateDirectory = [ "maddy" ];
-            EnvironmentFile = lib.mkIf (cfg.secrets != null) "${cfg.secrets}";
+            EnvironmentFile = cfg.secrets;
          };
          restartTriggers = [ config.environment.etc."maddy/maddy.conf".source ];
          wantedBy = [ "multi-user.target" ];
--- a/nixos/modules/services/matrix/synapse.nix
+++ b/nixos/modules/services/matrix/synapse.nix
@@ -636,6 +636,7 @@ in {

            trusted_key_servers = mkOption {
              type = types.listOf (types.submodule {
+                freeformType = format.type;
                options = {
                  server_name = mkOption {
                    type = types.str;
@@ -644,22 +645,6 @@ in {
                      Hostname of the trusted server.
                    '';
                  };
-
-                  verify_keys = mkOption {
-                    type = types.nullOr (types.attrsOf types.str);
-                    default = null;
-                    example = literalExpression ''
-                      {
-                        "ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
-                      }
-                    '';
-                    description = lib.mdDoc ''
-                      Attribute set from key id to base64 encoded public key.
-
-                      If specified synapse will check that the response is signed
-                      by at least one of the given keys.
-                    '';
-                  };
                };
              });
              default = [ {
--- a/nixos/modules/services/misc/pufferpanel.nix
+++ b/nixos/modules/services/misc/pufferpanel.nix
@@ -19,7 +19,7 @@ in
          services.pufferpanel = {
            enable = true;
            extraPackages = with pkgs; [ bash curl gawk gnutar gzip ];
-            package = pkgs.buildFHSUserEnv {
+            package = pkgs.buildFHSEnv {
              name = "pufferpanel-fhs";
              runScript = lib.getExe pkgs.pufferpanel;
              targetPkgs = pkgs': with pkgs'; [ icu openssl zlib ];
@@ -162,7 +162,7 @@ in
        PrivateUsers = true;
        PrivateDevices = true;
        RestrictRealtime = true;
-        RestrictNamespaces = [ "user" "mnt" ]; # allow buildFHSUserEnv
+        RestrictNamespaces = [ "user" "mnt" ]; # allow buildFHSEnv
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
        LockPersonality = true;
        DeviceAllow = [ "" ];
--- a/nixos/modules/services/monitoring/vmalert.nix
+++ b/nixos/modules/services/monitoring/vmalert.nix
@@ -0,0 +1,136 @@
+{ config, pkgs, lib, ... }: with lib;
+let
+  cfg = config.services.vmalert;
+
+  format = pkgs.formats.yaml {};
+
+  confOpts = concatStringsSep " \\\n" (mapAttrsToList mkLine (filterAttrs (_: v: v != false) cfg.settings));
+  confType = with types;
+    let
+      valueType = oneOf [ bool int path str ];
+    in
+    attrsOf (either valueType (listOf valueType));
+
+  mkLine = key: value:
+    if value == true then "-${key}"
+    else if isList value then concatMapStringsSep " " (v: "-${key}=${escapeShellArg (toString v)}") value
+    else "-${key}=${escapeShellArg (toString value)}"
+  ;
+in
+{
+  # interface
+  options.services.vmalert = {
+    enable = mkEnableOption (mdDoc "vmalert");
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.victoriametrics;
+      defaultText = "pkgs.victoriametrics";
+      description = mdDoc ''
+        The VictoriaMetrics derivation to use.
+      '';
+    };
+
+    settings = mkOption {
+      type = types.submodule {
+        freeformType = confType;
+        options = {
+
+          "datasource.url" = mkOption {
+            type = types.nonEmptyStr;
+            example = "http://localhost:8428";
+            description = mdDoc ''
+              Datasource compatible with Prometheus HTTP API.
+            '';
+          };
+
+          "notifier.url" = mkOption {
+            type = with types; listOf nonEmptyStr;
+            default = [];
+            example = [ "http://127.0.0.1:9093" ];
+            description = mdDoc ''
+              Prometheus Alertmanager URL. List all Alertmanager URLs if it runs in the cluster mode to ensure high availability.
+            '';
+          };
+
+          "rule" = mkOption {
+            type = with types; listOf path;
+            description = mdDoc ''
+              Path to the files with alerting and/or recording rules.
+
+              ::: {.note}
+              Consider using the {option}`services.vmalert.rules` option as a convenient alternative for declaring rules
+              directly in the `nix` language.
+              :::
+            '';
+          };
+
+        };
+      };
+      default = { };
+      example = {
+        "datasource.url" = "http://localhost:8428";
+        "datasource.disableKeepAlive" = true;
+        "datasource.showURL" = false;
+        "rule" = [
+          "http://<some-server-addr>/path/to/rules"
+          "dir/*.yaml"
+        ];
+      };
+      description = mdDoc ''
+        `vmalert` configuration, passed via command line flags. Refer to
+        <https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/app/vmalert/README.md#configuration>
+        for details on supported values.
+      '';
+    };
+
+    rules = mkOption {
+      type = format.type;
+      default = {};
+      example = {
+        group = [
+          { name = "TestGroup";
+            rules = [
+              { alert = "ExampleAlertAlwaysFiring";
+                expr = ''
+                  sum by(job)
+                  (up == 1)
+                '';
+              }
+            ];
+          }
+        ];
+      };
+      description = mdDoc ''
+        A list of the given alerting or recording rules against configured `"datasource.url"` compatible with
+        Prometheus HTTP API for `vmalert` to execute. Refer to
+        <https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/app/vmalert/README.md#rules>
+        for details on supported values.
+      '';
+    };
+  };
+
+  # implementation
+  config = mkIf cfg.enable {
+
+    environment.etc."vmalert/rules.yml".source = format.generate "rules.yml" cfg.rules;
+
+    services.vmalert.settings.rule = [
+      "/etc/vmalert/rules.yml"
+    ];
+
+    systemd.services.vmalert = {
+      description = "vmalert service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      reloadTriggers = [ config.environment.etc."vmalert/rules.yml".source ];
+
+      serviceConfig = {
+        DynamicUser = true;
+        Restart = "on-failure";
+        ExecStart = "${cfg.package}/bin/vmalert ${confOpts}";
+        ExecReload = ''${pkgs.coreutils}/bin/kill -SIGHUP "$MAINPID"'';
+      };
+    };
+  };
+}
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -569,12 +569,27 @@ in
      '';

    assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true;
-                    message = "cannot enable X11 forwarding without setting xauth location";}]
+                    message = "cannot enable X11 forwarding without setting xauth location";}
+                  (let
+                    duplicates =
+                      # Filter out the groups with more than 1 element
+                      lib.filter (l: lib.length l > 1) (
+                        # Grab the groups, we don't care about the group identifiers
+                        lib.attrValues (
+                          # Group the settings that are the same in lower case
+                          lib.groupBy lib.strings.toLower (attrNames cfg.settings)
+                        )
+                      );
+                    formattedDuplicates = lib.concatMapStringsSep ", " (dupl: "(${lib.concatStringsSep ", " dupl})") duplicates;
+                  in
+                  {
+                    assertion = lib.length duplicates == 0;
+                    message = ''Duplicate sshd config key; does your capitalization match the option's? Duplicate keys: ${formattedDuplicates}'';
+                  })]
      ++ forEach cfg.listenAddresses ({ addr, ... }: {
        assertion = addr != null;
        message = "addr must be specified in each listenAddresses entry";
      });
-
  };

 }
--- a/nixos/modules/services/video/mirakurun.nix
+++ b/nixos/modules/services/video/mirakurun.nix
@@ -154,6 +154,9 @@ in
        description = "Mirakurun user";
        group = "video";
        isSystemUser = true;
+
+        # NPM insists on creating ~/.npm
+        home = "/var/cache/mirakurun";
      };

      services.mirakurun.serverSettings = {
@@ -171,9 +174,10 @@ in
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        serviceConfig = {
-          ExecStart = "${mirakurun}/bin/mirakurun-start";
+          ExecStart = "${mirakurun}/bin/mirakurun start";
          User = username;
          Group = groupname;
+          CacheDirectory = "mirakurun";
          RuntimeDirectory="mirakurun";
          StateDirectory="mirakurun";
          Nice = -10;
--- a/nixos/modules/services/web-apps/sftpgo.nix
+++ b/nixos/modules/services/web-apps/sftpgo.nix
@@ -0,0 +1,375 @@
+{ options, config, lib, pkgs, utils, ... }:
+
+with lib;
+
+let
+  cfg = config.services.sftpgo;
+  defaultUser = "sftpgo";
+  settingsFormat = pkgs.formats.json {};
+  configFile = settingsFormat.generate "sftpgo.json" cfg.settings;
+  hasPrivilegedPorts = any (port: port > 0 && port < 1024) (
+    catAttrs "port" (cfg.settings.httpd.bindings
+      ++ cfg.settings.ftpd.bindings
+      ++ cfg.settings.sftpd.bindings
+      ++ cfg.settings.webdavd.bindings
+    )
+  );
+in
+{
+  options.services.sftpgo = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = mdDoc "sftpgo";
+    };
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.sftpgo;
+      defaultText = literalExpression "pkgs.sftpgo";
+      description = mdDoc ''
+        Which SFTPGo package to use.
+      '';
+    };
+
+    extraArgs = mkOption {
+      type = with types; listOf str;
+      default = [];
+      description = mdDoc ''
+        Additional command line arguments to pass to the sftpgo daemon.
+      '';
+      example = [ "--log-level" "info" ];
+    };
+
+    dataDir = mkOption {
+      type = types.str;
+      default = "/var/lib/sftpgo";
+      description = mdDoc ''
+        The directory where SFTPGo stores its data files.
+      '';
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = defaultUser;
+      description = mdDoc ''
+        User account name under which SFTPGo runs.
+      '';
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = defaultUser;
+      description = mdDoc ''
+        Group name under which SFTPGo runs.
+      '';
+    };
+
+    loadDataFile = mkOption {
+      default = null;
+      type = with types; nullOr path;
+      description = mdDoc ''
+        Path to a json file containing users and folders to load (or update) on startup.
+        Check the [documentation](https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md)
+        for the `--loaddata-from` command line argument for more info.
+      '';
+    };
+
+    settings = mkOption {
+      default = {};
+      description = mdDoc ''
+        The primary sftpgo configuration. See the
+        [configuration reference](https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md)
+        for possible values.
+      '';
+      type = with types; submodule {
+        freeformType = settingsFormat.type;
+        options = {
+          httpd.bindings = mkOption {
+            default = [];
+            description = mdDoc ''
+              Configure listen addresses and ports for httpd.
+            '';
+            type = types.listOf (types.submodule {
+              freeformType = settingsFormat.type;
+              options = {
+                address = mkOption {
+                  type = types.str;
+                  default = "127.0.0.1";
+                  description = mdDoc ''
+                    Network listen address. Leave blank to listen on all available network interfaces.
+                    On *NIX you can specify an absolute path to listen on a Unix-domain socket.
+                  '';
+                };
+
+                port = mkOption {
+                  type = types.port;
+                  default = 8080;
+                  description = mdDoc ''
+                    The port for serving HTTP(S) requests.
+
+                    Setting the port to `0` disables listening on this interface binding.
+                  '';
+                };
+
+                enable_web_admin = mkOption {
+                  type = types.bool;
+                  default = true;
+                  description = mdDoc ''
+                    Enable the built-in web admin for this interface binding.
+                  '';
+                };
+
+                enable_web_client = mkOption {
+                  type = types.bool;
+                  default = true;
+                  description = mdDoc ''
+                    Enable the built-in web client for this interface binding.
+                  '';
+                };
+              };
+            });
+          };
+
+          ftpd.bindings = mkOption {
+            default = [];
+            description = mdDoc ''
+              Configure listen addresses and ports for ftpd.
+            '';
+            type = types.listOf (types.submodule {
+              freeformType = settingsFormat.type;
+              options = {
+                address = mkOption {
+                  type = types.str;
+                  default = "127.0.0.1";
+                  description = mdDoc ''
+                    Network listen address. Leave blank to listen on all available network interfaces.
+                    On *NIX you can specify an absolute path to listen on a Unix-domain socket.
+                  '';
+                };
+
+                port = mkOption {
+                  type = types.port;
+                  default = 0;
+                  description = mdDoc ''
+                    The port for serving FTP requests.
+
+                    Setting the port to `0` disables listening on this interface binding.
+                  '';
+                };
+              };
+            });
+          };
+
+          sftpd.bindings = mkOption {
+            default = [];
+            description = mdDoc ''
+              Configure listen addresses and ports for sftpd.
+            '';
+            type = types.listOf (types.submodule {
+              freeformType = settingsFormat.type;
+              options = {
+                address = mkOption {
+                  type = types.str;
+                  default = "127.0.0.1";
+                  description = mdDoc ''
+                    Network listen address. Leave blank to listen on all available network interfaces.
+                    On *NIX you can specify an absolute path to listen on a Unix-domain socket.
+                  '';
+                };
+
+                port = mkOption {
+                  type = types.port;
+                  default = 0;
+                  description = mdDoc ''
+                    The port for serving SFTP requests.
+
+                    Setting the port to `0` disables listening on this interface binding.
+                  '';
+                };
+              };
+            });
+          };
+
+          webdavd.bindings = mkOption {
+            default = [];
+            description = mdDoc ''
+              Configure listen addresses and ports for webdavd.
+            '';
+            type = types.listOf (types.submodule {
+              freeformType = settingsFormat.type;
+              options = {
+                address = mkOption {
+                  type = types.str;
+                  default = "127.0.0.1";
+                  description = mdDoc ''
+                    Network listen address. Leave blank to listen on all available network interfaces.
+                    On *NIX you can specify an absolute path to listen on a Unix-domain socket.
+                  '';
+                };
+
+                port = mkOption {
+                  type = types.port;
+                  default = 0;
+                  description = mdDoc ''
+                    The port for serving WebDAV requests.
+
+                    Setting the port to `0` disables listening on this interface binding.
+                  '';
+                };
+              };
+            });
+          };
+
+          smtp = mkOption {
+            default = {};
+            description = mdDoc ''
+              SMTP configuration section.
+            '';
+            type = types.submodule {
+              freeformType = settingsFormat.type;
+              options = {
+                host = mkOption {
+                  type = types.str;
+                  default = "";
+                  description = mdDoc ''
+                    Location of SMTP email server. Leave empty to disable email sending capabilities.
+                  '';
+                };
+
+                port = mkOption {
+                  type = types.port;
+                  default = 465;
+                  description = mdDoc "Port of the SMTP Server.";
+                };
+
+                encryption = mkOption {
+                  type = types.enum [ 0 1 2 ];
+                  default = 1;
+                  description = mdDoc ''
+                    Encryption scheme:
+                    - `0`: No encryption
+                    - `1`: TLS
+                    - `2`: STARTTLS
+                  '';
+                };
+
+                auth_type = mkOption {
+                  type = types.enum [ 0 1 2 ];
+                  default = 0;
+                  description = mdDoc ''
+                    - `0`: Plain
+                    - `1`: Login
+                    - `2`: CRAM-MD5
+                  '';
+                };
+
+                user = mkOption {
+                  type = types.str;
+                  default = "sftpgo";
+                  description = mdDoc "SMTP username.";
+                };
+
+                from = mkOption {
+                  type = types.str;
+                  default = "SFTPGo <sftpgo@example.com>";
+                  description = mdDoc ''
+                    From address.
+                  '';
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.sftpgo.settings = (mapAttrs (name: mkDefault) {
+      ftpd.bindings = [{ port = 0; }];
+      httpd.bindings = [{ port = 0; }];
+      sftpd.bindings = [{ port = 0; }];
+      webdavd.bindings = [{ port = 0; }];
+      httpd.openapi_path = "${cfg.package}/share/sftpgo/openapi";
+      httpd.templates_path = "${cfg.package}/share/sftpgo/templates";
+      httpd.static_files_path = "${cfg.package}/share/sftpgo/static";
+      smtp.templates_path = "${cfg.package}/share/sftpgo/templates";
+    });
+
+    users = optionalAttrs (cfg.user == defaultUser) {
+      users = {
+        ${defaultUser} = {
+          description = "SFTPGo system user";
+          isSystemUser = true;
+          group = defaultUser;
+          home = cfg.dataDir;
+        };
+      };
+
+      groups = {
+        ${defaultUser} = {
+          members = [ defaultUser ];
+        };
+      };
+    };
+
+    systemd.services.sftpgo = {
+      description = "SFTPGo daemon";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      environment = {
+        SFTPGO_CONFIG_FILE = mkDefault configFile;
+        SFTPGO_LOG_FILE_PATH = mkDefault ""; # log to journal
+        SFTPGO_LOADDATA_FROM = mkIf (cfg.loadDataFile != null) cfg.loadDataFile;
+      };
+
+      serviceConfig = mkMerge [
+        ({
+          Type = "simple";
+          User = cfg.user;
+          Group = cfg.group;
+          WorkingDirectory = cfg.dataDir;
+          ReadWritePaths = [ cfg.dataDir ];
+          LimitNOFILE = 8192; # taken from upstream
+          KillMode = "mixed";
+          ExecStart = "${cfg.package}/bin/sftpgo serve ${utils.escapeSystemdExecArgs cfg.extraArgs}";
+          ExecReload = "${pkgs.util-linux}/bin/kill -s HUP $MAINPID";
+
+          # Service hardening
+          CapabilityBoundingSet = [ (optionalString hasPrivilegedPorts "CAP_NET_BIND_SERVICE") ];
+          DevicePolicy = "closed";
+          LockPersonality = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProtectSystem = "strict";
+          RemoveIPC = true;
+          RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [ "@system-service" "~@privileged" ];
+          UMask = "0077";
+        })
+        (mkIf hasPrivilegedPorts {
+          AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+        })
+        (mkIf (cfg.dataDir == options.services.sftpgo.dataDir.default) {
+          StateDirectory = baseNameOf cfg.dataDir;
+        })
+      ];
+    };
+  };
+}
--- a/nixos/modules/virtualisation/proxmox-image.nix
+++ b/nixos/modules/virtualisation/proxmox-image.nix
@@ -187,20 +187,20 @@ with lib;
          guestAgentSupport = false;
        }).overrideAttrs ( super: rec {

-          version = "7.0.0";
+          version = "7.2.1";
          src = pkgs.fetchurl {
            url= "https://download.qemu.org/qemu-${version}.tar.xz";
-            sha256 = "sha256-9rN1x5UfcoQCeYsLqrsthkeMpT1Eztvvq74cRr9G+Dk=";
+            sha256 = "sha256-jIVpms+dekOl/immTN1WNwsMLRrQdLr3CYqCTReq1zs=";
          };
          patches = [
            # Proxmox' VMA tool is published as a particular patch upon QEMU
            (pkgs.fetchpatch {
              url =
                let
-                  rev = "1976ca460796f28447b41e3618e5c1e234035dd5";
-                  path = "debian/patches/pve/0026-PVE-Backup-add-vma-backup-format-code.patch";
+                  rev = "abb04bb6272c1202ca9face0827917552b9d06f6";
+                  path = "debian/patches/pve/0027-PVE-Backup-add-vma-backup-format-code.patch";
                in "https://git.proxmox.com/?p=pve-qemu.git;a=blob_plain;hb=${rev};f=${path}";
-              hash = "sha256-2Dz+ceTwrcyYYxi76RtyY3v15/2pwGcDhFuoZWlgbjc=";
+              hash = "sha256-3d0HHdvaExCry6zcULnziYnWIAnn24vECkI4sjj2BMg=";
            })

            # Proxmox' VMA tool uses O_DIRECT which fails on tmpfs
@@ -220,6 +220,7 @@ with lib;
          ];

          buildInputs = super.buildInputs ++ [ pkgs.libuuid ];
+          nativeBuildInputs = super.nativeBuildInputs ++ [ pkgs.perl ];

        });
      in
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -863,7 +863,13 @@ in
                  The address must be in the default VLAN (10.0.2.0/24).
              '';
          }
-        ]));
+        ])) ++ [
+          { assertion = pkgs.stdenv.hostPlatform.is32bit -> cfg.memorySize < 2047;
+            message = ''
+              virtualisation.memorySize is above 2047, but qemu is only able to allocate 2047MB RAM on 32bit max.
+            '';
+          }
+        ];

    warnings =
      optional (
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -12,7 +12,7 @@ let

  version = fileContents ../.version;
  versionSuffix =
-    (if stableBranch then "." else "pre") + "${toString nixpkgs.revCount}.${nixpkgs.shortRev}";
+    (if stableBranch then "." else "beta") + "${toString (nixpkgs.revCount - 487364)}.${nixpkgs.shortRev}";

  # Run the tests for each platform.  You can run a test by doing
  # e.g. ‘nix-build release.nix -A tests.login.x86_64-linux’,
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -664,6 +664,7 @@ in {
  seafile = handleTest ./seafile.nix {};
  searx = handleTest ./searx.nix {};
  service-runner = handleTest ./service-runner.nix {};
+  sftpgo = runTest ./sftpgo.nix;
  sfxr-qt = handleTest ./sfxr-qt.nix {};
  sgtpuzzles = handleTest ./sgtpuzzles.nix {};
  shadow = handleTest ./shadow.nix {};
--- a/nixos/tests/miriway.nix
+++ b/nixos/tests/miriway.nix
@@ -3,11 +3,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {

  meta = {
    maintainers = with lib.maintainers; [ OPNA2608 ];
-    # Natively running Mir has problems with capturing the first registered libinput device.
-    # In our VM  runners on ARM and on some hardware configs (my RPi4, distro-independent), this misses the keyboard.
-    # It can be worked around by dis- and reconnecting the affected hardware, but we can't do this in these tests.
-    # https://github.com/MirServer/mir/issues/2837
-    broken = pkgs.stdenv.hostPlatform.isAarch;
  };

  nodes.machine = { config, ... }: {
--- a/nixos/tests/public-inbox.nix
+++ b/nixos/tests/public-inbox.nix
@@ -201,7 +201,7 @@ in

      This is a testing mail.
    ''}")
-    machine.sleep(5)
+    machine.sleep(10)
    machine.succeed("curl -L 'https://machine.${domain}/inbox/repo1/repo1@root-1/T/#u' | grep 'This is a testing mail.'")

    # Read a mail through public-inbox-imapd
--- a/nixos/tests/sftpgo.nix
+++ b/nixos/tests/sftpgo.nix
@@ -0,0 +1,384 @@
+# SFTPGo NixOS test
+#
+# This NixOS test sets up a basic test scenario for the SFTPGo module
+# and covers the following scenarios:
+# - uploading a file via sftp
+# - downloading the file over sftp
+# - assert that the ACLs are respected
+# - share a file between alice and bob (using sftp)
+# - assert that eve cannot acceess the shared folder between alice and bob.
+#
+# Additional test coverage for the remaining protocols (i.e. ftp, http and webdav)
+# would be a nice to have for the future.
+{ pkgs, lib, ...  }:
+
+with lib;
+
+let
+  inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey;
+
+  # Returns an attributeset of users who are not system users.
+  normalUsers = config:
+    filterAttrs (name: user: user.isNormalUser) config.users.users;
+
+  # Returns true if a user is a member of the given group
+  isMemberOf =
+    config:
+    # str
+    groupName:
+    # users.users attrset
+    user:
+      any (x: x == user.name) config.users.groups.${groupName}.members;
+
+  # Generates a valid SFTPGo user configuration for a given user
+  # Will be converted to JSON and loaded on application startup.
+  generateUserAttrSet =
+    config:
+    # attrset returned by config.users.users.<username>
+    user: {
+      # 0: user is disabled, login is not allowed
+      # 1: user is enabled
+      status = 1;
+
+      username = user.name;
+      password = ""; # disables password authentication
+      public_keys = user.openssh.authorizedKeys.keys;
+      email = "${user.name}@example.com";
+
+      # User home directory on the local filesystem
+      home_dir = "${config.services.sftpgo.dataDir}/users/${user.name}";
+
+      # Defines a mapping between virtual SFTPGo paths and filesystem paths outside the user home directory.
+      #
+      # Supported for local filesystem only. If one or more of the specified folders are not
+      # inside the dataprovider they will be automatically created.
+      # You have to create the folder on the filesystem yourself
+      virtual_folders =
+        optional (isMemberOf config sharedFolderName user) {
+          name = sharedFolderName;
+          mapped_path = "${config.services.sftpgo.dataDir}/${sharedFolderName}";
+          virtual_path = "/${sharedFolderName}";
+        };
+
+      # Defines the ACL on the virtual filesystem
+      permissions =
+        recursiveUpdate {
+          "/" = [ "list" ];     # read-only top level directory
+          "/private" = [ "*" ]; # private subdirectory, not shared with others
+        } (optionalAttrs (isMemberOf config "shared" user) {
+          "/shared" = [ "*" ];
+        });
+
+      filters = {
+        allowed_ip = [];
+        denied_ip = [];
+        web_client = [
+          "password-change-disabled"
+          "password-reset-disabled"
+          "api-key-auth-change-disabled"
+        ];
+      };
+
+      upload_bandwidth = 0; # unlimited
+      download_bandwidth = 0; # unlimited
+      expiration_date = 0; # means no expiration
+      max_sessions = 0;
+      quota_size = 0;
+      quota_files = 0;
+    };
+
+  # Generates a json file containing a static configuration
+  # of users and folders to import to SFTPGo.
+  loadDataJson = config: pkgs.writeText "users-and-folders.json" (builtins.toJSON {
+    users =
+      mapAttrsToList (name: user: generateUserAttrSet config user) (normalUsers config);
+
+    folders = [
+      {
+        name = sharedFolderName;
+        description = "shared folder";
+
+        # 0: local filesystem
+        # 1: AWS S3 compatible
+        # 2: Google Cloud Storage
+        filesystem.provider = 0;
+
+        # Mapped path on the local filesystem
+        mapped_path = "${config.services.sftpgo.dataDir}/${sharedFolderName}";
+
+        # All users in the matching group gain access
+        users = config.users.groups.${sharedFolderName}.members;
+      }
+    ];
+  });
+
+  # Generated Host Key for connecting to SFTPGo's sftp subsystem.
+  snakeOilHostKey = pkgs.writeText "sftpgo_ed25519_host_key" ''
+    -----BEGIN OPENSSH PRIVATE KEY-----
+    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+    QyNTUxOQAAACBOtQu6U135yxtrvUqPoozUymkjoNNPVK6rqjS936RLtQAAAJAXOMoSFzjK
+    EgAAAAtzc2gtZWQyNTUxOQAAACBOtQu6U135yxtrvUqPoozUymkjoNNPVK6rqjS936RLtQ
+    AAAEAoRLEV1VD80mg314ObySpfrCcUqtWoOSS3EtMPPhx08U61C7pTXfnLG2u9So+ijNTK
+    aSOg009UrquqNL3fpEu1AAAADHNmdHBnb0BuaXhvcwE=
+    -----END OPENSSH PRIVATE KEY-----
+  '';
+
+  adminUsername = "admin";
+  adminPassword = "secretadminpassword";
+  aliceUsername = "alice";
+  alicePassword = "secretalicepassword";
+  bobUsername = "bob";
+  bobPassword = "secretbobpassword";
+  eveUsername = "eve";
+  evePassword = "secretevepassword";
+  sharedFolderName = "shared";
+
+  # A file for testing uploading via SFTP
+  testFile = pkgs.writeText "test.txt" "hello world";
+  sharedFile = pkgs.writeText "shared.txt" "shared content";
+
+  # Define the for exposing SFTP
+  sftpPort = 2022;
+
+  # Define the for exposing HTTP
+  httpPort = 8080;
+in
+{
+  name = "sftpgo";
+
+  meta.maintainers = with maintainers; [ yayayayaka ];
+
+  nodes = {
+    server = { nodes, ... }: {
+      networking.firewall.allowedTCPPorts = [ sftpPort httpPort ];
+
+      # nodes.server.configure postgresql database
+      services.postgresql = {
+        enable = true;
+        ensureDatabases = [ "sftpgo" ];
+        ensureUsers = [{
+          name = "sftpgo";
+          ensurePermissions."DATABASE sftpgo" = "ALL PRIVILEGES";
+        }];
+      };
+
+      services.sftpgo = {
+        enable = true;
+
+        loadDataFile = (loadDataJson nodes.server);
+
+        settings = {
+          data_provider = {
+            driver = "postgresql";
+            name = "sftpgo";
+            username = "sftpgo";
+            host = "/run/postgresql";
+            port = 5432;
+
+            # Enables the possibility to create an initial admin user on first startup.
+            create_default_admin = true;
+          };
+
+          httpd.bindings = [
+            {
+              address = ""; # listen on all interfaces
+              port = httpPort;
+              enable_https = false;
+
+              enable_web_client = true;
+              enable_web_admin = true;
+            }
+          ];
+
+          # Enable sftpd
+          sftpd = {
+            bindings = [{
+              address = ""; # listen on all interfaces
+              port = sftpPort;
+            }];
+            host_keys = [ snakeOilHostKey ];
+            password_authentication = false;
+            keyboard_interactive_authentication = false;
+          };
+        };
+      };
+
+      systemd.services.sftpgo = {
+        after = [ "postgresql.service"];
+        environment = {
+          # Update existing users
+          SFTPGO_LOADDATA_MODE = "0";
+          SFTPGO_DEFAULT_ADMIN_USERNAME = adminUsername;
+
+          # This will end up in cleartext in the systemd service.
+          # Don't use this approach in production!
+          SFTPGO_DEFAULT_ADMIN_PASSWORD = adminPassword;
+        };
+      };
+
+      # Sets up the folder hierarchy on the local filesystem
+      systemd.tmpfiles.rules =
+        let
+          sftpgoUser = nodes.server.services.sftpgo.user;
+          sftpgoGroup = nodes.server.services.sftpgo.group;
+          statePath = nodes.server.services.sftpgo.dataDir;
+        in [
+          # Create state directory
+          "d ${statePath} 0750 ${sftpgoUser} ${sftpgoGroup} -"
+          "d ${statePath}/users 0750 ${sftpgoUser} ${sftpgoGroup} -"
+
+          # Created shared folder directories
+          "d ${statePath}/${sharedFolderName} 2770 ${sftpgoUser} ${sharedFolderName}   -"
+        ]
+        ++ mapAttrsToList (name: user:
+          # Create private user directories
+          ''
+            d ${statePath}/users/${user.name} 0700 ${sftpgoUser} ${sftpgoGroup} -
+            d ${statePath}/users/${user.name}/private 0700 ${sftpgoUser} ${sftpgoGroup} -
+          ''
+        ) (normalUsers nodes.server);
+
+      users.users =
+        let
+          commonAttrs = {
+            isNormalUser = true;
+            openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
+          };
+        in {
+          # SFTPGo admin user
+          admin = commonAttrs // {
+            password = adminPassword;
+          };
+
+          # Alice and bob share folders with each other
+          alice = commonAttrs // {
+            password = alicePassword;
+            extraGroups = [ sharedFolderName ];
+          };
+
+          bob = commonAttrs // {
+            password = bobPassword;
+            extraGroups = [ sharedFolderName ];
+          };
+
+          # Eve has no shared folders
+          eve = commonAttrs // {
+            password = evePassword;
+          };
+        };
+
+      users.groups.${sharedFolderName} = {};
+
+      specialisation = {
+        # A specialisation for asserting that SFTPGo can bind to privileged ports.
+        privilegedPorts.configuration = { ... }: {
+          networking.firewall.allowedTCPPorts = [ 22 80 ];
+          services.sftpgo = {
+            settings = {
+              sftpd.bindings = mkForce [{
+                address = "";
+                port = 22;
+              }];
+
+              httpd.bindings = mkForce [{
+                address = "";
+                port = 80;
+              }];
+            };
+          };
+        };
+      };
+    };
+
+    client = { nodes, ... }: {
+      # Add the SFTPGo host key to the global known_hosts file
+      programs.ssh.knownHosts =
+        let
+          commonAttrs = {
+            publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE61C7pTXfnLG2u9So+ijNTKaSOg009UrquqNL3fpEu1";
+          };
+        in {
+          "server" = commonAttrs;
+          "[server]:2022" = commonAttrs;
+        };
+      };
+  };
+
+  testScript = { nodes, ... }: let
+    # A function to generate test cases for wheter
+    # a specified username is expected to access the shared folder.
+    accessSharedFoldersSubtest =
+      { # The username to run as
+        username
+        # Whether the tests are expected to succeed or not
+      , shouldSucceed ? true
+      }: ''
+        with subtest("Test whether ${username} can access shared folders"):
+            client.${if shouldSucceed then "succeed" else "fail"}("sftp -P ${toString sftpPort} -b ${
+              pkgs.writeText "${username}-ls-${sharedFolderName}" ''
+                ls ${sharedFolderName}
+              ''
+            } ${username}@server")
+      '';
+      statePath = nodes.server.services.sftpgo.dataDir;
+  in ''
+    start_all()
+
+    client.wait_for_unit("default.target")
+    server.wait_for_unit("sftpgo.service")
+
+    with subtest("web client"):
+        client.wait_until_succeeds("curl -sSf http://server:${toString httpPort}/web/client/login")
+
+        # Ensure sftpgo found the static folder
+        client.wait_until_succeeds("curl -o /dev/null -sSf http://server:${toString httpPort}/static/favicon.ico")
+
+    with subtest("Setup SSH keys"):
+        client.succeed("mkdir -m 700 /root/.ssh")
+        client.succeed("cat ${snakeOilPrivateKey} > /root/.ssh/id_ecdsa")
+        client.succeed("chmod 600 /root/.ssh/id_ecdsa")
+
+    with subtest("Copy a file over sftp"):
+        client.wait_until_succeeds("scp -P ${toString sftpPort} ${toString testFile} alice@server:/private/${testFile.name}")
+        server.succeed("test -s ${statePath}/users/alice/private/${testFile.name}")
+
+        # The configured ACL should prevent uploading files to the root directory
+        client.fail("scp -P ${toString sftpPort} ${toString testFile} alice@server:/")
+
+    with subtest("Attempting an interactive SSH sessions must fail"):
+        client.fail("ssh -p ${toString sftpPort} alice@server")
+
+    ${accessSharedFoldersSubtest {
+      username = "alice";
+      shouldSucceed = true;
+    }}
+
+    ${accessSharedFoldersSubtest {
+      username = "bob";
+      shouldSucceed = true;
+    }}
+
+    ${accessSharedFoldersSubtest {
+      username = "eve";
+      shouldSucceed = false;
+    }}
+
+    with subtest("Test sharing files"):
+        # Alice uploads a file to shared folder
+        client.succeed("scp -P ${toString sftpPort} ${toString sharedFile} alice@server:/${sharedFolderName}/${sharedFile.name}")
+        server.succeed("test -s ${statePath}/${sharedFolderName}/${sharedFile.name}")
+
+        # Bob downloads the file from shared folder
+        client.succeed("scp -P ${toString sftpPort} bob@server:/shared/${sharedFile.name} ${sharedFile.name}")
+        client.succeed("test -s ${sharedFile.name}")
+
+        # Eve should not get the file from shared folder
+        client.fail("scp -P ${toString sftpPort} eve@server:/shared/${sharedFile.name}")
+
+    server.succeed("/run/current-system/specialisation/privilegedPorts/bin/switch-to-configuration test")
+
+    client.wait_until_succeeds("sftp -P 22 -b ${pkgs.writeText "get-hello-world.txt" ''
+      get /private/${testFile.name}
+    ''} alice@server")
+  '';
+}
--- a/nixos/tests/shadowsocks/common.nix
+++ b/nixos/tests/shadowsocks/common.nix
@@ -69,6 +69,7 @@ import ../make-test-python.nix ({ pkgs, lib, ... }: {
      start_all()

      server.wait_for_unit("shadowsocks-libev.service")
+      server.wait_for_unit("nginx.service")
      client.wait_for_unit("shadowsocks-client.service")

      client.fail(
--- a/pkgs/applications/audio/bespokesynth/default.nix
+++ b/pkgs/applications/audio/bespokesynth/default.nix
@@ -30,10 +30,12 @@
 , pcre
 , mount
 , gnome
+, Accelerate
 , Cocoa
 , WebKit
 , CoreServices
 , CoreAudioKit
+, IOBluetooth
  # It is not allowed to distribute binaries with the VST2 SDK plugin without a license
  # (the author of Bespoke has such a licence but not Nix). VST3 should work out of the box.
  # Read more in https://github.com/NixOS/nixpkgs/issues/145607
@@ -102,10 +104,12 @@ stdenv.mkDerivation rec {
    pcre
    mount
  ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
+    Accelerate
    Cocoa
    WebKit
    CoreServices
    CoreAudioKit
+    IOBluetooth
  ];

  env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.hostPlatform.isDarwin (toString [
--- a/pkgs/applications/audio/dexed/default.nix
+++ b/pkgs/applications/audio/dexed/default.nix
@@ -11,6 +11,7 @@
 , freetype
 , alsa-lib
 , libjack2
+, Accelerate
 , Cocoa
 , WebKit
 , MetalKit
@@ -52,6 +53,7 @@ stdenv.mkDerivation rec {
    alsa-lib
    libjack2
  ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
+    Accelerate
    Cocoa
    WebKit
    MetalKit
--- a/pkgs/applications/audio/fire/default.nix
+++ b/pkgs/applications/audio/fire/default.nix
@@ -11,6 +11,7 @@
 , libXcursor
 , freetype
 , alsa-lib
+, Accelerate
 , Cocoa
 , WebKit
 , CoreServices
@@ -76,6 +77,7 @@ stdenv.mkDerivation rec {
    freetype
    alsa-lib
  ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
+    Accelerate
    Cocoa
    WebKit
    CoreServices
--- a/pkgs/applications/audio/furnace/default.nix
+++ b/pkgs/applications/audio/furnace/default.nix
@@ -10,6 +10,7 @@
 , fftw
 , fmt_8
 , libsndfile
+, libX11
 , rtmidi
 , SDL2
 , zlib
@@ -21,16 +22,23 @@

 stdenv.mkDerivation rec {
  pname = "furnace";
-  version = "0.6pre4-hotfix";
+  version = "0.6pre5";

  src = fetchFromGitHub {
    owner = "tildearrow";
    repo = "furnace";
    rev = "v${version}";
    fetchSubmodules = true;
-    sha256 = "sha256-lJtV/0GnWN5mSjv2LaPEMnkuThaNeijBMjLGFPOJX4k=";
+    sha256 = "sha256-6KiG7nfQUdPW+EkBW3PPM141kOmolAgrrqhEGH/Azg4=";
  };

+  postPatch = lib.optionalString stdenv.hostPlatform.isLinux ''
+    # To offer scaling detection on X11, furnace checks if libX11.so is available via dlopen and uses some of its functions
+    # But it's being linked against a versioned libX11.so.VERSION via SDL, so the unversioned one is not on the rpath
+    substituteInPlace src/gui/scaling.cpp \
+      --replace 'libX11.so' '${lib.getLib libX11}/lib/libX11.so'
+  '';
+
  nativeBuildInputs = [
    cmake
    pkg-config
@@ -97,6 +105,7 @@ stdenv.mkDerivation rec {
  meta = with lib; {
    description = "Multi-system chiptune tracker compatible with DefleMask modules";
    homepage = "https://github.com/tildearrow/furnace";
+    changelog = "https://github.com/tildearrow/furnace/releases/tag/v${version}";
    license = with licenses; [ gpl2Plus ];
    maintainers = with maintainers; [ OPNA2608 ];
    platforms = platforms.all;
--- a/pkgs/applications/blockchains/bitcoin/default.nix
+++ b/pkgs/applications/blockchains/bitcoin/default.nix
@@ -32,14 +32,14 @@ let
 in
 stdenv.mkDerivation rec {
  pname = if withGui then "bitcoin" else "bitcoind";
-  version = "24.1";
+  version = "25.0";

  src = fetchurl {
    urls = [
      "https://bitcoincore.org/bin/bitcoin-core-${version}/bitcoin-${version}.tar.gz"
    ];
    # hash retrieved from signed SHA256SUMS
-    sha256 = "8a0a3db3b2d9cc024e897113f70a3a65d8de831c129eb6d1e26ffa65e7bfaf4e";
+    sha256 = "5df67cf42ca3b9a0c38cdafec5bbb517da5b58d251f32c8d2a47511f9be1ebc2";
  };

  nativeBuildInputs =
--- a/pkgs/applications/editors/bluej/default.nix
+++ b/pkgs/applications/editors/bluej/default.nix
@@ -1,21 +1,22 @@
-{ lib, stdenv, fetchurl, jdk, glib, wrapGAppsHook }:
+{ lib, stdenv, fetchurl, openjdk, glib, wrapGAppsHook }:

 stdenv.mkDerivation rec {
  pname = "bluej";
-  version = "5.0.3";
+  version = "5.1.0";

  src = fetchurl {
    # We use the deb here. First instinct might be to go for the "generic" JAR
    # download, but that is actually a graphical installer that is much harder
    # to unpack than the deb.
    url = "https://www.bluej.org/download/files/BlueJ-linux-${builtins.replaceStrings ["."] [""] version}.deb";
-    sha256 = "sha256-OarqmptxZc7xEEYeoCVqHXkAvfzfSYx5nUp/iWPyoqw=";
+    sha256 = "sha256-tOb15wU9OjUt0D8l/JkaGYj84L7HV4FUnQQB5cRAxG0=";
  };

  nativeBuildInputs = [ wrapGAppsHook ];
  buildInputs = [ glib ];

  sourceRoot = ".";
+
  preUnpack = ''
    unpackCmdHooks+=(_tryDebData)
    _tryDebData() {
@@ -26,39 +27,29 @@ stdenv.mkDerivation rec {
    }
  '';

+  dontWrapGApps = true;
+
  installPhase = ''
    runHook preInstall

-    if [ -n "$prefix" ]; then
-        mkdir -p "$prefix"
-    fi
+    mkdir -p $out
+    cp -r usr/* $out

-    mkdir -p "$out"
-
-    if shopt -q dotglob; then dotglobOpt=$?; else dotglobOpt=$?; fi
-    shopt -s dotglob
-    for file in usr/*; do
-      cp -R "$file" "$out"
-    done
-    if (( !dotglobOpt )); then shopt -u dotglob; fi
+    makeWrapper ${openjdk}/bin/java $out/bin/bluej \
+      "''${gappsWrapperArgs[@]}" \
+      --add-flags "-Dawt.useSystemAAFontSettings=on -Xmx512M \
+                   --add-opens javafx.graphics/com.sun.glass.ui=ALL-UNNAMED \
+                   -jar $out/share/bluej/bluej.jar"

    runHook postInstall
  '';

-  dontWrapGApps = true;
-
-  preFixup = ''
-    makeWrapper ${jdk}/bin/java $out/bin/bluej \
-      "''${gappsWrapperArgs[@]}" \
-      --add-flags "-Djavafx.embed.singleThread=true -Dawt.useSystemAAFontSettings=on -Xmx512M -cp $out/share/bluej/bluej.jar bluej.Boot"
-  '';
-
  meta = with lib; {
    description = "A simple integrated development environment for Java";
    homepage = "https://www.bluej.org/";
    sourceProvenance = with sourceTypes; [ binaryBytecode ];
    license = licenses.gpl2ClasspathPlus;
    maintainers = with maintainers; [ chvp ];
-    platforms = platforms.unix;
+    platforms = platforms.linux;
  };
 }
--- a/pkgs/applications/editors/helix/grammars.nix
+++ b/pkgs/applications/editors/helix/grammars.nix
@@ -47,7 +47,6 @@
        then "${source}/${grammar.source.subpath}"
        else source;

-      dontUnpack = true;
      dontConfigure = true;

      FLAGS = [
@@ -64,13 +63,13 @@
      buildPhase = ''
        runHook preBuild

-        if [[ -e "$src/src/scanner.cc" ]]; then
-          $CXX -c "$src/src/scanner.cc" -o scanner.o $FLAGS
-        elif [[ -e "$src/src/scanner.c" ]]; then
-          $CC -c "$src/src/scanner.c" -o scanner.o $FLAGS
+        if [[ -e "src/scanner.cc" ]]; then
+          $CXX -c "src/scanner.cc" -o scanner.o $FLAGS
+        elif [[ -e "src/scanner.c" ]]; then
+          $CC -c "src/scanner.c" -o scanner.o $FLAGS
        fi

-        $CC -c "$src/src/parser.c" -o parser.o $FLAGS
+        $CC -c "src/parser.c" -o parser.o $FLAGS
        $CXX -shared -o $NAME.so *.o

        runHook postBuild
--- a/pkgs/applications/editors/jetbrains/versions.json
+++ b/pkgs/applications/editors/jetbrains/versions.json
@@ -3,18 +3,18 @@
    "clion": {
      "update-channel": "CLion RELEASE",
      "url-template": "https://download.jetbrains.com/cpp/CLion-{version}.tar.gz",
-      "version": "2023.1.2",
-      "sha256": "e3efc51a4431dc67da6463a8a37aab8ad6a214a8338430ae61cd4add5e7e5b04",
-      "url": "https://download.jetbrains.com/cpp/CLion-2023.1.2.tar.gz",
-      "build_number": "231.8770.66"
+      "version": "2023.1.3",
+      "sha256": "7ea6a7d18cac5c7c89a3e1dd4d3870f74762d4c9378c31a3753fd37f50cf2832",
+      "url": "https://download.jetbrains.com/cpp/CLion-2023.1.3.tar.gz",
+      "build_number": "231.9011.31"
    },
    "datagrip": {
      "update-channel": "DataGrip RELEASE",
      "url-template": "https://download.jetbrains.com/datagrip/datagrip-{version}.tar.gz",
-      "version": "2023.1.1",
-      "sha256": "9f1d9bd64352ade881343bd2d0cae63a4f5e9479e1bf822b4ab5f674fc0a8697",
-      "url": "https://download.jetbrains.com/datagrip/datagrip-2023.1.1.tar.gz",
-      "build_number": "231.8770.3"
+      "version": "2023.1.2",
+      "sha256": "57e8a79d69d9f34957fe7fa1307296396ab7c2b84bacffb6d86616cbcd596edd",
+      "url": "https://download.jetbrains.com/datagrip/datagrip-2023.1.2.tar.gz",
+      "build_number": "231.9011.35"
    },
    "gateway": {
      "update-channel": "Gateway RELEASE",
@@ -27,26 +27,26 @@
    "goland": {
      "update-channel": "GoLand RELEASE",
      "url-template": "https://download.jetbrains.com/go/goland-{version}.tar.gz",
-      "version": "2023.1.1",
-      "sha256": "ed4334fbfde1c9416920ec1aa9ccdbaa6bdbbe6f211b15ca74239c44a0b7ed1c",
-      "url": "https://download.jetbrains.com/go/goland-2023.1.1.tar.gz",
-      "build_number": "231.8770.71"
+      "version": "2023.1.2",
+      "sha256": "e1f16726a864f4ff9f0a48bd60a6983a664030df5e5456023d76b8fb8ac9df9d",
+      "url": "https://download.jetbrains.com/go/goland-2023.1.2.tar.gz",
+      "build_number": "231.9011.34"
    },
    "idea-community": {
      "update-channel": "IntelliJ IDEA RELEASE",
      "url-template": "https://download.jetbrains.com/idea/ideaIC-{version}.tar.gz",
-      "version": "2023.1.1",
-      "sha256": "0a9bc55c2eaecbe983cd1db9ab6a353e3b7c3747f6fc6dea95736df104a68239",
-      "url": "https://download.jetbrains.com/idea/ideaIC-2023.1.1.tar.gz",
-      "build_number": "231.8770.65"
+      "version": "2023.1.2",
+      "sha256": "f222f0282bebe2e8c3fef6a27b160c760c118e45a0cdb7c9053d645a8e00844a",
+      "url": "https://download.jetbrains.com/idea/ideaIC-2023.1.2.tar.gz",
+      "build_number": "231.9011.34"
    },
    "idea-ultimate": {
      "update-channel": "IntelliJ IDEA RELEASE",
      "url-template": "https://download.jetbrains.com/idea/ideaIU-{version}.tar.gz",
-      "version": "2023.1.1",
-      "sha256": "62ac9a6a801e5e029c3ca5ea28ee5de2680e3d58ae233cf1cb3d3636c6b205ca",
-      "url": "https://download.jetbrains.com/idea/ideaIU-2023.1.1.tar.gz",
-      "build_number": "231.8770.65"
+      "version": "2023.1.2",
+      "sha256": "e1a26070e91bdc6a7d262aeda316a72908d1ffbb8b500f086665bfcd29de249a",
+      "url": "https://download.jetbrains.com/idea/ideaIU-2023.1.2.tar.gz",
+      "build_number": "231.9011.34"
    },
    "mps": {
      "update-channel": "MPS RELEASE",
@@ -59,69 +59,69 @@
    "phpstorm": {
      "update-channel": "PhpStorm RELEASE",
      "url-template": "https://download.jetbrains.com/webide/PhpStorm-{version}.tar.gz",
-      "version": "2023.1.1",
-      "sha256": "be824ba2f0a55b8d246becde235a3308106d2115cea814e4b0cc2f3b9a736253",
-      "url": "https://download.jetbrains.com/webide/PhpStorm-2023.1.1.tar.gz",
-      "build_number": "231.8770.68",
+      "version": "2023.1.2",
+      "sha256": "889f531bbe5c6dda9fb4805dbbccd25d3aa4262a97f4ad14cf184db3eaf2d980",
+      "url": "https://download.jetbrains.com/webide/PhpStorm-2023.1.2.tar.gz",
+      "build_number": "231.9011.38",
      "version-major-minor": "2022.3"
    },
    "pycharm-community": {
      "update-channel": "PyCharm RELEASE",
      "url-template": "https://download.jetbrains.com/python/pycharm-community-{version}.tar.gz",
-      "version": "2023.1.1",
-      "sha256": "4de47ea21ede9ed52fedf42513ab2d886683d7d66784c1ce9b4d3c8b84da7a29",
-      "url": "https://download.jetbrains.com/python/pycharm-community-2023.1.1.tar.gz",
-      "build_number": "231.8770.66"
+      "version": "2023.1.2",
+      "sha256": "1445b48b091469176644cb85a0a6f953783920fb1ec9a53bcbdd932ad8c947b0",
+      "url": "https://download.jetbrains.com/python/pycharm-community-2023.1.2.tar.gz",
+      "build_number": "231.9011.38"
    },
    "pycharm-professional": {
      "update-channel": "PyCharm RELEASE",
      "url-template": "https://download.jetbrains.com/python/pycharm-professional-{version}.tar.gz",
-      "version": "2023.1.1",
-      "sha256": "aaa8d136e47077cfe970a5b42aa2058bb74038c5dab354c9f6ff22bfa3aa327d",
-      "url": "https://download.jetbrains.com/python/pycharm-professional-2023.1.1.tar.gz",
-      "build_number": "231.8770.66"
+      "version": "2023.1.2",
+      "sha256": "e57eae7a3c99983b8dc5c5aa036579d7ac73cae33aeb4c5f7f80517f2040c385",
+      "url": "https://download.jetbrains.com/python/pycharm-professional-2023.1.2.tar.gz",
+      "build_number": "231.9011.38"
    },
    "rider": {
      "update-channel": "Rider RELEASE",
      "url-template": "https://download.jetbrains.com/rider/JetBrains.Rider-{version}.tar.gz",
-      "version": "2023.1.1",
-      "sha256": "d50a7ed977e04ae50d6a16422a0968896fc6d94b0ab84d044ad3503d904570e0",
-      "url": "https://download.jetbrains.com/rider/JetBrains.Rider-2023.1.1.tar.gz",
-      "build_number": "231.8770.54"
+      "version": "2023.1.2",
+      "sha256": "50eb2deb303162dc77c802c4402c2734bdae38a47ab534921e064a107dc284ae",
+      "url": "https://download.jetbrains.com/rider/JetBrains.Rider-2023.1.2.tar.gz",
+      "build_number": "231.9011.39"
    },
    "ruby-mine": {
      "update-channel": "RubyMine RELEASE",
      "url-template": "https://download.jetbrains.com/ruby/RubyMine-{version}.tar.gz",
-      "version": "2023.1.1",
-      "sha256": "44a852fa872751ba53b1a10eb5d136a407ae7db90e4e4f8c37ba282dcc9c1419",
-      "url": "https://download.jetbrains.com/ruby/RubyMine-2023.1.1.tar.gz",
-      "build_number": "231.8770.57"
+      "version": "2023.1.2",
+      "sha256": "f7f40e03571d485a7b6e36b98c8a3e3b534456fb351389347927a800e1b2fc74",
+      "url": "https://download.jetbrains.com/ruby/RubyMine-2023.1.2.tar.gz",
+      "build_number": "231.9011.41"
    },
    "webstorm": {
      "update-channel": "WebStorm RELEASE",
      "url-template": "https://download.jetbrains.com/webstorm/WebStorm-{version}.tar.gz",
-      "version": "2023.1.1",
-      "sha256": "93e11177010037a156939f2ded59ac5d8d0661e47a4471399665affe4a1eb7a9",
-      "url": "https://download.jetbrains.com/webstorm/WebStorm-2023.1.1.tar.gz",
-      "build_number": "231.8770.64"
+      "version": "2023.1.2",
+      "sha256": "934986d682857e8529588cdc6f4f125ff7e13ee0a1060fa41af2bb9d4a620444",
+      "url": "https://download.jetbrains.com/webstorm/WebStorm-2023.1.2.tar.gz",
+      "build_number": "231.9011.35"
    }
  },
  "x86_64-darwin": {
    "clion": {
      "update-channel": "CLion RELEASE",
      "url-template": "https://download.jetbrains.com/cpp/CLion-{version}.dmg",
-      "version": "2023.1.2",
-      "sha256": "a980ecceda348d5a9e4ee7aaec2baf6d985a66c714ee270d402d708838e40d26",
-      "url": "https://download.jetbrains.com/cpp/CLion-2023.1.2.dmg",
-      "build_number": "231.8770.66"
+      "version": "2023.1.3",
+      "sha256": "74e65171daeec11ee8e45db14fefa72f141ebe4f8f40fe5172c24aaacac1d2fd",
+      "url": "https://download.jetbrains.com/cpp/CLion-2023.1.3.dmg",
+      "build_number": "231.9011.31"
    },
    "datagrip": {
      "update-channel": "DataGrip RELEASE",
      "url-template": "https://download.jetbrains.com/datagrip/datagrip-{version}.dmg",
-      "version": "2023.1.1",
-      "sha256": "94b2c070b91a45960d50deee5986d63e894dc2a2b3f371a1bcd650521029b66b",
-      "url": "https://download.jetbrains.com/datagrip/datagrip-2023.1.1.dmg",
-      "build_number": "231.8770.3"
+      "version": "2023.1.2",
+      "sha256": "13302c2cda09fdf08025430cfb195d7cbf34ad0f66968091e5227a8ff71a7f79",
+      "url": "https://download.jetbrains.com/datagrip/datagrip-2023.1.2.dmg",
+      "build_number": "231.9011.35"
    },
    "gateway": {
      "update-channel": "Gateway RELEASE",
@@ -134,26 +134,26 @@
    "goland": {
      "update-channel": "GoLand RELEASE",
      "url-template": "https://download.jetbrains.com/go/goland-{version}.dmg",
-      "version": "2023.1.1",
-      "sha256": "951d0940edebc9cba6a3e37eae3d3e146416d1951803e8a34706904e983bb6ee",
-      "url": "https://download.jetbrains.com/go/goland-2023.1.1.dmg",
-      "build_number": "231.8770.71"
+      "version": "2023.1.2",
+      "sha256": "8ea923b48a6a34991902689062c96d9bd7524591dfad0e47ace937ae5762d051",
+      "url": "https://download.jetbrains.com/go/goland-2023.1.2.dmg",
+      "build_number": "231.9011.34"
    },
    "idea-community": {
      "update-channel": "IntelliJ IDEA RELEASE",
      "url-template": "https://download.jetbrains.com/idea/ideaIC-{version}.dmg",
-      "version": "2023.1.1",
-      "sha256": "ee7769737cb0e22d4c88ea8808d0767b8d88667b6b732748d745a5eb48809c46",
-      "url": "https://download.jetbrains.com/idea/ideaIC-2023.1.1.dmg",
-      "build_number": "231.8770.65"
+      "version": "2023.1.2",
+      "sha256": "d313f3308788e2a6646c67c4c00afbf4dd848889009de32b93e1ef8bf80a529b",
+      "url": "https://download.jetbrains.com/idea/ideaIC-2023.1.2.dmg",
+      "build_number": "231.9011.34"
    },
    "idea-ultimate": {
      "update-channel": "IntelliJ IDEA RELEASE",
      "url-template": "https://download.jetbrains.com/idea/ideaIU-{version}.dmg",
-      "version": "2023.1.1",
-      "sha256": "46fed7185c1cc901778593941db035d9806ebdad930eccbb4472668d440e60af",
-      "url": "https://download.jetbrains.com/idea/ideaIU-2023.1.1.dmg",
-      "build_number": "231.8770.65"
+      "version": "2023.1.2",
+      "sha256": "7242ff72b56a0337f0bbc20b0dea4675759e1228f86bcb1c0dab3311f9f8d709",
+      "url": "https://download.jetbrains.com/idea/ideaIU-2023.1.2.dmg",
+      "build_number": "231.9011.34"
    },
    "mps": {
      "update-channel": "MPS RELEASE",
@@ -166,69 +166,69 @@
    "phpstorm": {
      "update-channel": "PhpStorm RELEASE",
      "url-template": "https://download.jetbrains.com/webide/PhpStorm-{version}.dmg",
-      "version": "2023.1.1",
-      "sha256": "da5809e47bb6adaa61ecdbcc16ca452e25269e7dbeb316bc6022784c3d6edd28",
-      "url": "https://download.jetbrains.com/webide/PhpStorm-2023.1.1.dmg",
-      "build_number": "231.8770.68",
+      "version": "2023.1.2",
+      "sha256": "42d4e946ff7f40a52a47f121be8a08a0fa46786f773b7cee28e51b12f2f296e6",
+      "url": "https://download.jetbrains.com/webide/PhpStorm-2023.1.2.dmg",
+      "build_number": "231.9011.38",
      "version-major-minor": "2022.3"
    },
    "pycharm-community": {
      "update-channel": "PyCharm RELEASE",
      "url-template": "https://download.jetbrains.com/python/pycharm-community-{version}.dmg",
-      "version": "2023.1.1",
-      "sha256": "45f47c71f1621d054b4ceedb717bbb4c2f8e8ab2d3ef8acb7366088b866a4cf6",
-      "url": "https://download.jetbrains.com/python/pycharm-community-2023.1.1.dmg",
-      "build_number": "231.8770.66"
+      "version": "2023.1.2",
+      "sha256": "7a947104f38cdb3a8e1a3466808add60a3c3d41545ae2fe84c1467dcc91973e8",
+      "url": "https://download.jetbrains.com/python/pycharm-community-2023.1.2.dmg",
+      "build_number": "231.9011.38"
    },
    "pycharm-professional": {
      "update-channel": "PyCharm RELEASE",
      "url-template": "https://download.jetbrains.com/python/pycharm-professional-{version}.dmg",
-      "version": "2023.1.1",
-      "sha256": "601c427b292a76d7646fe81ed351447b79a5094b650f19c8acca6f8f42e6e609",
-      "url": "https://download.jetbrains.com/python/pycharm-professional-2023.1.1.dmg",
-      "build_number": "231.8770.66"
+      "version": "2023.1.2",
+      "sha256": "46d8c03dd18de5a87837f3a437ae05ad7ad1ba3d61d742cef5124a30f5aa1109",
+      "url": "https://download.jetbrains.com/python/pycharm-professional-2023.1.2.dmg",
+      "build_number": "231.9011.38"
    },
    "rider": {
      "update-channel": "Rider RELEASE",
      "url-template": "https://download.jetbrains.com/rider/JetBrains.Rider-{version}.dmg",
-      "version": "2023.1.1",
-      "sha256": "72131efb1d4606cefd9bfb11cc98443a13f5b9761ac007484564db2107e7f8e9",
-      "url": "https://download.jetbrains.com/rider/JetBrains.Rider-2023.1.1.dmg",
-      "build_number": "231.8770.54"
+      "version": "2023.1.2",
+      "sha256": "f784a5a9d909bf671d6680807a451c761f44cba3a0f49cfc9b74c4bca1d7c1f1",
+      "url": "https://download.jetbrains.com/rider/JetBrains.Rider-2023.1.2.dmg",
+      "build_number": "231.9011.39"
    },
    "ruby-mine": {
      "update-channel": "RubyMine RELEASE",
      "url-template": "https://download.jetbrains.com/ruby/RubyMine-{version}.dmg",
-      "version": "2023.1.1",
-      "sha256": "2c37a3e8c8a9b800b9132f31d0cfdffbb3fd4ee83de13b3141187ec05a79e3e0",
-      "url": "https://download.jetbrains.com/ruby/RubyMine-2023.1.1.dmg",
-      "build_number": "231.8770.57"
+      "version": "2023.1.2",
+      "sha256": "28eb6505d37d5821507985cbd7ddd60787b7f3fa9966b3a67187938c3b7f153f",
+      "url": "https://download.jetbrains.com/ruby/RubyMine-2023.1.2.dmg",
+      "build_number": "231.9011.41"
    },
    "webstorm": {
      "update-channel": "WebStorm RELEASE",
      "url-template": "https://download.jetbrains.com/webstorm/WebStorm-{version}.dmg",
-      "version": "2023.1.1",
-      "sha256": "e7b9b86501682a0cf5a1b2d22e65491a6923635043378707581357a10fc8dc2a",
-      "url": "https://download.jetbrains.com/webstorm/WebStorm-2023.1.1.dmg",
-      "build_number": "231.8770.64"
+      "version": "2023.1.2",
+      "sha256": "0a8dbf63ce61bd24a1037a967cc27b45d4b467a0c39c6e4625704a8fba3add71",
+      "url": "https://download.jetbrains.com/webstorm/WebStorm-2023.1.2.dmg",
+      "build_number": "231.9011.35"
    }
  },
  "aarch64-darwin": {
    "clion": {
      "update-channel": "CLion RELEASE",
      "url-template": "https://download.jetbrains.com/cpp/CLion-{version}-aarch64.dmg",
-      "version": "2023.1.2",
-      "sha256": "61c8c1e76fe25389557111534c3fdadb5ba69427384890bf25499d0b474c147d",
-      "url": "https://download.jetbrains.com/cpp/CLion-2023.1.2-aarch64.dmg",
-      "build_number": "231.8770.66"
+      "version": "2023.1.3",
+      "sha256": "a167a2fe88cecf422edc32f981cd01736d154f3c284d1cd9cc85f68e0aa7e50b",
+      "url": "https://download.jetbrains.com/cpp/CLion-2023.1.3-aarch64.dmg",
+      "build_number": "231.9011.31"
    },
    "datagrip": {
      "update-channel": "DataGrip RELEASE",
      "url-template": "https://download.jetbrains.com/datagrip/datagrip-{version}-aarch64.dmg",
-      "version": "2023.1.1",
-      "sha256": "215ad7898e9a8ef2cf18ec90d342c995bf94a2fe5781fbce537e7166edf90652",
-      "url": "https://download.jetbrains.com/datagrip/datagrip-2023.1.1-aarch64.dmg",
-      "build_number": "231.8770.3"
+      "version": "2023.1.2",
+      "sha256": "3af05578dd8c3b01a5b75e34b0944bccd307ce698e80fe238044762785920c90",
+      "url": "https://download.jetbrains.com/datagrip/datagrip-2023.1.2-aarch64.dmg",
+      "build_number": "231.9011.35"
    },
    "gateway": {
      "update-channel": "Gateway RELEASE",
@@ -241,26 +241,26 @@
    "goland": {
      "update-channel": "GoLand RELEASE",
      "url-template": "https://download.jetbrains.com/go/goland-{version}-aarch64.dmg",
-      "version": "2023.1.1",
-      "sha256": "29963a09c83f193746f762a104e9c51fa5ff9f46a90376a0e518261f1990847e",
-      "url": "https://download.jetbrains.com/go/goland-2023.1.1-aarch64.dmg",
-      "build_number": "231.8770.71"
+      "version": "2023.1.2",
+      "sha256": "8674cb075b41db52b2a5f3698659b8e0480bcb9d81b4e3112bb7e5c23259200e",
+      "url": "https://download.jetbrains.com/go/goland-2023.1.2-aarch64.dmg",
+      "build_number": "231.9011.34"
    },
    "idea-community": {
      "update-channel": "IntelliJ IDEA RELEASE",
      "url-template": "https://download.jetbrains.com/idea/ideaIC-{version}-aarch64.dmg",
-      "version": "2023.1.1",
-      "sha256": "c9ab2053e1ad648466c547c378bd4e8753b4db8908de1caaeca91563ad80f6f9",
-      "url": "https://download.jetbrains.com/idea/ideaIC-2023.1.1-aarch64.dmg",
-      "build_number": "231.8770.65"
+      "version": "2023.1.2",
+      "sha256": "f269422723105de9c28c61c95f7c74cc4481032abaf980ace7e4fd2d7f00dca5",
+      "url": "https://download.jetbrains.com/idea/ideaIC-2023.1.2-aarch64.dmg",
+      "build_number": "231.9011.34"
    },
    "idea-ultimate": {
      "update-channel": "IntelliJ IDEA RELEASE",
      "url-template": "https://download.jetbrains.com/idea/ideaIU-{version}-aarch64.dmg",
-      "version": "2023.1.1",
-      "sha256": "ae631000e19b821194b38be7caaa1e13ad78b465e6eb00f44215bb1173038448",
-      "url": "https://download.jetbrains.com/idea/ideaIU-2023.1.1-aarch64.dmg",
-      "build_number": "231.8770.65"
+      "version": "2023.1.2",
+      "sha256": "d8ae93ade97ddd30c91fd2a828763b1c952e8c206f04fbdb9d79ea2207955a8e",
+      "url": "https://download.jetbrains.com/idea/ideaIU-2023.1.2-aarch64.dmg",
+      "build_number": "231.9011.34"
    },
    "mps": {
      "update-channel": "MPS RELEASE",
@@ -273,51 +273,51 @@
    "phpstorm": {
      "update-channel": "PhpStorm RELEASE",
      "url-template": "https://download.jetbrains.com/webide/PhpStorm-{version}-aarch64.dmg",
-      "version": "2023.1.1",
-      "sha256": "7857f77b2d28fc7e3a4380f43fe0f923616d39f13cb47a9f37c6cf5f32fd40a3",
-      "url": "https://download.jetbrains.com/webide/PhpStorm-2023.1.1-aarch64.dmg",
-      "build_number": "231.8770.68",
+      "version": "2023.1.2",
+      "sha256": "871147496e828a9f28b02a3226eca6127a7b0837f6ca872c51590696fc52f7fc",
+      "url": "https://download.jetbrains.com/webide/PhpStorm-2023.1.2-aarch64.dmg",
+      "build_number": "231.9011.38",
      "version-major-minor": "2022.3"
    },
    "pycharm-community": {
      "update-channel": "PyCharm RELEASE",
      "url-template": "https://download.jetbrains.com/python/pycharm-community-{version}-aarch64.dmg",
-      "version": "2023.1.1",
-      "sha256": "d3c3e5d4896be54e54c20603e8124220ee32f29f24b5068d1b56d1685c9bc2cd",
-      "url": "https://download.jetbrains.com/python/pycharm-community-2023.1.1-aarch64.dmg",
-      "build_number": "231.8770.66"
+      "version": "2023.1.2",
+      "sha256": "d816ad095094dc5cc5b91ede9f1d41654fc90f8925b9e421f9aac0325de0e366",
+      "url": "https://download.jetbrains.com/python/pycharm-community-2023.1.2-aarch64.dmg",
+      "build_number": "231.9011.38"
    },
    "pycharm-professional": {
      "update-channel": "PyCharm RELEASE",
      "url-template": "https://download.jetbrains.com/python/pycharm-professional-{version}-aarch64.dmg",
-      "version": "2023.1.1",
-      "sha256": "3c1947ad4627fc4dfce9a01b8bf4b8d90627fa5e20e4c27f60d785430e99d25d",
-      "url": "https://download.jetbrains.com/python/pycharm-professional-2023.1.1-aarch64.dmg",
-      "build_number": "231.8770.66"
+      "version": "2023.1.2",
+      "sha256": "9387e383f9d70d1b5e4e8e4b64061678c94a8329cafc9df5d342ac0f346a31fe",
+      "url": "https://download.jetbrains.com/python/pycharm-professional-2023.1.2-aarch64.dmg",
+      "build_number": "231.9011.38"
    },
    "rider": {
      "update-channel": "Rider RELEASE",
      "url-template": "https://download.jetbrains.com/rider/JetBrains.Rider-{version}-aarch64.dmg",
-      "version": "2023.1.1",
-      "sha256": "b089e107bd81829fffe97509912c4467f8b4ea09fd5f38ebd8cc8c57e6adb947",
-      "url": "https://download.jetbrains.com/rider/JetBrains.Rider-2023.1.1-aarch64.dmg",
-      "build_number": "231.8770.54"
+      "version": "2023.1.2",
+      "sha256": "896a70b5807683acec70e77620ccc9f1c1e1801257678de0531a5f3c1bccffb7",
+      "url": "https://download.jetbrains.com/rider/JetBrains.Rider-2023.1.2-aarch64.dmg",
+      "build_number": "231.9011.39"
    },
    "ruby-mine": {
      "update-channel": "RubyMine RELEASE",
      "url-template": "https://download.jetbrains.com/ruby/RubyMine-{version}-aarch64.dmg",
-      "version": "2023.1.1",
-      "sha256": "17327de2d4edd3fbddb47c96d4db1bfba716786eb5b74b4a2e3ba6d0482610f9",
-      "url": "https://download.jetbrains.com/ruby/RubyMine-2023.1.1-aarch64.dmg",
-      "build_number": "231.8770.57"
+      "version": "2023.1.2",
+      "sha256": "ecd3aeba77455d90a10b2ad4dc0939a66d8b70d1c43125fb76132c0af72bba31",
+      "url": "https://download.jetbrains.com/ruby/RubyMine-2023.1.2-aarch64.dmg",
+      "build_number": "231.9011.41"
    },
    "webstorm": {
      "update-channel": "WebStorm RELEASE",
      "url-template": "https://download.jetbrains.com/webstorm/WebStorm-{version}-aarch64.dmg",
-      "version": "2023.1.1",
-      "sha256": "3ccf935b898511106b25f3d30363767372f6a301311a5547f68210895b054cf1",
-      "url": "https://download.jetbrains.com/webstorm/WebStorm-2023.1.1-aarch64.dmg",
-      "build_number": "231.8770.64"
+      "version": "2023.1.2",
+      "sha256": "c72e249d38ba1fbfece680545d4714e73d73e9933cbbab8e85c0da2bab37142e",
+      "url": "https://download.jetbrains.com/webstorm/WebStorm-2023.1.2-aarch64.dmg",
+      "build_number": "231.9011.35"
    }
  }
 }
--- a/pkgs/applications/editors/neovim/default.nix
+++ b/pkgs/applications/editors/neovim/default.nix
@@ -1,5 +1,4 @@
 { lib, stdenv, fetchFromGitHub, cmake, gettext, msgpack, libtermkey, libiconv
-, fetchpatch
 , libuv, lua, ncurses, pkg-config
 , unibilium, gperf
 , libvterm-neovim
@@ -37,13 +36,13 @@ let
 in
  stdenv.mkDerivation rec {
    pname = "neovim-unwrapped";
-    version = "0.9.0";
+    version = "0.9.1";

    src = fetchFromGitHub {
      owner = "neovim";
      repo = "neovim";
      rev = "v${version}";
-      hash = "sha256-4uCPWnjSMU7ac6Q3LT+Em8lVk1MuSegxHMLGQRtFqAs=";
+      hash = "sha256-G51qD7GklEn0JrneKSSqDDx0Odi7W2FjdQc0ZDE9ZK4=";
    };

    patches = [
@@ -51,14 +50,6 @@ in
      # necessary so that nix can handle `UpdateRemotePlugins` for the plugins
      # it installs. See https://github.com/neovim/neovim/issues/9413.
      ./system_rplugin_manifest.patch
-
-      # fix bug with the gsub directive
-      # https://github.com/neovim/neovim/pull/23015
-      (fetchpatch {
-        name = "use-the-correct-replacement-args-for-gsub-directive.patch";
-        url = "https://github.com/neovim/neovim/commit/ccc0980f86c6ef9a86b0e5a3a691f37cea8eb776.patch";
-        hash = "sha256-sZWM6M8jCL1e72H0bAc51a6FrH0mFFqTV1gGLwKT7Zo=";
-      })
    ];

    dontFixCmake = true;
--- a/pkgs/applications/editors/vscode/extensions/default.nix
+++ b/pkgs/applications/editors/vscode/extensions/default.nix
@@ -757,8 +757,8 @@ let
        mktplcRef = {
          name = "vscode-markdownlint";
          publisher = "DavidAnson";
-          version = "0.49.0";
-          sha256 = "sha256-Mh/OoRK410aXEr3sK2CYFDsXGSqFT+JOWi9jHOdK01Y=";
+          version = "0.50.0";
+          sha256 = "sha256-F+lryIhSudDz68t1eGrfqI8EuoUUOWU5LfWj0IRCQyY=";
        };
        meta = {
          changelog = "https://marketplace.visualstudio.com/items/DavidAnson.vscode-markdownlint/changelog";
@@ -1069,8 +1069,8 @@ let
        mktplcRef = {
          name = "elixir-ls";
          publisher = "JakeBecker";
-          version = "0.13.0";
-          sha256 = "sha256-1uaLFTMvkcYrYAt9qDdISJneKxHo9qsris70iowGW2s=";
+          version = "0.14.7";
+          sha256 = "sha256-RkwgQqasBKMA+0293QhbZhgyGSqhJSic5DuIpBB+OEA=";
        };
        meta = {
          changelog = "https://marketplace.visualstudio.com/items/JakeBecker.elixir-ls/changelog";
@@ -1132,8 +1132,8 @@ let
        mktplcRef = {
          name = "prettier-vscode";
          publisher = "esbenp";
-          version = "9.12.0";
-          sha256 = "sha256-b7EaYYJNZQBqhyKJ04tytmD9DDRcvA68HTo5JHTr9Fo=";
+          version = "9.13.0";
+          sha256 = "sha256-Iqz1O6odSzAfojCgGDwDA1YtnWU5Ei7vx9Qt25/1SLw=";
        };
        meta = {
          changelog = "https://marketplace.visualstudio.com/items/esbenp.prettier-vscode/changelog";
--- a/pkgs/applications/emulators/ppsspp/default.nix
+++ b/pkgs/applications/emulators/ppsspp/default.nix
@@ -97,7 +97,7 @@ stdenv.mkDerivation (finalAttrs: {
    ''
      runHook preInstall

-      mkdir -p $out/share/{applications,ppsspp}
+      mkdir -p $out/share/{applications,ppsspp,icons}
    '' + (if enableQt then ''
      install -Dm555 PPSSPPQt $out/bin/ppsspp
      wrapProgram $out/bin/ppsspp \
@@ -110,6 +110,7 @@ stdenv.mkDerivation (finalAttrs: {
        --prefix LD_LIBRARY_PATH : ${vulkanPath} \
    '' + "\n" + ''
      mv assets $out/share/ppsspp
+      mv ../icons/hicolor $out/share/icons

      runHook postInstall
    '';
--- a/pkgs/applications/misc/organicmaps/default.nix
+++ b/pkgs/applications/misc/organicmaps/default.nix
@@ -21,13 +21,13 @@

 mkDerivation rec {
  pname = "organicmaps";
-  version = "2023.04.02-7";
+  version = "2023.05.08-7";

  src = fetchFromGitHub {
    owner = "organicmaps";
    repo = "organicmaps";
    rev = "${version}-android";
-    sha256 = "sha256-xXBzHo7IOo2f1raGnpFcsvs++crHMI5SACIc345cX7g=";
+    sha256 = "sha256-V7qTi5NiZf+1voZSHfuAyfMeTeiYfs/CoOQ2zweKmaU=";
    fetchSubmodules = true;
  };

--- a/pkgs/applications/misc/pgmanage/default.nix
+++ b/pkgs/applications/misc/pgmanage/default.nix
@@ -1,14 +1,16 @@
-{ lib, stdenv, fetchFromGitHub, postgresql, openssl } :
-
+{ lib, stdenv, fetchFromGitHub, postgresql, openssl, nixosTests } :
 stdenv.mkDerivation rec {
  pname = "pgmanage";
-  version = "11.0.1";
+  # The last release 11.0.1 from 2018 fails the NixOS test
+  # probably because of PostgreSQL-12 incompatibility.
+  # Fortunately the latest master does succeed the test.
+  version = "unstable-2022-05-11";

  src = fetchFromGitHub {
    owner  = "pgManage";
    repo   = "pgManage";
-    rev    = "v${version}";
-    sha256 = "1a1dbc32b3y0ph8ydf800h6pz7dg6g1gxgid4gffk7k58xj0c5yf";
+    rev    = "a028604416be382d6d310bc68b4e7c3cd16020fb";
+    sha256 = "sha256-ibCzZrqfbio1wBVFKB6S/wdRxnCc7s3IQdtI9txxhaM=";
  };

  patchPhase = ''
@@ -21,6 +23,8 @@ stdenv.mkDerivation rec {

  buildInputs = [ postgresql openssl ];

+  passthru.tests.sign-in = nixosTests.pgmanage;
+
  meta = with lib; {
    description = "A fast replacement for PGAdmin";
    longDescription = ''
--- a/pkgs/applications/misc/snagboot/default.nix
+++ b/pkgs/applications/misc/snagboot/default.nix
@@ -0,0 +1,76 @@
+{ lib
+, stdenv
+, fetchPypi
+, pythonRelaxDepsHook
+, python3
+, snagboot
+, testers
+, gitUpdater
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "snagboot";
+  version = "1.0";
+  format = "pyproject";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-wtIcrd3s/ZfdYqi2a2+IvVYnJie5txJy6d2m+GjuhxU=";
+  };
+
+  passthru = {
+    updateScript = gitUpdater {
+      rev-prefix = "v";
+      ignoredVersions = ".(rc|beta).*";
+    };
+
+    tests.version = testers.testVersion {
+      package = snagboot;
+      command = "snagrecover --version";
+      version = "v${version}";
+    };
+  };
+
+  nativeBuildInputs = [
+    pythonRelaxDepsHook
+  ];
+
+  pythonRemoveDeps = [
+    "pylibfdt"
+    "swig"
+  ];
+
+  propagatedBuildInputs = with python3.pkgs; [
+    setuptools
+    pyusb
+    pyserial
+    hid
+    crccheck
+    six
+    xmodem
+    pyyaml
+    libfdt
+    tftpy
+  ];
+
+  postInstall = lib.optionalString stdenv.isLinux ''
+    rules="src/snagrecover/80-snagboot.rules"
+    if [ ! -f "$rules" ]; then
+        echo "$rules is missing, must update the Nix file."
+        exit 1
+    fi
+
+    mkdir -p "$out/lib/udev/rules.d"
+    cp "$rules" "$out/lib/udev/rules.d/80-snagboot.rules"
+  '';
+
+  # There are no tests
+  doCheck = false;
+
+  meta = {
+    homepage = "https://github.com/bootlin/snagboot";
+    description = "Generic recovery and reflashing tool for embedded platforms";
+    license = lib.licenses.gpl2;
+    maintainers = with lib.maintainers; [ otavio ];
+  };
+}
--- a/pkgs/applications/networking/browsers/brave/default.nix
+++ b/pkgs/applications/networking/browsers/brave/default.nix
@@ -90,11 +90,11 @@ in

 stdenv.mkDerivation rec {
  pname = "brave";
-  version = "1.51.114";
+  version = "1.51.118";

  src = fetchurl {
    url = "https://github.com/brave/brave-browser/releases/download/v${version}/brave-browser_${version}_amd64.deb";
-    sha256 = "sha256-lykwmfGqH5VuWazEQuvTpD4ett4m+LCFmmxzjkULfmk=";
+    sha256 = "sha256-/OrnB4M6oefZ2aG2rQst8H4UZ/7vAFzyqWsn9kerb9c=";
  };

  dontConfigure = true;
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -170,6 +170,14 @@ let
      # (we currently package 1.26 in Nixpkgs while Chromium bundles 1.21):
      # Source: https://bugs.chromium.org/p/angleproject/issues/detail?id=7582#c1
      ./patches/angle-wayland-include-protocol.patch
+    ] ++ lib.optionals (chromiumVersionAtLeast "114") [
+      # We need to revert this patch to build M114+ with LLVM 16:
+      (githubPatch {
+        # Reland [clang] Disable autoupgrading debug info in ThinLTO builds
+        commit = "54969766fd2029c506befc46e9ce14d67c7ed02a";
+        sha256 = "sha256-Vryjg8kyn3cxWg3PmSwYRG6zrHOqYWBMSdEMGiaPg6M=";
+        revert = true;
+      })
    ];

    postPatch = ''
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.json
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.json
@@ -19,9 +19,9 @@
    }
  },
  "beta": {
-    "version": "114.0.5735.35",
-    "sha256": "1ik3d886pcpqs7fnqf7ck0y8x8dbi1d4aqm227qwv0jw2p4a0qyb",
-    "sha256bin64": "0xx53x6c7r8cji7d2663zn4p4yklzyc124abqlhyr14w8p2lfldq",
+    "version": "114.0.5735.45",
+    "sha256": "1z7z4mq3yw9i17xprza3v33wx28zpk7s3g8xcgapdydw0rgxz30v",
+    "sha256bin64": "1387x7mab2sh3wg39z48gl8fjhq39jllbcgzic8rdzpbhlcgs7br",
    "deps": {
      "gn": {
        "version": "2023-04-19",
@@ -32,15 +32,15 @@
    }
  },
  "dev": {
-    "version": "115.0.5773.4",
-    "sha256": "18as1yqp7jyv92mn6lq4fl6mzq3w5qx4aqsw5nyixmgys4hfx6a6",
-    "sha256bin64": "0d0anrc2bdh9c8rs06jng45xd7sxw0raky3wrngbda2g4aqh817k",
+    "version": "115.0.5790.3",
+    "sha256": "1haai0jabghwl37k929138s4l6izmifssdvn2wgsig9jhiihxz29",
+    "sha256bin64": "12avl8ilvhmlvbag045yhnx0bbbsyx5d3jqh5af07pmbcxksgf96",
    "deps": {
      "gn": {
-        "version": "2023-05-09",
+        "version": "2023-05-19",
        "url": "https://gn.googlesource.com/gn",
-        "rev": "26aa46c283e40199b6f847ecca088dcea7099ded",
-        "sha256": "1z5w4fiypv4aq12qlc8in832n7k6wi4k64k4axardrsy24316r9d"
+        "rev": "e9e83d9095d3234adf68f3e2866f25daf766d5c7",
+        "sha256": "0y07c18xskq4mclqiz3a63fz8jicz2kqridnvdhqdf75lhp61f8a"
      }
    }
  },
--- a/pkgs/applications/networking/browsers/firefox-bin/beta_sources.nix
+++ b/pkgs/applications/networking/browsers/firefox-bin/beta_sources.nix
--- a/pkgs/applications/networking/browsers/firefox-bin/devedition_sources.nix
+++ b/pkgs/applications/networking/browsers/firefox-bin/devedition_sources.nix
--- a/pkgs/applications/networking/browsers/firefox-bin/release_sources.nix
+++ b/pkgs/applications/networking/browsers/firefox-bin/release_sources.nix
--- a/pkgs/applications/networking/browsers/firefox/packages.nix
+++ b/pkgs/applications/networking/browsers/firefox/packages.nix
@@ -3,10 +3,10 @@
 {
  firefox = buildMozillaMach rec {
    pname = "firefox";
-    version = "113.0.1";
+    version = "113.0.2";
    src = fetchurl {
      url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-      sha512 = "67d6b777d138ef55dd813a15a483d0588181f3b83ba8da52bf6c1f10a58ab1d907a80afcfc1aa90b65405852b50d083f05032b32d3fdb153317f2df7f1f15db3";
+      sha512 = "7b1ff7d547fda02901f54a2593e03598a830698192003d833e27b85db0e00571ff66e03ebd4089e76fa65b09df000cbb2542450beeabb0b310875910603e6743";
    };

    meta = {
@@ -29,11 +29,11 @@

  firefox-beta = buildMozillaMach rec {
    pname = "firefox-beta";
-    version = "114.0b6";
+    version = "114.0b7";
    applicationName = "Mozilla Firefox Beta";
    src = fetchurl {
      url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-      sha512 = "50127c640e0cb617ca031df022a09df8bba7dd44e9b88b034d9c9276d1adcec17a937d80ab3e540433290e8f78982a405b7281724713f43c36e5e266df721854";
+      sha512 = "6cfcaa08d74d6e123047cd33c1bc2e012e948890ea8bab5feb43459048a41c10f6bc549241386a3c81d438b59e966e7949161fe3f18b359ec8659bdf2ba0f187";
    };

    meta = {
@@ -56,12 +56,12 @@

  firefox-devedition = buildMozillaMach rec {
    pname = "firefox-devedition";
-    version = "114.0b6";
+    version = "114.0b7";
    applicationName = "Mozilla Firefox Developer Edition";
    branding = "browser/branding/aurora";
    src = fetchurl {
      url = "mirror://mozilla/devedition/releases/${version}/source/firefox-${version}.source.tar.xz";
-      sha512 = "cf5a6ab9b950af602c91d2c6ffc9c5efd96d83f580f3de16e03cbcf3ef5fa04e4d86536a82c1e2503ca09ae744991bc360e35a2e1c03c8b8408fa3f4c956823e";
+      sha512 = "2aa9ec2eb57b6debe3a15ac43f4410a4d649c8373725be8ed2540effa758d970e29c9ca675d9ac27a4b58935fc428aaf8b84ecd769b88f3607e911178492ebf1";
    };

    meta = {
--- a/pkgs/applications/networking/cluster/k3s/1_24/chart-versions.nix
+++ b/pkgs/applications/networking/cluster/k3s/1_24/chart-versions.nix
@@ -1,10 +0,0 @@
-{
-    traefik-crd  = {
-        url = "https://k3s.io/k3s-charts/assets/traefik-crd/traefik-crd-20.3.1+up20.3.0.tgz";
-        sha256 = "1775vjldvqvhzdbzanxhbaqbmkih09yb91im651q8bc7z5sb9ckn";
-    };
-    traefik = {
-        url = "https://k3s.io/k3s-charts/assets/traefik/traefik-20.3.1+up20.3.0.tgz";
-        sha256 = "1rj0f0n0vgjcbzfwzhqmsd501i2f6vw145w9plbp8gwdyzmg2nc6";
-    };
-}
--- a/pkgs/applications/networking/cluster/k3s/1_24/default.nix
+++ b/pkgs/applications/networking/cluster/k3s/1_24/default.nix
@@ -1,329 +0,0 @@
-{ stdenv
-, lib
-, makeWrapper
-, socat
-, iptables
-, iproute2
-, ipset
-, bridge-utils
-, btrfs-progs
-, conntrack-tools
-, buildGoModule
-, runc
-, rsync
-, kmod
-, libseccomp
-, pkg-config
-, ethtool
-, util-linux
-, fetchFromGitHub
-, fetchurl
-, fetchzip
-, fetchgit
-, zstd
-, yq-go
-, sqlite
-, nixosTests
-, k3s
-, pkgsBuildBuild
-}:
-
-# k3s is a kinda weird derivation. One of the main points of k3s is the
-# simplicity of it being one binary that can perform several tasks.
-# However, when you have a good package manager (like nix), that doesn't
-# actually make much of a difference; you don't really care if it's one binary
-# or 10 since with a good package manager, installing and running it is
-# identical.
-# Since upstream k3s packages itself as one large binary with several
-# "personalities" (in the form of subcommands like 'k3s agent' and 'k3s
-# kubectl'), it ends up being easiest to mostly mimic upstream packaging, with
-# some exceptions.
-# K3s also carries patches to some packages (such as containerd and cni
-# plugins), so we intentionally use the k3s versions of those binaries for k3s,
-# even if the upstream version of those binaries exist in nixpkgs already. In
-# the end, that means we have a thick k3s binary that behaves like the upstream
-# one for the most part.
-# However, k3s also bundles several pieces of unpatched software, from the
-# strongswan vpn software, to iptables, to socat, conntrack, busybox, etc.
-# Those pieces of software we entirely ignore upstream's handling of, and just
-# make sure they're in the path if desired.
-let
-  k3sVersion = "1.24.10+k3s1";     # k3s git tag
-  k3sCommit = "546a94e9ae1c3be6f9c0dcde32a6e6672b035bc8"; # k3s git commit at the above version
-  k3sRepoSha256 = "sha256-HfkGb3GtR2wQkVIze26aFh6A6W0fegr8ovpSel7oujQ=";
-  k3sVendorSha256 = "sha256-YAerisDr/knlKPaO2fVMZA4FUpwshFmkpi3mJAmLqKM=";
-
-  # Based on the traefik charts here: https://github.com/k3s-io/k3s/blob/v1.24.10%2Bk3s1/scripts/download#L29-L32
-  # see also https://github.com/k3s-io/k3s/blob/v1.24.10%2Bk3s1/manifests/traefik.yaml#L8-L16
-  # At the time of writing, there are two traefik charts, and that's it
-  charts = import ./chart-versions.nix;
-
-  # taken from ./scripts/version.sh VERSION_ROOT https://github.com/k3s-io/k3s/blob/v1.24.10%2Bk3s1/scripts/version.sh#L56
-  k3sRootVersion = "0.12.1";
-  k3sRootSha256 = "sha256-xCXbarWztnvW2xn3cGa84hie3OevVZeGEDWh+Uf3RBw=";
-
-  # taken from ./scripts/version.sh VERSION_CNIPLUGINS https://github.com/k3s-io/k3s/blob/v1.24.10%2Bk3s1/scripts/version.sh#L49
-  k3sCNIVersion = "1.1.1-k3s1";
-  k3sCNISha256 = "14mb3zsqibj1sn338gjmsyksbm0mxv9p016dij7zidccx2rzn6nl";
-
-  # taken from go.mod, the 'github.com/containerd/containerd' line
-  # run `grep github.com/containerd/containerd go.mod | head -n1 | awk '{print $4}'`
-  # https://github.com/k3s-io/k3s/blob/v1.24.10%2Bk3s1/go.mod#L10
-  containerdVersion = "1.5.16-k3s1";
-  containerdSha256 = "sha256-dxC44qE1A20Hd2j77Ir9Sla8xncttswWIuGGM/5FWi8=";
-
-  # run `grep github.com/kubernetes-sigs/cri-tools go.mod | head -n1 | awk '{print $4}'` in the k3s repo at the tag
-  # https://github.com/k3s-io/k3s/blob/v1.24.10%2Bk3s1/go.mod#L18
-  criCtlVersion = "1.24.0-k3s1";
-
-  baseMeta = k3s.meta;
-
-  # https://github.com/k3s-io/k3s/blob/5fb370e53e0014dc96183b8ecb2c25a61e891e76/scripts/build#L19-L40
-  versionldflags = [
-    "-X github.com/rancher/k3s/pkg/version.Version=v${k3sVersion}"
-    "-X github.com/rancher/k3s/pkg/version.GitCommit=${lib.substring 0 8 k3sCommit}"
-    "-X k8s.io/client-go/pkg/version.gitVersion=v${k3sVersion}"
-    "-X k8s.io/client-go/pkg/version.gitCommit=${k3sCommit}"
-    "-X k8s.io/client-go/pkg/version.gitTreeState=clean"
-    "-X k8s.io/client-go/pkg/version.buildDate=1970-01-01T01:01:01Z"
-    "-X k8s.io/component-base/version.gitVersion=v${k3sVersion}"
-    "-X k8s.io/component-base/version.gitCommit=${k3sCommit}"
-    "-X k8s.io/component-base/version.gitTreeState=clean"
-    "-X k8s.io/component-base/version.buildDate=1970-01-01T01:01:01Z"
-    "-X github.com/kubernetes-sigs/cri-tools/pkg/version.Version=v${criCtlVersion}"
-    "-X github.com/containerd/containerd/version.Version=v${containerdVersion}"
-    "-X github.com/containerd/containerd/version.Package=github.com/k3s-io/containerd"
-  ];
-
-  # bundled into the k3s binary
-  traefikChart = fetchurl charts.traefik;
-  traefik-crdChart = fetchurl charts.traefik-crd;
-
-  # so, k3s is a complicated thing to package
-  # This derivation attempts to avoid including any random binaries from the
-  # internet. k3s-root is _mostly_ binaries built to be bundled in k3s (which
-  # we don't care about doing, we can add those as build or runtime
-  # dependencies using a real package manager).
-  # In addition to those binaries, it's also configuration though (right now
-  # mostly strongswan configuration), and k3s does use those files.
-  # As such, we download it in order to grab 'etc' and bundle it into the final
-  # k3s binary.
-  k3sRoot = fetchzip {
-    # Note: marked as apache 2.0 license
-    url = "https://github.com/k3s-io/k3s-root/releases/download/v${k3sRootVersion}/k3s-root-amd64.tar";
-    sha256 = k3sRootSha256;
-    stripRoot = false;
-  };
-  k3sCNIPlugins = buildGoModule rec {
-    pname = "k3s-cni-plugins";
-    version = k3sCNIVersion;
-    vendorSha256 = null;
-
-    subPackages = [ "." ];
-
-    src = fetchFromGitHub {
-      owner = "rancher";
-      repo = "plugins";
-      rev = "v${version}";
-      sha256 = k3sCNISha256;
-    };
-
-    postInstall = ''
-      mv $out/bin/plugins $out/bin/cni
-    '';
-
-    meta = baseMeta // {
-      description = "CNI plugins, as patched by rancher for k3s";
-    };
-  };
-  # Grab this separately from a build because it's used by both stages of the
-  # k3s build.
-  k3sRepo = fetchgit {
-    url = "https://github.com/k3s-io/k3s";
-    rev = "v${k3sVersion}";
-    sha256 = k3sRepoSha256;
-  };
-  # Stage 1 of the k3s build:
-  # Let's talk about how k3s is structured.
-  # One of the ideas of k3s is that there's the single "k3s" binary which can
-  # do everything you need, from running a k3s server, to being a worker node,
-  # to running kubectl.
-  # The way that actually works is that k3s is a single go binary that contains
-  # a bunch of bindata that it unpacks at runtime into directories (either the
-  # user's home directory or /var/lib/rancher if run as root).
-  # This bindata includes both binaries and configuration.
-  # In order to let nixpkgs do all its autostripping/patching/etc, we split this into two derivations.
-  # First, we build all the binaries that get packed into the thick k3s binary
-  # (and output them from one derivation so they'll all be suitably patched up).
-  # Then, we bundle those binaries into our thick k3s binary and use that as
-  # the final single output.
-  # This approach was chosen because it ensures the bundled binaries all are
-  # correctly built to run with nix (we can lean on the existing buildGoModule
-  # stuff), and we can again lean on that tooling for the final k3s binary too.
-  # Other alternatives would be to manually run the
-  # strip/patchelf/remove-references step ourselves in the installPhase of the
-  # derivation when we've built all the binaries, but haven't bundled them in
-  # with generated bindata yet.
-
-  k3sServer = buildGoModule rec {
-    pname = "k3s-server";
-    version = k3sVersion;
-
-    src = k3sRepo;
-    vendorSha256 = k3sVendorSha256;
-
-    nativeBuildInputs = [ pkg-config ];
-    buildInputs = [ libseccomp sqlite.dev ];
-
-    subPackages = [ "cmd/server" ];
-    ldflags = versionldflags;
-
-    tags = [ "libsqlite3" "linux" ];
-
-    # create the multicall symlinks for k3s
-    postInstall = ''
-      mv $out/bin/server $out/bin/k3s
-      pushd $out
-      # taken verbatim from https://github.com/k3s-io/k3s/blob/v1.24.10%2Bk3s1/scripts/build#L123-L131
-      ln -s k3s ./bin/k3s-agent
-      ln -s k3s ./bin/k3s-server
-      ln -s k3s ./bin/k3s-etcd-snapshot
-      ln -s k3s ./bin/k3s-secrets-encrypt
-      ln -s k3s ./bin/k3s-certificate
-      ln -s k3s ./bin/k3s-completion
-      ln -s k3s ./bin/kubectl
-      ln -s k3s ./bin/crictl
-      ln -s k3s ./bin/ctr
-      popd
-    '';
-
-    meta = baseMeta // {
-      description = "The various binaries that get packaged into the final k3s binary";
-    };
-  };
-  k3sContainerd = buildGoModule {
-    pname = "k3s-containerd";
-    version = containerdVersion;
-    src = fetchFromGitHub {
-      owner = "k3s-io";
-      repo = "containerd";
-      rev = "v${containerdVersion}";
-      sha256 = containerdSha256;
-    };
-    vendorSha256 = null;
-    buildInputs = [ btrfs-progs ];
-    subPackages = [ "cmd/containerd" "cmd/containerd-shim-runc-v2" ];
-    ldflags = versionldflags;
-  };
-in
-buildGoModule rec {
-  pname = "k3s";
-  version = k3sVersion;
-
-  src = k3sRepo;
-  vendorSha256 = k3sVendorSha256;
-
-  postPatch = ''
-    # Nix prefers dynamically linked binaries over static binary.
-
-    substituteInPlace scripts/package-cli \
-      --replace '"$LDFLAGS $STATIC" -o' \
-                '"$LDFLAGS" -o' \
-      --replace "STATIC=\"-extldflags \'-static\'\"" \
-                ""
-
-    # Upstream codegen fails with trimpath set. Removes "trimpath" for 'go generate':
-
-    substituteInPlace scripts/package-cli \
-      --replace '"''${GO}" generate' \
-                'GOFLAGS="" \
-                 GOOS="${pkgsBuildBuild.go.GOOS}" \
-                 GOARCH="${pkgsBuildBuild.go.GOARCH}" \
-                 CC="${pkgsBuildBuild.stdenv.cc}/bin/cc" \
-                 "''${GO}" generate'
-  '';
-
-  # Important utilities used by the kubelet, see
-  # https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494
-  # Note the list in that issue is stale and some aren't relevant for k3s.
-  k3sRuntimeDeps = [
-    kmod
-    socat
-    iptables
-    iproute2
-    ipset
-    bridge-utils
-    ethtool
-    util-linux # kubelet wants 'nsenter' from util-linux: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-705994388
-    conntrack-tools
-  ];
-
-  buildInputs = k3sRuntimeDeps;
-
-  nativeBuildInputs = [
-    makeWrapper
-    rsync
-    yq-go
-    zstd
-  ];
-
-  # embedded in the final k3s cli
-  propagatedBuildInputs = [
-    k3sCNIPlugins
-    k3sContainerd
-    k3sServer
-    runc
-  ];
-
-  # We override most of buildPhase due to peculiarities in k3s's build.
-  # Specifically, it has a 'go generate' which runs part of the package. See
-  # this comment:
-  # https://github.com/NixOS/nixpkgs/pull/158089#discussion_r799965694
-  # So, why do we use buildGoModule at all? For the `vendorSha256` / `go mod download` stuff primarily.
-  buildPhase = ''
-    patchShebangs ./scripts/package-cli ./scripts/download ./scripts/build-upload
-
-    # copy needed 'go generate' inputs into place
-    mkdir -p ./bin/aux
-    rsync -a --no-perms ${k3sServer}/bin/ ./bin/
-    ln -vsf ${runc}/bin/runc ./bin/runc
-    ln -vsf ${k3sCNIPlugins}/bin/cni ./bin/cni
-    ln -vsf ${k3sContainerd}/bin/* ./bin/
-    rsync -a --no-perms --chmod u=rwX ${k3sRoot}/etc/ ./etc/
-    mkdir -p ./build/static/charts
-
-    cp ${traefikChart} ./build/static/charts
-    cp ${traefik-crdChart} ./build/static/charts
-
-    export ARCH=$GOARCH
-    export DRONE_TAG="v${k3sVersion}"
-    export DRONE_COMMIT="${k3sCommit}"
-    # use ./scripts/package-cli to run 'go generate' + 'go build'
-
-    ./scripts/package-cli
-    mkdir -p $out/bin
-  '';
-
-  # Otherwise it depends on 'getGoDirs', which is normally set in buildPhase
-  doCheck = false;
-
-  installPhase = ''
-    # wildcard to match the arm64 build too
-    install -m 0755 dist/artifacts/k3s* -D $out/bin/k3s
-    wrapProgram $out/bin/k3s \
-      --prefix PATH : ${lib.makeBinPath k3sRuntimeDeps} \
-      --prefix PATH : "$out/bin"
-  '';
-
-  doInstallCheck = true;
-  installCheckPhase = ''
-    $out/bin/k3s --version | grep -F "v${k3sVersion}" >/dev/null
-  '';
-
-  # Fix-Me: Needs to be adapted specifically for 1.24
-  # passthru.updateScript = ./update.sh;
-
-  passthru.tests = k3s.passthru.mkTests k3sVersion;
-
-  meta = baseMeta;
-}
--- a/pkgs/applications/networking/cluster/k3s/1_25/0001-script-download-strip-downloading-just-package-CRD.patch
+++ b/pkgs/applications/networking/cluster/k3s/1_25/0001-script-download-strip-downloading-just-package-CRD.patch
@@ -1,41 +0,0 @@
-From 6f53bd36a40da4c71486e3b79f6e32d53d6eea5d Mon Sep 17 00:00:00 2001
-From: Euan Kemp <euank@euank.com>
-Date: Thu, 3 Feb 2022 23:50:40 -0800
-Subject: [PATCH 2/2] scrips/download: strip downloading, just package CRD
-
-The CRD packaging is a complicated set of commands, so let's reuse it.
---
- scripts/download | 10 ++--------
- 1 file changed, 2 insertions(+), 8 deletions(-)
-
-diff --git a/scripts/download b/scripts/download
-index 5effc0562a..82361803ee 100755
--- a/scripts/download
-+++ b/scripts/download
-@@ -24,12 +24,6 @@ rm -rf ${CONTAINERD_DIR}
- mkdir -p ${CHARTS_DIR}
- mkdir -p ${DATA_DIR}
- 
-curl --compressed -sfL https://github.com/k3s-io/k3s-root/releases/download/${VERSION_ROOT}/k3s-root-${ARCH}.tar | tar xf - --exclude=bin/socat
-
-git clone --single-branch --branch=${VERSION_RUNC} --depth=1 https://github.com/opencontainers/runc ${RUNC_DIR}
-
-git clone --single-branch --branch=${VERSION_CONTAINERD} --depth=1 https://github.com/k3s-io/containerd ${CONTAINERD_DIR}
-
- setup_tmp() {
-     TMP_DIR=$(mktemp -d --tmpdir=${CHARTS_DIR})
-     cleanup() {
-@@ -44,8 +38,8 @@ setup_tmp() {
- 
- download_and_package_traefik () {
-   echo "Downloading Traefik Helm chart from ${TRAEFIK_URL}"
-  curl -sfL ${TRAEFIK_URL} -o ${TMP_DIR}/${TRAEFIK_FILE}
-  code=$?
-+  # nixpkgs: copy in our known traefik chart instead
-+  cp $TRAEFIK_CHART_FILE ${TMP_DIR}/${TRAEFIK_FILE}
- 
-   if [ $code -ne 0 ]; then
-     echo "Error: Failed to download Traefik Helm chart!"
-- 
-2.34.1
-
--- a/pkgs/applications/networking/cluster/k3s/1_25/default.nix
+++ b/pkgs/applications/networking/cluster/k3s/1_25/default.nix
@@ -1,333 +0,0 @@
-{ stdenv
-, lib
-, makeWrapper
-, socat
-, iptables
-, iproute2
-, ipset
-, bridge-utils
-, btrfs-progs
-, conntrack-tools
-, buildGoModule
-, runc
-, rsync
-, kmod
-, libseccomp
-, pkg-config
-, ethtool
-, util-linux
-, fetchFromGitHub
-, fetchurl
-, fetchzip
-, fetchgit
-, zstd
-, yq-go
-, sqlite
-, nixosTests
-, pkgsBuildBuild
-, k3s
-}:
-
-# k3s is a kinda weird derivation. One of the main points of k3s is the
-# simplicity of it being one binary that can perform several tasks.
-# However, when you have a good package manager (like nix), that doesn't
-# actually make much of a difference; you don't really care if it's one binary
-# or 10 since with a good package manager, installing and running it is
-# identical.
-# Since upstream k3s packages itself as one large binary with several
-# "personalities" (in the form of subcommands like 'k3s agent' and 'k3s
-# kubectl'), it ends up being easiest to mostly mimic upstream packaging, with
-# some exceptions.
-# K3s also carries patches to some packages (such as containerd and cni
-# plugins), so we intentionally use the k3s versions of those binaries for k3s,
-# even if the upstream version of those binaries exist in nixpkgs already. In
-# the end, that means we have a thick k3s binary that behaves like the upstream
-# one for the most part.
-# However, k3s also bundles several pieces of unpatched software, from the
-# strongswan vpn software, to iptables, to socat, conntrack, busybox, etc.
-# Those pieces of software we entirely ignore upstream's handling of, and just
-# make sure they're in the path if desired.
-let
-  k3sVersion = "1.25.3+k3s1";     # k3s git tag
-  k3sCommit = "f2585c1671b31b4b34bddbb3bf4e7d69662b0821"; # k3s git commit at the above version
-  k3sRepoSha256 = "0zwf3iwjcidx14zw36s1hr0q8wmmbfc0rfqwd7fmpjq597h8zkms";
-  k3sVendorSha256 = "sha256-U67tJRGqPFk5AfRe7I50zKGC9HJ2oh+iI/C7qF/76BQ=";
-
-  # taken from ./manifests/traefik.yaml, extracted from '.spec.chart' https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/download#L9
-  # The 'patch' and 'minor' versions are currently hardcoded as single digits only, so ignore the trailing two digits. Weird, I know.
-  traefikChartVersion = "12.0.0";
-  traefikChartSha256 = "1sqmi71fi3ad5dh5fmsp9mv80x6pkgqwi4r9fr8l6i9sdnai6f1a";
-
-  # taken from ./scripts/version.sh VERSION_ROOT https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/version.sh#L47
-  k3sRootVersion = "0.11.0";
-  k3sRootSha256 = "016n56vi09xkvjph7wgzb2m86mhd5x65fs4d11pmh20hl249r620";
-
-  # taken from ./scripts/version.sh VERSION_CNIPLUGINS https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/version.sh#L45
-  k3sCNIVersion = "1.1.1-k3s1";
-  k3sCNISha256 = "14mb3zsqibj1sn338gjmsyksbm0mxv9p016dij7zidccx2rzn6nl";
-
-  # taken from go.mod, the 'github.com/containerd/containerd' line
-  # run `grep github.com/containerd/containerd go.mod | head -n1 | awk '{print $4}'`
-  containerdVersion = "1.5.13-k3s2";
-  containerdSha256 = "1pfr2ji4aij9js90gf4a3hqnhyw5hshcjdccm62l700j68gs5z97";
-
-  # run `grep github.com/kubernetes-sigs/cri-tools go.mod | head -n1 | awk '{print $4}'` in the k3s repo at the tag
-  criCtlVersion = "1.25.0-k3s1";
-
-  baseMeta = k3s.meta;
-
-  # https://github.com/k3s-io/k3s/blob/5fb370e53e0014dc96183b8ecb2c25a61e891e76/scripts/build#L19-L40
-  versionldflags = [
-    "-X github.com/rancher/k3s/pkg/version.Version=v${k3sVersion}"
-    "-X github.com/rancher/k3s/pkg/version.GitCommit=${lib.substring 0 8 k3sCommit}"
-    "-X k8s.io/client-go/pkg/version.gitVersion=v${k3sVersion}"
-    "-X k8s.io/client-go/pkg/version.gitCommit=${k3sCommit}"
-    "-X k8s.io/client-go/pkg/version.gitTreeState=clean"
-    "-X k8s.io/client-go/pkg/version.buildDate=1970-01-01T01:01:01Z"
-    "-X k8s.io/component-base/version.gitVersion=v${k3sVersion}"
-    "-X k8s.io/component-base/version.gitCommit=${k3sCommit}"
-    "-X k8s.io/component-base/version.gitTreeState=clean"
-    "-X k8s.io/component-base/version.buildDate=1970-01-01T01:01:01Z"
-    "-X github.com/kubernetes-sigs/cri-tools/pkg/version.Version=v${criCtlVersion}"
-    "-X github.com/containerd/containerd/version.Version=v${containerdVersion}"
-    "-X github.com/containerd/containerd/version.Package=github.com/k3s-io/containerd"
-  ];
-
-  # bundled into the k3s binary
-  traefikChart = fetchurl {
-    url = "https://helm.traefik.io/traefik/traefik-${traefikChartVersion}.tgz";
-    sha256 = traefikChartSha256;
-  };
-  # so, k3s is a complicated thing to package
-  # This derivation attempts to avoid including any random binaries from the
-  # internet. k3s-root is _mostly_ binaries built to be bundled in k3s (which
-  # we don't care about doing, we can add those as build or runtime
-  # dependencies using a real package manager).
-  # In addition to those binaries, it's also configuration though (right now
-  # mostly strongswan configuration), and k3s does use those files.
-  # As such, we download it in order to grab 'etc' and bundle it into the final
-  # k3s binary.
-  k3sRoot = fetchzip {
-    # Note: marked as apache 2.0 license
-    url = "https://github.com/k3s-io/k3s-root/releases/download/v${k3sRootVersion}/k3s-root-amd64.tar";
-    sha256 = k3sRootSha256;
-    stripRoot = false;
-  };
-  k3sCNIPlugins = buildGoModule rec {
-    pname = "k3s-cni-plugins";
-    version = k3sCNIVersion;
-    vendorSha256 = null;
-
-    subPackages = [ "." ];
-
-    src = fetchFromGitHub {
-      owner = "rancher";
-      repo = "plugins";
-      rev = "v${version}";
-      sha256 = k3sCNISha256;
-    };
-
-    postInstall = ''
-      mv $out/bin/plugins $out/bin/cni
-    '';
-
-    meta = baseMeta // {
-      description = "CNI plugins, as patched by rancher for k3s";
-    };
-  };
-  # Grab this separately from a build because it's used by both stages of the
-  # k3s build.
-  k3sRepo = fetchgit {
-    url = "https://github.com/k3s-io/k3s";
-    rev = "v${k3sVersion}";
-    sha256 = k3sRepoSha256;
-  };
-  # Stage 1 of the k3s build:
-  # Let's talk about how k3s is structured.
-  # One of the ideas of k3s is that there's the single "k3s" binary which can
-  # do everything you need, from running a k3s server, to being a worker node,
-  # to running kubectl.
-  # The way that actually works is that k3s is a single go binary that contains
-  # a bunch of bindata that it unpacks at runtime into directories (either the
-  # user's home directory or /var/lib/rancher if run as root).
-  # This bindata includes both binaries and configuration.
-  # In order to let nixpkgs do all its autostripping/patching/etc, we split this into two derivations.
-  # First, we build all the binaries that get packed into the thick k3s binary
-  # (and output them from one derivation so they'll all be suitably patched up).
-  # Then, we bundle those binaries into our thick k3s binary and use that as
-  # the final single output.
-  # This approach was chosen because it ensures the bundled binaries all are
-  # correctly built to run with nix (we can lean on the existing buildGoModule
-  # stuff), and we can again lean on that tooling for the final k3s binary too.
-  # Other alternatives would be to manually run the
-  # strip/patchelf/remove-references step ourselves in the installPhase of the
-  # derivation when we've built all the binaries, but haven't bundled them in
-  # with generated bindata yet.
-
-  k3sServer = buildGoModule rec {
-    pname = "k3s-server";
-    version = k3sVersion;
-
-    src = k3sRepo;
-    vendorSha256 = k3sVendorSha256;
-
-    nativeBuildInputs = [ pkg-config ];
-    buildInputs = [ libseccomp sqlite.dev ];
-
-    subPackages = [ "cmd/server" ];
-    ldflags = versionldflags;
-
-    tags = [ "libsqlite3" "linux" ];
-
-    # create the multicall symlinks for k3s
-    postInstall = ''
-      mv $out/bin/server $out/bin/k3s
-      pushd $out
-      # taken verbatim from https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/build#L105-L113
-      ln -s k3s ./bin/k3s-agent
-      ln -s k3s ./bin/k3s-server
-      ln -s k3s ./bin/k3s-etcd-snapshot
-      ln -s k3s ./bin/k3s-secrets-encrypt
-      ln -s k3s ./bin/k3s-certificate
-      ln -s k3s ./bin/kubectl
-      ln -s k3s ./bin/crictl
-      ln -s k3s ./bin/ctr
-      popd
-    '';
-
-    meta = baseMeta // {
-      description = "The various binaries that get packaged into the final k3s binary";
-    };
-  };
-  k3sContainerd = buildGoModule {
-    pname = "k3s-containerd";
-    version = containerdVersion;
-    src = fetchFromGitHub {
-      owner = "k3s-io";
-      repo = "containerd";
-      rev = "v${containerdVersion}";
-      sha256 = containerdSha256;
-    };
-    vendorSha256 = null;
-    buildInputs = [ btrfs-progs ];
-    subPackages = [ "cmd/containerd" "cmd/containerd-shim-runc-v2" ];
-    ldflags = versionldflags;
-  };
-in
-buildGoModule rec {
-  pname = "k3s";
-  version = k3sVersion;
-
-  src = k3sRepo;
-  vendorSha256 = k3sVendorSha256;
-
-  patches = [
-    ./0001-script-download-strip-downloading-just-package-CRD.patch
-  ];
-
-  postPatch = ''
-    # Nix prefers dynamically linked binaries over static binary.
-
-    substituteInPlace scripts/package-cli \
-      --replace '"$LDFLAGS $STATIC" -o' \
-                '"$LDFLAGS" -o' \
-      --replace "STATIC=\"-extldflags \'-static\'\"" \
-                ""
-
-    # Upstream codegen fails with trimpath set. Removes "trimpath" for 'go generate':
-
-    substituteInPlace scripts/package-cli \
-      --replace '"''${GO}" generate' \
-                'GOFLAGS="" \
-                 GOOS="${pkgsBuildBuild.go.GOOS}" \
-                 GOARCH="${pkgsBuildBuild.go.GOARCH}" \
-                 CC="${pkgsBuildBuild.stdenv.cc}/bin/cc" \
-                 "''${GO}" generate'
-  '';
-
-  # Important utilities used by the kubelet, see
-  # https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494
-  # Note the list in that issue is stale and some aren't relevant for k3s.
-  k3sRuntimeDeps = [
-    kmod
-    socat
-    iptables
-    iproute2
-    ipset
-    bridge-utils
-    ethtool
-    util-linux # kubelet wants 'nsenter' from util-linux: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-705994388
-    conntrack-tools
-  ];
-
-  buildInputs = k3sRuntimeDeps;
-
-  nativeBuildInputs = [
-    makeWrapper
-    rsync
-    yq-go
-    zstd
-  ];
-
-  # embedded in the final k3s cli
-  propagatedBuildInputs = [
-    k3sCNIPlugins
-    k3sContainerd
-    k3sServer
-    runc
-  ];
-
-  # We override most of buildPhase due to peculiarities in k3s's build.
-  # Specifically, it has a 'go generate' which runs part of the package. See
-  # this comment:
-  # https://github.com/NixOS/nixpkgs/pull/158089#discussion_r799965694
-  # So, why do we use buildGoModule at all? For the `vendorSha256` / `go mod download` stuff primarily.
-  buildPhase = ''
-    patchShebangs ./scripts/package-cli ./scripts/download ./scripts/build-upload
-
-    # copy needed 'go generate' inputs into place
-    mkdir -p ./bin/aux
-    rsync -a --no-perms ${k3sServer}/bin/ ./bin/
-    ln -vsf ${runc}/bin/runc ./bin/runc
-    ln -vsf ${k3sCNIPlugins}/bin/cni ./bin/cni
-    ln -vsf ${k3sContainerd}/bin/* ./bin/
-    rsync -a --no-perms --chmod u=rwX ${k3sRoot}/etc/ ./etc/
-    mkdir -p ./build/static/charts
-    # Note, upstream's chart has a 00 suffix. This seems to not matter though, so we're ignoring that naming detail.
-    export TRAEFIK_CHART_FILE=${traefikChart}
-    # place the traefik chart using their code since it's complicated
-    # We trim the actual download, see patches
-    ./scripts/download
-
-    export ARCH=$GOARCH
-    export DRONE_TAG="v${k3sVersion}"
-    export DRONE_COMMIT="${k3sCommit}"
-    # use ./scripts/package-cli to run 'go generate' + 'go build'
-
-    ./scripts/package-cli
-    mkdir -p $out/bin
-  '';
-
-  # Otherwise it depends on 'getGoDirs', which is normally set in buildPhase
-  doCheck = false;
-
-  installPhase = ''
-    # wildcard to match the arm64 build too
-    install -m 0755 dist/artifacts/k3s* -D $out/bin/k3s
-    wrapProgram $out/bin/k3s \
-      --prefix PATH : ${lib.makeBinPath k3sRuntimeDeps} \
-      --prefix PATH : "$out/bin"
-  '';
-
-  doInstallCheck = true;
-  installCheckPhase = ''
-    $out/bin/k3s --version | grep -F "v${k3sVersion}" >/dev/null
-  '';
-
-  # Fix-Me: Needs to be adapted specifically for 1.25
-  # passthru.updateScript = ./update.sh;
-
-  passthru.tests = k3s.passthru.mkTests k3sVersion;
-
-  meta = baseMeta;
-}
--- a/pkgs/applications/networking/cluster/nixops/default.nix
+++ b/pkgs/applications/networking/cluster/nixops/default.nix
@@ -31,6 +31,7 @@ let
                  maintainers = with lib.maintainers; [ adisbladis aminechikhaoui eelco rob domenkozar ];
                  platforms = lib.platforms.unix;
                  license = lib.licenses.lgpl3;
+                  mainProgram = "nixops";
                };

              }
--- a/pkgs/applications/networking/cluster/nixops/poetry-git-overlay.nix
+++ b/pkgs/applications/networking/cluster/nixops/poetry-git-overlay.nix
@@ -5,8 +5,8 @@ self: super: {
    _: {
      src = pkgs.fetchgit {
        url = "https://github.com/NixOS/nixops.git";
-        rev = "5013072c5ca34247d7dce545c3a7b1954948fd4d";
-        sha256 = "0417xq7s0qkh9ali8grlahpxl4sgg4dla302dda4768wbp0wagcz";
+        rev = "fc9b55c55da62f949028143b974f67fdc7f40c8b";
+        sha256 = "0f5r17rq3rf3ylp16cq50prn8qmfc1gwpqgqfj491w38sr5sspf8";
      };
    }
  );
@@ -15,8 +15,8 @@ self: super: {
    _: {
      src = pkgs.fetchgit {
        url = "https://github.com/NixOS/nixops-aws.git";
-        rev = "d8a6679c413edd1a7075b2fe08017b4c7fa3b3ce";
-        sha256 = "0aqkaskp6nkcnfxxf1n294xp4ggk36qldj5c3kzfgxim06jap7n5";
+        rev = "012c94fc128b1cf2497aa5f2bc8fbffd0b52b464";
+        sha256 = "04lamaszl3llhbpsybi9scd7yrqc51x1h5z38b2w20ik9gv9lgrz";
      };
    }
  );
@@ -45,8 +45,8 @@ self: super: {
    _: {
      src = pkgs.fetchgit {
        url = "https://github.com/nix-community/nixops-gce.git";
-        rev = "712453027486e62e087b9c91e4a8a171eebb6ddd";
-        sha256 = "0siw2silxvbxdfgb2dcymn11nqdf8an7q43wcq1lyg1ac07w7dwh";
+        rev = "d13cb794aef763338f544010ceb1816fe31d7f42";
+        sha256 = "0i57qhiga4nr0ms9gj615l599vxy78lzw7hap4rbzbhl5bl1yijj";
      };
    }
  );
--- a/pkgs/applications/networking/cluster/nixops/poetry.lock
+++ b/pkgs/applications/networking/cluster/nixops/poetry.lock
@@ -29,18 +29,18 @@ files = [

 [[package]]
 name = "boto3"
-version = "1.26.79"
+version = "1.26.141"
 description = "The AWS SDK for Python"
 category = "main"
 optional = false
 python-versions = ">= 3.7"
 files = [
-    {file = "boto3-1.26.79-py3-none-any.whl", hash = "sha256:049de631cc03726a14b8eb24ac9ec2a48b0624197796f36166da809fdc9b9a7f"},
-    {file = "boto3-1.26.79.tar.gz", hash = "sha256:73d7bd1f16118ef0dfe936e0420cd76b02d1aedb75330ebda51168458ab752ac"},
+    {file = "boto3-1.26.141-py3-none-any.whl", hash = "sha256:a5d6fdcaec863bc7ad2f8133ff9a926d6f06468b83b5fb631cd90bd33b709c45"},
+    {file = "boto3-1.26.141.tar.gz", hash = "sha256:152def2fcc9854dcc42383d2b53e2ed2c9ccb5ff6cc0f3ada20f1ab54418ede4"},
 ]

 [package.dependencies]
-botocore = ">=1.29.79,<1.30.0"
+botocore = ">=1.29.141,<1.30.0"
 jmespath = ">=0.7.1,<2.0.0"
 s3transfer = ">=0.6.0,<0.7.0"

@@ -49,14 +49,14 @@ crt = ["botocore[crt] (>=1.21.0,<2.0a0)"]

 [[package]]
 name = "botocore"
-version = "1.29.79"
+version = "1.29.141"
 description = "Low-level, data-driven core of boto 3."
 category = "main"
 optional = false
 python-versions = ">= 3.7"
 files = [
-    {file = "botocore-1.29.79-py3-none-any.whl", hash = "sha256:5f254f019e8641f8b2ba6dddc1f7541e8c6d25d976802392710b2fc4bac925b1"},
-    {file = "botocore-1.29.79.tar.gz", hash = "sha256:c7ded44062bed3b928944cfb09e1578ed3fed0e4c98de4f233f3c2056a8d491e"},
+    {file = "botocore-1.29.141-py3-none-any.whl", hash = "sha256:b01d156c42765f3f437959e01a8c7f3cb0e29b24aa0b8f373498133408b2e3c7"},
+    {file = "botocore-1.29.141.tar.gz", hash = "sha256:e86e1633f98838317b9e1b5c874c4d85339b77f6b7e55c2a4d83913f6166f9ad"},
 ]

 [package.dependencies]
@@ -69,14 +69,14 @@ crt = ["awscrt (==0.16.9)"]

 [[package]]
 name = "certifi"
-version = "2022.12.7"
+version = "2023.5.7"
 description = "Python package for providing Mozilla's CA Bundle."
 category = "main"
 optional = false
 python-versions = ">=3.6"
 files = [
-    {file = "certifi-2022.12.7-py3-none-any.whl", hash = "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18"},
-    {file = "certifi-2022.12.7.tar.gz", hash = "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3"},
+    {file = "certifi-2023.5.7-py3-none-any.whl", hash = "sha256:c6c2e98f5c7869efca1f8916fed228dd91539f9f1b444c314c06eef02980c716"},
+    {file = "certifi-2023.5.7.tar.gz", hash = "sha256:0f0d56dc5a6ad56fd4ba36484d6cc34451e1c6548c61daad8c320169f91eddc7"},
 ]

 [[package]]
@@ -158,141 +158,130 @@ pycparser = "*"

 [[package]]
 name = "charset-normalizer"
-version = "3.0.1"
+version = "3.1.0"
 description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet."
 category = "main"
 optional = false
-python-versions = "*"
+python-versions = ">=3.7.0"
 files = [
-    {file = "charset-normalizer-3.0.1.tar.gz", hash = "sha256:ebea339af930f8ca5d7a699b921106c6e29c617fe9606fa7baa043c1cdae326f"},
-    {file = "charset_normalizer-3.0.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:88600c72ef7587fe1708fd242b385b6ed4b8904976d5da0893e31df8b3480cb6"},
-    {file = "charset_normalizer-3.0.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:c75ffc45f25324e68ab238cb4b5c0a38cd1c3d7f1fb1f72b5541de469e2247db"},
-    {file = "charset_normalizer-3.0.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:db72b07027db150f468fbada4d85b3b2729a3db39178abf5c543b784c1254539"},
-    {file = "charset_normalizer-3.0.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:62595ab75873d50d57323a91dd03e6966eb79c41fa834b7a1661ed043b2d404d"},
-    {file = "charset_normalizer-3.0.1-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ff6f3db31555657f3163b15a6b7c6938d08df7adbfc9dd13d9d19edad678f1e8"},
-    {file = "charset_normalizer-3.0.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:772b87914ff1152b92a197ef4ea40efe27a378606c39446ded52c8f80f79702e"},
-    {file = "charset_normalizer-3.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:70990b9c51340e4044cfc394a81f614f3f90d41397104d226f21e66de668730d"},
-    {file = "charset_normalizer-3.0.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:292d5e8ba896bbfd6334b096e34bffb56161c81408d6d036a7dfa6929cff8783"},
-    {file = "charset_normalizer-3.0.1-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:2edb64ee7bf1ed524a1da60cdcd2e1f6e2b4f66ef7c077680739f1641f62f555"},
-    {file = "charset_normalizer-3.0.1-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:31a9ddf4718d10ae04d9b18801bd776693487cbb57d74cc3458a7673f6f34639"},
-    {file = "charset_normalizer-3.0.1-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:44ba614de5361b3e5278e1241fda3dc1838deed864b50a10d7ce92983797fa76"},
-    {file = "charset_normalizer-3.0.1-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:12db3b2c533c23ab812c2b25934f60383361f8a376ae272665f8e48b88e8e1c6"},
-    {file = "charset_normalizer-3.0.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:c512accbd6ff0270939b9ac214b84fb5ada5f0409c44298361b2f5e13f9aed9e"},
-    {file = "charset_normalizer-3.0.1-cp310-cp310-win32.whl", hash = "sha256:502218f52498a36d6bf5ea77081844017bf7982cdbe521ad85e64cabee1b608b"},
-    {file = "charset_normalizer-3.0.1-cp310-cp310-win_amd64.whl", hash = "sha256:601f36512f9e28f029d9481bdaf8e89e5148ac5d89cffd3b05cd533eeb423b59"},
-    {file = "charset_normalizer-3.0.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:0298eafff88c99982a4cf66ba2efa1128e4ddaca0b05eec4c456bbc7db691d8d"},
-    {file = "charset_normalizer-3.0.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:a8d0fc946c784ff7f7c3742310cc8a57c5c6dc31631269876a88b809dbeff3d3"},
-    {file = "charset_normalizer-3.0.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:87701167f2a5c930b403e9756fab1d31d4d4da52856143b609e30a1ce7160f3c"},
-    {file = "charset_normalizer-3.0.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:14e76c0f23218b8f46c4d87018ca2e441535aed3632ca134b10239dfb6dadd6b"},
-    {file = "charset_normalizer-3.0.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0c0a590235ccd933d9892c627dec5bc7511ce6ad6c1011fdf5b11363022746c1"},
-    {file = "charset_normalizer-3.0.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8c7fe7afa480e3e82eed58e0ca89f751cd14d767638e2550c77a92a9e749c317"},
-    {file = "charset_normalizer-3.0.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:79909e27e8e4fcc9db4addea88aa63f6423ebb171db091fb4373e3312cb6d603"},
-    {file = "charset_normalizer-3.0.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8ac7b6a045b814cf0c47f3623d21ebd88b3e8cf216a14790b455ea7ff0135d18"},
-    {file = "charset_normalizer-3.0.1-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:72966d1b297c741541ca8cf1223ff262a6febe52481af742036a0b296e35fa5a"},
-    {file = "charset_normalizer-3.0.1-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:f9d0c5c045a3ca9bedfc35dca8526798eb91a07aa7a2c0fee134c6c6f321cbd7"},
-    {file = "charset_normalizer-3.0.1-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:5995f0164fa7df59db4746112fec3f49c461dd6b31b841873443bdb077c13cfc"},
-    {file = "charset_normalizer-3.0.1-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:4a8fcf28c05c1f6d7e177a9a46a1c52798bfe2ad80681d275b10dcf317deaf0b"},
-    {file = "charset_normalizer-3.0.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:761e8904c07ad053d285670f36dd94e1b6ab7f16ce62b9805c475b7aa1cffde6"},
-    {file = "charset_normalizer-3.0.1-cp311-cp311-win32.whl", hash = "sha256:71140351489970dfe5e60fc621ada3e0f41104a5eddaca47a7acb3c1b851d6d3"},
-    {file = "charset_normalizer-3.0.1-cp311-cp311-win_amd64.whl", hash = "sha256:9ab77acb98eba3fd2a85cd160851816bfce6871d944d885febf012713f06659c"},
-    {file = "charset_normalizer-3.0.1-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:84c3990934bae40ea69a82034912ffe5a62c60bbf6ec5bc9691419641d7d5c9a"},
-    {file = "charset_normalizer-3.0.1-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:74292fc76c905c0ef095fe11e188a32ebd03bc38f3f3e9bcb85e4e6db177b7ea"},
-    {file = "charset_normalizer-3.0.1-cp36-cp36m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c95a03c79bbe30eec3ec2b7f076074f4281526724c8685a42872974ef4d36b72"},
-    {file = "charset_normalizer-3.0.1-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f4c39b0e3eac288fedc2b43055cfc2ca7a60362d0e5e87a637beac5d801ef478"},
-    {file = "charset_normalizer-3.0.1-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:df2c707231459e8a4028eabcd3cfc827befd635b3ef72eada84ab13b52e1574d"},
-    {file = "charset_normalizer-3.0.1-cp36-cp36m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:93ad6d87ac18e2a90b0fe89df7c65263b9a99a0eb98f0a3d2e079f12a0735837"},
-    {file = "charset_normalizer-3.0.1-cp36-cp36m-musllinux_1_1_aarch64.whl", hash = "sha256:59e5686dd847347e55dffcc191a96622f016bc0ad89105e24c14e0d6305acbc6"},
-    {file = "charset_normalizer-3.0.1-cp36-cp36m-musllinux_1_1_i686.whl", hash = "sha256:cd6056167405314a4dc3c173943f11249fa0f1b204f8b51ed4bde1a9cd1834dc"},
-    {file = "charset_normalizer-3.0.1-cp36-cp36m-musllinux_1_1_ppc64le.whl", hash = "sha256:083c8d17153ecb403e5e1eb76a7ef4babfc2c48d58899c98fcaa04833e7a2f9a"},
-    {file = "charset_normalizer-3.0.1-cp36-cp36m-musllinux_1_1_s390x.whl", hash = "sha256:f5057856d21e7586765171eac8b9fc3f7d44ef39425f85dbcccb13b3ebea806c"},
-    {file = "charset_normalizer-3.0.1-cp36-cp36m-musllinux_1_1_x86_64.whl", hash = "sha256:7eb33a30d75562222b64f569c642ff3dc6689e09adda43a082208397f016c39a"},
-    {file = "charset_normalizer-3.0.1-cp36-cp36m-win32.whl", hash = "sha256:95dea361dd73757c6f1c0a1480ac499952c16ac83f7f5f4f84f0658a01b8ef41"},
-    {file = "charset_normalizer-3.0.1-cp36-cp36m-win_amd64.whl", hash = "sha256:eaa379fcd227ca235d04152ca6704c7cb55564116f8bc52545ff357628e10602"},
-    {file = "charset_normalizer-3.0.1-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:3e45867f1f2ab0711d60c6c71746ac53537f1684baa699f4f668d4c6f6ce8e14"},
-    {file = "charset_normalizer-3.0.1-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cadaeaba78750d58d3cc6ac4d1fd867da6fc73c88156b7a3212a3cd4819d679d"},
-    {file = "charset_normalizer-3.0.1-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:911d8a40b2bef5b8bbae2e36a0b103f142ac53557ab421dc16ac4aafee6f53dc"},
-    {file = "charset_normalizer-3.0.1-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:503e65837c71b875ecdd733877d852adbc465bd82c768a067badd953bf1bc5a3"},
-    {file = "charset_normalizer-3.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a60332922359f920193b1d4826953c507a877b523b2395ad7bc716ddd386d866"},
-    {file = "charset_normalizer-3.0.1-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:16a8663d6e281208d78806dbe14ee9903715361cf81f6d4309944e4d1e59ac5b"},
-    {file = "charset_normalizer-3.0.1-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:a16418ecf1329f71df119e8a65f3aa68004a3f9383821edcb20f0702934d8087"},
-    {file = "charset_normalizer-3.0.1-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:9d9153257a3f70d5f69edf2325357251ed20f772b12e593f3b3377b5f78e7ef8"},
-    {file = "charset_normalizer-3.0.1-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:02a51034802cbf38db3f89c66fb5d2ec57e6fe7ef2f4a44d070a593c3688667b"},
-    {file = "charset_normalizer-3.0.1-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:2e396d70bc4ef5325b72b593a72c8979999aa52fb8bcf03f701c1b03e1166918"},
-    {file = "charset_normalizer-3.0.1-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:11b53acf2411c3b09e6af37e4b9005cba376c872503c8f28218c7243582df45d"},
-    {file = "charset_normalizer-3.0.1-cp37-cp37m-win32.whl", hash = "sha256:0bf2dae5291758b6f84cf923bfaa285632816007db0330002fa1de38bfcb7154"},
-    {file = "charset_normalizer-3.0.1-cp37-cp37m-win_amd64.whl", hash = "sha256:2c03cc56021a4bd59be889c2b9257dae13bf55041a3372d3295416f86b295fb5"},
-    {file = "charset_normalizer-3.0.1-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:024e606be3ed92216e2b6952ed859d86b4cfa52cd5bc5f050e7dc28f9b43ec42"},
-    {file = "charset_normalizer-3.0.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:4b0d02d7102dd0f997580b51edc4cebcf2ab6397a7edf89f1c73b586c614272c"},
-    {file = "charset_normalizer-3.0.1-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:358a7c4cb8ba9b46c453b1dd8d9e431452d5249072e4f56cfda3149f6ab1405e"},
-    {file = "charset_normalizer-3.0.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:81d6741ab457d14fdedc215516665050f3822d3e56508921cc7239f8c8e66a58"},
-    {file = "charset_normalizer-3.0.1-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8b8af03d2e37866d023ad0ddea594edefc31e827fee64f8de5611a1dbc373174"},
-    {file = "charset_normalizer-3.0.1-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9cf4e8ad252f7c38dd1f676b46514f92dc0ebeb0db5552f5f403509705e24753"},
-    {file = "charset_normalizer-3.0.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e696f0dd336161fca9adbb846875d40752e6eba585843c768935ba5c9960722b"},
-    {file = "charset_normalizer-3.0.1-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c22d3fe05ce11d3671297dc8973267daa0f938b93ec716e12e0f6dee81591dc1"},
-    {file = "charset_normalizer-3.0.1-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:109487860ef6a328f3eec66f2bf78b0b72400280d8f8ea05f69c51644ba6521a"},
-    {file = "charset_normalizer-3.0.1-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:37f8febc8ec50c14f3ec9637505f28e58d4f66752207ea177c1d67df25da5aed"},
-    {file = "charset_normalizer-3.0.1-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:f97e83fa6c25693c7a35de154681fcc257c1c41b38beb0304b9c4d2d9e164479"},
-    {file = "charset_normalizer-3.0.1-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:a152f5f33d64a6be73f1d30c9cc82dfc73cec6477ec268e7c6e4c7d23c2d2291"},
-    {file = "charset_normalizer-3.0.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:39049da0ffb96c8cbb65cbf5c5f3ca3168990adf3551bd1dee10c48fce8ae820"},
-    {file = "charset_normalizer-3.0.1-cp38-cp38-win32.whl", hash = "sha256:4457ea6774b5611f4bed5eaa5df55f70abde42364d498c5134b7ef4c6958e20e"},
-    {file = "charset_normalizer-3.0.1-cp38-cp38-win_amd64.whl", hash = "sha256:e62164b50f84e20601c1ff8eb55620d2ad25fb81b59e3cd776a1902527a788af"},
-    {file = "charset_normalizer-3.0.1-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:8eade758719add78ec36dc13201483f8e9b5d940329285edcd5f70c0a9edbd7f"},
-    {file = "charset_normalizer-3.0.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:8499ca8f4502af841f68135133d8258f7b32a53a1d594aa98cc52013fff55678"},
-    {file = "charset_normalizer-3.0.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:3fc1c4a2ffd64890aebdb3f97e1278b0cc72579a08ca4de8cd2c04799a3a22be"},
-    {file = "charset_normalizer-3.0.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:00d3ffdaafe92a5dc603cb9bd5111aaa36dfa187c8285c543be562e61b755f6b"},
-    {file = "charset_normalizer-3.0.1-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c2ac1b08635a8cd4e0cbeaf6f5e922085908d48eb05d44c5ae9eabab148512ca"},
-    {file = "charset_normalizer-3.0.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f6f45710b4459401609ebebdbcfb34515da4fc2aa886f95107f556ac69a9147e"},
-    {file = "charset_normalizer-3.0.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3ae1de54a77dc0d6d5fcf623290af4266412a7c4be0b1ff7444394f03f5c54e3"},
-    {file = "charset_normalizer-3.0.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3b590df687e3c5ee0deef9fc8c547d81986d9a1b56073d82de008744452d6541"},
-    {file = "charset_normalizer-3.0.1-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:ab5de034a886f616a5668aa5d098af2b5385ed70142090e2a31bcbd0af0fdb3d"},
-    {file = "charset_normalizer-3.0.1-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:9cb3032517f1627cc012dbc80a8ec976ae76d93ea2b5feaa9d2a5b8882597579"},
-    {file = "charset_normalizer-3.0.1-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:608862a7bf6957f2333fc54ab4399e405baad0163dc9f8d99cb236816db169d4"},
-    {file = "charset_normalizer-3.0.1-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:0f438ae3532723fb6ead77e7c604be7c8374094ef4ee2c5e03a3a17f1fca256c"},
-    {file = "charset_normalizer-3.0.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:356541bf4381fa35856dafa6a965916e54bed415ad8a24ee6de6e37deccf2786"},
-    {file = "charset_normalizer-3.0.1-cp39-cp39-win32.whl", hash = "sha256:39cf9ed17fe3b1bc81f33c9ceb6ce67683ee7526e65fde1447c772afc54a1bb8"},
-    {file = "charset_normalizer-3.0.1-cp39-cp39-win_amd64.whl", hash = "sha256:0a11e971ed097d24c534c037d298ad32c6ce81a45736d31e0ff0ad37ab437d59"},
-    {file = "charset_normalizer-3.0.1-py3-none-any.whl", hash = "sha256:7e189e2e1d3ed2f4aebabd2d5b0f931e883676e51c7624826e0a4e5fe8a0bf24"},
+    {file = "charset-normalizer-3.1.0.tar.gz", hash = "sha256:34e0a2f9c370eb95597aae63bf85eb5e96826d81e3dcf88b8886012906f509b5"},
+    {file = "charset_normalizer-3.1.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:e0ac8959c929593fee38da1c2b64ee9778733cdf03c482c9ff1d508b6b593b2b"},
+    {file = "charset_normalizer-3.1.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:d7fc3fca01da18fbabe4625d64bb612b533533ed10045a2ac3dd194bfa656b60"},
+    {file = "charset_normalizer-3.1.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:04eefcee095f58eaabe6dc3cc2262f3bcd776d2c67005880894f447b3f2cb9c1"},
+    {file = "charset_normalizer-3.1.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:20064ead0717cf9a73a6d1e779b23d149b53daf971169289ed2ed43a71e8d3b0"},
+    {file = "charset_normalizer-3.1.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1435ae15108b1cb6fffbcea2af3d468683b7afed0169ad718451f8db5d1aff6f"},
+    {file = "charset_normalizer-3.1.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c84132a54c750fda57729d1e2599bb598f5fa0344085dbde5003ba429a4798c0"},
+    {file = "charset_normalizer-3.1.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:75f2568b4189dda1c567339b48cba4ac7384accb9c2a7ed655cd86b04055c795"},
+    {file = "charset_normalizer-3.1.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:11d3bcb7be35e7b1bba2c23beedac81ee893ac9871d0ba79effc7fc01167db6c"},
+    {file = "charset_normalizer-3.1.0-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:891cf9b48776b5c61c700b55a598621fdb7b1e301a550365571e9624f270c203"},
+    {file = "charset_normalizer-3.1.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:5f008525e02908b20e04707a4f704cd286d94718f48bb33edddc7d7b584dddc1"},
+    {file = "charset_normalizer-3.1.0-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:b06f0d3bf045158d2fb8837c5785fe9ff9b8c93358be64461a1089f5da983137"},
+    {file = "charset_normalizer-3.1.0-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:49919f8400b5e49e961f320c735388ee686a62327e773fa5b3ce6721f7e785ce"},
+    {file = "charset_normalizer-3.1.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:22908891a380d50738e1f978667536f6c6b526a2064156203d418f4856d6e86a"},
+    {file = "charset_normalizer-3.1.0-cp310-cp310-win32.whl", hash = "sha256:12d1a39aa6b8c6f6248bb54550efcc1c38ce0d8096a146638fd4738e42284448"},
+    {file = "charset_normalizer-3.1.0-cp310-cp310-win_amd64.whl", hash = "sha256:65ed923f84a6844de5fd29726b888e58c62820e0769b76565480e1fdc3d062f8"},
+    {file = "charset_normalizer-3.1.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:9a3267620866c9d17b959a84dd0bd2d45719b817245e49371ead79ed4f710d19"},
+    {file = "charset_normalizer-3.1.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:6734e606355834f13445b6adc38b53c0fd45f1a56a9ba06c2058f86893ae8017"},
+    {file = "charset_normalizer-3.1.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:f8303414c7b03f794347ad062c0516cee0e15f7a612abd0ce1e25caf6ceb47df"},
+    {file = "charset_normalizer-3.1.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:aaf53a6cebad0eae578f062c7d462155eada9c172bd8c4d250b8c1d8eb7f916a"},
+    {file = "charset_normalizer-3.1.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3dc5b6a8ecfdc5748a7e429782598e4f17ef378e3e272eeb1340ea57c9109f41"},
+    {file = "charset_normalizer-3.1.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:e1b25e3ad6c909f398df8921780d6a3d120d8c09466720226fc621605b6f92b1"},
+    {file = "charset_normalizer-3.1.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0ca564606d2caafb0abe6d1b5311c2649e8071eb241b2d64e75a0d0065107e62"},
+    {file = "charset_normalizer-3.1.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b82fab78e0b1329e183a65260581de4375f619167478dddab510c6c6fb04d9b6"},
+    {file = "charset_normalizer-3.1.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:bd7163182133c0c7701b25e604cf1611c0d87712e56e88e7ee5d72deab3e76b5"},
+    {file = "charset_normalizer-3.1.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:11d117e6c63e8f495412d37e7dc2e2fff09c34b2d09dbe2bee3c6229577818be"},
+    {file = "charset_normalizer-3.1.0-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:cf6511efa4801b9b38dc5546d7547d5b5c6ef4b081c60b23e4d941d0eba9cbeb"},
+    {file = "charset_normalizer-3.1.0-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:abc1185d79f47c0a7aaf7e2412a0eb2c03b724581139193d2d82b3ad8cbb00ac"},
+    {file = "charset_normalizer-3.1.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:cb7b2ab0188829593b9de646545175547a70d9a6e2b63bf2cd87a0a391599324"},
+    {file = "charset_normalizer-3.1.0-cp311-cp311-win32.whl", hash = "sha256:c36bcbc0d5174a80d6cccf43a0ecaca44e81d25be4b7f90f0ed7bcfbb5a00909"},
+    {file = "charset_normalizer-3.1.0-cp311-cp311-win_amd64.whl", hash = "sha256:cca4def576f47a09a943666b8f829606bcb17e2bc2d5911a46c8f8da45f56755"},
+    {file = "charset_normalizer-3.1.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:0c95f12b74681e9ae127728f7e5409cbbef9cd914d5896ef238cc779b8152373"},
+    {file = "charset_normalizer-3.1.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fca62a8301b605b954ad2e9c3666f9d97f63872aa4efcae5492baca2056b74ab"},
+    {file = "charset_normalizer-3.1.0-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ac0aa6cd53ab9a31d397f8303f92c42f534693528fafbdb997c82bae6e477ad9"},
+    {file = "charset_normalizer-3.1.0-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c3af8e0f07399d3176b179f2e2634c3ce9c1301379a6b8c9c9aeecd481da494f"},
+    {file = "charset_normalizer-3.1.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3a5fc78f9e3f501a1614a98f7c54d3969f3ad9bba8ba3d9b438c3bc5d047dd28"},
+    {file = "charset_normalizer-3.1.0-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:628c985afb2c7d27a4800bfb609e03985aaecb42f955049957814e0491d4006d"},
+    {file = "charset_normalizer-3.1.0-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:74db0052d985cf37fa111828d0dd230776ac99c740e1a758ad99094be4f1803d"},
+    {file = "charset_normalizer-3.1.0-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:1e8fcdd8f672a1c4fc8d0bd3a2b576b152d2a349782d1eb0f6b8e52e9954731d"},
+    {file = "charset_normalizer-3.1.0-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:04afa6387e2b282cf78ff3dbce20f0cc071c12dc8f685bd40960cc68644cfea6"},
+    {file = "charset_normalizer-3.1.0-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:dd5653e67b149503c68c4018bf07e42eeed6b4e956b24c00ccdf93ac79cdff84"},
+    {file = "charset_normalizer-3.1.0-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:d2686f91611f9e17f4548dbf050e75b079bbc2a82be565832bc8ea9047b61c8c"},
+    {file = "charset_normalizer-3.1.0-cp37-cp37m-win32.whl", hash = "sha256:4155b51ae05ed47199dc5b2a4e62abccb274cee6b01da5b895099b61b1982974"},
+    {file = "charset_normalizer-3.1.0-cp37-cp37m-win_amd64.whl", hash = "sha256:322102cdf1ab682ecc7d9b1c5eed4ec59657a65e1c146a0da342b78f4112db23"},
+    {file = "charset_normalizer-3.1.0-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:e633940f28c1e913615fd624fcdd72fdba807bf53ea6925d6a588e84e1151531"},
+    {file = "charset_normalizer-3.1.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:3a06f32c9634a8705f4ca9946d667609f52cf130d5548881401f1eb2c39b1e2c"},
+    {file = "charset_normalizer-3.1.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:7381c66e0561c5757ffe616af869b916c8b4e42b367ab29fedc98481d1e74e14"},
+    {file = "charset_normalizer-3.1.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3573d376454d956553c356df45bb824262c397c6e26ce43e8203c4c540ee0acb"},
+    {file = "charset_normalizer-3.1.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e89df2958e5159b811af9ff0f92614dabf4ff617c03a4c1c6ff53bf1c399e0e1"},
+    {file = "charset_normalizer-3.1.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:78cacd03e79d009d95635e7d6ff12c21eb89b894c354bd2b2ed0b4763373693b"},
+    {file = "charset_normalizer-3.1.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:de5695a6f1d8340b12a5d6d4484290ee74d61e467c39ff03b39e30df62cf83a0"},
+    {file = "charset_normalizer-3.1.0-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1c60b9c202d00052183c9be85e5eaf18a4ada0a47d188a83c8f5c5b23252f649"},
+    {file = "charset_normalizer-3.1.0-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:f645caaf0008bacf349875a974220f1f1da349c5dbe7c4ec93048cdc785a3326"},
+    {file = "charset_normalizer-3.1.0-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:ea9f9c6034ea2d93d9147818f17c2a0860d41b71c38b9ce4d55f21b6f9165a11"},
+    {file = "charset_normalizer-3.1.0-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:80d1543d58bd3d6c271b66abf454d437a438dff01c3e62fdbcd68f2a11310d4b"},
+    {file = "charset_normalizer-3.1.0-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:73dc03a6a7e30b7edc5b01b601e53e7fc924b04e1835e8e407c12c037e81adbd"},
+    {file = "charset_normalizer-3.1.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:6f5c2e7bc8a4bf7c426599765b1bd33217ec84023033672c1e9a8b35eaeaaaf8"},
+    {file = "charset_normalizer-3.1.0-cp38-cp38-win32.whl", hash = "sha256:12a2b561af122e3d94cdb97fe6fb2bb2b82cef0cdca131646fdb940a1eda04f0"},
+    {file = "charset_normalizer-3.1.0-cp38-cp38-win_amd64.whl", hash = "sha256:3160a0fd9754aab7d47f95a6b63ab355388d890163eb03b2d2b87ab0a30cfa59"},
+    {file = "charset_normalizer-3.1.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:38e812a197bf8e71a59fe55b757a84c1f946d0ac114acafaafaf21667a7e169e"},
+    {file = "charset_normalizer-3.1.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:6baf0baf0d5d265fa7944feb9f7451cc316bfe30e8df1a61b1bb08577c554f31"},
+    {file = "charset_normalizer-3.1.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:8f25e17ab3039b05f762b0a55ae0b3632b2e073d9c8fc88e89aca31a6198e88f"},
+    {file = "charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3747443b6a904001473370d7810aa19c3a180ccd52a7157aacc264a5ac79265e"},
+    {file = "charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b116502087ce8a6b7a5f1814568ccbd0e9f6cfd99948aa59b0e241dc57cf739f"},
+    {file = "charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d16fd5252f883eb074ca55cb622bc0bee49b979ae4e8639fff6ca3ff44f9f854"},
+    {file = "charset_normalizer-3.1.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:21fa558996782fc226b529fdd2ed7866c2c6ec91cee82735c98a197fae39f706"},
+    {file = "charset_normalizer-3.1.0-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6f6c7a8a57e9405cad7485f4c9d3172ae486cfef1344b5ddd8e5239582d7355e"},
+    {file = "charset_normalizer-3.1.0-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:ac3775e3311661d4adace3697a52ac0bab17edd166087d493b52d4f4f553f9f0"},
+    {file = "charset_normalizer-3.1.0-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:10c93628d7497c81686e8e5e557aafa78f230cd9e77dd0c40032ef90c18f2230"},
+    {file = "charset_normalizer-3.1.0-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:6f4f4668e1831850ebcc2fd0b1cd11721947b6dc7c00bf1c6bd3c929ae14f2c7"},
+    {file = "charset_normalizer-3.1.0-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:0be65ccf618c1e7ac9b849c315cc2e8a8751d9cfdaa43027d4f6624bd587ab7e"},
+    {file = "charset_normalizer-3.1.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:53d0a3fa5f8af98a1e261de6a3943ca631c526635eb5817a87a59d9a57ebf48f"},
+    {file = "charset_normalizer-3.1.0-cp39-cp39-win32.whl", hash = "sha256:a04f86f41a8916fe45ac5024ec477f41f886b3c435da2d4e3d2709b22ab02af1"},
+    {file = "charset_normalizer-3.1.0-cp39-cp39-win_amd64.whl", hash = "sha256:830d2948a5ec37c386d3170c483063798d7879037492540f10a475e3fd6f244b"},
+    {file = "charset_normalizer-3.1.0-py3-none-any.whl", hash = "sha256:3d9098b479e78c85080c98e1e35ff40b4a31d8953102bb0fd7d1b6f8a2111a3d"},
 ]

 [[package]]
 name = "cryptography"
-version = "3.4.8"
+version = "40.0.1"
 description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers."
 category = "main"
 optional = false
 python-versions = ">=3.6"
 files = [
-    {file = "cryptography-3.4.8-cp36-abi3-macosx_10_10_x86_64.whl", hash = "sha256:a00cf305f07b26c351d8d4e1af84ad7501eca8a342dedf24a7acb0e7b7406e14"},
-    {file = "cryptography-3.4.8-cp36-abi3-macosx_11_0_arm64.whl", hash = "sha256:f44d141b8c4ea5eb4dbc9b3ad992d45580c1d22bf5e24363f2fbf50c2d7ae8a7"},
-    {file = "cryptography-3.4.8-cp36-abi3-manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:0a7dcbcd3f1913f664aca35d47c1331fce738d44ec34b7be8b9d332151b0b01e"},
-    {file = "cryptography-3.4.8-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:34dae04a0dce5730d8eb7894eab617d8a70d0c97da76b905de9efb7128ad7085"},
-    {file = "cryptography-3.4.8-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1eb7bb0df6f6f583dd8e054689def236255161ebbcf62b226454ab9ec663746b"},
-    {file = "cryptography-3.4.8-cp36-abi3-manylinux_2_24_x86_64.whl", hash = "sha256:9965c46c674ba8cc572bc09a03f4c649292ee73e1b683adb1ce81e82e9a6a0fb"},
-    {file = "cryptography-3.4.8-cp36-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:3c4129fc3fdc0fa8e40861b5ac0c673315b3c902bbdc05fc176764815b43dd1d"},
-    {file = "cryptography-3.4.8-cp36-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:695104a9223a7239d155d7627ad912953b540929ef97ae0c34c7b8bf30857e89"},
-    {file = "cryptography-3.4.8-cp36-abi3-win32.whl", hash = "sha256:21ca464b3a4b8d8e86ba0ee5045e103a1fcfac3b39319727bc0fc58c09c6aff7"},
-    {file = "cryptography-3.4.8-cp36-abi3-win_amd64.whl", hash = "sha256:3520667fda779eb788ea00080124875be18f2d8f0848ec00733c0ec3bb8219fc"},
-    {file = "cryptography-3.4.8-pp36-pypy36_pp73-manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:d2a6e5ef66503da51d2110edf6c403dc6b494cc0082f85db12f54e9c5d4c3ec5"},
-    {file = "cryptography-3.4.8-pp36-pypy36_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a305600e7a6b7b855cd798e00278161b681ad6e9b7eca94c721d5f588ab212af"},
-    {file = "cryptography-3.4.8-pp36-pypy36_pp73-manylinux_2_24_x86_64.whl", hash = "sha256:3fa3a7ccf96e826affdf1a0a9432be74dc73423125c8f96a909e3835a5ef194a"},
-    {file = "cryptography-3.4.8-pp37-pypy37_pp73-macosx_10_10_x86_64.whl", hash = "sha256:d9ec0e67a14f9d1d48dd87a2531009a9b251c02ea42851c060b25c782516ff06"},
-    {file = "cryptography-3.4.8-pp37-pypy37_pp73-manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:5b0fbfae7ff7febdb74b574055c7466da334a5371f253732d7e2e7525d570498"},
-    {file = "cryptography-3.4.8-pp37-pypy37_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:94fff993ee9bc1b2440d3b7243d488c6a3d9724cc2b09cdb297f6a886d040ef7"},
-    {file = "cryptography-3.4.8-pp37-pypy37_pp73-manylinux_2_24_x86_64.whl", hash = "sha256:8695456444f277af73a4877db9fc979849cd3ee74c198d04fc0776ebc3db52b9"},
-    {file = "cryptography-3.4.8-pp37-pypy37_pp73-win_amd64.whl", hash = "sha256:cd65b60cfe004790c795cc35f272e41a3df4631e2fb6b35aa7ac6ef2859d554e"},
-    {file = "cryptography-3.4.8.tar.gz", hash = "sha256:94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c"},
+    {file = "cryptography-40.0.1-cp36-abi3-macosx_10_12_universal2.whl", hash = "sha256:918cb89086c7d98b1b86b9fdb70c712e5a9325ba6f7d7cfb509e784e0cfc6917"},
+    {file = "cryptography-40.0.1-cp36-abi3-macosx_10_12_x86_64.whl", hash = "sha256:9618a87212cb5200500e304e43691111570e1f10ec3f35569fdfcd17e28fd797"},
+    {file = "cryptography-40.0.1-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3a4805a4ca729d65570a1b7cac84eac1e431085d40387b7d3bbaa47e39890b88"},
+    {file = "cryptography-40.0.1-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:63dac2d25c47f12a7b8aa60e528bfb3c51c5a6c5a9f7c86987909c6c79765554"},
+    {file = "cryptography-40.0.1-cp36-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:0a4e3406cfed6b1f6d6e87ed243363652b2586b2d917b0609ca4f97072994405"},
+    {file = "cryptography-40.0.1-cp36-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:1e0af458515d5e4028aad75f3bb3fe7a31e46ad920648cd59b64d3da842e4356"},
+    {file = "cryptography-40.0.1-cp36-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:d8aa3609d337ad85e4eb9bb0f8bcf6e4409bfb86e706efa9a027912169e89122"},
+    {file = "cryptography-40.0.1-cp36-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:cf91e428c51ef692b82ce786583e214f58392399cf65c341bc7301d096fa3ba2"},
+    {file = "cryptography-40.0.1-cp36-abi3-win32.whl", hash = "sha256:650883cc064297ef3676b1db1b7b1df6081794c4ada96fa457253c4cc40f97db"},
+    {file = "cryptography-40.0.1-cp36-abi3-win_amd64.whl", hash = "sha256:a805a7bce4a77d51696410005b3e85ae2839bad9aa38894afc0aa99d8e0c3160"},
+    {file = "cryptography-40.0.1-pp38-pypy38_pp73-macosx_10_12_x86_64.whl", hash = "sha256:cd033d74067d8928ef00a6b1327c8ea0452523967ca4463666eeba65ca350d4c"},
+    {file = "cryptography-40.0.1-pp38-pypy38_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:d36bbeb99704aabefdca5aee4eba04455d7a27ceabd16f3b3ba9bdcc31da86c4"},
+    {file = "cryptography-40.0.1-pp38-pypy38_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:32057d3d0ab7d4453778367ca43e99ddb711770477c4f072a51b3ca69602780a"},
+    {file = "cryptography-40.0.1-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:f5d7b79fa56bc29580faafc2ff736ce05ba31feaa9d4735048b0de7d9ceb2b94"},
+    {file = "cryptography-40.0.1-pp39-pypy39_pp73-macosx_10_12_x86_64.whl", hash = "sha256:7c872413353c70e0263a9368c4993710070e70ab3e5318d85510cc91cce77e7c"},
+    {file = "cryptography-40.0.1-pp39-pypy39_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:28d63d75bf7ae4045b10de5413fb1d6338616e79015999ad9cf6fc538f772d41"},
+    {file = "cryptography-40.0.1-pp39-pypy39_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:6f2bbd72f717ce33100e6467572abaedc61f1acb87b8d546001328d7f466b778"},
+    {file = "cryptography-40.0.1-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:cc3a621076d824d75ab1e1e530e66e7e8564e357dd723f2533225d40fe35c60c"},
+    {file = "cryptography-40.0.1.tar.gz", hash = "sha256:2803f2f8b1e95f614419926c7e6f55d828afc614ca5ed61543877ae668cc3472"},
 ]

 [package.dependencies]
 cffi = ">=1.12"

 [package.extras]
-docs = ["sphinx (>=1.6.5,!=1.8.0,!=3.1.0,!=3.1.1)", "sphinx_rtd_theme"]
-docstest = ["doc8", "pyenchant (>=1.6.11)", "sphinxcontrib-spelling (>=4.0.1)", "twine (>=1.12.0)"]
-pep8test = ["black", "flake8", "flake8-import-order", "pep8-naming"]
+docs = ["sphinx (>=5.3.0)", "sphinx-rtd-theme (>=1.1.1)"]
+docstest = ["pyenchant (>=1.6.11)", "sphinxcontrib-spelling (>=4.0.1)", "twine (>=1.12.0)"]
+pep8test = ["black", "check-manifest", "mypy", "ruff"]
 sdist = ["setuptools-rust (>=0.11.4)"]
 ssh = ["bcrypt (>=3.1.5)"]
-test = ["hypothesis (>=1.11.4,!=3.79.2)", "iso8601", "pretend", "pytest (>=6.0)", "pytest-cov", "pytest-subtests", "pytest-xdist", "pytz"]
+test = ["iso8601", "pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-shard (>=0.1.2)", "pytest-subtests", "pytest-xdist"]
+test-randomorder = ["pytest-randomly"]
+tox = ["tox"]

 [[package]]
 name = "hcloud"
@@ -367,13 +356,13 @@ testing-libs = ["simplejson", "ujson"]

 [[package]]
 name = "libvirt-python"
-version = "9.0.0"
+version = "9.3.0"
 description = "The libvirt virtualization API python binding"
 category = "main"
 optional = false
 python-versions = "*"
 files = [
-    {file = "libvirt-python-9.0.0.tar.gz", hash = "sha256:49702d33fa8cbcae19fa727467a69f7ae2241b3091324085ca1cc752b2b414ce"},
+    {file = "libvirt-python-9.3.0.tar.gz", hash = "sha256:9c761d88b4ddcf65b324043944da4f18f82471c74d9371d2372d3b4e0f19861b"},
 ]

 [[package]]
@@ -396,7 +385,7 @@ typing-extensions = "^3.7.4"
 type = "git"
 url = "https://github.com/NixOS/nixops.git"
 reference = "master"
-resolved_reference = "5013072c5ca34247d7dce545c3a7b1954948fd4d"
+resolved_reference = "fc9b55c55da62f949028143b974f67fdc7f40c8b"

 [[package]]
 name = "nixops-aws"
@@ -419,7 +408,7 @@ typing-extensions = "^3.7.4"
 type = "git"
 url = "https://github.com/NixOS/nixops-aws.git"
 reference = "HEAD"
-resolved_reference = "d8a6679c413edd1a7075b2fe08017b4c7fa3b3ce"
+resolved_reference = "012c94fc128b1cf2497aa5f2bc8fbffd0b52b464"

 [[package]]
 name = "nixops-digitalocean"
@@ -466,13 +455,13 @@ version = "1.0"
 description = "NixOps backend for Google Cloud Platform"
 category = "main"
 optional = false
-python-versions = "^3.7"
+python-versions = "^3.10"
 files = []
 develop = false

 [package.dependencies]
-apache-libcloud = "^3.2.0"
-cryptography = "^3.1.1"
+apache-libcloud = "^3.7.0"
+cryptography = "40.0.1"
 nixops = {git = "https://github.com/NixOS/nixops.git", rev = "master"}
 nixos-modules-contrib = {git = "https://github.com/nix-community/nixos-modules-contrib.git", rev = "master"}

@@ -480,7 +469,7 @@ nixos-modules-contrib = {git = "https://github.com/nix-community/nixos-modules-c
 type = "git"
 url = "https://github.com/nix-community/nixops-gce.git"
 reference = "HEAD"
-resolved_reference = "712453027486e62e087b9c91e4a8a171eebb6ddd"
+resolved_reference = "d13cb794aef763338f544010ceb1816fe31d7f42"

 [[package]]
 name = "nixops-hercules-ci"
@@ -676,21 +665,21 @@ requests = "*"

 [[package]]
 name = "requests"
-version = "2.28.2"
+version = "2.31.0"
 description = "Python HTTP for Humans."
 category = "main"
 optional = false
-python-versions = ">=3.7, <4"
+python-versions = ">=3.7"
 files = [
-    {file = "requests-2.28.2-py3-none-any.whl", hash = "sha256:64299f4909223da747622c030b781c0d7811e359c37124b4bd368fb8c6518baa"},
-    {file = "requests-2.28.2.tar.gz", hash = "sha256:98b1b2782e3c6c4904938b84c0eb932721069dfdb9134313beff7c83c2df24bf"},
+    {file = "requests-2.31.0-py3-none-any.whl", hash = "sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f"},
+    {file = "requests-2.31.0.tar.gz", hash = "sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1"},
 ]

 [package.dependencies]
 certifi = ">=2017.4.17"
 charset-normalizer = ">=2,<4"
 idna = ">=2.5,<4"
-urllib3 = ">=1.21.1,<1.27"
+urllib3 = ">=1.21.1,<3"

 [package.extras]
 socks = ["PySocks (>=1.5.6,!=1.5.7)"]
@@ -698,14 +687,14 @@ use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"]

 [[package]]
 name = "s3transfer"
-version = "0.6.0"
+version = "0.6.1"
 description = "An Amazon S3 Transfer Manager"
 category = "main"
 optional = false
 python-versions = ">= 3.7"
 files = [
-    {file = "s3transfer-0.6.0-py3-none-any.whl", hash = "sha256:06176b74f3a15f61f1b4f25a1fc29a4429040b7647133a463da8fa5bd28d5ecd"},
-    {file = "s3transfer-0.6.0.tar.gz", hash = "sha256:2ed07d3866f523cc561bf4a00fc5535827981b117dd7876f036b0c1aca42c947"},
+    {file = "s3transfer-0.6.1-py3-none-any.whl", hash = "sha256:3c0da2d074bf35d6870ef157158641178a4204a6e689e82546083e31e0311346"},
+    {file = "s3transfer-0.6.1.tar.gz", hash = "sha256:640bb492711f4c0c0905e1f62b6aaeb771881935ad27884852411f8e9cacbca9"},
 ]

 [package.dependencies]
@@ -757,14 +746,14 @@ files = [

 [[package]]
 name = "urllib3"
-version = "1.26.14"
+version = "1.26.16"
 description = "HTTP library with thread-safe connection pooling, file post, and more."
 category = "main"
 optional = false
 python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*"
 files = [
-    {file = "urllib3-1.26.14-py2.py3-none-any.whl", hash = "sha256:75edcdc2f7d85b137124a6c3c9fc3933cdeaa12ecb9a6a959f22797a0feca7e1"},
-    {file = "urllib3-1.26.14.tar.gz", hash = "sha256:076907bf8fd355cde77728471316625a4d2f7e713c125f51953bb5b3eecf4f72"},
+    {file = "urllib3-1.26.16-py2.py3-none-any.whl", hash = "sha256:8d36afa7616d8ab714608411b4a3b13e58f463aee519024578e062e141dce20f"},
+    {file = "urllib3-1.26.16.tar.gz", hash = "sha256:8f135f6502756bde6b2a9b28989df5fbe87c9970cecaa69041edcce7f0589b14"},
 ]

 [package.extras]
@@ -775,4 +764,4 @@ socks = ["PySocks (>=1.5.6,!=1.5.7,<2.0)"]
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.10"
-content-hash = "e58721318221aacb55ace3d0df65d71382f20147367dfa1466b59a13bda564b4"
+content-hash = "3d42a61f93a1a6b6816e317a78f3385271bd838430200f69154ebc5bebeb6162"
--- a/pkgs/applications/networking/cluster/nixops/pyproject.toml
+++ b/pkgs/applications/networking/cluster/nixops/pyproject.toml
@@ -17,6 +17,12 @@ nixops-hetznercloud = {git = "https://github.com/lukebfox/nixops-hetznercloud.gi
 nixopsvbox = {git = "https://github.com/nix-community/nixops-vbox.git"}
 nixops-virtd = {git = "https://github.com/nix-community/nixops-libvirtd.git"}

+# poetry lock would download an excessive number of wheels looking for a compatible version, so
+# we pin a feasible range here. This does not represent a real constraint on the version and
+# would be ok to remove/update/ignore in future upgrades. Note that a botocore wheel is about 50MB.
+boto3 = "^1.26"
+botocore = "^1.29"
+
 [build-system]
 requires = ["poetry>=0.12"]
 build-backend = "poetry.masonry.api"
--- a/pkgs/applications/networking/instant-messengers/discord/default.nix
+++ b/pkgs/applications/networking/instant-messengers/discord/default.nix
@@ -3,7 +3,7 @@ let
  versions = if stdenv.isLinux then {
    stable = "0.0.27";
    ptb = "0.0.42";
-    canary = "0.0.151";
+    canary = "0.0.154";
    development = "0.0.216";
  } else {
    stable = "0.0.273";
@@ -24,7 +24,7 @@ let
      };
      canary = fetchurl {
        url = "https://dl-canary.discordapp.net/apps/linux/${version}/discord-canary-${version}.tar.gz";
-        sha256 = "sha256-ZN+lEGtSajgYsyMoGRmyTZCpUGVmb9LKgVv89NA4m7U=";
+        sha256 = "sha256-rtqPQZBrmxnHuXgzmC7VNiucXBBmtrn8AiKNDtxaR7c=";
      };
      development = fetchurl {
        url = "https://dl-development.discordapp.net/apps/linux/${version}/discord-development-${version}.tar.gz";
--- a/pkgs/applications/networking/instant-messengers/mattermost-desktop/default.nix
+++ b/pkgs/applications/networking/instant-messengers/mattermost-desktop/default.nix
@@ -14,17 +14,17 @@
 let

  pname = "mattermost-desktop";
-  version = "5.1.0";
+  version = "5.3.1";

  srcs = {
    "x86_64-linux" = {
      url = "https://releases.mattermost.com/desktop/${version}/${pname}-${version}-linux-x64.tar.gz";
-      hash = "sha256-KmtQUqg2ODbZ6zJjsnwlvB+vhR1xbK2X9qqmZpyTR78=";
+      hash = "sha256-rw+SYCFmN2W4t5iIWEpV9VHxcvwTLOckMV58WRa5dZE=";
    };

-    "i686-linux" = {
-      url = "https://releases.mattermost.com/desktop/${version}/${pname}-${version}-linux-ia32.tar.gz";
-      hash = "sha256-X8Zrthw1hZOqmcYidt72l2vonh31iiA3EDGmCQr7e4c=";
+    "aarch64-linux" = {
+      url = "https://releases.mattermost.com/desktop/${version}/${pname}-${version}-linux-arm64.tar.gz";
+      hash = "sha256-FEIldkb3FbUfVAYRkjs7oPRJDHdsIGDW5iaC2Qz1dpc=";
    };
  };

@@ -86,7 +86,7 @@ stdenv.mkDerivation {
    homepage = "https://about.mattermost.com/";
    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
    license = licenses.asl20;
-    platforms = [ "x86_64-linux" "i686-linux" ];
+    platforms = [ "x86_64-linux" "aarch64-linux" ];
    maintainers = [ maintainers.joko ];
  };
 }
--- a/pkgs/applications/networking/insync/default.nix
+++ b/pkgs/applications/networking/insync/default.nix
@@ -1,7 +1,7 @@
 { lib
 , writeShellScript
 , buildFHSEnv
-, stdenv
+, stdenvNoCC
 , fetchurl
 , autoPatchelfHook
 , dpkg
@@ -15,7 +15,7 @@

 let
  pname = "insync";
-  version = "3.8.5.50499";
+  version = "3.8.6.50504";
  meta = with lib; {
    platforms = ["x86_64-linux"];
    sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
@@ -37,13 +37,14 @@ let
     2) libqtvirtualkeyboardplugin does not have necessary Qt library shipped from vendor.
    '';
  };
-  insync-pkg = stdenv.mkDerivation {
-    inherit pname version;
+
+  insync-pkg = stdenvNoCC.mkDerivation {
+    inherit pname version meta;

    src = fetchurl {
      # Find a binary from https://www.insynchq.com/downloads/linux#ubuntu.
      url = "https://cdn.insynchq.com/builds/linux/${pname}_${version}-lunar_amd64.deb";
-      sha256 = "sha256-mpMJe8LAmO9OrqRIEWuxfVNeh5ANvjZIEHFz8cXYObY=";
+      sha256 = "sha256-BxTFtQ1rAsOuhKnH5vsl3zkM7WOd+vjA4LKZGxl4jk0=";
    };

    buildInputs = [
@@ -68,7 +69,7 @@ let
      cp -R usr/* $out/

      # use system glibc
-      rm -f $out/lib/insync/{libgcc_s.so.1,libstdc++.so.6}
+      rm $out/lib/insync/{libgcc_s.so.1,libstdc++.so.6}

      # remove badly packaged plugins
      rm $out/lib/insync/PySide2/plugins/platforminputcontexts/libqtvirtualkeyboardplugin.so
@@ -76,35 +77,43 @@ let
      runHook postInstall
    '';

-    dontConfigure = true;
-    dontBuild = true;
-
    # NB! This did the trick, otherwise it segfaults! However I don't understand why!
    dontStrip = true;
-
-    inherit meta;
  };
-in buildFHSEnv { # ref: pkgs/build-support/build-fhsenv-bubblewrap/default.nix
-  name = "${pname}-${version}";
-  inherit meta;

-  # for including insync's xdg data dirs
-  extraOutputsToInstall = [ "share" ];
+  insync-fhsenv = buildFHSEnv {
+    name = "${pname}-${version}";
+    inherit meta;

-  targetPkgs = pkgs: [
-    insync-pkg
-  ];
+    # for including insync's xdg data dirs
+    extraOutputsToInstall = [ "share" ];

-  multiPkgs = pkgs: with pkgs; [
-    # apparently only package needed for the FHS :)
-    libudev0-shim
-  ];
+    targetPkgs = pkgs: [
+      insync-pkg
+    ];

-  runScript = writeShellScript "insync-wrapper.sh" ''
+    multiPkgs = pkgs: with pkgs; [
+      # apparently only package needed for the FHS :)
+      libudev0-shim
+    ];
+
+    runScript = writeShellScript "insync-wrapper.sh" ''
    # QT_STYLE_OVERRIDE was used to suppress a QT warning, it should have no actual effect for this binary.
    export QT_STYLE_OVERRIDE=Fusion
    exec "${insync-pkg.outPath}/lib/insync/insync" "$@"
+    '';
+
+    # "insync start" command starts a daemon.
+    dieWithParent = false;
+  };
+
+in stdenvNoCC.mkDerivation {
+  inherit pname version meta;
+
+  dontUnpack = true;
+  installPhase = ''
+    mkdir -p $out/bin
+    ln -s ${insync-fhsenv}/bin/${insync-fhsenv.name} $out/bin/insync
+    ln -s ${insync-pkg}/share $out/share
  '';
-  # "insync start" command starts a daemon.
-  dieWithParent = false;
 }
--- a/pkgs/applications/networking/irc/thelounge/default.nix
+++ b/pkgs/applications/networking/irc/thelounge/default.nix
@@ -0,0 +1,71 @@
+{ lib, stdenv, fetchFromGitHub, fetchYarnDeps, yarn, fixup_yarn_lock, nodejs, npmHooks, nixosTests }:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "thelounge";
+  version = "4.4.0";
+
+  src = fetchFromGitHub {
+    owner = "thelounge";
+    repo = "thelounge";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-2MHq71lKkFe1uHEENgUiYsO99bPyLmEZZIdcdgsZfSM=";
+  };
+
+  # Allow setting package path for the NixOS module.
+  patches = [ ./packages-path.patch ];
+
+  # Use the NixOS module's state directory by default.
+  postPatch = ''
+    echo /var/lib/thelounge > .thelounge_home
+  '';
+
+  offlineCache = fetchYarnDeps {
+    yarnLock = "${finalAttrs.src}/yarn.lock";
+    hash = "sha256-OKLsNGl94EDyLgP2X2tiwihgRQFXGvf5XgXwgX+JEpk=";
+  };
+
+  nativeBuildInputs = [ nodejs yarn fixup_yarn_lock npmHooks.npmInstallHook ];
+
+  configurePhase = ''
+    runHook preConfigure
+
+    export HOME="$PWD"
+
+    fixup_yarn_lock yarn.lock
+    yarn config --offline set yarn-offline-mirror ${finalAttrs.offlineCache}
+    yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
+    patchShebangs node_modules
+
+    runHook postConfigure
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+
+    NODE_ENV=production yarn build
+
+    runHook postBuild
+  '';
+
+  # `npm prune` doesn't work and/or hangs for whatever reason.
+  preInstall = ''
+    rm -rf node_modules
+    yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive --production
+  '';
+
+  dontNpmPrune = true;
+
+  # Takes way, way, way too long.
+  dontStrip = true;
+
+  passthru.tests = nixosTests.thelounge;
+
+  meta = with lib; {
+    description = "Modern, responsive, cross-platform, self-hosted web IRC client";
+    homepage = "https://thelounge.chat";
+    changelog = "https://github.com/thelounge/thelounge/releases/tag/v${finalAttrs.version}";
+    maintainers = with maintainers; [ winter raitobezarius ];
+    license = licenses.mit;
+    inherit (nodejs.meta) platforms;
+  };
+})
--- a/pkgs/applications/networking/irc/thelounge/packages-path.patch
+++ b/pkgs/applications/networking/irc/thelounge/packages-path.patch
@@ -0,0 +1,13 @@
+diff --git a/server/config.ts b/server/config.ts
+index 543a8135..9744f00d 100644
+--- a/server/config.ts
+++ b/server/config.ts
+@@ -145,7 +145,7 @@ class Config {
+ 	}
+ 
+ 	getPackagesPath() {
+-		return path.join(this.#homePath, "packages");
+		return process.env.THELOUNGE_PACKAGES || path.join(this.#homePath, "packages");
+ 	}
+ 
+ 	getPackageModulePath(packageName: string) {
--- a/pkgs/applications/networking/owncloud-client/default.nix
+++ b/pkgs/applications/networking/owncloud-client/default.nix
@@ -40,6 +40,7 @@ stdenv.mkDerivation rec {
    homepage = "https://owncloud.org";
    maintainers = with maintainers; [ qknight hellwolf ];
    platforms = platforms.unix;
+    broken = stdenv.isDarwin;
    license = licenses.gpl2Plus;
    changelog = "https://github.com/owncloud/client/releases/tag/v${version}";
  };
--- a/pkgs/applications/networking/remote/xrdp/default.nix
+++ b/pkgs/applications/networking/remote/xrdp/default.nix
@@ -34,7 +34,7 @@ let
  };

  xrdp = stdenv.mkDerivation rec {
-    version = "0.9.22";
+    version = "0.9.22.1";
    pname = "xrdp";

    src = fetchFromGitHub {
@@ -42,7 +42,7 @@ let
      repo = "xrdp";
      rev = "v${version}";
      fetchSubmodules = true;
-      hash = "sha256-/i2rLVrN1twKtQH6Qt1OZOPGZzegWBOKpj0Wnin8cR8=";
+      hash = "sha256-8gAP4wOqSmar8JhKRt4qRRwh23coIn0Q8Tt9ClHQSt8=";
    };

    nativeBuildInputs = [ pkg-config autoconf automake which libtool nasm perl ];
--- a/pkgs/applications/networking/syncplay/default.nix
+++ b/pkgs/applications/networking/syncplay/default.nix
@@ -2,6 +2,7 @@
 , stdenv
 , fetchFromGitHub
 , buildPythonApplication
+, fetchpatch
 , pyside6
 , twisted
 , certifi
@@ -23,6 +24,14 @@ buildPythonApplication rec {
    sha256 = "sha256-Te81yOv3D6M6aMfC5XrM6/I6BlMdlY1yRk1RRJa9Mxg=";
  };

+  patches = [
+    (fetchpatch {
+      name = "fix-typeerror.patch";
+      url = "https://github.com/Syncplay/syncplay/commit/b62b038cdf58c54205987dfc52ebf228505ad03b.patch";
+      hash = "sha256-pSP33Qn1I+nJBW8T1E1tSJKRh5OnZMRsbU+jr5z4u7c=";
+    })
+  ];
+
  buildInputs = lib.optionals enableGUI [ (if stdenv.isLinux then qt6.qtwayland else qt6.qtbase) ];
  propagatedBuildInputs = [ twisted certifi ]
    ++ twisted.optional-dependencies.tls
--- a/pkgs/applications/office/libreoffice/src-fresh/download.nix
+++ b/pkgs/applications/office/libreoffice/src-fresh/download.nix
@@ -301,11 +301,11 @@
    md5name = "b8e892d8627c41888ff121e921455b9e2d26836978f2359173d19825da62b8fc-graphite2-minimal-1.3.14.tgz";
  }
  {
-    name = "harfbuzz-5.2.0.tar.xz";
-    url = "https://dev-www.libreoffice.org/src/harfbuzz-5.2.0.tar.xz";
-    sha256 = "735a94917b47936575acb4d4fa7e7986522f8a89527e4635721474dee2bc942c";
+    name = "harfbuzz-7.1.0.tar.xz";
+    url = "https://dev-www.libreoffice.org/src/harfbuzz-7.1.0.tar.xz";
+    sha256 = "f135a61cd464c9ed6bc9823764c188f276c3850a8dc904628de2a87966b7077b";
    md5 = "";
-    md5name = "735a94917b47936575acb4d4fa7e7986522f8a89527e4635721474dee2bc942c-harfbuzz-5.2.0.tar.xz";
+    md5name = "f135a61cd464c9ed6bc9823764c188f276c3850a8dc904628de2a87966b7077b-harfbuzz-7.1.0.tar.xz";
  }
  {
    name = "hsqldb_1_8_0.zip";
@@ -420,11 +420,11 @@
    md5name = "39bb3fcea1514f1369fcfc87542390fd-sacjava-1.3.zip";
  }
  {
-    name = "libjpeg-turbo-2.1.5.tar.gz";
-    url = "https://dev-www.libreoffice.org/src/libjpeg-turbo-2.1.5.tar.gz";
-    sha256 = "bc12bc9dce55300c6bf4342bc233bcc26bd38bf289eedf147360d731c668ddaf";
+    name = "libjpeg-turbo-2.1.5.1.tar.gz";
+    url = "https://dev-www.libreoffice.org/src/libjpeg-turbo-2.1.5.1.tar.gz";
+    sha256 = "2fdc3feb6e9deb17adec9bafa3321419aa19f8f4e5dea7bf8486844ca22207bf";
    md5 = "";
-    md5name = "bc12bc9dce55300c6bf4342bc233bcc26bd38bf289eedf147360d731c668ddaf-libjpeg-turbo-2.1.5.tar.gz";
+    md5name = "2fdc3feb6e9deb17adec9bafa3321419aa19f8f4e5dea7bf8486844ca22207bf-libjpeg-turbo-2.1.5.1.tar.gz";
  }
  {
    name = "language-subtag-registry-2022-08-08.tar.bz2";
@@ -504,11 +504,11 @@
    md5name = "083daa92d8ee6f4af96a6143b12d7fc8fe1a547e14f862304f7281f8f7347483-ltm-1.0.zip";
  }
  {
-    name = "libwebp-1.2.4.tar.gz";
-    url = "https://dev-www.libreoffice.org/src/libwebp-1.2.4.tar.gz";
-    sha256 = "7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df";
+    name = "libwebp-1.3.0.tar.gz";
+    url = "https://dev-www.libreoffice.org/src/libwebp-1.3.0.tar.gz";
+    sha256 = "64ac4614db292ae8c5aa26de0295bf1623dbb3985054cb656c55e67431def17c";
    md5 = "";
-    md5name = "7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df-libwebp-1.2.4.tar.gz";
+    md5name = "64ac4614db292ae8c5aa26de0295bf1623dbb3985054cb656c55e67431def17c-libwebp-1.3.0.tar.gz";
  }
  {
    name = "xmlsec1-1.2.37.tar.gz";
@@ -518,11 +518,11 @@
    md5name = "5f8dfbcb6d1e56bddd0b5ec2e00a3d0ca5342a9f57c24dffde5c796b2be2871c-xmlsec1-1.2.37.tar.gz";
  }
  {
-    name = "libxml2-2.10.3.tar.xz";
-    url = "https://dev-www.libreoffice.org/src/libxml2-2.10.3.tar.xz";
-    sha256 = "5d2cc3d78bec3dbe212a9d7fa629ada25a7da928af432c93060ff5c17ee28a9c";
+    name = "libxml2-2.10.4.tar.xz";
+    url = "https://dev-www.libreoffice.org/src/libxml2-2.10.4.tar.xz";
+    sha256 = "ed0c91c5845008f1936739e4eee2035531c1c94742c6541f44ee66d885948d45";
    md5 = "";
-    md5name = "5d2cc3d78bec3dbe212a9d7fa629ada25a7da928af432c93060ff5c17ee28a9c-libxml2-2.10.3.tar.xz";
+    md5name = "ed0c91c5845008f1936739e4eee2035531c1c94742c6541f44ee66d885948d45-libxml2-2.10.4.tar.xz";
  }
  {
    name = "libxslt-1.1.35.tar.xz";
@@ -784,11 +784,11 @@
    md5name = "2465b0b662fdc5d4e3bebcdc9a79027713fb629ca2bff04a3c9251fdec42dd09-libwpd-0.10.3.tar.xz";
  }
  {
-    name = "libwpg-0.3.3.tar.xz";
-    url = "https://dev-www.libreoffice.org/src/libwpg-0.3.3.tar.xz";
-    sha256 = "99b3f7f8832385748582ab8130fbb9e5607bd5179bebf9751ac1d51a53099d1c";
+    name = "libwpg-0.3.4.tar.xz";
+    url = "https://dev-www.libreoffice.org/src/libwpg-0.3.4.tar.xz";
+    sha256 = "b55fda9440d1e070630eb2487d8b8697cf412c214a27caee9df69cec7c004de3";
    md5 = "";
-    md5name = "99b3f7f8832385748582ab8130fbb9e5607bd5179bebf9751ac1d51a53099d1c-libwpg-0.3.3.tar.xz";
+    md5name = "b55fda9440d1e070630eb2487d8b8697cf412c214a27caee9df69cec7c004de3-libwpg-0.3.4.tar.xz";
  }
  {
    name = "libwps-0.4.12.tar.xz";
--- a/pkgs/applications/office/libreoffice/src-fresh/primary.nix
+++ b/pkgs/applications/office/libreoffice/src-fresh/primary.nix
@@ -8,8 +8,8 @@ rec {

  major = "7";
  minor = "5";
-  patch = "2";
-  tweak = "2";
+  patch = "4";
+  tweak = "1";

  subdir = "${major}.${minor}.${patch}";

@@ -17,13 +17,13 @@ rec {

  src = fetchurl {
    url = "https://download.documentfoundation.org/libreoffice/src/${subdir}/libreoffice-${version}.tar.xz";
-    hash = "sha256-YYuQfdNrj4DgfdwTpgXo58EhJh323cmmQ24FQUMkLdM=";
+    hash = "sha256-dWE7yXldkiEnsJOxfxyZ9p05eARqexgRRgNV158VVF4=";
  };

  # FIXME rename
  translations = fetchSrc {
    name = "translations";
-    hash = "sha256-IPdXQibM+xz1Wok/XnRxyNVqvwh4BarWCH9FceylN/0=";
+    hash = "sha256-dv3L8DtdxZcwmeXnqtTtwIpOvwZg3aH3VvJBiiZzbh0=";
  };

  # the "dictionaries" archive is not used for LO build because we already build hunspellDicts packages from
@@ -31,6 +31,6 @@ rec {

  help = fetchSrc {
    name = "help";
-    hash = "sha256-h1uQ3EaroSyz6uCU7SFC06TuGMvaXm97/v9zCKvNxDY=";
+    hash = "sha256-2CrGEyK5AQEAo1Qz1ACmvMH7BaOubW5BNLWv3fDEdOY=";
  };
 }
--- a/pkgs/applications/office/libreoffice/src-still/download.nix
+++ b/pkgs/applications/office/libreoffice/src-still/download.nix
@@ -98,11 +98,11 @@
    md5name = "89c5c6665337f56fd2db36bc3805a5619709d51fb136e51937072f63fcc717a7-cppunit-1.15.1.tar.gz";
  }
  {
-    name = "curl-7.88.1.tar.xz";
-    url = "https://dev-www.libreoffice.org/src/curl-7.88.1.tar.xz";
-    sha256 = "1dae31b2a7c1fe269de99c0c31bb488346aab3459b5ffca909d6938249ae415f";
+    name = "curl-8.0.1.tar.xz";
+    url = "https://dev-www.libreoffice.org/src/curl-8.0.1.tar.xz";
+    sha256 = "0a381cd82f4d00a9a334438b8ca239afea5bfefcfa9a1025f2bf118e79e0b5f0";
    md5 = "";
-    md5name = "1dae31b2a7c1fe269de99c0c31bb488346aab3459b5ffca909d6938249ae415f-curl-7.88.1.tar.xz";
+    md5name = "0a381cd82f4d00a9a334438b8ca239afea5bfefcfa9a1025f2bf118e79e0b5f0-curl-8.0.1.tar.xz";
  }
  {
    name = "libe-book-0.1.3.tar.xz";
@@ -329,11 +329,11 @@
    md5name = "b8e892d8627c41888ff121e921455b9e2d26836978f2359173d19825da62b8fc-graphite2-minimal-1.3.14.tgz";
  }
  {
-    name = "harfbuzz-4.3.0.tar.xz";
-    url = "https://dev-www.libreoffice.org/src/harfbuzz-4.3.0.tar.xz";
-    sha256 = "a49628f4c4c8e6d8df95ef44935a93446cf2e46366915b0e3ca30df21fffb530";
+    name = "harfbuzz-7.1.0.tar.xz";
+    url = "https://dev-www.libreoffice.org/src/harfbuzz-7.1.0.tar.xz";
+    sha256 = "f135a61cd464c9ed6bc9823764c188f276c3850a8dc904628de2a87966b7077b";
    md5 = "";
-    md5name = "a49628f4c4c8e6d8df95ef44935a93446cf2e46366915b0e3ca30df21fffb530-harfbuzz-4.3.0.tar.xz";
+    md5name = "f135a61cd464c9ed6bc9823764c188f276c3850a8dc904628de2a87966b7077b-harfbuzz-7.1.0.tar.xz";
  }
  {
    name = "hsqldb_1_8_0.zip";
@@ -546,11 +546,11 @@
    md5name = "52ced4943f35bd7d0818a38298c1528ca4ac8a54440fd71134a07d2d1370a262-xmlsec1-1.2.34.tar.gz";
  }
  {
-    name = "libxml2-2.10.3.tar.xz";
-    url = "https://dev-www.libreoffice.org/src/libxml2-2.10.3.tar.xz";
-    sha256 = "5d2cc3d78bec3dbe212a9d7fa629ada25a7da928af432c93060ff5c17ee28a9c";
+    name = "libxml2-2.10.4.tar.xz";
+    url = "https://dev-www.libreoffice.org/src/libxml2-2.10.4.tar.xz";
+    sha256 = "ed0c91c5845008f1936739e4eee2035531c1c94742c6541f44ee66d885948d45";
    md5 = "";
-    md5name = "5d2cc3d78bec3dbe212a9d7fa629ada25a7da928af432c93060ff5c17ee28a9c-libxml2-2.10.3.tar.xz";
+    md5name = "ed0c91c5845008f1936739e4eee2035531c1c94742c6541f44ee66d885948d45-libxml2-2.10.4.tar.xz";
  }
  {
    name = "libxslt-1.1.35.tar.xz";
--- a/pkgs/applications/office/libreoffice/src-still/primary.nix
+++ b/pkgs/applications/office/libreoffice/src-still/primary.nix
@@ -8,7 +8,7 @@ rec {

  major = "7";
  minor = "4";
-  patch = "6";
+  patch = "7";
  tweak = "2";

  subdir = "${major}.${minor}.${patch}";
@@ -17,13 +17,13 @@ rec {

  src = fetchurl {
    url = "https://download.documentfoundation.org/libreoffice/src/${subdir}/libreoffice-${version}.tar.xz";
-    hash = "sha256-GHOuiYbww/DSK/DpSqAaB/jgppKacjGSYIOPqGnmIJM=";
+    hash = "sha256-dD2R8qE4png4D6eo7LWyQB2ZSwZ7MwdQ8DrY9SOi+yA=";
  };

  # FIXME rename
  translations = fetchSrc {
    name = "translations";
-    hash = "sha256-ES4r9Pk7DYeFTPg8iPXQP84SpGn6x8G10Pfs1WQVixM=";
+    hash = "sha256-7wea0EClmvwcPvgQDGagkOF7eBVvYTZScCEEpirdXnE=";
  };

  # the "dictionaries" archive is not used for LO build because we already build hunspellDicts packages from
@@ -31,6 +31,6 @@ rec {

  help = fetchSrc {
    name = "help";
-    hash = "sha256-o0JnybhmMFZhcbTrWRllJ+J9+tcUbFLcbftymgECT9E=";
+    hash = "sha256-vcQWE3mBZx2sBQ9KzTh6zM7277mK9twfvyESTzTiII8=";
  };
 }
--- a/pkgs/applications/radio/dablin/default.nix
+++ b/pkgs/applications/radio/dablin/default.nix
@@ -4,13 +4,13 @@

 stdenv.mkDerivation rec {
  pname = "dablin";
-  version = "1.14.0";
+  version = "1.15.0";

  src = fetchFromGitHub {
    owner = "Opendigitalradio";
    repo = "dablin";
    rev = version;
-    sha256 = "02mhxaqpj0094sbb3c28r5xznw9z8ayvlkczknizlk75ag895zz2";
+    sha256 = "sha256-tmmOk7nOkuSCjPNHiwAqP5yf1r8+fsCeDGCxhZUImD4=";
  };

  nativeBuildInputs = [ cmake pkg-config ];
--- a/pkgs/applications/science/electronics/flatcam/default.nix
+++ b/pkgs/applications/science/electronics/flatcam/default.nix
@@ -66,6 +66,10 @@ in python.pkgs.buildPythonApplication rec {
    ./release.patch
  ];

+  postPatch = ''
+    substituteInPlace setup.py --replace "'shapely>=1.3'" "'shapely>=1.3',"
+  '';
+
  # Only non-GUI tests can be run deterministically in the Nix build environment.
  checkPhase = ''
    python -m unittest tests.test_excellon
--- a/pkgs/applications/science/logic/alt-ergo/default.nix
+++ b/pkgs/applications/science/logic/alt-ergo/default.nix
@@ -2,7 +2,7 @@

 let
  pname = "alt-ergo";
-  version = "2.4.2";
+  version = "2.4.3";

  configureScript = "ocaml unix.cma configure.ml";

@@ -10,7 +10,7 @@ let
    owner = "OCamlPro";
    repo = pname;
    rev = "refs/tags/${version}";
-    hash = "sha256-8pJ/1UAbheQaLFs5Uubmmf5D0oFJiPxF6e2WTZgRyAc=";
+    hash = "sha256-2XARGr8rLiPMOM0rBBoRv5tZvKYtkLkJctGqLYkMe7Q=";
  };
 in

@@ -20,7 +20,7 @@ let alt-ergo-lib = ocamlPackages.buildDunePackage rec {
  configureFlags = [ pname ];
  nativeBuildInputs = [ which ];
  buildInputs = with ocamlPackages; [ dune-configurator ];
-  propagatedBuildInputs = with ocamlPackages; [ num ocplib-simplex seq stdlib-shims zarith ];
+  propagatedBuildInputs = with ocamlPackages; [ dune-build-info num ocplib-simplex seq stdlib-shims zarith ];
  preBuild = ''
    substituteInPlace src/lib/util/version.ml --replace 'version="dev"' 'version="${version}"'
  '';
--- a/pkgs/applications/science/machine-learning/openbugs/default.nix
+++ b/pkgs/applications/science/machine-learning/openbugs/default.nix
@@ -0,0 +1,22 @@
+{ lib
+, stdenv
+, fetchurl
+}:
+
+stdenv.mkDerivation rec {
+  pname = "OpenBUGS";
+  version = "3.2.3";
+
+  src = fetchurl {
+    url = "https://www.mrc-bsu.cam.ac.uk/wp-content/uploads/2018/04/${pname}-${version}.tar.gz";
+    sha256 = "sha256-oonE2gxKw3H4ATImyF69Cp4d7F3puFiVDkhUy4FLTtg=";
+  };
+
+  meta = with lib; {
+    description = "Open source program for Bayesian modelling based on MCMC";
+    homepage = "https://www.mrc-bsu.cam.ac.uk/software/bugs/openbugs/";
+    maintainers = with maintainers; [ andresnav ];
+    license = licenses.gpl3Only;
+    platforms = [ "i686-linux" ];
+  };
+}
--- a/pkgs/applications/version-management/gitlab/data.json
+++ b/pkgs/applications/version-management/gitlab/data.json
@@ -1,14 +1,14 @@
 {
-  "version": "15.11.5",
-  "repo_hash": "sha256-t0MpfRyKfdO/Z90SogurKOCKv9xunyQasftNZ2o1GAE=",
+  "version": "15.11.6",
+  "repo_hash": "sha256-qpYVYzxtMgWLXhMn+0TvDqRJOnerfc9OEU1Gs6Ys/Bc=",
  "yarn_hash": "02ipm7agjy3c75df76c00k3qq5gpw3d876f6x91xnwizswsv9agb",
  "owner": "gitlab-org",
  "repo": "gitlab",
-  "rev": "v15.11.5-ee",
+  "rev": "v15.11.6-ee",
  "passthru": {
-    "GITALY_SERVER_VERSION": "15.11.5",
-    "GITLAB_PAGES_VERSION": "15.11.5",
+    "GITALY_SERVER_VERSION": "15.11.6",
+    "GITLAB_PAGES_VERSION": "15.11.6",
    "GITLAB_SHELL_VERSION": "14.18.0",
-    "GITLAB_WORKHORSE_VERSION": "15.11.5"
+    "GITLAB_WORKHORSE_VERSION": "15.11.6"
  }
 }
--- a/pkgs/applications/version-management/gitlab/gitaly/default.nix
+++ b/pkgs/applications/version-management/gitlab/gitaly/default.nix
@@ -11,7 +11,7 @@ let
    gemdir = ./.;
  };

-  version = "15.11.5";
+  version = "15.11.6";
  package_version = "v${lib.versions.major version}";
  gitaly_package = "gitlab.com/gitlab-org/gitaly/${package_version}";

@@ -22,7 +22,7 @@ let
      owner = "gitlab-org";
      repo = "gitaly";
      rev = "v${version}";
-      sha256 = "sha256-ITyA9QqaCq6w9UToTWzyq77Sfg+dqaWrL45d5yqmzm4=";
+      sha256 = "sha256-n56Jqgu64+pN4bcH/Sh8/+4StpTEY529a4yVozqtK5Y=";
    };

    vendorSha256 = "sha256-gJelagGPogeCdJtRpj4RaYlqzZRhtU0EIhmj1aK4ZOk=";
--- a/pkgs/applications/version-management/gitlab/gitlab-container-registry/default.nix
+++ b/pkgs/applications/version-management/gitlab/gitlab-container-registry/default.nix
@@ -0,0 +1,30 @@
+{ lib, buildGoModule, fetchFromGitLab }:
+
+buildGoModule rec {
+  pname = "gitlab-container-registry";
+  version = "3.74.0";
+  rev = "v${version}-gitlab";
+
+  src = fetchFromGitLab {
+    owner = "gitlab-org";
+    repo = "container-registry";
+    inherit rev;
+    sha256 = "sha256-fwMu45OFfNgFgMyQFWfvmM3Qv+co1ofsZLL44OoW9Wo=";
+  };
+
+  vendorHash = "sha256-9rO2GmoFZrNA3Udaktn8Ek9uM8EEoc0I3uv4UEq1c1k=";
+
+  postPatch = ''
+    substituteInPlace health/checks/checks_test.go \
+      --replace \
+        'func TestHTTPChecker(t *testing.T) {' \
+        'func TestHTTPChecker(t *testing.T) { t.Skip("Test requires network connection")'
+  '';
+
+  meta = with lib; {
+    description = "The GitLab Docker toolset to pack, ship, store, and deliver content";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ yayayayaka xanderio ];
+    platforms = platforms.unix;
+  };
+}
--- a/pkgs/applications/version-management/gitlab/gitlab-pages/default.nix
+++ b/pkgs/applications/version-management/gitlab/gitlab-pages/default.nix
@@ -2,13 +2,13 @@

 buildGoModule rec {
  pname = "gitlab-pages";
-  version = "15.11.5";
+  version = "15.11.6";

  src = fetchFromGitLab {
    owner = "gitlab-org";
    repo = "gitlab-pages";
    rev = "v${version}";
-    sha256 = "sha256-4B6n/HQ1R5QYHjVDf18WKH0ZkNip8k0OASoTXuci+/Y=";
+    sha256 = "sha256-Dl/NCsZCi5S9BKjtQzRg3mj8lzvIa4FMCqprLKXKlHw=";
  };

  vendorHash = "sha256-s3HHoz9URACuVVhePQQFviTqlQU7vCLOjTJPBlus1Vo=";
--- a/pkgs/applications/version-management/gitlab/gitlab-workhorse/default.nix
+++ b/pkgs/applications/version-management/gitlab/gitlab-workhorse/default.nix
@@ -5,7 +5,7 @@ in
 buildGoModule rec {
  pname = "gitlab-workhorse";

-  version = "15.11.5";
+  version = "15.11.6";

  src = fetchFromGitLab {
    owner = data.owner;
--- a/pkgs/applications/version-management/gitlab/update.py
+++ b/pkgs/applications/version-management/gitlab/update.py
@@ -1,9 +1,8 @@
 #!/usr/bin/env nix-shell
-#! nix-shell -I nixpkgs=../../../.. -i python3 -p bundix bundler nix-update nix nix-universal-prefetch python3 python3Packages.requests python3Packages.click python3Packages.click-log python3Packages.packaging prefetch-yarn-deps
+#! nix-shell -I nixpkgs=../../../.. -i python3 -p bundix bundler nix-update nix nix-universal-prefetch python3 python3Packages.requests python3Packages.click python3Packages.click-log python3Packages.packaging prefetch-yarn-deps git

 import click
 import click_log
-import os
 import re
 import logging
 import subprocess
@@ -15,12 +14,17 @@ from typing import Iterable

 import requests

+NIXPKGS_PATH = pathlib.Path(__file__).parent / "../../../../"
+GITLAB_DIR = pathlib.Path(__file__).parent
+
 logger = logging.getLogger(__name__)
+click_log.basic_config(logger)


 class GitLabRepo:
-    version_regex = re.compile(r"^v\d+\.\d+\.\d+(\-rc\d+)?(\-ee)?")
-    def __init__(self, owner: str = 'gitlab-org', repo: str = 'gitlab'):
+    version_regex = re.compile(r"^v\d+\.\d+\.\d+(\-rc\d+)?(\-ee)?(\-gitlab)?")
+
+    def __init__(self, owner: str = "gitlab-org", repo: str = "gitlab"):
        self.owner = owner
        self.repo = repo

@@ -30,24 +34,49 @@ class GitLabRepo:

    @property
    def tags(self) -> Iterable[str]:
+        """Returns a sorted list of repository tags"""
        r = requests.get(self.url + "/refs?sort=updated_desc&ref=master").json()
        tags = r.get("Tags", [])

        # filter out versions not matching version_regex
        versions = list(filter(self.version_regex.match, tags))

-        # sort, but ignore v and -ee for sorting comparisons
-        versions.sort(key=lambda x: Version(x.replace("v", "").replace("-ee", "")), reverse=True)
+        # sort, but ignore v, -ee and -gitlab for sorting comparisons
+        versions.sort(
+            key=lambda x: Version(
+                x.replace("v", "").replace("-ee", "").replace("-gitlab", "")
+            ),
+            reverse=True,
+        )
        return versions

    def get_git_hash(self, rev: str):
-        return subprocess.check_output(['nix-universal-prefetch', 'fetchFromGitLab', '--owner', self.owner, '--repo', self.repo, '--rev', rev]).decode('utf-8').strip()
+        return (
+            subprocess.check_output(
+                [
+                    "nix-universal-prefetch",
+                    "fetchFromGitLab",
+                    "--owner",
+                    self.owner,
+                    "--repo",
+                    self.repo,
+                    "--rev",
+                    rev,
+                ]
+            )
+            .decode("utf-8")
+            .strip()
+        )

    def get_yarn_hash(self, rev: str):
        with tempfile.TemporaryDirectory() as tmp_dir:
-            with open(tmp_dir + '/yarn.lock', 'w') as f:
-                f.write(self.get_file('yarn.lock', rev))
-            return subprocess.check_output(['prefetch-yarn-deps', tmp_dir + '/yarn.lock']).decode('utf-8').strip()
+            with open(tmp_dir + "/yarn.lock", "w") as f:
+                f.write(self.get_file("yarn.lock", rev))
+            return (
+                subprocess.check_output(["prefetch-yarn-deps", tmp_dir + "/yarn.lock"])
+                .decode("utf-8")
+                .strip()
+            )

    @staticmethod
    def rev2version(tag: str) -> str:
@@ -58,9 +87,9 @@ class GitLabRepo:
        :return: a normalized version number
        """
        # strip v prefix
-        version = re.sub(r"^v", '', tag)
-        # strip -ee suffix
-        return re.sub(r"-ee$", '', version)
+        version = re.sub(r"^v", "", tag)
+        # strip -ee and -gitlab suffixes
+        return re.sub(r"-(ee|gitlab)$", "", version)

    def get_file(self, filepath, rev):
        """
@@ -74,30 +103,39 @@ class GitLabRepo:
    def get_data(self, rev):
        version = self.rev2version(rev)

-        passthru = {v: self.get_file(v, rev).strip() for v in ['GITALY_SERVER_VERSION', 'GITLAB_PAGES_VERSION',
-                                                               'GITLAB_SHELL_VERSION']}
+        passthru = {
+            v: self.get_file(v, rev).strip()
+            for v in [
+                "GITALY_SERVER_VERSION",
+                "GITLAB_PAGES_VERSION",
+                "GITLAB_SHELL_VERSION",
+            ]
+        }

        passthru["GITLAB_WORKHORSE_VERSION"] = version

-        return dict(version=self.rev2version(rev),
-                    repo_hash=self.get_git_hash(rev),
-                    yarn_hash=self.get_yarn_hash(rev),
-                    owner=self.owner,
-                    repo=self.repo,
-                    rev=rev,
-                    passthru=passthru)
+        return dict(
+            version=self.rev2version(rev),
+            repo_hash=self.get_git_hash(rev),
+            yarn_hash=self.get_yarn_hash(rev),
+            owner=self.owner,
+            repo=self.repo,
+            rev=rev,
+            passthru=passthru,
+        )


 def _get_data_json():
-    data_file_path = pathlib.Path(__file__).parent / 'data.json'
-    with open(data_file_path, 'r') as f:
+    data_file_path = pathlib.Path(__file__).parent / "data.json"
+    with open(data_file_path, "r") as f:
        return json.load(f)


 def _call_nix_update(pkg, version):
    """calls nix-update from nixpkgs root dir"""
-    nixpkgs_path = pathlib.Path(__file__).parent / '../../../../'
-    return subprocess.check_output(['nix-update', pkg, '--version', version], cwd=nixpkgs_path)
+    return subprocess.check_output(
+        ["nix-update", pkg, "--version", version], cwd=NIXPKGS_PATH
+    )


@click_log.simple_verbosity_option(logger)
@@ -106,116 +144,240 @@ def cli():
    pass


-@cli.command('update-data')
-@click.option('--rev', default='latest', help='The rev to use (vX.Y.Z-ee), or \'latest\'')
+@cli.command("update-data")
+@click.option("--rev", default="latest", help="The rev to use (vX.Y.Z-ee), or 'latest'")
 def update_data(rev: str):
-    """Update data.nix"""
+    """Update data.json"""
+    logger.info("Updating data.json")
+
    repo = GitLabRepo()
+    if rev == "latest":
+        # filter out pre and rc releases
+        rev = next(filter(lambda x: not ("rc" in x or x.endswith("pre")), repo.tags))

-    if rev == 'latest':
-        # filter out pre and re releases
-        rev = next(filter(lambda x: not ('rc' in x or x.endswith('pre')), repo.tags))
-    logger.debug(f"Using rev {rev}")
-
-    version = repo.rev2version(rev)
-    logger.debug(f"Using version {version}")
-
-    data_file_path = pathlib.Path(__file__).parent / 'data.json'
+    data_file_path = pathlib.Path(__file__).parent / "data.json"

    data = repo.get_data(rev)

-    with open(data_file_path.as_posix(), 'w') as f:
+    with open(data_file_path.as_posix(), "w") as f:
        json.dump(data, f, indent=2)
        f.write("\n")


-@cli.command('update-rubyenv')
+@cli.command("update-rubyenv")
 def update_rubyenv():
    """Update rubyEnv"""
+    logger.info("Updating gitlab")
    repo = GitLabRepo()
-    rubyenv_dir = pathlib.Path(__file__).parent / f"rubyEnv"
+    rubyenv_dir = pathlib.Path(__file__).parent / "rubyEnv"

    # load rev from data.json
    data = _get_data_json()
-    rev = data['rev']
-    version = data['version']
+    rev = data["rev"]
+    version = data["version"]

-    for fn in ['Gemfile.lock', 'Gemfile']:
-        with open(rubyenv_dir / fn, 'w') as f:
+    for fn in ["Gemfile.lock", "Gemfile"]:
+        with open(rubyenv_dir / fn, "w") as f:
            f.write(repo.get_file(fn, rev))

    # patch for openssl 3.x support
-    subprocess.check_output(['sed', '-i', "s:'openssl', '2.*':'openssl', '3.0.2':g", 'Gemfile'], cwd=rubyenv_dir)
+    subprocess.check_output(
+        ["sed", "-i", "s:'openssl', '2.*':'openssl', '3.0.2':g", "Gemfile"],
+        cwd=rubyenv_dir,
+    )

    # Fetch vendored dependencies temporarily in order to build the gemset.nix
-    subprocess.check_output(['mkdir', '-p', 'vendor/gems'], cwd=rubyenv_dir)
-    subprocess.check_output(['sh', '-c', f'curl -L https://gitlab.com/gitlab-org/gitlab/-/archive/v{version}-ee/gitlab-v{version}-ee.tar.bz2?path=vendor/gems | tar -xj --strip-components=3'], cwd=f'{rubyenv_dir}/vendor/gems')
+    subprocess.check_output(["mkdir", "-p", "vendor/gems"], cwd=rubyenv_dir)
+    subprocess.check_output(
+        [
+            "sh",
+            "-c",
+            f"curl -L https://gitlab.com/gitlab-org/gitlab/-/archive/v{version}-ee/gitlab-v{version}-ee.tar.bz2?path=vendor/gems | tar -xj --strip-components=3",
+        ],
+        cwd=f"{rubyenv_dir}/vendor/gems",
+    )

    # Undo our gemset.nix patches so that bundix runs through
-    subprocess.check_output(['sed', '-i', '-e', '1d', '-e', 's:\\${src}/::g' , 'gemset.nix'], cwd=rubyenv_dir)
+    subprocess.check_output(
+        ["sed", "-i", "-e", "1d", "-e", "s:\\${src}/::g", "gemset.nix"], cwd=rubyenv_dir
+    )

-    subprocess.check_output(['bundle', 'lock'], cwd=rubyenv_dir)
-    subprocess.check_output(['bundix'], cwd=rubyenv_dir)
+    subprocess.check_output(["bundle", "lock"], cwd=rubyenv_dir)
+    subprocess.check_output(["bundix"], cwd=rubyenv_dir)

-    subprocess.check_output(['sed', '-i', '-e', '1i\\src:', '-e', 's:path = \\(vendor/[^;]*\\);:path = "${src}/\\1";:g', 'gemset.nix'], cwd=rubyenv_dir)
-    subprocess.check_output(['rm', '-rf', 'vendor'], cwd=rubyenv_dir)
+    subprocess.check_output(
+        [
+            "sed",
+            "-i",
+            "-e",
+            "1i\\src:",
+            "-e",
+            's:path = \\(vendor/[^;]*\\);:path = "${src}/\\1";:g',
+            "gemset.nix",
+        ],
+        cwd=rubyenv_dir,
+    )
+    subprocess.check_output(["rm", "-rf", "vendor"], cwd=rubyenv_dir)


-
-@cli.command('update-gitaly')
+@cli.command("update-gitaly")
 def update_gitaly():
    """Update gitaly"""
+    logger.info("Updating gitaly")
    data = _get_data_json()
-    gitaly_server_version = data['passthru']['GITALY_SERVER_VERSION']
-    repo = GitLabRepo(repo='gitaly')
-    gitaly_dir = pathlib.Path(__file__).parent / 'gitaly'
+    gitaly_server_version = data["passthru"]["GITALY_SERVER_VERSION"]
+    repo = GitLabRepo(repo="gitaly")
+    gitaly_dir = pathlib.Path(__file__).parent / "gitaly"

-    for fn in ['Gemfile.lock', 'Gemfile']:
-        with open(gitaly_dir / fn, 'w') as f:
+    for fn in ["Gemfile.lock", "Gemfile"]:
+        with open(gitaly_dir / fn, "w") as f:
            f.write(repo.get_file(f"ruby/{fn}", f"v{gitaly_server_version}"))

-    subprocess.check_output(['bundle', 'lock'], cwd=gitaly_dir)
-    subprocess.check_output(['bundix'], cwd=gitaly_dir)
+    subprocess.check_output(["bundle", "lock"], cwd=gitaly_dir)
+    subprocess.check_output(["bundix"], cwd=gitaly_dir)

-    _call_nix_update('gitaly', gitaly_server_version)
+    _call_nix_update("gitaly", gitaly_server_version)


-@cli.command('update-gitlab-pages')
+@cli.command("update-gitlab-pages")
 def update_gitlab_pages():
-    """Update gitlab-shell"""
+    """Update gitlab-pages"""
+    logger.info("Updating gitlab-pages")
    data = _get_data_json()
-    gitlab_pages_version = data['passthru']['GITLAB_PAGES_VERSION']
-    _call_nix_update('gitlab-pages', gitlab_pages_version)
+    gitlab_pages_version = data["passthru"]["GITLAB_PAGES_VERSION"]
+    _call_nix_update("gitlab-pages", gitlab_pages_version)


-@cli.command('update-gitlab-shell')
+def get_container_registry_version() -> str:
+    """Returns the version attribute of gitlab-container-registry"""
+    return subprocess.check_output(
+        [
+            "nix",
+            "--experimental-features",
+            "nix-command",
+            "eval",
+            "-f",
+            ".",
+            "--raw",
+            "gitlab-container-registry.version",
+        ],
+        cwd=NIXPKGS_PATH,
+    ).decode("utf-8")
+
+
+@cli.command("update-gitlab-shell")
 def update_gitlab_shell():
    """Update gitlab-shell"""
+    logger.info("Updating gitlab-shell")
    data = _get_data_json()
-    gitlab_shell_version = data['passthru']['GITLAB_SHELL_VERSION']
-    _call_nix_update('gitlab-shell', gitlab_shell_version)
+    gitlab_shell_version = data["passthru"]["GITLAB_SHELL_VERSION"]
+    _call_nix_update("gitlab-shell", gitlab_shell_version)


-@cli.command('update-gitlab-workhorse')
+@cli.command("update-gitlab-workhorse")
 def update_gitlab_workhorse():
    """Update gitlab-workhorse"""
+    logger.info("Updating gitlab-workhorse")
    data = _get_data_json()
-    gitlab_workhorse_version = data['passthru']['GITLAB_WORKHORSE_VERSION']
-    _call_nix_update('gitlab-workhorse', gitlab_workhorse_version)
+    gitlab_workhorse_version = data["passthru"]["GITLAB_WORKHORSE_VERSION"]
+    _call_nix_update("gitlab-workhorse", gitlab_workhorse_version)


-@cli.command('update-all')
-@click.option('--rev', default='latest', help='The rev to use (vX.Y.Z-ee), or \'latest\'')
+@cli.command("update-gitlab-container-registry")
+@click.option("--rev", default="latest", help="The rev to use (vX.Y.Z-ee), or 'latest'")
+@click.option(
+    "--commit", is_flag=True, default=False, help="Commit the changes for you"
+)
+def update_gitlab_container_registry(rev: str, commit: bool):
+    """Update gitlab-container-registry"""
+    logger.info("Updading gitlab-container-registry")
+    repo = GitLabRepo(repo="container-registry")
+    old_container_registry_version = get_container_registry_version()
+
+    if rev == "latest":
+        rev = next(filter(lambda x: not ("rc" in x or x.endswith("pre")), repo.tags))
+
+    version = repo.rev2version(rev)
+    _call_nix_update("gitlab-container-registry", version)
+    if commit:
+        new_container_registry_version = get_container_registry_version()
+        commit_container_registry(
+            old_container_registry_version, new_container_registry_version
+        )
+
+
+@cli.command("update-all")
+@click.option("--rev", default="latest", help="The rev to use (vX.Y.Z-ee), or 'latest'")
+@click.option(
+    "--commit", is_flag=True, default=False, help="Commit the changes for you"
+)
@click.pass_context
-def update_all(ctx, rev: str):
+def update_all(ctx, rev: str, commit: bool):
    """Update all gitlab components to the latest stable release"""
+    old_data_json = _get_data_json()
+    old_container_registry_version = get_container_registry_version()
+
    ctx.invoke(update_data, rev=rev)
+
+    new_data_json = _get_data_json()
+
    ctx.invoke(update_rubyenv)
    ctx.invoke(update_gitaly)
    ctx.invoke(update_gitlab_pages)
    ctx.invoke(update_gitlab_shell)
    ctx.invoke(update_gitlab_workhorse)
+    if commit:
+        commit_gitlab(
+            old_data_json["version"], new_data_json["version"], new_data_json["rev"]
+        )
+
+    ctx.invoke(update_gitlab_container_registry)
+    if commit:
+        new_container_registry_version = get_container_registry_version()
+        commit_container_registry(
+            old_container_registry_version, new_container_registry_version
+        )


-if __name__ == '__main__':
+def commit_gitlab(old_version: str, new_version: str, new_rev: str) -> None:
+    """Commits the gitlab changes for you"""
+    subprocess.run(
+        [
+            "git",
+            "add",
+            "data.json",
+            "rubyEnv",
+            "gitaly",
+            "gitlab-pages",
+            "gitlab-shell",
+            "gitlab-workhorse",
+        ],
+        cwd=GITLAB_DIR,
+    )
+    subprocess.run(
+        [
+            "git",
+            "commit",
+            "--message",
+            f"""gitlab: {old_version} -> {new_version}\n\nhttps://gitlab.com/gitlab-org/gitlab/-/blob/{new_rev}/CHANGELOG.md""",
+        ],
+        cwd=GITLAB_DIR,
+    )
+
+
+def commit_container_registry(old_version: str, new_version: str) -> None:
+    """Commits the gitlab-container-registry changes for you"""
+    subprocess.run(["git", "add", "gitlab-container-registry"], cwd=GITLAB_DIR)
+    subprocess.run(
+        [
+            "git",
+            "commit",
+            "--message",
+            f"gitlab-container-registry: {old_version} -> {new_version}",
+        ],
+        cwd=GITLAB_DIR,
+    )
+
+
+if __name__ == "__main__":
    cli()
--- a/pkgs/applications/video/frigate/default.nix
+++ b/pkgs/applications/video/frigate/default.nix
@@ -94,6 +94,16 @@ python.pkgs.buildPythonApplication rec {
      --replace "/media/frigate" "/var/lib/frigate" \
      --replace "/tmp/cache" "/var/cache/frigate"

+    substituteInPlace frigate/http.py \
+      --replace "/opt/frigate" "${placeholder "out"}/${python.sitePackages}" \
+      --replace "/tmp/cache/" "/var/cache/frigate"
+
+    substituteInPlace frigate/output.py \
+      --replace "/opt/frigate" "${placeholder "out"}/${python.sitePackages}"
+
+    substituteInPlace frigate/record.py \
+      --replace "/tmp/cache" "/var/cache/frigate"
+
    substituteInPlace frigate/detectors/detector_config.py \
      --replace "/labelmap.txt" "${placeholder "out"}/share/frigate/labelmap.txt"

--- a/pkgs/applications/video/gpac/default.nix
+++ b/pkgs/applications/video/gpac/default.nix
@@ -1,21 +1,36 @@
 { lib, stdenv, fetchFromGitHub, fetchpatch, pkg-config, zlib }:

 stdenv.mkDerivation rec {
-  version = "2.2.0";
+  version = "2.2.1";
  pname = "gpac";

  src = fetchFromGitHub {
    owner = "gpac";
    repo = "gpac";
    rev = "v${version}";
-    sha256 = "sha256-m2qXTXLGgAyU9y6GEk4Hp/7Al57IPRSqImJatIcwswQ=";
+    hash = "sha256-VjA1VFMsYUJ8uJqhYgjXYtqlGWSJHr16Ck3b5stuZWw=";
  };

  patches = [
    (fetchpatch {
-      name = "CVE-2023-0358.patch";
-      url = "https://github.com/gpac/gpac/commit/9971fb125cf91cefd081a080c417b90bbe4a467b.patch";
-      sha256 = "sha256-0PDQXahbJCOo1JJAC0T0N1u2mqmwAkdm87wXMJnBicM=";
+      name = "CVE-2023-2837.patch";
+      url = "https://github.com/gpac/gpac/commit/6f28c4cd607d83ce381f9b4a9f8101ca1e79c611.patch";
+      hash = "sha256-HA6qMungIoh1fz1R3zUvV1Ahoa2pp861JRzYY/NNDQI=";
+    })
+    (fetchpatch {
+      name = "CVE-2023-2838.patch";
+      url = "https://github.com/gpac/gpac/commit/c88df2e202efad214c25b4e586f243b2038779ba.patch";
+      hash = "sha256-gIISG7pz01iVoWqlho2BL27ki87i3pGkug2Z+KKn+xs=";
+    })
+    (fetchpatch {
+      name = "CVE-2023-2839.patch";
+      url = "https://github.com/gpac/gpac/commit/047f96fb39e6bf70cb9f344093f5886e51dce0ac.patch";
+      hash = "sha256-i+/iFrWJ+Djc8xYtIOYvlZ98fYUdJooqUz9y/uhusL4=";
+    })
+    (fetchpatch {
+      name = "CVE-2023-2840.patch";
+      url = "https://github.com/gpac/gpac/commit/ba59206b3225f0e8e95a27eff41cb1c49ddf9a37.patch";
+      hash = "sha256-mwO9Qeeufq0wa57lO+LgWGjrN3CHMYK+xr2ZBalKBQo=";
    })
  ];

--- a/pkgs/applications/video/manim/default.nix
+++ b/pkgs/applications/video/manim/default.nix
@@ -1,5 +1,6 @@
 { lib
 , fetchFromGitHub
+, fetchPypi

 , cairo
 , ffmpeg
@@ -42,7 +43,30 @@ let
    fundus-calligra microtype wasysym physics dvisvgm jknapltx wasy cm-super
    babel-english gnu-freefont mathastext cbfonts-fd;
  };
-in python3.pkgs.buildPythonApplication rec {
+
+  python = python3.override {
+    packageOverrides = self: super: {
+      networkx = super.networkx.overridePythonAttrs (oldAttrs: rec {
+        pname = "networkx";
+        version = "2.8.8";
+        src = fetchPypi {
+          inherit pname version;
+          hash = "sha256-Iw04gRevhw/OVkejxSQB/PdT6Ucg5uprQZelNVZIiF4=";
+        };
+      });
+
+      watchdog = super.watchdog.overridePythonAttrs (oldAttrs: rec{
+        pname = "watchdog";
+        version = "2.3.1";
+        src = fetchPypi {
+          inherit pname version;
+          hash = "sha256-2fntJu0iqdMxggqEMsNoBwfqi1QSHdzJ3H2fLO6zaQY=";
+        };
+      });
+    };
+  };
+
+in python.pkgs.buildPythonApplication rec {
  pname = "manim";
  format = "pyproject";
  version = "0.16.0.post0";
@@ -55,8 +79,8 @@ in python3.pkgs.buildPythonApplication rec {
    sha256 = "sha256-iXiPnI6lTP51P1X3iLp75ArRP66o8WAANBLoStPrz4M=";
  };

-  nativeBuildInputs = [
-    python3.pkgs.poetry-core
+  nativeBuildInputs = with python.pkgs; [
+    poetry-core
  ];

  postPatch = ''
@@ -69,7 +93,7 @@ in python3.pkgs.buildPythonApplication rec {

  buildInputs = [ cairo ];

-  propagatedBuildInputs = with python3.pkgs; [
+  propagatedBuildInputs = with python.pkgs; [
    click
    click-default-group
    cloup
@@ -106,14 +130,13 @@ in python3.pkgs.buildPythonApplication rec {
    ])
  ];

-
  nativeCheckInputs = [
-    python3.pkgs.pytest-xdist
-    python3.pkgs.pytestCheckHook
-
    ffmpeg
    (texlive.combine manim-tinytex)
-  ];
+  ] ++ (with python.pkgs; [
+    pytest-xdist
+    pytestCheckHook
+  ]);

  # about 55 of ~600 tests failing mostly due to demand for display
  disabledTests = import ./failing_tests.nix;
--- a/pkgs/applications/video/manim/failing_tests.nix
+++ b/pkgs/applications/video/manim/failing_tests.nix
@@ -1,5 +1,5 @@
-# reason for failure: tests try to open display
 [
+  # reason for failure: tests try to open display
  "test_background_color"
  "test_scene_add_remove"
  "test_Circle"
@@ -46,31 +46,29 @@
  "test_force_window_opengl_render_with_format"
  "test_get_frame_with_preview_disabled"
  "test_get_frame_with_preview_enabled"
-] ++

-# reason for failure: tests try to reach network
-[
+  # reason for failure: tests try to reach network
  "test_logging_to_file"
  "test_plugin_function_like"
  "test_plugin_no_all"
  "test_plugin_with_all"
-] ++

-# failing with:
-# E           AssertionError:
-# E           Not equal to tolerance rtol=1e-07, atol=1.01
-# E           Frame no -1. You can use --show_diff to visually show the difference.
-# E           Mismatched elements: 18525 / 1639680 (1.13%)
-# E           Max absolute difference: 255
-# E           Max relative difference: 255.
-[
+  # failing with:
+  # E           AssertionError:
+  # E           Not equal to tolerance rtol=1e-07, atol=1.01
+  # E           Frame no -1. You can use --show_diff to visually show the difference.
+  # E           Mismatched elements: 18525 / 1639680 (1.13%)
+  # E           Max absolute difference: 255
+  # E           Max relative difference: 255.
  "test_Text2Color"
  "test_PointCloudDot"
  "test_Torus"
-] ++

-# failing with:
-# TypeError: __init__() got an unexpected keyword argument 'msg' - maybe you meant pytest.mark.skipif?
-[
+  # failing with:
+  # TypeError: __init__() got an unexpected keyword argument 'msg' - maybe you meant pytest.mark.skipif?
  "test_force_window_opengl_render_with_movies"
+
+  # mismatching expecation on the new commandline
+  "test_manim_new_command"
+
 ]
--- a/pkgs/applications/video/memento/default.nix
+++ b/pkgs/applications/video/memento/default.nix
@@ -0,0 +1,63 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, qtbase
+, qtx11extras ? null # qt5 only
+, wrapQtAppsHook
+
+# before that => zeal
+, sqlite
+, json_c
+, mecab
+, libzip
+, mpv
+, yt-dlp
+# optional
+, makeWrapper}:
+
+let
+  isQt5 = lib.versions.major qtbase.version == "5";
+
+in
+stdenv.mkDerivation (finalAttrs: {
+  pname = "memento";
+  version = "v1.1.0";
+
+  src = fetchFromGitHub {
+    owner = "ripose-jp";
+    repo = "Memento";
+    rev = finalAttrs.version;
+    hash = "sha256-29AzQ+Z2PNs65Tvmt2Z5Ra2G3Yhm4LVBpAqvnSsnE0Y=";
+  };
+
+  nativeBuildInputs = [
+    cmake
+    makeWrapper
+    wrapQtAppsHook
+  ];
+
+  buildInputs = [
+    qtbase
+    sqlite
+    json_c
+    libzip
+    mecab
+  ] ++ lib.optionals isQt5 [ qtx11extras ];
+
+  propagatedBuildInputs = [ mpv  ];
+
+  preFixup = ''
+     wrapProgram "$out/bin/memento" \
+       --prefix PATH : "${yt-dlp}/bin" \
+  '';
+
+  meta = with lib; {
+    description = "An mpv-based video player for studying Japanese";
+    homepage = "https://ripose-jp.github.io/Memento/";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ teto ];
+    platforms = platforms.linux;
+  };
+})
+
--- a/pkgs/applications/video/mirakurun/default.nix
+++ b/pkgs/applications/video/mirakurun/default.nix
@@ -1,96 +1,74 @@
-# NOTE: Mirakurun is packaged outside of nodePackages because Node2nix can't
-# handle one of its subdependencies. See below link for details.
-#
-# https://github.com/Chinachu/node-aribts/blob/af84dbbbd81ea80b946e538083b64b5b2dc7e8f2/package.json#L26
-
 { lib
-, stdenvNoCC
+, stdenv
 , bash
+, buildNpmPackage
 , fetchFromGitHub
-, gitUpdater
-, jq
+, installShellFiles
 , makeWrapper
-, mkYarnPackage
-, which
-, writers
+, nodejs
+, substituteAll
 , v4l-utils
-, yarn
-, yarn2nix
+, which
 }:

-stdenvNoCC.mkDerivation rec {
+buildNpmPackage rec {
  pname = "mirakurun";
-  version = "3.8.0";
+  version = "3.9.0-rc.4";

  src = fetchFromGitHub {
    owner = "Chinachu";
    repo = "Mirakurun";
    rev = version;
-    sha256 = "1fmzi3jc3havvpc1kz5z16k52lnrsmc3b5yqyxc7i911gqyjsxzr";
+    sha256 = "sha256-Qg+wET5H9t3Mv2Hv0iT/C85/SEaQ+BHSBL3JjMQW5+Q=";
  };

-  nativeBuildInputs = [ makeWrapper ];
+  patches = [
+    # NOTE: fixes for hardcoded paths and assumptions about filesystem
+    # permissions
+    ./nix-filesystem.patch
+  ];

-  mirakurun = mkYarnPackage rec {
-    name = "${pname}-${version}";
-    inherit version src;
+  npmDepsHash = "sha256-e7m7xb7p1SBzLAyQ82TTR/qLXv4lRm37x0JJPWYYGvI=";

-    yarnNix = ./yarn.nix;
-    yarnLock = ./yarn.lock;
-    packageJSON = ./package.json;
+  nativeBuildInputs = [ installShellFiles makeWrapper ];

-    # workaround for https://github.com/webpack/webpack/issues/14532
-    NODE_OPTIONS = "--openssl-legacy-provider";
+  # workaround for https://github.com/webpack/webpack/issues/14532
+  NODE_OPTIONS = "--openssl-legacy-provider";

-    patches = [
-      # NOTE: fixes for hardcoded paths and assumptions about filesystem
-      # permissions
-      ./nix-filesystem.patch
-    ];
-
-    buildPhase = ''
-      yarn --offline build
-    '';
-
-    distPhase = "true";
-  };
-
-  installPhase =
+  postInstall =
    let
-      runtimeDeps = [ bash which v4l-utils ];
+      runtimeDeps = [
+        bash
+        nodejs
+        which
+      ] ++ lib.optionals stdenv.isLinux [ v4l-utils ];
+      crc32Patch = substituteAll {
+        src = ./fix-musl-detection.patch;
+        isMusl = if stdenv.hostPlatform.isMusl then "true" else "false";
+      };
    in
    ''
-      mkdir -p $out/bin
+      sed 's/@DESCRIPTION@/${meta.description}/g' ${./mirakurun.1} > mirakurun.1
+      installManPage mirakurun.1

-      makeWrapper ${mirakurun}/bin/mirakurun-epgdump $out/bin/mirakurun-epgdump \
-        --chdir "${mirakurun}/libexec/mirakurun/node_modules/mirakurun" \
+      wrapProgram $out/bin/mirakurun-epgdump \
        --prefix PATH : ${lib.makeBinPath runtimeDeps}

      # XXX: The original mirakurun command uses PM2 to manage the Mirakurun
      # server.  However, we invoke the server directly and let systemd
      # manage it to avoid complication. This is okay since no features
      # unique to PM2 is currently being used.
-      makeWrapper ${yarn}/bin/yarn $out/bin/mirakurun-start \
-        --add-flags "start" \
-        --chdir "${mirakurun}/libexec/mirakurun/node_modules/mirakurun" \
+      makeWrapper ${nodejs}/bin/npm $out/bin/mirakurun \
+        --chdir "$out/lib/node_modules/mirakurun" \
        --prefix PATH : ${lib.makeBinPath runtimeDeps}
+
+      pushd $out/lib/node_modules/mirakurun/node_modules/@node-rs/crc32
+      patch -p3 < ${crc32Patch}
+      popd
    '';

-  passthru.updateScript = import ./update.nix {
-    inherit lib;
-    inherit (src.meta) homepage;
-    inherit
-      pname
-      version
-      gitUpdater
-      writers
-      jq
-      yarn
-      yarn2nix;
-  };
-
  meta = with lib; {
-    inherit (mirakurun.meta) description platforms;
+    description = "Resource manager for TV tuners.";
    license = licenses.asl20;
    maintainers = with maintainers; [ midchildan ];
  };
--- a/pkgs/applications/video/mirakurun/fix-musl-detection.patch
+++ b/pkgs/applications/video/mirakurun/fix-musl-detection.patch
@@ -0,0 +1,29 @@
+diff --git a/packages/crc32/index.js b/packages/crc32/index.js
+index cdc7519..7b05930 100644
+--- a/packages/crc32/index.js
+++ b/packages/crc32/index.js
+@@ -5,7 +5,7 @@ const { platform, arch } = process
+ 
+ let nativeBinding = null
+ let localFileExisted = false
+-let isMusl = false
+let isMusl = @isMusl@
+ let loadError = null
+ 
+ switch (platform) {
+@@ -114,7 +114,6 @@ switch (platform) {
+   case 'linux':
+     switch (arch) {
+       case 'x64':
+-        isMusl = readFileSync('/usr/bin/ldd', 'utf8').includes('musl')
+         if (isMusl) {
+           localFileExisted = existsSync(join(__dirname, 'crc32.linux-x64-musl.node'))
+           try {
+@@ -140,7 +139,6 @@ switch (platform) {
+         }
+         break
+       case 'arm64':
+-        isMusl = readFileSync('/usr/bin/ldd', 'utf8').includes('musl')
+         if (isMusl) {
+           localFileExisted = existsSync(join(__dirname, 'crc32.linux-arm64-musl.node'))
+           try {
--- a/pkgs/applications/video/mirakurun/mirakurun.1
+++ b/pkgs/applications/video/mirakurun/mirakurun.1
@@ -0,0 +1,44 @@
+.Dd $Mdocdate$
+.Dt MIRAKURUN 1
+.Os
+.Sh NAME
+.Nm mirakurun
+.Nd @DESCRIPTION@
+.Sh SYNOPSIS
+.Nm
+.Bk -words
+.Op Ar command Op Ar args
+.Ek
+.Sh DESCRIPTION
+.Nm
+is a wrapper command for Mirakurun provided by Nix. It's actually a thin
+wrapper around the
+.Xr npm 1
+command line tool which you can use to invoke npm commands from the Mirakurun
+project directory. The command line arguments are simply passed as-is to
+.Xr npm 1 .
+.Pp
+On NixOS, it is strongly recommended that you enable the mirakurun module
+instead of invoking this command directly to launch Mirakurun. On other
+platforms, run
+.Pp
+.Dl $ mirakurun start
+.Pp
+to start Mirakurun.
+.Sh FILES
+.Bl -tag -width Ds -compact
+.It Pa /etc/mirakurun
+.Nm
+configuration directory.
+.El
+.Sh EXAMPLES
+Start Mirakurun.
+.Pp
+.Dl $ mirakurun start
+.Pp
+Start Mirakurun in development mode.
+.Pp
+.Dl $ mirakurun run debug
+.Pp
+.Sh SEE ALSO
+.Xr npm 1
--- a/pkgs/applications/video/mirakurun/package.json
+++ b/pkgs/applications/video/mirakurun/package.json
@@ -1,129 +0,0 @@
-{
-  "name": "mirakurun",
-  "preferGlobal": true,
-  "description": "Japanese DTV Tuner Server Service.",
-  "version": "3.8.0",
-  "homepage": "https://github.com/Chinachu/Mirakurun",
-  "keywords": [
-    "mirakurun",
-    "chinachu",
-    "rivarun",
-    "arib",
-    "isdb",
-    "dvb",
-    "dvr",
-    "dtv",
-    "tv"
-  ],
-  "author": {
-    "name": "kanreisa",
-    "url": "https://github.com/kanreisa"
-  },
-  "contributors": [
-    "rndomhack"
-  ],
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/Chinachu/Mirakurun.git"
-  },
-  "bugs": {
-    "url": "https://github.com/Chinachu/Mirakurun/issues"
-  },
-  "license": "Apache-2.0",
-  "bin": {
-    "mirakurun": "bin/cli.sh",
-    "mirakurun-epgdump": "bin/epgdump.js"
-  },
-  "main": "lib/client.js",
-  "scripts": {
-    "start": "node -r source-map-support/register lib/server.js",
-    "debug": "node -r source-map-support/register --inspect=0.0.0.0:9229 lib/server.js",
-    "start.win32": "node.exe -r source-map-support/register bin/init.win32.js",
-    "debug.win32": "node.exe -r source-map-support/register --inspect bin/init.win32.js",
-    "build": "tslint --project . && tsc --declaration && webpack",
-    "watch": "tsc -w --declaration",
-    "watch-webpack": "webpack -w",
-    "test": "tslint --project . && mocha --exit test/*.spec.js",
-    "clean": "rimraf lib/*",
-    "prepublishOnly": "npm run clean && npm run build",
-    "preinstall": "node bin/preinstall.js",
-    "postinstall": "node bin/postinstall.js && opencollective-postinstall",
-    "preuninstall": "node bin/preuninstall.js",
-    "docker-build": "docker-compose -f docker/docker-compose.yml build",
-    "docker-run": "docker-compose -f docker/docker-compose.yml run --rm --service-ports mirakurun",
-    "docker-debug": "docker-compose -f docker/docker-compose.yml run --rm --service-ports -e DEBUG=true mirakurun"
-  },
-  "directories": {
-    "doc": "doc",
-    "lib": "lib"
-  },
-  "dependencies": {
-    "@fluentui/react": "8.27.0",
-    "aribts": "^1.3.5",
-    "colors": "^1.4.0",
-    "cors": "^2.8.5",
-    "dotenv": "^8.6.0",
-    "eventemitter3": "^4.0.7",
-    "express": "^4.17.1",
-    "express-openapi": "^8.0.0",
-    "glob": "^7.1.7",
-    "ip": "^1.1.4",
-    "js-yaml": "^4.1.0",
-    "latest-version": "^5.1.0",
-    "morgan": "^1.10.0",
-    "openapi-types": "^7.2.3",
-    "opencollective": "^1.0.3",
-    "opencollective-postinstall": "^2.0.3",
-    "promise-queue": "^2.2.3",
-    "react": "^17.0.2",
-    "react-dom": "^17.0.2",
-    "semver": "^7.3.5",
-    "sift": "^7.0.1",
-    "source-map-support": "^0.5.19",
-    "stream-http": "^3.2.0",
-    "swagger-ui-dist": "3.51.2",
-    "tail": "^2.2.3"
-  },
-  "devDependencies": {
-    "@types/cors": "^2.8.12",
-    "@types/express": "^4.17.13",
-    "@types/ip": "^1.1.0",
-    "@types/js-yaml": "^4.0.2",
-    "@types/morgan": "^1.9.3",
-    "@types/node": "^12.20.17",
-    "@types/promise-queue": "^2.2.0",
-    "@types/react": "^17.0.14",
-    "@types/react-dom": "^17.0.9",
-    "buffer": "^6.0.3",
-    "copy-webpack-plugin": "^9.0.1",
-    "css-loader": "5.2.7",
-    "mocha": "^8.4.0",
-    "process": "^0.11.10",
-    "rimraf": "^3.0.2",
-    "style-loader": "^2.0.0",
-    "ts-loader": "^9.2.3",
-    "tslint": "^6.1.3",
-    "tslint-config-prettier": "^1.18.0",
-    "typescript": "^4.3.5",
-    "url": "^0.11.0",
-    "webpack": "5.48.0",
-    "webpack-cli": "^4.7.2"
-  },
-  "engines": {
-    "node": "^12 || ^14 || ^16"
-  },
-  "engineStrict": true,
-  "os": [
-    "linux",
-    "darwin",
-    "win32"
-  ],
-  "funding": {
-    "type": "opencollective",
-    "url": "https://opencollective.com/Mirakurun"
-  },
-  "collective": {
-    "type": "opencollective",
-    "url": "https://opencollective.com/Mirakurun"
-  }
-}
--- a/pkgs/applications/video/mirakurun/update.nix
+++ b/pkgs/applications/video/mirakurun/update.nix
@@ -1,51 +0,0 @@
-{ pname
-, version
-, homepage
-, lib
-, gitUpdater
-, writers
-, jq
-, yarn
-, yarn2nix
-}:
-
-let
-  updater = gitUpdater {
-    inherit pname version;
-    attrPath = lib.toLower pname;
-
-    # exclude prerelease versions
-    ignoredVersions = "-";
-  };
-  updateScript = builtins.elemAt updater.command 0;
-  updateArgs = map (lib.escapeShellArg) (builtins.tail updater.command);
-in writers.writeBash "update-mirakurun" ''
-  set -euxo pipefail
-
-  WORKDIR="$(mktemp -d)"
-  cleanup() {
-    rm -rf "$WORKDIR"
-  }
-  trap cleanup EXIT
-
-  # bump the version
-  ${updateScript} ${lib.concatStringsSep " " updateArgs}
-
-  # Get the path to the latest source. Note that we can't just pass the value
-  # of mirakurun.src directly because it'd be evaluated before we can run
-  # updateScript.
-  SRC="$(nix-build "${toString ../../../..}" --no-out-link -A mirakurun.src)"
-  if [[ "${version}" == "$(${jq}/bin/jq -r .version "$SRC/package.json")" ]]; then
-    echo "[INFO] Already using the latest version of ${pname}" >&2
-    exit
-  fi
-
-  cd "$WORKDIR"
-
-  cp "$SRC/package.json" package.json
-  "${yarn}/bin/yarn" install --ignore-scripts
-
-  "${yarn2nix}/bin/yarn2nix" > "${toString ./.}/yarn.nix"
-  cp yarn.lock "${toString ./.}/yarn.lock"
-  cp package.json "${toString ./.}/package.json"
-''
--- a/pkgs/applications/video/mirakurun/yarn.lock
+++ b/pkgs/applications/video/mirakurun/yarn.lock
--- a/pkgs/applications/video/mirakurun/yarn.nix
+++ b/pkgs/applications/video/mirakurun/yarn.nix
--- a/Show More
+++ b/Show More