Merge staging-next into staging

nixos/doc/manual/redirects.json

@@ -1,4 +1,19 @@
 {
+  "module-boot-plymouth-tpm2-totp": [
+    "index.html#module-boot-plymouth-tpm2-totp"
+  ],
+  "module-boot-plymouth-tpm2-totp-quick-start": [
+    "index.html#module-boot-plymouth-tpm2-totp-quick-start"
+  ],
+  "module-boot-plymouth-tpm2-totp-quick-start-check": [
+    "index.html#module-boot-plymouth-tpm2-totp-quick-start-check"
+  ],
+  "module-boot-plymouth-tpm2-totp-quick-start-configure": [
+    "index.html#module-boot-plymouth-tpm2-totp-quick-start-configure"
+  ],
+  "module-boot-plymouth-tpm2-totp-quick-start-enable": [
+    "index.html#module-boot-plymouth-tpm2-totp-quick-start-enable"
+  ],
   "sec-override-nixos-test": [
     "index.html#sec-override-nixos-test"
   ],

nixos/doc/manual/release-notes/rl-2511.section.md

@@ -88,6 +88,8 @@
 
 - The [Neat IP Address Planner](https://spritelink.github.io/NIPAP/) (NIPAP) can now be enabled through [services.nipap.enable](#opt-services.nipap.enable).
 
+- [tpm2-totp](https://github.com/tpm2-software/tpm2-totp) can now be used to show a TOTP during boot using Plymouth. Available as [boot.plymouth.tpm2-totp](#opt-boot.plymouth.tpm2-totp.enable).
+
 - [nix-store-veritysetup](https://github.com/nikstur/nix-store-veritysetup-generator), a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as [boot.initrd.nix-store-veritysetup](options.html#opt-boot.initrd.nix-store-veritysetup.enable).
 
 - [ente](https://github.com/ente-io/ente), a service that provides a fully open source, end-to-end encrypted platform for photos and videos. Available as [services.ente.api](#opt-services.ente.api.enable) and  [services.ente.web](#opt-services.ente.web.enable).

nixos/modules/module-list.nix

@@ -1830,6 +1830,7 @@
   ./system/boot/modprobe.nix
   ./system/boot/networkd.nix
   ./system/boot/nix-store-veritysetup.nix
+  ./system/boot/plymouth-tpm2-totp.nix
   ./system/boot/plymouth.nix
   ./system/boot/resolved.nix
   ./system/boot/shutdown.nix

nixos/modules/system/boot/plymouth-tpm2-totp.md

@@ -0,0 +1,29 @@
+# tpm2-totp with Plymouth {#module-boot-plymouth-tpm2-totp}
+
+[tpm2-totp](https://github.com/tpm2-software/tpm2-totp) attests the trustworthiness of a device against a human using time-based one-time passwords. This module uses a `tpm2-totp` configuration to display a TOTP at boot using Plymouth.
+
+## Quick start {#module-boot-plymouth-tpm2-totp-quick-start}
+
+### 1. Enable modules {#module-boot-plymouth-tpm2-totp-quick-start-enable}
+
+```nix
+{
+  boot.plymouth.tpm2-totp.enable = true;
+
+  # Plymouth and systemd initrd/stage-1 are required:
+  boot.plymouth.enable = true;
+  boot.initrd.systemd.enable = true;
+}
+```
+
+Switch to the new configuration before proceeding to the next step.
+
+### 2. Configure `tpm2-totp` {#module-boot-plymouth-tpm2-totp-quick-start-configure}
+
+Generate a new TOTP secret and save the secret in your chosen authenticator app. See `man tpm2-totp` for commands and configuration examples.
+
+More information, including security considerations, can be found in the `README.md` in the [tpm2-totp](https://github.com/tpm2-software/tpm2-totp) repository. Be sure to select the tag for the version of `tpm2-totp` you have installed.
+
+### 3. Check configuration {#module-boot-plymouth-tpm2-totp-quick-start-check}
+
+Reboot and you should see the TOTP appear on the Plymouth boot screen. The TOTP should match the code displayed in your authenticator app (or the code immediately before/after).

nixos/modules/system/boot/plymouth-tpm2-totp.nix

@@ -0,0 +1,59 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.boot.plymouth.tpm2-totp;
+in
+{
+  options.boot.plymouth.tpm2-totp = {
+    enable = lib.mkEnableOption "tpm2-totp using Plymouth" // {
+      description = "Whether to display a TOTP during boot using tpm2-totp and Plymouth.";
+    };
+
+    package = lib.mkPackageOption pkgs "tpm2-totp" { default = "tpm2-totp-with-plymouth"; };
+  };
+
+  meta = {
+    maintainers = with lib.maintainers; [ majiir ];
+    doc = ./plymouth-tpm2-totp.md;
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = config.boot.initrd.systemd.enable;
+        message = "boot.plymouth.tpm2-totp is only supported with boot.initrd.systemd.";
+      }
+    ];
+
+    environment.systemPackages = [
+      cfg.package
+    ];
+
+    boot.initrd.systemd.storePaths = [
+      "${cfg.package}/libexec/tpm2-totp/plymouth-tpm2-totp"
+      "${cfg.package}/lib/libtpm2-totp.so.0"
+      "${cfg.package}/lib/libtpm2-totp.so.0.0.0"
+    ];
+
+    # Based on https://github.com/tpm2-software/tpm2-totp/blob/9bcfdcbfdd42e0b2e1d7769852009608f889631c/dist/plymouth-tpm2-totp.service.in
+    boot.initrd.systemd.services.plymouth-tpm2-totp = {
+      description = "Display a TOTP during boot using Plymouth";
+      requires = [ "plymouth-start.service" ];
+      after = [
+        "plymouth-start.service"
+        "tpm2.target"
+      ];
+      wantedBy = [ "sysinit.target" ];
+      unitConfig.DefaultDependencies = false;
+      serviceConfig = {
+        Type = "exec";
+        ExecStart = "${cfg.package}/libexec/tpm2-totp/plymouth-tpm2-totp";
+      };
+    };
+  };
+}

pkgs/applications/video/kodi/addons/jellyfin/default.nix

@@ -17,13 +17,13 @@ in
 buildKodiAddon rec {
   pname = "jellyfin";
   namespace = "plugin.video.jellyfin";
-  version = "1.0.8";
+  version = "1.1.0";
 
   src = fetchFromGitHub {
     owner = "jellyfin";
     repo = "jellyfin-kodi";
     rev = "v${version}";
-    sha256 = "sha256-/kolXnYO+wo6z7ucCXvxwjsiflvusKJ3qTWxm1YZMfU=";
+    sha256 = "sha256-5CJenvNmyNwrlNfF4jPap99oj21T96TeExbod8+KKTA=";
   };
 
   nativeBuildInputs = [ python ];

pkgs/by-name/an/ananicy-rules-cachyos/package.nix

@@ -7,13 +7,13 @@
 
 stdenvNoCC.mkDerivation {
   pname = "ananicy-rules-cachyos";
-  version = "0-unstable-2025-09-03";
+  version = "0-unstable-2025-09-09";
 
   src = fetchFromGitHub {
     owner = "CachyOS";
     repo = "ananicy-rules";
-    rev = "4a4931273868421e772c82f34f0df82252200526";
+    rev = "0f5d7883cc4c49b8e9c51d5512ba145b5289eb05";
-    hash = "sha256-Wr/NIWObhzBdkI7QsYNLO52dYU3BUNGVKHliEcNGU3Y=";
+    hash = "sha256-8zzUp1am6nu/6EnQkPTDkd/TLb2SBgSSyNpUyv44Zr8=";
   };
 
   dontConfigure = true;

pkgs/by-name/ge/gensio/package.nix

@@ -10,13 +10,13 @@
 
 stdenv.mkDerivation rec {
   pname = "gensio";
-  version = "2.8.15";
+  version = "3.0.0";
 
   src = fetchFromGitHub {
     owner = "cminyard";
     repo = "gensio";
     rev = "v${version}";
-    sha256 = "sha256-EDa95r8x5yIXibJigJXR3PCYTTvJlqB6XBN1RZHq6KM=";
+    sha256 = "sha256-YP5KKHpKVZhJxhCBbdXg6pTgvPRHUwdqlzDlR+hIB+w=";
   };
 
   passthru = {

pkgs/by-name/n9/n98-magerun2/package.nix

@@ -7,16 +7,16 @@
 
 php83.buildComposerProject2 (finalAttrs: {
   pname = "n98-magerun2";
-  version = "9.0.2";
+  version = "9.1.0";
 
   src = fetchFromGitHub {
     owner = "netz98";
     repo = "n98-magerun2";
     tag = finalAttrs.version;
-    hash = "sha256-v6Be9yODeac4ZLYfHXZTLMcfzjKGDXD7jz7kmI/z8wo=";
+    hash = "sha256-kjT72pLKuN166Edm8+8vUIfhFdMnZkeTagl0ECL20b8=";
   };
 
-  vendorHash = "sha256-vaRRxtHu/ZFc+Z38KJjm0iUncFYUfRLkk7A3+T1p4+I=";
+  vendorHash = "sha256-0Bk01aU3vicwk9swkv+8VZxcPdaEMOOtp9niNfPfQyA=";
 
   nativeInstallCheckInputs = [ versionCheckHook ];
   versionCheckProgramArg = "--version";

pkgs/by-name/tp/tpm2-totp/package.nix

@@ -5,7 +5,10 @@
   tpm2-tss,
   autoreconfHook,
   autoconf-archive,
+  pandoc,
   pkg-config,
+  withPlymouth ? false,
+  plymouth,
   qrencode,
 }:
 
@@ -27,13 +30,15 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [
     autoreconfHook
     autoconf-archive
+    pandoc
     pkg-config
   ];
 
   buildInputs = [
     tpm2-tss
     qrencode
-  ];
+  ]
+  ++ lib.optional withPlymouth plymouth;
 
   meta = with lib; {
     description = "Attest the trustworthiness of a device against a human using time-based one-time passwords";

pkgs/by-name/xp/xpar/package.nix

@@ -8,13 +8,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "xpar";
-  version = "0.5";
+  version = "0.6";
 
   src = fetchFromGitHub {
     owner = "kspalaiologos";
     repo = "xpar";
     rev = finalAttrs.version;
-    hash = "sha256-DMUDWQqYSQjGxYOpcfwNaaM21avcZ1w3IqEhuOaabrw=";
+    hash = "sha256-cvt5fXg3mKzh0GlL1qkA7G17p2ZA0PpFnE2cLYwlmUM=";
   };
 
   nativeBuildInputs = [

pkgs/development/beam-modules/livebook/default.nix

@@ -9,7 +9,7 @@
 
 beamPackages.mixRelease rec {
   pname = "livebook";
-  version = "0.17.1";
+  version = "0.17.2";
 
   inherit (beamPackages) elixir;
 
@@ -21,7 +21,7 @@ beamPackages.mixRelease rec {
     owner = "livebook-dev";
     repo = "livebook";
     tag = "v${version}";
-    hash = "sha256-TQbSqavpJqasQsuLSvCdrkL7DZK56c7FHp5ABhK9noA=";
+    hash = "sha256-9AlvEqyQJvcRbAuuxF5Q5S9hG96vaQYVBYwPYp4lGQM=";
   };
 
   mixFodDeps = beamPackages.fetchMixDeps {

pkgs/tools/networking/openapi-generator-cli/default.nix

@@ -9,7 +9,7 @@
 
 let
   this = stdenv.mkDerivation (finalAttrs: {
-    version = "7.14.0";
+    version = "7.15.0";
     pname = "openapi-generator-cli";
 
     jarfilename = "openapi-generator-cli-${finalAttrs.version}.jar";
@@ -20,7 +20,7 @@ let
 
     src = fetchurl {
       url = "mirror://maven/org/openapitools/openapi-generator-cli/${finalAttrs.version}/${finalAttrs.jarfilename}";
-      sha256 = "sha256-4DGGg1AiygLaSqleOWe2o7bUTC5fdgbm1cIkZvUZx1c=";
+      sha256 = "sha256-TaGnzbeMOkOx6rBkiJETXow1R9Lu26Ddadrzd/hl82Y=";
     };
 
     dontUnpack = true;

pkgs/top-level/all-packages.nix

@@ -4261,6 +4261,10 @@ with pkgs;
     }
   );
 
+  tpm2-totp-with-plymouth = tpm2-totp.override {
+    withPlymouth = true;
+  };
+
   trackma-curses = trackma.override { withCurses = true; };
 
   trackma-gtk = trackma.override { withGTK = true; };