fprintd: 1.94.2 -> 1.94.3

Signed-off-by: Florian Brandes <florian.brandes@posteo.de>
python312Packages.pypamtest: 1.1.3 -> 1.1.5
2024-07-07 11:05:19 +02:00 · 2024-07-07 11:05:09 +02:00
1221 changed files with 18372 additions and 26592 deletions
@@ -1 +0,0 @@
 use nix
@@ -135,6 +135,3 @@ f8c4a98e8e138e21353a2c33b90db3359f539b37
 acd0e3898feb321cb9a71a0fd376f1157d0f4553
 1b28414d2886c57343864326dbb745a634d3e37d
 6afb255d976f85f3359e4929abd6f5149c323a02
 # azure-cli: move to by-name, nixfmt #325950
 96cd538b68bd1d0a0a37979356d669abbba32ebc
@@ -19,7 +19,6 @@
 # Develompent support
 /.editorconfig @Mic92 @zowoq
 /shell.nix @infinisil @NixOS/Security
 /.envrc @infinisil @NixOS/Security
 # Libraries
 /lib                        @infinisil
@@ -74,13 +74,6 @@
        - lib/systems/flake-systems.nix
        - nixos/modules/config/nix-flakes.nix
 "6.topic: flutter":
  - any:
    - changed-files:
      - any-glob-to-any-file:
        - pkgs/build-support/flutter/*.nix
        - pkgs/development/compilers/flutter/**/*.nix
 "6.topic: GNOME":
  - any:
    - changed-files:
@@ -156,7 +149,7 @@
  - any:
    - changed-files:
      - any-glob-to-any-file:
-        - pkgs/development/compilers/llvm/**/*
+        - pkgs/development/compilers/llvm/*
 "6.topic: lua":
  - any:
@@ -19,7 +19,6 @@ tags
 /doc/manual.pdf
 /source/
 .version-suffix
 .direnv
 .DS_Store
 .mypy_cache
@@ -90,7 +90,6 @@ qt.section.md
 r.section.md
 ruby.section.md
 rust.section.md
 scheme.section.md
 swift.section.md
 texlive.section.md
 titanium.section.md
@@ -1,35 +0,0 @@
 # Scheme {#sec-scheme}
 ## Package Management {#sec-scheme-package-management}
 ### Akku {#sec-scheme-package-management-akku}
 About two hundred R6RS & R7RS libraries from [Akku](https://akkuscm.org/)
 (which also mirrors [snow-fort](https://snow-fort.org/pkg))
 are available inside the `akkuPackages` attrset, and the Akku executable
 itself is at the top level as `akku`. The packages could be used
 in a derivation's `buildInputs`, work inside of `nix-shell`, and
 are tested using [Chez](https://www.scheme.com/) &
 [Chibi](https://synthcode.com/wiki/chibi-scheme)
 Scheme during build time.
 Including a package as a build input is done in the typical Nix fashion.
 For example, to include
 [a bunch of SRFIs](https://akkuscm.org/packages/chez-srfi/)
 primarily for Chez Scheme in a derivation, one might write:
 ```nix
 {
  buildInputs = [
    chez
    akkuPackages.chez-srfi
  ];
 }
 ```
 The package index is located in `pkgs/tools/package-management/akku`
 as `deps.toml`, and should be updated occasionally by running `./update.sh`
 in the directory. Doing so will pull the source URLs for new packages and
 more recent versions, then write them to the TOML.
@@ -1527,11 +1527,7 @@ The following flags are disabled by default and should be enabled with `hardenin
 #### `pie` {#pie}
-This flag is disabled by default for normal `glibc` based NixOS package builds, but enabled by default for
+This flag is disabled by default for normal `glibc` based NixOS package builds, but enabled by default for `musl` based package builds.
  - `musl`-based package builds, except on Aarch64 and Aarch32, where there are issues.
  - Statically-linked for OpenBSD builds, where it appears to be required to get a working binary.
 Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Executables are needed to take advantage of Address Space Layout Randomization, supported by modern kernel versions. While ASLR can already be enforced for data areas in the stack and heap (brk and mmap), the code areas must be compiled as position-independent. Shared libraries already do this with the `pic` flag, so they gain ASLR automatically, but binary .text regions need to be build with `pie` to gain ASLR. When this happens, ROP attacks are much harder since there are no static locations to bounce off of during a memory corruption attack.
@@ -917,7 +917,7 @@ in mkLicense lset) ({
  ncbiPd = {
    spdxId = "NCBI-PD";
-    fullName = "NCBI Public Domain Notice";
+    fullname = "NCBI Public Domain Notice";
    # Due to United States copyright law, anything with this "license" does not have a copyright in the
    # jurisdiction of the United States. However, other jurisdictions may assign the United States
    # government copyright to the work, and the license explicitly states that in such a case, no license
@@ -1161,7 +1161,7 @@ in mkLicense lset) ({
    shortName = "TSL";
    fullName = "Timescale License Agreegment";
    url = "https://github.com/timescale/timescaledb/blob/main/tsl/LICENSE-TIMESCALE";
-    free = false;
+    unfree = true;
  };
  tcltk = {
@@ -1297,7 +1297,7 @@ in mkLicense lset) ({
  zsh = {
    url = "https://github.com/zsh-users/zsh/blob/master/LICENCE";
-    fullName = "Zsh License";
+    fulllName = "Zsh License";
  };
  zpl20 = {
@@ -323,7 +323,6 @@ let
            os =
              /**/ if rust ? platform then rust.platform.os or "none"
              else if final.isDarwin then "macos"
              else if final.isWasm && !final.isWasi then "unknown" # Needed for {wasm32,wasm64}-unknown-unknown.
              else final.parsed.kernel.name;
            # https://doc.rust-lang.org/reference/conditional-compilation.html#target_family
@@ -71,12 +71,6 @@
    github = "0b11stan";
    githubId = 27831931;
  };
  _0david0mp = {
    email = "davidmrpr@proton.me";
    github = "0david0mp";
    githubId = 54892055;
    name = "David mp";
  };
  _0nyr = {
    email = "onyr.maintainer@gmail.com";
    github = "0nyr";
@@ -233,12 +227,6 @@
    githubId = 12578560;
    name = "Quinn Bohner";
  };
  _71zenith = {
    email = "71zenith@proton.me";
    github = "71zenith";
    githubId = 92977828;
    name = "Mori Zen";
  };
  _8aed = {
    email = "8aed@riseup.net";
    github = "8aed";
@@ -2616,11 +2604,6 @@
    githubId = 30630233;
    name = "Timo Triebensky";
  };
  birdee = {
    name = "birdee";
    github = "BirdeeHub";
    githubId = 85372418;
  };
  birkb = {
    email = "birk@batchworks.de";
    github = "birkb";
@@ -5345,12 +5328,6 @@
    githubId = 6199462;
    name = "Dmytro Rets";
  };
  dretyuiop = {
    email = "chewch03@gmail.com";
    github = "dretyuiop";
    githubId = 81854406;
    name = "Chew Cheng Hong";
  };
  drewrisinger = {
    email = "drisinger+nixpkgs@gmail.com";
    github = "drewrisinger";
@@ -8218,12 +8195,6 @@
    githubId = 25618740;
    name = "Vincent Cui";
  };
  hornwall = {
    email = "hannes@hornwall.me";
    github = "hornwall";
    githubId = 1064477;
    name = "Hannes Hornwall";
  };
  hoverbear = {
    email = "operator+nix@hoverbear.org";
    matrix = "@hoverbear:matrix.org";
@@ -15413,12 +15384,6 @@
    githubId = 49961859;
    name = "Pavel Sobolev";
  };
  pawelchcki = {
    email = "pawel.chcki@gmail.com";
    github = "pawelchcki";
    githubId = 812891;
    name = "Paweł Chojnacki";
  };
  pawelpacana = {
    email = "pawel.pacana@gmail.com";
    github = "pawelpacana";
@@ -15494,12 +15459,6 @@
    githubId = 817039;
    name = "Paulo Casaretto";
  };
  pcboy = {
    email = "david@joynetiks.com";
    github = "pcboy";
    githubId = 943430;
    name = "David Hagege";
  };
  pedrohlc = {
    email = "root@pedrohlc.com";
    github = "PedroHLC";
@@ -16532,12 +16491,6 @@
    githubId = 39039420;
    name = "Quinn Dougherty";
  };
  quodlibetor = {
    email = "quodlibetor@gmail.com";
    github = "quodlibetor";
    githubId = 277161;
    name = "Brandon W Maister";
  };
  qusic = {
    email = "qusicx@gmail.com";
    github = "Qusic";
@@ -18524,14 +18477,6 @@
    githubId = 53050011;
    name = "Yohann Boniface";
  };
  sigmasquadron = {
    name = "Fernando Rodrigues";
    email = "alpha@sigmasquadron.net";
    matrix = "@sigmasquadron:matrix.org";
    github = "SigmaSquadron";
    githubId = 174749595;
    keys = [ { fingerprint = "E3CD E225 47C6 2DB6 6CCD  BC06 CC3A E2EA 0000 0000"; } ];
  };
  sikmir = {
    email = "sikmir@disroot.org";
    matrix = "@sikmir:matrix.org";
@@ -18963,6 +18908,11 @@
    githubId = 10437171;
    keys = [ { fingerprint = "75F0 AB7C FE01 D077 AEE6  CAFD 353E 4A18 EE0F AB72"; } ];
  };
  spacefault = {
    github = "spacefault";
    githubId = 74156492;
    name = "spacefault";
  };
  spacefrogg = {
    email = "spacefrogg-nixos@meterriblecrew.net";
    github = "spacefrogg";
@@ -19813,12 +19763,6 @@
    githubId = 1755789;
    name = "Robert Irelan";
  };
  tembleking = {
    name = "Fede Barcelona";
    email = "fede_rico_94@hotmail.com";
    github = "tembleking";
    githubId = 2988780;
  };
  tengkuizdihar = {
    name = "Tengku Izdihar";
    email = "tengkuizdihar@gmail.com";
@@ -19964,14 +19908,6 @@
    githubId = 34945377;
    name = "John Smith";
  };
  theCapypara = {
    name = "Marco Köpcke";
    email = "hello@capypara.de";
    matrix = "@capypara:matrix.org";
    github = "theCapypara";
    githubId = 3512122;
    keys = [ { fingerprint = "5F29 132D EFA8 5DA0 B598  5BF2 5941 754C 1CDE 33BB"; } ];
  };
  thedavidmeister = {
    email = "thedavidmeister@gmail.com";
    github = "thedavidmeister";
@@ -20551,12 +20487,6 @@
    githubId = 1312290;
    name = "Trevor Joynson";
  };
  treyfortmuller = {
    email = "treyunofficial@gmail.com";
    github = "treyfortmuller";
    githubId = 5715025;
    name = "Trey Fortmuller";
  };
  tricktron = {
    email = "tgagnaux@gmail.com";
    github = "tricktron";
@@ -6,7 +6,6 @@ argparse,,,,,,
 basexx,,,,,,
 binaryheap,,,,,,vcunat
 busted,,,,,,
 busted-htest,,,,,,mrcjkb
 cassowary,,,,,,alerque
 cldr,,,,,,alerque
 compat53,,,,,,vcunat
@@ -174,6 +174,8 @@ commands:
 OK
 > set_network 0 psk "mypassword"
 OK
 > set_network 0 key_mgmt WPA-PSK
 OK
 > enable_network 0
 OK
 ```
@@ -189,6 +191,8 @@ OK
 OK
 > set_network 0 password "mypassword"
 OK
 > set_network 0 key_mgmt WPA-EAP
 OK
 > enable_network 0
 OK
 ```
@@ -20,8 +20,6 @@
 - [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood).
 - [QGroundControl], a ground station support and configuration manager for the PX4 and APM Flight Stacks. Available as [programs.qgroundcontrol](options.html#opt-programs.qgroundcontrol.enable).
 - [Eintopf](https://eintopf.info), community event and calendar web application. Available as [services.eintopf](options.html#opt-services.eintopf).
 - [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).
@@ -30,12 +28,8 @@
 - [Envision](https://gitlab.com/gabmus/envision), a UI for building, configuring and running Monado, the open source OpenXR runtime. Available as [programs.envision](#opt-programs.envision.enable).
 - [realm](https://github.com/zhboner/realm), a simple, high performance relay server written in rust. Available as [services.realm.enable](#opt-services.realm.enable).
 - [Playerctld](https://github.com/altdesktop/playerctl), a daemon to track media player activity. Available as [services.playerctld](option.html#opt-services.playerctld).
 - [Glance](https://github.com/glanceapp/glance), a self-hosted dashboard that puts all your feeds in one place. Available as [services.glance](option.html#opt-services.glance).
 ## Backward Incompatibilities {#sec-release-24.11-incompatibilities}
 - `transmission` package has been aliased with a `trace` warning to `transmission_3`. Since [Transmission 4 has been released last year](https://github.com/transmission/transmission/releases/tag/4.0.0), and Transmission 3 will eventually go away, it was decided perform this warning alias to make people aware of the new version. The `services.transmission.package` defaults to `transmission_3` as well because the upgrade can cause data loss in certain specific usage patterns (examples: [#5153](https://github.com/transmission/transmission/issues/5153), [#6796](https://github.com/transmission/transmission/issues/6796)). Please make sure to back up to your data directory per your usage:
@@ -149,8 +143,6 @@
  services.shiori.environmentFile = "/path/to/env-file";
  ```
 - `/share/nano` is now only linked when `programs.nano.enable` is enabled.
 - `libe57format` has been updated to `>= 3.0.0`, which contains some backward-incompatible API changes. See the [release note](https://github.com/asmaloney/libE57Format/releases/tag/v3.0.0) for more details.
 - `gitlab` deprecated support for *runner registration tokens* in GitLab 16.0, disabled their support in GitLab 17.0 and will
@@ -182,10 +174,6 @@
 - `keycloak` was updated to version 25, which introduces new hostname related options.
  See [Upgrading Guide](https://www.keycloak.org/docs/25.0.1/upgrading/#migrating-to-25-0-0) for instructions.
 - `programs.vim.defaultEditor` now only works if `programs.vim.enable` is enabled.
 - `/share/vim-plugins` now only gets linked if `programs.vim.enable` is enabled
 - The `tracy` package no longer works on X11, since it's moved to Wayland
  support, which is the intended default behavior by Tracy maintainers.
  X11 users have to switch to the new package `tracy-x11`.
@@ -1,5 +1,5 @@
 /**
-  Generates documentation for [nix modules](https://nix.dev/tutorials/module-system/index.html).
+  Generates documentation for [nix modules](https://nix.dev/tutorials/module-system/module-system.html).
  It uses the declared `options` to generate documentation in various formats.
@@ -23,7 +23,6 @@ let
    isPath
    isString
    listToAttrs
    mapAttrs
    nameValuePair
    optionalString
    removePrefix
@@ -141,35 +140,11 @@ utils = rec {
         ];
       } "_secret" -> { ".example[1].relevant.secret" = "/path/to/secret"; }
  */
-  recursiveGetAttrWithJqPrefix = item: attr: mapAttrs (_name: set: set.${attr}) (recursiveGetAttrsetWithJqPrefix item attr);
+  recursiveGetAttrWithJqPrefix = item: attr:
  /* Similar to `recursiveGetAttrWithJqPrefix`, but returns the whole
     attribute set containing `attr` instead of the value of `attr` in
     the set.
     Example:
       recursiveGetAttrsetWithJqPrefix {
         example = [
           {
             irrelevant = "not interesting";
           }
           {
             ignored = "ignored attr";
             relevant = {
               secret = {
                 _secret = "/path/to/secret";
                 quote = true;
               };
             };
           }
         ];
       } "_secret" -> { ".example[1].relevant.secret" = { _secret = "/path/to/secret"; quote = true; }; }
  */
  recursiveGetAttrsetWithJqPrefix = item: attr:
    let
      recurse = prefix: item:
        if item ? ${attr} then
-          nameValuePair prefix item
+          nameValuePair prefix item.${attr}
        else if isDerivation item then []
        else if isAttrs item then
          map (name:
@@ -231,58 +206,6 @@ utils = rec {
           }
         ]
       }
     The attribute set { _secret = "/path/to/secret"; } can contain extra
     options, currently it accepts the `quote = true|false` option.
     If `quote = true` (default behavior), the content of the secret file will
     be quoted as a string and embedded.  Otherwise, if `quote = false`, the
     content of the secret file will be parsed to JSON and then embedded.
     Example:
       If the file "/path/to/secret" contains the JSON document:
       [
         { "a": "topsecretpassword1234" },
         { "b": "topsecretpassword5678" }
       ]
       genJqSecretsReplacementSnippet {
         example = [
           {
             irrelevant = "not interesting";
           }
           {
             ignored = "ignored attr";
             relevant = {
               secret = {
                 _secret = "/path/to/secret";
                 quote = false;
               };
             };
           }
         ];
       } "/path/to/output.json"
       would generate a snippet that, when run, outputs the following
       JSON file at "/path/to/output.json":
       {
         "example": [
           {
             "irrelevant": "not interesting"
           },
           {
             "ignored": "ignored attr",
             "relevant": {
               "secret": [
                 { "a": "topsecretpassword1234" },
                 { "b": "topsecretpassword5678" }
               ]
             }
           }
         ]
       }
  */
  genJqSecretsReplacementSnippet = genJqSecretsReplacementSnippet' "_secret";
@@ -290,11 +213,7 @@ utils = rec {
  # attr which identifies the secret to be changed.
  genJqSecretsReplacementSnippet' = attr: set: output:
    let
-      secretsRaw = recursiveGetAttrsetWithJqPrefix set attr;
+      secrets = recursiveGetAttrWithJqPrefix set attr;
      # Set default option values
      secrets = mapAttrs (_name: set: {
        quote = true;
      } // set) secretsRaw;
      stringOrDefault = str: def: if str == "" then def else str;
    in ''
      if [[ -h '${output}' ]]; then
@@ -308,7 +227,7 @@ utils = rec {
    + concatStringsSep
        "\n"
        (imap1 (index: name: ''
-                  secret${toString index}=$(<'${secrets.${name}.${attr}}')
+                  secret${toString index}=$(<'${secrets.${name}}')
                  export secret${toString index}
                '')
               (attrNames secrets))
@@ -317,7 +236,7 @@ utils = rec {
    + escapeShellArg (stringOrDefault
          (concatStringsSep
            " | "
-            (imap1 (index: name: ''${name} = ($ENV.secret${toString index}${optionalString (!secrets.${name}.quote) " | fromjson"})'')
+            (imap1 (index: name: ''${name} = $ENV.secret${toString index}'')
                   (attrNames secrets)))
          ".")
    + ''
@@ -42,10 +42,8 @@ in
        strings.  The latter is concatenated, interspersed with colon
        characters.
      '';
-      type = with types; attrsOf (oneOf [ (listOf (oneOf [ int str path ])) int str path ]);
+      type = with types; attrsOf (oneOf [ (listOf (oneOf [ float int str ])) float int str path ]);
-      apply = let
+      apply = mapAttrs (n: v: if isList v then concatMapStringsSep ":" toString v else toString v);
        toStr = v: if isPath v then "${v}" else toString v;
      in mapAttrs (n: v: if isList v then concatMapStringsSep ":" toStr v else toStr v);
    };
    environment.profiles = mkOption {
@@ -153,8 +153,10 @@ in
        "/sbin"
        "/share/emacs"
        "/share/hunspell"
        "/share/nano"
        "/share/org"
        "/share/themes"
        "/share/vim-plugins"
        "/share/vulkan"
        "/share/kservices5"
        "/share/kservicetypes5"
@@ -234,7 +234,7 @@ foreach my $u (@{$spec->{users}}) {
    # Ensure home directory incl. ownership and permissions.
    if ($u->{createHome} and !$is_dry) {
-        make_path($u->{home}, { mode => 0755 }) if ! -e $u->{home};
+        make_path($u->{home}, { mode => oct($u->{homeMode}) }) if ! -e $u->{home};
        chown $u->{uid}, $u->{gid}, $u->{home};
        chmod oct($u->{homeMode}), $u->{home};
    }
@@ -96,11 +96,7 @@ in
        Enabling this fixes screen tearing when using Optimus via PRIME (see
        {option}`hardware.nvidia.prime.sync.enable`. This is not enabled
        by default because it is not officially supported by NVIDIA and would not
-        work with SLI.
+        work with SLI
        Enabling this and using version 545 or newer of the proprietary NVIDIA
        driver causes it to provide its own framebuffer device, which can cause
        Wayland compositors to work when they otherwise wouldn't.
      '';
      prime.nvidiaBusId = lib.mkOption {
@@ -572,10 +568,9 @@ in
              "nvidia_drm"
            ];
-            # If requested enable modesetting via kernel parameters.
+            # If requested enable modesetting via kernel parameter.
            kernelParams =
              lib.optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1"
              ++ lib.optional ((offloadCfg.enable || cfg.modesetting.enable) && lib.versionAtLeast nvidia_x11.version "545") "nvidia-drm.fbdev=1"
              ++ lib.optional cfg.powerManagement.enable "nvidia.NVreg_PreserveVideoMemoryAllocations=1"
              ++ lib.optional cfg.open "nvidia.NVreg_OpenRmEnableUnsupportedGpus=1"
              ++ lib.optional (config.boot.kernelPackages.kernel.kernelAtLeast "6.2" && !ibtSupport) "ibt=off";
@@ -69,7 +69,7 @@ let
    patchShebangs --build $out
    black --check --diff $out
-    ruff check --line-length 88 $out
+    ruff --line-length 88 $out
    mypy --strict $out
  '';
@@ -1,7 +1,7 @@
 {
-  x86_64-linux = "/nix/store/f409bhlpp0xkzvdz95qr2yvfjfi8r9jc-nix-2.18.5";
+  x86_64-linux = "/nix/store/1w4b47zhp33md29wjhgg549pc281vv02-nix-2.18.4";
-  i686-linux = "/nix/store/ra39jzrxq3bcpf55aahwv5037akvylf5-nix-2.18.5";
+  i686-linux = "/nix/store/hz02kn0ffn3wdi2xs7lndpr88v4v4fp2-nix-2.18.4";
-  aarch64-linux = "/nix/store/xiw8a4jbnw18svgdb04hyqzg5bsjspqf-nix-2.18.5";
+  aarch64-linux = "/nix/store/90zwqa9z2fgldc7ki1p5gfvglchjh9r6-nix-2.18.4";
-  x86_64-darwin = "/nix/store/k2gzx7i90x3h2c8g6xdi1jkwbl6ic895-nix-2.18.5";
+  x86_64-darwin = "/nix/store/bd1ix5mj9lj2yh7bqnmdjc24zlg5jivk-nix-2.18.4";
-  aarch64-darwin = "/nix/store/rqwymbndaqxma6p8s5brcl9k32n5xx54-nix-2.18.5";
+  aarch64-darwin = "/nix/store/5hvsmklhqiay5i4q5vdkg60p8qpc69rz-nix-2.18.4";
 }
@@ -297,10 +297,7 @@ in
      description = "Update timer for locate database";
      partOf = [ "update-locatedb.service" ];
      wantedBy = [ "timers.target" ];
-      timerConfig = {
+      timerConfig.OnCalendar = cfg.interval;
        OnCalendar = cfg.interval;
        Persistent = true;
      };
    };
  };
@@ -258,7 +258,6 @@
  ./programs/projecteur.nix
  ./programs/proxychains.nix
  ./programs/qdmr.nix
  ./programs/qgroundcontrol.nix
  ./programs/qt5ct.nix
  ./programs/quark-goldleaf.nix
  ./programs/regreet.nix
@@ -973,7 +972,6 @@
  ./services/networking/clatd.nix
  ./services/networking/cloudflare-dyndns.nix
  ./services/networking/cloudflared.nix
  ./services/networking/cloudflare-warp.nix
  ./services/networking/cntlm.nix
  ./services/networking/connman.nix
  ./services/networking/consul.nix
@@ -1151,7 +1149,6 @@
  ./services/networking/radicale.nix
  ./services/networking/radvd.nix
  ./services/networking/rdnssd.nix
  ./services/networking/realm.nix
  ./services/networking/redsocks.nix
  ./services/networking/resilio.nix
  ./services/networking/robustirc-bridge.nix
@@ -1383,7 +1380,6 @@
  ./services/web-apps/freshrss.nix
  ./services/web-apps/galene.nix
  ./services/web-apps/gerrit.nix
  ./services/web-apps/glance.nix
  ./services/web-apps/gotify-server.nix
  ./services/web-apps/gotosocial.nix
  ./services/web-apps/grocy.nix
@@ -5,5 +5,5 @@
 {
  boot.initrd.availableKernelModules = [ "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "9p" "9pnet_virtio" ];
-  boot.initrd.kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" "virtio_gpu" ];
+  boot.initrd.kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ];
 }
@@ -31,14 +31,6 @@ in
      };
    };
    services.udev = {
      enable = true;
      packages = with pkgs; [
        android-udev-rules
        xr-hardware
      ];
    };
    environment.systemPackages = [ cfg.package ];
    networking.firewall = lib.mkIf cfg.openFirewall {
@@ -43,7 +43,6 @@ in
        include "${cfg.package}/share/nano/extra/*.nanorc"
      '') + cfg.nanorc;
      systemPackages = [ cfg.package ];
      pathsToLink = [ "/share/nano" ];
    };
  };
 }
@@ -1,53 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.programs.qgroundcontrol;
 in
 {
  options = {
    programs.qgroundcontrol = {
      enable = lib.mkEnableOption "qgroundcontrol";
      package = lib.mkPackageOption pkgs "qgroundcontrol" {};
      blacklistModemManagerFromTTYUSB = lib.mkOption {
        type = lib.types.bool;
        default = true;
        description = ''
          Disallow ModemManager from interfering with serial connections that QGroundControl might use.
          Note that if you use a modem that's connected via USB, you might want to disable this option.
        '';
      };
    };
  };
  config = lib.mkIf cfg.enable {
    # ModemManager is known to interfere with serial connections;
    # QGC recommends disabling it, but we don't want to if we can avoid it
    # Instead, we blacklist tty devices using udev rules, which is a more targeted approach
    services.udev = lib.mkIf cfg.blacklistModemManagerFromTTYUSB {
      enable = true;
      extraRules = ''
        # nixos/qgroundcontrol: Blacklist ttyUSB devices from ModemManager
        SUBSYSTEM=="tty", KERNEL=="ttyUSB*", ENV{ID_MM_DEVICE_IGNORE}="1"
      '';
    };
    # Security wrapper
    security.wrappers.qgroundcontrol = {
      source = lib.getExe cfg.package;
      owner = "root"; # Sensible default; not setuid so this is not a security risk
      group = "tty";
      setgid = true;
    };
  };
  meta.maintainers = pkgs.qgroundcontrol.meta.maintainers;
 }
@@ -22,7 +22,7 @@ let
  serverOptions = { name, config, ... }: {
    freeformType = attrsOf (either scalarType (listOf scalarType));
    # Client system-options file directives are explained here:
-    # https://www.ibm.com/docs/en/storage-protect/8.1.23?topic=commands-processing-options
+    # https://www.ibm.com/docs/en/storage-protect/8.1.22?topic=commands-processing-options
    options.servername = mkOption {
      type = servernameType;
      default = name;
@@ -1,31 +1,25 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.programs.vim;
-in
+in {
 {
  options.programs.vim = {
-    enable = lib.mkEnableOption "Vi IMproved, an advanced text";
+    defaultEditor = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        When enabled, installs vim and configures vim to be the default editor
        using the EDITOR environment variable.
      '';
    };
-    defaultEditor = lib.mkEnableOption "vim as the default editor";
+    package = lib.mkPackageOption pkgs "vim" {
-
+      example = "vim-full";
    package = lib.mkPackageOption pkgs "vim" { example = "vim-full"; };
  };
  # TODO: convert it into assert after 24.11 release
  config = lib.mkIf (cfg.enable || cfg.defaultEditor) {
    warnings = lib.mkIf (cfg.defaultEditor && !cfg.enable) [
      "programs.vim.defaultEditor will only work if programs.vim.enable is enabled, will be encfored after the 24.11 release"
    ];
    environment = {
      systemPackages = [ cfg.package ];
      variables.EDITOR = lib.mkIf cfg.defaultEditor (lib.mkOverride 900 "vim");
      pathsToLink = [ "/share/vim-plugins" ];
    };
  };
  config = lib.mkIf cfg.defaultEditor {
    environment.systemPackages = [ cfg.package ];
    environment.variables = { EDITOR = lib.mkOverride 900 "vim"; };
  };
 }
@@ -42,28 +42,6 @@ in
      '';
    };
    includeFileList = mkOption {
      type = types.nullOr types.path;
      default = null;
      example = /path/to/fileList.txt;
      description = ''
        File containing newline-separated list of paths to include into the
        backups. See the FILE SELECTION section in {manpage}`duplicity(1)` for
        details on the syntax.
      '';
    };
    excludeFileList = mkOption {
      type = types.nullOr types.path;
      default = null;
      example = /path/to/fileList.txt;
      description = ''
        File containing newline-separated list of paths to exclude into the
        backups. See the FILE SELECTION section in {manpage}`duplicity(1)` for
        details on the syntax.
      '';
    };
    targetUrl = mkOption {
      type = types.str;
      example = "s3://host:port/prefix";
@@ -176,8 +154,6 @@ in
            ${lib.optionalString (cfg.cleanup.maxIncr != null) "${dup} remove-all-inc-of-but-n-full ${toString cfg.cleanup.maxIncr} ${target} --force ${extra}"}
            exec ${dup} ${if cfg.fullIfOlderThan == "always" then "full" else "incr"} ${lib.escapeShellArgs (
              [ cfg.root cfg.targetUrl ]
              ++ lib.optionals (cfg.includeFileList != null) [ "--include-filelist" cfg.includeFileList ]
              ++ lib.optionals (cfg.excludeFileList != null) [ "--exclude-filelist" cfg.excludeFileList ]
              ++ concatMap (p: [ "--include" p ]) cfg.include
              ++ concatMap (p: [ "--exclude" p ]) cfg.exclude
              ++ (lib.optionals (cfg.fullIfOlderThan != "never" && cfg.fullIfOlderThan != "always") [ "--full-if-older-than" cfg.fullIfOlderThan ])
@@ -90,7 +90,7 @@ in
      environment.HOME = "/var/lib/tsm-backup";
      serviceConfig = {
        # for exit status description see
-        # https://www.ibm.com/docs/en/storage-protect/8.1.23?topic=clients-client-return-codes
+        # https://www.ibm.com/docs/en/storage-protect/8.1.22?topic=clients-client-return-codes
        SuccessExitStatus = "4 8";
        # The `-se` option must come after the command.
        # The `-optfile` option suppresses a `dsm.opt`-not-found warning.
@@ -241,7 +241,7 @@ in
      "kernel.panic_on_oops" = 1;
    };
-    systemd.services."rke2-${cfg.role}" = {
+    systemd.services.rke2 = {
      description = "Rancher Kubernetes Engine v2";
      documentation = [ "https://github.com/rancher/rke2#readme" ];
      after = [ "network-online.target" ];
@@ -21,8 +21,6 @@ in {
        history-service
        libusermetrics
        lomiri
        lomiri-calculator-app
        lomiri-clock-app
        lomiri-download-manager
        lomiri-filemanager-app
        lomiri-polkit-agent
@@ -38,7 +36,7 @@ in {
        morph-browser
        qtmir # not having its desktop file for Xwayland available causes any X11 application to crash the session
        suru-icon-theme
-        telephony-service
+        # telephony-service # currently broken: https://github.com/NixOS/nixpkgs/pull/314043
      ]);
      variables = {
        # To override the keyboard layouts in Lomiri
@@ -87,7 +85,7 @@ in {
      ] ++ lib.optionals (config.hardware.pulseaudio.enable || config.services.pipewire.pulse.enable) [
        ayatana-indicator-sound
      ]) ++ (with pkgs.lomiri; [
-        telephony-service
+        # telephony-service # currently broken: https://github.com/NixOS/nixpkgs/pull/314043
      ] ++ lib.optionals config.networking.networkmanager.enable [
        lomiri-indicator-network
      ]);
@@ -19,28 +19,15 @@ let
    (boolFlag "secure" cfg.secure)
    (boolFlag "noupnp" cfg.noUPnP)
  ];
  stopScript = pkgs.writeScript "terraria-stop" ''
    #!${pkgs.runtimeShell}
  tmuxCmd = "${lib.getExe pkgs.tmux} -S ${lib.escapeShellArg cfg.dataDir}/terraria.sock";
  stopScript = pkgs.writeShellScript "terraria-stop" ''
    if ! [ -d "/proc/$1" ]; then
      exit 0
    fi
-    lastline=$(${tmuxCmd} capture-pane -p | grep . | tail -n1)
+    ${getBin pkgs.tmux}/bin/tmux -S ${cfg.dataDir}/terraria.sock send-keys Enter exit Enter
-
+    ${getBin pkgs.coreutils}/bin/tail --pid="$1" -f /dev/null
    # If the service is not configured to auto-start a world, it will show the world selection prompt
    # If the last non-empty line on-screen starts with "Choose World", we know the prompt is open
    if [[ "$lastline" =~ ^'Choose World' ]]; then
      # In this case, nothing needs to be saved, so we can kill the process
      ${tmuxCmd} kill-session
    else
      # Otherwise, we send the `exit` command
      ${tmuxCmd} send-keys Enter exit Enter
    fi
    # Wait for the process to stop
    tail --pid="$1" -f /dev/null
  '';
 in
 {
@@ -165,7 +152,7 @@ in
        Type = "forking";
        GuessMainPID = true;
        UMask = 007;
-        ExecStart = "${tmuxCmd} new -d ${pkgs.terraria-server}/bin/TerrariaServer ${concatStringsSep " " flags}";
+        ExecStart = "${getBin pkgs.tmux}/bin/tmux -S ${cfg.dataDir}/terraria.sock new -d ${pkgs.terraria-server}/bin/TerrariaServer ${concatStringsSep " " flags}";
        ExecStop = "${stopScript} $MAINPID";
      };
    };
@@ -1,17 +1,14 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, options, pkgs, ... }:
 with lib;
 let
  cfg = config.services.languagetool;
-  settingsFormat = pkgs.formats.javaProperties { };
+  settingsFormat = pkgs.formats.javaProperties {};
-in
+in {
 {
  options.services.languagetool = {
    enable = mkEnableOption "the LanguageTool server, a multilingual spelling, style, and grammar checker that helps correct or paraphrase texts";
    package = mkPackageOption pkgs "languagetool" { };
    port = mkOption {
      type = types.port;
      default = 8081;
@@ -34,7 +31,7 @@ in
      '';
    };
-    settings = mkOption {
+    settings = lib.mkOption {
      type = types.submodule {
        freeformType = settingsFormat.type;
@@ -52,25 +49,11 @@ in
        for supported settings.
      '';
    };
    jrePackage = mkPackageOption pkgs "jre" { };
    jvmOptions = mkOption {
      description = ''
        Extra command line options for the JVM running languagetool.
        More information can be found here: https://docs.oracle.com/en/java/javase/19/docs/specs/man/java.html#standard-options-for-java
      '';
      default = [ ];
      type = types.listOf types.str;
      example = [
        "-Xmx512m"
      ];
    };
  };
  config = mkIf cfg.enable {
-    systemd.services.languagetool = {
+    systemd.services.languagetool =  {
      description = "LanguageTool HTTP server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
@@ -82,17 +65,13 @@ in
        RestrictNamespaces = [ "" ];
        SystemCallFilter = [ "@system-service" "~ @privileged" ];
        ProtectHome = "yes";
        Restart = "on-failure";
        ExecStart = ''
-          ${cfg.jrePackage}/bin/java \
+          ${pkgs.languagetool}/bin/languagetool-http-server \
-            -cp ${cfg.package}/share/languagetool-server.jar \
+            --port ${toString cfg.port} \
-            ${toString cfg.jvmOptions} \
+            ${optionalString cfg.public "--public"} \
-            org.languagetool.server.HTTPServer \
+            ${optionalString (cfg.allowOrigin != null) "--allow-origin ${cfg.allowOrigin}"} \
-              --port ${toString cfg.port} \
+            "--config" ${settingsFormat.generate "languagetool.conf" cfg.settings}
-              ${optionalString cfg.public "--public"} \
+          '';
              ${optionalString (cfg.allowOrigin != null) "--allow-origin ${cfg.allowOrigin}"} \
              "--config" ${settingsFormat.generate "languagetool.conf" cfg.settings}
        '';
      };
    };
  };
@@ -6,9 +6,8 @@ let
  cfg = config.services.opentelemetry-collector;
  opentelemetry-collector = cfg.package;
-  settingsFormat = pkgs.formats.yaml { };
+  settingsFormat = pkgs.formats.yaml {};
-in
+in {
 {
  options.services.opentelemetry-collector = {
    enable = mkEnableOption "Opentelemetry Collector";
@@ -16,7 +15,7 @@ in
    settings = mkOption {
      type = settingsFormat.type;
-      default = { };
+      default = {};
      description = ''
        Specify the configuration for Opentelemetry Collector in Nix.
@@ -36,9 +35,9 @@ in
  config = mkIf cfg.enable {
    assertions = [{
      assertion = (
-        (cfg.settings == { }) != (cfg.configFile == null)
+        (cfg.settings == {}) != (cfg.configFile == null)
      );
-      message = ''
+      message  = ''
        Please specify a configuration for Opentelemetry Collector with either
        'services.opentelemetry-collector.settings' or
        'services.opentelemetry-collector.configFile'.
@@ -49,27 +48,21 @@ in
      description = "Opentelemetry Collector Service Daemon";
      wantedBy = [ "multi-user.target" ];
-      serviceConfig =
+      serviceConfig = let
-        let
+        conf = if cfg.configFile == null
-          conf =
+               then settingsFormat.generate "config.yaml" cfg.settings
-            if cfg.configFile == null
+               else cfg.configFile;
-            then settingsFormat.generate "config.yaml" cfg.settings
+      in
-            else cfg.configFile;
+      {
-        in
+        ExecStart = "${getExe opentelemetry-collector} --config=file:${conf}";
-        {
+        DynamicUser = true;
-          ExecStart = "${getExe opentelemetry-collector} --config=file:${conf}";
+        Restart = "always";
-          DynamicUser = true;
+        ProtectSystem = "full";
-          Restart = "always";
+        DevicePolicy = "closed";
-          ProtectSystem = "full";
+        NoNewPrivileges = true;
-          DevicePolicy = "closed";
+        WorkingDirectory = "/var/lib/opentelemetry-collector";
-          NoNewPrivileges = true;
+        StateDirectory = "opentelemetry-collector";
-          WorkingDirectory = "%S/opentelemetry-collector";
+      };
          StateDirectory = "opentelemetry-collector";
          SupplementaryGroups = [
            # allow to read the systemd journal for opentelemetry-collector
            "systemd-journal"
          ];
        };
    };
  };
 }
@@ -32,15 +32,9 @@ in
          ${escapeShellArgs cfg.extraFlags}
        '';
        CapabilityBoundingSet = [ "" ];
        DeviceAllow = [ "" ];
        DynamicUser = true;
        NoNewPrivileges = true;
        MemoryDenyWriteExecute = true;
        LockPersonality = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        ProtectHome = "tmpfs";
@@ -49,8 +43,6 @@ in
        PrivateDevices = true;
        PrivateIPC = true;
        ProcSubset = "pid";
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
@@ -58,10 +50,7 @@ in
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        Restart  = "on-failure";
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
@@ -181,57 +181,15 @@ in {
                                                    -i "${alertmanagerYml}"
        '';
        serviceConfig = {
          Restart  = "always";
          StateDirectory = "alertmanager";
          DynamicUser = true; # implies PrivateTmp
          EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
          WorkingDirectory = "/tmp";
          ExecStart = "${cfg.package}/bin/alertmanager" +
            optionalString (length cmdlineArgs != 0) (" \\\n  " +
              concatStringsSep " \\\n  " cmdlineArgs);
          ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
          EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
          CapabilityBoundingSet = [ "" ];
          DeviceAllow = [ "" ];
          DynamicUser = true;
          NoNewPrivileges = true;
          MemoryDenyWriteExecute = true;
          LockPersonality = true;
          ProtectProc = "invisible";
          ProtectSystem = "strict";
          ProtectHome = "tmpfs";
          PrivateTmp = true;
          PrivateDevices = true;
          PrivateIPC = true;
          ProcSubset = "pid";
          ProtectHostname = true;
          ProtectClock = true;
          ProtectKernelTunables = true;
          ProtectKernelModules = true;
          ProtectKernelLogs = true;
          ProtectControlGroups = true;
          Restart  = "always";
          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          StateDirectory = "alertmanager";
          SystemCallFilter = [
            "@system-service"
            "~@cpu-emulation"
            "~@privileged"
            "~@reboot"
            "~@setuid"
            "~@swap"
          ];
          WorkingDirectory = "/tmp";
        };
      };
    })
@@ -29,7 +29,6 @@ let
    "blackbox"
    "buildkite-agent"
    "collectd"
    "deluge"
    "dmarc"
    "dnsmasq"
    "dnssec"
@@ -409,14 +408,6 @@ in
        Please ensure you have either `services.prometheus.exporters.idrac.configuration'
          or `services.prometheus.exporters.idrac.configurationPath' set!
      '';
    } {
      assertion = cfg.deluge.enable -> (
        (cfg.deluge.delugePassword == null) != (cfg.deluge.delugePasswordFile == null)
      );
      message = ''
        Please ensure you have either `services.prometheus.exporters.deluge.delugePassword'
          or `services.prometheus.exporters.deluge.delugePasswordFile' set!
      '';
    } ] ++ (flip map (attrNames exporterOpts) (exporter: {
      assertion = cfg.${exporter}.firewallFilter != null -> cfg.${exporter}.openFirewall;
      message = ''
@@ -446,13 +437,6 @@ in
    hardware.rtl-sdr.enable = mkDefault true;
  })] ++ [(mkIf config.services.postfix.enable {
    services.prometheus.exporters.postfix.group = mkDefault config.services.postfix.setgidGroup;
  })] ++ [(mkIf config.services.prometheus.exporters.deluge.enable {
    system.activationScripts = {
      deluge-exported.text = ''
      mkdir -p /etc/deluge-exporter
      echo "DELUGE_PASSWORD=$(cat ${config.services.prometheus.exporters.deluge.delugePasswordFile})" > /etc/deluge-exporter/password
      '';
    };
  })] ++ (mapAttrsToList (name: conf:
    mkExporterConf {
      inherit name;
@@ -1,85 +0,0 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.prometheus.exporters.deluge;
  inherit (lib) mkOption types concatStringsSep;
 in
 {
  port = 9354;
  extraOpts = {
    delugeHost = mkOption {
      type = types.str;
      default = "localhost";
      description = ''
        Hostname where deluge server is running.
      '';
    };
    delugePort = mkOption {
      type = types.port;
      default = 58846;
      description = ''
        Port where deluge server is listening.
      '';
    };
    delugeUser = mkOption {
      type = types.str;
      default = "localclient";
      description = ''
        User to connect to deluge server.
      '';
    };
    delugePassword = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Password to connect to deluge server.
        This stores the password unencrypted in the nix store and is thus considered unsafe. Prefer
        using the delugePasswordFile option.
      '';
    };
    delugePasswordFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        File containing the password to connect to deluge server.
      '';
    };
    exportPerTorrentMetrics = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable per-torrent metrics.
        This may significantly increase the number of time series depending on the number of
        torrents in your Deluge instance.
      '';
    };
  };
  serviceOpts = {
    serviceConfig = {
      ExecStart = ''
        ${pkgs.prometheus-deluge-exporter}/bin/deluge-exporter
      '';
      Environment = [
        "LISTEN_PORT=${toString cfg.port}"
        "LISTEN_ADDRESS=${toString cfg.listenAddress}"
        "DELUGE_HOST=${cfg.delugeHost}"
        "DELUGE_USER=${cfg.delugeUser}"
        "DELUGE_PORT=${toString cfg.delugePort}"
      ] ++ lib.optionals (cfg.delugePassword != null) [
        "DELUGE_PASSWORD=${cfg.delugePassword}"
      ] ++ lib.optionals cfg.exportPerTorrentMetrics [
        "PER_TORRENT_METRICS=1"
      ];
      EnvironmentFile = lib.optionalString (cfg.delugePasswordFile != null) "/etc/deluge-exporter/password";
    };
  };
 }
@@ -147,52 +147,12 @@ in {
      wantedBy = [ "multi-user.target" ];
      after    = [ "network.target" ];
      serviceConfig = {
        Restart  = "always";
        DynamicUser = true;
        ExecStart = "${cfg.package}/bin/pushgateway" +
          optionalString (length cmdlineArgs != 0) (" \\\n  " +
            concatStringsSep " \\\n  " cmdlineArgs);
        CapabilityBoundingSet = [ "" ];
        DeviceAllow = [ "" ];
        DynamicUser = true;
        NoNewPrivileges = true;
        MemoryDenyWriteExecute = true;
        LockPersonality = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        ProtectHome = "tmpfs";
        PrivateTmp = true;
        PrivateDevices = true;
        PrivateIPC = true;
        ProcSubset = "pid";
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        Restart  = "always";
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        StateDirectory = if cfg.persistMetrics then cfg.stateDir else null;
        SystemCallFilter = [
          "@system-service"
          "~@cpu-emulation"
          "~@privileged"
          "~@reboot"
          "~@setuid"
          "~@swap"
        ];
      };
    };
  };
@@ -101,7 +101,8 @@ in {
      preStart = with cfg.settings; ''
        if ! test -f ${password-file}; then
-          < /dev/urandom tr -dc _A-Z-a-z-0-9 2> /dev/null | head -c32 | install -m 600 /dev/stdin ${password-file}
+          < /dev/urandom tr -dc _A-Z-a-z-0-9 2> /dev/null | head -c32 > ${password-file}
          chmod 0600 ${password-file}
          echo "Initialized ${password-file} from /dev/urandom"
        fi
        if [ ! -f ${data-dir}/keys/libp2p.key ]; then
@@ -1,91 +0,0 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.cloudflare-warp;
 in
 {
  options.services.cloudflare-warp = {
    enable = lib.mkEnableOption "Cloudflare Zero Trust client daemon";
    package = lib.mkPackageOption pkgs "cloudflare-warp" { };
    rootDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/cloudflare-warp";
      description = ''
        Working directory for the warp-svc daemon.
      '';
    };
    udpPort = lib.mkOption {
      type = lib.types.port;
      default = 2408;
      description = ''
        The UDP port to open in the firewall. Warp uses port 2408 by default, but fallback ports can be used
        if that conflicts with another service. See the [firewall documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/firewall#warp-udp-ports)
        for the pre-configured available fallback ports.
      '';
    };
    openFirewall = lib.mkEnableOption "opening UDP ports in the firewall" // {
      default = true;
    };
  };
  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ cfg.package ];
    networking.firewall = lib.mkIf cfg.openFirewall {
      allowedUDPPorts = [ cfg.udpPort ];
    };
    systemd.tmpfiles.rules = [
      "d ${cfg.rootDir}    - root root"
      "z ${cfg.rootDir}    - root root"
    ];
    systemd.services.cloudflare-warp = {
      enable = true;
      description = "Cloudflare Zero Trust Client Daemon";
      # lsof is used by the service to determine which UDP port to bind to
      # in the case that it detects collisions.
      path = [ pkgs.lsof ];
      requires = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig =
        let
          caps = [
            "CAP_NET_ADMIN"
            "CAP_NET_BIND_SERVICE"
            "CAP_SYS_PTRACE"
          ];
        in
        {
          Type = "simple";
          ExecStart = "${cfg.package}/bin/warp-svc";
          ReadWritePaths = [ "${cfg.rootDir}" "/etc/resolv.conf" ];
          CapabilityBoundingSet = caps;
          AmbientCapabilities = caps;
          Restart = "always";
          RestartSec = 5;
          Environment = [ "RUST_BACKTRACE=full" ];
          WorkingDirectory = cfg.rootDir;
          # See the systemd.exec docs for the canonicalized paths, the service
          # makes use of them for logging, and account state info tracking.
          # https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#RuntimeDirectory=
          StateDirectory = "cloudflare-warp";
          RuntimeDirectory = "cloudflare-warp";
          LogsDirectory = "cloudflare-warp";
          # The service needs to write to /etc/resolv.conf to configure DNS, so that file would have to
          # be world read/writable to run as anything other than root.
          User = "root";
          Group = "root";
        };
    };
  };
  meta.maintainers = with lib.maintainers; [ treyfortmuller ];
 }
@@ -122,7 +122,6 @@ in
        RuntimeDirectory = name;
        RuntimeDirectoryMode = "0700";
        StateDirectory = name;
        SuccessExitStatus = [ 143 ];
        WorkingDirectory = stateDir;
        # For access to /dev/ttyACM0 (ConBee).
        SupplementaryGroups = [ "dialout" ];
@@ -1,27 +1,18 @@
-{
+{ config, lib, pkgs, ... }:
-  config,
+
-  lib,
+with lib;
  pkgs,
  ...
 }:
 let
  cfg = config.services.magic-wormhole-mailbox-server;
  # keep semicolon in dataDir for backward compatibility
  dataDir = "/var/lib/magic-wormhole-mailbox-server;";
-  python = pkgs.python311.withPackages (
+  python = pkgs.python3.withPackages (py: [ py.magic-wormhole-mailbox-server py.twisted ]);
    py: with py; [
      magic-wormhole-mailbox-server
      twisted
    ]
  );
 in
 {
  options.services.magic-wormhole-mailbox-server = {
-    enable = lib.mkEnableOption "Magic Wormhole Mailbox Server";
+    enable = mkEnableOption "Magic Wormhole Mailbox Server";
  };
-  config = lib.mkIf cfg.enable {
+  config = mkIf cfg.enable {
    systemd.services.magic-wormhole-mailbox-server = {
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
@@ -32,7 +23,6 @@ in
        StateDirectory = baseNameOf dataDir;
      };
    };
  };
-  meta.maintainers = [ lib.maintainers.mjoerg ];
+  };
 }
@@ -51,8 +51,8 @@ in
            };
            key = mkOption {
-              type = types.oneOf [types.nonEmptyStr types.path];
+              type = types.path;
-              description = "Path or reference to the host key.";
+              description = "Path to the host key.";
              example = "/etc/nebula/host.key";
            };
@@ -241,7 +241,7 @@ in
              ProtectKernelModules = true;
              ProtectKernelTunables = true;
              ProtectProc = "invisible";
-              ProtectSystem = true;
+              ProtectSystem = "strict";
              RestrictNamespaces = true;
              RestrictSUIDSGID = true;
              User = networkId;
@@ -269,6 +269,4 @@ in
      ${nameToId netName} = {};
    }) enabledNetworks);
  };
  meta.maintainers = [ numinit ];
 }
@@ -1,50 +0,0 @@
 { config
 , lib
 , pkgs
 , ...
 }:
 let
  cfg = config.services.realm;
  configFormat = pkgs.formats.json { };
  configFile = configFormat.generate "config.json" cfg.config;
  inherit (lib)
    mkEnableOption mkPackageOption mkOption mkIf types getExe;
 in
 {
  meta.maintainers = with lib.maintainers; [ ocfox ];
  options = {
    services.realm = {
      enable = mkEnableOption "A simple, high performance relay server written in rust";
      package = mkPackageOption pkgs "realm" { };
      config = mkOption {
        type = types.submodule {
          freeformType = configFormat.type;
        };
        default = { };
        description = ''
          The realm configuration, see <https://github.com/zhboner/realm#overview> for documentation.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    systemd.services.realm = {
      serviceConfig = {
        DynamicUser = true;
        MemoryDenyWriteExecute = true;
        PrivateDevices = true;
        ProtectClock = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectProc = "invisible";
        ProtectKernelTunables = true;
        ExecStart = "${getExe cfg.package} --config ${configFile}";
        AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];
      };
      wantedBy = [ "multi-user.target" ];
    };
  };
 }
@@ -3,10 +3,8 @@
 with lib;
 let
  globalCfg = config.services.scion;
  cfg = config.services.scion.scion-control;
  toml = pkgs.formats.toml { };
  connectionDir = if globalCfg.stateless then "/run" else "/var/lib";
  defaultConfig = {
    general = {
      id = "cs";
@@ -14,13 +12,13 @@ let
      reconnect_to_dispatcher = true;
    };
    beacon_db = {
-      connection = "${connectionDir}/scion-control/control.beacon.db";
+      connection = "/run/scion-control/control.beacon.db";
    };
    path_db = {
-      connection = "${connectionDir}/scion-control/control.path.db";
+      connection = "/run/scion-control/control.path.db";
    };
    trust_db = {
-      connection = "${connectionDir}/scion-control/control.trust.db";
+      connection = "/run/scion-control/control.trust.db";
    };
    log.console = {
      level = "info";
@@ -64,7 +62,7 @@ in
        DynamicUser = true;
        Restart = "on-failure";
        BindPaths = [ "/dev/shm:/run/shm" ];
-        ${if globalCfg.stateless then "RuntimeDirectory" else "StateDirectory"} = "scion-control";
+        RuntimeDirectory = "scion-control";
      };
    };
  };
@@ -3,10 +3,8 @@
 with lib;
 let
  globalCfg = config.services.scion;
  cfg = config.services.scion.scion-daemon;
  toml = pkgs.formats.toml { };
  connectionDir = if globalCfg.stateless then "/run" else "/var/lib";
  defaultConfig = {
    general = {
      id = "sd";
@@ -14,10 +12,10 @@ let
      reconnect_to_dispatcher = true;
    };
    path_db = {
-      connection = "${connectionDir}/scion-daemon/sd.path.db";
+      connection = "/run/scion-daemon/sd.path.db";
    };
    trust_db = {
-      connection = "${connectionDir}/scion-daemon/sd.trust.db";
+      connection = "/run/scion-daemon/sd.trust.db";
    };
    log.console = {
      level = "info";
@@ -59,7 +57,7 @@ in
        ExecStart = "${pkgs.scion}/bin/scion-daemon --config ${configFile}";
        Restart = "on-failure";
        DynamicUser = true;
-        ${if globalCfg.stateless then "RuntimeDirectory" else "StateDirectory"} = "scion-daemon";
+        RuntimeDirectory = "scion-daemon";
      };
    };
  };
@@ -3,7 +3,6 @@
 with lib;
 let
  globalCfg = config.services.scion;
  cfg = config.services.scion.scion-dispatcher;
  toml = pkgs.formats.toml { };
  defaultConfig = {
@@ -67,7 +66,7 @@ in
        ExecStartPre = "${pkgs.coreutils}/bin/rm -rf /run/shm/dispatcher";
        ExecStart = "${pkgs.scion}/bin/scion-dispatcher --config ${configFile}";
        Restart = "on-failure";
-        ${if globalCfg.stateless then "RuntimeDirectory" else "StateDirectory"} = "scion-dispatcher";
+        RuntimeDirectory = "scion-dispatcher";
      };
    };
  };
@@ -3,7 +3,6 @@
 with lib;
 let
  globalCfg = config.services.scion;
  cfg = config.services.scion.scion-router;
  toml = pkgs.formats.toml { };
  defaultConfig = {
@@ -43,7 +42,7 @@ in
        ExecStart = "${pkgs.scion}/bin/scion-router --config ${configFile}";
        Restart = "on-failure";
        DynamicUser = true;
-        ${if globalCfg.stateless then "RuntimeDirectory" else "StateDirectory"} = "scion-router";
+        RuntimeDirectory = "scion-router";
      };
    };
  };
@@ -8,22 +8,6 @@ in
 {
  options.services.scion = {
    enable = mkEnableOption "all of the scion components and services";
    stateless = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Setting this value to false (stateful) can lead to improved caching and
        performance.
        This option decides whether to persist the SCION path sqlite databases
        on disk or not. Persisting this data can lead to database corruption in
        extreme cases such as power outage, meaning SCION fails to work on the
        next boot. This is being investigated.
        If true, /run/scion-* is used for data
        If false, use /var/lib/scion-* is used for data
      '';
    };
    bypassBootstrapWarning = mkOption {
      type = types.bool;
      default = false;
@@ -5,6 +5,7 @@ let
  stateDir = "/var/lib/clamav";
  clamavGroup = clamavUser;
  cfg = config.services.clamav;
  pkg = pkgs.clamav;
  toKeyValue = generators.toKeyValue {
    mkKeyValue = generators.mkKeyValueDefault { } " ";
@@ -26,7 +27,6 @@ in
  options = {
    services.clamav = {
      package = mkPackageOption pkgs "clamav" { };
      daemon = {
        enable = mkEnableOption "ClamAV clamd daemon";
@@ -125,7 +125,7 @@ in
  };
  config = mkIf (cfg.updater.enable || cfg.daemon.enable) {
-    environment.systemPackages = [ cfg.package ];
+    environment.systemPackages = [ pkg ];
    users.users.${clamavUser} = {
      uid = config.ids.uids.clamav;
@@ -172,7 +172,7 @@ in
      restartTriggers = [ clamdConfigFile ];
      serviceConfig = {
-        ExecStart = "${cfg.package}/bin/clamd";
+        ExecStart = "${pkg}/bin/clamd";
        ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
        User = clamavUser;
        Group = clamavGroup;
@@ -201,7 +201,7 @@ in
      serviceConfig = {
        Type = "oneshot";
-        ExecStart = "${cfg.package}/bin/freshclam";
+        ExecStart = "${pkg}/bin/freshclam";
        SuccessExitStatus = "1"; # if databases are up to date
        StateDirectory = "clamav";
        User = clamavUser;
@@ -274,7 +274,7 @@ in
      serviceConfig = {
        Type = "oneshot";
-        ExecStart = "${cfg.package}/bin/clamdscan --multiscan --fdpass --infected --allmatch ${lib.concatStringsSep " " cfg.scanner.scanDirectories}";
+        ExecStart = "${pkg}/bin/clamdscan --multiscan --fdpass --infected --allmatch ${lib.concatStringsSep " " cfg.scanner.scanDirectories}";
      };
    };
  };
@@ -1,39 +0,0 @@
 # Glance {#module-services-glance}
 Glance is a self-hosted dashboard that puts all your feeds in one place.
 Visit [the Glance project page](https://github.com/glanceapp/glance) to learn
 more about it.
 ## Quickstart {#module-services-glance-quickstart}
 Checkout the [configuration docs](https://github.com/glanceapp/glance/blob/main/docs/configuration.md) to learn more.
 Use the following configuration to start a public instance of Glance locally:
 ```nix
 {
  services.glance = {
    enable = true;
    settings = {
      pages = [
        {
          name = "Home";
          columns = [
            {
              size = "full";
              widgets = [
                { type = "calendar"; }
                {
                  type = "weather";
                  location = "Nivelles, Belgium";
                }
              ];
            }
          ];
        }
      ];
    };
    openFirewall = true;
  };
 }
 ```
@@ -1,141 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.services.glance;
  inherit (lib)
    mkEnableOption
    mkPackageOption
    mkOption
    mkIf
    getExe
    types
    ;
  settingsFormat = pkgs.formats.yaml { };
 in
 {
  options.services.glance = {
    enable = mkEnableOption "glance";
    package = mkPackageOption pkgs "glance" { };
    settings = mkOption {
      type = types.submodule {
        freeformType = settingsFormat.type;
        options = {
          server = {
            host = mkOption {
              description = "Glance bind address";
              default = "127.0.0.1";
              example = "0.0.0.0";
              type = types.str;
            };
            port = mkOption {
              description = "Glance port to listen on";
              default = 8080;
              example = 5678;
              type = types.port;
            };
          };
          pages = mkOption {
            type = settingsFormat.type;
            description = ''
              List of pages to be present on the dashboard.
              See <https://github.com/glanceapp/glance/blob/main/docs/configuration.md#pages--columns>
            '';
            default = [
              {
                name = "Calendar";
                columns = [
                  {
                    size = "full";
                    widgets = [ { type = "calendar"; } ];
                  }
                ];
              }
            ];
            example = [
              {
                name = "Home";
                columns = [
                  {
                    size = "full";
                    widgets = [
                      { type = "calendar"; }
                      {
                        type = "weather";
                        location = "Nivelles, Belgium";
                      }
                    ];
                  }
                ];
              }
            ];
          };
        };
      };
      default = { };
      description = ''
        Configuration written to a yaml file that is read by glance. See
        <https://github.com/glanceapp/glance/blob/main/docs/configuration.md>
        for more.
      '';
    };
    openFirewall = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to open the firewall for Glance.
        This adds `services.glance.settings.server.port` to `networking.firewall.allowedTCPPorts`.
      '';
    };
  };
  config = mkIf cfg.enable {
    systemd.services.glance = {
      description = "Glance feed dashboard server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        ExecStart =
          let
            glance-yaml = settingsFormat.generate "glance.yaml" cfg.settings;
          in
          "${getExe cfg.package} --config ${glance-yaml}";
        WorkingDirectory = "/var/lib/glance";
        StateDirectory = "glance";
        RuntimeDirectory = "glance";
        RuntimeDirectoryMode = "0755";
        PrivateTmp = true;
        DynamicUser = true;
        DevicePolicy = "closed";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        PrivateUsers = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        ProcSubset = "pid";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        UMask = "0077";
      };
    };
    networking.firewall = mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.settings.server.port ]; };
  };
  meta.doc = ./glance.md;
  meta.maintainers = [ lib.maintainers.drupol ];
 }
@@ -398,29 +398,30 @@ in
      before = [ "jicofo.service" "jitsi-videobridge2.service" ] ++ (optional cfg.prosody.enable "prosody.service") ++ (optional cfg.jigasi.enable "jigasi.service");
      serviceConfig = {
        Type = "oneshot";
        UMask = "027";
        User = "root";
        Group = "jitsi-meet";
        WorkingDirectory = "/var/lib/jitsi-meet";
      };
      script = let
        secrets = [ "jicofo-component-secret" "jicofo-user-secret" "jibri-auth-secret" "jibri-recorder-secret" ] ++ (optionals cfg.jigasi.enable [ "jigasi-user-secret" "jigasi-component-secret" ]) ++ (optional (cfg.videobridge.passwordFile == null) "videobridge-secret");
      in
      ''
        cd /var/lib/jitsi-meet
        ${concatMapStringsSep "\n" (s: ''
          if [ ! -f ${s} ]; then
            tr -dc a-zA-Z0-9 </dev/urandom | head -c 64 > ${s}
            chown root:jitsi-meet ${s}
            chmod 640 ${s}
          fi
        '') secrets}
        # for easy access in prosody
        echo "JICOFO_COMPONENT_SECRET=$(cat jicofo-component-secret)" > secrets-env
        echo "JIGASI_COMPONENT_SECRET=$(cat jigasi-component-secret)" >> secrets-env
        chown root:jitsi-meet secrets-env
        chmod 640 secrets-env
      ''
      + optionalString cfg.prosody.enable ''
        # generate self-signed certificates
-        if [ ! -f /var/lib/jitsi-meet/jitsi-meet.crt ]; then
+        if [ ! -f /var/lib/jitsi-meet.crt ]; then
          ${getBin pkgs.openssl}/bin/openssl req \
            -x509 \
            -newkey rsa:4096 \
@@ -429,7 +430,8 @@ in
            -days 36500 \
            -nodes \
            -subj '/CN=${cfg.hostName}/CN=auth.${cfg.hostName}'
-          chmod 640 /var/lib/jitsi-meet/jitsi-meet.key
+          chmod 640 /var/lib/jitsi-meet/jitsi-meet.{crt,key}
          chown root:jitsi-meet /var/lib/jitsi-meet/jitsi-meet.{crt,key}
        fi
      '';
    };
@@ -64,135 +64,129 @@ let
  else
    throw "Unsupported database type: ${cfg.database.type} for socket: ${cfg.database.socket}";
-  mediawikiConfig = pkgs.writeTextFile {
+  mediawikiConfig = pkgs.writeText "LocalSettings.php" ''
-    name = "LocalSettings.php";
+    <?php
-    checkPhase = ''
+      # Protect against web entry
-      ${php}/bin/php --syntax-check "$target"
+      if ( !defined( 'MEDIAWIKI' ) ) {
-    '';
+        exit;
-    text = ''
+      }
      <?php
        # Protect against web entry
        if ( !defined( 'MEDIAWIKI' ) ) {
          exit;
        }
-        $wgSitename = "${cfg.name}";
+      $wgSitename = "${cfg.name}";
-        $wgMetaNamespace = false;
+      $wgMetaNamespace = false;
-        ## The URL base path to the directory containing the wiki;
+      ## The URL base path to the directory containing the wiki;
-        ## defaults for all runtime URL paths are based off of this.
+      ## defaults for all runtime URL paths are based off of this.
-        ## For more information on customizing the URLs
+      ## For more information on customizing the URLs
-        ## (like /w/index.php/Page_title to /wiki/Page_title) please see:
+      ## (like /w/index.php/Page_title to /wiki/Page_title) please see:
-        ## https://www.mediawiki.org/wiki/Manual:Short_URL
+      ## https://www.mediawiki.org/wiki/Manual:Short_URL
-        $wgScriptPath = "${lib.optionalString (cfg.webserver == "nginx") "/w"}";
+      $wgScriptPath = "${lib.optionalString (cfg.webserver == "nginx") "/w"}";
-        ## The protocol and server name to use in fully-qualified URLs
+      ## The protocol and server name to use in fully-qualified URLs
-        $wgServer = "${cfg.url}";
+      $wgServer = "${cfg.url}";
-        ## The URL path to static resources (images, scripts, etc.)
+      ## The URL path to static resources (images, scripts, etc.)
-        $wgResourceBasePath = $wgScriptPath;
+      $wgResourceBasePath = $wgScriptPath;
-        ${lib.optionalString (cfg.webserver == "nginx") ''
+      ${lib.optionalString (cfg.webserver == "nginx") ''
-          $wgArticlePath = "/wiki/$1";
+        $wgArticlePath = "/wiki/$1";
-          $wgUsePathInfo = true;
+        $wgUsePathInfo = true;
-        ''}
+      ''}
-        ## The URL path to the logo.  Make sure you change this from the default,
+      ## The URL path to the logo.  Make sure you change this from the default,
-        ## or else you'll overwrite your logo when you upgrade!
+      ## or else you'll overwrite your logo when you upgrade!
-        $wgLogo = "$wgResourceBasePath/resources/assets/wiki.png";
+      $wgLogo = "$wgResourceBasePath/resources/assets/wiki.png";
-        ## UPO means: this is also a user preference option
+      ## UPO means: this is also a user preference option
-        $wgEnableEmail = true;
+      $wgEnableEmail = true;
-        $wgEnableUserEmail = true; # UPO
+      $wgEnableUserEmail = true; # UPO
-        $wgPasswordSender = "${cfg.passwordSender}";
+      $wgPasswordSender = "${cfg.passwordSender}";
-        $wgEnotifUserTalk = false; # UPO
+      $wgEnotifUserTalk = false; # UPO
-        $wgEnotifWatchlist = false; # UPO
+      $wgEnotifWatchlist = false; # UPO
-        $wgEmailAuthentication = true;
+      $wgEmailAuthentication = true;
-        ## Database settings
+      ## Database settings
-        $wgDBtype = "${cfg.database.type}";
+      $wgDBtype = "${cfg.database.type}";
-        $wgDBserver = "${dbAddr}";
+      $wgDBserver = "${dbAddr}";
-        $wgDBport = "${toString cfg.database.port}";
+      $wgDBport = "${toString cfg.database.port}";
-        $wgDBname = "${cfg.database.name}";
+      $wgDBname = "${cfg.database.name}";
-        $wgDBuser = "${cfg.database.user}";
+      $wgDBuser = "${cfg.database.user}";
-        ${optionalString (cfg.database.passwordFile != null) "$wgDBpassword = file_get_contents(\"${cfg.database.passwordFile}\");"}
+      ${optionalString (cfg.database.passwordFile != null) "$wgDBpassword = file_get_contents(\"${cfg.database.passwordFile}\");"}
-        ${optionalString (cfg.database.type == "mysql" && cfg.database.tablePrefix != null) ''
+      ${optionalString (cfg.database.type == "mysql" && cfg.database.tablePrefix != null) ''
-          # MySQL specific settings
+        # MySQL specific settings
-          $wgDBprefix = "${cfg.database.tablePrefix}";
+        $wgDBprefix = "${cfg.database.tablePrefix}";
-        ''}
+      ''}
-        ${optionalString (cfg.database.type == "mysql") ''
+      ${optionalString (cfg.database.type == "mysql") ''
-          # MySQL table options to use during installation or update
+        # MySQL table options to use during installation or update
-          $wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";
+        $wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";
-        ''}
+      ''}
-        ## Shared memory settings
+      ## Shared memory settings
-        $wgMainCacheType = CACHE_NONE;
+      $wgMainCacheType = CACHE_NONE;
-        $wgMemCachedServers = [];
+      $wgMemCachedServers = [];
-        ${optionalString (cfg.uploadsDir != null) ''
+      ${optionalString (cfg.uploadsDir != null) ''
-          $wgEnableUploads = true;
+        $wgEnableUploads = true;
-          $wgUploadDirectory = "${cfg.uploadsDir}";
+        $wgUploadDirectory = "${cfg.uploadsDir}";
-        ''}
+      ''}
-        $wgUseImageMagick = true;
+      $wgUseImageMagick = true;
-        $wgImageMagickConvertCommand = "${pkgs.imagemagick}/bin/convert";
+      $wgImageMagickConvertCommand = "${pkgs.imagemagick}/bin/convert";
-        # InstantCommons allows wiki to use images from https://commons.wikimedia.org
+      # InstantCommons allows wiki to use images from https://commons.wikimedia.org
-        $wgUseInstantCommons = false;
+      $wgUseInstantCommons = false;
-        # Periodically send a pingback to https://www.mediawiki.org/ with basic data
+      # Periodically send a pingback to https://www.mediawiki.org/ with basic data
-        # about this MediaWiki instance. The Wikimedia Foundation shares this data
+      # about this MediaWiki instance. The Wikimedia Foundation shares this data
-        # with MediaWiki developers to help guide future development efforts.
+      # with MediaWiki developers to help guide future development efforts.
-        $wgPingback = true;
+      $wgPingback = true;
-        ## If you use ImageMagick (or any other shell command) on a
+      ## If you use ImageMagick (or any other shell command) on a
-        ## Linux server, this will need to be set to the name of an
+      ## Linux server, this will need to be set to the name of an
-        ## available UTF-8 locale
+      ## available UTF-8 locale
-        $wgShellLocale = "C.UTF-8";
+      $wgShellLocale = "C.UTF-8";
-        ## Set $wgCacheDirectory to a writable directory on the web server
+      ## Set $wgCacheDirectory to a writable directory on the web server
-        ## to make your wiki go slightly faster. The directory should not
+      ## to make your wiki go slightly faster. The directory should not
-        ## be publicly accessible from the web.
+      ## be publicly accessible from the web.
-        $wgCacheDirectory = "${cacheDir}";
+      $wgCacheDirectory = "${cacheDir}";
-        # Site language code, should be one of the list in ./languages/data/Names.php
+      # Site language code, should be one of the list in ./languages/data/Names.php
-        $wgLanguageCode = "en";
+      $wgLanguageCode = "en";
-        $wgSecretKey = file_get_contents("${stateDir}/secret.key");
+      $wgSecretKey = file_get_contents("${stateDir}/secret.key");
-        # Changing this will log out all existing sessions.
+      # Changing this will log out all existing sessions.
-        $wgAuthenticationTokenVersion = "";
+      $wgAuthenticationTokenVersion = "";
-        ## For attaching licensing metadata to pages, and displaying an
+      ## For attaching licensing metadata to pages, and displaying an
-        ## appropriate copyright notice / icon. GNU Free Documentation
+      ## appropriate copyright notice / icon. GNU Free Documentation
-        ## License and Creative Commons licenses are supported so far.
+      ## License and Creative Commons licenses are supported so far.
-        $wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
+      $wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
-        $wgRightsUrl = "";
+      $wgRightsUrl = "";
-        $wgRightsText = "";
+      $wgRightsText = "";
-        $wgRightsIcon = "";
+      $wgRightsIcon = "";
-        # Path to the GNU diff3 utility. Used for conflict resolution.
+      # Path to the GNU diff3 utility. Used for conflict resolution.
-        $wgDiff = "${pkgs.diffutils}/bin/diff";
+      $wgDiff = "${pkgs.diffutils}/bin/diff";
-        $wgDiff3 = "${pkgs.diffutils}/bin/diff3";
+      $wgDiff3 = "${pkgs.diffutils}/bin/diff3";
-        # Enabled skins.
+      # Enabled skins.
-        ${concatStringsSep "\n" (mapAttrsToList (k: v: "wfLoadSkin('${k}');") cfg.skins)}
+      ${concatStringsSep "\n" (mapAttrsToList (k: v: "wfLoadSkin('${k}');") cfg.skins)}
-        # Enabled extensions.
+      # Enabled extensions.
-        ${concatStringsSep "\n" (mapAttrsToList (k: v: "wfLoadExtension('${k}');") cfg.extensions)}
+      ${concatStringsSep "\n" (mapAttrsToList (k: v: "wfLoadExtension('${k}');") cfg.extensions)}
-        # End of automatically generated settings.
+      # End of automatically generated settings.
-        # Add more configuration options below.
+      # Add more configuration options below.
-        ${cfg.extraConfig}
+      ${cfg.extraConfig}
-      '';
+  '';
    };
  withTrailingSlash = str: if lib.hasSuffix "/" str then str else "${str}/";
 in
@@ -1,22 +1,24 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
  cfg = config.services.onlyoffice;
 in
 {
  options.services.onlyoffice = {
-    enable = lib.mkEnableOption "OnlyOffice DocumentServer";
+    enable = mkEnableOption "OnlyOffice DocumentServer";
-    enableExampleServer = lib.mkEnableOption "OnlyOffice example server";
+    enableExampleServer = mkEnableOption "OnlyOffice example server";
-    hostname = lib.mkOption {
+    hostname = mkOption {
-      type = lib.types.str;
+      type = types.str;
      default = "localhost";
-      description = "FQDN for the OnlyOffice instance.";
+      description = "FQDN for the onlyoffice instance.";
    };
-    jwtSecretFile = lib.mkOption {
+    jwtSecretFile = mkOption {
-      type = lib.types.nullOr lib.types.str;
+      type = types.nullOr types.str;
      default = null;
      description = ''
        Path to a file that contains the secret to sign web requests using JSON Web Tokens.
@@ -24,34 +26,34 @@ in
      '';
    };
-    package = lib.mkPackageOption pkgs "onlyoffice-documentserver" { };
+    package = mkPackageOption pkgs "onlyoffice-documentserver" { };
-    port = lib.mkOption {
+    port = mkOption {
-      type = lib.types.port;
+      type = types.port;
      default = 8000;
-      description = "Port the OnlyOffice document server should listen on.";
+      description = "Port the OnlyOffice DocumentServer should listens on.";
    };
-    examplePort = lib.mkOption {
+    examplePort = mkOption {
-      type = lib.types.port;
+      type = types.port;
      default = null;
-      description = "Port the OnlyOffice example server should listen on.";
+      description = "Port the OnlyOffice Example server should listens on.";
    };
-    postgresHost = lib.mkOption {
+    postgresHost = mkOption {
-      type = lib.types.str;
+      type = types.str;
      default = "/run/postgresql";
      description = "The Postgresql hostname or socket path OnlyOffice should connect to.";
    };
-    postgresName = lib.mkOption {
+    postgresName = mkOption {
-      type = lib.types.str;
+      type = types.str;
      default = "onlyoffice";
-      description = "The name of database OnlyOffice should use.";
+      description = "The name of database OnlyOffice should user.";
    };
-    postgresPasswordFile = lib.mkOption {
+    postgresPasswordFile = mkOption {
-      type = lib.types.nullOr lib.types.str;
+      type = types.nullOr types.str;
      default = null;
      description = ''
        Path to a file that contains the password OnlyOffice should use to connect to Postgresql.
@@ -59,8 +61,8 @@ in
      '';
    };
-    postgresUser = lib.mkOption {
+    postgresUser = mkOption {
-      type = lib.types.str;
+      type = types.str;
      default = "onlyoffice";
      description = ''
        The username OnlyOffice should use to connect to Postgresql.
@@ -68,8 +70,8 @@ in
      '';
    };
-    rabbitmqUrl = lib.mkOption {
+    rabbitmqUrl = mkOption {
-      type = lib.types.str;
+      type = types.str;
      default = "amqp://guest:guest@localhost:5672";
      description = "The Rabbitmq in amqp URI style OnlyOffice should connect to.";
    };
@@ -78,10 +80,10 @@ in
  config = lib.mkIf cfg.enable {
    services = {
      nginx = {
-        enable = lib.mkDefault true;
+        enable = mkDefault true;
        # misses text/csv, font/ttf, application/x-font-ttf, application/rtf, application/wasm
-        recommendedGzipSettings = lib.mkDefault true;
+        recommendedGzipSettings = mkDefault true;
-        recommendedProxySettings = lib.mkDefault true;
+        recommendedProxySettings = mkDefault true;
        upstreams = {
          # /etc/nginx/includes/http-common.conf
@@ -12,7 +12,7 @@ import subprocess
 import sys
 import warnings
 import json
-from typing import NamedTuple, Any
+from typing import NamedTuple, Dict, List
 from dataclasses import dataclass
 # These values will be replaced with actual values during the package build
@@ -21,7 +21,7 @@ BOOT_MOUNT_POINT = "@bootMountPoint@"
 LOADER_CONF = f"{EFI_SYS_MOUNT_POINT}/loader/loader.conf"  # Always stored on the ESP
 NIXOS_DIR = "@nixosDir@"
 TIMEOUT = "@timeout@"
-EDITOR = "@editor@" == "1" # noqa: PLR0133
+EDITOR = "@editor@" == "1"
 CONSOLE_MODE = "@consoleMode@"
 BOOTSPEC_TOOLS = "@bootspecTools@"
 DISTRO_NAME = "@distroName@"
@@ -38,22 +38,17 @@ class BootSpec:
    init: str
    initrd: str
    kernel: str
-    kernelParams: list[str]  # noqa: N815
+    kernelParams: List[str]
    label: str
    system: str
    toplevel: str
-    specialisations: dict[str, "BootSpec"]
+    specialisations: Dict[str, "BootSpec"]
-    sortKey: str  # noqa: N815
+    sortKey: str
-    initrdSecrets: str | None = None  # noqa: N815
+    initrdSecrets: str | None = None
 libc = ctypes.CDLL("libc.so.6")
 FILE = None | int
 def run(cmd: list[str], stdout: FILE = None) -> subprocess.CompletedProcess[str]:
    return subprocess.run(cmd, check=True, text=True, stdout=stdout)
 class SystemIdentifier(NamedTuple):
    profile: str | None
    generation: int
@@ -117,20 +112,17 @@ def get_bootspec(profile: str | None, generation: int) -> BootSpec:
        boot_json_f = open(boot_json_path, 'r')
        bootspec_json = json.load(boot_json_f)
    else:
-        boot_json_str = run(
+        boot_json_str = subprocess.check_output([
-            [
+        f"{BOOTSPEC_TOOLS}/bin/synthesize",
-                f"{BOOTSPEC_TOOLS}/bin/synthesize",
+        "--version",
-                "--version",
+        "1",
-                "1",
+        system_directory,
-                system_directory,
+        "/dev/stdout"],
-                "/dev/stdout",
+        universal_newlines=True)
            ],
            stdout=subprocess.PIPE,
        ).stdout
        bootspec_json = json.loads(boot_json_str)
    return bootspec_from_json(bootspec_json)
-def bootspec_from_json(bootspec_json: dict[str, Any]) -> BootSpec:
+def bootspec_from_json(bootspec_json: Dict) -> BootSpec:
    specialisations = bootspec_json['org.nixos.specialisation.v1']
    specialisations = {k: bootspec_from_json(v) for k, v in specialisations.items()}
    systemdBootExtension = bootspec_json.get('org.nixos.systemd-boot', {})
@@ -165,7 +157,7 @@ def write_entry(profile: str | None, generation: int, specialisation: str | None
    try:
        if bootspec.initrdSecrets is not None:
-            run([bootspec.initrdSecrets, f"{BOOT_MOUNT_POINT}%s" % (initrd)])
+            subprocess.check_call([bootspec.initrdSecrets, f"{BOOT_MOUNT_POINT}%s" % (initrd)])
    except subprocess.CalledProcessError:
        if current:
            print("failed to create initrd secrets!", file=sys.stderr)
@@ -200,17 +192,13 @@ def write_entry(profile: str | None, generation: int, specialisation: str | None
 def get_generations(profile: str | None = None) -> list[SystemIdentifier]:
-    gen_list = run(
+    gen_list = subprocess.check_output([
-        [
+        f"{NIX}/bin/nix-env",
-            f"{NIX}/bin/nix-env",
+        "--list-generations",
-            "--list-generations",
+        "-p",
-            "-p",
+        "/nix/var/nix/profiles/%s" % ("system-profiles/" + profile if profile else "system")],
-            "/nix/var/nix/profiles/%s"
+        universal_newlines=True)
-            % ("system-profiles/" + profile if profile else "system"),
+    gen_lines = gen_list.split('\n')
        ],
        stdout=subprocess.PIPE,
    ).stdout
    gen_lines = gen_list.split("\n")
    gen_lines.pop()
    configurationLimit = CONFIGURATION_LIMIT
@@ -226,8 +214,8 @@ def get_generations(profile: str | None = None) -> list[SystemIdentifier]:
 def remove_old_entries(gens: list[SystemIdentifier]) -> None:
-    rex_profile = re.compile(r"^" + re.escape(BOOT_MOUNT_POINT) + r"/loader/entries/nixos-(.*)-generation-.*\.conf$")
+    rex_profile = re.compile(r"^" + re.escape(BOOT_MOUNT_POINT) + "/loader/entries/nixos-(.*)-generation-.*\.conf$")
-    rex_generation = re.compile(r"^" + re.escape(BOOT_MOUNT_POINT) + r"/loader/entries/nixos.*-generation-([0-9]+)(-specialisation-.*)?\.conf$")
+    rex_generation = re.compile(r"^" + re.escape(BOOT_MOUNT_POINT) + "/loader/entries/nixos.*-generation-([0-9]+)(-specialisation-.*)?\.conf$")
    known_paths = []
    for gen in gens:
        bootspec = get_bootspec(gen.profile, gen.generation)
@@ -242,10 +230,10 @@ def remove_old_entries(gens: list[SystemIdentifier]) -> None:
            gen_number = int(rex_generation.sub(r"\1", path))
        except ValueError:
            continue
-        if (prof, gen_number, None) not in gens:
+        if not (prof, gen_number, None) in gens:
            os.unlink(path)
    for path in glob.iglob(f"{BOOT_MOUNT_POINT}/{NIXOS_DIR}/*"):
-        if path not in known_paths and not os.path.isdir(path):
+        if not path in known_paths and not os.path.isdir(path):
            os.unlink(path)
@@ -275,7 +263,9 @@ def install_bootloader(args: argparse.Namespace) -> None:
        # be there on newly installed systems, so let's generate one so that
        # bootctl can find it and we can also pass it to write_entry() later.
        cmd = [f"{SYSTEMD}/bin/systemd-machine-id-setup", "--print"]
-        machine_id = run(cmd, stdout=subprocess.PIPE).stdout.rstrip()
+        machine_id = subprocess.run(
          cmd, text=True, check=True, stdout=subprocess.PIPE
        ).stdout.rstrip()
    if os.getenv("NIXOS_INSTALL_GRUB") == "1":
        warnings.warn("NIXOS_INSTALL_GRUB env var deprecated, use NIXOS_INSTALL_BOOTLOADER", DeprecationWarning)
@@ -298,20 +288,11 @@ def install_bootloader(args: argparse.Namespace) -> None:
        if os.path.exists(LOADER_CONF):
            os.unlink(LOADER_CONF)
-        run(
+        subprocess.check_call([f"{SYSTEMD}/bin/bootctl", f"--esp-path={EFI_SYS_MOUNT_POINT}"] + bootctl_flags + ["install"])
            [f"{SYSTEMD}/bin/bootctl", f"--esp-path={EFI_SYS_MOUNT_POINT}"]
            + bootctl_flags
            + ["install"]
        )
    else:
        # Update bootloader to latest if needed
-        available_out = run(
+        available_out = subprocess.check_output([f"{SYSTEMD}/bin/bootctl", "--version"], universal_newlines=True).split()[2]
-            [f"{SYSTEMD}/bin/bootctl", "--version"], stdout=subprocess.PIPE
+        installed_out = subprocess.check_output([f"{SYSTEMD}/bin/bootctl", f"--esp-path={EFI_SYS_MOUNT_POINT}", "status"], universal_newlines=True)
        ).stdout.split()[2]
        installed_out = run(
            [f"{SYSTEMD}/bin/bootctl", f"--esp-path={EFI_SYS_MOUNT_POINT}", "status"],
            stdout=subprocess.PIPE,
        ).stdout
        # See status_binaries() in systemd bootctl.c for code which generates this
        installed_match = re.search(r"^\W+File:.*/EFI/(?:BOOT|systemd)/.*\.efi \(systemd-boot ([\d.]+[^)]*)\)$",
@@ -330,11 +311,7 @@ def install_bootloader(args: argparse.Namespace) -> None:
        if installed_version < available_version:
            print("updating systemd-boot from %s to %s" % (installed_version, available_version))
-            run(
+            subprocess.check_call([f"{SYSTEMD}/bin/bootctl", f"--esp-path={EFI_SYS_MOUNT_POINT}"] + bootctl_flags + ["update"])
                [f"{SYSTEMD}/bin/bootctl", f"--esp-path={EFI_SYS_MOUNT_POINT}"]
                + bootctl_flags
                + ["update"]
            )
    os.makedirs(f"{BOOT_MOUNT_POINT}/{NIXOS_DIR}", exist_ok=True)
    os.makedirs(f"{BOOT_MOUNT_POINT}/loader/entries", exist_ok=True)
@@ -385,7 +362,7 @@ def install_bootloader(args: argparse.Namespace) -> None:
    os.makedirs(f"{BOOT_MOUNT_POINT}/{NIXOS_DIR}/.extra-files", exist_ok=True)
-    run([COPY_EXTRA_FILES])
+    subprocess.check_call(COPY_EXTRA_FILES)
 def main() -> None:
@@ -393,7 +370,7 @@ def main() -> None:
    parser.add_argument('default_config', metavar='DEFAULT-CONFIG', help=f"The default {DISTRO_NAME} config to boot")
    args = parser.parse_args()
-    run([CHECK_MOUNTPOINTS])
+    subprocess.check_call(CHECK_MOUNTPOINTS)
    try:
        install_bootloader(args)
@@ -78,7 +78,6 @@ in rec {
      nginx
      nodejs
      openssh
      opensshTest
      php
      postgresql
      python
@@ -140,7 +139,6 @@ in rec {
        "nixos.tests.simple"
        "nixpkgs.jdk"
        "nixpkgs.tests-stdenv-gcc-stageCompare"
        "nixpkgs.opensshTest"
      ])
    ];
  };
@@ -323,7 +323,6 @@ in {
  firefox-devedition = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-devedition; };
  firefox-esr    = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-esr; }; # used in `tested` job
  firefox-esr-115 = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-esr-115; };
  firefox-esr-128 = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-esr-128; };
  firefoxpwa = handleTest ./firefoxpwa.nix {};
  firejail = handleTest ./firejail.nix {};
  firewall = handleTest ./firewall.nix { nftables = false; };
@@ -364,7 +363,6 @@ in {
  gitlab = runTest ./gitlab.nix;
  gitolite = handleTest ./gitolite.nix {};
  gitolite-fcgiwrap = handleTest ./gitolite-fcgiwrap.nix {};
  glance = runTest ./glance.nix;
  glusterfs = handleTest ./glusterfs.nix {};
  gnome = handleTest ./gnome.nix {};
  gnome-extensions = handleTest ./gnome-extensions.nix {};
@@ -526,8 +524,6 @@ in {
  lxd-image-server = handleTest ./lxd-image-server.nix {};
  #logstash = handleTest ./logstash.nix {};
  lomiri = handleTest ./lomiri.nix {};
  lomiri-calculator-app = runTest ./lomiri-calculator-app.nix;
  lomiri-clock-app = runTest ./lomiri-clock-app.nix;
  lomiri-filemanager-app = runTest ./lomiri-filemanager-app.nix;
  lomiri-system-settings = handleTest ./lomiri-system-settings.nix {};
  lorri = handleTest ./lorri/default.nix {};
@@ -811,7 +807,6 @@ in {
  ragnarwm = handleTest ./ragnarwm.nix {};
  rasdaemon = handleTest ./rasdaemon.nix {};
  readarr = handleTest ./readarr.nix {};
  realm = handleTest ./realm.nix {};
  redis = handleTest ./redis.nix {};
  redlib = handleTest ./redlib.nix {};
  redmine = handleTest ./redmine.nix {};
@@ -35,7 +35,7 @@ in {
        ayatana-indicator-sound
      ] ++ (with pkgs.lomiri; [
        lomiri-indicator-network
-        telephony-service
+        # telephony-service # currently broken: https://github.com/NixOS/nixpkgs/pull/314043
      ]);
    };
@@ -1,36 +0,0 @@
 { lib, ... }:
 {
  name = "glance";
  nodes = {
    machine_default =
      { pkgs, ... }:
      {
        services.glance = {
          enable = true;
        };
      };
    machine_custom_port =
      { pkgs, ... }:
      {
        services.glance = {
          enable = true;
          settings.server.port = 5678;
        };
      };
  };
  testScript = ''
    machine_default.start()
    machine_default.wait_for_unit("glance.service")
    machine_default.wait_for_open_port(8080)
    machine_custom_port.start()
    machine_custom_port.wait_for_unit("glance.service")
    machine_custom_port.wait_for_open_port(5678)
  '';
  meta.maintainers = [ lib.maintainers.drupol ];
 }
@@ -1,59 +0,0 @@
 { pkgs, lib, ... }:
 {
  name = "lomiri-calculator-app-standalone";
  meta.maintainers = lib.teams.lomiri.members;
  nodes.machine =
    { config, pkgs, ... }:
    {
      imports = [ ./common/x11.nix ];
      services.xserver.enable = true;
      environment = {
        systemPackages = with pkgs.lomiri; [
          suru-icon-theme
          lomiri-calculator-app
        ];
        variables = {
          UITK_ICON_THEME = "suru";
        };
      };
      i18n.supportedLocales = [ "all" ];
      fonts.packages = with pkgs; [
        # Intended font & helps with OCR
        ubuntu_font_family
      ];
    };
  enableOCR = true;
  testScript = ''
    machine.wait_for_x()
    with subtest("lomiri calculator launches"):
        machine.execute("lomiri-calculator-app >&2 &")
        machine.wait_for_text("Calculator")
        machine.screenshot("lomiri-calculator")
    with subtest("lomiri calculator works"):
        machine.send_key("tab") # Fix focus
        machine.send_chars("22*16\n")
        machine.wait_for_text("352")
        machine.screenshot("lomiri-calculator_caninfactdobasicmath")
    machine.succeed("pkill -f lomiri-calculator-app")
    with subtest("lomiri calculator localisation works"):
        machine.execute("env LANG=de_DE.UTF-8 lomiri-calculator-app >&2 &")
        machine.wait_for_text("Rechner")
        machine.screenshot("lomiri-calculator_localised")
    # History of previous run should have loaded
    with subtest("lomiri calculator history works"):
        machine.wait_for_text("352")
  '';
 }
@@ -1,48 +0,0 @@
 { pkgs, lib, ... }:
 {
  name = "lomiri-clock-app-standalone";
  meta.maintainers = lib.teams.lomiri.members;
  nodes.machine =
    { config, pkgs, ... }:
    {
      imports = [ ./common/x11.nix ];
      services.xserver.enable = true;
      environment = {
        systemPackages = with pkgs.lomiri; [
          suru-icon-theme
          lomiri-clock-app
        ];
        variables = {
          UITK_ICON_THEME = "suru";
        };
      };
      i18n.supportedLocales = [ "all" ];
      fonts.packages = with pkgs; [
        # Intended font & helps with OCR
        ubuntu_font_family
      ];
    };
  enableOCR = true;
  testScript = ''
    machine.wait_for_x()
    with subtest("lomiri clock launches"):
        machine.execute("lomiri-clock-app >&2 &")
        machine.wait_for_text(r"(clock.ubports|City|Alarms)")
        machine.screenshot("lomiri-clock_open")
    machine.succeed("pkill -f lomiri-clock-app")
    with subtest("lomiri clock localisation works"):
        machine.execute("env LANG=de_DE.UTF-8 lomiri-clock-app >&2 &")
        machine.wait_for_text(r"(Stadt|Weckzeiten)")
        machine.screenshot("lomiri-clock_localised")
  '';
 }
@@ -17,12 +17,12 @@ import ../make-test-python.nix {
    # Start the daemon and wait until it is ready
    machine.execute("lorri daemon > lorri.stdout 2> lorri.stderr &")
-    machine.wait_until_succeeds("grep --fixed-strings 'ready' lorri.stderr")
+    machine.wait_until_succeeds("grep --fixed-strings 'ready' lorri.stdout")
    # Ping the daemon
-    machine.succeed("lorri internal ping --shell-file shell.nix")
+    machine.succeed("lorri internal ping shell.nix")
    # Wait for the daemon to finish the build
-    machine.wait_until_succeeds("grep --fixed-strings 'Completed' lorri.stderr")
+    machine.wait_until_succeeds("grep --fixed-strings 'Completed' lorri.stdout")
  '';
 }
@@ -1,7 +1,7 @@
 import ./make-test-python.nix ({ lib, ... }:
  {
    name = "nzbhydra2";
-    meta.maintainers = with lib.maintainers; [ matteopacini ];
+    meta.maintainers = with lib.maintainers; [ jamiemagee ];
    nodes.machine = { pkgs, ... }: { services.nzbhydra2.enable = true; };
@@ -209,34 +209,6 @@ let
        '';
    };
    deluge = {
      exporterConfig = {
        enable = true;
        port = 1234;
        listenAddress = "127.0.0.1";
        delugeUser = "user";
        delugePort = 2345;
        delugePasswordFile = pkgs.writeText "password" "weak_password";
      };
      metricProvider = {
        services.deluge.enable = true;
        services.deluge.declarative = true;
        services.deluge.config.daemon_port = 2345;
        services.deluge.authFile = pkgs.writeText "authFile" ''
        localclient:abcdef:10
        user:weak_password:10
        '';
      };
      exporterTest = ''
        wait_for_unit("deluged.service")
        wait_for_open_port(2345)
        wait_for_unit("prometheus-deluge-exporter.service")
        wait_for_open_port(1234)
        succeed("curl -sSf http://localhost:1234 | grep 'deluge_torrents'")
      '';
    };
    dnsmasq = {
      exporterConfig = {
        enable = true;
@@ -144,9 +144,5 @@ import ../make-test-python.nix ({ lib, pkgs, ... }:
    logger.wait_until_succeeds(
      "journalctl -o cat -u alertmanager-webhook-logger.service | grep '\"alertname\":\"InstanceDown\"'"
    )
    logger.log(logger.succeed("systemd-analyze security alertmanager-webhook-logger.service | grep -v '✓'"))
    alertmanager.log(alertmanager.succeed("systemd-analyze security alertmanager.service | grep -v '✓'"))
  '';
 })
@@ -90,7 +90,5 @@ import ../make-test-python.nix ({ lib, pkgs, ... }:
      "curl -sf 'http://127.0.0.1:9090/api/v1/query?query=absent(some_metric)' | "
      + "jq '.data.result[0].value[1]' | grep '\"1\"'"
    )
    pushgateway.log(pushgateway.succeed("systemd-analyze security pushgateway.service | grep -v '✓'"))
  '';
 })
@@ -1,39 +0,0 @@
 import ./make-test-python.nix ({ lib, pkgs, ... }: {
  name = "realm";
  meta = {
    maintainers = with lib.maintainers; [ ocfox ];
  };
  nodes.machine = { pkgs, ... }: {
    services.nginx = {
      enable = true;
      statusPage = true;
    };
    # realm need DNS resolv server to run or use config.dns.nameserver
    services.resolved.enable = true;
    services.realm = {
      enable = true;
      config = {
        endpoints = [
          {
            listen = "0.0.0.0:1000";
            remote = "127.0.0.1:80";
          }
        ];
      };
    };
  };
  testScript = ''
    machine.wait_for_unit("nginx.service")
    machine.wait_for_unit("realm.service")
    machine.wait_for_open_port(80)
    machine.wait_for_open_port(1000)
    machine.succeed("curl --fail http://localhost:1000/")
  '';
 })
@@ -0,0 +1,25 @@
 From d87a7513c6f2f2824203032ef27caeb84892ed7e Mon Sep 17 00:00:00 2001
 From: Will Fancher <elvishjerricco@gmail.com>
 Date: Tue, 30 May 2023 16:53:20 -0400
 Subject: [PATCH] Intentionally break the fat driver
 ---
 FatPkg/EnhancedFatDxe/ReadWrite.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/FatPkg/EnhancedFatDxe/ReadWrite.c b/FatPkg/EnhancedFatDxe/ReadWrite.c
 index 8f525044d1f1..32c62ff7817b 100644
 --- a/FatPkg/EnhancedFatDxe/ReadWrite.c
 +++ b/FatPkg/EnhancedFatDxe/ReadWrite.c
@@ -216,6 +216,11 @@ FatIFileAccess (
   Volume = OFile->Volume;
   Task   = NULL;
 +  if (*BufferSize > (10U * 1024U * 1024U)) {
 +    IFile->Position += 10U * 1024U * 1024U;
 +    return EFI_BAD_BUFFER_SIZE;
 +  }
 +
   //
   // Write to a directory is unsupported
   //
@@ -239,7 +239,7 @@ in
  memtest86 = makeTest {
    name = "systemd-boot-memtest86";
-    meta.maintainers = with pkgs.lib.maintainers; [ julienmalka ];
+    meta.maintainers = with pkgs.lib.maintainers; [ Enzime julienmalka ];
    nodes.machine = { pkgs, lib, ... }: {
      imports = [ common ];
@@ -254,7 +254,7 @@ in
  netbootxyz = makeTest {
    name = "systemd-boot-netbootxyz";
-    meta.maintainers = with pkgs.lib.maintainers; [ julienmalka ];
+    meta.maintainers = with pkgs.lib.maintainers; [ Enzime julienmalka ];
    nodes.machine = { pkgs, lib, ... }: {
      imports = [ common ];
@@ -269,7 +269,7 @@ in
  memtestSortKey = makeTest {
    name = "systemd-boot-memtest-sortkey";
-    meta.maintainers = with pkgs.lib.maintainers; [ julienmalka ];
+    meta.maintainers = with pkgs.lib.maintainers; [ Enzime julienmalka ];
    nodes.machine = { pkgs, lib, ... }: {
      imports = [ common ];
@@ -307,7 +307,7 @@ in
  extraEntries = makeTest {
    name = "systemd-boot-extra-entries";
-    meta.maintainers = with pkgs.lib.maintainers; [ julienmalka ];
+    meta.maintainers = with pkgs.lib.maintainers; [ Enzime julienmalka ];
    nodes.machine = { pkgs, lib, ... }: {
      imports = [ common ];
@@ -326,7 +326,7 @@ in
  extraFiles = makeTest {
    name = "systemd-boot-extra-files";
-    meta.maintainers = with pkgs.lib.maintainers; [ julienmalka ];
+    meta.maintainers = with pkgs.lib.maintainers; [ Enzime julienmalka ];
    nodes.machine = { pkgs, lib, ... }: {
      imports = [ common ];
@@ -343,7 +343,7 @@ in
  switch-test = makeTest {
    name = "systemd-boot-switch-test";
-    meta.maintainers = with pkgs.lib.maintainers; [ julienmalka ];
+    meta.maintainers = with pkgs.lib.maintainers; [ Enzime julienmalka ];
    nodes = {
      inherit common;
@@ -428,6 +428,32 @@ in
      '';
  };
  # Some UEFI firmwares fail on large reads. Now that systemd-boot loads initrd
  # itself, systems with such firmware won't boot without this fix
  uefiLargeFileWorkaround = makeTest {
    name = "uefi-large-file-workaround";
    meta.maintainers = with pkgs.lib.maintainers; [ julienmalka ];
    nodes.machine = { pkgs, ... }: {
      imports = [common];
      virtualisation.efi.OVMF = pkgs.OVMF.overrideAttrs (old: {
        # This patch deliberately breaks the FAT driver in EDK2 to
        # exhibit (part of) the firmware bug that we are testing
        # for. Files greater than 10MiB will fail to be read in a
        # single Read() call, so systemd-boot will fail to load the
        # initrd without a workaround. The number 10MiB was chosen
        # because if it were smaller than the kernel size, even the
        # LoadImage call would fail, which is not the failure mode
        # we're testing for. It needs to be between the kernel size
        # and the initrd size.
        patches = old.patches or [] ++ [ ./systemd-boot-ovmf-broken-fat-driver.patch ];
      });
    };
    testScript = ''
      machine.wait_for_unit("multi-user.target")
    '';
  };
  no-bootspec = makeTest
    {
      name = "systemd-boot-no-bootspec";
@@ -1,7 +1,7 @@
 import ./make-test-python.nix ({ pkgs, lib, ... }:
 let
-  password = "foobarfoo";
+  password = "foobar";
-  newPass = "barfoobar";
+  newPass = "barfoo";
 in
 {
  name = "systemd-homed";
@@ -12,12 +12,6 @@ import ./make-test-python.nix ({ lib, ... }: {
      isNormalUser = true;
      homeMode = "750";
    };
    users.users.carol = {
      initialPassword = "pass3";
      isNormalUser = true;
      createHome = true;
      home = "/users/carol";
    };
  };
  testScript = ''
@@ -29,7 +23,5 @@ import ./make-test-python.nix ({ lib, ... }: {
    machine.send_chars("pass1\n")
    machine.succeed('[ "$(stat -c %a /home/alice)" == "700" ]')
    machine.succeed('[ "$(stat -c %a /home/bob)" == "750" ]')
    machine.succeed('[ "$(stat -c %a /users)" == "755" ]')
    machine.succeed('[ "$(stat -c %a /users/carol)" == "700" ]')
  '';
 })
@@ -209,6 +209,7 @@ builtins.mapAttrs (k: v: makeVaultwardenTest k v) {
          server.succeed('[ -f "/var/lib/vaultwarden/backups/db.sqlite3" ]')
          server.succeed('[ -d "/var/lib/vaultwarden/backups/attachments" ]')
          server.succeed('[ -f "/var/lib/vaultwarden/backups/rsa_key.pem" ]')
          server.succeed('[ -f "/var/lib/vaultwarden/backups/rsa_key.pub.pem" ]')
          # Ensure only the db backed up with the backup command exists and not the other db files.
          server.succeed('[ ! -f "/var/lib/vaultwarden/backups/db.sqlite3-shm" ]')
    '';
@@ -14,7 +14,7 @@ import ./make-test-python.nix ({ lib, ... }@args: let
  inherit (pkgs.vscode.passthru) rev vscodeServer;
 in {
  name = "vscode-remote-ssh";
-  meta.maintainers = with lib.maintainers; [ ];
+  meta.maintainers = with lib.maintainers; [ Enzime ];
  nodes = let
    serverAddress = "192.168.0.2";
@@ -1,28 +1,26 @@
 { lib
 , stdenv
 , audacious-plugins
-, fetchFromGitHub
+, fetchurl
 , gettext
 , meson
 , ninja
 , pkg-config
 , qtbase
 , qtsvg
 , qtwayland
 , wrapQtAppsHook
 }:
 stdenv.mkDerivation rec {
  pname = "audacious";
-  version = "4.4";
+  version = "4.3.1";
-  src = fetchFromGitHub {
+  src = fetchurl {
-    owner = "audacious-media-player";
+    url = "http://distfiles.audacious-media-player.org/audacious-${version}.tar.bz2";
-    repo = "audacious";
+    sha256 = "sha256-heniaEFQW1HjQu5yotBfGb74lPVnoCnrs/Pgwa20IEI=";
    rev = "${pname}-${version}";
    hash = "sha256-qAJztvNI3uGmQfECJJ7tJ/xLLgMU5OiW0O3ZSJhvt0k=";
  };
  nativeBuildInputs = [
    gettext
    meson
    ninja
    pkg-config
@@ -31,8 +29,6 @@ stdenv.mkDerivation rec {
  buildInputs = [
    qtbase
    qtsvg
    qtwayland
  ];
  mesonFlags = [
@@ -45,14 +41,12 @@ stdenv.mkDerivation rec {
    ln -s ${audacious-plugins}/share/audacious/Skins $out/share/audacious/
  '';
-  meta = {
+  meta = with lib; {
    description = "Lightweight and versatile audio player";
-    homepage = "https://audacious-media-player.org";
+    homepage = "https://audacious-media-player.org/";
-    downloadPage = "https://github.com/audacious-media-player/audacious";
+    maintainers = with maintainers; [ eelco ramkromberg ttuegel thiagokokada ];
-    mainProgram = "audacious";
+    platforms = with platforms; linux;
-    maintainers = with lib.maintainers; [ eelco ramkromberg ttuegel thiagokokada ];
+    license = with licenses; [
    platforms = lib.platforms.linux;
    license = with lib.licenses; [
      bsd2
      bsd3 #https://github.com/audacious-media-player/audacious/blob/master/COPYING
      gpl2
@@ -1,5 +1,5 @@
 { stdenv
-, fetchFromGitHub
+, fetchurl
 , alsa-lib
 , audacious
 , curl
@@ -8,6 +8,7 @@
 , flac
 , fluidsynth
 , gdk-pixbuf
 , gettext
 , lame
 , libbs2b
 , libcddb
@@ -38,7 +39,7 @@
 , pipewire
 , qtbase
 , qtmultimedia
-, qtwayland
+, qtx11extras
 , soxr
 , vgmstream
 , wavpack
@@ -46,18 +47,17 @@
 stdenv.mkDerivation rec {
  pname = "audacious-plugins";
-  version = "4.4";
+  version = "4.3.1";
-  src = fetchFromGitHub {
+  src = fetchurl {
-    owner = "audacious-media-player";
+    url = "http://distfiles.audacious-media-player.org/audacious-plugins-${version}.tar.bz2";
-    repo = "audacious-plugins";
+    sha256 = "sha256-Leom469YOi1oTfJAsnsrKTK81lPfTbUAqF9P5dX9yKY=";
    rev = "${pname}-${version}";
    hash = "sha256-J9jgBl8J4W9Yvrlg1KlzYgGTmdxUZM9L11rCftKFSlE=";
  };
  patches = [ ./0001-Set-plugindir-to-PREFIX-lib-audacious.patch ];
  nativeBuildInputs = [
    gettext
    meson
    ninja
    pkg-config
@@ -98,7 +98,7 @@ stdenv.mkDerivation rec {
    pipewire
    qtbase
    qtmultimedia
-    qtwayland
+    qtx11extras
    soxr
    wavpack
    libopenmpt
@@ -116,6 +116,5 @@ stdenv.mkDerivation rec {
  meta = audacious.meta // {
    description = "Plugins for Audacious music player";
    downloadPage = "https://github.com/audacious-media-player/audacious-plugins";
  };
 }
@@ -1,59 +1,53 @@
-{
+{ lib
-  lib,
+, stdenv
-  stdenv,
+, appstream-glib
-  fetchFromGitHub,
+, desktop-file-utils
-  appstream-glib,
+, deepfilternet
-  calf,
+, fetchFromGitHub
-  deepfilternet,
+, calf
-  desktop-file-utils,
+, fftw
-  fftw,
+, fftwFloat
-  fftwFloat,
+, fmt_9
-  fmt_9,
+, glib
-  glib,
+, gsl
-  gsl,
+, gtk4
-  gtk4,
+, itstool
-  itstool,
+, ladspaH
-  ladspaH,
+, libadwaita
-  libadwaita,
+, libbs2b
-  libbs2b,
+, libebur128
-  libebur128,
+, libportal-gtk4
-  libportal-gtk4,
+, libsamplerate
-  libsamplerate,
+, libsigcxx30
-  libsigcxx30,
+, libsndfile
-  libsndfile,
+, lilv
-  lilv,
+, lsp-plugins
-  lsp-plugins,
+, lv2
-  lv2,
+, mda_lv2
-  mda_lv2,
+, meson
-  meson,
+, ninja
-  ninja,
+, nlohmann_json
-  nix-update-script,
+, pipewire
-  nlohmann_json,
+, pkg-config
-  pipewire,
+, rnnoise
-  pkg-config,
+, rubberband
-  rnnoise,
+, speexdsp
-  rubberband,
+, soundtouch
-  speexdsp,
+, tbb
-  soundtouch,
+, wrapGAppsHook4
-  tbb,
+, zam-plugins
-  wrapGAppsHook4,
+, zita-convolver
  zam-plugins,
  zita-convolver,
 }:
 let
  # Fix crashes with speexdsp effects
  speexdsp' = speexdsp.override { withFftw3 = false; };
 in
 stdenv.mkDerivation rec {
  pname = "easyeffects";
-  version = "7.1.7";
+  version = "7.1.6";
  src = fetchFromGitHub {
    owner = "wwmm";
    repo = "easyeffects";
    rev = "v${version}";
-    hash = "sha256-y7we7/MQWweAoZkM8SuHiOTVyWFj9/foufLYBum/KKc=";
+    hash = "sha256-NViRZHNgsweoD1YbyWYrRTZPKTCkKk3fGDLLYDD7JfA=";
  };
  nativeBuildInputs = [
@@ -89,7 +83,7 @@ stdenv.mkDerivation rec {
    rnnoise
    rubberband
    soundtouch
-    speexdsp'
+    speexdsp
    tbb
    zita-convolver
  ];
@@ -116,17 +110,13 @@ stdenv.mkDerivation rec {
  separateDebugInfo = true;
-  passthru = {
+  meta = with lib; {
-    updateScript = nix-update-script { };
+    changelog = "https://github.com/wwmm/easyeffects/blob/v${version}/CHANGELOG.md";
  };
  meta = {
    description = "Audio effects for PipeWire applications";
    homepage = "https://github.com/wwmm/easyeffects";
-    changelog = "https://github.com/wwmm/easyeffects/blob/v${version}/CHANGELOG.md";
+    license = licenses.gpl3Plus;
-    license = lib.licenses.gpl3Plus;
+    maintainers = with maintainers; [ ];
-    maintainers = with lib.maintainers; [ getchoo ];
+    platforms = platforms.linux;
    mainProgram = "easyeffects";
    platforms = lib.platforms.linux;
  };
 }
@@ -1,17 +1,17 @@
-{ lib, stdenv, autoreconfHook, fetchFromGitHub, pkg-config, fdk_aac }:
+{ lib, stdenv, autoreconfHook, fetchFromGitHub, fdk_aac }:
 stdenv.mkDerivation rec {
  pname = "fdkaac";
-  version = "1.0.6";
+  version = "1.0.5";
  src = fetchFromGitHub {
    owner = "nu774";
    repo = pname;
    rev = "v${version}";
-    hash = "sha256-nVVeYk7t4+n/BsOKs744stsvgJd+zNnbASk3bAgFTpk=";
+    sha256 = "sha256-GYvI9T5Bv2OcK0hMAQE7/tE6ajDyqkaak66b3Hc0Fls=";
  };
-  nativeBuildInputs = [ autoreconfHook pkg-config ];
+  nativeBuildInputs = [ autoreconfHook ];
  buildInputs = [ fdk_aac ];
@@ -1,38 +1,18 @@
-{
+{ lib, fetchFromGitHub, python3Packages, wrapQtAppsHook }:
  lib,
  fetchFromGitHub,
  python3Packages,
  qt5,
 }:
 python3Packages.buildPythonApplication rec {
  pname = "friture";
-  version = "0.49-unstable-2024-06-02";
+  version = "0.49";
  pyproject = true;
  src = fetchFromGitHub {
    owner = "tlecomte";
    repo = pname;
-    rev = "405bffa585ece0cb535c32d0f4f6ace932b40103";
+    rev = "v${version}";
-    hash = "sha256-4xvIlRuJ7WCFj1dEyvO9UOsye70nFlWjb9XU0owwgiM=";
+    sha256 = "sha256-xKgyBV/Qc+9PgXyxcT0xG1GXLC6KnjavJ/0SUE+9VSY=";
  };
-  pythonRelaxDeps = true;
+  nativeBuildInputs = (with python3Packages; [ numpy cython scipy ]) ++
-
+    [ wrapQtAppsHook ];
  postPatch = ''
    sed -i -e '/packages=\[/a "friture.playback",' pyproject.toml
  '';
  nativeBuildInputs =
    (with python3Packages; [
      numpy
      cython
      scipy
      setuptools
    ])
    ++ (with qt5; [ wrapQtAppsHook ]);
  buildInputs = with qt5; [ qtquickcontrols2 ];
  propagatedBuildInputs = with python3Packages; [
    sounddevice
@@ -46,6 +26,11 @@ python3Packages.buildPythonApplication rec {
    rtmixer
  ];
  postPatch = ''
    # Remove version constraints from Python dependencies in setup.py
    sed -i -E "s/\"([A-Za-z0-9]+)(=|>|<)=[0-9\.]+\"/\"\1\"/g" setup.py
  '';
  preFixup = ''
    makeWrapperArgs+=("''${qtWrapperArgs[@]}")
  '';
@@ -68,9 +53,6 @@ python3Packages.buildPythonApplication rec {
    homepage = "https://friture.org/";
    license = licenses.gpl3;
    platforms = platforms.linux; # fails on Darwin
-    maintainers = with maintainers; [
+    maintainers = with maintainers; [ laikq alyaeanyx ];
      laikq
      alyaeanyx
    ];
  };
 }
@@ -15,14 +15,14 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
  pname = "g4music";
-  version = "3.7.2";
+  version = "3.6.2";
  src = fetchFromGitLab {
    domain = "gitlab.gnome.org";
    owner = "neithern";
    repo = "g4music";
    rev = "v${finalAttrs.version}";
-    hash = "sha256-fG8OBAzdCdr3Yo8Vei93HlNa2TIL5gxWG+0jFYjSDZ8=";
+    hash = "sha256-yNKDTcLunTLhAtOBrjuycw0rrdCSwmhhVyBg3AfMUCQ=";
  };
  nativeBuildInputs = [
@@ -1,6 +1,7 @@
 { python3Packages
 , lib
 , fetchFromGitHub
 , perlPackages
 , gettext
 , gtk3
 , gobject-introspection
@@ -34,7 +35,6 @@ python3Packages.buildPythonApplication rec {
    wrapGAppsHook3
    glib
    gdk-pixbuf
    gobject-introspection
  ];
  buildInputs = [
@@ -45,6 +45,7 @@ python3Packages.buildPythonApplication rec {
    python3Packages.setuptools
    python3Packages.pygobject3
    gtk3
    gobject-introspection
    librsvg
    libayatana-appindicator
    libpulseaudio
@@ -5,13 +5,13 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
-  version = "10.74";
+  version = "10.72";
  pname = "monkeys-audio";
  src = fetchzip {
    url = "https://monkeysaudio.com/files/MAC_${
      builtins.concatStringsSep "" (lib.strings.splitString "." finalAttrs.version)}_SDK.zip";
-    hash = "sha256-AxRADWS5Ka62NLj6IqX5uF39mPxoWy+zQZQ7A2+DM7Y=";
+    hash = "sha256-vtpQhCV1hkme69liTO13vz+kxpA3zJ+U1In/4z6qLbQ=";
    stripRoot = false;
  };
  nativeBuildInputs = [
@@ -1,62 +1,35 @@
-{
+{ lib, fetchFromGitHub, pythonPackages, mopidy, unstableGitUpdater }:
  lib,
  fetchFromGitHub,
  pythonPackages,
  mopidy,
  nix-update-script,
 }:
 pythonPackages.buildPythonApplication rec {
  pname = "mopidy-spotify";
-  version = "5.0.0a2";
+  version = "4.1.1-unstable-2024-02-27";
  pyproject = true;
  src = fetchFromGitHub {
    owner = "mopidy";
    repo = "mopidy-spotify";
-    rev = "refs/tags/v${version}";
+    rev = "112d4abbb3f5b6477dab796f2824fa42196bfa0a";
-    hash = "sha256-QeABG9rQKJ8sIoK38R74N0s5rRG+zws7AZR0xPysdcY=";
+    hash = "sha256-RkXDzAbOOll3uCNZ2mFRnjqMkT/NkXOGjywLRTC9i60=";
  };
-  build-system = [ pythonPackages.setuptools ];
+  propagatedBuildInputs = [
  dependencies = [
    mopidy
-    pythonPackages.pykka
+    pythonPackages.responses
    pythonPackages.requests
  ];
-  optional-dependencies = {
+  nativeBuildInputs = [
-    lint = with pythonPackages; [
+    pythonPackages.pytestCheckHook
-      black
+  ];
      check-manifest
      flake8
      flake8-bugbear
      isort
    ];
    test = with pythonPackages; [
      pytest
      pytest-cov
      responses
    ];
    dev = optional-dependencies.lint ++ optional-dependencies.test ++ [ pythonPackages.tox ];
  };
  nativeCheckInputs = [ pythonPackages.pytestCheckHook ] ++ optional-dependencies.test;
  pythonImportsCheck = [ "mopidy_spotify" ];
-  passthru = {
+  passthru.updateScript = unstableGitUpdater {
-    updateScript = nix-update-script { };
+    tagPrefix = "v";
  };
-  meta = {
+  meta = with lib; {
    description = "Mopidy extension for playing music from Spotify";
    homepage = "https://github.com/mopidy/mopidy-spotify";
-    changelog = "https://github.com/mopidy/mopidy-spotify/releases/tag/v${version}";
+    description = "Mopidy extension for playing music from Spotify";
-    license = lib.licenses.asl20;
+    license = licenses.asl20;
-    maintainers = with lib.maintainers; [ getchoo ];
+    maintainers = with maintainers; [ ];
  };
 }
@@ -1,10 +1,8 @@
-{
+{ lib
-  lib,
+, fetchFromGitHub
-  fetchFromGitHub,
+, python3
-  python3,
+, mopidy
-  mopidy,
+, extraPkgs ? pkgs: []
  yt-dlp,
  extraPkgs ? pkgs: [ ],
 }:
 python3.pkgs.buildPythonApplication rec {
@@ -19,36 +17,22 @@ python3.pkgs.buildPythonApplication rec {
    hash = "sha256-iFt7r8Ljymc+grNJiOClTHkZOeo7AcYpcNc8tLMPROk=";
  };
-  propagatedBuildInputs =
+  propagatedBuildInputs = with python3.pkgs; [
-    with python3.pkgs;
+    beautifulsoup4
-    [
+    cachetools
-      beautifulsoup4
+    pykka
-      cachetools
+    requests
-      pykka
+    youtube-dl
-      requests
+    ytmusicapi
-      ytmusicapi
+  ] ++ [
-    ]
+    mopidy
-    ++ [
+  ] ++ extraPkgs pkgs;
      mopidy
      yt-dlp
    ]
    ++ extraPkgs pkgs;
  nativeCheckInputs = with python3.pkgs; [
    vcrpy
    pytestCheckHook
  ];
  postPatch = ''
    substituteInPlace mopidy_youtube/youtube.py \
      --replace-fail 'youtube_dl_package = "youtube_dl"' 'youtube_dl_package = "yt_dlp"'
    substituteInPlace tests/conftest.py \
      --replace-fail 'import youtube_dl' 'import yt_dlp' \
      --replace-fail 'patcher = mock.patch.object(youtube, "youtube_dl", spec=youtube_dl)' \
      'patcher = mock.patch.object(youtube, "youtube_dl", spec=yt_dlp)' \
      --replace-fail '"youtube_dl_package": "youtube_dl",' '"youtube_dl_package": "yt_dlp",'
  '';
  disabledTests = [
    # Test requires a YouTube API key
    "test_get_default_config"
@@ -61,7 +45,9 @@ python3.pkgs.buildPythonApplication rec {
    "tests/test_youtube.py"
  ];
-  pythonImportsCheck = [ "mopidy_youtube" ];
+  pythonImportsCheck = [
    "mopidy_youtube"
  ];
  meta = with lib; {
    description = "Mopidy extension for playing music from YouTube";
@@ -0,0 +1,94 @@
 { asio
 , cmake
 , curl
 , fetchFromGitHub
 , ffmpeg
 , gnutls
 , lame
 , lib
 , libev
 , game-music-emu
 , libmicrohttpd
 , libopenmpt
 , mpg123
 , ncurses
 , pkg-config
 , portaudio
 , stdenv
 , taglib
 # Linux Dependencies
 , alsa-lib
 , pipewireSupport ? !stdenv.hostPlatform.isDarwin, pipewire
 , pulseaudio
 , sndioSupport ? true, sndio
 , systemd
 , systemdSupport ? lib.meta.availableOn stdenv.hostPlatform systemd
 # Darwin Dependencies
 , Cocoa
 , SystemConfiguration
 , coreaudioSupport ? stdenv.hostPlatform.isDarwin, CoreAudio
 }:
 stdenv.mkDerivation rec {
  pname = "musikcube";
  version = "3.0.2";
  src = fetchFromGitHub {
    owner = "clangen";
    repo = pname;
    rev = version;
    hash = "sha512-IakZy6XsAE39awjzQI+R11JCPeQSaibx6+uX8Iea5WdlCundeovnPwSAi6RzzZl9dr2UftzzEiF4Aun8VMtqVA==";
  };
  outputs = [ "out" "dev" ];
  nativeBuildInputs = [
    cmake
    pkg-config
  ];
  buildInputs = [
    asio
    curl
    ffmpeg
    gnutls
    lame
    libev
    game-music-emu
    libmicrohttpd
    libopenmpt
    mpg123
    ncurses
    portaudio
    taglib
  ] ++ lib.optionals systemdSupport [
    systemd
  ] ++ lib.optionals stdenv.isLinux [
    alsa-lib pulseaudio
  ] ++ lib.optionals stdenv.isDarwin [
    Cocoa SystemConfiguration
  ] ++ lib.optionals coreaudioSupport [
    CoreAudio
  ] ++ lib.optionals sndioSupport [
    sndio
  ] ++ lib.optionals pipewireSupport [
    pipewire
  ];
  cmakeFlags = [
    "-DDISABLE_STRIP=true"
  ];
  postFixup = lib.optionalString stdenv.isDarwin ''
    install_name_tool -add_rpath $out/share/${pname} $out/share/${pname}/${pname}
    install_name_tool -add_rpath $out/share/${pname} $out/share/${pname}/${pname}d
  '';
  meta = {
    description = "Terminal-based music player, library, and streaming audio server";
    homepage = "https://musikcube.com/";
    maintainers = with lib.maintainers; [ aanderse afh ];
    license = lib.licenses.bsd3;
    platforms = lib.platforms.all;
  };
 }
@@ -16,13 +16,13 @@
 stdenv.mkDerivation (finalAttrs: {
  pname = "mympd";
-  version = "16.0.1";
+  version = "16.0.0";
  src = fetchFromGitHub {
    owner = "jcorporation";
    repo = "myMPD";
    rev = "v${finalAttrs.version}";
-    sha256 = "sha256-MyVGWdc9ASWWW9CikK06bFYKi1DHyjFxFlMgBLdBwbU=";
+    sha256 = "sha256-LYD1qjSlwv9wGBrZUaYz6Zcvl2n6cLi2aGycr4ZJWdY=";
  };
  nativeBuildInputs = [
@@ -1,7 +1,5 @@
 { lib
-# Python 3.12 demonstrates a peculiar segmentation fault with pyqt5. Using
+, python3Packages
 # pyqt6 with Python 3.12 should work, but this is not released yet.
 , python311Packages
 , fetchFromGitHub
 , chromaprint
@@ -13,7 +11,7 @@
 }:
 let
-  pythonPackages = python311Packages;
+  pythonPackages = python3Packages;
  pyqt5 =
    if enablePlayback then
      pythonPackages.pyqt5-multimedia
@@ -22,15 +20,14 @@ let
 in
 pythonPackages.buildPythonApplication rec {
  pname = "picard";
-  # nix-update --commit picard --version-regex 'release-(.*)'
+  version = "2.11";
  version = "2.12";
  format = "setuptools";
  src = fetchFromGitHub {
    owner = "metabrainz";
    repo = "picard";
    rev = "refs/tags/release-${version}";
-    hash = "sha256-+++NDJzXw4tA5eQd24r+l3UK3YS8Jy1t9WNiEU9sH0Q=";
+    hash = "sha256-2RGKHJKJ/QXR6Rehch4r1UtI+frRXa4G+n0bUmCGSu8=";
  };
  nativeBuildInputs = [
@@ -22,13 +22,9 @@ stdenv.mkDerivation (finalAttrs: {
  postInstall = ''
    install -Dm444 "$src/release/other/Freedesktop.org Resources/ProTracker 2 clone.desktop" \
-      $out/share/applications/pt2-clone.desktop
+      -t $out/share/applications
    install -Dm444 "$src/release/other/Freedesktop.org Resources/ProTracker 2 clone.png" \
-      $out/share/icons/hicolor/512x512/apps/pt2-clone.png
+      -t $out/share/icons/hicolor/512x512/apps
    # gtk-update-icon-cache does not like whitespace. Note that removing this
    # will not make the build fail, but it will make the NixOS test fail.
    substituteInPlace $out/share/applications/pt2-clone.desktop \
      --replace-fail "Icon=ProTracker 2 clone" Icon=pt2-clone
  '';
  passthru.tests = {
@@ -28,13 +28,13 @@ let
 in
 stdenv.mkDerivation rec {
  pname = "reaper";
-  version = "7.18";
+  version = "7.17";
  src = fetchurl {
    url = url_for_platform version stdenv.hostPlatform.qemuArch;
-    hash = if stdenv.isDarwin then "sha256-ETvWq+71G4v25F/iUjP7NWJ0QkPMKn7akfBOA7EKzKg=" else {
+    hash = if stdenv.isDarwin then "sha256-4+8MhvQ1LhfyhFCOMBgD4HHt0Oaj25y2U04++JuXxCM=" else {
-      x86_64-linux = "sha256-kddqIKgTTImbDIFtPqV/6YsnfNYsDPLhcelJIBC4R8s=";
+      x86_64-linux = "sha256-q3oTKcFSNec10kT1FlDaf2GS967y38VLq9GsquwN2Lg=";
-      aarch64-linux = "sha256-PNFSifZwH+VzfljyrlQZKZ+NEiiINXnVecOXgn1gY/Q=";
+      aarch64-linux = "sha256-5mxVkppm1SjC0C0SFI7uEdPWewNZXlrNAxbaFcNzzbU=";
    }.${stdenv.hostPlatform.system};
  };
@@ -1,29 +1,41 @@
 { lib
 , mkDerivation
 , fetchFromGitHub
 , fetchpatch
 , cmake
 , extra-cmake-modules
 , qtbase
 , qtquickcontrols2
 , SDL
 , python3
-, catch2_3
+, catch2
 , callPackage
 , nixosTests
 }:
 mkDerivation rec {
  pname = "sfxr-qt";
-  version = "1.5.1";
+  version = "1.5.0";
  src = fetchFromGitHub {
    owner = "agateau";
    repo = "sfxr-qt";
    rev = version;
-    sha256 = "sha256-JAWDk7mGkPtQ5yaA6UT9hlAy770MHrTBhBP9G8UqFKg=";
+    sha256 = "sha256-Ce5NJe1f+C4pPmtenHYvtkxste+nPuxJoB+N7K2nyRo=";
    fetchSubmodules = true;
  };
  postPatch = ''
    cp ${catch2}/include/catch2/catch.hpp 3rdparty/catch2/single_include/catch2/catch.hpp
  '';
  # Remove on next release
  patches = [(fetchpatch {
    name = "sfxr-qr-missing-qpainterpath-include";
    url = "https://github.com/agateau/sfxr-qt/commit/ef051f473654052112b647df987eb263e38faf47.patch";
    sha256 = "sha256-bqMnxHUzdS5oG/2hfr5MvkpwrtZW+GTN5fS2WpV2W2c=";
  })];
  nativeBuildInputs = [
    cmake
    extra-cmake-modules
@@ -36,14 +48,6 @@ mkDerivation rec {
    SDL
  ];
  checkInputs = [
    catch2_3
  ];
  cmakeFlags = [
    (lib.cmakeBool "USE_SYSTEM_CATCH2" true)
  ];
  doCheck = true;
  passthru.tests = {
@@ -5,11 +5,11 @@
 stdenv.mkDerivation rec {
  pname = "snd";
-  version = "24.5";
+  version = "24.4";
  src = fetchurl {
    url = "mirror://sourceforge/snd/snd-${version}.tar.gz";
-    sha256 = "sha256-Y497KAlUXtWhkrCd1QrqJkvWGwnzZfYRKaALiEo/7EI=";
+    sha256 = "sha256-nP4ngNUQvveSQBEqXlzYdaqD0SGzTDPwIiWhSabRu+8=";
  };
  nativeBuildInputs = [ pkg-config ];
@@ -29,7 +29,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
    homepage = "https://rogueamoeba.com/soundsource";
    license = licenses.unfree;
    sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
-    maintainers = with maintainers; [ emilytrau ];
+    maintainers = with maintainers; [ emilytrau Enzime ];
    platforms = platforms.darwin;
  };
 })
@@ -24,7 +24,6 @@
 , withImage ? true
 , withNotify ? true
 , withSixel ? true
 , withFuzzy ? true
 , stdenv
 , darwin
 , makeBinaryWrapper
@@ -34,16 +33,16 @@ assert lib.assertOneOf "withAudioBackend" withAudioBackend [ "" "alsa" "pulseaud
 rustPlatform.buildRustPackage rec {
  pname = "spotify-player";
-  version = "0.19.1";
+  version = "0.18.2";
  src = fetchFromGitHub {
    owner = "aome510";
    repo = pname;
    rev = "refs/tags/v${version}";
-    hash = "sha256-R8F7s8FPnCe+shNUN/u0qcxFy3IbyfVo2xZ5/E/qwaw=";
+    hash = "sha256-bLUPQgqSsE9tF5YiFj5B+Ylyy96DhWFNjwqXbQ9H8uc=";
  };
-  cargoHash = "sha256-7vximGisIIXBrwHXSWQjO08OraaweG7ZT6v+gVdYGVc=";
+  cargoHash = "sha256-rptGA7J63rHdmxuPIguhZYYs8tZbpidJ0fXroBBoEIM=";
  nativeBuildInputs = [
    pkg-config
@@ -84,8 +83,7 @@ rustPlatform.buildRustPackage rec {
    ++ lib.optionals withDaemon [ "daemon" ]
    ++ lib.optionals withNotify [ "notify" ]
    ++ lib.optionals withStreaming [ "streaming" ]
-    ++ lib.optionals withSixel [ "sixel" ]
+    ++ lib.optionals withSixel [ "sixel" ];
    ++ lib.optionals withFuzzy [ "fzf" ];
  # sixel-sys is dynamically linked to libsixel
  postInstall = lib.optionals (stdenv.isDarwin && withSixel) ''
@@ -99,6 +97,6 @@ rustPlatform.buildRustPackage rec {
    changelog = "https://github.com/aome510/spotify-player/releases/tag/v${version}";
    mainProgram = "spotify_player";
    license = lib.licenses.mit;
-    maintainers = with lib.maintainers; [ dit7ya xyven1 _71zenith ];
+    maintainers = with lib.maintainers; [ dit7ya xyven1 ];
  };
 }
@@ -36,6 +36,6 @@ stdenv.mkDerivation {
  '';
  meta = meta // {
-    maintainers = with lib.maintainers; [ matteopacini ];
+    maintainers = with lib.maintainers; [ Enzime ];
  };
 }
@@ -23,16 +23,16 @@
 rustPlatform.buildRustPackage rec {
  pname = "ludusavi";
-  version = "0.24.3";
+  version = "0.24.1";
  src = fetchFromGitHub {
    owner = "mtkennerly";
    repo = "ludusavi";
    rev = "v${version}";
-    hash = "sha256-FtLLj5uFcKuRTCSsSuyj0XGzFMVWQvVk4dTmBCmzfNs=";
+    hash = "sha256-nRNXVJJcpZmAfZwDEBaEFlry1gbITWEw0khtsXnMdm0=";
  };
-  cargoHash = "sha256-xC6HiXt8cfrDtno9IrOe8SP7WBL79paLI223fjxPsbg=";
+  cargoHash = "sha256-E5TaE4TlRA0wmRUiwFqivs18X6oiBCmeXrPI1GxKFBI=";
  nativeBuildInputs = [
    cmake
@@ -9,17 +9,17 @@ let
 in buildGoModule rec {
  pname = "go-ethereum";
-  version = "1.14.6";
+  version = "1.14.5";
  src = fetchFromGitHub {
    owner = "ethereum";
    repo = pname;
    rev = "v${version}";
-    sha256 = "sha256-X9XwVZpRnkp7oVKwyvQbs8ZaWwLkuLEEHNfV5BvfVvI=";
+    sha256 = "sha256-IY0BKoDRMVRZTIysdUgqhTFQx0Pz+kl61vbPbhSdT8k=";
  };
  proxyVendor = true;
-  vendorHash = "sha256-UP+bQM8ydfbILlVhuNPVIKLyXZFTzGmHizn2hYgNE4Y=";
+  vendorHash = "sha256-vzxtoLlD1RjmKBpMPqcH/AAzk2l/NifpRl4Sp4qBYLg=";
  doCheck = false;
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
gador	6ffc9119d7	fprintd: 1.94.2 -> 1.94.3 Signed-off-by: Florian Brandes <florian.brandes@posteo.de>	2024-07-07 11:05:19 +02:00
gador	ef56399d39	python312Packages.pypamtest: 1.1.3 -> 1.1.5 fix python 3.12 compatibility Signed-off-by: Florian Brandes <florian.brandes@posteo.de>	2024-07-07 11:05:09 +02:00