Merge master into haskell-updates

doc/languages-frameworks/python.section.md

@@ -288,7 +288,7 @@ self: super: {
         ps: with ps; [
           pyflakes
           pytest
-          python-language-server
+          black
         ]
       ))
 

maintainers/maintainer-list.nix

@@ -972,6 +972,12 @@
     githubId = 1118815;
     name = "Vikram Narayanan";
   };
+  armeenm = {
+    email = "mahdianarmeen@gmail.com";
+    github = "armeenm";
+    githubId = 29145250;
+    name = "Armeen Mahdian";
+  };
   armijnhemel = {
     email = "armijn@tjaldur.nl";
     github = "armijnhemel";
@@ -13976,6 +13982,13 @@
     githubId = 6191421;
     name = "Edward d'Albon";
   };
+  zebreus = {
+    matrix = "@lennart:cicen.net";
+    email = "lennarteichhorn+nixpkgs@gmail.com";
+    github = "Zebreus";
+    githubId = 1557253;
+    name = "Lennart Eichhorn";
+  };
   zef = {
     email = "zef@zef.me";
     name = "Zef Hemel";

nixos/doc/manual/from_md/release-notes/rl-2205.section.xml

@@ -455,6 +455,12 @@
           <link xlink:href="options.html#opt-services.nifi.enable">services.nifi</link>.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://kanidm.github.io/kanidm/stable/">kanidm</link>,
+          an identity management server written in Rust.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-22.05-incompatibilities">

nixos/doc/manual/release-notes/rl-2205.section.md

@@ -135,6 +135,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [nifi](https://nifi.apache.org), an easy to use, powerful, and reliable system to process and distribute data. Available as [services.nifi](options.html#opt-services.nifi.enable).
 
+- [kanidm](https://kanidm.github.io/kanidm/stable/), an identity management server written in Rust.
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Backward Incompatibilities {#sec-release-22.05-incompatibilities}

nixos/maintainers/scripts/lxd/lxd-image.nix

@@ -27,7 +27,7 @@ with lib;
   networking.useDHCP = false;
   networking.interfaces.eth0.useDHCP = true;
 
-  # As this is intended as a stadalone image, undo some of the minimal profile stuff
+  # As this is intended as a standalone image, undo some of the minimal profile stuff
   documentation.enable = true;
   documentation.nixos.enable = true;
   environment.noXlibs = false;

nixos/modules/module-list.nix

@@ -975,6 +975,7 @@
   ./services/security/hockeypuck.nix
   ./services/security/hologram-server.nix
   ./services/security/hologram-agent.nix
+  ./services/security/kanidm.nix
   ./services/security/munge.nix
   ./services/security/nginx-sso.nix
   ./services/security/oauth2_proxy.nix

nixos/modules/services/home-automation/home-assistant.nix

@@ -360,7 +360,14 @@ in {
   };
 
   config = mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
+    assertions = [
+      {
+        assertion = cfg.openFirewall -> !isNull cfg.config;
+        message = "openFirewall can only be used with a declarative config";
+      }
+    ];
+
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.config.http.server_port ];
 
     systemd.services.home-assistant = {
       description = "Home Assistant";

nixos/modules/services/misc/heisenbridge.nix

@@ -204,7 +204,7 @@ in
         NoNewPrivileges = true;
         LockPersonality = true;
         RestrictRealtime = true;
-        SystemCallFilter = ["@system-service" "~@priviledged" "@chown"];
+        SystemCallFilter = ["@system-service" "~@privileged" "@chown"];
         SystemCallArchitectures = "native";
         RestrictAddressFamilies = "AF_INET AF_INET6";
       };

nixos/modules/services/security/kanidm.nix

@@ -0,0 +1,345 @@
+{ config, lib, options, pkgs, ... }:
+let
+  cfg = config.services.kanidm;
+  settingsFormat = pkgs.formats.toml { };
+  # Remove null values, so we can document optional values that don't end up in the generated TOML file.
+  filterConfig = lib.converge (lib.filterAttrsRecursive (_: v: v != null));
+  serverConfigFile = settingsFormat.generate "server.toml" (filterConfig cfg.serverSettings);
+  clientConfigFile = settingsFormat.generate "kanidm-config.toml" (filterConfig cfg.clientSettings);
+  unixConfigFile = settingsFormat.generate "kanidm-unixd.toml" (filterConfig cfg.unixSettings);
+
+  defaultServiceConfig = {
+    BindReadOnlyPaths = [
+      "/nix/store"
+      "-/etc/resolv.conf"
+      "-/etc/nsswitch.conf"
+      "-/etc/hosts"
+      "-/etc/localtime"
+    ];
+    CapabilityBoundingSet = "";
+    # ProtectClock= adds DeviceAllow=char-rtc r
+    DeviceAllow = "";
+    # Implies ProtectSystem=strict, which re-mounts all paths
+    # DynamicUser = true;
+    LockPersonality = true;
+    MemoryDenyWriteExecute = true;
+    NoNewPrivileges = true;
+    PrivateDevices = true;
+    PrivateMounts = true;
+    PrivateNetwork = true;
+    PrivateTmp = true;
+    PrivateUsers = true;
+    ProcSubset = "pid";
+    ProtectClock = true;
+    ProtectHome = true;
+    ProtectHostname = true;
+    # Would re-mount paths ignored by temporary root
+    #ProtectSystem = "strict";
+    ProtectControlGroups = true;
+    ProtectKernelLogs = true;
+    ProtectKernelModules = true;
+    ProtectKernelTunables = true;
+    ProtectProc = "invisible";
+    RestrictAddressFamilies = [ ];
+    RestrictNamespaces = true;
+    RestrictRealtime = true;
+    RestrictSUIDSGID = true;
+    SystemCallArchitectures = "native";
+    SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
+    # Does not work well with the temporary root
+    #UMask = "0066";
+  };
+
+in
+{
+  options.services.kanidm = {
+    enableClient = lib.mkEnableOption "the Kanidm client";
+    enableServer = lib.mkEnableOption "the Kanidm server";
+    enablePam = lib.mkEnableOption "the Kanidm PAM and NSS integration.";
+
+    serverSettings = lib.mkOption {
+      type = lib.types.submodule {
+        freeformType = settingsFormat.type;
+
+        options = {
+          bindaddress = lib.mkOption {
+            description = "Address/port combination the webserver binds to.";
+            example = "[::1]:8443";
+            type = lib.types.str;
+          };
+          # Should be optional but toml does not accept null
+          ldapbindaddress = lib.mkOption {
+            description = ''
+              Address and port the LDAP server is bound to. Setting this to <literal>null</literal> disables the LDAP interface.
+            '';
+            example = "[::1]:636";
+            default = null;
+            type = lib.types.nullOr lib.types.str;
+          };
+          origin = lib.mkOption {
+            description = "The origin of your Kanidm instance. Must have https as protocol.";
+            example = "https://idm.example.org";
+            type = lib.types.strMatching "^https://.*";
+          };
+          domain = lib.mkOption {
+            description = ''
+              The <literal>domain</literal> that Kanidm manages. Must be below or equal to the domain
+              specified in <literal>serverSettings.origin</literal>.
+              This can be left at <literal>null</literal>, only if your instance has the role <literal>ReadOnlyReplica</literal>.
+              While it is possible to change the domain later on, it requires extra steps!
+              Please consider the warnings and execute the steps described
+              <link xlink:href="https://kanidm.github.io/kanidm/stable/administrivia.html#rename-the-domain">in the documentation</link>.
+            '';
+            example = "example.org";
+            default = null;
+            type = lib.types.nullOr lib.types.str;
+          };
+          db_path = lib.mkOption {
+            description = "Path to Kanidm database.";
+            default = "/var/lib/kanidm/kanidm.db";
+            readOnly = true;
+            type = lib.types.path;
+          };
+          log_level = lib.mkOption {
+            description = "Log level of the server.";
+            default = "default";
+            type = lib.types.enum [ "default" "verbose" "perfbasic" "perffull" ];
+          };
+          role = lib.mkOption {
+            description = "The role of this server. This affects the replication relationship and thereby available features.";
+            default = "WriteReplica";
+            type = lib.types.enum [ "WriteReplica" "WriteReplicaNoUI" "ReadOnlyReplica" ];
+          };
+        };
+      };
+      default = { };
+      description = ''
+        Settings for Kanidm, see
+        <link xlink:href="https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/server_configuration.md">the documentation</link>
+        and <link xlink:href="https://github.com/kanidm/kanidm/blob/master/examples/server.toml">example configuration</link>
+        for possible values.
+      '';
+    };
+
+    clientSettings = lib.mkOption {
+      type = lib.types.submodule {
+        freeformType = settingsFormat.type;
+
+        options.uri = lib.mkOption {
+          description = "Address of the Kanidm server.";
+          example = "http://127.0.0.1:8080";
+          type = lib.types.str;
+        };
+      };
+      description = ''
+        Configure Kanidm clients, needed for the PAM daemon. See
+        <link xlink:href="https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/client_tools.md#kanidm-configuration">the documentation</link>
+        and <link xlink:href="https://github.com/kanidm/kanidm/blob/master/examples/config">example configuration</link>
+        for possible values.
+      '';
+    };
+
+    unixSettings = lib.mkOption {
+      type = lib.types.submodule {
+        freeformType = settingsFormat.type;
+
+        options.pam_allowed_login_groups = lib.mkOption {
+          description = "Kanidm groups that are allowed to login using PAM.";
+          example = "my_pam_group";
+          type = lib.types.listOf lib.types.str;
+        };
+      };
+      description = ''
+        Configure Kanidm unix daemon.
+        See <link xlink:href="https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/pam_and_nsswitch.md#the-unix-daemon">the documentation</link>
+        and <link xlink:href="https://github.com/kanidm/kanidm/blob/master/examples/unixd">example configuration</link>
+        for possible values.
+      '';
+    };
+  };
+
+  config = lib.mkIf (cfg.enableClient || cfg.enableServer || cfg.enablePam) {
+    assertions =
+      [
+        {
+          assertion = !cfg.enableServer || ((cfg.serverSettings.tls_chain or null) == null) || (!lib.isStorePath cfg.serverSettings.tls_chain);
+          message = ''
+            <option>services.kanidm.serverSettings.tls_chain</option> points to
+            a file in the Nix store. You should use a quoted absolute path to
+            prevent this.
+          '';
+        }
+        {
+          assertion = !cfg.enableServer || ((cfg.serverSettings.tls_key or null) == null) || (!lib.isStorePath cfg.serverSettings.tls_key);
+          message = ''
+            <option>services.kanidm.serverSettings.tls_key</option> points to
+            a file in the Nix store. You should use a quoted absolute path to
+            prevent this.
+          '';
+        }
+        {
+          assertion = !cfg.enableClient || options.services.kanidm.clientSettings.isDefined;
+          message = ''
+            <option>services.kanidm.clientSettings</option> needs to be configured
+            if the client is enabled.
+          '';
+        }
+        {
+          assertion = !cfg.enablePam || options.services.kanidm.clientSettings.isDefined;
+          message = ''
+            <option>services.kanidm.clientSettings</option> needs to be configured
+            for the PAM daemon to connect to the Kanidm server.
+          '';
+        }
+        {
+          assertion = !cfg.enableServer || (cfg.serverSettings.domain == null
+            -> cfg.serverSettings.role == "WriteReplica" || cfg.serverSettings.role == "WriteReplicaNoUI");
+          message = ''
+            <option>services.kanidm.serverSettings.domain</option> can only be set if this instance
+            is not a ReadOnlyReplica. Otherwise the db would inherit it from
+            the instance it follows.
+          '';
+        }
+      ];
+
+    environment.systemPackages = lib.mkIf cfg.enableClient [ pkgs.kanidm ];
+
+    systemd.services.kanidm = lib.mkIf cfg.enableServer {
+      description = "kanidm identity management daemon";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      serviceConfig = defaultServiceConfig // {
+        StateDirectory = "kanidm";
+        StateDirectoryMode = "0700";
+        ExecStart = "${pkgs.kanidm}/bin/kanidmd server -c ${serverConfigFile}";
+        User = "kanidm";
+        Group = "kanidm";
+
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+        # This would otherwise override the CAP_NET_BIND_SERVICE capability.
+        PrivateUsers = false;
+        # Port needs to be exposed to the host network
+        PrivateNetwork = false;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        TemporaryFileSystem = "/:ro";
+      };
+      environment.RUST_LOG = "info";
+    };
+
+    systemd.services.kanidm-unixd = lib.mkIf cfg.enablePam {
+      description = "Kanidm PAM daemon";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      restartTriggers = [ unixConfigFile clientConfigFile ];
+      serviceConfig = defaultServiceConfig // {
+        CacheDirectory = "kanidm-unixd";
+        CacheDirectoryMode = "0700";
+        RuntimeDirectory = "kanidm-unixd";
+        ExecStart = "${pkgs.kanidm}/bin/kanidm_unixd";
+        User = "kanidm-unixd";
+        Group = "kanidm-unixd";
+
+        BindReadOnlyPaths = [
+          "/nix/store"
+          "-/etc/resolv.conf"
+          "-/etc/nsswitch.conf"
+          "-/etc/hosts"
+          "-/etc/localtime"
+          "-/etc/kanidm"
+          "-/etc/static/kanidm"
+        ];
+        BindPaths = [
+          # To create the socket
+          "/run/kanidm-unixd:/var/run/kanidm-unixd"
+        ];
+        # Needs to connect to kanidmd
+        PrivateNetwork = false;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+        TemporaryFileSystem = "/:ro";
+      };
+      environment.RUST_LOG = "info";
+    };
+
+    systemd.services.kanidm-unixd-tasks = lib.mkIf cfg.enablePam {
+      description = "Kanidm PAM home management daemon";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "kanidm-unixd.service" ];
+      partOf = [ "kanidm-unixd.service" ];
+      restartTriggers = [ unixConfigFile clientConfigFile ];
+      serviceConfig = {
+        ExecStart = "${pkgs.kanidm}/bin/kanidm_unixd_tasks";
+
+        BindReadOnlyPaths = [
+          "/nix/store"
+          "-/etc/resolv.conf"
+          "-/etc/nsswitch.conf"
+          "-/etc/hosts"
+          "-/etc/localtime"
+          "-/etc/kanidm"
+          "-/etc/static/kanidm"
+        ];
+        BindPaths = [
+          # To manage home directories
+          "/home"
+          # To connect to kanidm-unixd
+          "/run/kanidm-unixd:/var/run/kanidm-unixd"
+        ];
+        # CAP_DAC_OVERRIDE is needed to ignore ownership of unixd socket
+        CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_FOWNER" "CAP_DAC_OVERRIDE" "CAP_DAC_READ_SEARCH" ];
+        IPAddressDeny = "any";
+        # Need access to users
+        PrivateUsers = false;
+        # Need access to home directories
+        ProtectHome = false;
+        RestrictAddressFamilies = [ "AF_UNIX" ];
+        TemporaryFileSystem = "/:ro";
+      };
+      environment.RUST_LOG = "info";
+    };
+
+    # These paths are hardcoded
+    environment.etc = lib.mkMerge [
+      (lib.mkIf options.services.kanidm.clientSettings.isDefined {
+        "kanidm/config".source = clientConfigFile;
+      })
+      (lib.mkIf cfg.enablePam {
+        "kanidm/unixd".source = unixConfigFile;
+      })
+    ];
+
+    system.nssModules = lib.mkIf cfg.enablePam [ pkgs.kanidm ];
+
+    system.nssDatabases.group = lib.optional cfg.enablePam "kanidm";
+    system.nssDatabases.passwd = lib.optional cfg.enablePam "kanidm";
+
+    users.groups = lib.mkMerge [
+      (lib.mkIf cfg.enableServer {
+        kanidm = { };
+      })
+      (lib.mkIf cfg.enablePam {
+        kanidm-unixd = { };
+      })
+    ];
+    users.users = lib.mkMerge [
+      (lib.mkIf cfg.enableServer {
+        kanidm = {
+          description = "Kanidm server";
+          isSystemUser = true;
+          group = "kanidm";
+          packages = with pkgs; [ kanidm ];
+        };
+      })
+      (lib.mkIf cfg.enablePam {
+        kanidm-unixd = {
+          description = "Kanidm PAM daemon";
+          isSystemUser = true;
+          group = "kanidm-unixd";
+        };
+      })
+    ];
+  };
+
+  meta.maintainers = with lib.maintainers; [ erictapen Flakebi ];
+  meta.buildDocsInSandbox = false;
+}

nixos/modules/system/boot/plymouth.nix

@@ -4,7 +4,10 @@ with lib;
 
 let
 
-  inherit (pkgs) plymouth nixos-icons;
+  inherit (pkgs) nixos-icons;
+  plymouth = pkgs.plymouth.override {
+    systemd = config.boot.initrd.systemd.package;
+  };
 
   cfg = config.boot.plymouth;
   opt = options.boot.plymouth;
@@ -143,7 +146,88 @@ in
     systemd.services.systemd-ask-password-plymouth.wantedBy = [ "multi-user.target" ];
     systemd.paths.systemd-ask-password-plymouth.wantedBy = [ "multi-user.target" ];
 
-    boot.initrd.extraUtilsCommands = ''
+    boot.initrd.systemd = {
+      extraBin.plymouth = "${plymouth}/bin/plymouth"; # for the recovery shell
+      storePaths = [
+        "${lib.getBin config.boot.initrd.systemd.package}/bin/systemd-tty-ask-password-agent"
+        "${plymouth}/bin/plymouthd"
+        "${plymouth}/sbin/plymouthd"
+      ];
+      packages = [ plymouth ]; # systemd units
+      contents = {
+        # Files
+        "/etc/plymouth/plymouthd.conf".source = configFile;
+        "/etc/plymouth/plymouthd.defaults".source = "${plymouth}/share/plymouth/plymouthd.defaults";
+        "/etc/plymouth/logo.png".source = cfg.logo;
+        # Directories
+        "/etc/plymouth/plugins".source = pkgs.runCommand "plymouth-initrd-plugins" {} ''
+          # Check if the actual requested theme is here
+          if [[ ! -d ${themesEnv}/share/plymouth/themes/${cfg.theme} ]]; then
+              echo "The requested theme: ${cfg.theme} is not provided by any of the packages in boot.plymouth.themePackages"
+              exit 1
+          fi
+
+          moduleName="$(sed -n 's,ModuleName *= *,,p' ${themesEnv}/share/plymouth/themes/${cfg.theme}/${cfg.theme}.plymouth)"
+
+          mkdir -p $out/renderers
+          # module might come from a theme
+          cp ${themesEnv}/lib/plymouth/{text,details,label,$moduleName}.so $out
+          cp ${plymouth}/lib/plymouth/renderers/{drm,frame-buffer}.so $out/renderers
+        '';
+        "/etc/plymouth/themes".source = pkgs.runCommand "plymouth-initrd-themes" {} ''
+          # Check if the actual requested theme is here
+          if [[ ! -d ${themesEnv}/share/plymouth/themes/${cfg.theme} ]]; then
+              echo "The requested theme: ${cfg.theme} is not provided by any of the packages in boot.plymouth.themePackages"
+              exit 1
+          fi
+
+          mkdir $out
+          cp -r ${themesEnv}/share/plymouth/themes/${cfg.theme} $out
+          # Copy more themes if the theme depends on others
+          for theme in $(grep -hRo '/etc/plymouth/themes/.*$' ${themesEnv} | xargs -n1 basename); do
+              if [[ -d "${themesEnv}/theme" ]]; then
+                  cp -r "${themesEnv}/theme" $out
+              fi
+          done
+        '';
+
+        # Fonts
+        "/etc/plymouth/fonts".source = pkgs.runCommand "plymouth-initrd-fonts" {} ''
+          mkdir -p $out
+          cp ${cfg.font} $out
+        '';
+        "/etc/fonts/fonts.conf".text = ''
+          <?xml version="1.0"?>
+          <!DOCTYPE fontconfig SYSTEM "urn:fontconfig:fonts.dtd">
+          <fontconfig>
+              <dir>/etc/plymouth/fonts</dir>
+          </fontconfig>
+        '';
+      };
+      # Properly enable units. These are the units that arch copies
+      services = {
+        plymouth-halt.wantedBy = [ "halt.target" ];
+        plymouth-kexec.wantedBy = [ "kexec.target" ];
+        plymouth-poweroff.wantedBy = [ "poweroff.target" ];
+        plymouth-quit-wait.wantedBy = [ "multi-user.target" ];
+        plymouth-quit.wantedBy = [ "multi-user.target" ];
+        plymouth-read-write.wantedBy = [ "sysinit.target" ];
+        plymouth-reboot.wantedBy = [ "reboot.target" ];
+        plymouth-start.wantedBy = [ "initrd-switch-root.target" "sysinit.target" ];
+        plymouth-switch-root-initramfs.wantedBy = [ "halt.target" "kexec.target" "plymouth-switch-root-initramfs.service" "poweroff.target" "reboot.target" ];
+        plymouth-switch-root.wantedBy = [ "initrd-switch-root.target" ];
+      };
+    };
+
+    # Insert required udev rules. We take stage 2 systemd because the udev
+    # rules are only generated when building with logind.
+    boot.initrd.services.udev.packages = [ (pkgs.runCommand "initrd-plymouth-udev-rules" {} ''
+      mkdir -p $out/etc/udev/rules.d
+      cp ${config.systemd.package.out}/lib/udev/rules.d/{70-uaccess,71-seat}.rules $out/etc/udev/rules.d
+      sed -i '/loginctl/d' $out/etc/udev/rules.d/71-seat.rules
+    '') ];
+
+    boot.initrd.extraUtilsCommands = lib.mkIf (!config.boot.initrd.systemd.enable) ''
       copy_bin_and_libs ${plymouth}/bin/plymouth
       copy_bin_and_libs ${plymouth}/bin/plymouthd
 
@@ -198,18 +282,18 @@ in
       EOF
     '';
 
-    boot.initrd.extraUtilsCommandsTest = ''
+    boot.initrd.extraUtilsCommandsTest = mkIf (!config.boot.initrd.enable) ''
       $out/bin/plymouthd --help >/dev/null
       $out/bin/plymouth --help >/dev/null
     '';
 
-    boot.initrd.extraUdevRulesCommands = ''
+    boot.initrd.extraUdevRulesCommands = mkIf (!config.boot.initrd.enable) ''
       cp ${config.systemd.package}/lib/udev/rules.d/{70-uaccess,71-seat}.rules $out
       sed -i '/loginctl/d' $out/71-seat.rules
     '';
 
     # We use `mkAfter` to ensure that LUKS password prompt would be shown earlier than the splash screen.
-    boot.initrd.preLVMCommands = mkAfter ''
+    boot.initrd.preLVMCommands = mkIf (!config.boot.initrd.enable) (mkAfter ''
       mkdir -p /etc/plymouth
       mkdir -p /run/plymouth
       ln -s ${configFile} /etc/plymouth/plymouthd.conf
@@ -221,16 +305,16 @@ in
 
       plymouthd --mode=boot --pid-file=/run/plymouth/pid --attach-to-session
       plymouth show-splash
-    '';
+    '');
 
-    boot.initrd.postMountCommands = ''
+    boot.initrd.postMountCommands = mkIf (!config.boot.initrd.enable) ''
       plymouth update-root-fs --new-root-dir="$targetRoot"
     '';
 
     # `mkBefore` to ensure that any custom prompts would be visible.
-    boot.initrd.preFailCommands = mkBefore ''
+    boot.initrd.preFailCommands = mkIf (!config.boot.initrd.enable) (mkBefore ''
       plymouth quit --wait
-    '';
+    '');
 
   };
 

nixos/modules/system/boot/systemd/nspawn.nix

@@ -16,7 +16,7 @@ let
       "LimitNOFILE" "LimitAS" "LimitNPROC" "LimitMEMLOCK" "LimitLOCKS"
       "LimitSIGPENDING" "LimitMSGQUEUE" "LimitNICE" "LimitRTPRIO" "LimitRTTIME"
       "OOMScoreAdjust" "CPUAffinity" "Hostname" "ResolvConf" "Timezone"
-      "LinkJournal"
+      "LinkJournal" "Ephemeral" "AmbientCapability"
     ])
     (assertValueOneOf "Boot" boolValues)
     (assertValueOneOf "ProcessTwo" boolValues)
@@ -26,11 +26,13 @@ let
   checkFiles = checkUnitConfig "Files" [
     (assertOnlyFields [
       "ReadOnly" "Volatile" "Bind" "BindReadOnly" "TemporaryFileSystem"
-      "Overlay" "OverlayReadOnly" "PrivateUsersChown"
+      "Overlay" "OverlayReadOnly" "PrivateUsersChown" "BindUser"
+      "Inaccessible" "PrivateUserOwnership"
     ])
     (assertValueOneOf "ReadOnly" boolValues)
     (assertValueOneOf "Volatile" (boolValues ++ [ "state" ]))
     (assertValueOneOf "PrivateUsersChown" boolValues)
+    (assertValueOneOf "PrivateUserOwnership" [ "off" "chown" "map" "auto" ])
   ];
 
   checkNetwork = checkUnitConfig "Network" [

nixos/modules/tasks/filesystems/zfs.nix

@@ -58,6 +58,13 @@ let
   # latter case it makes one last attempt at importing, allowing the system to
   # (eventually) boot even with a degraded pool.
   importLib = {zpoolCmd, awkCmd, cfgZfs}: ''
+    for o in $(cat /proc/cmdline); do
+      case $o in
+        zfs_force|zfs_force=1|zfs_force=y)
+          ZFS_FORCE="-f"
+          ;;
+      esac
+    done
     poolReady() {
       pool="$1"
       state="$("${zpoolCmd}" import 2>/dev/null | "${awkCmd}" "/pool: $pool/ { found = 1 }; /state:/ { if (found == 1) { print \$2; exit } }; END { if (found == 0) { print \"MISSING\" } }")"
@@ -78,6 +85,95 @@ let
     }
   '';
 
+  getPoolFilesystems = pool:
+    filter (x: x.fsType == "zfs" && (fsToPool x) == pool) config.system.build.fileSystems;
+
+  getPoolMounts = prefix: pool:
+    let
+      # Remove the "/" suffix because even though most mountpoints
+      # won't have it, the "/" mountpoint will, and we can't have the
+      # trailing slash in "/sysroot/" in stage 1.
+      mountPoint = fs: escapeSystemdPath (prefix + (lib.removeSuffix "/" fs.mountPoint));
+    in
+      map (x: "${mountPoint x}.mount") (getPoolFilesystems pool);
+
+  getKeyLocations = pool:
+    if isBool cfgZfs.requestEncryptionCredentials
+    then "${cfgZfs.package}/sbin/zfs list -rHo name,keylocation,keystatus ${pool}"
+    else "${cfgZfs.package}/sbin/zfs list -Ho name,keylocation,keystatus ${toString (filter (x: datasetToPool x == pool) cfgZfs.requestEncryptionCredentials)}";
+
+  createImportService = { pool, systemd, force, prefix ? "" }:
+    nameValuePair "zfs-import-${pool}" {
+      description = "Import ZFS pool \"${pool}\"";
+      # we need systemd-udev-settle to ensure devices are available
+      # In the future, hopefully someone will complete this:
+      # https://github.com/zfsonlinux/zfs/pull/4943
+      requires = [ "systemd-udev-settle.service" ];
+      after = [
+        "systemd-udev-settle.service"
+        "systemd-modules-load.service"
+        "systemd-ask-password-console.service"
+      ];
+      wantedBy = (getPoolMounts prefix pool) ++ [ "local-fs.target" ];
+      before = (getPoolMounts prefix pool) ++ [ "local-fs.target" ];
+      unitConfig = {
+        DefaultDependencies = "no";
+      };
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      environment.ZFS_FORCE = optionalString force "-f";
+      script = (importLib {
+        # See comments at importLib definition.
+        zpoolCmd = "${cfgZfs.package}/sbin/zpool";
+        awkCmd = "${pkgs.gawk}/bin/awk";
+        inherit cfgZfs;
+      }) + ''
+        poolImported "${pool}" && exit
+        echo -n "importing ZFS pool \"${pool}\"..."
+        # Loop across the import until it succeeds, because the devices needed may not be discovered yet.
+        for trial in `seq 1 60`; do
+          poolReady "${pool}" && poolImport "${pool}" && break
+          sleep 1
+        done
+        poolImported "${pool}" || poolImport "${pool}"  # Try one last time, e.g. to import a degraded pool.
+        if poolImported "${pool}"; then
+          ${optionalString (if isBool cfgZfs.requestEncryptionCredentials
+                            then cfgZfs.requestEncryptionCredentials
+                            else cfgZfs.requestEncryptionCredentials != []) ''
+            ${getKeyLocations pool} | while IFS=$'\t' read ds kl ks; do
+              {
+              if [[ "$ks" != unavailable ]]; then
+                continue
+              fi
+              case "$kl" in
+                none )
+                  ;;
+                prompt )
+                  tries=3
+                  success=false
+                  while [[ $success != true ]] && [[ $tries -gt 0 ]]; do
+                    ${systemd}/bin/systemd-ask-password "Enter key for $ds:" | ${cfgZfs.package}/sbin/zfs load-key "$ds" \
+                      && success=true \
+                      || tries=$((tries - 1))
+                  done
+                  [[ $success = true ]]
+                  ;;
+                * )
+                  ${cfgZfs.package}/sbin/zfs load-key "$ds"
+                  ;;
+              esac
+              } < /dev/null # To protect while read ds kl in case anything reads stdin
+            done
+          ''}
+          echo "Successfully imported ${pool}"
+        else
+          exit 1
+        fi
+      '';
+    };
+
   zedConf = generators.toKeyValue {
     mkKeyValue = generators.mkKeyValueDefault {
       mkValueString = v:
@@ -428,14 +524,6 @@ in
           '';
         postDeviceCommands = concatStringsSep "\n" ([''
             ZFS_FORCE="${optionalString cfgZfs.forceImportRoot "-f"}"
-
-            for o in $(cat /proc/cmdline); do
-              case $o in
-                zfs_force|zfs_force=1)
-                  ZFS_FORCE="-f"
-                  ;;
-              esac
-            done
           ''] ++ [(importLib {
             # See comments at importLib definition.
             zpoolCmd = "zpool";
@@ -464,6 +552,21 @@ in
                 zfs load-key ${fs}
               '') cfgZfs.requestEncryptionCredentials}
         '') rootPools));
+
+        # Systemd in stage 1
+        systemd = {
+          packages = [cfgZfs.package];
+          services = listToAttrs (map (pool: createImportService {
+            inherit pool;
+            systemd = config.boot.initrd.systemd.package;
+            force = cfgZfs.forceImportRoot;
+            prefix = "/sysroot";
+          }) rootPools);
+          extraBin = {
+            # zpool and zfs are already in thanks to fsPackages
+            awk = "${pkgs.gawk}/bin/awk";
+          };
+        };
       };
 
       systemd.shutdownRamfs.contents."/etc/systemd/system-shutdown/zpool".source = pkgs.writeShellScript "zpool-sync-shutdown" ''
@@ -521,79 +624,11 @@ in
       systemd.packages = [ cfgZfs.package ];
 
       systemd.services = let
-        getPoolFilesystems = pool:
+        createImportService' = pool: createImportService {
-          filter (x: x.fsType == "zfs" && (fsToPool x) == pool) config.system.build.fileSystems;
+          inherit pool;
-
+          systemd = config.systemd.package;
-        getPoolMounts = pool:
+          force = cfgZfs.forceImportAll;
-          let
+        };
-            mountPoint = fs: escapeSystemdPath fs.mountPoint;
-          in
-            map (x: "${mountPoint x}.mount") (getPoolFilesystems pool);
-
-        createImportService = pool:
-          nameValuePair "zfs-import-${pool}" {
-            description = "Import ZFS pool \"${pool}\"";
-            # we need systemd-udev-settle until https://github.com/zfsonlinux/zfs/pull/4943 is merged
-            requires = [ "systemd-udev-settle.service" ];
-            after = [
-              "systemd-udev-settle.service"
-              "systemd-modules-load.service"
-              "systemd-ask-password-console.service"
-            ];
-            wantedBy = (getPoolMounts pool) ++ [ "local-fs.target" ];
-            before = (getPoolMounts pool) ++ [ "local-fs.target" ];
-            unitConfig = {
-              DefaultDependencies = "no";
-            };
-            serviceConfig = {
-              Type = "oneshot";
-              RemainAfterExit = true;
-            };
-            environment.ZFS_FORCE = optionalString cfgZfs.forceImportAll "-f";
-            script = (importLib {
-              # See comments at importLib definition.
-              zpoolCmd = "${cfgZfs.package}/sbin/zpool";
-              awkCmd = "${pkgs.gawk}/bin/awk";
-              inherit cfgZfs;
-            }) + ''
-              poolImported "${pool}" && exit
-              echo -n "importing ZFS pool \"${pool}\"..."
-              # Loop across the import until it succeeds, because the devices needed may not be discovered yet.
-              for trial in `seq 1 60`; do
-                poolReady "${pool}" && poolImport "${pool}" && break
-                sleep 1
-              done
-              poolImported "${pool}" || poolImport "${pool}"  # Try one last time, e.g. to import a degraded pool.
-              if poolImported "${pool}"; then
-                ${optionalString (if isBool cfgZfs.requestEncryptionCredentials
-                                  then cfgZfs.requestEncryptionCredentials
-                                  else cfgZfs.requestEncryptionCredentials != []) ''
-                  ${cfgZfs.package}/sbin/zfs list -rHo name,keylocation ${pool} | while IFS=$'\t' read ds kl; do
-                    {
-                      ${optionalString (!isBool cfgZfs.requestEncryptionCredentials) ''
-                         if ! echo '${concatStringsSep "\n" cfgZfs.requestEncryptionCredentials}' | grep -qFx "$ds"; then
-                           continue
-                         fi
-                       ''}
-                    case "$kl" in
-                      none )
-                        ;;
-                      prompt )
-                        ${config.systemd.package}/bin/systemd-ask-password "Enter key for $ds:" | ${cfgZfs.package}/sbin/zfs load-key "$ds"
-                        ;;
-                      * )
-                        ${cfgZfs.package}/sbin/zfs load-key "$ds"
-                        ;;
-                    esac
-                    } < /dev/null # To protect while read ds kl in case anything reads stdin
-                  done
-                ''}
-                echo "Successfully imported ${pool}"
-              else
-                exit 1
-              fi
-            '';
-          };
 
         # This forces a sync of any ZFS pools prior to poweroff, even if they're set
         # to sync=disabled.
@@ -619,7 +654,7 @@ in
             wantedBy = [ "zfs.target" ];
           };
 
-      in listToAttrs (map createImportService dataPools ++
+      in listToAttrs (map createImportService' dataPools ++
                       map createSyncService allPools ++
                       map createZfsService [ "zfs-mount" "zfs-share" "zfs-zed" ]);
 

nixos/tests/all-tests.nix

@@ -253,6 +253,7 @@ in
   k3s-single-node = handleTest ./k3s-single-node.nix {};
   k3s-single-node-docker = handleTest ./k3s-single-node-docker.nix {};
   kafka = handleTest ./kafka.nix {};
+  kanidm = handleTest ./kanidm.nix {};
   kbd-setfont-decompress = handleTest ./kbd-setfont-decompress.nix {};
   kbd-update-search-paths-patch = handleTest ./kbd-update-search-paths-patch.nix {};
   kea = handleTest ./kea.nix {};
@@ -284,7 +285,6 @@ in
   loki = handleTest ./loki.nix {};
   lvm2 = handleTest ./lvm2 {};
   lxd = handleTest ./lxd.nix {};
-  lxd-image = handleTest ./lxd-image.nix {};
   lxd-nftables = handleTest ./lxd-nftables.nix {};
   lxd-image-server = handleTest ./lxd-image-server.nix {};
   #logstash = handleTest ./logstash.nix {};

nixos/tests/common/lxd/config.yaml

@@ -0,0 +1,24 @@
+storage_pools:
+  - name: default
+    driver: dir
+    config:
+      source: /var/lxd-pool
+
+networks:
+  - name: lxdbr0
+    type: bridge
+    config:
+      ipv4.address: auto
+      ipv6.address: none
+
+profiles:
+  - name: default
+    devices:
+      eth0:
+        name: eth0
+        network: lxdbr0
+        type: nic
+      root:
+        path: /
+        pool: default
+        type: disk

nixos/tests/installed-tests/default.nix

@@ -106,6 +106,5 @@ in
   malcontent = callInstalledTest ./malcontent.nix {};
   ostree = callInstalledTest ./ostree.nix {};
   pipewire = callInstalledTest ./pipewire.nix {};
-  power-profiles-daemon = callInstalledTest ./power-profiles-daemon.nix {};
   xdg-desktop-portal = callInstalledTest ./xdg-desktop-portal.nix {};
 }

nixos/tests/installed-tests/power-profiles-daemon.nix

@@ -1,9 +0,0 @@
-{ pkgs, lib, makeInstalledTest, ... }:
-
-makeInstalledTest {
-  tested = pkgs.power-profiles-daemon;
-
-  testConfig = {
-    services.power-profiles-daemon.enable = true;
-  };
-}

nixos/tests/installer-systemd-stage-1.nix

@@ -27,7 +27,7 @@
     simpleUefiGrubSpecialisation
     simpleUefiSystemdBoot
     # swraid
-    # zfsroot
+    zfsroot
     ;
 
 }

nixos/tests/kanidm.nix

@@ -0,0 +1,75 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+  let
+    certs = import ./common/acme/server/snakeoil-certs.nix;
+    serverDomain = certs.domain;
+  in
+  {
+    name = "kanidm";
+    meta.maintainers = with pkgs.lib.maintainers; [ erictapen Flakebi ];
+
+    nodes.server = { config, pkgs, lib, ... }: {
+      services.kanidm = {
+        enableServer = true;
+        serverSettings = {
+          origin = "https://${serverDomain}";
+          domain = serverDomain;
+          bindaddress = "[::1]:8443";
+          ldapbindaddress = "[::1]:636";
+        };
+      };
+
+      services.nginx = {
+        enable = true;
+        recommendedProxySettings = true;
+        virtualHosts."${serverDomain}" = {
+          forceSSL = true;
+          sslCertificate = certs."${serverDomain}".cert;
+          sslCertificateKey = certs."${serverDomain}".key;
+          locations."/".proxyPass = "http://[::1]:8443";
+        };
+      };
+
+      security.pki.certificateFiles = [ certs.ca.cert ];
+
+      networking.hosts."::1" = [ serverDomain ];
+      networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+      users.users.kanidm.shell = pkgs.bashInteractive;
+
+      environment.systemPackages = with pkgs; [ kanidm openldap ripgrep ];
+    };
+
+    nodes.client = { pkgs, nodes, ... }: {
+      services.kanidm = {
+        enableClient = true;
+        clientSettings = {
+          uri = "https://${serverDomain}";
+        };
+      };
+
+      networking.hosts."${nodes.server.config.networking.primaryIPAddress}" = [ serverDomain ];
+
+      security.pki.certificateFiles = [ certs.ca.cert ];
+    };
+
+    testScript = { nodes, ... }:
+      let
+        ldapBaseDN = builtins.concatStringsSep "," (map (s: "dc=" + s) (pkgs.lib.splitString "." serverDomain));
+
+        # We need access to the config file in the test script.
+        filteredConfig = pkgs.lib.converge
+          (pkgs.lib.filterAttrsRecursive (_: v: v != null))
+          nodes.server.config.services.kanidm.serverSettings;
+        serverConfigFile = (pkgs.formats.toml { }).generate "server.toml" filteredConfig;
+
+      in
+      ''
+        start_all()
+        server.wait_for_unit("kanidm.service")
+        server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm")
+        server.wait_until_succeeds("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'")
+        client.wait_until_succeeds("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}")
+        (rv, result) = server.execute("kanidmd recover_account -d quiet -c ${serverConfigFile} -n admin 2>&1 | rg -o '[A-Za-z0-9]{48}'")
+        assert rv == 0
+      '';
+  })

nixos/tests/lxd-image-server.nix

@@ -1,54 +1,21 @@
-import ./make-test-python.nix ({ pkgs, ...} :
+import ./make-test-python.nix ({ pkgs, lib, ... } :
 
 let
-  # Since we don't have access to the internet during the tests, we have to
+  lxd-image = import ../release.nix {
-  # pre-fetch lxd containers beforehand.
+    configuration = {
-  #
+      # Building documentation makes the test unnecessarily take a longer time:
-  # I've chosen to import Alpine Linux, because its image is turbo-tiny and,
+      documentation.enable = lib.mkForce false;
-  # generally, sufficient for our tests.
+    };
-  alpine-meta = pkgs.fetchurl {
-    url = "https://tarballs.nixos.org/alpine/3.12/lxd.tar.xz";
-    hash = "sha256-1tcKaO9lOkvqfmG/7FMbfAEToAuFy2YMewS8ysBKuLA=";
-  };
-
-  alpine-rootfs = pkgs.fetchurl {
-    url = "https://tarballs.nixos.org/alpine/3.12/rootfs.tar.xz";
-    hash = "sha256-Tba9sSoaiMtQLY45u7p5DMqXTSDgs/763L/SQp0bkCA=";
   };
 
-  lxd-config = pkgs.writeText "config.yaml" ''
+  lxd-image-metadata = lxd-image.lxdMeta.${pkgs.system};
-    storage_pools:
+  lxd-image-rootfs = lxd-image.lxdImage.${pkgs.system};
-      - name: default
-        driver: dir
-        config:
-          source: /var/lxd-pool
-
-    networks:
-      - name: lxdbr0
-        type: bridge
-        config:
-          ipv4.address: auto
-          ipv6.address: none
-
-    profiles:
-      - name: default
-        devices:
-          eth0:
-            name: eth0
-            network: lxdbr0
-            type: nic
-          root:
-            path: /
-            pool: default
-            type: disk
-  '';
-
 
 in {
   name = "lxd-image-server";
 
   meta = with pkgs.lib.maintainers; {
-    maintainers = [ mkg20001 ];
+    maintainers = [ mkg20001 patryk27 ];
   };
 
   nodes.machine = { lib, ... }: {
@@ -100,20 +67,20 @@ in {
     # lxd expects the pool's directory to already exist
     machine.succeed("mkdir /var/lxd-pool")
 
-
     machine.succeed(
-        "cat ${lxd-config} | lxd init --preseed"
+        "cat ${./common/lxd/config.yaml} | lxd init --preseed"
     )
 
     machine.succeed(
-        "lxc image import ${alpine-meta} ${alpine-rootfs} --alias alpine"
+        "lxc image import ${lxd-image-metadata}/*/*.tar.xz ${lxd-image-rootfs}/*/*.tar.xz --alias nixos"
     )
 
-    loc = "/var/www/simplestreams/images/iats/alpine/amd64/default/v1"
+    loc = "/var/www/simplestreams/images/iats/nixos/amd64/default/v1"
 
     with subtest("push image to server"):
-        machine.succeed("lxc launch alpine test")
+        machine.succeed("lxc launch nixos test")
-        machine.succeed("lxc stop test")
+        machine.sleep(5)
+        machine.succeed("lxc stop -f test")
         machine.succeed("lxc publish --public test --alias=testimg")
         machine.succeed("lxc image export testimg")
         machine.succeed("ls >&2")

nixos/tests/lxd-image.nix

@@ -1,89 +0,0 @@
-# This test ensures that the nixOS lxd images builds and functions properly
-# It has been extracted from `lxd.nix` to seperate failures of just the image and the lxd software
-
-import ./make-test-python.nix ({ pkgs, ...} : let
-  release = import ../release.nix {
-    /* configuration = {
-      environment.systemPackages = with pkgs; [ stdenv ]; # inject stdenv so rebuild test works
-    }; */
-  };
-
-  metadata = release.lxdMeta.${pkgs.system};
-  image = release.lxdImage.${pkgs.system};
-
-  lxd-config = pkgs.writeText "config.yaml" ''
-    storage_pools:
-      - name: default
-        driver: dir
-        config:
-          source: /var/lxd-pool
-
-    networks:
-      - name: lxdbr0
-        type: bridge
-        config:
-          ipv4.address: auto
-          ipv6.address: none
-
-    profiles:
-      - name: default
-        devices:
-          eth0:
-            name: eth0
-            network: lxdbr0
-            type: nic
-          root:
-            path: /
-            pool: default
-            type: disk
-  '';
-in {
-  name = "lxd-image";
-
-  meta = with pkgs.lib.maintainers; {
-    maintainers = [ mkg20001 ];
-  };
-
-  nodes.machine = { lib, ... }: {
-    virtualisation = {
-      # disk full otherwise
-      diskSize = 2048;
-
-      lxc.lxcfs.enable = true;
-      lxd.enable = true;
-    };
-  };
-
-  testScript = ''
-    machine.wait_for_unit("sockets.target")
-    machine.wait_for_unit("lxd.service")
-    machine.wait_for_file("/var/lib/lxd/unix.socket")
-
-    # It takes additional second for lxd to settle
-    machine.sleep(1)
-
-    # lxd expects the pool's directory to already exist
-    machine.succeed("mkdir /var/lxd-pool")
-
-    machine.succeed(
-        "cat ${lxd-config} | lxd init --preseed"
-    )
-
-    # TODO: test custom built container aswell
-
-    with subtest("importing container works"):
-        machine.succeed("lxc image import ${metadata}/*/*.tar.xz ${image}/*/*.tar.xz --alias nixos")
-
-    with subtest("launching container works"):
-        machine.succeed("lxc launch nixos machine -c security.nesting=true")
-        # make sure machine boots up properly
-        machine.sleep(5)
-
-    with subtest("container shell works"):
-        machine.succeed("echo true | lxc exec machine /run/current-system/sw/bin/bash -")
-        machine.succeed("lxc exec machine /run/current-system/sw/bin/true")
-
-    # with subtest("rebuilding works"):
-    #     machine.succeed("lxc exec machine /run/current-system/sw/bin/nixos-rebuild switch")
-  '';
-})

nixos/tests/lxd.nix

@@ -1,79 +1,18 @@
-import ./make-test-python.nix ({ pkgs, ...} :
+import ./make-test-python.nix ({ pkgs, lib, ... } :
 
 let
-  # Since we don't have access to the internet during the tests, we have to
+  lxd-image = import ../release.nix {
-  # pre-fetch lxd containers beforehand.
+    configuration = {
-  #
+      # Building documentation makes the test unnecessarily take a longer time:
-  # I've chosen to import Alpine Linux, because its image is turbo-tiny and,
+      documentation.enable = lib.mkForce false;
-  # generally, sufficient for our tests.
-  alpine-meta-x86 = pkgs.fetchurl {
-    url = "https://tarballs.nixos.org/alpine/3.12/lxd.tar.xz";
-    hash = "sha256-1tcKaO9lOkvqfmG/7FMbfAEToAuFy2YMewS8ysBKuLA=";
-  };
-  alpine-meta-for = arch: pkgs.stdenv.mkDerivation {
-    name = "alpine-meta-${arch}";
-    version = "3.12";
-    unpackPhase = "true";
-    buildPhase = ''
-      runHook preBuild
-
-      tar xvf ${alpine-meta-x86}
-      sed -i 's/architecture: .*/architecture: ${arch}/' metadata.yaml
-
-      runHook postBuild
-    '';
-    installPhase = ''
-      runHook preInstall
-
-      tar czRf $out *
-
-      runHook postInstall
-    '';
-  };
 
-  alpine-meta = {
+      # Our tests require `grep` & friends:
-    x86_64-linux = alpine-meta-x86;
+      environment.systemPackages = with pkgs; [ busybox ];
-    aarch64-linux = alpine-meta-for "aarch64";
-  }.${pkgs.system} or (throw "Unsupported system: ${pkgs.system}");
-
-  alpine-rootfs = {
-    x86_64-linux = pkgs.fetchurl {
-      url = "https://tarballs.nixos.org/alpine/3.12/rootfs.tar.xz";
-      hash = "sha256-Tba9sSoaiMtQLY45u7p5DMqXTSDgs/763L/SQp0bkCA=";
-    };
-    aarch64-linux = pkgs.fetchurl {
-      url = "https://dl-cdn.alpinelinux.org/alpine/v3.15/releases/aarch64/alpine-minirootfs-3.15.4-aarch64.tar.gz";
-      hash = "sha256-9kBz8Jwmo8XepJhTMt5zilCaHHpflnUH7y9+0To39Us=";
     };
-  }.${pkgs.system} or (throw "Unsupported system: ${pkgs.system}");
+  };
-
-  lxd-config = pkgs.writeText "config.yaml" ''
-    storage_pools:
-      - name: default
-        driver: dir
-        config:
-          source: /var/lxd-pool
-
-    networks:
-      - name: lxdbr0
-        type: bridge
-        config:
-          ipv4.address: auto
-          ipv6.address: none
-
-    profiles:
-      - name: default
-        devices:
-          eth0:
-            name: eth0
-            network: lxdbr0
-            type: nic
-          root:
-            path: /
-            pool: default
-            type: disk
-  '';
 
+  lxd-image-metadata = lxd-image.lxdMeta.${pkgs.system};
+  lxd-image-rootfs = lxd-image.lxdImage.${pkgs.system};
 
 in {
   name = "lxd";
@@ -84,6 +23,8 @@ in {
 
   nodes.machine = { lib, ... }: {
     virtualisation = {
+      diskSize = 2048;
+
       # Since we're testing `limits.cpu`, we've gotta have a known number of
       # cores to lean on
       cores = 2;
@@ -108,61 +49,66 @@ in {
     machine.succeed("mkdir /var/lxd-pool")
 
     machine.succeed(
-        "cat ${lxd-config} | lxd init --preseed"
+        "cat ${./common/lxd/config.yaml} | lxd init --preseed"
     )
 
     machine.succeed(
-        "lxc image import ${alpine-meta} ${alpine-rootfs} --alias alpine"
+        "lxc image import ${lxd-image-metadata}/*/*.tar.xz ${lxd-image-rootfs}/*/*.tar.xz --alias nixos"
     )
 
-    with subtest("Containers can be launched and destroyed"):
+    with subtest("Container can be managed"):
-        machine.succeed("lxc launch alpine test")
+        machine.succeed("lxc launch nixos container")
-        machine.succeed("lxc exec test true")
+        machine.sleep(5)
-        machine.succeed("lxc delete -f test")
+        machine.succeed("echo true | lxc exec container /run/current-system/sw/bin/bash -")
+        machine.succeed("lxc exec container true")
+        machine.succeed("lxc delete -f container")
 
-    with subtest("Containers are being mounted with lxcfs inside"):
+    with subtest("Container is mounted with lxcfs inside"):
-        machine.succeed("lxc launch alpine test")
+        machine.succeed("lxc launch nixos container")
+        machine.sleep(5)
 
         ## ---------- ##
         ## limits.cpu ##
 
-        machine.succeed("lxc config set test limits.cpu 1")
+        machine.succeed("lxc config set container limits.cpu 1")
-        machine.succeed("lxc restart test")
+        machine.succeed("lxc restart container")
+        machine.sleep(5)
 
-        # Since Alpine doesn't have `nproc` pre-installed, we've gotta resort
-        # to the primal methods
         assert (
             "1"
-            == machine.succeed("lxc exec test grep -- -c ^processor /proc/cpuinfo").strip()
+            == machine.succeed("lxc exec container grep -- -c ^processor /proc/cpuinfo").strip()
         )
 
-        machine.succeed("lxc config set test limits.cpu 2")
+        machine.succeed("lxc config set container limits.cpu 2")
-        machine.succeed("lxc restart test")
+        machine.succeed("lxc restart container")
+        machine.sleep(5)
 
         assert (
             "2"
-            == machine.succeed("lxc exec test grep -- -c ^processor /proc/cpuinfo").strip()
+            == machine.succeed("lxc exec container grep -- -c ^processor /proc/cpuinfo").strip()
         )
 
         ## ------------- ##
         ## limits.memory ##
 
-        machine.succeed("lxc config set test limits.memory 64MB")
+        machine.succeed("lxc config set container limits.memory 64MB")
-        machine.succeed("lxc restart test")
+        machine.succeed("lxc restart container")
+        machine.sleep(5)
 
         assert (
             "MemTotal:          62500 kB"
-            == machine.succeed("lxc exec test grep -- MemTotal /proc/meminfo").strip()
+            == machine.succeed("lxc exec container grep -- MemTotal /proc/meminfo").strip()
         )
 
-        machine.succeed("lxc config set test limits.memory 128MB")
+        machine.succeed("lxc config set container limits.memory 128MB")
-        machine.succeed("lxc restart test")
+        machine.succeed("lxc restart container")
+        machine.sleep(5)
 
         assert (
             "MemTotal:         125000 kB"
-            == machine.succeed("lxc exec test grep -- MemTotal /proc/meminfo").strip()
+            == machine.succeed("lxc exec container grep -- MemTotal /proc/meminfo").strip()
         )
 
-        machine.succeed("lxc delete -f test")
+        machine.succeed("lxc delete -f container")
   '';
 })

pkgs/applications/editors/emacs/elisp-packages/ement/default.nix

@@ -13,13 +13,13 @@
 
 trivialBuild {
   pname = "ement";
-  version = "unstable-2022-04-22";
+  version = "unstable-2022-05-05";
 
   src = fetchFromGitHub {
     owner = "alphapapa";
     repo = "ement.el";
-    rev = "70da19e4c9210d362b1d6d9c17ab2c034a03250d";
+    rev = "84739451afa8355360966dfa788d469d9dc4a8e3";
-    sha256 = "sha256-Pxul0WrtyH2XZzF0fOOitLc3x/kc+Qc11RDH0n+Hm04=";
+    sha256 = "sha256-XdegBKZfoKbFaMM/l8249VD9KKC5/4gQIK6ggPcoOaE=";
   };
 
   packageRequires = [

pkgs/applications/graphics/inkscape/default.nix

@@ -80,6 +80,13 @@ stdenv.mkDerivation rec {
       url = "https://gitlab.com/inkscape/inkscape/-/commit/a18c57ffff313fd08bc8a44f6b6bf0b01d7e9b75.patch";
       sha256 = "UZb8ZTtfA5667uo5ZlVQ5vPowiSgd4ItAJ9U1BOsRQg=";
     })
+
+    # Fix build with poppler 22.04
+    # https://gitlab.com/inkscape/inkscape/-/merge_requests/4266
+    (fetchpatch {
+      url = "https://gitlab.com/inkscape/inkscape/-/commit/d989cdf1059c78bc3bb6414330242073768d640b.patch";
+      sha256 = "2cJZdunbRgPIwhJgz1dQoQRw3ZYZ2Fp6c3hpVBV2PbE=";
+    })
   ];
 
   postPatch = ''

pkgs/applications/misc/ausweisapp2/default.nix

@@ -3,13 +3,13 @@
 
 mkDerivation rec {
   pname = "AusweisApp2";
-  version = "1.22.4";
+  version = "1.22.5";
 
   src = fetchFromGitHub {
     owner = "Governikus";
     repo = "AusweisApp2";
     rev = version;
-    sha256 = "sha256-Mms7Vibq1Rlb2XbxiV4o1UsjDRJcwG5ZZdPOWHjnW2A=";
+    sha256 = "sha256-EuHg8JrI6ZoyTXqD3v4cfk4/NovAj4fF2NY1V2ZF64c=";
   };
 
   nativeBuildInputs = [ cmake pkg-config ];

pkgs/applications/misc/mediainfo-gui/default.nix

@@ -1,17 +1,16 @@
-{ lib, stdenv, fetchurl, autoreconfHook, pkg-config, libzen, libmediainfo, wxGTK30-gtk3
+{ lib, stdenv, fetchurl, autoreconfHook, pkg-config, libmediainfo, wxGTK30-gtk3
 , desktop-file-utils, libSM, imagemagick }:
 
 stdenv.mkDerivation rec {
-  version = "21.09";
+  version = "22.03";
   pname = "mediainfo-gui";
   src = fetchurl {
     url = "https://mediaarea.net/download/source/mediainfo/${version}/mediainfo_${version}.tar.xz";
-    sha256 = "0mqcqm8y2whnbdi2ry7jd755gfl5ccdqhwjh67hsyr7c0ajxk3vv";
+    sha256 = "sha256-Yjb5Kh1XqBdLPzDqbd6Kq1ONj2IPcoIk2FE3MWmAK+Q=";
   };
 
   nativeBuildInputs = [ autoreconfHook pkg-config ];
-  buildInputs = [ libzen libmediainfo wxGTK30-gtk3 desktop-file-utils libSM
+  buildInputs = [ libmediainfo wxGTK30-gtk3 desktop-file-utils libSM imagemagick ];
-                  imagemagick ];
 
   sourceRoot = "./MediaInfo/Project/GNU/GUI/";
 

pkgs/applications/misc/swaynotificationcenter/default.nix

@@ -4,6 +4,7 @@
 , meson
 , ninja
 , pkg-config
+, scdoc
 , vala
 , gtk3
 , glib
@@ -20,16 +21,16 @@
 
 stdenv.mkDerivation rec {
   pname = "SwayNotificationCenter";
-  version = "0.3";
+  version = "0.5";
 
   src = fetchFromGitHub {
     owner = "ErikReider";
     repo = "SwayNotificationCenter";
     rev = "v${version}";
-    hash = "sha256-gXo/V2FHkHZBRmaimqJCzi0BqS4tP9IniIlubBmK5u0=";
+    hash = "sha256-Jjbr6GJ0MHlO+T/simPNYQnB5b7Cr85j4GRjRGa5B6s=";
   };
 
-  nativeBuildInputs = [ gobject-introspection meson ninja pkg-config vala wrapGAppsHook ];
+  nativeBuildInputs = [ gobject-introspection meson ninja pkg-config scdoc vala wrapGAppsHook ];
 
   buildInputs = [ dbus dbus-glib gdk-pixbuf glib gtk-layer-shell gtk3 json-glib libhandy librsvg ];
 

pkgs/applications/misc/sweethome3d/default.nix

@@ -10,6 +10,7 @@
 , gtk3
 , gsettings-desktop-schemas
 , p7zip
+, autoPatchelfHook
 , libXxf86vm
 , unzip
 }:
@@ -41,14 +42,17 @@ let
     };
 
     postPatch = ''
-      patchelf --set-rpath ${libXxf86vm}/lib lib/java3d-1.6/linux/amd64/libnativewindow_awt.so
+      addAutoPatchelfSearchPath ${jre8}/lib/openjdk/jre/lib/
-      patchelf --set-rpath ${libXxf86vm}/lib lib/java3d-1.6/linux/amd64/libnativewindow_x11.so
+      autoPatchelf lib
-      patchelf --set-rpath ${libXxf86vm}/lib lib/java3d-1.6/linux/i586/libnativewindow_awt.so
+
-      patchelf --set-rpath ${libXxf86vm}/lib lib/java3d-1.6/linux/i586/libnativewindow_x11.so
+      # Nix cannot see the runtime references to the paths we just patched in
+      # once they've been compressed into the .jar. Scan for and remember them
+      # as plain text so they don't get overlooked.
+      find . -name '*.so' | xargs strings | { grep '/nix/store' || :; } >> ./.jar-paths
     '';
 
-    nativeBuildInputs = [ makeWrapper unzip ];
+    nativeBuildInputs = [ makeWrapper unzip autoPatchelfHook ];
-    buildInputs = [ ant jdk8 p7zip gtk3 gsettings-desktop-schemas ];
+    buildInputs = [ ant jdk8 p7zip gtk3 gsettings-desktop-schemas libXxf86vm ];
 
     buildPhase = ''
       runHook preBuild
@@ -80,6 +84,13 @@ let
         --prefix XDG_DATA_DIRS : "$XDG_ICON_DIRS:${gtk3.out}/share:${gsettings-desktop-schemas}/share:$out/share:$GSETTINGS_SCHEMAS_PATH" \
         --add-flags "-Dsun.java2d.opengl=true -jar $out/share/java/${module}-${version}.jar -cp $out/share/java/Furniture.jar:$out/share/java/Textures.jar:$out/share/java/Help.jar -d${toString stdenv.hostPlatform.parsed.cpu.bits}"
 
+
+      # remember the store paths found inside the .jar libraries. note that
+      # which file they are in does not matter in particular, just that some
+      # file somewhere lists them in plain-text
+      mkdir -p $out/nix-support
+      cp .jar-paths $out/nix-support/depends
+
       runHook postInstall
     '';
 

pkgs/applications/networking/browsers/firefox/librewolf/src.json

@@ -1,8 +1,8 @@
 {
-  "packageVersion": "100.0-1",
+  "packageVersion": "100.0-2",
   "source": {
-    "rev": "100.0-1",
+    "rev": "100.0-2",
-    "sha256": "1xczvsd39g821bh5n12vnn7sgi0x5dqj6vfizkavxj0a05jb4fla"
+    "sha256": "0pr7fb91zw5qlnfvaavzksd3c2xzgn1344mmfnz9yx2g42vcyi7d"
   },
   "firefox": {
     "version": "100.0",

pkgs/applications/networking/browsers/microsoft-edge/default.nix

@@ -1,20 +1,20 @@
 {
   beta = import ./browser.nix {
     channel = "beta";
-    version = "99.0.1150.16";
+    version = "101.0.1210.19";
     revision = "1";
-    sha256 = "sha256:0qsgs889d6qwxz9qf42psmjqfhmrqgp07srq5r38npl5pncr137h";
+    sha256 = "sha256:1kgc19ryw69xiqppz90d6sa45g99hzkh7x5yk9d3xlh1gc1xn54p";
   };
   dev = import ./browser.nix {
     channel = "dev";
-    version = "100.0.1163.1";
+    version = "102.0.1227.0";
     revision = "1";
-    sha256 = "sha256:153faqxyw5f5b6cqnvd71dl7941znkzci8dwbcgaxway0b6882jq";
+    sha256 = "sha256:0dnyandri7yg7c9812pnsxqszxyqcssxf87yskjg2vw95hawf11x";
   };
   stable = import ./browser.nix {
     channel = "stable";
-    version = "98.0.1108.56";
+    version = "100.0.1185.44";
     revision = "1";
-    sha256 = "sha256:03jbj2s2fs60fzfgsmyb284q7nckji87qgb86mvl5g0hbl19aza7";
+    sha256 = "sha256:0zv1zyijh620xz36a6nmhv7rbv4ln5f245hyh0w1sngynsl1rz89";
   };
 }

pkgs/applications/networking/instant-messengers/psi-plus/default.nix

@@ -43,13 +43,13 @@ assert enablePsiMedia -> enablePlugins;
 
 mkDerivation rec {
   pname = "psi-plus";
-  version = "1.5.1615";
+  version = "1.5.1618";
 
   src = fetchFromGitHub {
     owner = "psi-plus";
     repo = "psi-plus-snapshots";
     rev = version;
-    sha256 = "sha256-aD+JVGmBWHUav2bH9rXGtgqI+/5lJTMrYLRP7E65JxI=";
+    sha256 = "sha256-ueZYFOZFCPQrg9etZCrY5ZTn7PZMkcuwbXVPPbW9S/A=";
   };
 
   cmakeFlags = [

pkgs/applications/networking/irc/weechat/scripts/weechat-otr/default.nix

@@ -24,6 +24,9 @@ let
 
     buildInputs = [ gmp ];
 
+    # Tests are relying on old Python 2 modules.
+    doCheck = false;
+
     preConfigure = ''
       sed -i 's,/usr/include,/no-such-dir,' configure
       sed -i "s!,'/usr/include/'!!" setup.py
@@ -66,5 +69,9 @@ in stdenv.mkDerivation rec {
     license = licenses.gpl3;
     maintainers = with maintainers; [ oxzi ];
     description = "WeeChat script for Off-the-Record messaging";
+    knownVulnerabilities = [
+      "There is no upstream release since 2018-03."
+      "Utilizes deprecated and vulnerable pycrypto library with Debian patches from 2020-04."
+    ];
   };
 }

pkgs/applications/networking/mailreaders/neomutt/default.nix

@@ -4,14 +4,14 @@
 }:
 
 stdenv.mkDerivation rec {
-  version = "20220415";
+  version = "20220429";
   pname = "neomutt";
 
   src = fetchFromGitHub {
     owner  = "neomutt";
     repo   = "neomutt";
     rev    = version;
-    sha256 = "sha256-iVKDgVN7YFPEMP+OISS7jRG9Whs2QG60yH1r2kw3MUQ=";
+    sha256 = "sha256-LBY7WtmEMg/PcMS/Tc5XEYunIWjoI4IQfUJURKgy1YA=";
   };
 
   buildInputs = [

pkgs/applications/networking/n8n/default.nix

@@ -1,9 +1,8 @@
-{ pkgs, nodejs-14_x, stdenv, lib }:
+{ pkgs, nodejs-16_x, stdenv, lib }:
 
 let
   nodePackages = import ./node-composition.nix {
     inherit pkgs;
-    nodejs = nodejs-14_x;
     inherit (stdenv.hostPlatform) system;
   };
 in
@@ -12,6 +11,13 @@ nodePackages.n8n.override {
     node-pre-gyp
   ];
 
+  dontNpmInstall = true;
+
+  postInstall = ''
+    mkdir -p $out/bin
+    ln -s $out/lib/node_modules/n8n/bin/n8n $out/bin/n8n
+  '';
+
   passthru.updateScript = ./generate-dependencies.sh;
 
   meta = with lib; {

pkgs/applications/networking/n8n/generate-dependencies.sh

@@ -13,7 +13,7 @@
 cd "$(dirname $(readlink -f $0))"
 
 node2nix \
-  --14 \
+  --nodejs-16 \
   --strip-optional-dependencies \
   --node-env node-env.nix \
   --input package.json \

pkgs/applications/networking/n8n/node-composition.nix

@@ -1,8 +1,8 @@
-# This file has been generated by node2nix 1.9.0. Do not edit!
+# This file has been generated by node2nix 1.11.1. Do not edit!
 
 {pkgs ? import <nixpkgs> {
     inherit system;
-  }, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-12_x"}:
+  }, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-16_x"}:
 
 let
   nodeEnv = import ./node-env.nix {

pkgs/applications/networking/n8n/node-env.nix

@@ -98,7 +98,7 @@ let
       ''
       + (lib.concatMapStrings (dependency:
         ''
-          if [ ! -e "${dependency.name}" ]; then
+          if [ ! -e "${dependency.packageName}" ]; then
               ${composePackage dependency}
           fi
         ''
@@ -257,8 +257,8 @@ let
           var packageLock = JSON.parse(fs.readFileSync("./package-lock.json"));
 
           if(![1, 2].includes(packageLock.lockfileVersion)) {
-             process.stderr.write("Sorry, I only understand lock file versions 1 and 2!\n");
+            process.stderr.write("Sorry, I only understand lock file versions 1 and 2!\n");
-             process.exit(1);
+            process.exit(1);
           }
 
           if(packageLock.dependencies !== undefined) {
@@ -390,7 +390,7 @@ let
   buildNodePackage =
     { name
     , packageName
-    , version
+    , version ? null
     , dependencies ? []
     , buildInputs ? []
     , production ? true
@@ -409,7 +409,7 @@ let
       extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "preRebuild" "unpackPhase" "buildPhase" "meta" ];
     in
     stdenv.mkDerivation ({
-      name = "${name}-${version}";
+      name = "${name}${if version == null then "" else "-${version}"}";
       buildInputs = [ tarWrapper python nodejs ]
         ++ lib.optional (stdenv.isLinux) utillinux
         ++ lib.optional (stdenv.isDarwin) libtool
@@ -441,6 +441,14 @@ let
         if [ -d "$out/lib/node_modules/.bin" ]
         then
             ln -s $out/lib/node_modules/.bin $out/bin
+
+            # Patch the shebang lines of all the executables
+            ls $out/bin/* | while read i
+            do
+                file="$(readlink -f "$i")"
+                chmod u+rwx "$file"
+                patchShebangs "$file"
+            done
         fi
 
         # Create symlinks to the deployed manual page folders, if applicable
@@ -471,7 +479,7 @@ let
   buildNodeDependencies =
     { name
     , packageName
-    , version
+    , version ? null
     , src
     , dependencies ? []
     , buildInputs ? []
@@ -489,7 +497,7 @@ let
       extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" ];
     in
       stdenv.mkDerivation ({
-        name = "node-dependencies-${name}-${version}";
+        name = "node-dependencies-${name}${if version == null then "" else "-${version}"}";
 
         buildInputs = [ tarWrapper python nodejs ]
           ++ lib.optional (stdenv.isLinux) utillinux
@@ -519,6 +527,7 @@ let
             if [ -f ${src}/package-lock.json ]
             then
                 cp ${src}/package-lock.json .
+                chmod 644 package-lock.json
             fi
           ''}
 
@@ -541,7 +550,7 @@ let
   buildNodeShell =
     { name
     , packageName
-    , version
+    , version ? null
     , src
     , dependencies ? []
     , buildInputs ? []
@@ -557,9 +566,10 @@ let
 
     let
       nodeDependencies = buildNodeDependencies args;
+      extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "unpackPhase" "buildPhase" ];
     in
-    stdenv.mkDerivation {
+    stdenv.mkDerivation ({
-      name = "node-shell-${name}-${version}";
+      name = "node-shell-${name}${if version == null then "" else "-${version}"}";
 
       buildInputs = [ python nodejs ] ++ lib.optional (stdenv.isLinux) utillinux ++ buildInputs;
       buildCommand = ''
@@ -578,7 +588,7 @@ let
         export NODE_PATH=${nodeDependencies}/lib/node_modules
         export PATH="${nodeDependencies}/bin:$PATH"
       '';
-    };
+    } // extraArgs);
 in
 {
   buildNodeSourceDist = lib.makeOverridable buildNodeSourceDist;

pkgs/applications/networking/n8n/node-packages.nix

@@ -1,16 +1,16 @@
-# This file has been generated by node2nix 1.9.0. Do not edit!
+# This file has been generated by node2nix 1.11.1. Do not edit!
 
 {nodeEnv, fetchurl, fetchgit, nix-gitignore, stdenv, lib, globalBuildInputs ? []}:
 
 let
   sources = {
-    "@azure/abort-controller-1.0.5" = {
+    "@azure/abort-controller-1.1.0" = {
       name = "_at_azure_slash_abort-controller";
       packageName = "@azure/abort-controller";
-      version = "1.0.5";
+      version = "1.1.0";
       src = fetchurl {
-        url = "https://registry.npmjs.org/@azure/abort-controller/-/abort-controller-1.0.5.tgz";
+        url = "https://registry.npmjs.org/@azure/abort-controller/-/abort-controller-1.1.0.tgz";
-        sha512 = "G5sjKExiVsbFQo+4YY5MBPOSsh3EUv6XmqjgJaF/VCjckWLGGKPUPGfbCSn6Xal6gzGoPQMOQ+wCCGNCX9NAPg==";
+        sha512 = "TrRLIoSQVzfAJX9H1JeFjzAoDGcoK1IYX1UImfceTZpsyYfWr09Ss1aHW1y5TrrR3iq6RZLBwJ3E24uwPhwahw==";
       };
     };
     "@azure/core-asynciterator-polyfill-1.0.2" = {
@@ -31,13 +31,13 @@ let
         sha512 = "7CU6DmCHIZp5ZPiZ9r3J17lTKMmYsm/zGvNkjArQwPkrLlZ1TZ+EUYfGgh2X31OLMVAQCTJZW4cXHJi02EbJnA==";
       };
     };
-    "@azure/core-http-2.2.4" = {
+    "@azure/core-http-2.2.5" = {
       name = "_at_azure_slash_core-http";
       packageName = "@azure/core-http";
-      version = "2.2.4";
+      version = "2.2.5";
       src = fetchurl {
-        url = "https://registry.npmjs.org/@azure/core-http/-/core-http-2.2.4.tgz";
+        url = "https://registry.npmjs.org/@azure/core-http/-/core-http-2.2.5.tgz";
-        sha512 = "QmmJmexXKtPyc3/rsZR/YTLDvMatzbzAypJmLzvlfxgz/SkgnqV/D4f6F2LsK6tBj1qhyp8BoXiOebiej0zz3A==";
+        sha512 = "kctMqSQ6zfnlFpuYzfUKadeTyOQYbIQ+3Rj7dzVC3Dk1dOnHroTwR9hLYKX8/n85iJpkyaksaXpuh5L7GJRYuQ==";
       };
     };
     "@azure/core-lro-2.2.4" = {
@@ -976,13 +976,13 @@ let
         sha512 = "z4oo33lmnvvNRqfUe3YjDGGpqu/L2+wXBIhMtwq6oqZ+exOUAkQYM6zd2VWKF7AIlajOF8ZZuPFfryTG9iLC/w==";
       };
     };
-    "aws-sdk-2.1125.0" = {
+    "aws-sdk-2.1129.0" = {
       name = "aws-sdk";
       packageName = "aws-sdk";
-      version = "2.1125.0";
+      version = "2.1129.0";
       src = fetchurl {
-        url = "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1125.0.tgz";
+        url = "https://registry.npmjs.org/aws-sdk/-/aws-sdk-2.1129.0.tgz";
-        sha512 = "2syNkKDqDcDmB/chc61a5xx+KYzaarLs1/KshE0b1Opp2oSq2FARyUBbk59HgwKaDUB61uPF33ZG9sHiIVx2hQ==";
+        sha512 = "gQZaByfW7zKCg1n/kA+xDdLhI/SauaokRTq+lztK1cCCdFkR5CShcKeK/qUgVxjy43mwB7CkeTh1WUr2NMb0jg==";
       };
     };
     "aws-sign2-0.7.0" = {
@@ -1858,13 +1858,13 @@ let
         sha512 = "Kb2wC0fvsWfQrgk8HU5lW6U/Lcs8+9aaYcy4ZFc6DDlo4nZ7n70dEgE5rtR0oG6ufKDUnrwfWL1mXR5ljDatrQ==";
       };
     };
-    "core-js-3.22.3" = {
+    "core-js-3.22.4" = {
       name = "core-js";
       packageName = "core-js";
-      version = "3.22.3";
+      version = "3.22.4";
       src = fetchurl {
-        url = "https://registry.npmjs.org/core-js/-/core-js-3.22.3.tgz";
+        url = "https://registry.npmjs.org/core-js/-/core-js-3.22.4.tgz";
-        sha512 = "1t+2a/d2lppW1gkLXx3pKPVGbBdxXAkqztvWb1EJ8oF8O2gIGiytzflNiFEehYwVK/t2ryUsGBoOFFvNx95mbg==";
+        sha512 = "1uLykR+iOfYja+6Jn/57743gc9n73EWiOnSJJ4ba3B4fOEYDBv25MagmEZBxTp5cWq4b/KPx/l77zgsp28ju4w==";
       };
     };
     "core-util-is-1.0.2" = {
@@ -2641,13 +2641,13 @@ let
         sha512 = "GRnmB5gPyJpAhTQdSZTSp9uaPSvl09KoYcMQtsB9rQoOmzs9dH6ffeccH+Z+cv6P68Hu5bC6JjRh4Ah/mHSNRw==";
       };
     };
-    "follow-redirects-1.14.9" = {
+    "follow-redirects-1.15.0" = {
       name = "follow-redirects";
       packageName = "follow-redirects";
-      version = "1.14.9";
+      version = "1.15.0";
       src = fetchurl {
-        url = "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.9.tgz";
+        url = "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.0.tgz";
-        sha512 = "MQDfihBQYMcyy5dhRDJUHcw7lb2Pv/TuE6xP1vyraLukNDHKbDxDNaOE3NbCAdKQApno+GPRyo1YAp89yCjK4w==";
+        sha512 = "aExlJShTV4qOUOL7yF1U5tvLCB0xQuudbf6toyYA0E/acBNw71mvjFTnLaRp50aQaYocMR0a/RMMBIHeZnGyjQ==";
       };
     };
     "for-each-0.3.3" = {
@@ -4522,13 +4522,13 @@ let
         sha512 = "qIcmHAtVJotgiYo3vVMLwC9qaU5ih5ti4+aPu2I1onD6WEu8GMNF38AzIAceYl6U8EhvDB+DOsF/SjYHfl26iw==";
       };
     };
-    "n8n-editor-ui-0.142.0" = {
+    "n8n-editor-ui-0.142.1" = {
       name = "n8n-editor-ui";
       packageName = "n8n-editor-ui";
-      version = "0.142.0";
+      version = "0.142.1";
       src = fetchurl {
-        url = "https://registry.npmjs.org/n8n-editor-ui/-/n8n-editor-ui-0.142.0.tgz";
+        url = "https://registry.npmjs.org/n8n-editor-ui/-/n8n-editor-ui-0.142.1.tgz";
-        sha512 = "aDXm64Y+tcLicd0z9pIxhSfqCb/JjsMIAOJ7DB35HKg7riOE7TGBHkWQ6F61XEjusJLl6ZGr15V+9EoCTu+02g==";
+        sha512 = "Me8fk76HeWUmTPnksH4kzG0bKOp1yLFjAC4F+EcEllIIf+x75kjN+gSH4uwgvspzGCVO88ZnppWoGQwvHQpXQw==";
       };
     };
     "n8n-nodes-base-0.173.0" = {
@@ -4567,13 +4567,13 @@ let
         sha512 = "wynEP02LmIbLpcYw8uBKpcfF6dmg2vcpKqxeH5UcoKEYdExslsdUA4ugFauuaeYdTB76ez6gJW8XAZ6CgkXYxA==";
       };
     };
-    "nanoid-3.3.3" = {
+    "nanoid-3.3.4" = {
       name = "nanoid";
       packageName = "nanoid";
-      version = "3.3.3";
+      version = "3.3.4";
       src = fetchurl {
-        url = "https://registry.npmjs.org/nanoid/-/nanoid-3.3.3.tgz";
+        url = "https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz";
-        sha512 = "p1sjXuopFs0xg+fPASzQ28agW1oHD7xDsd9Xkf3T15H3c/cifrFHVwrh74PdoklAPi+i7MdRsE47vm2r6JoB+w==";
+        sha512 = "MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==";
       };
     };
     "native-duplexpair-1.0.0" = {
@@ -4693,13 +4693,13 @@ let
         sha512 = "KUdDsspqx89sD4UUyUKzdlUOper3hRkDVkrKh/89G+d9WKsU5ox51NWS4tB1XR5dPUdR4SP0E3molyEfOvSa3g==";
       };
     };
-    "nodemailer-6.7.4" = {
+    "nodemailer-6.7.5" = {
       name = "nodemailer";
       packageName = "nodemailer";
-      version = "6.7.4";
+      version = "6.7.5";
       src = fetchurl {
-        url = "https://registry.npmjs.org/nodemailer/-/nodemailer-6.7.4.tgz";
+        url = "https://registry.npmjs.org/nodemailer/-/nodemailer-6.7.5.tgz";
-        sha512 = "TBSS3qS8WG45ycUwEvEA/3UM1o3sLz9jUl4TPUKPz4ImWWM6UgRCb5pLO+HOouDKEj57yNLOrzQlO8+9IjWZoA==";
+        sha512 = "6VtMpwhsrixq1HDYSBBHvW0GwiWawE75dS3oal48VqRhUvKJNnKnJo2RI/bCVQubj1vgrgscMNW4DHaD6xtMCg==";
       };
     };
     "nopt-5.0.0" = {
@@ -6367,13 +6367,13 @@ let
         sha512 = "VE0SOVEHCk7Qc8ulkWw3ntAzXuqf7S2lvwQaDLRnUeIEaKNQJzV6BwmLKhOqT61aGhfUMrXeaBk+oDGCzvhcug==";
       };
     };
-    "sqlite3-5.0.6" = {
+    "sqlite3-5.0.7" = {
       name = "sqlite3";
       packageName = "sqlite3";
-      version = "5.0.6";
+      version = "5.0.7";
       src = fetchurl {
-        url = "https://registry.npmjs.org/sqlite3/-/sqlite3-5.0.6.tgz";
+        url = "https://registry.npmjs.org/sqlite3/-/sqlite3-5.0.7.tgz";
-        sha512 = "uT1dC6N3ReF+jchY01zvl1wVFFJ5xO86wSnCpK39uA/zmAHBDm6TiAq1v876QKv8JgiijxQ7/fb5C2LPm7ZAJA==";
+        sha512 = "9PUfvpol1/5SI3WZawFINwpRz6qhUeJJtFNG6rr0CvDWMXN75PJPv+3b0aVEOOx5rAZIPcXW2zVasH8foqw7Gg==";
       };
     };
     "sqlstring-2.3.3" = {
@@ -6493,22 +6493,22 @@ let
         sha512 = "wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==";
       };
     };
-    "string.prototype.trimend-1.0.4" = {
+    "string.prototype.trimend-1.0.5" = {
       name = "string.prototype.trimend";
       packageName = "string.prototype.trimend";
-      version = "1.0.4";
+      version = "1.0.5";
       src = fetchurl {
-        url = "https://registry.npmjs.org/string.prototype.trimend/-/string.prototype.trimend-1.0.4.tgz";
+        url = "https://registry.npmjs.org/string.prototype.trimend/-/string.prototype.trimend-1.0.5.tgz";
-        sha512 = "y9xCjw1P23Awk8EvTpcyL2NIr1j7wJ39f+k6lvRnSMz+mz9CGz9NYPelDk42kOz6+ql8xjfK8oYzy3jAP5QU5A==";
+        sha512 = "I7RGvmjV4pJ7O3kdf+LXFpVfdNOxtCW/2C8f6jNiW4+PQchwxkCDzlk1/7p+Wl4bqFIZeF47qAHXLuHHWKAxog==";
       };
     };
-    "string.prototype.trimstart-1.0.4" = {
+    "string.prototype.trimstart-1.0.5" = {
       name = "string.prototype.trimstart";
       packageName = "string.prototype.trimstart";
-      version = "1.0.4";
+      version = "1.0.5";
       src = fetchurl {
-        url = "https://registry.npmjs.org/string.prototype.trimstart/-/string.prototype.trimstart-1.0.4.tgz";
+        url = "https://registry.npmjs.org/string.prototype.trimstart/-/string.prototype.trimstart-1.0.5.tgz";
-        sha512 = "jh6e984OBfvxS50tdY2nRZnoC5/mLFKOREQfw8t5yytkoUsJRNxvI/E39qu1sD0OtWI3OC0XgKSmcWwziwYuZw==";
+        sha512 = "THx16TJCGlsN0o6dl2o6ncWUsdgnLRSA23rRE5pyGBw/mLr3Ej/R2LaqCtgP8VNMGZsvMWnf9ooZPyY2bHvUFg==";
       };
     };
     "string_decoder-0.10.31" = {
@@ -7534,13 +7534,13 @@ in
   n8n = nodeEnv.buildNodePackage {
     name = "n8n";
     packageName = "n8n";
-    version = "0.175.0";
+    version = "0.175.1";
     src = fetchurl {
-      url = "https://registry.npmjs.org/n8n/-/n8n-0.175.0.tgz";
+      url = "https://registry.npmjs.org/n8n/-/n8n-0.175.1.tgz";
-      sha512 = "FKIroWsEZNZ/HUdM6iQ8QY6WxYs4uQufodBoKpbcu6JJKF/ufYO4U8lpIM0nV2YCMaB+JAVvswim0SUDB6KF3A==";
+      sha512 = "rInwNB6wxOs79EvC2HFALyDhdDPJwLVT+z1LivxLRD9dZOrtlMD9wdDfESpHYS5ikND4T5JW32HaxGF9nnzlJA==";
     };
     dependencies = [
-      (sources."@azure/abort-controller-1.0.5" // {
+      (sources."@azure/abort-controller-1.1.0" // {
         dependencies = [
           sources."tslib-2.4.0"
         ];
@@ -7551,7 +7551,7 @@ in
           sources."tslib-2.4.0"
         ];
       })
-      (sources."@azure/core-http-2.2.4" // {
+      (sources."@azure/core-http-2.2.5" // {
         dependencies = [
           sources."tough-cookie-4.0.0"
           sources."tslib-2.4.0"
@@ -7725,7 +7725,7 @@ in
         ];
       })
       sources."avsc-5.7.4"
-      (sources."aws-sdk-2.1125.0" // {
+      (sources."aws-sdk-2.1129.0" // {
         dependencies = [
           sources."buffer-4.9.2"
           sources."events-1.1.1"
@@ -7902,7 +7902,7 @@ in
       sources."cookie-0.4.1"
       sources."cookie-parser-1.4.6"
       sources."cookie-signature-1.0.6"
-      sources."core-js-3.22.3"
+      sources."core-js-3.22.4"
       sources."core-util-is-1.0.2"
       sources."crc-32-1.2.2"
       sources."cron-1.7.2"
@@ -8012,7 +8012,7 @@ in
       })
       sources."flatted-3.2.5"
       sources."fn.name-1.1.0"
-      sources."follow-redirects-1.14.9"
+      sources."follow-redirects-1.15.0"
       sources."for-each-0.3.3"
       sources."forever-agent-0.6.1"
       sources."form-data-4.0.0"
@@ -8282,7 +8282,7 @@ in
       sources."mz-2.7.0"
       sources."n8n-core-0.116.0"
       sources."n8n-design-system-0.19.0"
-      sources."n8n-editor-ui-0.142.0"
+      sources."n8n-editor-ui-0.142.1"
       (sources."n8n-nodes-base-0.173.0" // {
         dependencies = [
           sources."iconv-lite-0.6.3"
@@ -8296,7 +8296,7 @@ in
         ];
       })
       sources."nanoclone-0.2.1"
-      sources."nanoid-3.3.3"
+      sources."nanoid-3.3.4"
       sources."native-duplexpair-1.0.0"
       (sources."nearley-2.20.1" // {
         dependencies = [
@@ -8317,7 +8317,7 @@ in
       sources."node-html-parser-5.3.3"
       sources."node-ssh-12.0.4"
       sources."nodeify-1.0.1"
-      sources."nodemailer-6.7.4"
+      sources."nodemailer-6.7.5"
       sources."nopt-5.0.0"
       sources."normalize-path-3.0.0"
       sources."normalize-wheel-1.0.1"
@@ -8577,7 +8577,7 @@ in
         ];
       })
       sources."sprintf-js-1.1.2"
-      sources."sqlite3-5.0.6"
+      sources."sqlite3-5.0.7"
       sources."sqlstring-2.3.3"
       sources."sse-channel-3.1.1"
       sources."ssf-0.11.2"
@@ -8591,8 +8591,8 @@ in
       sources."stream-shift-1.0.1"
       sources."string-similarity-4.0.4"
       sources."string-width-4.2.3"
-      sources."string.prototype.trimend-1.0.4"
+      sources."string.prototype.trimend-1.0.5"
-      sources."string.prototype.trimstart-1.0.4"
+      sources."string.prototype.trimstart-1.0.5"
       sources."string_decoder-0.10.31"
       sources."strip-ansi-6.0.1"
       sources."strtok3-6.3.0"

pkgs/applications/networking/newsreaders/liferea/default.nix

@@ -23,11 +23,11 @@
 
 stdenv.mkDerivation rec {
   pname = "liferea";
-  version = "1.12.9";
+  version = "1.13.8";
 
   src = fetchurl {
     url = "https://github.com/lwindolf/${pname}/releases/download/v${version}/${pname}-${version}.tar.bz2";
-    sha256 = "06ybr1wjlfir8iqjx6x0v1knd4b2hsy30qmkk4kssy6ky2ahc66q";
+    sha256 = "0x2857nhn98hlzqxmxb2h2wcasr5jkhciih71wcnp0cja60aw20h";
   };
 
   nativeBuildInputs = [

pkgs/applications/office/libreoffice/default.nix

@@ -90,6 +90,9 @@ in (mkDrv rec {
       url = "https://github.com/archlinux/svntogit-packages/raw/f82958b9538f86e41b51f1ba7134968d2f3788d1/trunk/poppler-22.03.0.patch";
       sha256 = "5h4qJmx6Q3Q3dHUlSi8JXBziN2mAswGVWk5aDTLTwls=";
     })
+
+    # Fix build with poppler 22.04
+    ./poppler-22-04-0.patch
   ];
 
   ### QT/KDE

pkgs/applications/office/libreoffice/poppler-22-04-0.patch

@@ -0,0 +1,100 @@
+Patch from OpenSUSE
+https://build.opensuse.org/package/view_file/LibreOffice:Factory/libreoffice/poppler-22-04-0.patch?expand=1&rev=45e176f964509ebe3560d0dbf1ec8be9
+Index: libreoffice-7.3.3.1/sdext/source/pdfimport/xpdfwrapper/pdfioutdev_gpl.cxx
+===================================================================
+--- libreoffice-7.3.3.1.orig/sdext/source/pdfimport/xpdfwrapper/pdfioutdev_gpl.cxx
++++ libreoffice-7.3.3.1/sdext/source/pdfimport/xpdfwrapper/pdfioutdev_gpl.cxx
+@@ -474,12 +474,21 @@ int PDFOutDev::parseFont( long long nNew
+     {
+         // TODO(P3): Unfortunately, need to read stream twice, since
+         // we must write byte count to stdout before
++#if POPPLER_CHECK_VERSION(22, 04, 0) // readEmbFontFile signature changed
++        auto pBuf = gfxFont->readEmbFontFile( m_pDoc->getXRef());
++        if ( pBuf )
++        {
++            aNewFont.isEmbedded = true;
++            nSize = pBuf->size();
++        }
++#else
+         char* pBuf = gfxFont->readEmbFontFile( m_pDoc->getXRef(), &nSize );
+         if( pBuf )
+         {
+             aNewFont.isEmbedded = true;
+             gfree(pBuf);
+         }
++#endif
+     }
+ 
+     m_aFontMap[ nNewId ] = aNewFont;
+@@ -492,21 +501,35 @@ void PDFOutDev::writeFontFile( GfxFont*
+         return;
+ 
+     int nSize = 0;
++#if POPPLER_CHECK_VERSION(22, 04, 0) // readEmbFontFile signature changed
++    auto pBuf = gfxFont->readEmbFontFile( m_pDoc->getXRef());
++    if ( !pBuf )
++        return;
++    nSize = pBuf->size();
++#else
+     char* pBuf = gfxFont->readEmbFontFile( m_pDoc->getXRef(), &nSize );
+     if( !pBuf )
+         return;
++#endif
+ 
+     // ---sync point--- see SYNC STREAMS above
+     fflush(stdout);
+ 
++#if POPPLER_CHECK_VERSION(22, 04, 0) // readEmbFontFile signature changed
++    if( fwrite(pBuf->data(), sizeof(unsigned char), nSize, g_binary_out) != static_cast<size_t>(nSize) )
++    {
++#else
+     if( fwrite(pBuf, sizeof(char), nSize, g_binary_out) != static_cast<size_t>(nSize) )
+     {
+         gfree(pBuf);
++#endif
+         exit(1); // error
+     }
+     // ---sync point--- see SYNC STREAMS above
+     fflush(g_binary_out);
++#if !POPPLER_CHECK_VERSION(22, 04, 0) // readEmbFontFile signature changed
+     gfree(pBuf);
++#endif
+ }
+ 
+ #if POPPLER_CHECK_VERSION(0, 83, 0)
+@@ -759,7 +782,11 @@ void PDFOutDev::updateFont(GfxState *sta
+ {
+     assert(state);
+ 
++#if POPPLER_CHECK_VERSION(22, 04, 0)
++    std::shared_ptr<GfxFont> gfxFont = state->getFont();
++#else
+     GfxFont *gfxFont = state->getFont();
++#endif
+     if( !gfxFont )
+         return;
+ 
+@@ -776,7 +803,11 @@ void PDFOutDev::updateFont(GfxState *sta
+         m_aFontMap.find( fontID );
+     if( it == m_aFontMap.end() )
+     {
++#if POPPLER_CHECK_VERSION(22, 04, 0)
++        nEmbedSize = parseFont( fontID, gfxFont.get(), state );
++#else
+         nEmbedSize = parseFont( fontID, gfxFont, state );
++#endif
+         it = m_aFontMap.find( fontID );
+     }
+ 
+@@ -806,7 +837,11 @@ void PDFOutDev::updateFont(GfxState *sta
+ 
+     if (nEmbedSize)
+     {
++#if POPPLER_CHECK_VERSION(22, 04, 0)
++        writeFontFile(gfxFont.get());
++#else
+         writeFontFile(gfxFont);
++#endif
+     }
+ }
+ 

pkgs/applications/office/portfolio/default.nix

@@ -25,11 +25,11 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "PortfolioPerformance";
-  version = "0.57.1";
+  version = "0.57.2";
 
   src = fetchurl {
     url = "https://github.com/buchen/portfolio/releases/download/${version}/PortfolioPerformance-${version}-linux.gtk.x86_64.tar.gz";
-    sha256 = "sha256-uEEFkHyApf+TObcu+Yo5vBOs2Erq0IXGhbjzlEe8NmI=";
+    sha256 = "sha256-ftLKlNzr46iL/V+P3J1wtoUByGHHl7wrh4xctU4JYkM=";
   };
 
   nativeBuildInputs = [

pkgs/applications/office/qownnotes/default.nix

@@ -5,13 +5,13 @@
 
 mkDerivation rec {
   pname = "qownnotes";
-  version = "22.4.1";
+  version = "22.5.0";
 
   src = fetchurl {
     url = "https://download.tuxfamily.org/${pname}/src/${pname}-${version}.tar.xz";
     # Fetch the checksum of current version with curl:
     # curl https://download.tuxfamily.org/qownnotes/src/qownnotes-<version>.tar.xz.sha256
-    sha256 = "b9ce77ecd5bb48bd6534068b0582dfaa3b828f800b19ddec80387a84e00766da";
+    sha256 = "52a81401a4a03c77e28f37f56c3ebdc6696ff43c75cc9330d10ba7e801f48ccd";
   };
 
   nativeBuildInputs = [ qmake qttools ];

pkgs/applications/office/scribus/unstable.nix

@@ -84,6 +84,11 @@ mkDerivation rec {
       url = "https://github.com/scribusproject/scribus/commit/48263954a7dee0be815b00f417ae365ab26cdd85.patch";
       sha256 = "1WE9kALFw79bQH88NUafXaZ1Y/vJEKTIWxlk5c+opsQ=";
     })
+    # For Poppler 22.04
+    (fetchpatch {
+      url = "https://github.com/scribusproject/scribus/commit/f2237b8f0b5cf7690e864a22ef7a63a6d769fa36.patch";
+      sha256 = "FXpLoX/a2Jy3GcfzrUUyVUfEAp5wAy2UfzfVA5lhwJw=";
+    })
   ];
 
   nativeBuildInputs = [

pkgs/applications/office/timeular/default.nix

@@ -7,13 +7,13 @@
 }:
 
 let
-  version = "3.9.1";
+  version = "4.7.1";
   pname = "timeular";
   name = "${pname}-${version}";
 
   src = fetchurl {
     url = "https://s3.amazonaws.com/timeular-desktop-packages/linux/production/Timeular-${version}.AppImage";
-    sha256 = "103hy443p697jdkz6li8s1n6kg1r55jmiw2vbjz12kskf7njg4y4";
+    sha256 = "sha256:0k8ywbdb41imq10ya9y27zks67a6drjb1h0hn8ycd7a6z6703rjz";
   };
 
   appimageContents = appimageTools.extractType2 {
@@ -35,7 +35,7 @@ in appimageTools.wrapType2 rec {
     install -m 444 -D ${appimageContents}/timeular.desktop $out/share/applications/timeular.desktop
     install -m 444 -D ${appimageContents}/timeular.png $out/share/icons/hicolor/512x512/apps/timeular.png
     substituteInPlace $out/share/applications/timeular.desktop \
-      --replace 'Exec=AppRun' 'Exec=${pname}'
+      --replace "Exec=AppRun --no-sandbox %U" "Exec=$out/bin/${pname}"
   '';
 
   meta = with lib; {

pkgs/applications/science/electronics/verilator/default.nix

@@ -4,13 +4,13 @@
 
 stdenv.mkDerivation rec {
   pname = "verilator";
-  version = "4.220";
+  version = "4.222";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-Y0j6j8kPCONlegFoWl46LXtfoiLhzMsHCVv+kLe7UyE=";
+    sha256 = "sha256-AvjcStbiXDdhJnaSJJ5Mp6zscvaxhb+A2J+0gpm2rFI=";
   };
 
   enableParallelBuilding = true;

pkgs/applications/version-management/got/default.nix

@@ -1,17 +1,17 @@
-{ lib, stdenv, fetchurl, pkg-config, openssl, libuuid, libmd, zlib, ncurses }:
+{ lib, stdenv, fetchurl, pkg-config, openssl, libbsd, libuuid, libmd, zlib, ncurses }:
 
 stdenv.mkDerivation rec {
   pname = "got";
-  version = "0.68.1";
+  version = "0.69";
 
   src = fetchurl {
     url = "https://gameoftrees.org/releases/portable/got-portable-${version}.tar.gz";
-    sha256 = "122wignzrhsw00mfnh7mxcxvjyp9rk73yxzfyvmg7f5kmb0hng35";
+    sha256 = "1cnl0yk866wzjwgas587kvb08njq7db71b5xqsdrwd1varp010vm";
   };
 
   nativeBuildInputs = [ pkg-config ];
 
-  buildInputs = [ openssl libuuid libmd zlib ncurses ];
+  buildInputs = [ openssl libbsd libuuid libmd zlib ncurses ];
 
   doInstallCheck = true;
 

pkgs/applications/version-management/meld/default.nix

@@ -36,6 +36,13 @@ python3.pkgs.buildPythonApplication rec {
       url  = "https://gitlab.gnome.org/GNOME/meld/-/commit/cc7746c141d976a4779cf868774fae1fe7627a6d.patch";
       sha256 = "sha256-4uJZyF00Z6svzrOebByZV1hutCZRkIQYC4rUxQr5fdQ=";
     })
+
+    # Fix view not rendering with adwaita-icon-theme 42 due to removed icons.
+    # https://gitlab.gnome.org/GNOME/meld/-/merge_requests/83
+    (fetchpatch {
+      url  = "https://gitlab.gnome.org/GNOME/meld/-/commit/f850cdf3eaf0f08abea003d5fae118a5e92a3d61.patch";
+      sha256 = "PaK8Rpv79UwMUligm9pIY16JW/dm7eVXntAwTV4hnbE=";
+    })
   ];
 
   nativeBuildInputs = [

pkgs/applications/version-management/p4v/default.nix

@@ -1,12 +1,38 @@
-{ stdenv, fetchurl, lib, qtbase, qtmultimedia, qtscript, qtsensors, qtwebengine, qtwebkit, openssl, xkeyboard_config, patchelfUnstable, wrapQtAppsHook }:
+{ stdenv
+, fetchurl
+, lib
+, qtbase
+, qtwebengine
+, qtdeclarative
+, qtwebchannel
+, syntax-highlighting
+, openssl
+, xkeyboard_config
+, patchelfUnstable
+, wrapQtAppsHook
+, writeText
+}:
+let
+  # This abomination exists because p4v calls CRYPTO_set_mem_functions and
+  # expects it to succeed. The function will fail if CRYPTO_malloc has already
+  # been called, which happens at init time via qtwebengine -> ... -> libssh. I
+  # suspect it was meant to work with a version of Qt where openssl is
+  # statically linked or some other library is used.
+  crypto-hack = writeText "crypto-hack.c" ''
+      #include <stddef.h>
+      int CRYPTO_set_mem_functions(
+            void *(*m)(size_t, const char *, int),
+            void *(*r)(void *, size_t, const char *, int),
+            void (*f)(void *, const char *, int)) { return 1; }
+    '';
 
-stdenv.mkDerivation rec {
+in stdenv.mkDerivation rec {
   pname = "p4v";
-  version = "2020.1.1966006";
+  version = "2021.3.2186916";
 
   src = fetchurl {
-    url = "https://cdist2.perforce.com/perforce/r20.1/bin.linux26x86_64/p4v.tgz";
+    url = "http://web.archive.org/web/20211118024745/https://cdist2.perforce.com/perforce/r21.3/bin.linux26x86_64/p4v.tgz";
-    sha256 = "0zc70d7jgdrd2jli338n1h05hgb7jmmv8hvq205wh78vvllrlv10";
+    sha256 = "1zldg21xq4srww9pcfbv3p8320ghjnh333pz5r70z1gwbq4vf3jq";
   };
 
   dontBuild = true;
@@ -15,11 +41,10 @@ stdenv.mkDerivation rec {
   ldLibraryPath = lib.makeLibraryPath [
       stdenv.cc.cc.lib
       qtbase
-      qtmultimedia
-      qtscript
-      qtsensors
       qtwebengine
-      qtwebkit
+      qtdeclarative
+      qtwebchannel
+      syntax-highlighting
       openssl
   ];
 
@@ -29,14 +54,17 @@ stdenv.mkDerivation rec {
     cp -r bin $out
     mkdir -p $out/lib
     cp -r lib/P4VResources $out/lib
+    $CC -fPIC -shared -o $out/lib/libcrypto-hack.so ${crypto-hack}
 
     for f in $out/bin/*.bin ; do
       patchelf --set-rpath $ldLibraryPath --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" $f
       # combining this with above breaks rpath (patchelf bug?)
-      patchelf --add-needed libstdc++.so $f \
+      patchelf --add-needed libstdc++.so \
+               --add-needed $out/lib/libcrypto-hack.so \
                --clear-symbol-version _ZNSt20bad_array_new_lengthD1Ev \
                --clear-symbol-version _ZTVSt20bad_array_new_length \
                --clear-symbol-version _ZTISt20bad_array_new_length \
+               --clear-symbol-version _ZdlPvm \
                $f
       wrapQtApp $f \
         --suffix QT_XKB_CONFIG_ROOT : ${xkeyboard_config}/share/X11/xkb

pkgs/build-support/rust/build-rust-crate/default.nix

@@ -346,6 +346,9 @@ crate_: lib.makeOverridable
       outputs = if buildTests then [ "out" ] else [ "out" "lib" ];
       outputDev = if buildTests then [ "out" ] else [ "lib" ];
 
+      meta = {
+        mainProgram = crateName;
+      };
     } // extraDerivationAttrs
     )
   )

pkgs/desktops/plasma-5/fetch.sh

@@ -1 +1 @@
-WGET_ARGS=( https://download.kde.org/stable/plasma/5.24.4/ -A '*.tar.xz' )
+WGET_ARGS=( https://download.kde.org/stable/plasma/5.24.5/ -A '*.tar.xz' )

pkgs/desktops/plasma-5/srcs.nix

@@ -4,427 +4,427 @@
 
 {
   bluedevil = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/bluedevil-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/bluedevil-5.24.5.tar.xz";
-      sha256 = "1mph04r6l9bxml1brwifbnk6lkjxkzxx75b3g3myzijjv6f8wxw3";
+      sha256 = "1yhynfpgm2cwvimh63hihg5dm0hzjp20364bvjyyh108830rjsf9";
-      name = "bluedevil-5.24.4.tar.xz";
+      name = "bluedevil-5.24.5.tar.xz";
     };
   };
   breeze = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/breeze-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/breeze-5.24.5.tar.xz";
-      sha256 = "01cqji6figwb95drcq9vrqlkv7xmpn2csbi2mvixbcdawqhywsg3";
+      sha256 = "18zhm9my0vhwiq95v3p48z8s5m4a5c7kw8n144ykqlm51nssc9c5";
-      name = "breeze-5.24.4.tar.xz";
+      name = "breeze-5.24.5.tar.xz";
     };
   };
   breeze-grub = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/breeze-grub-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/breeze-grub-5.24.5.tar.xz";
-      sha256 = "1p154g2x1g00iam2gkv7pml1r0b91b21s8fgrfrqg5pj45ysp5bc";
+      sha256 = "02lcv23l3zr0g6nggmrxz4pgq852fir9yramhaxmcg634pxiacni";
-      name = "breeze-grub-5.24.4.tar.xz";
+      name = "breeze-grub-5.24.5.tar.xz";
     };
   };
   breeze-gtk = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/breeze-gtk-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/breeze-gtk-5.24.5.tar.xz";
-      sha256 = "0s51azc2xmh7agbqlm9rn39c5qh6rfwyc2dq4sfv6vspm1883zmj";
+      sha256 = "0c25z69lyjczm05jraqk2f09sipkhpsz5zirwzqdq3apip06qw93";
-      name = "breeze-gtk-5.24.4.tar.xz";
+      name = "breeze-gtk-5.24.5.tar.xz";
     };
   };
   breeze-plymouth = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/breeze-plymouth-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/breeze-plymouth-5.24.5.tar.xz";
-      sha256 = "038pglghl40nyq6lzydijy3wnr5agvfzddjxrf6lc9m6qapqd37v";
+      sha256 = "044sbffr4sqvgkfbraa4rvlsih7zz9b300hipp33mwhpzyjjcpdc";
-      name = "breeze-plymouth-5.24.4.tar.xz";
+      name = "breeze-plymouth-5.24.5.tar.xz";
     };
   };
   discover = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/discover-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/discover-5.24.5.tar.xz";
-      sha256 = "0smhys51chvjh2ij4mk03cfnq09n8cq22iag1ld9j2125l5iwa99";
+      sha256 = "18a8z9ifyyjmmc620dsh491vb1q3q9bxd8gfjf5k87mgwmg1wmwk";
-      name = "discover-5.24.4.tar.xz";
+      name = "discover-5.24.5.tar.xz";
     };
   };
   drkonqi = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/drkonqi-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/drkonqi-5.24.5.tar.xz";
-      sha256 = "1yn7yj8nwnxm1s0si2353wl17jv7c7l5dc7833ndl56phv2999x0";
+      sha256 = "1ps1p8pvp51rswynbv337qr3qj2z7r7kd9qpxgcrha9pql01h5gy";
-      name = "drkonqi-5.24.4.tar.xz";
+      name = "drkonqi-5.24.5.tar.xz";
     };
   };
   kactivitymanagerd = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/kactivitymanagerd-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/kactivitymanagerd-5.24.5.tar.xz";
-      sha256 = "0aamfgc4bdrysq7ps134pf5v4bgiwrsxffi0nb6d8zazswgkfa41";
+      sha256 = "0j6d50cjry4j3vzxb6hd4w95y2h3l0yfhyrhl693njr64aq7d4pa";
-      name = "kactivitymanagerd-5.24.4.tar.xz";
+      name = "kactivitymanagerd-5.24.5.tar.xz";
     };
   };
   kde-cli-tools = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/kde-cli-tools-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/kde-cli-tools-5.24.5.tar.xz";
-      sha256 = "1w2rhz32xaqhmq5lyvfmjrbssqf9f35k5fk02f05fz79yk9wir7z";
+      sha256 = "0afksrxd6mq9rcvh3g8y05kl0la4wmn1yksif8p1bcxpd4sdvw77";
-      name = "kde-cli-tools-5.24.4.tar.xz";
+      name = "kde-cli-tools-5.24.5.tar.xz";
     };
   };
   kde-gtk-config = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/kde-gtk-config-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/kde-gtk-config-5.24.5.tar.xz";
-      sha256 = "02spbx2rniiyvzj4qb6lgzj0f83k4vq53fk4i1m45438z7aslymi";
+      sha256 = "0sg8kqlkklvjhj69z5wzhvi0hddxa192j4vc4wc9hmfl1wirr8cq";
-      name = "kde-gtk-config-5.24.4.tar.xz";
+      name = "kde-gtk-config-5.24.5.tar.xz";
     };
   };
   kdecoration = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/kdecoration-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/kdecoration-5.24.5.tar.xz";
-      sha256 = "05ccyb314mxf0d4ivj71l9lh13s3fqr7f4d2rmg6qshsql39569c";
+      sha256 = "1hjjl6k09zi8n9nblbcm69c3br6d4dhzaw55xyygglaz6kb8fc17";
-      name = "kdecoration-5.24.4.tar.xz";
+      name = "kdecoration-5.24.5.tar.xz";
     };
   };
   kdeplasma-addons = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/kdeplasma-addons-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/kdeplasma-addons-5.24.5.tar.xz";
-      sha256 = "03b8d3kdzwpyqrqkmpswryksrhav3mwcnbyzdc3g2kpk2qnx68fp";
+      sha256 = "03p8wmsb5nl7j6kwl6j8nwlf6v7snh933jyglgp2vnclqp1jpd9x";
-      name = "kdeplasma-addons-5.24.4.tar.xz";
+      name = "kdeplasma-addons-5.24.5.tar.xz";
     };
   };
   kgamma5 = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/kgamma5-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/kgamma5-5.24.5.tar.xz";
-      sha256 = "0z1zrw5id455idjbaqracs1vcwgs93an7w27ggfqs6i8nabrivbk";
+      sha256 = "1i7i3dc5qfb3v9hz9w9hszr8jbbdbfq0b59a4bh1p6xakxx8k1l0";
-      name = "kgamma5-5.24.4.tar.xz";
+      name = "kgamma5-5.24.5.tar.xz";
     };
   };
   khotkeys = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/khotkeys-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/khotkeys-5.24.5.tar.xz";
-      sha256 = "033dgz8wbsw2nj133hnmygz1izmcpxdn80jbjbm66nhbbyq7bb2s";
+      sha256 = "06m7yrs75arwdfrkpkn9b5kiz2xlrsxlpsjr18j1pjhxras0f8vs";
-      name = "khotkeys-5.24.4.tar.xz";
+      name = "khotkeys-5.24.5.tar.xz";
     };
   };
   kinfocenter = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/kinfocenter-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/kinfocenter-5.24.5.tar.xz";
-      sha256 = "0f5q6ajyd794p1z9j3il8sajlqkdcnf06xq4612qxdp49nb88nyw";
+      sha256 = "0c2bq7m8c9r17s8qalp4cdz1qimzwnvh9wrba4rqcmxwbv043ln1";
-      name = "kinfocenter-5.24.4.tar.xz";
+      name = "kinfocenter-5.24.5.tar.xz";
     };
   };
   kmenuedit = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/kmenuedit-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/kmenuedit-5.24.5.tar.xz";
-      sha256 = "0ril8jxqkaavc4bkpksnyxn3bww7b81gnp9bnb17acrr2nd7wyhl";
+      sha256 = "02il6bhayjni0jsx1d1cnmxv5yc7r0d02s2v6cs87fbdrnl7d9vq";
-      name = "kmenuedit-5.24.4.tar.xz";
+      name = "kmenuedit-5.24.5.tar.xz";
     };
   };
   kscreen = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/kscreen-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/kscreen-5.24.5.tar.xz";
-      sha256 = "0shvhymdfxw1gz49y1s79zik9kkg5qh0mqdj6dx0s6r3w6vysj1h";
+      sha256 = "1g5mlc78giq8zrpyq6d2jhqgyj6yh2nhbqv6wjm9cdbq4nnm3hyr";
-      name = "kscreen-5.24.4.tar.xz";
+      name = "kscreen-5.24.5.tar.xz";
     };
   };
   kscreenlocker = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/kscreenlocker-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/kscreenlocker-5.24.5.tar.xz";
-      sha256 = "1xzc80awsapsg65kk21ssp7y0jb374k1w2bb7gvzj8j40rrn48pv";
+      sha256 = "13prkdwxd200ps4cy6rf2n4g9ll6fp1f93dk1njr9ilzbj2a2w1j";
-      name = "kscreenlocker-5.24.4.tar.xz";
+      name = "kscreenlocker-5.24.5.tar.xz";
     };
   };
   ksshaskpass = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/ksshaskpass-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/ksshaskpass-5.24.5.tar.xz";
-      sha256 = "1pa41w793dbi3rv6mm1a4xp46n80qwdpdlwhi6z4x76hjvqx9i9l";
+      sha256 = "1jw3hfnlplqsss1h49p5f3722qc22ln22sahs5ypsxszmqihpqiz";
-      name = "ksshaskpass-5.24.4.tar.xz";
+      name = "ksshaskpass-5.24.5.tar.xz";
     };
   };
   ksystemstats = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/ksystemstats-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/ksystemstats-5.24.5.tar.xz";
-      sha256 = "1pa7xrw5ij32bm66pn72zkzz8y70fq71n4kigm9ixc1s2glkbiwd";
+      sha256 = "1xsrlwm1hhagwjyjm240bfmri24z88v95m9pz95dpbcllkwdib0b";
-      name = "ksystemstats-5.24.4.tar.xz";
+      name = "ksystemstats-5.24.5.tar.xz";
     };
   };
   kwallet-pam = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/kwallet-pam-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/kwallet-pam-5.24.5.tar.xz";
-      sha256 = "0s6z7ds42a7kba25jd7pzylw7d2mc27xgymmdrpkg2afqanf3m4r";
+      sha256 = "1smclklxcfbxxxi3lgw2p6wmvj50fg40323j1b8p5z731ywdk3i3";
-      name = "kwallet-pam-5.24.4.tar.xz";
+      name = "kwallet-pam-5.24.5.tar.xz";
     };
   };
   kwayland-integration = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/kwayland-integration-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/kwayland-integration-5.24.5.tar.xz";
-      sha256 = "1cnfb81yv6m37m2kyk523skqbk5in1kpbpxq60ivjri91sm4pryj";
+      sha256 = "1v12631xdjdp2wkjvyls8g0sv18amy7g4mddrh45pybhpc3rcsl0";
-      name = "kwayland-integration-5.24.4.tar.xz";
+      name = "kwayland-integration-5.24.5.tar.xz";
     };
   };
   kwayland-server = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/kwayland-server-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/kwayland-server-5.24.5.tar.xz";
-      sha256 = "1279nqhy1qyz84dkn23rvzak8bg71hbrp09jlhv9mkjdb3bhnyfi";
+      sha256 = "0ydj6p489psqblqd88lk04q62qn1spa1m0zdjq8d32a4g4lvxnid";
-      name = "kwayland-server-5.24.4.tar.xz";
+      name = "kwayland-server-5.24.5.tar.xz";
     };
   };
   kwin = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/kwin-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/kwin-5.24.5.tar.xz";
-      sha256 = "1qwcd6iw6yvpchiwmvq5nwsr465jmrmscf286mjrc65im4hj6572";
+      sha256 = "10mgbs1mbhjzbwx07q77wdzhj11yc156j75fbvy8mszb9hjiappk";
-      name = "kwin-5.24.4.tar.xz";
+      name = "kwin-5.24.5.tar.xz";
     };
   };
   kwrited = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/kwrited-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/kwrited-5.24.5.tar.xz";
-      sha256 = "0j86ih4g762a94cyzilcbigh7iv04a80bqrlxm02fbqhffv01mv2";
+      sha256 = "0gfjvj8wnfgb3s2daz7xpg9flc8xv6hk12z6ckbchq71w4gs6132";
-      name = "kwrited-5.24.4.tar.xz";
+      name = "kwrited-5.24.5.tar.xz";
     };
   };
   layer-shell-qt = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/layer-shell-qt-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/layer-shell-qt-5.24.5.tar.xz";
-      sha256 = "03qyf6pvk36ig6ilimq02q19frdlsmrkbng2iz3d59k15zdrz5x0";
+      sha256 = "0ydjfxrkmpi052gfhkccsp9m5az3z6qiggb5wx6cjz39q06614gm";
-      name = "layer-shell-qt-5.24.4.tar.xz";
+      name = "layer-shell-qt-5.24.5.tar.xz";
     };
   };
   libkscreen = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/libkscreen-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/libkscreen-5.24.5.tar.xz";
-      sha256 = "1xv7vml5lxj1lnansisfbfym35h265ggwsyjplz76aibj5nyqv81";
+      sha256 = "1jbgq1ddl0q5y8cx4m7k5q38gl0kxv929wxr3hn3vr906fpiiwbz";
-      name = "libkscreen-5.24.4.tar.xz";
+      name = "libkscreen-5.24.5.tar.xz";
     };
   };
   libksysguard = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/libksysguard-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/libksysguard-5.24.5.tar.xz";
-      sha256 = "00i4l2kc02wymmiqh7wam8dp4h9hvn8nsxfv258waq7pnxzjmnkn";
+      sha256 = "1v21xckvwx6xkiqihv3pc2ps5mmc4ahp5vadxm3lrh0pdqxb6v5h";
-      name = "libksysguard-5.24.4.tar.xz";
+      name = "libksysguard-5.24.5.tar.xz";
     };
   };
   milou = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/milou-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/milou-5.24.5.tar.xz";
-      sha256 = "0z7kmygvjzj30llwg8gpibjja2gzc09nh9pxrpy78pa1jxnas29i";
+      sha256 = "1rh5zy1x427cv07zmikmh0rmviz7vcvnz2pyravyfzaxay5lwnf1";
-      name = "milou-5.24.4.tar.xz";
+      name = "milou-5.24.5.tar.xz";
     };
   };
   oxygen = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/oxygen-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/oxygen-5.24.5.tar.xz";
-      sha256 = "1d3sz2qc1cz9x6g04r0scvw9fmrazfn5v3iav4cn7wdkz8x06kc0";
+      sha256 = "1gh06wwm6gdjpsbjlxnrrlgsfd5w7lb0pddcml9l2w0dvlgfyn1v";
-      name = "oxygen-5.24.4.tar.xz";
+      name = "oxygen-5.24.5.tar.xz";
     };
   };
   plasma-browser-integration = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-browser-integration-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-browser-integration-5.24.5.tar.xz";
-      sha256 = "1havd775d4x2y36nkba2k6vdf839dspk10mxccnk2wkhdxmzfyk7";
+      sha256 = "1xybyn6vsahr5j0g57bsfxmz78w35ibzavcax1inrdlnb7sblrqv";
-      name = "plasma-browser-integration-5.24.4.tar.xz";
+      name = "plasma-browser-integration-5.24.5.tar.xz";
     };
   };
   plasma-desktop = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-desktop-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-desktop-5.24.5.tar.xz";
-      sha256 = "09fhqz2sp4caabr1li1shjd8l052vp4d10ci7pwsqj8f61331qmh";
+      sha256 = "0iic01iwg4bkp8sfp4mbm5lvbj98wjcyi0k79jfr1sx78dn7jn5g";
-      name = "plasma-desktop-5.24.4.tar.xz";
+      name = "plasma-desktop-5.24.5.tar.xz";
     };
   };
   plasma-disks = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-disks-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-disks-5.24.5.tar.xz";
-      sha256 = "1mi5fp3305kjw41zhbccxyg666gcmmrvckipjhnnnfwd3gl372ng";
+      sha256 = "1x3lm5cnwa51i8kcmp7pq29fpa9za3ypsmmldf2jbisawjnrb50k";
-      name = "plasma-disks-5.24.4.tar.xz";
+      name = "plasma-disks-5.24.5.tar.xz";
     };
   };
   plasma-firewall = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-firewall-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-firewall-5.24.5.tar.xz";
-      sha256 = "0f9g5m2ddbp2axfxqc4d92fzg6r4z1l56i6nsry6nlz6cqky3fm2";
+      sha256 = "0mk9plb1rwng77qy55c7y7ga4fkafan89bf4vqsc4i9nfn49d944";
-      name = "plasma-firewall-5.24.4.tar.xz";
+      name = "plasma-firewall-5.24.5.tar.xz";
     };
   };
   plasma-integration = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-integration-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-integration-5.24.5.tar.xz";
-      sha256 = "1d2d7cmhdhmdzs91vpc2p3fg413daqhqilp8d2qbpsks5hyrkm3k";
+      sha256 = "0ynzx99jn4fqzbrv9mav0sw06rzf7mm1rv17g17vsxijwbhr0i6d";
-      name = "plasma-integration-5.24.4.tar.xz";
+      name = "plasma-integration-5.24.5.tar.xz";
     };
   };
   plasma-mobile = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-mobile-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-mobile-5.24.5.tar.xz";
-      sha256 = "1hgcnb4flw224j57fxkhaiwapymq6ccjwqj8s6jgqzc3ax0py0vr";
+      sha256 = "0400rwx4pbz4kfy06f2vxchlf9vr6dx71wsi6vir3vdmvl43yazd";
-      name = "plasma-mobile-5.24.4.tar.xz";
+      name = "plasma-mobile-5.24.5.tar.xz";
     };
   };
   plasma-nano = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-nano-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-nano-5.24.5.tar.xz";
-      sha256 = "1fdq4r5zlkf3qb0a47zv3apgnqs4gqqfj8pdlcmzkyn9xykzs9vw";
+      sha256 = "0zxvqzg1p6ci6581bh4nhsq2p6pq66pmvs93zlj89ml4am176213";
-      name = "plasma-nano-5.24.4.tar.xz";
+      name = "plasma-nano-5.24.5.tar.xz";
     };
   };
   plasma-nm = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-nm-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-nm-5.24.5.tar.xz";
-      sha256 = "0bzc48vdrnd6n9qcm8ms7wrjm2yl7h9dik32arwdxx56vb7jhv08";
+      sha256 = "0adl5wfrz16hc7j64830cx1ga0bh9zd8bff95a30zdiggp7jc45f";
-      name = "plasma-nm-5.24.4.tar.xz";
+      name = "plasma-nm-5.24.5.tar.xz";
     };
   };
   plasma-pa = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-pa-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-pa-5.24.5.tar.xz";
-      sha256 = "09fkaq2zzicgr214zi2wf7cirffm7mwh55bivvafblp1wlavkrgz";
+      sha256 = "1lgq2lydl65bh01043ji7kkignrb5lfcvbhy0g4g7lw778whv3q6";
-      name = "plasma-pa-5.24.4.tar.xz";
+      name = "plasma-pa-5.24.5.tar.xz";
     };
   };
   plasma-sdk = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-sdk-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-sdk-5.24.5.tar.xz";
-      sha256 = "1zkggp9a1yz5mwwvndizwlan6wlb2fy8n940ljnhldccl91mgwzc";
+      sha256 = "0d35sckjvi77b3475pfh1ixdsdx0m7b0hbsx5rbjgj4b05cdpm0w";
-      name = "plasma-sdk-5.24.4.tar.xz";
+      name = "plasma-sdk-5.24.5.tar.xz";
     };
   };
   plasma-systemmonitor = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-systemmonitor-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-systemmonitor-5.24.5.tar.xz";
-      sha256 = "0jcsmmg0asf2npl3f1nbzazz3i8m9b34q55088k8jjakwwxqbwhz";
+      sha256 = "1vx0w5kmnp3chhydas7ijy8h1xf6dggd1ryhbr3k9qz2qihxfsqm";
-      name = "plasma-systemmonitor-5.24.4.tar.xz";
+      name = "plasma-systemmonitor-5.24.5.tar.xz";
     };
   };
   plasma-tests = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-tests-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-tests-5.24.5.tar.xz";
-      sha256 = "1ms298h9wghj9gpi7laf1dsd7s3yiycy44k4s5v4id8vfarnbs27";
+      sha256 = "1aqmmix0ds9vg4cjj8dagaya10ainhcciixamdylz1p7vgzpsrkx";
-      name = "plasma-tests-5.24.4.tar.xz";
+      name = "plasma-tests-5.24.5.tar.xz";
     };
   };
   plasma-thunderbolt = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-thunderbolt-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-thunderbolt-5.24.5.tar.xz";
-      sha256 = "1cqabdsg8v8b00ppbabrg2gih16lf79lr5i8mqvjnc73npacvzhy";
+      sha256 = "1q0r9l2b06qkbyxa25lvqdwz0rgcjvp48gwkw0xhhaf6fyaai1cl";
-      name = "plasma-thunderbolt-5.24.4.tar.xz";
+      name = "plasma-thunderbolt-5.24.5.tar.xz";
     };
   };
   plasma-vault = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-vault-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-vault-5.24.5.tar.xz";
-      sha256 = "0rj9z2c52mya2fjm4bimqz5z3lj2qg764zri6bqwrgwgsjwc4s81";
+      sha256 = "16cyzyfzwqwqsg7hhg576acvxvbd12b7mznvicrrqnyf4wvw68l1";
-      name = "plasma-vault-5.24.4.tar.xz";
+      name = "plasma-vault-5.24.5.tar.xz";
     };
   };
   plasma-workspace = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-workspace-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-workspace-5.24.5.tar.xz";
-      sha256 = "0w7cnawnpcg5zk9bycjcnc8yfz21whrhd9h2z7hizgfnj2q403jv";
+      sha256 = "1xk4424az7sgb0kyysr1s2x756vj4km50xxzkn1s1kxyw28jd4dr";
-      name = "plasma-workspace-5.24.4.tar.xz";
+      name = "plasma-workspace-5.24.5.tar.xz";
     };
   };
   plasma-workspace-wallpapers = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plasma-workspace-wallpapers-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plasma-workspace-wallpapers-5.24.5.tar.xz";
-      sha256 = "0hpg7nn5wsn56my48jk225x1qb70sgf3hf8q5swwqc1xc6xzcg14";
+      sha256 = "0aabmd4zswmzdy958y1yq0yp1v9i8kzl959d6r4pwi0lmhr6g6qi";
-      name = "plasma-workspace-wallpapers-5.24.4.tar.xz";
+      name = "plasma-workspace-wallpapers-5.24.5.tar.xz";
     };
   };
   plymouth-kcm = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/plymouth-kcm-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/plymouth-kcm-5.24.5.tar.xz";
-      sha256 = "0s5h25vyk5yzipwj91rb62xzgi6aafpwikh7ibpmmh2wn71x3amr";
+      sha256 = "04m4129hxgq4g9v8gvi8q0hzhqzd866j3j1ffxs5vfd27r155wcr";
-      name = "plymouth-kcm-5.24.4.tar.xz";
+      name = "plymouth-kcm-5.24.5.tar.xz";
     };
   };
   polkit-kde-agent = {
-    version = "1-5.24.4";
+    version = "1-5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/polkit-kde-agent-1-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/polkit-kde-agent-1-5.24.5.tar.xz";
-      sha256 = "1bc5ss6v4d7kwk1chhvpis5srs8lfypims46wgxjncyhjg2lcllm";
+      sha256 = "0w78c59nm71xnd5prm035z94r5bzlqr0fyri43a8vrfyyb21r9l9";
-      name = "polkit-kde-agent-1-5.24.4.tar.xz";
+      name = "polkit-kde-agent-1-5.24.5.tar.xz";
     };
   };
   powerdevil = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/powerdevil-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/powerdevil-5.24.5.tar.xz";
-      sha256 = "0sjlx5fhfdld1i352adi2bhyd29ja9lbmzhfxgnvmpfl6q7c0w7g";
+      sha256 = "1wr3rk318j93rnyh24icl4yxdj40zasymlddc71ram80fswa2k4n";
-      name = "powerdevil-5.24.4.tar.xz";
+      name = "powerdevil-5.24.5.tar.xz";
     };
   };
   qqc2-breeze-style = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/qqc2-breeze-style-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/qqc2-breeze-style-5.24.5.tar.xz";
-      sha256 = "1d0cgsxvnm0zza7n5hz47n28yrr35hp0vniggifncm0ag8sn0kmd";
+      sha256 = "1m0xnx46zkv1dlwkgns1ibgsl934jbcfz35jlm4p8l6n1y2jcjyg";
-      name = "qqc2-breeze-style-5.24.4.tar.xz";
+      name = "qqc2-breeze-style-5.24.5.tar.xz";
     };
   };
   sddm-kcm = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/sddm-kcm-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/sddm-kcm-5.24.5.tar.xz";
-      sha256 = "0pfqp5das7pxpmh111i2dlfqm6xzzd99bcb32bbmd9v6w2wlgwxy";
+      sha256 = "15z5hfpczi73vqjfj9z2ai2r4187fyrvfnikcfb18g2bdh1n54ng";
-      name = "sddm-kcm-5.24.4.tar.xz";
+      name = "sddm-kcm-5.24.5.tar.xz";
     };
   };
   systemsettings = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/systemsettings-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/systemsettings-5.24.5.tar.xz";
-      sha256 = "0cqm7s89jvzqz1fw32284ppnm3dc69yvc8bqqgw5jdbbjnc1z4k9";
+      sha256 = "1rg9zx7fhrg91nlarv0cz384agbik47sccj7hhshnxnq1czvawjv";
-      name = "systemsettings-5.24.4.tar.xz";
+      name = "systemsettings-5.24.5.tar.xz";
     };
   };
   xdg-desktop-portal-kde = {
-    version = "5.24.4";
+    version = "5.24.5";
     src = fetchurl {
-      url = "${mirror}/stable/plasma/5.24.4/xdg-desktop-portal-kde-5.24.4.tar.xz";
+      url = "${mirror}/stable/plasma/5.24.5/xdg-desktop-portal-kde-5.24.5.tar.xz";
-      sha256 = "07nwb6ff8rnlk2play9gar52d8d44b8y412hnx9a9d4b50b4js0i";
+      sha256 = "1zn6wln8pccj1x3labms7xippn6xgv4aamwpmzk2rvwss9jwz75m";
-      name = "xdg-desktop-portal-kde-5.24.4.tar.xz";
+      name = "xdg-desktop-portal-kde-5.24.5.tar.xz";
     };
   };
 }

pkgs/development/compilers/hip/default.nix

@@ -31,13 +31,13 @@
 let
   hip = stdenv.mkDerivation rec {
     pname = "hip";
-    version = "5.0.2";
+    version = "5.1.1";
 
     src = fetchFromGitHub {
       owner = "ROCm-Developer-Tools";
       repo = "HIP";
       rev = "rocm-${version}";
-      hash = "sha256-w023vBLJaiFbRdvz9UfZLPasRjk3VqM9zwctCIJ5hGU=";
+      hash = "sha256-/kIZrbzq1u1pIs1jlmRYZNUGteqVQTI4TlXsHsVIUKE=";
     };
 
     # - fix bash paths
@@ -102,13 +102,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "hip";
-  version = "5.0.2";
+  version = "5.1.1";
 
   src = fetchFromGitHub {
     owner = "ROCm-Developer-Tools";
     repo = "hipamd";
     rev = "rocm-${version}";
-    hash = "sha256-hhTwKG0wDpbIBI8S61AhdNldX+STO8C66xi2EzmJSBs=";
+    hash = "sha256-TuCMRJb6G/bhD8hG6Ot7MIkgBoShjVboeXrlGh9eYpQ=";
   };
 
   nativeBuildInputs = [ cmake python3 makeWrapper perl ];

pkgs/development/compilers/intel-graphics-compiler/default.nix

@@ -9,6 +9,8 @@
 , lld_11
 , opencl-clang
 , python3
+, spirv-tools
+, spirv-headers
 , spirv-llvm-translator
 
 , buildWithPatches ? true
@@ -18,8 +20,8 @@ let
   vc_intrinsics_src = fetchFromGitHub {
     owner = "intel";
     repo = "vc-intrinsics";
-    rev = "e5ad7e02aa4aa21a3cd7b3e5d1f3ec9b95f58872";
+    rev = "v0.3.0";
-    sha256 = "Vg1mngwpIQ3Tik0GgRXPG22lE4sLEAEFch492G2aIXs=";
+    sha256 = "sha256-1Rm4TCERTOcPGWJF+yNoKeB9x3jfqnh7Vlv+0Xpmjbk=";
   };
   llvmPkgs = llvmPackages_11 // {
     inherit spirv-llvm-translator;
@@ -31,18 +33,18 @@ in
 
 stdenv.mkDerivation rec {
   pname = "intel-graphics-compiler";
-  version = "1.0.8744";
+  version = "1.0.11061";
 
   src = fetchFromGitHub {
     owner = "intel";
     repo = "intel-graphics-compiler";
     rev = "igc-${version}";
-    sha256 = "G5+dYD8uZDPkRyn1sgXsRngdq4NJndiCJCYTRXyUgTA=";
+    sha256 = "sha256-qS/+GTqHtp3T6ggPKrCDsrTb7XvVOUaNbMzGU51jTu4=";
   };
 
   nativeBuildInputs = [ clang cmake bison flex python3 ];
 
-  buildInputs = [ clang opencl-clang spirv-llvm-translator llvm lld_11 ];
+  buildInputs = [ spirv-headers spirv-tools clang opencl-clang spirv-llvm-translator llvm lld_11 ];
 
   strictDeps = true;
 
@@ -52,6 +54,21 @@ stdenv.mkDerivation rec {
   # https://github.com/intel/intel-graphics-compiler/issues/98
   doCheck = false;
 
+  patchPhase = ''
+    substituteInPlace ./external/SPIRV-Tools/CMakeLists.txt \
+            --replace '$'''{SPIRV-Tools_DIR}../../..' \
+                      '${spirv-tools}' \
+            --replace 'SPIRV-Headers_INCLUDE_DIR "/usr/include"' \
+                      'SPIRV-Headers_INCLUDE_DIR "${spirv-headers}/include"' \
+            --replace 'set_target_properties(SPIRV-Tools' \
+                      'set_target_properties(SPIRV-Tools-shared' \
+            --replace 'IGC_BUILD__PROJ__SPIRV-Tools SPIRV-Tools' \
+                      'IGC_BUILD__PROJ__SPIRV-Tools SPIRV-Tools-shared'
+          substituteInPlace ./IGC/AdaptorOCL/igc-opencl.pc.in \
+            --replace '/@CMAKE_INSTALL_INCLUDEDIR@' "/include" \
+            --replace '/@CMAKE_INSTALL_LIBDIR@' "/lib"
+  '';
+
   # Handholding the braindead build script
   # cmake requires an absolute path
   prebuilds = runCommandLocal "igc-cclang-prebuilds" { } ''
@@ -64,7 +81,9 @@ stdenv.mkDerivation rec {
   '';
 
   cmakeFlags = [
+    "-Wno-dev"
     "-DVC_INTRINSICS_SRC=${vc_intrinsics_src}"
+    "-DIGC_OPTION__SPIRV_TOOLS_MODE=Prebuilds"
     "-DINSTALL_SPIRVDLL=0"
     "-DCCLANG_BUILD_PREBUILDS=ON"
     "-DCCLANG_BUILD_PREBUILDS_DIR=${prebuilds}"

pkgs/development/compilers/llvm/rocm/default.nix

@@ -1,12 +1,12 @@
 { stdenv, lib, buildPackages, fetchFromGitHub, callPackage, wrapCCWith, overrideCC }:
 
 let
-  version = "5.0.2";
+  version = "5.1.1";
   src = fetchFromGitHub {
     owner = "RadeonOpenCompute";
     repo = "llvm-project";
     rev = "rocm-${version}";
-    hash = "sha256-wPzwbeQUFE6RAytrz5lBa6UUPoVL0UeMyY3qa4M6W6M=";
+    hash = "sha256-5SGIWiyfHvfwIUc4bhdWrlhBfK5ssA7tm5r3zKdr3kg=";
   };
 in rec {
   clang = wrapCCWith rec {
@@ -52,12 +52,10 @@ in rec {
   };
 
   lld = callPackage ./lld.nix {
-    inherit llvm version;
+    inherit llvm src version;
-    src = "${src}/lld";
   };
 
   llvm = callPackage ./llvm {
-    inherit version;
+    inherit src version;
-    src = "${src}/llvm";
   };
 }

pkgs/development/compilers/llvm/rocm/lld.nix

@@ -3,6 +3,7 @@
 , cmake
 , libxml2
 , llvm
+, ninja
 
 , version
 , src
@@ -11,15 +12,17 @@
 stdenv.mkDerivation rec {
   inherit version src;
 
+  sourceRoot = "${src.name}/lld";
+
   pname = "lld";
 
-  nativeBuildInputs = [ cmake ];
+  nativeBuildInputs = [ cmake ninja ];
 
   buildInputs = [ libxml2 llvm ];
 
   outputs = [ "out" "dev" ];
 
-  cmakeFlags = [ "-DLLVM_MAIN_SRC_DIR=${llvm.src}" ];
+  cmakeFlags = [ "-DLLVM_MAIN_SRC_DIR=${src}/llvm" ];
 
   postInstall = ''
     moveToOutput include "$dev"

pkgs/development/compilers/llvm/rocm/llvm/default.nix

@@ -28,6 +28,8 @@ in stdenv.mkDerivation rec {
 
   pname = "rocm-llvm";
 
+  sourceRoot = "${src.name}/llvm";
+
   outputs = [ "out" "python" ]
     ++ lib.optional enableSharedLibraries "lib";
 

pkgs/development/compilers/open-watcom/v2.nix

@@ -12,14 +12,14 @@
 
 stdenv.mkDerivation rec {
   pname = "open-watcom-v2";
-  version = "unstable-2022-04-29";
+  version = "unstable-2022-05-03";
   name = "${pname}-unwrapped-${version}";
 
   src = fetchFromGitHub {
     owner = "open-watcom";
     repo = "open-watcom-v2";
-    rev = "520d9d7025b46b926123257b029b3dbce9a96065";
+    rev = "a927247a40e69261e7d8891b6f002c91450e01f2";
-    sha256 = "aACkkTzOH8F82GPyySjtb7CGozR8OjgzqZVRiNTiS10=";
+    sha256 = "/CuPNCEoSjxwYL07b07XqnaAeFZGS8NjXBuj+gFCsOA=";
   };
 
   postPatch = ''

pkgs/development/compilers/spirv-llvm-translator/default.nix

@@ -4,29 +4,42 @@
 , pkg-config
 , lit
 , llvm_11
+, spirv-headers
+, spirv-tools
 }:
 
 stdenv.mkDerivation rec {
   pname = "SPIRV-LLVM-Translator";
-  version = "unstable-2021-06-13";
+  version = "unstable-2022-05-04";
 
   src = fetchFromGitHub {
     owner = "KhronosGroup";
     repo = "SPIRV-LLVM-Translator";
-    rev = "c67e6f26a7285aa753598ef792593ac4a545adf9";
+    rev = "99420daab98998a7e36858befac9c5ed109d4920";
-    sha256 = "sha256-1s3lVNTQDl+pUvbzSMsp3cOUSm6I4DzqJxnLMeeE3F4=";
+    sha256 = "sha256-/vUyL6Wh8hykoGz1QmT1F7lfGDEmG4U3iqmqrJxizOg=";
   };
 
   nativeBuildInputs = [ pkg-config cmake llvm_11.dev ];
 
-  buildInputs = [ llvm_11 ];
+  buildInputs = [ spirv-headers spirv-tools llvm_11 ];
 
   checkInputs = [ lit ];
 
+  makeFlags = [ "llvm-spirv" ];
+
   cmakeFlags = [
     "-DLLVM_INCLUDE_TESTS=ON"
+    "-DLLVM_DIR=${llvm_11.dev}"
+    "-DBUILD_SHARED_LIBS=YES"
+    "-DLLVM_SPIRV_BUILD_EXTERNAL=YES"
   ];
 
+  prePatch = ''
+    substituteInPlace ./test/CMakeLists.txt \
+      --replace 'SPIRV-Tools' 'SPIRV-Tools-shared'
+  '';
+
+
   # FIXME: CMake tries to run "/llvm-lit" which of course doesn't exist
   doCheck = false;
 

pkgs/development/libraries/libffi/3.3.nix

@@ -0,0 +1,64 @@
+{ lib, stdenv, fetchurl, fetchpatch
+, autoreconfHook
+
+, doCheck ? true # test suite depends on dejagnu which cannot be used during bootstrapping
+, dejagnu
+}:
+
+stdenv.mkDerivation rec {
+  pname = "libffi";
+  version = "3.3";
+
+  src = fetchurl {
+    url = "https://github.com/libffi/libffi/releases/download/v${version}/${pname}-${version}.tar.gz";
+    hash = "sha256-cvunkicD3fp6Ao1ROsFahcjVTI1n9V+lpIAohdxlIFY=";
+  };
+
+  patches = [];
+
+  outputs = [ "out" "dev" "man" "info" ];
+
+  configureFlags = [
+    "--with-gcc-arch=generic" # no detection of -march= or -mtune=
+    "--enable-pax_emutramp"
+
+    # Causes issues in downstream packages which misuse ffi_closure_alloc
+    # Reenable once these issues are fixed and merged:
+    # https://gitlab.haskell.org/ghc/ghc/-/merge_requests/6155
+    # https://gitlab.gnome.org/GNOME/gobject-introspection/-/merge_requests/283
+    "--disable-exec-static-tramp"
+  ];
+
+  preCheck = ''
+    # The tests use -O0 which is not compatible with -D_FORTIFY_SOURCE.
+    NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify/}
+  '';
+
+  dontStrip = stdenv.hostPlatform != stdenv.buildPlatform; # Don't run the native `strip' when cross-compiling.
+
+  inherit doCheck;
+
+  checkInputs = [ dejagnu ];
+
+  meta = with lib; {
+    description = "A foreign function call interface library";
+    longDescription = ''
+      The libffi library provides a portable, high level programming
+      interface to various calling conventions.  This allows a
+      programmer to call any function specified by a call interface
+      description at run-time.
+
+      FFI stands for Foreign Function Interface.  A foreign function
+      interface is the popular name for the interface that allows code
+      written in one language to call code written in another
+      language.  The libffi library really only provides the lowest,
+      machine dependent layer of a fully featured foreign function
+      interface.  A layer must exist above libffi that handles type
+      conversions for values passed between the two languages.
+    '';
+    homepage = "http://sourceware.org/libffi/";
+    license = licenses.mit;
+    maintainers = with maintainers; [ armeenm ];
+    platforms = platforms.all;
+  };
+}

pkgs/development/libraries/libgit2/default.nix

@@ -1,7 +1,6 @@
 { lib
 , stdenv
 , fetchFromGitHub
-, fetchpatch
 , cmake
 , pkg-config
 , python3
@@ -16,23 +15,16 @@
 
 stdenv.mkDerivation rec {
   pname = "libgit2";
-  version = "1.4.0";
+  version = "1.4.3";
   # also check the following packages for updates: python3.pkgs.pygit2 and libgit2-glib
 
   src = fetchFromGitHub {
     owner = "libgit2";
     repo = "libgit2";
     rev = "v${version}";
-    sha256 = "sha256-21t7fD/5O+HIHUDEv8MqloDmAIm9sSpJYqreCD3Co2k=";
+    sha256 = "sha256-WnRzH5uMVEStA5ns4GNgMD5YoLQoats9aPLfnz9RoQs=";
   };
 
-  patches = [
-    (fetchpatch {
-      url = "https://github.com/libgit2/libgit2/commit/8bc9eda779b2e2602fc74944aba5d39198e0642f.patch";
-      sha256 = "sha256-r2i4+WsrxIpSwH0g/AikBdAajBncXb1zz0uOQB0h1Jk=";
-    })
-  ];
-
   cmakeFlags = [
     "-DTHREADSAFE=ON"
     "-DUSE_HTTP_PARSER=system"
@@ -48,11 +40,11 @@ stdenv.mkDerivation rec {
 
   doCheck = false; # hangs. or very expensive?
 
-  meta = {
+  meta = with lib; {
     description = "Linkable library implementation of Git that you can use in your application";
     homepage = "https://libgit2.org/";
-    license = lib.licenses.gpl2Plus;
+    license = licenses.gpl2Plus;
-    platforms = lib.platforms.all;
+    platforms = platforms.all;
-    maintainers = with lib.maintainers; [ ];
+    maintainers = with maintainers; [ SuperSandro2000 ];
   };
 }

pkgs/development/libraries/libmediainfo/default.nix

@@ -1,23 +1,16 @@
-{ lib, stdenv, fetchurl, autoreconfHook, pkg-config, libzen, zlib, fetchpatch }:
+{ lib, stdenv, fetchurl, autoreconfHook, pkg-config, libzen, zlib }:
 
 stdenv.mkDerivation rec {
-  version = "21.09";
+  version = "22.03";
   pname = "libmediainfo";
   src = fetchurl {
     url = "https://mediaarea.net/download/source/libmediainfo/${version}/libmediainfo_${version}.tar.xz";
-    sha256 = "09pinxqw3z3hxrafn67clw1cb1z9aqfy6gkiavginfm0yr299gk9";
+    sha256 = "sha256-/FC6u2KOnPumVSiNrgbVw0Kw1+aUGjLWT7uxEySMgLk=";
   };
 
   nativeBuildInputs = [ autoreconfHook pkg-config ];
-  buildInputs = [ libzen zlib ];
+  buildInputs = [ zlib ];
-
+  propagatedBuildInputs = [ libzen ];
-  patches = [
-    # fixes pkgsMusl.libmediainfo build
-    (fetchpatch {
-      url = "https://git.alpinelinux.org/aports/plain/community/libmediainfo/fix-include-signal.patch?id=b8d666a3d33575c184308e1176f4de9e519af577";
-      sha256 = "sha256-b3HoIwy/hKSh8jUakwVJpnPmYw5KUwZXgLW7IPMY4/c=";
-    })
-  ];
 
   postPatch = "cd Project/GNU/Library";
 

pkgs/development/libraries/libwebsockets/default.nix

@@ -32,13 +32,12 @@ let
       "-DLWS_WITH_PLUGINS=ON"
       "-DLWS_WITH_IPV6=ON"
       "-DLWS_WITH_SOCKS5=ON"
+      "-DDISABLE_WERROR=ON"
       # Required since v4.2.0
       "-DLWS_BUILD_HASH=no_hash"
     ] ++ lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) "-DLWS_WITHOUT_TESTAPPS=ON"
       ++ lib.optional withExternalPoll "-DLWS_WITH_EXTERNAL_POLL=ON";
 
-    NIX_CFLAGS_COMPILE = lib.optionalString stdenv.cc.isGNU "-Wno-error=unused-but-set-variable";
-
     postInstall = ''
       rm -r ${placeholder "out"}/share/libwebsockets-test-server
     '';
@@ -63,21 +62,6 @@ let
   };
 
 in {
-  libwebsockets_3_1 = generic {
-    sha256 = "1w1wz6snf3cmcpa3f4dci2nz9za2f5rrylxl109id7bcb36xhbdl";
-    version = "3.1.0";
-  };
-
-  libwebsockets_3_2 = generic {
-    version = "3.2.2";
-    sha256 = "0m1kn4p167jv63zvwhsvmdn8azx3q7fkk8qc0fclwyps2scz6dna";
-  };
-
-  libwebsockets_4_2 = generic {
-    version = "4.2.1";
-    sha256 = "sha256-C+WGfNF4tAgbp/7aRraBgjNOe4I5ihm+8CGelXzfxbU=";
-  };
-
   libwebsockets_4_3 = generic {
     version = "4.3.1";
     sha256 = "sha256-lB3JHh058cQc5rycLnHk3JAOgtku0nRCixN5U6lPKq8=";

pkgs/development/libraries/lmdb/bin-ext.patch

@@ -0,0 +1,21 @@
+diff --git a/libraries/liblmdb/Makefile b/libraries/liblmdb/Makefile
+index 612484e..2e6b562 100644
+--- a/libraries/liblmdb/Makefile
++++ b/libraries/liblmdb/Makefile
+@@ -27,6 +27,7 @@ CFLAGS	= $(THREADS) $(OPT) $(W) $(XCFLAGS)
+ LDLIBS	=
+ SOLIBS	=
+ SOEXT	= .so
++BINEXT  =
+ prefix	= /usr/local
+ exec_prefix = $(prefix)
+ bindir = $(exec_prefix)/bin
+@@ -49,7 +50,7 @@ install: $(ILIBS) $(IPROGS) $(IHDRS)
+ 	mkdir -p $(DESTDIR)$(libdir)
+ 	mkdir -p $(DESTDIR)$(includedir)
+ 	mkdir -p $(DESTDIR)$(mandir)/man1
+-	for f in $(IPROGS); do cp $$f $(DESTDIR)$(bindir); done
++	for f in $(IPROGS); do cp $$f$(BINEXT) $(DESTDIR)$(bindir); done
+ 	for f in $(ILIBS); do cp $$f $(DESTDIR)$(libdir); done
+ 	for f in $(IHDRS); do cp $$f $(DESTDIR)$(includedir); done
+ 	for f in $(IDOCS); do cp $$f $(DESTDIR)$(mandir)/man1; done

pkgs/development/libraries/lmdb/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitLab }:
+{ lib, stdenv, fetchFromGitLab, windows }:
 
 stdenv.mkDerivation rec {
   pname = "lmdb";
@@ -14,17 +14,20 @@ stdenv.mkDerivation rec {
 
   postUnpack = "sourceRoot=\${sourceRoot}/libraries/liblmdb";
 
-  patches = [ ./hardcoded-compiler.patch ];
+  patches = [ ./hardcoded-compiler.patch ./bin-ext.patch ];
   patchFlags = [ "-p3" ];
 
   outputs = [ "bin" "out" "dev" ];
 
+  buildInputs = lib.optional stdenv.hostPlatform.isWindows windows.pthreads;
+
   makeFlags = [
     "prefix=$(out)"
     "CC=${stdenv.cc.targetPrefix}cc"
     "AR=${stdenv.cc.targetPrefix}ar"
   ]
-    ++ lib.optional stdenv.isDarwin "LDFLAGS=-Wl,-install_name,$(out)/lib/liblmdb.so";
+    ++ lib.optional stdenv.isDarwin "LDFLAGS=-Wl,-install_name,$(out)/lib/liblmdb.so"
+    ++ lib.optionals stdenv.hostPlatform.isWindows [ "SOEXT=.dll" "BINEXT=.exe" ];
 
   doCheck = true;
   checkTarget = "test";

pkgs/development/libraries/lucene++/default.nix

@@ -14,13 +14,13 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ cmake ];
   buildInputs = [ boost gtest zlib ];
 
-  doCheck = true;
-
   postPatch = ''
-     substituteInPlace src/test/CMakeLists.txt \
+    substituteInPlace src/test/CMakeLists.txt \
-            --replace "add_subdirectory(gtest)" ""
+      --replace "add_subdirectory(gtest)" ""
   '';
 
+  doCheck = true;
+
   checkPhase = ''
     runHook preCheck
     LD_LIBRARY_PATH=$PWD/src/contrib:$PWD/src/core \
@@ -30,6 +30,7 @@ stdenv.mkDerivation rec {
 
   postInstall = ''
     mv $out/include/pkgconfig $out/lib/
+    cp $src/src/contrib/include/*h $out/include/lucene++/
   '';
 
   meta = {

pkgs/development/libraries/opencl-clang/default.nix

@@ -67,15 +67,15 @@ let
   in
     stdenv.mkDerivation rec {
       pname = "opencl-clang";
-      version = "unstable-2021-06-22";
+      version = "unstable-2022-03-16";
 
       inherit passthru;
 
       src = fetchFromGitHub {
         owner = "intel";
         repo = "opencl-clang";
-        rev = "fd68f64b33e67d58f6c36b9e25c31c1178a1962a";
+        rev = "bbdd1587f577397a105c900be114b56755d1f7dc";
-        sha256 = "sha256-q1YPBb/LY67iEuQx1fMUQD/I7OsNfobW3yNfJxLXx3E=";
+        sha256 = "sha256-qEZoQ6h4XAvSnJ7/gLXBb1qrzeYa6Jp6nij9VFo8MwQ=";
       };
 
       patches = [

pkgs/development/libraries/poppler/default.nix

@@ -35,13 +35,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "poppler-${suffix}";
-  version = "22.03.0"; # beware: updates often break cups-filters build, check texlive and scribusUnstable too!
+  version = "22.04.0"; # beware: updates often break cups-filters build, check texlive and scribusUnstable too!
 
   outputs = [ "out" "dev" ];
 
   src = fetchurl {
     url = "https://poppler.freedesktop.org/poppler-${version}.tar.xz";
-    sha256 = "sha256-cox4upTXWlX2tjVdT72qb0mTTZYWvljl5nmpz9CYDh4=";
+    sha256 = "sha256-gT+0uQ572mPfUyBcVIYCuucoiHpg9ASKrk29mxkn3v8=";
   };
 
   nativeBuildInputs = [

pkgs/development/libraries/presage/default.nix

@@ -30,6 +30,12 @@ stdenv.mkDerivation rec {
       sha256 = "0243nx1ygggmsly7057vndb4pkjxg9rpay5gyqqrq9jjzjzh63dj";
     })
     ./fixed-cppunit-detection.patch
+    # fix gcc11 build
+    (fetchpatch {
+      name = "presage-0.9.1-gcc11.patch";
+      url = "https://build.opensuse.org/public/source/openSUSE:Factory/presage/presage-0.9.1-gcc11.patch?rev=3f8b4b19c99276296d6ea595cc6c431f";
+      sha256 = "sha256-pLrIFXvJHRvv4x9gBIfal4Y68lByDE3XE2NZNiAXe9k=";
+    })
   ];
 
   nativeBuildInputs = [

pkgs/development/libraries/rocclr/default.nix

@@ -1,5 +1,6 @@
 { lib, stdenv
 , fetchFromGitHub
+, fetchpatch
 , writeScript
 , rocm-comgr
 }:
@@ -15,6 +16,16 @@ stdenv.mkDerivation rec {
     hash = "sha256-SFWEGKffhuiTE7ICbkElVV5cldXu4Xbwvjb6LiNmijA=";
   };
 
+  patches = [
+    # Enable support for gfx8 again
+    # See the upstream issue: https://github.com/RadeonOpenCompute/ROCm/issues/1659
+    # And the arch patch: https://github.com/rocm-arch/rocm-arch/pull/742
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/John-Gee/rocm-arch/d6812d308fee3caf2b6bb01b4d19fe03a6a0e3bd/rocm-opencl-runtime/enable-gfx800.patch";
+      hash = "sha256-59jFDIIsTTZcNns9RyMVWPRUggn/bSlAGrky4quu8B4=";
+    })
+  ];
+
   prePatch = ''
     substituteInPlace device/comgrctx.cpp \
       --replace "libamd_comgr.so" "${rocm-comgr}/lib/libamd_comgr.so"

pkgs/development/libraries/rocm-opencl-runtime/default.nix

@@ -24,13 +24,13 @@
 
 stdenv.mkDerivation rec {
   pname = "rocm-opencl-runtime";
-  version = "5.0.2";
+  version = "5.1.1";
 
   src = fetchFromGitHub {
     owner = "RadeonOpenCompute";
     repo = "ROCm-OpenCL-Runtime";
     rev = "rocm-${version}";
-    hash = "sha256-ovYwElZGRKySH1mWFIISxuNNxCjaqoe9oCvqYZGdfq0=";
+    hash = "sha256-O7q3uTjspO/rZ2+8+g7pRfBXsCRaEr4DZxEqABHbOeY=";
   };
 
   nativeBuildInputs = [ cmake rocm-cmake ];
@@ -55,6 +55,7 @@ stdenv.mkDerivation rec {
   cmakeFlags = [
     "-DAMD_OPENCL_PATH=${src}"
     "-DROCCLR_PATH=${rocclr}"
+    "-DCPACK_PACKAGING_INSTALL_PREFIX=/opt/rocm/opencl"
   ];
 
   dontStrip = true;

pkgs/development/libraries/rocm-runtime/default.nix

@@ -14,13 +14,13 @@
 
 stdenv.mkDerivation rec {
   pname = "rocm-runtime";
-  version = "5.1.0";
+  version = "5.1.1";
 
   src = fetchFromGitHub {
     owner = "RadeonOpenCompute";
     repo = "ROCR-Runtime";
     rev = "rocm-${version}";
-    hash = "sha256-MGm7YmnoFNk7VsxsbsUgSD9Y5r1OBm6Ycg3wXNme8EI=";
+    hash = "sha256-IP5ylfUXOFkw9+Frfh+tNaZ83ozAbOK9kO2AzFVzzWk=";
   };
 
   sourceRoot = "source/src";

pkgs/development/libraries/umockdev/default.nix

@@ -19,15 +19,21 @@
 
 stdenv.mkDerivation rec {
   pname = "umockdev";
-  version = "0.17.8";
+  version = "0.17.9";
 
   outputs = [ "bin" "out" "dev" "devdoc" ];
 
   src = fetchurl {
     url = "https://github.com/martinpitt/umockdev/releases/download/${version}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-s3zeWJxw5ohUtsv4NZGKcdP8khEYzIXycbBrAzdnVoU=";
+    sha256 = "sha256-FEmWjJVmKKckC30zULGI/mZ3VNtirnweZq2gKh/Y5VE=";
   };
 
+  patches = [
+    # Hardcode absolute paths to libraries so that consumers
+    # do not need to set LD_LIBRARY_PATH themselves.
+    ./hardcode-paths.patch
+  ];
+
   nativeBuildInputs = [
     docbook-xsl-nons
     gobject-introspection
@@ -57,6 +63,21 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
+  postPatch = ''
+    # Substitute the path to this derivation in the patch we apply.
+    substituteInPlace src/umockdev-wrapper \
+      --subst-var-by 'LIBDIR' "''${!outputLib}/lib"
+  '';
+
+  preCheck = ''
+    # Our patch makes the path to the `LD_PRELOAD`ed library absolute.
+    # When running tests, the library is not yet installed, though,
+    # so we need to replace the absolute path with a local one during build.
+    # We are using a symlink that will be overridden during installation.
+    mkdir -p "$out/lib"
+    ln -s "$PWD/libumockdev-preload.so.0" "$out/lib/libumockdev-preload.so.0"
+  '';
+
   meta = with lib; {
     description = "Mock hardware devices for creating unit tests";
     license = licenses.lgpl21Plus;

pkgs/development/libraries/umockdev/hardcode-paths.patch

@@ -0,0 +1,69 @@
+diff --git a/meson.build b/meson.build
+index 2ed9027..1f6bbf2 100644
+--- a/meson.build
++++ b/meson.build
+@@ -38,6 +38,7 @@ g_ir_compiler = find_program('g-ir-compiler', required: false)
+ 
+ conf.set('PACKAGE_NAME', meson.project_name())
+ conf.set_quoted('VERSION', meson.project_version())
++conf.set_quoted('LIBDIR', get_option('prefix') / get_option('libdir'))
+ 
+ # glibc versions somewhere between 2.28 and 2.34
+ if cc.has_function('__fxstatat', prefix: '#include <sys/stat.h>')
+@@ -148,7 +149,7 @@ hacked_gir = custom_target('UMockdev-1.0 hacked gir',
+ 
+ if g_ir_compiler.found()
+ umockdev_typelib = custom_target('UMockdev-1.0 typelib',
+-  command: [g_ir_compiler, '--output', '@OUTPUT@', '-l', 'libumockdev.so.0', '@INPUT@'],
++  command: [g_ir_compiler, '--output', '@OUTPUT@', '-l', get_option('prefix') / get_option('libdir') / 'libumockdev.so.0', '@INPUT@'],
+   input: hacked_gir,
+   output: 'UMockdev-1.0.typelib',
+   install: true,
+diff --git a/src/config.vapi b/src/config.vapi
+index 5269dd0..a2ec46d 100644
+--- a/src/config.vapi
++++ b/src/config.vapi
+@@ -2,5 +2,6 @@
+ namespace Config {
+     public const string PACKAGE_NAME;
+     public const string VERSION;
++    public const string LIBDIR;
+ }
+ 
+diff --git a/src/umockdev-record.vala b/src/umockdev-record.vala
+index 8434d32..68c7f8e 100644
+--- a/src/umockdev-record.vala
++++ b/src/umockdev-record.vala
+@@ -435,7 +435,7 @@ main (string[] args)
+         preload = "";
+     else
+         preload = preload + ":";
+-    Environment.set_variable("LD_PRELOAD", preload + "libumockdev-preload.so.0", true);
++    Environment.set_variable("LD_PRELOAD", preload + Config.LIBDIR + "/libumockdev-preload.so.0", true);
+ 
+     try {
+         root_dir = DirUtils.make_tmp("umockdev.XXXXXX");
+diff --git a/src/umockdev-run.vala b/src/umockdev-run.vala
+index 9a1ba10..6df2522 100644
+--- a/src/umockdev-run.vala
++++ b/src/umockdev-run.vala
+@@ -95,7 +95,7 @@ main (string[] args)
+         preload = "";
+     else
+         preload = preload + ":";
+-    Environment.set_variable ("LD_PRELOAD", preload + "libumockdev-preload.so.0", true);
++    Environment.set_variable ("LD_PRELOAD", preload + Config.LIBDIR + "/libumockdev-preload.so.0", true);
+ 
+     var testbed = new UMockdev.Testbed ();
+ 
+diff --git a/src/umockdev-wrapper b/src/umockdev-wrapper
+index 6ce4dcd..706c49a 100755
+--- a/src/umockdev-wrapper
++++ b/src/umockdev-wrapper
+@@ -1,5 +1,5 @@
+ #!/bin/sh
+ # Wrapper program to preload the libumockdev library, so that test programs can
+ # set $UMOCKDEV_DIR for redirecting sysfs and other queries to a test bed.
+-exec env LD_PRELOAD=libumockdev-preload.so.0:$LD_PRELOAD "$@"
++exec env LD_PRELOAD=@LIBDIR@/libumockdev-preload.so.0:$LD_PRELOAD "$@"
+ 

pkgs/development/libraries/wolfssl/default.nix

@@ -7,13 +7,13 @@
 
 stdenv.mkDerivation rec {
   pname = "wolfssl";
-  version = "5.2.0";
+  version = "5.3.0";
 
   src = fetchFromGitHub {
     owner = "wolfSSL";
     repo = "wolfssl";
     rev = "v${version}-stable";
-    sha256 = "1xdhbhn31q7waw7w158hz9n0vj76zlfn5njq7hncf73ks38drj6k";
+    sha256 = "sha256-KteArWAgDohlqEYaNfzLPuBn6uy5ABA8vV/LRCVIPGA=";
   };
 
   postPatch = ''

pkgs/development/python-modules/aioairzone/default.nix

@@ -7,7 +7,7 @@
 
 buildPythonPackage rec {
   pname = "aioairzone";
-  version = "0.3.4";
+  version = "0.4.2";
   format = "setuptools";
 
   disabled = pythonOlder "3.8";
@@ -16,7 +16,7 @@ buildPythonPackage rec {
     owner = "Noltari";
     repo = pname;
     rev = "refs/tags/${version}";
-    hash = "sha256-ENdgaG30Fll5HQOTcghkmqOAiMYEY1aHRIel4Bd25Pk=";
+    hash = "sha256-SPxSIcsDjsT7dZQs1CoU7DstQTxYN1c0qAB+XQjVXlo=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/aiolimiter/default.nix

@@ -0,0 +1,65 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, fetchpatch
+, poetry-core
+, importlib-metadata
+, pytest-asyncio
+, pytestCheckHook
+, pythonOlder
+, toml
+}:
+
+buildPythonPackage rec {
+  pname = "aiolimiter";
+  version = "1.0.0";
+  format = "pyproject";
+
+  disabled = pythonOlder "3.7";
+
+  src = fetchFromGitHub {
+    owner = "mjpieters";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-4wByVZoOLhrXFx9oK19GBmRcjGoJolQ3Gwx9vQV/n8s=";
+  };
+
+  nativeBuildInputs = [
+    poetry-core
+  ];
+
+  propagatedBuildInputs = lib.optionals (pythonOlder "3.8") [
+    importlib-metadata
+  ];
+
+  checkInputs = [
+    pytest-asyncio
+    pytestCheckHook
+    toml
+  ];
+
+  patches = [
+    # Switch to poetry-core, https://github.com/mjpieters/aiolimiter/pull/77
+    (fetchpatch {
+      name = "switch-to-peotry-core.patch";
+      url = "https://github.com/mjpieters/aiolimiter/commit/84a85eff42621b0daff8fcf6bb485db313faae0b.patch";
+      sha256 = "sha256-xUfJwLvMF2Xt/V1bKBFn/fjn1uyw7bGNo9RpWxtyr50=";
+    })
+  ];
+
+  postPatch = ''
+    substituteInPlace tox.ini \
+      --replace " --cov=aiolimiter --cov-config=tox.ini --cov-report term-missing" ""
+  '';
+
+  pythonImportsCheck = [
+    "aiolimiter"
+  ];
+
+  meta = with lib; {
+    description = "Implementation of a rate limiter for asyncio";
+    homepage = "https://github.com/mjpieters/aiolimiter";
+    license = with licenses; [ mit ];
+    maintainers = with maintainers; [ fab ];
+  };
+}

pkgs/development/python-modules/aioslimproto/default.nix

@@ -7,7 +7,7 @@
 
 buildPythonPackage rec {
   pname = "aioslimproto";
-  version = "2.0.0";
+  version = "2.0.1";
   format = "setuptools";
 
   disabled = pythonOlder "3.9";
@@ -16,13 +16,18 @@ buildPythonPackage rec {
     owner = "home-assistant-libs";
     repo = pname;
     rev = version;
-    hash = "sha256-7xFbxWay2aPCBkf3pBUGshROtssbi//PxxsI8ELeS+c=";
+    hash = "sha256-xa0LZGq0di4lnJGVMbb1Un0Ebd4vXRlbkxbatJ9GwB0=";
   };
 
   checkInputs = [
     pytestCheckHook
   ];
 
+  disabledTests = [
+    # AssertionError: assert ['mixer', 'volume', '50'] == ['volume', '50']
+    "test_msg_instantiation"
+  ];
+
   pythonImportsCheck = [
     "aioslimproto"
   ];

pkgs/development/python-modules/androidtv/default.nix

@@ -11,7 +11,7 @@
 
 buildPythonPackage rec {
   pname = "androidtv";
-  version = "0.0.66";
+  version = "0.0.67";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -20,7 +20,7 @@ buildPythonPackage rec {
     owner = "JeffLIrion";
     repo = "python-androidtv";
     rev = "v${version}";
-    hash = "sha256-gSbckVjM49nVfzpk9sfynJDx15+zQ/KgaI7oxEkXQpo=";
+    hash = "sha256-MAlKD2PDQJQaKPiMQDu1CMvn4xnxb8FmeYqzcW4hso0=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/ansible/default.nix

@@ -20,7 +20,7 @@
 
 let
   pname = "ansible";
-  version = "5.7.0";
+  version = "5.7.1";
 in
 buildPythonPackage {
   inherit pname version;
@@ -30,7 +30,7 @@ buildPythonPackage {
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-6AwOdN4XdK2ufAIzskf/crj72LXxBwd9tdC38DcNa4Y=";
+    sha256 = "sha256-kKCaNFENGU1jVWiVoiWonkqLdIua4hW1XlF6N94GOmE=";
   };
 
   postPatch = ''
@@ -78,6 +78,7 @@ buildPythonPackage {
   meta = with lib; {
     description = "Radically simple IT automation";
     homepage = "https://www.ansible.com";
+    changelog = "https://github.com/ansible-community/ansible-build-data/blob/${version}/${lib.versions.major version}/CHANGELOG-v${lib.versions.major version}.rst";
     license = licenses.gpl3Plus;
     maintainers = with maintainers; [ hexa ];
   };

pkgs/development/python-modules/async-upnp-client/default.nix

@@ -14,7 +14,7 @@
 
 buildPythonPackage rec {
   pname = "async-upnp-client";
-  version = "0.28.0";
+  version = "0.29.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -23,7 +23,7 @@ buildPythonPackage rec {
     owner = "StevenLooman";
     repo = "async_upnp_client";
     rev = version;
-    sha256 = "sha256-ZyYIZLIlLQV3Yj4a+M5vZVaTe9lEsrWhBe/g9wzM1TY=";
+    sha256 = "sha256-IzT48ABfk/v8VZJRJEMU/Rsi6mJG4IvtF7HNRv6TLeA=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/awkward/default.nix

@@ -30,7 +30,7 @@ buildPythonPackage rec {
 
   meta = with lib; {
     description = "Manipulate JSON-like data with NumPy-like idioms";
-    homepage = "https://github.com/scikit-hep/awkward-1.0";
+    homepage = "https://github.com/scikit-hep/awkward";
     license = licenses.bsd3;
     maintainers = with maintainers; [ veprbl ];
   };

pkgs/development/python-modules/azure-mgmt-msi/default.nix

@@ -1,16 +1,20 @@
 { lib
 , buildPythonPackage
+, pythonOlder
 , fetchPypi
 , msrest
-, msrestazure
 , azure-common
-, azure-mgmt-nspkg
+, azure-mgmt-core
 }:
 
 buildPythonPackage rec {
   pname = "azure-mgmt-msi";
   version = "6.0.0";
 
+  disabled = pythonOlder "3.6";
+
+  format = "setuptools";
+
   src = fetchPypi {
     inherit pname version;
     extension = "zip";
@@ -19,9 +23,8 @@ buildPythonPackage rec {
 
   propagatedBuildInputs = [
     msrest
-    msrestazure
     azure-common
-    azure-mgmt-nspkg
+    azure-mgmt-core
   ];
 
   pythonNamespaces = [ "azure.mgmt" ];
@@ -29,9 +32,11 @@ buildPythonPackage rec {
   # has no tests
   doCheck = false;
 
+  pythonImportsCheck = [ "azure.mgmt.msi" ];
+
   meta = with lib; {
     description = "This is the Microsoft Azure MSI Management Client Library";
-    homepage = "https://github.com/Azure/azure-sdk-for-python";
+    homepage = "https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/resources/azure-mgmt-msi";
     license = licenses.mit;
     maintainers = with maintainers; [ maxwilson ];
   };

pkgs/development/python-modules/azure-mgmt-resource/default.nix

@@ -8,14 +8,14 @@
 
 
 buildPythonPackage rec {
-  version = "21.0.0";
+  version = "21.1.0";
   pname = "azure-mgmt-resource";
   disabled = !isPy3k;
 
   src = fetchPypi {
     inherit pname version;
     extension = "zip";
-    sha256 = "sha256-y9J/UhxwtA/YO/Y88XsStbwD5ecNwrbnpxtevYuQDQM=";
+    sha256 = "sha256-UpZa3jHNBZ/qKxUT1l/mFgRuQz3g5YPc9cnJvr8+vWk=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/backports-zoneinfo/default.nix

@@ -7,6 +7,7 @@
 , tzdata
 , hypothesis
 , pytestCheckHook
+, fetchpatch
 }:
 
 buildPythonPackage rec {
@@ -22,7 +23,25 @@ buildPythonPackage rec {
     sha256 = "sha256-00xdDOVdDanfsjQTd3yjMN2RFGel4cWRrAA3CvSnl24=";
   };
 
+  # Make sure test data update patch applies
+  prePatch = ''
+    substituteInPlace tests/data/zoneinfo_data.json --replace \"2020a\" \"2021a\"
+  '';
+
   patches = [
+    # Update test suite's test data to zoneinfo 2022a
+    # https://github.com/pganssle/zoneinfo/pull/115
+    (fetchpatch {
+      name = "backports-zoneinfo-2022a-update-test-data1.patch";
+      url = "https://github.com/pganssle/zoneinfo/pull/115/commits/837e2a0f9f1a1332e4233f83e3648fa564a9ec9e.patch";
+      sha256 = "196knwa212mr0b7zsh8papzr3f5mii87gcjjjx1r9zzvmk3g3ri0";
+    })
+    (fetchpatch {
+      name = "backports-zoneinfo-2022a-update-test-data2.patch";
+      url = "https://github.com/pganssle/zoneinfo/pull/115/commits/9fd330265b177916d6182249439bb40d5691eb58.patch";
+      sha256 = "1zxa5bkwi8hbnh4c0qv72wv6vdp5jlxqizfjsc05ymzvwa99cf75";
+    })
+
     (substituteAll {
       name = "zoneinfo-path";
       src = ./zoneinfo.patch;

pkgs/development/python-modules/bond-api/default.nix

@@ -10,7 +10,7 @@
 
 buildPythonPackage rec {
   pname = "bond-api";
-  version = "0.1.16";
+  version = "0.1.17";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -19,7 +19,7 @@ buildPythonPackage rec {
     owner = "prystupa";
     repo = "bond-api";
     rev = "v${version}";
-    sha256 = "1nqf090b14nd7an2n776mb37yskddfnihmas2fy56pxclwvwqr9n";
+    hash = "sha256-fuVYyDy3fG+XobFe2GCzMWRWPk8VDPLU4RHJzcF5MLg=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/databricks-connect/default.nix

@@ -9,14 +9,14 @@
 
 buildPythonPackage rec {
   pname = "databricks-connect";
-  version = "9.1.14";
+  version = "9.1.15";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-l+mTqiQPuPJfGbEVSILpCTlxAka0GeCgIXjMG4Vs82o=";
+    sha256 = "sha256-qXS/hgF2qKUtTfo9UZ5KBa9N0PHJqKA8SC/vgE46LmA=";
   };
 
   sourceRoot = ".";

pkgs/development/python-modules/gcal-sync/default.nix

@@ -0,0 +1,46 @@
+{ lib
+, buildPythonPackage
+, pythonOlder
+, fetchFromGitHub
+, aiohttp
+, pydantic
+, freezegun
+, pytest-aiohttp
+, pytest-asyncio
+, pytestCheckHook
+}:
+
+buildPythonPackage rec {
+  pname = "gcal-sync";
+  version = "0.7.1";
+
+  disabled = pythonOlder "3.9";
+
+  src = fetchFromGitHub {
+    owner = "allenporter";
+    repo = "gcal_sync";
+    rev = version;
+    hash = "sha256-NOB74P+5i63FEeHJsPXRdRgY6iyIUEn7BogbVKm8P5M=";
+  };
+
+  propagatedBuildInputs = [
+    aiohttp
+    pydantic
+  ];
+
+  checkInputs = [
+    freezegun
+    pytest-aiohttp
+    pytest-asyncio
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [ "gcal_sync" ];
+
+  meta = {
+    description = "Python library for syncing Google Calendar to local storage";
+    homepage = "https://github.com/allenporter/gcal_sync";
+    license = lib.licenses.asl20;
+    maintainers = with lib.maintainers; [ dotlambda ];
+  };
+}

pkgs/development/python-modules/globus-sdk/default.nix

@@ -13,7 +13,7 @@
 
 buildPythonPackage rec {
   pname = "globus-sdk";
-  version = "3.7.0";
+  version = "3.8.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.6";
@@ -22,7 +22,7 @@ buildPythonPackage rec {
     owner = "globus";
     repo = "globus-sdk-python";
     rev = "refs/tags/${version}";
-    hash = "sha256-Us3SCkrBPL3v9YCOQ7ceF3neCUZkJTrchYsvCRSX84Y=";
+    hash = "sha256-JaAiAAf0zIJDXXl3zb4UE9XpmjZ8KQiEcZJm1ps+efA=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/impacket/default.nix

@@ -14,14 +14,14 @@
 
 buildPythonPackage rec {
   pname = "impacket";
-  version = "0.9.24";
+  version = "0.10.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-GNVX04f0kU+vpzmBO5FyvD+L2cA26Tv1iajg67cwS7o=";
+    hash = "sha256-uOsCCiy7RxRmac/jHGS7Ln1kmdBJxJPWQYuXFvXHRYM=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/insteon-frontend-home-assistant/default.nix

@@ -0,0 +1,26 @@
+{ lib
+, buildPythonPackage
+, fetchPypi
+}:
+
+buildPythonPackage rec {
+  pname = "insteon-frontend-home-assistant";
+  version = "0.1.0";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "70ee413cae8717416f5add1be7647158d8ff4303942dafccac0792ef44336cdf";
+  };
+
+  # upstream has no tests
+  doCheck = false;
+
+  pythonImportsCheck = [ "insteon_frontend" ];
+
+  meta = {
+    description = "The Insteon frontend for Home Assistant";
+    homepage = "https://github.com/teharris1/insteon-panel";
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ dotlambda ];
+  };
+}

pkgs/development/python-modules/intbitset/default.nix

@@ -2,6 +2,7 @@
 , fetchPypi
 , buildPythonPackage
 , pytestCheckHook
+, pythonOlder
 }:
 
 buildPythonPackage rec {
@@ -9,9 +10,11 @@ buildPythonPackage rec {
   version = "3.0.1";
   format = "setuptools";
 
+  disabled = pythonOlder "3.7";
+
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-8ebQPGcpkioiPFGEnfZbnpFuYlrvuRF4Tn+azUwgfVM=";
+    hash = "sha256-8ebQPGcpkioiPFGEnfZbnpFuYlrvuRF4Tn+azUwgfVM=";
   };
 
   checkInputs = [
@@ -25,7 +28,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "C-based extension implementing fast integer bit sets";
     homepage = "https://github.com/inveniosoftware/intbitset";
-    license = licenses.lgpl3Only;
+    license = licenses.lgpl3Plus;
     maintainers = teams.determinatesystems.members;
   };
 }

pkgs/development/python-modules/ipywidgets/default.nix

@@ -1,43 +1,35 @@
-{ lib
+{ buildPythonPackage
-, buildPythonPackage
 , fetchPypi
-, python
-, nose
-, pytest
-, mock
-, ipython
 , ipykernel
+, ipython
 , jupyterlab-widgets
+, lib
+, nbformat
+, pytestCheckHook
 , traitlets
-, notebook
 , widgetsnbextension
 }:
 
 buildPythonPackage rec {
   pname = "ipywidgets";
   version = "7.7.0";
+  format = "setuptools";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-q0pVloVaiLg3YZIcdocH1l5YRwaBObwXKd3+g0cDVCo=";
+    hash = "sha256-q0pVloVaiLg3YZIcdocH1l5YRwaBObwXKd3+g0cDVCo=";
   };
 
-  # Tests are not distributed
-  # doCheck = false;
-
-  buildInputs = [ nose pytest mock ];
   propagatedBuildInputs = [
     ipython
     ipykernel
     jupyterlab-widgets
     traitlets
-    notebook
+    nbformat
     widgetsnbextension
   ];
 
-  checkPhase = ''
+  checkInputs = [ pytestCheckHook ];
-    ${python.interpreter} -m unittest discover
-  '';
 
   meta = {
     description = "IPython HTML widgets for Jupyter";

pkgs/development/python-modules/meater-python/default.nix

@@ -0,0 +1,37 @@
+{ lib
+, aiohttp
+, buildPythonPackage
+, fetchPypi
+, pythonOlder
+}:
+
+buildPythonPackage rec {
+  pname = "meater-python";
+  version = "0.0.8";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-86XJmKOc2MCyU9v0UAZsPCUL/kAXywOlQOIHaykNF1o=";
+  };
+
+  propagatedBuildInputs = [
+    aiohttp
+  ];
+
+  # Module has no tests
+  doCheck = false;
+
+  pythonImportsCheck = [
+    "meater"
+  ];
+
+  meta = with lib; {
+    description = "Library for the Apption Labs Meater cooking probe";
+    homepage = "https://github.com/Sotolotl/meater-python";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ fab ];
+  };
+}

pkgs/development/python-modules/nbclient/default.nix

@@ -1,9 +1,19 @@
-{ lib, buildPythonPackage, fetchPypi, pythonOlder,
+{ lib
-  async_generator, traitlets, nbformat, nest-asyncio, jupyter-client,
+, buildPythonPackage
-  pytest, xmltodict, nbconvert, ipywidgets
+, fetchPypi
+, pythonOlder
+, async_generator
+, traitlets
+, nbformat
+, nest-asyncio
+, jupyter-client
+, pytestCheckHook
+, xmltodict
+, nbconvert
+, ipywidgets
 }:
 
-buildPythonPackage rec {
+let nbclient = buildPythonPackage rec {
   pname = "nbclient";
   version = "0.6.2";
   format = "setuptools";
@@ -15,14 +25,26 @@ buildPythonPackage rec {
     hash = "sha256-i0dVPxztB3zXxFN/1dcB1G92gfJLKCdeXMHTR+fJtGs=";
   };
 
-  doCheck = false; # Avoid infinite recursion
-  checkInputs = [ pytest xmltodict nbconvert ipywidgets ];
   propagatedBuildInputs = [ async_generator traitlets nbformat nest-asyncio jupyter-client ];
 
+  # circular dependencies if enabled by default
+  doCheck = false;
+
+  checkInputs = [ pytestCheckHook xmltodict nbconvert ipywidgets ];
+
+  preCheck = ''
+    export HOME=$(mktemp -d)
+  '';
+
+  passthru.tests = {
+    check = nbclient.overridePythonAttrs (_: { doCheck = true; });
+  };
+
   meta = with lib; {
     homepage = "https://github.com/jupyter/nbclient";
     description = "A client library for executing notebooks";
     license = licenses.bsd3;
     maintainers = [ maintainers.erictapen ];
   };
-}
+};
+in nbclient

pkgs/development/python-modules/nettigo-air-monitor/default.nix

@@ -12,7 +12,7 @@
 
 buildPythonPackage rec {
   pname = "nettigo-air-monitor";
-  version = "1.2.2";
+  version = "1.2.3";
   format = "setuptools";
 
   disabled = pythonOlder "3.8";
@@ -21,7 +21,7 @@ buildPythonPackage rec {
     owner = "bieniu";
     repo = pname;
     rev = version;
-    sha256 = "sha256-gHgFEDUji43vTBZp5FLK90H+D44sfH2AuCc7Gu2T1pg=";
+    sha256 = "sha256-aCDw3JwX8LVrJp3jYvuYQ3ycRHjSnWU0n1LdTjV08VA=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/notify-events/default.nix

@@ -0,0 +1,34 @@
+{ lib
+, buildPythonPackage
+, fetchPypi
+, requests
+}:
+
+buildPythonPackage rec {
+  pname = "notify-events";
+  version = "1.1.3";
+
+  format = "setuptools";
+
+  src = fetchPypi {
+    pname = "notify_events";
+    inherit version;
+    sha256 = "e63ba935c3300ff7f48cba115f7cb4474906e83c2e9b60b95a0881eb949701e7";
+  };
+
+  propagatedBuildInputs = [
+    requests
+  ];
+
+  # upstream has no tests
+  doCheck = false;
+
+  pythonImportsCheck = [ "notify_events" ];
+
+  meta = {
+    description = "Python client for Notify.Events";
+    homepage = "https://github.com/notify-events/python";
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ dotlambda ];
+  };
+}

pkgs/development/python-modules/paramiko/default.nix

@@ -14,14 +14,23 @@
 
 buildPythonPackage rec {
   pname = "paramiko";
-  version = "2.10.3";
+  version = "2.10.4";
   format = "setuptools";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-3bGXeFOu+CgEs11yoOWXskT6MmxATDUL0AxbAdv+5xo=";
+    sha256 = "sha256-PS5lC2gSzm0WCr/3AdbvRDTsl5NLE+lc8a09pw/7XFg=";
   };
 
+  patches = [
+    # Fix usage of dsa keys
+    # https://github.com/paramiko/paramiko/pull/1606/
+    (fetchpatch {
+      url = "https://github.com/paramiko/paramiko/commit/18e38b99f515056071fb27b9c1a4f472005c324a.patch";
+      sha256 = "sha256-bPDghPeLo3NiOg+JwD5CJRRLv2VEqmSx1rOF2Tf8ZDA=";
+    })
+  ];
+
   propagatedBuildInputs = [
     bcrypt
     cryptography
@@ -51,15 +60,6 @@ buildPythonPackage rec {
     "paramiko"
   ];
 
-  patches = [
-    # Fix usage of dsa keys
-    # https://github.com/paramiko/paramiko/pull/1606/
-    (fetchpatch {
-      url = "https://github.com/paramiko/paramiko/commit/18e38b99f515056071fb27b9c1a4f472005c324a.patch";
-      sha256 = "sha256-bPDghPeLo3NiOg+JwD5CJRRLv2VEqmSx1rOF2Tf8ZDA=";
-    })
-  ];
-
   __darwinAllowLocalNetworking = true;
 
   meta = with lib; {
@@ -72,6 +72,6 @@ buildPythonPackage rec {
       between python scripts. All major ciphers and hash methods are
       supported. SFTP client and server mode are both supported too.
     '';
-    maintainers = with maintainers; [ ];
+    maintainers = with maintainers; [ SuperSandro2000 ];
   };
 }

pkgs/development/python-modules/plugwise/default.nix

@@ -13,27 +13,25 @@
 , pytest-asyncio
 , pytestCheckHook
 , python-dateutil
+, pythonOlder
 , pytz
 , semver
 }:
 
 buildPythonPackage rec {
   pname = "plugwise";
-  version = "0.17.8";
+  version = "0.18.0";
   format = "setuptools";
 
+  disabled = pythonOlder "3.7";
+
   src = fetchFromGitHub {
     owner = pname;
     repo = "python-plugwise";
     rev = "refs/tags/v${version}";
-    sha256 = "sha256-ZNlkdubB6E5ak+EaXsEBGa1xpm5ms4Rp3DG/M4/+WOg=";
+    sha256 = "sha256-kpEs5LvUz61Wm2IUI6sNXx2R+vtuHq1Y6aaj+zLrr+Q=";
   };
 
-  postPatch = ''
-    substituteInPlace setup.py \
-      --replace "aiohttp==3.8.0" "aiohttp>=3.8.0"
-  '';
-
   propagatedBuildInputs = [
     aiohttp
     async-timeout
@@ -54,16 +52,14 @@ buildPythonPackage rec {
     pytestCheckHook
   ];
 
-  pythonImportsCheck = [ "plugwise" ];
+  pythonImportsCheck = [
+    "plugwise"
+  ];
 
   __darwinAllowLocalNetworking = true;
 
   meta = with lib; {
     description = "Python module for Plugwise Smiles, Stretch and USB stick";
-    longDescription = ''
-      XKNX is an asynchronous Python library for reading and writing KNX/IP
-      packets. It provides support for KNX/IP routing and tunneling devices.
-    '';
     homepage = "https://github.com/plugwise/python-plugwise";
     license = with licenses; [ mit ];
     maintainers = with maintainers; [ fab ];

pkgs/development/python-modules/pyahocorasick/default.nix

@@ -3,31 +3,34 @@
 , fetchFromGitHub
 , fetchpatch
 , pytestCheckHook
+, pythonOlder
 }:
 
 buildPythonPackage rec {
   pname = "pyahocorasick";
-  version = "1.4.1";
+  version = "1.4.4";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "WojciechMula";
     repo = pname;
     rev = version;
-    sha256 = "13x3718if28l50474xrz1b9709kvnvdg3nzm6y8bh7mc9a4zyss5";
+    hash = "sha256-X6ifwOwf7GAaNUxInKhR3NX6hKhvFMkvfbK6XpH8CBo=";
   };
 
-  patches = [
+  checkInputs = [
-    # Use proper temporary directory on Hydra
+    pytestCheckHook
-    (fetchpatch {
-      url = "https://github.com/WojciechMula/pyahocorasick/commit/b6549e06f3cced7ffdf4d1b587cd7de12041f495.patch";
-      sha256 = "sha256-v3J/0aIPOnBhLlJ18r/l7O0MckqLOCtcmqIS9ZegaSI=";
-    })
   ];
 
-  checkInputs = [ pytestCheckHook ];
+  pytestFlagsArray = [
+    "unittests.py"
+  ];
 
-  pytestFlagsArray = [ "unittests.py" ];
+  pythonImportsCheck = [
-  pythonImportsCheck = [ "ahocorasick" ];
+    "ahocorasick"
+  ];
 
   meta = with lib; {
     description = "Python module implementing Aho-Corasick algorithm";

pkgs/development/python-modules/pychromecast/default.nix

@@ -10,7 +10,7 @@
 
 buildPythonPackage rec {
   pname = "pychromecast";
-  version = "11.0.0";
+  version = "12.0.0";
   format = "setuptools";
 
   disabled = !isPy3k;
@@ -18,7 +18,7 @@ buildPythonPackage rec {
   src = fetchPypi {
     pname = "PyChromecast";
     inherit version;
-    sha256 = "sha256-FRcjsXgRAFK2c7h2WhIMhdFurowi11V13O6+K+HrHvY=";
+    sha256 = "sha256-asvEJix8/3glVhenll/rlTwSZdX0LRPMX4uCSURohJ4=";
   };
 
   propagatedBuildInputs = [