Merge master into staging-next

lib/licenses.nix

@@ -593,6 +593,11 @@ in mkLicense lset) ({
     fullName = "PNG Reference Library version 2";
   };
 
+  libssh2 = {
+    fullName = "libssh2 License";
+    url = "https://www.libssh2.org/license.html";
+  };
+
   libtiff = {
     spdxId = "libtiff";
     fullName = "libtiff License";

nixos/doc/manual/from_md/release-notes/rl-2211.section.xml

@@ -268,6 +268,13 @@
           <link linkend="opt-services.alps.enable">services.alps</link>.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/shizunge/endlessh-go">endlessh-go</link>,
+          an SSH tarpit that exposes Prometheus metrics. Available as
+          <link linkend="opt-services.endlessh-go.enable">services.endlessh-go</link>.
+        </para>
+      </listitem>
       <listitem>
         <para>
           <link xlink:href="https://netbird.io">netbird</link>, a zero

nixos/doc/manual/release-notes/rl-2211.section.md

@@ -95,6 +95,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [alps](https://git.sr.ht/~migadu/alps), a simple and extensible webmail. Available as [services.alps](#opt-services.alps.enable).
 
+- [endlessh-go](https://github.com/shizunge/endlessh-go), an SSH tarpit that exposes Prometheus metrics. Available as [services.endlessh-go](#opt-services.endlessh-go.enable).
+
 - [netbird](https://netbird.io), a zero configuration VPN.
   Available as [services.netbird](options.html#opt-services.netbird.enable).
 

nixos/modules/module-list.nix

@@ -1004,6 +1004,7 @@
   ./services/security/certmgr.nix
   ./services/security/cfssl.nix
   ./services/security/clamav.nix
+  ./services/security/endlessh-go.nix
   ./services/security/fail2ban.nix
   ./services/security/fprintd.nix
   ./services/security/haka.nix

nixos/modules/services/security/endlessh-go.nix

@@ -0,0 +1,138 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.endlessh-go;
+in
+{
+  options.services.endlessh-go = {
+    enable = mkEnableOption (mdDoc "endlessh-go service");
+
+    listenAddress = mkOption {
+      type = types.str;
+      default = "0.0.0.0";
+      example = "[::]";
+      description = mdDoc ''
+        Interface address to bind the endlessh-go daemon to SSH connections.
+      '';
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 2222;
+      example = 22;
+      description = mdDoc ''
+        Specifies on which port the endlessh-go daemon listens for SSH
+        connections.
+
+        Setting this to `22` may conflict with {option}`services.openssh`.
+      '';
+    };
+
+    prometheus = {
+      enable = mkEnableOption (mdDoc "Prometheus integration");
+
+      listenAddress = mkOption {
+        type = types.str;
+        default = "0.0.0.0";
+        example = "[::]";
+        description = mdDoc ''
+          Interface address to bind the endlessh-go daemon to answer Prometheus
+          queries.
+        '';
+      };
+
+      port = mkOption {
+        type = types.port;
+        default = 2112;
+        example = 9119;
+        description = mdDoc ''
+          Specifies on which port the endlessh-go daemon listens for Prometheus
+          queries.
+        '';
+      };
+    };
+
+    extraOptions = mkOption {
+      type = with types; listOf str;
+      default = [ ];
+      example = [ "-conn_type=tcp4" "-max_clients=8192" ];
+      description = mdDoc ''
+        Additional command line options to pass to the endlessh-go daemon.
+      '';
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = lib.mdDoc ''
+        Whether to open a firewall port for the SSH listener.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.endlessh-go = {
+      description = "SSH tarpit";
+      requires = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig =
+        let
+          needsPrivileges = cfg.port < 1024 || cfg.prometheus.port < 1024;
+          capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ];
+          rootDirectory = "/run/endlessh-go";
+        in
+        {
+          Restart = "always";
+          ExecStart = with cfg; concatStringsSep " " ([
+            "${pkgs.endlessh-go}/bin/endlessh-go"
+            "-logtostderr"
+            "-host=${listenAddress}"
+            "-port=${toString port}"
+          ] ++ optionals prometheus.enable [
+            "-enable_prometheus"
+            "-prometheus_host=${prometheus.listenAddress}"
+            "-prometheus_port=${toString prometheus.port}"
+          ] ++ extraOptions);
+          DynamicUser = true;
+          RootDirectory = rootDirectory;
+          BindReadOnlyPaths = [ builtins.storeDir ];
+          InaccessiblePaths = [ "-+${rootDirectory}" ];
+          RuntimeDirectory = baseNameOf rootDirectory;
+          RuntimeDirectoryMode = "700";
+          AmbientCapabilities = capabilities;
+          CapabilityBoundingSet = capabilities;
+          UMask = "0077";
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          PrivateUsers = !needsPrivileges;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectSystem = "strict";
+          ProtectProc = "noaccess";
+          ProcSubset = "pid";
+          RemoveIPC = true;
+          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
+        };
+    };
+
+    networking.firewall.allowedTCPPorts = with cfg;
+      optionals openFirewall [ port prometheus.port ];
+  };
+
+  meta.maintainers = with maintainers; [ azahi ];
+}

nixos/tests/all-tests.nix

@@ -180,6 +180,7 @@ in {
   ejabberd = handleTest ./xmpp/ejabberd.nix {};
   elk = handleTestOn ["x86_64-linux"] ./elk.nix {};
   emacs-daemon = handleTest ./emacs-daemon.nix {};
+  endlessh-go = handleTest ./endlessh-go.nix {};
   engelsystem = handleTest ./engelsystem.nix {};
   enlightenment = handleTest ./enlightenment.nix {};
   env = handleTest ./env.nix {};

nixos/tests/endlessh-go.nix

@@ -0,0 +1,58 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }:
+{
+  name = "endlessh-go";
+  meta.maintainers = with lib.maintainers; [ azahi ];
+
+  nodes = {
+    server = { ... }: {
+      services.endlessh-go = {
+        enable = true;
+        prometheus.enable = true;
+        openFirewall = true;
+      };
+
+      specialisation = {
+        unprivileged.configuration = {
+          services.endlessh-go = {
+            port = 2222;
+            prometheus.port = 9229;
+          };
+        };
+
+        privileged.configuration = {
+          services.endlessh-go = {
+            port = 22;
+            prometheus.port = 92;
+          };
+        };
+      };
+    };
+
+    client = { pkgs, ... }: {
+      environment.systemPackages = with pkgs; [ curl netcat ];
+    };
+  };
+
+  testScript = ''
+    def activate_specialisation(name: str):
+        server.succeed(f"/run/booted-system/specialisation/{name}/bin/switch-to-configuration test >&2")
+
+    start_all()
+
+    with subtest("Unprivileged"):
+        activate_specialisation("unprivileged")
+        server.wait_for_unit("endlessh-go.service")
+        server.wait_for_open_port(2222)
+        server.wait_for_open_port(9229)
+        client.succeed("nc -dvW5 server 2222")
+        client.succeed("curl -kv server:9229/metrics")
+
+    with subtest("Privileged"):
+        activate_specialisation("privileged")
+        server.wait_for_unit("endlessh-go.service")
+        server.wait_for_open_port(22)
+        server.wait_for_open_port(92)
+        client.succeed("nc -dvW5 server 22")
+        client.succeed("curl -kv server:92/metrics")
+  '';
+})

nixos/tests/seafile.nix

@@ -79,18 +79,14 @@ import ./make-test-python.nix ({ pkgs, ... }:
               f"seaf-cli download -l {libid} -s http://server -u admin\@example.com -p seafile_password -d . >&2"
           )
 
-          client1.sleep(3)
-
-          client1.succeed("seaf-cli status |grep synchronized >&2")
+          client1.wait_until_succeeds("seaf-cli status |grep synchronized >&2")
 
           client1.succeed("ls -la >&2")
           client1.succeed("ls -la test01 >&2")
 
           client1.execute("echo bla > test01/first_file")
 
-          client1.sleep(2)
-
-          client1.succeed("seaf-cli status |grep synchronized >&2")
+          client1.wait_until_succeeds("seaf-cli status |grep synchronized >&2")
 
       with subtest("client2 sync"):
           client2.wait_for_unit("default.target")
@@ -110,9 +106,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
               f"seaf-cli download -l {libid} -s http://server -u admin\@example.com -p seafile_password -d . >&2"
           )
 
-          client2.sleep(3)
-
-          client2.succeed("seaf-cli status |grep synchronized >&2")
+          client2.wait_until_succeeds("seaf-cli status |grep synchronized >&2")
 
           client2.succeed("ls -la test01 >&2")
 

pkgs/applications/audio/audacity/default.nix

@@ -13,6 +13,7 @@
 , libjack2
 , lv2
 , lilv
+, mpg123
 , serd
 , sord
 , sqlite
@@ -45,52 +46,36 @@
 , libsepol
 , libxkbcommon
 , util-linux
-, wxGTK
+, wavpack
+, wxGTK32
+, gtk3
 , libpng
 , libjpeg
-, AppKit ? null
-, AudioToolbox ? null
-, AudioUnit ? null
-, Carbon ? null
-, Cocoa ? null
-, CoreAudio ? null
-, CoreAudioKit ? null
-, CoreServices ? null
-, wxmac
+, AppKit
+, AudioToolbox
+, AudioUnit
+, Carbon
+, CoreAudio
+, CoreAudioKit
+, CoreServices
 }:
 
 # TODO
-# 1. as of 3.0.2, GTK2 is still the recommended version ref https://www.audacityteam.org/download/source/ check if that changes in future versions
-# 2. detach sbsms
+# 1. detach sbsms
 
 let
   inherit (lib) optionals;
   pname = "audacity";
-  version = "3.1.3";
-
-  wxWidgets_src = fetchFromGitHub {
-    owner = pname;
-    repo = "wxWidgets";
-    rev = "v${version}-${pname}";
-    sha256 = "sha256-KrmYYv23DHBYKIuxMYBioCQ2e4KWdgmuREnimtm0XNU=";
-    fetchSubmodules = true;
-  };
-
-  wxGTK' = wxGTK.overrideAttrs (oldAttrs: rec {
-    src = wxWidgets_src;
-  });
-
-  wxmac' = wxmac.overrideAttrs (oldAttrs: rec {
-    src = wxWidgets_src;
-  });
-in stdenv.mkDerivation rec {
+  version = "3.2.1";
+in
+stdenv.mkDerivation rec {
   inherit pname version;
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = "Audacity-${version}";
-    sha256 = "sha256-sdI4paxIHDZgoWTCekjrkFR4JFpQC6OatcnJdVXCCZk=";
+    sha256 = "sha256-7rfttp9LnfM2LBT5seupPyDckS7LEzWDZoqtLsGgqgI=";
   };
 
   postPatch = ''
@@ -105,9 +90,9 @@ in stdenv.mkDerivation rec {
     gettext
     pkg-config
     python3
+    makeWrapper
   ] ++ optionals stdenv.isLinux [
     linuxHeaders
-    makeWrapper
   ];
 
   buildInputs = [
@@ -115,6 +100,7 @@ in stdenv.mkDerivation rec {
     ffmpeg_4
     file
     flac
+    gtk3
     lame
     libid3tag
     libjack2
@@ -125,6 +111,7 @@ in stdenv.mkDerivation rec {
     libvorbis
     lilv
     lv2
+    mpg123
     pcre
     portmidi
     serd
@@ -136,6 +123,8 @@ in stdenv.mkDerivation rec {
     suil
     twolame
     portaudio
+    wavpack
+    wxGTK32
   ] ++ optionals stdenv.isLinux [
     alsa-lib # for portaudio
     at-spi2-core
@@ -149,12 +138,8 @@ in stdenv.mkDerivation rec {
     libsepol
     libuuid
     util-linux
-    wxGTK'
-    wxGTK'.gtk
   ] ++ optionals stdenv.isDarwin [
-    wxmac'
     AppKit
-    Cocoa
     CoreAudioKit
     AudioUnit AudioToolbox CoreAudio CoreServices Carbon # for portaudio
     libpng
@@ -167,22 +152,33 @@ in stdenv.mkDerivation rec {
     "-DDISABLE_DYNAMIC_LOADING_FFMPEG=ON"
     "-Daudacity_conan_enabled=Off"
     "-Daudacity_use_ffmpeg=loaded"
+    "-Daudacity_has_vst3=Off"
 
     # RPATH of binary /nix/store/.../bin/... contains a forbidden reference to /build/
     "-DCMAKE_SKIP_BUILD_RPATH=ON"
   ];
 
+  # [ 57%] Generating LightThemeAsCeeCode.h...
+  # ../../utils/image-compiler: error while loading shared libraries:
+  # lib-theme.so: cannot open shared object file: No such file or directory
+  preBuild = ''
+    export LD_LIBRARY_PATH=$PWD/utils
+  '';
+
   doCheck = false; # Test fails
 
   # Replace audacity's wrapper, to:
   # - put it in the right place, it shouldn't be in "$out/audacity"
   # - Add the ffmpeg dynamic dependency
   postInstall = lib.optionalString stdenv.isLinux ''
-    rm "$out/audacity"
     wrapProgram "$out/bin/audacity" \
       --prefix LD_LIBRARY_PATH : "$out/lib/audacity":${lib.makeLibraryPath [ ffmpeg_4 ]} \
       --suffix AUDACITY_MODULES_PATH : "$out/lib/audacity/modules" \
       --suffix AUDACITY_PATH : "$out/share/audacity"
+  '' + lib.optionalString stdenv.isDarwin ''
+    mkdir -p $out/{Applications,bin}
+    mv $out/Audacity.app $out/Applications/
+    makeWrapper $out/Applications/Audacity.app/Contents/MacOS/Audacity $out/bin/audacity
   '';
 
   meta = with lib; {
@@ -198,11 +194,9 @@ in stdenv.mkDerivation rec {
       # Documentation.
       cc-by-30
     ];
-    maintainers = with maintainers; [ lheckemann veprbl ];
+    maintainers = with maintainers; [ lheckemann veprbl wegank ];
     platforms = platforms.unix;
-    # darwin-aarch due to qtbase broken for it.
-    # darwin-x86_64 due to
-    # https://logs.nix.ci/?attempt_id=5cbc4581-09b4-4148-82fe-0326411a56b3&key=nixos%2Fnixpkgs.152273.
-    broken = stdenv.isDarwin;
+    # error: unknown type name 'NSAppearanceName'
+    broken = stdenv.isDarwin && stdenv.isx86_64;
   };
 }

pkgs/applications/audio/praat/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "praat";
-  version = "6.2.22";
+  version = "6.2.23";
 
   src = fetchFromGitHub {
     owner = "praat";
     repo = "praat";
     rev = "v${version}";
-    sha256 = "sha256-RE4QDK5x9xG1RsAWB6dgviu3V1ay/+r0vyHCPCu/qCU=";
+    sha256 = "sha256-gl+kT8wXLCWnNmOBx6Vg+FbmJ8kJ8pJKsahpqcYw9Lk=";
   };
 
   configurePhase = ''

pkgs/applications/blockchains/polkadot/default.nix

@@ -10,13 +10,13 @@
 }:
 rustPlatform.buildRustPackage rec {
   pname = "polkadot";
-  version = "0.9.28";
+  version = "0.9.29";
 
   src = fetchFromGitHub {
     owner = "paritytech";
     repo = "polkadot";
     rev = "v${version}";
-    sha256 = "sha256-PYPNbysk9jHGtAUGr8O/Ah0ArTNKQYYToR5djG+XujI=";
+    sha256 = "sha256-/IJs3153KzhGf5I6LueljzRhDl/PYYlPseF6wCh+u3M=";
 
     # the build process of polkadot requires a .git folder in order to determine
     # the git commit hash that is being built and add it to the version string.
@@ -32,7 +32,7 @@ rustPlatform.buildRustPackage rec {
     '';
   };
 
-  cargoSha256 = "sha256-Dqcjt3yvZdaHp6sIQFo9wYH/icIInyXqKHE1Q/JjrwY=";
+  cargoSha256 = "sha256-mI8VvTlM9ynstDBC0ubQkzg3D2ZXuWqJGS/Y23D6dU0=";
 
   buildInputs = lib.optional stdenv.isDarwin [ Security ];
 

pkgs/applications/editors/vim/plugins/overrides.nix

@@ -359,6 +359,10 @@ self: super: {
     };
   });
 
+  flit-nvim = super.flit-nvim.overrideAttrs (old: {
+    dependencies = with self; [ leap-nvim ];
+  });
+
   forms = super.forms.overrideAttrs (old: {
     dependencies = with self; [ self.self ];
   });
@@ -522,6 +526,10 @@ self: super: {
     dependencies = with self; [ nvim-lspconfig plenary-nvim ];
   });
 
+  leap-ast-nvim = super.leap-ast-nvim.overrideAttrs (old: {
+    dependencies = with self; [ leap-nvim nvim-treesitter ];
+  });
+
   lens-vim = super.lens-vim.overrideAttrs (old: {
     # remove duplicate g:lens#animate in doc/lens.txt
     # https://github.com/NixOS/nixpkgs/pull/105810#issuecomment-740007985

pkgs/applications/editors/vim/plugins/vim-plugin-names

@@ -214,6 +214,7 @@ https://github.com/rhysd/devdocs.vim/,,
 https://github.com/vmchale/dhall-vim/,,
 https://github.com/onsails/diaglist.nvim/,,
 https://github.com/nvim-lua/diagnostic-nvim/,,
+https://github.com/monaqa/dial.nvim/,HEAD,
 https://github.com/sindrets/diffview.nvim/,,
 https://github.com/direnv/direnv.vim/,,
 https://github.com/doki-theme/doki-theme-vim/,,
@@ -238,6 +239,7 @@ https://github.com/wincent/ferret/,,
 https://github.com/j-hui/fidget.nvim/,,
 https://github.com/bogado/file-line/,,
 https://github.com/andviro/flake8-vim/,,
+https://github.com/ggandor/flit.nvim/,HEAD,
 https://github.com/ncm2/float-preview.nvim/,,
 https://github.com/fhill2/floating.nvim/,,
 https://github.com/floobits/floobits-neovim/,,
@@ -327,6 +329,8 @@ https://github.com/latex-box-team/latex-box/,,
 https://github.com/kdheepak/lazygit.nvim/,,
 https://github.com/Julian/lean.nvim/,,
 https://github.com/leanprover/lean.vim/,,
+https://github.com/ggandor/leap-ast.nvim/,HEAD,
+https://github.com/ggandor/leap.nvim/,HEAD,
 https://github.com/mrjones2014/legendary.nvim/,HEAD,
 https://github.com/camspiers/lens.vim/,,
 https://github.com/thirtythreeforty/lessspace.vim/,,
@@ -348,6 +352,7 @@ https://github.com/ldelossa/litee-calltree.nvim/,,
 https://github.com/ldelossa/litee-filetree.nvim/,,
 https://github.com/ldelossa/litee-symboltree.nvim/,,
 https://github.com/ldelossa/litee.nvim/,,
+https://github.com/smjonas/live-command.nvim/,HEAD,
 https://github.com/folke/lsp-colors.nvim/,,
 https://github.com/lukas-reineke/lsp-format.nvim/,HEAD,
 https://github.com/lvimuser/lsp-inlayhints.nvim/,HEAD,

pkgs/applications/emulators/retroarch/cores.nix

@@ -204,6 +204,14 @@ in
     makefile = "Makefile";
   };
 
+  beetle-supafaust = mkLibRetroCore {
+    core = "mednafen-supafaust";
+    src = getCoreSrc "beetle-supafaust";
+    description = "Port of Mednafen's experimental snes_faust core to libretro";
+    license = lib.licenses.gpl2Plus;
+    makefile = "Makefile";
+  };
+
   beetle-supergrafx = mkLibRetroCore {
     core = "mednafen-supergrafx";
     src = getCoreSrc "beetle-supergrafx";

pkgs/applications/emulators/retroarch/default.nix

@@ -129,12 +129,7 @@ stdenv.mkDerivation rec {
 
   # Workaround for the following error affecting newer versions of Clang:
   # ./config.def.h:xxx:x: error: 'TARGET_OS_TV' is not defined, evaluates to 0 [-Werror,-Wundef-prefix=TARGET_OS_]
-  NIX_CFLAGS_COMPILE = lib.optionals stdenv.cc.isClang [ "-Wno-undef-prefix" ]
-    # Workaround build failure on -fno-common toolchains:
-    #   duplicate symbol '_apple_platform' in:ui_cocoa.o cocoa_common.o
-    # TODO: drop when upstream gets a fix for it:
-    #   https://github.com/libretro/RetroArch/issues/14025
-    ++ lib.optionals stdenv.isDarwin [ "-fcommon" ];
+  NIX_CFLAGS_COMPILE = lib.optionals stdenv.cc.isClang [ "-Wno-undef-prefix" ];
 
   passthru.tests = nixosTests.retroarch;
 
@@ -145,5 +140,9 @@ stdenv.mkDerivation rec {
     platforms = platforms.unix;
     changelog = "https://github.com/libretro/RetroArch/blob/v${version}/CHANGES.md";
     maintainers = with maintainers; teams.libretro.members ++ [ matthewbauer kolbycrouch ];
+    # FIXME: error while building in macOS:
+    # "Undefined symbols for architecture <arch>"
+    # See also retroarch/wrapper.nix that is also broken in macOS
+    broken = stdenv.isDarwin;
   };
 }

pkgs/applications/emulators/retroarch/hashes.json

@@ -53,6 +53,12 @@
         "rev": "d770563fc3c4bd9abb522952cefb4aa923ba0b91",
         "sha256": "zHPtfgp9hc8Q4gXJ5VgfJLWLeYjCsQhkfU1T5RM7AL0="
     },
+    "beetle-supafaust": {
+        "owner": "libretro",
+        "repo": "supafaust",
+        "rev": "85b5527231a6ad6f9475c15c8ff1b9d16884cd30",
+        "sha256": "6ynxRfGYlp7Fuq3XT2uHsR9Uwu7WMIYjclLc0Pf/qNM="
+    },
     "beetle-supergrafx": {
         "owner": "libretro",
         "repo": "beetle-supergrafx-libretro",

pkgs/applications/emulators/retroarch/update_cores.py

@@ -18,6 +18,7 @@ CORES = {
     "beetle-psx": {"repo": "beetle-psx-libretro"},
     "beetle-saturn": {"repo": "beetle-saturn-libretro"},
     "beetle-snes": {"repo": "beetle-bsnes-libretro"},
+    "beetle-supafaust": {"repo": "supafaust"},
     "beetle-supergrafx": {"repo": "beetle-supergrafx-libretro"},
     "beetle-vb": {"repo": "beetle-vb-libretro"},
     "beetle-wswan": {"repo": "beetle-wswan-libretro"},

pkgs/applications/emulators/retroarch/wrapper.nix

@@ -34,7 +34,7 @@ stdenv.mkDerivation {
       The following cores are included:
       ${lib.concatStringsSep "\n" (map (x: "  - ${x.name}") cores)}
     '';
-    # FIXME: exits with error on macOS:
+    # FIXME: exit with error on macOS:
     # No Info.plist file in application bundle or no NSPrincipalClass in the Info.plist file, exiting
     broken = stdenv.isDarwin;
   };

pkgs/applications/misc/1password-gui/darwin.nix

@@ -0,0 +1,21 @@
+{ stdenv
+, pname
+, version
+, src
+, meta
+, unzip
+, undmg
+}:
+
+stdenv.mkDerivation {
+  inherit pname version src meta;
+
+  nativeBuildInputs = [ unzip undmg ];
+
+  sourceRoot = ".";
+
+  installPhase = ''
+    mkdir -p $out/Applications
+    cp -r *.app $out/Applications
+  '';
+}

pkgs/applications/misc/1password-gui/default.nix

@@ -1,144 +1,58 @@
-{ lib
-, stdenv
+{ stdenv
+, callPackage
+, channel ? "stable"
 , fetchurl
-, makeWrapper
-, wrapGAppsHook
-, alsa-lib
-, at-spi2-atk
-, at-spi2-core
-, atk
-, cairo
-, cups
-, dbus
-, expat
-, gdk-pixbuf
-, glib
-, gtk3
-, libX11
-, libXcomposite
-, libXdamage
-, libXext
-, libXfixes
-, libXrandr
-, libdrm
-, libxcb
-, libxkbcommon
-, libxshmfence
-, libGL
-, libappindicator-gtk3
-, mesa
-, nspr
-, nss
-, pango
-, systemd
-, udev
-, xdg-utils
+, lib
+# This is only relevant for Linux, so we need to pass it through
+, polkitPolicyOwners ? [ ] }:
 
-  # The 1Password polkit file requires a list of users for whom polkit
-  # integrations should be enabled. This should be a list of strings that
-  # correspond to usernames.
-, polkitPolicyOwners ? []
-}:
 let
-  # Convert the polkitPolicyOwners variable to a polkit-compatible string for the polkit file.
-  policyOwners = lib.concatStringsSep " " (map (user: "unix-user:${user}") polkitPolicyOwners);
 
-in stdenv.mkDerivation rec {
   pname = "1password";
-  version = "8.9.4";
+  version = if channel == "stable" then "8.9.4" else "8.9.6-30.BETA";
 
-  src =
-    if stdenv.hostPlatform.isAarch64 then
-      fetchurl {
-        url = "https://downloads.1password.com/linux/tar/stable/aarch64/1password-${version}.arm64.tar.gz";
-        sha256 = "sha256-SJDUfAFEwYnOR+y/6Dg2S/CkA84QogoRpMXOPP5PyrM=";
-      }
-    else
-      fetchurl {
+  sources = {
+    stable = {
+      x86_64-linux = {
         url = "https://downloads.1password.com/linux/tar/stable/x86_64/1password-${version}.x64.tar.gz";
         sha256 = "sha256-Smq0gOGfBTjIOMwF1AI+TJwXaIiTi/YP9mGIqcjsCNQ=";
       };
+      aarch64-linux = {
+        url = "https://downloads.1password.com/linux/tar/stable/aarch64/1password-${version}.arm64.tar.gz";
+        sha256 = "sha256-SJDUfAFEwYnOR+y/6Dg2S/CkA84QogoRpMXOPP5PyrM=";
+      };
+      x86_64-darwin = {
+        url = "https://downloads.1password.com/mac/1Password-${version}-x86_64.zip";
+        sha256 = "sha256-+2FQQ5FiB0N30JM/Mtnfa04K2XZaf3r/W1+i8VKNslA=";
+      };
+      aarch64-darwin = {
+        url = "https://downloads.1password.com/mac/1Password-${version}-aarch64.zip";
+        sha256 = "sha256-nhocEwtr6cMSSStPa7S+g8SwPStJVWPblA3HbqJ8q6Q=";
+      };
+    };
+    beta = {
+      x86_64-linux = {
+        url = "https://downloads.1password.com/linux/tar/beta/x86_64/1password-${version}.x64.tar.gz";
+        sha256 = "sha256-xBfpBkYff1X26Iu0Ee03lIiR6UdJOiaG+kZMVotG0Hc=";
+      };
+      aarch64-linux = {
+        url = "https://downloads.1password.com/linux/tar/beta/aarch64/1password-${version}.arm64.tar.gz";
+        sha256 = "0j0v90i78y1m77gpn65iyjdy1xslv1mar1ihxj9jzcmva0nmdmra";
+      };
+      x86_64-darwin = {
+        url = "https://downloads.1password.com/mac/1Password-${version}-x86_64.zip";
+        sha256 = "sha256-PNlEBFoIGYkDR4TzbudsqAE5vjbiVHTNL7XoflN+mUY=";
+      };
+      aarch64-darwin = {
+        url = "https://downloads.1password.com/mac/1Password-${version}-aarch64.zip";
+        sha256 = "sha256-PYS0N4VeUjNhCncSDXvpyLuHlpv4nn35aJTPANdMXwk=";
+      };
+    };
+  };
 
-  nativeBuildInputs = [ makeWrapper wrapGAppsHook ];
-  buildInputs = [ glib ];
-
-  dontConfigure = true;
-  dontBuild = true;
-  dontPatchELF = true;
-  dontWrapGApps = true;
-
-  installPhase =
-    let rpath = lib.makeLibraryPath [
-      alsa-lib
-      at-spi2-atk
-      at-spi2-core
-      atk
-      cairo
-      cups
-      dbus
-      expat
-      gdk-pixbuf
-      glib
-      gtk3
-      libX11
-      libXcomposite
-      libXdamage
-      libXext
-      libXfixes
-      libXrandr
-      libdrm
-      libxcb
-      libxkbcommon
-      libxshmfence
-      libGL
-      libappindicator-gtk3
-      mesa
-      nspr
-      nss
-      pango
-      systemd
-    ] + ":${stdenv.cc.cc.lib}/lib64";
-    in ''
-      runHook preInstall
-
-      mkdir -p $out/bin $out/share/1password
-      cp -a * $out/share/1password
-
-      # Desktop file
-      install -Dt $out/share/applications resources/${pname}.desktop
-      substituteInPlace $out/share/applications/${pname}.desktop \
-        --replace 'Exec=/opt/1Password/${pname}' 'Exec=${pname}'
-
-      '' + (lib.optionalString (polkitPolicyOwners != [ ])
-      ''
-      # Polkit file
-        mkdir -p $out/share/polkit-1/actions
-        substitute com.1password.1Password.policy.tpl $out/share/polkit-1/actions/com.1password.1Password.policy --replace "\''${POLICY_OWNERS}" "${policyOwners}"
-        '') + ''
-
-      # Icons
-      cp -a resources/icons $out/share
-
-      interp="$(cat $NIX_CC/nix-support/dynamic-linker)"
-      patchelf --set-interpreter $interp $out/share/1password/{1password,1Password-BrowserSupport,1Password-KeyringHelper,op-ssh-sign}
-      patchelf --set-rpath ${rpath}:$out/share/1password $out/share/1password/{1password,1Password-BrowserSupport,1Password-KeyringHelper,op-ssh-sign}
-      for file in $(find $out -type f -name \*.so\* ); do
-        patchelf --set-rpath ${rpath}:$out/share/1password $file
-      done
-
-      runHook postInstall
-    '';
-
-  preFixup = ''
-    # Electron is trying to open udev via dlopen()
-    # and for some reason that doesn't seem to be impacted from the rpath.
-    # Adding udev to LD_LIBRARY_PATH fixes that.
-    # Make xdg-open overrideable at runtime.
-    makeWrapper $out/share/1password/1password $out/bin/1password \
-      ''${gappsWrapperArgs[@]} \
-      --suffix PATH : ${lib.makeBinPath [ xdg-utils ]} \
-      --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ udev ]}
-  '';
+  src = fetchurl {
+    inherit (sources.${channel}.${stdenv.system}) url sha256;
+  };
 
   meta = with lib; {
     description = "Multi-platform password manager";
@@ -146,6 +60,9 @@ in stdenv.mkDerivation rec {
     sourceProvenance = with sourceTypes; [ binaryNativeCode ];
     license = licenses.unfree;
     maintainers = with maintainers; [ timstott savannidgerinel maxeaubrey sebtm ];
-    platforms = [ "x86_64-linux" "aarch64-linux" ];
+    platforms = builtins.attrNames sources.${channel};
   };
-}
+
+in if stdenv.isDarwin
+then callPackage ./darwin.nix { inherit pname version src meta; }
+else callPackage ./linux.nix { inherit pname version src meta polkitPolicyOwners; }

pkgs/applications/misc/1password-gui/linux.nix

@@ -1,6 +1,9 @@
 { lib
 , stdenv
-, fetchurl
+, pname
+, version
+, src
+, meta
 , makeWrapper
 , wrapGAppsHook
 , alsa-lib
@@ -43,21 +46,8 @@ let
   # Convert the polkitPolicyOwners variable to a polkit-compatible string for the polkit file.
   policyOwners = lib.concatStringsSep " " (map (user: "unix-user:${user}") polkitPolicyOwners);
 
-in stdenv.mkDerivation rec {
-  pname = "1password";
-  version = "8.9.6-30.BETA";
-
-  src =
-    if stdenv.hostPlatform.isAarch64 then
-      fetchurl {
-        url = "https://downloads.1password.com/linux/tar/beta/aarch64/1password-${version}.arm64.tar.gz";
-        sha256 = "0j0v90i78y1m77gpn65iyjdy1xslv1mar1ihxj9jzcmva0nmdmra";
-      }
-    else
-      fetchurl {
-        url = "https://downloads.1password.com/linux/tar/beta/x86_64/1password-${version}.x64.tar.gz";
-        sha256 = "sha256-xBfpBkYff1X26Iu0Ee03lIiR6UdJOiaG+kZMVotG0Hc=";
-      };
+in stdenv.mkDerivation {
+  inherit pname version src meta;
 
   nativeBuildInputs = [ makeWrapper wrapGAppsHook ];
   buildInputs = [ glib ];
@@ -139,14 +129,4 @@ in stdenv.mkDerivation rec {
       --suffix PATH : ${lib.makeBinPath [ xdg-utils ]} \
       --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ udev ]}
   '';
-
-
-  meta = with lib; {
-    description = "Multi-platform password manager";
-    homepage = "https://1password.com/";
-    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
-    license = licenses.unfree;
-    maintainers = with maintainers; [ timstott savannidgerinel maxeaubrey sebtm ];
-    platforms = [ "x86_64-linux" "aarch64-linux" ];
-  };
 }

pkgs/applications/networking/browsers/qutebrowser/default.nix

@@ -1,5 +1,5 @@
-{ stdenv, lib, fetchurl, fetchzip, python3
-, mkDerivationWith, wrapQtAppsHook, wrapGAppsHook, qtbase, qtwebengine, glib-networking
+{ stdenv, lib, fetchurl, fetchzip, fetchFromGitHub, python3
+, wrapQtAppsHook, glib-networking
 , asciidoc, docbook_xml_dtd_45, docbook_xsl, libxml2
 , libxslt, gst_all_1 ? null
 , withPdfReader      ? true
@@ -7,35 +7,56 @@
 , backend            ? "webengine"
 , pipewireSupport    ? stdenv.isLinux
 , pipewire_0_2
-}:
+, qtwayland
+, mkDerivationWith ? null
+, qtbase ? null
+, qtwebengine ? null
+, wrapGAppsHook ? null
+}: let
+  isQt6 = mkDerivationWith == null;
 
-assert withMediaPlayback -> gst_all_1 != null;
-
-let
   python3Packages = python3.pkgs;
   pdfjs = let
     version = "2.14.305";
   in
-  fetchzip rec {
+  fetchzip {
     url = "https://github.com/mozilla/pdf.js/releases/download/v${version}/pdfjs-${version}-dist.zip";
     hash = "sha256-E7t+0AUndrgi4zfJth0w28RmWLqLyXMUCnueNf/gNi4=";
     stripRoot = false;
   };
 
   backendPackage =
-   if backend == "webengine" then python3Packages.pyqtwebengine else
+   if backend == "webengine" then if isQt6 then python3Packages.pyqt6-webengine else python3Packages.pyqtwebengine else
    if backend == "webkit"    then python3Packages.pyqt5_with_qtwebkit else
    throw ''
      Unknown qutebrowser backend "${backend}".
      Valid choices are qtwebengine (recommended) or qtwebkit.
    '';
 
-in mkDerivationWith python3Packages.buildPythonApplication rec {
+  buildPythonApplication = if isQt6 then python3Packages.buildPythonApplication else mkDerivationWith python3Packages.buildPythonApplication;
+
   pname = "qutebrowser";
-  version = "2.5.2";
+  version = if isQt6 then "unstable-2022-09-16" else "2.5.2";
 
+in
+
+assert withMediaPlayback -> gst_all_1 != null;
+assert isQt6 -> backend != "webkit";
+
+buildPythonApplication {
+  inherit pname version;
+
+  src = if isQt6 then
+    # comes from qt6-v2 branch of upstream
+    # https://github.com/qutebrowser/qutebrowser/issues/7202
+    fetchFromGitHub {
+      owner = "qutebrowser";
+      repo = "qutebrowser";
+      rev = "5e11e6c7d413cf5c77056ba871a545aae1cfd66a";
+      sha256 = "sha256-5HNzPO07lUQe/Q3Nb4JiS9kb9GMQ5/FqM5029vLNNWo=";
+    }
   # the release tarballs are different from the git checkout!
-  src = fetchurl {
+   else fetchurl {
     url = "https://github.com/qutebrowser/qutebrowser/releases/download/v${version}/${pname}-${version}.tar.gz";
     hash = "sha256-qb/OFN3EA94N6y7t+YPCMc4APgdZmV7H706jTkl06Qg=";
   };
@@ -66,6 +87,7 @@ in mkDerivationWith python3Packages.buildPythonApplication rec {
     adblock
   ]
     ++ lib.optional (pythonOlder "3.9") importlib-resources
+    ++ lib.optional stdenv.isLinux qtwayland
   );
 
   patches = [
@@ -94,14 +116,15 @@ in mkDerivationWith python3Packages.buildPythonApplication rec {
 
     # Install icons
     for i in 16 24 32 48 64 128 256 512; do
-        install -Dm644 "icons/qutebrowser-''${i}x''${i}.png" \
+        install -Dm644 "qutebrowser/icons/qutebrowser-''${i}x''${i}.png" \
             "$out/share/icons/hicolor/''${i}x''${i}/apps/qutebrowser.png"
     done
-    install -Dm644 icons/qutebrowser.svg \
+    install -Dm644 ${if isQt6 then "qutebrowser/" else ""}icons/qutebrowser.svg \
         "$out/share/icons/hicolor/scalable/apps/qutebrowser.svg"
 
     # Install scripts
     sed -i "s,/usr/bin/,$out/bin/,g" scripts/open_url_in_instance.sh
+    ${if isQt6 then "rm -rf scripts/{testbrowser,dev}" else ""}
     install -Dm755 -t "$out/share/qutebrowser/scripts/" $(find scripts -type f)
     install -Dm755 -t "$out/share/qutebrowser/userscripts/" misc/userscripts/*
 

pkgs/applications/networking/cluster/argo/default.nix

@@ -19,16 +19,16 @@ let
 in
 buildGoModule rec {
   pname = "argo";
-  version = "3.3.9";
+  version = "3.4.1";
 
   src = fetchFromGitHub {
     owner = "argoproj";
     repo = "argo";
     rev = "v${version}";
-    sha256 = "sha256-BDanFiLhucNE4uvUxKDXAK1W755VfNytQ3gXuLIKfSE=";
+    sha256 = "sha256-bAfND84mbJulv0IO6JF2c+ZbwKeND8AVAJHmdMmhZ/s=";
   };
 
-  vendorSha256 = "sha256-303+LE3n3lltuCf+Pc7S+qHdsjQDt9IAu9Kd4sUaiYI=";
+  vendorSha256 = "sha256-S4p56/OZpufpi71aueYTvPcM4LoZWyAhcAzUUUrUw4Q=";
 
   doCheck = false;
 

pkgs/applications/networking/cluster/tektoncd-cli/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "tektoncd-cli";
-  version = "0.24.0";
+  version = "0.24.1";
 
   src = fetchFromGitHub {
     owner = "tektoncd";
     repo = "cli";
     rev = "v${version}";
-    sha256 = "sha256-mrTtg60LZpRONrEhX53EhSYpfdfGMvPK4WhTHeAKsoQ=";
+    sha256 = "sha256-8dCmORfTMFHSyc9FOpL01ywxGcH3uolzD2aOtyy191Q=";
   };
 
   vendorSha256 = null;

pkgs/applications/networking/freefilesync/default.nix

@@ -96,7 +96,7 @@ gcc12Stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Open Source File Synchronization & Backup Software";
     homepage = "https://freefilesync.org";
-    license = licenses.gpl3Only;
+    license = [ licenses.gpl3Only licenses.openssl licenses.curl licenses.libssh2 ];
     maintainers = with maintainers; [ wegank ];
     platforms = platforms.linux;
   };

pkgs/applications/networking/instant-messengers/gajim/default.nix

@@ -22,11 +22,11 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "gajim";
-  version = "1.5.1";
+  version = "1.5.2";
 
   src = fetchurl {
     url = "https://gajim.org/downloads/${lib.versions.majorMinor version}/gajim-${version}.tar.gz";
-    sha256 = "sha256-FjRrAswoE1yuDoR42U3ppzvEvFN6K/VBdQ0w99wXPtM=";
+    sha256 = "sha256-kXpGaGp9OWdDa1q3hx7nrD1ZeKH5CKlTgZbyuNZ05/8=";
   };
 
   buildInputs = [

pkgs/applications/networking/seahub/default.nix

@@ -30,6 +30,8 @@ python.pkgs.buildPythonApplication rec {
     sha256 = "sha256-GHvJlm5DVt3IVJnqJu8YobNNqbjdPd08s4DCdQQRQds=";
   };
 
+  format = "other";
+
   dontBuild = true;
 
   doCheck = false; # disabled because it requires a ccnet environment

pkgs/applications/virtualization/colima/default.nix

@@ -11,13 +11,13 @@
 
 buildGoModule rec {
   pname = "colima";
-  version = "0.4.5";
+  version = "0.4.6";
 
   src = fetchFromGitHub {
     owner = "abiosoft";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-hoxEf62EPD/WFXW6qbPCvEwViwmme3pSBfjeKOLsGjc=";
+    sha256 = "sha256-mVEp/4iL23rrw6HSl/7qMGK4YCJ6I+9gcSIhyPsAWzc=";
     # We need the git revision
     leaveDotGit = true;
     postFetch = ''

pkgs/development/compilers/open-watcom/v2.nix

@@ -12,6 +12,7 @@
 
 stdenv.mkDerivation rec {
   pname = "${passthru.prettyName}-unwrapped";
+  # nixpkgs-update: no auto update
   version = "unstable-2022-10-03";
 
   src = fetchFromGitHub {

pkgs/development/interpreters/python/update-python-libraries/default.nix

@@ -1,7 +1,8 @@
-{ python3, runCommand, git }:
+{ python3, runCommand, git, nix }:
 
 runCommand "update-python-libraries" {
   buildInputs = [
+    nix
     (python3.withPackages(ps: with ps; [ packaging requests toolz ]))
     git
   ];

pkgs/development/libraries/exiv2/default.nix

@@ -83,6 +83,8 @@ stdenv.mkDerivation rec {
       rm -f ../tests/bugfixes/redmine/test_issue_662.py
       rm -f ../tests/bugfixes/github/test_issue_1046.py
 
+      rm ../tests/bugfixes/redmine/test_issue_683.py
+
       # disable tests that requires loopback networking
       substituteInPlace  ../tests/bash_tests/testcases.py \
         --replace "def io_test(self):" "def io_disabled(self):"

pkgs/development/libraries/gdal/2.4.nix

@@ -1,92 +0,0 @@
-{ lib, stdenv, fetchurl, fetchpatch, libjpeg, libtiff, zlib
-, postgresql, libmysqlclient, libgeotiff, python3Packages, proj, geos, openssl
-, libpng, sqlite, libspatialite, poppler, hdf4, qhull, giflib, expat
-, libiconv, libxml2
-, netcdfSupport ? true, netcdf, hdf5, curl
-}:
-
-with lib;
-
-stdenv.mkDerivation rec {
-  pname = "gdal";
-  version = "2.4.4";
-
-  src = fetchurl {
-    url = "https://download.osgeo.org/gdal/${version}/${pname}-${version}.tar.xz";
-    sha256 = "1n6w0m2603q9cldlz0wyscp75ci561dipc36jqbf3mjmylybv0x3";
-  };
-
-  patches = [
-    (fetchpatch {
-      url = "https://github.com/OSGeo/gdal/commit/7a18e2669a733ebe3544e4f5c735fd4d2ded5fa3.patch";
-      sha256 = "sha256-rBgIxJcgRzZR1gyzDWK/Sh7MdPWeczxEYVELbYEV8JY=";
-      relative = "gdal";
-      # this doesn't apply correctly because of line endings
-      excludes = [ "third_party/LercLib/Lerc2.h" ];
-    })
-  ];
-
-  buildInputs = [ libjpeg libtiff libgeotiff libpng proj openssl sqlite
-    libspatialite poppler hdf4 qhull giflib expat libxml2 proj ]
-  ++ (with python3Packages; [ python numpy wrapPython ])
-  ++ lib.optional stdenv.isDarwin libiconv
-  ++ lib.optionals netcdfSupport [ netcdf hdf5 curl ];
-
-  configureFlags = [
-    "--with-expat=${expat.dev}"
-    "--with-jpeg=${libjpeg.dev}"
-    "--with-libtiff=${libtiff.dev}" # optional (without largetiff support)
-    "--with-png=${libpng.dev}"      # optional
-    "--with-poppler=${poppler.dev}" # optional
-    "--with-libz=${zlib.dev}"       # optional
-    "--with-pg=${postgresql}/bin/pg_config"
-    "--with-mysql=${getDev libmysqlclient}/bin/mysql_config"
-    "--with-geotiff=${libgeotiff.dev}"
-    "--with-sqlite3=${sqlite.dev}"
-    "--with-spatialite=${libspatialite}"
-    "--with-python"               # optional
-    "--with-proj=${proj.dev}" # optional
-    "--with-geos=${geos}/bin/geos-config"# optional
-    "--with-hdf4=${hdf4.dev}" # optional
-    "--with-xml2=${libxml2.dev}/bin/xml2-config" # optional
-    (if netcdfSupport then "--with-netcdf=${netcdf}" else "")
-  ];
-
-  hardeningDisable = [ "format" ];
-
-  CXXFLAGS = "-fpermissive";
-
-  postPatch = ''
-    sed -i '/ifdef bool/i\
-      #ifdef swap\
-      #undef swap\
-      #endif' ogr/ogrsf_frmts/mysql/ogr_mysql.h
-  '';
-
-  # - Unset CC and CXX as they confuse libtool.
-  # - teach gdal that libdf is the legacy name for libhdf
-  preConfigure = ''
-      unset CC CXX
-      substituteInPlace configure \
-      --replace "-lmfhdf -ldf" "-lmfhdf -lhdf"
-    '';
-
-  preBuild = ''
-    substituteInPlace swig/python/GNUmakefile \
-      --replace "ifeq (\$(STD_UNIX_LAYOUT),\"TRUE\")" "ifeq (1,1)"
-  '';
-
-  postInstall = ''
-    wrapPythonPrograms
-  '';
-
-  enableParallelBuilding = true;
-
-  meta = {
-    description = "Translator library for raster geospatial data formats";
-    homepage = "https://www.gdal.org/";
-    license = lib.licenses.mit;
-    maintainers = [ lib.maintainers.marcweber ];
-    platforms = with lib.platforms; linux ++ darwin;
-  };
-}

pkgs/development/libraries/librist/default.nix

@@ -0,0 +1,43 @@
+{ stdenv
+, lib
+, fetchFromGitLab
+, meson
+, ninja
+, pkg-config
+, cjson
+, cmocka
+, mbedtls
+}:
+
+stdenv.mkDerivation rec {
+  pname = "librist";
+  version = "0.2.7";
+
+  src = fetchFromGitLab {
+    domain = "code.videolan.org";
+    owner = "rist";
+    repo = "librist";
+    rev = "v${version}";
+    sha256 = "sha256-qQG2eRAPAQgxghMeUZk3nwyacX6jDl33F8BWW63nM3c=";
+  };
+
+  nativeBuildInputs = [
+    meson
+    ninja
+    pkg-config
+  ];
+
+  buildInputs = [
+    cjson
+    cmocka
+    mbedtls
+  ];
+
+  meta = with lib; {
+    description = "A library that can be used to easily add the RIST protocol to your application.";
+    homepage = "https://code.videolan.org/rist/librist";
+    license = with licenses; [ bsd2 mit isc ];
+    maintainers = with maintainers; [ raphaelr sebtm ];
+    platforms = platforms.all;
+  };
+}

pkgs/development/libraries/libssh2/default.nix

@@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
     description = "A client-side C library implementing the SSH2 protocol";
     homepage = "https://www.libssh2.org";
     platforms = platforms.all;
-    license = licenses.bsd3;
+    license = with licenses; [ bsd3 libssh2 ];
     maintainers = with maintainers; [ SuperSandro2000 ];
   };
 }

pkgs/development/libraries/qt-6/modules/qtwebengine.nix

@@ -69,7 +69,7 @@
 , enableProprietaryCodecs ? true
 }:
 
-qtModule rec {
+qtModule {
   pname = "qtwebengine";
   qtInputs = [ qtdeclarative qtwebchannel qtwebsockets qtpositioning ];
   nativeBuildInputs = [
@@ -94,6 +94,12 @@ qtModule rec {
   # which cannot be set at the same time as -Wformat-security
   hardeningDisable = [ "format" ];
 
+  patches = [
+    # fixes consistent crashing in github on 6.4.0, can probably remove when there is a patch release
+    # https://codereview.qt-project.org/c/qt/qtwebengine/+/436316
+    ../patches/qtwebengine-fix.patch
+  ];
+
   postPatch = ''
     # Patch Chromium build tools
     (

pkgs/development/libraries/qt-6/patches/qtwebengine-fix.patch

@@ -0,0 +1,28 @@
+From 81bf140583f7b7bf13cc8dd522e1ca2aba873fc4 Mon Sep 17 00:00:00 2001
+From: Martin Negyokru <negyokru@inf.u-szeged.hu>
+Date: Mon, 03 Oct 2022 12:20:00 +0200
+Subject: [PATCH] Do not intercept websocket connection when there is no associated frame
+
+This fix is based on chrome's implementation.
+
+Fixes: QTBUG-107144
+Change-Id: If042e4156b8a4bdb27a210c4db94e3a6198aed7d
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+(cherry picked from commit 64b7da9dab82713fdcb2e03d8a2715421eae5685)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
+---
+
+diff --git a/src/core/content_browser_client_qt.cpp b/src/core/content_browser_client_qt.cpp
+index 020ae91..99a3aa3 100644
+--- a/src/core/content_browser_client_qt.cpp
++++ b/src/core/content_browser_client_qt.cpp
+@@ -1237,8 +1237,7 @@
+ 
+ bool ContentBrowserClientQt::WillInterceptWebSocket(content::RenderFrameHost *frame)
+ {
+-    Q_UNUSED(frame);
+-    return true; // It is probably not worth it to only intercept when interceptors are installed
++    return frame != nullptr;
+ }
+ 
+ QWebEngineUrlRequestInterceptor *getProfileInterceptorFromFrame(content::RenderFrameHost *frame)

pkgs/development/python-modules/home-assistant-bluetooth/default.nix

@@ -9,7 +9,7 @@
 
 buildPythonPackage rec {
   pname = "home-assistant-bluetooth";
-  version = "1.4.0";
+  version = "1.5.1";
   format = "pyproject";
   disabled = pythonOlder "3.9";
 
@@ -17,7 +17,7 @@ buildPythonPackage rec {
     owner = "home-assistant-libs";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-viJOrmvrooHh47yyJJomOGBhQvcoWM3jKMRwZ+6/UJ8=";
+    hash = "sha256-//e+Kb85TBAC9/mHz/T/Dm/pNjbj0488/L/NeS1RMqY=";
   };
 
   postPatch = ''

pkgs/development/python-modules/nbxmpp/default.nix

@@ -13,7 +13,7 @@
 
 buildPythonPackage rec {
   pname = "nbxmpp";
-  version = "3.2.2";
+  version = "3.2.4";
 
   disabled = pythonOlder "3.7";
 
@@ -22,7 +22,7 @@ buildPythonPackage rec {
     owner = "gajim";
     repo = "python-nbxmpp";
     rev = version;
-    sha256 = "sha256-WVE8evbfWdQNsuDEQF7WfEYDQEKGKXElKQBkUn7bJ1I=";
+    sha256 = "sha256-ydOJBgKPkmw2Qf0TB3ukWGpi8P0BgcCGA47dASjRrgQ=";
   };
 
   nativeBuildInputs = [

pkgs/development/python-modules/pyqt-builder/default.nix

@@ -2,20 +2,14 @@
 
 buildPythonPackage rec {
   pname = "pyqt-builder";
-  version = "1.13.0";
+  version = "1.14.0";
 
   src = fetchPypi {
     pname = "PyQt-builder";
     inherit version;
-    sha256 = "sha256-SHdYDDjOtTIOEps4HQg7CoYBxoFm2LmXB/CPoKFonu8=";
+    sha256 = "sha256-Z1WTHG0viUBVPgM00QyTPOXMGLZEJelP2hrM9P93T1k=";
   };
 
-  patches = [
-    # use the sip-distinfo executable from PATH instead of trying to guess,
-    # we know it's the right one because it's the _only_ one
-    ./use-sip-distinfo-from-path.patch
-  ];
-
   propagatedBuildInputs = [ packaging sip ];
 
   pythonImportsCheck = [ "pyqtbuild" ];
@@ -27,6 +21,6 @@ buildPythonPackage rec {
     description = "PEP 517 compliant build system for PyQt";
     homepage = "https://pypi.org/project/PyQt-builder/";
     license = licenses.gpl3Only;
-    maintainers = with maintainers; [ ];
+    maintainers = with maintainers; [ nrdxp ];
   };
 }

pkgs/development/python-modules/pyqt6-webengine.nix

@@ -0,0 +1,89 @@
+{ lib
+, buildPythonPackage
+, fetchPypi
+, pkg-config
+, lndir
+, sip
+, pyqt-builder
+, qt6Packages
+, pythonOlder
+, pyqt6
+, python
+}:
+
+buildPythonPackage rec {
+  pname = "PyQt6_WebEngine";
+  version = "6.4.0";
+  format = "pyproject";
+
+  disabled = pythonOlder "3.6";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "sha256-THHBMIYKvNEeBMr7IuM5g/qaOu6DI8UZCbFaFwGCjiE=";
+  };
+
+  # fix include path and increase verbosity
+  postPatch = ''
+    sed -i \
+      '/\[tool.sip.project\]/a\
+      verbose = true\
+      sip-include-dirs = [\"${pyqt6}/${python.sitePackages}/PyQt6/bindings\"]' \
+      pyproject.toml
+  '';
+
+  enableParallelBuilding = true;
+  # HACK: paralellize compilation of make calls within pyqt's setup.py
+  # pkgs/stdenv/generic/setup.sh doesn't set this for us because
+  # make gets called by python code and not its build phase
+  # format=pyproject means the pip-build-hook hook gets used to build this project
+  # pkgs/development/interpreters/python/hooks/pip-build-hook.sh
+  # does not use the enableParallelBuilding flag
+  postUnpack = ''
+    export MAKEFLAGS+=" -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES"
+  '';
+
+  outputs = [ "out" "dev" ];
+
+  dontWrapQtApps = true;
+
+  nativeBuildInputs = with qt6Packages; [
+    pkg-config
+    lndir
+    sip
+    qtwebengine
+    qmake
+    pyqt-builder
+  ];
+
+  buildInputs = with qt6Packages; [
+    qtwebengine
+  ];
+
+  propagatedBuildInputs = [
+    pyqt6
+  ];
+
+  passthru = {
+    inherit sip;
+  };
+
+  dontConfigure = true;
+
+  # Checked using pythonImportsCheck, has no tests
+  doCheck = true;
+
+  pythonImportsCheck = [
+    "PyQt6.QtWebEngineCore"
+    "PyQt6.QtWebEngineQuick"
+    "PyQt6.QtWebEngineWidgets"
+  ];
+
+  meta = with lib; {
+    description = "Python bindings for Qt6 WebEngine";
+    homepage = "https://riverbankcomputing.com/";
+    license = licenses.gpl3Only;
+    platforms = platforms.mesaPlatforms;
+    maintainers = with maintainers; [ LunNova nrdxp ];
+  };
+}

pkgs/development/python-modules/sip/default.nix

@@ -2,35 +2,19 @@
 
 buildPythonPackage rec {
   pname = "sip";
-  version = "6.6.2";
+  version = "6.7.1";
 
   src = fetchPypi {
     pname = "sip";
     inherit version;
-    sha256 = "sha256-Dj76wcXf2OUlrlcUCSffJpk+E/WLidFXfDFPQQW/2Q0=";
+    sha256 = "sha256-KBcP34gPk3Am/If6qcF3sGLDU8XRaeoyQrB4AmFN3Qw=";
   };
 
-  patches = [
-    # on non-x86 Linux platforms, sip incorrectly detects the manylinux version
-    # and PIP will refuse to install the resulting wheel.
-    # remove once upstream fixes this, hopefully in 6.5.2
-    ./fix-manylinux-version.patch
-
-    # fix issue triggered by QGIS 3.26.x, already fixed upstream
-    # in SIP, waiting for release past 6.6.2
-    (fetchpatch {
-      url = "https://riverbankcomputing.com/hg/sip/raw-diff/323d39a2d602/sipbuild/generator/parser/instantiations.py";
-      hash = "sha256-QEQuRzXA+wK9Dt22U/LgIwtherY9pJURGJYpKpJkiok=";
-    })
-  ];
-
   propagatedBuildInputs = [ packaging ply toml ];
 
   # There aren't tests
   doCheck = false;
 
-  pythonImportsCheck = [ "sipbuild" ];
-
   # FIXME: Why isn't this detected automatically?
   # Needs to be specified in pyproject.toml, e.g.:
   # [tool.sip.bindings.MODULE]
@@ -45,10 +29,12 @@ buildPythonPackage rec {
     else
       throw "unsupported platform";
 
+  pythonImportsCheck = [ "sipbuild" ];
+
   meta = with lib; {
     description = "Creates C++ bindings for Python modules";
     homepage    = "https://riverbankcomputing.com/";
     license     = licenses.gpl3Only;
-    maintainers = with maintainers; [ ];
+    maintainers = with maintainers; [ nrdxp ];
   };
 }

pkgs/development/python-modules/sip/fix-manylinux-version.patch

@@ -1,19 +0,0 @@
-diff --git a/sipbuild/project.py b/sipbuild/project.py
---- a/sipbuild/project.py
-+++ b/sipbuild/project.py
-@@ -336,13 +336,13 @@ class Project(AbstractProject, Configurable):
-             # We expect a two part tag so leave anything else unchanged.
-             parts = platform_tag.split('-')
-             if len(parts) == 2:
--                if self.minimum_glibc_version > (2, 17):
-+                if self.minimum_glibc_version > (2, 17) or parts[1] not in {"x86_64", "i686", "aarch64", "armv7l", "ppc64", "ppc64le", "s390x"}:
-                     # PEP 600.
-                     parts[0] = 'manylinux'
-                     parts.insert(1,
-                             '{}.{}'.format(self.minimum_glibc_version[0],
-                                     self.minimum_glibc_version[1]))
--                elif self.minimum_glibc_version > (2, 12):
-+                elif self.minimum_glibc_version > (2, 12) or parts[1] not in {"x86_64", "i686"}:
-                     # PEP 599.
-                     parts[0] = 'manylinux2014'
-                 elif self.minimum_glibc_version > (2, 5):

pkgs/development/python-modules/timetagger/default.nix

@@ -16,13 +16,13 @@
 
 buildPythonPackage rec {
   pname = "timetagger";
-  version = "22.6.6";
+  version = "22.9.3";
 
   src = fetchFromGitHub {
     owner = "almarklein";
     repo = pname;
     rev = "refs/tags/v${version}";
-    sha256 = "sha256-2qPtC8gsRw9ZOkl+H8euTwTrPVAB0cdfFflhbLqXz/I=";
+    sha256 = "sha256-9YmO0nD6QSFMSXsWlfbRxNWW1nwe7WXinC9pLe7rDEY=";
   };
 
   propagatedBuildInputs = [

pkgs/development/tools/bacon/default.nix

@@ -2,16 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "bacon";
-  version = "2.2.3";
+  version = "2.2.5";
 
   src = fetchFromGitHub {
     owner = "Canop";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-9HyGHj1JWZ2S7XZCj69VdzlG4nwgzr1BKW4+4f+L+yM=";
+    sha256 = "sha256-KoAaECfZ8DwGN/U1HCp/4NUvTvFYiN+li3I5gNYM/oU=";
   };
 
-  cargoSha256 = "sha256-DlBOZUdIg7yqLeLWqiiOFb+NSeTYJUl0RIJRG35oV4M=";
+  cargoSha256 = "sha256-ifUbUeqWm/gwOqzxY8lpGvW1ArZmGAy8XxAkvEfpLVQ=";
 
   buildInputs = lib.optional stdenv.isDarwin CoreServices;
 

pkgs/development/tools/poetry2nix/poetry2nix/overrides/default.nix

@@ -600,9 +600,9 @@ lib.composeManyExtensions [
 
       fiona = super.fiona.overridePythonAttrs (
         old: {
-          buildInputs = (old.buildInputs or [ ]) ++ [ pkgs.gdal_2 ];
+          buildInputs = (old.buildInputs or [ ]) ++ [ pkgs.gdal ];
           nativeBuildInputs = [
-            pkgs.gdal_2 # for gdal-config
+            pkgs.gdal # for gdal-config
           ];
         }
       );

pkgs/development/web/flyctl/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "flyctl";
-  version = "0.0.404";
+  version = "0.0.406";
 
   src = fetchFromGitHub {
     owner = "superfly";
     repo = "flyctl";
     rev = "v${version}";
-    sha256 = "sha256-GR/ZZtSkVF8d9frIdBPfjXukXZr/ewt0r8YmbZHGbZQ=";
+    sha256 = "sha256-2GisQo7RUqCGuw5ThfunjH4Bk8RIo0wov4lcsWu2NMs=";
   };
 
   vendorSha256 = "sha256-zOhURlJCt+cDSiIz+DOQEC8yJCODCEuE1oXro54vX7I=";

pkgs/servers/endlessh-go/default.nix

@@ -1,6 +1,7 @@
 { lib
 , buildGoModule
 , fetchFromGitHub
+, nixosTests
 }:
 
 buildGoModule rec {
@@ -18,6 +19,8 @@ buildGoModule rec {
 
   ldflags = [ "-s" "-w" ];
 
+  passthru.tests = nixosTests.endlessh-go;
+
   meta = with lib; {
     description = "An implementation of endlessh exporting Prometheus metrics";
     homepage = "https://github.com/shizunge/endlessh-go";

pkgs/servers/http/yaws/default.nix

@@ -1,23 +1,19 @@
-{lib, stdenv, fetchurl, erlang, pam, perl }:
+{lib, stdenv, fetchFromGitHub, erlang, pam, perl, autoreconfHook }:
 
 stdenv.mkDerivation rec {
   pname = "yaws";
-  version = "2.0.6";
+  version = "2.1.1";
 
-  src = fetchurl {
-    url = "http://yaws.hyber.org/download/${pname}-${version}.tar.gz";
-    sha256 = "03nh97g7smsgm6sw5asssmlq7zgx6y2gnn7jn0lv2x5mkf5nzyb9";
+  src = fetchFromGitHub {
+    owner = "erlyaws";
+    repo = pname;
+    rev = "${pname}-${version}";
+    hash = "sha256-F1qhq0SEChWw/EBodXKWTqMNmGoTwP2JgkmfANUFD9I=";
   };
 
-  # The tarball includes a symlink yaws -> yaws-1.95, which seems to be
-  # necessary for importing erlang files
-  unpackPhase = ''
-    tar xzf $src
-    cd $name
-  '';
-
   configureFlags = [ "--with-extrainclude=${pam}/include/security" ];
 
+  nativeBuildInputs = [ autoreconfHook ];
   buildInputs = [ erlang pam perl ];
 
   postInstall = ''
@@ -25,8 +21,8 @@ stdenv.mkDerivation rec {
   '';
 
   meta = with lib; {
-    description = "A high performance HTTP 1.1 server in Erlang";
-    homepage = "http://yaws.hyber.org";
+    description = "A webserver for dynamic content written in Erlang.";
+    homepage = "https://github.com/erlyaws/yaws";
     license = licenses.bsd2;
     platforms = platforms.linux;
     maintainers = with maintainers; [ goibhniu ];

pkgs/servers/web-apps/moodle/default.nix

@@ -1,7 +1,7 @@
 { lib, stdenv, fetchurl, writeText, plugins ? [ ] }:
 
 let
-  version = "4.0.2";
+  version = "4.0.4";
 
   versionParts = lib.take 2 (lib.splitVersion version);
   # 4.2 -> 402, 3.11 -> 311
@@ -15,7 +15,7 @@ in stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "https://download.moodle.org/stable${stableVersion}/${pname}-${version}.tgz";
-    sha256 = "sha256-Ouz1U5bMzwzQZiMmVOrx3oWtqyn7GE/oeaTrsXmsBJI=";
+    sha256 = "sha256-mwfUTMjNj9BKqIFezaekUtR9lwAMmsHaAUt6rkqfW8k=";
   };
 
   phpConfig = writeText "config.php" ''

pkgs/top-level/aliases.nix

@@ -87,6 +87,8 @@ mapAliases ({
   asterisk_17 = throw "asterisk_17: Asterisk 17 is end of life and has been removed"; # Added 2022-04-06
   at_spi2_atk = throw "'at_spi2_atk' has been renamed to/replaced by 'at-spi2-atk'"; # Converted to throw 2022-02-22
   at_spi2_core = throw "'at_spi2_core' has been renamed to/replaced by 'at-spi2-core'"; # Converted to throw 2022-02-22
+  audacity-gtk2 = throw "'audacity-gtk2' has been removed to/replaced by 'audacity'"; # Added 2022-10-09
+  audacity-gtk3 = throw "'audacity-gtk3' has been removed to/replaced by 'audacity'"; # Added 2022-10-09
   automoc4 = throw "automoc4 has been removed from nixpkgs"; # Added 2022-05-30
   avldrums-lv2 = throw "'avldrums-lv2' has been renamed to/replaced by 'x42-avldrums'"; # Converted to throw 2022-09-24
   awesome-4-0 = awesome; # Added 2022-05-05

pkgs/top-level/all-packages.nix

@@ -1078,7 +1078,7 @@ with pkgs;
 
   _1password-gui = callPackage ../applications/misc/1password-gui { };
 
-  _1password-gui-beta = callPackage ../applications/misc/1password-gui/beta.nix { };
+  _1password-gui-beta = callPackage ../applications/misc/1password-gui { channel = "beta"; };
 
   _6tunnel = callPackage ../tools/networking/6tunnel { };
 
@@ -18590,8 +18590,6 @@ with pkgs;
     autoreconfHook = buildPackages.autoreconfHook269;
   };
 
-  gdal_2 = callPackage ../development/libraries/gdal/2.4.nix { };
-
   gdcm = callPackage ../development/libraries/gdcm {
     inherit (darwin.apple_sdk.frameworks) ApplicationServices Cocoa;
   };
@@ -24239,9 +24237,7 @@ with pkgs;
 
   xwayland = callPackage ../servers/x11/xorg/xwayland.nix { };
 
-  yaws = callPackage ../servers/http/yaws {
-    erlang = erlangR21;
-  };
+  yaws = callPackage ../servers/http/yaws { };
 
   youtrack = callPackage ../servers/jetbrains/youtrack.nix { };
 
@@ -26070,6 +26066,8 @@ with pkgs;
 
   libratbag = callPackage ../os-specific/linux/libratbag { };
 
+  librist = callPackage ../development/libraries/librist { };
+
   libre-baskerville = callPackage ../data/fonts/libre-baskerville { };
 
   libre-bodoni = callPackage ../data/fonts/libre-bodoni { };
@@ -26931,16 +26929,10 @@ with pkgs;
   };
   audaciousQt5 = audacious;
 
-  audacity-gtk2 = callPackage ../applications/audio/audacity { wxGTK = wxGTK31-gtk2; };
-  audacity-gtk3 = callPackage ../applications/audio/audacity { wxGTK = wxGTK31-gtk3; };
-  audacity =
-    if stdenv.isDarwin then
-      callPackage ../applications/audio/audacity {
-        inherit (darwin.apple_sdk.frameworks) AppKit AudioToolbox AudioUnit Carbon Cocoa CoreAudio CoreAudioKit CoreServices;
-        suil = suil-qt5;
-      }
-    else
-      audacity-gtk2;
+  audacity = callPackage ../applications/audio/audacity {
+    inherit (darwin.apple_sdk.frameworks) AppKit AudioToolbox AudioUnit Carbon CoreAudio CoreAudioKit CoreServices;
+    suil = suil-qt5;
+  };
 
   audio-recorder = callPackage ../applications/audio/audio-recorder { };
 
@@ -31125,6 +31117,9 @@ with pkgs;
   };
 
   qutebrowser = libsForQt5.callPackage ../applications/networking/browsers/qutebrowser { };
+  qutebrowser-qt6 = callPackage ../applications/networking/browsers/qutebrowser {
+    inherit (qt6Packages) qtbase qtwebengine wrapQtAppsHook qtwayland;
+  };
 
   qxw = callPackage ../applications/editors/qxw {};
 

pkgs/top-level/python-packages.nix

@@ -8421,6 +8421,8 @@ in {
 
   pyqt6-sip = callPackage ../development/python-modules/pyqt/pyqt6-sip.nix { };
 
+  pyqt6-webengine = callPackage ../development/python-modules/pyqt6-webengine.nix { };
+
   pyqtgraph = callPackage ../development/python-modules/pyqtgraph { };
 
   pyqtwebengine = pkgs.libsForQt5.callPackage ../development/python-modules/pyqtwebengine {