Merge master into staging-next

2 years ago · 93e5dc3f48
parent 14e41433b0 c0723eef37
commit 93e5dc3f48
37 changed files with 318 additions and 248 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@ -2514,6 +2514,16 @@ cp /var/lib/redis/dump.rdb &quot;/var/lib/redis-mastodon/dump.rdb&quot;
          enabled.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          The Nextcloud module now allows setting the value of the
+          <literal>max-age</literal> directive of the
+          <literal>Strict-Transport-Security</literal> HTTP header,
+          which is now controlled by the
+          <literal>services.nextcloud.https</literal> option, rather
+          than <literal>services.nginx.recommendedHttpHeaders</literal>.
+        </para>
+      </listitem>
      <listitem>
        <para>
          The <literal>spark3</literal> package has been updated from
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@ -892,6 +892,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The Nextcloud module now supports to create a Mysql database automatically
  with `services.nextcloud.database.createLocally` enabled.

+- The Nextcloud module now allows setting the value of the `max-age` directive of the `Strict-Transport-Security` HTTP header, which is now controlled by the `services.nextcloud.https` option, rather than `services.nginx.recommendedHttpHeaders`.
+
 - The `spark3` package has been updated from 3.1.2 to 3.2.1 ([#160075](https://github.com/NixOS/nixpkgs/pull/160075)):

  - Testing has been enabled for `aarch64-linux` in addition to `x86_64-linux`.
--- a/nixos/modules/misc/locate.nix
+++ b/nixos/modules/misc/locate.nix
@ -250,7 +250,7 @@ in
    };

    warnings = optional (isMorPLocate && cfg.localuser != null)
-      "mlocate does not support the services.locate.localuser option; updatedb will run as root. (Silence with services.locate.localuser = null.)"
+      "mlocate and plocate do not support the services.locate.localuser option. updatedb will run as root. Silence this warning by setting services.locate.localuser = null."
    ++ optional (isFindutils && cfg.pruneNames != [ ])
      "findutils locate does not support pruning by directory component"
    ++ optional (isFindutils && cfg.pruneBindMounts)
--- a/nixos/modules/services/monitoring/prometheus/default.nix
+++ b/nixos/modules/services/monitoring/prometheus/default.nix
@ -5,6 +5,9 @@ with lib;
 let
  json = pkgs.formats.json { };
  cfg = config.services.prometheus;
+  checkConfigEnabled =
+    (lib.isBool cfg.checkConfig && cfg.checkConfig)
+      || cfg.checkConfig == "syntax-only";

  workingDir = "/var/lib/" + cfg.stateDir;

@ -27,7 +30,7 @@ let

  # a wrapper that verifies that the configuration is valid
  promtoolCheck = what: name: file:
-    if cfg.checkConfig then
+    if checkConfigEnabled then
      pkgs.runCommandLocal
        "${name}-${replaceStrings [" "] [""] what}-checked"
        { buildInputs = [ cfg.package ]; } ''
@ -58,7 +61,7 @@ let
          pkgs.writeText "prometheus.yml" cfg.configText
        else generatedPrometheusYml;
    in
-    promtoolCheck "check config" "prometheus.yml" yml;
+    promtoolCheck "check config ${lib.optionalString (cfg.checkConfig == "syntax-only") "--syntax-only"}" "prometheus.yml" yml;

  cmdlineArgs = cfg.extraFlags ++ [
    "--storage.tsdb.path=${workingDir}/data/"
@ -1726,16 +1729,20 @@ in
    };

    checkConfig = mkOption {
-      type = types.bool;
+      type = with types; either bool (enum [ "syntax-only" ]);
      default = true;
+      example = "syntax-only";
      description = ''
        Check configuration with <literal>promtool
        check</literal>. The call to <literal>promtool</literal> is
-        subject to sandboxing by Nix. When credentials are stored in
-        external files (<literal>password_file</literal>,
-        <literal>bearer_token_file</literal>, etc), they will not be
-        visible to <literal>promtool</literal> and it will report
-        errors, despite a correct configuration.
+        subject to sandboxing by Nix.
+
+        If you use credentials stored in external files
+        (<literal>password_file</literal>, <literal>bearer_token_file</literal>, etc),
+        they will not be visible to <literal>promtool</literal>
+        and it will report errors, despite a correct configuration.
+        To resolve this, you may set this option to <literal>"syntax-only"</literal>
+        in order to only syntax check the Prometheus configuration.
      '';
    };

--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@ -546,10 +546,23 @@ in {
      '';
    };

-    nginx.recommendedHttpHeaders = mkOption {
-      type = types.bool;
-      default = true;
-      description = "Enable additional recommended HTTP response headers";
+    nginx = {
+      recommendedHttpHeaders = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Enable additional recommended HTTP response headers";
+      };
+      hstsMaxAge = mkOption {
+        type = types.ints.positive;
+        default = 15552000;
+        description = ''
+          Value for the <code>max-age</code> directive of the HTTP
+          <code>Strict-Transport-Security</code> header.
+
+          See section 6.1.1 of IETF RFC 6797 for detailed information on this
+          directive and header.
+        '';
+      };
    };
  };

@ -702,7 +715,7 @@ in {
              'skeletondirectory' => '${cfg.skeletonDirectory}',
              ${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"}
              'log_type' => 'syslog',
-              'log_level' => '${builtins.toString cfg.logLevel}',
+              'loglevel' => '${builtins.toString cfg.logLevel}',
              ${optionalString (c.overwriteProtocol != null) "'overwriteprotocol' => '${c.overwriteProtocol}',"}
              ${optionalString (c.dbname != null) "'dbname' => '${c.dbname}',"}
              ${optionalString (c.dbhost != null) "'dbhost' => '${c.dbhost}',"}
@ -983,7 +996,9 @@ in {
            add_header X-Permitted-Cross-Domain-Policies none;
            add_header X-Frame-Options sameorigin;
            add_header Referrer-Policy no-referrer;
-            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+          ''}
+          ${optionalString (cfg.https) ''
+            add_header Strict-Transport-Security "max-age=${toString cfg.nginx.hstsMaxAge}; includeSubDomains" always;
          ''}
          client_max_body_size ${cfg.maxUploadSize};
          fastcgi_buffers 64 4K;
--- a/pkgs/applications/blockchains/wasabiwallet/default.nix
+++ b/pkgs/applications/blockchains/wasabiwallet/default.nix
@ -25,11 +25,11 @@ let
 in
 stdenv.mkDerivation rec {
  pname = "wasabiwallet";
-  version = "1.1.12.9";
+  version = "1.1.13.1";

  src = fetchurl {
    url = "https://github.com/zkSNACKs/WalletWasabi/releases/download/v${version}/Wasabi-${version}.tar.gz";
-    sha256 = "sha256-DtoLQbRXyR4xGm+M0xg9uj8wcbh1dOBJUG430OS8AS4=";
+    sha256 = "sha256-AtsNbUqEBQx0DPWR2LjNl7pdviYmvkv3bYKNBoeJHbw=";
  };

  dontBuild = true;
--- a/pkgs/applications/graphics/ImageMagick/7.0.nix
+++ b/pkgs/applications/graphics/ImageMagick/7.0.nix
@ -45,13 +45,13 @@ in

 stdenv.mkDerivation rec {
  pname = "imagemagick";
-  version = "7.1.0-33";
+  version = "7.1.0-34";

  src = fetchFromGitHub {
    owner = "ImageMagick";
    repo = "ImageMagick";
    rev = version;
-    hash = "sha256-qiXTSQcc48IIzz7RUcyOH2w8JUOTdU1zg43gJhoELXo=";
+    hash = "sha256-eASmIOTYupK5di3lggJ/8O5pkG88ZpFuvaYK23AWsq4=";
  };

  outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big
--- a/pkgs/applications/networking/cluster/terraform-providers/providers.json
+++ b/pkgs/applications/networking/cluster/terraform-providers/providers.json
@ -420,10 +420,10 @@
    "owner": "integrations",
    "provider-source-address": "registry.terraform.io/integrations/github",
    "repo": "terraform-provider-github",
-    "rev": "v4.25.0-alpha",
-    "sha256": "sha256-9BE19VywtNIeDfjBKzle5nGFPmpS8lHV60w0h2xTztU=",
+    "rev": "v4.24.1",
+    "sha256": "sha256-1fwHMN2HIVl+8ZL7OtP1U5ORc41e7Tm3qEpMqIgWL20=",
    "vendorSha256": null,
-    "version": "4.25.0-alpha"
+    "version": "4.24.1"
  },
  "gitlab": {
    "owner": "gitlabhq",
@ -719,10 +719,10 @@
    "owner": "equinix",
    "provider-source-address": "registry.terraform.io/equinix/metal",
    "repo": "terraform-provider-metal",
-    "rev": "v3.3.0-alpha.3",
-    "sha256": "sha256-wuZp0Be8a84y7JqpCGnBDPXgNG8JJcNWsIICP3ZjSVk=",
-    "vendorSha256": "sha256-Ln9EyycPduVuj+JefH9f+Q5KlNGvbcwcEDgaqH2M0So=",
-    "version": "3.3.0-alpha.3"
+    "rev": "v3.2.2",
+    "sha256": "193897farpyb3zxz6p79mfaf04ccin7xdirbkclqb3x3c56jy0xi",
+    "vendorSha256": null,
+    "version": "3.2.2"
  },
  "minio": {
    "owner": "aminueza",
--- a/pkgs/applications/networking/cluster/terraform-providers/update-provider
+++ b/pkgs/applications/networking/cluster/terraform-providers/update-provider
@ -128,9 +128,12 @@ version="$(jq -r '.version' <<<"${registry_response}")"
 if [[ ${old_version} == "${version}" && ${force} != 1 && -z ${vendorSha256} && ${old_vendor_sha256} != "${vendorSha256}" ]]; then
  echo_provider "already at version ${version}"
  exit
-else
-  echo_provider "updating from ${old_version} to ${version}"
 fi
+if [[ ${version} =~ (alpha|beta|pre) && ${force} != 1 ]]; then
+  echo_provider "not updating to unstable version ${version}"
+  exit
+fi
+echo_provider "updating from ${old_version} to ${version}"
 update_attr version "${version}"

 provider_source_url="$(jq -r '.source' <<<"${registry_response}")"
--- a/pkgs/applications/science/biology/EZminc/default.nix
+++ b/pkgs/applications/science/biology/EZminc/default.nix
@ -25,5 +25,6 @@ stdenv.mkDerivation rec {
    maintainers = with maintainers; [ bcdarwin ];
    platforms = platforms.unix;
    license = licenses.free;
+    broken = true;  # ITK5 compatibility issue (https://github.com/BIC-MNI/EZminc/issues/15)
  };
 }
--- a/pkgs/development/compilers/vlang/default.nix
+++ b/pkgs/development/compilers/vlang/default.nix
@ -2,21 +2,21 @@

 stdenv.mkDerivation rec {
  pname = "vlang";
-  version = "weekly.2022.19";
+  version = "weekly.2022.20";

  src = fetchFromGitHub {
    owner = "vlang";
    repo = "v";
    rev = version;
-    sha256 = "1bl91j3ip3i84jq3wg03sflllxv38sv4dc072r302rl2g9f4dbg6";
+    sha256 = "1isbyfs98bdbm2qjf7q4bqbpsmdiqlavn3gznwr12bkvhnsf4j3x";
  };

  # Required for bootstrap.
  vc = fetchFromGitHub {
    owner = "vlang";
    repo = "vc";
-    rev = "a298ad7069f6333ef8ab59a616654fc74e04c847";
-    sha256 = "168cgq6451hcgsxzyd8vq11g01642bs5kkwxqh6rz3rnc86ajic0";
+    rev = "167f262866090493650f58832d62d910999dd5a4";
+    sha256 = "1xax8355qkrccjcmx24gcab88xnrqj15mhqy0bgp3v2rb1hw1n3a";
  };

  # Required for vdoc.
@ -27,11 +27,6 @@ stdenv.mkDerivation rec {
    sha256 = "0cawzizr3rjz81blpvxvxrcvcdai1adj66885ss390444qq1fnv7";
  };

-  # vcreate_test.v requires git, so we must disable it.
-  patches = [
-    ./disable_vcreate_test.patch
-  ];
-
  propagatedBuildInputs = [ glfw freetype openssl ]
    ++ lib.optional stdenv.hostPlatform.isUnix upx;

@ -42,9 +37,16 @@ stdenv.mkDerivation rec {
    "VC=${vc}"
  ];

-  prePatch = ''
+  preBuild = ''
    export HOME=$(mktemp -d)
-    cp cmd/tools/vcreate_test.v $HOME/vcreate_test.v
+  '';
+
+  # vcreate_test.v requires git, so we must remove it when building the tools.
+  # vtest.v fails on Darwin, so let's just disable it for now.
+  preInstall = ''
+    mv cmd/tools/vcreate_test.v $HOME/vcreate_test.v
+  '' + lib.optionalString stdenv.isDarwin ''
+    mv cmd/tools/vtest.v $HOME/vtest.v
  '';

  installPhase = ''
@ -64,12 +66,16 @@ stdenv.mkDerivation rec {
    $out/lib/v -v $out/lib/cmd/tools/vast
    $out/lib/v -v $out/lib/cmd/tools/vvet

-    # Return the pre-patch vcreate_test.v now that we no longer need the alteration.
-    cp $HOME/vcreate_test.v $out/lib/cmd/tools/vcreate_test.v
-
    runHook postInstall
  '';

+  # Return vcreate_test.v and vtest.v, so the user can use it.
+  postInstall = ''
+    cp $HOME/vcreate_test.v $out/lib/cmd/tools/vcreate_test.v
+  '' + lib.optionalString stdenv.isDarwin ''
+    cp $HOME/vtest.v $out/lib/cmd/tools/vtest.v
+  '';
+
  meta = with lib; {
    homepage = "https://vlang.io/";
    description = "Simple, fast, safe, compiled language for developing maintainable software";
--- a/pkgs/development/compilers/vlang/disable_vcreate_test.patch
+++ b/pkgs/development/compilers/vlang/disable_vcreate_test.patch
@ -1,133 +0,0 @@
-diff --git a/cmd/tools/vcreate_test.v b/cmd/tools/vcreate_test.v
-index 3d07f4773..de8a202df 100644
--- a/cmd/tools/vcreate_test.v
-+++ b/cmd/tools/vcreate_test.v
-@@ -2,127 +2,6 @@ import os
- 
- const test_path = 'vcreate_test'
- 
-fn init_and_check() ? {
-	os.execute_or_exit('${os.quoted_path(@VEXE)} init')
-
-	assert os.read_file('vcreate_test.v') ? == [
-		'module main\n',
-		'fn main() {',
-		"	println('Hello World!')",
-		'}',
-		'',
-	].join_lines()
-
-	assert os.read_file('v.mod') ? == [
-		'Module {',
-		"	name: 'vcreate_test'",
-		"	description: ''",
-		"	version: ''",
-		"	license: ''",
-		'	dependencies: []',
-		'}',
-		'',
-	].join_lines()
-
-	assert os.read_file('.gitignore') ? == [
-		'# Binaries for programs and plugins',
-		'main',
-		'vcreate_test',
-		'*.exe',
-		'*.exe~',
-		'*.so',
-		'*.dylib',
-		'*.dll',
-		'vls.log',
-		'',
-	].join_lines()
-
-	assert os.read_file('.gitattributes') ? == [
-		'*.v linguist-language=V text=auto eol=lf',
-		'*.vv linguist-language=V text=auto eol=lf',
-		'*.vsh linguist-language=V text=auto eol=lf',
-		'**/v.mod linguist-language=V text=auto eol=lf',
-		'',
-	].join_lines()
-
-	assert os.read_file('.editorconfig') ? == [
-		'[*]',
-		'charset = utf-8',
-		'end_of_line = lf',
-		'insert_final_newline = true',
-		'trim_trailing_whitespace = true',
-		'',
-		'[*.v]',
-		'indent_style = tab',
-		'indent_size = 4',
-		'',
-	].join_lines()
-}
-
- fn test_v_init() ? {
-	dir := os.join_path(os.temp_dir(), test_path)
-	os.rmdir_all(dir) or {}
-	os.mkdir(dir) or {}
-	defer {
-		os.rmdir_all(dir) or {}
-	}
-	os.chdir(dir) ?
-
-	init_and_check() ?
-}
-
-fn test_v_init_in_git_dir() ? {
-	dir := os.join_path(os.temp_dir(), test_path)
-	os.rmdir_all(dir) or {}
-	os.mkdir(dir) or {}
-	defer {
-		os.rmdir_all(dir) or {}
-	}
-	os.chdir(dir) ?
-	os.execute_or_exit('git init .')
-	init_and_check() ?
-}
-
-fn test_v_init_no_overwrite_gitignore() ? {
-	dir := os.join_path(os.temp_dir(), test_path)
-	os.rmdir_all(dir) or {}
-	os.mkdir(dir) or {}
-	os.write_file('$dir/.gitignore', 'blah') ?
-	defer {
-		os.rmdir_all(dir) or {}
-	}
-	os.chdir(dir) ?
-
-	os.execute_or_exit('${os.quoted_path(@VEXE)} init')
-
-	assert os.read_file('.gitignore') ? == 'blah'
-}
-
-fn test_v_init_no_overwrite_gitattributes_and_editorconfig() ? {
-	git_attributes_content := '*.v linguist-language=V text=auto eol=lf'
-	editor_config_content := '[*]
-charset = utf-8
-end_of_line = lf
-insert_final_newline = true
-trim_trailing_whitespace = true
-
-[*.v]
-indent_style = tab
-indent_size = 4
-'
-
-	dir := os.join_path(os.temp_dir(), test_path)
-	os.rmdir_all(dir) or {}
-	os.mkdir(dir) or {}
-	os.write_file('$dir/.gitattributes', git_attributes_content) ?
-	os.write_file('$dir/.editorconfig', editor_config_content) ?
-	defer {
-		os.rmdir_all(dir) or {}
-	}
-	os.chdir(dir) ?
-
-	os.execute_or_exit('${os.quoted_path(@VEXE)} init')
-
-	assert os.read_file('.gitattributes') ? == git_attributes_content
-	assert os.read_file('.editorconfig') ? == editor_config_content
-+	println('vcreate_test disabled')
- }
--- a/pkgs/development/libraries/libnih/default.nix
+++ b/pkgs/development/libraries/libnih/default.nix
@ -1,25 +0,0 @@
-{ lib, stdenv, fetchurl, pkg-config, dbus, expat }:
-
-let version = "1.0.3"; in
-
-stdenv.mkDerivation {
-  pname = "libnih";
-  inherit version;
-
-  src = fetchurl {
-    url = "https://code.launchpad.net/libnih/1.0/${version}/+download/libnih-${version}.tar.gz";
-    sha256 = "01glc6y7z1g726zwpvp2zm79pyb37ki729jkh45akh35fpgp4xc9";
-  };
-
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [ dbus expat ];
-
-  doCheck = false; # fails 1 of 17 test
-
-  meta = {
-    description = "A small library for C application development";
-    homepage = "https://launchpad.net/libnih";
-    license = lib.licenses.gpl2;
-    platforms = lib.platforms.linux;
-  };
-}
--- a/pkgs/development/libraries/podofo/default.nix
+++ b/pkgs/development/libraries/podofo/default.nix
@ -3,12 +3,12 @@
 }:

 stdenv.mkDerivation rec {
-  version = "0.9.7";
+  version = "0.9.8";
  pname = "podofo";

  src = fetchurl {
    url = "mirror://sourceforge/podofo/${pname}-${version}.tar.gz";
-    sha256 = "1f0yvkx6nf99fp741w2y706d8bs9824x1z2gqm3rdy5fv8bfgwkw";
+    sha256 = "sha256-XeYH4V8ZK4rZBzgwB1nYjeoPXM3OO/AASKDJMrxkUVQ=";
  };

  outputs = [ "out" "dev" "lib" ];
--- a/pkgs/development/libraries/science/math/lrs/default.nix
+++ b/pkgs/development/libraries/science/math/lrs/default.nix
@ -2,11 +2,11 @@

 stdenv.mkDerivation rec {
  pname = "lrs";
-  version = "7.0";
+  version = "7.2";

  src = fetchurl {
-    url = "http://cgm.cs.mcgill.ca/~avis/C/lrslib/archive/lrslib-070.tar.gz";
-    sha256 = "1zjdmkjracz695k73c2pvipc0skpyn1wzagkhilsvcw9pqljpwg9";
+    url = "http://cgm.cs.mcgill.ca/~avis/C/lrslib/archive/lrslib-072.tar.gz";
+    sha256 = "1w1jsnfgny8cihndr5gfm99pvwp48qsvxkqfsi2q87gd3m57aj7w";
  };

  buildInputs = [ gmp ];
--- a/pkgs/development/python-modules/bc-python-hcl2/default.nix
+++ b/pkgs/development/python-modules/bc-python-hcl2/default.nix
@ -8,14 +8,14 @@

 buildPythonPackage rec {
  pname = "bc-python-hcl2";
-  version = "0.3.39";
+  version = "0.3.40";
  format = "setuptools";

  disabled = pythonOlder "3.6";

  src = fetchPypi {
    inherit pname version;
-    hash = "sha256-JMQ2sLgAnMJ1/0nR8LgKbpPB43gVKtCtrZKr/T4p0O8=";
+    hash = "sha256-4we2Txk7kJ1SrCa82eQJ9OsqyTkFzocNi+GG7cV+OAc=";
  };

  # Nose is required during build process, so can not use `checkInputs`.
--- a/pkgs/development/python-modules/cvxpy/default.nix
+++ b/pkgs/development/python-modules/cvxpy/default.nix
@ -16,14 +16,14 @@

 buildPythonPackage rec {
  pname = "cvxpy";
-  version = "1.2.0";
+  version = "1.2.1";
  format = "pyproject";

  disabled = pythonOlder "3.5";

  src = fetchPypi {
    inherit pname version;
-    sha256 = "sha256-QURm/ehJovqr/ZRE7ILKLnvxQsAdcjdSTPlzCt60IBw=";
+    sha256 = "sha256-bWdkJkPR3bLyr1m0Zrh9QsSi42eDGte0PDO1nu+ltQ4=";
  };

  propagatedBuildInputs = [
--- a/pkgs/development/python-modules/ipympl/default.nix
+++ b/pkgs/development/python-modules/ipympl/default.nix
@ -8,12 +8,12 @@

 buildPythonPackage rec {
  pname = "ipympl";
-  version = "0.9.0";
+  version = "0.9.1";
  format = "wheel";

  src = fetchPypi {
    inherit pname version format;
-    sha256 = "sha256-HpO3T/zRbimxd1+nUkbSmclj7nPsMYuSUK0VJItZQs4=";
+    sha256 = "sha256-NQW0ctQSF4/RFeJVdk0efnYy1sgunebWKyVDijU3RoA=";
  };


--- a/pkgs/development/python-modules/pg8000/default.nix
+++ b/pkgs/development/python-modules/pg8000/default.nix
@ -8,14 +8,14 @@

 buildPythonPackage rec {
  pname = "pg8000";
-  version = "1.27.1";
+  version = "1.28.0";
  format = "setuptools";

  disabled = pythonOlder "3.6";

  src = fetchPypi {
    inherit pname version;
-    sha256 = "sha256-1qWDg0hZM0TyDrNa2kcqdy0yFFgm8u/ljb4bZeqZ6JA=";
+    sha256 = "sha256-Q1E949TjeOc6xEKpOQa6qdNWJFqmeqf2FgXFbjmn9ZE=";
  };

  propagatedBuildInputs = [
--- a/pkgs/development/tools/analysis/checkov/default.nix
+++ b/pkgs/development/tools/analysis/checkov/default.nix
@ -32,13 +32,13 @@ with py.pkgs;

 buildPythonApplication rec {
  pname = "checkov";
-  version = "2.0.1140";
+  version = "2.0.1143";

  src = fetchFromGitHub {
    owner = "bridgecrewio";
    repo = pname;
    rev = version;
-    hash = "sha256-aGO5mjBsUwpLIv73pZH1la6tyGByznTrjkW9dojkXwg=";
+    hash = "sha256-Kl9/wbjiQ46ysmnE24iQveTEzSTsVF5FHRqG3WWz3DQ=";
  };

  nativeBuildInputs = with py.pkgs; [
@ -94,6 +94,7 @@ buildPythonApplication rec {

  postPatch = ''
    substituteInPlace setup.py \
+      --replace "bc-python-hcl2==0.3.39" "bc-python-hcl2>=0.3.39" \
      --replace "cyclonedx-python-lib>=0.11.0,<1.0.0" "cyclonedx-python-lib>=0.11.0" \
      --replace "prettytable>=3.0.0" "prettytable" \
      --replace "pycep-parser==0.3.4" "pycep-parser"
--- a/pkgs/development/tools/dump_syms/default.nix
+++ b/pkgs/development/tools/dump_syms/default.nix
@ -1,8 +1,12 @@
 { lib
+, stdenv
 , rustPlatform
 , fetchFromGitHub
 , pkg-config
 , openssl
+
+# darwin
+, Security
 }:

 let
@ -27,6 +31,8 @@ rustPlatform.buildRustPackage {

  buildInputs = [
    openssl
+  ] ++ lib.optionals (stdenv.isDarwin) [
+    Security
  ];

  checkFlags = [
--- a/pkgs/development/tools/ocaml/dune/3.nix
+++ b/pkgs/development/tools/ocaml/dune/3.nix
@ -6,11 +6,11 @@ else

 stdenv.mkDerivation rec {
  pname = "dune";
-  version = "3.1.1";
+  version = "3.2.0";

  src = fetchurl {
-    url = "https://github.com/ocaml/dune/releases/download/${version}/fiber-${version}.tbz";
-    sha256 = "sha256-AkhEVKsbmYhAx4c1CexrIwHrkmYsEy749fT1abNaa2A=";
+    url = "https://github.com/ocaml/dune/releases/download/${version}/chrome-trace-${version}.tbz";
+    sha256 = "sha256-vR+85q557R6yb6ibsuLiOXivzrP1P1V4zxvasIoa1bw=";
  };

  nativeBuildInputs = [ ocaml findlib ];
--- a/pkgs/servers/icingaweb2/ipl.nix
+++ b/pkgs/servers/icingaweb2/ipl.nix
@ -2,13 +2,13 @@

 stdenvNoCC.mkDerivation rec {
  pname = "icingaweb2-ipl";
-  version = "0.8.0";
+  version = "0.8.1";

  src = fetchFromGitHub {
    owner = "Icinga";
    repo = "icinga-php-library";
    rev = "v${version}";
-    sha256 = "sha256:05k0qcd5c5xb124dpp6lvfdh4dzf6bkd34v4sy7aj776p4hrlqx2";
+    sha256 = "sha256:0ndd4gd26rglbz85izfvqc4ghcfa7wpq6ghrhggbzg819phndg5a";
  };

  installPhase = ''
--- a/pkgs/servers/invidious/lsquic.nix
+++ b/pkgs/servers/invidious/lsquic.nix
@ -1,11 +1,19 @@
-{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, cmake, zlib, perl, libevent, gcc10Stdenv, buildGoModule }:
+{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, fetchurl, cmake, zlib, perl, libevent }:
 let
  versions = builtins.fromJSON (builtins.readFile ./versions.json);

-  buildGoModuleGcc10 = buildGoModule.override { stdenv = gcc10Stdenv; };
+  fetchGitilesPatch = { name, url, sha256 }:
+    fetchurl {
+      url = "${url}%5E%21?format=TEXT";
+      inherit name sha256;
+      downloadToTemp = true;
+      postFetch = ''
+        base64 -d < $downloadedFile > $out
+      '';
+    };

  # lsquic requires a specific boringssl version (noted in its README)
-  boringssl' = (boringssl.overrideAttrs (old: {
+  boringssl' = boringssl.overrideAttrs ({ preBuild, ... }: {
    version = versions.boringssl.rev;
    src = fetchgit {
      url = "https://boringssl.googlesource.com/boringssl";
@ -15,10 +23,43 @@ let
    patches = [
      # Use /etc/ssl/certs/ca-certificates.crt instead of /etc/ssl/cert.pem
      ./use-etc-ssl-certs.patch
+
+      # because lsquic requires that specific boringssl version and that
+      # version does not yet include fixes for gcc11 build errors, they
+      # must be backported
+      (fetchGitilesPatch {
+        name = "fix-mismatch-between-header-and-implementation-of-bn_sqr_comba8.patch";
+        url = "https://boringssl.googlesource.com/boringssl/+/139adff9b27eaf0bdaac664ec4c9a7db2fe3f920";
+        sha256 = "05sp602dvh50v46jkzmh4sf4wqnq5bwy553596g2rhxg75bailjj";
+      })
+      (fetchGitilesPatch {
+        name = "use-an-unsized-helper-for-truncated-SHA-512-variants.patch";
+        url = "https://boringssl.googlesource.com/boringssl/+/a24ab549e6ae246b391155d7bed3790ac0e07de2";
+        sha256 = "0483jkpg4g64v23ln2blb74xnmzdjcn3r7w4zk7nfg8j3q5f9lxm";
+      })
+/*
+      # the following patch is too complex, so we will modify the build flags
+      # of crypto/fipsmodule/CMakeFiles/fipsmodule.dir/bcm.c.o in preBuild
+      # and turn off -Werror=stringop-overflow
+      (fetchGitilesPatch {
+        name = "make-md32_common.h-single-included-and-use-an-unsized-helper-for-SHA-256.patch";
+        url = "https://boringssl.googlesource.com/boringssl/+/597ffef971dd980b7de5e97a0c9b7ca26eec94bc";
+        sha256 = "1y0bkkdf1ccd6crx326agp01q22clm4ai4p982y7r6dkmxmh52qr";
+      })
+*/
+      (fetchGitilesPatch {
+        name = "fix-array-parameter-warnings.patch";
+        url = "https://boringssl.googlesource.com/boringssl/+/92c6fbfc4c44dc8462d260d836020d2b793e7804";
+        sha256 = "0h4sl95i8b0dj0na4ngf50wg54raxyjxl1zzwdc810abglp10vnv";
+      })
    ];
-  })).override {
-    buildGoModule = buildGoModuleGcc10;
-  };
+
+    preBuild = ''
+      ${preBuild}
+      sed -e '/^build crypto\/fipsmodule\/CMakeFiles\/fipsmodule\.dir\/bcm\.c\.o:/,/^ *FLAGS =/ s/^ *FLAGS = -Werror/& -Wno-error=stringop-overflow/' \
+          -i build.ninja
+    '';
+  });
 in
 stdenv.mkDerivation rec {
  pname = "lsquic";
--- a/pkgs/servers/invidious/shards.nix
+++ b/pkgs/servers/invidious/shards.nix
@ -20,14 +20,14 @@
  exception_page = {
    owner = "crystal-loot";
    repo = "exception_page";
-    rev = "v0.2.0";
-    sha256 = "0nlgnh5iykbr1v2132342k2mz6s2laws6nkgqsqlwhhcr4gb4jcx";
+    rev = "v0.2.2";
+    sha256 = "1c8askb9b7621jjz5pjj6b8pdbhw3r1l3dym6swg1saspf5j3jwi";
  };
  kemal = {
    owner = "kemalcr";
    repo = "kemal";
-    rev = "v1.1.0";
-    sha256 = "07vlvddy4mba9li2bvskzqzywwq55cyvlgkz13q6dsl4zfgc96ca";
+    rev = "v1.1.2";
+    sha256 = "1149q4qw0zrws5asqqr4snrdi67xsmisdcq58zcrbgqgsxgly9d0";
  };
  kilt = {
    owner = "jeromegn";
--- a/pkgs/servers/invidious/update.sh
+++ b/pkgs/servers/invidious/update.sh
@ -41,7 +41,7 @@ git -C "$git_dir" fetch origin "$git_branch"
 # because there might still be commits coming
 # use the day of the latest commit we picked as version
 new_rev=$(git -C "$git_dir" log -n 1 --format='format:%H' --before="${today}T00:00:00Z" "origin/$git_branch")
-new_version="unstable-$(git -C "$git_dir" log -n 1 --format='format:%cs' "$new_rev")"
+new_version="unstable-$(TZ=UTC git -C "$git_dir" log -n 1 --date='format-local:%Y-%m-%d' --format='%cd' "$new_rev")"
 info "latest commit before $today: $new_rev"

 if [ "$new_rev" = "$old_rev" ]; then
--- a/pkgs/servers/invidious/versions.json
+++ b/pkgs/servers/invidious/versions.json
@ -4,15 +4,15 @@
    "sha256": "sha256-EU6T9yQCdOLx98Io8o01rEsgxDFF/Xoy42LgPopD2/A="
  },
  "invidious": {
-    "rev": "ed265cfdcd131b9df5398d899cc5d7036a5b7846",
-    "sha256": "0hhnq4s0slwbgxra7gxapl7dcz60a7k71cndi4crqcikmazzac3b",
-    "version": "unstable-2022-03-16"
+    "rev": "ca27e096f3249533cc7a9b123a8a8378f3312bb7",
+    "sha256": "0xjdzxnw6b5lk8pr82sjj60wfzxqkyamh0gpf2wxby52jvlbdcka",
+    "version": "unstable-2022-05-11"
  },
  "lsquic": {
    "sha256": "sha256-hG8cUvhbCNeMOsKkaJlgGpzUrIx47E/WhmPIdI5F3qM=",
    "version": "2.18.1"
  },
  "videojs": {
-    "sha256": "0b4vxd29kpvy60yhqm376r1872gds17s6wljqw0zlr16j762k50r"
+    "sha256": "0m09pc9acpzhfwwvc9dayl60nn28skmmglgvmlp48dlkqgfbgc27"
  }
 }
--- a/pkgs/servers/monitoring/icinga2/default.nix
+++ b/pkgs/servers/monitoring/icinga2/default.nix
@ -9,13 +9,13 @@

 stdenv.mkDerivation rec {
  pname = "icinga2${nameSuffix}";
-  version = "2.13.2";
+  version = "2.13.3";

  src = fetchFromGitHub {
    owner = "icinga";
    repo = "icinga2";
    rev = "v${version}";
-    sha256 = "sha256:1ijvav2ymgq1i8jycrqbp2y4r54y0dkwjnwxc20bmcixxh877zdn";
+    sha256 = "sha256:1z8wzhlhl8vb7m8axvayfyqgf86lz67gaa02n3r17049vwswdgmb";
  };

  patches = [
--- a/pkgs/tools/admin/syft/default.nix
+++ b/pkgs/tools/admin/syft/default.nix
@ -2,13 +2,13 @@

 buildGoModule rec {
  pname = "syft";
-  version = "0.45.1";
+  version = "0.46.1";

  src = fetchFromGitHub {
    owner = "anchore";
    repo = pname;
    rev = "v${version}";
-    sha256 = "sha256-oexsu52x9rAqwTVxTVHzKPuaIfvg5lvvuBmKcnb2Yew=";
+    sha256 = "sha256-ojjudnS0yJZ6YoHmq4m0YKyCqq9Ge+AFU7ejlPop71w=";
    # populate values that require us to use git. By doing this in postFetch we
    # can delete .git afterwards and maintain better reproducibility of the src.
    leaveDotGit = true;
@ -20,11 +20,11 @@ buildGoModule rec {
      find "$out" -name .git -print0 | xargs -0 rm -rf
    '';
  };
-  vendorSha256 = "sha256-d6ZBWX4/lgh610fBLTE1EUqZmpctLfxi2PSRifH+1jg=";
+  vendorSha256 = "sha256-nb7QcdmwAfYDTzCFNjs7uKwK/gng2iMD36ANaFSsftk=";

  nativeBuildInputs = [ installShellFiles ];

-  subPackages = [ "." ];
+  subPackages = [ "cmd/syft" ];

  ldflags = [
    "-s"
@ -52,6 +52,17 @@ buildGoModule rec {
      --zsh <($out/bin/syft completion zsh)
  '';

+  doInstallCheck = true;
+  installCheckPhase = ''
+    runHook preInstallCheck
+
+    export SYFT_CHECK_FOR_APP_UPDATE=false
+    $out/bin/syft --help
+    $out/bin/syft version | grep "${version}"
+
+    runHook postInstallCheck
+  '';
+
  meta = with lib; {
    homepage = "https://github.com/anchore/syft";
    changelog = "https://github.com/anchore/syft/releases/tag/v${version}";
--- a/pkgs/tools/misc/fontforge/default.nix
+++ b/pkgs/tools/misc/fontforge/default.nix
@ -63,7 +63,6 @@ stdenv.mkDerivation rec {
    ++ lib.optional (!withGTK) "-DENABLE_X11=ON"
    ++ lib.optional withExtras "-DENABLE_FONTFORGE_EXTRAS=ON";

-  # work-around: git isn't really used, but configuration fails without it
  preConfigure = ''
    # The way $version propagates to $version of .pe-scripts (https://github.com/dejavu-fonts/dejavu-fonts/blob/358190f/scripts/generate.pe#L19)
    export SOURCE_DATE_EPOCH=$(date -d ${version} +%s)
--- a/pkgs/tools/nix/npins/default.nix
+++ b/pkgs/tools/nix/npins/default.nix
@ -0,0 +1,44 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+, nix-gitignore
+, makeWrapper
+, stdenv
+, darwin
+, callPackage
+
+  # runtime dependencies
+, nix # for nix-prefetch-url
+, nix-prefetch-git
+, git # for git ls-remote
+}:
+
+let
+  runtimePath = lib.makeBinPath [ nix nix-prefetch-git git ];
+  sources = (builtins.fromJSON (builtins.readFile ./sources.json)).pins;
+in rustPlatform.buildRustPackage rec {
+  pname = "npins";
+  version = src.version;
+  src = passthru.mkSource sources.npins;
+
+  cargoSha256 = "0rwnzkmx91cwcz9yw0rbbqv73ba6ggim9f4qgz5pgy6h696ld2k8";
+
+  buildInputs = lib.optional stdenv.isDarwin (with darwin.apple_sdk.frameworks; [ Security ]);
+  nativeBuildInputs = [ makeWrapper ];
+
+  # (Almost) all tests require internet
+  doCheck = false;
+
+  postFixup = ''
+    wrapProgram $out/bin/npins --prefix PATH : "${runtimePath}"
+  '';
+
+  meta = with lib; {
+    description = "Simple and convenient dependency pinning for Nix";
+    homepage = "https://github.com/andir/npins";
+    license = licenses.eupl12;
+    maintainers = with maintainers; [ piegames ];
+  };
+
+  passthru.mkSource = callPackage ./source.nix {};
+}
--- a/pkgs/tools/nix/npins/source.nix
+++ b/pkgs/tools/nix/npins/source.nix
@ -0,0 +1,57 @@
+# Not part of the public API – for use within nixpkgs only
+#
+# Usage:
+# ```nix
+# let
+#   sources = builtins.fromJSON (builtins.readFile ./sources.json);
+# in mkMyDerivation rec {
+#   version = src.version; # This obviously only works for releases
+#   src = pkgs.npins.mkSource sources.mySource;
+# }
+# ```
+
+{ fetchgit
+, fetchzip
+, fetchurl
+}:
+let
+  mkSource = spec:
+    assert spec ? type; let
+      path =
+        if spec.type == "Git" then mkGitSource spec
+        else if spec.type == "GitRelease" then mkGitSource spec
+        else if spec.type == "PyPi" then mkPyPiSource spec
+        else if spec.type == "Channel" then mkChannelSource spec
+        else throw "Unknown source type ${spec.type}";
+    in
+    spec // { outPath = path; };
+
+  mkGitSource = { repository, revision, url ? null, hash, ... }:
+    assert repository ? type;
+    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+    # In the latter case, there we will always be an url to the tarball
+    if url != null then
+      (fetchzip {
+        inherit url;
+        sha256 = hash;
+        extension = "tar";
+      })
+    else assert repository.type == "Git"; fetchgit {
+      url = repository.url;
+      rev = revision;
+    };
+
+  mkPyPiSource = { url, hash, ... }:
+    fetchurl {
+      inherit url;
+      sha256 = hash;
+    };
+
+  mkChannelSource = { url, hash, ... }:
+    fetchzip {
+      inherit url;
+      sha256 = hash;
+      extension = "tar";
+    };
+in
+  mkSource
--- a/pkgs/tools/nix/npins/sources.json
+++ b/pkgs/tools/nix/npins/sources.json
@ -0,0 +1,19 @@
+{
+  "pins": {
+    "npins": {
+      "type": "GitRelease",
+      "repository": {
+        "type": "GitHub",
+        "owner": "andir",
+        "repo": "npins"
+      },
+      "pre_releases": false,
+      "version_upper_bound": null,
+      "version": "0.1.0",
+      "revision": "5c9253ff6010f435ab73fbe1e50ae0fdca0ec07b",
+      "url": "https://api.github.com/repos/andir/npins/tarball/0.1.0",
+      "hash": "019fr9xsirld8kap75k18in3krkikqhjn4mglpy3lyhbhc5n1kh6"
+    }
+  },
+  "version": 2
+}
--- a/pkgs/tools/security/witness/default.nix
+++ b/pkgs/tools/security/witness/default.nix
@ -2,15 +2,15 @@

 buildGoModule rec {
  pname = "witness";
-  version = "0.1.7";
+  version = "0.1.8";

  src = fetchFromGitHub {
    owner = "testifysec";
    repo = pname;
    rev = "v${version}";
-    sha256 = "sha256-fkY3/UmHzggmysrae8VCY3NMBxC/LcWoQcXBELEzJlM=";
+    sha256 = "sha256-i76sw5ysWDZwuNt7CYtpVy9mEV643i4YaMxksglyPWw=";
  };
-  vendorSha256 = "sha256-ajWIjQXLvFQB1AVYyGjyWMrWIyue/d1uU5HHNf4/UcU=";
+  vendorSha256 = "sha256-A3fnAWEJ7SeUnDfIIOkbHIhUBRB8INcqMleOLL3LHF0=";

  nativeBuildInputs = [ installShellFiles ];

--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@ -679,6 +679,7 @@ mapAliases ({
  liblastfm = libsForQt5.liblastfm; # Added 2020-06-14
  liblrdf = throw "'liblrdf' has been renamed to/replaced by 'lrdf'"; # Converted to throw 2022-02-22
  libmsgpack = throw "'libmsgpack' has been renamed to/replaced by 'msgpack'"; # Converted to throw 2022-02-22
+  libnih = throw "'libnih' has been removed"; # Converted to throw 2022-05-17
  libosmpbf = throw "libosmpbf was removed because it is no longer required by osrm-backend";
  libpng_apng = throw "libpng_apng has been removed, because it is equivalent to libpng"; # Added 2021-03-21
  libpulseaudio-vanilla = libpulseaudio; # Added 2022-04-20
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -4015,6 +4015,8 @@ with pkgs;

  notify = callPackage ../tools/misc/notify { };

+  npins = callPackage ../tools/nix/npins { };
+
  nrsc5 = callPackage ../applications/misc/nrsc5 { };

  nsync = callPackage ../development/libraries/nsync { };
@ -5309,7 +5311,9 @@ with pkgs;
    autoreconfHook = buildPackages.autoreconfHook269;
  };

-  dump_syms = callPackage ../development/tools/dump_syms { };
+  dump_syms = callPackage ../development/tools/dump_syms {
+    inherit (darwin.apple_sdk.frameworks) Security;
+  };

  dumptorrent = callPackage ../tools/misc/dumptorrent { };

@ -19009,8 +19013,6 @@ with pkgs;

  libnftnl = callPackage ../development/libraries/libnftnl { };

-  libnih = callPackage ../development/libraries/libnih { };
-
  libnova = callPackage ../development/libraries/science/astronomy/libnova { };

  libnxml = callPackage ../development/libraries/libnxml { };
@ -23246,6 +23248,8 @@ with pkgs;
  linux_5_10_hardened = linuxKernel.kernels.linux_5_10_hardened;
  linuxPackages_5_15_hardened = linuxKernel.packages.linux_5_15_hardened;
  linux_5_15_hardened = linuxKernel.kernels.linux_5_15_hardened;
+  linuxPackages_5_17_hardened = linuxKernel.packages.linux_5_17_hardened;
+  linux_5_17_hardened = linuxKernel.kernels.linux_5_17_hardened;

  # Hardkernel (Odroid) kernels.
  linuxPackages_hardkernel_latest = linuxKernel.packageAliases.linux_hardkernel_latest;
--- a/pkgs/top-level/linux-kernels.nix
+++ b/pkgs/top-level/linux-kernels.nix
@ -236,6 +236,7 @@ in {
    linux_5_4_hardened = hardenedKernelFor kernels.linux_5_4 { };
    linux_5_10_hardened = hardenedKernelFor kernels.linux_5_10 { };
    linux_5_15_hardened = hardenedKernelFor kernels.linux_5_15 { };
+    linux_5_17_hardened = hardenedKernelFor kernels.linux_5_17 { };

  }));
  /*  Linux kernel modules are inherently tied to a specific kernel.  So