From 16131300633776df7392539249af61f73811a93a Mon Sep 17 00:00:00 2001
From: David McFarland
Date: Tue, 8 Jun 2021 22:28:01 -0300
Subject: [PATCH 01/43] p4v: 2020.1.1966006 -> 2021.3.2186916

---
 .../version-management/p4v/default.nix | 48 +++++++++++++++----
 pkgs/top-level/all-packages.nix | 3 +-
 2 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/pkgs/applications/version-management/p4v/default.nix b/pkgs/applications/version-management/p4v/default.nix
index 476df99d232..2e0e01e5c98 100644
--- a/pkgs/applications/version-management/p4v/default.nix
+++ b/pkgs/applications/version-management/p4v/default.nix
@@ -1,12 +1,38 @@ -{ stdenv, fetchurl, lib, qtbase, qtmultimedia, qtscript, qtsensors, qtwebengine, qtwebkit, openssl, xkeyboard_config, patchelfUnstable, wrapQtAppsHook }: +{ stdenv +, fetchurl +, lib +, qtbase +, qtwebengine +, qtdeclarative +, qtwebchannel +, syntax-highlighting +, openssl +, xkeyboard_config +, patchelfUnstable +, wrapQtAppsHook +, writeText +}: +let + # This abomination exists because p4v calls CRYPTO_set_mem_functions and + # expects it to succeed. The function will fail if CRYPTO_malloc has already + # been called, which happens at init time via qtwebengine -> ... -> libssh. I + # suspect it was meant to work with a version of Qt where openssl is + # statically linked or some other library is used. + crypto-hack = writeText "crypto-hack.c" '' + #include + int CRYPTO_set_mem_functions( + void *(*m)(size_t, const char *, int), + void *(*r)(void *, size_t, const char *, int), + void (*f)(void *, const char *, int)) { return 1; } + ''; -stdenv.mkDerivation rec { +in stdenv.mkDerivation rec { pname = "p4v"; - version = "2020.1.1966006"; + version = "2021.3.2186916"; src = fetchurl { - url = "https://cdist2.perforce.com/perforce/r20.1/bin.linux26x86_64/p4v.tgz"; - sha256 = "0zc70d7jgdrd2jli338n1h05hgb7jmmv8hvq205wh78vvllrlv10"; + url = "http://web.archive.org/web/20211118024745/https://cdist2.perforce.com/perforce/r21.3/bin.linux26x86_64/p4v.tgz"; + sha256 = "1zldg21xq4srww9pcfbv3p8320ghjnh333pz5r70z1gwbq4vf3jq"; }; dontBuild = true; @@ -15,11 +41,10 @@ stdenv.mkDerivation rec { ldLibraryPath = lib.makeLibraryPath [ stdenv.cc.cc.lib qtbase - qtmultimedia - qtscript - qtsensors qtwebengine - qtwebkit + qtdeclarative + qtwebchannel + syntax-highlighting openssl ]; 
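Review bot: The new `src.url` downloads the p4v tarball over plain `http://web.archive.org/...`; the pinned sha256 guarantees integrity, but the fetch should still be `url = "https://web.archive.org/web/20211118024745/https://cdist2.perforce.com/perforce/r21.3/bin.linux26x86_64/p4v.tgz";`. The `crypto-hack` stub reports success without installing the callbacks p4v passes, so whatever allocator behaviour p4v expects from `CRYPTO_set_mem_functions` silently never takes effect; the comment above `crypto-hack` should record that trade-off, e.g. `# The stub only suppresses the failure path; p4v's own malloc/realloc/free hooks are never installed.`. The `#include` line in the stub shows no header name here, which may be a rendering artefact of this page rather than the committed file.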
@@ -29,14 +54,17 @@ stdenv.mkDerivation rec { cp -r bin $out mkdir -p $out/lib cp -r lib/P4VResources $out/lib + $CC -fPIC -shared -o $out/lib/libcrypto-hack.so ${crypto-hack} for f in $out/bin/*.bin ; do patchelf --set-rpath $ldLibraryPath --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" $f # combining this with above breaks rpath (patchelf bug?) - patchelf --add-needed libstdc++.so $f \ + patchelf --add-needed libstdc++.so \ + --add-needed $out/lib/libcrypto-hack.so \ --clear-symbol-version _ZNSt20bad_array_new_lengthD1Ev \ --clear-symbol-version _ZTVSt20bad_array_new_length \ --clear-symbol-version _ZTISt20bad_array_new_length \ + --clear-symbol-version _ZdlPvm \ $f wrapQtApp $f \ --suffix QT_XKB_CONFIG_ROOT : ${xkeyboard_config}/share/X11/xkb diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 778ce279d7e..4ca6ea97444 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -27555,8 +27555,7 @@ with pkgs; ostinato = libsForQt5.callPackage ../applications/networking/ostinato { }; p4 = callPackage ../applications/version-management/p4 { }; - # Broken with Qt5.15 because qtwebkit is broken with it - p4v = libsForQt514.callPackage ../applications/version-management/p4v { }; + p4v = libsForQt515.callPackage ../applications/version-management/p4v { }; partio = callPackage ../development/libraries/partio {}; From 5f63e522ac18db9c8434a2ec553953b77040f925 Mon Sep 17 00:00:00 2001 From: Johannes Schleifenbaum Date: Mon, 7 Feb 2022 11:34:52 +0100 Subject: [PATCH 02/43] protoc-gen-twirp_php: 0.8.0 -> 0.8.1 --- pkgs/development/tools/protoc-gen-twirp_php/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/tools/protoc-gen-twirp_php/default.nix b/pkgs/development/tools/protoc-gen-twirp_php/default.nix index df5afac2dbb..4cb6ce66b32 100644 --- a/pkgs/development/tools/protoc-gen-twirp_php/default.nix 
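Review bot: `--add-needed $out/lib/libcrypto-hack.so` only overrides `CRYPTO_set_mem_functions` if the stub is resolved ahead of the real symbol in libcrypto (pulled in through qtwebengine), and that depends on where patchelf places the new DT_NEEDED entry, which nothing in the hunk checks. A comment next to that line recording the assumption, e.g. `# must bind before libcrypto's CRYPTO_set_mem_functions; check with LD_DEBUG=bindings if p4v starts aborting again`, or an installCheck that confirms the binding, would keep the next Qt or OpenSSL bump from silently undoing the workaround. The `all-packages.nix` hunk in this commit is a plain callPackage switch and needs nothing.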
+++ b/pkgs/development/tools/protoc-gen-twirp_php/default.nix @@ -2,13 +2,13 @@ buildGoModule rec { pname = "protoc-gen-twirp_php"; - version = "0.8.0"; + version = "0.8.1"; # fetchFromGitHub currently not possible, because go.mod and go.sum are export-ignored src = fetchgit { url = "https://github.com/twirphp/twirp.git"; rev = "v${version}"; - sha256 = "sha256-TaHfyYoWsA/g5xZFxIMNwE1w6Dd9Cq5bp1gpQudYLs0="; + sha256 = "sha256-5PACgKqc8rWqaA6Syj5NyxHm3827yd67tm0mwVSMnWQ="; }; vendorSha256 = "sha256-qQFlBviRISEnPBt0q5391RqUrPTI/QDxg3MNfwWE8MI="; From dcbe74f3d71a4256b1bc9053d762faccfeb9254c Mon Sep 17 00:00:00 2001 From: Johannes Schleifenbaum Date: Mon, 7 Feb 2022 11:37:02 +0100 Subject: [PATCH 03/43] protoc-gen-twirp_php: set version --- pkgs/development/tools/protoc-gen-twirp_php/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/development/tools/protoc-gen-twirp_php/default.nix b/pkgs/development/tools/protoc-gen-twirp_php/default.nix index 4cb6ce66b32..a54c860f295 100644 --- a/pkgs/development/tools/protoc-gen-twirp_php/default.nix +++ b/pkgs/development/tools/protoc-gen-twirp_php/default.nix @@ -15,6 +15,10 @@ buildGoModule rec { subPackages = [ "protoc-gen-twirp_php" ]; + ldflags = [ + "-X main.version=${version}" + ]; + meta = with lib; { description = "PHP port of Twitch's Twirp RPC framework"; homepage = "https://github.com/twirphp/twirp"; From 76591b5b62275ed19e86353c2c6c91e0267dfc15 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Tue, 5 Apr 2022 23:48:30 +0000 Subject: [PATCH 04/43] psi-plus: 1.5.1615 -> 1.5.1618 --- .../networking/instant-messengers/psi-plus/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/networking/instant-messengers/psi-plus/default.nix b/pkgs/applications/networking/instant-messengers/psi-plus/default.nix index aeb20d6779e..fe3f90346f1 100644 --- a/pkgs/applications/networking/instant-messengers/psi-plus/default.nix 
+++ b/pkgs/applications/networking/instant-messengers/psi-plus/default.nix @@ -43,13 +43,13 @@ assert enablePsiMedia -> enablePlugins; mkDerivation rec { pname = "psi-plus"; - version = "1.5.1615"; + version = "1.5.1618"; src = fetchFromGitHub { owner = "psi-plus"; repo = "psi-plus-snapshots"; rev = version; - sha256 = "sha256-aD+JVGmBWHUav2bH9rXGtgqI+/5lJTMrYLRP7E65JxI="; + sha256 = "sha256-ueZYFOZFCPQrg9etZCrY5ZTn7PZMkcuwbXVPPbW9S/A="; }; cmakeFlags = [ From a2b02ea64694c35ce4a22eab2e7c005c93c7157c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 24 Mar 2022 09:07:54 +0100 Subject: [PATCH 05/43] telegraf: 1.22.0 -> 1.22.1 --- pkgs/servers/monitoring/telegraf/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/servers/monitoring/telegraf/default.nix b/pkgs/servers/monitoring/telegraf/default.nix index 3250d233994..5c1f2e6862b 100644 --- a/pkgs/servers/monitoring/telegraf/default.nix +++ b/pkgs/servers/monitoring/telegraf/default.nix @@ -2,7 +2,7 @@ buildGoModule rec { pname = "telegraf"; - version = "1.22.0"; + version = "1.22.1"; excludedPackages = "test"; @@ -12,10 +12,10 @@ buildGoModule rec { owner = "influxdata"; repo = "telegraf"; rev = "v${version}"; - sha256 = "sha256-Y7vR6kmh1rObDyyHA2NFvBkilBz+Bx8BHqlAoVY/gGo="; + sha256 = "sha256-W6o+dFUdnH4c+SLwqhoutOsXf+XLu2qNjYytPp43fjk="; }; - vendorSha256 = "sha256-oSN6nHOtXA2cSZEmToRvALkSxAyel9BU7bh1groEnsw="; + vendorSha256 = "sha256-28Xz8fIlrdCVkG0x5toJXht+RIkBmey4wi6WGqsq80k="; proxyVendor = true; ldflags = [ From 22419c93cd3a2290a6d53b70201a702847e47275 Mon Sep 17 00:00:00 2001 
From: Alvar Penning Date: Sat, 9 Apr 2022 14:01:21 +0200 Subject: [PATCH 06/43] weechat-otr: Fix build and knownVulnerabilities First, this closes #167972 by explicitly disabling Python tests for the backported pycrypto library. Those tests were written for Python 2 only. Furthermore, the meta.knownVulnerabilities attribute was added as the last weechat-otr upstream release was in 2018-03 [0] and the backported Debian package of pycrypto is from 2020-04 [1]. As there are no known vulnerabilities for weechat-otr itself, pycrypto "is unmaintained, obsolete, and contains security vulnerabilities" [2]. Even with Debian's patches, this is no good situation. As weechat-otr being a security and privacy related software, it should be made obvious, that its code base is old and unmaintained. [0] https://github.com/mmb/weechat-otr/releases/tag/v1.9.2 [1] https://salsa.debian.org/sramacher/python-crypto/-/tags/debian%2F2.6.1-13.1 [2] https://www.pycrypto.org/ --- .../networking/irc/weechat/scripts/weechat-otr/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pkgs/applications/networking/irc/weechat/scripts/weechat-otr/default.nix b/pkgs/applications/networking/irc/weechat/scripts/weechat-otr/default.nix index 987271e4ffa..fd5f376ad26 100644 --- a/pkgs/applications/networking/irc/weechat/scripts/weechat-otr/default.nix +++ b/pkgs/applications/networking/irc/weechat/scripts/weechat-otr/default.nix @@ -24,6 +24,9 @@ let buildInputs = [ gmp ]; + # Tests are relying on old Python 2 modules. + doCheck = false; + preConfigure = '' sed -i 's,/usr/include,/no-such-dir,' configure sed -i "s!,'/usr/include/'!!" setup.py @@ -66,5 +69,9 @@ in stdenv.mkDerivation rec { license = licenses.gpl3; maintainers = with maintainers; [ oxzi ]; description = "WeeChat script for Off-the-Record messaging"; + knownVulnerabilities = [ + "There is no upstream release since 2018-03." + "Utilizes deprecated and vulnerable pycrypto library with Debian patches from 2020-04." + ]; }; } 
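Review bot: The first `knownVulnerabilities` entry, `There is no upstream release since 2018-03.`, describes maintenance status rather than a vulnerability, and the second names neither the affected component's reference nor the source the commit message cites; since this list is what users see when evaluation refuses the package, it should be self-contained, e.g. `"weechat-otr has had no upstream release since 2018-03 and bundles the unmaintained pycrypto library (Debian 2.6.1-13.1 patches from 2020-04), which upstream describes as containing security vulnerabilities: https://www.pycrypto.org/"`. The `doCheck = false;` in the first hunk sits on the pycrypto sub-derivation; its comment could say why re-enabling will not help, `# pycrypto's test suite targets Python 2 and does not run under Python 3.`.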
From 2f99b71368ce0cb24c1f38a136c24f3de12b34f9 Mon Sep 17 00:00:00 2001 From: Pawel Kruszewski Date: Sun, 10 Apr 2022 09:54:07 +0200 Subject: [PATCH 07/43] timeular: 3.9.1 -> 4.7.1 --- pkgs/applications/office/timeular/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/applications/office/timeular/default.nix b/pkgs/applications/office/timeular/default.nix index 477ae48b5f4..50298247d5a 100644 --- a/pkgs/applications/office/timeular/default.nix +++ b/pkgs/applications/office/timeular/default.nix @@ -7,13 +7,13 @@ }: let - version = "3.9.1"; + version = "4.7.1"; pname = "timeular"; name = "${pname}-${version}"; src = fetchurl { url = "https://s3.amazonaws.com/timeular-desktop-packages/linux/production/Timeular-${version}.AppImage"; - sha256 = "103hy443p697jdkz6li8s1n6kg1r55jmiw2vbjz12kskf7njg4y4"; + sha256 = "sha256:0k8ywbdb41imq10ya9y27zks67a6drjb1h0hn8ycd7a6z6703rjz"; }; appimageContents = appimageTools.extractType2 { @@ -35,7 +35,7 @@ in appimageTools.wrapType2 rec { install -m 444 -D ${appimageContents}/timeular.desktop $out/share/applications/timeular.desktop install -m 444 -D ${appimageContents}/timeular.png $out/share/icons/hicolor/512x512/apps/timeular.png substituteInPlace $out/share/applications/timeular.desktop \ - --replace 'Exec=AppRun' 'Exec=${pname}' + --replace "Exec=AppRun --no-sandbox %U" "Exec=$out/bin/${pname}" ''; meta = with lib; { From 82060bee0b912334d828a1d2a771fdb55694561e Mon Sep 17 00:00:00 2001 From: Shawn8901 Date: Mon, 18 Apr 2022 20:45:04 +0200 Subject: [PATCH 08/43] portfolio: 0.57.1 -> 0.57.2 --- pkgs/applications/office/portfolio/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/office/portfolio/default.nix b/pkgs/applications/office/portfolio/default.nix index 33cf9e0c55d..7b53a15d6b8 100644 --- a/pkgs/applications/office/portfolio/default.nix +++ b/pkgs/applications/office/portfolio/default.nix 
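Review bot: `substituteInPlace ... --replace "Exec=AppRun --no-sandbox %U" "Exec=$out/bin/${pname}"` is a silent no-op if the upstream desktop file's Exec line ever differs from that exact string, and it also drops the `%U` field code, so the launcher no longer receives URLs or files handed over by the desktop environment; if that is intended it deserves a comment, otherwise keep `%U` in the replacement. Dropping `--no-sandbox` is the right direction, since the Chromium sandbox stays enabled, but whether the AppImage still starts under `appimageTools.wrapType2` without it is something the commit should state it tested. A follow-up check such as `grep -q "Exec=$out/bin/${pname}" $out/share/applications/timeular.desktop` would catch the silent no-op at build time.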
@@ -25,11 +25,11 @@ let in stdenv.mkDerivation rec { pname = "PortfolioPerformance"; - version = "0.57.1"; + version = "0.57.2"; src = fetchurl { url = "https://github.com/buchen/portfolio/releases/download/${version}/PortfolioPerformance-${version}-linux.gtk.x86_64.tar.gz"; - sha256 = "sha256-uEEFkHyApf+TObcu+Yo5vBOs2Erq0IXGhbjzlEe8NmI="; + sha256 = "sha256-ftLKlNzr46iL/V+P3J1wtoUByGHHl7wrh4xctU4JYkM="; }; nativeBuildInputs = [ From 4986504f04680788b6c2904a1acc71135388d0dd Mon Sep 17 00:00:00 2001 From: sternenseemann Date: Tue, 26 Apr 2022 19:13:59 +0200 Subject: [PATCH 09/43] python38Packages.backports-zoneinfo: test data for zoneinfo 2022a Unfortunately test data needs to be continuously updated to match zoneinfo or the tests will fail. This was relatively annoying and I'd recommend just disabling the tests if this happens again. --- .../backports-zoneinfo/default.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/pkgs/development/python-modules/backports-zoneinfo/default.nix b/pkgs/development/python-modules/backports-zoneinfo/default.nix index d2b6d06c4cd..5fa4c632316 100644 --- a/pkgs/development/python-modules/backports-zoneinfo/default.nix +++ b/pkgs/development/python-modules/backports-zoneinfo/default.nix @@ -7,6 +7,7 @@ , tzdata , hypothesis , pytestCheckHook +, fetchpatch }: buildPythonPackage rec { 
@@ -22,7 +23,25 @@ buildPythonPackage rec { sha256 = "sha256-00xdDOVdDanfsjQTd3yjMN2RFGel4cWRrAA3CvSnl24="; }; + # Make sure test data update patch applies + prePatch = '' + substituteInPlace tests/data/zoneinfo_data.json --replace \"2020a\" \"2021a\" + ''; + patches = [ + # Update test suite's test data to zoneinfo 2022a + # https://github.com/pganssle/zoneinfo/pull/115 + (fetchpatch { + name = "backports-zoneinfo-2022a-update-test-data1.patch"; + url = "https://github.com/pganssle/zoneinfo/pull/115/commits/837e2a0f9f1a1332e4233f83e3648fa564a9ec9e.patch"; + sha256 = "196knwa212mr0b7zsh8papzr3f5mii87gcjjjx1r9zzvmk3g3ri0"; + }) + (fetchpatch { + name = "backports-zoneinfo-2022a-update-test-data2.patch"; + url = "https://github.com/pganssle/zoneinfo/pull/115/commits/9fd330265b177916d6182249439bb40d5691eb58.patch"; + sha256 = "1zxa5bkwi8hbnh4c0qv72wv6vdp5jlxqizfjsc05ymzvwa99cf75"; + }) + (substituteAll { name = "zoneinfo-path"; src = ./zoneinfo.patch; From a3c0afb1e22616b2f9dfab6964966d4ff0e9781c Mon Sep 17 00:00:00 2001 From: Ashish SHUKLA Date: Fri, 29 Apr 2022 05:56:41 +0530 Subject: [PATCH 10/43] got: 0.68.1 -> 0.69 Add dependency on libbsd, required for arc4random_* functions --- pkgs/applications/version-management/got/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/applications/version-management/got/default.nix b/pkgs/applications/version-management/got/default.nix index 9e444fb3b39..f38bb042c43 100644 --- a/pkgs/applications/version-management/got/default.nix +++ b/pkgs/applications/version-management/got/default.nix 
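Review bot: The `prePatch` substitution `substituteInPlace tests/data/zoneinfo_data.json --replace \"2020a\" \"2021a\"` does nothing and reports nothing if the file no longer contains the literal `"2020a"`, so the two fetched patches would then fail with a confusing hunk error instead of a clear message. A guard `grep -q '"2020a"' tests/data/zoneinfo_data.json` before the substitution, or a comment naming the upstream test-data version this sequence expects, would make the next update easier, which the commit message already anticipates. The fetchpatch sources are hash-pinned, so the patch inputs themselves are fine.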
@@ -1,17 +1,17 @@ -{ lib, stdenv, fetchurl, pkg-config, openssl, libuuid, libmd, zlib, ncurses }: +{ lib, stdenv, fetchurl, pkg-config, openssl, libbsd, libuuid, libmd, zlib, ncurses }: stdenv.mkDerivation rec { pname = "got"; - version = "0.68.1"; + version = "0.69"; src = fetchurl { url = "https://gameoftrees.org/releases/portable/got-portable-${version}.tar.gz"; - sha256 = "122wignzrhsw00mfnh7mxcxvjyp9rk73yxzfyvmg7f5kmb0hng35"; + sha256 = "1cnl0yk866wzjwgas587kvb08njq7db71b5xqsdrwd1varp010vm"; }; nativeBuildInputs = [ pkg-config ]; - buildInputs = [ openssl libuuid libmd zlib ncurses ]; + buildInputs = [ openssl libbsd libuuid libmd zlib ncurses ]; doInstallCheck = true; From 3d76f7ec3927f3354bc2df6760e30c2226255d61 Mon Sep 17 00:00:00 2001 From: Luna Nova Date: Thu, 28 Apr 2022 18:41:59 -0700 Subject: [PATCH 11/43] input-remapper: unstable-2022-02-09 -> 1.4.2 Release notes https://github.com/sezanzeb/input-remapper/releases/tag/1.4.2 https://github.com/sezanzeb/input-remapper/releases/tag/1.4.1 (partial) --- pkgs/tools/inputmethods/input-remapper/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/inputmethods/input-remapper/default.nix b/pkgs/tools/inputmethods/input-remapper/default.nix index 1ac061034d7..0a1ce3108f2 100644 --- a/pkgs/tools/inputmethods/input-remapper/default.nix +++ b/pkgs/tools/inputmethods/input-remapper/default.nix @@ -34,9 +34,9 @@ # https://discourse.nixos.org/t/avoid-rec-expresions-in-nixpkgs/8293/7 # The names are prefixed with input_remapper to avoid potential # collisions with package names -, input_remapper_version ? "unstable-2022-02-09" -, input_remapper_src_rev ? "55227e0b5a28d21d7333c6c8ea1c691e56fd35c4" -, input_remapper_src_hash ? "sha256-kzGlEaYN/JfAgbI0aMLr5mwObYOL43X7QU/ihDEBQFg=" +, input_remapper_version ? "1.4.2" +, input_remapper_src_rev ? "af20f87a1298153e765b840a2164ba63b9ef937a" +, input_remapper_src_hash ? "sha256-eG4Fx1z74Bq1HrfmzOuULQLziGdWnHLax8y2dymjWsI=" }: let 
From 35b85a126d8a23a6b563bb21308a2c067006153e Mon Sep 17 00:00:00 2001 From: Jan Tojnar Date: Sat, 30 Apr 2022 23:45:49 +0200 Subject: [PATCH 12/43] =?UTF-8?q?umockdev:=200.17.8=20=E2=86=92=200.17.9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://github.com/martinpitt/umockdev/releases/tag/0.17.9 --- pkgs/development/libraries/umockdev/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/umockdev/default.nix b/pkgs/development/libraries/umockdev/default.nix index fbf5a71bb4b..fd35a94922e 100644 --- a/pkgs/development/libraries/umockdev/default.nix +++ b/pkgs/development/libraries/umockdev/default.nix @@ -19,13 +19,13 @@ stdenv.mkDerivation rec { pname = "umockdev"; - version = "0.17.8"; + version = "0.17.9"; outputs = [ "bin" "out" "dev" "devdoc" ]; src = fetchurl { url = "https://github.com/martinpitt/umockdev/releases/download/${version}/${pname}-${version}.tar.xz"; - sha256 = "sha256-s3zeWJxw5ohUtsv4NZGKcdP8khEYzIXycbBrAzdnVoU="; + sha256 = "sha256-FEmWjJVmKKckC30zULGI/mZ3VNtirnweZq2gKh/Y5VE="; }; nativeBuildInputs = [ From 014b59a4b891ecdec0e162677360d0777dfb5a7a Mon Sep 17 00:00:00 2001 From: Jan Tojnar Date: Sun, 1 May 2022 00:06:19 +0200 Subject: [PATCH 13/43] umockdev: Make library path references absolute This simplifies consumers a lot. --- .../libraries/umockdev/default.nix | 21 ++++++ .../libraries/umockdev/hardcode-paths.patch | 69 +++++++++++++++++++ 2 files changed, 90 insertions(+) create mode 100644 pkgs/development/libraries/umockdev/hardcode-paths.patch diff --git a/pkgs/development/libraries/umockdev/default.nix b/pkgs/development/libraries/umockdev/default.nix index fd35a94922e..a389d204a83 100644 --- a/pkgs/development/libraries/umockdev/default.nix +++ b/pkgs/development/libraries/umockdev/default.nix 
@@ -28,6 +28,12 @@ stdenv.mkDerivation rec { sha256 = "sha256-FEmWjJVmKKckC30zULGI/mZ3VNtirnweZq2gKh/Y5VE="; }; + patches = [ + # Hardcode absolute paths to libraries so that consumers + # do not need to set LD_LIBRARY_PATH themselves. + ./hardcode-paths.patch + ]; + nativeBuildInputs = [ docbook-xsl-nons gobject-introspection @@ -57,6 +63,21 @@ stdenv.mkDerivation rec { doCheck = true; + postPatch = '' + # Substitute the path to this derivation in the patch we apply. + substituteInPlace src/umockdev-wrapper \ + --subst-var-by 'LIBDIR' "''${!outputLib}/lib" + ''; + + preCheck = '' + # Our patch makes the path to the `LD_PRELOAD`ed library absolute. + # When running tests, the library is not yet installed, though, + # so we need to replace the absolute path with a local one during build. + # We are using a symlink that will be overridden during installation. + mkdir -p "$out/lib" + ln -s "$PWD/libumockdev-preload.so.0" "$out/lib/libumockdev-preload.so.0" + ''; + meta = with lib; { description = "Mock hardware devices for creating unit tests"; license = licenses.lgpl21Plus; diff --git a/pkgs/development/libraries/umockdev/hardcode-paths.patch b/pkgs/development/libraries/umockdev/hardcode-paths.patch new file mode 100644 index 00000000000..91f1e928ec6 --- /dev/null +++ b/pkgs/development/libraries/umockdev/hardcode-paths.patch 
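Review bot: `preCheck` creates the bootstrap symlink under `$out/lib`, while the path baked into the sources by `postPatch` is `''${!outputLib}/lib`; with `outputs = [ "bin" "out" "dev" "devdoc" ]` these coincide today, but if a `lib` output is ever added the tests would preload from a path that is never installed. Using `mkdir -p "''${!outputLib}/lib"` and the same variable in the `ln -s` keeps the two in step. The comment in `preCheck` also assumes the installer replaces the existing symlink rather than following it; if it follows, the real library would be written over the build-tree copy and `$out` would keep a dangling link, so this is worth confirming.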
@@ -0,0 +1,69 @@ +diff --git a/meson.build b/meson.build +index 2ed9027..1f6bbf2 100644 +--- a/meson.build ++++ b/meson.build +@@ -38,6 +38,7 @@ g_ir_compiler = find_program('g-ir-compiler', required: false) + + conf.set('PACKAGE_NAME', meson.project_name()) + conf.set_quoted('VERSION', meson.project_version()) ++conf.set_quoted('LIBDIR', get_option('prefix') / get_option('libdir')) + + # glibc versions somewhere between 2.28 and 2.34 + if cc.has_function('__fxstatat', prefix: '#include ') +@@ -148,7 +149,7 @@ hacked_gir = custom_target('UMockdev-1.0 hacked gir', + + if g_ir_compiler.found() + umockdev_typelib = custom_target('UMockdev-1.0 typelib', +- command: [g_ir_compiler, '--output', '@OUTPUT@', '-l', 'libumockdev.so.0', '@INPUT@'], ++ command: [g_ir_compiler, '--output', '@OUTPUT@', '-l', get_option('prefix') / get_option('libdir') / 'libumockdev.so.0', '@INPUT@'], + input: hacked_gir, + output: 'UMockdev-1.0.typelib', + install: true, +diff --git a/src/config.vapi b/src/config.vapi +index 5269dd0..a2ec46d 100644 +--- a/src/config.vapi ++++ b/src/config.vapi +@@ -2,5 +2,6 @@ + namespace Config { + public const string PACKAGE_NAME; + public const string VERSION; ++ public const string LIBDIR; + } + +diff --git a/src/umockdev-record.vala b/src/umockdev-record.vala +index 8434d32..68c7f8e 100644 +--- a/src/umockdev-record.vala ++++ b/src/umockdev-record.vala +@@ -435,7 +435,7 @@ main (string[] args) + preload = ""; + else + preload = preload + ":"; +- Environment.set_variable("LD_PRELOAD", preload + "libumockdev-preload.so.0", true); ++ Environment.set_variable("LD_PRELOAD", preload + Config.LIBDIR + "/libumockdev-preload.so.0", true); + + try { + root_dir = DirUtils.make_tmp("umockdev.XXXXXX"); +diff --git a/src/umockdev-run.vala b/src/umockdev-run.vala +index 9a1ba10..6df2522 100644 +--- a/src/umockdev-run.vala ++++ b/src/umockdev-run.vala +@@ -95,7 +95,7 @@ main (string[] args) + preload = ""; + else + preload = preload + ":"; +- Environment.set_variable 
("LD_PRELOAD", preload + "libumockdev-preload.so.0", true); ++ Environment.set_variable ("LD_PRELOAD", preload + Config.LIBDIR + "/libumockdev-preload.so.0", true); + + var testbed = new UMockdev.Testbed (); + +diff --git a/src/umockdev-wrapper b/src/umockdev-wrapper +index 6ce4dcd..706c49a 100755 +--- a/src/umockdev-wrapper ++++ b/src/umockdev-wrapper +@@ -1,5 +1,5 @@ + #!/bin/sh + # Wrapper program to preload the libumockdev library, so that test programs can + # set $UMOCKDEV_DIR for redirecting sysfs and other queries to a test bed. +-exec env LD_PRELOAD=libumockdev-preload.so.0:$LD_PRELOAD "$@" ++exec env LD_PRELOAD=@LIBDIR@/libumockdev-preload.so.0:$LD_PRELOAD "$@" + From 44a6882f55865b39f4ba9b9cb3ae3ddb661c1b24 Mon Sep 17 00:00:00 2001 From: Will Fancher Date: Mon, 11 Apr 2022 07:35:01 -0400 Subject: [PATCH 14/43] nixos/stage-1-systemd: ZFS support --- nixos/modules/tasks/filesystems/zfs.nix | 187 +++++++++++++----------- 1 file changed, 105 insertions(+), 82 deletions(-) diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 5eca68798d5..5890fe89cf4 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -58,6 +58,13 @@ let # latter case it makes one last attempt at importing, allowing the system to # (eventually) boot even with a degraded pool. importLib = {zpoolCmd, awkCmd, cfgZfs}: '' + for o in $(cat /proc/cmdline); do + case $o in + zfs_force|zfs_force=1) + ZFS_FORCE="-f" + ;; + esac + done poolReady() { pool="$1" state="$("${zpoolCmd}" import 2>/dev/null | "${awkCmd}" "/pool: $pool/ { found = 1 }; /state:/ { if (found == 1) { print \$2; exit } }; END { if (found == 0) { print \"MISSING\" } }")" 
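Review bot: Moving the `/proc/cmdline` scan for `zfs_force` into `importLib` changes behaviour beyond stage 1: `importLib` is also the body of the stage-2 `zfs-import-<pool>` services (see the `createImportService` removed later in this commit, whose `environment.ZFS_FORCE` came only from `forceImportAll`), so the kernel parameter now forces the import of every data pool as well, overriding the `ZFS_FORCE` the caller set. If that is intended it should be stated in the `forceImportAll`/`forceImportRoot` option descriptions; if not, the loop belongs in the stage-1 callers only. At minimum a comment above the loop, `# honours zfs_force on the kernel command line; overrides ZFS_FORCE set by the caller, for root and data pools alike`, would make the override explicit.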
@@ -78,6 +85,83 @@ let } ''; + getPoolFilesystems = pool: + filter (x: x.fsType == "zfs" && (fsToPool x) == pool) config.system.build.fileSystems; + + getPoolMounts = prefix: pool: + let + # Remove the "/" suffix because even though most mountpoints + # won't have it, the "/" mountpoint will, and we can't have the + # trailing slash in "/sysroot/" in stage 1. + mountPoint = fs: escapeSystemdPath (prefix + (lib.removeSuffix "/" fs.mountPoint)); + in + map (x: "${mountPoint x}.mount") (getPoolFilesystems pool); + + createImportService = { pool, systemd, force, prefix ? "" }: + nameValuePair "zfs-import-${pool}" { + description = "Import ZFS pool \"${pool}\""; + # we need systemd-udev-settle until https://github.com/zfsonlinux/zfs/pull/4943 is merged + requires = [ "systemd-udev-settle.service" ]; + after = [ + "systemd-udev-settle.service" + "systemd-modules-load.service" + "systemd-ask-password-console.service" + ]; + wantedBy = (getPoolMounts prefix pool) ++ [ "local-fs.target" ]; + before = (getPoolMounts prefix pool) ++ [ "local-fs.target" ]; + unitConfig = { + DefaultDependencies = "no"; + }; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + environment.ZFS_FORCE = optionalString force "-f"; + script = (importLib { + # See comments at importLib definition. + zpoolCmd = "${cfgZfs.package}/sbin/zpool"; + awkCmd = "${pkgs.gawk}/bin/awk"; + inherit cfgZfs; + }) + '' + poolImported "${pool}" && exit + echo -n "importing ZFS pool \"${pool}\"..." + # Loop across the import until it succeeds, because the devices needed may not be discovered yet. + for trial in `seq 1 60`; do + poolReady "${pool}" && poolImport "${pool}" && break + sleep 1 + done + poolImported "${pool}" || poolImport "${pool}" # Try one last time, e.g. to import a degraded pool. 
+ if poolImported "${pool}"; then + ${optionalString (if isBool cfgZfs.requestEncryptionCredentials + then cfgZfs.requestEncryptionCredentials + else cfgZfs.requestEncryptionCredentials != []) '' + ${cfgZfs.package}/sbin/zfs list -rHo name,keylocation ${pool} | while IFS=$'\t' read ds kl; do + { + ${optionalString (!isBool cfgZfs.requestEncryptionCredentials) '' + if ! echo '${concatStringsSep "\n" cfgZfs.requestEncryptionCredentials}' | grep -qFx "$ds"; then + continue + fi + ''} + case "$kl" in + none ) + ;; + prompt ) + ${systemd}/bin/systemd-ask-password "Enter key for $ds:" | ${cfgZfs.package}/sbin/zfs load-key "$ds" + ;; + * ) + ${cfgZfs.package}/sbin/zfs load-key "$ds" + ;; + esac + } < /dev/null # To protect while read ds kl in case anything reads stdin + done + ''} + echo "Successfully imported ${pool}" + else + exit 1 + fi + ''; + }; + zedConf = generators.toKeyValue { mkKeyValue = generators.mkKeyValueDefault { mkValueString = v: @@ -428,14 +512,6 @@ in ''; postDeviceCommands = concatStringsSep "\n" (['' ZFS_FORCE="${optionalString cfgZfs.forceImportRoot "-f"}" - - for o in $(cat /proc/cmdline); do - case $o in - zfs_force|zfs_force=1) - ZFS_FORCE="-f" - ;; - esac - done ''] ++ [(importLib { # See comments at importLib definition. zpoolCmd = "zpool"; @@ -464,6 +540,21 @@ in zfs load-key ${fs} '') cfgZfs.requestEncryptionCredentials} '') rootPools)); + + # Systemd in stage 1 + systemd = { + packages = [cfgZfs.package]; + services = listToAttrs (map (pool: createImportService { + inherit pool; + systemd = config.boot.initrd.systemd.package; + force = cfgZfs.forceImportRoot; + prefix = "/sysroot"; + }) rootPools); + extraBin = { + # zpool and zfs are already in thanks to fsPackages + awk = "${pkgs.gawk}/bin/awk"; + }; + }; }; systemd.shutdownRamfs.contents."/etc/systemd/system-shutdown/zpool".source = pkgs.writeShellScript "zpool-sync-shutdown" '' 
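Review bot: The new `boot.initrd.systemd.extraBin` only adds `awk`, while the import script produced by `importLib` and `createImportService` also runs `cat`, `seq`, `sleep`, `echo` and, when `requestEncryptionCredentials` is a list, `grep`; presumably the stage-1 systemd defaults already provide those, but the comment `# zpool and zfs are already in thanks to fsPackages` should say so, e.g. `# zpool and zfs come from fsPackages; coreutils/grep are assumed to be in the initrd by default`. The script itself is defined in the `createImportService` hunk earlier in this commit.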
@@ -521,79 +612,11 @@ in systemd.packages = [ cfgZfs.package ]; systemd.services = let - getPoolFilesystems = pool: - filter (x: x.fsType == "zfs" && (fsToPool x) == pool) config.system.build.fileSystems; - - getPoolMounts = pool: - let - mountPoint = fs: escapeSystemdPath fs.mountPoint; - in - map (x: "${mountPoint x}.mount") (getPoolFilesystems pool); - - createImportService = pool: - nameValuePair "zfs-import-${pool}" { - description = "Import ZFS pool \"${pool}\""; - # we need systemd-udev-settle until https://github.com/zfsonlinux/zfs/pull/4943 is merged - requires = [ "systemd-udev-settle.service" ]; - after = [ - "systemd-udev-settle.service" - "systemd-modules-load.service" - "systemd-ask-password-console.service" - ]; - wantedBy = (getPoolMounts pool) ++ [ "local-fs.target" ]; - before = (getPoolMounts pool) ++ [ "local-fs.target" ]; - unitConfig = { - DefaultDependencies = "no"; - }; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - environment.ZFS_FORCE = optionalString cfgZfs.forceImportAll "-f"; - script = (importLib { - # See comments at importLib definition. - zpoolCmd = "${cfgZfs.package}/sbin/zpool"; - awkCmd = "${pkgs.gawk}/bin/awk"; - inherit cfgZfs; - }) + '' - poolImported "${pool}" && exit - echo -n "importing ZFS pool \"${pool}\"..." - # Loop across the import until it succeeds, because the devices needed may not be discovered yet. - for trial in `seq 1 60`; do - poolReady "${pool}" && poolImport "${pool}" && break - sleep 1 - done - poolImported "${pool}" || poolImport "${pool}" # Try one last time, e.g. to import a degraded pool. - if poolImported "${pool}"; then - ${optionalString (if isBool cfgZfs.requestEncryptionCredentials - then cfgZfs.requestEncryptionCredentials - else cfgZfs.requestEncryptionCredentials != []) '' - ${cfgZfs.package}/sbin/zfs list -rHo name,keylocation ${pool} | while IFS=$'\t' read ds kl; do - { - ${optionalString (!isBool cfgZfs.requestEncryptionCredentials) '' - if ! 
echo '${concatStringsSep "\n" cfgZfs.requestEncryptionCredentials}' | grep -qFx "$ds"; then - continue - fi - ''} - case "$kl" in - none ) - ;; - prompt ) - ${config.systemd.package}/bin/systemd-ask-password "Enter key for $ds:" | ${cfgZfs.package}/sbin/zfs load-key "$ds" - ;; - * ) - ${cfgZfs.package}/sbin/zfs load-key "$ds" - ;; - esac - } < /dev/null # To protect while read ds kl in case anything reads stdin - done - ''} - echo "Successfully imported ${pool}" - else - exit 1 - fi - ''; - }; + createImportService' = pool: createImportService { + inherit pool; + systemd = config.systemd.package; + force = cfgZfs.forceImportAll; + }; # This forces a sync of any ZFS pools prior to poweroff, even if they're set # to sync=disabled. @@ -619,7 +642,7 @@ in wantedBy = [ "zfs.target" ]; }; - in listToAttrs (map createImportService dataPools ++ + in listToAttrs (map createImportService' dataPools ++ map createSyncService allPools ++ map createZfsService [ "zfs-mount" "zfs-share" "zfs-zed" ]); From 8555a7fdbfdf7d27096de9b23b650244d842780c Mon Sep 17 00:00:00 2001 From: Will Fancher Date: Thu, 14 Apr 2022 17:21:10 -0400 Subject: [PATCH 15/43] zfs: Allow three tries to decrypt datasets --- nixos/modules/tasks/filesystems/zfs.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 5890fe89cf4..306bd255217 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -146,7 +146,14 @@ let none ) ;; prompt ) - ${systemd}/bin/systemd-ask-password "Enter key for $ds:" | ${cfgZfs.package}/sbin/zfs load-key "$ds" + tries=3 + success=false + while [[ $success != true ]] && [[ $tries -gt 0 ]]; do + ${systemd}/bin/systemd-ask-password "Enter key for $ds:" | ${cfgZfs.package}/sbin/zfs load-key "$ds" \ + && success=true \ + || tries=$((tries - 1)) + done + [[ $success = true ]] ;; * ) ${cfgZfs.package}/sbin/zfs load-key "$ds" 
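Review bot: After the three attempts are exhausted the outcome rests on the bare `[[ $success = true ]]` on the last added line, which only aborts the dataset loop and fails the service because NixOS prepends `set -e` to unit scripts; nothing in this block makes that dependency visible, and no message reaches the journal. `[[ $success = true ]] || { echo "Failed to load key for $ds after 3 attempts" >&2; exit 1; }` states the intent and records why the import stopped. The counter also decrements on every non-zero exit of the pipeline, including a `zfs load-key` failure unrelated to the passphrase, so a key that can never load is requested three times; that is acceptable but deserves `tries=3 # passphrase attempts before the import service fails`. The enclosing `while IFS=$'\t' read` loop and `createImportService` both start outside the hunk.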
From 0a16158078ecf6d1cff298a3bfc3fc608d65b5ca Mon Sep 17 00:00:00 2001 From: Will Fancher Date: Thu, 14 Apr 2022 17:23:03 -0400 Subject: [PATCH 16/43] zfs: Update comment for https://github.com/zfsonlinux/zfs/pull/4943 --- nixos/modules/tasks/filesystems/zfs.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 306bd255217..4675c06cfde 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -100,7 +100,9 @@ let createImportService = { pool, systemd, force, prefix ? "" }: nameValuePair "zfs-import-${pool}" { description = "Import ZFS pool \"${pool}\""; - # we need systemd-udev-settle until https://github.com/zfsonlinux/zfs/pull/4943 is merged + # we need systemd-udev-settle to ensure devices are available + # In the future, hopefully someone will complete this: + # https://github.com/zfsonlinux/zfs/pull/4943 requires = [ "systemd-udev-settle.service" ]; after = [ "systemd-udev-settle.service" From 3a71b113299c409c0961af6295bb9f496268f25b Mon Sep 17 00:00:00 2001 From: Will Fancher Date: Tue, 3 May 2022 12:55:21 -0400 Subject: [PATCH 17/43] nixos: Include zfsroot in installer-systemd-stage-1 tests --- nixos/tests/installer-systemd-stage-1.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/tests/installer-systemd-stage-1.nix b/nixos/tests/installer-systemd-stage-1.nix index a8b418626e6..d02387ee80e 100644 --- a/nixos/tests/installer-systemd-stage-1.nix +++ b/nixos/tests/installer-systemd-stage-1.nix @@ -27,7 +27,7 @@ simpleUefiGrubSpecialisation simpleUefiSystemdBoot # swraid - # zfsroot + zfsroot ; } From e0b5ba54798162d18ce2dbc42911f18facae1707 Mon Sep 17 00:00:00 2001 
From: Will Fancher Date: Tue, 3 May 2022 13:39:54 -0400 Subject: [PATCH 18/43] nixos: Don't use grep to request ZFS credentials, and consider keystatus --- nixos/modules/tasks/filesystems/zfs.nix | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 4675c06cfde..3bc05f56dc3 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -97,6 +97,11 @@ let in map (x: "${mountPoint x}.mount") (getPoolFilesystems pool); + getKeyLocations = pool: + if isBool cfgZfs.requestEncryptionCredentials + then "${cfgZfs.package}/sbin/zfs list -rHo name,keylocation,keystatus ${pool}" + else "${cfgZfs.package}/sbin/zfs list -Ho name,keylocation,keystatus ${toString (filter (x: datasetToPool x == pool) cfgZfs.requestEncryptionCredentials)}"; + createImportService = { pool, systemd, force, prefix ? "" }: nameValuePair "zfs-import-${pool}" { description = "Import ZFS pool \"${pool}\""; @@ -137,13 +142,11 @@ let ${optionalString (if isBool cfgZfs.requestEncryptionCredentials then cfgZfs.requestEncryptionCredentials else cfgZfs.requestEncryptionCredentials != []) '' - ${cfgZfs.package}/sbin/zfs list -rHo name,keylocation ${pool} | while IFS=$'\t' read ds kl; do + ${getKeyLocations pool} | while IFS=$'\t' read ds kl ks; do { - ${optionalString (!isBool cfgZfs.requestEncryptionCredentials) '' - if ! echo '${concatStringsSep "\n" cfgZfs.requestEncryptionCredentials}' | grep -qFx "$ds"; then - continue - fi - ''} + if [[ "$ks" != unavailable ]]; then + continue + fi case "$kl" in none ) ;; From b8b17d9b8e00eb6da4e2f8d67a393f7670000fb1 Mon Sep 17 00:00:00 2001 
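Review bot: In the list form of `getKeyLocations` the per-pool filter can come back empty while the outer guard in the second hunk only checks that the whole `requestEncryptionCredentials` list is non-empty, and `zfs list -Ho ...` with no dataset arguments enumerates every dataset on every imported pool; a pool that has no entry in the list would then prompt for and load keys of datasets the user never listed, which is exactly what the list form exists to prevent. The dataset names are also joined with `toString` and passed unescaped, so a name with whitespace or shell metacharacters is split or interpreted. Returning `true` for the empty case (the `while read` loop then sees no input) and escaping the names closes both gaps; the `cfgZfs.requestEncryptionCredentials != []` guard in the second hunk can then stay as it is. The enclosing `let` starts outside the hunk.
```nix
  getKeyLocations = pool:
    let
      requested = filter (x: datasetToPool x == pool) cfgZfs.requestEncryptionCredentials;
    in
    if isBool cfgZfs.requestEncryptionCredentials
    then "${cfgZfs.package}/sbin/zfs list -rHo name,keylocation,keystatus ${pool}"
    # With no dataset argument `zfs list` would enumerate every dataset on every pool.
    else if requested == [] then "true"
    else "${cfgZfs.package}/sbin/zfs list -Ho name,keylocation,keystatus ${lib.escapeShellArgs requested}";
```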
From: Jan Tojnar Date: Sat, 30 Apr 2022 23:23:31 +0200 Subject: [PATCH 19/43] =?UTF-8?q?power-profiles-daemon:=200.10.1=20?= =?UTF-8?q?=E2=86=92=200.11.1?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://gitlab.freedesktop.org/hadess/power-profiles-daemon/-/releases/0.11 https://gitlab.freedesktop.org/hadess/power-profiles-daemon/-/releases/0.11.1 --- nixos/tests/installed-tests/default.nix | 1 - .../installed-tests/power-profiles-daemon.nix | 9 --- .../linux/power-profiles-daemon/default.nix | 71 ++++++------------- .../installed-tests-path.patch | 37 ---------- 4 files changed, 21 insertions(+), 97 deletions(-) delete mode 100644 nixos/tests/installed-tests/power-profiles-daemon.nix delete mode 100644 pkgs/os-specific/linux/power-profiles-daemon/installed-tests-path.patch diff --git a/nixos/tests/installed-tests/default.nix b/nixos/tests/installed-tests/default.nix index fd16b481168..c6fb37cfe58 100644 --- a/nixos/tests/installed-tests/default.nix +++ b/nixos/tests/installed-tests/default.nix @@ -106,6 +106,5 @@ in malcontent = callInstalledTest ./malcontent.nix {}; ostree = callInstalledTest ./ostree.nix {}; pipewire = callInstalledTest ./pipewire.nix {}; - power-profiles-daemon = callInstalledTest ./power-profiles-daemon.nix {}; xdg-desktop-portal = callInstalledTest ./xdg-desktop-portal.nix {}; } diff --git a/nixos/tests/installed-tests/power-profiles-daemon.nix b/nixos/tests/installed-tests/power-profiles-daemon.nix deleted file mode 100644 index 43629a0155d..00000000000 --- a/nixos/tests/installed-tests/power-profiles-daemon.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ pkgs, lib, makeInstalledTest, ... }: - -makeInstalledTest { - tested = pkgs.power-profiles-daemon; - - testConfig = { - services.power-profiles-daemon.enable = true; - }; -} diff --git a/pkgs/os-specific/linux/power-profiles-daemon/default.nix b/pkgs/os-specific/linux/power-profiles-daemon/default.nix index 9f96eb2576d..253c3caf6aa 100644 
--- a/pkgs/os-specific/linux/power-profiles-daemon/default.nix +++ b/pkgs/os-specific/linux/power-profiles-daemon/default.nix @@ -8,6 +8,7 @@ , libgudev , glib , polkit +, dbus , gobject-introspection , gettext , gtk-doc @@ -29,34 +30,21 @@ let dbus-python python-dbusmock ]; - testTypelibPath = lib.makeSearchPathOutput "lib" "lib/girepository-1.0" [ umockdev ]; in stdenv.mkDerivation rec { pname = "power-profiles-daemon"; - version = "0.10.1"; + version = "0.11.1"; - outputs = [ "out" "devdoc" "installedTests" ]; + outputs = [ "out" "devdoc" ]; src = fetchFromGitLab { domain = "gitlab.freedesktop.org"; owner = "hadess"; repo = "power-profiles-daemon"; rev = version; - sha256 = "sha256-sQWiCHc0kEELdmPq9Qdk7OKDUgbM5R44639feC7gjJc="; + sha256 = "sha256-qU9A9U2R3UioC7bo8Pc0IIsHIjghb6gsG4pTAg6tp9E="; }; - patches = [ - # Enable installed tests. - # https://gitlab.freedesktop.org/hadess/power-profiles-daemon/-/merge_requests/92 - (fetchpatch { - url = "https://gitlab.freedesktop.org/hadess/power-profiles-daemon/-/commit/3c64d9e1732eb6425e33013c452f1c4aa7a26f7e.patch"; - sha256 = "din5VuZZwARNDInHtl44yJK8pLmlxr5eoD4iMT4a8HA="; - }) - - # Install installed tests to separate output. - ./installed-tests-path.patch - ]; - nativeBuildInputs = [ pkg-config meson @@ -70,9 +58,6 @@ stdenv.mkDerivation rec { gobject-introspection wrapGAppsNoGuiHook python3.pkgs.wrapPython - - # For finding tests. - (python3.withPackages testPythonPkgs) ]; buildInputs = [ 
@@ -91,31 +76,28 @@ stdenv.mkDerivation rec { python3.pkgs.pygobject3 ]; + checkInputs = [ + umockdev + dbus + (python3.withPackages testPythonPkgs) + ]; + mesonFlags = [ - "-Dinstalled_test_prefix=${placeholder "installedTests"}" "-Dsystemdsystemunitdir=${placeholder "out"}/lib/systemd/system" "-Dgtk_doc=true" ]; + doCheck = true; + PKG_CONFIG_POLKIT_GOBJECT_1_POLICYDIR = "${placeholder "out"}/share/polkit-1/actions"; # Avoid double wrapping dontWrapGApps = true; postPatch = '' - patchShebangs tests/unittest_inspector.py - ''; - - preConfigure = '' - # For finding tests. - GI_TYPELIB_PATH_original=$GI_TYPELIB_PATH - addToSearchPath GI_TYPELIB_PATH "${testTypelibPath}" - ''; - - postConfigure = '' - # Restore the original value to prevent the program from depending on umockdev. - export GI_TYPELIB_PATH=$GI_TYPELIB_PATH_original - unset GI_TYPELIB_PATH_original + patchShebangs --build \ + tests/integration-test.py \ + tests/unittest_inspector.py ''; preInstall = '' 
@@ -128,33 +110,22 @@ stdenv.mkDerivation rec { export PKEXEC_UID=-1 ''; + postCheck = '' + # Do not contaminate the wrapper with test dependencies. + unset GI_TYPELIB_PATH + unset XDG_DATA_DIRS + ''; + postFixup = '' # Avoid double wrapping makeWrapperArgs+=("''${gappsWrapperArgs[@]}") # Make Python libraries available wrapPythonProgramsIn "$out/bin" "$pythonPath" - - # Make Python libraries available for installed tests - makeWrapperArgs+=( - --prefix GI_TYPELIB_PATH : "${testTypelibPath}" - --prefix PATH : "${lib.makeBinPath [ umockdev ]}" - # Vala does not use absolute paths in typelibs - # https://github.com/NixOS/nixpkgs/issues/47226 - # Also umockdev binaries use relative paths for LD_PRELOAD. - --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ umockdev ]}" - # dbusmock calls its templates using exec so our regular patching of Python scripts - # to add package directories to site will not carry over. - # https://github.com/martinpitt/python-dbusmock/blob/2254e69279a02fb3027b500ed7288b77c7a80f2a/dbusmock/mockobject.py#L51 - # https://github.com/martinpitt/python-dbusmock/blob/2254e69279a02fb3027b500ed7288b77c7a80f2a/dbusmock/__main__.py#L60-L62 - --prefix PYTHONPATH : "${lib.makeSearchPath python3.sitePackages (testPythonPkgs python3.pkgs)}" - ) - wrapPythonProgramsIn "$installedTests/libexec/installed-tests" "$pythonPath ${lib.concatStringsSep " " (testPythonPkgs python3.pkgs)}" ''; passthru = { tests = { nixos = nixosTests.power-profiles-daemon; - installed-tests = nixosTests.installed-tests.power-profiles-daemon; }; }; diff --git a/pkgs/os-specific/linux/power-profiles-daemon/installed-tests-path.patch b/pkgs/os-specific/linux/power-profiles-daemon/installed-tests-path.patch deleted file mode 100644 index 63059f3ac73..00000000000 --- a/pkgs/os-specific/linux/power-profiles-daemon/installed-tests-path.patch +++ /dev/null 
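Review bot: `postCheck` unsets `GI_TYPELIB_PATH` and `XDG_DATA_DIRS` wholesale, but setup hooks populate those variables for every input at environment setup, not just for the check phase, and wrapGAppsNoGuiHook reads them in preFixup when it assembles `gappsWrapperArgs`; clearing them therefore drops whatever the regular build inputs contributed alongside the umockdev entries the commit is targeting. I cannot see the resulting wrapper here, so this is a question rather than a confirmed regression: please verify that the generated `$out/bin` wrapper still carries the expected `GI_TYPELIB_PATH` and `XDG_DATA_DIRS` prefixes, or remove only the umockdev store path from the two variables instead of unsetting them. Either way the comment should say what is being traded: `# Tests pulled umockdev into GI_TYPELIB_PATH/XDG_DATA_DIRS; clear them so the wrapper does not depend on it (the wrapper only needs $out and $pythonPath).`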
@@ -1,37 +0,0 @@ -diff --git a/meson_options.txt b/meson_options.txt -index 7e89619..76497db 100644 ---- a/meson_options.txt -+++ b/meson_options.txt -@@ -1,3 +1,4 @@ -+option('installed_test_prefix', type: 'string', description: 'Prefix for installed tests') - option('systemdsystemunitdir', - description: 'systemd unit directory', - type: 'string', -diff --git a/tests/meson.build b/tests/meson.build -index b306a7f..7670e1b 100644 ---- a/tests/meson.build -+++ b/tests/meson.build -@@ -2,8 +2,8 @@ envs = environment() - envs.set ('top_builddir', meson.build_root()) - envs.set ('top_srcdir', meson.source_root()) - --installed_test_bindir = libexecdir / 'installed-tests' / meson.project_name() --installed_test_datadir = datadir / 'installed-tests' / meson.project_name() -+installed_test_bindir = get_option('installed_test_prefix') / 'libexec' / 'installed-tests' / meson.project_name() -+installed_test_datadir = get_option('installed_test_prefix') / 'share' / 'installed-tests' / meson.project_name() - - python3 = find_program('python3') - unittest_inspector = find_program('unittest_inspector.py') -diff --git a/tests/integration-test.py b/tests/integration-test.py -index 22dc42c..0f92b76 100755 ---- a/tests/integration-test.py -+++ b/tests/integration-test.py -@@ -67,7 +67,7 @@ class Tests(dbusmock.DBusTestCase): - print('Testing binaries from JHBuild (%s)' % cls.daemon_path) - else: - cls.daemon_path = None -- with open('/usr/lib/systemd/system/power-profiles-daemon.service') as f: -+ with open('/run/current-system/sw/lib/systemd/system/power-profiles-daemon.service') as f: - for line in f: - if line.startswith('ExecStart='): - cls.daemon_path = line.split('=', 1)[1].strip() From f989e13983fd1619f723b42ba271fe0b781dd24b Mon Sep 17 00:00:00 2001 
From: Will Fancher Date: Wed, 4 May 2022 18:32:27 -0400 Subject: [PATCH 20/43] zfs: Support zfs_force=y on the command line as well. --- nixos/modules/tasks/filesystems/zfs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 3bc05f56dc3..c8bbfe9769b 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -60,7 +60,7 @@ let importLib = {zpoolCmd, awkCmd, cfgZfs}: '' for o in $(cat /proc/cmdline); do case $o in - zfs_force|zfs_force=1) + zfs_force|zfs_force=1|zfs_force=y) ZFS_FORCE="-f" ;; esac From f6c4cf25ffac4b6b1c5d943d0a8ec18807ffa1b4 Mon Sep 17 00:00:00 2001 From: Alex Martens Date: Wed, 4 May 2022 16:31:57 -0700 Subject: [PATCH 21/43] flip-link: 0.1.4 -> 0.1.6 --- pkgs/development/tools/flip-link/default.nix | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/pkgs/development/tools/flip-link/default.nix b/pkgs/development/tools/flip-link/default.nix index 6e752379a73..d42e282289a 100644 --- a/pkgs/development/tools/flip-link/default.nix +++ b/pkgs/development/tools/flip-link/default.nix 
@@ -2,23 +2,31 @@ rustPlatform.buildRustPackage rec { pname = "flip-link"; - version = "0.1.4"; + version = "0.1.6"; src = fetchFromGitHub { owner = "knurling-rs"; repo = pname; rev = "v${version}"; - sha256 = "sha256-LE0cWS6sOb9/VvGloezNnePHGldnpfNTdCFUv3F/nwE="; + sha256 = "sha256-Sf2HlAfPlg8Er2g17AnRmUkvRhTw5AVPuL2B92hFvpA="; }; - cargoSha256 = "sha256-8WBMF5stMB4JXvYwa5yHVFV+3utDuMFJNTZ4fZFDftw="; + cargoSha256 = "sha256-2VgsO2hUIvSPNQhR13+bGTxXa6xZXcK0amfiWv2EIxk="; buildInputs = lib.optional stdenv.isDarwin libiconv; + checkFlags = [ + # requires embedded toolchains + "--skip should_link_example_firmware::case_1_normal" + "--skip should_link_example_firmware::case_2_custom_linkerscript" + "--skip should_verify_memory_layout" + ]; + meta = with lib; { description = "Adds zero-cost stack overflow protection to your embedded programs"; homepage = "https://github.com/knurling-rs/flip-link"; - license = with licenses; [ asl20 mit ]; - maintainers = [ maintainers.FlorianFranzen ]; + changelog = "https://github.com/knurling-rs/flip-link/blob/v${version}/CHANGELOG.md"; + license = with licenses; [ asl20 /* or */ mit ]; + maintainers = with maintainers; [ FlorianFranzen newam ]; }; } From 01853e27627c2c517be4b199a41b4cf256841f85 Mon Sep 17 00:00:00 2001 From: Matthias Thym Date: Wed, 4 May 2022 21:08:00 +0200 Subject: [PATCH 22/43] bsp-layout: fix postInstall --- pkgs/tools/misc/bsp-layout/default.nix | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/misc/bsp-layout/default.nix b/pkgs/tools/misc/bsp-layout/default.nix index 065c21e3f78..bad5b4d9a89 100644 --- a/pkgs/tools/misc/bsp-layout/default.nix +++ b/pkgs/tools/misc/bsp-layout/default.nix @@ -1,4 +1,11 @@ -{ stdenv, fetchFromGitHub, lib, bspwm, makeWrapper, git, bc }: +{ lib +, stdenv +, fetchFromGitHub +, makeWrapper +, git +, bc +, bspwm +}: stdenv.mkDerivation rec { pname = "bsp-layout"; 
@@ -17,14 +24,22 @@ stdenv.mkDerivation rec { makeFlags = [ "PREFIX=$(out)" ]; postInstall = '' - substituteInPlace $out/bin/bsp-layout --replace 'bc ' '${bc}/bin/bc ' + substituteInPlace $out/lib/bsp-layout/layout.sh --replace 'bc ' '${bc}/bin/bc ' + for layout in tall rtall wide rwide + do + substituteInPlace "$out/lib/bsp-layout/layouts/$layout.sh" --replace 'bc ' '${bc}/bin/bc ' + done ''; meta = with lib; { description = "Manage layouts in bspwm"; + longDescription = '' + bsp-layout is a dynamic layout manager for bspwm, written in bash. + It provides layout options to fit most workflows. + ''; homepage = "https://github.com/phenax/bsp-layout"; license = licenses.mit; - maintainers = with maintainers; [ devins2518 ]; + maintainers = with maintainers; [ devins2518 totoroot ]; platforms = platforms.linux; }; } From a2c236d7ef082f82076215dab20ff981e862ea34 Mon Sep 17 00:00:00 2001 From: Fabian Affolter Date: Thu, 5 May 2022 08:50:21 +0200 Subject: [PATCH 23/43] python310Packages.meater-python: init at 0.0.8 --- .../python-modules/meater-python/default.nix | 37 +++++++++++++++++++ pkgs/top-level/python-packages.nix | 2 + 2 files changed, 39 insertions(+) create mode 100644 pkgs/development/python-modules/meater-python/default.nix diff --git a/pkgs/development/python-modules/meater-python/default.nix b/pkgs/development/python-modules/meater-python/default.nix new file mode 100644 index 00000000000..219af570dfe --- /dev/null +++ b/pkgs/development/python-modules/meater-python/default.nix 
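Review bot: The loop hard-codes the layout names `tall rtall wide rwide`, so a layout script added upstream is silently left calling an unqualified `bc` that may not exist at runtime; globbing the directory removes the list and the maintenance burden: `for layout in "$out"/lib/bsp-layout/layouts/*.sh; do`, `  substituteInPlace "$layout" --replace 'bc ' '${bc}/bin/bc '`, `done`. The pattern `'bc '` also matches any word ending in `bc` followed by a space, so a quick `grep -n 'bc ' ` of the patched scripts after a version bump is worth doing. `substituteInPlace` does not fail when the pattern is absent, so the quoted fix does not detect upstream dropping `bc`. `git` is listed as an input but is not used in this hunk; its use, if any, is outside the hunk.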
@@ -0,0 +1,37 @@ +{ lib +, aiohttp +, buildPythonPackage +, fetchPypi +, pythonOlder +}: + +buildPythonPackage rec { + pname = "meater-python"; + version = "0.0.8"; + format = "setuptools"; + + disabled = pythonOlder "3.7"; + + src = fetchPypi { + inherit pname version; + hash = "sha256-86XJmKOc2MCyU9v0UAZsPCUL/kAXywOlQOIHaykNF1o="; + }; + + propagatedBuildInputs = [ + aiohttp + ]; + + # Module has no tests + doCheck = false; + + pythonImportsCheck = [ + "meater" + ]; + + meta = with lib; { + description = "Library for the Apption Labs Meater cooking probe"; + homepage = "https://github.com/Sotolotl/meater-python"; + license = licenses.asl20; + maintainers = with maintainers; [ fab ]; + }; +} diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 894e7f1da5d..df2df3a8333 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -5167,6 +5167,8 @@ in { measurement = callPackage ../development/python-modules/measurement { }; + meater-python = callPackage ../development/python-modules/meater-python { }; + mecab-python3 = callPackage ../development/python-modules/mecab-python3 { }; mechanicalsoup = callPackage ../development/python-modules/mechanicalsoup { }; From 6f960f08b54ff10b818a868511a9b0ea9af29913 Mon Sep 17 00:00:00 2001 From: Fabian Affolter Date: Thu, 5 May 2022 10:34:02 +0200 Subject: [PATCH 24/43] home-assistant: update component-packages --- pkgs/servers/home-assistant/component-packages.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/servers/home-assistant/component-packages.nix b/pkgs/servers/home-assistant/component-packages.nix index 707740cd4a4..ebd4dcc73b7 100644 --- a/pkgs/servers/home-assistant/component-packages.nix +++ b/pkgs/servers/home-assistant/component-packages.nix 
@@ -1516,7 +1516,8 @@ pymazda ]; "meater" = ps: with ps; [ - ]; # missing inputs: meater-python + meater-python + ]; "media_extractor" = ps: with ps; [ aiohttp-cors youtube-dl-light @@ -3451,6 +3452,7 @@ "manual_mqtt" "maxcube" "mazda" + "meater" "media_player" "media_source" "melcloud" From 3b26a349c00f380915efcf5323415adcb8fa7762 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Thu, 5 May 2022 10:24:38 +0000 Subject: [PATCH 25/43] python310Packages.impacket: 0.9.24 -> 0.10.0 --- pkgs/development/python-modules/impacket/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/impacket/default.nix b/pkgs/development/python-modules/impacket/default.nix index 6b6f7e452b2..cc957ac156a 100644 --- a/pkgs/development/python-modules/impacket/default.nix +++ b/pkgs/development/python-modules/impacket/default.nix @@ -14,14 +14,14 @@ buildPythonPackage rec { pname = "impacket"; - version = "0.9.24"; + version = "0.10.0"; format = "setuptools"; disabled = pythonOlder "3.7"; src = fetchPypi { inherit pname version; - hash = "sha256-GNVX04f0kU+vpzmBO5FyvD+L2cA26Tv1iajg67cwS7o="; + hash = "sha256-uOsCCiy7RxRmac/jHGS7Ln1kmdBJxJPWQYuXFvXHRYM="; }; propagatedBuildInputs = [ From 763a2d7b16de443a008c4d479d3291f11e9da85a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stanis=C5=82aw=20Pitucha?= Date: Thu, 5 May 2022 21:07:46 +1000 Subject: [PATCH 26/43] sift: add bash completion --- pkgs/tools/text/sift/default.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/text/sift/default.nix b/pkgs/tools/text/sift/default.nix index dc025f17a78..634c24ced3d 100644 --- a/pkgs/tools/text/sift/default.nix +++ b/pkgs/tools/text/sift/default.nix @@ -1,4 +1,4 @@ -{ lib, buildGoPackage, fetchFromGitHub }: +{ lib, buildGoPackage, fetchFromGitHub, installShellFiles }: buildGoPackage rec { pname = "sift"; 
@@ -7,6 +7,8 @@ buildGoPackage rec { goPackagePath = "github.com/svent/sift"; + nativeBuildInputs = [ installShellFiles ]; + src = fetchFromGitHub { inherit rev; owner = "svent"; @@ -14,6 +16,10 @@ buildGoPackage rec { sha256 = "0bgy0jf84z1c3msvb60ffj4axayfchdkf0xjnsbx9kad1v10g7i1"; }; + postInstall = '' + installShellCompletion --cmd sift --bash go/src/github.com/svent/sift/sift-completion.bash + ''; + goDeps = ./deps.nix; meta = with lib; { From 7ec5bd9ecb10245a5b303e472eb3213d854ed984 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stanis=C5=82aw=20Pitucha?= Date: Thu, 5 May 2022 21:08:03 +1000 Subject: [PATCH 27/43] sift: add self to maintainers --- pkgs/tools/text/sift/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/text/sift/default.nix b/pkgs/tools/text/sift/default.nix index 634c24ced3d..f282c28f8fe 100644 --- a/pkgs/tools/text/sift/default.nix +++ b/pkgs/tools/text/sift/default.nix @@ -25,7 +25,7 @@ buildGoPackage rec { meta = with lib; { description = "A fast and powerful alternative to grep"; homepage = "https://sift-tool.org"; - maintainers = [ maintainers.carlsverre ]; + maintainers = with maintainers; [ carlsverre viraptor ]; license = licenses.gpl3; }; } From e9f479eca0d2adab576fe209682c58c8769df5cb Mon Sep 17 00:00:00 2001 From: squalus Date: Thu, 5 May 2022 07:19:14 -0700 Subject: [PATCH 28/43] librewolf: 100.0-1 -> 100.0-2 --- .../networking/browsers/firefox/librewolf/src.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/applications/networking/browsers/firefox/librewolf/src.json b/pkgs/applications/networking/browsers/firefox/librewolf/src.json index f46736d0672..8f36d68e7f2 100644 --- a/pkgs/applications/networking/browsers/firefox/librewolf/src.json +++ b/pkgs/applications/networking/browsers/firefox/librewolf/src.json 
@@ -1,8 +1,8 @@ { - "packageVersion": "100.0-1", + "packageVersion": "100.0-2", "source": { - "rev": "100.0-1", - "sha256": "1xczvsd39g821bh5n12vnn7sgi0x5dqj6vfizkavxj0a05jb4fla" + "rev": "100.0-2", + "sha256": "0pr7fb91zw5qlnfvaavzksd3c2xzgn1344mmfnz9yx2g42vcyi7d" }, "firefox": { "version": "100.0", From 23c4e4aa6d0d0ab67e54d22e4fdc6692d02349cd Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Mon, 2 May 2022 18:53:39 -0400 Subject: [PATCH 29/43] sqlite-utils: 3.26 -> 3.26.1 --- .../python-modules/sqlite-utils/default.nix | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/pkgs/development/python-modules/sqlite-utils/default.nix b/pkgs/development/python-modules/sqlite-utils/default.nix index b3621802a09..d7f07eea073 100644 --- a/pkgs/development/python-modules/sqlite-utils/default.nix +++ b/pkgs/development/python-modules/sqlite-utils/default.nix @@ -14,16 +14,21 @@ buildPythonPackage rec { pname = "sqlite-utils"; - version = "3.26"; + version = "3.26.1"; format = "setuptools"; disabled = pythonOlder "3.6"; src = fetchPypi { inherit pname version; - hash = "sha256-G2Fy9PEYtq0dIWhsgV4HZa5y+wLxcI3CYSgDL6ijkdo="; + hash = "sha256-GK/036zijOSi9IWZSFifXrexY8dyo6cfwWyaF06x82c="; }; + postPatch = '' + substituteInPlace setup.py \ + --replace "click-default-group-wheel" "click-default-group" + ''; + propagatedBuildInputs = [ click click-default-group @@ -45,6 +50,6 @@ buildPythonPackage rec { description = "Python CLI utility and library for manipulating SQLite databases"; homepage = "https://github.com/simonw/sqlite-utils"; license = licenses.asl20; - maintainers = with maintainers; [ meatcar ]; + maintainers = with maintainers; [ meatcar techknowlogick ]; }; } From d487bcce32a697842e2c6ed7d848995311dac66c Mon Sep 17 00:00:00 2001 
From: Jan Tojnar Date: Sun, 1 May 2022 00:12:27 +0200 Subject: [PATCH 30/43] =?UTF-8?q?bolt:=200.9.1=20=E2=86=92=200.9.2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://gitlab.freedesktop.org/bolt/bolt/-/tags/0.9.2 --- pkgs/os-specific/linux/bolt/default.nix | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/pkgs/os-specific/linux/bolt/default.nix b/pkgs/os-specific/linux/bolt/default.nix index dd9436d9b0e..d424f89fdfb 100644 --- a/pkgs/os-specific/linux/bolt/default.nix +++ b/pkgs/os-specific/linux/bolt/default.nix @@ -13,7 +13,7 @@ , libxml2 , libxslt , docbook_xml_dtd_45 -, docbook_xsl +, docbook-xsl-nons , glib , systemd , polkit 
@@ -21,39 +21,33 @@ stdenv.mkDerivation rec { pname = "bolt"; - version = "0.9.1"; + version = "0.9.2"; src = fetchFromGitLab { domain = "gitlab.freedesktop.org"; owner = "bolt"; repo = "bolt"; rev = version; - sha256 = "1phgp8fs0dlj74kbkqlvfniwc32daz47b3pvsxlfxqzyrp77xrfm"; + sha256 = "eXjj7oD5HOW/AG2uxDa0tSleKmbouFd2fwlL2HHFiMA="; }; patches = [ # meson install tries to create /var/lib/boltd ./0001-skip-mkdir.patch - # https://github.com/NixOS/nixpkgs/issues/104429 + # Test does not work on ZFS with atime disabled. # Upstream issue: https://gitlab.freedesktop.org/bolt/bolt/-/issues/167 (fetchpatch { - name = "disable-atime-tests.diff"; - url = "https://gitlab.freedesktop.org/roberth/bolt/-/commit/1f672a7de2ebc4dd51590bb90f3b873a8ac0f4e6.diff"; - sha256 = "134f5s6kjqs6612pwq5pm1miy58crn1kxbyyqhzjnzmf9m57fnc8"; - }) - - # Fix tests with newer umockdev - (fetchpatch { - url = "https://gitlab.freedesktop.org/bolt/bolt/-/commit/130e09d1c7ff02c09e4ad1c9c36e9940b68e58d8.patch"; - sha256 = "HycuM7z4VvtBuZZLU68tBxGT1YjaqJRS4sKyoTGHZEk="; + url = "https://gitlab.freedesktop.org/bolt/bolt/-/commit/c2f1d5c40ad71b20507e02faa11037b395fac2f8.diff"; + revert = true; + sha256 = "6w7ll65W/CydrWAVi/qgzhrQeDv1PWWShulLxoglF+I="; }) ]; nativeBuildInputs = [ asciidoc docbook_xml_dtd_45 - docbook_xsl + docbook-xsl-nons libxml2 libxslt meson From d2905c6fbc337d752f57d65e2c9f32f3470fc477 Mon Sep 17 00:00:00 2001 From: Fabian Affolter Date: Thu, 5 May 2022 16:41:42 +0200 Subject: [PATCH 31/43] python310Packages.pyrainbird: init at 0.4.3 --- .../python-modules/pyrainbird/default.nix | 58 +++++++++++++++++++ pkgs/top-level/python-packages.nix | 2 + 2 files changed, 60 insertions(+) create mode 100644 pkgs/development/python-modules/pyrainbird/default.nix diff --git a/pkgs/development/python-modules/pyrainbird/default.nix b/pkgs/development/python-modules/pyrainbird/default.nix new file mode 100644 index 00000000000..74f0ed630a2 --- /dev/null 
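Review bot: The rewritten comment on the `fetchpatch` no longer explains what the fetched diff is: with `revert = true` it undoes upstream commit `c2f1d5c4`, which the reader has to guess is the change that introduced the atime-dependent test, and the nixpkgs issue link (`https://github.com/NixOS/nixpkgs/issues/104429`) that documented the ZFS failure was dropped along with the `name = "disable-atime-tests.diff"` that made the store path recognisable. Restoring the name and adding `# Revert the upstream commit that added the atime test; see https://github.com/NixOS/nixpkgs/issues/104429` keeps the provenance next to the hash so the next updater can tell whether the revert is still needed. Whether `c2f1d5c4` is indeed the commit that added the test is inferred from the comment, not visible here.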
+++ b/pkgs/development/python-modules/pyrainbird/default.nix @@ -0,0 +1,58 @@ +{ lib +, buildPythonPackage +, fetchFromGitHub +, parameterized +, pycryptodome +, pytestCheckHook +, pythonOlder +, pyyaml +, requests +, responses +, setuptools +}: + +buildPythonPackage rec { + pname = "pyrainbird"; + version = "0.4.3"; + format = "setuptools"; + + disabled = pythonOlder "3.7"; + + src = fetchFromGitHub { + owner = "jbarrancos"; + repo = pname; + rev = version; + hash = "sha256-uRHknWvoPKPu3B5MbSEUlWqBKwAbNMwsgXuf6PZxhkU="; + }; + + propagatedBuildInputs = [ + pycryptodome + pyyaml + requests + setuptools + ]; + + checkInputs = [ + pytestCheckHook + parameterized + responses + ]; + + postPatch = '' + substituteInPlace requirements.txt \ + --replace "datetime" "" + substituteInPlace pytest.ini \ + --replace "--cov=pyrainbird --cov-report=term-missing --pep8 --flakes --mccabe" "" + ''; + + pythonImportsCheck = [ + "pyrainbird" + ]; + + meta = with lib; { + description = "Module to interact with Rainbird controllers"; + homepage = "https://github.com/jbarrancos/pyrainbird/"; + license = with licenses; [ mit ]; + maintainers = with maintainers; [ fab ]; + }; +} diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index df2df3a8333..2f82e821666 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -7701,6 +7701,8 @@ in { py-radix = callPackage ../development/python-modules/py-radix { }; + pyrainbird = callPackage ../development/python-modules/pyrainbird { }; + pyramid_beaker = callPackage ../development/python-modules/pyramid_beaker { }; pyramid = callPackage ../development/python-modules/pyramid { }; From 815f83a01ee32906a5cf06fb0690a3222630d5d8 Mon Sep 17 00:00:00 2001 From: Fabian Affolter Date: Thu, 5 May 2022 16:42:55 +0200 Subject: [PATCH 32/43] home-assistant: update component-packages --- pkgs/servers/home-assistant/component-packages.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/pkgs/servers/home-assistant/component-packages.nix b/pkgs/servers/home-assistant/component-packages.nix index ebd4dcc73b7..d812a227d64 100644 --- a/pkgs/servers/home-assistant/component-packages.nix +++ b/pkgs/servers/home-assistant/component-packages.nix @@ -2122,7 +2122,8 @@ radiotherm ]; "rainbird" = ps: with ps; [ - ]; # missing inputs: pyrainbird + pyrainbird + ]; "raincloud" = ps: with ps; [ ]; # missing inputs: raincloudy "rainforest_eagle" = ps: with ps; [ From 38c5c8c04d6d2eaab7be63d94743960ec12a291a Mon Sep 17 00:00:00 2001 From: Fabian Affolter Date: Thu, 5 May 2022 16:50:44 +0200 Subject: [PATCH 33/43] python310Packages.raincloudy: init at 1.1.1 --- .../python-modules/raincloudy/default.nix | 61 +++++++++++++++++++ pkgs/top-level/python-packages.nix | 2 + 2 files changed, 63 insertions(+) create mode 100644 pkgs/development/python-modules/raincloudy/default.nix diff --git a/pkgs/development/python-modules/raincloudy/default.nix b/pkgs/development/python-modules/raincloudy/default.nix new file mode 100644 index 00000000000..860f9461e44 --- /dev/null +++ b/pkgs/development/python-modules/raincloudy/default.nix 
@@ -0,0 +1,61 @@ +{ lib +, beautifulsoup4 +, buildPythonPackage +, fetchFromGitHub +, html5lib +, pytestCheckHook +, pythonOlder +, requests +, requests-mock +, urllib3 +}: + +buildPythonPackage rec { + pname = "raincloudy"; + version = "1.1.1"; + format = "setuptools"; + + disabled = pythonOlder "3.7"; + + src = fetchFromGitHub { + owner = "vanstinator"; + repo = pname; + rev = version; + hash = "sha256-c6tux0DZY56a4BpuiMXtaqm8+JKNDiyMxrFUju3cp2Y="; + }; + + propagatedBuildInputs = [ + requests + beautifulsoup4 + urllib3 + html5lib + ]; + + checkInputs = [ + pytestCheckHook + requests-mock + ]; + + postPatch = '' + # https://github.com/vanstinator/raincloudy/pull/60 + substituteInPlace setup.py \ + --replace "bs4" "beautifulsoup4" \ + --replace "html5lib==1.0.1" "html5lib" + ''; + + pythonImportsCheck = [ + "raincloudy" + ]; + + disabledTests = [ + # Test requires network access + "test_attributes" + ]; + + meta = with lib; { + description = "Module to interact with Melnor RainCloud Smart Garden Watering Irrigation Timer"; + homepage = "https://github.com/vanstinator/raincloudy"; + license = with licenses; [ asl20 ]; + maintainers = with maintainers; [ fab ]; + }; +} diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index df2df3a8333..9a8336c6791 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -8821,6 +8821,8 @@ in { rainbowstream = callPackage ../development/python-modules/rainbowstream { }; + raincloudy = callPackage ../development/python-modules/raincloudy { }; + ramlfications = callPackage ../development/python-modules/ramlfications { }; random2 = callPackage ../development/python-modules/random2 { }; From ab27f31b98e7ad5f6d8fca45bf7e7aaca3b4c62d Mon Sep 17 00:00:00 2001 
From: Fabian Affolter Date: Thu, 5 May 2022 16:51:02 +0200 Subject: [PATCH 34/43] home-assistant: update component-packages --- pkgs/servers/home-assistant/component-packages.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/servers/home-assistant/component-packages.nix b/pkgs/servers/home-assistant/component-packages.nix index ebd4dcc73b7..497590aef2b 100644 --- a/pkgs/servers/home-assistant/component-packages.nix +++ b/pkgs/servers/home-assistant/component-packages.nix @@ -2124,7 +2124,8 @@ "rainbird" = ps: with ps; [ ]; # missing inputs: pyrainbird "raincloud" = ps: with ps; [ - ]; # missing inputs: raincloudy + raincloudy + ]; "rainforest_eagle" = ps: with ps; [ aioeagle ueagle From 321d31a4aff87cc5ddb28fd06b99c465cbd2ed12 Mon Sep 17 00:00:00 2001 From: Michael Adler Date: Thu, 5 May 2022 11:54:50 +0200 Subject: [PATCH 35/43] iwd: 1.26 -> 1.27 --- pkgs/os-specific/linux/iwd/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/iwd/default.nix b/pkgs/os-specific/linux/iwd/default.nix index bc5811942a5..424a1d1a50e 100644 --- a/pkgs/os-specific/linux/iwd/default.nix +++ b/pkgs/os-specific/linux/iwd/default.nix @@ -12,12 +12,12 @@ stdenv.mkDerivation rec { pname = "iwd"; - version = "1.26"; + version = "1.27"; src = fetchgit { url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git"; rev = version; - sha256 = "sha256-+BciYfb9++u9Ux4AdvPFFIFVq8j+TVoTLKqxzmn5p3o="; + sha256 = "sha256-gN9+9Cc6zjZBXDhcHBH5wyucO5/vL7bKSLWM5laFqaA="; }; outputs = [ "out" "man" "doc" ] From bb117f734884be975a81be01bb3eb9e71934b7c3 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Thu, 5 May 2022 12:33:16 +0000 Subject: [PATCH 36/43] python310Packages.globus-sdk: 3.7.0 -> 3.8.0 --- pkgs/development/python-modules/globus-sdk/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pkgs/development/python-modules/globus-sdk/default.nix b/pkgs/development/python-modules/globus-sdk/default.nix index 88a2c49e052..68209275426 100644 --- a/pkgs/development/python-modules/globus-sdk/default.nix +++ b/pkgs/development/python-modules/globus-sdk/default.nix @@ -13,7 +13,7 @@ buildPythonPackage rec { pname = "globus-sdk"; - version = "3.7.0"; + version = "3.8.0"; format = "setuptools"; disabled = pythonOlder "3.6"; @@ -22,7 +22,7 @@ buildPythonPackage rec { owner = "globus"; repo = "globus-sdk-python"; rev = "refs/tags/${version}"; - hash = "sha256-Us3SCkrBPL3v9YCOQ7ceF3neCUZkJTrchYsvCRSX84Y="; + hash = "sha256-JaAiAAf0zIJDXXl3zb4UE9XpmjZ8KQiEcZJm1ps+efA="; }; propagatedBuildInputs = [ From 38c709720f2864e30beeeddd499b4d3f2930b174 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Thu, 5 May 2022 12:50:23 +0000 Subject: [PATCH 37/43] python310Packages.azure-mgmt-resource: 21.0.0 -> 21.1.0 --- .../python-modules/azure-mgmt-resource/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/azure-mgmt-resource/default.nix b/pkgs/development/python-modules/azure-mgmt-resource/default.nix index 761472b631f..8ac4330b45a 100644 --- a/pkgs/development/python-modules/azure-mgmt-resource/default.nix +++ b/pkgs/development/python-modules/azure-mgmt-resource/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { - version = "21.0.0"; + version = "21.1.0"; pname = "azure-mgmt-resource"; disabled = !isPy3k; src = fetchPypi { inherit pname version; extension = "zip"; - sha256 = "sha256-y9J/UhxwtA/YO/Y88XsStbwD5ecNwrbnpxtevYuQDQM="; + sha256 = "sha256-UpZa3jHNBZ/qKxUT1l/mFgRuQz3g5YPc9cnJvr8+vWk="; }; propagatedBuildInputs = [ From 1d33da66a1bf17e1514d1ff7cb6567b1c0416392 Mon Sep 17 00:00:00 2001 
From: Fabian Affolter
Date: Thu, 5 May 2022 15:01:42 +0200
Subject: [PATCH 38/43] python310Packages.aiolimiter: init at 1.0.0

---
 .../python-modules/aiolimiter/default.nix | 65 +++++++++++++++++++
 pkgs/top-level/python-packages.nix | 2 +
 2 files changed, 67 insertions(+)
 create mode 100644 pkgs/development/python-modules/aiolimiter/default.nix

diff --git a/pkgs/development/python-modules/aiolimiter/default.nix b/pkgs/development/python-modules/aiolimiter/default.nix
new file mode 100644
index 00000000000..9f8f81e2fca
--- /dev/null
+++ b/pkgs/development/python-modules/aiolimiter/default.nix
@@ -0,0 +1,65 @@ +{ lib +, buildPythonPackage +, fetchFromGitHub +, fetchpatch +, poetry-core +, importlib-metadata +, pytest-asyncio +, pytestCheckHook +, pythonOlder +, toml +}: + +buildPythonPackage rec { + pname = "aiolimiter"; + version = "1.0.0"; + format = "pyproject"; + + disabled = pythonOlder "3.7"; + + src = fetchFromGitHub { + owner = "mjpieters"; + repo = pname; + rev = "v${version}"; + sha256 = "sha256-4wByVZoOLhrXFx9oK19GBmRcjGoJolQ3Gwx9vQV/n8s="; + }; + + nativeBuildInputs = [ + poetry-core + ]; + + propagatedBuildInputs = lib.optionals (pythonOlder "3.8") [ + importlib-metadata + ]; + + checkInputs = [ + pytest-asyncio + pytestCheckHook + toml + ]; + + patches = [ + # Switch to poetry-core, https://github.com/mjpieters/aiolimiter/pull/77 + (fetchpatch { + name = "switch-to-peotry-core.patch"; + url = "https://github.com/mjpieters/aiolimiter/commit/84a85eff42621b0daff8fcf6bb485db313faae0b.patch"; + sha256 = "sha256-xUfJwLvMF2Xt/V1bKBFn/fjn1uyw7bGNo9RpWxtyr50="; + }) + ]; + + postPatch = '' + substituteInPlace tox.ini \ + --replace " --cov=aiolimiter --cov-config=tox.ini --cov-report term-missing" "" + ''; + + pythonImportsCheck = [ + "aiolimiter" + ]; + + meta = with lib; { + description = "Implementation of a rate limiter for asyncio"; + homepage = "https://github.com/mjpieters/aiolimiter"; + license = with licenses; [ mit ]; + maintainers = with maintainers; [ fab ]; + }; +} diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 9e06e71c66b..8ebd87e812a 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -344,6 +344,8 @@ in { aiolifx-effects = callPackage ../development/python-modules/aiolifx-effects { }; + aiolimiter = callPackage ../development/python-modules/aiolimiter { }; + aiolip = callPackage ../development/python-modules/aiolip { }; aiolyric = callPackage ../development/python-modules/aiolyric { }; 
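Review bot: The fetched patch is named `switch-to-peotry-core.patch`, a typo for poetry that ends up in the store path name; `name = "switch-to-poetry-core.patch";` corrects it, and because the fetchpatch `sha256` covers the normalised patch content rather than its name, the hash should remain valid. `toml` in checkInputs carries no hint about which test needs it; if it is required by the test suite itself, a short comment such as `# needed by the test suite` next to it would save the next updater from trying to drop it.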
From 6bffe188e6f85409612273a8088817d6833de660 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Thu, 5 May 2022 15:02:57 +0000 Subject: [PATCH 39/43] python310Packages.databricks-connect: 9.1.14 -> 9.1.15 --- .../development/python-modules/databricks-connect/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/databricks-connect/default.nix b/pkgs/development/python-modules/databricks-connect/default.nix index 3475001a58b..1782598efd8 100644 --- a/pkgs/development/python-modules/databricks-connect/default.nix +++ b/pkgs/development/python-modules/databricks-connect/default.nix @@ -9,14 +9,14 @@ buildPythonPackage rec { pname = "databricks-connect"; - version = "9.1.14"; + version = "9.1.15"; format = "setuptools"; disabled = pythonOlder "3.7"; src = fetchPypi { inherit pname version; - sha256 = "sha256-l+mTqiQPuPJfGbEVSILpCTlxAka0GeCgIXjMG4Vs82o="; + sha256 = "sha256-qXS/hgF2qKUtTfo9UZ5KBa9N0PHJqKA8SC/vgE46LmA="; }; sourceRoot = "."; From 974603c931d773dcfb8acf2e355ed8dceeb28e94 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 5 May 2022 18:08:11 +0200 Subject: [PATCH 40/43] ecdsautils: 0.4.0 -> 0.4.1 Fixes psychic papers vulnerability in signature verification. https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-78pw Fixes: CVE-2022-24884 --- pkgs/tools/security/ecdsautils/default.nix | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/pkgs/tools/security/ecdsautils/default.nix b/pkgs/tools/security/ecdsautils/default.nix index 6bdac96811a..0a43260eb83 100644 --- a/pkgs/tools/security/ecdsautils/default.nix +++ b/pkgs/tools/security/ecdsautils/default.nix 
@@ -1,14 +1,17 @@ { lib, stdenv, pkgs }: -stdenv.mkDerivation { - version = "0.4.0"; +let pname = "ecdsautils"; + version = "0.4.1"; +in +stdenv.mkDerivation { + inherit pname version; src = pkgs.fetchFromGitHub { owner = "freifunk-gluon"; - repo = "ecdsautils"; - rev = "07538893fb6c2a9539678c45f9dbbf1e4f222b46"; - sha256 = "18sr8x3qiw8s9l5pfi7r9i3ayplz4jqdml75ga9y933vj7vs0k4d"; + repo = pname; + rev = "v${version}"; + sha256 = "sha256-dv0guQTmot5UO1GkMgzvD6uJFyum5kV89LI3xWS1DZA="; }; nativeBuildInputs = with pkgs; [ cmake pkg-config doxygen ]; @@ -16,7 +19,7 @@ stdenv.mkDerivation { meta = with lib; { description = "Tiny collection of programs used for ECDSA (keygen, sign, verify)"; - homepage = "https://github.com/tcatm/ecdsautils/"; + homepage = "https://github.com/freifunk-gluon/ecdsautils/"; license = with licenses; [ mit bsd2 ]; maintainers = with maintainers; [ ]; platforms = platforms.unix; From 9af7f009d1dbe89a9df5421c0d28ffcd661b1beb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 3 May 2022 02:04:29 +0000 Subject: [PATCH 41/43] python3Packages.azure-mgmt-msi: update propagatedBuildInputs --- .../python-modules/azure-mgmt-msi/default.nix | 15 ++++++++++----- pkgs/tools/admin/azure-cli/python-packages.nix | 15 +++++++++++++-- 2 files changed, 23 insertions(+), 7 deletions(-) diff --git a/pkgs/development/python-modules/azure-mgmt-msi/default.nix b/pkgs/development/python-modules/azure-mgmt-msi/default.nix index 1f1a2dde376..985c9828974 100644 --- a/pkgs/development/python-modules/azure-mgmt-msi/default.nix +++ b/pkgs/development/python-modules/azure-mgmt-msi/default.nix @@ -1,16 +1,20 @@ { lib , buildPythonPackage +, pythonOlder , fetchPypi , msrest -, msrestazure , azure-common -, azure-mgmt-nspkg +, azure-mgmt-core }: buildPythonPackage rec { pname = "azure-mgmt-msi"; version = "6.0.0"; + disabled = pythonOlder "3.6"; + + format = "setuptools"; + src = fetchPypi { inherit pname version; extension = "zip"; 
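Review bot: The version bump is the fix for CVE-2022-24884 according to the commit message, but nothing in the expression records that, so a later pin or revert would silently reintroduce the signature-verification flaw; a one-line comment above `version = "0.4.1";` such as `# 0.4.1 fixes CVE-2022-24884 (GHSA-qhcg-9ffp-78pw); do not pin below this` keeps the reason with the code. Moving `rev` from a bare commit hash to `"v${version}"` is consistent with the rest of the tree, though `"refs/tags/v${version}"` would also rule out any branch/tag ambiguity. The unchanged `maintainers = with maintainers; [ ];` in the context leaves a security-sensitive tool without a maintainer, which is probably worth a separate follow-up.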
@@ -19,9 +23,8 @@ buildPythonPackage rec { propagatedBuildInputs = [ msrest - msrestazure azure-common - azure-mgmt-nspkg + azure-mgmt-core ]; pythonNamespaces = [ "azure.mgmt" ]; @@ -29,9 +32,11 @@ buildPythonPackage rec { # has no tests doCheck = false; + pythonImportsCheck = [ "azure.mgmt.msi" ]; + meta = with lib; { description = "This is the Microsoft Azure MSI Management Client Library"; - homepage = "https://github.com/Azure/azure-sdk-for-python"; + homepage = "https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/resources/azure-mgmt-msi"; license = licenses.mit; maintainers = with maintainers; [ maxwilson ]; }; diff --git a/pkgs/tools/admin/azure-cli/python-packages.nix b/pkgs/tools/admin/azure-cli/python-packages.nix index f746941a953..b65b4a8fbbb 100644 --- a/pkgs/tools/admin/azure-cli/python-packages.nix +++ b/pkgs/tools/admin/azure-cli/python-packages.nix @@ -226,8 +226,19 @@ let azure-mgmt-media = overrideAzureMgmtPackage super.azure-mgmt-media "7.0.0" "zip" "sha256-tF6CpZTtkc1ap6XNXQHwOLesPPEiM+e6K+qqNHeQDo4="; - azure-mgmt-msi = overrideAzureMgmtPackage super.azure-mgmt-msi "0.2.0" "zip" - "0rvik03njz940x2hvqg6iiq8k0d88gyygsr86w8s0sa12sdbq8l6"; + azure-mgmt-msi = super.azure-mgmt-msi.overridePythonAttrs (old: rec { + version = "0.2.0"; + src = old.src.override { + inherit version; + sha256 = "0rvik03njz940x2hvqg6iiq8k0d88gyygsr86w8s0sa12sdbq8l6"; + }; + propagatedBuildInputs = with self; [ + msrest + msrestazure + azure-common + azure-mgmt-nspkg + ]; + }); azure-mgmt-privatedns = overrideAzureMgmtPackage super.azure-mgmt-privatedns "1.0.0" "zip" "b60f16e43f7b291582c5f57bae1b083096d8303e9d9958e2c29227a55cc27c45"; From 3b5fc1fde1c0e5270fae49a30c684553f86be3c5 Mon Sep 17 00:00:00 2001 
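Review bot: The azure-mgmt-msi override in azure-cli/python-packages.nix now hardcodes the legacy dependency list (`msrest msrestazure azure-common azure-mgmt-nspkg`) without saying why it diverges from the package's new `azure-mgmt-core` based inputs; a comment such as `# 0.2.0 predates azure-mgmt-core and still needs msrestazure and azure-mgmt-nspkg` would stop a future cleanup from "fixing" it back to the 6.0.0 list. The `pythonImportsCheck = [ "azure.mgmt.msi" ]` added to default.nix is inherited by this 0.2.0 override through overridePythonAttrs, which presumably passes but should be confirmed with an azure-cli build. The enclosing `let` block of python-packages.nix starts and ends outside the hunk.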
From: Kerstin Humm
Date: Thu, 5 May 2022 12:09:15 +0200
Subject: [PATCH 42/43] kanidm: init at 1.1.0-alpha.8

Co-Authored-By: Martin Weinelt
Co-Authored-By: Flakebi
---
 pkgs/servers/kanidm/default.nix | 89 +++++++++++++++++++++++++++++++++
 pkgs/top-level/all-packages.nix | 2 +
 2 files changed, 91 insertions(+)
 create mode 100644 pkgs/servers/kanidm/default.nix

diff --git a/pkgs/servers/kanidm/default.nix b/pkgs/servers/kanidm/default.nix
new file mode 100644
index 00000000000..f160886fb64
--- /dev/null
+++ b/pkgs/servers/kanidm/default.nix
@@ -0,0 +1,89 @@ +{ stdenv +, lib +, formats +, nixosTests +, rustPlatform +, fetchFromGitHub +, installShellFiles +, pkg-config +, udev +, openssl +, sqlite +, pam +}: + +let + arch = if stdenv.isx86_64 then "x86_64" else "generic"; +in +rustPlatform.buildRustPackage rec { + pname = "kanidm"; + version = "1.1.0-alpha.8"; + + src = fetchFromGitHub { + owner = pname; + repo = pname; + rev = "v${version}"; + sha256 = "sha256-zMtbE6Y9wXFPBqhmiTMJ3m6bLVZl+c6lRY39DWDlJNo="; + }; + + cargoSha256 = "sha256:1l7xqp457zfd9gfjp6f4lzgadfp6112jbip4irazw4084qwj0z6x"; + + KANIDM_BUILD_PROFILE = "release_nixos_${arch}"; + + postPatch = + let + format = (formats.toml { }).generate "${KANIDM_BUILD_PROFILE}.toml"; + profile = { + web_ui_pkg_path = "@web_ui_pkg_path@"; + cpu_flags = if stdenv.isx86_64 then "x86_64_v1" else "none"; + }; + in + '' + cp ${format profile} profiles/${KANIDM_BUILD_PROFILE}.toml + substituteInPlace profiles/${KANIDM_BUILD_PROFILE}.toml \ + --replace '@web_ui_pkg_path@' "$out/ui" + ''; + + nativeBuildInputs = [ + pkg-config + installShellFiles + ]; + + buildInputs = [ + udev + openssl + sqlite + pam + ]; + + # Failing tests, probably due to network issues + checkFlags = [ + "--skip default_entries" + "--skip oauth2_openid_basic_flow" + "--skip test_server" + "--skip test_cache" + ]; + + preFixup = '' + installShellCompletion --bash $releaseDir/build/completions/*.bash + installShellCompletion --zsh $releaseDir/build/completions/_* + + # PAM and NSS need fix library names + mv $out/lib/libnss_kanidm.so $out/lib/libnss_kanidm.so.2 + mv $out/lib/libpam_kanidm.so $out/lib/pam_kanidm.so + + # We don't compile the wasm-part form source, as there isn't a rustc for + # wasm32-unknown-unknown in nixpkgs yet. 
+ cp -r kanidmd_web_ui/pkg $out/ui + ''; + + passthru.tests = { inherit (nixosTests) kanidm; }; + + meta = with lib; { + description = "A simple, secure and fast identity management platform"; + homepage = "https://github.com/kanidm/kanidm"; + license = licenses.mpl20; + platforms = platforms.linux; + maintainers = with maintainers; [ erictapen Flakebi ]; + }; +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index c3118b5a682..1d88af8f45c 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -21845,6 +21845,8 @@ with pkgs; jitsi-videobridge = callPackage ../servers/jitsi-videobridge { }; + kanidm = callPackage ../servers/kanidm { }; + kapowbang = callPackage ../servers/kapowbang { }; keycloak = callPackage ../servers/keycloak { }; From c126babb28f381d307855a633a63595600a61df2 Mon Sep 17 00:00:00 2001 From: Kerstin Humm Date: Thu, 5 May 2022 12:09:42 +0200 Subject: [PATCH 43/43] nixos/kanidm: init Co-Authored-By: Martin Weinelt Co-Authored-By: Flakebi --- .../manual/release-notes/rl-2205.section.md | 2 + nixos/modules/module-list.nix | 1 + nixos/modules/services/security/kanidm.nix | 345 ++++++++++++++++++ nixos/tests/all-tests.nix | 1 + nixos/tests/kanidm.nix | 75 ++++ 5 files changed, 424 insertions(+) create mode 100644 nixos/modules/services/security/kanidm.nix create mode 100644 nixos/tests/kanidm.nix diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 90d22643701..24fbc537dca 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
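Review bot: The web UI served by the identity server is not built from source: preFixup copies the prebuilt `kanidmd_web_ui/pkg` directory from the source checkout into `$out/ui`, so the provenance of that bundle is only as strong as the upstream git tree at `v${version}`, unlike the Rust binaries the derivation compiles itself. The comment there should state this explicitly and name the follow-up, e.g. `# TODO: build the wasm UI from source once a wasm32-unknown-unknown rustc is available in nixpkgs; until then this ships upstream's prebuilt artifact`, and it has a typo (`form source` should read `from source`). `cargoSha256 = "sha256:…"` uses the legacy base32 form while `sha256` in `src` is SRI; the SRI form is the convention for new packages. The four `--skip` filters are attributed to "probably" network issues; recording which tests actually need network (or the observed failure) would keep them from staying skipped longer than necessary.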
@@ -135,6 +135,8 @@ In addition to numerous new and upgraded packages, this release has the followin - [nifi](https://nifi.apache.org), an easy to use, powerful, and reliable system to process and distribute data. Available as [services.nifi](options.html#opt-services.nifi.enable). +- [kanidm](https://kanidm.github.io/kanidm/stable/), an identity management server written in Rust. + ## Backward Incompatibilities {#sec-release-22.05-incompatibilities} diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 9d9f2e9057c..0ccf97234ff 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -975,6 +975,7 @@ ./services/security/hockeypuck.nix ./services/security/hologram-server.nix ./services/security/hologram-agent.nix + ./services/security/kanidm.nix ./services/security/munge.nix ./services/security/nginx-sso.nix ./services/security/oauth2_proxy.nix diff --git a/nixos/modules/services/security/kanidm.nix b/nixos/modules/services/security/kanidm.nix new file mode 100644 index 00000000000..a7c51b9a877 --- /dev/null +++ b/nixos/modules/services/security/kanidm.nix 
@@ -0,0 +1,345 @@ +{ config, lib, options, pkgs, ... }: +let + cfg = config.services.kanidm; + settingsFormat = pkgs.formats.toml { }; + # Remove null values, so we can document optional values that don't end up in the generated TOML file. + filterConfig = lib.converge (lib.filterAttrsRecursive (_: v: v != null)); + serverConfigFile = settingsFormat.generate "server.toml" (filterConfig cfg.serverSettings); + clientConfigFile = settingsFormat.generate "kanidm-config.toml" (filterConfig cfg.clientSettings); + unixConfigFile = settingsFormat.generate "kanidm-unixd.toml" (filterConfig cfg.unixSettings); + + defaultServiceConfig = { + BindReadOnlyPaths = [ + "/nix/store" + "-/etc/resolv.conf" + "-/etc/nsswitch.conf" + "-/etc/hosts" + "-/etc/localtime" + ]; + CapabilityBoundingSet = ""; + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + # Implies ProtectSystem=strict, which re-mounts all paths + # DynamicUser = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateNetwork = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectHome = true; + ProtectHostname = true; + # Would re-mount paths ignored by temporary root + #ProtectSystem = "strict"; + ProtectControlGroups = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ]; + # Does not work well with the temporary root + #UMask = "0066"; + }; + +in +{ + options.services.kanidm = { + enableClient = lib.mkEnableOption "the Kanidm client"; + enableServer = lib.mkEnableOption "the Kanidm server"; + enablePam = lib.mkEnableOption "the Kanidm PAM and NSS 
integration."; + + serverSettings = lib.mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type; + + options = { + bindaddress = lib.mkOption { + description = "Address/port combination the webserver binds to."; + example = "[::1]:8443"; + type = lib.types.str; + }; + # Should be optional but toml does not accept null + ldapbindaddress = lib.mkOption { + description = '' + Address and port the LDAP server is bound to. Setting this to null disables the LDAP interface. + ''; + example = "[::1]:636"; + default = null; + type = lib.types.nullOr lib.types.str; + }; + origin = lib.mkOption { + description = "The origin of your Kanidm instance. Must have https as protocol."; + example = "https://idm.example.org"; + type = lib.types.strMatching "^https://.*"; + }; + domain = lib.mkOption { + description = '' + The domain that Kanidm manages. Must be below or equal to the domain + specified in serverSettings.origin. + This can be left at null, only if your instance has the role ReadOnlyReplica. + While it is possible to change the domain later on, it requires extra steps! + Please consider the warnings and execute the steps described + in the documentation. + ''; + example = "example.org"; + default = null; + type = lib.types.nullOr lib.types.str; + }; + db_path = lib.mkOption { + description = "Path to Kanidm database."; + default = "/var/lib/kanidm/kanidm.db"; + readOnly = true; + type = lib.types.path; + }; + log_level = lib.mkOption { + description = "Log level of the server."; + default = "default"; + type = lib.types.enum [ "default" "verbose" "perfbasic" "perffull" ]; + }; + role = lib.mkOption { + description = "The role of this server. 
This affects the replication relationship and thereby available features."; + default = "WriteReplica"; + type = lib.types.enum [ "WriteReplica" "WriteReplicaNoUI" "ReadOnlyReplica" ]; + }; + }; + }; + default = { }; + description = '' + Settings for Kanidm, see + the documentation + and example configuration + for possible values. + ''; + }; + + clientSettings = lib.mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type; + + options.uri = lib.mkOption { + description = "Address of the Kanidm server."; + example = "http://127.0.0.1:8080"; + type = lib.types.str; + }; + }; + description = '' + Configure Kanidm clients, needed for the PAM daemon. See + the documentation + and example configuration + for possible values. + ''; + }; + + unixSettings = lib.mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type; + + options.pam_allowed_login_groups = lib.mkOption { + description = "Kanidm groups that are allowed to login using PAM."; + example = "my_pam_group"; + type = lib.types.listOf lib.types.str; + }; + }; + description = '' + Configure Kanidm unix daemon. + See the documentation + and example configuration + for possible values. + ''; + }; + }; + + config = lib.mkIf (cfg.enableClient || cfg.enableServer || cfg.enablePam) { + assertions = + [ + { + assertion = !cfg.enableServer || ((cfg.serverSettings.tls_chain or null) == null) || (!lib.isStorePath cfg.serverSettings.tls_chain); + message = '' + points to + a file in the Nix store. You should use a quoted absolute path to + prevent this. + ''; + } + { + assertion = !cfg.enableServer || ((cfg.serverSettings.tls_key or null) == null) || (!lib.isStorePath cfg.serverSettings.tls_key); + message = '' + points to + a file in the Nix store. You should use a quoted absolute path to + prevent this. + ''; + } + { + assertion = !cfg.enableClient || options.services.kanidm.clientSettings.isDefined; + message = '' + needs to be configured + if the client is enabled. 
+ ''; + } + { + assertion = !cfg.enablePam || options.services.kanidm.clientSettings.isDefined; + message = '' + needs to be configured + for the PAM daemon to connect to the Kanidm server. + ''; + } + { + assertion = !cfg.enableServer || (cfg.serverSettings.domain == null + -> cfg.serverSettings.role == "WriteReplica" || cfg.serverSettings.role == "WriteReplicaNoUI"); + message = '' + can only be set if this instance + is not a ReadOnlyReplica. Otherwise the db would inherit it from + the instance it follows. + ''; + } + ]; + + environment.systemPackages = lib.mkIf cfg.enableClient [ pkgs.kanidm ]; + + systemd.services.kanidm = lib.mkIf cfg.enableServer { + description = "kanidm identity management daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = defaultServiceConfig // { + StateDirectory = "kanidm"; + StateDirectoryMode = "0700"; + ExecStart = "${pkgs.kanidm}/bin/kanidmd server -c ${serverConfigFile}"; + User = "kanidm"; + Group = "kanidm"; + + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; + # This would otherwise override the CAP_NET_BIND_SERVICE capability. 
+ PrivateUsers = false; + # Port needs to be exposed to the host network + PrivateNetwork = false; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + TemporaryFileSystem = "/:ro"; + }; + environment.RUST_LOG = "info"; + }; + + systemd.services.kanidm-unixd = lib.mkIf cfg.enablePam { + description = "Kanidm PAM daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + restartTriggers = [ unixConfigFile clientConfigFile ]; + serviceConfig = defaultServiceConfig // { + CacheDirectory = "kanidm-unixd"; + CacheDirectoryMode = "0700"; + RuntimeDirectory = "kanidm-unixd"; + ExecStart = "${pkgs.kanidm}/bin/kanidm_unixd"; + User = "kanidm-unixd"; + Group = "kanidm-unixd"; + + BindReadOnlyPaths = [ + "/nix/store" + "-/etc/resolv.conf" + "-/etc/nsswitch.conf" + "-/etc/hosts" + "-/etc/localtime" + "-/etc/kanidm" + "-/etc/static/kanidm" + ]; + BindPaths = [ + # To create the socket + "/run/kanidm-unixd:/var/run/kanidm-unixd" + ]; + # Needs to connect to kanidmd + PrivateNetwork = false; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + TemporaryFileSystem = "/:ro"; + }; + environment.RUST_LOG = "info"; + }; + + systemd.services.kanidm-unixd-tasks = lib.mkIf cfg.enablePam { + description = "Kanidm PAM home management daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "kanidm-unixd.service" ]; + partOf = [ "kanidm-unixd.service" ]; + restartTriggers = [ unixConfigFile clientConfigFile ]; + serviceConfig = { + ExecStart = "${pkgs.kanidm}/bin/kanidm_unixd_tasks"; + + BindReadOnlyPaths = [ + "/nix/store" + "-/etc/resolv.conf" + "-/etc/nsswitch.conf" + "-/etc/hosts" + "-/etc/localtime" + "-/etc/kanidm" + "-/etc/static/kanidm" + ]; + BindPaths = [ + # To manage home directories + "/home" + # To connect to kanidm-unixd + "/run/kanidm-unixd:/var/run/kanidm-unixd" + ]; + # CAP_DAC_OVERRIDE is needed to ignore ownership of unixd socket + CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_FOWNER" "CAP_DAC_OVERRIDE" 
"CAP_DAC_READ_SEARCH" ]; + IPAddressDeny = "any"; + # Need access to users + PrivateUsers = false; + # Need access to home directories + ProtectHome = false; + RestrictAddressFamilies = [ "AF_UNIX" ]; + TemporaryFileSystem = "/:ro"; + }; + environment.RUST_LOG = "info"; + }; + + # These paths are hardcoded + environment.etc = lib.mkMerge [ + (lib.mkIf options.services.kanidm.clientSettings.isDefined { + "kanidm/config".source = clientConfigFile; + }) + (lib.mkIf cfg.enablePam { + "kanidm/unixd".source = unixConfigFile; + }) + ]; + + system.nssModules = lib.mkIf cfg.enablePam [ pkgs.kanidm ]; + + system.nssDatabases.group = lib.optional cfg.enablePam "kanidm"; + system.nssDatabases.passwd = lib.optional cfg.enablePam "kanidm"; + + users.groups = lib.mkMerge [ + (lib.mkIf cfg.enableServer { + kanidm = { }; + }) + (lib.mkIf cfg.enablePam { + kanidm-unixd = { }; + }) + ]; + users.users = lib.mkMerge [ + (lib.mkIf cfg.enableServer { + kanidm = { + description = "Kanidm server"; + isSystemUser = true; + group = "kanidm"; + packages = with pkgs; [ kanidm ]; + }; + }) + (lib.mkIf cfg.enablePam { + kanidm-unixd = { + description = "Kanidm PAM daemon"; + isSystemUser = true; + group = "kanidm-unixd"; + }; + }) + ]; + }; + + meta.maintainers = with lib.maintainers; [ erictapen Flakebi ]; + meta.buildDocsInSandbox = false; +} diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index dda1c41f969..0c085b64efa 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -253,6 +253,7 @@ in k3s-single-node = handleTest ./k3s-single-node.nix {}; k3s-single-node-docker = handleTest ./k3s-single-node-docker.nix {}; kafka = handleTest ./kafka.nix {}; + kanidm = handleTest ./kanidm.nix {}; kbd-setfont-decompress = handleTest ./kbd-setfont-decompress.nix {}; kbd-update-search-paths-patch = handleTest ./kbd-update-search-paths-patch.nix {}; kea = handleTest ./kea.nix {}; 
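Review bot: The domain/role assertion in the `config` block is inverted relative to both its own message and the option description: `domain == null -> role == "WriteReplica" || role == "WriteReplicaNoUI"` fails for a ReadOnlyReplica that leaves `domain` at null (the configuration the description says is allowed) and passes for a ReadOnlyReplica that sets it. The message ("can only be set if this instance is not a ReadOnlyReplica") corresponds to `assertion = !cfg.enableServer || (cfg.serverSettings.domain != null -> cfg.serverSettings.role != "ReadOnlyReplica");`, and if the stricter reading of the description is intended (write replicas must set it), `(cfg.serverSettings.domain == null) == (cfg.serverSettings.role == "ReadOnlyReplica")` expresses that. Separately, the kanidm unit runs under `TemporaryFileSystem = "/:ro"` with only `/nix/store`, a handful of `/etc` files and its StateDirectory visible, while the tls_chain/tls_key assertions require those files to live outside the store; as far as I can tell a configured TLS key is therefore unreadable by the service unless the operator also extends `serviceConfig.BindReadOnlyPaths`, so either append the two paths with `lib.optional` when they are set or state the requirement in the serverSettings description.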
diff --git a/nixos/tests/kanidm.nix b/nixos/tests/kanidm.nix
new file mode 100644
index 00000000000..d34f680f522
--- /dev/null
+++ b/nixos/tests/kanidm.nix
@@ -0,0 +1,75 @@ +import ./make-test-python.nix ({ pkgs, ... }: + let + certs = import ./common/acme/server/snakeoil-certs.nix; + serverDomain = certs.domain; + in + { + name = "kanidm"; + meta.maintainers = with pkgs.lib.maintainers; [ erictapen Flakebi ]; + + nodes.server = { config, pkgs, lib, ... }: { + services.kanidm = { + enableServer = true; + serverSettings = { + origin = "https://${serverDomain}"; + domain = serverDomain; + bindaddress = "[::1]:8443"; + ldapbindaddress = "[::1]:636"; + }; + }; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + virtualHosts."${serverDomain}" = { + forceSSL = true; + sslCertificate = certs."${serverDomain}".cert; + sslCertificateKey = certs."${serverDomain}".key; + locations."/".proxyPass = "http://[::1]:8443"; + }; + }; + + security.pki.certificateFiles = [ certs.ca.cert ]; + + networking.hosts."::1" = [ serverDomain ]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + users.users.kanidm.shell = pkgs.bashInteractive; + + environment.systemPackages = with pkgs; [ kanidm openldap ripgrep ]; + }; + + nodes.client = { pkgs, nodes, ... }: { + services.kanidm = { + enableClient = true; + clientSettings = { + uri = "https://${serverDomain}"; + }; + }; + + networking.hosts."${nodes.server.config.networking.primaryIPAddress}" = [ serverDomain ]; + + security.pki.certificateFiles = [ certs.ca.cert ]; + }; + + testScript = { nodes, ... }: + let + ldapBaseDN = builtins.concatStringsSep "," (map (s: "dc=" + s) (pkgs.lib.splitString "." serverDomain)); + + # We need access to the config file in the test script. 
+ filteredConfig = pkgs.lib.converge + (pkgs.lib.filterAttrsRecursive (_: v: v != null)) + nodes.server.config.services.kanidm.serverSettings; + serverConfigFile = (pkgs.formats.toml { }).generate "server.toml" filteredConfig; + + in + '' + start_all() + server.wait_for_unit("kanidm.service") + server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm") + server.wait_until_succeeds("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'") + client.wait_until_succeeds("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}") + (rv, result) = server.execute("kanidmd recover_account -d quiet -c ${serverConfigFile} -n admin 2>&1 | rg -o '[A-Za-z0-9]{48}'") + assert rv == 0 + ''; + })
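Review bot: `result` from the `kanidmd recover_account` call is captured but never used, so the test only checks that something matching `[A-Za-z0-9]{48}` was printed; `rv` is the status of the last command in the pipeline (`rg`) unless the driver's shell sets pipefail, so a failing `kanidmd` that still emits a 48-character token would pass. Using the recovered password to log in as admin from the client node would turn this into a real end-to-end check of the recovery path; the exact non-interactive login form of the CLI should be confirmed first. `ldapbindaddress = "[::1]:636"` is served without TLS here (the test queries `ldap://`, and nginx terminates TLS only for HTTP), which is fine for a loopback-only test but deserves a comment such as `# loopback only; production deployments must configure tls_chain/tls_key` so the configuration is not copied as-is.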