Merge master into haskell-updates

doc/doc-support/default.nix

@@ -23,6 +23,14 @@ let
       <xsl:import href="${./parameters.xml}"/>
     </xsl:stylesheet>
   '';
+
+  # NB: This file describes the Nixpkgs manual, which happens to use module
+  #     docs infra originally developed for NixOS.
+  optionsDoc = pkgs.nixosOptionsDoc {
+    inherit (pkgs.lib.evalModules { modules = [ ../../pkgs/top-level/config.nix ]; }) options;
+    documentType = "none";
+  };
+
 in pkgs.runCommand "doc-support" {}
 ''
   mkdir result
@@ -30,6 +38,7 @@ in pkgs.runCommand "doc-support" {}
     cd result
     ln -s ${locationsXml} ./function-locations.xml
     ln -s ${functionDocs} ./function-docs
+    ln -s ${optionsDoc.optionsDocBook} ./config-options.docbook.xml
 
     ln -s ${pkgs.docbook5}/xml/rng/docbook/docbook.rng ./docbook.rng
     ln -s ${pkgs.docbook_xsl_ns}/xml/xsl ./xsl

doc/using/configuration.chapter.md

@@ -164,6 +164,14 @@ There are several ways to tweak how Nix handles a package which has been marked
 
     Note that `permittedInsecurePackages` is only checked if `allowInsecurePredicate` is not specified.
 
+### `config` Options Reference
+
+The following attributes can be passed in [`config`](#chap-packageconfig).
+
+```{=docbook}
+<include xmlns="http://www.w3.org/2001/XInclude" href="../doc-support/result/config-options.docbook.xml"/>
+```
+
 ## Modify packages via `packageOverrides` {#sec-modify-via-packageOverrides}
 
 You can define a function called `packageOverrides` in your local `~/.config/nixpkgs/config.nix` to override Nix packages. It must be a function that takes pkgs as an argument and returns a modified set of packages.

maintainers/maintainer-list.nix

@@ -6715,13 +6715,13 @@
     name = "Jim Fowler";
   };
   kittywitch = {
-    email = "kat@kittywit.ch";
+    email = "kat@inskip.me";
     github = "kittywitch";
     githubId = 67870215;
-    name = "kat witch";
+    name = "Kat Inskip";
     keys = [{
-      longkeyid = "rsa4096/0x7248991EFA8EFBEE";
-      fingerprint = "01F5 0A29 D4AA 9117 5A11  BDB1 7248 991E FA8E FBEE";
+      longkeyid = "rsa4096/0xE8DDE3ED1C90F3A0";
+      fingerprint = "9CC6 44B5 69CD A59B C874  C4C9 E8DD E3ED 1C90 F3A0";
     }];
   };
   kiwi = {

nixos/lib/make-options-doc/default.nix

@@ -20,6 +20,8 @@
 , lib
 , options
 , transformOptions ? lib.id  # function for additional tranformations of the options
+, documentType ? "appendix" # TODO deprecate "appendix" in favor of "none"
+                            #      and/or rename function to moduleOptionDoc for clean slate
 , revision ? "" # Specify revision for the options
 # a set of options the docs we are generating will be merged into, as if by recursiveUpdate.
 # used to split the options doc build into a static part (nixos/modules) and a dynamic part
@@ -161,6 +163,7 @@ in rec {
 
     ${pkgs.python3Minimal}/bin/python ${./sortXML.py} $optionsXML sorted.xml
     ${pkgs.libxslt.bin}/bin/xsltproc \
+      --stringparam documentType '${documentType}' \
       --stringparam revision '${revision}' \
       -o intermediate.xml ${./options-to-docbook.xsl} sorted.xml
     ${pkgs.libxslt.bin}/bin/xsltproc \

nixos/lib/make-options-doc/options-to-docbook.xsl

@@ -12,12 +12,25 @@
   <xsl:output method='xml' encoding="UTF-8" />
 
   <xsl:param name="revision" />
+  <xsl:param name="documentType" />
   <xsl:param name="program" />
 
 
   <xsl:template match="/expr/list">
-    <appendix xml:id="appendix-configuration-options">
-      <title>Configuration Options</title>
+    <xsl:choose>
+      <xsl:when test="$documentType = 'appendix'">
+        <appendix xml:id="appendix-configuration-options">
+          <title>Configuration Options</title>
+          <xsl:call-template name="variable-list"/>
+        </appendix>
+      </xsl:when>
+      <xsl:otherwise>
+        <xsl:call-template name="variable-list"/>
+      </xsl:otherwise>
+    </xsl:choose>
+  </xsl:template>
+
+  <xsl:template name="variable-list">
       <variablelist xml:id="configuration-variable-list">
         <xsl:for-each select="attrs">
           <xsl:variable name="id" select="
@@ -102,7 +115,6 @@
         </xsl:for-each>
 
       </variablelist>
-    </appendix>
   </xsl:template>
 
 

nixos/modules/services/networking/uptermd.nix

@@ -85,6 +85,7 @@ in
         AmbientCapabilities = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
         CapabilityBoundingSet = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
         PrivateUsers = cfg.port >= 1024;
+        DynamicUser = true;
         LockPersonality = true;
         MemoryDenyWriteExecute = true;
         PrivateDevices = true;
@@ -95,7 +96,9 @@ in
         ProtectKernelLogs = true;
         ProtectKernelModules = true;
         ProtectKernelTunables = true;
-        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        ProtectProc = "invisible";
+        # AF_UNIX is for ssh-keygen, which relies on nscd to resolve the uid to a user
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
         RestrictNamespaces = true;
         RestrictRealtime = true;
         SystemCallArchitectures = "native";

nixos/tests/uptermd.nix

@@ -30,11 +30,14 @@ in
     server.wait_for_unit("uptermd.service")
     server.wait_for_unit("network-online.target")
 
+    # wait for upterm port to be reachable
+    client1.wait_until_succeeds("nc -z -v server 1337")
+
     # Add SSH hostkeys from the server to both clients
     # uptermd needs an '@cert-authority entry so we need to modify the known_hosts file
-    client1.execute("sleep 3; mkdir -p ~/.ssh && ssh -o StrictHostKeyChecking=no -p 1337 server ls")
+    client1.execute("mkdir -p ~/.ssh && ssh -o StrictHostKeyChecking=no -p 1337 server ls")
     client1.execute("echo @cert-authority $(cat ~/.ssh/known_hosts) > ~/.ssh/known_hosts")
-    client2.execute("sleep 3; mkdir -p ~/.ssh && ssh -o StrictHostKeyChecking=no -p 1337 server ls")
+    client2.execute("mkdir -p ~/.ssh && ssh -o StrictHostKeyChecking=no -p 1337 server ls")
     client2.execute("echo @cert-authority $(cat ~/.ssh/known_hosts) > ~/.ssh/known_hosts")
 
     client1.wait_for_unit("multi-user.target")

pkgs/applications/emulators/bsnes/bsnes-hd/default.nix

@@ -1,9 +1,10 @@
 { lib, stdenv, fetchFromGitHub
 , pkg-config
+, wrapGAppsHook
 , libX11, libXv
 , udev
 , SDL2
-, gtk2, gtksourceview
+, gtk3, gtksourceview3
 , alsa-lib, libao, openal, libpulseaudio
 , libicns, Cocoa, OpenAL
 }:
@@ -34,16 +35,23 @@ stdenv.mkDerivation {
     ./macos-copy-app-to-prefix.patch
   ];
 
-  nativeBuildInputs = [ pkg-config ]
+  nativeBuildInputs = [ pkg-config wrapGAppsHook ]
     ++ lib.optionals stdenv.isDarwin [ libicns ];
 
   buildInputs = [ SDL2 libao ]
-    ++ lib.optionals stdenv.isLinux [ libX11 libXv udev gtk2 gtksourceview alsa-lib openal libpulseaudio ]
+    ++ lib.optionals stdenv.isLinux [ libX11 libXv udev gtk3 gtksourceview3 alsa-lib openal libpulseaudio ]
     ++ lib.optionals stdenv.isDarwin [ Cocoa OpenAL ];
 
   enableParallelBuilding = true;
 
-  makeFlags = [ "-C" "bsnes" "prefix=$(out)" ];
+  makeFlags = [ "-C" "bsnes" "hiro=gtk3" "prefix=$(out)" ];
+
+  # https://github.com/bsnes-emu/bsnes/issues/107
+  preFixup = ''
+    gappsWrapperArgs+=(
+      --prefix GDK_BACKEND : x11
+    )
+  '';
 
   meta = with lib; {
     description = "A fork of bsnes that adds HD video features";
@@ -51,5 +59,6 @@ stdenv.mkDerivation {
     license = licenses.gpl3Only;
     maintainers = with maintainers; [ stevebob ];
     platforms = platforms.unix;
+    mainProgram = "bsnes";
   };
 }

pkgs/applications/misc/octoprint/default.nix

@@ -74,13 +74,13 @@ let
           self: super: {
             octoprint = self.buildPythonPackage rec {
               pname = "OctoPrint";
-              version = "1.8.0rc5";
+              version = "1.8.0";
 
               src = fetchFromGitHub {
                 owner = "OctoPrint";
                 repo = "OctoPrint";
                 rev = version;
-                sha256 = "sha256-FeT45w6VXaFV4BsuOMk58nxxiu9jhCNnA2F7Uh/3sB0=";
+                sha256 = "sha256-GDKXHLigMAork+KAFOs8znNhaTYVTWVB2Tb+4sAqF8o=";
               };
 
               propagatedBuildInputs = with super; [

pkgs/applications/misc/tilemaker/default.nix

@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchFromGitHub, buildPackages, cmake, installShellFiles
+, boost, lua, protobuf, rapidjson, shapelib, sqlite, zlib }:
+
+stdenv.mkDerivation rec {
+  pname = "tilemaker";
+  version = "2.2.0";
+
+  src = fetchFromGitHub {
+    owner = "systemed";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-st6WDCk1RZ2lbfrudtcD+zenntyTMRHrIXw3nX5FHOU=";
+  };
+
+  postPatch = ''
+    substituteInPlace src/tilemaker.cpp \
+      --replace "config.json" "$out/share/tilemaker/config-openmaptiles.json" \
+      --replace "process.lua" "$out/share/tilemaker/process-openmaptiles.lua"
+  '';
+
+  nativeBuildInputs = [ cmake installShellFiles ];
+
+  buildInputs = [ boost lua protobuf rapidjson shapelib sqlite zlib ];
+
+  cmakeFlags = lib.optional (stdenv.hostPlatform != stdenv.buildPlatform)
+    "-DPROTOBUF_PROTOC_EXECUTABLE=${buildPackages.protobuf}/bin/protoc";
+
+  postInstall = ''
+    installManPage ../docs/man/tilemaker.1
+    install -Dm644 ../resources/* -t $out/share/tilemaker
+  '';
+
+  meta = with lib; {
+    description = "Make OpenStreetMap vector tiles without the stack";
+    homepage = "https://tilemaker.org/";
+    license = licenses.free; # FTWPL
+    maintainers = with maintainers; [ sikmir ];
+    platforms = platforms.unix;
+  };
+}

pkgs/applications/networking/cluster/terraform/default.nix

@@ -63,10 +63,11 @@ let
           kalbasit
           marsam
           maxeaubrey
-          techknowlogick
           timstott
+          zimbatm
           zowoq
-        ] ++ teams.numtide.members;
+          techknowlogick
+        ];
       };
     } // attrs');
 

pkgs/applications/networking/instant-messengers/deltachat-cursed/default.nix

@@ -1,9 +1,6 @@
 { lib
 , python3
 , fetchFromGitHub
-, wrapGAppsHook
-, gobject-introspection
-, libnotify
 }:
 
 python3.pkgs.buildPythonApplication rec {
@@ -19,29 +16,16 @@ python3.pkgs.buildPythonApplication rec {
 
   nativeBuildInputs = [
     python3.pkgs.setuptools-scm
-    wrapGAppsHook
   ];
 
   SETUPTOOLS_SCM_PRETEND_VERSION = version;
 
-  buildInputs = [
-    gobject-introspection
-    libnotify
-  ];
-
   propagatedBuildInputs = with python3.pkgs; [
     deltachat
     notify-py
-    pygobject3
     urwid-readline
   ];
 
-  dontWrapGApps = true;
-
-  preFixup = ''
-    makeWrapperArgs+=("''${gappsWrapperArgs[@]}")
-  '';
-
   doCheck = false; # no tests implemented
 
   meta = with lib; {

pkgs/applications/networking/protocol/default.nix

@@ -1,8 +1,12 @@
-{ lib, buildPythonApplication, fetchFromGitHub }:
+{ lib
+, python3
+, fetchFromGitHub
+}:
 
-buildPythonApplication {
-  pname = "protocol-unstable";
-  version = "2019-03-28";
+python3.pkgs.buildPythonApplication rec {
+  pname = "protocol";
+  version = "unstable-2019-03-28";
+  format = "setuptools";
 
   src = fetchFromGitHub {
     owner = "luismartingarcia";
@@ -11,10 +15,15 @@ buildPythonApplication {
     sha256 = "13l10jhf4vghanmhh3pn91b2jdciispxy0qadz4n08blp85qn9cm";
   };
 
+  postPatch = ''
+    substituteInPlace setup.py \
+      --replace "scripts=['protocol', 'constants.py', 'specs.py']" "scripts=['protocol'], py_modules=['constants', 'specs']"
+  '';
+
   meta = with lib; {
-    description = "An ASCII Header Generator for Network Protocols";
+    description = "ASCII Header Generator for Network Protocols";
     homepage = "https://github.com/luismartingarcia/protocol";
-    license = licenses.gpl3;
+    license = licenses.gpl3Plus;
     maintainers = with maintainers; [ teto ];
   };
 }

pkgs/development/interpreters/bats/default.nix

@@ -18,13 +18,13 @@
 
 resholve.mkDerivation rec {
   pname = "bats";
-  version = "1.6.0";
+  version = "1.7.0";
 
   src = fetchFromGitHub {
     owner = "bats-core";
     repo = "bats-core";
     rev = "v${version}";
-    sha256 = "sha256-s+SAqX70WeTz6s5ObXYFBVPVUEqvD1d7AX2sGHkjVQ4=";
+    sha256 = "sha256-joNne/dDVCNtzdTQ64rK8GimT+DOWUa7f410hml2s8Q=";
   };
 
   patchPhase = ''
@@ -77,6 +77,8 @@ resholve.mkDerivation rec {
           "${placeholder "out"}/lib/bats-core/common.bash"
           "${placeholder "out"}/lib/bats-core/semaphore.bash"
           "${placeholder "out"}/lib/bats-core/formatter.bash"
+          "${placeholder "out"}/lib/bats-core/warnings.bash"
+          "$setup_suite_file" # via cli arg
         ];
         "$report_formatter" = true;
         "$formatter" = true;
@@ -105,6 +107,7 @@ resholve.mkDerivation rec {
 
   passthru.tests.upstream = bats.unresholved.overrideAttrs (old: {
     name = "${bats.name}-tests";
+    dontInstall = true; # just need the build directory
     installCheckInputs = [
       ncurses
       parallel # skips some tests if it can't detect
@@ -115,8 +118,6 @@ resholve.mkDerivation rec {
     installCheckPhase = ''
       # TODO: cut if https://github.com/bats-core/bats-core/issues/418 allows
       sed -i '/test works even if PATH is reset/a skip "disabled for nix build"' test/bats.bats
-      # TODO: cut when https://github.com/bats-core/bats-core/pull/554 allows
-      substituteInPlace test/parallel.bats --replace '&& type -p shlock' '|| type -p shlock'
 
       # skip tests that assume bats `install.sh` will be in BATS_ROOT
       rm test/root.bats
@@ -126,7 +127,6 @@ resholve.mkDerivation rec {
         "/usr/bin/env bash" "${bash}/bin/bash"
 
       ${bats}/bin/bats test
-      rm -rf $out
       touch $out
     '';
   });

pkgs/development/libraries/libdeltachat/default.nix

@@ -17,13 +17,13 @@
 
 stdenv.mkDerivation rec {
   pname = "libdeltachat";
-  version = "1.80.0";
+  version = "1.82.0";
 
   src = fetchFromGitHub {
     owner = "deltachat";
     repo = "deltachat-core-rust";
     rev = version;
-    hash = "sha256-4b2tf7QmLQ5ltnkxUGCwA1TZSQRoyKaRGcxBxbSKDaE=";
+    hash = "sha256-cc5DFQucG1b+1QN0HTJLKAfCF3UvRunL07d4WdT6368=";
   };
 
   patches = [
@@ -33,7 +33,7 @@ stdenv.mkDerivation rec {
   cargoDeps = rustPlatform.fetchCargoTarball {
     inherit src;
     name = "${pname}-${version}";
-    hash = "sha256-t1/xztmiuJMqNkIe7cBzO7MaZQb6GtnIX5wxEpC+IFo=";
+    hash = "sha256-WYjTpHTYJGqvsUI8De6+tGgjYY1nKqPyfKP9IdZfrNY=";
   };
 
   nativeBuildInputs = [

pkgs/development/libraries/precice/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "precice";
-  version = "2.3.0";
+  version = "2.4.0";
 
   src = fetchFromGitHub {
     owner = "precice";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256:0p8d2xf4bl41b30yp38sqyp4fipwgcdhl0khxcv5g69fxvz2i2il";
+    sha256 = "0qmwdxpbmy4dvjxav3dls18qns734j0yfvxvjrh1nnkk36qhfp3q";
   };
 
   cmakeFlags = [

pkgs/development/python-modules/azure-mgmt-servicelinker/default.nix

@@ -8,11 +8,11 @@
 
 buildPythonPackage rec {
   pname = "azure-mgmt-servicelinker";
-  version = "1.0.0";
+  version = "1.1.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-lAjgwEa2TJDEUU8pwfwkU8EyA1bhLkcAv++I6WHb7Xs=";
+    sha256 = "sha256-QVw6Y9HachwBRwCbF0cSGLCAkSJtNnXBvsj5YX1TmJU=";
     extension = "zip";
   };
 

pkgs/development/python-modules/fastavro/default.nix

@@ -15,14 +15,14 @@
 
 buildPythonPackage rec {
   pname = "fastavro";
-  version = "1.4.11";
+  version = "1.4.12";
 
   disabled = pythonOlder "3.6";
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = "refs/tags/${version}";
-    sha256 = "sha256-PK8+NFJurJ0nD5coEFj8lXWg4VMcpX0954qDb1GW6Gk=";
+    sha256 = "sha256-t3SM7pTsl3JLWeJSESzXGONyjufwCHMaqK95JI3isYY=";
   };
 
   preBuild = ''

pkgs/development/python-modules/pydy/default.nix

@@ -6,31 +6,38 @@
 , numpy
 , scipy
 , sympy
+, pytestCheckHook
 }:
 
 buildPythonPackage rec {
   pname = "pydy";
   version = "0.6.0";
+  format = "setuptools";
 
   src = fetchPypi {
     inherit pname version;
     sha256 = "sha256-e/Ssfd5llioA7ccLULlRdHR113IbR4AJ4/HmzQuU7vI=";
   };
 
-  checkInputs = [
-    nose
-    cython
-  ];
-
   propagatedBuildInputs = [
     numpy
     scipy
     sympy
   ];
 
-  checkPhase = ''
-    nosetests
-  '';
+  checkInputs = [
+    nose
+    cython
+    pytestCheckHook
+  ];
+
+  disabledTests = [
+    # Tests not fixed yet. Check https://github.com/pydy/pydy/issues/465
+    "test_generate_cse"
+    "test_generate_code_blocks"
+    "test_doprint"
+    "test_OctaveMatrixGenerator"
+  ];
 
   meta = with lib; {
     description = "Python tool kit for multi-body dynamics";

pkgs/development/python-modules/pyfzf/default.nix

@@ -0,0 +1,39 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, fzf
+, pythonOlder
+}:
+
+buildPythonPackage rec {
+  pname = "pyfzf";
+  version = "0.3.1";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
+
+  src = fetchFromGitHub {
+    owner = "nk412";
+    repo = pname;
+    rev = version;
+    hash = "sha256-w+ZjQGFd/lR2TiTHc2uQSJXORmzJJZXsr9BO4PIw/Co=";
+  };
+
+  propagatedBuildInputs = [
+    fzf
+  ];
+
+  pythonImportsCheck = [
+    "pyfzf"
+  ];
+
+  # Module has no tests
+  doCheck = false;
+
+  meta = with lib; {
+    description = "Wrapper for fzf";
+    homepage = "https://github.com/nk412/pyfzf";
+    license = licenses.mit;
+    maintainers = with maintainers; [ fab ];
+  };
+}

pkgs/development/python-modules/scikit-build/default.nix

@@ -1,7 +1,6 @@
 { lib
 , buildPythonPackage
 , fetchPypi
-, fetchpatch
 , distro
 , packaging
 , python
@@ -24,21 +23,14 @@
 
 buildPythonPackage rec {
   pname = "scikit-build";
-  version = "0.14.1";
+  version = "0.15.0";
   format = "pyproject";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-Fwc9g3tWVRvt6Pa++utOuj2UM15ZAjmELjZg8HY6CRo=";
+    sha256 = "sha256-5yPNDzSJoEI3C56piLu5z9dyXoslsgyhx5gYIfz2X7k=";
   };
 
-  patches = [
-    (fetchpatch {
-      url = "https://github.com/scikit-build/scikit-build/commit/59cf7a5b09a71d418947db3c9d487471c4573a24.patch";
-      sha256 = "sha256-oQllX3qzwWwllczXUMObrwndCfvMdS5FulEhbBORAks=";
-    })
-  ];
-
   propagatedBuildInputs = [
     distro
     packaging

pkgs/os-specific/linux/batman-adv/default.nix

@@ -16,19 +16,6 @@ stdenv.mkDerivation rec {
     sha256 = cfg.sha256.${pname};
   };
 
-  patches = [
-    #  batman-adv: make mc_forwarding atomic
-    (fetchpatch {
-      url = "https://git.open-mesh.org/batman-adv.git/blobdiff_plain/c142c00f6b1a2ad5f5d74202fb1249e6a6575407..56db7c0540e733a1f063ccd6bab1b537a80857eb:/net/batman-adv/multicast.c";
-      hash = "sha256-2zXg8mZ3/iK9E/kyn+wHSrlLq87HuK72xuXojQ9KjkI=";
-    })
-    #  batman-adv: compat: Add atomic mc_fowarding support for stable kernels
-    (fetchpatch {
-      url = "https://git.open-mesh.org/batman-adv.git/blobdiff_plain/f07a0c37ab278fb6a9e95cad89429b1282f1ab59..350adcaec82fbaa358a2406343b6130ac8dad126:/net/batman-adv/multicast.c";
-      hash = "sha256-r/Xp5bmDo9GVfAF6bn2Xq+cOq5ddQe+D5s/h37uI6bM=";
-    })
-  ];
-
   nativeBuildInputs = kernel.moduleBuildDependencies;
   makeFlags = kernel.makeFlags ++ [
     "KERNELPATH=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"

pkgs/os-specific/linux/batman-adv/version.nix

@@ -1,9 +1,9 @@
 {
-  version = "2022.0";
+  version = "2022.1";
 
   sha256 = {
-    batman-adv = "sha256-STOHBbwgdwmshNdmaI5wJXEAnIJ8CjIHiOpR+4h3FKo=";
-    alfred = "sha256-q7odrGHsz81jKeczHQVV/syTd2D7NsbPVc5sHXUc/Zg=";
-    batctl = "sha256-iTlm+aLWpQch3hJM5i2l096cIOBVdspIK8VwTMWm9z0=";
+    batman-adv = "sha256-bQQdNTCr1LJJq/Wpb8Ki4kFDG/lEO1R/2yWi2P0ymkA=";
+    alfred = "sha256-OgrCuybgyz8nMtSHNmmgoi6YJej5qOerrJhjY/J1CX8=";
+    batctl = "sha256-h+iak4lxuGJCJoG7NBBOmytLZRLR0WXelTYw3zjWGmg=";
   };
 }

pkgs/os-specific/linux/kernel/hardened/patches.json

@@ -2,61 +2,61 @@
     "4.14": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-4.14.278-hardened1.patch",
-            "sha256": "10sihdsfc7zcn2n70gym790ql5lkgiy1q7lv7vavyxbg3j6yzayb",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.278-hardened1/linux-hardened-4.14.278-hardened1.patch"
+            "name": "linux-hardened-4.14.280-hardened1.patch",
+            "sha256": "0hkn7rbgvnv9v7pzrg5g6ygmdzlrjl3yama9kp9aw0xw2akghmb4",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.280-hardened1/linux-hardened-4.14.280-hardened1.patch"
         },
-        "sha256": "1glb6z3nicd2lzhvwcqj54642agk0bbg022wnc3ckld5ngpd9miw",
-        "version": "4.14.278"
+        "sha256": "01jr0f7mq919s7xxvv8sc1mg6isc1ggij33l2s0n6jvykm23ghrr",
+        "version": "4.14.280"
     },
     "4.19": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-4.19.242-hardened1.patch",
-            "sha256": "05fmppfvimppvqi1ghvg43jz8sdd56dffvy9sazpl53vpz3bysy6",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.242-hardened1/linux-hardened-4.19.242-hardened1.patch"
+            "name": "linux-hardened-4.19.244-hardened1.patch",
+            "sha256": "063q4vd0spk602s4if751341jaansh0764qq7fhy764j31678n0j",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.244-hardened1/linux-hardened-4.19.244-hardened1.patch"
         },
-        "sha256": "18k5fbzclk7g657bs8idwqjk7hakzx6256b1a3506sy29q4zvg2r",
-        "version": "4.19.242"
+        "sha256": "1g9562v6ny196rw2n3kj43nrz65qa7imwnmfasvj6x8fm8bdhz79",
+        "version": "4.19.244"
     },
     "5.10": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.10.115-hardened1.patch",
-            "sha256": "09sgj4wrsi5j5hz8k3zs8zxq4g0a27dnhpjs1nxvqdz6b8f4xkap",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.115-hardened1/linux-hardened-5.10.115-hardened1.patch"
+            "name": "linux-hardened-5.10.117-hardened1.patch",
+            "sha256": "1l53sjknm8q76r1jljm321cmh6ic36pc9w5rmi68lbds19ndfpx3",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.117-hardened1/linux-hardened-5.10.117-hardened1.patch"
         },
-        "sha256": "0w9gwizyqjgsj93dqqvlh6bqkmpzjajhj09319nqncc95yrigr7m",
-        "version": "5.10.115"
+        "sha256": "1iyw3nmsga2binmrhfnzsf1pvn2bs21a8jw6vm89k26z5h8zfgkh",
+        "version": "5.10.117"
     },
     "5.15": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.15.39-hardened1.patch",
-            "sha256": "137zp9z15adf464awh5cl371qvhv2c79yfnva3k31zp0ivjb7kgg",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.39-hardened1/linux-hardened-5.15.39-hardened1.patch"
+            "name": "linux-hardened-5.15.41-hardened1.patch",
+            "sha256": "1y98rvn4qyx8w8bjchfzsd7g9gkhfm20cwaj3p88sgq7q81kyz8s",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.41-hardened1/linux-hardened-5.15.41-hardened1.patch"
         },
-        "sha256": "1bfpiyccjggysd04flaana0x69n1lcpckzpw1v6kh3ly9xil31l8",
-        "version": "5.15.39"
+        "sha256": "07jrsr54rvhry3g401h58r1773zinq49dbrkb9v1p6q27gyb2z1w",
+        "version": "5.15.41"
     },
     "5.17": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.17.7-hardened1.patch",
-            "sha256": "0p2s6blyzi0ynfrqm5l8ayh41kjkrmznlly6znh3djc1k3l5fc8v",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.17.7-hardened1/linux-hardened-5.17.7-hardened1.patch"
+            "name": "linux-hardened-5.17.9-hardened1.patch",
+            "sha256": "0n7zz04vnajpsfn662fxx75jinnr0kpqwzyypgwn99v4lmsxvza1",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.17.9-hardened1/linux-hardened-5.17.9-hardened1.patch"
         },
-        "sha256": "16ccf7n6fns9z93c65lchn5v3fgl9c5vkr1v6p0c1xifn7v7xxi2",
-        "version": "5.17.7"
+        "sha256": "0y2rmn86z3cvgv71b6sjjyafnlbanlib1kjpjjqzjbgg86y2890p",
+        "version": "5.17.9"
     },
     "5.4": {
         "patch": {
             "extra": "-hardened1",
-            "name": "linux-hardened-5.4.193-hardened1.patch",
-            "sha256": "1c24chfjkv5yk3gzawxygfl6l58i7a6l2swdk35g5sv8s6p0a9jl",
-            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.193-hardened1/linux-hardened-5.4.193-hardened1.patch"
+            "name": "linux-hardened-5.4.195-hardened1.patch",
+            "sha256": "1q7a211jw22nl1yz3k3cv6g4h7csir0wwyypzij54xbg3k7by0p9",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.195-hardened1/linux-hardened-5.4.195-hardened1.patch"
         },
-        "sha256": "187jfk9hf52n5z9yv56vq1knp3kdcbyk5w5k98ziwcbdjm1x65hd",
-        "version": "5.4.193"
+        "sha256": "078380qhds2jwfmrchna6p27wpfb74pvnj4xiyc5k38gysfmnbzj",
+        "version": "5.4.195"
     }
 }

pkgs/os-specific/linux/kernel/linux-4.14.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "4.14.278";
+  version = "4.14.280";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1glb6z3nicd2lzhvwcqj54642agk0bbg022wnc3ckld5ngpd9miw";
+    sha256 = "01jr0f7mq919s7xxvv8sc1mg6isc1ggij33l2s0n6jvykm23ghrr";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-4.19.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "4.19.242";
+  version = "4.19.244";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "18k5fbzclk7g657bs8idwqjk7hakzx6256b1a3506sy29q4zvg2r";
+    sha256 = "1g9562v6ny196rw2n3kj43nrz65qa7imwnmfasvj6x8fm8bdhz79";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-4.9.nix

@@ -1,12 +1,12 @@
 { buildPackages, fetchurl, perl, buildLinux, nixosTests, stdenv, ... } @ args:
 
 buildLinux (args // rec {
-  version = "4.9.313";
+  version = "4.9.315";
   extraMeta.branch = "4.9";
   extraMeta.broken = stdenv.isAarch64;
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1p3vr1h01ph6x0pxrr6y6k5c4nrhvq650dfngv5mkrgsc5w7ffz0";
+    sha256 = "1171p90s00jxg1clyz8kp81ilmdzygg131mxysr6lpkaisahkjg6";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-5.10.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.10.115";
+  version = "5.10.117";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "0w9gwizyqjgsj93dqqvlh6bqkmpzjajhj09319nqncc95yrigr7m";
+    sha256 = "1iyw3nmsga2binmrhfnzsf1pvn2bs21a8jw6vm89k26z5h8zfgkh";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-5.15.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.15.39";
+  version = "5.15.41";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -15,6 +15,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "1bfpiyccjggysd04flaana0x69n1lcpckzpw1v6kh3ly9xil31l8";
+    sha256 = "07jrsr54rvhry3g401h58r1773zinq49dbrkb9v1p6q27gyb2z1w";
   };
 } // (args.argsOverride or { }))

pkgs/os-specific/linux/kernel/linux-5.17.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.17.7";
+  version = "5.17.9";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "16ccf7n6fns9z93c65lchn5v3fgl9c5vkr1v6p0c1xifn7v7xxi2";
+    sha256 = "0y2rmn86z3cvgv71b6sjjyafnlbanlib1kjpjjqzjbgg86y2890p";
   };
 } // (args.argsOverride or { }))

pkgs/os-specific/linux/kernel/linux-5.4.nix

@@ -3,7 +3,7 @@
 with lib;
 
 buildLinux (args // rec {
-  version = "5.4.193";
+  version = "5.4.195";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
   modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@@ -13,6 +13,6 @@ buildLinux (args // rec {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "187jfk9hf52n5z9yv56vq1knp3kdcbyk5w5k98ziwcbdjm1x65hd";
+    sha256 = "078380qhds2jwfmrchna6p27wpfb74pvnj4xiyc5k38gysfmnbzj";
   };
 } // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-libre.nix

@@ -1,8 +1,8 @@
 { stdenv, lib, fetchsvn, linux
 , scripts ? fetchsvn {
     url = "https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/";
-    rev = "18713";
-    sha256 = "10744jp1i7z3jwpc42vrmdfpq1yblf3vy17yb04xdfhimkflw77p";
+    rev = "18738";
+    sha256 = "024iw4352h8b1kbbimqgid95h868swiw45wn91sjkpmwr612v6kd";
   }
 , ...
 }:

pkgs/os-specific/linux/kernel/linux-rt-5.10.nix

@@ -6,7 +6,7 @@
 , ... } @ args:
 
 let
-  version = "5.10.109-rt65"; # updated by ./update-rt.sh
+  version = "5.10.115-rt67"; # updated by ./update-rt.sh
   branch = lib.versions.majorMinor version;
   kversion = builtins.elemAt (lib.splitString "-" version) 0;
 in buildLinux (args // {
@@ -18,14 +18,14 @@ in buildLinux (args // {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
-    sha256 = "1p0k46isy2wzzms801lrnb59f1nb9mhywjj7fnkrwrj9nbn25yqq";
+    sha256 = "0w9gwizyqjgsj93dqqvlh6bqkmpzjajhj09319nqncc95yrigr7m";
   };
 
   kernelPatches = let rt-patch = {
     name = "rt";
     patch = fetchurl {
       url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
-      sha256 = "0w7bs5kmwvbyfy5js218ys42s8i51m8v0mbkfhiynlpm3iph357q";
+      sha256 = "16igpdqq8nqzf98pkrs9v692d1r1fpnwrh3qxrkja0fgzswdwc0j";
     };
   }; in [ rt-patch ] ++ kernelPatches;
 

pkgs/os-specific/linux/kernel/linux-rt-5.4.nix

@@ -6,7 +6,7 @@
 , ... } @ args:
 
 let
-  version = "5.4.188-rt73"; # updated by ./update-rt.sh
+  version = "5.4.193-rt74"; # updated by ./update-rt.sh
   branch = lib.versions.majorMinor version;
   kversion = builtins.elemAt (lib.splitString "-" version) 0;
 in buildLinux (args // {
@@ -14,14 +14,14 @@ in buildLinux (args // {
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz";
-    sha256 = "1g7xf2jx1hx580f42yirfgv9v0f9f88wzxxx0wiwx7wcqbyqpg4z";
+    sha256 = "187jfk9hf52n5z9yv56vq1knp3kdcbyk5w5k98ziwcbdjm1x65hd";
   };
 
   kernelPatches = let rt-patch = {
     name = "rt";
     patch = fetchurl {
       url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz";
-      sha256 = "17qx5xrchgss7zxg9lg91mqh0v3irx355003g7rj12h8y5r16l58";
+      sha256 = "1gn4ii5pr0870ba481nqbd5rxk7ajrarv1p5mipfi42x07rpn7c2";
     };
   }; in [ rt-patch ] ++ kernelPatches;
 

pkgs/tools/admin/docker-credential-helpers/default.nix

@@ -45,5 +45,7 @@ buildGoPackage rec {
     license = licenses.mit;
     maintainers = [ maintainers.marsam ];
     platforms = platforms.linux ++ platforms.darwin;
+  } // lib.optionalAttrs stdenv.isDarwin {
+    mainProgram = "docker-credential-osxkeychain";
   };
 }

pkgs/tools/networking/babeld/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "babeld";
-  version = "1.11";
+  version = "1.12.1";
 
   src = fetchurl {
     url = "https://www.irif.fr/~jch/software/files/${pname}-${version}.tar.gz";
-    sha256 = "sha256-mTFa6vLqIH8XfBaFX/o0/DVK8bWYjAcODy/KOg1ND6U=";
+    sha256 = "sha256-mrWdesdB82MN8j+cO2fGApTYs0q2IjmPm4l3OoeOyx4=";
   };
 
   preBuild = ''

pkgs/tools/security/arsenal/default.nix

@@ -5,19 +5,22 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "arsenal";
-  version = "1.0.2";
+  version = "1.1.0";
+  format = "setuptools";
 
   src = fetchFromGitHub {
     owner = "Orange-Cyberdefense";
     repo = "arsenal";
     rev = version;
-    sha256 = "sha256-RZxGSrtEa3hAtowD2lUb9BgwpSWlYo90fU9nDvUfoAk=";
+    sha256 = "sha256-NbNXyR5aNKvRJU9JWGk/ndwU1bhNgDOdcRqBkAY9nPA=";
   };
 
   propagatedBuildInputs = with python3.pkgs; [
     libtmux
     docutils
+    pyfzf
     pyperclip
+    pyyaml
   ];
 
   # Project has no tests

pkgs/tools/security/badrobot/default.nix

@@ -0,0 +1,45 @@
+{ lib, buildGoModule, fetchFromGitHub, installShellFiles }:
+
+buildGoModule rec {
+  pname = "badrobot";
+  version = "0.1.2";
+
+  src = fetchFromGitHub {
+    owner = "controlplaneio";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-LGoNM8wu1qaq4cVEzR723/cueZlndE1Z2PCYEOU+nPQ=";
+  };
+  vendorSha256 = "sha256-FS4kFVi+3NOJOfWfy5m/hDrQvCzpmsNSB/PliF6cVps=";
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X github.com/controlplaneio/badrobot/cmd.version=v${version}"
+  ];
+
+  postInstall = ''
+    installShellCompletion --cmd badrobot \
+      --bash <($out/bin/badrobot completion bash) \
+      --fish <($out/bin/badrobot completion fish) \
+      --zsh <($out/bin/badrobot completion zsh)
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/controlplaneio/badrobot";
+    changelog = "https://github.com/controlplaneio/badrobot/blob/v${version}/CHANGELOG.md";
+    description = "Operator Security Audit Tool";
+    longDescription = ''
+      Badrobot is a Kubernetes Operator audit tool. It statically analyses
+      manifests for high risk configurations such as lack of security
+      restrictions on the deployed controller and the permissions of an
+      associated clusterole. The risk analysis is primarily focussed on the
+      likelihood that a compromised Operator would be able to obtain full
+      cluster permissions.
+    '';
+    license = with licenses; [ asl20 ];
+    maintainers = with maintainers; [ jk ];
+  };
+}

pkgs/top-level/all-packages.nix

@@ -1428,7 +1428,6 @@ with pkgs;
   ares = callPackage ../applications/emulators/bsnes/ares { };
 
   bsnes-hd = callPackage ../applications/emulators/bsnes/bsnes-hd {
-    inherit (gnome2) gtksourceview;
     inherit (darwin.apple_sdk.frameworks) Cocoa OpenAL;
   };
 
@@ -2577,6 +2576,8 @@ with pkgs;
     inherit (darwin.apple_sdk.frameworks) Security;
   };
 
+  badrobot = callPackage ../tools/security/badrobot {};
+
   bao = callPackage ../tools/security/bao {};
 
   bar = callPackage ../tools/system/bar {};
@@ -17985,6 +17986,7 @@ with pkgs;
   };
 
   itk4 = callPackage ../development/libraries/itk/4.x.nix {
+    stdenv = if stdenv.cc.isGNU && stdenv.system == "x86_64-linux" then gcc10Stdenv else stdenv;
     inherit (darwin.apple_sdk.frameworks) Cocoa;
   };
 
@@ -29969,6 +29971,8 @@ with pkgs;
 
   tig = callPackage ../applications/version-management/git-and-tools/tig { };
 
+  tilemaker = callPackage ../applications/misc/tilemaker { };
+
   timbreid = callPackage ../applications/audio/pd-plugins/timbreid {
     fftw = fftwSinglePrec;
   };
@@ -32662,6 +32666,7 @@ with pkgs;
   angsd = callPackage ../applications/science/biology/angsd { };
 
   ants = callPackage ../applications/science/biology/ants {
+    stdenv = if stdenv.cc.isGNU && stdenv.system == "x86_64-linux" then gcc10Stdenv else stdenv;
     inherit (darwin.apple_sdk.frameworks) Cocoa;
   };
 
@@ -34425,7 +34430,7 @@ with pkgs;
 
   pt = callPackage ../applications/misc/pt { };
 
-  protocol = python3Packages.callPackage ../applications/networking/protocol { };
+  protocol = callPackage ../applications/networking/protocol { };
 
   pykms = callPackage ../tools/networking/pykms { };
 

pkgs/top-level/config.nix

@@ -20,6 +20,11 @@ let
 
     /* Internal stuff */
 
+    # Hide built-in module system options from docs.
+    _module.args = mkOption {
+      internal = true;
+    };
+
     warnings = mkOption {
       type = types.listOf types.str;
       default = [];

pkgs/top-level/perl-packages.nix

@@ -19533,7 +19533,7 @@ let
       url = "mirror://cpan/authors/id/Y/YV/YVES/Sereal-4.018.tar.gz";
       sha256 = "0pqygrl88jp2w73jd9cw4k22fhvh5vcwqbiwl9wpxm67ql95cwwa";
     };
-    buildInputs = [ TestDeep TestLongString TestMemoryGrowth TestWarn ];
+    buildInputs = [ TestDeep TestLongString TestWarn ];
     propagatedBuildInputs = [ SerealDecoder SerealEncoder ];
     meta = {
       homepage = "https://github.com/Sereal/Sereal";

pkgs/top-level/python-packages.nix

@@ -7232,6 +7232,10 @@ in {
 
   pyfxa = callPackage ../development/python-modules/pyfxa { };
 
+  pyfzf = callPackage ../development/python-modules/pyfzf {
+    inherit (pkgs) fzf;
+  };
+
   pygal = callPackage ../development/python-modules/pygal { };
 
   pygame = callPackage ../development/python-modules/pygame {